svn commit: r44567 - head/en_US.ISO8859-1/books/handbook/network-servers
Dru Lavigne
dru at FreeBSD.org
Tue Apr 15 21:10:40 UTC 2014
Author: dru
Date: Tue Apr 15 21:10:40 2014
New Revision: 44567
URL: http://svnweb.freebsd.org/changeset/doc/44567
Log:
Initial editorial pass through config section of LDAP.
Another pass is needed as this section could benefit from either several
sub-headings or procedures.
Sponsored by: iXsystems
Modified:
head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml
Modified: head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml Tue Apr 15 20:08:59 2014 (r44566)
+++ head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml Tue Apr 15 21:10:40 2014 (r44567)
@@ -2285,13 +2285,12 @@ result: 0 Success
<para>The final part of the certificate generation process
is to generate and sign the client certificates:</para>
- <screen>&prompt.root; <userinput>openssl req -days <replaceable>365</replaceable> -nodes -new -keyout client.key -out client.csr</userinput></screen>
+ <screen>&prompt.root; <userinput>openssl req -days <replaceable>365</replaceable> -nodes -new -keyout client.key -out client.csr</userinput>
+&prompt.root; <userinput>openssl x509 -req -days 3650 -in client.csr -out ../client.crt -CA ../ca.crt -CAkey ca.key</userinput></screen>
- <screen>&prompt.root; <userinput>openssl x509 -req -days 3650 -in client.csr -out ../client.crt -CA ../ca.crt -CAkey ca.key</userinput></screen>
-
- <para>Remember, again, to respect the common name attribute.
- This is a common cause for confusion during the first attempt
- to configure <acronym>LDAP</acronym>. In addition, ensure
+ <para>Remember to use the same <literal>Common Name</literal>
+ attribute when prompted.
+ When finished, ensure
that a total of eight (8) new files have been generated
through the proceeding commands. If so, the next step is to
edit <filename>/usr/local/etc/openldap/slapd.conf</filename>
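Review bot: the new sentence "Remember to use the same Common Name attribute when prompted" no longer says what the Common Name must be the same as, and the line it replaces at least warned that this is a common source of confusion. Suggest naming the reference explicitly, for example "use the same Common Name that was entered for the server certificate (TLS clients compare it against the hostname in the URI)", since a mismatch only surfaces later as a TLS verification failure at the ldapsearch -Z step. Separately, the two commands now combined in one screen carry different lifetimes: -days 365 on openssl req is ignored when producing a CSR (it only takes effect together with -x509), so the client certificate's validity actually comes from -days 3650 on openssl x509 -req. Either drop the first -days or make the two agree so readers are not misled about how long the client certificate is valid.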
@@ -2302,60 +2301,58 @@ TLSCertificateFile /usr/local/etc/openld
TLSCertificateKeyFile /usr/local/etc/openldap/private/server.key
TLSCACertificateFile /usr/local/etc/openldap/ca.crt</programlisting>
- <para>In addition, edit
+ <para>Then, edit
<filename>/usr/local/etc/openldap/ldap.conf</filename> and
add the following lines:</para>
<programlisting>TLS_CACERT /usr/local/etc/openldap/ca.crt
TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv3</programlisting>
- <para>While editing these this file, set the
- <option>BASE</option> to the desired values, and uncomment all
- three of the <option>URI</option>, <option>SIZELIMIT</option>
- and <option>TIMELIMIT</option> options. In addition, set the
+ <para>While editing this file, uncomment the following entries
+ and set them to the desired values:
+ <option>BASE</option>,
+ <option>URI</option>, <option>SIZELIMIT</option>
+ and <option>TIMELIMIT</option>. Set the
<option>URI</option> to contain <option>ldap://</option> and
- <option>ldaps://</option>.</para>
-
- <para>The resulting file should look similar to the following
- shown here:</para>
+ <option>ldaps://</option>. Then, add two entries pointing to
+ the certificate authority. When finished, the entries should
+ look similar to the following:</para>
<programlisting>BASE dc=example,dc=com
URI ldap:// ldaps://
SIZELIMIT 12
TIMELIMIT 15
-#DEREF never
TLS_CACERT /usr/local/etc/openldap/ca.crt
TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv3</programlisting>
- <para>A password for the server will need to be created as the
- default is extremely poor as is normal in this industry. To
- do this, issue the following command, sending the output to
- <filename>slapd.conf</filename>:</para>
+ <para>The default password for the server should then be
+ changed:</para>
<screen>&prompt.root; <userinput>slappasswd -h "{SHA}" >> /usr/local/etc/openldap/slapd.conf</userinput></screen>
- <para>There will be a prompt for entering the password and,
+ <para>This command will prompt for the password and,
if the process does not fail, a password hash will be added
to the end of <filename>slapd.conf</filename>.
- <command>slappasswd</command> understands several hashing
- formats, refer to its manual page for more information.</para>
+ Several hashing
+ formats are supported. Refer to the manual page for
+ <command>slappasswd</command> for more information.</para>
- <para>Edit
+ <para>Next, edit
<filename>/usr/local/etc/openldap/slapd.conf</filename> and
add the following lines:</para>
<programlisting>password-hash {sha}
allow bind_v2</programlisting>
- <para>In addition, the <option>suffix</option> in this file must
- be updated to match the <option>BASE</option> from the
- previous configuration. The <option>rootdn</option> option
- should also be set. A good recommendation is something like
+ <para>The <option>suffix</option> in this file must
+ be updated to match the <option>BASE</option> used in
+ <filename>/usr/local/etc/openldap/ldap.conf</filename> and <option>rootdn</option>
+ should also be set. A recommended value for <option>rootdn</option> is something like
<option>cn=Manager</option>. Before saving this file, place
- the <option>rootpw</option> option in front of the password
- output from the <command>slappasswd</command> and delete the
+ the <option>rootpw</option> in front of the password
+ output from <command>slappasswd</command> and delete the
old <option>rootpw</option> option above. The end result
should look similar to this:</para>
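Review bot: "Then, add two entries pointing to the certificate authority" is wrong for the second entry: only TLS_CACERT points at ca.crt, while TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv3 selects cipher suites. Suggest "add an entry pointing to the certificate authority and an entry selecting the TLS cipher suites". Two values shown in this hunk also deserve a sentence rather than silent copy-paste: slappasswd -h "{SHA}" together with password-hash {sha} produces unsalted SHA-1 hashes, whereas slappasswd's default {SSHA} scheme is salted and is the better recommendation for rootpw; and a cipher string containing MEDIUM and +SSLv3 admits weak and SSLv3-era suites, so readers should be told it is a starting point to tighten, not a hardened setting. Finally, rootdn is recommended as "something like cn=Manager" while the ldapadd example later in the file binds as cn=Manager,dc=example,dc=com; that bind only gets rootpw privileges if rootdn is exactly that DN, so consider showing the full DN under the suffix here.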
@@ -2366,28 +2363,23 @@ TLSCACertificateFile /usr/local/etc/open
rootpw {SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=</programlisting>
<para>Finally, enable the <application>OpenLDAP</application>
- service in <filename>rc.conf</filename>. At this time,
- setting up a <acronym>URI</acronym> and providing the group
- and user to run as may be useful. Edit
- <filename>/etc/rc.conf</filename> and add the following
- lines:</para>
+ service in <filename>/etc/rc.conf</filename> and set
+ the <acronym>URI</acronym>:</para>
<programlisting>slapd_enable="YES"
slapd_flags="-4 -h ldaps:///"</programlisting>
- <para>At this point the server should be ready to be brought
- up and tested. To perform this task, issue the following
- command:</para>
+ <para>At this point the server can be started
+ and tested:</para>
<screen>&prompt.root; <userinput>service slapd start</userinput></screen>
- <para>If everything was configured correctly, a search of the
+ <para>If everything is configured correctly, a search of the
directory should show a successful connection with a single
response as in this example:</para>
- <screen>&prompt.root; <userinput>ldapsearch -Z</userinput></screen>
-
- <programlisting># extended LDIF
+ <screen>&prompt.root; <userinput>ldapsearch -Z</userinput>
+# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> (default) with scope subtree
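Review bot: the rewrite of the rc.conf paragraph drops the sentence suggesting a user and group for slapd to run as, which was the only least-privilege hint in this section; since slapd_flags never showed those settings anyway, either restore them as concrete rc.conf entries in the planned follow-up pass or drop the advice deliberately rather than silently. Also, slapd_flags="-4 -h ldaps:///" starts a listener on ldaps only, yet the ldap.conf example in the previous hunk lists URI ldap:// ldaps:// and the test shown here is ldapsearch -Z, which requests StartTLS and is only meaningful on a plain ldap:// connection. Worth confirming that the flags and the test command agree, for example -h "ldap:/// ldaps:///" if StartTLS is the intended path, or a test that uses the ldaps URI without -Z.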
@@ -2399,55 +2391,49 @@ slapd_flags="-4 -h ldaps:///"</programli
search: 3
result: 32 No such object
-# numResponses: 1</programlisting>
-
- <para>Considering the service should now be responding, as it
- is above, the directory may be populated using the
- <command>ldapadd</command> command. In this example, there
- is a file containing a list of users to be added to this
- particular directory. First, create a file to be imported
- with the following dataset:</para>
-
- <programlisting>dn: dc=example,dc=com
-objectclass: dcObject
-objectclass: organization
-o: Example
-dc: Example
-
-dn: cn=Manager,dc=example,dc=com
-objectclass: organizationalRole
-cn: Manager</programlisting>
+# numResponses: 1</screen>
<note>
- <para>To debug any of the following, stop the
- <command>slapd</command> service using the
- <command>service</command> command and start it using with
- debugging options. To accomplish this, issue the following
- command:</para>
+ <para>If the command fails and the configuration looks
+ correct, stop the
+ <command>slapd</command> service and restart it with
+ debugging options:</para>
- <screen>&prompt.root; <userinput>/usr/local/libexec/slapd -d -1</userinput></screen>
+ <screen>&prompt.root; <userinput>service slapd stop</userinput>
+&prompt.root; <userinput>/usr/local/libexec/slapd -d -1</userinput></screen>
</note>
- <para>To import this datafile, issue the following command,
- assuming the file is <filename>import.ldif</filename>:</para>
+ <para>Once the service is responding,
+ the directory can be populated using
+ <command>ldapadd</command>. In this example,
+ a file containing this list of users is first created. Each
+ user should use the following format:</para>
- <screen>&prompt.root; <userinput>ldapadd -Z -D "cn=Manager,dc=example,dc=com" -W -f <replaceable>import.ldif</replaceable></userinput></screen>
+ <programlisting>dn: dc=<replaceable>example</replaceable>,dc=<replaceable>com</replaceable>
+objectclass: dcObject
+objectclass: organization
+o: <replaceable>Example</replaceable>
+dc: <replaceable>Example</replaceable>
+
+dn: cn=<replaceable>Manager</replaceable>,dc=<replaceable>example</replaceable>,dc=<replaceable>com</replaceable>
+objectclass: organizationalRole
+cn: <replaceable>Manager</replaceable></programlisting>
- <para>There will be a request for the password specified
- earlier, and the output should look like this:</para>
+ <para>To import this file, specify the file name.
+ The following command will prompt for the password specified
+ earlier and the output should look something like this:</para>
- <screen>Enter LDAP Password:
+ <screen>&prompt.root; <userinput>ldapadd -Z -D "cn=<replaceable>Manager</replaceable>,dc=<replaceable>example</replaceable>,dc=<replaceable>com</replaceable>" -W -f <replaceable>import.ldif</replaceable></userinput>
+Enter LDAP Password:
adding new entry "dc=example,dc=com"
adding new entry "cn=Manager,dc=example,dc=com"</screen>
<para>Verify the data was added by issuing a search on the
- server using <command>ldapsearch</command>. In this case
- the output should look like this:</para>
-
- <screen>&prompt.user; <userinput>ldapsearch -Z</userinput></screen>
+ server using <command>ldapsearch</command>:</para>
- <screen># extended LDIF
+ <screen>&prompt.user; <userinput>ldapsearch -Z</userinput>
+# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> (default) with scope subtree
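Review bot: "a file containing this list of users is first created. Each user should use the following format" does not match the LDIF that follows: its two entries are the directory base (dc=example,dc=com with objectclass dcObject and organization) and the cn=Manager organizationalRole, not user accounts. Suggest "a file containing the base entry and the manager entry is first created", and add a separate example if actual user entries are wanted. In the note, pairing service slapd stop with /usr/local/libexec/slapd -d -1 is a good addition, but -d -1 runs slapd in the foreground with every debug category enabled, including connection and request traces; say that this is for a one-off debugging run and that the service should be restarted with service slapd start afterwards, otherwise a reader may leave the verbose foreground instance in place of the normal service.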
@@ -2474,9 +2460,7 @@ result: 0 Success
# numResponses: 3
# numEntries: 2</screen>
- <para>It is of course advisable to read about the structure of
- <acronym>LDAP</acronym> directories and the various manual
- pages mentioned in this section. At this point, the server
+ <para>At this point, the server
should be configured and functioning properly.</para>
</sect2>
</sect1>
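Review bot: removing "It is of course advisable to read about the structure of LDAP directories and the various manual pages mentioned in this section" also removes the section's only pointer to further reading, leaving only the slappasswd reference earlier in the file. Since the log message says another pass is planned, consider carrying forward a one-line reference to slapd.conf(5) and ldap.conf(5), which this section edits extensively without ever naming their documentation.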