[1662] | 1 | How to migrate from SSL authentication to GSSAPI authentication |
---|
| 2 | =============================================================== |
---|
| 3 | |
---|
| 4 | :author: Edward Z. Yang <ezyang> |
---|
| 5 | :author: Geoffrey Thomas <geofft> |
---|
| 6 | |
---|
| 7 | NOTE: This document is strictly for HISTORICAL purposes. It may |
---|
| 8 | come in handy if you ever need to migrate from SSL to GSSAPI on |
---|
| 9 | another LDAP setup, though! This assumes that ldap service keytabs |
---|
| 10 | are setup properly on all hosts involved. |
---|
| 11 | |
---|
| 12 | ---- |
---|
| 13 | |
---|
| 14 | On $CONSUMER (e.g. real-mccoy.mit.edu) |
---|
| 15 | |
---|
| 16 | To cn=replica,cn="dc=scripts,dc=mit,dc=edu",cn=mapping tree,cn=config: |
---|
| 17 | Add nsDS5ReplicaBindDN: uid=ldap/$PRODUCER,ou=People,dc=scripts,dc=mit,dc=edu |
---|
| 18 | This tells the CONSUMER to accept replication pushes from PRODUCER. |
---|
| 19 | However, PRODUCER is not configured yet, so you should keep |
---|
| 20 | the cn=repman,cn=config entry which is old style. |
---|
| 21 | |
---|
| 22 | Create uid=ldap/$PRODUCER,ou=People,dc=scripts,dc=mit,dc=edu |
---|
| 23 | uid: ldap/$PRODUCER |
---|
| 24 | objectClass: account |
---|
| 25 | objectClass: top |
---|
| 26 | This creates the LDAP user entry for GSSAPI authentication via the |
---|
| 27 | service keytab of LDAP replication. This information /is/ |
---|
| 28 | replicated, so if you felt like it you could create entries for all |
---|
| 29 | PRODUCERS (which, in full multimaster replication, is all servers.) |
---|
| 30 | |
---|
| 31 | ---- |
---|
| 32 | |
---|
| 33 | On $PRODUCER (e.g. cats-whiskers.mit.edu) |
---|
| 34 | You will destroy and recreate a replication agreement (well, |
---|
| 35 | actually, ldapvi will attempt to create and then destroy the old |
---|
| 36 | agreement). |
---|
| 37 | |
---|
| 38 | To cn="SSL Replication to $CONSUMER",cn=replica,cn="dc=scripts,dc=mit,dc=edu",cn=mapping tree,cn=config |
---|
| 39 | Replace all instances of "SSL Replication" to "GSSAPI Replication" |
---|
| 40 | Replace the number on the entry with 'add'; to indicate destroy/recreate |
---|
| 41 | Replace nsDS5ReplicaBindDN: uid=ldap/cats-whiskers.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu |
---|
| 42 | (instead of cn=repman,cn=config) |
---|
| 43 | Replace nsDS5ReplicaTransportInfo: LDAP |
---|
| 44 | (instead of SSL) |
---|
| 45 | Replace nsDS5ReplicaPort: 389 |
---|
| 46 | (instead of 636) |
---|
| 47 | Replace nsDS5ReplicaBindMethod: SASL/GSSAPI |
---|
| 48 | (instead of simple) |
---|
| 49 | Remove nsDS5ReplicaCredentials |
---|
| 50 | |
---|
| 51 | Here are some search-replace lines that will probably do what you want, |
---|
| 52 | but be sure to double check how many substitutions were made. '<,'> lines |
---|
| 53 | should exclude the cn=replica section. |
---|
| 54 | |
---|
| 55 | # n = NUMBER OF SERVERS - 1 = 4 |
---|
| 56 | # n*3 substitutions |
---|
| 57 | :%s/SSL Replication/GSSAPI Replication/g |
---|
| 58 | # n substitutions |
---|
| 59 | :'<,'>s/cn=repman,cn=config/uid=ldap\/$HOST,ou=People,dc=scripts,dc=mit,dc=edu/g |
---|
| 60 | :%s/simple/SASL\/GSSAPI/ |
---|
| 61 | :%s/nsDS5ReplicaPort: 636/nsDS5ReplicaPort: 389/ |
---|
| 62 | :%s/SSL/LDAP/g |
---|
| 63 | :%s/^nsDS5ReplicaCredentials.\+\n//g |
---|
| 64 | :'<,'>s/^nsds5replicareapactive: 0\n//g |
---|
| 65 | :%s/^[1-9] /add /g # fix if more than 9 servers |
---|
| 66 | |
---|
| 67 | There is some cleanup that needs to happen after these values change; |
---|
| 68 | I had luck forcibly rebooting the servers and making LDAP cleanup |
---|
| 69 | after an unclean shutdown. You can tell if this cleanup is necessary |
---|
| 70 | if LDAP refuses to start replication sessions. This issue is known to |
---|
| 71 | clear up after several reboots or by destroying and recreating all |
---|
| 72 | replicas. |
---|
| 73 | |
---|
| 74 | ---- |
---|
| 75 | |
---|
| 76 | Once everything is on the new replication and you verify it's working |
---|
| 77 | correctly, you should then clean out the SSL configuration (most |
---|
| 78 | notably, turn nsslapd-security off. Despite its ominous name, it only |
---|
| 79 | controls SSL authentication, not GSSAPI authentication.) You will need |
---|
| 80 | to take the server offline to do that; edit |
---|
| 81 | /etc/dirsrv/slapd-scripts/dse.ldif |
---|
| 82 | |
---|
| 83 | When that's gone, there may be some vestigial SSL configuration left. |
---|
| 84 | Scripts specifically had the following sections that needed to be |
---|
| 85 | cleaned up: |
---|
| 86 | |
---|
| 87 | cn=RSA,cn=encryption,cn=config |
---|
| 88 | (whole thing) |
---|
| 89 | cn=encryption,cn=config |
---|
| 90 | nsSSL3: on [change to off] |
---|
| 91 | nsSSL3Ciphers: +rsa_rc4_128_md5 [delete] |
---|
| 92 | cn=config |
---|
| 93 | nsslapd-sslclientauth: on [change to off] |
---|