.TH SLAPD-LDAP 5 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" Copyright 1998-2006 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 1998-2008 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
.BR slapd.conf (5)
for details.
+The proxy instance of
+.BR slapd (8)
+must contain schema information for the attributes and objectClasses
+used in filters, request DN and request-related data in general.
+It should also contain schema information for the data returned
+by the proxied server.
+It is the responsibility of the proxy administrator to keep the schema
+of the proxy lined up with that of the proxied server.
+
.LP
-Note: When looping back to the same instance of \fBslapd\fP(8),
-each connection requires a new thread; as a consequence, \fBslapd\fP(8)
+Note: When looping back to the same instance of
+.BR slapd (8),
+each connection requires a new thread; as a consequence,
+.BR slapd (8)
must be compiled with thread support, and the \fBthreads\fP parameter
may need some tuning; in those cases, one may consider using
-\fBslapd-relay\fP(5) instead, which performs the relayed operation
+.BR slapd-relay (5)
+instead, which performs the relayed operation
internally and thus reuses the same connection.
.SH CONFIGURATION
.B bindmethod=simple|sasl [binddn=<simple DN>] [credentials=<simple password>]
.B [saslmech=<SASL mech>] [secprops=<properties>] [realm=<realm>]
.B [authcId=<authentication ID>] [authzId=<authorization ID>]
+.B [tls_cert=<file>]
+.B [tls_key=<file>]
+.B [tls_cacert=<file>]
+.B [tls_cacertdir=<path>]
+.B [tls_reqcert=never|allow|try|demand]
+.B [tls_ciphersuite=<ciphers>]
+.B [tls_crlcheck=none|peer|all]
.RS
Allows to define the parameters of the authentication method that is
internally used by the proxy to collect info related to access control,
.BR acl-authcDN ,
and
.BR acl-passwd .
+
+The TLS settings default to the same as the main slapd TLS settings,
+except for
+.B tls_reqcert
+which defaults to "demand".
.RE
.TP
.B [saslmech=<SASL mech>] [secprops=<properties>] [realm=<realm>]
.B [authcId=<authentication ID>] [authzId=<authorization ID>]
.B [authz={native|proxyauthz}] [mode=<mode>] [flags=<flags>]
+.B [tls_cert=<file>]
+.B [tls_key=<file>]
+.B [tls_cacert=<file>]
+.B [tls_cacertdir=<path>]
+.B [tls_reqcert=never|allow|try|demand]
+.B [tls_ciphersuite=<ciphers>]
+.B [tls_crlcheck=none|peer|all]
.RS
Allows to define the parameters of the authentication method that is
internally used by the proxy to authorize connections that are
.B idassert-authzFrom
patterns.
+The TLS settings default to the same as the main slapd TLS settings,
+except for
+.B tls_reqcert
+which defaults to "demand".
+
The identity associated to this directive is also used for privileged
operations whenever \fBidassert-bind\fP is defined and \fBacl-bind\fP
is not. See \fBacl-bind\fP for details.
The value is in seconds, and it can be specified as for
.BR idle-timeout .
+.TP
+.B norefs <NO|yes>
+If
+.BR yes ,
+do not return search reference responses.
+By default, they are returned unless request is LDAPv2.
+
+.TP
+.B noundeffilter <NO|yes>
+If
+.BR yes ,
+return success instead of searching if a filter is undefined or contains
+undefined portions.
+By default, the search is propagated after replacing undefined portions
+with
+.BR (!(objectClass=*)) ,
+which corresponds to the empty result set.
+
.TP
.B protocol\-version {0,2,3}
This directive indicates what protocol version must be used to contact
.TP
.B rebind-as-user {NO|yes}
If this option is given, the client's bind credentials are remembered
-for rebinds when chasing referrals. Useful when
-\fBchase-referrals\fP is set to \fByes\fP, useless otherwise.
+for rebinds, when trying to re-establish a broken connection,
+or when chasing a referral, if
+.B chase-referrals
+is set to
+.IR yes .
+
+.TP
+.B session\-tracking\-request {NO|yes}
+Adds session tracking control for all requests.
+The client's IP and hostname, and the identity associated to each request,
+if known, are sent to the remote server for informational purposes.
+This directive is incompatible with setting \fIprotocol\-version\fP to 2.
.TP
.B single\-conn {NO|yes}
This directive allows to set per-operation timeouts.
Operations can be
-\fB<op> ::= bind, add, delete, modrdn, modify, compare\fP
+\fB<op> ::= bind, add, delete, modrdn, modify, compare, search\fP
-The \fBsearch\fP operation is already controlled either
+The overall duration of the \fBsearch\fP operation is controlled either
by the \fBtimelimit\fP parameter or by server-side enforced
time limits (see \fBtimelimit\fP and \fBlimits\fP in
.BR slapd.conf (5)
for details).
+This \fBtimeout\fP parameter controls how long the target can be
+irresponsive before the operation is aborted.
Timeout is meaningless for the remaining operations,
\fBunbind\fP and \fBabandon\fP, which do not imply any response,
while it is not yet implemented in currently supported \fBextended\fP
In this case, the timeout of the operation that resulted in the bind
is used.
-.TP
-.B tls {[try-]start|[try-]propagate}
-execute the StartTLS extended operation when the connection is initialized;
-only works if the URI directive protocol scheme is not \fBldaps://\fP.
+.HP
+.hy 0
+.B tls {[try-]start|[try-]propagate|ldaps}
+.B [tls_cert=<file>]
+.B [tls_key=<file>]
+.B [tls_cacert=<file>]
+.B [tls_cacertdir=<path>]
+.B [tls_reqcert=never|allow|try|demand]
+.B [tls_ciphersuite=<ciphers>]
+.B [tls_crlcheck=none|peer|all]
+.RS
+Specify the use of TLS when a regular connection is initialized. The
+StartTLS extended operation will be used unless the URI directive protocol
+scheme is \fBldaps://\fP. In that case this keyword may only be
+set to "ldaps" and the StartTLS operation will not be used.
\fBpropagate\fP issues the StartTLS operation only if the original
connection did.
The \fBtry-\fP prefix instructs the proxy to continue operations
if the StartTLS operation failed; its use is \fBnot\fP recommended.
+The TLS settings default to the same as the main slapd TLS settings,
+except for
+.B tls_reqcert
+which defaults to "demand".
+.RE
+
+.TP
+.B use-temporary-conn {NO|yes}
+when set to
+.BR yes ,
+create a temporary connection whenever competing with other threads
+for a shared one; otherwise, wait until the shared connection is available.
+
.SH BACKWARD COMPATIBILITY
The LDAP backend has been heavily reworked between releases 2.2 and 2.3,
and subsequently between 2.3 and 2.4.
projects / openldap / blobdiff