.TH SLAPD-LDAP 5 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" Copyright 1998-2005 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 1998-2006 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
.BR slapd.conf (5)
for details.
+.LP
+Note: When looping back to the same instance of \fBslapd\fP(8),
+each connection requires a new thread; as a consequence, \fBslapd\fP(8)
+must be compiled with thread support, and the \fBthreads\fP parameter
+may need some tuning; in those cases, one may consider using
+\fBslapd-relay\fP(5) instead, which performs the relayed operation
+internally and thus reuses the same connection.
+
.SH CONFIGURATION
These
.B slapd.conf
Other database options are described in the
.BR slapd.conf (5)
manual page.
+
.LP
Note: In early versions of back-ldap it was recommended to always set
.LP
The identity defined by this directive, according to the properties
associated to the authentication method, is supposed to have read access
on the target server to attributes used on the proxy for ACL checking.
-The
-.B secprops
-field is currently ignored.
There is no risk of giving away such values; they are only used to
check permissions.
The default is to use
-.BR simple ,
-with empty binddn and credentials,
+.BR simple
+bind, with empty \fIbinddn\fP and \fIcredentials\fP,
which means that the related operations will be performed anonymously.
.B This identity is by no means implicitly used by the proxy
.B when the client connects anonymously.
-See the
+The
.B idassert-bind
-feature instead.
+feature, instead, in some cases can be crafted to implement that behavior,
+which is \fIintrinsically unsafe and should be used with extreme care\fP.
This directive obsoletes
.BR acl-authcDN ,
and
.TP
.B tls {[try-]start|[try-]propagate}
-execute the start TLS extended operation when the connection is initialized;
+execute the StartTLS extended operation when the connection is initialized;
only works if the URI directive protocol scheme is not \fBldaps://\fP.
-\fBpropagate\fP issues the Start TLS exop only if the original
+\fBpropagate\fP issues the StartTLS operation only if the original
connection did.
The \fBtry-\fP prefix instructs the proxy to continue operations
-if start TLS failed; its use is highly deprecated.
+if the StartTLS operation failed; its use is highly deprecated.
.TP
.B t-f-support {NO|yes|discover}
the protocol does not provide any means to rollback the operation,
so the client will not know if the operation eventually succeeded or not.
+.TP
+.B idle-timeout <time>
+This directive causes a cached connection to be dropped an recreated
+after it has been idle for the specified time.
+
+.TP
+.B conn-ttl <time>
+This directive causes a cached connection to be dropped an recreated
+after a given ttl, regardless of being idle or not.
+
.SH BACKWARD COMPATIBILITY
The LDAP backend has been heavily reworked between releases 2.2 and 2.3;
as a side-effect, some of the traditional directives have been
-deprecated and should be no longer used.
+deprecated and should be no longer used, as they might disappear
+in future releases.
.TP
.B server <hostname[:port]>
See the
.B idassert-*
feature instead.
-This directive is obsoleted by
-.BR acl-bind ,
-and may dismissed in the future.
+This directive is obsoleted by the
+.B binddn
+arg of
+.B acl-bind
+when \fIbindmethod\fP=\fBsimple\fP, and will be dismissed in the future.
.TP
.B acl-passwd <password>
-Password used with the
-.B
-acl-authcDN
-above.
-This directive is obsoleted by
-.BR acl-bind ,
-and may be dismissed in the future.
+Password used with the above
+.B acl-authcDN
+directive.
+This directive is obsoleted by the
+.B binddn
+arg of
+.B acl-bind
+when \fIbindmethod\fP=\fBsimple\fP, and will be dismissed in the future.
.TP
.B idassert-authcDN "<administrative DN for proxyAuthz purposes>"
DN which is used to propagate the client's identity to the target
by means of the proxyAuthz control when the client does not
belong to the DIT fragment that is being proxied by back-ldap.
-This directive is obsoleted by
-.BR idassert-bind ,
-and may be dismissed in the future.
+This directive is obsoleted by the
+.B binddn
+arg of
+.BR idassert-bind
+when \fIbindmethod\fP=\fBsimple\fP, and will be dismissed in the future.
.TP
.B idassert-passwd <password>
Password used with the
.B idassert-authcDN
above.
-This directive is obsoleted by
-.BR idassert-bind ,
-and may be dismissed in the future.
+This directive is obsoleted by the
+.B crendentials
+of
+.B idassert-bind
+when \fIbindmethod\fP=\fBsimple\fP, and will be dismissed in the future.
.TP
.B idassert-mode <mode> [<flags>]
defines what type of
.I identity assertion
is used.
-This directive is obsoleted by
+This directive is obsoleted by the
+.B mode
+arg of
.BR idassert-bind ,
-and may be dismissed in the future.
+and will be dismissed in the future.
.TP
.B idassert-method <method> [<saslargs>]
-This directive is obsoleted by
+This directive is obsoleted by the
+.B bindmethod
+arg of
.BR idassert-bind ,
-and may be dismissed in the future.
+and will be dismissed in the future.
.TP
.B suffixmassage, map, rewrite*