# SOME DESCRIPTIVE TITLE # Copyright (C) YEAR The FreeBSD Project # This file is distributed under the same license as the FreeBSD Documentation package. # Fernando Apesteguía , 2021, 2022. msgid "" msgstr "" "Project-Id-Version: FreeBSD Documentation VERSION\n" "POT-Creation-Date: 2022-02-01 09:21-0300\n" "PO-Revision-Date: 2022-08-12 06:38+0000\n" "Last-Translator: Fernando Apesteguía \n" "Language-Team: Spanish \n" "Language: es\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "Plural-Forms: nplurals=2; plural=n != 1;\n" "X-Generator: Weblate 4.10.1\n" #. type: YAML Front Matter: description #: documentation/content/en/articles/ldap-auth/_index.adoc:1 #, no-wrap msgid "Guide for the configuration of an LDAP server for authentication on FreeBSD" msgstr "" "Guía para la configuración de un servidor de autenticación LDAP en FreeBSD" #. type: Title = #: documentation/content/en/articles/ldap-auth/_index.adoc:1 #: documentation/content/en/articles/ldap-auth/_index.adoc:12 #, no-wrap msgid "LDAP Authentication" msgstr "Autenticación LDAP" #. type: Plain text #: documentation/content/en/articles/ldap-auth/_index.adoc:45 msgid "Abstract" msgstr "Resumen" #. type: Plain text #: documentation/content/en/articles/ldap-auth/_index.adoc:48 msgid "" "This document is intended as a guide for the configuration of an LDAP server " "(principally an OpenLDAP server) for authentication on FreeBSD. This is " "useful for situations where many servers need the same user accounts, for " "example as a replacement for NIS." msgstr "" "Este documento pretende ser una guía para la configuración de un servidor " "LDAP (principalmente un servidor OpenLDAP) para la autenticación en FreeBSD. " "Esto es útil para situaciones en las que muchos servidores necesitan las " "mismas cuentas de usuario, por ejemplo, como reemplazo de NIS." #. 
type: Plain text #: documentation/content/en/articles/ldap-auth/_index.adoc:50 msgid "'''" msgstr "'''" #. type: Title == #: documentation/content/en/articles/ldap-auth/_index.adoc:54 #, no-wrap msgid "Preface" msgstr "Prólogo" #. type: Plain text #: documentation/content/en/articles/ldap-auth/_index.adoc:58 msgid "" "This document is intended to give the reader enough of an understanding of " "LDAP to configure an LDAP server. This document will attempt to provide an " "explanation of package:net/nss_ldap[] and package:security/pam_ldap[] for " "use by the services on client machines that authenticate against the LDAP server." msgstr "" "Este documento está destinado a proporcionar al lector una comprensión " "suficiente de LDAP para configurar un servidor LDAP. Este documento " "intentará proporcionar una explicación de package:net/nss_ldap[] y package:" "security/pam_ldap[] para que los servicios de las máquinas cliente puedan " "autenticarse en el servidor LDAP." #. type: Plain text #: documentation/content/en/articles/ldap-auth/_index.adoc:60 msgid "" "When finished, the reader should be able to configure and deploy a FreeBSD " "server that can host an LDAP directory, and to configure and deploy a " "FreeBSD server which can authenticate against an LDAP directory." msgstr "" "Cuando termine, el lector debería poder configurar e implementar un servidor " "FreeBSD que pueda alojar un directorio LDAP, y configurar e implementar un " "servidor FreeBSD que pueda autenticarse en un directorio LDAP." #. type: Plain text #: documentation/content/en/articles/ldap-auth/_index.adoc:64 msgid "" "This article is not intended to be an exhaustive account of the security, " "robustness, or best practice considerations for configuring LDAP or the " "other services discussed herein. While the author takes care to do " "everything correctly, they do not address security issues beyond a general " "scope. 
This article should be considered to lay the theoretical groundwork " "only, and any actual implementation should be accompanied by careful " "requirement analysis." msgstr "" "Este artículo no pretende ser una explicación exhaustiva de las " "consideraciones de seguridad, robustez o mejores prácticas para configurar " "LDAP u otros de los servicios que se explican aquí. Aunque el autor tiene " "cuidado de hacer todo correctamente, no aborda los problemas de seguridad " "más allá del alcance general. Este artículo debe tenerse en cuenta para " "sentar las bases teóricas únicamente, y cualquier implementación real debe " "ir acompañado de un análisis cuidadoso de los requisitos." #. type: Title == #: documentation/content/en/articles/ldap-auth/_index.adoc:66 #, no-wrap msgid "Configuring LDAP" msgstr "Configurando LDAP" #. type: Plain text #: documentation/content/en/articles/ldap-auth/_index.adoc:71 msgid "" "LDAP stands for \"Lightweight Directory Access Protocol\" and is a subset of " "the X.500 Directory Access Protocol. Its most recent specifications are in " "http://www.ietf.org/rfc/rfc4510.txt[RFC4510] and friends. Essentially it is " "a database that expects to be read from more often than it is written to." msgstr "" "LDAP significa \"Lightweight Directory Access Protocol\" (Protocolo Ligero " "de Acceso a Directorio) y es un subconjunto del Protocolo de Acceso a " "Directorio X.500. Su especificación más reciente se encuentra en http://www." "ietf.org/rfc/rfc4510.txt[RFC4510]. En esencia es una base de datos que " "espera recibir muchas más consultas que escrituras." #. type: Plain text #: documentation/content/en/articles/ldap-auth/_index.adoc:75 msgid "" "The LDAP server http://www.openldap.org/[OpenLDAP] will be used in the " "examples in this document; while the principles here should be generally " "applicable to many different servers, most of the concrete administration is " "OpenLDAP-specific. 
There are several server versions in ports, for example " "package:net/openldap24-server[]. Client servers will need the corresponding " "package:net/openldap24-client[] libraries." msgstr "" "En los ejemplos de este documento se utilizará el servidor LDAP http://www." "openldap.org/[OpenLDAP]; aunque los procedimientos deberían ser aplicables a " "los diferentes servidores, la mayor parte de la administración es específica " "de OpenLDAP. Hay varias versiones del servidor en la colección de ports, por " "ejemplo, package:net/openldap24-server[]. Los clientes necesitarán las " "librerías necesarias del paquete package:net/openldap24-client[]." #. type: Plain text #: documentation/content/en/articles/ldap-auth/_index.adoc:78 msgid "" "There are (basically) two areas of the LDAP service which need " "configuration. The first is setting up a server to receive connections " "properly, and the second is adding entries to the server's directory so that " "FreeBSD tools know how to interact with it." msgstr "" "Hay (básicamente) dos áreas del servicio LDAP que necesitan configuración. " "Lo primero es configurar un servidor para recibir conexiones correctamente, " "y lo segundo es añadir entradas al directorio del servidor para que las " "herramientas de FreeBSD sepan como interactuar con él." #. type: Title === #: documentation/content/en/articles/ldap-auth/_index.adoc:80 #, no-wrap msgid "Setting Up the Server for Connections" msgstr "Configurar el Servidor para recibir Conexiones" #. type: delimited block = 4 #: documentation/content/en/articles/ldap-auth/_index.adoc:86 msgid "" "This section is specific to OpenLDAP. If you are using another server, you " "will need to consult that server's documentation." msgstr "" "Esta sección es específica de OpenLDAP. Si usas otro servidor, necesitarás " "consultar su propia documentación." #. 
type: Block title #: documentation/content/en/articles/ldap-auth/_index.adoc:89 #: documentation/content/en/articles/ldap-auth/_index.adoc:94 #, no-wrap msgid "Installing OpenLDAP" msgstr "Instalando OpenLDAP" #. type: Plain text #: documentation/content/en/articles/ldap-auth/_index.adoc:92 msgid "First, install OpenLDAP:" msgstr "Primero, instala OpenLDAP:" #. type: delimited block . 4 #: documentation/content/en/articles/ldap-auth/_index.adoc:102 #, no-wrap msgid "" "# cd /usr/ports/net/openldap24-server\n" "# make install clean\n" msgstr "" "# cd /usr/ports/net/openldap24-server\n" "# make install clean\n" #. type: delimited block = 4 #: documentation/content/en/articles/ldap-auth/_index.adoc:107 msgid "" "This installs the `slapd` daemon along with the required OpenLDAP libraries. " "(`slurpd`, the old replication daemon, is not part of OpenLDAP 2.4; " "replication between servers is done with syncrepl.)" msgstr "" "Esto instala el demonio `slapd`, junto con las librerías OpenLDAP necesarias. " "(`slurpd`, el antiguo demonio de replicación, no forma parte de OpenLDAP 2.4; " "la replicación entre servidores se hace con syncrepl.)" #. type: Title ==== #: documentation/content/en/articles/ldap-auth/_index.adoc:109 #, no-wrap msgid "Configuring OpenLDAP" msgstr "Configurando OpenLDAP" #. type: delimited block = 4 #: documentation/content/en/articles/ldap-auth/_index.adoc:112 msgid "Next we must configure OpenLDAP." msgstr "Después necesitamos configurar OpenLDAP." #. type: delimited block = 4 #: documentation/content/en/articles/ldap-auth/_index.adoc:115 msgid "" "You will want to require encryption in your connections to the LDAP server; " "otherwise your users' passwords will be transferred in plain text, which is " "considered insecure. The tools we will be using support two very similar " "kinds of encryption, SSL and TLS." msgstr "" "Es necesario que hagas obligatorio el uso de cifrado en tus conexiones al " "servidor LDAP; de lo contrario, las contraseñas de sus usuarios se " "transferirán en texto plano, lo que se considera inseguro. Las herramientas " "que utilizaremos admiten dos tipos muy similares de encriptación, SSL y TLS." #. 
type: delimited block = 4 #: documentation/content/en/articles/ldap-auth/_index.adoc:118 msgid "" "TLS stands for \"Transport Layer Security\". Services that employ TLS " "tend to connect on the _same_ ports as the same services without TLS; thus " "an SMTP server which supports TLS will listen for connections on port 25, " "and an LDAP server will listen on 389." msgstr "" "TLS significa \"Seguridad en Capa de Transporte\" (Transport Layer " "Security). Los servicios que utilizan TLS suelen conectarse _a los mismos_ " "puertos que los servicios que no utilizan TLS; por lo tanto un servidor SMTP " "que soporta TLS escuchará conexiones en el puerto 25 y un servidor LDAP " "escuchará conexiones en 389." #. type: delimited block = 4 #: documentation/content/en/articles/ldap-auth/_index.adoc:121 msgid "" "SSL stands for \"Secure Sockets Layer\", and services that implement SSL do " "_not_ listen on the same ports as their non-SSL counterparts. Thus SMTPS " "listens on port 465 (not 25), HTTPS listens on 443, and LDAPS on 636." msgstr "" "SSL significa \"Capa de Sockets Seguros\" (Secure Sockets Layer) y los " "servicios que implementan SSL _no_ escuchan en los mismos puertos que sus " "equivalentes sin SSL. Por lo tanto SMTPS escucha en el puerto 465 (no en el " "25), HTTPS escucha en el 443 y LDAPS en el 636." #. type: delimited block = 4 #: documentation/content/en/articles/ldap-auth/_index.adoc:125 msgid "" "In this article \"TLS\" means StartTLS on port 389 and \"SSL\" means LDAPS " "on port 636; both run the same TLS protocol underneath, and differ only in " "how the session is started. The reason SSL uses a different port than TLS " "is because a TLS connection begins as plain text, and switches to encrypted " "traffic after the `STARTTLS` directive. SSL connections are encrypted from " "the beginning. Other than that there are no substantial differences between " "the two." msgstr "" "En este artículo \"TLS\" significa StartTLS en el puerto 389 y \"SSL\" " "significa LDAPS en el puerto 636; por debajo ambos usan el mismo protocolo " "TLS y sólo difieren en cómo se inicia la sesión. La razón por la que SSL " "utiliza un puerto diferente a TLS es porque una conexión TLS empieza como " "texto plano y cambia al tráfico cifrado después de la directiva `STARTTLS`. " "Las conexiones SSL se cifran desde el principio. 
