sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-25 06:04:04 +03:00
Code
samba-mirror/source4/setup/slapd.conf

144 lines
3.1 KiB
Plaintext
Raw Normal View History

r23177: Add in a new provision-backend script. This helps set up the OpenLDAP or Fedora DS backend. This required a new mkdir() call in ejs. We can now provision just the schema for ad2oLschema to operate on (with provision_schema(), without performing the whole provision, just to wipe it again (adjustments to 'make test' to come soon). Andrew Bartlett (This used to be commit 01d54d13dc66ef2127ac52c64ede53d0790738ec)
2007-05-29 01:20:47 +00:00
loglevel 0
Use DIGEST-MD5 authentication for OpenLDAP replication This avoids passing rootdn passwords or replicated data in cleartext across the network. Signed-of-by: Andrew Bartlett <abartlet@samba.org> (This used to be commit 67373c143a1d8a9f310fd116dbf81c1dd123b75f)
2008-09-08 14:39:54 +10:00
### needed for initial content load ###
sizelimit unlimited
Generate Multi-Master Replication configuration for OpenLDAP This patches provision-backend and the related scripts to generate the correct configuration blobs for N-way multi-master replication using OpenLDAP. Signed-off-by: Andrew Bartlett <abartlet@samba.org> (This used to be commit 6ed0b3f2475022288f636605492ca27fde97cd52)
2008-08-19 12:03:04 +10:00
### Multimaster-ServerIDs and URLs ###
${MMR_SERVERIDS_CONFIG}
r23177: Add in a new provision-backend script. This helps set up the OpenLDAP or Fedora DS backend. This required a new mkdir() call in ejs. We can now provision just the schema for ad2oLschema to operate on (with provision_schema(), without performing the whole provision, just to wipe it again (adjustments to 'make test' to come soon). Andrew Bartlett (This used to be commit 01d54d13dc66ef2127ac52c64ede53d0790738ec)
2007-05-29 01:20:47 +00:00
include ${LDAPDIR}/backend-schema.schema
pidfile ${LDAPDIR}/slapd.pid
argsfile ${LDAPDIR}/slapd.args
sasl-realm ${DNSDOMAIN}
Connect to the LDAP backend with SASL credentials. This reworks our LDAP backend code to move from anonymous access to a shared-secret SASL-protected connection. (SASL selects NTLM or DIGEST-MD5 on my system). To get this working, we must pre-populate the LDAP backend with a DN to store ths SASL secret on, and we use back-ldif for this. This gives us a reasonable basis to deploy a replicated OpenLDAP backend solution. Andrew Bartlett (This used to be commit cd0745253c4a9ec59a035e830e54d74a05b71aaa)
2008-07-15 15:15:12 +10:00
#authz-regexp
# uid=([^,]*),cn=${DNSDOMAIN},cn=digest-md5,cn=auth
# ldap:///${DOMAINDN}??sub?(samAccountName=\$1)
r23177: Add in a new provision-backend script. This helps set up the OpenLDAP or Fedora DS backend. This required a new mkdir() call in ejs. We can now provision just the schema for ad2oLschema to operate on (with provision_schema(), without performing the whole provision, just to wipe it again (adjustments to 'make test' to come soon). Andrew Bartlett (This used to be commit 01d54d13dc66ef2127ac52c64ede53d0790738ec)
2007-05-29 01:20:47 +00:00
Connect to the LDAP backend with SASL credentials. This reworks our LDAP backend code to move from anonymous access to a shared-secret SASL-protected connection. (SASL selects NTLM or DIGEST-MD5 on my system). To get this working, we must pre-populate the LDAP backend with a DN to store ths SASL secret on, and we use back-ldif for this. This gives us a reasonable basis to deploy a replicated OpenLDAP backend solution. Andrew Bartlett (This used to be commit cd0745253c4a9ec59a035e830e54d74a05b71aaa)
2008-07-15 15:15:12 +10:00
#authz-regexp
# uid=([^,]*),cn=([^,]*),cn=digest-md5,cn=auth
# ldap:///${DOMAINDN}??sub?(samAccountName=\$1)
r23177: Add in a new provision-backend script. This helps set up the OpenLDAP or Fedora DS backend. This required a new mkdir() call in ejs. We can now provision just the schema for ad2oLschema to operate on (with provision_schema(), without performing the whole provision, just to wipe it again (adjustments to 'make test' to come soon). Andrew Bartlett (This used to be commit 01d54d13dc66ef2127ac52c64ede53d0790738ec)
2007-05-29 01:20:47 +00:00
authz-regexp
uid=([^,]*),cn=([^,]*),cn=digest-md5,cn=auth
Connect to the LDAP backend with SASL credentials. This reworks our LDAP backend code to move from anonymous access to a shared-secret SASL-protected connection. (SASL selects NTLM or DIGEST-MD5 on my system). To get this working, we must pre-populate the LDAP backend with a DN to store ths SASL secret on, and we use back-ldif for this. This gives us a reasonable basis to deploy a replicated OpenLDAP backend solution. Andrew Bartlett (This used to be commit cd0745253c4a9ec59a035e830e54d74a05b71aaa)
2008-07-15 15:15:12 +10:00
ldap:///cn=samba??one?(cn=\$1)
authz-regexp
uid=([^,]*),cn=([^,]*),cn=ntlm,cn=auth
ldap:///cn=samba??one?(cn=\$1)
access to dn.base=""
by dn=cn=samba-admin,cn=samba manage
by anonymous read
by * read
access to dn.subtree="cn=samba"
by anonymous auth
access to dn.subtree="${DOMAINDN}"
