olc-conversion
Oliver Liebel
oliver at itc.li
Wed Feb 11 07:05:28 MST 2009
Oliver Liebel schrieb:
>
> Andrew Bartlett schrieb:
>>
>> I would prefer to keep Samba's configuration to the ldapi (leave the
>> provision unchanged), but of course to have the slapd command line
>> propose binding to a real TCP port.
>>
>
1) provision-backend helplines:
first of all: you cannot use (and access) the openldap-olc via ldapi
from remote hosts or "trough" samba (389),
so you have to provide another port then 389 (=occupied by samba4).
for this reason, every setup other than "standard" / "default case" (s4
/ ol standalone without olc/mmr) you have to run
slapd with additional host:port - directive, as it is needed for all
cases with mmr and olc involved.
in consequence, here are the slapd-specific setup-help-lines, displayed
after run of provision-backend:
- s4/ol: "Start slapd with: slapd -f
/usr/local/samba/private/ldap/slapd.conf -h
ldapi://%2Fusr%2Flocal%2Fsamba%2Fprivate%2Fldap%2Fldapi"
- s4/ol/olc: "Start slapd with: slapd -F
/usr/local/samba/private/ldap/slapd.d -h
"ldapi://%2Fusr%2Flocal%2Fsamba%2Fprivate%2Fldap%2Fldapi
ldap://<FQHN>:<PORT>" "
- s4/ol/mmr: "Start slapd with: slapd -f
/usr/local/samba/private/ldap/slapd.conf -h
"ldapi://%2Fusr%2Flocal%2Fsamba%2Fprivate%2Fldap%2Fldapi
ldap://<FQHN>:<PORT>" "
- s4/ol/olc/mmr: "Start slapd with: slapd -F
/usr/local/samba/private/ldap/slapd.d -h
"ldapi://%2Fusr%2Flocal%2Fsamba%2Fprivate%2Fldap%2Fldapi
ldap://<FQHN>:<PORT>" "
(Final)Provision-Helpline is displayed in every case with "ldapi", as
you wanted it:
"Run provision with: --ldap-backend=ldapi --ldap-backend-type=openldap
--password=linux --username=samba-admin"
2) added some additional validation checks to --ol-olc=yes and
--ol-slaptest=<path>
if olc=yes and slaptest=none -> exit
if olc=yes and wrong path to slaptest -> exit
3) slapd.conf remains in case of olc=yes (let us keep this for
debugging purposes until everything works as wanted)
4) added some comments in provision-backend to olc/mmr help-output to
make some things more clear
all modified files and diffs are attached, everything should work as
expected.
please test it and give me a feedback.
greetings
oliver
-------------- next part --------------
--- scripting/python/samba/provision.org 2009-01-06 12:59:15.000000000 +0100
+++ scripting/python/samba/provision.py 2009-02-11 14:50:46.000000000 +0100
@@ -26,6 +26,7 @@
from base64 import b64encode
import os
+import sys
import pwd
import grp
import time
@@ -76,9 +77,14 @@
self.memberofconf = None
self.fedoradsinf = None
self.fedoradspartitions = None
- self.olmmron = None
- self.olmmrserveridsconf = None
- self.olmmrsyncreplconf = None
+ self.olmmron = None
+ self.olmmrserveridsconf = None
+ self.olmmrsyncreplconf = None
+ self.olcdir = None
+ self.olslaptest = None
+ self.olcseedldif = None
+ self.olcsyncprovdir = None
+ self.olcsyncprovfile = None
class ProvisionNames(object):
@@ -251,6 +257,14 @@
"mmr_serverids.conf")
paths.olmmrsyncreplconf = os.path.join(paths.ldapdir,
"mmr_syncrepl.conf")
+ paths.olcdir = os.path.join(paths.ldapdir,
+ "slapd.d")
+ paths.olcseedldif = os.path.join(paths.ldapdir,
+ "olc_seed.ldif")
+ paths.olcsyncprovdir = os.path.join(paths.olcdir,
+ "cn=config/olcDatabase={0}config")
+ paths.olcsyncprovfile = os.path.join(paths.olcsyncprovdir,
+ "olcOverlay={0}syncprov.ldif")
paths.hklm = "hklm.ldb"
paths.hkcr = "hkcr.ldb"
paths.hkcu = "hkcu.ldb"
@@ -1160,7 +1174,7 @@
rootdn=None, domaindn=None, schemadn=None, configdn=None,
domain=None, hostname=None, adminpass=None, root=None, serverrole=None,
ldap_backend_type=None, ldap_backend_port=None,
- ol_mmr_urls=None):
+ ol_mmr_urls=None,ol_olc=None,ol_slaptest=None):
def setup_path(file):
return os.path.join(setup_dir, file)
@@ -1184,6 +1198,19 @@
make_smbconf(smbconf, setup_path, hostname, domain, realm, serverrole,
targetdir)
+ # openldap-online-configuration: validation of olc and slaptest
+ if ol_olc == "yes" and ol_slaptest is None:
+ sys.exit("Warning: OpenLDAP-Online-Configuration cant be setup without path to slaptest-Binary!")
