From 0304049dfc709407d567cce5d4827f11672c0cd1 Mon Sep 17 00:00:00 2001
From: Gavin Henry
Date: Mon, 26 May 2008 14:27:00 +0000
Subject: [PATCH] Formatting, spelling and Note: para styles.
---
 doc/guide/admin/aspell.en.pws | 116 ++++++++++++++++++++++------------
 doc/guide/admin/security.sdf | 64 +++++++++++--------
 2 files changed, 114 insertions(+), 66 deletions(-)
diff --git a/doc/guide/admin/aspell.en.pws b/doc/guide/admin/aspell.en.pws
index b523bfba19..e779d4e8d3 100644
--- a/doc/guide/admin/aspell.en.pws
+++ b/doc/guide/admin/aspell.en.pws
@@ -1,12 +1,12 @@
-personal_ws-1.1 en 1598
+personal_ws-1.1 en 1634
 commonName
 bla
 Masarati
 subjectAltName
 api
 BhY
-olcSyncrepl
 olcSyncRepl
+olcSyncrepl
 adamsom
 adamson
 CER
@@ -38,8 +38,8 @@ DIB
 dev
 reqNewSuperior
 librewrite
-memberOf
 memberof
+memberOf
 BSI
 updateref
 buf
@@ -64,6 +64,7 @@ CRP
 postread
 csn
 xvfB
+checkpass
 neverDerefaliases
 dns
 DN's
@@ -87,8 +88,8 @@ dlopen
 eng
 AttributeValue
 attributevalue
-EOF
 DUA
+EOF
 inputfile
 DSP
 refreshDone
@@ -123,10 +124,10 @@ iff
 contextCSN
 auditModify
 auditSearch
-openldap
 OpenLDAP
-resultCode
+openldap
 resultcode
+resultCode
 sysconfig
 indices
 blen
@@ -137,14 +138,17 @@ directoryString
 database's
 iscritical
 gss
+qbuaQ
 ZKKuqbEKJfKSXhUbHG
 invalidAttributeSyntax
 subtree
 Kartik
 newparent
+DkMTwBl
 memcalloc
 ing
 filtertype
+XKqkdPOmY
 regcomp
 ldapmodify
 includedir
@@ -159,13 +163,13 @@ argv
 kdz
 notAllowedOnRDN
 hostport
-starttls
 StartTLS
+starttls
 ldb
 servercredp
 ldd
-ipv
 IPv
+ipv
 hyc
 joe
 bindmethods
@@ -189,16 +193,16 @@ attrstyle
 directoryOperation
 creatorsName
 mem
-oldpasswdfile
 oldPasswdFile
+oldpasswdfile
 uniqueMember
 krb
 libpath
 acknowledgements
 jts
 createTimestamp
-LLL
 MIB
+LLL
 OpenSSL
 openssl
 LOF
@@ -217,6 +221,7 @@ LDAPMatchingRule
 bool
 LRL
 CPPFLAGS
+yWpR
 schemadir
 desc
 lud
@@ -232,14 +237,15 @@ oid
 msg
 attr
 caseExactOrderingMatch
+TmkzUAb
 Subbarao
 aeeiib
 oidlen
 submatches
-olc
 PEM
-PDU
+olc
 OLF
+PDU
 LDAPSchemaExtensionItem
 auth
 Pierangelo
@@ -249,6 +255,7 @@ subdirectories
 OLP
 pwdPolicyChecker
 subst
+mux
 singleLevel
 cleartext
 numattrsets
@@ -277,9 +284,9 @@ rdn
 wZFQrDD
 OTP
 olcSizeLimit
-pos
-sbi
 PRD
+sbi
+pos
 pre
 sudoadm
 stringal
@@ -287,6 +294,7 @@ retoidp
 sdf
 efgh
 accesslog
+PSH
 sed
 cond
 qdescrs
@@ -296,9 +304,10 @@ ldapmodrdn
 sel
 bvec
 TBC
+HtZhZS
 stringbv
-Sep
 SHA
+Sep
 ptr
 conn
 pwd
@@ -315,8 +324,8 @@ myOID
 supportedSASLMechanism
 supportedSASLmechanism
 realnamingcontext
-SMD
 UCD
+SMD
 keytab
