1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
|
.TH SLAPO-TRANSLUCENT 5 "RELEASEDATE" "OpenLDAP LDVERSION"
.\" Copyright 2004-2021 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
slapo\-translucent \- Translucent Proxy overlay to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
The Translucent Proxy overlay can be used with a backend database such as
.BR slapd\-bdb (5)
to create a "translucent proxy". Entries retrieved from a remote LDAP
server may have some or all attributes overridden, or new attributes
added, by entries in the local database before being presented to the
client.
.LP
A
.BR search
operation is first populated with entries from the remote LDAP server, the
attributes of which are then overridden with any attributes defined in the
local database. Local overrides may be populated with the
.BR add ,
.B modify ,
and
.B modrdn
operations, the use of which is restricted to the root user.
.LP
A
.BR compare
operation will perform a comparison with attributes defined in the local
database record (if any) before any comparison is made with data in the
remote database.
.SH CONFIGURATION
The Translucent Proxy overlay uses a proxied database,
typically a (set of) remote LDAP server(s), which is configured with the options shown in
.BR slapd\-ldap (5),
.BR slapd\-meta (5)
or similar.
These
.B slapd.conf
options are specific to the Translucent Proxy overlay; they must appear
after the
.B overlay
directive that instantiates the
.B translucent
overlay.
.TP
.B translucent_strict
By default, attempts to delete attributes in either the local or remote
databases will be silently ignored. The
.B translucent_strict
directive causes these modifications to fail with a Constraint Violation.
.TP
.B translucent_no_glue
This configuration option disables the automatic creation of "glue" records
for an
.B add
or
.B modrdn
operation, such that all parents of an entry added to the local database
must be created by hand. Glue records are always created for a
.B modify
operation.
.TP
.B translucent_local <attr[,attr...]>
Specify a list of attributes that should be searched for in the local database
when used in a search filter. By default, search filters are only handled by
the remote database. With this directive, search filters will be split into a
local and remote portion, and local attributes will be searched locally.
.TP
.B translucent_remote <attr[,attr...]>
Specify a list of attributes that should be searched for in the remote database
when used in a search filter. This directive complements the
.B translucent_local
directive. Attributes may be specified as both local and remote if desired.
.LP
If neither
.B translucent_local
nor
.B translucent_remote
are specified, the default behavior is to search the remote database with the
complete search filter. If only
.B translucent_local
is specified, searches will only be run on the local database. Likewise, if only
.B translucent_remote
is specified, searches will only be run on the remote database. In any case, both
the local and remote entries corresponding to a search result will be merged
before being returned to the client.
.TP
.B translucent_bind_local
Enable looking for locally stored credentials for simple bind when binding
to the remote database fails. Disabled by default.
.TP
.B translucent_pwmod_local
Enable RFC 3062 Password Modification extended operation on locally stored
credentials. The operation only applies to entries that exist in the remote
database. Disabled by default.
.SH ACCESS CONTROL
Access control is delegated to either the remote DSA(s) or to the local database
backend for
.B auth
and
.B write
operations.
It is delegated to the remote DSA(s) and to the frontend for
.B read
operations.
Local access rules involving data returned by the remote DSA(s) should be designed
with care. In fact, entries are returned by the remote DSA(s) only based on the
remote fraction of the data, based on the identity the operation is performed as.
As a consequence, local rules might only be allowed to see a portion
of the remote data.
.SH CAVEATS
.LP
The Translucent Proxy overlay will disable schema checking in the local database,
so that an entry consisting of overlay attributes need not adhere to the
complete schema.
.LP
Because the translucent overlay does not perform any DN rewrites, the local
and remote database instances must have the same suffix. Other configurations
will probably fail with No Such Object and other errors.
.SH FILES
.TP
ETCDIR/slapd.conf
default slapd configuration file
.SH SEE ALSO
.BR slapd.conf (5),
.BR slapd\-config (5),
.BR slapd\-ldap (5).
|