Age | Commit message (Collapse) | Author | Files | Lines |
|
With the extra moduleload lines (which succeed if it's already
staticly linked), we now work with OpenLDAP overlays as modules.
Andrew Bartlett
|
|
|
|
This is rather than rdn_name, which tries to do the job on the client
side. We need to leave this module in the stack for Fedora DS (and of
course the LDB backend).
Andrew Bartlett
|
|
This removes a *lot* of duplicated code and the cause of much
administrator frustration. We now handle starting and stopping the
slapd (at least for the provision), and ensure that there is only one
'right' way to configure the OpenLDAP and Fedora DS backend
We now run OpenLDAP in 'cn=config' mode for online configuration.
To test what was the provision-backend code, a new --ldap-dryrun-mode
option has been added to provision. It quits the provision just
before it would start the LDAP binaries
Andrew Bartlett
|
|
|
|
heres the summary of all changes/extensions:
- Andrew Bartlett's patch to generate indext
- Howard Chu's idea to use nosync on the DB included, but made optional
- slaptest-path is not needed any more (slapd -Ttest is used instead)
and is therefore removed. slapd-path is now recommended when
openldap-backend is chosen.
its also used for olc-conversion
- slapd-detection is now always done by ldapsearch (ldb module),
looking anonymous for objectClass: OpenLDAProotDSE via our ldapi_uri.
- if ldapsearch was not successfull, (no slapd listening on our socket)
slapd is
started via special generated slapdcommand_prov (ldapi_uri only)
- slapd-"provision-process" startup is done via pythons subprocess.
- the slapd-provision-pid is stored under paths.ldapdir/slapd_provision_pid.
- after provision-backend is finished:
--- slapd.pid is compared with our stored slapd_provision_pid.
if the are unique, slapd.pid will be read out, and the
slapd "provison"-process will be shut down.
--- proper slapd-shutdown is verified again with ldb-search -> ldapi_uri
-> rootDSE.
--- if the pids are different or one of the pid-files is missing, slapd
will not be shut down,
instead an error message is displayed to locate slapd manually
--- extended help-messages (relevant to slapd) are always displayed,
e.g. the commandline with which slapd has to be started when everythings
finished
(slapd-commandline is stored under paths.ldapdir/slapd_command_file.txt))
- upgraded the content of the mini-howto (howto-ol-backend-s4.txt)
|
|
These extensions add mmr (multi-master-replication) and olc
(openldap-online-configuration) capabilities to the
provisioning-scripts (provision-backend and provision.py), for use
with the openldap-backend (only versions >=2.4.15!).
Changes / additions made to the provision-backend -script:
added new command-line-options:
--ol-mmr-urls=<list of whitespace separated ldap-urls> for use with mmr
(can be combined with --ol-olc=yes),
--ol-olc=[yes/no] (activate automatic conversion from static slapd.conf
to olc),
--ol-slaptest=<path to slaptest binary> (needed in conjunction with
--ol-olc=yes)
Changes / additions made to the provision.py -script: added
extensions, that will automatically generate the chosen mmr and/or olc
setup for the openldap backend, according to the to chosen parameters
set in the provision-backend script
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
depending on the backend
This just changes the existing stratagy of loading different modules
for the OpenLDAP backend to also include extended_dn_out_*
When we provision the OpenLDAP backend, we make sure to include the
'deref' overlay (which must be made available by the OpenLDAP build)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
This avoids passing rootdn passwords or replicated data in cleartext
across the network.
Signed-of-by: Andrew Bartlett <abartlet@samba.org>
(This used to be commit 67373c143a1d8a9f310fd116dbf81c1dd123b75f)
|
|
This changes the MMR password from hard-coded value of 'linux',
adds tests and fixes the Fedora DS backend.
Currently the MMR password matches the admin password, but we can
change this to be another random value if required.
Also require the port to be specified on the command line, so we don't
hard-code a port of 9000.
