From: Gavin Henry <ghenry@openldap.org>
Date: Wed, 7 Nov 2007 23:52:55 +0000 (+0000)
Subject: ITS#5217 and ITS#5216
X-Git-Tag: OPENLDAP_REL_ENG_2_4_9~20^2~449
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=6078879299fb5724ebd359fa8a7299de9c3e313b;p=openldap

ITS#5217 and ITS#5216
---

diff --git a/doc/guide/admin/Makefile b/doc/guide/admin/Makefile
index 2c8b5f1ada..d4ee50883a 100644
--- a/doc/guide/admin/Makefile
+++ b/doc/guide/admin/Makefile
@@ -56,12 +56,15 @@ sdf-src: \
 
 sdf-img: \
 	../images/LDAPlogo.gif \
+	allmail-en.png \
+	allusersgroup-en.png \
 	config_dit.png \
 	config_local.png \
 	config_ref.png \
 	config_repl.gif \
 	intro_dctree.png \
 	intro_tree.png \
+	refint.png 
 
 guide.html: guide.sdf sdf-src sdf-img
 	sdf -2html guide.sdf
diff --git a/doc/guide/admin/allmail-en.png b/doc/guide/admin/allmail-en.png
new file mode 100644
index 0000000000..a50a0ffb39
Binary files /dev/null and b/doc/guide/admin/allmail-en.png differ
diff --git a/doc/guide/admin/allusersgroup-en.png b/doc/guide/admin/allusersgroup-en.png
new file mode 100644
index 0000000000..e8e2b17573
Binary files /dev/null and b/doc/guide/admin/allusersgroup-en.png differ
diff --git a/doc/guide/admin/overlays.sdf b/doc/guide/admin/overlays.sdf
index f89ab2a6bf..6bab96dcf2 100644
--- a/doc/guide/admin/overlays.sdf
+++ b/doc/guide/admin/overlays.sdf
@@ -211,11 +211,86 @@ H2: Dynamic Lists
    
 H3: Overview
 
-This overlay allows expansion of dynamic groups and more.
-
+This overlay allows expansion of dynamic groups and lists. Instead of having the
+group members or list attributes hard coded, this overlay allows us to define
+an LDAP search whose results will make up the group or list.
 
 H3: Dynamic List Configuration
 
+This module can behave both as a dynamic list and dynamic group, depending on
+the configuration. The syntax is as follows:
+
+>       overlay dynlist
+>       dynlist-attrset <group-oc> <URL-ad> [member-ad]
+
+The parameters to the {{F:dynlist-attrset}} directive have the following meaning:
+* {{F:<group-oc>}}: specifies which object class triggers the subsequent LDAP search.
+Whenever an entry with this object class is retrieved, the search is performed.
+* {{F:<URL-ad>}}: is the name of the attribute which holds the search URI. It
+has to be a subtype of {{F:labeledURI}}. The attributes and values present in
+the search result are added to the entry unless {{F:member-ad}} is used (see
+below).
+* {{F:member-ad}}: if present, changes the overlay behaviour into a dynamic group.
+Instead of inserting the results of the search in the entry, the distinguished name
+of the results are added as values of this attribute.
+
+Here is an example which will allow us to have an email alias which automatically
+expands to all user's emails according to our LDAP filter:
+
+In {{slapd.conf}}(5):
+>       overlay dynlist
+>       dynlist-attrset nisMailAlias labeledURI
+
+This means that whenever an entry which has the {{F:nisMailAlias}} object class is
+retrieved, the search specified in the {{F:labeledURI}} attribute is performed.
+
+Let's say we have this entry in our directory:
+>       cn=all,ou=aliases,dc=example,dc=com
+>       cn: all
+>       objectClass: nisMailAlias
+>       labeledURI: ldap:///ou=People,dc=example,dc=com?mail?one?(objectClass=inetOrgPerson)
+
+If this entry is retrieved, the search specified in {{F:labeledURI}} will be
+performed and the results will be added to the entry just as if they have always
+been there. In this case, the search filter selects all entries directly
+under {{F:ou=People}} that have the {{F:inetOrgPerson}} object class and retrieves
+the {{F:mail}} attribute, if it exists.
+
+This is what gets added to the entry when we have two users under {{F:ou=People}}
+that match the filter:
+!import "allmail-en.png"; align="center"; title="Dynamic list for email aliases"
+FT[align="Center"] Figure X.Y: Dynamic List for all emails
+
+The configuration for a dynamic group is similar. Let's see an example which would
+automatically populate an {{F:allusers}} group with all the user accounts in the
+directory.
+
+In {{F:slapd.conf}}(5):
+>       overlay dynlist
+>       dynlist-attrset groupOfNames labeledURI member
+
+Let's apply it to the following entry:
+>       cn=allusers,ou=group,dc=example,dc=com
+>       cn: all
+>       objectClass: groupOfNames
+>       labeledURI: ldap:///ou=people,dc=example,dc=com??one?(objectClass=inetOrgPerson)
+
+The behaviour is similar to the dynamic list configuration we had before:
+whenever an entry with the {{F:groupOfNames}} object class is retrieved, the
+search specified in the {{F:labeledURI}} attribute is performed. But this time,
+only the distinguished names of the results are added, and as values of the
+{{F:member}} attribute.
+
+This is what we get:
+!import "allusersgroup-en.png"; align="center"; title="Dynamic group for all users"
+FT[align="Center"] Figure X.Y: Dynamic Group for all users
+
+Note that a side effect of this scheme of dymamic groups is that the members
+need to be specified as full DNs. So, if you are planning in using this for
+{{F:posixGroup}}s, be sure to use RFC2307bis and some attribute which can hold
+distinguished names. The {{F:memberUid}} attribute used in the {{F:posixGroup}}
+object class can hold only names, not DNs, and is therefore not suitable for
+dynamic groups.
 
