.TH SLAPD-LDAP 5 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" Copyright 1998-2009 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 1998-2015 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
-slapd-ldap \- LDAP backend to slapd
+slapd\-ldap \- LDAP backend to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
For this purpose, the proxy binds to the remote server with some
administrative identity, and, if required, authorizes the asserted identity.
See the
-.IR idassert- *
+.IR idassert\- *
rules below.
The administrative identity of the proxy, on the remote server, must be
allowed to authorize by means of appropriate
The proxy instance of
.BR slapd (8)
must contain schema information for the attributes and objectClasses
-used in filters, request DN and request-related data in general.
+used in filters, request DNs and request-related data in general.
It should also contain schema information for the data returned
by the proxied server.
It is the responsibility of the proxy administrator to keep the schema
.BR slapd (8)
must be compiled with thread support, and the \fBthreads\fP parameter
may need some tuning; in those cases, one may consider using
-.BR slapd-relay (5)
+.BR slapd\-relay (5)
instead, which performs the relayed operation
internally and thus reuses the same connection.
LDAP server to use. Multiple URIs can be set in a single
.B ldapurl
argument, resulting in the underlying library automatically
-call the first server of the list that responds, e.g.
+calling the first server of the list that responds, e.g.
-\fBuri "ldap://host/ ldap://backup-host/"\fP
+\fBuri "ldap://host/ ldap://backup\-host/"\fP
The URI list is space- or comma-separated.
Whenever the server that responds is not the first one in the list,
the list is rearranged and the responsive server is moved to the head,
so that it will be first contacted the next time a connection
-needs be created.
+needs to be created.
.HP
.hy 0
-.B acl-bind
+.B acl\-bind
.B bindmethod=simple|sasl [binddn=<simple DN>] [credentials=<simple password>]
.B [saslmech=<SASL mech>] [secprops=<properties>] [realm=<realm>]
.B [authcId=<authentication ID>] [authzId=<authorization ID>]
+.B [starttls=no|yes|critical]
.B [tls_cert=<file>]
.B [tls_key=<file>]
.B [tls_cacert=<file>]
.B [tls_cacertdir=<path>]
.B [tls_reqcert=never|allow|try|demand]
-.B [tls_ciphersuite=<ciphers>]
+.B [tls_cipher_suite=<ciphers>]
+.B [tls_protocol_min=<major>[.<minor>]]
.B [tls_crlcheck=none|peer|all]
.RS
Allows to define the parameters of the authentication method that is
.BR simple
bind, with empty \fIbinddn\fP and \fIcredentials\fP,
which means that the related operations will be performed anonymously.
-If not set, and if \fBidassert-bind\fP is defined, this latter identity
-is used instead. See \fBidassert-bind\fP for details.
+If not set, and if \fBidassert\-bind\fP is defined, this latter identity
+is used instead. See \fBidassert\-bind\fP for details.
The connection between the proxy database and the remote server
associated to this identity is cached regardless of the lifespan
of the client-proxy connection that first established it.
-.B This identity is by no means implicitly used by the proxy
+.B This identity is not implicitly used by the proxy
.B when the client connects anonymously.
The
-.B idassert-bind
+.B idassert\-bind
feature, instead, in some cases can be crafted to implement that behavior,
which is \fIintrinsically unsafe and should be used with extreme care\fP.
This directive obsoletes
-.BR acl-authcDN ,
+.BR acl\-authcDN ,
and
-.BR acl-passwd .
+.BR acl\-passwd .
The TLS settings default to the same as the main slapd TLS settings,
except for
.RE
.TP
-.B cancel {ABANDON|ignore|exop[-discover]}
+.B cancel {ABANDON|ignore|exop[\-discover]}
Defines how to handle operation cancellation.
By default,
.B abandon
no action is taken and any further response is ignored; this may result
in further response messages to be queued for that connection, so it is
recommended that long lasting connections are timed out either by
-.I idle-timeout
+.I idle\-timeout
or
-.IR conn-ttl ,
+.IR conn\-ttl ,
so that resources eventually get released.
