1 .TH SLAPD-META 5 "RELEASEDATE" "OpenLDAP LDVERSION"
2 .\" Copyright 1998-2005 The OpenLDAP Foundation, All Rights Reserved.
3 .\" Copying restrictions apply. See the COPYRIGHT file.
4 .\" Copyright 2001, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
7 .\" Portions of this document should probably be moved to slapd-ldap(5)
8 .\" and maybe manual pages for librewrite.
11 slapd-meta \- metadirectory backend
19 performs basic LDAP proxying with respect to a set of remote LDAP
20 servers, called "targets".
21 The information contained in these servers can be presented as
22 belonging to a single Directory Information Tree (DIT).
24 A basic knowledge of the functionality of the
26 backend is recommended.
27 This backend has been designed as an enhancement of the ldap backend.
28 The two backends share many features (actually they also share
32 backend is intended to proxy operations directed to a single server, the
34 backend is mainly intended for proxying of multiple servers and possibly
35 naming context masquerading.
36 These features, although useful in many scenarios, may result in
37 excessive overhead for some applications, so its use should be
39 In the examples section, some typical scenarios will be discussed.
41 There are examples in various places in this document, as well as in the
42 slapd/back-meta/data/ directory in the OpenLDAP source tree.
46 options apply to the META backend database.
47 That is, they must follow a "database meta" line and come before any
48 subsequent "backend" or "database" lines.
49 Other database options are described in the
55 backend, operational attributes related to entry creation/modification
56 should not be used, as they would be passed to the target servers,
58 Moreover, it makes little sense to use such attributes in proxying, as
59 the proxy server doesn't actually store data, so it should have no
60 knowledge of such attributes.
61 While code to strip the modification attributes has been put in place
62 (and #ifdef'd), it implies unmotivated overhead.
63 So it is strongly recommended to set
72 .SH SPECIAL CONFIGURATION DIRECTIVES
73 Target configuration starts with the "uri" directive.
74 All the configuration directives that are not specific to targets
75 should be defined first for clarity, including those that are common
79 .B default-target none
80 This directive forces the backend to reject all those operations
81 that must resolve to a single target in case none or multiple
83 They include: add, delete, modify, modrdn; compare is not included, as
84 well as bind since, as they don't alter entries, in case of multiple
85 matches an attempt is made to perform the operation on any candidate
86 target, with the constraint that at most one must succeed.
87 This directive can also be used when processing targets to mark a
88 specific target as default.
90 .B dncache-ttl {forever|disabled|<ttl>}
91 This directive sets the time-to-live of the DN cache.
92 This caches the target that holds a given DN to speed up target
93 selection in case multiple targets would result from an uncached
94 search; forever means cache never expires; disabled means no DN
95 caching; otherwise a valid ( > 0 ) ttl in seconds is required.
97 .B nretries {forever|never|<nretries>}
98 This directive defines how many times a bind should be retried
99 in case of temporary failure in contacting a target. If defined
100 before any target specification, it applies to all targets (by default,
102 the global value can be overridden by redefinitions inside each target
104 .SH TARGET SPECIFICATION
105 Target specification starts with a "uri" directive:
107 .B uri <protocol>://[<host>[:<port>]]/<naming context>
108 The "server" directive that was allowed in the LDAP backend (although
109 deprecated) has been completely discarded in the Meta backend.
110 The <protocol> part can be anything
111 .BR ldap_initialize (3)
112 accepts ({ldap|ldaps|ldapi} and variants); <host> and <port> may be
113 omitted, defaulting to whatever is set in
115 The <naming context> part is mandatory.
116 It must end with one of the naming contexts defined for the backend,
121 suffix "\fBdc=foo,dc=com\fP"
122 uri "ldap://x.foo.com/dc=x,\fBdc=foo,dc=com\fP"
127 The <naming context> part doesn't need to be unique across the targets;
128 it may also match one of the values of the "suffix" directive.
129 Multiple URIs may be defined in a single argument. The URIs must
130 be separated by TABs (e.g. '\\t'; commas or spaces, unlike back-ldap,
132 because they are legal in the <naming context>, and we don't want to use
133 URL-encoded <namimg context>s), and the additional URIs must have
134 no <naming context> part. This causes the underlying library
135 to contact the first server of the list that responds.
