From f0ea4161ba33a0df4665a0296b46194390a07143 Mon Sep 17 00:00:00 2001 From: Pierangelo Masarati Date: Mon, 1 Dec 2003 08:29:06 +0000 Subject: [PATCH] add administrative bind and proxyAuthz control to enable bound operations in distributed directories (need to manually #define LDAP_BACK_PROXY_AUTHZ and patches from ITS#2851 and ITS#2852) --- doc/man/man5/slapd-ldap.5 | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/doc/man/man5/slapd-ldap.5 b/doc/man/man5/slapd-ldap.5 index b3949472eb..be5ddf1c05 100644 --- a/doc/man/man5/slapd-ldap.5 +++ b/doc/man/man5/slapd-ldap.5 @@ -33,9 +33,13 @@ Other database options are described in the manual page. .LP Note: It is strongly recommended to set +.LP .RS +.nf lastmod off +.fi .RE +.LP for every .B ldap and @@ -64,6 +68,32 @@ should have read access on the target server to attributes used on the proxy for acl checking. There is no risk of giving away such values; they are only used to check permissions. +.RS +Note: the +.B binddn +/ +.B bindpw +values are also used to propagate user authorization by means of the +.B proxyAuthz +mechanism when operations performed by users bound to another backend +are propagated to back-ldap. +This requires the entry with +.B binddn +DN on the remote server to have +.B proxyAuthz +privileges on a wide set of DNs, e.g. +.BR saslAuthzTo=regex:.* , +and the remote server to have +.B sasl-authz-policy +set to +.B to +or +.BR both . +See +.BR slapd.conf (5) +for details on these statements and for remarks and drawbacks about +their usage. +.RE .TP .B bindpw Password used with the bind DN above. -- 2.39.5
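Review bot: the new note in the second hunk (after "they are only used to check permissions.") describes the proxyAuthz propagation as unconditional behaviour of back-ldap, but the commit message says it only exists when LDAP_BACK_PROXY_AUTHZ is manually #defined and the ITS#2851/ITS#2852 patches are applied; a reader of slapd-ldap.5 has no way to know that and will set up saslAuthzTo on the remote server for a feature their build may not have. Add a sentence to the note stating that the mechanism is compile-time conditional, e.g. "This feature is only available when back-ldap is built with LDAP_BACK_PROXY_AUTHZ defined." The note also needs a security caveat that it currently lacks: granting the binddn entry "saslAuthzTo=regex:.*" lets whoever holds that identity's password act as any user in the remote directory, so the bindpw in slapd.conf (cleartext, see the "bindpw" entry right below) becomes equivalent to full remote administrative access, and the unchanged sentence immediately above ("There is no risk of giving away such values") now reads as if the binddn were still low-privilege. Suggest qualifying that sentence, or adding to the note that the regex:.* example is the widest possible grant and that administrators should restrict saslAuthzTo to the DN patterns (or subtree) the proxy actually serves, and protect the slapd.conf holding bindpw accordingly.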