Date: Sat, 1 Jun 2013 01:45:51 +0000 (UTC) From: Tom Rhodes <trhodes@FreeBSD.org> To: doc-committers@freebsd.org, svn-doc-projects@freebsd.org Subject: svn commit: r41806 - projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/network-servers Message-ID: <201306010145.r511jpHH062761@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: trhodes Date: Sat Jun 1 01:45:51 2013 New Revision: 41806 URL: http://svnweb.freebsd.org/changeset/doc/41806 Log: I have no clue how an "svn diff > file; svn revert chapter.xml; aspell -c file; patch chapter.xml < file" caused two sections, but kill the bad one. *sigh* Modified: projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml Modified: projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml ============================================================================== --- projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml Sat Jun 1 01:32:07 2013 (r41805) +++ projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml Sat Jun 1 01:45:51 2013 (r41806) @@ -2606,284 +2606,6 @@ nis_client_flags="-S <replaceable>NIS do </sect2> </sect1> - <sect1 id="netserv-ldap"> - <sect1info> - <authorgroup> - <author> - <firstname>Tom</firstname> - <surname>Rhodes</surname> - <contrib>Written by </contrib> - </author> - </authorgroup> - </sect1info> - <title>&os; and <acronym>LDAP</acronym></title> - - <indexterm><primary>LDAP</primary></indexterm> - - <para><acronym>LDAP</acronym>, the Lightweight Directory Access - Protocol, is an application layer protocol used to access, - modify, and authenticate (bind) using a distributed directory - information service. Think of it as a phone or record book which - stores several levels of hierarchical, homogeneous information. - It is often used in networks where users often need access to - several levels of internal information utilizing a single - account. For example, email authentication, pulling employee - contact information, and internal website authentication might - all make use of a single user in the <acronym>LDAP</acronym> - server's record base.</para> - - <para>This section will not provide a history or the implementation - details of the protocol. These sections were authored to get an - <acronym>LDAP</acronym> server and/or client configured both - quickly and securely; however, any information base requires - planning and this is no exception.</para> - - <para>Planning should include what type of information will be - stored, what that information will be used for, whom should - have access to said information, and how to secure this - information from prying eyes.</para> - - <sect2> - <title><acronym>LDAP</acronym> Terminology and Structure</title> - - <para>Before continuing, several parts of <acronym>LDAP</acronym> - must be explained to prevent confusion. And confusion with - this configuration is relatively simple. To begin, all - directory entries consist of a group of - <emphasis>attributes</emphasis>. Each of these attribute sets - contain a name, a unique identifier known as a - <acronym>DN</acronym> or distinguished name normally built from - several other attributes such as the <acronym>RDN</acronym>. - The <acronym>RDN</acronym> or relative distinguished name, is - a more common name for the attribute. Like directories have - absolute and relative paths, consider a <acronym>DN</acronym> - as an absolute path and the <acronym>RDN</acronym> as the - relative path.</para> - - <para>As an example, an entry might look like the - following:</para> - - <screen>&prompt.user; ldapsearch -xb "uid=trhodes,ou=users,o=example.com"</screen> - - <programlisting># extended LDIF -# -# LDAPv3 -# base <uid=trhodes,ou=users,o=example.com> with scope subtree -# filter: (objectclass=*) -# requesting: ALL -# - -# trhodes, users, example.com -dn: uid=trhodes,ou=users,o=example.com -mail: trhodes@example.com -cn: Tom Rhodes -uid: trhodes -telephoneNumber: (xxx) xxx-xxxx - -# search result -search: 2 -result: 0 Success - -# numResponses: 2 -# numEntries: 1</programlisting> - - <para>In this example, it is very obvious what the various - attributes are; however, the <acronym>cn</acronym> attribute - should be noticed. This is the <acronym>RDN</acronym> discussed - previously. In addition, there is a unique user id provided - here. It is common practice to have specific uid or uuids for - entries to ease in any future migration.