Index: ldap-howto.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/ldap-howto.xml,v
retrieving revision 1.43
diff -u -B -r1.43 ldap-howto.xml
--- ldap-howto.xml 18 Apr 2011 02:01:11 -0000 1.43
+++ ldap-howto.xml 14 Aug 2011 14:59:07 -0000
@@ -8,8 +8,8 @@
 Benjamin Coles
-
- Sven Vermeulen
+
+ Brandon Hale
@@ -33,8 +33,8 @@
-5
-2011-04-17
+6
+2011-08-13
 Getting Started with OpenLDAP
@@ -166,52 +166,66 @@
 # slappasswd
-New password: my-password
-Re-enter new password: my-password
+New password: my-password
+Re-enter new password: my-password
 {SSHA}EzP6I82DZRnW+ou6lyiXHGxSpSOw2XO4
 

-Now edit the LDAP Server config at /etc/openldap/slapd.conf:
+Now edit the LDAP Server config at /etc/openldap/slapd.conf. Below
+we'll give a sample configuration file to get things started. For a more
+detailed analysis of the configuration file, we suggest that you work through
+the OpenLDAP Administrator's Guide.

-# Include the needed data schemes below core.schema
-include         /etc/openldap/schema/cosine.schema
-include         /etc/openldap/schema/inetorgperson.schema
-include         /etc/openldap/schema/nis.schema
-
-Uncomment modulepath and hdb module
-# Load dynamic backend modules:
-modulepath    /usr/lib/openldap/openldap
-# moduleload    back_shell.so
-# moduleload    back_relay.so
-# moduleload    back_perl.so
-# moduleload    back_passwd.so
-# moduleload    back_null.so
-# moduleload    back_monitor.so
-# moduleload    back_meta.so
-moduleload    back_hdb.so
-# moduleload    back_dnssrv.so
+include	/etc/openldap/schema/core.schema
+include /etc/openldap/schema/cosine.schema
+include /etc/openldap/schema/inetorgperson.schema
+include /etc/openldap/schema/nis.schema
+include	/etc/openldap/schema/misc.schema
+
+pidfile /var/run/openldap/slapd.pid
+argsfile /var/run/openldap/slapd.args
+
+serverID 0 Used in case of replication
+loglevel 0
 
-# Uncomment sample access restrictions (Note: maintain indentation!)
+## Access Controls
 access to dn.base="" by * read
 access to dn.base="cn=Subschema" by * read
 access to *
-   by self write
-   by users read
-   by anonymous auth
+  by self write
+  by users read
+  by anonymous read
 
+## Database definition
+database hdb
+suffix "dc=genfic,dc=com"
+checkpoint 32 30
+rootdn "cn=Manager,dc=genfic,dc=com"
+rootpw "{SSHA}EzP6I82DZRnW+ou6lyiXHGxSpSOw2XO4" # See earlier slappasswd command
+directory "/var/lib/openldap-ldbm"
+index objectClass eq
+
+## Synchronisation (pull from other LDAP server)
+syncrepl rid=000
+  provider=ldap://ldap2.genfic.com
+  type=refreshAndPersist
+  retry="5 5 300 +"
+  searchbase="dc=genfic,dc=com"
+  attrs="*,+"
+  bindmethod="simple"
+  binddn="cn=ldapreader.genfic.com,dc=genfic,dc=com"
+  credentials="ldapsyncpass"
 
-# BDB Database definition
+index entryCSN eq
+index entryUUID eq
 
-database        hdb
-suffix          "dc=genfic,dc=com"
-checkpoint      32      30 # <kbyte> <min>
-rootdn          "cn=Manager,dc=genfic,dc=com"
-rootpw          {SSHA}EzP6I82DZRnW+ou6lyiXHGxSpSOw2XO4
-directory       /var/lib/openldap-ldbm
-index           objectClass     eq
+mirrormode TRUE
+
+overlay syncprov
+syncprov-checkpoint 100 10
 

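Review bot: `by anonymous read` on the catch-all `access to *` rule (the third `by` clause under it) lets unauthenticated clients read every attribute, including the `userPassword` hashes of all entries, whereas `by anonymous auth` only permits binding; keep `auth` there and put a dedicated `attrs=userPassword` rule in front of it that still lets the replication DN read the attribute it has to replicate (below). The syncrepl stanza binds with `credentials="ldapsyncpass"` to a plain `ldap://ldap2.genfic.com` provider with no `starttls=` keyword, so the reader password crosses the network in the clear; add `starttls=critical` to the stanza (with TLS configured on the provider) or use an `ldaps://` provider URL. slapd.conf only treats `#` at the start of a line as a comment, so the trailing `# See earlier slappasswd command` on the `rootpw` line and the bare `Used in case of replication` after `serverID 0` are parsed as extra arguments and will most likely make slapd reject the file; move both onto their own `#` lines. `loglevel 0` also silences the stats log that records bind attempts, which is the first thing needed when investigating an authentication problem or misuse of the reader account; `loglevel stats` is the usual production setting.
```xml
## Access Controls
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to attrs=userPassword
  by self write
  by dn.exact="cn=ldapreader.genfic.com,dc=genfic,dc=com" read
  by anonymous auth
  by * none
access to *
  by self write
  by users read
  by anonymous auth
```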
@@ -223,17 +237,27 @@
 (Add the following...)
 BASE dc=genfic, dc=com
-URI ldap://auth.genfic.com:389/
+URI ldap://ldap.genfic.com:389/ ldap://ldap1.genfic.com:389/ ldap://ldap2.genfic.com:389/
 TLS_REQCERT allow
+TIMELIMIT 2

-Now edit /etc/conf.d/slapd and uncomment the following OPTS line:
+Now edit /etc/conf.d/slapd and set the following OPTS line:

-# Note: we don't use cn=config here, so stay with this line:
-OPTS="-F /etc/openldap/slapd.d -h 'ldaps:// ldap:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"
+OPTS="-h 'ldaps:// ldap:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"
+
+
+

+Finally, create the /var/lib/openldap-ldbm structure:
+

+
+
+~# mkdir -p /var/lib/openldap-ldbm
+~# chown ldap:ldap /var/lib/openldap-ldbm
+~# chmod 700 /var/lib/openldap-ldbm
 

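Review bot: The new OPTS line keeps `ldaps://` in the listener list, but the slapd.conf sample earlier in this patch defines no `TLSCertificateFile`/`TLSCertificateKeyFile`, so as far as this page shows slapd has no certificate for that listener and, in my experience, fails to start rather than silently skipping it; either add the TLS directives to the sample or drop `ldaps://` from OPTS until they are covered. The client `URI` line now lists three plain `ldap://` servers next to the existing `TLS_REQCERT allow`, so nothing on this page verifies a server certificate even when TLS is negotiated; showing `TLS_REQCERT demand` together with a `TLS_CACERT` path would be the safer default for readers to copy.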
@@ -262,18 +286,153 @@
+Replication
+

+If you need high availability
+
+
+

+If your environment requires high availability, then you need to setup
+replication of changes across multiple LDAP systems. Replication within OpenLDAP
+is, in this guide, set up using a specific replication account
+(ldapreader) which has read rights on the primary LDAP server and which
+pulls in changes from the primary LDAP server to the secundary.
+

+
+

+This setup is then mirrored, allowing the secundary LDAP server to act as a
+primary. Thanks to OpenLDAP's internal structure, changes are not re-applied if
+they are already in the LDAP structure.
+

+
+
+
+
+Setting Up Replication
+
+
+

+To setup replication, first setup a second OpenLDAP server, similarly as above.
+However take care that, in the configuration file,
+

+
+
    +
  • + the sync replication provider is pointing to the other system +
  • +
  • + the serverID of each OpenLDAP system is different +
  • +
+
+

+Next, create the synchronisation account. We will create an LDIF file (the
+format used as data input for LDAP servers) and add it to each LDAP server:
+

+
+
+~# slappasswd -s myreaderpassword
+ {SSHA}XvbdAv6rdskp9HgFaFL9YhGkJH3HSkiM
+
+~# cat ldapreader.ldif
+dn: cn=ldapreader.genfic.com,dc=genfic,dc=com
+userPassword: {SSHA}XvbdAv6rdskp9HgFaFL9YhGkJH3HSkiM
+objectClass: organizationalRole
+objectClass: simpleSecurityObject
+cn: ldapreader.genfic.com
+description: LDAP reader used for synchronization
+
+~# ldapadd -x -W -D "cn=Manager,dc=genfic,dc=com" -f ldapreader.ldif
+Password: enter the administrative password
+
+
+
+
+
+ + Client Configuration
Migrate existing data to ldap

+Configuring OpenLDAP for centralized administration and management of common
+Linux/Unix items isn't easy, but thanks to some tools and scripts available on
+the Internet, migrating a system from a single-system administrative
+point-of-view towards an OpenLDAP-based, centralized managed system isn't hard
+either.
+

+
+

Go to http://www.padl.com/OSS/MigrationTools.html
-and fetch the scripts there. Configuration is stated on the page. We don't ship
-this anymore because the scripts are a potential security hole if you leave
-them on the system after porting. When you've finished migrating your data,
-continue to the next section.
+and fetch the scripts there. You'll need the migration tools and the
+make_master.sh script.
+

+
+

+Next, extract the tools and copy the make_master.sh script inside the
+extracted location:
+

+
+
+~# mktemp -d
+/tmp/tmp.zchomocO3Q
+~# cd /tmp/tmp.zchomocO3Q
+~# tar xvzf /path/to/MigrationTools.tgz
+~# mv /path/to/make_master.sh MigrationTools-47
+~# cd MigrationTools-47
+
+
+

+The next step now is to migrate the information of your system to OpenLDAP. The
+make_master.sh script will do this for you, after you have provided it
+with the information regarding your LDAP structure and environment.
+

+
+

+At the time of writing, the tools require the following input:
+

+ + + + + + + + + LDAP BaseDN + The base location (root) of your tree + dc=genfic,dc=com + + + Mail domain + Domain used in e-mail addresses + genfic.com + + + Mail host + FQDN of your mail server infrastructure + smtp.genfic.com + + + LDAP Root DN + Administrative account information for your LDAP structure + cn=Manager,dc=genfic,dc=com + + + LDAP Root Password + + Password for the administrative account, cfr earlier slappasswd + command + + + +
InputDescriptionExample
+
+

+The tool will also ask you which accounts and settings you want to migrate.

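Review bot: `slappasswd -s myreaderpassword` puts the secret on the command line, where it ends up in shell history and is visible to every local user through the process list; run `slappasswd` without `-s` and type the password at the prompt, exactly as the earlier slappasswd example on this page does. The hash produced here is for `myreaderpassword`, but the syncrepl stanza in the slapd.conf hunk above binds as the same `cn=ldapreader.genfic.com,dc=genfic,dc=com` DN with `credentials="ldapsyncpass"`, so a reader who follows both examples literally ends up with a consumer that cannot bind; the two examples should use one value, or the text should say the credential must match. The MigrationTools paragraph no longer tells the reader what to do with the extracted scripts afterwards; a closing sentence such as `Remove the extracted MigrationTools directory once the migration is complete; the scripts are not needed on a running system.` would keep that advice in the new text.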
@@ -310,7 +469,7 @@
 #%PAM-1.0
 auth required pam_env.so
-auth sufficient pam_unix.so try_first_pass likeauth nullok
+auth sufficient pam_unix.so try_first_pass likeauth nullok
 auth sufficient pam_ldap.so use_first_pass
 auth required pam_deny.so
@@ -318,7 +477,7 @@
 account required pam_unix.so
 password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
-password sufficient pam_unix.so try_first_pass use_authtok nullok md5 shadow
+password sufficient pam_unix.so try_first_pass use_authtok nullok md5 shadow
 password sufficient pam_ldap.so use_authtok use_first_pass
 password required pam_deny.so
@@ -338,20 +497,20 @@
 suffix "dc=genfic,dc=com"
 #rootbinddn uid=root,ou=People,dc=genfic,dc=com
-
-uri ldap://auth.genfic.com/
-pam_password exop
-
+bind_policy soft
+bind_timelimit 2
 ldap_version 3
+nss_base_group ou=Group,dc=genfic,dc=com
+nss_base_hosts ou=Hosts,dc=genfic,dc=com
+nss_base_passwd ou=People,dc=genfic,dc=com
+nss_base_shadow ou=People,dc=genfic,dc=com
 pam_filter objectclass=posixAccount
 pam_login_attribute uid
 pam_member_attribute memberuid
-nss_base_passwd ou=People,dc=genfic,dc=com
-nss_base_shadow ou=People,dc=genfic,dc=com
-nss_base_group ou=Group,dc=genfic,dc=com
-nss_base_hosts ou=Hosts,dc=genfic,dc=com
-
+pam_password exop
 scope one
+timelimit 2
+uri ldap://ldap.genfic.com/ ldap://ldap1.genfic.com ldap://ldap2.genfic.com
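Review bot: The new `uri ldap://ldap.genfic.com/ ldap://ldap1.genfic.com ldap://ldap2.genfic.com` line in the `-338,20` hunk uses plain `ldap://` and nothing in this /etc/ldap.conf sample turns on TLS, so the simple bind that `pam_ldap.so` performs with the user's password, and the password change done through `pam_password exop`, travel over the network in cleartext; add `ssl start_tls` and `tls_checkpeer yes` next to the `uri` line, or use `ldaps://` URIs with `ssl on`. `bind_policy soft` together with `bind_timelimit 2` and `timelimit 2` makes a lookup against an unreachable server fail immediately instead of retrying, which is a sensible availability trade-off for a multi-server setup but should be stated in the surrounding text so readers do not reintroduce the long hangs it avoids. The two PAM hunks (`-310,7` and `-318,7`) change only whitespace.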

@@ -376,26 +535,14 @@

-To test the changes, type:
-

-
-
-# getent passwd|grep 0:0
-
-(You should get two entries back:)
-root:x:0:0:root:/root:/bin/bash
-root:x:0:0:root:/root:/bin/bash
-
-
-

If you noticed one of the lines you pasted into your /etc/ldap.conf was commented out (the rootbinddn line): you don't need it unless you want to change a user's password as superuser. In this case you need to echo the root password to /etc/ldap.secret in plaintext. This is
-DANGEROUS and should be chmoded to 600. What I do is keep that
-file blank and when I need to change someones password thats both in the ldap
-and /etc/passwd I put the pass in there for 10 seconds while I
-change it and remove it when I'm done.
+DANGEROUS and should be chmoded to 600. What you might want to
+do is keep that file blank and when you need to change someones password thats
+both in the ldap and /etc/passwd, put the pass in there for 10
+seconds while changing the users password and remove it when done.