.TH SLAPD-META 5 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" Copyright 1998-2015 The OpenLDAP Foundation, All Rights Reserved.
+.\" Copyright 1998-2024 The OpenLDAP Foundation, All Rights Reserved.
.\" Copying restrictions apply. See the COPYRIGHT file.
.\" Copyright 2001, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
.\" $OpenLDAP$
.LP
Note: When looping back to the same instance of \fBslapd\fP(8),
-each connection requires a new thread; as a consequence, \fBslapd\fP(8)
-must be compiled with thread support, and the \fBthreads\fP parameter
-may need some tuning; in those cases, unless the multiple target feature
-is required, one may consider using \fBslapd\-relay\fP(5) instead,
+each connection requires a new thread; as a consequence, the \fBslapd\fP(8)
+\fBthreads\fP parameter may need some tuning. In those cases, unless the
+multiple target feature is required, one may consider using \fBslapd\-relay\fP(5) instead,
which performs the relayed operation internally and thus reuses
the same connection.
.SH EXAMPLES
There are examples in various places in this document, as well as in the
-slapd/back\-meta/data/ directory in the OpenLDAP source tree.
+slapd/back-meta/data/ directory in the OpenLDAP source tree.
.SH CONFIGURATION
These
.B slapd.conf
to all backends.
They are:
+.TP
+.B conn\-pool\-max <int>
+This directive defines the maximum size of the privileged connections pool.
+
.TP
.B conn\-ttl <time>
This directive causes a cached connection to be dropped an recreated
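Review bot: the new conn-pool-max entry states no default value and does not say what happens when the pool is full (whether further privileged operations wait, fail, or fall back to an uncached connection); please state both, as onerr does for its default further down. While this section is being touched, the neighbouring context line "dropped an recreated" should read "dropped and recreated".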
.TP
.B onerr {CONTINUE|report|stop}
-This directive allows to select the behavior in case an error is returned
+This directive allows one to select the behavior in case an error is returned
by one target during a search.
The default, \fBcontinue\fP, consists in continuing the operation,
trying to return as much data as possible.
If the value is set to \fBstop\fP, the search is terminated as soon
as an error is returned by one target, and the error is immediately
propagated to the client.
-If the value is set to \fBreport\fP, the search is continuated to the end
+If the value is set to \fBreport\fP, the search is continued to the end
but, in case at least one target returned an error code, the first
non-success error code is returned.
.BR yes ,
causes the authentication to the remote servers with the pseudo-root
identity (the identity defined in each
-.B idassert-bind
+.B idassert\-bind
directive) to be deferred until actually needed by subsequent operations.
Otherwise, all binds as the rootdn are propagated to the targets.
.TP
.B acl\-passwd <password>
Password used with the
-.B
-acl\-authcDN
+.B acl\-authcDN
above.
.TP
.TP
.B client\-pr {accept-unsolicited|DISABLE|<size>}
-This feature allows to use RFC 2696 Paged Results control when performing
+This feature allows one to use RFC 2696 Paged Results control when performing
search operations with a specific target,
irrespective of the client's request.
When set to a numeric value, Paged Results control is always
used with \fIsize\fP as the page size.
-When set to \fIaccept-unsolicited\fP, unsolicited Paged Results
+When set to \fIaccept\-unsolicited\fP, unsolicited Paged Results
control responses are accepted and honored
for compatibility with broken remote DSAs.
The client is not exposed to paged results handling
.I local
identities are authorized to exploit the identity assertion feature.
The string
-.B <authz-regexp>
+.B <authz\-regexp>
follows the rules defined for the
.I authzFrom
attribute.
.B [tls_cacert=<file>]
.B [tls_cacertdir=<path>]
.B [tls_reqcert=never|allow|try|demand]
+.B [tls_reqsan=never|allow|try|demand]
.B [tls_cipher_suite=<ciphers>]
+.B [tls_ecname=<ciphers>]
.B [tls_protocol_min=<major>[.<minor>]]
.B [tls_crlcheck=none|peer|all]
.RS
-Allows to define the parameters of the authentication method that is
+Allows one to define the parameters of the authentication method that is
internally used by the proxy to authorize connections that are
authenticated by other databases.
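Review bot: the new `tls_ecname=<ciphers>` placeholder in the idassert-bind syntax is inconsistent with the `tls_ecname=<names>` used for the tls directive later in this same patch; use `.B [tls_ecname=<names>]` here so both directives agree. tls_reqsan is likewise added to the syntax list but its meaning is never explained in this section; a one-line description, or a pointer to the corresponding option in slapd.conf(5), would help.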
The identity defined by this directive, according to the properties
.B none
is the default, i.e. no \fIidentity assertion\fP is performed.
-The authz parameter is used to instruct the SASL bind to exploit
+The
+.B authz
+parameter is used to instruct the SASL bind to exploit
.B native
SASL authorization, if available; since connections are cached,
this should only be used when authorizing with a fixed identity
The TLS settings default to the same as the main slapd TLS settings,
except for
.B tls_reqcert
-which defaults to "demand".
+which defaults to "demand", and
+.B tls_reqsan
+which defaults to "allow"..
The identity associated to this directive is also used for privileged
operations whenever \fBidassert\-bind\fP is defined and \fBacl\-bind\fP
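Review bot: `which defaults to "allow"..` has a doubled period; drop one. The resulting default sentence is then repeated almost verbatim under the tls directive below (tls_reqcert "demand", tls_reqsan "allow"); consider having one of the two refer to the other so the defaults cannot drift apart in future edits.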
.B keepalive
parameter is ignored otherwise, and system-wide settings are used.
+.TP
+.B tcp\-user\-timeout <milliseconds>
+If non-zero, corresponds to the
+.B TCP_USER_TIMEOUT
+set on the target connections, overriding the operating system setting.
+Only some systems support the customization of this parameter, it is
+ignored otherwise and system-wide settings are used.
+
.TP
.B map "{attribute|objectclass} [<local name>|*] {<foreign name>|*}"
This maps object classes and attributes as in the LDAP backend.
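Review bot: `Only some systems support the customization of this parameter, it is ignored otherwise and system-wide settings are used.` is a comma splice; split it, matching the wording already used for keepalive just above: `Only some systems support the customization of this parameter; it is ignored otherwise, and system-wide settings are used.` The opening "If non-zero" also implies that zero is special, but the entry never says what zero does (disable the override and keep the OS default?); one clause would settle it.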
.TP
.B subtree\-{exclude|include} "<rule>"
-This directive allows to indicate what subtrees are actually served
+This directive allows one to indicate what subtrees are actually served
by a target.
The syntax of the supported rules is
.TP
.B timeout [<op>=]<val> [...]
-This directive allows to set per-operation timeouts.
+This directive allows one to set per-operation timeouts.
Operations can be
\fB<op> ::= bind, add, delete, modrdn, modify, compare, search\fP
is destroyed, according to RFC4511.
.TP
-.B tls {[try\-]start|[try\-]propagate}
-execute the StartTLS extended operation when the connection is initialized;
-only works if the URI directive protocol scheme is not \fBldaps://\fP.
-\fBpropagate\fP issues the StartTLS operation only if the original
-connection did.
+.B tls {none|[try\-]start|[try\-]propagate|ldaps}
+.B [starttls=no]
+.B [tls_cert=<file>]
+.B [tls_key=<file>]
+.B [tls_cacert=<file>]
+.B [tls_cacertdir=<path>]
+.B [tls_reqcert=never|allow|try|demand]
+.B [tls_reqsan=never|allow|try|demand]
+.B [tls_cipher_suite=<ciphers>]
+.B [tls_ecname=<names>]
+.B [tls_crlcheck=none|peer|all]
+.RS
+Specify TLS settings regular connections.
+
+If the first parameter is not "none" then this configures the TLS
+settings to be used for regular connections.
+The StartTLS extended operation will be used when establishing the
+connection unless the URI directive protocol scheme is \fBldaps://\fP.
+In that case this keyword may only be set to "ldaps" and the StartTLS
+operation will not be used.
+
+With \fBpropagate\fP, the proxy issues the StartTLS operation only if
+the original connection has a TLS layer set up.
The \fBtry\-\fP prefix instructs the proxy to continue operations
-if the StartTLS operation failed; its use is highly deprecated.
+if the StartTLS operation failed; its use is \fBnot\fP recommended.
+
+The TLS settings default to the same as the main slapd TLS settings,
+except for
+.B tls_reqcert
+which defaults to "demand",
+.B tls_reqsan
+which defaults to "allow", and
+.B starttls
+which is overshadowed by the first keyword and thus ignored.
+
If set before any target specification, it affects all targets, unless
overridden by any per-target directive.
+.RE
.SH SCENARIOS
A powerful (and in some sense dangerous) rewrite engine has been added
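Review bot: `Specify TLS settings regular connections.` is missing a word; make it `Specify TLS settings for regular connections.` More substantively, the syntax line lists `[starttls=no]` but the closing paragraph says starttls "is overshadowed by the first keyword and thus ignored"; documenting an option only to say it does nothing is confusing, so either drop it from the syntax list or explain when a user would set it. The ldaps:// case is also left ambiguous: the text says the keyword "may only be set to ldaps" there, but not whether `none` or `start` is rejected or silently accepted. Finally, since the try- prefix means the proxy carries on over the unencrypted connection when StartTLS fails, it would be worth saying so explicitly rather than only "not recommended", so the reader understands what is being risked.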
above scenarios.
.SH ACLs
Note on ACLs: at present you may add whatever ACL rule you desire
-to to the Meta (and LDAP) backends.
+to the Meta (and LDAP) backends.
However, the meaning of an ACL on a proxy may require some
considerations.
Two philosophies may be considered:
Rules are made of a regex match pattern, a substitution pattern
and a set of actions, described by a set of flags.
In case of match a string rewriting is performed according to the
-substitution pattern that allows to refer to substrings matched in the
+substitution pattern that allows one to refer to substrings matched in the
incoming string.
The actions, if any, are finally performed.
The substitution pattern allows map resolution of substrings.
.SH "Additional configuration syntax:"
.TP
.B rewriteMap "<map type>" "<map name>" "[ <map attrs> ]"
-Allows to define a map that transforms substring rewriting into
+Allows one to define a map that transforms substring rewriting into
something else.
The map is referenced inside the substitution pattern of a rule.
.TP
default slapd configuration file
.SH SEE ALSO
.BR slapd.conf (5),
+.BR slapd\-asyncmeta (5),
.BR slapd\-ldap (5),
.BR slapo\-pcache (5),
.BR slapd (8),