DOC HOME SITE MAP MAN PAGES GNU INFO SEARCH PRINT BOOK
 

slapd-ldap(5)




SLAPD-LDAP(5)             FILE FORMATS              SLAPD-LDAP(5)


NAME

     slapd-ldap - LDAP backend to slapd


SYNOPSIS

     ETCDIR/slapd.conf


DESCRIPTION

     The LDAP backend to slapd(8)  is  not  an  actual  database;
     instead  it  acts as a proxy to forward incoming requests to
     another LDAP server. While processing requests it will  also
     chase  referrals,  so  that  referrals  are  fully processed
     instead of being returned to the slapd client.

     Sessions that explicitly  Bind  to  the  back-ldap  database
     always  create  their  own  private connection to the remote
     LDAP  server.  Anonymous  sessions  will  share   a   single
     anonymous  connection  to  the  remote  server. For sessions
     bound through other mechanisms, all sessions with  the  same
     DN  will  share the same connection. This connection pooling
     strategy can enhance the proxy's efficiency by reducing  the
     overhead of repeatedly making/breaking multiple connections.


CONFIGURATION

     These slapd.conf options apply to the LDAP backend database.
     That  is,  they  must follow a "database ldap" line and come
     before any subsequent "backend" or "database" lines.   Other
     database  options  are described in the slapd.conf(5) manual
     page.

     Note: It is strongly recommended to set

          lastmod  off

     for every ldap and meta database.  This  is  because  opera-
     tional attributes related to entry creation and modification
     should not be used, as they could be passed  to  the  target
     servers, generating an error.

     uri <ldapurl>
          LDAP server to use.  Multiple URIs can be set in  in  a
          single  ldapurl  argument,  resulting in the underlying
          library automatically call the first server of the list
          that responds, e.g.

          uri "ldap://host/ ldap://backup-host"

          The URI list is space- or comma-separated.

     server <hostport>
          Obsolete option; same as `uri ldap://<hostport>/'.

OpenLDAP LDVERSION  Last change: RELEASEDATE                    1

SLAPD-LDAP(5)             FILE FORMATS              SLAPD-LDAP(5)

     binddn <administrative DN for access control purposes>
          DN which is used to query the  target  server  for  acl
          checking;  it  should  have  read  access on the target
          server to attributes used on the proxy for  acl  check-
          ing.  There is no risk of giving away such values; they
          are only used to check permissions.

     bindpw <password>
          Password used with the bind DN above.

     proxyauthzdn <administrative DN for proxyAuthz purposes>
          DN which is used to propagate the client's identity  to
          the  target by means of the proxyAuthz control when the
          client does not belong to  the  DIT  fragment  that  is
          being  proxyied  by  back-ldap.   This  is  useful when
          operations performed by users bound to another  backend
          are  propagated  through  back-ldap.  This requires the
          entry with proxyauthzdn identity on the  remote  server
          to  have  proxyAuthz  privileges  on a wide set of DNs,
          e.g.  saslAuthzTo=dn.regex:.*, and the remote server to
          have   sasl-authz-policy   set  to  to  or  both.   See
          slapd.conf(5) for details on these statements  and  for
          remarks and drawbacks about their usage.

     proxyauthzpw <password>
          Password used with the proxy authz DN above.

     proxy-whoami
          Turns on proxying of the WhoAmI extended operation.  If
          this  option  is  given, back-ldap will replace slapd's
          original WhoAmI routine with its own. On slapd sessions
          that   were  authenticated  by  back-ldap,  the  WhoAmI
          request will be forwarded to the  remote  LDAP  server.
          Other  sessions  will be handled by the local slapd, as
          before. This option is  mainly  useful  in  conjunction
          with Proxy Authorization.

     rebind-as-user
          If this option is given, the client's bind  credentials
          are remembered for rebinds when chasing referrals.

     suffixmassage <suffix> <massaged (remote) suffix>
          DNs ending with <suffix> in a request  are  changed  to
          end  with <remote suffix> before sending the request to
          the remote server, and <remote suffix> in  the  results
          are  changed  back to <suffix> before returning them to
          the client.  The <suffix> field must be  defined  as  a
          valid suffix for the current database.


| *}

     map {attribute | objectclass} [<local name> | *] {<foreign  name>
          Map attribute names and object classes from the foreign

OpenLDAP LDVERSION  Last change: RELEASEDATE                    2

SLAPD-LDAP(5)             FILE FORMATS              SLAPD-LDAP(5)

          server to different values on  the  local  slapd.   The
          reason is that some attributes might not be part of the
          local slapd's schema, some  attribute  names  might  be
          different but serve the same purpose, etc.  If local or
          foreign name is `*', the name is preserved.   If  local
          name is omitted, the foreign name is removed.  Unmapped
          names are preseved if both local and foreign  name  are
          `*',  and  removed if local name is omitted and foreign
          name is `*'.

     rewrite*
          The rewrite options are described  in  the  "REWRITING"
          section of the slapd-meta(5) manual page.


EXAMPLES

     This maps the OpenLDAP  objectclass  `groupOfNames'  to  the
     Active Directory objectclass `group':

          map objectclass groupOfNames group

     This presents a  limited  attribute  set  from  the  foreign
     server:

          map attribute cn *
          map attribute sn *
          map attribute manager *
          map attribute description *
          map attribute *

     These lines map cn, sn, manager, and  description  to  them-
     selves,  and  any  other  attribute  gets "removed" from the
     object before it is sent to the client (or sent  up  to  the
     LDAP  server).   This is obviously a simplistic example, but
     you get the point.


FILES

     ETCDIR/slapd.conf
          default slapd configuration file


SEE ALSO

     slapd.conf(5), slapd-meta(5), slapd(8), ldap(3).


AUTHOR

     Howard Chu, with enhancements by Pierangelo Masarati

OpenLDAP LDVERSION  Last change: RELEASEDATE                    3


Man(1) output converted with man2html