mirror of
https://git.openldap.org/openldap/openldap.git
synced 2025-01-06 10:46:21 +08:00
refresh back-ldap man page, reflecting recent changes
This commit is contained in:
parent
672c39024e
commit
2a55844da3
@ -66,6 +66,7 @@ to the target server(s), generating an error.
|
|||||||
The current implementation automatically sets lastmod to off, so its use
|
The current implementation automatically sets lastmod to off, so its use
|
||||||
is redundant and should be omitted, because the lastmod directive will
|
is redundant and should be omitted, because the lastmod directive will
|
||||||
be deprecated in the future.
|
be deprecated in the future.
|
||||||
|
|
||||||
.TP
|
.TP
|
||||||
.B uri <ldapurl>
|
.B uri <ldapurl>
|
||||||
LDAP server to use. Multiple URIs can be set in in a single
|
LDAP server to use. Multiple URIs can be set in in a single
|
||||||
@ -76,19 +77,20 @@ call the first server of the list that responds, e.g.
|
|||||||
\fBuri "ldap://host/ ldap://backup-host"\fP
|
\fBuri "ldap://host/ ldap://backup-host"\fP
|
||||||
|
|
||||||
The URI list is space- or comma-separated.
|
The URI list is space- or comma-separated.
|
||||||
|
This statement is mandatory.
|
||||||
.\".TP
|
.\".TP
|
||||||
.\".B server <hostport>
|
.\".B server <hostport>
|
||||||
.\"Obsolete option; same as `uri ldap://<hostport>/'.
|
.\"Obsolete option; same as `uri ldap://<hostport>/'.
|
||||||
.HP
|
.HP
|
||||||
.hy 0
|
.hy 0
|
||||||
.B acl-method
|
.B acl-bind
|
||||||
.B bindmethod=simple|sasl [binddn=<simple DN>] [credentials=<simple password>]
|
.B bindmethod=simple|sasl [binddn=<simple DN>] [credentials=<simple password>]
|
||||||
.B [saslmech=<SASL mech>] [secprops=<properties>] [realm=<realm>]
|
.B [saslmech=<SASL mech>] [secprops=<properties>] [realm=<realm>]
|
||||||
.B [authcId=<authentication ID>] [authzId=<authorization ID>]
|
.B [authcId=<authentication ID>] [authzId=<authorization ID>]
|
||||||
.RS
|
.RS
|
||||||
Allows to define the parameters of the authentication method that is
|
Allows to define the parameters of the authentication method that is
|
||||||
internally used by the proxy to collect info related to access control.
|
internally used by the proxy to collect info related to access control.
|
||||||
The identity defined by this directive, along with the properties
|
The identity defined by this directive, according to the properties
|
||||||
associated to the authentication method, is supposed to have read access
|
associated to the authentication method, is supposed to have read access
|
||||||
on the target server to attributes used on the proxy for ACL checking.
|
on the target server to attributes used on the proxy for ACL checking.
|
||||||
The
|
The
|
||||||
@ -96,48 +98,38 @@ The
|
|||||||
field is currently ignored.
|
field is currently ignored.
|
||||||
There is no risk of giving away such values; they are only used to
|
There is no risk of giving away such values; they are only used to
|
||||||
check permissions.
|
check permissions.
|
||||||
|
The default is to use
|
||||||
|
.BR simple ,
|
||||||
|
with empty binddn and credentials,
|
||||||
|
which means that the related operations will be performed anonymously.
|
||||||
|
|
||||||
.B This identity is by no means implicitly used by the proxy
|
.B This identity is by no means implicitly used by the proxy
|
||||||
.B when the client connects anonymously.
|
.B when the client connects anonymously.
|
||||||
See the
|
See the
|
||||||
.B idassert-*
|
.B idassert-bind
|
||||||
feature instead.
|
feature instead.
|
||||||
This directive obsoletes
|
This directive obsoletes
|
||||||
.B acl-authcDN
|
.BR acl-authcDN ,
|
||||||
and
|
and
|
||||||
.BR acl-passwd .
|
.BR acl-passwd .
