openldap/doc/man/man5/slapo-chain.5

106 lines
3.6 KiB
Groff

.TH SLAPO-CHAIN 5 "RELEASEDATE" "OpenLDAP LDVERSION"
.\" Copyright 1998-2005 The OpenLDAP Foundation, All Rights Reserved.
.\" Copying restrictions apply. See the COPYRIGHT file.
.\" $OpenLDAP$
.SH NAME
slapo-chain \- chain overlay
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
The
.B chain
overlay to
.BR slapd (8)
allows automatic referral chasing.
Any time a referral is returned (except for bind operations),
it is chased by using an instance of the ldap backend.
If operations are performed with an identity (i.e. after a bind),
that identity can be asserted while chasing the referrals
by means of the \fIidentity assertion\fP feature of back-ldap
(see
.BR slapd-ldap (5)
for details), which is essentially based on the
.B proxyAuthz
control (see \fIdraft-weltman-ldapv3-proxy\fP for details).
.LP
The config directives that are specific to the
.B chain
overlay can be prefixed by
.BR chain\- ,
to avoid potential conflicts with directives specific to the underlying
database or to other stacked overlays.
.LP
There are very few chain overlay specific directives; however, directives
related to the instances of the \fIldap\fP backend that may be implicitly
instantiated by the overlay may assume a special meaning when used
in conjunction with this overlay. They are described in
.BR slapd-ldap (5).
.TP
.B overlay chain
This directive adds the chain overlay to the current backend.
The chain overlay may be used with any backend, but it is mainly
intended for use with local storage backends that may return referrals.
It is useless in conjunction with the \fIslapd-ldap\fP and \fIslapd-meta\fP
backends because they already exploit the libldap specific referral chase
feature.
[Note: this may change in the future, as the \fBldap\fP(5) and
\fBmeta\fP(5) backends might no longer chase referrals on their own.]
.\".TP
.\".B chain-chaining [resolve=<r>] [continuation=<c>] [critical]
.\"This directive enables the \fIchaining\fP control
.\"(see \fIdraft-sermersheim-ldap-chaining\fP for details)
.\"with the desired resolve and continuation behaviors and criticality.
.\"The values \fBr\fP and \fBc\fP can be any of
.\".BR chainingPreferred ,
.\".BR chainingRequired ,
.\".BR referralsPreferred ,
.\".BR referralsRequired .
.\"[This control is experimental and its support may change in the future.]
.TP
.B chain-cache-uris {FALSE|true}
This directive instructs the \fIchain\fP overlay to cache
connections to URIs parsed out of referrals that are not predefined,
to be reused for later chaining.
.TP
.B chain-uri <ldapuri>
This directive instantiates a new underlying \fIldap\fP database
and instructs it about which URI to contact to chase referrals.
As opposed to what stated in \fBslapd-ldap\fP(5), only one URI
can appear after this directive.
.LP
Directives for configuring the underlying ldap database may also
be required, as shown here:
.LP
.RS
.nf
chain-idassert-bind bindmethod="simple"
binddn="cn=Auth,dc=example,dc=com"
credentials="secret"
mode="self"
.fi
.RE
.LP
Any valid directives for the ldap database may be used; see
.BR slapd-ldap (5)
for details.
Multiple occurrences of the \fBchain-uri\fP directive may appear,
to define multiple "trusted" URIs where operations with
\fIidentity assertion\fP are chained.
All URIs not listed in the configuration are chained anonymously.
All \fBslapd-ldap\fP(5) directives appearing before the first
occurrence of \fBchain-uri\fP are shared among all operations,
unless specifically overridden inside each URI configuration.
.SH FILES
.TP
ETCDIR/slapd.conf
default slapd configuration file
.SH SEE ALSO
.BR slapd.conf (5),
.BR slapd\-ldap (5),
.BR slapd (8).
.SH AUTHOR
Originally implemented by Howard Chu; extended by Pierangelo Masarati.