X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;ds=sidebyside;f=doc%2Fman%2Fman5%2Fslapd-ldap.5;h=53f5b4886bcd6417f4afbdcaa92a6e3d2e4fbaac;hb=c4c6a38a0b8b48a3a733a43357b9eda7bf6d3acf;hp=398ef24b278bca72fce3a412a3b33f9b1c2b8108;hpb=55d21236d14efead51851477efe60a3e1698e022;p=openldap diff --git a/doc/man/man5/slapd-ldap.5 b/doc/man/man5/slapd-ldap.5 index 398ef24b27..53f5b4886b 100644 --- a/doc/man/man5/slapd-ldap.5 +++ b/doc/man/man5/slapd-ldap.5 @@ -13,6 +13,15 @@ is not an actual database; instead it acts as a proxy to forward incoming requests to another LDAP server. While processing requests it will also chase referrals, so that referrals are fully processed instead of being returned to the slapd client. + +Sessions that explicitly Bind to the back-ldap database always create their +own private connection to the remote LDAP server. Anonymous sessions will +share a single anonymous connection to the remote server. For sessions bound +through other mechanisms, all sessions with the same DN will share the +same connection. This connection pooling strategy can enhance the proxy's +efficiency by reducing the overhead of repeatedly making/breaking multiple +connections. + .SH CONFIGURATION These .B slapd.conf @@ -24,9 +33,13 @@ Other database options are described in the manual page. .LP Note: It is strongly recommended to set +.LP .RS +.nf lastmod off +.fi .RE +.LP for every .B ldap and @@ -59,6 +72,40 @@ check permissions. .B bindpw Password used with the bind DN above. .TP +.B proxyauthzdn "" +DN which is used to propagate the client's identity to the target +by means of the proxyAuthz control when the client does not +belong to the DIT fragment that is being proxyied by back-ldap. +This is useful when operations performed by users bound to another +backend are propagated through back-ldap. +This requires the entry with +.B proxyauthzdn +identity on the remote server to have +.B proxyAuthz +privileges on a wide set of DNs, e.g. +.BR saslAuthzTo=dn.regex:.* , +and the remote server to have +.B sasl-authz-policy +set to +.B to +or +.BR both . +See +.BR slapd.conf (5) +for details on these statements and for remarks and drawbacks about +their usage. +.TP +.B proxyauthzpw +Password used with the proxy authz DN above. +.TP +.B proxy-whoami +Turns on proxying of the WhoAmI extended operation. If this option is +given, back-ldap will replace slapd's original WhoAmI routine with its +own. On slapd sessions that were authenticated by back-ldap, the WhoAmI +request will be forwarded to the remote LDAP server. Other sessions will +be handled by the local slapd, as before. This option is mainly useful +in conjunction with Proxy Authorization. +.TP .B rebind-as-user If this option is given, the client's bind credentials are remembered for rebinds when chasing referrals. @@ -68,7 +115,7 @@ DNs ending with in a request are changed to end with before sending the request to the remote server, and in the results are changed back to before returning them to the client. -The field must be defined as a valid suffix (or suffixAlias?) +The field must be defined as a valid suffix for the current database. .TP .B map "{attribute | objectclass} [ | *] { | *}" @@ -122,4 +169,5 @@ default slapd configuration file .BR slapd-meta (5), .BR slapd (8), .BR ldap (3). - +.SH AUTHOR +Howard Chu, with enhancements by Pierangelo Masarati