Gentoo's Bugzilla – Attachment 133527 Details for Bug 176075: openldap ebuild refers to an unmaintained guide.
Attachment: ldap-howto.xml.diff (text/plain), 10.11 KB
Creator: Markus Ullmann (RETIRED)
Created: 2007-10-15 09:35:51 UTC
Flags: patch, obsolete
>Index: ldap-howto.xml >=================================================================== >RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/ldap-howto.xml,v >retrieving revision 1.35 >diff -u -t -r1.35 ldap-howto.xml >--- ldap-howto.xml 29 Nov 2006 15:48:57 -0000 1.35 >+++ ldap-howto.xml 15 Oct 2007 09:34:05 -0000 >@@ -1,8 +1,8 @@ > <?xml version='1.0' encoding='UTF-8'?> >-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/ldap-howto.xml,v 1.35 2006/11/29 15:48:57 nightmorph Exp $ --> >+<!-- $Header: /var/www/viewcvs.gentoo.org/raw_cvs/gentoo/xml/htdocs/doc/en/ldap-howto.xml,v 1.35 2006/11/29 15:48:57 nightmorph Exp $ --> > <!DOCTYPE guide SYSTEM "/dtd/guide.dtd"> > >-<guide link="/doc/en/ldap-howto.xml" disclaimer="obsolete"> >+<guide link="/doc/en/ldap-howto.xml" disclaimer="draft"> > <title>Gentoo Guide to OpenLDAP Authentication</title> > > <author title="Author"> >@@ -19,6 +19,9 @@ > <author title="Editor"> > <mail link="bennyc@gentoo.org">Benny Chuang</mail> > </author> >+<author title="Editor"> >+ <mail link="jokey@gentoo.org">Markus Ullmann</mail> >+</author> > > > <abstract> >@@ -30,8 +33,8 @@ > <!-- See http://creativecommons.org/licenses/by-sa/2.5 --> > <license/> > >-<version>0.22</version> >-<date>2005-10-21</date> >+<version>0.23</version> >+<date>2007-10-15</date> > > <chapter> > <title>Getting Started with OpenLDAP</title> 
>@@ -155,43 +158,65 @@ > </p> > > <pre caption="Install OpenLDAP"> >-# <i>emerge openldap pam_ldap nss_ldap migrationtools</i> >-# <i>chown ldap:ldap /var/lib/openldap-ldbm /var/lib/openldap-data /var/lib/openldap-slurp</i> >+# <i>emerge ">=net-nds/openldap-2.3.38" pam_ldap nss_ldap</i> > </pre> > > <p> >-Edit <path>/etc/openldap/slapd.conf</path> and add the following right after >-<c>core.schema</c>: >+Now generate an encrypted password we'll use later on: >+</p> >+ >+<pre caption="Generate password"> >+# slappasswd >+New password: my-password >+Re-enter new password: my-password >+{SSHA}EzP6I82DZRnW+ou6lyiXHGxSpSOw2XO4 >+</pre> >+ >+<p> >+Now edit the LDAP Server config at <path>/etc/openldap/slapd.conf</path>: > </p> > > <pre caption="/etc/openldap/slapd.conf"> >-<comment># Include the needed data schemes</comment> >+<comment># Include the needed data schemes below core.schema</comment> > include /etc/openldap/schema/cosine.schema > include /etc/openldap/schema/inetorgperson.schema > include /etc/openldap/schema/nis.schema > >-<comment># Use md5 to hash the passwords</comment> >-password-hash {md5} >+<comment>Uncomment modulepath and hdb module</comment> >+# Load dynamic backend modules: >+modulepath /usr/lib/openldap/openldap >+# moduleload back_shell.so >+# moduleload back_relay.so >+# moduleload back_perl.so >+# moduleload back_passwd.so >+# moduleload back_null.so >+# moduleload back_monitor.so >+# moduleload back_meta.so >+moduleload back_hdb.so >+# moduleload back_dnssrv.so >+ >+<comment># Uncomment sample access restrictions (Note: maintain indentation!)</comment> >+access to dn.base="" by * read >+access to dn.base="cn=Subschema" by * read >+access to * >+ by self write >+ by users read >+ by anonymous auth > >-<comment># Define SSL and TLS properties (optional)</comment> >-TLSCertificateFile /etc/ssl/ldap.pem >-TLSCertificateKeyFile /etc/openldap/ssl/ldap.pem >-TLSCACertificateFile /etc/ssl/ldap.pem > >-<comment>(Further down...)</comment> >+<comment># 
