[gentoo-doc-cvs] cvs commit: ldap-howto.xml - gentoo-doc-cvs

From:	Joshua Saddler <nightmorph@××××××××××××.org>
To:	gentoo-doc-cvs@l.g.o
Subject:	[gentoo-doc-cvs] cvs commit: ldap-howto.xml
Date:	Wed, 02 Jan 2008 00:45:24
Message-Id:	`E1J9rjG-0008M1-Vn@stork.gentoo.org`

1

nightmorph    08/01/02 00:45:06

2

3

  Modified:             ldap-howto.xml

4

  Log:

5

  merged jokey's patch for the time being. hopefully he and/or robbat2 or other contributors can fill out the guide so we can bring it out of draft status once again. bug 176075

6

7

Revision  Changes    Path

8

1.36                 xml/htdocs/doc/en/ldap-howto.xml

9

10

file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/ldap-howto.xml?rev=1.36&view=markup

11

plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/ldap-howto.xml?rev=1.36&content-type=text/plain

12

diff : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/ldap-howto.xml?r1=1.35&r2=1.36

13

14

Index: ldap-howto.xml

15

===================================================================

16

RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/ldap-howto.xml,v

17

retrieving revision 1.35

18

retrieving revision 1.36

19

diff -u -r1.35 -r1.36

20

--- ldap-howto.xml	29 Nov 2006 15:48:57 -0000	1.35

21

+++ ldap-howto.xml	2 Jan 2008 00:45:06 -0000	1.36

22

@@ -1,24 +1,25 @@

23

 <?xml version='1.0' encoding='UTF-8'?>

24

-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/ldap-howto.xml,v 1.35 2006/11/29 15:48:57 nightmorph Exp $ -->

25

+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/ldap-howto.xml,v 1.36 2008/01/02 00:45:06 nightmorph Exp $ -->

26

 <!DOCTYPE guide SYSTEM "/dtd/guide.dtd">

27

28

-<guide link="/doc/en/ldap-howto.xml" disclaimer="obsolete">

29

+<guide link="/doc/en/ldap-howto.xml" disclaimer="draft">

30

 <title>Gentoo Guide to OpenLDAP Authentication</title>

31

32

 <author title="Author">

33

   <mail link="sj7trunks@××××××××.net">Benjamin Coles</mail>

34

 </author>

35

-

36

 <author title="Editor">

37

   <mail link="swift@g.o">Sven Vermeulen</mail>

38

 </author>

39

-

40

 <author title="Editor">

41

   <mail link="tseng@g.o">Brandon Hale</mail>

42

 </author>

43

 <author title="Editor">

44

   <mail link="bennyc@g.o">Benny Chuang</mail>

45

 </author>

46

+<author title="Editor">

47

+  <mail link="jokey"/>

48

+</author>

49

50

51

 <abstract>

52

@@ -30,8 +31,8 @@

53

 <!-- See http://creativecommons.org/licenses/by-sa/2.5 -->

54

 <license/>

55

56

-<version>0.22</version>

57

-<date>2005-10-21</date>

58

+<version>0.23</version>

59

+<date>2008-01-01</date>

60

61

 <chapter>

62

 <title>Getting Started with OpenLDAP</title>

63

@@ -155,43 +156,65 @@

64

 </p>

65

66

 <pre caption="Install OpenLDAP">

67

-# <i>emerge openldap pam_ldap nss_ldap migrationtools</i>

68

-# <i>chown ldap:ldap /var/lib/openldap-ldbm /var/lib/openldap-data /var/lib/openldap-slurp</i>

69

+# <i>emerge ">=net-nds/openldap-2.3.38" pam_ldap nss_ldap</i>

70

 </pre>

71

72

<p>

73

-Edit <path>/etc/openldap/slapd.conf</path> and add the following right after 

74

-<c>core.schema</c>:

75

+Now generate an encrypted password we'll use later on:

76

+</p>

77

+

78

+<pre caption="Generate password">

79

+# slappasswd

80

+New password: my-password

81

+Re-enter new password: my-password

82

+{SSHA}EzP6I82DZRnW+ou6lyiXHGxSpSOw2XO4

83

+</pre>

84

+

85

+<p>

86

+Now edit the LDAP Server config at <path>/etc/openldap/slapd.conf</path>:

87

 </p>

88

89

 <pre caption="/etc/openldap/slapd.conf">

90

-<comment># Include the needed data schemes</comment>

91

+<comment># Include the needed data schemes below core.schema</comment>

92

 include         /etc/openldap/schema/cosine.schema

93

 include         /etc/openldap/schema/inetorgperson.schema

94

 include         /etc/openldap/schema/nis.schema

95

96

-<comment># Use md5 to hash the passwords</comment>

97

-password-hash {md5}

98

+<comment>Uncomment modulepath and hdb module</comment>

99

+# Load dynamic backend modules:

100

+modulepath    /usr/lib/openldap/openldap

101

+# moduleload    back_shell.so

102

+# moduleload    back_relay.so

103

+# moduleload    back_perl.so

104

+# moduleload    back_passwd.so

105

+# moduleload    back_null.so

106

+# moduleload    back_monitor.so

107

+# moduleload    back_meta.so

108

+moduleload    back_hdb.so

109

+# moduleload    back_dnssrv.so

110

+

111

+<comment># Uncomment sample access restrictions (Note: maintain indentation!)</comment>

112

+access to dn.base="" by * read

113

+access to dn.base="cn=Subschema" by * read

114

+access to *

115

+   by self write

116

+   by users read

117

+   by anonymous auth

118

119

-<comment># Define SSL and TLS properties (optional)</comment>

120

-TLSCertificateFile /etc/ssl/ldap.pem

121

-TLSCertificateKeyFile /etc/openldap/ssl/ldap.pem

122

-TLSCACertificateFile /etc/ssl/ldap.pem

123

124

-<comment>(Further down...)</comment>

125

+<comment># BDB Database definition</comment>

126

127

-database        ldbm

128

+database        hdb

129

 suffix          "dc=genfic,dc=com"

130

+checkpoint      32      30 # &lt;kbyte&gt; &lt;min&gt;

131

 rootdn          "cn=Manager,dc=genfic,dc=com"

132

-rootpw          <i>{MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==</i>

133

+rootpw          <i>{SSHA}EzP6I82DZRnW+ou6lyiXHGxSpSOw2XO4</i>

134

 directory       /var/lib/openldap-ldbm

135

 index           objectClass     eq

136

-

137

-<comment>(You can get an encrypted password like above with slappasswd -h {Md5})</comment>

138

 </pre>

139

140

<p>

141

-Next we edit the LDAP configuration file:

142

+Next we edit the LDAP Client configuration file:

143

 </p>

144

145

 <pre caption="/etc/openldap/ldap.conf">

146

@@ -199,32 +222,18 @@

147

 <comment>(Add the following...)</comment>

148

149

 BASE         dc=genfic, dc=com

150

-URI          ldaps://auth.genfic.com:636/

151

+URI          ldap://auth.genfic.com:389/

152

 TLS_REQCERT  allow

153

 </pre>

154

155

<p>

156

-Now you will generate an SSL certificate to secure your directory.

157

-Answer the question you receive as good as possible. When asked for your

158

-<e>Common Name</e>, enter the name the clients will use when contacting

159

-the server. This is usually the full domainname (e.g. 

160

-<path>auth.genfic.com</path>).

161

-</p>

162

-

163

-<pre caption="Generating SSL Certificate">

164

-# <i>cd /etc/ssl</i>

165

-# <i>openssl req -config /etc/ssl/openssl.cnf -new -x509 -nodes -out \

166

-ldap.pem -keyout /etc/openldap/ssl/ldap.pem -days 999999</i>

167

-# <i>chown ldap:ldap /etc/openldap/ssl/ldap.pem</i>

168

-</pre>

169

-

170

-<p>

171

 Now edit <path>/etc/conf.d/slapd</path> and add the following, commenting out 

172

 the existing line:

173

 </p>

174

175

 <pre caption="/etc/conf.d/slapd">

176

-OPTS="-h 'ldaps:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"

177

+<comment># Note: we don't use cn=config here, so stay with this line:</comment>

178

+OPTS="-h 'ldap:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"