138 .B default-target [<target>]
139 The "default-target" directive can also be used during target specification.
140 With no arguments it marks the current target as the default.
141 The optional number marks target <target> as the default one, starting
143 Target <target> must be defined.
145 .B acl-authcDN "<administrative DN for access control purposes>"
146 DN which is used to query the target server for acl checking,
147 as in the LDAP backend; it is supposed to have read access
148 on the target server to attributes used on the proxy for acl checking.
149 There is no risk of giving away such values; they are only used to
151 .B The acl-authcDN identity is by no means implicitly used by the proxy
152 .B when the client connects anonymously.
154 .B acl-passwd <password>
155 Password used with the
161 If this option is given, the client's bind credentials are remembered
162 for rebinds when chasing referrals.
164 .B pseudorootdn "<substitute DN in case of rootdn bind>"
165 This directive, if present, sets the DN that will be substituted to
166 the bind DN if a bind with the backend's "rootdn" succeeds.
167 The true "rootdn" of the target server ought not be used; an arbitrary
168 administrative DN should used instead.
170 .B pseudorootpw "<substitute password in case of rootdn bind>"
171 This directive sets the credential that will be used in case a bind
172 with the backend's "rootdn" succeeds, and the bind is propagated to
173 the target using the "pseudorootdn" DN.
175 Note: cleartext credentials must be supplied here; as a consequence,
176 using the pseudorootdn/pseudorootpw directives is inherently unsafe.
179 The rewrite options are described in the "REWRITING" section.
181 .B suffixmassage "<virtual naming context>" "<real naming context>"
182 All the directives starting with "rewrite" refer to the rewrite engine
183 that has been added to slapd.
184 The "suffixmassage" directive was introduced in the LDAP backend to
185 allow suffix massaging while proxying.
186 It has been obsoleted by the rewriting tools.
187 However, both for backward compatibility and for ease of configuration
188 when simple suffix massage is required, it has been preserved.
189 It wraps the basic rewriting instructions that perform suffix
190 massaging. See the "REWRITING" section for a detailed list
191 of the rewrite rules it implies.
193 Note: this also fixes a flaw in suffix massaging, which operated
194 on (case insensitive) DNs instead of normalized DNs,
195 so "dc=foo, dc=com" would not match "dc=foo,dc=com".
197 See the "REWRITING" section.
199 .B map "{attribute|objectclass} [<local name>|*] {<foreign name>|*}"
200 This maps object classes and attributes as in the LDAP backend.
204 A powerful (and in some sense dangerous) rewrite engine has been added
205 to both the LDAP and Meta backends.
206 While the former can gain limited beneficial effects from rewriting
207 stuff, the latter can become an amazingly powerful tool.
209 Consider a couple of scenarios first.
211 1) Two directory servers share two levels of naming context;
212 say "dc=a,dc=foo,dc=com" and "dc=b,dc=foo,dc=com".
213 Then, an unambiguous Meta database can be configured as:
218 suffix "\fBdc=foo,dc=com\fP"
219 uri "ldap://a.foo.com/dc=a,\fBdc=foo,dc=com\fP"
220 uri "ldap://b.foo.com/dc=b,\fBdc=foo,dc=com\fP"
224 Operations directed to a specific target can be easily resolved
225 because there are no ambiguities.
226 The only operation that may resolve to multiple targets is a search
227 with base "dc=foo,dc=com" and scope at least "one", which results in
228 spawning two searches to the targets.
230 2a) Two directory servers don't share any portion of naming context,
231 but they'd present as a single DIT
232 [Caveat: uniqueness of (massaged) entries among the two servers is
233 assumed; integrity checks risk to incur in excessive overhead and have
234 not been implemented].
235 Say we have "dc=bar,dc=org" and "o=Foo,c=US",
236 and we'd like them to appear as branches of "dc=foo,dc=com", say
237 "dc=a,dc=foo,dc=com" and "dc=b,dc=foo,dc=com".
238 Then we need to configure our Meta backend as:
243 suffix "dc=foo,dc=com"
245 uri "ldap://a.bar.com/\fBdc=a,dc=foo,dc=com\fP"
246 suffixmassage "\fBdc=a,dc=foo,dc=com\fP" "dc=bar,dc=org"
248 uri "ldap://b.foo.com/\fBdc=b,dc=foo,dc=com\fP"
249 suffixmassage "\fBdc=b,dc=foo,dc=com\fP" "o=Foo,c=US"
253 Again, operations can be resolved without ambiguity, although
254 some rewriting is required.
255 Notice that the virtual naming context of each target is a branch of
256 the database's naming context; it is rewritten back and forth when
257 operations are performed towards the target servers.