 H2: Reverse Group Membership Maintenance
 
@@ -458,13 +533,70 @@ H2: Referential Integrity
 
 H3: Overview
 
-This overlay can be used with a backend database such as slapd-bdb (5)
+This overlay can be used with a backend database such as slapd-bdb(5)
 to maintain the cohesiveness of a schema which utilizes reference
 attributes.
 
+Whenever a {{modrdn}} or {{delete}} is performed, that is, when an entry's DN
+is renamed or an entry is removed, the server will search the directory for
+references to this DN (in selected attributes: see below) and update them
+accordingly. If it was a {{delete}} operation, the reference is deleted. If it
+was a {{modrdn}} operation, then the reference is updated with the new DN.
+
+For example, a very common administration task is to maintain group membership
+lists, specially when users are removed from the directory. When an
+user account is deleted or renamed, all groups this user is a member of have to be
+updated. LDAP administrators usually have scripts for that. But we can use the
+{{F:refint}} overlay to automate this task. In this example, if the user is
+removed from the directory, the overlay will take care to remove the user from
+all the groups he/she was a member of. No more scripting for this.
 
 H3: Referential Integrity Configuration
 
+The configuration for this overlay is as follows:
+>       overlay refint
+>       refint_attributes <attribute [attribute ...]>
+>       refint_nothing <string>
+
+* {{F:refint_attributes}}: this parameter specifies a space separated list of
+attributes which will have the referential integrity maintained. When an entry is
+removed or has its DN renamed, the server will do an internal search for any of the
+{{F:refint_attributes}} that point to the affected DN and update them accordingly. IMPORTANT:
+the attributes listed here must have the {{F:distinguishedName}} syntax, that is,
+hold DNs as values.
+* {{F:refint_nothing}}: some times, while trying to maintain the referential
+integrity, the server has to remove the last attribute of its kind from an
+entry. This may be prohibited by the schema: for example, the
+{{F:groupOfNames}} object class requires at least one member. In these cases,
+the server will add the attribute value specified in {{F:refint_nothing}}
+to the entry.
+
+To illustrate this overlay, we will use the group membership scenario.
+
+In {{F:slapd.conf}}:
+>       overlay refint
+>       refint_attributes member
+>       refint_nothing "cn=admin,dc=example,dc=com"
+
+This configuration tells the overlay to maintain the referential integrity of the {{F:member}}
+attribute. This attribute is used in the {{F:groupOfNames}} object class which always needs
+a member, so we add the {{F:refint_nothing}} directive to fill in the group with a standard
+member should all the members vanish.
+
+If we have the following group membership, the refint overlay will
+automatically remove {{F:john}} from the group if his entry is removed from the
+directory:
+
+!import "refint.png"; align="center"; title="Group membership"
+FT[align="Center"] Figure X.Y: Maintaining referential integrity in groups
+
+Notice that if we rename ({{F:modrdn}}) the {{F:john}} entry to, say, {{F:jsmith}}, the refint
+overlay will also rename the reference in the {{F:member}} attribute, so the group membership
+stays correct.
+
+If we removed all users from the directory who are a member of this group, then the end result
+would be a single member in the group: {{F:cn=admin,dc=example,dc=com}}. This is the
+{{F:refint_nothing}} parameter kicking into action so that the schema is not violated.
 
