From: <svn...@op...> - 2009-03-26 00:12:49
Author: scriptor Date: Thu Mar 26 01:12:20 2009 New Revision: 5331 URL: http://www.opensync.org/changeset/5331 Log: Initial version of the LDAP plugin having been ported to libopensync-0.3x. Added: plugins/ldap-sync/README.lyx (contents, props changed) Added: plugins/ldap-sync/README.lyx ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ plugins/ldap-sync/README.lyx Thu Mar 26 01:12:20 2009 (r5331) 
@@ -0,0 +1,6667 @@ +#LyX 1.6.0 created this file. For more info see http://www.lyx.org/ +\lyxformat 345 +\begin_document +\begin_header +\textclass article +\use_default_options true +\language english +\inputencoding auto +\font_roman default +\font_sans default +\font_typewriter default +\font_default_family default +\font_sc false +\font_osf false +\font_sf_scale 100 +\font_tt_scale 100 + +\graphics default +\paperfontsize default +\use_hyperref false +\papersize default +\use_geometry false +\use_amsmath 1 +\use_esint 1 +\cite_engine basic +\use_bibtopic false +\paperorientation portrait +\secnumdepth 3 +\tocdepth 3 +\paragraph_separation indent +\defskip medskip +\quotes_language english +\papercolumns 1 +\papersides 1 +\paperpagestyle default +\tracking_changes false +\output_changes false +\author "" +\author "" +\end_header + +\begin_body + +\begin_layout Title +opensync-plugin-ldap-0.39 +\end_layout + +\begin_layout Author +by Juergen Leising (c) 2009 +\end_layout + +\begin_layout Standard +\begin_inset CommandInset toc +LatexCommand tableofcontents + +\end_inset + + +\end_layout + +\begin_layout Standard +\begin_inset Newpage newpage +\end_inset + + +\end_layout + +\begin_layout Part +Installation +\end_layout + +\begin_layout Section +Compiling the source code with cmake +\end_layout + +\begin_layout Subsection +The following cmake modules are required for the LDAP plugin +\end_layout + +\begin_layout Itemize +FindLibLdap.cmake +\end_layout + +\begin_layout Itemize +FindLibGCrypt.cmake +\end_layout + +\begin_layout Itemize +FindLibSASL2.cmake +\end_layout + +\begin_layout Itemize +FindLibGSSAPIV2.cmake +\end_layout + +\begin_layout Standard +See the directory cmake/modules. 
+\end_layout + +\begin_layout Subsection +Regular build +\end_layout + +\begin_layout LyX-Code +tar -xvjf libopensync-plugin-ldap-0.39.tar.bz2 +\end_layout + +\begin_layout LyX-Code +cd libopensync-plugin-ldap-0.39 +\end_layout + +\begin_layout LyX-Code +mkdir build +\end_layout + +\begin_layout LyX-Code +cd build +\end_layout + +\begin_layout LyX-Code +PKG_CONFIG_PATH="/usr/local/lib/pkgconfig/" cmake -DCMAKE_INSTALL_PREFIX=/usr/lo +cal -DUPDATE_TYPE=svn /home/user1/libopensync-plugin-ldap-0.39 +\end_layout + +\begin_layout LyX-Code +make -s +\end_layout + +\begin_layout LyX-Code +sudo make -s install +\end_layout + +\begin_layout LyX-Code +sudo ldconfig +\end_layout + +\begin_layout LyX-Code +cd ../.. +\end_layout + +\begin_layout Subsection +Debug build +\end_layout + +\begin_layout LyX-Code +tar -xvjf libopensync-plugin-ldap-0.39.tar.bz2 +\end_layout + +\begin_layout LyX-Code +cd libopensync-plugin-ldap-0.39 +\end_layout + +\begin_layout LyX-Code +mkdir build_debug +\end_layout + +\begin_layout LyX-Code +cd build_debug +\end_layout + +\begin_layout LyX-Code +PKG_CONFIG_PATH="/usr/local/lib/pkgconfig/" cmake -DCMAKE_INSTALL_PREFIX=/usr/lo +cal -DUPDATE_TYPE=svn -DCMAKE_BUILD_TYPE=Debug -DCMAKE_VERBOSE_MAKEFILE=ON + /home/user1/libopensync-plugin-ldap-0.39 +\end_layout + +\begin_layout LyX-Code +make -s +\end_layout + +\begin_layout LyX-Code +sudo make -s install +\end_layout + +\begin_layout LyX-Code +sudo ldconfig +\end_layout + +\begin_layout LyX-Code +cd ../.. +\end_layout + +\begin_layout Subsection +Build doxygen based documentation of the source code +\end_layout + +\begin_layout LyX-Code +cd build +\end_layout + +\begin_layout LyX-Code +make doxygen +\end_layout + +\begin_layout LyX-Code +firefox doc/html/index.html & +\end_layout + +\begin_layout Section +Tests +\end_layout + +\begin_layout Standard +There is a "test" target. + It is primarily intended for developers. + Tests which I expect to fail are commented out in the CMakeLists.txt. 
+\end_layout + +\begin_layout Subsection +Required software +\end_layout + +\begin_layout Standard +The tests make use of external tools, most notably: +\end_layout + +\begin_layout Itemize +xmllint +\end_layout + +\begin_layout Itemize +xsltproc +\end_layout + +\begin_layout Itemize +ldapsearch +\end_layout + +\begin_layout Itemize +ldapadd +\end_layout + +\begin_layout Itemize +ldapmodify +\end_layout + +\begin_layout Itemize +ldapdelete +\end_layout + +\begin_layout Itemize +valgrind +\end_layout + +\begin_layout Subsection +Running the tests +\end_layout + +\begin_layout LyX-Code +cd build +\end_layout + +\begin_layout LyX-Code +make test +\end_layout + +\begin_layout Subsection +Display a list of tests +\end_layout + +\begin_layout LyX-Code +cd build +\end_layout + +\begin_layout LyX-Code +ctest -N +\end_layout + +\begin_layout Subsection +Run only one particular test +\end_layout + +\begin_layout LyX-Code +cd build +\end_layout + +\begin_layout LyX-Code +ctest -I 51,51 +\end_layout + +\begin_layout LyX-Code +ctest -R remove_test_ldifs +\end_layout + +\begin_layout Part +Configuration +\end_layout + +\begin_layout Section +Prepare the LDAP server +\begin_inset Quotes eld +\end_inset + +slapd +\begin_inset Quotes erd +\end_inset + + +\end_layout + +\begin_layout Subsection +Configure the LDAP server +\end_layout + +\begin_layout Standard +vim /etc/openldap/slapd.conf +\end_layout + +\begin_layout LyX-Code +(...) +\end_layout + +\begin_layout LyX-Code +include /etc/openldap/schema/core.schema +\end_layout + +\begin_layout LyX-Code +include /etc/openldap/schema/inetorgperson.schema +\end_layout + +\begin_layout LyX-Code +include /etc/openldap/schema/evolutionperson.schema +\end_layout + +\begin_layout LyX-Code +(...) 
+\end_layout + +\begin_layout LyX-Code +database bdb +\end_layout + +\begin_layout LyX-Code +suffix "dc=example,dc=com" +\end_layout + +\begin_layout LyX-Code +checkpoint 1024 15 +\end_layout + +\begin_layout LyX-Code +####### Root +\begin_inset CommandInset label +LatexCommand label +name "rootdn" + +\end_inset + + account, +\begin_inset Quotes eld +\end_inset + +simple +\begin_inset Quotes erd +\end_inset + + authentication +\end_layout + +\begin_layout LyX-Code +rootdn "cn=root,dc=example,dc=com" +\end_layout + +\begin_layout LyX-Code +rootpw password +\end_layout + +\begin_layout LyX-Code + +\end_layout + +\begin_layout LyX-Code +### Mappings to gain the bind-DN's in order +\end_layout + +\begin_layout LyX-Code +### to answer the question about access rights +\end_layout + +\begin_layout LyX-Code +### for SASL based authentication: +\end_layout + +\begin_layout LyX-Code +authz-regexp +\end_layout + +\begin_layout LyX-Code + uid=([^,]*),cn=digest-md5,cn=auth +\end_layout + +\begin_layout LyX-Code + cn=$1,dc=example,dc=com +\end_layout + +\begin_layout LyX-Code + +\end_layout + +\begin_layout LyX-Code +authz-regexp +\end_layout + +\begin_layout LyX-Code + uid=([^,]*),cn=cram-md5,cn=auth +\end_layout + +\begin_layout LyX-Code + cn=$1,dc=example,dc=com +\end_layout + +\begin_layout LyX-Code + +\end_layout + +\begin_layout LyX-Code +authz-regexp +\end_layout + +\begin_layout LyX-Code + uid=([^,]*),cn=plain,cn=auth +\end_layout + +\begin_layout LyX-Code + cn=$1,dc=example,dc=com +\end_layout + +\begin_layout LyX-Code + +\end_layout + +\begin_layout LyX-Code +authz-regexp +\end_layout + +\begin_layout LyX-Code + uid=([^,]*),cn=login,cn=auth +\end_layout + +\begin_layout LyX-Code + cn=$1,dc=example,dc=com +\end_layout + +\begin_layout LyX-Code + +\end_layout + +\begin_layout LyX-Code +authz-regexp +\end_layout + +\begin_layout LyX-Code + uid=([^,]*),cn=gssapi,cn=auth +\end_layout + +\begin_layout LyX-Code + cn=$1,dc=example,dc=com +\end_layout + +\begin_layout LyX-Code 
+ +\end_layout + +\begin_layout LyX-Code +authz-regexp +\end_layout + +\begin_layout LyX-Code + email=([^@]+)@host +\backslash +.([^.]+) +\backslash +.([^,]+),cn=host +\backslash +.example +\backslash +.com,ou=[^#]+[^ +\backslash + ]+ +\backslash + ldap +\backslash + client +\backslash + [^,]+,o=a +\backslash + private +\backslash + site +\backslash +.,st=city,c=us +\end_layout + +\begin_layout LyX-Code + cn=$1,dc=$2,dc=$3 +\end_layout + +\begin_layout LyX-Code + +\end_layout + +\begin_layout LyX-Code +sasl-host host.example.com +\end_layout + +\begin_layout LyX-Code + +\end_layout + +\begin_layout LyX-Code +### Minimal access rights for a given bind-DN: +\end_layout + +\begin_layout LyX-Code +access to dn.subtree="ou=addressbook,dc=example,dc=com" by users write +\end_layout + +\begin_layout LyX-Code +access to dn.subtree="ou=calendar,dc=example,dc=com" by users write +\end_layout + +\begin_layout LyX-Code +access to dn.subtree="ou=todo,dc=example,dc=com" by users write +\end_layout + +\begin_layout LyX-Code +access to dn.subtree="o=notes,dc=example,dc=com" by users write +\end_layout + +\begin_layout LyX-Code + +\end_layout + +\begin_layout LyX-Code +access to dn.base="cn=Subschema" by * read +\end_layout + +\begin_layout LyX-Code +access to dn.one="ou=people,dc=example,dc=com" by * read +\end_layout + +\begin_layout LyX-Code +directory /var/lib/ldap +\end_layout + +\begin_layout LyX-Code +(...) 