|
||||||
.RE
|
.RE
|
||||||
.TP
|
|
||||||
.B acl-authcDN "<administrative DN for access control purposes>"
|
.HP
|
||||||
DN which is used to query the target server for acl checking; it
|
.hy 0
|
||||||
is supposed to have read access on the target server to attributes used
|
.B idassert-bind
|
||||||
on the proxy for acl checking.
|
.B bindmethod=none|simple|sasl [binddn=<simple DN>] [credentials=<simple password>]
|
||||||
There is no risk of giving away such values; they are only used to
|
.B [saslmech=<SASL mech>] [secprops=<properties>] [realm=<realm>]
|
||||||
check permissions.
|
.B [authcId=<authentication ID>] [authzId=<authorization ID>]
|
||||||
.B The acl-authcDN identity is by no means implicitly used by the proxy
|
.B [authz={native|proxyauthz}] [mode=<mode>] [flags=<flags>]
|
||||||
.B when the client connects anonymously.
|
.RS
|
||||||
See the
|
Allows to define the parameters of the authentication method that is
|
||||||
.B idassert-*
|
internally used by the proxy to authorize connections that are
|
||||||
feature instead.
|
authenticated by other databases.
|
||||||
This configure statement is deprecated in favor of
|
The identity defined by this directive, according to the properties
|
||||||
.BR acl-method .
|
associated to the authentication method, is supposed to have auth access
|
||||||
.TP
|
on the target server to attributes used on the proxy for authentication
|
||||||
.B acl-passwd <password>
|
and authorization, and to be allowed to authorize the users.
|
||||||
Password used with the
|
This requires to have
|
||||||
.B
|
|
||||||
acl-authcDN
|
|
||||||
above.
|
|
||||||
This configure statement is deprecated in favor of
|
|
||||||
.BR acl-method .
|
|
||||||
.TP
|
|
||||||
.B idassert-authcdn "<administrative DN for proxyAuthz purposes>"
|
|
||||||
DN which is used to propagate the client's identity to the target
|
|
||||||
by means of the proxyAuthz control when the client does not
|
|
||||||
belong to the DIT fragment that is being proxyied by back-ldap.
|
|
||||||
This is useful when operations performed by users bound to another
|
|
||||||
backend are propagated through back-ldap.
|
|
||||||
This requires the entry with
|
|
||||||
.B idassert-authcdn
|
|
||||||
identity on the remote server to have
|
|
||||||
.B proxyAuthz
|
.B proxyAuthz
|
||||||
privileges on a wide set of DNs, e.g.
|
privileges on a wide set of DNs, e.g.
|
||||||
.BR authzTo=dn.subtree:"" ,
|
.BR authzTo=dn.subtree:"" ,
|
||||||
@ -151,32 +143,64 @@ See
|
|||||||
.BR slapd.conf (5)
|
.BR slapd.conf (5)
|
||||||
for details on these statements and for remarks and drawbacks about
|
for details on these statements and for remarks and drawbacks about
|
||||||
their usage.
|
their usage.
|
||||||
.TP
|
The supported bindmethods are
|
||||||
.B idassert-passwd <password>
|
|
||||||
Password used with the
|
\fBnone|simple|sasl\fP
|
||||||
.B idassert-authcdn
|
|
||||||
above.
|
where
|
||||||
.TP
|
.B none
|
||||||
.B idassert-mode <mode> [<flags>]
|
is the default, i.e. no \fIidentity assertion\fP is performed.
|
||||||
defines what type of
|
|
||||||
.I identity assertion
|
The authz parameter is used to instruct the SASL bind to exploit
|
||||||
is used.
|
.B native
|
||||||
|
SASL authorization, if available; since connections are cached,
|
||||||
|
this should only be used when authorizing with a fixed identity
|
||||||
|
(e.g. by means of the
|
||||||
|
.B authzDN
|
||||||
|
or
|
||||||
|
.B authzID
|
||||||
|
parameters).
|
||||||
|
Otherwise, the default
|
||||||
|
.B proxyauthz
|
||||||
|
is used, i.e. the proxyAuthz control is added to all operations.