" "Aparte de eso, no hay diferencias sustanciales entre ambos." #. type: Plain text #: documentation/content/en/articles/ldap-auth/_index.adoc:129 msgid "We will adjust OpenLDAP to use TLS, as SSL is considered deprecated." msgstr "" "Ajustaremos OpenLDAP para que utilice TLS ya que SSL se considera obsoleto." #. type: delimited block = 4 #: documentation/content/en/articles/ldap-auth/_index.adoc:132 msgid "" "Once OpenLDAP is installed via ports, the following configuration parameters " "in [.filename]#/usr/local/etc/openldap/slapd.conf# will enable TLS:" msgstr "" "Una vez que hemos instalado OpenLDAP, los siguientes parámetros en [." "filename]#/usr/local/etc/openldap/slapd.conf# habilitarán el uso de TLS:" #. type: delimited block . 4 #: documentation/content/en/articles/ldap-auth/_index.adoc:136 #, no-wrap msgid "security ssf=128\n" msgstr "security ssf=128\n" #. type: delimited block . 4 #: documentation/content/en/articles/ldap-auth/_index.adoc:140 #, no-wrap msgid "" "TLSCertificateFile /path/to/your/cert.crt\n" "TLSCertificateKeyFile /path/to/your/cert.key\n" "TLSCACertificateFile /path/to/your/cacert.crt\n" msgstr "" "TLSCertificateFile /path/to/your/cert.crt\n" "TLSCertificateKeyFile /path/to/your/cert.key\n" "TLSCACertificateFile /path/to/your/cacert.crt\n" #. type: Plain text #: documentation/content/en/articles/ldap-auth/_index.adoc:144 msgid "" "Here, `security ssf=128` tells OpenLDAP to refuse any operation, search or " "update alike, on a session whose security strength factor is below 128, so a " "client has to complete StartTLS (or a SASL mechanism that encrypts) before it " "can bind or search; the `TLS*` directives enable TLS, `ssf` is what makes it " "mandatory. This parameter may be configured based on the security needs of " "your site, but you will rarely need to weaken it, as most LDAP client " "libraries support strong encryption." msgstr "" "En este caso, `security ssf=128` indica a OpenLDAP que rechace cualquier " "operación, tanto búsquedas como actualizaciones, en una sesión cuyo factor de " "seguridad sea inferior a 128, de modo que el cliente tiene que completar " "StartTLS (o un mecanismo SASL que cifre) antes de poder vincularse o buscar; " "las directivas `TLS*` habilitan TLS y `ssf` es lo que lo hace obligatorio. 
Este parámetro se podría configurar según las necesidades " "de seguridad de tu sitio, pero es raro que necesites rebajarlo ya que la " "mayoría de las librerías cliente de LDAP soportan encriptación fuerte." #. type: Plain text #: documentation/content/en/articles/ldap-auth/_index.adoc:147 msgid "" "The [.filename]#cert.crt#, [.filename]#cert.key#, and [.filename]#cacert." "crt# files are necessary for clients to authenticate _you_ as the valid LDAP " "server. Keep [.filename]#cert.key# readable only by root and the user `slapd` " "runs as. If you simply want a server that runs, you can create a self-signed " "certificate with OpenSSL:" msgstr "" "Los ficheros [.filename]#cert.crt#, [.filename]#cert.key#, y [." "filename]#cacert.crt# son necesarios para que los clientes te autentiquen _a " "ti_ como el servidor LDAP válido. Mantén [.filename]#cert.key# legible sólo " "por root y por el usuario con el que se ejecuta `slapd`. Si sólo quieres " "ejecutar un servidor, puedes crear un certificado auto firmado con OpenSSL:" #. type: Block title #: documentation/content/en/articles/ldap-auth/_index.adoc:149 #, no-wrap msgid "Generating an RSA Key" msgstr "Generar una Clave RSA" #. type: delimited block . 4 #: documentation/content/en/articles/ldap-auth/_index.adoc:160 #, no-wrap msgid "" "% openssl genrsa -out cert.key 2048\n" "Generating RSA private key, 2048 bit long modulus\n" "....................++++++\n" "...++++++\n" "e is 65537 (0x10001)\n" msgstr "" "% openssl genrsa -out cert.key 2048\n" "Generating RSA private key, 2048 bit long modulus\n" "....................++++++\n" "...++++++\n" "e is 65537 (0x10001)\n" #. type: delimited block . 4 #: documentation/content/en/articles/ldap-auth/_index.adoc:162 #, no-wrap msgid "% openssl req -new -key cert.key -out cert.csr\n" msgstr "% openssl req -new -key cert.key -out cert.csr\n" #. type: delimited block = 4 #: documentation/content/en/articles/ldap-auth/_index.adoc:171 msgid "" "At this point you should be prompted for some values. You may enter " "whatever values you like; however, it is important that the \"Common Name\" " "value be the fully qualified domain name of the OpenLDAP server. 
In our case, and " "the examples here, the server is _server.example.org_. Incorrectly setting " "this value will cause clients to fail when making connections. This can be " "the cause of great frustration, so ensure that you follow these steps closely." msgstr "" "En este punto se te deberían preguntar algunos valores. Podrías introducir " "los valores que quisieras; sin embargo, es importante que el valor de " "\"Common Name\" sea el nombre de dominio del servidor LDAP completamente " "cualificado. En nuestro caso, y en los ejemplos, el servidor es " "_server.example.org_. Establecer este valor incorrectamente hará que los " "clientes no puedan conectar. Esto puede causar una gran frustración así que " "asegúrate de que sigues estos pasos con cuidado." #. type: delimited block = 4 #: documentation/content/en/articles/ldap-auth/_index.adoc:173 msgid "Finally, the certificate signing request needs to be signed:" msgstr "Finalmente, hay que firmar la solicitud de firma del certificado:" #. type: Block title #: documentation/content/en/articles/ldap-auth/_index.adoc:175 #, no-wrap msgid "Self-signing the Certificate" msgstr "Autofirmar el certificado" #. type: delimited block . 4 #: documentation/content/en/articles/ldap-auth/_index.adoc:185 #, no-wrap msgid "" "% openssl x509 -req -in cert.csr -days 365 -signkey cert.key -out cert.crt\n" "Signature ok\n" "subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=server.example.org\n" "Getting Private key\n" msgstr "" "% openssl x509 -req -in cert.csr -days 365 -signkey cert.key -out cert.crt\n" "Signature ok\n" "subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=server.example.org\n" "Getting Private key\n" #. type: delimited block = 4 #: documentation/content/en/articles/ldap-auth/_index.adoc:191 msgid "" "This will create a self-signed certificate that can be used for the " "directives in [.filename]#slapd.conf#, where [.filename]#cert.crt# and [." "filename]#cacert.crt# are the same file. 
If you are going to use many " "OpenLDAP servers (for replication) you will want to see <> to generate a CA key and use it to sign individual server certificates." msgstr "" "Esto creará un certificado auto firmado que puede ser usado para las " "directivas en [.filename]#slapd.conf#, donde [.filename]#cert.crt# y [." "filename]#cacert.crt# son el mismo fichero. Si vas a utilizar muchos " "servidores OpenLDAP (para replicación) querrás echar un vistazo " "a <> para generar una clave CA y usarla para firmar los certificados " "de servidor individuales." #. type: delimited block = 4 #: documentation/content/en/articles/ldap-auth/_index.adoc:193 msgid "Once this is done, put the following in [.filename]#/etc/rc.conf#:" msgstr "Una vez hecho esto, escribe lo siguiente en [.filename]#/etc/rc.conf#:" #. type: delimited block . 4 #: documentation/content/en/articles/ldap-auth/_index.adoc:197 #, no-wrap msgid "slapd_enable=\"YES\"\n" msgstr "slapd_enable=\"YES\"\n" #. type: Plain text #: documentation/content/en/articles/ldap-auth/_index.adoc:202 msgid "" "Then run `/usr/local/etc/rc.d/slapd start`. This should start OpenLDAP. " "Confirm that it is listening on 389 with" msgstr "" "Después ejecuta `/usr/local/etc/rc.d/slapd start`. Esto debería arrancar " "OpenLDAP. Confirma que está escuchando en el puerto 389 con" #. type: delimited block . 4 #: documentation/content/en/articles/ldap-auth/_index.adoc:207 #, no-wrap msgid "" "% sockstat -4 -p 389\n" "ldap slapd 3261 7 tcp4 *:389 *:*\n" msgstr "" "% sockstat -4 -p 389\n" "ldap slapd 3261 7 tcp4 *:389 *:*\n" #. type: Title ==== #: documentation/content/en/articles/ldap-auth/_index.adoc:210 #, no-wrap msgid "Configuring the Client" msgstr "Configurar el Cliente" #. type: Plain text #: documentation/content/en/articles/ldap-auth/_index.adoc:214 msgid "" "Install the package:net/openldap24-client[] port for the OpenLDAP " "libraries. 
The client machines will always have OpenLDAP libraries since " "that is all package:security/pam_ldap[] and package:net/nss_ldap[] support, " "at least for the moment." msgstr "" "Instala el port package:net/openldap24-client[] para obtener las librerías " "de OpenLDAP. Las máquinas cliente siempre tendrán las librerías de OpenLDAP " "pues que eso es lo único que soportan package:security/pam_ldap[] y package:" "net/nss_ldap[], al menos por el momento." #. type: Plain text #: documentation/content/en/articles/ldap-auth/_index.adoc:217 msgid "" "The configuration file for the OpenLDAP libraries is [.filename]#/usr/local/" "etc/openldap/ldap.conf#. Edit this file to contain the following values:" msgstr "" "El fichero de configuración para las librerías de OpenLDAP es [.filename]#/" "usr/local/etc/openldap/ldap.conf#. Edita este fichero para que contenga los " "siguientes valores:" #. type: delimited block . 4 #: documentation/content/en/articles/ldap-auth/_index.adoc:224 #, no-wrap msgid "" "base dc=example,dc=org\n" "uri ldap://server.example.org/\n" "ssl start_tls\n" "tls_cacert /path/to/your/cacert.crt\n" msgstr "" "base dc=example,dc=org\n" "uri ldap://server.example.org/\n" "ssl start_tls\n" "tls_cacert /path/to/your/cacert.crt\n" #. type: delimited block = 4 #: documentation/content/en/articles/ldap-auth/_index.adoc:229 msgid "" "It is important that your clients have access to [.filename]#cacert.crt#, " "otherwise they will not be able to connect." msgstr "" "Es importante que tus clientes tengan acceso a [.filename]#cacert.crt#, de " "lo contrario no podrán conectarse." #. type: delimited block = 4 #: documentation/content/en/articles/ldap-auth/_index.adoc:236 msgid "" "There are two files called [.filename]#ldap.conf#. The first is this file, " "which is for the OpenLDAP libraries and defines how to talk to the server. " "The second is [.filename]#/usr/local/etc/ldap.conf#, and is for pam_ldap." 
msgstr "" "Hay dos ficheros que se llaman [.filename]#ldap.conf#. El primero es este " "fichero, que es para las librerías OpenLDAP y define cómo hablar con el " "servidor. El segundo es [.filename]#/usr/local/etc/ldap.conf# y es para " "pam_ldap." #. type: Plain text #: documentation/content/en/articles/ldap-auth/_index.adoc:241 msgid "" "At this point you should be able to run `ldapsearch -ZZ` on the client " "machine; `-Z` asks the server for StartTLS, and the second `Z` makes the " "command fail instead of falling back to clear text when StartTLS cannot be " "negotiated. If you encounter an error, then something is configured wrong; " "most likely it is your certificates. Use man:openssl[1]'s `s_client` (with " "`-starttls ldap`) and `s_server` to ensure you have them configured and " "signed properly." msgstr "" "En este punto deberías ser capaz de ejecutar `ldapsearch -ZZ` en la máquina " "cliente; `-Z` solicita StartTLS al servidor y la segunda `Z` hace que el " "comando falle en lugar de continuar en texto plano cuando no se puede " "negociar StartTLS. Si encuentras un error, entonces algo está mal " "configurado; seguramente sean tus certificados. Utiliza los comandos " "`s_client` (con `-starttls ldap`) y `s_server` de man:openssl[1] para " "asegurarte de que están correctamente configurados y firmados." #. type: Title === #: documentation/content/en/articles/ldap-auth/_index.adoc:243 #, no-wrap msgid "Entries in the Database" msgstr "Entradas en la base de datos" #. type: Plain text #: documentation/content/en/articles/ldap-auth/_index.adoc:248 msgid "" "Authentication against an LDAP directory is generally accomplished by " "attempting to bind to the directory as the connecting user. This is done by " "establishing a \"simple\" bind on the directory with the user name " "supplied. If there is an entry with the `uid` equal to the user name and " "that entry's `userPassword` attribute matches the password supplied, then " "the bind is successful." msgstr "" "La autenticación en un directorio LDAP se logra generalmente al intentar " "vincularse al directorio como el usuario que se conecta. Esto se realiza " "mediante el establecimiento de un enlace \"simple\" en el directorio con el " "nombre de usuario proporcionado. 
