SSF updates

[openldap] / doc / guide / admin / security.sdf

diff --git a/doc/guide/admin/security.sdf b/doc/guide/admin/security.sdf
index 076b40698f6085dfc24e01ddc4a673062a370295..55b167565b93c790d623f0013dff2c25c0a621e0 100644 (file)
--- a/doc/guide/admin/security.sdf
+++ b/doc/guide/admin/security.sdf
@@ -76,11 +76,29 @@ A number of {{TERM[expand]SASL}} (SASL) mechanisms, such as DIGEST-MD5
 and {{TERM:GSSAPI}}, provide integrity and confidentiality protection.
 See the {{SECT:Using SASL}} chapter for more information.
 
-The server uses {{TERM[expand]Security Strength Factors}} (SSF) to
-indicate the relative strength of protection.  A SSF of zero (0)
-indicates no protections are in place.  A SSF of one (1) indicates
-integrity protection are in place.  A SSF greater than one (>1)
-roughly correlates to the effective encryption key length.  For
-example, {{TERM:DES}} is 56, {{TERM:3DES}} is 112, and {{TERM:AES}}
-is 128.
+
+H3: Security Strength Factors
+
+The server uses {{TERM[expand]SSF}}s (SSF) to indicate the relative
+strength of protection.  A SSF of zero (0) indicates no protections
+are in place.  A SSF of one (1) indicates integrity protection are
+in place.  A SSF greater than one (>1) roughly correlates to the
+effective encryption key length.  For example, {{TERM:DES}} is 56,
+{{TERM:3DES}} is 112, and {{TERM:AES}} 128, 192, or 256.
+
+A number of administrative controls rely on SSFs associated with
+TLS and SASL protection in place on an LDAP session.
+
+{{EX:security}} controls disallow operations when appropriate
+protections are not in place.  For example:
+
+>      security ssf=1 update_ssf=112
+
+requires integrity protection for all operations and encryption
+protection, 3DES equivalent, for update operations (e.g. add,
+delete, modify, etc.).  See {{slapd.conf}}(5) for details.
+
+For finer grained control, SSFs may be used in access controls.
+See {{SECT:Access Control}} section of the {{SECT:The slapd
+Configuration File}} for more information.