+\end_layout + +\begin_layout Subsection +Syntax test of the configuration file +\end_layout + +\begin_layout LyX-Code +slapd -Ttest +\end_layout + +\begin_layout Subsection +Build the directory information tree (= DIT) +\end_layout + +\begin_layout Standard +We are going to create a hierarchical tree like this one: +\end_layout + +\begin_layout Standard +\begin_inset Graphics + filename /tmp/dit1.tiff + +\end_inset + + +\end_layout + +\begin_layout Standard +ou=people will contain the user accounts for the so-called +\begin_inset Quotes eld +\end_inset + +simple +\begin_inset Quotes erd +\end_inset + + authentication method. +\end_layout + +\begin_layout Standard +ou=addressbook is intended to store entries for object type +\begin_inset Quotes eld +\end_inset + +contact +\begin_inset Quotes erd +\end_inset + + (object type here is a libopensync specific term; not to be confused with + +\begin_inset Quotes eld +\end_inset + +object class +\begin_inset Quotes erd +\end_inset + +, which is an LDAP specific term). +\end_layout + +\begin_layout Standard +ou=calendar is for object type +\begin_inset Quotes eld +\end_inset + +event +\begin_inset Quotes erd +\end_inset + +. +\end_layout + +\begin_layout Standard +ou=todo is for object type +\begin_inset Quotes eld +\end_inset + +todo +\begin_inset Quotes erd +\end_inset + +. + Applications often refer to this as +\begin_inset Quotes eld +\end_inset + +tasks +\begin_inset Quotes erd +\end_inset + +. +\end_layout + +\begin_layout Standard +o=notes is for object type +\begin_inset Quotes eld +\end_inset + +note +\begin_inset Quotes erd +\end_inset + +. + The object class +\begin_inset Quotes eld +\end_inset + +organization +\begin_inset Quotes erd +\end_inset + + has been chosen here just to demonstrate that this decision has been made + in an arbitrary way. + A dedicated LDAP schema is currently used for object +\begin_inset Quotes eld +\end_inset + +contact +\begin_inset Quotes erd +\end_inset + +, only. 
+ All the other object types currently use general object classes, which + will hopefully be changed eventually. +\end_layout + +\begin_layout Standard +Establish the root subtree +\begin_inset Quotes eld +\end_inset + +dc=example,dc=com +\begin_inset Quotes erd +\end_inset + +, which is to hold the people subtree, the addressbook subtree, the todo + subtree and the notes subtree. +\end_layout + +\begin_layout LyX-Code +vim root1.ldif +\end_layout + +\begin_layout LyX-Code +dn: dc=example,dc=com +\end_layout + +\begin_layout LyX-Code +objectClass: top +\end_layout + +\begin_layout LyX-Code +objectClass: dcObject +\end_layout + +\begin_layout LyX-Code +objectClass: organizationalUnit +\end_layout + +\begin_layout LyX-Code +dc: example +\end_layout + +\begin_layout LyX-Code +ou: top node of LDAP Server +\end_layout + +\begin_layout Standard +Now add this to the DIT: +\end_layout + +\begin_layout LyX-Code +ldapadd -x -D "cn=root,dc=example,dc=com" -w password -a -f root1.ldif +\end_layout + +\begin_layout Subsubsection +Establish an addressbook +\end_layout + +\begin_layout Standard +We use the LDAP root DN and the LDAP root password to establish an addressbook: +\end_layout + +\begin_layout LyX-Code +vim addressbook.ldif +\end_layout + +\begin_layout LyX-Code +dn: ou=addressbook,dc=example,dc=com +\end_layout + +\begin_layout LyX-Code +objectClass: top +\end_layout + +\begin_layout LyX-Code +objectClass: organizationalUnit +\end_layout + +\begin_layout LyX-Code +ou: addressbook +\end_layout + +\begin_layout LyX-Code +description: Personal Addressbook +\end_layout + +\begin_layout Standard +Now add this LDIF file: +\end_layout + +\begin_layout LyX-Code +ldapadd -x -D "cn=root,dc=example,dc=com" -w password -a -f addressbook.ldif +\end_layout + +\begin_layout Subsubsection +Estalish a calendar +\end_layout + +\begin_layout LyX-Code +vim calendar1.ldif +\end_layout + +\begin_layout LyX-Code +dn: ou=calendar,dc=example,dc=com +\end_layout + +\begin_layout LyX-Code 
+objectClass: top +\end_layout + +\begin_layout LyX-Code +objectClass: organizationalUnit +\end_layout + +\begin_layout LyX-Code +ou: calendar +\end_layout + +\begin_layout LyX-Code +description: Calendar +\end_layout + +\begin_layout Standard +Now add this LDIF file: +\end_layout + +\begin_layout LyX-Code +ldapadd -x -D "cn=root,dc=example,dc=com" -w password -a -f calendar1.ldif +\end_layout + +\begin_layout Subsubsection +Establish the todo's +\end_layout + +\begin_layout LyX-Code +vim todo1.ldif +\end_layout + +\begin_layout LyX-Code +dn: ou=todo,dc=example,dc=com +\end_layout + +\begin_layout LyX-Code +objectClass: top +\end_layout + +\begin_layout LyX-Code +objectClass: organizationalUnit +\end_layout + +\begin_layout LyX-Code +ou: todo +\end_layout + +\begin_layout LyX-Code +description: Calendar +\end_layout + +\begin_layout Standard +Now add this LDIF file to the DIT: +\end_layout + +\begin_layout LyX-Code +ldapadd -x -D "cn=root,dc=example,dc=com" -w password -a -f todo1.ldif +\end_layout + +\begin_layout Subsubsection +Establish notes +\end_layout + +\begin_layout LyX-Code +vim notes.ldif +\end_layout + +\begin_layout LyX-Code +dn: o=notes,dc=example,dc=com +\end_layout + +\begin_layout LyX-Code +objectClass: top +\end_layout + +\begin_layout LyX-Code +objectClass: dcObject +\end_layout + +\begin_layout LyX-Code +objectClass: organization +\end_layout + +\begin_layout LyX-Code +dc: notes +\end_layout + +\begin_layout LyX-Code +o: notes +\end_layout + +\begin_layout LyX-Code +description: Notes +\end_layout + +\begin_layout Standard +Now add this LDIF file: +\end_layout + +\begin_layout LyX-Code +ldapadd -x -D "cn=root,dc=example,dc=com" -w password -a -f notes.ldif +\end_layout + +\begin_layout Section +The different authentication methods with the LDAP server +\end_layout + +\begin_layout Subsection +The +\begin_inset Quotes eld +\end_inset + +simple +\begin_inset Quotes erd +\end_inset + + authentication +\end_layout + +\begin_layout Standard 
+\begin_inset CommandInset label +LatexCommand label +name "simple_authentication" + +\end_inset + +The credentials for the +\begin_inset Quotes eld +\end_inset + +simple +\begin_inset Quotes erd +\end_inset + + authentication can be configured either in slapd.conf itself or in the LDAP + DIT, i.e. + in a particular database. + We have already used the first method for the LDAP root DN (see above +\begin_inset CommandInset ref +LatexCommand ref +reference "rootdn" + +\end_inset + +). + Now we are going to use the second method for an ordinary user +\begin_inset Quotes eld +\end_inset + +ldap_user +\begin_inset Quotes erd +\end_inset + +: +\end_layout + +\begin_layout LyX-Code +vim ldap_user.ldif +\end_layout + +\begin_layout LyX-Code + +\end_layout + +\begin_layout LyX-Code +dn: ou=people,dc=example,dc=com +\end_layout + +\begin_layout LyX-Code +objectClass: organizationalUnit +\end_layout + +\begin_layout LyX-Code +description: LDAP user accounts. +\end_layout + +\begin_layout LyX-Code + +\end_layout + +\begin_layout LyX-Code +dn: cn=ldap_user,ou=people,dc=example,dc=com +\end_layout + +\begin_layout LyX-Code +objectClass: inetOrgPerson +\end_layout + +\begin_layout LyX-Code +cn: ldap_user +\end_layout + +\begin_layout LyX-Code +sn: ldap_user +\end_layout + +\begin_layout LyX-Code +givenname: ldap_user +\end_layout + +\begin_layout LyX-Code +mail: lda...@ex... 