Si hay una entrada con el `uid` igual al " "nombre de usuario y el atributo `userPassword` de la entrada coincide con la " "contraseña proporcionada, el enlace tiene éxito." #. type: Plain text #: documentation/content/en/articles/ldap-auth/_index.adoc:250 msgid "" "The first thing we have to do is figure out where in the directory our " "users will live." msgstr "" "Lo primero que tenemos que hacer es averiguar en qué parte del directorio " "estarán nuestros usuarios." #. type: Plain text #: documentation/content/en/articles/ldap-auth/_index.adoc:254 msgid "" "The base entry for our database is `dc=example,dc=org`. The default " "location for users that most clients seem to expect is something like " "`ou=people,_base_`, so that is what will be used here. However keep in mind " "that this is configurable." msgstr "" "La entrada base de nuestra base de datos es `dc=example,dc=org`. La mayoría " "de los clientes esperan una localización para los usuarios que sea algo como " "`ou=people,_base_` así que es lo que se usará aquí. Sin embargo, ten en " "cuenta que esto es configurable." #. type: Plain text #: documentation/content/en/articles/ldap-auth/_index.adoc:256 msgid "So the ldif entry for the `people` organizational unit will look like:" msgstr "" "Así que la entrada ldif para la unidad organizacional `people` se parecerá a:" #. type: delimited block . 4 #: documentation/content/en/articles/ldap-auth/_index.adoc:263 #, no-wrap msgid "" "dn: ou=people,dc=example,dc=org\n" "objectClass: top\n" "objectClass: organizationalUnit\n" "ou: people\n" msgstr "" "dn: ou=people,dc=example,dc=org\n" "objectClass: top\n" "objectClass: organizationalUnit\n" "ou: people\n" #. type: Plain text #: documentation/content/en/articles/ldap-auth/_index.adoc:266 msgid "All users will be created as subentries of this organizational unit." msgstr "" "Todos los usuarios se crearán como subentradas de esta unidad organizativa." #. 
type: Plain text #: documentation/content/en/articles/ldap-auth/_index.adoc:271 msgid "" "Some thought might be given to the object class your users will belong to. " "Most tools by default will use `person`, which is fine if you simply want to " "provide entries against which to authenticate. However, if you are going to " "store user information in the LDAP database as well, you will probably want " "to use `inetOrgPerson`, which has many useful attributes. In either case, " "the relevant schemas need to be loaded in [.filename]#slapd.conf#: " "[.filename]#core.schema# for `person`, [.filename]#cosine.schema# and " "[.filename]#inetorgperson.schema# for `inetOrgPerson`, and " "[.filename]#nis.schema# for `posixAccount`, `shadowAccount` and `posixGroup`." msgstr "" "Se podría pensar en la clase de objeto a la que pertenecerán sus usuarios. " "Por defecto, la mayoría de las herramientas utilizarán `person`, lo cual " "está bien si simplemente quieres proporcionar entradas para la " "autenticación. Sin embargo, si también vas a almacenar información de " "usuario en la base de datos LDAP, probablemente quieras usar `inetOrgPerson`" ", el cual dispone de muchos atributos útiles. En cualquier caso, los " "esquemas relevantes deben cargarse en el archivo [.filename]#slapd.conf#: " "[.filename]#core.schema# para `person`, [.filename]#cosine.schema# e " "[.filename]#inetorgperson.schema# para `inetOrgPerson`, y " "[.filename]#nis.schema# para `posixAccount`, `shadowAccount` y `posixGroup`." #. type: Plain text #: documentation/content/en/articles/ldap-auth/_index.adoc:274 msgid "" "For this example we will use the `person` object class. If you are using " "`inetOrgPerson`, the steps are basically identical. Note that `person` (and " "`inetOrgPerson`, which derives from it) requires both the `cn` and the `sn` " "attributes, so every user entry needs an `sn` even when it is only used for " "authentication; slapd rejects an entry without it as an object class violation." msgstr "" "Para este ejemplo utilizaremos la clase de objeto `person`. Si usas " "`inetOrgPerson`, los pasos son básicamente iguales. Ten en cuenta que " "`person` (e `inetOrgPerson`, que deriva de ella) requiere los atributos `cn` " "y `sn`, así que toda entrada de usuario necesita un `sn` aunque sólo se use " "para autenticación; slapd rechaza una entrada sin él por violación de la " "clase de objeto." #. type: Plain text #: documentation/content/en/articles/ldap-auth/_index.adoc:276 msgid "To add a test-user named `tuser`, the ldif would be:" msgstr "Para añadir un usuario de pruebas llamado `tuser`, el ldif sería:" #. type: delimited block . 
4 #: documentation/content/en/articles/ldap-auth/_index.adoc:290 #, no-wrap msgid "" "dn: uid=tuser,ou=people,dc=example,dc=org\n" "objectClass: person\n" "objectClass: posixAccount\n" "objectClass: shadowAccount\n" "objectClass: top\n" "uidNumber: 10000\n" "gidNumber: 10000\n" "homeDirectory: /home/tuser\n" "loginShell: /bin/csh\n" "uid: tuser\n" "cn: tuser\n" "sn: tuser\n" msgstr "" "dn: uid=tuser,ou=people,dc=example,dc=org\n" "objectClass: person\n" "objectClass: posixAccount\n" "objectClass: shadowAccount\n" "objectClass: top\n" "uidNumber: 10000\n" "gidNumber: 10000\n" "homeDirectory: /home/tuser\n" "loginShell: /bin/csh\n" "uid: tuser\n" "cn: tuser\n" "sn: tuser\n" #. type: Plain text #: documentation/content/en/articles/ldap-auth/_index.adoc:293 msgid "" "I start my LDAP users' UIDs at 10000 to avoid collisions with system " "accounts; you can configure whatever number you wish here, as long as it is " "less than 65536." msgstr "" "Yo empiezo los UIDs de mis usuarios de LDAP en el 10000 para evitar " "conflictos con las cuentas del sistema; puedes establecer el número que " "desees aquí, siempre que sea inferior a 65536." #. type: Plain text #: documentation/content/en/articles/ldap-auth/_index.adoc:296 msgid "" "We also need group entries. They are as configurable as user entries, but " "we will use the defaults below:" msgstr "" "También necesitamos entradas grupales. Son tan configurables como las " "entradas de usuario, pero usaremos los valores predeterminados que se " "muestran a continuación:" #. type: delimited block . 4 #: documentation/content/en/articles/ldap-auth/_index.adoc:303 #, no-wrap msgid "" "dn: ou=groups,dc=example,dc=org\n" "objectClass: top\n" "objectClass: organizationalUnit\n" "ou: groups\n" msgstr "" "dn: ou=groups,dc=example,dc=org\n" "objectClass: top\n" "objectClass: organizationalUnit\n" "ou: groups\n" #. type: delimited block . 
4 #: documentation/content/en/articles/ldap-auth/_index.adoc:309 #, no-wrap msgid "" "dn: cn=tuser,ou=groups,dc=example,dc=org\n" "objectClass: posixGroup\n" "objectClass: top\n" "gidNumber: 10000\n" "cn: tuser\n" msgstr "" "dn: cn=tuser,ou=groups,dc=example,dc=org\n" "objectClass: posixGroup\n" "objectClass: top\n" "gidNumber: 10000\n" "cn: tuser\n" #. type: Plain text #: documentation/content/en/articles/ldap-auth/_index.adoc:313 msgid "" "To enter these into your database, you can use `slapadd` or `ldapadd` on a " "file containing these entries. Alternatively, you can use package:sysutils/" "ldapvi[]." msgstr "" "Para introducir estos en tu base de datos, puedes utilizar `slapadd` o " "`ldapadd` en un fichero que contenga esas entradas. De forma alternativa, " "puedes utilizar package:sysutils/ldapvi[]." #. type: Plain text #: documentation/content/en/articles/ldap-auth/_index.adoc:316 msgid "" "The `ldapsearch` utility on the client machine should now return these " "entries. If it does, your database is properly configured to be used as an " "LDAP authentication server." msgstr "" "La utilidad `ldapsearch` en la máquina del cliente debería devolver estas " "entradas. Si es así, la base de datos está configurada correctamente para " "ser utilizada como un servidor de autenticación LDAP." #. type: Title == #: documentation/content/en/articles/ldap-auth/_index.adoc:318 #, no-wrap msgid "Client Configuration" msgstr "Configuración del Cliente" #. type: Plain text #: documentation/content/en/articles/ldap-auth/_index.adoc:321 msgid "" "The client should already have OpenLDAP libraries from <>, but if you are installing several client machines you will need to " "install package:net/openldap24-client[] on each of them." msgstr "" "El cliente ya debería tener las librerías de OpenLDAP de <>, pero si estás instalando varias máquinas cliente, necesitarás " "instalar package:net/openldap24-client[] en cada una de ellas." #. 
type: Plain text #: documentation/content/en/articles/ldap-auth/_index.adoc:323 msgid "" "FreeBSD requires two ports to be installed to authenticate against an LDAP " "server, package:security/pam_ldap[] and package:net/nss_ldap[]." msgstr "" "FreeBSD requiere de la instalación de dos ports para autenticarse en un " "servidor LDAP, package:security/pam_ldap[] y package:net/nss_ldap[]." #. type: Title === #: documentation/content/en/articles/ldap-auth/_index.adoc:325 #, no-wrap msgid "Authentication" msgstr "Autenticación" #. type: Plain text #: documentation/content/en/articles/ldap-auth/_index.adoc:328 msgid "" "package:security/pam_ldap[] is configured via [.filename]#/usr/local/etc/" "ldap.conf#." msgstr "" "package:security/pam_ldap[] se configura en el fichero [.filename]#/usr/" "local/etc/ldap.conf#." #. type: delimited block = 4 #: documentation/content/en/articles/ldap-auth/_index.adoc:333 msgid "" "This is a _different file_ than the OpenLDAP library functions' " "configuration file, [.filename]#/usr/local/etc/openldap/ldap.conf#; however, " "it takes many of the same options; in fact it is a superset of that file. " "For the rest of this section, references to [.filename]#ldap.conf# will mean " "[.filename]#/usr/local/etc/ldap.conf#." msgstr "" "Este fichero es _diferente_ del fichero de configuración de las librerías de " "OpenLDAP, [.filename]#/usr/local/etc/openldap/ldap.conf#; sin embargo, tiene " "muchas de las mismas opciones; de hecho es un superconjunto de ese fichero. " "En lo que queda de sección, referencias a [.filename]#ldap.conf# se refieren " "a [.filename]#/usr/local/etc/ldap.conf#." #. type: Plain text #: documentation/content/en/articles/ldap-auth/_index.adoc:337 msgid "" "Thus, we will want to copy all of our original configuration parameters from " "[.filename]#openldap/ldap.conf# to the new [.filename]#ldap.conf#. Once " "this is done, we want to tell package:security/pam_ldap[] what to look for " "on the directory server." 
msgstr "" "Por lo tanto, queremos copiar todos nuestros parámetros de configuración " "originales de [.filename]#openldap/ldap.conf# al nuevo [.filename]#ldap.conf#" ". Una vez hecho esto, le indicaremos a package:security/pam_ldap[] qué " "buscar en el servidor de directorio." #. type: Plain text #: documentation/content/en/articles/ldap-auth/_index.adoc:340 msgid "" "We are identifying our users with the `uid` attribute. To configure this " "(though it is the default), set the `pam_login_attribute` directive in [." "filename]#ldap.conf#:" msgstr "" "Estamos identificando nuestros usuarios mediante el atributo `uid`. Para " "configurarlo (aunque es el valor por defecto), establece la directiva " "`pam_login_attribute` en [.filename]#ldap.conf#:" #. type: Block title #: documentation/content/en/articles/ldap-auth/_index.adoc:342 #, no-wrap msgid "Setting `pam_login_attribute`" msgstr "Estableciendo `pam_login_attribute`" #. type: delimited block . 4 #: documentation/content/en/articles/ldap-auth/_index.adoc:349 #, no-wrap msgid "pam_login_attribute uid\n" msgstr "pam_login_attribute uid\n" #. type: delimited block = 4 #: documentation/content/en/articles/ldap-auth/_index.adoc:357 msgid "" "With this set, package:security/pam_ldap[] will search the entire LDAP " "directory under `base` for the value `uid=_username_`. If it finds one and " "only one entry, it will attempt to bind as that user with the password it " "was given. If it binds correctly, then it will allow access. Otherwise it " "will fail." msgstr "" "Con esto ya establecido, package:security/pam_ldap[] buscará el valor " "`uid=_username_` en todo el directorio LDAP bajo `base`. Si encuentra una " "única entrada, intentará vincularse como ese usuario con la contraseña que se le " "ha pasado. Si se vincula correctamente, entonces permitirá el acceso. En " "cualquier otro caso fallará." #.
type: delimited block = 4 #: documentation/content/en/articles/ldap-auth/_index.adoc:363 msgid "" "Users whose shell is not in [.filename]#/etc/shells# will not be able to log " "in. This is particularly important when Bash is set as the user shell on " "the LDAP server. Bash is not included with a default installation of " "FreeBSD. When installed from a package or port, it is located at [." "filename]#/usr/local/bin/bash#. Verify that the path to the shell on the " "server is set correctly:" msgstr "" "Los usuarios cuyo shell no esté en [.filename]#/etc/shells# no podrán " "iniciar sesión. Esto es muy importante cuando se configura Bash como la " "shell de usuario en el servidor LDAP. Bash no está incluido en la " "instalación estándar de FreeBSD. Cuando se instala desde un paquete o port, " "se encuentra en el directorio [.filename]#/usr/local/bin/bash#. Comprueba " "que la ruta a la shell en el servidor esté configurada correctamente:" #. type: delimited block . 4 #: documentation/content/en/articles/ldap-auth/_index.adoc:367 #, no-wrap msgid "% getent passwd username\n" msgstr "% getent passwd username\n" #. type: Plain text #: documentation/content/en/articles/ldap-auth/_index.adoc:372 msgid "" "There are two choices when the output shows `/bin/bash` in the last column. " "The first is to change the user's entry on the LDAP server to [.filename]#/" "usr/local/bin/bash#. The second option is to create a symlink on the LDAP " "client computer so Bash is found at the correct location:" msgstr "" "Hay dos opciones cuando en la salida se muestra `/bin/bash` en la última " "columna. La primera es cambiar en el servidor LDAP la entrada del usuario " "para que apunte a [.filename]#/usr/local/bin/bash#. La segunda es crear un " "enlace simbólico en la máquina LDAP cliente de forma que se pueda encontrar " "Bash en el lugar correcto:" #. type: delimited block . 
