summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2008-07-15 15:15:12 +1000
committerAndrew Bartlett <abartlet@samba.org>2008-07-15 15:15:12 +1000
commita6b842f9634cbeb4075c2bbaf7e49c19104602be (patch)
tree17fae6772e9d44ab32835ab7ddc454c9a075bafa
parent403f4f94ffec28d1c1dc910e1960531f4c14534b (diff)
downloadsamba-a6b842f9634cbeb4075c2bbaf7e49c19104602be.tar.gz
samba-a6b842f9634cbeb4075c2bbaf7e49c19104602be.tar.bz2
samba-a6b842f9634cbeb4075c2bbaf7e49c19104602be.zip
Connect to the LDAP backend with SASL credentials.
This reworks our LDAP backend code to move from anonymous access to a shared-secret SASL-protected connection. (SASL selects NTLM or DIGEST-MD5 on my system). To get this working, we must pre-populate the LDAP backend with a DN to store ths SASL secret on, and we use back-ldif for this. This gives us a reasonable basis to deploy a replicated OpenLDAP backend solution. Andrew Bartlett (This used to be commit cd0745253c4a9ec59a035e830e54d74a05b71aaa)
-rw-r--r--source4/scripting/python/samba/provision.py47
-rw-r--r--source4/selftest/target/Samba4.pm2
-rw-r--r--source4/setup/cn=samba-admin.ldif12
-rw-r--r--source4/setup/cn=samba.ldif11
-rwxr-xr-xsource4/setup/provision4
-rw-r--r--source4/setup/secrets_init.ldif2
-rw-r--r--source4/setup/secrets_sasl_ldap.ldif9
-rw-r--r--source4/setup/secrets_simple_ldap.ldif6
-rw-r--r--source4/setup/slapd.conf39
9 files changed, 111 insertions, 21 deletions
diff --git a/source4/scripting/python/samba/provision.py b/source4/scripting/python/samba/provision.py
index 504044253e..d0f612c7a8 100644
--- a/source4/scripting/python/samba/provision.py
+++ b/source4/scripting/python/samba/provision.py
@@ -604,6 +604,20 @@ def setup_secretsdb(path, setup_path, session_info, credentials, lp):
secrets_ldb = Ldb(path, session_info=session_info, credentials=credentials,
lp=lp)
secrets_ldb.load_ldif_file_add(setup_path("secrets.ldif"))
+
+ if credentials.authentication_requested:
+ if credentials.get_bind_dn() is not None:
+ setup_add_ldif(secrets_ldb, setup_path("secrets_simple_ldap.ldif"), {
+ "LDAPMANAGERDN": credentials.get_bind_dn(),
+ "LDAPMANAGERPASS_B64": b64encode(credentials.get_password())
+ })
+ else:
+ setup_add_ldif(secrets_ldb, setup_path("secrets_sasl_ldap.ldif"), {
+ "LDAPADMINUSER": credentials.get_username(),
+ "LDAPADMINREALM": credentials.get_realm(),
+ "LDAPADMINPASS_B64": b64encode(credentials.get_password())
+ })
+
return secrets_ldb
@@ -754,10 +768,10 @@ def setup_samdb(path, setup_path, session_info, credentials, lp,
domain_oc = "samba4LocalDomain"
setup_add_ldif(samdb, setup_path("provision_basedn.ldif"), {
- "DOMAINDN": names.domaindn,
- "ACI": aci,
- "DOMAIN_OC": domain_oc
- })
+ "DOMAINDN": names.domaindn,
+ "ACI": aci,
+ "DOMAIN_OC": domain_oc
+ })
message("Modifying DomainDN: " + names.domaindn + "")
if domainguid is not None:
@@ -1265,15 +1279,30 @@ refint_attributes""" + refint_attributes + "\n"
"DOMAINDN": names.domaindn,
"CONFIGDN": names.configdn,
"SCHEMADN": names.schemadn,
- "LDAPMANAGERDN": names.ldapmanagerdn,
- "LDAPMANAGERPASS": adminpass,
"MEMBEROF_CONFIG": memberof_config})
setup_file(setup_path("modules.conf"), paths.modulesconf,