Use DIGEST-MD5 authentication for OpenLDAP replication This avoids passing rootdn passwords or replicated data in cleartext across the network. Signed-of-by: Andrew Bartlett <abartlet@samba.org> (This used to be commit 67373c143a1d8a9f310fd116dbf81c1dd123b75f)
2008-09-08 14:39:54 +10:00
by dn=cn=samba-admin,cn=samba manage${REPLICATOR_ACL}
Make invalid 'member' detection work again. This defines a rootdn globally, and due to OpenLDAP bugs, gives it manage access to the whole database. This makes the memberOf module able to validate the links again, now we have database ACLs. Andrew Bartlett (This used to be commit 9fe3e9f09f89fd92f8a16768e53391ff5f8489ec)
2008-07-21 09:36:24 +10:00
by dn=cn=manager manage
Lock down the LDAP backend - only samba may read or write (This used to be commit a3912801fb25f715725c06402d4bdff9a926f15d)
2008-07-15 22:07:45 +10:00
by * none
Connect to the LDAP backend with SASL credentials. This reworks our LDAP backend code to move from anonymous access to a shared-secret SASL-protected connection. (SASL selects NTLM or DIGEST-MD5 on my system). To get this working, we must pre-populate the LDAP backend with a DN to store ths SASL secret on, and we use back-ldif for this. This gives us a reasonable basis to deploy a replicated OpenLDAP backend solution. Andrew Bartlett (This used to be commit cd0745253c4a9ec59a035e830e54d74a05b71aaa)
2008-07-15 15:15:12 +10:00
password-hash {CLEARTEXT}
r23177: Add in a new provision-backend script. This helps set up the OpenLDAP or Fedora DS backend. This required a new mkdir() call in ejs. We can now provision just the schema for ad2oLschema to operate on (with provision_schema(), without performing the whole provision, just to wipe it again (adjustments to 'make test' to come soon). Andrew Bartlett (This used to be commit 01d54d13dc66ef2127ac52c64ede53d0790738ec)
2007-05-29 01:20:47 +00:00
r23189: Work towards a totally scripted setup of LDAP backends, so others can easily try this out. I also intend to use this for the selftest, but I'm chasing issues with the OpenlDAP (but not Fedora DS) backend. Andrew Bartlett (This used to be commit 0f457b1d2e20c36ab220b4a6711ce7930c4c7d21)
2007-05-29 12:18:41 +00:00
defaultsearchbase ${DOMAINDN}
r23177: Add in a new provision-backend script. This helps set up the OpenLDAP or Fedora DS backend. This required a new mkdir() call in ejs. We can now provision just the schema for ad2oLschema to operate on (with provision_schema(), without performing the whole provision, just to wipe it again (adjustments to 'make test' to come soon). Andrew Bartlett (This used to be commit 01d54d13dc66ef2127ac52c64ede53d0790738ec)
2007-05-29 01:20:47 +00:00
Make invalid 'member' detection work again. This defines a rootdn globally, and due to OpenLDAP bugs, gives it manage access to the whole database. This makes the memberOf module able to validate the links again, now we have database ACLs. Andrew Bartlett (This used to be commit 9fe3e9f09f89fd92f8a16768e53391ff5f8489ec)
2008-07-21 09:36:24 +10:00
rootdn cn=Manager
s4:provision Make OpenLDAP backend more robust With the extra moduleload lines (which succeed if it's already staticly linked), we now work with OpenLDAP overlays as modules. Andrew Bartlett
2010-04-22 17:20:21 +10:00
moduleload rdnval
moduleload deref
s4:provision: use extended_dn_out_ldb or extended_dn_out_dereference depending on the backend This just changes the existing stratagy of loading different modules for the OpenLDAP backend to also include extended_dn_out_* When we provision the OpenLDAP backend, we make sure to include the 'deref' overlay (which must be made available by the OpenLDAP build) Signed-off-by: Stefan Metzmacher <metze@samba.org>
2008-12-16 09:18:21 +01:00
overlay deref
s4:provision Make OpenLDAP backend more robust With the extra moduleload lines (which succeed if it's already staticly linked), we now work with OpenLDAP overlays as modules. Andrew Bartlett
2010-04-22 17:20:21 +10:00
moduleload refint
Make a seperate template for the refint configuration too (This used to be commit d2a527acc5ee6fe9b943657dc9c3ace920b2d619)
2008-07-18 18:58:56 +10:00
${REFINT_CONFIG}
s4:provision Make OpenLDAP backend more robust With the extra moduleload lines (which succeed if it's already staticly linked), we now work with OpenLDAP overlays as modules. Andrew Bartlett
2010-04-22 17:20:21 +10:00
moduleload memberof
Rework memberof handling in slapd.conf (used for OpenLDAP backend) Instead of using an include file, put the generated configurationd directly into slapd.conf. Andrew Bartlett (This used to be commit 95ac786136aebfe5ededeb3fb81cbd4e296e3988)
2008-03-15 19:03:04 +11:00
${MEMBEROF_CONFIG}
r26636: Remove useless 'backend' parameter, and make the memberof overlay use global. Andrew Bartlett (This used to be commit 3b6f461e9a1b0fee7a589b8d171f4fcec6340ca4)
2008-01-01 04:01:07 -06:00
s4:provision Make OpenLDAP backend more robust With the extra moduleload lines (which succeed if it's already staticly linked), we now work with OpenLDAP overlays as modules. Andrew Bartlett
2010-04-22 17:20:21 +10:00