If set to
.BR exop ,
operation waits for remote server response, so its use
may not be recommended.
If set to
-.BR exop-discover ,
+.BR exop\-discover ,
support of the
.I cancel
extended operation is detected by reading the remote server's root DSE.
.TP
-.B chase-referrals {YES|no}
+.B chase\-referrals {YES|no}
enable/disable automatic referral chasing, which is delegated to the
underlying libldap, with rebinding eventually performed if the
-\fBrebind-as-user\fP directive is used. The default is to chase referrals.
+\fBrebind\-as\-user\fP directive is used. The default is to chase referrals.
.TP
-.B conn-ttl <time>
-This directive causes a cached connection to be dropped an recreated
+.B conn\-ttl <time>
+This directive causes a cached connection to be dropped and recreated
after a given ttl, regardless of being idle or not.
.TP
-.B idassert-authzFrom <authz-regexp>
+.B idassert
\-authzFrom <authz-regexp>
if defined, selects what
.I local
identities are authorized to exploit the identity assertion feature.
See
.BR slapd.conf (5),
section related to
-.BR authz-policy ,
+.BR authz\-policy ,
for details on the syntax of this field.
.HP
.hy 0
-.B idassert-bind
+.B idassert\-bind
.B bindmethod=none|simple|sasl [binddn=<simple DN>] [credentials=<simple password>]
.B [saslmech=<SASL mech>] [secprops=<properties>] [realm=<realm>]
.B [authcId=<authentication ID>] [authzId=<authorization ID>]
.B [authz={native|proxyauthz}] [mode=<mode>] [flags=<flags>]
+.B [starttls=no|yes|critical]
.B [tls_cert=<file>]
.B [tls_key=<file>]
.B [tls_cacert=<file>]
.B [tls_cacertdir=<path>]
.B [tls_reqcert=never|allow|try|demand]
-.B [tls_ciphersuite=<ciphers>]
+.B [tls_cipher_suite=<ciphers>]
+.B [tls_protocol_min=<version>]
.B [tls_crlcheck=none|peer|all]
.RS
Allows to define the parameters of the authentication method that is
internally used by the proxy to authorize connections that are
authenticated by other databases.
+Direct binds are always proxied without any idassert handling.
+
The identity defined by this directive, according to the properties
associated to the authentication method, is supposed to have auth access
on the target server to attributes used on the proxy for authentication
privileges on a wide set of DNs, e.g.
.BR authzTo=dn.subtree:"" ,
and the remote server to have
-.B authz-policy
+.B authz\-policy
set to
.B to
or
or a SASL bind as the
.I authcID
and assert the client's identity when it is not anonymous.
-Direct binds are always proxied.
The other modes imply that the proxy will always either perform a simple bind
as the
.IR authcDN
or a SASL bind as the
.IR authcID ,
unless restricted by
-.BR idassert-authzFrom
+.BR idassert\-authzFrom
rules (see below), in which case the operation will fail;
eventually, it will assert some other identity according to
.BR <mode> .
Flags can be
-\fBoverride,[non-]prescriptive\fP
+\fBoverride,[non\-]prescriptive,proxy\-authz\-[non\-]critical\fP
When the
.B override
flag is used (the default), operations fail with
\fIinappropriateAuthentication\fP
for those identities whose assertion is not allowed by the
-.B idassert-authzFrom
+.B idassert\-authzFrom
patterns.
If the
-.B non-prescriptive
+.B non\-prescriptive
flag is used, operations are performed anonymously for those identities
whose assertion is not allowed by the
-.B idassert-authzFrom
+.B idassert\-authzFrom
patterns.
+When the
+.B proxy\-authz\-non\-critical
+flag is used (the default), the proxyAuthz control is not marked as critical,
+in violation of RFC 4370. Use of
+.B proxy\-authz\-critical
+is recommended.
+
The TLS settings default to the same as the main slapd TLS settings,
except for
.B tls_reqcert
which defaults to "demand".
