[Fedora-directory-commits] directoryconsole/help/en/help configtab_chaindb.html, 1.2, 1.3 configtab_chaindb7.html, 1.1, 1.2 configtab_replication.html, 1.2, 1.3 configtab_replication2.html, 1.2, 1.3 configtab_replication3.html, 1.3, 1.4 configtab_replication6.html, 1.1, 1.2 configtab_replication7.html, 1.1, 1.2 configtab_synchronization3.html, 1.1, 1.2 replication_wizard.html, 1.2, 1.3 replication_wizard5.html, 1.1, 1.2 synchronization_wizard1.html, 1.1, 1.2 synchronization_wizard2.html, 1.2, 1.3

Richard Allen Megginson rmeggins at fedoraproject.org
Tue Mar 3 00:14:02 UTC 2009


Author: rmeggins

Update of /cvs/dirsec/directoryconsole/help/en/help
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv11483/directoryconsole/help/en/help

Modified Files:
	configtab_chaindb.html configtab_chaindb7.html 
	configtab_replication.html configtab_replication2.html 
	configtab_replication3.html configtab_replication6.html 
	configtab_replication7.html configtab_synchronization3.html 
	replication_wizard.html replication_wizard5.html 
	synchronization_wizard1.html synchronization_wizard2.html 
Log Message:
Resolves: bug 481213
Bug Description: Update replication, winsync, chaining online help about connections and authentication
Reviewed by: nhosoi (Thanks!)
Fix Description: Updated the online help to reflect the new UI.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no



Index: configtab_chaindb.html
===================================================================
RCS file: /cvs/dirsec/directoryconsole/help/en/help/configtab_chaindb.html,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- configtab_chaindb.html	19 Nov 2007 18:21:38 -0000	1.2
+++ configtab_chaindb.html	3 Mar 2009 00:13:59 -0000	1.3
@@ -20,36 +20,92 @@
 </p>
 
 <p class="text">
-<b>Bind DN.</b> DN of an administrative user by the database link to bind to the remote server. If this field is left blank, the database link binds as anonymous. Note that the bind DN cannot be the directory manager.
+<b>Authentication Mechanism</b>
 </p>
 
 <p class="text">
-<b>Password.</b> Password for the administrative user, in plain text. If no password is provided, it means that the database link can bind as anonymous.
+<b>Server TLS/SSL Certificate (requires TLS/SSL server set up). </b>Select this option if you want the chaining server to use its TLS/SSL server certificate for authentication. You cannot use certificate authentication unless the "Use TLS/SSL" or the "Use StartTLS" radio button in the Remote Server(s) Information section is selected. Otherwise, this option will be disabled.  The "Bind As" and Password fields are unavailable with this option because the server will use its certificate to authenticate.
 </p>
 
 <p class="text">
-<b>Remote server(s) information. </b>In this section you provide information about the remote data sources used by the database link.
+To use this option, you must first do the following:
 </p>
 
 <ul>
+<li>
+Configure TLS/SSL for both the local and remote servers.
+</li>
+
+<li>
+Configure your remote server to recognize your local server's certificate as the chaining user DN (certificate mapping).
+</li>
+</ul>
+
+<p class="text">
+<b>SASL/GSSAPI (requires Kerberos keytab). </b>Select this option if you want the local server to use its Kerberos server credentials for authentication.  You must have the "Use LDAP" radio button in the Remote Server(s) Information section selected.  Otherwise, this option sill be disabled.  Note that SASL/GSSAPI will use an encrypted channel, so TLS/SSL is not needed with this option.
+</p>
+
+<p class="text">
+To use this option, you must first do the following:
+</p>
+
+<ul>
+<li>
+Configure Kerberos for both your local and remote servers and assign each one a Kerberos server keytab.
+</li>
+
+<li>
+Configure a SASL mapping on your remote server to map the local server's Kerberos principal to a chaing user DN.
+</li>
+</ul>
+
+<p class="text">
+<b>SASL/DIGEST-MD5 (SASL user id and password). </b>Select this option if you want the local server to use SASL/Digest-MD5 authentication.  This option requires a SASL user id and password.  You specify them in the Bind As and Password fields (see below).  You must configure the remote server with the appropriate SASL mapping to use this option.
+</p>
+
+<p class="text">
+<b>Simple Authentication. </b>Select this option if you want the local server to use simple authentication during communication. You can choose "Use SSL/TLS" or "Use StartTLS" if you want the simple authentication to take place over a secure channel but without certificates.
+</p>
+
+<p class="text">
+<b>Bind As. </b>DN of an administrative user by the database link to bind to the remote server. If this field is left blank, the database link binds as anonymous. Note that the bind DN cannot be the directory manager.
+</p>
+
+<p class="text">
+<b>Password. </b>Password for the administrative user, in plain text. If no password is provided, it means that the database link can bind as anonymous.
+</p>
+
+<p class="text">
+<b>Remote Server(s) Information. </b>In this section you provide information about the remote data sources used by the database link.
+</p>
+
+<ul>
+<p class="text">
+<b>Use LDAP (no encryption). </b>If you want the local server to use plain LDAP with no security, select this radio button.  This option must be selected to use SASL/GSSAPI authentication.
+</p>
+
+<p class="text">
+<b>Use TLS/SSL (TLS/SSL encryption with LDAPS). </b><b>Deprecated.</b>  If you want the local server to use TLS/SSL for secure communication using LDAPS, select this radio button. To use this option, you must have first configured your servers to use TLS/SSL.  <b>This is Deprecated - use StartTLS instead.</b>
+</p>
+
 <p class="text">
-<b>Use a secure LDAP connection between servers.</b> Selecting this checkbox indicates that the connection between the server and the remote server is secure.
+<b>Use StartTLS (TLS/SSL encryption with LDAP). </b>If you want the local server to use TLS/SSL for secure communication using StartTLS to start an encrypted channel using LDAP, select this radio button. To use this option, you must have first configured your servers to use TLS/SSL.
 </p>
 
 <p class="text">
-<b>Remote Server.</b> The name of the remote data source. 
+<b>Remote Server. </b>The name of the remote data source.  If using one of the TLS/SSL or SASL/GSSAPI connection types, you must use the fully qualified host and domain name, and this name must be able to be resolved on both the local and remote servers.
 </p>
 
 <p class="text">
-<b>Remote server port.</b> The port number on the remote data source used by the database link.
+<b>Remote server port. </b>The port number on the remote data source used by the database link.  If using LDAPS, use the secure LDAPS port number (default 636).  Otherwise, use the regular LDAP port number (default 389).  StartTLS uses the regular LDAP port number.
 </p>
 
 <p class="text">
-<b>Failover Server(s).</b> You can specify optional servers for failover in the event that the primary remote server is unavailable. This field contains the name of an alternative remote server. Click Add to add the name and port number to the list.
+<b>Failover Server(s). </b>You can specify optional servers for failover in the event that the primary remote server is unavailable. This field contains the name of an alternative remote server.  If using one of the TLS/SSL or SASL/GSSAPI connection types, you must use the fully qualified host and domain name, and this name must be able to be resolved on both the local and remote servers.  Click Add to add the name and port number to the list.
 </p>
 
 <p class="text">
-<b>Port.</b> Port number of an alternative remote server.
+<b>Port.</b> Port number of an alternative remote server.  If using LDAPS, use the secure LDAPS port number (default 636).  Otherwise, use the regular LDAP port number (default 389).  StartTLS uses the regular LDAP port number.
 </p>
 </ul>
 
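Review bot: two typos in the added text of this hunk: "this option sill be disabled" in the SASL/GSSAPI paragraph should read "will be disabled", and "a chaing user DN" in the second SASL mapping bullet should read "a chaining user DN". The Simple Authentication paragraph refers to a "Use SSL/TLS" radio button, while the button is labelled "Use TLS/SSL" everywhere else in the hunk; the label has to be exact because the certificate paragraph tells the user the option stays disabled until that button is selected. The Remote Server(s) Information block also places `<p>` elements directly inside `<ul>` with no `<li>`, which is not valid HTML; either wrap each paragraph in `<li>` or drop the `<ul>`, as the two prerequisite lists above do correctly.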


Index: configtab_chaindb7.html
===================================================================
RCS file: /cvs/dirsec/directoryconsole/help/en/help/configtab_chaindb7.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- configtab_chaindb7.html	13 Aug 2007 22:28:09 -0000	1.1
+++ configtab_chaindb7.html	3 Mar 2009 00:13:59 -0000	1.2
@@ -3,7 +3,7 @@
 </p>
 
 <p class="text">
-Use the authentication tab to set the attributes required for your new database link to connect with a remote data source on another server.
+Use the authentication tab to set the attributes required for your new database link to authenticate to and connect with a remote data source on another server.
 </p>
 
 <p class="text">
@@ -11,7 +11,71 @@
 </p>
 
 <p class="text">
-<b>Remote server URL. </b>The LDAP URL of the remote server to which this database link connects. The LDAP URL syntax is <br><code>ldap://</code><span class="variable">server</span><code>:[</code><span class="variable">port</span><code>][</code> <span class="variable">server</span><code>[:</code><span class="variable">port</span><code>]]/</code>
+<b>Connection Type</b>
+</p>
+
+<p class="text">
+<b>Use LDAP (no encryption). </b>If you want the local server to use plain LDAP with no security, select this radio button.  This option must be selected to use SASL/GSSAPI authentication.
+</p>
+
+<p class="text">
+<b>Use TLS/SSL (TLS/SSL encryption with LDAPS). </b><b>Deprecated.</b>  If you want the local server to use TLS/SSL for secure communication using LDAPS, select this radio button. To use this option, you must have first configured your servers to use TLS/SSL.  <b>This is Deprecated - use StartTLS instead.</b>
+</p>
+
+<p class="text">
+<b>Use StartTLS (TLS/SSL encryption with LDAP). </b>If you want the local server to use TLS/SSL for secure communication using StartTLS to start an encrypted channel using LDAP, select this radio button. To use this option, you must have first configured your servers to use TLS/SSL.
+</p>
+
+<p class="text">
+<b>Remote server URL. </b>The LDAP URL of the remote server to which this database link connects. The LDAP URL syntax is <br><code>ldap(s)://</code><span class="variable">server</span><code>:[</code><span class="variable">port</span><code>][</code> <span class="variable">server</span><code>[:</code><span class="variable">port</span><code>]]/</code>  NOTE: If using LDAPS, all servers specified in the URL must use LDAPS, and you must specify the LDAPS port number.  You cannot mix LDAP with LDAPS.
+</p>
+
+<p class="text">
+<b>Authentication Mechanism</b>
+</p>
+
+<p class="text">
+<b>Server TLS/SSL Certificate (requires TLS/SSL server set up). </b>Select this option if you want the chaining server to use its TLS/SSL server certificate for authentication. You cannot use certificate authentication unless the "Use TLS/SSL" or the "Use StartTLS" radio button in the Remote Server(s) Information section is selected. Otherwise, this option will be disabled.  The "Bind As" and Password fields are unavailable with this option because the server will use its certificate to authenticate.
+</p>
+
+<p class="text">
+To use this option, you must first do the following:
+</p>
+
+<ul>
+<li>
+Configure TLS/SSL for both the local and remote servers.
+</li>
+
+<li>
+Configure your remote server to recognize your local server's certificate as the chaining user DN (certificate mapping).
+</li>
+</ul>
+
+<p class="text">
+<b>SASL/GSSAPI (requires Kerberos keytab). </b>Select this option if you want the local server to use its Kerberos server credentials for authentication.  You must have the "Use LDAP" radio button in the Remote Server(s) Information section selected.  Otherwise, this option sill be disabled.  Note that SASL/GSSAPI will use an encrypted channel, so TLS/SSL is not needed with this option.
+</p>
+
+<p class="text">
+To use this option, you must first do the following:
+</p>
+
+<ul>
+<li>
+Configure Kerberos for both your local and remote servers and assign each one a Kerberos server keytab.
+</li>
+
+<li>
+Configure a SASL mapping on your remote server to map the local server's Kerberos principal to a chaing user DN.
+</li>
+</ul>
+
+<p class="text">
+<b>SASL/DIGEST-MD5 (SASL user id and password). </b>Select this option if you want the local server to use SASL/Digest-MD5 authentication.  This option requires a SASL user id and password.  You specify them in the Bind As and Password fields (see below).  You must configure the remote server with the appropriate SASL mapping to use this option.
+</p>
+
+<p class="text">
+<b>Simple Authentication. </b>Select this option if you want the local server to use simple authentication during communication. You can choose "Use SSL/TLS" or "Use StartTLS" if you want the simple authentication to take place over a secure channel but without certificates.
 </p>
 
 <p class="text">
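Review bot: the Server TLS/SSL Certificate and SASL/GSSAPI paragraphs tell the user to find the radio button "in the Remote Server(s) Information section", but on this tab the radio buttons are introduced under the heading "Connection Type"; the cross-reference should name the section that exists on this page. The same defects as in configtab_chaindb.html are duplicated here ("sill be disabled", "chaing user DN", and "Use SSL/TLS" where the button is labelled "Use TLS/SSL"); since the text is copied verbatim between the two files, fix both in one pass. The new NOTE on the Remote server URL (all servers in the URL must be LDAPS and carry the LDAPS port) is a useful addition, but "ldap(s)://" in the syntax line would be clearer written out as the two accepted schemes, `ldap://` and `ldaps://`.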


Index: configtab_replication.html
===================================================================
RCS file: /cvs/dirsec/directoryconsole/help/en/help/configtab_replication.html,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- configtab_replication.html	20 Nov 2007 17:35:08 -0000	1.2
+++ configtab_replication.html	3 Mar 2009 00:13:59 -0000	1.3
@@ -3,11 +3,11 @@
 </p>
 
 <p class="text">
-The replication model used in Directory Server 4.1x and the current replication model are different. The former replication model is termed Legacy Replication.  Only use this tab if you wish to accept replication updates from a  4.1x Directory Server using legacy replication.
+The replication model used in Directory Server 4.1x and the current replication model are different. The former replication model is termed Legacy Replication.  Only use this tab if you wish to accept replication updates from a 4.1x Directory Server using legacy replication.
 </p>
 
 <p class="text">
-<b>Enable Legacy Consumer. </b> Select this checkbox if you want this current Directory Server, to act as a legacy consumer. This means that this server can accept updates from a 4.1x supplier server. You must check this checkbox to activate the other fields in this window.
+<b>Enable Legacy Consumer. </b> Select this checkbox if you want this Directory Server to act as a legacy consumer. This means that this server can accept updates from a 4.1x supplier server. You must check this checkbox to activate the other fields in this window.
 </p>
 
 <p class="text">


Index: configtab_replication2.html
===================================================================
RCS file: /cvs/dirsec/directoryconsole/help/en/help/configtab_replication2.html,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- configtab_replication2.html	20 Nov 2007 17:35:08 -0000	1.2
+++ configtab_replication2.html	3 Mar 2009 00:13:59 -0000	1.3
@@ -3,11 +3,11 @@
 </p>
 
 <p class="text">
-Use this tab to configure a server as a supplier server. You must specify supplier attributes on any server that holds the master copy of a directory database.
+Use this tab to configure a server as a supplier server.  This applies to any server which supplies updates to another server, whether the server is one of several masters, a single master, or a read-only hub.
 </p>
 
 <p class="text">
-<b>Enable Changelog. </b>Check this box if you want this server to record all update operations in a change log so that these changes can be replayed on a consumer server.
+<b>Enable Changelog. </b>A supplier server must keep track of changes that it needs to replay to other servers.  The database that keeps track of these changes is called the <b>Changelog</b> database.  Check this box if you want this server to record all update operations in a change log so that these changes can be replayed on a consumer server.
 </p>
 
 <p class="text">


Index: configtab_replication3.html
===================================================================
RCS file: /cvs/dirsec/directoryconsole/help/en/help/configtab_replication3.html,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- configtab_replication3.html	26 Feb 2009 17:49:06 -0000	1.3
+++ configtab_replication3.html	3 Mar 2009 00:13:59 -0000	1.4
@@ -24,7 +24,7 @@
 </p>
 
 <p class="text">
-<b>Hub. </b>Select this radio button if you want this Directory Server to accept updates from a supplier server, and replicate changes to consumer servers.
+<b>Hub. </b>Select this radio button if you want this Directory Server to accept updates from one or more supplier server, and replicate changes to consumer servers.  Except for replicated operations from suppliers, a hub can service search operations but not update operations. Update operations will be referred to a supplier server.
 </p>
 
 <p class="text">
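Review bot: grammar in the Hub paragraph: "from one or more supplier server" should be "supplier servers". The added sentence that update operations are referred to a supplier is a helpful clarification; since the Supplier tab text in this same commit says the changelog applies to a read-only hub as well, it would be worth a sentence here that a hub still needs the changelog enabled to replay changes to its consumers.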
@@ -42,15 +42,15 @@
 </p>
 
 <p class="text">
-If the ID is incorrect, the field labels turn red and the Save button is disabled. Dedicated Consumer does not require Replica ID.
+If the ID is incorrect, the field labels turn red and the Save button is disabled. Hub and Dedicated Consumer do not require Replica ID.
 </p>
 
 <p class="text">
-<b>Purge delay.</b> The delay you specify in these fields determines how often the state information stored in the replicated entries is purged. Check the Never checkbox if you want to save this information indefinitely.
+<b>Purge delay. </b>The delay you specify in these fields determines how long the server keeps replication state information in the database before it is purged.  A longer time means that the risk of needing to perform a replication re-initialization is lower, but you will need more disk space to store the extra data and more memory to cache the extra data.  A shorter time means the risk of needing to perform a replication re-initializtion is higher, but you will need less disk space and memory.  Check the Never checkbox if you want to save this information indefinitely.  
 </p>
 
 <p class="text">
-<b>Updatable by a 4.x Replica.</b> Check this checkbox if you want this Directory Server to act as a legacy consumer of a 4.x supplier server.
+<b>Updatable by a 4.x Replica. </b>Check this checkbox if you want this Directory Server to act as a legacy consumer of a 4.x supplier server.
 </p>
 </ul>
 
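Review bot: typo in the Purge delay paragraph: "re-initializtion" should be "re-initialization" (the earlier occurrence in the same paragraph is spelled correctly), and the line ends with trailing whitespace. The trade-off explanation (a longer delay lowers the chance of a forced re-initialization at the cost of disk space and cache memory) is a good addition, but the paragraph never states what unit the delay fields take; saying so avoids users entering seconds where the UI expects a larger unit.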
@@ -60,10 +60,10 @@
 
 <ul>
 <p class="text">
-<b>Current Supplier DNs.</b> This field lists the supplier bind DNs that supplier servers must use to update this replica. You can now specify multiple supplier bind DNs per replica, but only one supplier DN per replication agreement. Use the "<b>Enter a new Supplier DN</b>" field to specify a new supplier DN and click Add to add it to this list. If you have configured replication over SSL, specify the DN of the entry that contains the supplier's certificate in the "<b>Enter a new Supplier DN</b>" field and click Add to add it to this list.
+<b>Current Supplier DNs. </b>This field lists the supplier bind DNs that supplier servers must use to update this replica. You can specify multiple supplier bind DNs per replica, but only one supplier DN per replication agreement. Use the "<b>Enter a new Supplier DN</b>" field to specify a new supplier DN and click Add to add it to this list. If you have configured replication over SSL, specify the DN of the entry that contains the supplier's certificate in the "<b>Enter a new Supplier DN</b>" field and click Add to add it to this list.
 </p>
 
 <p class="text">
-<b>Current URLs for referrals (Optional).</b> Directory Server uses the information contained in the replication agreement to create referrals from the consumer server to the appropriate supplier servers. This field lists the URLs you specify in addition to the automatic URLs which will be set up automatically. If you want the consumer to return an <code>ldaps://</code> URL, so that clients will bind to the supplier servers using SSL, enter the URL in the "Enter a new URL" field and click Add to add it to this list of current URLs. In the same way, if you have a cascading replication scenario and you want the referral returned to clients to point to the original supplier instead of the hub supplier, enter the corresponding URL in the "Enter a new URL" field and click Add to add it to this list of current URLs.
+<b>Current URLs for referrals (Optional). </b>Directory Server uses the information contained in the replication agreement to create referrals from the consumer server to the appropriate supplier servers. This field lists the URLs you specify in addition to the automatic URLs which will be set up automatically. If you want the consumer to return an <code>ldaps://</code> URL, so that clients will bind to the supplier servers using SSL, enter the URL in the "Enter a new URL" field and click Add to add it to this list of current URLs. In the same way, if you have a cascading replication scenario and you want the referral returned to clients to point to the original supplier instead of the hub supplier, enter the corresponding URL in the "Enter a new URL" field and click Add to add it to this list of current URLs.
 </p>
 </ul>
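Review bot: the Current Supplier DNs paragraph still says "If you have configured replication over SSL", while the rest of this commit renames the option to "TLS/SSL" and adds a separate "Server TLS/SSL Certificate" authentication mechanism; say "certificate authentication over TLS/SSL" here, and note that the DN entered must match the certificate mapping configured on the consumer, as the Connection tab help in this commit already states.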


Index: configtab_replication6.html
===================================================================
RCS file: /cvs/dirsec/directoryconsole/help/en/help/configtab_replication6.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- configtab_replication6.html	13 Aug 2007 22:28:09 -0000	1.1
+++ configtab_replication6.html	3 Mar 2009 00:13:59 -0000	1.2
@@ -3,39 +3,73 @@
 </p>
 
 <p class="text">
-Use the Connection tab to display the type of connection used by your replica during replication. You can use this tab to modify the user bind name and password. You cannot change the connection type. To change the connection type, re-create the replication agreement.
+Use the Connection tab to display and configure the type of connection and authentication used by your replica during replication.   You cannot change the connection type to or from "Use TLS/SSL (TLS/SSL encryption with LDAPS)" since this would require changing the port number.  If you want to do this, re-create the agreement.
 </p>
 
 <p class="text">
-<b>Using Encrypted SSL Connection. </b>When selected, specifies that the supplier and consumer servers use SSL for secure communication.
+<b>Use LDAP (no encryption). </b>If you want the supplier and consumer servers to use plain LDAP with no security, select this radio button.  This option must be selected to use SASL/GSSAPI authentication (see below).
 </p>
 
 <p class="text">
-<b>SSL Client Authentication. </b>When selected, this option specifies that the supplier and consumer servers use certificates for secure communication. SSL client authentication is not used unless the "Using Encrypted SSL Connection" checkbox is selected. The Bind As and Password fields are unavailable with this option because the server will use its security certificate to authenticate to the consumer server.
+<b>Use TLS/SSL (TLS/SSL encryption with LDAPS). </b><b>Deprecated.</b>  If you want the supplier and consumer servers to use TLS/SSL for secure communication using LDAPS, select this radio button. To use this option, you must have first configured your servers to use TLS/SSL.  <b>This is Deprecated - use StartTLS instead.</b>
 </p>
 
 <p class="text">
-To select this option, you must first do the following:
+<b>Use StartTLS (TLS/SSL encryption with LDAP). </b>If you want the supplier and consumer servers to use TLS/SSL for secure communication using StartTLS to start an encrypted channel using LDAP, select this radio button. To use this option, you must have first configured your servers to use TLS/SSL.
+</p>
+
+<p class="text">
+<b>Authentication Mechanism</b>
+</p>
+
+<p class="text">
+<b>Server TLS/SSL Certificate (requires TLS/SSL server set up). </b>Select this option if you want the supplier to use its TLS/SSL server certificate for authentication. You cannot use certificate authentication unless the "Use TLS/SSL" or the "Use StartTLS" radio button in the Connection section is selected. Otherwise, this option will be disabled.  The "Bind As" and Password fields are unavailable with this option because the server will use its certificate to authenticate.
+</p>
+
+<p class="text">
+To use this option, you must first do the following:
+</p>
+
+<ul>
+<li>
+Configure TLS/SSL for both your supplier and consumer servers.
+</li>
+
+<li>
+Configure your consumer server to recognize your supplier server's certificate as the supplier DN (certificate mapping).
+</li>
+</ul>
+
+<p class="text">
+<b>SASL/GSSAPI (requires Kerberos keytab). </b>Select this option if you want the supplier to use its Kerberos server credentials for authentication.  You must have the "Use LDAP" radio button in the Connection section selected.  Otherwise, this option sill be disabled.  Note that SASL/GSSAPI will use an encrypted channel, so TLS/SSL is not needed with this option.
+</p>
+
+<p class="text">
+To use this option, you must first do the following:
 </p>
 
 <ul>
 <li>
-Configure SSL for both your supplier and consumer server.
+Configure Kerberos for both your supplier and consumer servers and assign each one a Kerberos server keytab.
 </li>
 
 <li>
-Configure your consumer server to recognize your supplier server's certificate as the supplier DN.
+Configure a SASL mapping on your consumer server to map the supplier's server Kerberos principal to a supplier DN.
 </li>
 </ul>
 
 <p class="text">
-<b>Simple Authentication. </b>When selected, this option specifies that the supplier and consumer servers use simple authentication during communication.
+<b>SASL/DIGEST-MD5 (SASL user id and password). </b>Select this option if you want the supplier to use SASL/Digest-MD5 authentication.  This option requires a SASL user id and password.  You specify them in the Bind As and Password fields (see below).  You must configure the consumer server with the appropriate SASL mapping to use this option.
+</p>
+
+<p class="text">
+<b>Simple Authentication. </b>Select this option if you want the supplier to use simple authentication during communication. You can choose "Use SSL/TLS" or "Use StartTLS" if you want the simple authentication to take place over a secure channel but without certificates.
 </p>
 
 <p class="text">
-<b>Bind As. </b>You can update the supplier bind DN in the Bind As text box.
+<b>Bind As. </b>If you are using Simple or SASL/DIGEST-MD5 authentication, enter the supplier bind DN or SASL user id defined on the consumer server in the Bind As text box.
 </p>
 
 <p class="text">
-<b>Password. </b>You can update the password corresponding to the supplier bind DN in the Password field.
+<b>Password. </b>Enter the password for the Supplier DN or SASL user id in the Password field.
 </p>
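Review bot: same copy-paste defects as in the chaining help: "sill be disabled" in the SASL/GSSAPI paragraph, and "Use SSL/TLS" in the Simple Authentication paragraph where the button is labelled "Use TLS/SSL". In the second Kerberos bullet, "the supplier's server Kerberos principal" should read "the supplier server's Kerberos principal". The Password paragraph capitalises "Supplier DN" while the Bind As paragraph above it writes "supplier bind DN"; pick one form. The intro sentence also has a run of three spaces before "You cannot change".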


Index: configtab_replication7.html
===================================================================
RCS file: /cvs/dirsec/directoryconsole/help/en/help/configtab_replication7.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- configtab_replication7.html	13 Aug 2007 22:28:09 -0000	1.1
+++ configtab_replication7.html	3 Mar 2009 00:13:59 -0000	1.2
@@ -7,9 +7,9 @@
 </p>
 
 <p class="text">
-<b>Host Name. </b>Enter the host name of the supplier or consumer server as appropriate.
+<b>Host Name. </b>Enter the host name of the consumer server.  If you are using TLS/SSL or SASL/GSSAPI, you should use a fully qualified host and domain name.  Make sure the host name you use will resolve correctly on both the supplier and consumer server.
 </p>
 
 <p class="text">
-<b>Port Number. </b>Enter the port number of the supplier or consumer server as appropriate.
+<b>Port Number. </b>Enter the port number of the supplier or consumer server as appropriate.  If you are using TLS/SSL over LDAPS, you must enter the secure LDAPS port number (default 636).  Otherwise, enter the regular LDAP port number (default 389).
 </p>
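Review bot: the Host Name paragraph now says "of the consumer server", while the Port Number paragraph below it still says "of the supplier or consumer server as appropriate"; the two should agree on which server this page describes. Port Number also omits what StartTLS uses, which the chaining help in this commit spells out ("StartTLS uses the regular LDAP port number"); adding that sentence here keeps users from choosing 636 for a StartTLS agreement.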


Index: configtab_synchronization3.html
===================================================================
RCS file: /cvs/dirsec/directoryconsole/help/en/help/configtab_synchronization3.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- configtab_synchronization3.html	13 Aug 2007 22:28:09 -0000	1.1
+++ configtab_synchronization3.html	3 Mar 2009 00:13:59 -0000	1.2
@@ -3,15 +3,19 @@
 </p>
 
 <p class="text">
-Use the Connection tab to display the type of connection used by your servers during synchronization. You can use this tab to modify the user bind name and password. You cannot change the connection type since this would require changing the port number.  To change the connection type, re-create the synchronization agreement.
+Use the Connection tab to display the type of connection used by your servers during synchronization. You can use this tab to modify the user bind name and password. You cannot change the connection type to or from "Use TLS/SSL (TLS/SSL encryption with LDAPS)" since this would require changing the port number.  If you want to do this, re-create the synchronization agreement.
 </p>
 
 <p class="text">
-<b>Using Encrypted SSL Connection. </b>When selected, specifies that the supplier and consumer servers use SSL for secure communication.
+<b>Use LDAP (no encryption). </b>If you want the directory server to use plain LDAP with no security to connect to Windows, select this radio button.
 </p>
 
 <p class="text">
-<b>SSL Client Authentication. </b>Client authentication is no used for synchronization; this option is ignored if selected.
+<b>Use TLS/SSL (TLS/SSL encryption with LDAPS). </b><b>Deprecated.</b>  If you want the directory server to use TLS/SSL for secure communication using LDAPS to connect to Windows, select this radio button. To use this option, you must have first configured your servers to use TLS/SSL.  <b>This is Deprecated - use StartTLS instead.</b>
+</p>
+
+<p class="text">
+<b>Use StartTLS (TLS/SSL encryption with LDAP). </b>If you want the directory server to use TLS/SSL for secure communication using StartTLS to start an encrypted channel using LDAP, select this radio button. To use this option, you must have first configured your servers to use TLS/SSL.
 </p>
 
 <p class="text">
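Review bot: the intro sentence still says the Connection tab is used "to display the type of connection" and that only the bind name and password can be modified, but the hunk then adds three selectable connection-type radio buttons; the equivalent replication text in this commit says "display and configure", and this paragraph should match. The old "SSL Client Authentication" paragraph, which said client authentication is not used for synchronization, is removed without a replacement; if certificate authentication is still unsupported for Windows sync, say so explicitly, otherwise readers will assume the chaining and replication authentication mechanisms apply here too.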
@@ -25,3 +29,12 @@
 <p class="text">
 <b>Password. </b>You can update the password corresponding to the bind DN in the Password field.
 </p>
+
+<p class="text">
+<b>New Windows User Sync </b>Check this checkbox if you want to add new Windows users automatically to the Directory Server.
+</p>
+
+<p class="text">
+<b>New Windows Group Sync </b>Check this checkbox if you want to add new Windows groups automatically to the Directory Server.
+</p>
+
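Review bot: the new labels "New Windows User Sync " and "New Windows Group Sync " are missing the trailing period that every other bold label in these help files uses ("Password. "), and the hunk adds a trailing blank line at end of file. The descriptions also do not say what happens when the box is left unchecked (whether new Windows entries are ignored while existing ones are still synchronized), which is the question a user has when deciding.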


Index: replication_wizard.html
===================================================================
RCS file: /cvs/dirsec/directoryconsole/help/en/help/replication_wizard.html,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- replication_wizard.html	20 Nov 2007 17:35:08 -0000	1.2
+++ replication_wizard.html	3 Mar 2009 00:13:59 -0000	1.3
@@ -7,7 +7,7 @@
 </p>
 
 <p class="text">
-<b>Supplier. </b>This field contains a static display of the name and port number of the supplier server in this agreement.
+<b>Supplier. </b>This field contains a static display of the name and port number of the supplier server in this agreement. <b>NOTE:</b> This field is only used for naming purposes.  If you have chosen to perform replication using TLS/SSL with LDAPS, using the secure port, the <b>Supplier</b> field may still display the non-secure port number - this is ok.  Please refer to the Connection and Authentication values below to see if the connection is really using TLS/SSL or not.
 </p>
 
 <p class="text">
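Review bot: the Supplier note is a useful warning, but "this is ok" and the bare hyphen used as a dash read informally for help text; "this is expected" fits the register. The sentence also points the reader to "the Connection and Authentication values below", while the headings on this page are the Connection radio buttons and "Authentication Mechanism"; quoting the exact heading avoids confusion.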
@@ -20,11 +20,25 @@
 
 <ul>
 <p class="text">
-<b>Using Encrypted SSL Connection. </b>If you want the supplier and consumer servers to use SSL for secure communication, select this checkbox. To use this option, you must have first configured your servers to use SSL.
+<b>Use LDAP (no encryption). </b>If you want the supplier and consumer servers to use plain LDAP with no security, select this radio button.  This option must be selected to use SASL/GSSAPI authentication (see below).
 </p>
 
 <p class="text">
-<b>SSL Client Authentication. </b>Select this option if you want the supplier and consumer servers to use certificates for secure communication. You cannot use SSL client authentication unless the "Using Encrypted SSL Connection" checkbox is selected. The "Bind As" and Password fields are unavailable with this option because the servers will use security certificates to authenticate to each other.
+<b>Use TLS/SSL (TLS/SSL encryption with LDAPS). </b><b>Deprecated.</b>  If you want the supplier and consumer servers to use TLS/SSL for secure communication using LDAPS, select this radio button. To use this option, you must have first configured your servers to use TLS/SSL.  <b>This is Deprecated - use StartTLS instead.</b>
+</p>
+
+<p class="text">
+<b>Use StartTLS (TLS/SSL encryption with LDAP). </b>If you want the supplier and consumer servers to use TLS/SSL for secure communication using StartTLS to start an encrypted channel using LDAP, select this radio button. To use this option, you must have first configured your servers to use TLS/SSL.
+</p>
+
+</ul>
+<p class="text">
+<b>Authentication Mechanism</b>
+</p>
+
+<ul>
+<p class="text">
+<b>Server TLS/SSL Certificate (requires TLS/SSL server set up). </b>Select this option if you want the supplier to use its TLS/SSL server certificate for authentication. You cannot use certificate authentication unless the "Use TLS/SSL" or the "Use StartTLS" radio button in the Connection section is selected. Otherwise, this option will be disabled.  The "Bind As" and Password fields are unavailable with this option because the server will use its certificate to authenticate.
 </p>
 
 <p class="text">
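Review bot: The "Use TLS/SSL (TLS/SSL encryption with LDAPS)" paragraph marks the option as deprecated twice, once at the start ("<b>Deprecated.</b>") and again at the end ("<b>This is Deprecated - use StartTLS instead.</b>"); keep one, preferably the closing sentence that tells the reader what to use instead. Separately, the new "Authentication Mechanism" section opens a <ul> that contains only <p> elements with no <li>, which is invalid HTML; it matches the existing Connection section above, but since this hunk introduces new markup it would be a good moment to wrap each option in an <li> or drop the <ul>.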
@@ -33,24 +47,46 @@
 
 <ul>
 <li>
-Configure SSL for both your supplier and consumer servers.
+Configure TLS/SSL for both your supplier and consumer servers.
 </li>
 
 <li>
-Configure your consumer server to recognize your supplier server's certificate as the supplier DN.
+Configure your consumer server to recognize your supplier server's certificate as the supplier DN (certificate mapping).
 </li>
 </ul>
 
 <p class="text">
-<b>Simple Authentication. </b>Select this option if you want the supplier and consumer servers to use simple authentication during communication. If you select the "Using Encrypted SSL Connection" checkbox and you specify this option, the simple authentication will take place over a secure channel but without certificates.
+<b>SASL/GSSAPI (requires Kerberos keytab). </b>Select this option if you want the supplier to use its Kerberos server credentials for authentication.  You must have the "Use LDAP" radio button in the Connection section selected.  Otherwise, this option sill be disabled.  Note that SASL/GSSAPI will use an encrypted channel, so TLS/SSL is not needed with this option.
+</p>
+
+<p class="text">
+To use this option, you must first do the following:
+</p>
+
+<ul>
+<li>
+Configure Kerberos for both your supplier and consumer servers and assign each one a Kerberos server keytab.
+</li>
+
+<li>
+Configure a SASL mapping on your consumer server to map the supplier's server Kerberos principal to a supplier DN.
+</li>
+</ul>
+
+<p class="text">
+<b>SASL/DIGEST-MD5 (SASL user id and password). </b>Select this option if you want the supplier to use SASL/Digest-MD5 authentication.  This option requires a SASL user id and password.  You specify them in the Bind As and Password fields (see below).  You must configure the consumer server with the appropriate SASL mapping to use this option.
+</p>
+
+<p class="text">
+<b>Simple Authentication. </b>Select this option if you want the supplier to use simple authentication during communication. You can choose "Use SSL/TLS" or "Use StartTLS" if you want the simple authentication to take place over a secure channel but without certificates.
 </p>
 
 <p class="text">
-<b>Bind As. </b>If you are not using SSL, or you are using SSL with simple authentication, enter the supplier bind DN defined on the consumer server in the Bind As text box.
+<b>Bind As. </b>If you are using Simple or SASL/DIGEST-MD5 authentication, enter the supplier bind DN or SASL user id defined on the consumer server in the Bind As text box.
 </p>
 
 <p class="text">
-<b>Password. </b>If you are not using SSL, or you are using SSL with simple authentication, enter the Supplier DN password in the Password field.
+<b>Password. </b>Enter the password for the Supplier DN or SASL user id in the Password field.
 </p>
 </ul>
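Review bot: Typo in the SASL/GSSAPI paragraph: "this option sill be disabled" should be "will be disabled". In the Simple Authentication paragraph the radio button is called "Use SSL/TLS", while the Connection section and the certificate paragraph name it "Use TLS/SSL"; use one spelling so the reader can find the control. It would also help to say that SASL/DIGEST-MD5 and Simple Authentication only protect the connection when "Use StartTLS" or "Use TLS/SSL" is selected, as the Simple paragraph already does for simple binds; the DIGEST-MD5 paragraph is silent on this, whereas the GSSAPI paragraph explicitly explains that it brings its own encrypted channel.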
 


Index: replication_wizard5.html
===================================================================
RCS file: /cvs/dirsec/directoryconsole/help/en/help/replication_wizard5.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- replication_wizard5.html	13 Aug 2007 22:28:09 -0000	1.1
+++ replication_wizard5.html	3 Mar 2009 00:13:59 -0000	1.2
@@ -7,7 +7,7 @@
 </p>
 
 <p class="text">
-<b>Name. </b>Enter a meaningful name for the replication agreement. This field is required.
+<b>Name. </b>Enter a meaningful name for the replication agreement. This field is required.  This field will be used to create the name of the configuration entry (the CN value), so it's better to choose something short yet meaningful and without a lot of special characters.
 </p>
 
 <p class="text">
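Review bot: "without a lot of special characters" in the new Name text is vague for something that becomes the CN of a configuration entry. Since the value is used as an RDN, suggest naming the characters that require escaping in a DN (comma, plus, double quote, backslash, less-than, greater-than, semicolon, and a leading or trailing space) so the administrator knows what to avoid, and change "it's" to "it is" to match the rest of the help text.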


Index: synchronization_wizard1.html
===================================================================
RCS file: /cvs/dirsec/directoryconsole/help/en/help/synchronization_wizard1.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- synchronization_wizard1.html	13 Aug 2007 22:28:09 -0000	1.1
+++ synchronization_wizard1.html	3 Mar 2009 00:13:59 -0000	1.2
@@ -7,7 +7,7 @@
 </p>
 
 <p class="text">
-<b>Name. </b>Enter a meaningful name for the synchronization agreement. This field is required.
+<b>Name. </b>Enter a meaningful name for the agreement. This field is required.  This field will be used to create the name of the configuration entry (the CN value), so it's better to choose something short yet meaningful and without a lot of special characters.
 </p>
 
 <p class="text">
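Review bot: This hunk changes "synchronization agreement" to just "agreement", which loses the only mention on the page of what kind of agreement is being named; keep "synchronization agreement". The added sentence about the CN value has the same vagueness as in replication_wizard5.html: say which DN special characters to avoid rather than "a lot of special characters", and use "it is" instead of "it's".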


Index: synchronization_wizard2.html
===================================================================
RCS file: /cvs/dirsec/directoryconsole/help/en/help/synchronization_wizard2.html,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- synchronization_wizard2.html	20 Nov 2007 17:35:08 -0000	1.2
+++ synchronization_wizard2.html	3 Mar 2009 00:13:59 -0000	1.3
@@ -36,11 +36,11 @@
 </p>
 
 <p class="text">
-<b>Domain Controller Host. </b>This is the hostname of the domain controller in the Windows domain you wish to use for sync operations. This name must be resolvable and, if SSL is being used, must match the CN of the certificate issued to the domain controller. That is normally the fully qualified DNS name. For example: <span style="font-family: courier new,courier,monospace;">dc01.example.com</span>
+<b>Domain Controller Host. </b>This is the hostname of the domain controller in the Windows domain you wish to use for sync operations. This name must be resolvable and, if TLS/SSL (StartTLS or LDAPS) is being used, must match the CN of the certificate issued to the domain controller. That is normally the fully qualified DNS name. For example: <span style="font-family: courier new,courier,monospace;">dc01.example.com</span>
 </p>
 
 <p class="text">
-<b>Port Num. </b>The Windows domain controller port number. By default, this is 389; this is automatically reset to 636 if you check the "Using encrypted SSL connection" checkbox (even if you had previously set a different value).
+<b>Port Num. </b>The Windows domain controller port number. By default, this is 389; this is automatically reset to 636 if you check the "Use TLS/SSL (TLS/SSL encryption with LDAPS)." checkbox (even if you had previously set a different value).  It is better to choose the connection type first, then change this port number field if necessary.
 </p>
 </ul>
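Review bot: The Port Num paragraph still calls "Use TLS/SSL (TLS/SSL encryption with LDAPS)" a checkbox, but the next hunk in this file describes it as a radio button; also the quoted label carries a stray period inside the quotes. Suggest: 'this is automatically reset to 636 if you select the "Use TLS/SSL (TLS/SSL encryption with LDAPS)" radio button'. The advice to pick the connection type first is useful because the reset silently overwrites a custom port; it may be worth stating that consequence outright.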
 
@@ -50,11 +50,19 @@
 
 <ul>
 <p class="text">
-<b>Using Encrypted SSL Connection. </b>If you want the Directory Server and Windows servers to use SSL for secure communication, select this checkbox. To use this option, you must have first configured your servers to use SSL. It is strongly recommended that you use an SSL connection. Passwords will not be synchronized if you do not enable SSL.
+<b>Use LDAP (no encryption). </b>If you want the supplier and consumer servers to use plain LDAP with no security, select this radio button.
 </p>
 
 <p class="text">
-<b>Bind As. </b>Enter the supplier bind DN defined on the Windows server in the Bind As text box. This must be a valid DN.
+<b>Use TLS/SSL (TLS/SSL encryption with LDAPS). </b><b>Deprecated.</b>  If you want the supplier and consumer servers to use TLS/SSL for secure communication using LDAPS, select this radio button. To use this option, you must have first configured your servers to use TLS/SSL.  <b>This is Deprecated - use StartTLS instead.</b>
+</p>
+
+<p class="text">
+<b>Use StartTLS (TLS/SSL encryption with LDAP). </b>If you want the supplier and consumer servers to use TLS/SSL for secure communication using StartTLS to start an encrypted channel using LDAP, select this radio button. To use this option, you must have first configured your servers to use TLS/SSL.
+</p>
+
+<p class="text">
+<b>Bind As. </b>Enter the supplier bind DN defined on the Windows server in the Bind As text box. This must be a valid DN.  This user must be able to read, write, and use the DirSync control in the specified subtree.
 </p>
 
 <p class="text">
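Review bot: The removed "Using Encrypted SSL Connection" paragraph carried two statements that the replacement options drop: that an encrypted connection is strongly recommended, and that passwords will not be synchronized unless encryption is enabled. Neither appears in the new "Use LDAP (no encryption)", "Use TLS/SSL" or "Use StartTLS" paragraphs, so the reader of the new page no longer learns that choosing plain LDAP disables password sync; please carry both sentences into the "Use LDAP (no encryption)" paragraph. The three new paragraphs also refer to "the supplier and consumer servers", copied from the replication wizard, whereas this page is about the Directory Server and the Windows domain controller (the removed text said "the Directory Server and Windows servers"); adjust the wording to match this wizard.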