+
+ if ol_olc == "yes" and ol_slaptest is not None:
+ ol_slaptest = ol_slaptest + "/slaptest"
+ if not os.path.exists(ol_slaptest):
+ message (ol_slaptest)
+ sys.exit("Warning: Given Path to slaptest-Binary does not exist!")
+ ###
+
+
+
lp = param.LoadParm()
lp.load(smbconf)
@@ -1276,52 +1303,95 @@
{ "LINK_ATTRS" : refint_attributes})
# generate serverids, ldap-urls and syncrepl-blocks for mmr hosts
- mmr_on_config = ""
- mmr_replicator_acl = ""
- mmr_serverids_config = ""
+ mmr_on_config = ""
+ mmr_replicator_acl = ""
+ mmr_serverids_config = ""
mmr_syncrepl_schema_config = ""
- mmr_syncrepl_config_config = ""
- mmr_syncrepl_user_config = ""
-
- if ol_mmr_urls is not None:
+ mmr_syncrepl_config_config = ""
+ mmr_syncrepl_user_config = ""
+
+
+ if ol_mmr_urls is not None:
# For now, make these equal
mmr_pass = adminpass
- url_list=filter(None,ol_mmr_urls.split(' '))
+ url_list=filter(None,ol_mmr_urls.split(' '))
if (len(url_list) == 1):
url_list=filter(None,ol_mmr_urls.split(','))
- mmr_on_config = "MirrorMode On"
- mmr_replicator_acl = " by dn=cn=replicator,cn=samba read"
- serverid=0
- for url in url_list:
- serverid=serverid+1
- mmr_serverids_config += read_and_sub_file(setup_path("mmr_serverids.conf"),
- { "SERVERID" : str(serverid),
- "LDAPSERVER" : url })
+ mmr_on_config = "MirrorMode On"
+ mmr_replicator_acl = " by dn=cn=replicator,cn=samba read"
+ serverid=0
+ for url in url_list:
+ serverid=serverid+1
+ mmr_serverids_config += read_and_sub_file(setup_path("mmr_serverids.conf"),
+ { "SERVERID" : str(serverid),
+ "LDAPSERVER" : url })
rid=serverid*10
- rid=rid+1
- mmr_syncrepl_schema_config += read_and_sub_file(setup_path("mmr_syncrepl.conf"),
- { "RID" : str(rid),
- "MMRDN": names.schemadn,
- "LDAPSERVER" : url,
+ rid=rid+1
+ mmr_syncrepl_schema_config += read_and_sub_file(setup_path("mmr_syncrepl.conf"),
+ { "RID" : str(rid),
+ "MMRDN": names.schemadn,
+ "LDAPSERVER" : url,
"MMR_PASSWORD": mmr_pass})
- rid=rid+1
- mmr_syncrepl_config_config += read_and_sub_file(setup_path("mmr_syncrepl.conf"),
- { "RID" : str(rid),
- "MMRDN": names.configdn,
- "LDAPSERVER" : url,
+ rid=rid+1
+ mmr_syncrepl_config_config += read_and_sub_file(setup_path("mmr_syncrepl.conf"),
+ { "RID" : str(rid),
+ "MMRDN": names.configdn,
+ "LDAPSERVER" : url,
"MMR_PASSWORD": mmr_pass})
- rid=rid+1
- mmr_syncrepl_user_config += read_and_sub_file(setup_path("mmr_syncrepl.conf"),
- { "RID" : str(rid),
- "MMRDN": names.domaindn,
- "LDAPSERVER" : url,
+ rid=rid+1
+ mmr_syncrepl_user_config += read_and_sub_file(setup_path("mmr_syncrepl.conf"),
+ { "RID" : str(rid),
+ "MMRDN": names.domaindn,
+ "LDAPSERVER" : url,
"MMR_PASSWORD": mmr_pass })
+ # olc = yes?
