From 2cf20312e2163fbd4f5c306c00e7dfad2cad5568 Mon Sep 17 00:00:00 2001 From: Pierangelo Masarati Date: Sat, 13 Nov 2004 17:59:21 +0000 Subject: [PATCH] cleanup --- doc/man/man5/slapd-ldap.5 | 168 +++++++++++++++++++++----------------- doc/man/man5/slapo-rwm.5 | 48 +++++++++-- 2 files changed, 136 insertions(+), 80 deletions(-) diff --git a/doc/man/man5/slapd-ldap.5 b/doc/man/man5/slapd-ldap.5 index 751f5ece39..7380682d3d 100644 --- a/doc/man/man5/slapd-ldap.5 +++ b/doc/man/man5/slapd-ldap.5 @@ -73,9 +73,9 @@ call the first server of the list that responds, e.g. \fBuri "ldap://host/ ldap://backup-host"\fP The URI list is space- or comma-separated. -.TP -.B server -Obsolete option; same as `uri ldap:///'. +.\".TP +.\".B server +.\"Obsolete option; same as `uri ldap:///'. .TP .B acl-authcDN "" DN which is used to query the target server for acl checking; it @@ -85,6 +85,9 @@ There is no risk of giving away such values; they are only used to check permissions. .B The acl-authcDN identity is by no means implicitly used by the proxy .B when the client connects anonymously. +See the +.B idassert-* +feature instead. .TP .B acl-passwd Password used with the bind DN above. @@ -115,19 +118,17 @@ their usage. .B idassert-passwd Password used with the proxy authzDN above. .TP -.B idassert-mode +.B idassert-mode [] defines what type of .I identity assertion is used. The supported modes are: -.RS -.RS -.TP -.B ={legacy|anonymous|none||self} -.RE -.RS -.B ={u:|[dn:]} -.RE + +\fB := {legacy|anonymous|none||self}\fP + +\fB := {override}\fP + +\fB := {u:|[dn:]}\fP The default is .BR legacy , 
@@ -175,14 +176,21 @@ permissions, or the asserted identities must have appropriate .I authzFrom permissions. Note, however, that the ID assertion feature is mostly useful when the asserted identities do not exist on the remote server. +When the +.B override +flag is used, identity assertion takes place even when the database +is authorizing for the identity of the client, i.e. after binding +with the provided identity, and thus authenticating it, the proxy +performs the identity assertion using the configured identity and +authentication method. .RE .TP -.B idassert-authzFrom +.B idassert-authzFrom if defined, selects what .I local identities are authorized to exploit the identity assertion feature. The string -.B authz +.B follows the rules defined for the .I authzFrom attribute. @@ -190,22 +198,18 @@ See .BR slapd.conf (5), section related to .BR authz-policy , -for details on the supported syntaxes. +for details on the syntax of this field. .TP .B idassert-method [] where valid method values are -.RS -.TP -.B ={none|simple|sasl} -.RE -.RS -.B =[mech=] [realm=] [authcid=] [cred=] -.RE -.RS +\fB := {none|simple|sasl}\fP + +\fB := [mech=] [realm=] [authcid=] [cred=] [authz={native|proxyauthz}]\fP + If method is .IR sasl , -extra parameters can be given a described above. +extra parameters can be given as described above. The default is .BR simple ; .B none 
@@ -229,58 +233,71 @@ in conjunction with Proxy Authorization. If this option is given, the client's bind credentials are remembered for rebinds when chasing referrals. .TP -.B suffixmassage -DNs ending with in a request are changed to end with before sending the request to the remote server, and in the results are changed back to before returning -them to the client. -The field must be defined as a valid suffix -for the current database. -.TP -.B map "{attribute | objectclass} [ | *] { | *}" -Map attribute names and object classes from the foreign server to -different values on the local slapd. -The reason is that some attributes might not be part of the local -slapd's schema, some attribute names might be different but serve the -same purpose, etc. -If local or foreign name is `*', the name is preserved. -If local name is omitted, the foreign name is removed. -Unmapped names are preseved if both local and foreign name are `*', -and removed if local name is omitted and foreign name is `*'. +.\".B suffixmassage +.\"DNs ending with in a request are changed to end with before sending the request to the remote server, and in the results are changed back to before returning +.\"them to the client. +.\"The field must be defined as a valid suffix +.\"for the current database. +.\".TP +.\".B map "{attribute | objectclass} [ | *] { | *}" +.\"Map attribute names and object classes from the foreign server to +.\"different values on the local slapd. +.\"The reason is that some attributes might not be part of the local +.\"slapd's schema, some attribute names might be different but serve the +.\"same purpose, etc. +.\"If local or foreign name is `*', the name is preserved. +.\"If local name is omitted, the foreign name is removed. +.\"Unmapped names are preseved if both local and foreign name are `*', +.\"and removed if local name is omitted and foreign name is `*'. 
+.\".TP +.\".B rewrite* +.\"The rewrite options are described in the "REWRITING" section of the +.\".BR slapd-meta (5) +.\"manual page. .TP -.B rewrite* -The rewrite options are described in the "REWRITING" section of the -.BR slapd-meta (5) -manual page. -.SH EXAMPLES -The following directives map the object class `groupOfNames' to -the object class `groupOfUniqueNames' and the attribute type -`member' to the attribute type `uniqueMember': -.LP -.RS -.nf -map objectclass groupOfNames groupOfUniqueNames -map attribute uniqueMember member -.fi -.RE -.LP -This presents a limited attribute set from the foreign -server: -.LP -.RS -.nf -map attribute cn * -map attribute sn * -map attribute manager * -map attribute description * -map attribute * -.fi -.RE -.LP -These lines map cn, sn, manager, and description to themselves, and -any other attribute gets "removed" from the object before it is sent -to the client (or sent up to the LDAP server). This is obviously a -simplistic example, but you get the point. +.B suffixmassage, map, rewrite* +These directives are no longer supported by back-ldap; their +functionality is now delegated to the +.B rwm +overlay; see +.BR slapo-rwm (5) +for details. +However, to ease update from existing configurations, back-ldap still +recognizes them and automatically instantiates the +.B rwm +overlay if available and not instantiated yet. +This behavior may change in the future. 
+.\".SH EXAMPLES +.\"The following directives map the object class `groupOfNames' to +.\"the object class `groupOfUniqueNames' and the attribute type +.\"`member' to the attribute type `uniqueMember': +.\".LP +.\".RS +.\".nf +.\"map objectclass groupOfNames groupOfUniqueNames +.\"map attribute uniqueMember member +.\".fi +.\".RE +.\".LP +.\"This presents a limited attribute set from the foreign +.\"server: +.\".LP +.\".RS +.\".nf +.\"map attribute cn * +.\"map attribute sn * +.\"map attribute manager * +.\"map attribute description * +.\"map attribute * +.\".fi +.\".RE +.\".LP +.\"These lines map cn, sn, manager, and description to themselves, and +.\"any other attribute gets "removed" from the object before it is sent +.\"to the client (or sent up to the LDAP server). This is obviously a +.\"simplistic example, but you get the point. .SH PROXY CACHE OVERLAY The proxy cache overlay allows caching of LDAP search requests (queries) in a local database. @@ -295,6 +312,7 @@ default slapd configuration file .BR slapd.conf (5), .BR slapd\-meta (5), .BR slapo\-pcache (5), +.BR slapo\-rwm (5), .BR slapd (8), .BR ldap (3). .SH AUTHOR diff --git a/doc/man/man5/slapo-rwm.5 b/doc/man/man5/slapo-rwm.5 index 4fc074f311..20815ddcfb 100644 --- a/doc/man/man5/slapo-rwm.5 +++ b/doc/man/man5/slapo-rwm.5 
@@ -69,15 +69,24 @@ and a real naming context by means of the .B rwm-suffixmassage directive. .TP -.B rwm-suffixmassage "" "" +.B rwm-suffixmassage "[]" "" Shortcut to implement naming context rewriting; the trailing part of the DN is rewritten from the virtual to the real naming context in the bindDN, searchDN, searchFilterAttrDN, compareDN, compareAttrDN, addDN, addAttrDN, modifyDN, modifyAttrDN, modrDN, newSuperiorDN, deleteDN, exopPasswdDN, and from the real to the virtual naming context in the searchEntryDN, searchAttrDN and matchedDN rewrite contexts. -By default no rewriting occurs for the searchFilter rewrite context. -This directive implies setting the +By default no rewriting occurs for the searchFilter +and for the referralAttrDN and referralDN rewrite contexts. +If no \fI\fP is given, the first suffix of the +database is used; this requires the +.B rwm-suffixmassage +directive be defined \fIafter\fP the database +.B suffix +directive. +The +.B rwm-suffixmassage +directive automatically sets the .B rwm-rewriteEngine to .BR ON . @@ -195,7 +204,7 @@ and/or .SH "Substitution Pattern Syntax" Everything starting with `$' requires substitution; .LP -the only obvious exception is `$$', which is left as is; +the only obvious exception is `$$', which is turned into a single `$'; .LP the basic substitution is `$', where `' is a digit; 0 means the whole string, while 1-9 is a submatch, as discussed in @@ -374,7 +383,7 @@ The count applies to the rewriting operation as a whole, not to any single rule; an optional per-rule limit can be set. This limit is overridden by setting specific per-rule limits with the `M{n}' flag. -.SH "Configuration Examples" +.SH "REWRITE CONFIGURATION EXAMPLES" .nf # set to `off' to disable rewriting rwm-rewriteEngine on 
@@ -501,6 +510,35 @@ rwm-rewriteContext searchEntryDN rwm-rewriteRule ".+,ou=People,dc=example,dc=com$" "$0" ":@" rwm-rewriteRule ".*" "" "#" .fi +.SH "MAPPING EXAMPLES" +The following directives map the object class `groupOfNames' to +the object class `groupOfUniqueNames' and the attribute type +`member' to the attribute type `uniqueMember': +.LP +.RS +.nf +map objectclass groupOfNames groupOfUniqueNames +map attribute uniqueMember member +.fi +.RE +.LP +This presents a limited attribute set from the foreign +server: +.LP +.RS +.nf +map attribute cn * +map attribute sn * +map attribute manager * +map attribute description * +map attribute * +.fi +.RE +.LP +These lines map cn, sn, manager, and description to themselves, and +any other attribute gets "removed" from the object before it is sent +to the client (or sent up to the LDAP server). This is obviously a +simplistic example, but you get the point. .SH FILES .TP ETCDIR/slapd.conf -- 2.39.5
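Review bot: the `server` entry at `@@ -73,9 +73,9 @@` in slapd-ldap.5 is commented out with `.\"` rather than deleted, so the page source keeps carrying text it no longer renders; the commit history already records the removal, so delete the three lines, or, if `server` is still accepted for backward compatibility, keep the entry visible with a one-line pointer to `uri`, the way the new `suffixmassage, map, rewrite*` entry later in the same file does for its deprecated directives.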
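Review bot: the new `override` paragraph at `@@ -175,14 +176,21 @@` describes the mechanism but not its consequence. Once `override` is set, the identity the client has just authenticated with is replaced, for every subsequent operation, by the configured assertion identity, so the remote server evaluates access control against the asserted identity rather than the client's own; say so explicitly and point at `idassert-authzFrom` as the knob that limits which local identities may trigger this. Also split the sentence "identity assertion takes place even when the database is authorizing for the identity of the client, i.e. after binding ... authentication method" in two; the "i.e." clause runs on for four lines.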
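Review bot: the `[authz={native|proxyauthz}]` parameter added to the sasl flags line at `@@ -190,22 +198,18 @@` is introduced without any explanation; the following paragraph still only says "extra parameters can be given as described above", and nothing above describes `authz`. Add a sentence stating what each of the two values selects and which applies when the parameter is omitted, otherwise the reader is given syntax with no semantics. The `a described` to `as described` fix in the same hunk is good.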
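Review bot: the replacement text at `@@ -229,58 +233,71 @@` says back-ldap "automatically instantiates the rwm overlay if available and not instantiated yet", but leaves two things an upgrading administrator needs unsaid: what happens when the overlay is not available (is the `suffixmassage`/`map`/`rewrite*` directive rejected at startup, or ignored?), and where the auto-instantiated overlay is placed relative to overlays the configuration declares explicitly, since overlay order affects which rewriting a request sees. State both. Separately, some fifty lines of the old `suffixmassage`, `map`, `rewrite*` and EXAMPLES text are retained as `.\"` comments even though the same text is re-added verbatim under "MAPPING EXAMPLES" in slapo-rwm.5 in the last hunk; the commented copy only duplicates it and is already unmaintained (the `preseved` typo survives in it), so remove it here.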
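Review bot: the sentence added at `@@ -69,15 +69,24 @@` in slapo-rwm.5, "this requires the rwm-suffixmassage directive be defined after the database suffix directive", should also say what happens when the ordering is wrong: whether slapd rejects the configuration, or whether the directive is accepted with no suffix to default to and rewriting is set up silently with an empty virtual naming context. A misordering that only shows up at runtime deserves an explicit warning in the text rather than a parenthetical requirement.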
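Review bot: the examples moved into the new "MAPPING EXAMPLES" section at `@@ -501,6 +510,35 @@` still use the bare back-ldap spelling `map objectclass ...` and `map attribute ...`, while every directive this manual page documents carries the overlay prefix (`rwm-suffixmassage`, `rwm-rewriteEngine`, `rwm-rewriteContext`, `rwm-rewriteRule` are all visible in the surrounding hunks); unless the overlay really accepts unprefixed `map`, these lines should read `rwm-map objectclass ...` and `rwm-map attribute ...`, and the section should state the directive's argument order. Related: with the documented `map {attribute|objectclass} <local> <foreign>` order, `map objectclass groupOfNames groupOfUniqueNames` declares groupOfNames as the local name, yet the lead-in says it maps "groupOfNames to groupOfUniqueNames", whereas `map attribute uniqueMember member` is described the other way round ("member to uniqueMember"); pick one direction for the prose so both examples read consistently.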