moduleload syncprov
Connect to the LDAP backend with SASL credentials. This reworks our LDAP backend code to move from anonymous access to a shared-secret SASL-protected connection. (SASL selects NTLM or DIGEST-MD5 on my system). To get this working, we must pre-populate the LDAP backend with a DN to store ths SASL secret on, and we use back-ldif for this. This gives us a reasonable basis to deploy a replicated OpenLDAP backend solution. Andrew Bartlett (This used to be commit cd0745253c4a9ec59a035e830e54d74a05b71aaa)
2008-07-15 15:15:12 +10:00
database ldif
suffix cn=Samba
directory ${LDAPDIR}/db/samba
Make invalid 'member' detection work again. This defines a rootdn globally, and due to OpenLDAP bugs, gives it manage access to the whole database. This makes the memberOf module able to validate the links again, now we have database ACLs. Andrew Bartlett (This used to be commit 9fe3e9f09f89fd92f8a16768e53391ff5f8489ec)
2008-07-21 09:36:24 +10:00
rootdn cn=Manager,cn=Samba
Connect to the LDAP backend with SASL credentials. This reworks our LDAP backend code to move from anonymous access to a shared-secret SASL-protected connection. (SASL selects NTLM or DIGEST-MD5 on my system). To get this working, we must pre-populate the LDAP backend with a DN to store ths SASL secret on, and we use back-ldif for this. This gives us a reasonable basis to deploy a replicated OpenLDAP backend solution. Andrew Bartlett (This used to be commit cd0745253c4a9ec59a035e830e54d74a05b71aaa)
2008-07-15 15:15:12 +10:00
Added mmr and olc to the OpenLDAP backend provisioning-scripts These extensions add mmr (multi-master-replication) and olc (openldap-online-configuration) capabilities to the provisioning-scripts (provision-backend and provision.py), for use with the openldap-backend (only versions >=2.4.15!). Changes / additions made to the provision-backend -script: added new command-line-options: --ol-mmr-urls=<list of whitespace separated ldap-urls> for use with mmr (can be combined with --ol-olc=yes), --ol-olc=[yes/no] (activate automatic conversion from static slapd.conf to olc), --ol-slaptest=<path to slaptest binary> (needed in conjunction with --ol-olc=yes) Changes / additions made to the provision.py -script: added extensions, that will automatically generate the chosen mmr and/or olc setup for the openldap backend, according to the to chosen parameters set in the provision-backend script Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2009-02-24 11:37:58 +11:00
########################################
## olc - configuration ###
s4:provision Rework provision-backend into provision This removes a *lot* of duplicated code and the cause of much administrator frustration. We now handle starting and stopping the slapd (at least for the provision), and ensure that there is only one 'right' way to configure the OpenLDAP and Fedora DS backend We now run OpenLDAP in 'cn=config' mode for online configuration. To test what was the provision-backend code, a new --ldap-dryrun-mode option has been added to provision. It quits the provision just before it would start the LDAP binaries Andrew Bartlett
2009-08-13 17:01:27 +10:00
database config
rootdn cn=config
Added mmr and olc to the OpenLDAP backend provisioning-scripts These extensions add mmr (multi-master-replication) and olc (openldap-online-configuration) capabilities to the provisioning-scripts (provision-backend and provision.py), for use with the openldap-backend (only versions >=2.4.15!). Changes / additions made to the provision-backend -script: added new command-line-options: --ol-mmr-urls=<list of whitespace separated ldap-urls> for use with mmr (can be combined with --ol-olc=yes), --ol-olc=[yes/no] (activate automatic conversion from static slapd.conf to olc), --ol-slaptest=<path to slaptest binary> (needed in conjunction with --ol-olc=yes) Changes / additions made to the provision.py -script: added extensions, that will automatically generate the chosen mmr and/or olc setup for the openldap backend, according to the to chosen parameters set in the provision-backend script Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2009-02-24 11:37:58 +11:00
${OLC_SYNCREPL_CONFIG}
${OLC_MMR_CONFIG}
s4:provision Rework provision-backend into provision This removes a *lot* of duplicated code and the cause of much administrator frustration. We now handle starting and stopping the slapd (at least for the provision), and ensure that there is only one 'right' way to configure the OpenLDAP and Fedora DS backend We now run OpenLDAP in 'cn=config' mode for online configuration. To test what was the provision-backend code, a new --ldap-dryrun-mode option has been added to provision. It quits the provision just before it would start the LDAP binaries Andrew Bartlett
2009-08-13 17:01:27 +10:00
access to dn.sub="cn=config"
by dn="cn=samba-admin,cn=samba" write
by dn="cn=replicator,cn=samba" read