 H2: Return Code
 
diff --git a/doc/guide/admin/refint.png b/doc/guide/admin/refint.png
new file mode 100644
index 0000000000..41843e7c3c
Binary files /dev/null and b/doc/guide/admin/refint.png differ
diff --git a/doc/guide/images/src/allmail-en.svg b/doc/guide/images/src/allmail-en.svg
new file mode 100644
index 0000000000..baefb543d3
--- /dev/null
+++ b/doc/guide/images/src/allmail-en.svg
@@ -0,0 +1,230 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+<svg
+   xmlns:dc="http://purl.org/dc/elements/1.1/"
+   xmlns:cc="http://web.resource.org/cc/"
+   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   width="487.42709"
+   height="139.10474"
+   id="svg2"
+   sodipodi:version="0.32"
+   inkscape:version="0.45.1"
+   version="1.0"
+   sodipodi:docbase="/home/andreas/palestra"
+   sodipodi:docname="allmail-en.svg"
+   inkscape:output_extension="org.inkscape.output.svg.inkscape"
+   inkscape:export-filename="/home/andreas/palestra/ppolicy.png"
+   inkscape:export-xdpi="136.2"
+   inkscape:export-ydpi="136.2">
+  <defs
+     id="defs4">
+    <marker
+       inkscape:stockid="Arrow1Lend"
+       orient="auto"
+       refY="0"
+       refX="0"
+       id="Arrow1Lend"
+       style="overflow:visible">
+      <path
+         id="path3186"
+         d="M 0,0 L 5,-5 L -12.5,0 L 5,5 L 0,0 z "
+         style="fill-rule:evenodd;stroke:#000000;stroke-width:1pt;marker-start:none"
+         transform="matrix(-0.8,0,0,-0.8,-10,0)" />
+    </marker>
+    <marker
+       inkscape:stockid="Arrow1Lstart"
+       orient="auto"
+       refY="0"
+       refX="0"
+       id="Arrow1Lstart"
+       style="overflow:visible">
+      <path
+         id="path3183"
+         d="M 0,0 L 5,-5 L -12.5,0 L 5,5 L 0,0 z "
+         style="fill-rule:evenodd;stroke:#000000;stroke-width:1pt;marker-start:none"
+         transform="matrix(0.8,0,0,0.8,10,0)" />
+    </marker>
+    <marker
+       inkscape:stockid="Arrow1Send"
+       orient="auto"
+       refY="0"
+       refX="0"
+       id="Arrow1Send"
+       style="overflow:visible">
+      <path
+         id="path3198"
+         d="M 0,0 L 5,-5 L -12.5,0 L 5,5 L 0,0 z "
+         style="fill-rule:evenodd;stroke:#000000;stroke-width:1pt;marker-start:none"
+         transform="matrix(-0.2,0,0,-0.2,-1.2,0)" />
+    </marker>
+    <marker
+       inkscape:stockid="Arrow2Lstart"
+       orient="auto"
+       refY="0"
+       refX="0"
+       id="Arrow2Lstart"
+       style="overflow:visible">
+      <path
+         id="path3201"
+         style="font-size:12px;fill-rule:evenodd;stroke-width:0.625;stroke-linejoin:round"
+         d="M 8.7185878,4.0337352 L -2.2072895,0.016013256 L 8.7185884,-4.0017078 C 6.97309,-1.6296469 6.9831476,1.6157441 8.7185878,4.0337352 z "
+         transform="matrix(1.1,0,0,1.1,1.1,0)" />
+    </marker>
+    <marker
+       inkscape:stockid="Arrow2Lend"
+       orient="auto"
+       refY="0"
+       refX="0"
+       id="Arrow2Lend"
+       style="overflow:visible">
+      <path
+         id="path8347"
+         style="font-size:12px;fill-rule:evenodd;stroke-width:0.625;stroke-linejoin:round"
+         d="M 8.7185878,4.0337352 L -2.2072895,0.016013256 L 8.7185884,-4.0017078 C 6.97309,-1.6296469 6.9831476,1.6157441 8.7185878,4.0337352 z "
+         transform="matrix(-1.1,0,0,-1.1,-1.1,0)" />
+    </marker>
+  </defs>
+  <sodipodi:namedview
+     id="base"
+     pagecolor="#ffffff"
+     bordercolor="#666666"
+     borderopacity="1.0"
+     inkscape:pageopacity="0.0"
+     inkscape:pageshadow="2"
+     inkscape:zoom="2.351189"
+     inkscape:cx="115.68184"
+     inkscape:cy="40.808267"
+     inkscape:document-units="px"
+     inkscape:current-layer="layer1"
+     showgrid="true"
+     showguides="false"
+     inkscape:window-width="1272"
