Mac Developer Library Developer


This manual page is for Mac OS X version 10.9

If you are running a different version of Mac OS X, view the documentation locally:

  • In Terminal, using the man(1) command

Reading manual pages

Manual pages are intended as a quick reference for people who already understand a technology.

  • To learn how the manual is organized or to learn about command syntax, read the manual page for manpages(5).

  • For more information about this technology, look for other documentation in the Apple Developer Library.

  • For general information about writing shell scripts, read Shell Scripting Primer.

SLAPD(8C)                                                                                          SLAPD(8C)

       slapd - Stand-alone LDAP Daemon

       /usr/libexec/slapd    [-4|-6]    [-T {acl|a[dd]|auth|c[at]|   d[n]|i[ndex]|p[asswd]|s[chema]|t[est]}]
       [-d debug-level]  [-f slapd-config-file]  [-F slapd-config-directory]   [-h URLs]   [-n service-name]
       [-s syslog-level]  [-l syslog-local-user]  [-o option[=value]]  [-r directory]  [-u user]  [-g group]
       [-c cookie]

       Slapd is the stand-alone LDAP daemon. It listens for LDAP connections on any number of ports (default
       389),  responding  to  the  LDAP  operations  it receives over these connections.  slapd is typically
       invoked at boot time, usually out of /etc/rc.local.  Upon startup, slapd normally forks and  disasso-ciates disassociates
       ciates  itself  from  the  invoking tty.  If configured in the config file (or config directory), the
       slapd process will print its process ID (see getpid(2)) to a .pid file, as well as the  command  line
       options during invocation to an .args file (see slapd.conf(5)).  If the -d flag is given, even with a
       zero argument, slapd will not fork and disassociate from the invoking tty.

       See the "OpenLDAP Administrator's Guide" for more details on slapd.

       -4     Listen on IPv4 addresses only.

       -6     Listen on IPv6 addresses only.

       -T tool
              Run in Tool mode. The tool argument selects  whether  to  run  as  slapadd,  slapcat,  slapdn,
              slapindex,  slappasswd,  slapschema, or slaptest (slapacl and slapauth need the entire acl and
              auth option value to be spelled out, as a is reserved to slapadd).  This option should be  the
              first  option specified when it is used; any remaining options will be interpreted by the cor-responding corresponding
              responding slap tool program, according to the respective man pages.   Note  that  these  tool
              programs  will  usually  be  symbolic  links to slapd.  This option is provided for situations
              where symbolic links are not provided or not usable.

       -d debug-level
              Turn on debugging as defined by debug-level.  If this option is specified, even  with  a  zero
              argument, slapd will not fork or disassociate from the invoking terminal.  Some general opera-tion operation
              tion and status messages are printed for any value of debug-level.  debug-level is taken as  a
              bit  string,  with  each  bit corresponding to a different kind of debugging information.  See
              <ldap_log.h> for details.  Comma-separated arrays of friendly names can be specified to select
              debugging  output of the corresponding debugging information.  All the names recognized by the
              loglevel directive described in slapd.conf(5) are supported.  If debug-level is ?, a  list  of
              installed debug-levels is printed, and slapd exits.

              Remember that if you turn on packet logging, packets containing bind passwords will be output,
              so if you redirect the log to a logfile, that file should be read-protected.

       -s syslog-level
              This option tells slapd at what debug-level debugging statements should be logged to the  sys-log(8) syslog(8)
              log(8) facility.  The value syslog-level can be set to any value or combination allowed by the
              -d switch.  Slapd logs all messages selected by syslog-leveli at the syslog(3) severity debug-level debuglevel
              level DEBUG, on the unit specified with -l.

       -n service-name
              Specifies  the  service name for logging and other purposes.  Defaults to basename of argv[0],
              i.e.: "slapd".

       -l syslog-local-user
              Selects the local user of the syslog(8) facility. Value can be LOCAL0, through LOCAL7, as well
              as USER and DAEMON.  The default is LOCAL4.  However, this option is only permitted on systems
              that support local users with the syslog(8) facility.  Logging  to  syslog(8)  occurs  at  the
              "DEBUG" severity debug-level.

       -f slapd-config-file
              Specifies the slapd configuration file. The default is /etc/openldap/slapd.conf.

       -F slapd-config-directory
              Specifies the slapd configuration directory. The default is /etc/openldap/slapd.d.  If both -f
              and -F are specified, the config file will be read and converted to  config  directory  format
              and written to the specified directory.  If neither option is specified, slapd will attempt to
              read the default config directory before trying to use the default config  file.  If  a  valid
              config  directory  exists  then the default config file is ignored. All of the slap tools that
              use the config options observe this same behavior.

       -h URLlist
              slapd will by default serve ldap:/// (LDAP over TCP on all interfaces on default  LDAP  port).
              That  is,  it  will  bind using INADDR_ANY and port 389.  The -h option may be used to specify
              LDAP  (and  other  scheme)  URLs  to   serve.    For   example,   if   slapd   is   given   -h
              "ldap://  ldaps:///  ldapi:///",  it  will  listen  on for LDAP,
     for LDAP over TLS, and LDAP over IPC (Unix domain sockets).  Host  repre-sents represents
              sents  INADDR_ANY  (any  interface).   A  space  separated list of URLs is expected.  The URLs
              should be of the LDAP, LDAPS, or LDAPI schemes, and generally without a DN or  other  optional
              parameters  (excepting  as  discussed  below).   Support for the latter two schemes depends on
              selected configuration options.  Hosts may be specified by name or IPv4 and IPv6 address  for-mats. formats.
              mats.   Ports, if specified, must be numeric.  The default ldap:// port is 389 and the default
              ldaps:// port is 636.

