From 1b635156ab6a496efb57138ea1f0cfbca888dfbb Mon Sep 17 00:00:00 2001 From: Kurt Zeilenga Date: Fri, 6 Oct 2000 21:16:36 +0000 Subject: [PATCH] s/saslregex/sasl-regex/ Other minor updates --- doc/man/man5/slapd.conf.5 | 118 ++++++++++++++++++-------------------- servers/slapd/config.c | 4 +- 2 files changed, 59 insertions(+), 63 deletions(-) diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5 index bd36aca34d..039356364f 100644 --- a/doc/man/man5/slapd.conf.5 +++ b/doc/man/man5/slapd.conf.5 @@ -235,13 +235,6 @@ in place of the numeric OID in objectclass and attribute definitions. The name can also be used with a suffix of the form ":xx" in which case the value "oid.xx" will be used. .TP -.B pidfile -The ( absolute ) name of a file that will hold the -.B slapd -server's process ID ( see -.BR getpid (2) -) if started without the debugging command line option. -.TP .B password-hash The to use for userPassword generation. One of .BR {SSHA} , @@ -256,6 +249,13 @@ and The default is .BR {SSHA} . .TP +.B pidfile +The ( absolute ) name of a file that will hold the +.B slapd +server's process ID ( see +.BR getpid (2) +) if started without the debugging command line option. +.TP .B referral Specify the referral to pass back when .BR slapd (8) @@ -288,54 +288,10 @@ set conditions within a particular database). .B sasl-host Used to specify the fully qualified domain name used for SASL processing. .TP -.B sasl-realm -Used to specify Cyrus SASL realm. -.TP -.B sasl-secprops -Used to specify Cyrus SASL security properties. -The -.B none -flag (without any other properities) causes the flag properites -defaults ("noanonymous,noplain") to be cleared. -The -.B noplain -flag disables mechanisms susceptible to simple passive attacks. -The -.B noactive -flag disables mechanisms susceptible to active attacks. -The -.B nodict -flag disables mechanisms susceptible to passive dictionary attacks. -The -.B noanonyous -flag disables mechanisms which support anonymous login. -The -.B forwardsec -flag require forward secrecy between sessions. -The -.B passcred -require mechanisms which pass client credentials (and allow -mechanisms which can pass credentials to do so). -The -.B minssf= -property specifies the minimum acceptable -.I security strength factor -as an integer approximate to effective key length used for -encryption. 0 (zero) implies no protection, 1 implies integrity -protection only, 56 allows DES or other weak ciphers, 112 -allows triple DES and other strong ciphers, 128 allows RC4, -Blowfish and other modern strong ciphers. The default is 0. -The -.B maxssf= -property specifies the maximum acceptable -.I security strength factor -as an integer (see minssf description). The default is INT_MAX. -The -.B maxbufsize= -property specifies the maximum security layer receive buffer -size allowed. 0 disables security layers. The default is 65536. +.B sasl-realm +Specify SASL realm. Default is empty. .TP -.B saslregexp +.B sasl-regexp Used by the SASL authorization mechanism to convert a SASL authenticated username to an LDAP DN. When an authorization request is received, the SASL .B USERNAME, REALM, @@ -360,7 +316,7 @@ regular expression that are enclosed in parenthesis, e.g. .RS .RS .TP -.B uid=(.*)+realm=.* +.B uid=(.*)\\\\+realm=.* .RE .RE @@ -381,7 +337,7 @@ The replaced SASL name can be either a DN or an LDAP URI. If the latter, the sla server will use the URI to search its own database, and if the search returns exactly one entry, the SASL name is replaced by the DN of that entry. Multiple -.B saslregexp +.B sasl-regexp options can be given in the configuration file to allow for multiple matching and replacement patterns. The matching patterns are checked in the order they appear in the file, stopping at the first successful match. @@ -392,6 +348,50 @@ and it will appear in SASL names that include a REALM, be careful to escape the plus sign with a double backslash \\\\+ to remove the character's special meaning. .RE .TP +.B sasl-secprops +Used to specify Cyrus SASL security properties. +The +.B none +flag (without any other properities) causes the flag properites +default, "noanonymous,noplain", to be cleared. +The +.B noplain +flag disables mechanisms susceptible to simple passive attacks. +The +.B noactive +flag disables mechanisms susceptible to active attacks. +The +.B nodict +flag disables mechanisms susceptible to passive dictionary attacks. +The +.B noanonyous +flag disables mechanisms which support anonymous login. +The +.B forwardsec +flag require forward secrecy between sessions. +The +.B passcred +require mechanisms which pass client credentials (and allow +mechanisms which can pass credentials to do so). +The +.B minssf= +property specifies the minimum acceptable +.I security strength factor +as an integer approximate to effective key length used for +encryption. 0 (zero) implies no protection, 1 implies integrity +protection only, 56 allows DES or other weak ciphers, 112 +allows triple DES and other strong ciphers, 128 allows RC4, +Blowfish and other modern strong ciphers. The default is 0. +The +.B maxssf= +property specifies the maximum acceptable +.I security strength factor +as an integer (see minssf description). The default is INT_MAX. +The +.B maxbufsize= +property specifies the maximum security layer receive buffer +size allowed. 0 disables security layers. The default is 65536. +.TP .B schemacheck { on | off } Turn schema checking on or off. The default is on. .TP @@ -446,12 +446,6 @@ Turn schema checking on or off. The default is on. Specify the maximum number of entries to return from a search operation. The default size limit is 500. .TP -.B sasl-realm -Specify SASL realm. Default is empty. -.TP -.B sasl-secprops -Cyrus SASL security properties. Default is "noanonymous,noplain". -.TP .B srvtab Specify the srvtab file in which the kerberos keys necessary for authenticating clients using kerberos can be found. This option is only diff --git a/servers/slapd/config.c b/servers/slapd/config.c index 992d5ff658..06f6425c73 100644 --- a/servers/slapd/config.c +++ b/servers/slapd/config.c @@ -313,7 +313,9 @@ read_config( const char *fname ) global_realm = ch_strdup( cargv[1] ); } - } else if ( !strcasecmp( cargv[0], "saslregexp" ) ) { + } else if ( !strcasecmp( cargv[0], "sasl-regexp" ) + || !strcasecmp( cargv[0], "saslregexp" ) ) + { int rc; if ( cargc != 3 ) { Debug( LDAP_DEBUG_ANY, -- 2.39.5