Index: ldap-howto.xml =================================================================== RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/ldap-howto.xml,v retrieving revision 1.35 diff -u -t -r1.35 ldap-howto.xml --- ldap-howto.xml 29 Nov 2006 15:48:57 -0000 1.35 +++ ldap-howto.xml 15 Oct 2007 09:34:05 -0000 @@ -1,8 +1,8 @@ - + - + Gentoo Guide to OpenLDAP Authentication @@ -19,6 +19,9 @@ Benny Chuang + + Markus Ullmann + @@ -30,8 +33,8 @@ -0.22 -2005-10-21 +0.23 +2007-10-15 Getting Started with OpenLDAP @@ -155,43 +158,65 @@ 

-# emerge openldap pam_ldap nss_ldap migrationtools
-# chown ldap:ldap /var/lib/openldap-ldbm /var/lib/openldap-data /var/lib/openldap-slurp
+# emerge ">=net-nds/openldap-2.3.38" pam_ldap nss_ldap

-Edit /etc/openldap/slapd.conf and add the following right after -core.schema: +Now generate an encrypted password we'll use later on: +

+ +
+# slappasswd
+New password: my-password
+Re-enter new password: my-password
+{SSHA}EzP6I82DZRnW+ou6lyiXHGxSpSOw2XO4
+
+ +

+Now edit the LDAP Server config at /etc/openldap/slapd.conf: 

-# Include the needed data schemes
+# Include the needed data schemes below core.schema
 include         /etc/openldap/schema/cosine.schema
 include         /etc/openldap/schema/inetorgperson.schema
 include         /etc/openldap/schema/nis.schema
 
-# Use md5 to hash the passwords
-password-hash {md5}
+Uncomment modulepath and hdb module
+# Load dynamic backend modules:
+modulepath    /usr/lib/openldap/openldap
+# moduleload    back_shell.so
+# moduleload    back_relay.so
+# moduleload    back_perl.so
+# moduleload    back_passwd.so
+# moduleload    back_null.so
+# moduleload    back_monitor.so
+# moduleload    back_meta.so
+moduleload    back_hdb.so
+# moduleload    back_dnssrv.so
+
+# Uncomment sample access restrictions (Note: maintain indentation!)
+access to dn.base="" by * read
+access to dn.base="cn=Subschema" by * read
+access to *
+   by self write
+   by users read
+   by anonymous auth
 
-# Define SSL and TLS properties (optional)
-TLSCertificateFile /etc/ssl/ldap.pem
-TLSCertificateKeyFile /etc/openldap/ssl/ldap.pem
-TLSCACertificateFile /etc/ssl/ldap.pem
 
-(Further down...)
+# BDB Database definition
 
-database        ldbm
+database        hdb
 suffix          "dc=genfic,dc=com"
+checkpoint      32      30 # <kbyte> <min>
 rootdn          "cn=Manager,dc=genfic,dc=com"
-rootpw          {MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==
+rootpw          {SSHA}EzP6I82DZRnW+ou6lyiXHGxSpSOw2XO4
 directory       /var/lib/openldap-ldbm
 index           objectClass     eq
-
-(You can get an encrypted password like above with slappasswd -h {Md5})

-Next we edit the LDAP configuration file: +Next we edit the LDAP Client configuration file: 

@@ -199,32 +224,18 @@
 (Add the following...)
 
 BASE         dc=genfic, dc=com
-URI          ldaps://auth.genfic.com:636/
+URI          ldap://auth.genfic.com:389/
 TLS_REQCERT  allow

-Now you will generate an SSL certificate to secure your directory. -Answer the question you receive as good as possible. When asked for your -Common Name, enter the name the clients will use when contacting -the server. This is usually the full domainname (e.g. -auth.genfic.com). -

- -
-# cd /etc/ssl
-# openssl req -config /etc/ssl/openssl.cnf -new -x509 -nodes -out \
-ldap.pem -keyout /etc/openldap/ssl/ldap.pem -days 999999
-# chown ldap:ldap /etc/openldap/ssl/ldap.pem
-
- -

Now edit /etc/conf.d/slapd and add the following, commenting out the existing line: 

-OPTS="-h 'ldaps:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"
+# Note: we don't use cn=config here, so stay with this line:
+OPTS="-h 'ldap:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"