+     inkscape:window-height="724"
+     inkscape:window-x="0"
+     inkscape:window-y="24" />
+  <metadata
+     id="metadata7">
+    <rdf:RDF>
+      <cc:Work
+         rdf:about="">
+        <dc:format>image/svg+xml</dc:format>
+        <dc:type
+           rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
+      </cc:Work>
+    </rdf:RDF>
+  </metadata>
+  <g
+     inkscape:label="Camada 1"
+     inkscape:groupmode="layer"
+     id="layer1"
+     transform="translate(-29.405584,-34.695505)">
+    <text
+       xml:space="preserve"
+       style="font-size:12px;font-style:normal;font-weight:normal;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;font-family:Bitstream Vera Sans"
+       x="116.88309"
+       y="48.033184"
+       id="text2170"
+       inkscape:export-filename="/home/andreas/palestra/allmail.png"
+       inkscape:export-xdpi="136.2"
+       inkscape:export-ydpi="136.2"><tspan
+         sodipodi:role="line"
+         id="tspan2172"
+         x="116.88309"
+         y="48.033184">DN: cn=all,ou=aliases,dc=example,dc=com</tspan><tspan
+         sodipodi:role="line"
+         x="116.88309"
+         y="63.033184"
+         id="tspan2174">cn: all</tspan><tspan
+         sodipodi:role="line"
+         x="116.88309"
+         y="78.033184"
+         id="tspan5373">objectClass: <tspan
+   style="font-weight:bold"
+   id="tspan5377">nisMailAlias</tspan></tspan><tspan
+         sodipodi:role="line"
+         x="116.88309"
+         y="92.036435"
+         id="tspan3404"
+         style="font-size:11px;font-weight:bold">labeledURI: <tspan
+   style="font-weight:normal"
+   id="tspan5513">ldap:///ou=People,dc=example,dc=com?mail?</tspan></tspan><tspan
+         sodipodi:role="line"
+         x="116.88309"
+         y="105.78643"
+         id="tspan3413"
+         style="font-size:11px;font-weight:normal">   one?(objectClass=inetOrgPerson)</tspan><tspan
+         sodipodi:role="line"
+         x="116.88309"
+         y="120.53318"
+         id="tspan2180">mail: john@example.com</tspan><tspan
+         sodipodi:role="line"
+         x="116.88309"
+         y="135.53318"
+         id="tspan3411">mail: mary@example.com</tspan></text>
+    <rect
+       style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1.15456796px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+       id="rect7321"
+       width="403.52588"
+       height="106.68739"
+       x="112.72952"
+       y="35.272789"
+       inkscape:export-filename="/home/andreas/palestra/allmail.png"
+       inkscape:export-xdpi="136.2"
+       inkscape:export-ydpi="136.2" />
+    <rect
+       style="opacity:0.28915663;fill:#aa9ab2;fill-opacity:1;stroke:none;stroke-width:0.69669151;stroke-opacity:1"
+       id="rect7323"
+       width="168.38275"
+       height="31.950695"
+       x="113.71371"
+       y="107.91574"
+       inkscape:export-filename="/home/andreas/palestra/allmail.png"
+       inkscape:export-xdpi="136.2"
+       inkscape:export-ydpi="136.2" />
+    <text
+       xml:space="preserve"
+       style="font-size:12px;font-style:normal;font-weight:normal;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;font-family:Bitstream Vera Sans"
+       x="28.755194"
+       y="104.6917"
+       id="text4394"
+       inkscape:export-filename="/home/andreas/palestra/allmail.png"
+       inkscape:export-xdpi="136.2"
+       inkscape:export-ydpi="136.2"><tspan
+         sodipodi:role="line"
+         x="28.755194"
+         y="104.6917"
+         id="tspan5371">search</tspan><tspan
+         sodipodi:role="line"
+         x="28.755194"
+         y="119.6917"
+         id="tspan2187">results</tspan></text>
+    <path
+       style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;marker-end:url(#Arrow2Lend);stroke-opacity:1"