258 What "back and forth" means will be clarified later.
260 When a search with base "dc=foo,dc=com" is attempted, if the
261 scope is "base" it fails with "no such object"; in fact, the
262 common root of the two targets (prior to massaging) does not
264 If the scope is "one", both targets are contacted with the base
265 replaced by each target's base; the scope is derated to "base".
266 In general, a scope "one" search is honored, and the scope is derated,
267 only when the incoming base is at most one level lower of a target's
268 naming context (prior to massaging).
270 Finally, if the scope is "sub" the incoming base is replaced
271 by each target's unmassaged naming context, and the scope
274 2b) Consider the above reported scenario with the two servers
275 sharing the same naming context:
280 suffix "\fBdc=foo,dc=com\fP"
282 uri "ldap://a.bar.com/\fBdc=foo,dc=com\fP"
283 suffixmassage "\fBdc=foo,dc=com\fP" "dc=bar,dc=org"
285 uri "ldap://b.foo.com/\fBdc=foo,dc=com\fP"
286 suffixmassage "\fBdc=foo,dc=com\fP" "o=Foo,c=US"
290 All the previous considerations hold, except that now there is
291 no way to unambiguously resolve a DN.
292 In this case, all the operations that require an unambiguous target
293 selection will fail unless the DN is already cached or a default
295 Practical configurations may result as a combination of all the
298 Note on ACLs: at present you may add whatever ACL rule you desire
299 to to the Meta (and LDAP) backends.
300 However, the meaning of an ACL on a proxy may require some
302 Two philosophies may be considered:
304 a) the remote server dictates the permissions; the proxy simply passes
305 back what it gets from the remote server.
307 b) the remote server unveils "everything"; the proxy is responsible
308 for protecting data from unauthorized access.
310 Of course the latter sounds unreasonable, but it is not.
311 It is possible to imagine scenarios in which a remote host discloses
312 data that can be considered "public" inside an intranet, and a proxy
313 that connects it to the internet may impose additional constraints.
314 To this purpose, the proxy should be able to comply with all the ACL
315 matching criteria that the server supports.
316 This has been achieved with regard to all the criteria supported by
317 slapd except a special subtle case (please drop me a note if you can
318 find other exceptions: <ando@openldap.org>).
323 access to dn="<dn>" attr=<attr>
324 by dnattr=<dnattr> read
329 cannot be matched iff the attribute that is being requested, <attr>,
330 is NOT <dnattr>, and the attribute that determines membership,
331 <dnattr>, has not been requested (e.g. in a search)
333 In fact this ACL is resolved by slapd using the portion of entry it
334 retrieved from the remote server without requiring any further
335 intervention of the backend, so, if the <dnattr> attribute has not
336 been fetched, the match cannot be assessed because the attribute is
337 not present, not because no value matches the requirement!
339 Note on ACLs and attribute mapping: ACLs are applied to the mapped
340 attributes; for instance, if the attribute locally known as "foo" is
341 mapped to "bar" on a remote server, then local ACLs apply to attribute
342 "foo" and are totally unaware of its remote name.
343 The remote server will check permissions for "bar", and the local
344 server will possibly enforce additional restrictions to "foo".
346 .\" If this section is moved, also update the reference in
347 .\" libraries/librewrite/RATIONALE.
350 A string is rewritten according to a set of rules, called a `rewrite
352 The rules are based on POSIX (''extended'') regular expressions (regex)
353 with substring matching; basic variable substitution and map resolution
354 of substrings is allowed by specific mechanisms detailed in the following.
355 The behavior of pattern matching/substitution can be altered by a set
358 The underlying concept is to build a lightweight rewrite module
359 for the slapd server (initially dedicated to the LDAP backend).
361 An incoming string is matched agains a set of rules.
362 Rules are made of a regex match pattern, a substitution pattern
363 and a set of actions, described by a set of flags.
364 In case of match a string rewriting is performed according to the
365 substitution pattern that allows to refer to substrings matched in the
367 The actions, if any, are finally performed.
368 The substitution pattern allows map resolution of substrings.
369 A map is a generic object that maps a substitution pattern to a value.
370 The flags are divided in "Pattern matching Flags" and "Action Flags";
371 the former alter the regex match pattern behaviorm while the latter
372 alter the action that is taken after substitution.
373 .SH "Pattern Matching Flags"
376 honors case in matching (default is case insensitive)
379 use POSIX ''basic'' regular expressions (default is ''extended'')
384 recursive passes for a specific rule; does not alter the max total count
385 of passes, so it can only enforce a stricter limit for a specific rule.
