~akapoor92/ubuntu-docs/fix-for-889089

* General:
  - Fixes to scripts/fix-url.sh (including LP: #482862)
  - Fix character encoding in contributors.xml (LP: #448618)
  - Updated version in browser-startpage html files, LP: #526320
  - Refresh pot files
* Add-applications:
  - Updates for UI changes, Phil Bull
* Config-desktop:
  - Added topic on changing window buttons from the left, Phil Bull
* Hardware:
  - Added mention of gsynaptics, Connor Imes, LP: #450567
* Internet:
  - Refresh list of plugins supplied by ubuntu-restricted-extras, branch
    from Nathan Murray, LP: #504981
  - Updates to reflect that Ekiga no longer installed by default, Connor Imes,
    LP: #508572
  - Grammar fix from Alex Wardle, LP: #517776
  - Order adjustment for shares-admin usage, Alex Wardle, LP: #518119
  - Button name change for shares-admin app, Alex Wardle, LP: #518170
  - Use unlock icon in networking section, Alex Wardle, LP: #518117
  - Updated directions on changing text size and page zooming in firefox,
    Alison Rowland, LP: #512556
  - Fixed guilabel usage in modem section. Alex Wardle, LP: #521243
  - Updated button and tab names in Static Connections section,
    Alex Wardle, LP: #521508
  - Typo fix in adsl section. Alex Wardle, LP: #525349
  - Removed unused and empty basics.xml, LP: #525431
  - Minor wording update to directions for sharing folders via nautilus,
    Connor Imes, LP: #518175
  - Use 'NetworkManager' not 'Network Manager' for consistency, Connor Imes
    LP: #518107
  - Update to troubleshooting mobile devices, Connor Imes, LP: #453459
  - Adjusted description of NetworkManager applet icons, Connor Imes
    LP: #440826
  - Additions to VPN section of connecting guide, Alex Wardle, LP: #452647
  - Expanded on using config files for vpn connections, Connor Imes
  - Command line substitution for Services utility which is not in Karmic or
    Lucid, Connor Imes, LP: #518460
  - Structural and language changes + updates for UI changes, Phil Bull
* Musicvideophotos:
  - Added section for recording and editing video, Book 'em Dano, LP: #367569
* Newtoubuntu:
  - Complete rewrite, Matthew East
* Printing:
  - Simple Scan replaced xsane for scanning documents, Alex Wardle, LP: #546193
* Serverguide:
  - Rename link to serverguide in advanced-topics.xml, Gilbert
    Mendoza, LP: #505708
  - Use distro-short-codename variable for vmbuilder documentation in
    serverguide rather than static version example, Connor Imes,. LP: #509653
  - Small fixes to security chapter, Connor Imes, LP: #510703
  - Small fixes from Nathan Handler, LP: #507624
  - Configuration change for OpenLDAP, Connor Imes, LP: #511090
  - Refresh of network-config section, Gilbert Mendoza, LP: #506800
  - Update manpage links to use distro-short-codename, Connor Imes
  - Changed OpenLDAP replication to use single Provider/Consumer configuration,
    Adam Sommer
  - Removed grub-password-security section - it does not apply to Grub2,
    Gilbert Mendoza, LP: #384148
  - Reference Grub2 community doc page for advanced configuration directions,
    Connor Imes, LP: #437446
  - Added necessary configuration options for apt Periodic in automatic-updates
    section, Connor Imes, LP: #532661
  - Added subsections for consumer and provider configuration steps, Adam Sommer
  - Changed TLS Replication section to use Single-Master scheme, Adam Sommer
  - Clarified Postfix TLS/SSL using a CA configuration steps, Adam Sommer,
    LP: #518289
  - Changed Apache2 Subversion configuration to use VirtualHost file instead
    of apache2.conf, Adam Sommer, LP: #515298.
  - Adding Ubuntu Wiki links to each section's Resources subsection, Adam Sommer
  - Added note in mail section about some packages being in multiverse,
    Connor Imes, LP: #509355
  - Use default serverguide index.html file location for accessing serverguide
    in terminal, Connor Imes, LP: #537167#
  - Updated to use Grub2 directions, Connor Imes, LP: #533582
  - Updated MySQL information for mysql-server-5.1, Adam Sommer
  - Replaced screen-profiles with byobu project, Adam Sommer
  - Changed egrep command with kvm-ok script, Adam Sommer
  - Removed references to likewise-open5, Adam Sommer
  - Add reporting-bugs.xml - Steve Beattie
  - Replaced Eucalyptus section with information on UEC, Adam Sommer
  - Updated command and configuration mistakes in vpn.xml, Adam Sommer
    LP: #489819
  - Replaced update-motd section with newer pam_motd, Adam Sommer, LP: #496184
  - Updated LocalSettings.php command for new file path, and recommending upping
    the memory limit based on feedback from Cornelius Brümmer, Adam Sommer
  - Updated Installation section for Lucid, and added row seperator for UEC
    requirement tables, Adam Sommer
  - Changed OpenLDAP TLS/SSL options to use gnutls to create certificate instead
    of OpenSSL, Adam Sommer
* Switching/Windows:
  - Updated dualboot section to use startupmanager for changing
    boot options (valid for Grub and Grub2), Connor Imes
  - Fixed 'Ubuntu Ubuntu' typo, Alex Wardle, LP: #526083
  - Removed old string from Windows section and copied correct string to
    Switching guide, Connor Imes, LP: #527905
  - Split off directions for exporting favorites in IE8. Broke different
    IE versions down into subsections, Connor Imes, LP: #528808