+       d="M 108.91035,92.832512 C 59.12768,98.112492 59.881964,116.96956 108.15606,124.51239"
+       id="path4400"
+       sodipodi:nodetypes="cc"
+       inkscape:export-filename="/home/andreas/palestra/allmail.png"
+       inkscape:export-xdpi="136.2"
+       inkscape:export-ydpi="136.2" />
+    <path
+       style="opacity:1;fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;marker-start:url(#Arrow1Lstart);marker-end:url(#Arrow1Lend);stroke-miterlimit:4;stroke-dasharray:1, 1;stroke-dashoffset:0;stroke-opacity:1"
+       d="M 417.4481,61.482433 C 381.50911,141.44198 176.87108,164.40908 132.69882,105.71538"
+       id="path5515"
+       transform="translate(11.556417,34.695505)"
+       sodipodi:nodetypes="cc" />
+    <rect
+       inkscape:export-ydpi="136.2"
+       inkscape:export-xdpi="136.2"
+       inkscape:export-filename="/home/andreas/palestra/allmail.png"
+       y="81.541206"
+       x="417.55688"
+       height="12.386127"
+       width="24.625708"
+       id="rect6492"
+       style="opacity:0.28915663;fill:#aa9ab2;fill-opacity:1;stroke:none;stroke-width:0.69669151;stroke-opacity:1" />
+  </g>
+</svg>
diff --git a/doc/guide/images/src/allusersgroup-en.svg b/doc/guide/images/src/allusersgroup-en.svg
new file mode 100644
index 0000000000..75b8ee0737
--- /dev/null
+++ b/doc/guide/images/src/allusersgroup-en.svg
@@ -0,0 +1,184 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+<svg
+   xmlns:dc="http://purl.org/dc/elements/1.1/"
+   xmlns:cc="http://web.resource.org/cc/"
+   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   width="419.4133"
+   height="107.84196"
+   id="svg2"
+   sodipodi:version="0.32"
+   inkscape:version="0.45.1"
+   version="1.0"
+   sodipodi:docbase="/home/andreas/palestra"
+   sodipodi:docname="allusersgroup-en.svg"
+   inkscape:output_extension="org.inkscape.output.svg.inkscape"
+   inkscape:export-filename="/home/andreas/palestra/ppolicy.png"
+   inkscape:export-xdpi="136.2"
+   inkscape:export-ydpi="136.2">
+  <defs
+     id="defs4">
+    <marker
+       inkscape:stockid="Arrow2Lstart"
+       orient="auto"
+       refY="0"
+       refX="0"
+       id="Arrow2Lstart"
+       style="overflow:visible">
+      <path
+         id="path3201"
+         style="font-size:12px;fill-rule:evenodd;stroke-width:0.625;stroke-linejoin:round"
+         d="M 8.7185878,4.0337352 L -2.2072895,0.016013256 L 8.7185884,-4.0017078 C 6.97309,-1.6296469 6.9831476,1.6157441 8.7185878,4.0337352 z "
+         transform="matrix(1.1,0,0,1.1,1.1,0)" />
+    </marker>
+    <marker
+       inkscape:stockid="Arrow2Lend"
+       orient="auto"
+       refY="0"
+       refX="0"
+       id="Arrow2Lend"
+       style="overflow:visible">
+      <path
+         id="path8347"
+         style="font-size:12px;fill-rule:evenodd;stroke-width:0.625;stroke-linejoin:round"
+         d="M 8.7185878,4.0337352 L -2.2072895,0.016013256 L 8.7185884,-4.0017078 C 6.97309,-1.6296469 6.9831476,1.6157441 8.7185878,4.0337352 z "
+         transform="matrix(-1.1,0,0,-1.1,-1.1,0)" />
+    </marker>
+  </defs>
+  <sodipodi:namedview
+     id="base"
+     pagecolor="#ffffff"
+     bordercolor="#666666"
+     borderopacity="1.0"
+     inkscape:pageopacity="0.0"
+     inkscape:pageshadow="2"
+     inkscape:zoom="2.3724279"
+     inkscape:cx="216.23418"
+     inkscape:cy="53.920976"
+     inkscape:document-units="px"
+     inkscape:current-layer="layer1"
+     showgrid="true"
+     showguides="true"
+     inkscape:window-width="1280"
+     inkscape:window-height="953"
+     inkscape:window-x="0"
+     inkscape:window-y="24"
+     inkscape:guide-bbox="true" />
+  <metadata
+     id="metadata7">
+    <rdf:RDF>
+      <cc:Work
+         rdf:about="">
+        <dc:format>image/svg+xml</dc:format>
+        <dc:type
