From: Kurt Zeilenga Date: Thu, 16 Feb 2006 02:59:53 +0000 (+0000) Subject: Misc updates from HEAD X-Git-Tag: OPENLDAP_REL_ENG_2_3_20~13 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=30c82cca51ea27d9f72c6a0a1df6649eb1e3b333;p=openldap Misc updates from HEAD --- diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5 index b9c104307b..0ea616992c 100644 --- a/doc/man/man5/slapd.conf.5 +++ b/doc/man/man5/slapd.conf.5 @@ -100,7 +100,7 @@ when DN is empty). .B bind_anon_dn allows unauthenticated (anonymous) bind when DN is not empty. .B update_anon -allow unauthenticated (anonymous) update operations to be processed +allows unauthenticated (anonymous) update operations to be processed (subject to access controls and other administrative limits). .TP .B argsfile diff --git a/doc/man/man5/slapo-accesslog.5 b/doc/man/man5/slapo-accesslog.5 index 5d795cb4ce..2a28cd82a4 100644 --- a/doc/man/man5/slapo-accesslog.5 +++ b/doc/man/man5/slapo-accesslog.5 @@ -21,8 +21,6 @@ These options apply to the Access Logging overlay. They should appear after the .B overlay -directive and before any subsequent -.B database directive. .TP .B logdb diff --git a/doc/man/man5/slapo-auditlog.5 b/doc/man/man5/slapo-auditlog.5 index 4ef0348858..3cdf4132db 100644 --- a/doc/man/man5/slapo-auditlog.5 +++ b/doc/man/man5/slapo-auditlog.5 @@ -21,8 +21,6 @@ This option applies to the Audit Logging overlay. It should appear after the .B overlay -directive and before any subsequent -.B database directive. .TP .B auditlog diff --git a/doc/man/man5/slapo-ppolicy.5 b/doc/man/man5/slapo-ppolicy.5 index 0512386a3e..060446794f 100644 --- a/doc/man/man5/slapo-ppolicy.5 +++ b/doc/man/man5/slapo-ppolicy.5 
@@ -23,6 +23,12 @@ resets, acceptable password content, and even grace logins. Different groups of users may be associated with different password policies, and there is no limit to the number of password policies that may be created. +.P +Note that some of the policies do not take effect when the operation +is performed with the +.B rootdn +identity; all the operations, when performed with any other identity, +may be subjected to constraints, like access control. .SH CONFIGURATION These @@ -39,9 +45,11 @@ and no default is given, then no policies will be enforced. .TP .B ppolicy_hash_cleartext Specify that cleartext passwords present in Add and Modify requests should -be hashed before being stored in the database. This violates the X.500 +be hashed before being stored in the database. This violates the X.500/LDAP information model, but may be needed to compensate for LDAP clients that -don't use the Password Modify exop to manage passwords. +don't use the Password Modify extended operation to manage passwords. It +is recommended that when this option is used that compare, search, and +read access be denied to all directory users. .TP .B ppolicy_use_lockout A client will always receive an LDAP @@ -74,7 +82,7 @@ object class. The definition of that class is as follows: MUST ( pwdAttribute ) MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ - pwdCheckSyntax $ pwdMinLength $ + pwdCheckQuality $ pwdMinLength $ pwdExpireWarning $ pwdGraceAuthnLimit $ pwdLockout $ pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $ @@ -124,7 +132,7 @@ Note: in this implementation, the only value accepted for .B pwdAttribute is -.RI " userPassword ". +.IR " userPassword ". .LP .RS 4 ( 1.3.6.1.4.1.42.2.27.8.1.1 
@@ -173,6 +181,9 @@ attribute is not present, or if its value is zero (0), used passwords will not be stored in .B pwdHistory and thus any previously-used password may be reused. +No history checking occurs if the password is being modified by the +.BR rootdn , +although the password is saved in the history. .LP .RS 4 ( 1.3.6.1.4.1.42.2.27.8.1.4 @@ -207,7 +218,7 @@ error refusing the password. .P When syntax checking is enabled (see also the -.B pwdCheckSyntax +.B pwdCheckQuality attribute), this attribute contains the minimum number of characters that will be accepted in a password. If this attribute is not present, minimum password length is not @@ -215,12 +226,12 @@ enforced. If the server is unable to check the length of the password, whether due to a client-side hashed password or some other reason, the server will, depending on the value of -.BR pwdCheckSyntax , +.BR pwdCheckQuality , either accept the password without checking it (if -.B pwdCheckSyntax +.B pwdCheckQuality is zero (0) or one (1)) or refuse it (if -.B pwdCheckSyntax +.B pwdCheckQuality is two (2)). .LP .RS 4 @@ -654,8 +665,7 @@ field is in GMT format. .B pwdGraceUseTime This attribute contains the list of timestamps of logins made after the user password in the DN has expired. These post-expiration -logins are known as -.RI " "grace logins" ." +logins are known as "\fIgrace logins\fP". If too many .I grace logins have been used (please refer to the diff --git a/doc/man/man5/slapo-refint.5 b/doc/man/man5/slapo-refint.5 index 84fc3705be..514b9c22c9 100644 --- a/doc/man/man5/slapo-refint.5 +++ b/doc/man/man5/slapo-refint.5 @@ -30,8 +30,6 @@ These options apply to the Referential Integrity overlay. They should appear after the .B overlay -directive and before any subsequent -.B database directive. .TP .B refint_attributes diff --git a/doc/man/man5/slapo-syncprov.5 b/doc/man/man5/slapo-syncprov.5 index dab218f1ed..170cc15947 100644 --- a/doc/man/man5/slapo-syncprov.5 
+++ b/doc/man/man5/slapo-syncprov.5 @@ -31,8 +31,6 @@ These options apply to the Syncrepl Provider overlay. They should appear after the .B overlay -directive and before any subsequent -.B database directive. .TP .B syncprov-checkpoint diff --git a/doc/man/man5/slapo-unique.5 b/doc/man/man5/slapo-unique.5 index 7e8ad6126e..7f15231378 100644 --- a/doc/man/man5/slapo-unique.5 +++ b/doc/man/man5/slapo-unique.5 @@ -33,8 +33,6 @@ These options apply to the Attribute Uniqueness overlay. They should appear after the .B overlay -directive and before any subsequent -.B database directive. .TP .B unique_base diff --git a/doc/man/man5/slapo-valsort.5 b/doc/man/man5/slapo-valsort.5 index 5541a03b85..3e8618fa7d 100644 --- a/doc/man/man5/slapo-valsort.5 +++ b/doc/man/man5/slapo-valsort.5 @@ -27,8 +27,6 @@ These options apply to the Value Sorting overlay. They should appear after the .B overlay -directive and before any subsequent -.B database directive. .TP valsort-attr <\fIattribute\fP> <\fIbaseDN\fP> (<\fIsort-method\fP> | weighted [<\fIsort-method\fP>])
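Review bot: In slapo-accesslog.5 (@@ -21,8 +21,6 @@), and identically in the slapo-auditlog.5, slapo-refint.5, slapo-syncprov.5, slapo-unique.5 and slapo-valsort.5 hunks, deleting "directive and before any subsequent .B database" leaves the text saying only that the options appear after the overlay directive, with nothing stating where the overlay's options stop. If the old upper bound was wrong, replace it with whatever does delimit the block rather than dropping it, so that a reader placing a logdb or auditlog line knows whether it is still attributed to the overlay. The commit message "Misc updates from HEAD" gives no reason for the removal; one line of rationale would help.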
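Review bot: The paragraph added to slapo-ppolicy.5 at @@ -23,6 +23,12 @@ says "some of the policies do not take effect" for the rootdn without saying which ones, so an administrator cannot tell from this text which controls the rootdn bypasses. Either list them here or point to the attribute descriptions that carry the exception (the pwdInHistory hunk in this same patch adds one). The second clause, "all the operations, when performed with any other identity, may be subjected to constraints, like access control", is also hard to parse; something like "operations performed with any other identity remain subject to other constraints, such as access control" would read more clearly if that is the intended meaning.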
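Review bot: In the ppolicy_hash_cleartext hunk of slapo-ppolicy.5 (@@ -39,9 +45,11 @@), the new recommendation does not name what access should be denied to: "compare, search, and read access be denied to all directory users" can be read as denying access to the whole directory. Name the target (presumably the password attribute) and, ideally, say why the restriction is needed once the stored value is a hash. The sentence also has a doubled "that"; suggested wording: "It is recommended that, when this option is used, compare, search, and read access to the password attribute be denied to all directory users."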
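Review bot: In the pwdInHistory hunk of slapo-ppolicy.5 (@@ -173,6 +181,9 @@), the added sentence is appended directly after the description of the absent-or-zero case, where "used passwords will not be stored in pwdHistory", so "although the password is saved in the history" appears to contradict the line before it. Start a new paragraph and state the condition explicitly, for example that the rootdn exception applies when pwdInHistory is non-zero, if that is the intended behaviour.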
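Review bot: In the pwdMinLength text of slapo-ppolicy.5 (@@ -207,7 +218,7 @@), the unchanged context line still reads "When syntax checking is enabled (see also the" while the attribute it refers to is now pwdCheckQuality, so the prose and the attribute name no longer match. Update the wording to "quality checking" in the same change, and check the rest of the page for remaining uses of "syntax checking" now that the object class definition and the @@ -215,12 +226,12 @@ hunk use the new name.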