files added:
libs/img/applications-office.svg

libs/img/dialog-password.png

libs/img/distributor-logo.svg

libs/img/empathy.png

libs/img/evolution.svg

libs/img/f-spot.png

libs/img/firefox-3.5.png

libs/img/gnome-apt.svg

libs/img/gnome-help.svg

libs/img/gnome-netstatus-disconn.svg

libs/img/gnome-volume-control.svg

libs/img/network-wired.svg

libs/img/network-wireless.svg

libs/img/rhythmbox.png

libs/img/ubuntuone-client.png

libs/img/update-manager.svg

serverguide/C/reporting-bugs.xml

files removed:
internet/C/basics.xml

files modified:
Makefile

about-ubuntu/po/about-ubuntu.pot

add-applications/C/add-applications.xml

add-applications/po/add-applications.pot

administrative/po/administrative.pot

advanced-topics/C/advanced-topics.xml

advanced-topics/po/advanced-topics.pot

basic-commands/po/basic-commands.pot

browser-startpage/README

browser-startpage/index-ar.html

browser-startpage/index-ca.html

browser-startpage/index-cs_CZ.html

browser-startpage/index-da.html

browser-startpage/index-de.html

browser-startpage/index-es.html

browser-startpage/index-eu.html

browser-startpage/index-fi_FI.html

browser-startpage/index-fr.html

browser-startpage/index-fr_CA.html

browser-startpage/index-gl.html

browser-startpage/index-he_IL.html

browser-startpage/index-hu_HU.html

browser-startpage/index-it_IT.html

browser-startpage/index-ja_JP.html

browser-startpage/index-ka_GE.html

browser-startpage/index-ko.html

browser-startpage/index-ku.html

browser-startpage/index-lt.html

browser-startpage/index-nl.html

browser-startpage/index-pl_PL.html

browser-startpage/index-pt.html

browser-startpage/index-pt_BR.html

browser-startpage/index-ru_RU.html

browser-startpage/index-sk.html

browser-startpage/index-sv_SE.html

browser-startpage/index-uk.html

browser-startpage/index-zh_CN.html

browser-startpage/index-zh_TW.html

browser-startpage/index.html

config-desktop/C/config-desktop.xml

config-desktop/po/config-desktop.pot

debian/changelog

desktop-effects/po/desktop-effects.pot

files-and-docs/po/files-and-docs.pot

games/po/games.pot

hardware/C/hardware.xml

hardware/po/hardware.pot

internet/C/adsl.xml

internet/C/connecting.xml

internet/C/disconnecting.xml

internet/C/faq.xml

internet/C/information.xml

internet/C/internet.xml

internet/C/modem.xml

internet/C/networking.xml

internet/C/nm.xml

internet/C/troubleshooting.xml

internet/C/web-apps.xml

internet/po/internet.pot

keeping-safe/C/keeping-safe.xml

keeping-safe/po/keeping-safe.pot

libs/C/contributors.xml

libs/global.ent

libs/gnome-menus-C.ent

libs/ubuntu-banner.xsl

musicvideophotos/C/video.xml

musicvideophotos/po/musicvideophotos.pot

newtoubuntu/C/newtoubuntu.xml

newtoubuntu/po/newtoubuntu.pot

office/po/office.pot

printing/C/printing.xml

printing/po/printing.pot

scripts/fix-urls.sh

serverguide/C/backups.xml

serverguide/C/chat.xml

serverguide/C/clustering.xml

serverguide/C/databases.xml

serverguide/C/dns.xml

serverguide/C/file-server.xml

serverguide/C/installation.xml

serverguide/C/introduction.xml

serverguide/C/lamp-applications.xml

serverguide/C/mail.xml

serverguide/C/monitoring.xml

serverguide/C/network-auth.xml

serverguide/C/network-config.xml

serverguide/C/other-apps.xml

serverguide/C/package-management.xml

serverguide/C/remote-administration.xml

serverguide/C/security.xml

serverguide/C/serverguide.xml

serverguide/C/vcs.xml

serverguide/C/virtualization.xml

serverguide/C/vpn.xml

serverguide/C/web-servers.xml

serverguide/C/windows-networking.xml

serverguide/po/serverguide.pot

switching/C/applications.xml

switching/C/dualboot.xml

switching/C/preparing.xml

usb-creator/po/usb-creator.pot

windows/C/preparing.xml

windows/po/windows.pot

Show diffs side-by-side

added added

removed removed

serverguide/C/network-auth.xml

<para>

The backend <emphasis>cn=config</emphasis> directory has only a minimal configuration and will

need additional options in order to populate the frontend directory. The frontend will be populated

need additional configuration options in order to populate the frontend directory. The frontend will be populated

with a "classical" scheme that will be compatible with address book applications and with Unix Posix

accounts. Posix accounts will allow authentication to various applications, such as web

applications, email Mail Transfer Agent (MTA) applications, etc.

