From b76f383eefe961e8a2f42ac782031e3e09ff7192 Mon Sep 17 00:00:00 2001 From: Oliver Liebel Date: Mon, 8 Sep 2008 14:39:54 +1000 Subject: [PATCH] Use DIGEST-MD5 authentication for OpenLDAP replication This avoids passing rootdn passwords or replicated data in cleartext across the network. Signed-of-by: Andrew Bartlett (This used to be commit 67373c143a1d8a9f310fd116dbf81c1dd123b75f) --- source4/scripting/python/samba/provision.py | 12 ++++++++++++ source4/setup/cn=replicator.ldif | 12 ++++++++++++ source4/setup/mmr_syncrepl.conf | 5 +++-- source4/setup/slapd.conf | 8 ++++---- 4 files changed, 31 insertions(+), 6 deletions(-) create mode 100644 source4/setup/cn=replicator.ldif diff --git a/source4/scripting/python/samba/provision.py b/source4/scripting/python/samba/provision.py index 9c2a208460e..f37d09d5e09 100644 --- a/source4/scripting/python/samba/provision.py +++ b/source4/scripting/python/samba/provision.py @@ -1266,6 +1266,7 @@ def provision_backend(setup_dir=None, message=None, # generate serverids, ldap-urls and syncrepl-blocks for mmr hosts mmr_on_config = "" + mmr_replicator_acl = "" mmr_serverids_config = "" mmr_syncrepl_schema_config = "" mmr_syncrepl_config_config = "" @@ -1278,6 +1279,7 @@ def provision_backend(setup_dir=None, message=None, mmr_on_config = "MirrorMode On" + mmr_replicator_acl = " by dn=cn=replicator,cn=samba read" serverid=0 for url in url_list: serverid=serverid+1 @@ -1315,6 +1317,7 @@ def provision_backend(setup_dir=None, message=None, "SCHEMADN": names.schemadn, "MEMBEROF_CONFIG": memberof_config, "MIRRORMODE": mmr_on_config, + "REPLICATOR_ACL": mmr_replicator_acl, "MMR_SERVERIDS_CONFIG": mmr_serverids_config, "MMR_SYNCREPL_SCHEMA_CONFIG": mmr_syncrepl_schema_config, "MMR_SYNCREPL_CONFIG_CONFIG": mmr_syncrepl_config_config, 
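Review bot: The `mmr_replicator_acl` fragment assigned in the @@ -1278 hunk has to carry its own leading space because slapd.conf splices it onto the end of the `by dn=cn=samba-admin,cn=samba manage` line, and nothing at the assignment says so. A comment would make that contract visible: `# Spliced mid-line into slapd.conf after the samba-admin clause; keep the leading space.` followed by `# cn=replicator is the identity mmr_syncrepl.conf binds as (authcid="replicator"); read is all a syncrepl consumer needs.` The same comment also ties the `read` grant to the `REPLICATOR_ACL` template key added in the @@ -1315 hunk, which is otherwise undocumented. provision_backend starts before the first hunk and continues past the last one.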
@@ -1340,6 +1343,15 @@ def provision_backend(setup_dir=None, message=None, {"LDAPADMINPASS_B64": b64encode(adminpass), "UUID": str(uuid.uuid4()), "LDAPTIME": timestring(int(time.time()))} ) + + if ol_mmr_urls is not None: + setup_file(setup_path("cn=replicator.ldif"), + os.path.join(paths.ldapdir, "db", "samba", "cn=samba", "cn=replicator.ldif"), + {"LDAPADMINPASS_B64": b64encode(adminpass), + "UUID": str(uuid.uuid4()), + "LDAPTIME": timestring(int(time.time()))} ) + + mapping = "schema-map-openldap-2.3" backend_schema = "backend-schema.schema" diff --git a/source4/setup/cn=replicator.ldif b/source4/setup/cn=replicator.ldif new file mode 100644 index 00000000000..e7c5a2408c4 --- /dev/null +++ b/source4/setup/cn=replicator.ldif @@ -0,0 +1,12 @@ +dn: cn=replicator +objectClass: top +objectClass: person +cn: replicator +userPassword:: ${LDAPADMINPASS_B64} +structuralObjectClass: person +entryUUID: ${UUID} +creatorsName: +createTimestamp: ${LDAPTIME} +entryCSN: 20080714010529.241039Z#000000#000#000000 +modifiersName: +modifyTimestamp: ${LDAPTIME} diff --git a/source4/setup/mmr_syncrepl.conf b/source4/setup/mmr_syncrepl.conf index 3a207b2d13a..1373858c4e6 100644 --- a/source4/setup/mmr_syncrepl.conf +++ b/source4/setup/mmr_syncrepl.conf @@ -5,7 +5,8 @@ syncrepl rid=${RID} searchbase="${MMRDN}" type=refreshAndPersist retry="10 +" - bindmethod=simple - binddn="CN=Manager,${MMRDN}" + bindmethod=sasl + saslmech=DIGEST-MD5 + authcid="replicator" credentials="${MMR_PASSWORD}" diff --git a/source4/setup/slapd.conf b/source4/setup/slapd.conf index 141c0cd27a6..b64d581e0d3 100644 --- a/source4/setup/slapd.conf +++ b/source4/setup/slapd.conf @@ -1,5 +1,8 @@ loglevel 0 +### needed for initial content load ### +sizelimit unlimited + ### Multimaster-ServerIDs and URLs ### ${MMR_SERVERIDS_CONFIG} 
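Review bot: The `cn=replicator` entry written by the new `setup_file` call takes `LDAPADMINPASS_B64` from `adminpass`, so the replication identity shares the samba-admin secret, while mmr_syncrepl.conf binds that identity with `credentials="${MMR_PASSWORD}"`. If `MMR_PASSWORD` is not the same value as `adminpass` (its derivation is not in this diff) the DIGEST-MD5 bind fails; if it is the same, the credential written into each peer's syncrepl stanza is also the admin password. A dedicated replicator secret passed as its own template variable, e.g. `"LDAPREPLICATORPASS_B64": b64encode(replicator_pass)`, and used for both the entry and `MMR_PASSWORD`, keeps a leaked replication config from exposing the admin account. The doubled blank lines after the new call are a minor style nit. provision_backend starts before this hunk and continues after it.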
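Review bot: The new entry declares `objectClass: person` but carries no `sn`, which that class makes mandatory; if, as the `db/samba/cn=samba/` path suggests, the file is read directly by the ldif backend this may go unnoticed, but any re-import with schema checking would reject it, so `sn: replicator` is cheap insurance. `userPassword:: ${LDAPADMINPASS_B64}` is the base64 of the cleartext password, which DIGEST-MD5 requires the server to hold in recoverable form — worth a comment line in the template (`# cleartext userPassword: DIGEST-MD5 needs the server to recover it`) and a reason to keep the generated file's permissions tight.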
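Review bot: With `bindmethod=sasl` and `authcid="replicator"` the identity slapd sees after the bind is a SASL DN of the form `uid=replicator,cn=digest-md5,cn=auth`, not `cn=replicator,cn=samba`; unless slapd.conf carries an `authz-regexp` mapping the former to the latter (none appears in this diff), the new `by dn=cn=replicator,cn=samba read` clause never matches and the consumer replicates nothing. A mapping along the lines of `authz-regexp "uid=replicator,cn=digest-md5,cn=auth" "cn=replicator,cn=samba"` closes that gap. Separately, DIGEST-MD5 protects the credential, but the commit message's claim that replicated data no longer crosses in cleartext holds only if a SASL security layer or TLS is actually negotiated; `starttls=critical` in this stanza, or a `minssf` via `sasl-secprops`, would make that enforced rather than incidental.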
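Review bot: `sizelimit unlimited` lifts the result-size cap for every bind on every database, although the comment says it is only needed for the initial content load. The cap can be lifted for the replication identity alone with `limits dn.exact="cn=replicator,cn=samba" size=unlimited`, leaving the default limit in place for all other clients; that also keeps the change tied to the ACL identity introduced elsewhere in this commit. The hunk header counts five old lines but only four are visible here, so its tail may be lost in the collapsed source.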
@@ -36,7 +39,7 @@ access to dn.subtree="cn=samba" by anonymous auth access to dn.subtree="${DOMAINDN}" - by dn=cn=samba-admin,cn=samba manage + by dn=cn=samba-admin,cn=samba manage${REPLICATOR_ACL} by dn=cn=manager manage by * none @@ -62,7 +65,6 @@ rootdn cn=Manager,cn=Samba database hdb suffix ${SCHEMADN} rootdn cn=Manager,${SCHEMADN} -rootpw "${MMR_PASSWORD}" directory ${LDAPDIR}/db/schema index objectClass eq index samAccountName eq @@ -89,7 +91,6 @@ ${MIRRORMODE} database hdb suffix ${CONFIGDN} rootdn cn=Manager,${CONFIGDN} -rootpw "${MMR_PASSWORD}" directory ${LDAPDIR}/db/config index objectClass eq index samAccountName eq @@ -118,7 +119,6 @@ ${MIRRORMODE} database hdb suffix ${DOMAINDN} rootdn cn=Manager,${DOMAINDN} -rootpw "${MMR_PASSWORD}" directory ${LDAPDIR}/db/user index objectClass eq index samAccountName eq
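Review bot: In the @@ -36 hunk `${REPLICATOR_ACL}` is glued onto `manage` and depends on the Python side supplying a leading space, and an empty string for non-MMR provisioning, a contract nothing in the template documents; a comment above the `access to dn.subtree="${DOMAINDN}"` line such as `# REPLICATOR_ACL expands to " by dn=cn=replicator,cn=samba read" for multi-master setups, otherwise empty` would spare the next editor a surprise. The `by` clauses are evaluated in order and a bare `dn=` matches the exact bound DN, so the replicator clause only takes effect if the SASL identity is mapped to that DN. The three later hunks removing `rootpw` are straightforward deletions.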