Index: server/doc/HOWTO-SETUP-LDAP
===================================================================
--- server/doc/HOWTO-SETUP-LDAP	(revision 861)
+++ server/doc/HOWTO-SETUP-LDAP	(revision 861)
@@ -0,0 +1,25 @@
+To set up a new LDAP server:
+
+- Install the RPM fedora-ds-base with yum
+- root# env NSS_NONLOCAL_IGNORE=1 useradd -r -d /var/lib/dirsrv fedora-ds
+- root# /usr/sbin/setup-ds.pl
+    - Choose a typical install
+    - Tell it to use the fedora-ds user and group
+    - Directory server identifier: scripts
+    - Suffix: dc=scripts,dc=mit,dc=edu
+    - Input directory manager password
+- yum install ldapvi
+- /sbin/service dirsrv start
+- Apply ./fedora-ds-enable-ssl-and-kerberos.diff manually
+- /sbin/service dirsrv stop
+- wget http://web.mit.edu/geofft/Public/scripts-ca.pem
+- certutil -d /etc/dirsrv/slapd-scripts -A -n "scripts.mit.edu CA" -t CT,, -a -i scripts-ca.pem
+- Generate a pkcs12 cert for the server
+- pk12util -i ldap-server-cert.p12 -d /etc/dirsrv/slapd-scripts
+- Put LDAP keytab in /etc/dirsrv/keytab
+- Uncomment and modify in /etc/syscnfig/dirsrv: KRB5_KTNAME=/etc/dirsrv/keytab ; export KRB5_KTNAME
+- mkdir -p /var/tmp/dirsrv
+- chown fedora-ds:fedora-ds /var/tmp/dirsrv
+- /sbin/service dirsrv restart
+
+- Set up replication
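Review bot: the path `/etc/syscnfig/dirsrv` in the KRB5_KTNAME step is a typo for `/etc/sysconfig/dirsrv`; a reader who follows it literally creates a new file that the service never reads, and GSSAPI binds then fail for lack of a keytab. Two more points in this hunk: the CA certificate is fetched with `wget http://web.mit.edu/geofft/Public/scripts-ca.pem` over plain HTTP and imported as a trusted CA (`-t CT,,`) with no verification step, so record the expected fingerprint and tell the reader to compare it (for example with `certutil -d /etc/dirsrv/slapd-scripts -L -n "scripts.mit.edu CA"` after the import) before restarting; and "Generate a pkcs12 cert for the server" should state the nickname the certificate must be imported under, because the accompanying diff's `nsSSLPersonalitySSL: ldap/better-mousetrap` selects the key by nickname and SSL will not come up if they differ.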
Index: server/doc/fedora-ds-enable-ssl-and-kerberos.diff
===================================================================
--- server/doc/fedora-ds-enable-ssl-and-kerberos.diff	(revision 861)
+++ server/doc/fedora-ds-enable-ssl-and-kerberos.diff	(revision 861)
@@ -0,0 +1,59 @@
+--- o-f.config.ldif	2008-07-05 06:24:48.000000000 -0400
++++ b-m.config.ldif	2008-07-05 06:25:34.000000000 -0400
+@@ -123,7 +123,7 @@
+ passwordMaxFailure: 3
+ nsslapd-accesslog: /var/log/dirsrv/slapd-scripts/access
+ nsslapd-lastmod: on
+-nsslapd-security: off
++nsslapd-security: on
+ passwordMaxAge: 8640000
+ nsslapd-auditlog-logrotationtimeunit: day
+ passwordResetFailureCount: 600
+@@ -180,7 +180,7 @@
+ nsslapd-referralmode:
+ nsslapd-maxdescriptors: 1024
+ nsslapd-conntablesize: 1024
+-nsslapd-sslclientauth: off
++nsslapd-sslclientauth: allowed
+ nsslapd-config: cn=config
+ nsslapd-instancedir:
+ nsslapd-schemadir: /etc/dirsrv/slapd-scripts/schema
+@@ -217,7 +217,8 @@
+ nsSSLSessionTimeout: 0
+ nsSSLClientAuth: allowed
+ nsSSL2: off
+-nsSSL3: off
++nsSSL3: on
++nsSSL3Ciphers: +rsa_rc4_128_md5
+ nsSSLSupportedCiphers: SSL3::rc4::RC4::MD5::128
+ nsSSLSupportedCiphers: SSL3::rc4export::RC4::MD5::128
+ nsSSLSupportedCiphers: SSL3::rc2::RC2::MD5::128
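Review bot: `nsSSL3Ciphers: +rsa_rc4_128_md5` enables exactly one cipher suite, and the one chosen is RC4 with an MD5 MAC; both are deprecated choices, so the reason for pinning this suite (presumably compatibility with a particular client) should be recorded in a comment, and any stronger suites this build offers should be added to the list so that clients that support them negotiate those instead. This hunk also turns on `nsSSL3` without enabling TLS; if this release supports the `nsTLS1` attribute in the same entry, it should be turned on alongside.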
+@@ -315,6 +316,15 @@
+ objectClass: extensibleObject
+ cn: uniqueid generator
+ 
++# RSA, encryption, config
++dn: cn=RSA,cn=encryption,cn=config
++objectClass: top
++objectClass: nsEncryptionModule
++cn: RSA
++nsSSLPersonalitySSL: ldap/better-mousetrap
++nsSSLToken: internal (software)
++nsSSLActivation: on
++
+ # options, features, config
+ dn: cn=options,cn=features,cn=config
+ objectClass: top
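Review bot: `nsSSLPersonalitySSL: ldap/better-mousetrap` hard-codes one host's certificate nickname (the inner diff is between `o-f.config.ldif` and `b-m.config.ldif`, so the value is host-specific), which is why HOWTO-SETUP-LDAP has to say "apply manually". Replace it with an obvious placeholder or a comment telling the reader to substitute the nickname they used with `pk12util -i ldap-server-cert.p12`; otherwise a new server comes up with `nsslapd-security: on` (first hunk) and no matching key, and the SSL listener cannot start.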
+@@ -1264,3 +1274,12 @@
+ nsslapd-pluginVendor: Fedora Project
+ nsslapd-pluginDescription: Salted Secure Hashing Algorithm (SSHA512)
+ 
++# mapname, mapping, sasl, config
++dn: cn=mapname,cn=mapping,cn=sasl,cn=config
++objectClass: top
++objectClass: nsSaslMapping
++cn: mapname
++nsSaslMapRegexString: \(.*\)
++nsSaslMapBaseDNTemplate: uid=\1,ou=People,dc=scripts,dc=mit,dc=edu
++nsSaslMapFilterTemplate: (objectClass=posixAccount)
++
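Review bot: `nsSaslMapRegexString: \(.*\)` captures the entire SASL identity, and for GSSAPI that identity is the full principal (`user@REALM`), so `uid=\1,ou=People,dc=scripts,dc=mit,dc=edu` will search for `uid=user@REALM` rather than `uid=user` unless the uid values in ou=People include the realm. If they do not, capture only the local part and pin the realm, e.g. `\(.*\)@<REALM>` with the realm filled in; that also keeps principals from any other realm the KDC trusts from being mapped into ou=People. The `(objectClass=posixAccount)` filter only narrows the entries returned for the templated DN; it does not limit which identities get mapped.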
Index: server/doc/install-howto
===================================================================
--- server/doc/install-howto	(revision 860)
+++ server/doc/install-howto	(revision 861)
@@ -1,3 +1,9 @@
 This document is a how-to for installing a Fedora scripts.mit.edu server.
+
+Helper files for the install are located in server/fedora/config.
+
+* Start with a normal install of Fedora 9.
+
+* Edit /etc/selinux/config so it has SELINUX=disabled.
 
 * Check out the scripts.mit.edu svn repository. Configure svn not to cache
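Review bot: `SELINUX=disabled` in /etc/selinux/config only takes effect at the next boot, so the step should say to reboot (or run `setenforce 0` for the current session) before continuing. Since this replaces the later "Disable SELinux and NetworkManager" item with an unconditional disable at install time, a one-line note on which part of the scripts stack breaks under enforcing mode would let a future reader try permissive mode or a targeted policy instead of turning SELinux off entirely.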
@@ -6,9 +12,17 @@
 * cd to server/fedora in the svn repository.
 
-* Run "make install-deps" to install various prereqs.
+* Run "make install-deps" to install various prereqs.  Nonstandard
+  deps are in /mit/scripts/rpm.
 
-* Create a scripts-build account, and set up rpm to build in $HOME.
-  If you just use the default setup, it will generate packages
-  in /usr/src/redhat.
+* Create a scripts-build user account, and set up rpm to build in 
+  $HOME by doing a 
+  cp config/home/scripts-build/.rpmmacros /home/scripts-build/
+  (If you just use the default setup, it will generate packages 
+  in /usr/src/redhat.)
+
+* su scripts-build -
+
+* Make sure that server/fedora (where you currently are) is writable
+  by user scripts-build.
 
 * Use the Makefile to build the scripts.mit.edu-specific Fedora
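Review bot: `su scripts-build -` has the arguments in the wrong order; with the coreutils su shipped on Fedora the `-` must precede the user name (`su - scripts-build`) to get a login shell, and placed after it, it is passed as an argument to the shell instead. Also, the rewritten lines ending in "build in ", "doing a " and "packages " carry trailing whitespace.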
@@ -19,26 +33,49 @@
   - make all
   - openafs-devel is a build-dependency of accountadm, so you'll need to
-    install it by hand when that fails.
-  Then install all the packages as root.
+    install the openafs-devel package you just built by hand when that fails.
+
+* Then install the packages you just built as root:
+   - yum localinstall --nogpgcheck accountadm-0.00-0.x86_64.rpm \
+       execsys-0.00-0.x86_64.rpm httpd* \
+       kmod-openafs-1.4.7-1.1.2.6.25_14.fc9.x86_64.rpm \
+       krb5-{debuginfo,devel,libs,pki,workstation-1}* \
+       logview-0.00-0.x86_64.rpm mit-zephyr-2.1-6-linux.x86_64.rpm \
+       mod_ssl-2.2.8-3.x86_64.rpm nss_nonlocal-* \
+       openafs-1.4.7-1.1.1.x86_64.rpm \
+       openafs-{authlibs,client,debuginfo,devel,docs,krb5}* openssh* \
+       sql-signup-0.00-0.x86_64.rpm tokensys-0.00-0.x86_64.rpm \
+       whoisd-0.00-0.x86_64.rpm
 
 * Rebuild mit-zephyr on a 32-bit machine, like the one at Joe's home.
 
-* Run "make suexec" and "make suexec-install" to overwrite
+* Run "make suexec" and "make install-suexec" to overwrite
   /usr/sbin/suexec with one that works. The one installed by the
   newly-built Apache RPM is misconfigured.
 
+* Install and configure bind
+  - env NSS_NONLOCAL_IGNORE=1 yum install bind
+  - chkconfig named on
+  - service named start
+
 * Check out the scripts /etc configuration, which is done most easily by
-  - svn co https://scripts.mit.edu:1111/server/fedora/config/etc
-  - \cp -a etc /
+  $ svn co svn://scripts.mit.edu/server/fedora/config/etc
+  # \cp -a etc /
 
-* Copy over root's dotfiles.
+* Copy over root's dotfiles from one of the other machines.
+
+* Replace rsyslog with syslog-ng by doing:
+  # rpm -e --nodeps rsyslog
+  # yum install syslog-ng
 
 * Install various dependencies of the scripts system, including syslog-ng,
   glibc-devel.i386, python-twisted-core, mod_fcgid, nrpe, nagios-plugins-all.
 
-* Disable SELinux and NetworkManager.
+* Disable NetworkManager (with yum remove).
 
-* Figure out why Zephyr isn't working and why the openafs /usr/vice/etc <->
-  /etc/openafs mapping isn't in sync.
+* Fix the openafs /usr/vice/etc <-> /etc/openafs mapping by changing
+   /usr/vice/etc/cacheinfo to contain:
+        /afs:/usr/vice/cache:10000000
+
+* Figure out why Zephyr isn't working
 
 * Install the full list of RPMs that users expect to be on the
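Review bot: the checkout command changes from `https://scripts.mit.edu:1111/server/fedora/config/etc` to `svn://scripts.mit.edu/server/fedora/config/etc`, so the /etc tree that the very next line copies over the live system as root (`# \cp -a etc /`) now arrives over plain svn:// with no TLS; keep an https (or svn+ssh) URL for this step, or state what verifies the tree before it is installed. Other points in this hunk: the `yum localinstall --nogpgcheck` list pins exact release strings (`kmod-openafs-1.4.7-1.1.2.6.25_14.fc9.x86_64.rpm`, `mod_ssl-2.2.8-3.x86_64.rpm`, `openafs-1.4.7-1.1.1.x86_64.rpm`) that go stale on the next rebuild while neighbouring entries use globs, so either glob consistently or note that the list must be regenerated; `\cp -a etc /` also copies the checkout's `.svn` directories into /etc; and after `rpm -e --nodeps rsyslog` and `yum install syslog-ng`, the following item still lists syslog-ng among the dependencies to install, which is now redundant.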
@@ -78,6 +115,6 @@
   localhost.
 
-* Install fedora-ds-base and set up replication (see /mit/scripts/doc
-  and /mit/geofft/Public/fedora-ds-enable-ssl-and-kerberos.diff).
+* Install fedora-ds-base and set up replication (see ./HOWTO-SETUP-LDAP
+    and ./fedora-ds-enable-ssl-and-kerberos.diff).
 
 * Install nslcd / nss-ldapd, which, unlike nss-ldap, doesn't crash every few
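Review bot: the continuation line "    and ./fedora-ds-enable-ssl-and-kerberos.diff)." is indented four spaces where every other wrapped item in this file uses two. The relative paths `./HOWTO-SETUP-LDAP` and `./fedora-ds-enable-ssl-and-kerberos.diff` also only resolve from server/doc, so "in this directory" or the path from the repository root would be clearer for a reader following the howto from server/fedora.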