4 #: documentation/content/en/articles/ldap-auth/_index.adoc:376 #, no-wrap msgid "# ln -s /usr/local/bin/bash /bin/bash\n" msgstr "# ln -s /usr/local/bin/bash /bin/bash\n" #. type: Plain text #: documentation/content/en/articles/ldap-auth/_index.adoc:380 msgid "" "Make sure that [.filename]#/etc/shells# contains entries for both `/usr/" "local/bin/bash` and `/bin/bash`. The user will then be able to log in to " "the system with Bash as their shell." msgstr "" "Asegúrate de que [.filename]#/etc/shells# contiene las entradas tanto para `/" "usr/local/bin/bash` como para `/bin/bash`. El usuario ya será capaz de " "logearse en el sistema utilizando Bash como shell." #. type: Title ==== #: documentation/content/en/articles/ldap-auth/_index.adoc:382 #, no-wrap msgid "PAM" msgstr "PAM" #. type: Plain text #: documentation/content/en/articles/ldap-auth/_index.adoc:386 msgid "" "PAM, which stands for \"Pluggable Authentication Modules\", is the method by " "which FreeBSD authenticates most of its sessions. To tell FreeBSD we wish " "to use an LDAP server, we will have to add a line to the appropriate PAM " "file." msgstr "" "PAM, que significa \"Pluggable Authentication Modules\", es el método por el " "cual FreeBSD autentica la mayoría de sus sesiones. Para decirle a FreeBSD " "que queremos usar un servidor LDAP, tendremos que añadir una línea al " "archivo PAM apropiado." #. type: Plain text #: documentation/content/en/articles/ldap-auth/_index.adoc:388 msgid "" "Most of the time the appropriate PAM file is [.filename]#/etc/pam.d/sshd#, " "if you want to use SSH (remember to set the relevant options in [.filename]#/" "etc/ssh/sshd_config#, otherwise SSH will not use PAM)." msgstr "" "La mayoría de las veces el fichero PAM apropiado es [.filename]#/etc/pam.d/" "sshd#, si quieres usar SSH (recuerda establecer las opciones " "correspondientes en [.filename]#/etc/ssh/sshd_config#, de lo contrario SSH " "no usará PAM)." #. 
type: Plain text #: documentation/content/en/articles/ldap-auth/_index.adoc:390 msgid "To use PAM for authentication, add the line" msgstr "Para usar PAM para la autenticación, añade la línea" #. type: delimited block . 4 #: documentation/content/en/articles/ldap-auth/_index.adoc:394 #, no-wrap msgid "auth sufficient /usr/local/lib/pam_ldap.so no_warn\n" msgstr "auth sufficient /usr/local/lib/pam_ldap.so no_warn\n" #. type: Plain text #: documentation/content/en/articles/ldap-auth/_index.adoc:397 msgid "" "Exactly where this line shows up in the file and which options appear in the " "fourth column determine the exact behavior of the authentication mechanism; " "see man:pam[d]" msgstr "" "El lugar exacto en el que aparece esta línea en el fichero y las opciones " "que aparecen en la cuarta columna determinan el comportamiento exacto del " "mecanismo de autenticación; lee man:pam[d]" #. type: Plain text #: documentation/content/en/articles/ldap-auth/_index.adoc:400 msgid "" "With this configuration you should be able to authenticate a user against an " "LDAP directory. PAM will perform a bind with your credentials, and if " "successful will tell SSH to allow access." msgstr "" "Con esta configuración deberías ser capaz de autenticar un usuario contra un " "directorio LDAP. PAM realizará un vínculo con tus credenciales, y si tiene " "éxito le dirá a SSH que permita el acceso." #. type: Plain text #: documentation/content/en/articles/ldap-auth/_index.adoc:404 msgid "" "However it is not a good idea to allow _every_ user in the directory into " "_every_ client machine. With the current configuration, all that a user " "needs to log into a machine is an LDAP entry. Fortunately there are a few " "ways to restrict user access." msgstr "" "Sin embargo, no es buena idea permitir que _cada_ usuario del directorio " "pueda acceder a _todos_ las máquinas clientes. 
Con la configuración actual, " "todo lo que necesita un usuario para iniciar sesión en una máquina es una " "entrada LDAP. Afortunadamente, hay algunas formas de restringir el acceso de " "los usuarios." #. type: Plain text #: documentation/content/en/articles/ldap-auth/_index.adoc:407 msgid "" "[.filename]#ldap.conf# supports a `pam_groupdn` directive; every account " "that connects to this machine needs to be a member of the group specified " "here. For example, if you have" msgstr "" "[.filename]#ldap.conf# admite la directiva `pam_groupdn`; cada cuenta que se " "conecta a esta máquina debe ser miembro del grupo especificado aquí. Por " "ejemplo, si tienes" #. type: delimited block . 4 #: documentation/content/en/articles/ldap-auth/_index.adoc:411 #, no-wrap msgid "pam_groupdn cn=servername,ou=accessgroups,dc=example,dc=org\n" msgstr "pam_groupdn cn=servername,ou=accessgroups,dc=example,dc=org\n" #. type: Plain text #: documentation/content/en/articles/ldap-auth/_index.adoc:415 msgid "" "in [.filename]#ldap.conf#, then only members of that group will be able to " "log in. There are a few things to bear in mind, however." msgstr "" "en [.filename]#ldap.conf#, solo los miembros de este grupo podrán iniciar " "sesión. Sin embargo hay algunas cosas a tener en cuenta." #. type: Plain text #: documentation/content/en/articles/ldap-auth/_index.adoc:418 msgid "" "Members of this group are specified in one or more `memberUid` attributes, " "and each attribute must have the full distinguished name of the member. So " "`memberUid: someuser` will not work; it must be:" msgstr "" "Los miembros de este grupo se especifican en uno o más atributos `memberUid` " "y cada atributo debe tener el nombre completamente unívoco del miembro. " "Entonces `memberUid: someuser` no funcionará; debe ser:" #. type: delimited block . 
4 #: documentation/content/en/articles/ldap-auth/_index.adoc:422 #, no-wrap msgid "memberUid: uid=someuser,ou=people,dc=example,dc=org\n" msgstr "memberUid: uid=someuser,ou=people,dc=example,dc=org\n" #. type: Plain text #: documentation/content/en/articles/ldap-auth/_index.adoc:428 msgid "" "Additionally, this directive is not checked in PAM during authentication, it " "is checked during account management, so you will need a second line in your " "PAM files under `account`. This will require, in turn, _every_ user to be " "listed in the group, which is not necessarily what we want. To avoid " "blocking users that are not in LDAP, you should enable the " "`ignore_unknown_user` attribute. Finally, you should set the " "`ignore_authinfo_unavail` option so that you are not locked out of every " "computer when the LDAP server is unavailable." msgstr "" "Además, esta directiva no se verifica en PAM durante la autenticación, se " "verifica durante la administración de la cuenta, por lo que necesitarás " "añadir más configuraciones en tus archivos de PAM en la sección de `account`" ". Esto, a su vez, requerirá que _cada_ usuario se incluya en el grupo, lo " "cual no es necesariamente lo que queremos. Para evitar bloquear usuarios que " "no están en LDAP, debes habilitar el atributo `ignore_unknown_user`. " "Finalmente, debes configurar la opción `ignore_authinfo_unavail` para que el " "usuario no quede bloqueado en todos los ordenadores cuando el servidor LDAP " "no esté disponible." #. type: Plain text #: documentation/content/en/articles/ldap-auth/_index.adoc:430 msgid "Your [.filename]#pam.d/sshd# might then end up looking like this:" msgstr "Tu [.filename]#pam.d/sshd# podría parecerse a esto:" #. type: Block title #: documentation/content/en/articles/ldap-auth/_index.adoc:432 #, no-wrap msgid "Sample [.filename]#pam.d/sshd#" msgstr "Ejemplo de [.filename]#pam.d/sshd#" #. type: delimited block . 
4 #: documentation/content/en/articles/ldap-auth/_index.adoc:443 #, no-wrap msgid "" "auth required pam_nologin.so no_warn\n" "auth sufficient pam_opie.so no_warn no_fake_prompts\n" "auth requisite pam_opieaccess.so no_warn allow_local\n" "auth sufficient /usr/local/lib/pam_ldap.so no_warn\n" "auth required pam_unix.so no_warn try_first_pass\n" msgstr "" "auth required pam_nologin.so no_warn\n" "auth sufficient pam_opie.so no_warn " "no_fake_prompts\n" "auth requisite pam_opieaccess.so no_warn allow_local\n" "auth sufficient /usr/local/lib/pam_ldap.so no_warn\n" "auth required pam_unix.so no_warn " "try_first_pass\n" #. type: delimited block . 4 #: documentation/content/en/articles/ldap-auth/_index.adoc:446 #, no-wrap msgid "" "account required pam_login_access.so\n" "account required /usr/local/lib/pam_ldap.so no_warn ignore_authinfo_unavail ignore_unknown_user\n" msgstr "" "account required pam_login_access.so\n" "account required /usr/local/lib/pam_ldap.so no_warn " "ignore_authinfo_unavail ignore_unknown_user\n" #. type: Plain text #: documentation/content/en/articles/ldap-auth/_index.adoc:455 msgid "" "Since we are adding these lines specifically to [.filename]#pam.d/sshd#, " "this will only have an effect on SSH sessions. LDAP users will be unable to " "log in at the console. To change this behavior, examine the other files in " "[.filename]#/etc/pam.d# and modify them accordingly." msgstr "" "Como estamos añadiendo estas líneas específicamente a [.filename]#pam.d/sshd#" ", esto solo tendrá efecto en las sesiones SSH. Los usuarios de LDAP no " "podrán iniciar sesión por consola. Para cambiar este comportamiento, examina " "los otros archivos en [.filename]#/etc/pam.d# y modifícalos como corresponda." #. type: Title === #: documentation/content/en/articles/ldap-auth/_index.adoc:458 #, no-wrap msgid "Name Service Switch" msgstr "Name Service Switch" #. 
type: delimited block = 4 #: documentation/content/en/articles/ldap-auth/_index.adoc:462 msgid "" "NSS is the service that maps attributes to names. So, for example, if a " "file is owned by user `1001`, an application will query NSS for the name of " "`1001`, and it might get `bob` or `ted` or whatever the user's name is." msgstr "" "NSS es el servicio que mapea atributos a nombres. Por ejemplo, si un fichero " "es propiedad del usuario `1001`, una aplicación preguntará a NSS por el " "nombre de `1001` y podría obtener `bob` o `ted` o cualquiera que sea el " "nombre del usuario." #. type: delimited block = 4 #: documentation/content/en/articles/ldap-auth/_index.adoc:464 msgid "" "Now that our user information is kept in LDAP, we need to tell NSS to look " "there when queried." msgstr "" "Ahora que nuestra información de usuario está en LDAP, necesitamos decirle a NSS que " "mire ahí cuando se le hagan preguntas." #. type: delimited block = 4 #: documentation/content/en/articles/ldap-auth/_index.adoc:469 msgid "" "The package:net/nss_ldap[] port does this. It uses the same configuration " "file as package:security/pam_ldap[], and should not need any extra " "parameters once it is installed. Instead, what is left is simply to edit [." "filename]#/etc/nsswitch.conf# to take advantage of the directory. Simply " "replace the following lines:" msgstr "" "Esto es lo que hace el port package:net/nss_ldap[]. Utiliza el mismo archivo " "de configuración que package:security/pam_ldap[], y no debería necesitar " "ningún parámetro adicional después de su instalación. En cambio, solo " "quedaría editar el archivo [.filename]#/etc/nsswitch.conf# para aprovechar " "el directorio. Simplemente cambia las siguientes líneas:" #. type: delimited block . 4 #: documentation/content/en/articles/ldap-auth/_index.adoc:474 #, no-wrap msgid "" "group: compat\n" "passwd: compat\n" msgstr "" "group: compat\n" "passwd: compat\n" #.