+\end_layout + +\begin_layout LyX-Code +telephonenumber: 000-000-0001 +\end_layout + +\begin_layout LyX-Code + +\end_layout + +\begin_layout Standard +We use the LDAP root DN and the LDAP root password to add this entry to + the DIT: +\end_layout + +\begin_layout LyX-Code +ldapadd -x -D "cn=root,dc=example,dc=com" -w "password" -f ldap_user.ldif +\end_layout + +\begin_layout LyX-Code + +\end_layout + +\begin_layout Standard +Provide +\begin_inset Quotes eld +\end_inset + +ldap_user +\begin_inset Quotes erd +\end_inset + + with the password +\begin_inset Quotes eld +\end_inset + +secret +\begin_inset Quotes erd +\end_inset + +. + Note the difference between -w and -s: We authenticate ourselves as root + (in terms of LDAP: root-DN with the corresponding password as configured + in slapd.conf) +\end_layout + +\begin_layout LyX-Code +ldappasswd -x -D "cn=root,dc=example,dc=com" -w "password" -s "secret" "cn=ldap_ +user,ou=people,dc=example,dc=com" +\end_layout + +\begin_layout Subsection +Configure the SASL library +\end_layout + +\begin_layout Standard +\begin_inset CommandInset label +LatexCommand label +name "sasl_in_general" + +\end_inset + +Which SASL mechanisms does the SASL library offer? +\end_layout + +\begin_layout LyX-Code +sasl2-shared-mechlist +\end_layout + +\begin_layout LyX-Code +Available mechanisms: DIGEST-MD5,GSSAPI,CRAM-MD5,LOGIN,PLAIN,ANONYMOUS +\end_layout + +\begin_layout LyX-Code +Library supports: EXTERNAL,ANONYMOUS,PLAIN,LOGIN,CRAM-MD5,GSSAPI,DIGEST-MD5 +\end_layout + +\begin_layout Standard +\begin_inset CommandInset label +LatexCommand label +name "sasl_mechanisms_offered_by_slapd" + +\end_inset + +Which SASL mechanisms are supported by the LDAP server slapd with unencrypted + sessions? 
+\end_layout + +\begin_layout LyX-Code +ldapsearch -x -b "" -s base -LLL supportedSASLMechanisms +\end_layout + +\begin_layout LyX-Code +dn: +\end_layout + +\begin_layout LyX-Code +supportedSASLMechanisms: DIGEST-MD5 +\end_layout + +\begin_layout LyX-Code +supportedSASLMechanisms: GSSAPI +\end_layout + +\begin_layout LyX-Code +supportedSASLMechanisms: CRAM-MD5 +\end_layout + +\begin_layout Standard +Which SASL mechanisms are supported by the LDAP server slapd with encrypted + sessions: +\end_layout + +\begin_layout LyX-Code +ldapsearch -x -b "" -s base -LLL -Z supportedSASLMechanisms +\end_layout + +\begin_layout LyX-Code +dn: +\end_layout + +\begin_layout LyX-Code +supportedSASLMechanisms: DIGEST-MD5 +\end_layout + +\begin_layout LyX-Code +supportedSASLMechanisms: GSSAPI +\end_layout + +\begin_layout LyX-Code +supportedSASLMechanisms: CRAM-MD5 +\end_layout + +\begin_layout LyX-Code +supportedSASLMechanisms: LOGIN +\end_layout + +\begin_layout LyX-Code +supportedSASLMechanisms: PLAIN +\end_layout + +\begin_layout LyX-Code + +\end_layout + +\begin_layout Standard +Configure SASL: +\end_layout + +\begin_layout Standard +The SASL library is configured with respect to slapd in a file called +\begin_inset Quotes eld +\end_inset + +slapd.conf +\begin_inset Quotes erd +\end_inset + +. + This file is located in /usr/lib/sasl2/ and it MUST NOT be confused with + /etc/openldap/slapd.conf. +\end_layout + +\begin_layout Standard +The mech_list in the following file determines which authentication mechanisms + are to be supported by libsasl: +\end_layout + +\begin_layout Standard +Cf. + cyrus-sasl-lib-2.1.22/options.html in the source code of the sasl library. 
+\end_layout + +\begin_layout LyX-Code +vim /usr/lib/sasl2/slapd.conf +\end_layout + +\begin_layout LyX-Code +pwcheck_method: saslauthd auxprop +\end_layout + +\begin_layout LyX-Code +mech_list: plain login cram-md5 digest-md5 gssapi external anonymous +\end_layout + +\begin_layout LyX-Code +keytab: /etc/krb5.keytab +\end_layout + +\begin_layout LyX-Code +log_level: 7 +\end_layout + +\begin_layout Standard +\begin_inset CommandInset label +LatexCommand label +name "sasldb_account" + +\end_inset + +Create the account for +\begin_inset Quotes eld +\end_inset + +ldap_user +\begin_inset Quotes erd +\end_inset + + in the SASL database as root: +\end_layout + +\begin_layout LyX-Code +saslpasswd2 -c ldap_user +\end_layout + +\begin_layout Standard +Check the result as root: +\end_layout + +\begin_layout LyX-Code +sasldblistusers2 +\end_layout + +\begin_layout LyX-Code +ld...@ho...: userPassword +\end_layout + +\begin_layout Standard +Do the various mechanisms work as expected? +\end_layout + +\begin_layout Standard +As root in an xterm: +\end_layout + +\begin_layout LyX-Code +sasl2-sample-server -s ldap +\end_layout + +\begin_layout LyX-Code +(...) +\end_layout + +\begin_layout LyX-Code +DIGEST-MD5 GSSAPI CRAM-MD5 LOGIN PLAIN ANONYMOUS +\end_layout + +\begin_layout Standard +As a simple user in another xterm: +\end_layout + +\begin_layout LyX-Code +sasl2-sample-client -m PLAIN localhost +\end_layout + +\begin_layout LyX-Code +sasl2-sample-client -m DIGEST-MD5 localhost +\end_layout + +\begin_layout LyX-Code +sasl2-sample-client -m CRAM-MD5 localhost +\end_layout + +\begin_layout LyX-Code +sasl2-sample-client -m LOGIN localhost +\end_layout + +\begin_layout LyX-Code +sasl2-sample-client -m ANONYMOUS localhost +\end_layout + +\begin_layout LyX-Code + +\end_layout + +\begin_layout Standard +Assuming the Kerberos V5 system is already configured. + See below +\begin_inset CommandInset ref +LatexCommand ref +reference "kerberosv5" + +\end_inset + +. 
+\end_layout + +\begin_layout LyX-Code +kinit -V ldap_user +\end_layout + +\begin_layout LyX-Code +sasl2-sample-client -s ldap -m GSSAPI host.example.com +\end_layout + +\begin_layout LyX-Code + +\end_layout + +\begin_layout Standard + +\end_layout + +\begin_layout Subsection +SASL/DIGEST-MD5 +\end_layout + +\begin_layout Standard +\begin_inset CommandInset label +LatexCommand label +name "digest_md5" + +\end_inset + +SASL using DIGEST-MD5 with the password being stored in the sasldb as shown + above under +\begin_inset CommandInset ref +LatexCommand ref +reference "sasldb_account" + +\end_inset + +. + For the authentication itself nothing else has to be configured. + +\end_layout + +\begin_layout Standard +For the access rules to work the authentication identifier (bind-DN) can + be rewritten by these lines in /etc/openldap/slapd.conf: +\end_layout + +\begin_layout LyX-Code +authz-regexp +\end_layout + +\begin_layout LyX-Code + uid=([^,]*),cn=digest-md5,cn=auth +\end_layout + +\begin_layout LyX-Code + cn=$1,dc=example,dc=com +\end_layout + +\begin_layout Standard +Configure the opensync-plugin-ldap: +\end_layout + +\begin_layout LyX-Code + osynctool --configure "sync_ldap_with_evolution" 2 +\end_layout + +\begin_layout LyX-Code + +\end_layout + +\begin_layout LyX-Code +<AdvancedOption> +\end_layout + +\begin_layout LyX-Code + <MaxOccurs>2147483647</MaxOccurs> +\end_layout + +\begin_layout LyX-Code + <Max>2147483647</Max> +\end_layout + +\begin_layout LyX-Code + <Name>authcid</Name> +\end_layout + +\begin_layout LyX-Code + <Type>string</Type> +\end_layout + +\begin_layout LyX-Code + <Value>ldap_user</Value> +\end_layout + +\begin_layout LyX-Code +</AdvancedOption> +\end_layout + +\begin_layout LyX-Code +<AdvancedOption> +\end_layout + +\begin_layout LyX-Code + <MaxOccurs>2147483647</MaxOccurs> +\end_layout + +\begin_layout LyX-Code + <Max>2147483647</Max> +\end_layout + +\begin_layout LyX-Code + <Name>password</Name> +\end_layout + +\begin_layout LyX-Code + 
<Type>string</Type> +\end_layout + +\begin_layout LyX-Code + <Value>secret</Value> +\end_layout + +\begin_layout LyX-Code +</AdvancedOption> +\end_layout + +\begin_layout LyX-Code +<AdvancedOption> +\end_layout + +\begin_layout LyX-Code + <MaxOccurs>2147483647</MaxOccurs> +\end_layout + +\begin_layout LyX-Code + <Max>2147483647</Max> +\end_layout + +\begin_layout LyX-Code + <Name>anonymous</Name> +\end_layout + +\begin_layout LyX-Code + <Type>string</Type> +\end_layout + +\begin_layout LyX-Code + <Value>0</Value> +\end_layout + +\begin_layout LyX-Code +</AdvancedOption> +\end_layout + +\begin_layout LyX-Code +<AdvancedOption> +\end_layout + +\begin_layout LyX-Code + <MaxOccurs>2147483647</MaxOccurs> +\end_layout + +\begin_layout LyX-Code + <Max>2147483647</Max> +\end_layout + +\begin_layout LyX-Code + <Name>authmech</Name> +\end_layout + +\begin_layout LyX-Code + <Type>string</Type> +\end_layout + +\begin_layout LyX-Code + <Value>DIGEST-MD5</Value> +\end_layout + +\begin_layout LyX-Code +</AdvancedOption> +\end_layout + +\begin_layout Standard +Any configuration setting performed by +\begin_inset Quotes eld +\end_inset + +osynctool --configure ... +\begin_inset Quotes erd +\end_inset + + must additionally be set into effect by: +\end_layout + +\begin_layout LyX-Code +osynctool --discover "sync_ldap_with_evolution" +\end_layout + +\begin_layout Subsection +SASL/CRAM-MD5 +\end_layout + +\begin_layout Standard +SASL using CRAM-MD5 with the password being stored in the sasldb as shown + above under +\begin_inset CommandInset ref +LatexCommand ref +reference "sasldb_account" + +\end_inset + +. + For the authentication itself nothing else has to be configured. 
