Attachment 283307 Details for Bug 176075 – Updated patch with correct domain names

[patch] Updated patch with correct domain names

ldap-howto.patch (text/plain), 11.90 KB, created by Sven Vermeulen (RETIRED) on 2011-08-14 15:00:05 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Sven Vermeulen (RETIRED)

Created: 2011-08-14 15:00:05 UTC

Size: 11.90 KB

patch

obsolete

>Index: ldap-howto.xml
>===================================================================
>RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/ldap-howto.xml,v
>retrieving revision 1.43
>diff -u -B -r1.43 ldap-howto.xml
>--- ldap-howto.xml	18 Apr 2011 02:01:11 -0000	1.43
>+++ ldap-howto.xml	14 Aug 2011 14:59:07 -0000
>@@ -8,8 +8,8 @@
> <author title="Author">
> <mail link="sj7trunks@pendulus.net">Benjamin Coles</mail>
> </author>
>-<author title="Editor">
>- <mail link="swift@gentoo.org">Sven Vermeulen</mail>
>+<author title="Author">
>+ <mail link="swift"/>
> </author>
> <author title="Editor">
> <mail link="tseng@gentoo.org">Brandon Hale</mail>
>@@ -33,8 +33,8 @@
> 
> <license/>
> 
>-<version>5</version>
>-<date>2011-04-17</date>
>+<version>6</version>
>+<date>2011-08-13</date>
> 
> <chapter>
> <title>Getting Started with OpenLDAP</title>
>@@ -166,52 +166,66 @@
> 
> <pre caption="Generate password">
> # slappasswd
>-New password: my-password
>-Re-enter new password: my-password
>+New password: my-password
>+Re-enter new password: my-password
> {SSHA}EzP6I82DZRnW+ou6lyiXHGxSpSOw2XO4
> </pre>
> 
> 
>-Now edit the LDAP Server config at <path>/etc/openldap/slapd.conf</path>:
>+Now edit the LDAP Server config at <path>/etc/openldap/slapd.conf</path>. Below
>+we'll give a sample configuration file to get things started. For a more
>+detailed analysis of the configuration file, we suggest that you work through
>+the OpenLDAP Administrator's Guide.
> 
> 
> <pre caption="/etc/openldap/slapd.conf">
>-<comment># Include the needed data schemes below core.schema</comment>
>-include /etc/openldap/schema/cosine.schema
>-include /etc/openldap/schema/inetorgperson.schema
>-include /etc/openldap/schema/nis.schema
>-
>-<comment>Uncomment modulepath and hdb module</comment>
>-# Load dynamic backend modules:
>-modulepath /usr/lib/openldap/openldap
>-# moduleload back_shell.so
>-# moduleload back_relay.so
>-# moduleload back_perl.so
>-# moduleload back_passwd.so
>-# moduleload back_null.so
>-# moduleload back_monitor.so
>-# moduleload back_meta.so
>-moduleload back_hdb.so
>-# moduleload back_dnssrv.so
>+include	/etc/openldap/schema/core.schema
>+include /etc/openldap/schema/cosine.schema
>+include /etc/openldap/schema/inetorgperson.schema
>+include /etc/openldap/schema/nis.schema
>+include	/etc/openldap/schema/misc.schema
>+
>+pidfile /var/run/openldap/slapd.pid
>+argsfile /var/run/openldap/slapd.args
>+
>+serverID 0 <comment>Used in case of replication</comment>
>+loglevel 0
> 
>-<comment># Uncomment sample access restrictions (Note: maintain indentation!)</comment>
>+<comment>## Access Controls</comment>
> access to dn.base="" by * read
> access to dn.base="cn=Subschema" by * read
> access to *
>- by self write
>- by users read
>- by anonymous auth
>+ by self write
>+ by users read
>+ by anonymous read
> 
>+<comment>## Database definition</comment>
>+database hdb
>+suffix "dc=genfic,dc=com"
>+checkpoint 32 30
>+rootdn "cn=Manager,dc=genfic,dc=com"
>+rootpw "{SSHA}EzP6I82DZRnW+ou6lyiXHGxSpSOw2XO4" <comment># See earlier slappasswd command</comment>
>+directory "/var/lib/openldap-ldbm"
>+index objectClass eq
>+
>+<comment>## Synchronisation (pull from other LDAP server)</comment>
>+syncrepl rid=000
>+ provider=ldap://ldap2.genfic.com
>+ type=refreshAndPersist
>+ retry="5 5 300 +"
>+ searchbase="dc=genfic,dc=com"
>+ attrs="*,+"
>+ bindmethod="simple"
>+ binddn="cn=ldapreader.genfic.com,dc=genfic,dc=com"
>+ credentials="ldapsyncpass"
> 
>-<comment># BDB Database definition</comment>
>+index entryCSN eq
>+index entryUUID eq
> 
>-database hdb
>-suffix "dc=genfic,dc=com"
>-checkpoint 32 30 # &lt;kbyte&gt; &lt;min&gt;
>-rootdn "cn=Manager,dc=genfic,dc=com"
>-rootpw {SSHA}EzP6I82DZRnW+ou6lyiXHGxSpSOw2XO4
>-directory /var/lib/openldap-ldbm
