From: Pierangelo Masarati Date: Sat, 7 Oct 2006 18:14:30 +0000 (+0000) Subject: more on clarification of special proxy identities and resilience to connection failure X-Git-Tag: OPENLDAP_REL_ENG_2_3_MP~73 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=dd2721c8571a94823ae5b9de615c35644456574a;p=openldap more on clarification of special proxy identities and resilience to connection failure --- diff --git a/doc/man/man5/slapd-ldap.5 b/doc/man/man5/slapd-ldap.5 index 6ead6fa1c9..28bcc7ebf6 100644 --- a/doc/man/man5/slapd-ldap.5 +++ b/doc/man/man5/slapd-ldap.5 @@ -97,16 +97,25 @@ needs be created. .B [authcId=] [authzId=] .RS Allows to define the parameters of the authentication method that is -internally used by the proxy to collect info related to access control. +internally used by the proxy to collect info related to access control, +and whenever an operation occurs with the identity of the rootdn +of the LDAP proxy database. The identity defined by this directive, according to the properties associated to the authentication method, is supposed to have read access on the target server to attributes used on the proxy for ACL checking. + There is no risk of giving away such values; they are only used to check permissions. The default is to use .BR simple bind, with empty \fIbinddn\fP and \fIcredentials\fP, which means that the related operations will be performed anonymously. +If not set, and if \fBidassert-bind\fP is defined, this latter identity +is used instead. See \fBidassert-bind\fP for details. + +The connection between the proxy database and the remote server +associated to this identity is cached regardless of the lifespan +of the client-proxy connection that first established it. .B This identity is by no means implicitly used by the proxy .B when the client connects anonymously. @@ -321,6 +330,10 @@ whose assertion is not allowed by the .B idassert-authzFrom patterns. +The identity associated to this directive is also used for privileged +operations whenever \fBidassert-bind\fP is defined and \fBacl-bind\fP +is not. See \fBacl-bind\fP for details. + This directive obsoletes .BR idassert-authcDN , .BR idassert-passwd ,