389 apply the rule once only (default is recursive)
392 stop applying rules in case of match; the current rule is still applied
393 recursively; combine with `:' to apply the current rule only once
397 stop current operation if the rule matches, and issue an `unwilling to
403 rules back and forth (watch for loops!).
404 Note that `G{1}' is implicit in every rule.
407 ignores errors in rule; this means, in case of error, e.g. issued by a
408 map, the error is treated as a missed match.
409 The `unwilling to perform' is not overridden.
415 as return code if the rule matches; the flag does not alter the recursive
416 behavior of the rule, so, to have it performed only once, it must be used
417 in combination with `:', e.g.
419 returns the value `16' after exactly one execution of the rule, if the
421 As a consequence, its behavior is equivalent to `@', with the return
424 or, in other words, `@' is equivalent to `U{0}'.
425 By convention, the freely available codes are above 16 included;
426 the others are reserved.
428 The ordering of the flags can be significant.
429 For instance: `IG{2}' means ignore errors and jump two lines ahead
430 both in case of match and in case of error, while `G{2}I' means ignore
431 errors, but jump two lines ahead only in case of match.
433 More flags (mainly Action Flags) will be added as needed.
434 .SH "Pattern matching:"
439 .SH "Substitution Pattern Syntax:"
440 Everything starting with `%' requires substitution;
442 the only obvious exception is `%%', which is left as is;
444 the basic substitution is `%d', where `d' is a digit;
445 0 means the whole string, while 1-9 is a submatch;
447 a `%' followed by a `{' invokes an advanced substitution.
451 `%' `{' [ <op> ] <name> `(' <substitution> `)' `}'
454 where <name> must be a legal name for the map, i.e.
458 <name> ::= [a-z][a-z0-9]* (case insensitive)
459 <op> ::= `>' `|' `&' `&&' `*' `**' `$'
463 and <substitution> must be a legal substitution
464 pattern, with no limits on the nesting level.
469 sub context invocation; <name> must be a legal, already defined
473 external command invocation; <name> must refer to a legal, already
474 defined command name (NOT IMPL.)
477 variable assignment; <name> defines a variable in the running
478 operation structure which can be dereferenced later; operator
480 assigns a variable in the rewrite context scope; operator
482 assigns a variable that scopes the entire session, e.g. its value
483 can be derefenced later by other rewrite contexts
486 variable dereferencing; <name> must refer to a variable that is
487 defined and assigned for the running operation; operator
489 dereferences a variable scoping the rewrite context; operator
491 dereferences a variable scoping the whole session, e.g. the value
492 is passed across rewrite contexts
495 parameter dereferencing; <name> must refer to an existing parameter;
496 the idea is to make some run-time parameters set by the system
497 available to the rewrite engine, as the client host name, the bind DN
498 if any, constant parameters initialized at config time, and so on;
499 no parameter is currently set by either
503 but constant parameters can be defined in the configuration file
508 Substitution escaping has been delegated to the `%' symbol,
509 which is used instead of `\e' in string substitution patterns
510 because `\e' is already escaped by slapd's low level parsing routines;
511 as a consequence, regex escaping requires two `\e' symbols,
512 e.g. `\fB.*\e.foo\e.bar\fP' must be written as `\fB.*\e\e.foo\e\e.bar\fP'.
514 .\" The symbol can be altered at will by redefining the related macro in
517 .SH "Rewrite context:"
518 A rewrite context is a set of rules which are applied in sequence.
519 The basic idea is to have an application initialize a rewrite
520 engine (think of Apache's mod_rewrite ...) with a set of rewrite
521 contexts; when string rewriting is required, one invokes the
522 appropriate rewrite context with the input string and obtains the
523 newly rewritten one if no errors occur.
525 Each basic server operation is associated to a rewrite context;
526 they are divided in two main groups: client \-> server and
527 server \-> client rewriting.
533 (default) if defined and no specific context
538 searchFilterAttrDN search
540 compareAttrDN compare AVA
544 modifyAttrDN modify AVA
548 exopPasswdDN passwd exop DN if proxy
556 searchResult search (only if defined; no default;
557 acts on DN and DN-syntax attributes
559 searchAttrDN search AVA
560 matchedDN all ops (only if applicable)
564 .SH "Basic configuration syntax"
566 .B rewriteEngine { on | off }
567 If `on', the requested rewriting is performed; if `off', no
568 rewriting takes place (an easy way to stop rewriting without
569 altering too much the configuration file).