BDB Database definition</comment> > >-database ldbm >+database hdb > suffix "dc=genfic,dc=com" >+checkpoint 32 30 # <kbyte> <min> > rootdn "cn=Manager,dc=genfic,dc=com" >-rootpw <i>{MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==</i> >+rootpw <i>{SSHA}EzP6I82DZRnW+ou6lyiXHGxSpSOw2XO4</i> > directory /var/lib/openldap-ldbm > index objectClass eq >- >-<comment>(You can get an encrypted password like above with slappasswd -h {Md5})</comment> > </pre> > > <p> >-Next we edit the LDAP configuration file: >+Next we edit the LDAP Client configuration file: > </p> > > <pre caption="/etc/openldap/ldap.conf"> >@@ -199,32 +224,18 @@ > <comment>(Add the following...)</comment> > > BASE dc=genfic, dc=com >-URI ldaps://auth.genfic.com:636/ >+URI ldap://auth.genfic.com:389/ > TLS_REQCERT allow > </pre> > > <p> >-Now you will generate an SSL certificate to secure your directory. >-Answer the question you receive as good as possible. When asked for your >-<e>Common Name</e>, enter the name the clients will use when contacting >-the server. This is usually the full domainname (e.g. >-<path>auth.genfic.com</path>). >-</p> >- >-<pre caption="Generating SSL Certificate"> >-# <i>cd /etc/ssl</i> >-# <i>openssl req -config /etc/ssl/openssl.cnf -new -x509 -nodes -out \ >-ldap.pem -keyout /etc/openldap/ssl/ldap.pem -days 999999</i> >-# <i>chown ldap:ldap /etc/openldap/ssl/ldap.pem</i> >-</pre> >- >-<p> > Now edit <path>/etc/conf.d/slapd</path> and add the following, commenting out > the existing line: > </p> > > <pre caption="/etc/conf.d/slapd"> >-OPTS="-h 'ldaps:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'" >+<comment># Note: we don't use cn=config here, so stay with this line:</comment> >+OPTS="-h 'ldap:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'" > </pre> > > <p> 
>@@ -253,60 +264,13 @@ > </chapter> > > <chapter> >-<title>Migrate Existing Data</title> >+<title>Client Configuration</title> > <section> >-<title>Migrate User Accounts</title> >+<title>Migrate existing data to ldap</title> > <body> >- >-<p> >-Next, we migrate the user accounts. Open >-<path>/usr/share/migrationtools/migrate_common.ph</path> and edit the >-following: >-</p> >- >-<pre caption="/usr/share/migrationtools/migrate_common.ph"> >-$DEFAULT_BASE = "dc=genfic,dc=com"; >-$EXTENDED_SCHEMA = 1; >-<comment># Comment these lines out unless you have a mail schema loaded</comment> >-<comment>#$DEFAULT_MAIL_DOMAIN = "genfic.com";</comment> >-<comment>#$DEFAULT_MAIL_HOST = "mail.genfic.com";</comment> >-</pre> >- >-<p> >-Now run the migration scripts: >-</p> >- >-<pre caption="Running the migration scripts"> >-# <i>export ETC_SHADOW=/etc/shadow</i> >-# <i>cd /usr/share/migrationtools</i> >-# <i>./migrate_base.pl > /tmp/base.ldif</i> >-# <i>./migrate_group.pl /etc/group /tmp/group.ldif</i> >-# <i>./migrate_hosts.pl /etc/hosts /tmp/hosts.ldif</i> >-# <i>./migrate_passwd.pl /etc/passwd /tmp/passwd.ldif</i> >-</pre> >- >-<p> >-This last step migrated the files above to ldif files read by LDAP. Now lets add the files to our directory: >-</p> >- >-<pre caption="Importing the data to our directory"> >-# <i>ldapadd -D "cn=Manager,dc=genfic,dc=com" -W -f /tmp/base.ldif</i> >-# <i>ldapadd -D "cn=Manager,dc=genfic,dc=com" -W -f /tmp/group.ldif</i> >-# <i>ldapadd -D "cn=Manager,dc=genfic,dc=com" -W -f /tmp/passwd.ldif</i> >-# <i>ldapadd -D "cn=Manager,dc=genfic,dc=com" -W -f /tmp/hosts.ldif</i> >-</pre> >- >-<p> >-If you come across an error in your ldif files, you can resume from where you >-left off by using <c>ldapadd -c</c>. >-</p> >- >+Go to <uri link="http://www.padl.com/OSS/MigrationTools.html">http://www.padl.com/OSS/MigrationTools.html</uri> and fetch the scripts there. Configuration is stated on the page. 
