Mercurial > hg > savane-forge
annotate doc/LDAP @ 363:7d64cbe0ef62 draft
Remove useless symlinks
| author | Jordi Gutiérrez Hermoso <jordigh@octave.org> |
|---|---|
| date | Tue, 24 Apr 2012 13:22:15 -0400 |
| parents | 82e2c77565bb |
| children |
| rev | line source |
|---|---|
|
126
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
1 Goal |
|
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
2 ==== |
|
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
3 |
|
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
4 LDAP is supported by several 3rd-party applications to connect to an |
|
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
5 existing users/groups base. Using LDAP natively in our project would |
|
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
6 allow to maintain a users/groups base that other projects could use, |
|
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
7 with real-time updates. |
|
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
8 |
|
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
9 Ideally Savane could connect to an existing LDAP, either pre-existing |
|
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
10 or dedicated to Savane, have a separate app for write accesses to |
|
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
11 LDAP, |
|
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
12 |
|
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
13 |
|
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
14 Issues |
|
120
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
15 ====== |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
16 |
|
126
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
17 There are a few issues with using LDAP+Django+Unix: |
|
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
18 |
|
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
19 - (Open)LDAP is much slower than MySQL (20s to list 60000 users, < 1s |
|
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
20 in MySQL without cache). Increasing slapd's cache didn't help. We |
|
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
21 didn't find any way to improve this, and even then, this would mean |
|
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
22 it's hard to install properly and poorly documented. 389DS, another |
|
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
23 free LDAP server implementation, doesn't advertise improved |
|
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
24 performances, and praises OpenLDAP's, so there's little hope there. |
|
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
25 http://directory.fedoraproject.org/wiki/FAQ#How_is_Fedora_Directory_Server_different_from_OpenLDAP.3F |
|
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
26 |
|
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
27 - There's no ORM for LDAP, so much User-related Django code would need |
|
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
28 to be replaced |
|
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
29 |
|
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
30 - There's no official support for LDAP in Django, and what's planned |
|
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
31 is a low-quality, replication based backend (instead of direct, |
|
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
32 synchronized use without caching), that needs to be complemented |
|
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
33 with a cron'd refresh of user profile data (email, real name, etc.) |
|
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
34 |
|
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
35 Backend: http://code.djangoproject.com/ticket/11526 |
|
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
36 Synchro: http://www.djangosnippets.org/snippets/893/ |
|
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
37 |
|
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
38 - Django's "sha1$" passwords are ridiculously incompatible with SSHA |
|
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
39 passwords used by LDAP (among others). |
|
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
40 |
|
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
41 - LDAP queries are limited. For example you cannot use the '<' |
|
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
42 operator on shadowExpire or uidNumber, because you need to alter the |
|
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
43 schema for this, and this is considered bad practice since you're |
|
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
44 diverging from the RFC. This means it's difficult to implement |
|
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
45 sanity checks such as uidNumber >= 1000 when importing system users. |
|
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
46 |
|
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
47 Some solutions: |
|
120
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
48 |
|
126
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
49 - Use slapd-sql so LDAP fetchs the data transparently in SQL. But it's |
| 165 | 50 experimental, we didn't test. |
|
126
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
51 http://www.openldap.org/software/man.cgi?query=slapd-sql |
|
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
52 |
|
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
53 - Export the database to LDAP (instead of the other way around). This |
|
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
54 involves a replication delay. Possible Savane could update LDAP |
|
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
55 when a user ou group information is changed. This means however |
|
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
56 than LDAP isn't the canonical users/groups base anymore - just a |
|
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
57 convenience copy. Also implement a custom Django auth backend with |
|
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
58 support for CRYPT or SSHA passwords. |
|
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
59 |
|
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
60 - Modify 3rd-party apps so they use an external database for |
|
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
61 authentication, instead of using an external LDAP directory. |
|
120
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
62 |
| 165 | 63 - If LDAP is used for the system (Unix) through libnss-ldap(d), the |
|
126
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
64 performances issues are not fixed. Either you need to rely on nscd |
|
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
65 (but this means you'll get a cache delay before changes are taken |
|
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
66 into account, which defeats the point of using libnss-*), either you |
|
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
67 rely on libnss-mysql-bg, which is more efficient (cf. NSS-MYSQL). |
|
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
68 |
|
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
69 |
|
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
70 Plan |
|
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
71 ==== |
|
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
72 |
|
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
73 Currently we plan to: |
|
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
74 |
|
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
75 - Use libnss-mysql-bg (possible switch to libnss-pgsql later) for the |
|
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
76 system. |
|
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
77 |
|
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
78 - Export the DB to LDAP if we need a 3rd-party app with LDAP support |
