The most significant change is that, while is still supported (as of 2.4), increasingly Open LDAP is moving toward On-Line Configuration (OLC) - frequently also known as cn=config or slapd.d configuration.
This method enables most configuration changes to be made without starting and stopping the LDAP server.
The side-effect of this complexity and power is that it is very easy to get olc Access (access to) attributes/directives horribly wrong.
You must thoroughly test ACL directives with all possible permissions.
Current (2.4) is versions are now warning that attr is deprecated so the parameter has been changed to attrs in our documentation and all sample files).Unless otherwise noted all the attributes/directives below can appear in the global, backend or database entries/sections.olc Access attribute (access to directive) olc Allows attribute (allow directive) olc Args File attribute (argsfile directive) attributetype (olc Attribute Types) concurrency (olc Concurrency) conn_max_pending (olc Conn Max Pending) conn_max_auth (olc Conn Max Pending Auth) defaultaccess defaultsearchbase (olc Default Search Base) disallow (olc Disallows) gentlehup (olc Gentle HUP) idletimeout (olc Idle Timeout) include olc Db Index (index) logfile (olc Log File) loglevel (olc Log Level) olc Module Load (moduleload) modulepath (olc Module Path) objectclass (olc Object Classes) password-hash (olc Password Hash) pidfile (olc Pid File) referral (olc Referral) replicationinterval require (olc Requires) reverse-lookup (olc Reverse Lookup) root DSE (olc Root DSE) schemadn (olc Schema DN) security (olc Security) Server ID (olc Server ID) sizelimit (olc Size Limit) sockbuf_max_incoming (olc Sock Buf Max Incoming) sockbuf_max_incoming_auth (olc Sock Buf Max Incoming Auth) threads (olc Threads) timelimit (olc Time Limit) TLS Server overview - what is a TLS Server TLSCACertificate File (olc TLSCACertificate File) TLSCertificate File (olc TLSCertificate File) TLSCertificate Key File (olc TLSCertificate Key File) TLSCipher Suite (olc TLSCipher Suite) TLSRand File (olc TLSRand File) TLSEphemeral DHParam File (olc TLSDHParam File) TLSVerify Client (olc TLSVerify Client) TLS Server overview - what is a TLS Client TLS_CACERT In all appropriate cases the OLC (cn=config) form is shown first followed by the form in parentheses to reflect the move to OLC (cn=config) form of configuration.There are three additional pseudo-attributes that may be used: Open LDAP 2.2 the @ implies all attributes of the objectclass defined, for example, [email protected] Org Person will include all the attributes of this object Class and all its parents (organizational Person, Person). is used then only attributes NOT defined for the object Class (and its parents) are included thus attrs=!inet Org Person excludes all attributes in the MUST and MAY lists for the object Class (and its parents).