Formatting, spelling and Note: para styles.

2026-01-09 08:23:35 -05:00 · 2008-05-26 14:27:00 +00:00 · 2008-05-26 14:27:00 +00:00 · 0304049dfc
commit 0304049dfc
parent 23efb86d09
2 changed files with 114 additions and 66 deletions
--- a/doc/guide/admin/aspell.en.pws
+++ b/doc/guide/admin/aspell.en.pws
@ -1,12 +1,12 @@
-personal_ws-1.1 en 1598 
+personal_ws-1.1 en 1634 
 commonName
 bla
 Masarati
 subjectAltName
 api
 BhY
-olcSyncrepl
 olcSyncRepl
+olcSyncrepl
 adamsom
 adamson
 CER
@ -38,8 +38,8 @@ DIB
 dev
 reqNewSuperior
 librewrite
-memberOf
 memberof
+memberOf
 BSI
 updateref
 buf
@ -64,6 +64,7 @@ CRP
 postread
 csn
 xvfB
+checkpass
 neverDerefaliases
 dns
 DN's
@ -87,8 +88,8 @@ dlopen
 eng
 AttributeValue
 attributevalue
-EOF
 DUA
+EOF
 inputfile
 DSP
 refreshDone
@ -123,10 +124,10 @@ iff
 contextCSN
 auditModify
 auditSearch
-openldap
 OpenLDAP
-resultCode
+openldap
 resultcode
+resultCode
 sysconfig
 indices
 blen
@ -137,14 +138,17 @@ directoryString
 database's
 iscritical
 gss
+qbuaQ
 ZKKuqbEKJfKSXhUbHG
 invalidAttributeSyntax
 subtree
 Kartik
 newparent
+DkMTwBl
 memcalloc
 ing
 filtertype
+XKqkdPOmY
 regcomp
 ldapmodify
 includedir
@ -159,13 +163,13 @@ argv
 kdz
 notAllowedOnRDN
 hostport
-starttls
 StartTLS
+starttls
 ldb
 servercredp
 ldd
-ipv
 IPv
+ipv
 hyc
 joe
 bindmethods
@ -189,16 +193,16 @@ attrstyle
 directoryOperation
 creatorsName
 mem
-oldpasswdfile
 oldPasswdFile
+oldpasswdfile
 uniqueMember
 krb
 libpath
 acknowledgements
 jts
 createTimestamp
-LLL
 MIB
+LLL
 OpenSSL
 openssl
 LOF
@ -217,6 +221,7 @@ LDAPMatchingRule
 bool
 LRL
 CPPFLAGS
+yWpR
 schemadir
 desc
 lud
@ -232,14 +237,15 @@ oid
 msg
 attr
 caseExactOrderingMatch
+TmkzUAb
 Subbarao
 aeeiib
 oidlen
 submatches
-olc
 PEM
-PDU
+olc
 OLF
+PDU
 LDAPSchemaExtensionItem
 auth
 Pierangelo
@ -249,6 +255,7 @@ subdirectories
 OLP
 pwdPolicyChecker
 subst
+mux
 singleLevel
 cleartext
 numattrsets
@ -277,9 +284,9 @@ rdn
 wZFQrDD
 OTP
 olcSizeLimit
-pos
-sbi
 PRD
+sbi
+pos
 pre
 sudoadm
 stringal
@ -287,6 +294,7 @@ retoidp
 sdf
 efgh
 accesslog
+PSH
 sed
 cond
 qdescrs
@ -296,9 +304,10 @@ ldapmodrdn
 sel
 bvec
 TBC
+HtZhZS
 stringbv
-Sep
 SHA
+Sep
 ptr
 conn
 pwd
@ -315,8 +324,8 @@ myOID
 supportedSASLMechanism
 supportedSASLmechanism
 realnamingcontext
-SMD
 UCD
+SMD
 keytab
 portnumber
 uncached
@ -329,8 +338,8 @@ sasldb
 UCS
 searchDN
 keytbl
-tgz
 UDP
+tgz
 freemods
 prepend
 errText
@ -347,22 +356,22 @@ crit
 objectClassViolation
 ssf
 ldapfilter
-rwm
-TOC
 vec
+TOC
+rwm
 pwdChangedTime
 tls
 peernamestyle
 xpasswd
-tmp
 SRP
+tmp
 SSL
 dupbv
 CPUs
 SRV
 entrymods
-rwx
 sss
+rwx
 reqNewRDN
 nopresent
 rebindproc
@ -372,11 +381,13 @@ syncIdSet
 cron
 accesslevel
 accessor's
+czBJdDqS
 keyval
 alloc
 saslpasswd
 README
 maxentries
+QWGWZpj
 ttl
 undefinedAttributeType
 peercred
@ -417,10 +428,11 @@ memberURL
 sudoers
 pwdMaxFailure
 pseudorootdn
+MezRroT
 GDBM
 LIBRELEASE
-DSAs
 DSA's
+DSAs
 realloc
 booleanMatch
 compareTrue
@ -432,6 +444,7 @@ rwxrwxrwx
 al
 realself
 cd
+aQ
 ar
 olcDatabaseConfig
 de
@ -447,6 +460,7 @@ dn
 fG
 DS
 fi
+EO
 allmail
 du
 eq
@ -477,8 +491,8 @@ pwdMinLength
 iZ
 ldapdelete
 xyz
-RDBMs
 rdbms
+RDBMs
 extparam
 mk
 ng
@ -533,6 +547,7 @@ cacert
 notAllowedOnNonLeaf
 attrname
 olcTLSCipherSuite
+Xr
 x's
 xw
 octetStringMatch
@ -541,8 +556,8 @@ ZZ
 LDVERSION
 testAttr
 backend
-backend's
 backends
+backend's
 BerValues
 Solaris
 structs
@ -554,9 +569,9 @@ ostring
 policyDN
 testObject
 pwdMaxAge
-bindDn
-bindDN
 binddn
+bindDN
+bindDn
 distributedOperation
 schemachecking
 strvals
