From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from pigeon.gentoo.org ([208.92.234.80] helo=lists.gentoo.org)
	by finch.gentoo.org with esmtp (Exim 4.60)
	(envelope-from <gentoo-doc-cvs+bounces-3864-garchives=archives.gentoo.org@lists.gentoo.org>)
	id 1Qt3jP-0006tk-AS
	for garchives@archives.gentoo.org; Mon, 15 Aug 2011 20:25:55 +0000
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 9852F21C109;
	Mon, 15 Aug 2011 20:25:32 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183])
	by pigeon.gentoo.org (Postfix) with ESMTP id 479AF21C109
	for <gentoo-doc-cvs@lists.gentoo.org>; Mon, 15 Aug 2011 20:25:32 +0000 (UTC)
Received: from flycatcher.gentoo.org (flycatcher.gentoo.org [81.93.255.6])
	(using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by smtp.gentoo.org (Postfix) with ESMTPS id 8CBA01B403B
	for <gentoo-doc-cvs@lists.gentoo.org>; Mon, 15 Aug 2011 20:25:31 +0000 (UTC)
Received: by flycatcher.gentoo.org (Postfix, from userid 617)
	id 4FF0B2004C; Mon, 15 Aug 2011 20:25:30 +0000 (UTC)
From: "Sven Vermeulen (swift)" <swift@gentoo.org>
To: gentoo-doc-cvs@lists.gentoo.org
Subject: [gentoo-doc-cvs] gentoo commit in xml/htdocs/doc/en: ldap-howto.xml
X-VCS-Repository: gentoo
X-VCS-Files: ldap-howto.xml
X-VCS-Directories: xml/htdocs/doc/en
X-VCS-Committer: swift
X-VCS-Committer-Name: Sven Vermeulen
Content-Type: text/plain; charset=utf8
Message-Id: <20110815202530.4FF0B2004C@flycatcher.gentoo.org>
Date: Mon, 15 Aug 2011 20:25:30 +0000 (UTC)
Precedence: bulk
List-Post: <mailto:gentoo-doc-cvs@lists.gentoo.org>
List-Help: <mailto:gentoo-doc-cvs+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-doc-cvs+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-doc-cvs+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-doc-cvs.gentoo.org>
X-BeenThere: gentoo-doc-cvs@lists.gentoo.org
Reply-to: docs-team@lists.gentoo.org
Content-Transfer-Encoding: quoted-printable
X-Archives-Salt: 
X-Archives-Hash: d9ae5921632c43caa09bb09e263a604e

swift       11/08/15 20:25:30

  Modified:             ldap-howto.xml
  Log:
  Fix #176075 - Updated OpenLDAP guide

Revision  Changes    Path
1.44                 xml/htdocs/doc/en/ldap-howto.xml

file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/doc/en/ldap=
-howto.xml?rev=3D1.44&view=3Dmarkup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/doc/en/ldap=
-howto.xml?rev=3D1.44&content-type=3Dtext/plain
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/doc/en/ldap=
-howto.xml?r1=3D1.43&r2=3D1.44

Index: ldap-howto.xml
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/ldap-howto.xml,v
retrieving revision 1.43
retrieving revision 1.44
diff -u -r1.43 -r1.44
--- ldap-howto.xml	18 Apr 2011 02:01:11 -0000	1.43
+++ ldap-howto.xml	15 Aug 2011 20:25:30 -0000	1.44
@@ -1,15 +1,15 @@
 <?xml version=3D'1.0' encoding=3D'UTF-8'?>
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/ldap-howto.xml,v 1.4=
3 2011/04/18 02:01:11 nightmorph Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/ldap-howto.xml,v 1.4=
