wiki:dSite/e0LDAP

OS Services Configuration

Post-installation OS Services Configuration

  1. Run the OS configuration script as root:
    /usr/sbin/geni_os_setup
    
    It should produce output like the following (the serial numbers, key material and dates will differ on your console):
    root@console:~# /usr/sbin/geni_os_setup 
    Loading /etc/omf-aggmgr-5.4/site.yaml... done.
    stop: Unknown instance: 
    Generating a 2432 bit RSA private key...
    Generating a self signed certificate...
    X.509 Certificate Information:
    	Version: 3
    	Serial Number (hex): 544e96f4
    	Validity:
    		Not Before: Mon Oct 27 19:03:16 UTC 2014
    		Not After: Tue Oct 27 19:03:16 UTC 2015
    	Subject: CN=GENI 4G Authority for geni.rutgers.edu
    	Subject Public Key Algorithm: RSA
    	Certificate Security Level: Normal
    		Modulus (bits 2432):
    			00:ae:1c:e0:9e:94:a3:00:5e:ed:9f:e1:c3:2e:c2:31
    			4e:7a:24:2f:50:f9:82:d2:dd:55:ea:4f:1b:25:5d:45
    			c8:33:20:3c:32:63:8c:8b:54:ad:85:2b:14:b0:2b:fc
    			ea:6e:2d:8b:65:85:37:cd:bc:77:47:40:7b:90:66:1a
    			89:4b:03:a4:e3:3e:4d:20:b8:11:54:ea:af:d4:e4:2d
    			05:59:3c:ff:e7:bb:08:9b:eb:20:1f:63:98:0d:1e:be
    			30:b3:16:54:26:31:b3:3a:f1:22:2a:36:ea:ce:c7:d1
    			96:f5:24:e5:e0:c9:22:74:bb:6c:c2:35:72:8f:64:0b
    			fe:cf:d4:ba:3a:b9:05:0c:fb:70:93:c5:5a:4e:b7:1a
    			0c:07:a8:1c:fe:25:8d:e3:76:d4:88:fa:43:e7:fb:15
    			0e:4f:8e:18:2d:52:24:ba:66:f6:ca:21:04:43:4b:4c
    			05:3a:9a:d0:18:e8:21:18:0c:a6:5d:5f:f7:cc:45:8a
    			ad:35:72:80:49:cc:1f:93:72:00:2f:30:38:80:a0:eb
    			06:41:84:ca:f8:8d:dc:d2:b0:f4:d4:99:7c:dd:7a:4c
    			64:71:54:b6:46:5b:24:b7:a9:d0:9d:e1:97:6f:d0:00
    			23:50:15:d4:da:f1:11:e5:2c:3d:7c:79:db:27:3e:92
    			83:f9:aa:3a:dc:74:c2:59:b2:a3:c1:83:0f:4c:01:8b
    			ff:c9:d2:b5:e1:fc:81:a2:b0:e9:18:d7:3e:3d:bd:5e
    			e3:21:d4:6b:9c:69:c8:bf:ca:22:98:f0:89:27:29:33
    			47
    		Exponent (bits 24):
    			01:00:01
    	Extensions:
    		Basic Constraints (critical):
    			Certificate Authority (CA): TRUE
    		Subject Key Identifier (not critical):
    			ec71a260a6edde0542673af61f1c3dacaa1a41f9
    Other Information:
    	Public Key Id:
    		ec71a260a6edde0542673af61f1c3dacaa1a41f9
    
    
    
    Signing certificate...
    ** Note: Please use the --sec-param instead of --bits
    Generating a 1024 bit RSA private key...
    Generating a signed certificate...
    X.509 Certificate Information:
    	Version: 3
    	Serial Number (hex): 544e96f4
    	Validity:
    		Not Before: Mon Oct 27 19:03:16 UTC 2014
    		Not After: Tue Oct 27 19:03:16 UTC 2015
    	Subject: O=GENI 4G Site for geni.rutgers.edu,CN=console.geni.rutgers.edu
    	Subject Public Key Algorithm: RSA
    	Certificate Security Level: Weak
    		Modulus (bits 1024):
    			00:bc:11:96:7b:6e:b4:8d:b9:59:a3:82:be:25:a9:3c
    			1f:48:3b:0f:bf:12:73:e8:22:19:bd:11:76:dc:a0:7a
    			54:ef:56:22:bb:7d:d6:a8:61:bc:10:a6:ea:80:c5:7a
    			a1:b7:9c:54:de:7b:85:01:6c:5c:f3:a1:a0:74:96:c2
    			10:9d:e4:d8:3c:1e:71:e9:ad:3a:3a:bc:c3:e5:2a:96
    			1a:79:e7:e9:58:0b:44:b1:2c:6d:32:5d:e0:21:c6:0d
    			4e:2b:a3:f8:ef:ca:a5:a3:61:c4:6b:14:e9:40:0f:a5
    			e8:ba:82:16:cf:aa:0e:de:98:14:50:0e:8b:2d:ce:38
    			a7
    		Exponent (bits 24):
    			01:00:01
    	Extensions:
    		Basic Constraints (critical):
    			Certificate Authority (CA): FALSE
    		Key Purpose (not critical):
    			TLS WWW Server.
    		Key Usage (critical):
    			Digital signature.
    			Key encipherment.
    		Subject Key Identifier (not critical):
    			2d594c02809caa7e5e7e5fca9e1176034cfce849
    		Authority Key Identifier (not critical):
    			ec71a260a6edde0542673af61f1c3dacaa1a41f9
    Other Information:
    	Public Key Id:
    		2d594c02809caa7e5e7e5fca9e1176034cfce849
    
    
    
    Signing certificate...
    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    
    This script attempts to configure several of the services to standard defaults. It depends on the following files:
    • site.yaml
    • /usr/sbin/geni_common
    • /etc/hostname (via the hostname -f command)

The following files are modified:

/etc/dhcpd/dhcpd.conf

This file is populated from the contents of the site.yaml file and produces the appropriate entries for all the interfaces of the nodes. Note that this requires that the interfaces be ordered according to the original labeling. The node entries use fixed-address by FQDN; dhcpd resolves those names when it reads its configuration, so the BIND zone described below (and the console's own resolver) must be in place before the DHCP server is started. The contents look like:

option domain-name "geni.rutgers.edu";
authoritative;
use-host-decl-names on;
get-lease-hostnames true;
ping-check false;
ping-timeout 0;
log-facility local7;
default-lease-time 86400;
max-lease-time 86400;
ddns-updates off;

subnet 10.3.0.0 netmask 255.255.255.0 {
 option domain-name-servers 10.3.0.254;
 option routers 10.3.0.254;
 option ntp-servers 10.3.0.254;
 next-server 10.3.0.254;

 host cons1 { hardware ethernet 00:20:4a:d5:94:83; fixed-address 10.3.0.101; }
 host cons2 { hardware ethernet 00:20:4a:d5:94:f1; fixed-address 10.3.0.102; }
 host cons3 { hardware ethernet 00:20:4a:d5:94:e1; fixed-address 10.3.0.103; }

}

subnet 10.1.0.0 netmask 255.255.255.0 {
 option domain-name-servers 10.1.0.254;
 option routers 10.1.0.254;
 option log-servers 10.1.0.254;
 option ntp-servers 10.1.0.254;
 filename "pxelinux.0";
 next-server 10.1.0.254;

 host node1 { hardware ethernet 00:03:1d:0c:d3:73; fixed-address node1.geni.rutgers.edu; }
 host node2 { hardware ethernet 00:03:1d:0c:d3:89; fixed-address node2.geni.rutgers.edu; }
 host node3 { hardware ethernet 00:03:1d:0c:d3:71; fixed-address node3.geni.rutgers.edu; }

}

subnet 10.2.0.0 netmask 255.255.255.0 {
 option ntp-servers 10.2.0.254;
 filename "/pxelinux.fake";

 host data1 { hardware ethernet 00:03:1d:0c:d3:72; fixed-address 10.2.0.1; }
 host data2 { hardware ethernet 00:03:1d:0c:d3:88; fixed-address 10.2.0.2; }
 host data3 { hardware ethernet 00:03:1d:0c:d3:70; fixed-address 10.2.0.3; }

}

/etc/nsswitch.conf

The script overwrites /etc/nsswitch.conf outright with the following. Note that passwd and group are resolved through LDAP while shadow is not, so password authentication for directory users goes through pam_ldap (configured in /etc/ldap.conf below) rather than through NSS:

passwd:         files ldap compat
group:          files ldap compat
shadow:         files compat

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

/etc/ldap/ldap.conf

The script overwrites /etc/ldap/ldap.conf outright with the following. Note that TLS_REQCERT never tells the OpenLDAP client library (and the ldap* command-line tools) to accept any server certificate without verification. Because the script points clients at ldap://localhost this is a limited exposure, but set it to demand if any client reaches slapd over the network:

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE	dc=example,dc=com
#URI	ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT	12
#TIMELIMIT	15
#DEREF		never

# TLS certificates (needed for GnuTLS)
TLS_CACERT	/etc/ssl/certs/cacert.pem
TLS_REQCERT     never

/etc/bind/db.DOMAIN

The script will build a db.DOMAIN file in the /etc/bind directory based on contents of the site.yaml file, and the host FQDN. An example might look like (this assumed a domain of geni.rutgers.edu):

;
; BIND data file for geni.rutgers.edu
;
$TTL    604800
@       IN      SOA     geni.rutgers.edu. root.geni.rutgers.edu. (
                   2014101501  ; Serial
                   604800      ; Refresh
                   86400       ; Retry
                   2419200     ; Expire
                   604800 )    ; Negative Cache TTL
;
                IN      A       10.1.0.254
@               IN      NS      consolec.geni.rutgers.edu.
@               IN      A       10.1.0.254
@               IN      AAAA    ::1
consolec        IN      A       10.1.0.254
xmpp            IN      CNAME   consolec.geni.rutgers.edu.

node1           IN      A       10.1.0.1
node2           IN      A       10.1.0.2
node3           IN      A       10.1.0.3

cons1           IN      A       10.3.0.101
cons2           IN      A       10.3.0.102
cons3           IN      A       10.3.0.103

data1           IN      A       10.2.0.1
data2           IN      A       10.2.0.2
data3           IN      A       10.2.0.3

/etc/bind/db.10

The reverse database will also be created to match the db.DOMAIN.

;
; BIND reverse data file for 10.
;
$TTL    604800
@       IN      SOA     consolec. root.geni.rutgers.edu. (
                   2014101501  ; Serial
                   604800      ; Refresh
                   86400       ; Retry
                   2419200     ; Expire
                   604800 )    ; Negative Cache TTL
;
@       IN      NS      consolec.

101.0.3     IN      PTR     cons1.geni.rutgers.edu.
102.0.3     IN      PTR     cons2.geni.rutgers.edu.
103.0.3     IN      PTR     cons3.geni.rutgers.edu.

1.0.1     IN      PTR     node1.geni.rutgers.edu.
2.0.1     IN      PTR     node2.geni.rutgers.edu.
3.0.1     IN      PTR     node3.geni.rutgers.edu.

254.0.1   IN      PTR     consolec.geni.rutgers.edu.
1.0.2     IN      PTR     data1.geni.rutgers.edu.
2.0.2     IN      PTR     data2.geni.rutgers.edu.
3.0.2     IN      PTR     data3.geni.rutgers.edu.
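
The three generated files above all derive from the same site.yaml, so a disagreement between them usually means the inventory or the interface ordering is wrong. The following is an added example, not part of the original page or of the GENI setup scripts: a POSIX shell check that parses trimmed, constructed copies of the dhcpd.conf, db.DOMAIN and db.10 fragments shown above, confirms that every A record has a matching PTR and vice versa, and confirms that every dhcpd host block agrees with the forward zone. The domain name and the three fragments are assumptions taken from the examples on this page; on a real console pass the actual files with "$(cat /etc/bind/db.geni.rutgers.edu)" and so on.

```shell
#!/bin/sh
# Added example (not from the original page or the GENI scripts): cross-check
# dhcpd.conf, db.DOMAIN and db.10 against each other. The inputs below are
# constructed, trimmed copies of the fragments shown on this page.

DHCPD_CONF='
subnet 10.3.0.0 netmask 255.255.255.0 {
 host cons1 { hardware ethernet 00:20:4a:d5:94:83; fixed-address 10.3.0.101; }
 host cons2 { hardware ethernet 00:20:4a:d5:94:f1; fixed-address 10.3.0.102; }
}
subnet 10.1.0.0 netmask 255.255.255.0 {
 host node1 { hardware ethernet 00:03:1d:0c:d3:73; fixed-address node1.geni.rutgers.edu; }
 host node2 { hardware ethernet 00:03:1d:0c:d3:89; fixed-address node2.geni.rutgers.edu; }
}'

DB_DOMAIN='
consolec        IN      A       10.1.0.254
node1           IN      A       10.1.0.1
node2           IN      A       10.1.0.2
cons1           IN      A       10.3.0.101
cons2           IN      A       10.3.0.102'

DB_10='
101.0.3     IN      PTR     cons1.geni.rutgers.edu.
102.0.3     IN      PTR     cons2.geni.rutgers.edu.
1.0.1       IN      PTR     node1.geni.rutgers.edu.
2.0.1       IN      PTR     node2.geni.rutgers.edu.
254.0.1     IN      PTR     consolec.geni.rutgers.edu.'

# "name ip" for every A record in a forward zone fragment.
forward_map() {
    printf '%s\n' "$1" | awk '$2 == "IN" && $3 == "A" { print $1, $4 }' | sort
}

# "name ip" for every PTR in a 10.in-addr.arpa fragment: owner 101.0.3 is
# 10.3.0.101, and the target FQDN is cut down to its host label.
reverse_map() {
    printf '%s\n' "$2" | awk -v dom="$1" '
        $2 == "IN" && $3 == "PTR" && split($1, o, ".") == 3 {
            name = $4
            sub("\\." dom "\\.$", "", name)
            print name, "10." o[3] "." o[2] "." o[1]
        }' | sort
}

# "name target" for every host block; target is the fixed-address value with the
# domain stripped, so an IP stays an IP and an FQDN becomes a host label.
dhcp_map() {
    printf '%s\n' "$2" | awk -v dom="$1" '
        $1 == "host" {
            t = ""
            for (i = 3; i <= NF; i++) if ($i == "fixed-address") { t = $(i + 1); sub(";", "", t) }
            sub("\\." dom "$", "", t)
            print $2, t
        }' | sort
}

# Return 0 when forward and reverse zones list the same hosts and every dhcpd
# host block agrees with the forward zone; otherwise report to stderr and return
# 1. An FQDN fixed-address without an A record matters most, because dhcpd
# resolves those names when it parses its configuration.
check_site_consistency() {
    cs_dom=$1 cs_dhcp=$2 cs_fwd=$3 cs_rev=$4 cs_status=0
    cs_f=$(forward_map "$cs_fwd")
    cs_r=$(reverse_map "$cs_dom" "$cs_rev")
    if [ "$cs_f" != "$cs_r" ]; then
        printf 'forward/reverse mismatch\n--- A records\n%s\n--- PTR records\n%s\n' "$cs_f" "$cs_r" >&2
        cs_status=1
    fi
    cs_bad=$( { printf '%s\n' "$cs_f" | sed 's/^/A /'; dhcp_map "$cs_dom" "$cs_dhcp" | sed 's/^/H /'; } |
        awk -v dom="$cs_dom" '
            $1 == "A" { a[$2] = $3; next }
            $1 == "H" && $3 ~ /^[0-9.]+$/ && !(($2 in a) && a[$2] == $3) {
                print "dhcp host " $2 " -> " $3 " but zone has " a[$2] }
            $1 == "H" && $3 !~ /^[0-9.]+$/ && !($3 in a) {
                print "dhcp host " $2 " fixed-address " $3 "." dom " has no A record" }')
    if [ -n "$cs_bad" ]; then printf '%s\n' "$cs_bad" >&2; cs_status=1; fi
    return $cs_status
}

if check_site_consistency geni.rutgers.edu "$DHCPD_CONF" "$DB_DOMAIN" "$DB_10"; then
    echo "dhcpd.conf, db.DOMAIN and db.10 agree"
fi
```

Run it after geni_os_setup and again after every site.yaml change; a forward/reverse mismatch points at the zone generator, while a dhcpd host that resolves nowhere will keep the DHCP server from starting once the resolver is switched to the local BIND.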

/etc/bind/named.conf.local

The supporting config files will also be created. The local file looks like:

//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

  zone "geni.rutgers.edu" {
   type master;
   file "/etc/bind/db.geni.rutgers.edu";
  };
  zone "10.in-addr.arpa" {
    type master;
    file "/etc/bind/db.10";
  };

/etc/bind/named.conf.options

This options file assumes that the console can query Google's 8.8.8.8 resolver directly. If it cannot, adjust the forwarders block to reflect your environment's DNS settings. Note also that dnssec-validation is turned off, so answers obtained through the forwarder are not validated by this server.

options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable 
        // nameservers, you probably want to use them as forwarders.  
        // Uncomment the following block, and insert the addresses replacing 
        // the all-0's placeholder.

         forwarders {
          8.8.8.8;
         };

        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //========================================================================
        dnssec-validation no;

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

/etc/ldap.conf

The LDAP client settings chosen during package installation (this file is read by pam_ldap and libnss-ldap) will be overwritten with the following. Two settings deserve attention: pam_check_host_attr yes makes pam_ldap grant login only to users whose LDAP entry carries a host attribute matching this host, so the host: null.orbit-lab.org value in the LDIF below keeps the globaladmin account from logging in to the console through PAM; and pam_password md5 stores passwords changed through PAM as unsalted {MD5} hashes, whereas pam_password exop lets slapd hash them with its own configured scheme.

base dc=geni,dc=rutgers,dc=edu
uri ldap://localhost
rootbinddn cn=admin,dc=geni,dc=rutgers,dc=edu
ldap_version 3
pam_check_host_attr yes
pam_password md5
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/cacert.pem
tls_cacertdir /etc/ssl/certs
nss_initgroups_ignoreusers backup,bin,bind,daemon,dhcpd,games,gnats,irc,landscape,libuuid,libvirt-qemu,list,lp,mail,man,messagebus,mysql,news,ntp,openfire,openldap,postfix,proxy,root,sshd,statd,sync,sys,syslog,tftp,usbmux,uucp,whoopsie,www-data

/etc/ssl/geni-site-ca.info

This file will be generated based on the FQDN:

cn = GENI 4G Authority for geni.rutgers.edu
ca
cert_signing_key

/etc/ssl/geni-site-console.info

This file will be generated based on the FQDN. Note that the key size is chosen by the script rather than by this template: the sample output above shows a 1024-bit RSA key for the console certificate, which certtool itself labels Weak, and a one-year validity for both certificates even though this template asks for expiration_days = 3650. Check the key size and Not After date of the certificates actually issued on your console (certtool -i) before relying on them.

organization = GENI 4G Site for geni.rutgers.edu
cn = console.geni.rutgers.edu
tls_www_server
encryption_key
signing_key
expiration_days = 3650

/etc/phpldapadmin/config.php

The /etc/phpldapadmin/config.php will have the following lines modified:

...
$servers->setValue('server','base',array('dc=example,dc=com'));
...
$servers->setValue('login','bind_id','cn=admin,dc=example,dc=com');
...

These lines should carry your LDAP base DN, which is derived from your FQDN (e.g. geni.rutgers.edu ⇒ dc=geni,dc=rutgers,dc=edu). The result should look like:

...
$servers->setValue('server','base',array('dc=geni,dc=rutgers,dc=edu'));
...
$servers->setValue('login','bind_id','cn=admin,dc=geni,dc=rutgers,dc=edu');
...

http://console.DOMAIN/phpldapadmin (e.g. http://console.geni.rutgers.edu/phpldapadmin) should be accessible, and you should be able to log in with the LDAP admin credentials you specified during package installation. Note that phpldapadmin is served over plain HTTP here, so the directory admin password crosses the network in the clear unless you put the site behind TLS or reach it only from the console itself.

/etc/default/tftpd-hpa

The contents of this file will be overwritten outright with the following. Note that the packaged default for tftpd-hpa is TFTP_USERNAME="tftp"; running the daemon as root means any flaw in it is exploitable with root privilege, although -s does chroot it into TFTP_DIRECTORY (-l runs it standalone instead of from inetd):

TFTP_USERNAME="root"
TFTP_DIRECTORY="/tftpboot"
TFTP_ADDRESS="0.0.0.0:69"
TFTP_OPTIONS="-s -l"

  2. After the script has run, point the console's DNS resolver at the local BIND instance. Edit /etc/network/interfaces, change the dns-nameservers line to refer to the local host, and add a dns-search line naming the local domain (e.g. geni.rutgers.edu). The result should look like:
    # The primary network interface
    auto eth2
    iface eth2 inet static
          address 10.50.0.249
          netmask 255.255.0.0
          gateway 10.50.0.1
          dns-search geni.rutgers.edu
          dns-nameservers localhost
    
    
    then reboot the machine so that the DNS change takes effect.

    Note that the glibc resolver accepts only IP address literals on the nameserver lines of /etc/resolv.conf: a name such as localhost is skipped, and when no valid nameserver remains the resolver falls back to its built-in default of 127.0.0.1, which is why the stanza above works at all. Writing dns-nameservers 127.0.0.1 explicitly is clearer and has the same effect.

    Note: If you have to use a specific DNS server for external name resolution, modify the forwarders block in /etc/bind/named.conf.options, e.g.:
    forwarders {
     10.0.0.9;
    };
    
    This may also require a restart.

    Once this is done you can test the local DNS by resolving node names, e.g.:
    host node1
    node1.geni.rutgers.edu has address 10.1.0.1
    
    External name resolution should also work.

  3. Add the following lines to /etc/sudoers (this is done with the visudo command, which checks the syntax before saving). Because nsswitch.conf resolves groups through LDAP, membership of the sysadmin group in the directory is enough for passwordless root on the console; make sure only trusted administrators can modify that group.
    %admin ALL=(ALL) ALL
    %sysadmin ALL=NOPASSWD: ALL
    
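The resolver step above works for a reason that is not obvious from the interfaces stanza. As an added example that is not part of the original page, the following POSIX shell functions reproduce how the glibc resolver reads /etc/resolv.conf: only address literals on nameserver lines count, at most three of them are used, an empty list falls back to 127.0.0.1, and the search list defaults to the host's own domain when no search or domain line is present. The resolv.conf samples and the console hostname are constructed from the stanza on this page; the 10.0.0.9 forwarder is the address used in the note above.

```shell
#!/bin/sh
# Added example (not from the original page): emulate how the glibc resolver
# selects nameservers and the search list from /etc/resolv.conf, to show why
# "dns-nameservers localhost" resolves against the local BIND by accident.

# Constructed resolv.conf contents as resolvconf would write them from the
# interfaces stanza above, from an explicit 127.0.0.1, and from a crowded list.
RESOLV_LOCALHOST_NAME='nameserver localhost
search geni.rutgers.edu'
RESOLV_EXPLICIT='nameserver 127.0.0.1
search geni.rutgers.edu'
RESOLV_MIXED='nameserver localhost
nameserver 10.0.0.9
nameserver 8.8.8.8
nameserver 8.8.4.4
nameserver 1.1.1.1'

# Print the nameservers glibc would actually query, one per line: up to MAXNS
# (3) IPv4 or IPv6 literals; a hostname is skipped, and with no valid entry the
# resolver uses the name server on the local machine.
effective_nameservers() {
    printf '%s\n' "$1" | awk '
        $1 == "nameserver" && n < 3 {
            addr = $2
            if (addr ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ || addr ~ /^[0-9A-Fa-f:]*:[0-9A-Fa-f:.]*$/) {
                print addr; n++
            }
        }
        END { if (n == 0) print "127.0.0.1" }'
}

# Print the effective search list: the last search/domain line wins; with
# neither present, the domain is everything after the first dot of the hostname.
effective_search() {
    es_list=$(printf '%s\n' "$1" | awk '
        $1 == "search" || $1 == "domain" { $1 = ""; sub(/^ +/, ""); last = $0 }
        END { print last }')
    if [ -n "$es_list" ]; then
        printf '%s\n' "$es_list"
    else
        case $2 in *.*) printf '%s\n' "${2#*.}" ;; *) printf '\n' ;; esac
    fi
}

echo "nameservers for 'dns-nameservers localhost':"
effective_nameservers "$RESOLV_LOCALHOST_NAME"
echo "search list:"
effective_search "$RESOLV_LOCALHOST_NAME" console.geni.rutgers.edu
```

The third sample shows the other side of the same rule: after the skipped localhost entry only the first three literals are kept, so a forwarder you append beyond them is never consulted.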

Import initial GENI LDAP content

Next we import the initial content: the first groups and accounts that will act as administrators for the range of services. The deployment assumes the following delegated accounting structure: users are organized into groups based on their organization or project (in LDAP terms, organizational units, OUs). Each group can have a number of administrators (users with group management capabilities) but must have one person who is the main administrator for the OU (the principal investigator, PI). While most account management is performed through Control Panel functions, the initial site administrator and the first OU need to be added to LDAP manually, either through phpldapadmin or through an LDIF file and the command-line tools. The LDIF for the initial import looks like:

dn: ou=GENI,dc=geni,dc=rutgers,dc=edu
objectClass: organizationalUnit
objectClass: top
ou: GENI
description: GENI
businessCategory: Academic

dn: cn=GENI,ou=GENI,dc=geni,dc=rutgers,dc=edu
objectClass: posixGroup
cn: GENI
memberUid: globaladmin
gidNumber: 1001

dn: uid=globaladmin,ou=GENI,dc=geni,dc=rutgers,dc=edu
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: hostObject
objectClass: shadowAccount
objectClass: organizationalPerson
uid: globaladmin
sn: admin
givenName: global
cn: global admin
uidNumber: 1000
gidNumber: 1001
loginShell: /bin/bash
homeDirectory: /home/globaladmin
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
mail: ivan@example.org
userPassword: password
o: GENI
host: null.orbit-lab.org

dn: cn=GENI-admin,ou=GENI,dc=geni,dc=rutgers,dc=edu
objectClass: posixGroup
cn: GENI-admin
memberUid: globaladmin
gidNumber: 1002

dn: cn=admin,ou=GENI,dc=geni,dc=rutgers,dc=edu
objectClass: organizationalRole
objectClass: top
cn: admin
roleOccupant: uid=globaladmin,ou=GENI,dc=geni,dc=rutgers,dc=edu

Typically you will need to replace:

  1. Every occurrence of the base DN in the file (i.e. a global replace of dc=geni,dc=net with your DN, e.g. dc=geni,dc=rutgers,dc=edu, as was done in the example above)
  2. The initial group/organization name (i.e. a global replace of GENI with the group name, e.g. Rutgers)
  3. The administrator account entries sn:, givenName:, mail: and userPassword:. ldapadd stores userPassword exactly as written, so supply a hashed value generated with slappasswd rather than the cleartext shown in the example
  4. (optional) The initial administrator account user id (i.e. replace every occurrence of globaladmin with, say, ruadmin)

Any person who is a member of the sysadmin group in LDAP and of the admin group in /etc/omf-aggmgr-5.4/ogs-aggmgr.yaml will be able to use the Control Panel to manage ALL accounts.

In order to create initial LDAP structure:

  • Download the prototype configuration file from this link (it can go anywhere, e.g. admin user's home directory):
    wget http://wimax.orbit-lab.org/raw-attachment/wiki/dSite/e0LDAP/GENIinit.ldif
    
  • Modify it with your favorite text editor according to the rules described above.
  • Finally import it into LDAP (Note: change the value of the -D flag in the command below to reflect your domain):
    ldapadd -vvv -x -D cn=admin,dc=geni,dc=rutgers,dc=edu -H ldap:/// -W -f GENIinit.ldif
    
    You will be prompted for the LDAP password you specified during installation.
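
The personalization rules and the import above, as an added example that is not part of the original page or the GENI distribution. It applies the global replacements with sed to a constructed, shortened copy of the prototype LDIF (carrying the dc=geni,dc=net base that the page says the downloaded file uses), replaces the cleartext userPassword with an {SSHA} hash, and checks that no prototype value survived before the file is handed to ldapadd. slappasswd is used when it is installed; otherwise the same {SSHA} layout is produced with openssl. The group name Rutgers, the uid ruadmin, the mail address and the password are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): personalize the prototype LDIF and
# hash the password before import. PROTO_LDIF is a constructed, shortened copy
# of GENIinit.ldif with the dc=geni,dc=net base the page says it carries.

PROTO_LDIF='dn: ou=GENI,dc=geni,dc=net
objectClass: organizationalUnit
objectClass: top
ou: GENI

dn: cn=GENI,ou=GENI,dc=geni,dc=net
objectClass: posixGroup
cn: GENI
memberUid: globaladmin
gidNumber: 1001

dn: uid=globaladmin,ou=GENI,dc=geni,dc=net
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: globaladmin
sn: admin
givenName: global
cn: global admin
uidNumber: 1000
gidNumber: 1001
homeDirectory: /home/globaladmin
mail: ivan@example.org
userPassword: password
o: GENI

dn: cn=GENI-admin,ou=GENI,dc=geni,dc=net
objectClass: posixGroup
cn: GENI-admin
memberUid: globaladmin
gidNumber: 1002'

# {SSHA} in the layout slapd stores and verifies: base64( SHA1(password || salt) || salt ).
# slappasswd when available; otherwise openssl with an 8-byte random salt.
ssha_hash() {
    if command -v slappasswd >/dev/null 2>&1; then
        slappasswd -h '{SSHA}' -s "$1"
    else
        sh_salt=$(od -An -N4 -tx1 /dev/urandom | tr -d ' \n')
        sh_b64=$( { printf '%s%s' "$1" "$sh_salt" | openssl dgst -sha1 -binary; printf '%s' "$sh_salt"; } | openssl base64 -A)
        printf '{SSHA}%s\n' "$sh_b64"
    fi
}

# Apply the replacements the page lists to the LDIF on stdin:
# $1 base DN, $2 group/organization name, $3 admin uid, $4 mail, $5 password hash.
personalize_ldif() {
    sed -e "s/dc=geni,dc=net/$1/g" \
        -e "s/GENI/$2/g" \
        -e "s/globaladmin/$3/g" \
        -e "s|^mail: .*|mail: $4|" \
        -e "s|^userPassword: .*|userPassword: $5|"
}

# Return 1 if a prototype base DN, the prototype uid, or a non-hashed password survived.
check_ldif_personalized() {
    ! printf '%s\n' "$1" | grep -E -q 'dc=geni,dc=net|globaladmin|^userPassword: [^{]'
}

if command -v slappasswd >/dev/null 2>&1 || command -v openssl >/dev/null 2>&1; then
    HASH=$(ssha_hash 'change-me')                 # use a strong password on a real site
else
    HASH='{SSHA}paste-slappasswd-output-here'     # neither tool present on this host
fi
LDIF=$(printf '%s\n' "$PROTO_LDIF" | personalize_ldif 'dc=geni,dc=rutgers,dc=edu' Rutgers ruadmin 'ruadmin@rutgers.edu' "$HASH")
check_ldif_personalized "$LDIF" && printf '%s\n' "$LDIF" | grep '^dn: '
# Then import exactly as on the page (adjust -D to your own base DN):
#   printf '%s\n' "$LDIF" > GENIinit.ldif
#   ldapadd -vvv -x -D cn=admin,dc=geni,dc=rutgers,dc=edu -H ldap:/// -W -f GENIinit.ldif
```

The check is the point: a leftover dc=geni,dc=net entry would be imported under a base slapd does not serve and fail noisily, but a leftover cleartext userPassword is accepted silently and stays readable to anyone who can search the entry.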
Last modified on 06/08/15 18:58:06