@ -588,6 +603,7 @@ serverctrls
 recursivegroup
 integerMatch
 moduledir
+BlpQmtczb
 dynstyle
 bindpw
 AUTHNAME
@ -598,14 +614,14 @@ IEEE
 regex
 SIGINT
 slappasswd
-errAbsObject
 errABsObject
+errAbsObject
 ldapexop
-objectidentifier
 objectIdentifier
+objectidentifier
 deallocators
-MirrorMode
 mirrormode
+MirrorMode
 loopDetect
 SIGHUP
 authMethodNotSupported
@ -622,8 +638,8 @@ filtercomp
 expr
 syntaxes
 memrealloc
-returnCode
 returncode
+returnCode
 OpenLDAP's
 exts
 bitstringa
@ -638,6 +654,7 @@ ietf
 olcSchemaConfig
 bitstrings
 bvalues
+hmev
 realdnattr
 attrpair
 affectsMultipleDSAs
@ -646,8 +663,8 @@ lastName
 lldap
 cachesize
 slapauth
-attributetype
 attributeType
+attributetype
 GSER
 olcDbNosync
 typedef
@ -664,14 +681,16 @@ monitoredObject
 TLSVerifyClient
 noidlen
 LDAPNOINIT
-pwdGraceAuthNLimit
 pwdGraceAuthnLimit
+pwdGraceAuthNLimit
 hnPk
+userpassword
 userPassword
 noanonymous
 LIBVERSION
 symas
 dcedn
+glibc
 sublevel
 chroot
 posixGroup
@ -682,12 +701,14 @@ frontend
 someotherdomain
 proxying
 organisations
+IMAP
 rewriteMap
 monitoredInfo
-modrdn
-ModRDN
 modrDN
+ModRDN
+modrdn
 HREF
+DQTxCYEApdUtNXGgdUac
 inline
 multiproxy
 reqSizeLimit
@ -698,8 +719,8 @@ reqReferral
 rlookups
 siiiib
 LTSTATIC
-timeLimitExceeded
 timelimitExceeded
+timeLimitExceeded
 XKYnrjvGT
 subtrees
 unixODBC
@ -711,8 +732,8 @@ reqDN
 dnstyle
 inet
 schemas
-pwdPolicySubEntry
 pwdPolicySubentry
+pwdPolicySubEntry
 reqId
 scanf
 olcBackend
@ -721,6 +742,7 @@ Arial
 init
 runtime
 onelevel
+YtNFk
 impl
 Autoconf
 stderr
@ -737,6 +759,7 @@ olcModuleList
 pwdSafeModify
 html
 multimaster
+GCmfuqEvm
 testrun
 rewriteEngine
 slapdindex
@ -751,8 +774,8 @@ POSIX
 pathname
 noSuchObject
 proxyOld
-berelement
 BerElement
+berelement
 sbiod
 plugin
 http
@ -762,8 +785,8 @@ ldbm
 numericStringSubstringsMatch
 internet
 storages
-whoami
 WhoAmI
+whoami
 criticality
 addBlanks
 logins
@ -772,6 +795,7 @@ dbnum
 operationsError
 homePhone
 testTwo
+BmIwN
 ldif
 entryAlreadyExists
 plaintext
@ -903,6 +927,7 @@ concat
 realanonymous
 invalue
 refreshOnly
+pwcheck
 filesystem
 Naur
 unwillingToPerform
@ -924,6 +949,7 @@ negttl
 logevels
 AAQSkZJRgABAAAAAQABAAD
 strcast
+aUihad
 failover
 constraintViolation
 cacheable
@ -968,6 +994,7 @@ basename
 groupOfUniqueNames
 DHAVE
 ludp
+oPdklp
 entryUUID
 ldapapiinfo
 SampleLDAP
@ -1013,12 +1040,14 @@ typeB
 nelems
 subord
 namingViolation
+PCOq
 inappropriateAuthentication
 mixin
 suders
 syntaxOID
 olcTLSCACertificateFile
 IGJlZ
+userPrincipalName
 TLSCipherSuite
 auditlog
 runningslapd
@ -1059,6 +1088,7 @@ searchResultEntry
 PIII
 olcDbShmKey
 substr
+testsaslauthd
 reqRespControls
 XXXXXXXXXX
 MANSECT
@ -1081,6 +1111,7 @@ dcObject
 supportedControl
 addprinc
 logbase
+oMxg
 filterlist
 generalizedTimeMatch
 Google
@ -1204,6 +1235,7 @@ lucyB
 entryUUIDs
 reqEntries
 sockbuf
+wrongpassword
 olcSaslSecprops
 olcSaslSecProps
 dnSubtreeMatch
@ -1296,6 +1328,7 @@ SMTP
 srvtab
 ldapadd
 sprintf
+spasswd
 monitorCounterObject
 Instanstantiation
 olcDbConfig
@ -1362,6 +1395,7 @@ argsfile
 attrvalue
 deallocate
 msgid
+ilOzQ
 modulepath
 logfile
 Supr
@ -1513,6 +1547,7 @@ ABNF
 dnpattern
 perror
 MSSQL
+VUld
 SmVuc
 ACIs
 errmsgp
@ -1552,8 +1587,8 @@ wBDARESEhgVG
 multi
 aaa
 ldaprc
-updatedn
 UpdateDN
+updatedn
 LDAPBASE
 LDAPAPIFeatureInfo
 authzTo
@ -1593,7 +1628,8 @@ ber
 slimit
 ali
 attributeoptions
+BfQ
 uidNumber
-CAs
 CA's
+CAs
 namingContext
--- a/doc/guide/admin/security.sdf
+++ b/doc/guide/admin/security.sdf
@ -58,7 +58,8 @@ to the server.  For example, the {{host_options}}(5) rule:

