Additionally, this directive is not checked by PAM during authentication but during account management, so you will need a second line in your PAM files under <literal>account</literal>. This will require, in turn, <emphasis>every</emphasis> user to be listed in the group, which is not necessarily what we want. To avoid blocking users that are not in LDAP, you should enable the <literal>ignore_unknown_user</literal> attribute. Finally, you should set the <literal>ignore_authinfo_unavail</literal> option so that you are not locked out of every computer when the LDAP server is unavailable.
Your <filename>pam.d/sshd</filename> might then end up looking like this:
Sample <filename>pam.d/sshd</filename>
auth required pam_nologin.so no_warn
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient /usr/local/lib/pam_ldap.so no_warn
auth required pam_unix.so no_warn try_first_pass

account required pam_login_access.so
account required /usr/local/lib/pam_ldap.so no_warn ignore_authinfo_unavail ignore_unknown_user
Since we are adding these lines specifically to <filename>pam.d/sshd</filename>, this will only have an effect on <application>SSH</application> sessions. LDAP users will be unable to log in at the console. To change this behavior, examine the other files in <filename>/etc/pam.d</filename> and modify them accordingly.
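To see what the <literal>account</literal> line and its two options actually do, here is an added example (it is not part of the original article) that models how a PAM stack combines module results. The module names and option words come from the sample <filename>pam.d/sshd</filename> above; the control-flag rules are those of OpenPAM and Linux-PAM; the scenario tables (<literal>LDAP_DOWN</literal>, <literal>LOCAL_USER</literal>, <literal>LDAP_USER</literal>) and the function names are constructed for illustration. The <literal>auth</literal> stack is reduced to the two lines that matter for the comparison.

```ruby
# Added example, not from the FreeBSD article: a small model of how a PAM
# stack combines module results, to show what the "account" line for
# pam_ldap does with and without ignore_unknown_user and
# ignore_authinfo_unavail. Control-flag rules follow OpenPAM/Linux-PAM:
#   required   - a failure is recorded, but the stack keeps running
#   requisite  - a failure ends the stack immediately
#   sufficient - a success ends the stack with PAM_SUCCESS unless an earlier
#                required module already failed; a failure is ignored
# A module whose result is mapped to PAM_IGNORE is treated as absent.

# Return codes a module may produce (names mirror the PAM constants).
SUCCESS          = :PAM_SUCCESS
AUTH_ERR         = :PAM_AUTH_ERR
USER_UNKNOWN     = :PAM_USER_UNKNOWN
AUTHINFO_UNAVAIL = :PAM_AUTHINFO_UNAVAIL
IGNORE           = :PAM_IGNORE

# One line of a pam.d file: control flag, module, option words.
Entry = Struct.new(:control, :mod, :options)

# The two pam_ldap options from the article map specific errors to PAM_IGNORE.
def apply_options(result, options)
  return IGNORE if result == USER_UNKNOWN && options.include?("ignore_unknown_user")
  return IGNORE if result == AUTHINFO_UNAVAIL && options.include?("ignore_authinfo_unavail")
  result
end

# Run one phase of a stack. `results` maps a module to the raw code it would
# return for this user on this host; the stack's final verdict is returned.
def run_stack(entries, results)
  first_failure = nil
  entries.each do |e|
    r = apply_options(results.fetch(e.mod), e.options)
    next if r == IGNORE
    case e.control
    when "requisite"
      return r unless r == SUCCESS
    when "required"
      first_failure ||= r unless r == SUCCESS
    when "sufficient"
      return SUCCESS if r == SUCCESS && first_failure.nil?
    end
  end
  first_failure || SUCCESS
end

# The "account" lines from the sample pam.d/sshd, with configurable options.
def account_stack(ldap_options)
  [Entry.new("required", "pam_login_access.so", []),
   Entry.new("required", "pam_ldap.so", ldap_options)]
end

# The "auth" lines that matter here: pam_ldap is "sufficient", so an LDAP
# success ends the phase before pam_unix runs, and an LDAP miss falls through.
def auth_stack
  [Entry.new("sufficient", "pam_ldap.so", ["no_warn"]),
   Entry.new("required", "pam_unix.so", ["no_warn", "try_first_pass"])]
end

# Constructed scenarios: what each module would return.
LDAP_DOWN  = { "pam_login_access.so" => SUCCESS, "pam_ldap.so" => AUTHINFO_UNAVAIL }
LOCAL_USER = { "pam_login_access.so" => SUCCESS, "pam_ldap.so" => USER_UNKNOWN,
               "pam_unix.so" => SUCCESS }
LDAP_USER  = { "pam_ldap.so" => SUCCESS, "pam_unix.so" => AUTH_ERR }
BARE     = ["no_warn"]
HARDENED = ["no_warn", "ignore_authinfo_unavail", "ignore_unknown_user"]

if __FILE__ == $0
  puts "account, LDAP down, bare:      #{run_stack(account_stack(BARE), LDAP_DOWN)}"
  puts "account, LDAP down, hardened:  #{run_stack(account_stack(HARDENED), LDAP_DOWN)}"
  puts "account, local user, bare:     #{run_stack(account_stack(BARE), LOCAL_USER)}"
  puts "account, local user, hardened: #{run_stack(account_stack(HARDENED), LOCAL_USER)}"
  puts "auth, LDAP user:               #{run_stack(auth_stack, LDAP_USER)}"
  puts "auth, local user:              #{run_stack(auth_stack, LOCAL_USER)}"
end
```

Running it shows the two failure modes the text warns about: with only <literal>no_warn</literal>, the <literal>account</literal> phase fails for every local user (<literal>PAM_USER_UNKNOWN</literal>) and for everyone while the directory is unreachable (<literal>PAM_AUTHINFO_UNAVAIL</literal>); with both options the pam_ldap result is ignored in those cases and the remaining modules decide.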
Name Service Switch
<application>NSS</application> is the service that maps attributes to names. So, for example, if a file is owned by user <literal>1001</literal>, an application will query <application>NSS</application> for the name of <literal>1001</literal>, and it might get <literal>bob</literal> or <literal>ted</literal> or whatever the user's name is.
Now that our user information is kept in LDAP, we need to tell <application>NSS</application> to look there when queried.
The <package>net/nss_ldap</package> port does this. It uses the same configuration file as <package>security/pam_ldap</package>, and should not need any extra parameters once it is installed. What is left is simply to edit <filename>/etc/nsswitch.conf</filename> to take advantage of the directory. Replace the following lines:
group: compat
passwd: compat
with
group: files ldap
passwd: files ldap
This will allow you to map usernames to UIDs and UIDs to usernames.
Congratulations! You should now have working LDAP authentication.
Caveats
Unfortunately, as of the time this was written FreeBSD did not support changing user passwords with <citerefentry><refentrytitle>passwd</refentrytitle><manvolnum>1</manvolnum></citerefentry>. As a result of this, most administrators are left to implement a solution themselves. I provide some examples here. Note that if you write your own password change script, there are some security issues you should be made aware of; see <xref linkend="security-passwd"/>.
Shell Script for Changing Passwords
#!/bin/sh

stty -echo
read -p "Old Password: " oldp; echo
read -p "New Password: " np1; echo
read -p "Retype New Password: " np2; echo
stty echo

if [ "$np1" != "$np2" ]; then
    echo "Passwords do not match."
    exit 1
fi

ldappasswd -D uid="$USER",ou=people,dc=example,dc=org \
    -w "$oldp" \
    -a "$oldp" \
    -s "$np1"
This script does hardly any error checking, but more importantly it is very cavalier about how it stores your passwords: both the old and the new password are handed to <command>ldappasswd</command> on its command line, where any user who can list processes may read them. If you do anything like this, at least adjust the <literal>security.bsd.see_other_uids</literal> sysctl value so that users can only see their own processes:
<prompt>#</prompt> <userinput>sysctl security.bsd.see_other_uids=0</userinput>
A more flexible (and probably more secure) approach is to write a custom program, or even a web interface. The following is part of a <application>Ruby</application> library that can change LDAP passwords. It is used both on the command line and on the web.
Ruby Script for Changing Passwords
require 'ldap'
require 'base64'
require 'digest'
require 'password' # ruby-password

ldap_server = "ldap.example.org"
luser = "uid=#{ENV['USER']},ou=people,dc=example,dc=org"

# get the new password, check it, and create a salted hash from it
def get_password
  pwd1 = Password.get("New Password: ")
  pwd2 = Password.get("Retype New Password: ")

  raise "Passwords do not match" if pwd1 != pwd2
  pwd1.check # check password strength

  salt = rand.to_s.gsub(/0\./, '')
  pass = pwd1.to_s
  # {SSHA} is base64(SHA1(password + salt) + salt); encode64 appends a newline
  hash = "{SSHA}"+Base64.encode64(Digest::SHA1.digest("#{pass}#{salt}")+salt).chomp!
  return hash
end

oldp = Password.get("Old Password: ")
newp = get_password

# We'll just replace it. That we can bind proves that we either know
# the old password or are an admin.

replace = LDAP::Mod.new(LDAP::LDAP_MOD_REPLACE | LDAP::LDAP_MOD_BVALUES,
                        "userPassword",
                        [newp])

# connect on port 389 and upgrade the session with STARTTLS before binding
conn = LDAP::SSLConn.new(ldap_server, 389, true)
conn.set_option(LDAP::LDAP_OPT_PROTOCOL_VERSION, 3)
conn.bind(luser, oldp)
conn.modify(luser, [replace])
Although not guaranteed to be free of security holes (the password is kept in memory, for example), this is cleaner and more flexible than a simple <command>sh</command> script.
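The Ruby script above builds the <literal>{SSHA}</literal> value for <literal>userPassword</literal> by hand, but gives no way to check the result. The following added example (not part of the original article or of the library it quotes) produces the same format and adds the matching verifier, so that a stored value can be tested against a candidate password the way <command>slapd</command> does. It uses <literal>SecureRandom</literal> for the salt instead of <literal>rand.to_s</literal>, compares digests in constant time, and treats malformed stored values as a mismatch rather than an exception. The function names and the sample password are my own.

```ruby
require 'securerandom'
require 'digest'
require 'base64'

# Added example, not from the FreeBSD article: build and verify the {SSHA}
# userPassword format, i.e. "{SSHA}" + base64( SHA1(password || salt) || salt ).
# The salt comes from SecureRandom rather than rand.to_s.

SHA1_LEN = 20 # bytes in a SHA-1 digest; the salt is everything after it

# Returns the {SSHA} string for `password`. A fixed salt may be supplied
# (e.g. in tests); otherwise 8 random bytes are drawn.
def ssha_hash(password, salt = SecureRandom.random_bytes(8))
  # .b forces binary encoding so a non-ASCII password concatenates cleanly
  digest = Digest::SHA1.digest(password.b + salt.b)
  "{SSHA}" + Base64.strict_encode64(digest + salt.b)
end

# Compare two byte strings without leaking where they first differ.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns true when `candidate` matches the stored {SSHA} value. Wrong
# prefix, bad base64 or a value too short to hold a digest all yield false.
def ssha_verify(stored, candidate)
  return false unless stored.start_with?("{SSHA}")
  raw = Base64.strict_decode64(stored[6..-1])
  return false if raw.bytesize <= SHA1_LEN
  digest = raw.byteslice(0, SHA1_LEN)
  salt   = raw.byteslice(SHA1_LEN, raw.bytesize - SHA1_LEN)
  secure_equal?(digest, Digest::SHA1.digest(candidate.b + salt))
rescue ArgumentError
  false
end

if __FILE__ == $0
  # constructed sample password, not from the article
  stored = ssha_hash("correct horse battery staple")
  puts stored
  puts ssha_verify(stored, "correct horse battery staple") # true
  puts ssha_verify(stored, "wrong password")               # false
end
```

Because the salt is stored inside the value, <literal>ssha_verify</literal> needs nothing but the directory entry and the candidate; that is also why the stored value must not be world-readable, as the Security Considerations section goes on to explain.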
Security Considerations
Now that your machines (and possibly other services) are authenticating against your LDAP server, this server needs to be protected at least as well as <filename>/etc/master.passwd</filename> would be on a regular server, and possibly even more so, since a broken or cracked LDAP server would break every client service.
Remember, this section is not exhaustive. You should continually review your configuration and procedures for improvements.
Setting Attributes Read-only
Several attributes in LDAP should be read-only. If left writable by the user, for example, a user could change their <literal>uidNumber</literal> attribute to <literal>0</literal> and get <systemitem class="username">root</systemitem> access!
To begin with, the <literal>userPassword</literal> attribute should not be world-readable. By default, anyone who can connect to the LDAP server can read this attribute. To disable this, put the following in <filename>slapd.conf</filename>:
Hide Passwords

Source information
Source string comment: (itstool) path: sect2/para
Source string location: article.translate.xml:618
Translation file: articles/es_ES/ldap-auth.po, string 113