~bencer/serverguide/serverguide-precise-zentyal

« back to all changes in this revision

Viewing changes to serverguide/po/serverguide.pot

Committer: Matthew East
Date: 2011-10-17 19:51:35 UTC
Revision ID: mdke@ubuntu.com-20111017195135-egpxft8t5rsgnwh0

Update pot file

files modified:
serverguide/po/serverguide.pot

Show diffs side-by-side

added added

removed removed

serverguide/po/serverguide.pot

msgid ""

msgstr ""

"Project-Id-Version: PACKAGE VERSION\n"

"POT-Creation-Date: 2011-10-07 20:20+0100\n"

"POT-Creation-Date: 2011-10-17 19:51+0000\n"

"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"

"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"

"Language-Team: LANGUAGE <LL@li.org>\n"

msgid "The server will be configured to share files with any client on the network without prompting for a password. If your environment requires stricter Access Controls see <xref linkend=\"samba-fileprint-security\"/>"

msgstr ""

#: serverguide/C/windows-networking.xml:83(title) serverguide/C/windows-networking.xml:294(title) serverguide/C/web-servers.xml:41(title) serverguide/C/web-servers.xml:669(title) serverguide/C/web-servers.xml:810(title) serverguide/C/web-servers.xml:934(title) serverguide/C/virtualization.xml:62(title) serverguide/C/vcs.xml:28(title) serverguide/C/vcs.xml:86(title) serverguide/C/vcs.xml:405(title) serverguide/C/remote-administration.xml:51(title) serverguide/C/remote-administration.xml:240(title) serverguide/C/network-config.xml:932(title) serverguide/C/network-config.xml:1046(title) serverguide/C/network-auth.xml:52(title) serverguide/C/network-auth.xml:1603(title) serverguide/C/network-auth.xml:2124(title) serverguide/C/network-auth.xml:2515(title) serverguide/C/monitoring.xml:42(title) serverguide/C/monitoring.xml:430(title) serverguide/C/mail.xml:40(title) serverguide/C/mail.xml:491(title) serverguide/C/mail.xml:680(title) serverguide/C/mail.xml:829(title) serverguide/C/mail.xml:1319(title) serverguide/C/lamp-applications.xml:108(title) serverguide/C/lamp-applications.xml:278(title) serverguide/C/lamp-applications.xml:414(title) serverguide/C/installation.xml:13(title) serverguide/C/installation.xml:946(title) serverguide/C/file-server.xml:349(title) serverguide/C/file-server.xml:637(title) serverguide/C/dns.xml:23(title) serverguide/C/databases.xml:39(title) serverguide/C/databases.xml:143(title) serverguide/C/chat.xml:37(title) serverguide/C/chat.xml:136(title) serverguide/C/backups.xml:593(title)

#: serverguide/C/windows-networking.xml:83(title) serverguide/C/windows-networking.xml:294(title) serverguide/C/web-servers.xml:41(title) serverguide/C/web-servers.xml:669(title) serverguide/C/web-servers.xml:810(title) serverguide/C/web-servers.xml:934(title) serverguide/C/virtualization.xml:62(title) serverguide/C/vcs.xml:28(title) serverguide/C/vcs.xml:86(title) serverguide/C/vcs.xml:405(title) serverguide/C/remote-administration.xml:51(title) serverguide/C/remote-administration.xml:240(title) serverguide/C/network-config.xml:932(title) serverguide/C/network-config.xml:1046(title) serverguide/C/network-auth.xml:121(title) serverguide/C/network-auth.xml:2611(title) serverguide/C/network-auth.xml:3002(title) serverguide/C/monitoring.xml:42(title) serverguide/C/monitoring.xml:430(title) serverguide/C/mail.xml:40(title) serverguide/C/mail.xml:491(title) serverguide/C/mail.xml:680(title) serverguide/C/mail.xml:829(title) serverguide/C/mail.xml:1319(title) serverguide/C/lamp-applications.xml:117(title) serverguide/C/lamp-applications.xml:287(title) serverguide/C/lamp-applications.xml:423(title) serverguide/C/installation.xml:13(title) serverguide/C/installation.xml:946(title) serverguide/C/file-server.xml:349(title) serverguide/C/file-server.xml:637(title) serverguide/C/dns.xml:23(title) serverguide/C/databases.xml:39(title) serverguide/C/databases.xml:143(title) serverguide/C/chat.xml:37(title) serverguide/C/chat.xml:136(title) serverguide/C/backups.xml:593(title)

msgid "Installation"

msgstr ""

msgid "That's all there is to it; you are now ready to configure Samba to share files."

msgstr ""

#: serverguide/C/windows-networking.xml:99(title) serverguide/C/windows-networking.xml:311(title) serverguide/C/web-servers.xml:61(title) serverguide/C/web-servers.xml:720(title) serverguide/C/web-servers.xml:821(title) serverguide/C/web-servers.xml:961(title) serverguide/C/web-servers.xml:1061(title) serverguide/C/vcs.xml:39(title) serverguide/C/vcs.xml:423(title) serverguide/C/remote-administration.xml:73(title) serverguide/C/remote-administration.xml:260(title) serverguide/C/package-management.xml:387(title) serverguide/C/network-config.xml:954(title) serverguide/C/network-config.xml:1057(title) serverguide/C/network-auth.xml:2163(title) serverguide/C/network-auth.xml:2536(title) serverguide/C/monitoring.xml:187(title) serverguide/C/monitoring.xml:456(title) serverguide/C/mail.xml:500(title) serverguide/C/mail.xml:690(title) serverguide/C/mail.xml:912(title) serverguide/C/mail.xml:1348(title) serverguide/C/lamp-applications.xml:128(title) serverguide/C/lamp-applications.xml:305(title) serverguide/C/lamp-applications.xml:444(title) serverguide/C/file-server.xml:362(title) serverguide/C/file-server.xml:663(title) serverguide/C/dns.xml:39(title) serverguide/C/databases.xml:75(title) serverguide/C/databases.xml:162(title) serverguide/C/clustering.xml:47(title) serverguide/C/chat.xml:57(title) serverguide/C/chat.xml:148(title) serverguide/C/backups.xml:622(title)

#: serverguide/C/windows-networking.xml:99(title) serverguide/C/windows-networking.xml:311(title) serverguide/C/web-servers.xml:61(title) serverguide/C/web-servers.xml:720(title) serverguide/C/web-servers.xml:821(title) serverguide/C/web-servers.xml:961(title) serverguide/C/web-servers.xml:1061(title) serverguide/C/vcs.xml:39(title) serverguide/C/vcs.xml:423(title) serverguide/C/remote-administration.xml:73(title) serverguide/C/remote-administration.xml:260(title) serverguide/C/package-management.xml:387(title) serverguide/C/network-config.xml:954(title) serverguide/C/network-config.xml:1057(title) serverguide/C/network-auth.xml:2650(title) serverguide/C/network-auth.xml:3023(title) serverguide/C/monitoring.xml:187(title) serverguide/C/monitoring.xml:456(title) serverguide/C/mail.xml:500(title) serverguide/C/mail.xml:690(title) serverguide/C/mail.xml:912(title) serverguide/C/mail.xml:1348(title) serverguide/C/lamp-applications.xml:137(title) serverguide/C/lamp-applications.xml:314(title) serverguide/C/lamp-applications.xml:453(title) serverguide/C/file-server.xml:362(title) serverguide/C/file-server.xml:663(title) serverguide/C/dns.xml:39(title) serverguide/C/databases.xml:75(title) serverguide/C/databases.xml:159(title) serverguide/C/clustering.xml:47(title) serverguide/C/chat.xml:57(title) serverguide/C/chat.xml:148(title) serverguide/C/backups.xml:622(title)

msgid "Configuration"

msgstr ""

155

msgid "Finally, restart the <application>samba</application> services to enable the new configuration:"

156

msgstr ""

157

158

#: serverguide/C/windows-networking.xml:216(command) serverguide/C/windows-networking.xml:338(command) serverguide/C/windows-networking.xml:476(command) serverguide/C/windows-networking.xml:576(command) serverguide/C/windows-networking.xml:926(command) serverguide/C/windows-networking.xml:1080(command) serverguide/C/windows-networking.xml:1187(command) serverguide/C/network-auth.xml:1891(command)

158

159

msgid "sudo restart smbd"

160

msgstr ""

161

162

#: serverguide/C/windows-networking.xml:217(command) serverguide/C/windows-networking.xml:339(command) serverguide/C/windows-networking.xml:477(command) serverguide/C/windows-networking.xml:577(command) serverguide/C/windows-networking.xml:927(command) serverguide/C/windows-networking.xml:1081(command) serverguide/C/windows-networking.xml:1188(command) serverguide/C/network-auth.xml:1892(command)

162

163

msgid "sudo restart nmbd"

164

msgstr ""

165

179

msgid "The file share named <emphasis>\"[share]\"</emphasis> and the path <filename>/srv/samba/share</filename> are just examples. Adjust the share and path names to fit your environment. It is a good idea to name a share after a directory on the file system. Another example would be a share name of <emphasis>[qa]</emphasis> with a path of <filename>/srv/samba/qa</filename>."

180

msgstr ""

181

182

#: serverguide/C/windows-networking.xml:250(title) serverguide/C/windows-networking.xml:349(title) serverguide/C/windows-networking.xml:706(title) serverguide/C/windows-networking.xml:1100(title) serverguide/C/windows-networking.xml:1299(title) serverguide/C/virtualization.xml:368(title) serverguide/C/virtualization.xml:1053(title) serverguide/C/reporting-bugs.xml:304(title) serverguide/C/remote-administration.xml:380(title) serverguide/C/network-config.xml:565(title) serverguide/C/network-config.xml:822(title) serverguide/C/network-auth.xml:1553(title) serverguide/C/network-auth.xml:2007(title) serverguide/C/network-auth.xml:2611(title) serverguide/C/network-auth.xml:3119(title) serverguide/C/installation.xml:880(title) serverguide/C/installation.xml:1166(title) serverguide/C/databases.xml:109(title) serverguide/C/databases.xml:252(title) serverguide/C/backups.xml:861(title)

182

#: serverguide/C/windows-networking.xml:250(title) serverguide/C/windows-networking.xml:349(title) serverguide/C/windows-networking.xml:706(title) serverguide/C/windows-networking.xml:1100(title) serverguide/C/windows-networking.xml:1299(title) serverguide/C/virtualization.xml:368(title) serverguide/C/virtualization.xml:1053(title) serverguide/C/reporting-bugs.xml:304(title) serverguide/C/remote-administration.xml:380(title) serverguide/C/network-config.xml:565(title) serverguide/C/network-config.xml:822(title) serverguide/C/network-auth.xml:1949(title) serverguide/C/network-auth.xml:2489(title) serverguide/C/network-auth.xml:3098(title) serverguide/C/network-auth.xml:3604(title) serverguide/C/installation.xml:880(title) serverguide/C/installation.xml:1166(title) serverguide/C/databases.xml:109(title) serverguide/C/databases.xml:245(title) serverguide/C/backups.xml:861(title)

183

msgid "Resources"

184

msgstr ""

185

824

msgstr ""

825

826

#: serverguide/C/windows-networking.xml:1301(para)

827

msgid "For more <application>smbclient</application> options see the man page: <command>man smbclient</command>, also available <ulink url=\"http://manpages.ubuntu.com/manpages/natty/en/man1/smbclient.1.html\">online</ulink>."

827

828

msgstr ""

829

830

#: serverguide/C/windows-networking.xml:1306(para)

831

msgid "The <application>mount.cifs</application><ulink url=\"http://manpages.ubuntu.com/manpages/natty/en/man8/mount.cifs.8.html\">man page</ulink> is also useful for more detailed information."

831

msgid "The <application>mount.cifs</application><ulink url=\"http://manpages.ubuntu.com/manpages/oneiric/en/man8/mount.cifs.8.html\">man page</ulink> is also useful for more detailed information."

832

msgstr ""

833

834

#: serverguide/C/web-servers.xml:13(title)

984

msgid "sudo a2ensite mynewsite"

985

msgstr ""

986

987

#: serverguide/C/web-servers.xml:261(command) serverguide/C/web-servers.xml:279(command) serverguide/C/web-servers.xml:532(command) serverguide/C/web-servers.xml:541(command) serverguide/C/web-servers.xml:600(command) serverguide/C/mail.xml:936(command) serverguide/C/lamp-applications.xml:228(command)

987

988

msgid "sudo service apache2 restart"

989

msgstr ""

990

1189

msgid "You can access the secure server pages by typing https://your_hostname/url/ in your browser address bar."

1190

msgstr ""

1191

1192

#: serverguide/C/web-servers.xml:618(title) serverguide/C/web-servers.xml:766(title) serverguide/C/web-servers.xml:916(title) serverguide/C/web-servers.xml:1011(title) serverguide/C/web-servers.xml:1233(title) serverguide/C/vpn.xml:802(title) serverguide/C/virtualization.xml:2060(title) serverguide/C/vcs.xml:539(title) serverguide/C/security.xml:875(title) serverguide/C/security.xml:1209(title) serverguide/C/security.xml:1623(title) serverguide/C/security.xml:1809(title) serverguide/C/remote-administration.xml:202(title) serverguide/C/package-management.xml:454(title) serverguide/C/other-apps.xml:330(title) serverguide/C/network-config.xml:992(title) serverguide/C/network-config.xml:1100(title) serverguide/C/monitoring.xml:393(title) serverguide/C/monitoring.xml:529(title) serverguide/C/mail.xml:454(title) serverguide/C/mail.xml:649(title) serverguide/C/mail.xml:801(title) serverguide/C/mail.xml:1221(title) serverguide/C/mail.xml:1692(title) serverguide/C/lamp-applications.xml:250(title) serverguide/C/lamp-applications.xml:379(title) serverguide/C/lamp-applications.xml:487(title) serverguide/C/file-server.xml:291(title) serverguide/C/file-server.xml:438(title) serverguide/C/file-server.xml:607(title) serverguide/C/file-server.xml:794(title) serverguide/C/dns.xml:602(title) serverguide/C/clustering.xml:234(title) serverguide/C/chat.xml:107(title) serverguide/C/chat.xml:216(title) serverguide/C/backups.xml:297(title)

1192

#: serverguide/C/web-servers.xml:618(title) serverguide/C/web-servers.xml:766(title) serverguide/C/web-servers.xml:916(title) serverguide/C/web-servers.xml:1011(title) serverguide/C/web-servers.xml:1233(title) serverguide/C/vpn.xml:802(title) serverguide/C/virtualization.xml:2060(title) serverguide/C/vcs.xml:539(title) serverguide/C/security.xml:875(title) serverguide/C/security.xml:1209(title) serverguide/C/security.xml:1623(title) serverguide/C/security.xml:1809(title) serverguide/C/remote-administration.xml:202(title) serverguide/C/package-management.xml:453(title) serverguide/C/other-apps.xml:330(title) serverguide/C/network-config.xml:992(title) serverguide/C/network-config.xml:1100(title) serverguide/C/monitoring.xml:393(title) serverguide/C/monitoring.xml:529(title) serverguide/C/mail.xml:454(title) serverguide/C/mail.xml:649(title) serverguide/C/mail.xml:801(title) serverguide/C/mail.xml:1221(title) serverguide/C/mail.xml:1692(title) serverguide/C/lamp-applications.xml:259(title) serverguide/C/lamp-applications.xml:388(title) serverguide/C/lamp-applications.xml:496(title) serverguide/C/file-server.xml:291(title) serverguide/C/file-server.xml:438(title) serverguide/C/file-server.xml:607(title) serverguide/C/file-server.xml:794(title) serverguide/C/dns.xml:602(title) serverguide/C/clustering.xml:234(title) serverguide/C/chat.xml:107(title) serverguide/C/chat.xml:216(title) serverguide/C/backups.xml:297(title)

1193

msgid "References"

1194

msgstr ""

1195

2462

msgstr ""

2463

2464

#: serverguide/C/virtualization.xml:94(para)

2465

msgid "There are several ways to automate the Ubuntu installation process, for example using preseeds, kickstart, etc. Refer to the <ulink url=\"https://help.ubuntu.com/11.04/installation-guide/\">Ubuntu Installation Guide</ulink> for details."

2465

msgid "There are several ways to automate the Ubuntu installation process, for example using preseeds, kickstart, etc. Refer to the <ulink url=\"https://help.ubuntu.com/11.10/installation-guide/\">Ubuntu Installation Guide</ulink> for details."

2466

msgstr ""

2467

2468

#: serverguide/C/virtualization.xml:98(para)

2866

msgstr ""

2867

2868

#: serverguide/C/virtualization.xml:576(para)

2869

msgid "As this example is based on <application>KVM</application> and Ubuntu 11.04 (Natty Narwhal), and we are likely to rebuild the same virtual machine multiple time, we'll invoke vmbuilder with the following first parameters:"

2869

msgid "As this example is based on <application>KVM</application> and Ubuntu 11.10 (Oneiric Ocelot), and we are likely to rebuild the same virtual machine multiple time, we'll invoke vmbuilder with the following first parameters:"

2870

msgstr ""

2871

2872

#: serverguide/C/virtualization.xml:582(command)

2873

msgid "sudo vmbuilder kvm ubuntu --suite natty --flavour virtual --arch i386 -o --libvirt qemu:///system"

2873

msgid "sudo vmbuilder kvm ubuntu --suite oneiric --flavour virtual --arch i386 -o --libvirt qemu:///system"

2874

msgstr ""

2875

2876

#: serverguide/C/virtualization.xml:585(para)

2946

msgstr ""

2947

2948

#: serverguide/C/virtualization.xml:679(command)

2949

msgid "sudo vmbuilder kvm ubuntu --suite natty --flavour virtual --arch i386 -o --libvirt qemu:///system --ip 192.168.0.100 --hostname myvm"

2949

msgid "sudo vmbuilder kvm ubuntu --suite oneiric --flavour virtual --arch i386 -o --libvirt qemu:///system --ip 192.168.0.100 --hostname myvm"

2950

msgstr ""

2951

2952

#: serverguide/C/virtualization.xml:684(title) serverguide/C/network-config.xml:504(title)

2958

msgstr ""

2959

2960

#: serverguide/C/virtualization.xml:692(command)

2961

msgid "sudo vmbuilder kvm ubuntu --suite natty --flavour virtual --arch i386 -o --libvirt qemu:///system --ip 192.168.0.100 --hostname myvm --bridge br0"

2961

msgid "sudo vmbuilder kvm ubuntu --suite oneiric --flavour virtual --arch i386 -o --libvirt qemu:///system --ip 192.168.0.100 --hostname myvm --bridge br0"

2962

msgstr ""

2963

2964

#: serverguide/C/virtualization.xml:696(para)

3000

msgstr ""

3001

3002

#: serverguide/C/virtualization.xml:753(command)

3003

msgid "sudo vmbuilder kvm ubuntu --suite natty --flavour virtual --arch i386 \\ -o --libvirt qemu:///system --ip 192.168.0.100 --hostname myvm --part vmbuilder.partition"

3003

msgid "sudo vmbuilder kvm ubuntu --suite oneiric --flavour virtual --arch i386 \\ -o --libvirt qemu:///system --ip 192.168.0.100 --hostname myvm --part vmbuilder.partition"

3004

msgstr ""

3005

3006

#: serverguide/C/virtualization.xml:758(para)

3036

msgstr ""

3037

3038

#: serverguide/C/virtualization.xml:802(command)

3039

msgid "sudo vmbuilder kvm ubuntu --suite natty --flavour virtual --arch i386 \\ -o --libvirt qemu:///system --ip 192.168.0.100 --hostname myvm --part vmbuilder.partition \\ --user user --name user --pass default"

3039

msgid "sudo vmbuilder kvm ubuntu --suite oneiric --flavour virtual --arch i386 \\ -o --libvirt qemu:///system --ip 192.168.0.100 --hostname myvm --part vmbuilder.partition \\ --user user --name user --pass default"

3040

msgstr ""

3041

3042

#: serverguide/C/virtualization.xml:810(title)

3152

3153

#: serverguide/C/virtualization.xml:935(programlisting)

3154

#, no-wrap

3155

msgid "\ndeb http://archive.ubuntu.com/ubuntu natty main restricted universe multiverse \n/deb-i386 http://archive.ubuntu.com/ubuntu natty main restricted universe multiverse\n\ndeb http://archive.ubuntu.com/ubuntu natty-updates main restricted universe multiverse \n/deb-i386 http://archive.ubuntu.com/ubuntu natty-updates main restricted universe multiverse \n\ndeb http://archive.ubuntu.com/ubuntu/ natty-backports main restricted universe multiverse \n/deb-i386 http://archive.ubuntu.com/ubuntu natty-backports main restricted universe multiverse \n\ndeb http://security.ubuntu.com/ubuntu natty-security main restricted universe multiverse \n/deb-i386 http://security.ubuntu.com/ubuntu natty-security main restricted universe multiverse \n\ndeb http://archive.ubuntu.com/ubuntu natty main/debian-installer restricted/debian-installer universe/debian-installer multiverse/debian-installer \n/deb-i386 http://archive.ubuntu.com/ubuntu natty main/debian-installer restricted/debian-installer universe/debian-installer multiverse/debian-installer \n"

3155

msgid "\ndeb http://archive.ubuntu.com/ubuntu oneiric main restricted universe multiverse \n/deb-i386 http://archive.ubuntu.com/ubuntu oneiric main restricted universe multiverse\n\ndeb http://archive.ubuntu.com/ubuntu oneiric-updates main restricted universe multiverse \n/deb-i386 http://archive.ubuntu.com/ubuntu oneiric-updates main restricted universe multiverse \n\ndeb http://archive.ubuntu.com/ubuntu/ oneiric-backports main restricted universe multiverse \n/deb-i386 http://archive.ubuntu.com/ubuntu oneiric-backports main restricted universe multiverse \n\ndeb http://security.ubuntu.com/ubuntu oneiric-security main restricted universe multiverse \n/deb-i386 http://security.ubuntu.com/ubuntu oneiric-security main restricted universe multiverse \n\ndeb http://archive.ubuntu.com/ubuntu oneiric main/debian-installer restricted/debian-installer universe/debian-installer multiverse/debian-installer \n/deb-i386 http://archive.ubuntu.com/ubuntu oneiric main/debian-installer restricted/debian-installer universe/debian-installer multiverse/debian-installer \n"

3156

msgstr ""

3157

3158

#: serverguide/C/virtualization.xml:952(para)

3224

msgstr ""

3225

3226

#: serverguide/C/virtualization.xml:1040(command)

3227

msgid "sudo vmbuilder kvm ubuntu --suite natty --flavour virtual --arch i386 -o \\ --libvirt qemu:///system --ip 192.168.0.100 --hostname myvm --part vmbuilder.partition --user user \\ --name user --pass default --addpkg apache2 --addpkg apache2-mpm-prefork \\ --addpkg apache2-utils --addpkg apache2.2-common --addpkg dbconfig-common \\ --addpkg libapache2-mod-php5 --addpkg mysql-client --addpkg php5-cli \\ --addpkg php5-gd --addpkg php5-ldap --addpkg php5-mysql --addpkg wwwconfig-common \\ --addpkg mysql-server --addpkg unattended-upgrades --addpkg acpid --ppa nijaba \\ --mirror http://mirroraddress:9999/ubuntu"

3227

msgid "sudo vmbuilder kvm ubuntu --suite oneiric --flavour virtual --arch i386 -o \\ --libvirt qemu:///system --ip 192.168.0.100 --hostname myvm --part vmbuilder.partition --user user \\ --name user --pass default --addpkg apache2 --addpkg apache2-mpm-prefork \\ --addpkg apache2-utils --addpkg apache2.2-common --addpkg dbconfig-common \\ --addpkg libapache2-mod-php5 --addpkg mysql-client --addpkg php5-cli \\ --addpkg php5-gd --addpkg php5-ldap --addpkg php5-mysql --addpkg wwwconfig-common \\ --addpkg mysql-server --addpkg unattended-upgrades --addpkg acpid --ppa nijaba \\ --mirror http://mirroraddress:9999/ubuntu"

3228

msgstr ""

3229

3230

#: serverguide/C/virtualization.xml:1054(para)

3247

msgid "UEC"

3248

msgstr ""

3249

3250

#: serverguide/C/virtualization.xml:1080(title) serverguide/C/network-auth.xml:2058(title) serverguide/C/monitoring.xml:15(title) serverguide/C/lamp-applications.xml:17(title) serverguide/C/installation.xml:916(title) serverguide/C/dns.xml:64(title) serverguide/C/chat.xml:17(title) serverguide/C/backups.xml:541(title)

3250

#: serverguide/C/virtualization.xml:1080(title) serverguide/C/network-auth.xml:2545(title) serverguide/C/monitoring.xml:15(title) serverguide/C/lamp-applications.xml:17(title) serverguide/C/installation.xml:916(title) serverguide/C/dns.xml:64(title) serverguide/C/chat.xml:17(title) serverguide/C/backups.xml:541(title)

3251

msgid "Overview"

3252

msgstr ""

3253

3254

#: serverguide/C/virtualization.xml:1082(para)

3255

msgid "This tutorial covers <application>UEC</application> installation from the Ubuntu 11.04 Server Edition CD, and assumes a basic network topology, with a single system serving as the <emphasis>\"all-in-one controller\"</emphasis>, and one or more nodes attached."

3255

msgid "This tutorial covers <application>UEC</application> installation from the Ubuntu 11.10 Server Edition CD, and assumes a basic network topology, with a single system serving as the <emphasis>\"all-in-one controller\"</emphasis>, and one or more nodes attached."

3256

msgstr ""

3257

3258

#: serverguide/C/virtualization.xml:1087(para)

3460

msgstr ""

3461

3462

#: serverguide/C/virtualization.xml:1273(para)

3463

msgid "Download the Ubuntu 11.04 Server ISO file, and burn it to a CD."

3463

msgid "Download the Ubuntu 11.10 Server ISO file, and burn it to a CD."

3464

msgstr ""

3465

3466

#: serverguide/C/virtualization.xml:1278(para)

4757

msgstr ""

4758

4759

#: serverguide/C/security.xml:17(para)

4760

msgid "This chapter provides an overview of security related topics as they pertain to Ubuntu 11.04 Server Edition, and outlines simple measures you may use to protect your server and network from any number of potential security threats."

4760

msgid "This chapter provides an overview of security related topics as they pertain to Ubuntu 11.10 Server Edition, and outlines simple measures you may use to protect your server and network from any number of potential security threats."

4761

msgstr ""

4762

4763

#: serverguide/C/security.xml:21(title)

5706

msgid "<filename>/etc/init.d/apparmor</filename> can be used to <emphasis>reload</emphasis> all profiles:"

5707

msgstr ""

5708

5709

#: serverguide/C/security.xml:1009(command) serverguide/C/network-auth.xml:645(command)

5709

#: serverguide/C/security.xml:1009(command)

5710

msgid "sudo /etc/init.d/apparmor reload"

5711

msgstr ""

5712

6341

msgstr ""

6342

6343

#: serverguide/C/security.xml:1823(para)

6344

msgid "Also, for more <application>ecryptfs</application> options see the <ulink url=\"http://manpages.ubuntu.com/manpages/natty/en/man7/ecryptfs.7.html\">ecryptfs man page</ulink>."

6344

msgid "Also, for more <application>ecryptfs</application> options see the <ulink url=\"http://manpages.ubuntu.com/manpages/oneiric/en/man7/ecryptfs.7.html\">ecryptfs man page</ulink>."

6345

msgstr ""

6346

6347

#: serverguide/C/security.xml:1829(para)

6524

msgstr ""

6525

6526

#: serverguide/C/remote-administration.xml:14(para)

6527

msgid "There are many ways to remotely administer a Linux server. This chapter will cover one of the most popular <application>OpenSSH</application>."

6527

msgid "There are many ways to remotely administer a Linux server. This chapter will cover one of the most popular <application>OpenSSH</application>, and one of the most growing usage <application>Puppet</application> ."

6528

msgstr ""

6529

6530

#: serverguide/C/remote-administration.xml:22(para)

6692

msgstr ""

6693

6694

#: serverguide/C/remote-administration.xml:234(para)

6695

msgid "This section will cover installing and configuring <application>puppet</application> in a client/server configuration. This simple example will demonstrate how to install <application>Apache</application> using <application>Puppet</application>."

6695

msgid "This section will cover installing and configuring <application>Puppet</application> in a client/server configuration. This simple example will demonstrate how to install <application>Apache</application> using <application>Puppet</application>."

6696

msgstr ""

6697

6698

#: serverguide/C/remote-administration.xml:242(para)

6699

msgid "To install <application>puppet</application>, in a terminal on the <emphasis>server</emphasis> enter:"

6699

msgid "To install <application>Puppet</application>, in a terminal on the <emphasis>server</emphasis> enter:"

6700

msgstr ""

6701

6702

#: serverguide/C/remote-administration.xml:247(command)

6712

msgstr ""

6713

6714

#: serverguide/C/remote-administration.xml:262(para)

6715

msgid "Prior to configuring <application>puppet</application> you may want to add a DNS <emphasis>CNAME</emphasis> record for <emphasis>puppet.example.com</emphasis>, where <emphasis>example.com</emphasis> is your domain. By default <application>puppet</application> clients check DNS for puppet.example.com as the puppet server name, or <emphasis>Puppet Master</emphasis>. See <xref linkend=\"dns\"/> for more DNS details."

6715

msgid "Prior to configuring <application>puppet</application> you may want to add a DNS <emphasis>CNAME</emphasis> record for <emphasis>puppet.example.com</emphasis>, where <emphasis>example.com</emphasis> is your domain. By default <application>Puppet</application> clients check DNS for puppet.example.com as the puppet server name, or <emphasis>Puppet Master</emphasis>. See <xref linkend=\"dns\"/> for more DNS details."

6716

msgstr ""

6717

6718

#: serverguide/C/remote-administration.xml:269(para)

6719

msgid "If you do not wish to use DNS, you can add entries to the server and client <filename>/etc/hosts</filename> file. For example, in the <application>puppet</application> server's <filename>/etc/hosts</filename> file add:"

6719

msgid "If you do not wish to use DNS, you can add entries to the server and client <filename>/etc/hosts</filename> file. For example, in the <application>Puppet</application> server's <filename>/etc/hosts</filename> file add:"

6720

msgstr ""

6721

6722

#: serverguide/C/remote-administration.xml:274(programlisting)

6725

msgstr ""

6726

6727

#: serverguide/C/remote-administration.xml:279(para)

6728

msgid "On each <application>puppet</application> client, add an entry for the server:"

6728

msgid "On each <application>Puppet</application> client, add an entry for the server:"

6729

msgstr ""

6730

6731

#: serverguide/C/remote-administration.xml:283(programlisting)

6756

msgstr ""

6757

6758

#: serverguide/C/remote-administration.xml:324(para)

6759

msgid "Replace <emphasis>meercat02.example.com</emphasis> with your actual puppet client's host name."

6759

msgid "Replace <emphasis>meercat02.example.com</emphasis> with your actual <application>Puppet</application> client's host name."

6760

msgstr ""

6761

6762

#: serverguide/C/remote-administration.xml:329(para)

6763

msgid "The final step for this simple <application>puppet</application> server is to restart the daemon:"

6763

msgid "The final step for this simple <application>Puppet</application> server is to restart the daemon:"

6764

msgstr ""

6765

6766

#: serverguide/C/remote-administration.xml:334(command)

6768

msgstr ""

6769

6770

#: serverguide/C/remote-administration.xml:337(para)

6771

msgid "Now everything is configured on the <application>puppet</application> server, it is time to configure the client."

6771

msgid "Now everything is configured on the <application>Puppet</application> server, it is time to configure the client."

6772

msgstr ""

6773

6774

#: serverguide/C/remote-administration.xml:341(para)

6775

msgid "First, configure the <application>puppet agent</application> daemon to start. Edit <filename>/etc/default/puppet</filename>, changing <emphasis>START</emphasis> to yes:"

6775

msgid "First, configure the <application>Puppet</application>agent daemon to start. Edit <filename>/etc/default/puppet</filename>, changing <emphasis>START</emphasis> to yes:"

6776

msgstr ""

6777

6778

#: serverguide/C/remote-administration.xml:346(programlisting) serverguide/C/mail.xml:628(programlisting)

6789

msgstr ""

6790

6791

#: serverguide/C/remote-administration.xml:358(para)

6792

msgid "Back on the <application>puppet</application> server sign the client certificate by entering:"

6792

msgid "Back on the <application>Puppet</application> server sign the client certificate by entering:"

6793

msgstr ""

6794

6795

#: serverguide/C/remote-administration.xml:363(command)

6797

msgstr ""

6798

6799

#: serverguide/C/remote-administration.xml:366(para)

6800

msgid "Check <filename>/var/log/syslog</filename> for any errors with the configuration. If all goes well the <application>apache2</application> package and it's dependencies will be installed on the <application>puppet</application> client."

6800

6801

msgstr ""

6802

6803

#: serverguide/C/remote-administration.xml:372(para)

6804

msgid "This example is <emphasis>very</emphasis> simple, and does not highlight many of <application>Puppet's</application> features and benefits. For more information see <xref linkend=\"puppet-resources\"/>."

6804

msgid "This example is <emphasis>very</emphasis> simple, and does not highlight many of <application>Puppet</application>'s features and benefits. For more information see <xref linkend=\"puppet-resources\"/>."

6805

msgstr ""

6806

6807

#: serverguide/C/remote-administration.xml:384(para)

6809

msgstr ""

6810

6811

#: serverguide/C/remote-administration.xml:389(para)

6812

msgid "Also see <ulink url=\"http://apress.com/book/view/1590599780\">Pulling Strings with Puppet</ulink>."

6812

msgid "Also see <ulink url=\"http://www.apress.com/9781430230571\">Pro Puppet</ulink>."

6813

msgstr ""

6814

6815

#: serverguide/C/remote-administration.xml:394(para)

6821

msgstr ""

6822

6823

#: serverguide/C/package-management.xml:14(para)

6824

msgid "Ubuntu features a comprehensive package management system for the installation, upgrade, configuration, and removal of software. In addition to providing access to an organized base of over 24,000 software packages for your Ubuntu computer, the package management facilities also feature dependency resolution capabilities and software update checking."

6824

msgid "Ubuntu features a comprehensive package management system for the installation, upgrade, configuration, and removal of software. In addition to providing access to an organized base of over 35,000 software packages for your Ubuntu computer, the package management facilities also feature dependency resolution capabilities and software update checking."

6825

msgstr ""

6826

6827

#: serverguide/C/package-management.xml:16(para)

6837

msgstr ""

6838

6839

#: serverguide/C/package-management.xml:27(para)

6840

msgid "Many complex packages use the concept of <emphasis role=\"italics\">dependencies</emphasis>. Dependencies are additional packages required by the principal package in order to function properly. For example, the speech synthesis package <application>Festival</application> depends upon the package <application>libasound2</application>, which is a package supplying the <application>ALSA</application> sound library needed for audio playback. In order for <application>Festival</application> to function, it and all of its dependencies must be installed. The software management tools in Ubuntu will do this automatically."

6840

msgid "Many complex packages use the concept of <emphasis role=\"italics\">dependencies</emphasis>. Dependencies are additional packages required by the principal package in order to function properly. For example, the speech synthesis package <application>festival</application> depends upon the package <application>libasound2</application>, which is a package supplying the <application>ALSA</application> sound library needed for audio playback. In order for <application>festival</application> to function, it and all of its dependencies must be installed. The software management tools in Ubuntu will do this automatically."

6841

msgstr ""

6842

6843

#: serverguide/C/package-management.xml:32(title)

6902

msgstr ""

6903

6904

#: serverguide/C/package-management.xml:110(command)

6905

msgid "sudo dpkg -i zip_2.32-1_i386.deb"

6905

msgid "sudo dpkg -i zip_3.0-4_i386.deb"

6906

msgstr ""

6907

6908

#: serverguide/C/package-management.xml:113(para)

6909

msgid "Change <filename>zip_2.32-1_i386.deb</filename> to the actual file name of the local .deb file."

6909

msgid "Change <filename>zip_3.0-4_i386.deb</filename> to the actual file name of the local .deb file."

6910

msgstr ""

6911

6912

#: serverguide/C/package-management.xml:120(para)

6954

msgstr ""

6955

6956

#: serverguide/C/package-management.xml:181(para)

6957

msgid "<emphasis role=\"bold\">Update the Package Index</emphasis>: The APT package index is essentially a database of available packages from the repositories defined in the <filename>/etc/apt/sources.list</filename> file. To update the local package index with the latest changes made in repositories, type the following: <screen>\n<command>sudo apt-get update</command>\n</screen>"

6957

msgid "<emphasis role=\"bold\">Update the Package Index</emphasis>: The APT package index is essentially a database of available packages from the repositories defined in the <filename>/etc/apt/sources.list</filename> file and in the <filename>/etc/apt/sources.list.d</filename> directory. To update the local package index with the latest changes made in repositories, type the following: <screen>\n<command>sudo apt-get update</command>\n</screen>"

6958

msgstr ""

6959

6960

#: serverguide/C/package-management.xml:189(para)

7071

7072

#: serverguide/C/package-management.xml:301(programlisting)

7073

#, no-wrap

7074

msgid "\nUnattended-Upgrade::Allowed-Origins {\n \"Ubuntu natty-security\";\n// \"Ubuntu natty-updates\";\n};\n"

7074

msgid "\nUnattended-Upgrade::Allowed-Origins {\n \"Ubuntu oneiric-security\";\n// \"Ubuntu oneiric-updates\";\n};\n"

7075

msgstr ""

7076

7077

#: serverguide/C/package-management.xml:308(para)

7138

msgstr ""

7139

7140

#: serverguide/C/package-management.xml:389(para)

7141

msgid "Configuration of the <emphasis>Advanced Packaging Tool</emphasis> (APT) system repositories is stored in the /etc/apt/sources.list configuration file. An example of this file is referenced here, along with information on adding or removing repository references from the file."

7141

msgid "Configuration of the <emphasis>Advanced Packaging Tool</emphasis> (APT) system repositories is stored in the <filename>/etc/apt/sources.list</filename> file and the <filename>/etc/apt/sources.list.d</filename> directory. An example of this file is referenced here, along with information on adding or removing repository references from the file."

7142

msgstr ""

7143

7144

#: serverguide/C/package-management.xml:395(para)

7144

#: serverguide/C/package-management.xml:394(para)

7145

msgid "<ulink url=\"../sample/sources.list\">Here</ulink> is a simple example of a typical <filename>/etc/apt/sources.list</filename> file."

7146

msgstr ""

7147

7148

#: serverguide/C/package-management.xml:399(para)

7148

#: serverguide/C/package-management.xml:398(para)

7149

msgid "You may edit the file to enable repositories or disable them. For example, to disable the requirement of inserting the Ubuntu CD-ROM whenever package operations occur, simply comment out the appropriate line for the CD-ROM, which appears at the top of the file:"

7150

msgstr ""

7151

7152

#: serverguide/C/package-management.xml:404(screen)

7152

#: serverguide/C/package-management.xml:403(screen)

7153

#, no-wrap

7154

msgid "\n# no more prompting for CD-ROM please\n# deb cdrom:[Ubuntu 11.04 _Natty Narwhal_ - Release i386 (20070419.1)]/ natty main restricted\n"

7154

msgid "\n# no more prompting for CD-ROM please\n# deb cdrom:[Ubuntu 11.10 _Oneiric Ocelot_ - Release i386 (20111013.1)]/ oneiric main restricted\n"

7155

msgstr ""

7156

7157

#: serverguide/C/package-management.xml:410(title)

7157

#: serverguide/C/package-management.xml:409(title)

7158

msgid "Extra Repositories"

7159

msgstr ""

7160

7161

#: serverguide/C/package-management.xml:411(para)

7161

#: serverguide/C/package-management.xml:410(para)

7162

msgid "In addition to the officially supported package repositories available for Ubuntu, there exist additional community-maintained repositories which add thousands more potential packages for installation. Two of the most popular are the <emphasis>Universe</emphasis> and <emphasis>Multiverse</emphasis> repositories. These repositories are not officially supported by Ubuntu, but because they are maintained by the community they generally provide packages which are safe for use with your Ubuntu computer."

7163

msgstr ""

7164

7165

#: serverguide/C/package-management.xml:414(para)

7165

#: serverguide/C/package-management.xml:413(para)

7166

msgid "Packages in the <emphasis>Multiverse</emphasis> repository often have licensing issues that prevent them from being distributed with a free operating system, and they may be illegal in your locality."

7167

msgstr ""

7168

7169

#: serverguide/C/package-management.xml:416(para)

7169

#: serverguide/C/package-management.xml:415(para)

7170

msgid "Be advised that neither the <emphasis>Universe</emphasis> or <emphasis>Multiverse</emphasis> repositories contain officially supported packages. In particular, there may not be security updates for these packages."

7171

msgstr ""

7172

7173

#: serverguide/C/package-management.xml:420(para)

7173

#: serverguide/C/package-management.xml:419(para)

7174

msgid "Many other package sources are available, sometimes even offering only one package, as in the case of package sources provided by the developer of a single application. You should always be very careful and cautious when using non-standard package sources, however. Research the source and packages carefully before performing any installation, as some package sources and their packages could render your system unstable or non-functional in some respects."

