slapd-sock — Socket backend to slapd
ETCDIR/slapd.conf
The Socket backend to slapd(8) uses an external program to handle queries, similarly to slapd-shell(5). However, in this case the external program listens on a Unix domain socket. This makes it possible to have a pool of processes, which persist between requests. This allows multithreaded operation and a higher level of efficiency. The external program must have been started independently; slapd(8) itself will not start it.
These slapd.conf
options apply to the SOCK backend database. That is, they
must follow a "database sock" line and come before any
subsequent "backend" or "database" lines. Other database
options are described in the slapd.conf(5) manual
page.
Enables the sending of additional meta-attributes with each request.
binddn: <bound DN> peername: IP=<address>:<port> ssf: <SSF value>
Gives the path to a Unix domain socket to which the commands will be sent and from which replies are received.
The protocol is essentially the same as slapd-shell(5) with the addition of a newline to terminate the command parameters. The following commands are sent:
ADD msgid: <message id> <repeat { "suffix:" <database suffix DN> }> <entry in LDIF format> <blank line>
BIND msgid: <message id> <repeat { "suffix:" <database suffix DN> }> dn: <DN> method: <method number> credlen: <length of <credentials>> cred: <credentials> <blank line>
COMPARE msgid: <message id> <repeat { "suffix:" <database suffix DN> }> dn: <DN> <attribute>: <value> <blank line>
DELETE msgid: <message id> <repeat { "suffix:" <database suffix DN> }> dn: <DN> <blank line>
MODIFY msgid: <message id> <repeat { "suffix:" <database suffix DN> }> dn: <DN> <repeat { <"add"/"delete"/"replace">: <attribute> <repeat { <attribute>: <value> }> - }> <blank line>
MODRDN msgid: <message id> <repeat { "suffix:" <database suffix DN> }> dn: <DN> newrdn: <new RDN> deleteoldrdn: <0 or 1> <if new superior is specified: "newSuperior: <DN>"> <blank line>
SEARCH msgid: <message id> <repeat { "suffix:" <database suffix DN> }> base: <base DN> scope: <0-2, see ldap.h> deref: <0-3, see ldap.h> sizelimit: <size limit> timelimit: <time limit> filter: <filter> attrsonly: <0 or 1> attrs: <"all" or space-separated attribute list> <blank line>
UNBIND msgid: <message id> <repeat { "suffix:" <database suffix DN> }> <blank line>
The commands - except unbind - should output:
RESULT code: <integer> matched: <matched DN> info: <text>
where only RESULT is mandatory, and then close the socket.
The search RESULT
should be preceded by the entries in LDIF format, each entry
followed by a blank line. Lines starting with `#' or `DEBUG:'
are ignored.
The sock backend
does not honor all ACL semantics as described in slapd.access(5). In
general, access to objects is checked by using a dummy object
that contains only the DN, so access rules that rely on the
contents of the object are not honored. In detail:
The add
operation does not require write
(=w) access to the children pseudo-attribute of
the parent entry.
The bind
operation requires auth
(=x) access to the entry pseudo-attribute of the
entry whose identity is being assessed; auth (=x) access to the
credentials is not checked, but rather delegated to the
underlying program.
The compare
operation requires compare
(=c) access to the entry pseudo-attribute of the
object whose value is being asserted; compare (=c) access to the
attribute whose value is being asserted is not checked.
The delete
operation does not require write
(=w) access to the children pseudo-attribute of
the parent entry.
The modify
operation requires write
(=w) access to the entry pseudo-attribute;
write (=w) access to
the specific attributes that are modified is not checked.
The modrdn
operation does not require write
(=w) access to the children pseudo-attribute of
the parent entry, nor to that of the new parent, if
different; write (=w)
access to the distinguished values of the naming attributes
is not checked.
The search
operation does not require search
(=s) access to the entry pseudo_attribute of the
searchBase; search
(=s) access to the attributes and values used in
the filter is not checked.