SLAPD-LDAP(5)							File Formats Manual						     SLAPD-LDAP(5)

NAME

       slapd-ldap - LDAP backend to slapd

SYNOPSIS

       /etc/openldap/slapd.conf

DESCRIPTION

       The  LDAP  backend  to  slapd(8) is not an actual database; instead it acts as a proxy to forward incoming requests to another LDAP server.
       While processing requests it will also chase referrals, so that referrals are fully processed  instead  of  being  returned  to	the  slapd
       client.

CONFIGURATION

       These  slapd.conf  options apply to the LDAP backend database.  That is, they must follow a "database ldap" line and come before any subse-
       quent "backend" or "database" lines.  Other database options are described in the slapd.conf(5) manual page.

       Note: It is strongly recommended to set
	      lastmod  off
       for every ldap and meta database.  This is because operational attributes related to entry creation and modification should not be used, as
       they could be passed to the target servers, generating an error.

       uri <ldapurl>
	      LDAP  server  to	use.   Multiple URIs can be set in in a single ldapurl argument, resulting in the underlying library automatically
	      call the first server of the list that responds, e.g.

	      uri "ldap://host/ ldap://backup-host"

	      The URI list is space- or comma-separated.

       server <hostport>
	      Obsolete option; same as `uri ldap://<hostport>/'.

       binddn <administrative DN for access control purposes>
	      DN which is used to query the target server for acl checking; it should have read access on the target server to attributes used	on
	      the proxy for acl checking.  There is no risk of giving away such values; they are only used to check permissions.

       bindpw <password>
	      Password used with the bind DN above.

       rebind-as-user
	      If this option is given, the client's bind credentials are remembered for rebinds when chasing referrals.

       suffixmassage <suffix> <massaged (remote) suffix>
	      DNs  ending  with <suffix> in a request are changed to end with <remote suffix> before sending the request to the remote server, and
	      <remote suffix> in the results are changed back to <suffix> before returning them to the client.	The <suffix> field must be defined
	      as a valid suffix for the current database.

       map {attribute | objectclass} [<local name> | *] {<foreign name> | *}
	      Map  attribute  names  and  object  classes from the foreign server to different values on the local slapd.  The reason is that some
	      attributes might not be part of the local slapd's schema, some attribute names might be different but serve the same  purpose,  etc.
	      If  local or foreign name is `*', the name is preserved.	If local name is omitted, the foreign name is removed.	Unmapped names are
	      preseved if both local and foreign name are `*', and removed if local name is omitted and foreign name is `*'.

       rewrite*
	      The rewrite options are described in the "REWRITING" section of the slapd-meta(5) manual page.

EXAMPLES

       This maps the OpenLDAP objectclass `groupOfNames' to the Active Directory objectclass `group':

	      map objectclass groupOfNames group

       This presents a limited attribute set from the foreign server:

	      map attribute cn *
	      map attribute sn *
	      map attribute manager *
	      map attribute description *
	      map attribute *

       These lines map cn, sn, manager, and description to themselves, and any other attribute gets "removed" from the object before it is sent to
       the client (or sent up to the LDAP server).  This is obviously a simplistic example, but you get the point.

FILES

       /etc/openldap/slapd.conf
	      default slapd configuration file

SEE ALSO

       slapd.conf(5), slapd-meta(5), slapd(8), ldap(3).

OpenLDAP 2.1.X							    RELEASEDATE 						     SLAPD-LDAP(5)