@@ -253,60 +264,13 @@ -Migrate Existing Data +Client Configuration

-Migrate User Accounts +Migrate existing data to ldap - -

-Next, we migrate the user accounts. Open -/usr/share/migrationtools/migrate_common.ph and edit the -following: -

- -
-$DEFAULT_BASE = "dc=genfic,dc=com";
-$EXTENDED_SCHEMA = 1;
-# Comment these lines out unless you have a mail schema loaded
-#$DEFAULT_MAIL_DOMAIN = "genfic.com";
-#$DEFAULT_MAIL_HOST = "mail.genfic.com";
-
- -

-Now run the migration scripts: -

- -
-# export ETC_SHADOW=/etc/shadow
-# cd /usr/share/migrationtools
-# ./migrate_base.pl > /tmp/base.ldif
-# ./migrate_group.pl /etc/group /tmp/group.ldif
-# ./migrate_hosts.pl /etc/hosts /tmp/hosts.ldif
-# ./migrate_passwd.pl /etc/passwd /tmp/passwd.ldif
-
- -

-This last step migrated the files above to ldif files read by LDAP. Now lets add the files to our directory: -

- -
-# ldapadd -D "cn=Manager,dc=genfic,dc=com" -W -f /tmp/base.ldif
-# ldapadd -D "cn=Manager,dc=genfic,dc=com" -W -f /tmp/group.ldif
-# ldapadd -D "cn=Manager,dc=genfic,dc=com" -W -f /tmp/passwd.ldif
-# ldapadd -D "cn=Manager,dc=genfic,dc=com" -W -f /tmp/hosts.ldif
-
- -

-If you come across an error in your ldif files, you can resume from where you -left off by using ldapadd -c. -

- +Go to http://www.padl.com/OSS/MigrationTools.html and fetch the scripts there. Configuration is stated on the page. We don't ship this anymore because the scripts are a potential security hole if you leave them on the system after porting. When you've finished migrating your data, go on below.
- - - -Client Configuration
Configuring PAM @@ -323,37 +287,38 @@

-Now edit /etc/pam.d/system-auth so it looks like the following: +Now add the following lines in the right places to /etc/pam.d/system-auth: 

-auth    required    pam_env.so
-auth    sufficient  pam_unix.so likeauth nullok shadow
-auth    sufficient  pam_ldap.so use_first_pass
-auth    required    pam_deny.so
-
-account requisite  pam_unix.so
-account sufficient pam_localuser.so
-account required   pam_ldap.so
-
-password    required pam_cracklib.so retry=3
-password    sufficient pam_unix.so nullok use_authtok shadow md5
-password    sufficient pam_ldap.so use_authtok use_first_pass
-password    required pam_deny.so
-
-session required    pam_limits.so
-session required    pam_unix.so
-session required    pam_mkhomedir.so skel=/etc/skel/ umask=0066
-session optional    pam_ldap.so
-
+# Note: only add them. Don't kill stuff already in there or your box won't let you login again! - +auth sufficient pam_ldap.so use_first_pass +account sufficient pam_ldap.so +password sufficient pam_ldap.so use_authtok use_first_pass +session optional pam_ldap.so + +# Example file: +#%PAM-1.0 + +auth required pam_env.so +auth sufficient pam_unix.so try_first_pass likeauth nullok +auth sufficient pam_ldap.so use_first_pass +auth required pam_deny.so + +account sufficient pam_ldap.so +account required pam_unix.so + +password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3 +password sufficient pam_unix.so try_first_pass use_authtok nullok md5 shadow +password sufficient pam_ldap.so use_authtok use_first_pass +password required pam_deny.so + +session required pam_limits.so +session required pam_unix.so +session optional pam_ldap.so + +

Now change /etc/ldap.conf to read: @@ -363,12 +328,10 @@ #host 127.0.0.1 #base dc=padl,dc=com -ssl start_tls -ssl on suffix "dc=genfic,dc=com" #rootbinddn uid=root,ou=People,dc=genfic,dc=com -uri ldaps://auth.genfic.com/ +uri ldap://auth.genfic.com/ pam_password exop ldap_version 3 @@ -502,8 +465,8 @@

You can start using the directory to authenticate users in apache/proftpd/qmail/samba. You can manage it with Webmin, which provides a -really easy management interface. You can also use gq or -directory_administrator. +really easy management interface. You can also use phpldapadmin, luma, +diradm or lat.