directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From seelm...@apache.org
Subject svn commit: r574057 [3/3] - in /directory/studio/trunk/studio-ldifeditor-help: ./ META-INF/ about_files/ resources/ resources/css/ resources/icons/ resources/icons/ovr16/ resources/images/ resources/rfc/ src/ src/main/ src/main/resources/
Date Sun, 09 Sep 2007 19:52:10 GMT
Added: directory/studio/trunk/studio-ldifeditor-help/resources/rfc/rfc2829.txt
URL: http://svn.apache.org/viewvc/directory/studio/trunk/studio-ldifeditor-help/resources/rfc/rfc2829.txt?rev=574057&view=auto
==============================================================================
--- directory/studio/trunk/studio-ldifeditor-help/resources/rfc/rfc2829.txt (added)
+++ directory/studio/trunk/studio-ldifeditor-help/resources/rfc/rfc2829.txt Sun Sep  9 12:52:02 2007
@@ -0,0 +1,899 @@
+
+
+
+
+
+
+Network Working Group                                            M. Wahl
+Request for Comments: 2829                        Sun Microsystems, Inc.
+Category: Standards Track                                  H. Alvestrand
+                                                             EDB Maxware
+                                                               J. Hodges
+                                                             Oblix, Inc.
+                                                               R. Morgan
+                                                University of Washington
+                                                                May 2000
+
+
+                    Authentication Methods for LDAP
+
+Status of this Memo
+
+   This document specifies an Internet standards track protocol for the
+   Internet community, and requests discussion and suggestions for
+   improvements.  Please refer to the current edition of the "Internet
+   Official Protocol Standards" (STD 1) for the standardization state
+   and status of this protocol.  Distribution of this memo is unlimited.
+
+Copyright Notice
+
+   Copyright (C) The Internet Society (2000).  All Rights Reserved.
+
+Abstract
+
+   This document specifies particular combinations of security
+   mechanisms which are required and recommended in LDAP [1]
+   implementations.
+
+1. Introduction
+
+   LDAP version 3 is a powerful access protocol for directories.
+
+   It offers means of searching, fetching and manipulating directory
+   content, and ways to access a rich set of security functions.
+
+   In order to function for the best of the Internet, it is vital that
+   these security functions be interoperable; therefore there has to be
+   a minimum subset of security functions that is common to all
+   implementations that claim LDAPv3 conformance.
+
+   Basic threats to an LDAP directory service include:
+
+      (1)   Unauthorized access to data via data-fetching operations,
+
+
+
+
+
+Wahl, et al.                Standards Track                     [Page 1]
+
+RFC 2829            Authentication Methods for LDAP             May 2000
+
+
+      (2)   Unauthorized access to reusable client authentication
+            information by monitoring others' access,
+
+      (3)   Unauthorized access to data by monitoring others' access,
+
+      (4)   Unauthorized modification of data,
+
+      (5)   Unauthorized modification of configuration,
+
+      (6)   Unauthorized or excessive use of resources (denial of
+            service), and
+
+      (7)   Spoofing of directory: Tricking a client into believing that
+            information came from the directory when in fact it did not,
+            either by modifying data in transit or misdirecting the
+            client's connection.
+
+   Threats (1), (4), (5) and (6) are due to hostile clients.  Threats
+   (2), (3) and (7) are due to hostile agents on the path between client
+   and server, or posing as a server.
+
+   The LDAP protocol suite can be protected with the following security
+   mechanisms:
+
+      (1)   Client authentication by means of the SASL [2] mechanism
+            set, possibly backed by the TLS credentials exchange
+            mechanism,
+
+      (2)   Client authorization by means of access control based on the
+            requestor's authenticated identity,
+
+      (3)   Data integrity protection by means of the TLS protocol or
+            data-integrity SASL mechanisms,
+
+      (4)   Protection against snooping by means of the TLS protocol or
+            data-encrypting SASL mechanisms,
+
+      (5)   Resource limitation by means of administrative limits on
+            service controls, and
+
+      (6)   Server authentication by means of the TLS protocol or SASL
+            mechanism.
+
+   At the moment, imposition of access controls is done by means outside
+   the scope of the LDAP protocol.
+
+   In this document, the term "user" represents any application which is
+   an LDAP client using the directory to retrieve or store information.
+
+
+
+Wahl, et al.                Standards Track                     [Page 2]
+
+RFC 2829            Authentication Methods for LDAP             May 2000
+
+
+   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+   "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and "OPTIONAL" in this
+   document are to be interpreted as described in RFC 2119 [3].
+
+2.  Example deployment scenarios
+
+   The following scenarios are typical for LDAP directories on the
+   Internet, and have different security requirements. (In the
+   following, "sensitive" means data that will cause real damage to the
+   owner if revealed; there may be data that is protected but not
+   sensitive).  This is not intended to be a comprehensive list, other
+   scenarios are possible, especially on physically protected networks.
+
+      (1)   A read-only directory, containing no sensitive data,
+            accessible to "anyone", and TCP connection hijacking or IP
+            spoofing is not a problem.  This directory requires no
+            security functions except administrative service limits.
+
+      (2)   A read-only directory containing no sensitive data; read
+            access is granted based on identity.  TCP connection
+            hijacking is not currently a problem. This scenario requires
+            a secure authentication function.
+
+      (3)   A read-only directory containing no sensitive data; and the
+            client needs to ensure that the directory data is
+            authenticated by the server and not modified while being
+            returned from the server.
+
+      (4)   A read-write directory, containing no sensitive data; read
+            access is available to "anyone", update access to properly
+            authorized persons.  TCP connection hijacking is not
+            currently a problem.  This scenario requires a secure
+            authentication function.
+
+      (5)   A directory containing sensitive data.  This scenario
+            requires session confidentiality protection AND secure
+            authentication.
+
+3.  Authentication and Authorization:  Definitions and Concepts
+
+   This section defines basic terms, concepts, and interrelationships
+   regarding authentication, authorization, credentials, and identity.
+   These concepts are used in describing how various security approaches
+   are utilized in client authentication and authorization.
+
+
+
+
+
+
+
+Wahl, et al.                Standards Track                     [Page 3]
+
+RFC 2829            Authentication Methods for LDAP             May 2000
+
+
+3.1.  Access Control Policy
+
+   An access control policy is a set of rules defining the protection of
+   resources, generally in terms of the capabilities of persons or other
+   entities accessing those resources.  A common expression of an access
+   control policy is an access control list.  Security objects and
+   mechanisms, such as those described here, enable the expression of
+   access control policies and their enforcement.  Access control
+   policies are typically expressed in terms of access control
+   attributes as described below.
+
+3.2.  Access Control Factors
+
+   A request, when it is being processed by a server, may be associated
+   with a wide variety of security-related factors (section 4.2 of [1]).
+   The server uses these factors to determine whether and how to process
+   the request.  These are called access control factors (ACFs).  They
+   might include source IP address, encryption strength, the type of
+   operation being requested, time of day, etc.  Some factors may be
+   specific to the request itself, others may be associated with the
+   connection via which the request is transmitted, others (e.g. time of
+   day) may be "environmental".
+
+   Access control policies are expressed in terms of access control
+   factors.  E.g., a request having ACFs i,j,k can perform operation Y
+   on resource Z. The set of ACFs that a server makes available for such
+   expressions is implementation-specific.
+
+3.3.  Authentication, Credentials, Identity
+
+   Authentication credentials are the evidence supplied by one party to
+   another, asserting the identity of the supplying party (e.g. a user)
+   who is attempting to establish an association with the other party
+   (typically a server).  Authentication is the process of generating,
+   transmitting, and verifying these credentials and thus the identity
+   they assert.  An authentication identity is the name presented in a
+   credential.
+
+   There are many forms of authentication credentials -- the form used
+   depends upon the particular authentication mechanism negotiated by
+   the parties.  For example: X.509 certificates, Kerberos tickets,
+   simple identity and password pairs.  Note that an authentication
+   mechanism may constrain the form of authentication identities used
+   with it.
