1SLAPO-TRANSLUCENT(5)          File Formats Manual         SLAPO-TRANSLUCENT(5)
2
3
4

NAME

6       slapo-translucent - Translucent Proxy overlay to slapd
7

SYNOPSIS

9       /etc/openldap/slapd.conf
10

DESCRIPTION

12       The  Translucent Proxy overlay can be used with a backend database such
13       as slapd-mdb(5) to create a  "translucent  proxy".   Entries  retrieved
14       from  a  remote LDAP server may have some or all attributes overridden,
15       or new attributes added, by entries in the local database before  being
16       presented to the client.
17
18       A search operation is first populated with entries from the remote LDAP
19       server, the attributes of which are then overridden with any attributes
20       defined  in  the  local database. Local overrides may be populated with
21       the add, modify , and modrdn operations, the use of which is restricted
22       to the root user.
23
24       A  compare  operation will perform a comparison with attributes defined
25       in the local database record (if any) before  any  comparison  is  made
26       with data in the remote database.
27

CONFIGURATION

29       The Translucent Proxy overlay uses a proxied database, typically a (set
30       of) remote LDAP server(s), which is configured with the  options  shown
31       in  slapd-ldap(5),  slapd-meta(5) or similar.  These slapd.conf options
32       are specific to the Translucent Proxy overlay; they must  appear  after
33       the overlay directive that instantiates the translucent overlay.
34
35       translucent_strict
36              By default, attempts to delete attributes in either the local or
37              remote  databases  will  be  silently  ignored.   The   translu‐
38              cent_strict  directive causes these modifications to fail with a
39              Constraint Violation.
40
41       translucent_no_glue
42              This configuration option disables  the  automatic  creation  of
43              "glue"  records  for  an  add or modrdn operation, such that all
44              parents of an entry added to the local database must be  created
45              by hand. Glue records are always created for a modify operation.
46
47       translucent_local <attr[,attr...]>
48              Specify  a list of attributes that should be searched for in the
49              local database when used in a search filter. By default,  search
50              filters  are  only handled by the remote database. With this di‐
51              rective, search filters will be split into a  local  and  remote
52              portion, and local attributes will be searched locally.
53
54       translucent_remote <attr[,attr...]>
55              Specify  a list of attributes that should be searched for in the
56              remote database when used in a  search  filter.  This  directive
57              complements  the  translucent_local directive. Attributes may be
58              specified as both local and remote if desired.
59
60       If neither translucent_local nor translucent_remote are specified,  the
61       default  behavior  is  to  search the remote database with the complete
62       search filter. If only translucent_local is  specified,  searches  will
63       only be run on the local database. Likewise, if only translucent_remote
64       is specified, searches will only be run on the remote database. In  any
65       case,  both  the local and remote entries corresponding to a search re‐
66       sult will be merged before being returned to the client.
67
68
69       translucent_bind_local
70              Enable looking for locally stored credentials  for  simple  bind
71              when binding to the remote database fails.  Disabled by default.
72
73
74       translucent_pwmod_local
75              Enable  RFC 3062 Password Modification extended operation on lo‐
76              cally stored credentials.  The operation only applies to entries
77              that exist in the remote database.  Disabled by default.
78
79

ACCESS CONTROL

81       Access control is delegated to either the remote DSA(s) or to the local
82       database backend for auth and write operations.  It is delegated to the
83       remote  DSA(s)  and  to the frontend for read operations.  Local access
84       rules involving data returned by the remote DSA(s) should  be  designed
85       with  care.   In  fact,  entries are returned by the remote DSA(s) only
86       based on the remote fraction of the data, based on the identity the op‐
87       eration  is  performed as.  As a consequence, local rules might only be
88       allowed to see a portion of the remote data.
89
90

CAVEATS

92       The Translucent Proxy overlay will disable schema checking in the local
93       database,  so  that  an entry consisting of overlay attributes need not
94       adhere to the complete schema.
95
96       Because the translucent overlay does not perform any DN rewrites,   the
97       local  and  remote database instances must have the same suffix.  Other
98       configurations will probably fail with No Such Object and other errors.
99

FILES

101       /etc/openldap/slapd.conf
102              default slapd configuration file
103

SEE ALSO

105       slapd.conf(5), slapd-config(5), slapd-ldap(5).
106
107
108
109OpenLDAP 2.6.6                    2023/07/31              SLAPO-TRANSLUCENT(5)
Impressum