2002-06-13 11:59:10 +08:00
|
|
|
.TH SLAPD-LDAP 5 "RELEASEDATE" "OpenLDAP LDVERSION"
|
2005-01-02 04:49:32 +08:00
|
|
|
.\" Copyright 1998-2005 The OpenLDAP Foundation All Rights Reserved.
|
2002-05-02 03:21:21 +08:00
|
|
|
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
|
|
|
|
.\" $OpenLDAP$
|
|
|
|
.SH NAME
|
|
|
|
slapd-ldap \- LDAP backend to slapd
|
|
|
|
.SH SYNOPSIS
|
|
|
|
ETCDIR/slapd.conf
|
|
|
|
.SH DESCRIPTION
|
|
|
|
The LDAP backend to
|
|
|
|
.BR slapd (8)
|
|
|
|
is not an actual database; instead it acts as a proxy to forward incoming
|
|
|
|
requests to another LDAP server. While processing requests it will also
|
|
|
|
chase referrals, so that referrals are fully processed instead of being
|
|
|
|
returned to the slapd client.
|
2003-02-27 00:35:09 +08:00
|
|
|
|
|
|
|
Sessions that explicitly Bind to the back-ldap database always create their
|
|
|
|
own private connection to the remote LDAP server. Anonymous sessions will
|
|
|
|
share a single anonymous connection to the remote server. For sessions bound
|
|
|
|
through other mechanisms, all sessions with the same DN will share the
|
|
|
|
same connection. This connection pooling strategy can enhance the proxy's
|
|
|
|
efficiency by reducing the overhead of repeatedly making/breaking multiple
|
|
|
|
connections.
|
|
|
|
|
2004-05-15 18:10:09 +08:00
|
|
|
The ldap database can also act as an information service, i.e. the identity
|
|
|
|
of locally authenticated clients is asserted to the remote server, possibly
|
|
|
|
in some modified form.
|
|
|
|
For this purpose, the proxy binds to the remote server with some
|
|
|
|
administrative identity, and, if required, authorizes the asserted identity.
|
|
|
|
See the
|
|
|
|
.IR idassert- *
|
|
|
|
rules below.
|
|
|
|
The administrative identity of the proxy, on the remote server, must be
|
|
|
|
allowed to authorize by means of appropriate
|
|
|
|
.B authzTo
|
|
|
|
rules; see
|
|
|
|
.BR slapd.conf (5)
|
|
|
|
for details.
|
|
|
|
|
2002-05-02 03:21:21 +08:00
|
|
|
.SH CONFIGURATION
|
|
|
|
These
|
|
|
|
.B slapd.conf
|
|
|
|
options apply to the LDAP backend database.
|
|
|
|
That is, they must follow a "database ldap" line and come before any
|
|
|
|
subsequent "backend" or "database" lines.
|
|
|
|
Other database options are described in the
|
|
|
|
.BR slapd.conf (5)
|
|
|
|
manual page.
|
2002-05-03 00:35:16 +08:00
|
|
|
.LP
|
|
|
|
Note: It is strongly recommended to set
|
2003-12-01 16:29:06 +08:00
|
|
|
.LP
|
2002-05-03 00:35:16 +08:00
|
|
|
.RS
|
2003-12-01 16:29:06 +08:00
|
|
|
.nf
|
2002-05-03 00:35:16 +08:00
|
|
|
lastmod off
|
2003-12-01 16:29:06 +08:00
|
|
|
.fi
|
2002-05-03 00:35:16 +08:00
|
|
|
.RE
|
2003-12-01 16:29:06 +08:00
|
|
|
.LP
|
2002-05-03 00:35:16 +08:00
|
|
|
for every
|
|
|
|
.B ldap
|
|
|
|
and
|
|
|
|
.B meta
|
|
|
|
database.
|
|
|
|
This is because operational attributes related to entry creation and
|
|
|
|
modification should not be used, as they could be passed to the target
|
|
|
|
servers, generating an error.
