document idle-timeout; cleanup

diff --git a/doc/man/man5/slapd-ldap.5 b/doc/man/man5/slapd-ldap.5
index b683085b0b755e240d34b709f13eee9983870a2c..a56e1a092623ef79d9bf0a930321d6afb838d19a 100644 (file)
--- a/doc/man/man5/slapd-ldap.5
+++ b/doc/man/man5/slapd-ldap.5
@@ -93,21 +93,19 @@ internally used by the proxy to collect info related to access control.
 The identity defined by this directive, according to the properties
 associated to the authentication method, is supposed to have read access 
 on the target server to attributes used on the proxy for ACL checking.
-The
-.B secprops
-field is currently ignored.
 There is no risk of giving away such values; they are only used to
 check permissions.
 The default is to use
-.BR simple ,
-with empty binddn and credentials,
+.BR simple 
+bind, with empty \fIbinddn\fP and \fIcredentials\fP,
 which means that the related operations will be performed anonymously.
 
 .B This identity is by no means implicitly used by the proxy 
 .B when the client connects anonymously.
-See the
+The
 .B idassert-bind
-feature instead.
+feature, instead, in some cases can be crafted to implement that behavior,
+which is \fIintrinsically unsafe and should be used with extreme care\fP.
 This directive obsoletes
 .BR acl-authcDN ,
 and
@@ -334,6 +332,11 @@ Note: if the timelimit is exceeded, the operation is abandoned;
 the protocol does not provide any means to rollback the operation,
 so the client will not know if the operation eventually succeeded or not.
 
+.TP
+.B idle-timeout <time>
+This directive causes a cached connection to be dropped an recreated
+after it has been idle for the specified time.
+
 .SH BACKWARD COMPATIBILITY
 The LDAP backend has been heavily reworked between releases 2.2 and 2.3;
 as a side-effect, some of the traditional directives have been

diff --git a/doc/man/man5/slapd-meta.5 b/doc/man/man5/slapd-meta.5
index 548e9a2bbcd5ea384930c1bea781119df966b4fe..e900ea81041b8ff00d83f7892fdf1527daa297e6 100644 (file)
--- a/doc/man/man5/slapd-meta.5
+++ b/doc/man/man5/slapd-meta.5
@@ -154,6 +154,18 @@ because they are legal in the <naming context>, and we don't want to use
 URL-encoded <naming context>s), and the additional URIs must have
 no <naming context> part.  This causes the underlying library
 to contact the first server of the list that responds.
+For example, if \fIl1.foo.com\fP and \fIl2.foo.com\fP are shadows
+of the same server, the directive
+.LP
+.nf
+suffix "\fBdc=foo,dc=com\fP"
+uri    "ldap://l1.foo.com/\fBdc=foo,dc=com\fP  ldap://l2.foo.com/"
+.fi
+
+.RE
+.RS
+causes \fIl2.foo.com\fP to be contacted whenever \fIl1.foo.com\fP
+does not respond.
 .RE
 
 .TP
@@ -228,6 +240,11 @@ so the client will not know if the operation eventually succeeded or not.
 If set before any target specification, it affects all targets, unless
 overridden by any per-target directive.
 
+.TP
+.B idle-timeout <time>
+This directive causes a cached connection to be dropped an recreated
+after it has been idle for the specified time.
+
 .TP
 .B pseudorootdn "<substitute DN in case of rootdn bind>"
 This directive, if present, sets the DN that will be substituted to