Added mmr and olc to the OpenLDAP backend provisioning-scripts These extensions add mmr (multi-master-replication) and olc (openldap-online-configuration) capabilities to the provisioning-scripts (provision-backend and provision.py), for use with the openldap-backend (only versions >=2.4.15!). Changes / additions made to the provision-backend -script: added new command-line-options: --ol-mmr-urls=<list of whitespace separated ldap-urls> for use with mmr (can be combined with --ol-olc=yes), --ol-olc=[yes/no] (activate automatic conversion from static slapd.conf to olc), --ol-slaptest=<path to slaptest binary> (needed in conjunction with --ol-olc=yes) Changes / additions made to the provision.py -script: added extensions, that will automatically generate the chosen mmr and/or olc setup for the openldap backend, according to the to chosen parameters set in the provision-backend script Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2009-02-24 11:37:58 +11:00
Generate Multi-Master Replication configuration for OpenLDAP This patches provision-backend and the related scripts to generate the correct configuration blobs for N-way multi-master replication using OpenLDAP. Signed-off-by: Andrew Bartlett <abartlet@samba.org> (This used to be commit 6ed0b3f2475022288f636605492ca27fde97cd52)
2008-08-19 12:03:04 +10:00
########################################
### cn=schema ###
r26424: Patch and hits from Howard Chu <hyc@symas.com> for our automated setup of OpenLDAP. This makes it consistant with the Fedora DS setup, and doesn't mix both hdb and bdb. Andrew Bartlett (This used to be commit 1ffada95d269c8f7d054bec7f6eaff8449995d40)
2007-12-13 09:46:41 +01:00
database hdb
r23189: Work towards a totally scripted setup of LDAP backends, so others can easily try this out. I also intend to use this for the selftest, but I'm chasing issues with the OpenlDAP (but not Fedora DS) backend. Andrew Bartlett (This used to be commit 0f457b1d2e20c36ab220b4a6711ce7930c4c7d21)
2007-05-29 12:18:41 +00:00
suffix ${SCHEMADN}
Put the memberof template into a seperate setup/ file. Set a memberof-dn in a fruitless attempt to fix the ACL problem I'm having with OpenLDAP Andrew Bartlett (This used to be commit 6d6e03834a1a77a8ceba41fbe8c9d49680065ba3)
2008-07-18 18:44:07 +10:00
rootdn cn=Manager,${SCHEMADN}
r23177: Add in a new provision-backend script. This helps set up the OpenLDAP or Fedora DS backend. This required a new mkdir() call in ejs. We can now provision just the schema for ad2oLschema to operate on (with provision_schema(), without performing the whole provision, just to wipe it again (adjustments to 'make test' to come soon). Andrew Bartlett (This used to be commit 01d54d13dc66ef2127ac52c64ede53d0790738ec)
2007-05-29 01:20:47 +00:00
directory ${LDAPDIR}/db/schema
s4:provision Rework and further automate setup of OpenLDAP backend heres the summary of all changes/extensions: - Andrew Bartlett's patch to generate indext - Howard Chu's idea to use nosync on the DB included, but made optional - slaptest-path is not needed any more (slapd -Ttest is used instead) and is therefore removed. slapd-path is now recommended when openldap-backend is chosen. its also used for olc-conversion - slapd-detection is now always done by ldapsearch (ldb module), looking anonymous for objectClass: OpenLDAProotDSE via our ldapi_uri. - if ldapsearch was not successfull, (no slapd listening on our socket) slapd is started via special generated slapdcommand_prov (ldapi_uri only) - slapd-"provision-process" startup is done via pythons subprocess. - the slapd-provision-pid is stored under paths.ldapdir/slapd_provision_pid. - after provision-backend is finished: --- slapd.pid is compared with our stored slapd_provision_pid. if the are unique, slapd.pid will be read out, and the slapd "provison"-process will be shut down. --- proper slapd-shutdown is verified again with ldb-search -> ldapi_uri -> rootDSE. --- if the pids are different or one of the pid-files is missing, slapd will not be shut down, instead an error message is displayed to locate slapd manually --- extended help-messages (relevant to slapd) are always displayed, e.g. the commandline with which slapd has to be started when everythings finished (slapd-commandline is stored under paths.ldapdir/slapd_command_file.txt)) - upgraded the content of the mini-howto (howto-ol-backend-s4.txt)
2009-08-10 09:45:01 +10:00
${NOSYNC}
${INDEX_CONFIG}
r23177: Add in a new provision-backend script. This helps set up the OpenLDAP or Fedora DS backend. This required a new mkdir() call in ejs. We can now provision just the schema for ad2oLschema to operate on (with provision_schema(), without performing the whole provision, just to wipe it again (adjustments to 'make test' to come soon). Andrew Bartlett (This used to be commit 01d54d13dc66ef2127ac52c64ede53d0790738ec)
2007-05-29 01:20:47 +00:00
Use syncrepl on all OpenLDAP databases (creates contextCSN attribute) This module needs to be loaded on each database, not just the main partition. We use it to create the usn for the entries. Andrew Bartlett (This used to be commit ffb12aad8a80bb90d66dc66baba81b856622a6bb)
2008-01-18 13:28:52 +11:00
#syncprov is stable in OpenLDAP 2.3, and available in 2.2.
