Gentoo Archives: gentoo-doc-cvs

From: Joshua Saddler <nightmorph@××××××××××××.org>
To: gentoo-doc-cvs@l.g.o
Subject: [gentoo-doc-cvs] cvs commit: ldap-howto.xml
Date: Wed, 02 Jan 2008 00:45:24
Message-Id: E1J9rjG-0008M1-Vn@stork.gentoo.org
1 nightmorph 08/01/02 00:45:06
2
3 Modified: ldap-howto.xml
4 Log:
5 Merged jokey's patch for the time being. Hopefully he and/or robbat2 or other contributors can fill out the guide so we can bring it out of draft status once again. Bug 176075
6
7 Revision Changes Path
8 1.36 xml/htdocs/doc/en/ldap-howto.xml
9
10 file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/ldap-howto.xml?rev=1.36&view=markup
11 plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/ldap-howto.xml?rev=1.36&content-type=text/plain
12 diff : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/ldap-howto.xml?r1=1.35&r2=1.36
13
14 Index: ldap-howto.xml
15 ===================================================================
16 RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/ldap-howto.xml,v
17 retrieving revision 1.35
18 retrieving revision 1.36
19 diff -u -r1.35 -r1.36
20 --- ldap-howto.xml 29 Nov 2006 15:48:57 -0000 1.35
21 +++ ldap-howto.xml 2 Jan 2008 00:45:06 -0000 1.36
22 @@ -1,24 +1,25 @@
23 <?xml version='1.0' encoding='UTF-8'?>
24 -<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/ldap-howto.xml,v 1.35 2006/11/29 15:48:57 nightmorph Exp $ -->
25 +<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/ldap-howto.xml,v 1.36 2008/01/02 00:45:06 nightmorph Exp $ -->
26 <!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
27
28 -<guide link="/doc/en/ldap-howto.xml" disclaimer="obsolete">
29 +<guide link="/doc/en/ldap-howto.xml" disclaimer="draft">
30 <title>Gentoo Guide to OpenLDAP Authentication</title>
31
32 <author title="Author">
33 <mail link="sj7trunks@××××××××.net">Benjamin Coles</mail>
34 </author>
35 -
36 <author title="Editor">
37 <mail link="swift@g.o">Sven Vermeulen</mail>
38 </author>
39 -
40 <author title="Editor">
41 <mail link="tseng@g.o">Brandon Hale</mail>
42 </author>
43 <author title="Editor">
44 <mail link="bennyc@g.o">Benny Chuang</mail>
45 </author>
46 +<author title="Editor">
47 + <mail link="jokey"/>
48 +</author>
49
50
51 <abstract>
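Review bot: the new editor entry `<mail link="jokey"/>` is inconsistent with the surrounding author blocks, which all give a resolvable address (`swift@g.o`, `tseng@g.o`, `bennyc@g.o`) as the `link` and a display name as element content; a bare nickname with no content is unlikely to render as a working mailto link. Suggest `<mail link="jokey@g.o">` with the editor's name as content, matching the other `<author title="Editor">` blocks. The `disclaimer` change from `obsolete` to `draft` matches the intent stated in the commit message.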
52 @@ -30,8 +31,8 @@
53 <!-- See http://creativecommons.org/licenses/by-sa/2.5 -->
54 <license/>
55
56 -<version>0.22</version>
57 -<date>2005-10-21</date>
58 +<version>0.23</version>
59 +<date>2008-01-01</date>
60
61 <chapter>
62 <title>Getting Started with OpenLDAP</title>
63 @@ -155,43 +156,65 @@
64 </p>
65
66 <pre caption="Install OpenLDAP">
67 -# <i>emerge openldap pam_ldap nss_ldap migrationtools</i>
68 -# <i>chown ldap:ldap /var/lib/openldap-ldbm /var/lib/openldap-data /var/lib/openldap-slurp</i>
69 +# <i>emerge ">=net-nds/openldap-2.3.38" pam_ldap nss_ldap</i>
70 </pre>
71
72 <p>
73 -Edit <path>/etc/openldap/slapd.conf</path> and add the following right after
74 -<c>core.schema</c>:
75 +Now generate an encrypted password we'll use later on:
76 +</p>
77 +
78 +<pre caption="Generate password">
79 +# slappasswd
80 +New password: my-password
81 +Re-enter new password: my-password
82 +{SSHA}EzP6I82DZRnW+ou6lyiXHGxSpSOw2XO4
83 +</pre>
84 +
85 +<p>
86 +Now edit the LDAP Server config at <path>/etc/openldap/slapd.conf</path>:
87 </p>
88
89 <pre caption="/etc/openldap/slapd.conf">
90 -<comment># Include the needed data schemes</comment>
91 +<comment># Include the needed data schemes below core.schema</comment>
92 include /etc/openldap/schema/cosine.schema
93 include /etc/openldap/schema/inetorgperson.schema
94 include /etc/openldap/schema/nis.schema
95
96 -<comment># Use md5 to hash the passwords</comment>
97 -password-hash {md5}
98 +<comment>Uncomment modulepath and hdb module</comment>
99 +# Load dynamic backend modules:
100 +modulepath /usr/lib/openldap/openldap
101 +# moduleload back_shell.so
102 +# moduleload back_relay.so
103 +# moduleload back_perl.so
104 +# moduleload back_passwd.so
105 +# moduleload back_null.so
106 +# moduleload back_monitor.so
107 +# moduleload back_meta.so
108 +moduleload back_hdb.so
109 +# moduleload back_dnssrv.so
110 +
111 +<comment># Uncomment sample access restrictions (Note: maintain indentation!)</comment>
112 +access to dn.base="" by * read
113 +access to dn.base="cn=Subschema" by * read
114 +access to *
115 + by self write
116 + by users read
117 + by anonymous auth
118
119 -<comment># Define SSL and TLS properties (optional)</comment>
120 -TLSCertificateFile /etc/ssl/ldap.pem
121 -TLSCertificateKeyFile /etc/openldap/ssl/ldap.pem
122 -TLSCACertificateFile /etc/ssl/ldap.pem
123
124 -<comment>(Further down...)</comment>
125 +<comment># BDB Database definition</comment>
126
127 -database ldbm
128 +database hdb
129 suffix "dc=genfic,dc=com"
130 +checkpoint 32 30 # &lt;kbyte&gt; &lt;min&gt;
131 rootdn "cn=Manager,dc=genfic,dc=com"
132 -rootpw <i>{MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==</i>
133 +rootpw <i>{SSHA}EzP6I82DZRnW+ou6lyiXHGxSpSOw2XO4</i>
134 directory /var/lib/openldap-ldbm
135 index objectClass eq
136 -
137 -<comment>(You can get an encrypted password like above with slappasswd -h {Md5})</comment>
138 </pre>
139
140 <p>
141 -Next we edit the LDAP configuration file:
142 +Next we edit the LDAP Client configuration file:
143 </p>
144
145 <pre caption="/etc/openldap/ldap.conf">
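Review bot: the hunk deletes the `TLSCertificateFile`, `TLSCertificateKeyFile` and `TLSCACertificateFile` lines from slapd.conf without replacing them, so the server described by this guide no longer offers TLS at all; combined with the later switch to `ldap://`, the simple binds pam_ldap performs will carry user passwords in the clear on the wire. If TLS is being dropped from the draft on purpose, a `<note>` saying so and marking it as a follow-up item is better than a silent removal. Two smaller points in the same `<pre>`: the backend changes from `ldbm` to `hdb` but `directory /var/lib/openldap-ldbm` is kept, and the `chown ldap:ldap ... /var/lib/openldap-data ...` step is removed from the install block, so the text should state which data directory the hdb backend uses and that it is owned by `ldap`; and `rootpw` now holds the exact `{SSHA}` hash produced from the documented example password `my-password`, so a `<comment>` telling readers to paste their own `slappasswd` output rather than this value would avoid every reader of the guide sharing one root password. Also `<comment>Uncomment modulepath and hdb module</comment>` lacks the leading `#` that the other comments in this block use.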
146 @@ -199,32 +222,18 @@
147 <comment>(Add the following...)</comment>
148
149 BASE dc=genfic, dc=com
150 -URI ldaps://auth.genfic.com:636/
151 +URI ldap://auth.genfic.com:389/
152 TLS_REQCERT allow
153 </pre>
154
155 <p>
156 -Now you will generate an SSL certificate to secure your directory.
157 -Answer the question you receive as good as possible. When asked for your
158 -<e>Common Name</e>, enter the name the clients will use when contacting
159 -the server. This is usually the full domainname (e.g.
160 -<path>auth.genfic.com</path>).
161 -</p>
162 -
163 -<pre caption="Generating SSL Certificate">
164 -# <i>cd /etc/ssl</i>
165 -# <i>openssl req -config /etc/ssl/openssl.cnf -new -x509 -nodes -out \
166 -ldap.pem -keyout /etc/openldap/ssl/ldap.pem -days 999999</i>
167 -# <i>chown ldap:ldap /etc/openldap/ssl/ldap.pem</i>
168 -</pre>
169 -
170 -<p>
171 Now edit <path>/etc/conf.d/slapd</path> and add the following, commenting out
172 the existing line:
173 </p>
174
175 <pre caption="/etc/conf.d/slapd">
176 -OPTS="-h 'ldaps:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"
177 +<comment># Note: we don't use cn=config here, so stay with this line:</comment>
178 +OPTS="-h 'ldap:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"
179 </pre>
180
181 <p>
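Review bot: `URI ldap://auth.genfic.com:389/` replaces the `ldaps://` URI and the whole certificate-generation `<pre>` is removed, yet `TLS_REQCERT allow` stays in the same ldap.conf block, where it now refers to a TLS setup the guide no longer describes. Either drop `TLS_REQCERT` along with the rest, or keep the `openssl req ...` block as an optional section and document `ldap://` plus StartTLS as the supported path. In the `/etc/conf.d/slapd` part, the new `<comment>` explains why cn=config is not used but not why `ldaps://` was dropped from `OPTS`; one sentence on that would help readers who still have the previous `ldaps://` line in place.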
182 @@ -253,60 +262,22 @@
183 </chapter>
184
185 <chapter>
186 -<title>Migrate Existing Data</title>
187 +<title>Client Configuration</title>
188 <section>
189 -<title>Migrate User Accounts</title>
190 +<title>Migrate existing data to ldap</title>
191 <body>
192
193 <p>
194 -Next, we migrate the user accounts. Open
195 -<path>/usr/share/migrationtools/migrate_common.ph</path> and edit the
196 -following:
197 -</p>
198 -
199 -<pre caption="/usr/share/migrationtools/migrate_common.ph">
200 -$DEFAULT_BASE = "dc=genfic,dc=com";
201 -$EXTENDED_SCHEMA = 1;
202 -<comment># Comment these lines out unless you have a mail schema loaded</comment>
203 -<comment>#$DEFAULT_MAIL_DOMAIN = "genfic.com";</comment>
204 -<comment>#$DEFAULT_MAIL_HOST = "mail.genfic.com";</comment>
205 -</pre>
206 -
207 -<p>
208 -Now run the migration scripts:
209 -</p>
210 -
211 -<pre caption="Running the migration scripts">
212 -# <i>export ETC_SHADOW=/etc/shadow</i>
213 -# <i>cd /usr/share/migrationtools</i>
214 -# <i>./migrate_base.pl > /tmp/base.ldif</i>
215 -# <i>./migrate_group.pl /etc/group /tmp/group.ldif</i>
216 -# <i>./migrate_hosts.pl /etc/hosts /tmp/hosts.ldif</i>
217 -# <i>./migrate_passwd.pl /etc/passwd /tmp/passwd.ldif</i>
218 -</pre>
219 -
220 -<p>
221 -This last step migrated the files above to ldif files read by LDAP. Now lets add the files to our directory:
222 -</p>
223 -
224 -<pre caption="Importing the data to our directory">
225 -# <i>ldapadd -D "cn=Manager,dc=genfic,dc=com" -W -f /tmp/base.ldif</i>
226 -# <i>ldapadd -D "cn=Manager,dc=genfic,dc=com" -W -f /tmp/group.ldif</i>
227 -# <i>ldapadd -D "cn=Manager,dc=genfic,dc=com" -W -f /tmp/passwd.ldif</i>
228 -# <i>ldapadd -D "cn=Manager,dc=genfic,dc=com" -W -f /tmp/hosts.ldif</i>
229 -</pre>
230 -
231 -<p>
232 -If you come across an error in your ldif files, you can resume from where you
233 -left off by using <c>ldapadd -c</c>.
234 +Go to <uri
235 +link="http://www.padl.com/OSS/MigrationTools.html">http://www.padl.com/OSS/MigrationTools.html</uri>
236 +and fetch the scripts there. Configuration is stated on the page. We don't ship
237 +this anymore because the scripts are a potential security hole if you leave
238 +them on the system after porting. When you've finished migrating your data,
239 +continue to the next section.
240 </p>
241
242 </body>
243 </section>
244 -</chapter>
245 -
246 -<chapter>
247 -<title>Client Configuration</title>
248 <section>
249 <title>Configuring PAM</title>
250 <body>
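Review bot: the replacement paragraph calls the migration scripts "a potential security hole if you leave them on the system after porting" without saying why, while the removed lines show the actual risk: `export ETC_SHADOW=/etc/shadow` feeds the password hashes into `/tmp/passwd.ldif`, a file left in the shared `/tmp` directory. The advice should therefore cover deleting the generated LDIF files as well as the scripts, and writing them somewhere only root can read instead of `/tmp`. "Configuration is stated on the page" is too thin a replacement for the deleted `migrate_common.ph` settings (`$DEFAULT_BASE`, `$EXTENDED_SCHEMA`); at least the base DN requirement should remain in the guide. Also, folding this section into the "Client Configuration" chapter places a server-side import step (the removed `ldapadd -D "cn=Manager,..."` lines) under a client heading, and the new section title should read "LDAP" rather than "ldap" to match the rest of the document.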
251 @@ -323,37 +294,38 @@
252 </pre>
253
254 <p>
255 -Now edit <path>/etc/pam.d/system-auth</path> so it looks like the following:
256 +Now add the following lines in the right places to <path>/etc/pam.d/system-auth</path>:
257 </p>
258
259 <pre caption="/etc/pam.d/system-auth">
260 -auth required pam_env.so
261 -auth sufficient pam_unix.so likeauth nullok shadow
262 -auth sufficient pam_ldap.so use_first_pass
263 -auth required pam_deny.so
264 -
265 -account requisite pam_unix.so
266 -account sufficient pam_localuser.so
267 -account required pam_ldap.so
268 -
269 -password required pam_cracklib.so retry=3
270 -password sufficient pam_unix.so nullok use_authtok shadow md5
271 -password sufficient pam_ldap.so use_authtok use_first_pass
272 -password required pam_deny.so
273 -
274 -session required pam_limits.so
275 -session required pam_unix.so
276 -session required pam_mkhomedir.so skel=/etc/skel/ umask=0066
277 -session optional pam_ldap.so
278 -</pre>
279 +<comment># Note: only add them. Don't kill stuff already in there or your box won't let you login again!</comment>
280
281 -<!-- Should work now, see #87930
282 -<note>
283 -If you find that login on using ssh on these system fails, try interchanging the
284 -two <c>auth sufficient</c> lines. However, you might find that <c>su</c> and
285 -other tools refuse to function correctly if you do.
286 -</note>
287 --->
288 +auth sufficient pam_ldap.so use_first_pass
289 +account sufficient pam_ldap.so
290 +password sufficient pam_ldap.so use_authtok use_first_pass
291 +session optional pam_ldap.so
292 +
293 +<comment># Example file:</comment>
294 +#%PAM-1.0
295 +
296 +auth required pam_env.so
297 +auth sufficient pam_unix.so try_first_pass likeauth nullok
298 +<i>auth sufficient pam_ldap.so use_first_pass</i>
299 +auth required pam_deny.so
300 +
301 +<i>account sufficient pam_ldap.so</i>
302 +account required pam_unix.so
303 +
304 +password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
305 +password sufficient pam_unix.so try_first_pass use_authtok nullok md5 shadow
306 +<i>password sufficient pam_ldap.so use_authtok use_first_pass</i>
307 +password required pam_deny.so
308 +
309 +session required pam_limits.so
310 +session required pam_unix.so
311 +<i>session optional pam_ldap.so</i>
312 +
313 +</pre>
314
315 <p>
316 Now change <path>/etc/ldap.conf</path> to read:
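Review bot: in the example file, `account sufficient pam_ldap.so` now precedes `account required pam_unix.so`, so for an LDAP user whose account check succeeds the account stack ends there and `pam_unix` is never evaluated; the previous version had `account required pam_ldap.so` after `pam_unix`/`pam_localuser`, so this is a behaviour change and the text should say it is intended. The `<comment>` telling readers to only add lines is good advice, but the example file also silently drops `session required pam_mkhomedir.so skel=/etc/skel/ umask=0066` from the old version; readers who rely on automatic home directory creation for LDAP users should be told it was removed and may be added back. Minor: there is a stray empty line before `</pre>`, and the `#%PAM-1.0` header sits inside the example without a `<comment>` wrapper, unlike the other comment lines in this block.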
317 @@ -363,12 +335,10 @@
318 <comment>#host 127.0.0.1</comment>
319 <comment>#base dc=padl,dc=com</comment>
320
321 -ssl start_tls
322 -ssl on
323 suffix "dc=genfic,dc=com"
324 <comment>#rootbinddn uid=root,ou=People,dc=genfic,dc=com</comment>
325
326 -uri ldaps://auth.genfic.com/
327 +uri ldap://auth.genfic.com/
328 pam_password exop
329
330 ldap_version 3
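Review bot: removing `ssl start_tls` and `ssl on` and changing `uri` to `ldap://auth.genfic.com/` while keeping `pam_password exop` means the password-modify extended operation now sends a user's new password over an unencrypted connection, and every simple bind does the same with the existing one; this is the client-side half of the TLS removal in the earlier slapd.conf hunk. If TLS is out of scope for this draft, a `<warn>` belongs here, since `/etc/ldap.conf` is the file every workstation copies; otherwise keep `ssl start_tls` (not `ssl on`, which implies ldaps) together with the plain `ldap://` URI.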
331 @@ -500,10 +470,9 @@
332 <body>
333
334 <p>
335 -You can start using the directory to authenticate users in
336 -apache/proftpd/qmail/samba. You can manage it with Webmin, which provides a
337 -really easy management interface. You can also use gq or
338 -directory_administrator.
339 +You can start using the directory to authenticate users in
340 +apache/proftpd/qmail/samba. You can manage it with Webmin, which provides an
341 +easy management interface. You can also use phpldapadmin, luma, diradm or lat.
342 </p>
343
344 </body>
345
346
347
348 --
349 gentoo-doc-cvs@g.o mailing list