179

 </pre>

180

181

<p>

182

@@ -253,60 +262,22 @@

183

 </chapter>

184

185

 <chapter>

186

-<title>Migrate Existing Data</title>

187

+<title>Client Configuration</title>

188

 <section>

189

-<title>Migrate User Accounts</title>

190

+<title>Migrate existing data to ldap</title>

191

 <body>

192

193

<p>

194

-Next, we migrate the user accounts. Open 

195

-<path>/usr/share/migrationtools/migrate_common.ph</path> and edit the 

196

-following:

197

-</p>

198

-

199

-<pre caption="/usr/share/migrationtools/migrate_common.ph">

200

-$DEFAULT_BASE = "dc=genfic,dc=com";

201

-$EXTENDED_SCHEMA = 1;

202

-<comment># Comment these lines out unless you have a mail schema loaded</comment>

203

-<comment>#$DEFAULT_MAIL_DOMAIN = "genfic.com";</comment>

204

-<comment>#$DEFAULT_MAIL_HOST = "mail.genfic.com";</comment>

205

-</pre>

206

-

207

-<p>

208

-Now run the migration scripts:

209

-</p>

210

-

211

-<pre caption="Running the migration scripts">

212

-# <i>export ETC_SHADOW=/etc/shadow</i>

213

-# <i>cd /usr/share/migrationtools</i>

214

-# <i>./migrate_base.pl > /tmp/base.ldif</i>

215

-# <i>./migrate_group.pl /etc/group /tmp/group.ldif</i>

216

-# <i>./migrate_hosts.pl /etc/hosts /tmp/hosts.ldif</i>

217

-# <i>./migrate_passwd.pl /etc/passwd /tmp/passwd.ldif</i>

218

-</pre>

219

-

220

-<p>

221

-This last step migrated the files above to ldif files read by LDAP. Now lets add the files to our directory:

222

-</p>

223

-

224

-<pre caption="Importing the data to our directory">

225

-# <i>ldapadd -D "cn=Manager,dc=genfic,dc=com" -W -f /tmp/base.ldif</i>

226

-# <i>ldapadd -D "cn=Manager,dc=genfic,dc=com" -W -f /tmp/group.ldif</i>

227

-# <i>ldapadd -D "cn=Manager,dc=genfic,dc=com" -W -f /tmp/passwd.ldif</i>

228

-# <i>ldapadd -D "cn=Manager,dc=genfic,dc=com" -W -f /tmp/hosts.ldif</i>

229

-</pre>

230

-

231

-<p>

232

-If you come across an error in your ldif files, you can resume from where you

233

-left off by using <c>ldapadd -c</c>.

234

+Go to <uri

235

+link="http://www.padl.com/OSS/MigrationTools.html">http://www.padl.com/OSS/MigrationTools.html</uri>

236

+and fetch the scripts there. Configuration is stated on the page. We don't ship

237

+this anymore because the scripts are a potential security hole if you leave

238

+them on the system after porting. When you've finished migrating your data,

239

+continue to the next section.

240

 </p>

241

242

 </body>

243

 </section>

244

-</chapter>

245

-

246

-<chapter>

247

-<title>Client Configuration</title>

248

 <section>

249

 <title>Configuring PAM</title>

250

 <body>

251

@@ -323,37 +294,38 @@

252

 </pre>

253

254

<p>

255

-Now edit <path>/etc/pam.d/system-auth</path> so it looks like the following:

256

+Now add the following lines in the right places to <path>/etc/pam.d/system-auth</path>:

257

 </p>

258

259

 <pre caption="/etc/pam.d/system-auth">

260

-auth    required    pam_env.so

261

-auth    sufficient  pam_unix.so likeauth nullok shadow

262

-auth    sufficient  pam_ldap.so use_first_pass

263

-auth    required    pam_deny.so

264

-

265

-account requisite  pam_unix.so

266

-account sufficient pam_localuser.so

267

-account required   pam_ldap.so

268

-

269

-password    required pam_cracklib.so retry=3

270

-password    sufficient pam_unix.so nullok use_authtok shadow md5

271

-password    sufficient pam_ldap.so use_authtok use_first_pass

272

-password    required pam_deny.so

273

-

274

-session required    pam_limits.so

275

-session required    pam_unix.so

276

-session required    pam_mkhomedir.so skel=/etc/skel/ umask=0066

277

-session optional    pam_ldap.so

278

-</pre>

279

+<comment># Note: only add them. Don't kill stuff already in there or your box won't let you login again!</comment>

280

281

-<!--  Should work now, see #87930

282

-<note>

283

-If you find that login on using ssh on these system fails, try interchanging the

284

-two <c>auth sufficient</c> lines. However, you might find that <c>su</c> and

285

-other tools refuse to function correctly if you do.

