Linux Man Page Viewer
The following form allows you to view linux man pages.
The primary purpose of this slapd(8) backend is to map a naming context
defined in a database running in the same slapd(8) instance into a vir-
tual naming context, with attributeType and objectClass manipulation,
if required. It requires the slapo-rwm(5) overlay.
This backend and the above mentioned overlay are experimental.
The following slapd.conf directives apply to the relay backend
database. That is, they must follow a "database relay" line and come
before any subsequent "backend" or "database" lines. Other database
options are described in the slapd.conf(5) manual page; only the suffix
directive is allowed by the relay backend.
relay <real naming context>
The naming context of the database that is presented under a
virtual naming context. The presence of this directive implies
that one specific database, i.e. the one serving the real naming
context, will be presented under a virtual naming context.
The relay database does not automatically rewrite the naming context of
requests and responses. For this purpose, the slapo-rwm(5) overlay
must be explicitly instantiated, and configured as appropriate. Usu-
ally, the rwm-suffixmassage directive suffices if only naming context
rewriting is required.
One important issue is that access rules are based on the identity that
issued the operation. After massaging from the virtual to the real
naming context, the frontend sees the operation as performed by the
identity in the real naming context. Moreover, since back-relay
bypasses the real database frontend operations by short-circuiting
operations through the internal backend API, the original database
access rules do not apply but in selected cases, i.e. when the backend
itself applies access control. As a consequence, the instances of the
relay database must provide own access rules that are consistent with
those of the original database, possibly adding further specific
restrictions. So, access rules in the relay database must refer to
identities in the real naming context. Examples are reported in the
If no relay directive is given, the relay database does not refer to
any specific database, but the most appropriate one is looked-up after
To implement a plain virtual naming context mapping that refers to a
single database, use
To implement a plain virtual naming context mapping that looks up the
real naming context for each operation, use
This is useful, for instance, to relay different databases that share
the terminal portion of the naming context (the one that is rewritten).
To implement the old-fashioned suffixalias, e.g. mapping the virtual to
the real naming context, but not the results back from the real to the
virtual naming context, use
Note that the slapo-rwm(5) overlay is instantiated, but the rewrite
rules are written explicitly, rather than automatically as with the
rwm-suffixmassage statement, to map all the virtual to real naming con-
text data flow, but none of the real to virtual.
access to dn.subtree="dc=example,dc=com"
by dn.exact="cn=Supervisor,dc=example,dc=com" write
by * read
The relay backend does not honor any of the access control semantics
described in slapd.access(5); all access control is delegated to the
relayed database(s). Only read (=r) access to the entry pseudo-
attribute and to the other attribute values of the entries returned by
the search operation is honored, which is performed by the frontend.
default slapd configuration file
slapd.conf(5), slapd-config(5), slapo-rwm(5), slapd(8).
OpenLDAP 2.4.40 2014/09/20 SLAPD-RELAY(5)