+ olc_config_pass = ""
+ olc_config_acl = ""
+ olc_syncrepl_config = ""
+ olc_mmr_config = ""
+ if ol_olc == "yes":
+ olc_config_pass += read_and_sub_file(setup_path("olc_pass.conf"),
+ { "OLC_PW": adminpass })
+ olc_config_acl += read_and_sub_file(setup_path("olc_acl.conf"),{})
+
+ # if olc = yes + mmr = yes, generate cn=config-replication directives
+ # and olc_seed.lif for the other mmr-servers
+ if ol_olc == "yes" and ol_mmr_urls is not None:
+ serverid=0
+ olc_serverids_config = ""
+ olc_syncrepl_config = ""
+ olc_syncrepl_seed_config = ""
+ olc_mmr_config = ""
+ olc_mmr_config += read_and_sub_file(setup_path("olc_mmr.conf"),{})
+ rid=1000
+ for url in url_list:
+ serverid=serverid+1
+ olc_serverids_config += read_and_sub_file(setup_path("olc_serverid.conf"),
+ { "SERVERID" : str(serverid),
+ "LDAPSERVER" : url })
+
+ rid=rid+1
+ olc_syncrepl_config += read_and_sub_file(setup_path("olc_syncrepl.conf"),
+ { "RID" : str(rid),
+ "LDAPSERVER" : url,
+ "MMR_PASSWORD": adminpass})
+
+ olc_syncrepl_seed_config += read_and_sub_file(setup_path("olc_syncrepl_seed.conf"),
+ { "RID" : str(rid),
+ "LDAPSERVER" : url})
+
+ setup_file(setup_path("olc_seed.ldif"), paths.olcseedldif,
+ {"OLC_SERVER_ID_CONF": olc_serverids_config,
+ "OLC_PW": adminpass,
+ "OLC_SYNCREPL_CONF": olc_syncrepl_seed_config})
+
+ # end olc
setup_file(setup_path("slapd.conf"), paths.slapdconf,
{"DNSDOMAIN": names.dnsdomain,
@@ -1336,8 +1406,12 @@
"MMR_SYNCREPL_SCHEMA_CONFIG": mmr_syncrepl_schema_config,
"MMR_SYNCREPL_CONFIG_CONFIG": mmr_syncrepl_config_config,
"MMR_SYNCREPL_USER_CONFIG": mmr_syncrepl_user_config,
+ "OLC_CONFIG_PASS": olc_config_pass,
+ "OLC_SYNCREPL_CONFIG": olc_syncrepl_config,
+ "OLC_CONFIG_ACL": olc_config_acl,
+ "OLC_MMR_CONFIG": olc_mmr_config,
"REFINT_CONFIG": refint_config})
- setup_file(setup_path("modules.conf"), paths.modulesconf,
+ setup_file(setup_path("modules.conf"), paths.modulesconf,
{"REALM": names.realm})
setup_db_config(setup_path, os.path.join(paths.ldapdir, "db", "user"))
@@ -1356,16 +1430,15 @@
{"LDAPADMINPASS_B64": b64encode(adminpass),
"UUID": str(uuid.uuid4()),
"LDAPTIME": timestring(int(time.time()))} )
-
- if ol_mmr_urls is not None:
- setup_file(setup_path("cn=replicator.ldif"),
+
+ if ol_mmr_urls is not None:
+ setup_file(setup_path("cn=replicator.ldif"),
