https://wiki.archlinux.org/api.php?action=feedcontributions&user=Qumaciel&feedformat=atom ArchWiki - User contributions [en], 2024-03-29T14:40:59Z, User contributions, MediaWiki 1.41.0 https://wiki.archlinux.org/index.php?title=NIS&diff=255150 NIS, 2013-04-25T20:43:33Z <p>Qumaciel: /* initscripts */</p>
<hr />
<div>[[Category:Security]]<br />
{{stub}}<br />
<br />
NIS is a protocol developed by Sun that lets a host defer user authentication to a central server. The server software is in the ypserv package, and the client software is in the yp-tools package. ypbind-mt is also available, a multi-threaded version of the client daemon.<br />
<br />
{{note|Obviously this article is far from finished. Hopefully that will change in the future, but in the meantime check the [[NIS#More resources|More resources section]].}}<br />
<br />
== NIS Client ==<br />
<br />
First install the client tools; this provides the configuration files and utilities needed to use NIS:<br />
# pacman -S yp-tools ypbind-mt<br />
<br />
Next put your NIS domain name into the file /etc/conf.d/nisdomainname.<br />
<br />
Now edit /etc/yp.conf and add your NIS server:<br />
{{bc|ypserver your.nis.server}}<br />
<br />
Start the rpcbind and ypbind daemons (add them to your [[rc.conf]] file if you want them to start automatically).<br />
# /etc/rc.d/rpcbind start<br />
# /etc/rc.d/ypbind start<br />
<br />
To test the setup so far you can run the command yptest:<br />
# yptest<br />
<br />
If it works you will, among other things, see the contents of the NIS user database (which is printed in the same format as /etc/passwd).<br />
<br />
To actually use NIS for logins, edit /etc/nsswitch.conf and modify the passwd, group and shadow lines to read:<br />
{{bc|<br />
passwd: files nis<br />
group: files nis<br />
shadow: files nis<br />
}}<br />
<br />
And then do not forget to restart ypbind:<br />
<br />
# /etc/rc.d/ypbind restart<br />
<br />
See [http://www.tldp.org/HOWTO/NIS-HOWTO/settingup_client.html section 7 of The Linux NIS HOWTO] for further information on configuring NIS clients.<br />
<br />
== NIS Server ==<br />
<br />
=== Install Packages ===<br />
Make sure the packages ypbind-mt, ypserv, and yp-tools are installed:<br />
# pacman -S ypbind-mt yp-tools ypserv<br />
<br />
=== Configuration ===<br />
<br />
==== /etc/conf.d/nisdomainname ====<br />
<br />
Set the domain name in /etc/conf.d/nisdomainname:<br />
<br />
{{bc|1=NISDOMAINNAME="nis-domain-name"}}<br />
<br />
==== /etc/ypserv.conf ====<br />
<br />
Add rules for your NIS clients to /etc/ypserv.conf, one per line, in this form:<br />
<br />
{{bc|ip-address-of-client : nis-domain-name : rule : security}}<br />
<br />
For example, the following rule applies to all hosts whose address starts with 192.168. in the domain home-domain, for every map, and requires requests to come from a privileged port:<br />
<br />
{{bc|192.168. : home-domain : * : port}}<br />
<br />
For more information see {{ic|man ypserv.conf}}.<br />
<br />
==== /var/yp/Makefile ====<br />
<br />
Add or remove the maps you want NIS to serve in the "all" rule of /var/yp/Makefile.<br />
<br />
Default:<br />
<br />
{{bc|<nowiki><br />
all: passwd group hosts rpc services netid protocols netgrp \<br />
     shadow # publickey networks ethers bootparams printcap mail \<br />
     # amd.home auto.master auto.home auto.local passwd.adjunct \<br />
     # timezone locale netmasks<br />
</nowiki>}}<br />
<br />
Due to recent changes in networking in Arch Linux you have to change the line:<br />
<br />
{{bc|1=LOCALDOMAIN = `/bin/domainname`}}<br />
<br />
to<br />
<br />
{{bc|1=LOCALDOMAIN = `/bin/hostname -d`}}<br />
<br />
After that you have to build your NIS database:<br />
<br />
# cd /var/yp<br />
# make<br />
<br />
==== /var/yp/securenets ====<br />
<br />
Add rules to /var/yp/securenets to restrict which hosts ypserv will answer (netmask first, then network):<br />
<br />
{{bc|255.255.0.0 192.168.0.0 # Gives access to anyone in 192.168.0.0/16}}<br />
<br />
Be sure to comment out (or remove) the following line if it is present, as it gives access to anyone:<br />
<br />
{{bc|0.0.0.0 0.0.0.0}}<br />
<br />
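As an added example (not part of the ArchWiki article), the following Python script parses a securenets file in the format shown above, checks which clients ypserv would answer, and flags entries such as 0.0.0.0 0.0.0.0 that reach beyond private or loopback address space; the sample file and the trusted-scope list are assumptions.<br />

```python
import ipaddress

# Constructed sample /var/yp/securenets, built around the two lines the
# article shows.  Format: "<netmask> <network>" or "host <address>" per
# line; '#' starts a comment.
SECURENETS_SAMPLE = """\
# /var/yp/securenets (constructed example)
host 127.0.0.1
255.255.0.0 192.168.0.0     # Gives access to anyone in 192.168.0.0/16
0.0.0.0 0.0.0.0             # the catch-all line the article says to comment out
"""

# Address ranges an internal NIS server is normally expected to serve
# (assumption for this example): RFC 1918 space plus loopback.
TRUSTED_SCOPES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_securenets(text):
    """Return [(ip_network, original_line)] for every active securenets entry."""
    entries = []
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not body:
            continue
        first, addr = body.split()
        if first == "host":                      # "host A.B.C.D" means a single address
            net = ipaddress.ip_network(addr)
        else:                                    # "netmask network", as in the article
            net = ipaddress.ip_network(f"{addr}/{first}", strict=False)
        entries.append((net, raw.strip()))
    return entries


def client_allowed(entries, client_ip):
    """ypserv answers a request only if the client falls inside some entry."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net, _ in entries)


def wide_open_entries(entries):
    """Entries that reach outside the trusted scopes, e.g. '0.0.0.0 0.0.0.0'."""
    return [line for net, line in entries
            if not any(net.subnet_of(scope) for scope in TRUSTED_SCOPES)]


if __name__ == "__main__":
    entries = parse_securenets(SECURENETS_SAMPLE)
    for line in wide_open_entries(entries):
        print("wide open:", line)
    print("203.0.113.7 allowed:", client_allowed(entries, "203.0.113.7"))
```
<br />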
==== /var/yp/ypservers ====<br />
<br />
Add the host name of your server to /var/yp/ypservers:<br />
<br />
{{bc|your.nis.server}}<br />
<br />
=== Start NIS Daemons ===<br />
==== initscripts ====<br />
{{note|The daemons MUST be started in this order.}}<br />
<br />
Start rpcbind if it is not already running:<br />
# systemctl start rpcbind<br />
<br />
Start ypbind:<br />
# systemctl start ypbind<br />
<br />
Start ypserv:<br />
# systemctl start ypserv<br />
<br />
If you want these to start automatically at boot, enable them:<br />
# systemctl enable rpcbind.service<br />
# systemctl enable ypbind.service<br />
# systemctl enable ypserv.service<br />
<br />
==== systemd ====<br />
Simply use the systemctl command to enable and start the ypbind service:<br />
# systemctl enable ypbind.service<br />
<br />
== More resources ==<br />
*[http://www.tldp.org/HOWTO/NIS-HOWTO/ The Linux NIS HOWTO], very helpful and generally applicable to Arch Linux.<br />
*[http://www.yolinux.com/TUTORIALS/NIS.html YoLinux NIS tutorial]<br />
*[http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch30_:_Configuring_NIS Quick HOWTO, Configuring NIS]</div>Qumaciel https://wiki.archlinux.org/index.php?title=OpenLDAP&diff=254539 OpenLDAP, 2013-04-18T18:08:13Z <p>Qumaciel: /* /etc/openldap/slapd.conf */</p>
<hr />
<div>[[Category:Networking]]<br />
[[ru:openLDAP]]<br />
<br />
{{Out_of_date|slapd.conf(5) is deprecated; use slapd-config(5)}}<br />
<br />
OpenLDAP, LDAP and directory services are an enormous topic, so configuration is complex. This page is a starting point for a basic OpenLDAP install on Arch Linux, together with a sanity check.<br />
<br />
If you are totally new to these concepts, [http://www.brennan.id.au/20-Shared_Address_Book_LDAP.html here] is a good introduction that is easy to understand and will get you started, even if you are new to everything LDAP.<br />
<br />
== Installation ==<br />
<br />
This part is easy:<br />
pacman -S openldap <br />
<br />
The openldap package basically contains two things: the LDAP server (slapd) and the LDAP client. You will probably want to run the server on your computer. After you design the directory, the server will be able to provide authentication services for LDAP clients. It is quite likely that you will run services requiring LDAP authentication on that very computer, in which case the LDAP client from the same package will query the local LDAP server.<br />
<br />
== Configuration ==<br />
<br />
=== The server (slapd) ===<br />
<br />
First prepare the database directory. You will need to copy the default config file and set the proper ownership.<br />
<br />
{{Warning|The following snippet wipes out any existing ldap database.}}<br />
<br />
rm -rf /var/lib/openldap/openldap-data/*<br />
cp /etc/openldap/DB_CONFIG.example /var/lib/openldap/openldap-data/DB_CONFIG<br />
chown ldap:ldap /var/lib/openldap/openldap-data/DB_CONFIG<br />
<br />
==== /etc/openldap/slapd.conf ====<br />
Next we prepare slapd.conf. Add some commonly used schemas:<br />
{{bc|<br />
include /etc/openldap/schema/cosine.schema<br />
include /etc/openldap/schema/nis.schema<br />
include /etc/openldap/schema/inetorgperson.schema<br />
}}<br />
Edit the suffix. Typically this is your domain name, but it does not have to be; it depends on how you use your directory. We will use 'example' for the domain name and 'com' for the TLD. Also set your LDAP administrator's name (we will use 'root' here):<br />
{{bc|<nowiki><br />
suffix "dc=example,dc=com"<br />
rootdn "cn=root,dc=example,dc=com"<br />
</nowiki>}}<br />
<br />
Now we delete the default root password and create a strong one:<br />
# find the line with rootpw and delete it<br />
sed -i "/rootpw/ d" /etc/openldap/slapd.conf<br />
# add a line containing the hashed password that slappasswd outputs (it prompts for the new password)<br />
echo "rootpw $(slappasswd)" >> /etc/openldap/slapd.conf<br />
<br />
LDAP will not find things unless you index them. Read the [http://www.zytrax.com/books/ldap/ch6/#index ldap documentation] for details; the following indexes are a reasonable start (add them to your {{ic|slapd.conf}}):<br />
{{bc|<br />
index uid pres,eq<br />
index mail pres,sub,eq<br />
index cn pres,sub,eq<br />
index sn pres,sub,eq<br />
index dc eq<br />
}}<br />
<br />
'''Note:''' Don't forget to run {{ic|slapindex}} after you populate your directory (slapd needs to be stopped to do this). Then change the ownership of all the generated files:<br />
chown ldap:ldap /var/lib/openldap/openldap-data/*<br />
<br />
If you want to use SSL, you have to specify the path to your certificates here. See [[OpenLDAP Authentication]].<br />
<br />
Finally you can start the slapd daemon.<br />
# systemctl start slapd<br />
<br />
If /run/openldap does not exist, starting the daemon will fail. Create the directory and set its ownership:<br />
<br />
# mkdir /run/openldap<br />
# chown ldap:ldap /run/openldap<br />
<br />
==== /etc/conf.d/slapd ====<br />
This file is important: here you define on which port the server listens, and if you want to use SSL, you will want to use the ldaps:// URI instead of the default ldap://. You can also specify additional slapd options here.<br />
<br />
=== The client ===<br />
The client is usually not such a big deal, but keep in mind that the applications that require LDAP authentication use it. So if something goes wrong with LDAP, do not waste your time debugging the application; start debugging the client instead.<br />
<br />
The client config file is located at /etc/openldap/ldap.conf and is actually very simple.<br />
<br />
If you decide to use SSL:<br />
* The protocol (ldap or ldaps) in the URI entry must match the slapd configuration<br />
* If you use self-signed certificates, you have to add them to TLS_CACERT<br />
<br />
=== Test your new OpenLDAP installation ===<br />
<br />
This is easy, just run the command below:<br />
ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts<br />
<br />
You should see some information about your database.<br />
<br />
=== OpenLDAP over TLS ===<br />
{{Note|[http://web.archive.org/web/20130211222328/http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html#4.0 upstream documentation] is much more useful/complete than this section}}<br />
<br />
If you access the OpenLDAP server over the network, and especially if you have sensitive data stored on the server, you run the risk of someone sniffing your data, which is sent in clear text. The next part will guide you through setting up an SSL connection between the LDAP server and the client so the data is sent encrypted.<br />
<br />
In order to use TLS, we must first create a certificate. You can have a certificate signed, or create your own Certificate Authority (CA), but for our purposes a self-signed certificate will suffice.<br />
{{Warning|OpenLDAP cannot use a certificate that has a password associated to it.}}<br />
<br />
==== Create a self-signed certificate ====<br />
To create a ''self-signed'' certificate, type the following:<br />
{{bc|openssl req -new -x509 -nodes -out slapdcert.pem -keyout slapdkey.pem -days 365}}<br />
<br />
You will be prompted for information about your LDAP server. Much of it can be left blank. The most important field is the common name (CN): it must be set to the DNS name of your LDAP server. If your LDAP server's IP address resolves to example.org but its certificate shows a CN of bad.example.org, LDAP clients will reject the certificate and will be unable to negotiate TLS connections (apparently the results are wholly unpredictable).<br />
<br />
Now that the certificate files have been created, copy them to {{ic|/etc/openldap/ssl/}} (create the directory if it does not exist) and secure them.<br />
'''IMPORTANT:''' slapdcert.pem must be world-readable because it contains the public key. slapdkey.pem, on the other hand, must be readable only by the ldap user:<br />
{{bc|<br />
cp slapdcert.pem slapdkey.pem /etc/openldap/ssl/<br />
chown ldap /etc/openldap/ssl/slapdkey.pem<br />
chmod 400 /etc/openldap/ssl/slapdkey.pem<br />
chmod 444 /etc/openldap/ssl/slapdcert.pem<br />
}}<br />
<br />
==== Configure slapd for SSL ====<br />
Edit the daemon configuration file ({{ic|/etc/openldap/slapd.conf}}) to tell LDAP where the certificate files reside by adding the following lines:<br />
{{bc|<br />
# Certificate/SSL Section<br />
TLSCipherSuite HIGH:MEDIUM:+SSLv2<br />
TLSCertificateFile /etc/openldap/ssl/slapdcert.pem<br />
TLSCertificateKeyFile /etc/openldap/ssl/slapdkey.pem<br />
}}<br />
<br />
TLSCipherSuite specifies a list of OpenSSL ciphers from which slapd will choose when negotiating TLS connections, in decreasing order of preference. In addition to specific ciphers, you can use any of the wildcards supported by OpenSSL. '''NOTE:''' HIGH, MEDIUM, and +SSLv2 are all wildcards; +SSLv2 re-enables the obsolete SSLv2 cipher suites, which current OpenSSL releases no longer support, so it can safely be dropped from the list.<br />
<br />
{{Note|To see which ciphers are supported by your local OpenSSL installation, type the following: {{ic|openssl ciphers -v ALL}} }}<br />
<br />
==== Start slapd with SSL ====<br />
In order to tell OpenLDAP to start using encryption, edit /etc/conf.d/slapd, uncomment the SLAPD_SERVICES line and set it to the following:<br />
{{bc|1=SLAPD_SERVICES="ldaps:///"}}<br />
Localhost connections don't need to use SSL, so you can use this instead:<br />
{{bc|1=SLAPD_SERVICES="ldap://127.0.0.1 ldaps:///"}}<br />
<br />
'''IMPORTANT:''' If you created a self-signed certificate above, be sure to add the following line to /etc/openldap/ldap.conf, or you won't be able to connect to the server to test it:<br />
<br />
TLS_REQCERT allow<br />
<br />
Finally restart the server.<br />
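As an added example (not part of the article), the following Python script checks the two settings this section relies on: the SLAPD_SERVICES line from /etc/conf.d/slapd, for clear-text ldap:// listeners reachable beyond loopback, and /etc/openldap/ldap.conf, for a TLS_REQCERT level that lets the client accept an unverified server certificate. The sample values are constructed; the assumed default of TLS_REQCERT demand follows ldap.conf(5).<br />

```python
from urllib.parse import urlsplit

# Constructed samples following the lines the article shows.
SLAPD_SERVICES_SAMPLE = 'SLAPD_SERVICES="ldap://127.0.0.1 ldaps:///"'
LDAP_CONF_SAMPLE = """\
# /etc/openldap/ldap.conf (constructed example)
BASE        dc=example,dc=com
URI         ldaps://ldap.example.com
TLS_CACERT  /etc/openldap/ssl/slapdcert.pem
TLS_REQCERT allow
"""

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}


def parse_slapd_services(line):
    """Return the URIs listed in a SLAPD_SERVICES="..." line."""
    _, _, value = line.partition("=")
    return value.strip().strip('"').split()


def cleartext_listeners(uris):
    """ldap:// listeners whose host is empty (all interfaces) or not loopback."""
    exposed = []
    for uri in uris:
        parts = urlsplit(uri)   # handles 'ldap://', 'ldap:///' and 'ldap://127.0.0.1'
        if parts.scheme == "ldap" and parts.hostname not in LOOPBACK_HOSTS:
            exposed.append(uri)
    return exposed


def parse_ldap_conf(text):
    """Map ldap.conf directive names to values; lines starting with '#' are comments."""
    opts = {}
    for raw in text.splitlines():
        body = raw.strip()
        if not body or body.startswith("#"):
            continue
        fields = body.split(None, 1)
        opts[fields[0].upper()] = fields[1].strip() if len(fields) > 1 else ""
    return opts


def audit(slapd_services_line, ldap_conf_text):
    """Return a list of findings; an empty list means both files look as intended."""
    findings = []
    for uri in cleartext_listeners(parse_slapd_services(slapd_services_line)):
        findings.append(f"slapd listens in clear text on {uri!r}; use ldaps:// or bind to 127.0.0.1")
    opts = parse_ldap_conf(ldap_conf_text)
    level = opts.get("TLS_REQCERT", "demand").lower()   # 'demand' is the libldap default
    if level not in ("demand", "hard"):                 # never/allow/try do not enforce the cert
        findings.append(f"TLS_REQCERT {level}: the server certificate is not enforced; "
                        "switch back to 'demand' once the CA is in TLS_CACERT")
    if any(u.startswith("ldap://") for u in opts.get("URI", "").split()):
        findings.append("client URI uses clear-text ldap://")
    return findings


if __name__ == "__main__":
    for finding in audit(SLAPD_SERVICES_SAMPLE, LDAP_CONF_SAMPLE):
        print("finding:", finding)
```
<br />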
<br />
== Next Steps ==<br />
<br />
You now have a basic LDAP installation. The next step is to design your directory. The design depends heavily on what you are using it for. If you are new to LDAP, consider starting with a directory design recommended by the specific client services that will use the directory (PAM, Postfix, etc.).<br />
<br />
For a directory used for system authentication, see the [[LDAP Authentication]] article.<br />
<br />
== Troubleshooting ==<br />
If you notice that slapd seems to start but then stops, you may have a permission issue with the LDAP data directory. Try running:<br />
<br />
# chown ldap:ldap /var/lib/openldap/openldap-data/*<br />
<br />
to give slapd write access to its data directory as the user "ldap".<br />
<br />
== See Also ==<br />
* http://www.openldap.org/doc/admin24/<br />
* [http://phpldapadmin.sourceforge.net/ phpLDAPadmin] is a web interface tool in the style of phpMyAdmin.<br />
* {{AUR|apachedirectorystudio2}} from the [[Arch User Repository]] is an Eclipse-based LDAP viewer. It works well with OpenLDAP installations.</div>Qumaciel