Provided by: ultrapossum-slapd_0.0.4+2.2.20sb3-1_i386 bug


       slapd-ldap - LDAP backend to slapd




       The LDAP backend to slapd(8) is not an actual database; instead it acts
       as a proxy to forward incoming requests to another LDAP  server.  While
       processing requests it will also chase referrals, so that referrals are
       fully processed instead of being returned to the slapd client.

       Sessions that explicitly Bind to the back-ldap database  always  create
       their  own  private  connection  to  the  remote LDAP server. Anonymous
       sessions will share a single anonymous connection to the remote server.
       For sessions bound through other mechanisms, all sessions with the same
       DN will share the same connection. This connection pooling strategy can
       enhance  the  proxy’s efficiency by reducing the overhead of repeatedly
       making/breaking multiple connections.


       These slapd.conf options apply to the LDAP backend database.  That  is,
       they  must follow a "database ldap" line and come before any subsequent
       "backend" or "database" lines.  Other database options are described in
       the slapd.conf(5) manual page.

       Note: It is strongly recommended to set

              lastmod  off

       for  every  ldap  and  meta  database.   This  is  because  operational
       attributes related to entry creation and  modification  should  not  be
       used,  as  they  could  be  passed to the target servers, generating an

       uri <ldapurl>
              LDAP server to use.  Multiple URIs can be set  in  in  a  single
              ldapurl   argument,   resulting   in   the   underlying  library
              automatically call the first server of the list  that  responds,

              uri "ldap://host/ ldap://backup-host"

              The URI list is space- or comma-separated.

       server <hostport>
              Obsolete option; same as ‘uri ldap://<hostport>/’.

       binddn <administrative DN for access control purposes>
              DN which is used to query the target server for acl checking; it
              should have read access on the target server to attributes  used
              on  the proxy for acl checking.  There is no risk of giving away
              such values; they are only used to check permissions.

       bindpw <password>
              Password used with the bind DN above.

       proxyauthzdn <administrative DN for proxyAuthz purposes>
              DN which is used to  propagate  the  client’s  identity  to  the
              target  by  means of the proxyAuthz control when the client does
              not belong to the DIT fragment that is being proxyied  by  back-
              ldap.   This  is useful when operations performed by users bound
              to another  backend  are  propagated  through  back-ldap.   This
              requires  the  entry  with  proxyauthzdn  identity on the remote
              server to have proxyAuthz privileges on a wide set of DNs,  e.g.
              saslAuthzTo=dn.regex:.*,  and  the  remote  server to have sasl-
              authz-policy set to to or both.  See slapd.conf(5)  for  details
              on  these  statements  and for remarks and drawbacks about their

       proxyauthzpw <password>
              Password used with the proxy authz DN above.

              Turns on proxying of the  WhoAmI  extended  operation.  If  this
              option  is given, back-ldap will replace slapd’s original WhoAmI
              routine with its own. On slapd sessions that were  authenticated
              by back-ldap, the WhoAmI request will be forwarded to the remote
              LDAP server. Other sessions will be handled by the local  slapd,
              as  before.  This  option  is  mainly useful in conjunction with
              Proxy Authorization.

              If this option is  given,  the  client’s  bind  credentials  are
              remembered for rebinds when chasing referrals.

       suffixmassage <suffix> <massaged (remote) suffix>
              DNs  ending  with  <suffix> in a request are changed to end with
              <remote suffix> before sending the request to the remote server,
              and  <remote suffix> in the results are changed back to <suffix>
              before returning them to the client.  The <suffix> field must be
              defined as a valid suffix for the current database.

       map {attribute | objectclass} [<local name> | *] {<foreign name> | *}
              Map  attribute  names and object classes from the foreign server
              to different values on the local slapd.  The reason is that some
              attributes  might  not be part of the local slapd’s schema, some
              attribute names might be different but serve the  same  purpose,
              etc.   If  local  or foreign name is ‘*’, the name is preserved.
              If local name is omitted, the foreign name is removed.  Unmapped
              names  are  preseved if both local and foreign name are ‘*’, and
              removed if local name is omitted and foreign name is ‘*’.

              The rewrite options are described in the "REWRITING" section  of
              the slapd-meta(5) manual page.


       This  maps  the  OpenLDAP  objectclass  ‘groupOfNames’  to  the  Active
       Directory objectclass ‘group’:

              map objectclass groupOfNames group

       This presents a limited attribute set from the foreign server:

              map attribute cn *
              map attribute sn *
              map attribute manager *
              map attribute description *
              map attribute *

       These lines map cn, sn, manager, and description to themselves, and any
       other attribute gets "removed" from the object before it is sent to the
       client (or sent up to the LDAP server).  This is obviously a simplistic
       example, but you get the point.


              default slapd configuration file


       slapd.conf(5), slapd-meta(5), slapd(8), ldap(3).


       Howard Chu, with enhancements by Pierangelo Masarati