|
2002-05-02 03:21:21 +08:00
|
|
|
.TP
|
|
|
|
.B uri <ldapurl>
|
2003-02-05 03:43:10 +08:00
|
|
|
LDAP server to use. Multiple URIs can be set in in a single
|
|
|
|
.B ldapurl
|
|
|
|
argument, resulting in the underlying library automatically
|
|
|
|
call the first server of the list that responds, e.g.
|
|
|
|
|
|
|
|
\fBuri "ldap://host/ ldap://backup-host"\fP
|
|
|
|
|
|
|
|
The URI list is space- or comma-separated.
|
2004-11-14 01:59:21 +08:00
|
|
|
.\".TP
|
|
|
|
.\".B server <hostport>
|
|
|
|
.\"Obsolete option; same as `uri ldap://<hostport>/'.
|
2002-05-02 03:21:21 +08:00
|
|
|
.TP
|
2004-05-23 01:26:02 +08:00
|
|
|
.B acl-authcDN "<administrative DN for access control purposes>"
|
2002-05-02 03:21:21 +08:00
|
|
|
DN which is used to query the target server for acl checking; it
|
|
|
|
should have read access on the target server to attributes used on the
|
|
|
|
proxy for acl checking.
|
|
|
|
There is no risk of giving away such values; they are only used to
|
|
|
|
check permissions.
|
2004-05-23 01:26:02 +08:00
|
|
|
.B The acl-authcDN identity is by no means implicitly used by the proxy
|
2004-06-22 12:33:18 +08:00
|
|
|
.B when the client connects anonymously.
|
2004-11-14 01:59:21 +08:00
|
|
|
See the
|
|
|
|
.B idassert-*
|
|
|
|
feature instead.
|
2003-12-13 18:57:42 +08:00
|
|
|
.TP
|
2004-05-23 01:26:02 +08:00
|
|
|
.B acl-passwd <password>
|
2003-12-13 18:57:42 +08:00
|
|
|
Password used with the bind DN above.
|
|
|
|
.TP
|
2004-05-15 18:10:09 +08:00
|
|
|
.B idassert-authcdn "<administrative DN for proxyAuthz purposes>"
|
2003-12-13 18:57:42 +08:00
|
|
|
DN which is used to propagate the client's identity to the target
|
|
|
|
by means of the proxyAuthz control when the client does not
|
|
|
|
belong to the DIT fragment that is being proxyied by back-ldap.
|
|
|
|
This is useful when operations performed by users bound to another
|
|
|
|
backend are propagated through back-ldap.
|
2003-12-01 16:29:06 +08:00
|
|
|
This requires the entry with
|
2004-05-23 01:26:02 +08:00
|
|
|
.B idassert-authcdn
|
2003-12-13 18:57:42 +08:00
|
|
|
identity on the remote server to have
|
2003-12-01 16:29:06 +08:00
|
|
|
.B proxyAuthz
|
|
|
|
privileges on a wide set of DNs, e.g.
|
2004-05-15 18:10:09 +08:00
|
|
|
.BR authzTo=dn.subtree:"" ,
|
2003-12-01 16:29:06 +08:00
|
|
|
and the remote server to have
|
2004-04-16 10:29:55 +08:00
|
|
|
.B authz-policy
|
2003-12-01 16:29:06 +08:00
|
|
|
set to
|
|
|
|
.B to
|
|
|
|
or
|
|
|
|
.BR both .
|
|
|
|
See
|
|
|
|
.BR slapd.conf (5)
|
|
|
|
for details on these statements and for remarks and drawbacks about
|
|
|
|
their usage.
|
2002-05-02 03:21:21 +08:00
|
|
|
.TP
|
2004-05-15 18:10:09 +08:00
|
|
|
.B idassert-passwd <password>
|
2004-04-16 10:29:55 +08:00
|
|
|
Password used with the proxy authzDN above.
|
2002-05-02 03:21:21 +08:00
|
|
|
.TP
|
2004-11-14 01:59:21 +08:00
|
|
|
.B idassert-mode <mode> [<flags>]
|
2004-05-14 18:01:22 +08:00
|
|
|
defines what type of
|
|
|
|
.I identity assertion
|
|
|
|
is used.