|
||||||
|
|
||||||
The supported modes are:
|
The supported modes are:
|
||||||
|
|
||||||
\fB<mode> := {legacy|anonymous|none|<id>|self}\fP
|
\fB<mode> := {legacy|anonymous|none|self}\fP
|
||||||
|
|
||||||
\fB<flags> := {override}\fP
|
If
|
||||||
|
.B <mode>
|
||||||
|
is not present, and
|
||||||
|
.B authzId
|
||||||
|
is given, the proxy always authorizes that identity.
|
||||||
|
.B <authorization ID>
|
||||||
|
can be
|
||||||
|
|
||||||
\fB<id> := {u:<ID>|[dn:]<DN>}\fP
|
\fBu:<user>\fP
|
||||||
|
|
||||||
The default is
|
\fB[dn:]<DN>\fP
|
||||||
|
|
||||||
|
The former is supposed to be expanded by the remote server according
|
||||||
|
to the authz rules; see
|
||||||
|
.BR slapd.conf (5)
|
||||||
|
for details.
|
||||||
|
In the latter case, whether or not the
|
||||||
|
.B dn:
|
||||||
|
prefix is present, the string must pass DN validation and normalization.
|
||||||
|
|
||||||
|
The default mode is
|
||||||
.BR legacy ,
|
.BR legacy ,
|
||||||
which implies that the proxy will bind as
|
which implies that the proxy will either perform a simple bind as the
|
||||||
.I idassert-authcdn
|
.I authcDN
|
||||||
|
or a SASL bind as the
|
||||||
|
.I authcID
|
||||||
and assert the client's identity when it is not anonymous.
|
and assert the client's identity when it is not anonymous.
|
||||||
Direct binds are always proxied.
|
Direct binds are always proxied.
|
||||||
The other modes imply that the proxy will always bind as
|
The other modes imply that the proxy will always either perform a simple bind
|
||||||
.IR idassert-authcdn ,
|
as the
|
||||||
|
.IR authcDN
|
||||||
|
or a SASL bind as the
|
||||||
|
.IR authcID ,
|
||||||
unless restricted by
|
unless restricted by
|
||||||
.BR idassert-authzFrom
|
.BR idassert-authzFrom
|
||||||
rules (see below), in which case the operation will fail;
|
rules (see below), in which case the operation will fail;
|
||||||
@ -194,19 +218,10 @@ identity
|
|||||||
will be asserted;
|
will be asserted;
|
||||||
.BR none ,
|
.BR none ,
|
||||||
which means that no proxyAuthz control will be used, so the
|
which means that no proxyAuthz control will be used, so the
|
||||||
.I idassert-authcdn
|
.I authcDN
|
||||||
|
or the
|
||||||
|
.I authcID
|
||||||
identity will be asserted.
|
identity will be asserted.
|
||||||
Moreover, if a string prefixed with
|
|
||||||
.B u:
|
|
||||||
or
|
|
||||||
.B dn:
|
|
||||||
is used as
|
|
||||||
.BR <mode> ,
|
|
||||||
that identity will be asserted.
|
|
||||||
Ths string is also treated as a DN if it is not prefixed
|
|
||||||
by any recognized type indicator. Whether or not the
|
|
||||||
.B dn:
|
|
||||||
prefix is present, the string must pass DN validation and normalization.
|
|
||||||
For all modes that require the use of the
|
For all modes that require the use of the
|
||||||
.I proxyAuthz
|
.I proxyAuthz
|
||||||
control, on the remote server the proxy identity must have appropriate
|
control, on the remote server the proxy identity must have appropriate
|
||||||
@ -215,6 +230,7 @@ permissions, or the asserted identities must have appropriate
|
|||||||
.I authzFrom
|
.I authzFrom
|
||||||
permissions. Note, however, that the ID assertion feature is mostly
|
permissions. Note, however, that the ID assertion feature is mostly
|
||||||
useful when the asserted identities do not exist on the remote server.
|
useful when the asserted identities do not exist on the remote server.
