.BR never );
the global value can be overridden by redefinitions inside each target
specification.
+
+.TP
+.B onerr {CONTINUE|stop}
+This directive allows to select the behavior in case an error is returned
+by one target during a search.
+The default, \fBcontinue\fP, consists in continuing the operation,
+trying to return as much data as possible.
+If this statement is set to \fBstop\fP, the search is terminated as soon
+as an error is returned by one target, and the error is immediately
+propagated to the client.
+
+.TP
+.B rebind-as-user {NO|yes}
+If this option is given, the client's bind credentials are remembered
+for rebinds when chasing referrals.
+
.SH TARGET SPECIFICATION
Target specification starts with a "uri" directive:
be separated by TABs (e.g. '\\t'; commas or spaces, unlike back-ldap,
will not work,
because they are legal in the <naming context>, and we don't want to use
-URL-encoded <namimg context>s), and the additional URIs must have
+URL-encoded <naming context>s), and the additional URIs must have
no <naming context> part. This causes the underlying library
to contact the first server of the list that responds.
.RE
acl-authcDN
above.
-.TP
-.B rebind-as-user {NO|yes}
-If this option is given, the client's bind credentials are remembered
-for rebinds when chasing referrals.
-
.TP
.B chase-referrals {YES|no}
enable/disable automatic referral chasing, which is delegated to the
underlying libldap, with rebinding eventually performed if the
\fBrebind-as-user\fP directive is used. The default is to chase referrals.
+If set before any target specification, it affects all targets, unless
+overridden by any per-target directive.
.TP
.B tls {[try-]start|[try-]propagate}
connection did.
The \fBtry-\fP prefix instructs the proxy to continue operations
if start TLS failed; its use is highly deprecated.
+If set before any target specification, it affects all targets, unless
+overridden by any per-target directive.
.TP
.B t-f-support {NO|yes|discover}
(see \fIdraft-zeilenga-ldap-t-f\fP for details).
If set to
.BR discover ,
-support is detected by reading the remote server's rootDSE.
-
-.TP
-.B onerr {CONTINUE|stop}
-This directive allows to select the behavior in case an error is returned
-by one targe during a search.
-The default, \fBcontinue\fP, consists in continuing the operation,
-trying to return as much data as possible.
-If this statement is set to \fBstop\fP, the search is terminated as soon
-as an error is returned by one target, and the error is immediately
-propagated to the client.
+support is detected by reading the remote server's root DSE.
+If set before any target specification, it affects all targets, unless
+overridden by any per-target directive.
+
+.TP
+.B timeout [{add|delete|modify|modrdn}=]<val> [...]
+This directive allows to set per-database, per-target and per-operation
+timeouts.
+If no operation is specified, it affects all.
+Currently, only write operations are addressed, because searches
+can already be limited by means of the
+.B limits
+directive (see
+.BR slapd.conf (5)
+for details), and other operations are not supposed to incur into the
+need for timeouts.
+Note: if the timelimit is exceeded, the operation is abandoned;
+the protocol does not provide any means to rollback the operation,
+so the client will not know if the operation eventually succeeded or not.
+If set before any target specification, it affects all targets, unless
+overridden by any per-target directive.
.TP
.B pseudorootdn "<substitute DN in case of rootdn bind>"
Note: cleartext credentials must be supplied here; as a consequence,
using the pseudorootdn/pseudorootpw directives is inherently unsafe.
+.TP
+.B pseudoroot-bind-defer {NO|yes}
+This directive, when set to
+.BR yes ,
+causes the authentication to the remote servers with the pseudo-root
+identity to be deferred until actually needed by subsequent operations.
+
.TP
.B rewrite* ...
The rewrite options are described in the "REWRITING" section.
The underlying concept is to build a lightweight rewrite module
for the slapd server (initially dedicated to the LDAP backend).
.SH Passes
-An incoming string is matched agains a set of rules.
+An incoming string is matched against a set of rules.
Rules are made of a regex match pattern, a substitution pattern
and a set of actions, described by a set of flags.
In case of match a string rewriting is performed according to the
The substitution pattern allows map resolution of substrings.
A map is a generic object that maps a substitution pattern to a value.
The flags are divided in "Pattern matching Flags" and "Action Flags";
-the former alter the regex match pattern behaviorm while the latter
+the former alter the regex match pattern behavior while the latter
alter the action that is taken after substitution.
.SH "Pattern Matching Flags"
.TP
assigns a variable in the rewrite context scope; operator
.B &&
assigns a variable that scopes the entire session, e.g. its value
-can be derefenced later by other rewrite contexts
+can be dereferenced later by other rewrite contexts
.TP
.B *
variable dereferencing; <name> must refer to a variable that is
<Context name> is the name that identifies the context, i.e. the name
used by the application to refer to the set of rules it contains.
It is used also to reference sub contexts in string rewriting.
-A context may aliase another one.
+A context may alias another one.
In this case the alias context contains no rule, and any reference to
it will result in accessing the aliased one.
.TP