Monday, 21 September 2009

Installing OpenLDAP

Install OpenLDAP

First we have to install the packages
$sudo apt-get install apache2
$sudo apt-get install php5 php5-ldap
$sudo apt-get install slapd
$sudo apt-get install ldap-utils
$sudo apt-get install db4.2-util
$sudo apt-get install gq
$sudo apt-get install phpldapadmin
$sudo apt-get install ldap-account-manager
With the following command we reconfigure slapd
$sudo dpkg-reconfigure slapd
DNS domain name:
val.blom.lan
Organization name:
val.blom.lan
Administrator (admin) password:
admin
Password verification:
admin
Database backend to use:
BDB (the recommended one)
Do you want the database to be removed when the slapd package is purged?
NO
Move the old database?
YES
Allow LDAPv2 protocol?
YES
Moving old database directory to /var/backups:
There are leftover files in /var/lib/ldap. This will probably break creating the initial directory. If that's the case please move away stuff in there and retry the configuration.
Creating inital slapd configuration...done.
Creating initial LDAP directory...done.
Reloading AppArmor profiles : done.
Starting OpenLDAP: slapd.
To see which version of slapd we have installed
$dpkg --list | grep slap
We check that the daemon is really running:
$sudo netstat -puta
The configuration is in the file /etc/ldap/slapd.conf, which is where the previous step wrote it. We add a line
$sudo vi /etc/ldap/slapd.conf
...
include /etc/ldap/schema/misc.schema
...
We can connect to phpldapadmin from a browser
http://jupiter.val.blom.lan/phpldapadmin
If we get a low-memory error
Your php memory limit is low - currently 16M
we have to edit the php configuration file and raise the limit by modifying the following line
$sudo vi /etc/php5/apache2/php.ini
...
memory_limit = 128M  ;Maximum amount of memory a script may consume (128MB)
...
We restart apache
$sudo /etc/init.d/apache2 restart
If we get an error when restarting apache

* Restarting web server apache2
apache2: Could not reliably determine the server's fully qualified domain name, using jupiter.val.blom.lan for ServerName
apache2: Could not reliably determine the server's fully qualified domain name, using jupiter.val.blom.lan for ServerName
we have to set the following
$vi /etc/apache2/apache2.conf
...
ServerName jupiter.val.blom.lan
...
With this the problem is solved
$sudo /etc/init.d/apache2 restart

* Restarting web server apache2 [ OK ]


Install X on an Ubuntu server
$sudo aptitude install xfce4 ubuntu-desktop

©jc_2008


Configure OpenLDAP


The configuration is in the file /etc/ldap/slapd.conf, which is where the previous step wrote it. We add some lines. Note that rootpw is kept in clear text in this file; slappasswd (used further down) generates a hashed value that can be placed there instead.
$sudo vi /etc/ldap/slapd.conf
# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.

#######################################################################
# Global Directives:

# Features to permit
#allow bind_v2

# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/ppolicy.schema

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd/slapd.pid

# List of arguments that were passed to the server
argsfile /var/run/slapd/slapd.args

# Read slapd.conf(5) for possible values
#loglevel none
loglevel 4096

# Where the dynamically loaded modules are stored
modulepath /usr/lib/ldap
#moduleload back_hdb
moduleload back_bdb

# The maximum number of entries that is returned for a search operation
sizelimit 500

# The tool-threads parameter sets the actual amount of cpu's that is used
# for indexing.
tool-threads 1

#######################################################################
# Specific Backend Directives for hdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
#backend hdb
backend bdb

#######################################################################
# Specific Backend Directives for 'other':
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
#backend

#######################################################################
# Specific Directives for database #1, of type hdb:
# Database specific directives apply to this database until another
# 'database' directive occurs
#database hdb
database bdb

# The base of your directory in database #1
suffix "dc=val,dc=blom,dc=lan"

# rootdn directive for specifying a superuser on the database. This is needed
# for syncrepl.
rootdn "cn=admin,dc=val,dc=blom,dc=lan"
rootpw admin
# Where the database file are physically stored for database #1
directory "/var/lib/ldap"

# The dbconfig settings are used to generate a DB_CONFIG file the first
# time slapd starts. They do NOT override an existing DB_CONFIG
# file. You should therefore change these settings in DB_CONFIG directly
# or remove DB_CONFIG and restart slapd for changes to take effect.

# For the Debian package we use 2MB as default but be sure to update this
# value if you have plenty of RAM
dbconfig set_cachesize 0 2097152 0

# Sven Hartge reported that he had to set this value incredibly high
# to get slapd running at all. See http://bugs.debian.org/303057 for more
# information.

# Number of objects that can be locked at the same time.
dbconfig set_lk_max_objects 1500
# Number of locks (both requested and granted)
dbconfig set_lk_max_locks 1500
# Number of lockers
dbconfig set_lk_max_lockers 1500

# Indexing options for database #1
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index default sub
index uidNumber eq
index gidNumber eq
index mail,givenName eq,subinitial
index dc eq

# Save the time that the entry gets modified, for database #1
lastmod on

# Checkpoint the BerkeleyDB database periodically in case of system
# failure and to speed slapd shutdown.
checkpoint 512 30

# Where to store the replica logs for database #1
# replogfile /var/lib/ldap/replog

# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
access to attrs=userPassword,shadowLastChange
   by dn="cn=admin,dc=val,dc=blom,dc=lan" write
   by anonymous auth
   by self write
   by * none

# This is used instead if the block above is removed:
#access to attrs=loginShell,gecos
#   by dn="cn=admin,dc=ejemplo,dc=com" write
#   by * read
# read access to the base for things like
# supportedSASLMechanisms. Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work
# happily.
access to dn.base="" by * read

# The admin dn has full write access, everyone else
# can read everything.
access to *
   by dn="cn=admin,dc=val,dc=blom,dc=lan" write
   by * read

# For Netscape Roaming support, each user gets a roaming
# profile for which they have write access to
#access to dn=".*,ou=Roaming,o=morsnet"
# by dn="cn=admin,dc=val,dc=blom,dc=lan" write
# by dnattr=owner write

#######################################################################
# Specific Directives for database #2, of type 'other' (can be hdb too):
# Database specific directives apply to this database until another
# 'database' directive occurs
#database

# The base of your directory for database #2
#suffix "dc=debian,dc=org"
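
To see what the access directives in this file actually grant, the following Python model (added here; it is not part of the post or of OpenLDAP) evaluates requests the way slapd does, first matching "access to" clause and first matching "by" wins, against the ACLs from the file above. The second user DN it uses is constructed, and the last check shows why the userPassword clause has to come before "access to *".

```python
"""Model of how slapd evaluates the 'access to ... by ...' directives above.
Added illustration code, not part of OpenLDAP: it covers only the ACL subset
the slapd.conf on this page uses (targets '*', 'attrs=...', 'dn.base=""';
subjects dn="...", anonymous, self, '*'), with exact case-folded DN matching.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Tuple

# Privilege levels in increasing order ('disclose' omitted: never used here).
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# The access directives from the slapd.conf above, embedded so this runs alone.
PAGE_ACL = """
access to attrs=userPassword,shadowLastChange
   by dn="cn=admin,dc=val,dc=blom,dc=lan" write
   by anonymous auth
   by self write
   by * none
access to dn.base="" by * read
access to *
   by dn="cn=admin,dc=val,dc=blom,dc=lan" write
   by * read
"""
ROOTDN = "cn=admin,dc=val,dc=blom,dc=lan"  # the rootdn directive above

def norm_dn(dn):
    """Case-fold and trim RDNs; '' is both the root DSE and 'anonymous'."""
    return ",".join(part.strip() for part in dn.lower().split(","))

@dataclass
class AccessClause:
    attrs: Optional[FrozenSet[str]] = None  # None: target '*' (any attribute)
    dn_base: Optional[str] = None           # set for dn.base="..." targets
    by: List[Tuple[str, str]] = field(default_factory=list)  # (who, level)

    def matches(self, entry_dn, attr):
        if self.dn_base is not None:
            return norm_dn(entry_dn) == norm_dn(self.dn_base)
        return self.attrs is None or attr.lower() in self.attrs

def parse_acl(text):
    """Parse 'access to <what>' plus its 'by <who> <level>' clauses, in order."""
    clauses = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(" by ")  # 'by' clauses may share the 'access to' line
        if parts[0].startswith("access to"):
            target = parts[0][len("access to"):].strip()
            clause = AccessClause()
            if target.startswith("attrs="):
                clause.attrs = frozenset(a.lower() for a in target[6:].split(","))
            elif target.startswith("dn.base="):
                clause.dn_base = target[len("dn.base="):].strip('"')
            elif target != "*":
                raise ValueError("target not modelled here: " + target)
            clauses.append(clause)
            parts = parts[1:]
        else:
            parts[0] = parts[0][len("by "):]
        for who_level in parts:
            who, level = who_level.rsplit(" ", 1)
            clauses[-1].by.append((who, level))
    return clauses

def who_matches(who, requestor, entry_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return requestor == ""
    if who == "self":
        return requestor != "" and norm_dn(requestor) == norm_dn(entry_dn)
    if who.startswith("dn="):
        return norm_dn(requestor) == norm_dn(who[len("dn="):].strip('"'))
    raise ValueError("subject not modelled here: " + who)

def allowed(clauses, requestor, entry_dn, attr, wanted, rootdn=ROOTDN):
    """True if requestor ('' = anonymous) gets at least 'wanted' on the attribute.

    slapd takes the first 'access to' clause whose target matches and, inside it,
    the first 'by' whose subject matches; later directives are never consulted,
    so their order decides what is exposed.
    """
    if requestor and norm_dn(requestor) == norm_dn(rootdn):
        return True  # slaptest's warning: rootdn is always granted unlimited privileges
    for clause in clauses:
        if not clause.matches(entry_dn, attr):
            continue
        for who, level in clause.by:
            if who_matches(who, requestor, entry_dn):
                return LEVELS.index(level) >= LEVELS.index(wanted)
        return False  # target matched but no subject did: implicit 'by * none'
    return False      # no clause matched at all: denied

if __name__ == "__main__":
    acl = parse_acl(PAGE_ACL)
    me = "uid=jcgutierrez,ou=People,dc=val,dc=blom,dc=lan"
    print("anonymous may bind but not read userPassword:", allowed(acl, "", me, "userPassword", "auth"), not allowed(acl, "", me, "userPassword", "read"))
    print("with 'access to *' first the hash becomes readable:", allowed(parse_acl("access to *\n by * read\n" + PAGE_ACL), "", me, "userPassword", "read"))
```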

Restart the service
$sudo /etc/init.d/slapd restart
Confirm that the service is running:
$netstat -plutn | grep slapd
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 25058/slapd

And now we have to query the LDAP server:

$ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
# extended LDIF
#
# LDAPv3
# base <> with scope base
# filter: (objectclass=*)
# requesting: namingContexts
#

#
dn:
namingContexts: dc=val,dc=blom,dc=lan

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

If something like this comes out it means the server is running.
This other one also works
$sudo ldapsearch -x -b dc=val,dc=blom,dc=lan
The slapcat command shows the server's content in LDIF format.
$slapcat
/etc/ldap/slapd.conf: line 110: rootdn is always granted unlimited privileges.
/etc/ldap/slapd.conf: line 127: rootdn is always granted unlimited privileges.
dn: dc=val,dc=blom,dc=lan
objectClass: top
objectClass: dcObject
objectClass: organization
o: val.blom.lan
dc: val
structuralObjectClass: organization
entryUUID: 6d4c8bdc-5416-102d-9b0a-99269a9e5211
creatorsName:
createTimestamp: 20081201170832Z
entryCSN: 20081201170832.672437Z#000000#000#000000
modifiersName:
modifyTimestamp: 20081201170832Z

dn: cn=admin,dc=val,dc=blom,dc=lan
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e2NyeXB0fU80cnZlWWlyMVVCY3M=
structuralObjectClass: organizationalRole
entryUUID: 6d4d9946-5416-102d-9b0b-99269a9e5211
creatorsName:
createTimestamp: 20081201170832Z
entryCSN: 20081201170832.679492Z#000000#000#000000
modifiersName:
modifyTimestamp: 20081201170832Z

To check this file and its syntax, which also produces security warnings, we use the slaptest command
$slaptest -v
/etc/ldap/slapd.conf: line 110: rootdn is always granted unlimited privileges.
/etc/ldap/slapd.conf: line 127: rootdn is always granted unlimited privileges.
config file testing succeeded
If you want the slapd server to start at system boot you can add something like this to your /etc/rc.d/rc.local
$sudo vi /etc/rc.d/rc.local
...
We create a group and a user to run slapd
$addgroup --system slapd
Adding group `slapd' (GID 114) ...
Done.

$adduser --home /var/lib/ldap --shell /bin/false --no-create-home --ingroup slapd --system slapd
Adding system user `slapd' (UID 106) ...
Adding new user `slapd' (UID 106) with group `slapd' ...
Not creating home directory `/var/lib/ldap'.

We have to change the permissions of some directories for the new user
$chown -R slapd:slapd /etc/ldap /var/lib/slapd /var/lib/ldap /var/run/slapd
Now we have to tell it which user and group the slapd daemon should run as. To do so we edit the file /etc/default/slapd
$vi /etc/default/slapd
...
SLAPD_USER="slapd"
SLAPD_GROUP="slapd"
...

We restart so that it runs as the new user
$/etc/init.d/slapd restart
We see that the service has started with the new user and group
$ps auxf
...
slapd 6162 0.0 0.2 22196 3604 ? Ssl 09:48 0:00 /usr/sbin/slapd -g slapd -u slapd -f /etc/ldap/slapd.conf
...

We can install LAM (LDAP Account Manager), which is used to manage a server.
$sudo apt-get install ldap-account-manager
From the browser we can now open http://jupiter.val.blom.lan/lam. To configure the server and the administrator name properly, go to the link LAM configuration. In the link Edit server profiles, change the LDAP server address ldap://jupiter.val.blom.lan:389, the tree suffix dc=val,dc=blom,dc=lan and the list of valid users cn=admin,dc=val,dc=blom,dc=lan to our own values.
The data is saved in the following path /usr/share/ldap-account-manager/config/lam.conf
We have to create a structure in the LDAP database with a few containers (organizational units); for that we create a file called tablas_lam.ldif in /tmp with the following contents (the blank line between entries is required by the LDIF format)
$sudo vi /tmp/tablas_lam.ldif
dn: ou=Groups,dc=val,dc=blom,dc=lan
objectClass: top
objectClass: organizationalUnit
ou: Groups

dn: ou=People,dc=val,dc=blom,dc=lan
objectClass: top
objectClass: organizationalUnit
ou: People

dn: ou=Hosts,dc=val,dc=blom,dc=lan
objectClass: top
objectClass: organizationalUnit
ou: Hosts

To load the information from the file into the server we have to do the following
$ldapadd -x -D 'cn=admin,dc=val,dc=blom,dc=lan' -W -f /tmp/tablas_lam.ldif
Enter LDAP Password:
adding new entry "ou=Groups,dc=val,dc=blom,dc=lan"
adding new entry "ou=People,dc=val,dc=blom,dc=lan"
adding new entry "ou=Hosts,dc=val,dc=blom,dc=lan"

If we log in on the LAM web page we can see the new data
Now we create a group and a user with an ldif file. The user will be a normal one (objectClass: posixAccount). The password will be the same as the user name. It can be stored in clear text (userPassword: jcgutierrez) or hashed with MD5. To see which MD5 hash corresponds to the string jcgutierrez we run the following
$slappasswd -h {MD5} -s jcgutierrez
{MD5}W2HnUIxXN9PYvgIkU4rkzg==

We create the ldif file for creating the group and another one for the user
$vi /tmp/grupo_lam.ldif
# File /tmp/grupo_lam.ldif
# Create group
dn: cn=Valladolid,ou=Groups,dc=val,dc=blom,dc=lan
objectClass: top
objectClass: posixGroup
cn: Valladolid
gidNumber: 2000
$vi /tmp/usuario_lam.ldif
# New user
#
dn: uid=jcgutierrez,ou=People,dc=val,dc=blom,dc=lan
objectClass: top
objectClass: account
objectClass: posixAccount
uid: jcgutierrez
cn: Juan Carlos
userPassword: {MD5}W2HnUIxXN9PYvgIkU4rkzg==
gecos: Juan Carlos
uidNumber: 2000
gidNumber: 2000
homeDirectory: /home/jcgutierrez
loginShell: /bin/bash
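
The {MD5} value used above is an unsalted hash, so every account with that password stores the identical string. The following Python (added here; not from the post or from OpenLDAP) reproduces slappasswd's {MD5} and {SSHA} encodings, verifies a password against a stored userPassword value, and decodes the base64 userPassword line that slapcat printed earlier; the fixed salt bytes in the comments are constructed.

```python
"""Produce and check RFC 2307 userPassword values such as the {MD5} one above.
Added example code, not from the post or from OpenLDAP: hashlib and base64
reproduce what slappasswd does for {MD5} (unsalted) and {SSHA} (4 random
salt bytes, slappasswd's default scheme), and decode slapcat's '::' values.
"""
import base64
import hashlib
import hmac
import os
import re

_SCHEME_RE = re.compile(r"^\{(?P<scheme>[A-Za-z0-9]+)\}(?P<payload>.*)$")

def hash_userpassword(password, scheme="SSHA", salt=None):
    """Return the value 'slappasswd -h {scheme}' would store.

    {MD5}  -> base64(md5(pw))                 same password, same value
    {SSHA} -> base64(sha1(pw + salt) + salt)  salt makes each value unique
    """
    pw = password.encode("utf-8")
    scheme = scheme.upper()
    if scheme == "MD5":
        return "{MD5}" + base64.b64encode(hashlib.md5(pw).digest()).decode("ascii")
    if scheme == "SSHA":
        salt = os.urandom(4) if salt is None else salt  # a fixed salt is only for tests
        digest = hashlib.sha1(pw + salt).digest()
        return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")
    raise ValueError("scheme not covered here: " + scheme)

def verify_userpassword(password, stored):
    """Check a candidate password against a stored userPassword value.

    A value without a {SCHEME} prefix (the 'userPassword: jcgutierrez' option
    mentioned above) is clear text and is compared directly.
    """
    pw = password.encode("utf-8")
    m = _SCHEME_RE.match(stored)
    if m is None:
        return hmac.compare_digest(stored.encode("utf-8"), pw)
    scheme, raw = m.group("scheme").upper(), base64.b64decode(m.group("payload"))
    if scheme == "MD5":
        return hmac.compare_digest(raw, hashlib.md5(pw).digest())
    if scheme == "SSHA":
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the rest is salt
        return hmac.compare_digest(digest, hashlib.sha1(pw + salt).digest())
    raise ValueError("scheme not covered here: " + scheme)

def decode_ldif_value(value):
    """LDIF marks base64 values with '::' (slapcat's 'userPassword::' above);
    this returns the stored text, i.e. the {SCHEME} string slapd keeps."""
    return base64.b64decode(value).decode("utf-8")

if __name__ == "__main__":
    print("reproduces slappasswd -h {MD5} -s jcgutierrez:", hash_userpassword("jcgutierrez", "MD5"))
    a, b = hash_userpassword("jcgutierrez"), hash_userpassword("jcgutierrez")
    print("two {SSHA} values for the same password differ:", a != b)
    print("both still verify:", verify_userpassword("jcgutierrez", a), verify_userpassword("jcgutierrez", b))
    print("the admin entry from slapcat stores:", decode_ldif_value("e2NyeXB0fU80cnZlWWlyMVVCY3M="))
```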

The server's default startup options are configured in the following file
$vi /etc/default/slapd
# Default location of the slapd.conf file. If empty, use the compiled-in
# default (/etc/ldap/slapd.conf). If using the cn=config backend to store
# configuration in LDIF, set this variable to the directory containing the
# cn=config data.
SLAPD_CONF="/etc/ldap/slapd.conf"

# System account to run the slapd server under. If empty the server
# will run as root.
SLAPD_USER="openldap"

# System group to run the slapd server under. If empty the server will
# run in the primary group of its user.
SLAPD_GROUP="openldap"

# Path to the pid file of the slapd server. If not set the init.d script
# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.conf by
# default)
SLAPD_PIDFILE=

#slapd normally serves ldap only on all TCP-ports 389. slapd can also
#service requests on TCP-port 636 (ldaps) and requests via unix
#sockets.
#Example usage:
# SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
SLAPD_SERVICES="ldap://jupiter.val.blom.lan:389/ ldaps://jupiter.val.blom.lan/ ldapi:///"

# If SLAPD_NO_START is set, the init script will not start or restart
# slapd (but stop will still work). Uncomment this if you are
# starting slapd via some other means or if you don't want slapd normally
# started at boot.
#SLAPD_NO_START=1

# If SLAPD_SENTINEL_FILE is set to path to a file and that file exists,
# the init script will not start or restart slapd (but stop will still
# work). Use this for temporarily disabling startup of slapd (when doing
# maintenance, for example, or through a configuration management system)
# when you don't want to edit a configuration file.
SLAPD_SENTINEL_FILE=/etc/ldap/noslapd

# For Kerberos authentication (via SASL), slapd by default uses the system
# keytab file (/etc/krb5.keytab). To use a different keytab file,
# uncomment this line and change the path.
#export KRB5_KTNAME=/etc/krb5.keytab

# Additional options to pass to slapd
SLAPD_OPTIONS=""
SLURPD_OPTIONS=""

To use LDAP as the source of system users and groups we have to install the following packages and modify the nsswitch.conf file
$sudo apt-get install libnss-ldap libnss-db nss-updatedb
The password is stored in /etc/ldap.secret
Once libnss-ldap is installed, the NSS configuration file (/etc/nsswitch.conf) can be edited. In it we have to change the way the passwd, group and shadow tables are obtained:
$vi /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

#passwd: compat
passwd: files db [NOTFOUND=continue] ldap
#group: compat
group: files db [NOTFOUND=continue] ldap
#shadow: compat
shadow: files ldap
#hosts: files dns
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis

This tells NSS to look first in the usual files (/etc/passwd, /etc/group and /etc/shadow), then in the local cache and, if it still does not find it, in the LDAP server.
For the lookup against the LDAP server to work, the file /etc/libnss-ldap.conf has to be configured with something like this
$sudo vi /etc/libnss-ldap.conf
uri ldaps://jupiter.val.blom.lan
base dc=val,dc=blom,dc=lan
tls_cacert /etc/ldap/cacert.pem
bind_policy hard
ssl on
use_sasl off
rootuse_sasl off
idle_timelimit 3600
pam_min_uid 1000
sasl_secprops maxssf=0
nss_reconnect_tries 1
nss_reconnect_sleeptime 1
nss_reconnect_maxsleeptime 8
nss_reconnect_maxconntries 2
nss_paged_results yes
nss_base_passwd ou=People,dc=val,dc=blom,dc=lan?one
nss_base_shadow ou=People,dc=val,dc=blom,dc=lan?one
nss_base_group ou=Groups,dc=val,dc=blom,dc=lan?one

Now the local cache has to be filled with the data from the LDAP server. For that we use:
$nss_updatedb ldap passwd
We have to create a configuration file used by the LDAP clients. In this file we tell it which ou hold the system data (users, groups...) and which servers store those ou.
$vi /etc/ldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
#
## Initial configuration 26-11-2008_jc
#
# This file must be readable by everyone, but not writable by everyone
#
# The LDAP server must be resolvable without using LDAP
HOST jupiter.val.blom.lan

# Base name for searches
BASE dc=jupiter,dc=val,dc=blom,dc=lan

# Port used by default is 389; 636 is for ldaps
port 389

We set the permissions on the file
$chmod -v 644 /etc/ldap/ldap.conf
We also give the slapd.conf file the appropriate permissions
$chmod -v 600 /etc/ldap/slapd.conf



Create a private certificate


To be able to generate the certificates we need OpenSSL installed; if it is not, we have to install it
$apt-get install openssl
Leyendo lista de paquetes... Hecho
Creando árbol de dependencias
Leyendo la información de estado... Hecho
Paquetes sugeridos:
  ca-certificates openssl-doc
Se instalarán los siguientes paquetes NUEVOS:
  openssl
0 actualizados, 1 se instalarán, 0 para eliminar y 33 no actualizados.
Necesito descargar 385kB de archivos.
After this operation, 819kB of additional disk space will be used.
Des:1 http://es.archive.ubuntu.com hardy-updates/main openssl 0.9.8g-4ubuntu3.3 [385kB]
Descargados 385kB en 1min26s (4461B/s)
Seleccionando el paquete openssl previamente no seleccionado.
(Leyendo la base de datos ...
18248 ficheros y directorios instalados actualmente.)
Desempaquetando openssl (de .../openssl_0.9.8g-4ubuntu3.3_i386.deb) ...
Configurando openssl (0.9.8g-4ubuntu3.3) ...

We are going to generate the certificate from a CA
We generate the certificate; it will be created in the current directory
$openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout server.pem -days 365
Generating a 1024 bit RSA private key
..............................++++++
......................................................................++++++
writing new private key to 'server.pem'



You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.



Country Name (2 letter code) [AU]:ES
State or Province Name (full name) [Some-State]:Valladolid
Locality Name (eg, city) []:Valladolid
Organization Name (eg, company) [Internet Widgits Pty Ltd]:blom.es
Organizational Unit Name (eg, section) []:blom.es
Common Name (eg, YOUR name) []:blom.es
Email Address []:admin@blom.es
root@jupiter:/etc/ldap# updatedb
root@jupiter:/etc/ldap# locate server.pem
/etc/ldap/server.pem
/usr/lib/python2.5/site-packages/twisted/test/server.pem
/usr/share/pyshared/twisted/test/server.pem

I give the file the following ownership
$chown slapd:slapd /etc/ldap/server.pem
Now we go through the process of obtaining a certificate signed by a certification authority and a key for the server.
$mkdir -v /var/tmp/mica
$cd /var/tmp/mica
$/usr/lib/ssl/misc/CA.sh -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
....................++++++
................................++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:sistemas
Verifying - Enter PEM pass phrase:sistemas



You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.



Country Name (2 letter code) [AU]:ES
Locality Name (eg, city) []:Valladolid
Organization Name (eg, company) [Internet Widgits Pty Ltd]:blom.es
Organizational Unit Name (eg, section) []:blom.es
Common Name (eg, YOUR name) []:blom.es
Email Address []: admin@blom.es
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:sistemas
An optional company name []:blom.es
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/./cakey.pem:sistemas
Check that the request matches the signature
Signature ok
Certificate Details:
    Serial Number: 0 (0x0)
    Validity
    Not Before: Nov 21 09:07:28 2008 GMT
    Not After : Nov 21 09:07:28 2011 GMT
    Subject:
    countryName = ES
    stateOrProvinceName = Valladolid
    organizationName = blom.es
    organizationalUnitName = blom.es
    commonName = blom.es
    emailAddress = admin@blom.es
    X509v3 extensions:
    X509v3 Subject Key Identifier:
    96:95:85:D8:3A:C1:FD:B8:00:89:CA:4C:59:74:1B:14:C0:81:DE:ED
    X509v3 Authority Key Identifier:
    keyid:96:95:85:D8:3A:C1:FD:B8:00:89:CA:4C:59:74:1B:14:C0:81:DE:ED
    DirName:/C=ES/ST=Valladolid/O=blom.es/OU=blom.es/CN=blom.es/emailAddress=admin@blom.es
    serial:00

    X509v3 Basic Constraints:
    CA:TRUE
Certificate is to be certified until Nov 21 09:07:28 2011 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

We look at the structure it generated with the tree command
$apt-get install tree
Leyendo lista de paquetes... Hecho
Creando árbol de dependencias
Leyendo la información de estado... Hecho
Se instalarán los siguientes paquetes NUEVOS:
   tree
0 actualizados, 1 se instalarán, 0 para eliminar y 33 no actualizados.
Necesito descargar 28,4kB de archivos.
After this operation, 94,2kB of additional disk space will be used.
Des:1 http://es.archive.ubuntu.com hardy/universe tree 1.5.1.1-1 [28,4kB]
Descargados 28,4kB en 25s (1134B/s)
Seleccionando el paquete tree previamente no seleccionado.
(Leyendo la base de datos ...
18321 ficheros y directorios instalados actualmente.)
Desempaquetando tree (de .../tree_1.5.1.1-1_i386.deb) ...
Configurando tree (1.5.1.1-1) ...
$tree
.
`-- demoCA
  |-- cacert.pem
  |-- careq.pem
  |-- certs
  |-- crl
  |-- index.txt
  |-- index.txt.attr
  |-- index.txt.old
  |-- newcerts
  | `-- 00.pem
  |-- private
  | `-- cakey.pem
  |-- serial
  `-- serial.old

5 directories, 9 files

The really important files are demoCA/cacert.pem and demoCA/private/cakey.pem
Creating the signing request for the server certificate
$openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem
Generating a 1024 bit RSA private key
..........................++++++
................................++++++
writing new private key to 'newreq.pem'



You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.



Country Name (2 letter code) [AU]:ES
State or Province Name (full name) [Some-State]:Valladolid
Locality Name (eg, city) []:Valladolid
Organization Name (eg, company) [Internet Widgits Pty Ltd]:blom.es
Organizational Unit Name (eg, section) []:blom.es
Common Name (eg, YOUR name) []:blom.es
Email Address []:admin@blom.es

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:sistemas
An optional company name []:blom.es

The result is the file newreq.pem
Signing the CSR
$/usr/lib/ssl/misc/CA.sh -sign
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:sistemas
Check that the request matches the signature
Signature ok
Certificate Details:
    Serial Number: 1 (0x1)
    Validity
    Not Before: Nov 21 09:22:24 2008 GMT
    Not After : Nov 21 09:22:24 2009 GMT
    Subject:
    countryName = ES
    stateOrProvinceName = Valladolid
    localityName = Valladolid
    organizationName = blom.es
    organizationalUnitName = blom.es
    commonName = blom.es
    emailAddress = admin@blom.es
    X509v3 extensions:
    X509v3 Basic Constraints:
    CA:FALSE
    Netscape Comment:
    OpenSSL Generated Certificate
    X509v3 Subject Key Identifier:
    67:1C:25:F0:E7:06:B6:3B:C2:AC:75:4C:AD:A9:CB:41:44:5D:45:EB
    X509v3 Authority Key Identifier:
    keyid:96:95:85:D8:3A:C1:FD:B8:00:89:CA:4C:59:74:1B:14:C0:81:DE:ED

Certificate is to be certified until Nov 21 09:22:24 2009 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
   Data:
    Version: 3 (0x2)
    Serial Number: 1 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: C=ES, ST=Valladolid, O=blom.es, OU=blom.es, CN=blom.es/emailAddress=admin@blom.es
    Validity
    Not Before: Nov 21 09:22:24 2008 GMT
    Not After : Nov 21 09:22:24 2009 GMT
    Subject: C=ES, ST=Valladolid, L=Valladolid, O=blom.es, OU=blom.es, CN=blom.es/emailAddress=admin@blom.es
    Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (1024 bit)
    Modulus (1024 bit):
    Exponent: 65537 (0x10001)
    X509v3 extensions:
    X509v3 Basic Constraints:
    CA:FALSE
    Netscape Comment:
    OpenSSL Generated Certificate
    X509v3 Subject Key Identifier:
    67:1C:25:F0:E7:06:B6:3B:C2:AC:75:4C:AD:A9:CB:41:44:5D:45:EB
    X509v3 Authority Key Identifier:
    keyid:96:95:85:D8:3A:C1:FD:B8:00:89:CA:4C:59:74:1B:14:C0:81:DE:ED

    Signature Algorithm: sha1WithRSAEncryption


Signed certificate is in newcert.pem

This creates the file newcert.pem (the server certificate signed by the certification authority) with the private key newreq.pem
Verifying the certificate
$openssl verify -CAfile demoCA/cacert.pem newcert.pem
newcert.pem: OK

We create the directory structure for the certificates
$mkdir -p /etc/ldap/ssl/certs
$cd /var/tmp/mica
$cp demoCA/cacert.pem /etc/ldap/ssl/
$cp newcert.pem /etc/ldap/ssl/certs/servidorcert.pem
$cp -r demoCA/crl /etc/ldap/ssl/
$cp demoCA/index.txt /etc/ldap/ssl/
$cp -r demoCA/newcerts /etc/ldap/ssl/
$cp -r demoCA/private /etc/ldap/ssl/
$cp newreq.pem /etc/ldap/ssl/private/servidorkey.pem
$cp demoCA/serial /etc/ldap/ssl/

The certificates directory would then look like this
$tree /etc/ldap/ssl
/etc/ldap/ssl
|-- cacert.pem
|-- certs
| `-- servidorcert.pem
|-- crl
|-- index.txt
|-- newcerts
| `-- 01.pem
|-- private
| |-- cakey.pem
| `-- servidorkey.pem
`-- serial

4 directories, 7 files
The file servidorcert.pem corresponds to the newcert.pem file generated when the CSR was signed
The file servidorkey.pem corresponds to the newreq.pem file from the CSR signing step

Everything must belong to the slapd user
$chown -R slapd:slapd /etc/ldap/ssl
$chmod -R /etc/ldap/ssl
We set the permissions on the private key
$chmod -v 400 /etc/ldap/ssl/private/servidorkey.pem
mode of `/etc/ldap/ssl/private/servidorkey.pem' changed to 0400 (r--------)




Certificate for the clients


We now have a certification authority. We intend to use the same certification authority to sign the client certificate.
We create the signing request (CSR) for the certificate belonging to the server. The certificate will be created in the current directory; in this case we do it in the directory where we have the previously created certificate, /var/tmp/mica/
$cd /var/tmp/mica
$/usr/bin/openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem
Generating a 1024 bit RSA private key
.....++++++
............++++++
writing new private key to 'newreq.pem'



You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.



Country Name (2 letter code) [AU]:ES
State or Province Name (full name) [Some-State]:Valladollid
Locality Name (eg, city) []:
root@jupiter:/home/jcgutierrez/ssl# /usr/bin/openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem
Generating a 1024 bit RSA private key
........++++++
.....................++++++
writing new private key to 'newreq.pem'

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Country Name (2 letter code) [AU]:ES
State or Province Name (full name) [Some-State]:Valladolid
Locality Name (eg, city) []:Valladolid
Organization Name (eg, company) [Internet Widgits Pty Ltd]:blom.es
Organizational Unit Name (eg, section) []:Sistemas Valladolid
Common Name (eg, YOUR name) []:Juan Carlos Gutierrez Alonso
Email Address []:jcgutierrez@blom.es

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:xxxxxx
An optional company name []:

The challenge password must be at least 4 characters long.
The result is the file newreq.pem.

Copy the resulting file to the user's directory
$cp newreq.pem /home/jcgutierrez/ssl

Sign the CSR
$/usr/lib/ssl/misc/CA.sh -sign
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Nov 27 08:08:21 2008 GMT
            Not After : Nov 27 08:08:21 2009 GMT
        Subject:
            countryName               = ES
            stateOrProvinceName       = Valladolid
            localityName              = Valladolid
            organizationName          = blom.es
            organizationalUnitName    = Sistemas Valladolid
            commonName                = Juan Carlos Gutierrez Alonso
            emailAddress              = jcgutierrez@blom.es
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                89:EF:AF:8D:95:29:C5:15:0C:9C:0B:44:35:34:D9:56:85:C8:93:CC
            X509v3 Authority Key Identifier:
                keyid:BF:FD:3B:2C:6C:95:EA:0A:8D:A9:EC:2B:05:33:BF:E8:EB:A8:34:55

Certificate is to be certified until Nov 27 08:08:21 2009 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=ES, ST=Valladolid, O=blom.es, OU=blom.es, CN=blom.es/emailAddress=admin@blom.es
        Validity
            Not Before: Nov 27 08:08:21 2008 GMT
            Not After : Nov 27 08:08:21 2009 GMT
        Subject: C=ES, ST=Valladolid, L=Valladolid, O=blom.es, OU=Sistemas Valladolid, CN=Juan Carlos Gutierrez Alonso/emailAddress=jcgutierrez@blom.es
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:c4:43:8a:1e:56:a2:15:05:27:c0:e0:96:d4:a2:
                    30:f8:25:e4:fa:43:93:c6:c5:0c:c5:4f:7d:32:4f:
                    3a:3f:44:1f:3f:1a:e1:71:20:00:a0:c3:14:73:f7:
                    30:80:52:c5:54:0a:ab:74:7b:f2:3f:2c:ba:a7:6e:
                    a7:98:00:ab:3d:7b:f9:36:28:08:4a:14:a6:bd:28:
                    f6:47:11:b8:98:a6:00:cb:62:67:ba:57:87:15:28:
                    47:00:ce:9f:5c:e7:76:e9:55:57:51:d5:81:59:56:
                    35:a2:8b:21:8f:74:3f:3b:4c:4c:9f:48:7d:07:72:
                    7c:d3:24:dc:c7:64:f2:30:fb
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                89:EF:AF:8D:95:29:C5:15:0C:9C:0B:44:35:34:D9:56:85:C8:93:CC
            X509v3 Authority Key Identifier:
                keyid:BF:FD:3B:2C:6C:95:EA:0A:8D:A9:EC:2B:05:33:BF:E8:EB:A8:34:55
    Signature Algorithm: sha1WithRSAEncryption
        a8:44:74:c0:c7:f4:1b:a4:86:bf:ab:b2:f3:42:91:64:ba:50:
        d3:c6:a1:b2:a1:fb:aa:78:fa:4c:a3:b1:2b:ae:83:51:d0:3b:
        38:dd:77:01:ab:1a:7c:4d:01:2a:b4:89:47:92:18:14:0e:47:
        fc:d9:e9:ed:db:57:73:d1:c8:a0:07:90:4f:0d:16:b5:25:8b:
        5b:30:b7:9e:b1:58:cb:73:c9:3c:8f:e5:26:82:c7:9e:ab:b5:
        b6:72:e5:64:ae:29:ed:35:6a:e4:25:84:38:6f:66:bb:2a:48:
        1f:f5:96:2b:8c:f8:6c:a6:1f:9d:d2:1b:a8:06:8f:69:af:39:
        08:cd
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Signed certificate is in newcert.pem

This creates newcert.pem (the client certificate signed by the certificate authority); the matching private key is in newreq.pem.
To verify that the certificate is correctly signed, use the following command:
$/usr/bin/openssl verify -CAfile demoCA/cacert.pem newcert.pem
newcert.pem: OK
Now the client certificate and private key can be renamed and moved to their destination (for example /home/usuario/ssl/). It is also advisable to change the permissions on the private key so that only the user it belongs to can read it
$mkdir -p /home/jcgutierrez/ssl
$cd /home/jcgutierrez/ssl
Copy the resulting certificate to the user's directory
$cp newcert.pem /home/jcgutierrez/ssl
The user must already exist on the local machine so that the private key can be made readable only by its owner
$adduser jcgutierrez --home /home/jcgutierrez --shell /bin/bash
Warning: The home dir /home/jcgutierrez you specified already exists.
Adding user `jcgutierrez' ...
Adding new group `jcgutierrez' (1001) ...
Adding new user `jcgutierrez' (1001) with group `jcgutierrez' ...
The home directory `/home/jcgutierrez' already exists. Not copying from `/etc/skel'.
adduser: Warning: The home directory `/home/jcgutierrez' does not belong to the user you are currently creating.
Enter new UNIX password:xxxxxx
Retype new UNIX password:xxxxxx
passwd: password updated successfully
Changing the user information for jcgutierrez
Enter the new value, or press ENTER for the default
        Full Name []: Juan Carlos Gutierrez Alonso
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [y/N] y

$chmod -R 755 /home/jcgutierrez/
$chown -R jcgutierrez:jcgutierrez /home/jcgutierrez
$chmod 400 /home/jcgutierrez/ssl/newreq.pem
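A set of checks for the key and certificate files deployed in the two steps above (the server files under /etc/ldap/ssl and the client files under /home/jcgutierrez/ssl). This is an added example, not code from the original post: it verifies that a private key is owned by the expected user and readable by nobody else (the 0400 mode set with chmod above), that a certificate's public key really belongs to the private key next to it, and that the certificate verifies against cacert.pem, the same check as the `openssl verify -CAfile` command above. Paths and the expected owner are arguments; the usage comment mirrors the post's layout and assumes, as the Debian slapd package does, that the daemon runs as the openldap account.

```shell
#!/bin/sh
# Added example (not code from the original post): sanity checks for the
# deployed LDAP TLS material. Paths and the expected owner are arguments; the
# paths in the usage comment mirror the post's layout and are assumptions.

# check_key_perms FILE OWNER
# The private key must exist, belong to OWNER and be readable by the owner
# only (mode 0400 or 0600; the post uses chmod 400). Returns 0 when everything
# is fine, 1 otherwise, printing the reason.
check_key_perms() {
    f="$1"; want_owner="$2"
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    set -- $(stat -c '%a %U' "$f")      # GNU stat: octal mode and owner name
    mode="$1"; owner="$2"
    case "$mode" in
        400|600) ;;
        *) echo "$f: mode $mode, expected 400 or 600"; return 1 ;;
    esac
    [ "$owner" = "$want_owner" ] || { echo "$f: owned by $owner, expected $want_owner"; return 1; }
    return 0
}

# cert_matches_key CERT KEY
# The public key inside CERT must correspond to the RSA private key in KEY.
# The post's newreq.pem holds both the key and the CSR; openssl rsa reads the
# key block and ignores the rest. The two moduli are compared as printed.
cert_matches_key() {
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
    k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# verify_chain CA CERT
# CERT must verify against CA, the same check as the post's
# "openssl verify -CAfile demoCA/cacert.pem newcert.pem".
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Usage for the server side (as root, after copying the files; openldap is
# the account the Debian slapd package runs the daemon as):
#   check_key_perms /etc/ldap/ssl/private/servidorkey.pem openldap
#   cert_matches_key /etc/ldap/ssl/certs/servidorcert.pem /etc/ldap/ssl/private/servidorkey.pem
#   verify_chain /etc/ldap/ssl/cacert.pem /etc/ldap/ssl/certs/servidorcert.pem
# and for the client files:
#   check_key_perms /home/jcgutierrez/ssl/newreq.pem jcgutierrez
#   cert_matches_key /home/jcgutierrez/ssl/newcert.pem /home/jcgutierrez/ssl/newreq.pem
#   verify_chain /etc/ldap/ssl/cacert.pem /home/jcgutierrez/ssl/newcert.pem
```

A key that fails `check_key_perms` is readable by other local users, and a certificate that fails `cert_matches_key` will make slapd or the client refuse to start TLS with a confusing error, so both checks are worth running before restarting slapd.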

Now that the certificates are created, all that remains is to configure OpenLDAP.



OpenLDAP configuration


Add the following lines to the slapd configuration file
$vi /etc/ldap/slapd.conf
...
# Certificate signed by a certificate authority and
# the server certificate

TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /etc/ldap/ssl/cacert.pem
TLSCertificateFile /etc/ldap/ssl/certs/servidorcert.pem
TLSCertificateKeyFile /etc/ldap/ssl/private/servidorkey.pem

# If you want clients to be required to authenticate,
# uncomment the following line
TLSVerifyClient demand
# ... otherwise, uncomment this one instead
# TLSVerifyClient never
...

Client-side configuration goes in the ldap.conf file; if specific values are needed for individual users, the files ldaprc or .ldaprc can be created in the user's home directory.
$vi /etc/ldap/ldap.conf
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
#
## Initial configuration 26-11-2008_jc
#
# This file must be readable by everyone, but not writable by everyone
#
# The LDAP server name must be resolvable without using LDAP
HOST jupiter.val.blom.lan
# Base name for searches
BASE dc=jupiter,dc=val,dc=blom,dc=lan
# Port; the default is 389, 636 is for ldaps
PORT 636
# File with the certificates of the certificate authorities the client trusts
TLS_CACERT /etc/ldap/ssl/certs/cacert.pem
# Kind of check to perform on a server certificate
TLS_REQCERT demand

The ldap.conf file must be readable by everyone but not writable (the file edited above is /etc/ldap/ldap.conf)
$chmod 644 /etc/ldap/ldap.conf
Create a per-user configuration file inside the user's /home/usuario
$vi /home/usuario/ldaprc
# user-specific LDAP configuration
# overrides the global directive if it was set
TLS_REQCERT demand
#
# client authentication (certificate and key)
TLS_CERT /home/jcgutierrez/ssl/newcert.pem
TLS_KEY /home/jcgutierrez/ssl/newreq.pem

Give the file the right ownership
$chown jcgutierrez:jcgutierrez /home/jcgutierrez/ldaprc
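A read-only audit of the TLS directives in the slapd.conf block and the ldap.conf/ldaprc files written above, as an added example that is not from the original post. It flags what a reviewer would question in these files: the `+SSLv2` token in the post's `TLSCipherSuite` line re-enables a protocol that was already obsolete in 2008 (the syntax of that directive depends on whether slapd was built against OpenSSL or GnuTLS; with OpenSSL-style strings, `HIGH` on its own is a safer value), a `TLSVerifyClient` that is `never` or unset, a client `TLS_REQCERT` weaker than `demand`, and certificate paths that point at files which do not exist. The last check matters on this page because ldap.conf above sets `TLS_CACERT` to /etc/ldap/ssl/certs/cacert.pem while the directory listing earlier shows cacert.pem directly under /etc/ldap/ssl. File paths are arguments; the functions only read the files and print one finding per line.

```shell
#!/bin/sh
# Added example (not code from the original post): read-only audit of the TLS
# directives in slapd.conf and ldap.conf/ldaprc. Each function prints one
# finding per line and returns the number of findings (0 = nothing to fix).

# active_directive FILE NAME: value of the first uncommented NAME directive
# (directive names are matched case-insensitively, as slapd and libldap do).
active_directive() {
    awk -v n="$2" 'tolower($1) == tolower(n) {
        sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }' "$1"
}

# audit_slapd_tls SLAPD_CONF: server-side checks.
audit_slapd_tls() {
    n=0
    suite=$(active_directive "$1" TLSCipherSuite)
    # Tokens that enable SSLv2/SSLv3 or weak cipher groups; a disabling
    # prefix (! or -) is deliberately not flagged.
    weak=$(printf '%s\n' "$suite" | tr ':' '\n' \
           | grep -Ex '\+?(SSLv2|SSLv3|LOW|aNULL|eNULL|NULL|EXPORT)' | tr '\n' ' ')
    [ -z "$weak" ] || { echo "TLSCipherSuite enables obsolete or weak ciphers: $weak"; n=$((n + 1)); }
    for d in TLSCACertificateFile TLSCertificateFile TLSCertificateKeyFile; do
        [ -n "$(active_directive "$1" "$d")" ] || { echo "$d is not set"; n=$((n + 1)); }
    done
    v=$(active_directive "$1" TLSVerifyClient)   # slapd default is never
    case "$v" in
        demand|hard) ;;
        *) echo "TLSVerifyClient is '${v:-unset}': clients are not authenticated by certificate"
           n=$((n + 1)) ;;
    esac
    return $n
}

# audit_ldap_client LDAP_CONF: client-side checks for ldap.conf.
audit_ldap_client() {
    n=0
    v=$(active_directive "$1" TLS_REQCERT)       # libldap default is demand
    case "$v" in
        demand|hard|"") ;;
        *) echo "TLS_REQCERT is '$v': the server certificate is not enforced"; n=$((n + 1)) ;;
    esac
    [ -n "$(active_directive "$1" TLS_CACERT)" ] || { echo "TLS_CACERT is not set"; n=$((n + 1)); }
    return $n
}

# referenced_files_exist CONF DIRECTIVE...: every listed directive that is
# set must point at an existing file.
referenced_files_exist() {
    f="$1"; shift; n=0
    for d in "$@"; do
        p=$(active_directive "$f" "$d")
        [ -n "$p" ] || continue
        [ -f "$p" ] || { echo "$d points at a missing file: $p"; n=$((n + 1)); }
    done
    return $n
}

# Usage on the files from the post:
#   audit_slapd_tls /etc/ldap/slapd.conf
#   referenced_files_exist /etc/ldap/slapd.conf TLSCACertificateFile TLSCertificateFile TLSCertificateKeyFile
#   audit_ldap_client /etc/ldap/ldap.conf
#   referenced_files_exist /etc/ldap/ldap.conf TLS_CACERT
#   referenced_files_exist /home/jcgutierrez/ldaprc TLS_CERT TLS_KEY
```

Run against the slapd.conf block above, `audit_slapd_tls` reports exactly one finding, the `+SSLv2` token; everything else in that block passes.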
The /etc/ldap/schema directory contains several schema definitions for LDAP.
Installing more packages
$apt-get install libpam-ldap ldapscripts libpam-ccreds nss-updatedb
$apt-get install libnss-ldapd
URI of the LDAP server: ldaps://jupiter.val.blom.lan
LDAP server search base: dc=jupiter,dc=val,dc=blom,dc=lan
This modifies /etc/nsswitch.conf; name services to configure: aliases, ethers, group, hosts, netgroup, networks, passwd, protocols, rpc, services, shadow
We still need to install some packages and change sources.list so that Debian packages work
$vi /etc/apt/sources.list
...

  1. paquetes de debian añadidos 27-11-2008_jc
  2. deb http://debian.mirrors.pair.com/ stable main contrib non-free
  3. deb-src http://debian.mirrors.pair.com/ stable main contrib non-free
deb http://debian.crosslink.net/debian/ stable main
deb-src http://debian.crosslink.net/debian/ stable main
deb http://security.debian.org/ stable/updates main
...
$apt-get update
$apt-get install gcc
$apt-get install gnutls-bin
$apt-get install dpkg-dev
$cd /tmp
$apt-get source openldap2
$ls -l
total 2508
drwxr-xr-x 11 root root 4096 Nov 27 13:33 openldap2-2.1.30
-rw-r--r-- 1 root root 502270 Feb 17 2007 openldap2_2.1.30-13.3.diff.gz
-rw-r--r-- 1 root root 976 Feb 17 2007 openldap2_2.1.30-13.3.dsc
-rw-r--r-- 1 root root 2044673 May 25 2004 openldap2_2.1.30.orig.tar.gz