os.path.join(paths.ldapdir, "db", "samba", "cn=samba", "cn=replicator.ldif"),
{"MMR_PASSWORD_B64": b64encode(mmr_pass),
"UUID": str(uuid.uuid4()),
"LDAPTIME": timestring(int(time.time()))} )
-
mapping = "schema-map-openldap-2.3"
backend_schema = "backend-schema.schema"
@@ -1375,7 +1448,18 @@
else:
server_port_string = ""
- slapdcommand="Start slapd with: slapd -f " + paths.ldapdir + "/slapd.conf -h " + ldapi_uri + server_port_string
+ if ol_olc != "yes" and ol_mmr_urls is None:
+ slapdcommand="Start slapd with: slapd -f " + paths.ldapdir + "/slapd.conf -h " + ldapi_uri + server_port_string
+
+ if ol_olc == "yes" and ol_mmr_urls is None:
+ slapdcommand="Start slapd with: slapd -F " + paths.olcdir + " -h \"" + ldapi_uri + " ldap://<FQHN>:<PORT>\""
+
+ if ol_olc != "yes" and ol_mmr_urls is not None:
+ slapdcommand="Start slapd with: slapd -F " + paths.ldapdir + "/slapd.conf -h \"" + ldapi_uri + " ldap://<FQHN>:<PORT>\""
+
+ if ol_olc == "yes" and ol_mmr_urls is not None:
+ slapdcommand="Start slapd with: slapd -F " + paths.olcdir + " -h \"" + ldapi_uri + " ldap://<FQHN>:<PORT>\""
+
ldapuser = "--username=samba-admin"
@@ -1399,6 +1483,27 @@
message(slapdcommand)
message("Run provision with: --ldap-backend=ldapi --ldap-backend-type=" + ldap_backend_type + " --password=" + adminpass + " " + ldapuser)
+ # if --ol-olc=yes, generate online-configuration in ../private/ldap/slapd.d
+ if ol_olc == "yes":
+ if not os.path.isdir(paths.olcdir):
+ os.makedirs(paths.olcdir, 0770)
+ paths.olslaptest = str(ol_slaptest)
+ olc_command = paths.olslaptest + " -f" + paths.slapdconf + " -F" + paths.olcdir + " >/dev/null 2>&1"
+ os.system(olc_command)
+ #os.remove(paths.slapdconf)
+ # use line below for debugging during olc-conversion with slaptest
+ #olc_command = paths.olslaptest + " -f" + paths.slapdconf + " -F" + paths.olcdir"
+
+ # workaround, if overlay syncprov is was not created properly during conversion to cn=config.
+ # otherwise, cn=config won't be replicated
+ if ol_olc == "yes" and ol_mmr_urls is not None:
+ if not os.path.exists(paths.olcsyncprovdir):
+ os.makedirs(paths.olcsyncprovdir, 0770)
+ setup_file(setup_path("olcOverlay={0}syncprov.ldif"),
+ os.path.join(paths.olcsyncprovdir, "olcOverlay={0}syncprov.ldif"), {})
+
+
+
def create_phpldapadmin_config(path, setup_path, ldapi_uri):
"""Create a PHP LDAP admin configuration file.
