Use DIGEST-MD5 authentication for OpenLDAP replication
authorOliver Liebel <oliver@itc.li>
Mon, 8 Sep 2008 04:39:54 +0000 (14:39 +1000)
committerAndrew Bartlett <abartlet@samba.org>
Mon, 8 Sep 2008 04:39:54 +0000 (14:39 +1000)
This avoids passing rootdn passwords or replicated data in cleartext
across the network.

Signed-of-by: Andrew Bartlett <abartlet@samba.org>
source/scripting/python/samba/provision.py
source/setup/cn=replicator.ldif [new file with mode: 0644]
source/setup/mmr_syncrepl.conf
source/setup/slapd.conf

index 9c2a208460eb2f59e0e2b27d7bb19dc12e926d10..f37d09d5e09811f082546997d28a39b3d20f8d22 100644 (file)
@@ -1266,6 +1266,7 @@ def provision_backend(setup_dir=None, message=None,
 
 # generate serverids, ldap-urls and syncrepl-blocks for mmr hosts
        mmr_on_config = ""
+       mmr_replicator_acl = ""
        mmr_serverids_config = ""
         mmr_syncrepl_schema_config = "" 
        mmr_syncrepl_config_config = "" 
@@ -1278,6 +1279,7 @@ def provision_backend(setup_dir=None, message=None,
                      
 
                mmr_on_config = "MirrorMode On"
+               mmr_replicator_acl = "  by dn=cn=replicator,cn=samba read"
                serverid=0
                for url in url_list:
                        serverid=serverid+1
@@ -1315,6 +1317,7 @@ def provision_backend(setup_dir=None, message=None,
                     "SCHEMADN": names.schemadn,
                     "MEMBEROF_CONFIG": memberof_config,
                     "MIRRORMODE": mmr_on_config,
+                    "REPLICATOR_ACL": mmr_replicator_acl,
                     "MMR_SERVERIDS_CONFIG": mmr_serverids_config,
                     "MMR_SYNCREPL_SCHEMA_CONFIG": mmr_syncrepl_schema_config,
                     "MMR_SYNCREPL_CONFIG_CONFIG": mmr_syncrepl_config_config,
@@ -1340,6 +1343,15 @@ def provision_backend(setup_dir=None, message=None,
                               {"LDAPADMINPASS_B64": b64encode(adminpass),
                                "UUID": str(uuid.uuid4()), 
                                "LDAPTIME": timestring(int(time.time()))} )
+       
+       if ol_mmr_urls is not None:
+          setup_file(setup_path("cn=replicator.ldif"),
+                              os.path.join(paths.ldapdir, "db", "samba",  "cn=samba", "cn=replicator.ldif"),
+                              {"LDAPADMINPASS_B64": b64encode(adminpass),
+                               "UUID": str(uuid.uuid4()),
+                               "LDAPTIME": timestring(int(time.time()))} )
+
+
 
         mapping = "schema-map-openldap-2.3"
         backend_schema = "backend-schema.schema"
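Review bot: The replicator entry is rendered with `"LDAPADMINPASS_B64": b64encode(adminpass)` (the userPassword of cn=replicator), while the syncrepl template binds as `authcid="replicator"` with `credentials="${MMR_PASSWORD}"`; nothing in this hunk ties the two substitutions together, so unless MMR_PASSWORD is set to the same value as adminpass elsewhere in provision_backend the DIGEST-MD5 bind will fail. Since a dedicated replication account now exists, a separate replicator secret generated here and passed to both the LDIF and the syncrepl template would also stop the replication identity from sharing the admin password. DIGEST-MD5 requires slapd to verify against a password it can recover, which is why the LDIF carries the raw password base64-encoded; the file written under `db/samba/cn=samba` presumably gets whatever permissions setup_file applies to the neighbouring ldif files — confirm they are restrictive. The added `if ol_mmr_urls is not None:` block indents its body by three spaces, unlike the rest of the function, and `L44`/the two trailing blank lines are whitespace noise. provision_backend begins before this hunk.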
diff --git a/source/setup/cn=replicator.ldif b/source/setup/cn=replicator.ldif
new file mode 100644 (file)
index 0000000..e7c5a24
--- /dev/null
@@ -0,0 +1,12 @@
+dn: cn=replicator
+objectClass: top
+objectClass: person
+cn: replicator
+userPassword:: ${LDAPADMINPASS_B64}
+structuralObjectClass: person
+entryUUID: ${UUID}
+creatorsName:
+createTimestamp: ${LDAPTIME}
+entryCSN: 20080714010529.241039Z#000000#000#000000
+modifiersName:
+modifyTimestamp: ${LDAPTIME}
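Review bot: The entry declares `objectClass: person` but has no `sn` attribute, and core.schema lists `sn` as a MUST of person, so slapadd with schema checking enabled is expected to reject it; add `sn: replicator` after the `cn:` line. `entryCSN` is a hard-coded 2008 literal while `createTimestamp`/`modifyTimestamp` come from `${LDAPTIME}`; a CSN derived from the same substitution would keep the entry self-consistent across the masters it is loaded into. `userPassword` here is the admin password base64-encoded rather than hashed — that is what DIGEST-MD5 needs, so this generated file carries the same confidentiality requirement as the admin password itself.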
index 3a207b2d13a62e4f0b8aba4c09873b36c1cf63a9..1373858c4e64a75284e8a7f1fda39938999dd92b 100644 (file)
@@ -5,7 +5,8 @@ syncrepl rid=${RID}
        searchbase="${MMRDN}"
        type=refreshAndPersist
        retry="10 +"
-       bindmethod=simple
-       binddn="CN=Manager,${MMRDN}"
+       bindmethod=sasl
+       saslmech=DIGEST-MD5
+       authcid="replicator"
        credentials="${MMR_PASSWORD}"
 
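Review bot: With `authcid="replicator"` and no `authz-regexp` visible in this commit, slapd identifies the consumer as `uid=replicator,cn=digest-md5,cn=auth`, which does not match the `by dn=cn=replicator,cn=samba read` clause the slapd.conf hunk adds, so the provider may serve the sync search under `by * none`; if the mapping lives elsewhere in slapd.conf it should be referenced here. DIGEST-MD5 by itself protects only the credential exchange, not the replicated entries, so the commit message's "replicated data in cleartext" claim holds only when a security layer is negotiated — consider `secprops="minssf=56"` (or `starttls=critical`) on this syncrepl block.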
index 141c0cd27a641e4a754e83044411cc2fb6c8ee3a..b64d581e0d30c9e0f154993fe43501820a3c1968 100644 (file)
@@ -1,5 +1,8 @@
 loglevel 0
 
+### needed for initial content load ###
+sizelimit unlimited
+
 ### Multimaster-ServerIDs and URLs ###
 
 ${MMR_SERVERIDS_CONFIG}
@@ -36,7 +39,7 @@ access to dn.subtree="cn=samba"
        by anonymous auth
 
 access to dn.subtree="${DOMAINDN}"
-       by dn=cn=samba-admin,cn=samba manage
+       by dn=cn=samba-admin,cn=samba manage${REPLICATOR_ACL}
        by dn=cn=manager manage
        by * none
 
@@ -62,7 +65,6 @@ rootdn          cn=Manager,cn=Samba
 database        hdb
 suffix         ${SCHEMADN}
 rootdn          cn=Manager,${SCHEMADN}
-rootpw         "${MMR_PASSWORD}"
 directory      ${LDAPDIR}/db/schema
 index           objectClass eq
 index           samAccountName eq
@@ -89,7 +91,6 @@ ${MIRRORMODE}
 database        hdb
 suffix         ${CONFIGDN}
 rootdn          cn=Manager,${CONFIGDN}
-rootpw         "${MMR_PASSWORD}"
 directory      ${LDAPDIR}/db/config
 index           objectClass eq
 index           samAccountName eq
@@ -118,7 +119,6 @@ ${MIRRORMODE}
 database        hdb
 suffix         ${DOMAINDN}
 rootdn          cn=Manager,${DOMAINDN}
-rootpw         "${MMR_PASSWORD}"
 directory      ${LDAPDIR}/db/user
 index           objectClass eq
 index           samAccountName eq
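Review bot: `sizelimit unlimited` at the top of the file lifts the search size limit for every client, anonymous included, not just for the initial syncrepl load that the comment names; a `limits dn.exact="cn=replicator,cn=samba" size=unlimited time=unlimited` directive scoped to the replication identity gives the consumer what it needs without widening enumeration for everyone else. `${REPLICATOR_ACL}` is only spliced into the `${DOMAINDN}` access block, yet provision also renders syncrepl blocks for the schema and config partitions; unless their access directives (outside this hunk) already admit the replicator, those partitions will not replicate. Dropping the three `rootpw` lines is consistent with the SASL bind, but `cn=Manager,<suffix>` for those databases can now only bind through an entry or SASL identity that maps to it — worth a comment next to the remaining rootdn lines.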