X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=doc%2Fman%2Fman5%2Fslapo-translucent.5;h=f28a3769cf384ce5f8f6f34630703a12c42fd1df;hb=2dd578221b3dbaf7ba2308b63c3cc46154323cae;hp=c44218e522292bd2abc571bc5342fd1719f074f9;hpb=8da7cce20d994c15be699676b66804648620fb00;p=openldap diff --git a/doc/man/man5/slapo-translucent.5 b/doc/man/man5/slapo-translucent.5 index c44218e522..f28a3769cf 100644 --- a/doc/man/man5/slapo-translucent.5 +++ b/doc/man/man5/slapo-translucent.5 @@ -1,14 +1,14 @@ .TH SLAPO-TRANSLUCENT 5 "RELEASEDATE" "OpenLDAP LDVERSION" -.\" Copyright 2004 The OpenLDAP Foundation All Rights Reserved. +.\" Copyright 2004-2011 The OpenLDAP Foundation All Rights Reserved. .\" Copying restrictions apply. See COPYRIGHT/LICENSE. .\" $OpenLDAP$ .SH NAME -slapo-translucent \- Proxy Override overlay +slapo\-translucent \- Translucent Proxy overlay to slapd .SH SYNOPSIS ETCDIR/slapd.conf .SH DESCRIPTION -The Proxy Override overlay can be used with a backend database such as -.BR slapd-bdb (5) +The Translucent Proxy overlay can be used with a backend database such as +.BR slapd\-bdb (5) to create a "translucent proxy". Entries retrieved from a remote LDAP server may have some or all attributes overridden, or new attributes added, by entries in the local database before being presented to the 
@@ -31,17 +31,19 @@ operation will perform a comparison with attributes defined in the local database record (if any) before any comparison is made with data in the remote database. .SH CONFIGURATION -The Proxy Override overlay uses a remote LDAP server which is configured -with the options shown in -.BR slapd-ldap (5). +The Translucent Proxy overlay uses a proxied database, +typically a (set of) remote LDAP server(s), which is configured with the options shown in +.BR slapd\-ldap (5), +.BR slapd\-meta (5) +or similar. These .B slapd.conf -options are specific to the Proxy Override overlay; they may appear anywhere +options are specific to the Translucent Proxy overlay; they must appear after the .B overlay -directive and before any subsequent -.B database -directive. +directive that instantiates the +.B translucent +overlay. .TP .B translucent_strict By default, attempts to delete attributes in either the local or remote 
@@ -59,9 +61,62 @@ operation, such that all parents of an entry added to the local database must be created by hand. Glue records are always created for a .B modify operation. +.TP +.B translucent_local +Specify a list of attributes that should be searched for in the local database +when used in a search filter. By default, search filters are only handled by +the remote database. With this directive, search filters will be split into a +local and remote portion, and local attributes will be searched locally. +.TP +.B translucent_remote +Specify a list of attributes that should be searched for in the remote database +when used in a search filter. This directive complements the +.B translucent_local +directive. Attributes may be specified as both local and remote if desired. +.LP +If neither +.B translucent_local +nor +.B translucent_remote +are specified, the default behavior is to search the remote database with the +complete search filter. If only +.B translucent_local +is specified, searches will only be run on the local database. Likewise, if only +.B translucent_remote +is specified, searches will only be run on the remote database. In any case, both +the local and remote entries corresponding to a search result will be merged +before being returned to the client. + +.TP +.B translucent_bind_local +Enable looking for locally stored credentials for simple bind when binding +to the remote database fails. Disabled by default. + +.TP +.B translucent_pwmod_local +Enable RFC 3062 Password Modification extended operation on locally stored +credentials. The operation only applies to entries that exist in the remote +database. Disabled by default. + +.SH ACCESS CONTROL +Access control is delegated to either the remote DSA(s) or to the local database +backend for +.B auth +and +.B write +operations. +It is delegated to the remote DSA(s) and to the frontend for +.B read +operations. 
+Local access rules involving data returned by the remote DSA(s) should be designed +with care. In fact, entries are returned by the remote DSA(s) only based on the +remote fraction of the data, based on the identity the operation is performed as. +As a consequence, local rules might only be allowed to see a portion +of the remote data. + .SH CAVEATS .LP -The Proxy Override overlay will disable schema checking in the local database, +The Translucent Proxy overlay will disable schema checking in the local database, so that an entry consisting of overlay attributes need not adhere to the complete schema. .LP @@ -74,4 +129,5 @@ ETCDIR/slapd.conf default slapd configuration file .SH SEE ALSO .BR slapd.conf (5), -.BR slapd-ldap (5). +.BR slapd\-config (5), +.BR slapd\-ldap (5).
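Review bot: in the `@@ -31,17 +31,19 @@` hunk the rewritten placement rule drops the old "before any subsequent database directive" bound without replacing it; since these options are scoped to one database, keep a clause such as "... directive that instantiates the translucent overlay, within the same database section" so the reader does not assume they can follow a later `database` line. Minor wording: "typically a (set of) remote LDAP server(s)" reads awkwardly; "typically one or more remote LDAP servers" says the same thing.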
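Review bot: in the `@@ -59,9 +61,62 @@` hunk the `translucent_bind_local` text "when binding to the remote database fails" leaves open which failures trigger the fallback. A bind rejected by the remote DSA and a remote DSA that is unreachable have different consequences (the first quietly adds a second set of credentials that can authenticate the entry, the second can switch authentication to local data whenever the proxy target is down), so the paragraph should say which cases apply and which locally stored attribute is consulted; `translucent_pwmod_local` should likewise name the attribute it updates. The `translucent_local`/`translucent_remote` paragraphs also never state what happens to filter attributes listed in neither directive when both are set; one sentence covering that case would close the gap. In the new ACCESS CONTROL text, "local rules might only be allowed to see a portion of the remote data" is easier to follow as "the remote DSA has already applied its own access control for the bind identity, so local rules only ever operate on the entries and attributes it chose to return". Style: the added blank lines before `.TP` and `.SH ACCESS CONTROL` produce extra vertical space in the rendered page; use `.LP`/`.PP` or drop them, as the rest of the file does.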
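Review bot: in the `@@ -74,4 +129,5 @@` hunk SEE ALSO now points at slapd\-config(5), but the SYNOPSIS still lists only ETCDIR/slapd.conf and every directive in this page is documented in slapd.conf syntax only. Either document the cn=config equivalents of the new directives alongside them or leave the reference out, so the cross-reference does not promise configuration that the page does not describe.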