From owner-svn-doc-all@FreeBSD.ORG Tue Apr 15 21:10:40 2014
Delivered-To: svn-doc-all@freebsd.org
Message-Id: <201404152110.s3FLAepD035058@svn.freebsd.org>
From: Dru Lavigne
Date: Tue, 15 Apr 2014 21:10:40 +0000 (UTC)
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r44567 - head/en_US.ISO8859-1/books/handbook/network-servers

Author: dru
Date: Tue Apr 15 21:10:40 2014
New Revision: 44567

URL: http://svnweb.freebsd.org/changeset/doc/44567

Log:
  Initial editorial pass through config section of LDAP.
  Another pass is needed as this section could benefit from either several sub-headings or procedures.

  Sponsored by: iXsystems

Modified:
  head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml

Modified: head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml	Tue Apr 15 20:08:59 2014	(r44566)
+++ head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml	Tue Apr 15 21:10:40 2014	(r44567)
@@ -2285,13 +2285,12 @@ result: 0 Success The final part of the certificate generation process is to generate and sign the client certificates: - &prompt.root; openssl req -days 365 -nodes -new -keyout client.key -out client.csr + &prompt.root; openssl req -days 365 -nodes -new -keyout client.key -out client.csr +&prompt.root; openssl x509 -req -days 3650 -in client.csr -out ../client.crt -CA ../ca.crt -CAkey ca.key - &prompt.root; openssl x509 -req -days 3650 -in client.csr -out ../client.crt -CA ../ca.crt -CAkey ca.key - - Remember, again, to respect the common name attribute. - This is a common cause for confusion during the first attempt - to configure LDAP. In addition, ensure + Remember to use the same Common Name + attribute when prompted. + When finished, ensure that a total of eight (8) new files have been generated through the proceeding commands. If so, the next step is to edit /usr/local/etc/openldap/slapd.conf 
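Review bot: the `-days 365` on the `openssl req` line is ignored, because `req` only honours `-days` when it produces a self-signed certificate with `-x509`; the client certificate's real lifetime is the `-days 3650` on the following `openssl x509 -req` line, so the two values sitting side by side will mislead readers and should agree or the first should be dropped. In the same hunk, `-nodes` writes `client.key` unencrypted, which the text should state so readers know to protect the file with permissions. The rewritten sentence "Remember to use the same Common Name attribute when prompted" also no longer says the same as what; the deleted text at least warned that the Common Name is a frequent source of confusion, so name the earlier certificate whose Common Name this one has to match rather than leaving "same" dangling.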
@@ -2302,60 +2301,58 @@ TLSCertificateFile /usr/local/etc/openld TLSCertificateKeyFile /usr/local/etc/openldap/private/server.key TLSCACertificateFile /usr/local/etc/openldap/ca.crt - In addition, edit + Then, edit /usr/local/etc/openldap/ldap.conf and add the following lines: TLS_CACERT /usr/local/etc/openldap/ca.crt TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv3 - While editing these this file, set the - to the desired values, and uncomment all - three of the , - and options. In addition, set the + While editing this file, uncomment the following entries + and set them to the desired values: + , + , + and . Set the to contain and - . - - The resulting file should look similar to the following - shown here: + . Then, add two entries pointing to + the certificate authority. When finished, the entries should + look similar to the following: BASE dc=example,dc=com URI ldap:// ldaps:// SIZELIMIT 12 TIMELIMIT 15 -#DEREF never TLS_CACERT /usr/local/etc/openldap/ca.crt TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv3 - A password for the server will need to be created as the - default is extremely poor as is normal in this industry. To - do this, issue the following command, sending the output to - slapd.conf: + The default password for the server should then be + changed: &prompt.root; slappasswd -h "{SHA}" >> /usr/local/etc/openldap/slapd.conf - There will be a prompt for entering the password and, + This command will prompt for the password and, if the process does not fail, a password hash will be added to the end of slapd.conf. - slappasswd understands several hashing - formats, refer to its manual page for more information. + Several hashing + formats are supported. Refer to the manual page for + slappasswd for more information. - Edit + Next, edit /usr/local/etc/openldap/slapd.conf and add the following lines: password-hash {sha} allow bind_v2 - In addition, the in this file must - be updated to match the from the - previous configuration. The option - should also be set. 
A good recommendation is something like + The in this file must + be updated to match the used in + /usr/local/etc/openldap/ldap.conf and + should also be set. A recommended value for is something like . Before saving this file, place - the option in front of the password - output from the slappasswd and delete the + the in front of the password + output from slappasswd and delete the old option above. The end result should look similar to this: @@ -2366,28 +2363,23 @@ TLSCACertificateFile /usr/local/etc/open rootpw {SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g= Finally, enable the OpenLDAP - service in rc.conf. At this time, - setting up a URI and providing the group - and user to run as may be useful. Edit - /etc/rc.conf and add the following - lines: + service in /etc/rc.conf and set + the URI: slapd_enable="YES" slapd_flags="-4 -h ldaps:///" - At this point the server should be ready to be brought - up and tested. To perform this task, issue the following - command: + At this point the server can be started + and tested: &prompt.root; service slapd start - If everything was configured correctly, a search of the + If everything is configured correctly, a search of the directory should show a successful connection with a single response as in this example: - &prompt.root; ldapsearch -Z - - # extended LDIF + &prompt.root; ldapsearch -Z +# extended LDIF # # LDAPv3 # base <dc=example,dc=com> (default) with scope subtree 
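Review bot: "Then, add two entries pointing to the certificate authority" is wrong for the second entry: `TLS_CACERT` points at the CA certificate, but `TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv3` is a cipher list and has nothing to do with the CA. Say "add the TLS_CACERT and TLS_CIPHER_SUITE entries shown below" instead. While on that line, `+SSLv3` in an OpenSSL cipher string only moves the SSLv3-era suites to the end of the list rather than disabling anything, and `MEDIUM` admits weak suites, so a sentence telling readers to tighten this would help. Further down, "The default password for the server should then be changed" misdescribes what `slappasswd -h "{SHA}" >> /usr/local/etc/openldap/slapd.conf` does: it appends a fresh hash and changes nothing, and the old `rootpw` line is only deleted by hand in the next paragraph, so say "generate a hash for the rootpw" here. `{SHA}` is also unsalted SHA-1; `slappasswd` defaults to the salted `{SSHA}`, so consider dropping `-h "{SHA}"` and writing `password-hash {ssha}` to match. Finally, `allow bind_v2` re-enables LDAPv2 binds, and the text should say why that is needed given that every later example speaks LDAPv3.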
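Review bot: `slapd_flags="-4 -h ldaps:///"` makes slapd listen only for LDAPS, yet `ldap.conf` carries `URI ldap:// ldaps://` and the verification step is `ldapsearch -Z`, which issues StartTLS over a plain `ldap://` connection. With this rc.conf the `ldap://` URI cannot connect and StartTLS on an already-encrypted `ldaps://` session is meaningless, so the example only succeeds because `-Z` (unlike `-ZZ`) tolerates a StartTLS failure. Either add `ldap:///` to `-h` so StartTLS is actually exercised, or drop `-Z`, test with `ldapsearch -H ldaps://...`, and say which is intended. The hunk also deletes the remark about the user and group slapd runs as without replacing it; keep a sentence saying how the rc script handles that, since dropping privileges is the reason the old text raised it.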
@@ -2399,55 +2391,49 @@ slapd_flags="-4 -h ldaps:///" - - Considering the service should now be responding, as it - is above, the directory may be populated using the - ldapadd command. In this example, there - is a file containing a list of users to be added to this - particular directory. First, create a file to be imported - with the following dataset: - - dn: dc=example,dc=com -objectclass: dcObject -objectclass: organization -o: Example -dc: Example - -dn: cn=Manager,dc=example,dc=com -objectclass: organizationalRole -cn: Manager +# numResponses: 1 - To debug any of the following, stop the - slapd service using the - service command and start it using with - debugging options. To accomplish this, issue the following - command: + If the command fails and the configuration looks + correct, stop the + slapd service and restart it with + debugging options: - &prompt.root; /usr/local/libexec/slapd -d -1 + &prompt.root; service slapd stop +&prompt.root; /usr/local/libexec/slapd -d -1 - To import this datafile, issue the following command, - assuming the file is import.ldif: + Once the service is responding, + the directory can be populated using + ldapadd. In this example, + a file containing this list of users is first created. Each + user should use the following format: - &prompt.root; ldapadd -Z -D "cn=Manager,dc=example,dc=com" -W -f import.ldif + dn: dc=example,dc=com +objectclass: dcObject +objectclass: organization +o: Example +dc: Example + +dn: cn=Manager,dc=example,dc=com +objectclass: organizationalRole +cn: Manager - There will be a request for the password specified - earlier, and the output should look like this: + To import this file, specify the file name. 
+ The following command will prompt for the password specified + earlier and the output should look something like this: - Enter LDAP Password: + &prompt.root; ldapadd -Z -D "cn=Manager,dc=example,dc=com" -W -f import.ldif +Enter LDAP Password: adding new entry "dc=example,dc=com" adding new entry "cn=Manager,dc=example,dc=com" Verify the data was added by issuing a search on the - server using ldapsearch. In this case - the output should look like this: - - &prompt.user; ldapsearch -Z + server using ldapsearch: - # extended LDIF + &prompt.user; ldapsearch -Z +# extended LDIF # # LDAPv3 # base <dc=example,dc=com> (default) with scope subtree @@ -2474,9 +2460,7 @@ result: 0 Success # numResponses: 3 # numEntries: 2 - It is of course advisable to read about the structure of - LDAP directories and the various manual - pages mentioned in this section. At this point, the server + At this point, the server should be configured and functioning properly.
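Review bot: the lead-in "a file containing this list of users is first created. Each user should use the following format" does not match the LDIF that follows, which contains no user accounts: it holds the suffix entry `dc=example,dc=com` and the `cn=Manager,dc=example,dc=com` organizationalRole. Say that the file creates the base entry and the Manager role, and that the Manager DN must match the `rootdn` set in slapd.conf, otherwise `ldapadd -D "cn=Manager,dc=example,dc=com" -W` will not bind. "To import this file, specify the file name." is also too vague; the name `import.ldif` only appears inside the command, so write "save it as import.ldif and pass it with -f". On the debugging block, `/usr/local/libexec/slapd -d -1` starts slapd without the `-4 -h ldaps:///` flags from rc.conf, so the debug instance listens on the default `ldap:///` and is not the configuration being tested; tell readers to repeat the same flags after `-d -1`.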
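Review bot: deleting the closing advice to read about LDAP directory structure and the relevant manual pages removes the section's only pointer to further reading; rather than dropping it, fold it into one sentence naming slapd.conf(5), ldap.conf(5), slappasswd(8), ldapadd(1) and ldapsearch(1), so readers can look up the `password-hash`, `rootdn` and `TLS_CIPHER_SUITE` options the section sets without explaining them.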