Fedora DS Support

Endi Sukma Dewata edewata at redhat.com
Fri Sep 4 15:26:10 MDT 2009


----- "Andrew Bartlett" <abartlet at samba.org> wrote:

> The best way might be to provision as directory manager, and bound over
> LDAPI directly remove the SASL mappings before we start, also fix ACI
> once we are done.  We should still have pretty good control over the DS
> (and not be exposed on TCP) at this point - I hope!

Please have a look at the attached patch. It does the following:

1. During instance creation it will import the SASL mapping for
   samba-admin. It's done here because of the schema problem I mentioned
   previously preventing adding the mapping via ldapi.

2. After that it will use ldif2db to import the cn=samba-admin.

3. Then it will start FDS and continue to do provisioning using DM with
   simple bind to as before.

4. The SASL credentials will be stored in secrets.ldb, so when Samba
   server runs later it will use the SASL credentials.

5. The aci attribute has been removed from Samba schema. It no longer
   uses *_fds.ldif files. The ACL is hardcoded in provision.py.

6. After the provisioning is done (just before stopping the slapd)
   it will use the DM over direct ldapi to delete the default SASL
   mappings included automatically by FDS, leaving just the new
   samba-admin mapping.

7. Also before stopping slapd it will use the DM over direct ldapi to
   set the ACL on the root entries of the user, configuration, and
   schema partitions. The ACL will give samba-admin the full access
   to these partitions.

We can also move the step #6 and/or #7 to somewhere earlier in the
process if you prefer.

> The other option might be to work with the Fedora DS team to add an
> option to the fedorads.inf fed to setup-ds.pl to specify the default
> ACL, so that it is possible to start a Fedora DS instance
> locked-down.

Would it be the same if we do it this way? After creating the instance,
we import the entries including the ACL using ldif2db, so when FDS is
started it's already locked-down. The problem is in the current code the
root entries are imported in setup_samdb() whereas instance creation is
done in provision_fds_backend(). If we change the code that way we have
to fix it for OpenLDAP as well. What do you think?

> Thankyou for your persistence with this!

Thanks for your patience. :)

Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sasl2.patch
Type: text/x-patch
Size: 10718 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20090904/b0e9839e/attachment.bin>

More information about the samba-technical mailing list