[system-administrators-guide/21] Recommend a higher baud rate
by stephenw
commit 8699d3305940547727d5713df4a1ad4ca37ebbac
Author: Stephen Wadeley <swadeley(a)redhat.com>
Date: Mon Mar 2 21:34:39 2015 +0100
Recommend a higher baud rate
en-US/Working_with_the_GRUB_2_Boot_Loader.xml | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
---
diff --git a/en-US/Working_with_the_GRUB_2_Boot_Loader.xml b/en-US/Working_with_the_GRUB_2_Boot_Loader.xml
index b9d5cc7..9595034 100644
--- a/en-US/Working_with_the_GRUB_2_Boot_Loader.xml
+++ b/en-US/Working_with_the_GRUB_2_Boot_Loader.xml
@@ -621,7 +621,8 @@ GRUB_SERIAL_COMMAND="serial --speed=9600 --unit=0 --word=8 --parity=no --stop=1"
<note><para>
In order to access the grub terminal over a serial connection an additional option must be added to a kernel definition to make that particular kernel monitor a serial connection. For example:
<synopsis>console=<replaceable>ttyS0,9600n8</replaceable></synopsis>
-Where <option>console=ttyS0</option> is the serial terminal to be used, <option>9600</option> is the baud rate, <option>n</option> is for no parity, and <option>8</option> is the word length in bits.
+Where <option>console=ttyS0</option> is the serial terminal to be used, <option>9600</option> is the baud rate, <option>n</option> is for no parity, and <option>8</option> is the word length in bits. A much higher baud rate, for example <literal>115200</literal>, is preferable for tasks such as following log files.</para>
+<para>
For more information on adding kernel options, see <xref linkend="sec-Editing_an_Entry" />. For more information on serial console settings, see <ulink url="https://www.kernel.org/doc/Documentation/serial-console.txt"></ulink> </para>
</note>
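Review bot: the new sentence recommends 115200 for the kernel console, but the hunk's own context line shows `GRUB_SERIAL_COMMAND="serial --speed=9600 ..."`; the rate in `console=ttyS0,...` and the `--speed` value in `GRUB_SERIAL_COMMAND` have to agree (and the terminal client must be set to the same rate), otherwise the GRUB menu or the kernel output arrives as garbage on the serial line. Suggest wording it as "change both to the same value, for example 115200". Minor: `<ulink url="https://www.kernel.org/doc/Documentation/serial-console.txt"></ulink>` can be the self-closing form used elsewhere in the file, and the sentence is missing its final period before `</para>`.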
[system-administrators-guide/21] remove old remark tags
by stephenw
commit 73cd0b03d6618aa41e23a9249596adb34d30d8d4
Author: Stephen Wadeley <swadeley(a)redhat.com>
Date: Mon Mar 2 21:29:12 2015 +0100
remove old remark tags
en-US/Working_with_the_GRUB_2_Boot_Loader.xml | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
---
diff --git a/en-US/Working_with_the_GRUB_2_Boot_Loader.xml b/en-US/Working_with_the_GRUB_2_Boot_Loader.xml
index 9946c94..b9d5cc7 100644
--- a/en-US/Working_with_the_GRUB_2_Boot_Loader.xml
+++ b/en-US/Working_with_the_GRUB_2_Boot_Loader.xml
@@ -185,7 +185,7 @@ The <literal>DEFAULTKERNEL</literal> directive specifies what package type will
</para>
<screen>GRUB_CMDLINE_LINUX="emergency"</screen>
<para>
- Note that you can specify multiple parameters for the <systemitem>GRUB_CMDLINE_LINUX</systemitem> key, similarly to adding the parameters in the GRUB 2 boot menu. For example: <remark></remark>
+ Note that you can specify multiple parameters for the <systemitem>GRUB_CMDLINE_LINUX</systemitem> key, similarly to adding the parameters in the GRUB 2 boot menu. For example:
<synopsis>GRUB_CMDLINE_LINUX="console=tty0 console=ttyS0,9600n8"</synopsis>
Where <option>console=tty0</option> is the first virtual terminal and <option>console=ttyS0</option> is the serial terminal to be used.
</para>
@@ -530,7 +530,7 @@ password_pbkdf2 john grub.pbkdf2.sha512.10000.19074739ED80F115963D984BDCB35AA671
<screen>~]# <command>grub2-install</command> <filename>/dev/sda</filename></screen>
- <!-- <remark>grub2-install should be sufficient here</remark>
+ <!-- grub2-install should be sufficient here
-->
</section>
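Review bot: the commit message says the remark tags are removed, but the note's text survives as an XML comment with a dangling `-->` on its own line. If "grub2-install should be sufficient here" is a stale editorial note, delete the whole comment; if it is still an open question, keep it as a `<remark>`, which is the DocBook element for exactly this and is stripped from the published build anyway. Turning it into a raw comment changes nothing for readers and leaves an oddly formatted block for the next editor.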
[system-administrators-guide/21] Change resources section to new style
by stephenw
commit e9217a5fbb5c8c5d85dcb006e57f1cd79d239e12
Author: Stephen Wadeley <swadeley(a)redhat.com>
Date: Sat Feb 28 10:09:08 2015 +0100
Change resources section to new style
en-US/OpenLDAP.xml | 72 ++++++++++++++++++++++++---------------------------
1 files changed, 34 insertions(+), 38 deletions(-)
---
diff --git a/en-US/OpenLDAP.xml b/en-US/OpenLDAP.xml
index 857030a..1d64149 100644
--- a/en-US/OpenLDAP.xml
+++ b/en-US/OpenLDAP.xml
@@ -420,7 +420,7 @@
</tgroup>
</table>
<para>
- For a detailed description of these utilities and their usage, see the corresponding manual pages as referred to in <xref linkend="s3-ldap-installed-docs" />.
+ For a detailed description of these utilities and their usage, see the corresponding manual pages as referred to in <xref linkend="bh-Installed_Documentation_OpenLDAP" />.
</para>
<important>
<title>Make sure the files have correct owner</title>
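Review bot: the `linkend` is retargeted to `bh-Installed_Documentation_OpenLDAP`, and later hunks in this patch delete the `s3-ldap-installed-docs` and `s3-ldap-additional-resources-web` section ids entirely. Any other `xref` in en-US/ that still points at those ids will fail validation at build time, so grep the whole guide for both old ids before merging (the replication section added in the companion "Establishing a Secure Connection" commit already uses the new bridgehead id, so that one is fine).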
@@ -1597,29 +1597,24 @@ $DEFAULT_BASE = "dc=example,dc=com";</programlisting>
<para>
The following resources offer additional information on the Lightweight Directory Access Protocol. Before configuring LDAP on your system, it is highly recommended that you review these resources, especially the <citetitle pubwork="book">OpenLDAP Software Administrator's Guide</citetitle>.
</para>
- <section id="s3-ldap-installed-docs">
- <title>Installed Documentation</title>
+
+ <bridgehead id="bh-Installed_Documentation_OpenLDAP" renderas="sect2">Installed Documentation</bridgehead>
+
<para>
The following documentation is installed with the <package>openldap-servers</package> package:
</para>
- <variablelist>
- <varlistentry>
- <term><filename>/usr/share/doc/openldap-servers/guide.html</filename></term>
- <listitem>
- <para>
- A copy of the <citetitle pubwork="book">OpenLDAP Software Administrator's Guide</citetitle>.
+ <itemizedlist>
+ <listitem>
+ <para>
+ <filename>/usr/share/doc/openldap-servers/guide.html</filename> — A copy of the <citetitle pubwork="book">OpenLDAP Software Administrator's Guide</citetitle>.
</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><filename>/usr/share/doc/openldap-servers/README.schema</filename></term>
- <listitem>
- <para>
- A README file containing the description of installed schema files.
+ </listitem>
+ <listitem>
+ <para>
+ <filename>/usr/share/doc/openldap-servers/README.schema</filename> — A README file containing the description of installed schema files.
</para>
- </listitem>
- </varlistentry>
- </variablelist>
+ </listitem>
+ </itemizedlist>
<para>
Additionally, there is also a number of manual pages that are installed with the <package>openldap</package>, <package>openldap-servers</package>, and <package>openldap-clients</package> packages:
</para>
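Review bot: the added lines immediately before and after the `<bridgehead>` contain only whitespace; trim them so the diff does not introduce trailing-space lines. Also check the `renderas="sect2"` value: the subsections being replaced carried `s3-` ids, which in this guide's naming means they sat one level below a sect2 "Additional Resources" section, so rendering the bridgehead as sect2 gives the heading the same weight as its parent section's title. `renderas="sect3"` keeps the visual hierarchy the removed `<section>` elements had. The switch from `variablelist` to an `itemizedlist` with an em dash matches the style of the man page lists that follow, so that part reads consistently.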
@@ -1630,42 +1625,42 @@ $DEFAULT_BASE = "dc=example,dc=com";</programlisting>
<itemizedlist>
<listitem>
<para>
- <command>man ldapadd</command> — Describes how to add entries to an LDAP directory.
+ <citerefentry><refentrytitle>ldapadd</refentrytitle><manvolnum>1</manvolnum></citerefentry> — The manual page for the <command>ldapadd</command> command describes how to add entries to an LDAP directory.
</para>
</listitem>
<listitem>
<para>
- <command>man ldapdelete</command> — Describes how to delete entries within an LDAP directory.
+ <citerefentry><refentrytitle>ldapdelete</refentrytitle><manvolnum>1</manvolnum></citerefentry> — The manual page for the <command>ldapdelete</command> command describes how to delete entries within an LDAP directory.
</para>
</listitem>
<listitem>
<para>
- <command>man ldapmodify</command> — Describes how to modify entries within an LDAP directory.
+ <citerefentry><refentrytitle>ldapmodify</refentrytitle><manvolnum>1</manvolnum></citerefentry> — The manual page for the <command>ldapmodify</command> command describes how to modify entries within an LDAP directory.
</para>
</listitem>
<listitem>
<para>
- <command>man ldapsearch</command> — Describes how to search for entries within an LDAP directory.
+ <citerefentry><refentrytitle>ldapsearch</refentrytitle><manvolnum>1</manvolnum></citerefentry> — The manual page for the <command>ldapsearch</command> command describes how to search for entries within an LDAP directory.
</para>
</listitem>
<listitem>
<para>
- <command>man ldappasswd</command> — Describes how to set or change the password of an LDAP user.
+ <citerefentry><refentrytitle>ldappasswd</refentrytitle><manvolnum>1</manvolnum></citerefentry> — The manual page for the <command>ldappasswd</command> command describes how to set or change the password of an LDAP user.
</para>
</listitem>
<listitem>
<para>
- <command>man ldapcompare</command> — Describes how to use the <command>ldapcompare</command> tool.
+ <citerefentry><refentrytitle>ldapcompare</refentrytitle><manvolnum>1</manvolnum></citerefentry> — Describes how to use the <command>ldapcompare</command> tool.
</para>
</listitem>
<listitem>
<para>
- <command>man ldapwhoami</command> — Describes how to use the <command>ldapwhoami</command> tool.
+ <citerefentry><refentrytitle>ldapwhoami</refentrytitle><manvolnum>1</manvolnum></citerefentry> — Describes how to use the <command>ldapwhoami</command> tool.
</para>
</listitem>
<listitem>
<para>
- <command>man ldapmodrdn</command> — Describes how to modify the RDNs of entries.
+ <citerefentry><refentrytitle>ldapmodrdn</refentrytitle><manvolnum>1</manvolnum></citerefentry> — Describes how to modify the RDNs of entries.
</para>
</listitem>
</itemizedlist>
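Review bot: the entries are now phrased two different ways: `ldapadd` through `ldappasswd` read "The manual page for the <command>ldapadd</command> command describes how to ...", while `ldapcompare`, `ldapwhoami` and `ldapmodrdn` keep the old short "Describes how to use the ... tool." Pick one form for the whole list; the shorter "Describes ..." form is what the `slapd` and `slapadd` lists in the following hunks use, so it is the less disruptive choice.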
@@ -1677,7 +1672,7 @@ $DEFAULT_BASE = "dc=example,dc=com";</programlisting>
<itemizedlist>
<listitem>
<para>
- <command>man slapd</command> — Describes command line options for the LDAP server.
+ <citerefentry><refentrytitle>slapd</refentrytitle><manvolnum>8C</manvolnum></citerefentry> — Describes command line options for the LDAP server.
</para>
</listitem>
</itemizedlist>
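Review bot: `<manvolnum>8C</manvolnum>` follows the upstream OpenLDAP section naming, but distribution packages commonly install the page as plain section 8, in which case the `man 8C slapd` invocation that a reader derives from this entry does not resolve. Verify with `man -w slapd` on a system with `openldap-servers` installed and use `<manvolnum>8</manvolnum>` if the file lives under `man8/`; the same applies to the `slapadd`, `slapcat`, `slapindex` and `slappasswd` entries in the next hunk.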
@@ -1689,22 +1684,22 @@ $DEFAULT_BASE = "dc=example,dc=com";</programlisting>
<itemizedlist>
<listitem>
<para>
- <command>man slapadd</command> — Describes command line options used to add entries to a <command>slapd</command> database.
+ <citerefentry><refentrytitle>slapadd</refentrytitle><manvolnum>8C</manvolnum></citerefentry> — Describes command line options used to add entries to a <command>slapd</command> database.
</para>
</listitem>
<listitem>
<para>
- <command>man slapcat</command> — Describes command line options used to generate an LDIF file from a <command>slapd</command> database.
+ <citerefentry><refentrytitle>slapcat</refentrytitle><manvolnum>8C</manvolnum></citerefentry> — Describes command line options used to generate an LDIF file from a <command>slapd</command> database.
</para>
</listitem>
<listitem>
<para>
- <command>man slapindex</command> — Describes command line options used to regenerate an index based upon the contents of a <command>slapd</command> database.
+ <citerefentry><refentrytitle>slapindex</refentrytitle><manvolnum>8C</manvolnum></citerefentry> — Describes command line options used to regenerate an index based upon the contents of a <command>slapd</command> database.
</para>
</listitem>
<listitem>
<para>
- <command>man slappasswd</command> — Describes command line options used to generate user passwords for LDAP directories.
+ <citerefentry><refentrytitle>slappasswd</refentrytitle><manvolnum>8C</manvolnum></citerefentry> — Describes command line options used to generate user passwords for LDAP directories.
</para>
</listitem>
</itemizedlist>
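Review bot: the `slappasswd` description, "generate user passwords for LDAP directories", is unchanged by this hunk but is misleading now that the entry points readers at the man page: the tool's purpose is to produce the hashed value that goes into `olcRootPW` or a `userPassword` attribute (it hashes a secret you supply). Suggest "used to generate hashed password values for use in LDAP directories" so readers do not expect a password generator. The `8C` section question raised on the `slapd` entry applies to all four entries here as well.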
@@ -1716,21 +1711,22 @@ $DEFAULT_BASE = "dc=example,dc=com";</programlisting>
<itemizedlist>
<listitem>
<para>
- <command>man ldap.conf</command> — Describes the format and options available within the configuration file for LDAP clients.
+ <citerefentry><refentrytitle>ldap.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry> — The manual page for the <filename>ldap.conf</filename> file describes the format and options available within the configuration file for LDAP clients.
</para>
</listitem>
<listitem>
<para>
- <command>man slapd-config</command> — Describes the format and options available within the configuration directory.
+ <citerefentry><refentrytitle>slapd-config</refentrytitle><manvolnum>5</manvolnum></citerefentry> — Describes the format and options available within the <filename>/etc/openldap/slapd.d</filename> configuration directory.
</para>
</listitem>
</itemizedlist>
</listitem>
</varlistentry>
</variablelist>
- </section>
- <section id="s3-ldap-additional-resources-web">
- <title>Useful Websites</title>
+
+
+ <bridgehead id="bh-Online_Documentation_OpenLDAP" renderas="sect2">Online Documentation</bridgehead>
+
<variablelist>
<varlistentry>
<term><ulink url="http://www.openldap.org/doc/admin24/" /></term>
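Review bot: three of the added lines around the "Online Documentation" bridgehead are whitespace-only, two of them consecutive; trim them. Otherwise the conversion is sound: `ldap.conf` and `slapd-config` are correctly cited in section 5, and naming the `/etc/openldap/slapd.d` directory in the `slapd-config` entry is a useful addition since the earlier text only says "the configuration directory". Same `renderas` concern as for the first bridgehead in this patch.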
@@ -1794,6 +1790,6 @@ $DEFAULT_BASE = "dc=example,dc=com";</programlisting>
</listitem>
</varlistentry>
</variablelist>
- </section>
+
</section>
</section>
[system-administrators-guide/21] Establishing a Secure Connection
by stephenw
commit 5a06ff2d27e84769d3fab69c729ddedecbb5ff7d
Author: Stephen Wadeley <swadeley(a)redhat.com>
Date: Sat Feb 28 09:53:06 2015 +0100
Establishing a Secure Connection
en-US/OpenLDAP.xml | 324 ++++++++++++++++++++++++++++++++++++++++++++++++++++
1 files changed, 324 insertions(+), 0 deletions(-)
---
diff --git a/en-US/OpenLDAP.xml b/en-US/OpenLDAP.xml
index e4159cc..857030a 100644
--- a/en-US/OpenLDAP.xml
+++ b/en-US/OpenLDAP.xml
@@ -1067,6 +1067,330 @@ Re-enter new password:
Since OpenLDAP 2.3, the <filename class="directory">/etc/openldap/slapd.d/</filename> directory also contains LDAP definitions that were previously located in <filename class="directory">/etc/openldap/schema/</filename>. It is possible to extend the schema used by OpenLDAP to support additional attribute types and object classes using the default schema files as a guide. However, this task is beyond the scope of this chapter. For more information on this topic, see <ulink url="http://www.openldap.org/doc/admin/schema.html" />.
</para>
</section>
+ <section id="s3-establishing_a_secure_connection">
+ <title>Establishing a Secure Connection</title>
+ <indexterm>
+ <primary>OpenLDAP</primary>
+ <secondary>configuration</secondary>
+ <tertiary>TLS</tertiary>
+ </indexterm>
+ <indexterm>
+ <primary>OpenLDAP</primary>
+ <secondary>files</secondary>
+ <tertiary><filename>/etc/openldap/ldap.conf</filename></tertiary>
+ </indexterm>
+ <indexterm>
+ <primary>OpenLDAP</primary>
+ <secondary>files</secondary>
+ <tertiary><filename>/etc/openldap/slapd.d/cn=config.ldif</filename></tertiary>
+ </indexterm>
+ <indexterm>
+ <primary>OpenLDAP</primary>
+ <secondary>security</secondary>
+ </indexterm>
+ <para>
+ OpenLDAP clients and servers can be secured using the Transport Layer Security (TLS) framework. TLS is a cryptographic protocol designed to provide communication security over the network. As noted above, OpenLDAP suite in Red Hat Enterprise Linux 7 uses Mozilla NSS as the TLS implementation.
+ </para>
+ <para>
+ To establish a secure connection using TLS, obtain the required certificates as described in <ulink url="http://www.openldap.org/faq/index.cgi?file=1514"><citetitle pubwork="webpage">How do I use TLS/SSL with Mozilla NSS</citetitle></ulink>. Then, a number of options must be configured on both the client and the server. At a minimum, a server must be configured with the Certificate Authority (CA) certificates and also its own server certificate and private key. The clients must be configured with the name of the file containing all the trusted CA certificates.
+ </para>
+ <para>
+ Typically, a server only needs to sign a single CA certificate. A client may want to connect to a variety of secure servers, therefore it is common to specify a list of several trusted CAs in its configuration.
+ </para>
+ <bridgehead id="br-server_configuration">Server Configuration</bridgehead>
+ <para>
+ This section lists global configuration directives for <systemitem class="daemon">slapd</systemitem> that need to be specified in the <filename>/etc/openldap/slapd.d/cn=config.ldif</filename> file on an OpenLDAP server in order to establish TLS.
+ </para>
+ <para>
+ While the old style configuration uses a single file, normally installed as <filename>/usr/local/etc/openldap/slapd.conf</filename>, the new style uses a slapd backend database to store the configuration. The configuration database normally resides in the <filename class="directory">/usr/local/etc/openldap/slapd.d/</filename> directory.
+ </para>
+ <para>
+ The following directives are also valid for establishing SSL. In addition to TLS directives, you need to enable a port dedicated to SSL on the server side – typically it is port 636. To do so, edit the <filename>/etc/sysconfig/slapd</filename> file and append the <literal>ldaps:///</literal> string to the list of URLs specified with the <option>SLAPD_URLS</option> directive.
+ </para>
+ <variablelist>
+ <varlistentry>
+ <term>
+ <option>olcTLSCACertificateFile</option>
+ </term>
+ <listitem>
+ <para>
+ The <option>olcTLSCACertificateFile</option> directive specifies the file encoded with Privacy-Enhanced Mail (PEM) schema that contains trusted CA certificates. The directive takes the following form:
+ </para>
+ <synopsis><option>olcTLSCACertificateFile</option>: <replaceable>path</replaceable></synopsis>
+ <para>
+ Replace <replaceable>path</replaceable> either with a path to the CA certificate file, or, if you use Mozilla NSS, with a certificate name.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>olcTLSCACertificatePath</option>
+ </term>
+ <listitem>
+ <para>
+ The <option>olcTLSCACertificatePath</option> directive specifies the path to a directory containing individual CA certificates in separate files. This directory must be specially managed with the OpenSSL <application>c_rehash</application> utility that generates symbolic links with the hashed names that point to the actual certificate files. In general, it is simpler to use the <option>olcTLSCACertificateFile</option> directive instead.
+ </para>
+ <para>
+ If Mozilla NSS is used, <option>olcTLSCACertificatePath</option> accepts a path to the Mozilla NSS database (as shown in <xref linkend="ex-using_olcTLSCACertificatePath_with_Mozilla_NSS" />). In such a case, <application>c_rehash</application> is not needed.
+ </para>
+ <para>
+ The directive takes the following form:
+ </para>
+ <synopsis><option>olcTLSCACertificatePath</option>: <replaceable>path</replaceable></synopsis>
+ <para>
+ Replace <replaceable>path</replaceable> with a path to the directory containing the CA certificate files, or with a path to a Mozilla NSS database file.
+ </para>
+ <example id="ex-using_olcTLSCACertificatePath_with_Mozilla_NSS">
+ <title>Using olcTLSCACertificatePath with Mozilla NSS</title>
+ <para>
+ With Mozilla NSS, the <option>olcTLSCACertificatePath</option> directive specifies the path of the directory containing the NSS certificate and key database files. For example:
+ </para>
+ <synopsis><option>olcTLSCACertificatePath</option>: <filename>sql:/home/nssdb/sharednssdb</filename></synopsis>
+ <para>
+ The <command>certutil</command> command is used to add a CA certificate to these NSS database files:
+ </para>
+ <synopsis><command>certutil</command> <option>-d</option> <filename class="directory">sql:/home/nssdb/sharednssdb</filename> <option>-A</option> <option>-n</option> "<replaceable>CA_certificate</replaceable>" <option>-t</option> <literal>CT,,</literal> <option>-a</option> <option>-i</option> <filename>certificate.pem</filename></synopsis>
+ <para>
+ The above command adds a CA certificate stored in a PEM-formatted file named <replaceable>certificate.pem</replaceable>. The <option>-d</option> option specifies the database directory containing the certificate and key database files, the <option>-n</option> option sets a name for the certificate, <option>-t</option> <literal>CT,,</literal> means that the certificate is trusted to be used in TLS clients and servers. The <option>-A</option> option adds an existing certificate to a certificate database, the <option>-a</option> option allows the use of ASCII format for input or output, and the <option>-i</option> option passes the <filename>certificate.pem</filename> input file to the command.
+ </para>
+ </example>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>olcTLSCertificateFile</option>
+ </term>
+ <listitem>
+ <para>
+ The <option>olcTLSCertificateFile</option> directive specifies the file that contains the <systemitem class="daemon">slapd</systemitem> server certificate. The directive takes the following form:
+ </para>
+ <synopsis><option>olcTLSCertificateFile</option>: <replaceable>path</replaceable></synopsis>
+ <para>
+ Replace <replaceable>path</replaceable> with a path to the <systemitem class="daemon">slapd</systemitem> server certificate file, or, if you use Mozilla NSS, with a certificate name.
+ </para>
+ <example id="ex-using_olcTLSCertificateFile_with_Mozilla_NSS">
+ <title>Using olcTLSCertificateFile with Mozilla NSS</title>
+ <para>
+ When using Mozilla NSS with certificate and key database files specified with the <option>olcTLSCACertificatePath</option> directive, <option>olcTLSCertificateFile</option> is used to specify the name of the certificate to use. First, execute the following command to view a list of certificates available in your NSS database file:
+ </para>
+ <synopsis><command>certutil</command> <option>-d</option> <filename class="directory">sql:/home/nssdb/sharednssdb</filename> <option>-L</option></synopsis>
+ <para>
+ Select a certificate from the list and pass its name to <option>olcTLSCertificateFile</option>. For example:
+ </para>
+ <synopsis><command>olcTLSCertificateFile</command> <emphasis>slapd_cert</emphasis></synopsis>
+ </example>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>olcTLSCertificateKeyFile</option>
+ </term>
+ <listitem>
+ <para>
+ The <option>olcTLSCertificateKeyFile</option> directive specifies the file that contains the private key that matches the certificate stored in the file specified with <option>olcTLSCertificateFile</option>. Note that the current implementation does not support encrypted private keys, and therefore the containing file must be sufficiently protected. The directive takes the following form:
+ </para>
+ <synopsis><option>olcTLSCertificateKeyFile</option>: <replaceable>path</replaceable></synopsis>
+ <para>
+ Replace <replaceable>path</replaceable> with a path to the private key file if you use PEM certificates. When using Mozilla NSS, <replaceable>path</replaceable> stands for the name of a file that contains the password for the key for the certificate specified with the <option>olcTLSCertificateFile</option> directive (see <xref linkend="ex-using_olcTLSCertificateKeyFile_with_Mozilla_NSS" />).
+ </para>
+ <example id="ex-using_olcTLSCertificateKeyFile_with_Mozilla_NSS">
+ <title>Using olcTLSCertificateKeyFile with Mozilla NSS</title>
+ <para>
+ When using Mozilla NSS, this directive specifies the name of a file that contains the password for the key for the certificate specified with <option>olcTLSCertificateFile</option>:
+ </para>
+ <synopsis><option>olcTLSCertificateKeyFile</option>: <emphasis>slapd_cert_key</emphasis></synopsis>
+ <para>
+ The <command>modutil</command> command can be used to turn off password protection or to change the password for NSS database files. For example:
+ </para>
+ <synopsis><command>modutil</command> <option>-dbdir</option> <filename class="directory">sql:/home/nssdb/sharednssdb</filename> <option>-changepw</option></synopsis>
+ </example>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ <bridgehead id="br-client_configuration">Client Configuration</bridgehead>
+ <para>
+ Specify the following directives in the <filename>/etc/openldap/ldap.conf</filename> configuration file on the client system. Most of these directives are parallel to the server configuration options. Directives in<filename>/etc/openldap/ldap.conf</filename> are configured on a system-wide basis, however, individual users may override them in their <filename>~/.ldaprc</filename> files.
+ </para>
+ <para>
+ The same directives can be used to establish an SSL connection. The <literal>ldaps://</literal> string must be used instead of <literal>ldap://</literal> in OpenLDAP commands such as <command>ldapsearch</command>. This forces commands to use the default port for SSL, port 636, configured on the server.
+ </para>
+ <variablelist>
+ <varlistentry>
+ <term>
+ <option>TLS_CACERT</option>
+ </term>
+ <listitem>
+ <para>
+ The <option>TLS_CACERT</option> directive specifies a file containing certificates for all of the Certificate Authorities the client will recognize. This is equivalent to the <option>olcTLSCACertificateFile</option> directive on a server. <option>TLS_CACERT</option> should always be specified before <option>TLS_CACERTDIR</option> in <filename>/etc/openldap/ldap.conf</filename>. The directive takes the following form:
+ </para>
+ <synopsis><option>TLS_CACERT</option> <replaceable>path</replaceable></synopsis>
+ <para>
+ Replace <replaceable>path</replaceable> with a path to the CA certificate file.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>TLS_CACERTDIR</option>
+ </term>
+ <listitem>
+ <para>
+ The <option>TLS_CACERTDIR</option> directive specifies the path to a directory that contains Certificate Authority certificates in separate files. As with <option>olcTLSCACertificatePath</option> on a server, the specified directory must be managed with the OpenSSL <application>c_rehash</application> utility. Path to Mozilla NSS database file is also accepted, <application>c_rehash</application> is not needed in such case. The directive takes the following form:
+ </para>
+ <synopsis><option>TLS_CACERTDIR</option> <replaceable>directory</replaceable></synopsis>
+ <para>
+ Replace <replaceable>directory</replaceable> with a path to the directory containing CA certificate files. With Mozilla NSS, <replaceable>directory</replaceable> stands for a path to the certificate or key database file.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>TLS_CERT</option>
+ </term>
+ <listitem>
+ <para>
+ The <option>TLS_CERT</option> specifies the file that contains a client certificate. This directive can only be specified in a user's <filename>~/.ldaprc</filename> file. With Mozilla NSS, this directive specifies the name of the certificate to be chosen from the database specified with the aforementioned <option>TLS_CACERTDIR</option> directive. The directive takes the following form:
+ </para>
+ <synopsis><option>TLS_CERT</option> <replaceable>path</replaceable></synopsis>
+ <para>
+ Replace <replaceable>path</replaceable> with a path to the client certificate file, or with a name of a certificate from the NSS database.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>TLS_KEY</option>
+ </term>
+ <listitem>
+ <para>
+ The <option>TLS_KEY</option> specifies the file that contains the private key that matches the certificate stored in the file specified with the <option>TLS_CERT</option> directive. As with <option>olcTLSCertificateFile</option> on a server, encrypted key files are not supported, so the file itself must be carefully protected. This option is only configurable in a user's <filename>~/.ldaprc</filename> file.
+ </para>
+ <para>
+ When using Mozilla NSS, <option>TLS_KEY</option> specifies the name of a file that contains the password for the private key that protects the certificate specified with the <option>TLS_CERT</option> directive. Similarly to the <option>olcTLSCertificateKeyFile</option> directive on a server (see <xref linkend="ex-using_olcTLSCertificateKeyFile_with_Mozilla_NSS" />), you can use the <command>modutil</command> command to manage this password.
+ </para>
+ <para>
+ The <option>TLS_KEY</option> directive takes the following form:
+ </para>
+ <synopsis><option>TLS_KEY</option> <replaceable>path</replaceable></synopsis>
+ <para>
+ Replace <replaceable>path</replaceable> with a path to the client certificate file or with a name of the password file in the NSS database.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </section>
+ <section id="s3-setting_up_replication">
+ <title>Setting Up Replication</title>
+ <indexterm>
+ <primary>OpenLDAP</primary>
+ <secondary>configuration</secondary>
+ <tertiary>TLS</tertiary>
+ </indexterm>
+ <indexterm>
+ <primary>OpenLDAP</primary>
+ <secondary>directories</secondary>
+ <tertiary><filename class="directory">/etc/openldap/slapd.d/</filename></tertiary>
+ </indexterm>
+ <indexterm>
+ <primary>OpenLDAP</primary>
+ <secondary>replication</secondary>
+ </indexterm>
+ <para>
+ Replication is the process of copying updates from one LDAP server (<emphasis>provider</emphasis>) to one or more other servers or clients (<emphasis>consumers</emphasis>). A provider replicates directory updates to consumers, the received updates can be further propagated by the consumer to other servers, so a consumer can also act simultaneously as a provider. Also, a consumer does not have to be an LDAP server, it may be just an LDAP client. In OpenLDAP, you can use several replication modes, most notable are <emphasis>mirror</emphasis> and <emphasis>sync</emphasis>. For more information on OpenLDAP replication modes, see the <emphasis>OpenLDAP Software Administrator's Guide</emphasis> installed with <package>openldap-servers</package> package (see <xref linkend="bh-Installed_Documentation_OpenLDAP" />).
+ </para>
+ <para>
+ To enable a chosen replication mode, use one of the following directives in <filename class="directory">/etc/openldap/slapd.d/</filename> on both provider and consumers.
+ </para>
+ <variablelist>
+ <varlistentry>
+ <term>
+ <option>olcMirrorMode</option>
+ </term>
+ <listitem>
+ <para>
+ The <option>olcMirrorMode</option> directive enables the mirror replication mode. It takes the following form:
+ </para>
+ <synopsis><option>olcMirrorMode</option> <option>on</option></synopsis>
+ <para>
+ This option needs to be specified both on provider and consumers. Also a <option>serverID</option> must be specified along with <option>syncrepl</option> options. Find a detailed example in the <emphasis>18.3.4. MirrorMode</emphasis> section of the <emphasis>OpenLDAP Software Administrator's Guide</emphasis> (see <xref linkend="bh-Installed_Documentation_OpenLDAP" />).
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>olcSyncrepl</option>
+ </term>
+ <listitem>
+ <para>
+ The <option>olcSyncrepl</option> directive enables the sync replication mode. It takes the following form:
+ </para>
+ <synopsis><option>olcSyncrepl</option> <option>on</option></synopsis>
+ <para>
+ The sync replication mode requires a specific configuration on both the provider and the consumers. This configuration is thoroughly described in the <emphasis>18.3.1. Syncrepl</emphasis> section of the <emphasis>OpenLDAP Software Administrator's Guide</emphasis> (see <xref linkend="bh-Installed_Documentation_OpenLDAP" />).
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </section>
+ <section id="s3-loading_modules_or_backends">
+ <title>Loading Modules and Backends</title>
+ <indexterm>
+ <primary>OpenLDAP</primary>
+ <secondary>configuration</secondary>
+ <tertiary>TLS</tertiary>
+ </indexterm>
+ <indexterm>
+ <primary>OpenLDAP</primary>
+ <secondary>directories</secondary>
+ <tertiary><filename class="directory">/etc/openldap/slapd.d/</filename></tertiary>
+ </indexterm>
+ <indexterm>
+ <primary>OpenLDAP</primary>
+ <secondary>modules</secondary>
+ </indexterm>
+ <indexterm>
+ <primary>OpenLDAP</primary>
+ <secondary>backends</secondary>
+ </indexterm>
+ <para>
+ You can enhance the <systemitem class="daemon">slapd</systemitem> service with dynamically loaded modules. Support for these modules must be enabled with the <option>--enable-modules</option> option when configuring <systemitem class="daemon">slapd</systemitem>. Modules are stored in files with the <emphasis>.la</emphasis> extension:
+ </para>
+ <synopsis><replaceable>module_name</replaceable>.la</synopsis>
+ <para>
+ <firstterm>Backends</firstterm> store or retrieve data in response to LDAP requests. Backends may be compiled statically into <systemitem class="daemon">slapd</systemitem>, or when module support is enabled, they may be dynamically loaded. In the latter case, the following naming convention is applied:
+ </para>
+ <synopsis>back_<replaceable>backend_name</replaceable>.la</synopsis>
+ <para>
+ To load a module or a backend, use the following directive in <filename class="directory">/etc/openldap/slapd.d/</filename>:
+ </para>
+ <variablelist>
+ <varlistentry>
+ <term>
+ <option>olcModuleLoad</option>
+ </term>
+ <listitem>
+ <para>
+ The <option>olcModuleLoad</option> directive specifies a dynamically loadable module to load. It takes the following form:
+ </para>
+ <synopsis><option>olcModuleLoad</option>: <replaceable>module</replaceable></synopsis>
+ <para>
+ Here, <replaceable>module</replaceable> stands either for a file containing the module, or a backend, that will be loaded.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </section>
+ </section>
+ <section id="s2-selinux-openldap">
+ <title>SELinux Policy for Applications Using LDAP</title>
+ <para>
+ SELinux is an implementation of a mandatory access control mechanism in the Linux kernel. By default, SELinux prevents applications from accessing an OpenLDAP server. To enable authentication through LDAP, which is required by several applications, the <systemitem>allow_ypbind</systemitem> SELinux Boolean needs to be enabled. Certain applications also demand an enabled <systemitem>authlogin_nsswitch_use_ldap</systemitem> Boolean in this scenario. Execute the following commands to enable the aforementioned Booleans:
+ </para>
+ <synopsis>~]# <command>setsebool</command> <option>-P</option> <option>allow_ypbind</option>=<literal>1</literal></synopsis>
+ <synopsis>~]# <command>setsebool</command> <option>-P</option> <option>authlogin_nsswitch_use_ldap</option>=<literal>1</literal></synopsis>
+ <para>
+ The <option>-P</option> option makes this setting persistent across system reboots. See the <ulink url="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/...">Red Hat Enterprise Linux 7 SELinux User's and Administrator's Guide</ulink> for more detailed information about SELinux.
+ </para>
</section>
<section id="s2-ldap-running">
<title>Running an OpenLDAP Server</title>
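Review bot: the first indexterm of the new "Loading Modules and Backends" section carries `<tertiary>TLS</tertiary>`, which looks copied from the TLS section and will index this section under the wrong term; the last two indexterms (modules, backends) already cover it, so drop the TLS entry. The olcSyncrepl synopsis `<option>olcSyncrepl</option> <option>on</option>` does not follow the `directive: value` form used by `<option>olcModuleLoad</option>: <replaceable>module</replaceable>` in the same hunk; make the two consistent. The ulink in the SELinux section ends in `.../7/...`, so the URL is truncated and needs to be completed before this builds.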
[system-administrators-guide/21] More style & markup improvements to OpenLDAP
by stephenw
commit bfe81301855223720db4c442823123a578a355a7
Author: Stephen Wadeley <swadeley(a)redhat.com>
Date: Sat Feb 28 09:52:03 2015 +0100
More style & markup improvements to OpenLDAP
en-US/OpenLDAP.xml | 30 ++++++++++++++++--------------
1 files changed, 16 insertions(+), 14 deletions(-)
---
diff --git a/en-US/OpenLDAP.xml b/en-US/OpenLDAP.xml
index 364c5fd..e4159cc 100644
--- a/en-US/OpenLDAP.xml
+++ b/en-US/OpenLDAP.xml
@@ -1102,13 +1102,14 @@ Re-enter new password:
<secondary>stopping</secondary>
</indexterm>
<para>
- To stop the running <systemitem class="service">slapd</systemitem> service, type the following at a shell prompt as <systemitem class="username">root</systemitem>:
+ To stop the running <systemitem class="service">slapd</systemitem> service in the current session, type the following at a shell prompt as <systemitem class="username">root</systemitem>:
</para>
- <screen><command>systemctl stop slapd.service</command></screen>
+ <screen>~]# <command>systemctl stop slapd.service</command></screen>
<para>
- To prevent the service from starting automatically at the boot time, type:
+ To prevent the service from starting automatically at the boot time, type as <systemitem class="username">root</systemitem>:
</para>
- <screen><command>systemctl disable slapd.service</command></screen>
+ <screen>~]# <command>systemctl disable slapd.service</command>
+rm '/etc/systemd/system/multi-user.target.wants/slapd.service'</screen>
<para>
See <xref linkend="ch-Services_and_Daemons" /> for more information on how to configure services in &MAJOROS;.
</para>
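Review bot: the output line `rm '/etc/systemd/system/multi-user.target.wants/slapd.service'` added to the disable screen is version-specific (newer systemd prints a different message or nothing), so either introduce it as sample output or drop it to avoid readers thinking the command failed when it differs. Minor style: "at the boot time" in the added para should read "at boot time".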
@@ -1122,21 +1123,22 @@ Re-enter new password:
<para>
To restart the running <systemitem class="service">slapd</systemitem> service, type the following at a shell prompt as <systemitem class="username">root</systemitem>:
</para>
- <screen><command>systemctl restart slapd.service</command></screen>
+ <screen>~]# <command>systemctl restart slapd.service</command></screen>
<para>
- This stops the service, and then starts it again. Use this command to reload the configuration.
+ This stops the service and immediately starts it again. Use this command to reload the configuration.
</para>
</section>
<section id="s3-ldap-running-status">
- <title>Checking the Service Status</title>
+ <title>Verifying the Service Status</title>
<indexterm>
<primary>OpenLDAP</primary>
<secondary>checking status</secondary>
</indexterm>
<para>
- To check whether the service is running, type the following at a shell prompt:
+ To verify that the <systemitem class="service">slapd</systemitem> service is running, type the following at a shell prompt:
</para>
- <screen><command>systemctl is-active slapd.service</command></screen>
+ <screen>~]$ <command>systemctl is-active slapd.service</command>
+active</screen>
</section>
</section>
<section id="s2-ldap-pam">
@@ -1144,7 +1146,7 @@ Re-enter new password:
<para>
In order to configure a system to authenticate using OpenLDAP, make sure that the appropriate packages are installed on both LDAP server and client machines. For information on how to set up the server, follow the instructions in <xref linkend="s2-ldap-installation" /> and <xref linkend="s2-ldap-configuration" />. On a client, type the following at a shell prompt as <systemitem class="username">root</systemitem>:
</para>
- <screen><command>yum install openldap openldap-clients nss-pam-ldapd</command></screen>
+ <screen>~]# <command>yum install openldap openldap-clients nss-pam-ldapd</command></screen>
<section id="s3-ldap-migrationtools">
<title>Migrating Old Authentication Information to LDAP Format</title>
@@ -1155,7 +1157,7 @@ Re-enter new password:
<para>
The <package>migrationtools</package> package provides a set of shell and Perl scripts to help you migrate authentication information into an LDAP format. To install this package, type the following at a shell prompt as <systemitem class="username">root</systemitem>:
</para>
- <screen><command>yum install migrationtools</command></screen>
+ <screen>~]# <command>yum install migrationtools</command></screen>
<para>
This will install the scripts to the <filename class="directory">/usr/share/migrationtools/</filename> directory. Once installed, edit the <filename>/usr/share/migrationtools/migrate_common.ph</filename> file and change the following lines to reflect the correct domain, for example:
</para>
@@ -1167,10 +1169,10 @@ $DEFAULT_BASE = "dc=example,dc=com";</programlisting>
<para>
Alternatively, you can specify the environment variables directly on the command line. For example, to run the <filename>migrate_all_online.sh</filename> script with the default base set to <literal>dc=example,dc=com</literal>, type:
</para>
- <screen><command>export DEFAULT_BASE="dc=example,dc=com" \</command>
+ <screen>~]# <command>export DEFAULT_BASE="dc=example,dc=com" \</command>
<command>/usr/share/migrationtools/migrate_all_online.sh</command></screen>
<para>
- To decide which script to run in order to migrate the user database, refer to <xref linkend="table-ldap-migrationtools"/>.
+ To decide which script to run in order to migrate the user database, see <xref linkend="table-ldap-migrationtools"/>.
</para>
<table id="table-ldap-migrationtools">
<title>Commonly used LDAP migration scripts</title>
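Review bot: the continuation backslash in `export DEFAULT_BASE="dc=example,dc=com" \` joins the following line into the export command, so the shell treats `/usr/share/migrationtools/migrate_all_online.sh` as a second argument to export (an invalid variable name) and the script is never run. Either drop the backslash so the two lines are separate commands, or prefix the assignment to the invocation: `DEFAULT_BASE="dc=example,dc=com" /usr/share/migrationtools/migrate_all_online.sh`.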
@@ -1262,7 +1264,7 @@ $DEFAULT_BASE = "dc=example,dc=com";</programlisting>
</tgroup>
</table>
<para>
- For more information on how to use these scripts, refer to the <filename>README</filename> and the <filename>migration-tools.txt</filename> files in the <filename>/usr/share/doc/migrationtools/</filename> directory.
+ For more information on how to use these scripts, see the <filename>README</filename> and the <filename>migration-tools.txt</filename> files in the <filename>/usr/share/doc/migrationtools/</filename> directory.
</para>
</section>
</section>
[system-administrators-guide/21] Typos, markup, and style
by stephenw
commit b581bbec95e538882a7141a9f6f4fffc884981b2
Author: Stephen Wadeley <swadeley(a)redhat.com>
Date: Sat Feb 28 09:42:28 2015 +0100
Typos, markup, and style
en-US/OpenLDAP.xml | 34 +++++++++++++++++-----------------
1 files changed, 17 insertions(+), 17 deletions(-)
---
diff --git a/en-US/OpenLDAP.xml b/en-US/OpenLDAP.xml
index 2df8b14..364c5fd 100644
--- a/en-US/OpenLDAP.xml
+++ b/en-US/OpenLDAP.xml
@@ -34,12 +34,12 @@
<section id="s2-ldap-introduction">
<title>Introduction to LDAP</title>
<para>
- Using a client/server architecture, LDAP provides reliable means to create a central information directory accessible from the network. When a client attempts to modify information within this directory, the server verifies the user has permission to make the change, and then adds or updates the entry as requested. To ensure the communication is secure, the <firstterm>Secure Sockets Layer</firstterm> (<acronym>SSL</acronym>) or <firstterm>Transport Layer Security</firstterm> (<acronym>TLS</acronym>) cryptographic protocols can be used to prevent an attacker from intercepting the transmission.
+ Using a client-server architecture, LDAP provides a reliable means to create a central information directory accessible from the network. When a client attempts to modify information within this directory, the server verifies the user has permission to make the change, and then adds or updates the entry as requested. To ensure the communication is secure, the <firstterm>Transport Layer Security</firstterm> (<acronym>TLS</acronym>) cryptographic protocol can be used to prevent an attacker from intercepting the transmission.
</para>
<important>
<title>Using Mozilla NSS</title>
<para>
- The OpenLDAP suite in &MAJOROSVER; no longer uses OpenSSL. Instead, it uses the Mozilla implementation of <firstterm>Network Security Services</firstterm> (<acronym>NSS</acronym>). OpenLDAP continues to work with existing certificates, keys, and other TLS configuration. For more information on how to configure it to use Mozilla certificate and key database, refer to <ulink url="http://www.openldap.org/faq/index.cgi?file=1514"><citetitle pubwork="webpage">How do I use TLS/SSL with Mozilla NSS</citetitle></ulink>.
+ The OpenLDAP suite in &MAJOROSVER; no longer uses OpenSSL. Instead, it uses the Mozilla implementation of <firstterm>Network Security Services</firstterm> (<acronym>NSS</acronym>). OpenLDAP continues to work with existing certificates, keys, and other TLS configuration. For more information on how to configure it to use Mozilla certificate and key database, see <ulink url="http://www.openldap.org/faq/index.cgi?file=1514"><citetitle pubwork="webpage">How do I use TLS/SSL with Mozilla NSS</citetitle></ulink>.
</para>
</important>
<para>
@@ -80,7 +80,7 @@
Information directly associated with an entry. For example, if an organization is represented as an LDAP entry, attributes associated with this organization might include an address, a fax number, etc. Similarly, people can be represented as entries with common attributes such as personal telephone number or email address.
</para>
<para>
- An attribute can either have a single value, or an unordered space-separated list of values. While certain attributes are optional, other are required. Required attributes are specified using the <option>objectClass</option> definition, and can be found in schema files located in the <filename class="directory">/etc/openldap/slapd.d/cn=config/cn=schema/</filename> directory.
+ An attribute can either have a single value, or an unordered space-separated list of values. While certain attributes are optional, others are required. Required attributes are specified using the <option>objectClass</option> definition, and can be found in schema files located in the <filename class="directory">/etc/openldap/slapd.d/cn=config/cn=schema/</filename> directory.
</para>
<para>
The assertion of an attribute and its corresponding value is also referred to as a <firstterm>Relative Distinguished Name</firstterm> (<acronym>RDN</acronym>). Unlike distinguished names that are unique globally, a relative distinguished name is only unique per entry.
@@ -315,9 +315,9 @@
<para>
For example, to perform the basic LDAP server installation, type the following at a shell prompt as <systemitem class="username">root</systemitem>:
</para>
- <screen><command>yum install openldap openldap-clients openldap-servers</command></screen>
+ <screen>~]# <command>yum install openldap openldap-clients openldap-servers</command></screen>
<para>
- Note that you must have superuser privileges (that is, you must be logged in as <systemitem class="username">root</systemitem>) to run this command. For more information on how to install new packages in &MAJOROS;, refer to <xref linkend="sec-Installing" />.
+ Note that you must have superuser privileges (that is, you must be logged in as <systemitem class="username">root</systemitem>) to run this command. For more information on how to install new packages in &MAJOROS;, see <xref linkend="sec-Installing" />.
</para>
<section id="s3-ldap-packages-openldap-servers">
<title>Overview of OpenLDAP Server Utilities</title>
@@ -420,7 +420,7 @@
</tgroup>
</table>
<para>
- For a detailed description of these utilities and their usage, refer to the corresponding manual pages as referred to in <xref linkend="s3-ldap-installed-docs" />.
+ For a detailed description of these utilities and their usage, see the corresponding manual pages as referred to in <xref linkend="s3-ldap-installed-docs" />.
</para>
<important>
<title>Make sure the files have correct owner</title>
@@ -434,9 +434,9 @@
<para>
To preserve the data integrity, stop the <systemitem class="service">slapd</systemitem> service before using <command>slapadd</command>, <command>slapcat</command>, or <command>slapindex</command>. You can do so by typing the following at a shell prompt as <systemitem class="username">root</systemitem>:
</para>
- <screen><command>systemctl stop slapd.service</command></screen>
+ <screen>~]# <command>systemctl stop slapd.service</command></screen>
<para>
- For more information on how to start, stop, restart, and check the current status of the <systemitem class="service">slapd</systemitem> service, refer to <xref linkend="s2-ldap-running" />.
+ For more information on how to start, stop, restart, and check the current status of the <systemitem class="service">slapd</systemitem> service, see <xref linkend="s2-ldap-running" />.
</para>
</warning>
</section>
@@ -616,7 +616,7 @@
<para>
Note that OpenLDAP no longer reads its configuration from the <filename>/etc/openldap/slapd.conf</filename> file. Instead, it uses a configuration database located in the <filename class="directory">/etc/openldap/slapd.d/</filename> directory. If you have an existing <filename>slapd.conf</filename> file from a previous installation, you can convert it to the new format by running the following command as <systemitem class="username">root</systemitem>:
</para>
- <screen><command>slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/</command></screen>
+ <screen>~]# <command>slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/</command></screen>
<para>
The <systemitem class="service">slapd</systemitem> configuration consists of LDIF entries organized in a hierarchical directory structure, and the recommended way to edit these entries is to use the server utilities described in <xref linkend="s3-ldap-packages-openldap-servers" />.
</para>
@@ -1015,9 +1015,9 @@
</para>
<programlisting><option>olcRootPW</option>: <replaceable>password</replaceable></programlisting>
<para>
- It accepts either a plain text string, or a hash. To generate a hash, use the <command>slappaswd</command> utility, for example:
+ It accepts either a plain text string, or a hash. To generate a hash, type the following at a shell prompt:
</para>
- <screen>~]$ <command>slappaswd</command>
+ <screen>~]$ <command>slappaswd</command>
New password:
Re-enter new password:
{SSHA}WczWsyPEnMchFf1GRTweq2q7XJcvmSxD</screen>
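Review bot: `slappaswd` in both the prose and the `<screen>` line is a typo for `slappasswd`, and the replacement screen line is identical to the removed one apart from whitespace, so this hunk touches the line without fixing it. Given the commit is "Typos, markup, and style", correct the command name here as well.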
@@ -1064,7 +1064,7 @@ Re-enter new password:
<tertiary><filename class="directory">/etc/openldap/slapd.d/cn=config/cn=schema/</filename></tertiary>
</indexterm>
<para>
- Since OpenLDAP 2.3, the <filename class="directory">/etc/openldap/slapd.d/</filename> directory also contains LDAP definitions that were previously located in <filename class="directory">/etc/openldap/schema/</filename>. It is possible to extend the schema used by OpenLDAP to support additional attribute types and object classes using the default schema files as a guide. However, this task is beyond the scope of this chapter. For more information on this topic, refer to <ulink url="http://www.openldap.org/doc/admin/schema.html" />.
+ Since OpenLDAP 2.3, the <filename class="directory">/etc/openldap/slapd.d/</filename> directory also contains LDAP definitions that were previously located in <filename class="directory">/etc/openldap/schema/</filename>. It is possible to extend the schema used by OpenLDAP to support additional attribute types and object classes using the default schema files as a guide. However, this task is beyond the scope of this chapter. For more information on this topic, see <ulink url="http://www.openldap.org/doc/admin/schema.html" />.
</para>
</section>
</section>
@@ -1075,7 +1075,7 @@ Re-enter new password:
<see>OpenLDAP</see>
</indexterm>
<para>
- This section describes how to start, stop, restart, and check the current status of the <application>Standalone LDAP Daemon</application>. For more information on how to manage system services in general, refer to <xref linkend="ch-Services_and_Daemons" />.
+ This section describes how to start, stop, restart, and check the current status of the <application>Standalone LDAP Daemon</application>. For more information on how to manage system services in general, see <xref linkend="ch-Services_and_Daemons" />.
</para>
<section id="s3-ldap-running-starting">
<title>Starting the Service</title>
@@ -1084,13 +1084,13 @@ Re-enter new password:
<secondary>running</secondary>
</indexterm>
<para>
- To run the <systemitem class="service">slapd</systemitem> service, type the following at a shell prompt as <systemitem class="username">root</systemitem>:
+ To start the <systemitem class="service">slapd</systemitem> service in the current session, type the following at a shell prompt as <systemitem class="username">root</systemitem>:
</para>
- <screen><command>systemctl start slapd.service</command></screen>
+ <screen>~]# <command>systemctl start slapd.service</command></screen>
<para>
- If you want the service to start automatically at the boot time, use the following command:
+ To configure the service to start automatically at the boot time, use the following command as <systemitem class="username">root</systemitem>:
</para>
- <screen><command>systemctl enable slapd.service</command></screen>
+ <screen>~]# <command>systemctl enable slapd.service</command></screen>
<para>
See <xref linkend="ch-Services_and_Daemons" /> for more information on how to configure services in &MAJOROS;.
</para>
[system-administrators-guide/21] mod_ldap contains mod_authz_ldap
by stephenw
commit 00dd5b598e0f4c87544b14251d69965859b309f2
Author: Stephen Wadeley <swadeley(a)redhat.com>
Date: Sat Feb 28 09:19:04 2015 +0100
mod_ldap contains mod_authz_ldap
Package contains modules previously a package
en-US/OpenLDAP.xml | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
---
diff --git a/en-US/OpenLDAP.xml b/en-US/OpenLDAP.xml
index 192795d..2df8b14 100644
--- a/en-US/OpenLDAP.xml
+++ b/en-US/OpenLDAP.xml
@@ -297,11 +297,11 @@
</row>
<row>
<entry>
- <package>mod_authz_ldap</package>
+ <package>mod_ldap</package>
</entry>
<entry>
<para>
- A package containing <systemitem class="resource">mod_authz_ldap</systemitem>, the LDAP authorization module for the Apache HTTP Server. This module uses the short form of the distinguished name for a subject and the issuer of the client SSL certificate to determine the distinguished name of the user within an LDAP directory. It is also capable of authorizing users based on attributes of that user's LDAP directory entry, determining access to assets based on the user and group privileges of the asset, and denying access for users with expired passwords. Note that the <systemitem class="resource">mod_ssl</systemitem> module is required when using the <systemitem class="resource">mod_authz_ldap</systemitem> module.
+ A package containing the <systemitem class="resource">mod_authnz_ldap</systemitem> and <systemitem class="resource">mod_ldap</systemitem> modules. The <systemitem class="resource">mod_authnz_ldap</systemitem> module is the LDAP authorization module for the Apache HTTP Server. This module can authenticate users' credentials against an LDAP directory, and can enforce access control based on the user name, full DN, group membership, an arbitrary attribute, or a complete filter string. The <systemitem class="resource">mod_ldap</systemitem> module contained in the same package provides a configurable shared memory cache, to avoid repeated directory access across many HTTP requests, and also support for SSL/TLS.
</para>
</entry>
</row>
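Review bot: the new description calls `mod_authnz_ldap` "the LDAP authorization module" and in the next sentence says it authenticates users' credentials; call it the authentication and authorization module so the name and the description agree. The commit title says `mod_authz_ldap` while the hunk names `mod_authnz_ldap`; the hunk is right, the title should match.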
[system-administrators-guide] grub can have: linux, linux, or linuxefi
by stephenw
commit c0ea26e71a19b1023ee308a86b076db7e617e564
Author: Stephen Wadeley <swadeley(a)redhat.com>
Date: Wed Mar 4 08:44:34 2015 +0100
grub can have: linux, linux, or linuxefi
en-US/Working_with_the_GRUB_2_Boot_Loader.xml | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
---
diff --git a/en-US/Working_with_the_GRUB_2_Boot_Loader.xml b/en-US/Working_with_the_GRUB_2_Boot_Loader.xml
index f59a3b6..8a3d2d9 100644
--- a/en-US/Working_with_the_GRUB_2_Boot_Loader.xml
+++ b/en-US/Working_with_the_GRUB_2_Boot_Loader.xml
@@ -703,7 +703,7 @@ For more information on adding kernel options, see <xref linkend="sec-Editing_an
</step>
<step>
<para>
- Add the following parameter at the end of the <literal>linux16</literal> line, or <literal>linuxefi</literal> on UEFI systems:
+ Add the following parameter at the end of the <literal>linux</literal> line on 64-Bit IBM Power Series, the <literal>linux16</literal> line on x86-64 BIOS-based systems, or the <literal>linuxefi</literal> line on UEFI systems:
</para>
<screen>systemd.unit=emergency.target</screen>
<para>
[system-administrators-guide] Update to "Resetting root password"
by stephenw
commit 271650cdb072474b467fad714ac2fb63b21bb9ca
Author: Stephen Wadeley <swadeley(a)redhat.com>
Date: Wed Mar 4 08:41:38 2015 +0100
Update to "Resetting root password"
replace bin/sh method with boot disk method
en-US/Working_with_the_GRUB_2_Boot_Loader.xml | 103 ++++++++++++-------------
1 files changed, 50 insertions(+), 53 deletions(-)
---
diff --git a/en-US/Working_with_the_GRUB_2_Boot_Loader.xml b/en-US/Working_with_the_GRUB_2_Boot_Loader.xml
index 8c62014..f59a3b6 100644
--- a/en-US/Working_with_the_GRUB_2_Boot_Loader.xml
+++ b/en-US/Working_with_the_GRUB_2_Boot_Loader.xml
@@ -726,93 +726,79 @@ For more information on adding kernel options, see <xref linkend="sec-Editing_an
<title>Changing and Resetting the Root Password</title>
<para>
Setting up the <systemitem class="username">root</systemitem> password is a mandatory part of the Fedora installation. If you forget or lose the <systemitem class="username">root</systemitem> password it is possible to reset it, however users who are members of the wheel group can change the <systemitem class="username">root</systemitem> password as follows:
- <screen>~$ <command>sudo passwd root</command></screen>
+ <screen>~]$ <command>sudo passwd root</command></screen>
</para>
<para>
Note that in GRUB 2, resetting the password is no longer performed in single-user mode as it was in GRUB included in Fedora 15 and Red Hat Enterprise Linux 6. The <systemitem class="username">root</systemitem> password is now required to operate in <literal>single-user</literal> mode as well as in <literal>emergency</literal> mode.
</para>
<para>
- Two procedures for changing the <systemitem class="username">root</systemitem> password are shown here. The <xref linkend="proc-Resetting_the_Root_Password_Using_bin_sh" /> procedure creates a shell, in a changed <systemitem class="username">root</systemitem> environment, using <command>init=/bin/sh</command>. It is the shorter of the two procedures and does not require an SELinux relabel, which can be time consuming. But this procedure will not work if you have a USB keyboard, encrypted file systems, and does not work in certain virtual machines or systems. The <xref linkend="proc-Resetting_the_Root_Password_Using_rd.break" /> procedure makes use of <command>rd.break</command> to interrupt the boot process before control is passed from <systemitem>initramfs</systemitem> to <systemitem class="service">systemd</systemitem>. The disadvantage of this method is that you have to then change <systemitem class="username">root</systemitem> using the <command>sysroot</command>
command.</para>
- <procedure id="proc-Resetting_the_Root_Password_Using_bin_sh">
- <title>Resetting the Root Password Using /bin/sh</title>
+ Two procedures for resetting the <systemitem class="username">root</systemitem> password are shown here:</para>
+ <itemizedlist>
+ <listitem>
+ <para>
+ <xref linkend="proc-Resetting_the_Root_Password_Using_an_Installation_Disk" /> takes you to a shell prompt, without having to edit the grub menu. It is the shorter of the two procedures and it is also the recommended method. You can use a server boot disk or a netinstall installation disk.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <xref linkend="proc-Resetting_the_Root_Password_Using_rd.break" /> makes use of <command>rd.break</command> to interrupt the boot process before control is passed from <systemitem>initramfs</systemitem> to <systemitem class="service">systemd</systemitem>. The disadvantage of this method is that it requires more steps, includes having to edit the GRUB menu, and involves choosing between a possibly time consuming SELinux file relabel or changing the SELinux enforcing mode and then restoring the SELinux security context for <filename>/etc/shadow/</filename> when the boot completes.
+ </para>
+ </listitem>
+ </itemizedlist>
+ <procedure id="proc-Resetting_the_Root_Password_Using_an_Installation_Disk">
+ <title>Resetting the Root Password Using an Installation Disk</title>
<step>
<para>
- Start the system and, on the GRUB 2 boot screen, press the <keycap>e</keycap> key for edit.
+ Start the system and when BIOS information is displayed, select the option for a boot menu and select to boot from the installation disk.
</para>
</step>
<step>
<para>
- Remove the <option>rhgb</option> and <option>quiet</option> parameters from the end, or near the end, of the <literal>linux16</literal> line, or <literal>linuxefi</literal> on UEFI systems.
+ Choose <guimenuitem>Troubleshooting</guimenuitem>.
</para>
- <para>
- Press <keycombo><keycap>Ctrl</keycap><keycap>a</keycap></keycombo> and <keycombo><keycap>Ctrl</keycap><keycap>e</keycap></keycombo> to jump to the start and end of the line, respectively. On some systems, <keycap>Home</keycap> and <keycap>End</keycap> might also work.
-</para>
-
- <important>
- <para>
- The <option>rhgb</option> and <option>quiet</option> parameters must be removed in order to enable system messages.
- </para>
- </important>
</step>
<step>
<para>
- Add the following parameter at the end of the <literal>linux16</literal> line, or <literal>linuxefi</literal> on UEFI systems:
- </para>
- <screen>init=/bin/sh</screen>
- <para>
- The Linux <package>kernel</package> will run the <application>/bin/sh</application> shell rather than the system <systemitem class="daemon">init</systemitem> daemon. Therefore, some functions may be limited or missing.
+ Choose <guimenuitem>Rescue a Fedora-Server System</guimenuitem>.
</para>
- <para>
- Note that if a console is specified, the <systemitem>initramfs</systemitem> prompt will appear on the last console specified on the Linux line.
+ </step>
+ <step>
+ <para>
+ Choose <guimenuitem>Continue</guimenuitem> which is the default option. At this point you will be promoted for a passphrase if an encrypted file system is found.
</para>
</step>
<step>
<para>
- Press <keycombo><keycap>Ctrl</keycap><keycap>x</keycap></keycombo> to boot the system with the changed parameters.
- </para>
- <para>
- The shell prompt appears.
+ Press <keycap>OK</keycap> to acknowledge the information displayed until the shell prompt appears.
</para>
</step>
<step>
- <para>
- <!-- Add this step as a result of https://bugzilla.redhat.com/show_bug.cgi?id=1045574#c11 -->
- To preserve the SELinux context of the files that are to be modified, load the SELinux policy into the kernel. Use the <option>-i</option> option as this is the first time the policy is being loaded since boot:
- <screen>sh-4.2# <command>/usr/sbin/load_policy -i</command></screen>
- </para>
- </step>
- <step>
<para>
- The file system is mounted read-only. You will not be allowed to change the password if the file system is not writable.
- </para>
- <para>
- Remount the file system as writable:
- <screen>~]# <command>mount -o remount,rw /</command></screen>
+ Change the file system <systemitem class="username">root</systemitem> as follows:
+ <screen>sh-4.2# <command>chroot /mnt/sysimage</command></screen>
</para>
</step>
<step>
<para>
Enter the <command>passwd</command> command and follow the instructions displayed on the command line to change the <systemitem class="username">root</systemitem> password.
</para>
- <para>
- Note that if the system is not writable, the <application>passwd</application> tool fails with the following error:
- </para>
-<screen>Authentication token manipulation error</screen>
</step>
<step>
<para>
- Remount the file system as read only:
- <screen>~]# <command>mount -o remount,ro /</command></screen>
+ Remove the <filename>autorelable</filename> file to prevent a time consuming SELinux relabel of the disk:
+ <screen>sh-4.2# <command>rm -f /.autorelabel</command></screen>
</para>
</step>
<step>
- <para>
- Enter the <command>exec /sbin/init</command> command to resume the initialization and finish the system boot.
+ <para>
+ Enter the <command>exit</command> command to exit the <command>chroot</command> environment.
</para>
+ </step>
+ <step>
<para>
- Running the <command>exec</command> command with another command specified replaces the shell and creates a new process; <systemitem class="daemon">init</systemitem> in this case.
- </para>
- </step>
+ Enter the <command>exit</command> command again to resume the initialization and finish the system boot.
+ </para>
+ </step>
</procedure>
<procedure id="proc-Resetting_the_Root_Password_Using_rd.break">
<title>Resetting the Root Password Using rd.break</title>
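Review bot: the step `rm -f /.autorelabel` in the new installation-disk procedure removes the relabel trigger without saying why this method does not leave `/etc/shadow` with an incorrect SELinux context, while the rd.break procedure in the same file states that updating the password file does exactly that and requires either a relabel or a `restorecon`. Either add a sentence explaining why the rescue environment preserves the context, or add a `restorecon /etc/shadow` step inside the chroot before exiting, as the rd.break procedure does. Typos in the added text: "promoted for a passphrase" should be "prompted", `<filename>autorelable</filename>` should be `<filename>/.autorelabel</filename>`, and `<filename>/etc/shadow/</filename>` in the list item has a stray trailing slash.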
@@ -837,9 +823,10 @@ For more information on adding kernel options, see <xref linkend="sec-Editing_an
</step>
<step>
<para>
- Add the following parameter at the end of the <literal>linux16</literal> or <literal>linuxefi</literal> on UEFI systems:
- </para>
- <screen>rd.break</screen>
+ Add the following parameters at the end of the <literal>linux</literal> line on 64-Bit IBM Power Series, the <literal>linux16</literal> line on x86-64 BIOS-based systems, or the <literal>linuxefi</literal> line on UEFI systems:
+ <screen>rd.break enforcing=0</screen>
+ Adding the <option>enforcing=0</option> option enables omitting the time consuming SELinux relabeling process.
+ </para>
<para>
The <systemitem>initramfs</systemitem> will stop before passing control to the Linux <package>kernel</package>, enabling you to work with the <systemitem class="username">root</systemitem> file system.
</para>
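Review bot: the context line "The initramfs will stop before passing control to the Linux kernel" has the sequence wrong and contradicts the list item added earlier in this patch, which says control is passed from initramfs to systemd; suggest "before passing control from the initramfs to systemd". For `rd.break enforcing=0`, the added sentence should make clear that `enforcing=0` boots the whole session in permissive mode, so the later step that runs `setenforce 1` and restores the `/etc/shadow` context is required, not optional.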
@@ -858,7 +845,6 @@ For more information on adding kernel options, see <xref linkend="sec-Editing_an
The <systemitem>initramfs</systemitem> <systemitem class="username">switch_root</systemitem> prompt appears.
</para>
</step>
-
<step>
<para>
The file system is mounted read-only on <filename class="directory">/sysroot/</filename>. You will not be allowed to change the password if the file system is not writable.
@@ -892,6 +878,7 @@ For more information on adding kernel options, see <xref linkend="sec-Editing_an
<para>
Updating the password file results in a file with the incorrect SELinux security context. To relabel all files on next system boot, enter the following command:
<screen>sh-4.2# <command>touch /.autorelabel</command></screen>
+Alternatively, to save the time it takes to relabel a large disk, you can omit this step provided you included the <option>enforcing=0</option> option in step 3.
</para>
</step>
<step>
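Review bot: "provided you included the enforcing=0 option in step 3" (and "step 8" in the later hunk) hard-codes step numbers, which DocBook assigns automatically and which this very patch shifts by adding a step at the end of the procedure; put ids on the relevant <step> elements and use <xref> so the references survive further edits. Also, skipping the relabel is only safe if the restorecon and setenforce 1 step added at the end of the procedure is actually performed after the reboot; worth saying so here, since a reader who stops at this step ends up with a permissive system and a mislabeled /etc/shadow, which is what the relabel guards against.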
@@ -920,6 +907,16 @@ Updating the password file results in a file with the incorrect SELinux security
</para>
</note>
</step>
+ <step>
+ <para>
+ If you added the <option>enforcing=0</option> option in step 3 and omitted the <command>touch /.autorelabel</command> command in step 8, enter the following command to restore the <filename>/etc/shadow</filename> file's SELinux security context:
+ <screen>~]# <command>restorcon /etc/shadow</command></screen>
+ Enter the following commands to turn SELinux policy enforcement back on and verify that it is on:
+ <screen>~]# <command>setenforce 1</command>
+~]# <command>getenforce</command>
+Enforcing</screen>
+ </para>
+ </step>
</procedure>
</section>
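Review bot: `restorcon` in the <screen> block is a typo for `restorecon`; as written the command fails with "command not found" on the one step that repairs the label. Consider `restorecon -v /etc/shadow` so the context change is printed, and an `ls -Z /etc/shadow` check before `setenforce 1`, since switching back to enforcing with the label still wrong is the failure mode the relabel step exists to prevent. The hard-coded "step 3" and "step 8" references here should be <xref>s for the same reason as in the earlier hunk.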
[system-administrators-guide] typo
by stephenw
commit a9e6bf597741b81ba3a73ea73fb793309af9f8e2
Author: Stephen Wadeley <swadeley(a)redhat.com>
Date: Mon Mar 2 21:35:00 2015 +0100
typo
en-US/Working_with_the_GRUB_2_Boot_Loader.xml | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
---
diff --git a/en-US/Working_with_the_GRUB_2_Boot_Loader.xml b/en-US/Working_with_the_GRUB_2_Boot_Loader.xml
index 9595034..8c62014 100644
--- a/en-US/Working_with_the_GRUB_2_Boot_Loader.xml
+++ b/en-US/Working_with_the_GRUB_2_Boot_Loader.xml
@@ -852,7 +852,7 @@ For more information on adding kernel options, see <xref linkend="sec-Editing_an
Press <keycombo><keycap>Ctrl</keycap><keycap>x</keycap></keycombo> to boot the system with the changed parameters.
</para>
<para>
- With an encrypted system file system, a password is required at this point. However the password prompt might not appear as it is obscured by logging messages. You can press the <keycap>Backspace</keycap> key to see the prompt. Release the key and enter the password for the encrypted file system, while ignoring the logging messages.
+ With an encrypted file system, a password is required at this point. However the password prompt might not appear as it is obscured by logging messages. You can press the <keycap>Backspace</keycap> key to see the prompt. Release the key and enter the password for the encrypted file system, while ignoring the logging messages.
</para>
<para>
The <systemitem>initramfs</systemitem> <systemitem class="username">switch_root</systemitem> prompt appears.
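Review bot: the fix to "With an encrypted file system" is correct; while touching this line, "However the password prompt" wants a comma after "However", and "password" is used here for the disk encryption passphrase in a procedure that is otherwise about the root password, so "passphrase" would avoid confusing the two.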