The identity associated to this directive is also used for privileged
-operations whenever \fBidassert-bind\fP is defined and \fBacl-bind\fP
-is not. See \fBacl-bind\fP for details.
+operations whenever \fBidassert\-bind\fP is defined and \fBacl\-bind\fP
+is not. See \fBacl\-bind\fP for details.
This directive obsoletes
-.BR idassert-authcDN ,
-.BR idassert-passwd ,
-.BR idassert-mode ,
+.BR idassert\-authcDN ,
+.BR idassert\-passwd ,
+.BR idassert\-mode ,
and
-.BR idassert-method .
+.BR idassert\-method .
.RE
.TP
-.B idle-timeout <time>
+.B idassert-passthru <authz-regexp>
+if defined, selects what
+.I local
+identities bypass the identity assertion feature.
+Those identities need to be known by the remote host.
+The string
+.B <authz-regexp>
+follows the rules defined for the
+.I authzFrom
+attribute.
+See
+.BR slapd.conf (5),
+section related to
+.BR authz\-policy ,
+for details on the syntax of this field.
+
+
+.TP
+.B idle\-timeout <time>
This directive causes a cached connection to be dropped an recreated
after it has been idle for the specified time.
.TP
-.B network-timeout <time>
+.B keepalive <idle>:<probes>:<interval>
+The
+.B keepalive
+parameter sets the values of \fIidle\fP, \fIprobes\fP, and \fIinterval\fP
+used to check whether a socket is alive;
+.I idle
+is the number of seconds a connection needs to remain idle before TCP
+starts sending keepalive probes;
+.I probes
+is the maximum number of keepalive probes TCP should send before dropping
+the connection;
+.I interval
+is interval in seconds between individual keepalive probes.
+Only some systems support the customization of these values;
+the
+.B keepalive
+parameter is ignored otherwise, and system-wide settings are used.
+
+.TP
+.B network\-timeout <time>
Sets the network timeout value after which
.BR poll (2)/ select (2)
following a
.BR connect (2)
returns in case of no activity.
The value is in seconds, and it can be specified as for
-.BR idle-timeout .
+.BR idle\-timeout .
.TP
.B norefs <NO|yes>
.BR (!(objectClass=*)) ,
which corresponds to the empty result set.
+.TP
+.B onerr {CONTINUE|stop}
+This directive allows to select the behavior in case an error is returned
+by the remote server during a search.
+The default, \fBcontinue\fP, consists in returning success.
+If the value is set to \fBstop\fP, the error is returned to the client.
+
.TP
.B protocol\-version {0,2,3}
This directive indicates what protocol version must be used to contact
attribute of the database entry in the configuration backend.
.TP
-.B rebind-as-user {NO|yes}
+.B rebind\-as\-user {NO|yes}
If this option is given, the client's bind credentials are remembered
for rebinds, when trying to re-establish a broken connection,
or when chasing a referral, if
-.B chase-referrals
+.B chase\-referrals
is set to
.IR yes .
Discards current cached connection when the client rebinds.
.TP
-.B t-f-support {NO|yes|discover}
+.B t\-f\-support {NO|yes|discover}
enable if the remote server supports absolute filters
-(see \fIdraft-zeilenga-ldap-t-f\fP for details).
+(see \fIRFC 4526\fP for details).
If set to
.BR discover ,
support is detected by reading the remote server's root DSE.
Note: in some cases, this backend may issue binds prior
to other operations (e.g. to bind anonymously or with some prescribed
-identity according to the \fBidassert-bind\fP directive).
+identity according to the \fBidassert\-bind\fP directive).
In this case, the timeout of the operation that resulted in the bind
is used.
