slapd-ldap(5)
NAME
slapd-ldap - LDAP backend to slapd
SYNOPSIS
/etc/openldap/slapd.conf
DESCRIPTION
The LDAP backend to slapd(8) is not an actual database; instead it acts
as a proxy to forward incoming requests to another LDAP server. While
processing requests it will also chase referrals, so that referrals are
fully processed instead of being returned to the slapd client.
Sessions that explicitly Bind to the back-ldap database always create
their own private connection to the remote LDAP server. Anonymous ses-
sions will share a single anonymous connection to the remote server.
For sessions bound through other mechanisms, all sessions with the same
DN will share the same connection. This connection pooling strategy can
enhance the proxy's efficiency by reducing the overhead of repeatedly
making/breaking multiple connections.
CONFIGURATION
These slapd.conf options apply to the LDAP backend database. That is,
they must follow a "database ldap" line and come before any subsequent
"backend" or "database" lines. Other database options are described in
the slapd.conf(5) manual page.
Note: It is strongly recommended to set
lastmod off
for every ldap and meta database. This is because operational
attributes related to entry creation and modification should not be
used, as they could be passed to the target servers, generating an
error.
uri <ldapurl>
LDAP server to use. Multiple URIs can be set in in a single
ldapurl argument, resulting in the underlying library automati-
cally call the first server of the list that responds, e.g.
uri "ldap://host/ ldap://backup-host"
The URI list is space- or comma-separated.
server <hostport>
Obsolete option; same as `uri ldap://<hostport>/'.
binddn <administrative DN for access control purposes>
DN which is used to query the target server for acl checking; it
should have read access on the target server to attributes used
on the proxy for acl checking. There is no risk of giving away
such values; they are only used to check permissions.
bindpw <password>
Password used with the bind DN above.
proxyauthzdn <administrative DN for proxyAuthz purposes>
DN which is used to propagate the client's identity to the tar-
get by means of the proxyAuthz control when the client does not
belong to the DIT fragment that is being proxyied by back-ldap.
This is useful when operations performed by users bound to
another backend are propagated through back-ldap. This requires
the entry with proxyauthzdn identity on the remote server to
have proxyAuthz privileges on a wide set of DNs, e.g. saslAu-
thzTo=dn.regex:.*, and the remote server to have sasl-authz-pol-
icy set to to or both. See slapd.conf(5) for details on these
statements and for remarks and drawbacks about their usage.
proxyauthzpw <password>
Password used with the proxy authz DN above.
proxy-whoami
Turns on proxying of the WhoAmI extended operation. If this
option is given, back-ldap will replace slapd's original WhoAmI
routine with its own. On slapd sessions that were authenticated
by back-ldap, the WhoAmI request will be forwarded to the remote
LDAP server. Other sessions will be handled by the local slapd,
as before. This option is mainly useful in conjunction with
Proxy Authorization.
rebind-as-user
If this option is given, the client's bind credentials are
remembered for rebinds when chasing referrals.
suffixmassage <suffix> <massaged (remote) suffix>
DNs ending with <suffix> in a request are changed to end with
<remote suffix> before sending the request to the remote server,
and <remote suffix> in the results are changed back to <suffix>
before returning them to the client. The <suffix> field must be
defined as a valid suffix for the current database.
map {attribute | objectclass} [<local name> | *] {<foreign name> | *}
Map attribute names and object classes from the foreign server
to different values on the local slapd. The reason is that some
attributes might not be part of the local slapd's schema, some
attribute names might be different but serve the same purpose,
etc. If local or foreign name is `*', the name is preserved.
If local name is omitted, the foreign name is removed. Unmapped
names are preseved if both local and foreign name are `*', and
removed if local name is omitted and foreign name is `*'.
rewrite*
The rewrite options are described in the "REWRITING" section of
the slapd-meta(5) manual page.
EXAMPLES
This maps the OpenLDAP objectclass `groupOfNames' to the Active Direc-
tory objectclass `group':
map objectclass groupOfNames group
This presents a limited attribute set from the foreign server:
map attribute cn *
map attribute sn *
map attribute manager *
map attribute description *
map attribute *
These lines map cn, sn, manager, and description to themselves, and any
other attribute gets "removed" from the object before it is sent to the
client (or sent up to the LDAP server). This is obviously a simplistic
example, but you get the point.
FILES
/etc/openldap/slapd.conf
default slapd configuration file
SEE ALSO
slapd.conf(5), slapd-meta(5), slapd(8), ldap(3).
AUTHOR
Howard Chu, with enhancements by Pierangelo Masarati
OpenLDAP 2.2.30 2005/11/18 SLAPD-LDAP(5)
Man(1) output converted with
man2html