Scroll to navigation

DICOD.CONF(5) GNU Dico Reference DICOD.CONF(5)


dicod.conf - GNU dictionary server configuration file.


The file /etc/dicod.conf contains configuration settings and database definitions for the GNU dictionary server dicod(8). The server reads this file once, upon startup, and uses the settings until it is shut down or the HUP signal is delivered, in which case previous configuration settings are discarded and the file is re-read.


This manpage is a short description of the dicod.conf configuration file. For a detailed discussion, including examples and usage recommendations, refer to the GNU Dico Manual available in texinfo format. If the info reader and GNU Dico documentation are properly installed on your system, the command

info dico

should give you access to the complete manual.

You can also view the manual using the info mode in emacs(1), or find it in various formats online at

If any discrepancies occur between this manpage and the GNU Dico Manual, the later shall be considered the authoritative source.


There are three classes of lexical tokens: words, quoted strings, and separators. Blanks, tabs, newlines and comments, collectively called white space are ignored except as they serve to separate tokens. Some white space is required to separate otherwise adjacent keywords and values.


A word is a sequence of letters, digits, and any of the following characters: _, -, ., /, @, *, :, [, ].


A quoted string is any sequence of characters enclosed in double-quotes ("). A backslash appearing within a quoted string introduces an escape sequence, which is replaced with a single character according to the following rules:

	Sequence	Expansion	ASCII
	\\	\	134
	\"	"	042
	\a	audible bell	007	
	\b	backspace	010
	\f	form-feed	014
	\n	new line	012
	\r	charriage return	015
	\t	horizontal tabulation	011
	\v	vertical tabulation	013

In addition, the sequence \newline is removed from the string. This allows to split long strings over several physical lines, e.g.:

"a long string may be\

split over several lines"

If the character following a backslash is not one of those specified above, the backslash is ignored and a warning is issued.

Two or more adjacent quoted strings are concatenated, which gives another way to split long strings over several lines to improve readability. The following fragment produces the same result as the example above:

"a long string may be"
" split over several lines"

A here-document is a special construct that allows to introduce strings of text containing embedded newlines.

The <<word construct instructs the parser to read all the following lines up to the line containing only word, with possible trailing blanks. Any lines thus read are concatenated together into a single string. For example:

A multiline

The body of a here-document is interpreted the same way as a double-quoted string, unless word is preceded by a backslash (e.g. <<\EOT) or enclosed in double-quotes, in which case the text is read as is, without interpretation of escape sequences.

If word is prefixed with - (a dash), then all leading tab characters are stripped from input lines and the line containing word. Furthermore, - is followed by a single space, all leading whitespace is stripped from them. This allows to indent here-documents in a natural fashion. For example:

<<- TEXT

The leading whitespace will be
ignored when reading these lines. TEXT

It is important that the terminating delimiter be the only token on its line. The only exception to this rule is allowed if a here-document appears as the last element of a statement. In this case a semicolon can be placed on the same line with its terminating delimiter, as in:

help-text <<-EOT

A sample help text. EOT;


The usual comment styles are supported:

C style: /* */

C++ style: // to end of line

Unix style: # to end of line

Pragmatic comments are similar to the usual single-line comments, except that they cause some changes in the way the configuration is parsed. Pragmatic comments begin with a # sign and end with the next physical newline character.

#include <FILE>
#include FILE
Include the contents of the file file. Both forms are equivalent. The FILE must be an absolute file name.
#include_once <FILE>
#include_once FILE
Same as #include, except that, if the FILE has already been included, it will not be included again.
#line num
#line num "FILE"
This line causes the parser to believe, for purposes of error diagnostics, that the line number of the next source line is given by num and the current input file is named by FILE. If the latter is absent, the remembered file name does not change.
# num "FILE"
This is a special form of the #line statement, understood for compatibility with the C preprocessor.


A simple statement consists of a keyword and value separated by any amount of whitespace. Some statements take more than one value. Simple statement is terminated with a semicolon (;).