.HP
.hy 0
-.B tls {[try-]start|[try-]propagate|ldaps}
+.B tls {[try\-]start|[try\-]propagate|ldaps}
.B [tls_cert=<file>]
.B [tls_key=<file>]
.B [tls_cacert=<file>]
.B [tls_cacertdir=<path>]
.B [tls_reqcert=never|allow|try|demand]
-.B [tls_ciphersuite=<ciphers>]
+.B [tls_cipher_suite=<ciphers>]
.B [tls_crlcheck=none|peer|all]
.RS
Specify the use of TLS when a regular connection is initialized. The
set to "ldaps" and the StartTLS operation will not be used.
\fBpropagate\fP issues the StartTLS operation only if the original
connection did.
-The \fBtry-\fP prefix instructs the proxy to continue operations
+The \fBtry\-\fP prefix instructs the proxy to continue operations
if the StartTLS operation failed; its use is \fBnot\fP recommended.
The TLS settings default to the same as the main slapd TLS settings,
.RE
.TP
-.B use-temporary-conn {NO|yes}
+.B use\-temporary\-conn {NO|yes}
when set to
.BR yes ,
create a temporary connection whenever competing with other threads
in future releases.
.TP
-.B acl-authcDN "<administrative DN for access control purposes>"
+.B acl
\-authcDN "<administrative DN for access control purposes>"
Formerly known as the
.BR binddn ,
it is the DN that is used to query the target server for acl checking;
There is no risk of giving away such values; they are only used to
check permissions.
-.B The acl-authcDN identity is by no means implicitly used by the proxy
+.B The acl\-authcDN identity is by no means implicitly used by the proxy
.B when the client connects anonymously.
The
-.B idassert-*
+.B idassert\-*
feature can be used (at own risk) for that purpose instead.
This directive is obsoleted by the
.B binddn
arg of
-.B acl-bind
+.B acl\-bind
when \fIbindmethod\fP=\fBsimple\fP, and will be dismissed in the future.
.TP
-.B acl-passwd <password>
+.B acl
\-passwd <password>
Formerly known as the
.BR bindpw ,
it is the password used with the above
-.B acl-authcDN
+.B acl\-authcDN
directive.
This directive is obsoleted by the
.B credentials
arg of
-.B acl-bind
+.B acl\-bind
when \fIbindmethod\fP=\fBsimple\fP, and will be dismissed in the future.
.TP
-.B idassert-authcDN "<administrative DN for proxyAuthz purposes>"
+.B idassert
\-authcDN "<administrative DN for proxyAuthz purposes>"
DN which is used to propagate the client's identity to the target
by means of the proxyAuthz control when the client does not
belong to the DIT fragment that is being proxied by back-ldap.
This directive is obsoleted by the
.B binddn
arg of
-.BR idassert-bind
+.BR idassert\-bind
when \fIbindmethod\fP=\fBsimple\fP, and will be dismissed in the future.
.TP
-.B idassert-passwd <password>
+.B idassert
\-passwd <password>
Password used with the
-.B idassert-authcDN
+.B idassert\-authcDN
above.
This directive is obsoleted by the
.B crendentials
arg of
-.B idassert-bind
+.B idassert\-bind
when \fIbindmethod\fP=\fBsimple\fP, and will be dismissed in the future.
.TP
-.B idassert-mode <mode> [<flags>]
+.B idassert\-mode <mode> [<flags>]
defines what type of
.I identity assertion
is used.
This directive is obsoleted by the
.B mode
arg of
-.BR idassert-bind ,
+.BR idassert\-bind ,
and will be dismissed in the future.
.TP
-.B idassert-method <method> [<saslargs>]
+.B idassert\-method <method> [<saslargs>]
This directive is obsoleted by the
.B bindmethod
arg of
-.BR idassert-bind ,
+.BR idassert\-bind ,
and will be dismissed in the future.
.TP
.B overlay rwm
first, and prefix all rewrite/map statements with
-.B rwm-
+.B rwm\-
to obtain the original behavior.
See
-.BR slapo-rwm (5)
+.BR slapo\-rwm (5)
for details.
.\" However, to ease update from existing configurations, back-ldap still
.\" recognizes them and automatically instantiates the
projects / openldap / blobdiff