+ +\end_layout + +\begin_layout Standard +For the access rules to work the authentication identifier (bind-DN) can + be rewritten by these lines in /etc/openldap/slapd.conf: +\end_layout + +\begin_layout LyX-Code +authz-regexp +\end_layout + +\begin_layout LyX-Code + uid=([^,]*),cn=cram-md5,cn=auth +\end_layout + +\begin_layout LyX-Code + cn=$1,dc=example,dc=com +\end_layout + +\begin_layout Standard +Configure the opensync-plugin-ldap: +\end_layout + +\begin_layout LyX-Code +osynctool --configure "sync_ldap_with_evolution" 2 +\end_layout + +\begin_layout LyX-Code + +\end_layout + +\begin_layout LyX-Code +<AdvancedOption> +\end_layout + +\begin_layout LyX-Code + <MaxOccurs>2147483647</MaxOccurs> +\end_layout + +\begin_layout LyX-Code + <Max>2147483647</Max> +\end_layout + +\begin_layout LyX-Code + <Name>authcid</Name> +\end_layout + +\begin_layout LyX-Code + <Type>string</Type> +\end_layout + +\begin_layout LyX-Code + <Value>ldap_user</Value> +\end_layout + +\begin_layout LyX-Code +</AdvancedOption> +\end_layout + +\begin_layout LyX-Code +<AdvancedOption> +\end_layout + +\begin_layout LyX-Code + <MaxOccurs>2147483647</MaxOccurs> +\end_layout + +\begin_layout LyX-Code + <Max>2147483647</Max> +\end_layout + +\begin_layout LyX-Code + <Name>password</Name> +\end_layout + +\begin_layout LyX-Code + <Type>string</Type> +\end_layout + +\begin_layout LyX-Code + <Value>secret</Value> +\end_layout + +\begin_layout LyX-Code +</AdvancedOption> +\end_layout + +\begin_layout LyX-Code +<AdvancedOption> +\end_layout + +\begin_layout LyX-Code + <MaxOccurs>2147483647</MaxOccurs> +\end_layout + +\begin_layout LyX-Code + <Max>2147483647</Max> +\end_layout + +\begin_layout LyX-Code + <Name>anonymous</Name> +\end_layout + +\begin_layout LyX-Code + <Type>string</Type> +\end_layout + +\begin_layout LyX-Code + <Value>0</Value> +\end_layout + +\begin_layout LyX-Code +</AdvancedOption> +\end_layout + +\begin_layout LyX-Code +<AdvancedOption> +\end_layout + +\begin_layout LyX-Code + 
<MaxOccurs>2147483647</MaxOccurs> +\end_layout + +\begin_layout LyX-Code + <Max>2147483647</Max> +\end_layout + +\begin_layout LyX-Code + <Name>authmech</Name> +\end_layout + +\begin_layout LyX-Code + <Type>string</Type> +\end_layout + +\begin_layout LyX-Code + <Value>CRAM-MD5</Value> +\end_layout + +\begin_layout LyX-Code +</AdvancedOption> +\end_layout + +\begin_layout Standard +Any configuration setting performed by +\begin_inset Quotes eld +\end_inset + +osynctool --configure ... +\begin_inset Quotes erd +\end_inset + + must additionally be set into effect by: +\end_layout + +\begin_layout LyX-Code +osynctool --discover "sync_ldap_with_evolution" +\end_layout + +\begin_layout Subsection +SASL/PLAIN over an encrypted connection +\end_layout + +\begin_layout Standard +SASL using the PLAIN mechanism with the password being stored in the sasldb. + The default configuration of newer slapd versions does not accept such + an insecure authentication method without encryption. + See above under +\begin_inset CommandInset ref +LatexCommand ref +reference "sasl_mechanisms_offered_by_slapd" + +\end_inset + +. + As a consequence the ldap plugin must establish an encrypted connection. 
+ This can be configured EITHER by setting the option
+\begin_inset Quotes eld
+\end_inset
+
+encryption
+\begin_inset Quotes erd
+\end_inset
+
+ to 1 OR by setting a network connection that leads to a port used for encrypted
+ sessions only:
+\end_layout
+
+\begin_layout LyX-Code
+osynctool --configure "sync_ldap_with_evolution" 2
+\end_layout
+
+\begin_layout LyX-Code
+
+\end_layout
+
+\begin_layout LyX-Code
+<AdvancedOption>
+\end_layout
+
+\begin_layout LyX-Code
+ <MaxOccurs>2147483647</MaxOccurs>
+\end_layout
+
+\begin_layout LyX-Code
+ <Max>2147483647</Max>
+\end_layout
+
+\begin_layout LyX-Code
+ <Name>authcid</Name>
+\end_layout
+
+\begin_layout LyX-Code
+ <Type>string</Type>
+\end_layout
+
+\begin_layout LyX-Code
+ <Value>ldap_user</Value>
+\end_layout
+
+\begin_layout LyX-Code
+</AdvancedOption>
+\end_layout
+
+\begin_layout LyX-Code
+<AdvancedOption>
+\end_layout
+
+\begin_layout LyX-Code
+ <MaxOccurs>2147483647</MaxOccurs>
+\end_layout
+
+\begin_layout LyX-Code
+ <Max>2147483647</Max>
+\end_layout
+
+\begin_layout LyX-Code
+ <Name>password</Name>
+\end_layout
+
+\begin_layout LyX-Code
+ <Type>string</Type>
+\end_layout
+
+\begin_layout LyX-Code
+ <Value>secret</Value>
+\end_layout
+
+\begin_layout LyX-Code
+</AdvancedOption>
+\end_layout
+
+\begin_layout LyX-Code
+<AdvancedOption>
+\end_layout
+
+\begin_layout LyX-Code
+ <MaxOccurs>2147483647</MaxOccurs>
+\end_layout
+
+\begin_layout LyX-Code
+ <Max>2147483647</Max>
+\end_layout
+
+\begin_layout LyX-Code
+ <Name>anonymous</Name>
+\end_layout
+
+\begin_layout LyX-Code
+ <Type>string</Type>
+\end_layout
+
+\begin_layout LyX-Code
+ <Value>0</Value>
+\end_layout
+
+\begin_layout LyX-Code
+</AdvancedOption>
+\end_layout
+
+\begin_layout LyX-Code
+<AdvancedOption>
+\end_layout
+
+\begin_layout LyX-Code
+ <MaxOccurs>2147483647</MaxOccurs>
+\end_layout
+
+\begin_layout LyX-Code
+ <Max>2147483647</Max>
+\end_layout
+
+\begin_layout LyX-Code
+ <Name>authmech</Name>
+\end_layout
+
+\begin_layout LyX-Code
+ <Type>string</Type>
+\end_layout
+
+\begin_layout LyX-Code
+ <Value>PLAIN</Value>
+\end_layout
+
+\begin_layout LyX-Code
+</AdvancedOption>
+\end_layout
+
+\begin_layout LyX-Code
+
+\end_layout
+
+\begin_layout LyX-Code
+(...)
+\end_layout
+
+\begin_layout LyX-Code
+
+\end_layout
+
+\begin_layout LyX-Code
+<AdvancedOption>
+\end_layout
+
+\begin_layout LyX-Code
+ <MaxOccurs>2147483647</MaxOccurs>
+\end_layout
+
+\begin_layout LyX-Code
+ <Max>2147483647</Max>
+\end_layout
+
+\begin_layout LyX-Code
+ <Name>encryption</Name>
+\end_layout
+
+\begin_layout LyX-Code
+ <Type>string</Type>
+\end_layout
+
+\begin_layout LyX-Code
+ <Value>1</Value>
+\end_layout
+
+\begin_layout LyX-Code
+</AdvancedOption>
+\end_layout
+
+\begin_layout LyX-Code
+
+\end_layout
+
+\begin_layout LyX-Code
+(...)