|
|
|
|
The supported modes are:
|
2004-11-14 01:59:21 +08:00
|
|
|
|
|
|
|
\fB<mode> := {legacy|anonymous|none|<id>|self}\fP
|
|
|
|
|
|
|
|
\fB<flags> := {override}\fP
|
|
|
|
|
|
|
|
\fB<id> := {u:<ID>|[dn:]<DN>}\fP
|
2004-05-14 18:01:22 +08:00
|
|
|
|
2004-05-14 07:35:39 +08:00
|
|
|
The default is
|
2004-05-14 18:01:22 +08:00
|
|
|
.BR legacy ,
|
|
|
|
which implies that the proxy will bind as
|
2004-05-23 01:26:02 +08:00
|
|
|
.I idassert-authcdn
|
2004-05-14 18:01:22 +08:00
|
|
|
and assert the client's identity when it is not anonymous.
|
|
|
|
Direct binds are always proxied.
|
|
|
|
The other modes imply that the proxy will always bind as
|
2004-05-23 01:26:02 +08:00
|
|
|
.IR idassert-authcdn ,
|
2004-05-14 18:01:22 +08:00
|
|
|
unless restricted by
|
2004-06-21 06:39:43 +08:00
|
|
|
.BR idassert-authzFrom
|
2004-05-14 18:01:22 +08:00
|
|
|
rules (see below), in which case the operation will fail;
|
|
|
|
eventually, it will assert some other identity according to
|
|
|
|
.BR <mode> .
|
|
|
|
Other identity assertion modes are
|
2004-05-14 07:35:39 +08:00
|
|
|
.BR anonymous
|
|
|
|
and
|
|
|
|
.BR self ,
|
2004-05-14 18:01:22 +08:00
|
|
|
which respectively mean that the
|
|
|
|
.I empty
|
|
|
|
or the
|
|
|
|
.IR client 's
|
|
|
|
identity
|
|
|
|
will be asserted;
|
|
|
|
.BR none ,
|
|
|
|
which means that no proxyAuthz control will be used, so the
|
2004-05-23 01:26:02 +08:00
|
|
|
.I idassert-authcdn
|
2004-05-14 07:35:39 +08:00
|
|
|
identity will be asserted.
|
2004-05-14 18:01:22 +08:00
|
|
|
Moreover, if a string prefixed with
|
|
|
|
.B u:
|
|
|
|
or
|
|
|
|
.B dn:
|
|
|
|
is used as
|
2004-05-14 07:35:39 +08:00
|
|
|
.BR <mode> ,
|
|
|
|
that identity will be asserted.
|
2004-05-14 18:01:22 +08:00
|
|
|
Ths string is also treated as a DN if it is not prefixed
|
|
|
|
by any recognized type indicator. Whether or not the
|
|
|
|
.B dn:
|
|
|
|
prefix is present, the string must pass DN validation and normalization.
|
|
|
|
For all modes that require the use of the
|
|
|
|
.I proxyAuthz
|
|
|
|
control, on the remote server the proxy identity must have appropriate
|
|
|
|
.I authzTo
|
|
|
|
permissions, or the asserted identities must have appropriate
|
|
|
|
.I authzFrom
|
|
|
|
permissions. Note, however, that the ID assertion feature is mostly
|
|
|
|
useful when the asserted identities do not exist on the remote server.
|
2004-11-14 01:59:21 +08:00
|
|
|
When the
|
|
|
|
.B override
|
|
|
|
flag is used, identity assertion takes place even when the database
|
|
|
|
is authorizing for the identity of the client, i.e. after binding
|
|
|
|
with the provided identity, and thus authenticating it, the proxy
|
|
|
|
performs the identity assertion using the configured identity and
|
|
|
|
authentication method.
|
2004-05-15 18:10:09 +08:00
|
|
|
.RE
|
2004-05-14 07:35:39 +08:00
|
|
|
.TP
|
2004-11-14 01:59:21 +08:00
|
|
|
.B idassert-authzFrom <authz-regexp>
|
2004-05-14 07:35:39 +08:00
|
|
|
if defined, selects what
|
|
|
|
.I local
|
|
|
|
identities are authorized to exploit the identity assertion feature.