 allows only incoming connections from the private network {{F:10.0.0.0}}
 and localhost ({{F:127.0.0.1}}) to access the directory service.
-Note that IP addresses are used as {{slapd}}(8) is not normally
+
+Note: IP addresses are used as {{slapd}}(8) is not normally
 configured to perform reverse lookups.

 It is noted that TCP wrappers require the connection to be accepted.
@ -127,10 +128,11 @@ requested by providing a valid name and password.
 An anonymous bind results in an {{anonymous}} authorization
 association.  Anonymous bind mechanism is enabled by default, but
 can be disabled by specifying "{{EX:disallow bind_anon}}" in
-{{slapd.conf}}(5).  Note that disabling the anonymous bind mechanism
-does not prevent anonymous access to the directory.  To require
-authentication to access the directory, one should instead
-specify "{{EX:require authc}}".
+{{slapd.conf}}(5).  
+
+Note: Disabling the anonymous bind mechanism does not prevent 
+anonymous access to the directory. To require authentication to 
+access the directory, one should instead specify "{{EX:require authc}}".

 An unauthenticated bind also results in an {{anonymous}} authorization
 association.  Unauthenticated bind mechanism is disabled by default,
@ -158,19 +160,19 @@ binds to use encryption of DES equivalent or better.
 The user/password authenticated bind mechanism can be completely
 disabled by setting "{{EX:disallow bind_simple}}".

-Note:  An unsuccessful bind always results in the session having
+Note: An unsuccessful bind always results in the session having
 an {{anonymous}} authorization association.


 H3: SASL method

 The LDAP {{TERM:SASL}} method allows the use of any SASL authentication
-mechanism.  The {{SECT:Using SASL}} section discusses the use of SASL.
+mechanism. The {{SECT:Using SASL}} section discusses the use of SASL.

 H2: Password Storage

 LDAP passwords are normally stored in the {{userPassword}} attribute.
-RFC4519 specifies that passwords are not stored in encrypted form,
+{{REF:RFC4519}} specifies that passwords are not stored in encrypted form,
 but this can create an unwanted security exposure so {{slapd}} provides
 several options for the administrator to choose from.

