[3351] | 1 | #===================================================== |
---|
| 2 | # |
---|
| 3 | # (c) 2008 Darin Perusich <darin _AT_ darins _DOT_ net> |
---|
| 4 | # |
---|
| 5 | # This program is free software: you can redistribute it and/or modify |
---|
| 6 | # it under the terms of the GNU General Public License as published by |
---|
| 7 | # the Free Software Foundation, either version 3 of the License, or |
---|
| 8 | # (at your option) any later version. |
---|
| 9 | # |
---|
| 10 | # This program is distributed in the hope that it will be useful, |
---|
| 11 | # but WITHOUT ANY WARRANTY; without even the implied warranty of |
---|
| 12 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
---|
| 13 | # GNU General Public License for more details. |
---|
| 14 | # |
---|
| 15 | # You should have received a copy of the GNU General Public License |
---|
| 16 | # along with this program. If not, see <http://www.gnu.org/licenses/>. |
---|
| 17 | # |
---|
| 18 | #===================================================== |
---|
| 19 | |
---|
[3342] | 20 | Documentation : |
---|
| 21 | --------------- |
---|
| 22 | |
---|
| 23 | Schema Modifications : |
---|
| 24 | ---------------------- |
---|
| 25 | |
---|
| 26 | pykota-schema-sunds.ldif : |
---|
| 27 | |
---|
[3351] | 28 | This file can be used to extend the schema for |
---|
| 29 | Sun Directory Server to add the necessary object classes |
---|
| 30 | and attribute type for use with PyKota. |
---|
[3342] | 31 | |
---|
[3351] | 32 | To extend the schema: |
---|
[3342] | 33 | |
---|
[3351] | 34 | % ldapmodify -h ldap.domain.com -D "cn=Directory Manager" -f pykota-schema-sunds.ldif |
---|
[3342] | 35 | |
---|
[3351] | 36 | Sun Directory Server will replicate schema changes in a |
---|
| 37 | multi-master replication environment. |
---|
[3342] | 38 | |
---|
| 39 | Database Indexes : |
---|
| 40 | ------------------ |
---|
| 41 | |
---|
| 42 | pykota-sunds-indexes.ldif : |
---|
| 43 | |
---|
[3351] | 44 | Creating indexes while not mandatory will speed up queries |
---|
| 45 | to the PyKota objects. This will setup the following indexes: |
---|
[3342] | 46 | |
---|
[3351] | 47 | pykotaUserName: presence, equality, substring |
---|
| 48 | pykotaGroupName: presence, equality, substring |
---|
| 49 | pykotaPrinterName: presence, equality, substring |
---|
| 50 | pykotaBillingCode: presence, equality, substring |
---|
| 51 | pykotaLastJobIdent: equality |
---|
[3342] | 52 | |
---|
[3351] | 53 | To define the indexes: |
---|
[3342] | 54 | |
---|
[3351] | 55 | % ldapmodify -a -h ldap.domain.com -D "cn=Directory Manager" -f pykota-sunds-indexes.ldif |
---|
| 56 | |
---|
| 57 | By default configuration settings are NOT replicated in a |
---|
| 58 | replication environment so the following indexes must be |
---|
| 59 | defined on all hosts. |
---|
[3342] | 60 | |
---|
[3351] | 61 | To initialize the indexes: |
---|
[3342] | 62 | |
---|
[3351] | 63 | % ServerRoot/slapd-serverID/db2index.pl \ |
---|
| 64 | -D "cn=Directory Manager" -w password -n userRoot \ |
---|
| 65 | -t pykotaUserName |
---|
[3342] | 66 | |
---|
[3351] | 67 | % ServerRoot/slapd-serverID/db2index.pl \ |
---|
| 68 | -D "cn=Directory Manager" -w password -n userRoot \ |
---|
| 69 | -t pykotaGroupName |
---|
[3342] | 70 | |
---|
[3351] | 71 | % ServerRoot/slapd-serverID/db2index.pl \ |
---|
| 72 | -D "cn=Directory Manager" -w password -n userRoot \ |
---|
| 73 | -t pykotaPrinterName |