+\end_layout
+
+\begin_layout LyX-Code
+
+\end_layout
+
+\begin_layout LyX-Code
+<Connection>
+\end_layout
+
+\begin_layout LyX-Code
+
+\begin_inset CommandInset label
+LatexCommand label
+name "encrypted_connection1"
+
+\end_inset
+
+<ActiveConnection>Network</ActiveConnection>
+\end_layout
+
+\begin_layout LyX-Code
+ <Network>
+\end_layout
+
+\begin_layout LyX-Code
+ <Address>host.example.com</Address>
+\end_layout
+
+\begin_layout LyX-Code
+ <Port>636</Port>
+\end_layout
+
+\begin_layout LyX-Code
+ <Protocol>ldaps</Protocol>
+\end_layout
+
+\begin_layout LyX-Code
+ </Network>
+\end_layout
+
+\begin_layout LyX-Code
+</Connection>
+\end_layout
+
+\begin_layout Standard
+Any configuration setting performed by
+\begin_inset Quotes eld
+\end_inset
+
+osynctool --configure ...
+\begin_inset Quotes erd
+\end_inset
+
+ must additionally be set into effect by:
+\end_layout
+
+\begin_layout LyX-Code
+osynctool --discover "sync_ldap_with_evolution"
+\end_layout
+
+\begin_layout Standard
+For the access rules to work the authentication identifier (bind-DN) can
+ be rewritten by these lines in /etc/openldap/slapd.conf:
+\end_layout
+
+\begin_layout LyX-Code
+authz-regexp
+\end_layout
+
+\begin_layout LyX-Code
+ uid=([^,]*),cn=plain,cn=auth
+\end_layout
+
+\begin_layout LyX-Code
+ cn=$1,dc=example,dc=com
+\end_layout
+
+\begin_layout Subsection
+SASL/LOGIN over an encrypted connection
+\end_layout
+
+\begin_layout Standard
+SASL using LOGIN with the password being stored in the sasldb.
+ The default configuration of newer slapd versions does not accept such
+ an insecure authentication method without encryption.
+ See above under
+\begin_inset CommandInset ref
+LatexCommand ref
+reference "sasl_mechanisms_offered_by_slapd"
+
+\end_inset
+
+.
+ As a consequence the ldap plugin must establish an encrypted connection.
+ This can be configured EITHER by setting the option
+\begin_inset Quotes eld
+\end_inset
+
+encryption
+\begin_inset Quotes erd
+\end_inset
+
+ to 1 OR by setting a network connection that leads to a port used for encrypted
+ sessions only:
+\end_layout
+
+\begin_layout LyX-Code
+osynctool --configure "sync_ldap_with_evolution" 2
+\end_layout
+
+\begin_layout LyX-Code
+
+\end_layout
+
+\begin_layout LyX-Code
+(...)
+\end_layout
+
+\begin_layout LyX-Code
+
+\end_layout
+
+\begin_layout LyX-Code
+<AdvancedOption>
+\end_layout
+
+\begin_layout LyX-Code
+ <MaxOccurs>2147483647</MaxOccurs>
+\end_layout
+
+\begin_layout LyX-Code
+ <Max>2147483647</Max>
+\end_layout
+
+\begin_layout LyX-Code
+ <Name>authcid</Name>
+\end_layout
+
+\begin_layout LyX-Code
+ <Type>string</Type>
+\end_layout
+
+\begin_layout LyX-Code
+ <Value>ldap_user</Value>
+\end_layout
+
+\begin_layout LyX-Code
+</AdvancedOption>
+\end_layout
+
+\begin_layout LyX-Code
+<AdvancedOption>
+\end_layout
+
+\begin_layout LyX-Code
+ <MaxOccurs>2147483647</MaxOccurs>
+\end_layout
+
+\begin_layout LyX-Code
+ <Max>2147483647</Max>
+\end_layout
+
+\begin_layout LyX-Code
+ <Name>password</Name>
+\end_layout
+
+\begin_layout LyX-Code
+ <Type>string</Type>
+\end_layout
+
+\begin_layout LyX-Code
+ <Value>secret</Value>
+\end_layout
+
+\begin_layout LyX-Code
+</AdvancedOption>
+\end_layout
+
+\begin_layout LyX-Code
+<AdvancedOption>
+\end_layout
+
+\begin_layout LyX-Code
+ <MaxOccurs>2147483647</MaxOccurs>
+\end_layout
+
+\begin_layout LyX-Code
+ <Max>2147483647</Max>
+\end_layout
+
+\begin_layout LyX-Code
+ <Name>anonymous</Name>
+\end_layout
+
+\begin_layout LyX-Code
+ <Type>string</Type>
+\end_layout
+
+\begin_layout LyX-Code
+ <Value>0</Value>
+\end_layout
+
+\begin_layout LyX-Code
+</AdvancedOption>
+\end_layout
+
+\begin_layout LyX-Code
+<AdvancedOption>
+\end_layout
+
+\begin_layout LyX-Code
+ <MaxOccurs>2147483647</MaxOccurs>
+\end_layout
+
+\begin_layout LyX-Code
+ <Max>2147483647</Max>
+\end_layout
+
+\begin_layout LyX-Code
+ <Name>authmech</Name>
+\end_layout
+
+\begin_layout LyX-Code
+ <Type>string</Type>
+\end_layout
+
+\begin_layout LyX-Code
+ <Value>PLAIN</Value>
+\end_layout
+
+\begin_layout LyX-Code
+</AdvancedOption>
+\end_layout
+
+\begin_layout LyX-Code
+
+\end_layout
+
+\begin_layout LyX-Code
+(...)
+\end_layout
+
+\begin_layout LyX-Code
+
+\end_layout
+
+\begin_layout LyX-Code
+<AdvancedOption>
+\end_layout
+
+\begin_layout LyX-Code
+ <MaxOccurs>2147483647</MaxOccurs>
+\end_layout
+
+\begin_layout LyX-Code
+ <Max>2147483647</Max>
+\end_layout
+
+\begin_layout LyX-Code
+ <Name>encryption</Name>
+\end_layout
+
+\begin_layout LyX-Code
+ <Type>string</Type>
+\end_layout
+
+\begin_layout LyX-Code
+ <Value>1</Value>
+\end_layout
+
+\begin_layout LyX-Code
+</AdvancedOption>
+\end_layout
+
+\begin_layout LyX-Code
+
+\end_layout
+
+\begin_layout LyX-Code
+(...)
+\end_layout
+
+\begin_layout LyX-Code
+
+\end_layout
+
+\begin_layout LyX-Code
+<Connection>
+\end_layout
+
+\begin_layout LyX-Code
+ <ActiveConnection>Network</ActiveConnection>
+\end_layout
+
+\begin_layout LyX-Code
+ <Network>
+\end_layout
+
+\begin_layout LyX-Code
+ <Address>host.example.com</Address>
+\end_layout
+
+\begin_layout LyX-Code
+ <Port>636</Port>
+\end_layout
+
+\begin_layout LyX-Code
+ <Protocol>ldaps</Protocol>
+\end_layout
+
+\begin_layout LyX-Code
+ </Network>
+\end_layout
+
+\begin_layout LyX-Code
+</Connection>
+\end_layout
+
+\begin_layout Standard
+Any configuration setting performed by
+\begin_inset Quotes eld
+\end_inset
+
+osynctool --configure ...
+\begin_inset Quotes erd
+\end_inset
+
+ must additionally be set into effect by:
+\end_layout
+
+\begin_layout LyX-Code
+osynctool --discover "sync_ldap_with_evolution"
+\end_layout
+
+\begin_layout Standard
+For the access rules to work the authentication identifier (bind-DN) can
+ be rewritten by these lines in /etc/openldap/slapd.conf:
+\end_layout
+
+\begin_layout LyX-Code
+authz-regexp
+\end_layout
+
+\begin_layout LyX-Code
+ uid=([^,]*),cn=login,cn=auth
+\end_layout
+
+\begin_layout LyX-Code
+ cn=$1,dc=example,dc=com
+\end_layout
+
+\begin_layout Subsection
+SASL/GSSAPI (KERBEROS V5)
+\end_layout
+
+\begin_layout Standard
+\begin_inset CommandInset label
+LatexCommand label
+name "kerberosv5"
+
+\end_inset
+
+SASL using GSSAPI with the password being stored in the kerberos subsystem.
+ This has the advantage that the password is not sent over the connection
+ to the LDAP server.
+\end_layout
+
+\begin_layout Subsubsection
+Preparing KERBEROS V5
+\end_layout
+
+\begin_layout Paragraph
+DNS configuration
+\end_layout
+
+\begin_layout Standard
+Check resolver settings:
+\end_layout
+
+\begin_layout LyX-Code
+vim /etc/nsswitch.conf
+\end_layout
+
+\begin_layout LyX-Code
+(...)
+\end_layout
+
+\begin_layout LyX-Code
+hosts: files dns
+\end_layout
+
+\begin_layout LyX-Code
+(...)
