SLAPD-RELAY(5)SLAPD-RELAY(5)NAMEslapd-relay - relay backend to slapd
SYNOPSIS
/etc/openldap/slapd.conf
DESCRIPTION
The primary purpose of this slapd(8) backend is to map a naming context
defined in a database running in the same slapd(8) instance into a vir‐
tual naming context, with attributeType and objectClass manipulation,
if required. It requires the rwm overlay.
This backend and the above mentioned overlay are experimental.
CONFIGURATION
The following slapd.conf directives apply to the relay backend data‐
base. That is, they must follow a "database relay" line and come
before any subsequent "backend" or "database" lines. Other database
options are described in the slapd.conf(5) manual page; only the suffix
directive is required by the relay backend.
relay <real naming context> [massage]
The naming context of the database that is presented under a
virtual naming context. The presence of this directive implies
that one specific database, i.e. the one serving the real naming
context, will be presented under a virtual naming context. This
directive automatically instantiates the rwm overlay. If the
optional massage keyword is present, the suffix massaging is
automatically configured as well; otherwise, specific massaging
instructions are required by means of the rewrite directives
described in slapo-rwm(5).
ACCESS RULES
One important issue is that access rules are based on the identity that
issued the operation. After massaging from the virtual to the real
naming context, the frontend sees the operation as performed by the
identity in the real naming context. Moreover, since back-relay
bypasses the real database frontend operations by short-circuiting
operations thru the internal backend API, the original database access
rules do not apply but in selected cases, i.e. when the backend itself
applies access control. As a consequence, the instances of the relay
database must provide own access rules that are consistent with those
of the original database, possibly adding further specific restric‐
tions. So, access rules in the relay database must refer to identities
in the real naming context. Examples are reported in the EXAMPLES sec‐
tion.
SCENARIOS
If no relay directive is given, the relay database does not refer to
any specific database, but the most appropriate one is looked-up after
rewriting the request DN for the operation that is being handled.
This allows to write carefully crafted rewrite rules that cause some of
the requests to be directed to one database, and some to another; e.g.,
authentication can be mapped to one database, and searches to another,
or different target databases can be selected based on the DN of the
request, and so.
Another possibility is to map the same operation to different databases
based on details of the virtual naming context, e.g. groups on one
database and persons on another.
Caveats
The rwm overlay is experimental.
EXAMPLES
To implement a plain virtual naming context mapping that refers to a
single database, use
database relay
suffix "dc=virtual,dc=naming,dc=context"
relay "dc=real,dc=naming,dc=context" massage
To implement a plain virtual naming context mapping that looks up the
real naming context for each operation, use
database relay
suffix "dc=virtual,dc=naming,dc=context"
overlay rwm
suffixmassage "dc=real,dc=naming,dc=context"
This is useful, for instance, to relay different databases that share
the terminal portion of the naming context (the one that is rewritten).
To implement the old-fashioned suffixalias, e.g. mapping the virtual to
the real naming context, but not the results back from the real to the
virtual naming context, use
database relay
suffix "dc=virtual,dc=naming,dc=context"
relay "dc=real,dc=naming,dc=context"
rewriteEngine on
rewriteContext default
rewriteRule "dc=virtual,dc=naming,dc=context"
"dc=real,dc=naming,dc=context" ":@"
rewriteContext searchFilter
rewriteContext searchEntryDN
rewriteContext searchAttrDN
rewriteContext matchedDN
Note that the virtual database is bound to a single real database, so
the rwm overlay is automatically instantiated, but the rewrite rules
are written explicitly to map all the virtual to real naming context
data flow, but none of the real to virtual.
Access rules:
database bdb
suffix "dc=example,dc=com"
# skip...
access to dn.subtree="dc=example,dc=com"
by dn.exact="cn=Supervisor,dc=example,dc=com" write
by * read
database relay
suffix "o=Example,c=US"
relay "dc=example,dc=com" massage
# skip ...
access to dn.subtree="o=Example,c=US"
by dn.exact="cn=Supervisor,dc=example,dc=com" write
by dn.exact="cn=Relay Supervisor,dc=example,dc=com" write
by * read
Note that, in both databases, the identities (the <who> clause) are in
the real naming context, i.e. `dc=example,dc=com', while the targets
(the <what> clause) are in the real and in the virtual naming context,
respectively.
ACCESS CONTROL
The relay backend does not honor any of the access control semantics
described in slapd.access(5); all access control is delegated to the
relayed database(s). Only read (=r) access to the entry pseudo-
attribute and to the other attribute values of the entries returned by
the search operation is honored, which is performed by the frontend.
FILES
/etc/openldap/slapd.conf
default slapd configuration file
SEE ALSOslapd.conf(5), slapo-rwm(5), slapd(8).
OpenLDAP 2.3.27 2006/08/19 SLAPD-RELAY(5)
