[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: slapd.conf manpages update (ITS#966)
Please make submissions in unified patch format per our
contributing guidelines:
http://www.openldap.org/devel/contributing.html
At 07:29 AM 1/17/01 +0000, h.nardmann@secunet.de wrote:
>This is a multi-part message in MIME format.
>--------------DEA26C3CC5AFFD374E61B67B
>Content-Type: text/plain; charset=us-ascii
>Content-Transfer-Encoding: 7bit
>
>Based on the information which I got from Dmitry Kovalev
><mitya@seismic.geol.msu.ru>,
>I updated the slapd.conf.5 file from CVS to include some more
>information about the
>SQL backend specific options.
>Maybe this could be added to CVS?
>
>See attachment.
>
>--
>Heiko Nardmann (Dipl.-Ing.), h.nardmann@secunet.de, Software Development
>
>secunet Security Networks AG - Sicherheit in Netzwerken
>(www.secunet.de),
>Weidenauer Str. 223-225, D-57076 Siegen
>Tel. : +49 271 48950-13, Fax : +49 271 48950-50
>
>
>--------------DEA26C3CC5AFFD374E61B67B
>Content-Type: text/plain; charset=us-ascii;
> name="slapd.conf.5"
>Content-Transfer-Encoding: 7bit
>Content-Disposition: inline;
> filename="slapd.conf.5"
>
>.TH SLAPD.CONF 5 "17 October 2000" "OpenLDAP LDVERSION"
>.\" Copyright 1998-2000 The OpenLDAP Foundation All Rights Reserved.
>.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
>.\" $OpenLDAP: /doc/man/man5/slapd.conf.5,v 1.57 2000/10/17 22:22:30 kurt Exp $
>.SH NAME
>slapd.conf \- configuration file for slapd, the stand-alone LDAP daemon
>.SH SYNOPSIS
>ETCDIR/slapd.conf
>.SH DESCRIPTION
>The file
>.B ETCDIR/slapd.conf
>contains configuration information for the
>.BR slapd (8)
>daemon. This configuration file is also used by the
>.BR slurpd (8)
>replication daemon and by the SLAPD tools
>.BR slapadd (8),
>.BR slapcat (8),
>and
>.BR slapindex (8).
>.LP
>The
>.B slapd.conf
>file consists of a series of global configuration options that apply to
>.B slapd
>as a whole (including all backends), followed by zero or more database
>backend definitions that contain information specific to a backend
>instance.
>.LP
>The general format of
>.B slapd.conf
>is as follows:
>.LP
>.nf
> # comment - these options apply to every database
> <global configuration options>
> # first database definition & configuration options
> database <backend 1 type>
> <configuration options specific to backend 1>
> # subsequent database definitions & configuration options
> ...
>.fi
>.LP
>As many backend-specific sections as desired may be included. Global
>options can be overridden in a backend (for options that appear more
>than once, the last appearance in the
>.B slapd.conf
>file is used). Blank lines and comment lines beginning with a `#'
>character are ignored. If a line begins with white space, it is
>considered a continuation of the previous line.
>.LP
>Arguments on configuration lines are separated by white space. If an
>argument contains white space, the argument should be enclosed in
>double quotes. If an argument contains a double quote (`"') or a
>backslash character (`\\'), the character should be preceded by a
>backslash character.
>.LP
>The specific configuration options available are discussed below in the
>Global Configuration Options, General Backend Options, LDBM
>Backend-Specific Options, Shell Backend-Specific Options, and Password
>Backend-Specific Options sections. Refer to the "OpenLDAP
>Administrator's Guide" for more details on the slapd configuration
>file.
>.SH GLOBAL CONFIGURATION OPTIONS
>Options described in this section apply to all backends, unless specifically
>overridden in a backend definition. Arguments that should be replaced by
>actual text are shown in brackets <>.
