X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=doc%2Fman%2Fman5%2Fslapd-ldap.5;h=884d305c24fd179cf390b59041ef9a83f341166e;hb=006745430e494adb5c7e192576dbe783c602172a;hp=be5ddf1c05d202567772749a56ef82d1a1b1573e;hpb=f0ea4161ba33a0df4665a0296b46194390a07143;p=openldap diff --git a/doc/man/man5/slapd-ldap.5 b/doc/man/man5/slapd-ldap.5 index be5ddf1c05..884d305c24 100644 --- a/doc/man/man5/slapd-ldap.5 +++ b/doc/man/man5/slapd-ldap.5 @@ -1,5 +1,5 @@ .TH SLAPD-LDAP 5 "RELEASEDATE" "OpenLDAP LDVERSION" -.\" Copyright 1998-2003 The OpenLDAP Foundation All Rights Reserved. +.\" Copyright 1998-2004 The OpenLDAP Foundation All Rights Reserved. .\" Copying restrictions apply. See COPYRIGHT/LICENSE. .\" $OpenLDAP$ .SH NAME @@ -68,21 +68,22 @@ should have read access on the target server to attributes used on the proxy for acl checking. There is no risk of giving away such values; they are only used to check permissions. -.RS -Note: the -.B binddn -/ -.B bindpw -values are also used to propagate user authorization by means of the -.B proxyAuthz -mechanism when operations performed by users bound to another backend -are propagated to back-ldap. +.TP +.B bindpw +Password used with the bind DN above. +.TP +.B proxyauthzdn "" +DN which is used to propagate the client's identity to the target +by means of the proxyAuthz control when the client does not +belong to the DIT fragment that is being proxyied by back-ldap. +This is useful when operations performed by users bound to another +backend are propagated through back-ldap. This requires the entry with -.B binddn -DN on the remote server to have +.B proxyauthzdn +identity on the remote server to have .B proxyAuthz privileges on a wide set of DNs, e.g. -.BR saslAuthzTo=regex:.* , +.BR saslAuthzTo=dn.regex:.* , and the remote server to have .B sasl-authz-policy set to 
@@ -93,10 +94,9 @@ See .BR slapd.conf (5) for details on these statements and for remarks and drawbacks about their usage. -.RE .TP -.B bindpw -Password used with the bind DN above. +.B proxyauthzpw +Password used with the proxy authz DN above. .TP .B proxy-whoami Turns on proxying of the WhoAmI extended operation. If this option is
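Review bot: in the @@ -68,21 +68,22 @@ hunk, the new proxyauthzdn entry gives "saslAuthzTo=dn.regex:.*" as its example without saying what that grants. An identity carrying that value can authorize as any DN on the remote server, so anyone holding the proxyauthzdn credentials can act as any user there. Suggest saying so in the entry and recommending a pattern limited to the DNs whose identities actually need to be propagated. Two smaller points in the same hunk: "proxyied" should read "proxied", and because the removed note said binddn / bindpw were used for proxyAuthz, the entry should mention that configurations relying on that behaviour now need proxyauthzdn set.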
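Review bot: in the @@ -93,10 +94,9 @@ hunk, the proxyauthzpw entry refers to "the proxy authz DN above" while the directive it pairs with is named proxyauthzdn. Naming it with ".B proxyauthzdn" would match how the preceding entry is written and avoid ambiguity with binddn. Since the preceding entry says this identity needs proxyAuthz privileges on a wide set of DNs, it is also worth adding a sentence that the password sits in the configuration file and that the file's read permissions should be restricted accordingly.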