|
2004-05-14 18:01:22 +08:00
|
|
|
The string
|
2004-11-14 01:59:21 +08:00
|
|
|
.B <authz-regexp>
|
2004-05-14 18:01:22 +08:00
|
|
|
follows the rules defined for the
|
|
|
|
.I authzFrom
|
|
|
|
attribute.
|
|
|
|
See
|
|
|
|
.BR slapd.conf (5),
|
|
|
|
section related to
|
|
|
|
.BR authz-policy ,
|
2004-11-14 01:59:21 +08:00
|
|
|
for details on the syntax of this field.
|
2004-05-14 07:35:39 +08:00
|
|
|
.TP
|
2004-05-15 18:10:09 +08:00
|
|
|
.B idassert-method <method> [<saslargs>]
|
|
|
|
where valid method values are
|
2004-06-16 04:57:28 +08:00
|
|
|
|
2004-11-14 01:59:21 +08:00
|
|
|
\fB<method> := {none|simple|sasl}\fP
|
|
|
|
|
|
|
|
\fB<saslargs> := [mech=<mech>] [realm=<realm>] [authcid=<authcid>] [cred=<cred>] [authz={native|proxyauthz}]\fP
|
|
|
|
|
2004-05-15 18:10:09 +08:00
|
|
|
If method is
|
|
|
|
.IR sasl ,
|
2004-11-14 01:59:21 +08:00
|
|
|
extra parameters can be given as described above.
|
2004-05-15 18:10:09 +08:00
|
|
|
The default is
|
|
|
|
.BR simple ;
|
|
|
|
.B none
|
|
|
|
inhibits proxy authorization;
|
|
|
|
.B sasl
|
|
|
|
uses a SASL bind with the above parameters; if required,
|
|
|
|
.I authorization
|
|
|
|
is performed by means of native SASL mechanism, and no proxyAuthz
|
|
|
|
is used for subsequent operations.
|
2004-06-16 04:57:28 +08:00
|
|
|
.RE
|
2004-05-15 18:10:09 +08:00
|
|
|
.TP
|
2003-02-27 00:35:09 +08:00
|
|
|
.B proxy-whoami
|
|
|
|
Turns on proxying of the WhoAmI extended operation. If this option is
|
|
|
|
given, back-ldap will replace slapd's original WhoAmI routine with its
|
|
|
|
own. On slapd sessions that were authenticated by back-ldap, the WhoAmI
|
|
|
|
request will be forwarded to the remote LDAP server. Other sessions will
|
|
|
|
be handled by the local slapd, as before. This option is mainly useful
|
|
|
|
in conjunction with Proxy Authorization.
|
|
|
|
.TP
|
2002-05-02 03:21:21 +08:00
|
|
|
.B rebind-as-user
|
|
|
|
If this option is given, the client's bind credentials are remembered
|
|
|
|
for rebinds when chasing referrals.
|
|
|
|
.TP
|
2004-11-14 01:59:21 +08:00
|
|
|
.\".B suffixmassage <suffix> <massaged (remote) suffix>
|
|
|
|
.\"DNs ending with <suffix> in a request are changed to end with <remote
|
|
|
|
.\"suffix> before sending the request to the remote server, and <remote
|
|
|
|
.\"suffix> in the results are changed back to <suffix> before returning
|
|
|
|
.\"them to the client.
|
|
|
|
.\"The <suffix> field must be defined as a valid suffix
|
|
|
|
.\"for the current database.
|
|
|
|
.\".TP
|
|
|
|
.\".B map "{attribute | objectclass} [<local name> | *] {<foreign name> | *}"
|
|
|
|
.\"Map attribute names and object classes from the foreign server to
|
|
|
|
.\"different values on the local slapd.
|
|
|
|
.\"The reason is that some attributes might not be part of the local
|
|
|
|
.\"slapd's schema, some attribute names might be different but serve the
|
|
|
|
.\"same purpose, etc.
|
|
|
|
.\"If local or foreign name is `*', the name is preserved.
