svn commit: r44568 - head/en_US.ISO8859-1/books/handbook/network-servers

Dru Lavigne dru at FreeBSD.org
Tue Apr 15 21:22:38 UTC 2014


Author: dru
Date: Tue Apr 15 21:22:38 2014
New Revision: 44568
URL: http://svnweb.freebsd.org/changeset/doc/44568

Log:
  White space fix only. Translators can ignore.
  
  Sponsored by:	iXsystems

Modified:
  head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml

Modified: head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml	Tue Apr 15 21:10:40 2014	(r44567)
+++ head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml	Tue Apr 15 21:22:38 2014	(r44568)
@@ -2145,48 +2145,48 @@ TWO       (,hotel,test-domain)
 
     <indexterm><primary>LDAP</primary></indexterm>
 
-    <para>The Lightweight Directory Access
-      Protocol (<acronym>LDAP</acronym>) is an application layer protocol used to access,
-      modify, and authenticate objects using a distributed directory
-      information service.  Think of it as a phone or record book
-      which stores several levels of hierarchical, homogeneous
+    <para>The Lightweight Directory Access Protocol
+      (<acronym>LDAP</acronym>) is an application layer protocol used
+      to access, modify, and authenticate objects using a distributed
+      directory information service.  Think of it as a phone or record
+      book which stores several levels of hierarchical, homogeneous
       information.  It is used in Active Directory and
       <application>OpenLDAP</application> networks and allows users to
-      access to several levels of internal information utilizing
-      a single account.  For example, email authentication, pulling
+      access to several levels of internal information utilizing a
+      single account.  For example, email authentication, pulling
       employee contact information, and internal website
-      authentication might all make use of a single user account in the
-      <acronym>LDAP</acronym> server's record base.</para>
+      authentication might all make use of a single user account in
+      the <acronym>LDAP</acronym> server's record base.</para>
 
-    <para>This section provides a quick start guide for configuring
-      an <acronym>LDAP</acronym> server on a &os; system.
-      It assumes that the administrator already has a design plan
-      which includes the type of information to
-      store, what that information will be used for, which users should
-      have access to that information, and how to secure this
-      information from unauthorized access.</para>
+    <para>This section provides a quick start guide for configuring an
+      <acronym>LDAP</acronym> server on a &os; system.  It assumes
+      that the administrator already has a design plan which includes
+      the type of information to store, what that information will be
+      used for, which users should have access to that information,
+      and how to secure this information from unauthorized
+      access.</para>
 
     <sect2>
       <title><acronym>LDAP</acronym> Terminology and Structure</title>
 
       <para><acronym>LDAP</acronym> uses several terms which should be
-	understood before starting the configuration.
-	All directory entries consist of
-	a group of <firstterm>attributes</firstterm>.  Each of these
-	attribute sets contains a unique identifier known as a
-	<firstterm>Distinguished Name</firstterm> (<acronym>DN</acronym>)
-	which is normally built
-	from several other attributes such as the common or
+	understood before starting the configuration.  All directory
+	entries consist of a group of
+	<firstterm>attributes</firstterm>.  Each of these attribute
+	sets contains a unique identifier known as a
+	<firstterm>Distinguished Name</firstterm>
+	(<acronym>DN</acronym>) which is normally built from several
+	other attributes such as the common or
 	<firstterm>Relative Distinguished Name</firstterm>
-	(<acronym>RDN</acronym>).
-	Similar to how directories have absolute and relative paths,
-	consider a <acronym>DN</acronym> as an absolute path and the
-	<acronym>RDN</acronym> as the relative path.</para>
+	(<acronym>RDN</acronym>).  Similar to how directories have
+	absolute and relative paths, consider a <acronym>DN</acronym>
+	as an absolute path and the <acronym>RDN</acronym> as the
+	relative path.</para>
 
       <para>An example <acronym>LDAP</acronym> entry looks like the
-	following.  This example searches for the entry for the specified user
-	account (<literal>uid</literal>), organizational unit
-	(<literal>ou</literal>), and organization
+	following.  This example searches for the entry for the
+	specified user account (<literal>uid</literal>),
+	organizational unit (<literal>ou</literal>), and organization
 	(<literal>o</literal>):</para>
 
       <screen>&prompt.user; <userinput>ldapsearch -xb "uid=<replaceable>trhodes</replaceable>,ou=<replaceable>users</replaceable>,o=<replaceable>example.com</replaceable>"</userinput>
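Review bot: the reflowed sentence at `<application>OpenLDAP</application> networks and allows users to` / `access to several levels of internal information utilizing a` carries over a pre-existing grammar slip; since these lines are being touched anyway, dropping the stray preposition ("allows users to access several levels of internal information") would be a one-word fix, even if it has to wait for a non-whitespace commit so translators are not confused by the log message.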
@@ -2215,9 +2215,9 @@ result: 0 Success
       <para>This example entry shows the values for the
 	<literal>dn</literal>, <literal>mail</literal>,
 	<literal>cn</literal>, <literal>uid</literal>, and
-	<literal>telephoneNumber</literal>
-	attributes.  The <acronym>cn</acronym> attribute
-	is the <acronym>RDN</acronym>.</para>
+	<literal>telephoneNumber</literal> attributes.  The
+	<acronym>cn</acronym> attribute is the
+	<acronym>RDN</acronym>.</para>
 
       <para>More information about <acronym>LDAP</acronym> and its
 	terminology can be found at <uri
@@ -2230,20 +2230,18 @@ result: 0 Success
       <indexterm><primary>LDAP Server</primary></indexterm>
 
       <para>&os; does not provide a built-in <acronym>LDAP</acronym>
-	server.  Begin the configuration by installing the
-	<package role="port">net/openldap24-server</package> package or
-	port.  Since the port has many configurable
-	options, it is recommended that the default options are
-	reviewed to see if the package is sufficient, and to instead
-	compile the port if any options should be changed.
-	In most cases, the defaults are fine.
-	However, if SQL support is needed, this option must be
-	enabled and the port compiled using the instructions in <xref
-	  linkend="ports-using"/>.</para>
-
-      <para>Next, create the directories to hold the
-	data and to store the
-	certificates:</para>
+	server.  Begin the configuration by installing the <package
+	  role="port">net/openldap24-server</package> package or port.
+	Since the port has many configurable options, it is
+	recommended that the default options are reviewed to see if
+	the package is sufficient, and to instead compile the port if
+	any options should be changed.  In most cases, the defaults
+	are fine.  However, if SQL support is needed, this option must
+	be enabled and the port compiled using the instructions in
+	<xref linkend="ports-using"/>.</para>
+
+      <para>Next, create the directories to hold the data and to store
+	the certificates:</para>
 
       <screen>&prompt.root; <userinput>mkdir /var/db/openldap-data</userinput>
 &prompt.root; <userinput>mkdir /usr/local/etc/openldap/private</userinput></screen>
@@ -2254,21 +2252,20 @@ result: 0 Success
 
       <para>The next phase is to configure the certificate authority.
 	The following commands must be executed from
-	<filename>/usr/local/etc/openldap/private</filename>.
-	This is important as the file permissions
-	need to be restrictive and users should not have access to
-	these files.  To create the certificate authority,
-	start with this command and follow the prompts:</para>
+	<filename>/usr/local/etc/openldap/private</filename>.  This is
+	important as the file permissions need to be restrictive and
+	users should not have access to these files.  To create the
+	certificate authority, start with this command and follow the
+	prompts:</para>
 
       <screen>&prompt.root; <userinput>openssl req -days <replaceable>365</replaceable> -nodes -new -x509 -keyout ca.key -out ../ca.crt</userinput></screen>
 
       <para>The entries for the prompts may be generic
 	<emphasis>except</emphasis> for the
 	<literal>Common Name</literal>.  This entry must be
-	<emphasis>different</emphasis> than the system hostname.
-	If this will be a self signed certificate,
-	prefix the hostname with
-	<literal>CA</literal> for certificate authority.</para>
+	<emphasis>different</emphasis> than the system hostname.  If
+	this will be a self signed certificate, prefix the hostname
+	with <literal>CA</literal> for certificate authority.</para>
 
       <para>The next task is to create a certificate signing request
 	and a private key.  Input this command and follow the
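Review bot: the paragraph ending `certificate authority, start with this command and follow the` / `prompts:` says the permissions on /usr/local/etc/openldap/private "need to be restrictive" but never shows how; because the `openssl req ... -nodes` command below writes ca.key unencrypted, the doc should spell out the expected mode (for example an explicit chmod on the directory or key so that only root can read it) rather than leave it to the reader. Also "self signed" in the new text should be hyphenated as "self-signed".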
@@ -2277,24 +2274,23 @@ result: 0 Success
       <screen>&prompt.root; <userinput>openssl req -days <replaceable>365</replaceable> -nodes -new -keyout server.key -out server.csr</userinput></screen>
 
       <para>During the certificate generation process, be sure to
-	correctly set the <literal>Common Name</literal> attribute.  Once
-	complete, sign the key:</para>
+	correctly set the <literal>Common Name</literal> attribute.
+	Once complete, sign the key:</para>
 
       <screen>&prompt.root; <userinput>openssl x509 -req -days <replaceable>365</replaceable> -in server.csr -out ../server.crt -CA ../ca.crt -CAkey ca.key -CAcreateserial</userinput></screen>
 
-      <para>The final part of the certificate generation process
-	is to generate and sign the client certificates:</para>
+      <para>The final part of the certificate generation process is to
+	generate and sign the client certificates:</para>
 
       <screen>&prompt.root; <userinput>openssl req -days <replaceable>365</replaceable> -nodes -new -keyout client.key -out client.csr</userinput>
 &prompt.root; <userinput>openssl x509 -req -days 3650 -in client.csr -out ../client.crt -CA ../ca.crt -CAkey ca.key</userinput></screen>
 
       <para>Remember to use the same <literal>Common Name</literal>
-	attribute when prompted.
-	When finished, ensure
-	that a total of eight (8) new files have been generated
-	through the proceeding commands.  If so, the next step is to
-	edit <filename>/usr/local/etc/openldap/slapd.conf</filename>
-	and add the following options:</para>
+	attribute when prompted.  When finished, ensure that a total
+	of eight (8) new files have been generated through the
+	proceeding commands.  If so, the next step is to edit
+	<filename>/usr/local/etc/openldap/slapd.conf</filename> and
+	add the following options:</para>
 
       <programlisting>TLSCipherSuite HIGH:MEDIUM:+SSLv3
 TLSCertificateFile /usr/local/etc/openldap/server.crt
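Review bot: "proceeding commands" on the line `proceeding commands.  If so, the next step is to edit` is a typo for "preceding commands" and is worth fixing in the next content commit. A second inconsistency in the same region: the client signing command `openssl x509 -req -days 3650 -in client.csr ...` hard-codes 3650 while every other openssl invocation uses `<replaceable>365</replaceable>`; the client certificate should use the same replaceable value so readers do not end up with a client cert that outlives its issuing CA.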
@@ -2302,18 +2298,17 @@ TLSCertificateKeyFile /usr/local/etc/ope
 TLSCACertificateFile /usr/local/etc/openldap/ca.crt</programlisting>
 
       <para>Then, edit
-	<filename>/usr/local/etc/openldap/ldap.conf</filename> and
-	add the following lines:</para>
+	<filename>/usr/local/etc/openldap/ldap.conf</filename> and add
+	the following lines:</para>
 
       <programlisting>TLS_CACERT /usr/local/etc/openldap/ca.crt
 TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv3</programlisting>
 
       <para>While editing this file, uncomment the following entries
-	and set them to the desired values:
-	<option>BASE</option>,
-	<option>URI</option>, <option>SIZELIMIT</option>
-	and <option>TIMELIMIT</option>.  Set the
-	<option>URI</option> to contain <option>ldap://</option> and
+	and set them to the desired values: <option>BASE</option>,
+	<option>URI</option>, <option>SIZELIMIT</option> and
+	<option>TIMELIMIT</option>.  Set the <option>URI</option> to
+	contain <option>ldap://</option> and
 	<option>ldaps://</option>.  Then, add two entries pointing to
 	the certificate authority.  When finished, the entries should
 	look similar to the following:</para>
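Review bot: the context line `TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv3` (and the matching `TLSCipherSuite HIGH:MEDIUM:+SSLv3` added to slapd.conf earlier in this diff) admits MEDIUM-strength cipher suites on both client and server; for a quick-start guide aimed at new deployments the recommended value should be `HIGH` alone, and the text should say why the suite string is being set at all.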
@@ -2332,10 +2327,9 @@ TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv3</pro
 
       <screen>&prompt.root; <userinput>slappasswd -h "{SHA}" >> /usr/local/etc/openldap/slapd.conf</userinput></screen>
 
-      <para>This command will prompt for the password and,
-	if the process does not fail, a password hash will be added
-	to the end of <filename>slapd.conf</filename>.
-	Several hashing
+      <para>This command will prompt for the password and, if the
+	process does not fail, a password hash will be added to the
+	end of <filename>slapd.conf</filename>.  Several hashing
 	formats are supported.  Refer to the manual page for
 	<command>slappasswd</command> for more information.</para>
 
@@ -2346,15 +2340,16 @@ TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv3</pro
       <programlisting>password-hash {sha}
 allow bind_v2</programlisting>
 
-      <para>The <option>suffix</option> in this file must
-	be updated to match the <option>BASE</option> used in
-	<filename>/usr/local/etc/openldap/ldap.conf</filename> and <option>rootdn</option>
-	should also be set.  A recommended value for <option>rootdn</option> is something like
+      <para>The <option>suffix</option> in this file must be updated
+	to match the <option>BASE</option> used in
+	<filename>/usr/local/etc/openldap/ldap.conf</filename> and
+	<option>rootdn</option> should also be set.  A recommended
+	value for <option>rootdn</option> is something like
 	<option>cn=Manager</option>.  Before saving this file, place
-	the <option>rootpw</option> in front of the password
-	output from <command>slappasswd</command> and delete the
-	old <option>rootpw</option> option above.  The end result
-	should look similar to this:</para>
+	the <option>rootpw</option> in front of the password output
+	from <command>slappasswd</command> and delete the old
+	<option>rootpw</option> option above.  The end result should
+	look similar to this:</para>
 
       <programlisting>TLSCipherSuite HIGH:MEDIUM:+SSLv3
 TLSCertificateFile /usr/local/etc/openldap/server.crt
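Review bot: the new line `value for <option>rootdn</option> is something like` followed by `<option>cn=Manager</option>` recommends a bare RDN, but rootdn must be a full DN under the configured suffix; the ldapadd example later in this diff binds as `cn=Manager,dc=example,dc=com`, so the recommended value should be written in that full form to match. While in this block, the context line `allow bind_v2` enables LDAPv2 binds and deserves a sentence explaining that it is only needed for legacy clients.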
@@ -2363,14 +2358,13 @@ TLSCACertificateFile /usr/local/etc/open
 rootpw  {SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=</programlisting>
 
       <para>Finally, enable the <application>OpenLDAP</application>
-	service in <filename>/etc/rc.conf</filename> and set
-	the <acronym>URI</acronym>:</para>
+	service in <filename>/etc/rc.conf</filename> and set the
+	<acronym>URI</acronym>:</para>
 
       <programlisting>slapd_enable="YES"
 slapd_flags="-4 -h ldaps:///"</programlisting>
 
-      <para>At this point the server can be started
-	and tested:</para>
+      <para>At this point the server can be started and tested:</para>
 
       <screen>&prompt.root; <userinput>service slapd start</userinput></screen>
 
@@ -2395,17 +2389,15 @@ result: 32 No such object
 
       <note>
 	<para>If the command fails and the configuration looks
-	  correct, stop the
-	  <command>slapd</command> service and restart it with
-	  debugging options:</para>
+	  correct, stop the <command>slapd</command> service and
+	  restart it with debugging options:</para>
 
 	<screen>&prompt.root; <userinput>service slapd stop</userinput>
 &prompt.root; <userinput>/usr/local/libexec/slapd -d -1</userinput></screen>
       </note>
 
-      <para>Once the service is responding,
-	the directory can be populated using
-	<command>ldapadd</command>.  In this example,
+      <para>Once the service is responding, the directory can be
+	populated using <command>ldapadd</command>.  In this example,
 	a file containing this list of users is first created.  Each
 	user should use the following format:</para>
 
@@ -2419,9 +2411,9 @@ dn: cn=<replaceable>Manager</replaceable
 objectclass: organizationalRole
 cn: <replaceable>Manager</replaceable></programlisting>
 
-      <para>To import this file, specify the file name.
-	The following command will prompt for the password specified
-	earlier and the output should look something like this:</para>
+      <para>To import this file, specify the file name.  The following
+	command will prompt for the password specified earlier and the
+	output should look something like this:</para>
 
       <screen>&prompt.root; <userinput>ldapadd -Z -D "cn=<replaceable>Manager</replaceable>,dc=<replaceable>example</replaceable>,dc=<replaceable>com</replaceable>" -W -f <replaceable>import.ldif</replaceable></userinput>
 Enter LDAP Password:
@@ -2460,8 +2452,8 @@ result: 0 Success
 # numResponses: 3
 # numEntries: 2</screen>
 
-      <para>At this point, the server
-	should be configured and functioning properly.</para>
+      <para>At this point, the server should be configured and
+	functioning properly.</para>
     </sect2>
   </sect1>
 

