#, fuzzy msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "POT-Creation-Date: 2019-03-17 16:32-0300\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" #. Put one translator per line, in the form NAME , YEAR1, YEAR2 msgctxt "_" msgid "translator-credits" msgstr "" #. (itstool) path: info/title #: article.translate.xml:5 msgid "LDAP Authentication" msgstr "" #. (itstool) path: affiliation/address #: article.translate.xml:14 #, no-wrap msgid "\n" " kurin@causa-sui.net\n" " " msgstr "" #. (itstool) path: authorgroup/author #: article.translate.xml:8 msgid "" " Toby Burress <_:address-1/> " msgstr "" #. (itstool) path: info/copyright #: article.translate.xml:21 msgid "" "2007 2008 The FreeBSD Documentation " "Project" msgstr "" #. (itstool) path: legalnotice/para #: article.translate.xml:28 msgid "FreeBSD is a registered trademark of the FreeBSD Foundation." msgstr "" #. (itstool) path: legalnotice/para #: article.translate.xml:30 msgid "" "Many of the designations used by manufacturers and sellers to distinguish " "their products are claimed as trademarks. Where those designations appear in " "this document, and the FreeBSD Project was aware of the trademark claim, the " "designations have been followed by the or the ® symbol." msgstr "" #. (itstool) path: info/pubdate #. (itstool) path: info/releaseinfo #: article.translate.xml:38 article.translate.xml:40 msgid "$FreeBSD$" msgstr "" #. (itstool) path: abstract/para #: article.translate.xml:43 msgid "" "This document is intended as a guide for the configuration of an LDAP server " "(principally an OpenLDAP server) for " "authentication on FreeBSD. This is useful for situations where many servers " "need the same user accounts, for example as a replacement for " "NIS." msgstr "" #. (itstool) path: sect1/title #: article.translate.xml:53 msgid "Preface" msgstr "" #. 
(itstool) path: sect1/para #: article.translate.xml:55 msgid "" "This document is intended to give the reader enough of an understanding of " "LDAP to configure an LDAP server. This document will attempt to provide an " "explanation of net/nss_ldap and security/" "pam_ldap for use with client machines services for use with the " "LDAP server." msgstr "" #. (itstool) path: sect1/para #: article.translate.xml:62 msgid "" "When finished, the reader should be able to configure and deploy a FreeBSD " "server that can host an LDAP directory, and to configure and deploy a " "FreeBSD server which can authenticate against an LDAP directory." msgstr "" #. (itstool) path: sect1/para #: article.translate.xml:67 msgid "" "This article is not intended to be an exhaustive account of the security, " "robustness, or best practice considerations for configuring LDAP or the " "other services discussed herein. While the author takes care to do " "everything correctly, they do not address security issues beyond a general " "scope. This article should be considered to lay the theoretical groundwork " "only, and any actual implementation should be accompanied by careful " "requirement analysis." msgstr "" #. (itstool) path: sect1/title #: article.translate.xml:78 msgid "Configuring LDAP" msgstr "" #. (itstool) path: sect1/para #: article.translate.xml:80 msgid "" "LDAP stands for Lightweight Directory Access Protocol and is " "a subset of the X.500 Directory Access Protocol. Its most recent " "specifications are in RFC4510 and friends. Essentially it is a database that expects " "to be read from more often than it is written to." msgstr "" #. (itstool) path: sect1/para #: article.translate.xml:86 msgid "" "The LDAP server OpenLDAP will be used in the examples in this document; while the principles " "here should be generally applicable to many different servers, most of the " "concrete administration is OpenLDAP-specific. 
" "There are several server versions in ports, for example net/" "openldap24-server. Client servers will need the corresponding " "net/openldap24-client libraries." msgstr "" #. (itstool) path: sect1/para #: article.translate.xml:96 msgid "" "There are (basically) two areas of the LDAP service which need configuration." " The first is setting up a server to receive connections properly, and the " "second is adding entries to the server's directory so that FreeBSD tools " "know how to interact with it." msgstr "" #. (itstool) path: sect2/title #: article.translate.xml:103 msgid "Setting Up the Server for Connections" msgstr "" #. (itstool) path: note/para #: article.translate.xml:106 msgid "" "This section is specific to OpenLDAP. If you are " "using another server, you will need to consult that server's documentation." msgstr "" #. (itstool) path: sect3/title #. (itstool) path: example/title #: article.translate.xml:113 article.translate.xml:119 msgid "Installing OpenLDAP" msgstr "" #. (itstool) path: sect3/para #: article.translate.xml:115 msgid "First, install OpenLDAP:" msgstr "" #. (itstool) path: example/screen #: article.translate.xml:122 #, no-wrap msgid "" "# cd /usr/ports/net/openldap24-server\n" "# make install clean" msgstr "" #. (itstool) path: sect3/para #: article.translate.xml:126 msgid "" "This installs the slapd and slurpd " "binaries, along with the required OpenLDAP " "libraries." msgstr "" #. (itstool) path: sect3/title #: article.translate.xml:132 msgid "Configuring OpenLDAP" msgstr "" #. (itstool) path: sect3/para #: article.translate.xml:134 msgid "Next we must configure OpenLDAP." msgstr "" #. (itstool) path: sect3/para #: article.translate.xml:137 msgid "" "You will want to require encryption in your connections to the LDAP server; " "otherwise your users' passwords will be transferred in plain text, which is " "considered insecure. The tools we will be using support two very similar " "kinds of encryption, SSL and TLS." msgstr "" #. 
(itstool) path: sect3/para #: article.translate.xml:143 msgid "" "TLS stands for Transportation Layer Security. Services that " "employ TLS tend to connect on the same ports as the " "same services without TLS; thus an SMTP server which supports TLS will " "listen for connections on port 25, and an LDAP server will listen on 389." msgstr "" #. (itstool) path: sect3/para #: article.translate.xml:150 msgid "" "SSL stands for Secure Sockets Layer, and services that " "implement SSL do not listen on the same ports as their " "non-SSL counterparts. Thus SMTPS listens on port 465 (not 25), HTTPS listens " "on 443, and LDAPS on 636." msgstr "" #. (itstool) path: sect3/para #: article.translate.xml:156 msgid "" "The reason SSL uses a different port than TLS is because a TLS connection " "begins as plain text, and switches to encrypted traffic after the " "STARTTLS directive. SSL connections are encrypted from " "the beginning. Other than that there are no substantial differences between " "the two." msgstr "" #. (itstool) path: note/para #: article.translate.xml:164 msgid "" "We will adjust OpenLDAP to use TLS, as SSL is " "considered deprecated." msgstr "" #. (itstool) path: sect3/para #: article.translate.xml:168 msgid "" "Once OpenLDAP is installed via ports, the " "following configuration parameters in /usr/local/etc/openldap/" "slapd.conf will enable TLS:" msgstr "" #. (itstool) path: sect3/programlisting #: article.translate.xml:173 #, no-wrap msgid "" "security ssf=128\n" "\n" "TLSCertificateFile /path/to/your/cert.crt\n" "TLSCertificateKeyFile /path/to/your/cert.key\n" "TLSCACertificateFile /path/to/your/cacert.crt" msgstr "" #. (itstool) path: sect3/para #: article.translate.xml:180 msgid "" "Here, ssf=128 tells OpenLDAP " "to require 128-bit encryption for all connections, both search and update. 
" "This parameter may be configured based on the security needs of your site, " "but rarely you need to weaken it, as most LDAP client libraries support " "strong encryption." msgstr "" #. (itstool) path: sect3/para #: article.translate.xml:187 msgid "" "The cert.crt, cert.key, and " "cacert.crt files are necessary for clients to " "authenticate you as the valid LDAP server. If you " "simply want a server that runs, you can create a self-signed certificate " "with OpenSSL:" msgstr "" #. (itstool) path: example/title #: article.translate.xml:196 msgid "Generating an RSA Key" msgstr "" #. (itstool) path: example/screen #: article.translate.xml:198 #, no-wrap msgid "" "% openssl genrsa -out cert.key 1024\n" "Generating RSA private key, 1024 bit long modulus\n" "....................++++++\n" "...++++++\n" "e is 65537 (0x10001)\n" "% openssl req -new -key cert.key -out cert.csr" msgstr "" #. (itstool) path: sect3/para #: article.translate.xml:206 msgid "" "At this point you should be prompted for some values. You may enter whatever " "values you like; however, it is important the Common Name " "value be the fully qualified domain name of the OpenLDAP server. In our case, and the examples here, the server is " "server.example.org. Incorrectly setting this " "value will cause clients to fail when making connections. This can the cause " "of great frustration, so ensure that you follow these steps closely." msgstr "" #. (itstool) path: sect3/para #: article.translate.xml:217 msgid "Finally, the certificate signing request needs to be signed:" msgstr "" #. (itstool) path: example/title #: article.translate.xml:221 msgid "Self-signing the Certificate" msgstr "" #. (itstool) path: example/screen #: article.translate.xml:223 #, no-wrap msgid "" "% openssl x509 -req -in cert.csr -days 365 -" "signkey cert.key -out cert.crt\n" "Signature ok\n" "subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd\n" "Getting Private key" msgstr "" #. 
(itstool) path: sect3/para #: article.translate.xml:229 msgid "" "This will create a self-signed certificate that can be used for the " "directives in slapd.conf, where cert.crt and cacert.crt are the same file. If you are " "going to use many OpenLDAP servers (for " "replication via slurpd) you will want to see to generate a CA key and use it to sign individual " "server certificates." msgstr "" #. (itstool) path: sect3/para #: article.translate.xml:239 msgid "" "Once this is done, put the following in /etc/rc.conf:" msgstr "" #. (itstool) path: sect3/programlisting #: article.translate.xml:242 #, no-wrap msgid "slapd_enable=\"YES\"" msgstr "" #. (itstool) path: sect3/para #: article.translate.xml:244 msgid "" "Then run /usr/local/etc/rc.d/slapd start. This should " "start OpenLDAP. Confirm that it is listening on " "389 with" msgstr "" #. (itstool) path: sect3/screen #: article.translate.xml:249 #, no-wrap msgid "" "% sockstat -4 -p 389\n" "ldap slapd 3261 7 tcp4 *:389 *:*" msgstr "" #. (itstool) path: sect3/title #: article.translate.xml:254 msgid "Configuring the Client" msgstr "" #. (itstool) path: sect3/para #: article.translate.xml:256 msgid "" "Install the net/openldap24-client port for the " "OpenLDAP libraries. The client machines will " "always have OpenLDAP libraries since that is all " "security/pam_ldap and net/nss_ldap " "support, at least for the moment." msgstr "" #. (itstool) path: sect3/para #: article.translate.xml:264 msgid "" "The configuration file for the OpenLDAP libraries " "is /usr/local/etc/openldap/ldap.conf. Edit this file to " "contain the following values:" msgstr "" #. (itstool) path: sect3/programlisting #: article.translate.xml:269 #, no-wrap msgid "" "base dc=example,dc=org\n" "uri ldap://server.example.org/\n" "ssl start_tls\n" "tls_cacert /path/to/your/cacert.crt" msgstr "" #. 
(itstool) path: note/para #: article.translate.xml:275 msgid "" "It is important that your clients have access to cacert.crt, otherwise they will not be able to connect." msgstr "" #. (itstool) path: note/para #: article.translate.xml:281 msgid "" "There are two files called ldap.conf. The first is this " "file, which is for the OpenLDAP libraries and " "defines how to talk to the server. The second is /usr/local/etc/" "ldap.conf, and is for pam_ldap." msgstr "" #. (itstool) path: sect3/para #: article.translate.xml:289 msgid "" "At this point you should be able to run ldapsearch -Z " "on the client machine; means use TLS. If " "you encounter an error, then something is configured wrong; most likely it " "is your certificates. Use openssl1's s_client and s_server to ensure you have them configured " "and signed properly." msgstr "" #. (itstool) path: sect2/title #: article.translate.xml:301 msgid "Entries in the Database" msgstr "" #. (itstool) path: sect2/para #: article.translate.xml:303 msgid "" "Authentication against an LDAP directory is generally accomplished by " "attempting to bind to the directory as the connecting user. This is done by " "establishing a simple bind on the directory with the user " "name supplied. If there is an entry with the uid equal to " "the user name and that entry's userPassword attribute " "matches the password supplied, then the bind is successful." msgstr "" #. (itstool) path: sect2/para #: article.translate.xml:312 msgid "" "The first thing we have to do is figure out is where in the directory our " "users will live." msgstr "" #. (itstool) path: sect2/para #: article.translate.xml:315 msgid "" "The base entry for our database is dc=example,dc=org. The " "default location for users that most clients seem to expect is something " "like ou=people,base, so that " "is what will be used here. However keep in mind that this is configurable." msgstr "" #. 
(itstool) path: sect2/para #: article.translate.xml:322 msgid "" "So the ldif entry for the people organizational unit will " "look like:" msgstr "" #. (itstool) path: sect2/programlisting #: article.translate.xml:325 #, no-wrap msgid "" "dn: ou=people,dc=example,dc=org\n" "objectClass: top\n" "objectClass: organizationalUnit\n" "ou: people" msgstr "" #. (itstool) path: sect2/para #: article.translate.xml:330 msgid "All users will be created as subentries of this organizational unit." msgstr "" #. (itstool) path: sect2/para #: article.translate.xml:333 msgid "" "Some thought might be given to the object class your users will belong to. " "Most tools by default will use people, which is fine if " "you simply want to provide entries against which to authenticate. However, " "if you are going to store user information in the LDAP database as well, you " "will probably want to use inetOrgPerson, which has many " "useful attributes. In either case, the relevant schemas need to be loaded in " "slapd.conf." msgstr "" #. (itstool) path: sect2/para #: article.translate.xml:343 msgid "" "For this example we will use the person object class. If " "you are using inetOrgPerson, the steps are basically " "identical, except that the sn attribute is required." msgstr "" #. (itstool) path: sect2/para #: article.translate.xml:349 msgid "To add a user testuser, the ldif would be:" msgstr "" #. (itstool) path: sect2/programlisting #: article.translate.xml:352 #, no-wrap msgid "" "dn: uid=tuser,ou=people,dc=example,dc=org\n" "objectClass: person\n" "objectClass: posixAccount\n" "objectClass: shadowAccount\n" "objectClass: top\n" "uidNumber: 10000\n" "gidNumber: 10000\n" "homeDirectory: /home/tuser\n" "loginShell: /bin/csh\n" "uid: tuser\n" "cn: tuser" msgstr "" #. 
(itstool) path: sect2/para #: article.translate.xml:364 msgid "" "I start my LDAP users' UIDs at 10000 to avoid collisions with system " "accounts; you can configure whatever number you wish here, as long as it is " "less than 65536." msgstr "" #. (itstool) path: sect2/para #: article.translate.xml:368 msgid "" "We also need group entries. They are as configurable as user entries, but we " "will use the defaults below:" msgstr "" #. (itstool) path: sect2/programlisting #: article.translate.xml:371 #, no-wrap msgid "" "dn: ou=groups,dc=example,dc=org\n" "objectClass: top\n" "objectClass: organizationalUnit\n" "ou: groups\n" "\n" "dn: cn=tuser,ou=groups,dc=example,dc=org\n" "objectClass: posixGroup\n" "objectClass: top\n" "gidNumber: 10000\n" "cn: tuser" msgstr "" #. (itstool) path: sect2/para #: article.translate.xml:382 msgid "" "To enter these into your database, you can use slapadd or " "ldapadd on a file containing these entries. " "Alternatively, you can use sysutils/ldapvi." msgstr "" #. (itstool) path: sect2/para #: article.translate.xml:387 msgid "" "The ldapsearch utility on the client machine should now " "return these entries. If it does, your database is properly configured to be " "used as an LDAP authentication server." msgstr "" #. (itstool) path: sect1/title #: article.translate.xml:395 msgid "Client Configuration" msgstr "" #. (itstool) path: sect1/para #: article.translate.xml:397 msgid "" "The client should already have OpenLDAP libraries " "from , but if you are installing " "several client machines you will need to install net/openldap24-" "client on each of them." msgstr "" #. (itstool) path: sect1/para #: article.translate.xml:402 msgid "" "FreeBSD requires two ports to be installed to authenticate against an LDAP " "server, security/pam_ldap and net/nss_ldap." msgstr "" #. (itstool) path: sect2/title #: article.translate.xml:407 msgid "Authentication" msgstr "" #. 
(itstool) path: sect2/para #: article.translate.xml:409 msgid "" "security/pam_ldap is configured via /usr/local/" "etc/ldap.conf." msgstr "" #. (itstool) path: note/para #: article.translate.xml:413 msgid "" "This is a different file than the " "OpenLDAP library functions' configuration file, " "/usr/local/etc/openldap/ldap.conf; however, it takes " "many of the same options; in fact it is a superset of that file. For the " "rest of this section, references to ldap.conf will mean " "/usr/local/etc/ldap.conf." msgstr "" #. (itstool) path: sect2/para #: article.translate.xml:423 msgid "" "Thus, we will want to copy all of our original configuration parameters from " "openldap/ldap.conf to the new ldap.conf. Once this is done, we want to tell security/pam_ldap what to look for on the directory server." msgstr "" #. (itstool) path: sect2/para #: article.translate.xml:430 msgid "" "We are identifying our users with the uid attribute. To " "configure this (though it is the default), set the " "pam_login_attribute directive in ldap.conf:" msgstr "" #. (itstool) path: example/title #: article.translate.xml:437 msgid "Setting pam_login_attribute" msgstr "" #. (itstool) path: example/programlisting #: article.translate.xml:439 #, no-wrap msgid "pam_login_attribute uid" msgstr "" #. (itstool) path: sect2/para #: article.translate.xml:442 msgid "" "With this set, security/pam_ldap will search the entire " "LDAP directory under base for the value uid=" "username. If it finds one and only one " "entry, it will attempt to bind as that user with the password it was given. " "If it binds correctly, then it will allow access. Otherwise it will fail." msgstr "" #. (itstool) path: sect2/para #: article.translate.xml:451 msgid "" "Users whose shell is not in /etc/shells will not be " "able to log in. This is particularly important when Bash is set as the user shell on the LDAP server. Bash is not included with a default installation of FreeBSD. 
When " "installed from a package or port, it is located at /usr/local/bin/" "bash. Verify that the path to the shell on the server is set " "correctly:" msgstr "" #. (itstool) path: sect2/screen #: article.translate.xml:461 #, no-wrap msgid "" "% getent passwd username" msgstr "" #. (itstool) path: sect2/para #: article.translate.xml:463 msgid "" "There are two choices when the output shows /bin/bash in " "the last column. The first is to change the user's entry on the LDAP server " "to /usr/local/bin/bash. The second option is to create " "a symlink on the LDAP client computer so Bash is " "found at the correct location:" msgstr "" #. (itstool) path: sect2/screen #: article.translate.xml:471 #, no-wrap msgid "" "# ln -s /usr/local/bin/bash /bin/bash" msgstr "" #. (itstool) path: sect2/para #: article.translate.xml:473 msgid "" "Make sure that /etc/shells contains entries for both " "/usr/local/bin/bash and /bin/bash. The " "user will then be able to log in to the system with Bash as their shell." msgstr "" #. (itstool) path: sect3/title #: article.translate.xml:480 msgid "PAM" msgstr "" #. (itstool) path: sect3/para #: article.translate.xml:482 msgid "" "PAM, which stands for Pluggable Authentication Modules, is " "the method by which FreeBSD authenticates most of its sessions. To tell " "FreeBSD we wish to use an LDAP server, we will have to add a line to the " "appropriate PAM file." msgstr "" #. (itstool) path: sect3/para #: article.translate.xml:488 msgid "" "Most of the time the appropriate PAM file is /etc/pam.d/sshd, if you want to use SSH (remember to " "set the relevant options in /etc/ssh/sshd_config, " "otherwise SSH will not use PAM)." msgstr "" #. (itstool) path: sect3/para #: article.translate.xml:495 msgid "To use PAM for authentication, add the line" msgstr "" #. (itstool) path: sect3/programlisting #: article.translate.xml:497 #, no-wrap msgid "auth sufficient /usr/local/lib/pam_ldap.so no_warn" msgstr "" #. 
(itstool) path: sect3/para #: article.translate.xml:499 msgid "" "Exactly where this line shows up in the file and which options appear in the " "fourth column determine the exact behavior of the authentication mechanism; " "see pam.d5" msgstr "" #. (itstool) path: sect3/para #: article.translate.xml:504 msgid "" "With this configuration you should be able to authenticate a user against an " "LDAP directory. PAM will perform a bind with your " "credentials, and if successful will tell SSH to " "allow access." msgstr "" #. (itstool) path: sect3/para #: article.translate.xml:510 msgid "" "However it is not a good idea to allow every user in " "the directory into every client machine. With the " "current configuration, all that a user needs to log into a machine is an " "LDAP entry. Fortunately there are a few ways to restrict user access." msgstr "" #. (itstool) path: sect3/para #: article.translate.xml:517 msgid "" "ldap.conf supports a pam_groupdn " "directive; every account that connects to this machine needs to be a member " "of the group specified here. For example, if you have" msgstr "" #. (itstool) path: sect3/programlisting #: article.translate.xml:522 #, no-wrap msgid "pam_groupdn cn=servername,ou=accessgroups,dc=example,dc=org" msgstr "" #. (itstool) path: sect3/para #: article.translate.xml:524 msgid "" "in ldap.conf, then only members of that group will be " "able to log in. There are a few things to bear in mind, however." msgstr "" #. (itstool) path: sect3/para #: article.translate.xml:528 msgid "" "Members of this group are specified in one or more memberUid attributes, and each attribute must have the full distinguished " "name of the member. So memberUid: someuser will not work; " "it must be:" msgstr "" #. (itstool) path: sect3/programlisting #: article.translate.xml:534 #, no-wrap msgid "memberUid: uid=someuser,ou=people,dc=example,dc=org" msgstr "" #. 
(itstool) path: sect3/para #: article.translate.xml:536 msgid "" "Additionally, this directive is not checked in PAM during authentication, it " "is checked during account management, so you will need a second line in your " "PAM files under account. This will require, in turn, " "every user to be listed in the group, which is not " "necessarily what we want. To avoid blocking users that are not in LDAP, you " "should enable the ignore_unknown_user attribute. Finally, " "you should set the ignore_authinfo_unavail option so that " "you are not locked out of every computer when the LDAP server is unavailable." "" msgstr "" #. (itstool) path: sect3/para #: article.translate.xml:549 msgid "" "Your pam.d/sshd might then end up looking like this:" msgstr "" #. (itstool) path: example/title #: article.translate.xml:553 msgid "Sample pam.d/sshd" msgstr "" #. (itstool) path: example/programlisting #: article.translate.xml:555 #, no-wrap msgid "" "auth required pam_nologin.so no_warn\n" "auth sufficient pam_opie.so no_warn " "no_fake_prompts\n" "auth requisite pam_opieaccess.so no_warn allow_local\n" "auth sufficient /usr/local/lib/pam_ldap.so no_warn\n" "auth required pam_unix.so no_warn " "try_first_pass\n" "\n" "account required pam_login_access.so\n" "account required /usr/local/lib/pam_ldap.so no_warn " "ignore_authinfo_unavail ignore_unknown_user" msgstr "" #. (itstool) path: note/para #: article.translate.xml:566 msgid "" "Since we are adding these lines specifically to pam.d/sshd, this will only have an effect on SSH " "sessions. LDAP users will be unable to log in at the console. To change this " "behavior, examine the other files in /etc/pam.d and " "modify them accordingly." msgstr "" #. (itstool) path: sect2/title #: article.translate.xml:578 msgid "Name Service Switch" msgstr "" #. (itstool) path: sect2/para #: article.translate.xml:580 msgid "" "NSS is the service that maps attributes to names. 
" "So, for example, if a file is owned by user 1001, an " "application will query NSS for the name of " "1001, and it might get bob or " "ted or whatever the user's name is." msgstr "" #. (itstool) path: sect2/para #: article.translate.xml:588 msgid "" "Now that our user information is kept in LDAP, we need to tell " "NSS to look there when queried." msgstr "" #. (itstool) path: sect2/para #: article.translate.xml:592 msgid "" "The net/nss_ldap port does this. It uses the same " "configuration file as security/pam_ldap, and should not " "need any extra parameters once it is installed. Instead, what is left is " "simply to edit /etc/nsswitch.conf to take advantage of " "the directory. Simply replace the following lines:" msgstr "" #. (itstool) path: sect2/programlisting #: article.translate.xml:600 #, no-wrap msgid "group: compat\n" "passwd: compat" msgstr "" #. (itstool) path: sect2/para #: article.translate.xml:603 msgid "with" msgstr "" #. (itstool) path: sect2/programlisting #: article.translate.xml:605 #, no-wrap msgid "group: files ldap\n" "passwd: files ldap" msgstr "" #. (itstool) path: sect2/para #: article.translate.xml:608 msgid "This will allow you to map usernames to UIDs and UIDs to usernames." msgstr "" #. (itstool) path: sect2/para #: article.translate.xml:611 msgid "Congratulations! You should now have working LDAP authentication." msgstr "" #. (itstool) path: sect2/title #: article.translate.xml:616 msgid "Caveats" msgstr "" #. (itstool) path: sect2/para #: article.translate.xml:618 msgid "" "Unfortunately, as of the time this was written FreeBSD did not support " "changing user passwords with passwd1. Because of this, most " "administrators are left to implement a solution themselves. I provide some " "examples here. Note that if you write your own password change script, there " "are some security issues you should be made aware of; see " msgstr "" #. 
(itstool) path: example/title #: article.translate.xml:626 msgid "Shell Script for Changing Passwords" msgstr "" #. (itstool) path: example/programlisting #: article.translate.xml:628 #, no-wrap msgid "" "#!/bin/sh\n" "\n" "stty -echo\n" "read -p \"Old Password: \" oldp; echo\n" "read -p \"New Password: \" np1; echo\n" "read -p \"Retype New Password: \" np2; echo\n" "stty echo\n" "\n" "if [ \"$np1\" != \"$np2\" ]; then\n" " echo \"Passwords do not match.\"\n" " exit 1\n" "fi\n" "\n" "ldappasswd -D uid=\"$USER\",ou=people,dc=example,dc=org \\\n" " -w \"$oldp\" \\\n" " -a \"$oldp\" \\\n" " -s \"$np1\"" msgstr "" #. (itstool) path: caution/para #: article.translate.xml:648 msgid "" "This script does hardly any error checking, but more important it is very " "cavalier about how it stores your passwords. If you do anything like this, " "at least adjust the security.bsd.see_other_uids sysctl " "value:" msgstr "" #. (itstool) path: caution/screen #: article.translate.xml:654 #, no-wrap msgid "" "# sysctl security.bsd.see_other_uids=0" msgstr "" #. (itstool) path: sect2/para #: article.translate.xml:657 msgid "" "A more flexible (and probably more secure) approach can be used by writing a " "custom program, or even a web interface. The following is part of a " "Ruby library that can change LDAP passwords. It " "sees use both on the command line, and on the web." msgstr "" #. (itstool) path: example/title #: article.translate.xml:664 msgid "Ruby Script for Changing Passwords" msgstr "" #. 
(itstool) path: example/programlisting #: article.translate.xml:666 #, no-wrap msgid "" "require 'ldap'\n" "require 'base64'\n" "require 'digest'\n" "require 'password' # ruby-password\n" "\n" "ldap_server = \"ldap.example.org\"\n" "luser = \"uid=#{ENV['USER']},ou=people,dc=example,dc=org\"\n" "\n" "# get the new password, check it, and create a salted hash from it\n" "def get_password\n" " pwd1 = Password.get(\"New Password: \")\n" " pwd2 = Password.get(\"Retype New Password: \")\n" "\n" " raise if pwd1 != pwd2\n" " pwd1.check # check password strength\n" "\n" " salt = rand.to_s.gsub(/0\\./, '')\n" " pass = pwd1.to_s\n" " hash = \"{SSHA}\"+Base64.encode64(Digest::SHA1." "digest(\"#{pass}#{salt}\")+salt).chomp!\n" " return hash\n" "end\n" "\n" "oldp = Password.get(\"Old Password: \")\n" "newp = get_password\n" "\n" "# We'll just replace it. That we can bind proves that we either know\n" "# the old password or are an admin.\n" "\n" "replace = LDAP::Mod.new(LDAP::LDAP_MOD_REPLACE | LDAP::LDAP_MOD_BVALUES,\n" " \"userPassword\",\n" " [newp])\n" "\n" "conn = LDAP::SSLConn.new(ldap_server, 389, true)\n" "conn.set_option(LDAP::LDAP_OPT_PROTOCOL_VERSION, 3)\n" "conn.bind(luser, oldp)\n" "conn.modify(luser, [replace])" msgstr "" #. (itstool) path: sect2/para #: article.translate.xml:704 msgid "" "Although not guaranteed to be free of security holes (the password is kept " "in memory, for example) this is cleaner and more flexible than a simple " "sh script." msgstr "" #. (itstool) path: sect1/title #: article.translate.xml:712 msgid "Security Considerations" msgstr "" #. (itstool) path: sect1/para #: article.translate.xml:714 msgid "" "Now that your machines (and possibly other services) are authenticating " "against your LDAP server, this server needs to be protected at least as well " "as /etc/master.passwd would be on a regular server, and " "possibly even more so since a broken or cracked LDAP server would break " "every client service." msgstr "" #. 
(itstool) path: sect1/para #: article.translate.xml:721 msgid "" "Remember, this section is not exhaustive. You should continually review your " "configuration and procedures for improvements." msgstr "" #. (itstool) path: sect2/title #: article.translate.xml:726 msgid "Setting Attributes Read-only" msgstr "" #. (itstool) path: sect2/para #: article.translate.xml:728 msgid "" "Several attributes in LDAP should be read-only. If left writable by the " "user, for example, a user could change his uidNumber " "attribute to 0 and get root access!" msgstr "" #. (itstool) path: sect2/para #: article.translate.xml:734 msgid "" "To begin with, the userPassword attribute should not be " "world-readable. By default, anyone who can connect to the LDAP server can " "read this attribute. To disable this, put the following in slapd." "conf:" msgstr "" #. (itstool) path: example/title #: article.translate.xml:741 msgid "Hide Passwords" msgstr "" #. (itstool) path: example/programlisting #: article.translate.xml:743 #, no-wrap msgid "" "access to dn.subtree=\"ou=people,dc=example,dc=org\"\n" " attrs=userPassword\n" " by self write\n" " by anonymous auth\n" " by * none\n" "\n" "access to *\n" " by self write\n" " by * read" msgstr "" #. (itstool) path: sect2/para #: article.translate.xml:754 msgid "" "This will disallow reading of the userPassword attribute, " "while still allowing users to change their own passwords." msgstr "" #. (itstool) path: sect2/para #: article.translate.xml:758 msgid "" "Additionally, you'll want to keep users from changing some of their own " "attributes. By default, users can change any attribute (except for those " "which the LDAP schemas themselves deny changes), such as uidNumber. To close this hole, modify the above to" msgstr "" #. (itstool) path: example/title #: article.translate.xml:765 msgid "Read-only Attributes" msgstr "" #. 
(itstool) path: example/programlisting #: article.translate.xml:767 #, no-wrap msgid "" "access to dn.subtree=\"ou=people,dc=example,dc=org\"\n" " attrs=userPassword\n" " by self write\n" " by anonymous auth\n" " by * none\n" "\n" "access to attrs=homeDirectory,uidNumber,gidNumber\n" " by * read\n" "\n" "access to *\n" " by self write\n" " by * read" msgstr "" #. (itstool) path: sect2/para #: article.translate.xml:781 msgid "This will stop users from being able to masquerade as other users." msgstr "" #. (itstool) path: sect2/title #: article.translate.xml:786 msgid "root Account Definition" msgstr "" #. (itstool) path: sect2/para #: article.translate.xml:789 msgid "" "Often the root or manager " "account for the LDAP service will be defined in the configuration file. " "OpenLDAP supports this, for example, and it " "works, but it can lead to trouble if slapd.conf is " "compromised. It may be better to use this only to bootstrap yourself into " "LDAP, and then define a root " "account there." msgstr "" #. (itstool) path: sect2/para #: article.translate.xml:797 msgid "" "Even better is to define accounts that have limited permissions, and omit a " "root account entirely. For " "example, users that can add or remove user accounts are added to one group, " "but they cannot themselves change the membership of this group. Such a " "security policy would help mitigate the effects of a leaked password." msgstr "" #. (itstool) path: sect3/title #. (itstool) path: example/title #: article.translate.xml:805 article.translate.xml:813 msgid "Creating a Management Group" msgstr "" #. (itstool) path: sect3/para #: article.translate.xml:807 msgid "" "Say you want your IT department to be able to change home directories for " "users, but you do not want all of them to be able to add or remove users. " "The way to do this is to add a group for these admins:" msgstr "" #. 
(itstool) path: example/programlisting #: article.translate.xml:815 #, no-wrap msgid "" "dn: cn=homemanagement,dc=example,dc=org\n" "objectClass: top\n" "objectClass: groupOfNames\n" "cn: homemanagement\n" "member: uid=tuser,ou=people,dc=example,dc=org\n" "member: uid=user2,ou=people,dc=example,dc=org" msgstr "" #. (itstool) path: sect3/para #: article.translate.xml:824 msgid "" "The group is a groupOfNames whose member " "values are the full DNs of the administrators. An OpenLDAP ACL can only test group membership through a " "DN-valued attribute, so a posixGroup, whose " "memberUid holds plain login names, cannot be used for " "this purpose. Then add a rule to slapd.conf. It must be " "placed before the access to " "attrs=homeDirectory,uidNumber,gidNumber rule from the previous " "section, because the first matching rule wins:" msgstr "" #. (itstool) path: example/title #: article.translate.xml:828 msgid "ACLs for a Home Directory Management Group" msgstr "" #. (itstool) path: example/programlisting #: article.translate.xml:830 #, no-wrap msgid "" "access to dn.subtree=\"ou=people,dc=example,dc=org\"\n" " attrs=homeDirectory\n" " by group=\"cn=homemanagement,dc=example,dc=org\" write\n" " by * read" msgstr "" #. (itstool) path: sect3/para #: article.translate.xml:836 msgid "" "Now tuser and user2 can change other users' home directories, while everyone " "else, including the client machines that look up home directories, keeps " "read access. Without the by * read clause the rule " "would end in an implicit by * none and clients could " "no longer resolve home directories at all." msgstr "" #. (itstool) path: sect3/para #: article.translate.xml:840 msgid "" "In this example we have given a subset of administrative power to certain " "users without giving them power in other domains. The idea is that soon no " "single user account has the power of a root account, but every power root had is held by at least one user. " "The root account then becomes " "unnecessary and can be removed." msgstr "" #. (itstool) path: sect2/title #: article.translate.xml:850 msgid "Password Storage" msgstr "" #. (itstool) path: sect2/para #: article.translate.xml:852 msgid "" "By default OpenLDAP will store the value of the " "userPassword attribute as it stores any other data: in " "the clear. In LDIF output it usually appears base64-encoded (as " "userPassword::), which is an encoding, not protection: " "anyone who can read the attribute recovers the password with a single " "decode, so it keeps an honest administrator from seeing your password at a " "glance, but little else." msgstr "" #. 
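The following is an added example and is not part of the original article. It is a small Ruby model of how slapd evaluates the access directives shown in the three sections above (first matching rule, then first matching by clause, anything unmatched denied, as documented in slapd.access(5)), reduced to the what and who forms the article uses. It runs the article's first ACL, the hardened ACL with the management-group rule, and a deliberately mis-ordered variant against a constructed directory of two people entries and the homemanagement group, to show why the ordering matters. The DNs uid=user3 and the directory hash are constructed for the example; the model does not implement slapd's full ACL language.

```ruby
# Added example, not from the article: a reduced model of slapd ACL evaluation.
LEVELS = %w[none disclose auth compare search read write manage].freeze

Rule = Struct.new(:dn_subtree, :attrs, :by)

# Parse slapd.conf ACL text. A rule starts at "access to", may continue its
# <what> clause on the next lines, and is followed by "by <who> <level>" lines.
def parse_acl(text)
  rules = []
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    if line.start_with?('access to')
      rules << Rule.new(nil, nil, [])
      add_what(rules.last, line.sub('access to', ''))
    elsif line.start_with?('by ')
      _, who, level = line.split(/\s+/, 3)
      rules.last.by << [who, level]
    else
      add_what(rules.last, line) # continuation of the <what> clause
    end
  end
  rules
end

def add_what(rule, text)
  text.scan(/dn\.subtree="([^"]+)"|attrs?=(\S+)/) do |dn, attrs|
    rule.dn_subtree = dn if dn
    rule.attrs = attrs.split(',') if attrs
  end
end

def what_matches?(rule, target_dn, attr)
  if rule.dn_subtree
    return false unless target_dn == rule.dn_subtree || target_dn.end_with?(",#{rule.dn_subtree}")
  end
  return false if rule.attrs && !rule.attrs.include?(attr)
  true
end

# +directory+ stands in for the DIT: DN => { attribute => [values] }.
# group="..." uses slapd's defaults: objectClass groupOfNames, attribute member.
def who_matches?(who, bound_dn, target_dn, directory)
  case who
  when '*'         then true
  when 'anonymous' then bound_dn.nil?
  when 'users'     then !bound_dn.nil?
  when 'self'      then bound_dn == target_dn
  when /\Agroup="([^"]+)"\z/
    directory.fetch(Regexp.last_match(1), {}).fetch('member', []).include?(bound_dn)
  else false
  end
end

# First rule whose <what> matches, then first <by> whose <who> matches; otherwise none.
def granted_level(rules, directory, bound_dn, target_dn, attr)
  rule = rules.find { |r| what_matches?(r, target_dn, attr) }
  return 'none' unless rule
  _, level = rule.by.find { |who, _| who_matches?(who, bound_dn, target_dn, directory) }
  level || 'none'
end

def allowed?(rules, directory, bound_dn, target_dn, attr, wanted)
  LEVELS.index(granted_level(rules, directory, bound_dn, target_dn, attr)) >= LEVELS.index(wanted)
end

# Every rule listed after an unqualified "access to *" can never be reached.
def unreachable_rules(rules)
  catch_all = rules.index { |r| r.dn_subtree.nil? && r.attrs.nil? }
  catch_all ? rules.drop(catch_all + 1) : []
end

# Constructed directory: only the group entry matters to the ACLs modelled here.
TUSER = 'uid=tuser,ou=people,dc=example,dc=org'
USER3 = 'uid=user3,ou=people,dc=example,dc=org' # not a group member
DIRECTORY = {
  'cn=homemanagement,dc=example,dc=org' => {
    'member' => [TUSER, 'uid=user2,ou=people,dc=example,dc=org']
  }
}.freeze

# The article's first ACL: userPassword hidden, everything else "by self write".
HIDE_PASSWORDS = <<~ACL
  access to dn.subtree="ou=people,dc=example,dc=org"
      attrs=userPassword
      by self write
      by anonymous auth
      by * none
  access to *
      by self write
      by * read
ACL

# The hardened ACL: management-group rule, read-only POSIX attributes, catch-all last.
HARDENED = <<~ACL
  access to dn.subtree="ou=people,dc=example,dc=org"
      attrs=userPassword
      by self write
      by anonymous auth
      by * none
  access to dn.subtree="ou=people,dc=example,dc=org"
      attrs=homeDirectory
      by group="cn=homemanagement,dc=example,dc=org" write
      by * read
  access to attrs=homeDirectory,uidNumber,gidNumber
      by * read
  access to *
      by self write
      by * read
ACL

# The same management rule appended after the catch-all: it is never consulted.
MISORDERED = HIDE_PASSWORDS + <<~ACL
  access to dn.subtree="ou=people,dc=example,dc=org"
      attrs=homeDirectory
      by group="cn=homemanagement,dc=example,dc=org" write
      by * read
ACL
```

Running `allowed?(parse_acl(HIDE_PASSWORDS), DIRECTORY, TUSER, TUSER, 'uidNumber', 'write')` returns true, which is the hole the Read-only Attributes section closes; with `HARDENED` it returns false while anonymous `auth` on userPassword and group writes to other users' homeDirectory succeed, and `unreachable_rules(parse_acl(MISORDERED))` reports the shadowed rule.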
(itstool) path: sect2/para #: article.translate.xml:859 msgid "" "It is a good idea, then, to have userPassword hold a " "hash rather than the password itself, for example SSHA (salted SHA-1). The " "hashing is done by whatever program you use to change users' passwords, as " "the Ruby script above does, or by slapd itself when " "passwords are changed through the LDAP Password Modify extended operation " "(ldappasswd1), in which case the " "password-hash directive in slapd.conf " "selects the scheme. Bear in mind that a single SHA-1 over a short salt does " "little to slow down offline guessing once the values leak, so the ACL hiding " "userPassword remains essential." msgstr "" #. (itstool) path: appendix/title #: article.translate.xml:866 msgid "Useful Aids" msgstr "" #. (itstool) path: appendix/para #: article.translate.xml:868 msgid "" "There are a few other programs that might be useful, particularly if you " "have many users and do not want to configure everything manually." msgstr "" #. (itstool) path: appendix/para #: article.translate.xml:872 msgid "" "security/pam_mkhomedir is a PAM module that always " "succeeds; its purpose is to create home directories for users which do not " "have them. If you have dozens of client servers and hundreds of users, it is " "much easier to use this and set up skeleton directories than to prepare " "every home directory." msgstr "" #. (itstool) path: appendix/para #: article.translate.xml:879 msgid "" "sysutils/cpu is a pw8-like utility that can " "be used to manage users in the LDAP directory. You can call it directly, or " "wrap scripts around it. It can handle both TLS (with the " "flag) and SSL (directly)." msgstr "" #. (itstool) path: appendix/para #: article.translate.xml:885 msgid "" "sysutils/ldapvi is a great utility for editing LDAP " "values in an LDIF-like syntax. The directory (or subsection of the " "directory) is presented in the editor chosen by the EDITOR " "environment variable. This makes it easy to make large-scale changes to " "the directory without having to write a custom tool." msgstr "" #. (itstool) path: appendix/para #: article.translate.xml:892 msgid "" "security/openssh-portable has the ability to contact an " "LDAP server to verify SSH keys. This is extremely " "nice if you have many servers and do not want to copy your public keys " "across all of them." msgstr "" #. 
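Returning to the Password Storage section above and to the Ruby password-change script earlier in the article, the following is an added example and is not part of the original article. It shows in Ruby what a base64-encoded cleartext userPassword in LDIF actually protects (nothing), how the {SSHA} value the script writes is laid out, and how a server or tool verifies a candidate against it by recovering the salt that is stored in the clear after the digest. The sample LDIF line and passwords are constructed for the example.

```ruby
require 'base64'
require 'digest'
require 'securerandom'

# Added example, not from the article: {SSHA} construction and verification.

# LDIF base64-encodes values that are not safe-printable ("attr:: value").
# A cleartext userPassword shown this way is one decode away from the password.
def ldif_value(line)
  if line.include?(':: ')
    Base64.decode64(line.split(':: ', 2).last)
  else
    line.split(': ', 2).last
  end
end

# {SSHA} = "{SSHA}" + base64( SHA1(password || salt) || salt ), the layout
# produced by slappasswd(8) and by the article's Ruby script. The salt is
# random but not secret: it travels inside the stored value.
def ssha_hash(password, salt = SecureRandom.random_bytes(8))
  digest = Digest::SHA1.digest(password.b + salt.b)
  '{SSHA}' + Base64.strict_encode64(digest + salt.b)
end

# Verification: strip the prefix, decode, split off the 20-byte SHA-1 digest,
# recompute with the recovered salt and compare without leaking timing.
# Malformed base64 is treated as a non-match rather than an exception.
def ssha_verify(stored, candidate)
  return false unless stored.start_with?('{SSHA}')
  raw = Base64.strict_decode64(stored[6..-1])
  return false if raw.bytesize <= 20
  digest = raw.byteslice(0, 20)
  salt   = raw.byteslice(20, raw.bytesize - 20)
  constant_time_equal?(Digest::SHA1.digest(candidate.b + salt), digest)
rescue ArgumentError
  false
end

def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

if $PROGRAM_NAME == __FILE__
  puts ldif_value('userPassword:: c2VjcmV0')   # constructed LDIF line: decodes to the cleartext
  stored = ssha_hash('correct horse')
  puts stored
  puts ssha_verify(stored, 'correct horse')
end
```

Note that a different salt yields a different stored value for the same password, which is the only work the salt does here: it defeats precomputed tables, but each guess still costs one SHA-1, so the scheme relies on the userPassword ACL to keep the values out of an attacker's hands.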
(itstool) path: appendix/title #: article.translate.xml:900 msgid "OpenSSL Certificates for LDAP" msgstr "" #. (itstool) path: appendix/para #: article.translate.xml:903 msgid "" "If you are hosting two or more LDAP servers, you will probably not want to " "use self-signed certificates, since each client will have to be configured " "to trust each certificate individually. While this is possible, it is not " "nearly as simple as creating your own certificate authority and signing your " "servers' certificates with that." msgstr "" #. (itstool) path: appendix/para #: article.translate.xml:910 msgid "" "The steps here are presented with very little explanation of what is going " "on; further explanation can be found in openssl1 and its friends." msgstr "" #. (itstool) path: appendix/para #: article.translate.xml:914 msgid "" "To create a certificate authority, we simply need a self-signed certificate " "and key. The 1024-bit keys that were common when this article was written " "are no longer considered adequate; use at least 2048 bits. The steps are" msgstr "" #. (itstool) path: example/title #: article.translate.xml:919 msgid "Creating a Certificate" msgstr "" #. (itstool) path: example/screen #: article.translate.xml:921 #, no-wrap msgid "" "% openssl genrsa -out root.key 2048\n" "% openssl req -new -key root.key -out root.csr\n" "% openssl x509 -req -days 1024 -sha256 -in root.csr -signkey root.key -out root.crt" msgstr "" #. (itstool) path: appendix/para #: article.translate.xml:926 msgid "" "These will be your root CA key and certificate. You will probably want to " "encrypt the key (openssl genrsa -aes256 does so at " "creation time) and store it in a cool, dry place; anyone with access to it " "can issue a certificate for any name your clients trust, and so masquerade " "as one of your LDAP servers." msgstr "" #. (itstool) path: appendix/para #: article.translate.xml:931 msgid "" "Next, using the first two steps above create a key ldap-server-one." "key and certificate signing request ldap-server-one." "csr. Once you sign the signing request with root.key, you will be able to use ldap-server-one.* on " "your LDAP servers." msgstr "" #. 
(itstool) path: note/para #: article.translate.xml:939 msgid "" "Do not forget to use the fully qualified domain name of the server for the " "common name attribute when generating the certificate signing " "request, and preferably also place it in a subjectAltName " "extension when signing (openssl x509 takes extensions " "from a file given with -extfile); current TLS clients " "match the name they connected to against subjectAltName " "first. A name mismatch makes clients reject the connection, and it can be " "very tricky to diagnose." msgstr "" #. (itstool) path: appendix/para #: article.translate.xml:946 msgid "" "To have your CA sign the server's request, use -CA and " "-CAkey instead of -signkey. " "-CAcreateserial creates the serial-number file that " "openssl1 keeps next to the CA certificate the first " "time it is needed:" msgstr "" #. (itstool) path: example/title #: article.translate.xml:951 msgid "Signing as a Certificate Authority" msgstr "" #. (itstool) path: example/screen #: article.translate.xml:953 #, no-wrap msgid "" "% openssl x509 -req -days 1024 -sha256 \\\n" "-in ldap-server-one.csr -CA root.crt -CAkey root.key -CAcreateserial \\\n" "-out ldap-server-one.crt" msgstr "" #. (itstool) path: appendix/para #: article.translate.xml:958 msgid "" "The resulting file will be the certificate that you can use on your LDAP " "servers; point slapd at it and at the matching key with " "the TLSCertificateFile and " "TLSCertificateKeyFile directives in slapd.conf." msgstr "" #. (itstool) path: appendix/para #: article.translate.xml:961 msgid "" "Finally, for clients to trust all your servers, distribute root." "crt (the certificate, not the key!) to each " "client, and point the client libraries at it: the TLS_CACERT " "directive in OpenLDAP's ldap.conf (TLSCACertificateFile is the " "corresponding server-side directive in slapd.conf), and " "tls_cacertfile in the ldap.conf read by " "pam_ldap and nss_ldap." msgstr ""
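The appendix above is a procedure in three steps (create a root CA, create a server key and request, have the CA sign the request), followed by the client-side trust check. The following is an added example and is not part of the original article: the same procedure carried out with Ruby's OpenSSL bindings rather than the openssl(1) commands, so that the resulting certificates can be built and verified offline. The names ldap.example.org and Example LDAP Root CA are illustrative. The example deliberately adds what the bare openssl x509 one-liners omit: basicConstraints and key usage on the CA, and a subjectAltName carrying the FQDN on the server certificate, which is what the note about common names is really about.

```ruby
require 'openssl'

# Added example, not from the article: a private CA and a CA-signed LDAP server
# certificate, then the check a client performs with root.crt as TLS_CACERT.
DIGEST = 'SHA256'

def x509_name(cn)
  OpenSSL::X509::Name.parse("/O=Example Org/CN=#{cn}")
end

# Step 1: self-signed root (the "openssl x509 -req -signkey root.key" step),
# explicitly marked as a CA whose key may only sign certificates and CRLs.
def make_ca(cn = 'Example LDAP Root CA', days: 3650)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2 # X.509v3
  cert.serial     = 1
  cert.subject    = x509_name(cn)
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = cert.not_before + days * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))
  cert.sign(key, OpenSSL::Digest.new(DIGEST))
  [key, cert]
end

# Step 2: the server's key and CSR ("openssl req -new"). The CN is the FQDN,
# as the article's note requires; the CA copies it into subjectAltName below.
def make_server_request(fqdn)
  key = OpenSSL::PKey::RSA.new(2048)
  req = OpenSSL::X509::Request.new
  req.version    = 0
  req.subject    = x509_name(fqdn)
  req.public_key = key.public_key
  req.sign(key, OpenSSL::Digest.new(DIGEST))
  [key, req]
end

# Step 3: the CA signs the request ("-CA root.crt -CAkey root.key"), limiting
# the certificate to TLS server use and naming the host in subjectAltName.
def sign_server_request(ca_key, ca_cert, req, fqdn, serial:, days: 1024)
  raise 'CSR signature does not verify' unless req.verify(req.public_key)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = serial
  cert.subject    = req.subject
  cert.issuer     = ca_cert.subject
  cert.public_key = req.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = cert.not_before + days * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = ca_cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature, keyEncipherment', true))
  cert.add_extension(ef.create_extension('extendedKeyUsage', 'serverAuth'))
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{fqdn}"))
  cert.add_extension(ef.create_extension('authorityKeyIdentifier', 'keyid:always'))
  cert.sign(ca_key, OpenSSL::Digest.new(DIGEST))
  cert
end

# What a client holding root.crt does: verify the chain to the trusted root,
# then match the host it connected to against the certificate's names.
def client_trusts?(ca_cert, server_cert, hostname)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  store.verify(server_cert) && OpenSSL::SSL.verify_certificate_identity(server_cert, hostname)
end

if $PROGRAM_NAME == __FILE__
  ca_key, ca_cert = make_ca
  _srv_key, req = make_server_request('ldap.example.org')
  srv_cert = sign_server_request(ca_key, ca_cert, req, 'ldap.example.org', serial: 2)
  puts ca_cert.to_pem       # this is the root.crt to distribute to clients
  puts client_trusts?(ca_cert, srv_cert, 'ldap.example.org')
  puts client_trusts?(ca_cert, srv_cert, 'ldap.example.com') # wrong name: rejected
end
```

The two failing checks at the end are the situations the appendix warns about: a certificate whose name does not match the host the client dialled, and a certificate issued by a CA the client was never given; both are rejected even though the certificate itself is perfectly well formed.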