1SLAPD-LDAP(5)                 File Formats Manual                SLAPD-LDAP(5)
2
3
4

NAME

6       slapd-ldap - LDAP backend to slapd
7

SYNOPSIS

9       /etc/openldap/slapd.conf
10

DESCRIPTION

12       The LDAP backend to slapd(8) is not an actual database; instead it acts
13       as a proxy to forward incoming requests to another LDAP  server.  While
14       processing requests it will also chase referrals, so that referrals are
15       fully processed instead of being returned to the slapd client.
16
17       Sessions that explicitly Bind to the back-ldap database  always  create
18       their  own private connection to the remote LDAP server. Anonymous ses‐
19       sions will share a single anonymous connection to  the  remote  server.
20       For sessions bound through other mechanisms, all sessions with the same
21       DN will share the same connection. This connection pooling strategy can
22       enhance  the  proxy's efficiency by reducing the overhead of repeatedly
23       making/breaking multiple connections.
24
25       The ldap database can also act as  an  information  service,  i.e.  the
26       identity  of  locally  authenticated  clients is asserted to the remote
27       server, possibly in some modified form.  For this  purpose,  the  proxy
28       binds  to  the remote server with some administrative identity, and, if
29       required, authorizes the asserted identity.  See the  idassert-*  rules
30       below.  The administrative identity of the proxy, on the remote server,
31       must be allowed to authorize by means of appropriate authzTo rules; see
32       slapd.conf(5) for details.
33
34       The  proxy instance of slapd(8) must contain schema information for the
35       attributes and objectClasses used in filters, request DNs and  request-
36       related data in general.  It should also contain schema information for
37       the data returned by the proxied server.  It is the  responsibility  of
38       the  proxy  administrator to keep the schema of the proxy lined up with
39       that of the proxied server.
40
41
42       Note: When looping back to the same instance of slapd(8), each  connec‐
43       tion requires a new thread; as a consequence, slapd(8) must be compiled
44       with thread support, and the threads parameter may need some tuning; in
45       those  cases, one may consider using slapd-relay(5) instead, which per‐
46       forms the relayed operation internally and thus reuses the same connec‐
47       tion.
48
49