The following is a simple statement:

pidfile /var/run/;

See below for a list of valid simple statements.

A value can be one of the following:

A number is a sequence of decimal digits.
A boolean value is one of the following: yes, true, t or 1, meaning true, and no, false, nil, 0 meaning false.
A comma-separated list of values, enclosed in parentheses.

Block Statement

A block statement introduces a logical group of statements. It consists of a keyword, followed by an optional value, called a tag, and a sequence of statements enclosed in curly braces, as shown in the example below:

acl global {

allow all from;
deny all; }
The closing curly brace may be followed by a semicolon, although this is not required.


Run with the privileges of this user. The argument is either a user name, or UID prefixed with a plus sign.
group LIST
If the user statement is present, dicod will drop all supplementary groups and switch to the principal group of that user. Sometimes, however, it may be necessary to retain one or more supplementary groups. For example, this might be necessary to access dictionary databases. The group statement retains the supplementary groups listed in LIST. Each group can be specified either by its name or by its GID number, prefixed with @samp{+}, e.g.:
user nobody;
group (man, dict +88);

This statement is ignored if no user statement is present or if dicod is running in inetd mode.

Sets server operation mode.
Specify the IP addresses and ports to listen on in daemon mode. By default, dicod will listen on port 2628 on all existing interfaces.

Elements of LIST can have the following forms:

Specifies an IP (version 4 or 6) socket to listen on. The HOST part is either an IPv4 in ``dotted-quad'' notation, or an IPv6 address in square brackets, or a host name. In the latter case, dicod will listen on all IP addresses corresponding to its A and AAAA DNS records.

The PORT part is either a numeric port number or a symbolic service name from the /etc/services file.

Either of the two parts may be omitted. If HOST is omitted, the server will listen on all interfaces. If PORT is omitted, the default port 2628 will be used.

inet://HOST:PORT, inet4://HOST:PORT
Listen on IPv4 socket. HOST is either an IP address or a host name. In the latter case, dicod will start listening on all IP addresses from the A records for this host.

Either HOST or PORT (but not both) can be omitted. Missing HOST defaults to IPv4 addresses on all available network interfaces, and missing PORT defaults to 2628.

Listen on IPv6 socket. HOST is either an IPv6 address in square brackets, or a host name. In the latter case, dicod will start listening on all IP addresses from the AAAA records for this host.

Either HOST or PORT (but not both) can be omitted. Missing HOST defaults to IPv6 addresses on all available network interfaces, and missing PORT defaults to 2628.

Specifies the name of a UNIX socket to listen on. FILENAME must be an absolute file name of the socket.
Store PID of the master process in this file. Default is /var/run/
Sets maximum number of subprocesses that can run simultaneously. This is equivalent to the number of clients that can simultaneously use the server. The default is 64.
Sets inactivity timeout to the NUMBER of seconds. The server disconnects automatically if the remote client has not sent any command within this number of seconds. Setting timeout to 0 disables inactivity timeout (the default).

This statement along with max-children allows you to control the server load.

When the master server is shutting down, wait this number of seconds for all children to terminate. Default is 5 seconds.
Enable identification check using AUTH protocol (RFC 1413). The received user name or UID can be shown in access log using the %l conversion (see below).
Use encryption keys from the named file to decrypt AUTH replies encrypted using DES.
Set timeout for AUTH input/output operation to NUMBER of seconds. Default timeout is 3 seconds.


The authentication database is defined as:

user-db URL {

# Additional configuration options.
options STRING;
# Name of the password resource.
password-resource RESOURCE;
# Name of the resource returning user group information.
group-resource RESOURCE; }

The URL consists of the following parts (square brackets denoting optional ones):



Database type. Two types are supported: text and ldap.
User name, if necessary to access the database.
User password, if necessary to access the database.
Domain name or IP address of a machine running the database.
A path to the database. The exact meaning of this element depends on the database protocol. See the texinfo documentation.
A list of protocol-dependent parameters. Each parameter is of the form KEYWORD=NAME, multiple parameters are separated with semicolons.

