X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=doc%2Fman%2Fman5%2Fslapo-translucent.5;h=f28a3769cf384ce5f8f6f34630703a12c42fd1df;hb=2dd578221b3dbaf7ba2308b63c3cc46154323cae;hp=5f308b6bf764bdf4c170b0dc6f035ed684b38314;hpb=661398337aeae53e1d9e574caa645d2279593454;p=openldap diff --git a/doc/man/man5/slapo-translucent.5 b/doc/man/man5/slapo-translucent.5 index 5f308b6bf7..f28a3769cf 100644 --- a/doc/man/man5/slapo-translucent.5 +++ b/doc/man/man5/slapo-translucent.5 @@ -1,14 +1,14 @@ .TH SLAPO-TRANSLUCENT 5 "RELEASEDATE" "OpenLDAP LDVERSION" -.\" Copyright 2004-2008 The OpenLDAP Foundation All Rights Reserved. +.\" Copyright 2004-2011 The OpenLDAP Foundation All Rights Reserved. .\" Copying restrictions apply. See COPYRIGHT/LICENSE. .\" $OpenLDAP$ .SH NAME -slapo-translucent \- Translucent Proxy overlay to slapd +slapo\-translucent \- Translucent Proxy overlay to slapd .SH SYNOPSIS ETCDIR/slapd.conf .SH DESCRIPTION The Translucent Proxy overlay can be used with a backend database such as -.BR slapd-bdb (5) +.BR slapd\-bdb (5) to create a "translucent proxy". Entries retrieved from a remote LDAP server may have some or all attributes overridden, or new attributes added, by entries in the local database before being presented to the 
@@ -31,15 +31,19 @@ operation will perform a comparison with attributes defined in the local database record (if any) before any comparison is made with data in the remote database. .SH CONFIGURATION -The Translucent Proxy overlay uses a remote LDAP server which is configured -with the options shown in -.BR slapd-ldap (5). +The Translucent Proxy overlay uses a proxied database, +typically a (set of) remote LDAP server(s), which is configured with the options shown in +.BR slapd\-ldap (5), +.BR slapd\-meta (5) +or similar. These .B slapd.conf options are specific to the Translucent Proxy overlay; they must appear after the .B overlay -directive. +directive that instantiates the +.B translucent +overlay. .TP .B translucent_strict By default, attempts to delete attributes in either the local or remote @@ -86,7 +90,29 @@ before being returned to the client. .TP .B translucent_bind_local Enable looking for locally stored credentials for simple bind when binding -to the remote database fails. +to the remote database fails. Disabled by default. + +.TP +.B translucent_pwmod_local +Enable RFC 3062 Password Modification extended operation on locally stored +credentials. The operation only applies to entries that exist in the remote +database. Disabled by default. + +.SH ACCESS CONTROL +Access control is delegated to either the remote DSA(s) or to the local database +backend for +.B auth +and +.B write +operations. +It is delegated to the remote DSA(s) and to the frontend for +.B read +operations. +Local access rules involving data returned by the remote DSA(s) should be designed +with care. In fact, entries are returned by the remote DSA(s) only based on the +remote fraction of the data, based on the identity the operation is performed as. +As a consequence, local rules might only be allowed to see a portion +of the remote data. .SH CAVEATS .LP 
@@ -103,4 +129,5 @@ ETCDIR/slapd.conf default slapd configuration file .SH SEE ALSO .BR slapd.conf (5), -.BR slapd-ldap (5). +.BR slapd\-config (5), +.BR slapd\-ldap (5).
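Review bot: In the CONFIGURATION hunk (@@ -31,15 +31,19 @@), the words "or similar" after the slapd\-ldap (5) and slapd\-meta (5) references leave the reader unable to tell which proxied backends the overlay is expected to work with. Either name the backends that are supported or state explicitly that any proxy backend may be used. The added line "typically a (set of) remote LDAP server(s), which is configured with the options shown in" is also much longer than the surrounding source lines and would be easier to maintain if split at the comma.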
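Review bot: In the hunk at @@ -86,7 +90,29 @@, the new ACCESS CONTROL section says access for auth and write operations is delegated to "either the remote DSA(s) or to the local database backend" without stating what decides between the two. Because translucent_bind_local and translucent_pwmod_local make locally stored credentials usable for simple bind and for password modification, the text should say which side's rules apply in each case, for example when the remote bind fails and the local credentials are tried. The translucent_pwmod_local description also does not say what happens when the entry exists in the remote database but has no local counterpart. The closing sentence "local rules might only be allowed to see a portion of the remote data" would be clearer if it said that local rules are evaluated only against the attributes the remote DSA returned for the identity performing the operation. Separately, the empty lines added before .TP and before .SH ACCESS CONTROL render as extra vertical space in the formatted page and can be dropped.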
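Review bot: In the SEE ALSO hunk (@@ -103,4 +129,5 @@), slapd\-meta (5) is missing from the list even though the CONFIGURATION text added by this patch now refers to it; add a .BR entry for it here. This hunk also adds slapd\-config (5) while SYNOPSIS and the file list just above still mention only ETCDIR/slapd.conf, so it is worth checking whether the page should say how these options are expressed in that configuration form.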