4 2011/08/15 20:25:30 swift Exp $ -->
 <!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
=20
-<guide disclaimer=3D"draft">
+<guide>
 <title>Gentoo Guide to OpenLDAP Authentication</title>
=20
 <author title=3D"Author">
   <mail link=3D"sj7trunks@pendulus.net">Benjamin Coles</mail>
 </author>
-<author title=3D"Editor">
-  <mail link=3D"swift@gentoo.org">Sven Vermeulen</mail>
+<author title=3D"Author">
+  <mail link=3D"swift"/>
 </author>
 <author title=3D"Editor">
   <mail link=3D"tseng@gentoo.org">Brandon Hale</mail>
@@ -33,8 +33,8 @@
 <!-- See http://creativecommons.org/licenses/by-sa/2.5 -->
 <license/>
=20
-<version>5</version>
-<date>2011-04-17</date>
+<version>6</version>
+<date>2011-08-15</date>
=20
 <chapter>
 <title>Getting Started with OpenLDAP</title>
@@ -166,52 +166,66 @@
=20
 <pre caption=3D"Generate password">
 # <i>slappasswd</i>
-New password: my-password
-Re-enter new password: my-password
+New password: <i>my-password</i>
+Re-enter new password: <i>my-password</i>
 {SSHA}EzP6I82DZRnW+ou6lyiXHGxSpSOw2XO4
 </pre>
=20
 <p>
-Now edit the LDAP Server config at <path>/etc/openldap/slapd.conf</path>=
:
+Now edit the LDAP Server config at <path>/etc/openldap/slapd.conf</path>=
. Below
+we'll give a sample configuration file to get things started. For a more
+detailed analysis of the configuration file, we suggest that you work th=
rough
+the OpenLDAP Administrator's Guide.
 </p>
=20
 <pre caption=3D"/etc/openldap/slapd.conf">
-<comment># Include the needed data schemes below core.schema</comment>
-include         /etc/openldap/schema/cosine.schema
-include         /etc/openldap/schema/inetorgperson.schema
-include         /etc/openldap/schema/nis.schema
-
-<comment>Uncomment modulepath and hdb module</comment>
-# Load dynamic backend modules:
-modulepath    /usr/lib/openldap/openldap
-# moduleload    back_shell.so
-# moduleload    back_relay.so
-# moduleload    back_perl.so
-# moduleload    back_passwd.so
-# moduleload    back_null.so
-# moduleload    back_monitor.so
-# moduleload    back_meta.so
-moduleload    back_hdb.so
-# moduleload    back_dnssrv.so
+include	/etc/openldap/schema/core.schema
+include /etc/openldap/schema/cosine.schema
+include /etc/openldap/schema/inetorgperson.schema
+include /etc/openldap/schema/nis.schema
+include	/etc/openldap/schema/misc.schema
+
+pidfile /var/run/openldap/slapd.pid
+argsfile /var/run/openldap/slapd.args
=20
-<comment># Uncomment sample access restrictions (Note: maintain indentat=
ion!)</comment>
+serverID 0 <comment>Used in case of replication</comment>
+loglevel 0
+
+<comment>## Access Controls</comment>
 access to dn.base=3D"" by * read
 access to dn.base=3D"cn=3DSubschema" by * read
 access to *
-   by self write
-   by users read
-   by anonymous auth
+  by self write
+  by users read
+  by anonymous read
=20
+<comment>## Database definition</comment>
+database hdb
+suffix "dc=3Dgenfic,dc=3Dcom"
+checkpoint 32 30
+rootdn "cn=3DManager,dc=3Dgenfic,dc=3Dcom"