Added mmr and olc to the OpenLDAP backend provisioning-scripts These extensions add mmr (multi-master-replication) and olc (openldap-online-configuration) capabilities to the provisioning-scripts (provision-backend and provision.py), for use with the openldap-backend (only versions >=2.4.15!). Changes / additions made to the provision-backend -script: added new command-line-options: --ol-mmr-urls=<list of whitespace separated ldap-urls> for use with mmr (can be combined with --ol-olc=yes), --ol-olc=[yes/no] (activate automatic conversion from static slapd.conf to olc), --ol-slaptest=<path to slaptest binary> (needed in conjunction with --ol-olc=yes) Changes / additions made to the provision.py -script: added extensions, that will automatically generate the chosen mmr and/or olc setup for the openldap backend, according to the to chosen parameters set in the provision-backend script Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2009-02-24 11:37:58 +11:00
#We need this for the contextCSN attribute and mmr.
Use syncrepl on all OpenLDAP databases (creates contextCSN attribute) This module needs to be loaded on each database, not just the main partition. We use it to create the usn for the entries. Andrew Bartlett (This used to be commit ffb12aad8a80bb90d66dc66baba81b856622a6bb)
2008-01-18 13:28:52 +11:00
overlay syncprov
syncprov-sessionlog 100
Added mmr and olc to the OpenLDAP backend provisioning-scripts These extensions add mmr (multi-master-replication) and olc (openldap-online-configuration) capabilities to the provisioning-scripts (provision-backend and provision.py), for use with the openldap-backend (only versions >=2.4.15!). Changes / additions made to the provision-backend -script: added new command-line-options: --ol-mmr-urls=<list of whitespace separated ldap-urls> for use with mmr (can be combined with --ol-olc=yes), --ol-olc=[yes/no] (activate automatic conversion from static slapd.conf to olc), --ol-slaptest=<path to slaptest binary> (needed in conjunction with --ol-olc=yes) Changes / additions made to the provision.py -script: added extensions, that will automatically generate the chosen mmr and/or olc setup for the openldap backend, according to the to chosen parameters set in the provision-backend script Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2009-02-24 11:37:58 +11:00
syncprov-checkpoint 100 10
Use syncrepl on all OpenLDAP databases (creates contextCSN attribute) This module needs to be loaded on each database, not just the main partition. We use it to create the usn for the entries. Andrew Bartlett (This used to be commit ffb12aad8a80bb90d66dc66baba81b856622a6bb)
2008-01-18 13:28:52 +11:00
s4:provision Make OpenLDAP backend more robust With the extra moduleload lines (which succeed if it's already staticly linked), we now work with OpenLDAP overlays as modules. Andrew Bartlett
2010-04-22 17:20:21 +10:00
overlay rdnval
Generate Multi-Master Replication configuration for OpenLDAP This patches provision-backend and the related scripts to generate the correct configuration blobs for N-way multi-master replication using OpenLDAP. Signed-off-by: Andrew Bartlett <abartlet@samba.org> (This used to be commit 6ed0b3f2475022288f636605492ca27fde97cd52)
2008-08-19 12:03:04 +10:00
### Multimaster-Replication of cn=schema Subcontext ###
${MMR_SYNCREPL_SCHEMA_CONFIG}
${MIRRORMODE}
#########################################
### cn=config ###
r25450: Make it easier to test with a particular version of OpenLDAP, by setting OPENLDAP_PATH, move to using hdb as the backend (allows subtree renames), and re-enable the --quiet option. Andrew Bartlett (This used to be commit a186a0fa68cdcfb3abd430534657e5e278a5ebda)
2007-10-01 21:07:07 +00:00
database hdb
r23189: Work towards a totally scripted setup of LDAP backends, so others can easily try this out. I also intend to use this for the selftest, but I'm chasing issues with the OpenlDAP (but not Fedora DS) backend. Andrew Bartlett (This used to be commit 0f457b1d2e20c36ab220b4a6711ce7930c4c7d21)
2007-05-29 12:18:41 +00:00
suffix ${CONFIGDN}
