From: Howard Chu Date: Sat, 15 Jun 2002 01:00:50 +0000 (+0000) Subject: Cleanup grammar, etc. X-Git-Tag: NO_SLAP_OP_BLOCKS~1444 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=bdd0c38571bf81dc245f49e2b6615ea77771d52e;p=openldap Cleanup grammar, etc. --- diff --git a/doc/guide/admin/config.sdf b/doc/guide/admin/config.sdf index 7dc2b9e1eb..c0d62ee356 100644 --- a/doc/guide/admin/config.sdf +++ b/doc/guide/admin/config.sdf @@ -27,7 +27,7 @@ H2: Local Directory Service with Referrals In this configuration, you run a slapd which provides directory service for your local domain and configure it to return referrals to a -{{superior}} service capable of requests outside your local domain. +{{superior}} service capable of handling requests outside your local domain. You may run this service yourself or use one provided to you. This configuration is shown in Figure 3.2. @@ -47,7 +47,7 @@ is shown in figure 3.3. !import "config_repl.gif"; align="center"; title="Replicated Directory Services" FT[align="Center"] Figure 3.3: Replicated Directory Services -This configuration can be used in conjunction with either of first +This configuration can be used in conjunction with either of the first two configurations in situations where a single slapd does not provide the required reliability or availability. diff --git a/doc/guide/admin/dbtools.sdf b/doc/guide/admin/dbtools.sdf index 5e30e75ac2..a829a9bb8b 100644 --- a/doc/guide/admin/dbtools.sdf +++ b/doc/guide/admin/dbtools.sdf @@ -143,7 +143,7 @@ For example: > directory /usr/local/var/openldap-data -Finally, you need to specify which indexes you want to build. This +Finally, you need to specify which indices you want to build. This is done by one or more index options. > index { | default} [pres,eq,approx,sub,none] 
@@ -153,15 +153,16 @@ For example: > index cn,sn,uid pres,eq,sub > index objectClass eq -This would create presence, equality and substring indexes for +This would create presence, equality and substring indices for the {{EX:cn}}, {{EX:sn}}, and {{EX:uid}} attributes and an equality -index for the {{EX:objectClass}} attribute. See the configuration -file section for more information on this option. +index for the {{EX:objectClass}} attribute. See +{{SECT:The slapd Configuration File}} section +for more information on this option. H3: The {{EX:slapadd}} program Once you've configured things to your liking, you create the primary -database and associated indexes by running the {{slapadd}}(8) +database and associated indices by running the {{slapadd}}(8) program: > slapadd -l -f @@ -178,7 +179,7 @@ section). > -f Specifies the slapd configuration file that tells where to create -the indexes, what indexes to create, etc. +the indices, what indices to create, etc. > -d diff --git a/doc/guide/admin/install.sdf b/doc/guide/admin/install.sdf index a38727bb7d..0922915155 100644 --- a/doc/guide/admin/install.sdf +++ b/doc/guide/admin/install.sdf @@ -23,8 +23,8 @@ The project makes available two series of packages for {{general use}}. The project makes {{releases}} as new features and bug fixes come available. Though the project takes steps to improve stablity of these releases, it is common for problems to arise -only after {{release}}. The latest {{release}} which has -demonstrated stability through general use. +only after {{release}}. The {{Stable}} release is the latest +{{release}} which has demonstrated stability through general use. Users of OpenLDAP Software can choose, depending on their desire for the {{latest features}} versus {{demonstrated stability}}, 
@@ -57,7 +57,7 @@ you may have to download and install a number of additional software packages. This section details commonly needed third party software packages you might have to install. Note that some of these third party packages may depend on additional software -packages. Install each package per installation instructions +packages. Install each package per the installation instructions provided with it. @@ -114,7 +114,7 @@ H3: Database Software OpenLDAP's {{slapd}}(8) primary database backend, {{TERM:BDB}}, requires {{ORG[expand]Sleepycat}} {{PRD:Berkeley DB}}, version 4. If not available at configure time, you will not be able build -{{slapd}}(8) with primary database backend. +{{slapd}}(8) with this primary database backend. Your operating system may provide {{PRD:Berkeley DB}}, version 4, in the base system or as an optional software component. If not, @@ -127,7 +127,7 @@ the latest release, version 4.0, is recommended. This package is required if you wish to use the {{TERM:BDB}} database backend. OpenLDAP's {{slapd}}(8) LDBM backend supports a variety of data -base managers {{PRD:Berkeley DB}} and {{PRD:GDBM}}. {{PRD:GDBM}} +base managers including {{PRD:Berkeley DB}} and {{PRD:GDBM}}. {{PRD:GDBM}} is available from {{ORG:FSF}}'s download site {{URL: ftp://ftp.gnu.org/pub/gnu/gdbm/}}. @@ -144,8 +144,8 @@ of the OpenLDAP FAQ {{URL: http://www.openldap.org/faq/}}. H3: TCP Wrappers -{{slapd}}(8) supports TCP wrappers (IP level access control filters) -if preinstalled. Use of TCP wrappers or other IP-level access +{{slapd}}(8) supports TCP Wrappers (IP level access control filters) +if preinstalled. Use of TCP Wrappers or other IP-level access filters (such as those provided by an IP-level firewall) is recommended for servers containing non-public information. 
@@ -181,9 +181,9 @@ environment variables. > [[env] settings] ./configure [options] As an example, let's assume that we want to install OpenLDAP with -LDBM backend and TCP wrapper support. By default, LDBM -is enabled and TCP wrappers is not. So, we just need to specify -{{EX:--with-wrappers}} to include TCP wrapper support: +BDB backend and TCP Wrappers support. By default, BDB +is enabled and TCP Wrappers is not. So, we just need to specify +{{EX:--with-wrappers}} to include TCP Wrappers support: > ./configure --with-wrappers @@ -247,7 +247,7 @@ By default OpenLDAP is installed in {{F:/usr/local}}. If you changed this setting with the {{EX:--prefix}} configure option, it will be installed in the location you provided. -Typically, the installation typically requires super-user priviledges. +Typically, the installation requires {{super-user}} privileges. From the top level OpenLDAP source directory, type: > su root -c 'make install' @@ -255,5 +255,5 @@ From the top level OpenLDAP source directory, type: You should examine the output of this command carefully to make sure everything is installed correctly. You will find the configuration files for {{slapd}}(8) in {{F:/usr/local/etc/openldap}} by default. See the -{{SECT:The slapd Configuration File}} chapter for additional information. +chapter {{SECT:The slapd Configuration File}} for additional information. diff --git a/doc/guide/admin/intro.sdf b/doc/guide/admin/intro.sdf index bbc7f10200..6a232bdcb1 100644 --- a/doc/guide/admin/intro.sdf +++ b/doc/guide/admin/intro.sdf 
@@ -16,14 +16,14 @@ provided by {{slapd}}(8). H2: What is a directory service? -A directory is specialized database optimized for reading, browsing +A directory is a specialized database optimized for reading, browsing and searching. Directories tend to contain descriptive, attribute-based information and support sophisticated filtering capabilities. Directories generally do not support complicated transaction or roll-back schemes found in database management systems designed for handling high-volume complex updates. Directory updates are typically simple all-or-nothing changes, if they are allowed at -all. Directories are tuned to give quick-response to high-volume +all. Directories are tuned to give quick response to high-volume lookup or search operations. They may have the ability to replicate information widely in order to increase availability and reliability, while reducing response time. When directory information is @@ -64,8 +64,8 @@ collection of attributes that has a globally-unique {{TERM[expand]DN}} the entry's attributes has a {{type}} and one or more {{values}}. The types are typically mnemonic strings, like "{{EX:cn}}" for common name, or "{{EX:mail}}" for email address. The syntax of -values depend on the attribute type is. For example, {{EX:cn}} -attribute might be the value {{EX:Babs Jensen}}. A {{EX:mail}} +values depend on the attribute type. For example, a {{EX:cn}} +attribute might contain the value {{EX:Babs Jensen}}. A {{EX:mail}} attribute might contain the value "{{EX:babs@example.com}}". A {{EX:jpegPhoto}} attribute would contain a photograph in the JPEG (binary) format. 
@@ -73,7 +73,7 @@ attribute might contain the value "{{EX:babs@example.com}}". A {{How is the information arranged?}} In LDAP, directory entries are arranged in a hierarchical tree-like structure. Traditionally, this structure reflected the geographic and/or organizational -boundaries. Entries representing countries appeared at the top of +boundaries. Entries representing countries appear at the top of the tree. Below them are entries representing states and national organizations. Below them might be entries representing organizational units, people, printers, documents, or just about anything else @@ -86,7 +86,7 @@ FT[align="Center"] Figure 1.1: LDAP directory tree (traditional naming) The tree may also be arranged based upon Internet domain names. This naming approach is becoming increasing popular as it allows -for directory services to be locating using the {{DNS}}. +for directory services to be located using the {{DNS}}. Figure 1.2 shows an example LDAP directory tree using domain-based naming. @@ -156,9 +156,9 @@ H2: What about X.500? Technically, {{TERM:LDAP}} is a directory access protocol to an {{TERM:X.500}} directory service, the {{TERM:OSI}} directory service. -Initially, LDAP clients accessed gateways to directory service. -This gateway ran LDAP (between the client and gateway) and X.500's -{{TERM[expand]DAP}} ({{TERM:DAP}}) (between the gateway and the +Initially, LDAP clients accessed gateways to the X.500 directory service. +This gateway ran LDAP between the client and gateway and X.500's +{{TERM[expand]DAP}} ({{TERM:DAP}}) between the gateway and the X.500 server. DAP is a heavyweight protocol that operates over a full OSI protocol stack and requires a significant amount of computing resources. LDAP is designed to operate over 
@@ -190,11 +190,11 @@ replication. H2: What is the difference between LDAPv2 and LDAPv3? -LDAPv3 was developed in late 1990's to replace LDAPv2. +LDAPv3 was developed in the late 1990's to replace LDAPv2. LDAPv3 adds the following features to LDAP: - Strong Authentication via {{TERM:SASL}} - - Integrity and Confidential Protections via {{TERM:TLS}} (SSL) + - Integrity and Confidentiality Protection via {{TERM:TLS}} (SSL) - Internationalization through the use of Unicode - Referrals and Continuations - Extensibility (controls and extended operations) @@ -240,7 +240,7 @@ and other criteria. {{slapd}} supports both {{static}} and {{B:Internationalization}}: {{slapd}} supports Unicode and language tags. -{{B:Choice of databases backends}}: {{slapd}} comes with a variety +{{B:Choice of database backends}}: {{slapd}} comes with a variety of different database backends you can choose from. They include {{TERM:BDB}}, a high-performance transactional database backend; {{TERM:LDBM}}, a lightweight DBM based backend; {{SHELL}}, a backend @@ -270,7 +270,7 @@ programming languages ({{PRD:Perl}}, {{shell}}, {{PRD:SQL}}, and {{B:Threads}}: {{slapd}} is threaded for high performance. A single multi-threaded {{slapd}} process handles all incoming requests using a pool of threads. This reduces the amount of system overhead -required while proving high performance. +required while providing high performance. {{B:Replication}}: {{slapd}} can be configured to maintain replica copies of its database. This {{single-master/multiple-slave}} diff --git a/doc/guide/admin/quickstart.sdf b/doc/guide/admin/quickstart.sdf index f3467dad2b..5f7515eed8 100644 --- a/doc/guide/admin/quickstart.sdf +++ b/doc/guide/admin/quickstart.sdf 
@@ -7,7 +7,7 @@ H1: A Quick-Start Guide The following is a quick start guide to OpenLDAP 2.1 software, including the stand-alone LDAP daemon, {{slapd}}(8). -It is meant to step you through the basic steps needed to install +It is meant to walk you through the basic steps needed to install and configure OpenLDAP software. It should be used in conjunction with the other chapters of this document, manual pages, and other materials provided with the distribution (e.g. the {{F:INSTALL}} @@ -70,7 +70,7 @@ software and installation procedures. +{{B: Run {{EX:configure}}}} . You will need to run the provided {{EX:configure}} script to -{{configure}} to the distribution for building on your system. The +{{configure}} the distribution for building on your system. The {{EX:configure}} script accepts many command line options that enable or disable optional software features. Usually the defaults are okay, but you may want to change them. To get a complete list of options @@ -78,8 +78,8 @@ that {{EX:configure}} accepts, use the {{EX:--help}} option: ..{{EX:./configure --help}} -. However, given that you using this guide, we'll assume you'll -are brave enough to just let {{EX:configure}} to determine +. However, given that you are using this guide, we'll assume you +are brave enough to just let {{EX:configure}} determine what's best: ..{{EX:./configure}} @@ -122,8 +122,8 @@ be skipped. .{{S: }} +{{B:Install the software}}. -. You are now ready to install the software, this usually requires -{{super-user}} privledges: +. You are now ready to install the software; this usually requires +{{super-user}} privileges: ..{{EX:su root -c 'make install'}} 
@@ -136,7 +136,7 @@ whatever installation prefix was used by {{EX:configure}}). . Use your favorite editor to edit the provided {{slapd.conf}}(5) example (usually installed as {{F:/usr/local/etc/openldap/slapd.conf}}) -to contain an BDB database definition of the form: +to contain a BDB database definition of the form: ..{{EX:database bdb}} ..{{EX:suffix "dc=,dc="}} @@ -272,8 +272,8 @@ to everybody}} excepting the {{super-user}} (as specified by the {{EX:rootdn}} configuration directive). It is highly recommended that you establish controls to restrict access to authorized users. Access controls are discussed in the {{SECT:Access Control}} section -of the {{SECT:The slapd Configuration File}} chapter. You are also -encouraged to read {{SECT:Security Considerations}}, {{SECT:Using +of {{SECT:The slapd Configuration File}} chapter. You are also +encouraged to read the {{SECT:Security Considerations}}, {{SECT:Using SASL}} and {{SECT:Using TLS}} sections. The following chapters provide more detailed information on making, diff --git a/doc/guide/admin/referrals.sdf b/doc/guide/admin/referrals.sdf index 9387e81193..f4057d1c12 100644 --- a/doc/guide/admin/referrals.sdf +++ b/doc/guide/admin/referrals.sdf @@ -25,7 +25,7 @@ Subordinate knowledge information is maintained in the directory as a special {{referral}} object at the delegate point. The referral object acts as a delegation point, gluing two services together. -This mechanism allows for hierarchical directory services to to be +This mechanism allows for hierarchical directory services to be constructed. A referral object has a structural object class of 
@@ -84,7 +84,7 @@ Superior knowledge information may be specified using the {{EX:referral}} directive. The value is a list of {{TERM:URI}}s referring to superior directory services. For servers without immediate superiors, such as for {{EX:a.example.net}} in the example -above, the server can be configured to use directory service with +above, the server can be configured to use a directory service with {{global knowledge}}, such as the {{OpenLDAP Root Service}} ({{URL:http://www.openldap.org/faq/index.cgi?file=393}}). @@ -96,8 +96,8 @@ as follows: > referral ldap://a.example.net/ -The server uses this information to generate referrals to -operations acting upon operations not within or subordinate +The server uses this information to generate referrals for +operations acting upon entries not within or subordinate to any of the naming contexts held by the server. For those familiar with X.500, this use of the {{EX:ref}} attribute diff --git a/doc/guide/admin/replication.sdf b/doc/guide/admin/replication.sdf index ed32a9431a..d25c2b59c8 100644 --- a/doc/guide/admin/replication.sdf +++ b/doc/guide/admin/replication.sdf @@ -98,7 +98,7 @@ This section details commonly used {{slurpd}}(8) command-line options. This option sets the slurpd debug level to {{EX: }}. When level is a `?' character, the various debugging levels are -printed and slapd exits, regardless of any other options +printed and slurpd exits, regardless of any other options you give it. Current debugging levels (a subset of slapd's debugging levels) are 
@@ -240,8 +240,14 @@ Suffix Database In general, you should copy each file found in the database {{EX: directory}} unless you know it is not used by {{slapd}}(8). -Note: The copy process assumes homogeneous servers with -identically configured OpenLDAP installations. +Note: This copy process assumes homogeneous servers with +identically configured OpenLDAP installations. Alternatively, +you may use {{slapcat}} to output the master's database in LDIF +format and use the LDIF with {{slapadd}} to populate the +slave. Using LDIF avoids any potential incompatibilities due +to differing server architectures or software configurations. +See the {{SECT:Database Creation and Maintenance Tools}} +chapter for details on these tools. H3: Configure the master slapd for replication diff --git a/doc/guide/admin/sasl.sdf b/doc/guide/admin/sasl.sdf index 44f84f8c65..3a52fcdb63 100644 --- a/doc/guide/admin/sasl.sdf +++ b/doc/guide/admin/sasl.sdf @@ -42,7 +42,7 @@ briefly outlines security considerations. Some mechanisms, such as PLAIN and LOGIN, offer no greater security over LDAP "simple" authentication. Like "simple" authentication, such mechanisms should not be used unless you have adequate security -protections in place. It is recommended that these mechanism be +protections in place. It is recommended that these mechanisms be used only in conjunction with {{TERM[expand]TLS}} (TLS). Use of PLAIN and LOGIN are not discussed further in this document. @@ -57,7 +57,7 @@ password mechanisms. The CRAM-MD5 mechanism is deprecated in favor of DIGEST-MD5. Use of {{SECT:DIGEST-MD5}} is discussed below. The KERBEROS_V4 mechanism utilizes Kerberos IV to provide secure -authentication services. There are also GSSAPI based mechanisms +authentication services. There is also a GSSAPI based mechanism which is generally used in conjunction with Kerberos V. Kerberos is viewed as a secure, distributed authentication system suitable for both small and large enterprises. Use of {{SECT:KERBEROS_V4}} 
@@ -94,7 +94,7 @@ H3: KERBEROS_V4 This section describes the use of the SASL KERBEROS_V4 mechanism with OpenLDAP. It will be assumed that you are familiar with the -workings of Kerberos IV security system, and that your site has +workings of the Kerberos IV security system, and that your site has Kerberos IV deployed. Your users should be familiar with authentication policy, how to receive credentials in a Kerberos ticket cache, and how to refresh expired credentials. @@ -259,7 +259,7 @@ of the user. Anything from the authentication request DN that matched a string in parenthesis in the search pattern is stored in the variable "$1". That variable "$1" can appear in the replacement pattern, and will be replaced by the string from the authentication -request DN. If there were multiple sets of parenthesis in the search +request DN. If there were multiple sets of parentheses in the search pattern, the variables $2, $3, etc are used. For example, suppose the user's authentication identity is written diff --git a/doc/guide/admin/schema.sdf b/doc/guide/admin/schema.sdf index 57ee01cc92..7eac76a151 100644 --- a/doc/guide/admin/schema.sdf +++ b/doc/guide/admin/schema.sdf @@ -96,7 +96,7 @@ OID Assignment You are, of course, free to design a hierarchy suitable to your organizational needs under your organization's OID. No matter what hierarchy you choose, you should maintain a registry of -assignments you make. This can be a simple flat file or a +assignments you make. This can be a simple flat file or something more sophisticated such as the {{OpenLDAP OID Registry}} ({{URL:http://www.openldap.org/faq/index.cgi?file=197}}). 
@@ -106,12 +106,12 @@ service) see {{URL:http://www.alvestrand.no/harald/objectid/}}. .{{Under no circumstances should you use a fictitious OID!}} To obtain a fully registered OID at {{no cost}}, apply for -an OID under {{ORG[expand]IANA}} (IANA) maintained +an OID under the {{ORG[expand]IANA}} (IANA) maintained {{Private Enterprise}} arch. Any private enterprise (organization) may request an OID to be assigned under this arch. Just fill out the {{ORG:IANA}} form at {{URL: http://www.iana.org/cgi-bin/enterprise.pl}} and your official OID will be sent to you usually within a few days. -Your base OID will be something like {{EX:1.3.6.1.4.1.X}} were {{EX:X}} +Your base OID will be something like {{EX:1.3.6.1.4.1.X}} where {{EX:X}} is an integer. Note: Don't let the "MIB/SNMP" statement on the IANA page confuse you. @@ -199,7 +199,7 @@ where Attribute Type Description is defined by the following where whsp is a space ('{{EX: }}'), numericoid is a globally unique OID in dotted-decimal form (e.g. {{EX:1.1.0}}), qdescrs is one or more names, woid is either the name or OID optionally followed -length specifier (e.g {{EX:{10}}}). +by a length specifier (e.g {{EX:{10}}}). For example, the attribute types {{EX:name}} and {{EX:cn}} are defined in {{F:core.schema}} as: @@ -218,7 +218,7 @@ and a brief description. Each name is an alias for the OID. {{slapd}}(8) returns the first listed name when returning results. The first attribute, {{EX:name}}, holds values of {{EX:directoryString}} -(UTF-8 encoded Unicode) syntax. The syntax are specified by OID +(UTF-8 encoded Unicode) syntax. The syntax is specified by OID (1.3.6.1.4.1.1466.115.121.1.15 identifies the directoryString syntax). A length recommendation of 32768 is specified. Servers should support values of this length, but may support longer values 
@@ -478,10 +478,10 @@ The following demonstrates definition of a set of OID macros and their use in defining schema elements: > objectIdentifier myOID 1.1 -> objectIdentifier mySNMP myOrgOID:1 -> objectIdentifier myLDAP myOrgOID:2 -> objectIdentifier myAttributeType myOrgLDAP:1 -> objectIdentifier myObjectClass myOrgLDAP:2 +> objectIdentifier mySNMP myOID:1 +> objectIdentifier myLDAP myOID:2 +> objectIdentifier myAttributeType myLDAP:1 +> objectIdentifier myObjectClass myLDAP:2 > attributetype ( myAttributeType:3 NAME 'myPhotoURI' > DESC 'URI and optional label referring to a photo' > SUP labeledURI ) diff --git a/doc/guide/admin/slapdconfig.sdf b/doc/guide/admin/slapdconfig.sdf index 42a9cf8ffa..5f58324bb4 100644 --- a/doc/guide/admin/slapdconfig.sdf +++ b/doc/guide/admin/slapdconfig.sdf @@ -23,7 +23,7 @@ information: global, backend specific, and database specific. Global information is specified first, followed by information associated with a particular backend type, which is then followed by information associated with a particular database instance. Global directives can -be overridden in a backend and/or database directives, backend directives +be overridden in backend and/or database directives, and backend directives can be overridden by database directives. Blank lines and comment lines beginning with a '{{EX:#}}' character @@ -69,7 +69,7 @@ and object classes) are also provided in the H2: Configuration File Directives This section details commonly used configuration directives. For -a complete list, see {{slapd.conf}}(5) manual page. This section +a complete list, see the {{slapd.conf}}(5) manual page. This section separates the configuration file directives into global, backend-specific and data-specific categories, describing each directive and its default value (if any), and giving an example of 
@@ -238,7 +238,7 @@ by database directives. H4: backend This directive marks the beginning of a backend declaration. -{{EX:}} should be one of {{EX:bdb}} or one of other +{{EX:}} should be one of the supported backend types listed in Table 5.2. !block table; align=Center; coltags="EX,N"; \ @@ -259,7 +259,7 @@ tcl TCL Programmable backend \Example: -> database bdb +> backend bdb This marks the beginning of a new {{TERM:BDB}} backend definition. @@ -274,7 +274,7 @@ H4: database This directive marks the beginning of a database instance declaration. -{{EX:}} should be one of {{EX:bdb}} or one of the other +{{EX:}} should be one of the supported backend types listed in Table 5.2. \Example: @@ -374,7 +374,7 @@ Entry-based Example: SASL-based Example: -> rootdn "uid=root@EXAMPLE.COM" +> rootdn "uid=root,cn=example.com,cn=digest-md5,cn=auth" H4: rootpw @@ -421,10 +421,10 @@ Entry-based Example: SASL-based Example: -> updatedn "uid=slurpd@EXAMPLE.COM" +> updatedn "uid=slurpd,cn=example.com,cn=digest-md5,cn=auth" -See the {{SECT:Replication}} chapter for more information on how to -use this directive. +See the {{SECT:Replication with slurpd}} chapter for more information +on how to use this directive. H4: updateref @@ -447,7 +447,7 @@ subsequent "backend" or "database" line. H4: directory This directive specifies the directory where the BDB files -containing the database and associated indexes live. +containing the database and associated indices live. \Default: @@ -477,7 +477,7 @@ associated with each open index file. If not supported by the underlying database method, this directive is ignored without comment. Increasing this number uses more memory but can cause a dramatic performance increase, especially during -modifies or when building indexes. +modifies or when building indices. \Default: 
@@ -493,15 +493,15 @@ of data security. H4: dbnosync -This option causes on-disk database contents not be immediately +This option causes on-disk database contents to not be immediately synchronized with in memory changes upon change. Enabling this option -may improve performance at the expense of data security. +may improve performance at the expense of data integrity. H4: directory This directive specifies the directory where the LDBM files -containing the database and associated indexes live. +containing the database and associated indices live. \Default: @@ -510,9 +510,9 @@ containing the database and associated indexes live. H4: index { | default} [pres,eq,approx,sub,none] -This directive specifies the indexes to maintain for the given +This directive specifies the indices to maintain for the given attribute. If only an {{EX:}} is given, the default -indexes are maintained. +indices are maintained. \Example: @@ -554,13 +554,13 @@ access line is: > ::= access to > [by ]+ -> ::= * | [ dn[.]=] +> ::= * | [ dn[.]=] > [filter=] [attrs=] -> ::= regex | base | one | subtree | children +> ::= regex | exact | base | one | subtree | children > ::= | , > ::= | entry | children > ::= [* | anonymous | users | self | -> dn[.]=] +> dn[.]=] > [dnattr= ] > [group[/[/][.]]= ] > [peername[.]=] @@ -569,7 +569,6 @@ access line is: > [sockurl[.]=] > [set=] > [aci=] -> ::= regex | exact | base | one | subtree | children > ::= regex | exact > ::= [self]{|} > ::= none | auth | compare | search | read | write 
@@ -581,7 +580,9 @@ which the access applies, the {{EX:}} part specifies which entities are granted access, and the {{EX:}} part specifies the access granted. Multiple {{EX: }} triplets are supported, allowing many entities to be granted different -access to the same set of entries and attributes. +access to the same set of entries and attributes. Not all of these +access control options are described here; for more details see +the {{slapd.access}}(5) man page. H3: What to control access to @@ -696,9 +697,9 @@ H3: Access Control Evaluation When evaluating whether some requester should be given access to an entry and/or attribute, slapd compares the entry and/or attribute to the {{EX:}} selectors given in the configuration file. -For each entry, access control provided in the database which holds +For each entry, access controls provided in the database which holds the entry (or the first database if not held in any database) apply -first, followed by the global access directivies. Within this +first, followed by the global access directives. Within this priority, access directives are examined in the order in which they appear in the config file. Slapd stops with the first {{EX:}} selector that matches the entry and/or attribute. The corresponding @@ -832,7 +833,7 @@ E: 3. referral ldap://root.openldap.org E: 4. access to * by * read Line 1 is a comment. Line 2 includes another config file -which containing {{core}} schema definitions. +which contains {{core}} schema definitions. The {{EX:referral}} directive on line 3 means that queries not local to one of the databases defined below will be referred to the LDAP server running on the 
@@ -842,11 +843,11 @@ Line 4 is a global access control. It applies to all entries (after any applicable database-specific access controls). -The next section of the configuration file defines an BDB +The next section of the configuration file defines a BDB backend that will handle queries for things in the "dc=example,dc=com" portion of the tree. The database is to be replicated to two slave slapds, one on -truelies, the other on judgmentday. Indexes are to be +truelies, the other on judgmentday. Indices are to be maintained for several attributes, and the {{EX:userPassword}} attribute is to be protected from unauthorized access. @@ -884,12 +885,12 @@ by the database keyword on line 6. Line 7 specifies the DN suffix for queries to pass to this database. Line 8 specifies the directory in which the database files will live. -Lines 9 and 10 identify the database "super user" entry and associated +Lines 9 and 10 identify the database {{super-user}} entry and associated password. This entry is not subject to access control or size or time limit restrictions. Lines 11 through 18 are for replication. Line 12 specifies the -replication log file (where changes to the database are logged \- +replication log file (where changes to the database are logged - this file is written by slapd and read by slurpd). Lines 13 through 15 specify the hostname and port for a replicated host, the DN to bind as when performing updates, the bind method (simple) and the 
@@ -897,10 +898,10 @@ credentials (password) for the binddn. Lines 16 through 18 specify a second replication site. See the {{SECT:Replication with slurpd}} chapter for more information on these directives. -Lines 20 through 22 indicate the indexes to maintain for various +Lines 20 through 22 indicate the indices to maintain for various attributes. -Lines 24 through 32 specify access control for entries in the this +Lines 24 through 32 specify access control for entries in this database. As this is the first database, the controls also apply to entries not held in any database (such as the Root DSE). For all applicable entries, the {{EX:userPassword}} attribute is writable
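Review bot: In doc/guide/admin/dbtools.sdf, hunk -153,15, the new cross-reference "See {{SECT:The slapd Configuration File}} section" drops the article and calls the target a section, while the install.sdf hunk at -255,5 calls the same target a chapter ("See the chapter {{SECT:The slapd Configuration File}}") and quickstart.sdf -272,8 now reads "of {{SECT:The slapd Configuration File}} chapter". Pick one form, for example "See the {{SECT:The slapd Configuration File}} chapter", and use it in all three places.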
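Review bot: In doc/guide/admin/install.sdf, hunk -23,8, the unchanged line directly above the rewritten sentence still reads "improve stablity of these releases". Since this hunk already touches the paragraph, correct it to "stability" here. The same applies to hunk -114,7, where the context line "you will not be able build" is missing "to" right before the line being fixed.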
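Review bot: In doc/guide/admin/install.sdf, hunk -181,9, the configure example changes from LDBM to BDB ("By default, BDB is enabled and TCP Wrappers is not"), which is a change to the documented default backend and not a grammar fix, yet the commit message only says "Cleanup grammar, etc." Either split this into its own commit or name it in the message so that it can be found later. While here, "TCP Wrappers is not" reads better as "TCP Wrappers support is not".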
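Review bot: In doc/guide/admin/intro.sdf, hunk -64,8, the corrected sentence still has a subject/verb mismatch: "The syntax of values depend on the attribute type." The subject is "syntax", so it should read "depends". In hunk -86,7 the context line "becoming increasing popular" should be "increasingly popular", and it sits next to the line this patch already fixes.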
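Review bot: In doc/guide/admin/replication.sdf, hunk -240,8, the added slapcat/slapadd paragraph does not say what state the master must be in while its database is exported, although the surrounding procedure is about taking a consistent copy. State explicitly whether slapd has to be shut down (or otherwise quiesced) before running slapcat, as the file-copy method presumably requires. Also write the tool names as {{slapcat}}(8) and {{slapadd}}(8) to match the "{{slapadd}}(8)" form used in dbtools.sdf.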
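Review bot: In doc/guide/admin/sasl.sdf, hunk -42,7, the paragraph being corrected is the security guidance for PLAIN and LOGIN, and two errors remain in its context lines: "offer no greater security over LDAP "simple" authentication" should use "than", and "Use of PLAIN and LOGIN are not discussed" should be "is not discussed". Since this is the text that tells administrators to use these mechanisms only with TLS, it is worth getting the whole paragraph clean in the same pass.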
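Review bot: In doc/guide/admin/slapdconfig.sdf, hunks -374,7 and -421,10, the SASL-based examples for rootdn and updatedn change from "uid=root@EXAMPLE.COM" to "uid=root,cn=example.com,cn=digest-md5,cn=auth", which alters the identity format an administrator would copy into a privileged directive and is not covered by "Cleanup grammar, etc." Mention the format change in the commit message, and add a sentence in the text noting that the realm and mechanism components (here example.com and digest-md5) depend on the SASL mechanism in use, with a pointer to the {{SECT:Using SASL}} section, so readers do not paste a DN that will never match their authentication identity.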
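Review bot: In doc/guide/admin/slapdconfig.sdf, hunk -493,15, the dbnosync sentence is still awkward after the fix: "to not be immediately synchronized with in memory changes upon change". Suggest "causes on-disk database contents not to be synchronized immediately with in-memory changes". The switch from "data security" to "data integrity" is right, but the hunk header shows that the preceding option's description still ends in "of data security."; if that option describes the same durability trade-off, it should get the same wording.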