{"REALM": names.realm})
- setup_db_config(setup_path, os.path.join(paths.ldapdir, os.path.join("db", "user")))
- setup_db_config(setup_path, os.path.join(paths.ldapdir, os.path.join("db", "config")))
- setup_db_config(setup_path, os.path.join(paths.ldapdir, os.path.join("db", "schema")))
+ setup_db_config(setup_path, os.path.join(paths.ldapdir, "db", "user"))
+ setup_db_config(setup_path, os.path.join(paths.ldapdir, "db", "config"))
+ setup_db_config(setup_path, os.path.join(paths.ldapdir, "db", "schema"))
+
+ if not os.path.exists(os.path.join(paths.ldapdir, "db", "samba", "cn=samba")):
+ os.makedirs(os.path.join(paths.ldapdir, "db", "samba", "cn=samba"))
+
+ setup_file(setup_path("cn=samba.ldif"),
+ os.path.join(paths.ldapdir, "db", "samba", "cn=samba.ldif"),
+ { "UUID": str(uuid.uuid4()),
+ "LDAPTIME": timestring(int(time.time()))} )
+ setup_file(setup_path("cn=samba-admin.ldif"),
+ os.path.join(paths.ldapdir, "db", "samba", "cn=samba", "cn=samba-admin.ldif"),
+ {"LDAPADMINPASS_B64": b64encode(adminpass),
+ "UUID": str(uuid.uuid4()),
+ "LDAPTIME": timestring(int(time.time()))} )
+
+#"LDAPMANAGERDN": names.ldapmanagerdn,
+
+
mapping = "schema-map-openldap-2.3"
backend_schema = "backend-schema.schema"
diff --git a/source4/selftest/target/Samba4.pm b/source4/selftest/target/Samba4.pm
index 2347dfc742..0be1acf371 100644
--- a/source4/selftest/target/Samba4.pm
+++ b/source4/selftest/target/Samba4.pm
@@ -719,7 +719,7 @@ nogroup:x:65534:nobody
push (@provision_options, "--krbtgtpass=krbtgt$password");
push (@provision_options, "--machinepass=machine$password");
push (@provision_options, "--root=$unix_name");
- push (@provision_options, "--simple-bind-dn=cn=Manager,$localbasedn");
+ push (@provision_options, "--username=samba-admin");
push (@provision_options, "--password=$password");
push (@provision_options, "--server-role=\"$server_role\"");
diff --git a/source4/setup/cn=samba-admin.ldif b/source4/setup/cn=samba-admin.ldif
new file mode 100644
index 0000000000..c59ffd9ab6
--- /dev/null
+++ b/source4/setup/cn=samba-admin.ldif
@@ -0,0 +1,12 @@
+dn: cn=samba-admin
+objectClass: top
+objectClass: person
+cn: samba-admin
+userPassword:: ${LDAPADMINPASS_B64}
+structuralObjectClass: person
+entryUUID: ${UUID}
+creatorsName:
+createTimestamp: ${LDAPTIME}
+entryCSN: 20080714010529.241038Z#000000#000#000000
+modifiersName:
+modifyTimestamp: ${LDAPTIME}
diff --git a/source4/setup/cn=samba.ldif b/source4/setup/cn=samba.ldif
new file mode 100644
index 0000000000..3be6242fe3
--- /dev/null
+++ b/source4/setup/cn=samba.ldif
@@ -0,0 +1,11 @@
+dn: cn=Samba
+objectClass: top
+objectClass: container
+cn: Samba
+structuralObjectClass: container
+entryUUID: b1d4823a-e58c-102c-9f74-51b6d59a1b68
+creatorsName:
+createTimestamp: 20080714010529Z
+entryCSN: 20080714010529.194412Z#000000#000#000000
+modifiersName:
+modifyTimestamp: 20080714010529Z
diff --git a/source4/setup/provision b/source4/setup/provision
index c1d6cd157a..7bd61fc1d8 100755
--- a/source4/setup/provision
+++ b/source4/setup/provision
@@ -30,7 +30,7 @@ import os, sys
sys.path.insert(0, "bin/python")
import samba
-
+from samba.credentials import DONT_USE_KERBEROS
