Handbook of dns
For example, with a minikube ip of Network Manager can run integrated caching DNS server - dnsmasq plugin and can be configured to use separate nameservers per domain.

The following will remove any matching rules before creating a new one. This is useful for updating the minikube ip. Instead use. The root Linux account is an all-powerful account, so pick a strong password. Later an additional regular user account will be created for daily operations. Review the settings and change where needed. Edit it to configure and select the right keyboard.

Take special care with the keymap variable. If the wrong keymap is selected, then weird results will come up when typing on the keyboard. Edit it according to personal preference. Otherwise the system might show clock skew behavior. It's recommended to run systemd-firstboot --prompt --setup-machine-id to ensure the system is set up correctly, but the necessary steps can be run individually too.

Configuring the system From Gentoo Wiki. Warning If the filesystem inside a partition is wiped, then the filesystem label and the UUID values will be subsequently altered or removed.

Note If no domain name is configured, then users will notice they get "This is hostname. Other methods exist for simpler setups like Dhcpcd. Note More detailed information about networking, including advanced topics like bonding, bridging, Note This assumes that the network interface will be called eth0.

This is, however, very system dependent. It is recommended to assume that the interface is named the same as the interface name when booted from the installation media if the installation media is sufficiently recent. More information can be found in Network Interface Naming. About the installation. The canonical copies of all NIS files are stored on the master server.

The databases used to store the information are called NIS maps. Since multiple domains are supported, it is possible to have several directories, one for each domain.

Each domain will have its own independent set of maps. This daemon is responsible for receiving incoming requests from NIS clients, translating the requested domain and map name to a path to the corresponding database file, and transmitting data from the database back to the client. Setting up a master NIS server can be relatively straightforward, depending on environmental needs. Care must be taken in a multi-server domain where the server machines are also NIS clients.

It is generally a good idea to force the servers to bind to themselves rather than allowing them to broadcast bind requests and possibly become bound to each other. Strange failure modes can result if one server goes down and others are dependent upon it. Eventually, all the clients will time out and attempt to bind to other servers, but the delay involved can be considerable and the failure mode is still present since the servers might bind to each other all over again.

Before initializing the NIS maps, start ypserv(8):. This is to prevent the propagation of passwords to all the servers in the NIS domain. Therefore, before the NIS maps are initialized, configure the primary password files:. It is advisable to remove all entries for system accounts as well as any user accounts that do not need to be propagated to the NIS clients, such as the root and any other administrative accounts.

After completing this task, initialize the NIS maps. FreeBSD includes the ypinit(8) script to do this. When generating maps for the master server, include -m and specify the NIS domain name:. Until this occurs, the new user will not be able to log in anywhere except on the NIS master. For example, to add the new user jsmith to the test-domain domain, run these commands on the master server:. The user could also be added using adduser jsmith instead of pw useradd jsmith. Do not generate any NIS maps, as these already exist on the master server.

When running ypinit on the slave server, use -s for slave instead of -m for master. This option requires the name of the NIS master in addition to the domain name, as seen in this example:. These entries are not mandatory because the master server automatically attempts to push any map changes to its slaves.

However, since clients may depend upon the slave server to provide correct password information, it is recommended to force frequent password map updates. This is especially important on busy networks where map updates might not always complete. This daemon broadcasts RPC requests on the local network. These requests specify the domain name configured on the client. If there are several servers available, the client will use the address of the first server to respond and will direct all of its NIS requests to that server.

The client will automatically ping the server on a regular basis to make sure it is still available. If it fails to receive a reply within a reasonable amount of time, ypbind will mark the domain as unbound and begin broadcasting again in the hopes of locating another server.

When removing the accounts, keep in mind that at least one local account should remain and this account should be a member of wheel. If there is a problem with NIS, this local account can be used to log in remotely, become the superuser, and fix the problem. Before saving the edits, add the following line to the end of the file:. There are many ways to configure the NIS client by modifying this line. One method is described in Using Netgroups. Since RPC is a broadcast-based service, any system running ypbind within the same domain can retrieve the contents of the NIS maps.

To prevent unauthorized transactions, ypserv(8) supports a feature called "securenets" which can be used to restrict access to a given set of hosts. This file contains entries that consist of a network specification and a network mask separated by white space. Lines starting with are considered to be comments. A sample [. If ypserv(8) receives a request from an address that matches one of these rules, it will process the request normally.

If the address fails to match a rule, the request will be ignored and a warning message will be logged. If the securenets file does not exist, ypserv will allow connections from any host. TCP Wrapper is an alternate mechanism for providing access control instead of securenets. While either access control mechanism adds some security, they are both vulnerable to "IP spoofing" attacks.
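The matching rule just described (request address ANDed with the mask must equal the network; no match means the request is dropped and logged; a missing file means everyone is admitted) can be checked before a securenets file is deployed. The following is an added example written for this page, not FreeBSD's or ypserv's own code. It assumes the file format the text describes, with "#" introducing a comment line as in ypserv(8); the sample file and client addresses are constructed.

```python
"""Audit a ypserv(8)-style securenets file against candidate client addresses.

Added example for this page (not FreeBSD code). Assumptions: one
"network mask" pair per line, "#" starts a comment, and an absent file
means "allow every host", as the surrounding text describes.
"""
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample securenets content (not taken from any real deployment).
SAMPLE_SECURENETS = """\
# allow the server itself
127.0.0.1      255.255.255.255
# allow the campus LAN
192.168.128.0  255.255.255.0
"""

Rule = Tuple[int, int]  # (network, mask) as 32-bit integers


def parse_securenets(text: str) -> List[Rule]:
    """Parse securenets text into (network, mask) integer pairs."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected 'network mask', got {raw!r}")
        network = int(ipaddress.IPv4Address(fields[0]))
        mask = int(ipaddress.IPv4Address(fields[1]))
        # Store the network already masked, so an entry written with host bits
        # set (e.g. 192.168.128.7 255.255.255.0) still behaves as its /24.
        rules.append((network & mask, mask))
    return rules


def is_allowed(client: str, rules: Optional[List[Rule]]) -> bool:
    """Return True if ypserv would process a request from `client`.

    rules=None models an absent securenets file: every host is allowed.
    With rules present, a client matches when (addr & mask) == network;
    no match means the request is ignored (and a warning would be logged).
    """
    if rules is None:
        return True
    addr = int(ipaddress.IPv4Address(client))
    return any((addr & mask) == network for network, mask in rules)


def audit(clients: List[str], rules: Optional[List[Rule]]) -> dict:
    """Map each client address to its decision, for a quick review."""
    return {c: is_allowed(c, rules) for c in clients}


if __name__ == "__main__":
    parsed = parse_securenets(SAMPLE_SECURENETS)
    for host, ok in audit(["127.0.0.1", "192.168.128.42", "10.0.0.9"], parsed).items():
        print(f"{host:16} {'allowed' if ok else 'ignored (logged)'}")
```

Because the check is purely address-based, a spoofed source address passes it just as the text warns; the audit only tells you what the rule set admits, not who is really behind an address.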

All NIS-related traffic should be blocked at the firewall. Some of these implementations set all host bits to zero when doing broadcasts or fail to observe the subnet mask when calculating the broadcast address. While some of these problems can be fixed by changing the client configuration, other problems may force the retirement of these client systems or the abandonment of securenets. The additional delay may be long enough to cause timeouts in client programs, especially in busy networks with slow NIS servers.

If one or more clients suffer from latency, convert those clients into NIS slave servers and force them to bind to themselves.

In this example, the basie system is a faculty workstation within the NIS domain. The passwd map on the master NIS server contains accounts for both faculty and students. This section demonstrates how to allow faculty logins on this system while refusing student logins. In this example, bill is barred from logging on to basie:.

Barring specified users from logging on to individual systems becomes unscalable on larger networks and quickly loses the main benefit of NIS: centralized administration. Netgroups were developed to handle large, complex networks with hundreds of users and machines.

To expand on the example used in this chapter, the NIS domain will be extended to add the users and systems shown in Tables A very old machine without any critical data.

Even interns are allowed to use this system. When using netgroups to configure this scenario, each user is assigned to one or more netgroups and logins are then allowed or forbidden for all members of the netgroup. When adding a new machine, login restrictions must be defined for all netgroups.

When a new user is added, the account must be added to one or more netgroups. If the NIS setup is planned carefully, only one central configuration file needs modification to grant or deny access to machines.

In FreeBSD, this map is not created by default. This example creates four netgroups to represent IT employees, IT apprentices, employees, and interns:. Each entry configures a netgroup.

The first column in an entry is the name of the netgroup. Each set of brackets represents either a group of one or more users or the name of another netgroup. When specifying a user, the three comma-delimited fields inside each group represent:. The name of the host(s) where the other fields representing the user are valid. If a hostname is not specified, the entry is valid on all hosts.

If a group contains multiple users, separate each user with whitespace. Additionally, each field may contain wildcards. See netgroup(5) for details. Netgroup names longer than 8 characters should not be used.

The names are case sensitive and using capital letters for netgroup names is an easy way to distinguish between user, machine and netgroup names.

This limit may be circumvented by creating several sub-netgroups with 15 users or fewer and a real netgroup consisting of the sub-netgroups, as seen in this example:. This will generate the three NIS maps netgroup , netgroup. Use the map key option of ypcat(1) to check if the new NIS maps are available:. The second command only produces output if host-specific netgroups were created. The third command is used to get the list of netgroups for a user. To configure a client, use vipw(8) to specify the name of the netgroup.

For example, on the server named war, replace this line:. To fix this, import all user entries without allowing them to log in to the servers. This can be achieved by adding an extra line:. NIS supports the creation of netgroups from other netgroups which can be useful if the policy regarding user access changes. One possibility is the creation of role-based netgroups. Each of these netgroups contains the netgroups that are allowed to log in to these machines.

This method of defining login restrictions works reasonably well when it is possible to define groups of machines with identical restrictions. Unfortunately, this is the exception and not the rule. Most of the time, the ability to define login restrictions on a per-machine basis is required. Machine-specific netgroup definitions are another possibility to deal with the policy changes.

All further changes can be handled by modifying the NIS map. Here is an example of a possible netgroup map for this scenario:. It may not always be advisable to use machine-based netgroups. When deploying a couple of dozen or hundreds of systems, role-based netgroups instead of machine-based netgroups may be used to keep the size of the NIS map within reasonable limits.
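The netgroup machinery above (host/user/domain triples, netgroups built from other netgroups, and +@/-@ lines in the password file selecting who may log in on a given machine) is easy to get wrong, so it helps to be able to replay a planned map and policy offline. The example below is added for this page and is not FreeBSD's code: it parses a constructed map in netgroup(5) syntax, flattens nested netgroups, and evaluates master.passwd-style +/- lines. It assumes a first-match rule for the +/- lines and treats a "+" line whose shell field is a nologin shell as "imported but not allowed to log in"; both are simplifications labelled as such in the code, and the 8-character name and 15-member limits it lints for are the ones the text states.

```python
"""Resolve netgroup(5) maps and evaluate master.passwd +/- login policy.

Added example for this page (not FreeBSD code). Assumptions: triples are
(host,user,domain) with "" meaning "any" and "-" meaning "never"; policy
lines are evaluated top to bottom and the first match decides; a "+" line
whose shell field is a nologin shell imports the account without login.
"""
import re
from typing import Dict, List, Optional, Set, Tuple, Union

Triple = Tuple[str, str, str]
Entry = Union[Triple, str]  # a triple, or the name of another netgroup

# Constructed netgroup map (not the page's own); backslash continues a line.
SAMPLE_NETGROUP_MAP = """\
# IT staff and apprentices
IT_EMP   (,alpha,test-domain)   (,beta,test-domain)
IT_APP   (,charlie,test-domain)
# everyone in IT, built from the two groups above
IT_ALL   IT_EMP IT_APP
# regular employees, continued over two lines
USERS    (,delta,test-domain) \\
         (,echo,test-domain)
INTERNS  (,able,test-domain) (,baker,test-domain)
# host-specific entry: foxtrot is only valid on workstation basie
LOCAL    (basie,foxtrot,test-domain)
"""

TRIPLE_RE = re.compile(r"\(([^)]*)\)")
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin"}


def _join_continuations(text: str) -> List[str]:
    """Merge lines ending in a backslash with the line that follows."""
    lines, buf = [], ""
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        lines.append(buf + raw)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def parse_netgroup_map(text: str) -> Dict[str, List[Entry]]:
    """Parse 'NAME (host,user,domain) ... OTHERGROUP ...' lines."""
    groups: Dict[str, List[Entry]] = {}
    for line in _join_continuations(text):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        name, body = parts[0], (parts[1] if len(parts) > 1 else "")
        entries: List[Entry] = []
        for m in TRIPLE_RE.finditer(body):
            fields = [f.strip() for f in m.group(1).split(",")]
            fields += [""] * (3 - len(fields))  # missing fields are wildcards
            entries.append((fields[0], fields[1], fields[2]))
        entries.extend(TRIPLE_RE.sub(" ", body).split())  # nested netgroups
        groups.setdefault(name, []).extend(entries)
    return groups


def members(name: str, groups: Dict[str, List[Entry]],
            _seen: Optional[Set[str]] = None) -> Set[Triple]:
    """Flatten a netgroup, following nested references; cycles are cut."""
    seen = _seen if _seen is not None else set()
    if name in seen or name not in groups:
        return set()
    seen.add(name)
    out: Set[Triple] = set()
    for entry in groups[name]:
        if isinstance(entry, tuple):
            out.add(entry)
        else:
            out |= members(entry, groups, seen)
    return out


def _field_matches(pattern: str, value: str) -> bool:
    return pattern != "-" and (pattern == "" or pattern == value)


def in_netgroup(user: str, host: str, domain: str, name: str,
                groups: Dict[str, List[Entry]]) -> bool:
    """True if (host,user,domain) is covered by any triple in the netgroup."""
    return any(_field_matches(h, host) and _field_matches(u, user)
               and _field_matches(d, domain)
               for h, u, d in members(name, groups))


def login_allowed(user: str, host: str, domain: str, policy: List[str],
                  groups: Dict[str, List[Entry]]) -> bool:
    """Walk master.passwd-style lines; first matching +/- line decides.

    "+@NAME"/"-@NAME" name a netgroup, "+login"/"-login" one account, and a
    bare "+" means everyone remaining. No matching line means no NIS login.
    (Assumption: first-match is a simplification for illustration.)
    """
    for line in policy:
        fields = line.split(":")
        spec = fields[0].strip()
        if not spec or spec[0] not in "+-":
            continue  # an ordinary local account line
        shell = fields[9].strip() if len(fields) >= 10 else ""
        allow = spec[0] == "+" and shell not in NOLOGIN_SHELLS
        target = spec[1:]
        if target == "":
            return allow
        if target.startswith("@"):
            if in_netgroup(user, host, domain, target[1:], groups):
                return allow
        elif target == user:
            return allow
    return False


def lint(groups: Dict[str, List[Entry]], max_name: int = 8,
         max_direct: int = 15) -> List[str]:
    """Flag the two limits the text mentions: name length and direct members."""
    warnings = []
    for name, entries in groups.items():
        if len(name) > max_name:
            warnings.append(f"{name}: name longer than {max_name} characters")
        if len(entries) > max_direct:
            warnings.append(f"{name}: {len(entries)} direct entries, use sub-netgroups")
    return warnings
```

A typical use is to parse the map, then run login_allowed for each (user, host) pair you care about against the policy lines planned for that host's password file, before touching the real map; the war/basie scenarios from the text translate directly into such checks.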

If users have trouble authenticating on an NIS client, it may be due to a differing password format. In a heterogeneous network, the format must be supported by all operating systems, where DES is the lowest common standard. In this example, the system is using the DES format for password hashing. For more information and the up to date list of what is available on your system, consult the crypt(3) manpage.

If the format on a host needs to be edited to match the one being used in the NIS domain, the login capability database must be rebuilt after saving the change:. The format of passwords for existing user accounts will not be updated until each user changes their password after the login capability database is rebuilt. The Lightweight Directory Access Protocol (LDAP) is an application layer protocol used to access, modify, and authenticate objects using a distributed directory information service.

Think of it as a phone or record book which stores several levels of hierarchical, homogeneous information. It is used in Active Directory and OpenLDAP networks and allows users access to several levels of internal information utilizing a single account. It assumes that the administrator already has a design plan which includes the type of information to store, what that information will be used for, which users should have access to that information, and how to secure this information from unauthorized access.

LDAP uses several terms which should be understood before starting the configuration. All directory entries consist of a group of attributes. Each of these attribute sets contains a unique identifier known as a Distinguished Name (DN) which is normally built from several other attributes such as the common or Relative Distinguished Name (RDN).

Similar to how directories have absolute and relative paths, consider a DN as an absolute path and the RDN as the relative path. An example LDAP entry looks like the following. This example searches for the entry for the specified user account (uid), organizational unit (ou), and organization (o):. This example entry shows the values for the dn, mail, cn, uid, and telephoneNumber attributes. The cn attribute is the RDN. There is a large set of default options enabled in the package.

Review them by running pkg info openldap-server. If they are not sufficient (for example, if SQL support is needed), please consider recompiling the port using the appropriate framework.

The directory to store the certificates must be created:. The next phase is to configure the Certificate Authority. This is important as the file permissions need to be restrictive and users should not have access to these files. More detailed information about certificates and their parameters can be found in OpenSSL.

To create the Certificate Authority, start with this command and follow the prompts:. The entries for the prompts may be generic except for the Common Name. This entry must be different than the system hostname. If this will be a self-signed certificate, prefix the hostname with CA for Certificate Authority. The next task is to create a certificate signing request and a private key. Input this command and follow the prompts:.

During the certificate generation process, be sure to correctly set the Common Name attribute. The Certificate Signing Request must be signed with the Certificate Authority in order to be used as a valid certificate:. The final part of the certificate generation process is to generate and sign the client certificates:. Remember to use the same Common Name attribute when prompted. When finished, ensure that a total of eight (8) new files have been generated through the preceding commands.

Its configuration is performed through slapd. Configuration examples for slapd. Options are documented in slapd-config(5). Each section of slapd.

Be sure that no blank lines are left between the dn: statement and the desired end of the section. In the following example, TLS will be used to implement a secure channel. The first section represents the global configuration:. The Certificate Authority, server certificate and server private key files must be specified here. The third section is devoted to loading the needed LDIF schemas to be used by the databases: they are essential. Another section is devoted to the configuration backend; the only way to later access the OpenLDAP server configuration is as a global super-user.
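Two points from the text are worth seeing in code: an LDIF section runs from its dn: line to the next blank line, so a stray blank line inside a section starts a new record that lacks a dn: and is rejected; and a DN's RDN is simply its first component, the way the last element of an absolute path is the relative name. The parser below is an added example for this page, not OpenLDAP's code. It assumes LDIF as described here (dn:-led records separated by blank lines, "#" comments, a line beginning with one space continuing the previous line, "::" marking a base64 value); the sample fragments and the /path/to placeholders for the TLS files are constructed.

```python
"""Split LDIF text into entries and extract the RDN from a DN.

Added example for this page (not OpenLDAP code). Assumptions: records are
dn:-led and end at a blank line; "#" starts a comment; a leading single
space continues the previous line; "attr:: value" is base64.
"""
import base64
from typing import Dict, List

# Constructed slapd.ldif-style fragment; the file paths are placeholders.
SAMPLE_LDIF = """\
# global section with the TLS material the text says must be given here
dn: cn=config
objectClass: olcGlobal
cn: config
olcTLSCACertificateFile: /path/to/ca.crt
olcTLSCertificateFile: /path/to/server.crt
olcTLSCertificateKeyFile: /path/to/server.key

dn: uid=jsmith,ou=people,o=example
objectClass: inetOrgPerson
cn: John Smith
uid: jsmith
mail: jsmith@example.org
telephoneNumber: +1 555 0100
description: an attribute value continued on a
  second physical line
"""

# Constructed fragment with the mistake the text warns about: a blank line
# inside a section, which makes the attributes after it a record without dn:.
BROKEN_LDIF = """\
dn: cn=config
objectClass: olcGlobal

cn: config
"""


def _unfold(text: str) -> List[str]:
    """Join continuation lines (leading space) onto the line before them."""
    logical: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]
        else:
            logical.append(line)
    return logical


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Return one dict per record; each attribute maps to its list of values."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in _unfold(text):
        if line.startswith("#"):
            continue
        if line.strip() == "":          # blank line closes the section
            if current:
                entries.append(current)
                current = {}
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not an attribute line: {line!r}")
        if value.startswith(":"):        # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        if not current and attr != "dn":
            raise ValueError(f"section must start with dn:, found {attr!r}")
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def split_dn(dn: str) -> List[str]:
    """Split a DN into RDN components, honouring backslash-escaped commas."""
    parts, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf, escaped = buf + ch, False
        elif ch == "\\":
            buf, escaped = buf + ch, True
        elif ch == ",":
            parts.append(buf.strip())
            buf = ""
        else:
            buf += ch
    parts.append(buf.strip())
    return parts


def rdn(dn: str) -> str:
    """The relative name: the first component of the DN."""
    return split_dn(dn)[0]


def parent_dn(dn: str) -> str:
    """Everything after the RDN, i.e. where the entry sits in the tree."""
    return ",".join(split_dn(dn)[1:])
```

Running parse_ldif over a slapd.ldif before handing it to slapadd catches the blank-line mistake early; the error names the attribute that was found where a dn: was expected, which is usually enough to locate the stray line.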

Type slappasswd in a shell, choose a password and use its hash in olcRootPW. If this option is not specified now, before slapd. This database hosts the actual contents of the LDAP directory. Types other than mdb are available. Its super-user, not to be confused with the global one, is configured here: a possibly custom username in olcRootDN and the password hash in olcRootPW; slappasswd can be used as before. This repository contains four examples of slapd.

To convert an existing slapd. When the configuration is completed, slapd. It is recommended to create it as:. Option -d can be used for debugging, as specified in slapd(8). To verify that the server is running and working:. The server must still be trusted.

If that has never been done before, follow these instructions. Install the OpenSSL package or port:.