CONFIGURATION

51       These  slapd.conf options apply to the LDAP backend database.  That is,
52       they must follow a "database ldap" line and come before any  subsequent
53       "backend" or "database" lines.  Other database options are described in
54       the slapd.conf(5) manual page.
55
56
57       Note: In early versions of back-ldap it was recommended to always set
58
59              lastmod  off
60
61       for ldap and meta databases.  This  was  required  because  operational
62       attributes  related  to  entry  creation and modification should not be
63       proxied, as they could be mistakenly written to the  target  server(s),
64       generating  an  error.   The  current implementation automatically sets
65       lastmod to off, so its use is redundant and should be omitted.
66
67
68       uri <ldapurl>
69              LDAP server to use.  Multiple URIs can be set in a  single  lda‐
70              purl argument, resulting in the underlying library automatically
71              calling the first server of the list that responds, e.g.
72
73              uri "ldap://host/ ldap://backup-host/"
74
75              The URI list is space- or comma-separated.  Whenever the  server
76              that  responds  is  not  the  first one in the list, the list is
77              rearranged and the responsive server is moved to  the  head,  so
78              that it will be first contacted the next time a connection needs
79              to be created.
80
81       acl-bind       bindmethod=simple|sasl       [binddn=<simple        DN>]
82              [credentials=<simple     password>]    [saslmech=<SASL    mech>]
83              [secprops=<properties>] [realm=<realm>] [authcId=<authentication
84              ID>]   [authzId=<authorization  ID>]  [starttls=no|yes|critical]
85              [tls_cert=<file>]      [tls_key=<file>]      [tls_cacert=<file>]
86              [tls_cacertdir=<path>]      [tls_reqcert=never|allow|try|demand]
87              [tls_cipher_suite=<ciphers>]
88              [tls_protocol_min=<major>[.<minor>]]
89              [tls_crlcheck=none|peer|all]
90              Allows one to define the parameters of the authentication method
91              that  is internally used by the proxy to collect info related to
92              access control,  and  whenever  an  operation  occurs  with  the
93              identity of the rootdn of the LDAP proxy database.  The identity
94              defined  by  this  directive,  according   to   the   properties
95              associated  to  the  authentication  method, is supposed to have
96              read access on the target server to attributes used on the proxy
97              for ACL checking.
98
99              There  is no risk of giving away such values; they are only used
100              to check permissions.  The default is to use simple  bind,  with
101              empty  binddn  and  credentials,  which  means  that the related
102              operations will be performed anonymously.  If not  set,  and  if
103              idassert-bind  is defined, this latter identity is used instead.
104              See idassert-bind for details.
105
106              The connection between the proxy database and the remote  server
107              associated to this identity is cached regardless of the lifespan
108              of the client-proxy connection that first established it.
109
110              This identity is not implicitly  used  by  the  proxy  when  the
111              client   connects   anonymously.    The  idassert-bind  feature,
112              instead,  in  some  cases  can  be  crafted  to  implement  that
113              behavior,  which is intrinsically unsafe and should be used with
114              extreme  care.   This  directive  obsoletes   acl-authcDN,   and
115              acl-passwd.
116
117              The  TLS  settings  default  to  the  same as the main slapd TLS
118              settings, except for tls_reqcert which defaults to "demand".
119
120
121       cancel {ABANDON|ignore|exop[-discover]}
122              Defines how  to  handle  operation  cancellation.   By  default,
123              abandon  is  invoked, so the operation is abandoned immediately.
124              If set to ignore, no action is taken and any further response is
125              ignored;  this  may  result  in  further response messages to be
126              queued for that connection,  so  it  is  recommended  that  long
127              lasting  connections  are  timed  out  either by idle-timeout or
128              conn-ttl, so that resources eventually get released.  If set  to
129              exop,  a cancel operation (RFC 3909) is issued, resulting in the
130              cancellation of the  current  operation;  the  cancel  operation
131              waits  for  remote  server  response,  so  its  use  may  not be
132              recommended.  If set to exop-discover,  support  of  the  cancel
133              extended  operation  is  detected by reading the remote server's
134              root DSE.
135
136
137       chase-referrals {YES|no}
138              enable/disable automatic referral chasing, which is delegated to
139              the  underlying  libldap, with rebinding eventually performed if
140              the rebind-as-user directive is used.  The default is  to  chase
141              referrals.