Put the memberof template into a seperate setup/ file. Set a memberof-dn in a fruitless attempt to fix the ACL problem I'm having with OpenLDAP Andrew Bartlett (This used to be commit 6d6e03834a1a77a8ceba41fbe8c9d49680065ba3)
2008-07-18 18:44:07 +10:00
rootdn cn=Manager,${CONFIGDN}
r23177: Add in a new provision-backend script. This helps set up the OpenLDAP or Fedora DS backend. This required a new mkdir() call in ejs. We can now provision just the schema for ad2oLschema to operate on (with provision_schema(), without performing the whole provision, just to wipe it again (adjustments to 'make test' to come soon). Andrew Bartlett (This used to be commit 01d54d13dc66ef2127ac52c64ede53d0790738ec)
2007-05-29 01:20:47 +00:00
directory ${LDAPDIR}/db/config
s4:provision Rework and further automate setup of OpenLDAP backend heres the summary of all changes/extensions: - Andrew Bartlett's patch to generate indext - Howard Chu's idea to use nosync on the DB included, but made optional - slaptest-path is not needed any more (slapd -Ttest is used instead) and is therefore removed. slapd-path is now recommended when openldap-backend is chosen. its also used for olc-conversion - slapd-detection is now always done by ldapsearch (ldb module), looking anonymous for objectClass: OpenLDAProotDSE via our ldapi_uri. - if ldapsearch was not successfull, (no slapd listening on our socket) slapd is started via special generated slapdcommand_prov (ldapi_uri only) - slapd-"provision-process" startup is done via pythons subprocess. - the slapd-provision-pid is stored under paths.ldapdir/slapd_provision_pid. - after provision-backend is finished: --- slapd.pid is compared with our stored slapd_provision_pid. if the are unique, slapd.pid will be read out, and the slapd "provison"-process will be shut down. --- proper slapd-shutdown is verified again with ldb-search -> ldapi_uri -> rootDSE. --- if the pids are different or one of the pid-files is missing, slapd will not be shut down, instead an error message is displayed to locate slapd manually --- extended help-messages (relevant to slapd) are always displayed, e.g. the commandline with which slapd has to be started when everythings finished (slapd-commandline is stored under paths.ldapdir/slapd_command_file.txt)) - upgraded the content of the mini-howto (howto-ol-backend-s4.txt)
2009-08-10 09:45:01 +10:00
${NOSYNC}
${INDEX_CONFIG}
r23177: Add in a new provision-backend script. This helps set up the OpenLDAP or Fedora DS backend. This required a new mkdir() call in ejs. We can now provision just the schema for ad2oLschema to operate on (with provision_schema(), without performing the whole provision, just to wipe it again (adjustments to 'make test' to come soon). Andrew Bartlett (This used to be commit 01d54d13dc66ef2127ac52c64ede53d0790738ec)
2007-05-29 01:20:47 +00:00
Use syncrepl on all OpenLDAP databases (creates contextCSN attribute) This module needs to be loaded on each database, not just the main partition. We use it to create the usn for the entries. Andrew Bartlett (This used to be commit ffb12aad8a80bb90d66dc66baba81b856622a6bb)
2008-01-18 13:28:52 +11:00
#syncprov is stable in OpenLDAP 2.3, and available in 2.2.
Added mmr and olc to the OpenLDAP backend provisioning-scripts These extensions add mmr (multi-master-replication) and olc (openldap-online-configuration) capabilities to the provisioning-scripts (provision-backend and provision.py), for use with the openldap-backend (only versions >=2.4.15!). Changes / additions made to the provision-backend -script: added new command-line-options: --ol-mmr-urls=<list of whitespace separated ldap-urls> for use with mmr (can be combined with --ol-olc=yes), --ol-olc=[yes/no] (activate automatic conversion from static slapd.conf to olc), --ol-slaptest=<path to slaptest binary> (needed in conjunction with --ol-olc=yes) Changes / additions made to the provision.py -script: added extensions, that will automatically generate the chosen mmr and/or olc setup for the openldap backend, according to the to chosen parameters set in the provision-backend script Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2009-02-24 11:37:58 +11:00
#We need this for the contextCSN attribute and mmr.
