argument, resulting in the underlying library automatically
call the first server of the list that responds, e.g.
-\fBuri "ldap://host/ ldap://backup-host"\fP
+\fBuri "ldap://host/ ldap://backup-host/"\fP
The URI list is space- or comma-separated.
-This statement is mandatory.
+.\"This statement is mandatory.
.\".TP
.\".B server <hostport>
.\"Obsolete option; same as `uri ldap://<hostport>/'.
.BR acl-passwd .
.RE
+.TP
+.B cancel {ABANDON|ignore|exop[-discover]}
+Defines how to handle operation cancellation.
+By default,
+.B abandon
+is invoked, so the operation is abandoned immediately.
+If set to
+.BR ignore ,
+no action is taken and any further response is ignored; this may result
+in further response messages to be queued for that connection, so it is
+recommended that long lasting connections are timed out either by
+.I idle-timeout
+or
+.IR conn-ttl ,
+so that resources eventually get released.
+If set to
+.BR exop ,
+a
+.I cancel
+operation (RFC 3909) is issued, resulting in the cancellation
+of the current operation; the
+.I cancel
+operation waits for remote server response, so its use
+may not be recommended.
+If set to
+.BR exop-discover ,
+support of the
+.I cancel
+extended operation is detected by reading the remote server's root DSE.
+
+.TP
+.B chase-referrals {YES|no}
+enable/disable automatic referral chasing, which is delegated to the
+underlying libldap, with rebinding eventually performed if the
+\fBrebind-as-user\fP directive is used. The default is to chase referrals.
+
+.TP
+.B conn-ttl <time>
+This directive causes a cached connection to be dropped an recreated
+after a given ttl, regardless of being idle or not.
+
+.TP
+.B idassert-authzFrom <authz-regexp>
+if defined, selects what
+.I local
+identities are authorized to exploit the identity assertion feature.
+The string
+.B <authz-regexp>
+follows the rules defined for the
+.I authzFrom
+attribute.
+See
+.BR slapd.conf (5),
+section related to
+.BR authz-policy ,
+for details on the syntax of this field.
+
.HP
.hy 0
.B idassert-bind
.RE
.TP
-.B idassert-authzFrom <authz-regexp>
-if defined, selects what
-.I local
-identities are authorized to exploit the identity assertion feature.
-The string
-.B <authz-regexp>
-follows the rules defined for the
-.I authzFrom
-attribute.
-See
-.BR slapd.conf (5),
-section related to
-.BR authz-policy ,
-for details on the syntax of this field.
+.B idle-timeout <time>
+This directive causes a cached connection to be dropped an recreated
+after it has been idle for the specified time.
+
+.TP
+.B protocol\-version {0,2,3}
+This directive indicates what protocol version must be used to contact
+the remote server.
+If set to 0 (the default), the proxy uses the same protocol version
+used by the client, otherwise the requested protocol is used.
+The proxy returns \fIunwillingToPerform\fP if an operation that is
+incompatible with the requested protocol is attempted.
.TP
-.B proxy-whoami {NO|yes}
+.B proxy\-whoami {NO|yes}
Turns on proxying of the WhoAmI extended operation. If this option is
given, back-ldap will replace slapd's original WhoAmI routine with its
own. On slapd sessions that were authenticated by back-ldap, the WhoAmI
be handled by the local slapd, as before. This option is mainly useful
in conjunction with Proxy Authorization.
+.TP
+.B quarantine <interval>,<num>[;<interval>,<num>[...]]
+Turns on quarantine of URIs that returned
+.IR LDAP_UNAVAILABLE ,
+so that an attempt to reconnect only occurs at given intervals instead
+of any time a client requests an operation.
+The pattern is: retry only after at least
+.I interval
+seconds elapsed since last attempt, for exactly
+.I num
+times; then use the next pattern.
+If
+.I num
+for the last pattern is "\fB+\fP", it retries forever; otherwise,
+no more retries occur.
+The process can be restarted by resetting the \fIolcDbQuarantine\fP
+attribute of the database entry in the configuration backend.
+
.TP
.B rebind-as-user {NO|yes}
If this option is given, the client's bind credentials are remembered
\fBchase-referrals\fP is set to \fByes\fP, useless otherwise.
.TP
-.B chase-referrals {YES|no}
-enable/disable automatic referral chasing, which is delegated to the
-underlying libldap, with rebinding eventually performed if the
-\fBrebind-as-user\fP directive is used. The default is to chase referrals.
-
-.TP
-.B tls {[try-]start|[try-]propagate}
-execute the StartTLS extended operation when the connection is initialized;
-only works if the URI directive protocol scheme is not \fBldaps://\fP.
-\fBpropagate\fP issues the StartTLS operation only if the original
-connection did.
-The \fBtry-\fP prefix instructs the proxy to continue operations
-if the StartTLS operation failed; its use is highly deprecated.
+.B single\-conn {NO|yes}
+Discards current cached connection when the client rebinds.
.TP
.B t-f-support {NO|yes|discover}
so the client will not know if the operation eventually succeeded or not.
.TP
-.B idle-timeout <time>
-This directive causes a cached connection to be dropped an recreated
-after it has been idle for the specified time.
+.B tls {[try-]start|[try-]propagate}
+execute the StartTLS extended operation when the connection is initialized;
+only works if the URI directive protocol scheme is not \fBldaps://\fP.
+\fBpropagate\fP issues the StartTLS operation only if the original
+connection did.
+The \fBtry-\fP prefix instructs the proxy to continue operations
+if the StartTLS operation failed; its use is highly deprecated.
.SH BACKWARD COMPATIBILITY
The LDAP backend has been heavily reworked between releases 2.2 and 2.3;
deprecated and should be no longer used, as they might disappear
in future releases.
-.TP
-.B server <hostname[:port]>
-this directive is no longer supported. Use the
-.B uri
-directive as described above.
-
.TP
.B acl-authcDN "<administrative DN for access control purposes>"
DN which is used to query the target server for acl checking; it
.BR idassert-bind ,
and will be dismissed in the future.
+.TP
+.B server <hostname[:port]>
+this directive is no longer supported. Use the
+.B uri
+directive as described above.
+
.TP
.B suffixmassage, map, rewrite*
These directives are no longer supported by back-ldap; their
projects / openldap / blobdiff