[Debian-sf-users] Re: Problem with debian SF install
From: |
Christian BAYLE |
Subject: |
[Debian-sf-users] Re: Problem with debian SF install |
Date: |
Thu, 08 Nov 2001 15:18:44 +0100 |
Emil Entchev wrote:
>
> Das sind die drei dateien die du willst.
>
> mein FQDN ist monet.da.t-online.net:
>
> Danke Ciao
> Emil
>
> Ich denke dass es ist etwas schlecht mit ldap/libnss-ldap config
> > You must check carefully
> > /etc/libnss-ldap.conf
> > /etc/ldap/slapd.conf
> > /etc/nsswitch.conf
> >
> > Du kanst mir das sendenn mit dein FQDN
> Encoding: base64
in libnss-ldap.conf
base line was not good
You probably entered bad DN in ldap config
I recommend that you run
dpkg-reconfigure slapd, then dpkg-reconfigure libnss-ldap, then dpkg-reconfigure sourceforge
(one after the other -- joining them with "&" as a shell command would just background them)
and take care to enter the right base DN for your FQDN, i.e.
dc=monet,dc=da,dc=t-online,dc=net
There are still some bugs in /usr/lib/sourceforge/bin/install-ldap.sh:
the LDAP cleanup done on uninstall is far too aggressive ("purge" ends by
running "init", which stops slapd and deletes every /var/lib/ldap/*.dbb
file, i.e. the whole local directory, not only the Sourceforge entries).
You can try the attached file; back up /var/lib/ldap first, then run
install-ldap.sh purge
install-ldap.sh configure
Note that the script hands the admin password to ldapadd/ldapmodify/ldapdelete
with -w on the command line, so it is visible in "ps" while they run.
Cheers
Christian
#! /bin/sh
#
# $Id: install-ldap.sh,v 1.11.2.2 2001/11/08 00:12:05 cbayle Exp $
#
# Configure LDAP for Sourceforge
# Christian Bayle, Roland Mas, debian-sf (Sourceforge for Debian)
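set -e
# Everything except "list" rewrites files under /etc and talks to slapd as
# the directory admin, so re-run ourselves through su when not already root.
# The verb is checked against the known set before it is spliced into the
# command string su hands to a shell, and "$0" is single-quoted so a script
# path containing spaces is not word-split (a path containing a single quote
# is still unsupported).
if [ "$(id -u)" != 0 ] && [ "x$1" != "xlist" ] ; then
  case "$1" in
    configure|update|purge|empty|init|test) ;;
    *) echo "Usage: $0 {configure|update|purge|list|empty|init|test}" >&2 ; exit 1 ;;
  esac
  echo "You must be root to run this, please enter passwd"
  exec su -c "'$0' $1"
fi
# slapadd/slappasswd live in /usr/sbin, which a non-login shell may lack.
PATH=$PATH:/usr/sbin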
# Should I do something for /etc/pam_ldap.conf ?
# Placeholder for /etc/pam_ldap.conf handling: nothing is edited there yet,
# the function only reports that and returns success.
modify_pam_ldap(){
  printf '%s\n' "Nothing to do"
}
# Check/Modify /etc/libnss-ldap.conf
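# Check/Modify /etc/libnss-ldap.conf
#
# $1 - base DN the directory is rooted at (e.g. dc=example,dc=net)
# $2 - path of the nss_ldap configuration file (optional, defaults to
#      /etc/libnss-ldap.conf; lets the function be exercised on a scratch copy)
#
# Warns when the "base" line does not name $1, makes sure a "rootbinddn"
# line exists (appended once, preceded by the marker line purge_libnss_ldap
# recognises) and makes the file world-readable so unprivileged processes
# can resolve uid/gid through LDAP.
modify_libnss_ldap(){
  dn=$1
  conf=${2:-/etc/libnss-ldap.conf}
  # Check if DN is correct ("." and "[ ]*" absorb the separator after base)
  if ! grep -q "^base.[ ]*$dn" "$conf" ; then
    echo "WARNING: Probably incorrect base line in $conf"
  fi
  # The file must be world-readable (every user's processes read it to see
  # LDAP-stored uid/gid), which is only safe while no bindpw is kept in it:
  # the privileged credential belongs in /etc/ldap.secret (mode 600) behind
  # rootbinddn. Refuse to loosen the mode if someone has added a bindpw.
  if grep -q "^bindpw" "$conf" ; then
    echo "WARNING: $conf contains a bindpw line; leaving its mode unchanged"
    echo "         (move the credential to rootbinddn + /etc/ldap.secret)"
  else
    chmod 644 "$conf"
  fi
  # rootbinddn is what lets root-run lookups bind with the admin identity
  # and so display uid/gid. Should be cn=admin,ou=People,dc=...
  if ! grep -q "^rootbinddn" "$conf" ; then
    echo "# Next line added by Sourceforge install" >>"$conf"
    echo "rootbinddn cn=admin,ou=People,$dn" >>"$conf"
  fi
}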
# Purge /etc/libnss-ldap.conf
purge_libnss_ldap(){
perl -pi -e "s/^# Next line added by Sourceforge install\n/#SF#/g"
/etc/libnss-ldap.conf
perl -pi -e "s/^#SF#.*\n//g" /etc/libnss-ldap.conf
}
# Modify /etc/ldap/slapd.conf
# Modify /etc/ldap/slapd.conf
#
# $1 - base DN of the directory (dc=...)
#
# Runs once (guarded by the "Sourceforge" marker): rewrites slapd.conf so the
# schema files listed below are included (existing includes are commented
# out and the five are re-added at the top), then splices Sourceforge ACLs
# in front of the existing "access to attribute=userPassword" and
# "access to *" rules. Every change is tagged so purge_slapd can undo it.
# Does not restart slapd; the caller does that.
modify_slapd(){
dn=$1
# Maybe should comment referral line too
echo "WARNING: Please check referal line in /etc/ldap/slapd.conf"
# Debian config by default only include core schema
if ! grep -q "Sourceforge" /etc/ldap/slapd.conf ; then
rm -f /etc/ldap/slapd.conf.sourceforge
# The new file is built up with >> and later mv'd over slapd.conf.
for schema in /etc/ldap/schema/core.schema \
/etc/ldap/schema/cosine.schema \
/etc/ldap/schema/inetorgperson.schema \
/etc/ldap/schema/nis.schema \
/etc/sourceforge/sourceforge.schema
do
# $schema is interpolated unescaped into grep and perl patterns; fine for
# these fixed paths ("." only over-matches).
if ! grep -q "^include.[ ]*$schema"
/etc/ldap/slapd.conf ; then
echo "include $schema #Added by Sourceforge
install" >>/etc/ldap/slapd.conf.sourceforge
echo "Adding $schema"
else
echo "Commenting $schema"
# NOTE(review): "export schema" suggests the intent was to read the shell
# variable inside perl, but "\$schema" is a perl variable that is never set,
# so the pattern degenerates to "^include.[ ]*" and comments out EVERY
# include line, not only the duplicate. The loop re-adds the five schemas
# listed above, so a default Debian config still comes out right, but any
# other include is lost until purge_slapd restores it. $ENV{schema} in the
# perl code would be the fix -- confirm before changing.
export schema
perl -pi -e "s/^include.[
]*\$schema/#Comment by Sourceforge install#include \$schema/g"
/etc/ldap/slapd.conf
echo "include $schema #Added by Sourceforge
install" >>/etc/ldap/slapd.conf.sourceforge
echo "Adding $schema"
fi
done
# NOTE(review): the replacement file was created under the current umask and
# is mv'd into place, so the mode/owner of the original slapd.conf are not
# preserved. slapd.conf may hold a rootpw -- confirm it does not need to
# stay 0600/0640 (or chmod it after the mv).
cat /etc/ldap/slapd.conf >>/etc/ldap/slapd.conf.sourceforge
mv /etc/ldap/slapd.conf.sourceforge /etc/ldap/slapd.conf
# Then write access for SF_robot
# $dn is interpolated into the perl s/// both as pattern text and in the
# replacement; a DN containing "/", "$" or "@" would break the substitution
# (dc= components, as used here, are safe). The existing userPassword rule
# is kept and only gains an SF_robot write clause in first position.
perl -pi -e "s/access to attribute=userPassword/# Next second
line added by Sourceforge install
access to attribute=userPassword
by dn=\"cn=SF_robot,$dn\" write/" /etc/ldap/slapd.conf
# The rules below give admin and SF_robot write access to the People, Group
# and cvsGroup subtrees and let every other bind -- anonymous included --
# read them ("by * read"). NOTE(review): anonymous read of the whole account
# tree is what libnss-ldap needs here, but it also exposes the directory to
# anyone who can reach the LDAP port -- confirm that is acceptable.
perl -pi -e "s/access to \*/# Next lines added by Sourceforge
install
access to dn=\".*,ou=People,$dn\"
by dn=\"cn=admin,ou=People,$dn\" write
by dn=\"cn=SF_robot,$dn\" write
by * read
access to dn=\"ou=People,$dn\"
by dn=\"cn=admin,ou=People,$dn\" write
by dn=\"cn=SF_robot,$dn\" write
by * read
access to dn=\"ou=Group,$dn\"
by dn=\"cn=admin,ou=People,$dn\" write
by dn=\"cn=SF_robot,$dn\" write
by * read
access to dn=\"ou=cvsGroup,$dn\"
by dn=\"cn=admin,ou=People,$dn\" write
by dn=\"cn=SF_robot,$dn\" write
by * read
# End of sourceforge add
access to */" /etc/ldap/slapd.conf
# Then this SASL things I was looking for several days
# But that is useless in fact ;-)
#cat >> /etc/ldap/slapd.conf <<-FIN
#sasl-realm localhost #Added by Sourceforge install
#sasl-host localhost #Added by Sourceforge install
#FIN
#/etc/init.d/slapd restart
fi
}
# Purge /etc/ldap/slapd.conf
# Purge /etc/ldap/slapd.conf
#
# Undoes modify_slapd: drops the lines it appended, restores the include
# lines it commented out, and deletes the ACL block it spliced in.
# Also run at the start of "configure" so a re-run starts from a clean file.
purge_slapd(){
# Lines tagged "#Added by Sourceforge install" are removed outright; the
# "#Comment by Sourceforge install#" prefix is stripped to re-enable the
# original include lines.
perl -pi -e "s/^.*#Added by Sourceforge install\n//"
/etc/ldap/slapd.conf
perl -pi -e "s/#Comment by Sourceforge install#//" /etc/ldap/slapd.conf
# The ACL block only exists if modify_slapd ran; skip the ex script otherwise.
if grep -q "Next lines added by Sourceforge install" /etc/ldap/slapd.conf
then
# ex-mode script: each "/pattern" jumps to the next match and ":d" deletes
# that line. The first pair removes the userPassword marker, the second the
# SF_robot write clause below it; marks a and b then bracket the
# "Next lines ... End of sourceforge add" block, which is deleted as a range.
# NOTE(review): if one of the patterns is missing (a hand-edited file), ex
# reports an error and the remaining commands act on the current line; only
# the grep above guards this, so a partially edited file is not detected.
vi -e /etc/ldap/slapd.conf <<-FIN
/# Next second line added by Sourceforge install
:d
/SF_robot
:d
/# Next lines added by Sourceforge install
:ma a
/# End of sourceforge add
:ma b
:'a,'bd
:w
:x
FIN
fi
}
# Modify /etc/nsswitch.conf
modify_nsswitch()
{
# This is sensitive file
if ! grep -q "Sourceforge" /etc/nsswitch.conf ; then
# By security i let priority to files
# Should maybe enhance this to take in account nis
# Maybe ask the order db/files/nis/ldap
perl -pi -e "s/^passwd/passwd files ldap #Added by
Sourceforge install\n#Comment by Sourceforge install#passwd/g"
/etc/nsswitch.conf
perl -pi -e "s/^group/group files ldap #Added by
Sourceforge install\n#Comment by Sourceforge install#group/g" /etc/nsswitch.conf
perl -pi -e "s/^shadow/shadow files ldap #Added by
Sourceforge install\n#Comment by Sourceforge install#shadow/g"
/etc/nsswitch.conf
fi
}
# Purge /etc/nsswitch.conf
purge_nsswitch()
{
perl -pi -e "s/^.*#Added by Sourceforge install\n//" /etc/nsswitch.conf
perl -pi -e "s/#Comment by Sourceforge install#//" /etc/nsswitch.conf
}
# Load ldap database from sourceforge database
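# Load ldap database from sourceforge database
#
# $1 - naming context (base DN) the entries live under
# $2 - clear-text password of cn=admin,ou=People,$1; when empty nothing is
#      loaded and a warning is printed
#
# Dumps the SQL database to LDIF with sql2ldif.pl and pushes it into the
# local slapd, first with ldapadd (new entries) then with ldapmodify
# (existing ones). Both runs are best effort: errors are swallowed.
load_ldap(){
  naming_context=$1
  secret=$2
  if [ "x$secret" != "x" ]
  then
    echo "Distinguished Name is $naming_context"
    echo "Creating ldif file from database"
    # The LDIF holds every account (password hashes included) and is read
    # back as root, so it must not be a predictable /tmp name that a local
    # user could pre-create or symlink. mktemp gives a fresh private file;
    # the trap removes it even if sql2ldif.pl or ldapadd aborts under set -e.
    tmpldif=$(mktemp /tmp/ldif.XXXXXX)
    trap 'rm -f "$tmpldif"' EXIT
    /usr/lib/sourceforge/bin/sql2ldif.pl >"$tmpldif"
    echo "Filling LDAP with database"
    # Only if the ldap server is local
    # Maybe ask for the password, but will simple authentication
    # be allowed on a remote server ?
    #VERBOSE=-v
    # -v Use verbose mode, with many diagnostics written to standard output.
    # -c Continuous operation mode. Errors are reported, but ldapmodify
    #    will continue with modifications. The default is to exit after
    #    reporting an error.
    # -x Use simple authentication instead of SASL.
    # -w passwd Use passwd as the password for simple authentication.
    #    NOTE(review): the password is on the command line and visible in
    #    ps while the tools run; newer ldapadd versions can read it from a
    #    file (-y) -- switch when the installed version supports it.
    # -r Replace existing values by default.
    # add with -r don't modify and modify don't add so i do add and modify.
    # $VERBOSE is intentionally unquoted: empty means "no extra option".
    set +e
    ldapadd $VERBOSE -r -c -D "cn=admin,ou=People,$naming_context" -x -w"$secret" -f "$tmpldif" > /dev/null 2>&1
    ldapmodify $VERBOSE -r -c -D "cn=admin,ou=People,$naming_context" -x -w"$secret" -f "$tmpldif" > /dev/null 2>&1
    set -e
    rm -f "$tmpldif"
    trap - EXIT
  else
    # The secret normally comes from /etc/ldap.secret (see setup_vars).
    echo "WARNING: Can't load ldap table without /etc/ldap.secret file"
    echo "AFAIK : This file should be installed by libpam-ldap"
  fi
}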
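# Print the minimal LDIF a freshly initialised directory needs.
#
# $1 - base DN (suffix) of the directory, assumed to start with a dc= RDN
#      as everywhere else in this script (e.g. dc=example,dc=net)
# $2 - password hash for the admin entry, as produced by slappasswd
#
# Emits, on stdout, the suffix entry, ou=People, the cn=admin entry used
# as the directory administrator by the rest of the script, and ou=Roaming.
print_ldif_default(){
  dn=$1
  cryptedpasswd=$2
  # The suffix entry's dc attribute must carry the value of its own RDN
  # (dc=monet,... -> "dc: monet"); the former hard-coded "dc: rd" only
  # matched one site's suffix. Take the first RDN of $dn, drop "dc=".
  first_rdn=${dn%%,*}
  dc_value=${first_rdn#*=}
  # The admin entry is given the usual class pair for an account-like entry
  # (organizationalRole for cn, simpleSecurityObject for userPassword);
  # "top" alone allows neither attribute under schema checking.
  cat <<FIN
dn: $dn
objectClass: top
objectClass: domain
dc: $dc_value

dn: ou=People, $dn
objectClass: top
objectClass: organizationalUnit
ou: People

dn: cn=admin, ou=People, $dn
objectClass: top
objectClass: organizationalRole
objectClass: simpleSecurityObject
userPassword: $cryptedpasswd
cn: admin

dn: ou=Roaming, $dn
objectClass: top
objectClass: organizationalUnit
ou: Roaming
FIN
}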
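# Read one double-quoted value out of a Sourceforge config file.
#
# $1 - key to look for (matched as a substring of the line, as before)
# $2 - file to read
#
# Prints the text between the first pair of double quotes on the matching
# line(s); empty when the key or the file is absent (the grep error goes to
# stderr, the pipeline's status is cut's, so set -e does not trip).
sf_conf_value(){
  grep "$1" "$2" | cut -d\" -f2
}
# Populate the globals the other functions rely on:
#   sys_ldap_base_dn, sys_ldap_admin_dn, sys_ldap_bind_dn  (from local.inc)
#   sys_ldap_passwd                                         (from database.inc)
#   secret         clear-text admin password
#   cryptedpasswd  the same, hashed with slappasswd ({CRYPT})
setup_vars() {
  sys_ldap_base_dn=$(sf_conf_value sys_ldap_base_dn /etc/sourceforge/local.inc)
  sys_ldap_admin_dn=$(sf_conf_value sys_ldap_admin_dn /etc/sourceforge/local.inc)
  sys_ldap_bind_dn=$(sf_conf_value sys_ldap_bind_dn /etc/sourceforge/local.inc)
  sys_ldap_passwd=$(sf_conf_value sys_ldap_passwd /etc/sourceforge/database.inc)
  # /etc/ldap.secret (the rootbinddn credential, mode 600) wins over the
  # password kept in database.inc; fall back to the latter when it is
  # missing or unreadable.
  if [ -f /etc/ldap.secret ] ; then
    secret=$(cat /etc/ldap.secret) || secret=$sys_ldap_passwd
  else
    secret=$sys_ldap_passwd
  fi
  # NOTE(review): the clear-text secret goes on slappasswd's command line and
  # is visible in ps for the duration; slappasswd -T <file> avoids that where
  # the installed version supports it.
  cryptedpasswd=$(slappasswd -s "$secret" -h "{CRYPT}")
}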
# Setup SF_robot Passwd
# Setup SF_robot Passwd
#
# Creates the Replicator and SF_robot entries directly under the base DN
# (best effort, so re-runs are harmless), sets SF_robot's password to the
# admin secret, then verifies the new credential and the ACL from
# modify_slapd by writing to the uid=dummy entry as SF_robot.
# Uses the globals filled in by setup_vars; the secret is passed to the
# ldap tools with -w, i.e. it is visible in ps while they run.
setup_robot() {
setup_vars
# The first account is only used in a multiserver SF
echo "Adding robot accounts"
# Both robots get userPassword {crypt}x: "x" is not a valid crypt hash, so
# neither can bind until the value is replaced. SF_robot's is replaced just
# below; Replicator's is not touched here (presumably set when a replica is
# configured -- confirm).
# Errors (typically "already exists") are swallowed on purpose.
set +e
ldapadd -r -c -D "$sys_ldap_admin_dn" -x -w"$secret" >/dev/null 2>&1
<<-FIN
dn: cn=Replicator,$sys_ldap_base_dn
cn: Replicator
sn: Replicator the Robot
description: empty
objectClass: top
objectClass: person
userPassword: {crypt}x
dn: cn=SF_robot,$sys_ldap_base_dn
cn: SF_robot
sn: SF the Robot
description: empty
objectClass: top
objectClass: person
userPassword: {crypt}x
FIN
set -e
echo "Changing SF_robot passwd using admin account"
# $sys_ldap_bind_dn is expected to be the SF_robot DN; the robot ends up
# with the same password as the admin account.
ldapmodify -v -c -D "$sys_ldap_admin_dn" -x -w"$secret" >/dev/null
<<-FIN
dn: $sys_ldap_bind_dn
changetype: modify
replace: userPassword
userPassword: $cryptedpasswd
FIN
echo "Testing LDAP"
#naming_context=$(ldapsearch -x -b '' -s base '(objectclass=*)'
namingContexts | grep "namingContexts:" | cut -d" " -f2)
echo "Changing dummy cn using SF_robot account"
# Smoke test: a write as SF_robot only succeeds if the new password and the
# People-subtree ACL are both in effect. Expects uid=dummy under ou=People
# to exist already (presumably loaded by load_ldap -- confirm).
ldapmodify -v -c -D "$sys_ldap_bind_dn" -x -w"$secret" >/dev/null <<-FIN
dn: uid=dummy,ou=People,$sys_ldap_base_dn
changetype: modify
replace: cn
cn: Dummy User Tested
FIN
# No matching set -x above; this is a harmless no-op.
set +x
}
# Main
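# Main
#
# Usage: install-ldap.sh {configure|update|purge|list|empty|init|test}
#   configure  wire slapd/nss_ldap/nsswitch for Sourceforge, load the
#              directory from the SQL database and create the robot accounts
#   update     reload the directory from the SQL database
#   purge      undo the configure edits, then re-initialise the directory
#              (see init: this wipes the whole local LDAP database)
#   list       dump the directory (anonymous bind, no root needed)
#   empty      delete the Sourceforge subtrees with the admin account
#   init       stop slapd, delete its database files, slapadd a fresh
#              suffix/admin entry and start it again
#   test       create/verify the robot accounts
# Writes go through the admin DN with the secret from setup_vars.
case "$1" in
configure)
  # The base DN is read from local.pl (single-quoted Perl) while setup_vars
  # reads local.inc; both files are expected to carry the same suffix.
  dn=$(grep sys_ldap_base_dn /etc/sourceforge/local.pl | cut -d\' -f2)
  setup_vars
  echo "Modifying /etc/ldap/slapd.conf"
  purge_slapd
  modify_slapd "$dn"
  echo "Modifying /etc/libnss-ldap.conf"
  modify_libnss_ldap "$dn"
  echo "Modifying /etc/nsswitch.conf"
  modify_nsswitch
  echo "Load ldap"
  # NOTE(review): this talks to the running slapd, i.e. with the
  # pre-modification schema/ACLs; load_ldap swallows errors, so if entries
  # turn out missing, move the restart below above this call -- confirm.
  load_ldap "$dn" "$secret"
  # Restart so the new includes and ACLs are in effect before the robot
  # accounts are created; the sleep gives slapd time to come up.
  /etc/init.d/slapd restart
  sleep 5
  echo "Setup SF_robot account"
  setup_robot
  ;;
update)
  dn=$(grep sys_ldap_base_dn /etc/sourceforge/local.pl | cut -d\' -f2)
  setup_vars
  load_ldap "$dn" "$secret"
  ;;
purge)
  echo "Purging /etc/ldap/slapd.conf"
  purge_slapd
  echo "Purging /etc/nsswitch.conf"
  purge_nsswitch
  echo "Purging /etc/libnss-ldap.conf"
  purge_libnss_ldap
  # Re-initialising throws away every entry in the local directory, not just
  # the Sourceforge ones (see init); say so before doing it.
  echo "WARNING: re-initialising the LDAP database, all entries will be lost"
  "$0" init
  ;;
list)
  naming_context=$(ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts | grep "namingContexts:" | cut -d" " -f2)
  # Display what is now in the database
  ldapsearch -x -b "$naming_context" '(objectclass=*)'
  ;;
empty)
  setup_vars
  # Only the first namingContext advertised by the root DSE is used; a server
  # with several suffixes would need the DN from the config instead.
  naming_context=$(ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts | grep "namingContexts:" | cut -d" " -f2)
  # This should work with SASL auth if i find how to make it work
  # See saslpasswd, /usr/share/doc/libsasl7/sysadmin.html
  # The command would be
  # ldapdelete -D "cn=admin,ou=People,$naming_context" -W -r "$naming_context"
  for target in ou=Aliases ou=Hosts ou=Roaming ou=Group ou=cvsGroup cn=SF_robot cn=Replicator ou=People
  do
    echo "Destroying LDAP database $target, $naming_context ..."
    # Best effort: a subtree that does not exist makes ldapdelete fail, and
    # that must not abort the loop under set -e.
    set +e
    ldapdelete -D "cn=admin,ou=People,$naming_context" -x -w"$secret" -r "$target, $naming_context"
    set -e
  done
  ;;
init)
  # Destructive: every entry in the local directory goes away, not only the
  # Sourceforge ones. Callers (purge) are expected to have warned.
  /etc/init.d/slapd stop
  rm -f /var/lib/ldap/*.dbb
  setup_vars
  # Private temp file: the LDIF carries the admin password hash and is read
  # back by slapadd as root, so a predictable /tmp name would be a symlink
  # target for any local user.
  tmpldif=$(mktemp /tmp/ldif.XXXXXX)
  print_ldif_default "$sys_ldap_base_dn" "$cryptedpasswd" > "$tmpldif"
  # slapadd writes the backend files directly and must run while slapd is
  # stopped; the server is started only once the suffix entry is in place.
  slapadd -l "$tmpldif"
  rm -f "$tmpldif"
  /etc/init.d/slapd start
  ;;
test)
  setup_robot
  ;;
*)
  echo "Usage: $0 {configure|update|purge|list|empty|init|test}"
  exit 1
  ;;
esac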
# Ancient ldaptest follow
# All info found in /usr/share/doc/openldap-guide
# This is testing local ldap server
##echo "============ LDAP SEARCH ==================="
##ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
##echo "============ LDAP SEARCH ==================="
# Then you need LDIF file and run ldapadd
# To fill this you need to get your namingContexts
# This do this and should be used a the sourceforge base DN
##naming_context=$(ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
| grep "namingContexts:" | cut -d" " -f2)
##echo "Naming Context is: ===>$naming_context<=="
# An example LDIF file
##echo "============ Example ldif file =============="
##tee /tmp/example.ldif <<-FIN
##dn: cn=Bob Smith,ou=People,$naming_context
##objectClass: person
##cn: Bob Smith
##sn: Smith
##FIN
##echo "============ Example ldif file =============="
##echo "============ Adding this to the database ===="
#/usr/sbin/slapadd -v -d2 -l /tmp/example.ldif
#ldapadd -U admin -D "cn=admin,ou=People,$naming_context" -W -f
/tmp/example.ldif
#ldapadd -v -D "cn=admin,ou=People,$naming_context" -X u:admin -f
/tmp/example.ldif
##ldapadd -v -D "cn=admin,ou=People,$naming_context" -x -W -f /tmp/example.ldif
##echo "============ Checking the database =========="
##ldapsearch -x -b "$naming_context" '(objectclass=*)'
##An example ACL for the web part (password attributes writable by one DN, hidden from everyone else)
#access to dn=".*,ou=People,dc=dragoninc,dc=on,dc=ca"
#attr=userpassword,ntpassword,lmpassword
# by dn="uid=root,ou=People,dc=dragoninc,dc=on,dc=ca" write
# by * none
#
#access to dn=".*,ou=Group,dc=dragoninc,dc=on,dc=ca" attr=userpassword
# by dn="uid=root,ou=People,dc=dragoninc,dc=on,dc=ca" write
# by * none
#
# The gold mine: http://www.bayour.com/LDAPv3-HOWTO.html
# http://www.ameritech.net/users/mhwood/ldap-sec-setup.html
# Worth reading: /usr/share/doc/openssl/README.Debian
# /usr/share/doc/libsasl7/sysadmin.html
#
# To create the certificate that OpenLDAP will use, issue the openssl command
# like this (self-signed, valid one year; -nodes leaves the private key
# unencrypted and -keyout puts it in the same server.pem as the certificate,
# so that file must be readable by the slapd user only):
# openssl req -new -x509 -nodes -out server.pem -keyout server.pem -days 365
# openssl x509 -in server.pem -text
#
#
# Until this work: ldapsearch -b "dc=g-tt,dc=rd,dc=francetelecom,dc=fr"
'(objectclass=*)'
###DEBCONF###
# the configuration of this file will be done by debconf as long as the
# first line of the file says '###DEBCONF###'
#
# you should use dpkg-reconfigure libnss-ldap to configure this file.
#
# @(#)$Id: ldap.conf,v 2.28 2001/08/28 12:17:29 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# PADL Software
# http://www.padl.com
#
# Your LDAP server. Must be resolvable without using LDAP.
host 127.0.0.1
# The distinguished name of the search base.
#base dc=example,dc=net
base dc=monet,dc=da,dc=t-online,dc=net
# Another way to specify your LDAP server is to provide an
# uri with the server name. This allows to use
# Unix Domain Sockets to connect to a local LDAP Server.
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator
# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=proxyuser,dc=padl,dc=com
# The credentials to bind with.
# Optional: default is no credential.
# Do not put a real password here: this file is world-readable (the
# Sourceforge install script makes it mode 644 so every user can resolve
# uid/gid); for a privileged bind use rootbinddn with /etc/ldap.secret
# (mode 600) instead.
#bindpw secret
# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
#rootbinddn cn=manager,dc=padl,dc=com
# The port.
# Optional: default is 389.
#port 389
# The search scope.
#scope sub
#scope one
#scope base
# Search timelimit
#timelimit 30
# Bind timelimit
#bind_timelimit 30
# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600
# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd ou=People,
# to append the default base DN but this
# may incur a small performance impact.
#nss_base_passwd ou=People,dc=padl,dc=com?one
#nss_base_shadow ou=People,dc=padl,dc=com?one
#nss_base_group ou=Group,dc=padl,dc=com?one
#nss_base_hosts ou=Hosts,dc=padl,dc=com?one
#nss_base_services ou=Services,dc=padl,dc=com?one
#nss_base_networks ou=Networks,dc=padl,dc=com?one
#nss_base_protocols ou=Protocols,dc=padl,dc=com?one
#nss_base_rpc ou=Rpc,dc=padl,dc=com?one
#nss_base_ethers ou=Ethers,dc=padl,dc=com?one
#nss_base_netmasks ou=Networks,dc=padl,dc=com?one
#nss_base_bootparams ou=Ethers,dc=padl,dc=com?one
#nss_base_aliases ou=Aliases,dc=padl,dc=com?one
#nss_base_netgroup ou=Netgroup,dc=padl,dc=com?one
# attribute/objectclass mapping
# Syntax:
#nss_map_attribute rfc2307attribute mapped_attribute
#nss_map_objectclass rfc2307objectclass mapped_objectclass
# configure --enable-nds is no longer supported.
# For NDS now do:
#nss_map_attribute uniqueMember member
# configure --enable-mssfu-schema is no longer supported.
# For MSSFU now do:
#nss_map_objectclass posixAccount User
#nss_map_attribute uid msSFUName
#nss_map_attribute uniqueMember posixMember
#nss_map_attribute userPassword msSFUPassword
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_objectclass posixGroup Group
#nss_map_attribute cn msSFUName
#pam_login_attribute msSFUName
#pam_filter objectclass=User
#pam_password ad
# configure --enable-authpassword is no longer supported
# For authPassword support, now do:
#nss_map_attribute userPassword authPassword
#pam_password nds
# For IBM AIX SecureWay support, do:
#nss_map_objectclass posixAccount aixAccount
#nss_base_passwd ou=aixaccount,?one
#nss_map_attribute uid userName
#nss_map_attribute gidNumber gid
#nss_map_attribute uidNumber uid
#nss_map_attribute userPassword passwordChar
#nss_map_objectclass posixGroup aixAccessGroup
#nss_base_group ou=aixgroup,?one
#nss_map_attribute cn groupName
#nss_map_attribute uniqueMember member
#pam_login_attribute userName
#pam_filter objectclass=aixAccount
#pam_password clear
# Next line added by Sourceforge install
rootbinddn cn=admin,ou=People,dc=monet,dc=da,dc=t-online,dc=net