From d0a77750fb1a53519cdf587d7746dfea7604e65d Mon Sep 17 00:00:00 2001 From: Kurt Zeilenga Date: Fri, 18 May 2001 02:45:46 +0000 Subject: [PATCH] Misc updates --- doc/guide/admin/intro.sdf | 3 +- doc/guide/admin/master.sdf | 3 + doc/guide/admin/preface.sdf | 8 ++- doc/guide/admin/quickstart.sdf | 19 ++--- doc/guide/admin/slapdconfig.sdf | 121 ++++++++++++++++---------------- doc/guide/plain.sdf | 4 +- doc/guide/preamble.sdf | 6 +- doc/guide/release/copyright.sdf | 2 +- 8 files changed, 86 insertions(+), 80 deletions(-) diff --git a/doc/guide/admin/intro.sdf b/doc/guide/admin/intro.sdf index 01d45a47bb..90debedd59 100644 --- a/doc/guide/admin/intro.sdf +++ b/doc/guide/admin/intro.sdf @@ -285,8 +285,7 @@ reasonable defaults, making your job much easier. {{slapd}} also has its limitations, of course. The main LDBM database backend does not handle range queries or negation queries -very well. These features and more will be coming in a future -release. +very well. H2: What is slurpd and what can it do? diff --git a/doc/guide/admin/master.sdf b/doc/guide/admin/master.sdf index 8772e6d565..c7a54b008a 100644 --- a/doc/guide/admin/master.sdf +++ b/doc/guide/admin/master.sdf @@ -33,6 +33,9 @@ PB: !include "config.sdf"; chapter PB: +!include "security.sdf"; chapter +PB: + !include "install.sdf"; chapter PB: diff --git a/doc/guide/admin/preface.sdf b/doc/guide/admin/preface.sdf index 6fc854954e..d95f2c1540 100644 --- a/doc/guide/admin/preface.sdf +++ b/doc/guide/admin/preface.sdf @@ -9,7 +9,7 @@ P1: Preface # document's copyright P2[notoc] Copyright -Copyright 1998-2000, The {{ORG[expand]OLF}}, {{All Rights Reserved}}. +Copyright 1998-2001, The {{ORG[expand]OLF}}, {{All Rights Reserved}}. Copyright 1992-1996, Regents of the {{ORG[expand]UM}}, {{All Rights Reserved}}. 
@@ -17,6 +17,7 @@ Copyright 1992-1996, Regents of the {{ORG[expand]UM}}, {{All Rights Reserved}}. P2[notoc] Scope of this Document This document provides a guide for installing OpenLDAP 2.1 Software +({{URL:http://www.openldap.org/software/}}) on {{TERM:UNIX}} (and UNIX-like) systems. The document is aimed at experienced system administrators but who may not have prior experience operating {{TERM:LDAP}}-based directory software. @@ -44,8 +45,9 @@ The {{ORG[expand]OLP}} is comprised of a team of volunteers. This document would not be possible without their contribution of time and energy. The OpenLDAP Project would also like to thank the {{ORG[expand]UMLDAP}} -for building the foundation of LDAP software and information -to which OpenLDAP Software is built upon. +for building the foundation of LDAP software and information to +which OpenLDAP Software is built upon. This document is based upon +U-Mich LDAP document: {{The SLAPD and SLURPD Administrators Guide}}. P2[notoc] Amendments diff --git a/doc/guide/admin/quickstart.sdf b/doc/guide/admin/quickstart.sdf index d785a13515..29c01a52ec 100644 --- a/doc/guide/admin/quickstart.sdf +++ b/doc/guide/admin/quickstart.sdf @@ -1,5 +1,5 @@ # $OpenLDAP$ -# Copyright 1999-2000, The OpenLDAP Foundation, All Rights Reserved. +# Copyright 1999-2001, The OpenLDAP Foundation, All Rights Reserved. # COPYING RESTRICTIONS APPLY, see COPYRIGHT. H1: A Quick-Start Guide 
@@ -17,9 +17,10 @@ OpenLDAP Software FAQ). If you intend to run OpenLDAP seriously, you should review the all of this document before attempt to install the software. -Note: This quick start guide does not use strong authentication nor -any privacy and integrity protection services. These services are -described in other chapters of the OpenLDAP Administrator's Guide. +Note: This quick start guide does not use strong authentication +nor any integrity or confidential protection services. These +services are described in other chapters of the OpenLDAP Administrator's +Guide. .{{S: }} @@ -265,10 +266,12 @@ backend arrangements, etc. Note that by default, the {{slapd}}(8) database grants {{read access to everybody}} excepting the {{super-user}} (as specified by the -{{EX:rootdn}} configuration directive). It is highly recommended that -you establish controls to restrict access to authorized users. Access -controls are discussed in the {{SECT:Access Control}} section of the -{{SECT:The slapd Configuration File}} chapter. +{{EX:rootdn}} configuration directive). It is highly recommended +that you establish controls to restrict access to authorized users. +Access controls are discussed in the {{SECT:Access Control}} section +of the {{SECT:The slapd Configuration File}} chapter. You are also +encouraged to read {{SECT:Security Considerations}}, {{SECT:Using +SASL}} and {{SECT:Using TLS}} sections. The following chapters provide more detailed information on making, installing, and running {{slapd}}(8). diff --git a/doc/guide/admin/slapdconfig.sdf b/doc/guide/admin/slapdconfig.sdf index a97f1117cc..c34f63ba2c 100644 --- a/doc/guide/admin/slapdconfig.sdf +++ b/doc/guide/admin/slapdconfig.sdf 
@@ -663,36 +663,35 @@ to grant specific permissions. H3: Access Control Evaluation -When evaluating whether some requester should be given -access to an entry and/or attribute, slapd compares the entry -and/or attribute to the {{EX:}} selectors given in the -configuration file. Access directives local to the current -database are examined first, followed by global access -directives. Within this priority, access directives are -examined in the order in which they appear in the config file. -Slapd stops with the first {{EX:}} selector that matches the -entry and/or attribute. The corresponding access directive is -the one slapd will use to evaluate access. - -Next, slapd compares the entity requesting access to the -{{EX:}} selectors within the access directive selected above -in the order in which they appear. It stops with the first {{EX:}} -selector that matches the requester. This determines the -access the entity requesting access has to the entry and/or -attribute. +When evaluating whether some requester should be given access to +an entry and/or attribute, slapd compares the entry and/or attribute +to the {{EX:}} selectors given in the configuration file. +For each entry, access control provided in the database which holds +the entry (or the first database if not held in any database) apply +first, followed by the global access directivies. Within this +priority, access directives are examined in the order in which they +appear in the config file. Slapd stops with the first {{EX:}} +selector that matches the entry and/or attribute. The corresponding +access directive is the one slapd will use to evaluate access. + +Next, slapd compares the entity requesting access to the {{EX:}} +selectors within the access directive selected above in the order +in which they appear. It stops with the first {{EX:}} selector +that matches the requester. This determines the access the entity +requesting access has to the entry and/or attribute. 
Finally, slapd compares the access granted in the selected -{{EX:}} clause to the access requested by the client. If it -allows greater or equal access, access is granted. Otherwise, +{{EX:}} clause to the access requested by the client. If +it allows greater or equal access, access is granted. Otherwise, access is denied. -The order of evaluation of access directives makes their -placement in the configuration file important. If one access -directive is more specific than another in terms of the entries -it selects, it should appear first in the config file. Similarly, if -one {{EX:}} selector is more specific than another it should -come first in the access directive. The access control -examples given below should help make this clear. +The order of evaluation of access directives makes their placement +in the configuration file important. If one access directive is +more specific than another in terms of the entries it selects, it +should appear first in the config file. Similarly, if one {{EX:}} +selector is more specific than another it should come first in the +access directive. The access control examples given below should +help make this clear. @@ -809,10 +808,9 @@ means that queries not local to one of the databases defined below will be referred to the LDAP server running on the standard port (389) at the host {{EX:root.openldap.org}}. -Line 4 is a global access control. It is used only if -no database access controls match or when the target -objects are not under the control of any database (such as -the Root DSE). +Line 4 is a global access control. It applies to all +entries (after any applicable database-specific access +controls). The next section of the configuration file defines an LDBM backend that will handle queries for things in the 
@@ -851,40 +849,41 @@ E: 30. by self write E: 31. by dn="cn=Admin,dc=example,dc=com" write E: 32. by * read -Line 5 is a comment. The start of the database definition is -marked by the database keyword on line 6. Line 7 specifies -the DN suffix for queries to pass to this database. Line 8 -specifies the directory in which the database files will live. +Line 5 is a comment. The start of the database definition is marked +by the database keyword on line 6. Line 7 specifies the DN suffix +for queries to pass to this database. Line 8 specifies the directory +in which the database files will live. -Lines 9 and 10 identify the database "super user" entry and -associated password. This entry is not subject to access -control or size or time limit restrictions. +Lines 9 and 10 identify the database "super user" entry and associated +password. This entry is not subject to access control or size or +time limit restrictions. Lines 11 through 18 are for replication. Line 11 specifies the -replication log file (where changes to the database are logged -\- this file is written by slapd and read by slurpd). Lines 12 -through 14 specify the hostname and port for a replicated -host, the DN to bind as when performing updates, the bind -method (simple) and the credentials (password) for the -binddn. Lines 15 through 18 specify a second replication site. -See the {{SECT:Replication with slurpd}} chapter for more -information on these directives. - -Lines 20 through 22 indicate the indexes to maintain for -various attributes. - -Lines 24 through 32 specify access control for entries in the -database. For all entries, the {{EX:userPassword}} attribute is -writable by the entry itself and by the "admin" entry. It may be -used for authentication/authorization purposes, but is otherwise -not readable. All other attributes are writable by the entry and -the "admin" entry, but may be read by authenticated users. 
- -The next section of the example configuration file defines -another LDBM database. This one handles queries involving -the {{EX:dc=example,dc=net}} subtree. Note that without -line 38, the read access would be allowed due to the -global access rule at line 4. +replication log file (where changes to the database are logged \- +this file is written by slapd and read by slurpd). Lines 12 through +14 specify the hostname and port for a replicated host, the DN to +bind as when performing updates, the bind method (simple) and the +credentials (password) for the binddn. Lines 15 through 18 specify +a second replication site. See the {{SECT:Replication with slurpd}} +chapter for more information on these directives. + +Lines 20 through 22 indicate the indexes to maintain for various +attributes. + +Lines 24 through 32 specify access control for entries in the this +database. As this is the first database, the controls also apply +to entries not held in any database (such as the Root DSE). For +all applicable entries, the {{EX:userPassword}} attribute is writable +by the entry itself and by the "admin" entry. It may be used for +authentication/authorization purposes, but is otherwise not readable. +All other attributes are writable by the entry and the "admin" +entry, but may be read by authenticated users. + +The next section of the example configuration file defines another +LDBM database. This one handles queries involving the +{{EX:dc=example,dc=net}} subtree. Note that without line 38, the +read access would be allowed due to the global access rule at line +4. E: 33. # ldbm definition for example.net E: 34. database ldbm diff --git a/doc/guide/plain.sdf b/doc/guide/plain.sdf index b3184b3e71..5668af150c 100644 --- a/doc/guide/plain.sdf +++ b/doc/guide/plain.sdf 
@@ -1,5 +1,5 @@ # $OpenLDAP$ -# Copyright 1999-2000, The OpenLDAP Foundation, All Rights Reserved. +# Copyright 1999-2001, The OpenLDAP Foundation, All Rights Reserved. # COPYING RESTRICTIONS APPLY, see COPYRIGHT. # template for plain documents @@ -12,7 +12,7 @@ !endmacro !macro HTML_FOOTER {{INLINE:}} -{{INLINE:______________
}} +{{INLINE:________________
}} [[c]] Copyright 2001, {{INLINE:OpenLDAP Foundation}}, {{EMAIL: info@OpenLDAP.org}} diff --git a/doc/guide/preamble.sdf b/doc/guide/preamble.sdf index e5f7003739..dfb4bb15bf 100644 --- a/doc/guide/preamble.sdf +++ b/doc/guide/preamble.sdf @@ -1,5 +1,5 @@ # $OpenLDAP$ -# Copyright 1999-2000, The OpenLDAP Foundation, All Rights Reserved. +# Copyright 1999-2001, The OpenLDAP Foundation, All Rights Reserved. # COPYING RESTRICTIONS APPLY, see COPYRIGHT. # @@ -53,7 +53,7 @@ !block inline; expand

-______________
+________________
© Copyright 2001, OpenLDAP Foundation, info@OpenLDAP.org
!endblock @@ -89,7 +89,7 @@ ______________
!block inline; expand

-______________
+________________
© Copyright 2001, OpenLDAP Foundation, info@OpenLDAP.org
!endblock diff --git a/doc/guide/release/copyright.sdf b/doc/guide/release/copyright.sdf index 06861cb2db..50e489f9ef 100644 --- a/doc/guide/release/copyright.sdf +++ b/doc/guide/release/copyright.sdf @@ -12,7 +12,7 @@ H1: OpenLDAP Software Copyright Notices H2: OpenLDAP Copyright Notice -[[copyright]] 1998-2000 The OpenLDAP Foundation, Redwood City, California, USA +[[copyright]] 1998-2001 The OpenLDAP Foundation, Redwood City, California, USA All rights reserved. Redistribution and use in source and binary forms are permitted -- 2.39.5
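Review bot: the new `!include "security.sdf"; chapter` line in the doc/guide/admin/master.sdf hunk references a file that this patch does not add (the diffstat lists eight files and none of them is security.sdf), so the guide build will break unless security.sdf is already in the tree or lands in the same commit. Add the new chapter to this patch or note the dependency in the commit message.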
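Review bot: in the quickstart.sdf hunk at @@ -17,9 the rewrapped note says "nor any integrity or confidential protection services"; the noun form "confidentiality protection services" is what parallels "integrity". The unchanged context line just above it ("you should review the all of this document before attempt to install") carries two grammar slips ("the all", "before attempt") that are cheap to fix while this paragraph is being rewritten.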
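Review bot: in the quickstart.sdf hunk at @@ -265,10 the added cross-reference splits a macro across a line break ("{{SECT:Using" at the end of one line and "SASL}}" at the start of the next); it is worth confirming the SDF macro parser accepts a newline inside {{SECT:...}}, and keeping "{{SECT:Using SASL}}" on one line avoids the question entirely. Also "encouraged to read {{SECT:Security Considerations}}, {{SECT:Using SASL}} and {{SECT:Using TLS}} sections" wants a "the" before the list.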
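Review bot: the Access Control Evaluation hunk in slapdconfig.sdf (@@ -663,36) has "directivies" for "directives", and "access control provided in the database which holds the entry ... apply first" needs "applies" (or "access controls ... apply"). The bigger problem is that every {{EX:}} macro in both paragraphs is empty, in the removed lines as well as the added ones, so the rendered guide will read "compares the entry and/or attribute to the selectors" and then "compares the entity requesting access to the selectors" with no selector named; since the whole point of the section is that one selector is matched against the entry and a different one against the requester, the selector names from the access directive syntax need to be filled in. Finally, "(or the first database if not held in any database)" is a new statement about slapd behaviour that replaces the old text's "when the target objects are not under the control of any database"; it is consistent with the later hunk on lines 24 through 32, but please confirm it against the ACL code before documenting it, since it decides which rules protect the Root DSE.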
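Review bot: in the slapdconfig.sdf hunk at @@ -809,10 the new sentence "It applies to all entries (after any applicable database-specific access controls)" is looser than the evaluation section, which says slapd stops at the first matching selector. Suggest "It is consulted only when no database-specific access directive matches the entry", so readers do not take the global "by * read" on line 4 to be evaluated in addition to a matching database rule; the later remark that line 38 is what stops the global rule from granting read access to the example.net tree depends on exactly this ordering.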
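Review bot: in the slapdconfig.sdf hunk at @@ -851,40 "entries in the this database" has a doubled article. The added sentence "As this is the first database, the controls also apply to entries not held in any database (such as the Root DSE)" matches the rewritten evaluation section, but it makes the Root DSE's protection depend on the order of database definitions in slapd.conf; a short explicit caveat that reordering the database sections changes which access directives govern the Root DSE would save administrators an unpleasant surprise.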
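Review bot: in the preface.sdf hunk at @@ -44,8 the rewrapped line keeps the doubled preposition "to which OpenLDAP Software is built upon"; "upon which OpenLDAP Software is built" reads cleanly. The new sentence "This document is based upon U-Mich LDAP document: {{The SLAPD and SLURPD Administrators Guide}}" is missing an article ("the U-Mich LDAP document"), and the title should carry the possessive ("Administrator's" or "Administrators'") to match "OpenLDAP Administrator's Guide" as used in quickstart.sdf.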
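Review bot: the plain.sdf and preamble.sdf hunks only lengthen the footer rule, while the footer text they sit next to still reads "Copyright 2001" and the file headers in this same patch are bumped to "1999-2001" (and copyright.sdf to "1998-2001"). If the rendered footer is meant to agree with the notices, update it in the same change.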