type: Plain text #: documentation/content/en/articles/ldap-auth/_index.adoc:477 msgid "with" msgstr "por" #. type: delimited block . 4 #: documentation/content/en/articles/ldap-auth/_index.adoc:482 #, no-wrap msgid "" "group: files ldap\n" "passwd: files ldap\n" msgstr "" "group: files ldap\n" "passwd: files ldap\n" #. type: Plain text #: documentation/content/en/articles/ldap-auth/_index.adoc:485 msgid "This will allow you to map usernames to UIDs and UIDs to usernames." msgstr "" "Esto te permitirá asignar nombres de usuario a UIDs y UIDs a nombres de " "usuario." #. type: Plain text #: documentation/content/en/articles/ldap-auth/_index.adoc:487 msgid "Congratulations! You should now have working LDAP authentication." msgstr "" "¡Felicidades! Ahora deberías tener la autenticación de LDAP en " "funcionamiento." #. type: Title === #: documentation/content/en/articles/ldap-auth/_index.adoc:489 #, no-wrap msgid "Caveats" msgstr "Advertencias" #. type: Plain text #: documentation/content/en/articles/ldap-auth/_index.adoc:495 msgid "" "Unfortunately, as of the time this was written FreeBSD did not support " "changing user passwords with man:passwd[1]. As a result of this, most " "administrators are left to implement a solution themselves. I provide some " "examples here. Note that if you write your own password change script, " "there are some security issues you should be made aware of; see <>" msgstr "" "Desafortunadamente, en el momento de escribir esto FreeBSD no soportaba " "cambiar las contraseñas de usuario con man:passwd[1]. Como resultado, la " "mayoría de los administradores tienen que implementar una solución por ellos " "mismos. Aquí proporciono algunos ejemplos. Observa que si escribes tu propio " "script de cambio de contraseñas deberías tener en cuenta algunas " "consideraciones de seguridad; lee <>" #. 
type: Block title #: documentation/content/en/articles/ldap-auth/_index.adoc:497 #, no-wrap msgid "Shell Script for Changing Passwords" msgstr "Shell Script para Cambiar Contraseñas" #. type: delimited block . 4 #: documentation/content/en/articles/ldap-auth/_index.adoc:504 #, no-wrap msgid "#!/bin/sh\n" msgstr "#!/bin/sh\n" #. type: delimited block . 4 #: documentation/content/en/articles/ldap-auth/_index.adoc:510 #, no-wrap msgid "" "stty -echo\n" "read -p \"Old Password: \" oldp; echo\n" "read -p \"New Password: \" np1; echo\n" "read -p \"Retype New Password: \" np2; echo\n" "stty echo\n" msgstr "" "stty -echo\n" "read -p \"Old Password: \" oldp; echo\n" "read -p \"New Password: \" np1; echo\n" "read -p \"Retype New Password: \" np2; echo\n" "stty echo\n" #. type: delimited block . 4 #: documentation/content/en/articles/ldap-auth/_index.adoc:515 #, no-wrap msgid "" "if [ \"$np1\" != \"$np2\" ]; then\n" " echo \"Passwords do not match.\"\n" " exit 1\n" "fi\n" msgstr "" "if [ \"$np1\" != \"$np2\" ]; then\n" " echo \"Passwords do not match.\"\n" " exit 1\n" "fi\n" #. type: delimited block . 4 #: documentation/content/en/articles/ldap-auth/_index.adoc:520 #, no-wrap msgid "" "ldappasswd -D uid=\"$USER\",ou=people,dc=example,dc=org \\\n" " -w \"$oldp\" \\\n" " -a \"$oldp\" \\\n" " -s \"$np1\"\n" msgstr "" "ldappasswd -D uid=\"$USER\",ou=people,dc=example,dc=org \\\n" " -w \"$oldp\" \\\n" " -a \"$oldp\" \\\n" " -s \"$np1\"\n" #. type: Plain text #: documentation/content/en/articles/ldap-auth/_index.adoc:529 msgid "" "This script does hardly any error checking, but more important it is very " "cavalier about how it stores your passwords. If you do anything like this, " "at least adjust the `security.bsd.see_other_uids` sysctl value:" msgstr "" "Este script apenas verifica errores, pero lo más importante es el poco " "cuidado con el que almacena sus contraseñas. Si haces algo como esto, " "establece al menos el valor de `security.bsd.see_other_uids`:" #. 
type: delimited block . 4 #: documentation/content/en/articles/ldap-auth/_index.adoc:533 #, no-wrap msgid "# sysctl security.bsd.see_other_uids=0\n" msgstr "# sysctl security.bsd.see_other_uids=0\n" #. type: delimited block = 4 #: documentation/content/en/articles/ldap-auth/_index.adoc:540 msgid "" "A more flexible (and probably more secure) approach can be used by writing a " "custom program, or even a web interface. The following is part of a Ruby " "library that can change LDAP passwords. It sees use both on the command " "line, and on the web." msgstr "" "Se puede utilizar un enfoque más flexible (y probablemente más seguro) " "escribiendo un programa personalizado o incluso una interfaz web. Lo " "siguiente es parte de una librería de Ruby que puede cambiar las contraseñas " "LDAP. Se puede usar por línea de comandos y en la web." #. type: Block title #: documentation/content/en/articles/ldap-auth/_index.adoc:542 #, no-wrap msgid "Ruby Script for Changing Passwords" msgstr "Script en Ruby para Cambiar las Contraseñas" #. type: delimited block . 4 #: documentation/content/en/articles/ldap-auth/_index.adoc:552 #, no-wrap msgid "" "require 'ldap'\n" "require 'base64'\n" "require 'digest'\n" "require 'password' # ruby-password\n" msgstr "" "require 'ldap'\n" "require 'base64'\n" "require 'digest'\n" "require 'password' # ruby-password\n" #. type: delimited block . 4 #: documentation/content/en/articles/ldap-auth/_index.adoc:555 #, no-wrap msgid "" "ldap_server = \"ldap.example.org\"\n" "luser = \"uid=#{ENV['USER']},ou=people,dc=example,dc=org\"\n" msgstr "" "ldap_server = \"ldap.example.org\"\n" "luser = \"uid=#{ENV['USER']},ou=people,dc=example,dc=org\"\n" #. type: delimited block . 
4 #: documentation/content/en/articles/ldap-auth/_index.adoc:560 #, no-wrap msgid "" "# get the new password, check it, and create a salted hash from it\n" "def get_password\n" " pwd1 = Password.get(\"New Password: \")\n" " pwd2 = Password.get(\"Retype New Password: \")\n" msgstr "" "# get the new password, check it, and create a salted hash from it\n" "def get_password\n" " pwd1 = Password.get(\"New Password: \")\n" " pwd2 = Password.get(\"Retype New Password: \")\n" #. type: delimited block . 4 #: documentation/content/en/articles/ldap-auth/_index.adoc:563 #, no-wrap msgid "" " raise if pwd1 != pwd2\n" " pwd1.check # check password strength\n" msgstr "" " raise if pwd1 != pwd2\n" " pwd1.check # check password strength\n" #. type: delimited block . 4 #: documentation/content/en/articles/ldap-auth/_index.adoc:569 #, no-wrap msgid "" " salt = rand.to_s.gsub(/0\\./, '')\n" " pass = pwd1.to_s\n" " hash = \"{SSHA}\"+Base64.encode64(Digest::SHA1.digest(\"#{pass}#{salt}\")+salt).chomp!\n" " return hash\n" "end\n" msgstr "" " salt = rand.to_s.gsub(/0\\./, '')\n" " pass = pwd1.to_s\n" " hash = \"{SSHA}\"+Base64.encode64(Digest::SHA1.digest(\"#{pass}#{salt}\"" ")+salt).chomp!\n" " return hash\n" "end\n" #. type: delimited block . 4 #: documentation/content/en/articles/ldap-auth/_index.adoc:572 #, no-wrap msgid "" "oldp = Password.get(\"Old Password: \")\n" "newp = get_password\n" msgstr "" "oldp = Password.get(\"Old Password: \")\n" "newp = get_password\n" #. type: delimited block . 4 #: documentation/content/en/articles/ldap-auth/_index.adoc:575 #, no-wrap msgid "" "# We'll just replace it. That we can bind proves that we either know\n" "# the old password or are an admin.\n" msgstr "" "# We'll just replace it. That we can bind proves that we either know\n" "# the old password or are an admin.\n" #. type: delimited block . 
4 #: documentation/content/en/articles/ldap-auth/_index.adoc:579 #, no-wrap msgid "" "replace = LDAP::Mod.new(LDAP::LDAP_MOD_REPLACE | LDAP::LDAP_MOD_BVALUES,\n" " \"userPassword\",\n" " [newp])\n" msgstr "" "replace = LDAP::Mod.new(LDAP::LDAP_MOD_REPLACE | LDAP::LDAP_MOD_BVALUES,\n" " \"userPassword\",\n" " [newp])\n" #. type: delimited block . 4 #: documentation/content/en/articles/ldap-auth/_index.adoc:584 #, no-wrap msgid "" "conn = LDAP::SSLConn.new(ldap_server, 389, true)\n" "conn.set_option(LDAP::LDAP_OPT_PROTOCOL_VERSION, 3)\n" "conn.bind(luser, oldp)\n" "conn.modify(luser, [replace])\n" msgstr "" "conn = LDAP::SSLConn.new(ldap_server, 389, true)\n" "conn.set_option(LDAP::LDAP_OPT_PROTOCOL_VERSION, 3)\n" "conn.bind(luser, oldp)\n" "conn.modify(luser, [replace])\n" #. type: delimited block = 4 #: documentation/content/en/articles/ldap-auth/_index.adoc:589 msgid "" "Although not guaranteed to be free of security holes (the password is kept " "in memory, for example) this is cleaner and more flexible than a simple `sh` " "script." msgstr "" "Aunque no se garantiza que esté a salvo de agujeros de seguridad (la " "contraseña se guarda en memoria, por ejemplo), esto es más limpio y más " "flexible que un simple script `sh`." #. type: Title == #: documentation/content/en/articles/ldap-auth/_index.adoc:591 #, no-wrap msgid "Security Considerations" msgstr "Consideraciones de Seguridad" #. type: delimited block = 4 #: documentation/content/en/articles/ldap-auth/_index.adoc:594 msgid "" "Now that your machines (and possibly other services) are authenticating " "against your LDAP server, this server needs to be protected at least as well " "as [.filename]#/etc/master.passwd# would be on a regular server, and " "possibly even more so since a broken or cracked LDAP server would break " "every client service." 
msgstr "" "Ahora que tus máquinas (y posiblemente otros servicios) se están " "autenticando contra su servidor LDAP, este servidor tiene que estar " "protegido, así como [.filename]#/etc/master.passwd# estaría en un servidor " "normal, y posiblemente aún más puesto que un servidor LDAP corrupto o " "comprometido rompería todos los servicios del cliente." #. type: delimited block = 4 #: documentation/content/en/articles/ldap-auth/_index.adoc:597 msgid "" "Remember, this section is not exhaustive. You should continually review " "your configuration and procedures for improvements." msgstr "" "Recuerda, esta sección no es exhaustiva. Debes revisar continuamente tu " "configuración y procedimientos para mejorarlos." #. type: Title === #: documentation/content/en/articles/ldap-auth/_index.adoc:599 #, no-wrap msgid "Setting Attributes Read-only" msgstr "Establecer Atributos de Solo Lectura" #. type: delimited block = 4 #: documentation/content/en/articles/ldap-auth/_index.adoc:603 msgid "" "Several attributes in LDAP should be read-only. If left writable by the " "user, for example, a user could change his `uidNumber` attribute to `0` and " "get `root` access!" msgstr "" "Varios atributos en LDAP deberían ser de sólo lectura. Si el usuario pudiera " "escribirlos, por ejemplo, un usuario podría cambiar su `uidNumber` a `0` ¡y " "obtener acceso `root`!" #. type: delimited block = 4 #: documentation/content/en/articles/ldap-auth/_index.adoc:607 msgid "" "To begin with, the `userPassword` attribute should not be world-readable. " "By default, anyone who can connect to the LDAP server can read this " "attribute. To disable this, put the following in [.filename]#slapd.conf#:" msgstr "" "Para empezar, el atributo `userPassword` no debe ser legible por todo el " "mundo. Por defecto, cualquiera que pueda conectarse al servidor LDAP puede " "leer este atributo. Para deshabilitar esto, usa la siguiente configuración " "en el archivo [.filename]#slapd.conf#:" #. 
type: Block title #: documentation/content/en/articles/ldap-auth/_index.adoc:609 #, no-wrap msgid "Hide Passwords" msgstr "Ocultar Contraseñas" #. type: delimited block . 4 #: documentation/content/en/articles/ldap-auth/_index.adoc:620 #: documentation/content/en/articles/ldap-auth/_index.adoc:646 #, no-wrap msgid "" "access to dn.subtree=\"ou=people,dc=example,dc=org\"\n" " attrs=userPassword\n" " by self write\n" " by anonymous auth\n" " by * none\n" msgstr "" "access to dn.subtree=\"ou=people,dc=example,dc=org\"\n" " attrs=userPassword\n" " by self write\n" " by anonymous auth\n" " by * none\n" #. type: delimited block . 4 #: documentation/content/en/articles/ldap-auth/_index.adoc:624 #: documentation/content/en/articles/ldap-auth/_index.adoc:653 #, no-wrap msgid "" "access to *\n" " by self write\n" " by * read\n" msgstr "" "access to *\n" " by self write\n" " by * read\n" #. type: delimited block = 4 #: documentation/content/en/articles/ldap-auth/_index.adoc:629 msgid "" "This will disallow reading of the `userPassword` attribute, while still " "allowing users to change their own passwords." msgstr "" "Esto evitará que se pueda leer el atributo `userPassword`, a la vez que " "seguirá permitiendo a los usuarios cambiar sus propias contraseñas." #. type: delimited block = 4 #: documentation/content/en/articles/ldap-auth/_index.adoc:633 msgid "" "Additionally, you'll want to keep users from changing some of their own " "attributes. By default, users can change any attribute (except for those " "which the LDAP schemas themselves deny changes), such as `uidNumber`. To " "close this hole, modify the above to" msgstr "" "Además, querrás evitar que los usuarios cambien algunos de sus atributos. De " "forma predeterminada, los usuarios pueden cambiar cualquier atributo (" "excepto aquellos en los que los esquemas LDAP mismos niegan cambios), como " "`uidNumber`. Para cerrar este agujero, modifica lo anterior a" #. 
type: Block title
#: documentation/content/en/articles/ldap-auth/_index.adoc:635
#, no-wrap
msgid "Read-only Attributes"
msgstr "Atributos de Solo Lectura"