7175

msgstr ""

7176

7177

#: serverguide/C/package-management.xml:423(para)

7177

#: serverguide/C/package-management.xml:422(para)

7178

msgid "By default, the <emphasis>Universe</emphasis> and <emphasis>Multiverse</emphasis> repositories are enabled but if you would like to disable them edit <filename>/etc/apt/sources.list</filename> and comment the following lines:"

7179

msgstr ""

7180

7181

#: serverguide/C/package-management.xml:430(programlisting)

7181

#: serverguide/C/package-management.xml:429(programlisting)

7182

#, no-wrap

7183

msgid "\ndeb http://archive.ubuntu.com/ubuntu natty universe multiverse\ndeb-src http://archive.ubuntu.com/ubuntu natty universe multiverse\n\ndeb http://us.archive.ubuntu.com/ubuntu/ natty universe\ndeb-src http://us.archive.ubuntu.com/ubuntu/ natty universe\ndeb http://us.archive.ubuntu.com/ubuntu/ natty-updates universe\ndeb-src http://us.archive.ubuntu.com/ubuntu/ natty-updates universe\n\ndeb http://us.archive.ubuntu.com/ubuntu/ natty multiverse\ndeb-src http://us.archive.ubuntu.com/ubuntu/ natty multiverse\ndeb http://us.archive.ubuntu.com/ubuntu/ natty-updates multiverse\ndeb-src http://us.archive.ubuntu.com/ubuntu/ natty-updates multiverse\n\ndeb http://security.ubuntu.com/ubuntu natty-security universe\ndeb-src http://security.ubuntu.com/ubuntu natty-security universe\ndeb http://security.ubuntu.com/ubuntu natty-security multiverse\ndeb-src http://security.ubuntu.com/ubuntu natty-security multiverse\n"

7183

msgid "\ndeb http://archive.ubuntu.com/ubuntu oneiric universe multiverse\ndeb-src http://archive.ubuntu.com/ubuntu oneiric universe multiverse\n\ndeb http://us.archive.ubuntu.com/ubuntu/ oneiric universe\ndeb-src http://us.archive.ubuntu.com/ubuntu/ oneiric universe\ndeb http://us.archive.ubuntu.com/ubuntu/ oneiric-updates universe\ndeb-src http://us.archive.ubuntu.com/ubuntu/ oneiric-updates universe\n\ndeb http://us.archive.ubuntu.com/ubuntu/ oneiric multiverse\ndeb-src http://us.archive.ubuntu.com/ubuntu/ oneiric multiverse\ndeb http://us.archive.ubuntu.com/ubuntu/ oneiric-updates multiverse\ndeb-src http://us.archive.ubuntu.com/ubuntu/ oneiric-updates multiverse\n\ndeb http://security.ubuntu.com/ubuntu oneiric-security universe\ndeb-src http://security.ubuntu.com/ubuntu oneiric-security universe\ndeb http://security.ubuntu.com/ubuntu oneiric-security multiverse\ndeb-src http://security.ubuntu.com/ubuntu oneiric-security multiverse\n"

7184

msgstr ""

7185

7186

#: serverguide/C/package-management.xml:456(para)

7186

#: serverguide/C/package-management.xml:455(para)

7187

msgid "Most of the material covered in this chapter is available in <application>man</application> pages, many of which are available online."

7188

msgstr ""

7189

7190

#: serverguide/C/package-management.xml:463(para)

7190

#: serverguide/C/package-management.xml:462(para)

7191

msgid "The <ulink url=\"https://help.ubuntu.com/community/InstallingSoftware\">InstallingSoftware</ulink> Ubuntu wiki page has more information."

7192

msgstr ""

7193

7194

#: serverguide/C/package-management.xml:468(para)

7195

msgid "For more <application>dpkg</application> details see the <ulink url=\"http://manpages.ubuntu.com/manpages/natty/en/man1/dpkg.1.html\">dpkg man page</ulink>."

7196

msgstr ""

7197

7198

#: serverguide/C/package-management.xml:474(para)

7199

msgid "The <ulink url=\"http://www.debian.org/doc/manuals/apt-howto/\">APT HOWTO</ulink> and <ulink url=\"http://manpages.ubuntu.com/manpages/natty/en/man8/apt-get.8.html\">apt-get man page</ulink> contain useful information regarding <application>apt-get</application> usage."

7200

msgstr ""

7201

7202

#: serverguide/C/package-management.xml:481(para)

7203

msgid "See the <ulink url=\"http://manpages.ubuntu.com/manpages/natty/man8/aptitude.8.html\">aptitude man page</ulink> for more <application>aptitude</application> options."

7204

msgstr ""

7205

7206

#: serverguide/C/package-management.xml:487(para)

7194

#: serverguide/C/package-management.xml:467(para)

7195

msgid "For more <application>dpkg</application> details see the <ulink url=\"http://manpages.ubuntu.com/manpages/oneiric/en/man1/dpkg.1.html\">dpkg man page</ulink>."

7196

msgstr ""

7197

7198

#: serverguide/C/package-management.xml:473(para)

7199

msgid "The <ulink url=\"http://www.debian.org/doc/manuals/apt-howto/\">APT HOWTO</ulink> and <ulink url=\"http://manpages.ubuntu.com/manpages/oneiric/en/man8/apt-get.8.html\">apt-get man page</ulink> contain useful information regarding <application>apt-get</application> usage."

7200

msgstr ""

7201

7202

#: serverguide/C/package-management.xml:480(para)

7203

msgid "See the <ulink url=\"http://manpages.ubuntu.com/manpages/oneiric/man8/aptitude.8.html\">aptitude man page</ulink> for more <application>aptitude</application> options."

7204

msgstr ""

7205

7206

#: serverguide/C/package-management.xml:486(para)

7207

msgid "The <ulink url=\"https://help.ubuntu.com/community/Repositories/Ubuntu\">Adding Repositories HOWTO (Ubuntu Wiki)</ulink> page contains more details on adding repositories."

7208

msgstr ""

7209

7475

msgstr ""

7476

7477

#: serverguide/C/other-apps.xml:334(para)

7478

msgid "See the <ulink url=\"http://manpages.ubuntu.com/manpages/natty/en/man1/update-motd.1.html\">update-motd man page</ulink> for more options available to <application>update-motd</application>."

7478

msgid "See the <ulink url=\"http://manpages.ubuntu.com/manpages/oneiric/en/man1/update-motd.1.html\">update-motd man page</ulink> for more options available to <application>update-motd</application>."

7479

msgstr ""

7480

7481

#: serverguide/C/other-apps.xml:340(para)

7936

msgstr ""

7937

7938

#: serverguide/C/network-config.xml:579(para)

7939

msgid "The <ulink url=\"http://manpages.ubuntu.com/manpages/natty/en/man5/interfaces.5.html\">interfaces man page</ulink> has details on more options for <filename>/etc/network/interfaces</filename>."

7939

msgid "The <ulink url=\"http://manpages.ubuntu.com/manpages/oneiric/en/man5/interfaces.5.html\">interfaces man page</ulink> has details on more options for <filename>/etc/network/interfaces</filename>."

7940

msgstr ""

7941

7942

#: serverguide/C/network-config.xml:585(para)

7943

msgid "The <ulink url=\"http://manpages.ubuntu.com/manpages/natty/en/man8/dhclient.8.html\">dhclient man page</ulink> has details on more options for configuring DHCP client settings."

7943

msgid "The <ulink url=\"http://manpages.ubuntu.com/manpages/oneiric/en/man8/dhclient.8.html\">dhclient man page</ulink> has details on more options for configuring DHCP client settings."

7944

msgstr ""

7945

7946

#: serverguide/C/network-config.xml:591(para)

7947

msgid "For more information on DNS client configuration see the <ulink url=\"http://manpages.ubuntu.com/manpages/natty/en/man5/resolver.5.html\">resolver man page</ulink>. Also, Chapter 6 of O'Reilly's <ulink url=\"http://oreilly.com/catalog/linag2/book/ch06.html\">Linux Network Administrator's Guide</ulink> is a good source of resolver and name service configuration information."

7947

msgid "For more information on DNS client configuration see the <ulink url=\"http://manpages.ubuntu.com/manpages/oneiric/en/man5/resolver.5.html\">resolver man page</ulink>. Also, Chapter 6 of O'Reilly's <ulink url=\"http://oreilly.com/catalog/linag2/book/ch06.html\">Linux Network Administrator's Guide</ulink> is a good source of resolver and name service configuration information."

7948

msgstr ""

7949

7950

#: serverguide/C/network-config.xml:599(para)

7951

msgid "For more information on <emphasis>bridging</emphasis> see the <ulink url=\"http://manpages.ubuntu.com/manpages/natty/en/man8/brctl.8.html\">brctl man page</ulink> and the Linux Foundation's <ulink url=\"http://www.linuxfoundation.org/en/Net:Bridge\">Net:Bridge</ulink> page."

7951

msgid "For more information on <emphasis>bridging</emphasis> see the <ulink url=\"http://manpages.ubuntu.com/manpages/oneiric/en/man8/brctl.8.html\">brctl man page</ulink> and the Linux Foundation's <ulink url=\"http://www.linuxfoundation.org/en/Net:Bridge\">Net:Bridge</ulink> page."

7952

msgstr ""

7953

7954

#: serverguide/C/network-config.xml:610(title)

8068

msgstr ""

8069

8070

#: serverguide/C/network-config.xml:826(para)

8071

msgid "There are man pages for <ulink url=\"http://manpages.ubuntu.com/manpages/natty/en/man7/tcp.7.html\">TCP</ulink> and <ulink url=\"http://manpages.ubuntu.com/manpages/natty/man7/ip.7.html\">IP</ulink> that contain more useful information."

8071

msgid "There are man pages for <ulink url=\"http://manpages.ubuntu.com/manpages/oneiric/en/man7/tcp.7.html\">TCP</ulink> and <ulink url=\"http://manpages.ubuntu.com/manpages/oneiric/man7/ip.7.html\">IP</ulink> that contain more useful information."

8072

msgstr ""

8073

8074

#: serverguide/C/network-config.xml:832(para)

8201

msgstr ""

8202

8203

#: serverguide/C/network-config.xml:1001(para)

8204

msgid "For more <filename>/etc/dhcp/dhcpd.conf</filename> options see the <ulink url=\"http://manpages.ubuntu.com/manpages/natty/en/man5/dhcpd.conf.5.html\">dhcpd.conf man page</ulink>."

8204

msgid "For more <filename>/etc/dhcp/dhcpd.conf</filename> options see the <ulink url=\"http://manpages.ubuntu.com/manpages/oneiric/en/man5/dhcpd.conf.5.html\">dhcpd.conf man page</ulink>."

8205

msgstr ""

8206

8207

#: serverguide/C/network-config.xml:1008(ulink)

8296

msgid "ntp.org, home of the Network Time Protocol project"

8297

msgstr ""

8298

8299

#: serverguide/C/network-auth.xml:13(title)

8299

#: serverguide/C/network-auth.xml:14(title)

8300

msgid "Network Authentication"

8301

msgstr ""

8302

8303

#: serverguide/C/network-auth.xml:15(para)

8304

msgid "This section explains various Network Authentication protocols."

8303

#: serverguide/C/network-auth.xml:16(para)

8304

msgid "This section applies LDAP to network authentication."

8305

msgstr ""

8306

8307

#: serverguide/C/network-auth.xml:19(title)

8307

#: serverguide/C/network-auth.xml:21(title)

8308

msgid "OpenLDAP Server"

8309

msgstr ""

8310

8311

#: serverguide/C/network-auth.xml:20(para)

8312

msgid "LDAP is an acronym for Lightweight Directory Access Protocol, it is a simplified version of the X.500 protocol. The directory setup in this section will be used for authentication. Nevertheless, LDAP can be used in numerous ways: authentication, shared directory (for mail clients), address book, etc."

8313

msgstr ""

8314

8315

#: serverguide/C/network-auth.xml:28(para)

8316

msgid "To describe LDAP quickly, all information is stored in a tree structure. With <application>OpenLDAP</application> you have freedom to determine the directory arborescence (the Directory Information Tree: the DIT) yourself. We will begin with a basic tree containing two nodes below the root:"

8317

msgstr ""

8318

8319

#: serverguide/C/network-auth.xml:37(para)

8320

msgid "\"People\" node where your users will be stored"

8321

msgstr ""

8322

8323

#: serverguide/C/network-auth.xml:40(para)

8324

msgid "\"Groups\" node where your groups will be stored"

8325

msgstr ""

8326

8327

#: serverguide/C/network-auth.xml:44(para)

8328

msgid "Before beginning, you should determine what the root of your LDAP directory will be. By default, your tree will be determined by your Fully Qualified Domain Name (FQDN). If your domain is example.com (which we will use in this example), your root node will be dc=example,dc=com."

8329

msgstr ""

8330

8331

#: serverguide/C/network-auth.xml:54(para)

8332

msgid "First, install the <application>OpenLDAP</application> server daemon <application>slapd</application> and <application>ldap-utils</application>, a package containing LDAP management utilities:"

8333

msgstr ""

8334

8335

#: serverguide/C/network-auth.xml:60(command)

8311

#: serverguide/C/network-auth.xml:23(para)

8312

msgid "The Lightweight Directory Access Protocol, or LDAP, is a protocol for querying and modifying a X.500-based directory service running over TCP/IP. The current LDAP version is LDAPv3, as defined in <ulink url=\"http://tools.ietf.org/html/rfc4510\">RFC4510</ulink>, and the LDAP implementation used in Ubuntu is OpenLDAP, currently at version 2.4.25 (Oneiric)."

8313

msgstr ""

8314

8315

#: serverguide/C/network-auth.xml:29(para)

8316

msgid "So this protocol accesses LDAP directories. Here are some key concepts and terms:"

8317

msgstr ""

8318

8319

#: serverguide/C/network-auth.xml:36(para)

8320

msgid "A LDAP directory is a tree of data <emphasis>entries</emphasis> that is hierarchical in nature and is called the Directory Information Tree (DIT)."

8321

msgstr ""

8322

8323

#: serverguide/C/network-auth.xml:43(para)

8324

msgid "An entry consists of a set of <emphasis>attributes</emphasis>."

8325

msgstr ""

8326

8327

#: serverguide/C/network-auth.xml:49(para)

8328

msgid "An attribute has a <emphasis>type</emphasis> (a name/description) and one or more <emphasis>values</emphasis>."

8329

msgstr ""

8330

8331

#: serverguide/C/network-auth.xml:55(para)

8332

msgid "Every attribute must be defined in at least one <emphasis>objectClass</emphasis>."

8333

msgstr ""

8334

8335

#: serverguide/C/network-auth.xml:61(para)

8336

msgid "Attributes and objectclasses are defined in <emphasis>schemas</emphasis> (an objectclass is actually considered as a special kind of attribute)."

8337

msgstr ""

8338

8339

#: serverguide/C/network-auth.xml:68(para)

8340

msgid "Each entry has a unique identifier: it's <emphasis>Distinguished Name</emphasis> (DN or dn). This consists of it's <emphasis>Relative Distinguished Name</emphasis> (RDN) followed by the parent entry's DN."

8341

msgstr ""

8342

8343

#: serverguide/C/network-auth.xml:75(para)

8344

msgid "The entry's DN is not an attribute. It is not considered part of the entry itself."

8345

msgstr ""

8346

8347

#: serverguide/C/network-auth.xml:83(para)

8348

msgid "The terms <emphasis>object</emphasis>, <emphasis>container</emphasis>, and <emphasis>node</emphasis> have certain connotations but they all essentially mean the same thing as <emphasis>entry</emphasis>, the technically correct term."

8349

msgstr ""

8350

8351

#: serverguide/C/network-auth.xml:89(para)

8352

msgid "For example, below we have a single entry consisting of 11 attributes. It's DN is \"cn=John Doe,dc=example,dc=com\"; it's RDN is \"cn=John Doe\"; and it's parent DN is \"dc=example,dc=com\"."

8353

msgstr ""

8354

8355

#: serverguide/C/network-auth.xml:94(programlisting)

8356

#, no-wrap

8357

msgid "\n dn: cn=John Doe,dc=example,dc=com\n cn: John Doe\n givenName: John\n sn: Doe\n telephoneNumber: +1 888 555 6789\n telephoneNumber: +1 888 555 1232\n mail: john@example.com\n manager: cn=Larry Smith,dc=example,dc=com\n objectClass: inetOrgPerson\n objectClass: organizationalPerson\n objectClass: person\n objectClass: top\n"

8358

msgstr ""

8359

8360

#: serverguide/C/network-auth.xml:109(para)

8361

msgid "The above entry is in <emphasis>LDIF</emphasis> format (LDAP Data Interchange Format). Any information that you feed into your DIT must also be in such a format. It is defined in <ulink url=\"http://tools.ietf.org/html/rfc2849\">RFC2849</ulink>."

8362

msgstr ""

8363

8364

#: serverguide/C/network-auth.xml:114(para)

8365

msgid "Although this guide will describe how to use it for central authentication, LDAP is good for anything that involves a large number of access requests to a mostly-read, attribute-based (name:value) backend. Examples include an address book, a list of email addresses, and a mail server's configuration."

8366

msgstr ""

8367

8368

#: serverguide/C/network-auth.xml:123(para)

8369

msgid "Install the OpenLDAP server daemon and the traditional LDAP management utilities. These are found in packages <application>slapd</application> and <application>ldap-utils</application> respectively."

8370

msgstr ""

8371

8372

#: serverguide/C/network-auth.xml:128(para)

8373

msgid "The installation of slapd will create a working configuration. In particular, it will create a database instance that you can use to store your data. However, the suffix (or base DN) of this instance will be determined from the domain name of the localhost. If you want something different, edit <filename>/etc/hosts</filename> and replace the domain name with one that will give you the suffix you desire. For instance, if you want a suffix of <emphasis>dc=example,dc=com</emphasis> then your file would have a line similar to this:"

8374

msgstr ""

8375

8376

#: serverguide/C/network-auth.xml:136(programlisting)

8377

#, no-wrap

8378

msgid "\n127.0.1.1 hostname.example.com\thostname\n"

8379

msgstr ""

8380

8381

#: serverguide/C/network-auth.xml:140(para)

8382

msgid "You can revert the change after package installation."

8383

msgstr ""

8384

8385

#: serverguide/C/network-auth.xml:145(para)

8386

msgid "This guide will use a database suffix of <emphasis>dc=example,dc=com</emphasis>."

8387

msgstr ""

8388

8389

#: serverguide/C/network-auth.xml:150(para)

8390

msgid "Proceed with the install:"

8391

msgstr ""

8392

8393

#: serverguide/C/network-auth.xml:155(command)

8336

8394

msgid "sudo apt-get install slapd ldap-utils"

8337

8395

msgstr ""

8338

8396

8339

#: serverguide/C/network-auth.xml:63(para)

8340

msgid "By default <application>slapd</application> is configured with minimal options needed to run the <application>slapd</application> daemon."

8341

msgstr ""

8342

8343

#: serverguide/C/network-auth.xml:68(para)

8344

msgid "The configuration example in the following sections will match the domain name of the server. For example, if the machine's Fully Qualified Domain Name (FQDN) is ldap.example.com, the default suffix will be <emphasis>dc=example,dc=com</emphasis>."

8345

msgstr ""

8346

8347

#: serverguide/C/network-auth.xml:76(title)

8348

msgid "Populating LDAP"

8349

msgstr ""

8350

8351

#: serverguide/C/network-auth.xml:78(para)

8352

msgid "<application>OpenLDAP</application> uses a separate directory which contains the <emphasis>cn=config</emphasis> Directory Information Tree (DIT). The <emphasis>cn=config</emphasis> DIT is used to dynamically configure the <application>slapd</application> daemon, allowing the modification of schema definitions, indexes, ACLs, etc without stopping the service."

8353

msgstr ""

8354

8355

#: serverguide/C/network-auth.xml:86(para)

8356

msgid "The backend <emphasis>cn=config</emphasis> directory has only a minimal configuration and will need additional configuration options in order to populate the frontend directory. The frontend will be populated with a \"classical\" scheme that will be compatible with address book applications and with Unix Posix accounts. Posix accounts will allow authentication to various applications, such as web applications, email Mail Transfer Agent (MTA) applications, etc."

8357

msgstr ""

8358

8359

#: serverguide/C/network-auth.xml:95(para)

8360

msgid "For external applications to authenticate using LDAP they will each need to be specifically configured to do so. Refer to the individual application documentation for details."

8361

msgstr ""

8362

8363

#: serverguide/C/network-auth.xml:103(para)

8364

msgid "Remember to change <emphasis>dc=example,dc=com</emphasis> in the following examples to match your LDAP configuration."

8365

msgstr ""

8366

8367

#: serverguide/C/network-auth.xml:108(para)

8368

msgid "First, some additional schema files need to be loaded. In a terminal enter:"

8369

msgstr ""

8370

8371

#: serverguide/C/network-auth.xml:113(command) serverguide/C/network-auth.xml:715(command)

8372

msgid "sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif"

8373

msgstr ""

8374

8375

#: serverguide/C/network-auth.xml:114(command) serverguide/C/network-auth.xml:716(command)

8376

msgid "sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif"

8377

msgstr ""

8378

8379

#: serverguide/C/network-auth.xml:115(command) serverguide/C/network-auth.xml:717(command)

8380

msgid "sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif"

8381

msgstr ""

8382

8383

#: serverguide/C/network-auth.xml:118(para)

8384

msgid "Next, copy the following example LDIF file, naming it <filename>backend.example.com.ldif</filename>, somewhere on your system:"

8385

msgstr ""

8386

8387

#: serverguide/C/network-auth.xml:123(programlisting)

8388

#, no-wrap

8389

msgid "\n# Load dynamic backend modules\ndn: cn=module,cn=config\nobjectClass: olcModuleList\ncn: module\nolcModulepath: /usr/lib/ldap\nolcModuleload: back_hdb.la\n\n# Database settings\ndn: olcDatabase=hdb,cn=config\nobjectClass: olcDatabaseConfig\nobjectClass: olcHdbConfig\nolcDatabase: {1}hdb\nolcSuffix: dc=example,dc=com\nolcDbDirectory: /var/lib/ldap\nolcRootDN: cn=admin,dc=example,dc=com\nolcRootPW: secret\nolcDbConfig: set_cachesize 0 2097152 0\nolcDbConfig: set_lk_max_objects 1500\nolcDbConfig: set_lk_max_locks 1500\nolcDbConfig: set_lk_max_lockers 1500\nolcDbIndex: objectClass eq\nolcLastMod: TRUE\nolcDbCheckpoint: 512 30\nolcAccess: to attrs=userPassword by dn=\"cn=admin,dc=example,dc=com\" write by anonymous auth by self write by * none\nolcAccess: to attrs=shadowLastChange by self write by * read\nolcAccess: to dn.base=\"\" by * read\nolcAccess: to * by dn=\"cn=admin,dc=example,dc=com\" write by * read\n\n"

8390

msgstr ""

8391

8392

#: serverguide/C/network-auth.xml:155(para)

8393

msgid "Change <emphasis>olcRootPW: secret</emphasis> to a password of your choosing."

8394

msgstr ""

8395

8396

#: serverguide/C/network-auth.xml:160(para)

8397

msgid "Now add the LDIF to the directory:"

8398

msgstr ""

8399

8400

#: serverguide/C/network-auth.xml:165(command) serverguide/C/network-auth.xml:759(command)

8401

msgid "sudo ldapadd -Y EXTERNAL -H ldapi:/// -f backend.example.com.ldif"

8402

msgstr ""

8403

8404

#: serverguide/C/network-auth.xml:168(para)

8405

msgid "The frontend directory is now ready to be populated. Create a <filename>frontend.example.com.ldif</filename> with the following contents:"

8406

msgstr ""

8407

8408

#: serverguide/C/network-auth.xml:173(programlisting)

8409

#, no-wrap

8410

msgid "\n# Create top-level object in domain\ndn: dc=example,dc=com\nobjectClass: top\nobjectClass: dcObject\nobjectclass: organization\no: Example Organization\ndc: Example\ndescription: LDAP Example \n\n# Admin user.\ndn: cn=admin,dc=example,dc=com\nobjectClass: simpleSecurityObject\nobjectClass: organizationalRole\ncn: admin\ndescription: LDAP administrator\nuserPassword: secret\n\ndn: ou=people,dc=example,dc=com\nobjectClass: organizationalUnit\nou: people\n\ndn: ou=groups,dc=example,dc=com\nobjectClass: organizationalUnit\nou: groups\n\ndn: uid=john,ou=people,dc=example,dc=com\nobjectClass: inetOrgPerson\nobjectClass: posixAccount\nobjectClass: shadowAccount\nuid: john\nsn: Doe\ngivenName: John\ncn: John Doe\ndisplayName: John Doe\nuidNumber: 1000\ngidNumber: 10000\nuserPassword: password\ngecos: John Doe\nloginShell: /bin/bash\nhomeDirectory: /home/john\nshadowExpire: -1\nshadowFlag: 0\nshadowWarning: 7\nshadowMin: 8\nshadowMax: 999999\nshadowLastChange: 10877\nmail: john.doe@example.com\npostalCode: 31000\nl: Toulouse\no: Example\nmobile: +33 (0)6 xx xx xx xx\nhomePhone: +33 (0)5 xx xx xx xx\ntitle: System Administrator\npostalAddress: \ninitials: JD\n\ndn: cn=example,ou=groups,dc=example,dc=com\nobjectClass: posixGroup\ncn: example\ngidNumber: 10000\n"

8411

msgstr ""

8412

8413

#: serverguide/C/network-auth.xml:236(para)

8414

msgid "In this example the directory structure, a user, and a group have been setup. In other examples you might see the <emphasis>objectClass: top</emphasis> added in every entry, but that is the default behaviour so you do not have to add it explicitly."

8415

msgstr ""

8416

8417

#: serverguide/C/network-auth.xml:243(para)

8418

msgid "Add the entries to the LDAP directory:"

8419

msgstr ""

8420

8421

#: serverguide/C/network-auth.xml:249(command) serverguide/C/network-auth.xml:770(command)

8422

msgid "sudo ldapadd -x -D cn=admin,dc=example,dc=com -W -f frontend.example.com.ldif"

8423

msgstr ""

8424

8425

#: serverguide/C/network-auth.xml:252(para)

8426

msgid "We can check that the content has been correctly added with the <application>ldapsearch</application> utility. Execute a search of the LDAP directory:"

8427

msgstr ""

8428

8429

#: serverguide/C/network-auth.xml:258(command)

8430

msgid "ldapsearch -xLLL -b \"dc=example,dc=com\" uid=john sn givenName cn"

8431

msgstr ""

8432

8433

#: serverguide/C/network-auth.xml:259(computeroutput)

8434

#, no-wrap

8435

msgid "\ndn: uid=john,ou=people,dc=example,dc=com\ncn: John Doe\nsn: Doe\ngivenName: John\n"

8436

msgstr ""

8437

8438

#: serverguide/C/network-auth.xml:267(para)

8439

msgid "Just a quick explanation:"

8440

msgstr ""

8441

8442

#: serverguide/C/network-auth.xml:273(para)

8443

msgid "<emphasis>-x:</emphasis> will not use SASL authentication method, which is the default."

8444

msgstr ""

8445

8446

#: serverguide/C/network-auth.xml:279(para)

8447

msgid "<emphasis>-LLL:</emphasis> disable printing LDIF schema information."

8448

msgstr ""

8449

8450

#: serverguide/C/network-auth.xml:287(title)

8451

msgid "Further Configuration"

8452

msgstr ""

8453

8454

#: serverguide/C/network-auth.xml:290(para)

8455

msgid "The <emphasis>cn=config</emphasis> tree can be manipulated using the utilities in the <application>ldap-utils</application> package. For example:"

8456

msgstr ""

8457

8458

#: serverguide/C/network-auth.xml:298(para)

8459

msgid "Use <application>ldapsearch</application> to view the tree, entering the admin password set during installation or reconfiguration:"

8460

msgstr ""

8461

8462

#: serverguide/C/network-auth.xml:304(command)

8463

msgid "sudo ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn"

8464

msgstr ""

8465

8466

#: serverguide/C/network-auth.xml:308(computeroutput)

8467

#, no-wrap

8468

msgid "\nSASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\ndn: cn=config\n\ndn: cn=module{0},cn=config\n\ndn: cn=schema,cn=config\n\ndn: cn={0}core,cn=schema,cn=config\n\ndn: cn={1}cosine,cn=schema,cn=config\n\ndn: cn={2}nis,cn=schema,cn=config\n\ndn: cn={3}inetorgperson,cn=schema,cn=config\n\ndn: olcDatabase={-1}frontend,cn=config\n\ndn: olcDatabase={0}config,cn=config\n\ndn: olcDatabase={1}hdb,cn=config\n"

8469

msgstr ""

8470

8471

#: serverguide/C/network-auth.xml:334(para)

8472

msgid "The output above is the current configuration options for the <emphasis>cn=config</emphasis> backend database. Your output may be vary."

8473

msgstr ""

8474

8475

#: serverguide/C/network-auth.xml:342(para)

8476

msgid "As an example of modifying the <emphasis>cn=config</emphasis> tree, add another attribute to the index list using <application>ldapmodify</application>:"

8477

msgstr ""

8478

8479

#: serverguide/C/network-auth.xml:348(command) serverguide/C/network-auth.xml:1006(command) serverguide/C/network-auth.xml:1177(command) serverguide/C/network-auth.xml:1213(command)

8480

msgid "sudo ldapmodify -Y EXTERNAL -H ldapi:///"

8481

msgstr ""

8482

8483

#: serverguide/C/network-auth.xml:356(userinput)

8484

#, no-wrap

8485

msgid "dn: olcDatabase={1}hdb,cn=config\nadd: olcDbIndex\nolcDbIndex: uidNumber eq"

8486

msgstr ""

8487

8488

#: serverguide/C/network-auth.xml:352(computeroutput)

8489

#, no-wrap

8490

msgid "\nSASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\n<placeholder-1/>\n\nmodifying entry \"olcDatabase={1}hdb,cn=config\"\n"

8491

msgstr ""

8492

8493

#: serverguide/C/network-auth.xml:364(para)

8494

msgid "Once the modification has completed, press <emphasis>Ctrl+D</emphasis> to exit the utility."

8495

msgstr ""

8496

8497

#: serverguide/C/network-auth.xml:371(para)

8498

msgid "<application>ldapmodify</application> can also read the changes from a file. Copy and paste the following into a file named <filename>uid_index.ldif</filename>:"

8499

msgstr ""

8500

8501

#: serverguide/C/network-auth.xml:376(programlisting)

8502

#, no-wrap

8503

msgid "\ndn: olcDatabase={1}hdb,cn=config\nadd: olcDbIndex\nolcDbIndex: uid eq,pres,sub\n"

8397

#: serverguide/C/network-auth.xml:158(para)

8398

msgid "Since Ubuntu 8.10 slapd is designed to be configured within slapd itself by dedicating a separate DIT for that purpose. This allows one to dynamically configure slapd without the need to restart the service. This configuration database consists of a collection of text-based LDIF files located under <filename>/etc/ldap/slapd.d</filename>. This way of working is known by several names: the slapd-config method, the RTC method (Real Time Configuration), or the cn=config method. You can still use the traditional flat-file method (slapd.conf) but it's not recommended; the functionality will be eventually phased out."

8399

msgstr ""

8400

8401

#: serverguide/C/network-auth.xml:167(para)

8402

msgid "Ubuntu now uses the <emphasis>slapd-config</emphasis> method for slapd configuration and this guide reflects that."

8403

msgstr ""

8404

8405

#: serverguide/C/network-auth.xml:173(para)

8406

msgid "During the install you were prompted to define administrative credentials. These are LDAP-based credentials for the <emphasis>rootDN</emphasis> of your database instance. By default, this user's DN is <emphasis>cn=admin,dc=example,dc=com</emphasis>. Also by default, there is no administrative account created for the slapd-config database and you will therefore need to authenticate externally to LDAP in order to access it. We will see how to do this later on."

8407

msgstr ""

8408

8409

#: serverguide/C/network-auth.xml:180(para)

8410

msgid "Some classical schemas (cosine, nis, inetorgperson) come built-in with slapd nowadays. There is also an included \"core\" schema, a pre-requisite for any schema to work."

8411

msgstr ""

8412

8413

#: serverguide/C/network-auth.xml:188(title)

8414

msgid "Post-install Inspection"

8415

msgstr ""

8416

8417

#: serverguide/C/network-auth.xml:190(para)

8418

msgid "The installation process set up 2 DITs. One for slapd-config and one for your own data (dc=example,dc=com). Let's take a look."

8419

msgstr ""

8420

8421

#: serverguide/C/network-auth.xml:197(para)

8422

msgid "This is what the slapd-config database/DIT looks like. Recall that this database is LDIF-based and lives under <filename>/etc/ldap/slapd.d</filename>:"

8423

msgstr ""

8424

8425

#: serverguide/C/network-auth.xml:203(computeroutput)

8426

#, no-wrap

8427

msgid "\n /etc/ldap/slapd.d/\n\n\t├── cn=config\n\t│ ├── cn=module{0}.ldif\n\t│ ├── cn=schema\n\t│ │ ├── cn={0}core.ldif\n\t│ │ ├── cn={1}cosine.ldif\n\t│ │ ├── cn={2}nis.ldif\n\t│ │ └── cn={3}inetorgperson.ldif\n\t│ ├── cn=schema.ldif\n\t│ ├── olcBackend={0}hdb.ldif\n\t│ ├── olcDatabase={0}config.ldif\n\t│ ├── olcDatabase={-1}frontend.ldif\n\t│ └── olcDatabase={1}hdb.ldif\n\t└── cn=config.ldif\n"

8428

msgstr ""

8429

8430

#: serverguide/C/network-auth.xml:223(para)

8431

msgid "Do not edit the slapd-config database directly. Make changes via the LDAP protocol (utilities)."

8432

msgstr ""

8433

8434

#: serverguide/C/network-auth.xml:231(para)

8435

msgid "This is what the slapd-config DIT looks like via the LDAP protocol:"

8436

msgstr ""

8437

8438

#: serverguide/C/network-auth.xml:236(command)

8439

msgid "sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn"

8440

msgstr ""

8441

8442

#: serverguide/C/network-auth.xml:237(computeroutput)

8443

#, no-wrap

8444

msgid "\ndn: cn=config\n\ndn: cn=module{0},cn=config\n\ndn: cn=schema,cn=config\n\ndn: cn={0}core,cn=schema,cn=config\n\ndn: cn={1}cosine,cn=schema,cn=config\n\ndn: cn={2}nis,cn=schema,cn=config\n\ndn: cn={3}inetorgperson,cn=schema,cn=config\n\ndn: olcBackend={0}hdb,cn=config\n\ndn: olcDatabase={-1}frontend,cn=config\n\ndn: olcDatabase={0}config,cn=config\n\ndn: olcDatabase={1}hdb,cn=config\n"

8445

msgstr ""

8446

8447

#: serverguide/C/network-auth.xml:262(para) serverguide/C/network-auth.xml:353(para)

8448

msgid "Explanation of entries:"

8449

msgstr ""

8450

8451

#: serverguide/C/network-auth.xml:269(para)

8452

msgid "<emphasis>cn=config</emphasis>: global settings"

8453

msgstr ""

8454

8455

#: serverguide/C/network-auth.xml:275(para)

8456

msgid "<emphasis>cn=module{0},cn=config</emphasis>: a dynamically loaded module"

8457

msgstr ""

8458

8459

#: serverguide/C/network-auth.xml:281(para)

8460

msgid "<emphasis>cn=schema,cn=config</emphasis>: contains hard-coded system-level schema"

8461

msgstr ""

8462

8463

#: serverguide/C/network-auth.xml:287(para)

8464

msgid "<emphasis>cn={0}core,cn=schema,cn=config</emphasis>: the hard-coded core schema"

8465

msgstr ""

8466

8467

#: serverguide/C/network-auth.xml:293(para)

8468

msgid "<emphasis>cn={1}cosine,cn=schema,cn=config</emphasis>: the cosine schema"

8469

msgstr ""

8470

8471

#: serverguide/C/network-auth.xml:299(para)

8472

msgid "<emphasis>cn={2}nis,cn=schema,cn=config</emphasis>: the nis schema"

8473

msgstr ""

8474

8475

#: serverguide/C/network-auth.xml:305(para)

8476

msgid "<emphasis>cn={3}inetorgperson,cn=schema,cn=config</emphasis>: the inetorgperson schema"

8477

msgstr ""

8478

8479

#: serverguide/C/network-auth.xml:311(para)

8480

msgid "<emphasis>olcBackend={0}hdb,cn=config</emphasis>: the 'hdb' backend storage type"

8481

msgstr ""

8482

8483

#: serverguide/C/network-auth.xml:317(para)

8484

msgid "<emphasis>olcDatabase={-1}frontend,cn=config</emphasis>: frontend database, default settings for other databases"

8485

msgstr ""

8486

8487

#: serverguide/C/network-auth.xml:323(para)

8488

msgid "<emphasis>olcDatabase={0}config,cn=config</emphasis>: slapd configuration database (cn=config)"

8489

msgstr ""

8490

8491

#: serverguide/C/network-auth.xml:329(para)

8492

msgid "<emphasis>olcDatabase={1}hdb,cn=config</emphasis>: your database instance (dc=examle,dc=com)"

8493

msgstr ""

8494

8495

#: serverguide/C/network-auth.xml:340(para)

8496

msgid "This is what the dc=example,dc=com DIT looks like:"

8497

msgstr ""

8498

8499

#: serverguide/C/network-auth.xml:345(command)

8500

msgid "ldapsearch -x -LLL -H ldap:/// -b dc=example,dc=com dn"

8501

msgstr ""

8502

8503

#: serverguide/C/network-auth.xml:346(computeroutput)

8504

#, no-wrap

8505

msgid "\ndn: dc=example,dc=com\n\ndn: cn=admin,dc=example,dc=com\n"

8506

msgstr ""

8507

8508

#: serverguide/C/network-auth.xml:360(para)

8509

msgid "<emphasis>dc=example,dc=com</emphasis>: base of the DIT"

8510

msgstr ""

8511

8512

#: serverguide/C/network-auth.xml:366(para)

8513

msgid "<emphasis>cn=admin,dc=example,dc=com</emphasis>: administrator (rootDN) for this DIT (set up during package install)"

8514

msgstr ""

8515

8516

#: serverguide/C/network-auth.xml:380(title)

8517

msgid "Modifying/Populating your Database"

8504

8518

msgstr ""

8505

8519

8506

8520

#: serverguide/C/network-auth.xml:382(para)

8507

msgid "Then execute <application>ldapmodify</application>:"

8508

msgstr ""

8509

8510

#: serverguide/C/network-auth.xml:387(command)

8511

msgid "sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f uid_index.ldif"

8512

msgstr ""

8513

8514

#: serverguide/C/network-auth.xml:391(computeroutput)

8515

#, no-wrap

8516

msgid "\nSASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nmodifying entry \"olcDatabase={1}hdb,cn=config\"\n"

8517

msgstr ""

8518

8519

#: serverguide/C/network-auth.xml:399(para)

8520

msgid "The file method is very useful for large changes."