 portnumber
 uncached
@@ -329,8 +338,8 @@ sasldb
 UCS
 searchDN
 keytbl
-tgz
 UDP
+tgz
 freemods
 prepend
 errText
@@ -347,22 +356,22 @@ crit
 objectClassViolation
 ssf
 ldapfilter
-rwm
-TOC
 vec
+TOC
+rwm
 pwdChangedTime
 tls
 peernamestyle
 xpasswd
-tmp
 SRP
+tmp
 SSL
 dupbv
 CPUs
 SRV
 entrymods
-rwx
 sss
+rwx
 reqNewRDN
 nopresent
 rebindproc
@@ -372,11 +381,13 @@ syncIdSet
 cron
 accesslevel
 accessor's
+czBJdDqS
 keyval
 alloc
 saslpasswd
 README
 maxentries
+QWGWZpj
 ttl
 undefinedAttributeType
 peercred
@@ -417,10 +428,11 @@ memberURL
 sudoers
 pwdMaxFailure
 pseudorootdn
+MezRroT
 GDBM
 LIBRELEASE
-DSAs
 DSA's
+DSAs
 realloc
 booleanMatch
 compareTrue
@@ -432,6 +444,7 @@ rwxrwxrwx
 al
 realself
 cd
+aQ
 ar
 olcDatabaseConfig
 de
@@ -447,6 +460,7 @@ dn
 fG
 DS
 fi
+EO
 allmail
 du
 eq
@@ -477,8 +491,8 @@ pwdMinLength
 iZ
 ldapdelete
 xyz
-RDBMs
 rdbms
+RDBMs
 extparam
 mk
 ng
@@ -533,6 +547,7 @@ cacert
 notAllowedOnNonLeaf
 attrname
 olcTLSCipherSuite
+Xr
 x's
 xw
 octetStringMatch
@@ -541,8 +556,8 @@ ZZ
 LDVERSION
 testAttr
 backend
-backend's
 backends
+backend's
 BerValues
 Solaris
 structs
@@ -554,9 +569,9 @@ ostring
 policyDN
 testObject
 pwdMaxAge
-bindDn
-bindDN
 binddn
+bindDN
+bindDn
 distributedOperation
 schemachecking
 strvals
@@ -588,6 +603,7 @@ serverctrls
 recursivegroup
 integerMatch
 moduledir
+BlpQmtczb
 dynstyle
 bindpw
 AUTHNAME
@@ -598,14 +614,14 @@ IEEE
 regex
 SIGINT
 slappasswd
-errAbsObject
 errABsObject
+errAbsObject
 ldapexop
-objectidentifier
 objectIdentifier
+objectidentifier
 deallocators
-MirrorMode
 mirrormode
+MirrorMode
 loopDetect
 SIGHUP
 authMethodNotSupported
@@ -622,8 +638,8 @@ filtercomp
 expr
 syntaxes
 memrealloc
-returnCode
 returncode
+returnCode
 OpenLDAP's
 exts
 bitstringa
@@ -638,6 +654,7 @@ ietf
 olcSchemaConfig
 bitstrings
 bvalues
+hmev
 realdnattr
 attrpair
 affectsMultipleDSAs
@@ -646,8 +663,8 @@ lastName
 lldap
 cachesize
 slapauth
-attributetype
 attributeType
+attributetype
 GSER
 olcDbNosync
 typedef
@@ -664,14 +681,16 @@ monitoredObject
 TLSVerifyClient
 noidlen
 LDAPNOINIT
-pwdGraceAuthNLimit
 pwdGraceAuthnLimit
+pwdGraceAuthNLimit
 hnPk
+userpassword
 userPassword
 noanonymous
 LIBVERSION
 symas
 dcedn
+glibc
 sublevel
 chroot
 posixGroup
@@ -682,12 +701,14 @@ frontend
 someotherdomain
 proxying
 organisations
+IMAP
 rewriteMap
 monitoredInfo
-modrdn
-ModRDN
 modrDN
+ModRDN
+modrdn
 HREF
+DQTxCYEApdUtNXGgdUac
 inline
 multiproxy
 reqSizeLimit
@@ -698,8 +719,8 @@ reqReferral
 rlookups
 siiiib
 LTSTATIC
-timeLimitExceeded
 timelimitExceeded
