SLAPD-ASYNCMETA(5)            File Formats Manual           SLAPD-ASYNCMETA(5)


NAME
       slapd-asyncmeta - asynchronous metadirectory backend to slapd

SYNOPSIS
       /etc/openldap/slapd.conf

DESCRIPTION
       The asyncmeta backend to slapd(8) performs basic LDAP proxying with re‐
       spect to a set of remote LDAP servers, called "targets".  The  informa‐
       tion contained in these servers can be presented as belonging to a sin‐
       gle Directory Information Tree (DIT).

       A good knowledge of the functionality of the slapd-meta(5) backend is
       recommended.  This backend has been designed as an asynchronous version
       of the meta backend.  Unlike meta, the operation handling threads do
       not block waiting for the response from the remote server, which
       decreases the number of threads necessary to handle the same load.
       While asyncmeta maintains the functionality of meta and has a largely
       similar codebase, some changes in operation and some new configuration
       directives have been added.  Some configuration options, such as
       conn-pool-max, conn-ttl, single-conn, and use-temporary-conn, have been
       removed, as they are no longer relevant.

       New connection handling:

       Unlike meta, which caches bound connections, asyncmeta works with a
       configured maximum number of connections per target.  For each request
       redirected to a target, a different connection is selected.  Each
       connection has a queue, to which the request is added before it is sent
       to the remote server, and from which it is removed after the last
       response for that request is received.  For each new request, a new
       connection is chosen using round-robin scheduling.

       Overlays:

       Due to implementation specifics, there is no guarantee that any of the
       existing OpenLDAP overlays will work with the asyncmeta backend.

EXAMPLES
       Refer to slapd-meta(5) for configuration examples.

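       The following slapd.conf fragment is an added example, not taken from
       this manual page or from the OpenLDAP sources.  It shows how the
       connection-handling, quarantine, timeout, TLS and identity-assertion
       directives described in this page combine into one asyncmeta database
       with two targets.  All host names, suffixes, DNs, passwords and file
       paths are hypothetical.

```conf
# Added example (not from slapd-asyncmeta(5) or the OpenLDAP sources).
# Host names, suffixes, DNs, passwords and file paths are hypothetical.

# Global slapd TLS settings; the per-target "tls" directives below inherit
# these and override only what they name.
TLSCACertificateFile    /etc/openldap/certs/internal-ca.pem

database        asyncmeta
suffix          "dc=example,dc=com"
rootdn          "cn=proxy-admin,dc=example,dc=com"

# Directives that are not target specific come first, before any "uri".
default-target  none            # reject writes that do not resolve to exactly one target
dncache-ttl     5m              # remember which target holds a DN for five minutes
onerr           report          # finish the search, then return the first non-success code
max-target-conns 32             # hard cap on outbound connections per target (default 255)
max-pending-ops 64              # per-connection queue depth; beyond this clients get LDAP_BUSY
max-timeout-ops 3               # drop a connection after three consecutive timed-out requests
quarantine      "5,3;30,+"      # after LDAP_UNAVAILABLE: retry 3 times at 5s intervals, then every 30s forever
rebind-as-user  no              # do not replay client credentials on reconnect or referral chase
pseudoroot-bind-defer yes       # bind with the idassert identity only when an operation needs it
session-tracking-request yes    # send client IP/hostname/identity to targets (requires LDAPv3)

# Target 1: people subtree on an LDAPS-only server; local DNs are massaged
# to the remote naming context.
uri             "ldaps://ldap-a.example.internal/ou=people,dc=example,dc=com"
subtree-include "ou=people,dc=example,dc=com"
suffixmassage   "ou=people,dc=example,dc=com" "ou=users,dc=corp,dc=internal"
tls             ldaps tls_reqcert=demand tls_reqsan=demand
                tls_cacert=/etc/openldap/certs/internal-ca.pem
idassert-bind   bindmethod=simple
                binddn="cn=proxy,ou=svc,dc=corp,dc=internal"
                credentials="proxy-secret"
                mode=self
# Only identities under ou=people may have their identity asserted to target 1.
idassert-authzFrom "dn.subtree:ou=people,dc=example,dc=com"
idle-timeout    5m              # drop a connection unused for five minutes
timeout         bind=3 search=10 add=5 modify=5
keepalive       60:3:10         # TCP keepalive: idle 60s, 3 probes, 10s apart

# Target 2: groups subtree on a server reached with StartTLS.
uri             "ldap://ldap-b.example.internal/ou=groups,dc=example,dc=com"
subtree-include "ou=groups,dc=example,dc=com"
tls             start tls_reqcert=demand tls_reqsan=demand
                tls_cacert=/etc/openldap/certs/internal-ca.pem
acl-authcDN     "cn=aclreader,ou=svc,dc=example,dc=com"
acl-passwd      "aclreader-secret"
nretries        never           # fail fast rather than retry temporary errors on this target
idle-timeout    2m
timeout         bind=3 search=10
```

       Continuation lines begin with white space, as slapd.conf(5) requires.
       Note that default-target none, max-target-conns, max-pending-ops and
       quarantine are global and must precede the first uri; the tls,
       idassert-bind, idle-timeout, timeout and nretries lines after each uri
       apply to that target only.
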
CONFIGURATION
       These slapd.conf options apply to the ASYNCMETA backend database.  That
       is,  they  must  follow a "database asyncmeta" line and come before any
       subsequent "backend" or "database" lines.  Other database  options  are
       described in the slapd.conf(5) manual page.

SPECIAL CONFIGURATION DIRECTIVES
       Target configuration starts with the "uri" directive.  All the configu‐
       ration directives that are not specific to targets  should  be  defined
       first  for  clarity,  including  those that are common to all backends.
       They are:


       default-target none
              This directive forces the backend to reject all those operations
              that must resolve to a single target in case none or multiple
              targets are selected.  They include: add, delete, modify and
              modrdn.  Compare and bind are not included since, as they don't
              alter entries, in case of multiple matches an attempt is made to
              perform the operation on any candidate target, with the
              constraint that at most one must succeed.  This directive can
              also be used when processing targets to mark a specific target
              as default.


       dncache-ttl {DISABLED|forever|<ttl>}
              This directive sets the time-to-live  of  the  DN  cache.   This
              caches  the  target that holds a given DN to speed up target se‐
              lection in case multiple targets would result from  an  uncached
              search;  forever means cache never expires; disabled means no DN
              caching; otherwise a valid ( > 0 ) ttl is required, in the  for‐
              mat illustrated for the idle-timeout directive.


       onerr {CONTINUE|report|stop}
              This  directive allows one to select the behavior in case an er‐
              ror is returned by one target during  a  search.   The  default,
              continue, consists in continuing the operation, trying to return
              as much data as possible.  If the value  is  set  to  stop,  the
              search is terminated as soon as an error is returned by one tar‐
              get, and the error is immediately propagated to the client.   If
              the  value  is set to report, the search is continued to the end
              but, in case at least one target returned  an  error  code,  the
              first non-success error code is returned.


       max-timeout-ops <number>
              Specify  the  number  of  consecutive  timed out requests, after
              which the connection will be considered faulty and dropped.


       max-pending-ops <number>
              The maximum number of pending requests stored in a  connection's
              queue.   The  default  is  128.  When  this  number is exceeded,
              LDAP_BUSY will be returned to the client.


       max-target-conns <number>
              The  maximum  number   of   connections   per   target.   Unlike
              slapd-meta(5), no new connections will be created once this num‐
              ber is reached. The default value is 255.


       norefs <NO|yes>
              If yes, do not return search reference responses.  By default,
              they are returned unless the request is LDAPv2.  If set before
              any target specification, it affects all targets, unless
              overridden by any per-target directive.


       noundeffilter <NO|yes>
              If yes, return success instead of searching if a filter is unde‐
              fined or contains undefined portions.  By default, the search is
              propagated  after  replacing  undefined portions with (!(object‐
              Class=*)), which corresponds to the empty result  set.   If  set
              before  any target specification, it affects all targets, unless
              overridden by any per-target directive.


       protocol-version {0,2,3}
              This directive indicates what protocol version must be  used  to
              contact the remote server.  If set to 0 (the default), the proxy
              uses the same protocol version used by the client, otherwise the
              requested  protocol  is used.  The proxy returns unwillingToPer‐
              form if an operation that is  incompatible  with  the  requested
              protocol  is attempted.  If set before any target specification,
              it affects all targets, unless overridden by any per-target  di‐
              rective.


       pseudoroot-bind-defer {YES|no}
              This  directive,  when  set to yes, causes the authentication to
              the remote servers with the pseudo-root identity  (the  identity
              defined  in  each  idassert-bind directive) to be deferred until
              actually needed by subsequent operations.  Otherwise, all  binds
              as the rootdn are propagated to the targets.


       quarantine <interval>,<num>[;<interval>,<num>[...]]
              Turns  on  quarantine of URIs that returned LDAP_UNAVAILABLE, so
              that an attempt to reconnect only occurs at given intervals  in‐
              stead  of  any time a client requests an operation.  The pattern
              is: retry only after at least  interval  seconds  elapsed  since
              last  attempt, for exactly num times; then use the next pattern.
              If num for the last pattern is "+", it retries  forever;  other‐
              wise,  no more retries occur.  This directive must appear before
              any target specification; it affects all targets with  the  same
              pattern.


       rebind-as-user {NO|yes}
              If  this  option is given, the client's bind credentials are re‐
              membered for rebinds, when trying to re-establish a broken  con‐
              nection,  or  when chasing a referral, if chase-referrals is set
              to yes.


       session-tracking-request {NO|yes}
              Adds session tracking control for all requests.  The client's IP
              and  hostname,  and  the identity associated to each request, if
              known, are sent to the remote server for informational purposes.
              This  directive is incompatible with setting protocol-version to
              2.  If set before any target specification, it affects all  tar‐
              gets, unless overridden by any per-target directive.

TARGET SPECIFICATION
       Target specification starts with a "uri" directive:


       uri <protocol>://[<host>]/<naming context> [...]
              Identical to meta.  See slapd-meta(5) for details.


       acl-authcDN <administrative DN for access control purposes>
              DN which is used to query the target server for acl checking, as
              in the LDAP backend; it is supposed to have read access  on  the
              target  server to attributes used on the proxy for acl checking.
              There is no risk of giving away such values; they are only  used
              to  check  permissions.  The acl-authcDN identity is by no means
              implicitly used by the proxy when  the  client  connects  anony‐
              mously.


       acl-passwd <password>
              Password used with the acl-authcDN above.


       bind-timeout <microseconds>
              This  directive  defines the timeout, in microseconds, used when
              polling for response after an asynchronous bind connection.  See
              slapd-meta(5) for details.


       chase-referrals {YES|no}
              enable/disable automatic referral chasing, which is delegated to
              the underlying libldap, with rebinding eventually  performed  if
              the  rebind-as-user  directive is used.  The default is to chase
              referrals.  If set before any target specification,  it  affects
              all targets, unless overridden by any per-target directive.


       client-pr {accept-unsolicited|DISABLE|<size>}
              This  feature  allows  one to use RFC 2696 Paged Results control
              when performing search operations with a specific target,  irre‐
              spective of the client's request. See slapd-meta(5) for details.


       default-target [<target>]
              The  "default-target"  directive  can also be used during target
              specification.  With no arguments it marks the current target as
              the  default.   The optional number marks target <target> as the
              default one, starting from 1.  Target <target> must be defined.


       filter <pattern>
              This directive allows specifying a regex(5) pattern to  indicate
              what search filter terms are actually served by a target.

              In  a  search  request, if the search filter matches the pattern
              the target is considered while fulfilling the request; otherwise
              the  target is ignored. There may be multiple occurrences of the
              filter directive for each target.


       idassert-authzFrom <authz-regexp>
              if defined, selects what local identities are authorized to  ex‐
              ploit the identity assertion feature.  The string <authz-regexp>
              follows the rules defined  for  the  authzFrom  attribute.   See
              slapd.conf(5),  section  related to authz-policy, for details on
              the syntax of this field.


       idassert-bind    bindmethod=none|simple|sasl    [binddn=<simple    DN>]
              [credentials=<simple     password>]    [saslmech=<SASL    mech>]
              [secprops=<properties>] [realm=<realm>] [authcId=<authentication
              ID>]  [authzId=<authorization  ID>]  [authz={native|proxyauthz}]
              [mode=<mode>]     [flags=<flags>]     [starttls=no|yes|critical]
              [tls_cert=<file>]      [tls_key=<file>]      [tls_cacert=<file>]
              [tls_cacertdir=<path>]      [tls_reqcert=never|allow|try|demand]
              [tls_reqsan=never|allow|try|demand] [tls_cipher_suite=<ciphers>]
              [tls_ecname=<names>]        [tls_protocol_min=<major>[.<minor>]]
              [tls_crlcheck=none|peer|all]
              Allows one to define the parameters of the authentication method
              that is internally used by the proxy to authorize connections
              that are authenticated by other databases.  See slapd-meta(5)
              for details.


       idle-timeout <time>
              This directive causes a persistent connection to be dropped
              after it has been idle for the specified time.  The connection
              will be re-created the next time it is selected for use.  A
              connection is considered idle if no attempts have been made by
              the backend to use it to send a request to the remote server.
              If there are still pending requests in its queue, the connection
              will be dropped after the last request in it has either received
              a result or has timed out.  The time is specified as

              [<d>d][<h>h][<m>m][<s>[s]]

              where <d>, <h>, <m> and <s> are respectively treated as days,
              hours, minutes and seconds.  If set before any target
              specification, it affects all targets, unless overridden by any
              per-target directive.


       keepalive <idle>:<probes>:<interval>
              The keepalive parameter sets the values  of  idle,  probes,  and
              interval  used  to  check whether a socket is alive; idle is the
              number of seconds a connection needs to remain idle  before  TCP
              starts sending keepalive probes; probes is the maximum number of
              keepalive probes TCP should send before dropping the connection;
              interval  is  interval  in  seconds between individual keepalive
              probes.  Only some systems support the  customization  of  these
              values;  the  keepalive  parameter  is  ignored  otherwise,  and
              system-wide settings are used.


       tcp-user-timeout <milliseconds>
              If non-zero, corresponds to  the  TCP_USER_TIMEOUT  set  on  the
              target  connections,  overriding  the  operating system setting.
              Only some systems support the customization of  this  parameter,
              it is ignored otherwise and system-wide settings are used.


       map {attribute|objectclass} [<local name>|*] {<foreign name>|*}
              This  maps object classes and attributes as in the LDAP backend.
              See slapd-ldap(5).


       network-timeout <time>
              Sets the network timeout  value  after  which  poll(2)/select(2)
              following  a  connect(2)  returns  in  case of no activity while
              sending an operation to the remote  target.   The  value  is  in
              milliseconds,  and  it can be specified as for idle-timeout.  If
              set before any target specification,  it  affects  all  targets,
              unless overridden by any per-target directive.


       nretries {forever|never|<nretries>}
              This  directive  defines  how many times forwarding an operation
              should be retried in case of temporary failure in  contacting  a
              target.  The number of retries is per operation, so if a bind to
              the  target  is  necessary  first,  the  remaining   number   is
              decremented.  If  defined  before  any  target specification, it
              applies to all targets (by default, 3 times); the  global  value
              can   be   overridden   by   redefinitions  inside  each  target
              specification.


       rewrite* ...
              The rewrite options are identical to the meta backend.  See  the
              REWRITING section of slapd-meta(5).


       subtree-{exclude|include} <rule>
              This directive allows one to indicate what subtrees are actually
              served by a target. See slapd-meta(5) for details.


       suffixmassage <local suffix> <remote suffix>
              slapd-asyncmeta does not support the rewrite engine used by  the
              LDAP and META backends.  suffixmassage can be used to perform DN
              suffix rewriting, the same way as  the  obsoleted  suffixmassage
              directive previously used by the LDAP backend.


       t-f-support {NO|yes|discover}
              enable  if  the remote server supports absolute filters (see RFC
              4526 for details).  If set to discover, support is  detected  by
              reading  the remote server's root DSE.  If set before any target
              specification, it affects all targets, unless overridden by  any
              per-target directive.


       timeout [<op>=]<val> [...]
              This   directive  allows  one  to  set  per-operation  timeouts.
              Operations can be

              <op> ::= bind, add, delete, modrdn, modify, compare, search

              By default, the timeout for all operations is 2 seconds.

              See slapd-meta(5) for details.


       tls {none|[try-]start|[try-]propagate|ldaps}
              [starttls=no]      [tls_cert=<file>]      [tls_key=<file>]
              [tls_cacert=<file>]                       [tls_cacertdir=<path>]
              [tls_reqcert=never|allow|try|demand]
              [tls_reqsan=never|allow|try|demand] [tls_cipher_suite=<ciphers>]
              [tls_ecname=<names>] [tls_crlcheck=none|peer|all]
              Specify TLS settings for regular connections.

              If the first parameter is not "none" then  this  configures  the
              TLS  settings  to be used for regular connections.  The StartTLS
              extended operation will be used when establishing the connection
              unless  the  URI directive protocol scheme is ldaps://.  In that
              case this keyword may only be set to "ldaps"  and  the  StartTLS
              operation will not be used.

              With  propagate, the proxy issues the StartTLS operation only if
              the original connection has a TLS layer set up.  The try- prefix
              instructs  the  proxy  to  continue  operations  if the StartTLS
              operation failed; its use is not recommended.

              The TLS settings default to the  same  as  the  main  slapd  TLS
              settings,  except  for  tls_reqcert  which defaults to "demand",
              tls_reqsan which defaults to  "allow",  and  starttls  which  is
              overshadowed by the first keyword and thus ignored.

              If  set before any target specification, it affects all targets,
              unless overridden by any per-target directive.

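       The following fragment is an added example, not part of this manual
       page or of the OpenLDAP sources, contrasting a weak tls setting with a
       hardened one for the same kind of target.  Host names and file paths
       are hypothetical.

```conf
# Added example (not from slapd-asyncmeta(5) or the OpenLDAP sources).
# Host names and file paths are hypothetical.

# WEAK.  "try-start" continues in cleartext if StartTLS fails, and
# tls_reqcert=never accepts any server certificate, so a host on the path
# can strip TLS or impersonate the target and capture the proxy's bind
# credentials and the proxied traffic.  Shown only for contrast.
uri             "ldap://ldap-weak.example.internal/ou=legacy,dc=example,dc=com"
subtree-include "ou=legacy,dc=example,dc=com"
tls             try-start tls_reqcert=never tls_reqsan=never

# HARDENED.  "start" makes StartTLS mandatory; tls_reqcert=demand requires a
# certificate that chains to the named CA; tls_reqsan=demand requires the
# certificate's subjectAltName to match the target host; tls_crlcheck=peer
# checks the server certificate against the CA's CRL.
uri             "ldap://ldap-b.example.internal/ou=groups,dc=example,dc=com"
subtree-include "ou=groups,dc=example,dc=com"
tls             start tls_reqcert=demand tls_reqsan=demand
                tls_cacert=/etc/openldap/certs/internal-ca.pem
                tls_crlcheck=peer

# For an ldaps:// URI the first keyword must be "ldaps"; StartTLS is not
# issued, but the certificate checks still apply.
uri             "ldaps://ldap-a.example.internal/ou=people,dc=example,dc=com"
subtree-include "ou=people,dc=example,dc=com"
tls             ldaps tls_reqcert=demand tls_reqsan=demand
                tls_cacert=/etc/openldap/certs/internal-ca.pem
                tls_crlcheck=peer
```

       The same tls_* parameters can be given on idassert-bind, and should be
       set there too when the identity-assertion bind uses its own connection
       parameters; otherwise the proxy's own credentials travel under whatever
       protection the weaker setting allows.
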
SCENARIOS
       See slapd-meta(5) for configuration scenarios.

ACLs
       ACL behavior is identical to meta. See slapd-meta(5).

ACCESS CONTROL
       The asyncmeta backend does not honor all ACL semantics as described  in
       slapd.access(5).   In  general,  access  checking  is  delegated to the
       remote server(s).  Only read (=r) access to the entry  pseudo-attribute
       and to the other attribute values of the entries returned by the search
       operation is honored, which is performed by the frontend.

FILES
       /etc/openldap/slapd.conf
              default slapd configuration file

SEE ALSO
       slapd.conf(5), slapd-ldap(5), slapd-meta(5), slapo-pcache(5), slapd(8),
       regex(7), re_format(7).

AUTHOR
       Nadezhda Ivanova, based on back-meta by Pierangelo Masarati.



OpenLDAP 2.6.6                    2023/07/31                SLAPD-ASYNCMETA(5)