286

-</note>

287

--->

288

+auth       sufficient   pam_ldap.so use_first_pass

289

+account    sufficient   pam_ldap.so

290

+password   sufficient   pam_ldap.so use_authtok use_first_pass

291

+session    optional     pam_ldap.so

292

+

293

+<comment># Example file:</comment>

294

+#%PAM-1.0

295

+

296

+auth       required     pam_env.so

297

+auth       sufficient   pam_unix.so try_first_pass likeauth nullok

298

+<i>auth       sufficient   pam_ldap.so use_first_pass</i>

299

+auth       required     pam_deny.so

300

+

301

+<i>account    sufficient   pam_ldap.so</i>

302

+account    required     pam_unix.so

303

+

304

+password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3

305

+password   sufficient   pam_unix.so try_first_pass use_authtok nullok md5 shadow

306

+<i>password   sufficient   pam_ldap.so use_authtok use_first_pass</i>

307

+password   required     pam_deny.so

308

+

309

+session    required     pam_limits.so

310

+session    required     pam_unix.so

311

+<i>session    optional     pam_ldap.so</i>

312

+

313

+</pre>

314

315

<p>

316

 Now change <path>/etc/ldap.conf</path> to read:

317

@@ -363,12 +335,10 @@

318

 <comment>#host 127.0.0.1</comment>

319

 <comment>#base dc=padl,dc=com</comment>

320

321

-ssl start_tls

322

-ssl on

323

 suffix          "dc=genfic,dc=com"

324

 <comment>#rootbinddn uid=root,ou=People,dc=genfic,dc=com</comment>

325

326

-uri ldaps://auth.genfic.com/

327

+uri ldap://auth.genfic.com/

328

 pam_password exop

329

330

 ldap_version 3

331

@@ -500,10 +470,9 @@

332

 <body>

333

334

<p>

335

-You can start using the directory to authenticate users in 

336

-apache/proftpd/qmail/samba. You can manage it with Webmin, which provides a 

337

-really easy management interface. You can also use gq or 

338

-directory_administrator. 

339

+You can start using the directory to authenticate users in

340

+apache/proftpd/qmail/samba. You can manage it with Webmin, which provides an

341

+easy management interface. You can also use phpldapadmin, luma, diradm or lat. 