>-index objectClass eq
>+mirrormode TRUE
>+
>+overlay syncprov
>+syncprov-checkpoint 100 10
> </pre>
> 
> 
>@@ -223,17 +237,27 @@
> <comment>(Add the following...)</comment>
> 
> BASE dc=genfic, dc=com
>-URI ldap://auth.genfic.com:389/
>+URI ldap://ldap.genfic.com:389/ ldap://ldap1.genfic.com:389/ ldap://ldap2.genfic.com:389/
> TLS_REQCERT allow
>+TIMELIMIT 2
> </pre>
> 
> 
>-Now edit <path>/etc/conf.d/slapd</path> and uncomment the following OPTS line:
>+Now edit <path>/etc/conf.d/slapd</path> and set the following OPTS line:
> 
> 
> <pre caption="/etc/conf.d/slapd">
>-<comment># Note: we don't use cn=config here, so stay with this line:</comment>
>-OPTS="-F /etc/openldap/slapd.d -h 'ldaps:// ldap:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"
>+OPTS="-h 'ldaps:// ldap:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"
>+</pre>
>+
>+
>+Finally, create the <path>/var/lib/openldap-ldbm</path> structure:
>+
>+
>+<pre caption="Preparing the openldap-ldbm location">
>+~# mkdir -p /var/lib/openldap-ldbm
>+~# chown ldap:ldap /var/lib/openldap-ldbm
>+~# chmod 700 /var/lib/openldap-ldbm
> </pre>
> 
> 
>@@ -262,18 +286,153 @@
> </chapter>
> 
> <chapter>
>+<title>Replication</title>
>+<section>
>+<title>If you need high availability</title>
>+<body>
>+
>+
>+If your environment requires high availability, then you need to setup
>+replication of changes across multiple LDAP systems. Replication within OpenLDAP
>+is, in this guide, set up using a specific replication account
>+(<c>ldapreader</c>) which has read rights on the primary LDAP server and which
>+pulls in changes from the primary LDAP server to the secundary.
>+
>+
>+
>+This setup is then mirrored, allowing the secundary LDAP server to act as a
>+primary. Thanks to OpenLDAP's internal structure, changes are not re-applied if
>+they are already in the LDAP structure.
>+
>+
>+</body>
>+</section>
>+<section>
>+<title>Setting Up Replication</title>
>+<body>
>+
>+
>+To setup replication, first setup a second OpenLDAP server, similarly as above.
>+However take care that, in the configuration file, 
>+
>+
>+<ul>
>+ <li>
>+ the <e>sync replication provider</e> is pointing to the <e>other</e> system
>+ </li>
>+ <li>
>+ the <e>serverID</e> of each OpenLDAP system is different
>+ </li>
>+</ul>
>+
>+
>+Next, create the synchronisation account. We will create an LDIF file (the
>+format used as data input for LDAP servers) and add it to each LDAP server:
>+
>+
>+<pre caption="Creating the ldapreader account">
>+~# slappasswd -s myreaderpassword
>+ {SSHA}XvbdAv6rdskp9HgFaFL9YhGkJH3HSkiM
>+
>+~# cat ldapreader.ldif
>+dn: cn=ldapreader.genfic.com,dc=genfic,dc=com
>+userPassword: {SSHA}XvbdAv6rdskp9HgFaFL9YhGkJH3HSkiM
>+objectClass: organizationalRole
>+objectClass: simpleSecurityObject
>+cn: ldapreader.genfic.com
>+description: LDAP reader used for synchronization
>+
>+~# ldapadd -x -W -D "cn=Manager,dc=genfic,dc=com" -f ldapreader.ldif
>+Password: <comment>enter the administrative password</comment>
>+</pre>
>+
>+</body>
>+</section>
>+</chapter>
>+
>+<chapter>
> <title>Client Configuration</title>
> <section>
> <title>Migrate existing data to ldap</title>
> <body>
> 
> 
>+Configuring OpenLDAP for centralized administration and management of common
>+Linux/Unix items isn't easy, but thanks to some tools and scripts available on
>+the Internet, migrating a system from a single-system administrative
>+point-of-view towards an OpenLDAP-based, centralized managed system isn't hard
>+either.
>+
>+
>+
> Go to <uri
> link="http://www.padl.com/OSS/MigrationTools.html">http://www.padl.com/OSS/MigrationTools.html</uri>
>-and fetch the scripts there. Configuration is stated on the page. We don't ship
>-this anymore because the scripts are a potential security hole if you leave
>-them on the system after porting. When you've finished migrating your data,
>-continue to the next section.
>+and fetch the scripts there. You'll need the migration tools and the
>+<c>make_master.sh</c> script.
>+
>+
>+
>+Next, extract the tools and copy the <c>make_master.sh</c> script inside the
>+extracted location:
>+
>+
>+<pre caption="Extracting the MigrationTools">