Use syncrepl on all OpenLDAP databases (creates contextCSN attribute) This module needs to be loaded on each database, not just the main partition. We use it to create the usn for the entries. Andrew Bartlett (This used to be commit ffb12aad8a80bb90d66dc66baba81b856622a6bb)
2008-01-18 13:28:52 +11:00
overlay syncprov
syncprov-sessionlog 100
Added mmr and olc to the OpenLDAP backend provisioning-scripts These extensions add mmr (multi-master-replication) and olc (openldap-online-configuration) capabilities to the provisioning-scripts (provision-backend and provision.py), for use with the openldap-backend (only versions >=2.4.15!). Changes / additions made to the provision-backend -script: added new command-line-options: --ol-mmr-urls=<list of whitespace separated ldap-urls> for use with mmr (can be combined with --ol-olc=yes), --ol-olc=[yes/no] (activate automatic conversion from static slapd.conf to olc), --ol-slaptest=<path to slaptest binary> (needed in conjunction with --ol-olc=yes) Changes / additions made to the provision.py -script: added extensions, that will automatically generate the chosen mmr and/or olc setup for the openldap backend, according to the to chosen parameters set in the provision-backend script Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2009-02-24 11:37:58 +11:00
syncprov-checkpoint 100 10
s4:provision Make OpenLDAP backend more robust With the extra moduleload lines (which succeed if it's already staticly linked), we now work with OpenLDAP overlays as modules. Andrew Bartlett
2010-04-22 17:20:21 +10:00
s4:OpenLDAP-backend Use the new rdnval module in OpenLDAP This is rather than rdn_name, which tries to do the job on the client side. We need to leave this module in the stack for Fedora DS (and of course the LDB backend). Andrew Bartlett
2010-04-20 15:35:51 +10:00
overlay rdnval
Generate Multi-Master Replication configuration for OpenLDAP This patches provision-backend and the related scripts to generate the correct configuration blobs for N-way multi-master replication using OpenLDAP. Signed-off-by: Andrew Bartlett <abartlet@samba.org> (This used to be commit 6ed0b3f2475022288f636605492ca27fde97cd52)
2008-08-19 12:03:04 +10:00
### Multimaster-Replication of cn=config Subcontext ###
${MMR_SYNCREPL_CONFIG_CONFIG}
${MIRRORMODE}
Use syncrepl on all OpenLDAP databases (creates contextCSN attribute) This module needs to be loaded on each database, not just the main partition. We use it to create the usn for the entries. Andrew Bartlett (This used to be commit ffb12aad8a80bb90d66dc66baba81b856622a6bb)
2008-01-18 13:28:52 +11:00
Generate Multi-Master Replication configuration for OpenLDAP This patches provision-backend and the related scripts to generate the correct configuration blobs for N-way multi-master replication using OpenLDAP. Signed-off-by: Andrew Bartlett <abartlet@samba.org> (This used to be commit 6ed0b3f2475022288f636605492ca27fde97cd52)
2008-08-19 12:03:04 +10:00
########################################
### cn=users /base-dn ###
r25450: Make it easier to test with a particular version of OpenLDAP, by setting OPENLDAP_PATH, move to using hdb as the backend (allows subtree renames), and re-enable the --quiet option. Andrew Bartlett (This used to be commit a186a0fa68cdcfb3abd430534657e5e278a5ebda)
2007-10-01 21:07:07 +00:00
database hdb
r23189: Work towards a totally scripted setup of LDAP backends, so others can easily try this out. I also intend to use this for the selftest, but I'm chasing issues with the OpenlDAP (but not Fedora DS) backend. Andrew Bartlett (This used to be commit 0f457b1d2e20c36ab220b4a6711ce7930c4c7d21)
2007-05-29 12:18:41 +00:00
suffix ${DOMAINDN}
Put the memberof template into a seperate setup/ file. Set a memberof-dn in a fruitless attempt to fix the ACL problem I'm having with OpenLDAP Andrew Bartlett (This used to be commit 6d6e03834a1a77a8ceba41fbe8c9d49680065ba3)
2008-07-18 18:44:07 +10:00
rootdn cn=Manager,${DOMAINDN}
r23177: Add in a new provision-backend script. This helps set up the OpenLDAP or Fedora DS backend. This required a new mkdir() call in ejs. We can now provision just the schema for ad2oLschema to operate on (with provision_schema(), without performing the whole provision, just to wipe it again (adjustments to 'make test' to come soon). Andrew Bartlett (This used to be commit 01d54d13dc66ef2127ac52c64ede53d0790738ec)
2007-05-29 01:20:47 +00:00
directory ${LDAPDIR}/db/user
s4:provision Rework and further automate setup of OpenLDAP backend heres the summary of all changes/extensions: - Andrew Bartlett's patch to generate indext - Howard Chu's idea to use nosync on the DB included, but made optional - slaptest-path is not needed any more (slapd -Ttest is used instead) and is therefore removed. slapd-path is now recommended when openldap-backend is chosen. its also used for olc-conversion - slapd-detection is now always done by ldapsearch (ldb module), looking anonymous for objectClass: OpenLDAProotDSE via our ldapi_uri. - if ldapsearch was not successfull, (no slapd listening on our socket) slapd is started via special generated slapdcommand_prov (ldapi_uri only) - slapd-"provision-process" startup is done via pythons subprocess. - the slapd-provision-pid is stored under paths.ldapdir/slapd_provision_pid. - after provision-backend is finished: --- slapd.pid is compared with our stored slapd_provision_pid. if the are unique, slapd.pid will be read out, and the slapd "provison"-process will be shut down. --- proper slapd-shutdown is verified again with ldb-search -> ldapi_uri -> rootDSE. --- if the pids are different or one of the pid-files is missing, slapd will not be shut down, instead an error message is displayed to locate slapd manually --- extended help-messages (relevant to slapd) are always displayed, e.g. the commandline with which slapd has to be started when everythings finished (slapd-commandline is stored under paths.ldapdir/slapd_command_file.txt)) - upgraded the content of the mini-howto (howto-ol-backend-s4.txt)
2009-08-10 09:45:01 +10:00
${NOSYNC}
${INDEX_CONFIG}
r23177: Add in a new provision-backend script. This helps set up the OpenLDAP or Fedora DS backend. This required a new mkdir() call in ejs. We can now provision just the schema for ad2oLschema to operate on (with provision_schema(), without performing the whole provision, just to wipe it again (adjustments to 'make test' to come soon). Andrew Bartlett (This used to be commit 01d54d13dc66ef2127ac52c64ede53d0790738ec)
2007-05-29 01:20:47 +00:00
#syncprov is stable in OpenLDAP 2.3, and available in 2.2.