+
+
+
+
+
+
+
+Wahl, et al.                Standards Track                     [Page 4]
+
+RFC 2829            Authentication Methods for LDAP             May 2000
+
+
+3.4.  Authorization Identity
+
+   An authorization identity is one kind of access control factor.  It
+   is the name of the user or other entity that requests that operations
+   be performed.  Access control policies are often expressed in terms
+   of authorization identities; e.g., entity X can perform operation Y
+   on resource Z.
+
+   The authorization identity bound to an association is often exactly
+   the same as the authentication identity presented by the client, but
+   it may be different.  SASL allows clients to specify an authorization
+   identity distinct from the authentication identity asserted by the
+   client's credentials.  This permits agents such as proxy servers to
+   authenticate using their own credentials, yet request the access
+   privileges of the identity for which they are proxying [2].  Also,
+   the form of authentication identity supplied by a service like TLS
+   may not correspond to the authorization identities used to express a
+   server's access control  policy, requiring a server-specific mapping
+   to be done.  The method by which a server composes and validates an
+   authorization identity from the authentication credentials supplied
+   by a client is implementation-specific.
+
+4. Required security mechanisms
+
+   It is clear that allowing any implementation, faced with the above
+   requirements, to pick and choose among the possible alternatives is
+   not a strategy that is likely to lead to interoperability. In the
+   absence of mandates, clients will be written that do not support any
+   security function supported by the server, or worse, support only
+   mechanisms like cleartext passwords that provide clearly inadequate
+   security.
+
+   Active intermediary attacks are the most difficult for an attacker to
+   perform, and for an implementation to protect against.  Methods that
+   protect only against hostile client and passive eavesdropping attacks
+   are useful in situations where the cost of protection against active
+   intermediary attacks is not justified based on the perceived risk of
+   active intermediary attacks.
+
+   Given the presence of the Directory, there is a strong desire to see
+   mechanisms where identities take the form of a Distinguished Name and
+   authentication data can be stored in the directory; this means that
+   either this data is useless for faking authentication (like the Unix
+   "/etc/passwd" file format used to be), or its content is never passed
+   across the wire unprotected - that is, it's either updated outside
+   the protocol or it is only updated in sessions well protected against
+   snooping.  It is also desirable to allow authentication methods to
+
+
+
+
+Wahl, et al.                Standards Track                     [Page 5]
+
+RFC 2829            Authentication Methods for LDAP             May 2000
+
+
+   carry authorization identities based on existing forms of user
+   identities for backwards compatibility with non-LDAP-based
+   authentication services.
+
+   Therefore, the following implementation conformance requirements are
+   in place:
+
+      (1)   For a read-only, public directory, anonymous authentication,
+            described in section 5, can be used.
+
+      (2)   Implementations providing password-based authenticated
+            access MUST support authentication using the DIGEST-MD5 SASL
+            mechanism [4], as described in section 6.1.  This provides
+            client authentication with protection against passive
+            eavesdropping attacks, but does not provide protection
+            against active intermediary attacks.
+
+      (3)   For a directory needing session protection and
+            authentication, the Start TLS extended operation [5], and
+            either the simple authentication choice or the SASL EXTERNAL
+            mechanism, are to be used together.  Implementations SHOULD
+            support authentication with a password as described in
+            section 6.2, and SHOULD support authentication with a
+            certificate as described in section 7.1.  Together, these
+            can provide integrity and disclosure protection of
+            transmitted data, and authentication of client and server,
+            including protection against active intermediary attacks.
+
+   If TLS is negotiated, the client MUST discard all information about
+   the server fetched prior to the TLS negotiation.  In particular, the
+   value of supportedSASLMechanisms MAY be different after TLS has been
+   negotiated (specifically, the EXTERNAL mechanism or the proposed
+   PLAIN mechanism are likely to only be listed after a TLS negotiation
+   has been performed).
+
+   If a SASL security layer is negotiated, the client MUST discard all
+   information about the server fetched prior to SASL.  In particular,
+   if the client is configured to support multiple SASL mechanisms, it
+   SHOULD fetch supportedSASLMechanisms both before and after the SASL
+   security layer is negotiated and verify that the value has not
+   changed after the SASL security layer was negotiated.  This detects
+   active attacks which remove supported SASL mechanisms from the
+   supportedSASLMechanisms list, and allows the client to ensure that it
+   is using the best mechanism supported by both client and server
+   (additionally, this is a SHOULD to allow for environments where the
+   supported SASL mechanisms list is provided to the client through a
+   different trusted source, e.g. as part of a digitally signed object).
+
+
+
+
+Wahl, et al.                Standards Track                     [Page 6]
+
+RFC 2829            Authentication Methods for LDAP             May 2000
+
+
+5. Anonymous authentication
+
+   Directory operations which modify entries or access protected
+   attributes or entries generally require client authentication.
+   Clients which do not intend to perform any of these operations
+   typically use anonymous authentication.
+
+   LDAP implementations MUST support anonymous authentication, as
+   defined in section 5.1.
+
+   LDAP implementations MAY support anonymous authentication with TLS,
+   as defined in section 5.2.
+
+   While there MAY be access control restrictions to prevent access to
+   directory entries, an LDAP server SHOULD allow an anonymously-bound
+   client to retrieve the supportedSASLMechanisms attribute of the root
+   DSE.
+
+   An LDAP server MAY use other information about the client provided by
+   the lower layers or external means to grant or deny access even to
+   anonymously authenticated clients.
+
+5.1. Anonymous authentication procedure
+
+   An LDAP client which has not successfully completed a bind operation
+   on a connection is anonymously authenticated.
+
+   An LDAP client MAY also specify anonymous authentication in a bind
+   request by using a zero-length OCTET STRING with the simple
+   authentication choice.
+
+5.2. Anonymous authentication and TLS
+
+   An LDAP client MAY use the Start TLS operation [5] to negotiate the
+   use of TLS security [6].  If the client has not bound beforehand,
+   then until the client uses the EXTERNAL SASL mechanism to negotiate
+   the recognition of the client's certificate, the client is
+   anonymously authenticated.
+
+   Recommendations on TLS ciphersuites are given in section 10.
+
+   An LDAP server which requests that clients provide their certificate
+   during TLS negotiation MAY use a local security policy to determine
+   whether to successfully complete TLS negotiation if the client did
+   not present a certificate which could be validated.
+
+
+
+
+
+
+Wahl, et al.                Standards Track                     [Page 7]
+
+RFC 2829            Authentication Methods for LDAP             May 2000
+
+
+6. Password-based authentication
+
+   LDAP implementations MUST support authentication with a password
+   using the DIGEST-MD5 SASL mechanism for password protection, as
+   defined in section 6.1.
+
+   LDAP implementations SHOULD support authentication with the "simple"
+   password choice when the connection is protected against
+   eavesdropping using TLS, as defined in section 6.2.
+
+6.1. Digest authentication
+
+   An LDAP client MAY determine whether the server supports this
+   mechanism by performing a search request on the root DSE, requesting
+   the supportedSASLMechanisms attribute, and checking whether the
+   string "DIGEST-MD5" is present as a value of this attribute.
+
+   In the first stage of authentication, when the client is performing
+   an "initial authentication" as defined in section 2.1 of [4], the
+   client sends a bind request in which the version number is 3, the
+   authentication choice is sasl, the sasl mechanism name is "DIGEST-
+   MD5", and the credentials are absent.  The client then waits for a
+   response from the server to this request.
+
+   The server will respond with a bind response in which the resultCode
+   is saslBindInProgress, and the serverSaslCreds field is present.  The
+   contents of this field is a string defined by "digest-challenge" in
+   section 2.1.1 of [4].  The server SHOULD include a realm indication
+   and MUST indicate support for UTF-8.
+
+   The client will send a bind request with a distinct message id, in
+   which the version number is 3, the authentication choice is sasl, the
+   sasl mechanism name is "DIGEST-MD5", and the credentials contain the
+   string defined by "digest-response" in section 2.1.2 of [4].  The
+   serv-type is "ldap".
+
+   The server will respond with a bind response in which the resultCode
+   is either success, or an error indication.  If the authentication is
+   successful and the server does not support subsequent authentication,
+   then the credentials field is absent.  If the authentication is
+   successful and the server supports subsequent authentication, then
+   the credentials field contains the string defined by "response-auth"
+   in section 2.1.3 of [4].   Support for subsequent authentication is
+   OPTIONAL in clients and servers.
