add administrative bind and proxyAuthz control to enable bound operations in distribu...

author Pierangelo Masarati <ando@openldap.org>

Mon, 1 Dec 2003 08:29:06 +0000 (08:29 +0000)

committer Pierangelo Masarati <ando@openldap.org>

Mon, 1 Dec 2003 08:29:06 +0000 (08:29 +0000)
author Pierangelo Masarati <ando@openldap.org>
Mon, 1 Dec 2003 08:29:06 +0000 (08:29 +0000)
committer Pierangelo Masarati <ando@openldap.org>
Mon, 1 Dec 2003 08:29:06 +0000 (08:29 +0000)
diff --git a/doc/man/man5/slapd-ldap.5 b/doc/man/man5/slapd-ldap.5

index b3949472eb8163d2e5fb0b6d16a912f985780591..be5ddf1c05d202567772749a56ef82d1a1b1573e 100644 (file)
--- a/doc/man/man5/slapd-ldap.5
+++ b/doc/man/man5/slapd-ldap.5
@@ -33,9 +33,13 @@ Other database options are described in the
  manual page.
  .LP
  Note: It is strongly recommended to set
+.LP
  .RS
+.nf
  lastmod  off
+.fi
  .RE
+.LP
  for every
  .B ldap
  and
@@ -64,6 +68,32 @@ should have read access on the target server to attributes used on the
  proxy for acl checking.
  There is no risk of giving away such values; they are only used to
  check permissions.
+.RS
+Note: the
+.B binddn 
+/
+.B bindpw
+values are also used to propagate user authorization by means of the 
+.B proxyAuthz 
+mechanism when operations performed by users bound to another backend 
+are propagated to back-ldap.
+This requires the entry with 
+.B binddn 
+DN on the remote server to have
+.B proxyAuthz
+privileges on a wide set of DNs, e.g.
+.BR saslAuthzTo=regex:.* ,
+and the remote server to have
+.B sasl-authz-policy
+set to 
+.B to
+or 
+.BR both .
+See 
+.BR slapd.conf (5)
+for details on these statements and for remarks and drawbacks about
+their usage.
+.RE
  .TP
  .B bindpw <password>
  Password used with the bind DN above.
author	Pierangelo Masarati <ando@openldap.org>
	Mon, 1 Dec 2003 08:29:06 +0000 (08:29 +0000)
committer	Pierangelo Masarati <ando@openldap.org>
	Mon, 1 Dec 2003 08:29:06 +0000 (08:29 +0000)