slapd-ldap(5)
SLAPD-LDAP(5) FILE FORMATS SLAPD-LDAP(5)
NAME
slapd-ldap - LDAP backend to slapd
SYNOPSIS
ETCDIR/slapd.conf
DESCRIPTION
The LDAP backend to slapd(8) is not an actual database;
instead it acts as a proxy to forward incoming requests to
another LDAP server. While processing requests it will also
chase referrals, so that referrals are fully processed
instead of being returned to the slapd client.
Sessions that explicitly Bind to the back-ldap database
always create their own private connection to the remote
LDAP server. Anonymous sessions will share a single
anonymous connection to the remote server. For sessions
bound through other mechanisms, all sessions with the same
DN will share the same connection. This connection pooling
strategy can enhance the proxy's efficiency by reducing the
overhead of repeatedly making/breaking multiple connections.
CONFIGURATION
These slapd.conf options apply to the LDAP backend database.
That is, they must follow a "database ldap" line and come
before any subsequent "backend" or "database" lines. Other
database options are described in the slapd.conf(5) manual
page.
Note: It is strongly recommended to set
lastmod off
for every ldap and meta database. This is because opera-
tional attributes related to entry creation and modification
should not be used, as they could be passed to the target
servers, generating an error.
uri <ldapurl>
LDAP server to use. Multiple URIs can be set in in a
single ldapurl argument, resulting in the underlying
library automatically call the first server of the list
that responds, e.g.
uri "ldap://host/ ldap://backup-host"
The URI list is space- or comma-separated.
server <hostport>
Obsolete option; same as `uri ldap://<hostport>/'.
OpenLDAP LDVERSION Last change: RELEASEDATE 1
SLAPD-LDAP(5) FILE FORMATS SLAPD-LDAP(5)
binddn <administrative DN for access control purposes>
DN which is used to query the target server for acl
checking; it should have read access on the target
server to attributes used on the proxy for acl check-
ing. There is no risk of giving away such values; they
are only used to check permissions.
bindpw <password>
Password used with the bind DN above.
proxyauthzdn <administrative DN for proxyAuthz purposes>
DN which is used to propagate the client's identity to
the target by means of the proxyAuthz control when the
client does not belong to the DIT fragment that is
being proxyied by back-ldap. This is useful when
operations performed by users bound to another backend
are propagated through back-ldap. This requires the
entry with proxyauthzdn identity on the remote server
to have proxyAuthz privileges on a wide set of DNs,
e.g. saslAuthzTo=dn.regex:.*, and the remote server to
have sasl-authz-policy set to to or both. See
slapd.conf(5) for details on these statements and for
remarks and drawbacks about their usage.
proxyauthzpw <password>
Password used with the proxy authz DN above.
proxy-whoami
Turns on proxying of the WhoAmI extended operation. If
this option is given, back-ldap will replace slapd's
original WhoAmI routine with its own. On slapd sessions
that were authenticated by back-ldap, the WhoAmI
request will be forwarded to the remote LDAP server.
Other sessions will be handled by the local slapd, as
before. This option is mainly useful in conjunction
with Proxy Authorization.
rebind-as-user
If this option is given, the client's bind credentials
are remembered for rebinds when chasing referrals.
suffixmassage <suffix> <massaged (remote) suffix>
DNs ending with <suffix> in a request are changed to
end with <remote suffix> before sending the request to
the remote server, and <remote suffix> in the results
are changed back to <suffix> before returning them to
the client. The <suffix> field must be defined as a
valid suffix for the current database.
| *}
map {attribute | objectclass} [<local name> | *] {<foreign name>
Map attribute names and object classes from the foreign
OpenLDAP LDVERSION Last change: RELEASEDATE 2
SLAPD-LDAP(5) FILE FORMATS SLAPD-LDAP(5)
server to different values on the local slapd. The
reason is that some attributes might not be part of the
local slapd's schema, some attribute names might be
different but serve the same purpose, etc. If local or
foreign name is `*', the name is preserved. If local
name is omitted, the foreign name is removed. Unmapped
names are preseved if both local and foreign name are
`*', and removed if local name is omitted and foreign
name is `*'.
rewrite*
The rewrite options are described in the "REWRITING"
section of the slapd-meta(5) manual page.
EXAMPLES
This maps the OpenLDAP objectclass `groupOfNames' to the
Active Directory objectclass `group':
map objectclass groupOfNames group
This presents a limited attribute set from the foreign
server:
map attribute cn *
map attribute sn *
map attribute manager *
map attribute description *
map attribute *
These lines map cn, sn, manager, and description to them-
selves, and any other attribute gets "removed" from the
object before it is sent to the client (or sent up to the
LDAP server). This is obviously a simplistic example, but
you get the point.
FILES
ETCDIR/slapd.conf
default slapd configuration file
SEE ALSO
slapd.conf(5), slapd-meta(5), slapd(8), ldap(3).
AUTHOR
Howard Chu, with enhancements by Pierangelo Masarati
OpenLDAP LDVERSION Last change: RELEASEDATE 3
Man(1) output converted with
man2html