Commit 899b9f01 authored by Kurt Zeilenga

Sync with HEAD

parent 22282351
......@@ -36,8 +36,8 @@ Public License.
---
Portions Copyright 1999-2003 Howard Y.H. Chu.
Portions Copyright 1999-2003 Symas Corporation.
Portions Copyright 1999-2005 Howard Y.H. Chu.
Portions Copyright 1999-2005 Symas Corporation.
Portions Copyright 1998-2003 Hallvard B. Furuseth.
All rights reserved.
......
#!/bin/sh
##
## GNU shtool -- The GNU Portable Shell Tool
## Copyright (c) 1994-2004 Ralf S. Engelschall <rse@engelschall.com>
## Copyright (c) 1994-2005 Ralf S. Engelschall <rse@engelschall.com>
##
## See http://www.gnu.org/software/shtool/ for more information.
## See ftp://ftp.gnu.org/gnu/shtool/ for latest version.
##
## Version: 2.0.1 (11-Aug-2004)
## Version: 2.0.2 (15-Jun-2005)
## Contents: 6/19 available modules
##
......@@ -67,8 +67,8 @@ if [ $# -eq 0 ]; then
exit 1
fi
if [ ".$1" = ".-h" ] || [ ".$1" = ".--help" ]; then
echo "This is GNU shtool, version 2.0.1 (11-Aug-2004)"
echo "Copyright (c) 1994-2004 Ralf S. Engelschall <rse@engelschall.com>"
echo "This is GNU shtool, version 2.0.2 (15-Jun-2005)"
echo "Copyright (c) 1994-2005 Ralf S. Engelschall <rse@engelschall.com>"
echo "Report bugs to <bug-shtool@gnu.org>"
echo ''
echo "Usage: shtool [<options>] [<cmd-name> [<cmd-options>] [<cmd-args>]]"
......@@ -136,11 +136,11 @@ if [ ".$1" = ".-h" ] || [ ".$1" = ".--help" ]; then
exit 0
fi
if [ ".$1" = ".-v" ] || [ ".$1" = ".--version" ]; then
echo "GNU shtool 2.0.1 (11-Aug-2004)"
echo "GNU shtool 2.0.2 (15-Jun-2005)"
exit 0
fi
if [ ".$1" = ".-r" ] || [ ".$1" = ".--recreate" ]; then
shtoolize -obuild/shtool echo move install mkdir mkln subst
shtoolize -oshtool echo move install mkdir mkln subst
exit 0
fi
if [ ".$1" = ".-d" ] || [ ".$1" = ".--debug" ]; then
......@@ -404,6 +404,7 @@ esac
# establish a temporary file on request
if [ ".$gen_tmpfile" = .yes ]; then
# create (explicitly) secure temporary directory
if [ ".$TMPDIR" != . ]; then
tmpdir="$TMPDIR"
elif [ ".$TEMPDIR" != . ]; then
......@@ -411,10 +412,19 @@ if [ ".$gen_tmpfile" = .yes ]; then
else
tmpdir="/tmp"
fi
tmpfile="$tmpdir/.shtool.$$"
rm -f $tmpfile >/dev/null 2>&1
touch $tmpfile
chmod 600 $tmpfile
tmpdir="$tmpdir/.shtool.$$"
( umask 077
rm -rf "$tmpdir" >/dev/null 2>&1 || true
mkdir "$tmpdir" >/dev/null 2>&1
if [ $? -ne 0 ]; then
echo "$msgprefix:Error: failed to create temporary directory \`$tmpdir'" 1>&2
exit 1
fi
)
# create (implicitly) secure temporary file
tmpfile="$tmpdir/shtool.tmp"
touch "$tmpfile"
fi
# utility function: map string to lower case
......@@ -431,7 +441,7 @@ util_upper () {
shtool_exit () {
rc="$1"
if [ ".$gen_tmpfile" = .yes ]; then
rm -f $tmpfile >/dev/null 2>&1 || true
rm -rf "$tmpdir" >/dev/null 2>&1 || true
fi
exit $rc
}
......@@ -445,7 +455,7 @@ case $tool in
echo )
##
## echo -- Print string with optional construct expansion
## Copyright (c) 1998-2004 Ralf S. Engelschall <rse@engelschall.com>
## Copyright (c) 1998-2005 Ralf S. Engelschall <rse@engelschall.com>
##
text="$*"
......@@ -743,7 +753,7 @@ echo )
move )
##
## move -- Move files with simultaneous substitution
## Copyright (c) 1999-2004 Ralf S. Engelschall <rse@engelschall.com>
## Copyright (c) 1999-2005 Ralf S. Engelschall <rse@engelschall.com>
##
src="$1"
......@@ -835,7 +845,7 @@ move )
install )
##
## install -- Install a program, script or datafile
## Copyright (c) 1997-2004 Ralf S. Engelschall <rse@engelschall.com>
## Copyright (c) 1997-2005 Ralf S. Engelschall <rse@engelschall.com>
##
# special case: "shtool install -d <dir> [...]" internally
......@@ -998,7 +1008,7 @@ install )
mkdir )
##
## mkdir -- Make one or more directories
## Copyright (c) 1996-2004 Ralf S. Engelschall <rse@engelschall.com>
## Copyright (c) 1996-2005 Ralf S. Engelschall <rse@engelschall.com>
##
errstatus=0
......@@ -1086,7 +1096,7 @@ mkdir )
mkln )
##
## mkln -- Make link with calculation of relative paths
## Copyright (c) 1998-2004 Ralf S. Engelschall <rse@engelschall.com>
## Copyright (c) 1998-2005 Ralf S. Engelschall <rse@engelschall.com>
##
# determine source(s) and destination
......@@ -1237,7 +1247,7 @@ mkln )
subst )
##
## subst -- Apply sed(1) substitution operations
## Copyright (c) 2001-2004 Ralf S. Engelschall <rse@engelschall.com>
## Copyright (c) 2001-2005 Ralf S. Engelschall <rse@engelschall.com>
##
# remember optional list of file(s)
......
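Review bot: The `exit 1` on the mkdir-failure path only terminates the `( umask 077 ... )` subshell, so when `mkdir "$tmpdir"` fails the error message is printed but the script continues, and `touch "$tmpfile"` then runs against a directory the script never created — or, if a directory or symlink already sat at the predictable name `$tmpdir/.shtool.$$`, against one the script does not own, which is exactly what the mode-700 directory was meant to rule out. The subshell's status needs to be propagated to the script, for example by closing it with `) || exit 1`, or by keeping only `umask 077; mkdir "$tmpdir"` inside the subshell and doing the status check outside it. The `touch "$tmpfile"` result is likewise unchecked; the later `shtool_exit` hunk relies on `$tmpdir` having been claimed by this code, so the creation failure should be fatal here rather than surface as a confusing downstream error.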
......@@ -243,7 +243,7 @@ OL_ARG_ENABLE(sql,[ --enable-sql enable sql backend no|yes|mod],
dnl ----------------------------------------------------------------
dnl SLAPD Overlay Options
Overlays="accesslog denyop dyngroup dynlist glue lastmod ppolicy proxycache \
refint rwm syncprov translucent unique"
refint retcode rwm syncprov translucent unique"
AC_ARG_WITH(xxslapoverlays,[
SLAPD Overlay Options:])
......@@ -268,6 +268,8 @@ OL_ARG_ENABLE(proxycache,[ --enable-proxycache Proxy Cache overlay no|yes|m
no, [no yes mod])
OL_ARG_ENABLE(refint,[ --enable-refint Referential Integrity overlay no|yes|mod],
no, [no yes mod])
OL_ARG_ENABLE(retcode,[ --enable-retcode Return Code testing overlay no|yes|mod],
no, [no yes mod])
OL_ARG_ENABLE(rwm,[ --enable-rwm Rewrite/Remap overlay no|yes|mod],
no, [no yes mod])
OL_ARG_ENABLE(syncprov,[ --enable-syncprov Syncrepl Provider overlay no|yes|mod],
......@@ -533,6 +535,7 @@ BUILD_LASTMOD=no
BUILD_PPOLICY=no
BUILD_PROXYCACHE=no
BUILD_REFINT=no
BUILD_RETCODE=no
BUILD_RWM=no
BUILD_SYNCPROV=no
BUILD_TRANSLUCENT=no
......@@ -2877,6 +2880,18 @@ if test "$ol_enable_refint" != no ; then
AC_DEFINE_UNQUOTED(SLAPD_OVER_REFINT,$MFLAG,[define for Referential Integrity overlay])
fi
if test "$ol_enable_retcode" != no ; then
BUILD_RETCODE=$ol_enable_retcode
if test "$ol_enable_retcode" = mod ; then
MFLAG=SLAPD_MOD_DYNAMIC
SLAPD_DYNAMIC_OVERLAYS="$SLAPD_DYNAMIC_OVERLAYS retcode.la"
else
MFLAG=SLAPD_MOD_STATIC
SLAPD_STATIC_OVERLAYS="$SLAPD_STATIC_OVERLAYS retcode.o"
fi
AC_DEFINE_UNQUOTED(SLAPD_OVER_RETCODE,$MFLAG,[define for Referential Integrity overlay])
fi
if test "$ol_enable_rwm" != no ; then
BUILD_REWRITE=yes
BUILD_RWM=$ol_enable_rwm
......@@ -2991,6 +3006,7 @@ dnl overlays
AC_SUBST(BUILD_PPOLICY)
AC_SUBST(BUILD_PROXYCACHE)
AC_SUBST(BUILD_REFINT)
AC_SUBST(BUILD_RETCODE)
AC_SUBST(BUILD_RWM)
AC_SUBST(BUILD_SYNCPROV)
AC_SUBST(BUILD_TRANSLUCENT)
......
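Review bot: The AC_DEFINE_UNQUOTED for SLAPD_OVER_RETCODE carries the description `[define for Referential Integrity overlay]`, evidently copied from the refint block directly above it, so the comment emitted into the generated config header describes the wrong overlay. It should name this overlay, matching the OL_ARG_ENABLE help text added earlier in the same file: `AC_DEFINE_UNQUOTED(SLAPD_OVER_RETCODE,$MFLAG,[define for Return Code testing overlay])`.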
......@@ -16,7 +16,7 @@ The Kerberos support is written for Heimdal using its hdb-ldap backend.
If a PasswordModify is performed on an entry that has the krb5KDCEntry
objectclass, then the krb5Key and krb5KeyVersionNumber will be updated
using the new password in the PasswordModify request. Additionally, a
new "{K5KEY}" password hash mechanism is provided. krb5KDCEntries that
new "{K5KEY}" password hash mechanism is provided. For krb5KDCEntries that
have this hash specifier in their userPassword attribute, Simple Binds
will be checked against the Kerberos keys of the Entry. No data is
needed after the "{K5KEY}" hash specifier in the userPassword, it is
......@@ -50,7 +50,10 @@ paths are used. You can change the DEFS macro if you only want one or the
other of Kerberos or Samba support.
This overlay is only set up to be built as a dynamically loaded module.
If you need to build it statically, you will have to move it into the
On most platforms, in order for the module to be usable, all of the
library dependencies must also be available as shared libraries.
If you need to build the overlay statically, you will have to move it into the
slapd/overlays directory and edit the Makefile and overlays.c to reference
it. You will also have to define SLAPD_OVER_SMBK5PWD to SLAPD_MOD_STATIC,
and add the relevant libraries to the main slapd link command.
Copyright 1998-2001 The OpenLDAP Foundation
Copyright 1998-2005 The OpenLDAP Foundation
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted only as authorized by the OpenLDAP
Public License.
A copy of this license is available in file LICENSE in the
A copy of this license is available in the file LICENSE in the
top-level directory of the distribution or, alternatively, at
<http://www.OpenLDAP.org/license.html>
<http://www.OpenLDAP.org/license.html>.
OpenLDAP is a registered trademark of the OpenLDAP Foundation.
......@@ -20,14 +20,14 @@ at <http://www.umich.edu/~dirsvcs/ldap/>.
This work also contains materials derived from public sources.
Additional information about OpenLDAP software can be obtained at
Additional information about OpenLDAP can be obtained at
<http://www.openldap.org/>.
---
Portions Copyright 1998-2003 Kurt D. Zeilenga.
Portions Copyright 1998-2003 Net Boolean Incorporated.
Portions Copyright 2001-2003 IBM Corporation.
Portions Copyright 1998-2005 Kurt D. Zeilenga.
Portions Copyright 1998-2005 Net Boolean Incorporated.
Portions Copyright 2001-2005 IBM Corporation.
All rights reserved.
Redistribution and use in source and binary forms, with or without
......@@ -36,8 +36,8 @@ Public License.
---
Portions Copyright 1999-2003 Howard Y.H. Chu.
Portions Copyright 1999-2003 Symas Corporation.
Portions Copyright 1999-2005 Howard Y.H. Chu.
Portions Copyright 1999-2005 Symas Corporation.
Portions Copyright 1998-2003 Hallvard B. Furuseth.
All rights reserved.
......@@ -55,7 +55,8 @@ All rights reserved.
Redistribution and use in source and binary forms are permitted
provided that this notice is preserved and that due credit is given
to the University of Michigan at Ann Arbor. The name of the University
may not be used to endorse or promote products derived from this
software without specific prior written permission. This software
is provided ``as is'' without express or implied warranty.
to the University of Michigan at Ann Arbor. The name of the
University may not be used to endorse or promote products derived
from this software without specific prior written permission. This
software is provided ``as is'' without express or implied warranty.
......@@ -774,9 +774,10 @@ Directives in this category apply to both the {{TERM:BDB}}
and the {{TERM:HDB}} database.
They are used in an olcDatabase entry in addition to the generic
database directives defined above. For a complete reference
of BDB/HDB configuration directives, see {{slapd-bdb}}(5). BDB and
HDB database entries must have the {{EX:olcBdbConfig}} objectClass in
addition to the {{EX:olcDatabaseConfig}} class.
of BDB/HDB configuration directives, see {{slapd-bdb}}(5). In
addition to the {{EX:olcDatabaseConfig}} objectClass, BDB and HDB
database entries must have the {{EX:olcBdbConfig}} and
{{EX:olcHdbConfig}} objectClass, respectively.
H4: olcDbDirectory: <directory>
......@@ -970,7 +971,7 @@ H4: Sample Entry
>dn: olcDatabase=hdb,cn=config
>objectClass: olcDatabaseConfig
>objectClass: olcBdbConfig
>objectClass: olcHdbConfig
>olcDatabase: hdb
>olcSuffix: "dc=example,dc=com"
>olcDbDirectory: /usr/local/var/openldap-data
......
......@@ -91,7 +91,7 @@ ________________<BR>
<P>
<FONT COLOR="#808080" FACE="Arial,Verdana,Helvetica" SIZE="1"><B>
________________<BR>
<SMALL>&copy; Copyright 2003, <A HREF="http://www.OpenLDAP.org/foundation/">OpenLDAP Foundation</A>, <A HREF="mailto:info@OpenLDAP.org">info@OpenLDAP.org</A></SMALL></B></FONT>
<SMALL>&copy; Copyright 2005, <A HREF="http://www.OpenLDAP.org/foundation/">OpenLDAP Foundation</A>, <A HREF="mailto:info@OpenLDAP.org">info@OpenLDAP.org</A></SMALL></B></FONT>
!endblock
!endmacro
......
......@@ -128,7 +128,7 @@ makes control critical.
.BI \-S \ attribute
Sort the entries returned based on \fIattribute\fP. The default is not
to sort entries returned. If \fIattribute\fP is a zero-length string (""),
the entries are sorted by the components of their Distingished Name. See
the entries are sorted by the components of their Distinguished Name. See
.BR ldap_sort (3)
for more details. Note that
.B ldapsearch
......
......@@ -88,7 +88,7 @@ points to
.B bv_len
octets.
.B bv_val
is not necessarly terminated by a NUL (zero) octet.
is not necessarily terminated by a NUL (zero) octet.
.BR ber_bvfree ()
frees a BerValue, pointed to by \fIbv\fP, returned from this API. If \fIbv\fP
is NULL, the routine does nothing.
......
......@@ -60,9 +60,9 @@ Errors can be interpreted by calling
.BR ldap_err2string (3).
.SH LDAP versions
This library supports version 3 of the Lightweight Directory Access
Protocol (LDAPv3) as defined in RFC 3377. It also supports a varient
Protocol (LDAPv3) as defined in RFC 3377. It also supports a variant
of version 2 of LDAP as defined by U-Mich LDAP and, to some degree,
RFC 1777. Version 2 (all varients) should be viewed as obsolete.
RFC 1777. Version 2 (all variants) should be viewed as obsolete.
Version 3 should be used instead.
.LP
For backwards compatibility reasons, the library defaults to version 2.
......
......@@ -184,7 +184,7 @@ is used to turn a DN as returned by
.BR ldap_get_dn (3)
into a more user-friendly form, stripping off all type names. See
"Using the Directory to Achieve User Friendly Naming" (RFC 1781)
for more details on the UFN format. Due to the ambigious nature
for more details on the UFN format. Due to the ambiguous nature
of the format, it is generally only used for display purposes.
The space for the UFN returned is obtained dynamically and the user
is responsible for freeing it via a call to
......
......@@ -62,13 +62,13 @@ the responses of a search operation.
.LP
A search response is made up of zero or
more search entries, zero or more search references, and zero or
more extended parital responses followed by a search result. If
more extended partial responses followed by a search result. If
\fIall\fP is set to 0, search entries will be returned one at a
time as they come in, via separate calls to
.BR ldap_result() .
If it's set to 1, the search
response will only be returned in its entirety, i.e., after all entries,
all references, all extended parital responses, and the final search
all references, all extended partial responses, and the final search
result have been received.
.LP
Upon success, the type of the result received is returned and the
......
......@@ -119,7 +119,7 @@ int code;
These routines are used to parse schema definitions in the syntax
defined in RFC 2252 into structs and handle these structs. These
routines handle four kinds of definitions: syntaxes, matching rules,
attribute types and objectclasses. For each definition kind, four
attribute types and object classes. For each definition kind, four
routines are provided.
.LP
.B ldap_str2xxx()
......
......@@ -56,7 +56,7 @@ the message id of the operation it initiated.
\fIScope\fP is the scope of the search and should be one of LDAP_SCOPE_BASE,
to search the object itself,
LDAP_SCOPE_ONELEVEL, to search the object's immediate children,
or LDAP_SCOPE_SUBTREE, to search the object and all its descendents.
or LDAP_SCOPE_SUBTREE, to search the object and all its descendants.
.LP
\fIFilter\fP is a string
representation of the filter to apply in the search. Simple filters
......
......@@ -55,7 +55,8 @@ The different configuration options are:
Specifies the URI(s) of an LDAP server(s) to which the
.I LDAP
library should connect. The URI scheme may be either
.BR ldap or
.B ldap
or
.B ldaps
which refer to LDAP over TCP and LDAP over SSL (TLS) respectively.
Each server's name can be specified as a
......@@ -92,6 +93,14 @@ The port may be specified as a number.
is deprecated in favor of
.BR URI.
.TP
.B REFERRALS <on/true/yes/off/false/no>
Specifies if the client should automatically follow referrals returned
by LDAP servers.
The default is on.
Note that the command line tools
.BR ldapsearch (1)
&co always override this option.
.TP
.B SIZELIMIT <integer>
Specifies a size limit to use when performing searches. The
number should be a non-negative integer. \fISIZELIMIT\fP of zero (0)
......@@ -260,7 +269,7 @@ is immediately terminated. This is the default setting.
.TP
.B TLS_CRLCHECK <level>
Specifies if the Certificate Revocation List (CRL) of the CA should be
used to verify if the server certicates have not been revoked. This
used to verify if the server certificates have not been revoked. This
requires
.B TLS_CACERTDIR
parameter to be set.
......@@ -301,7 +310,9 @@ user ldap configuration file
.I $CWD/ldaprc
local ldap configuration file
.SH "SEE ALSO"
.BR ldap (3)
.BR ldap (3),
.BR openssl (1),
.BR sasl (3)
.SH AUTHOR
Kurt Zeilenga, The OpenLDAP Project
.SH ACKNOWLEDGEMENTS
......
......@@ -38,7 +38,7 @@ or tab, e.g.,
.ft
.fi
.LP
Lines beginning with a sharpe sign ('#') are ignored.
Lines beginning with a sharp sign ('#') are ignored.
.LP
Multiple attribute values are specified on separate lines, e.g.,
.LP
......
......@@ -231,6 +231,10 @@ permissions, or the asserted identities must have appropriate
permissions. Note, however, that the ID assertion feature is mostly
useful when the asserted identities do not exist on the remote server.
Flags can be
\fBoverride,{prescriptive|non-prescriptive}\fP
When the
.B override
flag is used, identity assertion takes place even when the database
......@@ -239,6 +243,20 @@ with the provided identity, and thus authenticating it, the proxy
performs the identity assertion using the configured identity and
authentication method.
When the
.B prescriptive
flag is used (the default), operations fail with
\fIinappropriateAuthentication\fP
for those identities whose assertion is not allowed by the
.B idassert-authzFrom
patterns.
If the
.B non-prescriptive
flag is used, operations are performed anonymously for those identities
whose assertion is not allowed by the
.B idassert-authzFrom
patterns.
This directive obsoletes
.BR idassert-authcDN ,
.BR idassert-passwd ,
......@@ -276,7 +294,7 @@ in conjunction with Proxy Authorization.
.B rebind-as-user {NO|yes}
If this option is given, the client's bind credentials are remembered
for rebinds when chasing referrals. Useful when
\fBchase-referrals\fP is set to \fByes\P, useless otherwise.
\fBchase-referrals\fP is set to \fByes\fP, useless otherwise.
.TP
.B chase-referrals {YES|no}
......@@ -299,7 +317,7 @@ enable if the remote server supports absolute filters
(see \fIdraft-zeilenga-ldap-t-f\fP for details).
If set to
.BR discover ,
support is detected by reading the remote server's rootDSE.
support is detected by reading the remote server's root DSE.
.SH BACKWARD COMPATIBILITY
The LDAP backend has been heavily reworked between releases 2.2 and 2.3;
......@@ -342,7 +360,7 @@ and may be dismissed in the future.
.B idassert-authcDN "<administrative DN for proxyAuthz purposes>"
DN which is used to propagate the client's identity to the target
by means of the proxyAuthz control when the client does not
belong to the DIT fragment that is being proxyied by back-ldap.
belong to the DIT fragment that is being proxied by back-ldap.
This directive is obsoleted by
.BR idassert-bind ,
and may be dismissed in the future.
......
......@@ -53,7 +53,7 @@ Flush dirty database buffers to disk every
seconds.
Implies
.B dbnosync
(ie. indvidual updates are no longer written to disk).
(ie. individual updates are no longer written to disk).
It attempts to avoid syncs during periods of peak activity by waiting
.B <delayinterval>
seconds if the server is busy, repeating this delay up to
......
......@@ -48,6 +48,6 @@ default slapd configuration file
.SH SEE ALSO
.BR slapd.conf (5),
.BR slapd (8),
.BR LDIF (5).
.BR ldif (5).
.SH AUTHOR
Eric Stokes
......@@ -50,31 +50,33 @@ Other database options are described in the
.BR slapd.conf (5)
manual page.
.LP
Note: as with the
.B ldap
backend, operational attributes related to entry creation/modification
should not be used, as they would be passed to the target servers,
generating an error.
Moreover, it makes little sense to use such attributes in proxying, as
the proxy server doesn't actually store data, so it should have no
knowledge of such attributes.
While code to strip the modification attributes has been put in place
(and #ifdef'd), it implies unmotivated overhead.
So it is strongly recommended to set
Note: In early versions of back-ldap and back-meta it was recommended to always set
.LP
.RS
.nf
lastmod off
.fi
.RE
.LP
for every
.B ldap
and
.B meta
backend.
database.
This is because operational attributes related to entry creation and
modification should not be proxied, as they could be mistakenly written
to the target server(s), generating an error.
The current implementation automatically sets lastmod to off, so its use
is redundant and should be omitted, because the lastmod directive will
be deprecated in the future.
.SH SPECIAL CONFIGURATION DIRECTIVES
Target configuration starts with the "uri" directive.
All the configuration directives that are not specific to targets
should be defined first for clarity, including those that are common
to all backends.
They are:
.TP
.B default-target none
This directive forces the backend to reject all those operations
......@@ -86,6 +88,7 @@ matches an attempt is made to perform the operation on any candidate
target, with the constraint that at most one must succeed.
This directive can also be used when processing targets to mark a
specific target as default.
.TP
.B dncache-ttl {forever|disabled|<ttl>}
This directive sets the time-to-live of the DN cache.
......@@ -93,6 +96,7 @@ This caches the target that holds a given DN to speed up target
selection in case multiple targets would result from an uncached
search; forever means cache never expires; disabled means no DN
caching; otherwise a valid ( > 0 ) ttl in seconds is required.
.TP
.B nretries {forever|never|<nretries>}
This directive defines how many times a bind should be retried
......@@ -103,6 +107,7 @@ the global value can be overridden by redefinitions inside each target
specification.
.SH TARGET SPECIFICATION
Target specification starts with a "uri" directive:
.TP
.B uri <protocol>://[<host>[:<port>]]/<naming context>
The "server" directive that was allowed in the LDAP backend (although
......@@ -130,10 +135,11 @@ Multiple URIs may be defined in a single argument. The URIs must
be separated by TABs (e.g. '\\t'; commas or spaces, unlike back-ldap,
will not work,
because they are legal in the <naming context>, and we don't want to use
URL-encoded <namimg context>s), and the additional URIs must have
URL-encoded <naming context>s), and the additional URIs must have
no <naming context> part. This causes the underlying library
to contact the first server of the list that responds.
.RE
.TP
.B default-target [<target>]
The "default-target" directive can also be used during target specification.
......@@ -141,6 +147,7 @@ With no arguments it marks the current target as the default.
The optional number marks target <target> as the default one, starting
from 1.
Target <target> must be defined.
.TP
.B acl-authcDN "<administrative DN for access control purposes>"
DN which is used to query the target server for acl checking,
......@@ -150,33 +157,72 @@ There is no risk of giving away such values; they are only used to
check permissions.
.B The acl-authcDN identity is by no means implicitly used by the proxy
.B when the client connects anonymously.
.TP
.B acl-passwd <password>
Password used with the
.B
acl-authcDN
above.
.TP
.B rebind-as-user
.B rebind-as-user {NO|yes}
If this option is given, the client's bind credentials are remembered
for rebinds when chasing referrals.
.TP
.B chase-referrals {YES|no}
enable/disable automatic referral chasing, which is delegated to the
underlying libldap, with rebinding eventually performed if the
\fBrebind-as-user\fP directive is used. The default is to chase referrals.
.TP
.B tls {[try-]start|[try-]propagate}
execute the start TLS extended operation when the connection is initialized;
only works if the URI directive protocol scheme is not \fBldaps://\fP.
\fBpropagate\fP issues the Start TLS exop only if the original
connection did.
The \fBtry-\fP prefix instructs the proxy to continue operations
if start TLS failed; its use is highly deprecated.
.TP
.B t-f-support {NO|yes|discover}
enable if the remote server supports absolute filters
(see \fIdraft-zeilenga-ldap-t-f\fP for details).
If set to
.BR discover ,
support is detected by reading the remote server's root DSE.
.TP
.B onerr {CONTINUE|stop}
This directive allows to select the behavior in case an error is returned
by one target during a search.
The default, \fBcontinue\fP, consists in continuing the operation,
trying to return as much data as possible.