+timeLimitExceeded
 XKYnrjvGT
 subtrees
 unixODBC
@@ -711,8 +732,8 @@ reqDN
 dnstyle
 inet
 schemas
-pwdPolicySubEntry
 pwdPolicySubentry
+pwdPolicySubEntry
 reqId
 scanf
 olcBackend
@@ -721,6 +742,7 @@ Arial
 init
 runtime
 onelevel
+YtNFk
 impl
 Autoconf
 stderr
@@ -737,6 +759,7 @@ olcModuleList
 pwdSafeModify
 html
 multimaster
+GCmfuqEvm
 testrun
 rewriteEngine
 slapdindex
@@ -751,8 +774,8 @@ POSIX
 pathname
 noSuchObject
 proxyOld
-berelement
 BerElement
+berelement
 sbiod
 plugin
 http
@@ -762,8 +785,8 @@ ldbm
 numericStringSubstringsMatch
 internet
 storages
-whoami
 WhoAmI
+whoami
 criticality
 addBlanks
 logins
@@ -772,6 +795,7 @@ dbnum
 operationsError
 homePhone
 testTwo
+BmIwN
 ldif
 entryAlreadyExists
 plaintext
@@ -903,6 +927,7 @@ concat
 realanonymous
 invalue
 refreshOnly
+pwcheck
 filesystem
 Naur
 unwillingToPerform
@@ -924,6 +949,7 @@ negttl
 logevels
 AAQSkZJRgABAAAAAQABAAD
 strcast
+aUihad
 failover
 constraintViolation
 cacheable
@@ -968,6 +994,7 @@ basename
 groupOfUniqueNames
 DHAVE
 ludp
+oPdklp
 entryUUID
 ldapapiinfo
 SampleLDAP
@@ -1013,12 +1040,14 @@ typeB
 nelems
 subord
 namingViolation
+PCOq
 inappropriateAuthentication
 mixin
 suders
 syntaxOID
 olcTLSCACertificateFile
 IGJlZ
+userPrincipalName
 TLSCipherSuite
 auditlog
 runningslapd
@@ -1059,6 +1088,7 @@ searchResultEntry
 PIII
 olcDbShmKey
 substr
+testsaslauthd
 reqRespControls
 XXXXXXXXXX
 MANSECT
@@ -1081,6 +1111,7 @@ dcObject
 supportedControl
 addprinc
 logbase
+oMxg
 filterlist
 generalizedTimeMatch
 Google
@@ -1204,6 +1235,7 @@ lucyB
 entryUUIDs
 reqEntries
 sockbuf
+wrongpassword
 olcSaslSecprops
 olcSaslSecProps
 dnSubtreeMatch
@@ -1296,6 +1328,7 @@ SMTP
 srvtab
 ldapadd
 sprintf
+spasswd
 monitorCounterObject
 Instanstantiation
 olcDbConfig
@@ -1362,6 +1395,7 @@ argsfile
 attrvalue
 deallocate
 msgid
+ilOzQ
 modulepath
 logfile
 Supr
@@ -1513,6 +1547,7 @@ ABNF
 dnpattern
 perror
 MSSQL
+VUld
 SmVuc
 ACIs
 errmsgp
@@ -1552,8 +1587,8 @@ wBDARESEhgVG
 multi
 aaa
 ldaprc
-updatedn
 UpdateDN
+updatedn
 LDAPBASE
 LDAPAPIFeatureInfo
 authzTo
@@ -1593,7 +1628,8 @@ ber
 slimit
 ali
 attributeoptions
+BfQ
 uidNumber
-CAs
 CA's
+CAs
 namingContext
diff --git a/doc/guide/admin/security.sdf b/doc/guide/admin/security.sdf
index 45d842008e..bb7a39aa58 100644
--- a/doc/guide/admin/security.sdf
+++ b/doc/guide/admin/security.sdf
@@ -58,7 +58,8 @@ to the server. For example, the {{host_options}}(5) rule: allows only incoming connections from the private network {{F:10.0.0.0}} and localhost ({{F:127.0.0.1}}) to access the directory service.
