[deployment-guide] Updated the "Directory Servers" chapter for Fedora 15.

Jaromir Hradilek jhradile at fedoraproject.org
Sat May 21 21:17:26 UTC 2011


commit 08cf43cc3e768e1f4a4885a1810e4904ee7a1407
Author: Jaromir Hradilek <jhradile at redhat.com>
Date:   Sat May 21 23:17:16 2011 +0200

    Updated the "Directory Servers" chapter for Fedora 15.

 en-US/OpenLDAP.xml |  112 ++++++++++++++++++++++++++--------------------------
 1 files changed, 56 insertions(+), 56 deletions(-)
---
diff --git a/en-US/OpenLDAP.xml b/en-US/OpenLDAP.xml
index a8ec77e..8e1cbf8 100644
--- a/en-US/OpenLDAP.xml
+++ b/en-US/OpenLDAP.xml
@@ -102,10 +102,10 @@
             <para>
               The <firstterm>LDAP Data Interchange Format</firstterm> (<acronym>LDIF</acronym>) is a plain text representation of an LDAP entry. It takes the following form:
             </para>
-            <screen><optional><replaceable>id</replaceable></optional> dn: <replaceable>distinguished_name</replaceable>
+            <programlisting><optional><replaceable>id</replaceable></optional> dn: <replaceable>distinguished_name</replaceable>
 <replaceable>attribute_type</replaceable>: <replaceable>attribute_value</replaceable>&#8230;
 <replaceable>attribute_type</replaceable>: <replaceable>attribute_value</replaceable>&#8230;
-&#8230;</screen>
+&#8230;</programlisting>
             <para>
               The optional <replaceable>id</replaceable> is a number determined by the application that is used to edit the entry. Each entry can contain as many <replaceable>attribute_type</replaceable> and <replaceable>attribute_value</replaceable> pairs as needed, as long as they are all defined in a corresponding schema file. A blank line indicates the end of an entry.
             </para>
@@ -255,6 +255,7 @@
               A package containing the SQL support module.
             </entry>
           </row>
+          <!-- jhradile: This package is not present in Fedora 15.
           <row>
             <entry>
               <package>compat-openldap</package>
@@ -263,6 +264,7 @@
               A package containing the OpenLDAP compatibility libraries.
             </entry>
           </row>
+          -->
         </tbody>
       </tgroup>
     </table>
@@ -311,9 +313,9 @@
     </para>
     <screen><command>yum</command> <option>install</option> <replaceable>package</replaceable>&#8230;</screen>
     <para>
-      For example, to perform the basic LDAP server installation, type the following at a shell prompt:
+      For example, to perform the basic LDAP server installation, type the following at a shell prompt as <systemitem class="username">root</systemitem>:
     </para>
-    <screen>~]# <command>yum install openldap openldap-clients openldap-servers</command></screen>
+    <screen><command>yum install openldap openldap-clients openldap-servers</command></screen>
     <para>
       Note that you must have superuser privileges (that is, you must be logged in as <systemitem class="username">root</systemitem>) to run this command. For more information on how to install new packages in &MAJOROS;, refer to <xref linkend="sec-Installing" />.
     </para>
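Review bot: With "as root" now in the lead-in sentence for the yum install command, the paragraph that follows ("Note that you must have superuser privileges (that is, you must be logged in as root) to run this command.") states the same requirement a second time. Trim that paragraph down to the cross-reference to sec-Installing, or keep it and drop the phrase added here.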
@@ -425,15 +427,14 @@
         <para>
           Although only <systemitem class="username">root</systemitem> can run <command>slapadd</command>, the <systemitem class="service">slapd</systemitem> service runs as the <systemitem class="username">ldap</systemitem> user. Because of this, the directory server is unable to modify any files created by <command>slapadd</command>. To correct this issue, after running the <command>slapd</command> utility, type the following at a shell prompt:
         </para>
-        <screen>~]# <command>chown -R ldap:ldap /var/lib/ldap</command></screen>
+        <screen><command>chown -R ldap:ldap /var/lib/ldap</command></screen>
       </important>
       <warning>
         <title>Stop slapd before using these utilities</title>
         <para>
-          To preserve the data integrity, stop the <systemitem class="service">slapd</systemitem> service before using <command>slapadd</command>, <command>slapcat</command>, or <command>slapindex</command>. You can do so by typing the following at a shell prompt:
+          To preserve the data integrity, stop the <systemitem class="service">slapd</systemitem> service before using <command>slapadd</command>, <command>slapcat</command>, or <command>slapindex</command>. You can do so by typing the following at a shell prompt as <systemitem class="username">root</systemitem>:
         </para>
-        <screen>~]# <command>service slapd stop</command>
-Stopping slapd:                                            [  OK  ]</screen>
+        <screen><command>systemctl stop slapd.service</command></screen>
         <para>
           For more information on how to start, stop, restart, and check the current status of the <systemitem class="service">slapd</systemitem> service, refer to <xref linkend="s2-ldap-running" />.
         </para>
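Review bot: The chown screen in the important box lost its "~]#" prompt, but its lead-in still ends with "type the following at a shell prompt:" and never says "as root", unlike the slapd stop sentence a few lines below that this same hunk updates. Add the phrase there as well, since the prompt was the only indication that chown -R ldap:ldap /var/lib/ldap is a root command. In the same sentence, "after running the slapd utility" looks like it should name slapadd, which is the utility the paragraph is about.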
@@ -613,9 +614,9 @@ Stopping slapd:                                            [  OK  ]</screen>
       </tgroup>
     </table>
     <para>
-      Note that OpenLDAP no longer reads its configuration from the <filename>/etc/openldap/slapd.conf</filename> file. Instead, it uses a configuration database located in the <filename class="directory">/etc/openldap/slapd.d/</filename> directory. If you have an existing <filename>slapd.conf</filename> file from a previous installation, you can convert it to the new format by running the following command:
+      Note that OpenLDAP no longer reads its configuration from the <filename>/etc/openldap/slapd.conf</filename> file. Instead, it uses a configuration database located in the <filename class="directory">/etc/openldap/slapd.d/</filename> directory. If you have an existing <filename>slapd.conf</filename> file from a previous installation, you can convert it to the new format by running the following command as <systemitem class="username">root</systemitem>:
     </para>
-    <screen>~]# <command>slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/</command></screen>
+    <screen><command>slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/</command></screen>
     <para>
       The <systemitem class="service">slapd</systemitem> configuration consists of LDIF entries organized in a hierarchical directory structure, and the recommended way to edit these entries is to use the server utilities described in <xref linkend="s3-ldap-packages-openldap-servers" />.
     </para>
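Review bot: The slaptest conversion is now explicitly a root command, but nothing after the screen says who should own the resulting /etc/openldap/slapd.d/ tree. The slapadd note earlier in this chapter explains that slapd runs as the ldap user and cannot modify files created by root, so the generated configuration database likely needs an equivalent chown step. Please verify on Fedora 15 and add a sentence after the screen if so.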
@@ -654,7 +655,7 @@ Stopping slapd:                                            [  OK  ]</screen>
             <para>
               The <option>olcAllows</option> directive allows you to specify which features to enable. It takes the following form:
             </para>
-            <screen><option>olcAllows</option>: <replaceable>feature</replaceable>&#8230;</screen>
+            <programlisting><option>olcAllows</option>: <replaceable>feature</replaceable>&#8230;</programlisting>
             <para>
               It accepts a space-separated list of features as described in <xref linkend="table-ldap-configuration-olcallows" />. The default option is <option>bind_v2</option>.
             </para>
@@ -719,7 +720,7 @@ Stopping slapd:                                            [  OK  ]</screen>
             </table>
             <example id="example-ldap-configuration-olcallows">
               <title>Using the olcAllows directive</title>
-              <screen>olcAllows: bind_v2 update_anon</screen>
+              <programlisting>olcAllows: bind_v2 update_anon</programlisting>
             </example>
           </listitem>
         </varlistentry>
@@ -736,13 +737,13 @@ Stopping slapd:                                            [  OK  ]</screen>
             <para>
               The <option>olcConnMaxPending</option> directive allows you to specify the maximum number of pending requests for an anonymous session. It takes the following form:
             </para>
-            <screen><option>olcConnMaxPending</option>: <replaceable>number</replaceable></screen>
+            <programlisting><option>olcConnMaxPending</option>: <replaceable>number</replaceable></programlisting>
             <para>
               The default option is <option>100</option>.
             </para>
             <example id="example-ldap-configuration-olcconnmaxpending">
               <title>Using the olcConnMaxPending directive</title>
-              <screen>olcConnMaxPending: 100</screen>
+              <programlisting>olcConnMaxPending: 100</programlisting>
             </example>
           </listitem>
         </varlistentry>
@@ -759,13 +760,13 @@ Stopping slapd:                                            [  OK  ]</screen>
             <para>
               The <option>olcConnMaxPendingAuth</option> directive allows you to specify the maximum number of pending requests for an authenticated session. It takes the following form:
             </para>
-            <screen><option>olcConnMaxPendingAuth</option>: <replaceable>number</replaceable></screen>
+            <programlisting><option>olcConnMaxPendingAuth</option>: <replaceable>number</replaceable></programlisting>
             <para>
               The default option is <option>1000</option>.
             </para>
             <example id="example-ldap-configuration-olcconnmaxpendingauth">
               <title>Using the olcConnMaxPendingAuth directive</title>
-              <screen>olcConnMaxPendingAuth: 1000</screen>
+              <programlisting>olcConnMaxPendingAuth: 1000</programlisting>
             </example>
           </listitem>
         </varlistentry>
@@ -782,7 +783,7 @@ Stopping slapd:                                            [  OK  ]</screen>
             <para>
               The <option>olcDisallows</option> directive allows you to specify which features to disable. It takes the following form:
             </para>
-            <screen><option>olcDisallows</option>: <replaceable>feature</replaceable>&#8230;</screen>
+            <programlisting><option>olcDisallows</option>: <replaceable>feature</replaceable>&#8230;</programlisting>
             <para>
               It accepts a space-separated list of features as described in <xref linkend="table-ldap-configuration-olcdisallows" />. No features are disabled by default.
             </para>
@@ -839,7 +840,7 @@ Stopping slapd:                                            [  OK  ]</screen>
             </table>
             <example id="example-ldap-configuration-olcdisallows">
               <title>Using the olcDisallows directive</title>
-              <screen>olcDisallows: bind_anon</screen>
+              <programlisting>olcDisallows: bind_anon</programlisting>
             </example>
           </listitem>
         </varlistentry>
@@ -856,13 +857,13 @@ Stopping slapd:                                            [  OK  ]</screen>
             <para>
               The <option>olcIdleTimeout</option> directive allows you to specify how many seconds to wait before closing an idle connection. It takes the following form:
             </para>
-            <screen><option>olcIdleTimeout</option>: <replaceable>number</replaceable></screen>
+            <programlisting><option>olcIdleTimeout</option>: <replaceable>number</replaceable></programlisting>
             <para>
               This option is disabled by default (that is, set to <option>0</option>).
             </para>
             <example id="example-ldap-configuration-olcidletimeout">
               <title>Using the olcIdleTimeout directive</title>
-              <screen>olcIdleTimeout: 180</screen>
+              <programlisting>olcIdleTimeout: 180</programlisting>
             </example>
           </listitem>
         </varlistentry>
@@ -879,13 +880,13 @@ Stopping slapd:                                            [  OK  ]</screen>
             <para>
               The <option>olcLogFile</option> directive allows you to specify a file in which to write log messages. It takes the following form:
             </para>
-            <screen><option>olcLogFile</option>: <replaceable>file_name</replaceable></screen>
+            <programlisting><option>olcLogFile</option>: <replaceable>file_name</replaceable></programlisting>
             <para>
               The log messages are written to standard error by default.
             </para>
             <example id="example-ldap-configuration-olclogfile">
               <title>Using the olcLogFile directive</title>
-              <screen>olcLogFile: /var/log/slapd.log</screen>
+              <programlisting>olcLogFile: /var/log/slapd.log</programlisting>
             </example>
           </listitem>
         </varlistentry>
@@ -902,13 +903,13 @@ Stopping slapd:                                            [  OK  ]</screen>
             <para>
               The <option>olcReferral</option> option allows you to specify a URL of a server to process the request in case the server is not able to handle it. It takes the following form:
             </para>
-            <screen><option>olcReferral</option>: <replaceable>URL</replaceable></screen>
+            <programlisting><option>olcReferral</option>: <replaceable>URL</replaceable></programlisting>
             <para>
               This option is disabled by default.
             </para>
             <example id="example-ldap-configuration-olcreferral">
               <title>Using the olcReferral directive</title>
-              <screen>olcReferral: ldap://root.openldap.org</screen>
+              <programlisting>olcReferral: ldap://root.openldap.org</programlisting>
             </example>
           </listitem>
         </varlistentry>
@@ -925,13 +926,13 @@ Stopping slapd:                                            [  OK  ]</screen>
             <para>
               The <option>olcWriteTimeout</option> option allows you to specify how many seconds to wait before closing a connection with an outstanding write request. It takes the following form:
             </para>
-            <screen><option>olcWriteTimeout</option></screen>
+            <programlisting><option>olcWriteTimeout</option></programlisting>
             <para>
               This option is disabled by default (that is, set to <option>0</option>).
             </para>
             <example id="example-ldap-configuration-olcwritetimeout">
               <title>Using the olcWriteTimeout directive</title>
-              <screen>olcWriteTimeout: 180</screen>
+              <programlisting>olcWriteTimeout: 180</programlisting>
             </example>
           </listitem>
         </varlistentry>
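Review bot: The syntax form for olcWriteTimeout is carried over into programlisting still showing only the directive name, with no value. The sibling entries all give the value placeholder and the example in this same hunk is "olcWriteTimeout: 180", so the form should read olcWriteTimeout: number, with number marked up as replaceable. The paragraph also calls it an "option" where most other entries say "directive".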
@@ -966,13 +967,13 @@ Stopping slapd:                                            [  OK  ]</screen>
             <para>
               The <option>olcReadOnly</option> directive allows you to use the database in a read-only mode. It takes the following form:
             </para>
-            <screen><option>olcReadOnly</option>: <replaceable>boolean</replaceable></screen>
+            <programlisting><option>olcReadOnly</option>: <replaceable>boolean</replaceable></programlisting>
             <para>
               It accepts either <option>TRUE</option> (enable the read-only mode), or <option>FALSE</option> (enable modifications of the database). The default option is <option>FALSE</option>.
             </para>
             <example id="example-ldap-configuration-olcreadonly">
               <title>Using the olcReadOnly directive</title>
-              <screen>olcReadOnly: TRUE</screen>
+              <programlisting>olcReadOnly: TRUE</programlisting>
             </example>
           </listitem>
         </varlistentry>
@@ -989,13 +990,13 @@ Stopping slapd:                                            [  OK  ]</screen>
             <para>
               The <option>olcRootDN</option> directive allows you to specify the user that is unrestricted by access controls or administrative limit parameters set for operations on the LDAP directory. It takes the following form:
             </para>
-            <screen><option>olcRootDN</option>: <replaceable>distinguished_name</replaceable></screen>
+            <programlisting><option>olcRootDN</option>: <replaceable>distinguished_name</replaceable></programlisting>
             <para>
               It accepts a <firstterm>Distinguished Name</firstterm> (<acronym>DN</acronym>). The default option is <option>cn=Manager,dn=my-domain,dc=com</option>.
             </para>
             <example id="example-ldap-configuration-olcrootdn">
               <title>Using the olcRootDN directive</title>
-              <screen>olcRootDN: cn=root,dn=example,dn=com</screen>
+              <programlisting>olcRootDN: cn=root,dn=example,dn=com</programlisting>
             </example>
           </listitem>
         </varlistentry>
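Review bot: Both DNs in the olcRootDN entry use dn= as an attribute type: the default is given as cn=Manager,dn=my-domain,dc=com and the example as cn=root,dn=example,dn=com. The olcSuffix entry later in this patch uses dc=my-domain,dc=com and dc=example,dc=com, so these should be dc= throughout. Since the example line is being rewritten here anyway, fix it in this commit so that a reader copying it gets a root DN that matches the suffix.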
@@ -1012,9 +1013,9 @@ Stopping slapd:                                            [  OK  ]</screen>
             <para>
               The <option>olcRootPW</option> directive allows you to set a password for the user that is specified using the <option>olcRootDN</option> directive. It takes the following form:
             </para>
-            <screen><option>olcRootPW</option>: <replaceable>password</replaceable></screen>
+            <programlisting><option>olcRootPW</option>: <replaceable>password</replaceable></programlisting>
             <para>
-              It accepts either a plain text string, or a hash. To generate a hash, type the following at a shell prompt:
+              It accepts either a plain text string, or a hash. To generate a hash, use the <command>slappaswd</command> utility, for example:
             </para>
             <screen>~]$ <command>slappaswd</command>
 New password: 
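Review bot: The added sentence names the utility slappaswd, and the screen below it repeats that spelling; the OpenLDAP tool is slappasswd, so the command as printed will not be found. This screen also keeps its "~]$" prompt while the other screens touched by this commit drop theirs, which is worth making consistent one way or the other. Because the sentence says a plain text string is accepted, consider stating that the hashed form is the one to put in olcRootPW, given that the value is stored in the configuration database.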
@@ -1022,7 +1023,7 @@ Re-enter new password:
 {SSHA}WczWsyPEnMchFf1GRTweq2q7XJcvmSxD</screen>
             <example id="example-ldap-configuration-olcrootpw">
               <title>Using the olcRootPW directive</title>
-              <screen>olcRootPW: {SSHA}WczWsyPEnMchFf1GRTweq2q7XJcvmSxD</screen>
+              <programlisting>olcRootPW: {SSHA}WczWsyPEnMchFf1GRTweq2q7XJcvmSxD</programlisting>
             </example>
           </listitem>
         </varlistentry>
@@ -1039,13 +1040,13 @@ Re-enter new password:
             <para>
               The <option>olcSuffix</option> directive allows you to specify the domain for which to provide information. It takes the following form:
             </para>
-            <screen><option>olcSuffix</option>: <replaceable>domain_name</replaceable></screen>
+            <programlisting><option>olcSuffix</option>: <replaceable>domain_name</replaceable></programlisting>
             <para>
               It accepts a <firstterm>fully qualified domain name</firstterm> (<acronym>FQDN</acronym>). The default option is <option>dc=my-domain,dc=com</option>.
             </para>
             <example id="example-ldap-configuration-olcsuffix">
               <title>Using the olcSuffix directive</title>
-              <screen>olcSuffix: dc=example,dc=com</screen>
+              <programlisting>olcSuffix: dc=example,dc=com</programlisting>
             </example>
           </listitem>
         </varlistentry>
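Review bot: The olcSuffix description says the directive accepts a fully qualified domain name and the placeholder is domain_name, but the default (dc=my-domain,dc=com) and the example (dc=example,dc=com) are both DNs. Since the form line is being touched here, describe the value as the DN of the suffix so the text agrees with the example.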
@@ -1083,17 +1084,18 @@ Re-enter new password:
         <secondary>running</secondary>
       </indexterm>
       <para>
-        To run the <systemitem class="service">slapd</systemitem> service, type the following at a shell prompt:
+        To run the <systemitem class="service">slapd</systemitem> service, type the following at a shell prompt as <systemitem class="username">root</systemitem>:
       </para>
-      <screen>~]# <command>service slapd start</command>
-Starting slapd:                                            [  OK  ]</screen>
+      <screen><command>systemctl start slapd.service</command></screen>
       <para>
         If you want the service to start automatically at the boot time, use the following command:
       </para>
-      <screen>~]# <command>chkconfig slapd on</command></screen>
+      <screen><command>systemctl enable slapd.service</command></screen>
+      <!-- jhradile: TBD F15: Uncomment this as soon as the Services and Daemons section is updated.
       <para>
         Note that you can also use the <application>Service Configuration</application> utility as described in <xref linkend="s3-services-serviceconf-enabling" />.
       </para>
+      -->
     </section>
     <section id="s3-ldap-running-stopping">
       <title>Stopping the Service</title>
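Review bot: The systemctl enable screen lost its "~]#" prompt, but its lead-in ("If you want the service to start automatically at the boot time, use the following command:") did not receive the "as root" wording that the start sentence above it got. The systemctl disable sentence in the stopping section has the same gap. Add the phrase to both so the privilege requirement is not lost with the prompt.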
@@ -1102,17 +1104,18 @@ Starting slapd:                                            [  OK  ]</screen>
         <secondary>stopping</secondary>
       </indexterm>
       <para>
-        To stop the running <systemitem class="service">slapd</systemitem> service, type the following at a shell prompt:
+        To stop the running <systemitem class="service">slapd</systemitem> service, type the following at a shell prompt as <systemitem class="username">root</systemitem>:
       </para>
-      <screen>~]# <command>service slapd stop</command>
-Stopping slapd:                                            [  OK  ]</screen>
+      <screen><command>systemctl stop slapd.service</command></screen>
       <para>
         To prevent the service from starting automatically at the boot time, type:
       </para>
-      <screen>~]# <command>chkconfig slapd off</command></screen>
+      <screen><command>systemctl disable slapd.service</command></screen>
+      <!-- jhradile: TBD F15: Uncomment this as soon as the Services and Daemons section is updated.
       <para>
         Alternatively, you can use the <application>Service Configuration</application> utility as described in <xref linkend="s3-services-serviceconf-disabling" />.
       </para>
+      -->
     </section>
     <section id="s3-ldap-running-restarting">
       <title>Restarting the Service</title>
@@ -1121,11 +1124,9 @@ Stopping slapd:                                            [  OK  ]</screen>
         <secondary>restarting</secondary>
       </indexterm>
       <para>
-        To restart the running <systemitem class="service">slapd</systemitem> service, type the following at a shell prompt:
+        To restart the running <systemitem class="service">slapd</systemitem> service, type the following at a shell prompt as <systemitem class="username">root</systemitem>:
       </para>
-      <screen>~]# <command>service slapd restart</command>
-Stopping slapd:                                            [  OK  ]
-Starting slapd:                                            [  OK  ]</screen>
+      <screen><command>systemctl restart slapd.service</command></screen>
       <para>
         This stops the service, and then starts it again. Use this command to reload the configuration.
       </para>
@@ -1139,16 +1140,15 @@ Starting slapd:                                            [  OK  ]</screen>
       <para>
         To check whether the service is running, type the following at a shell prompt:
       </para>
-      <screen>~]# <command>service slapd status</command>
-slapd (pid  3672) is running...</screen>
+      <screen><command>systemctl is-active slapd.service</command></screen>
     </section>
   </section>
   <section id="s2-ldap-pam">
     <title>Configuring a System to Authenticate Using OpenLDAP</title>
     <para>
-      In order to configure a system to authenticate using OpenLDAP, make sure that the appropriate packages are installed on both LDAP server and client machines. For information on how to set up the server, follow the instructions in <xref linkend="s2-ldap-installation" /> and <xref linkend="s2-ldap-configuration" />. On a client, type the following at a shell prompt:
+      In order to configure a system to authenticate using OpenLDAP, make sure that the appropriate packages are installed on both LDAP server and client machines. For information on how to set up the server, follow the instructions in <xref linkend="s2-ldap-installation" /> and <xref linkend="s2-ldap-configuration" />. On a client, type the following at a shell prompt as <systemitem class="username">root</systemitem>:
     </para>
-    <screen>~]# <command>yum install openldap openldap-clients nss-pam-ldapd</command></screen>
+    <screen><command>yum install openldap openldap-clients nss-pam-ldapd</command></screen>
     <para>
       <xref linkend="ch-Configuring_Authentication" /> provides detailed instructions on how to configure applications to use LDAP for authentication.
     </para>
@@ -1159,21 +1159,21 @@ slapd (pid  3672) is running...</screen>
         <secondary>migrating authentication information</secondary>
       </indexterm>
       <para>
-        The <package>migrationtools</package> package provides a set of shell and Perl scripts to help you migrate authentication information into an LDAP format. To install this package, type the following at a shell prompt:
+        The <package>migrationtools</package> package provides a set of shell and Perl scripts to help you migrate authentication information into an LDAP format. To install this package, type the following at a shell prompt as <systemitem class="username">root</systemitem>:
       </para>
-      <screen>~]# <command>yum install migrationtools</command></screen>
+      <screen><command>yum install migrationtools</command></screen>
       <para>
         This will install the scripts to the <filename class="directory">/usr/share/migrationtools/</filename> directory. Once installed, edit the <filename>/usr/share/migrationtools/migrate_common.ph</filename> file and change the following lines to reflect the correct domain, for example:
       </para>
-      <screen># Default DNS domain
+      <programlisting># Default DNS domain
 $DEFAULT_MAIL_DOMAIN = "example.com";
 
 # Default base
-$DEFAULT_BASE = "dc=example,dc=com";</screen>
+$DEFAULT_BASE = "dc=example,dc=com";</programlisting>
       <para>
         Alternatively, you can specify the environment variables directly on the command line. For example, to run the <filename>migrate_all_online.sh</filename> script with the default base set to <literal>dc=example,dc=com</literal>, type:
       </para>
-      <screen>~]#&#0160;<command>export DEFAULT_BASE="dc=example,dc=com" \</command>
+      <screen><command>export DEFAULT_BASE="dc=example,dc=com" \</command>
 <command>/usr/share/migrationtools/migrate_all_online.sh</command></screen>
       <para>
         To decide which script to run in order to migrate the user database, refer to <xref linkend="table-ldap-migrationtools"/>.
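Review bot: The export example cannot work as written. The trailing backslash joins the two lines, so the shell runs export DEFAULT_BASE="dc=example,dc=com" /usr/share/migrationtools/migrate_all_online.sh, which hands the script path to export as a variable name instead of executing the script. Either use a one-shot assignment (DEFAULT_BASE="dc=example,dc=com" followed by the script path on the same command line, without export) or put export and the script on separate lines with no backslash. The lead-in sentence also lacks the "as root" wording that replaces the "~]#" prompt elsewhere in this commit.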

