| blob | ac4079d091638a9fa5987429e726661faf1e06e2 |
1 .TH SLAPD-SOCK 5 "2008/07/16" "OpenLDAP 2.4.11"
2 .\" Copyright 2007-2008 The OpenLDAP Foundation All Rights Reserved.
3 .\" Copying restrictions apply. See COPYRIGHT/LICENSE.
4 .\" $OpenLDAP: pkg/ldap/doc/man/man5/slapd-sock.5,v 1.3.2.1 2008/02/09 00:46:08 quanah Exp $
5 .SH NAME
6 slapd-sock \- Socket backend to slapd
7 .SH SYNOPSIS
8 /etc/openldap/slapd.conf
9 .SH DESCRIPTION
10 The Socket backend to
11 .BR slapd (8)
12 uses an external program to handle queries, similarly to
13 .BR slapd-shell (5).
14 However, in this case the external program listens on a Unix domain socket.
15 This makes it possible to have a pool of processes, which persist between
16 requests. This allows multithreaded operation and a higher level of
17 efficiency. The external program must have been started independently;
18 .BR slapd (8)
19 itself will not start it.
20 .SH CONFIGURATION
21 These
22 .B slapd.conf
23 options apply to the SOCK backend database.
24 That is, they must follow a "database sock" line and come before any
25 subsequent "backend" or "database" lines.
26 Other database options are described in the
27 .BR slapd.conf (5)
28 manual page.
29 .TP
30 .B extensions [ binddn | peername | ssf ]*
31 Enables the sending of additional meta-attributes with each request.
32 .nf
33 binddn: <bound DN>
34 peername: IP=<address>:<port>
35 ssf: <SSF value>
36 .fi
37 .TP
38 .B socketpath <pathname>
39 Gives the path to a Unix domain socket to which the commands will
40 be sent and from which replies are received.
41 .SH PROTOCOL
42 The protocol is essentially the same as
43 .BR slapd-shell (5)
44 with the addition of a newline to terminate the command parameters. The
45 following commands are sent:
46 .RS
47 .nf
48 ADD
49 msgid: <message id>
50 <repeat { "suffix:" <database suffix DN> }>
51 <entry in LDIF format>
52 <blank line>
53 .fi
54 .RE
55 .PP
56 .RS
57 .nf
58 BIND
59 msgid: <message id>
60 <repeat { "suffix:" <database suffix DN> }>
61 dn: <DN>
62 method: <method number>
63 credlen: <length of <credentials>>
64 cred: <credentials>
65 <blank line>
66 .fi
67 .RE
68 .PP
69 .RS
70 .nf
71 COMPARE
72 msgid: <message id>
73 <repeat { "suffix:" <database suffix DN> }>
74 dn: <DN>
75 <attribute>: <value>
76 <blank line>
77 .fi
78 .RE
79 .PP
80 .RS
81 .nf
82 DELETE
83 msgid: <message id>
84 <repeat { "suffix:" <database suffix DN> }>
85 dn: <DN>
86 <blank line>
87 .fi
88 .RE
89 .PP
90 .RS
91 .nf
92 MODIFY
93 msgid: <message id>
94 <repeat { "suffix:" <database suffix DN> }>
95 dn: <DN>
96 <repeat {
97 <"add"/"delete"/"replace">: <attribute>
98 <repeat { <attribute>: <value> }>
99 -
100 }>
101 <blank line>
102 .fi
103 .RE
104 .PP
105 .RS
106 .nf
107 MODRDN
108 msgid: <message id>
109 <repeat { "suffix:" <database suffix DN> }>
110 dn: <DN>
111 newrdn: <new RDN>
112 deleteoldrdn: <0 or 1>
113 <if new superior is specified: "newSuperior: <DN>">
114 <blank line>
115 .fi
116 .RE
117 .PP
118 .RS
119 .nf
120 SEARCH
121 msgid: <message id>
122 <repeat { "suffix:" <database suffix DN> }>
123 base: <base DN>
124 scope: <0-2, see ldap.h>
125 deref: <0-3, see ldap.h>
126 sizelimit: <size limit>
127 timelimit: <time limit>
128 filter: <filter>
129 attrsonly: <0 or 1>
130 attrs: <"all" or space-separated attribute list>
131 <blank line>
132 .fi
133 .RE
134 .PP
135 .RS
136 .nf
137 UNBIND
138 msgid: <message id>
139 <repeat { "suffix:" <database suffix DN> }>
140 <blank line>
141 .fi
142 .RE
143 .LP
144 The commands - except \fBunbind\fP - should output:
145 .RS
146 .nf
147 RESULT
148 code: <integer>
149 matched: <matched DN>
150 info: <text>
151 .fi
152 .RE
153 where only RESULT is mandatory, and then close the socket.
154 The \fBsearch\fP RESULT should be preceded by the entries in LDIF
155 format, each entry followed by a blank line.
156 Lines starting with `#' or `DEBUG:' are ignored.
157 .SH ACCESS CONTROL
158 The
159 .B sock
160 backend does not honor all ACL semantics as described in
161 .BR slapd.access (5).
162 In general, access to objects is checked by using a dummy object
163 that contains only the DN, so access rules that rely on the contents
164 of the object are not honored.
165 In detail:
166 .LP
167 The
168 .B add
169 operation does not require
170 .B write (=w)
171 access to the
172 .B children
173 pseudo-attribute of the parent entry.
174 .LP
175 The
176 .B bind
177 operation requires
178 .B auth (=x)
179 access to the
180 .B entry
181 pseudo-attribute of the entry whose identity is being assessed;
182 .B auth (=x)
183 access to the credentials is not checked, but rather delegated
184 to the underlying program.
185 .LP
186 The
187 .B compare
188 operation requires
189 .B compare (=c)
190 access to the
191 .B entry
192 pseudo-attribute
193 of the object whose value is being asserted;
194 .B compare (=c)
195 access to the attribute whose value is being asserted is not checked.
196 .LP
197 The
198 .B delete
199 operation does not require
200 .B write (=w)
201 access to the
202 .B children
203 pseudo-attribute of the parent entry.
204 .LP
205 The
206 .B modify
207 operation requires
208 .B write (=w)
209 access to the
210 .B entry
211 pseudo-attribute;
212 .B write (=w)
213 access to the specific attributes that are modified is not checked.
214 .LP
215 The
216 .B modrdn
217 operation does not require
218 .B write (=w)
219 access to the
220 .B children
221 pseudo-attribute of the parent entry, nor to that of the new parent,
222 if different;
223 .B write (=w)
224 access to the distinguished values of the naming attributes
225 is not checked.
226 .LP
227 The
228 .B search
229 operation does not require
230 .B search (=s)
231 access to the
232 .B entry
233 pseudo_attribute of the searchBase;
234 .B search (=s)
235 access to the attributes and values used in the filter is not checked.
237 .SH EXAMPLE
238 There is an example script in the slapd/back-sock/ directory
239 in the OpenLDAP source tree.
240 .SH FILES
241 .TP
242 /etc/openldap/slapd.conf
243 default slapd configuration file
244 .SH SEE ALSO
245 .BR slapd.conf (5),
246 .BR slapd (8).
247 .SH AUTHOR
248 Brian Candler