342

 </p>

343

344

 </body>

--

349

gentoo-doc-cvs@g.o mailing list

1	nightmorph 08/01/02 00:45:06
2
3	Modified: ldap-howto.xml
4	Log:
5	merged jokey's patch for the time being. hopefully he and/or robbat2 or other contributors can fill out the guide so we can bring it out of draft status once again. bug 176075
6
7	Revision Changes Path
8	1.36 xml/htdocs/doc/en/ldap-howto.xml
9
10	file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/ldap-howto.xml?rev=1.36&view=markup
11	plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/ldap-howto.xml?rev=1.36&content-type=text/plain
12	diff : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/ldap-howto.xml?r1=1.35&r2=1.36
13
14	Index: ldap-howto.xml
15	===================================================================
16	RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/ldap-howto.xml,v
17	retrieving revision 1.35
18	retrieving revision 1.36
19	diff -u -r1.35 -r1.36
20	--- ldap-howto.xml 29 Nov 2006 15:48:57 -0000 1.35
21	+++ ldap-howto.xml 2 Jan 2008 00:45:06 -0000 1.36
22	@@ -1,24 +1,25 @@
23	<?xml version='1.0' encoding='UTF-8'?>
24	-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/ldap-howto.xml,v 1.35 2006/11/29 15:48:57 nightmorph Exp $ -->
25	+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/ldap-howto.xml,v 1.36 2008/01/02 00:45:06 nightmorph Exp $ -->
26	<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
27
28	-<guide link="/doc/en/ldap-howto.xml" disclaimer="obsolete">
29	+<guide link="/doc/en/ldap-howto.xml" disclaimer="draft">
30	<title>Gentoo Guide to OpenLDAP Authentication</title>
31
32	<author title="Author">
33	<mail link="sj7trunks@××××××××.net">Benjamin Coles</mail>
34	</author>
35	-
36	<author title="Editor">
37	<mail link="swift@g.o">Sven Vermeulen</mail>
38	</author>
39	-
40	<author title="Editor">
41	<mail link="tseng@g.o">Brandon Hale</mail>
42	</author>
43	<author title="Editor">
44	<mail link="bennyc@g.o">Benny Chuang</mail>
45	</author>
46	+<author title="Editor">
47	+ <mail link="jokey"/>
48	+</author>
49
50
51	<abstract>
52	@@ -30,8 +31,8 @@
53	<!-- See http://creativecommons.org/licenses/by-sa/2.5 -->
54	<license/>
55
56	-<version>0.22</version>
57	-<date>2005-10-21</date>
58	+<version>0.23</version>
59	+<date>2008-01-01</date>
60
61	<chapter>
62	<title>Getting Started with OpenLDAP</title>
63	@@ -155,43 +156,65 @@
64	</p>
65
66	<pre caption="Install OpenLDAP">
67	-# <i>emerge openldap pam_ldap nss_ldap migrationtools</i>
68	-# <i>chown ldap:ldap /var/lib/openldap-ldbm /var/lib/openldap-data /var/lib/openldap-slurp</i>
69	+# <i>emerge ">=net-nds/openldap-2.3.38" pam_ldap nss_ldap</i>
70	</pre>
71
72	<p>
73	-Edit <path>/etc/openldap/slapd.conf</path> and add the following right after
74	-<c>core.schema</c>:
75	+Now generate an encrypted password we'll use later on:
76	+</p>
77	+
78	+<pre caption="Generate password">
79	+# slappasswd
80	+New password: my-password
81	+Re-enter new password: my-password
82	+{SSHA}EzP6I82DZRnW+ou6lyiXHGxSpSOw2XO4
83	+</pre>
84	+
85	+<p>
86	+Now edit the LDAP Server config at <path>/etc/openldap/slapd.conf</path>:
87	</p>
88
89	<pre caption="/etc/openldap/slapd.conf">
90	-<comment># Include the needed data schemes</comment>
91	+<comment># Include the needed data schemes below core.schema</comment>
92	include /etc/openldap/schema/cosine.schema
93	include /etc/openldap/schema/inetorgperson.schema
94	include /etc/openldap/schema/nis.schema
95
96	-<comment># Use md5 to hash the passwords</comment>
97	-password-hash {md5}
98	+<comment>Uncomment modulepath and hdb module</comment>
99	+# Load dynamic backend modules:
100	+modulepath /usr/lib/openldap/openldap
101	+# moduleload back_shell.so
102	+# moduleload back_relay.so
103	+# moduleload back_perl.so
104	+# moduleload back_passwd.so
105	+# moduleload back_null.so
106	+# moduleload back_monitor.so
107	+# moduleload back_meta.so
108	+moduleload back_hdb.so
109	+# moduleload back_dnssrv.so
110	+
111	+<comment># Uncomment sample access restrictions (Note: maintain indentation!)</comment>
112	+access to dn.base="" by * read
