directory-commits mailing list archives

From build...@apache.org
Subject svn commit: r844147 - in /websites/staging/directory/trunk/content: ./ apacheds/advanced-ug/2-server-config.html
Date Fri, 28 Dec 2012 17:35:01 GMT
Author: buildbot
Date: Fri Dec 28 17:35:01 2012
New Revision: 844147

Log:
Staging update by buildbot for directory

Modified:
    websites/staging/directory/trunk/content/   (props changed)
    websites/staging/directory/trunk/content/apacheds/advanced-ug/2-server-config.html

Propchange: websites/staging/directory/trunk/content/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Fri Dec 28 17:35:01 2012
@@ -1 +1 @@
-1426453
+1426588

Modified: websites/staging/directory/trunk/content/apacheds/advanced-ug/2-server-config.html
==============================================================================
--- websites/staging/directory/trunk/content/apacheds/advanced-ug/2-server-config.html (original)
+++ websites/staging/directory/trunk/content/apacheds/advanced-ug/2-server-config.html Fri
Dec 28 17:35:01 2012
@@ -403,8 +403,189 @@ Note that bold attributes are mandatory
 <li>simpleAuthenticator : handle simple authentication, based on a password</li>
 <li>strongAuthenticator : handle SASL authentication.</li>
 </ul>
-<p>One can add a new <em>Authenticator</em>, </p>
+<p>One can add a new <em>Authenticator</em>, if needed. It's just a matter
of creating a new entry under the <em>ou=authenticators,ads-interceptorId=authenticationInterceptor,ou=interceptors</em>
entry, containing the two following elements :</p>
+<table>
+<thead>
+<tr>
+<th>AttributeType</th>
+<th>type</th>
+<th>default value</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td><strong>ads-authenticatorId</strong></td>
+<td><em>String</em></td>
+<td>N/A</td>
+<td>The unique identifier for this Authenticator</td>
+</tr>
+<tr>
+<td>ads-enabled</td>
+<td><em>boolean</em></td>
+<td>false</td>
+<td>Tells if the Partition is enabled</td>
+</tr>
+<tr>
+<td>description</td>
+<td><em>String</em></td>
+<td>N/A</td>
+<td>A short optional description</td>
+</tr>
+<tr>
+<td><strong>ads-authenticatorClass</strong></td>
+<td><em>String</em></td>
+<td>N/A</td>
+<td>The FQCN for the class implementing the AUthenticator</td>
+</tr>
+</tbody>
+</table>
 <h3 id="password-policies">Password Policies</h3>
+<p>There are many possible configurable options for the <em>PasswordPolicy</em>
system. Here is a list of all the possible elements :</p>
+<table>
+<thead>
+<tr>
+<th>AttributeType</th>
+<th>type</th>
+<th>default value</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td><strong>ads-pwdId</strong></td>
+<td><em>String</em></td>
+<td>N/A</td>
+<td>The unique ID of the <em>PasswordPolicy</em> system</td>
+</tr>
+<tr>
+<td><strong>ads-pwdAttribute</strong></td>
+<td><em>String</em></td>
+<td>userPassword</td>
+<td>The name of the attribute to which the password policy is applied</td>
+</tr>
+<tr>
+<td>ads-pwdMinAge</td>
+<td><em>int</em></td>
+<td>0</td>
+<td>Holds the number of seconds that must elapse between modifications to the password</td>
+</tr>
+<tr>
+<td>ads-pwdMaxAge</td>
+<td><em>int</em></td>
+<td>0</td>
+<td>Holds the number of seconds after which a modified password will expire. If 0,
never expires</td>
+</tr>
+<tr>
+<td>ads-pwdInHistory</td>
+<td><em>boolean</em></td>
+<td>0</td>
+<td>Specifies the maximum number of used passwords stored in the pwdHistory attribute
(0 means no storage)</td>
+</tr>
+<tr>
+<td>ads-pwdCheckQuality</td>
+<td><em>boolean</em></td>
+<td>0</td>
+<td>Indicates how the password quality will be verified while being modified or added
(0 means no check)</td>
+</tr>
+<tr>
+<td>ads-pwdMinLength</td>
+<td><em>int</em></td>
+<td>0</td>
+<td>The minimum number of characters that must be used in a password (0 means no limit)</td>
+</tr>
+<tr>
+<td>ads-pwdMaxLength</td>
+<td><em>int</em></td>
+<td>0</td>
+<td>The maximum number of characters that may be used in a password (0 means no limit)</td>
+</tr>
+<tr>
+<td>ads-pwdExpireWarning</td>
+<td><em>boolean</em></td>
+<td>0</td>
+<td>The maximum number of seconds before a password is due to expire, and that expiration
warning messages will be returned to an authenticating user (0 means no message wil be sent
to user)</td>
+</tr>
+<tr>
+<td>ads-pwdGraceAuthNLimit</td>
+<td><em>int</em></td>
+<td>0</td>
+<td>The number of times an expired password can be used to authenticate (0 means do
not allow a expired password for authentication)</td>
+</tr>
+<tr>
+<td>ads-pwdGraceExpire</td>
+<td><em>boolean</em></td>
+<td>0</td>
+<td>Specifies the number of seconds the grace authentications are valid  (0 means no
limit)</td>
+</tr>
+<tr>
+<td>ads-pwdLockout</td>
+<td><em>boolean</em></td>
+<td>false</td>
+<td>Flag to indicate if the account needs to be locked after a specified number of</td>
+</tr>
+<tr>
+<td>consecutive failed bind attempts. The maximum number of consecutive failed bind
attempts is specified in ads-pwdMaxFailure</td>
+<td></td>
+<td></td>
+<td></td>
+</tr>
+<tr>
+<td>ads-pwdLockoutDuration</td>
+<td><em>int</em></td>
+<td>300</td>
+<td>The number of seconds that the password cannot be used to authenticate due to too
many failed bind attempts</td>
+</tr>
+<tr>
+<td>ads-pwdMaxFailure</td>
+<td><em>int</em></td>
+<td>0</td>
+<td>The number of consecutive failed bind attempts after which the password may not
be used to authenticate (0 means no limit)</td>
+</tr>
+<tr>
+<td>ads-pwdFailureCountInterval</td>
+<td><em>int</em></td>
+<td>0</td>
+<td>The number of seconds after which the password failures are purged from the failure
counter (0 means reset all the pwdFailureTimes after a successful authentication)</td>
+</tr>
+<tr>
+<td>ads-pwdMustChange</td>
+<td><em>boolean</em></td>
+<td>false</td>
+<td>Flag to indicate if the password must be changed by the user after they bind to
the directory after a password is set or reset by a password administrator</td>
+</tr>
+<tr>
+<td>ads-pwdAllowUserChange</td>
+<td><em>boolean</em></td>
+<td>true</td>
+<td>Indicates whether users can change their own passwords</td>
+</tr>
+<tr>
+<td>ads-pwdSafeModify</td>
+<td><em>boolean</em></td>
+<td>false</td>
+<td>Flag to specify whether or not the existing password must be sent along with the
new password when being changed</td>
+</tr>
+<tr>
+<td>ads-pwdMinDelay</td>
+<td><em>int</em></td>
+<td>0</td>
+<td>The number of seconds to delay responding to the first failed authentication attempt
(0 means no delay)</td>
+</tr>
+<tr>
+<td>ads-pwdMaxDelay</td>
+<td><em>int</em></td>
+<td>0</td>
+<td>The maximum number of seconds to delay when responding to a failed authentication
attempt (no delay) 0 means</td>
+</tr>
+<tr>
+<td>ads-pwdMaxIdle</td>
+<td><em>int</em></td>
+<td>0</td>
+<td>The number of seconds an account may remain unused before it becomes locked (0
means infinite)</td>
+</tr>
+</tbody>
+</table>
 <h3 id="partitions">Partitions</h3>
 <p>The <em>Partition</em> is the part of the server storing your data.
There are many parts that need to be configured in order to obtain the best performances out
of the server. It's also the part of the configuraton you are the more likely to modify, adding
new <em>Partitions</em> or adding new <em>Indexes</em>.</p>
 <p>A <em>Partition</em> have the following configurable elements :</p>
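Review bot: in the Password Policies table the ads-pwdLockout row is split across two `<tr>` elements (the description continues in a second row whose remaining three cells are empty), so the rendered table shows a dangling row; merge the fragment `consecutive failed bind attempts. The maximum number of consecutive failed bind attempts is specified in ads-pwdMaxFailure` into the single description `<td>` of the ads-pwdLockout row. In the same table the type column contradicts the descriptions for ads-pwdInHistory, ads-pwdCheckQuality, ads-pwdExpireWarning and ads-pwdGraceExpire, which are declared `boolean` but documented as counts or seconds with a default of 0 (int, like the neighbouring rows), and the ads-pwdMaxDelay description reads `attempt (no delay) 0 means` where `attempt (0 means no delay)` is intended. In the Authenticator table, the ads-enabled description `Tells if the Partition is enabled` was copied from the Partition section and should refer to the Authenticator, and `AUthenticator` in the ads-authenticatorClass row and `wil be sent` in ads-pwdExpireWarning are typos. Since the defaults shown here leave lockout, quality checking, minimum length and history all off, one sentence stating that a policy entry is permissive until those attributes are set would help an administrator reading this page.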
@@ -641,6 +822,18 @@ Note that bold attributes are mandatory
 </thead>
 <tbody>
 <tr>
+<td>ads-enabled</td>
+<td><em>boolean</em></td>
+<td>true</td>
+<td>Tells if the LdapServer system is enabled</td>
+</tr>
+<tr>
+<td>description</td>
+<td><em>String</em></td>
+<td>N/A</td>
+<td>A short optional description</td>
+</tr>
+<tr>
 <td><strong>ads-confidentialityRequired</strong></td>
 <td><em>boolean</em></td>
 <td>false</td>
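Review bot: the new ads-enabled row gives a default of `true` for the LdapServer, while the Authenticator table added earlier in this same change documents ads-enabled defaulting to `false`; confirm both against the schema, since the row is otherwise identical and a reader copying it between sections will carry the wrong default. The description `Tells if the LdapServer system is enabled` could drop `system` to match the Authenticator and KerberosServer wording.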
@@ -840,6 +1033,50 @@ Note that bold attributes are mandatory
 </tbody>
 </table>
 <h3 id="extended-op-handlers">Extended Op Handlers</h3>
+<p>An LDAP server can handle <em>ExtendedOperations</em>, assuming it has
the code to do so. In <strong>ApacheDS</strong>, we do that by associating a <em>Java</em>
class with each <em>ExtendedOperation</em>. We may provide more <em>ExtendedOperations</em>
in the future. The list of supported <em>ExtendedOperations</em> is given below
:</p>
+<ul>
+<li>CertGenerationRequest : Generate a certificate on demand</li>
+<li>GracefulShutdownRequest : Requires the server to shutdown gracefully</li>
+<li>StartTLSExtendedOperation : Process the StartTLS request</li>
+<li>StoredProcedureExtendedOperation : Execute a Stored procedure</li>
+</ul>
+<p>Adding a new <em>ExntedeOperatonHandler</em> is just a matter of adding
a new entry under the <em>ou=extendedOpHandlers</em> entry, with the given elements
:</p>
+<table>
+<thead>
+<tr>
+<th>AttributeType</th>
+<th>type</th>
+<th>default value</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>ads-enabled</td>
+<td><em>boolean</em></td>
+<td>true</td>
+<td>Tells if the ExtendedOpHandler system is enabled</td>
+</tr>
+<tr>
+<td>description</td>
+<td><em>String</em></td>
+<td>N/A</td>
+<td>A short optional description</td>
+</tr>
+<tr>
+<td><strong>ads-extendedOpId</strong></td>
+<td><em>String</em></td>
+<td>N/A</td>
+<td>The ExtendedOpHandler unique identifier</td>
+</tr>
+<tr>
+<td><strong>ads-extendedOpHandlerClass</strong></td>
+<td><em>String</em></td>
+<td>N/A</td>
+<td>The class FQCN that implements the handler</td>
+</tr>
+</tbody>
+</table>
 <h3 id="sasl-mechanisms">SASL Mechanisms</h3>
 <p>We have various SASL mechanisms, which can be configured. the list of supported
SASL mechanisms is :</p>
 <ul>
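Review bot: `<em>ExntedeOperatonHandler</em>` in the paragraph introducing the table is a typo for `ExtendedOperationHandler`. The list of supported operations mixes naming styles (`CertGenerationRequest` and `GracefulShutdownRequest` versus `StartTLSExtendedOperation` and `StoredProcedureExtendedOperation`); using one form for all four, or adding the request OID each handler answers, would let a reader match an entry under `ou=extendedOpHandlers` to what a client actually sends. `Requires the server to shutdown gracefully` should read `Requests the server to shut down gracefully`.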
@@ -894,7 +1131,111 @@ Note that bold attributes are mandatory
 </tbody>
 </table>
 <h3 id="kerberos-server">Kerberos Server</h3>
-<p>To be added...</p>
+<p>The <em>KerberosServer</em> configuration is an important part of the
configuration. It deoends on a <em>DirectoryService</em> too, as most of the informations
managed by a <em>KerberosServer</em> are store there.</p>
+<p>The list of attributes that can be modified is exposed in the following table. </p>
+<table>
+<thead>
+<tr>
+<th>AttributeType</th>
+<th>type</th>
+<th>default value</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>ads-enabled</td>
+<td><em>boolean</em></td>
+<td>true</td>
+<td>Tells if the KerberosServer is enabled</td>
+</tr>
+<tr>
+<td>description</td>
+<td><em>String</em></td>
+<td>N/A</td>
+<td>A short optional description</td>
+</tr>
+<tr>
+<td>ads-krbAllowableClockSkew</td>
+<td><em>int</em></td>
+<td>300000</td>
+<td>The allowable clock skew in milliseconds (5 minutes)</td>
+</tr>
+<tr>
+<td>ads-krbEncryptionTypes</td>
+<td><em>List<String></em></td>
+<td></td>
+<td>The encryption types</td>
+</tr>
+<tr>
+<td>ads-krbEmptyAddressesAllowed</td>
+<td><em>boolean</em></td>
+<td>true</td>
+<td>Whether empty addresses are allowed</td>
+</tr>
+<tr>
+<td>ads-krbForwardableAllowed</td>
+<td><em>boolean</em></td>
+<td>true</td>
+<td>Whether forwardable addresses are allowed</td>
+</tr>
+<tr>
+<td>ads-krbPaEncTimestampRequired</td>
+<td><em>boolean</em></td>
+<td>true</td>
+<td>Whether pre-authentication by encrypted timestamp is required</td>
+</tr>
+<tr>
+<td>ads-krbPostdatedAllowed</td>
+<td><em>boolean</em></td>
+<td>true</td>
+<td>Whether postdated tickets are allowed</td>
+</tr>
+<tr>
+<td>ads-krbProxiableAllowed</td>
+<td><em>boolean</em></td>
+<td>true</td>
+<td>Whether proxiable addresses are allowed</td>
+</tr>
+<tr>
+<td>ads-krbRenewableAllowed</td>
+<td><em>boolean</em></td>
+<td>true</td>
+<td>Whether renewable tickets are allowed</td>
+</tr>
+<tr>
+<td>ads-krbKdcPrincipal</td>
+<td><em>String</em></td>
+<td>krbtgt/EXAMPLE.COM@EXAMPLE.COM</td>
+<td>The service principal name</td>
+</tr>
+<tr>
+<td>ads-krbMaximumRenewableLifetime</td>
+<td><em>long</em></td>
+<td>1000 * 60 * 60 * 24 * 7</td>
+<td>The maximum renewable lifetime in millisconds (7 days)</td>
+</tr>
+<tr>
+<td>ads-krbMaximumTicketLifetime</td>
+<td><em>long</em></td>
+<td>1000 * 60 * 60 * 24</td>
+<td>he maximum ticket lifetime in milliseconds (24 h)</td>
+</tr>
+<tr>
+<td>ads-krbPrimaryRealm</td>
+<td><em>String</em></td>
+<td>EXAMPLE.COM</td>
+<td>The primary realm</td>
+</tr>
+<tr>
+<td>ads-krbBodyChecksumVerified</td>
+<td><em>boolean</em></td>
+<td>true</td>
+<td>Whether to verify the body checksum</td>
+</tr>
+</tbody>
+</table>
+<p>Of course, a <em>Transport</em> has to be defined under the <em>KerberosServer</em>
entry (see <a href="[">Transports</a>#transports)).</p>
 <h3 id="http-server">Http Server</h3>
 <p>To be added...</p>
 <h3 id="http-web-apps">Http Web Apps</h3>
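Review bot: the type cell `<em>List<String></em>` for ads-krbEncryptionTypes contains an unescaped `<String>`, which a browser parses as a tag and drops; write it as `List&lt;String&gt;`. The closing link `<a href="[">Transports</a>#transports))` is a markdown link that did not convert and renders literally; it should be an anchor to `#transports`. The default-value cells for ads-krbMaximumRenewableLifetime and ads-krbMaximumTicketLifetime hold Java expressions (`1000 * 60 * 60 * 24 * 7`, `1000 * 60 * 60 * 24`) rather than the numbers an administrator would put in the entry (604800000 and 86400000 milliseconds). The ads-krbForwardableAllowed and ads-krbProxiableAllowed descriptions say `addresses` where these flags govern tickets, as the ads-krbPostdatedAllowed and ads-krbRenewableAllowed rows already phrase it. Because ads-krbEmptyAddressesAllowed and ads-krbPaEncTimestampRequired directly control how strictly the KDC validates requests, a sentence on the effect of changing each from its default would help operators. Typos: `deoends`, `informations`, `are store there`, `millisconds`, `he maximum`.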