+           rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
+      </cc:Work>
+    </rdf:RDF>
+  </metadata>
+  <g
+     inkscape:label="Camada 1"
+     inkscape:groupmode="layer"
+     id="layer1"
+     transform="translate(-29.134918,-34.695504)">
+    <text
+       xml:space="preserve"
+       style="font-size:12px;font-style:normal;font-weight:normal;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;font-family:Bitstream Vera Sans"
+       x="116.88309"
+       y="48.033184"
+       id="text2170"
+       inkscape:export-filename="/home/andreas/palestra/allmail.png"
+       inkscape:export-xdpi="136.2"
+       inkscape:export-ydpi="136.2"><tspan
+         sodipodi:role="line"
+         id="tspan2172"
+         x="116.88309"
+         y="48.033184">DN: cn=allusers,ou=group,dc=example,dc=com</tspan><tspan
+         sodipodi:role="line"
+         x="116.88309"
+         y="63.033184"
+         id="tspan2174">cn: all</tspan><tspan
+         sodipodi:role="line"
+         x="116.88309"
+         y="78.033184"
+         id="tspan5379">objectClass: <tspan
+   style="font-weight:bold"
+   id="tspan5396">groupOfNames</tspan></tspan><tspan
+         sodipodi:role="line"
+         x="116.88309"
+         y="92.036435"
+         id="tspan3413"
+         style="font-size:11px;font-weight:bold">labeledURI<tspan
+   style="font-weight:normal"
+   id="tspan5410">: ldap:///ou=People,dc=example,dc=com??</tspan></tspan><tspan
+         sodipodi:role="line"
+         x="116.88309"
+         y="105.78643"
+         style="font-size:11px;font-weight:normal"
+         id="tspan5386">    one?(objectClass=inetOrgPerson)</tspan><tspan
+         sodipodi:role="line"
+         x="116.88309"
+         y="120.53318"
+         id="tspan2180"><tspan
+   style="font-weight:bold"
+   id="tspan5400">member</tspan>: uid=john,ou=people,dc=example,dc=com</tspan><tspan
+         sodipodi:role="line"
+         x="116.88309"
+         y="135.53318"
+         id="tspan3411"><tspan
+   style="font-weight:bold"
+   id="tspan5404">member</tspan>: uid=mary,ou=people,dc=example,dc=com</tspan></text>
+    <rect
+       style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1.05301607px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+       id="rect7321"
+       width="335.34296"
+       height="106.78895"
+       x="112.67875"
+       y="35.222012"
+       inkscape:export-filename="/home/andreas/palestra/allmail.png"
+       inkscape:export-xdpi="136.2"
+       inkscape:export-ydpi="136.2" />
+    <rect
+       style="opacity:0.28915663;fill:#aa9ab2;fill-opacity:1;stroke:none;stroke-width:0.69669151;stroke-opacity:1"
+       id="rect7323"
+       width="329.5397"
+       height="29.000132"
+       x="114.97823"
+       y="110.02328"
+       inkscape:export-filename="/home/andreas/palestra/allmail.png"
+       inkscape:export-xdpi="136.2"
+       inkscape:export-ydpi="136.2" />
+    <text
+       xml:space="preserve"
+       style="font-size:12px;font-style:normal;font-weight:normal;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;font-family:Bitstream Vera Sans"
+       x="28.484528"
+       y="99.799805"
+       id="text4394"
+       inkscape:export-filename="/home/andreas/palestra/allmail.png"
+       inkscape:export-xdpi="136.2"
+       inkscape:export-ydpi="136.2"><tspan
+         sodipodi:role="line"
+         x="28.484528"
+         y="99.799805"
+         id="tspan5390">DNs of</tspan><tspan
+         sodipodi:role="line"
+         x="28.484528"
+         y="114.7998"
+         id="tspan2186">search</tspan><tspan
+         sodipodi:role="line"
+         x="28.484528"
+         y="129.7998"
+         id="tspan2188">results</tspan></text>
+    <path