+rootpw "{SSHA}EzP6I82DZRnW+ou6lyiXHGxSpSOw2XO4" <comment># See earlier s=
lappasswd command</comment>
+directory "/var/lib/openldap-ldbm"
+index objectClass eq
+
+<comment>## Synchronisation (pull from other LDAP server)</comment>
+syncrepl rid=3D000
+  provider=3Dldap://ldap2.genfic.com
+  type=3DrefreshAndPersist
+  retry=3D"5 5 300 +"
+  searchbase=3D"dc=3Dgenfic,dc=3Dcom"
+  attrs=3D"*,+"
+  bindmethod=3D"simple"
+  binddn=3D"cn=3Dldapreader,dc=3Dgenfic,dc=3Dcom"
+  credentials=3D"ldapsyncpass"
=20
-<comment># BDB Database definition</comment>
+index entryCSN eq
+index entryUUID eq
=20
-database        hdb
-suffix          "dc=3Dgenfic,dc=3Dcom"
-checkpoint      32      30 # &lt;kbyte&gt; &lt;min&gt;
-rootdn          "cn=3DManager,dc=3Dgenfic,dc=3Dcom"
-rootpw          <i>{SSHA}EzP6I82DZRnW+ou6lyiXHGxSpSOw2XO4</i>
-directory       /var/lib/openldap-ldbm
-index           objectClass     eq
+mirrormode TRUE
+
+overlay syncprov
+syncprov-checkpoint 100 10
 </pre>
=20
 <p>
@@ -223,17 +237,27 @@
 <comment>(Add the following...)</comment>
=20
 BASE         dc=3Dgenfic, dc=3Dcom
-URI          ldap://auth.genfic.com:389/
+URI          ldap://ldap.genfic.com:389/ ldap://ldap1.genfic.com:389/ ld=
ap://ldap2.genfic.com:389/
 TLS_REQCERT  allow
+TIMELIMIT    2
 </pre>
=20
 <p>
-Now edit <path>/etc/conf.d/slapd</path> and uncomment the following OPTS=
 line:
+Now edit <path>/etc/conf.d/slapd</path> and set the following OPTS line:
 </p>
=20
 <pre caption=3D"/etc/conf.d/slapd">
-<comment># Note: we don't use cn=3Dconfig here, so stay with this line:<=
/comment>
-OPTS=3D"-F /etc/openldap/slapd.d -h 'ldaps:// ldap:// ldapi://%2fvar%2fr=
un%2fopenldap%2fslapd.sock'"
+OPTS=3D"-h 'ldaps:// ldap:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.soc=
k'"
+</pre>
+
+<p>
+Finally, create the <path>/var/lib/openldap-ldbm</path> structure:
+</p>
+
+<pre caption=3D"Preparing the openldap-ldbm location">
+~# <i>mkdir -p /var/lib/openldap-ldbm</i>
+~# <i>chown ldap:ldap /var/lib/openldap-ldbm</i>
+~# <i>chmod 700 /var/lib/openldap-ldbm</i>
 </pre>
=20
 <p>
@@ -262,18 +286,153 @@
 </chapter>
=20
 <chapter>
+<title>Replication</title>
+<section>
+<title>If you need high availability</title>
+<body>
+
+<p>
+If your environment requires high availability, then you need to setup
+replication of changes across multiple LDAP systems. Replication within =
OpenLDAP
+is, in this guide, set up using a specific replication account
+(<c>ldapreader</c>) which has read rights on the primary LDAP server and=
 which
+pulls in changes from the primary LDAP server to the secundary.
+</p>
+
+<p>
+This setup is then mirrored, allowing the secundary LDAP server to act a=
s a
+primary. Thanks to OpenLDAP's internal structure, changes are not re-app=
lied if
+they are already in the LDAP structure.
+</p>
+
+</body>
+</section>
+<section>
+<title>Setting Up Replication</title>
+<body>
+
+<p>
+To setup replication, first setup a second OpenLDAP server, similarly as=
 above.