Andrew Bartlett
(This used to be commit 08257c6d6ce809fcd53f9b2b4d558fef616b74ce)
|
|
This patches provision-backend and the related scripts to generate the
correct configuration blobs for N-way multi-master replication using
OpenLDAP.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
(This used to be commit 6ed0b3f2475022288f636605492ca27fde97cd52)
|
|
This defines a rootdn globally, and due to OpenLDAP bugs, gives it
manage access to the whole database. This makes the memberOf module
able to validate the links again, now we have database ACLs.
Andrew Bartlett
(This used to be commit 9fe3e9f09f89fd92f8a16768e53391ff5f8489ec)
|
|
(This used to be commit d2a527acc5ee6fe9b943657dc9c3ace920b2d619)
|
|
Set a memberof-dn in a fruitless attempt to fix the ACL problem I'm
having with OpenLDAP
Andrew Bartlett
(This used to be commit 6d6e03834a1a77a8ceba41fbe8c9d49680065ba3)
|
|
(This used to be commit a3912801fb25f715725c06402d4bdff9a926f15d)
|
|
This reworks our LDAP backend code to move from anonymous access to a
shared-secret SASL-protected connection. (SASL selects NTLM or
DIGEST-MD5 on my system).
To get this working, we must pre-populate the LDAP backend with a DN
to store ths SASL secret on, and we use back-ldif for this.
This gives us a reasonable basis to deploy a replicated OpenLDAP
backend solution.
Andrew Bartlett
(This used to be commit cd0745253c4a9ec59a035e830e54d74a05b71aaa)
|
|
Instead of extensibleObject, we use the new (more correct) ad2oLschema
tool, and a new objectClass called 'samba4Top', which we add and
remove in the same way we did extensibleObject.
Andrew Bartlett
(This used to be commit 5ab20aa8b43415751f77602fff3a3008bf2186db)
|
|
Instead of using an include file, put the generated configurationd
directly into slapd.conf.
Andrew Bartlett
(This used to be commit 95ac786136aebfe5ededeb3fb81cbd4e296e3988)
|
|
This module needs to be loaded on each database, not just the main
partition. We use it to create the usn for the entries.
Andrew Bartlett
(This used to be commit ffb12aad8a80bb90d66dc66baba81b856622a6bb)
|
|
use global.
Andrew Bartlett
(This used to be commit 3b6f461e9a1b0fee7a589b8d171f4fcec6340ca4)
|
|
attributes, as found in the schema.
Index 'cn', as otherwise exact match searches on this attribute always
fail (need to figure out what is so special about cn in OpenLDAP).
Andrew Bartlett
(This used to be commit 5a4a2d10bc5729d4adac4b173b0dc05e2e076c32)
|
|
of OpenLDAP.
This makes it consistant with the Fedora DS setup, and doesn't mix
both hdb and bdb.
Andrew Bartlett
(This used to be commit 1ffada95d269c8f7d054bec7f6eaff8449995d40)
|
|
openldap, and fully support different LDAP server locations.
Andrew Bartlett
(This used to be commit a00bb942537f0f638c2a8295770749cb4b5d9ef3)
|
|
setting OPENLDAP_PATH, move to using hdb as the backend (allows
subtree renames), and re-enable the --quiet option.
Andrew Bartlett
(This used to be commit a186a0fa68cdcfb3abd430534657e5e278a5ebda)
|
|
--ldap-manager-pass= option to work.
Andrew Bartlett
(This used to be commit fbcb1ec14125a4ca57922ec75b01af9a99dcd954)
|
|
Andrew Bartlett
(This used to be commit 17dad5d8c345c2c3a7643bff7a43473339a22d40)
|
|
easily try this out.
I also intend to use this for the selftest, but I'm chasing issues
with the OpenlDAP (but not Fedora DS) backend.
Andrew Bartlett
(This used to be commit 0f457b1d2e20c36ab220b4a6711ce7930c4c7d21)
|
|
OpenLDAP or Fedora DS backend.
This required a new mkdir() call in ejs.
We can now provision just the schema for ad2oLschema to operate on
(with provision_schema(), without performing the whole provision, just
to wipe it again (adjustments to 'make test' to come soon).
Andrew Bartlett
(This used to be commit 01d54d13dc66ef2127ac52c64ede53d0790738ec)
|