provide the directory service. Typically a global service defines
a uniform {{namespace}} which gives the same view of the data no
matter where you are in relation to the data itself. The Internet
-{{TERM[expand]DNS}} is an example of a globally distributed directory
-service.
+{{TERM[expand]DNS}} (DNS) is an example of a globally distributed
+directory service.
H2: What is LDAP?
The tree may also be arranged based upon Internet domain names.
This naming approach is becoming increasing popular as it allows
-for directory services to be locating using the {{TERM[expand]DNS}}.
+for directory services to be locating using the {{DNS}}.
Figure 1.2 shows an example LDAP directory tree using domain-based
naming.
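Review bot: the rewritten line still carries the typo "to be locating using"; since the line is being touched anyway, change it to "to be located using" rather than leaving the grammar error in a fresh `+` line. The context line just above, "becoming increasing popular", should read "increasingly popular" and could be fixed in the same hunk. Also confirm that the bare `{{DNS}}` is the phrase style you want: the previous hunk keeps `{{TERM[expand]DNS}}` for the same term, while bare `{{...}}` is used in this file for emphasis, as with `{{namespace}}` at the top of the patch.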
The value(s) in the two attributes are of the same form as the
output of the replacement pattern of a {{EX:saslRegexp}} directive:
-either a DN or an LDAP URL. For example, if a saslAuthzTo value is
-a DN, that DN is one the authenticated user can authorize to. On
-the other hand, if the {{EX:saslAuthzTo}} value is an LDAP URL,
-the URL is used as an internal search of the LDAP database, and
-the authenticated user can become ANY DN returned by the search.
+either a DN or an LDAP URL. For example, if a {{EX:saslAuthzTo}}
+value is a DN, that DN is one the authenticated user can authorize
+to. On the other hand, if the {{EX:saslAuthzTo}} value is an LDAP
+URL, the URL is used as an internal search of the LDAP database,
+and the authenticated user can become ANY DN returned by the search.
If an LDAP entry looked like:
> dn: cn=WebUpdate,dc=example,dc=com
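Review bot: the only substantive edit in this hunk is wrapping the first `saslAuthzTo` in `{{EX:...}}`, but the whole paragraph is re-flowed so all five lines show as changed; keeping the original line breaks (or re-wrapping only the first line) would let the diff show the one-token change and make it easier to confirm nothing else moved. The markup itself is the right fix, since the second mention on the same paragraph already used `{{EX:saslAuthzTo}}`, and the sentence stating that an LDAP-URL value lets the user become ANY DN returned by the search is preserved verbatim.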
H4: Policy Configuration
-The decision of which type of rules to use, saslAuthzFrom or
-saslAuthzTo, will depend on the site's situation. For example, if
+The decision of which type of rules to use, {{EX:saslAuthzFrom}} or
+{{EX:saslAuthzTo}}, will depend on the site's situation. For example, if
the set of people who may become a given identity can easily be
written as a search filter, then a single destination rule could
be written. If the set of people is not easily defined by a search
rules.
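Review bot: the trailing context looks truncated, jumping from "not easily defined by a search" straight to "rules.", so please confirm the hunk applies cleanly against the current source before committing. The second `+` line, "{{EX:saslAuthzTo}}, will depend on the site's situation. For example, if", is also noticeably longer than the surrounding wrap width; the earlier saslAuthzTo hunk re-flowed its paragraph after adding the markup, so do the same here for consistency.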
Destination rules are extremely powerful. If ordinary users have
-access to write the saslAuthzTo attribute in their own entries, then
+access to write the {{EX:saslAuthzTo}} attribute in their own entries, then
they can write rules that would allow them to authorize as anyone else.
-As such, when using destination rules, the saslAuthzTo attribute
+As such, when using destination rules, the {{EX:saslAuthzTo}} attribute
should be protected with an ACL that only allows privileged users
to set its values.
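Review bot: both `+` lines run past the wrap width used elsewhere in the file ("access to write the {{EX:saslAuthzTo}} attribute in their own entries, then" is the longest line in the patch); re-flow the paragraph as the earlier saslAuthzTo hunk did. Marking the attribute up is worthwhile here because this is the paragraph that tells administrators to protect `saslAuthzTo` with an ACL restricted to privileged users, and the `{{EX:}}` rendering makes the attribute name stand out where that advice is given.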
H2: Server Certificates
The DN of a server certificate must use the CN attribute
-to name the server, and the CN must carry the server's
+to name the server, and the {{EX:CN}} must carry the server's
fully qualified domain name. Additional alias names and wildcards
-may be present in the subjectAltName certificate extension.
+may be present in the {{EX:subjectAltName}} certificate extension.
More details on server certificate names are in {{REF:RFC2830}}.
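Review bot: the sentence now marks up the second "CN" as `{{EX:CN}}` but leaves the first occurrence, "must use the CN attribute" on the unchanged context line just above, plain; mark both or neither so the same attribute is not styled two ways in one sentence. Marking `{{EX:subjectAltName}}` is consistent with the rest of the patch. Separately, the untouched `{{REF:RFC2830}}` line is worth revisiting while you are here, since RFC 2830 has been obsoleted by RFC 4513, which now carries the server-certificate naming rules.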
H2: Client Certificates