-------------- next part --------------
--- setup/provision-backend.org 2009-01-06 13:01:01.000000000 +0100
+++ setup/provision-backend 2009-02-11 11:48:04.000000000 +0100
@@ -65,8 +65,12 @@
parser.add_option("--targetdir", type="string", metavar="DIR",
help="Set target directory")
parser.add_option("--ol-mmr-urls", type="string", metavar="LDAPSERVER",
- help="List of LDAP-URLS [ ldap://<FQDN>:port/ (where port != 389) ] separated with whitespaces for use with OpenLDAP-MMR")
-
+ help="List of LDAP-URLS [ ldap://<FQDN>:port/ (where port != 389) ] separated with whitespaces for use with OpenLDAP-MMR (Multi-Master-Replication)")
+parser.add_option("--ol-olc", type="choice", metavar="OPENLDAP-OLC",
+ help="To setup OpenLDAP-Backend with Online-Configuration [slapd.d] choose 'yes'",
+ choices=["yes", "no"])
+parser.add_option("--ol-slaptest", type="string", metavar="SLAPTEST-PATH",
+ help="Path to slaptest-binary [e.g.:'/usr/local/sbin']. Only for use with --ol-olc='yes'")
opts = parser.parse_args()[0]
@@ -103,5 +107,7 @@
root=opts.root, serverrole=server_role,
ldap_backend_type=opts.ldap_backend_type,
ldap_backend_port=opts.ldap_backend_port,
- ol_mmr_urls=opts.ol_mmr_urls)
+ ol_mmr_urls=opts.ol_mmr_urls,
+ ol_olc=opts.ol_olc,
+ ol_slaptest=opts.ol_slaptest)
-------------- next part --------------
set_cachesize 0 524288 0
set_lg_regionmax 104857
set_lg_max 1048576
set_lg_bsize 209715
set_lg_dir ${LDAPDBDIR}/bdb-logs
set_tmp_dir ${LDAPDBDIR}/tmp
-------------- next part --------------
ServerID ${SERVERID} "${LDAPSERVER}"
-------------- next part --------------
# Generated from template mmr_syncrepl.conf
syncrepl rid=${RID}
provider="${LDAPSERVER}"
searchbase="${MMRDN}"
type=refreshAndPersist
retry="10 +"
bindmethod=sasl
saslmech=DIGEST-MD5
authcid="replicator"
credentials="${MMR_PASSWORD}"
-------------- next part --------------
access to dn.sub="cn=config"
by dn="cn=samba-admin,cn=samba" write
by dn="cn=replicator,cn=samba" read
-------------- next part --------------
overlay syncprov
MirrorMode on
-------------- next part --------------
database config
rootdn cn=config
-------------- next part --------------
dn: cn=config
objectClass: olcGlobal
cn: config
${OLC_SERVER_ID_CONF}
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootDN: cn=config
olcRootPW: ${OLC_PW}
${OLC_SYNCREPL_CONF}olcMirrorMode: TRUE
dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
objectClass: olcSyncProvConfig
olcOverlay: syncprov
-------------- next part --------------
olcServerID: ${SERVERID} "${LDAPSERVER}"
-------------- next part --------------
# Generated from template olc_syncrepl.conf
syncrepl rid=${RID}
provider="${LDAPSERVER}"
searchbase="cn=config"
filter="(!(olcDatabase={0}config))"
type=refreshAndPersist
retry="10 +"
bindmethod=sasl
saslmech=DIGEST-MD5
authcid="replicator"
credentials="${MMR_PASSWORD}"
-------------- next part --------------
olcSyncRepl: rid=${RID} provider="${LDAPSERVER}"
binddn="cn=config" bindmethod=sasl saslmech=DIGEST-MD5
authcid="replicator" credentials="linux"
searchbase="cn=config" filter="(!(olcDatabase={0}config))"
type=refreshAndPersist retry="10 +"
-------------- next part --------------
dn: olcOverlay={0}syncprov
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov
structuralObjectClass: olcSyncProvConfig
entryUUID: 41df5aca-785a-102d-9077-999999999999
creatorsName: cn=config
createTimestamp: 20090116201111Z
