Posted to commits@directory.apache.org by sm...@apache.org on 2018/07/06 17:03:58 UTC

directory-fortress-core git commit: General readme improvements.

Repository: directory-fortress-core
Updated Branches:
  refs/heads/master cd5e8f9c7 -> 53673c634


General readme improvements.


Project: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/commit/53673c63
Tree: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/tree/53673c63
Diff: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/diff/53673c63

Branch: refs/heads/master
Commit: 53673c6345a395a519c616189e6b9bba52b1db5b
Parents: cd5e8f9
Author: Shawn McKinney <sm...@apache.org>
Authored: Thu Jul 5 18:57:17 2018 -0500
Committer: Shawn McKinney <sm...@apache.org>
Committed: Thu Jul 5 18:57:17 2018 -0500

----------------------------------------------------------------------
 README-PROPERTIES.md       | 59 ++++++++++++++++++++++++++++++++---------
 README-QUICKSTART-SLAPD.md |  4 ++-
 README.md                  | 17 ++++++++----
 build.properties.example   | 10 ++++---
 slapd.properties.example   | 12 +++++----
 5 files changed, 75 insertions(+), 27 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/53673c63/README-PROPERTIES.md
----------------------------------------------------------------------
diff --git a/README-PROPERTIES.md b/README-PROPERTIES.md
index fe0f525..93eb587 100644
--- a/README-PROPERTIES.md
+++ b/README-PROPERTIES.md
@@ -51,7 +51,7 @@ This section describes the properties needed to control fortress core.
 
  ```
  # Else if OpenLDAP server:
- ldap.server.type=slapd
+ ldap.server.type=openldap
  ```
 
  ```
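Review bot: the rename of the OpenLDAP server-type value from `slapd` to `openldap` at `+ ldap.server.type=openldap` is not carried through to item 21 further down in this same file, which still reads `*ldap.server.type-slapd*` (and uses a hyphen where `=` is meant). Update that reference to `ldap.server.type=openldap` so the two sections agree, and if `slapd` is still accepted as a legacy value, say so next to the new line.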
@@ -94,11 +94,27 @@ This section describes the properties needed to control fortress core.
  # Used for SSL Connection to LDAP Server:
  enable.ldap.ssl=true
  enable.ldap.ssl.debug=true
- trust.store=/fully/qualified/path/and/file/name/to/java/truststore
  trust.store.password=changeit
- trust.store.set.prop=true
  ```
 
+ a. Trust store can found on the classpath
+
+ ```
+ trust.store.onclasspath=true
+ trust.store=mytruststorename
+ ```
+
+ b. Trust store can found as fully qualified filename:
+
+ ```
+ trust.store.onclasspath=false
+ trust.store=/fully/qualified/path/and/file/name/to/java/mytruststorename
+ ```
+
+ * Question: Should I access my truststore from classpath or as fully qualified?
+ * Answer: It's usually best find on classpath, that way it can be bundled inside the impl's jar or war files.
+ * Except, when using SSL in processes where JDBC also is using SSL. Due to limitations in how JDBC works, must specify as fully-qualified name.
+
 7. To use REST instead of LDAP.  Points to fortress-rest instance.
 
  ```
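Review bot: both new sub-items are missing a verb ("Trust store can found on the classpath" should be "Trust store can be found on the classpath", likewise for b.), and the third bullet has no subject ("must specify as fully-qualified name" should be "the trust store must be specified as a fully qualified filename"). The hunk also drops `trust.store.set.prop=true` from the sample without saying whether that property is gone or merely no longer needed; one sentence saying which would save readers with existing configs a search. Finally, `trust.store.password=changeit` is the JDK's stock truststore password; marking it as a placeholder to replace keeps copy-and-paste deployments from shipping the default.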
@@ -123,12 +139,23 @@ This section describes the properties needed to control fortress core.
  apacheds.pwpolicy.root=ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
  ```
 
-10. LDAP Directory Information Tree Directives
+10. LDAP Directory Information Tree (DIT) Samples
 
  ```
- # Define the high-level structure of LDAP DIT:
+ # Define the high-level structure of LDAP DIT
+ # For a two-part domain context, e.g. dc=example,dc=com:
+ suffix.name=example
+ suffix.dc=com
  suffix=dc=example,dc=com
+ suffix=dc=${suffix.name},dc=${suffix.dc}
+ # Else, for a three-part domain context, e.g. dc=foo, dc=example,dc=com:
+ suffix.name=foo
+ suffix.dc=example
+ suffix.dc2=com
+ suffix=dc=${suffix.name},dc=${suffix.dc},dc=${suffix.dc2}
+ # The Config container must be specified in the properties file.
  config.root=ou=Config,dc=example,dc=com
+ # The other fortress containers may either be in the build.properties file, or loaded into the config node.
  user.root=ou=People,dc=example,dc=com
  pwpolicy.root=ou=Policies,dc=example,dc=com
  role.root=ou=Roles,ou=RBAC,dc=example,dc=com
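Review bot: the sample now assigns `suffix` twice (`suffix=dc=example,dc=com` followed by `suffix=dc=${suffix.name},dc=${suffix.dc}`) and then reassigns `suffix.name`, `suffix.dc` and `suffix` again for the three-part case, all inside one code block. In a properties file the last assignment wins, so a reader who copies the block verbatim ends up with `dc=foo,dc=example,dc=com` even though the text leads with the two-part example. Put the two alternatives in separate blocks, or comment out the three-part lines with a leading `#`, and drop the literal `suffix=dc=example,dc=com` line that the substitution line supersedes. Also, `dc=foo, dc=example,dc=com` has a stray space after the first comma.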
@@ -138,11 +165,11 @@ This section describes the properties needed to control fortress core.
  permou.root=ou=OS-P,ou=ARBAC,dc=example,dc=com
  adminrole.root=ou=AdminRoles,ou=ARBAC,dc=example,dc=com
  adminperm.root=ou=AdminPerms,ou=ARBAC,dc=example,dc=com
- audit.root=cn=log
  group.root=ou=Groups,dc=example,dc=com
- example.root=ou=Examples,dc=example,dc=com
  ```
 
+ Note: See the [README-CONFIG](./README-CONFIG.md)) guide for more info how fortress finds its properties.
+
 11. Define the delegated administration super admin role.  Any user who is assigned this role will bypass all ARBAC02 security checks, when they are enabled.
 
  ```
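Review bot: the new note line has an extra closing parenthesis, `[README-CONFIG](./README-CONFIG.md))`, which will render as a literal `)` after the link, and "more info how fortress finds" wants "more info on how fortress finds". The removal of `audit.root=cn=log` and `example.root=ou=Examples,dc=example,dc=com` from the sample is not mentioned in the text; a sentence saying whether these keys are still honored would help readers who already have them in build.properties.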
@@ -263,29 +290,35 @@ This section describes the properties needed to control fortress core.
  group.properties=ftProps
  ```
 
-20. Disable OpenLDAP audit operations.  If server type is OpenLDAP *ldap.server.type-slapd*, setting this value to true will disable all auditing operations.  Default is false.
+20. Enable RFC2307bis support for Users and Roles (groups)
+ Setting this prop to true requires the RFC2307bis schema to be present in ldap server. This defines the posixAccount and posixGroup object classes as auxiliary not structural.
+ This will add uidNumber, gidNumber, uidNumber and homeDirectory to Users and gidNumber to Roles. Those attributes are required and will be automatically generated if not otherwise passed in.
+
+ ```
+ # Boolean value. If true, requires rfc2307bis schema because posixUser and posixGroup must be auxiliary object classes to work with ftRls which is structural..
+ rfc2307=true
+ ```
+
+21. Disable OpenLDAP audit operations.  If server type is OpenLDAP *ldap.server.type-slapd*, setting this value to true will disable all auditing operations.  Default is false.
 
  ```
  disable.audit=true
  ```
 
-21. Define delimiter to use for storage of fortress temporal constraints in LDAP.  It is used to delimit fields that are combined into a single attribute, i.e. ftConstraint.
+22. Define delimiter to use for storage of fortress temporal constraints in LDAP.  It is used to delimit fields that are combined into a single attribute, i.e. ftConstraint.
 
   ```
   # Use '$' as delimiter
   attr.delimiter=$
   ```
 
-22. These properties still have some wiring inside fortress but aren't typically used or needed.
+23. These properties still have some wiring inside fortress but aren't typically used or needed.
 
  ```
  dao.connector=apache
-
  #keep alphanumerics and dashes
  regXSafetext=^A-Za-z0-9- .
-
  crypto.prop=${crypto.prop}
-
  clientside.sorting=true
  ```
 
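Review bot: in the new item 20, the attribute list "uidNumber, gidNumber, uidNumber and homeDirectory" repeats `uidNumber`; check which attribute was meant. The prose names the object class `posixAccount` while the code comment says `posixUser`; the schema object class is `posixAccount`, so the comment should match. The same comment ends with a double period ("structural.."). Item 21 still reads `*ldap.server.type-slapd*` even though the first hunk in this file changed the value to `openldap`; update it to `ldap.server.type=openldap`. In item 23, the comment `#keep alphanumerics and dashes` above `regXSafetext=^A-Za-z0-9- .` understates the pattern, which also allows space and period; tightening the comment avoids a false sense of what the filter rejects.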

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/53673c63/README-QUICKSTART-SLAPD.md
----------------------------------------------------------------------
diff --git a/README-QUICKSTART-SLAPD.md b/README-QUICKSTART-SLAPD.md
index 7028521..a4ab562 100644
--- a/README-QUICKSTART-SLAPD.md
+++ b/README-QUICKSTART-SLAPD.md
@@ -75,7 +75,9 @@ ________________________________________________________________________________
  cp slapd.properties.example slapd.properties
  ```
 
- *[slapd.properties.example](slapd.properties.example) contains the slapd default config. Learn more about how the config works: [README-CONFIG](README-CONFIG.md)*
+ *[slapd.properties.example](slapd.properties.example) contains the slapd default config.
+ * Learn more about how the config works: [README-CONFIG](README-CONFIG.md).
+ * Learn more about what properties there are: [README-PROPERTIES](README-PROPERTIES.md).
 
 3. Download the latest OpenLDAP binaries for your platform:
  [Symas OpenLDAP Silver Edition](https://downloads.symas.com/products/symas-openldap-directory-silver-edition/)
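Review bot: the first of the three new lines opens with `*[slapd.properties.example]` and the closing `*` from the old italic sentence was removed, so the asterisk neither starts a list item (no space after it) nor closes as emphasis; it will render as a stray `*`. Either write it as a bullet like the two lines that follow (`* [slapd.properties.example](slapd.properties.example) contains the slapd default config.`) or restore the closing `*` at the end of the sentence.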

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/53673c63/README.md
----------------------------------------------------------------------
diff --git a/README.md b/README.md
index f577ec3..aea9cc2 100644
--- a/README.md
+++ b/README.md
@@ -325,14 +325,20 @@ ________________________________________________________________________________
  vi slapd.properties
  ```
 
-3. Set the LDAP Host and port properties.  Either a valid host name or IP address can be used.  If you are running on the same platform as your LDAP server, localhost will do.
+3. Tell the runtime using OpenLDAP:
+
+ ```
+ ldap.server.type=openldap
+ ```
+
+4. Set the LDAP Host and port properties.  Either a valid host name or IP address can be used.  If you are running on the same platform as your LDAP server, localhost will do.
 
  ```
  host=localhost
  port=389
  ```
 
-4. Set the suffix name and domain component.  These may be set according to your requirements.  For example **suffix.name=example** and **suffix.dc=com** turns into **dc=example,dc=com**.
+5. Set the suffix name and domain component.  These may be set according to your requirements.  For example **suffix.name=example** and **suffix.dc=com** turns into **dc=example,dc=com**.
 
  ```
  suffix.name=example
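Review bot: the new step 3 "Tell the runtime using OpenLDAP:" is missing a word; "Tell the runtime you are using OpenLDAP:" or "Set the server type to OpenLDAP:" reads correctly. It would also help to state that `ldap.server.type=openldap` goes into the slapd.properties file opened in the preceding `vi slapd.properties` step rather than build.properties, since the step sits right after that command but does not name the file.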
@@ -348,7 +354,7 @@ ________________________________________________________________________________
   suffix=dc=${suffix.name},dc=${suffix.dc},dc=${suffix.dc2}
  ```
 
-5. Add to the file to enable LDAP connection pool parameters.
+6. Add to the file to enable LDAP connection pool parameters.
 
  ```
  # Here we are testing with slapd's root user.  Never do this in prod envs.
@@ -371,7 +377,7 @@ ________________________________________________________________________________
  user.max.conn=10
  ```
 
-6. Enable the fortress audit and its connection pool.
+7. Enable the fortress audit and its connection pool.
 
  *This step is optional.*
 
@@ -402,7 +408,7 @@ ________________________________________________________________________________
 8. Rebuild the configuration artifacts:
 
  ```
- mvn install
+ mvn clean install
  ```
 
 9. Perform an initial load to the target LDAP server:
@@ -418,6 +424,7 @@ More usage notes of fortress build property files:
  * The [build.properties.example]([build.properties.example) contains defaults for ApacheDS.  This file is required and will activate once renamed to **build.properties**.
  * The [slapd.properties.example](slapd.properties.example) is optional.  Use *only* when OpenLDAP is the target server.  Once renamed to **slapd.properties**, it will override any values found in the **build.properties** file.
  * Learn more about the configuration subsystem: [README-CONFIG](./README-CONFIG.md)
+ * Learn more about what properties there are: [README-PROPERTIES](README-PROPERTIES.md).
  * Don't change the ant substitution parameters within the properties *unless you know what you're doing*.  These are are the settings inside of curly brackets, e.g. **${param1}**.
 
 ___________________________________________________________________________________
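Review bot: the new bullet links to `README-PROPERTIES.md` while the bullet above it links to `./README-CONFIG.md`; pick one link form for the list. While here, two pre-existing issues in the unchanged context are worth fixing: the first bullet's link `[build.properties.example]([build.properties.example)` has a stray `[` inside the parentheses and will not render, and the last bullet reads "These are are the settings".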

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/53673c63/build.properties.example
----------------------------------------------------------------------
diff --git a/build.properties.example b/build.properties.example
index 4c107d5..4fce889 100644
--- a/build.properties.example
+++ b/build.properties.example
@@ -60,12 +60,16 @@ ldap.port=10389
 #ldap.host=fortressdemo2.com
 # 10636 is default apacheds LDAPS port:
 #ldap.port=10636
+# If you need the ldap api to spit out more info on ssl connections:
 #enable.ldap.ssl.debug=true
-# The trust store is found either on the application's classpath or filepath as specified by trust.store.onclasspath:
-#trust.store=mytruststore
 #trust.store.password=changeit
-# Will pick up the truststore from the classpath if set to true  which is the default.  Otherwise, file must be specified a fully qualified filename:
+# Will pick up the truststore from the classpath if set to true  which is the default.
 #trust.store.onclasspath=true
+#trust.store=mytruststore
+# Otherwise, file must be specified a fully qualified filename:
+#trust.store.onclasspath=false
+#trust.store=/fully/qualified/path/to/mytruststore
+
 
 # These are the connection parameters used for LDAP service account:
 root.dn=uid=admin,ou=system
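Review bot: the new comment "Otherwise, file must be specified a fully qualified filename:" carries over the old wording and is missing "as" ("the file must be specified as a fully qualified filename"). The added trailing blank line at the end of the hunk lands next to the existing blank line, leaving two in a row before the service-account section; drop one of them.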

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/53673c63/slapd.properties.example
----------------------------------------------------------------------
diff --git a/slapd.properties.example b/slapd.properties.example
index 3d0284a..78b90f2 100644
--- a/slapd.properties.example
+++ b/slapd.properties.example
@@ -88,14 +88,17 @@ log.ops=logops bind writes compare
 #ldap.host=fortressdemo2.com
 # 636 is default LDAPS on OpenLDAP:
 #ldap.port=636
+# If you need the ldap api to spit out more info on ssl connections:
 #enable.ldap.ssl.debug=true
-# The trust store is found either on the application's classpath or filepath as specified by trust.store.onclasspath:
-#trust.store=mytruststore
 #trust.store.password=changeit
-# Will pick up the truststore from the classpath if set to true  which is the default.  Otherwise, file must be specified a fully qualified filename:
+# Will pick up the truststore from the classpath if set to true  which is the default.
 #trust.store.onclasspath=true
+#trust.store=mytruststore
+# Otherwise, file must be specified a fully qualified filename:
+#trust.store.onclasspath=false
+#trust.store=/fully/qualified/path/to/mytruststore
 
-# These are needed for slapd startup SSL configuration:
+# These are needed for OpenLDAP startup script to enable SSL configuration:
 #ldap.uris=ldap://${ldap.host}:389 ldaps://${ldap.host}:${ldap.port}
 # These are needed for slapd server-side SSL configuration:
 #tls.ca.cert.file=ca-cert.pem
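Review bot: same wording issue as in build.properties.example: "file must be specified a fully qualified filename" is missing "as". Since these two comment blocks are now identical in both files, they will drift over time; keep them byte-for-byte the same or point one at the other. The reworded line "These are needed for OpenLDAP startup script to enable SSL configuration:" wants an article: "needed for the OpenLDAP startup script".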
@@ -155,7 +158,6 @@ slapd.module.dir=${openldap.root}/lib64/openldap
 slapd.start=${openldap.root}/etc/solserver start -f ${openldap.root}/etc/openldap/slapd.conf -F ${openldap.root}/etc/openldap
 #slapd.start=${openldap.root}/lib64/slapd -h ldap://${ldap.host}:${ldap.port} -f ${openldap.root}/etc/openldap/slapd.conf -F ${openldap.root}/etc/openldap
 
-
 ########################################################################
 # 4. RBAC ACCELERATOR OVERLAY PROPS
 ########################################################################