+
+
+
+
+
+
+
+Wahl, et al.                Standards Track                     [Page 8]
+
+RFC 2829            Authentication Methods for LDAP             May 2000
+
+
+6.2. "simple" authentication choice under TLS encryption
+
+   A user who has a directory entry containing a userPassword attribute
+   MAY authenticate to the directory by performing a simple password
+   bind sequence following the negotiation of a TLS ciphersuite
+   providing connection confidentiality [6].
+
+   The client will use the Start TLS operation [5] to negotiate the use
+   of TLS security [6] on the connection to the LDAP server.  The client
+   need not have bound to the directory beforehand.
+
+   For this authentication procedure to be successful, the client and
+   server MUST negotiate a ciphersuite which contains a bulk encryption
+   algorithm of appropriate strength.  Recommendations on cipher suites
+   are given in section 10.
+
+   Following the successful completion of TLS negotiation, the client
+   MUST send an LDAP bind request with the version number of 3, the name
+   field containing the name of the user's entry, and the "simple"
+   authentication choice, containing a password.
+
+   The server will, for each value of the userPassword attribute in the
+   named user's entry, compare these for case-sensitive equality with
+   the client's presented password.  If there is a match, then the
+   server will respond with resultCode success, otherwise the server
+   will respond with resultCode invalidCredentials.
+
+6.3. Other authentication choices with TLS
+
+   It is also possible, following the negotiation of TLS, to perform a
+   SASL authentication which does not involve the exchange of plaintext
+   reusable passwords.  In this case the client and server need not
+   negotiate a ciphersuite which provides confidentiality if the only
+   service required is data integrity.
+
+7. Certificate-based authentication
+
+   LDAP implementations SHOULD support authentication via a client
+   certificate in TLS, as defined in section 7.1.
+
+7.1. Certificate-based authentication with TLS
+
+   A user who has a public/private key pair in which the public key has
+   been signed by a Certification Authority may use this key pair to
+   authenticate to the directory server if the user's certificate is
+   requested by the server.  The user's certificate subject field SHOULD
+   be the name of the user's directory entry, and the Certification
+   Authority must be sufficiently trusted by the directory server to
+
+
+
+Wahl, et al.                Standards Track                     [Page 9]
+
+RFC 2829            Authentication Methods for LDAP             May 2000
+
+
+   have issued the certificate in order that the server can process the
+   certificate.  The means by which servers validate certificate paths
+   is outside the scope of this document.
+
+   A server MAY support mappings for certificates in which the subject
+   field name is different from the name of the user's directory entry.
+   A server which supports mappings of names MUST be capable of being
+   configured to support certificates for which no mapping is required.
+
+   The client will use the Start TLS operation [5] to negotiate the use
+   of TLS security [6] on the connection to the LDAP server.  The client
+   need not have bound to the directory beforehand.
+
+   In the TLS negotiation, the server MUST request a certificate.  The
+   client will provide its certificate to the server, and MUST perform a
+   private key-based encryption, proving it has the private key
+   associated with the certificate.
+
+   As deployments will require protection of sensitive data in transit,
+   the client and server MUST negotiate a ciphersuite which contains a
+   bulk encryption algorithm of appropriate strength.  Recommendations
+   of cipher suites are given in section 10.
+
+   The server MUST verify that the client's certificate is valid. The
+   server will normally check that the certificate is issued by a known
+   CA, and that none of the certificates on the client's certificate
+   chain are invalid or revoked.  There are several procedures by which
+   the server can perform these checks.
+
+   Following the successful completion of TLS negotiation, the client
+   will send an LDAP bind request with the SASL "EXTERNAL" mechanism.
+
+8. Other mechanisms
+
+   The LDAP "simple" authentication choice is not suitable for
+   authentication on the Internet where there is no network or transport
+   layer confidentiality.
+
+   As LDAP includes native anonymous and plaintext authentication
+   methods, the "ANONYMOUS" and "PLAIN" SASL mechanisms are not used
+   with LDAP.  If an authorization identity of a form different from a
+   DN is requested by the client, a mechanism that protects the password
+   in transit SHOULD be used.
+
+   The following SASL-based mechanisms are not considered in this
+   document: KERBEROS_V4, GSSAPI and SKEY.
+
+
+
+
+
+Wahl, et al.                Standards Track                    [Page 10]
+
+RFC 2829            Authentication Methods for LDAP             May 2000
+
+
+   The "EXTERNAL" SASL mechanism can be used to request the LDAP server
+   make use of security credentials exchanged by a lower layer. If a TLS
+   session has not been established between the client and server prior
+   to making the SASL EXTERNAL Bind request and there is no other
+   external source of authentication credentials (e.g.  IP-level
+   security [8]), or if, during the process of establishing the TLS
+   session, the server did not request the client's authentication
+   credentials, the SASL EXTERNAL bind MUST fail with a result code of
+   inappropriateAuthentication.  Any client authentication and
+   authorization state of the LDAP association is lost, so the LDAP
+   association is in an anonymous state after the failure.
+
+9. Authorization Identity
+
+   The authorization identity is carried as part of the SASL credentials
+   field in the LDAP Bind request and response.
+
+   When the "EXTERNAL" mechanism is being negotiated, if the credentials
+   field is present, it contains an authorization identity of the
+   authzId form described below.
+
+   Other mechanisms define the location of the authorization identity in
+   the credentials field.
+
+   The authorization identity is a string in the UTF-8 character set,
+   corresponding to the following ABNF [7]:
+
+   ; Specific predefined authorization (authz) id schemes are
+   ; defined below -- new schemes may be defined in the future.
+
+   authzId    = dnAuthzId / uAuthzId
+
+   ; distinguished-name-based authz id.
+   dnAuthzId  = "dn:" dn
+   dn         = utf8string    ; with syntax defined in RFC 2253
+
+   ; unspecified userid, UTF-8 encoded.
+   uAuthzId   = "u:" userid
+   userid     = utf8string    ; syntax unspecified
+
+   A utf8string is defined to be the UTF-8 encoding of one or more ISO
+   10646 characters.
+
+   All servers which support the storage of authentication credentials,
+   such as passwords or certificates, in the directory MUST support the
+   dnAuthzId choice.
+
+
+
+
+
+Wahl, et al.                Standards Track                    [Page 11]
+
+RFC 2829            Authentication Methods for LDAP             May 2000
+
+
+   The uAuthzId choice allows for compatibility with client applications
+   which wish to authenticate to a local directory but do not know their
+   own Distinguished Name or have a directory entry.  The format of the
+   string is defined as only a sequence of UTF-8 encoded ISO 10646
+   characters, and further interpretation is subject to prior agreement
+   between the client and server.
+
+   For example, the userid could identify a user of a specific directory
+   service, or be a login name or the local-part of an RFC 822 email
+   address. In general a uAuthzId MUST NOT be assumed to be globally
+   unique.
+
+   Additional authorization identity schemes MAY be defined in future
+   versions of this document.
+
+10. TLS Ciphersuites
+
+   The following ciphersuites defined in [6] MUST NOT be used for
+   confidentiality protection of passwords or data:
+
+         TLS_NULL_WITH_NULL_NULL
+         TLS_RSA_WITH_NULL_MD5
+         TLS_RSA_WITH_NULL_SHA
+
+   The following ciphersuites defined in [6] can be cracked easily (less
+   than a week of CPU time on a standard CPU in 1997).  The client and
+   server SHOULD carefully consider the value of the password or data
+   being protected before using these ciphersuites:
+
+         TLS_RSA_EXPORT_WITH_RC4_40_MD5
+         TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
+         TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
+         TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA
+         TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA
+         TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
+         TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
+         TLS_DH_anon_EXPORT_WITH_RC4_40_MD5
+         TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA
+
+   The following ciphersuites are vulnerable to man-in-the-middle
+   attacks, and SHOULD NOT be used to protect passwords or sensitive
+   data, unless the network configuration is such that the danger of a
+   man-in-the-middle attack is tolerable:
+
+
+
+
+
+
+
+
+Wahl, et al.                Standards Track                    [Page 12]
+
+RFC 2829            Authentication Methods for LDAP             May 2000
+
+
+         TLS_DH_anon_EXPORT_WITH_RC4_40_MD5
+         TLS_DH_anon_WITH_RC4_128_MD5
+         TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA
+         TLS_DH_anon_WITH_DES_CBC_SHA
+         TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
+
+   A client or server that supports TLS MUST support at least
+   TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA.