8521

msgstr ""

8522

8523

#: serverguide/C/network-auth.xml:406(para)

8524

msgid "Adding additional <emphasis>schemas</emphasis> to <application>slapd</application> requires the schema to be converted to LDIF format. The <filename role=\"directory\">/etc/ldap/schema</filename> directory contains some schema files already converted to LDIF format as demonstrated in the previous section. Fortunately, the <application>slapd</application> program can be used to automate the conversion. The following example will add the <emphasis>dyngroup.schema</emphasis>:"

8525

msgstr ""

8526

8527

#: serverguide/C/network-auth.xml:416(para)

8528

msgid "First, create a conversion <filename>schema_convert.conf</filename> file containing the following lines:"

8529

msgstr ""

8530

8531

#: serverguide/C/network-auth.xml:421(programlisting)

8532

#, no-wrap

8533

msgid "\ninclude /etc/ldap/schema/core.schema\ninclude /etc/ldap/schema/collective.schema\ninclude /etc/ldap/schema/corba.schema\ninclude /etc/ldap/schema/cosine.schema\ninclude /etc/ldap/schema/duaconf.schema\ninclude /etc/ldap/schema/dyngroup.schema\ninclude /etc/ldap/schema/inetorgperson.schema\ninclude /etc/ldap/schema/java.schema\ninclude /etc/ldap/schema/misc.schema\ninclude /etc/ldap/schema/nis.schema\ninclude /etc/ldap/schema/openldap.schema\ninclude /etc/ldap/schema/ppolicy.schema\n"

8534

msgstr ""

8535

8536

#: serverguide/C/network-auth.xml:439(para) serverguide/C/network-auth.xml:1677(para)

8537

msgid "Next, create a temporary directory to hold the output:"

8538

msgstr ""

8539

8540

#: serverguide/C/network-auth.xml:444(command) serverguide/C/network-auth.xml:1682(command) serverguide/C/network-auth.xml:2727(command)

8541

msgid "mkdir /tmp/ldif_output"

8521

msgid "Let's introduce some content to our database. We will add the following:"

8522

msgstr ""

8523

8524

#: serverguide/C/network-auth.xml:389(para)

8525

msgid "a node called <emphasis>People</emphasis> (to store users)"

8526

msgstr ""

8527

8528

#: serverguide/C/network-auth.xml:395(para)

8529

msgid "a node called <emphasis>Groups</emphasis> (to store groups)"

8530

msgstr ""

8531

8532

#: serverguide/C/network-auth.xml:401(para)

8533

msgid "a group called <emphasis>miners</emphasis>"

8534

msgstr ""

8535

8536

#: serverguide/C/network-auth.xml:407(para)

8537

msgid "a user called <emphasis>john</emphasis>"

8538

msgstr ""

8539

8540

#: serverguide/C/network-auth.xml:414(para)

8541

msgid "Create the following LDIF file and call it <filename>add_content.ldif</filename>:"

8542

msgstr ""

8543

8544

#: serverguide/C/network-auth.xml:418(programlisting)

8545

#, no-wrap

8546

msgid "\ndn: ou=People,dc=example,dc=com\nobjectClass: organizationalUnit\nou: People\n\ndn: ou=Groups,dc=example,dc=com\nobjectClass: organizationalUnit\nou: Groups\n\ndn: cn=miners,ou=Groups,dc=example,dc=com\nobjectClass: posixGroup\ncn: miners\ngidNumber: 5000\n\ndn: uid=john,ou=People,dc=example,dc=com\nobjectClass: inetOrgPerson\nobjectClass: posixAccount\nobjectClass: shadowAccount\nuid: john\nsn: Doe\ngivenName: John\ncn: John Doe\ndisplayName: John Doe\nuidNumber: 10000\ngidNumber: 5000\nuserPassword: johnldap\ngecos: John Doe\nloginShell: /bin/bash\nhomeDirectory: /home/john\n"

8542

8547

msgstr ""

8543

8548

8544

8549

#: serverguide/C/network-auth.xml:450(para)

8545

msgid "Now using <application>slapcat</application> convert the schema files to LDIF:"

8546

msgstr ""

8547

8548

#: serverguide/C/network-auth.xml:455(command)

8549

msgid "slapcat -f schema_convert.conf -F /tmp/ldif_output -n0 -s \"cn={5}dyngroup,cn=schema,cn=config\" > /tmp/cn=dyngroup.ldif"

8550

msgstr ""

8551

8552

#: serverguide/C/network-auth.xml:458(para)

8553

msgid "Adjust the configuration file name and temporary directory names if yours are different. It may be worthwhile to keep the <filename>ldif_output</filename> directory around in case you want to add additional schemas in the future."

8554

msgstr ""

8555

8556

#: serverguide/C/network-auth.xml:465(para)

8557

msgid "The <emphasis>\"cn={5}\"</emphasis> index number may change according to the configuration ordering. To find out the correct number execute the following:"

8558

msgstr ""

8559

8560

#: serverguide/C/network-auth.xml:470(command)

8561

msgid "slapcat -f schema_convert.conf -F /tmp/ldif_output -n 0 | grep dyngroup"

8562

msgstr ""

8563

8564

#: serverguide/C/network-auth.xml:472(para)

8565

msgid "Replace <emphasis>dyngroup</emphasis> with the appropriate schema name."

8566

msgstr ""

8567

8568

#: serverguide/C/network-auth.xml:480(para)

8569

msgid "Edit the <filename>/tmp/cn\\=dyngroup.ldif</filename> file, changing the following attributes:"

8570

msgstr ""

8571

8572

#: serverguide/C/network-auth.xml:484(programlisting)

8573

#, no-wrap

8574

msgid "\ndn: cn=dyngroup,cn=schema,cn=config\n...\ncn: dyngroup\n"

8575

msgstr ""

8576

8577

#: serverguide/C/network-auth.xml:490(para) serverguide/C/network-auth.xml:1714(para)

8578

msgid "And remove the following lines from the bottom of the file:"

8579

msgstr ""

8580

8581

#: serverguide/C/network-auth.xml:494(programlisting)

8582

#, no-wrap

8583

msgid "\nstructuralObjectClass: olcSchemaConfig\nentryUUID: 10dae0ea-0760-102d-80d3-f9366b7f7757\ncreatorsName: cn=config\ncreateTimestamp: 20080826021140Z\nentryCSN: 20080826021140.791425Z#000000#000#000000\nmodifiersName: cn=config\nmodifyTimestamp: 20080826021140Z\n"

8584

msgstr ""

8585

8586

#: serverguide/C/network-auth.xml:505(para) serverguide/C/network-auth.xml:1729(para) serverguide/C/network-auth.xml:2773(para)

8587

msgid "The attribute values will vary, just be sure the attributes are removed."

8588

msgstr ""

8589

8590

#: serverguide/C/network-auth.xml:513(para) serverguide/C/network-auth.xml:1737(para)

8591

msgid "Finally, using the <application>ldapadd</application> utility, add the new schema to the directory:"

8592

msgstr ""

8593

8594

#: serverguide/C/network-auth.xml:519(command)

8595

msgid "sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/cn\\=dyngroup.ldif"

8596

msgstr ""

8597

8598

#: serverguide/C/network-auth.xml:525(para)

8599

msgid "There should now be a <emphasis>dn: cn={4}dyngroup,cn=schema,cn=config</emphasis> entry in the cn=config tree."

8600

msgstr ""

8601

8602

#: serverguide/C/network-auth.xml:535(title)

8603

msgid "LDAP Replication"

8604

msgstr ""

8605

8606

#: serverguide/C/network-auth.xml:537(para)

8607

msgid "LDAP often quickly becomes a highly critical service to the network. Multiple systems will come to depend on LDAP for authentication, authorization, configuration, etc. It is a good idea to setup a redundant system through replication."

8608

msgstr ""

8609

8610

#: serverguide/C/network-auth.xml:543(para)

8611

msgid "Replication is achieved using the <emphasis>Syncrepl</emphasis> engine. Syncrepl allows the changes to be synced using a <emphasis>consumer</emphasis>, <emphasis>provider</emphasis> model. A provider sends directory changes to consumers."

8612

msgstr ""

8613

8614

#: serverguide/C/network-auth.xml:550(title)

8550

msgid "It's important that uid and gid values in your directory do not collide with local values. Use high number ranges."

8551

msgstr ""

8552

8553

#: serverguide/C/network-auth.xml:455(para)

8554

msgid "Add the content:"

8555

msgstr ""

8556

8557

#: serverguide/C/network-auth.xml:460(command)

8558

msgid "ldapadd -x -D cn=admin,dc=example,dc=com -W -f add_content.ldif"

8559

msgstr ""

8560

8561

#: serverguide/C/network-auth.xml:462(application)

8562

msgid "********"

8563

msgstr ""

8564

8565

#: serverguide/C/network-auth.xml:461(computeroutput)

8566

#, no-wrap

8567

msgid "\nEnter LDAP Password: <placeholder-1/>\nadding new entry \"ou=People,dc=example,dc=com\"\n\nadding new entry \"ou=Groups,dc=example,dc=com\"\n\nadding new entry \"cn=miners,ou=Groups,dc=example,dc=com\"\n\nadding new entry \"uid=john,ou=People,dc=example,dc=com\"\n"

8568

msgstr ""

8569

8570

#: serverguide/C/network-auth.xml:473(para)

8571

msgid "We can check that the information has been correctly added with the <application>ldapsearch</application> utility:"

8572

msgstr ""

8573

8574

#: serverguide/C/network-auth.xml:478(command)

8575

msgid "ldapsearch -x -LLL -b dc=example,dc=com 'uid=john' cn gidNumber"

8576

msgstr ""

8577

8578

#: serverguide/C/network-auth.xml:479(computeroutput)

8579

#, no-wrap

8580

msgid "\ndn: uid=john,ou=People,dc=example,dc=com\ncn: John Doe\ngidNumber: 5000\n"

8581

msgstr ""

8582

8583

#: serverguide/C/network-auth.xml:486(para)

8584

msgid "Explanation of switches:"

8585

msgstr ""

8586

8587

#: serverguide/C/network-auth.xml:493(para)

8588

msgid "<emphasis>-x:</emphasis> \"simple\" binding; will not use the default SASL method"

8589

msgstr ""

8590

8591

#: serverguide/C/network-auth.xml:499(para)

8592

msgid "<emphasis>-LLL:</emphasis> disable printing extraneous information"

8593

msgstr ""

8594

8595

#: serverguide/C/network-auth.xml:505(para)

8596

msgid "<emphasis>uid=john:</emphasis> a \"filter\" to find the john user"

8597

msgstr ""

8598

8599

#: serverguide/C/network-auth.xml:511(para)

8600

msgid "<emphasis>cn gidNumber:</emphasis> requests certain attributes to be displayed (the default is to show all attributes)"

8601

msgstr ""

8602

8603

#: serverguide/C/network-auth.xml:521(title)

8604

msgid "Modifying the slapd Configuration Database"

8605

msgstr ""

8606

8607

#: serverguide/C/network-auth.xml:523(para)

8608

msgid "The slapd-config DIT can also be queried and modified. Here are a few examples."

8609

msgstr ""

8610

8611

#: serverguide/C/network-auth.xml:530(para)

8612

msgid "Use <application>ldapmodify</application> to add an \"Index\" (DbIndex attribute) to your <application>{1}hdb,cn=config</application> database (dc=example,dc=com). Create a file, call it <filename>uid_index.ldif</filename>, with the following contents:"

8613

msgstr ""

8614

8615

#: serverguide/C/network-auth.xml:535(programlisting)

8616

#, no-wrap

8617

msgid "\ndn: olcDatabase={1}hdb,cn=config\nadd: olcDbIndex\nolcDbIndex: uid eq,pres,sub\n"

8618

msgstr ""

8619

8620

#: serverguide/C/network-auth.xml:541(para)

8621

msgid "Then issue the command:"

8622

msgstr ""

8623

8624

#: serverguide/C/network-auth.xml:546(command)

8625

msgid "sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f uid_index.ldif"

8626

msgstr ""

8627

8628

#: serverguide/C/network-auth.xml:547(computeroutput)

8629

#, no-wrap

8630

msgid "\nmodifying entry \"olcDatabase={1}hdb,cn=config\"\n"

8631

msgstr ""

8632

8633

#: serverguide/C/network-auth.xml:552(para)

8634

msgid "You can confirm the change in this way:"

8635

msgstr ""

8636

8637

#: serverguide/C/network-auth.xml:557(command)

8638

msgid "sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(olcDatabase={1}hdb)' olcDbIndex"

8639

msgstr ""

8640

8641

#: serverguide/C/network-auth.xml:558(computeroutput)

8642

#, no-wrap

8643

msgid "\ndn: olcDatabase={1}hdb,cn=config\nolcDbIndex: objectClass eq\nolcDbIndex: uid eq,pres,sub\n"

8644

msgstr ""

8645

8646

#: serverguide/C/network-auth.xml:568(para)

8647

msgid "Let's add a schema. It will first need to be converted to LDIF format. You can find unconverted schemas in addition to converted ones in the <filename role=\"directory\">/etc/ldap/schema</filename> directory."

8648

msgstr ""

8649

8650

#: serverguide/C/network-auth.xml:574(para)

8651

msgid "It is not trivial to remove a schema from the slapd-config database. Practice adding schemas on a test system."

8652

msgstr ""

8653

8654

#: serverguide/C/network-auth.xml:579(para)

8655

msgid "In the following example we'll add the CORBA schema."

8656

msgstr ""

8657

8658

#: serverguide/C/network-auth.xml:586(para)

8659

msgid "Create the conversion configuration file <filename>schema_convert.conf</filename> containing the following lines:"

8660

msgstr ""

8661

8662

#: serverguide/C/network-auth.xml:591(programlisting)

8663

#, no-wrap

8664

8665

msgstr ""

8666

8667

#: serverguide/C/network-auth.xml:611(para)

8668

msgid "Create the output directory <filename>ldif_output</filename>."

8669

msgstr ""

8670

8671

#: serverguide/C/network-auth.xml:617(para) serverguide/C/network-auth.xml:2133(para)

8672

msgid "Determine the index of the schema:"

8673

msgstr ""

8674

8675

#: serverguide/C/network-auth.xml:622(command)

8676

msgid "slapcat -f schema_convert.conf -F ldif_output -n 0 | grep corba,cn=schema"

8677

msgstr ""

8678

8679

#: serverguide/C/network-auth.xml:623(computeroutput)

8680

#, no-wrap

8681

msgid "\ncn={1}corba,cn=schema,cn=config\n"

8682

msgstr ""

8683

8684

#: serverguide/C/network-auth.xml:629(para)

8685

msgid "When slapd injests objects with the same parent DN it will create an <emphasis>index</emphasis> for that object. An index is contained within braces: <application>{X}</application>."

8686

msgstr ""

8687

8688

#: serverguide/C/network-auth.xml:638(para)

8689

msgid "Use <application>slapcat</application> to perform the conversion:"

8690

msgstr ""

8691

8692

#: serverguide/C/network-auth.xml:643(command)

8693

msgid "slapcat -f schema_convert.conf -F ldif_output -n0 -H ldap:///cn={1}corba,cn=schema,cn=config -l cn=corba.ldif"

8694

msgstr ""

8695

8696

#: serverguide/C/network-auth.xml:646(para)

8697

msgid "The converted schema is now in <filename>cn=corba.ldif</filename>"

8698

msgstr ""

8699

8700

#: serverguide/C/network-auth.xml:652(para)

8701

msgid "Edit <filename>cn=corba.ldif</filename> to arrive at the following attributes:"

8702

msgstr ""

8703

8704

#: serverguide/C/network-auth.xml:656(programlisting)

8705

#, no-wrap

8706

msgid "\ndn: cn=corba,cn=schema,cn=config\n...\ncn: corba\n"

8707

msgstr ""

8708

8709

#: serverguide/C/network-auth.xml:662(para)

8710

msgid "Also remove the following lines from the bottom:"

8711

msgstr ""

8712

8713

#: serverguide/C/network-auth.xml:666(programlisting)

8714

#, no-wrap

8715

msgid "\nstructuralObjectClass: olcSchemaConfig\nentryUUID: 52109a02-66ab-1030-8be2-bbf166230478\ncreatorsName: cn=config\ncreateTimestamp: 20110829165435Z\nentryCSN: 20110829165435.935248Z#000000#000#000000\nmodifiersName: cn=config\nmodifyTimestamp: 20110829165435Z\n"

8716

msgstr ""

8717

8718

#: serverguide/C/network-auth.xml:676(para) serverguide/C/network-auth.xml:2182(para)

8719

msgid "Your attribute values will vary."

8720

msgstr ""

8721

8722

#: serverguide/C/network-auth.xml:682(para)

8723

msgid "Finally, use <application>ldapadd</application> to add the new schema to the slapd-config DIT:"

8724

msgstr ""

8725

8726

#: serverguide/C/network-auth.xml:687(command)

8727

msgid "sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f cn\\=corba.ldif"

8728

msgstr ""

8729

8730

#: serverguide/C/network-auth.xml:688(computeroutput)

8731

#, no-wrap

8732

msgid "\nadding new entry \"cn=corba,cn=schema,cn=config\"\n"

8733

msgstr ""

8734

8735

#: serverguide/C/network-auth.xml:696(para)

8736

msgid "Confirm currently loaded schemas:"

8737

msgstr ""

8738

8739

#: serverguide/C/network-auth.xml:701(command)

8740

msgid "sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn"

8741

msgstr ""

8742

8743

#: serverguide/C/network-auth.xml:702(computeroutput)

8744

#, no-wrap

8745

msgid "\ndn: cn=schema,cn=config\n\ndn: cn={0}core,cn=schema,cn=config\n\ndn: cn={1}cosine,cn=schema,cn=config\n\ndn: cn={2}nis,cn=schema,cn=config\n\ndn: cn={3}inetorgperson,cn=schema,cn=config\n\ndn: cn={4}corba,cn=schema,cn=config\n"

8746

msgstr ""

8747

8748

#: serverguide/C/network-auth.xml:726(para)

8749

msgid "For external applications and clients to authenticate using LDAP they will each need to be specifically configured to do so. Refer to the appropriate client-side documentation for details."

8750

msgstr ""

8751

8752

#: serverguide/C/network-auth.xml:735(title) serverguide/C/dns.xml:505(title)

8753

msgid "Logging"

8754

msgstr ""

8755

8756

#: serverguide/C/network-auth.xml:737(para)

8757

msgid "Activity logging for slapd is indispensible when implementing an OpenLDAP-based solution yet it must be manually enabled after software installation. Otherwise, only rudimentary messages will appear in the logs. Logging, like any other slapd configuration, is enabled via the slapd-config database."

8758

msgstr ""

8759

8760

#: serverguide/C/network-auth.xml:743(para)

8761

msgid "OpenLDAP comes with multiple logging subsystems (levels) with each one containing the lower one (additive). A good level to try is <emphasis>stats</emphasis>. The <ulink url=\"http://manpages.ubuntu.com/manpages/en/man5/slapd-config.5.html\">slapd-config</ulink> man page has more to say on the different subsystems."

8762

msgstr ""

8763

8764

#: serverguide/C/network-auth.xml:749(para)

8765

msgid "Create the file <filename>logging.ldif</filename> with the following contents:"

8766

msgstr ""

8767

8768

#: serverguide/C/network-auth.xml:753(programlisting)

8769

#, no-wrap

8770

msgid "\ndn: cn=config\nchangetype: modify\nadd: olcLogLevel\nolcLogLevel: stats\n"

8771

msgstr ""

8772

8773

#: serverguide/C/network-auth.xml:760(para)

8774

msgid "Implement the change:"

8775

msgstr ""

8776

8777

#: serverguide/C/network-auth.xml:765(command)

8778

msgid "sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f logging.ldif"

8779

msgstr ""

8780

8781

#: serverguide/C/network-auth.xml:768(para)

8782

msgid "This will produce a significant amount of logging and you will want to throttle back to a less verbose level once your system is in production. While in this verbose mode your host's syslog engine (rsyslog) may have a hard time keeping up and may drop messages:"

8783

msgstr ""

8784

8785

#: serverguide/C/network-auth.xml:774(programlisting)

8786

#, no-wrap

8787

msgid "\nrsyslogd-2177: imuxsock lost 228 messages from pid 2547 due to rate-limiting\n"

8788

msgstr ""

8789

8790

#: serverguide/C/network-auth.xml:778(para)

8791

msgid "You may consider a change to rsyslog's configuration. In <filename>/etc/rsyslog.conf</filename>, put:"

8792

msgstr ""

8793

8794

#: serverguide/C/network-auth.xml:782(programlisting)

8795

#, no-wrap

8796

msgid "\n# Disable rate limiting (default is 200 messages in 5 seconds; below we make the 5 become 0)\n$SystemLogRateLimitInterval 0\n"

8797

msgstr ""

8798

8799

#: serverguide/C/network-auth.xml:787(para)

8800

msgid "And then restart the rsyslog daemon:"

8801

msgstr ""

8802

8803

#: serverguide/C/network-auth.xml:792(command)

8804

msgid "sudo service rsyslog restart"

8805

msgstr ""

8806

8807

#: serverguide/C/network-auth.xml:798(title)

8808

msgid "Replication"

8809

msgstr ""

8810

8811

#: serverguide/C/network-auth.xml:800(para)

8812

msgid "The LDAP service becomes increasingly important as more networked systems begin to depend on it. In such an environment, it is standard practice to build redundancy (high availability) into LDAP to prevent havoc should the LDAP server become unresponsive. This is done through <emphasis>LDAP replication</emphasis>."

8813

msgstr ""

8814

8815

#: serverguide/C/network-auth.xml:806(para)

8816

msgid "Replication is achieved via the <emphasis>Syncrepl</emphasis> engine. This allows changes to be synchronized using a <emphasis>Consumer</emphasis> - <emphasis>Provider</emphasis> model. The specific kind of replication we will implement in this guide is a combination of the following modes: <emphasis>refreshAndPersist</emphasis> and <emphasis>delta-syncrepl</emphasis>. This has the Provider push changed entries to the Consumer as soon as they're made but, in addition, only actual changes will be sent, not entire entries."

8817

msgstr ""

8818

8819

#: serverguide/C/network-auth.xml:815(title)

8615

8820

msgid "Provider Configuration"

8616

8821

msgstr ""

8617

8822

8618

#: serverguide/C/network-auth.xml:552(para)

8619

msgid "The following is an example of a <emphasis>Single-Master</emphasis> configuration. In this configuration one OpenLDAP server is configured as a <emphasis>provider</emphasis> and another as a <emphasis>consumer</emphasis>."

8620

msgstr ""

8621

8622

#: serverguide/C/network-auth.xml:560(para)

8623

msgid "First, configure the provider server. Copy the following to a file named <filename>provider_sync.ldif</filename>:"

8624

msgstr ""

8625

8626

#: serverguide/C/network-auth.xml:565(programlisting)

8823

#: serverguide/C/network-auth.xml:817(para)

8824

msgid "Begin by configuring the <emphasis>Provider</emphasis>."

8825

msgstr ""

8826

8827

#: serverguide/C/network-auth.xml:824(para)

8828

msgid "Create an LDIF file with the following contents and name it <filename>provider_sync.ldif</filename>:"

8829

msgstr ""

8830

8831

#: serverguide/C/network-auth.xml:828(programlisting)

8627

8832

#, no-wrap

8628

8833

msgid "\n# Add indexes to the frontend db.\ndn: olcDatabase={1}hdb,cn=config\nchangetype: modify\nadd: olcDbIndex\nolcDbIndex: entryCSN eq\n-\nadd: olcDbIndex\nolcDbIndex: entryUUID eq\n\n#Load the syncprov and accesslog modules.\ndn: cn=module{0},cn=config\nchangetype: modify\nadd: olcModuleLoad\nolcModuleLoad: syncprov\n-\nadd: olcModuleLoad\nolcModuleLoad: accesslog\n\n# Accesslog database definitions\ndn: olcDatabase={2}hdb,cn=config\nobjectClass: olcDatabaseConfig\nobjectClass: olcHdbConfig\nolcDatabase: {2}hdb\nolcDbDirectory: /var/lib/ldap/accesslog\nolcSuffix: cn=accesslog\nolcRootDN: cn=admin,dc=example,dc=com\nolcDbIndex: default eq\nolcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart\n\n# Accesslog db syncprov.\ndn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config\nchangetype: add\nobjectClass: olcOverlayConfig\nobjectClass: olcSyncProvConfig\nolcOverlay: syncprov\nolcSpNoPresent: TRUE\nolcSpReloadHint: TRUE\n\n# syncrepl Provider for primary db\ndn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config\nchangetype: add\nobjectClass: olcOverlayConfig\nobjectClass: olcSyncProvConfig\nolcOverlay: syncprov\nolcSpNoPresent: TRUE\n\n# accesslog overlay definitions for primary db\ndn: olcOverlay=accesslog,olcDatabase={1}hdb,cn=config\nobjectClass: olcOverlayConfig\nobjectClass: olcAccessLogConfig\nolcOverlay: accesslog\nolcAccessLogDB: cn=accesslog\nolcAccessLogOps: writes\nolcAccessLogSuccess: TRUE\n# scan the accesslog DB every day, and purge entries older than 7 days\nolcAccessLogPurge: 07+00:00 01+00:00\n"

8629

8834

msgstr ""

8630

8835

8631

#: serverguide/C/network-auth.xml:627(para)

8632

msgid "The <application>AppArmor</application> profile for <application>slapd</application> will need to be adjusted for the accesslog database location. Edit <filename>/etc/apparmor.d/usr.sbin.slapd</filename> adding:"

8633

msgstr ""

8634

8635

#: serverguide/C/network-auth.xml:632(programlisting)

8836

#: serverguide/C/network-auth.xml:887(para)

8837

msgid "Change the rootDN in the LDIF file to match the one you have for your directory."

8838

msgstr ""

8839

8840

#: serverguide/C/network-auth.xml:894(para)

8841

msgid "The <application>apparmor</application> profile for slapd will need to be adjusted for the accesslog database location. Edit <filename>/etc/apparmor.d/local/usr.sbin.slapd</filename> by adding the following:"

8842

msgstr ""

8843

8844

#: serverguide/C/network-auth.xml:900(programlisting)

8636

8845

#, no-wrap

8637

msgid "\n /var/lib/ldap/accesslog/ r,\n /var/lib/ldap/accesslog/** rwk,\n"

8638

msgstr ""

8639

8640

#: serverguide/C/network-auth.xml:637(para)

8641

msgid "Then create the directory, reload the <application>apparmor</application> profile, and copy the <filename>DB_CONFIG</filename> file:"

8642

msgstr ""

8643

8644

#: serverguide/C/network-auth.xml:643(command)

8846

msgid "\n/var/lib/ldap/accesslog/ r,\n/var/lib/ldap/accesslog/** rwk,\n"

8847

msgstr ""

8848

8849

#: serverguide/C/network-auth.xml:905(para)

8850

msgid "Create a directory, set up a databse config file, and reload the apparmor profile:"

8851

msgstr ""

8852

8853

#: serverguide/C/network-auth.xml:910(command)

8645

8854

msgid "sudo -u openldap mkdir /var/lib/ldap/accesslog"

8646

8855

msgstr ""

8647

8856

8648

#: serverguide/C/network-auth.xml:644(command)

8649

msgid "sudo -u openldap cp /var/lib/ldap/DB_CONFIG /var/lib/ldap/accesslog/"

8650

msgstr ""

8651

8652

#: serverguide/C/network-auth.xml:649(para)

8653

msgid "Using the <emphasis>-u openldap</emphasis> option with the <application>sudo</application> commands above removes the need to adjust permissions for the new directory later."

8654

msgstr ""

8655

8656

#: serverguide/C/network-auth.xml:658(para)

8657

msgid "Edit the file and change the <emphasis>olcRootDN</emphasis> to match your directory:"

8658

msgstr ""

8659

8660

#: serverguide/C/network-auth.xml:662(programlisting)

8661

#, no-wrap

8662

msgid "\nolcRootDN: cn=admin,dc=example,dc=com\n"

8663

msgstr ""

8664

8665

#: serverguide/C/network-auth.xml:670(para)

8666

msgid "Next, add the LDIF file using the <application>ldapadd</application> utility:"

8667

msgstr ""

8668

8669

#: serverguide/C/network-auth.xml:675(command)

8670

msgid "sudo ldapadd -Y EXTERNAL -H ldapi:/// -f provider_sync.ldif"

8671

msgstr ""

8672

8673

#: serverguide/C/network-auth.xml:682(para)

8674

msgid "Restart <application>slapd</application>:"

8675

msgstr ""

8676

8677

#: serverguide/C/network-auth.xml:687(command) serverguide/C/network-auth.xml:1062(command) serverguide/C/network-auth.xml:1249(command)

8678

msgid "sudo /etc/init.d/slapd restart"

8679

msgstr ""

8680

8681

#: serverguide/C/network-auth.xml:693(para)

8682

msgid "The <emphasis>Provider</emphasis> server is now configured, and it is time to configure a <emphasis>Consumer</emphasis> server."

8683

msgstr ""

8684

8685

#: serverguide/C/network-auth.xml:700(title)

8686

msgid "Consumer Configuration"

8687

msgstr ""

8688

8689

#: serverguide/C/network-auth.xml:705(para)

8690

msgid "On the <emphasis>Consumer</emphasis> server configure it the same as the <emphasis>Provider</emphasis> except for the <emphasis>Syncrepl</emphasis> configuration steps."

8691

msgstr ""

8692

8693

#: serverguide/C/network-auth.xml:710(para)

8694

msgid "Add the additional schema files:"

8695

msgstr ""

8696

8697

#: serverguide/C/network-auth.xml:720(para)

8698

msgid "Also, create, or copy from the provider server, the <filename>backend.example.com.ldif</filename>"

8699

msgstr ""

8700

8701

#: serverguide/C/network-auth.xml:724(programlisting)

8702

#, no-wrap

8703

8704

msgstr ""

8705

8706

#: serverguide/C/network-auth.xml:754(para)

8707

msgid "And add the LDIF by entering:"

8708

msgstr ""

8709

8710

#: serverguide/C/network-auth.xml:765(para)

8711

msgid "Do the same with the <filename>frontend.example.com.ldif</filename> file listed above, and add it:"

8712

msgstr ""

8713

8714

#: serverguide/C/network-auth.xml:773(para)

8715

msgid "The two severs should now have the same configuration except for the <emphasis>Syncrepl</emphasis> options."

8716

msgstr ""

8717

8718

#: serverguide/C/network-auth.xml:781(para)

8719

msgid "Now create a file named <filename>consumer_sync.ldif</filename> containing:"

8720

msgstr ""

8721

8722

#: serverguide/C/network-auth.xml:785(programlisting)

8723

#, no-wrap

8724

msgid "\n#Load the syncprov module.\ndn: cn=module{0},cn=config\nchangetype: modify\nadd: olcModuleLoad\nolcModuleLoad: syncprov\n\n# syncrepl specific indices\ndn: olcDatabase={1}hdb,cn=config\nchangetype: modify\nadd: olcDbIndex\nolcDbIndex: entryUUID eq\n-\nadd: olcSyncRepl\nolcSyncRepl: rid=0 provider=ldap://ldap01.example.com bindmethod=simple binddn=\"cn=admin,dc=example,dc=com\" \n credentials=secret searchbase=\"dc=example,dc=com\" logbase=\"cn=accesslog\" \n logfilter=\"(&(objectClass=auditWriteObject)(reqResult=0))\" schemachecking=on \n type=refreshAndPersist retry=\"60 +\" syncdata=accesslog\n-\nadd: olcUpdateRef\nolcUpdateRef: ldap://ldap01.example.com\n"

8725

msgstr ""

8726

8727

#: serverguide/C/network-auth.xml:808(para)

8728

msgid "You will probably want to change the following attributes:"

8729

msgstr ""

8730

8731

#: serverguide/C/network-auth.xml:813(para)

8732

msgid "<emphasis>ldap01.example.com</emphasis> to your server's hostname."

8733

msgstr ""

8734

8735

#: serverguide/C/network-auth.xml:814(emphasis)

8736

msgid "binddn"

8737

msgstr ""

8738

8739

#: serverguide/C/network-auth.xml:815(emphasis)

8740

msgid "credentials"

8741

msgstr ""

8742

8743

#: serverguide/C/network-auth.xml:816(emphasis)

8744

msgid "searchbase"

8745

msgstr ""

8746

8747

#: serverguide/C/network-auth.xml:817(emphasis)

8748

msgid "olcUpdateRef:"

8749

msgstr ""

8750

8751

#: serverguide/C/network-auth.xml:823(para)

8752

msgid "Add the LDIF file to the configuration tree:"

8753

msgstr ""

8754

8755

#: serverguide/C/network-auth.xml:828(command)

8756

msgid "sudo ldapadd -c -Y EXTERNAL -H ldapi:/// -f consumer_sync.ldif"

8757

msgstr ""

8758

8759

#: serverguide/C/network-auth.xml:834(para)

8760

msgid "The frontend database should now sync between servers. You can add additional servers using the steps above as the need arises."

8761

msgstr ""

8762

8763

#: serverguide/C/network-auth.xml:844(programlisting)

8764

#, no-wrap

8765

msgid "127.0.0.1\tldap01.example.com ldap01"

8766

msgstr ""

8767

8768

#: serverguide/C/network-auth.xml:840(para)

8769

msgid "The <application>slapd</application> daemon will send log information to <filename>/var/log/syslog</filename> by default. So if all does <emphasis>not</emphasis> go well check there for errors and other troubleshooting information. Also, be sure that each server knows it's Fully Qualified Domain Name (FQDN). This is configured in <filename>/etc/hosts</filename> with a line similar to: <placeholder-1/>."

8770

msgstr ""

8771

8772

#: serverguide/C/network-auth.xml:852(title)

8773

msgid "Setting up ACL"

8774

msgstr ""

8775

8776

#: serverguide/C/network-auth.xml:854(para)

8777

msgid "Authentication requires access to the password field, that should be not accessible by default. Also, in order for users to change their own password, using <command>passwd</command> or other utilities, <emphasis>shadowLastChange</emphasis> needs to be accessible once a user has authenticated."

8778

msgstr ""

8779

8780

#: serverguide/C/network-auth.xml:861(para)

8781

msgid "To view the Access Control List (ACL) for the <emphasis>cn=config</emphasis> tree, use the <application>ldapsearch</application> utility:"

8782

msgstr ""

8783

8784

#: serverguide/C/network-auth.xml:867(command)

8785

msgid "sudo ldapsearch -c -Y EXTERNAL -H ldapi:/// -LLL -b cn=config olcDatabase=config olcAccess"

8786

msgstr ""

8787

8788

#: serverguide/C/network-auth.xml:871(computeroutput)

8789

#, no-wrap

8790

msgid "SASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\ndn: olcDatabase={0}config,cn=config\nolcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external\n ,cn=auth manage by * break\n"

8791

msgstr ""

8792

8793

#: serverguide/C/network-auth.xml:880(para)

8794

msgid "To see the ACL for the frontend tree enter:"

8795

msgstr ""

8796

8797

#: serverguide/C/network-auth.xml:885(command)

8798

msgid "sudo ldapsearch -c -Y EXTERNAL -H ldapi:/// -LLL -b cn=config olcDatabase={1}hdb olcAccess"

8799

msgstr ""

8800

8801

#: serverguide/C/network-auth.xml:891(title)

8802

msgid "TLS and SSL"

8803

msgstr ""

8804

8805

#: serverguide/C/network-auth.xml:893(para)

8806

msgid "When authenticating to an OpenLDAP server it is best to do so using an encrypted session. This can be accomplished using Transport Layer Security (TLS) and/or Secure Sockets Layer (SSL)."

8807

msgstr ""

8808

8809

#: serverguide/C/network-auth.xml:898(para)

8810

msgid "The first step in the process is to obtain or create a <emphasis>certificate</emphasis>. Because <application>slapd</application> is compiled using the <application>gnutls</application> library, the <application>certtool</application> utility will be used to create certificates."

8811

msgstr ""

8812

8813

#: serverguide/C/network-auth.xml:907(para)

8814

msgid "First, install <application>gnutls-bin</application> by entering the following in a terminal:"

8857

#: serverguide/C/network-auth.xml:911(command)

8858

msgid "sudo -u openldap cp /var/lib/ldap/DB_CONFIG /var/lib/ldap/accesslog"

8815

8859

msgstr ""

8816

8860

8817

8861

#: serverguide/C/network-auth.xml:912(command)

8818

msgid "sudo apt-get install gnutls-bin"

8862

msgid "sudo service apparmor reload"

8819

8863

msgstr ""

8820

8864

8821

8865

#: serverguide/C/network-auth.xml:918(para)

8822

msgid "Next, create a private key for the <emphasis>Certificate Authority</emphasis> (CA):"

8866

msgid "Add the new content and, due to the apparmor change, restart the daemon:"

8823

8867

msgstr ""

8824

8868

8825

8869

#: serverguide/C/network-auth.xml:923(command)

8870

msgid "sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f provider_sync.ldif"

8871

msgstr ""

8872

8873

#: serverguide/C/network-auth.xml:924(command) serverguide/C/network-auth.xml:1392(command) serverguide/C/network-auth.xml:1577(command)

8874

msgid "sudo service slapd restart"

8875

msgstr ""

8876

8877

#: serverguide/C/network-auth.xml:931(para)

8878

msgid "The Provider is now configured."

8879

msgstr ""

8880

8881

#: serverguide/C/network-auth.xml:938(title)

8882

msgid "Consumer Configuration"

8883

msgstr ""

8884

8885

#: serverguide/C/network-auth.xml:940(para)

8886

msgid "And now configure the <emphasis>Consumer</emphasis>."

8887

msgstr ""

8888

8889

#: serverguide/C/network-auth.xml:947(para)

8890

msgid "Install the software by going through <xref linkend=\"openldap-server-installation\"/>. Make sure the slapd-config databse is identical to the Provider's. In particular, make sure schemas and the databse suffix are the same."

8891

msgstr ""

8892

8893

#: serverguide/C/network-auth.xml:954(para)

8894

msgid "Create an LDIF file with the following contents and name it <filename>consumer_sync.ldif</filename>:"

8895

msgstr ""

8896

8897

#: serverguide/C/network-auth.xml:958(programlisting)

8898

#, no-wrap

8899

msgid "\ndn: cn=module{0},cn=config\nchangetype: modify\nadd: olcModuleLoad\nolcModuleLoad: syncprov\n\ndn: olcDatabase={1}hdb,cn=config\nchangetype: modify\nadd: olcDbIndex\nolcDbIndex: entryUUID eq\n-\nadd: olcSyncRepl\nolcSyncRepl: rid=0 provider=ldap://ldap01.example.com bindmethod=simple binddn=\"cn=admin,dc=example,dc=com\" \n credentials=secret searchbase=\"dc=example,dc=com\" logbase=\"cn=accesslog\" \n logfilter=\"(&(objectClass=auditWriteObject)(reqResult=0))\" schemachecking=on \n type=refreshAndPersist retry=\"60 +\" syncdata=accesslog\n-\nadd: olcUpdateRef\nolcUpdateRef: ldap://ldap01.example.com\n"

8900

msgstr ""

8901

8902

#: serverguide/C/network-auth.xml:979(para)

8903

msgid "Ensure the following attributes have the correct values:"

8904

msgstr ""

8905

8906

#: serverguide/C/network-auth.xml:984(para)

8907

msgid "<emphasis>ldap01.example.com</emphasis> (Provider server's hostname or IP address)"

8908

msgstr ""

8909

8910

#: serverguide/C/network-auth.xml:985(para)

8911

msgid "<emphasis>binddn</emphasis> (the admin DN you're using)"

8912

msgstr ""

8913

8914

#: serverguide/C/network-auth.xml:986(para)

8915

msgid "<emphasis>credentials</emphasis> (the admin DN password you're using)"

8916

msgstr ""

8917

8918

#: serverguide/C/network-auth.xml:987(para)

8919

msgid "<emphasis>searchbase</emphasis> (the database suffix you're using)"

8920

msgstr ""

8921

8922

#: serverguide/C/network-auth.xml:988(para)

8923

msgid "<emphasis>olcUpdateRef:</emphasis> (Provider server's hostname or IP address)"

8924

msgstr ""

8925

8926

#: serverguide/C/network-auth.xml:995(para)

8927

msgid "Add the new content:"

8928

msgstr ""

8929

8930

#: serverguide/C/network-auth.xml:1000(command)

8931

msgid "sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f consumer_sync.ldif"

8932

msgstr ""

8933

8934

#: serverguide/C/network-auth.xml:1007(para)

8935

msgid "You're done. The two databases (suffix: dc=example,dc=com) should now be synchronizing."

8936

msgstr ""

8937

8938

#: serverguide/C/network-auth.xml:1011(para)

8939

msgid "To test if it worked simply query, on the Consumer, the DNs in the database:"

8940

msgstr ""

8941

8942

#: serverguide/C/network-auth.xml:1016(command)

8943

msgid "sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b dc=example,dc=com dn"

8944

msgstr ""

8945

8946

#: serverguide/C/network-auth.xml:1019(para)

8947

msgid "You should see the user 'john' and the group 'miners' as well as the nodes 'People' and 'Groups'."

8948

msgstr ""

8949

8950

#: serverguide/C/network-auth.xml:1028(title)

8951

msgid "Access Control"

8952

msgstr ""

8953

8954

#: serverguide/C/network-auth.xml:1030(para)

8955

msgid "The management of what type of access (read, write, etc) users should be granted to resources is known as <emphasis>access control</emphasis>. The configuration directives involved are called <emphasis>access control lists</emphasis> or ACL."

8956

msgstr ""

8957

8958

#: serverguide/C/network-auth.xml:1035(para)

8959

msgid "When we installed the slapd package various ACL were set up automatically. We will look at a few important consequences of those defaults and, in so doing, we'll get an idea of how ACLs work and how they're configured."

8960

msgstr ""

8961

8962

#: serverguide/C/network-auth.xml:1040(para)

8963

msgid "To get the effective ACL for an LDAP query we need to look at the ACL entries of the database being queried as well as those of the special frontend database instance. The ACLs belonging to the latter act as defaults in case those of the former do not match. The frontend database is the second to be consulted and the ACL to be applied is the first to match (\"first match wins\") among these 2 ACL sources. The following commands will give, respectively, the ACLs of the hdb database (\"dc=example,dc=com\") and those of the frontend database:"

8964

msgstr ""

8965

8966

#: serverguide/C/network-auth.xml:1049(command)

8967

msgid "sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(olcDatabase={1}hdb)' olcAccess"

8968

msgstr ""

8969

8970

#: serverguide/C/network-auth.xml:1050(computeroutput)

8971

#, no-wrap

8972

msgid "\ndn: olcDatabase={1}hdb,cn=config\nolcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn=\"cn=admin,dc=example,dc=com\" write by * none\nolcAccess: {1}to dn.base=\"\" by * read\nolcAccess: {2}to * by self write by dn=\"cn=admin,dc=example,dc=com\" write by *\n read\n"

8973

msgstr ""

8974

8975

#: serverguide/C/network-auth.xml:1060(para)

8976

msgid "The rootDN always has full rights to it's database. Including it in an ACL does provide an explicit configuration but it also causes slapd to incure a performance penalty."