571 .B rewriteContext <context name> "[ alias <aliased context name> ]"
572 <Context name> is the name that identifies the context, i.e. the name
573 used by the application to refer to the set of rules it contains.
574 It is used also to reference sub contexts in string rewriting.
575 A context may aliase another one.
576 In this case the alias context contains no rule, and any reference to
577 it will result in accessing the aliased one.
579 .B rewriteRule "<regex match pattern>" "<substitution pattern>" "[ <flags> ]"
580 Determines how a string can be rewritten if a pattern is matched.
581 Examples are reported below.
582 .SH "Additional configuration syntax:"
584 .B rewriteMap "<map type>" "<map name>" "[ <map attrs> ]"
585 Allows to define a map that transforms substring rewriting into
587 The map is referenced inside the substitution pattern of a rule.
589 .B rewriteParam <param name> <param value>
590 Sets a value with global scope, that can be dereferenced by the
591 command `%{$paramName}'.
593 .B rewriteMaxPasses <number of passes> [<number of passes per rule>]
594 Sets the maximum number of total rewriting passes that can be
595 performed in a single rewrite operation (to avoid loops).
596 A safe default is set to 100; note that reaching this limit is still
597 treated as a success; recursive invocation of rules is simply
599 The count applies to the rewriting operation as a whole, not
600 to any single rule; an optional per-rule limit can be set.
601 This limit is overridden by setting specific per-rule limits
602 with the `M{n}' flag.
603 .SH "Configuration examples:"
605 # set to `off' to disable rewriting
608 # the rules the "suffixmassage" directive implies
610 # all dataflow from client to server referring to DNs
611 rewriteContext default
612 rewriteRule "(.*)<virtualnamingcontext>$" "%1<realnamingcontext>" ":"
614 rewriteContext searchFilter
615 # all dataflow from server to client
616 rewriteContext searchResult
617 rewriteRule "(.*)<realnamingcontext>$" "%1<virtualnamingcontext>" ":"
618 rewriteContext searchAttrDN alias searchResult
619 rewriteContext matchedDN alias searchResult
621 # Everything defined here goes into the `default' context.
622 # This rule changes the naming context of anything sent
623 # to `dc=home,dc=net' to `dc=OpenLDAP, dc=org'
625 rewriteRule "(.*)dc=home,[ ]?dc=net"
626 "%1dc=OpenLDAP, dc=org" ":"
628 # since a pretty/normalized DN does not include spaces
629 # after rdn separators, e.g. `,', this rule suffices:
631 rewriteRule "(.*)dc=home,dc=net"
632 "%1dc=OpenLDAP,dc=org" ":"
634 # Start a new context (ends input of the previous one).
635 # This rule adds blanks between DN parts if not present.
636 rewriteContext addBlanks
637 rewriteRule "(.*),([^ ].*)" "%1, %2"
639 # This one eats blanks
640 rewriteContext eatBlanks
641 rewriteRule "(.*),[ ](.*)" "%1,%2"
643 # Here control goes back to the default rewrite
644 # context; rules are appended to the existing ones.
645 # anything that gets here is piped into rule `addBlanks'
646 rewriteContext default
647 rewriteRule ".*" "%{>addBlanks(%0)}" ":"
649 .\" # Anything with `uid=username' is looked up in
650 .\" # /etc/passwd for gecos (I know it's nearly useless,
651 .\" # but it is there just as a guideline to implementing
653 .\" # Note the `I' flag that leaves `uid=username' in place
654 .\" # if `username' does not have a valid account, and the
655 .\" # `:' that forces the rule to be processed exactly once.
656 .\" rewriteContext uid2Gecos
657 .\" rewriteRule "(.*)uid=([a-z0-9]+),(.+)"
658 .\" "%1cn=%2{xpasswd},%3" "I:"
660 .\" # Finally, in a bind, if one uses a `uid=username' DN,
661 .\" # it is rewritten in `cn=name surname' if possible.
662 .\" rewriteContext bindDN
663 .\" rewriteRule ".*" "%{>addBlanks(%{>uid2Gecos(%0)})}" ":"
665 # Rewrite the search base according to `default' rules.
666 rewriteContext searchBase alias default
668 # Search results with OpenLDAP DN are rewritten back with
669 # `dc=home,dc=net' naming context, with spaces eaten.