142
143
144       conn-ttl <time>
145              This  directive  causes  a  cached  connection to be dropped and
146              recreated after a given ttl, regardless of being idle or not.
147
148
149       idassert-authzFrom <authz-regexp>
150              if defined, selects what  local  identities  are  authorized  to
151              exploit  the  identity  assertion  feature.   The string <authz-
152              regexp> mostly follows  the  rules  defined  for  the  authzFrom
153              attribute.   See slapd.conf(5), section related to authz-policy,
154              for details on the syntax of this field.  This parameter differs
155              from  the  documented  behavior in relation to the meaning of *,
156              which in this case allows anonymous rather than denies.
157
158
159       idassert-bind    bindmethod=none|simple|sasl    [binddn=<simple    DN>]
160              [credentials=<simple     password>]    [saslmech=<SASL    mech>]
161              [secprops=<properties>] [realm=<realm>] [authcId=<authentication
162              ID>]  [authzId=<authorization  ID>]  [authz={native|proxyauthz}]
163              [mode=<mode>]     [flags=<flags>]     [starttls=no|yes|critical]
164              [tls_cert=<file>]      [tls_key=<file>]      [tls_cacert=<file>]
165              [tls_cacertdir=<path>]      [tls_reqcert=never|allow|try|demand]
166              [tls_cipher_suite=<ciphers>]        [tls_protocol_min=<version>]
167              [tls_crlcheck=none|peer|all]
168              Allows one to define the parameters of the authentication method
169              that  is  internally  used by the proxy to authorize connections
170              that are authenticated by other  databases.   Direct  binds  are
171              always proxied without any idassert handling.
172
173              The  identity  defined  by  this  directive,  according  to  the
174              properties associated to the authentication method, is  supposed
175              to  have  auth access on the target server to attributes used on
176              the proxy  for  authentication  and  authorization,  and  to  be
177              allowed   to   authorize  the  users.   This  requires  to  have
178              proxyAuthz   privileges   on   a   wide   set   of   DNs,   e.g.
179              authzTo=dn.subtree:"",   and   the   remote   server   to   have
180              authz-policy set to to or both.  See slapd.conf(5)  for  details
181              on  these  statements  and for remarks and drawbacks about their
182              usage.  The supported bindmethods are
183
184              none|simple|sasl
185
186              where none  is  the  default,  i.e.  no  identity  assertion  is
187              performed.
188
189              The authz parameter is used to instruct the SASL bind to exploit
190              native SASL authorization, if available; since  connections  are
191              cached,  this  should only be used when authorizing with a fixed
192              identity (e.g. by means of the authzDN or  authzID  parameters).
193              Otherwise,  the  default proxyauthz is used, i.e. the proxyAuthz
194              control (Proxied  Authorization,  RFC  4370)  is  added  to  all
195              operations.
196
197              The supported modes are:
198
199              <mode> := {legacy|anonymous|none|self}
200
201              If <mode> is not present, and authzId is given, the proxy always
202              authorizes that identity.  <authorization ID> can be
203
204              u:<user>
205
206              [dn:]<DN>
207
208              The former is supposed to  be  expanded  by  the  remote  server
209              according to the authz rules; see slapd.conf(5) for details.  In
210              the latter case, whether or not the dn: prefix is  present,  the
211              string must pass DN validation and normalization.
212
213              The  default  mode  is legacy, which implies that the proxy will
214              either perform a simple bind as the authcDN or a  SASL  bind  as
215              the  authcID  and  assert  the  client's identity when it is not
216              anonymous.  The other modes imply that  the  proxy  will  always
217              either  perform  a  simple bind as the authcDN or a SASL bind as
218              the authcID, unless restricted by idassert-authzFrom rules  (see
219              below),  in  which  case the operation will fail; eventually, it
220              will assert some other  identity  according  to  <mode>.   Other
221              identity   assertion   modes   are  anonymous  and  self,  which
222              respectively mean that the empty or the client's  identity  will
223              be  asserted;  none, which means that no proxyAuthz control will
224              be used,  so  the  authcDN  or  the  authcID  identity  will  be
225              asserted.   For all modes that require the use of the proxyAuthz
226              control, on the remote  server  the  proxy  identity  must  have
227              appropriate authzTo permissions, or the asserted identities must
228              have appropriate authzFrom permissions.  Note, however, that the
229              ID   assertion  feature  is  mostly  useful  when  the  asserted
230              identities do not exist on the remote server.
231
232              Flags can be
