slapd-sock

SLAPD-SOCK(5)                 File Formats Manual                SLAPD-SOCK(5)



NAME
       slapd-sock - Socket backend/overlay to slapd

SYNOPSIS
       /etc/openldap/slapd.conf

DESCRIPTION
       The Socket backend to slapd(8) uses an external program to handle
       queries, similarly to slapd-shell(5).  However, in this case the
       external program listens on a Unix domain socket.  This makes it
       possible to have a pool of processes, which persist between requests.
       This allows multithreaded operation and a higher level of efficiency.
       The external program must have been started independently; slapd(8)
       itself will not start it.

       This module may also be used as an overlay on top of some other
       database.  Use as an overlay allows external actions to be triggered in
       response to operations on the main database.

CONFIGURATION
       These slapd.conf options apply to the SOCK backend database.  That is,
       they must follow a "database sock" line and come before any subsequent
       "backend" or "database" lines.  Other database options are described in
       the slapd.conf(5) manual page.

       Alternatively, to use this module as an overlay, these directives must
       follow an "overlay sock" line within an existing database definition.

       extensions [ binddn | peername | ssf | connid ]*
              Enables the sending of additional meta-attributes with each
              request.
              binddn: <bound DN>
              peername: IP=<address>:<port>
              ssf: <SSF value>
              connid: <connection ID>

       socketpath <pathname>
              Gives the path to a Unix domain socket to which the commands
              will be sent and from which replies are received.

              When used as an overlay, these additional directives are
              defined:

       sockops   [ bind | unbind | search | compare | modify | modrdn | add |
       delete ]*
              Specify which request types to send to the external program. The
              default is empty (no requests are sent).

       sockresps [ result | search ]*
              Specify which response types to send to the external program.
              "result" sends just the results of an operation. "search" sends
              all entries that the database returned for a search request. The
              default is empty (no responses are sent).


PROTOCOL
       The protocol is essentially the same as slapd-shell(5) with the
       addition of a newline to terminate the command parameters. The
       following commands are sent:
              ADD
              msgid: <message id>
              <repeat { "suffix:" <database suffix DN> }>
              <entry in LDIF format>
              <blank line>

              BIND
              msgid: <message id>
              <repeat { "suffix:" <database suffix DN> }>
              dn: <DN>
              method: <method number>
              credlen: <length of <credentials>>
              cred: <credentials>
              <blank line>

              COMPARE
              msgid: <message id>
              <repeat { "suffix:" <database suffix DN> }>
              dn: <DN>
              <attribute>: <value>
              <blank line>

              DELETE
              msgid: <message id>
              <repeat { "suffix:" <database suffix DN> }>
              dn: <DN>
              <blank line>

              MODIFY
              msgid: <message id>
              <repeat { "suffix:" <database suffix DN> }>
              dn: <DN>
              <repeat {
                  <"add"/"delete"/"replace">: <attribute>
                  <repeat { <attribute>: <value> }>
                  -
              }>
              <blank line>

              MODRDN
              msgid: <message id>
              <repeat { "suffix:" <database suffix DN> }>
              dn: <DN>
              newrdn: <new RDN>
              deleteoldrdn: <0 or 1>
              <if new superior is specified: "newSuperior: <DN>">
              <blank line>

              SEARCH
              msgid: <message id>
              <repeat { "suffix:" <database suffix DN> }>
              base: <base DN>
              scope: <0-2, see ldap.h>
              deref: <0-3, see ldap.h>
              sizelimit: <size limit>
              timelimit: <time limit>
              filter: <filter>
              attrsonly: <0 or 1>
              attrs: <"all" or space-separated attribute list>
              <blank line>

              UNBIND
              msgid: <message id>
              <repeat { "suffix:" <database suffix DN> }>
              <blank line>

       The commands - except unbind - should output:
              RESULT
              code: <integer>
              matched: <matched DN>
              info: <text>
       where only RESULT is mandatory, and then close the socket.  The search
       RESULT should be preceded by the entries in LDIF format, each entry
       followed by a blank line.  Lines starting with `#' or `DEBUG:' are
       ignored.

       When used as an overlay, the external program should return a CONTINUE
       response if request processing should continue normally, or a regular
       RESULT response if the external program wishes to bypass the underlying
       database.

       If the overlay is configured to send response messages to the external
       program, they will appear as an extended RESULT message or as an ENTRY
       message, defined below. The RESULT message is similar to the one above,
       but also includes the msgid and any configured extensions:
              RESULT
              msgid: <message id>
              code: <integer>
              matched: <matched DN>
              info: <text>
              <blank line>

       Typically both the msgid and the connid will be needed to match a
       result message to a request. The ENTRY message has the form
              ENTRY
              msgid: <message id>
              <entry in LDIF format>
              <blank line>


ACCESS CONTROL
       The sock backend does not honor all ACL semantics as described in
       slapd.access(5).  In general, access to objects is checked by using a
       dummy object that contains only the DN, so access rules that rely on
       the contents of the object are not honored.  In detail:

       The add operation does not require write (=w) access to the children
       pseudo-attribute of the parent entry.

       The bind operation requires auth (=x) access to the entry pseudo-
       attribute of the entry whose identity is being assessed; auth (=x)
       access to the credentials is not checked, but rather delegated to the
       underlying program.

       The compare operation requires compare (=c) access to the entry pseudo-
       attribute of the object whose value is being asserted; compare (=c)
       access to the attribute whose value is being asserted is not checked.

       The delete operation does not require write (=w) access to the children
       pseudo-attribute of the parent entry.

       The modify operation requires write (=w) access to the entry pseudo-
       attribute; write (=w) access to the specific attributes that are
       modified is not checked.

       The modrdn operation does not require write (=w) access to the children
       pseudo-attribute of the parent entry, nor to that of the new parent, if
       different; write (=w) access to the distinguished values of the naming
       attributes is not checked.

       The search operation does not require search (=s) access to the entry
       pseudo_attribute of the searchBase; search (=s) access to the
       attributes and values used in the filter is not checked.


EXAMPLE
       There is an example script in the slapd/back-sock/ directory in the
       OpenLDAP source tree.

FILES
       /etc/openldap/slapd.conf
              default slapd configuration file

SEE ALSO
       slapd.conf(5), slapd-config(5), slapd(8).

AUTHOR
       Brian Candler, with enhancements by Howard Chu



OpenLDAP 2.4.40                   2014/09/20                     SLAPD-SOCK(5)