8977

msgstr ""

8978

8979

#: serverguide/C/network-auth.xml:1067(command)

8980

msgid "sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(olcDatabase={-1}frontend)' olcAccess"

8981

msgstr ""

8982

8983

#: serverguide/C/network-auth.xml:1068(computeroutput)

8984

#, no-wrap

8985

msgid "\ndn: olcDatabase={-1}frontend,cn=config\nolcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break\nolcAccess: {1}to dn.exact=\"\" by * read\nolcAccess: {2}to dn.base=\"cn=Subschema\" by * read\n"

8986

msgstr ""

8987

8988

#: serverguide/C/network-auth.xml:1076(para)

8989

msgid "The very first ACL is crucial:"

8990

msgstr ""

8991

8992

#: serverguide/C/network-auth.xml:1080(programlisting)

8993

#, no-wrap

8994

msgid "\nolcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn=\"cn=admin,dc=example,dc=com\" write by * none\n"

8995

msgstr ""

8996

8997

#: serverguide/C/network-auth.xml:1084(para)

8998

msgid "This can be represented differently for easier digestion:"

8999

msgstr ""

9000

9001

#: serverguide/C/network-auth.xml:1088(programlisting)

9002

#, no-wrap

9003

msgid "\nto attrs=userPassword\n\tby self write\n\tby anonymous auth\n\tby dn=\"cn=admin,dc=example,dc=com\" write\n\tby * none\n\nto attrs=shadowLastChange\n\tby self write\n\tby anonymous auth\n\tby dn=\"cn=admin,dc=example,dc=com\" write\n\tby * none\n"

9004

msgstr ""

9005

9006

#: serverguide/C/network-auth.xml:1102(para)

9007

msgid "This compound ACL (there are 2) enforces the following:"

9008

msgstr ""

9009

9010

#: serverguide/C/network-auth.xml:1109(para)

9011

msgid "Anonymous 'auth' access is provided to the <emphasis>userPassword</emphasis> attribute for the initial connection to occur. Perhaps counter-intuitively, 'by anonymous auth' is needed even when anonymous access to the DIT is unwanted. Once the remote end is connected, howerver, authentication can occur (see next point)."

9012

msgstr ""

9013

9014

#: serverguide/C/network-auth.xml:1117(para)

9015

msgid "Authentication can happen because all users have 'read' (due to 'by self write') access to the <emphasis>userPassword</emphasis> attribute."

9016

msgstr ""

9017

9018

#: serverguide/C/network-auth.xml:1123(para)

9019

msgid "The <emphasis>userPassword</emphasis> attribute is otherwise unaccessible by all other users, with the exception of the rootDN, who has complete access to it."

9020

msgstr ""

9021

9022

#: serverguide/C/network-auth.xml:1130(para)

9023

msgid "In order for users to change their own password, using <command>passwd</command> or other utilities, the <emphasis>shadowLastChange</emphasis> attribute needs to be accessible once a user has authenticated."

9024

msgstr ""

9025

9026

#: serverguide/C/network-auth.xml:1138(para)

9027

msgid "This DIT can be searched anonymously because of 'by * read' in this ACL:"

9028

msgstr ""

9029

9030

#: serverguide/C/network-auth.xml:1142(programlisting)

9031

#, no-wrap

9032

msgid "\nto *\n\tby self write\n\tby dn=\"cn=admin,dc=example,dc=com\" write\n\tby * read\n"

9033

msgstr ""

9034

9035

#: serverguide/C/network-auth.xml:1149(para)

9036

msgid "If this is unwanted then you need to change the ACLs. To force authentication during a bind request you can alternatively (or in combination with the modified ACL) use the 'olcRequire: authc' directive."

9037

msgstr ""

9038

9039

#: serverguide/C/network-auth.xml:1154(para)

9040

msgid "As previously mentioned, there is no administrative account created for the slapd-config database. There is, however, a SASL identity that is granted full access to it. It represents the localhost's superuser (root/sudo). Here it is:"

9041

msgstr ""

9042

9043

#: serverguide/C/network-auth.xml:1159(programlisting)

9044

#, no-wrap

9045

msgid "\ndn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth \n"

9046

msgstr ""

9047

9048

#: serverguide/C/network-auth.xml:1163(para)

9049

msgid "The following command will display the ACLs of the slapd-config database:"

9050

msgstr ""

9051

9052

#: serverguide/C/network-auth.xml:1168(command)

9053

msgid "sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(olcDatabase={0}config)' olcAccess"

9054

msgstr ""

9055

9056

#: serverguide/C/network-auth.xml:1169(computeroutput)

9057

#, no-wrap

9058

msgid "\ndn: olcDatabase={0}config,cn=config\nolcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break\n"

9059

msgstr ""

9060

9061

#: serverguide/C/network-auth.xml:1175(para)

9062

msgid "Since this is a SASL identity we need to use a SASL <emphasis>mechanism</emphasis> when invoking the LDAP utility in question and and we have seen it plenty of times in this guide. It is the EXTERNAL mechanism. See the previous command for an example. Note that:"

9063

msgstr ""

9064

9065

#: serverguide/C/network-auth.xml:1183(para)

9066

msgid "You must use <emphasis>sudo</emphasis> to become the root identity in order for the ACL to match."

9067

msgstr ""

9068

9069

#: serverguide/C/network-auth.xml:1189(para)

9070

msgid "The EXTERNAL mechanism works via <emphasis>IPC</emphasis> (UNIX domain sockets). This means you must use the <emphasis>ldapi</emphasis> URI format."

9071

msgstr ""

9072

9073

#: serverguide/C/network-auth.xml:1197(para)

9074

msgid "A succinct way to get all the ACLs is like this:"

9075

msgstr ""

9076

9077

#: serverguide/C/network-auth.xml:1202(command)

9078

msgid "sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(olcAccess=*)' olcAccess olcSuffix"

9079

msgstr ""

9080

9081

#: serverguide/C/network-auth.xml:1205(para)

9082

msgid "There is much to say on the topic of access control. See the man page for <ulink url=\"http://manpages.ubuntu.com/manpages/en/man5/slapd.access.5.html\">slapd.access</ulink>."

9083

msgstr ""

9084

9085

#: serverguide/C/network-auth.xml:1213(title)

9086

msgid "TLS"

9087

msgstr ""

9088

9089

#: serverguide/C/network-auth.xml:1215(para)

9090

msgid "When authenticating to an OpenLDAP server it is best to do so using an encrypted session. This can be accomplished using Transport Layer Security (TLS)."

9091

msgstr ""

9092

9093

#: serverguide/C/network-auth.xml:1220(para)

9094

msgid "Here, we will be our own <emphasis>Certificate Authority</emphasis> and then create and sign our LDAP server certificate as that CA. Since <application>slapd</application> is compiled using the <application>gnutls</application> library, we will use the <application>certtool</application> utility to complete these tasks."

9095

msgstr ""

9096

9097

#: serverguide/C/network-auth.xml:1229(para)

9098

msgid "Install the <application>gnutls-bin</application> and <application>gnutls-bin</application> packages:"

9099

msgstr ""

9100

9101

#: serverguide/C/network-auth.xml:1234(command)

9102

msgid "sudo apt-get install gnutls-bin ssl-cert"

9103

msgstr ""

9104

9105

#: serverguide/C/network-auth.xml:1240(para)

9106

msgid "Create a private key for the Certificate Authority:"

9107

msgstr ""

9108

9109

#: serverguide/C/network-auth.xml:1245(command)

8826

9110

msgid "sudo sh -c \"certtool --generate-privkey > /etc/ssl/private/cakey.pem\""

8827

9111

msgstr ""

8828

9112

8829

#: serverguide/C/network-auth.xml:929(para)

8830

msgid "Create a <filename>/etc/ssl/ca.info</filename> details file to self-sign the CA certificate containing:"

9113

#: serverguide/C/network-auth.xml:1251(para)

9114

msgid "Create the template/file <filename>/etc/ssl/ca.info</filename> to define the CA:"

8831

9115

msgstr ""

8832

9116

8833

#: serverguide/C/network-auth.xml:933(programlisting)

9117

#: serverguide/C/network-auth.xml:1255(programlisting)

8834

9118

#, no-wrap

8835

9119

msgid "\ncn = Example Company\nca\ncert_signing_key\n"

8836

9120

msgstr ""

8837

9121

8838

#: serverguide/C/network-auth.xml:942(para)

8839

msgid "Now create the self-signed CA certificate:"

8840

msgstr ""

8841

8842

#: serverguide/C/network-auth.xml:947(command)

8843

msgid "sudo certtool --generate-self-signed --load-privkey /etc/ssl/private/cakey.pem \\ --template /etc/ssl/ca.info --outfile /etc/ssl/certs/cacert.pem"

8844

msgstr ""

8845

8846

#: serverguide/C/network-auth.xml:954(para)

9122

#: serverguide/C/network-auth.xml:1264(para)

9123

msgid "Create the self-signed CA certificate:"

9124

msgstr ""

9125

9126

#: serverguide/C/network-auth.xml:1269(command)

9127

msgid "sudo certtool --generate-self-signed \\ --load-privkey /etc/ssl/private/cakey.pem \\ --template /etc/ssl/ca.info \\ --outfile /etc/ssl/certs/cacert.pem"

9128

msgstr ""

9129

9130

#: serverguide/C/network-auth.xml:1278(para)

8847

9131

msgid "Make a private key for the server:"

8848

9132

msgstr ""

8849

9133

8850

#: serverguide/C/network-auth.xml:959(command)

8851

msgid "sudo sh -c \"certtool --generate-privkey > /etc/ssl/private/ldap01_slapd_key.pem\""

8852

msgstr ""

8853

8854

#: serverguide/C/network-auth.xml:963(para)

8855

msgid "Replace <emphasis>ldap01</emphasis> in the filename with your server's hostname. Naming the certificate and key for the host and service that will be using them will help keep filenames and paths straight."

8856

msgstr ""

8857

8858

#: serverguide/C/network-auth.xml:972(para)

8859

msgid "To sign the server's certificate with the CA, create the <filename>/etc/ssl/ldap01.info</filename> info file containing:"

8860

msgstr ""

8861

8862

#: serverguide/C/network-auth.xml:976(programlisting)

9134

#: serverguide/C/network-auth.xml:1283(command)

9135

msgid "sudo certtool --generate-privkey \\ --bits 1024 \\ --outfile /etc/ssl/private/ldap01_slapd_key.pem"

9136

msgstr ""

9137

9138

#: serverguide/C/network-auth.xml:1289(para)

9139

msgid "Replace <emphasis>ldap01</emphasis> in the filename with your server's hostname. Naming the certificate and key for the host and service that will be using them will help keep things clear."

9140

msgstr ""

9141

9142

#: serverguide/C/network-auth.xml:1298(para)

9143

msgid "Create the <filename>/etc/ssl/ldap01.info</filename> info file containing:"

9144

msgstr ""

9145

9146

#: serverguide/C/network-auth.xml:1302(programlisting)

8863

9147

#, no-wrap

8864

msgid "\norganization = Example Company\ncn = ldap01.example.com\ntls_www_server\nencryption_key\nsigning_key\n"

8865

msgstr ""

8866

8867

#: serverguide/C/network-auth.xml:987(para)

9148

msgid "\norganization = Example Company\ncn = ldap01.example.com\ntls_www_server\nencryption_key\nsigning_key\nexpiration_days = 3650\n"

9149

msgstr ""

9150

9151

#: serverguide/C/network-auth.xml:1311(para)

9152

msgid "The above certificate is good for 10 years. Adjust accordingly."

9153

msgstr ""

9154

9155

#: serverguide/C/network-auth.xml:1317(para)

8868

9156

msgid "Create the server's certificate:"

8869

9157

msgstr ""

8870

9158

8871

#: serverguide/C/network-auth.xml:992(command)

8872

msgid "sudo certtool --generate-certificate --load-privkey /etc/ssl/private/ldap01_slapd_key.pem \\ --load-ca-certificate /etc/ssl/certs/cacert.pem --load-ca-privkey /etc/ssl/private/cakey.pem \\ --template /etc/ssl/ldap01.info --outfile /etc/ssl/certs/ldap01_slapd_cert.pem"

8873

msgstr ""

8874

8875

#: serverguide/C/network-auth.xml:1000(para)

8876

msgid "Once you have a certificate, key, and CA cert installed, use <application>ldapmodify</application> to add the new configuration options:"

8877

msgstr ""

8878

8879

#: serverguide/C/network-auth.xml:1011(userinput)

8880

#, no-wrap

8881

msgid "dn: cn=config\nadd: olcTLSCACertificateFile\nolcTLSCACertificateFile: /etc/ssl/certs/cacert.pem\n-\nadd: olcTLSCertificateFile\nolcTLSCertificateFile: /etc/ssl/certs/ldap01_slapd_cert.pem\n-\nadd: olcTLSCertificateKeyFile\nolcTLSCertificateKeyFile: /etc/ssl/private/ldap01_slapd_key.pem"

8882

msgstr ""

8883

8884

#: serverguide/C/network-auth.xml:1010(computeroutput) serverguide/C/network-auth.xml:1181(computeroutput)

8885

#, no-wrap

8886

msgid "Enter LDAP Password:\n<placeholder-1/>\n\nmodifying entry \"cn=config\"\n"

8887

msgstr ""

8888

8889

#: serverguide/C/network-auth.xml:1026(para)

8890

msgid "Adjust the <filename>ldap01_slapd_cert.pem</filename>, <filename>ldap01_slapd_key.pem</filename>, and <filename>cacert.pem</filename> names if yours are different."

8891

msgstr ""

8892

8893

#: serverguide/C/network-auth.xml:1032(para)

8894

msgid "Next, edit <filename>/etc/default/slapd</filename> uncomment the <emphasis>SLAPD_SERVICES</emphasis> option:"

8895

msgstr ""

8896

8897

#: serverguide/C/network-auth.xml:1036(programlisting)

8898

#, no-wrap

8899

msgid "\nSLAPD_SERVICES=\"ldap:/// ldapi:/// ldaps:///\"\n"

8900

msgstr ""

8901

8902

#: serverguide/C/network-auth.xml:1040(para)

8903

msgid "Now the <emphasis>openldap</emphasis> user needs access to the certificate:"

8904

msgstr ""

8905

8906

#: serverguide/C/network-auth.xml:1045(command)

9159

#: serverguide/C/network-auth.xml:1322(command)

9160

msgid "sudo certtool --generate-certificate \\ --load-privkey /etc/ssl/private/ldap01_slapd_key.pem \\ --load-ca-certificate /etc/ssl/certs/cacert.pem \\ --load-ca-privkey /etc/ssl/private/cakey.pem \\ --template /etc/ssl/ldap01.info \\ --outfile /etc/ssl/certs/ldap01_slapd_cert.pem"

9161

msgstr ""

9162

9163

#: serverguide/C/network-auth.xml:1334(para)

9164

msgid "Create the file <filename>certinfo.ldif</filename> with the following contents (adjust accordingly):"

9165

msgstr ""

9166

9167

#: serverguide/C/network-auth.xml:1338(programlisting)

9168

#, no-wrap

9169

msgid "\ndn: cn=config\nadd: olcTLSCACertificateFile\nolcTLSCACertificateFile: /etc/ssl/certs/cacert.pem\n-\nadd: olcTLSCertificateFile\nolcTLSCertificateFile: /etc/ssl/certs/ldap01_slapd_cert.pem\n-\nadd: olcTLSCertificateKeyFile\nolcTLSCertificateKeyFile: /etc/ssl/private/ldap01_slapd_key.pem\n"

9170

msgstr ""

9171

9172

#: serverguide/C/network-auth.xml:1350(para)

9173

msgid "Use the <application>ldapmodify</application> command to tell slapd about our TLS work via the slapd-config database:"

9174

msgstr ""

9175

9176

#: serverguide/C/network-auth.xml:1355(command)

9177

msgid "sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ssl/certinfo.ldif"

9178

msgstr ""

9179

9180

#: serverguide/C/network-auth.xml:1358(para)

9181

msgid "Contratry to popular belief, you do not need <emphasis>ldaps://</emphasis> in <filename>/etc/default/slapd</filename> in order to use encryption. You should have just:"

9182

msgstr ""

9183

9184

#: serverguide/C/network-auth.xml:1363(programlisting)

9185

#, no-wrap

9186

msgid "\nSLAPD_SERVICES=\"ldap:/// ldapi:///\"\n"

9187

msgstr ""

9188

9189

#: serverguide/C/network-auth.xml:1368(para)

9190

msgid "LDAP over TLS/SSL (ldaps://) is deprecated in favour of <emphasis>StartTLS</emphasis>. The latter refers to an existing LDAP session (listening on TCP port 389) becoming protected by TLS/SSL whereas LDAPS, like HTTPS, is a distinct encrypted-from-the-start protocol that operates over TCP port 636."

9191

msgstr ""

9192

9193

#: serverguide/C/network-auth.xml:1376(para)

9194

msgid "Tighten up ownership and permissions:"

9195

msgstr ""

9196

9197

#: serverguide/C/network-auth.xml:1381(command) serverguide/C/network-auth.xml:1498(command)

8907

9198

msgid "sudo adduser openldap ssl-cert"

8908

9199

msgstr ""

8909

9200

8910

#: serverguide/C/network-auth.xml:1046(command)

9201

#: serverguide/C/network-auth.xml:1382(command)

8911

9202

msgid "sudo chgrp ssl-cert /etc/ssl/private/ldap01_slapd_key.pem"

8912

9203

msgstr ""

8913

9204

8914

#: serverguide/C/network-auth.xml:1047(command)

9205

#: serverguide/C/network-auth.xml:1383(command)

8915

9206

msgid "sudo chmod g+r /etc/ssl/private/ldap01_slapd_key.pem"

8916

9207

msgstr ""

8917

9208

8918

#: serverguide/C/network-auth.xml:1051(para)

8919

msgid "If the <filename role=\"directory\">/etc/ssl/private</filename> and <filename>/etc/ssl/private/server.key</filename> have different permissions, adjust the commands appropriately."

8920

msgstr ""

8921

8922

#: serverguide/C/network-auth.xml:1057(para)

8923

msgid "Finally, restart <application>slapd</application>:"

8924

msgstr ""

8925

8926

#: serverguide/C/network-auth.xml:1065(para)

8927

msgid "The <application>slapd</application> daemon should now be listening for LDAPS connections and be able to use STARTTLS during authentication."

8928

msgstr ""

8929

8930

#: serverguide/C/network-auth.xml:1071(para)

8931

msgid "If you run into troubles with the server not starting, check the /var/log/syslog. If you see errors like main: TLS init def ctx failed: -1, it is likely there is a configuration problem. Check that the certificate is signed by the authority from in the files configured, and that the ssl-cert group has read permissions on the private key."

8932

msgstr ""

8933

8934

#: serverguide/C/network-auth.xml:1083(title)

8935

msgid "TLS Replication"

8936

msgstr ""

8937

8938

#: serverguide/C/network-auth.xml:1085(para)

8939

msgid "If you have setup <application>Syncrepl</application> between servers, it is prudent to encrypt the replication traffic using <emphasis>Transport Layer Security (TLS)</emphasis>. For details on setting up replication see <xref linkend=\"openldap-server-replication\"/>."

8940

msgstr ""

8941

8942

#: serverguide/C/network-auth.xml:1091(para)

8943

msgid "Assuming you have followed the above instructions and created a CA certificate and server certificate on the <emphasis>Provider</emphasis> server. Follow the following instructions to create a certificate and key for the <emphasis>Consumer</emphasis> server."

8944

msgstr ""

8945

8946

#: serverguide/C/network-auth.xml:1100(para)

8947

msgid "Create a new key for the Consumer server:"

8948

msgstr ""

8949

8950

#: serverguide/C/network-auth.xml:1105(command)

9209

#: serverguide/C/network-auth.xml:1384(command)

9210

msgid "sudo chmod o-r /etc/ssl/private/ldap01_slapd_key.pem"

9211

msgstr ""

9212

9213

#: serverguide/C/network-auth.xml:1387(para)

9214

msgid "Restart OpenLDAP:"

9215

msgstr ""

9216

9217

#: serverguide/C/network-auth.xml:1395(para)

9218

msgid "Check your host's logs (/var/log/syslog) to see if the server has started properly."

9219

msgstr ""

9220

9221

#: serverguide/C/network-auth.xml:1402(title)

9222

msgid "Replication and TLS"

9223

msgstr ""

9224

9225

#: serverguide/C/network-auth.xml:1404(para)

9226

msgid "If you have set up replication between servers, it is common practice to encrypt (StartTLS) the replication traffic to prevent evesdropping. This is distinct from using encryption with authentication as we did above. In this section we will build on that TLS-authentication work."

9227

msgstr ""

9228

9229

#: serverguide/C/network-auth.xml:1410(para)

9230

msgid "The assumption here is that you have set up replication between Provider and Consumer according to <xref linkend=\"openldap-server-replication\"/> and have configured TLS for authentication on the Provider by following <xref linkend=\"openldap-tls\"/>."

9231

msgstr ""

9232

9233

#: serverguide/C/network-auth.xml:1415(para)

9234

msgid "As previously stated, the objective (for us) with replication is high availablity for the LDAP service. Since we have TLS for authentication on the Provider we will require the same on the Consumer. In addition to this, however, we want to encrypt replication traffic. What remains to be done is to create a key and certificate for the Consumer and then configure accordingly. We will generate the key/certificate on the Provider, to avoid having to create another CA certificate, and then transfer the necessary material over to the Consumer."

9235

msgstr ""

9236

9237

#: serverguide/C/network-auth.xml:1426(para) serverguide/C/network-auth.xml:1583(para)

9238

msgid "On the Provider,"

9239

msgstr ""

9240

9241

#: serverguide/C/network-auth.xml:1430(para)

9242

msgid "Create a holding directory (which will be used for the eventual transfer) and then the Consumer's private key:"

9243

msgstr ""

9244

9245

#: serverguide/C/network-auth.xml:1435(command)

8951

9246

msgid "mkdir ldap02-ssl"

8952

9247

msgstr ""

8953

9248

8954

#: serverguide/C/network-auth.xml:1106(command)

9249

#: serverguide/C/network-auth.xml:1436(command)

8955

9250

msgid "cd ldap02-ssl"

8956

9251

msgstr ""

8957

9252

8958

#: serverguide/C/network-auth.xml:1107(command)

8959

msgid "certtool --generate-privkey > ldap02_slapd_key.pem"

8960

msgstr ""

8961

8962

#: serverguide/C/network-auth.xml:1111(para)

8963

msgid "Creating a new directory is not strictly necessary, but it will help keep things organized and make it easier to copy the files to the Consumer server."

8964

msgstr ""

8965

8966

#: serverguide/C/network-auth.xml:1120(para)

8967

msgid "Next, create an info file, <filename>ldap02.info</filename> for the Consumer server, changing the attributes to match your locality and server:"

8968

msgstr ""

8969

8970

#: serverguide/C/network-auth.xml:1125(programlisting)

9253

#: serverguide/C/network-auth.xml:1437(command)

9254

msgid "sudo certtool --generate-privkey \\ --bits 1024 \\ --outfile ldap02_slapd_key.pem"

9255

msgstr ""

9256

9257

#: serverguide/C/network-auth.xml:1442(para)

9258

msgid "Create an info file, <filename>ldap02.info</filename>, for the Consumer server, adjusting it's values accordingly:"

9259

msgstr ""

9260

9261

#: serverguide/C/network-auth.xml:1446(programlisting)

8971

9262

#, no-wrap

8972

msgid "\ncountry = US\nstate = North Carolina\nlocality = Winston-Salem\norganization = Example Company\ncn = ldap02.salem.edu\ntls_www_client\nencryption_key\nsigning_key\n"

8973

msgstr ""

8974

8975

#: serverguide/C/network-auth.xml:1139(para)

8976

msgid "Create the certificate:"

8977

msgstr ""

8978

8979

#: serverguide/C/network-auth.xml:1144(command)

8980

msgid "sudo certtool --generate-certificate --load-privkey ldap02_slapd_key.pem \\ --load-ca-certificate /etc/ssl/certs/cacert.pem --load-ca-privkey /etc/ssl/private/cakey.pem \\ --template ldap02.info --outfile ldap02_slapd_cert.pem"

8981

msgstr ""

8982

8983

#: serverguide/C/network-auth.xml:1152(para)

8984

msgid "Copy the <filename>cacert.pem</filename> to the directory:"

8985

msgstr ""

8986

8987

#: serverguide/C/network-auth.xml:1157(command)

9263

msgid "\norganization = Example Company\ncn = ldap02.example.com\ntls_www_server\nencryption_key\nsigning_key\nexpiration_days = 3650\n"

9264

msgstr ""

9265

9266

#: serverguide/C/network-auth.xml:1455(para)

9267

msgid "Create the Consumer's certificate:"

9268

msgstr ""

9269

9270

#: serverguide/C/network-auth.xml:1460(command)

9271

msgid "sudo certtool --generate-certificate \\ --load-privkey ldap02_slapd_key.pem \\ --load-ca-certificate /etc/ssl/certs/cacert.pem \\ --load-ca-privkey /etc/ssl/private/cakey.pem \\ --template ldap02.info \\ --outfile ldap02_slapd_cert.pem"

9272

msgstr ""

9273

9274

#: serverguide/C/network-auth.xml:1468(para)

9275

msgid "Get a copy of the CA certificate:"

9276

msgstr ""

9277

9278

#: serverguide/C/network-auth.xml:1473(command)

8988

9279

msgid "cp /etc/ssl/certs/cacert.pem ."

8989

9280

msgstr ""

8990

9281

8991

#: serverguide/C/network-auth.xml:1163(para)

8992

msgid "The only thing left is to copy the <filename>ldap02-ssl</filename> directory to the Consumer server, then copy <filename>ldap02_slapd_cert.pem</filename> and <filename>cacert.pem</filename> to <filename>/etc/ssl/certs</filename>, and copy <filename>ldap02_slapd_key.pem</filename> to <filename>/etc/ssl/private</filename>."

8993

msgstr ""

8994

8995

#: serverguide/C/network-auth.xml:1172(para)

8996

msgid "Once the files are in place adjust the <emphasis>cn=config</emphasis> tree by entering:"

8997

msgstr ""

8998

8999

#: serverguide/C/network-auth.xml:1182(userinput)

9000

#, no-wrap

9001

msgid "dn: cn=config\nadd: olcTLSCACertificateFile\nolcTLSCACertificateFile: /etc/ssl/certs/cacert.pem\n-\nadd: olcTLSCertificateFile\nolcTLSCertificateFile: /etc/ssl/certs/ldap02_slapd_cert.pem\n-\nadd: olcTLSCertificateKeyFile\nolcTLSCertificateKeyFile: /etc/ssl/private/ldap02_slapd_key.pem"

9002

msgstr ""

9003

9004

#: serverguide/C/network-auth.xml:1199(para)

9005

msgid "As with the Provider you can now edit <filename>/etc/default/slapd</filename> and add the <emphasis>ldaps:///</emphasis> parameter to the <emphasis>SLAPD_SERVICES</emphasis> option."

9006

msgstr ""

9007

9008

#: serverguide/C/network-auth.xml:1207(para)

9009

msgid "Now that <emphasis>TLS</emphasis> has been setup on each server, once again modify the <emphasis>Consumer</emphasis> server's <emphasis>cn=config</emphasis> tree by entering the following in a terminal:"

9010

msgstr ""

9011

9012

#: serverguide/C/network-auth.xml:1220(userinput)

9013

#, no-wrap

9014

msgid "\ndn: olcDatabase={1}hdb,cn=config\nreplace: olcSyncrepl\nolcSyncrepl: {0}rid=0 provider=ldap://ldap01.example.com bindmethod=simple binddn=\"cn=ad\n min,dc=example,dc=com\" credentials=secret searchbase=\"dc=example,dc=com\" logbas\n e=\"cn=accesslog\" logfilter=\"(&(objectClass=auditWriteObject)(reqResult=0))\" s\n chemachecking=on type=refreshAndPersist retry=\"60 +\" syncdata=accesslog starttls=yes"

9015

msgstr ""

9016

9017

#: serverguide/C/network-auth.xml:1217(computeroutput)

9018

#, no-wrap

9019

msgid "SASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\n<placeholder-1/>\n\nmodifying entry \"olcDatabase={1}hdb,cn=config\"\n"

9020

msgstr ""

9021

9022

#: serverguide/C/network-auth.xml:1232(para)

9023

msgid "If the LDAP server hostname does not match the Fully Qualified Domain Name (FQDN) in the certificate, you may have to edit <filename>/etc/ldap/ldap.conf</filename> and add the following TLS options:"

9024

msgstr ""

9025

9026

#: serverguide/C/network-auth.xml:1237(programlisting)

9027

#, no-wrap

9028

msgid "\nTLS_CERT /etc/ssl/certs/ldap02_slapd_cert.pem\nTLS_KEY /etc/ssl/private/ldap02_slapd_key.pem\nTLS_CACERT /etc/ssl/certs/cacert.pem\n"

9029

msgstr ""

9030

9031

#: serverguide/C/network-auth.xml:1244(para)

9032

msgid "Finally, restart <application>slapd</application> on each of the servers:"

9033

msgstr ""

9034

9035

#: serverguide/C/network-auth.xml:1257(title)

9282

#: serverguide/C/network-auth.xml:1476(para)

9283

msgid "We're done. Now transfer the <filename>ldap02-ssl</filename> directory to the Consumer. Here we use scp (adjust accordingly):"

9284

msgstr ""

9285

9286

#: serverguide/C/network-auth.xml:1481(command)

9287

msgid "cd .."

9288

msgstr ""

9289

9290

#: serverguide/C/network-auth.xml:1482(command)

9291

msgid "scp -r ldap02-ssl user@consumer:"

9292

msgstr ""

9293

9294

#: serverguide/C/network-auth.xml:1488(para) serverguide/C/network-auth.xml:1536(para)

9295

msgid "On the Consumer,"

9296

msgstr ""

9297

9298

#: serverguide/C/network-auth.xml:1492(para)

9299

msgid "Configure TLS authentication:"

9300

msgstr ""

9301

9302

#: serverguide/C/network-auth.xml:1497(command)

9303

msgid "sudo apt-get install ssl-cert"

9304

msgstr ""

9305

9306

#: serverguide/C/network-auth.xml:1499(command)

9307

msgid "sudo cp ldap02_slapd_cert.pem cacert.pem /etc/ssl/certs"

9308

msgstr ""

9309

9310

#: serverguide/C/network-auth.xml:1500(command)

9311

msgid "sudo cp ldap02_slapd_key.pem /etc/ssl/private"

9312

msgstr ""

9313

9314

#: serverguide/C/network-auth.xml:1501(command)

9315

msgid "sudo chgrp ssl-cert /etc/ssl/private/ldap02_slapd_key.pem"

9316

msgstr ""

9317

9318

#: serverguide/C/network-auth.xml:1502(command)

9319

msgid "sudo chmod g+r /etc/ssl/private/ldap02_slapd_key.pem"

9320

msgstr ""

9321

9322

#: serverguide/C/network-auth.xml:1503(command)

9323

msgid "sudo chmod o-r /etc/ssl/private/ldap02_slapd_key.pem"

9324

msgstr ""

9325

9326

#: serverguide/C/network-auth.xml:1506(para)

9327

msgid "Create the file <filename>/etc/ssl/certinfo.ldif</filename> with the following contents (adjust accordingly):"

9328

msgstr ""

9329

9330

#: serverguide/C/network-auth.xml:1510(programlisting)

9331

#, no-wrap

9332

msgid "\ndn: cn=config\nadd: olcTLSCACertificateFile\nolcTLSCACertificateFile: /etc/ssl/certs/cacert.pem\n-\nadd: olcTLSCertificateFile\nolcTLSCertificateFile: /etc/ssl/certs/ldap02_slapd_cert.pem\n-\nadd: olcTLSCertificateKeyFile\nolcTLSCertificateKeyFile: /etc/ssl/private/ldap02_slapd_key.pem\n"

9333

msgstr ""

9334

9335

#: serverguide/C/network-auth.xml:1522(para)

9336

msgid "Configure the slapd-config database:"

9337

msgstr ""

9338

9339

#: serverguide/C/network-auth.xml:1527(command)

9340

msgid "sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f certinfo.ldif"

9341

msgstr ""

9342

9343

#: serverguide/C/network-auth.xml:1530(para)

9344

msgid "Configure <filename>/etc/default/slapd</filename> as on the Provider (SLAPD_SERVICES)."

9345

msgstr ""

9346

9347

#: serverguide/C/network-auth.xml:1540(para)

9348

msgid "Configure TLS for Consumer-side replication. Modify the existing <emphasis>olcSyncrepl</emphasis> attribute by tacking on some TLS options. In so doing, we will see, for the first time, how to change an attribute's value(s)."

9349

msgstr ""

9350

9351

#: serverguide/C/network-auth.xml:1545(para)

9352

msgid "Create the file <filename>consumer_sync_tls.ldif</filename> with the following contents:"

9353

msgstr ""

9354

9355

#: serverguide/C/network-auth.xml:1549(programlisting)

9356

#, no-wrap

9357

msgid "\ndn: olcDatabase={1}hdb,cn=config\nreplace: olcSyncRepl\nolcSyncRepl: rid=0 provider=ldap://ldap01.example.com bindmethod=simple\n binddn=\"cn=admin,dc=example,dc=com\" credentials=secret searchbase=\"dc=example,dc=com\"\n logbase=\"cn=accesslog\" logfilter=\"(&(objectClass=auditWriteObject)(reqResult=0))\"\n schemachecking=on type=refreshAndPersist retry=\"60 +\" syncdata=accesslog\n <application>starttls=critical tls_reqcert=demand</application>\n"

9358

msgstr ""

9359

9360

#: serverguide/C/network-auth.xml:1559(para)

9361

msgid "The extra options specify, respectively, that the consumer must use StartTLS and that the CA certificate is required to verify the Provider's identity. Also note the LDIF syntax for changing the values of an attribute ('replace')."

9362

msgstr ""

9363

9364

#: serverguide/C/network-auth.xml:1564(para)

9365

msgid "Implement these changes:"

9366

msgstr ""

9367

9368

#: serverguide/C/network-auth.xml:1569(command)

9369

msgid "sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f consumer_sync_tls.ldif"

9370

msgstr ""

9371

9372

#: serverguide/C/network-auth.xml:1572(para)

9373

msgid "And restart slapd:"

9374

msgstr ""

9375

9376

#: serverguide/C/network-auth.xml:1587(para)

9377

msgid "Check to see that a TLS session has been established. In <filename>/var/log/syslog</filename>, providing you have 'conns'-level logging set up, you should see messages similar to:"

9378

msgstr ""

9379

9380

#: serverguide/C/network-auth.xml:1592(programlisting)

9381

#, no-wrap

9382

msgid "\nslapd[3620]: conn=1047 fd=20 ACCEPT from IP=10.153.107.229:57922 (IP=0.0.0.0:389)\nslapd[3620]: conn=1047 op=0 EXT oid=1.3.6.1.4.1.1466.20037\nslapd[3620]: conn=1047 op=0 STARTTLS\nslapd[3620]: conn=1047 op=0 RESULT oid= err=0 text=\nslapd[3620]: conn=1047 fd=20 TLS established tls_ssf=128 ssf=128\nslapd[3620]: conn=1047 op=1 BIND dn=\"cn=admin,dc=example,dc=com\" method=128\nslapd[3620]: conn=1047 op=1 BIND dn=\"cn=admin,dc=example,dc=com\" mech=SIMPLE ssf=0\nslapd[3620]: conn=1047 op=1 RESULT tag=97 err=0 text\n"

9383

msgstr ""

9384

9385

#: serverguide/C/network-auth.xml:1610(title)

9036

9386

msgid "LDAP Authentication"

9037

9387

msgstr ""

9038

9388

9039

#: serverguide/C/network-auth.xml:1259(para)

9040

msgid "Once you have a working LDAP server, the <application>auth-client-config</application> and <application>libnss-ldap</application> packages take the pain out of configuring an Ubuntu client to authenticate using LDAP. To install the packages from, a terminal prompt enter:"

9389

#: serverguide/C/network-auth.xml:1612(para)

9390

msgid "Once you have a working LDAP server, you will need to install libraries on the client that will know how and when to contact it. On Ubuntu, this has been traditionally accomplishd by installing the <application>libnss-ldap</application> package. This package will bring in other tools that will assist you in the configuration step. Install this package now:"

9041

9391

msgstr ""

9042

9392

9043

#: serverguide/C/network-auth.xml:1266(command)

9393

#: serverguide/C/network-auth.xml:1619(command)

9044

9394

msgid "sudo apt-get install libnss-ldap"

9045

9395

msgstr ""

9046

9396

9047

#: serverguide/C/network-auth.xml:1269(para)

9048

msgid "During the install a menu dialog will ask you connection details about your LDAP server."

9049

msgstr ""

9050

9051

#: serverguide/C/network-auth.xml:1273(para)

9052

msgid "If you make a mistake when entering your information you can execute the dialog again using:"

9053

msgstr ""

9054

9055

#: serverguide/C/network-auth.xml:1278(command)

9397

#: serverguide/C/network-auth.xml:1622(para)

9398

msgid "You will be prompted for details of your LDAP server. If you make a mistake you can try again using:"

9399

msgstr ""

9400

9401

#: serverguide/C/network-auth.xml:1627(command)

9056

9402

msgid "sudo dpkg-reconfigure ldap-auth-config"

9057

9403

msgstr ""

9058

9404

9059

#: serverguide/C/network-auth.xml:1281(para)

9405

#: serverguide/C/network-auth.xml:1630(para)

9060

9406

msgid "The results of the dialog can be seen in <filename>/etc/ldap.conf</filename>. If your server requires options not covered in the menu edit this file accordingly."

9061

9407

msgstr ""

9062

9408

9063

#: serverguide/C/network-auth.xml:1286(para)

9064

msgid "Now that <application>libnss-ldap</application> is configured enable the <application>auth-client-config</application> LDAP profile by entering:"

9409

#: serverguide/C/network-auth.xml:1635(para)

9410

msgid "Now configure the LDAP profile for NSS:"

9065

9411

msgstr ""

9066

9412

9067

#: serverguide/C/network-auth.xml:1292(command)

9413

#: serverguide/C/network-auth.xml:1640(command)

9068

9414

msgid "sudo auth-client-config -t nss -p lac_ldap"

9069

9415

msgstr ""

9070

9416

9071

#: serverguide/C/network-auth.xml:1297(para)

9072

msgid "<emphasis>-t:</emphasis> only modifies <filename>/etc/nsswitch.conf</filename>."

9073

msgstr ""

9074

9075

#: serverguide/C/network-auth.xml:1302(para)

9076

msgid "<emphasis>-p:</emphasis> name of the profile to enable, disable, etc."

9077

msgstr ""

9078

9079

#: serverguide/C/network-auth.xml:1307(para)

9080

msgid "<emphasis>lac_ldap:</emphasis> the <application>auth-client-config</application> profile that is part of the <application>ldap-auth-config</application> package."

9081

msgstr ""

9082

9083

#: serverguide/C/network-auth.xml:1314(para)

9084

msgid "Using the <application>pam-auth-update</application> utility, configure the system to use LDAP for authentication:"

9085

msgstr ""

9086

9087

#: serverguide/C/network-auth.xml:1319(command)

9417

#: serverguide/C/network-auth.xml:1643(para)

9418

msgid "Configure the system to use LDAP for authentication:"

9419

msgstr ""

9420

9421

#: serverguide/C/network-auth.xml:1648(command)

9088

9422

msgid "sudo pam-auth-update"

9089

9423

msgstr ""

9090

9424

9091

#: serverguide/C/network-auth.xml:1322(para)

9092

msgid "From the <application>pam-auth-update</application> menu, choose LDAP and any other authentication mechanisms you need."

9093

msgstr ""

9094

9095

#: serverguide/C/network-auth.xml:1326(para)

9096

msgid "You should now be able to login using user credentials stored in the LDAP directory."

9097

msgstr ""

9098

9099

#: serverguide/C/network-auth.xml:1331(para)

9100

msgid "If you are going to use LDAP to store Samba users you will need to configure the server to authenticate using LDAP. See <xref linkend=\"samba-ldap\"/> for details."

9101

msgstr ""

9102

9103

#: serverguide/C/network-auth.xml:1339(title)

9425

#: serverguide/C/network-auth.xml:1651(para)

9426

msgid "From the menu, choose LDAP and any other authentication mechanisms you need."

9427

msgstr ""

9428

9429

#: serverguide/C/network-auth.xml:1655(para)

9430

msgid "You should now be able to log in using LDAP-based credentials."

9431

msgstr ""

9432

9433

#: serverguide/C/network-auth.xml:1659(para)

9434

msgid "LDAP clients will need to refer to multiple servers if replication is in use. In <filename>/etc/ldap.conf</filename> you would have something like:"

9435

msgstr ""

9436

9437

#: serverguide/C/network-auth.xml:1664(programlisting)

9438

#, no-wrap

9439

msgid "\nuri ldap://ldap01.example.com ldap://ldap02.example.com\n"

9440

msgstr ""

9441

9442

#: serverguide/C/network-auth.xml:1668(para)

9443

msgid "The request will time out and the Consumer (ldap02) will attempt to be reached if the Provider (ldap01) becomes unresponsive."

9444

msgstr ""

9445

9446

#: serverguide/C/network-auth.xml:1672(para)

9447

msgid "If you are going to use LDAP to store Samba users you will need to configure the Samba server to authenticate using LDAP. See <xref linkend=\"samba-ldap\"/> for details."

