Index: ldap-howto.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/ldap-howto.xml,v
retrieving revision 1.35
diff -u -r1.35 ldap-howto.xml
--- ldap-howto.xml	29 Nov 2006 15:48:57 -0000	1.35
+++ ldap-howto.xml	16 Aug 2007 00:00:16 -0000
@@ -8,18 +8,21 @@
 <author title="Author">
   <mail link="sj7trunks@pendulus.net">Benjamin Coles</mail>
 </author>
-
 <author title="Editor">
   <mail link="swift@gentoo.org">Sven Vermeulen</mail>
 </author>
-
 <author title="Editor">
   <mail link="tseng@gentoo.org">Brandon Hale</mail>
 </author>
 <author title="Editor">
   <mail link="bennyc@gentoo.org">Benny Chuang</mail>
 </author>
-
+<author title="Editor">
+  <mail link="nightmorph@gentoo.org">Joshua Saddler</mail>
+</author>
+<author title="Contributor">
+  <mail link="robbat2@gentoo.org">Robin H. Johnson</mail>
+</author>
 
 <abstract>
 This guide introduces the basics of LDAP and shows you how to setup
@@ -155,8 +158,8 @@
 </p>
 
 <pre caption="Install OpenLDAP">
-# <i>emerge openldap pam_ldap nss_ldap migrationtools</i>
-# <i>chown ldap:ldap /var/lib/openldap-ldbm /var/lib/openldap-data /var/lib/openldap-slurp</i>
+# <i>emerge openldap</i>
+# <i>chown ldap:ldap /var/lib/openldap-data /var/lib/openldap-slurp</i>
 </pre>
 
 <p>
@@ -166,12 +169,14 @@
 
 <pre caption="/etc/openldap/slapd.conf">
 <comment># Include the needed data schemes</comment>
+include         /etc/openldap/schema/core.schema
 include         /etc/openldap/schema/cosine.schema
 include         /etc/openldap/schema/inetorgperson.schema
 include         /etc/openldap/schema/nis.schema
 
-<comment># Use md5 to hash the passwords</comment>
-password-hash {md5}
+<comment># Hash the passwords with standard MD5-Crypt</comment>
+password-hash {CRYPT}
+password-crypt-salt-format $1$%.8s
 
 <comment># Define SSL and TLS properties (optional)</comment>
 TLSCertificateFile /etc/ssl/ldap.pem
@@ -180,14 +185,28 @@
 
 <comment>(Further down...)</comment>
 
-database        ldbm
+database        bdb
 suffix          "dc=genfic,dc=com"
 rootdn          "cn=Manager,dc=genfic,dc=com"
 rootpw          <i>{MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==</i>
-directory       /var/lib/openldap-ldbm
-index           objectClass     eq
+directory       /var/lib/openldap-data
+index           objectClass,uidNumber,gidNumber,memberUid    pres,eq
+index           uid,description pres,eq,sub,approx
+index           cn, pres,eq,sub
+index           entryUUID pres,eq
+sessionlog      100 500
+checkpoint      64  5
+cachesize       10000
+idlcachesize    10000
+sizelimit       1000
 
 <comment>(You can get an encrypted password like above with slappasswd -h {Md5})</comment>
+
+<comment># This is the monitoring interface for slapd</comment>
+database        monitor
+access to dn.subtree="cn=Monitor"
+by dn.base="cn=Manager,dc=genfic,dc=com"
+
 </pre>
 
 <p>
@@ -203,6 +222,7 @@
 TLS_REQCERT  allow
 </pre>
 
+<!-- TODO: this section needs to be completely redone without self-signing SSL
 <p>
 Now you will generate an SSL certificate to secure your directory.
 Answer the question you receive as good as possible. When asked for your
@@ -212,11 +232,8 @@
 </p>
 
 <pre caption="Generating SSL Certificate">
-# <i>cd /etc/ssl</i>
-# <i>openssl req -config /etc/ssl/openssl.cnf -new -x509 -nodes -out \
-ldap.pem -keyout /etc/openldap/ssl/ldap.pem -days 999999</i>
-# <i>chown ldap:ldap /etc/openldap/ssl/ldap.pem</i>
 </pre>
+-->
 
 <p>
 Now edit <path>/etc/conf.d/slapd</path> and add the following, commenting out 
@@ -224,7 +241,7 @@
 </p>
 
 <pre caption="/etc/conf.d/slapd">
-OPTS="-h 'ldaps:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"
+OPTS="-h 'ldap:// ldaps:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"
 </pre>
 
