diff options
author | Andrew Bartlett <abartlet@samba.org> | 2008-07-15 15:15:12 +1000 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2008-07-15 15:15:12 +1000 |
commit | a6b842f9634cbeb4075c2bbaf7e49c19104602be (patch) | |
tree | 17fae6772e9d44ab32835ab7ddc454c9a075bafa /source4/setup/slapd.conf | |
parent | 403f4f94ffec28d1c1dc910e1960531f4c14534b (diff) | |
download | samba-a6b842f9634cbeb4075c2bbaf7e49c19104602be.tar.gz samba-a6b842f9634cbeb4075c2bbaf7e49c19104602be.tar.bz2 samba-a6b842f9634cbeb4075c2bbaf7e49c19104602be.zip |
Connect to the LDAP backend with SASL credentials.
This reworks our LDAP backend code to move from anonymous access to a
shared-secret SASL-protected connection. (SASL selects NTLM or
DIGEST-MD5 on my system).
To get this working, we must pre-populate the LDAP backend with a DN
to store ths SASL secret on, and we use back-ldif for this.
This gives us a reasonable basis to deploy a replicated OpenLDAP
backend solution.
Andrew Bartlett
(This used to be commit cd0745253c4a9ec59a035e830e54d74a05b71aaa)
Diffstat (limited to 'source4/setup/slapd.conf')
-rw-r--r-- | source4/setup/slapd.conf | 39 |
1 files changed, 30 insertions, 9 deletions
diff --git a/source4/setup/slapd.conf b/source4/setup/slapd.conf index 15b9d3104e..b1ce6f6492 100644 --- a/source4/setup/slapd.conf +++ b/source4/setup/slapd.conf @@ -5,17 +5,36 @@ include ${LDAPDIR}/backend-schema.schema pidfile ${LDAPDIR}/slapd.pid argsfile ${LDAPDIR}/slapd.args sasl-realm ${DNSDOMAIN} -access to * by * write -allow update_anon +#authz-regexp +# uid=([^,]*),cn=${DNSDOMAIN},cn=digest-md5,cn=auth +# ldap:///${DOMAINDN}??sub?(samAccountName=\$1) -authz-regexp - uid=([^,]*),cn=${DNSDOMAIN},cn=digest-md5,cn=auth - ldap:///${DOMAINDN}??sub?(samAccountName=\$1) +#authz-regexp +# uid=([^,]*),cn=([^,]*),cn=digest-md5,cn=auth +# ldap:///${DOMAINDN}??sub?(samAccountName=\$1) authz-regexp uid=([^,]*),cn=([^,]*),cn=digest-md5,cn=auth - ldap:///${DOMAINDN}??sub?(samAccountName=\$1) + ldap:///cn=samba??one?(cn=\$1) + +authz-regexp + uid=([^,]*),cn=([^,]*),cn=ntlm,cn=auth + ldap:///cn=samba??one?(cn=\$1) + +access to dn.base="" + by dn=cn=samba-admin,cn=samba manage + by anonymous read + by * read + +access to dn.subtree="cn=samba" + by anonymous auth + +access to dn.subtree="${DOMAINDN}" + by dn=cn=samba-admin,cn=samba manage + by * read + +password-hash {CLEARTEXT} include ${LDAPDIR}/modules.conf @@ -23,6 +42,11 @@ defaultsearchbase ${DOMAINDN} ${MEMBEROF_CONFIG} +database ldif +suffix cn=Samba +directory ${LDAPDIR}/db/samba + + database hdb suffix ${SCHEMADN} directory ${LDAPDIR}/db/schema @@ -78,9 +102,6 @@ index dnsRoot eq index nETBIOSName eq index cn eq -rootdn ${LDAPMANAGERDN} -rootpw ${LDAPMANAGERPASS} - #syncprov is stable in OpenLDAP 2.3, and available in 2.2. #We only need this for the contextCSN attribute anyway.... overlay syncprov |