author    Martin Hedenfal <martinh@cvs.openbsd.org>  2011-01-28 09:26:23 +0000
committer Martin Hedenfal <martinh@cvs.openbsd.org>  2011-01-28 09:26:23 +0000
commit    8abbe53c89c1fb1a4cd559b2305be664f4f082ee (patch)
tree      ce29ba8b5ffb5c4931ef1ba6923a5de797f26677
parent    eeb39c18bc4d324f8dd9644a550ee35e8d39be24 (diff)
document available authentication types and formats.
with tweaks from jmc@
-rw-r--r--  usr.sbin/ldapd/ldapd.8       48
-rw-r--r--  usr.sbin/ldapd/ldapd.conf.5  12
2 files changed, 56 insertions, 4 deletions
diff --git a/usr.sbin/ldapd/ldapd.8 b/usr.sbin/ldapd/ldapd.8
index e6bd09d153e..767afa3978e 100644
--- a/usr.sbin/ldapd/ldapd.8
+++ b/usr.sbin/ldapd/ldapd.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ldapd.8,v 1.8 2010/11/10 08:00:54 martinh Exp $
+.\" $OpenBSD: ldapd.8,v 1.9 2011/01/28 09:26:22 martinh Exp $
.\"
.\" Copyright (c) 2009, 2010 Martin Hedenfalk <martin@bzero.se>
.\"
@@ -14,7 +14,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd $Mdocdate: November 10 2010 $
+.Dd $Mdocdate: January 28 2011 $
.Dt LDAPD 8
.Os
.Sh NAME
@@ -70,6 +70,49 @@ together with the
.Fl d
flag produces debug traces of decoded BER messages on stderr.
.El
+.Sh AUTHENTICATION
+.Nm
+can authenticate users via simple binds or SASL with the PLAIN
+mechanism.
+.Pp
+When using simple binds, the bind DN entry must exist in a namespace
+and have a
+.Ic userPassword
+attribute.
+The following formats of the
+.Ic userPassword
+attribute are recognized:
+.Bl -tag -width Ds
+.It Ic {SHA}digest
+Verify the password against the SHA-1 digest.
+.It Ic {SSHA}digest
+Verify the password against the salted SHA-1 digest.
+.It Ic {CRYPT}hash
+Verify the password against the
+.Xr crypt 3
+hash.
+.It Ic {BSDAUTH}username
+Use BSD Authentication with the given username and authentication style
+.Dq auth-ldap .
+This is similar to using SASL PLAIN authentication with
+.Ar username
+as the authentication ID.
+.It Ic {BSDAUTH}username#class
+Same as above, but overrides the login class.
+.El
+.Pp
+Without a prefix, the
+.Ic userPassword
+attribute is compared literally with the provided plain text password.
+.Pp
+When using SASL binds, the authentication ID should be a valid
+username for BSD Authentication.
+.Pp
+For plain text passwords to be accepted, the connection must be
+considered secure, either by using an encrypted connection, or by
+using the
+.Ic secure
+keyword in the configuration file.
.Sh FILES
.Bl -tag -width "/var/run/ldapd.sockXXXXXXX" -compact
.It Pa /etc/ldapd.conf
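Review bot: the {SHA} and {SSHA} entries say only "digest", and the {CRYPT} entry only "hash", without stating how the value after the prefix is encoded in the userPassword attribute or, for {SSHA}, where the salt sits relative to the digest, so an administrator writing such a value by hand has to guess what ldapd will parse. Suggest one clause per prefix giving the exact layout the code accepts (e.g. "the base64 encoding of the digest followed by the salt" for {SSHA}, if that is what is parsed). Separately, "For plain text passwords to be accepted, the connection must be considered secure" is ambiguous between an unprefixed stored value and the password sent over the wire by simple and SASL PLAIN binds; since the sentence talks about the connection the latter seems to be meant, and saying so explicitly, plus an .Xr ldapd.conf 5 next to the mention of the "secure" keyword "in the configuration file", would remove the doubt.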
@@ -86,6 +129,7 @@ database files
.El
.Sh SEE ALSO
.Xr ldapd.conf 5 ,
+.Xr login.conf 5 ,
.Xr ldapctl 8
.Rs
.%R RFC 4511
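Review bot: the new AUTHENTICATION section cross-references crypt(3) via ".Xr crypt 3", but SEE ALSO only gains login.conf 5 here; add ".Xr crypt 3 ," as well, placed before the section-5 entries so the list stays ordered by section.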
diff --git a/usr.sbin/ldapd/ldapd.conf.5 b/usr.sbin/ldapd/ldapd.conf.5
index ffa6e074a1e..e5584d4c859 100644
--- a/usr.sbin/ldapd/ldapd.conf.5
+++ b/usr.sbin/ldapd/ldapd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ldapd.conf.5,v 1.12 2010/11/04 20:22:34 martinh Exp $
+.\" $OpenBSD: ldapd.conf.5,v 1.13 2011/01/28 09:26:22 martinh Exp $
.\"
.\" Copyright (c) 2009, 2010 Martin Hedenfalk <martin@bzero.se>
.\" Copyright (c) 2008 Janne Johansson <jj@openbsd.org>
@@ -17,7 +17,7 @@
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.\"
-.Dd $Mdocdate: November 4 2010 $
+.Dd $Mdocdate: January 28 2011 $
.Dt LDAPD.CONF 5
.Os
.Sh NAME
@@ -130,6 +130,10 @@ local namespaces.
.It rootpw Ar password
Password for the root user.
Specified either in plain text, or in hashed format.
+See
+.Sx AUTHENTICATION
+in
+.Xr ldapd 8 .
.It schema Ar filename
Add schema definitions from the specified file.
For a description of the schema file syntax see
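Review bot: the unchanged line "Specified either in plain text, or in hashed format." now sits in front of a pointer to a section that also documents the {BSDAUTH}username and {BSDAUTH}username#class forms, which are neither plain text nor a hash. If rootpw accepts every userPassword format listed there, say "in any of the formats described in" instead of "in hashed format"; if it does not, state the restriction here so the cross-reference is not read as implying all of them are valid.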
@@ -165,6 +169,10 @@ The distinguished name must have the same suffix as the namespace.
.It rootpw Ar password
Password for the root user.
Specified either in plain text, or in hashed format.
+See
+.Sx AUTHENTICATION
+in
+.Xr ldapd 8 .
.It index Ar attribute
Maintain an index on the specified attribute.
This index can be used for equality, presence, prefix substring and range searches.