Source string Read only

(itstool) path: sect3/para
51/510
Context English State
FreeBSD is a registered trademark of the FreeBSD Foundation.
Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this document, and the FreeBSD Project was aware of the trademark claim, the designations have been followed by the <quote>™</quote> or the <quote>®</quote> symbol.
$FreeBSD$
This document is intended as a guide for the configuration of an LDAP server (principally an <application>OpenLDAP</application> server) for authentication on FreeBSD. This is useful for situations where many servers need the same user accounts, for example as a replacement for <application>NIS</application>.
Preface
This document is intended to give the reader enough of an understanding of LDAP to configure an LDAP server. This document will attempt to provide an explanation of <package>net/nss_ldap</package> and <package>security/pam_ldap</package> for use with client machines services for use with the LDAP server.
When finished, the reader should be able to configure and deploy a FreeBSD server that can host an LDAP directory, and to configure and deploy a FreeBSD server which can authenticate against an LDAP directory.
This article is not intended to be an exhaustive account of the security, robustness, or best practice considerations for configuring LDAP or the other services discussed herein. While the author takes care to do everything correctly, they do not address security issues beyond a general scope. This article should be considered to lay the theoretical groundwork only, and any actual implementation should be accompanied by careful requirement analysis.
Configuring LDAP
LDAP stands for <quote>Lightweight Directory Access Protocol</quote> and is a subset of the X.500 Directory Access Protocol. Its most recent specifications are in <link xlink:href="http://www.ietf.org/rfc/rfc4510.txt">RFC4510</link> and friends. Essentially it is a database that expects to be read from more often than it is written to.
The LDAP server <link xlink:href="http://www.openldap.org/">OpenLDAP</link> will be used in the examples in this document; while the principles here should be generally applicable to many different servers, most of the concrete administration is <application>OpenLDAP</application>-specific. There are several server versions in ports, for example <package>net/openldap24-server</package>. Client servers will need the corresponding <package>net/openldap24-client</package> libraries.
There are (basically) two areas of the LDAP service which need configuration. The first is setting up a server to receive connections properly, and the second is adding entries to the server's directory so that FreeBSD tools know how to interact with it.
Setting Up the Server for Connections
This section is specific to <application>OpenLDAP</application>. If you are using another server, you will need to consult that server's documentation.
Installing <application>OpenLDAP</application>
First, install <application>OpenLDAP</application>:
<prompt>#</prompt> <userinput>cd /usr/ports/net/openldap24-server</userinput>
<prompt>#</prompt> make install clean
This installs the <command>slapd</command> and <command>slurpd</command> binaries, along with the required <application>OpenLDAP</application> libraries.
Configuring <application>OpenLDAP</application>
Next we must configure <application>OpenLDAP</application>.
You will want to require encryption in your connections to the LDAP server; otherwise your users' passwords will be transferred in plain text, which is considered insecure. The tools we will be using support two very similar kinds of encryption, SSL and TLS.
TLS stands for <quote>Transportation Layer Security</quote>. Services that employ TLS tend to connect on the <emphasis>same</emphasis> ports as the same services without TLS; thus an SMTP server which supports TLS will listen for connections on port 25, and an LDAP server will listen on 389.
SSL stands for <quote>Secure Sockets Layer</quote>, and services that implement SSL do <emphasis>not</emphasis> listen on the same ports as their non-SSL counterparts. Thus SMTPS listens on port 465 (not 25), HTTPS listens on 443, and LDAPS on 636.
The reason SSL uses a different port than TLS is because a TLS connection begins as plain text, and switches to encrypted traffic after the <literal>STARTTLS</literal> directive. SSL connections are encrypted from the beginning. Other than that there are no substantial differences between the two.
We will adjust <application>OpenLDAP</application> to use TLS, as SSL is considered deprecated.
Once <application>OpenLDAP</application> is installed via ports, the following configuration parameters in <filename>/usr/local/etc/openldap/slapd.conf</filename> will enable TLS:
security ssf=128

TLSCertificateFile /path/to/your/cert.crt
TLSCertificateKeyFile /path/to/your/cert.key
TLSCACertificateFile /path/to/your/cacert.crt
Here, <literal>ssf=128</literal> tells <application>OpenLDAP</application> to require 128-bit encryption for all connections, both search and update. This parameter may be configured based on the security needs of your site, but rarely you need to weaken it, as most LDAP client libraries support strong encryption.
The <filename>cert.crt</filename>, <filename>cert.key</filename>, and <filename>cacert.crt</filename> files are necessary for clients to authenticate <emphasis>you</emphasis> as the valid LDAP server. If you simply want a server that runs, you can create a self-signed certificate with OpenSSL:
Generating an RSA Key
<prompt>%</prompt> <userinput>openssl genrsa -out cert.key 1024</userinput>
Generating RSA private key, 1024 bit long modulus
....................++++++
...++++++
e is 65537 (0x10001)
<prompt>%</prompt> <userinput>openssl req -new -key cert.key -out cert.csr</userinput>

Loading…

No matching activity found.

Browse all component changes

Glossary

English English
No related strings found in the glossary.

Source information

Source string comment
(itstool) path: sect3/para
Flags
read-only
Source string location
article.translate.xml:115
String age
a year ago
Source string age
a year ago
Translation file
articles/ldap-auth.pot, string 21