>+~# mktemp -d
>+/tmp/tmp.zchomocO3Q
>+~# cd /tmp/tmp.zchomocO3Q
>+~# tar xvzf /path/to/MigrationTools.tgz
>+~# mv /path/to/make_master.sh MigrationTools-47
>+~# cd MigrationTools-47
>+</pre>
>+
>+
>+The next step now is to migrate the information of your system to OpenLDAP. The
>+<c>make_master.sh</c> script will do this for you, after you have provided it
>+with the information regarding your LDAP structure and environment.
>+
>+
>+
>+At the time of writing, the tools require the following input:
>+
>+
>+<table>
>+<tr>
>+ <th>Input</th>
>+ <th>Description</th>
>+ <th>Example</th>
>+</tr>
>+<tr>
>+ <ti>LDAP BaseDN</ti>
>+ <ti>The base location (root) of your tree</ti>
>+ <ti>dc=genfic,dc=com</ti>
>+</tr>
>+<tr>
>+ <ti>Mail domain</ti>
>+ <ti>Domain used in e-mail addresses</ti>
>+ <ti>genfic.com</ti>
>+</tr>
>+<tr>
>+ <ti>Mail host</ti>
>+ <ti>FQDN of your mail server infrastructure</ti>
>+ <ti>smtp.genfic.com</ti>
>+</tr>
>+<tr>
>+ <ti>LDAP Root DN</ti>
>+ <ti>Administrative account information for your LDAP structure</ti>
>+ <ti>cn=Manager,dc=genfic,dc=com</ti>
>+</tr>
>+<tr>
>+ <ti>LDAP Root Password</ti>
>+ <ti>
>+ Password for the administrative account, cfr earlier <c>slappasswd</c>
>+ command
>+ </ti>
>+ <ti></ti>
>+</tr>
>+</table>
>+
>+
>+The tool will also ask you which accounts and settings you want to migrate.
> 
> 
> </body>
>@@ -310,7 +469,7 @@
> #%PAM-1.0
> 
> auth required pam_env.so
>-auth sufficient pam_unix.so try_first_pass likeauth nullok
>+auth sufficient pam_unix.so try_first_pass likeauth nullok
> auth sufficient pam_ldap.so use_first_pass
> auth required pam_deny.so
> 
>@@ -318,7 +477,7 @@
> account required pam_unix.so
> 
> password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
>-password sufficient pam_unix.so try_first_pass use_authtok nullok md5 shadow
>+password sufficient pam_unix.so try_first_pass use_authtok nullok md5 shadow
> password sufficient pam_ldap.so use_authtok use_first_pass
> password required pam_deny.so
> 
>@@ -338,20 +497,20 @@
> 
> suffix "dc=genfic,dc=com"
> <comment>#rootbinddn uid=root,ou=People,dc=genfic,dc=com</comment>
>-
>-uri ldap://auth.genfic.com/
>-pam_password exop
>-
>+bind_policy soft
>+bind_timelimit 2
> ldap_version 3
>+nss_base_group ou=Group,dc=genfic,dc=com
>+nss_base_hosts ou=Hosts,dc=genfic,dc=com
>+nss_base_passwd ou=People,dc=genfic,dc=com
>+nss_base_shadow ou=People,dc=genfic,dc=com
> pam_filter objectclass=posixAccount
> pam_login_attribute uid
> pam_member_attribute memberuid
>-nss_base_passwd ou=People,dc=genfic,dc=com
>-nss_base_shadow ou=People,dc=genfic,dc=com
>-nss_base_group ou=Group,dc=genfic,dc=com
>-nss_base_hosts ou=Hosts,dc=genfic,dc=com
>-
>+pam_password exop
> scope one
>+timelimit 2
>+uri ldap://ldap.genfic.com/ ldap://ldap1.genfic.com ldap://ldap2.genfic.com
> </pre>
> 
> 
>@@ -376,26 +535,14 @@
> </pre>
> 
> 
>-To test the changes, type:
>-
>-
>-<pre caption="Testing LDAP Auth">
>-# getent passwd|grep 0:0
>-
>-<comment>(You should get two entries back:)</comment>
>-root:x:0:0:root:/root:/bin/bash
>-root:x:0:0:root:/root:/bin/bash
>-</pre>
>-
>-
> If you noticed one of the lines you pasted into your <path>/etc/ldap.conf</path>
> was commented out (the <c>rootbinddn</c> line): you don't need it unless you
> want to change a user's password as superuser. In this case you need to echo
> the root password to <path>/etc/ldap.secret</path> in plaintext. This is
>-<brite>DANGEROUS</brite> and should be chmoded to 600. What I do is keep that
>-file blank and when I need to change someones password thats both in the ldap
>-and <path>/etc/passwd</path> I put the pass in there for 10 seconds while I
>-change it and remove it when I'm done.
>+<brite>DANGEROUS</brite> and should be chmoded to 600. What you might want to
>+do is keep that file blank and when you need to change someones password thats
>+both in the ldap and <path>/etc/passwd</path>, put the pass in there for 10
>+seconds while changing the users password and remove it when done.
> 
> 
> </body>

Actions: View | Diff

Attachments on bug 176075: 133513 | 133526 | 133527 | 171283 | 283305 | 283307 | 283395