              For LDAP over IPC, name is the name of the socket, and no port is required, nor allowed;  note
              that  directory  separators must be URL-encoded, like any other characters that are special to
              URLs; so the socket


              must be specified as


              The default location for the IPC socket is /var/db/openldap/run/ldapi

              The listener permissions are indicated by  "x-mod=-rwxrwxrwx",  "x-mod=0777"  or  "x-mod=777",
              where any of the "rwx" can be "-" to suppress the related permission, while any of the "7" can
              be any legal octal digit, according to chmod(1).  The listeners  can  take  advantage  of  the
              "x-mod"  extension  to apply rough limitations to operations, e.g. allow read operations ("r",
              which applies to search and compare), write operations ("w", which  applies  to  add,  delete,
              modify  and  modrdn), and execute operations ("x", which means bind is required).  "User" per-missions permissions
              missions apply to authenticated users, while "other" apply to anonymous users; "group" permis-sions permissions
              sions  are  ignored.  For example, "ldap:///????x-mod=-rw-------" means that read and write is
              only allowed for authenticated connections, and bind is required  for  all  operations.   This
              feature is experimental, and requires to be manually enabled at configure time.

       -r directory
              Specifies  a  directory  to  become the root directory.  slapd will change the current working
              directory to this directory and then chroot(2) to this directory.  This is done after  opening
              listeners but before reading any configuration file or initializing any backend.  When used as
              a security mechanism, it should be used in conjunction with -u and -g options.

       -u user
              slapd will run slapd with the specified user name or id, and that user's  supplementary  group
              access  list  as  set  with  initgroups(3).   The group ID is also changed to this user's gid,
              unless the -g option is used to override.  Note when used with -r, slapd  will  use  the  user
              database in the change root environment.

              Note that on some systems, running as a non-privileged user will prevent passwd back-ends from
              accessing the encrypted passwords.  Note also that any shell back-ends will run as the  speci-fied specified
              fied non-privileged user.

       -g group
              slapd  will  run  with the specified group name or id.  Note when used with -r, slapd will use
              the group database in the change root environment.

       -c cookie
              This option provides a cookie for the syncrepl replication consumer.  The cookie  is  a  comma
              separated  list of name=value pairs.  Currently supported syncrepl cookie fields are rid, sid,
              and csn.  rid identifies a replication thread within the consumer server and is used  to  find
              the syncrepl specification in slapd.conf(5) or slapd-config(5) having the matching replication
              identifier in its definition. The rid must be provided in order for any other specified values
              to  be  used.   sid  is the server id in a multi-master/mirror-mode configuration.  csn is the
              commit sequence number received by a previous synchronization and represents the state of  the
              consumer  replica  content  which the syncrepl engine will synchronize to the current provider
              content.  In case of mirror-mode or multi-master replication agreement, multiple  csn  values,
              semicolon separated, can appear.  Use only the rid part to force a full reload.

       -o option[=value]
              This option provides a generic means to specify options without the need to reserve a separate
              letter for them.

              It supports the following options:

                     When SLP support is compiled into slapd, disable it (off),
                      enable it by registering at SLP DAs without specific SLP attributes (on), or with spe-cific specific
                     cific  SLP attributes slp-attrs that must be an SLP attribute list definition according
                     to the SLP standard.

                     For   example,   "slp=(tree=production),(server-type=OpenLDAP),(server-version=2.4.15)"
                     registers at SLP DAs with the three SLP attributes tree, server-type and server-version
                     that have the values given above.  This allows to specifically query the  SLP  DAs  for
                     LDAP servers holding the production tree in case multiple trees are available.

       To  start  slapd  and  have it fork and detach from the terminal and start serving the LDAP databases
       defined in the default config file, just type:


       To start slapd with an alternate configuration file, and turn on voluminous debugging which  will  be
       printed on standard error, type:

            /usr/libexec/slapd -f /var/tmp/slapd.conf -d 255

       To test whether the configuration file is correct or not, type:

            /usr/libexec/slapd -Tt

       ldap(3),  slapd.conf(5), slapd-config(5), slapd.access(5), slapacl(8), slapadd(8), slapauth(8), slap-cat(8), slapcat(8),
       cat(8), slapdn(8), slapindex(8), slappasswd(8), slapschema(8), slaptest(8).

       "OpenLDAP Administrator's Guide" (


       OpenLDAP Software is developed and maintained by  The  OpenLDAP  Project  <>.
       OpenLDAP Software is derived from University of Michigan LDAP 3.3 Release.

OpenLDAP 2.4.28                                  2011/11/24                                        SLAPD(8C)

Reporting Problems

The way to report a problem with this manual page depends on the type of problem:

Content errors
Report errors in the content of this documentation with the feedback links below.
Bug reports
Report bugs in the functionality of the described tool or API through Bug Reporter.
Formatting problems
Report formatting mistakes in the online version of these pages with the feedback links below.