+However take care that, in the configuration file,=20
+</p>
+
+<ul>
+  <li>
+    the <e>sync replication provider</e> is pointing to the <e>other</e>=
 system
+  </li>
+  <li>
+    the <e>serverID</e> of each OpenLDAP system is different
+  </li>
+</ul>
+
+<p>
+Next, create the synchronisation account. We will create an LDIF file (t=
he
+format used as data input for LDAP servers) and add it to each LDAP serv=
er:
+</p>
+
+<pre caption=3D"Creating the ldapreader account">
+~# <i>slappasswd -s myreaderpassword</i>
+ {SSHA}XvbdAv6rdskp9HgFaFL9YhGkJH3HSkiM
+
+~# <i>cat ldapreader.ldif</i>
+dn: cn=3Dldapreader,dc=3Dgenfic,dc=3Dcom
+userPassword: {SSHA}XvbdAv6rdskp9HgFaFL9YhGkJH3HSkiM
+objectClass: organizationalRole
+objectClass: simpleSecurityObject
+cn: ldapreader
+description: LDAP reader used for synchronization
+
+~# <i>ldapadd -x -W -D "cn=3DManager,dc=3Dgenfic,dc=3Dcom" -f ldapreader=
.ldif</i>
+Password: <comment>enter the administrative password</comment>
+</pre>
+
+</body>
+</section>
+</chapter>
+
+<chapter>
 <title>Client Configuration</title>
 <section>
 <title>Migrate existing data to ldap</title>
 <body>
=20
 <p>
+Configuring OpenLDAP for centralized administration and management of co=
mmon
+Linux/Unix items isn't easy, but thanks to some tools and scripts availa=
ble on
+the Internet, migrating a system from a single-system administrative
+point-of-view towards an OpenLDAP-based, centralized managed system isn'=
t hard
+either.
+</p>
+
+<p>
 Go to <uri
 link=3D"http://www.padl.com/OSS/MigrationTools.html">http://www.padl.com=
/OSS/MigrationTools.html</uri>
-and fetch the scripts there. Configuration is stated on the page. We don=
't ship
-this anymore because the scripts are a potential security hole if you le=
ave
-them on the system after porting. When you've finished migrating your da=
ta,
-continue to the next section.
+and fetch the scripts there. You'll need the migration tools and the
+<c>make_master.sh</c> script.
+</p>
+
+<p>
+Next, extract the tools and copy the <c>make_master.sh</c> script inside=
 the
+extracted location:
+</p>
+
+<pre caption=3D"Extracting the MigrationTools">
+~# <i>mktemp -d</i>
+/tmp/tmp.zchomocO3Q
+~# <i>cd /tmp/tmp.zchomocO3Q</i>
+~# <i>tar xvzf /path/to/MigrationTools.tgz</i>
+~# <i>mv /path/to/make_master.sh MigrationTools-47</i>
+~# <i>cd MigrationTools-47</i>
+</pre>
+
+<p>
+The next step now is to migrate the information of your system to OpenLD=
AP. The
+<c>make_master.sh</c> script will do this for you, after you have provid=
ed it
+with the information regarding your LDAP structure and environment.
+</p>
+
+<p>
+At the time of writing, the tools require the following input:
+</p>
+
+<table>
+<tr>
+  <th>Input</th>
+  <th>Description</th>
+  <th>Example</th>
+</tr>
+<tr>
+  <ti>LDAP BaseDN</ti>
+  <ti>The base location (root) of your tree</ti>
+  <ti>dc=3Dgenfic,dc=3Dcom</ti>
+</tr>
+<tr>
+  <ti>Mail domain</ti>
+  <ti>Domain used in e-mail addresses</ti>
+  <ti>genfic.com</ti>
+</tr>
+<tr>
+  <ti>Mail host</ti>
+  <ti>FQDN of your mail server infrastructure</ti>
+  <ti>smtp.genfic.com</ti>
+</tr>
+<tr>
+  <ti>LDAP Root DN</ti>
+  <ti>Administrative account information for your LDAP structure</ti>
+  <ti>cn=3DManager,dc=3Dgenfic,dc=3Dcom</ti>
+</tr>
+<tr>
+  <ti>LDAP Root Password</ti>
+  <ti>
+    Password for the administrative account, cfr earlier <c>slappasswd</=
c>
+    command
+  </ti>
+  <ti></ti>
+</tr>
+</table>
+
+<p>
+The tool will also ask you which accounts and settings you want to migra=
te.
