Pierangelo Masarati 2004-11-13 17:59:21 +00:00
parent 60c99a889c
commit 2cf20312e2
2 changed files with 136 additions and 80 deletions

View File

@ -73,9 +73,9 @@ call the first server of the list that responds, e.g.
\fBuri "ldap://host/ ldap://backup-host"\fP \fBuri "ldap://host/ ldap://backup-host"\fP
The URI list is space- or comma-separated. The URI list is space- or comma-separated.
.TP .\".TP
.B server <hostport> .\".B server <hostport>
Obsolete option; same as `uri ldap://<hostport>/'. .\"Obsolete option; same as `uri ldap://<hostport>/'.
.TP .TP
.B acl-authcDN "<administrative DN for access control purposes>" .B acl-authcDN "<administrative DN for access control purposes>"
DN which is used to query the target server for acl checking; it DN which is used to query the target server for acl checking; it
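Review bot: Commenting out the `server <hostport>` entry with `.\"` silently drops the only documented mapping of that obsolete directive to `uri ldap://<hostport>/`; if back-ldap still accepts `server` in existing configurations, keep a one-line deprecation note in the rendered page (the way the later hunk does for `suffixmassage, map, rewrite*`) instead of hiding it in a comment, and if it is no longer accepted, delete the lines rather than leaving dead text in the source.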
@ -85,6 +85,9 @@ There is no risk of giving away such values; they are only used to
check permissions. check permissions.
.B The acl-authcDN identity is by no means implicitly used by the proxy .B The acl-authcDN identity is by no means implicitly used by the proxy
.B when the client connects anonymously. .B when the client connects anonymously.
See the
.B idassert-*
feature instead.
.TP .TP
.B acl-passwd <password> .B acl-passwd <password>
Password used with the bind DN above. Password used with the bind DN above.
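Review bot: The new cross-reference "See the .B idassert-* feature instead." points at a glob rather than a directive; since the surrounding text already documents `idassert-mode`, `idassert-authzFrom` and `idassert-method` by name, naming those directives (or at least `idassert-mode`) makes it clear to an administrator that `acl-authcDN`/`acl-passwd` are only used for the ACL lookup and that anonymous clients stay anonymous unless identity assertion is explicitly configured.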
@ -115,19 +118,17 @@ their usage.
.B idassert-passwd <password> .B idassert-passwd <password>
Password used with the proxy authzDN above. Password used with the proxy authzDN above.
.TP .TP
.B idassert-mode <mode> .B idassert-mode <mode> [<flags>]
defines what type of defines what type of
.I identity assertion .I identity assertion
is used. is used.
The supported modes are: The supported modes are:
.RS
.RS \fB<mode> := {legacy|anonymous|none|<id>|self}\fP
.TP
.B <mode>={legacy|anonymous|none|<id>|self} \fB<flags> := {override}\fP
.RE
.RS \fB<id> := {u:<ID>|[dn:]<DN>}\fP
.B <id>={u:<ID>|[dn:]<DN>}
.RE
The default is The default is
.BR legacy , .BR legacy ,
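Review bot: The three `\fB<mode> := ...\fP`, `\fB<flags> := {override}\fP` and `\fB<id> := ...\fP` lines replace the old `.TP` blocks but are plain filled text inside `.RS`/`.RE`, so nroff will join them into a single paragraph line; add `.br` after each (or wrap them in `.nf`/`.fi`) so the three productions render one per line as the old `.TP` form did. The `override` flag is introduced here but its effect is only described in the next hunk; a short "see below" after `{override}` would help.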
@ -175,14 +176,21 @@ permissions, or the asserted identities must have appropriate
.I authzFrom .I authzFrom
permissions. Note, however, that the ID assertion feature is mostly permissions. Note, however, that the ID assertion feature is mostly
useful when the asserted identities do not exist on the remote server. useful when the asserted identities do not exist on the remote server.
When the
.B override
flag is used, identity assertion takes place even when the database
is authorizing for the identity of the client, i.e. after binding
with the provided identity, and thus authenticating it, the proxy
performs the identity assertion using the configured identity and
authentication method.
.RE .RE
.TP .TP
.B idassert-authzFrom <authz> .B idassert-authzFrom <authz-regexp>
if defined, selects what if defined, selects what
.I local .I local
identities are authorized to exploit the identity assertion feature. identities are authorized to exploit the identity assertion feature.
The string The string
.B authz .B <authz-regexp>
follows the rules defined for the follows the rules defined for the
.I authzFrom .I authzFrom
attribute. attribute.
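Review bot: The `override` paragraph should state explicitly that the client's own bind is still performed and verified against the remote server, and that every subsequent operation is then sent under the configured idassert identity rather than the client's; it should also say whether `idassert-authzFrom` is still consulted in override mode, since that is the control that limits which local identities can have the proxy identity asserted on their behalf. Separately, renaming the argument to `<authz-regexp>` while the text says it "follows the rules defined for the authzFrom attribute" (whose values are not limited to regular expressions) may mislead; `<authz>` or `<authz-spec>` would be more accurate.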
@ -190,22 +198,18 @@ See
.BR slapd.conf (5), .BR slapd.conf (5),
section related to section related to
.BR authz-policy , .BR authz-policy ,
for details on the supported syntaxes. for details on the syntax of this field.
.TP .TP
.B idassert-method <method> [<saslargs>] .B idassert-method <method> [<saslargs>]
where valid method values are where valid method values are
.RS
.TP
.B <method>={none|simple|sasl}
.RE
.RS
.B <saslargs>=[mech=<mech>] [realm=<realm>] [authcid=<authcid>] [cred=<cred>]
.RE \fB<method> := {none|simple|sasl}\fP
.RS
\fB<saslargs> := [mech=<mech>] [realm=<realm>] [authcid=<authcid>] [cred=<cred>] [authz={native|proxyauthz}]\fP
If method is If method is
.IR sasl , .IR sasl ,
extra parameters can be given a described above. extra parameters can be given as described above.
The default is The default is
.BR simple ; .BR simple ;
.B none .B none
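Review bot: The new `[authz={native|proxyauthz}]` sasl argument is added to the syntax line but nowhere explained in this hunk; add a sentence saying what each value does (which one relies on the SASL authorization identity supplied at bind time and which one sends the proxied authorization control with each operation) and which is the default, since the two differ in what the remote server must be configured to permit. The "a described" to "as described" typo fix is fine.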
@ -229,58 +233,71 @@ in conjunction with Proxy Authorization.
If this option is given, the client's bind credentials are remembered If this option is given, the client's bind credentials are remembered
for rebinds when chasing referrals. for rebinds when chasing referrals.
.TP .TP
.B suffixmassage <suffix> <massaged (remote) suffix> .\".B suffixmassage <suffix> <massaged (remote) suffix>
DNs ending with <suffix> in a request are changed to end with <remote .\"DNs ending with <suffix> in a request are changed to end with <remote
suffix> before sending the request to the remote server, and <remote .\"suffix> before sending the request to the remote server, and <remote
suffix> in the results are changed back to <suffix> before returning .\"suffix> in the results are changed back to <suffix> before returning
them to the client. .\"them to the client.
The <suffix> field must be defined as a valid suffix .\"The <suffix> field must be defined as a valid suffix
for the current database. .\"for the current database.
.\".TP
.\".B map "{attribute | objectclass} [<local name> | *] {<foreign name> | *}"
.\"Map attribute names and object classes from the foreign server to
.\"different values on the local slapd.
.\"The reason is that some attributes might not be part of the local
.\"slapd's schema, some attribute names might be different but serve the
.\"same purpose, etc.
.\"If local or foreign name is `*', the name is preserved.
.\"If local name is omitted, the foreign name is removed.
.\"Unmapped names are preseved if both local and foreign name are `*',
.\"and removed if local name is omitted and foreign name is `*'.
.\".TP
.\".B rewrite*
.\"The rewrite options are described in the "REWRITING" section of the
.\".BR slapd-meta (5)
.\"manual page.
.TP .TP
.B map "{attribute | objectclass} [<local name> | *] {<foreign name> | *}" .B suffixmassage, map, rewrite*
Map attribute names and object classes from the foreign server to These directives are no longer supported by back-ldap; their
different values on the local slapd. functionality is now delegated to the
The reason is that some attributes might not be part of the local .B rwm
slapd's schema, some attribute names might be different but serve the overlay; see
same purpose, etc. .BR slapo-rwm (5)
If local or foreign name is `*', the name is preserved. for details.
If local name is omitted, the foreign name is removed. However, to ease update from existing configurations, back-ldap still
Unmapped names are preseved if both local and foreign name are `*', recognizes them and automatically instantiates the
and removed if local name is omitted and foreign name is `*'. .B rwm
.TP overlay if available and not instantiated yet.
.B rewrite* This behavior may change in the future.
The rewrite options are described in the "REWRITING" section of the .\".SH EXAMPLES
.BR slapd-meta (5) .\"The following directives map the object class `groupOfNames' to
manual page. .\"the object class `groupOfUniqueNames' and the attribute type
.SH EXAMPLES .\"`member' to the attribute type `uniqueMember':
The following directives map the object class `groupOfNames' to .\".LP
the object class `groupOfUniqueNames' and the attribute type .\".RS
`member' to the attribute type `uniqueMember': .\".nf
.LP .\"map objectclass groupOfNames groupOfUniqueNames
.RS .\"map attribute uniqueMember member
.nf .\".fi
map objectclass groupOfNames groupOfUniqueNames .\".RE
map attribute uniqueMember member .\".LP
.fi .\"This presents a limited attribute set from the foreign
.RE .\"server:
.LP .\".LP
This presents a limited attribute set from the foreign .\".RS
server: .\".nf
.LP .\"map attribute cn *
.RS .\"map attribute sn *
.nf .\"map attribute manager *
map attribute cn * .\"map attribute description *
map attribute sn * .\"map attribute *
map attribute manager * .\".fi
map attribute description * .\".RE
map attribute * .\".LP
.fi .\"These lines map cn, sn, manager, and description to themselves, and
.RE .\"any other attribute gets "removed" from the object before it is sent
.LP .\"to the client (or sent up to the LDAP server). This is obviously a
These lines map cn, sn, manager, and description to themselves, and .\"simplistic example, but you get the point.
any other attribute gets "removed" from the object before it is sent
to the client (or sent up to the LDAP server). This is obviously a
simplistic example, but you get the point.
.SH PROXY CACHE OVERLAY .SH PROXY CACHE OVERLAY
The proxy cache overlay The proxy cache overlay
allows caching of LDAP search requests (queries) in a local database. allows caching of LDAP search requests (queries) in a local database.
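Review bot: The replacement text says back-ldap "automatically instantiates the rwm overlay if available and not instantiated yet" but does not say what happens when the overlay is not available; since `suffixmassage` and `map` decide which DNs and attributes are exposed to clients, the page should state that the legacy directives are then rejected at configuration time rather than silently ignored, so an administrator does not end up with an unrewritten proxy. Also, the old `map`, `rewrite*` and EXAMPLES text is commented out with `.\"` instead of deleted; git keeps the history, so dropping the roughly fifty dead lines keeps the source readable.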
@ -295,6 +312,7 @@ default slapd configuration file
.BR slapd.conf (5), .BR slapd.conf (5),
.BR slapd\-meta (5), .BR slapd\-meta (5),
.BR slapo\-pcache (5), .BR slapo\-pcache (5),
.BR slapo\-rwm (5),
.BR slapd (8), .BR slapd (8),
.BR ldap (3). .BR ldap (3).
.SH AUTHOR .SH AUTHOR

View File

@ -69,15 +69,24 @@ and a real naming context by means of the
.B rwm-suffixmassage .B rwm-suffixmassage
directive. directive.
.TP .TP
.B rwm-suffixmassage "<virtual naming context>" "<real naming context>" .B rwm-suffixmassage "[<virtual naming context>]" "<real naming context>"
Shortcut to implement naming context rewriting; the trailing part Shortcut to implement naming context rewriting; the trailing part
of the DN is rewritten from the virtual to the real naming context of the DN is rewritten from the virtual to the real naming context
in the bindDN, searchDN, searchFilterAttrDN, compareDN, compareAttrDN, in the bindDN, searchDN, searchFilterAttrDN, compareDN, compareAttrDN,
addDN, addAttrDN, modifyDN, modifyAttrDN, modrDN, newSuperiorDN, addDN, addAttrDN, modifyDN, modifyAttrDN, modrDN, newSuperiorDN,
deleteDN, exopPasswdDN, and from the real to the virtual naming context deleteDN, exopPasswdDN, and from the real to the virtual naming context
in the searchEntryDN, searchAttrDN and matchedDN rewrite contexts. in the searchEntryDN, searchAttrDN and matchedDN rewrite contexts.
By default no rewriting occurs for the searchFilter rewrite context. By default no rewriting occurs for the searchFilter
This directive implies setting the and for the referralAttrDN and referralDN rewrite contexts.
If no \fI<virtual naming context>\fP is given, the first suffix of the
database is used; this requires the
.B rwm-suffixmassage
directive be defined \fIafter\fP the database
.B suffix
directive.
The
.B rwm-suffixmassage
directive automatically sets the
.B rwm-rewriteEngine .B rwm-rewriteEngine
to to
.BR ON . .BR ON .
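Review bot: The added sentence that no rewriting occurs by default for the `referralAttrDN` and `referralDN` contexts deserves one more clause: with `rwm-suffixmassage` alone, referrals returned by the real server still carry real naming context DNs, so an administrator relying on the virtual naming context to hide the real one must add rules for those contexts. For the new optional `<virtual naming context>`, say what happens when `rwm-suffixmassage` appears before the database `suffix` directive (a configuration error is preferable to silently massaging against an empty or wrong suffix); the text currently only says the ordering is required.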
@ -195,7 +204,7 @@ and/or
.SH "Substitution Pattern Syntax" .SH "Substitution Pattern Syntax"
Everything starting with `$' requires substitution; Everything starting with `$' requires substitution;
.LP .LP
the only obvious exception is `$$', which is left as is; the only obvious exception is `$$', which is turned into a single `$';
.LP .LP
the basic substitution is `$<d>', where `<d>' is a digit; the basic substitution is `$<d>', where `<d>' is a digit;
0 means the whole string, while 1-9 is a submatch, as discussed in 0 means the whole string, while 1-9 is a submatch, as discussed in
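Review bot: Changing "`$$' is left as is" to "`$$' is turned into a single `$'" is a change in the documented semantics, and this commit touches only the two man pages, so either the rewrite engine already behaved this way and the old text was wrong, or the text is now ahead of the code; the commit message should say which, and any `$$` occurrence in the configuration examples below should be re-checked against the new meaning.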
@ -374,7 +383,7 @@ The count applies to the rewriting operation as a whole, not
to any single rule; an optional per-rule limit can be set. to any single rule; an optional per-rule limit can be set.
This limit is overridden by setting specific per-rule limits This limit is overridden by setting specific per-rule limits
with the `M{n}' flag. with the `M{n}' flag.
.SH "Configuration Examples" .SH "REWRITE CONFIGURATION EXAMPLES"
.nf .nf
# set to `off' to disable rewriting # set to `off' to disable rewriting
rwm-rewriteEngine on rwm-rewriteEngine on
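Review bot: The section heading is renamed to the upper-case `"REWRITE CONFIGURATION EXAMPLES"`, but the earlier `.SH "Substitution Pattern Syntax"` in the same file keeps title case; pick one convention for all `.SH` headings in slapo-rwm.5 in this commit so the rendered page is consistent.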
@ -501,6 +510,35 @@ rwm-rewriteContext searchEntryDN
rwm-rewriteRule ".+,ou=People,dc=example,dc=com$" "$0" ":@" rwm-rewriteRule ".+,ou=People,dc=example,dc=com$" "$0" ":@"
rwm-rewriteRule ".*" "" "#" rwm-rewriteRule ".*" "" "#"
.fi .fi
.SH "MAPPING EXAMPLES"
The following directives map the object class `groupOfNames' to
the object class `groupOfUniqueNames' and the attribute type
`member' to the attribute type `uniqueMember':
.LP
.RS
.nf
map objectclass groupOfNames groupOfUniqueNames
map attribute uniqueMember member
.fi
.RE
.LP
This presents a limited attribute set from the foreign
server:
.LP
.RS
.nf
map attribute cn *
map attribute sn *
map attribute manager *
map attribute description *
map attribute *
.fi
.RE
.LP
These lines map cn, sn, manager, and description to themselves, and
any other attribute gets "removed" from the object before it is sent
to the client (or sent up to the LDAP server). This is obviously a
simplistic example, but you get the point.
.SH FILES .SH FILES
.TP .TP
ETCDIR/slapd.conf ETCDIR/slapd.conf
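Review bot: The MAPPING EXAMPLES section is moved over from slapd-ldap.5 verbatim, but its directives still read `map objectclass ...` and `map attribute ...`, whereas every other directive in this page is prefixed `rwm-` (`rwm-rewriteRule`, `rwm-rewriteContext`, `rwm-suffixmassage`); they should read `rwm-map objectclass groupOfNames groupOfUniqueNames` and `rwm-map attribute uniqueMember member`, otherwise copying the example into slapd.conf will not work. The prose also reads against the syntax from the old slapd-ldap.5 text (`map {attribute | objectclass} [<local name> | *] {<foreign name> | *}`): `map attribute uniqueMember member` lists `uniqueMember` as the local name and `member` as the foreign one, while the sentence above says `member` is mapped to `uniqueMember`; stating the direction once (foreign name as seen on the remote server, local name as presented to clients) would remove the ambiguity.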