directory-commits mailing list archives

From: build...@apache.org
Subject: svn commit: r866770 [3/9] - in /websites/staging/directory/trunk/content: ./ apacheds/ apacheds/advanced-ug/ apacheds/basic-ug/ apacheds/configuration/ apacheds/kerberos-ug/ api/ api/gen-docs/ api/gen-docs/latest/ api/groovy-api/ api/user-guide/ studio/
Date: Fri, 21 Jun 2013 10:04:40 GMT
Modified: websites/staging/directory/trunk/content/apacheds/basic-ug/2.1.1-adding-entries.html
==============================================================================
--- websites/staging/directory/trunk/content/apacheds/basic-ug/2.1.1-adding-entries.html (original)
+++ websites/staging/directory/trunk/content/apacheds/basic-ug/2.1.1-adding-entries.html Fri Jun 21 10:04:38 2013
@@ -140,42 +140,42 @@
 <h1 id="211-adding-entries">2.1.1 - Adding Entries</h1>
 <p>We will see how to add new entries into the server. Assuming that we have already created a partition (see <a href="1.4.3-adding-partition.html">Adding a partition</a>), we will use this added partition as a root for the entry addition. We will also create the <em>ou=people</em> entry.</p>
 <p>We try to add a new user to the "Seven Seas" partition. The data for the entry is inspired by "Peter Pan" and provided by this LDIF file (<a href="resources/captain-hook-hierarchy.ldif">Captain hook</a>): </p>
-<div class="codehilite"><pre><span class="c1"># File captain_hook.ldif</span>
-<span class="n">dn:</span> <span class="n">ou</span><span class="o">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">sevenSeas</span>
-<span class="n">objectclass:</span> <span class="n">organizationalUnit</span>
-<span class="n">objectclass:</span> <span class="n">top</span>
-<span class="n">ou:</span> <span class="n">people</span>
-
-<span class="n">dn:</span> <span class="n">cn</span><span class="o">=</span><span class="n">James</span> <span class="n">Hook</span><span class="p">,</span><span class="n">ou</span><span class="o">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">sevenSeas</span>
-<span class="n">objectclass:</span> <span class="n">inetOrgPerson</span>
-<span class="n">objectclass:</span> <span class="n">organizationalPerson</span>
-<span class="n">objectclass:</span> <span class="n">person</span>
-<span class="n">objectclass:</span> <span class="n">top</span>
-<span class="n">cn:</span> <span class="n">James</span> <span class="n">Hook</span>
-<span class="n">description:</span> <span class="n">A</span> <span class="n">pirate</span> <span class="n">captain</span> <span class="ow">and</span> <span class="n">Peter</span> <span class="n">Pan</span><span class="err">&#39;</span><span class="n">s</span> <span class="n">nemesis</span>
-<span class="n">sn:</span> <span class="n">Hook</span>
-<span class="n">mail:</span> <span class="n">jhook</span><span class="nv">@neverland</span>
-<span class="n">userpassword:</span> <span class="n">peterPan</span>
+<div class="codehilite"><pre><span class="c"># File captain_hook.ldif</span>
+<span class="n">dn</span><span class="p">:</span> <span class="n">ou</span><span class="p">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="p">=</span><span class="n">sevenSeas</span>
+<span class="n">objectclass</span><span class="p">:</span> <span class="n">organizationalUnit</span>
+<span class="n">objectclass</span><span class="p">:</span> <span class="n">top</span>
+<span class="n">ou</span><span class="p">:</span> <span class="n">people</span>
+
+<span class="n">dn</span><span class="p">:</span> <span class="n">cn</span><span class="p">=</span><span class="n">James</span> <span class="n">Hook</span><span class="p">,</span><span class="n">ou</span><span class="p">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="p">=</span><span class="n">sevenSeas</span>
+<span class="n">objectclass</span><span class="p">:</span> <span class="n">inetOrgPerson</span>
+<span class="n">objectclass</span><span class="p">:</span> <span class="n">organizationalPerson</span>
+<span class="n">objectclass</span><span class="p">:</span> <span class="n">person</span>
+<span class="n">objectclass</span><span class="p">:</span> <span class="n">top</span>
+<span class="n">cn</span><span class="p">:</span> <span class="n">James</span> <span class="n">Hook</span>
+<span class="n">description</span><span class="p">:</span> <span class="n">A</span> <span class="n">pirate</span> <span class="n">captain</span> <span class="nb">and</span> <span class="n">Peter</span> <span class="n">Pan</span><span class="o">&#39;</span><span class="n">s</span> <span class="n">nemesis</span>
+<span class="n">sn</span><span class="p">:</span> <span class="n">Hook</span>
+<span class="n">mail</span><span class="p">:</span> <span class="n">jhook</span><span class="p">@</span><span class="n">neverland</span>
+<span class="n">userpassword</span><span class="p">:</span> <span class="n">peterPan</span>
 </pre></div>
 
 
 <p>The first entry creates the <em>ou=people</em> container, which is necessary otherwise we can't inject the second entry.</p>
 <h2 id="using-the-command-line">Using the command line</h2>
 <p>You have to use an authorized user to inject the entry, here, <em>cn=Horatio Nelson,ou=people,o=sevenSeas</em> :</p>
-<div class="codehilite"><pre><span class="nv">$</span> <span class="nv">ldapmodify</span> <span class="o">-</span><span class="n">h</span> <span class="n">zanzibar</span> <span class="o">-</span><span class="n">p</span> <span class="mi">10389</span> <span class="o">-</span><span class="n">D</span> <span class="s">&quot;cn=Horatio Nelson,ou=people,o=sevenSeas&quot;</span> <span class="o">-</span><span class="n">w</span> <span class="n">pass</span> <span class="o">\\</span>
-    <span class="o">-</span><span class="n">a</span> <span class="o">-</span><span class="n">f</span> <span class="n">captain_hook</span><span class="o">.</span><span class="n">ldif</span>
-<span class="n">adding</span> <span class="k">new</span> <span class="n">entry</span> <span class="n">cn</span><span class="o">=</span><span class="n">James</span> <span class="n">Hook</span><span class="p">,</span><span class="n">ou</span><span class="o">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">sevenSeas</span>
-<span class="nv">$</span>
+<div class="codehilite"><pre>$ <span class="n">ldapmodify</span> <span class="o">-</span><span class="n">h</span> <span class="n">zanzibar</span> <span class="o">-</span><span class="n">p</span> 10389 <span class="o">-</span><span class="n">D</span> &quot;<span class="n">cn</span><span class="p">=</span><span class="n">Horatio</span> <span class="n">Nelson</span><span class="p">,</span><span class="n">ou</span><span class="p">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="p">=</span><span class="n">sevenSeas</span>&quot; <span class="o">-</span><span class="n">w</span> <span class="n">pass</span> <span class="o">\\</span>
+    <span class="o">-</span><span class="n">a</span> <span class="o">-</span><span class="n">f</span> <span class="n">captain_hook</span><span class="p">.</span><span class="n">ldif</span>
+<span class="n">adding</span> <span class="n">new</span> <span class="n">entry</span> <span class="n">cn</span><span class="p">=</span><span class="n">James</span> <span class="n">Hook</span><span class="p">,</span><span class="n">ou</span><span class="p">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="p">=</span><span class="n">sevenSeas</span>
+$
 </pre></div>
 
 
 <p>Afterwards a new entry is successfully created within the "Seven Seas" partition by user "Horatio Nelson". The '+' sign in the attributes list of the <em>ldapsearch</em> command causes ApacheDS to return the operational attributes, which demonstrate this.</p>
-<div class="codehilite"><pre><span class="nv">$</span> <span class="nv">ldapsearch</span> <span class="o">-</span><span class="n">h</span> <span class="n">zanzibar</span> <span class="o">-</span><span class="n">p</span> <span class="mi">10389</span> <span class="o">-</span><span class="n">b</span> <span class="s">&quot;o=sevenSeas&quot;</span> <span class="o">-</span><span class="n">s</span> <span class="k">sub </span><span class="err">&quot;(</span><span class="nf">cn</span><span class="err">=</span><span class="nf">James</span> <span class="nf">Hook</span><span class="err">)&quot;</span> <span class="err">+</span>
-<span class="nf">version</span><span class="err">:</span> <span class="err">1</span>
-<span class="nf">dn</span><span class="err">:</span> <span class="nf">cn</span><span class="err">=</span><span class="nf">James</span> <span class="nf">Hook</span><span class="err">,</span><span class="nf">ou</span><span class="err">=</span><span class="nf">people</span><span class="err">,</span><span class="nf">o</span><span class="err">=</span><span class="nf">sevenSeas</span>
-<span class="nf">accessControlSubentries</span><span class="err">:</span> <span class="nf">cn</span><span class="err">=</span><span class="nf">sevenSeasAuthorizationRequirementsACISubentry</span><span class="err">,</span><span class="nf">o</span><span class="err">=</span><span class="nf">sevenSeas</span>
-<span class="nf">creatorsName</span><span class="err">:</span> <span class="nf">cn</span><span class="err">=</span><span class="nf">Horatio</span> <span class="nf">Nelson</span><span class="err">,</span><span class="nf">ou</span><span class="err">=</span><span class="nf">people</span><span class="err">,</span><span class="nf">o</span><span class="err">=</span><span class="nf">sevenSeas</span>
-<span class="nf">createTimestamp</span><span class="err">:</span> <span class="err">20061203140109</span><span class="nf">Z</span>
+<div class="codehilite"><pre>$ <span class="n">ldapsearch</span> <span class="o">-</span><span class="n">h</span> <span class="n">zanzibar</span> <span class="o">-</span><span class="n">p</span> 10389 <span class="o">-</span><span class="n">b</span> &quot;<span class="n">o</span><span class="p">=</span><span class="n">sevenSeas</span>&quot; <span class="o">-</span><span class="n">s</span> <span class="n">sub</span> &quot;<span class="p">(</span><span class="n">cn</span><span class="p">=</span><span class="n">James</span> <span class="n">Hook</span><span class="p">)</span>&quot; <span class="o">+</span>
+<span class="n">version</span><span class="p">:</span> 1
+<span class="n">dn</span><span class="p">:</span> <span class="n">cn</span><span class="p">=</span><span class="n">James</span> <span class="n">Hook</span><span class="p">,</span><span class="n">ou</span><span class="p">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="p">=</span><span class="n">sevenSeas</span>
+<span class="n">accessControlSubentries</span><span class="p">:</span> <span class="n">cn</span><span class="p">=</span><span class="n">sevenSeasAuthorizationRequirementsACISubentry</span><span class="p">,</span><span class="n">o</span><span class="p">=</span><span class="n">sevenSeas</span>
+<span class="n">creatorsName</span><span class="p">:</span> <span class="n">cn</span><span class="p">=</span><span class="n">Horatio</span> <span class="n">Nelson</span><span class="p">,</span><span class="n">ou</span><span class="p">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="p">=</span><span class="n">sevenSeas</span>
+<span class="n">createTimestamp</span><span class="p">:</span> 20061203140109<span class="n">Z</span>
 </pre></div>
 
 
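Review bot: The `\\` at the end of the `$ ldapmodify ... -w pass \\` line is carried over unchanged from the old markup, so the rendered page shows two backslashes and a pasted command does not continue onto `-a -f captain_hook.ldif`; the source should use a single backslash. The sample output also lists only `adding new entry cn=James Hook,ou=people,o=sevenSeas` although captain_hook.ldif adds `ou=people,o=sevenSeas` first, so show both result lines or state that the container already existed. Since the command binds with `-w pass` and the LDIF carries `userpassword: peterPan`, a sentence saying that both are clear-text sample values would help readers who copy this into a real directory.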
@@ -185,29 +185,29 @@
 <p>Then select the LDIF file containing the entry :</p>
 <p><img alt="LDIF import" src="ldif-import-file-select.png" /></p>
 <p>When imported, the <em>log</em> windows should contain this message :</p>
-<div class="codehilite"><pre><span class="c1">#!RESULT OK</span>
-<span class="c1">#!CONNECTION ldap://localhost:10389</span>
-<span class="c1">#!DATE 2012-10-30T14:36:21.294</span>
-<span class="n">dn:</span> <span class="n">ou</span><span class="o">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">sevenSeas</span>
-<span class="n">changetype:</span> <span class="n">add</span>
-<span class="n">ou:</span> <span class="n">people</span>
-<span class="n">objectclass:</span> <span class="n">organizationalUnit</span>
-<span class="n">objectclass:</span> <span class="n">top</span>
-
-<span class="c1">#! RESULT OK</span>
-<span class="c1">#! CONNECTION ldap://localhost:10389</span>
-<span class="c1">#! DATE 2012-10-30T14:36:21.320</span>
-<span class="n">dn:</span> <span class="n">cn</span><span class="o">=</span><span class="n">James</span> <span class="n">Hook</span><span class="p">,</span><span class="n">ou</span><span class="o">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">sevenSeas</span>
-<span class="n">changetype:</span> <span class="n">add</span>
-<span class="n">mail:</span> <span class="n">jhook</span><span class="nv">@neverland</span>
-<span class="n">userpassword:</span> <span class="n">peterPan</span>
-<span class="n">description:</span> <span class="n">A</span> <span class="n">pirate</span> <span class="n">captain</span> <span class="ow">and</span> <span class="n">Peter</span> <span class="n">Pan</span><span class="err">&#39;</span><span class="n">s</span> <span class="n">nemesis</span>
-<span class="n">objectclass:</span> <span class="n">inetOrgPerson</span>
-<span class="n">objectclass:</span> <span class="n">organizationalPerson</span>
-<span class="n">objectclass:</span> <span class="n">person</span>
-<span class="n">objectclass:</span> <span class="n">top</span>
-<span class="n">sn:</span> <span class="n">Hook</span>
-<span class="n">cn:</span> <span class="n">James</span> <span class="n">Hook</span>
+<div class="codehilite"><pre><span class="c">#!RESULT OK</span>
+<span class="c">#!CONNECTION ldap://localhost:10389</span>
+<span class="c">#!DATE 2012-10-30T14:36:21.294</span>
+<span class="n">dn</span><span class="p">:</span> <span class="n">ou</span><span class="p">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="p">=</span><span class="n">sevenSeas</span>
+<span class="n">changetype</span><span class="p">:</span> <span class="n">add</span>
+<span class="n">ou</span><span class="p">:</span> <span class="n">people</span>
+<span class="n">objectclass</span><span class="p">:</span> <span class="n">organizationalUnit</span>
+<span class="n">objectclass</span><span class="p">:</span> <span class="n">top</span>
+
+<span class="c">#! RESULT OK</span>
+<span class="c">#! CONNECTION ldap://localhost:10389</span>
+<span class="c">#! DATE 2012-10-30T14:36:21.320</span>
+<span class="n">dn</span><span class="p">:</span> <span class="n">cn</span><span class="p">=</span><span class="n">James</span> <span class="n">Hook</span><span class="p">,</span><span class="n">ou</span><span class="p">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="p">=</span><span class="n">sevenSeas</span>
+<span class="n">changetype</span><span class="p">:</span> <span class="n">add</span>
+<span class="n">mail</span><span class="p">:</span> <span class="n">jhook</span><span class="p">@</span><span class="n">neverland</span>
+<span class="n">userpassword</span><span class="p">:</span> <span class="n">peterPan</span>
+<span class="n">description</span><span class="p">:</span> <span class="n">A</span> <span class="n">pirate</span> <span class="n">captain</span> <span class="nb">and</span> <span class="n">Peter</span> <span class="n">Pan</span><span class="o">&#39;</span><span class="n">s</span> <span class="n">nemesis</span>
+<span class="n">objectclass</span><span class="p">:</span> <span class="n">inetOrgPerson</span>
+<span class="n">objectclass</span><span class="p">:</span> <span class="n">organizationalPerson</span>
+<span class="n">objectclass</span><span class="p">:</span> <span class="n">person</span>
+<span class="n">objectclass</span><span class="p">:</span> <span class="n">top</span>
+<span class="n">sn</span><span class="p">:</span> <span class="n">Hook</span>
+<span class="n">cn</span><span class="p">:</span> <span class="n">James</span> <span class="n">Hook</span>
 </pre></div>
 
 
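Review bot: The second logged record still contains `userpassword: peterPan`, which means the Studio log shown here keeps the imported password value in clear text; the page should say so next to the sample so that readers treat that log as sensitive. The comment markers are also inconsistent between the two records (`#!RESULT OK` in the first, `#! RESULT OK` in the second); use whichever form Studio actually writes. In the context line above the sample, "the log windows should contain" reads better as "the log window should contain".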

Modified: websites/staging/directory/trunk/content/apacheds/basic-ug/2.1.2-deleting-entries.html
==============================================================================
--- websites/staging/directory/trunk/content/apacheds/basic-ug/2.1.2-deleting-entries.html (original)
+++ websites/staging/directory/trunk/content/apacheds/basic-ug/2.1.2-deleting-entries.html Fri Jun 21 10:04:38 2013
@@ -146,17 +146,17 @@
 <h2 id="using-the-command-line">Using the command line</h2>
 <p>You have to use an authorized user to delete the entry, here, <em>cn=Horatio Nelson,ou=people,o=sevenSeas</em> :</p>
 <p>With an LDIF file (<a href="resources/captain-hook-delete.ldif">Captain hook delete</a>) with an appropriate change entry, this can easily be accomplished, if the bind user is allowed to do so. Here is the content of this <em>LDIF</em> file :</p>
-<div class="codehilite"><pre><span class="c1"># File captain_hook_delete.ldif</span>
-<span class="n">dn:</span> <span class="n">cn</span><span class="o">=</span><span class="n">James</span> <span class="n">Hook</span><span class="p">,</span><span class="n">ou</span><span class="o">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">sevenSeas</span>
-<span class="n">changetype:</span> <span class="nb">delete</span>
+<div class="codehilite"><pre><span class="c"># File captain_hook_delete.ldif</span>
+<span class="n">dn</span><span class="p">:</span> <span class="n">cn</span><span class="p">=</span><span class="n">James</span> <span class="n">Hook</span><span class="p">,</span><span class="n">ou</span><span class="p">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="p">=</span><span class="n">sevenSeas</span>
+<span class="n">changetype</span><span class="p">:</span> <span class="nb">delete</span>
 </pre></div>
 
 
 <p>and here is the command line to use :</p>
-<div class="codehilite"><pre><span class="nv">$</span> <span class="nv">ldapdel</span> <span class="o">-</span><span class="n">h</span> <span class="n">zanzibar</span> <span class="o">-</span><span class="n">p</span> <span class="mi">10389</span> <span class="o">-</span><span class="n">D</span> <span class="s">&quot;cn=Horatio Nelson,ou=people,o=sevenSeas&quot;</span> <span class="o">-</span><span class="n">w</span> <span class="n">pass</span> <span class="o">\\</span>
-    <span class="o">-</span><span class="n">a</span> <span class="o">-</span><span class="n">f</span> <span class="n">captain_hook</span><span class="o">.</span><span class="n">ldif</span>
-<span class="n">adding</span> <span class="k">new</span> <span class="n">entry</span> <span class="n">cn</span><span class="o">=</span><span class="n">James</span> <span class="n">Hook</span><span class="p">,</span><span class="n">ou</span><span class="o">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">sevenSeas</span>
-<span class="nv">$</span>
+<div class="codehilite"><pre>$ <span class="n">ldapdel</span> <span class="o">-</span><span class="n">h</span> <span class="n">zanzibar</span> <span class="o">-</span><span class="n">p</span> 10389 <span class="o">-</span><span class="n">D</span> &quot;<span class="n">cn</span><span class="p">=</span><span class="n">Horatio</span> <span class="n">Nelson</span><span class="p">,</span><span class="n">ou</span><span class="p">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="p">=</span><span class="n">sevenSeas</span>&quot; <span class="o">-</span><span class="n">w</span> <span class="n">pass</span> <span class="o">\\</span>
+    <span class="o">-</span><span class="n">a</span> <span class="o">-</span><span class="n">f</span> <span class="n">captain_hook</span><span class="p">.</span><span class="n">ldif</span>
+<span class="n">adding</span> <span class="n">new</span> <span class="n">entry</span> <span class="n">cn</span><span class="p">=</span><span class="n">James</span> <span class="n">Hook</span><span class="p">,</span><span class="n">ou</span><span class="p">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="p">=</span><span class="n">sevenSeas</span>
+$
 </pre></div>
 
 
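Review bot: The `ldapdel` sample is a copy of the add command: it passes `-a -f captain_hook.ldif` and prints `adding new entry cn=James Hook,ou=people,o=sevenSeas`, while the text just above introduces captain_hook_delete.ldif with `changetype: delete`. Point `-f` at captain_hook_delete.ldif, drop `-a`, and paste the output of an actual delete run. The trailing `\\` on the first line also renders as two backslashes and breaks the line continuation when pasted.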
@@ -164,11 +164,11 @@
 <p>With studio, just select the entry you want to delete, and select the "Delete" menu :</p>
 <p><img alt="Delete entry with studio" src="images/delete-entry.png" /></p>
 <p>When deleteed, the <em>log</em> windows should contain this message :</p>
-<div class="codehilite"><pre><span class="c1">#!RESULT OK</span>
-<span class="c1">#!CONNECTION ldap://localhost:10389</span>
-<span class="c1">#!DATE 2012-10-30T14:57:47.399</span>
-<span class="n">dn:</span> <span class="n">cn</span><span class="o">=</span><span class="n">James</span> <span class="n">Hook</span><span class="p">,</span><span class="n">ou</span><span class="o">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">SevenSeans</span><span class="p">,</span><span class="n">dc</span><span class="o">=</span><span class="n">com</span>
-<span class="n">changetype:</span> <span class="nb">delete</span>
+<div class="codehilite"><pre><span class="c">#!RESULT OK</span>
+<span class="c">#!CONNECTION ldap://localhost:10389</span>
+<span class="c">#!DATE 2012-10-30T14:57:47.399</span>
+<span class="n">dn</span><span class="p">:</span> <span class="n">cn</span><span class="p">=</span><span class="n">James</span> <span class="n">Hook</span><span class="p">,</span><span class="n">ou</span><span class="p">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="p">=</span><span class="n">SevenSeans</span><span class="p">,</span><span class="n">dc</span><span class="p">=</span><span class="n">com</span>
+<span class="n">changetype</span><span class="p">:</span> <span class="nb">delete</span>
 </pre></div>
 
 
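Review bot: The DN in the logged record, `o=SevenSeans,dc=com`, does not match the `o=sevenSeas` suffix used by the LDIF and command-line samples in this same file, so the log sample cannot come from deleting the entry the page describes; regenerate it against `cn=James Hook,ou=people,o=sevenSeas`. The context line "When deleteed" should read "When deleted", and "the log windows" should be "the log window".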

Modified: websites/staging/directory/trunk/content/apacheds/basic-ug/2.2.1-simple-search.html
==============================================================================
--- websites/staging/directory/trunk/content/apacheds/basic-ug/2.2.1-simple-search.html (original)
+++ websites/staging/directory/trunk/content/apacheds/basic-ug/2.2.1-simple-search.html Fri Jun 21 10:04:38 2013
@@ -149,12 +149,12 @@
 <p>There are several other options, which will be exposed in the next chapter.</p>
 <h2 id="doing-a-simple-search-on-the-command-line">Doing a Simple Search on the command line</h2>
 <p>Here is an exemple of search done on the base we have created :</p>
-<div class="codehilite"><pre><span class="nv">$</span> <span class="nv">ldapsearch</span> <span class="o">-</span><span class="n">h</span> <span class="n">zanzibar</span> <span class="o">-</span><span class="n">p</span> <span class="mi">10389</span> <span class="o">-</span><span class="n">b</span> <span class="s">&quot;o=sevenSeas&quot;</span> <span class="o">-</span><span class="n">s</span> <span class="k">sub </span><span class="err">&quot;(</span><span class="nf">cn</span><span class="err">=</span><span class="nf">James</span> <span class="nf">Hook</span><span class="err">)&quot;</span> <span class="err">+</span>
-<span class="nf">version</span><span class="err">:</span> <span class="err">1</span>
-<span class="nf">dn</span><span class="err">:</span> <span class="nf">cn</span><span class="err">=</span><span class="nf">James</span> <span class="nf">Hook</span><span class="err">,</span><span class="nf">ou</span><span class="err">=</span><span class="nf">people</span><span class="err">,</span><span class="nf">o</span><span class="err">=</span><span class="nf">sevenSeas</span>
-<span class="nf">accessControlSubentries</span><span class="err">:</span> <span class="nf">cn</span><span class="err">=</span><span class="nf">sevenSeasAuthorizationRequirementsACISubentry</span><span class="err">,</span><span class="nf">o</span><span class="err">=</span><span class="nf">sevenSeas</span>
-<span class="nf">creatorsName</span><span class="err">:</span> <span class="nf">cn</span><span class="err">=</span><span class="nf">Horatio</span> <span class="nf">Nelson</span><span class="err">,</span><span class="nf">ou</span><span class="err">=</span><span class="nf">people</span><span class="err">,</span><span class="nf">o</span><span class="err">=</span><span class="nf">sevenSeas</span>
-<span class="nf">createTimestamp</span><span class="err">:</span> <span class="err">20061203140109</span><span class="nf">Z</span>
+<div class="codehilite"><pre>$ <span class="n">ldapsearch</span> <span class="o">-</span><span class="n">h</span> <span class="n">zanzibar</span> <span class="o">-</span><span class="n">p</span> 10389 <span class="o">-</span><span class="n">b</span> &quot;<span class="n">o</span><span class="p">=</span><span class="n">sevenSeas</span>&quot; <span class="o">-</span><span class="n">s</span> <span class="n">sub</span> &quot;<span class="p">(</span><span class="n">cn</span><span class="p">=</span><span class="n">James</span> <span class="n">Hook</span><span class="p">)</span>&quot; <span class="o">+</span>
+<span class="n">version</span><span class="p">:</span> 1
+<span class="n">dn</span><span class="p">:</span> <span class="n">cn</span><span class="p">=</span><span class="n">James</span> <span class="n">Hook</span><span class="p">,</span><span class="n">ou</span><span class="p">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="p">=</span><span class="n">sevenSeas</span>
+<span class="n">accessControlSubentries</span><span class="p">:</span> <span class="n">cn</span><span class="p">=</span><span class="n">sevenSeasAuthorizationRequirementsACISubentry</span><span class="p">,</span><span class="n">o</span><span class="p">=</span><span class="n">sevenSeas</span>
+<span class="n">creatorsName</span><span class="p">:</span> <span class="n">cn</span><span class="p">=</span><span class="n">Horatio</span> <span class="n">Nelson</span><span class="p">,</span><span class="n">ou</span><span class="p">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="p">=</span><span class="n">sevenSeas</span>
+<span class="n">createTimestamp</span><span class="p">:</span> 20061203140109<span class="n">Z</span>
 </pre></div>
 
 
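Review bot: The search command requests only `+`, so the sample output consists of operational attributes (`accessControlSubentries`, `creatorsName`, `createTimestamp`) and none of the entry's own attributes, which is confusing as the first example on a page titled "simple search"; either drop the `+` and show the user attributes, or add a sentence explaining what `+` selects. The command has no `-D`/`-w`, so it runs as an anonymous bind; the page should state that, since the result depends on what anonymous users are allowed to read. The context line "Here is an exemple of search" should read "Here is an example of a search".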

Modified: websites/staging/directory/trunk/content/apacheds/basic-ug/3.1-authentication-options.html
==============================================================================
--- websites/staging/directory/trunk/content/apacheds/basic-ug/3.1-authentication-options.html (original)
+++ websites/staging/directory/trunk/content/apacheds/basic-ug/3.1-authentication-options.html Fri Jun 21 10:04:38 2013
@@ -179,39 +179,38 @@
 <p><em>Authentication</em> is the process of determining whether someone (or something) in fact is what he/she/it asserts to be. </p>
 <p>Within ApacheDS you will likely want to authenticate clients in order to check whether they are allowed to read, add or manipulate certain data stored within the directory. The latter, i.e. whether an authenticated client is permitted to do something, is deduced during <em>authorization</em>.</p>
 <p>Quite often, the process of authentication is delegated to a directory service by other software components. Because in doing so, authentication data (e.g. username, password) and authorization data (e.g. group relationships) are stored and managed centrally in the directory, and all connected software solutions benefit from it. The integration sections of this guide provide examples for Apache Tomcat, Apache HTTP servers, and others.</p>
-<p>ApacheDS 2.0 supports simple authentication and anonymous binds while storing passwords within <em>userPassword</em> attributes in user entries. Passwords can be stored in clear text or one-way encrypted with a hash algorithm like MD5 or SHA1. Since version 1.5.1, SASL mechanism are supported as well. We start with anonymous binds.<br />
-</p>
+<p>ApacheDS 2.0 supports simple authentication and anonymous binds while storing passwords within <em>userPassword</em> attributes in user entries. Passwords can be stored in clear text or one-way encrypted with a hash algorithm like MD5 or SHA1. Since version 1.5.1, SASL mechanism are supported as well. We start with anonymous binds.  </p>
 <h2 id="simple-binds">Simple binds</h2>
 <p>Authentication via simple bind is widely used. The method is supported by ApacheDS 2.0 for all person entries stored within any partition, if they contain a password attribute. How does it work? An LDAP client provides the DN of a user entry and a password to the server, the parameters of the bind operation. ApacheDS checks whether the given password is the same as the one stored in the <em>userpassword</em> attribute of the given entry. If not, the bind operation fails (LDAP error code 49, LDAP_INVALID_CREDENTIALS), and the user is not authenticated.</p>
 <h3 id="using-command-line-tools">Using command line tools</h3>
 <p>Assume this entry from the Seven Seas partition is stored within the directory (only a fragment with the relevant attributes is shown).</p>
-<div class="codehilite"><pre><span class="err">dn:</span> <span class="err">cn=Horatio</span> <span class="err">Hornblower,ou=people,o=sevenSeas</span>
-<span class="err">object</span><span class="kd">class</span><span class="err">:</span> <span class="err">person</span>
-<span class="err">objectclass:</span> <span class="err">organizationalPerson</span>
-<span class="err">cn:</span> <span class="err">Horatio</span> <span class="err">Hornblower</span>
-<span class="err">sn:</span> <span class="err">Hornblower</span>
-<span class="err">userpassword:</span> <span class="err">pass</span>
-<span class="err">...</span>
+<div class="codehilite"><pre><span class="n">dn</span><span class="o">:</span> <span class="n">cn</span><span class="o">=</span><span class="n">Horatio</span> <span class="n">Hornblower</span><span class="o">,</span><span class="n">ou</span><span class="o">=</span><span class="n">people</span><span class="o">,</span><span class="n">o</span><span class="o">=</span><span class="n">sevenSeas</span>
+<span class="n">objectclass</span><span class="o">:</span> <span class="n">person</span>
+<span class="n">objectclass</span><span class="o">:</span> <span class="n">organizationalPerson</span>
+<span class="n">cn</span><span class="o">:</span> <span class="n">Horatio</span> <span class="n">Hornblower</span>
+<span class="n">sn</span><span class="o">:</span> <span class="n">Hornblower</span>
+<span class="n">userpassword</span><span class="o">:</span> <span class="n">pass</span>
+<span class="o">...</span>
 </pre></div>
 
 
 <p>In the following search command, a user tries to bind with the given DN (option -D) but a wrong password (option -w). The bind fails and the command terminates without performing the search.</p>
-<div class="codehilite"><pre><span class="nv">$</span> <span class="nv">ldapsearch</span> <span class="o">-</span><span class="n">h</span> <span class="n">zanzibar</span> <span class="o">-</span><span class="n">p</span> <span class="mi">10389</span> <span class="o">-</span><span class="n">D</span> <span class="s">&quot;cn=Horatio Hornblower,ou=people,o=sevenSeas&quot;</span> <span class="o">\\</span>
-    <span class="o">-</span><span class="n">w</span> <span class="n">wrong</span> <span class="o">-</span><span class="n">b</span> <span class="s">&quot;ou=people,o=sevenSeas&quot;</span> <span class="o">-</span><span class="n">s</span> <span class="n">base</span> <span class="s">&quot;(objectclass=*)&quot;</span>
-<span class="n">ldap_simple_bind:</span> <span class="n">Invalid</span> <span class="n">credentials</span>
-<span class="n">ldap_simple_bind:</span> <span class="n">additional</span> <span class="n">info:</span> <span class="n">Bind</span> <span class="n">failed:</span> <span class="n">null</span>
+<div class="codehilite"><pre>$ <span class="n">ldapsearch</span> <span class="o">-</span><span class="n">h</span> <span class="n">zanzibar</span> <span class="o">-</span><span class="n">p</span> 10389 <span class="o">-</span><span class="n">D</span> &quot;<span class="n">cn</span><span class="p">=</span><span class="n">Horatio</span> <span class="n">Hornblower</span><span class="p">,</span><span class="n">ou</span><span class="p">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="p">=</span><span class="n">sevenSeas</span>&quot; <span class="o">\\</span>
+    <span class="o">-</span><span class="n">w</span> <span class="n">wrong</span> <span class="o">-</span><span class="n">b</span> &quot;<span class="n">ou</span><span class="p">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="p">=</span><span class="n">sevenSeas</span>&quot; <span class="o">-</span><span class="n">s</span> <span class="n">base</span> &quot;<span class="p">(</span><span class="n">objectclass</span><span class="p">=</span><span class="o">*</span><span class="p">)</span>&quot;
+<span class="n">ldap_simple_bind</span><span class="p">:</span> <span class="n">Invalid</span> <span class="n">credentials</span>
+<span class="n">ldap_simple_bind</span><span class="p">:</span> <span class="n">additional</span> <span class="n">info</span><span class="p">:</span> <span class="n">Bind</span> <span class="n">failed</span><span class="p">:</span> <span class="n">null</span>
 </pre></div>
 
 
 <p>If the user provides the correct password during the call of the ldapsearch command, the bind operation succeeds and the seach operation is performed afterwards.</p>
-<div class="codehilite"><pre><span class="nv">$</span> <span class="nv">ldapsearch</span> <span class="o">-</span><span class="n">h</span> <span class="n">zanzibar</span> <span class="o">-</span><span class="n">p</span> <span class="mi">10389</span> <span class="o">-</span><span class="n">D</span> <span class="s">&quot;cn=Horatio Hornblower,ou=people,o=sevenSeas&quot;</span> <span class="o">\\</span>
-    <span class="o">-</span><span class="n">w</span> <span class="n">pass</span> <span class="o">-</span><span class="n">b</span> <span class="s">&quot;ou=people,o=sevenSeas&quot;</span> <span class="o">-</span><span class="n">s</span> <span class="n">base</span> <span class="s">&quot;(objectclass=*)&quot;</span>
-<span class="n">version:</span> <span class="mi">1</span>
-<span class="n">dn:</span> <span class="n">ou</span><span class="o">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">sevenSeas</span>
-<span class="n">ou:</span> <span class="n">people</span>
-<span class="n">description:</span> <span class="n">Contains</span> <span class="n">entries</span> <span class="n">which</span> <span class="n">describe</span> <span class="n">persons</span> <span class="p">(</span><span class="n">seamen</span><span class="p">)</span>
-<span class="n">objectclass:</span> <span class="n">organizationalUnit</span>
-<span class="n">objectclass:</span> <span class="n">top</span>
+<div class="codehilite"><pre>$ <span class="n">ldapsearch</span> <span class="o">-</span><span class="n">h</span> <span class="n">zanzibar</span> <span class="o">-</span><span class="n">p</span> 10389 <span class="o">-</span><span class="n">D</span> &quot;<span class="n">cn</span><span class="p">=</span><span class="n">Horatio</span> <span class="n">Hornblower</span><span class="p">,</span><span class="n">ou</span><span class="p">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="p">=</span><span class="n">sevenSeas</span>&quot; <span class="o">\\</span>
+    <span class="o">-</span><span class="n">w</span> <span class="n">pass</span> <span class="o">-</span><span class="n">b</span> &quot;<span class="n">ou</span><span class="p">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="p">=</span><span class="n">sevenSeas</span>&quot; <span class="o">-</span><span class="n">s</span> <span class="n">base</span> &quot;<span class="p">(</span><span class="n">objectclass</span><span class="p">=</span><span class="o">*</span><span class="p">)</span>&quot;
+<span class="n">version</span><span class="p">:</span> 1
+<span class="n">dn</span><span class="p">:</span> <span class="n">ou</span><span class="p">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="p">=</span><span class="n">sevenSeas</span>
+<span class="n">ou</span><span class="p">:</span> <span class="n">people</span>
+<span class="n">description</span><span class="p">:</span> <span class="n">Contains</span> <span class="n">entries</span> <span class="n">which</span> <span class="n">describe</span> <span class="n">persons</span> <span class="p">(</span><span class="n">seamen</span><span class="p">)</span>
+<span class="n">objectclass</span><span class="p">:</span> <span class="n">organizationalUnit</span>
+<span class="n">objectclass</span><span class="p">:</span> <span class="n">top</span>
 </pre></div>
 
 
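Review bot: The regenerated ldapsearch examples in this hunk still emit the line continuation as \\ (two backslashes inside the span with class "o"), so the rendered command ends its first line with an escaped backslash rather than a continuation. Pasted into a shell, the line starting with -w then runs as a separate command. The source should produce a single \ at the end of the line. The context paragraph above the second example also reads "the seach operation" (should be "search"). Since both examples pass the bind password as a -w argument, a sentence noting that this leaves it in shell history and the process list would fit here.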
@@ -260,38 +259,38 @@
 
 
 <p>If the DN of a user entry and the fitting password are provided as command line arguments, the program binds successfully and performs a search:</p>
-<div class="codehilite"><pre><span class="nv">$</span> <span class="nv">java</span> <span class="n">SimpleBindDemo</span> <span class="s">&quot;cn=Horatio Hornblower,ou=people,o=sevenSeas&quot;</span> <span class="n">pass</span>
-<span class="n">ou</span><span class="o">=</span><span class="n">people:</span> <span class="n">javax</span><span class="o">.</span><span class="n">naming</span><span class="o">.</span><span class="n">directory</span><span class="o">.</span><span class="n">DirContext</span>
-<span class="n">ou</span><span class="o">=</span><span class="n">groups:</span> <span class="n">javax</span><span class="o">.</span><span class="n">naming</span><span class="o">.</span><span class="n">directory</span><span class="o">.</span><span class="n">DirContext</span>
+<div class="codehilite"><pre>$ <span class="n">java</span> <span class="n">SimpleBindDemo</span> &quot;<span class="n">cn</span><span class="p">=</span><span class="n">Horatio</span> <span class="n">Hornblower</span><span class="p">,</span><span class="n">ou</span><span class="p">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="p">=</span><span class="n">sevenSeas</span>&quot; <span class="n">pass</span>
+<span class="n">ou</span><span class="p">=</span><span class="n">people</span><span class="p">:</span> <span class="n">javax</span><span class="p">.</span><span class="n">naming</span><span class="p">.</span><span class="n">directory</span><span class="p">.</span><span class="n">DirContext</span>
+<span class="n">ou</span><span class="p">=</span><span class="n">groups</span><span class="p">:</span> <span class="n">javax</span><span class="p">.</span><span class="n">naming</span><span class="p">.</span><span class="n">directory</span><span class="p">.</span><span class="n">DirContext</span>
 </pre></div>
 
 
 <p>On the other hand, providing an incorrect password results in a failed bind operation. JNDI maps it to a <em>NamingException</em>:</p>
-<div class="codehilite"><pre><span class="nv">$</span> <span class="nv">java</span> <span class="n">SimpleBindDemo</span> <span class="s">&quot;cn=Horatio Hornblower,ou=people,o=sevenSeas&quot;</span> <span class="n">quatsch</span>
-<span class="p">[</span><span class="n">LDAP:</span> <span class="n">error</span> <span class="n">code</span> <span class="mi">49</span> <span class="o">-</span> <span class="n">Bind</span> <span class="n">failed:</span> <span class="n">null</span><span class="p">]</span>
+<div class="codehilite"><pre>$ <span class="n">java</span> <span class="n">SimpleBindDemo</span> &quot;<span class="n">cn</span><span class="p">=</span><span class="n">Horatio</span> <span class="n">Hornblower</span><span class="p">,</span><span class="n">ou</span><span class="p">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="p">=</span><span class="n">sevenSeas</span>&quot; <span class="n">quatsch</span>
+<span class="p">[</span><span class="n">LDAP</span><span class="p">:</span> <span class="n">error</span> <span class="n">code</span> 49 <span class="o">-</span> <span class="n">Bind</span> <span class="n">failed</span><span class="p">:</span> <span class="n">null</span><span class="p">]</span>
 </pre></div>
 
 
 <p>In real life, you obviously want to separate most of the configuration data from the source code, for instance with the help of the <em>jndi.properties</em> file.</p>
 <h2 id="passwords-stored-one-way-encrypted">Passwords stored one-way encrypted</h2>
 <p>If passwords are stored in the directory in clear like above, the administrator (<em>uid=admin,ou=system</em>) is able to read them. This holds true even if authorization is enabled. The passwords would also be visible in exported LDIF files. This is often unacceptable.</p>
-<p><DIV class="warning" markdown="1">
+<DIV class="warning" markdown="1">
 Not only the administrator will be able to read your password, or be visible in LDIF files, but if one does not use SSL, the the password is transmitted in clear text above the wire...
-</DIV></p>
+</DIV>
+
 <h3 id="passwords-not-stored-in-clear-text">Passwords not stored in clear text</h3>
 <p>ApacheDS does also support simple binds, if user passwords are stored one-way encrypted. An LDAP client, which creates user entries, applies a hash-function (SHA for instance) to the user passwords beforehand, and stores the users with these fingerprints as <em>userpassword</em> values (instead of the clear text values), for instance:</p>
-<div class="codehilite"><pre><span class="err">dn:</span> <span class="err">cn=Horatio</span> <span class="err">Hornblower,ou=people,o=sevenSeas</span>
-<span class="err">object</span><span class="kd">class</span><span class="err">:</span> <span class="err">person</span>
-<span class="err">objectclass:</span> <span class="err">organizationalPerson</span>
-<span class="err">cn:</span> <span class="err">Horatio</span> <span class="err">Hornblower</span>
-<span class="err">sn:</span> <span class="err">Hornblower</span>
-<span class="err">userpassword:</span> <span class="p">{</span><span class="n">SHA</span><span class="p">}</span><span class="err">nU4eI71bcnBGqeO0t9tXvY1u5oQ=</span>
-<span class="err">...</span>
+<div class="codehilite"><pre><span class="n">dn</span><span class="o">:</span> <span class="n">cn</span><span class="o">=</span><span class="n">Horatio</span> <span class="n">Hornblower</span><span class="o">,</span><span class="n">ou</span><span class="o">=</span><span class="n">people</span><span class="o">,</span><span class="n">o</span><span class="o">=</span><span class="n">sevenSeas</span>
+<span class="n">objectclass</span><span class="o">:</span> <span class="n">person</span>
+<span class="n">objectclass</span><span class="o">:</span> <span class="n">organizationalPerson</span>
+<span class="n">cn</span><span class="o">:</span> <span class="n">Horatio</span> <span class="n">Hornblower</span>
+<span class="n">sn</span><span class="o">:</span> <span class="n">Hornblower</span>
+<span class="n">userpassword</span><span class="o">:</span> <span class="o">{</span><span class="n">SHA</span><span class="o">}</span><span class="n">nU4eI71bcnBGqeO0t9tXvY1u5oQ</span><span class="o">=</span>
+<span class="o">...</span>
 </pre></div>
 
 
-<p>The value "{SHA}nU4eI71bcnBGqeO0t9tXvY1u5oQ=" means that <em>SHA</em> (Secure Hash Algorithm) was applied to the password, and "nU4eI71bcnBGqeO0t9tXvY1u5oQ=" was the result (Base-64 encoded). Please note that it is not possible to calculate the source ("pass" in our case) back from the result. This is why it is called one-way encrypted -- it is rather difficult to decrypt it. One may guess many times, calculate the hash values (the algorithms are public) and compare the result. But this would take a long time, especially if you choose a more complex password than we did ("pass").<br />
-</p>
+<p>The value "{SHA}nU4eI71bcnBGqeO0t9tXvY1u5oQ=" means that <em>SHA</em> (Secure Hash Algorithm) was applied to the password, and "nU4eI71bcnBGqeO0t9tXvY1u5oQ=" was the result (Base-64 encoded). Please note that it is not possible to calculate the source ("pass" in our case) back from the result. This is why it is called one-way encrypted -- it is rather difficult to decrypt it. One may guess many times, calculate the hash values (the algorithms are public) and compare the result. But this would take a long time, especially if you choose a more complex password than we did ("pass").  </p>
 <h3 id="but-how-to-obtain-the-hash-value-for-a-password">But how to obtain the hash value for a password?</h3>
 <p>With some lines of code, it is quite easy to accomplish this task programatically in Java:</p>
 <div class="codehilite"><pre><span class="kn">import</span> <span class="nn">java.security.MessageDigest</span><span class="o">;</span>
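Review bot: In the warning block that is moved out of the <p> wrapper, the sentence itself is still broken: "... but if one does not use SSL, the the password is transmitted in clear text above the wire..." has a doubled "the", an "or be visible in LDIF files" clause with no subject, and "above the wire" where "over the wire" is meant. Suggest fixing it in the source, for example: "Besides being readable by the administrator and visible in LDIF exports, the password is transmitted in clear text over the wire if SSL is not used." Separately, the re-emitted {SHA} paragraph still says that guessing "would take a long time", which conflicts with the example password "pass" and with the note later on this page that an attacker "can attempt millions of values with ease". One of the two statements should be reworded.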
@@ -322,31 +321,34 @@ Not only the administrator will be able 
 <p><img alt="Password Edit" src="images/password-edit-ls.png" /></p>
 <h3 id="from-an-ldap-client-point-of-view">From an LDAP client point of view</h3>
 <p>From an LDAP client point of view, the behavior during authentication is the same as with passwords stored in clear. During a simple bind, a client sends DN and password (unencrypted, i.e. no hash algorithm applied) to the server. If ApacheDS detects, that the user password for the given DN is stored in the directory with a hash function applied, it calculates the hash value of the given password with the appropriate algorithm (this is why the algorithm is stored together with the hashed password). Afterwards it compares the result with the stored attribute value. In case of a match, the bind operation ends successfully:</p>
-<div class="codehilite"><pre><span class="nv">$</span> <span class="nv">ldapsearch</span> <span class="o">-</span><span class="n">h</span> <span class="n">zanzibar</span> <span class="o">-</span><span class="n">p</span> <span class="mi">10389</span> <span class="o">-</span><span class="n">D</span> <span class="s">&quot;cn=Horatio Hornblower,ou=people,o=sevenSeas&quot;</span> <span class="o">\\</span> 
-    <span class="o">-</span><span class="n">w</span> <span class="n">pass</span> <span class="o">-</span><span class="n">b</span> <span class="s">&quot;ou=people,o=sevenSeas&quot;</span> <span class="o">-</span><span class="n">s</span> <span class="n">base</span> <span class="s">&quot;(objectclass=*)&quot;</span>
-<span class="n">version:</span> <span class="mi">1</span>
-<span class="n">dn:</span> <span class="n">ou</span><span class="o">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">sevenSeas</span>
-<span class="n">ou:</span> <span class="n">people</span>
-<span class="n">description:</span> <span class="n">Contains</span> <span class="n">entries</span> <span class="n">which</span> <span class="n">describe</span> <span class="n">persons</span> <span class="p">(</span><span class="n">seamen</span><span class="p">)</span>
-<span class="n">objectclass:</span> <span class="n">organizationalUnit</span>
-<span class="n">objectclass:</span> <span class="n">top</span>
+<div class="codehilite"><pre>$ <span class="n">ldapsearch</span> <span class="o">-</span><span class="n">h</span> <span class="n">zanzibar</span> <span class="o">-</span><span class="n">p</span> 10389 <span class="o">-</span><span class="n">D</span> &quot;<span class="n">cn</span><span class="p">=</span><span class="n">Horatio</span> <span class="n">Hornblower</span><span class="p">,</span><span class="n">ou</span><span class="p">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="p">=</span><span class="n">sevenSeas</span>&quot; <span class="o">\\</span> 
+    <span class="o">-</span><span class="n">w</span> <span class="n">pass</span> <span class="o">-</span><span class="n">b</span> &quot;<span class="n">ou</span><span class="p">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="p">=</span><span class="n">sevenSeas</span>&quot; <span class="o">-</span><span class="n">s</span> <span class="n">base</span> &quot;<span class="p">(</span><span class="n">objectclass</span><span class="p">=</span><span class="o">*</span><span class="p">)</span>&quot;
+<span class="n">version</span><span class="p">:</span> 1
+<span class="n">dn</span><span class="p">:</span> <span class="n">ou</span><span class="p">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="p">=</span><span class="n">sevenSeas</span>
+<span class="n">ou</span><span class="p">:</span> <span class="n">people</span>
+<span class="n">description</span><span class="p">:</span> <span class="n">Contains</span> <span class="n">entries</span> <span class="n">which</span> <span class="n">describe</span> <span class="n">persons</span> <span class="p">(</span><span class="n">seamen</span><span class="p">)</span>
+<span class="n">objectclass</span><span class="p">:</span> <span class="n">organizationalUnit</span>
+<span class="n">objectclass</span><span class="p">:</span> <span class="n">top</span>
 </pre></div>
 
 
 <p>Providing the hashed value of the <em>userPassword</em> attribute instead of the original value will be rejected by ApacheDS:</p>
-<div class="codehilite"><pre><span class="nv">$</span> <span class="nv">ldapsearch</span> <span class="o">-</span><span class="n">h</span> <span class="n">zanzibar</span> <span class="o">-</span><span class="n">p</span> <span class="mi">10389</span> <span class="o">-</span><span class="n">D</span> <span class="s">&quot;cn=Horatio Hornblower,ou=people,o=sevenSeas&quot;</span> <span class="o">\\</span>
-    <span class="o">-</span><span class="n">w</span> <span class="s">&quot;{SHA}nU4eI71bcnBGqeO0t9tXvY1u5oQ=&quot;</span> <span class="o">-</span><span class="n">b</span> <span class="s">&quot;ou=people,o=sevenSeas&quot;</span> <span class="o">-</span><span class="n">s</span> <span class="n">base</span> <span class="s">&quot;(objectclass=*)&quot;</span>
-<span class="n">ldap_simple_bind:</span> <span class="n">Invalid</span> <span class="n">credentials</span>
-<span class="n">ldap_simple_bind:</span> <span class="n">additional</span> <span class="n">info:</span> <span class="n">Bind</span> <span class="n">failed:</span> <span class="n">null</span>
+<div class="codehilite"><pre>$ <span class="n">ldapsearch</span> <span class="o">-</span><span class="n">h</span> <span class="n">zanzibar</span> <span class="o">-</span><span class="n">p</span> 10389 <span class="o">-</span><span class="n">D</span> &quot;<span class="n">cn</span><span class="p">=</span><span class="n">Horatio</span> <span class="n">Hornblower</span><span class="p">,</span><span class="n">ou</span><span class="p">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="p">=</span><span class="n">sevenSeas</span>&quot; <span class="o">\\</span>
+    <span class="o">-</span><span class="n">w</span> &quot;<span class="p">{</span><span class="n">SHA</span><span class="p">}</span><span class="n">nU4eI71bcnBGqeO0t9tXvY1u5oQ</span><span class="p">=</span>&quot; <span class="o">-</span><span class="n">b</span> &quot;<span class="n">ou</span><span class="p">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="p">=</span><span class="n">sevenSeas</span>&quot; <span class="o">-</span><span class="n">s</span> <span class="n">base</span> &quot;<span class="p">(</span><span class="n">objectclass</span><span class="p">=</span><span class="o">*</span><span class="p">)</span>&quot;
+<span class="n">ldap_simple_bind</span><span class="p">:</span> <span class="n">Invalid</span> <span class="n">credentials</span>
+<span class="n">ldap_simple_bind</span><span class="p">:</span> <span class="n">additional</span> <span class="n">info</span><span class="p">:</span> <span class="n">Bind</span> <span class="n">failed</span><span class="p">:</span> <span class="n">null</span>
 </pre></div>
 
 
 <p>This is intended. If someone was able to catch this value (from an LDIF export for instance), s/he must still provide the password itself in order to get authenticated.</p>
-<p><DIV class="note" markdown="1">
-<strong>Be Warned: Limited security added</strong></p>
-<p>Please note that storing user passwords one-way encrypted only adds limited security. During the bind operation, the credentials are still transmitted unencrypted, if no SSL/TLS communication is used (thus you should definitely consider to do so). </p>
-<p>Furthermore, if someone gets an LDIF file with userpassword values digested with SHA etc., s/he may be able to determine some of the passwords with brute force. Calculation of hash functions can be done very fast, and the attacker can attempt millions of values with ease, without you getting notice of it. Therefore protect your data, even if one-way encryption is applied to the passwords!
-</DIV></p>
+<DIV class="note" markdown="1">
+**Be Warned: Limited security added**
+
+Please note that storing user passwords one-way encrypted only adds limited security. During the bind operation, the credentials are still transmitted unencrypted, if no SSL/TLS communication is used (thus you should definitely consider to do so). 
+
+Furthermore, if someone gets an LDIF file with userpassword values digested with SHA etc., s/he may be able to determine some of the passwords with brute force. Calculation of hash functions can be done very fast, and the attacker can attempt millions of values with ease, without you getting notice of it. Therefore protect your data, even if one-way encryption is applied to the passwords!
+</DIV>
+
 <h2 id="anonymous-binds">Anonymous binds</h2>
 <p>In some occasions it is appropriate to allow LDAP clients to permit operations without authentication. If data managed by the directory service is well known by all clients, it is not uncommon to allow search operations (not manipulation) within this data to all clients -- without providing credentials. An example for this are enterprise wide telephone books, if clients access the directory service from the intranet.</p>
 <h3 id="enabledisable-anonymous-binds">Enable/disable anonymous binds</h3>
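Review bot: The note block now ships raw Markdown: the added line "**Be Warned: Limited security added**" replaces the previous <strong> element, and the two paragraphs after it lose their <p> wrappers. Unless a later build step processes markdown="1", the page will show literal asterisks and the two paragraphs will run together. Either render the DIV content at build time or keep the HTML for this block. The same applies to the "**Use this feature wisely**" note in the following hunk. The ldapsearch example at the top of this hunk also keeps the \\ continuation, here followed by a trailing space.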
@@ -354,47 +356,49 @@ Not only the administrator will be able 
 <h3 id="example-server-behavior-with-anonymous-binds-disabled">Example: Server behavior with anonymous binds disabled</h3>
 <p>Assume anonymous binds are disabled and our sample partition <em>Seven Seaes</em> present in the server. Here is an example with a search operation performed by a command line tool as a client. It tries to connect anonymously (no DN and password given, i.e. options -D and -w missing) to the server. Afterwards the entry <em>ou=people,o=sevenSeas</em> should be displayed.</p>
 <p>See the command and the resulting error message provided by the server below </p>
-<div class="codehilite"><pre><span class="nv">$</span> <span class="nv">ldapsearch</span> <span class="o">-</span><span class="n">h</span> <span class="n">zanzibar</span> <span class="o">-</span><span class="n">p</span> <span class="mi">10389</span> <span class="o">-</span><span class="n">b</span> <span class="s">&quot;ou=people,o=sevenSeas&quot;</span> <span class="o">-</span><span class="n">s</span> <span class="n">one</span> <span class="s">&quot;(objectclass=*)&quot;</span>
-<span class="n">ldap_search:</span> <span class="n">Insufficient</span> <span class="n">access</span>
-<span class="n">ldap_search:</span> <span class="n">additional</span> <span class="n">info:</span> <span class="n">failed</span> <span class="n">on</span> <span class="n">search</span> <span class="n">operation:</span> <span class="n">Anonymous</span> <span class="n">binds</span> <span class="n">have</span> <span class="n">been</span> <span class="n">disabled</span><span class="o">!</span>
+<div class="codehilite"><pre>$ <span class="n">ldapsearch</span> <span class="o">-</span><span class="n">h</span> <span class="n">zanzibar</span> <span class="o">-</span><span class="n">p</span> 10389 <span class="o">-</span><span class="n">b</span> &quot;<span class="n">ou</span><span class="p">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="p">=</span><span class="n">sevenSeas</span>&quot; <span class="o">-</span><span class="n">s</span> <span class="n">one</span> &quot;<span class="p">(</span><span class="n">objectclass</span><span class="p">=</span><span class="o">*</span><span class="p">)</span>&quot;
+<span class="n">ldap_search</span><span class="p">:</span> <span class="n">Insufficient</span> <span class="n">access</span>
+<span class="n">ldap_search</span><span class="p">:</span> <span class="n">additional</span> <span class="n">info</span><span class="p">:</span> <span class="n">failed</span> <span class="n">on</span> <span class="n">search</span> <span class="n">operation</span><span class="p">:</span> <span class="n">Anonymous</span> <span class="n">binds</span> <span class="n">have</span> <span class="n">been</span> <span class="n">disabled</span>!
 </pre></div>
 
 
 <h3 id="example-server-behavior-with-anonymous-binds-enabled">Example: Server behavior with anonymous binds enabled</h3>
 <p>Now the same command performed against ApacheDS 1.5 with anonymous access enabled as described above. The behavior is different -- the entry is visible. </p>
-<div class="codehilite"><pre><span class="nv">$</span> <span class="nv">ldapsearch</span> <span class="o">-</span><span class="n">h</span> <span class="n">zanzibar</span> <span class="o">-</span><span class="n">p</span> <span class="mi">10389</span> <span class="o">-</span><span class="n">b</span> <span class="s">&quot;ou=people,o=sevenSeas&quot;</span> <span class="o">-</span><span class="n">s</span> <span class="n">base</span> <span class="s">&quot;(objectclass=*)&quot;</span>
-<span class="n">version:</span> <span class="mi">1</span>
-<span class="n">dn:</span> <span class="n">ou</span><span class="o">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">sevenSeas</span>
-<span class="n">ou:</span> <span class="n">people</span>
-<span class="n">description:</span> <span class="n">Contains</span> <span class="n">entries</span> <span class="n">which</span> <span class="n">describe</span> <span class="n">persons</span> <span class="p">(</span><span class="n">seamen</span><span class="p">)</span>
-<span class="n">objectclass:</span> <span class="n">organizationalUnit</span>
-<span class="n">objectclass:</span> <span class="n">top</span>
+<div class="codehilite"><pre>$ <span class="n">ldapsearch</span> <span class="o">-</span><span class="n">h</span> <span class="n">zanzibar</span> <span class="o">-</span><span class="n">p</span> 10389 <span class="o">-</span><span class="n">b</span> &quot;<span class="n">ou</span><span class="p">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="p">=</span><span class="n">sevenSeas</span>&quot; <span class="o">-</span><span class="n">s</span> <span class="n">base</span> &quot;<span class="p">(</span><span class="n">objectclass</span><span class="p">=</span><span class="o">*</span><span class="p">)</span>&quot;
+<span class="n">version</span><span class="p">:</span> 1
+<span class="n">dn</span><span class="p">:</span> <span class="n">ou</span><span class="p">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="p">=</span><span class="n">sevenSeas</span>
+<span class="n">ou</span><span class="p">:</span> <span class="n">people</span>
+<span class="n">description</span><span class="p">:</span> <span class="n">Contains</span> <span class="n">entries</span> <span class="n">which</span> <span class="n">describe</span> <span class="n">persons</span> <span class="p">(</span><span class="n">seamen</span><span class="p">)</span>
+<span class="n">objectclass</span><span class="p">:</span> <span class="n">organizationalUnit</span>
+<span class="n">objectclass</span><span class="p">:</span> <span class="n">top</span>
 </pre></div>
 
 
 <h3 id="other-clients">Other clients</h3>
 <p>The examples above have used a command line tool. Of course graphical tools and programmatical access (JNDI etc.) allow anonymous binds as well. Below is a screen shot from the configuration dialog of <a href="http://directory.apache.org/studio/">Apache Directory Studio</a> as an example. During configuration of the connection data ("New LDAP Connection", for instance), the option <em>Anonymous Authentication</em> leads to anonymous binds. Other UI tools offer this feature as well.</p>
 <p><img alt="Authentication options" src="authentication-options-ls.png" /></p>
-<p><DIV class="note" markdown="1">
-<strong>Use this feature wisely</strong></p>
-<p>With anonymous access enabled it is not only possible to search the directory without providing username and password. With autorization disabled, anonymous users may also be able to modify data. It is therefore highly recommended to enable and configure the authorization subsystem as well. Learn more about authorization in the [3.2. Basic authorization] section.
-</DIV></p>
+<DIV class="note" markdown="1">
+**Use this feature wisely**
+
+With anonymous access enabled it is not only possible to search the directory without providing username and password. With autorization disabled, anonymous users may also be able to modify data. It is therefore highly recommended to enable and configure the authorization subsystem as well. Learn more about authorization in the [3.2. Basic authorization] section.
+</DIV>
+
 <h2 id="how-to-authenticate-a-user-by-uid-and-password">How to authenticate a user by uid and password?</h2>
 <p>If you want to use simple binds with user DN and password within a Java component, in order to authenticate users programatically, in practice one problem arises: Most users do not know their DN. Therefore they will not be able to enter it. And even if they know it, it would be frequently very laborious due to the length of the DN. It would be easier for a user if s/he only has to probvide a short, unique <em>ID</em> and the password, like in this web form</p>
 <p><img alt="Confluence Logon" src="confluence-logon.png" /></p>
 <p>Usually the ID is an attribute within the user's entry. In our sample data (Seven Seas), each user entry contains the <em>uid</em> attribute, for instance uid=hhornblo for Captain Hornblower:</p>
-<div class="codehilite"><pre><span class="err">dn:</span> <span class="err">cn=Horatio</span> <span class="err">Hornblower,ou=people,o=sevenSeas</span>
-<span class="err">object</span><span class="kd">class</span><span class="err">:</span> <span class="err">person</span>
-<span class="err">objectclass:</span> <span class="err">organizationalPerson</span>
-<span class="err">objectclass:</span> <span class="err">inetOrgPerson</span>
-<span class="err">objectclass:</span> <span class="err">top</span>
-<span class="err">cn:</span> <span class="err">Horatio</span> <span class="err">Hornblower</span>
-<span class="err">description:</span> <span class="err">Capt.</span> <span class="err">Horatio</span> <span class="err">Hornblower,</span> <span class="err">R.N</span>
-<span class="err">givenname:</span> <span class="err">Horatio</span>
-<span class="err">sn:</span> <span class="err">Hornblower</span>
-<span class="err">uid:</span> <span class="err">hhornblo</span>
-<span class="err">mail:</span> <span class="err">hhornblo@royalnavy.mod.uk</span>
-<span class="err">userpassword:</span> <span class="p">{</span><span class="n">SHA</span><span class="p">}</span><span class="err">nU4eI71bcnBGqeO0t9tXvY1u5oQ=</span>
+<div class="codehilite"><pre><span class="n">dn</span><span class="o">:</span> <span class="n">cn</span><span class="o">=</span><span class="n">Horatio</span> <span class="n">Hornblower</span><span class="o">,</span><span class="n">ou</span><span class="o">=</span><span class="n">people</span><span class="o">,</span><span class="n">o</span><span class="o">=</span><span class="n">sevenSeas</span>
+<span class="n">objectclass</span><span class="o">:</span> <span class="n">person</span>
+<span class="n">objectclass</span><span class="o">:</span> <span class="n">organizationalPerson</span>
+<span class="n">objectclass</span><span class="o">:</span> <span class="n">inetOrgPerson</span>
+<span class="n">objectclass</span><span class="o">:</span> <span class="n">top</span>
+<span class="n">cn</span><span class="o">:</span> <span class="n">Horatio</span> <span class="n">Hornblower</span>
+<span class="n">description</span><span class="o">:</span> <span class="n">Capt</span><span class="o">.</span> <span class="n">Horatio</span> <span class="n">Hornblower</span><span class="o">,</span> <span class="n">R</span><span class="o">.</span><span class="na">N</span>
+<span class="n">givenname</span><span class="o">:</span> <span class="n">Horatio</span>
+<span class="n">sn</span><span class="o">:</span> <span class="n">Hornblower</span>
+<span class="n">uid</span><span class="o">:</span> <span class="n">hhornblo</span>
+<span class="n">mail</span><span class="o">:</span> <span class="n">hhornblo</span><span class="err">@</span><span class="n">royalnavy</span><span class="o">.</span><span class="na">mod</span><span class="o">.</span><span class="na">uk</span>
+<span class="n">userpassword</span><span class="o">:</span> <span class="o">{</span><span class="n">SHA</span><span class="o">}</span><span class="n">nU4eI71bcnBGqeO0t9tXvY1u5oQ</span><span class="o">=</span>
 </pre></div>
 
 
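Review bot: the added note block (`<DIV class="note" markdown="1">` through `</DIV>`) reaches the generated HTML as raw Markdown. `**Use this feature wisely**` and `[3.2. Basic authorization]` are not converted to bold text and a link, so the warning about anonymous access loses its emphasis and its pointer to the authorization section. Suggest fixing the source so the block is converted, or writing it with `<strong>` and an `<a href>`, and correcting "autorization" to "authorization" in the same change. Separately, the sample entry's `userpassword` value uses the unsalted `{SHA}` scheme; a salted scheme in the sample data, or a sentence saying the value is for demonstration only, would keep readers from copying it.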
@@ -497,21 +501,20 @@ Not only the administrator will be able 
 
 
 <p>Some example calls:</p>
-<div class="codehilite"><pre><span class="nv">$</span> <span class="nv">java</span> <span class="n">AdvancedBindDemo</span> <span class="n">unknown</span> <span class="n">sailor</span>
+<div class="codehilite"><pre>$ <span class="n">java</span> <span class="n">AdvancedBindDemo</span> <span class="n">unknown</span> <span class="n">sailor</span>
 <span class="n">Authentication</span> <span class="n">failed</span>
 
-<span class="nv">$</span> <span class="nv">java</span> <span class="n">AdvancedBindDemo</span> <span class="n">hornblo</span> <span class="n">pass</span>
-<span class="n">dn:</span> <span class="n">cn</span><span class="o">=</span><span class="n">Horatio</span> <span class="n">Hornblower</span><span class="p">,</span><span class="n">ou</span><span class="o">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">sevenSeas</span>
+$ <span class="n">java</span> <span class="n">AdvancedBindDemo</span> <span class="n">hornblo</span> <span class="n">pass</span>
+<span class="n">dn</span><span class="p">:</span> <span class="n">cn</span><span class="p">=</span><span class="n">Horatio</span> <span class="n">Hornblower</span><span class="p">,</span><span class="n">ou</span><span class="p">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="p">=</span><span class="n">sevenSeas</span>
 <span class="n">Authentication</span> <span class="n">successful</span>
 
-<span class="nv">$</span> <span class="nv">java</span> <span class="n">AdvancedBindDemo</span> <span class="n">hornblo</span> <span class="n">quatsch</span>
-<span class="n">dn:</span> <span class="n">cn</span><span class="o">=</span><span class="n">Horatio</span> <span class="n">Hornblower</span><span class="p">,</span><span class="n">ou</span><span class="o">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">sevenSeas</span>
-<span class="p">[</span><span class="n">LDAP:</span> <span class="n">error</span> <span class="n">code</span> <span class="mi">49</span> <span class="o">-</span> <span class="n">Bind</span> <span class="n">failed:</span> <span class="n">null</span><span class="p">]</span>
+$ <span class="n">java</span> <span class="n">AdvancedBindDemo</span> <span class="n">hornblo</span> <span class="n">quatsch</span>
+<span class="n">dn</span><span class="p">:</span> <span class="n">cn</span><span class="p">=</span><span class="n">Horatio</span> <span class="n">Hornblower</span><span class="p">,</span><span class="n">ou</span><span class="p">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="p">=</span><span class="n">sevenSeas</span>
+<span class="p">[</span><span class="n">LDAP</span><span class="p">:</span> <span class="n">error</span> <span class="n">code</span> 49 <span class="o">-</span> <span class="n">Bind</span> <span class="n">failed</span><span class="p">:</span> <span class="n">null</span><span class="p">]</span>
 </pre></div>
 
 
-<p>The examples consist of an unknown user (an <em>inetOrgPerson</em> entry with uid=unknown does not exist), a successful authenttication, and an attempt with an existing uid but a wrong password.<br />
-</p>
+<p>The examples consist of an unknown user (an <em>inetOrgPerson</em> entry with uid=unknown does not exist), a successful authenttication, and an attempt with an existing uid but a wrong password.  </p>
 <h2 id="resources">Resources</h2>
 <ul>
 <li><a href="http://www.faqs.org/rfcs/rfc2829.html">RFC 2829</a> Authentication Methods for LDAP </li>
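Review bot: the sample calls in this hunk show the demo answering differently for an unknown uid (`Authentication failed`) and for an existing uid with a wrong password (the entry's DN is printed, followed by `[LDAP: error code 49 - Bind failed: null]`), so a caller learns which uids exist and what their DNs are. Suggest the documented example return one generic failure message for both cases and print the DN only after a successful bind, or that the paragraph below the calls point this out. Also, the calls use `hornblo` while the sample entry shown earlier in this diff has `uid: hhornblo`, and the rewritten closing paragraph still carries the typo "authenttication".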