9448

msgstr ""

9449

9450

#: serverguide/C/network-auth.xml:1678(para)

9451

msgid "An alternative to the <application>libnss-ldap</application> package is the <application>libnss-ldapd</application> package. This, however, will bring in the <application>nscd</application> package which is problably not wanted. Simply remove it afterwards."

9452

msgstr ""

9453

9454

#: serverguide/C/network-auth.xml:1688(title)

9104

9455

msgid "User and Group Management"

9105

9456

msgstr ""

9106

9457

9107

#: serverguide/C/network-auth.xml:1341(para)

9108

msgid "The <application>ldap-utils</application> package comes with multiple utilities to manage the directory, but the long string of options needed, can make them a burden to use. The <application>ldapscripts</application> package contains configurable scripts to easily manage LDAP users and groups."

9109

msgstr ""

9110

9111

#: serverguide/C/network-auth.xml:1347(para)

9112

msgid "To install the package, from a terminal enter:"

9113

msgstr ""

9114

9115

#: serverguide/C/network-auth.xml:1352(command)

9458

#: serverguide/C/network-auth.xml:1690(para)

9459

msgid "The <application>ldap-utils</application> package comes with enough utilities to manage the directory but the long string of options needed can make them a burden to use. The <application>ldapscripts</application> package contains wrapper scripts to these utilities that some people find easier to use."

9460

msgstr ""

9461

9462

#: serverguide/C/network-auth.xml:1696(para)

9463

msgid "Install the package:"

9464

msgstr ""

9465

9466

#: serverguide/C/network-auth.xml:1701(command)

9116

9467

msgid "sudo apt-get install ldapscripts"

9117

9468

msgstr ""

9118

9469

9119

#: serverguide/C/network-auth.xml:1355(para)

9120

msgid "Next, edit the config file <filename>/etc/ldapscripts/ldapscripts.conf</filename> uncommenting and changing the following to match your environment:"

9470

#: serverguide/C/network-auth.xml:1704(para)

9471

msgid "Then edit the file <filename>/etc/ldapscripts/ldapscripts.conf</filename> to arrive at something similar to the following:"

9121

9472

msgstr ""

9122

9473

9123

#: serverguide/C/network-auth.xml:1360(programlisting)

9474

#: serverguide/C/network-auth.xml:1708(programlisting)

9124

9475

#, no-wrap

9125

9476

msgid "\nSERVER=localhost\nBINDDN='cn=admin,dc=example,dc=com'\nBINDPWDFILE=\"/etc/ldapscripts/ldapscripts.passwd\"\nSUFFIX='dc=example,dc=com'\nGSUFFIX='ou=Groups'\nUSUFFIX='ou=People'\nMSUFFIX='ou=Computers'\nGIDSTART=10000\nUIDSTART=10000\nMIDSTART=10000\n"

9126

9477

msgstr ""

9127

9478

9128

#: serverguide/C/network-auth.xml:1373(para)

9129

msgid "Now, create the <filename>ldapscripts.passwd</filename> file to allow authenticated access to the directory:"

9479

#: serverguide/C/network-auth.xml:1721(para)

9480

msgid "Now, create the <filename>ldapscripts.passwd</filename> file to allow rootDN access to the directory:"

9130

9481

msgstr ""

9131

9482

9132

#: serverguide/C/network-auth.xml:1378(command)

9483

#: serverguide/C/network-auth.xml:1726(command)

9133

9484

msgid "sudo sh -c \"echo -n 'secret' > /etc/ldapscripts/ldapscripts.passwd\""

9134

9485

msgstr ""

9135

9486

9136

#: serverguide/C/network-auth.xml:1379(command)

9487

#: serverguide/C/network-auth.xml:1727(command)

9137

9488

msgid "sudo chmod 400 /etc/ldapscripts/ldapscripts.passwd"

9138

9489

msgstr ""

9139

9490

9140

#: serverguide/C/network-auth.xml:1383(para)

9141

msgid "Replace <quote>secret</quote> with the actual password for your LDAP admin user."

9142

msgstr ""

9143

9144

#: serverguide/C/network-auth.xml:1388(para)

9145

msgid "The <application>ldapscripts</application> are now ready to help manage your directory. The following are some examples of how to use the scripts:"

9146

msgstr ""

9147

9148

#: serverguide/C/network-auth.xml:1395(para)

9491

#: serverguide/C/network-auth.xml:1731(para)

9492

msgid "Replace <quote>secret</quote> with the actual password for your database's rootDN user."

9493

msgstr ""

9494

9495

#: serverguide/C/network-auth.xml:1736(para)

9496

msgid "The scripts are now ready to help manage your directory. Here are some examples of how to use them:"

9497

msgstr ""

9498

9499

#: serverguide/C/network-auth.xml:1743(para)

9149

9500

msgid "Create a new user:"

9150

9501

msgstr ""

9151

9502

9152

#: serverguide/C/network-auth.xml:1399(command)

9503

#: serverguide/C/network-auth.xml:1748(command)

9153

9504

msgid "sudo ldapadduser george example"

9154

9505

msgstr ""

9155

9506

9156

#: serverguide/C/network-auth.xml:1401(para)

9507

#: serverguide/C/network-auth.xml:1751(para)

9157

9508

msgid "This will create a user with uid <emphasis role=\"italic\">george</emphasis> and set the user's primary group (gid) to <emphasis role=\"italic\">example</emphasis>"

9158

9509

msgstr ""

9159

9510

9160

#: serverguide/C/network-auth.xml:1407(para)

9511

#: serverguide/C/network-auth.xml:1758(para)

9161

9512

msgid "Change a user's password:"

9162

9513

msgstr ""

9163

9514

9164

#: serverguide/C/network-auth.xml:1411(command)

9515

#: serverguide/C/network-auth.xml:1763(command)

9165

9516

msgid "sudo ldapsetpasswd george"

9166

9517

msgstr ""

9167

9518

9168

#: serverguide/C/network-auth.xml:1412(computeroutput)

9519

#: serverguide/C/network-auth.xml:1764(computeroutput)

9169

9520

#, no-wrap

9170

9521

msgid "Changing password for user uid=george,ou=People,dc=example,dc=com"

9171

9522

msgstr ""

9172

9523

9173

#: serverguide/C/network-auth.xml:1413(userinput)

9524

#: serverguide/C/network-auth.xml:1765(userinput)

9174

9525

#, no-wrap

9175

9526

msgid "New Password: "

9176

9527

msgstr ""

9177

9528

9178

#: serverguide/C/network-auth.xml:1414(userinput)

9529

#: serverguide/C/network-auth.xml:1766(userinput)

9179

9530

#, no-wrap

9180

9531

msgid "New Password (verify): "

9181

9532

msgstr ""

9182

9533

9183

#: serverguide/C/network-auth.xml:1418(para)

9534

#: serverguide/C/network-auth.xml:1772(para)

9184

9535

msgid "Delete a user:"

9185

9536

msgstr ""

9186

9537

9187

#: serverguide/C/network-auth.xml:1422(command)

9538

#: serverguide/C/network-auth.xml:1777(command)

9188

9539

msgid "sudo ldapdeleteuser george"

9189

9540

msgstr ""

9190

9541

9191

#: serverguide/C/network-auth.xml:1427(para)

9542

#: serverguide/C/network-auth.xml:1783(para)

9192

9543

msgid "Add a group:"

9193

9544

msgstr ""

9194

9545

9195

#: serverguide/C/network-auth.xml:1431(command)

9546

#: serverguide/C/network-auth.xml:1788(command)

9196

9547

msgid "sudo ldapaddgroup qa"

9197

9548

msgstr ""

9198

9549

9199

#: serverguide/C/network-auth.xml:1435(para)

9550

#: serverguide/C/network-auth.xml:1794(para)

9200

9551

msgid "Delete a group:"

9201

9552

msgstr ""

9202

9553

9203

#: serverguide/C/network-auth.xml:1439(command)

9554

#: serverguide/C/network-auth.xml:1799(command)

9204

9555

msgid "sudo ldapdeletegroup qa"

9205

9556

msgstr ""

9206

9557

9207

#: serverguide/C/network-auth.xml:1443(para)

9558

#: serverguide/C/network-auth.xml:1805(para)

9208

9559

msgid "Add a user to a group:"

9209

9560

msgstr ""

9210

9561

9211

#: serverguide/C/network-auth.xml:1447(command)

9562

#: serverguide/C/network-auth.xml:1810(command)

9212

9563

msgid "sudo ldapaddusertogroup george qa"

9213

9564

msgstr ""

9214

9565

9215

#: serverguide/C/network-auth.xml:1449(para)

9566

#: serverguide/C/network-auth.xml:1813(para)

9216

9567

msgid "You should now see a <emphasis>memberUid</emphasis> attribute for the <emphasis role=\"italic\">qa</emphasis> group with a value of <emphasis role=\"italic\">george</emphasis>."

9217

9568

msgstr ""

9218

9569

9219

#: serverguide/C/network-auth.xml:1455(para)

9570

#: serverguide/C/network-auth.xml:1820(para)

9220

9571

msgid "Remove a user from a group:"

9221

9572

msgstr ""

9222

9573

9223

#: serverguide/C/network-auth.xml:1459(command)

9574

#: serverguide/C/network-auth.xml:1825(command)

9224

9575

msgid "sudo ldapdeleteuserfromgroup george qa"

9225

9576

msgstr ""

9226

9577

9227

#: serverguide/C/network-auth.xml:1461(para)

9578

#: serverguide/C/network-auth.xml:1828(para)

9228

9579

msgid "The <emphasis>memberUid</emphasis> attribute should now be removed from the <emphasis role=\"italic\">qa</emphasis> group."

9229

9580

msgstr ""

9230

9581

9231

#: serverguide/C/network-auth.xml:1467(para)

9582

#: serverguide/C/network-auth.xml:1835(para)

9232

9583

msgid "The <application>ldapmodifyuser</application> script allows you to add, remove, or replace a user's attributes. The script uses the same syntax as the <application>ldapmodify</application> utility. For example:"

9233

9584

msgstr ""

9234

9585

9235

#: serverguide/C/network-auth.xml:1472(command)

9586

#: serverguide/C/network-auth.xml:1841(command)

9236

9587

msgid "sudo ldapmodifyuser george"

9237

9588

msgstr ""

9238

9589

9239

#: serverguide/C/network-auth.xml:1473(computeroutput)

9590

#: serverguide/C/network-auth.xml:1842(computeroutput)

9240

9591

#, no-wrap

9241

9592

msgid "# About to modify the following entry :\ndn: uid=george,ou=People,dc=example,dc=com\nobjectClass: account\nobjectClass: posixAccount\ncn: george\nuid: george\nuidNumber: 1001\ngidNumber: 1001\nhomeDirectory: /home/george\nloginShell: /bin/bash\ngecos: george\ndescription: User account\nuserPassword:: e1NTSEF9eXFsTFcyWlhwWkF1eGUybVdFWHZKRzJVMjFTSG9vcHk=\n\n# Enter your modifications here, end with CTRL-D.\ndn: uid=george,ou=People,dc=example,dc=com"

9242

9593

msgstr ""

9243

9594

9244

#: serverguide/C/network-auth.xml:1489(userinput)

9595

#: serverguide/C/network-auth.xml:1858(userinput)

9245

9596

#, no-wrap

9246

9597

msgid "replace: gecos\ngecos: George Carlin"

9247

9598

msgstr ""

9248

9599

9249

#: serverguide/C/network-auth.xml:1492(para)

9600

#: serverguide/C/network-auth.xml:1862(para)

9250

9601

msgid "The user's <emphasis>gecos</emphasis> should now be <quote>George Carlin</quote>."

9251

9602

msgstr ""

9252

9603

9253

#: serverguide/C/network-auth.xml:1497(para)

9254

msgid "Another great feature of <application>ldapscripts</application>, is the template system. Templates allow you to customize the attributes of user, group, and machine objectes. For example, to enable the <emphasis>user</emphasis> template edit <filename>/etc/ldapscripts/ldapscripts.conf</filename> changing:"

9604

#: serverguide/C/network-auth.xml:1868(para)

9605

msgid "A nice feature of <application>ldapscripts</application> is the template system. Templates allow you to customize the attributes of user, group, and machine objectes. For example, to enable the <emphasis>user</emphasis> template edit <filename>/etc/ldapscripts/ldapscripts.conf</filename> changing:"

9255

9606

msgstr ""

9256

9607

9257

#: serverguide/C/network-auth.xml:1504(programlisting)

9608

#: serverguide/C/network-auth.xml:1874(programlisting)

9258

9609

#, no-wrap

9259

9610

msgid "\nUTEMPLATE=\"/etc/ldapscripts/ldapadduser.template\"\n"

9260

9611

msgstr ""

9261

9612

9262

#: serverguide/C/network-auth.xml:1508(para)

9613

#: serverguide/C/network-auth.xml:1878(para)

9263

9614

msgid "There are <emphasis role=\"italic\">sample</emphasis> templates in the <filename>/etc/ldapscripts</filename> directory. Copy or rename the <filename>ldapadduser.template.sample</filename> file to <filename>/etc/ldapscripts/ldapadduser.template</filename>:"

9264

9615

msgstr ""

9265

9616

9266

#: serverguide/C/network-auth.xml:1515(command)

9267

msgid "sudo cp /usr/share/doc/ldapscripts/examples/ldapadduser.template.sample /etc/ldapscripts/ldapadduser.template"

9268

msgstr ""

9269

9270

#: serverguide/C/network-auth.xml:1518(para)

9271

msgid "Edit the new template to add the desired attributes. The following will create new user's as with an <emphasis>objectClass</emphasis> of <emphasis>inetOrgPerson</emphasis>:"

9272

msgstr ""

9273

9274

#: serverguide/C/network-auth.xml:1523(programlisting)

9617

#: serverguide/C/network-auth.xml:1885(command)

9618

msgid "sudo cp /usr/share/doc/ldapscripts/examples/ldapadduser.template.sample \\ /etc/ldapscripts/ldapadduser.template"

9619

msgstr ""

9620

9621

#: serverguide/C/network-auth.xml:1889(para)

9622

msgid "Edit the new template to add the desired attributes. The following will create new users with an objectClass of inetOrgPerson:"

9623

msgstr ""

9624

9625

#: serverguide/C/network-auth.xml:1894(programlisting)

9275

9626

#, no-wrap

9276

9627

msgid "\ndn: uid=<user>,<usuffix>,<suffix>\nobjectClass: inetOrgPerson\nobjectClass: posixAccount\ncn: <user>\nsn: <ask>\nuid: <user>\nuidNumber: <uid>\ngidNumber: <gid>\nhomeDirectory: <home>\nloginShell: <shell>\ngecos: <user>\ndescription: User account\ntitle: Employee\n"

9277

9628

msgstr ""

9278

9629

9279

#: serverguide/C/network-auth.xml:1539(para)

9280

msgid "Notice the <emphasis><ask></emphasis> option used for the <emphasis>ssn</emphasis> value. Using <ask> will configure <application>ldapadduser</application> to prompt you for the attribute value during user creation."

9281

msgstr ""

9282

9283

#: serverguide/C/network-auth.xml:1547(para)

9284

msgid "There are more useful scripts in the package, to see a full list enter: <command>dpkg -L ldapscripts | grep bin</command>"

9285

msgstr ""

9286

9287

#: serverguide/C/network-auth.xml:1556(para)

9288

msgid "The <ulink url=\"https://help.ubuntu.com/community/OpenLDAPServer\">OpenLDAP Ubuntu Wiki</ulink> page has more details."

9289

msgstr ""

9290

9291

#: serverguide/C/network-auth.xml:1561(para)

9292

msgid "For more information see <ulink url=\"http://www.openldap.org/\">OpenLDAP Home Page</ulink>"

9293

msgstr ""

9294

9295

#: serverguide/C/network-auth.xml:1566(para)

9296

msgid "Though starting to show it's age, a great source for in depth LDAP information is O'Reilly's <ulink url=\"http://www.oreilly.com/catalog/ldapsa/\">LDAP System Administration</ulink>"

9297

msgstr ""

9298

9299

#: serverguide/C/network-auth.xml:1572(para)

9300

msgid "Packt's <ulink url=\"http://www.packtpub.com/OpenLDAP-Developers-Server-Open-Source-Linux/book\">Mastering OpenLDAP</ulink> is a great reference covering newer versions of OpenLDAP."

9301

msgstr ""

9302

9303

#: serverguide/C/network-auth.xml:1578(para)

9304

msgid "For more information on <application>auth-client-config</application> see the man page: <command>man auth-client-config</command>."

9305

msgstr ""

9306

9307

#: serverguide/C/network-auth.xml:1583(para)

9308

msgid "For more details regarding the <application>ldapscripts</application> package see the man pages: <command>man ldapscripts</command>, <command>man ldapadduser</command>, <command>man ldapaddgroup</command>, etc."

9309

msgstr ""

9310

9311

#: serverguide/C/network-auth.xml:1593(title)

9630

#: serverguide/C/network-auth.xml:1910(para)

9631

msgid "Notice the <emphasis><ask></emphasis> option used for the <emphasis>sn</emphasis> attribute. This will make <application>ldapadduser</application> prompt you for it's value."

9632

msgstr ""

9633

9634

#: serverguide/C/network-auth.xml:1918(para)

9635

msgid "There are utilities in the package that were not covered here. Here is a complete list:"

9636

msgstr ""

9637

9638

#: serverguide/C/network-auth.xml:1923(ulink)

9639

msgid "ldaprenamemachine"

9640

msgstr ""

9641

9642

#: serverguide/C/network-auth.xml:1924(ulink)

9643

msgid "ldapadduser"

9644

msgstr ""

9645

9646

#: serverguide/C/network-auth.xml:1925(ulink)

9647

msgid "ldapdeleteuserfromgroup"

9648

msgstr ""

9649

9650

#: serverguide/C/network-auth.xml:1926(ulink)

9651

msgid "ldapfinger"

9652

msgstr ""

9653

9654

#: serverguide/C/network-auth.xml:1927(ulink)

9655

msgid "ldapid"

9656

msgstr ""

9657

9658

#: serverguide/C/network-auth.xml:1928(ulink)

9659

msgid "ldapgid"

9660

msgstr ""

9661

9662

#: serverguide/C/network-auth.xml:1929(ulink)

9663

msgid "ldapmodifyuser"

9664

msgstr ""

9665

9666

#: serverguide/C/network-auth.xml:1930(ulink)

9667

msgid "ldaprenameuser"

9668

msgstr ""

9669

9670

#: serverguide/C/network-auth.xml:1931(ulink)

9671

msgid "lsldap"

9672

msgstr ""

9673

9674

#: serverguide/C/network-auth.xml:1932(ulink)

9675

msgid "ldapaddusertogroup"

9676

msgstr ""

9677

9678

#: serverguide/C/network-auth.xml:1933(ulink)

9679

msgid "ldapsetpasswd"

9680

msgstr ""

9681

9682

#: serverguide/C/network-auth.xml:1934(ulink)

9683

msgid "ldapinit"

9684

msgstr ""

9685

9686

#: serverguide/C/network-auth.xml:1935(ulink)

9687

msgid "ldapaddgroup"

9688

msgstr ""

9689

9690

#: serverguide/C/network-auth.xml:1936(ulink)

9691

msgid "ldapdeletegroup"

9692

msgstr ""

9693

9694

#: serverguide/C/network-auth.xml:1937(ulink)

9695

msgid "ldapmodifygroup"

9696

msgstr ""

9697

9698

#: serverguide/C/network-auth.xml:1938(ulink)

9699

msgid "ldapdeletemachine"

9700

msgstr ""

9701

9702

#: serverguide/C/network-auth.xml:1939(ulink)

9703

msgid "ldaprenamegroup"

9704

msgstr ""

9705

9706

#: serverguide/C/network-auth.xml:1940(ulink)

9707

msgid "ldapaddmachine"

9708

msgstr ""

9709

9710

#: serverguide/C/network-auth.xml:1941(ulink)

9711

msgid "ldapmodifymachine"

9712

msgstr ""

9713

9714

#: serverguide/C/network-auth.xml:1942(ulink)

9715

msgid "ldapsetprimarygroup"

9716

msgstr ""

9717

9718

#: serverguide/C/network-auth.xml:1943(ulink)

9719

msgid "ldapdeleteuser"

9720

msgstr ""

9721

9722

#: serverguide/C/network-auth.xml:1954(para)

9723

msgid "The primary resource is the upstream documentation: <ulink url=\"http://www.openldap.org/\">www.openldap.org</ulink>"

9724

msgstr ""

9725

9726

#: serverguide/C/network-auth.xml:1960(para)

9727

msgid "There are many man pages that come with the slapd package. Here are some important ones, especially considering the material presented in this guide:"

9728

msgstr ""

9729

9730

#: serverguide/C/network-auth.xml:1966(ulink)

9731

msgid "slapd"

9732

msgstr ""

9733

9734

#: serverguide/C/network-auth.xml:1967(ulink)

9735

msgid "slapd-config"

9736

msgstr ""

9737

9738

#: serverguide/C/network-auth.xml:1968(ulink)

9739

msgid "slapd.access"

9740

msgstr ""

9741

9742

#: serverguide/C/network-auth.xml:1969(ulink)

9743

msgid "slapo-syncprov"

9744

msgstr ""

9745

9746

#: serverguide/C/network-auth.xml:1975(para)

9747

msgid "Other man pages:"

9748

msgstr ""

9749

9750

#: serverguide/C/network-auth.xml:1980(ulink)

9751

msgid "auth-client-config"

9752

msgstr ""

9753

9754

#: serverguide/C/network-auth.xml:1981(ulink)

9755

msgid "pam-auth-update"

9756

msgstr ""

9757

9758

#: serverguide/C/network-auth.xml:1987(para)

9759

msgid "Zytrax's <ulink url=\"http://www.zytrax.com/books/ldap/\">LDAP for Rocket Scientists</ulink>; a less pedantic but comprehensive treatment of LDAP"

9760

msgstr ""

9761

9762

#: serverguide/C/network-auth.xml:1993(para)

9763

msgid "A Ubuntu community <ulink url=\"https://help.ubuntu.com/community/OpenLDAPServer\">OpenLDAP wiki</ulink> page has a collection of notes"

9764

msgstr ""

9765

9766

#: serverguide/C/network-auth.xml:1999(para)

9767

msgid "O'Reilly's <ulink url=\"http://www.oreilly.com/catalog/ldapsa/\">LDAP System Administration</ulink> (textbook; 2003)"

9768

msgstr ""

9769

9770

#: serverguide/C/network-auth.xml:2005(para)

9771

msgid "Packt's <ulink url=\"http://www.packtpub.com/OpenLDAP-Developers-Server-Open-Source-Linux/book\">Mastering OpenLDAP</ulink> (textbook; 2007)"

9772

msgstr ""

9773

9774

#: serverguide/C/network-auth.xml:2016(title)

9312

9775

msgid "Samba and LDAP"

9313

9776

msgstr ""

9314

9777

9315

#: serverguide/C/network-auth.xml:1595(para)

9316

msgid "This section covers configuring Samba to use LDAP for user, group, and machine account information and authentication. The assumption is, you already have a working OpenLDAP directory installed and the server is configured to use it for authentication. See <xref linkend=\"openldap-server\"/> and <xref linkend=\"openldap-auth-config\"/> for details on setting up OpenLDAP. For more information on installing and configuring Samba see <xref linkend=\"windows-networking\"/>."

9317

msgstr ""

9318

9319

#: serverguide/C/network-auth.xml:1605(para)

9320

msgid "There are three packages needed when integrating Samba with LDAP. <application>samba</application>, <application>samba-doc</application>, and <application>smbldap-tools</application> packages . To install the packages, from a terminal enter:"

9321

msgstr ""

9322

9323

#: serverguide/C/network-auth.xml:1611(command)

9778

#: serverguide/C/network-auth.xml:2018(para)

9779

msgid "This section covers the integration of Samba with LDAP. The Samba server's role will be that of a \"standalone\" server and the LDAP directory will provide the authentication layer in addition to containing the user, group, and machine account information that Samba requires in order to function (in any of it's 3 possible roles). The pre-requisite is an OpenLDAP server configured with a directory that can accept authentication requests. See <xref linkend=\"openldap-server\"/> for details on fulfilling this requirement. Once this section is completed, you will need to decide what specifically you want Samba to do for you and then configure it accordingly."

9780

msgstr ""

9781

9782

#: serverguide/C/network-auth.xml:2027(title)

9783

msgid "Software Installation"

9784

msgstr ""

9785

9786

#: serverguide/C/network-auth.xml:2029(para)

9787

msgid "There are three packages needed when integrating Samba with LDAP: <application>samba</application>, <application>samba-doc</application>, and <application>smbldap-tools</application> packages."

9788

msgstr ""

9789

9790

#: serverguide/C/network-auth.xml:2034(para)

9791

msgid "Strictly speaking, the <application>smbldap-tools</application> package isn't needed, but unless you have some other way to manage the various Samaba entities (users, groups, computers) in an LDAP context then you should install it."

9792

msgstr ""

9793

9794

#: serverguide/C/network-auth.xml:2039(para)

9795

msgid "Install these packages now:"

9796

msgstr ""

9797

9798

#: serverguide/C/network-auth.xml:2044(command)

9324

9799

msgid "sudo apt-get install samba samba-doc smbldap-tools"

9325

9800

msgstr ""

9326

9801

9327

#: serverguide/C/network-auth.xml:1614(para)

9328

msgid "Strictly speaking the <application>smbldap-tools</application> package isn't needed, but unless you have another package or custom scripts, a method of managing users, groups, and computer accounts is needed."

9329

msgstr ""

9330

9331

#: serverguide/C/network-auth.xml:1621(title)

9332

msgid "OpenLDAP Configuration"

9333

msgstr ""

9334

9335

#: serverguide/C/network-auth.xml:1623(para)

9336

msgid "In order for Samba to use OpenLDAP as a <emphasis>passdb backend</emphasis>, the user objects in the directory will need additional attributes. This section assumes you want Samba to be configured as a Windows NT domain controller, and will add the necessary LDAP objects and attributes."

9337

msgstr ""

9338

9339

#: serverguide/C/network-auth.xml:1631(para)

9340

msgid "The Samba attributes are defined in the <filename>samba.schema</filename> file which is part of the <application>samba-doc</application> package. The schema file needs to be unzipped and copied to <filename>/etc/ldap/schema</filename>. From a terminal prompt enter:"

9341

msgstr ""

9342

9343

#: serverguide/C/network-auth.xml:1638(command)

9344

msgid "sudo cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema/"

9345

msgstr ""

9346

9347

#: serverguide/C/network-auth.xml:1639(command)

9802

#: serverguide/C/network-auth.xml:2050(title)

9803

msgid "LDAP Configuration"

9804

msgstr ""

9805

9806

#: serverguide/C/network-auth.xml:2052(para)

9807

msgid "We will now configure the LDAP server so that it can accomodate Samba data. We will perform three tasks in this section:"

9808

msgstr ""

9809

9810

#: serverguide/C/network-auth.xml:2059(para)

9811

msgid "Import a schema"

9812

msgstr ""

9813

9814

#: serverguide/C/network-auth.xml:2063(para)

9815

msgid "Index some entries"

9816

msgstr ""

9817

9818

#: serverguide/C/network-auth.xml:2067(para)

9819

msgid "Add objects"

9820

msgstr ""

9821

9822

#: serverguide/C/network-auth.xml:2073(title)

9823

msgid "Samba schema"

9824

msgstr ""

9825

9826

#: serverguide/C/network-auth.xml:2075(para)

9827

msgid "In order for OpenLDAP to be used as a backend for Samba, logically, the DIT will need to use attributes that can properly describe Samba data. Such attributes can be obtained by introducing a Samba LDAP schema. Let's do this now."

9828

msgstr ""

9829

9830

#: serverguide/C/network-auth.xml:2081(para)

9831

msgid "For more information on schemas and their installation see <xref linkend=\"openldap-configuration\"/>."

9832

msgstr ""

9833

9834

#: serverguide/C/network-auth.xml:2089(para)

9835

msgid "The schema is found in the now-installed <application>samba-doc</application> package. It needs to be unzipped and copied to the <filename>/etc/ldap/schema</filename> directory:"

9836

msgstr ""

9837

9838

#: serverguide/C/network-auth.xml:2095(command)

9839

msgid "sudo cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema"

9840

msgstr ""

9841

9842

#: serverguide/C/network-auth.xml:2096(command)

9348

9843

msgid "sudo gzip -d /etc/ldap/schema/samba.schema.gz"

9349

9844

msgstr ""

9350

9845

9351

#: serverguide/C/network-auth.xml:1645(para)

9352

msgid "The <emphasis>samba</emphasis> schema needs to be added to the <emphasis>cn=config</emphasis> tree. The procedure to add a new schema to <application>slapd</application> is also detailed in <xref linkend=\"openldap-configuration\"/>."

9353

msgstr ""

9354

9355

#: serverguide/C/network-auth.xml:1653(para) serverguide/C/network-auth.xml:2698(para)

9356

msgid "First, create a configuration file named <filename>schema_convert.conf</filename>, or a similar descriptive name, containing the following lines:"

9357

msgstr ""

9358

9359

#: serverguide/C/network-auth.xml:1658(programlisting)

9360

#, no-wrap

9361

9362

msgstr ""

9363

9364

#: serverguide/C/network-auth.xml:1688(para) serverguide/C/network-auth.xml:2733(para)

9365

msgid "Now use <application>slapcat</application> to convert the schema files:"

9366

msgstr ""

9367

9368

#: serverguide/C/network-auth.xml:1693(command)

9369

msgid "slapcat -f schema_convert.conf -F /tmp/ldif_output -n0 -s \"cn={12}samba,cn=schema,cn=config\" > /tmp/cn=samba.ldif"

9370

msgstr ""

9371

9372

#: serverguide/C/network-auth.xml:1696(para) serverguide/C/network-auth.xml:2741(para)

9373

msgid "Change the above file and path names to match your own if they are different."

9374

msgstr ""

9375

9376

#: serverguide/C/network-auth.xml:1703(para)

9377

msgid "Edit the generated <filename>/tmp/cn\\=samba.ldif</filename> file by removing <emphasis>{XX}</emphasis> at the top of the file, where <emphasis>\"{XX}\"</emphasis> is the index number in curly braces:"

9378

msgstr ""

9379

9380

#: serverguide/C/network-auth.xml:1708(programlisting)

9846

#: serverguide/C/network-auth.xml:2102(para)

9847

msgid "Have the configuration file <filename>schema_convert.conf</filename> that contains the following lines:"

9848

msgstr ""

9849

9850

#: serverguide/C/network-auth.xml:2106(programlisting)

9851

#, no-wrap

9852

9853

msgstr ""

9854

9855

#: serverguide/C/network-auth.xml:2127(para)

9856

msgid "Have the directory <filename>ldif_output</filename> hold output."

9857

msgstr ""

9858

9859

#: serverguide/C/network-auth.xml:2138(command)

9860

msgid "slapcat -f schema_convert.conf -F ldif_output -n 0 | grep samba,cn=schema"

9861

msgstr ""

9862

9863

#: serverguide/C/network-auth.xml:2139(computeroutput)

9864

#, no-wrap

9865

msgid "\ndn: cn={14}samba,cn=schema,cn=config\n"

9866

msgstr ""

9867

9868

#: serverguide/C/network-auth.xml:2147(para)

9869

msgid "Convert the schema to LDIF format:"

9870

msgstr ""

9871

9872

#: serverguide/C/network-auth.xml:2152(command)

9873

msgid "slapcat -f schema_convert.conf -F ldif_output -n0 -H ldap:///cn={14}samba,cn=schema,cn=config -l cn=samba.ldif"

9874

msgstr ""

9875

9876

#: serverguide/C/network-auth.xml:2158(para)

9877

msgid "Edit the generated <filename>cn=samba.ldif</filename> file by removing index information to arrive at:"

9878

msgstr ""

9879

9880

#: serverguide/C/network-auth.xml:2162(programlisting)

9381

9881

#, no-wrap

9382

9882

msgid "\ndn: cn=samba,cn=schema,cn=config\n...\ncn: samba\n"

9383

9883

msgstr ""

9384

9884

9385

#: serverguide/C/network-auth.xml:1718(programlisting)

9885

#: serverguide/C/network-auth.xml:2168(para)

9886

msgid "Remove the bottom lines:"

9887

msgstr ""

9888

9889

#: serverguide/C/network-auth.xml:2172(programlisting)

9386

9890

#, no-wrap

9387

9891

msgid "\nstructuralObjectClass: olcSchemaConfig\nentryUUID: b53b75ca-083f-102d-9fff-2f64fd123c95\ncreatorsName: cn=config\ncreateTimestamp: 20080827045234Z\nentryCSN: 20080827045234.341425Z#000000#000#000000\nmodifiersName: cn=config\nmodifyTimestamp: 20080827045234Z\n"

9388

9892

msgstr ""

9389

9893

9390

#: serverguide/C/network-auth.xml:1743(command)

9391

msgid "ldapadd -x -D cn=admin,cn=config -W -f /tmp/cn\\=samba.ldif"

9392

msgstr ""

9393

9394

#: serverguide/C/network-auth.xml:1746(para)

9395

msgid "If you have not followed <xref linkend=\"openldap-server\"/>, you can add the schema by entering:"

9396

msgstr ""

9397

9398

#: serverguide/C/network-auth.xml:1751(command)

9399

msgid "sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/cn\\=samba.ldif"

9400

msgstr ""

9401

9402

#: serverguide/C/network-auth.xml:1757(para)

9403

msgid "There should now be a <emphasis>dn: cn={X}misc,cn=schema,cn=config</emphasis>, where \"X\" is the next sequential schema, entry in the cn=config tree."

9404

msgstr ""

9405

9406

#: serverguide/C/network-auth.xml:1765(para)

9407

msgid "Copy and paste the following into a file named <filename>samba_indexes.ldif</filename>:"

9408

msgstr ""

9409

9410

#: serverguide/C/network-auth.xml:1769(programlisting)

9894

#: serverguide/C/network-auth.xml:2188(para)

9895

msgid "Add the new schema:"

9896

msgstr ""

9897

9898

#: serverguide/C/network-auth.xml:2193(command)

9899

msgid "sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f cn\\=samba.ldif"

9900

msgstr ""

9901

9902

#: serverguide/C/network-auth.xml:2196(para)

9903

msgid "To query and view this new schema:"

9904

msgstr ""

9905

9906

#: serverguide/C/network-auth.xml:2201(command)

9907

msgid "sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config 'cn=*samba*'"

9908

msgstr ""

9909

9910

#: serverguide/C/network-auth.xml:2211(title)

9911

msgid "Samba indices"

9912

msgstr ""

9913

9914

#: serverguide/C/network-auth.xml:2213(para)

9915

msgid "Now that slapd knows about the Samba attributes, we can set up some indices based on them. Indexing entries is a way to improve performance when a client performs a filtered search on the DIT."

9916

msgstr ""

9917

9918

#: serverguide/C/network-auth.xml:2218(para)

9919

msgid "Create the file <filename>samba_indices.ldif</filename> with the following contents:"

9920

msgstr ""

9921

9922

#: serverguide/C/network-auth.xml:2222(programlisting)

9411

9923

#, no-wrap

9412

9924

msgid "\ndn: olcDatabase={1}hdb,cn=config\nchangetype: modify\nadd: olcDbIndex\nolcDbIndex: uidNumber eq\nolcDbIndex: gidNumber eq\nolcDbIndex: loginShell eq\nolcDbIndex: uid eq,pres,sub\nolcDbIndex: memberUid eq,pres,sub\nolcDbIndex: uniqueMember eq,pres\nolcDbIndex: sambaSID eq\nolcDbIndex: sambaPrimaryGroupSID eq\nolcDbIndex: sambaGroupType eq\nolcDbIndex: sambaSIDList eq\nolcDbIndex: sambaDomainName eq\nolcDbIndex: default sub\n"

9413

9925

msgstr ""

9414

9926

9415

#: serverguide/C/network-auth.xml:1787(para)

9416

msgid "Using the <application>ldapmodify</application> utility load the new indexes:"

9417

msgstr ""

9418

9419

#: serverguide/C/network-auth.xml:1792(command)

9420

msgid "ldapmodify -x -D cn=admin,cn=config -W -f samba_indexes.ldif"

9421

msgstr ""

9422

9423

#: serverguide/C/network-auth.xml:1794(para)

9424

msgid "If all went well you should see the new indexes using <application>ldapsearch</application>:"

9425

msgstr ""

9426

9427

#: serverguide/C/network-auth.xml:1799(command)

9428

msgid "ldapsearch -xLLL -D cn=admin,cn=config -x -b cn=config -W olcDatabase={1}hdb"

9429

msgstr ""

9430

9431

#: serverguide/C/network-auth.xml:1805(para)

9927

#: serverguide/C/network-auth.xml:2240(para)

9928

msgid "Using the <application>ldapmodify</application> utility load the new indices:"

9929

msgstr ""

9930

9931

#: serverguide/C/network-auth.xml:2245(command)

9932

msgid "sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f samba_indices.ldif"

9933

msgstr ""

9934

9935

#: serverguide/C/network-auth.xml:2248(para)

9936

msgid "If all went well you should see the new indices using <application>ldapsearch</application>:"

9937

msgstr ""

9938

9939

#: serverguide/C/network-auth.xml:2253(command)

9940

msgid "sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase={1}hdb olcDbIndex"

9941

msgstr ""

9942

9943

#: serverguide/C/network-auth.xml:2259(title)

9944

msgid "Adding Samba LDAP objects"

9945

msgstr ""

9946

9947

#: serverguide/C/network-auth.xml:2261(para)

9432

9948

msgid "Next, configure the <application>smbldap-tools</application> package to match your environment. The package comes with a configuration script that will ask questions about the needed options. To run the script enter:"

9433

9949

msgstr ""

9434

9950

9435

#: serverguide/C/network-auth.xml:1811(command)

9951

#: serverguide/C/network-auth.xml:2267(command)

9436

9952

msgid "sudo gzip -d /usr/share/doc/smbldap-tools/configure.pl.gz"

9437

9953

msgstr ""

9438

9954

9439

#: serverguide/C/network-auth.xml:1812(command)

9955

#: serverguide/C/network-auth.xml:2268(command)

9440

9956

msgid "sudo perl /usr/share/doc/smbldap-tools/configure.pl"

9441

9957

msgstr ""

9442

9958

9443

#: serverguide/C/network-auth.xml:1815(para)

9444

msgid "Once you have answered the questions, there should be <filename>/etc/smbldap-tools/smbldap.conf</filename> and <filename>/etc/smbldap-tools/smbldap_bind.conf</filename> files. These files are generated by the configure script, so if you made any mistakes while executing the script it may be simpler to edit the file appropriately."

9445

msgstr ""

9446

9447

#: serverguide/C/network-auth.xml:1825(para)

9448

msgid "The <application>smbldap-populate</application> script will add the necessary users, groups, and LDAP objects required for Samba. It is a good idea to make a backup LDAP Data Interchange Format (LDIF) file with <application>slapcat</application> before executing the command:"

9449

msgstr ""

9450

9451

#: serverguide/C/network-auth.xml:1832(command)

9959

#: serverguide/C/network-auth.xml:2271(para)

9960

msgid "You may need to comment out the strict pragma in the <filename>configure.pl</filename> file."

9961

msgstr ""

9962

9963

#: serverguide/C/network-auth.xml:2275(para)

9964

msgid "Once you have answered the questions, the files <filename>/etc/smbldap-tools/smbldap.conf</filename> and <filename>/etc/smbldap-tools/smbldap_bind.conf</filename> should be generated. If you made any mistakes while executing the script you can always edit the files afterwards."

9965

msgstr ""

9966

9967

#: serverguide/C/network-auth.xml:2281(para)

9968

msgid "The <application>smbldap-populate</application> script will add the LDAP objects required for Samba. It is a good idea to first make a backup of your entire directory using <application>slapcat</application>:"

9969

msgstr ""

9970

9971

#: serverguide/C/network-auth.xml:2287(command)

9452

9972

msgid "sudo slapcat -l backup.ldif"

9453

9973

msgstr ""

9454

9974

9455

#: serverguide/C/network-auth.xml:1838(para)

9456

msgid "Once you have a current backup execute <application>smbldap-populate</application> by entering:"

9975

#: serverguide/C/network-auth.xml:2290(para)

9976

msgid "Once you have a backup proceed to populate your directory:"

9457

9977

msgstr ""

9458

9978

9459

#: serverguide/C/network-auth.xml:1843(command)

9979

#: serverguide/C/network-auth.xml:2295(command)

9460

9980

msgid "sudo smbldap-populate"

9461

9981

msgstr ""

9462

9982

9463

#: serverguide/C/network-auth.xml:1847(para)

9464

msgid "You can create an LDIF file containing the new Samba objects by executing <command>sudo smbldap-populate -e samba.ldif</command>. This allows you to look over the changes making sure everything is correct."

9465

msgstr ""

9466

9467

#: serverguide/C/network-auth.xml:1855(para)

9468

msgid "Your LDAP directory now has the necessary domain information to authenticate Samba users."

9469

msgstr ""

9470

9471

#: serverguide/C/network-auth.xml:1861(title)

9983

#: serverguide/C/network-auth.xml:2298(para)

9984

msgid "You can create a LDIF file containing the new Samba objects by executing <command>sudo smbldap-populate -e samba.ldif</command>. This allows you to look over the changes making sure everything is correct. If it is, rerun the script without the '-e' switch. Alternatively, you can take the LDIF file and import it's data per usual."

