4 069
contributi
Samba e OpenLDAP: creare un controller di dominio con Debian Lenny: differenze tra le versioni
Samba e OpenLDAP: creare un controller di dominio con Debian Lenny (visualizza wikitesto)
Versione delle 16:14, 28 gen 2010
, 28 gen 2010→Configurazione del server LDAP
| Riga 563: | Riga 563: | ||
TLSCACertificateFile /etc/ldap/ssl/cacert.pem | TLSCACertificateFile /etc/ldap/ssl/cacert.pem | ||
sasl-host | sasl-host server.dominio.local | ||
sasl-realm | sasl-realm DOMINIO.LOCAL | ||
# Mapping of SASL authentication identities to LDAP entries | # Mapping of SASL authentication identities to LDAP entries | ||
authz-regexp | authz-regexp | ||
uid=(.+),cn=(.+),cn=.+,cn=auth | uid=(.+),cn=(.+),cn=.+,cn=auth | ||
ldap:///dc= | ldap:///dc=dominio,dc=local??sub?(|(uid=$1)(cn=$1@$2)) | ||
authz-regexp | authz-regexp | ||
uidnumber=0\\\+gidnumber=0,cn=peercred,cn=external,cn=auth | uidnumber=0\\\+gidnumber=0,cn=peercred,cn=external,cn=auth | ||
krb5PrincipalName=ldapmaster/admin@ | krb5PrincipalName=ldapmaster/admin@DOMINIO.LOCAL,ou=KerberosPrincipals,ou=Users,dc=dominio,dc=local | ||
authz-regexp | authz-regexp | ||
gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth | gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth | ||
krb5PrincipalName=ldapmaster/admin@ | krb5PrincipalName=ldapmaster/admin@DOMINIO.LOCAL,ou=KerberosPrincipals,ou=Users,dc=dominio,dc=local | ||
authz-regexp | authz-regexp | ||
uid=(.+),cn=.+,cn=auth | uid=(.+),cn=.+,cn=auth | ||
ldap:///dc= | ldap:///dc=dominio,dc=local??sub?(|(uid=$1)(krb5PrincipalName=$1@DOMINIO.LOCAL)) | ||
sasl-secprops noanonymous | sasl-secprops noanonymous | ||
| Riga 632: | Riga 632: | ||
# The base of your directory in database #1 | # The base of your directory in database #1 | ||
suffix "dc= | suffix "dc=dominio,dc=local" | ||
# rootdn directive for specifying a superuser on the database. This is needed | # rootdn directive for specifying a superuser on the database. This is needed | ||
# for syncrepl. | # for syncrepl. | ||
# rootdn "cn=admin,dc= | # rootdn "cn=admin,dc=dominio,dc=local" | ||
rootdn "krb5PrincipalName=ldapmaster/admin@ | rootdn "krb5PrincipalName=ldapmaster/admin@DOMINIO.LOCAL,ou=KerberosPrincipals,ou=Users,dc=dominio,dc=local" | ||
rootpw {MD5}5S2YxFmBmhF3WTbY37t5KQ== | rootpw {MD5}5S2YxFmBmhF3WTbY37t5KQ== | ||
| Riga 654: | Riga 654: | ||
# Indexing options for database #1 | # Indexing options for database #1 | ||
index mail,mailAlternateAddress,objectClass,deliveryMode,accountStatus,ou pres, | index mail,mailAlternateAddress,objectClass,deliveryMode,accountStatus,ou pres,eq | ||
index cn pres,sub,eq | index cn pres,sub,eq | ||
index sn pres,sub,eq | index sn pres,sub,eq | ||
| Riga 675: | Riga 675: | ||
# Overlay Unique | # Overlay Unique | ||
overlay unique | overlay unique | ||
unique_uri ldap:///dc= | unique_uri ldap:///dc=dominio,dc=local?uidNumber,uid,krb5PrincipalName?sub | ||
unique_uri ldap:///ou=Groups,dc= | unique_uri ldap:///ou=Groups,dc=dominio,dc=local?gidNumber,cn?sub | ||
# Overlay Auditlog | # Overlay Auditlog | ||
| Riga 700: | Riga 700: | ||
# Heimdal User mapping | # Heimdal User mapping | ||
authz-regexp "gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth" | authz-regexp "gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth" | ||
dn="krb5PrincipalName=ldapmaster/admin@ | dn="krb5PrincipalName=ldapmaster/admin@DOMINIO.LOCAL,ou=KerberosPrincipals,ou=Users,dc=dominio,dc=local" | ||
authz-regexp ^uid=([^,]+),cn=[^,]+,cn=auth$ uid=$1,ou=KerberosPrincipals,ou= | authz-regexp ^uid=([^,]+),cn=[^,]+,cn=auth$ uid=$1,ou=KerberosPrincipals,ou=Users,dc=dominio,dc=local" write | ||
# The userPassword by default can be changed | # The userPassword by default can be changed | ||
| Riga 708: | Riga 708: | ||
# admin entry below | # admin entry below | ||
# These access lines apply to database #1 only | # These access lines apply to database #1 only | ||
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet, | access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange,sambaPasswordHistory,krb5Key,krb5KeyVersionNumber | ||
by dn="krb5PrincipalName=ldapmaster/admin@ | by dn="krb5PrincipalName=ldapmaster/admin@DOMINIO.LOCAL,ou=KerberosPrincipals,ou=Users,dc=dominio,dc=local" write | ||
by anonymous auth | by anonymous auth | ||
by self write | by self write | ||
| Riga 722: | Riga 722: | ||
# changes his/her own password. | # changes his/her own password. | ||
access to attrs=shadowLastChange,sambaPwdLastSet,sambaPwdMustChange | access to attrs=shadowLastChange,sambaPwdLastSet,sambaPwdMustChange | ||
by dn="krb5PrincipalName=ldapmaster/admin@ | by dn="krb5PrincipalName=ldapmaster/admin@DOMINIO.LOCAL,ou=KerberosPrincipals,ou=Users,dc=dominio,dc=local" write | ||
by self write | by self write | ||
by * read | by * read | ||
| Riga 740: | Riga 740: | ||
# can read everything. | # can read everything. | ||
access to * | access to * | ||
by dn="krb5PrincipalName=ldapmaster/admin@ | by dn="krb5PrincipalName=ldapmaster/admin@DOMINIO.LOCAL,ou=KerberosPrincipals,ou=Users,dc=dominio,dc=local" write | ||
by * read | by * read | ||
| Riga 746: | Riga 746: | ||
# profile for which they have write access to | # profile for which they have write access to | ||
#access to dn=".*,ou=Roaming,o=morsnet" | #access to dn=".*,ou=Roaming,o=morsnet" | ||
# by dn="cn=admin,dc= | # by dn="cn=admin,dc=dominio,dc=local" write | ||
# by dnattr=owner write | # by dnattr=owner write | ||
| Riga 757: | Riga 757: | ||
# The base of your directory for database #2 | # The base of your directory for database #2 | ||
#suffix "dc=debian,dc=org" | #suffix "dc=debian,dc=org" | ||
</pre> | </pre> | ||
Possiamo far ripartire <tt>slapd</tt> affinché tutte le modifiche apportate siano prese in considerazione. | Possiamo far ripartire <tt>slapd</tt> affinché tutte le modifiche apportate siano prese in considerazione. | ||