diff --git a/images/src/png/yast2-ldap-server.png b/images/src/png/yast2-ldap-server.png
new file mode 100644
index 0000000000..323fad112d
Binary files /dev/null and b/images/src/png/yast2-ldap-server.png differ
diff --git a/xml/security_auth.xml b/xml/security_auth.xml
index 26c9648b6b..d364d100c6 100644
--- a/xml/security_auth.xml
+++ b/xml/security_auth.xml
@@ -8,669 +8,17 @@
- Setting Up Authentication Servers and Clients Using &yast;
+ Setting Up Authentication Clients Using &yast;
Whereas Kerberos is used for authentication, LDAP is used for authorization
- and identification. Both can work together. The Authentication Server you can
- set up with &yast; is based on LDAP and optionally Kerberos. On
- &productname;, you can configure it with a &yast; wizard.
-
-
-
- For more information about LDAP, see
+ and identification. Both can work together. For more information about LDAP, see
, and about Kerberos, see
.
-
-
-
-
-
- Configuring an Authentication Server
-
-
- For information about configuring an Authentication Server, see the &sls;
- Security Guide, chapter Setting Up
- Authentication Servers and Clients Using &yast;. It is available
- from .
-
-
-
-
-
- Configuring an Authentication Server with &yast;
-
-
-
-
- Initial Configuration of an Authentication Server
-
- To set up an authentication server for user account data, make sure the
- yast2-auth-server,
- 389-ds,
- krb5-server, and
- krb5-client packages are installed; &yast; will
- remind you and install them if one of these packages is missing. For
- Kerberos support, the krb5-plugin-kdb-ldap
- package is required.
-
-
- The first part of the Authentication Server configuration with &yast; is
- setting up an LDAP server, then you can enable Kerberos.
-
-
- Authentication Server Configuration with &yast;
-
-
- Start &yast; as &rootuser; and select Network
- ServicesAuthentication Server
- to invoke the configuration wizard.
-
-
-
-
- Configure the Global Settings of your LDAP server
- (you can change these settings later)—see
- :
-
-
- &yast; Authentication Server Configuration
-
-
-
-
-
-
-
-
-
-
-
-
- Set LDAP to be started.
-
-
-
-
- If the LDAP server should announce its services via SLP, check
- Register at an SLP Daemon.
-
-
-
-
- Configure Firewall Settings.
-
-
-
-
- Click Next.
-
-
-
-
-
-
- Select the server type: Stand-alone server,
- Master server in a replication setup, or
- Replica (slave) server.
-
-
-
-
- Select security options (TLS Settings).
-
-
- It is strongly recommended to Enable TLS. For more
- information, see ,
- .
-
-
- Authentication Without Encryption
-
- When using authentication without enabling transport encryption
- using TLS, the password will be transmitted in the clear.
-
-
-
- Also consider using LDAP over SSL with certificates.
-
-
-
-
- Confirm Basic Database Settings with entering an
- LDAP Administrator Password and then clicking
- Next—see
- .
-
-
- &yast; LDAP Server—New Database
-
-
-
-
-
-
-
-
-
-
-
-
- In the Kerberos Authentication dialog, decide
- whether to enable Kerberos authentication or not (you can change these
- settings later)—see
- .
-
-
- &yast; Kerberos Authentication
-
-
-
-
-
-
-
-
-
-
-
-
- Choose whether Kerberos support is needed or not. If you enable it,
- also specify your Realm. Then confirm with
- Next.
-
-
-
-
- The Advanced Configuration allows you to specify
- various aspects such as Maximum ticket life time
- or ports to use.
-
-
-
-
-
-
- Finally, check the Authentication Server Configuration
- Summary and click Finish to exit the
- configuration wizard.
-
-
-
-
-
-
-
-
- Editing an Authentication Server Configuration with &yast;
-
- For changes or additional configuration start the Authentication Server
- module again and in the left pane expand Global
- Settings to make subentries visible—see
- :
-
-
- &yast; Editing Authentication Server Configuration
-
-
-
-
-
-
-
-
-
-
- Editing Authentication Server Configuration
-
-
- With Log Level Settings, configure the degree of
- logging activity (verbosity) of the LDAP server. From the predefined
- list, select or deselect logging options according to your needs. The
- more options are enabled, the larger your log files grow.
