Commit 0304049d authored by Gavin Henry's avatar Gavin Henry

Formatting, spelling and Note: para styles.

parent 23efb86d
personal_ws-1.1 en 1598
personal_ws-1.1 en 1634
commonName
bla
Masarati
subjectAltName
api
BhY
olcSyncrepl
olcSyncRepl
olcSyncrepl
adamsom
adamson
CER
......@@ -38,8 +38,8 @@ DIB
dev
reqNewSuperior
librewrite
memberOf
memberof
memberOf
BSI
updateref
buf
......@@ -64,6 +64,7 @@ CRP
postread
csn
xvfB
checkpass
neverDerefaliases
dns
DN's
......@@ -87,8 +88,8 @@ dlopen
eng
AttributeValue
attributevalue
EOF
DUA
EOF
inputfile
DSP
refreshDone
......@@ -123,10 +124,10 @@ iff
contextCSN
auditModify
auditSearch
openldap
OpenLDAP
resultCode
openldap
resultcode
resultCode
sysconfig
indices
blen
......@@ -137,14 +138,17 @@ directoryString
database's
iscritical
gss
qbuaQ
ZKKuqbEKJfKSXhUbHG
invalidAttributeSyntax
subtree
Kartik
newparent
DkMTwBl
memcalloc
ing
filtertype
XKqkdPOmY
regcomp
ldapmodify
includedir
......@@ -159,13 +163,13 @@ argv
kdz
notAllowedOnRDN
hostport
starttls
StartTLS
starttls
ldb
servercredp
ldd
ipv
IPv
ipv
hyc
joe
bindmethods
......@@ -189,16 +193,16 @@ attrstyle
directoryOperation
creatorsName
mem
oldpasswdfile
oldPasswdFile
oldpasswdfile
uniqueMember
krb
libpath
acknowledgements
jts
createTimestamp
LLL
MIB
LLL
OpenSSL
openssl
LOF
......@@ -217,6 +221,7 @@ LDAPMatchingRule
bool
LRL
CPPFLAGS
yWpR
schemadir
desc
lud
......@@ -232,14 +237,15 @@ oid
msg
attr
caseExactOrderingMatch
TmkzUAb
Subbarao
aeeiib
oidlen
submatches
olc
PEM
PDU
olc
OLF
PDU
LDAPSchemaExtensionItem
auth
Pierangelo
......@@ -249,6 +255,7 @@ subdirectories
OLP
pwdPolicyChecker
subst
mux
singleLevel
cleartext
numattrsets
......@@ -277,9 +284,9 @@ rdn
wZFQrDD
OTP
olcSizeLimit
pos
sbi
PRD
sbi
pos
pre
sudoadm
stringal
......@@ -287,6 +294,7 @@ retoidp
sdf
efgh
accesslog
PSH
sed
cond
qdescrs
......@@ -296,9 +304,10 @@ ldapmodrdn
sel
bvec
TBC
HtZhZS
stringbv
Sep
SHA
Sep
ptr
conn
pwd
......@@ -315,8 +324,8 @@ myOID
supportedSASLMechanism
supportedSASLmechanism
realnamingcontext
SMD
UCD
SMD
keytab
portnumber
uncached
......@@ -329,8 +338,8 @@ sasldb
UCS
searchDN
keytbl
tgz
UDP
tgz
freemods
prepend
errText
......@@ -347,22 +356,22 @@ crit
objectClassViolation
ssf
ldapfilter
rwm
TOC
vec
TOC
rwm
pwdChangedTime
tls
peernamestyle
xpasswd
tmp
SRP
tmp
SSL
dupbv
CPUs
SRV
entrymods
rwx
sss
rwx
reqNewRDN
nopresent
rebindproc
......@@ -372,11 +381,13 @@ syncIdSet
cron
accesslevel
accessor's
czBJdDqS
keyval
alloc
saslpasswd
README
maxentries
QWGWZpj
ttl
undefinedAttributeType
peercred
......@@ -417,10 +428,11 @@ memberURL
sudoers
pwdMaxFailure
pseudorootdn
MezRroT
GDBM
LIBRELEASE
DSAs
DSA's
DSAs
realloc
booleanMatch
compareTrue
......@@ -432,6 +444,7 @@ rwxrwxrwx
al
realself
cd
aQ
ar
olcDatabaseConfig
de
......@@ -447,6 +460,7 @@ dn
fG
DS
fi
EO
allmail
du
eq
......@@ -477,8 +491,8 @@ pwdMinLength
iZ
ldapdelete
xyz
RDBMs
rdbms
RDBMs
extparam
mk
ng
......@@ -533,6 +547,7 @@ cacert
notAllowedOnNonLeaf
attrname
olcTLSCipherSuite
