Index: ldap-howto.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/ldap-howto.xml,v
retrieving revision 1.35
diff -u -r1.35 ldap-howto.xml
--- ldap-howto.xml 29 Nov 2006 15:48:57 -0000 1.35
+++ ldap-howto.xml 16 Aug 2007 00:00:16 -0000
@@ -8,18 +8,21 @@
-# emerge openldap pam_ldap nss_ldap migrationtools
-# chown ldap:ldap /var/lib/openldap-ldbm /var/lib/openldap-data /var/lib/openldap-slurp
+# emerge openldap
+# chown ldap:ldap /var/lib/openldap-data /var/lib/openldap-slurp
@@ -166,12 +169,14 @@
# Include the needed data schemes +include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema -# Use md5 to hash the passwords -password-hash {md5} +# Hash the passwords with standard MD5-Crypt +password-hash {CRYPT} +password-crypt-salt-format $1$%.8s# Define SSL and TLS properties (optional) TLSCertificateFile /etc/ssl/ldap.pem @@ -180,14 +185,28 @@(Further down...) -database ldbm +database bdb suffix "dc=genfic,dc=com" rootdn "cn=Manager,dc=genfic,dc=com" rootpw {MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ== -directory /var/lib/openldap-ldbm -index objectClass eq +directory /var/lib/openldap-data +index objectClass,uidNumber,gidNumber,memberUid pres,eq +index uid,description pres,eq,sub,approx +index cn, pres,eq,sub +index entryUUID pres,eq +sessionlog 100 500 +checkpoint 64 5 +cachesize 10000 +idlcachesize 10000 +sizelimit 1000(You can get an encrypted password like above with slappasswd -h {Md5}) + +# This is the monitoring interface for slapd +database monitor +access to dn.subtree="cn=Monitor" +by dn.base="cn=Manager,dc=genfic,dc=com" +
@@ -203,6 +222,7 @@ TLS_REQCERT allow +
Now edit
-OPTS="-h 'ldaps:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"
+OPTS="-h 'ldap:// ldaps:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"
@@ -252,58 +269,16 @@
+
auth required pam_env.so auth sufficient pam_unix.so likeauth nullok shadow @@ -347,14 +326,6 @@ session optional pam_ldap.so- -
Now change
Next, copy over the (OpenLDAP)
(Substitute ldap-server with your LDAP server name) # scp ldap-server:/etc/openldap/ldap.conf /etc/openldap @@ -408,6 +383,7 @@ To test the changes, type: +# getent passwd|grep 0:0 @@ -416,17 +392,6 @@ root:x:0:0:root:/root:/bin/bash--If you noticed one of the lines you pasted into your
-/etc/ldap.conf
-was commented out (therootbinddn line): you don't need it unless you
-want to change a user's password as superuser. In this case you need to echo
-the root password to/etc/ldap.secret in plaintext. This is
-DANGEROUS and should be chmoded to 600. What I do is keep that
-file blank and when I need to change someones password thats both in the ldap
-and/etc/passwd I put the pass in there for 10 seconds while I
-change it and remove it when I'm done.
-