>.TP
>.B access to <what> [ by <who> <access> <control> ]+
>Grant access (specified by <access>) to a set of entries and/or
>attributes (specified by <what>) by one or more requestors (specified
>by <who>).
>See the "OpenLDAP's Administrator's Guide" for details.
>.TP
>.B allow <features>
>Specify a set of features (separated by white space) to
>allow (default none).
>.B tls_2_anon
>allows Start TLS to force session to anonymous status (see also
>.B disallow
>.BR tls_authc ).
>.TP
>.B argsfile <filename>
>The ( absolute ) name of a file that will hold the
>.B slapd
>server's command line options
>if started without the debugging command line option.
>.HP
>.hy 0
>.B attributetype (\ <oid> [NAME\ <name>] [OBSOLETE]\
> [DESC\ <description>]\
> [SUP\ <oid>] [EQUALITY\ <oid>] [ORDERING\ <oid>]\
> [SUBSTR\ <oid>] [SYNTAX\ <oidlen>] [SINGLE\-VALUE] [COLLECTIVE]\
> [NO\-USER\-MODIFICATION] [USAGE\ <attributeUsage>]\ )
>.RS
>Specify an attribute type using the LDAPv3 syntax defined in RFC 2252.
>The slapd parser extends the RFC 2252 definition by allowing string
>forms as well as numeric OIDs to be used for the attribute OID and
>attribute syntax OID.
>(See the
>.B objectidentifier
>description.) Currently the syntax name parser is case-sensitive.
>The known syntax names are:
>.RS
>.RS
>.PD 0
>AttributeTypeDescription Audio Binary BitString Certificate CertificateList
>CertificatePair DN DeliveryMethod DirectoryString DITContentRuleDescription
>DITStructureRuleDescription EnhancedGuide FacsimileTelephoneNumber
>GeneralizedTime Guide IA5String Integer MatchingRuleDescription
>MatchingRuleUseDescription MailPreference NameAndOptionalUUID
>NameFormDescription NumericString ObjectClassDescription OID
>OtherMailbox OctetString PostalAddress ProtocolInformation
>PresentationAddress PrintableString SupportedAlgorithm TelephoneNumber
>TeletexTerminalIdentifier TelexNumber UTCTime LDAPSyntaxDescription
>SubstringAssertion NISnetgrouptriple Bootparameter
>.PD
>.RE
>.RE
>.RE
>.TP
>.B concurrency <integer>
>Specify a desired level of concurrency. Provided to the underlying
>thread system as a hint. The default is not to provide any hint.
>.TP
>.B defaultsearchbase <dn>
>Specify a default search base to use when client submits a
>non-base search request with an empty base DN.
>.TP
>.B disallow <features>
>Specify a set of features (separated by white space) to
>disallow (default none).
>.B bind_v2
>disables acceptance of LDAPv2 bind requests.
>.B bind_anon
>disables acceptance of anonymous bind requests.
>.B bind_anon_cred
>disables anonymous bind creditials are not empty (e.g.
>when DN is empty).
>.B bind_anon_dn
>disables anonymous bind when DN is not empty.
>.B bind_simple
>disables simple (bind) authentication.
>.B bind_krbv4
>disables Kerberos V4 (bind) authentication.
>.B tls_authc
>disables StartTLS if authenticated (see also
>.B allow
>.BR tls_2_anon ).
>.TP
>.B idletimeout <integer>
>Specify the number of seconds to wait before forcibly closing
>an idle client connections. A idletimeout of 0 disables this
>feature. The default is 0.
>.TP
>.B include <filename>
>Read additional configuration information from the given file before
>continuing with the next line of the current file.