#. type: delimited block . 4
#: documentation/content/en/articles/ldap-auth/_index.adoc:649
#, no-wrap
msgid ""
"access to attrs=homeDirectory,uidNumber,gidNumber\n"
" by * read\n"
msgstr ""
"access to attrs=homeDirectory,uidNumber,gidNumber\n"
" by * read\n"

#. type: delimited block = 4
#: documentation/content/en/articles/ldap-auth/_index.adoc:658
msgid "This will stop users from being able to masquerade as other users."
msgstr "Esto evitará que los usuarios puedan hacerse pasar por otros usuarios."

#. type: Title ===
#: documentation/content/en/articles/ldap-auth/_index.adoc:660
#, no-wrap
msgid "`root` Account Definition"
msgstr "Definición de la Cuenta `root`"

#. type: delimited block = 4
#: documentation/content/en/articles/ldap-auth/_index.adoc:665
msgid ""
"Often the `root` or manager account for the LDAP service will be defined in "
"the configuration file. OpenLDAP supports this, for example, and it works, "
"but it can lead to trouble if [.filename]#slapd.conf# is compromised. It "
"may be better to use this only to bootstrap yourself into LDAP, and then "
"define a `root` account there."
msgstr ""
"Habitualmente la cuenta `root` o la cuenta del gestor para el servicio de "
"LDAP estará definida en el fichero de configuración. Por ejemplo, OpenLDAP "
"soporta esto y funciona, pero puede dar lugar a problemas si "
"[.filename]#slapd.conf# se ve comprometido. Sería mejor usar esto sólo para "
"entrar en LDAP y después definir ahí una cuenta `root`."