The following statements can appear within the user-db block:

Pass additional options to the underlying mechanism. The argument is treated as an opaque string and passed to the authentication open procedure verbatim. Its exact meaning depends on the type of the database.
A database resource which returns the user's password.
group-resource ARG
A database resource which returns the list of groups this user is member of.

The exact semantics of the database resource depends on the type of database being used. For flat text databases, it means the name of a text file that contains these data, for LDAP databases, the resource is the filter string, etc. Please refer to the GNU Dico Manual, subsection 4.3.3 Authentication for a detailed discussion.


The SASL authentication is available if the server was compiled with GNU SASL. It is configured using the following statement:

sasl {

# Disable SASL mechanisms listed in MECH.
disable-mechanism MECH;
# Enable SASL mechanisms listed in MECH.
enable-mechanism MECH;
# Set service name for GSSAPI and Kerberos.
service NAME;
# Set realm name for GSSAPI and Kerberos.
realm NAME;
# Define groups for anonymous users.
anon-group GROUPS; }
Disable SASL mechanisms listed in MECH, which is a list of names.
Enable SASL mechanisms listed in MECH, which is a list of names.
Sets the service name for GSSAPI and Kerberos mechanisms.
Sets the realm name.
Declares the list of user groups considered anonymous.


Define an ACL:

acl NAME {


The parameter NAME assigns a unique name to that ACL. This name will be used by another configuration statements to refer to that ACL (see SECURITY SETTINGS, and Database Visibility).


allow|deny [all|authenticated|group GROUPLIST] [acl NAME] [from ADDRLIST]

A definition starting with allow allows access to the resource, and the one starting with deny denies it.

The next part controls what users have access to the resource:

All users (the default).
Only authenticated users.
Authenticated users which are members of at least one of the groups listed in GROUPLIST.

The acl part refers to an already defined ACL.

The from keyword declares that the client IP must be within the ADDRLIST in order for the definition to apply. Elements of ADDRLIST are:

Matches any client address.
Matches if the request comes from the given IP (both IPv4 and IPv6 are allowed).
Matches if first NETLEN bits from the client IP address equal to ADDR. The network mask length, NETLEN must be an integer number between 0 and 32 for IPv4, and between 0 and 128 for IPv6. The address part, ADDR, is as described above.
The specifier matches if the result of logical AND between the client IP address and NETMASK equals to ADDR. The network mask must be specified in a IP address (either IPv4 or IPv6) notation.


Use ACL NAME to control incoming connections. The ACL itself must be defined before this statement. Using the group clause in this ACL makes no sense, because the authentication itself is performed only after the connection have been established.
Controls whether to show system information in reply to SHOW SERVER command. The information will be shown only if ACL NAME allows it.
Sets name of the ACL that controls visibility of all databases.


Prefix syslog messages with this string. By default, the program name is used.
Sets the syslog facility to use. Allowed values are: user, daemon, auth, authpriv, mail, cron, local0 through local7 (case-insensitive), or a decimal facility number.
Prefix diagnostics messages with a string identifying their severity.
Controls the transcript of user sessions.


GNU Dico provides a feature similar to Apache's CustomLog, which keeps a log of MATCH and DEFINE requests.

