<limits.h> cleanup && ITS#3643

[openldap] / doc / man / man5 / slapd-ldap.5

.TH SLAPD-LDAP 5 "RELEASEDATE" "OpenLDAP LDVERSION"
.\" Copyright 1998-2005 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
slapd-ldap \- LDAP backend to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
The LDAP backend to
.BR slapd (8)
is not an actual database; instead it acts as a proxy to forward incoming
requests to another LDAP server. While processing requests it will also
chase referrals, so that referrals are fully processed instead of being
returned to the slapd client.

Sessions that explicitly Bind to the back-ldap database always create their
own private connection to the remote LDAP server. Anonymous sessions will
share a single anonymous connection to the remote server. For sessions bound
through other mechanisms, all sessions with the same DN will share the
same connection. This connection pooling strategy can enhance the proxy's
efficiency by reducing the overhead of repeatedly making/breaking multiple
connections.

The ldap database can also act as an information service, i.e. the identity
of locally authenticated clients is asserted to the remote server, possibly
in some modified form.
For this purpose, the proxy binds to the remote server with some 
administrative identity, and, if required, authorizes the asserted identity.
See the 
.IR idassert- *
rules below.
The administrative identity of the proxy, on the remote server, must be 
allowed to authorize by means of appropriate
.B authzTo
rules; see 
.BR slapd.conf (5)
for details.

.SH CONFIGURATION
These
.B slapd.conf
options apply to the LDAP backend database.
That is, they must follow a "database ldap" line and come before any
subsequent "backend" or "database" lines.
Other database options are described in the
.BR slapd.conf (5)
manual page.
.LP
Note: In early versions of back-ldap it was recommended to always set
.LP
.RS
.nf
lastmod  off
.fi
.RE
.LP
for every
.B ldap
and
.B meta
database.
This is because operational attributes related to entry creation and
modification should not be used, as they could be passed to the target
servers, generating an error.
The current implementation automatically sets ldapmod to off, so its use
is redundant and can be safely omitted.
.TP
.B uri <ldapurl>
LDAP server to use.  Multiple URIs can be set in in a single
.B ldapurl
argument, resulting in the underlying library automatically 
call the first server of the list that responds, e.g. 

\fBuri "ldap://host/ ldap://backup-host"\fP

The URI list is space- or comma-separated.
.\".TP
.\".B server <hostport>
.\"Obsolete option; same as `uri ldap://<hostport>/'.
.TP
.B acl-authcDN "<administrative DN for access control purposes>"
DN which is used to query the target server for acl checking; it
is supposed to have read access on the target server to attributes used
on the proxy for acl checking.
There is no risk of giving away such values; they are only used to
check permissions.
.B The acl-authcDN identity is by no means implicitly used by the proxy 
.B when the client connects anonymously.
See the
.B idassert-*
feature instead.
.TP
.B acl-passwd <password>
Password used with the
.B 
acl-authcDN
above.
.TP
.B idassert-authcdn "<administrative DN for proxyAuthz purposes>"
DN which is used to propagate the client's identity to the target
by means of the proxyAuthz control when the client does not
belong to the DIT fragment that is being proxyied by back-ldap.
This is useful when operations performed by users bound to another 
backend are propagated through back-ldap.
This requires the entry with 
.B idassert-authcdn
identity on the remote server to have
.B proxyAuthz
privileges on a wide set of DNs, e.g.
.BR authzTo=dn.subtree:"" ,
and the remote server to have
.B authz-policy
set to 
.B to
or 
.BR both .
See 
.BR slapd.conf (5)
for details on these statements and for remarks and drawbacks about
their usage.
.TP
.B idassert-passwd <password>
Password used with the
.B idassert-authcdn
above.
.TP
.B idassert-mode <mode> [<flags>]
defines what type of
.I identity assertion
is used.
The supported modes are:

\fB<mode> := {legacy|anonymous|none|<id>|self}\fP

\fB<flags> := {override}\fP

\fB<id> := {u:<ID>|[dn:]<DN>}\fP

The default is 
.BR legacy ,
which implies that the proxy will bind as
.I idassert-authcdn
and assert the client's identity when it is not anonymous.
Direct binds are always proxied.
The other modes imply that the proxy will always bind as 
.IR idassert-authcdn ,
unless restricted by
.BR idassert-authzFrom
rules (see below), in which case the operation will fail;
eventually, it will assert some other identity according to
.BR <mode> .
Other identity assertion modes are
.BR anonymous
and
.BR self ,
which respectively mean that the 
.I empty 
or the 
.IR client 's 
identity
will be asserted;
.BR none ,
which means that no proxyAuthz control will be used, so the
.I idassert-authcdn
identity will be asserted.
Moreover, if a string prefixed with
.B u:
or 
.B dn:
is used as 
.BR <mode> ,
that identity will be asserted.
Ths string is also treated as a DN if it is not prefixed
by any recognized type indicator.  Whether or not the 
.B dn: 
prefix is present, the string must pass DN validation and normalization.
For all modes that require the use of the
.I proxyAuthz 
control, on the remote server the proxy identity must have appropriate 
.I authzTo
permissions, or the asserted identities must have appropriate
.I authzFrom 
permissions.  Note, however, that the ID assertion feature is mostly 
useful when the asserted identities do not exist on the remote server.
When the 
.B override
flag is used, identity assertion takes place even when the database
is authorizing for the identity of the client, i.e. after binding
with the provided identity, and thus authenticating it, the proxy
performs the identity assertion using the configured identity and
authentication method.
.RE
.TP
.B idassert-authzFrom <authz-regexp>
if defined, selects what
.I local
identities are authorized to exploit the identity assertion feature.
The string
.B <authz-regexp>
follows the rules defined for the
.I authzFrom
attribute.
See 
.BR slapd.conf (5),
section related to
.BR authz-policy ,
for details on the syntax of this field.
.TP
.B idassert-method <method> [<saslargs>]
where valid method values are

\fB<method> := {none|simple|sasl}\fP

\fB<saslargs> := [mech=<mech>] [realm=<realm>] [authcid=<authcid>] [cred=<cred>] [authz={native|proxyauthz}]\fP

If method is 
.IR sasl ,
extra parameters can be given as described above.
The default is
.BR simple ;
.B none
inhibits proxy authorization;
.B sasl
uses a SASL bind with the above parameters; if required,
.I authorization
is performed by means of native SASL mechanism, and no proxyAuthz
is used for subsequent operations.
.RE
.TP
.B proxy-whoami
Turns on proxying of the WhoAmI extended operation. If this option is
given, back-ldap will replace slapd's original WhoAmI routine with its
own. On slapd sessions that were authenticated by back-ldap, the WhoAmI
request will be forwarded to the remote LDAP server. Other sessions will
be handled by the local slapd, as before. This option is mainly useful
in conjunction with Proxy Authorization.
.TP
.B rebind-as-user
If this option is given, the client's bind credentials are remembered
for rebinds when chasing referrals.  Useful in conjunction with
\fBchase-referrals\fP, useless if \fBdont-chase-referrals\fP is set.
.LP
.B chase-referrals
.br
.B dont-chase-referrals
.RS
enable/disable automatic referral chasing, which is delegated to the
underlying libldap, with rebinding eventually performed if the
\fBrebind-as-user\fP directive is used.  The default is to chase referrals.
.RE

.LP
.B tls-start
.br
.B tls-try-start
.br
.B tls-propagate
.br
.B tls-try-propagate
.RS
execute the start TLS extended operation when the connection is initialized;
only works if the URI directive protocol scheme is not \fBldaps://\fP.
The \fBtls-propagate\fP version issues the Start TLS exop only if the original
connection did.
\fBtry-start-tls\fP and \fBtry-propagate-tls\fP continue operations
if start TLS failed.
.RE

.TP
.B suffixmassage, map, rewrite*
These directives are no longer supported by back-ldap; their 
functionality is now delegated to the
.B rwm
overlay; see
.BR slapo-rwm (5)
for details.
However, to ease update from existing configurations, back-ldap still 
recognizes them and automatically instantiates the
.B rwm
overlay if available and not instantiated yet.
This behavior may change in the future.

.SH ACCESS CONTROL
The
.B ldap
backend does not honor all ACL semantics as described in
.BR slapd.access (5).
In general, access checking is delegated to the remote server(s).
Only
.B read (=r)
access to the
.B entry
pseudo-attribute and to the other attribute values of the entries
returned by the
.B search
operation is honored, which is performed by the frontend.

.SH PROXY CACHE OVERLAY
The proxy cache overlay 
allows caching of LDAP search requests (queries) in a local database.
See 
.BR slapo-pcache (5)
for details.
.SH FILES
.TP
ETCDIR/slapd.conf
default slapd configuration file
.SH SEE ALSO
.BR slapd.conf (5),
.BR slapd\-meta (5),
.BR slapo\-pcache (5),
.BR slapo\-rwm (5),
.BR slapd (8),
.BR ldap (3).
.SH AUTHOR
Howard Chu, with enhancements by Pierangelo Masarati