+
+11. SASL service name for LDAP
+
+   For use with SASL [2], a protocol must specify a service name to be
+   used with various SASL mechanisms, such as GSSAPI.  For LDAP, the
+   service name is "ldap", which has been registered with the IANA as a
+   GSSAPI service name.
+
+12. Security Considerations
+
+   Security issues are discussed throughout this memo; the
+   (unsurprising) conclusion is that mandatory security is important,
+   and that session encryption is required when snooping is a problem.
+
+   Servers are encouraged to prevent modifications by anonymous users.
+   Servers may also wish to minimize denial of service attacks by timing
+   out idle connections, and returning the unwillingToPerform result
+   code rather than performing computationally expensive operations
+   requested by unauthorized clients.
+
+   A connection on which the client has not performed the Start TLS
+   operation or negotiated a suitable SASL mechanism for connection
+   integrity and encryption services is subject to man-in-the-middle
+   attacks to view and modify information in transit.
+
+   Additional security considerations relating to the EXTERNAL mechanism
+   to negotiate TLS can be found in [2], [5] and [6].
+
+13. Acknowledgements
+
+   This document is a product of the LDAPEXT Working Group of the IETF.
+   The contributions of its members is greatly appreciated.
+
+
+
+
+
+
+
+
+
+
+
+Wahl, et al.                Standards Track                    [Page 13]
+
+RFC 2829            Authentication Methods for LDAP             May 2000
+
+
+14. Bibliography
+
+   [1] Wahl, M., Howes, T. and S. Kille, "Lightweight Directory Access
+       Protocol (v3)", RFC 2251, December 1997.
+
+   [2] Myers, J., "Simple Authentication and Security Layer (SASL)", RFC
+       2222, October 1997.
+
+   [3] Bradner, S., "Key words for use in RFCs to Indicate Requirement
+       Levels", BCP 14, RFC 2119, March 1997.
+
+   [4] Leach, P. and C. Newman, "Using Digest Authentication as a SASL
+       Mechanism", RFC 2831, May 2000.
+
+   [5] Hodges, J., Morgan, R. and M. Wahl, "Lightweight Directory Access
+       Protocol (v3): Extension for Transport Layer Security", RFC 2830,
+       May 2000.
+
+   [6] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", RFC
+       2246, January 1999.
+
+   [7] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
+       Specifications: ABNF", RFC 2234, November 1997.
+
+   [8] Kent, S. and R. Atkinson, "Security Architecture for the Internet
+       Protocol", RFC 2401, November 1998.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Wahl, et al.                Standards Track                    [Page 14]
+
+RFC 2829            Authentication Methods for LDAP             May 2000
+
+
+15. Authors' Addresses
+
+   Mark Wahl
+   Sun Microsystems, Inc.
+   8911 Capital of Texas Hwy #4140
+   Austin TX 78759
+   USA
+
+   EMail: M.Wahl@innosoft.com
+
+
+   Harald Tveit Alvestrand
+   EDB Maxware
+   Pirsenteret
+   N-7462 Trondheim, Norway
+
+   Phone: +47 73 54 57 97
+   EMail: Harald@Alvestrand.no
+
+
+   Jeff Hodges
+   Oblix, Inc.
+   18922 Forge Drive
+   Cupertino, CA 95014
+   USA
+
+   Phone: +1-408-861-6656
+   EMail: JHodges@oblix.com
+
+
+   RL "Bob" Morgan
+   Computing and Communications
+   University of Washington
+   Seattle, WA 98105
+   USA
+
+   Phone: +1-206-221-3307
+   EMail: rlmorgan@washington.edu
+
+
+
+
+
+
+
+
+
+
+
+
+
+Wahl, et al.                Standards Track                    [Page 15]
+
+RFC 2829            Authentication Methods for LDAP             May 2000
+
+
+16.  Full Copyright Statement
+
+   Copyright (C) The Internet Society (2000).  All Rights Reserved.
+
+   This document and translations of it may be copied and furnished to
+   others, and derivative works that comment on or otherwise explain it
+   or assist in its implementation may be prepared, copied, published
+   and distributed, in whole or in part, without restriction of any
+   kind, provided that the above copyright notice and this paragraph are
+   included on all such copies and derivative works.  However, this
+   document itself may not be modified in any way, such as by removing
+   the copyright notice or references to the Internet Society or other
+   Internet organizations, except as needed for the purpose of
+   developing Internet standards in which case the procedures for
+   copyrights defined in the Internet Standards process must be
+   followed, or as required to translate it into languages other than
+   English.
+
+   The limited permissions granted above are perpetual and will not be
+   revoked by the Internet Society or its successors or assigns.
+
+   This document and the information contained herein is provided on an
+   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Acknowledgement
+
+   Funding for the RFC Editor function is currently provided by the
+   Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Wahl, et al.                Standards Track                    [Page 16]
+

Added: directory/studio/trunk/studio-ldifeditor-help/src/main/resources/0_index.xml
URL: http://svn.apache.org/viewvc/directory/studio/trunk/studio-ldifeditor-help/src/main/resources/0_index.xml?rev=574057&view=auto
==============================================================================
--- directory/studio/trunk/studio-ldifeditor-help/src/main/resources/0_index.xml (added)
+++ directory/studio/trunk/studio-ldifeditor-help/src/main/resources/0_index.xml Sun Sep  9 12:52:02 2007
@@ -0,0 +1,69 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" "../../../docbook-xml/docbookx.dtd"[
+
+  <!ENTITY gettingstarted SYSTEM "1_gettingstarted.xml">
+  <!ENTITY tasks SYSTEM "3_tasks.xml">
+  <!ENTITY reference SYSTEM "4_reference.xml">
+  <!ENTITY tipsntricks SYSTEM "5_tipsntricks.xml">
+  <!ENTITY whatsnew SYSTEM "6_whatsnew.xml">
+  
+]>
+
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements.  See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership.  The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License.  You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied.  See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+
+<book>
+
+	<bookinfo>
+		<title>Apache Directory Studio</title>
+		<subtitle>LDIF Editor User's Guide</subtitle>
+		<releaseinfo>Version 1.0.0</releaseinfo>
+		<copyright>
+			<year>2007</year>
+			<holder>Apache Software Foundation</holder>
+		</copyright>
+		<legalnotice>
+			<literallayout class="monospaced">
+				Licensed to the Apache Software Foundation (ASF) under one
+				or more contributor license agreements.  See the NOTICE file
+				distributed with this work for additional information
+				regarding copyright ownership.  The ASF licenses this file
+				to you under the Apache License, Version 2.0 (the
+				"License"); you may not use this file except in compliance
+				with the License.  You may obtain a copy of the License at
+				
+				  <ulink url="http://www.apache.org/licenses/LICENSE-2.0">http://www.apache.org/licenses/LICENSE-2.0</ulink>
+				
+				Unless required by applicable law or agreed to in writing,
+				software distributed under the License is distributed on an
+				"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+				KIND, either express or implied.  See the License for the
+				specific language governing permissions and limitations
+				under the License.
+			</literallayout>		
+		</legalnotice>	
+	</bookinfo>
+
+	&gettingstarted;
+	&tasks;
+	&reference;
+	&tipsntricks;
+	&whatsnew;
+
+</book>

Added: directory/studio/trunk/studio-ldifeditor-help/src/main/resources/1_gettingstarted.xml
URL: http://svn.apache.org/viewvc/directory/studio/trunk/studio-ldifeditor-help/src/main/resources/1_gettingstarted.xml?rev=574057&view=auto
==============================================================================
--- directory/studio/trunk/studio-ldifeditor-help/src/main/resources/1_gettingstarted.xml (added)
+++ directory/studio/trunk/studio-ldifeditor-help/src/main/resources/1_gettingstarted.xml Sun Sep  9 12:52:02 2007
@@ -0,0 +1,979 @@
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements.  See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership.  The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License.  You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied.  See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+<chapter id="gettingstarted">
+	<title>Getting started</title>
+	
+	<para>
+		This getting started guide provides a brief introduction to the Apache Directory Studio LDIF Editor. 