-
-
-
-
- Configure which connection types the server should offer under
- Allow/Disallow Features. Choose from:
-
-
-
- LDAPv2 Bind Requests
-
-
- This option enables connection requests (bind requests) from
- clients using the previous version of the protocol (LDAPv2).
-
-
-
-
- Anonymous Bind When Credentials Not Empty
-
-
- Normally, the LDAP server denies any authentication attempts with
- empty credentials, that is, a distinguished name (DN) or a password.
- However, enabling this option
- makes it possible to connect with a password and no DN to establish
- an anonymous connection.
-
-
-
-
- Unauthenticated Bind When DN Not Empty
-
-
- Enabling this option makes it possible to connect without
- authentication (anonymously) using a distinguished name (DN) but no
- password.
-
-
-
-
- Unauthenticated Update Options to Process
-
-
- Enabling this option allows non-authenticated (anonymous) update
- operations. Access is restricted according to ACLs and other rules.
-
-
-
-
-
-
-
- Allow/Disallow Features also lets you configure the
- server flags. Choose from:
-
-
-
- Disable Acceptance of Anonymous Bind Requests
-
-
- The server will no longer accept anonymous bind requests. Note,
- that this does not generally prohibit anonymous directory access.
-
-
-
-
- Disable Simple Bind Authentication
-
-
- Completely disable Simple Bind authentication.
-
-
-
-
- Disable Forcing Session to Anonymous Status upon StartTLS Operation Receipt
-
-
- The server will no longer force an authenticated connection back to
- the anonymous state when receiving the StartTLS operation.
-
-
-
-
- Disallow the StartTLS Operation if Authenticated
-
-
- The server will disallow the StartTLS operation on already
- authenticated connections.
-
-
-
-
-
-
-
- To configure secure communication between client and server, proceed
- with TLS Settings:
-
-
-
-
- Activate Enable TLS to enable TLS and SSL
- encryption of the client/server communication.
-
-
-
-
- Either Import Certificate by specifying the exact
- path to its location or enable the Use Common Server
- Certificate.
-
-
-
-
-
-
-
-
-
- Add Schema files to be included in the server's configuration by
- selecting Schema Files in the left part of the
- dialog. The default selection of schema files applies to the server
- providing a source of &yast; user account data.
-
-
- &yast; allows to add traditional Schema files (usually with a name
- ending in .schema) or LDIF files containing Schema
- definitions in OpenLDAP's LDIF Schema format.
-
-
- &yast; Authentication Server Database Configuration
-
-
-
-
-
-
-
-
-
-
- To configure the databases managed by your LDAP server, proceed as
- follows:
-
-
-
-
- Select the Databases item in the left part of the
- dialog.
-
-
-
-
- Click Add Database to add a new database.
-
-
-
-
- Specify the requested data:
-
-
-
- Base DN
-
-
-
- Enter the base DN (distinguished name) of your LDAP server.
-
-
-
-
- Administrator DN
-
-
-
- Enter the DN of the administrator in charge of the server. If you
- check Append Base DN, only provide the
- cn of the administrator and the system fills in
- the rest automatically.
-
-
-
-
- LDAP Administrator Password
-
-
- Enter the password for the database administrator.
-
-
-
-
- Use This Database as the Default for OpenLDAP Clients
-
-
- For convenience, check this option if wanted.
-
-
-
-
-
-
-
- In the next dialog, configure replication settings.
-
-
-
-
-
- In the next dialog, enable enforcement of password policies to provide
- extra security to your LDAP server:
-
-
-
-
- Check Enable Password Policies to be able to
- specify a password policy.
-
-
-
-
- Activate Hash Clear Text Passwords to have clear
- text passwords be hashed before they are written to the database
- whenever they are added or modified.
-
-
-
-
- Disclose "Account Locked" Status provides a
- relevant error message for bind requests to locked accounts.
-
-
- Locked Accounts in Security Sensitive Environments
-
- Do not use the Disclose "Account Locked" Status
- option if your environment is sensitive to security issues, because
- the Locked Account error message provides
- security-sensitive information that can be exploited by a potential
- attacker.