233
234              override,[non-]prescriptive,proxy-authz-[non-]critical
235
236              When the override flag is used, identity assertion  takes  place
237              even  when  the  database is authorizing for the identity of the
238              client, i.e. after binding with the provided identity, and  thus
239              authenticating  it,  the  proxy  performs the identity assertion
240              using the configured identity and authentication method.
241
242              When the prescriptive flag is  used  (the  default),  operations
243              fail with inappropriateAuthentication for those identities whose
244              assertion is not allowed by the idassert-authzFrom patterns.  If
245              the  non-prescriptive  flag  is  used,  operations are performed
246              anonymously for those identities whose assertion is not  allowed
247              by the idassert-authzFrom patterns.
248
249              When  the  proxy-authz-non-critical  flag is used (the default),
250              the proxyAuthz control is not marked as critical,  in  violation
251              of RFC 4370.  Use of proxy-authz-critical is recommended.
252
253              The  TLS  settings  default  to  the  same as the main slapd TLS
254              settings, except for tls_reqcert which defaults to "demand".
255
256              The identity associated to  this  directive  is  also  used  for
257              privileged  operations  whenever  idassert-bind  is  defined and
258              acl-bind is not.  See acl-bind for details.
259
260              This  directive  obsoletes  idassert-authcDN,   idassert-passwd,
261              idassert-mode, and idassert-method.
262
263
264       idassert-passthru <authz-regexp>
265              if  defined,  selects  what local identities bypass the identity
266              assertion feature.  Those identities need to  be  known  by  the
267              remote  host.   The  string  <authz-regexp>  follows  the  rules
268              defined for the authzFrom attribute.  See slapd.conf(5), section
269              related  to  authz-policy,  for  details  on  the syntax of this
270              field.
271
272
273
274       idle-timeout <time>
275              This directive causes a  cached  connection  to  be  dropped  an
276              recreated after it has been idle for the specified time.
277
278
279       keepalive <idle>:<probes>:<interval>
280              The  keepalive  parameter  sets  the values of idle, probes, and
281              interval used to check whether a socket is alive;  idle  is  the
282              number  of  seconds a connection needs to remain idle before TCP
283              starts sending keepalive probes; probes is the maximum number of
284              keepalive probes TCP should send before dropping the connection;
285              interval is interval in  seconds  between  individual  keepalive
286              probes.   Only  some  systems support the customization of these
287              values;  the  keepalive  parameter  is  ignored  otherwise,  and
288              system-wide settings are used.
289
290
291       network-timeout <time>
292              Sets  the  network  timeout  value after which poll(2)/select(2)
293              following a connect(2) returns in  case  of  no  activity.   The
294              value   is   in   seconds,  and  it  can  be  specified  as  for
295              idle-timeout.
296
297
298       norefs <NO|yes>
299              If yes, do not return search reference responses.   By  default,
300              they are returned unless request is LDAPv2.
301
302
303       omit-unknown-schema <NO|yes>
304              If  yes,  do not return objectClasses or attributes that are not
305              known to the local server.  The default is to return all  schema
306              elements.
307
308
309       noundeffilter <NO|yes>
310              If  yes,  return  success  instead  of  searching if a filter is
311              undefined or  contains  undefined  portions.   By  default,  the
312              search  is  propagated  after  replacing undefined portions with
313              (!(objectClass=*)), which corresponds to the empty result set.
314
315
316       onerr {CONTINUE|stop}
317              This directive allows one to select  the  behavior  in  case  an
318              error  is  returned  by  the remote server during a search.  The
319              default, continue, consists in returning success.  If the  value
320              is set to stop, the error is returned to the client.
321
322
323       protocol-version {0,2,3}
324              This  directive  indicates what protocol version must be used to
325              contact the remote server.  If set to 0 (the default), the proxy
326              uses the same protocol version used by the client, otherwise the
327              requested    protocol    is    used.     The    proxy    returns
328              unwillingToPerform if an operation that is incompatible with the
329              requested protocol is attempted.
330
331
332       proxy-whoami {NO|yes}
333              Turns on proxying of the  WhoAmI  extended  operation.  If  this
334              option  is given, back-ldap will replace slapd's original WhoAmI
335              routine with its own. On slapd sessions that were  authenticated
