backend provision samba4-ol-multimaster
Oliver Liebel
oliver at itc.li
Sat Sep 6 16:40:07 GMT 2008
Andrew Bartlett schrieb:
> On Fri, 2008-09-05 at 10:37 +0200, Oliver Liebel wrote:
>
>> e.g. rid=serverid*100 instead of ...*10
>>
>
> Sure, but then we have a maximum of 9 replicating servers, which seemed
> like rather a low limit.
sorry, youre right - i missed that point, was just looking at the
"readability".
but there is another point to mention: we should add the "sizelimit
unlimited" ( or just a value greater 552 [cn=schema] )
to slapd.conf-template again, otherwise we are running into trouble
during initial content cload on the secondary dcs.
> Yep, we need a separate account, but I can't see a good way to move away
> from cleartext passwords.
>
> ...
>
> No, we cannot use GSSAPI. We must use something like DIGEST-MD5 because
> we are creating the backend for the KDC, so we can't use kerberos to do
> it :-)
>
okay, if we would use digest-md5, what do you think about the following
idea:
we create the cn=replicator account in the same way, cn=samba-admin is
created (under cn=samba, so we can use the same authz-regexp mappings).
we can use the --adminpass
given during provisioning (or use another pass, maybe
"--replicator-pass=..." ) .
i have tested the following setup (using --adminpass), and its working:
...setup/cn=replicator.ldif: (except dn/cn/entryCSN identical to
cn=samba-admin)
dn: cn=replicator
objectClass: top
objectClass: person
cn: replicator
userPassword:: ${LDAPADMINPASS_B64}
structuralObjectClass: person
entryUUID: ${UUID}
creatorsName:
createTimestamp: ${LDAPTIME}
entryCSN: 20080714010529.241039Z#000000#000#000000
modifiersName:
modifyTimestamp: ${LDAPTIME}
slapd.conf:
syncrepl section:
syncrepl rid=<rid>
provider=<host>
...
bindmethod=sasl
saslmech=DIGEST-MD5
authcid="replicator"
credentials="linux"
acl section:
access to dn.subtree="DC=ldap,DC=local,DC=site"
by dn=cn=samba-admin,cn=samba manage
by dn=cn=replicator,cn=samba read
by dn=cn=manager manage
by * none
provison.py:
setup_file(setup_path("cn=samba-admin.ldif"),
os.path.join(paths.ldapdir, "db", "samba",
"cn=samba", "cn=samba-admin.ldif"),
...
setup_file(setup_path("cn=replicator.ldif"),
os.path.join(paths.ldapdir, "db", "samba",
"cn=samba", "cn=replicator.ldif"),
{"LDAPADMINPASS_B64": b64encode(adminpass),
"UUID": str(uuid.uuid4()),
"LDAPTIME": timestring(int(time.time()))} )
slapd-logs shows me that everythings working fine during sasl-bind:
>>> SASL Authorize [conn=2]: proxy authorization allowed authzDN=""
>>> send_ldap_sasl: err=0 len=40
>>> do_bind: SASL/DIGEST-MD5 bind: dn="cn=replicator,cn=samba"
sasl_ssf=128
and replication itself is working fine.
as there is no need for rootpws for the subcontexts now
(which surely also can be kept there - maybe for debugging issues,
using pre-crypted slappasswd-ssha-values),
the only thing remaining in cleartext are the authcid and credentials in
syncrepl-config, but as
the replicator-account has only ro-privileges on the dit,
its not that bad, even if someone could catch a look on the config...
another option could be (with the advantage of having no passwords at
all in slapd.conf / slapd.d/ )
to use mech external, but in that case we would have to setup
the ca and all host-certs during provisioning, maybe using a fixed
cert-dn, e.g. cn=<hostname>,cn=samba4dc,dc=<names.domaindn>
or something like that.
but as we have to setup tls for replication anyway, maybe its worth a
thougt.
so what do you think about the mech we should use?
> I'm certainly quite OK with having a switch to inhibit the creation of
> the actual cn=samba data.
>
> If we do actually get as far as replicating cn=config, then perhaps this
> same switch might be used to create a 'stub' slapd.conf with only enough
> to replicate in cn=config?
>
hm... do you mean (after we have converted the complete slapd to olc on
the first dc) a switch (for the other dcs) that will activate
a very small olc-replication config "from the scratch", which will fetch
everything needed from the first dc?
yes, i think we can get that done.
have a nice weekend,
oliver
> Andrew Bartlett
>
>
____________
Virus checked by G DATA AntiVirusKit
Version: AVK 19.344 from 06.09.2008
Virus news: www.antiviruslab.com
More information about the samba-technical
mailing list