144

olcDbIndex: objectClass eq

145

olcLastMod: TRUE

146

olcDbCheckpoint: 512 30

147

olcAccess: to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * none

147

olcAccess: to attrs=userPassword by dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * none

148

olcAccess: to attrs=shadowLastChange by self write by * read

148

149

olcAccess: to dn.base="" by * read

149

150

olcAccess: to * by dn="cn=admin,dc=example,dc=com" write by * read

150

151

354

355

SASL SSF: 0

355

356

<userinput>dn: olcDatabase={1}hdb,cn=config

356

357

add: olcDbIndex

357

olcDbIndex: entryUUID eq</userinput>

358

olcDbIndex: uidNumber eq</userinput>

358

359

360

modifying entry "olcDatabase={1}hdb,cn=config"

360

361

</computeroutput>

518

519

</sect2>

519

520

521

521

<title>LDAP replication</title>

522

<title>LDAP Replication</title>

522

523

524

<para>

524

525

LDAP often quickly becomes a highly critical service to the network. Multiple systems

528

529

530

<para>

530

531

Replication is achieved using the <emphasis>Syncrepl</emphasis> engine. Syncrepl allows the

531

directory to be synced using either a <emphasis>push</emphasis> or <emphasis>pull</emphasis> based

532

system. In a push based configuration a <quote>primary</quote> server will push directory updates

533

to <quote>secondary</quote> servers, while a pull based approach allows replication servers to sync on

534

a time based interval.

535

</para>

536

537

<para>

538

The following is an example of a <emphasis>Multi-Master</emphasis> configuration. In this configuration each

539

OpenLDAP server is configured for both <emphasis>push</emphasis> and <emphasis>pull</emphasis> replication.

540

</para>

532

changes to be synced using a <emphasis>consumer</emphasis>, <emphasis>provider</emphasis> model.

533

A provider sends directory changes to consumers.

534

</para>

535

536

537

<title>Provider Configuration</title>

538

539

<para>

540

The following is an example of a <emphasis>Single-Master</emphasis> configuration. In this configuration one

541

OpenLDAP server is configured as a <emphasis>provider</emphasis> and another as a <emphasis>consumer</emphasis>.

542

</para>

541

543

542

544

543

545

<step>

544

546

545

547

<para>

546

First, configure the server to sync the <emphasis>cn=config</emphasis> database. Copy the following to a

547

file named <filename>syncrepl_cn-config.ldif</filename>:

548

First, configure the provider server. Copy the following to a

549

file named <filename>provider_sync.ldif</filename>:

548

550

</para>

549

551

550

552

553

# Add indexes to the frontend db.

554

dn: olcDatabase={1}hdb,cn=config

555

changetype: modify

556

add: olcDbIndex

557

olcDbIndex: entryCSN eq

558

559

add: olcDbIndex

560

olcDbIndex: entryUUID eq

561

562

#Load the syncprov and accesslog modules.

551

563

dn: cn=module{0},cn=config

552

564

changetype: modify

553

565

add: olcModuleLoad

554

566

olcModuleLoad: syncprov

555

556

dn: cn=config

557

changetype: modify

558

replace: olcServerID

559

olcServerID: 1 ldap://ldap01.example.com

560

olcServerID: 2 ldap://ldap02.example.com

561

562

dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config

563

changetype: add

564

objectClass: olcOverlayConfig

565

objectClass: olcSyncProvConfig

566

olcOverlay: syncprov

567

568

dn: olcDatabase={0}config,cn=config

569

changetype: modify

570

add: olcSyncRepl

571

olcSyncRepl: rid=001 provider=ldap://ldap01.example.com binddn="cn=admin,cn=config" bindmethod=simple

572

credentials=secret searchbase="cn=config" type=refreshAndPersist

573

retry="5 5 300 5" timeout=1

574

olcSyncRepl: rid=002 provider=ldap://ldap02.example.com binddn="cn=admin,cn=config" bindmethod=simple

575

credentials=secret searchbase="cn=config" type=refreshAndPersist

576

retry="5 5 300 5" timeout=1

577

578

add: olcMirrorMode

579

olcMirrorMode: TRUE

580

581

add: olcRootPW

582

olcRootPW: secret

583

</programlisting>

567

568

add: olcModuleLoad

569

olcModuleLoad: accesslog

570

571

# Accesslog database definitions

572

dn: olcDatabase={2}hdb,cn=config

573

objectClass: olcDatabaseConfig

574

objectClass: olcHdbConfig

575

olcDatabase: {2}hdb

576

olcDbDirectory: /var/lib/ldap/accesslog

577

olcSuffix: cn=accesslog

578

olcRootDN: cn=admin,dc=example,dc=com

579

olcDbIndex: default eq

580

olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart

581

582

# Accesslog db syncprov.

583

dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config

584

changetype: add

585

objectClass: olcOverlayConfig

586

objectClass: olcSyncProvConfig

587

olcOverlay: syncprov

588

olcSpNoPresent: TRUE

589

olcSpReloadHint: TRUE

590

591

# syncrepl Provider for primary db

592

dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config

593

changetype: add

594

objectClass: olcOverlayConfig

595

objectClass: olcSyncProvConfig

596

olcOverlay: syncprov

597

olcSpNoPresent: TRUE

598

599

# accesslog overlay definitions for primary db

600

dn: olcOverlay=accesslog,olcDatabase={1}hdb,cn=config

601

objectClass: olcOverlayConfig

602

objectClass: olcAccessLogConfig

603

olcOverlay: accesslog

604

olcAccessLogDB: cn=accesslog

605

olcAccessLogOps: writes

606

olcAccessLogSuccess: TRUE

607

# scan the accesslog DB every day, and purge entries older than 7 days

608

olcAccessLogPurge: 07+00:00 01+00:00

609

</programlisting>

610

611

</step>

612

<step>

613

614

<para>

615

The <application>AppArmor</application> profile for <application>slapd</application> will need to be adjusted for the

616

accesslog database location. Edit <filename>/etc/apparmor.d/usr.sbin.slapd</filename> adding:

617

</para>

618

619

620

/var/lib/ldap/accesslog/ r,

621

/var/lib/ldap/accesslog/** rwk,

622

</programlisting>

623

624

<para>

625

Then create the directory, reload the <application>apparmor</application> profile, and copy

626

the <filename>DB_CONFIG</filename> file:

627

</para>

628

629

630

<command>sudo -u openldap mkdir /var/lib/ldap/accesslog</command>

631

<command>sudo -u openldap cp /var/lib/ldap/DB_CONFIG /var/lib/ldap/accesslog/</command>

632

<command>sudo /etc/init.d/apparmor reload</command>

633

</screen>

584

634

585

635

<note>

586

636

<para>

587

Change <emphasis>secret</emphasis> to an appropriate password for the admin user.