Xr
x's
xw
octetStringMatch
......@@ -541,8 +556,8 @@ ZZ
LDVERSION
testAttr
backend
backend's
backends
backend's
BerValues
Solaris
structs
......@@ -554,9 +569,9 @@ ostring
policyDN
testObject
pwdMaxAge
bindDn
bindDN
binddn
bindDN
bindDn
distributedOperation
schemachecking
strvals
......@@ -588,6 +603,7 @@ serverctrls
recursivegroup
integerMatch
moduledir
BlpQmtczb
dynstyle
bindpw
AUTHNAME
......@@ -598,14 +614,14 @@ IEEE
regex
SIGINT
slappasswd
errAbsObject
errABsObject
errAbsObject
ldapexop
objectidentifier
objectIdentifier
objectidentifier
deallocators
MirrorMode
mirrormode
MirrorMode
loopDetect
SIGHUP
authMethodNotSupported
......@@ -622,8 +638,8 @@ filtercomp
expr
syntaxes
memrealloc
returnCode
returncode
returnCode
OpenLDAP's
exts
bitstringa
......@@ -638,6 +654,7 @@ ietf
olcSchemaConfig
bitstrings
bvalues
hmev
realdnattr
attrpair
affectsMultipleDSAs
......@@ -646,8 +663,8 @@ lastName
lldap
cachesize
slapauth
attributetype
attributeType
attributetype
GSER
olcDbNosync
typedef
......@@ -664,14 +681,16 @@ monitoredObject
TLSVerifyClient
noidlen
LDAPNOINIT
pwdGraceAuthNLimit
pwdGraceAuthnLimit
pwdGraceAuthNLimit
hnPk
userpassword
userPassword
noanonymous
LIBVERSION
symas
dcedn
glibc
sublevel
chroot
posixGroup
......@@ -682,12 +701,14 @@ frontend
someotherdomain
proxying
organisations
IMAP
rewriteMap
monitoredInfo
modrdn
ModRDN
modrDN
ModRDN
modrdn
HREF
DQTxCYEApdUtNXGgdUac
inline
multiproxy
reqSizeLimit
......@@ -698,8 +719,8 @@ reqReferral
rlookups
siiiib
LTSTATIC
timeLimitExceeded
timelimitExceeded
timeLimitExceeded
XKYnrjvGT
subtrees
unixODBC
......@@ -711,8 +732,8 @@ reqDN
dnstyle
inet
schemas
pwdPolicySubEntry
pwdPolicySubentry
pwdPolicySubEntry
reqId
scanf
olcBackend
......@@ -721,6 +742,7 @@ Arial
init
runtime
onelevel
YtNFk
impl
Autoconf
stderr
......@@ -737,6 +759,7 @@ olcModuleList
pwdSafeModify
html
multimaster
GCmfuqEvm
testrun
rewriteEngine
slapdindex
......@@ -751,8 +774,8 @@ POSIX
pathname
noSuchObject
proxyOld
berelement
BerElement
berelement
sbiod
plugin
http
......@@ -762,8 +785,8 @@ ldbm
numericStringSubstringsMatch
internet
storages
whoami
WhoAmI
whoami
criticality
addBlanks
logins
......@@ -772,6 +795,7 @@ dbnum
operationsError
homePhone
testTwo
BmIwN
ldif
entryAlreadyExists
plaintext
......@@ -903,6 +927,7 @@ concat
realanonymous
invalue
refreshOnly
pwcheck
filesystem
Naur
unwillingToPerform
......@@ -924,6 +949,7 @@ negttl
logevels
AAQSkZJRgABAAAAAQABAAD
strcast
aUihad
failover
constraintViolation
cacheable
......@@ -968,6 +994,7 @@ basename
groupOfUniqueNames
DHAVE
ludp
oPdklp
entryUUID
ldapapiinfo
SampleLDAP
......@@ -1013,12 +1040,14 @@ typeB
nelems
subord
namingViolation
PCOq
inappropriateAuthentication
mixin
suders
syntaxOID
olcTLSCACertificateFile
IGJlZ
userPrincipalName
TLSCipherSuite
auditlog
runningslapd
......@@ -1059,6 +1088,7 @@ searchResultEntry
PIII
olcDbShmKey
substr
testsaslauthd
reqRespControls
XXXXXXXXXX
MANSECT
......@@ -1081,6 +1111,7 @@ dcObject
supportedControl