|
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
79 in the future. |
|
120
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
80 |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
81 |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
82 OpenLDAP |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
83 ======== |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
84 |
|
126
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
85 # Installation notes |
|
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
86 |
|
120
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
87 # - domain: savannah.gnu.org |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
88 # - organisation: (whatever) |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
89 # - Allow LDAPv2 protocol: no |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
90 # - HDB |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
91 |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
92 cat <<EOF | debconf-set-selections |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
93 slapd slapd/no_configuration boolean false |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
94 slapd slapd/domain string savannah.gnu.org |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
95 slapd shared/organization string GNU |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
96 slapd slapd/password2 password admin |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
97 slapd slapd/password1 password admin |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
98 EOF |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
99 |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
100 apt-get --assume-yes install slapd |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
101 #dpkg-reconfigure slapd |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
102 |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
103 # Test: |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
104 #ldapsearch -b 'dc=savannah,dc=gnu,dc=org' -D 'cn=admin,dc=savannah,dc=gnu,dc=org' -w admin -x |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
105 |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
106 # Alternatively: minimal config: |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
107 cat <<EOF > /etc/ldap/slapd.conf: |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
108 pidfile /var/run/slapd/slapd.pid |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
109 modulepath /usr/lib/ldap |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
110 moduleload back_bdb |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
111 include /etc/ldap/schema/core.schema |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
112 sizelimit unlimited |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
113 |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
114 index uid,uidNumber,gidNumber,memberUid,shadowExpire eq |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
115 |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
116 # DB n1 |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
117 database bdb |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
118 directory /var/lib/ldap |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
119 suffix "dc=savannah,dc=gnu,dc=org" |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
120 rootdn "cn=admin,dc=savannah,dc=gnu,dc=org" |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
121 rootpw admin |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
122 |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
123 access to attrs=userPassword,shadowLastChange |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
124 by dn="cn=admin,dc=gnu,dc=org" write |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
125 by anonymous auth |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
126 by self write |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
127 by * none |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
128 EOF |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
129 |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
130 (in all case add the indexes) |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
131 |
|
126
beffb0fafd5e
Update doc about LDAP and libnss-*
Sylvain Beucler <beuc@beuc.net>
parents:
121
diff
changeset
|
132 |
|
120
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
133 Unix auth |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
134 ========= |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
135 |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
136 # Enable user lookup with libnss-ldap. For additional passwords |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
137 # support you'll need libpam-ldap but we don't need it for Savane, |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
138 # since we're using SSH keys instead of passwords. |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
139 |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
140 cat <<EOF | debconf-set-selections |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
141 libnss-ldap shared/ldapns/ldap-server string ldap://127.0.0.1/ |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
142 libnss-ldap shared/ldapns/base-dn string dc=savannah,dc=gnu,dc=org |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
143 libnss-ldap libnss-ldap/rootbinddn string cn=admin,dc=savannah,dc=gnu,dc=org |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
144 libnss-ldap libnss-ldap/rootbindpw password admin |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
145 libnss-ldap shared/ldapns/ldap_version select 3 |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
146 EOF |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
147 |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
148 apt-get --assume-yes install libnss-ldap |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
149 cat <<EOF >> /etc/libnss-ldap.conf |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
150 nss_base_passwd ou=users,dc=savannah,dc=gnu,dc=org |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
151 nss_base_shadow ou=users,dc=savannah,dc=gnu,dc=org |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
152 nss_base_group ou=groups,dc=savannah,dc=gnu,dc=org |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
153 EOF |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
154 |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
155 sed -i -e 's/^\(passwd:.*$\)/\1 ldap/' \ |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
156 -e 's/^\(group:.*$\)/\1 ldap/' \ |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
157 -e 's/^\(shadow:.*$\)/\1 ldap/' \ |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
158 /etc/nsswitch.conf |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
159 |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
160 # Fetching a user's groups is sadly pretty inefficient (e.g. try 'id |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
161 # yourusername'). To compensate, you can install the Name Service |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
162 # Caching Daemon: |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
163 apt-get --assume-yes install nscd |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
164 |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
165 # To avoid user listings to be too long, you can either limit the |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
166 # number of result entries in slapd (sizelimit), or filter out some |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
167 # users, e.g. with nss_base_passwd |
|
8d4b08714c90
Import existing uid/gid; document LDAP setup; no-downtime LDAP repopulation script
Sylvain Beucler <beuc@beuc.net>
parents:
105
diff
changeset
|
168 # ou=users,dc=savannah,dc=gnu,dc=org?sub?!(shadowExpire=10) |