.BI \-S \ scheme\fR]
.SH DESCRIPTION
.I ldapurl
-is a command that allows to either compose or decompose LDAP URIs.
+is a command that allows one to either compose or decompose LDAP URIs.
.LP
When invoked with the \fB\-H\fP option,
.B ldapurl
.BR ber_printf ()
provides. In
general, these routines return the length of the element encoded, or
--1 if an error occurred.
+\-1 if an error occurred.
.LP
The
.BR ber_alloc_t ()
.nf
TLS_CERT my hardware device:Certificate for Sam Carter
.fi
-Use certutil -L to list the certificates by name:
+Use certutil \-L to list the certificates by name:
.nf
- certutil -d /path/to/certdbdir -L
+ certutil \-d /path/to/certdbdir \-L
.fi
.TP
.B TLS_KEY <filename>
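Review bot: the `\-` escapes in the `.nf` example are the right fix, and it is worth recording why in the commit message: groff still interprets escapes in no-fill mode, and on the utf8 device a bare `-` is rendered as a typographic hyphen (U+2010) while `\-` comes out as ASCII hyphen-minus, so `certutil \-d /path/to/certdbdir \-L` can be pasted into a shell unchanged. The same certutil paragraph is duplicated verbatim in the slapd-config(5) and slapd.conf(5) hunks below; the patch treats all three copies identically, which is correct, but a cross-reference to ldap.conf(5) from the other two would avoid having to keep three copies in step.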
the location of the cert/key database, use modutil to change the password
to the empty string:
.nf
- modutil -dbdir ~/.moznss -changepw 'NSS Certificate DB'
+ modutil \-dbdir ~/.moznss \-changepw 'NSS Certificate DB'
.fi
You must have the old password, if any. Ignore the WARNING about the running
browser. Press 'Enter' for the new password.
.TP
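Review bot: only the hyphen escaping changes here, but since the hunk touches the paragraph that tells the reader to set the NSS database password to the empty string, it would help to add one sentence stating the consequence: the private key is then protected only by the filesystem permissions of the cert/key directory (`~/.moznss` here, `/etc/openldap/certdb` in the slapd-config(5) and slapd.conf(5) copies of this text), so that directory must be readable only by the user running the client or slapd.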
.B onerr {CONTINUE|report|stop}
-This directive allows to select the behavior in case an error is returned
+This directive allows one to select the behavior in case an error is returned
by one target during a search.
The default, \fBcontinue\fP, consists in continuing the operation,
trying to return as much data as possible.
.TP
.B client\-pr {accept-unsolicited|DISABLE|<size>}
-This feature allows to use RFC 2696 Paged Results control when performing
+This feature allows one to use RFC 2696 Paged Results control when performing
search operations with a specific target,
irrespective of the client's request. See
.B slapd\-meta(5)
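Review bot: `This feature allows one to use RFC 2696 Paged Results control when performing` still reads awkwardly; 'the RFC 2696 Paged Results control' is the natural form. A style point on the trailing context: the cross-reference is written `.B slapd\-meta(5)`, whereas the slapo-rwm(5) hunk later in this patch uses the usual man form `.BR slapd\-meta (5),`; since this is a documentation cleanup anyway, the `.BR name (section)` form would be consistent here and for the two further `.B slapd\-meta(5)` references below.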
.B [tls_cipher_suite=<ciphers>]
.B [tls_protocol_min=<major>[.<minor>]]
.B [tls_crlcheck=none|peer|all]
-Allows to define the parameters of the authentication method that is
+Allows one to define the parameters of the authentication method that is
internally used by the proxy to authorize connections that are
authenticated by other databases. See
.B slapd\-meta(5)
.TP
.B subtree\-{exclude|include} "<rule>"
-This directive allows to indicate what subtrees are actually served
+This directive allows one to indicate what subtrees are actually served
by a target. See
.B slapd\-meta(5)
for details.
.TP
.B timeout [<op>=]<val> [...]
-This directive allows to set per-operation timeouts.
+This directive allows one to set per-operation timeouts.
Operations can be
\fB<op> ::= bind, add, delete, modrdn, modify, compare, search\fP
to any overlays configured on the database. The olcDatabase and
olcOverlay entries may also have miscellaneous child entries for
other settings as needed. There are two special database entries
-that are predefined - one is an entry for the config database itself,
+that are predefined \- one is an entry for the config database itself,
and the other is for the "frontend" database. Settings in the
frontend database are inherited by the other databases, unless
they are explicitly overridden in a specific database.
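Review bot: `\-` is groff's minus-sign glyph, meant for option dashes and negative numbers, but the dash in `that are predefined \- one is an entry for the config database itself,` is punctuation; the man page conventions use `\(en` (en dash) or `\(em` (em dash) for that, or a plain `-` if a short dash is intended. Terminal output looks the same either way, but PostScript and PDF output would show a minus sign between the words.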
will stop listening for new connections, but will not close the
connections to the current clients. Future write operations return
unwilling-to-perform, though. Slapd terminates when all clients
-have closed their connections (if they ever do), or - as before -
+have closed their connections (if they ever do), or \- as before \-
if it receives a SIGTERM signal. This can be useful if you wish to
terminate the server and start a new
.B slapd
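Review bot: same punctuation-dash issue as in the slapd-config(5) hunk above: `have closed their connections (if they ever do), or \- as before \-` uses the minus-sign escape for a parenthetical dash pair, where `\(en` or `\(em` expresses the intent; `\-` should be kept for option letters and negative numbers, as the `\-1` fix in the lber-encode(3) hunk does.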
.nf
olcTLSCertificateFile: my hardware device:Server-Cert
.fi
-Use certutil -L to list the certificates by name:
+Use certutil \-L to list the certificates by name:
.nf
- certutil -d /path/to/certdbdir -L
+ certutil \-d /path/to/certdbdir \-L
.fi
.TP
.B olcTLSCertificateKeyFile: <filename>
specifes /etc/openldap/certdb as the location of the cert/key database, use
modutil to change the password to the empty string:
.nf
- modutil -dbdir /etc/openldap/certdb -changepw 'NSS Certificate DB'
+ modutil \-dbdir /etc/openldap/certdb \-changepw 'NSS Certificate DB'
.fi
You must have the old password, if any. Ignore the WARNING about the running
browser. Press 'Enter' for the new password.
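Review bot: the leading context line `specifes /etc/openldap/certdb as the location of the cert/key database, use` carries a typo ('specifes' for 'specifies') that this hunk could fix while it is already touching the paragraph; the same typo appears in the slapd.conf(5) copy of this text further down in the patch.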
(see above).
The
.B extended
-keyword allows to indicate the OID of the specific operation
+keyword allows one to indicate the OID of the specific operation
to be restricted.
.TP
.B olcSchemaDN: <dn>
indicates that no limit is applied to the pagedResults control page size.
The syntax
.B size.prtotal={<integer>|unlimited|disabled}
-allows to set a limit on the total number of entries that a pagedResults
-control allows to return.
+allows one to set a limit on the total number of entries that the pagedResults
+control will return.
By default it is set to the
.B hard
limit.
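Review bot: the rewritten sentence shifts the meaning slightly: `control will return` describes how many entries are returned, whereas size.prtotal is a ceiling, and the `-` line said so ('allows to return'). 'that the pagedResults control may return' (or 'is allowed to return') keeps the sense of a limit while still fixing the grammar. The same wording is used in the slapd.conf(5) copy of this hunk below.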
.B [tls_protocol_min=<major>[.<minor>]]
.B [tls_crlcheck=none|peer|all]
.RS
-Allows to define the parameters of the authentication method that is
+Allows one to define the parameters of the authentication method that is
internally used by the proxy to collect info related to access control,
and whenever an operation occurs with the identity of the rootdn
of the LDAP proxy database.
.B [tls_protocol_min=<version>]
.B [tls_crlcheck=none|peer|all]
.RS
-Allows to define the parameters of the authentication method that is
+Allows one to define the parameters of the authentication method that is
internally used by the proxy to authorize connections that are
authenticated by other databases.
Direct binds are always proxied without any idassert handling.
.TP
.B onerr {CONTINUE|stop}
-This directive allows to select the behavior in case an error is returned
+This directive allows one to select the behavior in case an error is returned
by the remote server during a search.
The default, \fBcontinue\fP, consists in returning success.
If the value is set to \fBstop\fP, the error is returned to the client.
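Review bot: the `+` line fixes 'allows to', but the next sentence, `The default, \fBcontinue\fP, consists in returning success.`, keeps the same non-native phrasing and, more importantly, understates what the setting does: with continue a search error from the remote server is replaced by a success result, so the client cannot distinguish a failed remote search from an empty one. Suggest 'The default, continue, ignores the error and returns success to the client; stop returns the remote error instead.' so that operators understand what they give up by leaving the default. The two slapd-meta(5) onerr entries in this patch use the same 'consists in' construction and would benefit from the same rewording.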
.TP
.B timeout [<op>=]<val> [...]
-This directive allows to set per-operation timeouts.
+This directive allows one to set per-operation timeouts.
Operations can be
\fB<op> ::= bind, add, delete, modrdn, modify, compare, search\fP
.TP
.B onerr {CONTINUE|report|stop}
-This directive allows to select the behavior in case an error is returned
+This directive allows one to select the behavior in case an error is returned
by one target during a search.
The default, \fBcontinue\fP, consists in continuing the operation,
trying to return as much data as possible.
.TP
.B client\-pr {accept-unsolicited|DISABLE|<size>}
-This feature allows to use RFC 2696 Paged Results control when performing
+This feature allows one to use RFC 2696 Paged Results control when performing
search operations with a specific target,
irrespective of the client's request.
When set to a numeric value, Paged Results control is always
.B [tls_protocol_min=<major>[.<minor>]]
.B [tls_crlcheck=none|peer|all]
.RS
-Allows to define the parameters of the authentication method that is
+Allows one to define the parameters of the authentication method that is
internally used by the proxy to authorize connections that are
authenticated by other databases.
The identity defined by this directive, according to the properties
.TP
.B subtree\-{exclude|include} "<rule>"
-This directive allows to indicate what subtrees are actually served
+This directive allows one to indicate what subtrees are actually served
by a target.
The syntax of the supported rules is
.TP
.B timeout [<op>=]<val> [...]
-This directive allows to set per-operation timeouts.
+This directive allows one to set per-operation timeouts.
Operations can be
\fB<op> ::= bind, add, delete, modrdn, modify, compare, search\fP
Rules are made of a regex match pattern, a substitution pattern
and a set of actions, described by a set of flags.
In case of match a string rewriting is performed according to the
-substitution pattern that allows to refer to substrings matched in the
+substitution pattern that allows one to refer to substrings matched in the
incoming string.
The actions, if any, are finally performed.
The substitution pattern allows map resolution of substrings.
.SH "Additional configuration syntax:"
.TP
.B rewriteMap "<map type>" "<map name>" "[ <map attrs> ]"
-Allows to define a map that transforms substring rewriting into
+Allows one to define a map that transforms substring rewriting into
something else.
The map is referenced inside the substitution pattern of a rule.
.TP
appropriate one is looked-up after rewriting the request DN
for the operation that is being handled.
.LP
-This allows to write carefully crafted rewrite rules that
+This allows one to write carefully crafted rewrite rules that
cause some of the requests to be directed to one database, and
some to another; e.g., authentication can be mapped to one
database, and searches to another, or different target databases
.br
.B fetch_all_attrs { NO | yes }
.RS
-The first statement allows to provide a list of attributes that
+The first statement allows one to provide a list of attributes that
must always be fetched in addition to those requested by any specific
operation, because they are required for the proper usage of the
backend. For instance, all attributes used in ACLs should be listed
description.)
The slapd parser also honors the
.B X\-SUBST
-extension (an OpenLDAP-specific extension), which allows to use the
+extension (an OpenLDAP-specific extension), which allows one to use the
.B ldapsyntax
statement to define a non-implemented syntax along with another syntax,
the extension value
The
.I substitute-syntax
must be defined.
-This allows to define attribute types that make use of non-implemented syntaxes
+This allows one to define attribute types that make use of non-implemented syntaxes
using the correct syntax OID.
Unless
.B X\-SUBST
.nf
TLSCertificateFile my hardware device:Server-Cert
.fi
-Use certutil -L to list the certificates by name:
+Use certutil \-L to list the certificates by name:
.nf
- certutil -d /path/to/certdbdir -L
+ certutil \-d /path/to/certdbdir \-L
.fi
.TP
.B TLSCertificateKeyFile <filename>
specifes /etc/openldap/certdb as the location of the cert/key database, use
modutil to change the password to the empty string:
.nf
- modutil -dbdir /etc/openldap/certdb -changepw 'NSS Certificate DB'
+ modutil \-dbdir /etc/openldap/certdb \-changepw 'NSS Certificate DB'
.fi
You must have the old password, if any. Ignore the WARNING about the running
browser. Press 'Enter' for the new password.
indicates that no limit is applied to the pagedResults control page size.
The syntax
.B size.prtotal={<integer>|unlimited|disabled}
-allows to set a limit on the total number of entries that a pagedResults
-control allows to return.
+allows one to set a limit on the total number of entries that the pagedResults
+control will return.
By default it is set to the
.B hard
limit.
(see above).
The
.B extended
-keyword allows to indicate the OID of the specific operation
+keyword allows one to indicate the OID of the specific operation
to be restricted.
.TP
.B rootdn <dn>
The parameter following the
.B set
type is a string that is interpreted according to the syntax in use
-for ACL sets. This allows to construct constraints based on the contents
+for ACL sets. This allows one to construct constraints based on the contents
of the entry.
The
.RE
.RS
-This extra parameter allows to restrict the application of the corresponding
+This extra parameter allows one to restrict the application of the corresponding
constraint only to entries that match the
.IR base ,
.I scope
.B dds
stands for
Dynamic Directory Services.
-It allows to define dynamic objects, characterized by the
+It allows one to define dynamic objects, characterized by the
.B dynamicObject
objectClass.
(TTL) that can be refreshed by means of a specific
.B refresh
extended operation.
-This operation allows to set the Client Refresh Period (CRP),
+This operation allows one to set the Client Refresh Period (CRP),
namely the period between refreshes that is required to preserve the
dynamic object from expiration.
The expiration time is computed by adding the requested TTL to the
.B dds\-max\-dynamicObjects <num>
Specifies the maximum number of dynamic objects that can simultaneously exist
within a naming context.
-This allows to limit the amount of resources (mostly in terms of
+This allows one to limit the amount of resources (mostly in terms of
run-queue size) that are used by dynamic objects.
By default, no limit is set.
database.
Currently, there is no means to remove the
.B dynamicObject
-class from the entry; this may be seen as a feature, since it allows to see
+class from the entry; this may be seen as a feature, since it allows one to see
the dynamic properties of the object.
.SH FILES
.hy 0
.B retcode\-item <RDN> <errCode> [op=<oplist>] [text=<message>]
.B [ref=<referral>] [sleeptime=<sec>] [matched=<DN>]
-.B [unsolicited=<OID>[:<data>]] [flags=[{pre|post}\-]disconnect[,...]]
+.B [unsolicited=<OID>[:<data>]] [flags=[\{pre|post\}\-]disconnect[,...]]
.RS
A dynamically generated entry, located below \fBretcode\-parent\fP.
The \fBerrCode\fP is the number of the response code;
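Review bot: the `+` line `.B [unsolicited=<OID>[:<data>]] [flags=[\{pre|post\}\-]disconnect[,...]]` introduces a rendering bug: `\{` and `\}` are groff's conditional-block delimiters and produce no output in ordinary text, so the synopsis would render as `[flags=[pre|post-]disconnect[,...]]` with the braces gone. Literal braces need no escaping in man page text, so the `-` line was already correct; drop the brace escapes and keep only the existing `\-` before `disconnect`.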
.BR slapd\-meta (5),
or with the relay backend,
.BR slapd\-relay (5),
-allows to create virtual views of databases.
+allows one to create virtual views of databases.
A distinguishing feature of this overlay is that, when instantiated
before any database, it can modify the DN of requests
.I before
and a set of actions, described by a set of
.IR "optional flags" .
In case of match, string rewriting is performed according to the
-substitution pattern that allows to refer to substrings matched in the
+substitution pattern that allows one to refer to substrings matched in the
incoming string.
The actions, if any, are finally performed.
Each rule is executed recursively, unless altered by specific action
.SH "Additional Configuration Syntax"
.TP
.B rwm\-rewriteMap "<map type>" "<map name>" "[ <map attrs> ]"
-Allows to define a map that transforms substring rewriting into
+Allows one to define a map that transforms substring rewriting into
something else.
The map is referenced inside the substitution pattern of a rule.
.TP
encoding of the value:
.LP
.nf
- ldapsearch -E 1.3.6.1.4.1.4203.666.5.14=::MAMBAf8=
+ ldapsearch \-E 1.3.6.1.4.1.4203.666.5.14=::MAMBAf8=
.fi
.SH FILES
For example, \fB"slp=(tree=production),(server-type=OpenLDAP),(server\-version=2.4.15)"\fP
registers at SLP DAs with the three SLP attributes tree, server-type and server-version
that have the values given above.
-This allows to specifically query the SLP DAs for LDAP servers holding the
+This allows one to specifically query the SLP DAs for LDAP servers holding the
.I production
tree in case multiple trees are available.
.RE
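Review bot: the context line `For example, \fB"slp=(tree=production),(server-type=OpenLDAP),(server\-version=2.4.15)"\fP` is inconsistent with itself: `server-type` is left unescaped while `server\-version` uses `\-`, and the following line spells both plain. These are attribute names a reader may type into a configuration, so they should be escaped the same way (`\-` in both, as the patch does for the other pasteable examples); worth fixing while this paragraph is being touched.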