.TH SLAPD-LDAP 5 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" Copyright 1998-2003 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 1998-2004 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
requests to another LDAP server. While processing requests it will also
chase referrals, so that referrals are fully processed instead of being
returned to the slapd client.
+
+Sessions that explicitly Bind to the back-ldap database always create their
+own private connection to the remote LDAP server. Anonymous sessions will
+share a single anonymous connection to the remote server. For sessions bound
+through other mechanisms, all sessions with the same DN will share the
+same connection. This connection pooling strategy can enhance the proxy's
+efficiency by reducing the overhead of repeatedly making/breaking multiple
+connections.
+
.SH CONFIGURATION
These
.B slapd.conf
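Review bot: the sentence "all sessions with the same DN will share the same connection" in the added pooling paragraph does not say which identity that shared connection is bound as on the remote server, and "bound through other mechanisms" is left undefined. The remote server applies its access control to the identity on the connection, so please name the mechanisms meant and state how the remote bind is made for those sessions (a pointer to the proxyauthzdn option would do). That lets an administrator judge what the pooled connection is allowed to do.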
manual page.
.LP
Note: It is strongly recommended to set
+.LP
.RS
+.nf
lastmod off
+.fi
.RE
+.LP
for every
.B ldap
and
.B bindpw <password>
Password used with the bind DN above.
.TP
+.B proxyauthzdn "<administrative DN for proxyAuthz purposes>"
+DN which is used to propagate the client's identity to the target
+by means of the proxyAuthz control when the client does not
+belong to the DIT fragment that is being proxyied by back-ldap.
+This is useful when operations performed by users bound to another
+backend are propagated through back-ldap.
+This requires the entry with
+.B proxyauthzdn
+identity on the remote server to have
+.B proxyAuthz
+privileges on a wide set of DNs, e.g.
+.BR saslAuthzTo=dn.regex:.* ,
+and the remote server to have
+.B sasl-authz-policy
+set to
+.B to
+or
+.BR both .
+See
+.BR slapd.conf (5)
+for details on these statements and for remarks and drawbacks about
+their usage.
+.TP
+.B proxyauthzpw <password>
+Password used with the proxy authz DN above.
+.TP
+.B proxy-whoami
+Turns on proxying of the WhoAmI extended operation. If this option is
+given, back-ldap will replace slapd's original WhoAmI routine with its
+own. On slapd sessions that were authenticated by back-ldap, the WhoAmI
+request will be forwarded to the remote LDAP server. Other sessions will
+be handled by the local slapd, as before. This option is mainly useful
+in conjunction with Proxy Authorization.
+.TP
.B rebind-as-user
If this option is given, the client's bind credentials are remembered
for rebinds when chasing referrals.
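Review bot: in the proxyauthzdn entry, the only example given, "saslAuthzTo=dn.regex:.*", authorizes the proxy identity to act as any DN on the remote server, and the text does not say that whoever can read proxyauthzpw in slapd.conf gains the same authority. Suggest showing a pattern limited to the DNs that actually need to be proxied, mentioning ".*" only as the widest case, and adding a sentence to the proxyauthzpw entry that the configuration file must not be readable by other users. Two smaller points: "proxyied" should read "proxied", and the proxy-whoami entry should say whether replacing "slapd's original WhoAmI routine" affects every database in the server or only this one.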
suffix> before sending the request to the remote server, and <remote
suffix> in the results are changed back to <suffix> before returning
them to the client.
-The <suffix> field must be defined as a valid suffix (or suffixAlias?)
+The <suffix> field must be defined as a valid suffix
for the current database.
.TP
.B map "{attribute | objectclass} [<local name> | *] {<foreign name> | *}"
.BR slapd-meta (5),
.BR slapd (8),
.BR ldap (3).
-
+.SH AUTHOR
+Howard Chu, with enhancements by Pierangelo Masarati