from samba.auth import system_session
import samba.getopt as options
from samba import param
@@ -131,6 +131,8 @@ else:
creds = credopts.get_credentials(lp)
+creds.set_kerberos_state(DONT_USE_KERBEROS)
+
setup_dir = opts.setupdir
if setup_dir is None:
setup_dir = "setup"
diff --git a/source4/setup/secrets_init.ldif b/source4/setup/secrets_init.ldif
index 9eda47e463..eb423a5122 100644
--- a/source4/setup/secrets_init.ldif
+++ b/source4/setup/secrets_init.ldif
@@ -11,5 +11,5 @@ sAMAccountName: CASE_INSENSITIVE
#Add modules to the list to activate them by default
#beware often order is important
dn: @MODULES
-@LIST: update_keytab,operational,objectguid
+@LIST: update_keytab,operational,objectguid,rdn_name
diff --git a/source4/setup/secrets_sasl_ldap.ldif b/source4/setup/secrets_sasl_ldap.ldif
new file mode 100644
index 0000000000..81ccfee209
--- /dev/null
+++ b/source4/setup/secrets_sasl_ldap.ldif
@@ -0,0 +1,9 @@
+dn: CN=SAMDB Credentials
+objectClass: top
+objectClass: ldapSecret
+cn: SAMDB Credentials
+secret:: ${LDAPADMINPASS_B64}
+samAccountName: ${LDAPADMINUSER}
+realm: ${LDAPADMINREALM}
+
+
diff --git a/source4/setup/secrets_simple_ldap.ldif b/source4/setup/secrets_simple_ldap.ldif
new file mode 100644
index 0000000000..3f5ccd2df1
--- /dev/null
+++ b/source4/setup/secrets_simple_ldap.ldif
@@ -0,0 +1,6 @@
+dn: CN=SAMDB Credentials
+objectClass: top
+objectClass: ldapSecret
+cn: SAMDB Credentials
+secret:: ${LDAPMANAGERPASS_B64}
+ldapBindDn: ${LDAPMANAGERDN}
diff --git a/source4/setup/slapd.conf b/source4/setup/slapd.conf
index 15b9d3104e..b1ce6f6492 100644
--- a/source4/setup/slapd.conf
+++ b/source4/setup/slapd.conf
@@ -5,17 +5,36 @@ include ${LDAPDIR}/backend-schema.schema
pidfile ${LDAPDIR}/slapd.pid
argsfile ${LDAPDIR}/slapd.args
sasl-realm ${DNSDOMAIN}
-access to * by * write
-allow update_anon
+#authz-regexp
+# uid=([^,]*),cn=${DNSDOMAIN},cn=digest-md5,cn=auth
+# ldap:///${DOMAINDN}??sub?(samAccountName=\$1)
-authz-regexp
- uid=([^,]*),cn=${DNSDOMAIN},cn=digest-md5,cn=auth
- ldap:///${DOMAINDN}??sub?(samAccountName=\$1)
+#authz-regexp
+# uid=([^,]*),cn=([^,]*),cn=digest-md5,cn=auth
+# ldap:///${DOMAINDN}??sub?(samAccountName=\$1)
authz-regexp
uid=([^,]*),cn=([^,]*),cn=digest-md5,cn=auth
- ldap:///${DOMAINDN}??sub?(samAccountName=\$1)
+ ldap:///cn=samba??one?(cn=\$1)
+
+authz-regexp
+ uid=([^,]*),cn=([^,]*),cn=ntlm,cn=auth
+ ldap:///cn=samba??one?(cn=\$1)
+
+access to dn.base=""
+ by dn=cn=samba-admin,cn=samba manage
+ by anonymous read
+ by * read
+
+access to dn.subtree="cn=samba"
+ by anonymous auth
+
+access to dn.subtree="${DOMAINDN}"
+ by dn=cn=samba-admin,cn=samba manage
+ by * read
+
+password-hash {CLEARTEXT}
include ${LDAPDIR}/modules.conf
@@ -23,6 +42,11 @@ defaultsearchbase ${DOMAINDN}
${MEMBEROF_CONFIG}
+database ldif
+suffix cn=Samba
+directory ${LDAPDIR}/db/samba
+
+
database hdb
suffix ${SCHEMADN}
directory ${LDAPDIR}/db/schema
@@ -78,9 +102,6 @@ index dnsRoot eq
index nETBIOSName eq
index cn eq
-rootdn ${LDAPMANAGERDN}
-rootpw ${LDAPMANAGERPASS}
-
#syncprov is stable in OpenLDAP 2.3, and available in 2.2.
#We only need this for the contextCSN attribute anyway....
overlay syncprov