+       style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;marker-end:url(#Arrow2Lend);stroke-opacity:1"
+       d="M 108.91035,92.832512 C 59.12768,98.112492 59.881964,116.96956 108.15606,124.51239"
+       id="path4400"
+       sodipodi:nodetypes="cc"
+       inkscape:export-filename="/home/andreas/palestra/allmail.png"
+       inkscape:export-xdpi="136.2"
+       inkscape:export-ydpi="136.2" />
+  </g>
+</svg>
diff --git a/doc/guide/images/src/refint.svg b/doc/guide/images/src/refint.svg
new file mode 100644
index 0000000000..5a118f762c
--- /dev/null
+++ b/doc/guide/images/src/refint.svg
@@ -0,0 +1,199 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+<svg
+   xmlns:dc="http://purl.org/dc/elements/1.1/"
+   xmlns:cc="http://web.resource.org/cc/"
+   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   width="412.04193"
+   height="172.80376"
+   id="svg2"
+   sodipodi:version="0.32"
+   inkscape:version="0.45.1"
+   version="1.0"
+   sodipodi:docbase="/home/andreas/palestra"
+   sodipodi:docname="refint.svg"
+   inkscape:output_extension="org.inkscape.output.svg.inkscape">
+  <defs
+     id="defs4">
+    <marker
+       inkscape:stockid="Arrow2Lend"
+       orient="auto"
+       refY="0"
+       refX="0"
+       id="Arrow2Lend"
+       style="overflow:visible">
+      <path
+         id="path8347"
+         style="font-size:12px;fill-rule:evenodd;stroke-width:0.625;stroke-linejoin:round"
+         d="M 8.7185878,4.0337352 L -2.2072895,0.016013256 L 8.7185884,-4.0017078 C 6.97309,-1.6296469 6.9831476,1.6157441 8.7185878,4.0337352 z "
+         transform="matrix(-1.1,0,0,-1.1,-1.1,0)" />
+    </marker>
+  </defs>
+  <sodipodi:namedview
+     id="base"
+     pagecolor="#ffffff"
+     bordercolor="#666666"
+     borderopacity="1.0"
+     inkscape:pageopacity="0.0"
+     inkscape:pageshadow="2"
+     inkscape:zoom="1.386"
+     inkscape:cx="381.27532"
+     inkscape:cy="98.970161"
+     inkscape:document-units="px"
+     inkscape:current-layer="layer1"
+     showgrid="true"
+     showguides="false"
+     inkscape:window-width="1278"
+     inkscape:window-height="724"
+     inkscape:window-x="0"
+     inkscape:window-y="25" />
+  <metadata
+     id="metadata7">
+    <rdf:RDF>
+      <cc:Work
+         rdf:about="">
+        <dc:format>image/svg+xml</dc:format>
+        <dc:type
+           rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
+      </cc:Work>
+    </rdf:RDF>
+  </metadata>
+  <g
+     inkscape:label="Camada 1"
+     inkscape:groupmode="layer"
+     id="layer1"
+     transform="translate(-29.66815,-34.695504)">
+    <g
+       id="g7325"
+       transform="translate(-297.25829,101.81818)">
+      <g
+         transform="translate(233.76623,-28.71069)"
+         id="g7289">
+        <text
+           xml:space="preserve"
+           style="font-size:12px;font-style:normal;font-weight:normal;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;font-family:Bitstream Vera Sans"
+           x="124.81962"
+           y="80.50071"
+           id="text2160"><tspan
+             sodipodi:role="line"
+             id="tspan2162"
+             x="124.81962"
+             y="80.50071"
+             style="font-weight:normal">DN: uid=john,ou=people,dc=example,dc=com</tspan><tspan
+             sodipodi:role="line"
+             x="124.81962"
+             y="95.50071"
+             id="tspan2164">uid: john</tspan><tspan
+             sodipodi:role="line"
+             x="124.81962"
+             y="110.50071"
+             id="tspan2166">mail: john@example.com</tspan><tspan
+             sodipodi:role="line"
+             x="124.81962"
+             y="125.50071"
+             id="tspan2168">(...)</tspan></text>
+        <rect
+           style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.79348463px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+           id="rect2182"
