From 1a7479a16bc90be4103090f24c59243d0ad24257 Mon Sep 17 00:00:00 2001 From: Pierangelo Masarati Date: Sat, 20 Sep 2008 11:43:40 +0000 Subject: [PATCH] clarify remote database; clarify ACLs --- doc/man/man5/slapo-translucent.5 | 28 ++++++++++++++++++++++++---- 1 file changed, 24 insertions(+), 4 deletions(-) diff --git a/doc/man/man5/slapo-translucent.5 b/doc/man/man5/slapo-translucent.5 index 5f308b6bf7..99d36b1c07 100644 --- a/doc/man/man5/slapo-translucent.5 +++ b/doc/man/man5/slapo-translucent.5 @@ -31,15 +31,19 @@ operation will perform a comparison with attributes defined in the local database record (if any) before any comparison is made with data in the remote database. .SH CONFIGURATION -The Translucent Proxy overlay uses a remote LDAP server which is configured -with the options shown in -.BR slapd-ldap (5). +The Translucent Proxy overlay uses a proxied database, +typically a (set of) remote LDAP server(s), which is configured with the options shown in +.BR slapd-ldap (5), +.BR slapd-meta (5) +or similar. These .B slapd.conf options are specific to the Translucent Proxy overlay; they must appear after the .B overlay -directive. +directive that instantiates the +.B translucent +overlay. .TP .B translucent_strict By default, attempts to delete attributes in either the local or remote 
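Review bot: the new wording "a proxied database, typically a (set of) remote LDAP server(s)" introduces a third term for the same thing, while the unchanged context in this hunk ("data in the remote database") and the rest of the page still say "remote database"; pick one term and use it consistently, e.g. "uses a proxied database, typically one or more remote LDAP servers, configured with the options shown in .BR slapd-ldap (5) or .BR slapd-meta (5)." The trailing "or similar" is too vague for a man page: either name the other backends that can be proxied or drop it. The second change (the overlay options "must appear after the .B overlay directive that instantiates the .B translucent overlay") is a genuine clarification and reads well as written.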
@@ -88,6 +92,22 @@ before being returned to the client. Enable looking for locally stored credentials for simple bind when binding to the remote database fails. +.SH ACCESS CONTROL +Access control is delegated to either the remote DSA(s) or to the local database +backend for +.B auth +and +.B write +operations. +It is delegated to the remote DSA(s) and to the frontend for +.B read +operations. +Local access rules involving data returned by the remote DSA(s) should be designed +with care. In fact, entries are returned by the remote DSA(s) only based on the +remote fraction of the data, based on the identity the operation is performed as. +As a consequence, local rules might only be allowed to see a portion +of the remote data. + .SH CAVEATS .LP The Translucent Proxy overlay will disable schema checking in the local database, -- 2.39.5
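Review bot: the first sentence of the new ACCESS CONTROL section ("delegated to either the remote DSA(s) or to the local database backend for auth and write operations") does not say which of the two applies when, which is the one thing an administrator writing ACLs needs; state the condition (whether the entry or attribute being bound against or written is held locally or remotely, and, for auth, that the local fallback is only consulted when the remote bind fails, as the bind-fallback option documented just above this section describes). The sentence "entries are returned by the remote DSA(s) only based on the remote fraction of the data, based on the identity the operation is performed as" repeats "based on"; suggested rewording: "the remote DSA(s) apply their own access rules to the remote portion of the data, using the identity the operation is performed as, before anything reaches the local rules." Likewise "local rules might only be allowed to see a portion of the remote data" should make the consequence explicit: local access rules can further restrict, but never widen, what the remote DSA(s) already chose to return, so a local rule that appears to grant access to a remote attribute has no effect if the remote DSA withheld it for that identity. Finally, "and to the frontend for read operations" would benefit from one sentence on what that means for attributes merged from both sides, since that is where local and remote rules interact.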