Initial editorial pass through config section of LDAP.

Another pass is needed as this section could benefit from either several
sub-headings or procedures.

Sponsored by:	iXsystems
This commit is contained in:
Dru Lavigne 2014-04-15 21:10:40 +00:00
parent e3c64240f5
commit 081f9885f2
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=44567


@ -2285,13 +2285,12 @@ result: 0 Success
<para>The final part of the certificate generation process
is to generate and sign the client certificates:</para>
<screen>&prompt.root; <userinput>openssl req -days <replaceable>365</replaceable> -nodes -new -keyout client.key -out client.csr</userinput></screen>
<screen>&prompt.root; <userinput>openssl req -days <replaceable>365</replaceable> -nodes -new -keyout client.key -out client.csr</userinput>
&prompt.root; <userinput>openssl x509 -req -days 3650 -in client.csr -out ../client.crt -CA ../ca.crt -CAkey ca.key</userinput></screen>
<screen>&prompt.root; <userinput>openssl x509 -req -days 3650 -in client.csr -out ../client.crt -CA ../ca.crt -CAkey ca.key</userinput></screen>
<para>Remember, again, to respect the common name attribute.
This is a common cause for confusion during the first attempt
to configure <acronym>LDAP</acronym>. In addition, ensure
<para>Remember to use the same <literal>Common Name</literal>
attribute when prompted.
When finished, ensure
that a total of eight (8) new files have been generated
through the proceeding commands. If so, the next step is to
edit <filename>/usr/local/etc/openldap/slapd.conf</filename>
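Review bot: the client-signing step at the `openssl x509 -req ... -CA ../ca.crt -CAkey ca.key` line depends on a CA serial file: unless the earlier server-certificate step already created ca.srl, signing fails with an "unable to load serial" error without `-CAcreateserial`, so either add the flag or state the dependency. Also, `-days 365` on `openssl req` has no effect unless `-x509` is given; the client certificate's actual validity is the `-days 3650` on the `x509 -req` line, which should either be shortened or explicitly described as a ten-year lifetime. The paths `../ca.crt` and `ca.key` mix directories; check they match where the earlier steps left the CA key. In the prose, "proceeding commands" should be "preceding commands".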
@ -2302,60 +2301,58 @@ TLSCertificateFile /usr/local/etc/openldap/server.crt
TLSCertificateKeyFile /usr/local/etc/openldap/private/server.key
TLSCACertificateFile /usr/local/etc/openldap/ca.crt</programlisting>
<para>In addition, edit
<para>Then, edit
<filename>/usr/local/etc/openldap/ldap.conf</filename> and
add the following lines:</para>
<programlisting>TLS_CACERT /usr/local/etc/openldap/ca.crt
TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv3</programlisting>
<para>While editing these this file, set the
<option>BASE</option> to the desired values, and uncomment all
three of the <option>URI</option>, <option>SIZELIMIT</option>
and <option>TIMELIMIT</option> options. In addition, set the
<para>While editing this file, uncomment the following entries
and set them to the desired values:
<option>BASE</option>,
<option>URI</option>, <option>SIZELIMIT</option>
and <option>TIMELIMIT</option>. Set the
<option>URI</option> to contain <option>ldap://</option> and
<option>ldaps://</option>.</para>
<para>The resulting file should look similar to the following
shown here:</para>
<option>ldaps://</option>. Then, add two entries pointing to
the certificate authority. When finished, the entries should
look similar to the following:</para>
<programlisting>BASE dc=example,dc=com
URI ldap:// ldaps://
SIZELIMIT 12
TIMELIMIT 15
#DEREF never
TLS_CACERT /usr/local/etc/openldap/ca.crt
TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv3</programlisting>
<para>A password for the server will need to be created as the
default is extremely poor as is normal in this industry. To
do this, issue the following command, sending the output to
<filename>slapd.conf</filename>:</para>
<para>The default password for the server should then be
changed:</para>
<screen>&prompt.root; <userinput>slappasswd -h "{SHA}" &gt;&gt; /usr/local/etc/openldap/slapd.conf</userinput></screen>
<para>There will be a prompt for entering the password and,
<para>This command will prompt for the password and,
if the process does not fail, a password hash will be added
to the end of <filename>slapd.conf</filename>.
<command>slappasswd</command> understands several hashing
formats, refer to its manual page for more information.</para>
Several hashing
formats are supported. Refer to the manual page for
<command>slappasswd</command> for more information.</para>
<para>Edit
<para>Next, edit
<filename>/usr/local/etc/openldap/slapd.conf</filename> and
add the following lines:</para>
<programlisting>password-hash {sha}
allow bind_v2</programlisting>
<para>In addition, the <option>suffix</option> in this file must
be updated to match the <option>BASE</option> from the
previous configuration. The <option>rootdn</option> option
should also be set. A good recommendation is something like
<para>The <option>suffix</option> in this file must
be updated to match the <option>BASE</option> used in
<filename>/usr/local/etc/openldap/ldap.conf</filename> and <option>rootdn</option>
should also be set. A recommended value for <option>rootdn</option> is something like
<option>cn=Manager</option>. Before saving this file, place
the <option>rootpw</option> option in front of the password
output from the <command>slappasswd</command> and delete the
the <option>rootpw</option> in front of the password
output from <command>slappasswd</command> and delete the
old <option>rootpw</option> option above. The end result
should look similar to this:</para>
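Review bot: "add two entries pointing to the certificate authority" is inaccurate: only TLS_CACERT points to the CA, while TLS_CIPHER_SUITE is a cipher list, and `HIGH:MEDIUM:+SSLv3` keeps MEDIUM-strength ciphers enabled, so the text should say what each line does rather than lump them together. `slappasswd -h "{SHA}"` together with `password-hash {sha}` selects unsalted SHA-1 even though slappasswd defaults to the salted {SSHA} scheme; unless there is a reason to downgrade, drop the `-h` option and use `password-hash {SSHA}`. `allow bind_v2` enables legacy LDAPv2 binds and is introduced without explanation; either explain why it is needed or drop it. "A recommended value for rootdn is something like cn=Manager" is misleading, since rootdn must be a full DN under the suffix, e.g. `rootdn "cn=Manager,dc=example,dc=com"`, which is also the DN the later ldapadd example binds as.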
@ -2366,28 +2363,23 @@ TLSCACertificateFile /usr/local/etc/openldap/ca.crt
rootpw {SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=</programlisting>
<para>Finally, enable the <application>OpenLDAP</application>
service in <filename>rc.conf</filename>. At this time,
setting up a <acronym>URI</acronym> and providing the group
and user to run as may be useful. Edit
<filename>/etc/rc.conf</filename> and add the following
lines:</para>
service in <filename>/etc/rc.conf</filename> and set
the <acronym>URI</acronym>:</para>
<programlisting>slapd_enable="YES"
slapd_flags="-4 -h ldaps:///"</programlisting>
<para>At this point the server should be ready to be brought
up and tested. To perform this task, issue the following
command:</para>
<para>At this point the server can be started
and tested:</para>
<screen>&prompt.root; <userinput>service slapd start</userinput></screen>
<para>If everything was configured correctly, a search of the
<para>If everything is configured correctly, a search of the
directory should show a successful connection with a single
response as in this example:</para>
<screen>&prompt.root; <userinput>ldapsearch -Z</userinput></screen>
<programlisting># extended LDIF
<screen>&prompt.root; <userinput>ldapsearch -Z</userinput>
# extended LDIF
#
# LDAPv3
# base &lt;dc=example,dc=com&gt; (default) with scope subtree
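Review bot: `slapd_flags="-4 -h ldaps:///"` starts only the LDAPS listener on port 636, but the ldap.conf URI set in the previous hunk lists `ldap://` first and the test shown here uses `ldapsearch -Z`, i.e. StartTLS, which needs a plain `ldap://` listener on port 389. Either listen on both, `slapd_flags="-4 -h 'ldap:/// ldaps:///'"` (check the quoting against the rc script), or test with `ldapsearch -H ldaps:///` and no `-Z`. It would also help to say that `result: 32 No such object` is the expected outcome at this point only because the base entry has not been added yet.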
@ -2399,55 +2391,49 @@ slapd_flags="-4 -h ldaps:///"</programlisting>
search: 3
result: 32 No such object
# numResponses: 1</programlisting>
<para>Considering the service should now be responding, as it
is above, the directory may be populated using the
<command>ldapadd</command> command. In this example, there
is a file containing a list of users to be added to this
particular directory. First, create a file to be imported
with the following dataset:</para>
<programlisting>dn: dc=example,dc=com
objectclass: dcObject
objectclass: organization
o: Example
dc: Example
dn: cn=Manager,dc=example,dc=com
objectclass: organizationalRole
cn: Manager</programlisting>
# numResponses: 1</screen>
<note>
<para>To debug any of the following, stop the
<command>slapd</command> service using the
<command>service</command> command and start it using with
debugging options. To accomplish this, issue the following
command:</para>
<para>If the command fails and the configuration looks
correct, stop the
<command>slapd</command> service and restart it with
debugging options:</para>
<screen>&prompt.root; <userinput>/usr/local/libexec/slapd -d -1</userinput></screen>
<screen>&prompt.root; <userinput>service slapd stop</userinput>
&prompt.root; <userinput>/usr/local/libexec/slapd -d -1</userinput></screen>
</note>
<para>To import this datafile, issue the following command,
assuming the file is <filename>import.ldif</filename>:</para>
<para>Once the service is responding,
the directory can be populated using
<command>ldapadd</command>. In this example,
a file containing this list of users is first created. Each
user should use the following format:</para>
<screen>&prompt.root; <userinput>ldapadd -Z -D "cn=Manager,dc=example,dc=com" -W -f <replaceable>import.ldif</replaceable></userinput></screen>
<programlisting>dn: dc=<replaceable>example</replaceable>,dc=<replaceable>com</replaceable>
objectclass: dcObject
objectclass: organization
o: <replaceable>Example</replaceable>
dc: <replaceable>Example</replaceable>
<para>There will be a request for the password specified
earlier, and the output should look like this:</para>
dn: cn=<replaceable>Manager</replaceable>,dc=<replaceable>example</replaceable>,dc=<replaceable>com</replaceable>
objectclass: organizationalRole
cn: <replaceable>Manager</replaceable></programlisting>
<screen>Enter LDAP Password:
<para>To import this file, specify the file name.
The following command will prompt for the password specified
earlier and the output should look something like this:</para>
<screen>&prompt.root; <userinput>ldapadd -Z -D "cn=<replaceable>Manager</replaceable>,dc=<replaceable>example</replaceable>,dc=<replaceable>com</replaceable>" -W -f <replaceable>import.ldif</replaceable></userinput>
Enter LDAP Password:
adding new entry "dc=example,dc=com"
adding new entry "cn=Manager,dc=example,dc=com"</screen>
<para>Verify the data was added by issuing a search on the
server using <command>ldapsearch</command>. In this case
the output should look like this:</para>
server using <command>ldapsearch</command>:</para>
<screen>&prompt.user; <userinput>ldapsearch -Z</userinput></screen>
<screen># extended LDIF
<screen>&prompt.user; <userinput>ldapsearch -Z</userinput>
# extended LDIF
#
# LDAPv3
# base &lt;dc=example,dc=com&gt; (default) with scope subtree
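Review bot: "a file containing this list of users is first created. Each user should use the following format" does not describe the LDIF that follows, which creates the base entry and the cn=Manager organizationalRole, not user entries; reword accordingly. As rendered, the two LDIF records have no blank line between them; LDIF requires a blank-line separator, so confirm the source keeps one, otherwise ldapadd rejects the second record. `dc: Example` beside `dc=example` in the DN should use the same case. In the debugging note, `/usr/local/libexec/slapd -d -1` runs slapd directly as root in the foreground, whereas the rc script starts it as the ldap user, so any database files created during a debug run end up root-owned and the service can fail to start afterwards; suggest running it with the same `-u`/`-g` the rc script uses (or fixing ownership afterwards), and noting that `-d -1` logs everything.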
@ -2474,9 +2460,7 @@ result: 0 Success
# numResponses: 3
# numEntries: 2</screen>
<para>It is of course advisable to read about the structure of
<acronym>LDAP</acronym> directories and the various manual
pages mentioned in this section. At this point, the server
<para>At this point, the server
should be configured and functioning properly.</para>
</sect2>
</sect1>
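Review bot: deleting the sentence about reading up on directory structure and "the various manual pages mentioned in this section" removes the only reading pointer at the end of the procedure; keep a one-line reference to those manual pages so the reader knows where to go next.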