113	+access to dn.base="cn=Subschema" by * read
114	+access to *
115	+ by self write
116	+ by users read
117	+ by anonymous auth
118
119	-<comment># Define SSL and TLS properties (optional)</comment>
120	-TLSCertificateFile /etc/ssl/ldap.pem
121	-TLSCertificateKeyFile /etc/openldap/ssl/ldap.pem
122	-TLSCACertificateFile /etc/ssl/ldap.pem
123
124	-<comment>(Further down...)</comment>
125	+<comment># BDB Database definition</comment>
126
127	-database ldbm
128	+database hdb
129	suffix "dc=genfic,dc=com"
130	+checkpoint 32 30 # <kbyte> <min>
131	rootdn "cn=Manager,dc=genfic,dc=com"
132	-rootpw <i>{MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==</i>
133	+rootpw <i>{SSHA}EzP6I82DZRnW+ou6lyiXHGxSpSOw2XO4</i>
134	directory /var/lib/openldap-ldbm
135	index objectClass eq
136	-
137	-<comment>(You can get an encrypted password like above with slappasswd -h {Md5})</comment>
138	</pre>
139
140	<p>
141	-Next we edit the LDAP configuration file:
142	+Next we edit the LDAP Client configuration file:
143	</p>
144
145	<pre caption="/etc/openldap/ldap.conf">
146	@@ -199,32 +222,18 @@
147	<comment>(Add the following...)</comment>
148
149	BASE dc=genfic, dc=com
150	-URI ldaps://auth.genfic.com:636/
151	+URI ldap://auth.genfic.com:389/
152	TLS_REQCERT allow
153	</pre>
154
155	<p>
156	-Now you will generate an SSL certificate to secure your directory.
157	-Answer the question you receive as good as possible. When asked for your
158	-<e>Common Name</e>, enter the name the clients will use when contacting
159	-the server. This is usually the full domainname (e.g.
160	-<path>auth.genfic.com</path>).
161	-</p>
162	-
163	-<pre caption="Generating SSL Certificate">
164	-# <i>cd /etc/ssl</i>
165	-# <i>openssl req -config /etc/ssl/openssl.cnf -new -x509 -nodes -out \
166	-ldap.pem -keyout /etc/openldap/ssl/ldap.pem -days 999999</i>
167	-# <i>chown ldap:ldap /etc/openldap/ssl/ldap.pem</i>
168	-</pre>
169	-
170	-<p>
171	Now edit <path>/etc/conf.d/slapd</path> and add the following, commenting out
172	the existing line:
173	</p>
174
175	<pre caption="/etc/conf.d/slapd">
176	-OPTS="-h 'ldaps:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"
177	+<comment># Note: we don't use cn=config here, so stay with this line:</comment>
178	+OPTS="-h 'ldap:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"
179	</pre>
180
181	<p>
182	@@ -253,60 +262,22 @@
183	</chapter>
184
185	<chapter>
186	-<title>Migrate Existing Data</title>
187	+<title>Client Configuration</title>
188	<section>
189	-<title>Migrate User Accounts</title>
190	+<title>Migrate existing data to ldap</title>
191	<body>
192
193	<p>
194	-Next, we migrate the user accounts. Open
195	-<path>/usr/share/migrationtools/migrate_common.ph</path> and edit the
196	-following:
197	-</p>
198	-
199	-<pre caption="/usr/share/migrationtools/migrate_common.ph">
200	-$DEFAULT_BASE = "dc=genfic,dc=com";
201	-$EXTENDED_SCHEMA = 1;
202	-<comment># Comment these lines out unless you have a mail schema loaded</comment>
203	-<comment>#$DEFAULT_MAIL_DOMAIN = "genfic.com";</comment>
204	-<comment>#$DEFAULT_MAIL_HOST = "mail.genfic.com";</comment>
205	-</pre>
206	-
207	-<p>
208	-Now run the migration scripts:
209	-</p>
210	-
211	-<pre caption="Running the migration scripts">
212	-# <i>export ETC_SHADOW=/etc/shadow</i>
213	-# <i>cd /usr/share/migrationtools</i>
214	-# <i>./migrate_base.pl > /tmp/base.ldif</i>
215	-# <i>./migrate_group.pl /etc/group /tmp/group.ldif</i>
216	-# <i>./migrate_hosts.pl /etc/hosts /tmp/hosts.ldif</i>
217	-# <i>./migrate_passwd.pl /etc/passwd /tmp/passwd.ldif</i>
218	-</pre>
219	-
220	-<p>
221	-This last step migrated the files above to ldif files read by LDAP. Now lets add the files to our directory:
222	-</p>
223	-
224	-<pre caption="Importing the data to our directory">
225	-# <i>ldapadd -D "cn=Manager,dc=genfic,dc=com" -W -f /tmp/base.ldif</i>
226	-# <i>ldapadd -D "cn=Manager,dc=genfic,dc=com" -W -f /tmp/group.ldif</i>
227	-# <i>ldapadd -D "cn=Manager,dc=genfic,dc=com" -W -f /tmp/passwd.ldif</i>
228	-# <i>ldapadd -D "cn=Manager,dc=genfic,dc=com" -W -f /tmp/hosts.ldif</i>
