The branch, v4-0-test has been updated via 57d19ad002c523fb9a09694e6710ab7f588d44ec (commit) via 67373c143a1d8a9f310fd116dbf81c1dd123b75f (commit) from 36f727c4a73ffc8634692b0c5645343cb414de93 (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-0-test - Log ----------------------------------------------------------------- commit 57d19ad002c523fb9a09694e6710ab7f588d44ec Author: Andrew Bartlett <[EMAIL PROTECTED]> Date: Mon Sep 8 15:09:06 2008 +1000 Make it clear that the MMR password can differ from the admin passsword In the future, we might simply randomly generate this, or allow the admin to specify it seperate to the admin password. However, both are highly sensitive, as they imply read access to the krbtgt. Andrew Bartlett commit 67373c143a1d8a9f310fd116dbf81c1dd123b75f Author: Oliver Liebel <[EMAIL PROTECTED]> Date: Mon Sep 8 14:39:54 2008 +1000 Use DIGEST-MD5 authentication for OpenLDAP replication This avoids passing rootdn passwords or replicated data in cleartext across the network. Signed-of-by: Andrew Bartlett <[EMAIL PROTECTED]> ----------------------------------------------------------------------- Summary of changes: source/scripting/python/samba/provision.py | 24 +++++++++++++++---- .../{cn=samba-admin.ldif => cn=replicator.ldif} | 8 +++--- source/setup/mmr_syncrepl.conf | 5 ++- source/setup/slapd.conf | 8 +++--- 4 files changed, 30 insertions(+), 15 deletions(-) copy source/setup/{cn=samba-admin.ldif => cn=replicator.ldif} (58%) Changeset truncated at 500 lines:
diff --git a/source/scripting/python/samba/provision.py b/source/scripting/python/samba/provision.py
index 9c2a208..68f6153 100644
--- a/source/scripting/python/samba/provision.py
+++ b/source/scripting/python/samba/provision.py
@@ -1266,18 +1266,23 @@ def provision_backend(setup_dir=None, message=None, # generate serverids, ldap-urls and syncrepl-blocks for mmr hosts mmr_on_config = "" + mmr_replicator_acl = "" mmr_serverids_config = "" mmr_syncrepl_schema_config = "" mmr_syncrepl_config_config = "" mmr_syncrepl_user_config = "" if ol_mmr_urls is not None: - url_list=filter(None,ol_mmr_urls.split(' ')) + # For now, make these equal + mmr_pass = adminpass + + url_list=filter(None,ol_mmr_urls.split(' ')) if (len(url_list) == 1): url_list=filter(None,ol_mmr_urls.split(',')) mmr_on_config = "MirrorMode On" + mmr_replicator_acl = " by dn=cn=replicator,cn=samba read" serverid=0 for url in url_list: serverid=serverid+1
@@ -1290,21 +1295,21 @@ def provision_backend(setup_dir=None, message=None, { "RID" : str(rid), "MMRDN": names.schemadn, "LDAPSERVER" : url, - "MMR_PASSWORD": adminpass}) + "MMR_PASSWORD": mmr_pass}) rid=rid+1 mmr_syncrepl_config_config += read_and_sub_file(setup_path("mmr_syncrepl.conf"), { "RID" : str(rid), "MMRDN": names.configdn, "LDAPSERVER" : url, - "MMR_PASSWORD": adminpass}) + "MMR_PASSWORD": mmr_pass}) rid=rid+1 mmr_syncrepl_user_config += read_and_sub_file(setup_path("mmr_syncrepl.conf"), { "RID" : str(rid), "MMRDN": names.domaindn, "LDAPSERVER" : url, - "MMR_PASSWORD": adminpass }) + "MMR_PASSWORD": mmr_pass }) setup_file(setup_path("slapd.conf"), paths.slapdconf,
@@ -1315,11 +1320,11 @@ def provision_backend(setup_dir=None, message=None, "SCHEMADN": names.schemadn, "MEMBEROF_CONFIG": memberof_config, "MIRRORMODE": mmr_on_config, + "REPLICATOR_ACL": mmr_replicator_acl, "MMR_SERVERIDS_CONFIG": mmr_serverids_config, "MMR_SYNCREPL_SCHEMA_CONFIG": mmr_syncrepl_schema_config, "MMR_SYNCREPL_CONFIG_CONFIG": mmr_syncrepl_config_config, "MMR_SYNCREPL_USER_CONFIG": mmr_syncrepl_user_config, - "MMR_PASSWORD": adminpass, "REFINT_CONFIG": refint_config}) setup_file(setup_path("modules.conf"), paths.modulesconf, {"REALM": names.realm})
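Review bot: The new `mmr_pass = adminpass` line carries only `# For now, make these equal`, which does not tell a later reader what this value feeds: it is substituted verbatim into the syncrepl `credentials=` lines assembled a few lines below (via MMR_PASSWORD) and, base64-encoded, into cn=replicator.ldif, so it is exactly as sensitive as adminpass. I would extend the comment to `# The replicator's DIGEST-MD5 secret; for now equal to the admin password. It ends up in clear in slapd.conf (syncrepl credentials=) and reversibly in cn=replicator.ldif, so those files must be treated as secrets.` A smaller point of style: the leading space in `" by dn=cn=replicator,cn=samba read"` is load-bearing because ${REPLICATOR_ACL} is appended to an existing `by ... manage` clause on one line of slapd.conf, and a short comment saying so would keep someone from "cleaning" it away. provision_backend starts and ends outside the hunk.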
@@ -1340,6 +1345,15 @@ def provision_backend(setup_dir=None, message=None, {"LDAPADMINPASS_B64": b64encode(adminpass), "UUID": str(uuid.uuid4()), "LDAPTIME": timestring(int(time.time()))} ) + + if ol_mmr_urls is not None: + setup_file(setup_path("cn=replicator.ldif"), + os.path.join(paths.ldapdir, "db", "samba", "cn=samba", "cn=replicator.ldif"), + {"MMR_PASSWORD_B64": b64encode(mmr_pass), + "UUID": str(uuid.uuid4()), + "LDAPTIME": timestring(int(time.time()))} ) + + mapping = "schema-map-openldap-2.3" backend_schema = "backend-schema.schema"
diff --git a/source/setup/cn=samba-admin.ldif b/source/setup/cn=replicator.ldif
similarity index 58%
copy from source/setup/cn=samba-admin.ldif
copy to source/setup/cn=replicator.ldif
index c59ffd9..6001456 100644
--- a/source/setup/cn=samba-admin.ldif
+++ b/source/setup/cn=replicator.ldif
@@ -1,12 +1,12 @@
-dn: cn=samba-admin
+dn: cn=replicator
 objectClass: top
 objectClass: person
-cn: samba-admin
-userPassword:: ${LDAPADMINPASS_B64}
+cn: replicator
+userPassword:: ${MMR_PASSWORD_B64}
 structuralObjectClass: person
 entryUUID: ${UUID}
 creatorsName:
 createTimestamp: ${LDAPTIME}
-entryCSN: 20080714010529.241038Z#000000#000#000000
+entryCSN: 20080714010529.241039Z#000000#000#000000
 modifiersName:
 modifyTimestamp: ${LDAPTIME}
diff --git a/source/setup/mmr_syncrepl.conf b/source/setup/mmr_syncrepl.conf
index 3a207b2..1373858 100644
--- a/source/setup/mmr_syncrepl.conf
+++ b/source/setup/mmr_syncrepl.conf
@@ -5,7 +5,8 @@ syncrepl rid=${RID} searchbase="${MMRDN}" type=refreshAndPersist retry="10 +" - bindmethod=simple - binddn="CN=Manager,${MMRDN}" + bindmethod=sasl + saslmech=DIGEST-MD5 + authcid="replicator" credentials="${MMR_PASSWORD}"
diff --git a/source/setup/slapd.conf b/source/setup/slapd.conf
index 141c0cd..b64d581 100644
--- a/source/setup/slapd.conf
+++ b/source/setup/slapd.conf
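Review bot: The new `setup_file(... "cn=replicator.ldif" ...)` call stores the replicator's password as `b64encode(mmr_pass)`, i.e. reversibly, which a DIGEST-MD5 bind needs on the server side but which makes this file equivalent to the admin password; the hunk does not show what mode setup_file gives its output, so unless setup_file already restricts it, the file under paths.ldapdir/db/samba/cn=samba should get the same permissions as the cn=samba-admin.ldif written just above. A comment on the call would make that expectation explicit: `# DIGEST-MD5 needs the server to recover the cleartext, so userPassword is only base64 here; keep this file's permissions as tight as cn=samba-admin.ldif`. The substitution dict repeats the three keys of the cn=samba-admin.ldif call except for the password, so a small local helper taking the ldif name and the secret would remove the duplication. provision_backend starts and ends outside the hunk.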
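Review bot: `bindmethod=sasl` with `saslmech=DIGEST-MD5` keeps the replicator's password off the wire, but by itself it does not protect the entries that flow after the bind; the commit message's claim that replicated data no longer crosses the network in cleartext only holds if a SASL security layer is negotiated or TLS is used, and this stanza configures neither, so unless the peers' slapd enforces a minimum SSF the session can proceed over a plain channel. I would add `secprops="minssf=128"` beside `saslmech=DIGEST-MD5` (or `starttls=critical` where the peers have TLS set up) so the consumer fails closed instead of silently degrading. A second point: `authcid="replicator"` is a SASL identity rather than a DN, and whether slapd maps it to `cn=replicator,cn=samba`, the DN that the slapd.conf ACL hunk below grants read to, depends on an authz-regexp that is not part of this changeset; if that mapping is absent the new ACL never matches the replicator. The syncrepl stanza starts outside the hunk.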
@@ -1,5 +1,8 @@ loglevel 0 +### needed for initial content load ### +sizelimit unlimited + ### Multimaster-ServerIDs and URLs ### ${MMR_SERVERIDS_CONFIG} @@ -36,7 +39,7 @@ access to dn.subtree="cn=samba" by anonymous auth access to dn.subtree="${DOMAINDN}" - by dn=cn=samba-admin,cn=samba manage + by dn=cn=samba-admin,cn=samba manage${REPLICATOR_ACL} by dn=cn=manager manage by * none @@ -62,7 +65,6 @@ rootdn cn=Manager,cn=Samba database hdb suffix ${SCHEMADN} rootdn cn=Manager,${SCHEMADN} -rootpw "${MMR_PASSWORD}" directory ${LDAPDIR}/db/schema index objectClass eq index samAccountName eq @@ -89,7 +91,6 @@ ${MIRRORMODE} database hdb suffix ${CONFIGDN} rootdn cn=Manager,${CONFIGDN} -rootpw "${MMR_PASSWORD}" directory ${LDAPDIR}/db/config index objectClass eq index samAccountName eq @@ -118,7 +119,6 @@ ${MIRRORMODE} database hdb suffix ${DOMAINDN} rootdn cn=Manager,${DOMAINDN} -rootpw "${MMR_PASSWORD}" directory ${LDAPDIR}/db/user index objectClass eq index samAccountName eq -- Samba Shared Repository
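Review bot: `sizelimit unlimited` sits in the global section, so it lifts the search result cap for every client of every database rather than only for the initial content load the comment names; any identity with read access, not just the replicator, can now pull a whole naming context in one search. If the relaxation is only needed for replication, a per-identity `limits dn.exact="cn=replicator,cn=samba" size=unlimited` in the database sections would keep the default cap for everyone else; if a global relaxation is really intended, the comment should say so explicitly. The global section continues outside the hunk.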
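Review bot: The `${REPLICATOR_ACL}` clause is appended only to the `access to dn.subtree="${DOMAINDN}"` rule, while the provision.py hunk above generates syncrepl consumers for the schema and config naming contexts as well; if those databases have their own `access to` stanzas (not shown here), cn=replicator has no grant on them and replication of those contexts would likely be refused, so the same substitution probably belongs on those rules too. Either way, a comment above the line such as `# ${REPLICATOR_ACL} expands to a second "by" clause for the MMR replicator, or to nothing when MMR is off` would tell the reader why the clause shares a line with the samba-admin grant. The access rules continue outside the hunk.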