[SCM] Samba Shared Repository - branch v4-0-test updated -
release-4-0-0alpha5-476-g57d19ad
Andrew Bartlett
abartlet at samba.org
Mon Sep 8 05:09:35 GMT 2008
The branch, v4-0-test has been updated
via 57d19ad002c523fb9a09694e6710ab7f588d44ec (commit)
via 67373c143a1d8a9f310fd116dbf81c1dd123b75f (commit)
from 36f727c4a73ffc8634692b0c5645343cb414de93 (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-0-test
- Log -----------------------------------------------------------------
commit 57d19ad002c523fb9a09694e6710ab7f588d44ec
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Sep 8 15:09:06 2008 +1000
Make it clear that the MMR password can differ from the admin password
In the future, we might simply randomly generate this, or allow the
admin to specify it separate to the admin password. However, both are
highly sensitive, as they imply read access to the krbtgt.
Andrew Bartlett
commit 67373c143a1d8a9f310fd116dbf81c1dd123b75f
Author: Oliver Liebel <oliver at itc.li>
Date: Mon Sep 8 14:39:54 2008 +1000
Use DIGEST-MD5 authentication for OpenLDAP replication
This avoids passing rootdn passwords or replicated data in cleartext
across the network.
Signed-of-by: Andrew Bartlett <abartlet at samba.org>
-----------------------------------------------------------------------
Summary of changes:
source/scripting/python/samba/provision.py | 24 +++++++++++++++----
.../{cn=samba-admin.ldif => cn=replicator.ldif} | 8 +++---
source/setup/mmr_syncrepl.conf | 5 ++-
source/setup/slapd.conf | 8 +++---
4 files changed, 30 insertions(+), 15 deletions(-)
copy source/setup/{cn=samba-admin.ldif => cn=replicator.ldif} (58%)
Changeset truncated at 500 lines:
diff --git a/source/scripting/python/samba/provision.py b/source/scripting/python/samba/provision.py
index 9c2a208..68f6153 100644
--- a/source/scripting/python/samba/provision.py
+++ b/source/scripting/python/samba/provision.py
@@ -1266,18 +1266,23 @@ def provision_backend(setup_dir=None, message=None,
# generate serverids, ldap-urls and syncrepl-blocks for mmr hosts
mmr_on_config = ""
+ mmr_replicator_acl = ""
mmr_serverids_config = ""
mmr_syncrepl_schema_config = ""
mmr_syncrepl_config_config = ""
mmr_syncrepl_user_config = ""
if ol_mmr_urls is not None:
- url_list=filter(None,ol_mmr_urls.split(' '))
+ # For now, make these equal
+ mmr_pass = adminpass
+
+ url_list=filter(None,ol_mmr_urls.split(' '))
if (len(url_list) == 1):
url_list=filter(None,ol_mmr_urls.split(','))
mmr_on_config = "MirrorMode On"
+ mmr_replicator_acl = " by dn=cn=replicator,cn=samba read"
serverid=0
for url in url_list:
serverid=serverid+1
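Review bot: `mmr_replicator_acl = " by dn=cn=replicator,cn=samba read"` depends on its leading space, because slapd.conf in this same change substitutes `${REPLICATOR_ACL}` directly after the `manage` clause; a comment such as `# leading space matters: appended to the 'by ... manage' line in slapd.conf` would keep a later cleanup from stripping it. Likewise `mmr_pass = adminpass` under `# For now, make these equal` could carry the reasoning the commit message gives, e.g. `# shared with adminpass for now; either one implies read access to the krbtgt secret`. The enclosing provision_backend starts before and continues past this hunk.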
@@ -1290,21 +1295,21 @@ def provision_backend(setup_dir=None, message=None,
{ "RID" : str(rid),
"MMRDN": names.schemadn,
"LDAPSERVER" : url,
- "MMR_PASSWORD": adminpass})
+ "MMR_PASSWORD": mmr_pass})
rid=rid+1
mmr_syncrepl_config_config += read_and_sub_file(setup_path("mmr_syncrepl.conf"),
{ "RID" : str(rid),
"MMRDN": names.configdn,
"LDAPSERVER" : url,
- "MMR_PASSWORD": adminpass})
+ "MMR_PASSWORD": mmr_pass})
rid=rid+1
mmr_syncrepl_user_config += read_and_sub_file(setup_path("mmr_syncrepl.conf"),
{ "RID" : str(rid),
"MMRDN": names.domaindn,
"LDAPSERVER" : url,
- "MMR_PASSWORD": adminpass })
+ "MMR_PASSWORD": mmr_pass })
setup_file(setup_path("slapd.conf"), paths.slapdconf,
@@ -1315,11 +1320,11 @@ def provision_backend(setup_dir=None, message=None,
"SCHEMADN": names.schemadn,
"MEMBEROF_CONFIG": memberof_config,
"MIRRORMODE": mmr_on_config,
+ "REPLICATOR_ACL": mmr_replicator_acl,
"MMR_SERVERIDS_CONFIG": mmr_serverids_config,
"MMR_SYNCREPL_SCHEMA_CONFIG": mmr_syncrepl_schema_config,
"MMR_SYNCREPL_CONFIG_CONFIG": mmr_syncrepl_config_config,
"MMR_SYNCREPL_USER_CONFIG": mmr_syncrepl_user_config,
- "MMR_PASSWORD": adminpass,
"REFINT_CONFIG": refint_config})
setup_file(setup_path("modules.conf"), paths.modulesconf,
{"REALM": names.realm})
@@ -1340,6 +1345,15 @@ def provision_backend(setup_dir=None, message=None,
{"LDAPADMINPASS_B64": b64encode(adminpass),
"UUID": str(uuid.uuid4()),
"LDAPTIME": timestring(int(time.time()))} )
+
+ if ol_mmr_urls is not None:
+ setup_file(setup_path("cn=replicator.ldif"),
+ os.path.join(paths.ldapdir, "db", "samba", "cn=samba", "cn=replicator.ldif"),
+ {"MMR_PASSWORD_B64": b64encode(mmr_pass),
+ "UUID": str(uuid.uuid4()),
+ "LDAPTIME": timestring(int(time.time()))} )
+
+
mapping = "schema-map-openldap-2.3"
backend_schema = "backend-schema.schema"
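Review bot: The cn=replicator.ldif written here carries the replicator password only base64-encoded, i.e. recoverable by anyone who can read the file, and nothing in the hunk restricts the file mode; if `setup_file` does not already create it owner-readable only, an explicit `os.chmod(path, 0600)` after the call (the file already uses `os.path`) would close that gap. The samba-admin ldif written just above has the same property, so any such fix belongs to both calls. The substitution dicts of the two calls differ only in the password key; hoisting the `UUID`/`LDAPTIME` entries into a shared dict would be a small cleanup. provision_backend continues past this hunk.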
diff --git a/source/setup/cn=samba-admin.ldif b/source/setup/cn=replicator.ldif
similarity index 58%
copy from source/setup/cn=samba-admin.ldif
copy to source/setup/cn=replicator.ldif
index c59ffd9..6001456 100644
--- a/source/setup/cn=samba-admin.ldif
+++ b/source/setup/cn=replicator.ldif
@@ -1,12 +1,12 @@
-dn: cn=samba-admin
+dn: cn=replicator
objectClass: top
objectClass: person
-cn: samba-admin
-userPassword:: ${LDAPADMINPASS_B64}
+cn: replicator
+userPassword:: ${MMR_PASSWORD_B64}
structuralObjectClass: person
entryUUID: ${UUID}
creatorsName:
createTimestamp: ${LDAPTIME}
-entryCSN: 20080714010529.241038Z#000000#000#000000
+entryCSN: 20080714010529.241039Z#000000#000#000000
modifiersName:
modifyTimestamp: ${LDAPTIME}
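Review bot: `userPassword:: ${MMR_PASSWORD_B64}` stores the replicator secret in cleartext — the `::` is LDIF base64 encoding, not a hash — and with DIGEST-MD5 in mmr_syncrepl.conf that is required, since the server must compute the digest from the plain password, so it cannot later be replaced by a `{SSHA}` value without breaking the bind. If a `#` comment line survives the loader, `# cleartext on purpose: DIGEST-MD5 needs the plain password server-side` in the template would record that constraint. The `entryCSN` is a fixed literal that differs from the samba-admin copy only in its last digit, presumably to keep the two CSNs distinct; a short comment saying so would help.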
diff --git a/source/setup/mmr_syncrepl.conf b/source/setup/mmr_syncrepl.conf
index 3a207b2..1373858 100644
--- a/source/setup/mmr_syncrepl.conf
+++ b/source/setup/mmr_syncrepl.conf
@@ -5,7 +5,8 @@ syncrepl rid=${RID}
searchbase="${MMRDN}"
type=refreshAndPersist
retry="10 +"
- bindmethod=simple
- binddn="CN=Manager,${MMRDN}"
+ bindmethod=sasl
+ saslmech=DIGEST-MD5
+ authcid="replicator"
credentials="${MMR_PASSWORD}"
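Review bot: `bindmethod=sasl` with `authcid="replicator"` authenticates as a SASL identity, not as `cn=replicator,cn=samba`; slapd maps that identity to a DN only through an `authz-regexp` rule, and none is added by this change, so unless slapd.conf already has one outside the hunks the read ACL granted to `cn=replicator,cn=samba` would not apply to the replicating bind. DIGEST-MD5 by itself protects the credential exchange; the replicated data is protected only if a SASL security layer is negotiated, and nothing visible in the hunk requests one (no `secprops=` or `starttls=`), so the commit message's claim about replicated data should be confirmed against the actual negotiation. `credentials="${MMR_PASSWORD}"` still places the password in this configuration file, so its permissions matter as much as before.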
diff --git a/source/setup/slapd.conf b/source/setup/slapd.conf
index 141c0cd..b64d581 100644
--- a/source/setup/slapd.conf
+++ b/source/setup/slapd.conf
@@ -1,5 +1,8 @@
loglevel 0
+### needed for initial content load ###
+sizelimit unlimited
+
### Multimaster-ServerIDs and URLs ###
${MMR_SERVERIDS_CONFIG}
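Review bot: `sizelimit unlimited` at global scope lifts the search result cap for every client, including the anonymous binds the ACLs permit, although the comment says it is only needed for the initial content load; the `limits` directive can scope it to the identity doing that load, e.g. `limits dn.exact="cn=replicator,cn=samba" size=unlimited`, keeping the default for everyone else. If the initial load is done as the rootdn, the directive should not be needed at all, since the rootdn is not subject to these limits.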
@@ -36,7 +39,7 @@ access to dn.subtree="cn=samba"
by anonymous auth
access to dn.subtree="${DOMAINDN}"
- by dn=cn=samba-admin,cn=samba manage
+ by dn=cn=samba-admin,cn=samba manage${REPLICATOR_ACL}
by dn=cn=manager manage
by * none
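Review bot: `${REPLICATOR_ACL}` is spliced only into the `${DOMAINDN}` access rule, while provision.py renders mmr_syncrepl.conf for `names.schemadn` and `names.configdn` as well, all binding as the replicator; unless the schema and config subtrees are covered by their own access rules outside this hunk, those two syncrepl consumers would fall through to a default `by * none`. The rules for those databases are not visible here, so this is worth confirming rather than assumed.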
@@ -62,7 +65,6 @@ rootdn cn=Manager,cn=Samba
database hdb
suffix ${SCHEMADN}
rootdn cn=Manager,${SCHEMADN}
-rootpw "${MMR_PASSWORD}"
directory ${LDAPDIR}/db/schema
index objectClass eq
index samAccountName eq
@@ -89,7 +91,6 @@ ${MIRRORMODE}
database hdb
suffix ${CONFIGDN}
rootdn cn=Manager,${CONFIGDN}
-rootpw "${MMR_PASSWORD}"
directory ${LDAPDIR}/db/config
index objectClass eq
index samAccountName eq
@@ -118,7 +119,6 @@ ${MIRRORMODE}
database hdb
suffix ${DOMAINDN}
rootdn cn=Manager,${DOMAINDN}
-rootpw "${MMR_PASSWORD}"
directory ${LDAPDIR}/db/user
index objectClass eq
index samAccountName eq