Date: Tue, 15 Apr 2014 21:22:38 +0000 (UTC)
From: Dru Lavigne <dru@FreeBSD.org>
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r44568 - head/en_US.ISO8859-1/books/handbook/network-servers
Message-ID: <201404152122.s3FLMcGo042243@svn.freebsd.org>
Author: dru
Date: Tue Apr 15 21:22:38 2014
New Revision: 44568

URL: http://svnweb.freebsd.org/changeset/doc/44568

Log:
  White space fix only. Translators can ignore.

  Sponsored by:	iXsystems

Modified:
  head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml

Modified: head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml	Tue Apr 15 21:10:40 2014	(r44567)
+++ head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml	Tue Apr 15 21:22:38 2014	(r44568)
@@ -2145,48 +2145,48 @@ TWO (,hotel,test-domain) <indexterm><primary>LDAP</primary></indexterm> - <para>The Lightweight Directory Access - Protocol (<acronym>LDAP</acronym>) is an application layer protocol used to access, - modify, and authenticate objects using a distributed directory - information service. Think of it as a phone or record book - which stores several levels of hierarchical, homogeneous + <para>The Lightweight Directory Access Protocol + (<acronym>LDAP</acronym>) is an application layer protocol used + to access, modify, and authenticate objects using a distributed + directory information service. Think of it as a phone or record + book which stores several levels of hierarchical, homogeneous information. It is used in Active Directory and <application>OpenLDAP</application> networks and allows users to - access to several levels of internal information utilizing - a single account. For example, email authentication, pulling + access to several levels of internal information utilizing a + single account. For example, email authentication, pulling employee contact information, and internal website - authentication might all make use of a single user account in the - <acronym>LDAP</acronym> server's record base.</para> + authentication might all make use of a single user account in + the <acronym>LDAP</acronym> server's record base.</para> - <para>This section provides a quick start guide for configuring - an <acronym>LDAP</acronym> server on a &os; system. - It assumes that the administrator already has a design plan - which includes the type of information to - store, what that information will be used for, which users should - have access to that information, and how to secure this - information from unauthorized access.</para> + <para>This section provides a quick start guide for configuring an + <acronym>LDAP</acronym> server on a &os; system. 
It assumes + that the administrator already has a design plan which includes + the type of information to store, what that information will be + used for, which users should have access to that information, + and how to secure this information from unauthorized + access.</para> <sect2> <title><acronym>LDAP</acronym> Terminology and Structure</title> <para><acronym>LDAP</acronym> uses several terms which should be - understood before starting the configuration. - All directory entries consist of - a group of <firstterm>attributes</firstterm>. Each of these - attribute sets contains a unique identifier known as a - <firstterm>Distinguished Name</firstterm> (<acronym>DN</acronym>) - which is normally built - from several other attributes such as the common or + understood before starting the configuration. All directory + entries consist of a group of + <firstterm>attributes</firstterm>. Each of these attribute + sets contains a unique identifier known as a + <firstterm>Distinguished Name</firstterm> + (<acronym>DN</acronym>) which is normally built from several + other attributes such as the common or <firstterm>Relative Distinguished Name</firstterm> - (<acronym>RDN</acronym>). - Similar to how directories have absolute and relative paths, - consider a <acronym>DN</acronym> as an absolute path and the - <acronym>RDN</acronym> as the relative path.</para> + (<acronym>RDN</acronym>). Similar to how directories have + absolute and relative paths, consider a <acronym>DN</acronym> + as an absolute path and the <acronym>RDN</acronym> as the + relative path.</para> <para>An example <acronym>LDAP</acronym> entry looks like the - following. This example searches for the entry for the specified user - account (<literal>uid</literal>), organizational unit - (<literal>ou</literal>), and organization + following. 
This example searches for the entry for the + specified user account (<literal>uid</literal>), + organizational unit (<literal>ou</literal>), and organization (<literal>o</literal>):</para> <screen>&prompt.user; <userinput>ldapsearch -xb "uid=<replaceable>trhodes</replaceable>,ou=<replaceable>users</replaceable>,o=<replaceable>example.com</replaceable>"</userinput> @@ -2215,9 +2215,9 @@ result: 0 Success <para>This example entry shows the values for the <literal>dn</literal>, <literal>mail</literal>, <literal>cn</literal>, <literal>uid</literal>, and - <literal>telephoneNumber</literal> - attributes. The <acronym>cn</acronym> attribute - is the <acronym>RDN</acronym>.</para> + <literal>telephoneNumber</literal> attributes. The + <acronym>cn</acronym> attribute is the + <acronym>RDN</acronym>.</para> <para>More information about <acronym>LDAP</acronym> and its terminology can be found at <uri 
@@ -2230,20 +2230,18 @@ result: 0 Success <indexterm><primary>LDAP Server</primary></indexterm> <para>&os; does not provide a built-in <acronym>LDAP</acronym> - server. Begin the configuration by installing the - <package role="port">net/openldap24-server</package> package or - port. Since the port has many configurable - options, it is recommended that the default options are - reviewed to see if the package is sufficient, and to instead - compile the port if any options should be changed. - In most cases, the defaults are fine. - However, if SQL support is needed, this option must be - enabled and the port compiled using the instructions in <xref - linkend="ports-using"/>.</para> - - <para>Next, create the directories to hold the - data and to store the - certificates:</para> + server. Begin the configuration by installing the <package + role="port">net/openldap24-server</package> package or port. + Since the port has many configurable options, it is + recommended that the default options are reviewed to see if + the package is sufficient, and to instead compile the port if + any options should be changed. In most cases, the defaults + are fine. However, if SQL support is needed, this option must + be enabled and the port compiled using the instructions in + <xref linkend="ports-using"/>.</para> + + <para>Next, create the directories to hold the data and to store + the certificates:</para> <screen>&prompt.root; <userinput>mkdir /var/db/openldap-data</userinput> &prompt.root; <userinput>mkdir /usr/local/etc/openldap/private</userinput></screen> 
@@ -2254,21 +2252,20 @@ result: 0 Success <para>The next phase is to configure the certificate authority. The following commands must be executed from - <filename>/usr/local/etc/openldap/private</filename>. - This is important as the file permissions - need to be restrictive and users should not have access to - these files. To create the certificate authority, - start with this command and follow the prompts:</para> + <filename>/usr/local/etc/openldap/private</filename>. This is + important as the file permissions need to be restrictive and + users should not have access to these files. To create the + certificate authority, start with this command and follow the + prompts:</para> <screen>&prompt.root; <userinput>openssl req -days <replaceable>365</replaceable> -nodes -new -x509 -keyout ca.key -out ../ca.crt</userinput></screen> <para>The entries for the prompts may be generic <emphasis>except</emphasis> for the <literal>Common Name</literal>. This entry must be - <emphasis>different</emphasis> than the system hostname. - If this will be a self signed certificate, - prefix the hostname with - <literal>CA</literal> for certificate authority.</para> + <emphasis>different</emphasis> than the system hostname. If + this will be a self signed certificate, prefix the hostname + with <literal>CA</literal> for certificate authority.</para> <para>The next task is to create a certificate signing request and a private key. Input this command and follow the 
@@ -2277,24 +2274,23 @@ result: 0 Success <screen>&prompt.root; <userinput>openssl req -days <replaceable>365</replaceable> -nodes -new -keyout server.key -out server.csr</userinput></screen> <para>During the certificate generation process, be sure to - correctly set the <literal>Common Name</literal> attribute. Once - complete, sign the key:</para> + correctly set the <literal>Common Name</literal> attribute. + Once complete, sign the key:</para> <screen>&prompt.root; <userinput>openssl x509 -req -days <replaceable>365</replaceable> -in server.csr -out ../server.crt -CA ../ca.crt -CAkey ca.key -CAcreateserial</userinput></screen> - <para>The final part of the certificate generation process - is to generate and sign the client certificates:</para> + <para>The final part of the certificate generation process is to + generate and sign the client certificates:</para> <screen>&prompt.root; <userinput>openssl req -days <replaceable>365</replaceable> -nodes -new -keyout client.key -out client.csr</userinput> &prompt.root; <userinput>openssl x509 -req -days 3650 -in client.csr -out ../client.crt -CA ../ca.crt -CAkey ca.key</userinput></screen> <para>Remember to use the same <literal>Common Name</literal> - attribute when prompted. - When finished, ensure - that a total of eight (8) new files have been generated - through the proceeding commands. If so, the next step is to - edit <filename>/usr/local/etc/openldap/slapd.conf</filename> - and add the following options:</para> + attribute when prompted. When finished, ensure that a total + of eight (8) new files have been generated through the + proceeding commands. If so, the next step is to edit + <filename>/usr/local/etc/openldap/slapd.conf</filename> and + add the following options:</para> <programlisting>TLSCipherSuite HIGH:MEDIUM:+SSLv3 TLSCertificateFile /usr/local/etc/openldap/server.crt 
@@ -2302,18 +2298,17 @@ TLSCertificateKeyFile /usr/local/etc/ope TLSCACertificateFile /usr/local/etc/openldap/ca.crt</programlisting> <para>Then, edit - <filename>/usr/local/etc/openldap/ldap.conf</filename> and - add the following lines:</para> + <filename>/usr/local/etc/openldap/ldap.conf</filename> and add + the following lines:</para> <programlisting>TLS_CACERT /usr/local/etc/openldap/ca.crt TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv3</programlisting> <para>While editing this file, uncomment the following entries - and set them to the desired values: - <option>BASE</option>, - <option>URI</option>, <option>SIZELIMIT</option> - and <option>TIMELIMIT</option>. Set the - <option>URI</option> to contain <option>ldap://</option> and + and set them to the desired values: <option>BASE</option>, + <option>URI</option>, <option>SIZELIMIT</option> and + <option>TIMELIMIT</option>. Set the <option>URI</option> to + contain <option>ldap://</option> and <option>ldaps://</option>. Then, add two entries pointing to the certificate authority. When finished, the entries should look similar to the following:</para> @@ -2332,10 +2327,9 @@ TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv3</pro <screen>&prompt.root; <userinput>slappasswd -h "{SHA}" >> /usr/local/etc/openldap/slapd.conf</userinput></screen> - <para>This command will prompt for the password and, - if the process does not fail, a password hash will be added - to the end of <filename>slapd.conf</filename>. - Several hashing + <para>This command will prompt for the password and, if the + process does not fail, a password hash will be added to the + end of <filename>slapd.conf</filename>. Several hashing formats are supported. Refer to the manual page for <command>slappasswd</command> for more information.</para> 
@@ -2346,15 +2340,16 @@ TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv3</pro <programlisting>password-hash {sha} allow bind_v2</programlisting> - <para>The <option>suffix</option> in this file must - be updated to match the <option>BASE</option> used in - <filename>/usr/local/etc/openldap/ldap.conf</filename> and <option>rootdn</option> - should also be set. A recommended value for <option>rootdn</option> is something like + <para>The <option>suffix</option> in this file must be updated + to match the <option>BASE</option> used in + <filename>/usr/local/etc/openldap/ldap.conf</filename> and + <option>rootdn</option> should also be set. A recommended + value for <option>rootdn</option> is something like <option>cn=Manager</option>. Before saving this file, place - the <option>rootpw</option> in front of the password - output from <command>slappasswd</command> and delete the - old <option>rootpw</option> option above. The end result - should look similar to this:</para> + the <option>rootpw</option> in front of the password output + from <command>slappasswd</command> and delete the old + <option>rootpw</option> option above. The end result should + look similar to this:</para> <programlisting>TLSCipherSuite HIGH:MEDIUM:+SSLv3 TLSCertificateFile /usr/local/etc/openldap/server.crt @@ -2363,14 +2358,13 @@ TLSCACertificateFile /usr/local/etc/open rootpw {SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=</programlisting> <para>Finally, enable the <application>OpenLDAP</application> - service in <filename>/etc/rc.conf</filename> and set - the <acronym>URI</acronym>:</para> + service in <filename>/etc/rc.conf</filename> and set the + <acronym>URI</acronym>:</para> <programlisting>slapd_enable="YES" slapd_flags="-4 -h ldaps:///"</programlisting> - <para>At this point the server can be started - and tested:</para> + <para>At this point the server can be started and tested:</para> <screen>&prompt.root; <userinput>service slapd start</userinput></screen> 
@@ -2395,17 +2389,15 @@ result: 32 No such object <note> <para>If the command fails and the configuration looks - correct, stop the - <command>slapd</command> service and restart it with - debugging options:</para> + correct, stop the <command>slapd</command> service and + restart it with debugging options:</para> <screen>&prompt.root; <userinput>service slapd stop</userinput> &prompt.root; <userinput>/usr/local/libexec/slapd -d -1</userinput></screen> </note> - <para>Once the service is responding, - the directory can be populated using - <command>ldapadd</command>. In this example, + <para>Once the service is responding, the directory can be + populated using <command>ldapadd</command>. In this example, a file containing this list of users is first created. Each user should use the following format:</para> @@ -2419,9 +2411,9 @@ dn: cn=<replaceable>Manager</replaceable objectclass: organizationalRole cn: <replaceable>Manager</replaceable></programlisting> - <para>To import this file, specify the file name. - The following command will prompt for the password specified - earlier and the output should look something like this:</para> + <para>To import this file, specify the file name. The following + command will prompt for the password specified earlier and the + output should look something like this:</para> <screen>&prompt.root; <userinput>ldapadd -Z -D "cn=<replaceable>Manager</replaceable>,dc=<replaceable>example</replaceable>,dc=<replaceable>com</replaceable>" -W -f <replaceable>import.ldif</replaceable></userinput> Enter LDAP Password: @@ -2460,8 +2452,8 @@ result: 0 Success # numResponses: 3 # numEntries: 2</screen> - <para>At this point, the server - should be configured and functioning properly.</para> + <para>At this point, the server should be configured and + functioning properly.</para> </sect2> </sect1>
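Review bot: the rewrapped sentence in the @@ -2277,24 +2274,23 @@ hunk still reads "generated through the proceeding commands"; the intended word is "preceding". Because this commit is declared whitespace-only and translators are told to ignore it, the wording is correctly left alone here, but it should be queued for a separate content commit. That follow-up can also look at the unchanged context in the same hunk, where the client certificate is signed with `-days 3650` while every other certificate in the section uses `-days <replaceable>365</replaceable>`.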
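Review bot: "must be <emphasis>different</emphasis> than the system hostname" in the @@ -2254,21 +2252,20 @@ hunk is reflowed but keeps "different than"; "different from" is the usual form and belongs in the same content follow-up. In the @@ -2302,18 +2298,17 @@ hunk the context lines `TLSCipherSuite HIGH:MEDIUM:+SSLv3` and `TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv3` are rightly untouched by a whitespace change, but a cipher list that admits MEDIUM-strength ciphers and references SSLv3 is a questionable recommendation for a section about securing directory data; flag it for review against current TLS guidance in that follow-up.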
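Review bot: the `slappasswd -h "{SHA}"` line in the @@ -2332,10 +2327,9 @@ hunk and the `password-hash {sha}` context in the @@ -2346,15 +2340,16 @@ hunk are unchanged, as they should be in a whitespace commit, but `{SHA}` is unsalted SHA-1; the content follow-up should consider documenting the salted `{SSHA}` scheme for the `rootpw` and `password-hash` examples instead, and the rewrapped `rootpw {SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=` sample would then need to be regenerated to match.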
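Review bot: the DN styles in this section disagree: the search example in the @@ -2145,48 +2145,48 @@ hunk uses `uid=trhodes,ou=users,o=example.com`, while the import in the @@ -2419,9 +2411,9 @@ hunk binds as `cn=Manager,dc=example,dc=com`. Both are unchanged context here, so nothing to fix in this whitespace commit, but the follow-up content commit should align the two so that the `suffix` readers set in `slapd.conf` matches both examples.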