|
||||||
|
|
||||||
When the
|
When the
|
||||||
.B override
|
.B override
|
||||||
flag is used, identity assertion takes place even when the database
|
flag is used, identity assertion takes place even when the database
|
||||||
@ -222,7 +238,15 @@ is authorizing for the identity of the client, i.e. after binding
|
|||||||
with the provided identity, and thus authenticating it, the proxy
|
with the provided identity, and thus authenticating it, the proxy
|
||||||
performs the identity assertion using the configured identity and
|
performs the identity assertion using the configured identity and
|
||||||
authentication method.
|
authentication method.
|
||||||
|
|
||||||
|
This directive obsoletes
|
||||||
|
.BR idassert-authcDN ,
|
||||||
|
.BR idassert-passwd ,
|
||||||
|
.BR idassert-mode ,
|
||||||
|
and
|
||||||
|
.BR idassert-method .
|
||||||
.RE
|
.RE
|
||||||
|
|
||||||
.TP
|
.TP
|
||||||
.B idassert-authzFrom <authz-regexp>
|
.B idassert-authzFrom <authz-regexp>
|
||||||
if defined, selects what
|
if defined, selects what
|
||||||
@ -238,66 +262,114 @@ See
|
|||||||
section related to
|
section related to
|
||||||
.BR authz-policy ,
|
.BR authz-policy ,
|
||||||
for details on the syntax of this field.
|
for details on the syntax of this field.
|
||||||
|
|
||||||
.TP
|
.TP
|
||||||
.B idassert-method <method> [<saslargs>]
|
.B proxy-whoami {NO|yes}
|
||||||
where valid method values are
|
|
||||||
|
|
||||||
\fB<method> := {none|simple|sasl}\fP
|
|
||||||
|
|
||||||
\fB<saslargs> := [mech=<mech>] [realm=<realm>] [authcid=<authcid>] [cred=<cred>] [authz={native|proxyauthz}]\fP
|
|
||||||
|
|
||||||
If method is
|
|
||||||
.IR sasl ,
|
|
||||||
extra parameters can be given as described above.
|
|
||||||
The default is
|
|
||||||
.BR simple ;
|
|
||||||
.B none
|
|
||||||
inhibits proxy authorization;
|
|
||||||
.B sasl
|
|
||||||
uses a SASL bind with the above parameters; if required,
|
|
||||||
.I authorization
|
|
||||||
is performed by means of native SASL mechanism, and no proxyAuthz
|
|
||||||
is used for subsequent operations.
|
|
||||||
.RE
|
|
||||||
.TP
|
|
||||||
.B proxy-whoami
|
|
||||||
Turns on proxying of the WhoAmI extended operation. If this option is
|
Turns on proxying of the WhoAmI extended operation. If this option is
|
||||||
given, back-ldap will replace slapd's original WhoAmI routine with its
|
given, back-ldap will replace slapd's original WhoAmI routine with its
|
||||||
own. On slapd sessions that were authenticated by back-ldap, the WhoAmI
|
own. On slapd sessions that were authenticated by back-ldap, the WhoAmI
|
||||||
request will be forwarded to the remote LDAP server. Other sessions will
|
request will be forwarded to the remote LDAP server. Other sessions will
|
||||||
be handled by the local slapd, as before. This option is mainly useful
|
be handled by the local slapd, as before. This option is mainly useful
|
||||||
in conjunction with Proxy Authorization.
|
in conjunction with Proxy Authorization.
|
||||||
|
|
||||||
.TP
|
.TP
|
||||||
.B rebind-as-user
|
.B rebind-as-user {NO|yes}
|
||||||
If this option is given, the client's bind credentials are remembered
|
If this option is given, the client's bind credentials are remembered
|
||||||
for rebinds when chasing referrals. Useful in conjunction with
|
for rebinds when chasing referrals. Useful when
|
||||||
\fBchase-referrals\fP, useless if \fBdont-chase-referrals\fP is set.
|
\fBchase-referrals\fP is set to \fByes\P, useless otherwise.
