From: Pierangelo Masarati <ando@openldap.org>
Date: Wed, 7 Dec 2005 17:57:35 +0000 (+0000)
Subject: document idle-timeout; cleanup
X-Git-Tag: OPENLDAP_REL_ENG_2_4_BP~624
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=fdbcfbe59805891c0651d7b4e1575a537fd5de04;p=openldap

document idle-timeout; cleanup
---

diff --git a/doc/man/man5/slapd-ldap.5 b/doc/man/man5/slapd-ldap.5
index b683085b0b..a56e1a0926 100644
--- a/doc/man/man5/slapd-ldap.5
+++ b/doc/man/man5/slapd-ldap.5
@@ -93,21 +93,19 @@ internally used by the proxy to collect info related to access control.
 The identity defined by this directive, according to the properties
 associated to the authentication method, is supposed to have read access 
 on the target server to attributes used on the proxy for ACL checking.
-The
-.B secprops
-field is currently ignored.
 There is no risk of giving away such values; they are only used to
 check permissions.
 The default is to use
-.BR simple ,
-with empty binddn and credentials,
+.BR simple 
+bind, with empty \fIbinddn\fP and \fIcredentials\fP,
 which means that the related operations will be performed anonymously.
 
 .B This identity is by no means implicitly used by the proxy 
 .B when the client connects anonymously.
-See the
+The
 .B idassert-bind
-feature instead.
+feature, instead, in some cases can be crafted to implement that behavior,
+which is \fIintrinsically unsafe and should be used with extreme care\fP.
 This directive obsoletes
 .BR acl-authcDN ,
 and
@@ -334,6 +332,11 @@ Note: if the timelimit is exceeded, the operation is abandoned;
 the protocol does not provide any means to rollback the operation,
 so the client will not know if the operation eventually succeeded or not.
 
+.TP
+.B idle-timeout <time>
+This directive causes a cached connection to be dropped an recreated
+after it has been idle for the specified time.
+
 .SH BACKWARD COMPATIBILITY
 The LDAP backend has been heavily reworked between releases 2.2 and 2.3;
 as a side-effect, some of the traditional directives have been
diff --git a/doc/man/man5/slapd-meta.5 b/doc/man/man5/slapd-meta.5
index 548e9a2bbc..e900ea8104 100644
--- a/doc/man/man5/slapd-meta.5
+++ b/doc/man/man5/slapd-meta.5
@@ -154,6 +154,18 @@ because they are legal in the <naming context>, and we don't want to use
 URL-encoded <naming context>s), and the additional URIs must have
 no <naming context> part.  This causes the underlying library
 to contact the first server of the list that responds.
+For example, if \fIl1.foo.com\fP and \fIl2.foo.com\fP are shadows
+of the same server, the directive
+.LP
+.nf
+suffix "\fBdc=foo,dc=com\fP"
+uri    "ldap://l1.foo.com/\fBdc=foo,dc=com\fP	ldap://l2.foo.com/"
+.fi
+
+.RE
+.RS
+causes \fIl2.foo.com\fP to be contacted whenever \fIl1.foo.com\fP
+does not respond.
 .RE
 
 .TP
@@ -228,6 +240,11 @@ so the client will not know if the operation eventually succeeded or not.
 If set before any target specification, it affects all targets, unless
 overridden by any per-target directive.
 
+.TP
+.B idle-timeout <time>
+This directive causes a cached connection to be dropped an recreated
+after it has been idle for the specified time.
+
 .TP
 .B pseudorootdn "<substitute DN in case of rootdn bind>"
 This directive, if present, sets the DN that will be substituted to