Merge branch 'mdb.master' of ssh://git-master.openldap.org/~git/git/openldap

[openldap] / doc / man / man5 / slapo-translucent.5

diff --git a/doc/man/man5/slapo-translucent.5 b/doc/man/man5/slapo-translucent.5
index b1da11d9625b0b8b0715bc96957df208c865bfa0..f28a3769cf384ce5f8f6f34630703a12c42fd1df 100644 (file)
--- a/doc/man/man5/slapo-translucent.5
+++ b/doc/man/man5/slapo-translucent.5
@@ -1,14 +1,14 @@
 .TH SLAPO-TRANSLUCENT 5 "RELEASEDATE" "OpenLDAP LDVERSION"
 .TH SLAPO-TRANSLUCENT 5 "RELEASEDATE" "OpenLDAP LDVERSION"

-.\" Copyright 2004-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 2004-2011 The OpenLDAP Foundation All Rights Reserved.

 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .\" $OpenLDAP$
 .SH NAME
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .\" $OpenLDAP$
 .SH NAME

-slapo-translucent \- Translucent Proxy overlay to slapd
+slapo\-translucent \- Translucent Proxy overlay to slapd

 .SH SYNOPSIS
 ETCDIR/slapd.conf
 .SH DESCRIPTION
 The Translucent Proxy overlay can be used with a backend database such as
 .SH SYNOPSIS
 ETCDIR/slapd.conf
 .SH DESCRIPTION
 The Translucent Proxy overlay can be used with a backend database such as

-.BR slapd-bdb (5)
+.BR slapd\-bdb (5)

 to create a "translucent proxy".  Entries retrieved from a remote LDAP
 server may have some or all attributes overridden, or new attributes
 added, by entries in the local database before being presented to the
 to create a "translucent proxy".  Entries retrieved from a remote LDAP
 server may have some or all attributes overridden, or new attributes
 added, by entries in the local database before being presented to the


@@ -31,15 +31,19 @@ operation will perform a comparison with attributes defined in the local
 database record (if any) before any comparison is made with data in the
 remote database.
 .SH CONFIGURATION
 database record (if any) before any comparison is made with data in the
 remote database.
 .SH CONFIGURATION

-The Translucent Proxy overlay uses a remote LDAP server which is configured
-with the options shown in
-.BR slapd-ldap (5).
+The Translucent Proxy overlay uses a proxied database,
+typically a (set of) remote LDAP server(s), which is configured with the options shown in
+.BR slapd\-ldap (5),
+.BR slapd\-meta (5)
+or similar.

 These
 .B slapd.conf
 options are specific to the Translucent Proxy overlay; they must appear 
 after the
 .B overlay
 These
 .B slapd.conf
 options are specific to the Translucent Proxy overlay; they must appear 
 after the
 .B overlay

-directive.
+directive that instantiates the
+.B translucent
+overlay.

 .TP
 .B translucent_strict
 By default, attempts to delete attributes in either the local or remote
 .TP
 .B translucent_strict
 By default, attempts to delete attributes in either the local or remote


@@ -83,6 +87,33 @@ is specified, searches will only be run on the remote database. In any case, bot
 the local and remote entries corresponding to a search result will be merged
 before being returned to the client.
 
 the local and remote entries corresponding to a search result will be merged
 before being returned to the client.
 

+.TP
+.B translucent_bind_local 
+Enable looking for locally stored credentials for simple bind when binding
+to the remote database fails.  Disabled by default.
+
+.TP
+.B translucent_pwmod_local
+Enable RFC 3062 Password Modification extended operation on locally stored
+credentials.  The operation only applies to entries that exist in the remote
+database.  Disabled by default.
+
+.SH ACCESS CONTROL
+Access control is delegated to either the remote DSA(s) or to the local database
+backend for
+.B auth
+and
+.B write
+operations.
+It is delegated to the remote DSA(s) and to the frontend for
+.B read
+operations.
+Local access rules involving data returned by the remote DSA(s) should be designed
+with care.  In fact, entries are returned by the remote DSA(s) only based on the
+remote fraction of the data, based on the identity the operation is performed as.
+As a consequence, local rules might only be allowed to see a portion
+of the remote data.
+

 .SH CAVEATS
 .LP
 The Translucent Proxy overlay will disable schema checking in the local database,
 .SH CAVEATS
 .LP
 The Translucent Proxy overlay will disable schema checking in the local database,


@@ -98,4 +129,5 @@ ETCDIR/slapd.conf
 default slapd configuration file
 .SH SEE ALSO
 .BR slapd.conf (5),
 default slapd configuration file
 .SH SEE ALSO
 .BR slapd.conf (5),

-.BR slapd-ldap (5).
+.BR slapd\-config (5),
+.BR slapd\-ldap (5).