Commit fdbcfbe5 authored by Pierangelo Masarati

document idle-timeout; cleanup

parent 1b42fde3
......@@ -93,21 +93,19 @@ internally used by the proxy to collect info related to access control.
The identity defined by this directive, according to the properties
associated to the authentication method, is supposed to have read access
on the target server to attributes used on the proxy for ACL checking.
The
.B secprops
field is currently ignored.
There is no risk of giving away such values; they are only used to
check permissions.
The default is to use
.BR simple ,
with empty binddn and credentials,
.BR simple
bind, with empty \fIbinddn\fP and \fIcredentials\fP,
which means that the related operations will be performed anonymously.
.B This identity is by no means implicitly used by the proxy
.B when the client connects anonymously.
See the
The
.B idassert-bind
feature instead.
feature, instead, in some cases can be crafted to implement that behavior,
which is \fIintrinsically unsafe and should be used with extreme care\fP.
This directive obsoletes
.BR acl-authcDN ,
and
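Review bot: The new warning on idassert-bind ("in some cases can be crafted to implement that behavior") does not say which cases, so a reader cannot tell whether their own configuration is one of them. Name the idassert-bind settings under which the proxy ends up asserting an identity for clients that connected anonymously, or point to the paragraph that describes them, so that the "intrinsically unsafe and should be used with extreme care" caution is something an administrator can act on.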
......@@ -334,6 +332,11 @@ Note: if the timelimit is exceeded, the operation is abandoned;
the protocol does not provide any means to rollback the operation,
so the client will not know if the operation eventually succeeded or not.
.TP
.B idle-timeout <time>
This directive causes a cached connection to be dropped an recreated
after it has been idle for the specified time.
.SH BACKWARD COMPATIBILITY
The LDAP backend has been heavily reworked between releases 2.2 and 2.3;
as a side-effect, some of the traditional directives have been
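Review bot: Typo in the new idle-timeout entry: "dropped an recreated" should read "dropped and recreated". The entry also gives no unit or default for <time>; say which units are accepted and what happens to cached connections when the directive is not set.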
......
......@@ -154,6 +154,18 @@ because they are legal in the <naming context>, and we don't want to use
URL-encoded <naming context>s), and the additional URIs must have
no <naming context> part. This causes the underlying library
to contact the first server of the list that responds.
For example, if \fIl1.foo.com\fP and \fIl2.foo.com\fP are shadows
of the same server, the directive
.LP
.nf
suffix "\fBdc=foo,dc=com\fP"
uri "ldap://l1.foo.com/\fBdc=foo,dc=com\fP ldap://l2.foo.com/"
.fi
.RE
.RS
causes \fIl2.foo.com\fP to be contacted whenever \fIl1.foo.com\fP
does not respond.
.RE
.TP
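Review bot: The indentation macros in the added example look unbalanced: the visible lines contain two .RE requests (one after .fi, one after "does not respond.") but only one .RS, and the .LP before .nf resets the paragraph indent of the enclosing entry. Check the rendered page; if the first .RE has no opener in the surrounding context, replace the .LP with .RS before .nf so that the example and the sentence that follows it stay indented under the directive.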
......@@ -228,6 +240,11 @@ so the client will not know if the operation eventually succeeded or not.
If set before any target specification, it affects all targets, unless
overridden by any per-target directive.
.TP
.B idle-timeout <time>
This directive causes a cached connection to be dropped an recreated
after it has been idle for the specified time.
.TP
.B pseudorootdn "<substitute DN in case of rootdn bind>"
This directive, if present, sets the DN that will be substituted to
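Review bot: Same typo as in the other idle-timeout entry: "dropped an recreated" should read "dropped and recreated". The preceding entry ends with "If set before any target specification, it affects all targets, unless overridden by any per-target directive"; state here whether idle-timeout follows the same global/per-target rule, and give the unit of <time>.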
......