entryCSN: 20090116201111.111111Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20090116201111Z
-------------- next part --------------
loglevel 0
### needed for initial content load ###
sizelimit unlimited
### Multimaster-ServerIDs and URLs ###
${MMR_SERVERIDS_CONFIG}
include ${LDAPDIR}/backend-schema.schema
pidfile ${LDAPDIR}/slapd.pid
argsfile ${LDAPDIR}/slapd.args
sasl-realm ${DNSDOMAIN}
#authz-regexp
# uid=([^,]*),cn=${DNSDOMAIN},cn=digest-md5,cn=auth
# ldap:///${DOMAINDN}??sub?(samAccountName=\$1)
#authz-regexp
# uid=([^,]*),cn=([^,]*),cn=digest-md5,cn=auth
# ldap:///${DOMAINDN}??sub?(samAccountName=\$1)
authz-regexp
uid=([^,]*),cn=([^,]*),cn=digest-md5,cn=auth
ldap:///cn=samba??one?(cn=\$1)
authz-regexp
uid=([^,]*),cn=([^,]*),cn=ntlm,cn=auth
ldap:///cn=samba??one?(cn=\$1)
access to dn.base=""
by dn=cn=samba-admin,cn=samba manage
by anonymous read
by * read
access to dn.subtree="cn=samba"
by anonymous auth
access to dn.subtree="${DOMAINDN}"
by dn=cn=samba-admin,cn=samba manage${REPLICATOR_ACL}
by dn=cn=manager manage
by * none
password-hash {CLEARTEXT}
include ${LDAPDIR}/modules.conf
defaultsearchbase ${DOMAINDN}
rootdn cn=Manager
overlay deref
${REFINT_CONFIG}
${MEMBEROF_CONFIG}
database ldif
suffix cn=Samba
directory ${LDAPDIR}/db/samba
rootdn cn=Manager,cn=Samba
########################################
## olc - configuration ###
${OLC_CONFIG_PASS}
${OLC_SYNCREPL_CONFIG}
${OLC_MMR_CONFIG}
${OLC_CONFIG_ACL}
########################################
### cn=schema ###
database hdb
suffix ${SCHEMADN}
rootdn cn=Manager,${SCHEMADN}
directory ${LDAPDIR}/db/schema
index objectClass eq
index samAccountName eq
index name eq
index objectCategory eq
index lDAPDisplayName eq
index subClassOf eq
index cn eq
index entryUUID,entryCSN eq
#syncprov is stable in OpenLDAP 2.3, and available in 2.2.
#We need this for the contextCSN attribute and mmr.
overlay syncprov
syncprov-sessionlog 100
syncprov-checkpoint 100 10
### Multimaster-Replication of cn=schema Subcontext ###
${MMR_SYNCREPL_SCHEMA_CONFIG}
${MIRRORMODE}
#########################################
### cn=config ###
database hdb
suffix ${CONFIGDN}
rootdn cn=Manager,${CONFIGDN}
directory ${LDAPDIR}/db/config
index objectClass eq
index samAccountName eq
index name eq
index objectSid eq
index objectCategory eq
index nCName eq
index subClassOf eq
index dnsRoot eq
index nETBIOSName eq
index cn eq
index entryUUID,entryCSN eq
#syncprov is stable in OpenLDAP 2.3, and available in 2.2.
#We need this for the contextCSN attribute and mmr.
overlay syncprov
syncprov-sessionlog 100
syncprov-checkpoint 100 10
### Multimaster-Replication of cn=config Subcontext ###
${MMR_SYNCREPL_CONFIG_CONFIG}
${MIRRORMODE}
########################################
### cn=users /base-dn ###
database hdb
suffix ${DOMAINDN}
rootdn cn=Manager,${DOMAINDN}
directory ${LDAPDIR}/db/user
index objectClass eq
index samAccountName eq
index name eq
index objectSid eq
index objectCategory eq
index member eq
index uidNumber eq
index gidNumber eq
index nCName eq
index lDAPDisplayName eq
index subClassOf eq
index dnsRoot eq
index nETBIOSName eq
index cn eq
index entryUUID,entryCSN eq
#syncprov is stable in OpenLDAP 2.3, and available in 2.2.
#We need this for the contextCSN attribute and mmr.
overlay syncprov
syncprov-sessionlog 100
syncprov-checkpoint 100 10
### Multimaster-Replication of cn=user/base-dn context ###
${MMR_SYNCREPL_USER_CONFIG}
${MIRRORMODE}
More information about the samba-technical
mailing list