SLAPO-TRANSLUCENT(5) | File Formats Manual | SLAPO-TRANSLUCENT(5) |
slapo-translucent - Translucent Proxy overlay to slapd
/etc/ldap/slapd.conf
The Translucent Proxy overlay can be used with a backend database such as slapd-bdb(5) to create a "translucent proxy". Entries retrieved from a remote LDAP server may have some or all attributes overridden, or new attributes added, by entries in the local database before being presented to the client.
A search operation is first populated with entries from the remote LDAP server, the attributes of which are then overridden with any attributes defined in the local database. Local overrides may be populated with the add, modify , and modrdn operations, the use of which is restricted to the root user.
A compare operation will perform a comparison with attributes defined in the local database record (if any) before any comparison is made with data in the remote database.
The Translucent Proxy overlay uses a proxied database, typically a (set of) remote LDAP server(s), which is configured with the options shown in slapd-ldap(5), slapd-meta(5) or similar. These slapd.conf options are specific to the Translucent Proxy overlay; they must appear after the overlay directive that instantiates the translucent overlay.
If neither translucent_local nor translucent_remote are specified, the default behavior is to search the remote database with the complete search filter. If only translucent_local is specified, searches will only be run on the local database. Likewise, if only translucent_remote is specified, searches will only be run on the remote database. In any case, both the local and remote entries corresponding to a search result will be merged before being returned to the client.
Access control is delegated to either the remote DSA(s) or to the local database backend for auth and write operations. It is delegated to the remote DSA(s) and to the frontend for read operations. Local access rules involving data returned by the remote DSA(s) should be designed with care. In fact, entries are returned by the remote DSA(s) only based on the remote fraction of the data, based on the identity the operation is performed as. As a consequence, local rules might only be allowed to see a portion of the remote data.
The Translucent Proxy overlay will disable schema checking in the local database, so that an entry consisting of overlay attributes need not adhere to the complete schema.
Because the translucent overlay does not perform any DN rewrites, the local and remote database instances must have the same suffix. Other configurations will probably fail with No Such Object and other errors.
2018/12/19 | OpenLDAP |