9985

msgstr ""

9986

9987

#: serverguide/C/network-auth.xml:2304(para)

9988

msgid "Your LDAP directory now has the necessary information to authenticate Samba users."

9989

msgstr ""

9990

9991

#: serverguide/C/network-auth.xml:2313(title)

9472

9992

msgid "Samba Configuration"

9473

9993

msgstr ""

9474

9994

9475

#: serverguide/C/network-auth.xml:1863(para)

9476

msgid "There a multiple ways to configure Samba for details on some common configurations see <xref linkend=\"windows-networking\"/>. To configure Samba to use LDAP, edit the main Samba configuration file <filename>/etc/samba/smb.conf</filename> commenting the <emphasis>passdb backend</emphasis> option and adding the following:"

9995

#: serverguide/C/network-auth.xml:2315(para)

9996

msgid "There are multiple ways to configure Samba. For details on some common configurations see <xref linkend=\"windows-networking\"/>. To configure Samba to use LDAP, edit it's configuration file <filename>/etc/samba/smb.conf</filename> commenting out the default <emphasis>passdb backend</emphasis> parameter and adding some ldap-related ones:"

9477

9997

msgstr ""

9478

9998

9479

#: serverguide/C/network-auth.xml:1869(programlisting)

9999

#: serverguide/C/network-auth.xml:2321(programlisting)

9480

10000

#, no-wrap

9481

10001

msgid "\n# passdb backend = tdbsam\n\n# LDAP Settings\n passdb backend = ldapsam:ldap://hostname\n ldap suffix = dc=example,dc=com\n ldap user suffix = ou=People\n ldap group suffix = ou=Groups\n ldap machine suffix = ou=Computers\n ldap idmap suffix = ou=Idmap\n ldap admin dn = cn=admin,dc=example,dc=com\n ldap ssl = start tls\n ldap passwd sync = yes\n...\n add machine script = sudo /usr/sbin/smbldap-useradd -t 0 -w \"%u\"\n"

9482

10002

msgstr ""

9483

10003

9484

#: serverguide/C/network-auth.xml:1886(para)

10004

#: serverguide/C/network-auth.xml:2338(para)

10005

msgid "Change the values to match your environment."

10006

msgstr ""

10007

10008

#: serverguide/C/network-auth.xml:2342(para)

9485

10009

msgid "Restart <application>samba</application> to enable the new settings:"

9486

10010

msgstr ""

9487

10011

9488

#: serverguide/C/network-auth.xml:1895(para)

9489

msgid "Now Samba needs to know the LDAP admin password. From a terminal prompt enter:"

9490

msgstr ""

9491

9492

#: serverguide/C/network-auth.xml:1900(command)

9493

msgid "sudo smbpasswd -w secret"

9494

msgstr ""

9495

9496

#: serverguide/C/network-auth.xml:1904(para)

9497

msgid "Replacing <emphasis role=\"italic\">secret</emphasis> with your LDAP admin password."

9498

msgstr ""

9499

9500

#: serverguide/C/network-auth.xml:1909(para)

9501

msgid "If you currently have users in LDAP, and you want them to authenticate using Samba, they will need some Samba attributes defined in the <filename>samba.schema</filename> file. Add the Samba attributes to existing users using the <application>smbpasswd</application> utility, replacing <emphasis role=\"italic\">username</emphasis> with an actual user:"

9502

msgstr ""

9503

9504

#: serverguide/C/network-auth.xml:1917(command)

10012

#: serverguide/C/network-auth.xml:2351(para)

10013

msgid "Now inform Samba about the rootDN user's password (the one set during the installation of the slapd package):"

10014

msgstr ""

10015

10016

#: serverguide/C/network-auth.xml:2356(command)

10017

msgid "sudo smbpasswd -w password"

10018

msgstr ""

10019

10020

#: serverguide/C/network-auth.xml:2359(para)

10021

msgid "If you have existing LDAP users that you want to include in your new LDAP-backed Samba they will, of course, also need to be given some of the extra attributes. The <application>smbpasswd</application> utility can do this as well (your host will need to be able to see (enumerate) those users via NSS; install and configure either <application>libnss-ldapd</application> or <application>libnss-ldap</application>):"

10022

msgstr ""

10023

10024

#: serverguide/C/network-auth.xml:2367(command)

9505

10025

msgid "sudo smbpasswd -a username"

9506

10026

msgstr ""

9507

10027

9508

#: serverguide/C/network-auth.xml:1920(para)

9509

msgid "You will then be asked to enter the user's password."

9510

msgstr ""

9511

9512

#: serverguide/C/network-auth.xml:1924(para)

9513

msgid "To add new user, group, and machine accounts use the utilities from the <application>smbldap-tools</application> package. Here are some examples:"

9514

msgstr ""

9515

9516

#: serverguide/C/network-auth.xml:1931(para)

9517

msgid "To add a new user to LDAP with Samba attributes enter the following, replacing username with an actual username:"

9518

msgstr ""

9519

9520

#: serverguide/C/network-auth.xml:1935(command)

10028

#: serverguide/C/network-auth.xml:2370(para)

10029

msgid "You will prompted to enter a password. It will be considered as the new password for that user. Making it the same as before is reasonable."

10030

msgstr ""

10031

10032

#: serverguide/C/network-auth.xml:2374(para)

10033

msgid "To manage user, group, and machine accounts use the utilities provided by the <application>smbldap-tools</application> package. Here are some examples:"

10034

msgstr ""

10035

10036

#: serverguide/C/network-auth.xml:2382(para)

10037

msgid "To add a new user:"

10038

msgstr ""

10039

10040

#: serverguide/C/network-auth.xml:2387(command)

9521

10041

msgid "sudo smbldap-useradd -a -P username"

9522

10042

msgstr ""

9523

10043

9524

#: serverguide/C/network-auth.xml:1937(para)

9525

msgid "The <emphasis>-a</emphasis> option adds the Samba attributes, and the <emphasis>-P</emphasis> options calls the <application>smbldap-passwd</application> utility after the user is created allowing you to enter a password for the user."

9526

msgstr ""

9527

9528

#: serverguide/C/network-auth.xml:1943(para)

9529

msgid "To remove a user from the directory enter:"

9530

msgstr ""

9531

9532

#: serverguide/C/network-auth.xml:1947(command)

10044

#: serverguide/C/network-auth.xml:2390(para)

10045

msgid "The <emphasis>-a</emphasis> option adds the Samba attributes, and the <emphasis>-P</emphasis> option calls the <application>smbldap-passwd</application> utility after the user is created allowing you to enter a password for the user."

10046

msgstr ""

10047

10048

#: serverguide/C/network-auth.xml:2397(para)

10049

msgid "To remove a user:"

10050

msgstr ""

10051

10052

#: serverguide/C/network-auth.xml:2402(command)

9533

10053

msgid "sudo smbldap-userdel username"

9534

10054

msgstr ""

9535

10055

9536

#: serverguide/C/network-auth.xml:1949(para)

9537

msgid "The <application>smbldap-userdel</application> utility also has a <emphasis>-r</emphasis> option to remove the user's home directory."

9538

msgstr ""

9539

9540

#: serverguide/C/network-auth.xml:1954(para)

9541

msgid "Use <application>smbldap-groupadd</application> to add a group, replacing groupname with an appropriate group:"

9542

msgstr ""

9543

9544

#: serverguide/C/network-auth.xml:1958(command)

10056

#: serverguide/C/network-auth.xml:2405(para)

10057

msgid "In the above command, use the <emphasis>-r</emphasis> option to remove the user's home directory."

10058

msgstr ""

10059

10060

#: serverguide/C/network-auth.xml:2411(para)

10061

msgid "To add a group:"

10062

msgstr ""

10063

10064

#: serverguide/C/network-auth.xml:2416(command)

9545

10065

msgid "sudo smbldap-groupadd -a groupname"

9546

10066

msgstr ""

9547

10067

9548

#: serverguide/C/network-auth.xml:1960(para)

9549

msgid "Similar to <application>smbldap-useradd</application>, the <emphasis>-a</emphasis> adds the Samba attributes."

9550

msgstr ""

9551

9552

#: serverguide/C/network-auth.xml:1965(para)

9553

msgid "To add a user to a group use <application>smbldap-groupmod</application>:"

9554

msgstr ""

9555

9556

#: serverguide/C/network-auth.xml:1969(command)

10068

#: serverguide/C/network-auth.xml:2419(para)

10069

msgid "As for <application>smbldap-useradd</application>, the <emphasis>-a</emphasis> adds the Samba attributes."

10070

msgstr ""

10071

10072

#: serverguide/C/network-auth.xml:2425(para)

10073

msgid "To make an existing user a member of a group:"

10074

msgstr ""

10075

10076

#: serverguide/C/network-auth.xml:2430(command)

9557

10077

msgid "sudo smbldap-groupmod -m username groupname"

9558

10078

msgstr ""

9559

10079

9560

#: serverguide/C/network-auth.xml:1971(para)

9561

msgid "Be sure to replace <emphasis>username</emphasis> with a real user. Also, the <emphasis>-m</emphasis> option can add more than one user at a time by listing them in <emphasis>comma separated</emphasis> format."

9562

msgstr ""

9563

9564

#: serverguide/C/network-auth.xml:1977(para)

9565

msgid "<application>smbldap-groupmod</application> can also be used to remove a user from a group:"

9566

msgstr ""

9567

9568

#: serverguide/C/network-auth.xml:1981(command)

10080

#: serverguide/C/network-auth.xml:2433(para)

10081

msgid "The <emphasis>-m</emphasis> option can add more than one user at a time by listing them in comma-separated format."

10082

msgstr ""

10083

10084

#: serverguide/C/network-auth.xml:2439(para)

10085

msgid "To remove a user from a group:"

10086

msgstr ""

10087

10088

#: serverguide/C/network-auth.xml:2444(command)

9569

10089

msgid "sudo smbldap-groupmod -x username groupname"

9570

10090

msgstr ""

9571

10091

9572

#: serverguide/C/network-auth.xml:1985(para)

9573

msgid "Additionally, the <application>smbldap-useradd</application> utility can add Samba machine accounts:"

10092

#: serverguide/C/network-auth.xml:2450(para)

10093

msgid "To add a Samba machine account:"

9574

10094

msgstr ""

9575

10095

9576

#: serverguide/C/network-auth.xml:1989(command)

10096

#: serverguide/C/network-auth.xml:2455(command)

9577

10097

msgid "sudo smbldap-useradd -t 0 -w username"

9578

10098

msgstr ""

9579

10099

9580

#: serverguide/C/network-auth.xml:1991(para)

9581

msgid "Replace <emphasis>username</emphasis> with the name of the workstation. The <emphasis>-t 0</emphasis> option creates the machine account without a delay, while the <emphasis>-w</emphasis> option specifies the user as a machine account. Also, note the <emphasis>add machine script</emphasis> option in <filename>/etc/samba/smb.conf</filename> was changed to use <application>smbldap-useradd</application>."

9582

msgstr ""

9583

9584

#: serverguide/C/network-auth.xml:2000(para)

9585

msgid "There are more useful utilities and options in the <application>smbldap-tools</application> package. The man page for each utility provides more details."

9586

msgstr ""

9587

9588

#: serverguide/C/network-auth.xml:2011(para)

9589

msgid "There are multiple places where LDAP and Samba is documented in the <ulink url=\"http://samba.org/samba/docs/man/Samba-HOWTO-Collection/\">Samba HOWTO Collection</ulink>."

9590

msgstr ""

9591

9592

#: serverguide/C/network-auth.xml:2017(para)

9593

msgid "Specifically see the <ulink url=\"http://samba.org/samba/docs/man/Samba-HOWTO-Collection/passdb.html\">passdb section</ulink>."

9594

msgstr ""

9595

9596

#: serverguide/C/network-auth.xml:2023(para)

9597

msgid "Another good site is <ulink url=\"http://download.gna.org/smbldap-tools/docs/samba-ldap-howto/\">Samba OpenLDAP HOWTO</ulink>."

9598

msgstr ""

9599

9600

#: serverguide/C/network-auth.xml:2029(para)

9601

msgid "Again, for more information on <application>smbldap-tools</application> see the man pages: <command>man smbldap-useradd</command>, <command>man smbldap-groupadd</command>, <command>man smbldap-populate</command>, etc."

9602

msgstr ""

9603

9604

#: serverguide/C/network-auth.xml:2036(para)

9605

msgid "Also, there is a list of <ulink url=\"https://help.ubuntu.com/community/Samba#samba-ldap\">Ubuntu wiki</ulink> articles with more information."

9606

msgstr ""

9607

9608

#: serverguide/C/network-auth.xml:2045(title)

10100

#: serverguide/C/network-auth.xml:2458(para)

10101

msgid "Replace <emphasis>username</emphasis> with the name of the workstation. The <emphasis>-t 0</emphasis> option creates the machine account without a delay, while the <emphasis>-w</emphasis> option specifies the user as a machine account. Also, note the <emphasis>add machine script</emphasis> parameter in <filename>/etc/samba/smb.conf</filename> was changed to use <application>smbldap-useradd</application>."

10102

msgstr ""

10103

10104

#: serverguide/C/network-auth.xml:2467(para)

10105

msgid "There are utilities in the <application>smbldap-tools</application> package that were not covered here. Here is a complete list:"

10106

msgstr ""

10107

10108

#: serverguide/C/network-auth.xml:2472(ulink)

10109

msgid "smbldap-groupadd"

10110

msgstr ""

10111

10112

#: serverguide/C/network-auth.xml:2473(ulink)

10113

msgid "smbldap-groupdel"

10114

msgstr ""

10115

10116

#: serverguide/C/network-auth.xml:2474(ulink)

10117

msgid "smbldap-groupmod"

10118

msgstr ""

10119

10120

#: serverguide/C/network-auth.xml:2475(ulink)

10121

msgid "smbldap-groupshow"

10122

msgstr ""

10123

10124

#: serverguide/C/network-auth.xml:2476(ulink)

10125

msgid "smbldap-passwd"

10126

msgstr ""

10127

10128

#: serverguide/C/network-auth.xml:2477(ulink)

10129

msgid "smbldap-populate"

10130

msgstr ""

10131

10132

#: serverguide/C/network-auth.xml:2478(ulink)

10133

msgid "smbldap-useradd"

10134

msgstr ""

10135

10136

#: serverguide/C/network-auth.xml:2479(ulink)

10137

msgid "smbldap-userdel"

10138

msgstr ""

10139

10140

#: serverguide/C/network-auth.xml:2480(ulink)

10141

msgid "smbldap-userinfo"

10142

msgstr ""

10143

10144

#: serverguide/C/network-auth.xml:2481(ulink)

10145

msgid "smbldap-userlist"

10146

msgstr ""

10147

10148

#: serverguide/C/network-auth.xml:2482(ulink)

10149

msgid "smbldap-usermod"

10150

msgstr ""

10151

10152

#: serverguide/C/network-auth.xml:2483(ulink)

10153

msgid "smbldap-usershow"

10154

msgstr ""

10155

10156

#: serverguide/C/network-auth.xml:2494(para)

10157

msgid "For more information on installing and configuring Samba see <xref linkend=\"windows-networking\"/> of this Ubuntu Server Guide."

10158

msgstr ""

10159

10160

#: serverguide/C/network-auth.xml:2500(para)

10161

msgid "There are multiple places where LDAP and Samba is documented in the upstream <ulink url=\"http://samba.org/samba/docs/man/Samba-HOWTO-Collection/\">Samba HOWTO Collection</ulink>."

10162

msgstr ""

10163

10164

#: serverguide/C/network-auth.xml:2507(para)

10165

msgid "Regarding the above, see specifically the <ulink url=\"http://samba.org/samba/docs/man/Samba-HOWTO-Collection/passdb.html\">passdb section</ulink>."

10166

msgstr ""

10167

10168

#: serverguide/C/network-auth.xml:2513(para)

10169

msgid "Although dated (2007), the <ulink url=\"http://download.gna.org/smbldap-tools/docs/samba-ldap-howto/\">Linux Samba-OpenLDAP HOWTO</ulink> contains valuable notes."

10170

msgstr ""

10171

10172

#: serverguide/C/network-auth.xml:2519(para)

10173

msgid "The main page of the <ulink url=\"https://help.ubuntu.com/community/Samba#samba-ldap\">Samba Ubuntu community documentation</ulink> has a plethora of links to articles that may prove useful."

10174

msgstr ""

10175

10176

#: serverguide/C/network-auth.xml:2532(title)

9609

10177

msgid "Kerberos"

9610

10178

msgstr ""

9611

10179

9612

#: serverguide/C/network-auth.xml:2047(para)

10180

#: serverguide/C/network-auth.xml:2534(para)

9613

10181

msgid "<application>Kerberos</application> is a network authentication system based on the principal of a trusted third party. The other two parties being the user and the service the user wishes to authenticate to. Not all services and applications can use Kerberos, but for those that can, it brings the network environment one step closer to being Single Sign On (SSO)."

9614

10182

msgstr ""

9615

10183

9616

#: serverguide/C/network-auth.xml:2053(para)

10184

#: serverguide/C/network-auth.xml:2540(para)

9617

10185

msgid "This section covers installation and configuration of a Kerberos server, and some example client configurations."

9618

10186

msgstr ""

9619

10187

9620

#: serverguide/C/network-auth.xml:2060(para)

10188

#: serverguide/C/network-auth.xml:2547(para)

9621

10189

msgid "If you are new to Kerberos there are a few terms that are good to understand before setting up a Kerberos server. Most of the terms will relate to things you may be familiar with in other environments:"

9622

10190

msgstr ""

9623

10191

9624

#: serverguide/C/network-auth.xml:2067(para)

10192

#: serverguide/C/network-auth.xml:2554(para)

9625

10193

msgid "<emphasis>Principal:</emphasis> any users, computers, and services provided by servers need to be defined as Kerberos Principals."

9626

10194

msgstr ""

9627

10195

9628

#: serverguide/C/network-auth.xml:2072(para)

10196

#: serverguide/C/network-auth.xml:2559(para)

9629

10197

msgid "<emphasis>Instances:</emphasis> are used for service principals and special administrative principals."

9630

10198

msgstr ""

9631

10199

9632

#: serverguide/C/network-auth.xml:2077(para)

10200

#: serverguide/C/network-auth.xml:2564(para)

9633

10201

msgid "<emphasis>Realms:</emphasis> the unique realm of control provided by the Kerberos installation. Usually the DNS domain converted to uppercase (EXAMPLE.COM)."

9634

10202

msgstr ""

9635

10203

9636

#: serverguide/C/network-auth.xml:2083(para)

10204

#: serverguide/C/network-auth.xml:2570(para)

9637

10205

msgid "<emphasis>Key Distribution Center:</emphasis> (KDC) consist of three parts, a database of all principals, the authentication server, and the ticket granting server. For each realm there must be at least one KDC."

9638

10206

msgstr ""

9639

10207

9640

#: serverguide/C/network-auth.xml:2089(para)

10208

#: serverguide/C/network-auth.xml:2576(para)

9641

10209

msgid "<emphasis>Ticket Granting Ticket:</emphasis> issued by the Authentication Server (AS), the Ticket Granting Ticket (TGT) is encrypted in the user's password which is known only to the user and the KDC."

9642

10210

msgstr ""

9643

10211

9644

#: serverguide/C/network-auth.xml:2095(para)

10212

#: serverguide/C/network-auth.xml:2582(para)

9645

10213

msgid "<emphasis>Ticket Granting Server:</emphasis> (TGS) issues service tickets to clients upon request."

9646

10214

msgstr ""

9647

10215

9648

#: serverguide/C/network-auth.xml:2100(para)

10216

#: serverguide/C/network-auth.xml:2587(para)

9649

10217

msgid "<emphasis>Tickets:</emphasis> confirm the identity of the two principals. One principal being a user and the other a service requested by the user. Tickets establish an encryption key used for secure communication during the authenticated session."

9650

10218

msgstr ""

9651

10219

9652

#: serverguide/C/network-auth.xml:2106(para)

10220

#: serverguide/C/network-auth.xml:2593(para)

9653

10221

msgid "<emphasis>Keytab Files:</emphasis> are files extracted from the KDC principal database and contain the encryption key for a service or host."

9654

10222

msgstr ""

9655

10223

9656

#: serverguide/C/network-auth.xml:2113(para)

10224

#: serverguide/C/network-auth.xml:2600(para)

9657

10225

msgid "To put the pieces together, a Realm has at least one KDC, preferably two for redundancy, which contains a database of Principals. When a user principal logs into a workstation, configured for Kerberos authentication, the KDC issues a Ticket Granting Ticket (TGT). If the user supplied credentials match, the user is authenticated and can then request tickets for Kerberized services from the Ticket Granting Server (TGS). The service tickets allow the user to authenticate to the service without entering another username and password."

9658

10226

msgstr ""

9659

10227

9660

#: serverguide/C/network-auth.xml:2122(title)

10228

#: serverguide/C/network-auth.xml:2609(title)

9661

10229

msgid "Kerberos Server"

9662

10230

msgstr ""

9663

10231

9664

#: serverguide/C/network-auth.xml:2126(para)

10232

#: serverguide/C/network-auth.xml:2613(para)

9665

10233

msgid "Before installing the Kerberos server a properly configured DNS server is needed for your domain. Since the Kerberos Realm by convention matches the domain name, this section uses the <emphasis>example.com</emphasis> domain configured in <xref linkend=\"dns-primarymaster-configuration\"/>."

9666

10234

msgstr ""

9667

10235

9668

#: serverguide/C/network-auth.xml:2132(para)

10236

#: serverguide/C/network-auth.xml:2619(para)

9669

10237

msgid "Also, Kerberos is a time sensitive protocol. So if the local system time between a client machine and the server differs by more than five minutes (by default), the workstation will not be able to authenticate. To correct the problem all hosts should have their time synchronized using the <emphasis>Network Time Protocol (NTP)</emphasis>. For details on setting up NTP see <xref linkend=\"NTP\"/>."

9670

10238

msgstr ""

9671

10239

9672

#: serverguide/C/network-auth.xml:2139(para)

10240

#: serverguide/C/network-auth.xml:2626(para)

9673

10241

msgid "The first step in installing a Kerberos Realm is to install the <application>krb5-kdc</application> and <application>krb5-admin-server</application> packages. From a terminal enter:"

9674

10242

msgstr ""

9675

10243

9676

#: serverguide/C/network-auth.xml:2145(command) serverguide/C/network-auth.xml:2320(command)

10244

#: serverguide/C/network-auth.xml:2632(command) serverguide/C/network-auth.xml:2807(command)

9677

10245

msgid "sudo apt-get install krb5-kdc krb5-admin-server"

9678

10246

msgstr ""

9679

10247

9680

#: serverguide/C/network-auth.xml:2148(para)

10248

#: serverguide/C/network-auth.xml:2635(para)

9681

10249

msgid "You will be asked at the end of the install to supply a name for the Kerberos and Admin servers, which may or may not be the same server, for the realm."

9682

10250

msgstr ""

9683

10251

9684

#: serverguide/C/network-auth.xml:2153(para)

10252

#: serverguide/C/network-auth.xml:2640(para)

9685

10253

msgid "Next, create the new realm with the <application>kdb5_newrealm</application> utility:"

9686

10254

msgstr ""

9687

10255

9688

#: serverguide/C/network-auth.xml:2158(command)

10256

#: serverguide/C/network-auth.xml:2645(command)

9689

10257

msgid "sudo krb5_newrealm"

9690

10258

msgstr ""

9691

10259

9692

#: serverguide/C/network-auth.xml:2165(para)

10260

#: serverguide/C/network-auth.xml:2652(para)

9693

10261

msgid "The questions asked during installation are used to configure the <filename>/etc/krb5.conf</filename> file. If you need to adjust the Key Distribution Center (KDC) settings simply edit the file and restart the <application>krb5-kdc</application> daemon."

9694

10262

msgstr ""

9695

10263

9696

#: serverguide/C/network-auth.xml:2173(para)

10264

#: serverguide/C/network-auth.xml:2660(para)

9697

10265

msgid "Now that the KDC running an admin user is needed. It is recommended to use a different username from your everyday username. Using the <application>kadmin.local</application> utility in a terminal prompt enter:"

9698

10266

msgstr ""

9699

10267

9700

#: serverguide/C/network-auth.xml:2179(command) serverguide/C/network-auth.xml:2975(command)

10268

#: serverguide/C/network-auth.xml:2666(command) serverguide/C/network-auth.xml:3460(command)

9701

10269

msgid "sudo kadmin.local"

9702

10270

msgstr ""

9703

10271

9704

#: serverguide/C/network-auth.xml:2180(computeroutput)

10272

#: serverguide/C/network-auth.xml:2667(computeroutput)

9705

10273

#, no-wrap

9706

10274

msgid "Authenticating as principal root/admin@EXAMPLE.COM with password.\nkadmin.local:"

9707

10275

msgstr ""

9708

10276

9709

#: serverguide/C/network-auth.xml:2181(userinput)

10277

#: serverguide/C/network-auth.xml:2668(userinput)

9710

10278

#, no-wrap

9711

10279

msgid " addprinc steve/admin"

9712

10280

msgstr ""

9713

10281

9714

#: serverguide/C/network-auth.xml:2182(computeroutput)

10282

#: serverguide/C/network-auth.xml:2669(computeroutput)

9715

10283

#, no-wrap

9716

10284

msgid "WARNING: no policy specified for steve/admin@EXAMPLE.COM; defaulting to no policy\nEnter password for principal \"steve/admin@EXAMPLE.COM\": \nRe-enter password for principal \"steve/admin@EXAMPLE.COM\": \nPrincipal \"steve/admin@EXAMPLE.COM\" created.\nkadmin.local:"

9717

10285

msgstr ""

9718

10286

9719

#: serverguide/C/network-auth.xml:2186(userinput)

10287

#: serverguide/C/network-auth.xml:2673(userinput)

9720

10288

#, no-wrap

9721

10289

msgid " quit"

9722

10290

msgstr ""

9723

10291

9724

#: serverguide/C/network-auth.xml:2189(para)

10292

#: serverguide/C/network-auth.xml:2676(para)

9725

10293

msgid "In the above example <emphasis role=\"italic\">steve</emphasis> is the <emphasis>Principal</emphasis>, <emphasis role=\"italic\">/admin</emphasis> is an <emphasis>Instance</emphasis>, and <emphasis role=\"italic\">@EXAMPLE.COM</emphasis> signifies the realm. The <emphasis role=\"italic\">\"every day\"</emphasis> Principal would be <emphasis>steve@EXAMPLE.COM</emphasis>, and should have only normal user rights."

9726

10294

msgstr ""

9727

10295

9728

#: serverguide/C/network-auth.xml:2197(para)

10296

#: serverguide/C/network-auth.xml:2684(para)

9729

10297

msgid "Replace <emphasis>EXAMPLE.COM</emphasis> and <emphasis>steve</emphasis> with your Realm and admin username."

9730

10298

msgstr ""

9731

10299

9732

#: serverguide/C/network-auth.xml:2205(para)

10300

#: serverguide/C/network-auth.xml:2692(para)

9733

10301

msgid "Next, the new admin user needs to have the appropriate Access Control List (ACL) permissions. The permissions are configured in the <filename>/etc/krb5kdc/kadm5.acl</filename> file:"

9734

10302

msgstr ""

9735

10303

9736

#: serverguide/C/network-auth.xml:2210(programlisting)

10304

#: serverguide/C/network-auth.xml:2697(programlisting)

9737

10305

#, no-wrap

9738

10306

msgid "\nsteve/admin@EXAMPLE.COM *\n"

9739

10307

msgstr ""

9740

10308

9741

#: serverguide/C/network-auth.xml:2214(para)

10309

#: serverguide/C/network-auth.xml:2701(para)

9742

10310

msgid "This entry grants <emphasis>steve/admin</emphasis> the ability to perform any operation on all principals in the realm."

9743

10311

msgstr ""

9744

10312

9745

#: serverguide/C/network-auth.xml:2221(para)

10313

#: serverguide/C/network-auth.xml:2708(para)

9746

10314

msgid "Now restart the <application>krb5-admin-server</application> for the new ACL to take affect:"

9747

10315

msgstr ""

9748

10316

9749

#: serverguide/C/network-auth.xml:2226(command)

10317

#: serverguide/C/network-auth.xml:2713(command)

9750

10318

msgid "sudo /etc/init.d/krb5-admin-server restart"

9751

10319

msgstr ""

9752

10320

9753

#: serverguide/C/network-auth.xml:2232(para)

10321

#: serverguide/C/network-auth.xml:2719(para)

9754

10322

msgid "The new user principal can be tested using the <application>kinit utility</application>:"

9755

10323

msgstr ""

9756

10324

9757

#: serverguide/C/network-auth.xml:2237(command)

10325

#: serverguide/C/network-auth.xml:2724(command)

9758

10326

msgid "kinit steve/admin"

9759

10327

msgstr ""

9760

10328

9761

#: serverguide/C/network-auth.xml:2238(computeroutput)

10329

#: serverguide/C/network-auth.xml:2725(computeroutput)

9762

10330

#, no-wrap

9763

10331

msgid "steve/admin@EXAMPLE.COM's Password:"

9764

10332

msgstr ""

9765

10333

9766

#: serverguide/C/network-auth.xml:2241(para)

10334

#: serverguide/C/network-auth.xml:2728(para)

9767

10335

msgid "After entering the password, use the <application>klist</application> utility to view information about the Ticket Granting Ticket (TGT):"

9768

10336

msgstr ""

9769

10337

9770

#: serverguide/C/network-auth.xml:2247(command) serverguide/C/network-auth.xml:2582(command)

10338

#: serverguide/C/network-auth.xml:2734(command) serverguide/C/network-auth.xml:3069(command)

9771

10339

msgid "klist"

9772

10340

msgstr ""

9773

10341

9774

#: serverguide/C/network-auth.xml:2248(computeroutput)

10342

#: serverguide/C/network-auth.xml:2735(computeroutput)

9775

10343

#, no-wrap

9776

10344

msgid "Credentials cache: FILE:/tmp/krb5cc_1000\n Principal: steve/admin@EXAMPLE.COM\n\n Issued Expires Principal\nJul 13 17:53:34 Jul 14 03:53:34 krbtgt/EXAMPLE.COM@EXAMPLE.COM"

9777

10345

msgstr ""

9778

10346

9779

#: serverguide/C/network-auth.xml:2255(para)

10347

#: serverguide/C/network-auth.xml:2742(para)

9780

10348

msgid "You may need to add an entry into the <filename>/etc/hosts</filename> for the KDC. For example:"

9781

10349

msgstr ""

9782

10350

9783

#: serverguide/C/network-auth.xml:2259(programlisting)

10351

#: serverguide/C/network-auth.xml:2746(programlisting)

9784

10352

#, no-wrap

9785

10353

msgid "\n192.168.0.1 kdc01.example.com kdc01\n"

9786

10354

msgstr ""

9787

10355

9788

#: serverguide/C/network-auth.xml:2263(para)

10356

#: serverguide/C/network-auth.xml:2750(para)

9789

10357

msgid "Replacing <emphasis>192.168.0.1</emphasis> with the IP address of your KDC."

9790

10358

msgstr ""

9791

10359

9792

#: serverguide/C/network-auth.xml:2270(para)

10360

#: serverguide/C/network-auth.xml:2757(para)

9793

10361

msgid "In order for clients to determine the KDC for the Realm some DNS SRV records are needed. Add the following to <filename>/etc/named/db.example.com</filename>:"

9794

10362

msgstr ""

9795

10363

9796

#: serverguide/C/network-auth.xml:2275(programlisting)

10364

#: serverguide/C/network-auth.xml:2762(programlisting)

9797

10365

#, no-wrap

9798

10366

msgid "\n_kerberos._udp.EXAMPLE.COM. IN SRV 1 0 88 kdc01.example.com.\n_kerberos._tcp.EXAMPLE.COM. IN SRV 1 0 88 kdc01.example.com.\n_kerberos._udp.EXAMPLE.COM. IN SRV 10 0 88 kdc02.example.com. \n_kerberos._tcp.EXAMPLE.COM. IN SRV 10 0 88 kdc02.example.com. \n_kerberos-adm._tcp.EXAMPLE.COM. IN SRV 1 0 749 kdc01.example.com.\n_kpasswd._udp.EXAMPLE.COM. IN SRV 1 0 464 kdc01.example.com.\n"

9799

10367

msgstr ""

9800

10368

9801

#: serverguide/C/network-auth.xml:2285(para)

10369

#: serverguide/C/network-auth.xml:2772(para)

9802

10370

msgid "Replace <emphasis>EXAMPLE.COM</emphasis>, <emphasis>kdc01</emphasis>, and <emphasis>kdc02</emphasis> with your domain name, primary KDC, and secondary KDC."

9803

10371

msgstr ""

9804

10372

9805

#: serverguide/C/network-auth.xml:2291(para)

10373

#: serverguide/C/network-auth.xml:2778(para)

9806

10374

msgid "See <xref linkend=\"dns\"/> for detailed instructions on setting up DNS."

9807

10375

msgstr ""

9808

10376

9809

#: serverguide/C/network-auth.xml:2298(para)

10377

#: serverguide/C/network-auth.xml:2785(para)

9810

10378

msgid "Your new Kerberos Realm is now ready to authenticate clients."

9811

10379

msgstr ""

9812

10380

9813

#: serverguide/C/network-auth.xml:2305(title)

10381

#: serverguide/C/network-auth.xml:2792(title)

9814

10382

msgid "Secondary KDC"

9815

10383

msgstr ""

9816

10384

9817

#: serverguide/C/network-auth.xml:2307(para)

10385

#: serverguide/C/network-auth.xml:2794(para)

9818

10386

msgid "Once you have one Key Distribution Center (KDC) on your network, it is good practice to have a Secondary KDC in case the primary becomes unavailable."

9819

10387

msgstr ""

9820

10388

9821

#: serverguide/C/network-auth.xml:2315(para)

10389

#: serverguide/C/network-auth.xml:2802(para)

9822

10390

msgid "First, install the packages, and when asked for the Kerberos and Admin server names enter the name of the Primary KDC:"

9823

10391

msgstr ""

9824

10392

9825

#: serverguide/C/network-auth.xml:2326(para)

10393

#: serverguide/C/network-auth.xml:2813(para)

9826

10394

msgid "Once you have the packages installed, create the Secondary KDC's host principal. From a terminal prompt, enter:"

9827

10395

msgstr ""

9828

10396

9829

#: serverguide/C/network-auth.xml:2331(command)

10397

#: serverguide/C/network-auth.xml:2818(command)

9830

10398

msgid "kadmin -q \"addprinc -randkey host/kdc02.example.com\""

9831

10399

msgstr ""

9832

10400

9833

#: serverguide/C/network-auth.xml:2335(para)

10401

#: serverguide/C/network-auth.xml:2822(para)

9834

10402

msgid "After, issuing any <application>kadmin</application> commands you will be prompted for your <emphasis>username/admin@EXAMPLE.COM</emphasis> principal password."

9835

10403

msgstr ""

9836

10404

9837

#: serverguide/C/network-auth.xml:2344(para)

10405

#: serverguide/C/network-auth.xml:2831(para)

9838

10406

msgid "Extract the <emphasis>keytab</emphasis> file:"

9839

10407

msgstr ""

9840

10408

9841

#: serverguide/C/network-auth.xml:2349(command)

10409

#: serverguide/C/network-auth.xml:2836(command)

9842

10410

msgid "kadmin -q \"ktadd -k keytab.kdc02 host/kdc02.example.com\""

9843

10411

msgstr ""

9844

10412

9845

#: serverguide/C/network-auth.xml:2355(para)

10413

#: serverguide/C/network-auth.xml:2842(para)

9846

10414

msgid "There should now be a <filename>keytab.kdc02</filename> in the current directory, move the file to <filename>/etc/krb5.keytab</filename>:"

9847

10415

msgstr ""

9848

10416

9849

#: serverguide/C/network-auth.xml:2361(command)

10417

#: serverguide/C/network-auth.xml:2848(command)

9850

10418

msgid "sudo mv keytab.kdc02 /etc/krb5.keytab"

9851

10419

msgstr ""

9852

10420

9853

#: serverguide/C/network-auth.xml:2365(para)

10421

#: serverguide/C/network-auth.xml:2852(para)

9854

10422

msgid "If the path to the <filename>keytab.kdc02</filename> file is different adjust accordingly."

9855

10423

msgstr ""

9856

10424

9857

#: serverguide/C/network-auth.xml:2370(para)

10425

#: serverguide/C/network-auth.xml:2857(para)

9858

10426

msgid "Also, you can list the principals in a Keytab file, which can be useful when troubleshooting, using the <application>klist</application> utility:"

9859

10427

msgstr ""

9860

10428

9861

#: serverguide/C/network-auth.xml:2376(command)

10429

#: serverguide/C/network-auth.xml:2863(command)

9862

10430

msgid "sudo klist -k /etc/krb5.keytab"

9863

10431

msgstr ""

9864

10432

9865

#: serverguide/C/network-auth.xml:2382(para)

10433

#: serverguide/C/network-auth.xml:2869(para)

9866

10434

msgid "Next, there needs to be a <filename>kpropd.acl</filename> file on each KDC that lists all KDCs for the Realm. For example, on both primary and secondary KDC, create <filename>/etc/krb5kdc/kpropd.acl</filename>:"

9867

10435

msgstr ""

9868

10436

9869

#: serverguide/C/network-auth.xml:2387(programlisting)

10437

#: serverguide/C/network-auth.xml:2874(programlisting)

9870

10438

#, no-wrap

9871

10439

msgid "\nhost/kdc01.example.com@EXAMPLE.COM\nhost/kdc02.example.com@EXAMPLE.COM\n"

9872

10440

msgstr ""

9873

10441

9874

#: serverguide/C/network-auth.xml:2395(para)

10442

#: serverguide/C/network-auth.xml:2882(para)

9875

10443

msgid "Create an empty database on the <emphasis>Secondary KDC</emphasis>:"

9876

10444

msgstr ""

9877

10445

9878

#: serverguide/C/network-auth.xml:2400(command)

10446

#: serverguide/C/network-auth.xml:2887(command)

9879

10447

msgid "sudo kdb5_util -s create"

9880

10448

msgstr ""

9881

10449

9882

#: serverguide/C/network-auth.xml:2406(para)

10450

#: serverguide/C/network-auth.xml:2893(para)

9883

10451

msgid "Now start the <application>kpropd</application> daemon, which listens for connections from the <application>kprop</application> utility. <application>kprop</application> is used to transfer dump files:"

9884

10452

msgstr ""

9885

10453

9886

#: serverguide/C/network-auth.xml:2413(command)

10454

#: serverguide/C/network-auth.xml:2900(command)

9887

10455

msgid "sudo kpropd -S"

9888

10456

msgstr ""

9889

10457

9890

#: serverguide/C/network-auth.xml:2419(para)

10458

#: serverguide/C/network-auth.xml:2906(para)

9891

10459

msgid "From a terminal on the <emphasis>Primary KDC</emphasis>, create a dump file of the principal database:"

9892

10460

msgstr ""

9893

10461

9894

#: serverguide/C/network-auth.xml:2424(command)

10462

#: serverguide/C/network-auth.xml:2911(command)

9895

10463

msgid "sudo kdb5_util dump /var/lib/krb5kdc/dump"

9896

10464

msgstr ""

9897

10465

9898

#: serverguide/C/network-auth.xml:2430(para)

10466

#: serverguide/C/network-auth.xml:2917(para)

9899

10467

msgid "Extract the Primary KDC's <emphasis>keytab</emphasis> file and copy it to <filename>/etc/krb5.keytab</filename>:"

9900

10468

msgstr ""

9901

10469

9902

#: serverguide/C/network-auth.xml:2435(command)

10470

#: serverguide/C/network-auth.xml:2922(command)

9903

10471

msgid "kadmin -q \"ktadd -k keytab.kdc01 host/kdc01.example.com\""

9904

10472

msgstr ""

9905

10473

9906

#: serverguide/C/network-auth.xml:2436(command)

10474

#: serverguide/C/network-auth.xml:2923(command)

9907

10475

msgid "sudo mv keytab.kdc01 /etc/krb5.keytab"

9908

10476

msgstr ""

9909

10477

9910

#: serverguide/C/network-auth.xml:2440(para)

10478

#: serverguide/C/network-auth.xml:2927(para)

9911

10479

msgid "Make sure there is a <emphasis>host</emphasis> for <emphasis>kdc01.example.com</emphasis> before extracting the Keytab."

9912

10480

msgstr ""

9913

10481

9914

#: serverguide/C/network-auth.xml:2448(para)

10482

#: serverguide/C/network-auth.xml:2935(para)

9915

10483

msgid "Using the <application>kprop</application> utility push the database to the Secondary KDC:"

9916

10484

msgstr ""

9917

10485

9918

#: serverguide/C/network-auth.xml:2453(command)

10486

#: serverguide/C/network-auth.xml:2940(command)

9919

10487

msgid "sudo kprop -r EXAMPLE.COM -f /var/lib/krb5kdc/dump kdc02.example.com"

9920

10488

msgstr ""

9921

10489

9922

#: serverguide/C/network-auth.xml:2457(para)

10490

#: serverguide/C/network-auth.xml:2944(para)

9923

10491

msgid "There should be a <emphasis>SUCCEEDED</emphasis> message if the propagation worked. If there is an error message check <filename>/var/log/syslog</filename> on the secondary KDC for more information."