Sets access log file name.
Defines the format string. Its argument can contain literal characters, which are copied into the log file verbatim, and format specifiers, i.e. special sequences beginning with %, which are replaced in the log file as shown in the table below:
The percent sign.
Remote IP address.
Local IP address.
Size of response in bytes.
Size of response in bytes in CLF format, i.e. a dash rather than a 0 when no bytes are sent.
Remote client (from the CLIENT command).
The time taken to serve the request, in microseconds.
Request command verb in abbreviated form, suitable for use in URLs, i.e. d for DEFINE, and m for MATCH.
Remote host.
Request command verb (DEFINE or MATCH).
Remote logname (from identd(1), if supplied). This will return a dash unless identity-check statement is set to true.
The search strategy.
The canonical port of the server serving the request.
The PID of the child that served the request.
The database from the request.
Full request.
The Nth token from the request (N is 0-based).
Reply status. For multiple replies, the form %s returns the status of the first reply, while %>s returns that of the last reply.
Time the request was received in the standard Apache format, e.g.:

[04/Jun/2008:11:05:22 +0300]
The time, in the form given by FORMAT, which should be a valid strftime(3) format string. The standard %t format is equivalent to

[%d/%b/%Y:%H:%M:%S %z]
The time taken to serve the request, in seconds.
Remote user from AUTH command.
The host name of the server serving the request.
Actual host name of the server (in case it was overridden in configuration).
The word from the request.

The absence of access-log-format statement is equivalent to the following:

access-log-format "%h %l %u %t \"%r\" %>s %b";


Display TEXT in the textual part of the initial server reply.
Sets the hostname. By default it is determined automatically.

The server hostname is used, among others, in the initial reply after the 220 and may also be displayed in the access log file using the %v escape (see ACCESS LOG).

Sets the server description to be shown in reply to the SHOW SERVER command.

It is common for TEXT to use the here-document syntax, e.g.:

server-info <<EOT
Welcome to the FOO dictionary service.
Contact <> if you have questions or
Sets the text to be displayed in reply to the HELP command.

The default reply displays a list of commands understood by the server with a short description of each.

If TEXT begins with a plus sign, it will be appended to the default reply.

Sets the name of the default matching strategy (*note MATCH::). By default, Levenshtein matching is used, which is equivalent to default-strategy lev;


Requests additional capabilities from the LIST.

Capabilities are certain server features that can be enabled or disabled at the system administrator's will. The following capabilities are defined:

The AUTH command is supported. See the section AUTHENTICATION, for its configuration.
The OPTION MIME command is supported. Notice that RFC 2229 requires all servers to support that command, so you should always specify this capability.
The XVERSION command is supported. It is a GNU extension that displays the dicod implementation and version number.
The XLEV command is supported. This command allows the remote party to set and query maximal Levenshtein distance for the lev matching strategy.

The capabilities set using this directive are displayed in the initial server reply, and their descriptions are added to the HELP command output (unless specified otherwise by the help-text statement).


A database module is an external piece of software designed to handle a particular format of dictionary databases. This piece of software is built as a shared library that `dicod' loads at run time.

A handler is an instance of the database module loaded by dicod and configured for a specific database or a set of databases.

Database handlers are defined using the following block statement:

load-module NAME {

command CMD; }

The load-module statement creates an instance of a database module. The NAME argument specifies a unique name which will be used by subsequent parts of the configuration to refer to this handler. The command line for this handler is supplied with the command statement. It must begin with the name of the module (without the library suffix) and can contain any additional arguments. If the module name is not an absolute file name, the module will be searched in the module load path.

For example:

load-module dict {

command "dictorg dbdir=/var/dicodb"; }

A simplified form of this statement:

load-module NAME;

is equivalent to:

load-module NAME {
command NAME;

A module load path is an internal list of directories which dicod scans in order to find a loadable file name specified in the command statement. By default the search order is as follows:

Optional prefix search directories specified in the prepend-load-path statement (see below);
GNU Dico module directory /usr/lib/x86_64-linux-gnu/dico;
Additional search directories specified in the module-load-path statement (see below);
The value of the environment variable LTDL_LIBRARY_PATH;
The system dependent library search path (e.g. on GNU/Linux it is defined by the file /etc/ and the environment variable LD_LIBRARY_PATH).

The value of LTDL_LIBRARY_PATH and LD_LIBRARY_PATH must be a colon-separated list of absolute directory names.

