Date: Tue, 15 Apr 2014 21:10:40 +0000 (UTC) From: Dru Lavigne <dru@FreeBSD.org> To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r44567 - head/en_US.ISO8859-1/books/handbook/network-servers Message-ID: <201404152110.s3FLAepD035058@svn.freebsd.org>
Author: dru Date: Tue Apr 15 21:10:40 2014 New Revision: 44567 URL: http://svnweb.freebsd.org/changeset/doc/44567 Log: Initial editorial pass through config section of LDAP. Another pass is needed as this section could benefit from either several sub-headings or procedures. Sponsored by: iXsystems Modified: head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml Tue Apr 15 20:08:59 2014 (r44566) +++ head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml Tue Apr 15 21:10:40 2014 (r44567) @@ -2285,13 +2285,12 @@ result: 0 Success <para>The final part of the certificate generation process is to generate and sign the client certificates:</para> - <screen>&prompt.root; <userinput>openssl req -days <replaceable>365</replaceable> -nodes -new -keyout client.key -out client.csr</userinput></screen> + <screen>&prompt.root; <userinput>openssl req -days <replaceable>365</replaceable> -nodes -new -keyout client.key -out client.csr</userinput> +&prompt.root; <userinput>openssl x509 -req -days 3650 -in client.csr -out ../client.crt -CA ../ca.crt -CAkey ca.key</userinput></screen> - <screen>&prompt.root; <userinput>openssl x509 -req -days 3650 -in client.csr -out ../client.crt -CA ../ca.crt -CAkey ca.key</userinput></screen> - - <para>Remember, again, to respect the common name attribute. - This is a common cause for confusion during the first attempt - to configure <acronym>LDAP</acronym>. In addition, ensure + <para>Remember to use the same <literal>Common Name</literal> + attribute when prompted. + When finished, ensure that a total of eight (8) new files have been generated through the proceeding commands. If so, the next step is to edit <filename>/usr/local/etc/openldap/slapd.conf</filename> 
@@ -2302,60 +2301,58 @@ TLSCertificateFile /usr/local/etc/openld TLSCertificateKeyFile /usr/local/etc/openldap/private/server.key TLSCACertificateFile /usr/local/etc/openldap/ca.crt</programlisting> - <para>In addition, edit + <para>Then, edit <filename>/usr/local/etc/openldap/ldap.conf</filename> and add the following lines:</para> <programlisting>TLS_CACERT /usr/local/etc/openldap/ca.crt TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv3</programlisting> - <para>While editing these this file, set the - <option>BASE</option> to the desired values, and uncomment all - three of the <option>URI</option>, <option>SIZELIMIT</option> - and <option>TIMELIMIT</option> options. In addition, set the + <para>While editing this file, uncomment the following entries + and set them to the desired values: + <option>BASE</option>, + <option>URI</option>, <option>SIZELIMIT</option> + and <option>TIMELIMIT</option>. Set the <option>URI</option> to contain <option>ldap://</option> and - <option>ldaps://</option>.</para> - - <para>The resulting file should look similar to the following - shown here:</para> + <option>ldaps://</option>. Then, add two entries pointing to + the certificate authority. When finished, the entries should + look similar to the following:</para> <programlisting>BASE dc=example,dc=com URI ldap:// ldaps:// SIZELIMIT 12 TIMELIMIT 15 -#DEREF never TLS_CACERT /usr/local/etc/openldap/ca.crt TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv3</programlisting> - <para>A password for the server will need to be created as the - default is extremely poor as is normal in this industry. 
To - do this, issue the following command, sending the output to - <filename>slapd.conf</filename>:</para> + <para>The default password for the server should then be + changed:</para> <screen>&prompt.root; <userinput>slappasswd -h "{SHA}" >> /usr/local/etc/openldap/slapd.conf</userinput></screen> - <para>There will be a prompt for entering the password and, + <para>This command will prompt for the password and, if the process does not fail, a password hash will be added to the end of <filename>slapd.conf</filename>. - <command>slappasswd</command> understands several hashing - formats, refer to its manual page for more information.</para> + Several hashing + formats are supported. Refer to the manual page for + <command>slappasswd</command> for more information.</para> - <para>Edit + <para>Next, edit <filename>/usr/local/etc/openldap/slapd.conf</filename> and add the following lines:</para> <programlisting>password-hash {sha} allow bind_v2</programlisting> - <para>In addition, the <option>suffix</option> in this file must - be updated to match the <option>BASE</option> from the - previous configuration. The <option>rootdn</option> option - should also be set. A good recommendation is something like + <para>The <option>suffix</option> in this file must + be updated to match the <option>BASE</option> used in + <filename>/usr/local/etc/openldap/ldap.conf</filename> and <option>rootdn</option> + should also be set. A recommended value for <option>rootdn</option> is something like <option>cn=Manager</option>. Before saving this file, place - the <option>rootpw</option> option in front of the password - output from the <command>slappasswd</command> and delete the + the <option>rootpw</option> in front of the password + output from <command>slappasswd</command> and delete the old <option>rootpw</option> option above. The end result should look similar to this:</para> 
@@ -2366,28 +2363,23 @@ TLSCACertificateFile /usr/local/etc/open rootpw {SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=</programlisting> <para>Finally, enable the <application>OpenLDAP</application> - service in <filename>rc.conf</filename>. At this time, - setting up a <acronym>URI</acronym> and providing the group - and user to run as may be useful. Edit - <filename>/etc/rc.conf</filename> and add the following - lines:</para> + service in <filename>/etc/rc.conf</filename> and set + the <acronym>URI</acronym>:</para> <programlisting>slapd_enable="YES" slapd_flags="-4 -h ldaps:///"</programlisting> - <para>At this point the server should be ready to be brought - up and tested. To perform this task, issue the following - command:</para> + <para>At this point the server can be started + and tested:</para> <screen>&prompt.root; <userinput>service slapd start</userinput></screen> - <para>If everything was configured correctly, a search of the + <para>If everything is configured correctly, a search of the directory should show a successful connection with a single response as in this example:</para> - <screen>&prompt.root; <userinput>ldapsearch -Z</userinput></screen> - - <programlisting># extended LDIF + <screen>&prompt.root; <userinput>ldapsearch -Z</userinput> +# extended LDIF # # LDAPv3 # base <dc=example,dc=com> (default) with scope subtree 
@@ -2399,55 +2391,49 @@ slapd_flags="-4 -h ldaps:///"</programli search: 3 result: 32 No such object -# numResponses: 1</programlisting> - - <para>Considering the service should now be responding, as it - is above, the directory may be populated using the - <command>ldapadd</command> command. In this example, there - is a file containing a list of users to be added to this - particular directory. First, create a file to be imported - with the following dataset:</para> - - <programlisting>dn: dc=example,dc=com -objectclass: dcObject -objectclass: organization -o: Example -dc: Example - -dn: cn=Manager,dc=example,dc=com -objectclass: organizationalRole -cn: Manager</programlisting> +# numResponses: 1</screen> <note> - <para>To debug any of the following, stop the - <command>slapd</command> service using the - <command>service</command> command and start it using with - debugging options. To accomplish this, issue the following - command:</para> + <para>If the command fails and the configuration looks + correct, stop the + <command>slapd</command> service and restart it with + debugging options:</para> - <screen>&prompt.root; <userinput>/usr/local/libexec/slapd -d -1</userinput></screen> + <screen>&prompt.root; <userinput>service slapd stop</userinput> +&prompt.root; <userinput>/usr/local/libexec/slapd -d -1</userinput></screen> </note> - <para>To import this datafile, issue the following command, - assuming the file is <filename>import.ldif</filename>:</para> + <para>Once the service is responding, + the directory can be populated using + <command>ldapadd</command>. In this example, + a file containing this list of users is first created. 
Each + user should use the following format:</para> - <screen>&prompt.root; <userinput>ldapadd -Z -D "cn=Manager,dc=example,dc=com" -W -f <replaceable>import.ldif</replaceable></userinput></screen> + <programlisting>dn: dc=<replaceable>example</replaceable>,dc=<replaceable>com</replaceable> +objectclass: dcObject +objectclass: organization +o: <replaceable>Example</replaceable> +dc: <replaceable>Example</replaceable> + +dn: cn=<replaceable>Manager</replaceable>,dc=<replaceable>example</replaceable>,dc=<replaceable>com</replaceable> +objectclass: organizationalRole +cn: <replaceable>Manager</replaceable></programlisting> - <para>There will be a request for the password specified - earlier, and the output should look like this:</para> + <para>To import this file, specify the file name. + The following command will prompt for the password specified + earlier and the output should look something like this:</para> - <screen>Enter LDAP Password: + <screen>&prompt.root; <userinput>ldapadd -Z -D "cn=<replaceable>Manager</replaceable>,dc=<replaceable>example</replaceable>,dc=<replaceable>com</replaceable>" -W -f <replaceable>import.ldif</replaceable></userinput> +Enter LDAP Password: adding new entry "dc=example,dc=com" adding new entry "cn=Manager,dc=example,dc=com"</screen> <para>Verify the data was added by issuing a search on the - server using <command>ldapsearch</command>. In this case - the output should look like this:</para> - - <screen>&prompt.user; <userinput>ldapsearch -Z</userinput></screen> + server using <command>ldapsearch</command>:</para> - <screen># extended LDIF + <screen>&prompt.user; <userinput>ldapsearch -Z</userinput> +# extended LDIF # # LDAPv3 # base <dc=example,dc=com> (default) with scope subtree 
@@ -2474,9 +2460,7 @@ result: 0 Success # numResponses: 3 # numEntries: 2</screen> - <para>It is of course advisable to read about the structure of - <acronym>LDAP</acronym> directories and the various manual - pages mentioned in this section. At this point, the server + <para>At this point, the server should be configured and functioning properly.</para> </sect2> </sect1>
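Review bot: In the first hunk (@@ -2285) the merged <screen> now shows the CSR generated with `-days <replaceable>365</replaceable>` immediately above a signing step with `-days 3650`; since `openssl req` without `-x509` only produces a request, the `-days` on that line has no effect on the issued certificate, and the two values read as contradictory. Suggest dropping `-days <replaceable>365</replaceable>` from the `openssl req` line (or making both values agree) and stating the validity period once in prose. In the retained context, "generated through the proceeding commands" should read "preceding commands".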
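Review bot: In the second hunk (@@ -2302) the sentence "Then, add two entries pointing to the certificate authority" misdescribes the listing: only `TLS_CACERT /usr/local/etc/openldap/ca.crt` points to the CA, while `TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv3` is a cipher list that also admits MEDIUM-strength suites. Suggest "add an entry pointing to the certificate authority and one selecting the cipher suites". Further down, `slappasswd -h "{SHA}"` together with `password-hash {sha}` selects unsalted SHA-1; `slappasswd` defaults to the salted `{SSHA}` scheme, so the example could use `slappasswd -h "{SSHA}"` and `password-hash {ssha}` instead. The `allow bind_v2` line enables deprecated LDAPv2 binds and would benefit from a sentence saying why it is required.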
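Review bot: In the third hunk (@@ -2366) the new text says to "set the <acronym>URI</acronym>", but `slapd_flags="-4 -h ldaps:///"` makes the server listen on LDAPS only, and `-4` restricts it to IPv4, while the ldap.conf example earlier in this patch lists `URI ldap:// ldaps://` with plain `ldap://` first. Either the paragraph should state that only `ldaps:///` is served (so the `ldap://` client URI will not connect) or the flags should include `ldap:///` as well; the meaning of `-4` should also be spelled out.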
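Review bot: In the fourth hunk (@@ -2399) the moved paragraph says "a file containing this list of users is first created. Each user should use the following format", but the LDIF that follows defines the base entry `dc=example,dc=com` and the `cn=Manager` organizationalRole, not user accounts; suggest "the base entry and the manager role" wording. In that LDIF, `dc: <replaceable>Example</replaceable>` differs in case from the RDN `dc=<replaceable>example</replaceable>`; domainComponent matching is case-insensitive so it still works, but using the same spelling in both places avoids confusion. For the debugging note, `/usr/local/libexec/slapd -d -1` runs in the foreground with every debug category enabled; a sentence saying it does not fork, so it is stopped with Ctrl-C and then restarted via `service slapd start`, would help. The preceding `result: 32 No such object` is the expected answer from an empty directory, which the surrounding prose could say explicitly.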
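Review bot: In the last hunk (@@ -2474) removing "It is of course advisable to read about the structure of <acronym>LDAP</acronym> directories and the various manual pages mentioned in this section" drops the section's only pointer to further reading; if the goal is to trim the wording, consider keeping a one-line reference to slapd.conf(5) and ldap.conf(5) before "At this point, the server should be configured and functioning properly."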