|
||||||
.LP
|
|
||||||
.B chase-referrals
|
.TP
|
||||||
.br
|
.B chase-referrals {YES|no}
|
||||||
.B dont-chase-referrals
|
|
||||||
.RS
|
|
||||||
enable/disable automatic referral chasing, which is delegated to the
|
enable/disable automatic referral chasing, which is delegated to the
|
||||||
underlying libldap, with rebinding eventually performed if the
|
underlying libldap, with rebinding eventually performed if the
|
||||||
\fBrebind-as-user\fP directive is used. The default is to chase referrals.
|
\fBrebind-as-user\fP directive is used. The default is to chase referrals.
|
||||||
.RE
|
|
||||||
|
|
||||||
.LP
|
.TP
|
||||||
.B tls-start
|
.B tls {[try-]start|[try-]propagate}
|
||||||
.br
|
|
||||||
.B tls-try-start
|
|
||||||
.br
|
|
||||||
.B tls-propagate
|
|
||||||
.br
|
|
||||||
.B tls-try-propagate
|
|
||||||
.RS
|
|
||||||
execute the start TLS extended operation when the connection is initialized;
|
execute the start TLS extended operation when the connection is initialized;
|
||||||
only works if the URI directive protocol scheme is not \fBldaps://\fP.
|
only works if the URI directive protocol scheme is not \fBldaps://\fP.
|
||||||
The \fBtls-propagate\fP version issues the Start TLS exop only if the original
|
\fBpropagate\fP issues the Start TLS exop only if the original
|
||||||
connection did.
|
connection did.
|
||||||
\fBtry-start-tls\fP and \fBtry-propagate-tls\fP continue operations
|
The \fBtry-\fP prefix instructs the proxy to continue operations
|
||||||
if start TLS failed.
|
if start TLS failed; its use is highly deprecated.
|
||||||
.RE
|
|
||||||
|
.TP
|
||||||
|
.B t-f-support {NO|yes|discover}
|
||||||
|
enable if the remote server supports absolute filters
|
||||||
|
(see \fIdraft-zeilenga-ldap-t-f\fP for details).
|
||||||
|
If set to
|
||||||
|
.BR discover ,
|
||||||
|
support is detected by reading the remote server's rootDSE.
|
||||||
|
|
||||||
|
.SH BACKWARD COMPATIBILITY
|
||||||
|
The LDAP backend has been heavily reworked between releases 2.2 and 2.3;
|
||||||
|
as a side-effect, some of the traditional directives have been
|
||||||
|
deprecated and should be no longer used.
|
||||||
|
|
||||||
|
.TP
|
||||||
|
.B server <hostname[:port]>
|
||||||
|
this directive is no longer supported. Use the
|
||||||
|
.B uri
|
||||||
|
directive as described above.
|
||||||
|
|
||||||
|
.TP
|
||||||
|
.B acl-authcDN "<administrative DN for access control purposes>"
|
||||||
|
DN which is used to query the target server for acl checking; it
|
||||||
|
is supposed to have read access on the target server to attributes used
|
||||||
|
on the proxy for acl checking.
|
||||||
|
There is no risk of giving away such values; they are only used to
|
||||||
|
check permissions.
|
||||||
|
.B The acl-authcDN identity is by no means implicitly used by the proxy
|
||||||
|
.B when the client connects anonymously.
|
||||||
|
See the
|
||||||
|
.B idassert-*
|
||||||
|
feature instead.
|
||||||
|
This directive is obsoleted by
|
||||||
|
.BR acl-bind ,
|
||||||
|
and may dismissed in the future.
|
||||||
|
|
||||||
|
.TP
|
||||||
|
.B acl-passwd <password>
|
||||||
|
Password used with the
|
||||||
|
.B
|
||||||
|
acl-authcDN
|
||||||
|
above.
|
||||||
|
This directive is obsoleted by
|
||||||
|
.BR acl-bind ,
|
||||||
|
and may be dismissed in the future.
|
||||||
|
|
||||||
|
.TP
|
||||||
|
.B idassert-authcDN "<administrative DN for proxyAuthz purposes>"
|
||||||
|
DN which is used to propagate the client's identity to the target
|
||||||
|
by means of the proxyAuthz control when the client does not
|
||||||
|
belong to the DIT fragment that is being proxyied by back-ldap.