-Note that IP addresses are used as {{slapd}}(8) is not normally
+
+Note: IP addresses are used as {{slapd}}(8) is not normally
 configured to perform reverse lookups. It is noted that TCP wrappers require the connection to be accepted.
@@ -127,10 +128,11 @@ requested by providing a valid name and password. An anonymous bind results in an {{anonymous}} authorization association. Anonymous bind mechanism is enabled by default, but can be disabled by specifying "{{EX:disallow bind_anon}}" in
-{{slapd.conf}}(5). Note that disabling the anonymous bind mechanism
-does not prevent anonymous access to the directory. To require
-authentication to access the directory, one should instead
-specify "{{EX:require authc}}".
+{{slapd.conf}}(5).
+
+Note: Disabling the anonymous bind mechanism does not prevent
+anonymous access to the directory. To require authentication to
+access the directory, one should instead specify "{{EX:require authc}}".
 An unauthenticated bind also results in an {{anonymous}} authorization association. Unauthenticated bind mechanism is disabled by default,
@@ -158,19 +160,19 @@ binds to use encryption of DES equivalent or better. The user/password authenticated bind mechanism can be completely disabled by setting "{{EX:disallow bind_simple}}".
-Note: An unsuccessful bind always results in the session having
+Note: An unsuccessful bind always results in the session having
 an {{anonymous}} authorization association. H3: SASL method The LDAP {{TERM:SASL}} method allows the use of any SASL authentication
-mechanism. The {{SECT:Using SASL}} section discusses the use of SASL.
+mechanism. The {{SECT:Using SASL}} section discusses the use of SASL.
 H2: Password Storage LDAP passwords are normally stored in the {{userPassword}} attribute.
-RFC4519 specifies that passwords are not stored in encrypted form,
+{{REF:RFC4519}} specifies that passwords are not stored in encrypted form,
 but this can create an unwanted security exposure so {{slapd}} provides several options for the administrator to choose from.
@@ -183,7 +185,7 @@ on the value, so a Unix {{crypt}}-style password might look like this: > userPassword: {CRYPT}.7D8U/PCF00Hw
-In general is is safest to store passwords in a salted hashed format
+In general, it is safest to store passwords in a salted hashed format
 like SSHA. This makes it very hard for an attacker to derive passwords from stolen backups or by obtaining access to the on-disk {{slapd}} database.
@@ -215,6 +217,10 @@ transferred to or from an existing Unix password file without having to know the cleartext form. Both forms of {{crypt}} include salt so they have some resistance to dictionary attacks.
+
+Note: Since this scheme uses the operation system's {{crypt(3)}} hash function,
+it is therefore operation system specific.
+
 H3: MD5 password storage scheme This scheme simply takes the MD5 hash of the password and stores it in
@@ -247,7 +253,7 @@ of salt leaves the scheme exposed to dictionary attacks. H3: SSHA password storage scheme This is the salted version of the SHA scheme. It is believed to be the
-most secure password storage sheme supported by {{slapd}}.
+most secure password storage scheme supported by {{slapd}}.
 These values represent the same password:
@@ -260,18 +266,21 @@ This is not really a password storage scheme at all. It uses the value of the {{userPassword}} attribute to delegate password verification to another process. See below for more information.
-Note that this is not the same as using SASL to authenticate the LDAP
+Note: This is not the same as using SASL to authenticate the LDAP
 session. H3: KERBEROS password storage scheme This is not really a password storage scheme at all. It uses the value of the {{userPassword}} attribute to delegate password
-verification to Kerberos. Note that this is not the same as using
-Kerberos authentication of the LDAP session. This scheme could be said
-to defeat the advantages of Kerberos by causing the Kerberos password
-to be exposed to the {{slapd}} server (and possibly on the network as
-well).
+verification to Kerberos.
+
+Note: This is not the same as using Kerberos authentication of
+the LDAP session.
+
+This scheme could be said to defeat the advantages of Kerberos by
+causing the Kerberos password to be exposed to the {{slapd}} server
+(and possibly on the network as well).
