source: trunk/server/doc/ldap-kerberos-replication.txt @ 2163

Last change on this file since 2163 was 1693, checked in by ezyang, 13 years ago
Merge Fedora 13 development back to trunk.
How to migrate from SSL authentication to GSSAPI authentication
===============================================================

    :author: Edward Z. Yang <ezyang>
    :author: Geoffrey Thomas <geofft>

NOTE: This document is strictly for HISTORICAL purposes.  It may
come in handy if you ever need to migrate from SSL to GSSAPI on
another LDAP setup, though!  This assumes that ldap service keytabs
are set up properly on all hosts involved.

----

On $CONSUMER (e.g. real-mccoy.mit.edu)

To cn=replica,cn="dc=scripts,dc=mit,dc=edu",cn=mapping tree,cn=config:
Add nsDS5ReplicaBindDN: uid=ldap/$PRODUCER,ou=People,dc=scripts,dc=mit,dc=edu
    This tells the CONSUMER to accept replication pushes from PRODUCER
    when it binds as its ldap/$PRODUCER service principal.  However,
    PRODUCER is not configured yet, so you should keep the old-style
    cn=repman,cn=config bind DN alongside it for now.

Create uid=ldap/$PRODUCER,ou=People,dc=scripts,dc=mit,dc=edu
uid: ldap/$PRODUCER
objectClass: account
objectClass: top
    This creates the LDAP user entry that GSSAPI authentication via the
    LDAP service keytab maps to.  This information /is/ replicated, so
    if you felt like it you could create entries for all PRODUCERS
    (which, in full multimaster replication, means every server).

----

On $PRODUCER (e.g. cats-whiskers.mit.edu)
    You will destroy and recreate each replication agreement (well,
    actually, ldapvi will create the new agreement and then destroy
    the old one).

To cn="SSL Replication to $CONSUMER",cn=replica,cn="dc=scripts,dc=mit,dc=edu",cn=mapping tree,cn=config
Replace all instances of "SSL Replication" with "GSSAPI Replication"
Replace the entry number ldapvi shows on the entry with 'add', to indicate destroy/recreate
Replace nsDS5ReplicaBindDN: uid=ldap/cats-whiskers.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu
    (instead of cn=repman,cn=config; this is the PRODUCER's own ldap/
    principal, the one whose keytab it will authenticate with)
Replace nsDS5ReplicaTransportInfo: LDAP
    (instead of SSL)
Replace nsDS5ReplicaPort: 389
    (instead of 636)
Replace nsDS5ReplicaBindMethod: SASL/GSSAPI
    (instead of simple)
Remove nsDS5ReplicaCredentials
    (the simple-bind password; it has no use once the bind is GSSAPI)

Here are some search-replace lines that will probably do what you want,
but be sure to double check how many substitutions were made against the
counts in the comments (in particular, :%s/SSL/LDAP/g hits every
remaining "SSL" in the buffer).  The '<,'> lines operate on a visual
selection, which should exclude the cn=replica entry: its
nsDS5ReplicaBindDN: cn=repman,cn=config must stay until every PRODUCER
has been converted.  $HOST below is the PRODUCER's own hostname.

    # n = NUMBER OF SERVERS - 1 = 4
    # n*3 substitutions
    :%s/SSL Replication/GSSAPI Replication/g
    # n substitutions
    :'<,'>s/cn=repman,cn=config/uid=ldap\/$HOST,ou=People,dc=scripts,dc=mit,dc=edu/g
    :%s/simple/SASL\/GSSAPI/
    :%s/nsDS5ReplicaPort: 636/nsDS5ReplicaPort: 389/
    :%s/SSL/LDAP/g
    :%s/^nsDS5ReplicaCredentials.\+\n//g
    :'<,'>s/^nsds5replicareapactive: 0\n//g
    :%s/^[1-9] /add /g   # fix if more than 9 servers

There is some cleanup that needs to happen after these values change;
I had luck forcibly rebooting the servers and making LDAP clean up
after an unclean shutdown.  You can tell if this cleanup is necessary
if LDAP refuses to start replication sessions.  This issue is known to
clear up after several reboots or by destroying and recreating all
replicas.

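The CONSUMER and PRODUCER steps above, as an added worked example (this is not part of the original document, nor scripts.mit.edu's own tooling): a Python script that emits the CONSUMER-side LDIF for ldapmodify and rewrites the PRODUCER-side agreements on an LDIF dump of the cn=replica subtree instead of interactively in ldapvi, so that every substitution is checked before anything is written back. It assumes the dc=scripts,dc=mit,dc=edu suffix and the uid=ldap/$PRODUCER,ou=People naming used in this document; the sample entries are constructed, and the credentials value in them is a placeholder.

```python
# Added example (not the document's own tooling): do the SSL -> GSSAPI rewrite on
# LDIF text instead of inside ldapvi so every change is checked before ldapmodify
# writes it back.  Names follow the document; the sample entries are constructed.
import re

SUFFIX = "dc=scripts,dc=mit,dc=edu"
REPLICA_DN = 'cn=replica,cn="%s",cn=mapping tree,cn=config' % SUFFIX

def parse_ldif(text):
    # Entries are separated by blank lines; each becomes a list of (attribute, value).
    return [[tuple(s.strip() for s in line.partition(":")[::2])
             for line in block.splitlines() if line and not line.startswith("#")]
            for block in re.split(r"\n[ \t]*\n", text.strip())]

def to_ldif(entries):
    return "\n\n".join("\n".join("%s: %s" % kv for kv in e) for e in entries) + "\n"

def get(entry, attr):
    return [v for a, v in entry if a.lower() == attr.lower()]

def bind_dn(producer):
    # Entry the ldap/$PRODUCER service principal maps to (document's naming).
    return "uid=ldap/%s,ou=People,%s" % (producer, SUFFIX)

def consumer_ldif(producers):
    """CONSUMER side: accept GSSAPI pushes from each PRODUCER and create the
    account for its ldap/ principal.  cn=repman,cn=config is not removed here."""
    out = ["dn: " + REPLICA_DN, "changetype: modify", "add: nsDS5ReplicaBindDN"]
    out += ["nsDS5ReplicaBindDN: " + bind_dn(p) for p in producers]
    for p in producers:
        out += ["", "dn: " + bind_dn(p), "changetype: add",
                "uid: ldap/" + p, "objectClass: account", "objectClass: top"]
    return "\n".join(out) + "\n"

NEW_VALUES = {"nsds5replicatransportinfo": "LDAP",       # instead of SSL
              "nsds5replicaport": "389",                 # instead of 636
              "nsds5replicabindmethod": "SASL/GSSAPI"}   # instead of simple

def convert_agreement(entry, producer):
    """PRODUCER side: rewrite one 'SSL Replication to X' agreement for GSSAPI."""
    new = []
    for attr, value in entry:
        key = attr.lower()
        if key == "nsds5replicacredentials":
            continue                            # the simple-bind password goes away
        if key in ("dn", "cn"):
            value = value.replace("SSL Replication", "GSSAPI Replication")
        elif key == "nsds5replicabinddn":
            value = bind_dn(producer)           # instead of cn=repman,cn=config
        else:
            value = NEW_VALUES.get(key, value)
        new.append((attr, value))
    return new

def agreement_problems(entry):
    """Post-conditions an agreement must meet before it is written back."""
    problems = [a + " is not " + v for a, v in NEW_VALUES.items() if get(entry, a) != [v]]
    if get(entry, "nsds5replicacredentials"):
        problems.append("credentials still present")
    if any("SSL" in v or "cn=repman" in v for _, v in entry):
        problems.append("an SSL-era value survived")
    return problems

def convert_producer(ldif_text, producer, expected):
    """Convert every agreement under cn=replica (cn=replica itself passes through
    untouched); fail unless exactly `expected` agreements converted cleanly."""
    result, converted = [], 0
    for entry in parse_ldif(ldif_text):
        dn = get(entry, "dn")[0]
        if dn != REPLICA_DN and "SSL Replication to " in dn:
            entry = convert_agreement(entry, producer)
            problems = agreement_problems(entry)
            if problems:
                raise ValueError("%s: %s" % (get(entry, "dn")[0], "; ".join(problems)))
            converted += 1
        result.append(entry)
    if converted != expected:     # expected = NUMBER OF SERVERS - 1 in full multimaster
        raise ValueError("converted %d agreements, expected %d" % (converted, expected))
    return to_ldif(result)

# Constructed sample of cats-whiskers' cn=replica subtree: the replica entry (kept
# as-is) and one old-style SSL agreement; the credentials value is a placeholder.
SAMPLE = """\
dn: %s
nsDS5ReplicaBindDN: cn=repman,cn=config

dn: cn="SSL Replication to real-mccoy.mit.edu",%s
cn: SSL Replication to real-mccoy.mit.edu
nsDS5ReplicaHost: real-mccoy.mit.edu
nsDS5ReplicaBindDN: cn=repman,cn=config
nsDS5ReplicaTransportInfo: SSL
nsDS5ReplicaPort: 636
nsDS5ReplicaBindMethod: simple
nsDS5ReplicaCredentials: {DES}placeholder
""" % (REPLICA_DN, REPLICA_DN)

if __name__ == "__main__":
    print(consumer_ldif(["cats-whiskers.mit.edu"]))
    print(convert_producer(SAMPLE, "cats-whiskers.mit.edu", expected=1))
```

convert_producer refuses to emit output unless exactly n agreements were converted and each one passes the post-conditions (no credentials left, no leftover SSL or cn=repman value, SASL/GSSAPI over plain LDAP on 389); that is the manual "double check how many substitutions were made" step made mechanical. The cn=replica entry is passed through unchanged, so its cn=repman,cn=config bind DN survives until every PRODUCER has been switched, exactly as the CONSUMER step above requires.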
----

Once everything is on the new replication and you have verified it is
working correctly, you should then clean out the SSL configuration (most
notably, turn nsslapd-security off.  Despite its ominous name, it only
controls SSL, not GSSAPI authentication.)  You will need to take the
server offline to do that; edit
/etc/dirsrv/slapd-scripts/dse.ldif

When that's gone, there may be some vestigial SSL configuration left.
Scripts specifically had the following sections that needed to be
cleaned up:

    cn=RSA,cn=encryption,cn=config
        (whole thing)
    cn=encryption,cn=config
        nsSSL3: on [change to off]
        nsSSL3Ciphers: +rsa_rc4_128_md5 [delete]
    cn=config
        nsslapd-sslclientauth: on [change to off]