Gentoo's Bugzilla – Attachment 283307 Details for Bug 176075: openldap ebuild refers to an unmaintained guide.
[patch] Updated patch with correct domain names
ldap-howto.patch (text/plain), 11.90 KB, created by Sven Vermeulen (RETIRED) on 2011-08-14 15:00:05 UTC

Description: Updated patch with correct domain names
Filename: ldap-howto.patch
MIME Type: text/plain
Creator: Sven Vermeulen (RETIRED)
Created: 2011-08-14 15:00:05 UTC
Size: 11.90 KB
patch
obsolete
>Index: ldap-howto.xml >=================================================================== >RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/ldap-howto.xml,v >retrieving revision 1.43 >diff -u -B -r1.43 ldap-howto.xml >--- ldap-howto.xml 18 Apr 2011 02:01:11 -0000 1.43 >+++ ldap-howto.xml 14 Aug 2011 14:59:07 -0000 >@@ -8,8 +8,8 @@ > <author title="Author"> > <mail link="sj7trunks@pendulus.net">Benjamin Coles</mail> > </author> >-<author title="Editor"> >- <mail link="swift@gentoo.org">Sven Vermeulen</mail> >+<author title="Author"> >+ <mail link="swift"/> > </author> > <author title="Editor"> > <mail link="tseng@gentoo.org">Brandon Hale</mail> >@@ -33,8 +33,8 @@ > <!-- See http://creativecommons.org/licenses/by-sa/2.5 --> > <license/> > >-<version>5</version> >-<date>2011-04-17</date> >+<version>6</version> >+<date>2011-08-13</date> > > <chapter> > <title>Getting Started with OpenLDAP</title> 
>@@ -166,52 +166,66 @@ > > <pre caption="Generate password"> > # <i>slappasswd</i> >-New password: my-password >-Re-enter new password: my-password >+New password: <i>my-password</i> >+Re-enter new password: <i>my-password</i> > {SSHA}EzP6I82DZRnW+ou6lyiXHGxSpSOw2XO4 > </pre> > > <p> >-Now edit the LDAP Server config at <path>/etc/openldap/slapd.conf</path>: >+Now edit the LDAP Server config at <path>/etc/openldap/slapd.conf</path>. Below >+we'll give a sample configuration file to get things started. For a more >+detailed analysis of the configuration file, we suggest that you work through >+the OpenLDAP Administrator's Guide. > </p> > > <pre caption="/etc/openldap/slapd.conf"> >-<comment># Include the needed data schemes below core.schema</comment> >-include /etc/openldap/schema/cosine.schema >-include /etc/openldap/schema/inetorgperson.schema >-include /etc/openldap/schema/nis.schema >- >-<comment>Uncomment modulepath and hdb module</comment> >-# Load dynamic backend modules: >-modulepath /usr/lib/openldap/openldap >-# moduleload back_shell.so >-# moduleload back_relay.so >-# moduleload back_perl.so >-# moduleload back_passwd.so >-# moduleload back_null.so >-# moduleload back_monitor.so >-# moduleload back_meta.so >-moduleload back_hdb.so >-# moduleload back_dnssrv.so >+include /etc/openldap/schema/core.schema >+include /etc/openldap/schema/cosine.schema >+include /etc/openldap/schema/inetorgperson.schema >+include /etc/openldap/schema/nis.schema >+include /etc/openldap/schema/misc.schema >+ >+pidfile /var/run/openldap/slapd.pid >+argsfile /var/run/openldap/slapd.args >+ >+serverID 0 <comment>Used in case of replication</comment> >+loglevel 0 > >-<comment># Uncomment sample access restrictions (Note: maintain indentation!)</comment> >+<comment>## Access Controls</comment> > access to dn.base="" by * read > access to dn.base="cn=Subschema" by * read > access to * >- by self write >- by users read >- by anonymous auth >+ by self write >+ by users read >+ by 
anonymous read > >+<comment>## Database definition</comment> >+database hdb >+suffix "dc=genfic,dc=com" >+checkpoint 32 30 >+rootdn "cn=Manager,dc=genfic,dc=com" >+rootpw "{SSHA}EzP6I82DZRnW+ou6lyiXHGxSpSOw2XO4" <comment># See earlier slappasswd command</comment> >+directory "/var/lib/openldap-ldbm" >+index objectClass eq >+ >+<comment>## Synchronisation (pull from other LDAP server)</comment> >+syncrepl rid=000 >+ provider=ldap://ldap2.genfic.com >+ type=refreshAndPersist >+ retry="5 5 300 +" >+ searchbase="dc=genfic,dc=com" >+ attrs="*,+" >+ bindmethod="simple" >+ binddn="cn=ldapreader.genfic.com,dc=genfic,dc=com" >+ credentials="ldapsyncpass" > >-<comment># BDB Database definition</comment> >+index entryCSN eq >+index entryUUID eq > >-database hdb >-suffix "dc=genfic,dc=com" >-checkpoint 32 30 # <kbyte> <min> >-rootdn "cn=Manager,dc=genfic,dc=com" >-rootpw <i>{SSHA}EzP6I82DZRnW+ou6lyiXHGxSpSOw2XO4</i> >-directory /var/lib/openldap-ldbm >-index objectClass eq >+mirrormode TRUE >+ >+overlay syncprov >+syncprov-checkpoint 100 10 > </pre> > > <p> 
>@@ -223,17 +237,27 @@ > <comment>(Add the following...)</comment> > > BASE dc=genfic, dc=com >-URI ldap://auth.genfic.com:389/ >+URI ldap://ldap.genfic.com:389/ ldap://ldap1.genfic.com:389/ ldap://ldap2.genfic.com:389/ > TLS_REQCERT allow >+TIMELIMIT 2 > </pre> > > <p> >-Now edit <path>/etc/conf.d/slapd</path> and uncomment the following OPTS line: >+Now edit <path>/etc/conf.d/slapd</path> and set the following OPTS line: > </p> > > <pre caption="/etc/conf.d/slapd"> >-<comment># Note: we don't use cn=config here, so stay with this line:</comment> >-OPTS="-F /etc/openldap/slapd.d -h 'ldaps:// ldap:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'" >+OPTS="-h 'ldaps:// ldap:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'" >+</pre> >+ >+<p> >+Finally, create the <path>/var/lib/openldap-ldbm</path> structure: >+</p> >+ >+<pre caption="Preparing the openldap-ldbm location"> >+~# <i>mkdir -p /var/lib/openldap-ldbm</i> >+~# <i>chown ldap:ldap /var/lib/openldap-ldbm</i> >+~# <i>chmod 700 /var/lib/openldap-ldbm</i> > </pre> > > <p> 
>@@ -262,18 +286,153 @@ > </chapter> > > <chapter> >+<title>Replication</title> >+<section> >+<title>If you need high availability</title> >+<body> >+ >+<p> >+If your environment requires high availability, then you need to setup >+replication of changes across multiple LDAP systems. Replication within OpenLDAP >+is, in this guide, set up using a specific replication account >+(<c>ldapreader</c>) which has read rights on the primary LDAP server and which >+pulls in changes from the primary LDAP server to the secundary. >+</p> >+ >+<p> >+This setup is then mirrored, allowing the secundary LDAP server to act as a >+primary. Thanks to OpenLDAP's internal structure, changes are not re-applied if >+they are already in the LDAP structure. >+</p> >+ >+</body> >+</section> >+<section> >+<title>Setting Up Replication</title> >+<body> >+ >+<p> >+To setup replication, first setup a second OpenLDAP server, similarly as above. >+However take care that, in the configuration file, >+</p> >+ >+<ul> >+ <li> >+ the <e>sync replication provider</e> is pointing to the <e>other</e> system >+ </li> >+ <li> >+ the <e>serverID</e> of each OpenLDAP system is different >+ </li> >+</ul> >+ >+<p> >+Next, create the synchronisation account. 
We will create an LDIF file (the >+format used as data input for LDAP servers) and add it to each LDAP server: >+</p> >+ >+<pre caption="Creating the ldapreader account"> >+~# <i>slappasswd -s myreaderpassword</i> >+ {SSHA}XvbdAv6rdskp9HgFaFL9YhGkJH3HSkiM >+ >+~# <i>cat ldapreader.ldif</i> >+dn: cn=ldapreader.genfic.com,dc=genfic,dc=com >+userPassword: {SSHA}XvbdAv6rdskp9HgFaFL9YhGkJH3HSkiM >+objectClass: organizationalRole >+objectClass: simpleSecurityObject >+cn: ldapreader.genfic.com >+description: LDAP reader used for synchronization >+ >+~# <i>ldapadd -x -W -D "cn=Manager,dc=genfic,dc=com" -f ldapreader.ldif</i> >+Password: <comment>enter the administrative password</comment> >+</pre> >+ >+</body> >+</section> >+</chapter> >+ >+<chapter> > <title>Client Configuration</title> > <section> > <title>Migrate existing data to ldap</title> > <body> > > <p> >+Configuring OpenLDAP for centralized administration and management of common >+Linux/Unix items isn't easy, but thanks to some tools and scripts available on >+the Internet, migrating a system from a single-system administrative >+point-of-view towards an OpenLDAP-based, centralized managed system isn't hard >+either. >+</p> >+ >+<p> > Go to <uri > link="http://www.padl.com/OSS/MigrationTools.html">http://www.padl.com/OSS/MigrationTools.html</uri> >-and fetch the scripts there. Configuration is stated on the page. We don't ship >-this anymore because the scripts are a potential security hole if you leave >-them on the system after porting. When you've finished migrating your data, >-continue to the next section. >+and fetch the scripts there. You'll need the migration tools and the >+<c>make_master.sh</c> script. 
>+</p> >+ >+<p> >+Next, extract the tools and copy the <c>make_master.sh</c> script inside the >+extracted location: >+</p> >+ >+<pre caption="Extracting the MigrationTools"> >+~# <i>mktemp -d</i> >+/tmp/tmp.zchomocO3Q >+~# <i>cd /tmp/tmp.zchomocO3Q</i> >+~# <i>tar xvzf /path/to/MigrationTools.tgz</i> >+~# <i>mv /path/to/make_master.sh MigrationTools-47</i> >+~# <i>cd MigrationTools-47</i> >+</pre> >+ >+<p> >+The next step now is to migrate the information of your system to OpenLDAP. The >+<c>make_master.sh</c> script will do this for you, after you have provided it >+with the information regarding your LDAP structure and environment. >+</p> >+ >+<p> >+At the time of writing, the tools require the following input: >+</p> >+ >+<table> >+<tr> >+ <th>Input</th> >+ <th>Description</th> >+ <th>Example</th> >+</tr> >+<tr> >+ <ti>LDAP BaseDN</ti> >+ <ti>The base location (root) of your tree</ti> >+ <ti>dc=genfic,dc=com</ti> >+</tr> >+<tr> >+ <ti>Mail domain</ti> >+ <ti>Domain used in e-mail addresses</ti> >+ <ti>genfic.com</ti> >+</tr> >+<tr> >+ <ti>Mail host</ti> >+ <ti>FQDN of your mail server infrastructure</ti> >+ <ti>smtp.genfic.com</ti> >+</tr> >+<tr> >+ <ti>LDAP Root DN</ti> >+ <ti>Administrative account information for your LDAP structure</ti> >+ <ti>cn=Manager,dc=genfic,dc=com</ti> >+</tr> >+<tr> >+ <ti>LDAP Root Password</ti> >+ <ti> >+ Password for the administrative account, cfr earlier <c>slappasswd</c> >+ command >+ </ti> >+ <ti></ti> >+</tr> >+</table> >+ >+<p> >+The tool will also ask you which accounts and settings you want to migrate. > </p> > > </body> >@@ -310,7 +469,7 @@ > #%PAM-1.0 > > auth required pam_env.so >-auth sufficient pam_unix.so try_first_pass likeauth nullok >+auth <i>sufficient</i> pam_unix.so try_first_pass likeauth nullok > <i>auth sufficient pam_ldap.so use_first_pass</i> > auth required pam_deny.so 
> >@@ -318,7 +477,7 @@ > account required pam_unix.so > > password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3 >-password sufficient pam_unix.so try_first_pass use_authtok nullok md5 shadow >+password <i>sufficient</i> pam_unix.so try_first_pass use_authtok nullok md5 shadow > <i>password sufficient pam_ldap.so use_authtok use_first_pass</i> > password required pam_deny.so > >@@ -338,20 +497,20 @@ > > suffix "dc=genfic,dc=com" > <comment>#rootbinddn uid=root,ou=People,dc=genfic,dc=com</comment> >- >-uri ldap://auth.genfic.com/ >-pam_password exop >- >+bind_policy soft >+bind_timelimit 2 > ldap_version 3 >+nss_base_group ou=Group,dc=genfic,dc=com >+nss_base_hosts ou=Hosts,dc=genfic,dc=com >+nss_base_passwd ou=People,dc=genfic,dc=com >+nss_base_shadow ou=People,dc=genfic,dc=com > pam_filter objectclass=posixAccount > pam_login_attribute uid > pam_member_attribute memberuid >-nss_base_passwd ou=People,dc=genfic,dc=com >-nss_base_shadow ou=People,dc=genfic,dc=com >-nss_base_group ou=Group,dc=genfic,dc=com >-nss_base_hosts ou=Hosts,dc=genfic,dc=com >- >+pam_password exop > scope one >+timelimit 2 >+uri ldap://ldap.genfic.com/ ldap://ldap1.genfic.com ldap://ldap2.genfic.com > </pre> > > <p> 
>@@ -376,26 +535,14 @@ > </pre> > > <p> >-To test the changes, type: >-</p> >- >-<pre caption="Testing LDAP Auth"> >-# <i>getent passwd|grep 0:0</i> >- >-<comment>(You should get two entries back:)</comment> >-root:x:0:0:root:/root:/bin/bash >-root:x:0:0:root:/root:/bin/bash >-</pre> >- >-<p> > If you noticed one of the lines you pasted into your <path>/etc/ldap.conf</path> > was commented out (the <c>rootbinddn</c> line): you don't need it unless you > want to change a user's password as superuser. In this case you need to echo > the root password to <path>/etc/ldap.secret</path> in plaintext. This is >-<brite>DANGEROUS</brite> and should be chmoded to 600. What I do is keep that >-file blank and when I need to change someones password thats both in the ldap >-and <path>/etc/passwd</path> I put the pass in there for 10 seconds while I >-change it and remove it when I'm done. >+<brite>DANGEROUS</brite> and should be chmoded to 600. What you might want to >+do is keep that file blank and when you need to change someones password thats >+both in the ldap and <path>/etc/passwd</path>, put the pass in there for 10 >+seconds while changing the users password and remove it when done. > </p> > > </body>
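Review bot: In the `@@ -166,52 +166,66 @@` hunk, changing the catch-all rule from `by anonymous auth` to `by anonymous read` grants unauthenticated binds read access to every attribute in the tree, and nothing in the sample `slapd.conf` restricts `userPassword`, so anonymous clients can read every password hash (including the `ldapreader` hash created later in the patch). The original `auth` privilege only let anonymous clients bind. If anonymous read is needed for the NSS lookups configured later, put an attribute-scoped rule before the catch-all, e.g. `access to attrs=userPassword,shadowLastChange` / `by self write` / `by anonymous auth` / `by * none`. Three smaller points in the same hunk: `loglevel 0` turns off all slapd logging, so nothing is left for auditing or troubleshooting (`loglevel stats` is the usual minimum); the `modulepath`/`moduleload back_hdb.so` lines are dropped while `database hdb` stays, which only works if the backend is compiled in statically; and `credentials="ldapsyncpass"` is a cleartext replication password sent to `provider=ldap://ldap2.genfic.com` over an unencrypted URI, so either `ldaps://` or `starttls=critical` belongs on the `syncrepl` stanza.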
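Review bot: In the `@@ -223,17 +237,27 @@` hunk the new `OPTS` line still asks slapd to listen on `ldaps://`, but the sample `slapd.conf` introduced earlier in this patch has no `TLSCertificateFile`/`TLSCertificateKeyFile` directives; slapd refuses to start an `ldaps://` listener without a configured TLS context, so either add the TLS directives to the sample or drop `ldaps://` from `OPTS` until they exist. The `TLS_REQCERT allow` line kept as context in the client `ldap.conf` means a bad or missing server certificate is silently accepted, which defeats most of the point of TLS; `demand` (the default) is the value to document once certificates are in place. The `mkdir`/`chown ldap:ldap`/`chmod 700` block for `/var/lib/openldap-ldbm` is a good addition and matches the `directory` directive in the earlier hunk.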
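Review bot: In the `@@ -262,18 +286,153 @@` hunk the replication account's password is inconsistent across the two samples: the LDIF is generated with `slappasswd -s myreaderpassword`, but the `syncrepl` stanza in the `slapd.conf` hunk binds with `credentials="ldapsyncpass"`, so a reader who copies both verbatim gets a consumer that can never bind. Use one placeholder in both places. The `ldapadd -x -W -D "cn=Manager,dc=genfic,dc=com"` command does a simple bind with the Manager password, which goes over the wire in the clear unless `-H ldapi://...` or TLS is used; the `ldapi://` socket is already enabled in `OPTS`, so `-H ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock` would be the safer example. The hunk also deletes the sentence explaining that the padl migration scripts are a potential security hole if left on the system; keeping a "remove the `mktemp -d` directory when done" line preserves that advice. Spelling in the added prose: `secundary` (twice) should be `secondary`, `setup` used as a verb should be `set up`, and `cfr` in the table should be `cf.`.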
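Review bot: In the `@@ -338,20 +497,20 @@` hunk the client `ldap.conf` still has no `binddn`, so every NSS and PAM lookup is an anonymous bind; this is what forces the `by anonymous read` ACL on the server, and it would be better to add a low-privilege bind account (the `ldapreader` role defined in this patch could serve, with `binddn`/`bindpw` and a `chmod 600` note) so the server ACL can go back to `by anonymous auth`. All three entries on the `uri` line are plain `ldap://`, so the passwords sent by `pam_password exop` and the simple binds cross the network unencrypted unless `ssl start_tls` is added; note also that only the first URI carries a trailing slash (`ldap://ldap.genfic.com/` versus `ldap://ldap1.genfic.com`), which should be made consistent.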
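Review bot: The `@@ -376,26 +535,14 @@` hunk removes the only verification step in the client section (`getent passwd | grep 0:0`, expecting the root entry twice), leaving the reader with no way to confirm that nss_ldap is actually being consulted before they reboot into a possibly broken PAM stack; keep a test here, even if the expected output changes. The rewritten paragraph still recommends writing the root password into `/etc/ldap.secret` in plaintext "for 10 seconds" while changing a password; if that advice stays, it should spell out `chmod 600` as a command rather than "should be chmoded", and the typos carried into the new lines (`someones`, `thats`) should read `someone's` and `that's`.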