Gentoo Archives: gentoo-doc-cvs

From: "Sven Vermeulen (swift)" <swift@g.o>
To: gentoo-doc-cvs@l.g.o
Subject: [gentoo-doc-cvs] gentoo commit in xml/htdocs/doc/en: ldap-howto.xml
Date: Mon, 15 Aug 2011 20:25:55
Message-Id: 20110815202530.4FF0B2004C@flycatcher.gentoo.org
1 swift 11/08/15 20:25:30
2
3 Modified: ldap-howto.xml
4 Log:
5 Fix #176075 - Updated OpenLDAP guide
6
7 Revision Changes Path
8 1.44 xml/htdocs/doc/en/ldap-howto.xml
9
10 file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/doc/en/ldap-howto.xml?rev=1.44&view=markup
11 plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/doc/en/ldap-howto.xml?rev=1.44&content-type=text/plain
12 diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/doc/en/ldap-howto.xml?r1=1.43&r2=1.44
13
14 Index: ldap-howto.xml
15 ===================================================================
16 RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/ldap-howto.xml,v
17 retrieving revision 1.43
18 retrieving revision 1.44
19 diff -u -r1.43 -r1.44
20 --- ldap-howto.xml 18 Apr 2011 02:01:11 -0000 1.43
21 +++ ldap-howto.xml 15 Aug 2011 20:25:30 -0000 1.44
22 @@ -1,15 +1,15 @@
23 <?xml version='1.0' encoding='UTF-8'?>
24 -<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/ldap-howto.xml,v 1.43 2011/04/18 02:01:11 nightmorph Exp $ -->
25 +<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/ldap-howto.xml,v 1.44 2011/08/15 20:25:30 swift Exp $ -->
26 <!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
27
28 -<guide disclaimer="draft">
29 +<guide>
30 <title>Gentoo Guide to OpenLDAP Authentication</title>
31
32 <author title="Author">
33 <mail link="sj7trunks@××××××××.net">Benjamin Coles</mail>
34 </author>
35 -<author title="Editor">
36 - <mail link="swift@g.o">Sven Vermeulen</mail>
37 +<author title="Author">
38 + <mail link="swift"/>
39 </author>
40 <author title="Editor">
41 <mail link="tseng@g.o">Brandon Hale</mail>
42 @@ -33,8 +33,8 @@
43 <!-- See http://creativecommons.org/licenses/by-sa/2.5 -->
44 <license/>
45
46 -<version>5</version>
47 -<date>2011-04-17</date>
48 +<version>6</version>
49 +<date>2011-08-15</date>
50
51 <chapter>
52 <title>Getting Started with OpenLDAP</title>
53 @@ -166,52 +166,66 @@
54
55 <pre caption="Generate password">
56 # <i>slappasswd</i>
57 -New password: my-password
58 -Re-enter new password: my-password
59 +New password: <i>my-password</i>
60 +Re-enter new password: <i>my-password</i>
61 {SSHA}EzP6I82DZRnW+ou6lyiXHGxSpSOw2XO4
62 </pre>
63
64 <p>
65 -Now edit the LDAP Server config at <path>/etc/openldap/slapd.conf</path>:
66 +Now edit the LDAP Server config at <path>/etc/openldap/slapd.conf</path>. Below
67 +we'll give a sample configuration file to get things started. For a more
68 +detailed analysis of the configuration file, we suggest that you work through
69 +the OpenLDAP Administrator's Guide.
70 </p>
71
72 <pre caption="/etc/openldap/slapd.conf">
73 -<comment># Include the needed data schemes below core.schema</comment>
74 -include /etc/openldap/schema/cosine.schema
75 -include /etc/openldap/schema/inetorgperson.schema
76 -include /etc/openldap/schema/nis.schema
77 -
78 -<comment>Uncomment modulepath and hdb module</comment>
79 -# Load dynamic backend modules:
80 -modulepath /usr/lib/openldap/openldap
81 -# moduleload back_shell.so
82 -# moduleload back_relay.so
83 -# moduleload back_perl.so
84 -# moduleload back_passwd.so
85 -# moduleload back_null.so
86 -# moduleload back_monitor.so
87 -# moduleload back_meta.so
88 -moduleload back_hdb.so
89 -# moduleload back_dnssrv.so
90 +include /etc/openldap/schema/core.schema
91 +include /etc/openldap/schema/cosine.schema
92 +include /etc/openldap/schema/inetorgperson.schema
93 +include /etc/openldap/schema/nis.schema
94 +include /etc/openldap/schema/misc.schema
95 +
96 +pidfile /var/run/openldap/slapd.pid
97 +argsfile /var/run/openldap/slapd.args
98
99 -<comment># Uncomment sample access restrictions (Note: maintain indentation!)</comment>
100 +serverID 0 <comment>Used in case of replication</comment>
101 +loglevel 0
102 +
103 +<comment>## Access Controls</comment>
104 access to dn.base="" by * read
105 access to dn.base="cn=Subschema" by * read
106 access to *
107 - by self write
108 - by users read
109 - by anonymous auth
110 + by self write
111 + by users read
112 + by anonymous read
113
114 +<comment>## Database definition</comment>
115 +database hdb
116 +suffix "dc=genfic,dc=com"
117 +checkpoint 32 30
118 +rootdn "cn=Manager,dc=genfic,dc=com"
119 +rootpw "{SSHA}EzP6I82DZRnW+ou6lyiXHGxSpSOw2XO4" <comment># See earlier slappasswd command</comment>
120 +directory "/var/lib/openldap-ldbm"
121 +index objectClass eq
122 +
123 +<comment>## Synchronisation (pull from other LDAP server)</comment>
124 +syncrepl rid=000
125 + provider=ldap://ldap2.genfic.com
126 + type=refreshAndPersist
127 + retry="5 5 300 +"
128 + searchbase="dc=genfic,dc=com"
129 + attrs="*,+"
130 + bindmethod="simple"
131 + binddn="cn=ldapreader,dc=genfic,dc=com"
132 + credentials="ldapsyncpass"
133
134 -<comment># BDB Database definition</comment>
135 +index entryCSN eq
136 +index entryUUID eq
137
138 -database hdb
139 -suffix "dc=genfic,dc=com"
140 -checkpoint 32 30 # &lt;kbyte&gt; &lt;min&gt;
141 -rootdn "cn=Manager,dc=genfic,dc=com"
142 -rootpw <i>{SSHA}EzP6I82DZRnW+ou6lyiXHGxSpSOw2XO4</i>
143 -directory /var/lib/openldap-ldbm
144 -index objectClass eq
145 +mirrormode TRUE
146 +
147 +overlay syncprov
148 +syncprov-checkpoint 100 10
149 </pre>
150
151 <p>
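Review bot: the catch-all ACL in this hunk is widened from `by anonymous auth` to `by anonymous read`, which lets any unauthenticated client read every attribute under the suffix, including the `userPassword` hashes of the accounts migrated later; the replication reader binds with a DN, so it falls under `by users read` and does not need anonymous read. Keep `by anonymous auth` and, if anonymous lookups of posixAccount entries are wanted for nss_ldap, add a specific `access to attrs=userPassword by self write by anonymous auth by * none` clause before the catch-all so the hashes stay private. Three smaller points: `credentials="ldapsyncpass"` does not match the `myreaderpassword` used when the ldapreader account is created in the Replication chapter of this same patch, and since it is a cleartext secret the text should say slapd.conf must be readable by the ldap user only; the sample keeps `serverID 0` while adding `mirrormode TRUE`, but multi-master replication needs a distinct non-zero serverID on each server (slapd.conf(5)), so the sample should show a non-zero value; and `provider=ldap://ldap2.genfic.com` with `bindmethod=simple` sends the reader password in clear, which `starttls=critical` or an `ldaps://` provider URL would fix.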
152 @@ -223,17 +237,27 @@
153 <comment>(Add the following...)</comment>
154
155 BASE dc=genfic, dc=com
156 -URI ldap://auth.genfic.com:389/
157 +URI ldap://ldap.genfic.com:389/ ldap://ldap1.genfic.com:389/ ldap://ldap2.genfic.com:389/
158 TLS_REQCERT allow
159 +TIMELIMIT 2
160 </pre>
161
162 <p>
163 -Now edit <path>/etc/conf.d/slapd</path> and uncomment the following OPTS line:
164 +Now edit <path>/etc/conf.d/slapd</path> and set the following OPTS line:
165 </p>
166
167 <pre caption="/etc/conf.d/slapd">
168 -<comment># Note: we don't use cn=config here, so stay with this line:</comment>
169 -OPTS="-F /etc/openldap/slapd.d -h 'ldaps:// ldap:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"
170 +OPTS="-h 'ldaps:// ldap:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"
171 +</pre>
172 +
173 +<p>
174 +Finally, create the <path>/var/lib/openldap-ldbm</path> structure:
175 +</p>
176 +
177 +<pre caption="Preparing the openldap-ldbm location">
178 +~# <i>mkdir -p /var/lib/openldap-ldbm</i>
179 +~# <i>chown ldap:ldap /var/lib/openldap-ldbm</i>
180 +~# <i>chmod 700 /var/lib/openldap-ldbm</i>
181 </pre>
182
183 <p>
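Review bot: the new client `URI` line lists three `ldap://` endpoints while the `OPTS` line below it starts slapd with `ldaps://` as well; combined with the unchanged `TLS_REQCERT allow`, every client lookup and bind travels in cleartext, and certificate checking is disabled for the cases where TLS is used. Prefer `ldaps://` URIs in the sample, and pair them with `TLS_REQCERT demand` and a `TLS_CACERT` path. The added `chown ldap:ldap` / `chmod 700` block for `/var/lib/openldap-ldbm` is a good addition; the prose should say it must be done before slapd is first started, since the `directory` line in slapd.conf points there.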
184 @@ -262,18 +286,153 @@
185 </chapter>
186
187 <chapter>
188 +<title>Replication</title>
189 +<section>
190 +<title>If you need high availability</title>
191 +<body>
192 +
193 +<p>
194 +If your environment requires high availability, then you need to setup
195 +replication of changes across multiple LDAP systems. Replication within OpenLDAP
196 +is, in this guide, set up using a specific replication account
197 +(<c>ldapreader</c>) which has read rights on the primary LDAP server and which
198 +pulls in changes from the primary LDAP server to the secundary.
199 +</p>
200 +
201 +<p>
202 +This setup is then mirrored, allowing the secundary LDAP server to act as a
203 +primary. Thanks to OpenLDAP's internal structure, changes are not re-applied if
204 +they are already in the LDAP structure.
205 +</p>
206 +
207 +</body>
208 +</section>
209 +<section>
210 +<title>Setting Up Replication</title>
211 +<body>
212 +
213 +<p>
214 +To setup replication, first setup a second OpenLDAP server, similarly as above.
215 +However take care that, in the configuration file,
216 +</p>
217 +
218 +<ul>
219 + <li>
220 + the <e>sync replication provider</e> is pointing to the <e>other</e> system
221 + </li>
222 + <li>
223 + the <e>serverID</e> of each OpenLDAP system is different
224 + </li>
225 +</ul>
226 +
227 +<p>
228 +Next, create the synchronisation account. We will create an LDIF file (the
229 +format used as data input for LDAP servers) and add it to each LDAP server:
230 +</p>
231 +
232 +<pre caption="Creating the ldapreader account">
233 +~# <i>slappasswd -s myreaderpassword</i>
234 + {SSHA}XvbdAv6rdskp9HgFaFL9YhGkJH3HSkiM
235 +
236 +~# <i>cat ldapreader.ldif</i>
237 +dn: cn=ldapreader,dc=genfic,dc=com
238 +userPassword: {SSHA}XvbdAv6rdskp9HgFaFL9YhGkJH3HSkiM
239 +objectClass: organizationalRole
240 +objectClass: simpleSecurityObject
241 +cn: ldapreader
242 +description: LDAP reader used for synchronization
243 +
244 +~# <i>ldapadd -x -W -D "cn=Manager,dc=genfic,dc=com" -f ldapreader.ldif</i>
245 +Password: <comment>enter the administrative password</comment>
246 +</pre>
247 +
248 +</body>
249 +</section>
250 +</chapter>
251 +
252 +<chapter>
253 <title>Client Configuration</title>
254 <section>
255 <title>Migrate existing data to ldap</title>
256 <body>
257
258 <p>
259 +Configuring OpenLDAP for centralized administration and management of common
260 +Linux/Unix items isn't easy, but thanks to some tools and scripts available on
261 +the Internet, migrating a system from a single-system administrative
262 +point-of-view towards an OpenLDAP-based, centralized managed system isn't hard
263 +either.
264 +</p>
265 +
266 +<p>
267 Go to <uri
268 link="http://www.padl.com/OSS/MigrationTools.html">http://www.padl.com/OSS/MigrationTools.html</uri>
269 -and fetch the scripts there. Configuration is stated on the page. We don't ship
270 -this anymore because the scripts are a potential security hole if you leave
271 -them on the system after porting. When you've finished migrating your data,
272 -continue to the next section.
273 +and fetch the scripts there. You'll need the migration tools and the
274 +<c>make_master.sh</c> script.
275 +</p>
276 +
277 +<p>
278 +Next, extract the tools and copy the <c>make_master.sh</c> script inside the
279 +extracted location:
280 +</p>
281 +
282 +<pre caption="Extracting the MigrationTools">
283 +~# <i>mktemp -d</i>
284 +/tmp/tmp.zchomocO3Q
285 +~# <i>cd /tmp/tmp.zchomocO3Q</i>
286 +~# <i>tar xvzf /path/to/MigrationTools.tgz</i>
287 +~# <i>mv /path/to/make_master.sh MigrationTools-47</i>
288 +~# <i>cd MigrationTools-47</i>
289 +</pre>
290 +
291 +<p>
292 +The next step now is to migrate the information of your system to OpenLDAP. The
293 +<c>make_master.sh</c> script will do this for you, after you have provided it
294 +with the information regarding your LDAP structure and environment.
295 +</p>
296 +
297 +<p>
298 +At the time of writing, the tools require the following input:
299 +</p>
300 +
301 +<table>
302 +<tr>
303 + <th>Input</th>
304 + <th>Description</th>
305 + <th>Example</th>
306 +</tr>
307 +<tr>
308 + <ti>LDAP BaseDN</ti>
309 + <ti>The base location (root) of your tree</ti>
310 + <ti>dc=genfic,dc=com</ti>
311 +</tr>
312 +<tr>
313 + <ti>Mail domain</ti>
314 + <ti>Domain used in e-mail addresses</ti>
315 + <ti>genfic.com</ti>
316 +</tr>
317 +<tr>
318 + <ti>Mail host</ti>
319 + <ti>FQDN of your mail server infrastructure</ti>
320 + <ti>smtp.genfic.com</ti>
321 +</tr>
322 +<tr>
323 + <ti>LDAP Root DN</ti>
324 + <ti>Administrative account information for your LDAP structure</ti>
325 + <ti>cn=Manager,dc=genfic,dc=com</ti>
326 +</tr>
327 +<tr>
328 + <ti>LDAP Root Password</ti>
329 + <ti>
330 + Password for the administrative account, cfr earlier <c>slappasswd</c>
331 + command
332 + </ti>
333 + <ti></ti>
334 +</tr>
335 +</table>
336 +
337 +<p>
338 +The tool will also ask you which accounts and settings you want to migrate.
339 </p>
340
341 </body>
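Review bot: the ldapreader password set here (`slappasswd -s myreaderpassword`) does not match the `credentials="ldapsyncpass"` in the slapd.conf sample earlier in this patch, so a reader following both literally ends up with a replication bind that fails; use one value in both places, and drop `-s` so the password is prompted rather than left in shell history and the process list. Also "secundary" should be "secondary" (twice), and the earlier revision's warning that the MigrationTools scripts are a security hole if left on the system after porting was removed rather than moved; keep it and add an `rm -rf` of the `mktemp -d` directory once migration is done. In the table, "cfr" reads better as "see".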
342 @@ -310,7 +469,7 @@
343 #%PAM-1.0
344
345 auth required pam_env.so
346 -auth sufficient pam_unix.so try_first_pass likeauth nullok
347 +auth <i>sufficient</i> pam_unix.so try_first_pass likeauth nullok
348 <i>auth sufficient pam_ldap.so use_first_pass</i>
349 auth required pam_deny.so
350
351 @@ -318,7 +477,7 @@
352 account required pam_unix.so
353
354 password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
355 -password sufficient pam_unix.so try_first_pass use_authtok nullok md5 shadow
356 +password <i>sufficient</i> pam_unix.so try_first_pass use_authtok nullok md5 shadow
357 <i>password sufficient pam_ldap.so use_authtok use_first_pass</i>
358 password required pam_deny.so
359
360 @@ -338,20 +497,20 @@
361
362 suffix "dc=genfic,dc=com"
363 <comment>#rootbinddn uid=root,ou=People,dc=genfic,dc=com</comment>
364 -
365 -uri ldap://auth.genfic.com/
366 -pam_password exop
367 -
368 +bind_policy soft
369 +bind_timelimit 2
370 ldap_version 3
371 +nss_base_group ou=Group,dc=genfic,dc=com
372 +nss_base_hosts ou=Hosts,dc=genfic,dc=com
373 +nss_base_passwd ou=People,dc=genfic,dc=com
374 +nss_base_shadow ou=People,dc=genfic,dc=com
375 pam_filter objectclass=posixAccount
376 pam_login_attribute uid
377 pam_member_attribute memberuid
378 -nss_base_passwd ou=People,dc=genfic,dc=com
379 -nss_base_shadow ou=People,dc=genfic,dc=com
380 -nss_base_group ou=Group,dc=genfic,dc=com
381 -nss_base_hosts ou=Hosts,dc=genfic,dc=com
382 -
383 +pam_password exop
384 scope one
385 +timelimit 2
386 +uri ldap://ldap.genfic.com/ ldap://ldap1.genfic.com ldap://ldap2.genfic.com
387 </pre>
388
389 <p>
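Review bot: the new `uri` line points nss_ldap and pam_ldap at plaintext `ldap://` servers, and with `pam_password exop` a user's new password is sent to the server unencrypted when they run passwd; use `ldaps://` URIs or add `ssl start_tls` with `tls_checkpeer yes` so the exop carries the secret over TLS. Minor: the first URI has a trailing slash and the other two do not.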
390 @@ -376,26 +535,14 @@
391 </pre>
392
393 <p>
394 -To test the changes, type:
395 -</p>
396 -
397 -<pre caption="Testing LDAP Auth">
398 -# <i>getent passwd|grep 0:0</i>
399 -
400 -<comment>(You should get two entries back:)</comment>
401 -root:x:0:0:root:/root:/bin/bash
402 -root:x:0:0:root:/root:/bin/bash
403 -</pre>
404 -
405 -<p>
406 If you noticed one of the lines you pasted into your <path>/etc/ldap.conf</path>
407 was commented out (the <c>rootbinddn</c> line): you don't need it unless you
408 want to change a user's password as superuser. In this case you need to echo
409 the root password to <path>/etc/ldap.secret</path> in plaintext. This is
410 -<brite>DANGEROUS</brite> and should be chmoded to 600. What I do is keep that
411 -file blank and when I need to change someones password thats both in the ldap
412 -and <path>/etc/passwd</path> I put the pass in there for 10 seconds while I
413 -change it and remove it when I'm done.
414 +<brite>DANGEROUS</brite> and should be chmoded to 600. What you might want to
415 +do is keep that file blank and when you need to change someones password thats
416 +both in the ldap and <path>/etc/passwd</path>, put the pass in there for 10
417 +seconds while changing the users password and remove it when done.
418 </p>
419
420 </body>
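Review bot: removing the "Testing LDAP Auth" block leaves this section with no verification step before the reader relies on LDAP for logins; keep a check such as `getent passwd` for an LDAP-only user (or the original `getent passwd|grep 0:0`, with its note that two root lines means nss_ldap is answering) so a wrong `uri` or `nss_base_passwd` is caught before pam_ldap is enabled. In the rewritten paragraph, "someones" should be "someone's", "thats" should be "that's", and "the users password" should be "the user's password"; the file should also be created with mode 600 before the password is written to it, not chmoded afterwards.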