manpagez: man pages & more
man slapo-translucent(5)
Home | html | info | man
slapo-translucent(5)                                      slapo-translucent(5)




NAME

       slapo-translucent - Translucent Proxy overlay to slapd


SYNOPSIS

       /opt/local/etc/openldap/slapd.conf


DESCRIPTION

       The  Translucent Proxy overlay can be used with a backend database such
       as slapd-bdb(5) to create a  "translucent  proxy".   Entries  retrieved
       from  a  remote LDAP server may have some or all attributes overridden,
       or new attributes added, by entries in the local database before  being
       presented to the client.

       A search operation is first populated with entries from the remote LDAP
       server, the attributes of which are then overridden with any attributes
       defined  in  the  local database. Local overrides may be populated with
       the add, modify , and modrdn operations, the use of which is restricted
       to the root user.

       A  compare  operation will perform a comparison with attributes defined
       in the local database record (if any) before  any  comparison  is  made
       with data in the remote database.


CONFIGURATION

       The Translucent Proxy overlay uses a proxied database, typically a (set
       of) remote LDAP server(s), which is configured with the  options  shown
       in  slapd-ldap(5),  slapd-meta(5) or similar.  These slapd.conf options
       are specific to the Translucent Proxy overlay; they must  appear  after
       the overlay directive that instantiates the translucent overlay.

       translucent_strict
              By default, attempts to delete attributes in either the local or
              remote  databases  will  be  silently  ignored.   The   translu-
              cent_strict  directive causes these modifications to fail with a
              Constraint Violation.

       translucent_no_glue
              This configuration option disables  the  automatic  creation  of
              "glue"  records  for  an  add or modrdn operation, such that all
              parents of an entry added to the local database must be  created
              by hand. Glue records are always created for a modify operation.

       translucent_local <attr[,attr...]>
              Specify a list of attributes that should be searched for in  the
              local  database when used in a search filter. By default, search
              filters are only handled  by  the  remote  database.  With  this
              directive,  search filters will be split into a local and remote
              portion, and local attributes will be searched locally.

       translucent_remote <attr[,attr...]>
              Specify a list of attributes that should be searched for in  the
              remote  database  when  used  in a search filter. This directive
              complements the translucent_local directive. Attributes  may  be
              specified as both local and remote if desired.

       If  neither translucent_local nor translucent_remote are specified, the
       default behavior is to search the remote  database  with  the  complete
       search  filter.  If  only translucent_local is specified, searches will
       only be run on the local database. Likewise, if only translucent_remote
       is  specified, searches will only be run on the remote database. In any
       case, both the local and  remote  entries  corresponding  to  a  search
       result will be merged before being returned to the client.


       translucent_bind_local
              Enable  looking  for  locally stored credentials for simple bind
              when binding to the remote database fails.  Disabled by default.


       translucent_pwmod_local
              Enable  RFC  3062  Password  Modification  extended operation on
              locally stored  credentials.   The  operation  only  applies  to
              entries that exist in the remote database.  Disabled by default.



ACCESS CONTROL

       Access control is delegated to either the remote DSA(s) or to the local
       database backend for auth and write operations.  It is delegated to the
       remote DSA(s) and to the frontend for read  operations.   Local  access
       rules  involving  data returned by the remote DSA(s) should be designed
       with care.  In fact, entries are returned by  the  remote  DSA(s)  only
       based  on  the  remote  fraction of the data, based on the identity the
       operation is performed as.  As a consequence, local rules might only be
       allowed to see a portion of the remote data.



CAVEATS

       The Translucent Proxy overlay will disable schema checking in the local
       database, so that an entry consisting of overlay  attributes  need  not
       adhere to the complete schema.

       Because  the translucent overlay does not perform any DN rewrites,  the
       local and remote database instances must have the same  suffix.   Other
       configurations will probably fail with No Such Object and other errors.


FILES

       /opt/local/etc/openldap/slapd.conf
              default slapd configuration file


SEE ALSO

       slapd.conf(5), slapd-config(5), slapd-ldap(5).



OpenLDAP 2.4.40                   2014/09/20              slapo-translucent(5)

openldap 2.4.40 - Generated Tue Oct 11 16:10:07 CDT 2016
© manpagez.com 2000-2024
Individual documents may contain additional copyright information.