+\end_layout
+
+\begin_layout Standard
+Add "kerberos" host name to DNS:
+\end_layout
+
+\begin_layout LyX-Code
+vim /etc/hosts
+\end_layout
+
+\begin_layout LyX-Code
+192.168.1.2 host.example.com host www kerberos
+\end_layout
+
+\begin_layout Standard
+Propagate KDCs via SRV record types in terms of RFC 2782:
+\end_layout
+
+\begin_layout LyX-Code
+vim /etc/dnsmasq.conf
+\end_layout
+
+\begin_layout LyX-Code
+srv-host=_kerberos._udp,host.example.com,88
+\end_layout
+
+\begin_layout LyX-Code
+srv-host=_kerberos-master._udp,host.example.com,88
+\end_layout
+
+\begin_layout LyX-Code
+srv-host=_kerberos-adm._tcp,host.example.com,749
+\end_layout
+
+\begin_layout LyX-Code
+srv-host=_kpasswd._udp,host.example.com,464
+\end_layout
+
+\begin_layout Standard
+Make changes effective:
+\end_layout
+
+\begin_layout LyX-Code
+service dnsmasq restart
+\end_layout
+
+\begin_layout Standard
+Test it:
+\end_layout
+
+\begin_layout LyX-Code
+host kerberos
+\end_layout
+
+\begin_layout Paragraph
+Determine realm on a fedora 10 system
+\end_layout
+
+\begin_layout LyX-Code
+vim /etc/sysconfig/krb5kdc
+\end_layout
+
+\begin_layout LyX-Code
+KRB5KDC_ARGS=
+\end_layout
+
+\begin_layout LyX-Code
+KRB5REALM=EXAMPLE.COM
+\end_layout
+
+\begin_layout Paragraph
+Configure main configuration file for kerberos
+\end_layout
+
+\begin_layout LyX-Code
+vim /etc/krb5.conf
+\end_layout
+
+\begin_layout LyX-Code
+[libdefaults]
+\end_layout
+
+\begin_layout LyX-Code
+ default_realm = EXAMPLE.COM
+\end_layout
+
+\begin_layout LyX-Code
+ dns_lookup_realm = false
+\end_layout
+
+\begin_layout LyX-Code
+ dns_lookup_kdc = false
+\end_layout
+
+\begin_layout LyX-Code
+ ticket_lifetime = 24h
+\end_layout
+
+\begin_layout LyX-Code
+ forwardable = yes
+\end_layout
+
+\begin_layout LyX-Code
+
+\end_layout
+
+\begin_layout LyX-Code
+[realms]
+\end_layout
+
+\begin_layout LyX-Code
+ EXAMPLE.COM = {
+\end_layout
+
+\begin_layout LyX-Code
+ kdc = host.example.com:88
+\end_layout
+
+\begin_layout LyX-Code
+ kdc = kerberos.example.com:88
+\end_layout
+
+\begin_layout LyX-Code
+ kdc = localhost.localdomain:88
+\end_layout
+
+\begin_layout LyX-Code
+ kdc = localhost
+\end_layout
+
+\begin_layout LyX-Code
+ admin_server = kerberos.example.com:749
+\end_layout
+
+\begin_layout LyX-Code
+ default_domain = example.com
+\end_layout
+
+\begin_layout LyX-Code
+ }
+\end_layout
+
+\begin_layout LyX-Code
+
+\end_layout
+
+\begin_layout LyX-Code
+[domain_realm]
+\end_layout
+
+\begin_layout LyX-Code
+ .example.com = EXAMPLE.COM
+\end_layout
+
+\begin_layout LyX-Code
+ example.com = EXAMPLE.COM
+\end_layout
+
+\begin_layout LyX-Code
+ localdomain = EXAMPLE.COM
+\end_layout
+
+\begin_layout LyX-Code
+ .localdomain = EXAMPLE.COM
+\end_layout
+
+\begin_layout Paragraph
+Configure configuration file of the KDC, i.e.
+ for issuing tickets per realm
+\end_layout
+
+\begin_layout LyX-Code
+vim /var/kerberos/krb5kdc/kdc.conf
+\end_layout
+
+\begin_layout LyX-Code
+[kdcdefaults]
+\end_layout
+
+\begin_layout LyX-Code
+ v4_mode = nopreauth
+\end_layout
+
+\begin_layout LyX-Code
+ kdc_ports = 88,750
+\end_layout
+
+\begin_layout LyX-Code
+ kdc_tcp_ports = 88
+\end_layout
+
+\begin_layout LyX-Code
+
+\end_layout
+
+\begin_layout LyX-Code
+[realms]
+\end_layout
+
+\begin_layout LyX-Code
+ EXAMPLE.COM = {
+\end_layout
+
+\begin_layout LyX-Code
+ acl_file = /var/kerberos/krb5kdc/kadm5.acl
+\end_layout
+
+\begin_layout LyX-Code
+ dict_file = /usr/share/dict/words
+\end_layout
+
+\begin_layout LyX-Code
+ admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
+\end_layout
+
+\begin_layout LyX-Code
+ supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:norm
+al arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:norma
+l des-cbc-crc:v4 des-cbc-crc:afs3
+\end_layout
+
+\begin_layout LyX-Code
+ }
+\end_layout
+
+\begin_layout Paragraph
+Create the database for this particular realm EXAMPLE.COM and a stash file
+ for the server to authenticate itself using the password
+\begin_inset Quotes eld
+\end_inset
+
+master
+\begin_inset Quotes erd
+\end_inset
+
+
+\end_layout
+
+\begin_layout Standard
+If you choose not to install a stash file, the KDC will prompt you for the
+ master key each time it starts up.
+ This means that the KDC will not be able to start automatically, such as
+ after a system reboot.
+\end_layout
+
+\begin_layout LyX-Code
+kdb5_util create -r EXAMPLE.COM -s
+\end_layout
+
+\begin_layout LyX-Code
+(...)
+\end_layout
+
+\begin_layout LyX-Code
+Enter KDC database master key: master
+\end_layout
+
+\begin_layout LyX-Code
+Re-enter KDC database master key to verify: master
+\end_layout
+
+\begin_layout Paragraph
+Grant administrative access
+\end_layout
+
+\begin_layout LyX-Code
+vim /var/kerberos/krb5kdc/kadm5.acl
+\end_layout
+
+\begin_layout LyX-Code
+*/ad...@EX... *
+\end_layout
+
+\begin_layout Paragraph
+Add administrative principals to the Kerberos database
+\end_layout
+
+\begin_layout LyX-Code
+kadmin.local -q "addprinc root/admin"
+\end_layout
+
+\begin_layout LyX-Code
+(...)
+\end_layout
+
+\begin_layout Paragraph
+Create service principal "ldap/host.example.com"
+\end_layout
+
+\begin_layout LyX-Code
+kadmin.local -q "addprinc ldap/host.example.com"
+\end_layout
+
+\begin_layout LyX-Code
+(...)
+\end_layout
+
+\begin_layout Paragraph
+Create keytab file for service principal "ldap"
+\end_layout
+
+\begin_layout LyX-Code
+kadmin.local -q "ktadd ldap/host.example.com"
+\end_layout
+
+\begin_layout LyX-Code
+(...)
+\end_layout
+
+\begin_layout Paragraph
+Adjust permissions: The keytab file must be readable by the LDAP server
+\end_layout
+
+\begin_layout Standard
+For a dissenting opinion on this (suggests building a second keytab file):
+ Cf.
+
+\begin_inset CommandInset href
+LatexCommand href
+name "http://www.openldap.org/faq/index.cgi?_highlightWords=keytab&file=630"
+target "http://www.openldap.org/faq/index.cgi?_highlightWords=keytab&file=630"
+
+\end_inset
+
+
+\end_layout
+
+\begin_layout LyX-Code
+chown root:ldap /etc/krb5.keytab
+\end_layout
+
+\begin_layout LyX-Code
+chmod g+r /etc/krb5.keytab
+\end_layout
+
+\begin_layout Paragraph
+Create the user principal "ldap_user" with password "secret"
+\end_layout
+
+\begin_layout LyX-Code
+useradd ldap_user
+\end_layout
+
+\begin_layout LyX-Code
+(...)
+\end_layout
+
+\begin_layout LyX-Code
+
+\end_layout
+
+\begin_layout LyX-Code
+passwd ldap_user
+\end_layout
+
+\begin_layout LyX-Code
+(...)
+\end_layout
+
+\begin_layout LyX-Code
+
+\end_layout
+
+\begin_layout LyX-Code
+kadmin.local -q "addprinc ldap_user"
+\end_layout
+
+\begin_layout LyX-Code
+(...)
+\end_layout
+
+\begin_layout Paragraph
+Useful commands
+\end_layout
+
+\begin_layout LyX-Code
+kadmin.local -q "list_principals"
+\end_layout
+
+\begin_layout LyX-Code
+(...)
+\end_layout
+
+\begin_layout LyX-Code
+
+\end_layout
+
+\begin_layout LyX-Code
+ktutil
+\end_layout
+
+\begin_layout LyX-Code
+ktutil: read_kt /etc/krb5.keytab
+\end_layout
+
+\begin_layout LyX-Code
+ktutil: list
+\end_layout
+
+\begin_layout LyX-Code
+(...)
+\end_layout
+
+\begin_layout LyX-Code
+ktutil: quit
+\end_layout
+
+\begin_layout LyX-Code
+
+\end_layout
+
+\begin_layout LyX-Code
+kadmin.local -q "get_principal ldap"
+\end_layout
+
+\begin_layout LyX-Code
+(...)
+\end_layout
+
+\begin_layout LyX-Code
+
+\end_layout
+
+\begin_layout LyX-Code
+kadmin.local -q "get_principal ldap_user"
+\end_layout
+
+\begin_layout LyX-Code
+(...)
