1 .TH SLAPD-LDAP 5 "RELEASEDATE" "OpenLDAP LDVERSION"
2 .\" Copyright 1998-2004 The OpenLDAP Foundation All Rights Reserved.
3 .\" Copying restrictions apply. See COPYRIGHT/LICENSE.
6 slapd-ldap \- LDAP backend to slapd
12 is not an actual database; instead it acts as a proxy to forward incoming
13 requests to another LDAP server. While processing requests it will also
14 chase referrals, so that referrals are fully processed instead of being
15 returned to the slapd client.
17 Sessions that explicitly Bind to the back-ldap database always create their
18 own private connection to the remote LDAP server. Anonymous sessions will
19 share a single anonymous connection to the remote server. For sessions bound
20 through other mechanisms, all sessions with the same DN will share the
21 same connection. This connection pooling strategy can enhance the proxy's
22 efficiency by reducing the overhead of repeatedly making/breaking multiple
25 The ldap database can also act as an information service, i.e. the identity
26 of locally authenticated clients is asserted to the remote server, possibly
27 in some modified form.
28 For this purpose, the proxy binds to the remote server with some
29 administrative identity, and, if required, authorizes the asserted identity.
33 The administrative identity of the proxy, on the remote server, must be
34 allowed to authorize by means of appropriate
43 options apply to the LDAP backend database.
44 That is, they must follow a "database ldap" line and come before any
45 subsequent "backend" or "database" lines.
46 Other database options are described in the
50 Note: It is strongly recommended to set
63 This is because operational attributes related to entry creation and
64 modification should not be used, as they could be passed to the target
65 servers, generating an error.
68 LDAP server to use. Multiple URIs can be set in in a single
70 argument, resulting in the underlying library automatically
71 call the first server of the list that responds, e.g.
73 \fBuri "ldap://host/ ldap://backup-host"\fP
75 The URI list is space- or comma-separated.
78 Obsolete option; same as `uri ldap://<hostport>/'.
80 .B acl-authcDN "<administrative DN for access control purposes>"
81 DN which is used to query the target server for acl checking; it
82 should have read access on the target server to attributes used on the
83 proxy for acl checking.
84 There is no risk of giving away such values; they are only used to
86 .B The acl-authcDN identity is by no means implicitly used by the proxy
87 .B when the client connects anonymously.
89 .B acl-passwd <password>
90 Password used with the bind DN above.
92 .B idassert-authcdn "<administrative DN for proxyAuthz purposes>"
93 DN which is used to propagate the client's identity to the target
94 by means of the proxyAuthz control when the client does not
95 belong to the DIT fragment that is being proxyied by back-ldap.
96 This is useful when operations performed by users bound to another
97 backend are propagated through back-ldap.
98 This requires the entry with
100 identity on the remote server to have
102 privileges on a wide set of DNs, e.g.
103 .BR authzTo=dn.subtree:"" ,
104 and the remote server to have
112 for details on these statements and for remarks and drawbacks about
115 .B idassert-passwd <password>
116 Password used with the proxy authzDN above.
118 .B idassert-mode <mode>
120 .I identity assertion
122 The supported modes are:
126 .B <mode>={legacy|anonymous|none|<id>|self}
129 .B <id>={u:<ID>|[dn:]<DN>}
134 which implies that the proxy will bind as
136 and assert the client's identity when it is not anonymous.
137 Direct binds are always proxied.
138 The other modes imply that the proxy will always bind as
139 .IR idassert-authcdn ,
141 .BR idassert-authzFrom
142 rules (see below), in which case the operation will fail;
143 eventually, it will assert some other identity according to
145 Other identity assertion modes are
149 which respectively mean that the
156 which means that no proxyAuthz control will be used, so the
158 identity will be asserted.
159 Moreover, if a string prefixed with
165 that identity will be asserted.
166 Ths string is also treated as a DN if it is not prefixed
167 by any recognized type indicator. Whether or not the
169 prefix is present, the string must pass DN validation and normalization.
170 For all modes that require the use of the
172 control, on the remote server the proxy identity must have appropriate
174 permissions, or the asserted identities must have appropriate
176 permissions. Note, however, that the ID assertion feature is mostly
177 useful when the asserted identities do not exist on the remote server.
180 .B idassert-authzFrom <authz>
181 if defined, selects what
183 identities are authorized to exploit the identity assertion feature.
186 follows the rules defined for the
193 for details on the supported syntaxes.
195 .B idassert-method <method> [<saslargs>]
196 where valid method values are
199 .B <method>={none|simple|sasl}
202 .B <saslargs>=[mech=<mech>] [realm=<realm>] [authcid=<authcid>] [cred=<cred>]
208 extra parameters can be given a described above.
212 inhibits proxy authorization;
214 uses a SASL bind with the above parameters; if required,
216 is performed by means of native SASL mechanism, and no proxyAuthz
217 is used for subsequent operations.
221 Turns on proxying of the WhoAmI extended operation. If this option is
222 given, back-ldap will replace slapd's original WhoAmI routine with its
223 own. On slapd sessions that were authenticated by back-ldap, the WhoAmI
224 request will be forwarded to the remote LDAP server. Other sessions will
225 be handled by the local slapd, as before. This option is mainly useful
226 in conjunction with Proxy Authorization.
229 If this option is given, the client's bind credentials are remembered
230 for rebinds when chasing referrals.
232 .B suffixmassage <suffix> <massaged (remote) suffix>
233 DNs ending with <suffix> in a request are changed to end with <remote
234 suffix> before sending the request to the remote server, and <remote
235 suffix> in the results are changed back to <suffix> before returning
237 The <suffix> field must be defined as a valid suffix
238 for the current database.
240 .B map "{attribute | objectclass} [<local name> | *] {<foreign name> | *}"
241 Map attribute names and object classes from the foreign server to
242 different values on the local slapd.
243 The reason is that some attributes might not be part of the local
244 slapd's schema, some attribute names might be different but serve the
246 If local or foreign name is `*', the name is preserved.
247 If local name is omitted, the foreign name is removed.
248 Unmapped names are preseved if both local and foreign name are `*',
249 and removed if local name is omitted and foreign name is `*'.
252 The rewrite options are described in the "REWRITING" section of the
256 The following directives map the object class `groupOfNames' to
257 the object class `groupOfUniqueNames' and the attribute type
258 `member' to the attribute type `uniqueMember':
262 map objectclass groupOfNames groupOfUniqueNames
263 map attribute uniqueMember member
267 This presents a limited attribute set from the foreign
274 map attribute manager *
275 map attribute description *
280 These lines map cn, sn, manager, and description to themselves, and
281 any other attribute gets "removed" from the object before it is sent
282 to the client (or sent up to the LDAP server). This is obviously a
283 simplistic example, but you get the point.
287 default slapd configuration file
294 Howard Chu, with enhancements by Pierangelo Masarati