637

Using the <emphasis>-u openldap</emphasis> option with the <application>sudo</application> commands above

638

removes the need to adjust permissions for the new directory later.

588

639

</para>

589

640

</note>

590

591

</step>

592

<step>

593

594

<para>

595

Edit the file changing:

596

</para>

597

598

599

600

<para>

601

<emphasis>ldap://ldap01.example.com</emphasis> and <emphasis>ldap://ldap02.example.com</emphasis>

602

to the hostnames of your LDAP servers.

603

</para>

604

<note>

605

<para>

606

You can have more than two LDAP servers, and when a change is made to one of them it will by synced

607

to the rest. Be sure to increment the <emphasis>olcServerID</emphasis> for each server, and the

608

<emphasis>rid</emphasis> for each <emphasis>olcSyncRepl</emphasis> entry.

609

</para>

610

</note>

611

</listitem>

612

613

<para>

614

And adjust <emphasis>credentials=secret</emphasis> to match your admin password.

615

</para>

616

</listitem>

617

</itemizedlist>

618

619

</step>

620

<step>

621

622

623

<para>

624

Next, add the LDIF file using the <application>ldapmodify</application> utility:

625

</para>

626

627

628

<command>sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f syncrepl_cn-config.ldif</command>

629

</screen>

630

631

</step>

632

<step>

633

<para>

634

On the second LDAP server, <emphasis>ldap02.example.com</emphasis> in this case, add the additional schema files:

641

642

</step>

643

<step>

644

645

<para>

646

Edit the file and change the <emphasis>olcRootDN</emphasis> to match your directory:

647

</para>

648

649

650

olcRootDN: cn=admin,dc=example,dc=com

651

</programlisting>

652

653

</step>

654

<step>

655

656

657

<para>

658

Next, add the LDIF file using the <application>ldapadd</application> utility:

659

</para>

660

661

662

<command>sudo ldapadd -Y EXTERNAL -H ldapi:/// -f provider_sync.ldif</command>

663

</screen>

664

665

</step>

666

<step>

667

668

669

<para>

670

Restart <application>slapd</application>:

671

</para>

672

673

674

<command>sudo /etc/init.d/slapd restart</command>

675

</screen>

676

677

</step>

678

</procedure>

679

680

<para>

681

The <emphasis>Provider</emphasis> server is now configured, and it is time to configure a <emphasis>Consumer</emphasis>

682

server.

683

</para>

684

685

</sect3>

686

687

<title>Consumer Configuration</title>

688

689

690

<step>

691

692

<para>

693

On the <emphasis>Consumer</emphasis> server configure it the same as the <emphasis>Provider</emphasis> except for the

694

<emphasis>Syncrepl</emphasis> configuration steps.

695

</para>

696

697

<para>

698

Add the additional schema files:

635

699

</para>

636

700

637

701

641

705

</screen>

642

706

643

707

<para>

644

Also, load the <emphasis>cn=module</emphasis> object. Create a <filename>module.ldif</filename> with the

645

following contents:

708

Also, create, or copy from the provider server, the <filename>backend.example.com.ldif</filename>

646

709

</para>

647

710

648

711

652

715

cn: module

653

716

olcModulepath: /usr/lib/ldap

654

717

olcModuleload: back_hdb

718

719

# Database settings

720

dn: olcDatabase=hdb,cn=config

721

objectClass: olcDatabaseConfig

722

objectClass: olcHdbConfig

723

olcDatabase: {1}hdb

724

olcSuffix: dc=example,dc=com

725

olcDbDirectory: /var/lib/ldap

726

olcRootDN: cn=admin,dc=example,dc=com

727

olcRootPW: secret

728

olcDbConfig: set_cachesize 0 2097152 0

729

olcDbConfig: set_lk_max_objects 1500

730

olcDbConfig: set_lk_max_locks 1500

731

olcDbConfig: set_lk_max_lockers 1500

732

olcDbIndex: objectClass eq

733

olcLastMod: TRUE

734

olcDbCheckpoint: 512 30

735

olcAccess: to attrs=userPassword by dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * none

736

olcAccess: to attrs=shadowLastChange by self write by * read

737

olcAccess: to dn.base="" by * read

738

olcAccess: to * by dn="cn=admin,dc=example,dc=com" write by * read

655

739

</programlisting>

656

740

657

741

<para>

659

743

</para>

660

744

661

745

662

<command>sudo ldapadd -Y EXTERNAL -H ldapi:/// -f module.ldif</command>

663

</screen>

664

665

</step>

666

<step>

667

668

<para>

669

Now copy the <filename>syncrepl_cn-config.ldif</filename> file to the next LDAP server and add it to the directory:

670

</para>

671

672

673

<command>sudo ldapadd -Y EXTERNAL -H ldapi:/// -f syncrepl_cn-config.ldif</command>

674

</screen>

675

676

</step>

677

<step>

678

679

<para>

680

Because a new module has been added, the <application>slapd</application> daemon, on all replicated

