.LP
.RS
.nf
-(default) if defined and no specific context
- is available
-bindDN bind
-searchBase search
-searchFilter search
-compareDN compare
-compareAttrDN compare AVA
-addDN add
-addAttrDN add AVA
-modifyDN modify
-modifyAttrDN modify AVA
-modrDN modrdn
-newSuperiorDN modrdn
-deleteDN delete
+(default) if defined and no specific context
+ is available
+bindDN bind
+searchBase search
+searchFilter search
+searchFilterAttrDN search
+compareDN compare
+compareAttrDN compare AVA
+addDN add
+addAttrDN add AVA
+modifyDN modify
+modifyAttrDN modify AVA
+modrDN modrdn
+newSuperiorDN modrdn
+deleteDN delete
+exopPasswdDN passwd exop DN if proxy
.fi
.RE
.LP
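Review bot: the description of the new context at `+exopPasswdDN passwd exop DN if proxy` is too terse to act on; expand "exop" to "extended operation", say which DN in the Password Modify operation it rewrites, and state what "if proxy" means (when the context is consulted and when it is skipped), since an administrator needs to know whether a locally handled password change goes through this context at all. The same table gains `+searchFilterAttrDN search` with nothing to distinguish it from `searchFilter`; a short qualifier (e.g. "DN-valued assertions in the filter") would remove that ambiguity.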
.LP
.RS
.nf
-searchResult search (only if defined; no default;
- acts on DN and DN-syntax attributes
- of search results)
-searchAttrDN search AVA
-matchedDN all ops (only if applicable)
+searchResult search (only if defined; no default;
+ acts on DN and DN-syntax attributes
+ of search results)
+searchAttrDN search AVA
+matchedDN all ops (only if applicable)
.fi
.RE
.LP
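Review bot: the removed and added lines of this hunk (searchResult through matchedDN) are textually identical as rendered, so this appears to be a whitespace or indentation-only change; either drop it from a patch that is otherwise about renamed contexts and style names, or mention the reformat in the commit message so reviewers do not search for a semantic difference.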
.\"
.\" # Finally, in a bind, if one uses a `uid=username' DN,
.\" # it is rewritten in `cn=name surname' if possible.
-.\" rewriteContext bindDn
+.\" rewriteContext bindDN
.\" rewriteRule ".*" "%{>addBlanks(%{>uid2Gecos(%0)})}" ":"
.\"
-# Rewrite the search base according to `default' rules.
+# Rewrite the search base according to `default' rules.
rewriteContext searchBase alias default
# Search results with OpenLDAP DN are rewritten back with
# to real naming contexts, we also need to rewrite
# regular DNs, because the definition of a bindDn
# rewrite context overrides the default definition.
-rewriteContext bindDn
+rewriteContext bindDN
rewriteRule "^mail=[^,]+@[^,]+$" "%{attr2dn(%0)}" ":@I"
# This is a rather sophisticated example. It massages a
# track of the bind DN of the incoming request, which is
# stored in a variable called `binddn' with session scope,
# and left in place to allow regular binding:
-rewriteContext bindDn
+rewriteContext bindDN
rewriteRule ".+" "%{&&binddn(%0)}%0" ":"
# A search filter containing `uid=' is rewritten only
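Review bot: the rename from bindDn to bindDN is not carried through the comment line `# regular DNs, because the definition of a bindDn`, which still uses the old spelling and will mislead anyone copying the example; update it together with the three rewriteContext lines. The pair `-# Rewrite the search base according to ...` / `+# Rewrite the search base according to ...` is identical as rendered, so that part of the hunk is whitespace only and should be dropped or noted.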
dn[.<dnstyle>[,<modifier>]]=<DN>
dnattr=<attrname>
group[/<objectclass>[/<attrname>]]
- [.<style>]=<group>
+ [.<groupstyle>]=<group>
peername[.<peernamestyle>]=<peername>
sockname[.<style>]=<sockname>
domain[.<domainstyle>[,<modifier>]]=<domain>
sockurl[.<style>]=<sockurl>
- set[.<style>]=<pattern>
+ set[.<setstyle>]=<pattern>
ssf=<n>
transport_ssf=<n>
.LP
.nf
<dnstyle>={{exact|base}|regex|sub(tree)|one(level)|children}
- <style>={exact|regex}
- <peernamestyle>={exact|regex|ip|path}
+ <groupstyle>={exact|expand}
+ <style>={exact|regex|expand}
+ <peernamestyle>={<style>|ip|path}
<domainstyle>={exact|regex|sub(tree)}
+ <setstyle>={exact|regex}
<modifier>={expand}
.fi
.LP
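Review bot: the style grammar is now inconsistent: `+ <style>={exact|regex|expand}` adds expand to the generic style, yet the only selectors still using a bare `<style>` are sockname and sockurl, whose syntax lines take no `[,<modifier>]`, while `<modifier>={expand}` remains for dn and domain. Either state that sockname and sockurl accept expand as a style, or give them dedicated names like the new <groupstyle> and <setstyle> so the grammar says exactly which styles each selector accepts. Note also that `+ <peernamestyle>={<style>|ip|path}` now inherits expand through <style>; confirm that is intended.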
The optional style qualifier
.B <style>
can be
-.BR regex ,
+.BR expand ,
which means that
.B <group>
will be expanded as a replacement string (but not as a regular expression)
according to regex (7), and
-.B base
-or
-.B exact
-(an alias of
-.BR base ),
+.BR exact ,
which means that exact match will be used.
.LP
For static groups, the specified attributeType must have
.B labeledURI
attributeType. Only LDAP URIs of the form
.B ldap:///<base>??<scope>?<filter>
-will be evaluated in a dynamic group.
+will be evaluated in a dynamic group, by searching the local server only.
.LP
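Review bot: the rewritten group style text drops `base`, which the removed lines documented as an alias of exact, without saying whether base is now rejected or still accepted; if existing configurations may use it, keep a one-line note that base is a deprecated alias. In the dynamic group paragraph, `+will be evaluated in a dynamic group, by searching the local server only.` should also say what happens when the URI carries a host or port (rejected at configuration time, or ignored), because an administrator expecting a remote lookup would otherwise get a silent local search that can match a different set of members.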
The statements
.BR peername=<peername> ,
.B style
rules for pattern match described for the
.B group
-case apply.
+case apply, plus the
+.B regex
+style, which implies submatch
+.B expand
+and
+.BR regex (7)
+match of the corresponding connection parameters.
The
.B exact
style of the
exactly matches the
.BR domain
pattern.
+The
+.B expand
+style is allowed, implying an
+.B exact
+match with submatch expansion; the use of
+.B expand
+as a style modifier is considered more appropriate.
As an example,
.B domain.subtree=example.com
will match www.example.com, but will not match www.anotherexample.com.
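Review bot: `+as a style modifier is considered more appropriate.` leaves it unclear whether expand as a style is deprecated or merely equivalent; say explicitly that `domain.expand=` and `domain.exact,expand=` behave identically, or mark the former as deprecated, so administrators know which form to write. In the peername paragraph, the new sentence that regex implies submatch expand and regex(7) match of the connection parameters would benefit from a reminder that an unanchored regex(7) pattern matches any substring of the value, as the `^...$` anchors in the rewriteRule examples earlier in this page already illustrate.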
with
.RS
.TP
-<style> ::= exact | base | one | subtree | children | regex | anonymous
+<style> ::= exact | base | onelevel | subtree | children | regex | anonymous
.RE
The term
or
.B base
(which are synonyms), to require an exact match; with
-.BR one,
+.BR onelevel ,
to require exactly one level of depth match; with
-.BR subtree,
+.BR subtree ,
to allow any level of depth match, including the exact match; with
-.BR children,
+.BR children ,
to allow any level of depth match, not including the exact match;
.BR regex
explicitly requires the (default) match based on regular expression
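Review bot: `one` is renamed to `onelevel` in both the grammar line and the prose, but the hunk does not say whether the old `one` keyword is still accepted; if it is, list it as an alias (the surrounding text already does this for exact and base), and if not, call the change out in the commit message since limits statements in existing slapd.conf files would stop parsing.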
The currently supported limits are
.B size
and
-.BR time.
+.BR time .
The syntax for time limits is
.BR time[.{soft|hard}]=<integer> ,
.BR soft
limit is used; if the requested time limit exceeds the
.BR hard
-limit, an "Administrative limit exceeded" is returned.
+limit, an
+.I \"Administrative limit exceeded\"
+is returned.
If the
.BR hard
-limit is set to 0 or to the keyword "soft", the soft limit is used
-in either case; if it is set to -1 or to the keyword "none",
+limit is set to 0 or to the keyword
+.IR soft ,
+the soft limit is used in either case; if it is set to
+.I -1
+or to the keyword
+.IR none ,
no hard limit is enforced.
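Review bot: `+.I \"Administrative limit exceeded\"` will render as an empty italic request, because `\"` is the troff comment escape and everything after it on the line is discarded, leaving the sentence as "limit, an is returned."; to print literal double quotes in a macro argument use `\(dq`, e.g. `.I \(dqAdministrative limit exceeded\(dq`. The same construct appears in the size limit and unchecked limit hunks below.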
Explicit requests for time limits smaller or equal to the
.BR hard
.BR soft
limit is used; if the requested size limit exceeds the
.BR hard
-limit, an "Administrative limit exceeded" is returned.
+limit, an
+.I \"Administrative limit exceeded\"
+is returned.
If the
.BR hard
-limit is set to 0 or to the keyword "soft", the soft limit is used
-in either case; if it is set to -1 or to the keyword "none",
+limit is set to 0 or to the keyword
+.IR soft ,
+the soft limit is used in either case; if it is set to
+.I -1
+or to the keyword
+.IR none ,
no hard limit is enforced.
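Review bot: same troff problem as in the time limit hunk: `+.I \"Administrative limit exceeded\"` starts a comment at `\"` and prints nothing; use `\(dq` for the quotes.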
Explicit requests for size limits smaller or equal to the
.BR hard
to examine.
If the selected candidates exceed the
.BR unchecked
-limit, the search will abort with "Unwilling to perform".
-If it is set to -1 or to the keyword "none", no limit is applied (the default).
+limit, the search will abort with
+.IR \"Unwilling to perform\" .
+If it is set to
+.I -1
+or to the keyword
+.IR none ,
+no limit is applied (the default).
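Review bot: `+.IR \"Unwilling to perform\" .` has the same `\"` comment problem, and here the trailing `.` argument is discarded with the rest of the line as well, so neither the error name nor the full stop is printed; write `.IR \(dqUnwilling to perform\(dq .` instead.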
If no flag is set, the value is assigned to the
.BR soft
limit, and the
In case of no match, the global limits are used.
The default values are the same of
-.BR sizelimit
+.B sizelimit
and
.BR timelimit ;
no limit is set on
where
.BR integer
is the max page size if no explicit limit is set; the keyword
-.BR noEstimate
+.IR noEstimate
inhibits the server to return an estimate of the total number
of entries that will be returned.
.RE
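Review bot: `+.IR noEstimate` uses the alternating italic/roman macro with a single argument; `.I noEstimate` is the usual form and matches the `+.B sizelimit` change a few lines up, where `.BR` with one argument was likewise reduced to `.B`.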
name can also be used with a suffix of the form ":xx" in which case the
value "oid.xx" will be used.
.TP
-.B password-hash <hash>
-This option sets the hash to be used in generation of user
-passwords, stored in userPassword, during processing of
+.B password-hash <hash> [<hash>...]
+This option configures one or more hashes to be used in generation of user
+passwords stored in the userPassword attribute during processing of
LDAP Password Modify Extended Operations (RFC 3062).
The <hash> must be one of
.BR {SSHA} ,
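Review bot: `+.B password-hash <hash> [<hash>...]` introduces multiple hashes, but the new description only says "one or more hashes to be used" and never states how several are applied: whether every listed hash produces its own userPassword value, or only the first usable one is stored. This matters for hardening guidance, since storing the same password under a weak scheme next to a strong one reduces its protection to the weakest listed scheme; spell out the semantics in this paragraph.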
.I saslAuthzTo
attribute must be protected with ACLs such that
only privileged users can modify it.
+The value of
+.I saslAuthzFrom
+and
+.I saslAuthzTo
+describes an
+.B identity
+or a set of identities; it can take three forms:
+.RS
+.RS
+.TP
+.B ldap:///<base>??[<scope>]?<filter>
+.RE
+.RS
+.B dn[.<dnstyle>]:<pattern>
+.RE
+.RS
+.B u[<mech>[<realm>]]:<pattern>
+.RE
+.RS
+.B <pattern>
+.RE
+.RS
+
+.B <dnstyle>:={exact|onelevel|children|subtree|regex}
+
+.RE
+The first form is a valid LDAP
+.B uri
+where the
+.IR <host>:<port> ,
+the
+.I <attrs>
+and the
+.I <extensions>
+portions must be absent, so that the search occurs locally on either
+.I saslAuthzFrom
+or
+.IR saslAuthzTo .
+The second form is a
+.BR DN ,
+with the optional style modifiers
+.IR exact ,
+.IR onelevel ,
+.IR children ,
+and
+.I subtree
+for exact, onelevel, children and subtree matches, which cause
+.I <pattern>
+to be normalized according to the DN normalization rules, or the special
+.I regex
+style, which causes
+.I <pattern>
+to be compiled according to
+.BR regex (7).
+The third form is a SASL
+.BR id ,
+with the optional fields
+.I <mech>
+and
+.I <realm>
+that allow to specify a SASL
+.BR mechanism ,
+and eventually a SASL
+.BR realm ,
+for those mechanisms that support one.
+The need to allow the specification of a mechanism is still debated,
+and users are strongly discouraged to rely on this possibility.
+For backwards compatibility, if no identity type is provided, i.e. only
+.B <pattern>
+is present, an
+.I exact DN
+is assumed; as a consequence,
+.B <pattern>
+is subjected to DN normalization.
+Since the interpretation of
+.I saslAuthzFrom
+and
+.I saslAuthzTo
+can impact security, users are strongly encouraged
+to explicitly set the type of identity specification that is being used.
+.RE
.TP
.B sasl-host <fqdn>
Used to specify the fully qualified domain name used for SASL processing.
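Review bot: `+.TP` before the first identity form is a stray tagged-paragraph request (the other three forms use plain `.RS`/`.B`/`.RE`) and will misalign that line; remove it. More importantly for an authorization option, the text says the URI's host, port, attrs and extensions "must be absent" but not what the server does when they are present: state whether such a value is rejected at configuration time or silently ignored, since an accepted `ldap://host/...` that is then evaluated locally authorizes a different set of identities than the administrator intended. Minor: `+.B <dnstyle>:={exact|onelevel|children|subtree|regex}` uses `:=` where the rest of the page writes `=`, and "users are strongly discouraged to rely on this possibility" should read "discouraged from relying on".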
Specifies the maximum number of aliases to dereference when trying to
resolve an entry, used to avoid infinite alias loops. The default is 1.
.TP
+.B overlay <overlay-name>
+Add the specified overlay to this database. An overlay is a piece of
+code that intercepts database operations in order to extend or change
+them. Overlays are pushed onto
+a stack over the database, and so they will execute in the reverse
+of the order in which they were configured and the database itself
+will receive control last of all.
+.TP
.B readonly on | off
This option puts the database into "read-only" mode. Any attempts to
modify the database will return an "unwilling to perform" error. By
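Review bot: the new `overlay <overlay-name>` entry explains the stacking order but not where an overlay's own directives go or how the overlay code is made available; since this is a per-database directive, add that the overlay-specific configuration directives follow the `overlay` line they belong to, and say whether the overlay must be built in or loaded as a module before it can be named here. Without that, a reader cannot tell from this entry whether a misplaced directive silently applies to the database instead of the overlay.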