>.TP
>.B loglevel <integer>
>Specify the level at which debugging statements and operation
>statistics should be syslogged (currently logged to the
>.BR syslogd (8)
>LOG_LOCAL4 facility). Log levels are additive, and available levels
>are:
>.RS
>.RS
>.PD 0
>.TP
>.B 1
>trace function calls
>.TP
>.B 2
>debug packet handling
>.TP
>.B 4
>heavy trace debugging
>.TP
>.B 8
>connection management
>.TP
>.B 16
>print out packets sent and received
>.TP
>.B 32
>search filter processing
>.TP
>.B 64
>configuration file processing
>.TP
>.B 128
>access control list processing
>.TP
>.B 256
>stats log connections/operations/results
>.TP
>.B 512
>stats log entries sent
>.TP
>.B 1024
>print communication with shell backends
>.TP
>.B 2048
>entry parsing
>.PD
>.RE
>.RE
>.HP
>.B objectclass ( <oid> [NAME <name>] [DESC <description] [OBSOLETE]\
> [SUP <oids>] [{ ABSTRACT | STRUCTURAL | AUXILIARY }] [MUST <oids>]\
> [MAY <oids>] )
>.RS
>Specify an objectclass using the LDAPv3 syntax defined in RFC 2252.
>The slapd parser extends the RFC 2252 definition by allowing string
>forms as well as numeric OIDs to be used for the object class OID.
>(See the
>.B
>objectidentifier
>description.) Object classes are "STRUCTURAL" by default.
>.RE
>.TP
>.B objectidentifier <name> { <oid> | <name>[:<suffix>] }
>Define a string name that equates to the given OID. The string can be used
>in place of the numeric OID in objectclass and attribute definitions. The
>name can also be used with a suffix of the form ":xx" in which case the
>value "oid.xx" will be used.
>.TP
>.B password-hash <hash>
>The <hash> to use for userPassword generation. One of
>.BR {SSHA} ,
>.BR {SHA} ,
>.BR {SMD5} ,
>.BR {MD5} ,
>.BR {CRYPT} ,
>.BR {KERBEROS} ,
>.BR {SASL} ,
>and
>.BR {UNIX} .
>The default is
>.BR {SSHA} .
>.TP
>.B pidfile <filename>
>The ( absolute ) name of a file that will hold the
>.B slapd
>server's process ID ( see
>.BR getpid (2)
>) if started without the debugging command line option.
>.TP
>.B referral <url>
>Specify the referral to pass back when
>.BR slapd (8)
>cannot find a local database to handle a request.
>If specified multiple times, each url is provided.
>.TP
>.B require <conditions>
>Specify a set of conditions (separated by white space) to
>require (default none).
>The directive may be specified globally and/or per-database.
>.B bind
>requires bind operation prior to directory operations.
>.B LDAPv3
>requires session to be using LDAP version 3.
>.B authc
>requires authentication prior to directory operations.
>.B SASL
>requires SASL authentication prior to directory operations.
>.B strong
>requires strong authentication prior to directory operations.
>Currently
>.B SASL
>and
>.B strong
>conditions are currently same.
>.B none
>may be used to require no conditions (useful for clearly globally
>set conditions within a particular database).
>.TP
>.B sasl-host <fqdn>
>Used to specify the fully qualified domain name used for SASL processing.
>.TP
>.B sasl-realm <realm>
>Specify SASL realm. Default is empty.
>.TP
>.B sasl-regexp <match> <replace>
>Used by the SASL authorization mechanism to convert a SASL authenticated
>username to an LDAP DN. When an authorization request is received, the SASL
>.B USERNAME, REALM,
>and
>.B MECHANISM
>are taken, when available, and combined into a SASL name of the
>form
>.RS
>.RS
>.TP
>.B uid=<UID>[,cn=<REALM>][,cn=<MECH>],cn=AUTHZ
>
>.RE
>This SASL name is then compared against the
>.B match
>regular expression, and if the match is successful, the SASL name is
>replaced with the
>.B replace
>string. If there are wildcard strings in the
>.B match
>regular expression that are enclosed in parenthesis, e.g.
