msgid "ntp.org, home of the Network Time Protocol project"
#: serverguide/C/network-auth.xml:13(title)
#: serverguide/C/network-auth.xml:14(title)
msgid "Network Authentication"
#: serverguide/C/network-auth.xml:15(para)
msgid "This section explains various Network Authentication protocols."
#: serverguide/C/network-auth.xml:16(para)
msgid "This section applies LDAP to network authentication."
#: serverguide/C/network-auth.xml:19(title)
#: serverguide/C/network-auth.xml:21(title)
msgid "OpenLDAP Server"
#: serverguide/C/network-auth.xml:20(para)
msgid "LDAP is an acronym for Lightweight Directory Access Protocol; it is a simplified version of the X.500 protocol. The directory set up in this section will be used for authentication. Nevertheless, LDAP can be used in numerous ways: authentication, shared directory (for mail clients), address book, etc."
#: serverguide/C/network-auth.xml:28(para)
msgid "To describe LDAP quickly, all information is stored in a tree structure. With <application>OpenLDAP</application> you are free to determine the directory's tree structure (the Directory Information Tree, or DIT) yourself. We will begin with a basic tree containing two nodes below the root:"
#: serverguide/C/network-auth.xml:37(para)
msgid "\"People\" node where your users will be stored"
#: serverguide/C/network-auth.xml:40(para)
msgid "\"Groups\" node where your groups will be stored"
#: serverguide/C/network-auth.xml:44(para)
msgid "Before beginning, you should determine what the root of your LDAP directory will be. By default, your tree will be determined by your Fully Qualified Domain Name (FQDN). If your domain is example.com (which we will use in this example), your root node will be dc=example,dc=com."
#: serverguide/C/network-auth.xml:54(para)
msgid "First, install the <application>OpenLDAP</application> server daemon <application>slapd</application> and <application>ldap-utils</application>, a package containing LDAP management utilities:"
#: serverguide/C/network-auth.xml:60(command)
#: serverguide/C/network-auth.xml:23(para)
msgid "The Lightweight Directory Access Protocol, or LDAP, is a protocol for querying and modifying an X.500-based directory service running over TCP/IP. The current LDAP version is LDAPv3, as defined in <ulink url=\"http://tools.ietf.org/html/rfc4510\">RFC4510</ulink>, and the LDAP implementation used in Ubuntu is OpenLDAP, currently at version 2.4.25 (Oneiric)."
#: serverguide/C/network-auth.xml:29(para)
msgid "So this protocol accesses LDAP directories. Here are some key concepts and terms:"
#: serverguide/C/network-auth.xml:36(para)
msgid "An LDAP directory is a tree of data <emphasis>entries</emphasis> that is hierarchical in nature and is called the Directory Information Tree (DIT)."
#: serverguide/C/network-auth.xml:43(para)
msgid "An entry consists of a set of <emphasis>attributes</emphasis>."
#: serverguide/C/network-auth.xml:49(para)
msgid "An attribute has a <emphasis>type</emphasis> (a name/description) and one or more <emphasis>values</emphasis>."
#: serverguide/C/network-auth.xml:55(para)
msgid "Every attribute must be defined in at least one <emphasis>objectClass</emphasis>."
#: serverguide/C/network-auth.xml:61(para)
msgid "Attributes and objectclasses are defined in <emphasis>schemas</emphasis> (an objectclass is actually considered a special kind of attribute)."
#: serverguide/C/network-auth.xml:68(para)
msgid "Each entry has a unique identifier: its <emphasis>Distinguished Name</emphasis> (DN or dn). This consists of its <emphasis>Relative Distinguished Name</emphasis> (RDN) followed by the parent entry's DN."
#: serverguide/C/network-auth.xml:75(para)
msgid "The entry's DN is not an attribute. It is not considered part of the entry itself."
#: serverguide/C/network-auth.xml:83(para)
msgid "The terms <emphasis>object</emphasis>, <emphasis>container</emphasis>, and <emphasis>node</emphasis> have certain connotations but they all essentially mean the same thing as <emphasis>entry</emphasis>, the technically correct term."
#: serverguide/C/network-auth.xml:89(para)
msgid "For example, below we have a single entry consisting of 11 attributes. Its DN is \"cn=John Doe,dc=example,dc=com\"; its RDN is \"cn=John Doe\"; and its parent DN is \"dc=example,dc=com\"."
#: serverguide/C/network-auth.xml:94(programlisting)
msgid "\ndn: cn=John Doe,dc=example,dc=com\ncn: John Doe\ngivenName: John\nsn: Doe\ntelephoneNumber: +1 888 555 6789\ntelephoneNumber: +1 888 555 1232\nmail: john@example.com\nmanager: cn=Larry Smith,dc=example,dc=com\nobjectClass: inetOrgPerson\nobjectClass: organizationalPerson\nobjectClass: person\nobjectClass: top\n"
#: serverguide/C/network-auth.xml:109(para)
msgid "The above entry is in <emphasis>LDIF</emphasis> format (LDAP Data Interchange Format). Any information that you feed into your DIT must also be in such a format. It is defined in <ulink url=\"http://tools.ietf.org/html/rfc2849\">RFC2849</ulink>."
#: serverguide/C/network-auth.xml:114(para)
msgid "Although this guide will describe how to use it for central authentication, LDAP is good for anything that involves a large number of access requests to a mostly-read, attribute-based (name:value) backend. Examples include an address book, a list of email addresses, and a mail server's configuration."
#: serverguide/C/network-auth.xml:123(para)
msgid "Install the OpenLDAP server daemon and the traditional LDAP management utilities. These are found in packages <application>slapd</application> and <application>ldap-utils</application> respectively."
#: serverguide/C/network-auth.xml:128(para)
msgid "The installation of slapd will create a working configuration. In particular, it will create a database instance that you can use to store your data. However, the suffix (or base DN) of this instance will be determined from the domain name of the localhost. If you want something different, edit <filename>/etc/hosts</filename> and replace the domain name with one that will give you the suffix you desire. For instance, if you want a suffix of <emphasis>dc=example,dc=com</emphasis> then your file would have a line similar to this:"
#: serverguide/C/network-auth.xml:136(programlisting)
msgid "\n127.0.1.1 hostname.example.com\thostname\n"
#: serverguide/C/network-auth.xml:140(para)
msgid "You can revert the change after package installation."
#: serverguide/C/network-auth.xml:145(para)
msgid "This guide will use a database suffix of <emphasis>dc=example,dc=com</emphasis>."
#: serverguide/C/network-auth.xml:150(para)
msgid "Proceed with the install:"
#: serverguide/C/network-auth.xml:155(command)
msgid "sudo apt-get install slapd ldap-utils"
#: serverguide/C/network-auth.xml:63(para)
msgid "By default <application>slapd</application> is configured with minimal options needed to run the <application>slapd</application> daemon."
#: serverguide/C/network-auth.xml:68(para)
msgid "The configuration example in the following sections will match the domain name of the server. For example, if the machine's Fully Qualified Domain Name (FQDN) is ldap.example.com, the default suffix will be <emphasis>dc=example,dc=com</emphasis>."
#: serverguide/C/network-auth.xml:76(title)
msgid "Populating LDAP"
#: serverguide/C/network-auth.xml:78(para)
msgid "<application>OpenLDAP</application> uses a separate directory which contains the <emphasis>cn=config</emphasis> Directory Information Tree (DIT). The <emphasis>cn=config</emphasis> DIT is used to dynamically configure the <application>slapd</application> daemon, allowing the modification of schema definitions, indexes, ACLs, etc. without stopping the service."
#: serverguide/C/network-auth.xml:86(para)
msgid "The backend <emphasis>cn=config</emphasis> directory has only a minimal configuration and will need additional configuration options in order to populate the frontend directory. The frontend will be populated with a \"classical\" scheme that will be compatible with address book applications and with Unix POSIX accounts. POSIX accounts will allow authentication to various applications, such as web applications, Mail Transfer Agents (MTAs), etc."
#: serverguide/C/network-auth.xml:95(para)
msgid "For external applications to authenticate using LDAP they will each need to be specifically configured to do so. Refer to the individual application documentation for details."
#: serverguide/C/network-auth.xml:103(para)
msgid "Remember to change <emphasis>dc=example,dc=com</emphasis> in the following examples to match your LDAP configuration."
#: serverguide/C/network-auth.xml:108(para)
msgid "First, some additional schema files need to be loaded. In a terminal enter:"
#: serverguide/C/network-auth.xml:113(command) serverguide/C/network-auth.xml:715(command)
msgid "sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif"
#: serverguide/C/network-auth.xml:114(command) serverguide/C/network-auth.xml:716(command)
msgid "sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif"
#: serverguide/C/network-auth.xml:115(command) serverguide/C/network-auth.xml:717(command)
msgid "sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif"
#: serverguide/C/network-auth.xml:118(para)
msgid "Next, copy the following example LDIF file, naming it <filename>backend.example.com.ldif</filename>, somewhere on your system:"
#: serverguide/C/network-auth.xml:123(programlisting)
msgid "\n# Load dynamic backend modules\ndn: cn=module,cn=config\nobjectClass: olcModuleList\ncn: module\nolcModulepath: /usr/lib/ldap\nolcModuleload: back_hdb.la\n\n# Database settings\ndn: olcDatabase=hdb,cn=config\nobjectClass: olcDatabaseConfig\nobjectClass: olcHdbConfig\nolcDatabase: {1}hdb\nolcSuffix: dc=example,dc=com\nolcDbDirectory: /var/lib/ldap\nolcRootDN: cn=admin,dc=example,dc=com\nolcRootPW: secret\nolcDbConfig: set_cachesize 0 2097152 0\nolcDbConfig: set_lk_max_objects 1500\nolcDbConfig: set_lk_max_locks 1500\nolcDbConfig: set_lk_max_lockers 1500\nolcDbIndex: objectClass eq\nolcLastMod: TRUE\nolcDbCheckpoint: 512 30\nolcAccess: to attrs=userPassword by dn=\"cn=admin,dc=example,dc=com\" write by anonymous auth by self write by * none\nolcAccess: to attrs=shadowLastChange by self write by * read\nolcAccess: to dn.base=\"\" by * read\nolcAccess: to * by dn=\"cn=admin,dc=example,dc=com\" write by * read\n\n"
#: serverguide/C/network-auth.xml:155(para)
msgid "Change <emphasis>olcRootPW: secret</emphasis> to a password of your choosing."
#: serverguide/C/network-auth.xml:160(para)
msgid "Now add the LDIF to the directory:"
#: serverguide/C/network-auth.xml:165(command) serverguide/C/network-auth.xml:759(command)
msgid "sudo ldapadd -Y EXTERNAL -H ldapi:/// -f backend.example.com.ldif"
#: serverguide/C/network-auth.xml:168(para)
msgid "The frontend directory is now ready to be populated. Create a <filename>frontend.example.com.ldif</filename> with the following contents:"
#: serverguide/C/network-auth.xml:173(programlisting)
msgid "\n# Create top-level object in domain\ndn: dc=example,dc=com\nobjectClass: top\nobjectClass: dcObject\nobjectclass: organization\no: Example Organization\ndc: Example\ndescription: LDAP Example \n\n# Admin user.\ndn: cn=admin,dc=example,dc=com\nobjectClass: simpleSecurityObject\nobjectClass: organizationalRole\ncn: admin\ndescription: LDAP administrator\nuserPassword: secret\n\ndn: ou=people,dc=example,dc=com\nobjectClass: organizationalUnit\nou: people\n\ndn: ou=groups,dc=example,dc=com\nobjectClass: organizationalUnit\nou: groups\n\ndn: uid=john,ou=people,dc=example,dc=com\nobjectClass: inetOrgPerson\nobjectClass: posixAccount\nobjectClass: shadowAccount\nuid: john\nsn: Doe\ngivenName: John\ncn: John Doe\ndisplayName: John Doe\nuidNumber: 1000\ngidNumber: 10000\nuserPassword: password\ngecos: John Doe\nloginShell: /bin/bash\nhomeDirectory: /home/john\nshadowExpire: -1\nshadowFlag: 0\nshadowWarning: 7\nshadowMin: 8\nshadowMax: 999999\nshadowLastChange: 10877\nmail: john.doe@example.com\npostalCode: 31000\nl: Toulouse\no: Example\nmobile: +33 (0)6 xx xx xx xx\nhomePhone: +33 (0)5 xx xx xx xx\ntitle: System Administrator\npostalAddress: \ninitials: JD\n\ndn: cn=example,ou=groups,dc=example,dc=com\nobjectClass: posixGroup\ncn: example\ngidNumber: 10000\n"
#: serverguide/C/network-auth.xml:236(para)
msgid "In this example the directory structure, a user, and a group have been set up. In other examples you might see <emphasis>objectClass: top</emphasis> added to every entry, but that is the default behaviour so you do not have to add it explicitly."
#: serverguide/C/network-auth.xml:243(para)
msgid "Add the entries to the LDAP directory:"
#: serverguide/C/network-auth.xml:249(command) serverguide/C/network-auth.xml:770(command)
msgid "sudo ldapadd -x -D cn=admin,dc=example,dc=com -W -f frontend.example.com.ldif"
#: serverguide/C/network-auth.xml:252(para)
msgid "We can check that the content has been correctly added with the <application>ldapsearch</application> utility. Execute a search of the LDAP directory:"
#: serverguide/C/network-auth.xml:258(command)
msgid "ldapsearch -xLLL -b \"dc=example,dc=com\" uid=john sn givenName cn"
#: serverguide/C/network-auth.xml:259(computeroutput)
msgid "\ndn: uid=john,ou=people,dc=example,dc=com\ncn: John Doe\nsn: Doe\ngivenName: John\n"
#: serverguide/C/network-auth.xml:267(para)
msgid "Just a quick explanation:"
#: serverguide/C/network-auth.xml:273(para)
msgid "<emphasis>-x:</emphasis> use simple authentication instead of SASL, which is the default."
#: serverguide/C/network-auth.xml:279(para)
msgid "<emphasis>-LLL:</emphasis> disable printing LDIF schema information."
#: serverguide/C/network-auth.xml:287(title)
msgid "Further Configuration"
#: serverguide/C/network-auth.xml:290(para)
msgid "The <emphasis>cn=config</emphasis> tree can be manipulated using the utilities in the <application>ldap-utils</application> package. For example:"
#: serverguide/C/network-auth.xml:298(para)
msgid "Use <application>ldapsearch</application> to view the tree, entering the admin password set during installation or reconfiguration:"
#: serverguide/C/network-auth.xml:304(command)
msgid "sudo ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn"
#: serverguide/C/network-auth.xml:308(computeroutput)
msgid "\nSASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\ndn: cn=config\n\ndn: cn=module{0},cn=config\n\ndn: cn=schema,cn=config\n\ndn: cn={0}core,cn=schema,cn=config\n\ndn: cn={1}cosine,cn=schema,cn=config\n\ndn: cn={2}nis,cn=schema,cn=config\n\ndn: cn={3}inetorgperson,cn=schema,cn=config\n\ndn: olcDatabase={-1}frontend,cn=config\n\ndn: olcDatabase={0}config,cn=config\n\ndn: olcDatabase={1}hdb,cn=config\n"
#: serverguide/C/network-auth.xml:334(para)
msgid "The output above shows the current configuration options for the <emphasis>cn=config</emphasis> backend database. Your output may vary."
#: serverguide/C/network-auth.xml:342(para)
msgid "As an example of modifying the <emphasis>cn=config</emphasis> tree, add another attribute to the index list using <application>ldapmodify</application>:"
#: serverguide/C/network-auth.xml:348(command) serverguide/C/network-auth.xml:1006(command) serverguide/C/network-auth.xml:1177(command) serverguide/C/network-auth.xml:1213(command)
msgid "sudo ldapmodify -Y EXTERNAL -H ldapi:///"
#: serverguide/C/network-auth.xml:356(userinput)
msgid "dn: olcDatabase={1}hdb,cn=config\nadd: olcDbIndex\nolcDbIndex: uidNumber eq"
#: serverguide/C/network-auth.xml:352(computeroutput)
msgid "\nSASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\n<placeholder-1/>\n\nmodifying entry \"olcDatabase={1}hdb,cn=config\"\n"
#: serverguide/C/network-auth.xml:364(para)
msgid "Once the modification has completed, press <emphasis>Ctrl+D</emphasis> to exit the utility."
#: serverguide/C/network-auth.xml:371(para)
msgid "<application>ldapmodify</application> can also read the changes from a file. Copy and paste the following into a file named <filename>uid_index.ldif</filename>:"
#: serverguide/C/network-auth.xml:376(programlisting)
msgid "\ndn: olcDatabase={1}hdb,cn=config\nadd: olcDbIndex\nolcDbIndex: uid eq,pres,sub\n"
#: serverguide/C/network-auth.xml:158(para)
msgid "Since Ubuntu 8.10 slapd is designed to be configured within slapd itself by dedicating a separate DIT for that purpose. This allows one to dynamically configure slapd without the need to restart the service. This configuration database consists of a collection of text-based LDIF files located under <filename>/etc/ldap/slapd.d</filename>. This way of working is known by several names: the slapd-config method, the RTC method (Real Time Configuration), or the cn=config method. You can still use the traditional flat-file method (slapd.conf) but it's not recommended; the functionality will be eventually phased out."
#: serverguide/C/network-auth.xml:167(para)
msgid "Ubuntu now uses the <emphasis>slapd-config</emphasis> method for slapd configuration and this guide reflects that."
#: serverguide/C/network-auth.xml:173(para)
msgid "During the install you were prompted to define administrative credentials. These are LDAP-based credentials for the <emphasis>rootDN</emphasis> of your database instance. By default, this user's DN is <emphasis>cn=admin,dc=example,dc=com</emphasis>. Also by default, there is no administrative account created for the slapd-config database and you will therefore need to authenticate externally to LDAP in order to access it. We will see how to do this later on."
#: serverguide/C/network-auth.xml:180(para)
msgid "Some classical schemas (cosine, nis, inetorgperson) come built-in with slapd nowadays. There is also an included \"core\" schema, a prerequisite for any schema to work."
#: serverguide/C/network-auth.xml:188(title)
msgid "Post-install Inspection"
#: serverguide/C/network-auth.xml:190(para)
msgid "The installation process set up two DITs: one for slapd-config and one for your own data (dc=example,dc=com). Let's take a look."
#: serverguide/C/network-auth.xml:197(para)
msgid "This is what the slapd-config database/DIT looks like. Recall that this database is LDIF-based and lives under <filename>/etc/ldap/slapd.d</filename>:"
#: serverguide/C/network-auth.xml:203(computeroutput)
msgid "\n /etc/ldap/slapd.d/\n\n\t├── cn=config\n\t│ ├── cn=module{0}.ldif\n\t│ ├── cn=schema\n\t│ │ ├── cn={0}core.ldif\n\t│ │ ├── cn={1}cosine.ldif\n\t│ │ ├── cn={2}nis.ldif\n\t│ │ └── cn={3}inetorgperson.ldif\n\t│ ├── cn=schema.ldif\n\t│ ├── olcBackend={0}hdb.ldif\n\t│ ├── olcDatabase={0}config.ldif\n\t│ ├── olcDatabase={-1}frontend.ldif\n\t│ └── olcDatabase={1}hdb.ldif\n\t└── cn=config.ldif\n"
#: serverguide/C/network-auth.xml:223(para)
msgid "Do not edit the slapd-config database directly. Make changes via the LDAP protocol (utilities)."
#: serverguide/C/network-auth.xml:231(para)
msgid "This is what the slapd-config DIT looks like via the LDAP protocol:"
#: serverguide/C/network-auth.xml:236(command)
msgid "sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn"
#: serverguide/C/network-auth.xml:237(computeroutput)
msgid "\ndn: cn=config\n\ndn: cn=module{0},cn=config\n\ndn: cn=schema,cn=config\n\ndn: cn={0}core,cn=schema,cn=config\n\ndn: cn={1}cosine,cn=schema,cn=config\n\ndn: cn={2}nis,cn=schema,cn=config\n\ndn: cn={3}inetorgperson,cn=schema,cn=config\n\ndn: olcBackend={0}hdb,cn=config\n\ndn: olcDatabase={-1}frontend,cn=config\n\ndn: olcDatabase={0}config,cn=config\n\ndn: olcDatabase={1}hdb,cn=config\n"
#: serverguide/C/network-auth.xml:262(para) serverguide/C/network-auth.xml:353(para)
msgid "Explanation of entries:"
#: serverguide/C/network-auth.xml:269(para)
msgid "<emphasis>cn=config</emphasis>: global settings"
#: serverguide/C/network-auth.xml:275(para)
msgid "<emphasis>cn=module{0},cn=config</emphasis>: a dynamically loaded module"
#: serverguide/C/network-auth.xml:281(para)
msgid "<emphasis>cn=schema,cn=config</emphasis>: contains hard-coded system-level schema"
#: serverguide/C/network-auth.xml:287(para)
msgid "<emphasis>cn={0}core,cn=schema,cn=config</emphasis>: the hard-coded core schema"
#: serverguide/C/network-auth.xml:293(para)
msgid "<emphasis>cn={1}cosine,cn=schema,cn=config</emphasis>: the cosine schema"
#: serverguide/C/network-auth.xml:299(para)
msgid "<emphasis>cn={2}nis,cn=schema,cn=config</emphasis>: the nis schema"
#: serverguide/C/network-auth.xml:305(para)
msgid "<emphasis>cn={3}inetorgperson,cn=schema,cn=config</emphasis>: the inetorgperson schema"
#: serverguide/C/network-auth.xml:311(para)
msgid "<emphasis>olcBackend={0}hdb,cn=config</emphasis>: the 'hdb' backend storage type"
#: serverguide/C/network-auth.xml:317(para)
msgid "<emphasis>olcDatabase={-1}frontend,cn=config</emphasis>: frontend database, default settings for other databases"
#: serverguide/C/network-auth.xml:323(para)
msgid "<emphasis>olcDatabase={0}config,cn=config</emphasis>: slapd configuration database (cn=config)"
#: serverguide/C/network-auth.xml:329(para)
msgid "<emphasis>olcDatabase={1}hdb,cn=config</emphasis>: your database instance (dc=example,dc=com)"
#: serverguide/C/network-auth.xml:340(para)
msgid "This is what the dc=example,dc=com DIT looks like:"
#: serverguide/C/network-auth.xml:345(command)
msgid "ldapsearch -x -LLL -H ldap:/// -b dc=example,dc=com dn"
#: serverguide/C/network-auth.xml:346(computeroutput)
msgid "\ndn: dc=example,dc=com\n\ndn: cn=admin,dc=example,dc=com\n"
#: serverguide/C/network-auth.xml:360(para)
msgid "<emphasis>dc=example,dc=com</emphasis>: base of the DIT"
#: serverguide/C/network-auth.xml:366(para)
msgid "<emphasis>cn=admin,dc=example,dc=com</emphasis>: administrator (rootDN) for this DIT (set up during package install)"
#: serverguide/C/network-auth.xml:380(title)
msgid "Modifying/Populating your Database"
#: serverguide/C/network-auth.xml:382(para)
msgid "Then execute <application>ldapmodify</application>:"
#: serverguide/C/network-auth.xml:387(command)
msgid "sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f uid_index.ldif"
#: serverguide/C/network-auth.xml:391(computeroutput)
msgid "\nSASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nmodifying entry \"olcDatabase={1}hdb,cn=config\"\n"
#: serverguide/C/network-auth.xml:399(para)
msgid "The file method is very useful for large changes."
#: serverguide/C/network-auth.xml:406(para)
msgid "Adding additional <emphasis>schemas</emphasis> to <application>slapd</application> requires the schema to be converted to LDIF format. The <filename role=\"directory\">/etc/ldap/schema</filename> directory contains some schema files already converted to LDIF format as demonstrated in the previous section. Fortunately, the <application>slapd</application> program can be used to automate the conversion. The following example will add the <emphasis>dyngroup.schema</emphasis>:"
#: serverguide/C/network-auth.xml:416(para)
msgid "First, create a conversion <filename>schema_convert.conf</filename> file containing the following lines:"
#: serverguide/C/network-auth.xml:421(programlisting)
msgid "\ninclude /etc/ldap/schema/core.schema\ninclude /etc/ldap/schema/collective.schema\ninclude /etc/ldap/schema/corba.schema\ninclude /etc/ldap/schema/cosine.schema\ninclude /etc/ldap/schema/duaconf.schema\ninclude /etc/ldap/schema/dyngroup.schema\ninclude /etc/ldap/schema/inetorgperson.schema\ninclude /etc/ldap/schema/java.schema\ninclude /etc/ldap/schema/misc.schema\ninclude /etc/ldap/schema/nis.schema\ninclude /etc/ldap/schema/openldap.schema\ninclude /etc/ldap/schema/ppolicy.schema\n"
#: serverguide/C/network-auth.xml:439(para) serverguide/C/network-auth.xml:1677(para)
msgid "Next, create a temporary directory to hold the output:"
#: serverguide/C/network-auth.xml:444(command) serverguide/C/network-auth.xml:1682(command) serverguide/C/network-auth.xml:2727(command)
msgid "mkdir /tmp/ldif_output"
msgid "Let's introduce some content to our database. We will add the following:"
#: serverguide/C/network-auth.xml:389(para)
msgid "a node called <emphasis>People</emphasis> (to store users)"
#: serverguide/C/network-auth.xml:395(para)
msgid "a node called <emphasis>Groups</emphasis> (to store groups)"
#: serverguide/C/network-auth.xml:401(para)
msgid "a group called <emphasis>miners</emphasis>"
#: serverguide/C/network-auth.xml:407(para)
msgid "a user called <emphasis>john</emphasis>"
#: serverguide/C/network-auth.xml:414(para)
msgid "Create the following LDIF file and call it <filename>add_content.ldif</filename>:"
#: serverguide/C/network-auth.xml:418(programlisting)
msgid "\ndn: ou=People,dc=example,dc=com\nobjectClass: organizationalUnit\nou: People\n\ndn: ou=Groups,dc=example,dc=com\nobjectClass: organizationalUnit\nou: Groups\n\ndn: cn=miners,ou=Groups,dc=example,dc=com\nobjectClass: posixGroup\ncn: miners\ngidNumber: 5000\n\ndn: uid=john,ou=People,dc=example,dc=com\nobjectClass: inetOrgPerson\nobjectClass: posixAccount\nobjectClass: shadowAccount\nuid: john\nsn: Doe\ngivenName: John\ncn: John Doe\ndisplayName: John Doe\nuidNumber: 10000\ngidNumber: 5000\nuserPassword: johnldap\ngecos: John Doe\nloginShell: /bin/bash\nhomeDirectory: /home/john\n"
#: serverguide/C/network-auth.xml:450(para)
msgid "Now using <application>slapcat</application> convert the schema files to LDIF:"
#: serverguide/C/network-auth.xml:455(command)
msgid "slapcat -f schema_convert.conf -F /tmp/ldif_output -n0 -s \"cn={5}dyngroup,cn=schema,cn=config\" > /tmp/cn=dyngroup.ldif"
#: serverguide/C/network-auth.xml:458(para)
msgid "Adjust the configuration file name and temporary directory names if yours are different. It may be worthwhile to keep the <filename>ldif_output</filename> directory around in case you want to add additional schemas in the future."
#: serverguide/C/network-auth.xml:465(para)
msgid "The <emphasis>\"cn={5}\"</emphasis> index number may change according to the configuration ordering. To find out the correct number execute the following:"
#: serverguide/C/network-auth.xml:470(command)
msgid "slapcat -f schema_convert.conf -F /tmp/ldif_output -n 0 | grep dyngroup"
#: serverguide/C/network-auth.xml:472(para)
msgid "Replace <emphasis>dyngroup</emphasis> with the appropriate schema name."
#: serverguide/C/network-auth.xml:480(para)
msgid "Edit the <filename>/tmp/cn\\=dyngroup.ldif</filename> file, changing the following attributes:"
#: serverguide/C/network-auth.xml:484(programlisting)
msgid "\ndn: cn=dyngroup,cn=schema,cn=config\n...\ncn: dyngroup\n"
#: serverguide/C/network-auth.xml:490(para) serverguide/C/network-auth.xml:1714(para)
msgid "And remove the following lines from the bottom of the file:"
#: serverguide/C/network-auth.xml:494(programlisting)
msgid "\nstructuralObjectClass: olcSchemaConfig\nentryUUID: 10dae0ea-0760-102d-80d3-f9366b7f7757\ncreatorsName: cn=config\ncreateTimestamp: 20080826021140Z\nentryCSN: 20080826021140.791425Z#000000#000#000000\nmodifiersName: cn=config\nmodifyTimestamp: 20080826021140Z\n"
#: serverguide/C/network-auth.xml:505(para) serverguide/C/network-auth.xml:1729(para) serverguide/C/network-auth.xml:2773(para)
msgid "The attribute values will vary, just be sure the attributes are removed."
#: serverguide/C/network-auth.xml:513(para) serverguide/C/network-auth.xml:1737(para)
msgid "Finally, using the <application>ldapadd</application> utility, add the new schema to the directory:"
#: serverguide/C/network-auth.xml:519(command)
msgid "sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/cn\\=dyngroup.ldif"
#: serverguide/C/network-auth.xml:525(para)
msgid "There should now be a <emphasis>dn: cn={4}dyngroup,cn=schema,cn=config</emphasis> entry in the cn=config tree."
#: serverguide/C/network-auth.xml:535(title)
msgid "LDAP Replication"
#: serverguide/C/network-auth.xml:537(para)
msgid "LDAP often quickly becomes a highly critical service to the network. Multiple systems will come to depend on LDAP for authentication, authorization, configuration, etc. It is a good idea to set up a redundant system through replication."
#: serverguide/C/network-auth.xml:543(para)
msgid "Replication is achieved using the <emphasis>Syncrepl</emphasis> engine. Syncrepl allows the changes to be synced using a <emphasis>consumer</emphasis>/<emphasis>provider</emphasis> model. A provider sends directory changes to consumers."
#: serverguide/C/network-auth.xml:550(title)
msgid "It's important that uid and gid values in your directory do not collide with local values. Use high number ranges."
#: serverguide/C/network-auth.xml:455(para)
msgid "Add the content:"
#: serverguide/C/network-auth.xml:460(command)
msgid "ldapadd -x -D cn=admin,dc=example,dc=com -W -f add_content.ldif"
#: serverguide/C/network-auth.xml:462(application)
#: serverguide/C/network-auth.xml:461(computeroutput)
msgid "\nEnter LDAP Password: <placeholder-1/>\nadding new entry \"ou=People,dc=example,dc=com\"\n\nadding new entry \"ou=Groups,dc=example,dc=com\"\n\nadding new entry \"cn=miners,ou=Groups,dc=example,dc=com\"\n\nadding new entry \"uid=john,ou=People,dc=example,dc=com\"\n"
#: serverguide/C/network-auth.xml:473(para)
msgid "We can check that the information has been correctly added with the <application>ldapsearch</application> utility:"
#: serverguide/C/network-auth.xml:478(command)
msgid "ldapsearch -x -LLL -b dc=example,dc=com 'uid=john' cn gidNumber"
#: serverguide/C/network-auth.xml:479(computeroutput)
msgid "\ndn: uid=john,ou=People,dc=example,dc=com\ncn: John Doe\ngidNumber: 5000\n"
#: serverguide/C/network-auth.xml:486(para)
msgid "Explanation of switches:"
#: serverguide/C/network-auth.xml:493(para)
msgid "<emphasis>-x:</emphasis> \"simple\" binding; will not use the default SASL method"
#: serverguide/C/network-auth.xml:499(para)
msgid "<emphasis>-LLL:</emphasis> disable printing extraneous information"
#: serverguide/C/network-auth.xml:505(para)
msgid "<emphasis>uid=john:</emphasis> a \"filter\" to find the john user"
#: serverguide/C/network-auth.xml:511(para)
msgid "<emphasis>cn gidNumber:</emphasis> requests certain attributes to be displayed (the default is to show all attributes)"
#: serverguide/C/network-auth.xml:521(title)
msgid "Modifying the slapd Configuration Database"
#: serverguide/C/network-auth.xml:523(para)
msgid "The slapd-config DIT can also be queried and modified. Here are a few examples."
#: serverguide/C/network-auth.xml:530(para)
msgid "Use <application>ldapmodify</application> to add an \"Index\" (DbIndex attribute) to your <application>{1}hdb,cn=config</application> database (dc=example,dc=com). Create a file, call it <filename>uid_index.ldif</filename>, with the following contents:"
8615
#: serverguide/C/network-auth.xml:535(programlisting)
8617
msgid "\ndn: olcDatabase={1}hdb,cn=config\nchangetype: modify\nadd: olcDbIndex\nolcDbIndex: uid eq,pres,sub\n"
8620
#: serverguide/C/network-auth.xml:541(para)
8621
msgid "Then issue the command:"
8624
#: serverguide/C/network-auth.xml:546(command)
8625
msgid "sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f uid_index.ldif"
8628
#: serverguide/C/network-auth.xml:547(computeroutput)
8630
msgid "\nmodifying entry \"olcDatabase={1}hdb,cn=config\"\n"
8633
#: serverguide/C/network-auth.xml:552(para)
8634
msgid "You can confirm the change in this way:"
8637
#: serverguide/C/network-auth.xml:557(command)
8638
msgid "sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(olcDatabase={1}hdb)' olcDbIndex"
8641
#: serverguide/C/network-auth.xml:558(computeroutput)
8643
msgid "\ndn: olcDatabase={1}hdb,cn=config\nolcDbIndex: objectClass eq\nolcDbIndex: uid eq,pres,sub\n"
8646
#: serverguide/C/network-auth.xml:568(para)
8647
msgid "Let's add a schema. It will first need to be converted to LDIF format. You can find unconverted schemas in addition to converted ones in the <filename role=\"directory\">/etc/ldap/schema</filename> directory."
8650
#: serverguide/C/network-auth.xml:574(para)
8651
msgid "It is not trivial to remove a schema from the slapd-config database. Practice adding schemas on a test system."
8654
#: serverguide/C/network-auth.xml:579(para)
8655
msgid "In the following example we'll add the CORBA schema."
8658
#: serverguide/C/network-auth.xml:586(para)
8659
msgid "Create the conversion configuration file <filename>schema_convert.conf</filename> containing the following lines:"
8662
#: serverguide/C/network-auth.xml:591(programlisting)
8664
msgid "\ninclude /etc/ldap/schema/core.schema\ninclude /etc/ldap/schema/collective.schema\ninclude /etc/ldap/schema/corba.schema\ninclude /etc/ldap/schema/cosine.schema\ninclude /etc/ldap/schema/duaconf.schema\ninclude /etc/ldap/schema/dyngroup.schema\ninclude /etc/ldap/schema/inetorgperson.schema\ninclude /etc/ldap/schema/java.schema\ninclude /etc/ldap/schema/misc.schema\ninclude /etc/ldap/schema/nis.schema\ninclude /etc/ldap/schema/openldap.schema\ninclude /etc/ldap/schema/ppolicy.schema\ninclude /etc/ldap/schema/ldapns.schema\ninclude /etc/ldap/schema/pmi.schema\n"
8667
#: serverguide/C/network-auth.xml:611(para)
8668
msgid "Create the output directory <filename>ldif_output</filename>."
8671
#: serverguide/C/network-auth.xml:617(para) serverguide/C/network-auth.xml:2133(para)
8672
msgid "Determine the index of the schema:"
8675
#: serverguide/C/network-auth.xml:622(command)
8676
msgid "slapcat -f schema_convert.conf -F ldif_output -n 0 | grep corba,cn=schema"
8679
#: serverguide/C/network-auth.xml:623(computeroutput)
8681
msgid "\ncn={1}corba,cn=schema,cn=config\n"
8684
#: serverguide/C/network-auth.xml:629(para)
8685
msgid "When slapd ingests objects with the same parent DN it assigns each one an <emphasis>index</emphasis>, shown in braces: <application>{X}</application>. The index is part of the entry's RDN in the slapd-config database, so it must be included when addressing the entry."
8688
#: serverguide/C/network-auth.xml:638(para)
8689
msgid "Use <application>slapcat</application> to perform the conversion:"
8692
#: serverguide/C/network-auth.xml:643(command)
8693
msgid "slapcat -f schema_convert.conf -F ldif_output -n0 -H ldap:///cn={1}corba,cn=schema,cn=config -l cn=corba.ldif"
8696
#: serverguide/C/network-auth.xml:646(para)
8697
msgid "The converted schema is now in <filename>cn=corba.ldif</filename>"
8700
#: serverguide/C/network-auth.xml:652(para)
8701
msgid "Edit <filename>cn=corba.ldif</filename> to arrive at the following attributes:"
8704
#: serverguide/C/network-auth.xml:656(programlisting)
8706
msgid "\ndn: cn=corba,cn=schema,cn=config\n...\ncn: corba\n"
8709
#: serverguide/C/network-auth.xml:662(para)
8710
msgid "Also remove the following lines from the bottom:"
8713
#: serverguide/C/network-auth.xml:666(programlisting)
8715
msgid "\nstructuralObjectClass: olcSchemaConfig\nentryUUID: 52109a02-66ab-1030-8be2-bbf166230478\ncreatorsName: cn=config\ncreateTimestamp: 20110829165435Z\nentryCSN: 20110829165435.935248Z#000000#000#000000\nmodifiersName: cn=config\nmodifyTimestamp: 20110829165435Z\n"
8718
#: serverguide/C/network-auth.xml:676(para) serverguide/C/network-auth.xml:2182(para)
8719
msgid "Your attribute values will vary."
8722
#: serverguide/C/network-auth.xml:682(para)
8723
msgid "Finally, use <application>ldapadd</application> to add the new schema to the slapd-config DIT:"
8726
#: serverguide/C/network-auth.xml:687(command)
8727
msgid "sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f cn\\=corba.ldif"
8730
#: serverguide/C/network-auth.xml:688(computeroutput)
8732
msgid "\nadding new entry \"cn=corba,cn=schema,cn=config\"\n"
8735
#: serverguide/C/network-auth.xml:696(para)
8736
msgid "Confirm currently loaded schemas:"
8739
#: serverguide/C/network-auth.xml:701(command)
8740
msgid "sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn"
8743
#: serverguide/C/network-auth.xml:702(computeroutput)
8745
msgid "\ndn: cn=schema,cn=config\n\ndn: cn={0}core,cn=schema,cn=config\n\ndn: cn={1}cosine,cn=schema,cn=config\n\ndn: cn={2}nis,cn=schema,cn=config\n\ndn: cn={3}inetorgperson,cn=schema,cn=config\n\ndn: cn={4}corba,cn=schema,cn=config\n"
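The schema conversion above ends with hand edits to the slapcat output. The following script, an added example that is not part of the Ubuntu Server Guide, automates those edits: clean_schema_ldif strips the {N} index from the dn and cn and removes the operational attributes slapd generated, and convert_schema wraps the slapcat steps around it. The conversion config name, output directory and schema name are assumptions, and the sample slapcat entry is constructed for the self-check (its OID, UUID and timestamps are invented).

```shell
#!/bin/sh
# Added example (not from the Ubuntu Server Guide): automate the manual
# edits needed to turn slapcat's schema dump into an ldapadd-able LDIF.

# clean_schema_ldif: read one slapcat-produced schema entry on stdin and
# write on stdout an entry that "ldapadd -Q -Y EXTERNAL -H ldapi:///" accepts:
# the {N} index is removed from dn and cn, and the operational attributes
# that slapd regenerates on load are dropped.
clean_schema_ldif() {
    sed -e 's/^dn: cn={[0-9]*}\([^,]*\),cn=schema,cn=config$/dn: cn=\1,cn=schema,cn=config/' \
        -e 's/^cn: {[0-9]*}/cn: /' \
        -e '/^structuralObjectClass: /d' \
        -e '/^entryUUID: /d' \
        -e '/^creatorsName: /d' \
        -e '/^createTimestamp: /d' \
        -e '/^entryCSN: /d' \
        -e '/^modifiersName: /d' \
        -e '/^modifyTimestamp: /d'
}

# convert_schema NAME CONF OUTDIR: locate schema NAME (e.g. corba) in the
# slapd-config built from CONF (e.g. schema_convert.conf) into OUTDIR
# (e.g. ldif_output) and write NAME.ldif in the current directory.
# Needs the slapd tools; not exercised by the self-check below.
convert_schema() {
    name=$1; conf=$2; outdir=$3
    mkdir -p "$outdir"
    # slapd assigns the {N} index itself, so read it back instead of guessing
    dn=$(slapcat -f "$conf" -F "$outdir" -n 0 \
         | sed -n "s/^dn: \(cn={[0-9]*}$name,cn=schema,cn=config\)\$/\1/p")
    if [ -z "$dn" ]; then
        echo "schema '$name' not found via $conf" >&2
        return 1
    fi
    slapcat -f "$conf" -F "$outdir" -n 0 -H "ldap:///$dn" \
        | clean_schema_ldif > "$name.ldif"
    echo "$name.ldif"
}

# Constructed sample of a slapcat schema entry (OID, UUID and timestamps are
# invented); this is what clean_schema_ldif has to repair.
SAMPLE_SLAPCAT_ENTRY='dn: cn={1}corba,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {1}corba
olcObjectIdentifier: CORBAexample 1.3.6.1.4.1.99999
structuralObjectClass: olcSchemaConfig
entryUUID: 52109a02-66ab-1030-8be2-bbf166230478
creatorsName: cn=config
createTimestamp: 20110829165435Z
entryCSN: 20110829165435.935248Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20110829165435Z'

# demo_clean: run the cleanup over the constructed sample (used by the self-check)
demo_clean() {
    printf '%s\n' "$SAMPLE_SLAPCAT_ENTRY" | clean_schema_ldif
}
```

Run `convert_schema corba schema_convert.conf ldif_output` on a test system, then `sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f corba.ldif`; remember that removing a schema from cn=config afterwards is not trivial.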
8748
#: serverguide/C/network-auth.xml:726(para)
8749
msgid "For external applications and clients to authenticate using LDAP they will each need to be specifically configured to do so. Refer to the appropriate client-side documentation for details."
8752
#: serverguide/C/network-auth.xml:735(title) serverguide/C/dns.xml:505(title)
8756
#: serverguide/C/network-auth.xml:737(para)
8757
msgid "Activity logging for slapd is indispensable when implementing an OpenLDAP-based solution, yet it must be enabled manually after installation; otherwise only rudimentary messages appear in the logs. Logging, like any other slapd setting, is configured through the slapd-config database."
8760
#: serverguide/C/network-auth.xml:743(para)
8761
msgid "OpenLDAP comes with multiple logging subsystems (levels) with each one containing the lower one (additive). A good level to try is <emphasis>stats</emphasis>. The <ulink url=\"http://manpages.ubuntu.com/manpages/en/man5/slapd-config.5.html\">slapd-config</ulink> man page has more to say on the different subsystems."
8764
#: serverguide/C/network-auth.xml:749(para)
8765
msgid "Create the file <filename>logging.ldif</filename> with the following contents:"
8768
#: serverguide/C/network-auth.xml:753(programlisting)
8770
msgid "\ndn: cn=config\nchangetype: modify\nadd: olcLogLevel\nolcLogLevel: stats\n"
8773
#: serverguide/C/network-auth.xml:760(para)
8774
msgid "Implement the change:"
8777
#: serverguide/C/network-auth.xml:765(command)
8778
msgid "sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f logging.ldif"
8781
#: serverguide/C/network-auth.xml:768(para)
8782
msgid "This will produce a significant amount of logging and you will want to throttle back to a less verbose level once your system is in production. While in this verbose mode your host's syslog engine (rsyslog) may have a hard time keeping up and may drop messages:"
8785
#: serverguide/C/network-auth.xml:774(programlisting)
8787
msgid "\nrsyslogd-2177: imuxsock lost 228 messages from pid 2547 due to rate-limiting\n"
8790
#: serverguide/C/network-auth.xml:778(para)
8791
msgid "You may consider a change to rsyslog's configuration. In <filename>/etc/rsyslog.conf</filename>, put:"
8794
#: serverguide/C/network-auth.xml:782(programlisting)
8796
msgid "\n# Disable rate limiting (default is 200 messages in 5 seconds; below we make the 5 become 0)\n$SystemLogRateLimitInterval 0\n"
8799
#: serverguide/C/network-auth.xml:787(para)
8800
msgid "And then restart the rsyslog daemon:"
8803
#: serverguide/C/network-auth.xml:792(command)
8804
msgid "sudo service rsyslog restart"
8807
#: serverguide/C/network-auth.xml:798(title)
8811
#: serverguide/C/network-auth.xml:800(para)
8812
msgid "The LDAP service becomes increasingly important as more networked systems begin to depend on it. In such an environment, it is standard practice to build redundancy (high availability) into LDAP to prevent havoc should the LDAP server become unresponsive. This is done through <emphasis>LDAP replication</emphasis>."
8815
#: serverguide/C/network-auth.xml:806(para)
8816
msgid "Replication is achieved via the <emphasis>Syncrepl</emphasis> engine. This allows changes to be synchronized using a <emphasis>Consumer</emphasis> - <emphasis>Provider</emphasis> model. The specific kind of replication we will implement in this guide is a combination of the following modes: <emphasis>refreshAndPersist</emphasis> and <emphasis>delta-syncrepl</emphasis>. This has the Provider push changed entries to the Consumer as soon as they're made but, in addition, only actual changes will be sent, not entire entries."
8819
#: serverguide/C/network-auth.xml:815(title)
msgid "Provider Configuration"

#: serverguide/C/network-auth.xml:552(para)
msgid "The following is an example of a <emphasis>Single-Master</emphasis> configuration. In this configuration one OpenLDAP server is configured as a <emphasis>provider</emphasis> and another as a <emphasis>consumer</emphasis>."

#: serverguide/C/network-auth.xml:560(para)
msgid "First, configure the provider server. Copy the following to a file named <filename>provider_sync.ldif</filename>:"

#: serverguide/C/network-auth.xml:817(para)
msgid "Begin by configuring the <emphasis>Provider</emphasis>."

#: serverguide/C/network-auth.xml:824(para)
msgid "Create an LDIF file with the following contents and name it <filename>provider_sync.ldif</filename>:"

#: serverguide/C/network-auth.xml:565(programlisting) serverguide/C/network-auth.xml:828(programlisting)
msgid "\n# Add indexes to the frontend db.\ndn: olcDatabase={1}hdb,cn=config\nchangetype: modify\nadd: olcDbIndex\nolcDbIndex: entryCSN eq\n-\nadd: olcDbIndex\nolcDbIndex: entryUUID eq\n\n#Load the syncprov and accesslog modules.\ndn: cn=module{0},cn=config\nchangetype: modify\nadd: olcModuleLoad\nolcModuleLoad: syncprov\n-\nadd: olcModuleLoad\nolcModuleLoad: accesslog\n\n# Accesslog database definitions\ndn: olcDatabase={2}hdb,cn=config\nobjectClass: olcDatabaseConfig\nobjectClass: olcHdbConfig\nolcDatabase: {2}hdb\nolcDbDirectory: /var/lib/ldap/accesslog\nolcSuffix: cn=accesslog\nolcRootDN: cn=admin,dc=example,dc=com\nolcDbIndex: default eq\nolcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart\n\n# Accesslog db syncprov.\ndn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config\nchangetype: add\nobjectClass: olcOverlayConfig\nobjectClass: olcSyncProvConfig\nolcOverlay: syncprov\nolcSpNoPresent: TRUE\nolcSpReloadHint: TRUE\n\n# syncrepl Provider for primary db\ndn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config\nchangetype: add\nobjectClass: olcOverlayConfig\nobjectClass: olcSyncProvConfig\nolcOverlay: syncprov\nolcSpNoPresent: TRUE\n\n# accesslog overlay definitions for primary db\ndn: olcOverlay=accesslog,olcDatabase={1}hdb,cn=config\nobjectClass: olcOverlayConfig\nobjectClass: olcAccessLogConfig\nolcOverlay: accesslog\nolcAccessLogDB: cn=accesslog\nolcAccessLogOps: writes\nolcAccessLogSuccess: TRUE\n# scan the accesslog DB every day, and purge entries older than 7 days\nolcAccessLogPurge: 07+00:00 01+00:00\n"
#: serverguide/C/network-auth.xml:627(para)
msgid "The <application>AppArmor</application> profile for <application>slapd</application> will need to be adjusted for the accesslog database location. Edit <filename>/etc/apparmor.d/usr.sbin.slapd</filename> adding:"

#: serverguide/C/network-auth.xml:632(programlisting)
msgid "\n /var/lib/ldap/accesslog/ r,\n /var/lib/ldap/accesslog/** rwk,\n"

#: serverguide/C/network-auth.xml:637(para)
msgid "Then create the directory, reload the <application>apparmor</application> profile, and copy the <filename>DB_CONFIG</filename> file:"

#: serverguide/C/network-auth.xml:887(para)
msgid "Change the rootDN in the LDIF file to match the one you have for your directory."

#: serverguide/C/network-auth.xml:894(para)
msgid "The <application>apparmor</application> profile for slapd will need to be adjusted for the accesslog database location. Edit <filename>/etc/apparmor.d/local/usr.sbin.slapd</filename> by adding the following:"

#: serverguide/C/network-auth.xml:900(programlisting)
msgid "\n/var/lib/ldap/accesslog/ r,\n/var/lib/ldap/accesslog/** rwk,\n"

#: serverguide/C/network-auth.xml:905(para)
msgid "Create a directory, set up a database config file, and reload the apparmor profile:"

#: serverguide/C/network-auth.xml:643(command) serverguide/C/network-auth.xml:910(command)
msgid "sudo -u openldap mkdir /var/lib/ldap/accesslog"

#: serverguide/C/network-auth.xml:644(command)
msgid "sudo -u openldap cp /var/lib/ldap/DB_CONFIG /var/lib/ldap/accesslog/"
8652
#: serverguide/C/network-auth.xml:649(para)
8653
msgid "Using the <emphasis>-u openldap</emphasis> option with the <application>sudo</application> commands above removes the need to adjust permissions for the new directory later."
8656
#: serverguide/C/network-auth.xml:658(para)
8657
msgid "Edit the file and change the <emphasis>olcRootDN</emphasis> to match your directory:"
8660
#: serverguide/C/network-auth.xml:662(programlisting)
8662
msgid "\nolcRootDN: cn=admin,dc=example,dc=com\n"
8665
#: serverguide/C/network-auth.xml:670(para)
8666
msgid "Next, add the LDIF file using the <application>ldapadd</application> utility:"
8669
#: serverguide/C/network-auth.xml:675(command)
8670
msgid "sudo ldapadd -Y EXTERNAL -H ldapi:/// -f provider_sync.ldif"
8673
#: serverguide/C/network-auth.xml:682(para)
8674
msgid "Restart <application>slapd</application>:"
8677
#: serverguide/C/network-auth.xml:687(command) serverguide/C/network-auth.xml:1062(command) serverguide/C/network-auth.xml:1249(command)
8678
msgid "sudo /etc/init.d/slapd restart"
8681
#: serverguide/C/network-auth.xml:693(para)
8682
msgid "The <emphasis>Provider</emphasis> server is now configured, and it is time to configure a <emphasis>Consumer</emphasis> server."
8685
#: serverguide/C/network-auth.xml:700(title)
8686
msgid "Consumer Configuration"
8689
#: serverguide/C/network-auth.xml:705(para)
8690
msgid "Configure the <emphasis>Consumer</emphasis> server the same way as the <emphasis>Provider</emphasis>, except for the <emphasis>Syncrepl</emphasis> configuration steps."
8693
#: serverguide/C/network-auth.xml:710(para)
8694
msgid "Add the additional schema files:"
8697
#: serverguide/C/network-auth.xml:720(para)
8698
msgid "Also create, or copy from the provider server, the <filename>backend.example.com.ldif</filename> file. Replace the cleartext <emphasis>olcRootPW</emphasis> value shown below with a hashed value generated by <command>slappasswd</command> before loading it:"
8701
#: serverguide/C/network-auth.xml:724(programlisting)
8703
msgid "\n# Load dynamic backend modules\ndn: cn=module,cn=config\nobjectClass: olcModuleList\ncn: module\nolcModulepath: /usr/lib/ldap\nolcModuleload: back_hdb.la\n\n# Database settings\ndn: olcDatabase=hdb,cn=config\nobjectClass: olcDatabaseConfig\nobjectClass: olcHdbConfig\nolcDatabase: {1}hdb\nolcSuffix: dc=example,dc=com\nolcDbDirectory: /var/lib/ldap\nolcRootDN: cn=admin,dc=example,dc=com\nolcRootPW: secret\nolcDbConfig: set_cachesize 0 2097152 0\nolcDbConfig: set_lk_max_objects 1500\nolcDbConfig: set_lk_max_locks 1500\nolcDbConfig: set_lk_max_lockers 1500\nolcDbIndex: objectClass eq\nolcLastMod: TRUE\nolcDbCheckpoint: 512 30\nolcAccess: to attrs=userPassword by dn=\"cn=admin,dc=example,dc=com\" write by anonymous auth by self write by * none\nolcAccess: to attrs=shadowLastChange by self write by * read\nolcAccess: to dn.base=\"\" by * read\nolcAccess: to * by dn=\"cn=admin,dc=example,dc=com\" write by * read\n"
8706
#: serverguide/C/network-auth.xml:754(para)
8707
msgid "And add the LDIF by entering:"
8710
#: serverguide/C/network-auth.xml:765(para)
8711
msgid "Do the same with the <filename>frontend.example.com.ldif</filename> file listed above, and add it:"
8714
#: serverguide/C/network-auth.xml:773(para)
8715
msgid "The two servers should now have the same configuration except for the <emphasis>Syncrepl</emphasis> options."
8718
#: serverguide/C/network-auth.xml:781(para)
8719
msgid "Now create a file named <filename>consumer_sync.ldif</filename> containing:"
8722
#: serverguide/C/network-auth.xml:785(programlisting)
8724
msgid "\n#Load the syncprov module.\ndn: cn=module{0},cn=config\nchangetype: modify\nadd: olcModuleLoad\nolcModuleLoad: syncprov\n\n# syncrepl specific indices\ndn: olcDatabase={1}hdb,cn=config\nchangetype: modify\nadd: olcDbIndex\nolcDbIndex: entryUUID eq\n-\nadd: olcSyncRepl\nolcSyncRepl: rid=0 provider=ldap://ldap01.example.com bindmethod=simple binddn=\"cn=admin,dc=example,dc=com\" \n credentials=secret searchbase=\"dc=example,dc=com\" logbase=\"cn=accesslog\" \n logfilter=\"(&(objectClass=auditWriteObject)(reqResult=0))\" schemachecking=on \n type=refreshAndPersist retry=\"60 +\" syncdata=accesslog\n-\nadd: olcUpdateRef\nolcUpdateRef: ldap://ldap01.example.com\n"
8727
#: serverguide/C/network-auth.xml:808(para)
8728
msgid "You will probably want to change the following attributes:"
8731
#: serverguide/C/network-auth.xml:813(para)
8732
msgid "<emphasis>ldap01.example.com</emphasis> to your server's hostname."
8735
#: serverguide/C/network-auth.xml:814(emphasis)
8739
#: serverguide/C/network-auth.xml:815(emphasis)
8743
#: serverguide/C/network-auth.xml:816(emphasis)
8747
#: serverguide/C/network-auth.xml:817(emphasis)
8748
msgid "olcUpdateRef:"
8751
#: serverguide/C/network-auth.xml:823(para)
8752
msgid "Add the LDIF file to the configuration tree:"
8755
#: serverguide/C/network-auth.xml:828(command)
8756
msgid "sudo ldapadd -c -Y EXTERNAL -H ldapi:/// -f consumer_sync.ldif"
8759
#: serverguide/C/network-auth.xml:834(para)
8760
msgid "The frontend database should now sync between servers. You can add additional servers using the steps above as the need arises."
8763
#: serverguide/C/network-auth.xml:844(programlisting)
8765
msgid "127.0.0.1\tldap01.example.com ldap01"
8768
#: serverguide/C/network-auth.xml:840(para)
8769
msgid "The <application>slapd</application> daemon will send log information to <filename>/var/log/syslog</filename> by default. So if all does <emphasis>not</emphasis> go well, check there for errors and other troubleshooting information. Also, be sure that each server knows its Fully Qualified Domain Name (FQDN). This is configured in <filename>/etc/hosts</filename> with a line similar to: <placeholder-1/>."
8772
#: serverguide/C/network-auth.xml:852(title)
8773
msgid "Setting up ACL"
8776
#: serverguide/C/network-auth.xml:854(para)
8777
msgid "Authentication requires access to the password field, which must not be readable by other users by default. Also, in order for users to change their own password, using <command>passwd</command> or other utilities, <emphasis>shadowLastChange</emphasis> needs to be writable once a user has authenticated."
8780
#: serverguide/C/network-auth.xml:861(para)
8781
msgid "To view the Access Control List (ACL) for the <emphasis>cn=config</emphasis> tree, use the <application>ldapsearch</application> utility:"
8784
#: serverguide/C/network-auth.xml:867(command)
8785
msgid "sudo ldapsearch -c -Y EXTERNAL -H ldapi:/// -LLL -b cn=config olcDatabase=config olcAccess"
8788
#: serverguide/C/network-auth.xml:871(computeroutput)
8790
msgid "SASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\ndn: olcDatabase={0}config,cn=config\nolcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external\n ,cn=auth manage by * break\n"
8793
#: serverguide/C/network-auth.xml:880(para)
8794
msgid "To see the ACL for the frontend tree enter:"
8797
#: serverguide/C/network-auth.xml:885(command)
8798
msgid "sudo ldapsearch -c -Y EXTERNAL -H ldapi:/// -LLL -b cn=config olcDatabase={1}hdb olcAccess"
8801
#: serverguide/C/network-auth.xml:891(title)
8805
#: serverguide/C/network-auth.xml:893(para)
8806
msgid "When authenticating to an OpenLDAP server it is best to do so using an encrypted session. This can be accomplished using Transport Layer Security (TLS); the older Secure Sockets Layer (SSL) protocols are obsolete and should not be enabled."
8809
#: serverguide/C/network-auth.xml:898(para)
8810
msgid "The first step in the process is to obtain or create a <emphasis>certificate</emphasis>. Because <application>slapd</application> is compiled using the <application>gnutls</application> library, the <application>certtool</application> utility will be used to create certificates."
8813
#: serverguide/C/network-auth.xml:907(para)
8814
msgid "First, install <application>gnutls-bin</application> by entering the following in a terminal:"
#: serverguide/C/network-auth.xml:912(command)
msgid "sudo apt-get install gnutls-bin"

#: serverguide/C/network-auth.xml:918(para)
msgid "Next, create a private key for the <emphasis>Certificate Authority</emphasis> (CA):"

#: serverguide/C/network-auth.xml:911(command)
msgid "sudo -u openldap cp /var/lib/ldap/DB_CONFIG /var/lib/ldap/accesslog"

#: serverguide/C/network-auth.xml:912(command)
msgid "sudo service apparmor reload"

#: serverguide/C/network-auth.xml:918(para)
msgid "Add the new content and, due to the apparmor change, restart the daemon:"

#: serverguide/C/network-auth.xml:923(command)
msgid "sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f provider_sync.ldif"

#: serverguide/C/network-auth.xml:924(command) serverguide/C/network-auth.xml:1392(command) serverguide/C/network-auth.xml:1577(command)
msgid "sudo service slapd restart"

#: serverguide/C/network-auth.xml:931(para)
msgid "The Provider is now configured."
8881
#: serverguide/C/network-auth.xml:938(title)
8882
msgid "Consumer Configuration"
8885
#: serverguide/C/network-auth.xml:940(para)
8886
msgid "And now configure the <emphasis>Consumer</emphasis>."
8889
#: serverguide/C/network-auth.xml:947(para)
8890
msgid "Install the software by going through <xref linkend=\"openldap-server-installation\"/>. Make sure the slapd-config database is identical to the Provider's. In particular, make sure schemas and the database suffix are the same."
8893
#: serverguide/C/network-auth.xml:954(para)
8894
msgid "Create an LDIF file with the following contents and name it <filename>consumer_sync.ldif</filename>:"
8897
#: serverguide/C/network-auth.xml:958(programlisting)
8899
msgid "\ndn: cn=module{0},cn=config\nchangetype: modify\nadd: olcModuleLoad\nolcModuleLoad: syncprov\n\ndn: olcDatabase={1}hdb,cn=config\nchangetype: modify\nadd: olcDbIndex\nolcDbIndex: entryUUID eq\n-\nadd: olcSyncRepl\nolcSyncRepl: rid=0 provider=ldap://ldap01.example.com bindmethod=simple binddn=\"cn=admin,dc=example,dc=com\" \n credentials=secret searchbase=\"dc=example,dc=com\" logbase=\"cn=accesslog\" \n logfilter=\"(&(objectClass=auditWriteObject)(reqResult=0))\" schemachecking=on \n type=refreshAndPersist retry=\"60 +\" syncdata=accesslog\n-\nadd: olcUpdateRef\nolcUpdateRef: ldap://ldap01.example.com\n"
8902
#: serverguide/C/network-auth.xml:979(para)
8903
msgid "Ensure the following attributes have the correct values:"
8906
#: serverguide/C/network-auth.xml:984(para)
8907
msgid "<emphasis>ldap01.example.com</emphasis> (Provider server's hostname or IP address)"
8910
#: serverguide/C/network-auth.xml:985(para)
8911
msgid "<emphasis>binddn</emphasis> (the admin DN you're using)"
8914
#: serverguide/C/network-auth.xml:986(para)
8915
msgid "<emphasis>credentials</emphasis> (the admin DN password you're using; note that with <emphasis>bindmethod=simple</emphasis> over a plain <emphasis>ldap://</emphasis> URI this password crosses the network in cleartext, so protect the replication connection with TLS, for example <emphasis>starttls=critical</emphasis> once the Provider serves TLS, and consider a dedicated replication DN with read-only access instead of the rootDN)"
8918
#: serverguide/C/network-auth.xml:987(para)
8919
msgid "<emphasis>searchbase</emphasis> (the database suffix you're using)"
8922
#: serverguide/C/network-auth.xml:988(para)
8923
msgid "<emphasis>olcUpdateRef:</emphasis> (Provider server's hostname or IP address)"
8926
#: serverguide/C/network-auth.xml:995(para)
8927
msgid "Add the new content:"
8930
#: serverguide/C/network-auth.xml:1000(command)
8931
msgid "sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f consumer_sync.ldif"
8934
#: serverguide/C/network-auth.xml:1007(para)
8935
msgid "You're done. The two databases (suffix: dc=example,dc=com) should now be synchronizing."
8938
#: serverguide/C/network-auth.xml:1011(para)
8939
msgid "To test if it worked simply query, on the Consumer, the DNs in the database:"
8942
#: serverguide/C/network-auth.xml:1016(command)
8943
msgid "sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b dc=example,dc=com dn"
8946
#: serverguide/C/network-auth.xml:1019(para)
8947
msgid "You should see the user 'john' and the group 'miners' as well as the nodes 'People' and 'Groups'."
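Listing DNs on the Consumer proves that something replicated, but not that the Consumer is current. The script below is an added example, not part of the Ubuntu Server Guide: it compares the contextCSN of the replicated suffix on Provider and Consumer, which syncrepl keeps equal once every change has been applied. The hostnames ldap01 and ldap02 and the suffix are assumptions; the CSN values used in the self-check are constructed.

```shell
#!/bin/sh
# Added example (not from the Ubuntu Server Guide): measure syncrepl lag by
# comparing contextCSN on the Provider and the Consumer.

# context_csn HOST SUFFIX: print the newest contextCSN on HOST for SUFFIX.
# An anonymous simple bind is enough with the default 'by * read' ACL; with
# several serverIDs there is one value per sid, so keep the highest.
# Needs network access; not exercised by the self-check below.
context_csn() {
    ldapsearch -x -LLL -H "ldap://$1" -b "$2" -s base contextCSN \
        | sed -n 's/^contextCSN: //p' | sort | tail -n 1
}

# csn_state PROVIDER_CSN CONSUMER_CSN: print in-sync, behind or ahead.
# A CSN is 'YYYYmmddHHMMSS.ffffffZ#count#sid#mod'; with a single Provider
# (single sid) the values order correctly as plain strings. An empty
# Consumer value (nothing replicated yet) counts as behind.
csn_state() {
    prov=$1; cons=$2
    if [ "$prov" = "$cons" ]; then
        echo in-sync
    elif [ "$(printf '%s\n%s\n' "$prov" "$cons" | sort | head -n 1)" = "$cons" ]; then
        echo behind
    else
        # unexpected with one Provider: look for local writes bypassing
        # olcUpdateRef, or a second serverID
        echo ahead
    fi
}

# check_replication PROVIDER_HOST CONSUMER_HOST SUFFIX: fetch both CSNs,
# report them, and succeed only when the Consumer is in sync.
check_replication() {
    p=$(context_csn "$1" "$3")
    c=$(context_csn "$2" "$3")
    state=$(csn_state "$p" "$c")
    echo "provider=$p consumer=$c state=$state"
    [ "$state" = in-sync ]
}

# Example run (assumed hostnames): check_replication ldap01.example.com ldap02.example.com dc=example,dc=com
```

Run check_replication from cron or a monitoring check; a Consumer that stays "behind" across several runs usually means the syncrepl bind is failing, which slapd reports in /var/log/syslog on the Consumer.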
8950
#: serverguide/C/network-auth.xml:1028(title)
8951
msgid "Access Control"
8954
#: serverguide/C/network-auth.xml:1030(para)
8955
msgid "The management of what type of access (read, write, etc) users should be granted to resources is known as <emphasis>access control</emphasis>. The configuration directives involved are called <emphasis>access control lists</emphasis> or ACL."
8958
#: serverguide/C/network-auth.xml:1035(para)
8959
msgid "When we installed the slapd package various ACL were set up automatically. We will look at a few important consequences of those defaults and, in so doing, we'll get an idea of how ACLs work and how they're configured."
8962
#: serverguide/C/network-auth.xml:1040(para)
8963
msgid "To get the effective ACL for an LDAP query we need to look at the ACL entries of the database being queried as well as those of the special frontend database instance. The ACLs belonging to the latter act as defaults in case those of the former do not match. The frontend database is the second to be consulted and the ACL to be applied is the first to match (\"first match wins\") among these 2 ACL sources. The following commands will give, respectively, the ACLs of the hdb database (\"dc=example,dc=com\") and those of the frontend database:"
8966
#: serverguide/C/network-auth.xml:1049(command)
8967
msgid "sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(olcDatabase={1}hdb)' olcAccess"
8970
#: serverguide/C/network-auth.xml:1050(computeroutput)
8972
msgid "\ndn: olcDatabase={1}hdb,cn=config\nolcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn=\"cn=admin,dc=example,dc=com\" write by * none\nolcAccess: {1}to dn.base=\"\" by * read\nolcAccess: {2}to * by self write by dn=\"cn=admin,dc=example,dc=com\" write by *\n read\n"
8975
#: serverguide/C/network-auth.xml:1060(para)
8976
msgid "The rootDN always has full rights to its database. Including it in an ACL makes the configuration explicit, but it also costs slapd a small performance penalty, since the clause has to be evaluated."
8979
#: serverguide/C/network-auth.xml:1067(command)
8980
msgid "sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(olcDatabase={-1}frontend)' olcAccess"
8983
#: serverguide/C/network-auth.xml:1068(computeroutput)
8985
msgid "\ndn: olcDatabase={-1}frontend,cn=config\nolcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break\nolcAccess: {1}to dn.exact=\"\" by * read\nolcAccess: {2}to dn.base=\"cn=Subschema\" by * read\n"
8988
#: serverguide/C/network-auth.xml:1076(para)
8989
msgid "The very first ACL is crucial:"
8992
#: serverguide/C/network-auth.xml:1080(programlisting)
8994
msgid "\nolcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn=\"cn=admin,dc=example,dc=com\" write by * none\n"
8997
#: serverguide/C/network-auth.xml:1084(para)
8998
msgid "This can be represented differently for easier digestion:"
9001
#: serverguide/C/network-auth.xml:1088(programlisting)
9003
msgid "\nto attrs=userPassword\n\tby self write\n\tby anonymous auth\n\tby dn=\"cn=admin,dc=example,dc=com\" write\n\tby * none\n\nto attrs=shadowLastChange\n\tby self write\n\tby anonymous auth\n\tby dn=\"cn=admin,dc=example,dc=com\" write\n\tby * none\n"
9006
#: serverguide/C/network-auth.xml:1102(para)
9007
msgid "This compound ACL (there are 2) enforces the following:"
9010
#: serverguide/C/network-auth.xml:1109(para)
9011
msgid "Anonymous 'auth' access is provided to the <emphasis>userPassword</emphasis> attribute so that the initial bind can occur. Perhaps counter-intuitively, 'by anonymous auth' is needed even when anonymous access to the DIT is unwanted: a bind request arrives on a connection that is not yet authenticated, and 'auth' access is what allows slapd to compare the supplied password without disclosing the attribute. Once the remote end is connected, however, authentication can occur (see next point)."
9014
#: serverguide/C/network-auth.xml:1117(para)
9015
msgid "Once authenticated, users can change their own password because 'by self write' gives each user write access (which includes read) to their own <emphasis>userPassword</emphasis> attribute."
9018
#: serverguide/C/network-auth.xml:1123(para)
9019
msgid "The <emphasis>userPassword</emphasis> attribute is otherwise inaccessible to all other users, with the exception of the rootDN, who has complete access to it."
9022
#: serverguide/C/network-auth.xml:1130(para)
9023
msgid "In order for users to change their own password, using <command>passwd</command> or other utilities, the <emphasis>shadowLastChange</emphasis> attribute needs to be accessible once a user has authenticated."
9026
#: serverguide/C/network-auth.xml:1138(para)
9027
msgid "This DIT can be searched anonymously because of 'by * read' in this ACL:"
9030
#: serverguide/C/network-auth.xml:1142(programlisting)
9032
msgid "\nto *\n\tby self write\n\tby dn=\"cn=admin,dc=example,dc=com\" write\n\tby * read\n"
9035
#: serverguide/C/network-auth.xml:1149(para)
9036
msgid "If this is unwanted then you need to change the ACLs. To force authentication during a bind request you can alternatively (or in combination with the modified ACL) use the 'olcRequire: authc' directive."
9039
#: serverguide/C/network-auth.xml:1154(para)
9040
msgid "As previously mentioned, there is no administrative account created for the slapd-config database. There is, however, a SASL identity that is granted full access to it. It represents the localhost's superuser (root/sudo). Here it is:"
9043
#: serverguide/C/network-auth.xml:1159(programlisting)
9045
msgid "\ndn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth \n"
9048
#: serverguide/C/network-auth.xml:1163(para)
9049
msgid "The following command will display the ACLs of the slapd-config database:"
9052
#: serverguide/C/network-auth.xml:1168(command)
9053
msgid "sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(olcDatabase={0}config)' olcAccess"
9056
#: serverguide/C/network-auth.xml:1169(computeroutput)
9058
msgid "\ndn: olcDatabase={0}config,cn=config\nolcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break\n"
9061
#: serverguide/C/network-auth.xml:1175(para)
9062
msgid "Since this is a SASL identity we need to use a SASL <emphasis>mechanism</emphasis> when invoking the LDAP utility in question, and we have seen it plenty of times in this guide: the EXTERNAL mechanism. See the previous command for an example. Note that:"
9065
#: serverguide/C/network-auth.xml:1183(para)
9066
msgid "You must use <emphasis>sudo</emphasis> to become the root identity in order for the ACL to match."
9069
#: serverguide/C/network-auth.xml:1189(para)
9070
msgid "The EXTERNAL mechanism works via <emphasis>IPC</emphasis> (UNIX domain sockets). This means you must use the <emphasis>ldapi</emphasis> URI format."
9073
#: serverguide/C/network-auth.xml:1197(para)
9074
msgid "A succinct way to get all the ACLs is like this:"
9077
#: serverguide/C/network-auth.xml:1202(command)
9078
msgid "sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(olcAccess=*)' olcAccess olcSuffix"
9081
#: serverguide/C/network-auth.xml:1205(para)
9082
msgid "There is much to say on the topic of access control. See the man page for <ulink url=\"http://manpages.ubuntu.com/manpages/en/man5/slapd.access.5.html\">slapd.access</ulink>."
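The default catch-all rule lets anonymous clients read the whole DIT. The following script is an added example, not part of the Ubuntu Server Guide: it emits the hardened ACL beside the guide's default rules, applies it through the local root identity, and verifies the effect. Because olcAccess is an ordered attribute, the script replaces the whole list (keeping the password and rootDSE rules unchanged) rather than editing one value, which is the least error-prone way to change a single rule. The database DN, admin DN and suffix are the guide's values and are assumptions here; the verification step assumes the user john from earlier in the guide.

```shell
#!/bin/sh
# Added example (not from the Ubuntu Server Guide): require authentication
# to read the DIT, and verify that anonymous searches now return nothing.

# restricted_acl_ldif DB_DN ADMIN_DN: emit an LDIF that keeps the guide's
# rules {0} and {1} and replaces the catch-all rule {2}. 'by users read'
# grants read access only after a successful bind; 'by * none' then denies
# anonymous clients. The whole list is replaced because olcAccess values
# are ordered and a partial replace would drop the others.
restricted_acl_ldif() {
    db=$1; admin=$2
    cat <<EOF
dn: $db
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="$admin" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by dn="$admin" write by users read by * none
EOF
}

# require_authc_ldif DB_DN: alternative (or complement) from the guide's
# 'olcRequire: authc' note; slapd then rejects any operation on this
# database from an unauthenticated connection instead of silently
# returning nothing.
require_authc_ldif() {
    cat <<EOF
dn: $1
changetype: modify
add: olcRequire
olcRequire: authc
EOF
}

# apply_and_verify DB_DN ADMIN_DN SUFFIX: apply the ACL over ldapi as the
# local root identity, then confirm an anonymous search returns no entries
# while an authenticated search as john still works. Needs a running slapd;
# not exercised by the self-check below.
apply_and_verify() {
    restricted_acl_ldif "$1" "$2" | sudo ldapmodify -Q -Y EXTERNAL -H ldapi:///
    anon=$(ldapsearch -x -LLL -b "$3" '(objectClass=*)' dn | grep -c '^dn:' || true)
    echo "anonymous search returned $anon entries (expected 0)"
    # authenticated search; -W prompts for john's password
    ldapsearch -x -LLL -D "uid=john,ou=People,$3" -W -b "$3" '(uid=john)' dn
}

# Example run (guide's values): apply_and_verify 'olcDatabase={1}hdb,cn=config' 'cn=admin,dc=example,dc=com' 'dc=example,dc=com'
```

Before applying this on a server that other systems already use, check which clients bind anonymously (NSS/PAM clients commonly do for lookups); they will need a bind DN, or the rule relaxed to 'by users read by anonymous read' for the attributes they require.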
9085
#: serverguide/C/network-auth.xml:1213(title)
9089
#: serverguide/C/network-auth.xml:1215(para)
9090
msgid "When authenticating to an OpenLDAP server it is best to do so using an encrypted session. This can be accomplished using Transport Layer Security (TLS)."
9093
#: serverguide/C/network-auth.xml:1220(para)
9094
msgid "Here, we will be our own <emphasis>Certificate Authority</emphasis> and then create and sign our LDAP server certificate as that CA. Since <application>slapd</application> is compiled using the <application>gnutls</application> library, we will use the <application>certtool</application> utility to complete these tasks."
9097
#: serverguide/C/network-auth.xml:1229(para)
9098
msgid "Install the <application>gnutls-bin</application> and <application>ssl-cert</application> packages:"
9101
#: serverguide/C/network-auth.xml:1234(command)
9102
msgid "sudo apt-get install gnutls-bin ssl-cert"
9105
#: serverguide/C/network-auth.xml:1240(para)
9106
msgid "Create a private key for the Certificate Authority:"
9109
#: serverguide/C/network-auth.xml:1245(command)
8826
9110
msgid "sudo sh -c \"certtool --generate-privkey > /etc/ssl/private/cakey.pem\""
8829
#: serverguide/C/network-auth.xml:929(para)
8830
msgid "Create a <filename>/etc/ssl/ca.info</filename> details file to self-sign the CA certificate containing:"
9113
#: serverguide/C/network-auth.xml:1251(para)
9114
msgid "Create the template/file <filename>/etc/ssl/ca.info</filename> to define the CA:"
8833
#: serverguide/C/network-auth.xml:933(programlisting)
9117
#: serverguide/C/network-auth.xml:1255(programlisting)
8835
9119
msgid "\ncn = Example Company\nca\ncert_signing_key\n"
8838
#: serverguide/C/network-auth.xml:942(para)
8839
msgid "Now create the self-signed CA certificate:"
8842
#: serverguide/C/network-auth.xml:947(command)
8843
msgid "sudo certtool --generate-self-signed --load-privkey /etc/ssl/private/cakey.pem \\\n--template /etc/ssl/ca.info --outfile /etc/ssl/certs/cacert.pem"
8846
#: serverguide/C/network-auth.xml:954(para)
9122
#: serverguide/C/network-auth.xml:1264(para)
9123
msgid "Create the self-signed CA certificate:"
9126
#: serverguide/C/network-auth.xml:1269(command)
9127
msgid "sudo certtool --generate-self-signed \\\n--load-privkey /etc/ssl/private/cakey.pem \\\n--template /etc/ssl/ca.info \\\n--outfile /etc/ssl/certs/cacert.pem"
9130
#: serverguide/C/network-auth.xml:1278(para)
8847
9131
msgid "Make a private key for the server:"
8850
#: serverguide/C/network-auth.xml:959(command)
8851
msgid "sudo sh -c \"certtool --generate-privkey > /etc/ssl/private/ldap01_slapd_key.pem\""
8854
#: serverguide/C/network-auth.xml:963(para)
8855
msgid "Replace <emphasis>ldap01</emphasis> in the filename with your server's hostname. Naming the certificate and key for the host and service that will be using them will help keep filenames and paths straight."
8858
#: serverguide/C/network-auth.xml:972(para)
8859
msgid "To sign the server's certificate with the CA, create the <filename>/etc/ssl/ldap01.info</filename> info file containing:"
8862
#: serverguide/C/network-auth.xml:976(programlisting)
9134
#: serverguide/C/network-auth.xml:1283(command)
9135
msgid "sudo certtool --generate-privkey \\\n--bits 1024 \\\n--outfile /etc/ssl/private/ldap01_slapd_key.pem"
9138
#: serverguide/C/network-auth.xml:1289(para)
9139
msgid "Replace <emphasis>ldap01</emphasis> in the filename with your server's hostname. Naming the certificate and key for the host and service that will be using them will help keep things clear."
9142
#: serverguide/C/network-auth.xml:1298(para)
9143
msgid "Create the <filename>/etc/ssl/ldap01.info</filename> info file containing:"
9146
#: serverguide/C/network-auth.xml:1302(programlisting)
8864
msgid "\norganization = Example Company\ncn = ldap01.example.com\ntls_www_server\nencryption_key\nsigning_key\n"
8867
#: serverguide/C/network-auth.xml:987(para)
9148
msgid "\norganization = Example Company\ncn = ldap01.example.com\ntls_www_server\nencryption_key\nsigning_key\nexpiration_days = 3650\n"
9151
#: serverguide/C/network-auth.xml:1311(para)
9152
msgid "The above certificate is good for 10 years. Adjust accordingly."
9155
#: serverguide/C/network-auth.xml:1317(para)
8868
9156
msgid "Create the server's certificate:"
8871
#: serverguide/C/network-auth.xml:992(command)
8872
msgid "sudo certtool --generate-certificate --load-privkey /etc/ssl/private/ldap01_slapd_key.pem \\\n--load-ca-certificate /etc/ssl/certs/cacert.pem --load-ca-privkey /etc/ssl/private/cakey.pem \\\n--template /etc/ssl/ldap01.info --outfile /etc/ssl/certs/ldap01_slapd_cert.pem"
8875
#: serverguide/C/network-auth.xml:1000(para)
8876
msgid "Once you have a certificate, key, and CA cert installed, use <application>ldapmodify</application> to add the new configuration options:"
8879
#: serverguide/C/network-auth.xml:1011(userinput)
8881
msgid "dn: cn=config\nadd: olcTLSCACertificateFile\nolcTLSCACertificateFile: /etc/ssl/certs/cacert.pem\n-\nadd: olcTLSCertificateFile\nolcTLSCertificateFile: /etc/ssl/certs/ldap01_slapd_cert.pem\n-\nadd: olcTLSCertificateKeyFile\nolcTLSCertificateKeyFile: /etc/ssl/private/ldap01_slapd_key.pem"
8884
#: serverguide/C/network-auth.xml:1010(computeroutput) serverguide/C/network-auth.xml:1181(computeroutput)
8886
msgid "Enter LDAP Password:\n<placeholder-1/>\n\nmodifying entry \"cn=config\"\n"
8889
#: serverguide/C/network-auth.xml:1026(para)
8890
msgid "Adjust the <filename>ldap01_slapd_cert.pem</filename>, <filename>ldap01_slapd_key.pem</filename>, and <filename>cacert.pem</filename> names if yours are different."
8893
#: serverguide/C/network-auth.xml:1032(para)
8894
msgid "Next, edit <filename>/etc/default/slapd</filename> uncomment the <emphasis>SLAPD_SERVICES</emphasis> option:"
8897
#: serverguide/C/network-auth.xml:1036(programlisting)
8899
msgid "\nSLAPD_SERVICES=\"ldap:/// ldapi:/// ldaps:///\"\n"
8902
#: serverguide/C/network-auth.xml:1040(para)
8903
msgid "Now the <emphasis>openldap</emphasis> user needs access to the certificate:"
8906
#: serverguide/C/network-auth.xml:1045(command)
9159
#: serverguide/C/network-auth.xml:1322(command)
9160
msgid "sudo certtool --generate-certificate \\\n--load-privkey /etc/ssl/private/ldap01_slapd_key.pem \\\n--load-ca-certificate /etc/ssl/certs/cacert.pem \\\n--load-ca-privkey /etc/ssl/private/cakey.pem \\\n--template /etc/ssl/ldap01.info \\\n--outfile /etc/ssl/certs/ldap01_slapd_cert.pem"
9163
#: serverguide/C/network-auth.xml:1334(para)
9164
msgid "Create the file <filename>certinfo.ldif</filename> with the following contents (adjust accordingly):"
9167
#: serverguide/C/network-auth.xml:1338(programlisting)
9169
msgid "\ndn: cn=config\nadd: olcTLSCACertificateFile\nolcTLSCACertificateFile: /etc/ssl/certs/cacert.pem\n-\nadd: olcTLSCertificateFile\nolcTLSCertificateFile: /etc/ssl/certs/ldap01_slapd_cert.pem\n-\nadd: olcTLSCertificateKeyFile\nolcTLSCertificateKeyFile: /etc/ssl/private/ldap01_slapd_key.pem\n"
9172
#: serverguide/C/network-auth.xml:1350(para)
9173
msgid "Use the <application>ldapmodify</application> command to tell slapd about our TLS work via the slapd-config database:"
9176
#: serverguide/C/network-auth.xml:1355(command)
9177
msgid "sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ssl/certinfo.ldif"
9180
#: serverguide/C/network-auth.xml:1358(para)
9181
msgid "Contrary to popular belief, you do not need <emphasis>ldaps://</emphasis> in <filename>/etc/default/slapd</filename> in order to use encryption. You should have just:"
9184
#: serverguide/C/network-auth.xml:1363(programlisting)
9186
msgid "\nSLAPD_SERVICES=\"ldap:/// ldapi:///\"\n"
9189
#: serverguide/C/network-auth.xml:1368(para)
9190
msgid "LDAP over TLS/SSL (ldaps://) is deprecated in favour of <emphasis>StartTLS</emphasis>. The latter refers to an existing LDAP session (listening on TCP port 389) becoming protected by TLS/SSL whereas LDAPS, like HTTPS, is a distinct encrypted-from-the-start protocol that operates over TCP port 636."
9193
#: serverguide/C/network-auth.xml:1376(para)
9194
msgid "Tighten up ownership and permissions:"
9197
#: serverguide/C/network-auth.xml:1381(command) serverguide/C/network-auth.xml:1498(command)
8907
9198
msgid "sudo adduser openldap ssl-cert"
8910
#: serverguide/C/network-auth.xml:1046(command)
9201
#: serverguide/C/network-auth.xml:1382(command)
8911
9202
msgid "sudo chgrp ssl-cert /etc/ssl/private/ldap01_slapd_key.pem"
8914
#: serverguide/C/network-auth.xml:1047(command)
9205
#: serverguide/C/network-auth.xml:1383(command)
8915
9206
msgid "sudo chmod g+r /etc/ssl/private/ldap01_slapd_key.pem"
8918
#: serverguide/C/network-auth.xml:1051(para)
8919
msgid "If the <filename role=\"directory\">/etc/ssl/private</filename> and <filename>/etc/ssl/private/server.key</filename> have different permissions, adjust the commands appropriately."
8922
#: serverguide/C/network-auth.xml:1057(para)
8923
msgid "Finally, restart <application>slapd</application>:"
8926
#: serverguide/C/network-auth.xml:1065(para)
8927
msgid "The <application>slapd</application> daemon should now be listening for LDAPS connections and be able to use STARTTLS during authentication."
8930
#: serverguide/C/network-auth.xml:1071(para)
8931
msgid "If you run into trouble with the server not starting, check /var/log/syslog. If you see errors like main: TLS init def ctx failed: -1, it is likely there is a configuration problem. Check that the certificate is signed by the CA in the configured files, and that the ssl-cert group has read permission on the private key."
8934
#: serverguide/C/network-auth.xml:1083(title)
8935
msgid "TLS Replication"
8938
#: serverguide/C/network-auth.xml:1085(para)
8939
msgid "If you have set up <application>Syncrepl</application> between servers, it is prudent to encrypt the replication traffic using <emphasis>Transport Layer Security (TLS)</emphasis>. For details on setting up replication see <xref linkend=\"openldap-server-replication\"/>."
8942
#: serverguide/C/network-auth.xml:1091(para)
8943
msgid "Assuming you have followed the above instructions and created a CA certificate and server certificate on the <emphasis>Provider</emphasis> server, follow these instructions to create a certificate and key for the <emphasis>Consumer</emphasis> server."
8946
#: serverguide/C/network-auth.xml:1100(para)
8947
msgid "Create a new key for the Consumer server:"
8950
#: serverguide/C/network-auth.xml:1105(command)
9209
#: serverguide/C/network-auth.xml:1384(command)
9210
msgid "sudo chmod o-r /etc/ssl/private/ldap01_slapd_key.pem"
9213
#: serverguide/C/network-auth.xml:1387(para)
9214
msgid "Restart OpenLDAP:"
9217
#: serverguide/C/network-auth.xml:1395(para)
9218
msgid "Check your host's logs (/var/log/syslog) to see if the server has started properly."
9221
#: serverguide/C/network-auth.xml:1402(title)
9222
msgid "Replication and TLS"
9225
#: serverguide/C/network-auth.xml:1404(para)
9226
msgid "If you have set up replication between servers, it is common practice to encrypt (StartTLS) the replication traffic to prevent eavesdropping. This is distinct from using encryption with authentication as we did above. In this section we will build on that TLS-authentication work."
9229
#: serverguide/C/network-auth.xml:1410(para)
9230
msgid "The assumption here is that you have set up replication between Provider and Consumer according to <xref linkend=\"openldap-server-replication\"/> and have configured TLS for authentication on the Provider by following <xref linkend=\"openldap-tls\"/>."
9233
#: serverguide/C/network-auth.xml:1415(para)
9234
msgid "As previously stated, the objective (for us) with replication is high availability for the LDAP service. Since we have TLS for authentication on the Provider we will require the same on the Consumer. In addition to this, however, we want to encrypt replication traffic. What remains to be done is to create a key and certificate for the Consumer and then configure accordingly. We will generate the key/certificate on the Provider, to avoid having to create another CA certificate, and then transfer the necessary material over to the Consumer."
9237
#: serverguide/C/network-auth.xml:1426(para) serverguide/C/network-auth.xml:1583(para)
9238
msgid "On the Provider,"
9241
#: serverguide/C/network-auth.xml:1430(para)
9242
msgid "Create a holding directory (which will be used for the eventual transfer) and then the Consumer's private key:"
9245
#: serverguide/C/network-auth.xml:1435(command)
8951
9246
msgid "mkdir ldap02-ssl"
8954
#: serverguide/C/network-auth.xml:1106(command)
9249
#: serverguide/C/network-auth.xml:1436(command)
8955
9250
msgid "cd ldap02-ssl"
8958
#: serverguide/C/network-auth.xml:1107(command)
8959
msgid "certtool --generate-privkey > ldap02_slapd_key.pem"
8962
#: serverguide/C/network-auth.xml:1111(para)
8963
msgid "Creating a new directory is not strictly necessary, but it will help keep things organized and make it easier to copy the files to the Consumer server."
8966
#: serverguide/C/network-auth.xml:1120(para)
8967
msgid "Next, create an info file, <filename>ldap02.info</filename> for the Consumer server, changing the attributes to match your locality and server:"
8970
#: serverguide/C/network-auth.xml:1125(programlisting)
9253
#: serverguide/C/network-auth.xml:1437(command)
9254
msgid "sudo certtool --generate-privkey \\\n--bits 1024 \\\n--outfile ldap02_slapd_key.pem"
9257
#: serverguide/C/network-auth.xml:1442(para)
9258
msgid "Create an info file, <filename>ldap02.info</filename>, for the Consumer server, adjusting its values accordingly:"
9261
#: serverguide/C/network-auth.xml:1446(programlisting)
8972
msgid "\ncountry = US\nstate = North Carolina\nlocality = Winston-Salem\norganization = Example Company\ncn = ldap02.salem.edu\ntls_www_client\nencryption_key\nsigning_key\n"
8975
#: serverguide/C/network-auth.xml:1139(para)
8976
msgid "Create the certificate:"
8979
#: serverguide/C/network-auth.xml:1144(command)
8980
msgid "sudo certtool --generate-certificate --load-privkey ldap02_slapd_key.pem \\\n--load-ca-certificate /etc/ssl/certs/cacert.pem --load-ca-privkey /etc/ssl/private/cakey.pem \\\n--template ldap02.info --outfile ldap02_slapd_cert.pem"
8983
#: serverguide/C/network-auth.xml:1152(para)
8984
msgid "Copy the <filename>cacert.pem</filename> to the directory:"
8987
#: serverguide/C/network-auth.xml:1157(command)
9263
msgid "\norganization = Example Company\ncn = ldap02.example.com\ntls_www_server\nencryption_key\nsigning_key\nexpiration_days = 3650\n"
9266
#: serverguide/C/network-auth.xml:1455(para)
9267
msgid "Create the Consumer's certificate:"
9270
#: serverguide/C/network-auth.xml:1460(command)
9271
msgid "sudo certtool --generate-certificate \\\n--load-privkey ldap02_slapd_key.pem \\\n--load-ca-certificate /etc/ssl/certs/cacert.pem \\\n--load-ca-privkey /etc/ssl/private/cakey.pem \\\n--template ldap02.info \\\n--outfile ldap02_slapd_cert.pem"
9274
#: serverguide/C/network-auth.xml:1468(para)
9275
msgid "Get a copy of the CA certificate:"
9278
#: serverguide/C/network-auth.xml:1473(command)
8988
9279
msgid "cp /etc/ssl/certs/cacert.pem ."
8991
#: serverguide/C/network-auth.xml:1163(para)
8992
msgid "The only thing left is to copy the <filename>ldap02-ssl</filename> directory to the Consumer server, then copy <filename>ldap02_slapd_cert.pem</filename> and <filename>cacert.pem</filename> to <filename>/etc/ssl/certs</filename>, and copy <filename>ldap02_slapd_key.pem</filename> to <filename>/etc/ssl/private</filename>."
8995
#: serverguide/C/network-auth.xml:1172(para)
8996
msgid "Once the files are in place adjust the <emphasis>cn=config</emphasis> tree by entering:"
8999
#: serverguide/C/network-auth.xml:1182(userinput)
9001
msgid "dn: cn=config\nadd: olcTLSCACertificateFile\nolcTLSCACertificateFile: /etc/ssl/certs/cacert.pem\n-\nadd: olcTLSCertificateFile\nolcTLSCertificateFile: /etc/ssl/certs/ldap02_slapd_cert.pem\n-\nadd: olcTLSCertificateKeyFile\nolcTLSCertificateKeyFile: /etc/ssl/private/ldap02_slapd_key.pem"
9004
#: serverguide/C/network-auth.xml:1199(para)
9005
msgid "As with the Provider you can now edit <filename>/etc/default/slapd</filename> and add the <emphasis>ldaps:///</emphasis> parameter to the <emphasis>SLAPD_SERVICES</emphasis> option."
9008
#: serverguide/C/network-auth.xml:1207(para)
9009
msgid "Now that <emphasis>TLS</emphasis> has been set up on each server, once again modify the <emphasis>Consumer</emphasis> server's <emphasis>cn=config</emphasis> tree by entering the following in a terminal:"
9012
#: serverguide/C/network-auth.xml:1220(userinput)
9014
msgid "\ndn: olcDatabase={1}hdb,cn=config\nreplace: olcSyncrepl\nolcSyncrepl: {0}rid=0 provider=ldap://ldap01.example.com bindmethod=simple binddn=\"cn=ad\n min,dc=example,dc=com\" credentials=secret searchbase=\"dc=example,dc=com\" logbas\n e=\"cn=accesslog\" logfilter=\"(&(objectClass=auditWriteObject)(reqResult=0))\" s\n chemachecking=on type=refreshAndPersist retry=\"60 +\" syncdata=accesslog starttls=yes"
9017
#: serverguide/C/network-auth.xml:1217(computeroutput)
9019
msgid "SASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\n<placeholder-1/>\n\nmodifying entry \"olcDatabase={1}hdb,cn=config\"\n"
9022
#: serverguide/C/network-auth.xml:1232(para)
9023
msgid "If the LDAP server hostname does not match the Fully Qualified Domain Name (FQDN) in the certificate, you may have to edit <filename>/etc/ldap/ldap.conf</filename> and add the following TLS options:"
9026
#: serverguide/C/network-auth.xml:1237(programlisting)
9028
msgid "\nTLS_CERT /etc/ssl/certs/ldap02_slapd_cert.pem\nTLS_KEY /etc/ssl/private/ldap02_slapd_key.pem\nTLS_CACERT /etc/ssl/certs/cacert.pem\n"
9031
#: serverguide/C/network-auth.xml:1244(para)
9032
msgid "Finally, restart <application>slapd</application> on each of the servers:"
9035
#: serverguide/C/network-auth.xml:1257(title)
9282
#: serverguide/C/network-auth.xml:1476(para)
9283
msgid "We're done. Now transfer the <filename>ldap02-ssl</filename> directory to the Consumer. Here we use scp (adjust accordingly):"
9286
#: serverguide/C/network-auth.xml:1481(command)
9290
#: serverguide/C/network-auth.xml:1482(command)
9291
msgid "scp -r ldap02-ssl user@consumer:"
9294
#: serverguide/C/network-auth.xml:1488(para) serverguide/C/network-auth.xml:1536(para)
9295
msgid "On the Consumer,"
9298
#: serverguide/C/network-auth.xml:1492(para)
9299
msgid "Configure TLS authentication:"
9302
#: serverguide/C/network-auth.xml:1497(command)
9303
msgid "sudo apt-get install ssl-cert"
9306
#: serverguide/C/network-auth.xml:1499(command)
9307
msgid "sudo cp ldap02_slapd_cert.pem cacert.pem /etc/ssl/certs"
9310
#: serverguide/C/network-auth.xml:1500(command)
9311
msgid "sudo cp ldap02_slapd_key.pem /etc/ssl/private"
9314
#: serverguide/C/network-auth.xml:1501(command)
9315
msgid "sudo chgrp ssl-cert /etc/ssl/private/ldap02_slapd_key.pem"
9318
#: serverguide/C/network-auth.xml:1502(command)
9319
msgid "sudo chmod g+r /etc/ssl/private/ldap02_slapd_key.pem"
9322
#: serverguide/C/network-auth.xml:1503(command)
9323
msgid "sudo chmod o-r /etc/ssl/private/ldap02_slapd_key.pem"
9326
#: serverguide/C/network-auth.xml:1506(para)
9327
msgid "Create the file <filename>/etc/ssl/certinfo.ldif</filename> with the following contents (adjust accordingly):"
9330
#: serverguide/C/network-auth.xml:1510(programlisting)
9332
msgid "\ndn: cn=config\nadd: olcTLSCACertificateFile\nolcTLSCACertificateFile: /etc/ssl/certs/cacert.pem\n-\nadd: olcTLSCertificateFile\nolcTLSCertificateFile: /etc/ssl/certs/ldap02_slapd_cert.pem\n-\nadd: olcTLSCertificateKeyFile\nolcTLSCertificateKeyFile: /etc/ssl/private/ldap02_slapd_key.pem\n"
9335
#: serverguide/C/network-auth.xml:1522(para)
9336
msgid "Configure the slapd-config database:"
9339
#: serverguide/C/network-auth.xml:1527(command)
9340
msgid "sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f certinfo.ldif"
9343
#: serverguide/C/network-auth.xml:1530(para)
9344
msgid "Configure <filename>/etc/default/slapd</filename> as on the Provider (SLAPD_SERVICES)."
9347
#: serverguide/C/network-auth.xml:1540(para)
9348
msgid "Configure TLS for Consumer-side replication. Modify the existing <emphasis>olcSyncrepl</emphasis> attribute by tacking on some TLS options. In so doing, we will see, for the first time, how to change an attribute's value(s)."
9351
#: serverguide/C/network-auth.xml:1545(para)
9352
msgid "Create the file <filename>consumer_sync_tls.ldif</filename> with the following contents:"
9355
#: serverguide/C/network-auth.xml:1549(programlisting)
9357
msgid "\ndn: olcDatabase={1}hdb,cn=config\nreplace: olcSyncRepl\nolcSyncRepl: rid=0 provider=ldap://ldap01.example.com bindmethod=simple\n  binddn=\"cn=admin,dc=example,dc=com\" credentials=secret searchbase=\"dc=example,dc=com\"\n  logbase=\"cn=accesslog\" logfilter=\"(&(objectClass=auditWriteObject)(reqResult=0))\"\n  schemachecking=on type=refreshAndPersist retry=\"60 +\" syncdata=accesslog\n  <application>starttls=critical tls_reqcert=demand</application>\n"
9360
#: serverguide/C/network-auth.xml:1559(para)
9361
msgid "The extra options specify, respectively, that the consumer must use StartTLS and that the CA certificate is required to verify the Provider's identity. Also note the LDIF syntax for changing the values of an attribute ('replace'), and that each folded continuation line starts with two spaces: LDIF strips exactly one leading space when joining folded lines, so the second space keeps the options separated."
9364
#: serverguide/C/network-auth.xml:1564(para)
9365
msgid "Implement these changes:"
9368
#: serverguide/C/network-auth.xml:1569(command)
9369
msgid "sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f consumer_sync_tls.ldif"
9372
#: serverguide/C/network-auth.xml:1572(para)
9373
msgid "And restart slapd:"
9376
#: serverguide/C/network-auth.xml:1587(para)
9377
msgid "Check to see that a TLS session has been established. In <filename>/var/log/syslog</filename>, providing you have 'conns'-level logging set up, you should see messages similar to:"
9380
#: serverguide/C/network-auth.xml:1592(programlisting)
9382
msgid "\nslapd[3620]: conn=1047 fd=20 ACCEPT from IP=10.153.107.229:57922 (IP=0.0.0.0:389)\nslapd[3620]: conn=1047 op=0 EXT oid=1.3.6.1.4.1.1466.20037\nslapd[3620]: conn=1047 op=0 STARTTLS\nslapd[3620]: conn=1047 op=0 RESULT oid= err=0 text=\nslapd[3620]: conn=1047 fd=20 TLS established tls_ssf=128 ssf=128\nslapd[3620]: conn=1047 op=1 BIND dn=\"cn=admin,dc=example,dc=com\" method=128\nslapd[3620]: conn=1047 op=1 BIND dn=\"cn=admin,dc=example,dc=com\" mech=SIMPLE ssf=0\nslapd[3620]: conn=1047 op=1 RESULT tag=97 err=0 text\n"
9385
#: serverguide/C/network-auth.xml:1610(title)
9036
9386
msgid "LDAP Authentication"
9039
#: serverguide/C/network-auth.xml:1259(para)
9040
msgid "Once you have a working LDAP server, the <application>auth-client-config</application> and <application>libnss-ldap</application> packages take the pain out of configuring an Ubuntu client to authenticate using LDAP. To install the packages, from a terminal prompt enter:"
9389
#: serverguide/C/network-auth.xml:1612(para)
9390
msgid "Once you have a working LDAP server, you will need to install libraries on the client that will know how and when to contact it. On Ubuntu, this has traditionally been accomplished by installing the <application>libnss-ldap</application> package. This package will bring in other tools that will assist you in the configuration step. Install this package now:"
9043
#: serverguide/C/network-auth.xml:1266(command)
9393
#: serverguide/C/network-auth.xml:1619(command)
9044
9394
msgid "sudo apt-get install libnss-ldap"
9047
#: serverguide/C/network-auth.xml:1269(para)
9048
msgid "During the install a menu dialog will ask you connection details about your LDAP server."
9051
#: serverguide/C/network-auth.xml:1273(para)
9052
msgid "If you make a mistake when entering your information you can execute the dialog again using:"
9055
#: serverguide/C/network-auth.xml:1278(command)
9397
#: serverguide/C/network-auth.xml:1622(para)
9398
msgid "You will be prompted for details of your LDAP server. If you make a mistake you can try again using:"
9401
#: serverguide/C/network-auth.xml:1627(command)
9056
9402
msgid "sudo dpkg-reconfigure ldap-auth-config"
9059
#: serverguide/C/network-auth.xml:1281(para)
9405
#: serverguide/C/network-auth.xml:1630(para)
9060
9406
msgid "The results of the dialog can be seen in <filename>/etc/ldap.conf</filename>. If your server requires options not covered in the menu edit this file accordingly."
9063
#: serverguide/C/network-auth.xml:1286(para)
9064
msgid "Now that <application>libnss-ldap</application> is configured enable the <application>auth-client-config</application> LDAP profile by entering:"
9409
#: serverguide/C/network-auth.xml:1635(para)
9410
msgid "Now configure the LDAP profile for NSS:"
9067
#: serverguide/C/network-auth.xml:1292(command)
9413
#: serverguide/C/network-auth.xml:1640(command)
9068
9414
msgid "sudo auth-client-config -t nss -p lac_ldap"
9071
#: serverguide/C/network-auth.xml:1297(para)
9072
msgid "<emphasis>-t:</emphasis> only modifies <filename>/etc/nsswitch.conf</filename>."
9075
#: serverguide/C/network-auth.xml:1302(para)
9076
msgid "<emphasis>-p:</emphasis> name of the profile to enable, disable, etc."
9079
#: serverguide/C/network-auth.xml:1307(para)
9080
msgid "<emphasis>lac_ldap:</emphasis> the <application>auth-client-config</application> profile that is part of the <application>ldap-auth-config</application> package."
9083
#: serverguide/C/network-auth.xml:1314(para)
9084
msgid "Using the <application>pam-auth-update</application> utility, configure the system to use LDAP for authentication:"
9087
#: serverguide/C/network-auth.xml:1319(command)
9417
#: serverguide/C/network-auth.xml:1643(para)
9418
msgid "Configure the system to use LDAP for authentication:"
9421
#: serverguide/C/network-auth.xml:1648(command)
9088
9422
msgid "sudo pam-auth-update"
9091
#: serverguide/C/network-auth.xml:1322(para)
9092
msgid "From the <application>pam-auth-update</application> menu, choose LDAP and any other authentication mechanisms you need."
9095
#: serverguide/C/network-auth.xml:1326(para)
9096
msgid "You should now be able to login using user credentials stored in the LDAP directory."
9099
#: serverguide/C/network-auth.xml:1331(para)
9100
msgid "If you are going to use LDAP to store Samba users you will need to configure the server to authenticate using LDAP. See <xref linkend=\"samba-ldap\"/> for details."
9103
#: serverguide/C/network-auth.xml:1339(title)
9425
#: serverguide/C/network-auth.xml:1651(para)
9426
msgid "From the menu, choose LDAP and any other authentication mechanisms you need."
9429
#: serverguide/C/network-auth.xml:1655(para)
9430
msgid "You should now be able to log in using LDAP-based credentials."
9433
#: serverguide/C/network-auth.xml:1659(para)
9434
msgid "LDAP clients will need to refer to multiple servers if replication is in use. In <filename>/etc/ldap.conf</filename> you would have something like:"
9437
#: serverguide/C/network-auth.xml:1664(programlisting)
9439
msgid "\nuri ldap://ldap01.example.com ldap://ldap02.example.com\n"
9442
#: serverguide/C/network-auth.xml:1668(para)
9443
msgid "If the Provider (ldap01) becomes unresponsive, the request to it will time out and the client will then attempt to reach the Consumer (ldap02)."
9446
#: serverguide/C/network-auth.xml:1672(para)
9447
msgid "If you are going to use LDAP to store Samba users you will need to configure the Samba server to authenticate using LDAP. See <xref linkend=\"samba-ldap\"/> for details."
9450
#: serverguide/C/network-auth.xml:1678(para)
9451
msgid "An alternative to the <application>libnss-ldap</application> package is the <application>libnss-ldapd</application> package. This, however, will bring in the <application>nscd</application> package which is probably not wanted. Simply remove it afterwards."
9454
#: serverguide/C/network-auth.xml:1688(title)
9104
9455
msgid "User and Group Management"
9107
#: serverguide/C/network-auth.xml:1341(para)
9108
msgid "The <application>ldap-utils</application> package comes with multiple utilities to manage the directory, but the long string of options needed can make them a burden to use. The <application>ldapscripts</application> package contains configurable scripts to easily manage LDAP users and groups."
9111
#: serverguide/C/network-auth.xml:1347(para)
9112
msgid "To install the package, from a terminal enter:"
9115
#: serverguide/C/network-auth.xml:1352(command)
9458
#: serverguide/C/network-auth.xml:1690(para)
9459
msgid "The <application>ldap-utils</application> package comes with enough utilities to manage the directory but the long string of options needed can make them a burden to use. The <application>ldapscripts</application> package contains wrapper scripts to these utilities that some people find easier to use."
9462
#: serverguide/C/network-auth.xml:1696(para)
9463
msgid "Install the package:"
9466
#: serverguide/C/network-auth.xml:1701(command)
9116
9467
msgid "sudo apt-get install ldapscripts"
9119
#: serverguide/C/network-auth.xml:1355(para)
9120
msgid "Next, edit the config file <filename>/etc/ldapscripts/ldapscripts.conf</filename> uncommenting and changing the following to match your environment:"
9470
#: serverguide/C/network-auth.xml:1704(para)
9471
msgid "Then edit the file <filename>/etc/ldapscripts/ldapscripts.conf</filename> to arrive at something similar to the following:"
9123
#: serverguide/C/network-auth.xml:1360(programlisting)
9474
#: serverguide/C/network-auth.xml:1708(programlisting)
9125
9476
msgid "\nSERVER=localhost\nBINDDN='cn=admin,dc=example,dc=com'\nBINDPWDFILE=\"/etc/ldapscripts/ldapscripts.passwd\"\nSUFFIX='dc=example,dc=com'\nGSUFFIX='ou=Groups'\nUSUFFIX='ou=People'\nMSUFFIX='ou=Computers'\nGIDSTART=10000\nUIDSTART=10000\nMIDSTART=10000\n"
9128
#: serverguide/C/network-auth.xml:1373(para)
9129
msgid "Now, create the <filename>ldapscripts.passwd</filename> file to allow authenticated access to the directory:"
9479
#: serverguide/C/network-auth.xml:1721(para)
9480
msgid "Now, create the <filename>ldapscripts.passwd</filename> file to allow rootDN access to the directory:"
9132
#: serverguide/C/network-auth.xml:1378(command)
9483
#: serverguide/C/network-auth.xml:1726(command)
9133
9484
msgid "sudo sh -c \"echo -n 'secret' > /etc/ldapscripts/ldapscripts.passwd\""
9136
#: serverguide/C/network-auth.xml:1379(command)
9487
#: serverguide/C/network-auth.xml:1727(command)
9137
9488
msgid "sudo chmod 400 /etc/ldapscripts/ldapscripts.passwd"
9140
#: serverguide/C/network-auth.xml:1383(para)
9141
msgid "Replace <quote>secret</quote> with the actual password for your LDAP admin user."
9144
#: serverguide/C/network-auth.xml:1388(para)
9145
msgid "The <application>ldapscripts</application> are now ready to help manage your directory. The following are some examples of how to use the scripts:"
9148
#: serverguide/C/network-auth.xml:1395(para)
9491
#: serverguide/C/network-auth.xml:1731(para)
9492
msgid "Replace <quote>secret</quote> with the actual password for your database's rootDN user."
9495
#: serverguide/C/network-auth.xml:1736(para)
9496
msgid "The scripts are now ready to help manage your directory. Here are some examples of how to use them:"
9499
#: serverguide/C/network-auth.xml:1743(para)
9149
9500
msgid "Create a new user:"
9152
#: serverguide/C/network-auth.xml:1399(command)
9503
#: serverguide/C/network-auth.xml:1748(command)
9153
9504
msgid "sudo ldapadduser george example"
9156
#: serverguide/C/network-auth.xml:1401(para)
9507
#: serverguide/C/network-auth.xml:1751(para)
9157
9508
msgid "This will create a user with uid <emphasis role=\"italic\">george</emphasis> and set the user's primary group (gid) to <emphasis role=\"italic\">example</emphasis>."
#: serverguide/C/network-auth.xml:1407(para)
#: serverguide/C/network-auth.xml:1758(para)
msgid "Change a user's password:"

#: serverguide/C/network-auth.xml:1411(command)
#: serverguide/C/network-auth.xml:1763(command)
msgid "sudo ldapsetpasswd george"

#: serverguide/C/network-auth.xml:1412(computeroutput)
#: serverguide/C/network-auth.xml:1764(computeroutput)
msgid "Changing password for user uid=george,ou=People,dc=example,dc=com"

#: serverguide/C/network-auth.xml:1413(userinput)
#: serverguide/C/network-auth.xml:1765(userinput)
msgid "New Password: "

#: serverguide/C/network-auth.xml:1414(userinput)
#: serverguide/C/network-auth.xml:1766(userinput)
msgid "New Password (verify): "

#: serverguide/C/network-auth.xml:1418(para)
#: serverguide/C/network-auth.xml:1772(para)
msgid "Delete a user:"

#: serverguide/C/network-auth.xml:1422(command)
#: serverguide/C/network-auth.xml:1777(command)
msgid "sudo ldapdeleteuser george"

#: serverguide/C/network-auth.xml:1427(para)
#: serverguide/C/network-auth.xml:1783(para)
msgid "Add a group:"

#: serverguide/C/network-auth.xml:1431(command)
#: serverguide/C/network-auth.xml:1788(command)
msgid "sudo ldapaddgroup qa"

#: serverguide/C/network-auth.xml:1435(para)
#: serverguide/C/network-auth.xml:1794(para)
msgid "Delete a group:"

#: serverguide/C/network-auth.xml:1439(command)
#: serverguide/C/network-auth.xml:1799(command)
msgid "sudo ldapdeletegroup qa"

#: serverguide/C/network-auth.xml:1443(para)
#: serverguide/C/network-auth.xml:1805(para)
msgid "Add a user to a group:"

#: serverguide/C/network-auth.xml:1447(command)
#: serverguide/C/network-auth.xml:1810(command)
msgid "sudo ldapaddusertogroup george qa"

#: serverguide/C/network-auth.xml:1449(para)
#: serverguide/C/network-auth.xml:1813(para)
msgid "You should now see a <emphasis>memberUid</emphasis> attribute for the <emphasis role=\"italic\">qa</emphasis> group with a value of <emphasis role=\"italic\">george</emphasis>."

#: serverguide/C/network-auth.xml:1455(para)
#: serverguide/C/network-auth.xml:1820(para)
msgid "Remove a user from a group:"

#: serverguide/C/network-auth.xml:1459(command)
#: serverguide/C/network-auth.xml:1825(command)
msgid "sudo ldapdeleteuserfromgroup george qa"

#: serverguide/C/network-auth.xml:1461(para)
#: serverguide/C/network-auth.xml:1828(para)
msgid "The <emphasis>memberUid</emphasis> attribute should now be removed from the <emphasis role=\"italic\">qa</emphasis> group."

#: serverguide/C/network-auth.xml:1467(para)
#: serverguide/C/network-auth.xml:1835(para)
msgid "The <application>ldapmodifyuser</application> script allows you to add, remove, or replace a user's attributes. The script uses the same syntax as the <application>ldapmodify</application> utility. For example:"

#: serverguide/C/network-auth.xml:1472(command)
#: serverguide/C/network-auth.xml:1841(command)
msgid "sudo ldapmodifyuser george"

#: serverguide/C/network-auth.xml:1473(computeroutput)
#: serverguide/C/network-auth.xml:1842(computeroutput)
msgid "# About to modify the following entry :\ndn: uid=george,ou=People,dc=example,dc=com\nobjectClass: account\nobjectClass: posixAccount\ncn: george\nuid: george\nuidNumber: 1001\ngidNumber: 1001\nhomeDirectory: /home/george\nloginShell: /bin/bash\ngecos: george\ndescription: User account\nuserPassword:: e1NTSEF9eXFsTFcyWlhwWkF1eGUybVdFWHZKRzJVMjFTSG9vcHk=\n\n# Enter your modifications here, end with CTRL-D.\ndn: uid=george,ou=People,dc=example,dc=com"

#: serverguide/C/network-auth.xml:1489(userinput)
#: serverguide/C/network-auth.xml:1858(userinput)
msgid "replace: gecos\ngecos: George Carlin"

#: serverguide/C/network-auth.xml:1492(para)
#: serverguide/C/network-auth.xml:1862(para)
msgid "The user's <emphasis>gecos</emphasis> should now be <quote>George Carlin</quote>."
#: serverguide/C/network-auth.xml:1497(para)
msgid "Another great feature of <application>ldapscripts</application> is the template system. Templates allow you to customize the attributes of user, group, and machine objects. For example, to enable the <emphasis>user</emphasis> template, edit <filename>/etc/ldapscripts/ldapscripts.conf</filename> changing:"

#: serverguide/C/network-auth.xml:1868(para)
msgid "A nice feature of <application>ldapscripts</application> is the template system. Templates allow you to customize the attributes of user, group, and machine objects. For example, to enable the <emphasis>user</emphasis> template, edit <filename>/etc/ldapscripts/ldapscripts.conf</filename> changing:"

#: serverguide/C/network-auth.xml:1504(programlisting)
#: serverguide/C/network-auth.xml:1874(programlisting)
msgid "\nUTEMPLATE=\"/etc/ldapscripts/ldapadduser.template\"\n"

#: serverguide/C/network-auth.xml:1508(para)
#: serverguide/C/network-auth.xml:1878(para)
msgid "There are <emphasis role=\"italic\">sample</emphasis> templates in the <filename>/etc/ldapscripts</filename> directory. Copy or rename the <filename>ldapadduser.template.sample</filename> file to <filename>/etc/ldapscripts/ldapadduser.template</filename>:"

#: serverguide/C/network-auth.xml:1515(command)
msgid "sudo cp /usr/share/doc/ldapscripts/examples/ldapadduser.template.sample /etc/ldapscripts/ldapadduser.template"

#: serverguide/C/network-auth.xml:1518(para)
msgid "Edit the new template to add the desired attributes. The following will create new users with an <emphasis>objectClass</emphasis> of <emphasis>inetOrgPerson</emphasis>:"

#: serverguide/C/network-auth.xml:1523(programlisting)
#: serverguide/C/network-auth.xml:1885(command)
msgid "sudo cp /usr/share/doc/ldapscripts/examples/ldapadduser.template.sample \\ /etc/ldapscripts/ldapadduser.template"

#: serverguide/C/network-auth.xml:1889(para)
msgid "Edit the new template to add the desired attributes. The following will create new users with an objectClass of inetOrgPerson:"

#: serverguide/C/network-auth.xml:1894(programlisting)
msgid "\ndn: uid=<user>,<usuffix>,<suffix>\nobjectClass: inetOrgPerson\nobjectClass: posixAccount\ncn: <user>\nsn: <ask>\nuid: <user>\nuidNumber: <uid>\ngidNumber: <gid>\nhomeDirectory: <home>\nloginShell: <shell>\ngecos: <user>\ndescription: User account\ntitle: Employee\n"

#: serverguide/C/network-auth.xml:1539(para)
msgid "Notice the <emphasis><ask></emphasis> option used for the <emphasis>sn</emphasis> value. Using <ask> will configure <application>ldapadduser</application> to prompt you for the attribute value during user creation."

#: serverguide/C/network-auth.xml:1547(para)
msgid "There are more useful scripts in the package; to see a full list enter: <command>dpkg -L ldapscripts | grep bin</command>"
#: serverguide/C/network-auth.xml:1556(para)
msgid "The <ulink url=\"https://help.ubuntu.com/community/OpenLDAPServer\">OpenLDAP Ubuntu Wiki</ulink> page has more details."

#: serverguide/C/network-auth.xml:1561(para)
msgid "For more information see <ulink url=\"http://www.openldap.org/\">OpenLDAP Home Page</ulink>"

#: serverguide/C/network-auth.xml:1566(para)
msgid "Though starting to show its age, a great source for in-depth LDAP information is O'Reilly's <ulink url=\"http://www.oreilly.com/catalog/ldapsa/\">LDAP System Administration</ulink>"

#: serverguide/C/network-auth.xml:1572(para)
msgid "Packt's <ulink url=\"http://www.packtpub.com/OpenLDAP-Developers-Server-Open-Source-Linux/book\">Mastering OpenLDAP</ulink> is a great reference covering newer versions of OpenLDAP."

#: serverguide/C/network-auth.xml:1578(para)
msgid "For more information on <application>auth-client-config</application> see the man page: <command>man auth-client-config</command>."

#: serverguide/C/network-auth.xml:1583(para)
msgid "For more details regarding the <application>ldapscripts</application> package see the man pages: <command>man ldapscripts</command>, <command>man ldapadduser</command>, <command>man ldapaddgroup</command>, etc."

#: serverguide/C/network-auth.xml:1593(title)
#: serverguide/C/network-auth.xml:1910(para)
msgid "Notice the <emphasis><ask></emphasis> option used for the <emphasis>sn</emphasis> attribute. This will make <application>ldapadduser</application> prompt you for its value."

#: serverguide/C/network-auth.xml:1918(para)
msgid "There are utilities in the package that were not covered here. Here is a complete list:"

#: serverguide/C/network-auth.xml:1923(ulink)
msgid "ldaprenamemachine"

#: serverguide/C/network-auth.xml:1924(ulink)
#: serverguide/C/network-auth.xml:1925(ulink)
msgid "ldapdeleteuserfromgroup"

#: serverguide/C/network-auth.xml:1926(ulink)
#: serverguide/C/network-auth.xml:1927(ulink)
#: serverguide/C/network-auth.xml:1928(ulink)
#: serverguide/C/network-auth.xml:1929(ulink)
msgid "ldapmodifyuser"

#: serverguide/C/network-auth.xml:1930(ulink)
msgid "ldaprenameuser"

#: serverguide/C/network-auth.xml:1931(ulink)
#: serverguide/C/network-auth.xml:1932(ulink)
msgid "ldapaddusertogroup"

#: serverguide/C/network-auth.xml:1933(ulink)
msgid "ldapsetpasswd"

#: serverguide/C/network-auth.xml:1934(ulink)
#: serverguide/C/network-auth.xml:1935(ulink)
msgid "ldapaddgroup"

#: serverguide/C/network-auth.xml:1936(ulink)
msgid "ldapdeletegroup"

#: serverguide/C/network-auth.xml:1937(ulink)
msgid "ldapmodifygroup"

#: serverguide/C/network-auth.xml:1938(ulink)
msgid "ldapdeletemachine"

#: serverguide/C/network-auth.xml:1939(ulink)
msgid "ldaprenamegroup"

#: serverguide/C/network-auth.xml:1940(ulink)
msgid "ldapaddmachine"

#: serverguide/C/network-auth.xml:1941(ulink)
msgid "ldapmodifymachine"

#: serverguide/C/network-auth.xml:1942(ulink)
msgid "ldapsetprimarygroup"

#: serverguide/C/network-auth.xml:1943(ulink)
msgid "ldapdeleteuser"
#: serverguide/C/network-auth.xml:1954(para)
msgid "The primary resource is the upstream documentation: <ulink url=\"http://www.openldap.org/\">www.openldap.org</ulink>"

#: serverguide/C/network-auth.xml:1960(para)
msgid "There are many man pages that come with the slapd package. Here are some important ones, especially considering the material presented in this guide:"

#: serverguide/C/network-auth.xml:1966(ulink)
#: serverguide/C/network-auth.xml:1967(ulink)
msgid "slapd-config"

#: serverguide/C/network-auth.xml:1968(ulink)
msgid "slapd.access"

#: serverguide/C/network-auth.xml:1969(ulink)
msgid "slapo-syncprov"

#: serverguide/C/network-auth.xml:1975(para)
msgid "Other man pages:"

#: serverguide/C/network-auth.xml:1980(ulink)
msgid "auth-client-config"

#: serverguide/C/network-auth.xml:1981(ulink)
msgid "pam-auth-update"

#: serverguide/C/network-auth.xml:1987(para)
msgid "Zytrax's <ulink url=\"http://www.zytrax.com/books/ldap/\">LDAP for Rocket Scientists</ulink>; a less pedantic but comprehensive treatment of LDAP"

#: serverguide/C/network-auth.xml:1993(para)
msgid "An Ubuntu community <ulink url=\"https://help.ubuntu.com/community/OpenLDAPServer\">OpenLDAP wiki</ulink> page has a collection of notes"

#: serverguide/C/network-auth.xml:1999(para)
msgid "O'Reilly's <ulink url=\"http://www.oreilly.com/catalog/ldapsa/\">LDAP System Administration</ulink> (textbook; 2003)"

#: serverguide/C/network-auth.xml:2005(para)
msgid "Packt's <ulink url=\"http://www.packtpub.com/OpenLDAP-Developers-Server-Open-Source-Linux/book\">Mastering OpenLDAP</ulink> (textbook; 2007)"

#: serverguide/C/network-auth.xml:2016(title)
msgid "Samba and LDAP"

#: serverguide/C/network-auth.xml:1595(para)
msgid "This section covers configuring Samba to use LDAP for user, group, and machine account information and authentication. The assumption is that you already have a working OpenLDAP directory installed and the server is configured to use it for authentication. See <xref linkend=\"openldap-server\"/> and <xref linkend=\"openldap-auth-config\"/> for details on setting up OpenLDAP. For more information on installing and configuring Samba see <xref linkend=\"windows-networking\"/>."

#: serverguide/C/network-auth.xml:1605(para)
msgid "There are three packages needed when integrating Samba with LDAP: the <application>samba</application>, <application>samba-doc</application>, and <application>smbldap-tools</application> packages. To install the packages, from a terminal enter:"

#: serverguide/C/network-auth.xml:1611(command)
#: serverguide/C/network-auth.xml:2018(para)
msgid "This section covers the integration of Samba with LDAP. The Samba server's role will be that of a \"standalone\" server and the LDAP directory will provide the authentication layer in addition to containing the user, group, and machine account information that Samba requires in order to function (in any of its 3 possible roles). The prerequisite is an OpenLDAP server configured with a directory that can accept authentication requests. See <xref linkend=\"openldap-server\"/> for details on fulfilling this requirement. Once this section is completed, you will need to decide what specifically you want Samba to do for you and then configure it accordingly."

#: serverguide/C/network-auth.xml:2027(title)
msgid "Software Installation"

#: serverguide/C/network-auth.xml:2029(para)
msgid "There are three packages needed when integrating Samba with LDAP: the <application>samba</application>, <application>samba-doc</application>, and <application>smbldap-tools</application> packages."

#: serverguide/C/network-auth.xml:2034(para)
msgid "Strictly speaking, the <application>smbldap-tools</application> package isn't needed, but unless you have some other way to manage the various Samba entities (users, groups, computers) in an LDAP context then you should install it."

#: serverguide/C/network-auth.xml:2039(para)
msgid "Install these packages now:"

#: serverguide/C/network-auth.xml:2044(command)
msgid "sudo apt-get install samba samba-doc smbldap-tools"
#: serverguide/C/network-auth.xml:1614(para)
msgid "Strictly speaking the <application>smbldap-tools</application> package isn't needed, but unless you have another package or custom scripts, a method of managing users, groups, and computer accounts is needed."

#: serverguide/C/network-auth.xml:1621(title)
msgid "OpenLDAP Configuration"

#: serverguide/C/network-auth.xml:1623(para)
msgid "In order for Samba to use OpenLDAP as a <emphasis>passdb backend</emphasis>, the user objects in the directory will need additional attributes. This section assumes you want Samba to be configured as a Windows NT domain controller, and will add the necessary LDAP objects and attributes."

#: serverguide/C/network-auth.xml:1631(para)
msgid "The Samba attributes are defined in the <filename>samba.schema</filename> file which is part of the <application>samba-doc</application> package. The schema file needs to be unzipped and copied to <filename>/etc/ldap/schema</filename>. From a terminal prompt enter:"

#: serverguide/C/network-auth.xml:1638(command)
msgid "sudo cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema/"

#: serverguide/C/network-auth.xml:1639(command)
#: serverguide/C/network-auth.xml:2050(title)
msgid "LDAP Configuration"

#: serverguide/C/network-auth.xml:2052(para)
msgid "We will now configure the LDAP server so that it can accommodate Samba data. We will perform three tasks in this section:"

#: serverguide/C/network-auth.xml:2059(para)
msgid "Import a schema"

#: serverguide/C/network-auth.xml:2063(para)
msgid "Index some entries"

#: serverguide/C/network-auth.xml:2067(para)
#: serverguide/C/network-auth.xml:2073(title)
msgid "Samba schema"

#: serverguide/C/network-auth.xml:2075(para)
msgid "In order for OpenLDAP to be used as a backend for Samba, logically, the DIT will need to use attributes that can properly describe Samba data. Such attributes can be obtained by introducing a Samba LDAP schema. Let's do this now."

#: serverguide/C/network-auth.xml:2081(para)
msgid "For more information on schemas and their installation see <xref linkend=\"openldap-configuration\"/>."

#: serverguide/C/network-auth.xml:2089(para)
msgid "The schema is found in the now-installed <application>samba-doc</application> package. It needs to be unzipped and copied to the <filename>/etc/ldap/schema</filename> directory:"

#: serverguide/C/network-auth.xml:2095(command)
msgid "sudo cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema"

#: serverguide/C/network-auth.xml:2096(command)
msgid "sudo gzip -d /etc/ldap/schema/samba.schema.gz"
#: serverguide/C/network-auth.xml:1645(para)
msgid "The <emphasis>samba</emphasis> schema needs to be added to the <emphasis>cn=config</emphasis> tree. The procedure to add a new schema to <application>slapd</application> is also detailed in <xref linkend=\"openldap-configuration\"/>."

#: serverguide/C/network-auth.xml:1653(para) serverguide/C/network-auth.xml:2698(para)
msgid "First, create a configuration file named <filename>schema_convert.conf</filename>, or a similar descriptive name, containing the following lines:"

#: serverguide/C/network-auth.xml:1658(programlisting)
msgid "\ninclude /etc/ldap/schema/core.schema\ninclude /etc/ldap/schema/collective.schema\ninclude /etc/ldap/schema/corba.schema\ninclude /etc/ldap/schema/cosine.schema\ninclude /etc/ldap/schema/duaconf.schema\ninclude /etc/ldap/schema/dyngroup.schema\ninclude /etc/ldap/schema/inetorgperson.schema\ninclude /etc/ldap/schema/java.schema\ninclude /etc/ldap/schema/misc.schema\ninclude /etc/ldap/schema/nis.schema\ninclude /etc/ldap/schema/openldap.schema\ninclude /etc/ldap/schema/ppolicy.schema\ninclude /etc/ldap/schema/samba.schema\n"

#: serverguide/C/network-auth.xml:1688(para) serverguide/C/network-auth.xml:2733(para)
msgid "Now use <application>slapcat</application> to convert the schema files:"

#: serverguide/C/network-auth.xml:1693(command)
msgid "slapcat -f schema_convert.conf -F /tmp/ldif_output -n0 -s \"cn={12}samba,cn=schema,cn=config\" > /tmp/cn=samba.ldif"

#: serverguide/C/network-auth.xml:1696(para) serverguide/C/network-auth.xml:2741(para)
msgid "Change the above file and path names to match your own if they are different."

#: serverguide/C/network-auth.xml:1703(para)
msgid "Edit the generated <filename>/tmp/cn\\=samba.ldif</filename> file by removing <emphasis>{XX}</emphasis> at the top of the file, where <emphasis>\"{XX}\"</emphasis> is the index number in curly braces:"

#: serverguide/C/network-auth.xml:1708(programlisting)
#: serverguide/C/network-auth.xml:2102(para)
msgid "Have a configuration file <filename>schema_convert.conf</filename> containing the following lines:"

#: serverguide/C/network-auth.xml:2106(programlisting)
msgid "\ninclude /etc/ldap/schema/core.schema\ninclude /etc/ldap/schema/collective.schema\ninclude /etc/ldap/schema/corba.schema\ninclude /etc/ldap/schema/cosine.schema\ninclude /etc/ldap/schema/duaconf.schema\ninclude /etc/ldap/schema/dyngroup.schema\ninclude /etc/ldap/schema/inetorgperson.schema\ninclude /etc/ldap/schema/java.schema\ninclude /etc/ldap/schema/misc.schema\ninclude /etc/ldap/schema/nis.schema\ninclude /etc/ldap/schema/openldap.schema\ninclude /etc/ldap/schema/ppolicy.schema\ninclude /etc/ldap/schema/ldapns.schema\ninclude /etc/ldap/schema/pmi.schema\ninclude /etc/ldap/schema/samba.schema\n"

#: serverguide/C/network-auth.xml:2127(para)
msgid "Have the directory <filename>ldif_output</filename> hold the output."

#: serverguide/C/network-auth.xml:2138(command)
msgid "slapcat -f schema_convert.conf -F ldif_output -n 0 | grep samba,cn=schema"

#: serverguide/C/network-auth.xml:2139(computeroutput)
msgid "\ndn: cn={14}samba,cn=schema,cn=config\n"

#: serverguide/C/network-auth.xml:2147(para)
msgid "Convert the schema to LDIF format:"

#: serverguide/C/network-auth.xml:2152(command)
msgid "slapcat -f schema_convert.conf -F ldif_output -n0 -H ldap:///cn={14}samba,cn=schema,cn=config -l cn=samba.ldif"

#: serverguide/C/network-auth.xml:2158(para)
msgid "Edit the generated <filename>cn=samba.ldif</filename> file by removing index information to arrive at:"

#: serverguide/C/network-auth.xml:2162(programlisting)
msgid "\ndn: cn=samba,cn=schema,cn=config\n...\ncn: samba\n"

#: serverguide/C/network-auth.xml:1718(programlisting)
#: serverguide/C/network-auth.xml:2168(para)
msgid "Remove the bottom lines:"

#: serverguide/C/network-auth.xml:2172(programlisting)
msgid "\nstructuralObjectClass: olcSchemaConfig\nentryUUID: b53b75ca-083f-102d-9fff-2f64fd123c95\ncreatorsName: cn=config\ncreateTimestamp: 20080827045234Z\nentryCSN: 20080827045234.341425Z#000000#000#000000\nmodifiersName: cn=config\nmodifyTimestamp: 20080827045234Z\n"

#: serverguide/C/network-auth.xml:1743(command)
msgid "ldapadd -x -D cn=admin,cn=config -W -f /tmp/cn\\=samba.ldif"

#: serverguide/C/network-auth.xml:1746(para)
msgid "If you have not followed <xref linkend=\"openldap-server\"/>, you can add the schema by entering:"

#: serverguide/C/network-auth.xml:1751(command)
msgid "sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/cn\\=samba.ldif"

#: serverguide/C/network-auth.xml:1757(para)
msgid "There should now be a <emphasis>dn: cn={X}samba,cn=schema,cn=config</emphasis> entry in the cn=config tree, where \"X\" is the next sequential schema index."

#: serverguide/C/network-auth.xml:1765(para)
msgid "Copy and paste the following into a file named <filename>samba_indexes.ldif</filename>:"

#: serverguide/C/network-auth.xml:1769(programlisting)
#: serverguide/C/network-auth.xml:2188(para)
msgid "Add the new schema:"

#: serverguide/C/network-auth.xml:2193(command)
msgid "sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f cn\\=samba.ldif"

#: serverguide/C/network-auth.xml:2196(para)
msgid "To query and view this new schema:"

#: serverguide/C/network-auth.xml:2201(command)
msgid "sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config 'cn=*samba*'"
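The two hand edits the guide asks for on the exported cn=samba.ldif (drop the {14} index tag from the dn: and cn: lines, then delete the operational attributes slapcat appends at the bottom) are easy to get wrong, and a leftover entryUUID or index tag makes ldapadd reject the entry. The script below is an added example, not code from the Ubuntu Server Guide or the OpenLDAP project, that performs exactly those edits on a slapcat export. SAMPLE_EXPORT is a constructed stand-in for the real export: the attribute definition in it is abbreviated, and the operational values are the ones the guide shows.

```python
"""Clean a slapcat-exported schema entry so it can be re-added under cn=config.

Added example (not from the Ubuntu Server Guide or OpenLDAP): automates the
two manual edits the guide describes for cn=samba.ldif, namely stripping the
{N} ordering tag from the dn: and cn: lines and deleting the operational
attributes slapcat appends at the bottom of the entry.
"""
import re

# Operational attributes that slapcat exports but ldapadd must not be given.
OPERATIONAL_ATTRS = frozenset({
    "structuralobjectclass", "entryuuid", "creatorsname", "createtimestamp",
    "entrycsn", "modifiersname", "modifytimestamp",
})

# Matches the "{14}" style index tag that cn=config puts in front of schema names.
_INDEX_TAG = re.compile(r"\{\d+\}")


def clean_schema_ldif(ldif_text: str) -> str:
    """Return the LDIF with index tags removed from dn:/cn: and operational
    attributes (including their folded continuation lines) dropped.

    Ordering tags inside olcAttributeTypes/olcObjectClasses values are kept:
    they order definitions within the entry and are valid input to ldapadd.
    """
    kept = []
    dropping = False  # True while inside the continuation lines of a dropped attribute
    for line in ldif_text.splitlines():
        if line.startswith(" "):
            # LDIF folds long values onto lines that start with one space;
            # they belong to whichever attribute line came before.
            if not dropping:
                kept.append(line)
            continue
        dropping = False
        if not line.strip() or line.startswith("#"):
            kept.append(line)
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            kept.append(line)
            continue
        name = attr.strip().lower()
        if name in OPERATIONAL_ATTRS:
            dropping = True
            continue
        if name in ("dn", "cn"):
            value = _INDEX_TAG.sub("", value, count=1)
        kept.append(f"{attr}{sep}{value}")
    while kept and not kept[-1].strip():
        kept.pop()
    return "\n".join(kept) + "\n"


# Constructed sample of what slapcat -n0 emits for the samba schema entry;
# the attribute definition is abbreviated and the operational values are the
# ones shown in the guide.
SAMPLE_EXPORT = """\
dn: cn={14}samba,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {14}samba
olcAttributeTypes: {0}( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword' DESC 'LanMa
 nager Password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
 {32} SINGLE-VALUE )
structuralObjectClass: olcSchemaConfig
entryUUID: b53b75ca-083f-102d-9fff-2f64fd123c95
creatorsName: cn=config
createTimestamp: 20080827045234Z
entryCSN: 20080827045234.341425Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20080827045234Z
"""

if __name__ == "__main__":
    print(clean_schema_ldif(SAMPLE_EXPORT), end="")
```

To use it on a real export, call clean_schema_ldif() on the contents of the file written by the slapcat -l step and feed the result to the ldapadd -Y EXTERNAL command shown above; the ldapsearch that follows confirms the entry landed under cn=schema,cn=config with the index slapd assigned.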
#: serverguide/C/network-auth.xml:2211(title)
msgid "Samba indices"

#: serverguide/C/network-auth.xml:2213(para)
msgid "Now that slapd knows about the Samba attributes, we can set up some indices based on them. Indexing entries is a way to improve performance when a client performs a filtered search on the DIT."

#: serverguide/C/network-auth.xml:2218(para)
msgid "Create the file <filename>samba_indices.ldif</filename> with the following contents:"

#: serverguide/C/network-auth.xml:2222(programlisting)
msgid "\ndn: olcDatabase={1}hdb,cn=config\nchangetype: modify\nadd: olcDbIndex\nolcDbIndex: uidNumber eq\nolcDbIndex: gidNumber eq\nolcDbIndex: loginShell eq\nolcDbIndex: uid eq,pres,sub\nolcDbIndex: memberUid eq,pres,sub\nolcDbIndex: uniqueMember eq,pres\nolcDbIndex: sambaSID eq\nolcDbIndex: sambaPrimaryGroupSID eq\nolcDbIndex: sambaGroupType eq\nolcDbIndex: sambaSIDList eq\nolcDbIndex: sambaDomainName eq\nolcDbIndex: default sub\n"

#: serverguide/C/network-auth.xml:1787(para)
msgid "Using the <application>ldapmodify</application> utility load the new indexes:"

#: serverguide/C/network-auth.xml:1792(command)
msgid "ldapmodify -x -D cn=admin,cn=config -W -f samba_indexes.ldif"

#: serverguide/C/network-auth.xml:1794(para)
msgid "If all went well you should see the new indexes using <application>ldapsearch</application>:"

#: serverguide/C/network-auth.xml:1799(command)
msgid "ldapsearch -xLLL -D cn=admin,cn=config -b cn=config -W olcDatabase={1}hdb"

#: serverguide/C/network-auth.xml:1805(para)
#: serverguide/C/network-auth.xml:2240(para)
msgid "Using the <application>ldapmodify</application> utility load the new indices:"

#: serverguide/C/network-auth.xml:2245(command)
msgid "sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f samba_indices.ldif"

#: serverguide/C/network-auth.xml:2248(para)
msgid "If all went well you should see the new indices using <application>ldapsearch</application>:"

#: serverguide/C/network-auth.xml:2253(command)
msgid "sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase={1}hdb olcDbIndex"

#: serverguide/C/network-auth.xml:2259(title)
msgid "Adding Samba LDAP objects"
#: serverguide/C/network-auth.xml:2261(para)
msgid "Next, configure the <application>smbldap-tools</application> package to match your environment. The package comes with a configuration script that will ask questions about the needed options. To run the script enter:"

#: serverguide/C/network-auth.xml:1811(command)
#: serverguide/C/network-auth.xml:2267(command)
msgid "sudo gzip -d /usr/share/doc/smbldap-tools/configure.pl.gz"

#: serverguide/C/network-auth.xml:1812(command)
#: serverguide/C/network-auth.xml:2268(command)
msgid "sudo perl /usr/share/doc/smbldap-tools/configure.pl"

#: serverguide/C/network-auth.xml:1815(para)
msgid "Once you have answered the questions, there should be <filename>/etc/smbldap-tools/smbldap.conf</filename> and <filename>/etc/smbldap-tools/smbldap_bind.conf</filename> files. These files are generated by the configure script, so if you made any mistakes while executing the script it may be simpler to edit the files appropriately."

#: serverguide/C/network-auth.xml:1825(para)
msgid "The <application>smbldap-populate</application> script will add the necessary users, groups, and LDAP objects required for Samba. It is a good idea to make a backup LDAP Data Interchange Format (LDIF) file with <application>slapcat</application> before executing the command:"

#: serverguide/C/network-auth.xml:1832(command)
#: serverguide/C/network-auth.xml:2271(para)
msgid "You may need to comment out the strict pragma in the <filename>configure.pl</filename> file."

#: serverguide/C/network-auth.xml:2275(para)
msgid "Once you have answered the questions, the files <filename>/etc/smbldap-tools/smbldap.conf</filename> and <filename>/etc/smbldap-tools/smbldap_bind.conf</filename> should be generated. If you made any mistakes while executing the script you can always edit the files afterwards."

#: serverguide/C/network-auth.xml:2281(para)
msgid "The <application>smbldap-populate</application> script will add the LDAP objects required for Samba. It is a good idea to first make a backup of your entire directory using <application>slapcat</application>:"

#: serverguide/C/network-auth.xml:2287(command)
msgid "sudo slapcat -l backup.ldif"

#: serverguide/C/network-auth.xml:1838(para)
msgid "Once you have a current backup execute <application>smbldap-populate</application> by entering:"

#: serverguide/C/network-auth.xml:2290(para)
msgid "Once you have a backup proceed to populate your directory:"

#: serverguide/C/network-auth.xml:1843(command)
#: serverguide/C/network-auth.xml:2295(command)
msgid "sudo smbldap-populate"

#: serverguide/C/network-auth.xml:1847(para)
msgid "You can create an LDIF file containing the new Samba objects by executing <command>sudo smbldap-populate -e samba.ldif</command>. This allows you to look over the changes, making sure everything is correct."

#: serverguide/C/network-auth.xml:1855(para)
msgid "Your LDAP directory now has the necessary domain information to authenticate Samba users."

#: serverguide/C/network-auth.xml:1861(title)
#: serverguide/C/network-auth.xml:2298(para)
msgid "You can create an LDIF file containing the new Samba objects by executing <command>sudo smbldap-populate -e samba.ldif</command>. This allows you to look over the changes, making sure everything is correct. If it is, rerun the script without the '-e' switch. Alternatively, you can take the LDIF file and import its data as usual."

#: serverguide/C/network-auth.xml:2304(para)
msgid "Your LDAP directory now has the necessary information to authenticate Samba users."

#: serverguide/C/network-auth.xml:2313(title)
msgid "Samba Configuration"

#: serverguide/C/network-auth.xml:1863(para)
msgid "There are multiple ways to configure Samba; for details on some common configurations see <xref linkend=\"windows-networking\"/>. To configure Samba to use LDAP, edit the main Samba configuration file <filename>/etc/samba/smb.conf</filename>, commenting out the <emphasis>passdb backend</emphasis> option and adding the following:"

#: serverguide/C/network-auth.xml:2315(para)
msgid "There are multiple ways to configure Samba. For details on some common configurations see <xref linkend=\"windows-networking\"/>. To configure Samba to use LDAP, edit its configuration file <filename>/etc/samba/smb.conf</filename>, commenting out the default <emphasis>passdb backend</emphasis> parameter and adding some LDAP-related ones:"

#: serverguide/C/network-auth.xml:1869(programlisting)
#: serverguide/C/network-auth.xml:2321(programlisting)
msgid "\n# passdb backend = tdbsam\n\n# LDAP Settings\n passdb backend = ldapsam:ldap://hostname\n ldap suffix = dc=example,dc=com\n ldap user suffix = ou=People\n ldap group suffix = ou=Groups\n ldap machine suffix = ou=Computers\n ldap idmap suffix = ou=Idmap\n ldap admin dn = cn=admin,dc=example,dc=com\n ldap ssl = start tls\n ldap passwd sync = yes\n...\n add machine script = sudo /usr/sbin/smbldap-useradd -t 0 -w \"%u\"\n"

#: serverguide/C/network-auth.xml:1886(para)
#: serverguide/C/network-auth.xml:2338(para)
msgid "Change the values to match your environment."
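Samba binds to the directory with the <emphasis>ldap admin dn</emphasis> (the rootDN in this setup) and, with <emphasis>ldap passwd sync = yes</emphasis>, also writes user passwords into it, so the <emphasis>ldap ssl = start tls</emphasis> line is what keeps those credentials off the wire when the backend URL is ldap://. The code below is an added example, not from the Ubuntu Server Guide or the Samba project: a minimal smb.conf parser plus a check that flags an ldapsam backend on ldap:// configured with <emphasis>ldap ssl = off</emphasis>, or with <emphasis>ldap ssl</emphasis> left unset, or without an <emphasis>ldap admin dn</emphasis>. The parameter names are the real smb.conf ones shown above; PAGE_STYLE and WEAK are constructed samples, and the finding texts are this example's own wording.

```python
"""Check the LDAP-related settings of an smb.conf [global] section.

Added example (not from the Ubuntu Server Guide or Samba). Parameter names and
values are the real smb.conf ones the guide shows; PAGE_STYLE and WEAK are
constructed samples and the finding texts are this example's own wording.
"""


def parse_smb_conf(text: str) -> dict:
    """Parse smb.conf text into {section: {normalised_key: value}}.

    Samba compares parameter names ignoring case and whitespace, so
    "passdb backend" is stored here as "passdbbackend". Lines starting with
    '#' or ';' are comments; the first '=' separates name from value.
    """
    sections: dict = {}
    current = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue                              # not a parameter line (e.g. "...")
        norm = "".join(key.lower().split())       # "passdb backend" -> "passdbbackend"
        sections.setdefault(current, {})[norm] = value.strip()
    return sections


def audit_ldap_settings(text: str) -> list:
    """Return a list of findings; empty when the LDAP settings look sound."""
    g = parse_smb_conf(text).get("global", {})
    findings = []
    backend = g.get("passdbbackend", "")
    if not backend.startswith("ldapsam"):
        return findings                           # not LDAP-backed: nothing to check
    url = backend.partition(":")[2].strip()       # "ldapsam:ldap://host" -> "ldap://host"
    ssl = "".join(g.get("ldapssl", "").lower().split())   # "start tls" -> "starttls"
    if url.startswith("ldap://"):
        # ldaps:// and ldapi:// are not plain TCP; only ldap:// needs StartTLS.
        if ssl == "off":
            findings.append(
                "ldap ssl = off with an ldap:// backend: the ldap admin dn bind and "
                "password syncs cross the network unencrypted; use 'ldap ssl = start tls'")
        elif ssl != "starttls":
            findings.append(
                "ldap ssl is not set explicitly for an ldap:// backend; set "
                "'ldap ssl = start tls' rather than relying on the build default")
    if "ldapadmindn" not in g:
        findings.append(
            "ldap admin dn is missing: Samba has no identity to bind with for "
            "creating machine and user accounts")
    return findings


# Constructed samples: PAGE_STYLE mirrors the guide's snippet, WEAK degrades it.
PAGE_STYLE = """\
[global]
# passdb backend = tdbsam

# LDAP Settings
 passdb backend = ldapsam:ldap://hostname
 ldap suffix = dc=example,dc=com
 ldap user suffix = ou=People
 ldap group suffix = ou=Groups
 ldap machine suffix = ou=Computers
 ldap idmap suffix = ou=Idmap
 ldap admin dn = cn=admin,dc=example,dc=com
 ldap ssl = start tls
 ldap passwd sync = yes
"""

WEAK = PAGE_STYLE.replace("ldap ssl = start tls", "ldap ssl = off") \
                 .replace(" ldap admin dn = cn=admin,dc=example,dc=com\n", "")

if __name__ == "__main__":
    for name, conf in (("PAGE_STYLE", PAGE_STYLE), ("WEAK", WEAK)):
        print(name, audit_ldap_settings(conf) or ["no findings"])
```

The check deliberately treats ldaps:// and ldapi:// backends as already protected and only insists on StartTLS for ldap://; extending it to verify that the chosen <emphasis>ldap admin dn</emphasis> is a dedicated service account rather than the rootDN is a natural next step once the directory's ACLs allow it.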

#: serverguide/C/network-auth.xml:2342(para)
msgid "Restart <application>samba</application> to enable the new settings:"

#: serverguide/C/network-auth.xml:1895(para)
msgid "Now Samba needs to know the LDAP admin password. From a terminal prompt enter:"

#: serverguide/C/network-auth.xml:1900(command)
msgid "sudo smbpasswd -w secret"

#: serverguide/C/network-auth.xml:1904(para)
msgid "Replace <emphasis role=\"italic\">secret</emphasis> with your LDAP admin password."

#: serverguide/C/network-auth.xml:1909(para)
msgid "If you currently have users in LDAP, and you want them to authenticate using Samba, they will need some Samba attributes defined in the <filename>samba.schema</filename> file. Add the Samba attributes to existing users using the <application>smbpasswd</application> utility, replacing <emphasis role=\"italic\">username</emphasis> with an actual user:"

#: serverguide/C/network-auth.xml:1917(command)
#: serverguide/C/network-auth.xml:2351(para)
msgid "Now inform Samba about the rootDN user's password (the one set during the installation of the slapd package):"

#: serverguide/C/network-auth.xml:2356(command)
msgid "sudo smbpasswd -w password"

#: serverguide/C/network-auth.xml:2359(para)
msgid "If you have existing LDAP users that you want to include in your new LDAP-backed Samba they will, of course, also need to be given some of the extra attributes. The <application>smbpasswd</application> utility can do this as well (your host will need to be able to see (enumerate) those users via NSS; install and configure either <application>libnss-ldapd</application> or <application>libnss-ldap</application>):"

#: serverguide/C/network-auth.xml:2367(command)
msgid "sudo smbpasswd -a username"

#: serverguide/C/network-auth.xml:1920(para)
msgid "You will then be asked to enter the user's password."

#: serverguide/C/network-auth.xml:1924(para)
msgid "To add new user, group, and machine accounts use the utilities from the <application>smbldap-tools</application> package. Here are some examples:"

#: serverguide/C/network-auth.xml:1931(para)
msgid "To add a new user to LDAP with Samba attributes enter the following, replacing username with an actual username:"

#: serverguide/C/network-auth.xml:1935(command)
#: serverguide/C/network-auth.xml:2370(para)
msgid "You will be prompted to enter a password. It will be taken as the new password for that user; making it the same as before is reasonable."

#: serverguide/C/network-auth.xml:2374(para)
msgid "To manage user, group, and machine accounts use the utilities provided by the <application>smbldap-tools</application> package. Here are some examples:"

#: serverguide/C/network-auth.xml:2382(para)
msgid "To add a new user:"

#: serverguide/C/network-auth.xml:2387(command)
msgid "sudo smbldap-useradd -a -P username"

#: serverguide/C/network-auth.xml:1937(para)
msgid "The <emphasis>-a</emphasis> option adds the Samba attributes, and the <emphasis>-P</emphasis> option calls the <application>smbldap-passwd</application> utility after the user is created allowing you to enter a password for the user."

#: serverguide/C/network-auth.xml:1943(para)
msgid "To remove a user from the directory enter:"

#: serverguide/C/network-auth.xml:1947(command)
#: serverguide/C/network-auth.xml:2390(para)
msgid "The <emphasis>-a</emphasis> option adds the Samba attributes, and the <emphasis>-P</emphasis> option calls the <application>smbldap-passwd</application> utility after the user is created allowing you to enter a password for the user."

#: serverguide/C/network-auth.xml:2397(para)
msgid "To remove a user:"

#: serverguide/C/network-auth.xml:2402(command)
msgid "sudo smbldap-userdel username"

#: serverguide/C/network-auth.xml:1949(para)
msgid "The <application>smbldap-userdel</application> utility also has a <emphasis>-r</emphasis> option to remove the user's home directory."

#: serverguide/C/network-auth.xml:1954(para)
msgid "Use <application>smbldap-groupadd</application> to add a group, replacing groupname with an appropriate group:"

#: serverguide/C/network-auth.xml:1958(command)
#: serverguide/C/network-auth.xml:2405(para)
msgid "In the above command, use the <emphasis>-r</emphasis> option to remove the user's home directory."

#: serverguide/C/network-auth.xml:2411(para)
msgid "To add a group:"

#: serverguide/C/network-auth.xml:2416(command)
msgid "sudo smbldap-groupadd -a groupname"

#: serverguide/C/network-auth.xml:1960(para)
msgid "Similar to <application>smbldap-useradd</application>, the <emphasis>-a</emphasis> option adds the Samba attributes."

#: serverguide/C/network-auth.xml:1965(para)
msgid "To add a user to a group use <application>smbldap-groupmod</application>:"

#: serverguide/C/network-auth.xml:1969(command)
#: serverguide/C/network-auth.xml:2419(para)
msgid "As for <application>smbldap-useradd</application>, the <emphasis>-a</emphasis> option adds the Samba attributes."

#: serverguide/C/network-auth.xml:2425(para)
msgid "To make an existing user a member of a group:"

#: serverguide/C/network-auth.xml:2430(command)
msgid "sudo smbldap-groupmod -m username groupname"

#: serverguide/C/network-auth.xml:1971(para)
msgid "Be sure to replace <emphasis>username</emphasis> with a real user. Also, the <emphasis>-m</emphasis> option can add more than one user at a time by listing them in <emphasis>comma-separated</emphasis> format."

#: serverguide/C/network-auth.xml:1977(para)
msgid "<application>smbldap-groupmod</application> can also be used to remove a user from a group:"

#: serverguide/C/network-auth.xml:1981(command)
#: serverguide/C/network-auth.xml:2433(para)
msgid "The <emphasis>-m</emphasis> option can add more than one user at a time by listing them in comma-separated format."

#: serverguide/C/network-auth.xml:2439(para)
msgid "To remove a user from a group:"

#: serverguide/C/network-auth.xml:2444(command)
msgid "sudo smbldap-groupmod -x username groupname"

#: serverguide/C/network-auth.xml:1985(para)
msgid "Additionally, the <application>smbldap-useradd</application> utility can add Samba machine accounts:"

#: serverguide/C/network-auth.xml:2450(para)
msgid "To add a Samba machine account:"

#: serverguide/C/network-auth.xml:1989(command)
#: serverguide/C/network-auth.xml:2455(command)
msgid "sudo smbldap-useradd -t 0 -w username"

#: serverguide/C/network-auth.xml:1991(para)
msgid "Replace <emphasis>username</emphasis> with the name of the workstation. The <emphasis>-t 0</emphasis> option creates the machine account without a delay, while the <emphasis>-w</emphasis> option specifies the user as a machine account. Also, note the <emphasis>add machine script</emphasis> option in <filename>/etc/samba/smb.conf</filename> was changed to use <application>smbldap-useradd</application>."

#: serverguide/C/network-auth.xml:2000(para)
msgid "There are more useful utilities and options in the <application>smbldap-tools</application> package. The man page for each utility provides more details."

#: serverguide/C/network-auth.xml:2011(para)
msgid "There are multiple places where LDAP and Samba are documented in the <ulink url=\"http://samba.org/samba/docs/man/Samba-HOWTO-Collection/\">Samba HOWTO Collection</ulink>."

#: serverguide/C/network-auth.xml:2017(para)
msgid "Specifically see the <ulink url=\"http://samba.org/samba/docs/man/Samba-HOWTO-Collection/passdb.html\">passdb section</ulink>."

#: serverguide/C/network-auth.xml:2023(para)
msgid "Another good site is <ulink url=\"http://download.gna.org/smbldap-tools/docs/samba-ldap-howto/\">Samba OpenLDAP HOWTO</ulink>."

#: serverguide/C/network-auth.xml:2029(para)
msgid "Again, for more information on <application>smbldap-tools</application> see the man pages: <command>man smbldap-useradd</command>, <command>man smbldap-groupadd</command>, <command>man smbldap-populate</command>, etc."

#: serverguide/C/network-auth.xml:2036(para)
msgid "Also, there is a list of <ulink url=\"https://help.ubuntu.com/community/Samba#samba-ldap\">Ubuntu wiki</ulink> articles with more information."

#: serverguide/C/network-auth.xml:2045(title)
#: serverguide/C/network-auth.xml:2458(para)
msgid "Replace <emphasis>username</emphasis> with the name of the workstation. The <emphasis>-t 0</emphasis> option creates the machine account without a delay, while the <emphasis>-w</emphasis> option specifies the user as a machine account. Also, note the <emphasis>add machine script</emphasis> parameter in <filename>/etc/samba/smb.conf</filename> was changed to use <application>smbldap-useradd</application>."

#: serverguide/C/network-auth.xml:2467(para)
msgid "There are utilities in the <application>smbldap-tools</application> package that were not covered here. Here is a complete list:"

#: serverguide/C/network-auth.xml:2472(ulink)
msgid "smbldap-groupadd"

#: serverguide/C/network-auth.xml:2473(ulink)
msgid "smbldap-groupdel"

#: serverguide/C/network-auth.xml:2474(ulink)
msgid "smbldap-groupmod"

#: serverguide/C/network-auth.xml:2475(ulink)
msgid "smbldap-groupshow"

#: serverguide/C/network-auth.xml:2476(ulink)
msgid "smbldap-passwd"

#: serverguide/C/network-auth.xml:2477(ulink)
msgid "smbldap-populate"

#: serverguide/C/network-auth.xml:2478(ulink)
msgid "smbldap-useradd"

#: serverguide/C/network-auth.xml:2479(ulink)
msgid "smbldap-userdel"

#: serverguide/C/network-auth.xml:2480(ulink)
msgid "smbldap-userinfo"

#: serverguide/C/network-auth.xml:2481(ulink)
msgid "smbldap-userlist"

#: serverguide/C/network-auth.xml:2482(ulink)
msgid "smbldap-usermod"

#: serverguide/C/network-auth.xml:2483(ulink)
msgid "smbldap-usershow"

#: serverguide/C/network-auth.xml:2494(para)
msgid "For more information on installing and configuring Samba see <xref linkend=\"windows-networking\"/> of this Ubuntu Server Guide."

#: serverguide/C/network-auth.xml:2500(para)
msgid "There are multiple places where LDAP and Samba are documented in the upstream <ulink url=\"http://samba.org/samba/docs/man/Samba-HOWTO-Collection/\">Samba HOWTO Collection</ulink>."

#: serverguide/C/network-auth.xml:2507(para)
msgid "Regarding the above, see specifically the <ulink url=\"http://samba.org/samba/docs/man/Samba-HOWTO-Collection/passdb.html\">passdb section</ulink>."

#: serverguide/C/network-auth.xml:2513(para)
msgid "Although dated (2007), the <ulink url=\"http://download.gna.org/smbldap-tools/docs/samba-ldap-howto/\">Linux Samba-OpenLDAP HOWTO</ulink> contains valuable notes."

#: serverguide/C/network-auth.xml:2519(para)
msgid "The main page of the <ulink url=\"https://help.ubuntu.com/community/Samba#samba-ldap\">Samba Ubuntu community documentation</ulink> has a plethora of links to articles that may prove useful."

#: serverguide/C/network-auth.xml:2532(title)
msgid "Kerberos"

#: serverguide/C/network-auth.xml:2047(para)
#: serverguide/C/network-auth.xml:2534(para)
msgid "<application>Kerberos</application> is a network authentication system based on the principle of a trusted third party, the other two parties being the user and the service the user wishes to authenticate to. Not all services and applications can use Kerberos, but for those that can, it brings the network environment one step closer to being Single Sign On (SSO)."

#: serverguide/C/network-auth.xml:2053(para)
#: serverguide/C/network-auth.xml:2540(para)
msgid "This section covers installation and configuration of a Kerberos server, and some example client configurations."

#: serverguide/C/network-auth.xml:2060(para)
#: serverguide/C/network-auth.xml:2547(para)
msgid "If you are new to Kerberos there are a few terms that are good to understand before setting up a Kerberos server. Most of the terms will relate to things you may be familiar with in other environments:"

#: serverguide/C/network-auth.xml:2067(para)
#: serverguide/C/network-auth.xml:2554(para)
msgid "<emphasis>Principal:</emphasis> any users, computers, and services provided by servers need to be defined as Kerberos Principals."

#: serverguide/C/network-auth.xml:2072(para)
#: serverguide/C/network-auth.xml:2559(para)
msgid "<emphasis>Instances:</emphasis> are used for service principals and special administrative principals."

#: serverguide/C/network-auth.xml:2077(para)
#: serverguide/C/network-auth.xml:2564(para)
msgid "<emphasis>Realms:</emphasis> the unique realm of control provided by the Kerberos installation. Usually the DNS domain converted to uppercase (EXAMPLE.COM)."

#: serverguide/C/network-auth.xml:2083(para)
#: serverguide/C/network-auth.xml:2570(para)
msgid "<emphasis>Key Distribution Center:</emphasis> (KDC) consists of three parts: a database of all principals, the authentication server, and the ticket granting server. For each realm there must be at least one KDC."

#: serverguide/C/network-auth.xml:2089(para)
#: serverguide/C/network-auth.xml:2576(para)
msgid "<emphasis>Ticket Granting Ticket:</emphasis> issued by the Authentication Server (AS), the Ticket Granting Ticket (TGT) is encrypted with the user's password, which is known only to the user and the KDC."

#: serverguide/C/network-auth.xml:2095(para)
#: serverguide/C/network-auth.xml:2582(para)
msgid "<emphasis>Ticket Granting Server:</emphasis> (TGS) issues service tickets to clients upon request."

#: serverguide/C/network-auth.xml:2100(para)
#: serverguide/C/network-auth.xml:2587(para)
msgid "<emphasis>Tickets:</emphasis> confirm the identity of the two principals. One principal being a user and the other a service requested by the user. Tickets establish an encryption key used for secure communication during the authenticated session."

#: serverguide/C/network-auth.xml:2106(para)
#: serverguide/C/network-auth.xml:2593(para)
msgid "<emphasis>Keytab Files:</emphasis> are files extracted from the KDC principal database and contain the encryption key for a service or host."

#: serverguide/C/network-auth.xml:2113(para)
#: serverguide/C/network-auth.xml:2600(para)
msgid "To put the pieces together, a Realm has at least one KDC, preferably two for redundancy, which contains a database of Principals. When a user principal logs into a workstation configured for Kerberos authentication, the KDC issues a Ticket Granting Ticket (TGT). If the user-supplied credentials match, the user is authenticated and can then request tickets for Kerberized services from the Ticket Granting Server (TGS). The service tickets allow the user to authenticate to the service without entering another username and password."

#: serverguide/C/network-auth.xml:2122(title)
#: serverguide/C/network-auth.xml:2609(title)
msgid "Kerberos Server"

#: serverguide/C/network-auth.xml:2126(para)
#: serverguide/C/network-auth.xml:2613(para)
msgid "Before installing the Kerberos server a properly configured DNS server is needed for your domain. Since the Kerberos Realm by convention matches the domain name, this section uses the <emphasis>example.com</emphasis> domain configured in <xref linkend=\"dns-primarymaster-configuration\"/>."

#: serverguide/C/network-auth.xml:2132(para)
#: serverguide/C/network-auth.xml:2619(para)
msgid "Also, Kerberos is a time-sensitive protocol. If the local system time of a client machine and the server differ by more than five minutes (the default), the workstation will not be able to authenticate. To avoid this problem all hosts should have their time synchronized using the <emphasis>Network Time Protocol (NTP)</emphasis>. For details on setting up NTP see <xref linkend=\"NTP\"/>."

#: serverguide/C/network-auth.xml:2139(para)
#: serverguide/C/network-auth.xml:2626(para)
msgid "The first step in installing a Kerberos Realm is to install the <application>krb5-kdc</application> and <application>krb5-admin-server</application> packages. From a terminal, enter:"

#: serverguide/C/network-auth.xml:2145(command) serverguide/C/network-auth.xml:2320(command)
#: serverguide/C/network-auth.xml:2632(command) serverguide/C/network-auth.xml:2807(command)
msgid "sudo apt-get install krb5-kdc krb5-admin-server"

#: serverguide/C/network-auth.xml:2148(para)
#: serverguide/C/network-auth.xml:2635(para)
msgid "You will be asked at the end of the install to supply a name for the Kerberos and Admin servers, which may or may not be the same server, for the realm."

#: serverguide/C/network-auth.xml:2153(para)
#: serverguide/C/network-auth.xml:2640(para)
msgid "Next, create the new realm with the <application>krb5_newrealm</application> utility:"

#: serverguide/C/network-auth.xml:2158(command)
#: serverguide/C/network-auth.xml:2645(command)
msgid "sudo krb5_newrealm"

#: serverguide/C/network-auth.xml:2165(para)
#: serverguide/C/network-auth.xml:2652(para)
msgid "The questions asked during installation are used to configure the <filename>/etc/krb5.conf</filename> file. If you need to adjust the Key Distribution Center (KDC) settings, simply edit the file and restart the <application>krb5-kdc</application> daemon."

#: serverguide/C/network-auth.xml:2173(para)
#: serverguide/C/network-auth.xml:2660(para)
msgid "Now that the KDC is running, an admin user is needed. It is recommended to use a different username from your everyday username. Using the <application>kadmin.local</application> utility, in a terminal prompt enter:"

#: serverguide/C/network-auth.xml:2179(command) serverguide/C/network-auth.xml:2975(command)
#: serverguide/C/network-auth.xml:2666(command) serverguide/C/network-auth.xml:3460(command)
msgid "sudo kadmin.local"

#: serverguide/C/network-auth.xml:2180(computeroutput)
#: serverguide/C/network-auth.xml:2667(computeroutput)
msgid "Authenticating as principal root/admin@EXAMPLE.COM with password.\nkadmin.local:"

#: serverguide/C/network-auth.xml:2181(userinput)
#: serverguide/C/network-auth.xml:2668(userinput)
msgid " addprinc steve/admin"

#: serverguide/C/network-auth.xml:2182(computeroutput)
#: serverguide/C/network-auth.xml:2669(computeroutput)
msgid "WARNING: no policy specified for steve/admin@EXAMPLE.COM; defaulting to no policy\nEnter password for principal \"steve/admin@EXAMPLE.COM\": \nRe-enter password for principal \"steve/admin@EXAMPLE.COM\": \nPrincipal \"steve/admin@EXAMPLE.COM\" created.\nkadmin.local:"

#: serverguide/C/network-auth.xml:2186(userinput)
#: serverguide/C/network-auth.xml:2673(userinput)

#: serverguide/C/network-auth.xml:2189(para)
#: serverguide/C/network-auth.xml:2676(para)
msgid "In the above example <emphasis role=\"italic\">steve</emphasis> is the <emphasis>Principal</emphasis>, <emphasis role=\"italic\">/admin</emphasis> is an <emphasis>Instance</emphasis>, and <emphasis role=\"italic\">@EXAMPLE.COM</emphasis> signifies the realm. The <emphasis role=\"italic\">\"everyday\"</emphasis> Principal would be <emphasis>steve@EXAMPLE.COM</emphasis>, and should have only normal user rights."

#: serverguide/C/network-auth.xml:2197(para)
#: serverguide/C/network-auth.xml:2684(para)
msgid "Replace <emphasis>EXAMPLE.COM</emphasis> and <emphasis>steve</emphasis> with your Realm and admin username."

#: serverguide/C/network-auth.xml:2205(para)
#: serverguide/C/network-auth.xml:2692(para)
msgid "Next, the new admin user needs to have the appropriate Access Control List (ACL) permissions. The permissions are configured in the <filename>/etc/krb5kdc/kadm5.acl</filename> file:"

#: serverguide/C/network-auth.xml:2210(programlisting)
#: serverguide/C/network-auth.xml:2697(programlisting)
msgid "\nsteve/admin@EXAMPLE.COM *\n"

#: serverguide/C/network-auth.xml:2214(para)
#: serverguide/C/network-auth.xml:2701(para)
msgid "This entry grants <emphasis>steve/admin</emphasis> the ability to perform any operation on all principals in the realm."

#: serverguide/C/network-auth.xml:2221(para)
#: serverguide/C/network-auth.xml:2708(para)
msgid "Now restart the <application>krb5-admin-server</application> for the new ACL to take effect:"

#: serverguide/C/network-auth.xml:2226(command)
#: serverguide/C/network-auth.xml:2713(command)
msgid "sudo /etc/init.d/krb5-admin-server restart"

#: serverguide/C/network-auth.xml:2232(para)
#: serverguide/C/network-auth.xml:2719(para)
msgid "The new user principal can be tested using the <application>kinit</application> utility:"

#: serverguide/C/network-auth.xml:2237(command)
#: serverguide/C/network-auth.xml:2724(command)
msgid "kinit steve/admin"

#: serverguide/C/network-auth.xml:2238(computeroutput)
#: serverguide/C/network-auth.xml:2725(computeroutput)
msgid "steve/admin@EXAMPLE.COM's Password:"

#: serverguide/C/network-auth.xml:2241(para)
#: serverguide/C/network-auth.xml:2728(para)
msgid "After entering the password, use the <application>klist</application> utility to view information about the Ticket Granting Ticket (TGT):"

#: serverguide/C/network-auth.xml:2247(command) serverguide/C/network-auth.xml:2582(command)
#: serverguide/C/network-auth.xml:2734(command) serverguide/C/network-auth.xml:3069(command)

#: serverguide/C/network-auth.xml:2248(computeroutput)
#: serverguide/C/network-auth.xml:2735(computeroutput)
msgid "Credentials cache: FILE:/tmp/krb5cc_1000\n Principal: steve/admin@EXAMPLE.COM\n\n Issued Expires Principal\nJul 13 17:53:34 Jul 14 03:53:34 krbtgt/EXAMPLE.COM@EXAMPLE.COM"

#: serverguide/C/network-auth.xml:2255(para)
#: serverguide/C/network-auth.xml:2742(para)
msgid "You may need to add an entry to <filename>/etc/hosts</filename> for the KDC. For example:"

#: serverguide/C/network-auth.xml:2259(programlisting)
#: serverguide/C/network-auth.xml:2746(programlisting)
msgid "\n192.168.0.1 kdc01.example.com kdc01\n"

#: serverguide/C/network-auth.xml:2263(para)
#: serverguide/C/network-auth.xml:2750(para)
msgid "Replace <emphasis>192.168.0.1</emphasis> with the IP address of your KDC."

#: serverguide/C/network-auth.xml:2270(para)
#: serverguide/C/network-auth.xml:2757(para)
msgid "For clients to locate the KDC for the Realm, some DNS SRV records are needed. Add the following to <filename>/etc/named/db.example.com</filename>:"

#: serverguide/C/network-auth.xml:2275(programlisting)
#: serverguide/C/network-auth.xml:2762(programlisting)
msgid "\n_kerberos._udp.EXAMPLE.COM. IN SRV 1 0 88 kdc01.example.com.\n_kerberos._tcp.EXAMPLE.COM. IN SRV 1 0 88 kdc01.example.com.\n_kerberos._udp.EXAMPLE.COM. IN SRV 10 0 88 kdc02.example.com.\n_kerberos._tcp.EXAMPLE.COM. IN SRV 10 0 88 kdc02.example.com.\n_kerberos-adm._tcp.EXAMPLE.COM. IN SRV 1 0 749 kdc01.example.com.\n_kpasswd._udp.EXAMPLE.COM. IN SRV 1 0 464 kdc01.example.com.\n"

#: serverguide/C/network-auth.xml:2285(para)
#: serverguide/C/network-auth.xml:2772(para)
msgid "Replace <emphasis>EXAMPLE.COM</emphasis>, <emphasis>kdc01</emphasis>, and <emphasis>kdc02</emphasis> with your domain name, primary KDC, and secondary KDC."

#: serverguide/C/network-auth.xml:2291(para)
#: serverguide/C/network-auth.xml:2778(para)
msgid "See <xref linkend=\"dns\"/> for detailed instructions on setting up DNS."

#: serverguide/C/network-auth.xml:2298(para)
#: serverguide/C/network-auth.xml:2785(para)
msgid "Your new Kerberos Realm is now ready to authenticate clients."

#: serverguide/C/network-auth.xml:2305(title)
#: serverguide/C/network-auth.xml:2792(title)
msgid "Secondary KDC"

#: serverguide/C/network-auth.xml:2307(para)
#: serverguide/C/network-auth.xml:2794(para)
msgid "Once you have one Key Distribution Center (KDC) on your network, it is good practice to have a Secondary KDC in case the primary becomes unavailable."

#: serverguide/C/network-auth.xml:2315(para)
#: serverguide/C/network-auth.xml:2802(para)
msgid "First, install the packages, and when asked for the Kerberos and Admin server names enter the name of the Primary KDC:"

#: serverguide/C/network-auth.xml:2326(para)
#: serverguide/C/network-auth.xml:2813(para)
msgid "Once you have the packages installed, create the Secondary KDC's host principal. From a terminal prompt, enter:"

#: serverguide/C/network-auth.xml:2331(command)
#: serverguide/C/network-auth.xml:2818(command)
msgid "kadmin -q \"addprinc -randkey host/kdc02.example.com\""

#: serverguide/C/network-auth.xml:2335(para)
#: serverguide/C/network-auth.xml:2822(para)
msgid "After issuing any <application>kadmin</application> command, you will be prompted for your <emphasis>username/admin@EXAMPLE.COM</emphasis> principal password."

#: serverguide/C/network-auth.xml:2344(para)
#: serverguide/C/network-auth.xml:2831(para)
msgid "Extract the <emphasis>keytab</emphasis> file:"

#: serverguide/C/network-auth.xml:2349(command)
#: serverguide/C/network-auth.xml:2836(command)
msgid "kadmin -q \"ktadd -k keytab.kdc02 host/kdc02.example.com\""

#: serverguide/C/network-auth.xml:2355(para)
#: serverguide/C/network-auth.xml:2842(para)
msgid "There should now be a <filename>keytab.kdc02</filename> file in the current directory; move it to <filename>/etc/krb5.keytab</filename>:"

#: serverguide/C/network-auth.xml:2361(command)
#: serverguide/C/network-auth.xml:2848(command)
msgid "sudo mv keytab.kdc02 /etc/krb5.keytab"

#: serverguide/C/network-auth.xml:2365(para)
#: serverguide/C/network-auth.xml:2852(para)
msgid "If the path to the <filename>keytab.kdc02</filename> file is different, adjust accordingly."

#: serverguide/C/network-auth.xml:2370(para)
#: serverguide/C/network-auth.xml:2857(para)
msgid "Also, you can list the principals in a Keytab file, which can be useful when troubleshooting, using the <application>klist</application> utility:"

#: serverguide/C/network-auth.xml:2376(command)
#: serverguide/C/network-auth.xml:2863(command)
msgid "sudo klist -k /etc/krb5.keytab"

#: serverguide/C/network-auth.xml:2382(para)
#: serverguide/C/network-auth.xml:2869(para)
msgid "Next, there needs to be a <filename>kpropd.acl</filename> file on each KDC that lists all KDCs for the Realm. For example, on both the primary and the secondary KDC, create <filename>/etc/krb5kdc/kpropd.acl</filename>:"

#: serverguide/C/network-auth.xml:2387(programlisting)
#: serverguide/C/network-auth.xml:2874(programlisting)
msgid "\nhost/kdc01.example.com@EXAMPLE.COM\nhost/kdc02.example.com@EXAMPLE.COM\n"

#: serverguide/C/network-auth.xml:2395(para)
#: serverguide/C/network-auth.xml:2882(para)
msgid "Create an empty database on the <emphasis>Secondary KDC</emphasis>:"

#: serverguide/C/network-auth.xml:2400(command)
#: serverguide/C/network-auth.xml:2887(command)
msgid "sudo kdb5_util -s create"

#: serverguide/C/network-auth.xml:2406(para)
#: serverguide/C/network-auth.xml:2893(para)
msgid "Now start the <application>kpropd</application> daemon, which listens for connections from the <application>kprop</application> utility. <application>kprop</application> is used to transfer dump files:"

#: serverguide/C/network-auth.xml:2413(command)
#: serverguide/C/network-auth.xml:2900(command)
msgid "sudo kpropd -S"

#: serverguide/C/network-auth.xml:2419(para)
#: serverguide/C/network-auth.xml:2906(para)
msgid "From a terminal on the <emphasis>Primary KDC</emphasis>, create a dump file of the principal database:"

#: serverguide/C/network-auth.xml:2424(command)
#: serverguide/C/network-auth.xml:2911(command)
msgid "sudo kdb5_util dump /var/lib/krb5kdc/dump"

#: serverguide/C/network-auth.xml:2430(para)
#: serverguide/C/network-auth.xml:2917(para)
msgid "Extract the Primary KDC's <emphasis>keytab</emphasis> file and copy it to <filename>/etc/krb5.keytab</filename>:"

#: serverguide/C/network-auth.xml:2435(command)
#: serverguide/C/network-auth.xml:2922(command)
msgid "kadmin -q \"ktadd -k keytab.kdc01 host/kdc01.example.com\""

#: serverguide/C/network-auth.xml:2436(command)
#: serverguide/C/network-auth.xml:2923(command)
msgid "sudo mv keytab.kdc01 /etc/krb5.keytab"

#: serverguide/C/network-auth.xml:2440(para)
#: serverguide/C/network-auth.xml:2927(para)
msgid "Make sure there is a <emphasis>host</emphasis> principal for <emphasis>kdc01.example.com</emphasis> before extracting the Keytab."

#: serverguide/C/network-auth.xml:2448(para)
#: serverguide/C/network-auth.xml:2935(para)
msgid "Using the <application>kprop</application> utility, push the database to the Secondary KDC:"

#: serverguide/C/network-auth.xml:2453(command)
#: serverguide/C/network-auth.xml:2940(command)
msgid "sudo kprop -r EXAMPLE.COM -f /var/lib/krb5kdc/dump kdc02.example.com"

#: serverguide/C/network-auth.xml:2457(para)
#: serverguide/C/network-auth.xml:2944(para)
msgid "There should be a <emphasis>SUCCEEDED</emphasis> message if the propagation worked. If there is an error message, check <filename>/var/log/syslog</filename> on the secondary KDC for more information."

#: serverguide/C/network-auth.xml:2463(para)
#: serverguide/C/network-auth.xml:2950(para)
msgid "You may also want to create a <application>cron</application> job to periodically update the database on the Secondary KDC. For example, the following will push the database every hour:"

#: serverguide/C/network-auth.xml:2468(programlisting)
#: serverguide/C/network-auth.xml:2955(programlisting)
msgid "\n# m h dom mon dow command\n0 * * * * /usr/sbin/kdb5_util dump /var/lib/krb5kdc/dump && /usr/sbin/kprop -r EXAMPLE.COM -f /var/lib/krb5kdc/dump kdc02.example.com\n"
9935
#: serverguide/C/network-auth.xml:2476(para)
10503
#: serverguide/C/network-auth.xml:2963(para)
9936
10504
msgid "Back on the <emphasis>Secondary KDC</emphasis>, create a <emphasis>stash</emphasis> file to hold the Kerberos master key:"
9939
#: serverguide/C/network-auth.xml:2482(command)
10507
#: serverguide/C/network-auth.xml:2969(command)
9940
10508
msgid "sudo kdb5_util stash"
9943
#: serverguide/C/network-auth.xml:2488(para)
10511
#: serverguide/C/network-auth.xml:2975(para)
9944
10512
msgid "Finally, start the <application>krb5-kdc</application> daemon on the Secondary KDC:"
9947
#: serverguide/C/network-auth.xml:2493(command) serverguide/C/network-auth.xml:3105(command)
10515
#: serverguide/C/network-auth.xml:2980(command) serverguide/C/network-auth.xml:3590(command)
9948
10516
msgid "sudo /etc/init.d/krb5-kdc start"
9951
#: serverguide/C/network-auth.xml:2499(para)
10519
#: serverguide/C/network-auth.xml:2986(para)
msgid "The <emphasis>Secondary KDC</emphasis> should now be able to issue tickets for the Realm. You can test this by stopping the <application>krb5-kdc</application> daemon on the Primary KDC, then using <application>kinit</application> to request a ticket. If all goes well you should receive a ticket from the Secondary KDC."

#: serverguide/C/network-auth.xml:2507(title)
#: serverguide/C/network-auth.xml:2994(title)
msgid "Kerberos Linux Client"

#: serverguide/C/network-auth.xml:2509(para)
#: serverguide/C/network-auth.xml:2996(para)
msgid "This section covers configuring a Linux system as a <application>Kerberos</application> client. This will allow access to any kerberized services once a user has successfully logged into the system."

#: serverguide/C/network-auth.xml:2517(para)
#: serverguide/C/network-auth.xml:3004(para)
msgid "In order to authenticate to a Kerberos Realm, the <application>krb5-user</application> and <application>libpam-krb5</application> packages are needed, along with a few others that are not strictly necessary but make life easier. To install the packages enter the following in a terminal prompt:"

#: serverguide/C/network-auth.xml:2524(command)
#: serverguide/C/network-auth.xml:3011(command)
msgid "sudo apt-get install krb5-user libpam-krb5 libpam-ccreds auth-client-config"

#: serverguide/C/network-auth.xml:2527(para)
#: serverguide/C/network-auth.xml:3014(para)
msgid "The <application>auth-client-config</application> package allows simple configuration of PAM for authentication from multiple sources, and <application>libpam-ccreds</application> will cache authentication credentials, allowing you to log in in case the Key Distribution Center (KDC) is unavailable. This package is also useful for laptops that may authenticate using Kerberos while on the corporate network, but will need to be accessed off the network as well."

#: serverguide/C/network-auth.xml:2538(para)
#: serverguide/C/network-auth.xml:3025(para)
msgid "To configure the client, in a terminal enter:"

#: serverguide/C/network-auth.xml:2543(command)
#: serverguide/C/network-auth.xml:3030(command)
msgid "sudo dpkg-reconfigure krb5-config"

#: serverguide/C/network-auth.xml:2546(para)
#: serverguide/C/network-auth.xml:3033(para)
msgid "You will then be prompted to enter the name of the Kerberos Realm. Also, if you don't have DNS configured with Kerberos <emphasis>SRV</emphasis> records, the menu will prompt you for the hostname of the Key Distribution Center (KDC) and Realm Administration server."

#: serverguide/C/network-auth.xml:2552(para)
#: serverguide/C/network-auth.xml:3039(para)
msgid "The <application>dpkg-reconfigure</application> command adds entries to the <filename>/etc/krb5.conf</filename> file for your Realm. You should have entries similar to the following:"

#: serverguide/C/network-auth.xml:2557(programlisting)
#: serverguide/C/network-auth.xml:3044(programlisting)
msgid "\n[libdefaults]\n default_realm = EXAMPLE.COM\n...\n[realms]\n EXAMPLE.COM = {\n kdc = 192.168.0.1\n admin_server = 192.168.0.1\n }\n"

#: serverguide/C/network-auth.xml:2568(para)
#: serverguide/C/network-auth.xml:3055(para)
msgid "You can test the configuration by requesting a ticket using the <application>kinit</application> utility. For example:"

#: serverguide/C/network-auth.xml:2573(command)
#: serverguide/C/network-auth.xml:3060(command)
msgid "kinit steve@EXAMPLE.COM"

#: serverguide/C/network-auth.xml:2574(computeroutput)
#: serverguide/C/network-auth.xml:3061(computeroutput)
msgid "Password for steve@EXAMPLE.COM:"

#: serverguide/C/network-auth.xml:2577(para)
#: serverguide/C/network-auth.xml:3064(para)
msgid "When a ticket has been granted, the details can be viewed using <application>klist</application>:"

#: serverguide/C/network-auth.xml:2583(computeroutput)
#: serverguide/C/network-auth.xml:3070(computeroutput)
msgid "Ticket cache: FILE:/tmp/krb5cc_1000\nDefault principal: steve@EXAMPLE.COM\n\nValid starting Expires Service principal\n07/24/08 05:18:56 07/24/08 15:18:56 krbtgt/EXAMPLE.COM@EXAMPLE.COM\n renew until 07/25/08 05:18:57\n\n\nKerberos 4 ticket cache: /tmp/tkt1000\nklist: You have no tickets cached"

#: serverguide/C/network-auth.xml:2595(para)
#: serverguide/C/network-auth.xml:3082(para)
msgid "Next, use <application>auth-client-config</application> to configure the <application>libpam-krb5</application> module to request a ticket during login:"

#: serverguide/C/network-auth.xml:2601(command)
#: serverguide/C/network-auth.xml:3088(command)
msgid "sudo auth-client-config -a -p kerberos_example"

#: serverguide/C/network-auth.xml:2604(para)
#: serverguide/C/network-auth.xml:3091(para)
msgid "You should now receive a ticket upon successful login authentication."

#: serverguide/C/network-auth.xml:2615(para)
#: serverguide/C/network-auth.xml:3102(para)
msgid "For more information on Kerberos see the <ulink url=\"http://web.mit.edu/Kerberos/\">MIT Kerberos</ulink> site."

#: serverguide/C/network-auth.xml:2620(para)
#: serverguide/C/network-auth.xml:3107(para)
msgid "The <ulink url=\"https://help.ubuntu.com/community/Kerberos\">Ubuntu Wiki Kerberos</ulink> page has more details."

#: serverguide/C/network-auth.xml:2625(para)
#: serverguide/C/network-auth.xml:3112(para)
msgid "O'Reilly's <ulink url=\"http://oreilly.com/catalog/9780596004033/\">Kerberos: The Definitive Guide</ulink> is a great reference when setting up Kerberos."

#: serverguide/C/network-auth.xml:2631(para)
#: serverguide/C/network-auth.xml:3118(para)
msgid "Also, feel free to stop by the <emphasis>#ubuntu-server</emphasis> IRC channel on <ulink url=\"http://freenode.net/\">Freenode</ulink> if you have Kerberos questions."

#: serverguide/C/network-auth.xml:2641(title)
#: serverguide/C/network-auth.xml:3128(title)
msgid "Kerberos and LDAP"

#: serverguide/C/network-auth.xml:2643(para)
#: serverguide/C/network-auth.xml:3130(para)
msgid "Replicating a Kerberos principal database between two servers can be complicated, and adds an additional user database to your network. Fortunately, MIT Kerberos can be configured to use an <application>LDAP</application> directory as a principal database. This section covers configuring a primary and secondary Kerberos server to use <application>OpenLDAP</application> for the principal database."

#: serverguide/C/network-auth.xml:2651(title)
#: serverguide/C/network-auth.xml:3138(title)
msgid "Configuring OpenLDAP"

#: serverguide/C/network-auth.xml:2653(para)
#: serverguide/C/network-auth.xml:3140(para)
msgid "First, the necessary <emphasis>schema</emphasis> needs to be loaded on an <application>OpenLDAP</application> server that has network connectivity to the Primary and Secondary KDCs. The rest of this section assumes that you also have LDAP replication configured between at least two servers. For information on setting up OpenLDAP see <xref linkend=\"openldap-server\"/>."

#: serverguide/C/network-auth.xml:2660(para)
#: serverguide/C/network-auth.xml:3147(para)
msgid "OpenLDAP must also be configured for TLS and SSL connections, so that traffic between the KDC and LDAP server is encrypted. See <xref linkend=\"openldap-tls\"/> for details."

#: serverguide/C/network-auth.xml:2667(para)
#: serverguide/C/network-auth.xml:3154(para)
msgid "To load the schema into LDAP, install the <application>krb5-kdc-ldap</application> package on the LDAP server. From a terminal enter:"

#: serverguide/C/network-auth.xml:2673(command)
#: serverguide/C/network-auth.xml:3160(command)
msgid "sudo apt-get install krb5-kdc-ldap"

#: serverguide/C/network-auth.xml:2678(para)
#: serverguide/C/network-auth.xml:3165(para)
msgid "Next, extract the <filename>kerberos.schema.gz</filename> file:"

#: serverguide/C/network-auth.xml:2683(command)
#: serverguide/C/network-auth.xml:3170(command)
msgid "sudo gzip -d /usr/share/doc/krb5-kdc-ldap/kerberos.schema.gz"

#: serverguide/C/network-auth.xml:2684(command)
#: serverguide/C/network-auth.xml:3171(command)
msgid "sudo cp /usr/share/doc/krb5-kdc-ldap/kerberos.schema /etc/ldap/schema/"

#: serverguide/C/network-auth.xml:2690(para)
#: serverguide/C/network-auth.xml:3177(para)
msgid "The <emphasis>kerberos</emphasis> schema needs to be added to the <emphasis>cn=config</emphasis> tree. The procedure to add a new schema to <application>slapd</application> is also detailed in <xref linkend=\"openldap-configuration\"/>."

#: serverguide/C/network-auth.xml:2703(programlisting)
#: serverguide/C/network-auth.xml:3185(para)
msgid "First, create a configuration file named <filename>schema_convert.conf</filename>, or a similar descriptive name, containing the following lines:"

#: serverguide/C/network-auth.xml:3190(programlisting)
msgid "\ninclude /etc/ldap/schema/core.schema\ninclude /etc/ldap/schema/collective.schema\ninclude /etc/ldap/schema/corba.schema\ninclude /etc/ldap/schema/cosine.schema\ninclude /etc/ldap/schema/duaconf.schema\ninclude /etc/ldap/schema/dyngroup.schema\ninclude /etc/ldap/schema/inetorgperson.schema\ninclude /etc/ldap/schema/java.schema\ninclude /etc/ldap/schema/misc.schema\ninclude /etc/ldap/schema/nis.schema\ninclude /etc/ldap/schema/openldap.schema\ninclude /etc/ldap/schema/ppolicy.schema\ninclude /etc/ldap/schema/kerberos.schema\n"

#: serverguide/C/network-auth.xml:2723(para)
#: serverguide/C/network-auth.xml:3210(para)
msgid "Create a temporary directory to hold the LDIF files:"

#: serverguide/C/network-auth.xml:2738(command)
#: serverguide/C/network-auth.xml:3214(command)
msgid "mkdir /tmp/ldif_output"

#: serverguide/C/network-auth.xml:3220(para)
msgid "Now use <application>slapcat</application> to convert the schema files:"

#: serverguide/C/network-auth.xml:3225(command)
msgid "slapcat -f schema_convert.conf -F /tmp/ldif_output -n0 -s \"cn={12}kerberos,cn=schema,cn=config\" > /tmp/cn=kerberos.ldif"

#: serverguide/C/network-auth.xml:2748(para)
#: serverguide/C/network-auth.xml:3228(para)
msgid "Change the above file and path names to match your own if they are different."

#: serverguide/C/network-auth.xml:3235(para)
msgid "Edit the generated <filename>/tmp/cn\\=kerberos.ldif</filename> file, changing the following attributes:"

#: serverguide/C/network-auth.xml:2752(programlisting)
#: serverguide/C/network-auth.xml:3239(programlisting)
msgid "\ndn: cn=kerberos,cn=schema,cn=config\n...\ncn: kerberos\n"

#: serverguide/C/network-auth.xml:2758(para)
#: serverguide/C/network-auth.xml:3245(para)
msgid "And remove the following lines from the end of the file:"

#: serverguide/C/network-auth.xml:2762(programlisting)
#: serverguide/C/network-auth.xml:3249(programlisting)
msgid "\nstructuralObjectClass: olcSchemaConfig\nentryUUID: 18ccd010-746b-102d-9fbe-3760cca765dc\ncreatorsName: cn=config\ncreateTimestamp: 20090111203515Z\nentryCSN: 20090111203515.326445Z#000000#000#000000\nmodifiersName: cn=config\nmodifyTimestamp: 20090111203515Z\n"

#: serverguide/C/network-auth.xml:2781(para)
#: serverguide/C/network-auth.xml:3259(para)
msgid "The attribute values will vary; just be sure the attributes are removed."

#: serverguide/C/network-auth.xml:3266(para)
msgid "Load the new schema with <application>ldapadd</application>:"

#: serverguide/C/network-auth.xml:2786(command)
#: serverguide/C/network-auth.xml:3271(command)
msgid "ldapadd -x -D cn=admin,cn=config -W -f /tmp/cn\\=kerberos.ldif"
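The hand edits described above (dropping the {12} index from the dn and cn, and removing the operational attributes slapcat dumped), as an added Python example that is not part of the Ubuntu Server Guide; the LDIF it runs on is a constructed sample with a placeholder attribute OID, and it also unfolds LDIF continuation lines so the edits apply to whole values.

```python
"""Clean a slapcat schema dump so ldapadd accepts it, as the guide does by hand.

Added example, not part of the Ubuntu Server Guide. It makes the two edits the
text describes on the slapcat output for cn={12}kerberos: drop the {N} ordering
index from the dn and cn, and remove the operational attributes that ldapadd
would reject. The LDIF below is a constructed sample (the attribute OID is a
placeholder, not the real krbPrincipalName definition).
"""
import re

# Operational attributes slapcat dumps that must not be sent to ldapadd.
OPERATIONAL_ATTRS = {
    "structuralObjectClass", "entryUUID", "creatorsName", "createTimestamp",
    "entryCSN", "modifiersName", "modifyTimestamp",
}

SAMPLE_LDIF = """\
dn: cn={12}kerberos,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {12}kerberos
olcAttributeTypes: {0}( 1.2.3.4.5 NAME 'krbPrincipalName' DESC 'constructed sa
 mple, not the real definition' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1
 466.115.121.1.26 )
structuralObjectClass: olcSchemaConfig
entryUUID: 18ccd010-746b-102d-9fbe-3760cca765dc
creatorsName: cn=config
createTimestamp: 20090111203515Z
entryCSN: 20090111203515.326445Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20090111203515Z
"""


def unfold(ldif):
    """Join LDIF continuation lines: a line starting with a space continues the previous one."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def clean_schema_ldif(ldif):
    """Return LDIF with the {N} index stripped from dn/cn and operational attributes removed."""
    out = []
    for line in unfold(ldif):
        attr, sep, value = line.partition(":")
        if sep and attr in OPERATIONAL_ATTRS:
            continue                      # slapd generates these itself on add
        if attr in ("dn", "cn") and not value.startswith(":"):
            # "::" would mean a base64 value; otherwise drop the first {N} index
            value = re.sub(r"\{\d+\}", "", value, count=1)
        out.append(attr + sep + value)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(clean_schema_ldif(SAMPLE_LDIF), end="")
```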

#: serverguide/C/network-auth.xml:2792(para)
#: serverguide/C/network-auth.xml:3277(para)
msgid "Add an index for the <emphasis>krbPrincipalName</emphasis> attribute:"

#: serverguide/C/network-auth.xml:2797(command) serverguide/C/network-auth.xml:2814(command)
#: serverguide/C/network-auth.xml:3282(command) serverguide/C/network-auth.xml:3299(command)
msgid "ldapmodify -x -D cn=admin,cn=config -W"

#: serverguide/C/network-auth.xml:2799(userinput)
#: serverguide/C/network-auth.xml:3284(userinput)
msgid "dn: olcDatabase={1}hdb,cn=config\nadd: olcDbIndex\nolcDbIndex: krbPrincipalName eq,pres,sub"

#: serverguide/C/network-auth.xml:2798(computeroutput)
#: serverguide/C/network-auth.xml:3283(computeroutput)
msgid "Enter LDAP Password:\n<placeholder-1/>\n\nmodifying entry \"olcDatabase={1}hdb,cn=config\""

#: serverguide/C/network-auth.xml:2809(para)
#: serverguide/C/network-auth.xml:3294(para)
msgid "Finally, update the Access Control Lists (ACL):"

#: serverguide/C/network-auth.xml:2816(userinput)
#: serverguide/C/network-auth.xml:3301(userinput)
msgid "dn: olcDatabase={1}hdb,cn=config\nreplace: olcAccess\nolcAccess: to attrs=userPassword,shadowLastChange,krbPrincipalKey by dn=\"cn=admin,dc=example,dc=com\" write by anonymous auth by self write by * none\n-\nadd: olcAccess\nolcAccess: to dn.base=\"\" by * read\n-\nadd: olcAccess\nolcAccess: to * by dn=\"cn=admin,dc=example,dc=com\" write by * read"

#: serverguide/C/network-auth.xml:2815(computeroutput)
#: serverguide/C/network-auth.xml:3300(computeroutput)
msgid "Enter LDAP Password: \n<placeholder-1/>\n\nmodifying entry \"olcDatabase={1}hdb,cn=config\"\n"
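To make the effect of these three rules concrete, here is an added Python model (not the guide's or OpenLDAP's code) that applies slapd's evaluation order, first matching `to` clause and then first matching `by` clause, to the rules above; it shows that krbPrincipalKey is usable only for binding by anonymous clients and is never readable by other users, and that putting the catch-all rule first would make it readable. Only the `what`/`who` selector forms that appear in these rules are modelled, and the user DNs are constructed sample values.

```python
"""Model of the three olcAccess rules the guide adds, evaluated the way slapd does:
the first 'to' clause whose target matches is used, and within it the first
matching 'by' clause fixes the access level (an implicit 'by * none' closes
every rule). Added example, not the guide's or OpenLDAP's code; only the
<what>/<who> forms used in these rules are modelled, see slapd.access(5) for
the rest. The DNs for Steve and Alice are constructed sample values.
"""

# slapd access levels, weakest to strongest; each level implies the ones before it.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The olcAccess values from the guide, in the order they are added.
ACLS = [
    "to attrs=userPassword,shadowLastChange,krbPrincipalKey "
    'by dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * none',
    'to dn.base="" by * read',
    'to * by dn="cn=admin,dc=example,dc=com" write by * read',
]

ADMIN = "cn=admin,dc=example,dc=com"
STEVE = "uid=steve,ou=people,dc=example,dc=com"   # the principal created in the guide
ALICE = "uid=alice,ou=people,dc=example,dc=com"   # constructed: some other user


def parse_acl(rule):
    """Split 'to <what> by <who> <level> [by ...]' into (what, [(who, level), ...])."""
    head, *by_parts = rule.split(" by ")
    what = head.split(" ", 1)[1].strip()
    clauses = [tuple(part.strip().rsplit(" ", 1)) for part in by_parts]
    return what, clauses


def what_matches(what, target_dn, attr):
    """Does the <what> selector cover attribute `attr` of entry `target_dn`?"""
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr in what[len("attrs="):].split(",")
    if what.startswith("dn.base="):
        return target_dn == what[len("dn.base="):].strip('"')
    raise ValueError("unsupported <what> selector: " + what)


def who_matches(who, requester_dn, target_dn):
    """requester_dn is None for an anonymous (unbound) connection."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "self":
        return requester_dn is not None and requester_dn == target_dn
    if who.startswith("dn="):
        return requester_dn == who[len("dn="):].strip('"')
    raise ValueError("unsupported <who> selector: " + who)


def access_level(acls, requester_dn, target_dn, attr):
    """Access level slapd would grant requester_dn on (target_dn, attr)."""
    for rule in acls:
        what, clauses = parse_acl(rule)
        if not what_matches(what, target_dn, attr):
            continue                 # this rule does not apply; try the next
        for who, level in clauses:
            if who_matches(who, requester_dn, target_dn):
                return level         # first matching 'by' clause wins
        return "none"                # rule applied but no 'by' matched
    return "none"                    # no rule applied at all


def allowed(acls, requester_dn, target_dn, attr, needed):
    """True if the granted level is at least `needed`."""
    return LEVELS.index(access_level(acls, requester_dn, target_dn, attr)) >= LEVELS.index(needed)


if __name__ == "__main__":
    for who, attr, need in [(None, "krbPrincipalKey", "auth"), (None, "krbPrincipalKey", "read"),
                            (ALICE, "krbPrincipalKey", "read"), (STEVE, "krbPrincipalKey", "write"),
                            (None, "cn", "read")]:
        print(f"{who or 'anonymous'} wants {need} on steve's {attr}:",
              allowed(ACLS, who, STEVE, attr, need))
```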

#: serverguide/C/network-auth.xml:2836(para)
#: serverguide/C/network-auth.xml:3321(para)
msgid "That's it; your LDAP directory is now ready to serve as a Kerberos principal database."

#: serverguide/C/network-auth.xml:2842(title)
#: serverguide/C/network-auth.xml:3327(title)
msgid "Primary KDC Configuration"

#: serverguide/C/network-auth.xml:2844(para)
#: serverguide/C/network-auth.xml:3329(para)
msgid "With <application>OpenLDAP</application> configured, it is time to configure the KDC."

#: serverguide/C/network-auth.xml:2850(para)
#: serverguide/C/network-auth.xml:3335(para)
msgid "First, install the necessary packages. From a terminal enter:"

#: serverguide/C/network-auth.xml:2855(command) serverguide/C/network-auth.xml:3012(command)
#: serverguide/C/network-auth.xml:3340(command) serverguide/C/network-auth.xml:3497(command)
msgid "sudo apt-get install krb5-kdc krb5-admin-server krb5-kdc-ldap"

#: serverguide/C/network-auth.xml:2861(para)
#: serverguide/C/network-auth.xml:3346(para)
msgid "Now edit <filename>/etc/krb5.conf</filename>, adding the following options under the appropriate sections:"

#: serverguide/C/network-auth.xml:2865(programlisting)
#: serverguide/C/network-auth.xml:3350(programlisting)
msgid "\n[libdefaults]\n default_realm = EXAMPLE.COM\n\n...\n\n[realms]\n EXAMPLE.COM = {\n kdc = kdc01.example.com\n kdc = kdc02.example.com\n admin_server = kdc01.example.com\n admin_server = kdc02.example.com\n default_domain = example.com\n database_module = openldap_ldapconf\n }\n\n...\n\n[domain_realm]\n .example.com = EXAMPLE.COM\n\n\n...\n\n[dbdefaults]\n ldap_kerberos_container_dn = dc=example,dc=com\n\n[dbmodules]\n openldap_ldapconf = {\n db_library = kldap\n ldap_kdc_dn = \"cn=admin,dc=example,dc=com\"\n\n # this object needs to have read rights on\n # the realm container, principal container and realm sub-trees\n ldap_kadmind_dn = \"cn=admin,dc=example,dc=com\"\n\n # this object needs to have read and write rights on\n # the realm container, principal container and realm sub-trees\n ldap_service_password_file = /etc/krb5kdc/service.keyfile\n ldap_servers = ldaps://ldap01.example.com ldaps://ldap02.example.com\n ldap_conns_per_server = 5\n }\n"

#: serverguide/C/network-auth.xml:2910(para)
#: serverguide/C/network-auth.xml:3395(para)
msgid "Change <emphasis>example.com</emphasis>, <emphasis>dc=example,dc=com</emphasis>, <emphasis>cn=admin,dc=example,dc=com</emphasis>, and <emphasis>ldap01.example.com</emphasis> to the appropriate domain, LDAP object, and LDAP server for your network."

#: serverguide/C/network-auth.xml:2919(para)
#: serverguide/C/network-auth.xml:3404(para)
msgid "Next, use the <application>kdb5_ldap_util</application> utility to create the realm:"

#: serverguide/C/network-auth.xml:2924(command)
#: serverguide/C/network-auth.xml:3409(command)
msgid "sudo kdb5_ldap_util -D cn=admin,dc=example,dc=com create -subtrees dc=example,dc=com -r EXAMPLE.COM -s -H ldap://ldap01.example.com"

#: serverguide/C/network-auth.xml:2930(para)
#: serverguide/C/network-auth.xml:3415(para)
msgid "Create a stash of the password used to bind to the LDAP server. This password is used by the <emphasis>ldap_kdc_dn</emphasis> and <emphasis>ldap_kadmind_dn</emphasis> options in <filename>/etc/krb5.conf</filename>:"

#: serverguide/C/network-auth.xml:2936(command) serverguide/C/network-auth.xml:3074(command)
#: serverguide/C/network-auth.xml:3421(command) serverguide/C/network-auth.xml:3559(command)
msgid "sudo kdb5_ldap_util -D cn=admin,dc=example,dc=com stashsrvpw -f /etc/krb5kdc/service.keyfile cn=admin,dc=example,dc=com"

#: serverguide/C/network-auth.xml:2942(para)
#: serverguide/C/network-auth.xml:3427(para)
msgid "Copy the CA certificate from the LDAP server:"

#: serverguide/C/network-auth.xml:2947(command)
#: serverguide/C/network-auth.xml:3432(command)
msgid "scp ldap01:/etc/ssl/certs/cacert.pem ."

#: serverguide/C/network-auth.xml:2948(command)
#: serverguide/C/network-auth.xml:3433(command)
msgid "sudo cp cacert.pem /etc/ssl/certs"

#: serverguide/C/network-auth.xml:2951(para)
#: serverguide/C/network-auth.xml:3436(para)
msgid "And edit <filename>/etc/ldap/ldap.conf</filename> to use the certificate:"

#: serverguide/C/network-auth.xml:2955(programlisting)
#: serverguide/C/network-auth.xml:3440(programlisting)
msgid "\nTLS_CACERT /etc/ssl/certs/cacert.pem\n"

#: serverguide/C/network-auth.xml:2960(para)
#: serverguide/C/network-auth.xml:3445(para)
msgid "The certificate will also need to be copied to the Secondary KDC, to allow the connection to the LDAP servers using LDAPS."

#: serverguide/C/network-auth.xml:2969(para)
#: serverguide/C/network-auth.xml:3454(para)
msgid "You can now add Kerberos principals to the LDAP database, and they will be copied to any other LDAP servers configured for replication. To add a principal using the <application>kadmin.local</application> utility enter:"

#: serverguide/C/network-auth.xml:2977(userinput)
#: serverguide/C/network-auth.xml:3462(userinput)
msgid "addprinc -x dn=\"uid=steve,ou=people,dc=example,dc=com\" steve"

#: serverguide/C/network-auth.xml:2976(computeroutput)
#: serverguide/C/network-auth.xml:3461(computeroutput)
msgid "Authenticating as principal root/admin@EXAMPLE.COM with password.\nkadmin.local: <placeholder-1/>\nWARNING: no policy specified for steve@EXAMPLE.COM; defaulting to no policy\nEnter password for principal \"steve@EXAMPLE.COM\": \nRe-enter password for principal \"steve@EXAMPLE.COM\": \nPrincipal \"steve@EXAMPLE.COM\" created."

#: serverguide/C/network-auth.xml:2984(para)
#: serverguide/C/network-auth.xml:3469(para)
msgid "There should now be krbPrincipalName, krbPrincipalKey, krbLastPwdChange, and krbExtraData attributes added to the <emphasis>uid=steve,ou=people,dc=example,dc=com</emphasis> user object. Use the <application>kinit</application> and <application>klist</application> utilities to test that the user is indeed issued a ticket."

#: serverguide/C/network-auth.xml:2991(para)
#: serverguide/C/network-auth.xml:3476(para)
msgid "If the user object already exists, the <emphasis>-x dn=\"...\"</emphasis> option is needed to add the Kerberos attributes to it. Otherwise a new <emphasis>principal</emphasis> object will be created in the realm subtree."

#: serverguide/C/network-auth.xml:2999(title)
#: serverguide/C/network-auth.xml:3484(title)
msgid "Secondary KDC Configuration"

#: serverguide/C/network-auth.xml:3001(para)
#: serverguide/C/network-auth.xml:3486(para)
msgid "Configuring a Secondary KDC using the LDAP backend is similar to configuring one using the normal Kerberos database."

#: serverguide/C/network-auth.xml:3007(para)
#: serverguide/C/network-auth.xml:3492(para)
msgid "First, install the necessary packages. In a terminal enter:"

#: serverguide/C/network-auth.xml:3018(para)
#: serverguide/C/network-auth.xml:3503(para)
msgid "Next, edit <filename>/etc/krb5.conf</filename> to use the LDAP backend:"

#: serverguide/C/network-auth.xml:3022(programlisting)
#: serverguide/C/network-auth.xml:3507(programlisting)
msgid "\n[libdefaults]\n default_realm = EXAMPLE.COM\n\n...\n\n[realms]\n EXAMPLE.COM = {\n kdc = kdc01.example.com\n kdc = kdc02.example.com\n admin_server = kdc01.example.com\n admin_server = kdc02.example.com\n default_domain = example.com\n database_module = openldap_ldapconf\n }\n\n...\n\n[domain_realm]\n .example.com = EXAMPLE.COM\n\n...\n\n[dbdefaults]\n ldap_kerberos_container_dn = dc=example,dc=com\n\n[dbmodules]\n openldap_ldapconf = {\n db_library = kldap\n ldap_kdc_dn = \"cn=admin,dc=example,dc=com\"\n\n # this object needs to have read rights on\n # the realm container, principal container and realm sub-trees\n ldap_kadmind_dn = \"cn=admin,dc=example,dc=com\"\n\n # this object needs to have read and write rights on\n # the realm container, principal container and realm sub-trees\n ldap_service_password_file = /etc/krb5kdc/service.keyfile\n ldap_servers = ldaps://ldap01.example.com ldaps://ldap02.example.com\n ldap_conns_per_server = 5\n }\n"

#: serverguide/C/network-auth.xml:3069(para)
#: serverguide/C/network-auth.xml:3554(para)
msgid "Create the stash for the LDAP bind password:"

#: serverguide/C/network-auth.xml:3080(para)
#: serverguide/C/network-auth.xml:3565(para)
msgid "Now, on the <emphasis>Primary KDC</emphasis> copy the <filename>/etc/krb5kdc/.k5.EXAMPLE.COM</filename> <emphasis>Master Key</emphasis> stash to the Secondary KDC. Be sure to copy the file over an encrypted connection such as <application>scp</application>, or on physical media."

#: serverguide/C/network-auth.xml:3087(command)
#: serverguide/C/network-auth.xml:3572(command)
msgid "sudo scp /etc/krb5kdc/.k5.EXAMPLE.COM steve@kdc02.example.com:~"

#: serverguide/C/network-auth.xml:3088(command)
#: serverguide/C/network-auth.xml:3573(command)
msgid "sudo mv .k5.EXAMPLE.COM /etc/krb5kdc/"

#: serverguide/C/network-auth.xml:3092(para)
#: serverguide/C/network-auth.xml:3577(para)
msgid "Again, replace <emphasis>EXAMPLE.COM</emphasis> with your actual realm."

#: serverguide/C/network-auth.xml:3100(para)
#: serverguide/C/network-auth.xml:3585(para)
msgid "Finally, start the <application>krb5-kdc</application> daemon:"

#: serverguide/C/network-auth.xml:3111(para)
#: serverguide/C/network-auth.xml:3596(para)
msgid "You now have redundant KDCs on your network, and with redundant LDAP servers you should be able to continue to authenticate users if one LDAP server, one Kerberos server, or one LDAP and one Kerberos server become unavailable."

#: serverguide/C/network-auth.xml:3123(para)
#: serverguide/C/network-auth.xml:3608(para)
msgid "The <ulink url=\"http://web.mit.edu/Kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html#Configuring-Kerberos-with-OpenLDAP-back_002dend\">Kerberos Admin Guide</ulink> has some additional details."

#: serverguide/C/network-auth.xml:3129(para)
msgid "For more information on <application>kdb5_ldap_util</application> see <ulink url=\"http://web.mit.edu/Kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html#Global-Operations-on-the-Kerberos-LDAP-Database\">Section 5.6</ulink> and the <ulink url=\"http://manpages.ubuntu.com/manpages/natty/en/man8/kdb5_ldap_util.8.html\">kdb5_ldap_util man page</ulink>."

#: serverguide/C/network-auth.xml:3137(para)
msgid "Another useful link is the <ulink url=\"http://manpages.ubuntu.com/manpages/natty/en/man5/krb5.conf.5.html\">krb5.conf man page</ulink>."

#: serverguide/C/network-auth.xml:3142(para)
#: serverguide/C/network-auth.xml:3614(para)
msgid "For more information on <application>kdb5_ldap_util</application> see <ulink url=\"http://web.mit.edu/Kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html#Global-Operations-on-the-Kerberos-LDAP-Database\">Section 5.6</ulink> and the <ulink url=\"http://manpages.ubuntu.com/manpages/oneiric/en/man8/kdb5_ldap_util.8.html\">kdb5_ldap_util man page</ulink>."

#: serverguide/C/network-auth.xml:3622(para)
msgid "Another useful link is the <ulink url=\"http://manpages.ubuntu.com/manpages/oneiric/en/man5/krb5.conf.5.html\">krb5.conf man page</ulink>."

#: serverguide/C/network-auth.xml:3627(para)
msgid "Also, see the <ulink url=\"https://help.ubuntu.com/community/Kerberos#kerberos-ldap\">Kerberos and LDAP</ulink> Ubuntu wiki page."