+	</para>
+	
+	<section id="gettingstarted_download_install">
+		<title>Download and installation</title>
+		<para>
+		 	Beside the integration in Apache Directory Studio the Apache Directory Studio LDIF Editor could also be installed
+		 	as a plug-in into a regular Eclipse installation. This section describes this
+		 	alternative. 
+		 </para>
+		 <para>
+			Using the Eclipse Install/Update Manager is the easiest way to 
+			install the Apache Directory Studio LDIF Editor plug-in.
+			From workbench menu choose
+			<emphasis role="strong">
+			<menuchoice>
+				<guimenu>Help</guimenu>
+				<guisubmenu>Software Updates</guisubmenu>
+				<guimenuitem>Find and Install...</guimenuitem>
+			</menuchoice>
+			</emphasis>
+			. 
+		</para>
+		<para>
+			In the opened wizard choose 
+			<emphasis role="strong">Search for new features to install</emphasis> 
+			and click <emphasis role="strong">Next</emphasis>.
+			<screenshot>
+				<mediaobject>
+					<imageobject>
+						<imagedata scale="50"
+							fileref="images/gettingstarted_install_1.png" format="PNG" />
+					</imageobject>
+				</mediaobject>
+			</screenshot>
+		</para>
+		<para>
+			Next please specify the Apache Directory Studio update site. Click the <emphasis role="strong">New Remote Site...</emphasis> button.
+			In the dialog input the following and press <emphasis role="strong">OK</emphasis>:
+			<itemizedlist>
+				<listitem>Name: Apache Directory Studio Update Site</listitem>
+				<listitem>URL: http://directory.apache.org/studio/update/1.x</listitem>
+			</itemizedlist>
+			<screenshot>
+				<mediaobject>
+					<imageobject>
+						<imagedata scale="50"
+							fileref="images/gettingstarted_install_2.png" format="PNG" />
+					</imageobject>
+				</mediaobject>
+			</screenshot>
+		</para>
+		<para>
+			Make sure the new update site is checked an press 
+			<emphasis role="strong">Finish</emphasis>.
+			<screenshot>
+				<mediaobject>
+					<imageobject>
+						<imagedata scale="50"
+							fileref="images/gettingstarted_install_3.png" format="PNG" />
+					</imageobject>
+				</mediaobject>
+			</screenshot>
+		</para>
+		<para>
+			Now the install manager checks the update site and presents the search results. Select the
+			feature you want to install - of course the Apache Directory Studio LDIF Editor - and click 
+			<emphasis role="strong">Next</emphasis>.
+			<screenshot>
+				<mediaobject>
+					<imageobject>
+						<imagedata scale="50"
+							fileref="images/gettingstarted_install_4.png" format="PNG" />
+					</imageobject>
+				</mediaobject>
+			</screenshot>
+		</para>
+		<para>
+			Accept the license agreement, the Apache Directory Studio LDIF Editor is distributed under the 
+			Apache License, Version 2.0.
+			<screenshot>
+				<mediaobject>
+					<imageobject>
+						<imagedata scale="50" 
+							fileref="images/gettingstarted_install_5.png" format="PNG" />
+					</imageobject>
+				</mediaobject>
+			</screenshot>
+		</para>
+		<para>
+			In the next dialog ensure that the Apache Directory Studio LDIF Editor feature is selected and 
+			click to <emphasis role="strong">Finish</emphasis>.
+			<screenshot>
+				<mediaobject>
+					<imageobject>
+						<imagedata scale="50" 
+							fileref="images/gettingstarted_install_6.png" format="PNG" />
+					</imageobject>
+				</mediaobject>
+			</screenshot>
+		</para>
+		<para>
+			Now the install manager loads the necessary files. When download is finished
+			you have to verify the installation, please click to 
+			<emphasis role="strong">Install</emphasis>.
+			<screenshot>
+				<mediaobject>
+					<imageobject>
+						<imagedata scale="50"
+							fileref="images/gettingstarted_install_7.png" format="PNG" />
+					</imageobject>
+				</mediaobject>
+			</screenshot>
+		</para>
+		<para>
+			After installation it is recommended to restart the Eclipse workbench.
+		</para>
+		
+	</section>
+	
+	
+	<section id="gettingstarted_overview">
+		<title>Overview</title>
+		  
+		<para>
+			The LDIF editor could be used to edit LDIF files. 
+			It could handle LDIF content files as well as LDIF changetype files.
+			Files with appendix *.ldif are automatically handled by the LDIF editor.
+		</para>
+		
+		<simplesect id="gettingstarted_overview_limitations">
+		<title>Limitations</title>
+			<para>
+				The LDIF editor is still in development. 
+				The handling of big LDIF files is a problem because the complete file 
+				is loaded into memory which may cause an OutOfMemoryException.
+				The syntax check doesn't work correctly. The error annotations and 
+				displayed messages are not very helpful at the moment.
+				Currently there is no URL support (jpegImage:&lt;file://)
+			</para>	
+		</simplesect>
+		
+		<simplesect id="gettingstarted_overview_screenshots">
+			<title>Example screenshot</title>
+			<para>
+				<screenshot>
+					<mediaobject>
+						<imageobject>
+							<imagedata scale="50"
+								fileref="images/tools_ldif_editor_15.png" format="PNG" />
+						</imageobject>
+					</mediaobject>
+				</screenshot>
+			</para>			
+		</simplesect>
+		
+		<simplesect id="gettingstarted_overview_syntax_coloring">
+			<title>Syntax coloring</title>
+			<para>
+				Syntax coloring helps you to distinguish the different elements of a LDIF file. 
+				By default the following colors and fonts are used:
+			</para>	
+			<informaltable frame="all">
+				<tgroup cols="3">
+					<colspec colname="Element" colwidth="2*" />
+					<colspec colname="Color" colwidth="1*" />
+					<colspec colname="Example" colwidth="2*" />
+					<thead>
+						<row>
+							<entry>Element</entry>
+							<entry>Color</entry>
+							<entry>Example</entry>
+						</row>
+					</thead>
+					<tbody>
+						<row>
+							<entry>distinguished name</entry>
+							<entry>black and bold</entry>
+							<entry>
+								<screenshot>
+									<mediaobject>
+										<imageobject>
+											<imagedata contentdepth="1em"
+												fileref="images/tools_ldif_editor_1.png" format="PNG" />
+										</imageobject>
+									</mediaobject>
+								</screenshot>
+							</entry>
+						</row>
+						<row>
+							<entry>attributes</entry>
+							<entry>violett and bold</entry>
+							<entry>
+								<screenshot>
+									<mediaobject>
+										<imageobject>
+											<imagedata contentdepth="1em"
+												fileref="images/tools_ldif_editor_2.png" format="PNG" />
+										</imageobject>
+									</mediaobject>
+								</screenshot>
+							</entry>
+						</row>
+						<row>
+							<entry>values</entry>
+							<entry>blue</entry>
+							<entry>
+								<screenshot>
+									<mediaobject>
+										<imageobject>
+											<imagedata contentdepth="1em"
+												fileref="images/tools_ldif_editor_3.png" format="PNG" />
+										</imageobject>
+									</mediaobject>
+								</screenshot>
+							</entry>
+						</row>
+						<row>
+							<entry>changetype add</entry>
+							<entry>green and bold</entry>
+							<entry>
+								<screenshot>
+									<mediaobject>
+										<imageobject>
+											<imagedata contentdepth="1em"
+												fileref="images/tools_ldif_editor_4.png" format="PNG" />
+										</imageobject>
+									</mediaobject>
+								</screenshot>
+							</entry>
+						</row>
+						<row>
+							<entry>changetype modify</entry>
+							<entry>yellow and bold</entry>
+							<entry>
+								<screenshot>
+									<mediaobject>
+										<imageobject>
+											<imagedata contentdepth="1em"
+												fileref="images/tools_ldif_editor_5.png" format="PNG" />
+										</imageobject>
+									</mediaobject>
+								</screenshot>
+							</entry>
+						</row>
+						<row>
+							<entry>changetype delete</entry>
+							<entry>red and bold</entry>
+							<entry>
+								<screenshot>
+									<mediaobject>
+										<imageobject>
+											<imagedata contentdepth="1em"
+												fileref="images/tools_ldif_editor_6.png" format="PNG" />
+										</imageobject>
+									</mediaobject>
+								</screenshot>
+							</entry>
+						</row>
+						<row>
+							<entry>changetype moddn/modrdn</entry>
+							<entry>blue and bold</entry>
+							<entry>
+								<screenshot>
+									<mediaobject>
+										<imageobject>
+											<imagedata contentdepth="1em"
+												fileref="images/tools_ldif_editor_7.png" format="PNG" />
+										</imageobject>
+									</mediaobject>
+								</screenshot>
+							</entry>
+						</row>
+						<row>
+							<entry>keywords</entry>
+							<entry>gray</entry>
+							<entry>
+								<screenshot>
+									<mediaobject>
+										<imageobject>
+											<imagedata contentdepth="1em"
+												fileref="images/tools_ldif_editor_8.png" format="PNG" />
+										</imageobject>
+									</mediaobject>
+								</screenshot>
+							</entry>
+						</row>
+						<row>
+							<entry>comments</entry>
+							<entry>dark green</entry>
+							<entry>
+								<screenshot>
+									<mediaobject>
+										<imageobject>
+											<imagedata contentdepth="1em"
+												fileref="images/tools_ldif_editor_9.png" format="PNG" />
+										</imageobject>
+									</mediaobject>
+								</screenshot>
+							</entry>
+						</row>
+					</tbody>
+				</tgroup>
+			</informaltable>
+			<para>
+				These colors and fonts could be changed in the 
+				<link linkend="gettingstarted_preferences">
+					LDIF Editor Syntax Coloring preferences
+				</link>.
