[deployment-guide/comm-rel: 663/727] Adjusted the markup a bit, so that I can work with it.

Jaromir Hradilek jhradile at fedoraproject.org
Tue Oct 19 13:21:28 UTC 2010


commit 9c20867bb8b308524a0fb02c9cd6b46fb9a30eb1
Author: Jaromir Hradilek <jhradile at redhat.com>
Date:   Thu Sep 16 11:10:36 2010 +0200

    Adjusted the markup a bit, so that I can work with it.

 .../Lightweight_Directory_Access_Protocol_LDAP.xml | 1159 ++++++++------------
 1 files changed, 443 insertions(+), 716 deletions(-)
---
diff --git a/en-US/Lightweight_Directory_Access_Protocol_LDAP.xml b/en-US/Lightweight_Directory_Access_Protocol_LDAP.xml
index 7c95f9b..10490cb 100644
--- a/en-US/Lightweight_Directory_Access_Protocol_LDAP.xml
+++ b/en-US/Lightweight_Directory_Access_Protocol_LDAP.xml
@@ -1,417 +1,240 @@
 <?xml version='1.0'?>
 <!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
 ]>
-<chapter
-  id="ch-Lightweight_Directory_Access_Protocol_LDAP">
+<chapter id="ch-Lightweight_Directory_Access_Protocol_LDAP">
   <title>Lightweight Directory Access Protocol (LDAP)</title>
-  <indexterm
-    significance="normal">
-    <primary>LDAP</primary>
-    <secondary>definition of</secondary>
-  </indexterm>
-  <indexterm
-    significance="normal">
-    <primary>Lightweight Directory Access Protocol</primary>
-    <see>LDAP</see>
-  </indexterm>
-  <indexterm
-    significance="normal">
-    <primary>OpenLDAP</primary>
-    <see>LDAP</see>
-  </indexterm>
-  <indexterm
-    significance="normal">
-    <primary>X.500</primary>
-    <see>LDAP</see>
-  </indexterm>
-  <indexterm
-    significance="normal">
-    <primary>X.500 Lite</primary>
-    <see>LDAP</see>
-  </indexterm>
-  <indexterm
-    significance="normal">
-    <primary>LDAP</primary>
-    <secondary>LDAPv2</secondary>
-  </indexterm>
-  <indexterm
-    significance="normal">
-    <primary>LDAP</primary>
-    <secondary>LDAPv3</secondary>
-  </indexterm>
-  <para>The <firstterm>Lightweight Directory Access Protocol</firstterm> (<firstterm>LDAP</firstterm>) is a set of open protocols used to access centrally stored information over a network. It is based on the <firstterm>X.500</firstterm> standard for directory sharing, but is less complex and resource-intensive. For this reason, LDAP is sometimes referred to as "<firstterm>X.500 Lite</firstterm>." The X.500 standard is a directory that contains hierarchical and categorized information, which could include information such as names, addresses, and phone numbers.</para>
-  <para>Like X.500, LDAP organizes information in a hierarchal manner using directories. These directories can store a variety of information and can even be used in a manner similar to the Network Information Service (NIS), enabling anyone to access their account from any machine on the LDAP enabled network.</para>
-  <para>In many cases, LDAP is used as a virtual phone directory, allowing users to easily access contact information for other users. But LDAP is more flexible than a traditional phone directory, as it is capable of referring a querent to other LDAP servers throughout the world, providing an ad-hoc global repository of information. Currently, however, LDAP is more commonly used within individual organizations, like universities, government departments, and private companies.</para>
-  <para>LDAP is a client/server system. The server can use a variety of databases to store a directory, each optimized for quick and copious read operations. When an LDAP client application connects to an LDAP server, it can either query a directory or attempt to modify it. In the event of a query, the server either answers the query locally, or it can refer the querent to an LDAP server which does have the answer. If the client application is attempting to modify information within an LDAP directory, the server verifies that the user has permission to make the change and then adds or updates the information.</para>
-  <para>This chapter refers to the configuration and use of OpenLDAP 2.0, an open source implementation of the LDAPv2 and LDAPv3 protocols.</para>
-  <section
-    id="s1-ldap-adv">
+  <para>
+    The <firstterm>Lightweight Directory Access Protocol</firstterm> (<firstterm>LDAP</firstterm>) is a set of open protocols used to access centrally stored information over a network. It is based on the <firstterm>X.500</firstterm> standard for directory sharing, but is less complex and resource-intensive. For this reason, LDAP is sometimes referred to as "<firstterm>X.500 Lite</firstterm>." The X.500 standard is a directory that contains hierarchical and categorized information, which could include information such as names, addresses, and phone numbers.
+  </para>
+  <para>
+    Like X.500, LDAP organizes information in a hierarchal manner using directories. These directories can store a variety of information and can even be used in a manner similar to the Network Information Service (NIS), enabling anyone to access their account from any machine on the LDAP enabled network.
+  </para>
+  <para>
+    In many cases, LDAP is used as a virtual phone directory, allowing users to easily access contact information for other users. But LDAP is more flexible than a traditional phone directory, as it is capable of referring a querent to other LDAP servers throughout the world, providing an ad-hoc global repository of information. Currently, however, LDAP is more commonly used within individual organizations, like universities, government departments, and private companies.
+  </para>
+  <para>
+    LDAP is a client/server system. The server can use a variety of databases to store a directory, each optimized for quick and copious read operations. When an LDAP client application connects to an LDAP server, it can either query a directory or attempt to modify it. In the event of a query, the server either answers the query locally, or it can refer the querent to an LDAP server which does have the answer. If the client application is attempting to modify information within an LDAP directory, the server verifies that the user has permission to make the change and then adds or updates the information.
+  </para>
+  <para>
+    This chapter refers to the configuration and use of OpenLDAP 2.0, an open source implementation of the LDAPv2 and LDAPv3 protocols.
+  </para>
+  <section id="s1-ldap-adv">
     <title>Why Use LDAP?</title>
-    <indexterm
-      significance="normal">
-      <primary>LDAP</primary>
-      <secondary>advantages of</secondary>
-    </indexterm>
-    <para>The main benefit of using LDAP is that information for an entire organization can be consolidated into a central repository. For example, rather than managing user lists for each group within an organization, LDAP can be used as a central directory accessible from anywhere on the network. And because LDAP supports Secure Sockets Layer (SSL) and Transport Layer Security (TLS), sensitive data can be protected from prying eyes.</para>
-    <para>LDAP also supports a number of back-end databases in which to store directories. This allows administrators the flexibility to deploy the database best suited for the type of information the server is to disseminate. Because LDAP also has a well-defined client Application Programming Interface (API), the number of LDAP-enabled applications are numerous and increasing in quantity and quality.</para>
-    <section
-      id="s1-ldap-v3">
+    <para>
+      The main benefit of using LDAP is that information for an entire organization can be consolidated into a central repository. For example, rather than managing user lists for each group within an organization, LDAP can be used as a central directory accessible from anywhere on the network. And because LDAP supports Secure Sockets Layer (SSL) and Transport Layer Security (TLS), sensitive data can be protected from prying eyes.
+    </para>
+    <para>
+      LDAP also supports a number of back-end databases in which to store directories. This allows administrators the flexibility to deploy the database best suited for the type of information the server is to disseminate. Because LDAP also has a well-defined client Application Programming Interface (API), the number of LDAP-enabled applications are numerous and increasing in quantity and quality.
+    </para>
+    <section id="s1-ldap-v3">
       <title>OpenLDAP Features</title>
-      <indexterm
-        significance="normal">
-        <primary>LDAP</primary>
-        <secondary>OpenLDAP features</secondary>
-      </indexterm>
-      <para>OpenLDAP includes a number of important features.</para>
+      <para>
+        OpenLDAP includes a number of important features.
+      </para>
       <itemizedlist>
         <listitem>
           <para>
-            <emphasis>LDAPv3 Support</emphasis> — OpenLDAP supports Simple Authentication and Security Layer (SASL), Transport Layer Security (TLS), and Secure Sockets Layer (SSL), among other improvements. Many of the changes in the protocol since LDAPv2 are designed to make LDAP more secure.</para>
+            <emphasis>LDAPv3 Support</emphasis> — OpenLDAP supports Simple Authentication and Security Layer (SASL), Transport Layer Security (TLS), and Secure Sockets Layer (SSL), among other improvements. Many of the changes in the protocol since LDAPv2 are designed to make LDAP more secure.
+          </para>
         </listitem>
         <listitem>
           <para>
-            <emphasis>IPv6 Support</emphasis> — OpenLDAP supports the next generation Internet Protocol version 6.</para>
+            <emphasis>IPv6 Support</emphasis> — OpenLDAP supports the next generation Internet Protocol version 6.
+          </para>
         </listitem>
         <listitem>
           <para>
-            <emphasis>LDAP Over IPC</emphasis> — OpenLDAP can communicate within a system using interprocess communication (IPC). This enhances security by eliminating the need to communicate over a network.</para>
+            <emphasis>LDAP Over IPC</emphasis> — OpenLDAP can communicate within a system using interprocess communication (IPC). This enhances security by eliminating the need to communicate over a network.
+          </para>
         </listitem>
         <listitem>
           <para>
-            <emphasis>Updated C API</emphasis> — Improves the way programmers can connect to and use LDAP directory servers.</para>
+            <emphasis>Updated C API</emphasis> — Improves the way programmers can connect to and use LDAP directory servers.
+          </para>
         </listitem>
         <listitem>
           <para>
-            <emphasis>LDIFv1 Support</emphasis> — Provides full compliance with the LDAP Data Interchange Format (LDIF) version 1.</para>
+            <emphasis>LDIFv1 Support</emphasis> — Provides full compliance with the LDAP Data Interchange Format (LDIF) version 1.
+          </para>
         </listitem>
         <listitem>
           <para>
-            <emphasis>Enhanced Stand-Alone LDAP Server</emphasis> — Includes an updated access control system, thread pooling, better tools, and much more.</para>
+            <emphasis>Enhanced Stand-Alone LDAP Server</emphasis> — Includes an updated access control system, thread pooling, better tools, and much more.
+          </para>
         </listitem>
       </itemizedlist>
     </section>
   </section>
-  <section
-    id="s1-ldap-terminology">
+  <section id="s1-ldap-terminology">
     <title>LDAP Terminology</title>
-    <indexterm
-      significance="normal">
-      <primary>LDAP</primary>
-      <secondary>terminology</secondary>
-    </indexterm>
-    <indexterm
-      significance="normal">
-      <primary>LDAP</primary>
-      <secondary>LDIF</secondary>
-      <tertiary>format of</tertiary>
-    </indexterm>
-    <para>Any discussion of LDAP requires a basic understanding of a set of LDAP-specific terms:</para>
+    <para>
+      Any discussion of LDAP requires a basic understanding of a set of LDAP-specific terms:
+    </para>
     <itemizedlist>
       <listitem>
         <para>
-          <firstterm>entry</firstterm> — A single unit within an LDAP directory. Each entry is identified by its unique <firstterm>Distinguished Name (DN)</firstterm>.</para>
+          <firstterm>entry</firstterm> — A single unit within an LDAP directory. Each entry is identified by its unique <firstterm>Distinguished Name (DN)</firstterm>.
+        </para>
       </listitem>
       <listitem>
         <para>
-          <firstterm>attributes</firstterm> — Information directly associated with an entry. For example, an organization could be represented as an LDAP entry. Attributes associated with the organization might include a fax number, an address, and so on. People can also be represented as entries in an LDAP directory, with common attributes such as the person's telephone number and email address.</para>
-        <para>Some attributes are required, while other attributes are optional. An <firstterm>objectclass</firstterm> definition sets which attributes are required for each entry. Objectclass definitions are found in various schema files, located in the <filename>/etc/openldap/schema/</filename> directory. For more information, refer to <xref
-            linkend="s1-ldap-files-schemas"/>.</para>
-        <para>The assertion of an attribute and its corresponding value is also referred to as a <firstterm>Relative Distinguished Name</firstterm> (RDN). An RDN is only unique per entry, whereas a DN is globally unique.</para>
+          <firstterm>attributes</firstterm> — Information directly associated with an entry. For example, an organization could be represented as an LDAP entry. Attributes associated with the organization might include a fax number, an address, and so on. People can also be represented as entries in an LDAP directory, with common attributes such as the person's telephone number and email address.
+        </para>
+        <para>
+          Some attributes are required, while other attributes are optional. An <firstterm>objectclass</firstterm> definition sets which attributes are required for each entry. Objectclass definitions are found in various schema files, located in the <filename>/etc/openldap/schema/</filename> directory. For more information, refer to <xref linkend="s1-ldap-files-schemas" />.
+        </para>
+        <para>
+          The assertion of an attribute and its corresponding value is also referred to as a <firstterm>Relative Distinguished Name</firstterm> (RDN). An RDN is only unique per entry, whereas a DN is globally unique.
+        </para>
       </listitem>
       <listitem>
         <para>
-          <firstterm>LDIF</firstterm> — The <firstterm>LDAP Data Interchange Format</firstterm> (LDIF) is an ASCII text representation of LDAP entries. Files used for importing data to LDAP servers must be in LDIF format. An LDIF entry looks similar to the following example:</para>
-        <screen>
-[&lt;<replaceable>id</replaceable>&gt;] dn: &lt;<replaceable>distinguished name</replaceable>&gt;
+          <firstterm>LDIF</firstterm> — The <firstterm>LDAP Data Interchange Format</firstterm> (LDIF) is an ASCII text representation of LDAP entries. Files used for importing data to LDAP servers must be in LDIF format. An LDIF entry looks similar to the following example:
+        </para>
+        <screen>[&lt;<replaceable>id</replaceable>&gt;] dn: &lt;<replaceable>distinguished name</replaceable>&gt;
 &lt;<replaceable>attrtype</replaceable>&gt;: &lt;<replaceable>attrvalue</replaceable>&gt;
 &lt;<replaceable>attrtype</replaceable>&gt;: &lt;<replaceable>attrvalue</replaceable>&gt;
-&lt;<replaceable>attrtype</replaceable>&gt;: &lt;<replaceable>attrvalue</replaceable>&gt;
-</screen>
-        <para>Each entry can contain as many <command>&lt;<replaceable>attrtype</replaceable>&gt;: &lt;<replaceable>attrvalue</replaceable>&gt;</command> pairs as needed. A blank line indicates the end of an entry.</para>
+&lt;<replaceable>attrtype</replaceable>&gt;: &lt;<replaceable>attrvalue</replaceable>&gt;</screen>
+        <para>
+          Each entry can contain as many <command>&lt;<replaceable>attrtype</replaceable>&gt;: &lt;<replaceable>attrvalue</replaceable>&gt;</command> pairs as needed. A blank line indicates the end of an entry.
+        </para>
         <warning>
           <title>Caution</title>
-          <para>All <command>&lt;<replaceable>attrtype</replaceable>&gt;</command> and <command>&lt;<replaceable>attrvalue</replaceable>&gt;</command> pairs <emphasis>must</emphasis> be defined in a corresponding schema file to use this information.</para>
+          <para>
+            All <command>&lt;<replaceable>attrtype</replaceable>&gt;</command> and <command>&lt;<replaceable>attrvalue</replaceable>&gt;</command> pairs <emphasis>must</emphasis> be defined in a corresponding schema file to use this information.
+          </para>
         </warning>
-        <para>Any value enclosed within a <command>&lt;</command> and a <command>&gt;</command> is a variable and can be set whenever a new LDAP entry is created. This rule does not apply, however, to <command>&lt;<replaceable>id</replaceable>&gt;</command>. The <command>&lt;<replaceable>id</replaceable>&gt;</command> is a number determined by the application used to edit the entry.</para>
+        <para>
+          Any value enclosed within a <command>&lt;</command> and a <command>&gt;</command> is a variable and can be set whenever a new LDAP entry is created. This rule does not apply, however, to <command>&lt;<replaceable>id</replaceable>&gt;</command>. The <command>&lt;<replaceable>id</replaceable>&gt;</command> is a number determined by the application used to edit the entry.
+        </para>
       </listitem>
     </itemizedlist>
   </section>
-  <section
-    id="s1-ldap-daemonsutils">
+  <section id="s1-ldap-daemonsutils">
     <title>OpenLDAP Daemons and Utilities</title>
-    <indexterm
-      significance="normal">
-      <primary>LDAP</primary>
-      <secondary>daemons</secondary>
-    </indexterm>
-    <indexterm
-      significance="normal">
-      <primary>LDAP</primary>
-      <secondary>applications</secondary>
-      <tertiary>utilities</tertiary>
-    </indexterm>
-    <indexterm
-      significance="normal">
-      <primary>LDAP</primary>
-      <secondary>applications</secondary>
-      <tertiary>OpenLDAP suite</tertiary>
-    </indexterm>
-    <indexterm
-      significance="normal">
-      <primary>
-        <command>slapd</command> command</primary>
-      <seealso>LDAP</seealso>
-    </indexterm>
-    <indexterm
-      significance="normal">
-      <primary>LDAP</primary>
-      <secondary>applications</secondary>
-      <tertiary>
-        <command>slapd</command>
-      </tertiary>
-    </indexterm>
-    <indexterm
-      significance="normal">
-      <primary>
-        <command>slurpd</command> command</primary>
-      <seealso>LDAP</seealso>
-    </indexterm>
-    <indexterm
-      significance="normal">
-      <primary>LDAP</primary>
-      <secondary>applications</secondary>
-      <tertiary>
-        <command>slurpd</command>
-      </tertiary>
-    </indexterm>
-    <indexterm
-      significance="normal">
-      <primary>
-        <command>slapadd</command> command</primary>
-      <seealso>LDAP</seealso>
-    </indexterm>
-    <indexterm
-      significance="normal">
-      <primary>LDAP</primary>
-      <secondary>applications</secondary>
-      <tertiary>
-        <command>slapadd</command>
-      </tertiary>
-    </indexterm>
-    <indexterm
-      significance="normal">
-      <primary>
-        <command>slapcat</command> command</primary>
-      <seealso>LDAP</seealso>
-    </indexterm>
-    <indexterm
-      significance="normal">
-      <primary>LDAP</primary>
-      <secondary>applications</secondary>
-      <tertiary>
-        <command>slapcat</command>
-      </tertiary>
-    </indexterm>
-    <indexterm
-      significance="normal">
-      <primary>
-        <command>slapindex</command> command</primary>
-      <seealso>LDAP</seealso>
-    </indexterm>
-    <indexterm
-      significance="normal">
-      <primary>LDAP</primary>
-      <secondary>applications</secondary>
-      <tertiary>
-        <command>slapindex</command>
-      </tertiary>
-    </indexterm>
-    <indexterm
-      significance="normal">
-      <primary>
-        <command>slappasswd</command> command</primary>
-      <seealso>LDAP</seealso>
-    </indexterm>
-    <indexterm
-      significance="normal">
-      <primary>LDAP</primary>
-      <secondary>applications</secondary>
-      <tertiary>
-        <command>slappasswd</command>
-      </tertiary>
-    </indexterm>
-    <indexterm
-      significance="normal">
-      <primary>
-        <command>ldapmodify</command> command</primary>
-      <seealso>LDAP</seealso>
-    </indexterm>
-    <indexterm
-      significance="normal">
-      <primary>LDAP</primary>
-      <secondary>applications</secondary>
-      <tertiary>
-        <command>ldapmodify</command>
-      </tertiary>
-    </indexterm>
-    <indexterm
-      significance="normal">
-      <primary>
-        <command>ldappasswd</command> command</primary>
-      <seealso>LDAP</seealso>
-    </indexterm>
-    <indexterm
-      significance="normal">
-      <primary>LDAP</primary>
-      <secondary>applications</secondary>
-      <tertiary>
-        <command>ldappasswd</command>
-      </tertiary>
-    </indexterm>
-    <indexterm
-      significance="normal">
-      <primary>
-        <command>ldapadd</command> command</primary>
-      <seealso>LDAP</seealso>
-    </indexterm>
-    <indexterm
-      significance="normal">
-      <primary>LDAP</primary>
-      <secondary>applications</secondary>
-      <tertiary>
-        <command>ldapadd</command>
-      </tertiary>
-    </indexterm>
-    <indexterm
-      significance="normal">
-      <primary>
-        <command>ldapsearch</command> command</primary>
-      <seealso>LDAP</seealso>
-    </indexterm>
-    <indexterm
-      significance="normal">
-      <primary>LDAP</primary>
-      <secondary>applications</secondary>
-      <tertiary>
-        <command>ldapsearch</command>
-      </tertiary>
-    </indexterm>
-    <indexterm
-      significance="normal">
-      <primary>
-        <command>ldapdelete</command> command</primary>
-      <seealso>LDAP</seealso>
-    </indexterm>
-    <indexterm
-      significance="normal">
-      <primary>LDAP</primary>
-      <secondary>applications</secondary>
-      <tertiary>
-        <command>ldapdelete</command>
-      </tertiary>
-    </indexterm>
-    <para>The suite of OpenLDAP libraries and tools are included within the following packages:</para>
+    <para>
+      The suite of OpenLDAP libraries and tools are included within the following packages:
+    </para>
     <itemizedlist>
       <listitem>
         <para>
-          <filename>openldap</filename> — Contains the libraries necessary to run the OpenLDAP server and client applications.</para>
+          <filename>openldap</filename> — Contains the libraries necessary to run the OpenLDAP server and client applications.
+        </para>
       </listitem>
       <listitem>
         <para>
-          <filename>openldap-clients</filename> — Contains command line tools for viewing and modifying directories on an LDAP server.</para>
+          <filename>openldap-clients</filename> — Contains command line tools for viewing and modifying directories on an LDAP server.
+        </para>
       </listitem>
       <listitem>
         <para>
-          <filename>openldap-servers</filename> — Contains the servers and other utilities necessary to configure and run an LDAP server.</para>
+          <filename>openldap-servers</filename> — Contains the servers and other utilities necessary to configure and run an LDAP server.
+        </para>
       </listitem>
     </itemizedlist>
-    <para>There are two servers contained in the <filename>openldap-servers</filename> package: the <firstterm>Standalone LDAP Daemon</firstterm> (<command>/usr/sbin/slapd</command>) and the <firstterm>Standalone LDAP Update Replication Daemon</firstterm> (<command>/usr/sbin/slurpd</command>).</para>
-    <para>The <command>slapd</command> daemon is the standalone LDAP server while the <command>slurpd</command> daemon is used to synchronize changes from one LDAP server to other LDAP servers on the network. The <command>slurpd</command> daemon is only used when dealing with multiple LDAP servers.</para>
-    <para>To perform administrative tasks, the <filename>openldap-servers</filename> package installs the following utilities into the <filename>/usr/sbin/</filename> directory:</para>
+    <para>
+      There are two servers contained in the <filename>openldap-servers</filename> package: the <firstterm>Standalone LDAP Daemon</firstterm> (<command>/usr/sbin/slapd</command>) and the <firstterm>Standalone LDAP Update Replication Daemon</firstterm> (<command>/usr/sbin/slurpd</command>).
+    </para>
+    <para>
+      The <command>slapd</command> daemon is the standalone LDAP server while the <command>slurpd</command> daemon is used to synchronize changes from one LDAP server to other LDAP servers on the network. The <command>slurpd</command> daemon is only used when dealing with multiple LDAP servers.
+    </para>
+    <para>
+      To perform administrative tasks, the <filename>openldap-servers</filename> package installs the following utilities into the <filename>/usr/sbin/</filename> directory:
+    </para>
     <itemizedlist>
       <listitem>
         <para>
-          <command>slapadd</command> — Adds entries from an LDIF file to an LDAP directory. For example, the command <command>/usr/sbin/slapadd -l <replaceable>ldif-input</replaceable>
-          </command> reads in the LDIF file, <filename><replaceable>ldif-input</replaceable>
-          </filename>, containing the new entries.</para>
+          <command>slapadd</command> — Adds entries from an LDIF file to an LDAP directory. For example, the command <command>/usr/sbin/slapadd -l <replaceable>ldif-input</replaceable></command> reads in the LDIF file, <filename><replaceable>ldif-input</replaceable></filename>, containing the new entries.
+        </para>
         <important>
           <title>Important</title>
-          <para>Only the root user may use <command>/usr/sbin/slapadd</command>. However, the directory server runs as the <filename>ldap</filename> user. Therefore the directory server is unable to modify any files created by <command>slapadd</command>. To correct this issue, after using <command>slapadd</command>, type the following command:</para>
+          <para>
+            Only the root user may use <command>/usr/sbin/slapadd</command>. However, the directory server runs as the <filename>ldap</filename> user. Therefore the directory server is unable to modify any files created by <command>slapadd</command>. To correct this issue, after using <command>slapadd</command>, type the following command:
+          </para>
           <screen>chown -R ldap /var/lib/ldap</screen>
         </important>
       </listitem>
       <listitem>
         <para>
-          <command>slapcat</command> — Pulls entries from an LDAP directory in the default format, <firstterm>Sleepycat Software's Berkeley DB</firstterm> system, and saves them in an LDIF file. For example, the command <command>/usr/sbin/slapcat -l <replaceable>ldif-output</replaceable>
-          </command> outputs an LDIF file called <filename><replaceable>ldif-output</replaceable>
-          </filename> containing the entries from the LDAP directory.</para>
+          <command>slapcat</command> — Pulls entries from an LDAP directory in the default format, <firstterm>Sleepycat Software's Berkeley DB</firstterm> system, and saves them in an LDIF file. For example, the command <command>/usr/sbin/slapcat -l <replaceable>ldif-output</replaceable></command> outputs an LDIF file called <filename><replaceable>ldif-output</replaceable></filename> containing the entries from the LDAP directory.
+        </para>
       </listitem>
       <listitem>
         <para>
-          <command>slapindex</command> — Re-indexes the <command>slapd</command> directory based on the current content. This tool should be run whenever indexing options within <filename>/etc/openldap/slapd.conf</filename> are changed.</para>
+          <command>slapindex</command> — Re-indexes the <command>slapd</command> directory based on the current content. This tool should be run whenever indexing options within <filename>/etc/openldap/slapd.conf</filename> are changed.
+        </para>
       </listitem>
       <listitem>
         <para>
-          <command>slappasswd</command> — Generates an encrypted user password value for use with <command>ldapmodify</command> or the <command>rootpw</command> value in the <command>slapd</command> configuration file, <filename>/etc/openldap/slapd.conf</filename>. Execute the <command>/usr/sbin/slappasswd</command> command to create the password.</para>
+          <command>slappasswd</command> — Generates an encrypted user password value for use with <command>ldapmodify</command> or the <command>rootpw</command> value in the <command>slapd</command> configuration file, <filename>/etc/openldap/slapd.conf</filename>. Execute the <command>/usr/sbin/slappasswd</command> command to create the password.
+        </para>
       </listitem>
     </itemizedlist>
     <warning>
       <title>Warning</title>
-      <para>You must stop <command>slapd</command> by issuing the <command>/sbin/service ldap stop</command> command before using <command>slapadd</command>, <command>slapcat</command> or <command>slapindex</command>. Otherwise, the integrity of the LDAP directory is at risk.</para>
+      <para>
+        You must stop <command>slapd</command> by issuing the <command>/sbin/service ldap stop</command> command before using <command>slapadd</command>, <command>slapcat</command> or <command>slapindex</command>. Otherwise, the integrity of the LDAP directory is at risk.
+      </para>
     </warning>
-    <para>For more information on using these utilities, refer to their respective man pages.</para>
-    <para>The <filename>openldap-clients</filename> package installs tools into <filename>/usr/bin/</filename> which are used to add, modify, and delete entries in an LDAP directory. These tools include the following:</para>
+    <para>
+      For more information on using these utilities, refer to their respective man pages.
+    </para>
+    <para>
+      The <filename>openldap-clients</filename> package installs tools into <filename>/usr/bin/</filename> which are used to add, modify, and delete entries in an LDAP directory. These tools include the following:
+    </para>
     <itemizedlist>
       <listitem>
         <para>
-          <command>ldapadd</command> — Adds entries to an LDAP directory by accepting input via a file or standard input; <command>ldapadd</command> is actually a hard link to <command>ldapmodify -a</command>.</para>
+          <command>ldapadd</command> — Adds entries to an LDAP directory by accepting input via a file or standard input; <command>ldapadd</command> is actually a hard link to <command>ldapmodify -a</command>.
+        </para>
       </listitem>
       <listitem>
         <para>
-          <command>ldapdelete</command> — Deletes entries from an LDAP directory by accepting user input at a shell prompt or via a file.</para>
+          <command>ldapdelete</command> — Deletes entries from an LDAP directory by accepting user input at a shell prompt or via a file.
+        </para>
       </listitem>
       <listitem>
         <para>
-          <command>ldapmodify</command> — Modifies entries in an LDAP directory, accepting input via a file or standard input.</para>
+          <command>ldapmodify</command> — Modifies entries in an LDAP directory, accepting input via a file or standard input.
+        </para>
       </listitem>
       <listitem>
         <para>
-          <command>ldappasswd</command> — Sets the password for an LDAP user.</para>
+          <command>ldappasswd</command> — Sets the password for an LDAP user.
+        </para>
       </listitem>
       <listitem>
         <para>
-          <command>ldapsearch</command> — Searches for entries in an LDAP directory using a shell prompt.</para>
+          <command>ldapsearch</command> — Searches for entries in an LDAP directory using a shell prompt.
+        </para>
       </listitem>
-			<!-- RHEL5:   ddomingo at redhat.com: new!			  -->
       <listitem>
         <para>
-          <command>ldapcompare</command> — Opens a connection to an LDAP server, binds, and performs a comparison using specified parameters.</para>
+          <command>ldapcompare</command> — Opens a connection to an LDAP server, binds, and performs a comparison using specified parameters.
+        </para>
       </listitem>
       <listitem>
         <para>
-          <command>ldapwhoami</command> — Opens a connection to an LDAP server, binds, and performs a <command>whoami</command> operation.</para>
+          <command>ldapwhoami</command> — Opens a connection to an LDAP server, binds, and performs a <command>whoami</command> operation.
+        </para>
       </listitem>
       <listitem>
         <para>
-          <command>ldapmodrdn</command> — Opens a connection to an LDAP server, binds, and modifies the RDNs of entries.</para>
+          <command>ldapmodrdn</command> — Opens a connection to an LDAP server, binds, and modifies the RDNs of entries.
+        </para>
       </listitem>
     </itemizedlist>
-    <para>With the exception of <command>ldapsearch</command>, each of these utilities is more easily used by referencing a file containing the changes to be made rather than typing a command for each entry to be changed within an LDAP directory. The format of such a file is outlined in the man page for each utility.</para>
-    <section
-      id="s2-ldap-pam-nss">
+    <para>
+      With the exception of <command>ldapsearch</command>, each of these utilities is more easily used by referencing a file containing the changes to be made rather than typing a command for each entry to be changed within an LDAP directory. The format of such a file is outlined in the man page for each utility.
+    </para>
+    <section id="s2-ldap-pam-nss">
       <title>NSS, PAM, and LDAP</title>
-      <indexterm
-        significance="normal">
-        <primary>LDAP</primary>
-        <secondary>using with NSS</secondary>
-      </indexterm>
-      <indexterm
-        significance="normal">
-        <primary>LDAP</primary>
-        <secondary>using with PAM</secondary>
-      </indexterm>
-      <para>In addition to the OpenLDAP packages, &MAJOROS; includes a package called <filename>nss_ldap</filename>, which enhances LDAP's ability to integrate into both Linux and other UNIX environments.</para>
-      <para>The <filename>nss_ldap</filename> package provides the following modules (where <replaceable>&lt;version&gt;</replaceable> refers to the version of <filename>libnss_ldap</filename> in use):</para>
+      <para>
+        In addition to the OpenLDAP packages, &MAJOROS; includes a package called <filename>nss_ldap</filename>, which enhances LDAP's ability to integrate into both Linux and other UNIX environments.
+      </para>
+      <para>
+        The <filename>nss_ldap</filename> package provides the following modules (where <replaceable>&lt;version&gt;</replaceable> refers to the version of <filename>libnss_ldap</filename> in use):
+      </para>
       <itemizedlist>
         <listitem>
           <para>
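Review bot: the two <indexterm> blocks removed under the "NSS, PAM, and LDAP" title (secondary terms "using with NSS" and "using with PAM") have no matching "+" lines, so the built guide loses those index entries. That is a content change, not the markup adjustment the commit message describes, and the same goes for the chapter-level <indexterm> entries removed at the top of this hunk. Either keep them in collapsed form, for example <indexterm><primary>LDAP</primary><secondary>using with NSS</secondary></indexterm>, or state in the commit message that the index is being dropped on purpose, so the removal can be reviewed separately from the whitespace reflow.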
@@ -437,399 +260,326 @@
           </para>
         </listitem>
       </itemizedlist>
-      <para>The <filename>libnss_ldap-<replaceable>&lt;version&gt;</replaceable>.so</filename> module allows applications to look up users, groups, hosts, and other information using an LDAP directory via the <firstterm>Nameservice Switch</firstterm> (NSS) interface of <command>glibc</command>. NSS allows applications to authenticate using LDAP in conjunction with the NIS name service and flat authentication files.</para>
-			<!-- RHEL5:  	ddomingo at redhat.com: above replaces below, less awkward
-			<para>The <filename>libnss_ldap-<replaceable>&lt;glibc-version&gt;</replaceable>.so</filename> module allows applications to look up users, groups, hosts, and other information using an LDAP directory via glibc's <firstterm>Nameservice
-				Switch</firstterm> (NSS) interface (replace <replaceable>&lt;glibc-version&gt;</replaceable> with the version of <filename>libnss_ldap</filename> in use). NSS allows applications to authenticate using LDAP in conjunction with the NIS
-				name service and flat authentication files.</para>
-			  -->
-      <para>The <filename>pam_ldap</filename> module allows PAM-aware applications to authenticate users using information stored in an LDAP directory. PAM-aware applications include console login, POP and IMAP mail servers, and Samba. By deploying an LDAP server on a network, all of these applications can authenticate using the same user ID and password combination, greatly simplifying administration.</para>
       <para>
-				For more information about configuring PAM, refer to refer to the <citetitle pubwork="chapter">Pluggable Authentication Modules (PAM)</citetitle> chapter of the &MAJOROSVER; 6 <citetitle>Security Guide</citetitle> and the PAM man pages.</para>
+        The <filename>libnss_ldap-<replaceable>&lt;version&gt;</replaceable>.so</filename> module allows applications to look up users, groups, hosts, and other information using an LDAP directory via the <firstterm>Nameservice Switch</firstterm> (NSS) interface of <command>glibc</command>. NSS allows applications to authenticate using LDAP in conjunction with the NIS name service and flat authentication files.
+      </para>
+      <para>
+        The <filename>pam_ldap</filename> module allows PAM-aware applications to authenticate users using information stored in an LDAP directory. PAM-aware applications include console login, POP and IMAP mail servers, and Samba. By deploying an LDAP server on a network, all of these applications can authenticate using the same user ID and password combination, greatly simplifying administration.
+      </para>
+      <para>
+        For more information about configuring PAM, refer to refer to the <citetitle pubwork="chapter">Pluggable Authentication Modules (PAM)</citetitle> chapter of the &MAJOROSVER; 6 <citetitle>Security Guide</citetitle> and the PAM man pages.
+      </para>
     </section>
-    <section
-      id="s2-ldap-other-apps">
+    <section id="s2-ldap-other-apps">
       <title>PHP4, LDAP, and the Apache HTTP Server</title>
-      <indexterm
-        significance="normal">
-        <primary>LDAP</primary>
-        <secondary>using with Apache HTTP Server</secondary>
-      </indexterm>
-      <indexterm
-        significance="normal">
-        <primary>LDAP</primary>
-        <secondary>using with PHP4</secondary>
-      </indexterm>
-      <para>&MAJOROS; includes a package containing an LDAP module for the PHP server-side scripting language.</para>
-      <para>The <filename>php-ldap</filename> package adds LDAP support to the PHP4 HTML-embedded scripting language via the <filename>/usr/lib/php4/ldap.so</filename> module. This module allows PHP4 scripts to access information stored in an LDAP directory.</para>
-      <para>&MAJOROS; ships with the <filename>mod_authz_ldap</filename> module for the Apache HTTP Server. This module uses the short form of the distinguished name for a subject and the issuer of the client SSL certificate to determine the distinguished name of the user within an LDAP directory. It is also capable of authorizing users based on attributes of that user's LDAP directory entry, determining access to assets based on the user and group privileges of the asset, and denying access for users with expired passwords. The <filename>mod_ssl</filename> module is required when using the <filename>mod_authz_ldap</filename> module.</para>
+      <para>
+        &MAJOROS; includes a package containing an LDAP module for the PHP server-side scripting language.
+      </para>
+      <para>
+        The <filename>php-ldap</filename> package adds LDAP support to the PHP4 HTML-embedded scripting language via the <filename>/usr/lib/php4/ldap.so</filename> module. This module allows PHP4 scripts to access information stored in an LDAP directory.
+      </para>
+      <para>
+        &MAJOROS; ships with the <filename>mod_authz_ldap</filename> module for the Apache HTTP Server. This module uses the short form of the distinguished name for a subject and the issuer of the client SSL certificate to determine the distinguished name of the user within an LDAP directory. It is also capable of authorizing users based on attributes of that user's LDAP directory entry, determining access to assets based on the user and group privileges of the asset, and denying access for users with expired passwords. The <filename>mod_ssl</filename> module is required when using the <filename>mod_authz_ldap</filename> module.
+      </para>
       <important>
         <title>Important</title>
-        <para>The <filename>mod_authz_ldap</filename> module does not authenticate a user to an LDAP directory using an encrypted password hash. This functionality is provided by the experimental <filename>mod_auth_ldap</filename> module, which is not included with &MAJOROS;. Refer to the Apache Software Foundation website online at <ulink
-            url="http://www.apache.org/">http://www.apache.org/</ulink> for details on the status of this module.</para>
+        <para>
+          The <filename>mod_authz_ldap</filename> module does not authenticate a user to an LDAP directory using an encrypted password hash. This functionality is provided by the experimental <filename>mod_auth_ldap</filename> module, which is not included with &MAJOROS;. Refer to the Apache Software Foundation website online at <ulink url="http://www.apache.org/" /> for details on the status of this module.
+        </para>
       </important>
     </section>
-    <section
-      id="s2-ldap-applications">
+    <section id="s2-ldap-applications">
       <title>LDAP Client Applications</title>
-      <indexterm
-        significance="normal">
-        <primary>LDAP</primary>
-        <secondary>client applications</secondary>
-      </indexterm>
-      <para>There are graphical LDAP clients available which support creating and modifying directories, but they are <emphasis>not</emphasis> included with &MAJOROS;.</para>
-      <para>Other LDAP clients access directories as read-only, using them to reference, but not alter, organization-wide information. Some examples of such applications are Sendmail, <application>Mozilla</application>, <application>Ekiga</application>, and <application>Evolution</application>.</para>
+      <para>
+        There are graphical LDAP clients available which support creating and modifying directories, but they are <emphasis>not</emphasis> included with &MAJOROS;.
+      </para>
+      <para>
+        Other LDAP clients access directories as read-only, using them to reference, but not alter, organization-wide information. Some examples of such applications are Sendmail, <application>Mozilla</application>, <application>Ekiga</application>, and <application>Evolution</application>.
+      </para>
     </section>
   </section>
-  <section
-    id="s1-ldap-files">
+  <section id="s1-ldap-files">
     <title>OpenLDAP Configuration Files</title>
-    <indexterm
-      significance="normal">
-      <primary>LDAP</primary>
-      <secondary>configuration files</secondary>
-      <tertiary>
-        <filename>/etc/openldap/ldap.conf</filename>
-      </tertiary>
-    </indexterm>
-    <indexterm
-      significance="normal">
-      <primary>LDAP</primary>
-      <secondary>configuration files</secondary>
-      <tertiary>
-        <filename>/etc/openldap/slapd.conf</filename>
-      </tertiary>
-    </indexterm>
-    <indexterm
-      significance="normal">
-      <primary>LDAP</primary>
-      <secondary>configuration files</secondary>
-      <tertiary>
-        <filename>/etc/ldap.conf</filename>
-      </tertiary>
-    </indexterm>
-    <indexterm
-      significance="normal">
-      <primary>LDAP</primary>
-      <secondary>configuration files</secondary>
-      <tertiary>
-        <filename>/etc/openldap/schema/</filename> directory</tertiary>
-    </indexterm>
-    <para>OpenLDAP configuration files are installed into the <filename>/etc/openldap/</filename> directory. The following is a brief list highlighting the most important directories and files:</para>
+    <para>
+      OpenLDAP configuration files are installed into the <filename>/etc/openldap/</filename> directory. The following is a brief list highlighting the most important directories and files:
+    </para>
     <itemizedlist>
       <listitem>
         <para>
-          <filename>/etc/openldap/ldap.conf</filename> — This is the configuration file for all <emphasis>client</emphasis> applications which use the OpenLDAP libraries such as <command>ldapsearch</command>, <command>ldapadd</command>, Sendmail, <application>Evolution</application>, and <application>Ekiga</application>.</para>
+          <filename>/etc/openldap/ldap.conf</filename> — This is the configuration file for all <emphasis>client</emphasis> applications which use the OpenLDAP libraries such as <command>ldapsearch</command>, <command>ldapadd</command>, Sendmail, <application>Evolution</application>, and <application>Ekiga</application>.
+        </para>
       </listitem>
       <listitem>
         <para>
-          <filename>/etc/openldap/slapd.conf</filename> — This is the configuration file for the <command>slapd</command> daemon. Refer to <xref
-            linkend="s2-ldap-files-slapd-conf"/> for more information.</para>
+          <filename>/etc/openldap/slapd.conf</filename> — This is the configuration file for the <command>slapd</command> daemon. Refer to <xref linkend="s2-ldap-files-slapd-conf"/> for more information.
+        </para>
       </listitem>
       <listitem>
         <para>
-          <filename>/etc/openldap/schema/</filename> directory — This subdirectory contains the schema used by the <command>slapd</command> daemon. Refer to <xref
-            linkend="s1-ldap-files-schemas"/> for more information.</para>
+          <filename>/etc/openldap/schema/</filename> directory — This subdirectory contains the schema used by the <command>slapd</command> daemon. Refer to <xref linkend="s1-ldap-files-schemas"/> for more information.
+        </para>
       </listitem>
     </itemizedlist>
     <note>
       <title>Note</title>
-      <para>If the <filename>nss_ldap</filename> package is installed, it creates a file named <filename>/etc/ldap.conf</filename>. This file is used by the PAM and NSS modules supplied by the <filename>nss_ldap</filename> package. Refer to <xref
-          linkend="s1-ldap-pam"/> for more information.</para>
+      <para>
+        If the <filename>nss_ldap</filename> package is installed, it creates a file named <filename>/etc/ldap.conf</filename>. This file is used by the PAM and NSS modules supplied by the <filename>nss_ldap</filename> package. Refer to <xref linkend="s1-ldap-pam"/> for more information.
+      </para>
     </note>
   </section>
-  <section
-    id="s1-ldap-files-schemas">
+  <section id="s1-ldap-files-schemas">
     <title>The <filename>/etc/openldap/schema/</filename> Directory</title>
-    <indexterm
-      significance="normal">
-      <primary>LDAP</primary>
-      <secondary>configuration files</secondary>
-      <tertiary>
-        <filename>/etc/openldap/schema/</filename> directory</tertiary>
-    </indexterm>
-    <para>The <filename>/etc/openldap/schema/</filename> directory holds LDAP definitions, previously located in the <filename>slapd.at.conf</filename> and <filename>slapd.oc.conf</filename> files. The <filename>/etc/openldap/schema/redhat/</filename> directory holds customized schemas distributed by Red Hat for &MAJOROS;.</para>
-    <para>All <firstterm>attribute syntax definitions</firstterm> and <firstterm>objectclass definitions</firstterm> are now located in the different schema files. The various schema files are referenced in <filename>/etc/openldap/slapd.conf</filename> using <filename>include</filename> lines, as shown in this example:</para>
-    <screen>
-include		/etc/openldap/schema/core.schema
-include		/etc/openldap/schema/cosine.schema
-include		/etc/openldap/schema/inetorgperson.schema
-include		/etc/openldap/schema/nis.schema
-include		/etc/openldap/schema/rfc822-MailMember.schema
-include		/etc/openldap/schema/redhat/autofs.schema
-</screen>
+    <para>
+      The <filename>/etc/openldap/schema/</filename> directory holds LDAP definitions, previously located in the <filename>slapd.at.conf</filename> and <filename>slapd.oc.conf</filename> files. The <filename>/etc/openldap/schema/redhat/</filename> directory holds customized schemas distributed by Red Hat for &MAJOROS;.
+    </para>
+    <para>
+      All <firstterm>attribute syntax definitions</firstterm> and <firstterm>objectclass definitions</firstterm> are now located in the different schema files. The various schema files are referenced in <filename>/etc/openldap/slapd.conf</filename> using <filename>include</filename> lines, as shown in this example:
+    </para>
+    <screen>include    /etc/openldap/schema/core.schema
+include    /etc/openldap/schema/cosine.schema
+include    /etc/openldap/schema/inetorgperson.schema
+include    /etc/openldap/schema/nis.schema
+include    /etc/openldap/schema/rfc822-MailMember.schema
+include    /etc/openldap/schema/redhat/autofs.schema</screen>
     <warning>
       <title>Caution</title>
-      <para>Do not modify schema items defined in the schema files installed by OpenLDAP.</para>
+      <para>
+        Do not modify schema items defined in the schema files installed by OpenLDAP.
+      </para>
     </warning>
-    <para>It is possible to extend the schema used by OpenLDAP to support additional attribute types and object classes using the default schema files as a guide. To do this, create a <filename>local.schema</filename> file in the <filename>/etc/openldap/schema/</filename> directory. Reference this new schema within <filename>slapd.conf</filename> by adding the following line below the default <filename>include</filename> schema lines:</para>
-    <screen>include          /etc/openldap/schema/local.schema</screen>
-    <para>Next, define new attribute types and object classes within the <filename>local.schema</filename> file. Many organizations use existing attribute types from the schema files installed by default and add new object classes to the <filename>local.schema</filename> file.</para>
-    <para>Extending the schema to match certain specialized requirements is quite involved and beyond the scope of this chapter. Refer to <ulink
-        url="http://www.openldap.org/doc/admin/schema.html">http://www.openldap.org/doc/admin/schema.html</ulink> for information.</para>
+    <para>
+      It is possible to extend the schema used by OpenLDAP to support additional attribute types and object classes using the default schema files as a guide. To do this, create a <filename>local.schema</filename> file in the <filename>/etc/openldap/schema/</filename> directory. Reference this new schema within <filename>slapd.conf</filename> by adding the following line below the default <filename>include</filename> schema lines:
+    </para>
+    <screen>include    /etc/openldap/schema/local.schema</screen>
+    <para>
+      Next, define new attribute types and object classes within the <filename>local.schema</filename> file. Many organizations use existing attribute types from the schema files installed by default and add new object classes to the <filename>local.schema</filename> file.
+    </para>
+    <para>
+      Extending the schema to match certain specialized requirements is quite involved and beyond the scope of this chapter. Refer to <ulink url="http://www.openldap.org/doc/admin/schema.html" /> for information.
+    </para>
   </section>
-  <section
-    id="s1-ldap-quickstart">
+  <section id="s1-ldap-quickstart">
     <title>OpenLDAP Setup Overview</title>
-    <indexterm
-      significance="normal">
-      <primary>LDAP</primary>
-      <secondary>setting up</secondary>
-    </indexterm>
-    <para>This section provides a quick overview for installing and configuring an OpenLDAP directory. For more details, refer to the following URLs:</para>
+    <para>
+      This section provides a quick overview for installing and configuring an OpenLDAP directory. For more details, refer to the following URLs:
+    </para>
     <itemizedlist>
       <listitem>
         <para>
-          <ulink
-            url="http://www.openldap.org/doc/admin/quickstart.html">http://www.openldap.org/doc/admin/quickstart.html</ulink> — The <citetitle>Quick-Start Guide</citetitle> on the OpenLDAP website.</para>
+          <ulink url="http://www.openldap.org/doc/admin/quickstart.html" /> — The <citetitle>Quick-Start Guide</citetitle> on the OpenLDAP website.
+        </para>
       </listitem>
       <listitem>
         <para>
-          <ulink
-            url="http://www.tldp.org/HOWTO/LDAP-HOWTO/index.html"/> — The <citetitle>LDAP Linux HOWTO</citetitle> from the Linux Documentation Project.</para>
+          <ulink url="http://www.tldp.org/HOWTO/LDAP-HOWTO/index.html" /> — The <citetitle>LDAP Linux HOWTO</citetitle> from the Linux Documentation Project.
+        </para>
       </listitem>
-			<!-- RHEL5:  	ddomingo at redhat.com: above replaces below, mirror dead.
-			<listitem>
-				<para><ulink url="http://www.redhat.com/mirrors/LDP/HOWTO/LDAP-HOWTO.html">http://www.redhat.com/mirrors/LDP/HOWTO/LDAP-HOWTO.html</ulink> &mdash; The <citetitle>LDAP Linux HOWTO</citetitle> from the Linux Documentation Project, mirrored on the &RH; website.</para>
-			</listitem> -->
     </itemizedlist>
-    <para>The basic steps for creating an LDAP server are as follows:</para>
-    <orderedlist
-      continuation="restarts"
-      inheritnum="ignore">
+    <para>
+      The basic steps for creating an LDAP server are as follows:
+    </para>
+    <orderedlist>
       <listitem>
-        <para>Install the <filename>openldap</filename>, <filename>openldap-servers</filename>, and <filename>openldap-clients</filename> RPMs.</para>
+        <para>
+          Install the <filename>openldap</filename>, <filename>openldap-servers</filename>, and <filename>openldap-clients</filename> RPMs.
+        </para>
       </listitem>
       <listitem>
-        <para>Edit the <filename>/etc/openldap/slapd.conf</filename> file to specify the LDAP domain and server. Refer to <xref
-            linkend="s2-ldap-files-slapd-conf"/> for more information.</para>
+        <para>
+          Edit the <filename>/etc/openldap/slapd.conf</filename> file to specify the LDAP domain and server. Refer to <xref linkend="s2-ldap-files-slapd-conf"/> for more information.
+        </para>
       </listitem>
       <listitem>
-        <para>Start <command>slapd</command> with the command:</para>
+        <para>
+          Start <command>slapd</command> with the command:
+        </para>
         <screen>/sbin/service ldap start</screen>
-        <para>After configuring LDAP, use <command>chkconfig</command>, <command>/usr/sbin/ntsysv</command>, or the <application>Services Configuration Tool</application> to configure LDAP to start at boot time. For more information about configuring services, refer to <xref
-            linkend="ch-Controlling_Access_to_Services"/>.</para>
+        <para>
+          After configuring LDAP, use <command>chkconfig</command>, <command>/usr/sbin/ntsysv</command>, or the <application>Services Configuration Tool</application> to configure LDAP to start at boot time. For more information about configuring services, refer to <xref linkend="ch-Controlling_Access_to_Services"/>.
+        </para>
       </listitem>
       <listitem>
-        <para>Add entries to an LDAP directory with <command>ldapadd</command>.</para>
+        <para>
+          Add entries to an LDAP directory with <command>ldapadd</command>.
+        </para>
       </listitem>
       <listitem>
-        <para>Use <command>ldapsearch</command> to determine if <command>slapd</command> is accessing the information correctly.</para>
+        <para>
+          Use <command>ldapsearch</command> to determine if <command>slapd</command> is accessing the information correctly.
+        </para>
       </listitem>
       <listitem>
-        <para>At this point, the LDAP directory should be functioning properly and can be configured with LDAP-enabled applications.</para>
+        <para>
+          At this point, the LDAP directory should be functioning properly and can be configured with LDAP-enabled applications.
+        </para>
       </listitem>
     </orderedlist>
-    <section
-      id="s2-ldap-files-slapd-conf">
-      <title>Editing <filename>/etc/openldap/slapd.conf</filename>
-      </title>
-      <indexterm
-        significance="normal">
-        <primary>LDAP</primary>
-        <secondary>configuration files</secondary>
-        <tertiary>
-          <filename>/etc/openldap/slapd.conf</filename>
-        </tertiary>
-      </indexterm>
-      <para>To use the <command>slapd</command> LDAP server, modify its configuration file, <filename>/etc/openldap/slapd.conf</filename>, to specify the correct domain and server.</para>
-      <para>The <command>suffix</command> line names the domain for which the LDAP server provides information and should be changed from:</para>
-      <screen>suffix          "dc=your-domain,dc=com"</screen>
-      <para>Edit it accordingly so that it reflects a fully qualified domain name. For example:</para>
-      <screen>suffix          "dc=example,dc=com"</screen>
-      <para>The <command>rootdn</command> entry is the Distinguished Name (DN) for a user who is unrestricted by access controls or administrative limit parameters set for operations on the LDAP directory. The <command>rootdn</command> user can be thought of as the root user for the LDAP directory. In the configuration file, change the <command>rootdn</command> line from its default value as in the following example:</para>
-      <screen>rootdn          "cn=root,dc=example,dc=com"</screen>
-      <para>When populating an LDAP directory over a network, change the <command>rootpw</command> line — replacing the default value with an encrypted password string. To create an encrypted password string, type the following command:</para>
+    <section id="s2-ldap-files-slapd-conf">
+      <title>Editing <filename>/etc/openldap/slapd.conf</filename></title>
+      <para>
+        To use the <command>slapd</command> LDAP server, modify its configuration file, <filename>/etc/openldap/slapd.conf</filename>, to specify the correct domain and server.
+      </para>
+      <para>
+        The <command>suffix</command> line names the domain for which the LDAP server provides information and should be changed from:
+      </para>
+      <screen>suffix    "dc=your-domain,dc=com"</screen>
+      <para>
+        Edit it accordingly so that it reflects a fully qualified domain name. For example:
+      </para>
+      <screen>suffix    "dc=example,dc=com"</screen>
+      <para>
+        The <command>rootdn</command> entry is the Distinguished Name (DN) for a user who is unrestricted by access controls or administrative limit parameters set for operations on the LDAP directory. The <command>rootdn</command> user can be thought of as the root user for the LDAP directory. In the configuration file, change the <command>rootdn</command> line from its default value as in the following example:
+      </para>
+      <screen>rootdn    "cn=root,dc=example,dc=com"</screen>
+      <para>
+        When populating an LDAP directory over a network, change the <command>rootpw</command> line — replacing the default value with an encrypted password string. To create an encrypted password string, type the following command:
+      </para>
       <screen>slappasswd</screen>
-      <para>When prompted, type and then re-type a password. The program prints the resulting encrypted password to the shell prompt.</para>
-      <para>Next, copy the newly created encrypted password into the <filename>/etc/openldap/slapd.conf</filename> on one of the <command>rootpw</command> lines and remove the hash mark (<command>#</command>).</para>
-      <para>When finished, the line should look similar to the following example:</para>
+      <para>
+        When prompted, type and then re-type a password. The program prints the resulting encrypted password to the shell prompt.
+      </para>
+      <para>
+        Next, copy the newly created encrypted password into the <filename>/etc/openldap/slapd.conf</filename> on one of the <command>rootpw</command> lines and remove the hash mark (<command>#</command>).
+      </para>
+      <para>
+        When finished, the line should look similar to the following example:
+      </para>
       <screen>rootpw {SSHA}vv2y+i6V6esazrIv70xSSnNAJE18bb2u</screen>
       <warning>
         <title>Warning</title>
-        <para>LDAP passwords, including the <command>rootpw</command> directive specified in <filename>/etc/openldap/slapd.conf</filename>, are sent over the network <emphasis>unencrypted</emphasis>, unless TLS encryption is enabled.</para>
-        <para>To enable TLS encryption, review the comments in <filename>/etc/openldap/slapd.conf</filename> and refer to the man page for <filename>slapd.conf</filename>.</para>
+        <para>
+          LDAP passwords, including the <command>rootpw</command> directive specified in <filename>/etc/openldap/slapd.conf</filename>, are sent over the network <emphasis>unencrypted</emphasis>, unless TLS encryption is enabled.
+        </para>
+        <para>
+          To enable TLS encryption, review the comments in <filename>/etc/openldap/slapd.conf</filename> and refer to the man page for <filename>slapd.conf</filename>.
+        </para>
       </warning>
-      <para>For added security, the <command>rootpw</command> directive should be commented out after populating the LDAP directory by preceding it with a hash mark (<command>#</command>).</para>
-      <para>When using the <command>/usr/sbin/slapadd</command> command line tool locally to populate the LDAP directory, use of the <command>rootpw</command> directive is not necessary.</para>
+      <para>
+        For added security, the <command>rootpw</command> directive should be commented out after populating the LDAP directory by preceding it with a hash mark (<command>#</command>).
+      </para>
+      <para>
+        When using the <command>/usr/sbin/slapadd</command> command line tool locally to populate the LDAP directory, use of the <command>rootpw</command> directive is not necessary.
+      </para>
       <important>
         <title>Important</title>
-        <para>Only the root user can use <command>/usr/sbin/slapadd</command>. However, the directory server runs as the <filename>ldap</filename> user. Therefore, the directory server is unable to modify any files created by <command>slapadd</command>. To correct this issue, after using <command>slapadd</command>, type the following command:</para>
+        <para>
+          Only the root user can use <command>/usr/sbin/slapadd</command>. However, the directory server runs as the <filename>ldap</filename> user. Therefore, the directory server is unable to modify any files created by <command>slapadd</command>. To correct this issue, after using <command>slapadd</command>, type the following command:
+        </para>
         <screen>chown -R ldap /var/lib/ldap</screen>
       </important>
     </section>
   </section>
-  <section
-    id="s1-ldap-pam">
+  <section id="s1-ldap-pam">
     <title>Configuring a System to Authenticate Using OpenLDAP</title>
-    <indexterm
-      significance="normal">
-      <primary>LDAP</primary>
-      <secondary>authentication using</secondary>
-    </indexterm>
-    <para>This section provides a brief overview of how to configure OpenLDAP user authentication. Unless you are an OpenLDAP expert, more documentation than is provided here is necessary. Refer to the references provided in <xref
-        linkend="s1-ldap-additional-resources"/> for more information.</para>
-    <indexterm
-      significance="normal">
-      <primary>LDAP</primary>
-      <secondary>authentication using</secondary>
-      <tertiary>packages</tertiary>
-    </indexterm>
-    <indexterm
-      significance="normal">
-      <primary>LDAP</primary>
-      <secondary>authentication using</secondary>
-      <tertiary>editing <filename>slapd.conf</filename>
-      </tertiary>
-    </indexterm>
-    <indexterm
-      significance="normal">
-      <primary>LDAP</primary>
-      <secondary>authentication using</secondary>
-      <tertiary>setting up clients</tertiary>
-    </indexterm>
-    <indexterm
-      significance="normal">
-      <primary>LDAP</primary>
-      <secondary>authentication using</secondary>
-      <tertiary>editing <filename>/etc/ldap.conf</filename>
-      </tertiary>
-    </indexterm>
-    <indexterm
-      significance="normal">
-      <primary>LDAP</primary>
-      <secondary>authentication using</secondary>
-      <tertiary>editing <filename>/etc/openldap/ldap.conf</filename>
-      </tertiary>
-    </indexterm>
-    <indexterm
-      significance="normal">
-      <primary>LDAP</primary>
-      <secondary>authentication using</secondary>
-      <tertiary>
-        <application>Authentication Configuration Tool</application>
-      </tertiary>
-    </indexterm>
-    <indexterm
-      significance="normal">
-      <primary>
-        <application>Authentication Configuration Tool</application>
-      </primary>
-      <secondary>and LDAP</secondary>
-    </indexterm>
-    <indexterm
-      significance="normal">
-      <primary>LDAP</primary>
-      <secondary>authentication using</secondary>
-      <tertiary>editing <filename>/etc/nsswitch.conf</filename>
-      </tertiary>
-    </indexterm>
-		<!-- RHEL5:   ddomingo at redhat.com: edited was <variablelist>		  -->
+    <para>
+      This section provides a brief overview of how to configure OpenLDAP user authentication. Unless you are an OpenLDAP expert, more documentation than is provided here is necessary. Refer to the references provided in <xref linkend="s1-ldap-additional-resources"/> for more information.
+    </para>
     <formalpara>
       <title>Install the Necessary LDAP Packages.</title>
-      <para>First, make sure that the appropriate packages are installed on both the LDAP server and the LDAP client machines. The LDAP server needs the <filename>openldap-servers</filename> package.</para>
+      <para>
+        First, make sure that the appropriate packages are installed on both the LDAP server and the LDAP client machines. The LDAP server needs the <filename>openldap-servers</filename> package.
+      </para>
     </formalpara>
-    <para>The <filename>openldap</filename>, <filename>openldap-clients</filename>, and <filename>nss_ldap</filename> packages need to be installed on all LDAP client machines.</para>
+    <para>
+      The <filename>openldap</filename>, <filename>openldap-clients</filename>, and <filename>nss_ldap</filename> packages need to be installed on all LDAP client machines.
+    </para>
     <bridgehead>Edit the Configuration Files</bridgehead>
     <itemizedlist>
       <listitem>
-        <para>On the server, edit the <filename>/etc/openldap/slapd.conf</filename> file on the LDAP server to make sure it matches the specifics of the organization. Refer to <xref
-            linkend="s2-ldap-files-slapd-conf"/> for instructions about editing <filename>slapd.conf</filename>.</para>
+        <para>
+          On the server, edit the <filename>/etc/openldap/slapd.conf</filename> file on the LDAP server to make sure it matches the specifics of the organization. Refer to <xref linkend="s2-ldap-files-slapd-conf"/> for instructions about editing <filename>slapd.conf</filename>.
+        </para>
       </listitem>
       <listitem>
-        <para>On the client machines, both <filename>/etc/ldap.conf</filename> and <filename>/etc/openldap/ldap.conf</filename> need to contain the proper server and search base information for the organization.</para>
-        <para>To do this, run the graphical <application>Authentication Configuration Tool</application> (<command>system-config-authentication</command>) and select <guilabel>Enable LDAP Support</guilabel> under the <guilabel>User Information</guilabel> tab.</para>
-        <para>It is also possible to edit these files by hand.</para>
+        <para>
+          On the client machines, both <filename>/etc/ldap.conf</filename> and <filename>/etc/openldap/ldap.conf</filename> need to contain the proper server and search base information for the organization.
+        </para>
+        <para>
+          To do this, run the graphical <application>Authentication Configuration Tool</application> (<command>system-config-authentication</command>) and select <guilabel>Enable LDAP Support</guilabel> under the <guilabel>User Information</guilabel> tab.
+        </para>
+        <para>
+          It is also possible to edit these files by hand.
+        </para>
       </listitem>
       <listitem>
-        <para>On the client machines, the <filename>/etc/nsswitch.conf</filename> must be edited to use LDAP.</para>
-        <para>To do this, run the <application>Authentication Configuration Tool</application> (<command>system-config-authentication</command>) and select <guilabel>Enable LDAP Support</guilabel> under the <guilabel>User Information</guilabel> tab.</para>
-        <para>If editing <filename>/etc/nsswitch.conf</filename> by hand, add <command>ldap</command> to the appropriate lines.</para>
-        <para>For example:</para>
-        <screen>
-passwd: files ldap
+        <para>
+          On the client machines, the <filename>/etc/nsswitch.conf</filename> must be edited to use LDAP.
+        </para>
+        <para>
+          To do this, run the <application>Authentication Configuration Tool</application> (<command>system-config-authentication</command>) and select <guilabel>Enable LDAP Support</guilabel> under the <guilabel>User Information</guilabel> tab.
+        </para>
+        <para>
+          If editing <filename>/etc/nsswitch.conf</filename> by hand, add <command>ldap</command> to the appropriate lines.
+        </para>
+        <para>
+          For example:
+        </para>
+        <screen>passwd: files ldap
 shadow: files ldap
-group: files ldap
-</screen>
+group: files ldap</screen>
       </listitem>
     </itemizedlist>
-    <section
-      id="s2-ldap-pamd">
+    <section id="s2-ldap-pamd">
       <title>PAM and LDAP</title>
-      <indexterm
-        significance="normal">
-        <primary>LDAP</primary>
-        <secondary>authentication using</secondary>
-        <tertiary>PAM</tertiary>
-      </indexterm>
-      <indexterm
-        significance="normal">
-        <primary>
-          <application>Authentication Configuration Tool</application>
-        </primary>
-        <secondary>and LDAP</secondary>
-      </indexterm>
       <para>
-				To have standard PAM-enabled applications use LDAP for authentication, run the <application>Authentication Configuration Tool</application> (<command>system-config-authentication</command>) and select <guilabel>Enable LDAP Support</guilabel> under the the <guilabel>Authentication</guilabel> tab. For more information about configuring PAM, refer to the <citetitle pubwork="chapter">Pluggable Authentication Modules (PAM)</citetitle> chapter of the &MAJOROSVER; <citetitle>Security Guide</citetitle> and the PAM man pages.</para>
+        To have standard PAM-enabled applications use LDAP for authentication, run the <application>Authentication Configuration Tool</application> (<command>system-config-authentication</command>) and select <guilabel>Enable LDAP Support</guilabel> under the the <guilabel>Authentication</guilabel> tab. For more information about configuring PAM, refer to the <citetitle pubwork="chapter">Pluggable Authentication Modules (PAM)</citetitle> chapter of the &MAJOROSVER; <citetitle>Security Guide</citetitle> and the PAM man pages.
+      </para>
     </section>
-    <section
-      id="s2-ldap-migrate">
+    <section id="s2-ldap-migrate">
       <title>Migrating Old Authentication Information to LDAP Format</title>
-      <para>The <filename>/usr/share/openldap/migration/</filename> directory contains a set of shell and Perl scripts for migrating authentication information into an LDAP format.</para>
+      <para>
+        The <filename>/usr/share/openldap/migration/</filename> directory contains a set of shell and Perl scripts for migrating authentication information into an LDAP format.
+      </para>
       <note>
         <title>Note</title>
-        <para>Perl must be installed on the system to use these scripts.</para>
+        <para>
+          Perl must be installed on the system to use these scripts.
+        </para>
       </note>
-      <para>First, modify the <filename>migrate_common.ph</filename> file so that it reflects the correct domain. The default DNS domain should be changed from its default value to something like:</para>
-      <screen>
-<command>$DEFAULT_MAIL_DOMAIN = "<replaceable>example</replaceable>";</command>
-      </screen>
-      <para>The default base should also be changed to something like:</para>
-      <screen>
-<command>$DEFAULT_BASE = "dc=<replaceable>example</replaceable>,dc=<replaceable>com</replaceable>";</command>
-      </screen>
-      <para>The job of migrating a user database into a format that is LDAP readable falls to a group of migration scripts installed in the same directory. Using <xref
-          linkend="tb-ldap-migratescripts"/>, decide which script to run to migrate the user database.</para>
-      <para>Run the appropriate script based on the existing name service.</para>
-      <para>The <filename>README</filename> and the <filename>migration-tools.txt</filename> files in the <filename>/usr/share/openldap/migration/</filename> directory provide more details on how to migrate the information.</para>
-      <table
-        id="tb-ldap-migratescripts">
+      <para>
+        First, modify the <filename>migrate_common.ph</filename> file so that it reflects the correct domain. The default DNS domain should be changed from its default value to something like:
+      </para>
+      <screen><command>$DEFAULT_MAIL_DOMAIN = "<replaceable>example</replaceable>";</command></screen>
+      <para>
+        The default base should also be changed to something like:
+      </para>
+      <screen><command>$DEFAULT_BASE = "dc=<replaceable>example</replaceable>,dc=<replaceable>com</replaceable>";</command></screen>
+      <para>
+        The job of migrating a user database into a format that is LDAP readable falls to a group of migration scripts installed in the same directory. Using <xref linkend="tb-ldap-migratescripts"/>, decide which script to run to migrate the user database.
+      </para>
+      <para>
+        Run the appropriate script based on the existing name service.
+      </para>
+      <para>
+        The <filename>README</filename> and the <filename>migration-tools.txt</filename> files in the <filename>/usr/share/openldap/migration/</filename> directory provide more details on how to migrate the information.
+      </para>
+      <table id="tb-ldap-migratescripts">
         <title>LDAP Migration Scripts</title>
-        <tgroup
-          cols="3">
-          <colspec
-            colname="existing"
-            colnum="1"
-            colwidth="30*"/>
-          <colspec
-            colname="running"
-            colnum="2"
-            colwidth="20*"/>
-          <colspec
-            colname="use"
-            colnum="3"
-            colwidth="50*"/>
+        <tgroup cols="3">
+          <colspec colname="existing" colnum="1" colwidth="30*" />
+          <colspec colname="running" colnum="2" colwidth="20*" />
+          <colspec colname="use" colnum="3" colwidth="50*" />
           <thead>
             <row>
               <entry>
-								Existing name service
-							</entry>
+                Existing name service
+              </entry>
               <entry>
-								Is LDAP running?
-							</entry>
+                Is LDAP running?
+              </entry>
               <entry>
-								Script to Use
-							</entry>
+                Script to Use
+              </entry>
             </row>
           </thead>
           <tbody>
             <row>
               <entry>
                 <filename>/etc</filename> flat files
-							</entry>
+              </entry>
               <entry>
-								yes
-							</entry>
+                yes
+              </entry>
               <entry>
                 <filename>migrate_all_online.sh</filename>
               </entry>
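
Review bot: the `<indexterm>` blocks removed from the `s1-ldap-pam` and `s2-ldap-pamd` sections are not re-added anywhere in this hunk, so the change drops the "authentication using" index entries instead of only reflowing markup; the commit message should say so, or the removal should go into a separate commit. The reflowed PAM paragraph also still carries the duplicated word in "under the the <guilabel>Authentication</guilabel> tab", and the first list item keeps the redundant "On the server, edit ... on the LDAP server"; both are easy to fix while the lines are being touched.
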
@@ -837,54 +587,54 @@ group: files ldap
             <row>
               <entry>
                 <filename>/etc</filename> flat files
-							</entry>
+              </entry>
               <entry>
-								no
-							</entry>
+                no
+              </entry>
               <entry>
                 <filename>migrate_all_offline.sh</filename>
               </entry>
             </row>
             <row>
               <entry>
-								NetInfo
-							</entry>
+                NetInfo
+              </entry>
               <entry>
-								yes
-							</entry>
+                yes
+              </entry>
               <entry>
                 <filename>migrate_all_netinfo_online.sh</filename>
               </entry>
             </row>
             <row>
               <entry>
-								NetInfo
-							</entry>
+                NetInfo
+              </entry>
               <entry>
-								no
-							</entry>
+                no
+              </entry>
               <entry>
                 <filename>migrate_all_netinfo_offline.sh</filename>
               </entry>
             </row>
             <row>
               <entry>
-								NIS (YP)
-							</entry>
+                NIS (YP)
+              </entry>
               <entry>
-								yes
-							</entry>
+                yes
+              </entry>
               <entry>
                 <filename>migrate_all_nis_online.sh</filename>
               </entry>
             </row>
             <row>
               <entry>
-								NIS (YP)
-							</entry>
+                NIS (YP)
+              </entry>
               <entry>
-								no
-							</entry>
+                no
+              </entry>
               <entry>
                 <filename>migrate_all_nis_offline.sh</filename>
               </entry>
@@ -894,64 +644,46 @@ group: files ldap
       </table>
     </section>
   </section>
-  <section
-    id="s1-ldap-migrate">
+  <section id="s1-ldap-migrate">
     <title>Migrating Directories from Earlier Releases</title>
-    <indexterm
-      significance="normal">
-      <primary>LDAP</primary>
-      <secondary>setting up</secondary>
-      <tertiary>migrating older directories</tertiary>
-    </indexterm>
-    <indexterm
-      significance="normal">
-      <primary>LDAP</primary>
-      <secondary>upgrading directories</secondary>
-    </indexterm>
-		<!-- RHEL5:  TBD12: RHEL 5.2 mentioned below-->
-    <para>With &MAJOROS;, OpenLDAP uses Sleepycat Software's Berkeley DB system as its on-disk storage format for directories. Earlier versions of OpenLDAP used <firstterm>GNU Database Manager</firstterm> (<firstterm>gdbm</firstterm>). For this reason, before upgrading an LDAP implementation to &MAJOROS; 5.2, original LDAP data should first be exported before the upgrade, and then reimported afterwards. This can be achieved by performing the following steps:</para>
-    <orderedlist
-      continuation="restarts"
-      inheritnum="ignore">
+    <para>
+      With &MAJOROS;, OpenLDAP uses Sleepycat Software's Berkeley DB system as its on-disk storage format for directories. Earlier versions of OpenLDAP used <firstterm>GNU Database Manager</firstterm> (<firstterm>gdbm</firstterm>). For this reason, before upgrading an LDAP implementation to &MAJOROS; 5.2, original LDAP data should first be exported before the upgrade, and then reimported afterwards. This can be achieved by performing the following steps:
+    </para>
+    <orderedlist>
       <listitem>
-        <para>Before upgrading the operating system, run the command <command>/usr/sbin/slapcat -l <replaceable>ldif-output</replaceable>
-          </command>. This outputs an LDIF file called <filename><replaceable>ldif-output</replaceable>
-          </filename> containing the entries from the LDAP directory.</para>
+        <para>
+          Before upgrading the operating system, run the command <command>/usr/sbin/slapcat -l <replaceable>ldif-output</replaceable></command>. This outputs an LDIF file called <filename><replaceable>ldif-output</replaceable></filename> containing the entries from the LDAP directory.
+        </para>
       </listitem>
       <listitem>
-        <para>Upgrade the operating system, being careful not to reformat the partition containing the LDIF file.</para>
+        <para>
+          Upgrade the operating system, being careful not to reformat the partition containing the LDIF file.
+        </para>
       </listitem>
       <listitem>
-        <para>Re-import the LDAP directory to the upgraded Berkeley DB format by executing the command <command>/usr/sbin/slapadd -l <replaceable>ldif-output</replaceable>
-          </command>.</para>
+        <para>
+          Re-import the LDAP directory to the upgraded Berkeley DB format by executing the command <command>/usr/sbin/slapadd -l <replaceable>ldif-output</replaceable></command>.
+        </para>
       </listitem>
     </orderedlist>
   </section>
-  <section
-    id="s1-ldap-additional-resources">
+  <section id="s1-ldap-additional-resources">
     <title>Additional Resources</title>
-    <indexterm
-      significance="normal">
-      <primary>LDAP</primary>
-      <secondary>additional resources</secondary>
-    </indexterm>
-    <para>The following resources offer additional information on LDAP. It is highly recommended that you review these, especially the OpenLDAP website and the LDAP HOWTO, before configuring LDAP on your system(s).</para>
-    <section
-      id="s2-ldap-installed-docs">
+    <para>
+      The following resources offer additional information on LDAP. It is highly recommended that you review these, especially the OpenLDAP website and the LDAP HOWTO, before configuring LDAP on your system(s).
+    </para>
+    <section id="s2-ldap-installed-docs">
       <title>Installed Documentation</title>
-      <indexterm
-        significance="normal">
-        <primary>LDAP</primary>
-        <secondary>additional resources</secondary>
-        <tertiary>installed documentation</tertiary>
-      </indexterm>
       <itemizedlist>
         <listitem>
           <para>
-            <filename>/usr/share/docs/openldap-<replaceable>&lt;versionnumber&gt;</replaceable>/</filename> directory — Contains a general <filename>README</filename> document and miscellaneous information.</para>
+            <filename>/usr/share/docs/openldap-<replaceable>&lt;versionnumber&gt;</replaceable>/</filename> directory — Contains a general <filename>README</filename> document and miscellaneous information.
+          </para>
         </listitem>
         <listitem>
-          <para>LDAP related man pages — There are a number of man pages for the various applications and configuration files involved with LDAP. The following is a list of some of the more important man pages.</para>
+          <para>
+            LDAP related man pages — There are a number of man pages for the various applications and configuration files involved with LDAP. The following is a list of some of the more important man pages.
+          </para>
           <variablelist>
             <varlistentry>
               <term>Client Applications</term>
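
Review bot: the deleted comment `<!-- RHEL5:  TBD12: RHEL 5.2 mentioned below-->` was the only marker that the hardcoded "&MAJOROS; 5.2" in the reflowed `s1-ldap-migrate` paragraph is still unresolved, and the paragraph keeps that text; either correct the version reference in this change or keep the TBD comment. The hunk also drops the `<indexterm>` blocks for `s1-ldap-migrate`, `s1-ldap-additional-resources` and `s2-ldap-installed-docs`, and the `continuation` and `inheritnum` attributes on `<orderedlist>`, none of which the commit message mentions.
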
@@ -959,36 +691,43 @@ group: files ldap
                 <itemizedlist>
                   <listitem>
                     <para>
-                      <command>man ldapadd</command> — Describes how to add entries to an LDAP directory.</para>
+                      <command>man ldapadd</command> — Describes how to add entries to an LDAP directory.
+                    </para>
                   </listitem>
                   <listitem>
                     <para>
-                      <command>man ldapdelete</command> — Describes how to delete entries within an LDAP directory.</para>
+                      <command>man ldapdelete</command> — Describes how to delete entries within an LDAP directory.
+                    </para>
                   </listitem>
                   <listitem>
                     <para>
-                      <command>man ldapmodify</command> — Describes how to modify entries within an LDAP directory.</para>
+                      <command>man ldapmodify</command> — Describes how to modify entries within an LDAP directory.
+                    </para>
                   </listitem>
                   <listitem>
                     <para>
-                      <command>man ldapsearch</command> — Describes how to search for entries within an LDAP directory.</para>
+                      <command>man ldapsearch</command> — Describes how to search for entries within an LDAP directory.
+                    </para>
                   </listitem>
                   <listitem>
                     <para>
-                      <command>man ldappasswd</command> — Describes how to set or change the password of an LDAP user.</para>
+                      <command>man ldappasswd</command> — Describes how to set or change the password of an LDAP user.
+                    </para>
                   </listitem>
-									<!-- RHEL5:   	ddomingo at redhat.com: added new client app man pages		  -->
                   <listitem>
                     <para>
-                      <command>man ldapcompare</command> — Describes how to use the <command>ldapcompare</command> tool.</para>
+                      <command>man ldapcompare</command> — Describes how to use the <command>ldapcompare</command> tool.
+                    </para>
                   </listitem>
                   <listitem>
                     <para>
-                      <command>man ldapwhoami</command> — Describes how to use the <command>ldapwhoami</command> tool.</para>
+                      <command>man ldapwhoami</command> — Describes how to use the <command>ldapwhoami</command> tool.
+                    </para>
                   </listitem>
                   <listitem>
                     <para>
-                      <command>man ldapmodrdn</command> — Describes how to modify the RDNs of entries.</para>
+                      <command>man ldapmodrdn</command> — Describes how to modify the RDNs of entries.
+                    </para>
                   </listitem>
                 </itemizedlist>
               </listitem>
@@ -999,11 +738,13 @@ group: files ldap
                 <itemizedlist>
                   <listitem>
                     <para>
-                      <command>man slapd</command> — Describes command line options for the LDAP server.</para>
+                      <command>man slapd</command> — Describes command line options for the LDAP server.
+                    </para>
                   </listitem>
                   <listitem>
                     <para>
-                      <command>man slurpd</command> — Describes command line options for the LDAP replication server.</para>
+                      <command>man slurpd</command> — Describes command line options for the LDAP replication server.
+                    </para>
                   </listitem>
                 </itemizedlist>
               </listitem>
@@ -1014,19 +755,23 @@ group: files ldap
                 <itemizedlist>
                   <listitem>
                     <para>
-                      <command>man slapadd</command> — Describes command line options used to add entries to a <command>slapd</command> database.</para>
+                      <command>man slapadd</command> — Describes command line options used to add entries to a <command>slapd</command> database.
+                    </para>
                   </listitem>
                   <listitem>
                     <para>
-                      <command>man slapcat</command> — Describes command line options used to generate an LDIF file from a <command>slapd</command> database.</para>
+                      <command>man slapcat</command> — Describes command line options used to generate an LDIF file from a <command>slapd</command> database.
+                    </para>
                   </listitem>
                   <listitem>
                     <para>
-                      <command>man slapindex</command> — Describes command line options used to regenerate an index based upon the contents of a <command>slapd</command> database.</para>
+                      <command>man slapindex</command> — Describes command line options used to regenerate an index based upon the contents of a <command>slapd</command> database.
+                    </para>
                   </listitem>
                   <listitem>
                     <para>
-                      <command>man slappasswd</command> — Describes command line options used to generate user passwords for LDAP directories.</para>
+                      <command>man slappasswd</command> — Describes command line options used to generate user passwords for LDAP directories.
+                    </para>
                   </listitem>
                 </itemizedlist>
               </listitem>
@@ -1037,11 +782,13 @@ group: files ldap
                 <itemizedlist>
                   <listitem>
                     <para>
-                      <command>man ldap.conf</command> — Describes the format and options available within the configuration file for LDAP clients.</para>
+                      <command>man ldap.conf</command> — Describes the format and options available within the configuration file for LDAP clients.
+                    </para>
                   </listitem>
                   <listitem>
                     <para>
-                      <command>man slapd.conf</command> — Describes the format and options available within the configuration file referenced by both the LDAP server applications (<command>slapd</command> and <command>slurpd</command>) and the LDAP administrative tools (<command>slapadd</command>, <command>slapcat</command>, and <command>slapindex</command>).</para>
+                      <command>man slapd.conf</command> — Describes the format and options available within the configuration file referenced by both the LDAP server applications (<command>slapd</command> and <command>slurpd</command>) and the LDAP administrative tools (<command>slapadd</command>, <command>slapcat</command>, and <command>slapindex</command>).
+                    </para>
                   </listitem>
                 </itemizedlist>
               </listitem>
@@ -1050,68 +797,48 @@ group: files ldap
         </listitem>
       </itemizedlist>
     </section>
-    <section
-      id="s2-ldap-additional-resources-web">
+    <section id="s2-ldap-additional-resources-web">
       <title>Useful Websites</title>
-      <indexterm
-        significance="normal">
-        <primary>LDAP</primary>
-        <secondary>additional resources</secondary>
-        <tertiary>useful websites</tertiary>
-      </indexterm>
       <itemizedlist>
         <listitem>
           <para>
-            <ulink
-              url="http://www.openldap.org">http://www.openldap.org/</ulink> — Home of the OpenLDAP Project. This website contains a wealth of information about configuring OpenLDAP as well as a future roadmap and version changes.</para>
+            <ulink url="http://www.openldap.org/" /> — Home of the OpenLDAP Project. This website contains a wealth of information about configuring OpenLDAP as well as a future roadmap and version changes.
+          </para>
         </listitem>
-				<!-- RHEL5:  	ddomingo at redhat.com: link is dead, 404 error
-				<listitem>
-					<para><ulink url="http://www.redhat.com/mirrors/LDP/HOWTO/LDAP-HOWTO.html">http://www.redhat.com/mirrors/LDP/HOWTO/LDAP-HOWTO.html</ulink> &mdash; A comprehensive, relevant, and updated LDAP HOWTO.</para>
-				</listitem>
- -->
         <listitem>
           <para>
-            <ulink
-              url="http://www.padl.com">http://www.padl.com/</ulink> — Developers of <filename>nss_ldap</filename> and <filename>pam_ldap</filename>, among other useful LDAP tools.</para>
+            <ulink url="http://www.padl.com/" /> — Developers of <filename>nss_ldap</filename> and <filename>pam_ldap</filename>, among other useful LDAP tools.
+          </para>
         </listitem>
         <listitem>
           <para>
-            <ulink
-              url="http://www.kingsmountain.com/ldapRoadmap.shtml">http://www.kingsmountain.com/ldapRoadmap.shtml</ulink> — Jeff Hodges' LDAP Road Map contains links to several useful FAQs and emerging news concerning the LDAP protocol.</para>
+            <ulink url="http://www.kingsmountain.com/ldapRoadmap.shtml" /> — Jeff Hodges' LDAP Road Map contains links to several useful FAQs and emerging news concerning the LDAP protocol.
+          </para>
         </listitem>
-				<!-- RHEL5:  	ddomingo at redhat.com: link redirects to another domain, and 404s
-				<listitem>
-					<para><ulink url="http://www.newarchitectmag.com/archives/2000/05/wilcox/">http://www.newarchitectmag.com/archives/2000/05/wilcox/</ulink> &mdash; A useful look at managing groups in LDAP.</para>
-				</listitem> -->
         <listitem>
           <para>
-            <ulink
-              url="http://www.ldapman.org/articles/">http://www.ldapman.org/articles/</ulink> — Articles that offer a good introduction to LDAP, including methods to design a directory tree and customizing directory structures.</para>
+            <ulink url="http://www.ldapman.org/articles/" /> — Articles that offer a good introduction to LDAP, including methods to design a directory tree and customizing directory structures.
+          </para>
         </listitem>
       </itemizedlist>
     </section>
-    <section
-      id="s2-ldap-related-books">
+    <section id="s2-ldap-related-books">
       <title>Related Books</title>
-      <indexterm
-        significance="normal">
-        <primary>LDAP</primary>
-        <secondary>additional resources</secondary>
-        <tertiary>related books</tertiary>
-      </indexterm>
       <itemizedlist>
         <listitem>
           <para>
-            <citetitle>OpenLDAP by Example</citetitle> by John Terpstra and Benjamin Coles; Prentice Hall.</para>
+            <citetitle>OpenLDAP by Example</citetitle> by John Terpstra and Benjamin Coles; Prentice Hall.
+          </para>
         </listitem>
         <listitem>
           <para>
-            <citetitle>Implementing LDAP</citetitle> by Mark Wilcox; Wrox Press, Inc.</para>
+            <citetitle>Implementing LDAP</citetitle> by Mark Wilcox; Wrox Press, Inc.
+          </para>
         </listitem>
         <listitem>
           <para>
-            <citetitle>Understanding and Deploying LDAP Directory Services</citetitle> by Tim Howes et al.; Macmillan Technical Publishing.</para>
+            <citetitle>Understanding and Deploying LDAP Directory Services</citetitle> by Tim Howes et al.; Macmillan Technical Publishing.
+          </para>
         </listitem>
       </itemizedlist>
     </section>
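
Review bot: deleting the commented-out LDAP-HOWTO `<listitem>` from the Useful Websites list removes the last trace of that resource, yet the introductory paragraph of `s1-ldap-additional-resources` (reflowed earlier in this patch) still tells readers to review "the OpenLDAP website and the LDAP HOWTO"; drop that mention or add a working link. The `<ulink>` rewrite also changes values, not only layout: `url="http://www.openldap.org"` and `url="http://www.padl.com"` gain a trailing slash and the link text is replaced by an empty element, so confirm the rendered output still prints the URL.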