681

servers, needs to be restarted:

682

</para>

683

684

685

<command>sudo /etc/init.d/slapd restart</command>

686

</screen>

687

688

</step>

689

<step>

690

691

<para>

692

To Test that the <emphasis>cn=config</emphasis> directory is being synced add another index to the frontend directory:

693

</para>

694

695

696

<command>sudo ldapmodify -Y EXTERNAL -H ldapi:///</command>

697

</screen>

698

699

700

701

SASL/EXTERNAL authentication started

702

SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

703

SASL SSF: 0

704

<userinput>dn: olcDatabase={1}hdb,cn=config

705

add: olcDbIndex

706

olcDbIndex: cn eq,pres,sub</userinput>

707

708

modifying entry "olcDatabase={1}hdb,cn=config"

709

</computeroutput>

710

</screen>

711

712

713

</step>

714

<step>

715

716

<para>

717

Now that the configuration directory is synced between servers, the <emphasis>frontend</emphasis>

718

database needs to be synced as well. Copy and paste the following into another LDIF file named

719

<filename>syncrepl_frontend.ldif</filename>:

746

<command>sudo ldapadd -Y EXTERNAL -H ldapi:/// -f backend.example.com.ldif</command>

747

</screen>

748

749

</step>

750

<step>

751

752

<para>

753

Do the same with the <filename>frontend.example.com.ldif</filename> file listed above, and add it:

754

</para>

755

756

757

<command>sudo ldapadd -x -D cn=admin,dc=example,dc=com -W -f frontend.example.com.ldif</command>

758

</screen>

759

760

<para>

761

The two severs should now have the same configuration except for the <emphasis>Syncrepl</emphasis>

762

options.

763

</para>

764

765

</step>

766

<step>

767

768

<para>

769

Now create a file named <filename>consumer_sync.ldif</filename> containing:

720

770

</para>

721

771

722

772

773

#Load the syncprov module.

774

dn: cn=module{0},cn=config

775

changetype: modify

776

add: olcModuleLoad

777

olcModuleLoad: syncprov

778

779

# syncrepl specific indices

723

780

dn: olcDatabase={1}hdb,cn=config

724

781

changetype: modify

782

add: olcDbIndex

783

olcDbIndex: entryUUID eq

784

725

785

add: olcSyncRepl

726

olcSyncRepl: rid=003 provider=ldap://ldap01.example.com binddn="cn=admin,dc=example,dc=com"

727

bindmethod=simple credentials=secret searchbase="dc=example,dc=com" type=refreshOnly

728

interval=00:00:00:10 retry="5 5 300 5" timeout=1

729

olcSyncRepl: rid=004 provider=ldap://ldap02.example.com binddn="cn=admin,dc=example,dc=com"

730

bindmethod=simple credentials=secret searchbase="dc=example,dc=com" type=refreshOnly

731

interval=00:00:00:10 retry="5 5 300 5" timeout=1

786

olcSyncRepl: rid=0 provider=ldap://ldap01.example.com bindmethod=simple binddn="cn=admin,dc=example,dc=com"

787

credentials=secret searchbase="dc=example,dc=com" logbase="cn=accesslog"

788

logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" schemachecking=on

789

type=refreshAndPersist retry="60 +" syncdata=accesslog

732

790

733

add: olcMirrorMode

734

olcMirrorMode: TRUE

735

736

dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config

737

changetype: add

738

objectClass: olcOverlayConfig

739

objectClass: olcSyncProvConfig

740

olcOverlay: syncprov

791

add: olcUpdateRef

792

olcUpdateRef: ldap://ldap01.example.com

741

793

</programlisting>

742

794

743

</step>

744

<step>

745

746

795

<para>

747

Like the previous LDIF file, edit this one changing:

796

You will probably want to change the following attributes:

748

797

</para>

749

798

750

799

751

752

<para>

753

<emphasis>searchbase="dc=example,dc=com"</emphasis> to your directory's searchbase.

754

</para>

755

</listitem>

756

757

<para>

758

If you use a different admin user, change <emphasis>binddn="cn=admin,dc=example,dc=com"</emphasis>.

759

</para>

760

</listitem>

761

762

<para>

763

Also, replace <emphasis>credentials=secret</emphasis> with your admin password.

764

</para>

765

</listitem>

800

<listitem><para><emphasis>ldap01.example.com</emphasis> to your server's hostname.</para></listitem>

801

<listitem><para><emphasis>binddn</emphasis></para></listitem>

802

<listitem><para><emphasis>credentials</emphasis></para></listitem>

803

<listitem><para><emphasis>searchbase</emphasis></para></listitem>

804

<listitem><para><emphasis>olcUpdateRef:</emphasis></para></listitem>

766

805

</itemizedlist>

767

806

768

807

</step>

769

808

<step>

770

809

771

810

<para>

772

Add the LDIF file:

811

Add the LDIF file to the configuration tree:

773

812

</para>

774

813

775

814

776

<command>ldapmodify -x -D cn=admin,cn=config -W -f syncrepl_frontend.ldif</command>

815

<command>sudo ldapadd -c -Y EXTERNAL -H ldapi:/// -f consumer_sync.ldif</command>

777

816

</screen>

778

817

779

<para>

780

Because the servers' configuration is already synced there is no need to copy this LDIF

781

file to the other servers.

782

</para>

783

784

818

</step>

785

819

</procedure>

786

820

787

821

<para>

788

The configuration and backend databases should now sycnc to the other servers. You can add additional servers using the

789

<application>ldapmodify</application> utility as the need arises. See <xref linkend="openldap-configuration"/> for details.

