Guide to the Linux Manual




slapd-asyncmeta(5)

asynchronous metadirectory backend to slapd

Target specification

Target specification starts with a "uri" directive:

uri <protocol>://[<host>]/<naming context> [...] Identical to meta. See slapd-meta(5) for details.

acl-authcDN <administrative DN for access control purposes> DN which is used to query the target server for acl checking, as in the LDAP backend; it is supposed to have read access on the target server to attributes used on the proxy for acl checking. There is no risk of giving away such values; they are only used to check permissions. The acl-authcDN identity is by no means implicitly used by the proxy when the client connects anonymously.

acl-passwd <password> Password used with the acl-authcDN above.

bind-timeout <microseconds> This directive defines the timeout, in microseconds, used when polling for response after an asynchronous bind connection. See slapd-meta(5) for details.

chase-referrals {YES|no} enable/disable automatic referral chasing, which is delegated to the underlying libldap, with rebinding eventually performed if the rebind-as-user directive is used. The default is to chase referrals. If set before any target specification, it affects all targets, unless overridden by any per-target directive.

client-pr {accept-unsolicited|DISABLE|<size>} This feature allows one to use RFC 2696 Paged Results control when performing search operations with a specific target, irrespective of the client's request. See slapd-meta(5) for details.

default-target [<target>] The "default-target" directive can also be used during target specification. With no arguments it marks the current target as the default. The optional number marks target <target> as the default one, starting from 1. Target <target> must be defined.

filter <pattern> This directive allows specifying a regex(5) pattern to indicate what search filter terms are actually served by a target.

In a search request, if the search filter matches the pattern the target is considered while fulfilling the request; otherwise the target is ignored. There may be multiple occurrences of the filter directive for each target.

idassert-authzFrom <authz-regexp> if defined, selects what local identities are authorized to exploit the identity assertion feature. The string <authz-regexp> follows the rules defined for the authzFrom attribute. See slapd.conf(5), section related to authz-policy, for details on the syntax of this field.

idassert-bind bindmethod=none|simple|sasl [binddn=<simple DN>] [credentials=<simple password>] [saslmech=<SASL mech>] [secprops=<properties>] [realm=<realm>] [authcId=<authentication ID>] [authzId=<authorization ID>] [authz={native|proxyauthz}] [mode=<mode>] [flags=<flags>] [starttls=no|yes|critical] [tls_cert=<file>] [tls_key=<file>] [tls_cacert=<file>] [tls_cacertdir=<path>] [tls_reqcert=never|allow|try|demand] [tls_reqsan=never|allow|try|demand] [tls_cipher_suite=<ciphers>] [tls_ecname=<names>] [tls_protocol_min=<major>[.<minor>]] [tls_crlcheck=none|peer|all] Allows one to define the parameters of the authentication method that is internally used by the proxy to authorize connections that are authenticated by other databases. See slapd-meta(5) for details.

idle-timeout <time> This directive causes a persistent connection to be dropped after it has been idle for the specified time. The connection will be re-created the next time it is selected for use. A connection is considered idle if no attempts have been made by the backend to use it to send a request to the backend server. If there are still pending requests in its queue, the connection will be dropped after the last request has either received a result or has timed out. The time is specified as

[<d>d][<h>h][<m>m][<s>[s]]

where <d>, <h>, <m> and <s> are respectively treated as days, hours, minutes and seconds. If set before any target specification, it affects all targets, unless overridden by any per-target directive.
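As an added example (not part of the man page or of OpenLDAP), a Python parser for the time syntax above: it converts an idle-timeout value to a whole number of seconds, rejects anything outside the grammar (units out of order, repeated units, unknown suffixes), and renders seconds back into the directive's syntax. The function names are my own.

```python
import re

# Grammar from the man page: [<d>d][<h>h][<m>m][<s>[s]]
# Every unit is optional, the order is fixed, and the trailing "s" on the
# seconds field may be omitted, so a bare number is a number of seconds.
_DURATION_RE = re.compile(
    r"^(?:(?P<d>\d+)d)?(?:(?P<h>\d+)h)?(?:(?P<m>\d+)m)?(?:(?P<s>\d+)s?)?$"
)


def parse_duration(spec: str) -> int:
    """Convert an idle-timeout style value to a whole number of seconds.

    Raises ValueError for anything the grammar does not allow: an empty
    string, units out of order, a repeated unit or an unknown suffix.
    """
    m = _DURATION_RE.match(spec.strip())
    if m is None or not any(m.groupdict().values()):
        raise ValueError(f"invalid time specification: {spec!r}")
    d, h, mi, s = (int(m.group(g) or 0) for g in ("d", "h", "m", "s"))
    return ((d * 24 + h) * 60 + mi) * 60 + s


def format_duration(seconds: int) -> str:
    """Inverse of parse_duration: render seconds in the directive's syntax."""
    if seconds < 0:
        raise ValueError("negative duration")
    d, rem = divmod(seconds, 86400)
    h, rem = divmod(rem, 3600)
    mi, s = divmod(rem, 60)
    parts = [f"{n}{u}" for n, u in ((d, "d"), (h, "h"), (mi, "m")) if n]
    if s or not parts:
        parts.append(f"{s}s")
    return "".join(parts)


def is_valid_duration(spec: str) -> bool:
    """True if spec is accepted by the grammar, False otherwise."""
    try:
        parse_duration(spec)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for value in ("1h30m", "90", "2d3h4m5s", "30m1h"):
        print(value, "->", parse_duration(value) if is_valid_duration(value) else "invalid")
```

A bare number such as `90` is accepted because the final `s` is optional in the grammar; `30m1h` is rejected because the units must appear in day, hour, minute, second order.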

keepalive <idle>:<probes>:<interval> The keepalive parameter sets the values of idle, probes, and interval used to check whether a socket is alive; idle is the number of seconds a connection needs to remain idle before TCP starts sending keepalive probes; probes is the maximum number of keepalive probes TCP should send before dropping the connection; interval is the interval in seconds between individual keepalive probes. Only some systems support the customization of these values; the keepalive parameter is ignored otherwise, and system-wide settings are used.

tcp-user-timeout <milliseconds> If non-zero, corresponds to the TCP_USER_TIMEOUT set on the target connections, overriding the operating system setting. Only some systems support the customization of this parameter; it is ignored otherwise and system-wide settings are used.

map {attribute|objectclass} [<local name>|*] {<foreign name>|*} This maps object classes and attributes as in the LDAP backend. See slapd-ldap(5).

network-timeout <time> Sets the network timeout value after which poll(2)/select(2) following a connect(2) returns in case of no activity while sending an operation to the remote target. The value is in milliseconds, and it can be specified as for idle-timeout. If set before any target specification, it affects all targets, unless overridden by any per-target directive.

nretries {forever|never|<nretries>} This directive defines how many times forwarding an operation should be retried in case of temporary failure in contacting a target. The number of retries is per operation, so if a bind to the target is necessary first, the remaining number is decremented. If defined before any target specification, it applies to all targets (by default, 3 times); the global value can be overridden by redefinitions inside each target specification.

rewrite* ... The rewrite options are identical to the meta backend. See the REWRITING section of slapd-meta(5).

subtree-{exclude|include} <rule> This directive allows one to indicate what subtrees are actually served by a target. See slapd-meta(5) for details.

suffixmassage <local suffix> <remote suffix> slapd-asyncmeta does not support the rewrite engine used by the LDAP and META backends. suffixmassage can be used to perform DN suffix rewriting, the same way as the obsoleted suffixmassage directive previously used by the LDAP backend.

t-f-support {NO|yes|discover} enable if the remote server supports absolute filters (see RFC 4526 for details). If set to discover, support is detected by reading the remote server's root DSE. If set before any target specification, it affects all targets, unless overridden by any per-target directive.

timeout [<op>=]<val> [...] This directive allows one to set per-operation timeouts. Operations can be

<op> ::= bind, add, delete, modrdn, modify, compare, search

By default, the timeout for all operations is 2 seconds.

See slapd-meta(5) for details.

tls {none|[try-]start|[try-]propagate|ldaps} [starttls=no] [tls_cert=<file>] [tls_key=<file>] [tls_cacert=<file>] [tls_cacertdir=<path>] [tls_reqcert=never|allow|try|demand] [tls_reqsan=never|allow|try|demand] [tls_cipher_suite=<ciphers>] [tls_ecname=<names>] [tls_crlcheck=none|peer|all] Specify TLS settings for regular connections.

If the first parameter is not "none" then this configures the TLS settings to be used for regular connections. The StartTLS extended operation will be used when establishing the connection unless the URI directive protocol scheme is ldaps://. In that case this keyword may only be set to "ldaps" and the StartTLS operation will not be used.

propagate issues the StartTLS operation only if the original connection did. The try- prefix instructs the proxy to continue operations if the StartTLS operation failed; its use is highly deprecated. The TLS settings default to the same as the main slapd TLS settings, except for tls_reqcert which defaults to "demand", tls_reqsan which defaults to "allow", and starttls which is overshadowed by the first keyword and thus ignored.

If set before any target specification, it affects all targets, unless overridden by any per-target directive.
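An added example, not part of the man page or of OpenLDAP: a Python check that applies the global/per-target inheritance rule stated above to a constructed slapd.conf fragment and reports the TLS choices this section describes as weak or invalid: the try- prefix, tls_reqcert below the default demand, a plain ldap:// target with no TLS at all, an ldaps:// target whose tls keyword is not ldaps, and idassert-bind simple credentials sent over a connection that is not protected. The configuration, host names and credential values are constructed, and the function names are my own.

```python
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed slapd.conf fragment (not taken from the man page): one global tls
# directive followed by four asyncmeta targets with different TLS choices.
SAMPLE_CONF = """
database        asyncmeta
suffix          "dc=example,dc=com"
tls             start tls_reqcert=demand

uri             "ldap://ldap1.example.internal/dc=example,dc=com"

uri             "ldap://ldap2.example.internal/dc=example,dc=com"
tls             try-start tls_reqcert=allow

uri             "ldaps://ldap3.example.internal/dc=example,dc=com"
tls             ldaps

uri             "ldap://ldap4.example.internal/dc=example,dc=com"
tls             none
idassert-bind   bindmethod=simple binddn="cn=proxy,dc=example,dc=com" credentials=changeme
"""

# tls_reqcert values weaker than the documented default "demand".
WEAK_REQCERT = {"never", "allow", "try"}


@dataclass
class Target:
    uri: str
    tls: Optional[List[str]] = None                 # effective tls directive tokens
    idassert: Dict[str, str] = field(default_factory=dict)


def parse_kv(tokens: List[str]) -> Dict[str, str]:
    """Split key=value tokens; a bare keyword gets an empty value."""
    out: Dict[str, str] = {}
    for tok in tokens:
        key, _, value = tok.partition("=")
        out[key.lower()] = value
    return out


def parse_targets(conf: str) -> List[Target]:
    """Group directives per target. A tls directive seen before the first uri is
    global and is inherited by every target unless the target sets its own."""
    global_tls: Optional[List[str]] = None
    targets: List[Target] = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        directive, args = tokens[0].lower(), tokens[1:]
        if directive == "uri":
            targets.append(Target(uri=args[0], tls=global_tls))
        elif directive == "tls":
            if targets:
                targets[-1].tls = args          # per-target override
            else:
                global_tls = args               # applies to all later targets
        elif directive == "idassert-bind" and targets:
            targets[-1].idassert = parse_kv(args)
    return targets


def audit(conf: str) -> List[str]:
    """Return one finding per weak or invalid TLS choice, per target."""
    findings: List[str] = []
    for t in parse_targets(conf):
        scheme = t.uri.split("://", 1)[0].lower()
        mode = t.tls[0].lower() if t.tls else "none"
        opts = parse_kv(t.tls[1:]) if t.tls else {}
        reqcert = opts.get("tls_reqcert", "demand").lower()   # man page default
        # TLS is guaranteed only for ldaps:// or an unconditional "start".
        protected = scheme == "ldaps" or mode == "start"

        if mode.startswith("try-"):
            findings.append(f"{t.uri}: tls {mode} keeps going when StartTLS fails (deprecated)")
        if scheme == "ldaps" and mode != "ldaps":
            findings.append(f"{t.uri}: ldaps:// target requires 'tls ldaps', found '{mode}'")
        if scheme == "ldap" and mode == "none":
            findings.append(f"{t.uri}: no TLS configured, traffic to this target is cleartext")
        if mode != "none" and reqcert in WEAK_REQCERT:
            findings.append(f"{t.uri}: tls_reqcert={reqcert} is weaker than the default 'demand'")
        ia = t.idassert
        if (ia.get("bindmethod") == "simple" and "credentials" in ia
                and not protected and ia.get("starttls", "no") == "no"):
            findings.append(f"{t.uri}: idassert-bind sends a simple password without TLS")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

On the sample, ldap1 inherits the global `tls start tls_reqcert=demand` and produces no finding, ldap2 is reported twice (try- prefix, tls_reqcert=allow), ldap3 is clean, and ldap4 is reported twice (no TLS, simple idassert credentials without TLS).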