+			</para>		
+		</simplesect>
+  
+	</section>
+	
+	<section id="gettingstarted_working">
+		<title>Working with the LDIF editor</title>
+		<simplesect id="gettingstarted_working_using">
+			<title>Using LDIF editor</title>
+			<para>
+				To create a new LDIF file choose <emphasis role="strong">File -> New </emphasis>, 
+				expand <emphasis role="strong">LDAP Browser</emphasis>, 
+				select 
+				<emphasis role="strong">
+					<guiicon>
+						<inlinemediaobject>
+							<imageobject>
+								<imagedata contentdepth="1em" fileref="icons/browser_ldifeditor.gif"
+									format="GIF" />
+							</imageobject>
+						</inlinemediaobject>
+					</guiicon>
+					LDIF File
+				</emphasis> 
+				and press the Finish button.
+			</para>
+			<para>
+				To open an existing LDIF file choose <emphasis role="strong">File -> Open File</emphasis>, 
+				that opens a file dialog where you could select the LDIF file. 
+				Within Eclipse you could also open a LDIF file from Navigator view.
+			</para>
+			<para>
+				To save the modified LDIF choose <emphasis role="strong">File -> Save</emphasis>
+				or <emphasis role="strong">File -> Save as</emphasis> and select a save location 
+				and enter the file name.
+			</para>
+			<para>
+				The LDIF editor also supports default editor functionality like Copy/Paste, 
+				Undo/Redo and a Find/Replace dialog, see Edit menu. 
+			</para>
+		</simplesect>
+		
+		<simplesect id="gettingstarted_working_connect">
+			<title>Connect with directory and its schema</title>
+			<para>
+				The LDIF editor could be connected to a directory server and its schema. 
+				A prerequirement is that the connection is defined. 
+				Then you could select a connection from the drop-down list.
+				Doing this will provide you the following features:
+				<itemizedlist>
+					<listitem>
+						<para>
+							The Content Assistent will provide better attribute proposals.
+						</para>
+					</listitem>
+					<listitem>
+						<para>
+							The best value provider is choosen as default value editor.
+						</para>
+					</listitem>
+					<listitem>
+						<para>
+							The LDIF could be imported into the selected directory by invoking the 
+							<emphasis role="strong">
+								<guiicon>
+									<inlinemediaobject>
+										<imageobject>
+											<imagedata contentdepth="1em" fileref="icons/execute.gif"
+												format="GIF" />
+										</imageobject>
+									</inlinemediaobject>
+								</guiicon>
+							</emphasis> 
+							execute button.
+						</para>
+					</listitem>
+				</itemizedlist>			
+			</para>
+		</simplesect>
+	
+		<simplesect id="gettingstarted_working_content_assistent">
+			<title>Content Assistent</title>
+			<para>
+				The LDIF editor provides a context-sensitive content assistent.
+				To start content assistence press 
+				<emphasis role="strong">Ctrl+Space</emphasis>, 
+				then a popup with proposals is shown. 
+				You could select one using the cursur keys or the mouse, press 
+				<emphasis role="strong">Enter</emphasis> to apply 
+				the selected proposal. To close the popup press the 
+				<emphasis role="strong">ESC</emphasis> key.
+				The following list shows the supported proposals:
+			</para>
+			<itemizedlist>
+				<listitem>
+					<para>
+						When starting a new record a popup with record templates is shown.
+						<screenshot>
+							<mediaobject>
+								<imageobject>
+									<imagedata scale="50"
+										fileref="images/tools_ldif_editor_10.png" format="PNG" />
+								</imageobject>
+							</mediaobject>
+						</screenshot>
+					</para>
+				</listitem>
+				<listitem>
+					<para>
+						When writing an attribute in a content or add record a popup with 
+						a list with matching attributes is shown.
+						<screenshot>
+							<mediaobject>
+								<imageobject>
+									<imagedata scale="50"
+										fileref="images/tools_ldif_editor_12.png" format="PNG" />
+								</imageobject>
+							</mediaobject>
+						</screenshot>
+					</para>
+				</listitem>
+				<listitem>
+					<para>
+						In an modify record the popup lists possible modify item templates.
+						<screenshot>
+							<mediaobject>
+								<imageobject>
+									<imagedata scale="50"
+										fileref="images/tools_ldif_editor_11.png" format="PNG" />
+								</imageobject>
+							</mediaobject>
+						</screenshot>
+					</para>
+				</listitem>
+			</itemizedlist>
+		</simplesect>
+	
+		<simplesect id="gettingstarted_working_value_editors">
+			<title>Value Editors</title>
+			<para>
+				In LDIF values may only contain a subset of ASCII characters. 
+				Values with other characters (like accent mark) and even asiatic characters 
+				must be encoded using BASE-64. Also binary data like images or certificates
+				must be encoded. 
+			</para>
+			<para>
+				To edit such values Value editors could be used.
+			</para>
+			<para>
+				To start a Value editor move the cursor to the attribute or value and select 
+				<emphasis role="strong">Edit Value</emphasis> from context menu or press 
+				<emphasis role="strong">F7</emphasis>.
+				This opens the default value editor dialog. 
+				You could also open a custom value editor by choosing one from 
+				<emphasis role="strong">Edit Value With</emphasis> in context menu.
+			</para>
+			<para>
+				To apply a modified value press the <emphasis role="strong">OK</emphasis> 
+				button in the value editor dialog, the previous value is replaced by the new value. 
+				Of course in LDIF they are displayed BASE-64 encoded.
+			</para>
+		</simplesect>
+		
+		<simplesect id="gettingstarted_working_record_editors">
+			<title>LDIF record editor</title>
+			<para>
+				It is possible to use the well-known Entry editor to edit content 
+				records and add records. Move the cursor to the record and choose 
+				<emphasis role="strong">Edit Record</emphasis> from context menu or 
+				press <emphasis role="strong">F8</emphasis>.
+				This opens the LDIF record editor. 
+				You can add, modify and delete attributes. 
+				To apply the modification press <emphasis role="strong">OK</emphasis>, 
+				the previous record is replaced by the new one.
+				<screenshot>
+					<mediaobject>
+						<imageobject>
+							<imagedata scale="50"
+								fileref="images/tools_ldif_editor_13.png" format="PNG" />
+						</imageobject>
+					</mediaobject>
+				</screenshot>			
+			</para>
+		</simplesect>
+	
+		<simplesect id="gettingstarted_working_base64">
+			<title>Reading BASE-64 values</title>
+			<para>
+				There are two ways to make BASE-64 values human readable:
+			</para>
+			<itemizedlist>
+				<listitem>
+					<para>
+						Move the mouse over the value, a tooltip with the value is displayed. 
