fix 3372: fix typos, and impove pve-gui docs

[pve-docs.git] / pveum.adoc

diff --git a/pveum.adoc b/pveum.adoc
index 7f8bd67762dfb96b6d79b833759cc7110d6cc335..b5eea290efa3778e19513a0413d63bab483b937d 100644 (file)
--- a/pveum.adoc
+++ b/pveum.adoc
@@ -163,6 +163,12 @@ configured via the `bind_dn` property in `/etc/pve/domains.cfg`. Its
 password then has to be stored in `/etc/pve/priv/ldap/<realmname>.pw`
 (e.g. `/etc/pve/priv/ldap/my-ldap.pw`). This file should contain a
 single line containing the raw password.
++
+To verify certificates, you need to to set `capath`. You can set it either
+directly to the CA certificate of your LDAP server, or to the system path
+containing all trusted CA certificates (`/etc/ssl/certs`).
+Additionally, you need to set the `verify` option, which can also be doen over
+the web interface.
 
 Microsoft Active Directory::
 
@@ -174,16 +180,22 @@ encryption can be configured.
 Syncing LDAP-based realms
 ~~~~~~~~~~~~~~~~~~~~~~~~~
 
-It is possible to sync users and groups for LDAP based realms using
-  pveum sync <realm>
-or in the `Authentication` panel of the GUI. Users and groups are synced
-to `/etc/pve/user.cfg`.
+[thumbnail="screenshot/gui-datacenter-realm-add-ldap.png"]
+
+It is possible to sync users and groups for LDAP based realms. You can use the
+CLI command
+
+----
+  pveum realm sync <realm>
+----
+or in the `Authentication` panel of the GUI. Users and groups are synced to the
+cluster-wide user configuration file `/etc/pve/user.cfg`.
 
 Requirements and limitations
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
-The `bind_dn` is used to query the users and groups. This account
-needs access to all desired entries.
+The `bind_dn` is used to query the users and groups. This account needs access
+to all desired entries.
 
 The fields which represent the names of the users and groups can be configured
 via the `user_attr` and `group_name_attr` respectively. Only entries which
@@ -193,9 +205,12 @@ Groups are synced with `-$realm` attached to the name, to avoid naming
 conflicts. Please make sure that a sync does not overwrite manually created
 groups.
 
+[[pveum_ldap_sync_options]]
 Options
 ^^^^^^^
 
+[thumbnail="screenshot/gui-datacenter-realm-add-ldap-sync-options.png"]
+
 The main options for syncing are:
 
 * `dry-run`: No data is written to the config. This is useful if you want to
@@ -270,7 +285,7 @@ password into the user's 'Key IDs' field.
 Please refer to the https://developers.yubico.com/OTP/[YubiKey OTP]
 documentation for how to use the
 https://www.yubico.com/products/services-software/yubicloud/[YubiCloud] or
-https://developers.yubico.com/Software_Projects/YubiKey_OTP/YubiCloud_Validation_Servers/[host
+https://developers.yubico.com/Software_Projects/Yubico_OTP/YubiCloud_Validation_Servers/[host
 your own verification server].
 
 [[pveum_user_configured_totp]]