+           width="298.90784"
+           height="68.027596"
+           x="121.10886"
+           y="65.967438" />
+        <rect
+           style="opacity:0.28915663;fill:#aa9ab2;fill-opacity:1;stroke:none;stroke-width:0.69669151;stroke-opacity:1"
+           id="rect3159"
+           width="298.28311"
+           height="17.619322"
+           x="121.06046"
+           y="66.674454" />
+      </g>
+      <text
+         xml:space="preserve"
+         style="font-size:12px;font-style:normal;font-weight:normal;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;font-family:Bitstream Vera Sans"
+         x="358.58585"
+         y="51.79002"
+         id="text7300"><tspan
+           sodipodi:role="line"
+           id="tspan7302"
+           x="358.58585"
+           y="51.79002"
+           style="font-weight:normal">DN: uid=john,ou=people,dc=example,dc=com</tspan><tspan
+           sodipodi:role="line"
+           x="358.58585"
+           y="66.79002"
+           id="tspan7304">uid: john</tspan><tspan
+           sodipodi:role="line"
+           x="358.58585"
+           y="81.79002"
+           id="tspan7306">mail: john@example.com</tspan><tspan
+           sodipodi:role="line"
+           x="358.58585"
+           y="96.79002"
+           id="tspan7308">(...)</tspan></text>
+      <rect
+         style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.79348463px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+         id="rect7310"
+         width="298.90784"
+         height="68.027596"
+         x="354.87509"
+         y="37.256748" />
+      <rect
+         style="opacity:0.28915663;fill:#aa9ab2;fill-opacity:1;stroke:none;stroke-width:0.69669151;stroke-opacity:1"
+         id="rect7312"
+         width="298.28311"
+         height="17.619322"
+         x="354.82669"
+         y="37.963764" />
+    </g>
+    <text
+       xml:space="preserve"
+       style="font-size:12px;font-style:normal;font-weight:normal;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;font-family:Bitstream Vera Sans"
+       x="116.88309"
+       y="48.033184"
+       id="text2170"><tspan
+         sodipodi:role="line"
+         id="tspan2172"
+         x="116.88309"
+         y="48.033184">DN: cn=tech,ou=group,dc=example,dc=com</tspan><tspan
+         sodipodi:role="line"
+         x="116.88309"
+         y="63.033184"
+         id="tspan2174">cn: tech</tspan><tspan
+         sodipodi:role="line"
+         x="116.88309"
+         y="78.033184"
+         id="tspan2176"
+         style="font-weight:normal">member: uid=john,ou=people,dc=example,dc=com</tspan><tspan
+         sodipodi:role="line"
+         x="116.88309"
+         y="93.033184"
+         id="tspan2178">member: uid=mary,ou=people,dc=example,dc=com</tspan><tspan
+         sodipodi:role="line"
+         x="116.88309"
+         y="108.03318"
+         id="tspan2180">(...)</tspan></text>
+    <rect
+       style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.8948347px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+       id="rect7321"
+       width="328.38803"
+       height="78.748756"
+       x="112.59964"
+       y="35.142921" />
+    <rect
+       style="opacity:0.28915663;fill:#aa9ab2;fill-opacity:1;stroke:none;stroke-width:0.69669151;stroke-opacity:1"
+       id="rect7323"
+       width="329.30765"
+       height="17.619322"
+       x="112.40244"
+       y="65.054672" />
+    <path
+       style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;marker-end:url(#Arrow2Lend);stroke-opacity:1"
+       d="M 54.112554,146.87878 C -1.5132611,141.59779 49.816091,72.233662 106.06061,73.285704"
+       id="path7352"
+       sodipodi:nodetypes="cc" />
+  </g>
+</svg>