-
-
-
-
-
- Enter the DN of the default policy object. To use a DN other than
- the one suggested by &yast;, enter your choice. Otherwise, accept
- the default settings.
-
-
-
-
-
-
- Complete the database configuration by clicking
- Finish.
-
-
-
-
- If you have not opted for password policies, your server is ready to run
- at this point. If you have chosen to enable password policies, proceed
- with the configuration of the password policy in detail. If you have
- chosen a password policy object that does not yet exist, &yast; creates
- one:
-
-
-
-
- Enter the LDAP server password. In the navigation tree below
- Databases expand your database object and activate
- the Password Policy Configuration item.
-
-
-
-
- Make sure Enable Password Policies is activated.
- Then click Edit Policy.
-
-
-
-
- Configure the password change policies:
-
-
-
-
- Determine the number of passwords stored in the password history.
- Saved passwords may not be reused by the user.
-
-
-
-
- Determine if users can change their passwords and if
- they will need to change their passwords after a reset by the
- administrator. Require the old password for password changes
- (optional).
-
-
-
-
- Determine whether and to what extent passwords should be subject to
- quality checking. Set the minimum password length that must be met
- before a password is valid. If you select Accept
- Uncheckable Passwords, users are allowed to use encrypted
- passwords, even though the quality checks cannot be performed. If
- you opt for Only Accept Checked Passwords only
- those passwords that pass the quality tests are accepted as valid.
-
-
-
-
-
-
- Configure the password time-limit policies:
-
-
-
-
- Determine the minimum password time-limit (the time that needs to
- pass between two valid password changes) and the maximum password
- time limit.
-
-
-
-
- Determine the time between a password expiration warning and the
- actual password expiration.
-
-
-
-
- Set the number of postponement uses of an expired password before
- the password expires permanently.
-
-
-
-
-
-
- Configure the lockout policies:
-
-
-
-
- Enable password locking.
-
-
-
-
- Determine the number of bind failures that trigger a password lock.
-
-
-
-
- Determine the duration of the password lock.
-
-
-
-
- Determine the length of time that password failures are kept in the
- cache before they are purged.
-
-
-
-
-
-
- Apply your password policy settings with OK.
-
-
-
-
- To edit a previously created database, select its base DN in the tree to
- the left. In the right part of the window, &yast; displays a dialog
- similar to the one used for the creation of a new database (with the
- main difference that the base DN entry is grayed out and cannot be
- changed).
-
-
- After leaving the Authentication Server configuration by selecting
- Finish, you are ready to go with a basic working
- configuration for your Authentication Server. To fine-tune this setup,
- use OpenLDAP's dynamic configuration back-end.
-
-
-
- The OpenLDAP's dynamic configuration back-end stores the configuration
- in an LDAP database. That database consists of a set of
- .ldif files in
- /etc/openldap/slapd.d. There is no need to access
- these files directly. To access the settings you can either use the
- &yast; Authentication Server module (the
- yast2-auth-server package) or an LDAP client
- such as ldapmodify or ldapsearch.
- For more information on the dynamic configuration of OpenLDAP, see the
- OpenLDAP Administration Guide.
-
-
-
-
- Editing LDAP Users and Groups
-
- For editing LDAP users and groups with &yast;, see
- .
-
-
-
-
Configuring an Authentication Client with &yast;
@@ -733,12 +81,5 @@ sssd.service - System Security Services Daemon
&prompt.sudo;rm -f /var/lib/sss/db/*
&prompt.sudo;systemctl start sssd
-
-
- For More Information
-
- For more information, see .
-
-
diff --git a/xml/security_ldap.xml b/xml/security_ldap.xml
index bddbb86979..7a2a98f7f6 100644
--- a/xml/security_ldap.xml
+++ b/xml/security_ldap.xml
@@ -307,32 +307,13 @@ objectclass (2.16.840.1.113730.3.2.333 NAME 'nsPerson' (as described in ) or create a
+ very basic setup with &yast; (as described in
+ ).