@ -183,7 +185,7 @@ on the value, so a Unix {{crypt}}-style password might look like this:

 > userPassword: {CRYPT}.7D8U/PCF00Hw

-In general is is safest to store passwords in a salted hashed format
+In general, it is safest to store passwords in a salted hashed format
 like SSHA. This makes it very hard for an attacker to derive passwords
 from stolen backups or by obtaining access to the on-disk {{slapd}}
 database.
@ -215,6 +217,10 @@ transferred to or from an existing Unix password file without having
 to know the cleartext form. Both forms of {{crypt}} include salt so
 they have some resistance to dictionary attacks.

+
+Note: Since this scheme uses the operation system's {{crypt(3)}} hash function, 
+it is therefore operation system specific.
+
 H3: MD5 password storage scheme

 This scheme simply takes the MD5 hash of the password and stores it in
@ -247,7 +253,7 @@ of salt leaves the scheme exposed to dictionary attacks.
 H3: SSHA password storage scheme

 This is the salted version of the SHA scheme. It is believed to be the
-most secure password storage sheme supported by {{slapd}}.
+most secure password storage scheme supported by {{slapd}}.

 These values represent the same password:

@ -260,18 +266,21 @@ This is not really a password storage scheme at all. It uses the
 value of the {{userPassword}} attribute to delegate password
 verification to another process. See below for more information.

-Note that this is not the same as using SASL to authenticate the LDAP
+Note: This is not the same as using SASL to authenticate the LDAP
 session.

 H3: KERBEROS password storage scheme

 This is not really a password storage scheme at all. It uses the
 value of the {{userPassword}} attribute to delegate password
-verification to Kerberos. Note that this is not the same as using
-Kerberos authentication of the LDAP session. This scheme could be said
-to defeat the advantages of Kerberos by causing the Kerberos password
-to be exposed to the {{slapd}} server (and possibly on the network as
-well).
+verification to Kerberos. 
+
+Note: This is not the same as using Kerberos authentication of 
+the LDAP session.
+
+This scheme could be said to defeat the advantages of Kerberos by 
+causing the Kerberos password to be exposed to the {{slapd}} server 
+(and possibly on the network as well).

 H2: Pass-Through authentication

@ -285,10 +294,11 @@ server, another LDAP server, or anything supported by the PAM mechanism.
 The server must be built with the {{EX:--enable-spasswd}}
 configuration option to enable pass-through authentication.

-Note that this is not the same as using a SASL mechanism to
-authenticate the LDAP session. Pass-Through authentication works only
-with plaintext passwords, as used in the "simple bind" and "SASL
-PLAIN" authentication mechanisms.
+Note: This is not the same as using a SASL mechanism to
+authenticate the LDAP session.
+
+Pass-Through authentication works only with plaintext passwords, as 
+used in the "simple bind" and "SASL PLAIN" authentication mechanisms.}}

 Pass-Through authentication is selective: it only affects users whose
 {{userPassword}} attribute has a value marked with the "{SASL}"
@ -301,10 +311,12 @@ mechanism and are used to identify the account whose password is to be
 verified. This allows arbitrary mapping between entries in OpenLDAP
 and accounts known to the backend authentication service.

-Note that there is no support for changing passwords in the backend
-via {{slapd}}. It would be wise to use access control to prevent users
-from changing their passwords through LDAP where they have
-pass-through authentication enabled.
+Note: There is no support for changing passwords in the backend
+via {{slapd}}.
+
+It would be wise to use access control to prevent users from changing 
+their passwords through LDAP where they have pass-through authentication 
+enabled.


 H3: Configuring slapd to use an authentication provider
@ -318,7 +330,7 @@ file to be considered is confusingly named {{slapd.conf}} and is
 typically found in the SASL library directory, often
 {{EX:/usr/lib/sasl2/slapd.conf}} This file governs the use of SASL
 when talking LDAP to {{slapd}} as well as the use of SASL backends for
-pass-through authentication. See {{EX:options.html}} in the Cyrus SASL
+pass-through authentication. See {{EX:options.html}} in the {{PRD:Cyrus SASL}}
 docs for full details. Here is a simple example for a server that will
 use {{saslauthd}} to verify passwords:

@ -331,7 +343,7 @@ H3: Configuring saslauthd
 {{saslauthd}} is capable of using many different authentication
 services: see {{saslauthd(8)}} for details. A common requirement is to
 delegate some or all authentication to another LDAP server. Here is a
-sample {{EX:saslauthd.conf}} that uses AD:
+sample {{EX:saslauthd.conf}} that uses Microsoft Active Directory (AD):

 > ldap_servers: ldap://dc1.example.com/ ldap://dc2.example.com/
 >