+						This works only for text-based values, not for binary values.
+						<screenshot>
+							<mediaobject>
+								<imageobject>
+									<imagedata scale="50"
+										fileref="images/tools_ldif_editor_14.png" format="PNG" />
+								</imageobject>
+							</mediaobject>
+						</screenshot>
+					</para>
+				</listitem>
+				<listitem>
+					<para>
+						Open the value editor.
+					</para>
+				</listitem>
+			</itemizedlist>
+		</simplesect>
+	
+		<simplesect id="gettingstarted_working_error_annotations">
+			<title>Error annotations</title>
+			<para>
+				Syntax errors are displayed using error annotations. 
+				In the ruler the error icon 
+				<guiicon>
+					<inlinemediaobject>
+						<imageobject>
+							<imagedata contentdepth="1em"
+								fileref="icons/error.gif" format="GIF" />
+						</imageobject>
+					</inlinemediaobject>
+				</guiicon>
+				is displayed.
+				Additional the erroneous content is red squiggled.
+			</para>
+			<para>
+				Note: The support for error annotations is still in development and has to be improved.
+				The displayed messages are not very useful at the moment.
+			</para>
+		</simplesect>
+		
+		<simplesect id="gettingstarted_working_formatting">
+			<title>Formatting</title>
+			<para>
+				To format the document or the selected record according the 
+				<link linkend="gettingstarted_preferences">
+					LDIF Editor preferences
+				</link>
+				choose <emphasis role="strong">Format</emphasis> from context menu.
+			</para>
+		</simplesect>
+		
+		<simplesect id="gettingstarted_working_folding">
+			<title>Folding</title>
+			<para>
+				Multi-lined comments, records and multi-lined values could be folded. 
+				There is a <emphasis role="strong">(+)</emphasis> and 
+				<emphasis role="strong">(-)</emphasis> in the left ruler to collapse 
+				and expand these. By default multi-lined comments and multi-lined
+				values are folded. This behaviour could be changed in 
+				<link linkend="gettingstarted_preferences">
+					LDIF Editor preferences
+				</link>.
+			</para>
+		</simplesect>
+		
+		<simplesect id="tools_ldif_editor_line_numbers">
+			<title>Line numbers</title>
+			<para>
+				To show/hide line numbers toggle the 
+				<emphasis role="strong">Show Line Number</emphasis> 
+				in the context menu of the left ruler.
+			</para>
+		</simplesect>		  
+	</section>
+	
+	<section id="gettingstarted_outline">
+		<title>Outline</title>
+		<para>
+			The Outline view shows the distinguished names of all the records 
+			in the LDIF file, the icon indicates the record type.
+			The following icons are used:
+		</para>
+		<informaltable frame="all">
+			<tgroup cols="2">
+				<colspec colname="Icon" align="center" colwidth="1*" />
+				<colspec colname="Description" colwidth="2*" />
+				<thead>
+					<row>
+						<entry>Icon</entry>
+						<entry>Description</entry>
+					</row>
+				</thead>
+				<tbody>
+					<row>
+						<entry>
+							<guiicon>
+								<inlinemediaobject>
+									<imageobject>
+										<imagedata contentdepth="1em"
+											fileref="icons/entry_default.gif" format="GIF" />
+									</imageobject>
+								</inlinemediaobject>
+							</guiicon>
+						</entry>
+						<entry>Content record</entry>
+					</row>
+					<row>
+						<entry>
+							<guiicon>
+								<inlinemediaobject>
+									<imageobject>
+										<imagedata contentdepth="1em"
+											fileref="icons/ldif_add.gif" format="GIF" />
+									</imageobject>
+								</inlinemediaobject>
+							</guiicon>
+						</entry>
+						<entry>Add record</entry>
+					</row>
+					<row>
+						<entry>
+							<guiicon>
+								<inlinemediaobject>
+									<imageobject>
+										<imagedata contentdepth="1em"
+											fileref="icons/ldif_modify.gif" format="GIF" />
+									</imageobject>
+								</inlinemediaobject>
+							</guiicon>
+						</entry>
+						<entry>Modify record</entry>
+					</row>
+					<row>
+						<entry>
+							<guiicon>
+								<inlinemediaobject>
+									<imageobject>
+										<imagedata contentdepth="1em"
+											fileref="icons/ldif_delete.gif" format="GIF" />
+									</imageobject>
+								</inlinemediaobject>
+							</guiicon>
+						</entry>
+						<entry>Delete record</entry>
+					</row>
+					<row>
+						<entry>
+							<guiicon>
+								<inlinemediaobject>
+									<imageobject>
+										<imagedata contentdepth="1em"
+											fileref="icons/ldif_rename.gif" format="GIF" />
+									</imageobject>
+								</inlinemediaobject>
+							</guiicon>
+						</entry>
+						<entry>Moddn/Modrdn record</entry>
+					</row>
+				</tbody>
+			</tgroup>
+		</informaltable>
+		<para>
+			When expanding the DNs the detail of a record are shown:
+		</para>
+		<informaltable frame="all">
+			<tgroup cols="2">
+				<colspec colname="Icon" align="center" colwidth="1*" />
+				<colspec colname="Description" colwidth="2*" />
+				<thead>
+					<row>
+						<entry>Icon</entry>
+						<entry>Description</entry>
+					</row>
+				</thead>
+				<tbody>
+					<row>
+						<entry>
+							<guiicon>
+								<inlinemediaobject>
+									<imageobject>
+										<imagedata contentdepth="1em"
+											fileref="icons/ldif_attribute.gif" format="GIF" />
+									</imageobject>
+								</inlinemediaobject>
+							</guiicon>
+						</entry>
+						<entry>Attribute</entry>
+					</row>
+					<row>
+						<entry>
+							<guiicon>
+								<inlinemediaobject>
+									<imageobject>
+										<imagedata contentdepth="1em"
+											fileref="icons/ldif_value.gif" format="GIF" />
+									</imageobject>
+								</inlinemediaobject>
+							</guiicon>
+						</entry>
+						<entry>Value</entry>
+					</row>
+					<row>
+						<entry>
+							<guiicon>
+								<inlinemediaobject>
+									<imageobject>
+										<imagedata contentdepth="1em"
+											fileref="icons/ldif_mod_add.gif" format="GIF" />
+									</imageobject>
+								</inlinemediaobject>
+							</guiicon>
+						</entry>
+						<entry>Changetype add</entry>
+					</row>
+					<row>
+						<entry>
+							<guiicon>
+								<inlinemediaobject>
+									<imageobject>
+										<imagedata contentdepth="1em"
+											fileref="icons/ldif_mod_replace.gif" format="GIF" />
+									</imageobject>
+								</inlinemediaobject>
+							</guiicon>
+						</entry>
+						<entry>Changetype modify</entry>
+					</row>
+					<row>
+						<entry>
+							<guiicon>
+								<inlinemediaobject>
+									<imageobject>
+										<imagedata contentdepth="1em"
+											fileref="icons/ldif_mod_delete.gif" format="GIF" />
+									</imageobject>
+								</inlinemediaobject>
+							</guiicon>
+						</entry>
+						<entry>Changetype delete</entry>
+					</row>
+				</tbody>
+			</tgroup>
+		</informaltable>
+		<para>
+			When selecting an element in the Outline view the corresponding 
+			element is selected in LDIF editor.
+		</para>
+	</section>
+		  
+	<section id="gettingstarted_preferences">
+		<title>LDIF Editor preferences</title>
+		<para>
+			On the LDIF Editor preference pages you can configure the LDIF editor.
+		</para>
+
+		<simplesect id="gettingstarted_preferences_main">
+			<title>LDIF Editor</title>
+			<para>On the LDIF Editor main preference page you can configure 
+				common settings.</para>
+			<para>
+				<screenshot>
+					<mediaobject>
+						<imageobject>
+							<imagedata scale="50"
+								fileref="images/tools_preferences_ldif_editor.png"
+								format="PNG" />
+						</imageobject>
+					</mediaobject>
+				</screenshot>
+			</para>
+			<para>
+				<informaltable frame="all">
+					<tgroup cols="3">
+						<colspec colname="Option" colwidth="1*" />
+						<colspec colname="Description" colwidth="2*" />
+						<colspec colname="Default" colwidth="1*" />
+						<thead>
+							<row>
+								<entry>Option</entry>
+								<entry>Description</entry>
+								<entry>Default</entry>
+							</row>
+						</thead>
+						<tbody>
+							<row>
+								<entry>
+									Text Editors
+								</entry>
+								<entry>
+									Opens the general text editor preferences.