670 rewriteContext searchResult
671 rewriteRule "(.*[^ ]?)[ ]?dc=OpenLDAP,[ ]?dc=org"
672 "%{>eatBlanks(%1)}dc=home,dc=net" ":"
674 # Bind with email instead of full DN: we first need
675 # an ldap map that turns attributes into a DN (the
676 # argument used when invoking the map is appended to
677 # the URI and acts as the filter portion)
678 rewriteMap ldap attr2dn "ldap://host/dc=my,dc=org?dn?sub"
680 # Then we need to detect DN made up of a single email,
681 # e.g. `mail=someone@example.com'; note that the rule
682 # in case of match stops rewriting; in case of error,
683 # it is ignored. In case we are mapping virtual
684 # to real naming contexts, we also need to rewrite
685 # regular DNs, because the definition of a bindDn
686 # rewrite context overrides the default definition.
687 rewriteContext bindDN
688 rewriteRule "^mail=[^,]+@[^,]+$" "%{attr2dn(%0)}" ":@I"
690 # This is a rather sophisticated example. It massages a
691 # search filter in case who performs the search has
692 # administrative privileges. First we need to keep
693 # track of the bind DN of the incoming request, which is
694 # stored in a variable called `binddn' with session scope,
695 # and left in place to allow regular binding:
696 rewriteContext bindDN
697 rewriteRule ".+" "%{&&binddn(%0)}%0" ":"
699 # A search filter containing `uid=' is rewritten only
700 # if an appropriate DN is bound.
701 # To do this, in the first rule the bound DN is
702 # dereferenced, while the filter is decomposed in a
703 # prefix, in the value of the `uid=<arg>' AVA, and
704 # in a suffix. A tag `<>' is appended to the DN.
705 # If the DN refers to an entry in the `ou=admin' subtree,
706 # the filter is rewritten OR-ing the `uid=<arg>' with
707 # `cn=<arg>'; otherwise it is left as is. This could be
708 # useful, for instance, to allow apache's auth_ldap-1.4
709 # module to authenticate users with both `uid' and
710 # `cn', but only if the request comes from a possible
711 # `cn=Web auth,ou=admin,dc=home,dc=net' user.
712 rewriteContext searchFilter
713 rewriteRule "(.*\e\e()uid=([a-z0-9_]+)(\e\e).*)"
714 "%{**binddn}<>%{&prefix(%1)}%{&arg(%2)}%{&suffix(%3)}"
716 rewriteRule "[^,]+,ou=admin,dc=home,dc=net"
717 "%{*prefix}|(uid=%{*arg})(cn=%{*arg})%{*suffix}" ":@I"
718 rewriteRule ".*<>" "%{*prefix}uid=%{*arg}%{*suffix}" ":"
720 # This example shows how to strip unwanted DN-valued
721 # attribute values from a search result; the first rule
722 # matches DN values below "ou=People,dc=example,dc=com";
723 # in case of match the rewriting exits successfully.
724 # The second rule matches everything else and causes
725 # the value to be rejected.
726 rewriteContext searchResult
727 rewriteRule ".*,ou=People,dc=example,dc=com" "%0" ":@"
728 rewriteRule ".*" "" "#"
730 .SH "LDAP Proxy resolution (a possible evolution of slapd\-ldap(5)):"
731 In case the rewritten DN is an LDAP URI, the operation is initiated
732 towards the host[:port] indicated in the uri, if it does not refer
737 rewriteRule '^cn=root,.*' '%0' 'G{3}'
738 rewriteRule '^cn=[a-l].*' 'ldap://ldap1.my.org/%0' ':@'
739 rewriteRule '^cn=[m-z].*' 'ldap://ldap2.my.org/%0' ':@'
740 rewriteRule '.*' 'ldap://ldap3.my.org/%0' ':@'
743 (Rule 1 is simply there to illustrate the `G{n}' action; it could have
747 rewriteRule '^cn=root,.*' 'ldap://ldap3.my.org/%0' ':@'
750 with the advantage of saving one rewrite pass ...)
755 backend does not honor all ACL semantics as described in
756 .BR slapd.access (5).
757 In general, access checking is delegated to the remote server(s).
762 pseudo-attribute and to the other attribute values of the entries
765 operation is honored, which is performed by the frontend.
767 .SH PROXY CACHE OVERLAY
768 The proxy cache overlay
769 allows caching of LDAP search requests (queries) in a local database.
776 default slapd configuration file
780 .BR slapo\-pcache (5),
785 Pierangelo Masarati, based on back-ldap by Howard Chu