Target <target> must be defined.
.B idassert-authzFrom <authz-regexp>
if defined, selects what
identities are authorized to exploit the identity assertion feature.
follows the rules defined for the
for details on the syntax of this field.
.B bindmethod=none|simple|sasl [binddn=<simple DN>] [credentials=<simple password>]
.B [saslmech=<SASL mech>] [secprops=<properties>] [realm=<realm>]
.B [authcId=<authentication ID>] [authzId=<authorization ID>]
.B [authz={native|proxyauthz}] [mode=<mode>] [flags=<flags>]
.B [tls_cacert=<file>]
.B [tls_cacertdir=<path>]
.B [tls_reqcert=never|allow|try|demand]
.B [tls_ciphersuite=<ciphers>]
.B [tls_crlcheck=none|peer|all]
Defines the parameters of the authentication method that the proxy
uses internally to authorize connections that were
authenticated by other databases.
The identity defined by this directive, according to the properties
associated with the authentication method, is expected to have auth access
on the target server to the attributes used on the proxy for authentication
and authorization, and to be allowed to authorize the users.
This requires having
privileges on a wide set of DNs, e.g.
.BR authzTo=dn.subtree:"" ,
and the remote server to have
for details on these statements and for remarks and drawbacks about
The supported bindmethods are
\fBnone|simple|sasl\fP
is the default, i.e. no \fIidentity assertion\fP is performed.
The authz parameter is used to instruct the SASL bind to exploit
SASL authorization, if available; since connections are cached,
this should only be used when authorizing with a fixed identity
(e.g. by means of the
Otherwise, the default
is used, i.e. the proxyAuthz control (Proxied Authorization, RFC 4370)
is added to all operations.
The supported modes are:
\fB<mode> := {legacy|anonymous|none|self}\fP
is given, the proxy always authorizes that identity.
.B <authorization ID>
The former is supposed to be expanded by the remote server according
to the authz rules; see
In the latter case, whether or not the
prefix is present, the string must pass DN validation and normalization.
which implies that the proxy will either perform a simple bind as the
or a SASL bind as the
and assert the client's identity when it is not anonymous.
Direct binds are always proxied.
The other modes imply that the proxy will always either perform a simple bind
or a SASL bind as the
.BR idassert-authzFrom
rules (see below), in which case the operation will fail;
eventually, it will assert some other identity according to
Other identity assertion modes are
which respectively mean that the
which means that no proxyAuthz control will be used, so the
identity will be asserted.
For all modes that require the use of the
control, on the remote server the proxy identity must have appropriate
permissions, or the asserted identities must have appropriate
permissions. Note, however, that the ID assertion feature is mostly
useful when the asserted identities do not exist on the remote server.
\fBoverride,[non-]prescriptive\fP
flag is used, identity assertion takes place even when the database
is authorizing for the identity of the client, i.e. after binding
with the provided identity, and thus authenticating it, the proxy
performs the identity assertion using the configured identity and
authentication method.
flag is used (the default), operations fail with
\fIinappropriateAuthentication\fP
for those identities whose assertion is not allowed by the
.B idassert-authzFrom
flag is used, operations are performed anonymously for those identities
whose assertion is not allowed by the
.B idassert-authzFrom
The TLS settings default to the same as the main slapd TLS settings,
which defaults to "demand".
The identity associated with this directive is also used for privileged
operations whenever \fBidassert-bind\fP is defined and \fBacl-bind\fP
is not. See \fBacl-bind\fP for details.
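The following slapd.conf excerpt is an added, constructed example (not taken from the OpenLDAP manual pages or sources) showing idassert-bind in a prescriptive configuration, with the matching authorization setup on the remote server and the weaker variants noted in comments. The host ldap1.example.com, the proxy identity cn=proxy,dc=example,dc=com, the ou=People subtree and the credential placeholder are assumptions.

```conf
# ---- Proxy side: slapd-meta database in slapd.conf (constructed example) ----
database        meta
suffix          "dc=example,dc=com"

# Assumed remote target; ldaps:// so the tls_* parameters below apply.
uri             "ldaps://ldap1.example.com/dc=example,dc=com"

# mode=self: the proxy always binds to the target as cn=proxy and asserts
# the client's identity through the proxyAuthz control (authz=proxyauthz,
# the default). Lines starting with whitespace continue the directive.
idassert-bind   bindmethod=simple
                binddn="cn=proxy,dc=example,dc=com"
                credentials="<proxy-password-placeholder>"
                mode=self
                flags=prescriptive
                tls_reqcert=demand

# Only clients authenticated under ou=People may be asserted. With
# flags=prescriptive any other authenticated identity fails with
# inappropriateAuthentication; flags=non-prescriptive would instead
# run its operations anonymously on the target, without any error.
idassert-authzFrom "dn.subtree:ou=People,dc=example,dc=com"

# Weaker variants to avoid:
#   flags=non-prescriptive              (silent anonymous fallback)
#   idassert-authzFrom "dn.regex:.*"    (every local identity may be asserted)
#   no idassert-authzFrom at all        (no restriction on assertion)
#   tls_reqcert=never                   (target certificate never checked)

# ---- Target side (ldap1.example.com) slapd.conf ----
# Let the proxy entry state whom it may impersonate through its authzTo
# attribute, e.g. in LDIF:
#   authzTo: dn.subtree:ou=People,dc=example,dc=com
# instead of the wide-open dn.subtree:"" shown in the manual page.
authz-policy    to

# The proxy identity needs auth access to the attributes the proxy uses
# for authentication; the asserted users keep their own rights.
access to attrs=userPassword
        by dn.exact="cn=proxy,dc=example,dc=com" auth
        by self write
        by * none
```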
.B idle-timeout <time>
This directive causes a cached connection to be dropped and recreated
after it has been idle for the specified time.