Riga 523: | Riga 523: | ||
slapcat > ~/slapd.ldif | slapcat > ~/slapd.ldif | ||
</pre> | </pre> | ||
Adesso dobbiamo copiare in <tt>/etc/ldap/schema</tt> lo schema LDAP necessario per SAMBA. | Adesso dobbiamo recuperare gli schemi mancanti, che aggiungeremo poi alla configurazione di LDAP, e copiare in <tt>/etc/ldap/schema</tt> lo schema LDAP necessario per SAMBA. | ||
<pre> | <pre> | ||
# wget http://www.pepinet.com/download/samba/hdb.schema -P /etc/ldap/schema/ | |||
# wget http://www.pepinet.com/download/samba/qmailuser.schema -P /etc/ldap/schema/ | |||
# zcat /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz > /etc/ldap/schema/samba.schema | # zcat /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz > /etc/ldap/schema/samba.schema | ||
</pre> | </pre> | ||
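Review bot: The two added wget lines pull hdb.schema and qmailuser.schema over plain http from www.pepinet.com directly into /etc/ldap/schema/, with no integrity check, while the samba.schema line right after them takes its copy from the locally installed package. A schema file is part of the server configuration once slapd includes it, so a modified or stale download silently changes what the directory accepts without any error at startup. Prefer a copy shipped by the distribution where one exists, or fetch over https and verify a published checksum before placing the file, e.g. `wget https://<schema-host>/hdb.schema -O /tmp/hdb.schema && sha256sum -c hdb.schema.sha256` followed by the copy into /etc/ldap/schema/ (host and checksum file are placeholders). A one-line note in the page stating where the two schemas come from and how to verify them would make this reproducible for readers.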
Riga 532: | Riga 534: | ||
</pre> | </pre> | ||
e prendete nota del risultato.<br/> | e prendete nota del risultato.<br/> | ||
Ora occorre modificare il file di configurazione di slapd (<tt>/etc/ldap/slapd.conf</tt>) aggiungendo | Ora occorre modificare pesantemente il file di configurazione di slapd (<tt>/etc/ldap/slapd.conf</tt>) aggiungendo diverse sezioni. Il contenuto del file dovrebbe essere il seguente:<br/> | ||
Il contenuto del file dovrebbe essere il seguente:<br/> | |||
'''/etc/ldap/sldap.conf''': | '''/etc/ldap/sldap.conf''': | ||
<pre> | <pre> | ||
# | ####################################################################### | ||
# Global Directives: | |||
sizelimit 20 | |||
timelimit -1 | |||
threads 8 | |||
# Features to permit | |||
allow bind_v2 | allow bind_v2 | ||
# Schema and objectClass definitions | # Schema and objectClass definitions | ||
include /etc/ldap/schema/core.schema | include /etc/ldap/schema/core.schema | ||
include /etc/ldap/schema/cosine.schema | include /etc/ldap/schema/cosine.schema | ||
include /etc/ldap/schema/nis.schema | include /etc/ldap/schema/nis.schema | ||
include /etc/ldap/schema/inetorgperson.schema | include /etc/ldap/schema/inetorgperson.schema | ||
include /etc/ldap/schema/samba.schema | include /etc/ldap/schema/qmailuser.schema | ||
pidfile /var/run/slapd/slapd.pid | include /etc/ldap/schema/samba.schema | ||
argsfile /var/run/slapd/slapd.args | include /etc/ldap/schema/hdb.schema | ||
loglevel | |||
modulepath /usr/lib/ldap | ######################################################### | ||
moduleload back_bdb | # Configurazione di TLS e SSL | ||
sizelimit 500 | ######################################################### | ||
TLSCertificateFile /etc/ldap/ssl/servercrt.pem | |||
TLSCertificateKeyFile /etc/ldap/ssl/serverkey.pem | |||
TLSCACertificateFile /etc/ldap/ssl/cacert.pem | |||
sasl-host doc.pepinet.local | |||
sasl-realm PEPINET.LOCAL | |||
# Mapping of SASL authentication identities to LDAP entries | |||
authz-regexp | |||
uid=(.+),cn=(.+),cn=.+,cn=auth | |||
ldap:///dc=pepinet,dc=local??sub?(|(uid=$1)(cn=$1@$2)) | |||
authz-regexp | |||
uidnumber=0\\\+gidnumber=0,cn=peercred,cn=external,cn=auth | |||
krb5PrincipalName=ldapmaster/admin@PEPINET.LOCAL,ou=KerberosPrincipals,ou=Use$ | |||
authz-regexp | |||
gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth | |||
krb5PrincipalName=ldapmaster/admin@PEPINET.LOCAL,ou=KerberosPrincipals,ou=Use$ | |||
authz-regexp | |||
uid=(.+),cn=.+,cn=auth | |||
ldap:///dc=pepinet,dc=local??sub?(|(uid=$1)(krb5PrincipalName=$1@PEPINET.LOCA$ | |||
sasl-secprops noanonymous | |||
security ssf=0 | |||
##################################################### | |||
# Fine blocco TLS e SSL | |||
##################################################### | |||
# Where the pid file is put. The init.d script | |||
# will not stop the server if you change this. | |||
pidfile /var/run/slapd/slapd.pid | |||
# List of arguments that were passed to the server | |||
argsfile /var/run/slapd/slapd.args | |||
# Read slapd.conf(5) for possible values | |||
loglevel none | |||
# Where the dynamically loaded modules are stored | |||
modulepath /usr/lib/ldap | |||
moduleload back_bdb | |||
moduleload unique | |||
moduleload auditlog | |||
# The maximum number of entries that is returned for a search operation | |||
#sizelimit 500 | |||
# The tool-threads parameter sets the actual amount of cpu's that is used | |||
# for indexing. | |||
tool-threads 1 | tool-threads 1 | ||
backend bdb | |||
####################################################################### | |||
database bdb | # Specific Backend Directives for bdb: | ||
suffix "dc= | # Backend specific directives apply to this backend until another | ||
rootdn "cn=admin,dc= | # 'backend' directive occurs | ||
rootpw {MD5} | backend bdb | ||
directory "/var/lib/ldap" | |||
####################################################################### | |||
# Specific Backend Directives for 'other': | |||
# Backend specific directives apply to this backend until another | |||
# 'backend' directive occurs | |||
#backend <other> | |||
####################################################################### | |||
# Specific Directives for database #1, of type bdb: | |||
# Database specific directives apply to this databasse until another | |||
# 'database' directive occurs | |||
database bdb | |||
# The base of your directory in database #1 | |||
suffix "dc=pepinet,dc=local" | |||
# rootdn directive for specifying a superuser on the database. This is needed | |||
# for syncrepl. | |||
# rootdn "cn=admin,dc=pepinet,dc=local" | |||
rootdn "krb5PrincipalName=ldapmaster/admin@PEPINET.LOCAL,ou=KerberosPr$ | |||
rootpw {MD5}5S2YxFmBmhF3WTbY37t5KQ== | |||
# Where the database file are physically stored for database #1 | |||
directory "/var/lib/ldap" | |||
# The dbconfig settings are used to generate a DB_CONFIG file the first | |||
# time slapd starts. | |||
dbconfig set_cachesize 0 2097152 0 | dbconfig set_cachesize 0 2097152 0 | ||
# Number of objects that can be locked at the same time. | |||
dbconfig set_lk_max_objects 1500 | dbconfig set_lk_max_objects 1500 | ||
# Number of locks (both requested and granted) | |||
dbconfig set_lk_max_locks 1500 | dbconfig set_lk_max_locks 1500 | ||
# Number of lockers | |||
dbconfig set_lk_max_lockers 1500 | dbconfig set_lk_max_lockers 1500 | ||
index | |||
# Indexing options for database #1 | |||
index | index mail,mailAlternateAddress,objectClass,deliveryMode,accountStatus,ou pres,$ | ||
index | index cn pres,sub,eq | ||
index displayName | index sn pres,sub,eq | ||
index | index uid pres,sub,eq | ||
index sambaSID eq | index displayName pres,sub,eq | ||
index sambaPrimaryGroupSID eq | index uidNumber eq | ||
index sambaDomainName eq | index gidNumber eq | ||
index | index memberUID eq | ||
index | index sambaSID eq | ||
index | index sambaPrimaryGroupSID eq | ||
index sambaDomainName eq | |||
lastmod on | index mailHost eq | ||
access to attrs=userPassword,sambaNTPassword,sambaLMPassword, | index givenName pres,sub,eq | ||
by dn=" | index default sub | ||
by anonymous auth | index krb5PrincipalName,krb5PrincipalRealm eq,pres | ||
by self write | |||
by * none | # Password Hash Definition | ||
access to attrs=shadowLastChange, | password-hash {MD5} | ||
# Overlay Unique | |||
overlay unique | |||
unique_uri ldap:///dc=pepinet,dc=local?uidNumber,uid,krb5PrincipalName?sub | |||
unique_uri ldap:///ou=Groups,dc=pepinet,dc=local?gidNumber,cn?sub | |||
# Overlay Auditlog | |||
overlay auditlog | |||
auditlog /var/log/ldapchanges.log | |||
# Save the time that the entry gets modified, for database #1 | |||
lastmod on | |||
# Checkpoint the BerkeleyDB database periodically in case of system | |||
# failure and to speed slapd shutdown. | |||
checkpoint 512 30 | |||
# Where to store the replica logs for database #1 | |||
# replogfile /var/lib/ldap/replog | |||
#################################################### | |||
# Configurazione permessi per i vari utenti | |||
# dell'albero LDAP | |||
#################################################### | |||
# Heimdal User mapping | |||
authz-regexp "gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth" | |||
dn="krb5PrincipalName=ldapmaster/admin@PEPINET.LOCAL,ou=KerberosPrincip$ | |||
authz-regexp ^uid=([^,]+),cn=[^,]+,cn=auth$ uid=$1,ou=KerberosPrincipals,ou=Use$ | |||
# The userPassword by default can be changed | |||
# by the entry owning it if they are authenticated. | |||
# Others should not be able to see it, except the | |||
# admin entry below | |||
# These access lines apply to database #1 only | |||
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sa$ | |||
by dn="krb5PrincipalName=ldapmaster/admin@PEPINET.LOCAL,ou=KerberosPrin$ | |||
by anonymous auth | |||
by self write | |||
by * none | |||
# Everyone must be able to read password expiry attributes, | |||
# if you are not granting rootdn access to workstations. | |||
# Otherwise, the client system won't be able to know if | |||
# user's password has expired, and will prompt him/her to | |||
# change his/her password everytime he/she logs in. | |||
# The owner must also be able to write it when he/she | |||
# changes his/her own password. | |||
access to attrs=shadowLastChange,sambaPwdLastSet,sambaPwdMustChange | |||
by dn="krb5PrincipalName=ldapmaster/admin@PEPINET.LOCAL,ou=KerberosPrin$ | |||
by self write | by self write | ||
by * read | by * read | ||
# Ensure read access to the base for things like | |||
# supportedSASLMechanisms. Without this you may | |||
# have problems with SASL not knowing what | |||
# mechanisms are available and the like. | |||
# Note that this is covered by the 'access to *' | |||
# ACL below too but if you change that as people | |||
# are wont to do you'll still need this if you | |||
# want SASL (and possible other things) to work | |||
# happily. | |||
access to dn.base="" by * read | access to dn.base="" by * read | ||
# The admin dn has full write access, everyone else | |||
# can read everything. | |||
access to * | access to * | ||
by dn="cn=admin,dc= | by dn="krb5PrincipalName=ldapmaster/admin@PEPINET.LOCAL,ou=KerberosPrin$ | ||
by | by * read | ||
# For Netscape Roaming support, each user gets a roaming | |||
# profile for which they have write access to | |||
#access to dn=".*,ou=Roaming,o=morsnet" | |||
# by dn="cn=admin,dc=pepinet,dc=local" write | |||
# by dnattr=owner write | |||
####################################################################### | |||
# Specific Directives for database #2, of type 'other' (can be bdb too): | |||
# Database specific directives apply to this databasse until another | |||
# 'database' directive occurs | |||
#database <other> | |||
# The base of your directory for database #2 | |||
#suffix "dc=debian,dc=org" | |||
</pre> | </pre> | ||
Possiamo far ripartire <tt>slapd</tt> affinché tutte le modifiche apportate siano prese in considerazione. | Possiamo far ripartire <tt>slapd</tt> affinché tutte le modifiche apportate siano prese in considerazione. |