-.TH SLAPD-LDAP 5 "2 May 2002" "OpenLDAP LDVERSION"
-.\" Copyright 1998-2002 The OpenLDAP Foundation All Rights Reserved.
+.TH SLAPD-LDAP 5 "RELEASEDATE" "OpenLDAP LDVERSION"
+.\" Copyright 1998-2003 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
requests to another LDAP server. While processing requests it will also
chase referrals, so that referrals are fully processed instead of being
returned to the slapd client.
+
+Sessions that explicitly Bind to the back-ldap database always create their
+own private connection to the remote LDAP server. Anonymous sessions will
+share a single anonymous connection to the remote server. For sessions bound
+through other mechanisms, all sessions with the same DN will share the
+same connection. This connection pooling strategy can enhance the proxy's
+efficiency by reducing the overhead of repeatedly making/breaking multiple
+connections.
+
.SH CONFIGURATION
These
.B slapd.conf
manual page.
.LP
Note: It is strongly recommended to set
+.LP
.RS
+.nf
lastmod off
+.fi
.RE
+.LP
for every
.B ldap
and
servers, generating an error.
.TP
.B uri <ldapurl>
-LDAP server to use.
+LDAP server to use. Multiple URIs can be set in in a single
+.B ldapurl
+argument, resulting in the underlying library automatically
+call the first server of the list that responds, e.g.
+
+\fBuri "ldap://host/ ldap://backup-host"\fP
+
+The URI list is space- or comma-separated.
.TP
.B server <hostport>
Obsolete option; same as `uri ldap://<hostport>/'.
.B bindpw <password>
Password used with the bind DN above.
.TP
+.B proxyauthzdn "<administrative DN for proxyAuthz purposes>"
+DN which is used to propagate the client's identity to the target
+by means of the proxyAuthz control when the client does not
+belong to the DIT fragment that is being proxyied by back-ldap.
+This is useful when operations performed by users bound to another
+backend are propagated through back-ldap.
+This requires the entry with
+.B proxyauthzdn
+identity on the remote server to have
+.B proxyAuthz
+privileges on a wide set of DNs, e.g.
+.BR saslAuthzTo=dn.regex:.* ,
+and the remote server to have
+.B sasl-authz-policy
+set to
+.B to
+or
+.BR both .
+See
+.BR slapd.conf (5)
+for details on these statements and for remarks and drawbacks about
+their usage.
+.TP
+.B proxyauthzpw <password>
+Password used with the proxy authz DN above.
+.TP
+.B proxy-whoami
+Turns on proxying of the WhoAmI extended operation. If this option is
+given, back-ldap will replace slapd's original WhoAmI routine with its
+own. On slapd sessions that were authenticated by back-ldap, the WhoAmI
+request will be forwarded to the remote LDAP server. Other sessions will
+be handled by the local slapd, as before. This option is mainly useful
+in conjunction with Proxy Authorization.
+.TP
.B rebind-as-user
If this option is given, the client's bind credentials are remembered
for rebinds when chasing referrals.
suffix> before sending the request to the remote server, and <remote
suffix> in the results are changed back to <suffix> before returning
them to the client.
-The <suffix> field must be defined as a valid suffix (or suffixAlias?)
+The <suffix> field must be defined as a valid suffix
for the current database.
.TP
-.B map "{attribute | objectclass} {<local name> | *} [<foreign name> | *]"
+.B map "{attribute | objectclass} [<local name> | *] {<foreign name> | *}"
Map attribute names and object classes from the foreign server to
different values on the local slapd.
The reason is that some attributes might not be part of the local
slapd's schema, some attribute names might be different but serve the
same purpose, etc.
If local or foreign name is `*', the name is preserved.
-If foreign name is missing, the name is dropped.
-Local name `*' and no foreign name means unmapped attributes are
-removed, while local name = foreign name = `*' means unmapped
-attributes are preserved.
+If local name is omitted, the foreign name is removed.
+Unmapped names are preseved if both local and foreign name are `*',
+and removed if local name is omitted and foreign name is `*'.
.TP
.B rewrite*
The rewrite options are described in the "REWRITING" section of the
to the client (or sent up to the LDAP server). This is obviously a
simplistic example, but you get the point.
.SH FILES
+.TP
ETCDIR/slapd.conf
+default slapd configuration file
.SH SEE ALSO
.BR slapd.conf (5),
.BR slapd-meta (5),
.BR slapd (8),
.BR ldap (3).
-
+.SH AUTHOR
+Howard Chu, with enhancements by Pierangelo Masarati
projects / openldap / blobdiff