Fedora DS Support
Endi Sukma Dewata
edewata at redhat.com
Fri Sep 4 15:26:10 MDT 2009
Andrew,
----- "Andrew Bartlett" <abartlet at samba.org> wrote:
> The best way might be to provision as directory manager, and, bound over
> LDAPI directly, remove the SASL mappings before we start, also fix ACI
> once we are done. We should still have pretty good control over the DS
> (and not be exposed on TCP) at this point - I hope!
Please have a look at the attached patch. It does the following:
1. During instance creation it will import the SASL mapping for
samba-admin. It's done here because of the schema problem I mentioned
previously, which prevents adding the mapping via ldapi.
2. After that it will use ldif2db to import the cn=samba-admin.
3. Then it will start FDS and continue to do provisioning using DM with
simple bind as before.
4. The SASL credentials will be stored in secrets.ldb, so when Samba
server runs later it will use the SASL credentials.
5. The aci attribute has been removed from Samba schema. It no longer
uses *_fds.ldif files. The ACL is hardcoded in provision.py.
6. After the provisioning is done (just before stopping the slapd)
it will use the DM over direct ldapi to delete the default SASL
mappings included automatically by FDS, leaving just the new
samba-admin mapping.
7. Also before stopping slapd it will use the DM over direct ldapi to
set the ACL on the root entries of the user, configuration, and
schema partitions. The ACL will give samba-admin the full access
to these partitions.
We can also move the step #6 and/or #7 to somewhere earlier in the
process if you prefer.
> The other option might be to work with the Fedora DS team to add an
> option to the fedorads.inf fed to setup-ds.pl to specify the default
> ACL, so that it is possible to start a Fedora DS instance
> locked-down.
Would it be the same if we do it this way? After creating the instance,
we import the entries including the ACL using ldif2db, so when FDS is
started it's already locked-down. The problem is that in the current code the
root entries are imported in setup_samdb() whereas instance creation is
done in provision_fds_backend(). If we change the code that way we have
to fix it for OpenLDAP as well. What do you think?
> Thank you for your persistence with this!
Thanks for your patience. :)
--
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sasl2.patch
Type: text/x-patch
Size: 10718 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20090904/b0e9839e/attachment.bin>
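What steps 1, 6 and 7 of the message look like as LDIF applied by Directory Manager over LDAPI, written as an added illustration for this archive page; it is not the attached sasl2.patch and not Samba's provision.py. The domain DN (DC=samba,DC=example,DC=com), the location of the cn=samba-admin entry directly under it, the slapd socket path, the Directory Manager password file, and the names of the stock FDS SASL mappings in the sample input are all assumptions, not values taken from the thread; the 389/Fedora DS attribute names (nsSaslMapping, nsSaslMapRegexString, nsSaslMapBaseDNTemplate, nsSaslMapFilterTemplate, the aci syntax) are the server's own. Rather than hardcode the stock mapping names, the deletion step reads whatever mappings the server currently has and keeps only samba-admin, which is the property step 6 actually wants.

```shell
#!/bin/sh
# Added example, not from the original message or from Samba/FDS code.
# Generates the LDIF for steps 1, 6 and 7 of the provisioning sequence
# and applies it as Directory Manager over LDAPI (simple bind, no TCP).
# All paths and DNs below are placeholders (assumptions).

DOMAIN_DN="${DOMAIN_DN:-DC=samba,DC=example,DC=com}"        # assumed
SOCKET_PATH="${SOCKET_PATH:-/var/run/slapd-samba.socket}"   # assumed
DM_PWFILE="${DM_PWFILE:-/etc/samba/private/dm.pw}"         # assumed
MAPPING_BASE="cn=mapping,cn=sasl,cn=config"
SAMBA_ADMIN_MAPPING_DN="cn=samba-admin,$MAPPING_BASE"
# ldapi:// URLs carry the socket path with slashes percent-encoded.
LDAPI_URL="ldapi://$(printf '%s' "$SOCKET_PATH" | sed 's,/,%2F,g')"

# Step 1: SASL mapping that binds the SASL identity "samba-admin" to the
# cn=samba-admin entry (assumed to sit directly under the domain DN).
samba_admin_mapping_ldif() {
    cat <<EOF
dn: $SAMBA_ADMIN_MAPPING_DN
objectClass: top
objectClass: nsSaslMapping
cn: samba-admin
nsSaslMapRegexString: ^samba-admin\$
nsSaslMapBaseDNTemplate: cn=samba-admin,$DOMAIN_DN
nsSaslMapFilterTemplate: (objectClass=*)
EOF
}

# Step 6: delete every SASL mapping except samba-admin. Reads the DNs of
# the existing mappings on stdin (one "dn: ..." line each, as ldapsearch
# -LLL prints them) so nothing but our mapping survives, whatever the
# stock set happens to be.
delete_other_mappings_ldif() {
    while IFS= read -r line; do
        case "$line" in
            "dn: $SAMBA_ADMIN_MAPPING_DN") ;;                # keep ours
            "dn: "*",$MAPPING_BASE")
                printf '%s\nchangetype: delete\n\n' "$line" ;;
        esac
    done
}

# Lists the current mapping DNs from the server (pipe into the above).
list_mapping_dns() {
    ldapsearch -x -LLL -H "$LDAPI_URL" -D "cn=Directory Manager" \
        -y "$DM_PWFILE" -b "$MAPPING_BASE" -s one \
        '(objectClass=nsSaslMapping)' dn
}

# Step 7: give samba-admin full access on the root entry of each of the
# three partitions Samba provisions (domain, configuration, schema).
partition_aci_ldif() {
    admin="cn=samba-admin,$DOMAIN_DN"
    for dn in "$DOMAIN_DN" "CN=Configuration,$DOMAIN_DN" \
              "CN=Schema,CN=Configuration,$DOMAIN_DN"; do
        cat <<EOF
dn: $dn
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "samba-admin full access"; allow (all) userdn="ldap:///$admin";)

EOF
    done
}

# Applies an LDIF stream from stdin as Directory Manager over LDAPI.
apply_over_ldapi() {
    ldapmodify -x -H "$LDAPI_URL" -D "cn=Directory Manager" -y "$DM_PWFILE"
}

# Constructed sample of what list_mapping_dns would print on a stock
# instance plus our mapping (names assumed, not captured from a server).
SAMPLE_MAPPING_DNS="dn: cn=Kerberos uid mapping,cn=mapping,cn=sasl,cn=config
dn: cn=rfc 2829 dn syntax,cn=mapping,cn=sasl,cn=config
dn: cn=rfc 2829 u syntax,cn=mapping,cn=sasl,cn=config
dn: cn=uid mapping,cn=mapping,cn=sasl,cn=config
dn: cn=samba-admin,cn=mapping,cn=sasl,cn=config"

# Dry run: print the generated LDIF without touching a server. Against a
# live instance:  list_mapping_dns | delete_other_mappings_ldif | apply_over_ldapi
#                 partition_aci_ldif | apply_over_ldapi
samba_admin_mapping_ldif; echo
printf '%s\n' "$SAMPLE_MAPPING_DNS" | delete_other_mappings_ldif
partition_aci_ldif
```

The step 1 mapping is the one piece that still has to be imported at instance-creation time, as the message explains; steps 6 and 7 run against the live server while it is still reachable only over the socket, so the window in which the stock mappings exist is never exposed on TCP.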