336              by back-ldap, the WhoAmI request will be forwarded to the remote
337              LDAP server. Other sessions will be handled by the local  slapd,
338              as  before.  This  option  is  mainly useful in conjunction with
339              Proxy Authorization.
340
341
342       quarantine <interval>,<num>[;<interval>,<num>[...]]
343              Turns on quarantine of URIs that returned  LDAP_UNAVAILABLE,  so
344              that  an  attempt  to  reconnect  only occurs at given intervals
345              instead of any time a client requests an operation.  The pattern
346              is:  retry  only  after  at least interval seconds elapsed since
347              last attempt, for exactly num times; then use the next  pattern.
348              If  num  for  the  last  pattern  is  "+",  it  retries forever;
349              otherwise, no more retries occur.  The process can be  restarted
350              by resetting the olcDbQuarantine attribute of the database entry
351              in the configuration backend.
352
353
354       rebind-as-user {NO|yes}
355              If this option is  given,  the  client's  bind  credentials  are
356              remembered  for  rebinds,  when  trying to re-establish a broken
357              connection, or when chasing a referral,  if  chase-referrals  is
358              set to yes.
359
360
361       session-tracking-request {NO|yes}
362              Adds session tracking control for all requests.  The client's IP
363              and hostname, and the identity associated to  each  request,  if
364              known, are sent to the remote server for informational purposes.
365              This directive is incompatible with setting protocol-version  to
366              2.
367
368
369       single-conn {NO|yes}
370              Discards current cached connection when the client rebinds.
371
372
373       t-f-support {NO|yes|discover}
374              enable  if  the remote server supports absolute filters (see RFC
375              4526 for details).  If set to discover, support is  detected  by
376              reading the remote server's root DSE.
377
378
379       timeout [<op>=]<val> [...]
380              This   directive  allows  one  to  set  per-operation  timeouts.
381              Operations can be
382
383              <op> ::= bind, add, delete, modrdn, modify, compare, search
384
385              The overall duration  of  the  search  operation  is  controlled
386              either  by  the  timelimit  parameter or by server-side enforced
387              time limits (see  timelimit  and  limits  in  slapd.conf(5)  for
388              details).   This  timeout parameter controls how long the target
389              can be irresponsive before the operation is aborted.  Timeout is
390              meaningless  for  the  remaining operations, unbind and abandon,
391              which do not imply any response, while it is not yet implemented
392              in  currently supported extended operations.  If no operation is
393              specified, the timeout val affects all supported operations.
394
395              Note: if the timelimit is exceeded, the operation  is  cancelled
396              (according  to  the  cancel  directive);  the  protocol does not
397              provide any means to rollback operations, so the client will not
398              be  notified  about  the  result  of  the  operation,  which may
399              eventually succeeded or not.  In case the  timeout  is  exceeded
400              during  a bind operation, the connection is destroyed, according
401              to RFC4511.
402
403              Note: in some cases, this backend may issue binds prior to other
404              operations  (e.g.  to  bind  anonymously or with some prescribed
405              identity according to the  idassert-bind  directive).   In  this
406              case,  the timeout of the operation that resulted in the bind is
407              used.
408
409
410       tls       {none|[try-]start|[try-]propagate|ldaps}        [starttls=no]
411              [tls_cert=<file>]      [tls_key=<file>]      [tls_cacert=<file>]
412              [tls_cacertdir=<path>]      [tls_reqcert=never|allow|try|demand]
413              [tls_cipher_suite=<ciphers>] [tls_crlcheck=none|peer|all]
414              Specify TLS settings for regular connections.
415
416              The  first  parameter only applies to ldap:// connections and so
417              at the moment, none and ldaps are equivalent.
418
419              With propagate, the proxy issues StartTLS operation only if  the
420              original  connection  has  a  TLS layer set up.  The try- prefix
421              instructs the proxy  to  continue  operations  if  the  StartTLS
422              operation failed; its use is not recommended.
423
424              The  TLS  settings  default  to  the  same as the main slapd TLS
425              settings, except for tls_reqcert which defaults to "demand"  and
426              starttls  which  is  overshadowed  by the first keyword and thus
427              ignored.
428
429
430       use-temporary-conn {NO|yes}
431              when  set  to  yes,  create  a  temporary  connection   whenever
432              competing  with  other threads for a shared one; otherwise, wait
433              until the shared connection is available.
434
435

