|
|
Эта страница руководства для версии 10.9 Mac OS XЕсли Вы выполняете различную версию Mac OS X, просматриваете документацию локально:
Читать страницы руководстваСтраницы руководства предназначаются как справочник для людей, уже понимающих технологию.
|
SLAPO-CHAIN(5) SLAPO-CHAIN(5)
NAME
slapo-chain - chain overlay to slapd
SYNOPSIS
/etc/openldap/slapd.conf
DESCRIPTION
The chain overlay to slapd(8) allows automatic referral chasing. Any time a referral is returned
(except for bind operations), it is chased by using an instance of the ldap backend. If operations
are performed with an identity (i.e. after a bind), that identity can be asserted while chasing the
referrals by means of the identity assertion feature of back-ldap (see slapd-ldap(5) for details),
which is essentially based on the proxied authorization control [RFC 4370]. Referral chasing can be
controlled by the client by issuing the chaining control (see draft-sermersheim-ldap-chaining for
details.)
The config directives that are specific to the chain overlay are prefixed by chain-, to avoid poten-tial potential
tial conflicts with directives specific to the underlying database or to other stacked overlays.
There are very few chain overlay specific directives; however, directives related to the instances of
the ldap backend that may be implicitly instantiated by the overlay may assume a special meaning when
used in conjunction with this overlay. They are described in slapd-ldap(5), and they also need to be
prefixed by chain-.
Note: this overlay is built into the ldap backend; it is not a separate module.
overlay chain
This directive adds the chain overlay to the current backend. The chain overlay may be used
with any backend, but it is mainly intended for use with local storage backends that may
return referrals. It is useless in conjunction with the slapd-ldap and slapd-meta backends
because they already exploit the libldap specific referral chase feature. [Note: this may
change in the future, as the ldap(5) and meta(5) backends might no longer chase referrals on
their own.]
chain-cache-uri {FALSE|true}
This directive instructs the chain overlay to cache connections to URIs parsed out of refer-rals referrals
rals that are not predefined, to be reused for later chaining. These URIs inherit the proper-ties properties
ties configured for the underlying slapd-ldap(5) before any occurrence of the chain-uri direc-tive; directive;
tive; basically, they are chained anonymously.
chain-chaining [resolve=<r>] [continuation=<c>] [critical]
This directive enables the chaining control (see draft-sermersheim-ldap-chaining for details)
with the desired resolve and continuation behaviors and criticality. The resolve parameter
refers to the behavior while discovering a resource, namely when accessing the object indi-cated indicated
cated by the request DN; the continuation parameter refers to the behavior while handling
intermediate responses, which is mostly significant for the search operation, but may affect
extended operations that return intermediate responses. The values r and c can be any of
chainingPreferred, chainingRequired, referralsPreferred, referralsRequired. If the critical
flag affects the control criticality if provided. [This control is experimental and its sup-port support
port may change in the future.]
chain-max-depth <n>
In case a referral is returned during referral chasing, further chasing occurs at most <n>
levels deep. Set to 1 (the default) to disable further referral chasing.
chain-return-error {FALSE|true}
In case referral chasing fails, the real error is returned instead of the original referral.
In case multiple referral URIs are present, only the first error is returned. This behavior
may not be always appropriate nor desirable, since failures in referral chasing might be bet-ter better
ter resolved by the client (e.g. when caused by distributed authentication issues).
chain-uri <ldapuri>
This directive instantiates a new underlying ldap database and instructs it about which URI to
contact to chase referrals. As opposed to what stated in slapd-ldap(5), only one URI can
appear after this directive; all subsequent slapd-ldap(5) directives prefixed by chain- refer
to this specific instance of a remote server.
Directives for configuring the underlying ldap database may also be required, as shown in this exam-ple: example:
ple:
overlay chain
chain-rebind-as-user FALSE
chain-uri "ldap://ldap1.example.com"
chain-rebind-as-user TRUE
chain-idassert-bind bindmethod="simple"
binddn="cn=Auth,dc=example,dc=com"
credentials="secret"
mode="self"
chain-uri "ldap://ldap2.example.com"
chain-idassert-bind bindmethod="simple"
binddn="cn=Auth,dc=example,dc=com"
credentials="secret"
mode="none"
Any valid directives for the ldap database may be used; see slapd-ldap(5) for details. Multiple
occurrences of the chain-uri directive may appear, to define multiple "trusted" URIs where operations
with identity assertion are chained. All URIs not listed in the configuration are chained anony-mously. anonymously.
mously. All slapd-ldap(5) directives appearing before the first occurrence of chain-uri are inher-ited inherited
ited by all URIs, unless specifically overridden inside each URI configuration.
FILES
/etc/openldap/slapd.conf
default slapd configuration file
SEE ALSO
slapd.conf(5), slapd-config(5), slapd-ldap(5), slapd(8).
AUTHOR
Originally implemented by Howard Chu; extended by Pierangelo Masarati.
OpenLDAP 2.4.28 2011/11/24 SLAPO-CHAIN(5)
|
Сообщение о проблемах
Способ сообщить о проблеме с этой страницей руководства зависит от типа проблемы:
- Ошибки содержания
- Ошибки отчета в содержании этой документации со ссылками на отзыв ниже.
- Отчеты об ошибках
- Сообщите об ошибках в функциональности описанного инструмента или API через Генератор отчетов Ошибки.
- Форматирование проблем
- Отчет, форматирующий ошибки в интерактивной версии этих страниц со ссылками на отзыв ниже.