#. type: delimited block = 4
#: documentation/content/en/articles/ldap-auth/_index.adoc:669
msgid ""
"Even better is to define accounts that have limited permissions, and omit a "
"`root` account entirely. For example, users that can add or remove user "
"accounts are added to one group, but they cannot themselves change the "
"membership of this group. Such a security policy would help mitigate the "
"effects of a leaked password."
msgstr ""
"Es incluso mejor definir cuentas que tengan permisos limitados y omitir "
"completamente la cuenta `root`. Por ejemplo, los usuarios que pueden crear o "
"eliminar cuentas de usuario se añaden a un grupo, pero ellos mismos no "
"pueden cambiar la pertenencia a este grupo. Esta política de seguridad "
"ayudaría a mitigar los efectos de una contraseña que se haya podido filtrar."

#. type: Block title
#: documentation/content/en/articles/ldap-auth/_index.adoc:671
#: documentation/content/en/articles/ldap-auth/_index.adoc:677
#, no-wrap
msgid "Creating a Management Group"
msgstr "Crear un Grupo de Administración"

#. type: delimited block = 4
#: documentation/content/en/articles/ldap-auth/_index.adoc:675
msgid ""
"Say you want your IT department to be able to change home directories for "
"users, but you do not want all of them to be able to add or remove users. "
"The way to do this is to add a group for these admins:"
msgstr ""
"Supongamos que quieres que tu departamento de TI pueda cambiar los "
"directorios home de los usuarios, pero no quieres que todos puedan añadir o "
"eliminar usuarios. La forma de hacerlo es agregar un grupo para estos "
"administradores:"

#. type: delimited block . 4
#: documentation/content/en/articles/ldap-auth/_index.adoc:690
#, no-wrap
msgid ""
"dn: cn=homemanagement,dc=example,dc=org\n"
"objectClass: top\n"
"objectClass: posixGroup\n"
"cn: homemanagement\n"
"gidNumber: 121 # required for posixGroup\n"
"memberUid: uid=tuser,ou=people,dc=example,dc=org\n"
"memberUid: uid=user2,ou=people,dc=example,dc=org\n"
msgstr ""
"dn: cn=homemanagement,dc=example,dc=org\n"
"objectClass: top\n"
"objectClass: posixGroup\n"
"cn: homemanagement\n"
"gidNumber: 121 # required for posixGroup\n"
"memberUid: uid=tuser,ou=people,dc=example,dc=org\n"
"memberUid: uid=user2,ou=people,dc=example,dc=org\n"

#. type: delimited block = 4
#: documentation/content/en/articles/ldap-auth/_index.adoc:695
msgid "And then change the permissions attributes in [.filename]#slapd.conf#:"
msgstr ""
"Y luego cambia los atributos de los permisos en [.filename]#slapd.conf#:"

#. type: Block title
#: documentation/content/en/articles/ldap-auth/_index.adoc:697
#, no-wrap
msgid "ACLs for a Home Directory Management Group"
msgstr "ACLs para el Grupo de Administración del Directorio Home"

#. type: delimited block . 4
#: documentation/content/en/articles/ldap-auth/_index.adoc:707
#, no-wrap
msgid ""
"access to dn.subtree=\"ou=people,dc=example,dc=org\"\n"
" attr=homeDirectory\n"
" by dn=\"cn=homemanagement,dc=example,dc=org\"\n"
" dnattr=memberUid write\n"
msgstr ""
"access to dn.subtree=\"ou=people,dc=example,dc=org\"\n"
" attr=homeDirectory\n"
" by dn=\"cn=homemanagement,dc=example,dc=org\"\n"
" dnattr=memberUid write\n"

#. type: delimited block = 4
#: documentation/content/en/articles/ldap-auth/_index.adoc:712
msgid "Now `tuser` and `user2` can change other users' home directories."
msgstr ""
"Ahora `tuser` y `user2` pueden cambiar los directorios home de otros "
"usuarios."

#. type: delimited block = 4
#: documentation/content/en/articles/ldap-auth/_index.adoc:716
msgid ""
"In this example we have given a subset of administrative power to certain "
"users without giving them power in other domains. The idea is that soon no "
"single user account has the power of a `root` account, but every power root "
"had is had by at least one user. The `root` account then becomes "
"unnecessary and can be removed."
msgstr ""
"En este ejemplo hemos concedido un subconjunto de poderes administrativos a "
"algunos usuarios sin darles poder en otros dominios. La idea es que pronto "
"ninguna cuenta de usuario tenga el poder de la cuenta de `root`, pero cada "
"poder que tenía root lo tenga como mínimo algún otro usuario. Entonces la "
"cuenta `root` se hace innecesaria y se puede eliminar."

#. type: Title ===
#: documentation/content/en/articles/ldap-auth/_index.adoc:718
#, no-wrap
msgid "Password Storage"
msgstr "Almacenamiento de Contraseñas"

#. type: delimited block = 4
#: documentation/content/en/articles/ldap-auth/_index.adoc:722
msgid ""
"By default OpenLDAP will store the value of the `userPassword` attribute as "
"it stores any other data: in the clear. Most of the time it is base 64 "
"encoded, which provides enough protection to keep an honest administrator "
"from knowing your password, but little else."
msgstr ""
"OpenLDAP almacenará por defecto el valor del atributo `userPassword` de la "
"misma forma que cualquier otro dato: en claro. La mayoría de las veces está "
"codificado en base 64, lo que proporciona suficiente protección para evitar "
"que un administrador honesto conozca tu contraseña, pero poco más."