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
@@ -341,12 +322,18 @@ objectclass (2.16.840.1.113730.3.2.333 NAME 'nsPerson'
+
+
+
+
+
+
@@ -499,6 +486,85 @@ instance 'Localhost' is running
+
+ Using CA Certificates for TSL
+
+ You can manage the CA certificates for &ds389; with the following command
+ line tools: certutil, openssl, and
+ pk12util.
+
+
+ For testing purposes, you can create a self-signed certificate with
+ dscreate. Find the certificate at
+ /etc/dirsrv/slapd-localhost/ca.crt. For remote administration,
+ copy the certificate to a readable location. For production environments,
+ contact a CA authority of your organization's choice and request a server
+ certificate, a client certificate, and a root certificate.
+
+
+ Make sure to meet the following requirements before executing the procedure below:
+
+
+
+
+ You have a server certificate and a private key to use for the TSL connection.
+
+
+
+
+ You have set up an NSS (Network Security Services) database (for example,
+ with the certutil command).
+
+
+
+
+
+
+ Before you can import an existing private key and certificate into the NSS
+ (Network Security Services) database, you need to create a bundle of the
+ private key and the server certificate. This results in a *.p12
+ file.
+
+
+ <filename>*.p12</filename> File and Friendly Name
+
+ When creating the PKCS12 bundle, you must encode a friendly name
+ in the *.p12 file.
+
+
+ Make sure to use Server-Cert as friendly name. Otherwise
+ the TLS connection will fail, because the &ds389; searches for this exact string.
+
+
+ As soon as you have imported the *.p12 file in the NSS
+ database, the friendly name cannot be changed any more.
+
+
+
+
+ To create the PKCS12 bundle with the required friendly name:
+
+ &prompt.root;openssl pkcs12 -export -in SERVER.crt \
+ -inkey SERVER.key -out SERVER.p12 \
+ -name Server-Cert
+
+ Replace SERVER.crt with the server certificate
+ and SERVER.key with the private key to be bundled.
+ With , specify the name of the *.p12
+ file. Use to set the friendly name to use,
+ Server-Cert.
+
+
+
+
+ After you have created the required SERVER.p12 file,
+ import the file into your NSS database:
+
+ pk12util -i SERVER.p12 -d PATH_TO_NSS_DB
+
+
+
+
Configuring Admin Credentials for Remote/Local Access
@@ -517,7 +583,7 @@ instance 'Localhost' is running
uri = ldaps://localhost
basedn = dc=example,dc=com
binddn = cn=Directory Manager
-tls_cacertdir = /etc/dirsrv/slapd-localhost/
+tls_cacertdir = PATH_TO_CERTDIR
@@ -527,19 +593,8 @@ tls_cacertdir = /etc/dirsrv/slapd-localhost/
- For test purposes, you can use dscreate to generate
- a self-signed certificate which you can trust. Find the certificate at
- /etc/dirsrv/slapd-localhost/ca.crt. Copy it to a
- readable location or to the client machine from which you use the
- ds* commands.
-
-
- For production environments, contact the CA authority of your organization's
- choice to receive a server, a client and a root certificate.
- taroth 2020-01-17: @firstyear: after receiving them, where to put
- them? how to adjust the example above for a production environment? and
- last but not least: is there more to add on how to create a request for
- and how to use a certificate from a trusted CA?
+ Path to the certificate at a readable location or on the client machine from
+ which you use the ds* commands.
@@ -564,12 +619,12 @@ binddn = cn=Directory Manager
When using ldapi
on the server where the &ds389; instance is running, your UID/GID will be
- detected. If it is 0/0 (which means you are logged
+ detected. If it is 0/0 (which means you are logged
in as &rootuser; user), the ldapi binds the local
&rootuser; as the directory server root dn (cn=Directory Manager)
of the instance. This allows local administration of the server, but also
allows you to set a machine-generated password for cn=Directory
- Manager) that no human knows. Whoever has administrator rights
+ Manager that no human knows. Whoever has administrator rights
on the server hosting the &ds389; instance, can access the instance as
cn=Directory Manager.
@@ -782,9 +837,131 @@ systemctl start sssd
-
+
+
+
+ Setting Up a &ds389; with &yast;
+
+ You can use &yast; to quickly create a very basic setup of the &ds389;.