822

The frontend database should now sync between servers. You can add additional servers using the

823

steps above as the need arises.

790

824

</para>

791

825

792

826

<note>

797

831

with a line similar to: <programlisting>127.0.0.1 ldap01.example.com ldap01</programlisting>.

798

832

</para>

799

833

</note>

800

834

835

</sect3>

801

836

</sect2>

802

837

803

838

839

874

</para>

840

875

841

876

<para>

842

The first step in the process is to obtain or create a <emphasis>certificate</emphasis>. See <xref linkend="certificates-and-security"/>

843

and <xref linkend="certificate-authority"/> for details.

877

The first step in the process is to obtain or create a <emphasis>certificate</emphasis>. Because <application>slapd</application>

878

is compiled using the <application>gnutls</application> library, the <application>certtool</application> utility will be

879

used to create certificates.

844

880

</para>

881

882

883

<step>

884

885

<para>

886

First, install <application>gnutls-bin</application> by entering the following in a terminal:

887

</para>

888

889

890

<command>sudo apt-get install gnutls-bin</command>

891

</screen>

892

893

</step>

894

<step>

895

896

<para>

897

Next, create a private key for the <emphasis>Certificate Authority</emphasis> (CA):

898

</para>

899

900

901

<command>sudo sh -c "certtool --generate-privkey > /etc/ssl/private/cakey.pem"</command>

902

</screen>

903

904

</step>

905

<step>

906

907

<para>

908

Create a <filename>/etc/ssl/ca.info</filename> details file to self-sign the CA certificate containing:

909

</para>

910

911

912

cn = Example Company

913

914

cert_signing_key

915

</programlisting>

916

917

</step>

918

<step>

919

920

<para>

921

Now create the self-signed CA certificate:

922

</para>

923

924

925

<command>sudo certtool --generate-self-signed --load-privkey /etc/ssl/private/cakey.pem \

926

--template /etc/ssl/ca.info --outfile /etc/ssl/certs/cacert.pem</command>

927

</screen>

928

929

</step>

930

<step>

931

932

<para>

933

Make a private key for the server:

934

</para>

935

936

937

<command>sudo sh -c "certtool --generate-privkey > /etc/ssl/private/ldap01_slapd_key.pem"</command>

938

</screen>

939

940

<note>

941

<para>

942

Replace <emphasis>ldap01</emphasis> in the filename with your server's hostname. Naming the certificate and key for the host

943

and service that will be using them will help keep filenames and paths straight.

944

</para>

945

</note>

946

947

</step>

948

<step>

949

950

<para>

951

To sign the server's certificate with the CA, create the <filename>/etc/ssl/ldap01.info</filename> info file containing:

952

</para>

953

954

955

organization = Example Company

956

cn = ldap01.example.com

957

tls_www_server

958

encryption_key

959

signing_key

960

</programlisting>

961

962

</step>

963

<step>

964

965

<para>

966

Create the server's certificate:

967

</para>

968

969

970

<command>sudo certtool --generate-certificate --load-privkey /etc/ssl/private/x01-test_slapd_key.pem \

971

--load-ca-certificate /etc/ssl/certs/cacert.pem --load-ca-privkey /etc/ssl/private/cakey.pem \

972

--template /etc/ssl/x01-test.info --outfile /etc/ssl/certs/x01-test_slapd_cert.pem</command>

973

</screen>

974

975

</step>

976

</procedure>

845

977

846

978

<para>

847

979

Once you have a certificate, key, and CA cert installed, use <application>ldapmodify</application> to add the new

849

981

</para>

850

982

851

983

852

<command>ldapmodify -x -D cn=admin,cn=config -W</command>

984

<command>sudo ldapmodify -Y EXTERNAL -H ldapi:///</command>

853

985

</screen>

854

986

855

987

859

991

olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem

860

992

861

993

add: olcTLSCertificateFile

862

olcTLSCertificateFile: /etc/ssl/certs/server.crt

994

olcTLSCertificateFile: /etc/ssl/certs/ldap01_slapd_cert.pem

863

995

864

996

add: olcTLSCertificateKeyFile

865

olcTLSCertificateKeyFile: /etc/ssl/private/server.key</userinput>

997

olcTLSCertificateKeyFile: /etc/ssl/private/ldap01_slapd_key.pem</userinput>

866

998

867

999

modifying entry "cn=config"

868

1000

</computeroutput>

870

1002

871

1003

<note>

872

1004

<para>

873

Adjust the <filename>server.crt</filename>, <filename>server.key</filename>, and <filename>cacert.pem</filename>

874

names if yours are different. If you have a self-signed

875

certificate, do <emphasis>NOT</emphasis> add the olcTLSCACertificateFile property, as it will cause GnuTLS to fail..

1005

Adjust the <filename>ldap01_slapd_cert.pem</filename>, <filename>ldap01_slapd_key.pem</filename>, and

1006

<filename>cacert.pem</filename> names if yours are different.

876

1007

</para>

877

1008

</note>

878

1009

890

1021

891

1022

892

1023

<command>sudo adduser openldap ssl-cert</command>

893

<command>sudo chgrp ssl-cert /etc/ssl/private/server.key</command>

894

<command>sudo chmod g+r /etc/ssl/private/server.key</command>

1024

<command>sudo chgrp ssl-cert /etc/ssl/private/ldap01_slapd_key.pem</command>

1025

<command>sudo chmod g+r /etc/ssl/private/ldap01_slapd_key.pem</command>

895

1026

</screen>

896

1027

897

1028

<note>

936

1067

</para>

937

1068

938

1069

<para>

939

After setting up replication, and following the instructions in <xref linkend="openldap-tls"/>, there are a couple of

940

consequences that should be kept in mind:

941

</para>

942

943

944

945

<para>

946

The configuration only needs to be modified on <emphasis>one</emphasis> server.