9924

10492

msgstr ""

9925

10493

9926

#: serverguide/C/network-auth.xml:2463(para)

10494

#: serverguide/C/network-auth.xml:2950(para)

9927

10495

msgid "You may also want to create a <application>cron</application> job to periodically update the database on the Secondary KDC. For example, the following will push the database every hour:"

9928

10496

msgstr ""

9929

10497

9930

#: serverguide/C/network-auth.xml:2468(programlisting)

10498

#: serverguide/C/network-auth.xml:2955(programlisting)

9931

10499

#, no-wrap

9932

10500

msgid "\n# m h dom mon dow command\n0 * * * * /usr/sbin/kdb5_util dump /var/lib/krb5kdc/dump && /usr/sbin/kprop -r EXAMPLE.COM -f /var/lib/krb5kdc/dump kdc02.example.com\n"

9933

10501

msgstr ""

9934

10502

9935

#: serverguide/C/network-auth.xml:2476(para)

10503

#: serverguide/C/network-auth.xml:2963(para)

9936

10504

msgid "Back on the <emphasis>Secondary KDC</emphasis>, create a <emphasis>stash</emphasis> file to hold the Kerberos master key:"

9937

10505

msgstr ""

9938

10506

9939

#: serverguide/C/network-auth.xml:2482(command)

10507

#: serverguide/C/network-auth.xml:2969(command)

9940

10508

msgid "sudo kdb5_util stash"

9941

10509

msgstr ""

9942

10510

9943

#: serverguide/C/network-auth.xml:2488(para)

10511

#: serverguide/C/network-auth.xml:2975(para)

9944

10512

msgid "Finally, start the <application>krb5-kdc</application> daemon on the Secondary KDC:"

9945

10513

msgstr ""

9946

10514

9947

#: serverguide/C/network-auth.xml:2493(command) serverguide/C/network-auth.xml:3105(command)

10515

#: serverguide/C/network-auth.xml:2980(command) serverguide/C/network-auth.xml:3590(command)

9948

10516

msgid "sudo /etc/init.d/krb5-kdc start"

9949

10517

msgstr ""

9950

10518

9951

#: serverguide/C/network-auth.xml:2499(para)

10519

#: serverguide/C/network-auth.xml:2986(para)

9952

10520

msgid "The <emphasis>Secondary KDC</emphasis> should now be able to issue tickets for the Realm. You can test this by stopping the <application>krb5-kdc</application> daemon on the Primary KDC, then use <application>kinit</application> to request a ticket. If all goes well you should receive a ticket from the Secondary KDC."

9953

10521

msgstr ""

9954

10522

9955

#: serverguide/C/network-auth.xml:2507(title)

10523

#: serverguide/C/network-auth.xml:2994(title)

9956

10524

msgid "Kerberos Linux Client"

9957

10525

msgstr ""

9958

10526

9959

#: serverguide/C/network-auth.xml:2509(para)

10527

#: serverguide/C/network-auth.xml:2996(para)

9960

10528

msgid "This section covers configuring a Linux system as a <application>Kerberos</application> client. This will allow access to any kerberized services once a user has successfully logged into the system."

9961

10529

msgstr ""

9962

10530

9963

#: serverguide/C/network-auth.xml:2517(para)

10531

#: serverguide/C/network-auth.xml:3004(para)

9964

10532

msgid "In order to authenticate to a Kerberos Realm, the <application>krb5-user</application> and <application>libpam-krb5</application> packages are needed, along with a few others that are not strictly necessary but make life easier. To install the packages enter the following in a terminal prompt:"

9965

10533

msgstr ""

9966

10534

9967

#: serverguide/C/network-auth.xml:2524(command)

10535

#: serverguide/C/network-auth.xml:3011(command)

9968

10536

msgid "sudo apt-get install krb5-user libpam-krb5 libpam-ccreds auth-client-config"

9969

10537

msgstr ""

9970

10538

9971

#: serverguide/C/network-auth.xml:2527(para)

10539

#: serverguide/C/network-auth.xml:3014(para)

9972

10540

msgid "The <application>auth-client-config</application> package allows simple configuration of PAM for authentication from multiple sources, and the <application>libpam-ccreds</application> will cache authentication credentials allowing you to login in case the Key Distribution Center (KDC) is unavailable. This package is also useful for laptops that may authenticate using Kerberos while on the corporate network, but will need to be accessed off the network as well."

9973

10541

msgstr ""

9974

10542

9975

#: serverguide/C/network-auth.xml:2538(para)

10543

#: serverguide/C/network-auth.xml:3025(para)

9976

10544

msgid "To configure the client in a terminal enter:"

9977

10545

msgstr ""

9978

10546

9979

#: serverguide/C/network-auth.xml:2543(command)

10547

#: serverguide/C/network-auth.xml:3030(command)

9980

10548

msgid "sudo dpkg-reconfigure krb5-config"

9981

10549

msgstr ""

9982

10550

9983

#: serverguide/C/network-auth.xml:2546(para)

10551

#: serverguide/C/network-auth.xml:3033(para)

9984

10552

msgid "You will then be prompted to enter the name of the Kerberos Realm. Also, if you don't have DNS configured with Kerberos <emphasis>SRV</emphasis> records, the menu will prompt you for the hostname of the Key Distribution Center (KDC) and Realm Administration server."

9985

10553

msgstr ""

9986

10554

9987

#: serverguide/C/network-auth.xml:2552(para)

10555

#: serverguide/C/network-auth.xml:3039(para)

9988

10556

msgid "The <application>dpkg-reconfigure</application> adds entries to the <filename>/etc/krb5.conf</filename> file for your Realm. You should have entries similar to the following:"

9989

10557

msgstr ""

9990

10558

9991

#: serverguide/C/network-auth.xml:2557(programlisting)

10559

#: serverguide/C/network-auth.xml:3044(programlisting)

9992

10560

#, no-wrap

9993

10561

msgid "\n[libdefaults]\n default_realm = EXAMPLE.COM\n...\n[realms]\n EXAMPLE.COM = } \n kdc = 192.168.0.1 \n admin_server = 192.168.0.1\n }\n"

9994

10562

msgstr ""

9995

10563

9996

#: serverguide/C/network-auth.xml:2568(para)

10564

#: serverguide/C/network-auth.xml:3055(para)

9997

10565

msgid "You can test the configuration by requesting a ticket using the <application>kinit</application> utility. For example:"

9998

10566

msgstr ""

9999

10567

10000

#: serverguide/C/network-auth.xml:2573(command)

10568

#: serverguide/C/network-auth.xml:3060(command)

10001

10569

msgid "kinit steve@EXAMPLE.COM"

10002

10570

msgstr ""

10003

10571

10004

#: serverguide/C/network-auth.xml:2574(computeroutput)

10572

#: serverguide/C/network-auth.xml:3061(computeroutput)

10005

10573

#, no-wrap

10006

10574

msgid "Password for steve@EXAMPLE.COM:"

10007

10575

msgstr ""

10008

10576

10009

#: serverguide/C/network-auth.xml:2577(para)

10577

#: serverguide/C/network-auth.xml:3064(para)

10010

10578

msgid "When a ticket has been granted, the details can be viewed using <application>klist</application>:"

10011

10579

msgstr ""

10012

10580

10013

#: serverguide/C/network-auth.xml:2583(computeroutput)

10581

#: serverguide/C/network-auth.xml:3070(computeroutput)

10014

10582

#, no-wrap

10015

10583

msgid "Ticket cache: FILE:/tmp/krb5cc_1000\nDefault principal: steve@EXAMPLE.COM\n\nValid starting Expires Service principal\n07/24/08 05:18:56 07/24/08 15:18:56 krbtgt/EXAMPLE.COM@EXAMPLE.COM\n renew until 07/25/08 05:18:57\n\n\nKerberos 4 ticket cache: /tmp/tkt1000\nklist: You have no tickets cached"

10016

10584

msgstr ""

10017

10585

10018

#: serverguide/C/network-auth.xml:2595(para)

10586

#: serverguide/C/network-auth.xml:3082(para)

10019

10587

msgid "Next, use the <application>auth-client-config</application> to configure the <application>libpam-krb5</application> module to request a ticket during login:"

10020

10588

msgstr ""

10021

10589

10022

#: serverguide/C/network-auth.xml:2601(command)

10590

#: serverguide/C/network-auth.xml:3088(command)

10023

10591

msgid "sudo auth-client-config -a -p kerberos_example"

10024

10592

msgstr ""

10025

10593

10026

#: serverguide/C/network-auth.xml:2604(para)

10594

#: serverguide/C/network-auth.xml:3091(para)

10027

10595

msgid "You will should now receive a ticket upon successful login authentication."

10028

10596

msgstr ""

10029

10597

10030

#: serverguide/C/network-auth.xml:2615(para)

10598

#: serverguide/C/network-auth.xml:3102(para)

10031

10599

msgid "For more information on Kerberos see the <ulink url=\"http://web.mit.edu/Kerberos/\">MIT Kerberos</ulink> site."

10032

10600

msgstr ""

10033

10601

10034

#: serverguide/C/network-auth.xml:2620(para)

10602

#: serverguide/C/network-auth.xml:3107(para)

10035

10603

msgid "The <ulink url=\"https://help.ubuntu.com/community/Kerberos\">Ubuntu Wiki Kerberos</ulink> page has more details."

10036

10604

msgstr ""

10037

10605

10038

#: serverguide/C/network-auth.xml:2625(para)

10606

#: serverguide/C/network-auth.xml:3112(para)

10039

10607

msgid "O'Reilly's <ulink url=\"http://oreilly.com/catalog/9780596004033/\">Kerberos: The Definitive Guide</ulink> is a great reference when setting up Kerberos."

10040

10608

msgstr ""

10041

10609

10042

#: serverguide/C/network-auth.xml:2631(para)

10610

#: serverguide/C/network-auth.xml:3118(para)

10043

10611

msgid "Also, feel free to stop by the <emphasis>#ubuntu-server</emphasis> IRC channel on <ulink url=\"http://freenode.net/\">Freenode</ulink> if you have Kerberos questions."

10044

10612

msgstr ""

10045

10613

10046

#: serverguide/C/network-auth.xml:2641(title)

10614

#: serverguide/C/network-auth.xml:3128(title)

10047

10615

msgid "Kerberos and LDAP"

10048

10616

msgstr ""

10049

10617

10050

#: serverguide/C/network-auth.xml:2643(para)

10618

#: serverguide/C/network-auth.xml:3130(para)

10051

10619

msgid "Replicating a Kerberos principal database between two servers can be complicated, and adds an additional user database to your network. Fortunately, MIT Kerberos can be configured to use an <application>LDAP</application> directory as a principal database. This section covers configuring a primary and secondary kerberos server to use <application>OpenLDAP</application> for the principal database."

10052

10620

msgstr ""

10053

10621

10054

#: serverguide/C/network-auth.xml:2651(title)

10622

#: serverguide/C/network-auth.xml:3138(title)

10055

10623

msgid "Configuring OpenLDAP"

10056

10624

msgstr ""

10057

10625

10058

#: serverguide/C/network-auth.xml:2653(para)

10626

#: serverguide/C/network-auth.xml:3140(para)

10059

10627

msgid "First, the necessary <emphasis>schema</emphasis> needs to be loaded on an <application>OpenLDAP</application> server that has network connectivity to the Primary and Secondary KDCs. The rest of this section assumes that you also have LDAP replication configured between at least two servers. For information on setting up OpenLDAP see <xref linkend=\"openldap-server\"/>."

10060

10628

msgstr ""

10061

10629

10062

#: serverguide/C/network-auth.xml:2660(para)

10630

#: serverguide/C/network-auth.xml:3147(para)

10063

10631

msgid "It is also required to configure OpenLDAP for TLS and SSL connections, so that traffic between the KDC and LDAP server is encrypted. See <xref linkend=\"openldap-tls\"/> for details."

10064

10632

msgstr ""

10065

10633

10066

#: serverguide/C/network-auth.xml:2667(para)

10634

#: serverguide/C/network-auth.xml:3154(para)

10067

10635

msgid "To load the schema into LDAP, on the LDAP server install the <application>krb5-kdc-ldap</application> package. From a terminal enter:"

10068

10636

msgstr ""

10069

10637

10070

#: serverguide/C/network-auth.xml:2673(command)

10638

#: serverguide/C/network-auth.xml:3160(command)

10071

10639

msgid "sudo apt-get install krb5-kdc-ldap"

10072

10640

msgstr ""

10073

10641

10074

#: serverguide/C/network-auth.xml:2678(para)

10642

#: serverguide/C/network-auth.xml:3165(para)

10075

10643

msgid "Next, extract the <filename>kerberos.schema.gz</filename> file:"

10076

10644

msgstr ""

10077

10645

10078

#: serverguide/C/network-auth.xml:2683(command)

10646

#: serverguide/C/network-auth.xml:3170(command)

10079

10647

msgid "sudo gzip -d /usr/share/doc/krb5-kdc-ldap/kerberos.schema.gz"

10080

10648

msgstr ""

10081

10649

10082

#: serverguide/C/network-auth.xml:2684(command)

10650

#: serverguide/C/network-auth.xml:3171(command)

10083

10651

msgid "sudo cp /usr/share/doc/krb5-kdc-ldap/kerberos.schema /etc/ldap/schema/"

10084

10652

msgstr ""

10085

10653

10086

#: serverguide/C/network-auth.xml:2690(para)

10654

#: serverguide/C/network-auth.xml:3177(para)

10087

10655

msgid "The <emphasis>kerberos</emphasis> schema needs to be added to the <emphasis>cn=config</emphasis> tree. The procedure to add a new schema to <application>slapd</application> is also detailed in <xref linkend=\"openldap-configuration\"/>."

10088

10656

msgstr ""

10089

10657

10090

#: serverguide/C/network-auth.xml:2703(programlisting)

10658

#: serverguide/C/network-auth.xml:3185(para)

10659

msgid "First, create a configuration file named <filename>schema_convert.conf</filename>, or a similar descriptive name, containing the following lines:"

10660

msgstr ""

10661

10662

#: serverguide/C/network-auth.xml:3190(programlisting)

10091

10663

#, no-wrap

10092

10664

10093

10665

msgstr ""

10094

10666

10095

#: serverguide/C/network-auth.xml:2723(para)

10667

#: serverguide/C/network-auth.xml:3210(para)

10096

10668

msgid "Create a temporary directory to hold the LDIF files:"

10097

10669

msgstr ""

10098

10670

10099

#: serverguide/C/network-auth.xml:2738(command)

10671

#: serverguide/C/network-auth.xml:3214(command)

10672

msgid "mkdir /tmp/ldif_output"

10673

msgstr ""

10674

10675

#: serverguide/C/network-auth.xml:3220(para)

10676

msgid "Now use <application>slapcat</application> to convert the schema files:"

10677

msgstr ""

10678

10679

#: serverguide/C/network-auth.xml:3225(command)

10100

10680

msgid "slapcat -f schema_convert.conf -F /tmp/ldif_output -n0 -s \"cn={12}kerberos,cn=schema,cn=config\" > /tmp/cn=kerberos.ldif"

10101

10681

msgstr ""

10102

10682

10103

#: serverguide/C/network-auth.xml:2748(para)

10683

#: serverguide/C/network-auth.xml:3228(para)

10684

msgid "Change the above file and path names to match your own if they are different."

10685

msgstr ""

10686

10687

#: serverguide/C/network-auth.xml:3235(para)

10104

10688

msgid "Edit the generated <filename>/tmp/cn\\=kerberos.ldif</filename> file, changing the following attributes:"

10105

10689

msgstr ""

10106

10690

10107

#: serverguide/C/network-auth.xml:2752(programlisting)

10691

#: serverguide/C/network-auth.xml:3239(programlisting)

10108

10692

#, no-wrap

10109

10693

msgid "\ndn: cn=kerberos,cn=schema,cn=config\n...\ncn: kerberos\n"

10110

10694

msgstr ""

10111

10695

10112

#: serverguide/C/network-auth.xml:2758(para)

10696

#: serverguide/C/network-auth.xml:3245(para)

10113

10697

msgid "And remove the following lines from the end of the file:"

10114

10698

msgstr ""

10115

10699

10116

#: serverguide/C/network-auth.xml:2762(programlisting)

10700

#: serverguide/C/network-auth.xml:3249(programlisting)

10117

10701

#, no-wrap

10118

10702

msgid "\nstructuralObjectClass: olcSchemaConfig\nentryUUID: 18ccd010-746b-102d-9fbe-3760cca765dc\ncreatorsName: cn=config\ncreateTimestamp: 20090111203515Z\nentryCSN: 20090111203515.326445Z#000000#000#000000\nmodifiersName: cn=config\nmodifyTimestamp: 20090111203515Z\n"

10119

10703

msgstr ""

10120

10704

10121

#: serverguide/C/network-auth.xml:2781(para)

10705

#: serverguide/C/network-auth.xml:3259(para)

10706

msgid "The attribute values will vary, just be sure the attributes are removed."

10707

msgstr ""

10708

10709

#: serverguide/C/network-auth.xml:3266(para)

10122

10710

msgid "Load the new schema with <application>ldapadd</application>:"

10123

10711

msgstr ""

10124

10712

10125

#: serverguide/C/network-auth.xml:2786(command)

10713

#: serverguide/C/network-auth.xml:3271(command)

10126

10714

msgid "ldapadd -x -D cn=admin,cn=config -W -f /tmp/cn\\=kerberos.ldif"

10127

10715

msgstr ""

10128

10716

10129

#: serverguide/C/network-auth.xml:2792(para)

10717

#: serverguide/C/network-auth.xml:3277(para)

10130

10718

msgid "Add an index for the <emphasis>krb5principalname</emphasis> attribute:"

10131

10719

msgstr ""

10132

10720

10133

#: serverguide/C/network-auth.xml:2797(command) serverguide/C/network-auth.xml:2814(command)

10721

#: serverguide/C/network-auth.xml:3282(command) serverguide/C/network-auth.xml:3299(command)

10134

10722

msgid "ldapmodify -x -D cn=admin,cn=config -W"

10135

10723

msgstr ""

10136

10724

10137

#: serverguide/C/network-auth.xml:2799(userinput)

10725

#: serverguide/C/network-auth.xml:3284(userinput)

10138

10726

#, no-wrap

10139

10727

msgid "dn: olcDatabase={1}hdb,cn=config\nadd: olcDbIndex\nolcDbIndex: krbPrincipalName eq,pres,sub"

10140

10728

msgstr ""

10141

10729

10142

#: serverguide/C/network-auth.xml:2798(computeroutput)

10730

#: serverguide/C/network-auth.xml:3283(computeroutput)

10143

10731

#, no-wrap

10144

10732

msgid "Enter LDAP Password:\n<placeholder-1/>\n\nmodifying entry \"olcDatabase={1}hdb,cn=config\""

10145

10733

msgstr ""

10146

10734

10147

#: serverguide/C/network-auth.xml:2809(para)

10735

#: serverguide/C/network-auth.xml:3294(para)

10148

10736

msgid "Finally, update the Access Control Lists (ACL):"

10149

10737

msgstr ""

10150

10738

10151

#: serverguide/C/network-auth.xml:2816(userinput)

10739

#: serverguide/C/network-auth.xml:3301(userinput)

10152

10740

#, no-wrap

10153

10741

msgid "dn: olcDatabase={1}hdb,cn=config\nreplace: olcAccess\nolcAccess: to attrs=userPassword,shadowLastChange,krbPrincipalKey by dn=\"cn=admin,dc=exampl\n e,dc=com\" write by anonymous auth by self write by * none\n-\nadd: olcAccess\nolcAccess: to dn.base=\"\" by * read\n-\nadd: olcAccess\nolcAccess: to * by dn=\"cn=admin,dc=example,dc=com\" write by * read"

10154

10742

msgstr ""

10155

10743

10156

#: serverguide/C/network-auth.xml:2815(computeroutput)

10744

#: serverguide/C/network-auth.xml:3300(computeroutput)

10157

10745

#, no-wrap

10158

10746

msgid "Enter LDAP Password: \n<placeholder-1/>\n\nmodifying entry \"olcDatabase={1}hdb,cn=config\"\n"

10159

10747

msgstr ""

10160

10748

10161

#: serverguide/C/network-auth.xml:2836(para)

10749

#: serverguide/C/network-auth.xml:3321(para)

10162

10750

msgid "That's it, your LDAP directory is now ready to serve as a Kerberos principal database."

10163

10751

msgstr ""

10164

10752

10165

#: serverguide/C/network-auth.xml:2842(title)

10753

#: serverguide/C/network-auth.xml:3327(title)

10166

10754

msgid "Primary KDC Configuration"

10167

10755

msgstr ""

10168

10756

10169

#: serverguide/C/network-auth.xml:2844(para)

10757

#: serverguide/C/network-auth.xml:3329(para)

10170

10758

msgid "With <application>OpenLDAP</application> configured it is time to configure the KDC."

10171

10759

msgstr ""

10172

10760

10173

#: serverguide/C/network-auth.xml:2850(para)

10761

#: serverguide/C/network-auth.xml:3335(para)

10174

10762

msgid "First, install the necessary packages, from a terminal enter:"

10175

10763

msgstr ""

10176

10764

10177

#: serverguide/C/network-auth.xml:2855(command) serverguide/C/network-auth.xml:3012(command)

10765

#: serverguide/C/network-auth.xml:3340(command) serverguide/C/network-auth.xml:3497(command)

10178

10766

msgid "sudo apt-get install krb5-kdc krb5-admin-server krb5-kdc-ldap"

10179

10767

msgstr ""

10180

10768

10181

#: serverguide/C/network-auth.xml:2861(para)

10769

#: serverguide/C/network-auth.xml:3346(para)

10182

10770

msgid "Now edit <filename>/etc/krb5.conf</filename> adding the following options to under the appropriate sections:"

10183

10771

msgstr ""

10184

10772

10185

#: serverguide/C/network-auth.xml:2865(programlisting)

10773

#: serverguide/C/network-auth.xml:3350(programlisting)

10186

10774

#, no-wrap

10187

10775

msgid "\n[libdefaults]\n default_realm = EXAMPLE.COM\n\n...\n\n[realms]\n EXAMPLE.COM = {\n kdc = kdc01.example.com\n kdc = kdc02.example.com\n admin_server = kdc01.example.com\n admin_server = kdc02.example.com\n default_domain = example.com\n database_module = openldap_ldapconf\n }\n\n...\n\n[domain_realm]\n .example.com = EXAMPLE.COM\n\n\n...\n\n[dbdefaults]\n ldap_kerberos_container_dn = dc=example,dc=com\n\n[dbmodules]\n openldap_ldapconf = {\n db_library = kldap\n ldap_kdc_dn = \"cn=admin,dc=example,dc=com\"\n\n # this object needs to have read rights on\n # the realm container, principal container and realm sub-trees\n ldap_kadmind_dn = \"cn=admin,dc=example,dc=com\"\n\n # this object needs to have read and write rights on\n # the realm container, principal container and realm sub-trees\n ldap_service_password_file = /etc/krb5kdc/service.keyfile\n ldap_servers = ldaps://ldap01.example.com ldaps://ldap02.example.com\n ldap_conns_per_server = 5\n }\n"

10188

10776

msgstr ""

10189

10777

10190

#: serverguide/C/network-auth.xml:2910(para)

10778

#: serverguide/C/network-auth.xml:3395(para)

10191

10779

msgid "Change <emphasis>example.com</emphasis>, <emphasis>dc=example,dc=com</emphasis>, <emphasis>cn=admin,dc=example,dc=com</emphasis>, and <emphasis>ldap01.example.com</emphasis> to the appropriate domain, LDAP object, and LDAP server for your network."

10192

10780

msgstr ""

10193

10781

10194

#: serverguide/C/network-auth.xml:2919(para)

10782

#: serverguide/C/network-auth.xml:3404(para)

10195

10783

msgid "Next, use the <application>kdb5_ldap_util</application> utility to create the realm:"

10196

10784

msgstr ""

10197

10785

10198

#: serverguide/C/network-auth.xml:2924(command)

10786

#: serverguide/C/network-auth.xml:3409(command)

10199

10787

msgid "sudo kdb5_ldap_util -D cn=admin,dc=example,dc=com create -subtrees dc=example,dc=com -r EXAMPLE.COM -s -H ldap://ldap01.example.com"

10200

10788

msgstr ""

10201

10789

10202

#: serverguide/C/network-auth.xml:2930(para)

10790

#: serverguide/C/network-auth.xml:3415(para)

10203

10791

msgid "Create a stash of the password used to bind to the LDAP server. This password is used by the <emphasis>ldap_kdc_dn</emphasis> and <emphasis>ldap_kadmin_dn</emphasis> options in <filename>/etc/krb5.conf</filename>:"

10204

10792

msgstr ""

10205

10793

10206

#: serverguide/C/network-auth.xml:2936(command) serverguide/C/network-auth.xml:3074(command)

10794

#: serverguide/C/network-auth.xml:3421(command) serverguide/C/network-auth.xml:3559(command)

10207

10795

msgid "sudo kdb5_ldap_util -D cn=admin,dc=example,dc=com stashsrvpw -f /etc/krb5kdc/service.keyfile cn=admin,dc=example,dc=com"

10208

10796

msgstr ""

10209

10797

10210

#: serverguide/C/network-auth.xml:2942(para)

10798

#: serverguide/C/network-auth.xml:3427(para)

10211

10799

msgid "Copy the CA certificate from the LDAP server:"

10212

10800

msgstr ""

10213

10801

10214

#: serverguide/C/network-auth.xml:2947(command)

10802

#: serverguide/C/network-auth.xml:3432(command)

10215

10803

msgid "scp ldap01:/etc/ssl/certs/cacert.pem ."

10216

10804

msgstr ""

10217

10805

10218

#: serverguide/C/network-auth.xml:2948(command)

10806

#: serverguide/C/network-auth.xml:3433(command)

10219

10807

msgid "sudo cp cacert.pem /etc/ssl/certs"

10220

10808

msgstr ""

10221

10809

10222

#: serverguide/C/network-auth.xml:2951(para)

10810

#: serverguide/C/network-auth.xml:3436(para)

10223

10811

msgid "And edit <filename>/etc/ldap/ldap.conf</filename> to use the certificate:"

10224

10812

msgstr ""

10225

10813

10226

#: serverguide/C/network-auth.xml:2955(programlisting)

10814

#: serverguide/C/network-auth.xml:3440(programlisting)

10227

10815

#, no-wrap

10228

10816

msgid "\nTLS_CACERT /etc/ssl/certs/cacert.pem\n"

10229

10817

msgstr ""

10230

10818

10231

#: serverguide/C/network-auth.xml:2960(para)

10819

#: serverguide/C/network-auth.xml:3445(para)

10232

10820

msgid "The certificate will also need to be copied to the Secondary KDC, to allow the connection to the LDAP servers using LDAPS."

10233

10821

msgstr ""

10234

10822

10235

#: serverguide/C/network-auth.xml:2969(para)

10823

#: serverguide/C/network-auth.xml:3454(para)

10236

10824

msgid "You can now add Kerberos principals to the LDAP database, and they will be copied to any other LDAP servers configured for replication. To add a principal using the <application>kadmin.local</application> utility enter:"

10237

10825

msgstr ""

10238

10826

10239

#: serverguide/C/network-auth.xml:2977(userinput)

10827

#: serverguide/C/network-auth.xml:3462(userinput)

10240

10828

#, no-wrap

10241

10829

msgid "addprinc -x dn=\"uid=steve,ou=people,dc=example,dc=com\" steve"

10242

10830

msgstr ""

10243

10831

10244

#: serverguide/C/network-auth.xml:2976(computeroutput)

10832

#: serverguide/C/network-auth.xml:3461(computeroutput)

10245

10833

#, no-wrap

10246

10834

msgid "Authenticating as principal root/admin@EXAMPLE.COM with password.\nkadmin.local: <placeholder-1/>\nWARNING: no policy specified for steve@EXAMPLE.COM; defaulting to no policy\nEnter password for principal \"steve@EXAMPLE.COM\": \nRe-enter password for principal \"steve@EXAMPLE.COM\": \nPrincipal \"steve@EXAMPLE.COM\" created."

10247

10835

msgstr ""

10248

10836

10249

#: serverguide/C/network-auth.xml:2984(para)

10837

#: serverguide/C/network-auth.xml:3469(para)

10250

10838

msgid "There should now be krbPrincipalName, krbPrincipalKey, krbLastPwdChange, and krbExtraData attributes added to the <emphasis>uid=steve,ou=people,dc=example,dc=com</emphasis> user object. Use the <application>kinit</application> and <application>klist</application> utilities to test that the user is indeed issued a ticket."

10251

10839

msgstr ""

10252

10840

10253

#: serverguide/C/network-auth.xml:2991(para)

10841

#: serverguide/C/network-auth.xml:3476(para)

10254

10842

msgid "If the user object is already created the <emphasis>-x dn=\"...\"</emphasis> option is needed to add the Kerberos attributes. Otherwise a new <emphasis>principal</emphasis> object will be created in the realm subtree."

10255

10843

msgstr ""

10256

10844

10257

#: serverguide/C/network-auth.xml:2999(title)

10845

#: serverguide/C/network-auth.xml:3484(title)

10258

10846

msgid "Secondary KDC Configuration"

10259

10847

msgstr ""

10260

10848

10261

#: serverguide/C/network-auth.xml:3001(para)

10849

#: serverguide/C/network-auth.xml:3486(para)

10262

10850

msgid "Configuring a Secondary KDC using the LDAP backend is similar to configuring one using the normal Kerberos database."

10263

10851

msgstr ""

10264

10852

10265

#: serverguide/C/network-auth.xml:3007(para)

10853

#: serverguide/C/network-auth.xml:3492(para)

10266

10854

msgid "First, install the necessary packages. In a terminal enter:"

10267

10855

msgstr ""

10268

10856

10269

#: serverguide/C/network-auth.xml:3018(para)

10857

#: serverguide/C/network-auth.xml:3503(para)

10270

10858

msgid "Next, edit <filename>/etc/krb5.conf</filename> to use the LDAP backend:"

10271

10859

msgstr ""

10272

10860

10273

#: serverguide/C/network-auth.xml:3022(programlisting)

10861

#: serverguide/C/network-auth.xml:3507(programlisting)

10274

10862

#, no-wrap

10275

10863

msgid "\n[libdefaults]\n default_realm = EXAMPLE.COM\n\n...\n\n[realms]\n EXAMPLE.COM = {\n kdc = kdc01.example.com\n kdc = kdc02.example.com\n admin_server = kdc01.example.com\n admin_server = kdc02.example.com\n default_domain = example.com\n database_module = openldap_ldapconf\n }\n\n...\n\n[domain_realm]\n .example.com = EXAMPLE.COM\n\n...\n\n[dbdefaults]\n ldap_kerberos_container_dn = dc=example,dc=com\n\n[dbmodules]\n openldap_ldapconf = {\n db_library = kldap\n ldap_kdc_dn = \"cn=admin,dc=example,dc=com\"\n\n # this object needs to have read rights on\n # the realm container, principal container and realm sub-trees\n ldap_kadmind_dn = \"cn=admin,dc=example,dc=com\"\n\n # this object needs to have read and write rights on\n # the realm container, principal container and realm sub-trees\n ldap_service_password_file = /etc/krb5kdc/service.keyfile\n ldap_servers = ldaps://ldap01.example.com ldaps://ldap02.example.com\n ldap_conns_per_server = 5\n }\n"

10276

10864

msgstr ""

10277

10865

10278

#: serverguide/C/network-auth.xml:3069(para)

10866

#: serverguide/C/network-auth.xml:3554(para)

10279

10867

msgid "Create the stash for the LDAP bind password:"

10280

10868

msgstr ""

10281

10869

10282

#: serverguide/C/network-auth.xml:3080(para)

10870

#: serverguide/C/network-auth.xml:3565(para)

10283

10871

msgid "Now, on the <emphasis>Primary KDC</emphasis> copy the <filename>/etc/krb5kdc/.k5.EXAMPLE.COM</filename><emphasis>Master Key</emphasis> stash to the Secondary KDC. Be sure to copy the file over an encrypted connection such as <application>scp</application>, or on physical media."

10284

10872

msgstr ""

10285

10873

10286

#: serverguide/C/network-auth.xml:3087(command)

10874

#: serverguide/C/network-auth.xml:3572(command)

10287

10875

msgid "sudo scp /etc/krb5kdc/.k5.EXAMPLE.COM steve@kdc02.example.com:~"

10288

10876

msgstr ""

10289

10877

10290

#: serverguide/C/network-auth.xml:3088(command)

10878

#: serverguide/C/network-auth.xml:3573(command)

10291

10879

msgid "sudo mv .k5.EXAMPLE.COM /etc/krb5kdc/"

10292

10880

msgstr ""

10293

10881

10294

#: serverguide/C/network-auth.xml:3092(para)

10882

#: serverguide/C/network-auth.xml:3577(para)

10295

10883

msgid "Again, replace <emphasis>EXAMPLE.COM</emphasis> with your actual realm."

10296

10884

msgstr ""

10297

10885

10298

#: serverguide/C/network-auth.xml:3100(para)

10886

#: serverguide/C/network-auth.xml:3585(para)

10299

10887

msgid "Finally, start the <application>krb5-kdc</application> daemon:"

10300

10888

msgstr ""

10301

10889

10302

#: serverguide/C/network-auth.xml:3111(para)

10890

#: serverguide/C/network-auth.xml:3596(para)

10303

10891

msgid "You now have redundant KDCs on your network, and with redundant LDAP servers you should be able to continue to authenticate users if one LDAP server, one Kerberos server, or one LDAP and one Kerberos server become unavailable."

10304

10892

msgstr ""

10305

10893

10306

#: serverguide/C/network-auth.xml:3123(para)

10894

#: serverguide/C/network-auth.xml:3608(para)

10307

10895

msgid "The <ulink url=\"http://web.mit.edu/Kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html#Configuring-Kerberos-with-OpenLDAP-back_002dend\"> Kerberos Admin Guide</ulink> has some additional details."

10308

10896

msgstr ""

10309

10897

10310

#: serverguide/C/network-auth.xml:3129(para)

10311

msgid "For more information on <application>kdb5_ldap_util</application> see <ulink url=\"http://web.mit.edu/Kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html#Global-Operations-on-the-Kerberos-LDAP-Database\"> Section 5.6</ulink> and the <ulink url=\"http://manpages.ubuntu.com/manpages/natty/en/man8/kdb5_ldap_util.8.html\">kdb5_ldap_util man page</ulink>."

10312

msgstr ""

10313

10314

#: serverguide/C/network-auth.xml:3137(para)

10315

msgid "Another useful link is the <ulink url=\"http://manpages.ubuntu.com/manpages/natty/en/man5/krb5.conf.5.html\">krb5.conf man page</ulink>."

10316

msgstr ""

10317

10318

#: serverguide/C/network-auth.xml:3142(para)

10898

#: serverguide/C/network-auth.xml:3614(para)

10899

msgid "For more information on <application>kdb5_ldap_util</application> see <ulink url=\"http://web.mit.edu/Kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html#Global-Operations-on-the-Kerberos-LDAP-Database\"> Section 5.6</ulink> and the <ulink url=\"http://manpages.ubuntu.com/manpages/oneiric/en/man8/kdb5_ldap_util.8.html\">kdb5_ldap_util man page</ulink>."

10900

msgstr ""

10901

10902

#: serverguide/C/network-auth.xml:3622(para)

10903

msgid "Another useful link is the <ulink url=\"http://manpages.ubuntu.com/manpages/oneiric/en/man5/krb5.conf.5.html\">krb5.conf man page</ulink>."

10904

msgstr ""

10905

10906

#: serverguide/C/network-auth.xml:3627(para)

10319

10907

msgid "Also, see the <ulink url=\"https://help.ubuntu.com/community/Kerberos#kerberos-ldap\">Kerberos and LDAP</ulink> Ubuntu wiki page."

10320

10908

msgstr ""

10321

10909

12013

12601

msgstr ""

12014

12602

12015

12603

#: serverguide/C/lamp-applications.xml:19(para)

12016

msgid "LAMP installations (Linux + Apache + MySQL + PHP) are a popular setup for Ubuntu servers. There is a plethora of Open Source applications written using the LAMP application stack. Some popular LAMP applications are Wiki's, Content Management Systems, and Management Software such as phpMyAdmin."

12604

msgid "LAMP installations (Linux + Apache + MySQL + PHP/Perl/Python) are a popular setup for Ubuntu servers. There is a plethora of Open Source applications written using the LAMP application stack. Some popular LAMP applications are Wiki's, Content Management Systems, and Management Software such as phpMyAdmin."

12017

12605

msgstr ""

12018

12606

12019

12607

#: serverguide/C/lamp-applications.xml:26(para)

12020

msgid "One advantage of LAMP is the substantial flexibility for different database, web server, and scripting languages. Popular substitutes for MySQL include PostgreSQL and SQLite. Python, Perl, and Ruby are also frequently used instead of PHP."

12608

12021

12609

msgstr ""

12022

12610

12023

12611

#: serverguide/C/lamp-applications.xml:32(para)

12024

msgid "The traditional way to install most <emphasis>LAMP</emphasis> applications is:"

12025

msgstr ""

12026

12027

#: serverguide/C/lamp-applications.xml:38(para)

12612

msgid "The fastest way to get started is to install LAMP using tasksel, tasksel is a Debian/Ubuntu tool that installs multiple related packages as a co-ordinated \"task\" onto your system."

12613

msgstr ""

12614

12615

#: serverguide/C/lamp-applications.xml:38(command)

12616

msgid "sudo tasksel install lamp-server"

12617

msgstr ""

12618

12619

#: serverguide/C/lamp-applications.xml:41(para)

12620

msgid "After installing it you'll be able to install most <emphasis>LAMP</emphasis> applications this way:"

12621

msgstr ""

12622

12623

#: serverguide/C/lamp-applications.xml:47(para)

12028

12624

msgid "Download an archive containing the application source files."

12029

12625

msgstr ""

12030

12626

12031

#: serverguide/C/lamp-applications.xml:43(para)

12627

#: serverguide/C/lamp-applications.xml:52(para)

12032

12628

msgid "Unpack the archive, usually in a directory accessible to a web server."

12033

12629

msgstr ""

12034

12630

12035

#: serverguide/C/lamp-applications.xml:48(para)

12631

#: serverguide/C/lamp-applications.xml:57(para)

12036

12632

msgid "Depending on where the source was extracted, configure a web server to serve the files."

12037

12633

msgstr ""

12038

12634

12039

#: serverguide/C/lamp-applications.xml:53(para)

12635

#: serverguide/C/lamp-applications.xml:62(para)

12040

12636

msgid "Configure the application to connect to the database."

12041

12637

msgstr ""

12042

12638

12043

#: serverguide/C/lamp-applications.xml:58(para)

12639

#: serverguide/C/lamp-applications.xml:67(para)

12044

12640

msgid "Run a script, or browse to a page of the application, to install the database needed by the application."

12045

12641

msgstr ""

12046

12642

12047

#: serverguide/C/lamp-applications.xml:63(para)

12643

#: serverguide/C/lamp-applications.xml:72(para)

12048

12644

msgid "Once the steps above, or similar steps, are completed you are ready to begin using the application."

12049

12645

msgstr ""

12050

12646

12051

#: serverguide/C/lamp-applications.xml:69(para)

12647

#: serverguide/C/lamp-applications.xml:78(para)

12052

12648

msgid "A disadvantage of using this approach is that the application files are not placed in the file system in a standard way, which can cause confusion as to where the application is installed. Another larger disadvantage is updating the application. When a new version is released, the same process used to install the application is needed to apply updates."

12053

12649

msgstr ""

12054

12650

12055

#: serverguide/C/lamp-applications.xml:76(para)

12651

#: serverguide/C/lamp-applications.xml:85(para)

12056

12652

msgid "Fortunately, a number of <emphasis>LAMP</emphasis> applications are already packaged for Ubuntu, and are available for installation in the same way as non-LAMP applications. Depending on the application some extra configuration and setup steps may be needed, however."

12057

12653

msgstr ""

12058

12654

12059

#: serverguide/C/lamp-applications.xml:82(para)

12655

#: serverguide/C/lamp-applications.xml:91(para)

12060

12656

msgid "This section covers howto install and configure the Wiki applications <application>MoinMoin</application>, <application>MediaWiki</application>, and the MySQL management application <application>phpMyAdmin</application>."

12061

12657

msgstr ""

12062

12658

12063

#: serverguide/C/lamp-applications.xml:88(para)

12659

#: serverguide/C/lamp-applications.xml:97(para)

12064

12660

msgid "A Wiki is a website that allows the visitors to easily add, remove and modify available content easily. The ease of interaction and operation makes Wiki an effective tool for mass collaborative authoring. The term Wiki is also referred to the collaborative software."

12065

12661

msgstr ""

12066

12662

12067

#: serverguide/C/lamp-applications.xml:100(title)

12663

#: serverguide/C/lamp-applications.xml:109(title)

12068

12664

msgid "Moin Moin"

12069

12665

msgstr ""

12070

12666

12071

#: serverguide/C/lamp-applications.xml:102(para)

12667

#: serverguide/C/lamp-applications.xml:111(para)

12072

12668

msgid "MoinMoin is a Wiki engine implemented in Python, based on the PikiPiki Wiki engine, and licensed under the GNU GPL."