+\end_layout
+
+\begin_layout Paragraph
+Adjust SELinux
+\end_layout
+
+\begin_layout LyX-Code
+setsebool -P allow_kerberos 1
+\end_layout
+
+\begin_layout Paragraph
+Start up the kdc on a fedora system
+\end_layout
+
+\begin_layout LyX-Code
+chkconfig --level 345 kadmin on
+\end_layout
+
+\begin_layout LyX-Code
+chkconfig --level 345 krb5kdc on
+\end_layout
+
+\begin_layout LyX-Code
+service krb5kdc start
+\end_layout
+
+\begin_layout LyX-Code
+service kadmin start
+\end_layout
+
+\begin_layout Paragraph
+Kerberos related log files
+\end_layout
+
+\begin_layout LyX-Code
+tail -f /var/log/krb5kdc.log
+\end_layout
+
+\begin_layout LyX-Code
+(...)
+\end_layout
+
+\begin_layout LyX-Code
+
+\end_layout
+
+\begin_layout LyX-Code
+tail -f /var/log/kadmind.log
+\end_layout
+
+\begin_layout LyX-Code
+(...)
+\end_layout
+
+\begin_layout Subsubsection
+Configure the opensync-plugin-ldap:
+\end_layout
+
+\begin_layout LyX-Code
+osynctool --configure "sync_ldap_with_evolution" 2
+\end_layout
+
+\begin_layout LyX-Code
+
+\end_layout
+
+\begin_layout LyX-Code
+(...)
+\end_layout
+
+\begin_layout LyX-Code
+<AdvancedOption>
+\end_layout
+
+\begin_layout LyX-Code
+ <MaxOccurs>2147483647</MaxOccurs>
+\end_layout
+
+\begin_layout LyX-Code
+ <Max>2147483647</Max>
+\end_layout
+
+\begin_layout LyX-Code
+ <Name>authcid</Name>
+\end_layout
+
+\begin_layout LyX-Code
+ <Type>string</Type>
+\end_layout
+
+\begin_layout LyX-Code
+ <Value>ldap_user</Value>
+\end_layout
+
+\begin_layout LyX-Code
+</AdvancedOption>
+\end_layout
+
+\begin_layout LyX-Code
+
+\end_layout
+
+\begin_layout LyX-Code
+(...)
+\end_layout
+
+\begin_layout LyX-Code
+
+\end_layout
+
+\begin_layout LyX-Code
+<AdvancedOption>
+\end_layout
+
+\begin_layout LyX-Code
+ <MaxOccurs>2147483647</MaxOccurs>
+\end_layout
+
+\begin_layout LyX-Code
+ <Max>2147483647</Max>
+\end_layout
+
+\begin_layout LyX-Code
+ <Name>anonymous</Name>
+\end_layout
+
+\begin_layout LyX-Code
+ <Type>string</Type>
+\end_layout
+
+\begin_layout LyX-Code
+ <Value>0</Value>
+\end_layout
+
+\begin_layout LyX-Code
+</AdvancedOption>
+\end_layout
+
+\begin_layout LyX-Code
+<AdvancedOption>
+\end_layout
+
+\begin_layout LyX-Code
+ <MaxOccurs>2147483647</MaxOccurs>
+\end_layout
+
+\begin_layout LyX-Code
+ <Max>2147483647</Max>
+\end_layout
+
+\begin_layout LyX-Code
+ <Name>authmech</Name>
+\end_layout
+
+\begin_layout LyX-Code
+ <Type>string</Type>
+\end_layout
+
+\begin_layout LyX-Code
+ <Value>GSSAPI</Value>
+\end_layout
+
+\begin_layout LyX-Code
+</AdvancedOption>
+\end_layout
+
+\begin_layout Standard
+Any configuration setting performed by
+\begin_inset Quotes eld
+\end_inset
+
+osynctool --configure ...
+\begin_inset Quotes erd
+\end_inset
+
+ must additionally be set into effect by:
+\end_layout
+
+\begin_layout LyX-Code
+osynctool --discover "sync_ldap_with_evolution"
+\end_layout
+
+\begin_layout Standard
+For the access rules to work the authentication identifier (bind-DN) can
+ be rewritten by these lines in /etc/openldap/slapd.conf:
+\end_layout
+
+\begin_layout LyX-Code
+authz-regexp
+\end_layout
+
+\begin_layout LyX-Code
+ uid=([^,]*),cn=gssapi,cn=auth
+\end_layout
+
+\begin_layout LyX-Code
+ cn=$1,dc=example,dc=com
+\end_layout
+
+\begin_layout Subsubsection
+Using KERBEROS with SASL
+\end_layout
+
+\begin_layout Standard
+Retrieve a ticket-granting ticket:
+\end_layout
+
+\begin_layout LyX-Code
+kinit -V ldap_user
+\end_layout
+
+\begin_layout LyX-Code
+Password for lda...@EX...: secret
+\end_layout
+
+\begin_layout LyX-Code
+Authenticated to Kerberos v5
+\end_layout
+
+\begin_layout Standard
+Get to know the expiration date:
+\end_layout
+
+\begin_layout LyX-Code
+klist
+\end_layout
+
+\begin_layout LyX-Code
+(...)
+\end_layout
+
+\begin_layout Standard
+Run osynctool:
+\end_layout
+
+\begin_layout LyX-Code
+osynctool --configure ...
+\end_layout
+
+\begin_layout LyX-Code
+osynctool --discover ...
+\end_layout
+
+\begin_layout LyX-Code
+osynctool --sync ...
+\end_layout
+
+\begin_layout Subsection
+SASL/EXTERNAL using the TLS cert used in a TLS encrypted connection
+\end_layout
+
+\begin_layout Standard
+SASL using the EXTERNAL mechanism with both the identifier and the password
+ being stored in the SSL/TLS subsystem.
+\end_layout
+
+\begin_layout Subsubsection
+Generate server and client certificates
+\end_layout
+
+\begin_layout LyX-Code
+\begin_inset CommandInset label
+LatexCommand label
+name "tls_certs"
+
+\end_inset
+
+cd /etc/openldap/cacerts/
+\end_layout
+
+\begin_layout Standard
+Create server certificate signing request and server key
+\end_layout
+
+\begin_layout LyX-Code
+openssl req -new -nodes -out server.csr -keyout server.key
+\end_layout
+
+\begin_layout Standard
+Sign the server certificate
+\end_layout
+
+\begin_layout LyX-Code
+openssl ca -policy policy_anything -out server.crt -infiles ./server.csr
+\end_layout
+
+\begin_layout Standard
+Display contents of the LDAP server certificate
+\end_layout
+
+\begin_layout LyX-Code
+openssl x509 -text -in server.crt
+\end_layout
+
+\begin_layout Standard
+Create client certificate signing request and client key
+\end_layout
+
+\begin_layout LyX-Code
+openssl req -new -nodes -out client.csr -keyout client.key
+\end_layout
+
+\begin_layout Standard
+Sign the client certificate
+\end_layout
+
+\begin_layout LyX-Code
+openssl ca -out client.crt -infiles ./client.csr
+\end_layout
+
+\begin_layout Standard
+Display contents of the LDAP client certificate
+\end_layout
+
+\begin_layout LyX-Code
+openssl x509 -text -in client.crt
+\end_layout
+
+\begin_layout Subsubsection
+Configuration of the LDAP server
+\end_layout
+
+\begin_layout Standard
+Tell slapd about the TLS key and the TLS certificate:
+\end_layout
+
+\begin_layout LyX-Code
+vim /etc/openldap/slapd.conf
+\end_layout
+
+\begin_layout LyX-Code
+TLSCACertificatePath /etc/openldap/cacerts
+\end_layout
+
+\begin_layout LyX-Code
+TLSCipherSuite HIGH:MEDIUM:+SSLv2:RSA
+\end_layout
+
+\begin_layout LyX-Code
+TLSCertificateFile /etc/openldap/cacerts/server.crt
+\end_layout
+
+\begin_layout LyX-Code
+TLSCertificateKeyFile /etc/openldap/cacerts/server.key
+\end_layout
+
+\begin_layout Standard
+Change slapd start up options on a fedora 10 system
+\end_layout
+
+\begin_layout LyX-Code
+vim /etc/sysconfig/ldap
+\end_layout
+
+\begin_layout LyX-Code
+SLAPD_LDAP=no
+\end_layout
+
+\begin_layout LyX-Code
+SLAPD_LDAPS=yes
+\end_layout
+
+\begin_layout Standard
+For the access rules to work the authentication identifier (bind-DN) can
+ be rewritten by these lines in /etc/openldap/slapd.conf:
+\end_layout
+
+\begin_layout LyX-Code
+authz-regexp
+\end_layout
+
+\begin_layout LyX-Code
+ email=([^@]+)@host
+\backslash
+.([^.]+)
+\backslash
+.([^,]+),cn=host
+\backslash
+.example
+\backslash
+.com,ou=[^#]+[^
+\backslash
+ ]+
+\backslash
+ ldap
+\backslash
+ client
+\backslash
+ [^,]+,o=a
+\backslash
+ private
+\backslash
+ site
+\backslash
+.,st=city,c=us
+\end_layout
+
+\begin_layout LyX-Code
+ cn=$1,dc=$2,dc=$3
+\end_layout
+
+\begin_layout Standard
+Check syntax of slapd.conf
+\end_layout
+
+\begin_layout LyX-Code
+slapd -Ttest
+\end_layout
+
+\begin_layout Subsubsection
+Configuration of the LDAP client side
+\end_layout
+
+\begin_layout LyX-Code
+vim /etc/openldap/ldap.conf
+\end_layout
+
+\begin_layout LyX-Code
+URI ldaps://host.example.com/
+\end_layout
+
+\begin_layout LyX-Code
+BASE dc=example,dc=com
+\end_layout
+
+\begin_layout Standard
+The TLS_* variables MUST NOT be configured in /etc/openldap/ldap.conf.
