1SLAPD-RELAY(5) File Formats Manual SLAPD-RELAY(5)
2
6 slapd-relay - relay backend to slapd
7
9 /etc/openldap/slapd.conf
10
12 The primary purpose of this slapd(8) backend is to map a naming context
13 defined in a database running in the same slapd(8) instance into a vir‐
14 tual naming context, with attributeType and objectClass manipulation,
15 if required. It requires the rwm overlay.
16 This backend and the above mentioned overlay are experimental.
18
20 The following slapd.conf directives apply to the relay backend data‐
21 base. That is, they must follow a "database relay" line and come
22 before any subsequent "backend" or "database" lines. Other database
23 options are described in the slapd.conf(5) manual page; only the suffix
24 directive is required by the relay backend.
25 relay <real naming context> [massage]
27 The naming context of the database that is presented under a
28 virtual naming context. The presence of this directive implies
29 that one specific database, i.e. the one serving the real naming
30 context, will be presented under a virtual naming context. This
31 directive automatically instantiates the rwm overlay. If the
32 optional massage keyword is present, the suffix massaging is
33 automatically configured as well; otherwise, specific massaging
34 instructions are required by means of the rewrite directives
35 described in slapo-rwm(5).
36
39 One important issue is that access rules are based on the identity that
40 issued the operation. After massaging from the virtual to the real
41 naming context, the frontend sees the operation as performed by the
42 identity in the real naming context. Moreover, since back-relay
43 bypasses the real database frontend operations by short-circuiting
44 operations thru the internal backend API, the original database access
45 rules do not apply but in selected cases, i.e. when the backend itself
46 applies access control. As a consequence, the instances of the relay
47 database must provide own access rules that are consistent with those
48 of the original database, possibly adding further specific restric‐
49 tions. So, access rules in the relay database must refer to identities
50 in the real naming context. Examples are reported in the EXAMPLES sec‐
51 tion.
52
55 If no relay directive is given, the relay database does not refer to
56 any specific database, but the most appropriate one is looked-up after
57 rewriting the request DN for the operation that is being handled.
58 This allows to write carefully crafted rewrite rules that cause some of
60 the requests to be directed to one database, and some to another; e.g.,
61 authentication can be mapped to one database, and searches to another,
62 or different target databases can be selected based on the DN of the
63 request, and so.
64 Another possibility is to map the same operation to different databases
66 based on details of the virtual naming context, e.g. groups on one
67 database and persons on another.
68
70 The rwm overlay is experimental.
71
73 To implement a plain virtual naming context mapping that refers to a
74 single database, use
75 database relay
77 suffix "dc=virtual,dc=naming,dc=context"
78 relay "dc=real,dc=naming,dc=context" massage
79 To implement a plain virtual naming context mapping that looks up the
81 real naming context for each operation, use
82 database relay
84 suffix "dc=virtual,dc=naming,dc=context"
85 overlay rwm
86 suffixmassage "dc=real,dc=naming,dc=context"
87 This is useful, for instance, to relay different databases that share
89 the terminal portion of the naming context (the one that is rewritten).
90 To implement the old-fashioned suffixalias, e.g. mapping the virtual to
92 the real naming context, but not the results back from the real to the
93 virtual naming context, use
94 database relay
96 suffix "dc=virtual,dc=naming,dc=context"
97 relay "dc=real,dc=naming,dc=context"
98 rewriteEngine on
99 rewriteContext default
100 rewriteRule "dc=virtual,dc=naming,dc=context"
101 "dc=real,dc=naming,dc=context" ":@"
102 rewriteContext searchFilter
103 rewriteContext searchEntryDN
104 rewriteContext searchAttrDN
105 rewriteContext matchedDN
106 Note that the virtual database is bound to a single real database, so
108 the rwm overlay is automatically instantiated, but the rewrite rules
109 are written explicitly to map all the virtual to real naming context
110 data flow, but none of the real to virtual.
111 Access rules:
113 database bdb
115 suffix "dc=example,dc=com"
116 # skip...
117 access to dn.subtree="dc=example,dc=com"
118 by dn.exact="cn=Supervisor,dc=example,dc=com" write
119 by * read
120 database relay
122 suffix "o=Example,c=US"
123 relay "dc=example,dc=com" massage
124 # skip ...
125 access to dn.subtree="o=Example,c=US"
126 by dn.exact="cn=Supervisor,dc=example,dc=com" write
127 by dn.exact="cn=Relay Supervisor,dc=example,dc=com" write
128 by * read
129 Note that, in both databases, the identities (the <who> clause) are in
131 the real naming context, i.e. `dc=example,dc=com', while the targets
132 (the <what> clause) are in the real and in the virtual naming context,
133 respectively.
134
136 The relay backend does not honor any of the access control semantics
137 described in slapd.access(5); all access control is delegated to the
138 relayed database(s). Only read (=r) access to the entry pseudo-
139 attribute and to the other attribute values of the entries returned by
140 the search operation is honored, which is performed by the frontend.
141
143 /etc/openldap/slapd.conf
144 default slapd configuration file
145
147 slapd.conf(5), slapo-rwm(5), slapd(8).
148OpenLDAP 2.3.34 2007/2/16 SLAPD-RELAY(5)