947

</para>

948

</listitem>

949

950

<para>

951

The path names for the <emphasis>certificate</emphasis> and <emphasis>key</emphasis> must be the

952

same on all servers.

953

</para>

954

</listitem>

955

</itemizedlist>

956

957

<para>

958

So on each replicated server: install a certificate, edit <filename>/etc/default/slapd</filename>, and

959

restart <application>slapd</application>.

960

</para>

961

962

<para>

963

Once <emphasis>TLS</emphasis> has been setup on each server, modify the <emphasis>cn=config</emphasis> replication

964

by entering the following in a terminal:

965

</para>

966

967

968

<command>ldapmodify -x -D cn=admin,cn=config -W</command>

969

</screen>

970

971

972

<computeroutput>Enter LDAP Password:

973

<userinput>dn: olcDatabase={0}config,cn=config

974

replace: olcSyncrepl

975

olcSyncrepl: {0}rid=001 provider=ldap://ldap01.example.com binddn="cn=admin,cn

976

=config" bindmethod=simple credentials=secret searchbase="cn=config" type=refre

977

shAndPersist retry="5 5 300 5" timeout=1 starttls=yes

978

olcSyncrepl: {1}rid=002 provider=ldap://ldap02.example.com binddn="cn=admin,cn

979

=config" bindmethod=simple credentials=secret searchbase="cn=config" type=refre

980

shAndPersist retry="5 5 300 5" timeout=1 starttls=yes</userinput>

981

982

modifying entry "olcDatabase={0}config,cn=config"

983

</computeroutput>

984

</screen>

985

986

<para>

987

Now adjust the <emphasis>backend</emphasis> database replication:

988

</para>

989

990

991

<command>ldapmodify -x -D cn=admin,cn=config -W</command>

1070

Assuming you have followed the above instructions and created a CA certificate and server certificate on the

1071

<emphasis>Provider</emphasis> server. Follow the following instructions to create a certificate and key for the

1072

<emphasis>Consumer</emphasis> server.

1073

</para>

1074

1075

1076

<step>

1077

1078

<para>

1079

Create a new key for the Consumer server:

1080

</para>

1081

1082

1083

<command>mkdir ldap02-ssl</command>

1084

1085

<command>certtool --generate-privkey > ldap02_slapd_key.pem</command>

1086

</screen>

1087

1088

<note>

1089

<para>

1090

Creating a new directory is not strictly necessary, but it will help keep things organized and make it easier to copy the

1091

files to the Consumer server.

1092

</para>

1093

</note>

1094

1095

</step>

1096

<step>

1097

1098

<para>

1099

Next, create an info file, <filename>ldap02.info</filename> for the Consumer server, changing the attributes to match your

1100

locality and server:

1101

</para>

1102

1103

1104

country = US

1105

state = North Carolina

1106

locality = Winston-Salem

1107

organization = Example Company

1108

cn = ldap02.salem.edu

1109

tls_www_client

1110

encryption_key

1111

signing_key

1112

</programlisting>

1113

1114

</step>

1115

<step>

1116

1117

<para>

1118

Create the certificate:

1119

</para>

1120

1121

1122

<command>sudo certtool --generate-certificate --load-privkey ldap02_slapd_key.pem \

1123

--load-ca-certificate /etc/ssl/certs/cacert.pem --load-ca-privkey /etc/ssl/private/cakey.pem \

1124

--template ldap02.info --outfile ldap02_slapd_cert.pem</command>

1125

</screen>

1126

1127

</step>

1128

<step>

1129

1130

<para>

1131

Copy the <filename>cacert.pem</filename> to the dicretory:

1132

</para>

1133

1134

1135

<command>cp /etc/ssl/certs/cacert.pem .</command>

1136

</screen>

1137

1138

</step>

1139

<step>

1140

1141

<para>

1142

The only thing left is to copy the <filename>ldap02-ssl</filename> directory to the Consumer server, then copy

1143

<filename>ldap02_slapd_cert.pem</filename> and <filename>cacert.pem</filename> to <filename>/etc/ssl/certs</filename>,

1144

and copy <filename>ldap02_slapd_key.pem</filename> to <filename>/etc/ssl/private</filename>.

1145

</para>

1146

1147

</step>

1148

<step>

1149

1150

<para>

1151

Once the files are in place adjust the <emphasis>cn=config</emphasis> tree by entering:

1152

</para>

1153

1154

1155

<command>sudo ldapmodify -Y EXTERNAL -H ldapi:///</command>

992

1156

</screen>

993

1157

994

1158

995

1159

<computeroutput>Enter LDAP Password:

996

<userinput>dn: olcDatabase={1}hdb,cn=config

1160

<userinput>dn: cn=config

1161

add: olcTLSCACertificateFile

1162

olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem

1163

1164

add: olcTLSCertificateFile

1165

olcTLSCertificateFile: /etc/ssl/certs/ldap02_slapd_cert.pem

1166

1167

add: olcTLSCertificateKeyFile

1168

olcTLSCertificateKeyFile: /etc/ssl/private/ldap02_slapd_key.pem</userinput>

1169

1170

modifying entry "cn=config"

1171

</computeroutput>

1172

</screen>

1173

1174

</step>

1175

<step>

1176

1177

<para>

1178

As with the Provider you can now edit <filename>/etc/default/slapd</filename> and add the <emphasis>ldaps:///</emphasis>

1179

parameter to the <emphasis>SLAPD_SERVICES</emphasis> option.