 <p>
@@ -252,58 +269,16 @@
 </section>
 </chapter>
 
+<!--TODO: explain how to use diradm for data migration
 <chapter>
 <title>Migrate Existing Data</title>
 <section>
 <title>Migrate User Accounts</title>
 <body>
-
-<p>
-Next, we migrate the user accounts. Open 
-<path>/usr/share/migrationtools/migrate_common.ph</path> and edit the 
-following:
-</p>
-
-<pre caption="/usr/share/migrationtools/migrate_common.ph">
-$DEFAULT_BASE = "dc=genfic,dc=com";
-$EXTENDED_SCHEMA = 1;
-<comment># Comment these lines out unless you have a mail schema loaded</comment>
-<comment>#$DEFAULT_MAIL_DOMAIN = "genfic.com";</comment>
-<comment>#$DEFAULT_MAIL_HOST = "mail.genfic.com";</comment>
-</pre>
-
-<p>
-Now run the migration scripts:
-</p>
-
-<pre caption="Running the migration scripts">
-# <i>export ETC_SHADOW=/etc/shadow</i>
-# <i>cd /usr/share/migrationtools</i>
-# <i>./migrate_base.pl > /tmp/base.ldif</i>
-# <i>./migrate_group.pl /etc/group /tmp/group.ldif</i>
-# <i>./migrate_hosts.pl /etc/hosts /tmp/hosts.ldif</i>
-# <i>./migrate_passwd.pl /etc/passwd /tmp/passwd.ldif</i>
-</pre>
-
-<p>
-This last step migrated the files above to ldif files read by LDAP. Now lets add the files to our directory:
-</p>
-
-<pre caption="Importing the data to our directory">
-# <i>ldapadd -D "cn=Manager,dc=genfic,dc=com" -W -f /tmp/base.ldif</i>
-# <i>ldapadd -D "cn=Manager,dc=genfic,dc=com" -W -f /tmp/group.ldif</i>
-# <i>ldapadd -D "cn=Manager,dc=genfic,dc=com" -W -f /tmp/passwd.ldif</i>
-# <i>ldapadd -D "cn=Manager,dc=genfic,dc=com" -W -f /tmp/hosts.ldif</i>
-</pre>
-
-<p>
-If you come across an error in your ldif files, you can resume from where you
-left off by using <c>ldapadd -c</c>.
-</p>
-
 </body>
 </section>
 </chapter>
+-->
 
 <chapter>
 <title>Client Configuration</title>
@@ -326,6 +301,10 @@
 Now edit <path>/etc/pam.d/system-auth</path> so it looks like the following:
 </p>
 
+<!--
+Code sample needs a complete replacement with a more recent one, then the pam_ldap
+lines can be added
+-->
 <pre caption="/etc/pam.d/system-auth">
 auth    required    pam_env.so
 auth    sufficient  pam_unix.so likeauth nullok shadow
@@ -347,14 +326,6 @@
 session optional    pam_ldap.so
 </pre>
 
-<!--  Should work now, see #87930
-<note>
-If you find that login on using ssh on these system fails, try interchanging the
-two <c>auth sufficient</c> lines. However, you might find that <c>su</c> and
-other tools refuse to function correctly if you do.
-</note>
--->
-
 <p>
 Now change <path>/etc/ldap.conf</path> to read:
 </p>
@@ -364,17 +335,17 @@
 <comment>#base dc=padl,dc=com</comment>
 
 ssl start_tls
-ssl on
 suffix          "dc=genfic,dc=com"
 <comment>#rootbinddn uid=root,ou=People,dc=genfic,dc=com</comment>
 
-uri ldaps://auth.genfic.com/
+uri ldap://auth.genfic.com/
 pam_password exop
 
 ldap_version 3
 pam_filter objectclass=posixAccount
 pam_login_attribute uid
-pam_member_attribute memberuid
+pam_member_attribute gid
+base dc=genfic,dc=com
 nss_base_passwd ou=People,dc=genfic,dc=com
 nss_base_shadow ou=People,dc=genfic,dc=com
 nss_base_group  ou=Group,dc=genfic,dc=com
@@ -382,12 +353,16 @@
 
 scope one
 </pre>
+<!-- TODO: Add time/retry numbers to the above code -->
 
 <p>
 Next, copy over the (OpenLDAP) <path>ldap.conf</path> file from the server to 
 the client so the clients are aware of the LDAP environment:
 </p>
 
+<!--
+TODO: add a separate /etc/openldap/ldap.conf for the server that uses ldapi
+-->
 <pre caption="Copying over the OpenLDAP ldap.conf">
 <comment>(Substitute ldap-server with your LDAP server name)</comment>
 # <i>scp ldap-server:/etc/openldap/ldap.conf /etc/openldap</i>
@@ -408,6 +383,7 @@
 To test the changes, type:
 </p>
 
+<!-- TODO: REPLACE with an example showing a single pure LDAP user -->
 <pre caption="Testing LDAP Auth">
 # <i>getent passwd|grep 0:0</i>
 
@@ -416,17 +392,6 @@
 root:x:0:0:root:/root:/bin/bash
 </pre>
 
-<p>
-If you noticed one of the lines you pasted into your <path>/etc/ldap.conf</path>
-was commented out (the <c>rootbinddn</c> line): you don't need it unless you 
-want to change a user's password as superuser. In this case you need to echo 
-the root password to <path>/etc/ldap.secret</path> in plaintext. This is 
-<brite>DANGEROUS</brite> and should be chmoded to 600. What I do is keep that 
-file blank and when I need to change someones password thats both in the ldap 
-and <path>/etc/passwd</path> I put the pass in there for 10 seconds while I 
-change it and remove it when I'm done.
-</p>
-
 </body>
 </section>
 </chapter>
@@ -522,6 +487,5 @@
 
 </body>
 </section>
-
 </chapter>
 </guide>