+
+
+ Creating an &ds389; Instance with &yast;
+
+
+
+ In &yast;, click
+ Network Services
+ Create New Directory Server
+ . Alternatively, start the module from command line with
+ yast2 ldap-server.
+
+
+ In the window that opens, you need to fill in all mandatory text fields.
+
+
+
+
+ Enter the Fully qualified domain name of the &ds389;.
+ It must be resolvable from the host.
+
+
+
+
+ In Directory server instance name, enter a local name for
+ the LDAP server instance.
+
+ Instance Name
+
+ The instance name cannot be changed after the instance
+ has been created. If you plan for only one LDAP server, use the default
+ instance name localhost. However, if you plan to host
+ multiple LDAP servers, use meaningful names for the individual instances.
+
+
+
+
+
+ In Directory suffix, enter the base domain name of the LDAP
+ tree. It is your domain name split by component. For example,
+ example.com becomes dc=example,dc=com.
+
+
+
+
+ In the mandatory security options, enter the password for the directory manager
+ (LDAP's root/admin account) and repeat the password in the next step. The
+ password must be at least 8 characters long.
+
+
+
+
+ To run &ds389; with a CA certificate, specify both of the following options:
+
+
+
+
+ Enter the path to the Server TLS certificate authority in PEM
+ format, with which the server certificates have been signed.
+ taroth 2020-01-22: string may be simplified in the future, see
+ https://github.com/yast/yast-auth-server/issues/55
+
+
+
+
+ Enter the path to the Server TLS certificate and key in PKCS12
+ format with friendly name "Server-Cert". The
+ *.p12 file contains the server's private key and
+ certificate. These must have been signed by the CA in PEM format that you
+ have specified above. The friendly name must be
+ Server-Cert, see
+ for details.
+ taroth 2020-01-22: string may be simplified in the future, see
+ https://github.com/yast/yast-auth-server/issues/55
+
+
+ If you do not specify a CA certificate here, a self-signed certificate
+ will be created automatically. After the instance has been created,
+ find the related files in
+ /etc/dirsrv/slapd-INSTANCENAME.
+
+
+
+
+
+
+ If you are ready to create the instance, click OK.
+
+
+
+
+
+
+
+
+
+
+
+ &yast; displays a message whether the creation was successful and where
+ to find the log files.
+
+
+
+
+
+
+
+ The setup with &yast; provides only a very basic configuration of the &ds389;.
+ To fine-tune more settings, see
+ or the documentation mentioned in .
+
+
-
+
+
+ .-\->
@@ -839,8 +1018,8 @@ systemctl start sssd
Enter the Plug-Ins tab, select the LDAP plug-in,
and click Launch to configure additional LDAP
attributes assigned to the new user.
-
+).-\->
@@ -857,7 +1036,7 @@ systemctl start sssd
You can administer groups in a similar way on the Groups
tab.
-
+ -\->
The initial input form of user administration offers LDAP
@@ -878,9 +1057,9 @@ systemctl start sssd
LDAP users and groups by selecting LDAP User and Group
Configuration.
-
-
-
+
+-->
+Configuring an LDAP Client with &yast;
&yast; includes the module LDAP and Kerberos Client
@@ -1066,6 +1245,7 @@ systemctl start sssd
+
diff --git a/xml/security_ldap_kerberos_ad_yast.xml b/xml/security_ldap_kerberos_ad_yast.xml
index c099b4aa07..be8f346f30 100644
--- a/xml/security_ldap_kerberos_ad_yast.xml
+++ b/xml/security_ldap_kerberos_ad_yast.xml
@@ -49,7 +49,7 @@
- LDAP:
+ LDAP:
diff --git a/xml/yast2_gui.xml b/xml/yast2_gui.xml
index db2320c942..a0fa1a73fc 100644
--- a/xml/yast2_gui.xml
+++ b/xml/yast2_gui.xml
@@ -133,7 +133,7 @@
-
+
diff --git a/xml/yast2_userman.xml b/xml/yast2_userman.xml
index 620aa4e5fe..8fb960411e 100644
--- a/xml/yast2_userman.xml
+++ b/xml/yast2_userman.xml
@@ -908,7 +908,7 @@
LDAP:
-
+