 </p>
=20
 </body>
@@ -310,7 +469,7 @@
 #%PAM-1.0
=20
 auth       required     pam_env.so
-auth       sufficient   pam_unix.so try_first_pass likeauth nullok
+auth       <i>sufficient</i>   pam_unix.so try_first_pass likeauth nullo=
k
 <i>auth       sufficient   pam_ldap.so use_first_pass</i>
 auth       required     pam_deny.so
=20
@@ -318,7 +477,7 @@
 account    required     pam_unix.so
=20
 password   required     pam_cracklib.so difok=3D2 minlen=3D8 dcredit=3D2=
 ocredit=3D2 try_first_pass retry=3D3
-password   sufficient   pam_unix.so try_first_pass use_authtok nullok md=
5 shadow
+password   <i>sufficient</i>   pam_unix.so try_first_pass use_authtok nu=
llok md5 shadow
 <i>password   sufficient   pam_ldap.so use_authtok use_first_pass</i>
 password   required     pam_deny.so
=20
@@ -338,20 +497,20 @@
=20
 suffix          "dc=3Dgenfic,dc=3Dcom"
 <comment>#rootbinddn uid=3Droot,ou=3DPeople,dc=3Dgenfic,dc=3Dcom</commen=
t>
-
-uri ldap://auth.genfic.com/
-pam_password exop
-
+bind_policy soft
+bind_timelimit 2
 ldap_version 3
+nss_base_group ou=3DGroup,dc=3Dgenfic,dc=3Dcom
+nss_base_hosts ou=3DHosts,dc=3Dgenfic,dc=3Dcom
+nss_base_passwd ou=3DPeople,dc=3Dgenfic,dc=3Dcom
+nss_base_shadow ou=3DPeople,dc=3Dgenfic,dc=3Dcom
 pam_filter objectclass=3DposixAccount
 pam_login_attribute uid
 pam_member_attribute memberuid
-nss_base_passwd ou=3DPeople,dc=3Dgenfic,dc=3Dcom
-nss_base_shadow ou=3DPeople,dc=3Dgenfic,dc=3Dcom
-nss_base_group  ou=3DGroup,dc=3Dgenfic,dc=3Dcom
-nss_base_hosts  ou=3DHosts,dc=3Dgenfic,dc=3Dcom
-
+pam_password exop
 scope one
+timelimit 2
+uri ldap://ldap.genfic.com/ ldap://ldap1.genfic.com ldap://ldap2.genfic.=
com
 </pre>
=20
 <p>
@@ -376,26 +535,14 @@
 </pre>
=20
 <p>
-To test the changes, type:
-</p>
-
-<pre caption=3D"Testing LDAP Auth">
-# <i>getent passwd|grep 0:0</i>
-
-<comment>(You should get two entries back:)</comment>
-root:x:0:0:root:/root:/bin/bash
-root:x:0:0:root:/root:/bin/bash
-</pre>
-
-<p>
 If you noticed one of the lines you pasted into your <path>/etc/ldap.con=
f</path>
 was commented out (the <c>rootbinddn</c> line): you don't need it unless=
 you
 want to change a user's password as superuser. In this case you need to =
echo
 the root password to <path>/etc/ldap.secret</path> in plaintext. This is
-<brite>DANGEROUS</brite> and should be chmoded to 600. What I do is keep=
 that
-file blank and when I need to change someones password thats both in the=
 ldap
-and <path>/etc/passwd</path> I put the pass in there for 10 seconds whil=
e I
-change it and remove it when I'm done.
+<brite>DANGEROUS</brite> and should be chmoded to 600. What you might wa=
nt to
+do is keep that file blank and when you need to change someones password=
 thats
+both in the ldap and <path>/etc/passwd</path>, put the pass in there for=
 10
+seconds while changing the users password and remove it when done.
 </p>
=20
 </body>