12073

12669

msgstr ""

12074

12670

12075

#: serverguide/C/lamp-applications.xml:110(para)

12671

#: serverguide/C/lamp-applications.xml:119(para)

12076

12672

msgid "To install <application>MoinMoin</application>, run the following command in the command prompt:"

12077

12673

msgstr ""

12078

12674

12079

#: serverguide/C/lamp-applications.xml:116(command)

12675

#: serverguide/C/lamp-applications.xml:125(command)

12080

12676

msgid "sudo apt-get install python-moinmoin"

12081

12677

msgstr ""

12082

12678

12083

#: serverguide/C/lamp-applications.xml:119(para)

12679

#: serverguide/C/lamp-applications.xml:128(para)

12084

12680

msgid "You should also install <application>apache2</application> web server. For installing <application>apache2</application> web server, please refer to <xref linkend=\"http-installation\"/> sub-section in <xref linkend=\"httpd\"/> section."

12085

12681

msgstr ""

12086

12682

12087

#: serverguide/C/lamp-applications.xml:130(para)

12683

#: serverguide/C/lamp-applications.xml:139(para)

12088

12684

msgid "For configuring your first Wiki application, please run the following set of commands. Let us assume that you are creating a Wiki named <emphasis>mywiki</emphasis>:"

12089

12685

msgstr ""

12090

12686

12091

#: serverguide/C/lamp-applications.xml:137(command)

12687

#: serverguide/C/lamp-applications.xml:146(command)

12092

12688

msgid "cd /usr/share/moin"

12093

12689

msgstr ""

12094

12690

12095

#: serverguide/C/lamp-applications.xml:138(command)

12691

#: serverguide/C/lamp-applications.xml:147(command)

12096

12692

msgid "sudo mkdir mywiki"

12097

12693

msgstr ""

12098

12694

12099

#: serverguide/C/lamp-applications.xml:139(command)

12695

#: serverguide/C/lamp-applications.xml:148(command)

12100

12696

msgid "sudo cp -R data mywiki"

12101

12697

msgstr ""

12102

12698

12103

#: serverguide/C/lamp-applications.xml:140(command)

12699

#: serverguide/C/lamp-applications.xml:149(command)

12104

12700

msgid "sudo cp -R underlay mywiki"

12105

12701

msgstr ""

12106

12702

12107

#: serverguide/C/lamp-applications.xml:141(command)

12703

#: serverguide/C/lamp-applications.xml:150(command)

12108

12704

msgid "sudo cp server/moin.cgi mywiki"

12109

12705

msgstr ""

12110

12706

12111

#: serverguide/C/lamp-applications.xml:142(command)

12707

#: serverguide/C/lamp-applications.xml:151(command)

12112

12708

msgid "sudo chown -R www-data.www-data mywiki"

12113

12709

msgstr ""

12114

12710

12115

#: serverguide/C/lamp-applications.xml:143(command)

12711

#: serverguide/C/lamp-applications.xml:152(command)

12116

12712

msgid "sudo chmod -R ug+rwX mywiki"

12117

12713

msgstr ""

12118

12714

12119

#: serverguide/C/lamp-applications.xml:144(command)

12715

#: serverguide/C/lamp-applications.xml:153(command)

12120

12716

msgid "sudo chmod -R o-rwx mywiki"

12121

12717

msgstr ""

12122

12718

12123

#: serverguide/C/lamp-applications.xml:147(para)

12719

#: serverguide/C/lamp-applications.xml:156(para)

12124

12720

msgid "Now you should configure <application>MoinMoin</application> to find your new Wiki <emphasis>mywiki</emphasis>. To configure <application>MoinMoin</application>, open <filename>/etc/moin/mywiki.py</filename> file and change the following line:"

12125

12721

msgstr ""

12126

12722

12127

#: serverguide/C/lamp-applications.xml:155(programlisting)

12723

#: serverguide/C/lamp-applications.xml:164(programlisting)

12128

12724

#, no-wrap

12129

12725

msgid "data_dir = '/org/mywiki/data'"

12130

12726

msgstr ""

12131

12727

12132

#: serverguide/C/lamp-applications.xml:157(para)

12728

#: serverguide/C/lamp-applications.xml:166(para)

12133

12729

msgid "to"

12134

12730

msgstr ""

12135

12731

12136

#: serverguide/C/lamp-applications.xml:161(programlisting)

12732

#: serverguide/C/lamp-applications.xml:170(programlisting)

12137

12733

#, no-wrap

12138

12734

msgid "data_dir = '/usr/share/moin/mywiki/data'"

12139

12735

msgstr ""

12140

12736

12141

#: serverguide/C/lamp-applications.xml:163(para)

12737

#: serverguide/C/lamp-applications.xml:172(para)

12142

12738

msgid "Also, below the <emphasis>data_dir</emphasis> option add the <emphasis>data_underlay_dir</emphasis>:"

12143

12739

msgstr ""

12144

12740

12145

#: serverguide/C/lamp-applications.xml:167(programlisting)

12741

#: serverguide/C/lamp-applications.xml:176(programlisting)

12146

12742

#, no-wrap

12147

12743

msgid "\ndata_underlay_dir='/usr/share/moin/mywiki/underlay'\n"

12148

12744

msgstr ""

12149

12745

12150

#: serverguide/C/lamp-applications.xml:172(para)

12746

#: serverguide/C/lamp-applications.xml:181(para)

12151

12747

msgid "If the <filename>/etc/moin/mywiki.py</filename> file does not exists, you should copy <filename>/etc/moin/moinmaster.py</filename> file to <filename>/etc/moin/mywiki.py</filename> file and do the above mentioned change."

12152

12748

msgstr ""

12153

12749

12154

#: serverguide/C/lamp-applications.xml:181(para)

12750

#: serverguide/C/lamp-applications.xml:190(para)

12155

12751

msgid "If you have named your Wiki as <emphasis>my_wiki_name</emphasis> you should insert a line <quote>(\"my_wiki_name\", r\".*\")</quote> in <filename>/etc/moin/farmconfig.py</filename> file after the line <quote>(\"mywiki\", r\".*\")</quote>."

12156

12752

msgstr ""

12157

12753

12158

#: serverguide/C/lamp-applications.xml:189(para)

12754

#: serverguide/C/lamp-applications.xml:198(para)

12159

12755

msgid "Once you have configured <application>MoinMoin</application> to find your first Wiki application <emphasis>mywiki</emphasis>, you should configure <application>apache2</application> and make it ready for your Wiki application."

12160

12756

msgstr ""

12161

12757

12162

#: serverguide/C/lamp-applications.xml:196(para)

12758

#: serverguide/C/lamp-applications.xml:205(para)

12163

12759

msgid "You should add the following lines in <filename>/etc/apache2/sites-available/default</filename> file inside the <quote><VirtualHost *></quote> tag:"

12164

12760

msgstr ""

12165

12761

12166

#: serverguide/C/lamp-applications.xml:202(programlisting)

12762

#: serverguide/C/lamp-applications.xml:211(programlisting)

12167

12763

#, no-wrap

12168

12764

msgid "\n### moin\n ScriptAlias /mywiki \"/usr/share/moin/mywiki/moin.cgi\"\n alias /moin_static184 \"/usr/share/moin/htdocs\"\n <Directory /usr/share/moin/htdocs>\n Order allow,deny\n allow from all\n </Directory>\n### end moin\n"

12169

12765

msgstr ""

12170

12766

12171

#: serverguide/C/lamp-applications.xml:214(para)

12767

#: serverguide/C/lamp-applications.xml:223(para)

12172

12768

msgid "Adjust the <emphasis>\"moin_static184\"</emphasis> in the <emphasis>alias</emphasis> line above, to the <application>moinmoin</application> version installed."

12173

12769

msgstr ""

12174

12770

12175

#: serverguide/C/lamp-applications.xml:220(para)

12771

#: serverguide/C/lamp-applications.xml:229(para)

12176

12772

msgid "Once you configure the <application>apache2</application> web server and make it ready for your Wiki application, you should restart it. You can run the following command to restart the <application>apache2</application> web server:"

12177

12773

msgstr ""

12178

12774

12179

#: serverguide/C/lamp-applications.xml:233(title)

12775

#: serverguide/C/lamp-applications.xml:242(title)

12180

12776

msgid "Verification"

12181

12777

msgstr ""

12182

12778

12183

#: serverguide/C/lamp-applications.xml:235(para)

12779

#: serverguide/C/lamp-applications.xml:244(para)

12184

12780

msgid "You can verify the Wiki application and see if it works by pointing your web browser to the following URL:"

12185

12781

msgstr ""

12186

12782

12187

#: serverguide/C/lamp-applications.xml:239(programlisting)

12783

#: serverguide/C/lamp-applications.xml:248(programlisting)

12188

12784

#, no-wrap

12189

12785

msgid "\nhttp://localhost/mywiki\n"

12190

12786

msgstr ""

12191

12787

12192

#: serverguide/C/lamp-applications.xml:243(para)

12788

#: serverguide/C/lamp-applications.xml:252(para)

12193

12789

msgid "For more details, please refer to the <ulink url=\"http://moinmo.in/\">MoinMoin</ulink> web site."

12194

12790

msgstr ""

12195

12791

12196

#: serverguide/C/lamp-applications.xml:254(para)

12792

#: serverguide/C/lamp-applications.xml:263(para)

12197

12793

msgid "For more information see the <ulink url=\"http://moinmo.in/\">moinmoin Wiki</ulink>."

12198

12794

msgstr ""

12199

12795

12200

#: serverguide/C/lamp-applications.xml:259(para)

12796

#: serverguide/C/lamp-applications.xml:268(para)

12201

12797

msgid "Also, see the <ulink url=\"https://help.ubuntu.com/community/MoinMoin\">Ubuntu Wiki MoinMoin</ulink> page."

12202

12798

msgstr ""

12203

12799

12204

#: serverguide/C/lamp-applications.xml:268(title)

12800

#: serverguide/C/lamp-applications.xml:277(title)

12205

12801

msgid "MediaWiki"

12206

12802

msgstr ""

12207

12803

12208

#: serverguide/C/lamp-applications.xml:270(para)

12804

#: serverguide/C/lamp-applications.xml:279(para)

12209

12805

msgid "MediaWiki is an web based Wiki software written in the PHP language. It can either use <application>MySQL</application> or <application>PostgreSQL</application> Database Management System."

12210

12806

msgstr ""

12211

12807

12212

#: serverguide/C/lamp-applications.xml:280(para)

12808

#: serverguide/C/lamp-applications.xml:289(para)

12213

12809

msgid "Before installing <application>MediaWiki</application> you should also install <application>Apache2</application>, the <application>PHP5</application> scripting language and Database a Management System. <application>MySQL</application> or <application>PostgreSQL</application> are the most common, choose one depending on your need. Please refer to those sections in this manual for installation instructions."

12214

12810

msgstr ""

12215

12811

12216

#: serverguide/C/lamp-applications.xml:288(para)

12812

#: serverguide/C/lamp-applications.xml:297(para)

12217

12813

msgid "To install <application>MediaWiki</application>, run the following command in the command prompt:"

12218

12814

msgstr ""

12219

12815

12220

#: serverguide/C/lamp-applications.xml:294(command)

12816

#: serverguide/C/lamp-applications.xml:303(command)

12221

12817

msgid "sudo apt-get install mediawiki php5-gd"

12222

12818

msgstr ""

12223

12819

12224

#: serverguide/C/lamp-applications.xml:297(para)

12820

#: serverguide/C/lamp-applications.xml:306(para)

12225

12821

msgid "For additional <application>MediaWiki</application> functionality see the <application>mediawiki-extensions</application> package."

12226

12822

msgstr ""

12227

12823

12228

#: serverguide/C/lamp-applications.xml:307(para)

12824

#: serverguide/C/lamp-applications.xml:316(para)

12229

12825

msgid "The Apache configuration file <filename>mediawiki.conf</filename> for MediaWiki is installed in <filename>/etc/apache2/conf.d/</filename> directory. You should uncomment the following line in this file to access MediaWiki application."

12230

12826

msgstr ""

12231

12827

12232

#: serverguide/C/lamp-applications.xml:315(screen)

12828

#: serverguide/C/lamp-applications.xml:324(screen)

12233

12829

#, no-wrap

12234

12830

msgid "\n# Alias /mediawiki /var/lib/mediawiki\n"

12235

12831

msgstr ""

12236

12832

12237

#: serverguide/C/lamp-applications.xml:319(para)

12833

#: serverguide/C/lamp-applications.xml:328(para)

12238

12834

msgid "After you uncomment the above line, restart Apache server and access MediaWiki using the following url:"

12239

12835

msgstr ""

12240

12836

12241

#: serverguide/C/lamp-applications.xml:324(programlisting)

12837

#: serverguide/C/lamp-applications.xml:333(programlisting)

12242

12838

#, no-wrap

12243

12839

msgid "\nhttp://localhost/mediawiki/config/index.php\n"

12244

12840

msgstr ""

12245

12841

12246

#: serverguide/C/lamp-applications.xml:329(para)

12842

#: serverguide/C/lamp-applications.xml:338(para)

12247

12843

msgid "Please read the <quote>Checking environment...</quote> section in this page. You should be able to fix many issues by carefully reading this section."

12248

12844

msgstr ""

12249

12845

12250

#: serverguide/C/lamp-applications.xml:336(para)

12846

#: serverguide/C/lamp-applications.xml:345(para)

12251

12847

msgid "Once the configuration is complete, you should copy the <filename>LocalSettings.php</filename> file to <filename>/etc/mediawiki</filename> directory:"

12252

12848

msgstr ""

12253

12849

12254

#: serverguide/C/lamp-applications.xml:343(command)

12850

#: serverguide/C/lamp-applications.xml:352(command)

12255

12851

msgid "sudo mv /var/lib/mediawiki/config/LocalSettings.php /etc/mediawiki/"

12256

12852

msgstr ""

12257

12853

12258

#: serverguide/C/lamp-applications.xml:346(para)

12854

#: serverguide/C/lamp-applications.xml:355(para)

12259

12855

msgid "You may also want to edit <filename>/etc/mediawiki/LocalSettings.php</filename> adjusting:"

12260

12856

msgstr ""

12261

12857

12262

#: serverguide/C/lamp-applications.xml:351(programlisting)

12858

#: serverguide/C/lamp-applications.xml:360(programlisting)

12263

12859

#, no-wrap

12264

12860

msgid "\nini_set( 'memory_limit', '64M' );\n"

12265

12861

msgstr ""

12266

12862

12267

#: serverguide/C/lamp-applications.xml:358(title)

12863

#: serverguide/C/lamp-applications.xml:367(title)

12268

12864

msgid "Extensions"

12269

12865

msgstr ""

12270

12866

12271

#: serverguide/C/lamp-applications.xml:359(para)

12867

#: serverguide/C/lamp-applications.xml:368(para)

12272

12868

msgid "The extensions add new features and enhancements for the MediaWiki application. The extensions give wiki administrators and end users the ability to customize MediaWiki to their requirements."

12273

12869

msgstr ""

12274

12870

12275

#: serverguide/C/lamp-applications.xml:365(para)

12871

#: serverguide/C/lamp-applications.xml:374(para)

12276

12872

msgid "You can download MediaWiki extensions as an archive file or checkout from the Subversion repository. You should copy it to <filename>/var/lib/mediawiki/extensions</filename> directory. You should also add the following line at the end of file: <filename>/etc/mediawiki/LocalSettings.php</filename>."

12277

12873

msgstr ""

12278

12874

12279

#: serverguide/C/lamp-applications.xml:373(programlisting)

12875

#: serverguide/C/lamp-applications.xml:382(programlisting)

12280

12876

#, no-wrap

12281

12877

msgid "\nrequire_once \"$IP/extensions/ExtentionName/ExtentionName.php\";\n"

12282

12878

msgstr ""

12283

12879

12284

#: serverguide/C/lamp-applications.xml:383(para)

12880

#: serverguide/C/lamp-applications.xml:392(para)

12285

12881

msgid "For more details, please refer to the <ulink url=\"http://www.mediawiki.org\">MediaWiki</ulink> web site."

12286

12882

msgstr ""

12287

12883

12288

#: serverguide/C/lamp-applications.xml:389(para)

12884

#: serverguide/C/lamp-applications.xml:398(para)

12289

12885

msgid "The <ulink url=\"http://www.packtpub.com/Mediawiki/book\">MediaWiki Administrators’ Tutorial Guide</ulink> contains a wealth of information for new MediaWiki administrators."

12290

12886

msgstr ""

12291

12887

12292

#: serverguide/C/lamp-applications.xml:395(para)

12888

#: serverguide/C/lamp-applications.xml:404(para)

12293

12889

msgid "Also, the <ulink url=\"https://help.ubuntu.com/community/MediaWiki\">Ubuntu Wiki MediaWiki</ulink> page is a good resource."

12294

12890

msgstr ""

12295

12891

12296

#: serverguide/C/lamp-applications.xml:405(title)

12892

#: serverguide/C/lamp-applications.xml:414(title)

12297

12893

msgid "phpMyAdmin"

12298

12894

msgstr ""

12299

12895

12300

#: serverguide/C/lamp-applications.xml:407(para)

12896

#: serverguide/C/lamp-applications.xml:416(para)

12301

12897

msgid "<application>phpMyAdmin</application> is a LAMP application specifically written for administering <application>MySQL</application> servers. Written in <application>PHP</application>, and accessed through a web browser, phpMyAdmin provides a graphical interface for database administration tasks."

12302

12898

msgstr ""

12303

12899

12304

#: serverguide/C/lamp-applications.xml:416(para)

12900

#: serverguide/C/lamp-applications.xml:425(para)

12305

12901

msgid "Before installing <application>phpMyAdmin</application> you will need access to a <application>MySQL</application> database either on the same host as that phpMyAdmin is installed on, or on a host accessible over the network. For more information see <xref linkend=\"mysql\"/>. From a terminal prompt enter:"

12306

12902

msgstr ""

12307

12903

12308

#: serverguide/C/lamp-applications.xml:423(command)

12904

#: serverguide/C/lamp-applications.xml:432(command)

12309

12905

msgid "sudo apt-get install phpmyadmin"

12310

12906

msgstr ""

12311

12907

12312

#: serverguide/C/lamp-applications.xml:426(para)

12908

#: serverguide/C/lamp-applications.xml:435(para)

12313

12909

msgid "At the prompt choose which web server to be configured for <application>phpMyAdmin</application>. The rest of this section will use <application>Apache2</application> for the web server."

12314

12910

msgstr ""

12315

12911

12316

#: serverguide/C/lamp-applications.xml:431(para)

12912

#: serverguide/C/lamp-applications.xml:440(para)

12317

12913

msgid "In a browser go to <emphasis>http://servername/phpmyadmin</emphasis>, replacing <emphasis role=\"italic\">serveranme</emphasis> with the server's actual hostname. At the login, page enter <emphasis>root</emphasis> for the <emphasis>username</emphasis>, or another <application>MySQL</application> user if you any setup, and enter the <application>MySQL</application> user's password."

12318

12914

msgstr ""

12319

12915

12320

#: serverguide/C/lamp-applications.xml:438(para)

12916

#: serverguide/C/lamp-applications.xml:447(para)

12321

12917

msgid "Once logged in you can reset the <emphasis>root</emphasis> password if needed, create users, create/destroy databases and tables, etc."

12322

12918

msgstr ""

12323

12919

12324

#: serverguide/C/lamp-applications.xml:446(para)

12920

#: serverguide/C/lamp-applications.xml:455(para)

12325

12921

msgid "The configuration files for <application>phpMyAdmin</application> are located in <filename>/etc/phpmyadmin</filename>. The main configuration file is <filename>/etc/phpmyadmin/config.inc.php</filename>. This file contains configuration options that apply globally to <application>phpMyAdmin</application>."

12326

12922

msgstr ""

12327

12923

12328

#: serverguide/C/lamp-applications.xml:452(para)

12924

#: serverguide/C/lamp-applications.xml:461(para)

12329

12925

msgid "To use <application>phpMyAdmin</application> to administer a MySQL database hosted on another server, adjust the following in <filename>/etc/phpmyadmin/config.inc.php</filename>:"

12330

12926

msgstr ""

12331

12927

12332

#: serverguide/C/lamp-applications.xml:457(programlisting)

12928

#: serverguide/C/lamp-applications.xml:466(programlisting)

12333

12929

#, no-wrap

12334

12930

msgid "\n$cfg['Servers'][$i]['host'] = 'db_server';\n"

12335

12931

msgstr ""

12336

12932

12337

#: serverguide/C/lamp-applications.xml:462(para)

12933

#: serverguide/C/lamp-applications.xml:471(para)

12338

12934

msgid "Replace <emphasis role=\"italic\">db_server</emphasis> with the actual remote database server name or IP address. Also, be sure that the <application>phpMyAdmin</application> host has permissions to access the remote database."

12339

12935

msgstr ""

12340

12936

12341

#: serverguide/C/lamp-applications.xml:468(para)

12937

#: serverguide/C/lamp-applications.xml:477(para)

12342

12938

msgid "Once configured, log out of <application>phpMyAdmin</application> and back in, and you should be accessing the new server."

12343

12939

msgstr ""

12344

12940

12345

#: serverguide/C/lamp-applications.xml:472(para)

12941

#: serverguide/C/lamp-applications.xml:481(para)

12346

12942

msgid "The <filename>config.header.inc.php</filename> and <filename>config.footer.inc.php</filename> files are used to add a HTML header and footer to <application>phpMyAdmin</application>."

12347

12943

msgstr ""

12348

12944

12349

#: serverguide/C/lamp-applications.xml:477(para)

12945

#: serverguide/C/lamp-applications.xml:486(para)

12350

12946

msgid "Another important configuration file is <filename>/etc/phpmyadmin/apache.conf</filename>, this file is symlinked to <filename>/etc/apache2/conf.d/phpmyadmin.conf</filename>, and is used to configure <application>Apache2</application> to serve the <application>phpMyAdmin</application> site. The file contains directives for loading <application>PHP</application>, directory permissions, etc. For more information on configuring <application>Apache2</application> see <xref linkend=\"httpd\"/>."

12351

12947

msgstr ""

12352

12948

12353

#: serverguide/C/lamp-applications.xml:491(para)

12949

#: serverguide/C/lamp-applications.xml:500(para)

12354

12950

msgid "The <application>phpMyAdmin</application> documentation comes installed with the package and can be accessed from the <emphasis>phpMyAdmin Documentation</emphasis> link (a question mark with a box around it) under the phpMyAdmin logo. The official docs can also be access on the <ulink url=\"http://www.phpmyadmin.net/home_page/docs.php\">phpMyAdmin</ulink> site."

12355

12951

msgstr ""

12356

12952

12357

#: serverguide/C/lamp-applications.xml:498(para)

12953

#: serverguide/C/lamp-applications.xml:507(para)

12358

12954

msgid "Also, <ulink url=\"http://www.packtpub.com/phpmyadmin-3rd-edition/book\">Mastering phpMyAdmin</ulink> is a great resource."

12359

12955

msgstr ""

12360

12956

12361

#: serverguide/C/lamp-applications.xml:503(para)

12957

#: serverguide/C/lamp-applications.xml:512(para)

12362

12958

msgid "A third resource is the <ulink url=\"https://help.ubuntu.com/community/phpMyAdmin\">phpMyAdmin Ubuntu Wiki</ulink> page."

12363

12959

msgstr ""

12364

12960

12371

12967

msgstr ""

12372

12968

12373

12969

#: serverguide/C/introduction.xml:19(para)

12374

msgid "This guide assumes you have a basic understanding of your Ubuntu system. Some installation details are covered in <xref linkend=\"installation\"/>, but if you need detailed instructions installing Ubuntu please refer to the <ulink url=\"https://help.ubuntu.com/11.04/installation-guide/\">Ubuntu Installation Guide</ulink>."

12970

msgid "This guide assumes you have a basic understanding of your Ubuntu system. Some installation details are covered in <xref linkend=\"installation\"/>, but if you need detailed instructions installing Ubuntu please refer to the <ulink url=\"https://help.ubuntu.com/11.10/installation-guide/\">Ubuntu Installation Guide</ulink>."

12375

12971

msgstr ""

12376

12972

12377

12973

#: serverguide/C/introduction.xml:25(para)

12378

msgid "A HTML version of the manual is available online at <ulink url=\"https://help.ubuntu.com\">the Ubuntu Documentation website</ulink>. The HTML files are also available in the <application>ubuntu-serverguide</application> package. See <xref linkend=\"package-management\"/> for details on installing packages."

12379

msgstr ""

12380

12381

#: serverguide/C/introduction.xml:32(para)

12382

msgid "If you choose to install the <application>ubuntu-serverguide</application> you can view this document from a console by:"

12383

msgstr ""

12384

12385

#: serverguide/C/introduction.xml:36(command)

12386

msgid "w3m /usr/share/ubuntu-serverguide/html/C/index.html"

12387

msgstr ""

12388

12389

#: serverguide/C/introduction.xml:39(para)

12390

msgid "If you are using a localized version of Ubuntu, replace <emphasis>C</emphasis> with your language localization (e.g. <emphasis>en_GB</emphasis>)."

12391

msgstr ""

12392

12393

#: serverguide/C/introduction.xml:53(title)

12974

msgid "A HTML version of the manual is available online at <ulink url=\"https://help.ubuntu.com\">the Ubuntu Documentation website</ulink>."

12975

msgstr ""

12976

12977

#: serverguide/C/introduction.xml:31(title)

12394

12978

msgid "Support"

12395

12979

msgstr ""

12396

12980

12397

#: serverguide/C/introduction.xml:55(para)

12981

#: serverguide/C/introduction.xml:33(para)

12398

12982

msgid "There are a couple of different ways that Ubuntu Server Edition is supported, commercial support and community support. The main commercial support (and development funding) is available from Canonical Ltd. They supply reasonably priced support contracts on a per desktop or per server basis. For more information see the <ulink url=\"http://www.canonical.com/services/support\">Canonical Services</ulink> page."

12399

12983

msgstr ""

12400

12984

12401

#: serverguide/C/introduction.xml:62(para)

12985

#: serverguide/C/introduction.xml:40(para)

12402

12986

msgid "Community support is also provided by dedicated individuals, and companies, that wish to make Ubuntu the best distribution possible. Support is provided through multiple mailing lists, IRC channels, forums, blogs, wikis, etc. The large amount of information available can be overwhelming, but a good search engine query can usually provide an answer to your questions. See the <ulink url=\"http://www.ubuntu.com/support\">Ubuntu Support</ulink> page for more information."

12403

12987

msgstr ""

12404

12988

12405

12989

#: serverguide/C/installation.xml:14(para)

12406

msgid "This chapter provides a quick overview of installing Ubuntu 11.04 Server Edition. For more detailed instructions, please refer to the <ulink url=\"https://help.ubuntu.com/11.04/installation-guide/\">Ubuntu Installation Guide</ulink>."

12990

msgid "This chapter provides a quick overview of installing Ubuntu 11.10 Server Edition. For more detailed instructions, please refer to the <ulink url=\"https://help.ubuntu.com/11.10/installation-guide/\">Ubuntu Installation Guide</ulink>."

12407

12991

msgstr ""

12408

12992

12409

12993

#: serverguide/C/installation.xml:19(title)

12419

13003

msgstr ""

12420

13004

12421

13005

#: serverguide/C/installation.xml:25(para)

12422

msgid "Ubuntu 11.04 Server Edition supports three (3) major architectures: Intel x86, AMD64 and ARM. The table below lists recommended hardware specifications. Depending on your needs, you might manage with less than this. However, most users risk being frustrated if they ignore these suggestions."

13006

msgid "Ubuntu 11.10 Server Edition supports three (3) major architectures: Intel x86, AMD64 and ARM. The table below lists recommended hardware specifications. Depending on your needs, you might manage with less than this. However, most users risk being frustrated if they ignore these suggestions."

12423

13007

msgstr ""

12424

13008

12425

13009

#: serverguide/C/installation.xml:28(title)

12503

13087

msgstr ""

12504

13088

12505

13089

#: serverguide/C/installation.xml:108(para)

12506

msgid "To see all kernel configuration options you can look through <filename>/boot/config-2.6.35-server</filename>. Also, <ulink url=\"http://www.kroah.com/lkn/\">Linux Kernel in a Nutshell</ulink> is a great resource on the options available."

13090

msgid "To see all kernel configuration options you can look through <filename>/boot/config-3.0.0-server</filename>. Also, <ulink url=\"http://www.kroah.com/lkn/\">Linux Kernel in a Nutshell</ulink> is a great resource on the options available."

12507

13091

msgstr ""

12508

13092

12509

13093

#: serverguide/C/installation.xml:117(title)

12611

13195

msgstr ""

12612

13196

12613

13197

#: serverguide/C/installation.xml:272(para)

12614

msgid "Once again, for detailed instructions see the <ulink url=\"https://help.ubuntu.com/11.04/installation-guide/\"> Ubuntu Installation Guide</ulink>."

13198

msgid "Once again, for detailed instructions see the <ulink url=\"https://help.ubuntu.com/11.10/installation-guide/\"> Ubuntu Installation Guide</ulink>."

12615

13199

msgstr ""

12616

13200

12617

13201

#: serverguide/C/installation.xml:278(title)

13238

13822

msgstr ""

13239

13823

13240

13824

#: serverguide/C/installation.xml:1187(para)

13241

msgid "For more information on <application>fdisk</application> see the <ulink url=\"http://manpages.ubuntu.com/manpages/natty/en/man8/fdisk.8.html\">fdisk man page</ulink>."

13825

msgid "For more information on <application>fdisk</application> see the <ulink url=\"http://manpages.ubuntu.com/manpages/oneiric/en/man8/fdisk.8.html\">fdisk man page</ulink>."

13242

13826

msgstr ""

13243

13827

13244

13828

#: serverguide/C/file-server.xml:13(title)

13455

14039

msgstr ""

13456

14040

13457

14041

#: serverguide/C/file-server.xml:300(para)

13458

msgid "For detailed <filename>/etc/vsftpd.conf</filename> options see the <ulink url=\"http://manpages.ubuntu.com/manpages/natty/en/man5/vsftpd.conf.5.html\">vsftpd.conf man page</ulink>."

14042

msgid "For detailed <filename>/etc/vsftpd.conf</filename> options see the <ulink url=\"http://manpages.ubuntu.com/manpages/oneiric/en/man5/vsftpd.conf.5.html\">vsftpd.conf man page</ulink>."

13459

14043

msgstr ""

13460

14044

13461

14045

#: serverguide/C/file-server.xml:306(para)

14232

14816

msgid "The <emphasis>Serial Number</emphasis> of your zone file will probably be different."

14233

14817

msgstr ""

14234

14818

14235

#: serverguide/C/dns.xml:505(title)

14236

msgid "Logging"

14237

msgstr ""

14238

14239

14819

#: serverguide/C/dns.xml:506(para)

14240

14820

msgid "<application>BIND9</application> has a wide variety of logging configuration options available. There are two main options. The <emphasis>channel</emphasis> option configures where logs go, and the <emphasis>category</emphasis> option determines what information to log."

14241

14821

msgstr ""

14470

15050

msgid "Full documentation is available in both online and offline formats from the <ulink url=\"http://dev.mysql.com/doc/\"> MySQL Developers portal</ulink>"

14471

15051

msgstr ""

14472

15052

14473

#: serverguide/C/databases.xml:122(para) serverguide/C/databases.xml:269(para)

15053

#: serverguide/C/databases.xml:122(para) serverguide/C/databases.xml:262(para)

14474

15054

msgid "For general SQL information see <ulink url=\"http://www.informit.com/store/product.aspx?isbn=0768664128\">Using SQL Special Edition</ulink> by Rafe Colburn."

14475

15055

msgstr ""

14476

15056

14486

15066

msgid "To install PostgreSQL, run the following command in the command prompt:"

14487

15067

msgstr ""

14488

15068

14489

#: serverguide/C/databases.xml:151(command)

15069

#: serverguide/C/databases.xml:150(command)

14490

15070

msgid "sudo apt-get install postgresql"

14491

15071

msgstr ""

14492

15072

14493

#: serverguide/C/databases.xml:155(para)

15073

#: serverguide/C/databases.xml:153(para)

14494

15074

msgid "Once the installation is complete, you should configure the PostgreSQL server based on your needs, although the default configuration is viable."

14495

15075

msgstr ""

14496

15076

14497

#: serverguide/C/databases.xml:163(para)

14498

msgid "By default, connection via TCP/IP is disabled. PostgreSQL supports multiple client authentication methods. By default, IDENT authentication method is used for <application>postgres</application> and local users. Please refer <ulink url=\"http://www.postgresql.org/docs/8.4/static/admin.html\"> the PostgreSQL Administrator's Guide</ulink>."

15077

#: serverguide/C/databases.xml:160(para)

15078

msgid "By default, connection via TCP/IP is disabled. PostgreSQL supports multiple client authentication methods. IDENT authentication method is used for <application>postgres</application> and local users, unless otherwise configured. Please refer <ulink url=\"http://www.postgresql.org/docs/8.4/static/admin.html\"> the PostgreSQL Administrator's Guide if you would like to configure alternatives like Kerberos</ulink>."

14499

15079

msgstr ""

14500

15080

14501

#: serverguide/C/databases.xml:170(para)

15081

#: serverguide/C/databases.xml:166(para)

14502

15082

msgid "The following discussion assumes that you wish to enable TCP/IP connections and use the MD5 method for client authentication. PostgreSQL configuration files are stored in the <filename>/etc/postgresql/<version>/main</filename> directory. For example, if you install PostgreSQL 8.4, the configuration files are stored in the <filename>/etc/postgresql/8.4/main</filename> directory."

14503

15083

msgstr ""

14504

15084

14505

#: serverguide/C/databases.xml:180(para)

14506

msgid "To configure <emphasis>ident</emphasis> authentication, add entries to the <filename>/etc/postgresql/8.4/main/pg_ident.conf</filename> file."

15085

#: serverguide/C/databases.xml:175(para)

15086

msgid "To configure <emphasis>ident</emphasis> authentication, add entries to the <filename>/etc/postgresql/8.4/main/pg_ident.conf</filename> file. There are detailed comments in the file to guide you."

14507

15087

msgstr ""

14508

15088

14509

#: serverguide/C/databases.xml:187(para)

15089

#: serverguide/C/databases.xml:181(para)

14510

15090

msgid "To enable TCP/IP connections, edit the file <filename>/etc/postgresql/8.4/main/postgresql.conf</filename>"

14511

15091

msgstr ""

14512

15092

14513

#: serverguide/C/databases.xml:189(para)

15093

#: serverguide/C/databases.xml:182(para)

14514

15094

msgid "Locate the line <emphasis>#listen_addresses = 'localhost'</emphasis> and change it to:"

14515

15095

msgstr ""

14516

15096

14517

#: serverguide/C/databases.xml:192(programlisting)

15097

#: serverguide/C/databases.xml:185(programlisting)

14518

15098

#, no-wrap

14519

15099

msgid "\nlisten_addresses = 'localhost'\n"

14520

15100

msgstr ""

14521

15101

14522

#: serverguide/C/databases.xml:196(para)

14523

msgid "To allow other computers to connect to your <application>PostgreSQL</application> server replace 'localhost' with the <emphasis>IP Address</emphasis> of your server."

15102

#: serverguide/C/databases.xml:189(para)

15103

msgid "To allow other computers to connect to your <application>PostgreSQL</application> server replace 'localhost' with the <emphasis>IP Address</emphasis> of your server, or alternatively to '0.0.0.0' to bind to all interfaces."

14524

15104

msgstr ""

14525

15105

14526

#: serverguide/C/databases.xml:201(para)

15106

#: serverguide/C/databases.xml:194(para)

14527

15107

msgid "You may also edit all other parameters, if you know what you are doing! For details, refer to the configuration file or to the PostgreSQL documentation."

14528

15108

msgstr ""

14529

15109

14530

#: serverguide/C/databases.xml:206(para)

15110

#: serverguide/C/databases.xml:199(para)

14531

15111

msgid "Now that we can connect to our <application>PostgreSQL</application> server, the next step is to set a password for the <emphasis>postgres</emphasis> user. Run the following command at a terminal prompt to connect to the default PostgreSQL template database:"

14532

15112

msgstr ""

14533

15113

14534

#: serverguide/C/databases.xml:213(command)

15114

#: serverguide/C/databases.xml:206(command)

14535

15115

msgid "sudo -u postgres psql template1"

14536

15116

msgstr ""

14537

15117

14538

#: serverguide/C/databases.xml:215(para)

15118

#: serverguide/C/databases.xml:208(para)

14539

15119

msgid "The above command connects to PostgreSQL database <emphasis>template1</emphasis> as user <emphasis>postgres</emphasis>. Once you connect to the PostgreSQL server, you will be at a SQL prompt. You can run the following SQL command at the <application>psql</application> prompt to configure the password for the user <emphasis role=\"italics\">postgres</emphasis>."

14540

15120

msgstr ""

14541

15121

14542

#: serverguide/C/databases.xml:223(command)

15122

#: serverguide/C/databases.xml:216(command)

14543

15123

msgid "ALTER USER postgres with encrypted password 'your_password';"

14544

15124

msgstr ""

14545

15125

14546

#: serverguide/C/databases.xml:225(para)

15126

#: serverguide/C/databases.xml:218(para)

14547

15127

msgid "After configuring the password, edit the file <filename>/etc/postgresql/8.4/main/pg_hba.conf</filename> to use <emphasis>MD5</emphasis> authentication with the <emphasis>postgres</emphasis> user:"

14548

15128

msgstr ""

14549

15129

14550

#: serverguide/C/databases.xml:231(programlisting)

15130

#: serverguide/C/databases.xml:224(programlisting)

14551

15131

#, no-wrap

14552

15132

msgid "\nlocal all postgres md5\n"

14553

15133

msgstr ""

14554

15134

14555

#: serverguide/C/databases.xml:235(para)

15135

#: serverguide/C/databases.xml:228(para)

14556

15136

msgid "Finally, you should restart the <application>PostgreSQL</application> service to initialize the new configuration. From a terminal prompt enter the following to restart <application>PostgreSQL</application>:"

14557

15137

msgstr ""

14558

15138

14559

#: serverguide/C/databases.xml:241(command)

15139

#: serverguide/C/databases.xml:234(command)

14560

15140

msgid "sudo /etc/init.d/postgresql-8.4 restart"

14561

15141

msgstr ""

14562

15142

14563

#: serverguide/C/databases.xml:244(para)

15143

#: serverguide/C/databases.xml:237(para)

14564

15144

msgid "The above configuration is not complete by any means. Please refer <ulink url=\"http://www.postgresql.org/docs/8.4/static/admin.html\"> the PostgreSQL Administrator's Guide</ulink> to configure more parameters."

14565

15145

msgstr ""

14566

15146

14567

#: serverguide/C/databases.xml:255(para)

15147

#: serverguide/C/databases.xml:248(para)

14568

15148

msgid "As mentioned above the <ulink url=\"http://www.postgresql.org/docs/8.4/static/admin.html\">Administrator's Guide</ulink> is an excellent resource. The guide is also available in the <application>postgresql-doc-8.4</application> package. Execute the following in a terminal to install the package:"

14569

15149

msgstr ""

14570

15150

14571

#: serverguide/C/databases.xml:261(command)

15151

#: serverguide/C/databases.xml:254(command)

14572

15152

msgid "sudo apt-get install postgresql-doc-8.4"

14573

15153

msgstr ""

14574

15154

14575

#: serverguide/C/databases.xml:263(para)

15155

#: serverguide/C/databases.xml:256(para)

14576

15156

msgid "To view the guide enter <command>file:///usr/share/doc/postgresql-doc-8.4/html/index.html</command> into the address bar of your browser."

14577

15157

msgstr ""

14578

15158

14579

#: serverguide/C/databases.xml:275(para)

15159

#: serverguide/C/databases.xml:268(para)

14580

15160

msgid "Also, see the <ulink url=\"https://help.ubuntu.com/community/PostgreSQL\">PostgreSQL Ubuntu Wiki</ulink> page for more information."

14581

15161

msgstr ""

14582

15162

14726

15306

msgstr ""

14727

15307

14728

15308

#: serverguide/C/clustering.xml:243(para)

14729

msgid "The <ulink url=\"http://manpages.ubuntu.com/manpages/natty/en/man5/drbd.conf.5.html\">drbd.conf man page</ulink> contains details on the options not covered in this guide."

15309

msgid "The <ulink url=\"http://manpages.ubuntu.com/manpages/oneiric/en/man5/drbd.conf.5.html\">drbd.conf man page</ulink> contains details on the options not covered in this guide."

14730

15310

msgstr ""

14731

15311

14732

15312

#: serverguide/C/clustering.xml:249(para)

14733

msgid "Also, see the <ulink url=\"http://manpages.ubuntu.com/manpages/natty/en/man8/drbdadm.8.html\">drbdadm man page</ulink>."

15313

msgid "Also, see the <ulink url=\"http://manpages.ubuntu.com/manpages/oneiric/en/man8/drbdadm.8.html\">drbdadm man page</ulink>."

14734

15314

msgstr ""

14735

15315

14736

15316

#: serverguide/C/clustering.xml:254(para)

Older »