---|
[3342] | 74 | |
---|
[3351] | 75 | % ServerRoot/slapd-serverID/db2index.pl \ |
---|
| 76 | -D "cn=Directory Manager" -w password -n userRoot \ |
---|
| 77 | -t pykotaBillingCode |
---|
[3342] | 78 | |
---|
[3351] | 79 | % ServerRoot/slapd-serverID/db2index.pl \ |
---|
| 80 | -D "cn=Directory Manager" -w password -n userRoot \ |
---|
| 81 | -t pykotaLastJobIdent |
---|
[3342] | 82 | |
---|
[3351] | 83 | This must be preformed on all hosts within a replication environment. |
---|
[3342] | 84 | |
---|
[3351] | 85 | Managing Indexes References : |
---|
| 86 | http://docs.sun.com/source/816-6698-10/indexing.html |
---|
[3342] | 87 | |
---|
| 88 | Directory Information Tree (DIT) : |
---|
| 89 | ---------------------------------- |
---|
| 90 | |
---|
| 91 | pykota-sample.ldif : |
---|
| 92 | |
---|
[3351] | 93 | This is provided with PyKota though it will need to be modified |
---|
| 94 | in order to be incorporated into your environment. Sun Directory Server |
---|
| 95 | will encrypt the userPassword entry so you may wish to leave it as |
---|
| 96 | plain text when creating the pykotaadmin and pykotauser entries. |
---|
| 97 | |
---|
| 98 | If a Password Policy is being enforced it would be advisable exclude |
---|
| 99 | both the pykotauser and pykotaadmin from that policy. This is especially |
---|
| 100 | true if passwordMustChange is set to 'On' since they will fail to authenticate |
---|
| 101 | until the password is changed. |
---|
[3342] | 102 | |
---|
[3351] | 103 | Sun Directory Server will replicate DIT changes in a |
---|
| 104 | multi-master replication environment. |
---|
[3342] | 105 | |
---|
| 106 | Access Control Instructions (ACI) : |
---|
| 107 | ----------------------------------- |
---|
| 108 | |
---|
[3351] | 109 | The provided ACI's must not be blindly added using ldapmodify or |
---|
| 110 | ldapadd, if you do so you will clobber any existing ACI's for a |
---|
| 111 | given object! You must first query the server for any existing |
---|
| 112 | ACI's and capture them to a file, append the PyKota ACI's to said |
---|
| 113 | file and then modify the object. This is especially pertinent in |
---|
| 114 | regards to ou=People which has 5 default ACI's associated with it. |
---|
[3342] | 115 | |
---|
[3351] | 116 | It is stongly recommended to use the Directory Server Console to |
---|
| 117 | add the ACI's. You have been warned, there is no warrenty, good luck. |
---|
[3342] | 118 | |
---|
[3351] | 119 | Managing Access Control: |
---|
| 120 | http://docs.sun.com/source/816-6698-10/aci.html |
---|
[3342] | 121 | |
---|
| 122 | pykota-admin-aci : |
---|
| 123 | |
---|
[3351] | 124 | dn: ou=pykota,dc=example,dc=com |
---|
| 125 | aci: (targetattr="*") (version 3.0; acl "PyKota Pykota ACI"; allow(all) userdn="ldap:///cn=pykotaadmin,ou=PyKota,dc=example,dc=com";) |
---|
[3342] | 126 | |
---|
[3351] | 127 | dn: ou=People,dc=example,dc=com |
---|
| 128 | aci: (targetattr="*") (version 3.0; acl "PyKota People ACI"; allow(add, write) userdn="ldap:///cn=pykotaadmin,ou=PyKota,dc=example,dc=com";) |
---|
[3342] | 129 | |
---|
[3351] | 130 | dn: ou=groups,dc=example,dc=com |
---|
| 131 | aci: (targetattr="*") (version 3.0; acl "PyKota Groups ACI"; allow(add, write) userdn="ldap:///cn=pykotaadmin,ou=PyKota,dc=example,dc=com";) |
---|
[3342] | 132 | |
---|
[3351] | 133 | Sun Directory Server will replicate ACI changes in a |
---|
| 134 | multi-master replication environment. |
---|