SLAPD-LDAP(5)SLAPD-LDAP(5)NAMEslapd-ldap - LDAP backend to slapd
SYNOPSIS
ETCDIR/slapd.conf
DESCRIPTION
The LDAP backend to slapd(8) is not an actual database;
instead it acts as a proxy to forward incoming requests to
another LDAP server. While processing requests it will
also chase referrals, so that referrals are fully pro-
cessed instead of being returned to the slapd client.
CONFIGURATION
These slapd.conf options apply to the LDAP backend
database. That is, they must follow a "database ldap"
line and come before any subsequent "backend" or
"database" lines. Other database options are described in
the slapd.conf(5) manual page.
Note: It is strongly recommended to set
lastmod off
for every ldap and meta database. This is because opera-
tional attributes related to entry creation and modifica-
tion should not be used, as they could be passed to the
target servers, generating an error.
uri <ldapurl>
LDAP server to use. Multiple URIs can be set in in
a single ldapurl argument, resulting in the under-
lying library automatically call the first server
of the list that responds, e.g.
uri "ldap://host/ ldap://backup-host"
The URI list is space- or comma-separated.
server <hostport>
Obsolete option; same as `uri ldap://<hostport>/'.
binddn <administrative DN for access control purposes>
DN which is used to query the target server for acl
checking; it should have read access on the target
server to attributes used on the proxy for acl
checking. There is no risk of giving away such
values; they are only used to check permissions.
bindpw <password>
Password used with the bind DN above.
rebind-as-user
If this option is given, the client's bind creden-
tials are remembered for rebinds when chasing
referrals.
suffixmassage <suffix> <massaged (remote) suffix>
DNs ending with <suffix> in a request are changed
to end with <remote suffix> before sending the
request to the remote server, and <remote suffix>
in the results are changed back to <suffix> before
returning them to the client. The <suffix> field
must be defined as a valid suffix for the current
database.
map {attribute | objectclass} [<local name> | *] {<foreign
name> | *}
Map attribute names and object classes from the
foreign server to different values on the local
slapd. The reason is that some attributes might
not be part of the local slapd's schema, some
attribute names might be different but serve the
same purpose, etc. If local or foreign name is
`*', the name is preserved. If local name is omit-
ted, the foreign name is removed. Unmapped names
are preseved if both local and foreign name are
`*', and removed if local name is omitted and for-
eign name is `*'.
rewrite*
The rewrite options are described in the "REWRIT-
ING" section of the slapd-meta(5) manual page.
EXAMPLES
This maps the OpenLDAP objectclass `groupOfNames' to the
Active Directory objectclass `group':
map objectclass groupOfNames group
This presents a limited attribute set from the foreign
server:
map attribute cn *
map attribute sn *
map attribute manager *
map attribute description *
map attribute *
These lines map cn, sn, manager, and description to them-
selves, and any other attribute gets "removed" from the
object before it is sent to the client (or sent up to the
LDAP server). This is obviously a simplistic example, but
you get the point.
FILES
ETCDIR/slapd.conf
default slapd configuration file
SEE ALSOslapd.conf(5), slapd-meta(5), slapd(8), ldap(3).
OpenLDAP LDVERSION RELEASEDATE SLAPD-LDAP(5)
