[deployment-guide/comm-rel-14: 621/677] Updated the Overview of the LDAP Server Setup section.
Jaromir Hradilek
jhradile at fedoraproject.org
Sun Nov 14 23:54:33 UTC 2010
commit 9526113274ad4a99b0bf9350884433404fcd88ec
Author: Jaromir Hradilek <jhradile at redhat.com>
Date: Fri Oct 22 14:16:14 2010 +0200
Updated the Overview of the LDAP Server Setup section.
.../Lightweight_Directory_Access_Protocol_LDAP.xml | 180 +++++++++-----------
1 files changed, 78 insertions(+), 102 deletions(-)
---
diff --git a/en-US/Lightweight_Directory_Access_Protocol_LDAP.xml b/en-US/Lightweight_Directory_Access_Protocol_LDAP.xml
index 8a488b5..bb772f0 100644
--- a/en-US/Lightweight_Directory_Access_Protocol_LDAP.xml
+++ b/en-US/Lightweight_Directory_Access_Protocol_LDAP.xml
@@ -106,8 +106,41 @@
</listitem>
</itemizedlist>
</section>
+ <section id="s2-ldap-setup">
+ <title>Overview of the LDAP Server Setup</title>
+ <para>
+ The typical steps to set up an LDAP server on &MAJOROS; are as follows:
+ </para>
+ <procedure>
+ <step>
+ <para>
+ Install the OpenLDAP suite. Refer to <xref linkend="s1-ldap-installation" /> for more information on required packages.
+ </para>
+ </step>
+ <step>
+ <para>
+ Edit the LDIF files in the <filename class="directory">/etc/openldap/slapd.d/</filename> directory as described in <xref linkend="s1-ldap-configuration" />.
+ </para>
+ </step>
+ <step>
+ <para>
+ Start the <systemitem class="service">slapd</systemitem> service as described in <xref linkend="s1-ldap-running" />.
+ </para>
+ </step>
+ <step>
+ <para>
+ Use the <command>ldapadd</command> utility to add entries to the LDAP directory.
+ </para>
+ </step>
+ <step>
+ <para>
+ Use the <command>ldapsearch</command> utility to verify that the <systemitem class="service">slapd</systemitem> service is accessing the information correctly.
+ </para>
+ </step>
+ </procedure>
+ </section>
</section>
- <section id="s1-ldap-daemonsutils">
+ <section id="s1-ldap-installation">
<title>Installing the OpenLDAP Suite</title>
<section id="s2-ldap-packages">
<title>Overview of LDAP Packages</title>
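Review bot: Step 2 of the new procedure (the `<step>` pointing at `/etc/openldap/slapd.d/`) tells the reader to edit LDIF files under `slapd.d/`, but the "Editing /etc/openldap/slapd.conf" section that this same patch moves under `s1-ldap-configuration` still describes editing `/etc/openldap/slapd.conf` only, so the overview and the section it links to disagree on which configuration method is in use; either make step 2 say `slapd.conf` or state in the moved section that `slapd.conf` is the legacy method and `slapd.d/` is what the overview expects. Two smaller points: steps 4 and 5 (`ldapadd`, `ldapsearch`) carry no `<xref>` while steps 1 to 3 do, and the `linkend="s1-ldap-running"` target is not introduced anywhere in this diff, so confirm that id exists in the file.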
@@ -465,7 +498,7 @@ Stopping slapd: [ OK ]</screen>
</para>
</section>
</section>
- <section id="s1-ldap-files">
+ <section id="s1-ldap-configuration">
<title>Configuring an OpenLDAP Server</title>
<para>
OpenLDAP configuration files are installed into the <filename>/etc/openldap/</filename> directory. The following is a brief list highlighting the most important directories and files:
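Review bot: Renaming the section id from `s1-ldap-files` to `s1-ldap-configuration` (and `s1-ldap-daemonsutils` to `s1-ldap-installation` in the first hunk) will break any `<xref linkend="s1-ldap-files"/>` or `<xref linkend="s1-ldap-daemonsutils"/>` elsewhere in the guide, and the diff only updates the references inside this one file; before merging, run something like `grep -rn 'linkend="s1-ldap-files"' en-US/` and `grep -rn 'linkend="s1-ldap-daemonsutils"' en-US/` and update or redirect every hit, since a dangling linkend fails the build or renders as an empty reference.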
@@ -545,116 +578,59 @@ include /etc/openldap/schema/redhat/autofs.schema</screen>
Extending the schema to match certain specialized requirements is quite involved and beyond the scope of this chapter. Refer to <ulink url="http://www.openldap.org/doc/admin/schema.html" /> for information.
</para>
</section>
- <section id="s1-ldap-quickstart">
- <title>OpenLDAP Setup Overview</title>
+ <section id="s2-ldap-files-slapd-conf">
+ <title>Editing <filename>/etc/openldap/slapd.conf</filename></title>
<para>
- This section provides a quick overview for installing and configuring an OpenLDAP directory. For more details, refer to the following URLs:
+ To use the <command>slapd</command> LDAP server, modify its configuration file, <filename>/etc/openldap/slapd.conf</filename>, to specify the correct domain and server.
</para>
- <itemizedlist>
- <listitem>
- <para>
- <ulink url="http://www.openldap.org/doc/admin/quickstart.html" /> — The <citetitle>Quick-Start Guide</citetitle> on the OpenLDAP website.
- </para>
- </listitem>
- <listitem>
- <para>
- <ulink url="http://www.tldp.org/HOWTO/LDAP-HOWTO/index.html" /> — The <citetitle>LDAP Linux HOWTO</citetitle> from the Linux Documentation Project.
- </para>
- </listitem>
- </itemizedlist>
<para>
- The basic steps for creating an LDAP server are as follows:
+ The <command>suffix</command> line names the domain for which the LDAP server provides information and should be changed from:
</para>
- <orderedlist>
- <listitem>
- <para>
- Install the <filename>openldap</filename>, <filename>openldap-servers</filename>, and <filename>openldap-clients</filename> RPMs.
- </para>
- </listitem>
- <listitem>
- <para>
- Edit the <filename>/etc/openldap/slapd.conf</filename> file to specify the LDAP domain and server. Refer to <xref linkend="s2-ldap-files-slapd-conf"/> for more information.
- </para>
- </listitem>
- <listitem>
- <para>
- Start <command>slapd</command> with the command:
- </para>
- <screen>/sbin/service ldap start</screen>
- <para>
- After configuring LDAP, use <command>chkconfig</command>, <command>/usr/sbin/ntsysv</command>, or the <application>Services Configuration Tool</application> to configure LDAP to start at boot time. For more information about configuring services, refer to <xref linkend="ch-Controlling_Access_to_Services"/>.
- </para>
- </listitem>
- <listitem>
- <para>
- Add entries to an LDAP directory with <command>ldapadd</command>.
- </para>
- </listitem>
- <listitem>
- <para>
- Use <command>ldapsearch</command> to determine if <command>slapd</command> is accessing the information correctly.
- </para>
- </listitem>
- <listitem>
- <para>
- At this point, the LDAP directory should be functioning properly and can be configured with LDAP-enabled applications.
- </para>
- </listitem>
- </orderedlist>
- <section id="s2-ldap-files-slapd-conf">
- <title>Editing <filename>/etc/openldap/slapd.conf</filename></title>
- <para>
- To use the <command>slapd</command> LDAP server, modify its configuration file, <filename>/etc/openldap/slapd.conf</filename>, to specify the correct domain and server.
- </para>
- <para>
- The <command>suffix</command> line names the domain for which the LDAP server provides information and should be changed from:
- </para>
- <screen>suffix "dc=your-domain,dc=com"</screen>
- <para>
- Edit it accordingly so that it reflects a fully qualified domain name. For example:
- </para>
- <screen>suffix "dc=example,dc=com"</screen>
- <para>
- The <command>rootdn</command> entry is the Distinguished Name (DN) for a user who is unrestricted by access controls or administrative limit parameters set for operations on the LDAP directory. The <command>rootdn</command> user can be thought of as the root user for the LDAP directory. In the configuration file, change the <command>rootdn</command> line from its default value as in the following example:
- </para>
- <screen>rootdn "cn=root,dc=example,dc=com"</screen>
- <para>
- When populating an LDAP directory over a network, change the <command>rootpw</command> line — replacing the default value with an encrypted password string. To create an encrypted password string, type the following command:
- </para>
- <screen>slappasswd</screen>
- <para>
- When prompted, type and then re-type a password. The program prints the resulting encrypted password to the shell prompt.
- </para>
- <para>
- Next, copy the newly created encrypted password into the <filename>/etc/openldap/slapd.conf</filename> on one of the <command>rootpw</command> lines and remove the hash sign (<command>#</command>).
- </para>
+ <screen>suffix "dc=your-domain,dc=com"</screen>
+ <para>
+ Edit it accordingly so that it reflects a fully qualified domain name. For example:
+ </para>
+ <screen>suffix "dc=example,dc=com"</screen>
+ <para>
+ The <command>rootdn</command> entry is the Distinguished Name (DN) for a user who is unrestricted by access controls or administrative limit parameters set for operations on the LDAP directory. The <command>rootdn</command> user can be thought of as the root user for the LDAP directory. In the configuration file, change the <command>rootdn</command> line from its default value as in the following example:
+ </para>
+ <screen>rootdn "cn=root,dc=example,dc=com"</screen>
+ <para>
+ When populating an LDAP directory over a network, change the <command>rootpw</command> line — replacing the default value with an encrypted password string. To create an encrypted password string, type the following command:
+ </para>
+ <screen>slappasswd</screen>
+ <para>
+ When prompted, type and then re-type a password. The program prints the resulting encrypted password to the shell prompt.
+ </para>
+ <para>
+ Next, copy the newly created encrypted password into the <filename>/etc/openldap/slapd.conf</filename> on one of the <command>rootpw</command> lines and remove the hash sign (<command>#</command>).
+ </para>
+ <para>
+ When finished, the line should look similar to the following example:
+ </para>
+ <screen>rootpw {SSHA}vv2y+i6V6esazrIv70xSSnNAJE18bb2u</screen>
+ <warning>
+ <title>Warning</title>
<para>
- When finished, the line should look similar to the following example:
+ LDAP passwords, including the <command>rootpw</command> directive specified in <filename>/etc/openldap/slapd.conf</filename>, are sent over the network <emphasis>unencrypted</emphasis>, unless TLS encryption is enabled.
</para>
- <screen>rootpw {SSHA}vv2y+i6V6esazrIv70xSSnNAJE18bb2u</screen>
- <warning>
- <title>Warning</title>
- <para>
- LDAP passwords, including the <command>rootpw</command> directive specified in <filename>/etc/openldap/slapd.conf</filename>, are sent over the network <emphasis>unencrypted</emphasis>, unless TLS encryption is enabled.
- </para>
- <para>
- To enable TLS encryption, review the comments in <filename>/etc/openldap/slapd.conf</filename> and refer to the man page for <filename>slapd.conf</filename>.
- </para>
- </warning>
<para>
- For added security, the <command>rootpw</command> directive should be commented out after populating the LDAP directory by preceding it with a hash sign (<command>#</command>).
+ To enable TLS encryption, review the comments in <filename>/etc/openldap/slapd.conf</filename> and refer to the man page for <filename>slapd.conf</filename>.
</para>
+ </warning>
+ <para>
+ For added security, the <command>rootpw</command> directive should be commented out after populating the LDAP directory by preceding it with a hash sign (<command>#</command>).
+ </para>
+ <para>
+ When using the <command>/usr/sbin/slapadd</command> command line tool locally to populate the LDAP directory, use of the <command>rootpw</command> directive is not necessary.
+ </para>
+ <important>
+ <title>Important</title>
<para>
- When using the <command>/usr/sbin/slapadd</command> command line tool locally to populate the LDAP directory, use of the <command>rootpw</command> directive is not necessary.
+ Only the root user can use <command>/usr/sbin/slapadd</command>. However, the directory server runs as the <filename>ldap</filename> user. Therefore, the directory server is unable to modify any files created by <command>slapadd</command>. To correct this issue, after using <command>slapadd</command>, type the following command:
</para>
- <important>
- <title>Important</title>
- <para>
- Only the root user can use <command>/usr/sbin/slapadd</command>. However, the directory server runs as the <filename>ldap</filename> user. Therefore, the directory server is unable to modify any files created by <command>slapadd</command>. To correct this issue, after using <command>slapadd</command>, type the following command:
- </para>
- <screen>chown -R ldap /var/lib/ldap</screen>
- </important>
- </section>
+ <screen>chown -R ldap /var/lib/ldap</screen>
+ </important>
</section>
<section id="s1-ldap-pam">
<title>Configuring a System to Authenticate Using OpenLDAP</title>
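Review bot: Deleting the old `s1-ldap-quickstart` section drops three things that the new overview does not carry over: the step about making the service start at boot (`chkconfig`, `ntsysv`, the Services Configuration Tool, with its `<xref linkend="ch-Controlling_Access_to_Services"/>`), the two external references (`http://www.openldap.org/doc/admin/quickstart.html` and the LDAP HOWTO), and the closing note that the directory is then ready for LDAP-enabled applications; move the boot-time step into `s1-ldap-running` and the links into an additional resources section rather than losing them. On the moved `slapd.conf` text, the security guidance survives intact (the `rootpw` line holds the `{SSHA}` hash from `slappasswd`, the TLS warning, and commenting `rootpw` out after population), but since the hash now lives in `/etc/openldap/slapd.conf`, the "Important" block is a natural place to also state that the file should stay readable only by `root` and the `ldap` user; the old `service ldap start` wording versus the new `<systemitem class="service">slapd</systemitem>` should also be reconciled so the overview and the running section name the same service.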