secrets_ldb = Ldb(path, session_info=session_info, credentials=credentials,
lp=lp)
secrets_ldb.load_ldif_file_add(setup_path("secrets.ldif"))
+
+ if credentials.authentication_requested:
+ if credentials.get_bind_dn() is not None:
+ setup_add_ldif(secrets_ldb, setup_path("secrets_simple_ldap.ldif"), {
+ "LDAPMANAGERDN": credentials.get_bind_dn(),
+ "LDAPMANAGERPASS_B64": b64encode(credentials.get_password())
+ })
+ else:
+ setup_add_ldif(secrets_ldb, setup_path("secrets_sasl_ldap.ldif"), {
+ "LDAPADMINUSER": credentials.get_username(),
+ "LDAPADMINREALM": credentials.get_realm(),
+ "LDAPADMINPASS_B64": b64encode(credentials.get_password())
+ })
+
return secrets_ldb
domain_oc = "samba4LocalDomain"
setup_add_ldif(samdb, setup_path("provision_basedn.ldif"), {
- "DOMAINDN": names.domaindn,
- "ACI": aci,
- "DOMAIN_OC": domain_oc
- })
+ "DOMAINDN": names.domaindn,
+ "ACI": aci,
+ "DOMAIN_OC": domain_oc
+ })
message("Modifying DomainDN: " + names.domaindn + "")
if domainguid is not None:
"DOMAINDN": names.domaindn,
"CONFIGDN": names.configdn,
"SCHEMADN": names.schemadn,
- "LDAPMANAGERDN": names.ldapmanagerdn,
- "LDAPMANAGERPASS": adminpass,
"MEMBEROF_CONFIG": memberof_config})
setup_file(setup_path("modules.conf"), paths.modulesconf,
{"REALM": names.realm})
- setup_db_config(setup_path, os.path.join(paths.ldapdir, os.path.join("db", "user")))
- setup_db_config(setup_path, os.path.join(paths.ldapdir, os.path.join("db", "config")))
- setup_db_config(setup_path, os.path.join(paths.ldapdir, os.path.join("db", "schema")))
+ setup_db_config(setup_path, os.path.join(paths.ldapdir, "db", "user"))
+ setup_db_config(setup_path, os.path.join(paths.ldapdir, "db", "config"))
+ setup_db_config(setup_path, os.path.join(paths.ldapdir, "db", "schema"))
+
+ if not os.path.exists(os.path.join(paths.ldapdir, "db", "samba", "cn=samba")):
+ os.makedirs(os.path.join(paths.ldapdir, "db", "samba", "cn=samba"))
+
+ setup_file(setup_path("cn=samba.ldif"),
+ os.path.join(paths.ldapdir, "db", "samba", "cn=samba.ldif"),
+ { "UUID": str(uuid.uuid4()),
+ "LDAPTIME": timestring(int(time.time()))} )
+ setup_file(setup_path("cn=samba-admin.ldif"),
+ os.path.join(paths.ldapdir, "db", "samba", "cn=samba", "cn=samba-admin.ldif"),
+ {"LDAPADMINPASS_B64": b64encode(adminpass),
+ "UUID": str(uuid.uuid4()),
+ "LDAPTIME": timestring(int(time.time()))} )
+
+#"LDAPMANAGERDN": names.ldapmanagerdn,
+
+
mapping = "schema-map-openldap-2.3"
backend_schema = "backend-schema.schema"
pidfile ${LDAPDIR}/slapd.pid
argsfile ${LDAPDIR}/slapd.args
sasl-realm ${DNSDOMAIN}
-access to * by * write
-allow update_anon
+#authz-regexp
+# uid=([^,]*),cn=${DNSDOMAIN},cn=digest-md5,cn=auth
+# ldap:///${DOMAINDN}??sub?(samAccountName=\$1)
-authz-regexp
- uid=([^,]*),cn=${DNSDOMAIN},cn=digest-md5,cn=auth
- ldap:///${DOMAINDN}??sub?(samAccountName=\$1)
+#authz-regexp
+# uid=([^,]*),cn=([^,]*),cn=digest-md5,cn=auth
+# ldap:///${DOMAINDN}??sub?(samAccountName=\$1)
authz-regexp
uid=([^,]*),cn=([^,]*),cn=digest-md5,cn=auth
- ldap:///${DOMAINDN}??sub?(samAccountName=\$1)
+ ldap:///cn=samba??one?(cn=\$1)
+
+authz-regexp
+ uid=([^,]*),cn=([^,]*),cn=ntlm,cn=auth
+ ldap:///cn=samba??one?(cn=\$1)
+
+access to dn.base=""
+ by dn=cn=samba-admin,cn=samba manage
+ by anonymous read
+ by * read
+
+access to dn.subtree="cn=samba"
+ by anonymous auth
+
+access to dn.subtree="${DOMAINDN}"
+ by dn=cn=samba-admin,cn=samba manage
+ by * read
+
+password-hash {CLEARTEXT}
include ${LDAPDIR}/modules.conf
${MEMBEROF_CONFIG}
+database ldif
+suffix cn=Samba
+directory ${LDAPDIR}/db/samba
+
+
database hdb
suffix ${SCHEMADN}
directory ${LDAPDIR}/db/schema
index nETBIOSName eq
index cn eq
-rootdn ${LDAPMANAGERDN}
-rootpw ${LDAPMANAGERPASS}
-
#syncprov is stable in OpenLDAP 2.3, and available in 2.2.
#We only need this for the contextCSN attribute anyway....
overlay syncprov