.TH SLAPD-LDAP 5 "RELEASEDATE" "OpenLDAP LDVERSION"
.\" Copyright 1998-2020 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
slapd\-ldap \- LDAP backend to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
The LDAP backend to
.BR slapd (8)
is not an actual database; instead it acts as a proxy to forward incoming
requests to another LDAP server. While processing requests it will also
chase referrals, so that referrals are fully processed instead of being
returned to the slapd client.

Sessions that explicitly Bind to the back-ldap database always create their
own private connection to the remote LDAP server. Anonymous sessions will
share a single anonymous connection to the remote server. For sessions bound
through other mechanisms, all sessions with the same DN will share the
same connection. This connection pooling strategy can enhance the proxy's
efficiency by reducing the overhead of repeatedly making/breaking multiple
connections.

The ldap database can also act as an information service, i.e. the identity
of locally authenticated clients is asserted to the remote server, possibly
in some modified form.
For this purpose, the proxy binds to the remote server with some
administrative identity, and, if required, authorizes the asserted identity.
See the
.IR idassert\- *
rules below.
The administrative identity of the proxy, on the remote server, must be
allowed to authorize by means of appropriate
.B authzTo
rules; see
.BR slapd.conf (5)
for details.

The proxy instance of
.BR slapd (8)
must contain schema information for the attributes and objectClasses
used in filters, request DNs and request-related data in general.
It should also contain schema information for the data returned
by the proxied server.
It is the responsibility of the proxy administrator to keep the schema
of the proxy lined up with that of the proxied server.

.LP
Note: When looping back to the same instance of
.BR slapd (8),
each connection requires a new thread; as a consequence, the
.BR slapd (8)
\fBthreads\fP parameter may need some tuning. In those cases,
one may consider using
.BR slapd\-relay (5)
instead, which performs the relayed operation
internally and thus reuses the same connection.

.SH CONFIGURATION
These
.B slapd.conf
options apply to the LDAP backend database.
That is, they must follow a "database ldap" line and come before any
subsequent "backend" or "database" lines.
Other database options are described in the
.BR slapd.conf (5)
manual page.

.LP
Note: In early versions of back-ldap it was recommended to always set
.LP
.RS
.nf
lastmod off
.fi
.RE
.LP
for
.B ldap
and
.B meta
databases.
This was required because operational attributes related to entry creation
and modification should not be proxied, as they could be mistakenly written
to the target server(s), generating an error.
The current implementation automatically sets lastmod to \fBoff\fP,
so its use is redundant and should be omitted.

.TP
.B uri <ldapurl>
LDAP server to use. Multiple URIs can be set in a single
.B ldapurl
argument, resulting in the underlying library automatically
calling the first server of the list that responds, e.g.

\fBuri "ldap://host/ ldap://backup\-host/"\fP

The URI list is space- or comma-separated.
Whenever the server that responds is not the first one in the list,
the list is rearranged and the responsive server is moved to the head,
so that it will be first contacted the next time a connection
needs to be created.
.HP
.hy 0
.B acl\-bind
.B bindmethod=simple|sasl [binddn=<simple DN>] [credentials=<simple password>]
.B [saslmech=<SASL mech>] [secprops=<properties>] [realm=<realm>]
.B [authcId=<authentication ID>] [authzId=<authorization ID>]
.B [starttls=no|yes|critical]
.B [tls_cert=<file>]
.B [tls_key=<file>]
.B [tls_cacert=<file>]
.B [tls_cacertdir=<path>]
.B [tls_reqcert=never|allow|try|demand]
.B [tls_reqsan=never|allow|try|demand]
.B [tls_cipher_suite=<ciphers>]
.B [tls_ecname=<names>]
.B [tls_protocol_min=<major>[.<minor>]]
.B [tls_crlcheck=none|peer|all]
.RS
Allows one to define the parameters of the authentication method that is
internally used by the proxy to collect info related to access control,
and whenever an operation occurs with the identity of the rootdn
of the LDAP proxy database.
The identity defined by this directive, according to the properties
associated with the authentication method, is supposed to have read access
on the target server to attributes used on the proxy for ACL checking.

There is no risk of giving away such values; they are only used to
check permissions.
The default is to use
.BR simple
bind, with empty \fIbinddn\fP and \fIcredentials\fP,
which means that the related operations will be performed anonymously.
If not set, and if \fBidassert\-bind\fP is defined, this latter identity
is used instead. See \fBidassert\-bind\fP for details.

The connection between the proxy database and the remote server
associated with this identity is cached regardless of the lifespan
of the client-proxy connection that first established it.

.B This identity is not implicitly used by the proxy
.B when the client connects anonymously.
The
.B idassert\-bind
feature, instead, in some cases can be crafted to implement that behavior,
which is \fIintrinsically unsafe and should be used with extreme care\fP.

The TLS settings default to the same as the main slapd TLS settings,
except for
.B tls_reqcert
which defaults to "demand", and
.B tls_reqsan
which defaults to "allow".
.RE

.TP
.B cancel {ABANDON|ignore|exop[\-discover]}
Defines how to handle operation cancellation.
By default,
.B abandon
is invoked, so the operation is abandoned immediately.
If set to
.BR ignore ,
no action is taken and any further response is ignored; this may result
in further response messages being queued for that connection, so it is
recommended that long lasting connections are timed out either by
.I idle\-timeout
or
.IR conn\-ttl ,
so that resources eventually get released.
If set to
.BR exop ,
a
.I cancel
operation (RFC 3909) is issued, resulting in the cancellation
of the current operation; the
.I cancel
operation waits for the remote server's response, so its use
is not generally recommended.
If set to
.BR exop\-discover ,
support of the
.I cancel
extended operation is detected by reading the remote server's root DSE.

.TP
.B chase\-referrals {YES|no}
enable/disable automatic referral chasing, which is delegated to the
underlying libldap; if the
\fBrebind\-as\-user\fP directive is set, the proxy rebinds on the
referred-to server with the client's credentials. The default is to chase
referrals. Note that chasing makes the proxy connect to whatever server
a referral names and, with \fBrebind\-as\-user\fP, send the client's
credentials to it.

.TP
.B conn\-ttl <time>
This directive causes a cached connection to be dropped and recreated
after a given ttl, regardless of whether it is idle or not.

.TP
.B idassert\-authzFrom <authz-regexp>
if defined, selects what
.I local
identities are authorized to exploit the identity assertion feature.
The string
.B <authz-regexp>
mostly follows the rules defined for the
.I authzFrom
attribute.
See
.BR slapd.conf (5),
section related to
.BR authz\-policy ,
for details on the syntax of this field. One difference from the documented
\fIauthzFrom\fP behavior concerns the meaning of \fB*\fP: here it also
matches, and therefore allows, the anonymous identity, instead of
denying it.

.HP
.hy 0
.B idassert\-bind
.B bindmethod=none|simple|sasl [binddn=<simple DN>] [credentials=<simple password>]
.B [saslmech=<SASL mech>] [secprops=<properties>] [realm=<realm>]
.B [authcId=<authentication ID>] [authzId=<authorization ID>]
.B [authz={native|proxyauthz}] [mode=<mode>] [flags=<flags>]
.B [starttls=no|yes|critical]
.B [tls_cert=<file>]
.B [tls_key=<file>]
.B [tls_cacert=<file>]
.B [tls_cacertdir=<path>]
.B [tls_reqcert=never|allow|try|demand]
.B [tls_reqsan=never|allow|try|demand]
.B [tls_cipher_suite=<ciphers>]
.B [tls_ecname=<names>]
.B [tls_protocol_min=<version>]
.B [tls_crlcheck=none|peer|all]
.RS
Allows one to define the parameters of the authentication method that is
internally used by the proxy to authorize connections that are
authenticated by other databases.
Direct binds are always proxied without any idassert handling.

The identity defined by this directive, according to the properties
associated with the authentication method, is supposed to have auth access
on the target server to attributes used on the proxy for authentication
and authorization, and to be allowed to authorize the users.
This requires it to have
.B proxyAuthz
privileges on a wide set of DNs, e.g.
.BR authzTo=dn.subtree:"" ,
and the remote server to have
.B authz\-policy
set to
.B to
or
.BR both .
See
.BR slapd.conf (5)
for details on these statements and for remarks and drawbacks about
their usage.
The supported bindmethods are

\fBnone|simple|sasl\fP

where
.B none
is the default, i.e. no \fIidentity assertion\fP is performed.

The authz parameter is used to instruct the SASL bind to exploit
.B native
SASL authorization, if available; since connections are cached,
this should only be used when authorizing with a fixed identity
(e.g. by means of the
.B authzDN
or
.B authzID
parameters).
Otherwise, the default
.B proxyauthz
is used, i.e. the proxyAuthz control (Proxied Authorization, RFC 4370)
is added to all operations.

The supported modes are:

\fB<mode> := {legacy|anonymous|none|self}\fP

If
.B <mode>
is not present, and
.B authzId
is given, the proxy always authorizes that identity.
.B <authorization ID>
can be

\fBu:<user>\fP

\fB[dn:]<DN>\fP

The former is supposed to be expanded by the remote server according
to the authz rules; see
.BR slapd.conf (5)
for details.
In the latter case, whether or not the
.B dn:
prefix is present, the string must pass DN validation and normalization.

The default mode is
.BR legacy ,
which implies that the proxy will either perform a simple bind as the
.I authcDN
or a SASL bind as the
.I authcID
and assert the client's identity when it is not anonymous.
The other modes imply that the proxy will always either perform a simple bind
as the
.IR authcDN
or a SASL bind as the
.IR authcID ,
unless restricted by
.BR idassert\-authzFrom
rules (see above), in which case the operation will fail;
otherwise, it will assert some other identity according to
.BR <mode> .
Other identity assertion modes are
.BR anonymous
and
.BR self ,
which respectively mean that the
.I empty
or the
.IR client 's
identity
will be asserted;
.BR none ,
which means that no proxyAuthz control will be used, so the
.I authcDN
or the
.I authcID
identity will be asserted.
For all modes that require the use of the
.I proxyAuthz
control, on the remote server the proxy identity must have appropriate
.I authzTo
permissions, or the asserted identities must have appropriate
.I authzFrom
permissions. Note, however, that the ID assertion feature is mostly
useful when the asserted identities do not exist on the remote server.

Flags can be

\fBoverride,[non\-]prescriptive,proxy\-authz\-[non\-]critical,dn\-{authzid|whoami}\fP

When the
.B override
flag is used, identity assertion takes place even when the database
is authorizing for the identity of the client, i.e. after binding
with the provided identity, and thus authenticating it, the proxy
performs the identity assertion using the configured identity and
authentication method.

When the
.B prescriptive
flag is used (the default), operations fail with
\fIinappropriateAuthentication\fP
for those identities whose assertion is not allowed by the
.B idassert\-authzFrom
patterns.
If the
.B non\-prescriptive
flag is used, operations are performed anonymously for those identities
whose assertion is not allowed by the
.B idassert\-authzFrom
patterns.

When the
.B proxy\-authz\-non\-critical
flag is used (the default), the proxyAuthz control is not marked as critical,
in violation of RFC 4370. Use of
.B proxy\-authz\-critical
is recommended: a remote server that does not recognize a non-critical
control simply ignores it (RFC 4511), so the operation would then be
performed with the privileges of the proxy identity itself rather than
those of the asserted identity, whereas a critical control makes such a
server reject the operation.

When the
.B dn\-authzid
flag is used, RFC 3829 LDAP Authorization Identity Controls
is used to retrieve the identity associated with the SASL identity;
when the
.B dn\-whoami
flag is used, RFC 4532 LDAP Who am I? Operation is performed
after the bind for the same purpose.

The TLS settings default to the same as the main slapd TLS settings,
except for
.B tls_reqcert
which defaults to "demand", and
.B tls_reqsan
which defaults to "allow".

The identity associated with this directive is also used for privileged
operations whenever \fBidassert\-bind\fP is defined and \fBacl\-bind\fP
is not. See \fBacl\-bind\fP for details.
.RE

.TP
.B idassert\-passthru <authz-regexp>
if defined, selects what
.I local
identities bypass the identity assertion feature.
Those identities need to be known by the remote host.
The string
.B <authz-regexp>
follows the rules defined for the
.I authzFrom
attribute.
See
.BR slapd.conf (5),
section related to
.BR authz\-policy ,
for details on the syntax of this field.
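.LP
The following configuration is an added example; it is not part of the
OpenLDAP sources or of this manual page. The suffix, host names, DNs,
passwords, file paths and patterns in it are placeholders. It puts the
\fBidassert\-bind\fP, \fBidassert\-authzFrom\fP, \fBidassert\-passthru\fP
and \fBacl\-bind\fP directives described above next to the remote-side
\fBauthz\-policy\fP and \fBauthzTo\fP settings that the DESCRIPTION
section says the proxy identity needs, with the least-privilege choices
a deployment should make.
```conf
# --- Proxy side: slapd.conf of the back-ldap instance ----------------------
# Added example, not from the OpenLDAP sources; every name, DN, password and
# path is a placeholder.  This file holds credentials: keep it readable by
# the slapd user only.
database        ldap
suffix          "dc=example,dc=com"
rootdn          "cn=manager,dc=example,dc=com"
uri             "ldaps://ldap1.example.com/ ldaps://ldap2.example.com/"

# Read-only identity used solely to fetch attributes needed for local ACL
# evaluation (and for operations run as this database's rootdn).  Keep it
# separate from, and less privileged than, the idassert identity.
acl-bind        bindmethod=simple
                binddn="cn=aclreader,ou=services,dc=example,dc=com"
                credentials="aclreader-secret"
                tls_reqcert=demand tls_reqsan=demand

# Identity the proxy binds as on behalf of sessions authenticated by other
# local databases; sessions that bind directly to this database are proxied
# with their own credentials and never use it.
#   mode=legacy (the default, spelled out): anonymous clients stay anonymous
#     on the remote server.  mode=none would instead run every operation
#     subject to assertion with the privileges of cn=proxy itself.
#   proxy-authz-critical: a server that does not understand the proxyAuthz
#     control rejects the request instead of silently executing it as cn=proxy.
#   prescriptive (the default): identities not matched by idassert-authzFrom
#     get inappropriateAuthentication rather than being proxied anonymously.
idassert-bind   bindmethod=simple
                binddn="cn=proxy,ou=services,dc=example,dc=com"
                credentials="proxy-secret"
                mode=legacy
                flags=prescriptive,proxy-authz-critical
                tls_reqcert=demand tls_reqsan=demand

# Local identities whose identity may be asserted.  "*" here would also
# admit anonymous, unlike authzFrom in slapd.conf(5), so list what is needed.
idassert-authzFrom "dn.regex:^uid=[^,]+,ou=people,dc=example,dc=com$"
idassert-authzFrom "dn.exact:cn=helpdesk,ou=services,dc=example,dc=com"

# Local identities that bypass assertion; they must exist on the remote
# server.
idassert-passthru "dn.exact:cn=replicator,ou=services,dc=example,dc=com"

# --- Remote side: slapd.conf of ldap1/ldap2 --------------------------------
# Honour the authzTo values carried by the proxy's entry ("both" would also
# honour authzFrom on the target entries).
authz-policy    to
# The entry cn=proxy,ou=services,dc=example,dc=com must carry authzTo values
# (set with ldapmodify, not in slapd.conf) scoped to the same identities the
# proxy is allowed to assert, rather than dn.subtree:"" (every DN):
#   authzTo: dn.regex:^uid=[^,]+,ou=people,dc=example,dc=com$
#   authzTo: dn.exact:cn=helpdesk,ou=services,dc=example,dc=com
# cn=proxy additionally needs "auth" access to the attributes the proxy uses
# for authentication, and cn=aclreader "read" access to those used in the
# proxy's ACLs; grant both with ordinary access directives here.
```
With this setup an operation from uid=alice,ou=people,dc=example,dc=com
reaches ldap1 on a connection bound as cn=proxy and carries a critical
proxyAuthz control naming alice, so ldap1 applies its own ACLs to alice;
a local identity outside the two patterns is refused by the proxy before
anything is sent, and a server that lacked proxyAuthz support would refuse
the request rather than execute it as cn=proxy.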

.TP
.B idle\-timeout <time>
This directive causes a cached connection to be dropped and recreated
after it has been idle for the specified time.

.TP
.B keepalive <idle>:<probes>:<interval>
The
.B keepalive
parameter sets the values of \fIidle\fP, \fIprobes\fP, and \fIinterval\fP
used to check whether a socket is alive;
.I idle
is the number of seconds a connection needs to remain idle before TCP
starts sending keepalive probes;
.I probes
is the maximum number of keepalive probes TCP should send before dropping
the connection;
.I interval
is the interval in seconds between individual keepalive probes.
Only some systems support the customization of these values;
the
.B keepalive
parameter is ignored otherwise, and system-wide settings are used.

.TP
.B network\-timeout <time>
Sets the network timeout value after which
.BR poll (2)/ select (2)
following a
.BR connect (2)
returns in case of no activity.
The value is in seconds, and it can be specified as for
.BR idle\-timeout .

.TP
.B norefs <NO|yes>
If
.BR yes ,
do not return search reference responses.
By default, they are returned unless the request is LDAPv2.

.TP
.B omit\-unknown\-schema <NO|yes>
If
.BR yes ,
do not return objectClasses or attributes that are not known to the local server.
The default is to return all schema elements.

.TP
.B noundeffilter <NO|yes>
If
.BR yes ,
return success instead of searching if a filter is undefined or contains
undefined portions.
By default, the search is propagated after replacing undefined portions
with
.BR (!(objectClass=*)) ,
which corresponds to the empty result set.

.TP
.B onerr {CONTINUE|stop}
This directive allows one to select the behavior in case an error is returned
by the remote server during a search.
The default, \fBcontinue\fP, returns success to the client, which therefore
cannot tell a result set truncated by the error from a complete one.
If the value is set to \fBstop\fP, the error is returned to the client.

.TP
.B protocol\-version {0,2,3}
This directive indicates what protocol version must be used to contact
the remote server.
If set to 0 (the default), the proxy uses the same protocol version
used by the client, otherwise the requested protocol is used.
The proxy returns \fIunwillingToPerform\fP if an operation that is
incompatible with the requested protocol is attempted.

.TP
.B proxy\-whoami {NO|yes}
Turns on proxying of the WhoAmI extended operation. If this option is
given, back-ldap will replace slapd's original WhoAmI routine with its
own. On slapd sessions that were authenticated by back-ldap, the WhoAmI
request will be forwarded to the remote LDAP server. Other sessions will
be handled by the local slapd, as before. This option is mainly useful
in conjunction with Proxy Authorization.

.TP
.B quarantine <interval>,<num>[;<interval>,<num>[...]]
Turns on quarantine of URIs that returned
.IR LDAP_UNAVAILABLE ,
so that an attempt to reconnect only occurs at given intervals instead
of any time a client requests an operation.
The pattern is: retry only after at least
.I interval
seconds elapsed since the last attempt, for exactly
.I num
times; then use the next pattern.
If
.I num
for the last pattern is "\fB+\fP", it retries forever; otherwise,
no more retries occur.
The process can be restarted by resetting the \fIolcDbQuarantine\fP
attribute of the database entry in the configuration backend.

.TP
.B rebind\-as\-user {NO|yes}
If this option is given, the client's bind credentials are remembered
for rebinds, when trying to re-establish a broken connection,
or when chasing a referral, if
.B chase\-referrals
is set to
.IR yes .
This keeps a copy of the client's credentials in the proxy for the
lifetime of the connection, so it should be enabled only where such
rebinds are actually needed.

.TP
.B session\-tracking\-request {NO|yes}
Adds session tracking control for all requests.
The client's IP and hostname, and the identity associated with each request,
if known, are sent to the remote server for informational purposes.
This directive is incompatible with setting \fIprotocol\-version\fP to 2.

.TP
.B single\-conn {NO|yes}
Discards the current cached connection when the client rebinds.

.TP
.B t\-f\-support {NO|yes|discover}
enable if the remote server supports absolute filters
(see \fIRFC 4526\fP for details).
If set to
.BR discover ,
support is detected by reading the remote server's root DSE.

.TP
.B timeout [<op>=]<val> [...]
This directive allows one to set per-operation timeouts.
Operations can be

\fB<op> ::= bind, add, delete, modrdn, modify, compare, search\fP

The overall duration of the \fBsearch\fP operation is controlled either
by the \fBtimelimit\fP parameter or by server-side enforced
time limits (see \fBtimelimit\fP and \fBlimits\fP in
.BR slapd.conf (5)
for details).
This \fBtimeout\fP parameter controls how long the target can be
unresponsive before the operation is aborted.
Timeout is meaningless for the remaining operations,
\fBunbind\fP and \fBabandon\fP, which do not imply any response,
while it is not yet implemented in currently supported \fBextended\fP
operations.
If no operation is specified, the timeout \fBval\fP affects all
supported operations.

Note: if the timeout is exceeded, the operation is cancelled
(according to the \fBcancel\fP directive);
the protocol does not provide any means to roll back operations,
so the client is not told whether the operation was applied on the
remote server: it may or may not have succeeded.
In case the timeout is exceeded during a bind operation, the connection
is destroyed, according to RFC 4511.

Note: in some cases, this backend may issue binds prior
to other operations (e.g. to bind anonymously or with some prescribed
identity according to the \fBidassert\-bind\fP directive).
In this case, the timeout of the operation that resulted in the bind
is used.
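.LP
The following is an added example, not part of the OpenLDAP sources or of
this manual page; host names and every numeric value are placeholders.
It combines the connection-related directives described above
(\fBuri\fP, \fBnetwork\-timeout\fP, \fBtimeout\fP, \fBcancel\fP,
\fBidle\-timeout\fP, \fBconn\-ttl\fP, \fBkeepalive\fP and
\fBquarantine\fP) into one configuration and notes how they interact.
```conf
# Added example, not from the OpenLDAP sources; hosts and values are
# placeholders chosen to show how the connection directives fit together.
database        ldap
suffix          "dc=example,dc=com"
# Fail over to ldap2 when ldap1 does not respond; the server that answers is
# moved to the head of the list for the next connection that is created.
uri             "ldap://ldap1.example.com/ ldap://ldap2.example.com/"

# Give up on a TCP connect that gets no answer within 5 seconds, so a
# black-holed host does not hold a slapd thread for the kernel's default
# connect timeout.
network-timeout 5

# Per-operation response timeouts (seconds).  Binds and reads abort quickly;
# writes get longer because an aborted write is ambiguous: the client is not
# told whether the remote server applied it (see the note above).
timeout         bind=10 search=20 compare=10 add=60 modify=60 modrdn=60 delete=60

# Abort a timed-out operation with the Cancel extended operation (RFC 3909)
# when the remote root DSE advertises it, otherwise with Abandon.
cancel          exop-discover

# Connection lifecycle.  idle-timeout frees cached connections unused for
# 5 minutes; conn-ttl bounds the life of every cached connection (including
# the privileged acl-bind/idassert-bind ones) to one hour, which also lets
# them move back to the head of the uri list after a failover; keepalive,
# where the OS honours it, detects a half-open socket after 60s idle plus
# 3 probes 10s apart instead of waiting for an operation timeout.
idle-timeout    300
conn-ttl        3600
keepalive       60:3:10

# A URI that returned LDAP_UNAVAILABLE is retried after 10s, three times,
# then after 60s, five times, then every 300s indefinitely; without this,
# every client operation would trigger a fresh reconnect attempt.
quarantine      "10,3;60,5;300,+"
```
The values are deliberately ordered: network-timeout < per-operation
timeout < idle-timeout < conn-ttl, so a dead host is detected at connect
time, a hung operation is abandoned before the connection is considered
idle, and even a busy connection is eventually re-established.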

.HP
.hy 0
.B tls {none|[try\-]start|[try\-]propagate|ldaps}
.B [starttls=no]
.B [tls_cert=<file>]
.B [tls_key=<file>]
.B [tls_cacert=<file>]
.B [tls_cacertdir=<path>]
.B [tls_reqcert=never|allow|try|demand]
.B [tls_reqsan=never|allow|try|demand]
.B [tls_cipher_suite=<ciphers>]
.B [tls_ecname=<names>]
.B [tls_crlcheck=none|peer|all]
.RS
Specify TLS settings for regular connections.

The first parameter only applies to \fBldap://\fP connections and so
at the moment, \fBnone\fP and \fBldaps\fP are equivalent.

With \fBstart\fP, the proxy always issues a StartTLS operation on the
connection to the remote server.
With \fBpropagate\fP, the proxy issues a StartTLS operation only if
the original connection has a TLS layer set up.
The \fBtry\-\fP prefix instructs the proxy to continue operations
if the StartTLS operation failed, i.e. to send them in cleartext;
its use is \fBnot\fP recommended.

The TLS settings default to the same as the main slapd TLS settings,
except for
.B tls_reqcert
which defaults to "demand",
.B tls_reqsan
which defaults to "allow", and
.B starttls
which is overshadowed by the first keyword and thus ignored.
.RE
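.LP
The following is an added example, not part of the OpenLDAP sources or of
this manual page; host names, file paths and the cipher string are
placeholders. It shows a weak \fBtls\fP setting next to a hardened one
for the proxy-to-server hop.
```conf
# Added example, not from the OpenLDAP sources; hosts, paths and the cipher
# string are placeholders.  Only one of the two databases would exist in a
# real configuration.

# WEAK: StartTLS is attempted but a failure is tolerated (try-start), and an
# unverifiable server certificate is accepted (tls_reqcert=allow).  An
# on-path attacker can strip TLS or present any certificate, and the proxy's
# own bind credentials (acl-bind, idassert-bind) then travel in the clear or
# to an impostor.
#database       ldap
#suffix         "dc=example,dc=com"
#uri            "ldap://ldap1.example.com/"
#tls            try-start tls_reqcert=allow

# HARDENED: always StartTLS and fail the connection if it cannot be set up
# (start); verify the server certificate against one specific CA (demand);
# require a subjectAltName that matches the host name (tls_reqsan=demand);
# check the server certificate against a CRL.  "propagate" would leave this
# hop in cleartext whenever the client's own connection is, so it is only
# appropriate when that is the intent.
database        ldap
suffix          "dc=example,dc=com"
uri             "ldap://ldap1.example.com/ ldap://ldap2.example.com/"
tls             start
                tls_cacert=/etc/openldap/certs/internal-ca.pem
                tls_reqcert=demand
                tls_reqsan=demand
                tls_crlcheck=peer
                # client certificate presented to the remote server;
                # the key file must be readable by the slapd user only
                tls_cert=/etc/openldap/certs/proxy-client.pem
                tls_key=/etc/openldap/certs/proxy-client.key
                # syntax depends on the TLS library slapd was built with;
                # this string is OpenSSL-style
                tls_cipher_suite=HIGH:!aNULL:!eNULL:!MD5
```
Lines beginning with whitespace are continuations of the \fBtls\fP line,
as in the rest of
.BR slapd.conf (5).
The same \fBtls_*\fP keywords can be repeated on \fBacl\-bind\fP and
\fBidassert\-bind\fP, whose connections are otherwise governed by the
defaults described above; an \fBldaps://\fP URI makes the first keyword
irrelevant but still benefits from \fBtls_reqcert\fP and \fBtls_reqsan\fP.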

.TP
.B use\-temporary\-conn {NO|yes}
when set to
.BR yes ,
create a temporary connection whenever competing with other threads
for a shared one; otherwise, wait until the shared connection is available.

.SH ACCESS CONTROL
The
.B ldap
backend does not honor all ACL semantics as described in
.BR slapd.access (5).
In general, access checking is delegated to the remote server(s).
Only
.B read (=r)
access to the
.B entry
pseudo-attribute and to the other attribute values of the entries
returned by the
.B search
operation is honored, which is performed by the frontend.
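.LP
The following is an added example, not part of the OpenLDAP sources or of
this manual page; the suffix, host, DNs and password are placeholders. It
shows which local ACLs this backend enforces on proxied search results and
which it does not, and how \fBacl\-bind\fP is involved in evaluating them.
```conf
# Added example, not from the OpenLDAP sources; DNs, host and password are
# placeholders.
database        ldap
suffix          "dc=example,dc=com"
uri             "ldaps://ldap1.example.com/"
# Identity used to read the group entry referenced below from the remote
# server when a group.exact clause is evaluated; it needs read access to
# that group's member attribute on the remote server.
acl-bind        bindmethod=simple
                binddn="cn=aclreader,ou=services,dc=example,dc=com"
                credentials="aclreader-secret"

# ENFORCED here (read access on search results, checked by the frontend):
# password hashes never leave the proxy, and entries under ou=hr are
# returned only to members of cn=hr-staff; for everyone else they are
# silently omitted, because read on the "entry" pseudo-attribute is denied.
access to attrs=userPassword
        by * none
access to dn.subtree="ou=hr,dc=example,dc=com"
        by group.exact="cn=hr-staff,ou=groups,dc=example,dc=com" read
        by * none
access to *
        by * read

# NOT enforced here: write, compare, auth and search (filter) access.  A
# modify, a compare on userPassword, or a search whose filter tests an
# attribute hidden above is forwarded unchanged and decided by the remote
# server's own ACLs; the filter can still reveal whether a hidden value
# matches.  Put such restrictions on the remote server.
```
Rules are evaluated in order, so the specific \fBattrs=userPassword\fP and
\fBou=hr\fP rules must precede the catch-all; the catch-all itself only
documents that nothing else is filtered locally.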

.SH OVERLAYS
The LDAP backend provides basic proxying functionalities to many overlays.
The
.B chain
overlay, described in
.BR slapo\-chain (5),
and the
.B translucent
overlay, described in
.BR slapo\-translucent (5),
deserve a special mention.

Conversely, there are many overlays that are best used in conjunction
with the LDAP backend.
The
.B proxycache
overlay allows caching of LDAP search requests (queries)
in a local database.
See
.BR slapo\-pcache (5)
for details.
The
.B rwm
overlay provides DN rewrite and attribute/objectClass mapping
capabilities to the underlying database.
See
.BR slapo\-rwm (5)
for details.

.SH FILES
.TP
ETCDIR/slapd.conf
default slapd configuration file
.SH SEE ALSO
.BR slapd.conf (5),
.BR slapd\-config (5),
.BR slapd\-meta (5),
.BR slapo\-chain (5),
.BR slapo\-pcache (5),
.BR slapo\-rwm (5),
.BR slapo\-translucent (5),
.BR slapd (8),
.BR ldap (3).
.SH AUTHOR
Howard Chu, with enhancements by Pierangelo Masarati