>.RS
>.RS
>.TP
>.B uid=(.*)\\\\+realm=.*
>
>.RE
>.RE
>then the portion of the SASL name that matched the wildcard will be stored
>in the numbered placeholder variable $1. If there are other wildcard strings
>in parenthesis, the matching strings will be in $2, $3, etc. up to $9. The
>placeholders can then be used in the
>.B replace
>string, e.g.
>.RS
>.RS
>.TP
>.B cn=$1,ou=Accounts,dc=$2,dc=$4.
>
>.RE
>.RE
>The replaced SASL name can be either a DN or an LDAP URI. If the latter, the slapd
>server will use the URI to search its own database, and if the search returns
>exactly one entry, the SASL name is replaced by the DN of that entry.
>Multiple
>.B sasl-regexp
>options can be given in the configuration file to allow for multiple matching
>and replacement patterns. The matching patterns are checked in the order they
>appear in the file, stopping at the first successful match.
>.LP
>.B Caution:
>Because the plus sign + is a character recognized by the regular expression engine,
>and it will appear in SASL names that include a REALM, be careful to escape the
>plus sign with a backslash \\+ to remove the character's special meaning.
>.RE
>.TP
>.B sasl-secprops <properties>
>Used to specify Cyrus SASL security properties.
>The
>.B none
>flag (without any other properities) causes the flag properites
>default, "noanonymous,noplain", to be cleared.
>The
>.B noplain
>flag disables mechanisms susceptible to simple passive attacks.
>The
>.B noactive
>flag disables mechanisms susceptible to active attacks.
>The
>.B nodict
>flag disables mechanisms susceptible to passive dictionary attacks.
>The
>.B noanonyous
>flag disables mechanisms which support anonymous login.
>The
>.B forwardsec
>flag require forward secrecy between sessions.
>The
>.B passcred
>require mechanisms which pass client credentials (and allow
>mechanisms which can pass credentials to do so).
>The
>.B minssf=<factor>
>property specifies the minimum acceptable
>.I security strength factor
>as an integer approximate to effective key length used for
>encryption. 0 (zero) implies no protection, 1 implies integrity
>protection only, 56 allows DES or other weak ciphers, 112
>allows triple DES and other strong ciphers, 128 allows RC4,
>Blowfish and other modern strong ciphers. The default is 0.
>The
>.B maxssf=<factor>
>property specifies the maximum acceptable
>.I security strength factor
>as an integer (see minssf description). The default is INT_MAX.
>The
>.B maxbufsize=<size>
>property specifies the maximum security layer receive buffer
>size allowed. 0 disables security layers. The default is 65536.
>.TP
>.B schemacheck { on | off }
>Turn schema checking on or off. The default is on.
>.TP
>.B security <factors>
>Specify a set of factors (separated by white space) to require.
>An integer value is associated with each factor and is roughly
>equivalent of the encryption key length to require. A value
>of 112 is equivalent to 3DES, 128 to Blowfish, etc..
>The directive may be specified globally and/or per-database.
>.B ssf=<n>
>specifies the overall security strength factor.
>.B transport=<n>
>specifies the transport security strength factor.
>.B tls=<n>
>specifies the TLS security strength factor.
>.B sasl=<n>
>specifies the SASL security strength factor.
>.B update_ssf=<n>
>specifies the overall security strength factor to require for
>directory updates.
>.B update_transport=<n>
>specifies the transport security strength factor to require for
>directory updates.
>.B update_tls=<n>
>specifies the TLS security strength factor to require for
>directory updates.
>.B update_sasl=<n>
>specifies the SASL security strength factor to require for
>directory updates.
>Note that the
>.B transport
>factor is measure of security provided by the underlying transport,
>e.g. ldapi:// (and eventually IPSEC). It is not normally used.
>.TP
>.B sizelimit <integer>
>Specify the maximum number of entries to return from a search operation.
>The default size limit is 500.
>.TP
>.B srvtab <filename>
>Specify the srvtab file in which the kerberos keys necessary for
>authenticating clients using kerberos can be found. This option is only
>meaningful if you are using Kerberos authentication.
