Document comment character in ldap.conf

Clarify what is and is not supported in TLS_KEYPW
Mention that gsk8capicmd can be used to create a stash file

doc/sudoers.ldap.cat

@@ -285,6 +285,8 @@ DDEESSCCRRIIPPTTIIOONN
      by ssuuddoo are honored.  Configuration options are listed below in upper
      case but are parsed in a case-independent manner.
 
+     The pound sign (`#') is used to indicate a comment.  Both the comment
+     character and any text after it, up to the end of the line, are ignored.
      Long lines can be continued with a backslash (`\') as the last character
      on the line.  Note that leading white space is removed from the beginning
      of lines even when the continuation character is used.
@@ -472,13 +474,21 @@ DDEESSCCRRIIPPTTIIOONN
      TTLLSS__KKEEYYPPWW _s_e_c_r_e_t
            The TTLLSS__KKEEYYPPWW contains the password used to decrypt the key
            database on clients using the Tivoli Directory Server LDAP library.
+           This should be a simple string without quotes.  The password may
+           not include the comment character (`#') and escaping of special
+           characters with a backslash (`\') is not supported.  If this option
+           is used, _/_e_t_c_/_l_d_a_p_._c_o_n_f must not be world-readable to avoid
+           exposing the password.  Alternately, a _s_t_a_s_h _f_i_l_e can be used to
+           store the password in encrypted form (see below).
+
            If no TTLLSS__KKEEYYPPWW is specified, a _s_t_a_s_h _f_i_l_e will be used if it
            exists.  The _s_t_a_s_h _f_i_l_e must have the same path as the file
            specified by TTLLSS__KKEEYY, but use a .sth file extension instead of
            .kdb, e.g. ldapkey.sth.  The default ldapkey.kdb that ships with
            Tivoli Directory Server is encrypted with the password
-           ssl_password.  This option is only supported by the Tivoli LDAP
-           libraries.
+           ssl_password.  The _g_s_k_8_c_a_p_i_c_m_d utility can be used to manage the
+           key database and create a _s_t_a_s_h _f_i_l_e.  This option is only
+           supported by the Tivoli LDAP libraries.
 
      TTLLSS__RRAANNDDFFIILLEE _f_i_l_e _n_a_m_e
            The TTLLSS__RRAANNDDFFIILLEE parameter specifies the path to an entropy source
@@ -800,4 +810,4 @@ DDIISSCCLLAAIIMMEERR
      file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for
      complete details.
 
-Sudo 1.8.8                      August 19, 2013                     Sudo 1.8.8
+Sudo 1.8.8                      August 30, 2013                     Sudo 1.8.8

doc/sudoers.ldap.man.in

@@ -16,7 +16,7 @@
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.TH "SUDOERS.LDAP" "8" "August 19, 2013" "Sudo @PACKAGE_VERSION@" "OpenBSD System Manager's Manual"
+.TH "SUDOERS.LDAP" "8" "August 30, 2013" "Sudo @PACKAGE_VERSION@" "OpenBSD System Manager's Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -513,6 +513,11 @@ are honored.
 Configuration options are listed below in upper case but are parsed
 in a case-independent manner.
 .PP
+The pound sign
+(`#')
+is used to indicate a comment.
+Both the comment character and any text after it, up to the end of
+the line, are ignored.
 Long lines can be continued with a backslash
 (`\e')
 as the last character on the line.
@@ -837,6 +842,19 @@ The
 \fBTLS_KEYPW\fR
 contains the password used to decrypt the key database on clients
 using the Tivoli Directory Server LDAP library.
+This should be a simple string without quotes.
+The password may not include the comment character
+(`#')
+and escaping of special characters with a backslash
+(`\e')
+is not supported.
+If this option is used,
+\fI@ldap_conf@\fR
+must not be world-readable to avoid exposing the password.
+Alternately, a
+\fIstash file\fR
+can be used to store the password in encrypted form (see below).
+.sp
 If no
 \fBTLS_KEYPW\fR
 is specified, a
@@ -856,6 +874,10 @@ The default
 \fRldapkey.kdb\fR
 that ships with Tivoli Directory Server is encrypted with the password
 \fRssl_password\fR.
+The
+\fIgsk8capicmd\fR
+utility can be used to manage the key database and create a
+\fIstash file\fR.
 This option is only supported by the Tivoli LDAP libraries.
 .PD
 .TP 6n

doc/sudoers.ldap.mdoc.in

@@ -14,7 +14,7 @@
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd August 19, 2013
+.Dd August 30, 2013
 .Dt SUDOERS.LDAP @mansectsu@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -482,6 +482,11 @@ are honored.
 Configuration options are listed below in upper case but are parsed
 in a case-independent manner.
 .Pp
+The pound sign
+.Pq Ql #
+is used to indicate a comment.
+Both the comment character and any text after it, up to the end of
+the line, are ignored.
 Long lines can be continued with a backslash
 .Pq Ql \e
 as the last character on the line.
@@ -769,6 +774,19 @@ The
 .Sy TLS_KEYPW
 contains the password used to decrypt the key database on clients
 using the Tivoli Directory Server LDAP library.
+This should be a simple string without quotes.
+The password may not include the comment character
+.Pq Ql #
+and escaping of special characters with a backslash
+.Pq Ql \e
+is not supported.
+If this option is used,
+.Pa @ldap_conf@
+must not be world-readable to avoid exposing the password.
+Alternately, a
+.Em stash file
+can be used to store the password in encrypted form (see below).
+.Pp
 If no
 .Sy TLS_KEYPW
 is specified, a
@@ -788,6 +806,10 @@ The default
 .Li ldapkey.kdb
 that ships with Tivoli Directory Server is encrypted with the password
 .Li ssl_password .
+The
+.Em gsk8capicmd
+utility can be used to manage the key database and create a
+.Em stash file .
 This option is only supported by the Tivoli LDAP libraries.
 .It Sy TLS_RANDFILE Ar file name
 The