|
|
|
|
.\"If local name is omitted, the foreign name is removed.
|
|
|
|
.\"Unmapped names are preseved if both local and foreign name are `*',
|
|
|
|
.\"and removed if local name is omitted and foreign name is `*'.
|
|
|
|
.\".TP
|
|
|
|
.\".B rewrite*
|
|
|
|
.\"The rewrite options are described in the "REWRITING" section of the
|
|
|
|
.\".BR slapd-meta (5)
|
|
|
|
.\"manual page.
|
2002-05-02 03:21:21 +08:00
|
|
|
.TP
|
2004-11-14 01:59:21 +08:00
|
|
|
.B suffixmassage, map, rewrite*
|
|
|
|
These directives are no longer supported by back-ldap; their
|
|
|
|
functionality is now delegated to the
|
|
|
|
.B rwm
|
|
|
|
overlay; see
|
|
|
|
.BR slapo-rwm (5)
|
|
|
|
for details.
|
|
|
|
However, to ease update from existing configurations, back-ldap still
|
|
|
|
recognizes them and automatically instantiates the
|
|
|
|
.B rwm
|
|
|
|
overlay if available and not instantiated yet.
|
|
|
|
This behavior may change in the future.
|
|
|
|
.\".SH EXAMPLES
|
|
|
|
.\"The following directives map the object class `groupOfNames' to
|
|
|
|
.\"the object class `groupOfUniqueNames' and the attribute type
|
|
|
|
.\"`member' to the attribute type `uniqueMember':
|
|
|
|
.\".LP
|
|
|
|
.\".RS
|
|
|
|
.\".nf
|
|
|
|
.\"map objectclass groupOfNames groupOfUniqueNames
|
|
|
|
.\"map attribute uniqueMember member
|
|
|
|
.\".fi
|
|
|
|
.\".RE
|
|
|
|
.\".LP
|
|
|
|
.\"This presents a limited attribute set from the foreign
|
|
|
|
.\"server:
|
|
|
|
.\".LP
|
|
|
|
.\".RS
|
|
|
|
.\".nf
|
|
|
|
.\"map attribute cn *
|
|
|
|
.\"map attribute sn *
|
|
|
|
.\"map attribute manager *
|
|
|
|
.\"map attribute description *
|
|
|
|
.\"map attribute *
|
|
|
|
.\".fi
|
|
|
|
.\".RE
|
|
|
|
.\".LP
|
|
|
|
.\"These lines map cn, sn, manager, and description to themselves, and
|
|
|
|
.\"any other attribute gets "removed" from the object before it is sent
|
|
|
|
.\"to the client (or sent up to the LDAP server). This is obviously a
|
|
|
|
.\"simplistic example, but you get the point.
|
2004-08-21 20:20:01 +08:00
|
|
|
.SH PROXY CACHE OVERLAY
|
|
|
|
The proxy cache overlay
|
|
|
|
allows caching of LDAP search requests (queries) in a local database.
|
|
|
|
See
|
|
|
|
.BR slapo-pcache (5)
|
|
|
|
for details.
|
2002-05-02 03:21:21 +08:00
|
|
|
.SH FILES
|
2002-05-09 10:07:41 +08:00
|
|
|
.TP
|
2002-05-02 03:21:21 +08:00
|
|
|
ETCDIR/slapd.conf
|
2002-05-09 10:07:41 +08:00
|
|
|
default slapd configuration file
|
2002-05-02 03:21:21 +08:00
|
|
|
.SH SEE ALSO
|
|
|
|
.BR slapd.conf (5),
|
2004-08-21 20:20:01 +08:00
|
|
|
.BR slapd\-meta (5),
|
|
|
|
.BR slapo\-pcache (5),
|
2004-11-14 01:59:21 +08:00
|
|
|
.BR slapo\-rwm (5),
|
2002-05-02 03:21:21 +08:00
|
|
|
.BR slapd (8),
|
|
|
|
.BR ldap (3).
|
2003-05-25 11:50:59 +08:00
|
|
|
.SH AUTHOR
|
|
|
|
Howard Chu, with enhancements by Pierangelo Masarati
|