1180

</para>

1181

1182

</step>

1183

</procedure>

1184

1185

<para>

1186

Now that <emphasis>TLS</emphasis> has been setup on each server, once again modify the <emphasis>Consumer</emphasis> server's

1187

<emphasis>cn=config</emphasis> tree by entering the following in a terminal:

1188

</para>

1189

1190

1191

<command>sudo ldapmodify -Y EXTERNAL -H ldapi:///</command>

1192

</screen>

1193

1194

1195

<computeroutput>SASL/EXTERNAL authentication started

1196

SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

1197

SASL SSF: 0

1198

1199

dn: olcDatabase={1}hdb,cn=config

997

1200

replace: olcSyncrepl

998

olcSyncrepl: {0}rid=003 provider=ldap://ldap01.example.com binddn="cn=admin,dc=example,dc=

999

com" bindmethod=simple credentials=secret searchbase="dc=example,dc=com" type=r

1000

efreshOnly interval=00:00:00:10 retry="5 5 300 5" timeout=1 starttls=yes

1001

olcSyncrepl: {1}rid=004 provider=ldap://ldap02.example.com binddn="cn=admin,dc=example,dc=

1002

com" bindmethod=simple credentials=secret searchbase="dc=example,dc=com" type=r

1003

efreshOnly interval=00:00:00:10 retry="5 5 300 5" timeout=1 starttls=yes</userinput>

1201

olcSyncrepl: {0}rid=0 provider=ldap://ldap01.example.com bindmethod=simple binddn="cn=ad

1202

min,dc=example,dc=com" credentials=secret searchbase="dc=example,dc=com" logbas

1203

e="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" s

1204

chemachecking=on type=refreshAndPersist retry="60 +" syncdata=accesslog starttls=yes</userinput>

1004

1205

1005

modifying entry "olcDatabase={1}hdb,cn=config"</computeroutput>

1206

modifying entry "olcDatabase={1}hdb,cn=config"

1207

</computeroutput>

1006

1208

</screen>

1007

1209

1008

1210

<para>

1011

1213

</para>

1012

1214

1013

1215

1014

TLS_CERT /etc/ssl/certs/server.crt

1015

TLS_KEY /etc/ssl/private/server.key

1216

TLS_CERT /etc/ssl/certs/ldap02_slapd_cert.pem

1217

TLS_KEY /etc/ssl/private/ldap02_slapd_key.pem

1016

1218

TLS_CACERT /etc/ssl/certs/cacert.pem

1017

1219

</programlisting>

1018

1220

1329

1531

<title>Resources</title>

1330

1532

1331

1533

1332

<para>

1534

<para>

1535

The <ulink url="https://help.ubuntu.com/community/OpenLDAPServer">OpenLDAP Ubuntu Wiki</ulink> page has more details.

1536

</para>

1537

</listitem>

1538

1539

<para>

1333

1540

For more information see <ulink url="http://www.openldap.org/">OpenLDAP Home Page</ulink>

1334

1541

</para>

1335

1542

</listitem>

1793

2000

etc.

1794

2001

</para>

1795

2002

</listitem>

2003

2004

<para>

2005

Also, there is a list of

2006

<ulink url="https://help.ubuntu.com/community/Samba#samba-ldap">Ubuntu wiki</ulink> articles with more information.

2007

</para>

2008

</listitem>

1796

2009

</itemizedlist>

1797

2010

</sect2>

1798

2011

</sect1>

2373

2586

</listitem>

2374

2587

2375

2588

<para>

2589

The <ulink url="https://help.ubuntu.com/community/Kerberos">Ubuntu Wiki Kerberos</ulink> page has more details.

2590

</para>

2591

</listitem>

2592

2593

<para>

2376

2594

O'Reilly's <ulink url="http://oreilly.com/catalog/9780596004033/">Kerberos: The Definitive Guide</ulink> is a great reference when

2377

2595

setting up Kerberos.

2378

2596

</para>

2880

3098

For more information on <application>kdb5_ldap_util</application> see

2881

3099

2882

3100

Section 5.6</ulink> and the

2883

<ulink url="http://manpages.ubuntu.com/manpages/jaunty/en/man8/kdb5_ldap_util.8.html">kdb5_ldap_util man page</ulink>.

2884

</para>

2885

</listitem>

2886

2887

<para>

2888

Another useful link is the <ulink url="http://manpages.ubuntu.com/manpages/jaunty/en/man5/krb5.conf.5.html">krb5.conf man page</ulink>.

3101

<ulink url="http://manpages.ubuntu.com/manpages/&distro-short-codename;/en/man8/kdb5_ldap_util.8.html">kdb5_ldap_util man page</ulink>.

3102

</para>

3103

</listitem>

3104

3105

<para>

3106

Another useful link is the <ulink url="http://manpages.ubuntu.com/manpages/&distro-short-codename;/en/man5/krb5.conf.5.html">krb5.conf man page</ulink>.

3107

</para>

3108

</listitem>

3109

3110

<para>

3111

Also, see the <ulink url="https://help.ubuntu.com/community/Kerberos#kerberos-ldap">Kerberos and LDAP</ulink> Ubuntu wiki page.

2889

3112

</para>

2890

3113

</listitem>

2891

3114

</itemizedlist>

Older »