+\end_layout
+
+\begin_layout Standard
+They MUST be configured in ~/ldaprc or ~/.ldaprc:
+\end_layout
+
+\begin_layout LyX-Code
+vim /home/user1/.ldaprc
+\end_layout
+
+\begin_layout LyX-Code
+TLS_CACERTDIR /etc/openldap/cacerts
+\end_layout
+
+\begin_layout LyX-Code
+TLS_CACERT /etc/openldap/cacerts/server.crt
+\end_layout
+
+\begin_layout LyX-Code
+TLS_CERT /etc/openldap/cacerts/client.crt
+\end_layout
+
+\begin_layout LyX-Code
+TLS_KEY /etc/openldap/cacerts/client.key
+\end_layout
+
+\begin_layout LyX-Code
+TLSCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP
+\end_layout
+
+\begin_layout LyX-Code
+TLS_REQCERT never
+\end_layout
+
+\begin_layout Subsubsection
+Configure the opensync-plugin-ldap
+\end_layout
+
+\begin_layout LyX-Code
+osynctool --configure "sync_ldap_with_evolution" 2
+\end_layout
+
+\begin_layout LyX-Code
+
+\end_layout
+
+\begin_layout LyX-Code
+(...)
+\end_layout
+
+\begin_layout LyX-Code
+
+\end_layout
+
+\begin_layout LyX-Code
+<AdvancedOption>
+\end_layout
+
+\begin_layout LyX-Code
+ <MaxOccurs>2147483647</MaxOccurs>
+\end_layout
+
+\begin_layout LyX-Code
+ <Max>2147483647</Max>
+\end_layout
+
+\begin_layout LyX-Code
+ <Name>anonymous</Name>
+\end_layout
+
+\begin_layout LyX-Code
+ <Type>string</Type>
+\end_layout
+
+\begin_layout LyX-Code
+ <Value>0</Value>
+\end_layout
+
+\begin_layout LyX-Code
+</AdvancedOption>
+\end_layout
+
+\begin_layout LyX-Code
+<AdvancedOption>
+\end_layout
+
+\begin_layout LyX-Code
+ <MaxOccurs>2147483647</MaxOccurs>
+\end_layout
+
+\begin_layout LyX-Code
+ <Max>2147483647</Max>
+\end_layout
+
+\begin_layout LyX-Code
+ <Name>authmech</Name>
+\end_layout
+
+\begin_layout LyX-Code
+ <Type>string</Type>
+\end_layout
+
+\begin_layout LyX-Code
+ <Value>EXTERNAL</Value>
+\end_layout
+
+\begin_layout LyX-Code
+</AdvancedOption>
+\end_layout
+
+\begin_layout LyX-Code
+
+\end_layout
+
+\begin_layout LyX-Code
+(...)
+\end_layout
+
+\begin_layout LyX-Code
+
+\end_layout
+
+\begin_layout LyX-Code
+<AdvancedOption>
+\end_layout
+
+\begin_layout LyX-Code
+ <MaxOccurs>2147483647</MaxOccurs>
+\end_layout
+
+\begin_layout LyX-Code
+ <Max>2147483647</Max>
+\end_layout
+
+\begin_layout LyX-Code
+ <Name>encryption</Name>
+\end_layout
+
+\begin_layout LyX-Code
+ <Type>string</Type>
+\end_layout
+
+\begin_layout LyX-Code
+ <Value>1</Value>
+\end_layout
+
+\begin_layout LyX-Code
+</AdvancedOption>
+\end_layout
+
+\begin_layout LyX-Code
+
+\end_layout
+
+\begin_layout LyX-Code
+(...)
+\end_layout
+
+\begin_layout LyX-Code
+
+\end_layout
+
+\begin_layout LyX-Code
+<Connection>
+\end_layout
+
+\begin_layout LyX-Code
+ <ActiveConnection>Network</ActiveConnection>
+\end_layout
+
+\begin_layout LyX-Code
+ <Network>
+\end_layout
+
+\begin_layout LyX-Code
+ <Address>host.example.com</Address>
+\end_layout
+
+\begin_layout LyX-Code
+ <Port>636</Port>
+\end_layout
+
+\begin_layout LyX-Code
+ <Protocol>ldaps</Protocol>
+\end_layout
+
+\begin_layout LyX-Code
+ </Network>
+\end_layout
+
+\begin_layout LyX-Code
+</Connection>
+\end_layout
+
+\begin_layout Standard
+Any configuration setting performed by
+\begin_inset Quotes eld
+\end_inset
+
+osynctool --configure ...
+\begin_inset Quotes erd
+\end_inset
+
+ must additionally be set into effect by:
+\end_layout
+
+\begin_layout LyX-Code
+osynctool --discover "sync_ldap_with_evolution"
+\end_layout
+
+\begin_layout Part
+Usage
+\end_layout
+
+\begin_layout Section
+Synchronizing between evolution and LDAP
+\end_layout
+
+\begin_layout Standard
+If you want to start from scratch:
+\end_layout
+
+\begin_layout LyX-Code
+osynctool --delgroup "sync_ldap_with_evolution"
+\end_layout
+
+\begin_layout Standard
+The very first configuration step: Choose a name for a particular synchronizatio
+n group:
+\end_layout
+
+\begin_layout LyX-Code
+osynctool --addgroup "sync_ldap_with_evolution"
+\end_layout
+
+\begin_layout Standard
+Which plugins could we use for this synchronization group?
+\end_layout
+
+\begin_layout LyX-Code
+osynctool --listplugins
+\end_layout
+
+\begin_layout LyX-Code
+Available plugins:
+\end_layout
+
+\begin_layout LyX-Code
+ldap-sync
+\end_layout
+
+\begin_layout LyX-Code
+syncml-http-server
+\end_layout
+
+\begin_layout LyX-Code
+syncml-http-client
+\end_layout
+
+\begin_layout LyX-Code
+syncml-obex-client
+\end_layout
+
+\begin_layout LyX-Code
+file-sync
+\end_layout
+
+\begin_layout LyX-Code
+evo2-sync
+\end_layout
+
+\begin_layout Standard
+Here we choose the
+\begin_inset Quotes eld
+\end_inset
+
+evo2-sync
+\begin_inset Quotes erd
+\end_inset
+
+ and the
+\begin_inset Quotes eld
+\end_inset
+
+ldap-sync
+\begin_inset Quotes erd
+\end_inset
+
+ plugin:
+\end_layout
+
+\begin_layout LyX-Code
+osynctool --addmember "sync_ldap_with_evolution" evo2-sync
+\end_layout
+
+\begin_layout LyX-Code
+
+\end_layout
+
+\begin_layout LyX-Code
+osynctool --addmember "sync_ldap_with_evolution" ldap-sync
+\end_layout
+
+\begin_layout Standard
+Which formats are available for configuring each plugin?
+\end_layout
+
+\begin_layout LyX-Code
+osynctool --listformats
+\end_layout
+
+\begin_layout LyX-Code
+(...)
+\end_layout
+
+\begin_layout LyX-Code
+Format: ldap-evolutionperson
+\end_layout
+
+\begin_layout LyX-Code
+ Object Type: contact
+\end_layout
+
+\begin_layout LyX-Code
+Format: ldap-inetorgperson
+\end_layout
+
+\begin_layout LyX-Code
+ Object Type: contact
+\end_layout
+
+\begin_layout LyX-Code
+Format: ldap-event
+\end_layout
+
+\begin_layout LyX-Code
+ Object Type: event
+\end_layout
+
+\begin_layout LyX-Code
+Format: ldap-todo
+\end_layout
+
+\begin_layout LyX-Code
+ Object Type: todo
+\end_layout
+
+\begin_layout LyX-Code
+Format: ldap-note
+\end_layout
+
+\begin_layout LyX-Code
+ Object Type: note
+\end_layout
+
+\begin_layout LyX-Code
+(...)
+\end_layout
+
+\begin_layout Standard
+Configure the evo2-sync plugin:
+\end_layout
+
+\begin_layout LyX-Code
+osynctool --configure "sync_ldap_with_evolution" 1
+\end_layout
+
+\begin_layout LyX-Code
+(...)
+\end_layout
+
+\begin_layout Standard
+Configure the
+\begin_inset Quotes eld
+\end_inset
+
+ldap-sync
+\begin_inset Quotes erd
+\end_inset
+
+ plugin: The following configuration lets only the objtype
+\begin_inset Quotes eld
+\end_inset
+
+contact
+\begin_inset Quotes erd
+\end_inset
+
+ be enabled.
+ It chooses SASL/DIGEST-MD5 as authentication mechanism with the authcid
+ being
+\begin_inset Quotes eld
+\end_inset
+
+ldap_user
+\begin_inset Quotes erd
+\end_inset
+
+ and the password
+\begin_inset Quotes eld
+\end_inset
+
+secret
+\begin_inset Quotes erd
+\end_inset
+
+.
+ It connects to a host
+\begin_inset Quotes eld
+\end_inset
+
+host.example.com
+\begin_inset Quotes erd
+\end_inset
+
+ on port 389 with the protocol
+\begin_inset Quotes eld
+\end_inset
+
+ldap
+\begin_inset Quotes erd
+\end_inset
+
+.
+\end_layout
+
+\begin_layout Standard
+For how to set up an encrypted connection see above
+\begin_inset CommandInset ref
+LatexCommand ref
+reference "encrypted_connection1"
+
+\end_inset
+
+ and ... [truncated message content] |