1 .TH SLAPD-LDAP 5 "RELEASEDATE" "OpenLDAP LDVERSION"
2 .\" Copyright 1998-2004 The OpenLDAP Foundation All Rights Reserved.
3 .\" Copying restrictions apply. See COPYRIGHT/LICENSE.
6 slapd-ldap \- LDAP backend to slapd
12 is not an actual database; instead it acts as a proxy to forward incoming
13 requests to another LDAP server. While processing requests it will also
14 chase referrals, so that referrals are fully processed instead of being
15 returned to the slapd client.
17 Sessions that explicitly Bind to the back-ldap database always create their
18 own private connection to the remote LDAP server. Anonymous sessions will
19 share a single anonymous connection to the remote server. For sessions bound
20 through other mechanisms, all sessions with the same DN will share the
21 same connection. This connection pooling strategy can enhance the proxy's
22 efficiency by reducing the overhead of repeatedly making/breaking multiple
28 options apply to the LDAP backend database.
29 That is, they must follow a "database ldap" line and come before any
30 subsequent "backend" or "database" lines.
31 Other database options are described in the
35 Note: It is strongly recommended to set
48 This is because operational attributes related to entry creation and
49 modification should not be used, as they could be passed to the target
50 servers, generating an error.
53 LDAP server to use. Multiple URIs can be set in in a single
55 argument, resulting in the underlying library automatically
56 call the first server of the list that responds, e.g.
58 \fBuri "ldap://host/ ldap://backup-host"\fP
60 The URI list is space- or comma-separated.
63 Obsolete option; same as `uri ldap://<hostport>/'.
65 .B binddn "<administrative DN for access control purposes>"
66 DN which is used to query the target server for acl checking; it
67 should have read access on the target server to attributes used on the
68 proxy for acl checking.
69 There is no risk of giving away such values; they are only used to
73 Password used with the bind DN above.
75 .B proxyauthzdn "<administrative DN for proxyAuthz purposes>"
76 DN which is used to propagate the client's identity to the target
77 by means of the proxyAuthz control when the client does not
78 belong to the DIT fragment that is being proxyied by back-ldap.
79 This is useful when operations performed by users bound to another
80 backend are propagated through back-ldap.
81 This requires the entry with
83 identity on the remote server to have
85 privileges on a wide set of DNs, e.g.
86 .BR authzTo=dn.regex:.* ,
87 and the remote server to have
95 for details on these statements and for remarks and drawbacks about
98 .B proxyauthzpw <password>
99 Password used with the proxy authzDN above.
101 .B idassert-mode {none|anonymous|self|proxyid|<dn>}
102 defines what type of identity assertion is used.
105 which implies that the proxy will bind as itself and assert the user's
106 identity only when a user is bound.
111 which respectively mean that the empty or the client's identity
114 which means that no proxyAuthz control will be used, so the proxyauthzdn
115 identity will be asserted.
116 Moreover, if a valid DN is used as
118 that identity will be asserted.
120 .B idassert-authz <authz>
121 if defined, selects what
123 identities are authorized to exploit the identity assertion feature.
126 Turns on proxying of the WhoAmI extended operation. If this option is
127 given, back-ldap will replace slapd's original WhoAmI routine with its
128 own. On slapd sessions that were authenticated by back-ldap, the WhoAmI
129 request will be forwarded to the remote LDAP server. Other sessions will
130 be handled by the local slapd, as before. This option is mainly useful
131 in conjunction with Proxy Authorization.
134 If this option is given, the client's bind credentials are remembered
135 for rebinds when chasing referrals.
137 .B suffixmassage <suffix> <massaged (remote) suffix>
138 DNs ending with <suffix> in a request are changed to end with <remote
139 suffix> before sending the request to the remote server, and <remote
140 suffix> in the results are changed back to <suffix> before returning
142 The <suffix> field must be defined as a valid suffix
143 for the current database.
145 .B map "{attribute | objectclass} [<local name> | *] {<foreign name> | *}"
146 Map attribute names and object classes from the foreign server to
147 different values on the local slapd.
148 The reason is that some attributes might not be part of the local
149 slapd's schema, some attribute names might be different but serve the
151 If local or foreign name is `*', the name is preserved.
152 If local name is omitted, the foreign name is removed.
153 Unmapped names are preseved if both local and foreign name are `*',
154 and removed if local name is omitted and foreign name is `*'.
157 The rewrite options are described in the "REWRITING" section of the
161 This maps the OpenLDAP objectclass `groupOfNames' to the Active
162 Directory objectclass `group':
166 map objectclass groupOfNames group
170 This presents a limited attribute set from the foreign
177 map attribute manager *
178 map attribute description *
183 These lines map cn, sn, manager, and description to themselves, and
184 any other attribute gets "removed" from the object before it is sent
185 to the client (or sent up to the LDAP server). This is obviously a
186 simplistic example, but you get the point.
190 default slapd configuration file
197 Howard Chu, with enhancements by Pierangelo Masarati