swift 11/08/15 20:25:30 |
|
Modified: ldap-howto.xml |
Log: |
Fix #176075 - Updated OpenLDAP guide |
|
Revision Changes Path |
1.44 xml/htdocs/doc/en/ldap-howto.xml |
|
file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/doc/en/ldap-howto.xml?rev=1.44&view=markup |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/doc/en/ldap-howto.xml?rev=1.44&content-type=text/plain |
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/doc/en/ldap-howto.xml?r1=1.43&r2=1.44 |
|
Index: ldap-howto.xml |
=================================================================== |
RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/ldap-howto.xml,v |
retrieving revision 1.43 |
retrieving revision 1.44 |
diff -u -r1.43 -r1.44 |
20 |
--- ldap-howto.xml 18 Apr 2011 02:01:11 -0000 1.43 |
21 |
+++ ldap-howto.xml 15 Aug 2011 20:25:30 -0000 1.44 |
22 |
@@ -1,15 +1,15 @@ |
23 |
<?xml version='1.0' encoding='UTF-8'?> |
24 |
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/ldap-howto.xml,v 1.43 2011/04/18 02:01:11 nightmorph Exp $ --> |
25 |
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/ldap-howto.xml,v 1.44 2011/08/15 20:25:30 swift Exp $ --> |
26 |
<!DOCTYPE guide SYSTEM "/dtd/guide.dtd"> |
27 |
|
28 |
-<guide disclaimer="draft"> |
29 |
+<guide> |
30 |
<title>Gentoo Guide to OpenLDAP Authentication</title> |
31 |
|
32 |
<author title="Author"> |
33 |
<mail link="sj7trunks@××××××××.net">Benjamin Coles</mail> |
34 |
</author> |
35 |
-<author title="Editor"> |
36 |
- <mail link="swift@g.o">Sven Vermeulen</mail> |
37 |
+<author title="Author"> |
38 |
+ <mail link="swift"/> |
39 |
</author> |
40 |
<author title="Editor"> |
41 |
<mail link="tseng@g.o">Brandon Hale</mail> |
42 |
@@ -33,8 +33,8 @@ |
43 |
<!-- See http://creativecommons.org/licenses/by-sa/2.5 --> |
44 |
<license/> |
45 |
|
46 |
-<version>5</version> |
47 |
-<date>2011-04-17</date> |
48 |
+<version>6</version> |
49 |
+<date>2011-08-15</date> |
50 |
|
51 |
<chapter> |
52 |
<title>Getting Started with OpenLDAP</title> |
53 |
@@ -166,52 +166,66 @@ |
54 |
|
55 |
<pre caption="Generate password"> |
56 |
# <i>slappasswd</i> |
57 |
-New password: my-password |
58 |
-Re-enter new password: my-password |
59 |
+New password: <i>my-password</i> |
60 |
+Re-enter new password: <i>my-password</i> |
61 |
{SSHA}EzP6I82DZRnW+ou6lyiXHGxSpSOw2XO4 |
62 |
</pre> |
63 |
|
64 |
<p> |
65 |
-Now edit the LDAP Server config at <path>/etc/openldap/slapd.conf</path>: |
66 |
+Now edit the LDAP Server config at <path>/etc/openldap/slapd.conf</path>. Below |
67 |
+we'll give a sample configuration file to get things started. For a more |
68 |
+detailed analysis of the configuration file, we suggest that you work through |
69 |
+the OpenLDAP Administrator's Guide. |
70 |
</p> |
71 |
|
72 |
<pre caption="/etc/openldap/slapd.conf"> |
73 |
-<comment># Include the needed data schemes below core.schema</comment> |
74 |
-include /etc/openldap/schema/cosine.schema |
75 |
-include /etc/openldap/schema/inetorgperson.schema |
76 |
-include /etc/openldap/schema/nis.schema |
77 |
- |
78 |
-<comment>Uncomment modulepath and hdb module</comment> |
79 |
-# Load dynamic backend modules: |
80 |
-modulepath /usr/lib/openldap/openldap |
81 |
-# moduleload back_shell.so |
82 |
-# moduleload back_relay.so |
83 |
-# moduleload back_perl.so |
84 |
-# moduleload back_passwd.so |
85 |
-# moduleload back_null.so |
86 |
-# moduleload back_monitor.so |
87 |
-# moduleload back_meta.so |
88 |
-moduleload back_hdb.so |
89 |
-# moduleload back_dnssrv.so |
90 |
+include /etc/openldap/schema/core.schema |
91 |
+include /etc/openldap/schema/cosine.schema |
92 |
+include /etc/openldap/schema/inetorgperson.schema |
93 |
+include /etc/openldap/schema/nis.schema |
94 |
+include /etc/openldap/schema/misc.schema |
95 |
+ |
96 |
+pidfile /var/run/openldap/slapd.pid |
97 |
+argsfile /var/run/openldap/slapd.args |
98 |
|
99 |
-<comment># Uncomment sample access restrictions (Note: maintain indentation!)</comment> |
100 |
+serverID 0 <comment>Used in case of replication</comment> |
101 |
+loglevel 0 |
102 |
+ |
103 |
+<comment>## Access Controls</comment> |
104 |
access to dn.base="" by * read |
105 |
access to dn.base="cn=Subschema" by * read |
106 |
access to * |
107 |
- by self write |
108 |
- by users read |
109 |
- by anonymous auth |
110 |
+ by self write |
111 |
+ by users read |
112 |
+ by anonymous read |
113 |
|
114 |
+<comment>## Database definition</comment> |
115 |
+database hdb |
116 |
+suffix "dc=genfic,dc=com" |
117 |
+checkpoint 32 30 |
118 |
+rootdn "cn=Manager,dc=genfic,dc=com" |
119 |
+rootpw "{SSHA}EzP6I82DZRnW+ou6lyiXHGxSpSOw2XO4" <comment># See earlier slappasswd command</comment> |
120 |
+directory "/var/lib/openldap-ldbm" |
121 |
+index objectClass eq |
122 |
+ |
123 |
+<comment>## Synchronisation (pull from other LDAP server)</comment> |
124 |
+syncrepl rid=000 |
125 |
+ provider=ldap://ldap2.genfic.com |
126 |
+ type=refreshAndPersist |
127 |
+ retry="5 5 300 +" |
128 |
+ searchbase="dc=genfic,dc=com" |
129 |
+ attrs="*,+" |
130 |
+ bindmethod="simple" |
131 |
+ binddn="cn=ldapreader,dc=genfic,dc=com" |
132 |
+ credentials="ldapsyncpass" |
133 |
|
134 |
-<comment># BDB Database definition</comment> |
135 |
+index entryCSN eq |
136 |
+index entryUUID eq |
137 |
|
138 |
-database hdb |
139 |
-suffix "dc=genfic,dc=com" |
140 |
-checkpoint 32 30 # <kbyte> <min> |
141 |
-rootdn "cn=Manager,dc=genfic,dc=com" |
142 |
-rootpw <i>{SSHA}EzP6I82DZRnW+ou6lyiXHGxSpSOw2XO4</i> |
143 |
-directory /var/lib/openldap-ldbm |
144 |
-index objectClass eq |
145 |
+mirrormode TRUE |
146 |
+ |
147 |
+overlay syncprov |
148 |
+syncprov-checkpoint 100 10 |
149 |
</pre> |
150 |
|
151 |
<p> |
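Review bot: The `access to *` rule in the new slapd.conf sample now ends with `by anonymous read`, and because no earlier rule covers `userPassword`, an unauthenticated client can read every entry's password hash, including the `{SSHA}` value the replication account receives later in this guide. Put a dedicated rule before `access to *`, e.g. `access to attrs=userPassword by self write by anonymous auth by * none`, so anonymous binds can still authenticate but never read hashes. The `syncrepl` block also binds with `bindmethod="simple"` and `credentials="ldapsyncpass"` to a plain `ldap://` provider, which sends that password in clear unless `starttls=critical` is added or the provider URI is `ldaps://`; since that password and the `rootpw` hash live in `slapd.conf`, a sentence about keeping the file readable only by root and the ldap user would help. `loglevel 0` switches off all slapd logging, which makes replication and bind problems hard to diagnose later, so the choice deserves a short `<comment>` explaining why.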
152 |
@@ -223,17 +237,27 @@ |
153 |
<comment>(Add the following...)</comment> |
154 |
|
155 |
BASE dc=genfic, dc=com |
156 |
-URI ldap://auth.genfic.com:389/ |
157 |
+URI ldap://ldap.genfic.com:389/ ldap://ldap1.genfic.com:389/ ldap://ldap2.genfic.com:389/ |
158 |
TLS_REQCERT allow |
159 |
+TIMELIMIT 2 |
160 |
</pre> |
161 |
|
162 |
<p> |
163 |
-Now edit <path>/etc/conf.d/slapd</path> and uncomment the following OPTS line: |
164 |
+Now edit <path>/etc/conf.d/slapd</path> and set the following OPTS line: |
165 |
</p> |
166 |
|
167 |
<pre caption="/etc/conf.d/slapd"> |
168 |
-<comment># Note: we don't use cn=config here, so stay with this line:</comment> |
169 |
-OPTS="-F /etc/openldap/slapd.d -h 'ldaps:// ldap:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'" |
170 |
+OPTS="-h 'ldaps:// ldap:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'" |
171 |
+</pre> |
172 |
+ |
173 |
+<p> |
174 |
+Finally, create the <path>/var/lib/openldap-ldbm</path> structure: |
175 |
+</p> |
176 |
+ |
177 |
+<pre caption="Preparing the openldap-ldbm location"> |
178 |
+~# <i>mkdir -p /var/lib/openldap-ldbm</i> |
179 |
+~# <i>chown ldap:ldap /var/lib/openldap-ldbm</i> |
180 |
+~# <i>chmod 700 /var/lib/openldap-ldbm</i> |
181 |
</pre> |
182 |
|
183 |
<p> |
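Review bot: The new `URI` line in `/etc/openldap/ldap.conf` lists three `ldap://` endpoints while the new `OPTS` line also starts an `ldaps://` listener, so clients are steered to the unencrypted port even though an encrypted one is available; combined with the surrounding `TLS_REQCERT allow` (context, not changed here) the guide never ends up with a certificate-verified session. Consider `URI ldaps://ldap.genfic.com/ ldaps://ldap1.genfic.com/ ldaps://ldap2.genfic.com/`, or state explicitly that `ldap://` is only acceptable on an isolated management network. The `mkdir`/`chown ldap:ldap`/`chmod 700` block for `/var/lib/openldap-ldbm` is a good addition; a parallel hint for the ownership and mode of `slapd.conf` would be consistent, since that file holds the `rootpw` hash and the replication credentials.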
184 |
@@ -262,18 +286,153 @@ |
185 |
</chapter> |
186 |
|
187 |
<chapter> |
188 |
+<title>Replication</title> |
189 |
+<section> |
190 |
+<title>If you need high availability</title> |
191 |
+<body> |
192 |
+ |
193 |
+<p> |
194 |
+If your environment requires high availability, then you need to setup |
195 |
+replication of changes across multiple LDAP systems. Replication within OpenLDAP |
196 |
+is, in this guide, set up using a specific replication account |
197 |
+(<c>ldapreader</c>) which has read rights on the primary LDAP server and which |
198 |
+pulls in changes from the primary LDAP server to the secundary. |
199 |
+</p> |
200 |
+ |
201 |
+<p> |
202 |
+This setup is then mirrored, allowing the secundary LDAP server to act as a |
203 |
+primary. Thanks to OpenLDAP's internal structure, changes are not re-applied if |
204 |
+they are already in the LDAP structure. |
205 |
+</p> |
206 |
+ |
207 |
+</body> |
208 |
+</section> |
209 |
+<section> |
210 |
+<title>Setting Up Replication</title> |
211 |
+<body> |
212 |
+ |
213 |
+<p> |
214 |
+To setup replication, first setup a second OpenLDAP server, similarly as above. |
215 |
+However take care that, in the configuration file, |
216 |
+</p> |
217 |
+ |
218 |
+<ul> |
219 |
+ <li> |
220 |
+ the <e>sync replication provider</e> is pointing to the <e>other</e> system |
221 |
+ </li> |
222 |
+ <li> |
223 |
+ the <e>serverID</e> of each OpenLDAP system is different |
224 |
+ </li> |
225 |
+</ul> |
226 |
+ |
227 |
+<p> |
228 |
+Next, create the synchronisation account. We will create an LDIF file (the |
229 |
+format used as data input for LDAP servers) and add it to each LDAP server: |
230 |
+</p> |
231 |
+ |
232 |
+<pre caption="Creating the ldapreader account"> |
233 |
+~# <i>slappasswd -s myreaderpassword</i> |
234 |
+ {SSHA}XvbdAv6rdskp9HgFaFL9YhGkJH3HSkiM |
235 |
+ |
236 |
+~# <i>cat ldapreader.ldif</i> |
237 |
+dn: cn=ldapreader,dc=genfic,dc=com |
238 |
+userPassword: {SSHA}XvbdAv6rdskp9HgFaFL9YhGkJH3HSkiM |
239 |
+objectClass: organizationalRole |
240 |
+objectClass: simpleSecurityObject |
241 |
+cn: ldapreader |
242 |
+description: LDAP reader used for synchronization |
243 |
+ |
244 |
+~# <i>ldapadd -x -W -D "cn=Manager,dc=genfic,dc=com" -f ldapreader.ldif</i> |
245 |
+Password: <comment>enter the administrative password</comment> |
246 |
+</pre> |
247 |
+ |
248 |
+</body> |
249 |
+</section> |
250 |
+</chapter> |
251 |
+ |
252 |
+<chapter> |
253 |
<title>Client Configuration</title> |
254 |
<section> |
255 |
<title>Migrate existing data to ldap</title> |
256 |
<body> |
257 |
|
258 |
<p> |
259 |
+Configuring OpenLDAP for centralized administration and management of common |
260 |
+Linux/Unix items isn't easy, but thanks to some tools and scripts available on |
261 |
+the Internet, migrating a system from a single-system administrative |
262 |
+point-of-view towards an OpenLDAP-based, centralized managed system isn't hard |
263 |
+either. |
264 |
+</p> |
265 |
+ |
266 |
+<p> |
267 |
Go to <uri |
268 |
link="http://www.padl.com/OSS/MigrationTools.html">http://www.padl.com/OSS/MigrationTools.html</uri> |
269 |
-and fetch the scripts there. Configuration is stated on the page. We don't ship |
270 |
-this anymore because the scripts are a potential security hole if you leave |
271 |
-them on the system after porting. When you've finished migrating your data, |
272 |
-continue to the next section. |
273 |
+and fetch the scripts there. You'll need the migration tools and the |
274 |
+<c>make_master.sh</c> script. |
275 |
+</p> |
276 |
+ |
277 |
+<p> |
278 |
+Next, extract the tools and copy the <c>make_master.sh</c> script inside the |
279 |
+extracted location: |
280 |
+</p> |
281 |
+ |
282 |
+<pre caption="Extracting the MigrationTools"> |
283 |
+~# <i>mktemp -d</i> |
284 |
+/tmp/tmp.zchomocO3Q |
285 |
+~# <i>cd /tmp/tmp.zchomocO3Q</i> |
286 |
+~# <i>tar xvzf /path/to/MigrationTools.tgz</i> |
287 |
+~# <i>mv /path/to/make_master.sh MigrationTools-47</i> |
288 |
+~# <i>cd MigrationTools-47</i> |
289 |
+</pre> |
290 |
+ |
291 |
+<p> |
292 |
+The next step now is to migrate the information of your system to OpenLDAP. The |
293 |
+<c>make_master.sh</c> script will do this for you, after you have provided it |
294 |
+with the information regarding your LDAP structure and environment. |
295 |
+</p> |
296 |
+ |
297 |
+<p> |
298 |
+At the time of writing, the tools require the following input: |
299 |
+</p> |
300 |
+ |
301 |
+<table> |
302 |
+<tr> |
303 |
+ <th>Input</th> |
304 |
+ <th>Description</th> |
305 |
+ <th>Example</th> |
306 |
+</tr> |
307 |
+<tr> |
308 |
+ <ti>LDAP BaseDN</ti> |
309 |
+ <ti>The base location (root) of your tree</ti> |
310 |
+ <ti>dc=genfic,dc=com</ti> |
311 |
+</tr> |
312 |
+<tr> |
313 |
+ <ti>Mail domain</ti> |
314 |
+ <ti>Domain used in e-mail addresses</ti> |
315 |
+ <ti>genfic.com</ti> |
316 |
+</tr> |
317 |
+<tr> |
318 |
+ <ti>Mail host</ti> |
319 |
+ <ti>FQDN of your mail server infrastructure</ti> |
320 |
+ <ti>smtp.genfic.com</ti> |
321 |
+</tr> |
322 |
+<tr> |
323 |
+ <ti>LDAP Root DN</ti> |
324 |
+ <ti>Administrative account information for your LDAP structure</ti> |
325 |
+ <ti>cn=Manager,dc=genfic,dc=com</ti> |
326 |
+</tr> |
327 |
+<tr> |
328 |
+ <ti>LDAP Root Password</ti> |
329 |
+ <ti> |
330 |
+ Password for the administrative account, cfr earlier <c>slappasswd</c> |
331 |
+ command |
332 |
+ </ti> |
333 |
+ <ti></ti> |
334 |
+</tr> |
335 |
+</table> |
336 |
+ |
337 |
+<p> |
338 |
+The tool will also ask you which accounts and settings you want to migrate. |
339 |
</p> |
340 |
|
341 |
</body> |
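Review bot: `slappasswd -s myreaderpassword` passes the replication password on the command line, where it ends up in shell history and is visible to other local users through the process list; the earlier example in this guide uses the interactive prompt, and this one should do the same (`~# slappasswd` followed by the two prompt lines). The rewritten MigrationTools text also drops the old paragraph's advice that the scripts must not be left on the system after migration; since extraction now happens in a `mktemp -d` directory, a closing sentence such as `Remove the temporary directory once the migration is done; the scripts are not needed afterwards.` would preserve that point. Minor: `secundary` (twice) should read `secondary`, and the `LDAP Root Password` row has an empty example cell, which looks like an omission unless the text says no example is given on purpose.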
342 |
@@ -310,7 +469,7 @@ |
343 |
#%PAM-1.0 |
344 |
|
345 |
auth required pam_env.so |
346 |
-auth sufficient pam_unix.so try_first_pass likeauth nullok |
347 |
+auth <i>sufficient</i> pam_unix.so try_first_pass likeauth nullok |
348 |
<i>auth sufficient pam_ldap.so use_first_pass</i> |
349 |
auth required pam_deny.so |
350 |
|
351 |
@@ -318,7 +477,7 @@ |
352 |
account required pam_unix.so |
353 |
|
354 |
password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3 |
355 |
-password sufficient pam_unix.so try_first_pass use_authtok nullok md5 shadow |
356 |
+password <i>sufficient</i> pam_unix.so try_first_pass use_authtok nullok md5 shadow |
357 |
<i>password sufficient pam_ldap.so use_authtok use_first_pass</i> |
358 |
password required pam_deny.so |
359 |
|
360 |
@@ -338,20 +497,20 @@ |
361 |
|
362 |
suffix "dc=genfic,dc=com" |
363 |
<comment>#rootbinddn uid=root,ou=People,dc=genfic,dc=com</comment> |
364 |
- |
365 |
-uri ldap://auth.genfic.com/ |
366 |
-pam_password exop |
367 |
- |
368 |
+bind_policy soft |
369 |
+bind_timelimit 2 |
370 |
ldap_version 3 |
371 |
+nss_base_group ou=Group,dc=genfic,dc=com |
372 |
+nss_base_hosts ou=Hosts,dc=genfic,dc=com |
373 |
+nss_base_passwd ou=People,dc=genfic,dc=com |
374 |
+nss_base_shadow ou=People,dc=genfic,dc=com |
375 |
pam_filter objectclass=posixAccount |
376 |
pam_login_attribute uid |
377 |
pam_member_attribute memberuid |
378 |
-nss_base_passwd ou=People,dc=genfic,dc=com |
379 |
-nss_base_shadow ou=People,dc=genfic,dc=com |
380 |
-nss_base_group ou=Group,dc=genfic,dc=com |
381 |
-nss_base_hosts ou=Hosts,dc=genfic,dc=com |
382 |
- |
383 |
+pam_password exop |
384 |
scope one |
385 |
+timelimit 2 |
386 |
+uri ldap://ldap.genfic.com/ ldap://ldap1.genfic.com ldap://ldap2.genfic.com |
387 |
</pre> |
388 |
|
389 |
<p> |
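Review bot: The new `uri` line for nss_ldap/pam_ldap points only at plain `ldap://` servers, and with `pam_password exop` every password change (and every simple bind pam_ldap performs) crosses the network unencrypted; the sample should also carry `ssl start_tls` and `tls_checkpeer yes`, or use `ldaps://` URIs, so user passwords are not exposed between workstations and the LDAP servers. `bind_policy soft` and `bind_timelimit 2` change failover behaviour — lookups give up quickly instead of retrying — and deserve a short `<comment>` saying that they keep logins responsive when a server is down, which is presumably the intent of adding them together with the multi-server `uri` line.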
390 |
@@ -376,26 +535,14 @@ |
391 |
</pre> |
392 |
|
393 |
<p> |
394 |
-To test the changes, type: |
395 |
-</p> |
396 |
- |
397 |
-<pre caption="Testing LDAP Auth"> |
398 |
-# <i>getent passwd|grep 0:0</i> |
399 |
- |
400 |
-<comment>(You should get two entries back:)</comment> |
401 |
-root:x:0:0:root:/root:/bin/bash |
402 |
-root:x:0:0:root:/root:/bin/bash |
403 |
-</pre> |
404 |
- |
405 |
-<p> |
406 |
If you noticed one of the lines you pasted into your <path>/etc/ldap.conf</path> |
407 |
was commented out (the <c>rootbinddn</c> line): you don't need it unless you |
408 |
want to change a user's password as superuser. In this case you need to echo |
409 |
the root password to <path>/etc/ldap.secret</path> in plaintext. This is |
410 |
-<brite>DANGEROUS</brite> and should be chmoded to 600. What I do is keep that |
411 |
-file blank and when I need to change someones password thats both in the ldap |
412 |
-and <path>/etc/passwd</path> I put the pass in there for 10 seconds while I |
413 |
-change it and remove it when I'm done. |
414 |
+<brite>DANGEROUS</brite> and should be chmoded to 600. What you might want to |
415 |
+do is keep that file blank and when you need to change someones password thats |
416 |
+both in the ldap and <path>/etc/passwd</path>, put the pass in there for 10 |
417 |
+seconds while changing the users password and remove it when done. |
418 |
</p> |
419 |
|
420 |
</body> |
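Review bot: The reworded paragraph still says `/etc/ldap.secret` "should be chmoded to 600" without saying who must own it; the file is meant to be readable only by root, so spelling out `chown root:root /etc/ldap.secret; chmod 600 /etc/ldap.secret` makes the advice actionable. Telling the reader to `echo` the root password into that file "for 10 seconds" also leaves the password in shell history; recommending an editor instead, or at least noting the history issue, fits the DANGEROUS warning better. Wording: `someones password thats both in the ldap` → `someone's password that's both in LDAP`.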