>.TP
>.B schemacheck { on | off }
>Turn schema checking on or off. The default is on.
>.TP
>.B sizelimit <integer>
>Specify the maximum number of entries to return from a search operation.
>The default size limit is 500.
>.TP
>.B srvtab <filename>
>Specify the srvtab file in which the kerberos keys necessary for
>authenticating clients using kerberos can be found. This option is only
>meaningful if you are using Kerberos authentication.
>.TP
>.B threads <integer>
>Specify the maximum size of the primary thread pool.
>The default is 32.
>.TP
>.B timelimit <integer>
>Specify the maximum number of seconds (in real time)
>.B slapd
>will spend answering a search request. The default time limit is 3600.
>.SH TLS OPTIONS
>If
>.B slapd
>is build with support for Transport Layer Security, there are more options
>you can specify.
>.TP
>.B TLSCipherSuite <cipher-suite-spec>
>Permits configuring what ciphers will be accepted and the preference order.
><cipher-suite-spec> should be a cipher specification for OpenSSL. Example:
>
>TLSCipherSuite HIGH:MEDIUM:+SSLv2
>
>To check what ciphers a given spec selects, use:
>
>openssl ciphers -v <cipher-suite-spec>
>.TP
>.B TLSCertificateFile <filename>
>Specifies the file that contains the
>.B slapd
>server certificate.
>.TP
>.B TLSCertificateKeyFile <filename>
>Specifies the file that contains the
>.B slapd
>server private key that matches the certificate stored in the
>.B TLSCertificateFile
>file. Currently, the private key must not be protected with a password, so
>it is of critical importance that it is protected carefully.
>.SH GENERAL BACKEND OPTIONS
>Options in this section only apply to the configuration file section
>for the backend in which they are defined. They are supported by every
>type of backend.
>.TP
>.B database <databasetype>
>Mark the beginning of a new database instance definition. <databasetype>
>should be one of
>.B ldbm,
>.B shell,
>or
>.B passwd
>depending on which backend will serve the database.
>.TP
>.B lastmod on | off
>Controls whether
>.B slapd
>will automatically maintain the
>modifiersName, modifyTimestamp, creatorsName, and
>createTimestamp attributes for entries. By default, lastmod is on.
>.TP
>.B readonly on | off
>This option puts the database into "read-only" mode. Any attempts to
>modify the database will return an "unwilling to perform" error. By
>default, readonly is off.
>.HP
>.B replica host=<hostname>[:port] [tls=yes|critical]
>.B bindmethod=simple|sasl [binddn=<simple DN>] [credentials=<simple password>]
>.B [saslmech=<SASL mech>] [secopts=<options>] [realm=<realm>]
>.B [authcId=<authentication ID>] [authcId=<authentication ID>]
>.RS
>Specify a replication site for this database. Refer to the "OpenLDAP
>Administrator's Guide" for detailed information on setting up a replicated
>.B slapd
>directory service. A
>.B bindmethod
>of
>.B simple
>requires the options
>.B binddn
>and
>.B credentials
>and should only be used when adequate security services
>(e.g TLS or IPSEC) are in place. A
>.B bindmethod
>of
>.B sasl
>requires the option
>.B saslmech.
>If the
>.B mechanism
>will use Kerberos, a kerberos instance should be given in
>.B authcId.
>.RE
>.TP
>.B replogfile <filename>
>Specify the name of the replication log file to log changes to.
>The replication log is typically written by
>.BR slapd (8)
>and read by
>.BR slurpd (8).
>See
>.BR slapd.replog (5)
>for more information. The specified file should be located
>in a directory with limited read/write/execute access as the replication
>logs may contain sensitive information.
>.TP
>.B rootdn <dn>
>Specify the distinguished name that is not subject to access control
>or administrative limit restrictions for operations on this database.