addprinc
logbase
oMxg
filterlist
generalizedTimeMatch
Google
......@@ -1204,6 +1235,7 @@ lucyB
entryUUIDs
reqEntries
sockbuf
wrongpassword
olcSaslSecprops
olcSaslSecProps
dnSubtreeMatch
......@@ -1296,6 +1328,7 @@ SMTP
srvtab
ldapadd
sprintf
spasswd
monitorCounterObject
Instanstantiation
olcDbConfig
......@@ -1362,6 +1395,7 @@ argsfile
attrvalue
deallocate
msgid
ilOzQ
modulepath
logfile
Supr
......@@ -1513,6 +1547,7 @@ ABNF
dnpattern
perror
MSSQL
VUld
SmVuc
ACIs
errmsgp
......@@ -1552,8 +1587,8 @@ wBDARESEhgVG
multi
aaa
ldaprc
updatedn
UpdateDN
updatedn
LDAPBASE
LDAPAPIFeatureInfo
authzTo
......@@ -1593,7 +1628,8 @@ ber
slimit
ali
attributeoptions
BfQ
uidNumber
CAs
CA's
CAs
namingContext
......@@ -58,7 +58,8 @@ to the server. For example, the {{host_options}}(5) rule:
allows only incoming connections from the private network {{F:10.0.0.0}}
and localhost ({{F:127.0.0.1}}) to access the directory service.
Note that IP addresses are used as {{slapd}}(8) is not normally
Note: IP addresses are used as {{slapd}}(8) is not normally
configured to perform reverse lookups.
It is noted that TCP wrappers require the connection to be accepted.
......@@ -127,10 +128,11 @@ requested by providing a valid name and password.
An anonymous bind results in an {{anonymous}} authorization
association. Anonymous bind mechanism is enabled by default, but
can be disabled by specifying "{{EX:disallow bind_anon}}" in
{{slapd.conf}}(5). Note that disabling the anonymous bind mechanism
does not prevent anonymous access to the directory. To require
authentication to access the directory, one should instead
specify "{{EX:require authc}}".
{{slapd.conf}}(5).
Note: Disabling the anonymous bind mechanism does not prevent
anonymous access to the directory. To require authentication to
access the directory, one should instead specify "{{EX:require authc}}".
An unauthenticated bind also results in an {{anonymous}} authorization
association. Unauthenticated bind mechanism is disabled by default,
......@@ -158,19 +160,19 @@ binds to use encryption of DES equivalent or better.
The user/password authenticated bind mechanism can be completely
disabled by setting "{{EX:disallow bind_simple}}".
Note: An unsuccessful bind always results in the session having
Note: An unsuccessful bind always results in the session having
an {{anonymous}} authorization association.
H3: SASL method
The LDAP {{TERM:SASL}} method allows the use of any SASL authentication
mechanism. The {{SECT:Using SASL}} section discusses the use of SASL.
mechanism. The {{SECT:Using SASL}} section discusses the use of SASL.
H2: Password Storage
LDAP passwords are normally stored in the {{userPassword}} attribute.
RFC4519 specifies that passwords are not stored in encrypted form,
{{REF:RFC4519}} specifies that passwords are not stored in encrypted form,
but this can create an unwanted security exposure so {{slapd}} provides
several options for the administrator to choose from.
