From owner-svn-doc-head@FreeBSD.ORG Tue Apr 15 21:22:38 2014
Message-Id: <201404152122.s3FLMcGo042243@svn.freebsd.org>
From: Dru Lavigne
Date: Tue, 15 Apr 2014 21:22:38 +0000 (UTC)
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r44568 - head/en_US.ISO8859-1/books/handbook/network-servers

Author: dru
Date: Tue Apr 15 21:22:38 2014
New Revision: 44568

URL: http://svnweb.freebsd.org/changeset/doc/44568

Log:
  White space fix only.

  Translators can ignore.

  Sponsored by:	iXsystems

Modified:
  head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml

Modified: head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml	Tue Apr 15 21:10:40 2014	(r44567)
+++ head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml	Tue Apr 15 21:22:38 2014	(r44568)
@@ -2145,48 +2145,48 @@ TWO (,hotel,test-domain) LDAP - The Lightweight Directory Access - Protocol (LDAP) is an application layer protocol used to access, - modify, and authenticate objects using a distributed directory - information service. Think of it as a phone or record book - which stores several levels of hierarchical, homogeneous + The Lightweight Directory Access Protocol + (LDAP) is an application layer protocol used + to access, modify, and authenticate objects using a distributed + directory information service. Think of it as a phone or record + book which stores several levels of hierarchical, homogeneous information. It is used in Active Directory and OpenLDAP networks and allows users to - access to several levels of internal information utilizing - a single account. For example, email authentication, pulling + access to several levels of internal information utilizing a + single account. For example, email authentication, pulling employee contact information, and internal website - authentication might all make use of a single user account in the - LDAP server's record base. + authentication might all make use of a single user account in + the LDAP server's record base. - This section provides a quick start guide for configuring - an LDAP server on a &os; system. - It assumes that the administrator already has a design plan - which includes the type of information to - store, what that information will be used for, which users should - have access to that information, and how to secure this - information from unauthorized access. + This section provides a quick start guide for configuring an + LDAP server on a &os; system. It assumes + that the administrator already has a design plan which includes + the type of information to store, what that information will be + used for, which users should have access to that information, + and how to secure this information from unauthorized + access. 
<acronym>LDAP</acronym> Terminology and Structure LDAP uses several terms which should be - understood before starting the configuration. - All directory entries consist of - a group of attributes. Each of these - attribute sets contains a unique identifier known as a - Distinguished Name (DN) - which is normally built - from several other attributes such as the common or + understood before starting the configuration. All directory + entries consist of a group of + attributes. Each of these attribute + sets contains a unique identifier known as a + Distinguished Name + (DN) which is normally built from several + other attributes such as the common or Relative Distinguished Name - (RDN). - Similar to how directories have absolute and relative paths, - consider a DN as an absolute path and the - RDN as the relative path. + (RDN). Similar to how directories have + absolute and relative paths, consider a DN + as an absolute path and the RDN as the + relative path. An example LDAP entry looks like the - following. This example searches for the entry for the specified user - account (uid), organizational unit - (ou), and organization + following. This example searches for the entry for the + specified user account (uid), + organizational unit (ou), and organization (o): &prompt.user; ldapsearch -xb "uid=trhodes,ou=users,o=example.com" 
@@ -2215,9 +2215,9 @@ result: 0 Success This example entry shows the values for the dn, mail, cn, uid, and - telephoneNumber - attributes. The cn attribute - is the RDN. + telephoneNumber attributes. The + cn attribute is the + RDN. More information about LDAP and its terminology can be found at LDAP Server &os; does not provide a built-in LDAP - server. Begin the configuration by installing the - net/openldap24-server package or - port. Since the port has many configurable - options, it is recommended that the default options are - reviewed to see if the package is sufficient, and to instead - compile the port if any options should be changed. - In most cases, the defaults are fine. - However, if SQL support is needed, this option must be - enabled and the port compiled using the instructions in . - - Next, create the directories to hold the - data and to store the - certificates: + server. Begin the configuration by installing the net/openldap24-server package or port. + Since the port has many configurable options, it is + recommended that the default options are reviewed to see if + the package is sufficient, and to instead compile the port if + any options should be changed. In most cases, the defaults + are fine. However, if SQL support is needed, this option must + be enabled and the port compiled using the instructions in + . + + Next, create the directories to hold the data and to store + the certificates: &prompt.root; mkdir /var/db/openldap-data &prompt.root; mkdir /usr/local/etc/openldap/private 
@@ -2254,21 +2252,20 @@ result: 0 Success The next phase is to configure the certificate authority. The following commands must be executed from - /usr/local/etc/openldap/private. - This is important as the file permissions - need to be restrictive and users should not have access to - these files. To create the certificate authority, - start with this command and follow the prompts: + /usr/local/etc/openldap/private. This is + important as the file permissions need to be restrictive and + users should not have access to these files. To create the + certificate authority, start with this command and follow the + prompts: &prompt.root; openssl req -days 365 -nodes -new -x509 -keyout ca.key -out ../ca.crt The entries for the prompts may be generic except for the Common Name. This entry must be - different than the system hostname. - If this will be a self signed certificate, - prefix the hostname with - CA for certificate authority. + different than the system hostname. If + this will be a self signed certificate, prefix the hostname + with CA for certificate authority. The next task is to create a certificate signing request and a private key. Input this command and follow the 
@@ -2277,24 +2274,23 @@ result: 0 Success &prompt.root; openssl req -days 365 -nodes -new -keyout server.key -out server.csr During the certificate generation process, be sure to - correctly set the Common Name attribute. Once - complete, sign the key: + correctly set the Common Name attribute. + Once complete, sign the key: &prompt.root; openssl x509 -req -days 365 -in server.csr -out ../server.crt -CA ../ca.crt -CAkey ca.key -CAcreateserial - The final part of the certificate generation process - is to generate and sign the client certificates: + The final part of the certificate generation process is to + generate and sign the client certificates: &prompt.root; openssl req -days 365 -nodes -new -keyout client.key -out client.csr &prompt.root; openssl x509 -req -days 3650 -in client.csr -out ../client.crt -CA ../ca.crt -CAkey ca.key Remember to use the same Common Name - attribute when prompted. - When finished, ensure - that a total of eight (8) new files have been generated - through the proceeding commands. If so, the next step is to - edit /usr/local/etc/openldap/slapd.conf - and add the following options: + attribute when prompted. When finished, ensure that a total + of eight (8) new files have been generated through the + proceeding commands. If so, the next step is to edit + /usr/local/etc/openldap/slapd.conf and + add the following options: TLSCipherSuite HIGH:MEDIUM:+SSLv3 TLSCertificateFile /usr/local/etc/openldap/server.crt 
@@ -2302,18 +2298,17 @@ TLSCertificateKeyFile /usr/local/etc/ope TLSCACertificateFile /usr/local/etc/openldap/ca.crt Then, edit - /usr/local/etc/openldap/ldap.conf and - add the following lines: + /usr/local/etc/openldap/ldap.conf and add + the following lines: TLS_CACERT /usr/local/etc/openldap/ca.crt TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv3 While editing this file, uncomment the following entries - and set them to the desired values: - , - , - and . Set the - to contain and + and set them to the desired values: , + , and + . Set the to + contain and . Then, add two entries pointing to the certificate authority. When finished, the entries should look similar to the following: @@ -2332,10 +2327,9 @@ TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv3&prompt.root; slappasswd -h "{SHA}" >> /usr/local/etc/openldap/slapd.conf - This command will prompt for the password and, - if the process does not fail, a password hash will be added - to the end of slapd.conf. - Several hashing + This command will prompt for the password and, if the + process does not fail, a password hash will be added to the + end of slapd.conf. Several hashing formats are supported. Refer to the manual page for slappasswd for more information. 
@@ -2346,15 +2340,16 @@ TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv3password-hash {sha} allow bind_v2 - The in this file must - be updated to match the used in - /usr/local/etc/openldap/ldap.conf and - should also be set. A recommended value for is something like + The in this file must be updated + to match the used in + /usr/local/etc/openldap/ldap.conf and + should also be set. A recommended + value for is something like . Before saving this file, place - the in front of the password - output from slappasswd and delete the - old option above. The end result - should look similar to this: + the in front of the password output + from slappasswd and delete the old + option above. The end result should + look similar to this: TLSCipherSuite HIGH:MEDIUM:+SSLv3 TLSCertificateFile /usr/local/etc/openldap/server.crt @@ -2363,14 +2358,13 @@ TLSCACertificateFile /usr/local/etc/open rootpw {SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g= Finally, enable the OpenLDAP - service in /etc/rc.conf and set - the URI: + service in /etc/rc.conf and set the + URI: slapd_enable="YES" slapd_flags="-4 -h ldaps:///" - At this point the server can be started - and tested: + At this point the server can be started and tested: &prompt.root; service slapd start @@ -2395,17 +2389,15 @@ result: 32 No such object If the command fails and the configuration looks - correct, stop the - slapd service and restart it with - debugging options: + correct, stop the slapd service and + restart it with debugging options: &prompt.root; service slapd stop &prompt.root; /usr/local/libexec/slapd -d -1 - Once the service is responding, - the directory can be populated using - ldapadd. In this example, + Once the service is responding, the directory can be + populated using ldapadd. In this example, a file containing this list of users is first created. Each user should use the following format: 
@@ -2419,9 +2411,9 @@ dn: cn=ManagerManager - To import this file, specify the file name. - The following command will prompt for the password specified - earlier and the output should look something like this: + To import this file, specify the file name. The following + command will prompt for the password specified earlier and the + output should look something like this: &prompt.root; ldapadd -Z -D "cn=Manager,dc=example,dc=com" -W -f import.ldif Enter LDAP Password: @@ -2460,8 +2452,8 @@ result: 0 Success # numResponses: 3 # numEntries: 2 - At this point, the server - should be configured and functioning properly. + At this point, the server should be configured and + functioning properly.
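Review bot: in the first hunk (@@ -2145,48), the reflowed sentence "allows users to access to several levels of internal information utilizing a single account" carries over a stray "to" from the old text ("access several levels" is what is meant); since this commit is whitespace only and translators are told to ignore it, that wording fix should go in a separate content commit so translations pick it up.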
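Review bot: in the LDAP Server hunk that ends with `mkdir /var/db/openldap-data` and `mkdir /usr/local/etc/openldap/private`, the private directory is created with whatever the default umask gives, while the very next hunk says its contents must not be accessible to users; a follow-up content commit could make that concrete with `mkdir -m 700 /usr/local/etc/openldap/private` (and restrict /var/db/openldap-data the same way, since slapd's database files land there) instead of leaving the permissions to the reader.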
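Review bot: in hunk @@ -2254,21, the CA key is produced by `openssl req -days 365 -nodes -new -x509 -keyout ca.key -out ../ca.crt`, and `-nodes` writes ca.key unencrypted; the sentence "the file permissions need to be restrictive" in the same hunk is then the only protection on the signing key, which a follow-up should state outright (or drop `-nodes` for the CA key, which is used only for the two signing steps). Minor: "different than the system hostname" reads better as "different from the system hostname".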
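Review bot: in hunk @@ -2277,24, the client certificate is signed with `-days 3650` while the CA created in the previous hunk has `-days 365`, so the client certificate outlives its issuer by nine years and stops verifying once the CA expires after the first year; the lifetimes should be aligned in a content commit. Same hunk: "through the proceeding commands" should read "through the preceding commands".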
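Review bot: in hunk @@ -2302,18, `TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv3` (mirroring the `TLSCipherSuite HIGH:MEDIUM:+SSLv3` line for slapd.conf in the previous hunk) is carried over unchanged; worth a follow-up, because the `+SSLv3` token neither enables nor disables the SSLv3 protocol, it only moves SSLv3-capable suites to the end of the preference list, and `MEDIUM` admits 128-bit suites including RC4 in the OpenSSL of this era. Something like `HIGH` on its own would be a safer default for a quick-start guide.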
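Review bot: in hunk @@ -2346,15, the resulting `rootpw {SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=` is an unsalted SHA-1 hash, and it is the well-known hash of the string "password"; `password-hash {sha}` in the same block makes every user password slapd stores unsalted as well. slappasswd's default scheme is the salted {SSHA}, so a content commit should prefer `{SSHA}` in both places and use a less guessable example value. `allow bind_v2` in that block also re-enables LDAPv2 binds without any explanation of why a new deployment would want them.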
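Review bot: in hunk @@ -2419,9, `ldapadd -Z -D "cn=Manager,dc=example,dc=com" -W -f import.ldif` uses a single `-Z`, which only attempts StartTLS and continues in clear text if the extended operation fails; since this command sends the Manager password, a follow-up should use `-ZZ`, which aborts when TLS cannot be established. StartTLS is also negotiated on a plain ldap:// session, whereas the listener enabled earlier with `slapd_flags="-4 -h ldaps:///"` is ldaps-only, so the guide should settle on one of the two models.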