BACKWARD COMPATIBILITY

437       The LDAP backend has been heavily reworked  between  releases  2.2  and
438       2.3,  and  subsequently between 2.3 and 2.4.  As a side-effect, some of
439       the traditional directives have been deprecated and should be no longer
440       used, as they might disappear in future releases.
441
442
443       acl-authcDN <administrative DN for access control purposes>
444              Formerly known as the binddn, it is the DN that is used to query
445              the target server for acl checking; it is supposed to have  read
446              access  on the target server to attributes used on the proxy for
447              acl checking.  There is no risk of giving away such values; they
448              are only used to check permissions.
449
450              The  acl-authcDN  identity is by no means implicitly used by the
451              proxy when the  client  connects  anonymously.   The  idassert-*
452              feature can be used (at own risk) for that purpose instead.
453
454              This  directive  is obsoleted by the binddn arg of acl-bind when
455              bindmethod=simple, and will be dismissed in the future.
456
457
458       acl-passwd <password>
459              Formerly known as the bindpw, it is the password used  with  the
460              above acl-authcDN directive.  This directive is obsoleted by the
461              credentials arg of acl-bind when bindmethod=simple, and will  be
462              dismissed in the future.
463
464
465       idassert-authcDN <administrative DN for proxyAuthz purposes>
466              DN  which  is  used  to  propagate  the client's identity to the
467              target by means of the proxyAuthz control when the  client  does
468              not  belong  to  the DIT fragment that is being proxied by back-
469              ldap.   This  directive  is  obsoleted  by  the  binddn  arg  of
470              idassert-bind  when  bindmethod=simple, and will be dismissed in
471              the future.
472
473
474       idassert-passwd <password>
475              Password used with the idassert-authcDN above.   This  directive
476              is  obsoleted  by  the  crendentials  arg  of idassert-bind when
477              bindmethod=simple, and will be dismissed in the future.
478
479
480       idassert-mode <mode> [<flags>]
481              defines what type of identity assertion is used.  This directive
482              is  obsoleted  by  the  mode  arg  of idassert-bind, and will be
483              dismissed in the future.
484
485
486       idassert-method <method> [<saslargs>]
487              This  directive  is  obsoleted  by   the   bindmethod   arg   of
488              idassert-bind, and will be dismissed in the future.
489
490
491       port <port>
492              this directive is no longer supported.  Use the uri directive as
493              described above.
494
495
496       server <hostname[:port]>
497              this directive is no longer supported.  Use the uri directive as
498              described above.
499
500
501       suffixmassage, map, rewrite*
502              These  directives  are  no  longer supported by back-ldap; their
503              functionality is now delegated to the rwm overlay.  Essentially,
504              add a statement
505
506              overlay rwm
507
508              first, and prefix all rewrite/map statements with rwm- to obtain
509              the original behavior.  See slapo-rwm(5) for details.
510
511

ACCESS CONTROL

513       The ldap backend does not honor  all  ACL  semantics  as  described  in
514       slapd.access(5).   In  general,  access  checking  is  delegated to the
515       remote server(s).  Only read (=r) access to the entry  pseudo-attribute
516       and to the other attribute values of the entries returned by the search
517       operation is honored, which is performed by the frontend.
518
519

OVERLAYS

521       The LDAP  backend  provides  basic  proxying  functionalities  to  many
522       overlays.   The  chain  overlay,  described  in slapo-chain(5), and the
523       translucent  overlay,  described  in  slapo-translucent(5),  deserve  a
524       special mention.
525
526       Conversely,  there  are many overlays that are best used in conjunction
527       with the LDAP backend.  The proxycache overlay allows caching  of  LDAP
528       search requests (queries) in a local database.  See slapo-pcache(5) for
529       details.  The rwm overlay provides DN rewrite and attribute/objectClass
530       mapping  capabilities to the underlying database.  See slapo-rwm(5) for
531       details.
532
533

FILES

535       /etc/openldap/slapd.conf
536              default slapd configuration file
537

SEE ALSO

539       slapd.conf(5),    slapd-config(5),    slapd-meta(5),    slapo-chain(5),
540       slapo-pcache(5), slapo-rwm(5), slapo-translucent(5), slapd(8), ldap(3).
541

AUTHOR

543       Howard Chu, with enhancements by Pierangelo Masarati
544
545
546
547OpenLDAP 2.4.50                   2020/04/28                     SLAPD-LDAP(5)
Impressum