229	-</pre>
230	-
231	-<p>
232	-If you come across an error in your ldif files, you can resume from where you
233	-left off by using <c>ldapadd -c</c>.
234	+Go to <uri
235	+link="http://www.padl.com/OSS/MigrationTools.html">http://www.padl.com/OSS/MigrationTools.html</uri>
236	+and fetch the scripts there. Configuration is stated on the page. We don't ship
237	+this anymore because the scripts are a potential security hole if you leave
238	+them on the system after porting. When you've finished migrating your data,
239	+continue to the next section.
240	</p>
241
242	</body>
243	</section>
244	-</chapter>
245	-
246	-<chapter>
247	-<title>Client Configuration</title>
248	<section>
249	<title>Configuring PAM</title>
250	<body>
251	@@ -323,37 +294,38 @@
252	</pre>
253
254	<p>
255	-Now edit <path>/etc/pam.d/system-auth</path> so it looks like the following:
256	+Now add the following lines in the right places to <path>/etc/pam.d/system-auth</path>:
257	</p>
258
259	<pre caption="/etc/pam.d/system-auth">
260	-auth required pam_env.so
261	-auth sufficient pam_unix.so likeauth nullok shadow
262	-auth sufficient pam_ldap.so use_first_pass
263	-auth required pam_deny.so
264	-
265	-account requisite pam_unix.so
266	-account sufficient pam_localuser.so
267	-account required pam_ldap.so
268	-
269	-password required pam_cracklib.so retry=3
270	-password sufficient pam_unix.so nullok use_authtok shadow md5
271	-password sufficient pam_ldap.so use_authtok use_first_pass
272	-password required pam_deny.so
273	-
274	-session required pam_limits.so
275	-session required pam_unix.so
276	-session required pam_mkhomedir.so skel=/etc/skel/ umask=0066
277	-session optional pam_ldap.so
278	-</pre>
279	+<comment># Note: only add them. Don't kill stuff already in there or your box won't let you login again!</comment>
280
281	-<!-- Should work now, see #87930
282	-<note>
283	-If you find that login on using ssh on these system fails, try interchanging the
284	-two <c>auth sufficient</c> lines. However, you might find that <c>su</c> and
285	-other tools refuse to function correctly if you do.
286	-</note>
287	--->
288	+auth sufficient pam_ldap.so use_first_pass
289	+account sufficient pam_ldap.so
290	+password sufficient pam_ldap.so use_authtok use_first_pass
291	+session optional pam_ldap.so
292	+
293	+<comment># Example file:</comment>
294	+#%PAM-1.0
295	+
296	+auth required pam_env.so
297	+auth sufficient pam_unix.so try_first_pass likeauth nullok
298	+<i>auth sufficient pam_ldap.so use_first_pass</i>
299	+auth required pam_deny.so
300	+
301	+<i>account sufficient pam_ldap.so</i>
302	+account required pam_unix.so
303	+
304	+password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
305	+password sufficient pam_unix.so try_first_pass use_authtok nullok md5 shadow
306	+<i>password sufficient pam_ldap.so use_authtok use_first_pass</i>
307	+password required pam_deny.so
308	+
309	+session required pam_limits.so
310	+session required pam_unix.so
311	+<i>session optional pam_ldap.so</i>
312	+
313	+</pre>
314
315	<p>
316	Now change <path>/etc/ldap.conf</path> to read:
317	@@ -363,12 +335,10 @@
318	<comment>#host 127.0.0.1</comment>
319	<comment>#base dc=padl,dc=com</comment>
320
321	-ssl start_tls
322	-ssl on
323	suffix "dc=genfic,dc=com"
324	<comment>#rootbinddn uid=root,ou=People,dc=genfic,dc=com</comment>
325
326	-uri ldaps://auth.genfic.com/
327	+uri ldap://auth.genfic.com/
328	pam_password exop
329
330	ldap_version 3
331	@@ -500,10 +470,9 @@
332	<body>
333
334	<p>
335	-You can start using the directory to authenticate users in
336	-apache/proftpd/qmail/samba. You can manage it with Webmin, which provides a
337	-really easy management interface. You can also use gq or
338	-directory_administrator.
339	+You can start using the directory to authenticate users in
340	+apache/proftpd/qmail/samba. You can manage it with Webmin, which provides an
341	+easy management interface. You can also use phpldapadmin, luma, diradm or lat.
342	</p>
343
344	</body>
345
346
347
348	--
349	gentoo-doc-cvs@g.o mailing list

Gentoo Archives: gentoo-doc-cvs