>This DN may or may not be associated with an entry. An empty root
>DN (the default) specifies no root access is to be granted. It is
>recommended that the rootdn only be specified when needed (such as
>when initially populating a database). If the rootdn is within
>a namingContext (suffix) of the database, a simple bind password
>may also be provided using the
>.B rootpw
>directive.
>.TP
>.B rootpw <password>
>Specify a password (or hash of the password) for the rootdn. If
>the rootdn is not within the namingContext of the database, the
>provided password is ignored.
>This option accepts all RFC 2307 userPassword formats known to
>the server (see
>.B password-hash
>desription) as well as cleartext.
>.BR slappasswd (8)
>may be used to generate a hash of a password. Cleartext
>and \fB{CRYPT}\fP passwords are not recommended. If empty
>(the default), authentication of the root DN is by other means
>(e.g. SASL). Use of SASL is encouraged.
>.TP
>.B suffix <dn suffix>
>Specify the DN suffix of queries that will be passed to this
>backend database. Multiple suffix lines can be given and at least one is
>required for each database definition.
>.TP
>.B updatedn <dn>
>This option is only applicable in a slave
>.B slapd.
>It specifies the DN allowed to make changes to the replica (typically,
>this is the DN
>.BR slurpd (8)
>binds as when making changes to the replica).
>.TP
>.B updateref <url>
>Specify the referral to pass back when
>.BR slapd (8)
>is asked to modify a replicated local database.
>If specified multiple times, each url is provided.
>.SH LDBM BACKEND-SPECIFIC OPTIONS
>Options in this category only apply to the LDBM backend database. That is,
>they must follow a "database ldbm" line and come before any subsequent
>"database" lines. The LDBM backend is a high-performance database that
>makes extensive use of indexing and caching to speed data access.
>.TP
>.B cachesize <integer>
>Specify the size in entries of the in-memory cache maintained
>by the LDBM backend database instance. The default is 1000 entries.
>.TP
>.B dbcachesize <integer>
>Specify the size in bytes of the in-memory cache associated
>with each open index file. If not supported by the underlying database
>method, this option is ignored without comment. The default is 100000 bytes.
>.TP
>.B dbnolocking
>Specify that no database locking should be performed.
>Enabling this option may improve performance at the expense of data security.
>.B dbnosync
>Specify that on-disk database contents should not be immediately
>synchronized with in memory changes. Enabling this option may improve
>performance at the expense of data security.
>.TP
>.B directory <directory>
>Specify the directory where the LDBM files containing this database and
>associated indexes live. A separate directory must be specified for
>each database. The default is
>.BR LOCALSTATEDIR/openldap-ldbm .
>.TP
>.B
>index {<attrlist>|default} [pres,eq,approx,sub,<special>]
>Specify the indexes to maintain for the given attribute. If only
>an <attr> is given, the indices specified for \fBdefault\fR
>are maintained. A number of special index parameters may be
>specified.
>The index type
>.B sub
>can be decomposed into
>.BR subinitial ,
>.BR subany ,\ and
>.B subfinal
>indices.
>The special type
>.B lang
>may be specified to allow use of this index by language subtypes.
>The special type
>.B autolang
>may be specified to automatically maintain separate indices for each
>language subtypes.
>The special type
>.B subtypes
>may be specified to allow use of this index by named subtypes.
>The special type
>.B autosubtypes
>may be specified to automatically maintain separate indices for each
>other subtypes.
>.TP
>.B mode <integer>
>Specify the file protection mode that newly created database
>index files should have. The default is 0600.
>.SH SHELL BACKEND-SPECIFIC OPTIONS
>Options in this category only apply to the SHELL backend database. That is,
>they must follow a "database shell" line and come before any subsequent
>"database" lines. The Shell backend executes external programs to
>implement operations, and is designed to make it easy to tie an existing
>database to the
>.B slapd
>front-end.
