Re: ppolicy and rwm/relay segfaulting
And the practical way to have a legacy namespace translation working
together with a nice new LDAP server seems to be:
ldapmaster.example.com <- This is shiny, new namespace, ppolicy and
anything else. It has no legacy crap on it at all.
ldaplegacy.example.com <- Translation server on different machine with a
config roughly like:
slapd.conf
#######################################################################
# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.
#######################################################################
# Global Directives:
# Features to permit
# bind_anon_dn: a bind with a DN but an empty password is accepted as anonymous
# bind_anon_cred: a bind with an empty DN but a non-empty password is accepted as anonymous
# update_anon: anonymous update operations are processed (still subject to the ACLs below)
allow bind_anon_cred bind_anon_dn update_anon
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
#loglevel config sync stats ACL parse
loglevel sync stats
# The maximum number of entries that is returned for a search operation
sizelimit 5000
tool-threads 1
# Where the dynamically loaded modules are stored
modulepath /usr/lib/ldap
moduleload back_ldap
moduleload back_relay
moduleload rwm
# TLS
TLSCipherSuite SECURE256:!AES-128-CBC
TLSCACertificateFile /etc/ssl/certs/CA-example.com.pem
TLSCertificateFile /etc/ldap/ssl/ldaplegacy.example.com.crt
TLSCertificateKeyFile /etc/ldap/ssl/ldaplegacy.example.com.key
# Overlays
overlay rwm
rwm-rewriteEngine on
backend ldap
#######################################################################
# Global ACLs
#
# Note - we are read only as we are a legacy translation proxy.
#
# The userPassword can only be used to authenticate (bind);
# nobody can read it back.
# This ACL must be first or password leakage will happen!!!
access to attrs=userPassword,shadowLastChange
        by * auth
# Ensure read access to the base for things like
# supportedSASLMechanisms.
access to dn.base="" by * read
# Everyone else can read everything; no write access at all.
access to *
        by * read
#######################################################################
# Main example.com relay
#
database ldap
suffix dc=new,dc=example,dc=com
uri ldap://ldapmaster.example.com/
#######################################################################
# Virtual maps - compatibility with cch.kcl.a.cuk only
#
# These are all used by old apache + mod_ldap configs
#
# map ou=staff,dc=old to dc=new
#
database relay
suffix "ou=staff,dc=old,dc=example,dc=com"
relay "dc=new,dc=example,dc=com"
overlay rwm
rwm-suffixmassage "dc=new,dc=example,dc=com"
#
# map ou=external,dc=old to dc=new
#
database relay
suffix "ou=external,dc=old,dc=example,dc=com"
relay "dc=new,dc=example,dc=com"
overlay rwm
rwm-suffixmassage "dc=new,dc=example,dc=com"
######################################################################
It's limited - no write passthrough - but that's not a problem for me. I
can switch NSS and PAM Linux clients over to the new schema and server
fairly easily. This is a catchall for the misc crap - and once I have
enough logging enabled I will be able to locate what is asking for what
LDAP records and hunt down the remaining bad config.
Then when the legacy stuff is gone, ldaplegacy gets turned off - no
changes to ldapmaster - simples :)
--
Tim Watts
Personal Blog:
http://www.dionic.net/tim/
"It would be better to live under robber barons than under omnipotent
moral busybodies."
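The config above warns that the userPassword ACL must come before the catch-all "access to *" or passwords leak. As an added check, not part of the post, the following script parses a slapd.conf and flags ACL sections where a broad catch-all is reached first. It assumes slapd's first-match ACL evaluation, with a database's own ACLs consulted before the global ones; the two sample configs are constructed to resemble the proxy config, not the poster's file.

```python
import re

# 'access to <what> by <who> <level> [by ...]', once continuation lines are joined.
ACL_RE = re.compile(r'^access\s+to\s+(\S.*?)\s+(by\s+.*)$', re.I)
# A 'by' clause granting read or more to everyone, to anonymous, or to any bound user.
BROAD_READ_RE = re.compile(r'^(\*|anonymous|users)\s+(read|write|manage)\b', re.I)

def logical_lines(text):
    """slapd.conf rule: a line starting with whitespace continues the previous one."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        if raw[0].isspace() and out:
            out[-1] += ' ' + raw.strip()
        else:
            out.append(raw.strip())
    return out

def parse_acls(text):
    """Return (db_index, what, [by clauses]) in file order; db_index 0 is the global section."""
    db, acls = 0, []
    for line in logical_lines(text):
        if line.split()[0].lower() == 'database':
            db += 1  # every directive after 'database' belongs to that database
            continue
        m = ACL_RE.match(line)
        if m:
            bys = [b.strip() for b in re.split(r'\bby\s+', m.group(2), flags=re.I) if b.strip()]
            acls.append((db, m.group(1), bys))
    return acls

def find_password_leaks(text):
    """Database indexes where a broad 'access to *' is reached before any userPassword ACL.
    slapd applies the first 'access to' whose <what> matches, so the password ACL is shadowed."""
    leaks, protected = [], set()
    for db, what, bys in parse_acls(text):
        if 'userpassword' in what.lower():
            protected.add(db)
        elif what == '*' and db not in protected and any(BROAD_READ_RE.match(b) for b in bys):
            leaks.append(db)
    return leaks

# Constructed samples modelled on the proxy config in the post, not the poster's file.
SAFE_CONF = """access to attrs=userPassword,shadowLastChange
        by * auth
access to dn.base="" by * read
access to *
        by * read
database relay"""
LEAKY_CONF = """access to * by * read
access to attrs=userPassword,shadowLastChange
        by * auth
database relay
access to * by anonymous read"""
```

Run `find_password_leaks(open('/etc/ldap/slapd.conf').read())` on a real file; an empty list means no section lets a catch-all shadow the password ACL.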