
Re: ppolicy and rwm/relay segfaulting

And the practical way to have a legacy namespace translation working
together with a nice new LDAP server seems to be:

ldapmaster.example.com <- This is the shiny, new namespace, ppolicy and
anything else. It has no legacy crap on it at all.

ldaplegacy.example.com <- Translation server on different machine with a
config roughly like:

slapd.conf
#######################################################################
# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.

#######################################################################
# Global Directives:

# Features to permit
allow bind_anon_cred bind_anon_dn update_anon

# Schema and objectClass definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema

pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args
#loglevel        config sync stats ACL parse
loglevel        sync stats

# The maximum number of entries that is returned for a search operation
sizelimit 5000
tool-threads 1

# Where the dynamically loaded modules are stored
modulepath      /usr/lib/ldap
moduleload      back_ldap
moduleload      back_relay
moduleload      rwm

# TLS
TLSCipherSuite          SECURE256:!AES-128-CBC
TLSCACertificateFile    /etc/ssl/certs/CA-example.com.pem
TLSCertificateFile      /etc/ldap/ssl/ldaplegacy.example.com.crt
TLSCertificateKeyFile   /etc/ldap/ssl/ldaplegacy.example.com.key

# Overlays
overlay rwm
rwm-rewriteEngine on

backend         ldap

#######################################################################
# Global ACLs
#

# Note - we are read only as we are a legacy translation proxy.

# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# This ACL must be first or password leakage will happen!!!
# (ACLs are evaluated in order; the first "access to" whose target
# matches decides, so this must precede "access to *".)
access to attrs=userPassword,shadowLastChange
        by * auth

# Ensure read access to the base for things like
# supportedSASLMechanisms.
access to dn.base="" by * read

# The admin dn has full write access, everyone else
# can read everything. Local unix domain socket (root only)
# Can do everything
access to *
        by * read

#######################################################################
# Main example.com relay
#

database        ldap
suffix          dc=new,dc=example,dc=com
uri             ldap://ldapmaster.example.com/

#######################################################################
# Virtual maps - compatibility with cch.kcl.a.cuk only
#

#
# These are all used by old apache + mod_ldap configs
#

#
# map ou=staff,dc=old to dc=new
#
database                relay
suffix                  "ou=staff,dc=old,dc=example,dc=com"
relay                   "dc=new,dc=example,dc=com"
overlay                 rwm
rwm-suffixmassage       "dc=new,dc=example,dc=com"
#
# map ou=external,dc=old to dc=new
#
database                relay
suffix                  "ou=external,dc=old,dc=example,dc=com"
relay                   "dc=new,dc=example,dc=com"
overlay                 rwm
rwm-suffixmassage       "dc=new,dc=example,dc=com"

######################################################################


It's limited - no write passthrough - but that's not a problem for me. I can switch NSS and PAM Linux clients over to the new schema and server fairly easily. This is a catchall for the misc crap - and once I have enough logging enabled I will be able to locate what is asking for what LDAP records and hunt down the remaining bad config.

Then when the legacy stuff is gone, ldaplegacy gets turned off - no changes to ldapmaster - simples :)

--
Tim Watts
Personal Blog:
http://www.dionic.net/tim/

"It would be better to live under robber barons than under omnipotent
moral busybodies."
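The two mechanisms the configuration above leans on are worth seeing worked through: slapo-rwm's suffix massage, which rewrites a DN under a relay database's virtual suffix (ou=staff,dc=old,dc=example,dc=com) to the real suffix (dc=new,dc=example,dc=com) on the way in and back again on the way out, and slapd's first-match ACL evaluation, which is why the userPassword clause has to come before "access to *". The Python below is an added illustration, not OpenLDAP code or anything from the post; the helpers massage_dn and first_match and the sample DNs are constructed for this example, and the DN handling is deliberately simplified compared with slapd's real normalisation.

```python
"""Simplified model of suffix massage and first-match ACLs (hypothetical
helpers for illustration; not OpenLDAP's implementation)."""
import re

# Suffixes taken from the relay database in the post.
VIRTUAL = "ou=staff,dc=old,dc=example,dc=com"   # relay "suffix"
REAL = "dc=new,dc=example,dc=com"               # "rwm-suffixmassage" target


def split_dn(dn):
    """Split a DN into its RDN strings on unescaped commas."""
    return [p.strip() for p in re.split(r'(?<!\\),', dn) if p.strip()]


def normalise(rdn):
    """Lower-case attribute type and value so DNs compare case-insensitively.
    (Comparison only; the original spelling is kept in the rewritten DN.)"""
    attr, _, value = rdn.partition("=")
    return attr.strip().lower() + "=" + value.strip().lower()


def massage_dn(dn, from_suffix, to_suffix):
    """Rewrite the suffix of dn from from_suffix to to_suffix.

    Returns None when dn is not under from_suffix: slapd would not route
    such a request to this relay database in the first place.
    The same function serves both directions: request DNs go
    virtual -> real, result DNs go real -> virtual.
    """
    parts = split_dn(dn)
    suffix = split_dn(from_suffix)
    if len(parts) < len(suffix):
        return None
    cut = len(parts) - len(suffix)
    if [normalise(r) for r in parts[cut:]] != [normalise(r) for r in suffix]:
        return None
    return ",".join(parts[:cut] + split_dn(to_suffix))


def first_match(acls, attr):
    """Return the access level granted by the first matching ACL clause.

    acls is an ordered list of (attrs, level): attrs is a set of lower-case
    attribute names, or None for an "access to *" clause. In this model a
    request matching no clause is denied ("none").
    """
    for attrs, level in acls:
        if attrs is None or attr.lower() in attrs:
            return level
    return "none"


# The ordering from the post, and the broken ordering it warns against.
PASSWORD_FIRST = [({"userpassword", "shadowlastchange"}, "auth"),
                  (None, "read")]
WILDCARD_FIRST = [(None, "read"),
                  ({"userpassword", "shadowlastchange"}, "auth")]


def demo():
    """Round-trip a constructed legacy DN and compare the two ACL orders."""
    legacy_dn = "uid=tim,ou=staff,dc=old,dc=example,dc=com"   # constructed
    real_dn = massage_dn(legacy_dn, VIRTUAL, REAL)             # request path
    back = massage_dn(real_dn, REAL, VIRTUAL)                  # result path
    return {
        "request": real_dn,
        "result": back,
        "userPassword_correct_order": first_match(PASSWORD_FIRST, "userPassword"),
        "userPassword_wrong_order": first_match(WILDCARD_FIRST, "userPassword"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the legacy DN becoming uid=tim,dc=new,dc=example,dc=com for the request to ldapmaster and being mapped back for the client, and that with "access to *" first, userPassword would be granted "read" instead of "auth".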