Gentoo Archives: gentoo-doc-cvs

From: "Sven Vermeulen (swift)" <swift@g.o>
To: gentoo-doc-cvs@l.g.o
Subject: [gentoo-doc-cvs] gentoo commit in xml/htdocs/doc/en: ldap-howto.xml
Date: Mon, 15 Aug 2011 20:25:55
swift       11/08/15 20:25:30

  Modified:             ldap-howto.xml
  Fix #176075 - Updated OpenLDAP guide

Revision  Changes    Path
1.44                 xml/htdocs/doc/en/ldap-howto.xml


Index: ldap-howto.xml
RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/ldap-howto.xml,v
retrieving revision 1.43
retrieving revision 1.44
diff -u -r1.43 -r1.44
--- ldap-howto.xml	18 Apr 2011 02:01:11 -0000	1.43
+++ ldap-howto.xml	15 Aug 2011 20:25:30 -0000	1.44
@@ -1,15 +1,15 @@
 <?xml version='1.0' encoding='UTF-8'?>
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/ldap-howto.xml,v 1.43 2011/04/18 02:01:11 nightmorph Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/ldap-howto.xml,v 1.44 2011/08/15 20:25:30 swift Exp $ -->
 <!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
-<guide disclaimer="draft">
 <title>Gentoo Guide to OpenLDAP Authentication</title>
 <author title="Author">
   <mail link="sj7trunks@××××××××.net">Benjamin Coles</mail>
-<author title="Editor">
-  <mail link="swift@g.o">Sven Vermeulen</mail>
+<author title="Author">
+  <mail link="swift"/>
 <author title="Editor">
   <mail link="tseng@g.o">Brandon Hale</mail>
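Review bot: dropping `disclaimer="draft"` from the `<guide>` element publishes the guide as final, yet the replication and migration sections added later in this patch still carry empty placeholders (`<c></c>` for the migration script name, `provider=ldap://` without a host, `<ti></ti>` in the input table); keep the draft disclaimer until those are filled in, or note in the commit message that they are intentional. Sven Vermeulen also moves from `Editor` to a second `Author` entry written as `<mail link="swift"/>`, while the other entries keep the full `name@g.o` form; pick one form for all author entries.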
@@ -33,8 +33,8 @@
 <!-- See -->
 <title>Getting Started with OpenLDAP</title>
@@ -166,52 +166,66 @@
 <pre caption="Generate password">
 # <i>slappasswd</i>
-New password: my-password
-Re-enter new password: my-password
+New password: <i>my-password</i>
+Re-enter new password: <i>my-password</i>
-Now edit the LDAP Server config at <path>/etc/openldap/slapd.conf</path>:
+Now edit the LDAP Server config at <path>/etc/openldap/slapd.conf</path>. Below
+we'll give a sample configuration file to get things started. For a more
+detailed analysis of the configuration file, we suggest that you work through
+the OpenLDAP Administrator's Guide.
 <pre caption="/etc/openldap/slapd.conf">
-<comment># Include the needed data schemes below core.schema</comment>
-include         /etc/openldap/schema/cosine.schema
-include         /etc/openldap/schema/inetorgperson.schema
-include         /etc/openldap/schema/nis.schema
-<comment>Uncomment modulepath and hdb module</comment>
-# Load dynamic backend modules:
-modulepath    /usr/lib/openldap/openldap
-# moduleload
-# moduleload
-# moduleload
-# moduleload
-# moduleload
-# moduleload
-# moduleload
-# moduleload
+include	/etc/openldap/schema/core.schema
+include /etc/openldap/schema/cosine.schema
+include /etc/openldap/schema/inetorgperson.schema
+include /etc/openldap/schema/nis.schema
+include	/etc/openldap/schema/misc.schema
+pidfile /var/run/openldap/
+argsfile /var/run/openldap/slapd.args
-<comment># Uncomment sample access restrictions (Note: maintain indentation!)</comment>
+serverID 0 <comment>Used in case of replication</comment>
+loglevel 0
+<comment>## Access Controls</comment>
 access to dn.base="" by * read
 access to dn.base="cn=Subschema" by * read
 access to *
-   by self write
-   by users read
-   by anonymous auth
+  by self write
+  by users read
+  by anonymous read
+<comment>## Database definition</comment>
+database hdb
+suffix "dc=genfic,dc=com"
+checkpoint 32 30
+rootdn "cn=Manager,dc=genfic,dc=com"
+rootpw "{SSHA}EzP6I82DZRnW+ou6lyiXHGxSpSOw2XO4" <comment># See earlier slappasswd command</comment>
+directory "/var/lib/openldap-ldbm"
+index objectClass eq
+<comment>## Synchronisation (pull from other LDAP server)</comment>
+syncrepl rid=000
+  provider=ldap://
+  type=refreshAndPersist
+  retry="5 5 300 +"
+  searchbase="dc=genfic,dc=com"
+  attrs="*,+"
+  bindmethod="simple"
+  binddn="cn=ldapreader,dc=genfic,dc=com"
+  credentials="ldapsyncpass"
-<comment># BDB Database definition</comment>
+index entryCSN eq
+index entryUUID eq
-database        hdb
-suffix          "dc=genfic,dc=com"
-checkpoint      32      30 # &lt;kbyte&gt; &lt;min&gt;
-rootdn          "cn=Manager,dc=genfic,dc=com"
-rootpw          <i>{SSHA}EzP6I82DZRnW+ou6lyiXHGxSpSOw2XO4</i>
-directory       /var/lib/openldap-ldbm
-index           objectClass     eq
+mirrormode TRUE
+overlay syncprov
+syncprov-checkpoint 100 10
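Review bot: changing `by anonymous auth` to `by anonymous read` in the `access to *` rule is a security regression: with no attribute-specific rule in front of it, anonymous clients can now read every attribute in the tree, `userPassword` hashes included (and `by users read` already exposes them to every authenticated user). Keep `by anonymous auth` and put a rule such as `access to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none` before `access to *`. Further in the same sample, `pidfile /var/run/openldap/` names a directory rather than a file (compare `argsfile /var/run/openldap/slapd.args`), `provider=ldap://` in the `syncrepl` stanza has no host, and `loglevel 0` disables all logging, leaving nothing with which to notice failed binds or replication errors; `loglevel stats` is the usual minimum. Since `credentials="ldapsyncpass"` and `rootpw` now live in this file, the text should also tell the reader to keep `slapd.conf` unreadable by others (for example owner `root:ldap`, mode 640).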
@@ -223,17 +237,27 @@
 <comment>(Add the following...)</comment>
 BASE         dc=genfic, dc=com
-URI          ldap://
+URI          ldap:// ldap:// ldap://
-Now edit <path>/etc/conf.d/slapd</path> and uncomment the following OPTS line:
+Now edit <path>/etc/conf.d/slapd</path> and set the following OPTS line:
 <pre caption="/etc/conf.d/slapd">
-<comment># Note: we don't use cn=config here, so stay with this line:</comment>
-OPTS="-F /etc/openldap/slapd.d -h 'ldaps:// ldap:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"
+OPTS="-h 'ldaps:// ldap:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"
+Finally, create the <path>/var/lib/openldap-ldbm</path> structure:
+<pre caption="Preparing the openldap-ldbm location">
+~# <i>mkdir -p /var/lib/openldap-ldbm</i>
+~# <i>chown ldap:ldap /var/lib/openldap-ldbm</i>
+~# <i>chmod 700 /var/lib/openldap-ldbm</i>
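Review bot: `OPTS` still advertises an `ldaps://` listener, but the `slapd.conf` sample in the previous hunk defines no `TLSCertificateFile`, `TLSCertificateKeyFile` or `TLSCACertificateFile`, so slapd cannot bring up that listener and fails at startup; either add the TLS directives (and have the client `URI` line use `ldaps://` or `start_tls`) or drop `ldaps://` from the listener list. The client `URI ldap:// ldap:// ldap://` line lists three servers but no host names. The `mkdir`, `chown ldap:ldap` and `chmod 700` steps for `/var/lib/openldap-ldbm` are a good addition and match the `directory` setting in the server configuration.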
@@ -262,18 +286,153 @@
+<title>If you need high availability</title>
+If your environment requires high availability, then you need to setup
+replication of changes across multiple LDAP systems. Replication within OpenLDAP
+is, in this guide, set up using a specific replication account
+(<c>ldapreader</c>) which has read rights on the primary LDAP server and which
+pulls in changes from the primary LDAP server to the secundary.
+This setup is then mirrored, allowing the secundary LDAP server to act as a
+primary. Thanks to OpenLDAP's internal structure, changes are not re-applied if
+they are already in the LDAP structure.
+<title>Setting Up Replication</title>
+To setup replication, first setup a second OpenLDAP server, similarly as above.
+However take care that, in the configuration file, 
+  <li>
+    the <e>sync replication provider</e> is pointing to the <e>other</e> system
+  </li>
+  <li>
+    the <e>serverID</e> of each OpenLDAP system is different
+  </li>
+Next, create the synchronisation account. We will create an LDIF file (the
+format used as data input for LDAP servers) and add it to each LDAP server:
+<pre caption="Creating the ldapreader account">
+~# <i>slappasswd -s myreaderpassword</i>
+ {SSHA}XvbdAv6rdskp9HgFaFL9YhGkJH3HSkiM
+~# <i>cat ldapreader.ldif</i>
+dn: cn=ldapreader,dc=genfic,dc=com
+userPassword: {SSHA}XvbdAv6rdskp9HgFaFL9YhGkJH3HSkiM
+objectClass: organizationalRole
+objectClass: simpleSecurityObject
+cn: ldapreader
+description: LDAP reader used for synchronization
+~# <i>ldapadd -x -W -D "cn=Manager,dc=genfic,dc=com" -f ldapreader.ldif</i>
+Password: <comment>enter the administrative password</comment>
 <title>Client Configuration</title>
 <title>Migrate existing data to ldap</title>
+Configuring OpenLDAP for centralized administration and management of common
+Linux/Unix items isn't easy, but thanks to some tools and scripts available on
+the Internet, migrating a system from a single-system administrative
+point-of-view towards an OpenLDAP-based, centralized managed system isn't hard
 Go to <uri
-and fetch the scripts there. Configuration is stated on the page. We don't ship
-this anymore because the scripts are a potential security hole if you leave
-them on the system after porting. When you've finished migrating your data,
-continue to the next section.
+and fetch the scripts there. You'll need the migration tools and the
+<c></c> script.
+Next, extract the tools and copy the <c></c> script inside the
+extracted location:
+<pre caption="Extracting the MigrationTools">
+~# <i>mktemp -d</i>
+~# <i>cd /tmp/tmp.zchomocO3Q</i>
+~# <i>tar xvzf /path/to/MigrationTools.tgz</i>
+~# <i>mv /path/to/ MigrationTools-47</i>
+~# <i>cd MigrationTools-47</i>
+The next step now is to migrate the information of your system to OpenLDAP. The
+<c></c> script will do this for you, after you have provided it
+with the information regarding your LDAP structure and environment.
+At the time of writing, the tools require the following input:
+  <th>Input</th>
+  <th>Description</th>
+  <th>Example</th>
+  <ti>LDAP BaseDN</ti>
+  <ti>The base location (root) of your tree</ti>
+  <ti>dc=genfic,dc=com</ti>
+  <ti>Mail domain</ti>
+  <ti>Domain used in e-mail addresses</ti>
+  <ti></ti>
+  <ti>Mail host</ti>
+  <ti>FQDN of your mail server infrastructure</ti>
+  <ti></ti>
+  <ti>LDAP Root DN</ti>
+  <ti>Administrative account information for your LDAP structure</ti>
+  <ti>cn=Manager,dc=genfic,dc=com</ti>
+  <ti>LDAP Root Password</ti>
+  <ti>
+    Password for the administrative account, cfr earlier <c>slappasswd</c>
+    command
+  </ti>
+  <ti></ti>
+The tool will also ask you which accounts and settings you want to migrate.
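Review bot: `slappasswd -s myreaderpassword` puts the replication password on the command line, where it ends up in the shell history and is visible to other users via `ps`; use the interactive `slappasswd` form shown earlier in the guide. The removed paragraph warned that the MigrationTools scripts are a security hole if left on the system after migration; the replacement extracts them into a `mktemp -d` directory but never tells the reader to delete them afterwards, so that cleanup step should return. Several empty elements (`<c></c>` for the script name, `<ti></ti>` for the mail examples) and the sentence that ends abruptly at `...isn't hard` need filling in, and `mv /path/to/ MigrationTools-47` looks wrong as written. Spelling: `secundary` (twice) should be `secondary`, `similarly as above` should be `similar to the one above`, `setup` as a verb is `set up`, and `cfr` is `cf.`.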
@@ -310,7 +469,7 @@
 auth       required
-auth       sufficient try_first_pass likeauth nullok
+auth       <i>sufficient</i> try_first_pass likeauth nullok
 <i>auth       sufficient use_first_pass</i>
 auth       required
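Review bot: the newly highlighted `sufficient` line still carries `nullok`, which lets accounts with an empty password authenticate; since the line is being edited anyway, either drop `nullok` or explain in the text why it is wanted on an LDAP-backed host.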
@@ -318,7 +477,7 @@
 account    required
 password   required difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
-password   sufficient try_first_pass use_authtok nullok md5 shadow
+password   <i>sufficient</i> try_first_pass use_authtok nullok md5 shadow
 <i>password   sufficient use_authtok use_first_pass</i>
 password   required
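Review bot: the highlighted `password sufficient ... md5 shadow` line (the `md5 shadow` options belong to pam_unix) hashes local passwords with MD5; pam_unix has supported `sha512` for years, and a guide being refreshed in 2011 should recommend it instead of `md5`.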
@@ -338,20 +497,20 @@
 suffix          "dc=genfic,dc=com"
 <comment>#rootbinddn uid=root,ou=People,dc=genfic,dc=com</comment>
-uri ldap://
-pam_password exop
+bind_policy soft
+bind_timelimit 2
 ldap_version 3
+nss_base_group ou=Group,dc=genfic,dc=com
+nss_base_hosts ou=Hosts,dc=genfic,dc=com
+nss_base_passwd ou=People,dc=genfic,dc=com
+nss_base_shadow ou=People,dc=genfic,dc=com
 pam_filter objectclass=posixAccount
 pam_login_attribute uid
 pam_member_attribute memberuid
-nss_base_passwd ou=People,dc=genfic,dc=com
-nss_base_shadow ou=People,dc=genfic,dc=com
-nss_base_group  ou=Group,dc=genfic,dc=com
-nss_base_hosts  ou=Hosts,dc=genfic,dc=com
+pam_password exop
 scope one
+timelimit 2
+uri ldap:// ldap:// ldap://
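Review bot: the rewritten `/etc/ldap.conf` talks plain `ldap://` to all three servers and keeps `pam_password exop`, so both the user's bind password and the new password sent by the password-modify extended operation cross the network in clear text; add `ssl start_tls` (or `ldaps://` URIs) together with `tls_checkpeer yes` and `tls_cacertfile`. `bind_policy soft` is a sensible addition to avoid hangs when the servers are unreachable, but `bind_timelimit 2` and `timelimit 2` give slow links only two seconds before lookups fail. The `uri` line again lists no host names.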
@@ -376,26 +535,14 @@
-To test the changes, type:
-<pre caption="Testing LDAP Auth">
-# <i>getent passwd|grep 0:0</i>
-<comment>(You should get two entries back:)</comment>
 If you noticed one of the lines you pasted into your <path>/etc/ldap.conf</path>
 was commented out (the <c>rootbinddn</c> line): you don't need it unless you
 want to change a user's password as superuser. In this case you need to echo
 the root password to <path>/etc/ldap.secret</path> in plaintext. This is
-<brite>DANGEROUS</brite> and should be chmoded to 600. What I do is keep that
-file blank and when I need to change someones password thats both in the ldap
-and <path>/etc/passwd</path> I put the pass in there for 10 seconds while I
-change it and remove it when I'm done.
+<brite>DANGEROUS</brite> and should be chmoded to 600. What you might want to
+do is keep that file blank and when you need to change someones password thats
+both in the ldap and <path>/etc/passwd</path>, put the pass in there for 10
+seconds while changing the users password and remove it when done.
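Review bot: removing the `getent passwd|grep 0:0` test leaves the guide with no verification step after the client configuration, so a reader cannot tell whether NSS actually resolves LDAP users before logging out; keep a `getent passwd` style check against a known LDAP account. In the rewritten `ldap.secret` paragraph, say that the file must be owned by root in addition to being mode 600, and fix `someones` to `someone's`, `thats` to `that's`, `the ldap` to `LDAP` and `the users password` to `the user's password`.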