......@@ -183,7 +185,7 @@ on the value, so a Unix {{crypt}}-style password might look like this:
> userPassword: {CRYPT}.7D8U/PCF00Hw
In general is is safest to store passwords in a salted hashed format
In general, it is safest to store passwords in a salted hashed format
like SSHA. This makes it very hard for an attacker to derive passwords
from stolen backups or by obtaining access to the on-disk {{slapd}}
database.
......@@ -215,6 +217,10 @@ transferred to or from an existing Unix password file without having
to know the cleartext form. Both forms of {{crypt}} include salt so
they have some resistance to dictionary attacks.
Note: Since this scheme uses the operation system's {{crypt(3)}} hash function,
it is therefore operation system specific.
H3: MD5 password storage scheme
This scheme simply takes the MD5 hash of the password and stores it in
......@@ -247,7 +253,7 @@ of salt leaves the scheme exposed to dictionary attacks.
H3: SSHA password storage scheme
This is the salted version of the SHA scheme. It is believed to be the
most secure password storage sheme supported by {{slapd}}.
most secure password storage scheme supported by {{slapd}}.
These values represent the same password:
......@@ -260,18 +266,21 @@ This is not really a password storage scheme at all. It uses the
value of the {{userPassword}} attribute to delegate password
verification to another process. See below for more information.
Note that this is not the same as using SASL to authenticate the LDAP
Note: This is not the same as using SASL to authenticate the LDAP
session.
H3: KERBEROS password storage scheme
This is not really a password storage scheme at all. It uses the
value of the {{userPassword}} attribute to delegate password
verification to Kerberos. Note that this is not the same as using
Kerberos authentication of the LDAP session. This scheme could be said
to defeat the advantages of Kerberos by causing the Kerberos password
to be exposed to the {{slapd}} server (and possibly on the network as
well).
verification to Kerberos.
Note: This is not the same as using Kerberos authentication of
the LDAP session.
This scheme could be said to defeat the advantages of Kerberos by
causing the Kerberos password to be exposed to the {{slapd}} server
(and possibly on the network as well).
H2: Pass-Through authentication
......@@ -285,10 +294,11 @@ server, another LDAP server, or anything supported by the PAM mechanism.
The server must be built with the {{EX:--enable-spasswd}}
configuration option to enable pass-through authentication.
Note that this is not the same as using a SASL mechanism to
authenticate the LDAP session. Pass-Through authentication works only
with plaintext passwords, as used in the "simple bind" and "SASL
PLAIN" authentication mechanisms.
Note: This is not the same as using a SASL mechanism to
authenticate the LDAP session.
Pass-Through authentication works only with plaintext passwords, as
used in the "simple bind" and "SASL PLAIN" authentication mechanisms.}}
Pass-Through authentication is selective: it only affects users whose
{{userPassword}} attribute has a value marked with the "{SASL}"
......@@ -301,10 +311,12 @@ mechanism and are used to identify the account whose password is to be
verified. This allows arbitrary mapping between entries in OpenLDAP
and accounts known to the backend authentication service.
Note that there is no support for changing passwords in the backend
via {{slapd}}. It would be wise to use access control to prevent users
from changing their passwords through LDAP where they have
pass-through authentication enabled.
Note: There is no support for changing passwords in the backend
via {{slapd}}.
It would be wise to use access control to prevent users from changing
their passwords through LDAP where they have pass-through authentication
enabled.
H3: Configuring slapd to use an authentication provider
......@@ -318,7 +330,7 @@ file to be considered is confusingly named {{slapd.conf}} and is
typically found in the SASL library directory, often
{{EX:/usr/lib/sasl2/slapd.conf}} This file governs the use of SASL
when talking LDAP to {{slapd}} as well as the use of SASL backends for
pass-through authentication. See {{EX:options.html}} in the Cyrus SASL
pass-through authentication. See {{EX:options.html}} in the {{PRD:Cyrus SASL}}
docs for full details. Here is a simple example for a server that will
use {{saslauthd}} to verify passwords:
......@@ -331,7 +343,7 @@ H3: Configuring saslauthd
{{saslauthd}} is capable of using many different authentication