Added mmr and olc to the OpenLDAP backend provisioning-scripts These extensions add mmr (multi-master-replication) and olc (openldap-online-configuration) capabilities to the provisioning-scripts (provision-backend and provision.py), for use with the openldap-backend (only versions >=2.4.15!). Changes / additions made to the provision-backend -script: added new command-line-options: --ol-mmr-urls=<list of whitespace separated ldap-urls> for use with mmr (can be combined with --ol-olc=yes), --ol-olc=[yes/no] (activate automatic conversion from static slapd.conf to olc), --ol-slaptest=<path to slaptest binary> (needed in conjunction with --ol-olc=yes) Changes / additions made to the provision.py -script: added extensions, that will automatically generate the chosen mmr and/or olc setup for the openldap backend, according to the to chosen parameters set in the provision-backend script Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2009-02-24 11:37:58 +11:00
#We need this for the contextCSN attribute and mmr.
r23177: Add in a new provision-backend script. This helps set up the OpenLDAP or Fedora DS backend. This required a new mkdir() call in ejs. We can now provision just the schema for ad2oLschema to operate on (with provision_schema(), without performing the whole provision, just to wipe it again (adjustments to 'make test' to come soon). Andrew Bartlett (This used to be commit 01d54d13dc66ef2127ac52c64ede53d0790738ec)
2007-05-29 01:20:47 +00:00
overlay syncprov
syncprov-sessionlog 100
Added mmr and olc to the OpenLDAP backend provisioning-scripts These extensions add mmr (multi-master-replication) and olc (openldap-online-configuration) capabilities to the provisioning-scripts (provision-backend and provision.py), for use with the openldap-backend (only versions >=2.4.15!). Changes / additions made to the provision-backend -script: added new command-line-options: --ol-mmr-urls=<list of whitespace separated ldap-urls> for use with mmr (can be combined with --ol-olc=yes), --ol-olc=[yes/no] (activate automatic conversion from static slapd.conf to olc), --ol-slaptest=<path to slaptest binary> (needed in conjunction with --ol-olc=yes) Changes / additions made to the provision.py -script: added extensions, that will automatically generate the chosen mmr and/or olc setup for the openldap backend, according to the to chosen parameters set in the provision-backend script Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2009-02-24 11:37:58 +11:00
syncprov-checkpoint 100 10
s4:provision Make OpenLDAP backend more robust With the extra moduleload lines (which succeed if it's already staticly linked), we now work with OpenLDAP overlays as modules. Andrew Bartlett
2010-04-22 17:20:21 +10:00
s4:OpenLDAP-backend Use the new rdnval module in OpenLDAP This is rather than rdn_name, which tries to do the job on the client side. We need to leave this module in the stack for Fedora DS (and of course the LDB backend). Andrew Bartlett
2010-04-20 15:35:51 +10:00
overlay rdnval
Rework memberof handling in slapd.conf (used for OpenLDAP backend) Instead of using an include file, put the generated configurationd directly into slapd.conf. Andrew Bartlett (This used to be commit 95ac786136aebfe5ededeb3fb81cbd4e296e3988)
2008-03-15 19:03:04 +11:00
Generate Multi-Master Replication configuration for OpenLDAP This patches provision-backend and the related scripts to generate the correct configuration blobs for N-way multi-master replication using OpenLDAP. Signed-off-by: Andrew Bartlett <abartlet@samba.org> (This used to be commit 6ed0b3f2475022288f636605492ca27fde97cd52)
2008-08-19 12:03:04 +10:00
### Multimaster-Replication of cn=user/base-dn context ###
${MMR_SYNCREPL_USER_CONFIG}
${MIRRORMODE}
Copy Permalink