From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from lists.gentoo.org ([140.105.134.102] helo=robin.gentoo.org) by finch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1J9rjX-0004aI-Kp for garchives@archives.gentoo.org; Wed, 02 Jan 2008 00:45:24 +0000
Received: from robin.gentoo.org (localhost [127.0.0.1]) by robin.gentoo.org (8.14.2/8.14.0) with SMTP id m020j9OB027099; Wed, 2 Jan 2008 00:45:09 GMT
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) by robin.gentoo.org (8.14.2/8.14.0) with ESMTP id m020j8RF027088 for ; Wed, 2 Jan 2008 00:45:08 GMT
Received: from stork.gentoo.org (stork.gentoo.org [64.127.104.133]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTP id 0C26565545 for ; Wed, 2 Jan 2008 00:45:08 +0000 (UTC)
Received: from nightmorph by stork.gentoo.org with local (Exim 4.68) (envelope-from ) id 1J9rjG-0008M1-Vn for gentoo-doc-cvs@lists.gentoo.org; Wed, 02 Jan 2008 00:45:07 +0000
To: gentoo-doc-cvs@lists.gentoo.org
Subject: [gentoo-doc-cvs] cvs commit: ldap-howto.xml
Message-Id:
From: Joshua Saddler Date: Wed, 02 Jan 2008 00:45:06 +0000 Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-doc-cvs@gentoo.org Reply-to: docs-team@lists.gentoo.org X-Archives-Salt: f718dd2f-03ac-4f50-9961-fcad80aa317e X-Archives-Hash: ba0e7e89822aa029b5293d78017041ba nightmorph 08/01/02 00:45:06 Modified: ldap-howto.xml Log: merged jokey's patch for the time being. hopefully he and/or robbat2 or other contributors can fill out the guide so we can bring it out of draft status once again. bug 176075 Revision Changes Path 1.36 xml/htdocs/doc/en/ldap-howto.xml file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/ldap-howto.xml?rev=1.36&view=markup plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/ldap-howto.xml?rev=1.36&content-type=text/plain diff : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/ldap-howto.xml?r1=1.35&r2=1.36 Index: ldap-howto.xml =================================================================== RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/ldap-howto.xml,v retrieving revision 1.35 retrieving revision 1.36 diff -u -r1.35 -r1.36 --- ldap-howto.xml 29 Nov 2006 15:48:57 -0000 1.35 +++ ldap-howto.xml 2 Jan 2008 00:45:06 -0000 1.36 @@ -1,24 +1,25 @@ - + - + Gentoo Guide to OpenLDAP Authentication Benjamin Coles - Sven Vermeulen - Brandon Hale Benny Chuang + + + @@ -30,8 +31,8 @@ -0.22 -2005-10-21 +0.23 +2008-01-01 Getting Started with OpenLDAP @@ -155,43 +156,65 @@

-# emerge openldap pam_ldap nss_ldap migrationtools
-# chown ldap:ldap /var/lib/openldap-ldbm /var/lib/openldap-data /var/lib/openldap-slurp
+# emerge ">=net-nds/openldap-2.3.38" pam_ldap nss_ldap
 

-Edit /etc/openldap/slapd.conf and add the following right after -core.schema: +Now generate an encrypted password we'll use later on: +

+ +
+# slappasswd
+New password: my-password
+Re-enter new password: my-password
+{SSHA}EzP6I82DZRnW+ou6lyiXHGxSpSOw2XO4
+
+ +

+Now edit the LDAP Server config at /etc/openldap/slapd.conf:

-# Include the needed data schemes
+# Include the needed data schemes below core.schema
 include         /etc/openldap/schema/cosine.schema
 include         /etc/openldap/schema/inetorgperson.schema
 include         /etc/openldap/schema/nis.schema
 
-# Use md5 to hash the passwords
-password-hash {md5}
+Uncomment modulepath and hdb module
+# Load dynamic backend modules:
+modulepath    /usr/lib/openldap/openldap
+# moduleload    back_shell.so
+# moduleload    back_relay.so
+# moduleload    back_perl.so
+# moduleload    back_passwd.so
+# moduleload    back_null.so
+# moduleload    back_monitor.so
+# moduleload    back_meta.so
+moduleload    back_hdb.so
+# moduleload    back_dnssrv.so
+
+# Uncomment sample access restrictions (Note: maintain indentation!)
+access to dn.base="" by * read
+access to dn.base="cn=Subschema" by * read
+access to *
+   by self write
+   by users read
+   by anonymous auth
 
-# Define SSL and TLS properties (optional)
-TLSCertificateFile /etc/ssl/ldap.pem
-TLSCertificateKeyFile /etc/openldap/ssl/ldap.pem
-TLSCACertificateFile /etc/ssl/ldap.pem
 
-(Further down...)
+# BDB Database definition
 
-database        ldbm
+database        hdb
 suffix          "dc=genfic,dc=com"
+checkpoint      32      30 # <kbyte> <min>
 rootdn          "cn=Manager,dc=genfic,dc=com"
-rootpw          {MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==
+rootpw          {SSHA}EzP6I82DZRnW+ou6lyiXHGxSpSOw2XO4
 directory       /var/lib/openldap-ldbm
 index           objectClass     eq
-
-(You can get an encrypted password like above with slappasswd -h {Md5})
 

-Next we edit the LDAP configuration file: +Next we edit the LDAP Client configuration file:

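Review bot: the new `database hdb` block still says `directory /var/lib/openldap-ldbm` while the `chown ldap:ldap ... /var/lib/openldap-data ...` line is dropped from the emerge step, so the backend type and the on-disk path no longer match and nothing in the text ensures the data directory is owned by the user slapd runs as; point `directory` at the hdb data directory (the `/var/lib/openldap-data` from the removed chown line) and keep a chown or an explicit ownership note, otherwise slapd will not start. Two smaller problems in the same block: `checkpoint 32 30 # <kbyte> <min>` relies on a trailing comment, but slapd.conf only treats whole lines beginning with `#` as comments, so `# <kbyte> <min>` is read as extra arguments to `checkpoint`; put that comment on its own line. And `rootpw {SSHA}EzP6I82DZRnW+ou6lyiXHGxSpSOw2XO4` is the hash of the `my-password` example from the `slappasswd` run above, so the text should tell the reader to paste the hash they generated, not this one. Finally, the added global ACL `access to * by self write` lets every account rewrite all attributes of its own entry, including the posixAccount fields (uidNumber, gidNumber, homeDirectory, loginShell) that nss_ldap will trust once the client side is configured; restrict self write to the password attribute, e.g. `access to attrs=userPassword by self write by anonymous auth by * none` placed before `access to * by self read by users read by anonymous auth`.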
@@ -199,32 +222,18 @@
 (Add the following...)
 
 BASE         dc=genfic, dc=com
-URI          ldaps://auth.genfic.com:636/
+URI          ldap://auth.genfic.com:389/
 TLS_REQCERT  allow
 

-Now you will generate an SSL certificate to secure your directory. -Answer the question you receive as good as possible. When asked for your -Common Name, enter the name the clients will use when contacting -the server. This is usually the full domainname (e.g. -auth.genfic.com). -

- -
-# cd /etc/ssl
-# openssl req -config /etc/ssl/openssl.cnf -new -x509 -nodes -out \
-ldap.pem -keyout /etc/openldap/ssl/ldap.pem -days 999999
-# chown ldap:ldap /etc/openldap/ssl/ldap.pem
-
- -

Now edit /etc/conf.d/slapd and add the following, commenting out the existing line:

-OPTS="-h 'ldaps:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"
+# Note: we don't use cn=config here, so stay with this line:
+OPTS="-h 'ldap:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"
 

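Review bot: this hunk deletes the certificate generation and switches the client `URI` from `ldaps://auth.genfic.com:636/` to `ldap://auth.genfic.com:389/` and the slapd listener in `OPTS` from `ldaps://` to `ldap://`, but the remaining text never says that simple binds (and, later in the patch, PAM password changes) now cross the network in cleartext; either keep a TLS section or state plainly that this configuration is only for a trusted network and where TLS would be added. `TLS_REQCERT allow` should go with the change too: it does nothing without TLS, and if someone re-enables `ldaps://` later it silently accepts a server certificate that cannot be verified, which defeats the point of TLS. Keeping the `ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock` listener is right, since local root tools can use the socket instead of the network port.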
@@ -253,60 +262,22 @@ -Migrate Existing Data +Client Configuration

-Migrate User Accounts +Migrate existing data to ldap

-Next, we migrate the user accounts. Open -/usr/share/migrationtools/migrate_common.ph and edit the -following: -

- -
-$DEFAULT_BASE = "dc=genfic,dc=com";
-$EXTENDED_SCHEMA = 1;
-# Comment these lines out unless you have a mail schema loaded
-#$DEFAULT_MAIL_DOMAIN = "genfic.com";
-#$DEFAULT_MAIL_HOST = "mail.genfic.com";
-
- -

-Now run the migration scripts: -

- -
-# export ETC_SHADOW=/etc/shadow
-# cd /usr/share/migrationtools
-# ./migrate_base.pl > /tmp/base.ldif
-# ./migrate_group.pl /etc/group /tmp/group.ldif
-# ./migrate_hosts.pl /etc/hosts /tmp/hosts.ldif
-# ./migrate_passwd.pl /etc/passwd /tmp/passwd.ldif
-
- -

-This last step migrated the files above to ldif files read by LDAP. Now lets add the files to our directory: -

- -
-# ldapadd -D "cn=Manager,dc=genfic,dc=com" -W -f /tmp/base.ldif
-# ldapadd -D "cn=Manager,dc=genfic,dc=com" -W -f /tmp/group.ldif
-# ldapadd -D "cn=Manager,dc=genfic,dc=com" -W -f /tmp/passwd.ldif
-# ldapadd -D "cn=Manager,dc=genfic,dc=com" -W -f /tmp/hosts.ldif
-
- -

-If you come across an error in your ldif files, you can resume from where you -left off by using ldapadd -c. +Go to http://www.padl.com/OSS/MigrationTools.html +and fetch the scripts there. Configuration is stated on the page. We don't ship +this anymore because the scripts are a potential security hole if you leave +them on the system after porting. When you've finished migrating your data, +continue to the next section.

-
- - -Client Configuration
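Review bot: the replacement paragraph moves migration under the new `Client Configuration` chapter, but importing LDIF with `ldapadd -D "cn=Manager,dc=genfic,dc=com" -W -f` is a server-side step, and "Configuration is stated on the page" leaves the reader without the base DN setting, the `ETC_SHADOW` hint, the ldapadd invocation and the `ldapadd -c` resume tip that the deleted lines provided; keep at least `$DEFAULT_BASE = "dc=genfic,dc=com";` and one ldapadd line as the worked example. "Potential security hole" should also be made concrete: with `ETC_SHADOW=/etc/shadow` exported, `migrate_passwd.pl` copies every password hash into the generated LDIF, and the old text wrote those files to `/tmp`, so the real instruction is to delete the LDIF output (and any copy of the scripts' input) after the import, whether or not the scripts themselves stay installed.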
Configuring PAM @@ -323,37 +294,38 @@

-Now edit /etc/pam.d/system-auth so it looks like the following: +Now add the following lines in the right places to /etc/pam.d/system-auth:

-auth    required    pam_env.so
-auth    sufficient  pam_unix.so likeauth nullok shadow
-auth    sufficient  pam_ldap.so use_first_pass
-auth    required    pam_deny.so
-
-account requisite  pam_unix.so
-account sufficient pam_localuser.so
-account required   pam_ldap.so
-
-password    required pam_cracklib.so retry=3
-password    sufficient pam_unix.so nullok use_authtok shadow md5
-password    sufficient pam_ldap.so use_authtok use_first_pass
-password    required pam_deny.so
-
-session required    pam_limits.so
-session required    pam_unix.so
-session required    pam_mkhomedir.so skel=/etc/skel/ umask=0066
-session optional    pam_ldap.so
-
+# Note: only add them. Don't kill stuff already in there or your box won't let you login again! - +auth sufficient pam_ldap.so use_first_pass +account sufficient pam_ldap.so +password sufficient pam_ldap.so use_authtok use_first_pass +session optional pam_ldap.so + +# Example file: +#%PAM-1.0 + +auth required pam_env.so +auth sufficient pam_unix.so try_first_pass likeauth nullok +auth sufficient pam_ldap.so use_first_pass +auth required pam_deny.so + +account sufficient pam_ldap.so +account required pam_unix.so + +password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3 +password sufficient pam_unix.so try_first_pass use_authtok nullok md5 shadow +password sufficient pam_ldap.so use_authtok use_first_pass +password required pam_deny.so + +session required pam_limits.so +session required pam_unix.so +session optional pam_ldap.so + +

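Review bot: "add the following lines in the right places" is under-specified for a file where line order decides whether you can still log in; the example file that follows shows the intended order, so make the instruction refer to it explicitly (for instance "insert each line directly after the matching `pam_unix.so` line, as in the example"). Compared with the removed stack, the example also drops `session required pam_mkhomedir.so skel=/etc/skel/ umask=0066` and `account sufficient pam_localuser.so` without saying so: without pam_mkhomedir, LDAP users whose home directory has not been created on the client log in without one. And `account sufficient pam_ldap.so` now sits before `account required pam_unix.so`, so for any user that exists in LDAP the stack stops at pam_ldap and pam_unix's account checks (password expiry, locked entries) never run; the previous `account required pam_ldap.so` after pam_unix did not have that effect, so either restore that order or state that skipping the unix checks for LDAP users is intended.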
Now change /etc/ldap.conf to read: @@ -363,12 +335,10 @@ #host 127.0.0.1 #base dc=padl,dc=com -ssl start_tls -ssl on suffix "dc=genfic,dc=com" #rootbinddn uid=root,ou=People,dc=genfic,dc=com -uri ldaps://auth.genfic.com/ +uri ldap://auth.genfic.com/ pam_password exop ldap_version 3 @@ -500,10 +470,9 @@

-You can start using the directory to authenticate users in -apache/proftpd/qmail/samba. You can manage it with Webmin, which provides a -really easy management interface. You can also use gq or -directory_administrator. +You can start using the directory to authenticate users in +apache/proftpd/qmail/samba. You can manage it with Webmin, which provides an +easy management interface. You can also use phpldapadmin, luma, diradm or lat.

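Review bot: in the `@@ -363,12 +335,10 @@` hunk, removing both `ssl start_tls` and `ssl on` from `/etc/ldap.conf` while `pam_password exop` stays means pam_ldap now sends the user's bind password on every login and the new password on every change (the password-modify extended operation carries it in the request) over plain `ldap://auth.genfic.com/`; since this patch removes TLS everywhere, this is the place the text should say so. Rather than deleting both lines, keep `ssl start_tls` so the existing 389 listener is protected as soon as the server has a certificate again, and drop only the `ssl on` line that belonged to the removed `ldaps://` URI.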
-- gentoo-doc-cvs@gentoo.org mailing list