\fBuri "ldap://host/ ldap://backup-host"\fP
The URI list is space- or comma-separated.
-.TP
-.B server <hostport>
-Obsolete option; same as `uri ldap://<hostport>/'.
+.\".TP
+.\".B server <hostport>
+.\"Obsolete option; same as `uri ldap://<hostport>/'.
.TP
.B acl-authcDN "<administrative DN for access control purposes>"
DN which is used to query the target server for acl checking; it
check permissions.
.B The acl-authcDN identity is by no means implicitly used by the proxy
.B when the client connects anonymously.
+See the
+.B idassert-*
+feature instead.
.TP
.B acl-passwd <password>
Password used with the bind DN above.
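Review bot: hiding the `server <hostport>` entry behind `.\"` comments removes the only statement that tells an administrator the keyword is obsolete and equivalent to `uri ldap://<hostport>/`. If back-ldap still accepts `server`, keep a one-line deprecation note visible under `.TP`/`.B server <hostport>` instead of commenting the block out; if it no longer accepts it, say so explicitly so that an existing configuration that stops loading is diagnosable from the manual. The added pointer "See the idassert-* feature instead" after the acl-authcDN warning is a good addition, since it tells the reader which mechanism actually governs the identity used for anonymous clients.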
.B idassert-passwd <password>
Password used with the proxy authzDN above.
.TP
-.B idassert-mode <mode>
+.B idassert-mode <mode> [<flags>]
defines what type of
.I identity assertion
is used.
The supported modes are:
-.RS
-.RS
-.TP
-.B <mode>={legacy|anonymous|none|<id>|self}
-.RE
-.RS
-.B <id>={u:<ID>|[dn:]<DN>}
-.RE
+
+\fB<mode> := {legacy|anonymous|none|<id>|self}\fP
+
+\fB<flags> := {override}\fP
+
+\fB<id> := {u:<ID>|[dn:]<DN>}\fP
The default is
.BR legacy ,
.I authzFrom
permissions. Note, however, that the ID assertion feature is mostly
useful when the asserted identities do not exist on the remote server.
+When the
+.B override
+flag is used, identity assertion takes place even when the database
+is authorizing for the identity of the client, i.e. after binding
+with the provided identity, and thus authenticating it, the proxy
+performs the identity assertion using the configured identity and
+authentication method.
.RE
.TP
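Review bot: the `override` paragraph ("When the override flag is used, identity assertion takes place even when the database is authorizing for the identity of the client ...") needs to say whether `idassert-authzFrom` still restricts which authenticated clients are re-bound as the asserted identity; as written a reader can conclude that any client whose bind succeeds is then mapped onto the configured identity and inherits its privileges on the remote server, which is a significant widening and should be stated (and, if that is the behaviour, warned about next to the existing note that the feature is "mostly useful when the asserted identities do not exist on the remote server"). It should also state what happens when the client's bind fails, so nobody reads "after binding with the provided identity, and thus authenticating it" as a fall-through to the asserted identity. Two formatting points: the hunk removes two `.RS`/`.RE` pairs but leaves the context `.RE` untouched, so confirm it still matches an `.RS` above this hunk, and the bare `+` blank lines around the `\fB<mode> := ...\fP` grammar lines will trigger groff's blank-line warning; `.LP` or `.sp` is the usual form.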
-.B idassert-authzFrom <authz>
+.B idassert-authzFrom <authz-regexp>
if defined, selects what
.I local
identities are authorized to exploit the identity assertion feature.
The string
-.B authz
+.B <authz-regexp>
follows the rules defined for the
.I authzFrom
attribute.
.BR slapd.conf (5),
section related to
.BR authz-policy ,
-for details on the supported syntaxes.
+for details on the syntax of this field.
.TP
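Review bot: renaming the argument from `<authz>` to `<authz-regexp>` is misleading, because the same paragraph says the value "follows the rules defined for the authzFrom attribute", and those rules also allow exact-DN and `u:` forms, not only regular expressions; `<authz-rule>` or keeping `<authz>` would match the text. Since this field is the access-control knob that decides which local identities may trigger identity assertion, it is worth stating the default here (no identity authorized unless listed, or everything) rather than only referring the reader to `slapd.conf(5)`.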
.B idassert-method <method> [<saslargs>]
where valid method values are
-.RS
-.TP
-.B <method>={none|simple|sasl}
-.RE
-.RS
-.B <saslargs>=[mech=<mech>] [realm=<realm>] [authcid=<authcid>] [cred=<cred>]
-.RE
-.RS
+\fB<method> := {none|simple|sasl}\fP
+
+\fB<saslargs> := [mech=<mech>] [realm=<realm>] [authcid=<authcid>] [cred=<cred>] [authz={native|proxyauthz}]\fP
+
If method is
.IR sasl ,
-extra parameters can be given a described above.
+extra parameters can be given as described above.
The default is
.BR simple ;
.B none
If this option is given, the client's bind credentials are remembered
for rebinds when chasing referrals.
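Review bot: `[authz={native|proxyauthz}]` is added to the `<saslargs>` grammar but nothing in the hunk explains what the two values select or which one is the default; add a sentence for each, because the choice determines how the asserted identity is conveyed to the remote server and an administrator cannot reason about the resulting authorization without it. The `.RS` removed at the end of the grammar block has no matching `.RE` removed in this hunk, so check the remaining `.RS`/`.RE` nesting in the rendered page. The `a described above` typo fix is correct.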
.TP
-.B suffixmassage <suffix> <massaged (remote) suffix>
-DNs ending with <suffix> in a request are changed to end with <remote
-suffix> before sending the request to the remote server, and <remote
-suffix> in the results are changed back to <suffix> before returning
-them to the client.
-The <suffix> field must be defined as a valid suffix
-for the current database.
-.TP
-.B map "{attribute | objectclass} [<local name> | *] {<foreign name> | *}"
-Map attribute names and object classes from the foreign server to
-different values on the local slapd.
-The reason is that some attributes might not be part of the local
-slapd's schema, some attribute names might be different but serve the
-same purpose, etc.
-If local or foreign name is `*', the name is preserved.
-If local name is omitted, the foreign name is removed.
-Unmapped names are preseved if both local and foreign name are `*',
-and removed if local name is omitted and foreign name is `*'.
+.\".B suffixmassage <suffix> <massaged (remote) suffix>
+.\"DNs ending with <suffix> in a request are changed to end with <remote
+.\"suffix> before sending the request to the remote server, and <remote
+.\"suffix> in the results are changed back to <suffix> before returning
+.\"them to the client.
+.\"The <suffix> field must be defined as a valid suffix
+.\"for the current database.
+.\".TP
+.\".B map "{attribute | objectclass} [<local name> | *] {<foreign name> | *}"
+.\"Map attribute names and object classes from the foreign server to
+.\"different values on the local slapd.
+.\"The reason is that some attributes might not be part of the local
+.\"slapd's schema, some attribute names might be different but serve the
+.\"same purpose, etc.
+.\"If local or foreign name is `*', the name is preserved.
+.\"If local name is omitted, the foreign name is removed.
+.\"Unmapped names are preseved if both local and foreign name are `*',
+.\"and removed if local name is omitted and foreign name is `*'.
+.\".TP
+.\".B rewrite*
+.\"The rewrite options are described in the "REWRITING" section of the
+.\".BR slapd-meta (5)
+.\"manual page.
.TP
-.B rewrite*
-The rewrite options are described in the "REWRITING" section of the
-.BR slapd-meta (5)
-manual page.
-.SH EXAMPLES
-The following directives map the object class `groupOfNames' to
-the object class `groupOfUniqueNames' and the attribute type
-`member' to the attribute type `uniqueMember':
-.LP
-.RS
-.nf
-map objectclass groupOfNames groupOfUniqueNames
-map attribute uniqueMember member
-.fi
-.RE
-.LP
-This presents a limited attribute set from the foreign
-server:
-.LP
-.RS
-.nf
-map attribute cn *
-map attribute sn *
-map attribute manager *
-map attribute description *
-map attribute *
-.fi
-.RE
-.LP
-These lines map cn, sn, manager, and description to themselves, and
-any other attribute gets "removed" from the object before it is sent
-to the client (or sent up to the LDAP server). This is obviously a
-simplistic example, but you get the point.
+.B suffixmassage, map, rewrite*
+These directives are no longer supported by back-ldap; their
+functionality is now delegated to the
+.B rwm
+overlay; see
+.BR slapo-rwm (5)
+for details.
+However, to ease update from existing configurations, back-ldap still
+recognizes them and automatically instantiates the
+.B rwm
+overlay if available and not instantiated yet.
+This behavior may change in the future.
+.\".SH EXAMPLES
+.\"The following directives map the object class `groupOfNames' to
+.\"the object class `groupOfUniqueNames' and the attribute type
+.\"`member' to the attribute type `uniqueMember':
+.\".LP
+.\".RS
+.\".nf
+.\"map objectclass groupOfNames groupOfUniqueNames
+.\"map attribute uniqueMember member
+.\".fi
+.\".RE
+.\".LP
+.\"This presents a limited attribute set from the foreign
+.\"server:
+.\".LP
+.\".RS
+.\".nf
+.\"map attribute cn *
+.\"map attribute sn *
+.\"map attribute manager *
+.\"map attribute description *
+.\"map attribute *
+.\".fi
+.\".RE
+.\".LP
+.\"These lines map cn, sn, manager, and description to themselves, and
+.\"any other attribute gets "removed" from the object before it is sent
+.\"to the client (or sent up to the LDAP server). This is obviously a
+.\"simplistic example, but you get the point.
.SH PROXY CACHE OVERLAY
The proxy cache overlay
allows caching of LDAP search requests (queries) in a local database.
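Review bot: the replacement text contradicts itself: the directives are described as "no longer supported by back-ldap" and in the next sentence as still recognized and acted upon; "deprecated" is the accurate word, and the text should name the `rwm` directives they are translated to (`rwm-suffixmassage`, `rwm-map`, `rwm-rewrite*`) so administrators can migrate. More importantly, "automatically instantiates the rwm overlay if available" leaves the failure mode unspecified: if the overlay is not available, a `map attribute *` or `suffixmassage` line that is silently dropped changes which attributes and DNs the proxy exposes to clients, so the manual should say that the configuration is rejected (or, if it is not, that it is ignored with a warning). Consider also keeping the old `.TP` entries as one-line "deprecated, see slapo-rwm(5)" stubs instead of `.\"` comments, which keeps the page searchable for the old keywords.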
.BR slapd.conf (5),
.BR slapd\-meta (5),
.BR slapo\-pcache (5),
+.BR slapo\-rwm (5),
.BR slapd (8),
.BR ldap (3).
.SH AUTHOR
.B rwm-suffixmassage
directive.
.TP
-.B rwm-suffixmassage "<virtual naming context>" "<real naming context>"
+.B rwm-suffixmassage "[<virtual naming context>]" "<real naming context>"
Shortcut to implement naming context rewriting; the trailing part
of the DN is rewritten from the virtual to the real naming context
in the bindDN, searchDN, searchFilterAttrDN, compareDN, compareAttrDN,
addDN, addAttrDN, modifyDN, modifyAttrDN, modrDN, newSuperiorDN,
deleteDN, exopPasswdDN, and from the real to the virtual naming context
in the searchEntryDN, searchAttrDN and matchedDN rewrite contexts.
-By default no rewriting occurs for the searchFilter rewrite context.
-This directive implies setting the
+By default no rewriting occurs for the searchFilter
+and for the referralAttrDN and referralDN rewrite contexts.
+If no \fI<virtual naming context>\fP is given, the first suffix of the
+database is used; this requires the
+.B rwm-suffixmassage
+directive be defined \fIafter\fP the database
+.B suffix
+directive.
+The
+.B rwm-suffixmassage
+directive automatically sets the
.B rwm-rewriteEngine
to
.BR ON .
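Review bot: the new optional form of `rwm-suffixmassage` introduces an ordering dependency ("requires the rwm-suffixmassage directive be defined after the database suffix directive", which should read "to be defined"); the text should state what happens when the order is wrong, i.e. whether slapd refuses the configuration or silently massages against an undefined suffix, since a wrong naming context in the bindDN/searchDN rewrite contexts affects which entries clients reach. The added sentence that referralAttrDN and referralDN are not rewritten by default is useful; a short note on the consequence (referrals returned to clients still carry the real naming context) would make the security impact clear.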
.SH "Substitution Pattern Syntax"
Everything starting with `$' requires substitution;
.LP
-the only obvious exception is `$$', which is left as is;
+the only obvious exception is `$$', which is turned into a single `$';
.LP
the basic substitution is `$<d>', where `<d>' is a digit;
0 means the whole string, while 1-9 is a submatch, as discussed in
to any single rule; an optional per-rule limit can be set.
This limit is overridden by setting specific per-rule limits
with the `M{n}' flag.
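Review bot: changing the documented meaning of `$$` from "left as is" to "turned into a single `$`" is a semantic change, not a wording fix; if the rewrite engine was changed to match, that code change belongs in the same patch, and if the old text was simply wrong the commit message should say so, because rewrite rules that rely on the old behaviour will produce different DNs after this change.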
-.SH "Configuration Examples"
+.SH "REWRITE CONFIGURATION EXAMPLES"
.nf
# set to `off' to disable rewriting
rwm-rewriteEngine on
rwm-rewriteRule ".+,ou=People,dc=example,dc=com$" "$0" ":@"
rwm-rewriteRule ".*" "" "#"
.fi
+.SH "MAPPING EXAMPLES"
+The following directives map the object class `groupOfNames' to
+the object class `groupOfUniqueNames' and the attribute type
+`member' to the attribute type `uniqueMember':
+.LP
+.RS
+.nf
+map objectclass groupOfNames groupOfUniqueNames
+map attribute uniqueMember member
+.fi
+.RE
+.LP
+This presents a limited attribute set from the foreign
+server:
+.LP
+.RS
+.nf
+map attribute cn *
+map attribute sn *
+map attribute manager *
+map attribute description *
+map attribute *
+.fi
+.RE
+.LP
+These lines map cn, sn, manager, and description to themselves, and
+any other attribute gets "removed" from the object before it is sent
+to the client (or sent up to the LDAP server). This is obviously a
+simplistic example, but you get the point.
.SH FILES
.TP
ETCDIR/slapd.conf
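Review bot: the examples moved into the new "MAPPING EXAMPLES" section still use the bare `map` keyword, but in `slapo-rwm(5)` the directive is `rwm-map`, so the section as written does not work when pasted into an rwm overlay configuration; the same applies to the prose, whose direction is inconsistent with the `map {attribute|objectclass} [<local name>] <foreign name>` syntax it came with: `map objectclass groupOfNames groupOfUniqueNames` maps local `groupOfNames` to foreign `groupOfUniqueNames`, whereas `map attribute uniqueMember member` maps local `uniqueMember` to foreign `member`, the opposite of the sentence "the attribute type `member' to the attribute type `uniqueMember'". The attribute-filtering example should also say that the order matters (the `map attribute *` catch-all must come last) since it is the rule that hides every attribute not explicitly listed. Finally, the two new `.SH` names are upper-case while the neighbouring "Substitution Pattern Syntax" heading is title-case; pick one convention for the page.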