 H2: Pass-Through authentication
@@ -285,10 +294,11 @@ server, another LDAP server, or anything supported by the PAM mechanism. The server must be built with the {{EX:--enable-spasswd}} configuration option to enable pass-through authentication.
-Note that this is not the same as using a SASL mechanism to
-authenticate the LDAP session. Pass-Through authentication works only
-with plaintext passwords, as used in the "simple bind" and "SASL
-PLAIN" authentication mechanisms.
+Note: This is not the same as using a SASL mechanism to
+authenticate the LDAP session.
+
+Pass-Through authentication works only with plaintext passwords, as
+used in the "simple bind" and "SASL PLAIN" authentication mechanisms.}}
 Pass-Through authentication is selective: it only affects users whose {{userPassword}} attribute has a value marked with the "{SASL}"
@@ -301,10 +311,12 @@ mechanism and are used to identify the account whose password is to be verified. This allows arbitrary mapping between entries in OpenLDAP and accounts known to the backend authentication service.
-Note that there is no support for changing passwords in the backend
-via {{slapd}}. It would be wise to use access control to prevent users
-from changing their passwords through LDAP where they have
-pass-through authentication enabled.
+Note: There is no support for changing passwords in the backend
+via {{slapd}}.
+
+It would be wise to use access control to prevent users from changing
+their passwords through LDAP where they have pass-through authentication
+enabled.
 H3: Configuring slapd to use an authentication provider
@@ -318,7 +330,7 @@ file to be considered is confusingly named {{slapd.conf}} and is typically found in the SASL library directory, often {{EX:/usr/lib/sasl2/slapd.conf}} This file governs the use of SASL when talking LDAP to {{slapd}} as well as the use of SASL backends for
-pass-through authentication. See {{EX:options.html}} in the Cyrus SASL
+pass-through authentication. See {{EX:options.html}} in the {{PRD:Cyrus SASL}}
 docs for full details. Here is a simple example for a server that will use {{saslauthd}} to verify passwords:
@@ -331,7 +343,7 @@ H3: Configuring saslauthd {{saslauthd}} is capable of using many different authentication services: see {{saslauthd(8)}} for details. A common requirement is to delegate some or all authentication to another LDAP server. Here is a
-sample {{EX:saslauthd.conf}} that uses AD:
+sample {{EX:saslauthd.conf}} that uses Microsoft Active Directory (AD):
 > ldap_servers: ldap://dc1.example.com/ ldap://dc2.example.com/ >
--
2.39.5
@@ -301,10 +311,12 @@ mechanism and are used to identify the account whose password is to be verified. This allows arbitrary mapping between entries in OpenLDAP and accounts known to the backend authentication service. -Note that there is no support for changing passwords in the backend -via {{slapd}}. It would be wise to use access control to prevent users -from changing their passwords through LDAP where they have -pass-through authentication enabled. +Note: There is no support for changing passwords in the backend +via {{slapd}}. + +It would be wise to use access control to prevent users from changing +their passwords through LDAP where they have pass-through authentication +enabled. H3: Configuring slapd to use an authentication provider @@ -318,7 +330,7 @@ file to be considered is confusingly named {{slapd.conf}} and is typically found in the SASL library directory, often {{EX:/usr/lib/sasl2/slapd.conf}} This file governs the use of SASL when talking LDAP to {{slapd}} as well as the use of SASL backends for -pass-through authentication. See {{EX:options.html}} in the Cyrus SASL +pass-through authentication. See {{EX:options.html}} in the {{PRD:Cyrus SASL}} docs for full details. Here is a simple example for a server that will use {{saslauthd}} to verify passwords: @@ -331,7 +343,7 @@ H3: Configuring saslauthd {{saslauthd}} is capable of using many different authentication services: see {{saslauthd(8)}} for details. A common requirement is to delegate some or all authentication to another LDAP server. Here is a -sample {{EX:saslauthd.conf}} that uses AD: +sample {{EX:saslauthd.conf}} that uses Microsoft Active Directory (AD): > ldap_servers: ldap://dc1.example.com/ ldap://dc2.example.com/ > -- 2.39.5