backend provision samba4-ol-multimaster
Oliver Liebel
oliver at itc.li
Sun Sep 7 13:33:15 GMT 2008
Andrew Bartlett wrote:
> On Sat, 2008-09-06 at 18:40 +0200, Oliver Liebel wrote:
>
>> Andrew Bartlett wrote:
>>
>>> On Fri, 2008-09-05 at 10:37 +0200, Oliver Liebel wrote:
>>>
>>>
>>>> e.g. rid=serverid*100 instead of ...*10
>>>>
>>>>
>>> Sure, but then we have a maximum of 9 replicating servers, which seemed
>>> like rather a low limit.
>>>
>> sorry, you're right - I missed that point, was just looking at the
>> "readability".
>>
>> but there is another point to mention: we should add the "sizelimit
>> unlimited" ( or just a value greater than 552 [cn=schema] )
>> to the slapd.conf template again, otherwise we are running into trouble
>> during initial content load on the secondary dcs.
>>
>>
>>> Yep, we need a separate account, but I can't see a good way to move away
>>> from cleartext passwords.
>>>
>>> ...
>>>
>>> No, we cannot use GSSAPI. We must use something like DIGEST-MD5 because
>>> we are creating the backend for the KDC, so we can't use kerberos to do
>>> it :-)
>>>
>>>
>> okay, if we were to use digest-md5, what do you think about the following
>> idea:
>>
>
> Excellent. Please give me a patch with the sizelimit and these
> changes.
>
>
Done. Confs and diffs are attached.
>> as there is no need for rootpws for the subcontexts now
>> (which surely can also be kept there - maybe for debugging issues,
>> using pre-crypted slappasswd-ssha-values),
>> the only thing remaining in cleartext is the authcid and credentials in
>> the syncrepl config, but as
>> the replicator account has only ro-privileges on the dit,
>> it's not that bad, even if someone could catch a look at the config...
>>
>
> Let's remove all the rootpw entries.
>
done.
>
>> another option could be (with the advantage of having no passwords at
>> all in slapd.conf / slapd.d/ )
>> to use mech external, but in that case we would have to set up
>> the ca and all host-certs during provisioning, maybe using a fixed
>> cert-dn, e.g. cn=<hostname>,cn=samba4dc,dc=<names.domaindn>
>> or something like that.
>> but as we have to set up tls for replication anyway, maybe it's worth a
>> thought.
>>
>> so what do you think about the mech we should use?
>>
>
> digest-md5 please.
>
done.
>
>>> I'm certainly quite OK with having a switch to inhibit the creation of
>>> the actual cn=samba data.
>>>
>>> If we do actually get as far as replicating cn=config, then perhaps this
>>> same switch might be used to create a 'stub' slapd.conf with only enough
>>> to replicate in cn=config?
>>>
>>>
>> hm... do you mean (after we have converted the complete slapd to olc on
>> the first dc) a switch (for the other dcs) that will activate
>> a very small olc-replication config "from scratch", which will fetch
>> everything needed from the first dc?
>> yes, I think we can get that done.
>>
>
> Great.
>
> Andrew Bartlett
>
I am busy the next weeks, but I will start my work on the olc part as soon
as possible.
greetings,
oliver
-------------- next part --------------
--- setup/slapd.conf.bak 2008-09-07 14:27:47.000000000 +0200
+++ setup/slapd.conf 2008-09-07 14:52:50.000000000 +0200
@@ -1,5 +1,8 @@
loglevel 0
+### needed for initial content load ###
+sizelimit unlimited
+
### Multimaster-ServerIDs and URLs ###
${MMR_SERVERIDS_CONFIG}
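Review bot: `sizelimit unlimited` at the top of the file is a global directive, so it lifts the result cap for every client of every database, not only for the initial content load on the secondary DCs that the comment gives as the reason. Prefer either a bounded value above the 552 entries mentioned in the thread, or a per-identity exemption inside each database with the `limits` directive (e.g. `limits dn.exact="cn=replicator,cn=samba" size=unlimited time=unlimited`), so anonymous and ordinary binds keep the default limit while the replicator can pull the whole context.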
@@ -36,7 +39,7 @@
by anonymous auth
access to dn.subtree="${DOMAINDN}"
- by dn=cn=samba-admin,cn=samba manage
+ by dn=cn=samba-admin,cn=samba manage${REPLICATOR_ACL}
by dn=cn=manager manage
by * none
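Review bot: this is the only ACL the patch extends, but the syncrepl template is also generated for the schema and config contexts (MMR_SYNCREPL_SCHEMA_CONFIG and MMR_SYNCREPL_CONFIG_CONFIG in the provision.py part), so the ${SCHEMADN} and ${CONFIGDN} databases need an equivalent read grant for cn=replicator,cn=samba or the replicator will be refused there. Also check that the template already has an authz-regexp that maps the DIGEST-MD5 identity `replicator` onto cn=replicator,cn=samba; without that mapping the expanded `by dn=cn=replicator,cn=samba read` never matches the replicating bind. Placing `${REPLICATOR_ACL}` on its own indented line rather than appending it to the samba-admin `by` clause would make the rendered file easier to read.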
@@ -62,7 +65,6 @@
database hdb
suffix ${SCHEMADN}
rootdn cn=Manager,${SCHEMADN}
-rootpw "${MMR_PASSWORD}"
directory ${LDAPDIR}/db/schema
index objectClass eq
index samAccountName eq
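Review bot: with `rootpw` removed, cn=Manager,${SCHEMADN} can no longer do a simple bind, so anything in the provisioning scripts or the other templates that still binds as the rootdn with ${MMR_PASSWORD} breaks; the same applies to the two following hunks for ${CONFIGDN} and ${DOMAINDN}. The remaining `rootdn` line is then only reachable through a SASL mapping. Please state in the commit message which binds were checked after the removal.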
@@ -89,7 +91,6 @@
database hdb
suffix ${CONFIGDN}
rootdn cn=Manager,${CONFIGDN}
-rootpw "${MMR_PASSWORD}"
directory ${LDAPDIR}/db/config
index objectClass eq
index samAccountName eq
@@ -118,7 +119,6 @@
database hdb
suffix ${DOMAINDN}
rootdn cn=Manager,${DOMAINDN}
-rootpw "${MMR_PASSWORD}"
directory ${LDAPDIR}/db/user
index objectClass eq
index samAccountName eq
-------------- next part --------------
dn: cn=replicator
objectClass: top
objectClass: person
cn: replicator
userPassword:: ${LDAPADMINPASS_B64}
structuralObjectClass: person
entryUUID: ${UUID}
creatorsName:
createTimestamp: ${LDAPTIME}
entryCSN: 20080714010529.241039Z#000000#000#000000
modifiersName:
modifyTimestamp: ${LDAPTIME}
-------------- next part --------------
# Generated from template mmr_syncrepl.conf
syncrepl rid=${RID}
provider="${LDAPSERVER}"
searchbase="${MMRDN}"
type=refreshAndPersist
retry="10 +"
bindmethod=sasl
saslmech=DIGEST-MD5
authcid="replicator"
credentials="${MMR_PASSWORD}"
-------------- next part --------------
--- scripting/python/samba/provision.py.bak 2008-09-07 14:16:45.000000000 +0200
+++ scripting/python/samba/provision.py 2008-09-07 14:52:59.000000000 +0200
@@ -1266,6 +1266,7 @@
# generate serverids, ldap-urls and syncrepl-blocks for mmr hosts
mmr_on_config = ""
+ mmr_replicator_acl = ""
mmr_serverids_config = ""
mmr_syncrepl_schema_config = ""
mmr_syncrepl_config_config = ""
@@ -1278,6 +1279,7 @@
mmr_on_config = "MirrorMode On"
+ mmr_replicator_acl = " by dn=cn=replicator,cn=samba read"
serverid=0
for url in url_list:
serverid=serverid+1
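Review bot: the leading space in `" by dn=cn=replicator,cn=samba read"` is what glues the clause onto the samba-admin line of the slapd.conf template; a value starting with a newline and a tab (`"\n\tby dn=cn=replicator,cn=samba read"`) would render as a normal continuation line and not depend on where the placeholder sits. Making the ACL conditional on MirrorMode is fine, since the replicator entry below is created under the same condition.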
@@ -1315,6 +1317,7 @@
"SCHEMADN": names.schemadn,
"MEMBEROF_CONFIG": memberof_config,
"MIRRORMODE": mmr_on_config,
+ "REPLICATOR_ACL": mmr_replicator_acl,
"MMR_SERVERIDS_CONFIG": mmr_serverids_config,
"MMR_SYNCREPL_SCHEMA_CONFIG": mmr_syncrepl_schema_config,
"MMR_SYNCREPL_CONFIG_CONFIG": mmr_syncrepl_config_config,
@@ -1340,6 +1343,15 @@
{"LDAPADMINPASS_B64": b64encode(adminpass),
"UUID": str(uuid.uuid4()),
"LDAPTIME": timestring(int(time.time()))} )
+
+ if ol_mmr_urls is not None:
+ setup_file(setup_path("cn=replicator.ldif"),
+ os.path.join(paths.ldapdir, "db", "samba", "cn=samba", "cn=replicator.ldif"),
+ {"LDAPADMINPASS_B64": b64encode(adminpass),
+ "UUID": str(uuid.uuid4()),
+ "LDAPTIME": timestring(int(time.time()))} )
+
+
mapping = "schema-map-openldap-2.3"
backend_schema = "backend-schema.schema"
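Review bot: cn=replicator.ldif is rendered with `LDAPADMINPASS_B64 = b64encode(adminpass)`, i.e. the replicator entry gets the LDAP admin password, while the attached mmr_syncrepl.conf template binds with `credentials="${MMR_PASSWORD}"`. Unless those two values are guaranteed to be the same, the replication bind fails; and if they are the same, the read-only replicator shares the admin secret, which undoes the separation the thread argues for. Render the LDIF with the same MMR password variable the syncrepl template uses (or a dedicated replicator password) instead of adminpass.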
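The three configuration points settled in this thread (no rootpw in the subcontexts, a sizelimit large enough for the initial content load, and a read ACL for the replicator on every replicated context) can be checked mechanically on a rendered slapd.conf. The following is an added example, not code from the thread or from Samba: a small lint that joins slapd.conf continuation lines, splits the file into databases, and reports each violation. The sample configuration, its DNs and the password strings are constructed for the demonstration; the replicator DN cn=replicator,cn=samba is taken from the attached templates.

```python
import re

# Access levels in the order slapd ranks them (see slapd.access(5)).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
# The thread gives 552 entries (cn=schema) as the largest initial load.
MIN_SIZELIMIT = 552

# Constructed sample of a provisioned slapd.conf: the sizelimit is too small,
# the domain database kept its rootpw, and the schema ACL was not extended
# for the replicator. Not real provisioning output.
SAMPLE_CONF = """\
loglevel 0
sizelimit 500

database hdb
suffix cn=Schema,cn=Configuration,dc=example,dc=com
access to dn.subtree="cn=Schema,cn=Configuration,dc=example,dc=com"
        by dn=cn=samba-admin,cn=samba manage
        by dn=cn=manager manage
        by * none
syncrepl rid=10 provider="ldap://dc2.example.com/"
        searchbase="cn=Schema,cn=Configuration,dc=example,dc=com"
        bindmethod=sasl saslmech=DIGEST-MD5
        authcid="replicator" credentials="replicator-secret"

database hdb
suffix dc=example,dc=com
rootpw "leftover-secret"
access to attrs=userPassword
        by anonymous auth
access to dn.subtree="dc=example,dc=com"
        by dn=cn=samba-admin,cn=samba manage by dn=cn=replicator,cn=samba read
        by dn=cn=manager manage
        by * none
syncrepl rid=20 provider="ldap://dc2.example.com/"
        searchbase="dc=example,dc=com"
        bindmethod=sasl saslmech=DIGEST-MD5
        authcid="replicator" credentials="replicator-secret"
"""


def _logical_lines(text):
    """Join continuation lines (leading whitespace) onto the preceding
    directive; drop blank lines and comments."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    return lines


def parse_slapd_conf(text):
    """Return (global directives, databases). Each database records its
    suffix, whether rootpw is set, parsed ACLs as (what, [(who, level)])
    and whether a syncrepl consumer block is present."""
    glob, dbs, cur = {}, [], None
    for line in _logical_lines(text):
        key, _, rest = line.partition(" ")
        key, rest = key.lower(), rest.strip()
        if key == "database":
            cur = {"suffix": None, "rootpw": False, "acls": [], "syncrepl": False}
            dbs.append(cur)
        elif cur is None:
            glob[key] = rest
        elif key == "suffix":
            cur["suffix"] = rest.strip('"')
        elif key == "rootpw":
            cur["rootpw"] = True
        elif key == "syncrepl":
            cur["syncrepl"] = True
        elif key == "access":
            m = re.match(r"to\s+(\S+)\s*(.*)", rest)
            if m:
                bys = re.findall(r"\bby\s+(\S+)\s+(\w+)", m.group(2))
                cur["acls"].append((m.group(1), bys))
    return glob, dbs


def replicator_access(db, replicator_dn):
    """Best level any entry-level ACL (to * or to dn...) grants the replicator.
    Simplification: slapd stops at the first matching clause, this takes the
    maximum, which is adequate for a provisioned file."""
    best = 0
    targets = {"dn=" + replicator_dn, "dn.exact=" + replicator_dn, "*", "users"}
    for what, bys in db["acls"]:
        if not (what == "*" or what.lower().startswith("dn")):
            continue
        for who, level in bys:
            if who.replace('"', "") in targets and level in LEVELS:
                best = max(best, LEVELS.index(level))
    return LEVELS[best]


def lint(text, replicator_dn="cn=replicator,cn=samba"):
    """Return a list of findings; an empty list means all three checks pass."""
    glob, dbs = parse_slapd_conf(text)
    findings = []
    limit = glob.get("sizelimit")
    if limit != "unlimited" and not (limit and limit.isdigit() and int(limit) > MIN_SIZELIMIT):
        findings.append("global: sizelimit must be unlimited or above %d for the "
                        "initial content load" % MIN_SIZELIMIT)
    for db in dbs:
        suffix = db["suffix"] or "<no suffix>"
        if db["rootpw"]:
            findings.append("%s: rootpw is still set; remove it" % suffix)
        if db["syncrepl"] and LEVELS.index(replicator_access(db, replicator_dn)) < LEVELS.index("read"):
            findings.append("%s: replicated, but %s has no read ACL" % (suffix, replicator_dn))
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print(finding)
```

Run against the rendered slapd.conf of each DC after provisioning; the check is deliberately conservative (it ignores slapd's first-match ACL evaluation order), so an empty result says the three points from the thread are covered, not that the ACLs are otherwise correct.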