manpagez: man pages & more
man slapd-relay(5)
Home | html | info | man
slapd-relay(5)                                                  slapd-relay(5)




NAME

       slapd-relay - relay backend to slapd


SYNOPSIS

       /opt/local/etc/openldap/slapd.conf


DESCRIPTION

       The primary purpose of this slapd(8) backend is to map a naming context
       defined in a database running in the same slapd(8) instance into a vir-
       tual  naming  context, with attributeType and objectClass manipulation,
       if required.  It requires the slapo-rwm(5) overlay.

       This backend and the above mentioned overlay are experimental.


CONFIGURATION

       The following slapd.conf directives apply to the  relay  backend  data-
       base.   That  is,  they  must  follow  a "database relay" line and come
       before any subsequent "backend" or "database"  lines.   Other  database
       options are described in the slapd.conf(5) manual page; only the suffix
       directive is allowed by the relay backend.

       relay <real naming context>
              The naming context of the database that  is  presented  under  a
              virtual  naming context.  The presence of this directive implies
              that one specific database, i.e. the one serving the real naming
              context, will be presented under a virtual naming context.



MASSAGING

       The relay database does not automatically rewrite the naming context of
       requests and responses.  For this  purpose,  the  slapo-rwm(5)  overlay
       must  be  explicitly instantiated, and configured as appropriate.  Usu-
       ally, the rwm-suffixmassage directive suffices if only  naming  context
       rewriting is required.



ACCESS RULES

       One important issue is that access rules are based on the identity that
       issued the operation.  After massaging from the  virtual  to  the  real
       naming  context,  the  frontend  sees the operation as performed by the
       identity in  the  real  naming  context.   Moreover,  since  back-relay
       bypasses  the  real  database  frontend  operations by short-circuiting
       operations through the internal  backend  API,  the  original  database
       access  rules do not apply but in selected cases, i.e. when the backend
       itself applies access control.  As a consequence, the instances of  the
       relay  database  must provide own access rules that are consistent with
       those of  the  original  database,  possibly  adding  further  specific
       restrictions.   So,  access  rules  in the relay database must refer to
       identities in the real naming context.  Examples are  reported  in  the
       EXAMPLES section.



SCENARIOS

       If  no  relay  directive is given, the relay database does not refer to
       any specific database, but the most appropriate one is looked-up  after
       rewriting the request DN for the operation that is being handled.

       This  allows  one  to  write carefully crafted rewrite rules that cause
       some of the requests to be  directed  to  one  database,  and  some  to
       another;  e.g.,  authentication  can  be  mapped  to  one database, and
       searches to another, or different  target  databases  can  be  selected
       based on the DN of the request, and so.

       Another possibility is to map the same operation to different databases
       based on details of the virtual naming  context,  e.g.  groups  on  one
       database and persons on another.



EXAMPLES

       To  implement  a  plain virtual naming context mapping that refers to a
       single database, use

         database                relay
         suffix                  "dc=virtual,dc=naming,dc=context"
         relay                   "dc=real,dc=naming,dc=context"
         overlay                 rwm
         rwm-suffixmassage       "dc=real,dc=naming,dc=context"

       To implement a plain virtual naming context mapping that looks  up  the
       real naming context for each operation, use

         database                relay
         suffix                  "dc=virtual,dc=naming,dc=context"
         overlay                 rwm
         rwm-suffixmassage       "dc=real,dc=naming,dc=context"

       This  is  useful, for instance, to relay different databases that share
       the terminal portion of the naming context (the one that is rewritten).

       To implement the old-fashioned suffixalias, e.g. mapping the virtual to
       the real naming context, but not the results back from the real to  the
       virtual naming context, use

         database                relay
         suffix                  "dc=virtual,dc=naming,dc=context"
         relay                   "dc=real,dc=naming,dc=context"
         overlay                 rwm
         rwm-rewriteEngine       on
         rwm-rewriteContext      default
         rwm-rewriteRule         "dc=virtual,dc=naming,dc=context"
                                 "dc=real,dc=naming,dc=context" ":@"
         rwm-rewriteContext      searchFilter
         rwm-rewriteContext      searchEntryDN
         rwm-rewriteContext      searchAttrDN
         rwm-rewriteContext      matchedDN

       Note  that  the  slapo-rwm(5)  overlay is instantiated, but the rewrite
       rules are written explicitly, rather than  automatically  as  with  the
       rwm-suffixmassage statement, to map all the virtual to real naming con-
       text data flow, but none of the real to virtual.

       Access rules:

         database                bdb
         suffix                  "dc=example,dc=com"
         # skip...
         access to dn.subtree="dc=example,dc=com"
                 by dn.exact="cn=Supervisor,dc=example,dc=com" write
                 by * read

         database                relay
         suffix                  "o=Example,c=US"
         relay                   "dc=example,dc=com"
         overlay                 rwm
         rwm-suffixmassage       "dc=example,dc=com"
         # skip ...
         access to dn.subtree="o=Example,c=US"
                 by dn.exact="cn=Supervisor,dc=example,dc=com" write
                 by dn.exact="cn=Relay Supervisor,dc=example,dc=com" write
                 by * read

       Note that, in both databases, the identities (the <who> clause) are  in
       the  real  naming context, i.e.  `dc=example,dc=com', while the targets
       (the <what> clause) are in the real and in the virtual naming  context,
       respectively.


ACCESS CONTROL

       The  relay  backend  does not honor any of the access control semantics
       described in slapd.access(5); all access control is  delegated  to  the
       relayed  database(s).   Only  read  (=r)  access  to  the entry pseudo-
       attribute and to the other attribute values of the entries returned  by
       the search operation is honored, which is performed by the frontend.


FILES

       /opt/local/etc/openldap/slapd.conf
              default slapd configuration file


SEE ALSO

       slapd.conf(5), slapd-config(5), slapo-rwm(5), slapd(8).



OpenLDAP 2.4.45                   2017/06/01                    slapd-relay(5)

openldap 2.4.45 - Generated Fri Jun 2 09:32:46 CDT 2017
© manpagez.com 2000-2024
Individual documents may contain additional copyright information.