+								</entry>
+								<entry>-</entry>
+							</row>
+							<row>
+								<entry>
+									Text Formats
+								</entry>
+								<entry>
+									Opens the LDIF text format preferences.
+								</entry>
+								<entry>-</entry>
+							</row>
+							<row>
+								<entry>
+									Enable Folding
+								</entry>
+								<entry>
+									Enables folding for multi-lined comments,
+									mulit-lined values and records.
+								</entry>
+								<entry>on</entry>
+							</row>
+							<row>
+								<entry>
+									Initially fold: Comments
+								</entry>
+								<entry>
+									Folds multi-lined comments when opening
+									the LDIF editor.
+								</entry>
+								<entry>on</entry>
+							</row>
+							<row>
+								<entry>
+									Initially fold: Records
+								</entry>
+								<entry>
+									Folds records when opening the LDIF editor.
+								</entry>
+								<entry>off</entry>
+							</row>
+							<row>
+								<entry>
+									Initially fold: Wrapped lines
+								</entry>
+								<entry>
+									Folds multi-lined values when opening
+									the LDIF editor.
+								</entry>
+								<entry>on</entry>
+							</row>
+							<row>
+								<entry>
+									Select whole attribute or value on double click
+								</entry>
+								<entry>
+									If checked the whole attribute description or value
+									is selected on double click.
+								</entry>
+								<entry>on</entry>
+							</row>
+						</tbody>
+					</tgroup>
+				</informaltable>
+			</para>
+		</simplesect>
+
+		<simplesect id="gettingstarted_preferences_content_assistent">
+			<title>Content Assistant</title>
+			<para>On the Content Assistant preference page you can configure 
+				content assistent settings.</para>
+			<para>
+				<screenshot>
+					<mediaobject>
+						<imageobject>
+							<imagedata scale="50"
+								fileref="images/tools_preferences_ldif_editor_content_assistant.png"
+								format="PNG" />
+						</imageobject>
+					</mediaobject>
+				</screenshot>
+			</para>
+			<para>
+				<informaltable frame="all">
+					<tgroup cols="3">
+						<colspec colname="Option" colwidth="1*" />
+						<colspec colname="Description" colwidth="2*" />
+						<colspec colname="Default" colwidth="1*" />
+						<thead>
+							<row>
+								<entry>Option</entry>
+								<entry>Description</entry>
+								<entry>Default</entry>
+							</row>
+						</thead>
+						<tbody>
+							<row>
+								<entry>
+									Insert single proposal automatically
+								</entry>
+								<entry>
+									If checked single proposals are inserted 
+									automatically when invoking Strg+Space.
+								</entry>
+								<entry>on</entry>
+							</row>
+							<row>
+								<entry>
+									Enable auto activation
+								</entry>
+								<entry>
+									If checked the content assistant is activated
+									after you pause typing for the defined period.
+								</entry>
+								<entry>on and 200ms</entry>
+							</row>
+							<row>
+								<entry>
+									Smart insert attribute name in modification items
+								</entry>
+								<entry>
+									If checked attribute names are inserted in 
+									modification items when a new line is started.
+								</entry>
+								<entry>on</entry>
+							</row>
+						</tbody>
+					</tgroup>
+				</informaltable>
+			</para>
+		</simplesect>
+		
+		<simplesect id="gettingstarted_preferences_syntax_coloring">
+			<title>Syntax Coloring</title>
+			<para>On the Syntax Coloring preference page you can configure 
+				fonts and colors.</para>
+			<para>
+				<screenshot>
+					<mediaobject>
+						<imageobject>
+							<imagedata scale="50"
+								fileref="images/tools_preferences_ldif_editor_syntax_coloring.png"
+								format="PNG" />
+						</imageobject>
+					</mediaobject>
+				</screenshot>
+			</para>
+			<para>
+				To modify color and font options select a element from the list. The color could be 
+				changed by invoking the color button. The font options could be changed by 
+				toggeling the Bold, Italic, Strikethrough and Underline check boxes.
+			</para>
+			<para>
+				Changes are immediately displayed in the preview.
+			</para>
+		</simplesect>
+		
+	</section>
+	
+	
+	
+	
+</chapter>

Added: directory/studio/trunk/studio-ldifeditor-help/src/main/resources/3_tasks.xml
URL: http://svn.apache.org/viewvc/directory/studio/trunk/studio-ldifeditor-help/src/main/resources/3_tasks.xml?rev=574057&view=auto
==============================================================================
--- directory/studio/trunk/studio-ldifeditor-help/src/main/resources/3_tasks.xml (added)
+++ directory/studio/trunk/studio-ldifeditor-help/src/main/resources/3_tasks.xml Sun Sep  9 12:52:02 2007
@@ -0,0 +1,24 @@
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements.  See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership.  The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License.  You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied.  See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+<chapter id="tasks">
+	<title>Tasks</title>
+	<para>
+	   TODO...
+	</para>
+</chapter>

Added: directory/studio/trunk/studio-ldifeditor-help/src/main/resources/4_reference.xml
URL: http://svn.apache.org/viewvc/directory/studio/trunk/studio-ldifeditor-help/src/main/resources/4_reference.xml?rev=574057&view=auto
==============================================================================
--- directory/studio/trunk/studio-ldifeditor-help/src/main/resources/4_reference.xml (added)
+++ directory/studio/trunk/studio-ldifeditor-help/src/main/resources/4_reference.xml Sun Sep  9 12:52:02 2007
@@ -0,0 +1,31 @@
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements.  See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership.  The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License.  You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied.  See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+<chapter id="reference">
+	<title>Reference</title>
+	<simplesect id="reference_rfcs">
+		<title>RFCs</title>
+		<simplelist>
+			<member>
+				<ulink url="rfc/rfc2849.txt">
+					RFC 2849: The LDAP Data Interchange Format (LDIF) - Technical Specification
+				</ulink>
+			</member>			
+		</simplelist>
+	</simplesect>
+</chapter>

Added: directory/studio/trunk/studio-ldifeditor-help/src/main/resources/5_tipsntricks.xml
URL: http://svn.apache.org/viewvc/directory/studio/trunk/studio-ldifeditor-help/src/main/resources/5_tipsntricks.xml?rev=574057&view=auto
==============================================================================
--- directory/studio/trunk/studio-ldifeditor-help/src/main/resources/5_tipsntricks.xml (added)
+++ directory/studio/trunk/studio-ldifeditor-help/src/main/resources/5_tipsntricks.xml Sun Sep  9 12:52:02 2007
@@ -0,0 +1,24 @@
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements.  See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership.  The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License.  You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied.  See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+<chapter id="tipsandtricks">
+	<title>Tips and tricks</title>
+	<para>
+	   TODO...
+	</para>
+</chapter>
\ No newline at end of file

Added: directory/studio/trunk/studio-ldifeditor-help/src/main/resources/6_whatsnew.xml
URL: http://svn.apache.org/viewvc/directory/studio/trunk/studio-ldifeditor-help/src/main/resources/6_whatsnew.xml?rev=574057&view=auto
==============================================================================
--- directory/studio/trunk/studio-ldifeditor-help/src/main/resources/6_whatsnew.xml (added)
+++ directory/studio/trunk/studio-ldifeditor-help/src/main/resources/6_whatsnew.xml Sun Sep  9 12:52:02 2007
@@ -0,0 +1,28 @@
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements.  See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership.  The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License.  You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied.  See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+<chapter id="whatsnew">
+	<title>Release Notes</title>
+	<simplesect id="whatsnew_1.0.0">
+		<title>Version 1.0.0</title>
+		<para>
+			Initial release.
+		</para>
+	</simplesect>
+	
+</chapter>
\ No newline at end of file



Mime
View raw message