</para> - </sect2> - - <sect2> - <title>Configuring an <acronym>LDAP</acronym> Server</title> - - <indexterm><primary>LDAP Server</primary></indexterm> - - <para>To configure &os; to act as an <acronym>LDAP</acronym> - server, the OpenLDAP port needs installed. This may be - accomplished using the <command>pkg_add</command> command - or by installing the - <filename role="port">net/openldap24-server</filename> - port. Building the port is recommended as the administrator - may select a great deal of options at this time and disable - some options. In most cases, the defaults will be fine; - however, this is the time to enable SQL support if - needed.</para> - - <para>A few directories will be required from this point on, - at minimal, a data directory and a directory to store the - certificates in. Create them both with the following - commands:</para> - - <screen>&prompt.root; <userinput>mkdir /var/db/openldap-data</userinput></screen> - - <screen>&prompt.root; <userinput>mkdir /usr/local/etc/openldap/private</userinput></screen> - - <para>Copy over the database configuration file:</para> - - <screen>&prompt.root; <userinput>cp /usr/local/etc/openldap/DB_CONFIG.example /var/db/openldap-data/DB_CONFIG</userinput></screen> - - <para>The next phase is to configure the <acronym>SSL</acronym> - certificates. While creating certificates is discussed in - the <link linkend="openssl">OpenSSL</link> section in this - book, a certificate authority is needed so a different method - will be used. It is recommended that this section be reviewed - prior to configuring to ensure correct information is entered - during the certificate creation process below.</para> - - <para>The following commands must be executed in the - <filename class="directory"> - /usr/local/etc/openldap/private</filename> directory. This - is important as the file permissions will need to be restrictive - and users should not have access to these files directly. To - create the certificates, issues the following commands.</para> - - <screen>&prompt.root; <userinput>openssl req -days 365 -nodes -new -x509 -keyout ca.key -out ../ca.crt</userinput></screen> - - <para>The entries for these may be completely generic - <emphasis>except</emphasis> for the - <emphasis>Common Name</emphasis> entry. This entry must have - something different than the system hostname. If the entry - is the hostname, it would be like the hostname is attempting - to verify hostname. In cases with a self signed certificate - like this example, just prefix the hostname with - <acronym>CA</acronym> for certificate authority.</para> - - <para>The next task is to create a certificate signing request - and a private key. To do this, issue the following - commands:</para> - - <screen>&prompt.root; <userinput>openssl req -days 365 -nodes -new -keyout server.key -out server.csr</userinput></screen> - - <para>During the certificate generation process, be sure to - correctly set the common name attribute. After this has - been completed, the key will need signed:</para> - - <screen>&prompt.root; <userinput>openssl x509 -req -days 365 -in server.csr -out ../server.crt -CA ../ca.crt -CAkey ca.key -CAcreateserial</userinput></screen> - - <para>The final part of the certificate generation process - is to generate and sign the client certificates:</para> - - <screen>&prompt.root; <userinput>openssl req -days 365 -nodes -new -keyout client.key -out client.csr</userinput></screen> - - <screen>&prompt.root; <userinput>openssl x509 -req -days 3650 -in client.csr -out ../client.crt -CA ../ca.crt -CAkey ca.key</userinput></screen> - - <para>Remember, again, to respect the common name attribute. This - is a common cause for confusion during the first attempt to - configure <acronym>LDAP</acronym>. In addition, ensure that - a total of eight (8) new files have been generated through - the proceeding commands. If so, the next step is to edit - <filename>/usr/local/etc/openldap/slapd.conf</filename> and add - the following options:</para> - - <programlisting>TLSCipherSuite HIGH:MEDIUM:+SSLv3 -TLSCertificateFile /usr/local/etc/openldap/server.crt -TLSCertificateKeyFile /usr/local/etc/openldap/private/server.key -TLSCACertificateFile /usr/local/etc/openldap/ca.crt</programlisting> - - <para>In addition, edit - <filename>/usr/local/etc/openldap/ldap.conf</filename> and - add the following lines:</para> - - <programlisting>TLS_CACERT /usr/local/etc/openldap/ca.crt -TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv3</programlisting> - - <para>While editing these this file, set the <option>BASE</option> - to the desired values, and uncomment all three of the - <option>URI</option>, <option>SIZELIMIT</option> and - <option>TIMELIMIT</option> options. In addition, set the - <option>URI</option> to contain <option>ldap://</option> - and <option>ldaps://</option>.</para> - - <para>The resulting file should look similar to the following - shown here:</para> - - <programlisting>BASE dc=example,dc=com -URI ldap:// ldaps:// - -SIZELIMIT 12 -TIMELIMIT 15 -#DEREF never - -TLS_CACERT /usr/local/etc/openldap/ca.crt -TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv3</programlisting> - - <para>A password for the server will need to be created as the - default is extremely poor as is normal in this industry. To - do this, issue the following command, sending the output to - <filename>slapd.conf</filename>:</para> - - <screen>&prompt.root; <userinput>slappasswd -h "{SHA}" >> /usr/local/etc/openldap/slapd.conf</userinput></screen> - - <para>There will be a prompt for entering the password and, - if the process does not fail, a password hash will be added - to the end of <filename>slapd.conf</filename>. The - <command>slappasswd</command> understands several hashing - formats, refer to the manual page for more information.</para> - - <para>Edit <filename>/usr/local/etc/openldap/slapd.conf</filename> - and add the following lines:</para> - - <programlisting>password-hash {sha} -allow bind_v2</programlisting> - - <para>In addition, the <option>suffix</option> in this file must - be updated to match the <option>BASE</option> from the previous - configuration. The <option>rootdn</option> option should - also be set. A good recommendation is something like - <option>cn=Manager</option>. Before saving this file, place - the <option>rootpw</option> option in front of the password - output from the <command>slappasswd</command> and delete the - old <option>rootpw</option> option above. The end result - should look similar to this:</para> - - <programlisting>TLSCipherSuite HIGH:MEDIUM:+SSLv3 -TLSCertificateFile /usr/local/etc/openldap/server.crt -TLSCertificateKeyFile /usr/local/etc/openldap/private/server.key -TLSCACertificateFile /usr/local/etc/openldap/ca.crt -rootpw {SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=</programlisting> - - <para>Finally, enable the <application>OpenLDAP</application> - service in <filename>rc.conf</filename>. At this time, - setting up a <acronym>URI</acronym> and providing the group - and user to run as may be useful. - Edit <filename>/etc/rc.conf</filename> and add the following - lines:</para> - - <programlisting>slapd_enable="YES" -slapd_flags="-4 -h ldaps:///"</programlisting> - - <para>At this point the server should be ready to be brought - up and tested. To perform this task, issue the following - command:</para> - - <screen>&prompt.root; <userinput>service slapd start</userinput></screen> - - <para>If everything was configured correctly, a search of the - directory should show a successful connection with a single - response as in this example:</para> - - <screen>&prompt.root; <userinput>ldapsearch -Z</userinput></screen> - - <programlisting># extended LDIF -# -# LDAPv3 -# base <dc=example,dc=com> (default) with scope subtree -# filter: (objectclass=*) -# requesting: ALL -# - -# search result -search: 3 -result: 32 No such object - -# numResponses: 1</programlisting> - - - </sect2> - </sect1> - <sect1 id="network-ldap"> <sect1info> <authorgroup> @@ -2895,7 +2617,7 @@ result: 32 No such object </authorgroup> </sect1info> <title>&os; and <acronym>LDAP</acronym></title> -<!-- XXXTR: Needed here or drop down? --> + <indexterm><primary>LDAP</primary></indexterm> <para><acronym>LDAP</acronym>, the Lightweight Directory Access
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201306010145.r511jpHH062761>