In each of these directories, dicod first attempts to find and load the given filename. If this fails, it tries to append the following suffixes to it:

the libtool archive suffix .la;
the suffix used for native dynamic libraries on the host platform, e.g., .so, .sl, etc.
Add directories from LIST to the end of the module load path.
Add directories from LIST to the beginning of the module load path.


database {

name WORD;
description STRING;
info TEXT;
languages-from LANGLIST;
languages-to LANGLIST;
handler NAME;
visibility-acl NAME;
mime-headers TEXT; }
Sets the name of this database (a single word). This name will be used to identify this database in DICT commands.
Specifies the handler name for this database and optional arguments for it. This handler must be previously defined using the load-module statement (see above).
Supplies a short description, to be shown in reply to the SHOW DB command. The STRING may not contain newlines.
Defines a full description of the database. This description is shown in reply to the SHOW INFO command. It is usually a multi-line text, so it is common to use here-document syntax.
Sets the content type of the reply (for use in MIME headers).
Sets transfer encoding to use when sending MIME replies for this database. VALUE is one of: base64, quoted-printable.
Sets name of the ACL that controls that database visibility.


A default search is a MATCH request with * or ! as the database argument. The former means search in all available databases, and the latter means search in all databases until a match is found.

Default searches cabd be quite expensive and can cause considerable strain on the server. For example, the command MATCH * priefix "" returns all entries from all available databases, which would consume a lot of resources both on the server and on the client side.

To minimize harmful effects from such potentially dangerous requests, the following statement makes it possible to limit the use of certain strategies in default searches:

strategy NAME {

deny-all BOOL;
deny-word CONDLIST;
deny-length-lt NUMBER;
deny-length-le NUMBER;
deny-length-gt NUMBER;
deny-length-ge NUMBER;
deny-length-eq NUMBER;
deny-length-ne NUMBER; }
Unconditionally deny the use of this strategy in default searches.
Deny this strategy if the search word matches one of the words from LIST.
Deny if length of the search word is less than NUMBER.
Deny if length of the search word is less than or equal to NUMBER.
Deny if length of the search word is greater than NUMBER.
Deny if length of the search word is greater than or equal to NUMBER.
Deny if length of the search word is equal to NUMBER.
Deny if length of the search word is not equal to NUMBER.

For example, the following statement denies the use of prefix strategy in default searches if its argument is an empty string:

strategy prefix {

deny-length-eq 0; }


While tuning your server, it is often necessary to get timing information which shows how much time is spent serving certain requests. This can be achieved using the following configuration directive:

Provide timing information after successful completion of an operation.

This information is displayed after replies to the following requests: MATCH, DEFINE, and QUIT. The format is:

[d/m/c = ND/NM/NC RTr UTu STs]


Number of processed define requests.
Number of processed match requests.
Number of comparisons made. This value may be inaccurate if the underlying database module does not provide such information.
Real time spent serving the request.
Time in user space spent serving the request.
Time in kernel space spent serving the request.

You can also add timing information to your access log files. See the %T conversuion in section ACCESS LOG.


Aliases allow a string to be substituted for a word when it is used as the first word of a command. The daemon maintains a list of aliases that are created using the alias configuration file statement:

Creates a new alias.

Aliases may be recursive, i.e. the first word of COMMAND may refer to another alias. To prevent endless loops, recursive expansion is stopped if the first word of the replacement text is identical to an alias expanded earlier.

Aliases are useful to facilitate manual interaction with the server, as they allow the administrator to create abbreviations for some frequently typed commands. For example, the following alias creates new command d which is equivalent to DEFINE *:

alias d DEFINE "*";


dicod(1), RFC 2229.

Complete GNU Dico manual: run info dico or use emacs(1) info mode to read it.

Online copies of GNU Dico documentation in various formats can be found at:


Sergey Poznyakoff


Report bugs to <>.


Copyright © 2008-2018 Sergey Poznyakoff
License GPLv3+: GNU GPL version 3 or later <>
This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law.

August 20, 2018 GNU DICO