From e4340040b487fc7cf8fda3e27855f83b6946ebd4 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Wed, 18 May 2005 21:44:30 +0000 Subject: Adding missing files. (This used to be commit 6b5e4a89bb668f78d2336d08830ceb6ffd79caef) --- docs/Samba-HOWTO-Collection/TOSHARG-SecureLDAP.xml | 406 +++++++++++++++++++++ docs/Samba-HOWTO-Collection/TOSHARG-preface.xml | 61 ++++ 2 files changed, 467 insertions(+) create mode 100644 docs/Samba-HOWTO-Collection/TOSHARG-SecureLDAP.xml create mode 100644 docs/Samba-HOWTO-Collection/TOSHARG-preface.xml (limited to 'docs') diff --git a/docs/Samba-HOWTO-Collection/TOSHARG-SecureLDAP.xml b/docs/Samba-HOWTO-Collection/TOSHARG-SecureLDAP.xml new file mode 100644 index 0000000000..86e2845037 --- /dev/null +++ b/docs/Samba-HOWTO-Collection/TOSHARG-SecureLDAP.xml 
@@ -0,0 +1,406 @@ + + + + Transport Layer Security + + Introduction + + + Transport Layer Seccurity, TLS + Introduction + + Up until now, we have discussed the straight forward configuration of + OpenLDAP, with some advanced features such as + . This does not however, deal with the + fact that the network transmissions are still in plain text. This is + where Transport Layer Security (TLS) comes in. + + + OpenLDAP clients and servers are capable of + using the Transport Layer Security (TLS) framework to provide + integrity and confidentiality protections in accordance with - + RFC2830; + Lightweight Directory Access Protocol (v3): Extension + for Transport Layer Security + + + TLS uses X.509 certificates. All servers are required to have valid + certificates, whereas client certificates are optional. We will only + be discussing server certificates. + + + The DN of a server certificate must use the CN attribute to name the + server, and the CN must carry the server's fully qualified domain name + (FQDN). Additional alias names and wildcards may be present in the + certificate extension. More details on + server certificate names are in + RFC2830. + + + + + We will discuss this more in the next sections. + + + + + Configuring + + + Transport Layer Seccurity, TLS + Configuring + + Now on to the good bit. + + + + Generating the Certificate Authority + + In order to create the relevant certificates, we need to become our own + Certificate Authority (CA). + + + We could however, get our generated server certificate signed by proper CAs, + like Thawte and + VeriSign, which you pay for, + or the free ones, via CAcert + + + This is necessary, so we can sign the server certificate. + + + We will be using the OpenSSL + + + The downside to making our own CA, is that the certificate is not automatically + recognised by clients, like the commercial ones are. + + + software for this, which is included with every great + Linux distribution. 
+ + + TLS is used for many types of servers, but the instructions + + + For information straight from the horses mouth, please visit - + + ttp://www.openssl.org/docs/HOWTO/; the main OpenSSL site. + + + presented here, are tailored for &OL;. + + + The Common Name (CN), if the following example, + MUST be the fully qualified domain name (fqdn) + of your ldap server. + + + + + First we need to generate the CA: + + +[ghenry@suretec ldap-docs]$ mkdir myCA + + + Move into that directory: + + +[ghenry@suretec ldap-docs]$ cd myCA + + + Now generate the CA: + + + Your CA.pl or CA.sh might + not be in the same location as mine is, you can find it by using the + locate command, i.e. locate CA.pl. + If the command complains about the database being too old, run + updatedb as root to update it. + + + + +[ghenry@suretec myCA]$ /usr/share/ssl/misc/CA.pl -newca +CA certificate filename (or enter to create) + +Making CA certificate ... +Generating a 1024 bit RSA private key +.......................++++++ +.............................++++++ +writing new private key to './demoCA/private/cakey.pem' +Enter PEM pass phrase: +Verifying - Enter PEM pass phrase: +----- +You are about to be asked to enter information that will be incorporated +into your certificate request. +What you are about to enter is what is called a Distinguished Name or a DN. +There are quite a few fields but you can leave some blank +For some fields there will be a default value, +If you enter '.', the field will be left blank. +----- +Country Name (2 letter code) [AU]:GB +State or Province Name (full name) [Some-State]:Aberdeenshire +Locality Name (eg, city) []:Aberdeen +Organization Name (eg, company) [Internet Widgits Pty Ltd]:Suretec Systems Ltd. +Organizational Unit Name (eg, section) []:IT +Common Name (eg, YOUR name) []:ldap.suretecsystems.com +Email Address []:support@suretecsystems.com + + + + + Now, there are some things to note here. 
+ + + + You MUST remember the password, as we will need + it to sign the server certificate.. + + + + + The Common Name (CN), MUST be the + fully qualified domain name (fqdn) of your ldap server. + + + + + + + + Generating the Server Certificate + + Now we need to generate the server certificate: + + +[ghenry@suretec myCA]$ openssl req -new -nodes -keyout newreq.pem -out newreq.pem +Generating a 1024 bit RSA private key +.............++++++ +........................................................++++++ +writing new private key to 'newreq.pem' +----- +You are about to be asked to enter information that will be incorporated +into your certificate request. +What you are about to enter is what is called a Distinguished Name or a DN. +There are quite a few fields but you can leave some blank +For some fields there will be a default value, +If you enter '.', the field will be left blank. +----- +Country Name (2 letter code) [AU]:GB +State or Province Name (full name) [Some-State]:Aberdeenshire +Locality Name (eg, city) []:Aberdeen +Organization Name (eg, company) [Internet Widgits Pty Ltd]:Suretec Systems Ltd. +Organizational Unit Name (eg, section) []:IT +Common Name (eg, YOUR name) []:ldap.suretecsystems.com +Email Address []:support@suretecsystems.com + +Please enter the following 'extra' attributes +to be sent with your certificate request +A challenge password []: +An optional company name []: + + + + + Again, there are some things to note here. + + + + You should NOT enter a password. + + + + + The Common Name (CN), MUST be + the fully qualified domain name (fqdn) of your ldap server. 
+ + + + + + Now, we sign the certificate with the new CA: + + +[ghenry@suretec myCA]$ /usr/share/ssl/misc/CA.pl -sign +Using configuration from /etc/ssl/openssl.cnf +Enter pass phrase for ./demoCA/private/cakey.pem: +Check that the request matches the signature +Signature ok +Certificate Details: + Serial Number: 1 (0x1) + Validity + Not Before: Mar 6 18:22:26 2005 GMT + Not After : Mar 6 18:22:26 2006 GMT + Subject: + countryName = GB + stateOrProvinceName = Aberdeenshire + localityName = Aberdeen + organizationName = Suretec Systems Ltd. + organizationalUnitName = IT + commonName = ldap.suretecsystems.com + emailAddress = support@suretecsystems.com + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + Netscape Comment: + OpenSSL Generated Certificate + X509v3 Subject Key Identifier: + F7:84:87:25:C4:E8:46:6D:0F:47:27:91:F0:16:E0:86:6A:EE:A3:CE + X509v3 Authority Key Identifier: + keyid:27:44:63:3A:CB:09:DC:B1:FF:32:CC:93:23:A4:F1:B4:D5:F0:7E:CC + DirName:/C=GB/ST=Aberdeenshire/L=Aberdeen/O=Suretec Systems Ltd./OU=IT/CN=ldap.suretecsystems.com/emailAddress=support@suretecsystems.com + serial:00 + +Certificate is to be certified until Mar 6 18:22:26 2006 GMT (365 days) +Sign the certificate? [y/n]:y + + +1 out of 1 certificate requests certified, commit? [y/n]y +Write out database with 1 new entries +Data Base Updated +Signed certificate is in newcert.pem + + + + + That completes the server certificate generation. 
+ + + + Installing the Certificates + + Now we need to copy the certificates to the right configuration directories, + rename them at the same time for convenience, change the ownership and + finally the permissions: + + +[ghenry@suretec myCA]$ cp demoCA/cacert.pem /etc/openldap/ +[ghenry@suretec myCA]$ cp newcert.pem /etc/openldap/servercrt.pem +[ghenry@suretec myCA]$ cp newreq.pem /etc/openldap/serverkey.pem +[ghenry@suretec myCA]$ chown ldap.ldap /etc/openldap/*.pem +[ghenry@suretec myCA]$ chmod 640 /etc/openldap/cacert.pem; chmod 600 /etc/openldap/serverkey.pem + + + + + Now we just need to add these locations to slapd.conf, + anywhere before the declaration and ldap.conf: + + + slapd.conf + + +TLSCertificateFile /etc/openldap/servercrt.pem +TLSCertificateKeyFile /etc/openldap/serverkey.pem +TLSCACertificateFile /etc/openldap/cacert.pem + + + + + ldap.conf + + +TLS_CACERT /etc/openldap/cacert.pem + + + + + That's all there is to it. Now on to + + + + + + Testing + + + Transport Layer Seccurity, TLS + Testing + + This is the easy part. Restart the server: + + +[ghenry@suretec myCA]$ /etc/init.d/ldap restart +Stopping slapd: [ OK ] +Checking configuration files for slapd: config file testing succeeded +Starting slapd: [ OK ] + + + Then, using ldapsearch, test an anonymous search with the + + + See man ldapsearch: + + + option: + + +[ghenry@suretec myCA]$ ldapsearch -x -b "dc=ldap,dc=suretecsystems,dc=com" -H 'ldap://ldap.suretecsystems.com:389' -ZZ + + + Your results should be the same as before you restarted the server, for example: + + +[ghenry@suretec myCA]$ ldapsearch -x -b "dc=ldap,dc=suretecsystems,dc=com" -H 'ldap://ldap.suretecsystems.com:389' -ZZ + +# extended LDIF +# +# LDAPv3 +# base <> with scope sub +# filter: (objectclass=*) +# requesting: ALL +# + +# suretecsystems.com +dn: dc=ldap,dc=suretecsystems,dc=com +objectClass: dcObject +objectClass: organization +o: Suretec Systems Ltd. 
+dc: suretecsystems + +# Manager, ldap.suretecsystems.com +dn: cn=Manager,dc=ldap,dc=suretecsystems,dc=com +objectClass: organizationalRole +cn: Manager + +# SURETEC, suretecsystems.com +dn: sambaDomainName=SURETEC,dc=ldap,dc=suretecsystems,dc=com +sambaDomainName: SURETEC +sambaSID: S-1-5-21-238355452-1056757430-1592208922 +sambaAlgorithmicRidBase: 1000 +objectClass: sambaDomain +sambaNextUserRid: 67109862 +sambaNextGroupRid: 67109863 + + + If you have any problems, please read + + + + + Troubleshooting + + + Transport Layer Seccurity, TLS + Troubleshooting + + The most common error when configuring TLS, as I have already mentioned + numerous times, is that the Common Name (CN) you entered + in is NOT + the Full Qualified Domain Name (FQDN) of your ldap server. + + Other errors could be that you have a typo somewhere in your + ldapsearch command, or that your have the wrong + permissions on the servercrt.pem and + cacert.pem files. They should be set with + chmod 640, as per . + + + For anything else, it's best to read through your ldap logfile or + join the &OL; mailing list. + + + + diff --git a/docs/Samba-HOWTO-Collection/TOSHARG-preface.xml b/docs/Samba-HOWTO-Collection/TOSHARG-preface.xml new file mode 100644 index 0000000000..43df53e523 --- /dev/null +++ b/docs/Samba-HOWTO-Collection/TOSHARG-preface.xml 
@@ -0,0 +1,61 @@ + + + + +Preface + + +The editors wish to thank you for your decision to purchase this book. +The Official Samba-3 HOWTO and Reference Guide is the result of many years +of accumulation of information, feedback, tips, hints, and happy solutions. + + + +Please note that this book is a living document, the contents of which are +constantly being updated. We encourage you to contribute your tips, techniques, +helpful hints, and your special insight into the Windows networking world to +help make the next generation of this book even more valuable to Samba users. + + + +We have made a concerted effort to document more comprehensively than has been +done previously the information that may help you to better deploy Samba and to +gain more contented network users. + + + +This book provides example configurations, it documents key aspects of Microsoft +Windows networking, provides in-depth insight into the important configuration of +Samba-3, and helps to put all of these into a useful framework. + + + +The most recent electronic versions of this document can be found at +http://www.samba.org/ +on the Documentation page. + + + +Updates, patches and corrections are most welcome. Please email your contributions +to any one of the following: + + + + +Jelmer Vernooij (jelmer@samba.org) +John H. Terpstra (jht@samba.org) +Gerald (Jerry) Carter (jerry@samba.org) + + + + +We wish to advise that only original and unencumbered material can be published. Please do not submit +content that is not your own work unless proof of consent from the copyright holder accompanies your +submission. + + + + + + + -- cgit
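Review bot: In the TOSHARG-SecureLDAP.xml hunk the Troubleshooting section contradicts the Installing the Certificates step: it says servercrt.pem and cacert.pem "should be set with chmod 640, as per" the install section, but the install commands only run `chmod 640 /etc/openldap/cacert.pem; chmod 600 /etc/openldap/serverkey.pem`, so servercrt.pem keeps whatever mode cp gave it. Either add `chmod 640 /etc/openldap/servercrt.pem` to the install block or reword the troubleshooting text to name only the files the install step actually sets (and keep the 600 on serverkey.pem, which holds the unencrypted key because the request was made with -nodes). Same hunk, wording: the index term "Transport Layer Seccurity, TLS" is misspelled in all four sections, the OpenSSL URL reads "ttp://www.openssl.org/docs/HOWTO/" (missing the leading "h"), "if the following example" should be "in the following example", "Full Qualified Domain Name" should be "Fully Qualified Domain Name", "your have the wrong permissions" should be "you have", "straight forward" should be "straightforward", "horses mouth" should be "horse's mouth", and "sign the server certificate.." has a doubled period. Build check: the hunk references the entity &OL; and several empty cross-reference elements (the "anywhere before the ... declaration" sentence and the "Now on to" sentence); please confirm &OL; is declared in the collection's entity file and that the xref targets resolve, otherwise the HOWTO build will fail on this new chapter.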
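Review bot: In the TOSHARG-preface.xml hunk the sentence "This book provides example configurations, it documents key aspects of Microsoft Windows networking, ..." is a comma splice; suggest "This book provides example configurations; it documents key aspects of ..." or splitting it into two sentences. The rest of the preface reads cleanly.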