chapter.xml
Show First 20 Lines • Show All 2,239 Lines • ▼ Show 20 Lines | # [...more groups to follow]</programlisting> | ||||
<sect1 xml:id="network-ldap"> | <sect1 xml:id="network-ldap"> | ||||
<info> | <info> | ||||
<title>Lightweight Directory Access Protocol | <title>Lightweight Directory Access Protocol | ||||
(<acronym>LDAP</acronym>)</title> | (<acronym>LDAP</acronym>)</title> | ||||
<authorgroup> | <authorgroup> | ||||
<author> | <author> | ||||
<personname> | <personname> | ||||
<firstname>Rocky</firstname> | |||||
<surname>Hotas</surname> | |||||
</personname> | |||||
<contrib>Draft by </contrib> | |||||
</author> | |||||
</authorgroup> | |||||
<authorgroup> | |||||
<author> | |||||
<personname> | |||||
<firstname>Tom</firstname> | <firstname>Tom</firstname> | ||||
<surname>Rhodes</surname> | <surname>Rhodes</surname> | ||||
</personname> | </personname> | ||||
<contrib>Written by </contrib> | <contrib>Originally contributed by </contrib> | ||||
</author> | </author> | ||||
</authorgroup> | </authorgroup> | ||||
</info> | </info> | ||||
<indexterm><primary>LDAP</primary></indexterm> | <indexterm><primary>LDAP</primary></indexterm> | ||||
<para>The Lightweight Directory Access Protocol | <para>The Lightweight Directory Access Protocol | ||||
(<acronym>LDAP</acronym>) is an application layer protocol used | (<acronym>LDAP</acronym>) is an application layer protocol used | ||||
▲ Show 20 Lines • Show All 71 Lines • ▼ Show 20 Lines | <acronym>RDN</acronym>.</para> | ||||
<para>More information about <acronym>LDAP</acronym> and its | <para>More information about <acronym>LDAP</acronym> and its | ||||
terminology can be found at <uri | terminology can be found at <uri | ||||
xlink:href="http://www.openldap.org/doc/admin24/intro.html">http://www.openldap.org/doc/admin24/intro.html</uri>.</para> | xlink:href="http://www.openldap.org/doc/admin24/intro.html">http://www.openldap.org/doc/admin24/intro.html</uri>.</para> | ||||
</sect2> | </sect2> | ||||
<sect2 xml:id="ldap-config"> | <sect2 xml:id="ldap-config"> | ||||
<title>Configuring an <acronym>LDAP</acronym> Server</title> | <title>Configuring an <acronym>LDAP</acronym> Server</title> | ||||
wblock: This colon just splices two sentences together. Please just use short, separate sentences. | |||||
<indexterm><primary>LDAP Server</primary></indexterm> | <indexterm><primary>LDAP Server</primary></indexterm> | ||||
wblock: What does "default package" mean? "can be" is passive. Please do not say "simply", it can be seen as patronizing by someone who does not find the process simple. "with" is a little odd. | 
<para>&os; does not provide a built-in <acronym>LDAP</acronym> | <para>&os; does not provide a built-in <acronym>LDAP</acronym> | ||||
server. Begin the configuration by installing the <package | server. Begin the configuration by installing <package | ||||
role="port">net/openldap24-server</package> package or port. | role="port">net/openldap-server</package> package or | ||||
wblock: If we need to tell the user that they must be root, it should be done before they are told to run the command. But I doubt that it is necessary in... well, whatever chapter this is. Advanced Networking, I think, but there is no context. Please see https://wiki.freebsd.org/action/show/Phabricator?action=show&redirect=CodeReview about including context with diffs. It is also useful to generate the diff from the top-level doc directory so the path to the file includes the parent directory with the chapter name. PS: "root shell" is a vague term. Elsewhere, we just tell people to run commands as root. | 
rockyhotas_post.com: I still have problems running from the top of the source tree, but anyway I increased the context in the diff. | 
rockyhotas_post.com: As specified in the summary, it is the "28.5. Lightweight Directory Access Protocol (LDAP)" chapter of the Handbook. This is the source file: https://svnweb.freebsd.org/doc/head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml?view=log | 
Since the port has many configurable options, it is | port: | ||||
wblock: As above, probably not necessary. | 
recommended that the default options are reviewed to see if | |||||
the package is sufficient, and to instead compile the port if | |||||
any options should be changed. In most cases, the defaults | |||||
are fine. However, if SQL support is needed, this option must | |||||
be enabled and the port compiled using the instructions in | |||||
<xref linkend="ports-using"/>.</para> | |||||
<para>Next, create the directories to hold the data and to store | <screen>&prompt.root; <userinput>pkg install openldap-server</userinput></screen> | ||||
the certificates:</para> | |||||
<screen>&prompt.root; <userinput>mkdir /var/db/openldap-data</userinput> | There is a large set of default options enabled in | ||||
&prompt.root; <userinput>mkdir /usr/local/etc/openldap/private</userinput></screen> | the <link | ||||
xlink:href="&url.articles.linux-users;/software.html"> | |||||
package</link>. To review them: | |||||
<command>pkg info openldap-server</command>. If they are not | |||||
sufficient (for example if SQL support is needed), please | |||||
wblock: Please avoid asides (interruptions in parentheses, like this one) as they interrupt the flow of sentences and the train of thought. Try to avoid listing or labeling steps with "first" and "next" and "then", these usually add no value and make for a halting sentence. <para>Create directories to hold the data and certificates:</para> | 
consider recompiling the port using the appropriate <link | |||||
sevan: "If the directories to store the data and certificates do not exist already, create them with:" | 
xlink:href="&url.books.handbook;/ports-using.html"> | |||||
framework</link>.</para> | |||||
<para>Copy over the database configuration file:</para> | <para>The installation creates the directory | ||||
<filename>/var/db/openldap-data</filename> to hold the data. | |||||
wblock: Avoid "should" unless making a recommendation. I can't tell what it is recommending here, a name or location or something else. | 
The directory to store the certificates must be | |||||
created:</para> | |||||
<screen>&prompt.root; <userinput>cp /usr/local/etc/openldap/DB_CONFIG.example /var/db/openldap-data/DB_CONFIG</userinput></screen> | <screen>&prompt.root; <userinput>mkdir /usr/local/etc/openldap/private</userinput></screen> | ||||
wblock: "Anyway"? "may" is usually used for permission, "might" means the possibility of something happening. I don't understand what this sentence is trying to say. | 
rockyhotas_post.com: The old guide expects that a DB_CONFIG.example file is saved in the mentioned directory. But the package doesn't carry such a file, so there is a mismatch between the guide and the package. The sentence is saying: "if you installed openldap24-server but the file doesn't exist, try to download it". | 
<para>The next phase is to configure the certificate authority. | <para>The next phase is to configure the certificate authority. | ||||
The following commands must be executed from | The following commands must be executed from | ||||
wblock: Indentation problems, and the caption of the link hides the URL instead of naming it. | 
<filename>/usr/local/etc/openldap/private</filename>. This is | <filename>/usr/local/etc/openldap/private</filename>. This is | ||||
important as the file permissions need to be restrictive and | important as the file permissions need to be restrictive and | ||||
users should not have access to these files. To create the | users should not have access to these files. More detailed | ||||
information about certificates and their parameters can be | |||||
found in <xref linkend="openssl"/>. To create the | |||||
certificate authority, start with this command and follow the | certificate authority, start with this command and follow the | ||||
prompts:</para> | prompts:</para> | ||||
<screen>&prompt.root; <userinput>openssl req -days <replaceable>365</replaceable> -nodes -new -x509 -keyout ca.key -out ../ca.crt</userinput></screen> | <screen>&prompt.root; <userinput>openssl req -days <replaceable>365</replaceable> -nodes -new -x509 -keyout ca.key -out ../ca.crt</userinput></screen> | ||||
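Review bot: The paragraph states that permissions on /usr/local/etc/openldap/private must be restrictive because ca.key and server.key are kept there, but the only command that creates the directory is a bare mkdir, which leaves the default mode. Suggest creating it with `mkdir -m 700 /usr/local/etc/openldap/private` (or adding a chmod step) so the text and the commands agree, and noting that the `-out ../ca.crt` form writes the public certificate to the parent directory, where a world-readable mode is fine.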
wblock: Please avoid the informal "you": https://www.freebsd.org/doc/en_US.ISO8859-1/books/fdp-primer/writing-style.html | 
<para>The entries for the prompts may be generic | <para>The entries for the prompts may be generic | ||||
<emphasis>except</emphasis> for the | <emphasis>except</emphasis> for the | ||||
<literal>Common Name</literal>. This entry must be | <literal>Common Name</literal>. This entry must be | ||||
<emphasis>different</emphasis> than the system hostname. If | <emphasis>different</emphasis> than the system hostname. If | ||||
this will be a self signed certificate, prefix the hostname | this will be a self signed certificate, prefix the hostname | ||||
with <literal>CA</literal> for certificate authority.</para> | with <literal>CA</literal> for certificate authority.</para> | ||||
<para>The next task is to create a certificate signing request | <para>The next task is to create a certificate signing request | ||||
and a private key. Input this command and follow the | and a private key. Input this command and follow the | ||||
prompts:</para> | prompts:</para> | ||||
remko: There is a strange space between the and OpenLDAP... | 
<screen>&prompt.root; <userinput>openssl req -days <replaceable>365</replaceable> -nodes -new -keyout server.key -out server.csr</userinput></screen> | <screen>&prompt.root; <userinput>openssl req -days <replaceable>365</replaceable> -nodes -new -keyout server.key -out server.csr</userinput></screen> | ||||
<para>During the certificate generation process, be sure to | <para>During the certificate generation process, be sure to | ||||
correctly set the <literal>Common Name</literal> attribute. | correctly set the <literal>Common Name</literal> attribute. | ||||
Once complete, sign the key:</para> | The Certificate Signing Request must be signed with the | ||||
Certificate Authority in order to be used as a valid | |||||
certificate:</para> | |||||
<screen>&prompt.root; <userinput>openssl x509 -req -days <replaceable>365</replaceable> -in server.csr -out ../server.crt -CA ../ca.crt -CAkey ca.key -CAcreateserial</userinput></screen> | <screen>&prompt.root; <userinput>openssl x509 -req -days <replaceable>365</replaceable> -in server.csr -out ../server.crt -CA ../ca.crt -CAkey ca.key -CAcreateserial</userinput></screen> | ||||
<para>The final part of the certificate generation process is to | <para>The final part of the certificate generation process is to | ||||
generate and sign the client certificates:</para> | generate and sign the client certificates:</para> | ||||
<screen>&prompt.root; <userinput>openssl req -days <replaceable>365</replaceable> -nodes -new -keyout client.key -out client.csr</userinput> | <screen>&prompt.root; <userinput>openssl req -days <replaceable>365</replaceable> -nodes -new -keyout client.key -out client.csr</userinput> | ||||
&prompt.root; <userinput>openssl x509 -req -days 3650 -in client.csr -out ../client.crt -CA ../ca.crt -CAkey ca.key</userinput></screen> | &prompt.root; <userinput>openssl x509 -req -days 3650 -in client.csr -out ../client.crt -CA ../ca.crt -CAkey ca.key</userinput></screen> | ||||
<para>Remember to use the same <literal>Common Name</literal> | <para>Remember to use the same <literal>Common Name</literal> | ||||
attribute when prompted. When finished, ensure that a total | attribute when prompted. When finished, ensure that a total | ||||
of eight (8) new files have been generated through the | of eight (8) new files have been generated through the | ||||
proceeding commands. If so, the next step is to edit | proceeding commands.</para> | ||||
<filename>/usr/local/etc/openldap/slapd.conf</filename> and | |||||
add the following options:</para> | |||||
<programlisting>TLSCipherSuite HIGH:MEDIUM:+SSLv3 | <para>The daemon running the OpenLDAP server is | ||||
TLSCertificateFile /usr/local/etc/openldap/server.crt | <filename>slapd</filename>. Its configuration can be | ||||
TLSCertificateKeyFile /usr/local/etc/openldap/private/server.key | performed through a <filename>slapd.conf</filename> | ||||
TLSCACertificateFile /usr/local/etc/openldap/ca.crt</programlisting> | configuration file, or through a database file | ||||
<filename>slapd.ldif</filename>. | |||||
The former way is deprecated by OpenLDAP:</para> | |||||
<para>Then, edit | <tip> | ||||
<filename>/usr/local/etc/openldap/ldap.conf</filename> and add | <para>The use of <filename>slapd.ldif</filename> is | ||||
the following lines:</para> | strongly recommended.</para> | ||||
</tip> | |||||
<programlisting>TLS_CACERT /usr/local/etc/openldap/ca.crt | <para>Configuration examples for | ||||
remko: to create even the -> to create the | 
TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv3</programlisting> | <filename>slapd.ldif</filename> can be found <link xlink:href= | ||||
"http://www.openldap.org/doc/admin24/slapdconf2.html"> | |||||
here</link> and in | |||||
<filename>/usr/local/etc/openldap/slapd.ldif.sample</filename>. | |||||
Each part of this file is uniquely identified through a | |||||
<literal>dn:</literal> (Distinguished Name), beginning with the | |||||
<emphasis>global configuration</emphasis> entry. Be sure that | |||||
no blank lines are between the <literal>dn:</literal> statement | |||||
and the desired end of the section. Options are documented in | |||||
<link xlink:href="https://www.freebsd.org/cgi/man.cgi?query=slapd-config&manpath=FreeBSD+11.0-RELEASE+and+Ports"> | |||||
slapd-config(5)</link>. In the following example, TLS will | |||||
bcr: There must not be a space between the closing > and slapd-config(5)</link>. Even though the link is long and the page can not be broken earlier, it must be there or there is a visual extra space in the output. | 
be used to implement a secure channel.</para> | |||||
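Review bot: slapd.ldif is called a database file here, but it is the LDIF source that the later `slapadd -n0 -F ... -l ...` step loads into the slapd.d configuration directory; saying so at this point would stop readers looking for a database. The sentence about blank lines could also state the rule directly: a blank line terminates an LDIF entry, so one placed inside an entry splits it in two.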
<para>While editing this file, uncomment the following entries | <programlisting># | ||||
and set them to the desired values: <option>BASE</option>, | # See slapd-config(5) for details on configuration options. | ||||
<option>URI</option>, <option>SIZELIMIT</option> and | # This file should NOT be world readable. | ||||
<option>TIMELIMIT</option>. Set the <option>URI</option> to | # | ||||
contain <option>ldap://</option> and | dn: cn=config | ||||
<option>ldaps://</option>. Then, add two entries pointing to | objectClass: olcGlobal | ||||
the certificate authority. When finished, the entries should | cn: config | ||||
look similar to the following:</para> | # | ||||
# | |||||
# Define global ACLs to disable default read access. | |||||
# | |||||
olcArgsFile: /var/run/openldap/slapd.args | |||||
olcPidFile: /var/run/openldap/slapd.pid | |||||
olcTLSCertificateFile: /usr/local/etc/openldap/server.crt | |||||
olcTLSCertificateKeyFile: /usr/local/etc/openldap/private/server.key | |||||
olcTLSCACertificateFile: /usr/local/etc/openldap/ca.crt | |||||
#olcTLSCipherSuite: HIGH | |||||
olcTLSProtocolMin: 3.1 | |||||
olcTLSVerifyClient: never</programlisting> | |||||
<programlisting>BASE dc=example,dc=com | <para>The Certificate Authority, server certificate and server | ||||
URI ldap:// ldaps:// | private key files must be specified here. It is recommended | ||||
remko: These two lines can be wrapped to the previous lines and redone. | 
to let the clients choose the security cipher and omit option | |||||
<literal>olcTLSCipherSuite</literal> (incompatible with TLS | |||||
clients other than <filename>openssl</filename>). Option | |||||
<literal>olcTLSProtocolMin</literal> lets the server require a | |||||
minimum security level: it is recommended. While | |||||
verification is mandatory for the server, it is not for the | |||||
client: <literal>olcTLSVerifyClient: never</literal>.</para> | |||||
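Review bot: `olcTLSProtocolMin: 3.1` selects TLS 1.0 as the minimum, which is weaker than the sentence recommending it suggests; the encoding (3.1 = TLS 1.0, 3.2 = TLS 1.1, 3.3 = TLS 1.2) should be spelled out so readers can choose a modern minimum unless legacy clients force otherwise. The last sentence is also ambiguous: `olcTLSVerifyClient: never` means the server neither requests nor checks a client certificate, while the server always presents its own certificate for the client to verify; phrasing it that way would be clearer.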
SIZELIMIT 12 | <para>The second part is about the backend modules and can be | ||||
TIMELIMIT 15 | configured as follows:</para> | ||||
TLS_CACERT /usr/local/etc/openldap/ca.crt | <programlisting># | ||||
TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv3</programlisting> | # Load dynamic backend modules: | ||||
# | |||||
dn: cn=module,cn=config | |||||
objectClass: olcModuleList | |||||
cn: module | |||||
olcModulepath: /usr/local/libexec/openldap | |||||
olcModuleload: back_mdb.la | |||||
#olcModuleload: back_bdb.la | |||||
#olcModuleload: back_hdb.la | |||||
#olcModuleload: back_ldap.la | |||||
#olcModuleload: back_passwd.la | |||||
#olcModuleload: back_shell.la</programlisting> | |||||
<para>The default password for the server should then be | <para>The third part is devoted to load the needed <literal> | ||||
changed:</para> | ldif</literal> schemas to be used by the databases: they | ||||
are essential.</para> | |||||
<screen>&prompt.root; <userinput>slappasswd -h "{SHA}" >> /usr/local/etc/openldap/slapd.conf</userinput></screen> | <programlisting>dn: cn=schema,cn=config | ||||
objectClass: olcSchemaConfig | |||||
wollman: Grammar is a bit fractured here. I don't understand what this is saying. (But as a general rule, ciphers that aren't in the "HIGH" set should *never* be used unless absolutely required for compatibility with ancient clients, and even that contains a bunch of ciphers that should not be enabled.) | 
rockyhotas_post.com: Yes, I understand. This part needed a complete rephrasing. As you can see in the new diff, it has been shrunk. Please refer now to the new version of this text. If you think that your suggestion about ciphers and "HIGH" must still be specified, I can add it. | 
wollman: New version looks OK to me. I'd still prefer to see policy enforced on the server side, but if there is a significant population of clients that still can't do modern TLS, then I suppose that suggestion would be counterproductive. | 
cn: schema | |||||
<para>This command will prompt for the password and, if the | include: file:///usr/local/etc/openldap/schema/core.ldif | ||||
process does not fail, a password hash will be added to the | include: file:///usr/local/etc/openldap/schema/cosine.ldif | ||||
remko: Please wrap the previous line with this one and try to make sure that the line does not exceed the max. | 
end of <filename>slapd.conf</filename>. Several hashing | include: file:///usr/local/etc/openldap/schema/inetorgperson.ldif | ||||
formats are supported. Refer to the manual page for | include: file:///usr/local/etc/openldap/schema/nis.ldif</programlisting> | ||||
<command>slappasswd</command> for more information.</para> | |||||
<para>Next, edit | <para>Then, the frontend configuration follows:</para> | ||||
<filename>/usr/local/etc/openldap/slapd.conf</filename> and | |||||
add the following lines:</para> | |||||
<programlisting>password-hash {sha} | <programlisting># Frontend settings | ||||
allow bind_v2</programlisting> | # | ||||
dn: olcDatabase={-1}frontend,cn=config | |||||
objectClass: olcDatabaseConfig | |||||
objectClass: olcFrontendConfig | |||||
olcDatabase: {-1}frontend | |||||
olcAccess: to * by * read | |||||
# | |||||
# Sample global access control policy: | |||||
# Root DSE: allow anyone to read it | |||||
# Subschema (sub)entry DSE: allow anyone to read it | |||||
# Other DSEs: | |||||
# Allow self write access | |||||
# Allow authenticated users read access | |||||
# Allow anonymous users to authenticate | |||||
# | |||||
#olcAccess: to dn.base="" by * read | |||||
#olcAccess: to dn.base="cn=Subschema" by * read | |||||
#olcAccess: to * | |||||
# by self write | |||||
# by users read | |||||
# by anonymous auth | |||||
# | |||||
# if no access controls are present, the default policy | |||||
# allows anyone and everyone to read anything but restricts | |||||
# updates to rootdn. (e.g., "access to * by * read") | |||||
# | |||||
# rootdn can always read and write EVERYTHING! | |||||
# | |||||
olcPasswordHash: {SSHA} | |||||
# {SSHA} is already the default for olcPasswordHash</programlisting> | |||||
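Review bot: The active `olcAccess: to * by * read` in the frontend grants anonymous read access to every entry, including the user data later stored in the mdb database, while the commented sample below it (self write, users read, anonymous auth) is the more restrictive policy. Either explain that the permissive rule is deliberate for a test setup or use the sample block, and point out that frontend access rules are appended to every other database's own rules, so the mdb database, which defines none, inherits this read-all policy.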
<para>The <option>suffix</option> in this file must be updated | <para>The following section describes the configuration | ||||
to match the <option>BASE</option> used in | backend: this will be the <emphasis>only way</emphasis> to | ||||
<filename>/usr/local/etc/openldap/ldap.conf</filename> and | access the global configuration for the system | ||||
<option>rootdn</option> should also be set. A recommended | administrator, once this procedure is completed. Thus, it | ||||
value for <option>rootdn</option> is something like | is <emphasis>extremely important</emphasis> that all the | ||||
<option>cn=Manager</option>. Before saving this file, place | needed options are specified here. In particular, a root | ||||
the <option>rootpw</option> in front of the password output | password must be chosen: together with the default | ||||
from <command>slappasswd</command> and delete the old | administrator username <literal>cn=config</literal>, it will | ||||
<option>rootpw</option>. The end result should | let the server administrator to later edit the configuration | ||||
look similar to this:</para> | as the super-user. Note that, without the specification of | ||||
a <literal>olcRootPW</literal> here, after this file is | |||||
imported as a configuration file for <filename> | |||||
slapd</filename>, no one will be able to modify this | |||||
global configuration. This is highly undesirable. | |||||
If anyway something is wrong with the actual configuration, | |||||
later will be shown a way to delete (and hopefully replace) | |||||
it. | |||||
A password can be generated using <filename> | |||||
bcr: Same as above: no space between <filename> and slappasswd</filename> | 
slappasswd</filename> in a shell and its entire output must | |||||
be used as a value for <literal>olcRootPW</literal>.</para> | |||||
<programlisting>TLSCipherSuite HIGH:MEDIUM:+SSLv3 | <programlisting>dn: olcDatabase={0}config,cn=config | ||||
TLSCertificateFile /usr/local/etc/openldap/server.crt | objectClass: olcDatabaseConfig | ||||
TLSCertificateKeyFile /usr/local/etc/openldap/private/server.key | olcDatabase: {0}config | ||||
TLSCACertificateFile /usr/local/etc/openldap/ca.crt | olcAccess: to * by * none | ||||
rootpw {SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=</programlisting> | olcRootPW: {SSHA}iae+lrQZILpiUdf16Z9KmDmSwT77Dj4U</programlisting> | ||||
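Review bot: The `olcRootPW` value is shown as a concrete {SSHA} hash that readers may paste verbatim, which would leave the configuration database protected by a password they do not know; the chapter already uses <replaceable> for values to substitute (the -days argument above), so mark the hash the same way and state that it must be the slappasswd output for a password chosen by the administrator. The `olcAccess: to * by * none` line deserves a sentence too: it is what makes the rootdn the only identity able to read or change cn=config.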
<para>Finally, enable the <application>OpenLDAP</application> | <para>The last section showed here is about the database | ||||
bcr: s/showed/shown/ | 
service in <filename>/etc/rc.conf</filename> and set the | backend, used for the <emphasis>actual contents</emphasis> | ||||
<acronym>URI</acronym>:</para> | of the <acronym>LDAP</acronym> directory. This database can | ||||
be used to add new groups and users as regards the domain | |||||
<literal>domain.example</literal>. Here, the database type | |||||
<literal>mdb</literal> is used and another super-user is | |||||
specified: it will be only able to modify this database and | |||||
not the previous sections of <filename> | |||||
bcr: And another superfluous space: <filename>slapd.ldif</filename> | 
slapd.ldif</filename>. Here, a username <literal> | |||||
bcr: Here as well. | 
olcRootDN</literal> can be specified, being related to the | |||||
domain. A password can be generated as before.</para> | |||||
<programlisting>slapd_enable="YES" | <programlisting>####################################################################### | ||||
slapd_flags="-4 -h ldaps:///"</programlisting> | # LMDB database definitions | ||||
####################################################################### | |||||
# | |||||
dn: olcDatabase=mdb,cn=config | |||||
objectClass: olcDatabaseConfig | |||||
objectClass: olcMdbConfig | |||||
olcDatabase: mdb | |||||
olcDbMaxSize: 1073741824 | |||||
olcSuffix: dc=domain,dc=example | |||||
olcRootDN: cn=mdbadmin,dc=domain,dc=example | |||||
# Cleartext passwords, especially for the rootdn, should | |||||
# be avoided. See slappasswd(8) and slapd-config(5) for details. | |||||
# Use of strong authentication encouraged. | |||||
olcRootPW: {SSHA}X2wHvIWDk6G76CQyCMS1vDCvtICWgn0+ | |||||
# The database directory MUST exist prior to running slapd AND | |||||
# should only be accessible by the slapd and slap tools. | |||||
# Mode 700 recommended. | |||||
olcDbDirectory: /var/db/openldap-data | |||||
# Indices to maintain | |||||
olcDbIndex: objectClass eq</programlisting> | |||||
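Review bot: The comments in the listing say the database directory should be mode 700 and accessible only to slapd, but the earlier text only states that the package creates /var/db/openldap-data and the paragraph here adds no check; suggest a step that verifies the owner and mode of that directory before slapd is started. The olcRootPW hash in this block should also be marked with <replaceable>, as the chapter does for the -days value, rather than shown as a literal to copy.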
remko: are here specified -> are specified here. | 
<para>At this point the server can be started and tested:</para> | <para>In <link xlink:href= | ||||
"http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=tree;f=tests/data/regressions/its8444;h=8a5e808e63b0de3d2bdaf2cf34fecca8577ca7fd;hb=HEAD"> | |||||
this repository</link>, four examples of <filename> | |||||
bcr: you can break this one like the following:
...longurl>this
repository</link> | 
slapd.ldif</filename> files are available (they are used | |||||
bcr: Let <filename> and slapd.ldif</filename> come closer together here, too. | 
as a 4-way multi master <acronym>LDAP</acronym> server). At | |||||
the bottom of <link | |||||
xlink:href="http://www.openldap.org/doc/admin24/slapdconf2.html"> | |||||
this page</link>, section 5.4, also a way to convert an | |||||
remko: &man.slappaswd.8C; does not exist. &man.slappasswd.8; should be the right one. | 
remko: if we need &man.something then we should add it to the entities for that. There is $base/share/xml/man-refs.ent which has a lot of those entries, also some for external ones like samba-tool. The build system obviously complains because the reference is missing :) | 
bcr: And another space that needs to go. You can break the line between "this" and "page". | 
existing <filename>slapd.conf</filename> into a valid | |||||
<filename>slapd.ldif</filename> is presented. Please note | |||||
that this may introduce some unuseful options.</para> | |||||
<screen>&prompt.root; <userinput>service slapd start</userinput></screen> | <para>Once the <filename>slapd.ldif</filename> configuration | ||||
is completed, this file must be imported in an empty | |||||
directory. It is recommended to create it with the | |||||
following name and location:</para> | |||||
<para>If everything is configured correctly, a search of the | <screen>&prompt.root; <userinput>mkdir /usr/local/etc/openldap/slapd.d/</userinput></screen> | ||||
directory should show a successful connection with a single | |||||
response as in this example:</para> | |||||
<screen>&prompt.root; <userinput>ldapsearch -Z</userinput> | <para>The commands suggested at points 9 and 10 in the <link | ||||
xlink:href="http://www.openldap.org/doc/admin24/quickstart.html"> | |||||
OpenLDAP Quick Start guide</link> (which can anyway be | |||||
bcr: I think we don't need "anyway" here. | 
considered as a reference for all the other operations) are | |||||
currently wrong: instead, it is advisable to use</para> | |||||
<screen>&prompt.root; <userinput>/usr/local/sbin/slapadd -n0 -F /usr/local/etc/openldap/slapd.d/ -l /usr/local/etc/openldap/slapd.ldif</userinput></screen> | |||||
<para>This will import the configuration database. To start | |||||
the slapd daemon,</para> | |||||
<screen>&prompt.root; <userinput>/usr/local/libexec/slapd -F /usr/local/etc/openldap/slapd.d/</userinput></screen> | |||||
<para>Option <literal>-d</literal> can be used for debugging, | |||||
as specified in <link xlink:href= | |||||
"https://www.freebsd.org/cgi/man.cgi?query=slapd&sektion=8&manpath=FreeBSD+11.0-RELEASE+and+Ports"> | |||||
slapd(8)</link>. To verify that the server is running and | |||||
bcr: And one more space to remove. | 
working,</para> | |||||
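Review bot: The old text enabled the service through slapd_enable and slapd_flags in /etc/rc.conf; the replacement starts /usr/local/libexec/slapd by hand, so the daemon will not return after a reboot and nothing limits it to ldaps:// as the old `-h ldaps:///` flag did. Suggest keeping an rc.conf step with `slapd_enable="YES"` and the `-F /usr/local/etc/openldap/slapd.d/` and `-h` arguments in slapd_flags, and starting it with `service slapd start` as the old text did.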
<screen>&prompt.root; <userinput>ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts</userinput> | |||||
# extended LDIF | # extended LDIF | ||||
# | # | ||||
# LDAPv3 | # LDAPv3 | ||||
# base <dc=example,dc=com> (default) with scope subtree | # base <> with scope baseObject | ||||
# filter: (objectclass=*) | # filter: (objectclass=*) | ||||
# requesting: ALL | # requesting: namingContexts | ||||
# | # | ||||
# | |||||
dn: | |||||
namingContexts: dc=domain,dc=example | |||||
# search result | # search result | ||||
search: 3 | search: 2 | ||||
remko: Very long line, please wrap it. | 
result: 32 No such object | result: 0 Success | ||||
# numResponses: 1</screen> | # numResponses: 2 | ||||
# numEntries: 1</screen> | |||||
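Review bot: This check uses `-x` (simple anonymous bind) over plain ldap:// and so never exercises the TLS configuration the section has just built; the old text used `ldapsearch -Z`. Suggest a second check with `-ZZ`, which requires StartTLS to succeed and fails otherwise, once the CA certificate is trusted by the client, so readers confirm the certificate chain and not only that the daemon answers.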
<note> | <para>The server will not still be recognized by any client as | ||||
bcr: s/will not still be/will still not be/ | 
<para>If the command fails and the configuration looks | trusted, anyway. | ||||
correct, stop the <command>slapd</command> service and | The certificates were created in non-standard directories | ||||
bcr: This line needs to be on the one above. Continuing after the "anyway."
restart it with debugging options:</para> | from the point of view of <filename>openssl</filename>. In | ||||
order for <filename>openssl</filename> to work, the | |||||
directories where the certificates are stored must contain | |||||
symbolic links (whose names are composed by a hash) to the | |||||
certificates. Even if some <filename>openssl</filename> | |||||
commands are already available in a FreeBSD base system, it | |||||
bcr: s/FreeBSD/&os;/
s/a/the/
is necessary now to explicitly install the package:</para> | |||||
<screen>&prompt.root; <userinput>service slapd stop</userinput> | <screen>&prompt.root; <userinput>pkg install openssl</userinput></screen> | ||||
&prompt.root; <userinput>/usr/local/libexec/slapd -d -1</userinput></screen> | |||||
</note> | |||||
<para>Once the service is responding, the directory can be | <para>This will provide the <link xlink:href= | ||||
populated using <command>ldapadd</command>. In this example, | "https://www.freebsd.org/cgi/man.cgi?query=c_rehash&manpath=FreeBSD+11.0-RELEASE+and+Ports">c_rehash(1)</link> | ||||
a file containing this list of users is first created. Each | tool. Now run</para> | ||||
user should use the following format:</para> | |||||
<programlisting>dn: dc=<replaceable>example</replaceable>,dc=<replaceable>com</replaceable> | <screen>&prompt.root; <userinput>c_rehash .</userinput></screen> | ||||
objectclass: dcObject | |||||
objectclass: organization | |||||
o: <replaceable>Example</replaceable> | |||||
dc: <replaceable>Example</replaceable> | |||||
dn: cn=<replaceable>Manager</replaceable>,dc=<replaceable>example</replaceable>,dc=<replaceable>com</replaceable> | <para>from the directory where the CA is stored (in this | ||||
objectclass: organizationalRole | example, <filename>/usr/local/etc/openldap</filename>, | ||||
cn: <replaceable>Manager</replaceable></programlisting> | which contains the file <filename>ca.crt</filename>). This | ||||
utility must create a symlink for each | |||||
<filename>.pem</filename>, <filename>.crt</filename>, | |||||
<filename>.crl</filename> or <filename>.cer</filename> file | |||||
in the directory. Only this way <filename> | |||||
server.crt</filename> can be recognized as a valid, trusted | |||||
and acceptable certificate. After having verified that | |||||
symlinks have been created, in order to verify if the server | |||||
certificate is trusted (and this is the operation each | |||||
<acronym>LDAP</acronym> client does before accessing the | |||||
server), run (from the <filename>server.crt</filename> | |||||
directory):</para> | |||||
<para>To import this file, specify the file name. The following | <screen>&prompt.root; <userinput>openssl verify -verbose -CApath . server.crt</userinput></screen> | ||||
command will prompt for the password specified earlier and the | |||||
output should look something like this:</para> | |||||
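Review bot: the c_rehash paragraph overstates what the hashed symlinks achieve ("Only this way server.crt can be recognized as a valid, trusted and acceptable certificate" and "this is the operation each LDAP client does before accessing the server"). The symlinks only let `openssl verify -verbose -CApath . server.crt`, and any other tool pointed at this directory, locate `ca.crt`; an LDAP client trusts the server through the TLS settings of its own client configuration, which the closing paragraph of this section defers to a separate guide. Suggest rewording to: the verify command confirms that `server.crt` chains to `ca.crt`, and the client's trust store is configured separately.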
<screen>&prompt.root; <userinput>ldapadd -Z -D "cn=<replaceable>Manager</replaceable>,dc=<replaceable>example</replaceable>,dc=<replaceable>com</replaceable>" -W -f <replaceable>import.ldif</replaceable></userinput> | <para>If <filename>slapd</filename> was running, it must now | ||||
Enter LDAP Password: | be restarted before using the server. | ||||
adding new entry "dc=example,dc=com" | Please, carefully read the comments included in | ||||
bcr: Move this sentence up one line.
<filename>/usr/local/etc/rc.d/slapd</filename>, to make a | |||||
correct configuration to run <filename>slapd</filename> at | |||||
boot. | |||||
An additional option is needed if the | |||||
bcr: Same here, move the sentence up to start after "boot."
<literal>cn=config</literal> style (that is: the file | |||||
<filename>slapd.ldif</filename>) is used for configuration. | |||||
remko: won' t -> will not
You could put in <filename>/etc/rc.conf</filename> the | |||||
following lines:</para> | |||||
adding new entry "cn=Manager,dc=example,dc=com"</screen> | <programlisting>lapd_enable="YES" | ||||
slapd_flags='-h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ | |||||
ldap://0.0.0.0/"' | |||||
slapd_sockets="/var/run/openldap/ldapi" | |||||
slapd_cn_config="YES"</programlisting> | |||||
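Review bot: two problems in the rc.conf listing. `lapd_enable="YES"` is missing the leading `s` (`slapd_enable="YES"`, as the inline comments already say). More importantly for a section that has just set up certificates, the `-h` list publishes only the `ldapi://` socket and a plain `ldap://0.0.0.0/` listener on every interface: there is no `ldaps://` URL and no statement that StartTLS is required on the `ldap://` port, so a client that omits `-Z` will bind in the clear. Suggest adding `ldaps://0.0.0.0/` (or restricting `ldap://` to localhost) and one sentence saying that simple binds over `ldap://` must use StartTLS. The line break inside the single-quoted `-h` value also ends up inside the value itself; keep both URLs on one line.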
<para>Verify the data was added by issuing a search on the | <para><filename>slapd</filename> does not provide debugging at | ||||
server using <command>ldapsearch</command>:</para> | boot, but <filename>dmesg -a</filename>, <filename> | ||||
/var/log/messages</filename> and (in particular) | |||||
bcr: no space here between <filename> and /var/log/messages</filename>
<filename>/var/log/debug.log</filename> can be checked.</para> | |||||
<screen>&prompt.user; <userinput>ldapsearch -Z</userinput> | <para>The <acronym>LDAP</acronym> users database is still | ||||
# extended LDIF | empty. An example, which adds a group called | ||||
# | <literal>team</literal> and a user called | ||||
# LDAPv3 | <literal>john</literal> to the | ||||
# base <dc=example,dc=com> (default) with scope subtree | <systemitem class="systemname">domain.example</systemitem> | ||||
# filter: (objectclass=*) | database is here provided. Create a file <filename> | ||||
bcr: s/here provided/provided here/
# requesting: ALL | domain.ldif</filename> with the following contents:</para> | ||||
bcr: No space here.
# | |||||
# example.com | <screen>&prompt.root; <userinput>cat domain.ldif</userinput> | ||||
dn: dc=example,dc=com | dn: dc=domain,dc=example | ||||
objectClass: dcObject | objectClass: dcObject | ||||
objectClass: organization | objectClass: organization | ||||
o: Example | o: domain.example | ||||
dc: Example | dc: domain | ||||
# Manager, example.com | dn: ou=groups,dc=domain,dc=example | ||||
dn: cn=Manager,dc=example,dc=com | objectClass: top | ||||
objectClass: organizationalRole | objectClass: organizationalunit | ||||
cn: Manager | ou: groups | ||||
# search result | dn: ou=users,dc=domain,dc=example | ||||
search: 3 | objectClass: top | ||||
result: 0 Success | objectClass: organizationalunit | ||||
ou: users | |||||
# numResponses: 3 | dn: cn=team,ou=groups,dc=domain,dc=example | ||||
# numEntries: 2</screen> | objectClass: top | ||||
objectClass: posixGroup | |||||
joel_lopes-da-silva.com: I think there is a small mistake here. It should probably be: `slapd_enable="YES"`
rockyhotas_post.com: Sure, it is like you wrote: `slapd_enable="YES"`. Thank you
cn: team | |||||
gidNumber: 10001 | |||||
<para>At this point, the server should be configured and | dn: uid=john,ou=users,dc=domain,dc=example | ||||
remko: doesn' t -> does not
functioning properly.</para> | objectClass: top | ||||
objectClass: account | |||||
objectClass: posixAccount | |||||
objectClass: shadowAccount | |||||
cn: John McUser | |||||
uid: john | |||||
uidNumber: 10001 | |||||
gidNumber: 10001 | |||||
homeDirectory: /home/john/ | |||||
loginShell: /usr/bin/bash | |||||
userPassword: secret</screen> | |||||
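Review bot: in the `domain.ldif` listing, `loginShell: /usr/bin/bash` is exactly the missing-shell case the following paragraph warns about: on &os; a bash installed from ports is `/usr/local/bin/bash` and `/usr/bin/bash` does not exist, so either use that path or a base-system shell such as `/bin/sh`. `userPassword: secret` shows a cleartext password where the text itself says the value can be generated with `slappasswd`; showing the `{SSHA}` hash that `slappasswd` prints would avoid teaching cleartext passwords in the directory. Also check that the rendered listing keeps a blank line before every `dn:` line after the first; ldapadd requires a blank line between entries.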
<para>Instead of being <literal>secret</literal>, the password | |||||
in the last line of <filename>domain.ldif</filename> for | |||||
<literal>john</literal> can be generated with | |||||
<filename>slappasswd</filename>. Be careful about the | |||||
default shell path: | |||||
bcr: No line break here.
if it does not exist in the system where the user tries to log | |||||
in, an error can be generated and the user could not be able | |||||
to actually log in. A symlink can be created, or a different | |||||
shell can be used to avoid this. For the structure of the | |||||
<literal>ldif</literal> files and the <acronym>LDAP</acronym> | |||||
directory, see the OpenLDAP documentation. Such data can be | |||||
added to the database using the <literal>mdb</literal> | |||||
administrator:</para> | |||||
<screen>&prompt.root; <userinput>ldapadd -W -D "cn=mdbadmin,dc=domain,dc=example" -f domain.ldif</userinput></screen> | |||||
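Review bot: the `ldapadd -W -D "cn=mdbadmin,dc=domain,dc=example" -f domain.ldif` command is missing `-x`, which the later `ldapmodify -f global_mod -x -D "cn=config" -W` command does include; without `-x`, ldapadd attempts a SASL bind rather than a simple bind with that DN and password. Since the example being removed used `ldapadd -Z ...`, also add `-Z` here, or use the socket from the rc.conf listing with `-H ldapi://%2fvar%2frun%2fopenldap%2fldapi/`, so the mdbadmin password is not sent over the unencrypted `ldap://` listener.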
<para>If instead a global option is to be modified, a | |||||
<emphasis>different user</emphasis> must be considered: as | |||||
anticipated, it is the <emphasis>global</emphasis> | |||||
super-user. Let us assume that the option | |||||
<literal>olcTLSCipherSuite: HIGH:MEDIUM:SSLv3</literal> was | |||||
specified before and now it must be deleted. The | |||||
instructions for the modification can be stored in the file | |||||
<filename>global_mod</filename>. | |||||
It must not contain the previous value of the option to be | |||||
bcr: Move this one up to continue the line.
deleted in the last line: this means that | |||||
<literal>olcTLSCipherSuite: HIGH:MEDIUM:SSLv3</literal> must | |||||
not be included as last line.</para> | |||||
<screen>&prompt.root; <userinput>cat global_mod</userinput> | |||||
dn: cn=config | |||||
changetype: modify | |||||
delete: olcTLSCipherSuite</screen> | |||||
<para>The modifications can be applied with</para> | |||||
<screen>&prompt.root; <userinput>ldapmodify -f global_mod -x -D "cn=config" -W</userinput></screen> | |||||
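Review bot: `ldapmodify -f global_mod -x -D "cn=config" -W` binds as the global super-user (the holder of `olcRootPW` described in the next paragraph) with a simple bind over the default URI, which here is the plain `ldap://` listener from the rc.conf listing; that sends the `cn=config` password unencrypted. Suggest adding `-Z` (the removed `ldapadd -Z` example had it) or `-H ldapi://%2fvar%2frun%2fopenldap%2fldapi/`, and saying once that the same applies to every other `-W` command in this section.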
<para><literal>cn=config</literal> is the | |||||
<literal>dn</literal> (Distinguished Name) of the entry | |||||
(section) of the database to be modified. | |||||
Use <literal>ldapmodify</literal> to delete a single line | |||||
of the database; <literal>ldapdelete</literal> is used to | |||||
delete an entire entry (section) instead. | |||||
Each database section has its own administrator and it must | |||||
bcr: Move this one up, too.
be specified while applying a modification. | |||||
The global super-user, whose name is by default | |||||
bcr: This can also go on the previous line.
<literal>cn=config</literal>, should have a password set by | |||||
<literal>olcRootPW</literal> in the | |||||
<literal>dn: olcDatabase={0}config,cn=config</literal> | |||||
section. It is the one who must used here. If something | |||||
goes wrong, or if this root administrator cannot access the | |||||
configuration backend, it is possible to completeley delete | |||||
the current configuration. It can be done by removing the | |||||
directory that was previously created:</para> | |||||
<screen>&prompt.root; <userinput>rm -rf /usr/local/etc/openldap/slapd.d/</userinput></screen> | |||||
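Review bot: `rm -rf /usr/local/etc/openldap/slapd.d/` needs a preceding "stop slapd" step (the note being removed had `service slapd stop` for this purpose), and the paragraph should say that it discards every change ever applied with `ldapmodify` to `cn=config`, not only the option being debugged, because the configuration is rebuilt from `slapd.ldif` with the `slapadd -n0 -F ... -l slapd.ldif` command shown at the top of this section. The following sentence "it will not have side effects" is therefore inaccurate and should be dropped.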
<para><filename>slapd.ldif</filename> can then be edited and | |||||
imported again. Please note that this procedure | |||||
is not to be considered as ordinary, nor normal: | |||||
bcr: no break here after the colon (:). The "it" will certainly fit into this line and then wrap like normal.
it will not have side effects, but it should be followed | |||||
<emphasis>only</emphasis> when no other solution is | |||||
suitable.</para> | |||||
<para>This is the configuration of the server only. The | |||||
client, which can be the server itself, and/or another | |||||
machine, relies upon other configuration files: a dedicated | |||||
guide must be followed for them.</para> | |||||
</sect2> | </sect2> | ||||
</sect1> | </sect1> | ||||
<sect1 xml:id="network-dhcp"> | <sect1 xml:id="network-dhcp"> | ||||
<!-- | <!-- | ||||
<sect1info> | <sect1info> | ||||
<authorgroup> | <authorgroup> | ||||
<author> | <author> | ||||
<firstname>Greg</firstname> | <firstname>Greg</firstname> | ||||
<surname>Sutter</surname> | <surname>Sutter</surname> | ||||
<contrib>Written by </contrib> | <contrib>Written by </contrib> | ||||
</author> | </author> | ||||
remko: Please do not use contractions. "It will not have side effects".
</authorgroup> | </authorgroup> | ||||
</sect1info> | </sect1info> | ||||
--> | --> | ||||
<title>Dynamic Host Configuration Protocol | <title>Dynamic Host Configuration Protocol | ||||
(<acronym>DHCP</acronym>)</title> | (<acronym>DHCP</acronym>)</title> | ||||
<indexterm> | <indexterm> | ||||
<primary>Dynamic Host Configuration Protocol</primary> | <primary>Dynamic Host Configuration Protocol</primary> | ||||
This colon just splices two sentences together. Please just use short, separate sentences.