>.TP
>.B bind <pathname>
>.TP
>.B unbind <pathname>
>.TP
>.B search <pathname>
>.TP
>.B compare <pathname>
>.TP
>.B modify <pathname>
>.TP
>.B modrdn <pathname>
>.TP
>.B add <pathname>
>.TP
>.B delete <pathname>
>.TP
>.B abandon <pathname>
>These options specify the pathname of the command to execute in response
>to the given LDAP operation.
>.LP
>Note that you need only supply configuration lines for those commands you
>want the backend to handle. Operations for which a command is not
>supplied will be refused with an "unwilling to perform" error.
>.SH PASSWORD BACKEND-SPECIFIC OPTIONS
>Options in this category only apply to the PASSWD backend database.
>That is, they must follow a "database passwd" line and come before any
>subsequent "database" lines. The PASSWD database serves up the user
>account information listed in the system
>.BR passwd (5)
>file.
>.TP
>.B file <filename>
>Specifies an alternate passwd file to use. The default is
>.B /etc/passwd.
>.SH SQL BACKEND-SPECIFIC OPTIONS
>Options in this category only apply to the SQL backend database.
>That is, they must follow a "database sql" line and come before any
>subsequent "database" lines.
>.TP
>.B dbname <datasource name>
>The name of ODBC datasource to use.
>.TP
>.B dbhost <hostname>
>.TP
>.B dbuser <username>
>.TP
>.B dbpasswd <password>
>These three options are generally unneeded, because this information is already taken from datasource.
>Use them if you need to override datasource settings.
>Also, several RDBMS' drivers tend to require explicit passing of user/password,
>even if those are given in datasource.
>.TP
>.B subtree_cond <SQL expression>
>Specifies a where-clause template used to form subtree search condition.
>It may differ from one SQL dialect to another (see samples).
>.TP
>.B oc_query <SQL expression>
>The default is
>.B "SELECT id, name, keytbl, keycol, create_proc, delete_proc, expect_return FROM ldap_oc_mappings"
>.TP
>.B at_query <SQL expression>
>The default is
>.B "SELECT name, sel_expr, from_tbls, join_where, add_proc, delete_proc, param_order, expect_return FROM ldap_attr_mappings WHERE oc_map_id=?"
>.TP
>.B insentry_query <SQL expression>
>The default is
>.B "INSERT INTO ldap_entries (dn, oc_map_id, parent, keyval) VALUES (?, ?, ?, ?)"
>.TP
>.B delentry_query <SQL expression>
>The default is
>.B "DELETE FROM ldap_entries WHERE id=?"
>
>These four options specify SQL query templates for loading schema mapping metainformation,
>adding and deleting entries to ldap_entries, etc.
>All these and subtree_cond should have the given default values.
>For the current value it is recommended to look at the sources,
>or in the log output when slapd starts with "-d 5" or greater.
>.TP
>.B upper_func <SQL function name>
>Specifies the name of a function that converts a given value to uppercase.
>This is used for CIS matching when the RDBMS is case sensitive.
>I.e., for Oracle this is set to "UPPER" (see sample configuration file
>in subdirectory rdbms_depend/oracle).
>.SH EXAMPLE
>"OpenLDAP Administrator's Guide" contains an annotated
>example of a configuration file.
>.SH FILES
>ETCDIR/slapd.conf
>.SH SEE ALSO
>.BR ldap (3),
>.BR slapd.replog (5),
>.BR locale (5),
>.BR passwd (5),
>.BR slapd (8),
>.BR slapadd (8),
>.BR slapcat (8),
>.BR slapindex (8),
>.BR slappassword (8),
>.BR slurpd (8),
>.LP
>"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
>.SH ACKNOWLEDGEMENTS
>.B OpenLDAP
>is developed and maintained by The OpenLDAP Project (http://www.openldap.org/).
>.B OpenLDAP
>is derived from University of Michigan LDAP 3.3 Release.
>
>--------------DEA26C3CC5AFFD374E61B67B--