Use DIGEST-MD5 authentication for OpenLDAP replication

This avoids passing rootdn passwords or replicated data in cleartext
across the network.

Signed-of-by: Andrew Bartlett <abartlet@samba.org>
(This used to be commit 67373c143a)

source4/scripting/python/samba/provision.py

@@ -1266,6 +1266,7 @@ def provision_backend(setup_dir=None, message=None,
 
 # generate serverids, ldap-urls and syncrepl-blocks for mmr hosts
 	mmr_on_config = ""
+	mmr_replicator_acl = ""
 	mmr_serverids_config = ""
         mmr_syncrepl_schema_config = "" 
 	mmr_syncrepl_config_config = "" 
@@ -1278,6 +1279,7 @@ def provision_backend(setup_dir=None, message=None,
                      
 
 		mmr_on_config = "MirrorMode On"
+		mmr_replicator_acl = "  by dn=cn=replicator,cn=samba read"
  		serverid=0
 		for url in url_list:
 			serverid=serverid+1
@@ -1315,6 +1317,7 @@ def provision_backend(setup_dir=None, message=None,
                     "SCHEMADN": names.schemadn,
                     "MEMBEROF_CONFIG": memberof_config,
                     "MIRRORMODE": mmr_on_config,
+                    "REPLICATOR_ACL": mmr_replicator_acl,
                     "MMR_SERVERIDS_CONFIG": mmr_serverids_config,
                     "MMR_SYNCREPL_SCHEMA_CONFIG": mmr_syncrepl_schema_config,
                     "MMR_SYNCREPL_CONFIG_CONFIG": mmr_syncrepl_config_config,
@@ -1340,6 +1343,15 @@ def provision_backend(setup_dir=None, message=None,
                               {"LDAPADMINPASS_B64": b64encode(adminpass),
                                "UUID": str(uuid.uuid4()), 
                                "LDAPTIME": timestring(int(time.time()))} )
+	
+	if ol_mmr_urls is not None:
+ 	   setup_file(setup_path("cn=replicator.ldif"),
+                              os.path.join(paths.ldapdir, "db", "samba",  "cn=samba", "cn=replicator.ldif"),
+                              {"LDAPADMINPASS_B64": b64encode(adminpass),
+                               "UUID": str(uuid.uuid4()),
+                               "LDAPTIME": timestring(int(time.time()))} )
+
+
 
         mapping = "schema-map-openldap-2.3"
         backend_schema = "backend-schema.schema"

source4/setup/cn=replicator.ldif

@@ -0,0 +1,12 @@
+dn: cn=replicator
+objectClass: top
+objectClass: person
+cn: replicator
+userPassword:: ${LDAPADMINPASS_B64}
+structuralObjectClass: person
+entryUUID: ${UUID}
+creatorsName:
+createTimestamp: ${LDAPTIME}
+entryCSN: 20080714010529.241039Z#000000#000#000000
+modifiersName:
+modifyTimestamp: ${LDAPTIME}

source4/setup/mmr_syncrepl.conf

@@ -5,7 +5,8 @@ syncrepl rid=${RID}
 	searchbase="${MMRDN}"
 	type=refreshAndPersist
 	retry="10 +"
-	bindmethod=simple
-	binddn="CN=Manager,${MMRDN}"
+	bindmethod=sasl
+	saslmech=DIGEST-MD5
+	authcid="replicator"
 	credentials="${MMR_PASSWORD}"
 

source4/setup/slapd.conf

@@ -1,5 +1,8 @@
 loglevel 0
 
+### needed for initial content load ###
+sizelimit unlimited
+
 ### Multimaster-ServerIDs and URLs ###
 
 ${MMR_SERVERIDS_CONFIG}
@@ -36,7 +39,7 @@ access to dn.subtree="cn=samba"
        by anonymous auth
 
 access to dn.subtree="${DOMAINDN}"
-       by dn=cn=samba-admin,cn=samba manage
+       by dn=cn=samba-admin,cn=samba manage${REPLICATOR_ACL}
        by dn=cn=manager manage
        by * none
 
@@ -62,7 +65,6 @@ rootdn          cn=Manager,cn=Samba
 database        hdb
 suffix		${SCHEMADN}
 rootdn          cn=Manager,${SCHEMADN}
-rootpw		"${MMR_PASSWORD}"
 directory	${LDAPDIR}/db/schema
 index           objectClass eq
 index           samAccountName eq
@@ -89,7 +91,6 @@ ${MIRRORMODE}
 database        hdb
 suffix		${CONFIGDN}
 rootdn          cn=Manager,${CONFIGDN}
-rootpw		"${MMR_PASSWORD}"
 directory	${LDAPDIR}/db/config
 index           objectClass eq
 index           samAccountName eq
@@ -118,7 +119,6 @@ ${MIRRORMODE}
 database        hdb
 suffix		${DOMAINDN}
 rootdn          cn=Manager,${DOMAINDN}
-rootpw		"${MMR_PASSWORD}"
 directory	${LDAPDIR}/db/user
 index           objectClass eq
 index           samAccountName eq