#. type: delimited block = 4
#: documentation/content/en/articles/ldap-auth/_index.adoc:725
msgid ""
"It is a good idea, then, to store passwords in a more secure format, such as "
"SSHA (salted SHA). This is done by whatever program you use to change "
"users' passwords."
msgstr ""
"Por lo tanto, es buena idea almacenar las contraseñas en un formato más "
"seguro, como SSHA (salted SHA). Esto lo hace el programa que utilices para "
"cambiar las contraseñas de los usuarios."

#. type: Title ==
#: documentation/content/en/articles/ldap-auth/_index.adoc:730
#, no-wrap
msgid "Useful Aids"
msgstr "Herramientas Útiles"

#. type: delimited block = 4
#: documentation/content/en/articles/ldap-auth/_index.adoc:733
msgid ""
"There are a few other programs that might be useful, particularly if you "
"have many users and do not want to configure everything manually."
msgstr ""
"Hay otros programas que pueden ser útiles, especialmente si tienes muchos "
"usuarios y no quieres configurarlo todo manualmente."

#. type: delimited block = 4
#: documentation/content/en/articles/ldap-auth/_index.adoc:736
msgid ""
"package:security/pam_mkhomedir[] is a PAM module that always succeeds; its "
"purpose is to create home directories for users which do not have them. If "
"you have dozens of client servers and hundreds of users, it is much easier "
"to use this and set up skeleton directories than to prepare every home "
"directory."
msgstr ""
"package:security/pam_mkhomedir[] es un módulo de PAM que siempre tiene "
"éxito; su propósito es crear directorios home para los usuarios que no los "
"tienen. Si tienes docenas de servidores cliente y cientos de usuarios, es "
"mucho más fácil usarlo y configurar directorios plantilla (skeleton) que "
"preparar cada directorio home."

#. type: delimited block = 4
#: documentation/content/en/articles/ldap-auth/_index.adoc:740
msgid ""
"package:sysutils/cpu[] is a man:pw[8]-like utility that can be used to "
"manage users in the LDAP directory. You can call it directly, or wrap "
"scripts around it. It can handle both TLS (with the `-x` flag) and SSL "
"(directly)."
msgstr ""
"package:sysutils/cpu[] es una utilidad tipo man:pw[8] que se puede usar para "
"gestionar usuarios en el directorio LDAP. Puedes llamarlo directamente o "
"envolverlo en un script. Puede gestionar tanto TLS (con el flag `-x`) como "
"SSL (directamente)."

#. type: delimited block = 4
#: documentation/content/en/articles/ldap-auth/_index.adoc:744
msgid ""
"package:sysutils/ldapvi[] is a great utility for editing LDAP values in an "
"LDIF-like syntax. The directory (or subsection of the directory) is "
"presented in the editor chosen by the `EDITOR` environment variable. This "
"makes it easy to enable large-scale changes in the directory without having "
"to write a custom tool."
msgstr ""
"package:sysutils/ldapvi[] es una utilidad de gran ayuda para editar valores "
"LDAP en una sintaxis similar a LDIF. El directorio (o subsección del "
"directorio) se muestra en el editor elegido por la variable de entorno "
"`EDITOR`. Esto facilita la realización de cambios a gran escala en el "
"directorio sin escribir una herramienta personalizada."

#. type: delimited block = 4
#: documentation/content/en/articles/ldap-auth/_index.adoc:747
msgid ""
"package:security/openssh-portable[] has the ability to contact an LDAP "
"server to verify SSH keys. This is extremely nice if you have many servers "
"and do not want to copy your public keys across all of them."
msgstr ""
"package:security/openssh-portable[] tiene la capacidad de contactar con un "
"servidor LDAP para verificar claves SSH. Esto es realmente útil si tienes "
"muchos servidores y no quieres copiar tus claves públicas a todos ellos."

#. type: Title ==
#: documentation/content/en/articles/ldap-auth/_index.adoc:752
#, no-wrap
msgid "OpenSSL Certificates for LDAP"
msgstr "Certificados OpenSSL para LDAP"

#. type: delimited block = 4
#: documentation/content/en/articles/ldap-auth/_index.adoc:756
msgid ""
"If you are hosting two or more LDAP servers, you will probably not want to "
"use self-signed certificates, since each client will have to be configured "
"to work with each certificate. While this is possible, it is not nearly as "
"simple as creating your own certificate authority, and signing your servers' "
"certificates with that."
msgstr ""
"Si alojas dos o más servidores LDAP, probablemente no quieras utilizar "
"certificados autofirmados, ya que cada cliente deberá estar configurado para "
"funcionar con cada certificado. Si bien esto es posible, no es tan simple "
"como crear tu propia autoridad de certificación y firmar con ella los "
"certificados de tus servidores."

#. type: delimited block = 4
#: documentation/content/en/articles/ldap-auth/_index.adoc:758
msgid ""
"The steps here are presented as they are with very little attempt at "
"explaining what is going on-further explanation can be found in man:"
"openssl[1] and its friends."
msgstr ""
"Los pasos se muestran aquí tal cual, sin apenas explicar lo que hacen; se "
"puede encontrar más información en man:openssl[1] y sus páginas relacionadas."

#. type: delimited block = 4
#: documentation/content/en/articles/ldap-auth/_index.adoc:761
msgid ""
"To create a certificate authority, we simply need a self-signed certificate "
"and key. The steps for this again are"
msgstr ""
"Para crear una autoridad de certificación, simplemente necesitamos un "
"certificado autofirmado y una clave. De nuevo, las instrucciones son"

#. type: Block title
#: documentation/content/en/articles/ldap-auth/_index.adoc:763
#, no-wrap
msgid "Creating a Certificate"
msgstr "Crear un Certificado"

#. type: delimited block . 4
#: documentation/content/en/articles/ldap-auth/_index.adoc:772
#, no-wrap
msgid ""
"% openssl genrsa -out root.key 1024\n"
"% openssl req -new -key root.key -out root.csr\n"
"% openssl x509 -req -days 1024 -in root.csr -signkey root.key -out root.crt\n"
msgstr ""
"% openssl genrsa -out root.key 1024\n"
"% openssl req -new -key root.key -out root.csr\n"
"% openssl x509 -req -days 1024 -in root.csr -signkey root.key -out root.crt\n"

#. type: delimited block = 4
#: documentation/content/en/articles/ldap-auth/_index.adoc:778
msgid ""
"These will be your root CA key and certificate. You will probably want to "
"encrypt the key and store it in a cool, dry place; anyone with access to it "
"can masquerade as one of your LDAP servers."
msgstr ""
"Estos serán la clave y el certificado de tu CA raíz. Probablemente quieras "
"cifrar la clave y almacenarla en un lugar fresco y seco; cualquier persona "
"con acceso a ella puede hacerse pasar por uno de tus servidores LDAP."

#. type: delimited block = 4
#: documentation/content/en/articles/ldap-auth/_index.adoc:781
msgid ""
"Next, using the first two steps above create a key [.filename]#ldap-server-"
"one.key# and certificate signing request [.filename]#ldap-server-one.csr#. "
"Once you sign the signing request with [.filename]#root.key#, you will be "
"able to use [.filename]#ldap-server-one.*# on your LDAP servers."
msgstr ""
"A continuación, utilizando los dos primeros pasos anteriores, crea la clave "
"[.filename]#ldap-server-one.key# y la solicitud de firma de certificado "
"[.filename]#ldap-server-one.csr#. Una vez que firmes la solicitud con "
"[.filename]#root.key#, podrás usar [.filename]#ldap-server-one.*# en tus "
"servidores LDAP."

#. type: Plain text
#: documentation/content/en/articles/ldap-auth/_index.adoc:785
msgid ""
"Do not forget to use the fully qualified domain name for the \"common name\" "
"attribute when generating the certificate signing request; otherwise clients "
"will reject a connection with you, and it can be very tricky to diagnose."
msgstr ""
"No olvides utilizar el fully qualified domain name (nombre de dominio "
"completamente cualificado) para el atributo \"common name\" al generar la "
"solicitud de firma del certificado; de lo contrario, los clientes rechazarán "
"la conexión y esto puede ser muy difícil de diagnosticar."

#. type: delimited block = 4
#: documentation/content/en/articles/ldap-auth/_index.adoc:788
msgid "To sign the key, use `-CA` and `-CAkey` instead of `-signkey`:"
msgstr "Para firmar la clave utiliza `-CA` y `-CAkey` en lugar de `-signkey`:"

#. type: Block title
#: documentation/content/en/articles/ldap-auth/_index.adoc:790
#, no-wrap
msgid "Signing as a Certificate Authority"
msgstr "Firmar como Autoridad Certificadora"

#. type: delimited block . 4
#: documentation/content/en/articles/ldap-auth/_index.adoc:799
#, no-wrap
msgid ""
"% openssl x509 -req -days 1024 \\\n"
"-in ldap-server-one.csr -CA root.crt -CAkey root.key \\\n"
"-out ldap-server-one.crt\n"
msgstr ""
"% openssl x509 -req -days 1024 \\\n"
"-in ldap-server-one.csr -CA root.crt -CAkey root.key \\\n"
"-out ldap-server-one.crt\n"

#. type: delimited block = 4
#: documentation/content/en/articles/ldap-auth/_index.adoc:804
msgid ""
"The resulting file will be the certificate that you can use on your LDAP "
"servers."
msgstr ""
"El archivo resultante será el certificado que puedes utilizar en tus "
"servidores LDAP."

#. type: delimited block = 4
#: documentation/content/en/articles/ldap-auth/_index.adoc:805
msgid ""
"Finally, for clients to trust all your servers, distribute [.filename]#root."
"crt# (the __certificate__, not the key!) to each client, and specify it in "
"the `TLSCACertificateFile` directive in [.filename]#ldap.conf#."
msgstr ""
"Por último, para que los clientes confíen en todos tus servidores, "
"distribuye [.filename]#root.crt# (el __certificado__, ¡no la clave!) a cada "
"cliente y especifícalo en la directiva `TLSCACertificateFile` de "
"[.filename]#ldap.conf#."

#~ msgid ""
#~ "include::shared/attributes/attributes-{{% lang %}}.adoc[] include::shared/"
#~ "{{% lang %}}/teams.adoc[] include::shared/{{% lang %}}/mailing-lists."
#~ "adoc[] include::shared/{{% lang %}}/urls.adoc[]"
#~ msgstr ""
#~ "include::shared/attributes/attributes-{{% lang %}}.adoc[]\n"
#~ "include::shared/{{% lang %}}/teams.adoc[]\n"
#~ "include::shared/{{% lang %}}/mailing-lists.adoc[]\n"
#~ "include::shared/{{% lang %}}/urls.adoc[]"