.TH SLAPD-LDAP 5 "RELEASEDATE" "OpenLDAP LDVERSION"
.\" Copyright 1998-2005 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
slapd-ldap \- LDAP backend to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
The LDAP backend to
.BR slapd (8)
is not an actual database; instead it acts as a proxy to forward incoming
requests to another LDAP server. While processing requests it will also
chase referrals, so that referrals are fully processed instead of being
returned to the slapd client.

Sessions that explicitly Bind to the back-ldap database always create their
own private connection to the remote LDAP server. Anonymous sessions will
share a single anonymous connection to the remote server. For sessions bound
through other mechanisms, all sessions with the same DN will share the
same connection. This connection pooling strategy can enhance the proxy's
efficiency by reducing the overhead of repeatedly opening and closing
connections.

The ldap database can also act as an information service, i.e. the identity
of locally authenticated clients is asserted to the remote server, possibly
in some modified form.
For this purpose, the proxy binds to the remote server with some
administrative identity, and, if required, authorizes the asserted identity.
See the
.IR idassert- *
rules below.
The administrative identity of the proxy, on the remote server, must be
allowed to authorize by means of appropriate
.B authzTo
rules; see
.BR slapd.conf (5)
for details.

.SH CONFIGURATION
These
.B slapd.conf
options apply to the LDAP backend database.
That is, they must follow a "database ldap" line and come before any
subsequent "backend" or "database" lines.
Other database options are described in the
.BR slapd.conf (5)
manual page.
.LP
Note: In early versions of back-ldap it was recommended to always set
.LP
.RS
.nf
lastmod off
.fi
.RE
.LP
for every
.B ldap
and
.B meta
database.
This is because operational attributes related to entry creation and
modification should not be proxied, as they could be mistakenly written
to the target server(s), generating an error.
The current implementation automatically sets lastmod to off, so its use
is redundant and should be omitted, because the lastmod directive will
be deprecated in the future.

.TP
.B uri <ldapurl>
LDAP server to use. Multiple URIs can be set in a single
.B ldapurl
argument, in which case the underlying library automatically
contacts the first server in the list that responds, e.g.

\fBuri "ldap://host/ ldap://backup-host"\fP

The URI list is space- or comma-separated.
This statement is mandatory.
.\".TP
.\".B server <hostport>
.\"Obsolete option; same as `uri ldap://<hostport>/'.
.HP
.hy 0
.B acl-bind
.B bindmethod=simple|sasl [binddn=<simple DN>] [credentials=<simple password>]
.B [saslmech=<SASL mech>] [secprops=<properties>] [realm=<realm>]
.B [authcId=<authentication ID>] [authzId=<authorization ID>]
.RS
Defines the parameters of the authentication method that is
internally used by the proxy to collect information related to access control.
The identity defined by this directive, according to the properties
associated with the authentication method, is supposed to have read access
on the target server to the attributes used on the proxy for ACL checking.
The
.B secprops
field is currently ignored.
There is no risk of giving away the values read with this identity; they
are only used to check permissions.
The default is to use
.BR simple ,
with empty binddn and credentials,
which means that the related operations will be performed anonymously.

.B This identity is by no means implicitly used by the proxy
.B when the client connects anonymously.
See the
.B idassert-bind
feature instead.
This directive obsoletes
.BR acl-authcDN
and
.BR acl-passwd .
.RE

.HP
.hy 0
.B idassert-bind
.B bindmethod=none|simple|sasl [binddn=<simple DN>] [credentials=<simple password>]
.B [saslmech=<SASL mech>] [secprops=<properties>] [realm=<realm>]
.B [authcId=<authentication ID>] [authzId=<authorization ID>]
.B [authz={native|proxyauthz}] [mode=<mode>] [flags=<flags>]
.RS
Defines the parameters of the authentication method that is
internally used by the proxy to authorize connections that are
authenticated by other databases.
The identity defined by this directive, according to the properties
associated with the authentication method, is supposed to have auth access
on the target server to the attributes used on the proxy for authentication
and authorization, and to be allowed to authorize the users.
This requires
.B proxyAuthz
privileges on a wide set of DNs, e.g.
.BR authzTo=dn.subtree:"" ,
and the remote server to have
.B authz-policy
set to
.B to
or
.BR both .
Note that
.B dn.subtree:""
matches every DN, so the proxy identity may then be authorized as any
identity on the remote server; restrict the pattern to the DNs that
actually need to be asserted whenever possible.
See
.BR slapd.conf (5)
for details on these statements and for remarks and drawbacks about
their usage.
The supported bindmethods are

\fBnone|simple|sasl\fP

where
.B none
is the default, i.e. no \fIidentity assertion\fP is performed.

The authz parameter is used to instruct the SASL bind to exploit
.B native
SASL authorization, if available; since connections are cached,
this should only be used when authorizing with a fixed identity
(e.g. by means of the
.B authzDN
or
.B authzID
parameters).
Otherwise, the default
.B proxyauthz
is used, i.e. the proxyAuthz control is added to all operations.

The supported modes are:

\fB<mode> := {legacy|anonymous|none|self}\fP

If
.B <mode>
is not present, and
.B authzId
is given, the proxy always authorizes that identity.
.B <authorization ID>
can be

\fBu:<user>\fP

\fB[dn:]<DN>\fP

The former is supposed to be expanded by the remote server according
to the authz rules; see
.BR slapd.conf (5)
for details.
In the latter case, whether or not the
.B dn:
prefix is present, the string must pass DN validation and normalization.

The default mode is
.BR legacy ,
which implies that the proxy will either perform a simple bind as the
.I authcDN
or a SASL bind as the
.I authcID
and assert the client's identity when it is not anonymous.
Direct binds are always proxied.
The other modes imply that the proxy will always either perform a simple bind
as the
.IR authcDN
or a SASL bind as the
.IR authcID ,
unless restricted by
.BR idassert-authzFrom
rules (see below), in which case the operation will fail;
it will then assert some other identity according to
.BR <mode> .
Other identity assertion modes are
.BR anonymous
and
.BR self ,
which respectively mean that the
.I empty
or the
.IR client 's
identity
will be asserted;
.BR none ,
which means that no proxyAuthz control will be used, so the
.I authcDN
or the
.I authcID
identity will be asserted.
For all modes that require the use of the
.I proxyAuthz
control, on the remote server the proxy identity must have appropriate
.I authzTo
permissions, or the asserted identities must have appropriate
.I authzFrom
permissions. Note, however, that the ID assertion feature is mostly
useful when the asserted identities do not exist on the remote server.

Flags can be

\fBoverride,{prescriptive|non-prescriptive}\fP

When the
.B override
flag is used, identity assertion takes place even when the database
is authorizing for the identity of the client, i.e. after binding
with the provided identity, and thus authenticating it, the proxy
performs the identity assertion using the configured identity and
authentication method.

When the
.B prescriptive
flag is used (the default), operations fail with
\fIinappropriateAuthentication\fP
for those identities whose assertion is not allowed by the
.B idassert-authzFrom
patterns.
If the
.B non-prescriptive
flag is used, operations are performed anonymously for those identities
whose assertion is not allowed by the
.B idassert-authzFrom
patterns.

This directive obsoletes
.BR idassert-authcDN ,
.BR idassert-passwd ,
.BR idassert-mode ,
and
.BR idassert-method .
.RE

.TP
.B idassert-authzFrom <authz-regexp>
if defined, selects what
.I local
identities are authorized to exploit the identity assertion feature.
The string
.B <authz-regexp>
follows the rules defined for the
.I authzFrom
attribute.
See
.BR slapd.conf (5),
section related to
.BR authz-policy ,
for details on the syntax of this field.

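.LP
As an added example, not part of this manual page or of the OpenLDAP
sources, the following configuration puts the
.B acl-bind ,
.B idassert-bind
and
.B idassert-authzFrom
directives above together with the
.B authz-policy
and
.B authzTo
setup that the DESCRIPTION section requires on the remote server.
Every name in it (the dc=example,dc=com and dc=local naming contexts,
the host names, the cn=proxy and cn=aclreader identities and their
passwords) is hypothetical.

```conf
# Added example; not part of this manual page or of the OpenLDAP sources.
# All naming contexts, host names, identities and passwords are hypothetical.

################################################################
# Proxy: slapd.conf of the slapd that runs back-ldap
################################################################

# Local users. Sessions that bind here are "authenticated by other
# databases" from back-ldap's point of view and are the ones that
# get identity assertion below.
database        bdb
suffix          "dc=local"
directory       /var/lib/ldap/local

# Everything under dc=example,dc=com is proxied to the remote servers.
database        ldap
suffix          "dc=example,dc=com"
uri             "ldap://ldap1.example.com/ ldap://ldap2.example.com/"

# Identity used only to fetch attributes needed for ACL checks on the
# proxy. It needs read access on the remote server and is never used on
# behalf of an anonymous client (idassert-bind covers that case).
acl-bind        bindmethod=simple
                binddn="cn=aclreader,ou=system,dc=example,dc=com"
                credentials=aclreader-secret

# Identity the proxy binds as on the pooled connection. mode=self adds a
# proxyAuthz control carrying the client's own DN to every operation;
# flags=prescriptive (the default, spelled out here) makes operations
# from identities not matched by idassert-authzFrom fail with
# inappropriateAuthentication rather than silently going anonymous.
idassert-bind   bindmethod=simple
                binddn="cn=proxy,ou=system,dc=example,dc=com"
                credentials=proxy-secret
                mode=self
                flags=prescriptive

# Only local users under ou=people,dc=local may be asserted.
idassert-authzFrom "dn.regex:^uid=[^,]+,ou=people,dc=local$"

################################################################
# Remote: slapd.conf of ldap1/ldap2.example.com
################################################################

# Global section (before any database): the proxy's own entry decides
# whom it may impersonate, via its authzTo attribute.
authz-policy    to

# Added to the proxy entry with ldapmodify (LDIF):
#
#   dn: cn=proxy,ou=system,dc=example,dc=com
#   changetype: modify
#   add: authzTo
#   authzTo: dn.regex:^uid=[^,]+,ou=people,dc=local$
#
# The manual's authzTo=dn.subtree:"" would match every DN; using the same
# pattern as idassert-authzFrom bounds what a leaked proxy password buys.

# Inside the dc=example,dc=com database section. The remote ACLs are
# evaluated against the asserted DN, which does not exist on this server.
access to attrs=userPassword
        by anonymous auth
        by * none
access to dn.subtree="dc=example,dc=com"
        by dn.exact="cn=aclreader,ou=system,dc=example,dc=com" read
        by dn.regex="^uid=[^,]+,ou=people,dc=local$" read
        by * none
```

With this in place, a client that binds locally as
uid=alice,ou=people,dc=local and then searches under dc=example,dc=com
reaches the remote server over the connection bound as cn=proxy, with a
proxyAuthz control carrying dn:uid=alice,ou=people,dc=local; a local
identity outside ou=people,dc=local gets inappropriateAuthentication
because of the prescriptive flag. Both passwords sit in cleartext in
slapd.conf, so the file must be readable only by the user slapd runs as.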
.TP
.B proxy-whoami {NO|yes}
Turns on proxying of the WhoAmI extended operation. If this option is
given, back-ldap will replace slapd's original WhoAmI routine with its
own. On slapd sessions that were authenticated by back-ldap, the WhoAmI
request will be forwarded to the remote LDAP server. Other sessions will
be handled by the local slapd, as before. This option is mainly useful
in conjunction with Proxy Authorization.

.TP
.B rebind-as-user {NO|yes}
If this option is given, the client's bind credentials are remembered
for rebinds when chasing referrals. Useful when
\fBchase-referrals\fP is set to \fByes\fP, useless otherwise.
Note that the proxy then holds the client's credentials and presents
them to whatever server a referral points at.

.TP
.B chase-referrals {YES|no}
enable/disable automatic referral chasing, which is delegated to the
underlying libldap, with rebinding performed if the
\fBrebind-as-user\fP directive is used. The default is to chase referrals.

.TP
.B tls {[try-]start|[try-]propagate}
execute the Start TLS extended operation when the connection is initialized;
only works if the URI directive protocol scheme is not \fBldaps://\fP.
\fBpropagate\fP issues the Start TLS exop only if the original
connection did.
The \fBtry-\fP prefix instructs the proxy to continue operations
if Start TLS failed; its use is strongly discouraged, since a failed
Start TLS then leaves the connection to the remote server in cleartext.

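.LP
As an added example, not part of this manual page or of the OpenLDAP
sources, the fragment below shows the
.B tls
directive in its weak
.B try-start
form next to the
.B start
form, together with the referral directives described above.
The host names and naming context are hypothetical.

```conf
# Added example; not part of this manual page or of the OpenLDAP sources.
# Host names and naming context are hypothetical.

# Weak: ldap:// with try-start. If the Start TLS exop fails (for instance
# because the remote server does not offer it), the proxy keeps going and
# forwards client credentials and data to the remote server in cleartext.
#database       ldap
#suffix         "dc=example,dc=com"
#uri            "ldap://ldap1.example.com/"
#tls            try-start

# Hardened: require Start TLS on every upstream connection; a failed
# Start TLS makes the connection fail instead of downgrading.
database        ldap
suffix          "dc=example,dc=com"
uri             "ldap://ldap1.example.com/ ldap://ldap2.example.com/"
tls             start

# Equivalent alternative: use ldaps:// URIs and no tls directive at all,
# since tls only applies to non-ldaps:// schemes.
#uri            "ldaps://ldap1.example.com/ ldaps://ldap2.example.com/"

# Referrals returned by the remote server are chased by libldap inside
# the proxy (the default). Leave rebind-as-user off unless the referred
# servers really need the client's own credentials: with it on, the proxy
# replays the client's password to every server a referral points at.
chase-referrals yes
rebind-as-user  no
```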
.TP
.B t-f-support {NO|yes|discover}
enable if the remote server supports absolute filters
(see \fIdraft-zeilenga-ldap-t-f\fP for details).
If set to
.BR discover ,
support is detected by reading the remote server's root DSE.

.TP
.B timeout [{add|delete|modify|modrdn}=]<val> [...]
This directive allows per-operation timeouts to be set.
If no operation is specified, it affects all of them.
Currently, only write operations are addressed, because searches
can already be limited by means of the
.B limits
directive (see
.BR slapd.conf (5)
for details), and other operations are not supposed to need timeouts.
Note: if the timelimit is exceeded, the operation is abandoned;
the protocol does not provide any means to roll back the operation,
so the client will not know whether the operation eventually succeeded or not.

.SH BACKWARD COMPATIBILITY
The LDAP backend has been heavily reworked between releases 2.2 and 2.3;
as a side-effect, some of the traditional directives have been
deprecated and should no longer be used.

.TP
.B server <hostname[:port]>
this directive is no longer supported. Use the
.B uri
directive as described above.

.TP
.B acl-authcDN "<administrative DN for access control purposes>"
DN which is used to query the target server for acl checking; it
is supposed to have read access on the target server to attributes used
on the proxy for acl checking.
There is no risk of giving away such values; they are only used to
check permissions.
.B The acl-authcDN identity is by no means implicitly used by the proxy
.B when the client connects anonymously.
See the
.B idassert-*
feature instead.
This directive is obsoleted by
.BR acl-bind ,
and may be dismissed in the future.

.TP
.B acl-passwd <password>
Password used with the
.B acl-authcDN
above.
This directive is obsoleted by
.BR acl-bind ,
and may be dismissed in the future.

.TP
.B idassert-authcDN "<administrative DN for proxyAuthz purposes>"
DN which is used to propagate the client's identity to the target
by means of the proxyAuthz control when the client does not
belong to the DIT fragment that is being proxied by back-ldap.
This directive is obsoleted by
.BR idassert-bind ,
and may be dismissed in the future.

.TP
.B idassert-passwd <password>
Password used with the
.B idassert-authcDN
above.
This directive is obsoleted by
.BR idassert-bind ,
and may be dismissed in the future.

.TP
.B idassert-mode <mode> [<flags>]
defines what type of
.I identity assertion
is used.
This directive is obsoleted by
.BR idassert-bind ,
and may be dismissed in the future.

.TP
.B idassert-method <method> [<saslargs>]
This directive is obsoleted by
.BR idassert-bind ,
and may be dismissed in the future.

.TP
.B suffixmassage, map, rewrite*
These directives are no longer supported by back-ldap; their
functionality is now delegated to the
.B rwm
overlay. Essentially, add a statement

.B overlay rwm

first, and prefix all rewrite/map statements with
.B rwm-
to obtain the original behavior.
See
.BR slapo-rwm (5)
for details.
.\" However, to ease update from existing configurations, back-ldap still
.\" recognizes them and automatically instantiates the
.\" .B rwm
.\" overlay if available and not instantiated yet.
.\" This behavior may change in the future.

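.LP
As an added example, not part of this manual page or of the OpenLDAP
sources, the fragment below shows a 2.2-style
.B suffixmassage
and
.B map
configuration next to its 2.3 equivalent built on the
.B rwm
overlay.
The naming contexts, host name and attribute names are hypothetical.

```conf
# Added example; not part of this manual page or of the OpenLDAP sources.
# Naming contexts, host name and attribute names are hypothetical.

# 2.2-style configuration (no longer accepted by back-ldap in 2.3):
#
#database       ldap
#suffix         "dc=example,dc=com"
#uri            "ldap://ldap1.example.com/"
#suffixmassage  "dc=example,dc=com" "o=Example,c=US"
#map            attribute mail email

# 2.3 equivalent: load the rwm overlay on top of the ldap database and
# prefix the old directives with rwm-.
database        ldap
suffix          "dc=example,dc=com"
uri             "ldap://ldap1.example.com/"

overlay         rwm
# Rewrite the local naming context into the remote one on the way out
# and back again on the way in.
rwm-suffixmassage "dc=example,dc=com" "o=Example,c=US"
# Expose the remote "email" attribute under the local name "mail".
rwm-map         attribute mail email
```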
.SH ACCESS CONTROL
The
.B ldap
backend does not honor all ACL semantics as described in
.BR slapd.access (5).
In general, access checking is delegated to the remote server(s).
Only
.B read (=r)
access to the
.B entry
pseudo-attribute and to the other attribute values of the entries
returned by the
.B search
operation is honored; this check is performed by the frontend.
Access for all other operations is left to the remote server(s),
so ACLs configured on the proxy do not restrict them.

.SH OVERLAYS
The LDAP backend provides basic proxying functionalities to many overlays.
The
.B chain
overlay, described in
.BR slapo\-chain (5),
and the
.B translucent
overlay, described in
.BR slapo\-translucent (5),
deserve a special mention.

Conversely, there are many overlays that are best used in conjunction
with the LDAP backend.
The
.B proxycache
overlay allows caching of LDAP search requests (queries)
in a local database.
See
.BR slapo\-pcache (5)
for details.
The
.B rwm
overlay provides DN rewrite and attribute/objectClass mapping
capabilities to the underlying database.
See
.BR slapo\-rwm (5)
for details.

.SH FILES
.TP
ETCDIR/slapd.conf
default slapd configuration file
.SH SEE ALSO
.BR slapd.conf (5),
.BR slapd\-meta (5),
.BR slapo\-chain (5),
.BR slapo\-pcache (5),
.BR slapo\-rwm (5),
.BR slapo\-translucent (5),
.BR slapd (8),
.BR ldap (3).
.SH AUTHOR
Howard Chu, with enhancements by Pierangelo Masarati