We don't ship this anymore because the scripts are a potential security hole if you leave them on the system after porting. When you've finished migrating your data, go on below. > </body> > </section> >-</chapter> >- >-<chapter> >-<title>Client Configuration</title> > <section> > <title>Configuring PAM</title> > <body> 
>@@ -323,37 +287,38 @@ > </pre> > > <p> >-Now edit <path>/etc/pam.d/system-auth</path> so it looks like the following: >+Now add the following lines in the right places to <path>/etc/pam.d/system-auth</path>: > </p> > > <pre caption="/etc/pam.d/system-auth"> >-auth required pam_env.so >-auth sufficient pam_unix.so likeauth nullok shadow >-auth sufficient pam_ldap.so use_first_pass >-auth required pam_deny.so >- >-account requisite pam_unix.so >-account sufficient pam_localuser.so >-account required pam_ldap.so >- >-password required pam_cracklib.so retry=3 >-password sufficient pam_unix.so nullok use_authtok shadow md5 >-password sufficient pam_ldap.so use_authtok use_first_pass >-password required pam_deny.so >- >-session required pam_limits.so >-session required pam_unix.so >-session required pam_mkhomedir.so skel=/etc/skel/ umask=0066 >-session optional pam_ldap.so >-</pre> >+<comment># Note: only add them. Don't kill stuff already in there or your box won't let you login again!</comment> > >-<!-- Should work now, see #87930 >-<note> >-If you find that login on using ssh on these system fails, try interchanging the >-two <c>auth sufficient</c> lines. However, you might find that <c>su</c> and >-other tools refuse to function correctly if you do. 
>-</note> >---> >+auth sufficient pam_ldap.so use_first_pass >+account sufficient pam_ldap.so >+password sufficient pam_ldap.so use_authtok use_first_pass >+session optional pam_ldap.so >+ >+<comment># Example file:</comment> >+#%PAM-1.0 >+ >+auth required pam_env.so >+auth sufficient pam_unix.so try_first_pass likeauth nullok >+<i>auth sufficient pam_ldap.so use_first_pass</i> >+auth required pam_deny.so >+ >+<i>account sufficient pam_ldap.so</i> >+account required pam_unix.so >+ >+password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3 >+password sufficient pam_unix.so try_first_pass use_authtok nullok md5 shadow >+<i>password sufficient pam_ldap.so use_authtok use_first_pass</i> >+password required pam_deny.so >+ >+session required pam_limits.so >+session required pam_unix.so >+<i>session optional pam_ldap.so</i> >+ >+</pre> > > <p> > Now change <path>/etc/ldap.conf</path> to read: >@@ -363,12 +328,10 @@ > <comment>#host 127.0.0.1</comment> > <comment>#base dc=padl,dc=com</comment> > >-ssl start_tls >-ssl on > suffix "dc=genfic,dc=com" > <comment>#rootbinddn uid=root,ou=People,dc=genfic,dc=com</comment> > >-uri ldaps://auth.genfic.com/ >+uri ldap://auth.genfic.com/ > pam_password exop > > ldap_version 3 >@@ -502,8 +465,8 @@ > <p> > You can start using the directory to authenticate users in > apache/proftpd/qmail/samba. You can manage it with Webmin, which provides a >-really easy management interface. You can also use gq or >-directory_administrator. >+really easy management interface. You can also use phpldapadmin, luma, >+diradm or lat. > </p> > > </body>