|
||||||
|
This directive is obsoleted by
|
||||||
|
.BR idassert-bind ,
|
||||||
|
and may be dismissed in the future.
|
||||||
|
|
||||||
|
.TP
|
||||||
|
.B idassert-passwd <password>
|
||||||
|
Password used with the
|
||||||
|
.B idassert-authcDN
|
||||||
|
above.
|
||||||
|
This directive is obsoleted by
|
||||||
|
.BR idassert-bind ,
|
||||||
|
and may be dismissed in the future.
|
||||||
|
|
||||||
|
.TP
|
||||||
|
.B idassert-mode <mode> [<flags>]
|
||||||
|
defines what type of
|
||||||
|
.I identity assertion
|
||||||
|
is used.
|
||||||
|
This directive is obsoleted by
|
||||||
|
.BR idassert-bind ,
|
||||||
|
and may be dismissed in the future.
|
||||||
|
|
||||||
|
.TP
|
||||||
|
.B idassert-method <method> [<saslargs>]
|
||||||
|
This directive is obsoleted by
|
||||||
|
.BR idassert-bind ,
|
||||||
|
and may be dismissed in the future.
|
||||||
|
|
||||||
.TP
|
.TP
|
||||||
.B suffixmassage, map, rewrite*
|
.B suffixmassage, map, rewrite*
|
||||||
@ -335,12 +407,35 @@ returned by the
|
|||||||
.B search
|
.B search
|
||||||
operation is honored, which is performed by the frontend.
|
operation is honored, which is performed by the frontend.
|
||||||
|
|
||||||
.SH PROXY CACHE OVERLAY
|
.SH OVERLAYS
|
||||||
The proxy cache overlay
|
The LDAP backend provides basic proxying functionalities to many overlays.
|
||||||
allows caching of LDAP search requests (queries) in a local database.
|
The
|
||||||
|
.B chain
|
||||||
|
overlay, described in
|
||||||
|
.BR slapo\-chain (5),
|
||||||
|
and the
|
||||||
|
.B translucent
|
||||||
|
overlay, described in
|
||||||
|
.BR slapo\-translucent (5),
|
||||||
|
deserve a special mention.
|
||||||
|
|
||||||
|
Conversely, there are many overlays that are best used in conjunction
|
||||||
|
with the LDAP backend.
|
||||||
|
The
|
||||||
|
.B proxycache
|
||||||
|
overlay allows caching of LDAP search requests (queries)
|
||||||
|
in a local database.
|
||||||
See
|
See
|
||||||
.BR slapo-pcache (5)
|
.BR slapo\-pcache (5)
|
||||||
for details.
|
for details.
|
||||||
|
The
|
||||||
|
.B rwm
|
||||||
|
overlay provides DN rewrite and attribute/objectClass mapping
|
||||||
|
capabilities to the underlying database.
|
||||||
|
See
|
||||||
|
.BR slapo\-rwm (5)
|
||||||
|
for details.
|
||||||
|
|
||||||
.SH FILES
|
.SH FILES
|
||||||
.TP
|
.TP
|
||||||
ETCDIR/slapd.conf
|
ETCDIR/slapd.conf
|
||||||
@ -348,8 +443,10 @@ default slapd configuration file
|
|||||||
.SH SEE ALSO
|
.SH SEE ALSO
|
||||||
.BR slapd.conf (5),
|
.BR slapd.conf (5),
|
||||||
.BR slapd\-meta (5),
|
.BR slapd\-meta (5),
|
||||||
|
.BR slapo\-chain (5),
|
||||||
.BR slapo\-pcache (5),
|
.BR slapo\-pcache (5),
|
||||||
.BR slapo\-rwm (5),
|
.BR slapo\-rwm (5),
|
||||||
|
.BR slapo\-translucent (5),
|
||||||
.BR slapd (8),
|
.BR slapd (8),
|
||||||
.BR ldap (3).
|
.BR ldap (3).
|
||||||
.SH AUTHOR
|
.SH AUTHOR
|
||||||
|
Loading…
Reference in New Issue
Block a user