close
Warning:
Can't synchronize with repository "(default)" (/common/SVN/wimax does not appear to be a Subversion repository.). Look in the Trac log for more information.
- Timestamp:
-
Oct 3, 2014, 6:02:04 PM (10 years ago)
- Author:
-
ssugrim
- Comment:
-
—
Legend:
- Unmodified
- Added
- Removed
- Modified
-
|
v10
|
v11
|
|
| 1 | 1 | == Configure LDAP == |
| 2 | | |
| 3 | | These instructions assume that the FQDN is console.geni.net and that (based on FQDN) LDAP DN base is '''dc=geni,dc=net'''. |
| 4 | 2 | |
| 5 | 3 | [[TOC(WiMAX/dSite*)]] |
| 6 | 4 | |
| | 5 | The following steps will configure the LDAP server. |
| 7 | 6 | === Setting up LDAP server === |
| 8 | | 1. Create file '''/etc/ssl/geni-site-ca.info''' with: |
| 9 | | |
| | 7 | 1. Create file ''/etc/ssl/geni-site-ca.info'' with: |
| | 8 | {{{ |
| 10 | 9 | cn = GENI WiMAX Company |
| 11 | 10 | ca |
| 12 | 11 | cert_signing_key |
| 13 | | }}} |
| 14 | | 1. Create file '''/etc/ssl/geni-site-console.info''' with (please change console.geni.net to match your FQDN): |
| 15 | | {{{ |
| | 12 | }}} |
| | 13 | 1. Create file ''/etc/ssl/geni-site-console.info'' with (please change console.geni.net to match |
| | 14 | your FQDN): |
| | 15 | {{{ |
| 16 | 16 | organization = Example Company |
| 17 | 17 | cn = console.geni.net |
| … |
… |
|
| 20 | 20 | signing_key |
| 21 | 21 | expiration_days = 3650 |
| 22 | | |
| 23 | | |
| 24 | | |
| | 22 | }}} |
| | 23 | 1. Execute the following command to create SSL certificates: |
| | 24 | {{{ |
| 25 | 25 | /usr/sbin/create_ldap_certificates.sh |
| 26 | | }}} |
| 27 | | 1. Create LDIF file for our newly created certificates in the file named '''/etc/ssl/geni-cert-info.ldif''': |
| 28 | | {{{ |
| | 26 | }}} |
| | 27 | 1. Create LDIF file for our newly created certificates in the file named |
| | 28 | ''/etc/ssl/geni-cert-info.ldif'': |
| | 29 | {{{ |
| 29 | 30 | dn: cn=config |
| 30 | 31 | add: olcTLSCACertificateFile |
| … |
… |
|
| 36 | 37 | add: olcTLSCertificateKeyFile |
| 37 | 38 | olcTLSCertificateKeyFile: /etc/ssl/private/console_slapd_key.pem |
| 38 | | |
| 39 | | |
| 40 | | |
| | 39 | }}} |
| | 40 | and then execute: |
| | 41 | {{{ |
| 41 | 42 | ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ssl/geni-cert-info.ldif |
| 42 | | |
| 43 | | |
| 44 | | |
| | 43 | }}} |
| | 44 | The expected output is: |
| | 45 | {{{ |
| 45 | 46 | SASL/EXTERNAL authentication started |
| 46 | 47 | SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth |
| 47 | 48 | SASL SSF: 0 |
| 48 | 49 | modifying entry "cn=config" |
| 49 | | |
| 50 | | 5. Fix the configuration for newly create LDAP for phpldapadmin by editing '''/etc/phpldapadmin/config.php''' and changing ''dc=example,dc=com'' to ''dc=geni,dc=net'' |
| 51 | | {{{ |
| 52 | | |
| | 50 | }}} |
| | 51 | 5. Fix the configuration for newly create LDAP for phpldapadmin by editing |
| | 52 | ''/etc/phpldapadmin/config.php'' and changing ''dc=example,dc=com'' to ''dc=geni,dc=net'' |
| | 53 | {{{ |
| 53 | 54 | $servers->setValue('server','base',array('dc=geni,dc=net')); |
| 54 | 55 | $servers->setValue('login','bind_id','cn=admin,dc=geni,dc=net'); |
| 55 | | |
| 56 | | 1. Point the Firefox web browser to http://<console-ip-address>/phpldapadmin. Set password for group admin user (add attribute -> Password -> set password -> update object) |
| 57 | | 1. Make sure you can access the service with admin credentials: |
| 58 | | |
| | 56 | }}} |
| | 57 | 6. Point the Firefox web browser to http://<console-ip-address>/phpldapadmin. Set password for group admin user (add attribute -> Password -> set password -> update object) |
| | 58 | 7. Make sure you can access the service with admin credentials: |
| | 59 | {{{ |
| 59 | 60 | ldapsearch -x -b "dc=geni,dc=net" "objectClass=organizationalRole" |
| 60 | 61 | ldapsearch -x -b "dc=geni,dc=net" "objectClass=organizationalUnit" |
| … |
… |
|
| 62 | 63 | ldapsearch -x -b "dc=geni,dc=net" "objectClass=posixGroup" |
| 63 | 64 | ldapsearch -x localhost -D "cn=admin,dc=geni,dc=net" -W -b "dc=geni,dc=net" uid=* |
| 64 | | |
| | 65 | }}} |
| 65 | 66 | |
| 66 | 67 | === Import initial LDAP content === |
| 67 | | Import initial content consisting of first group and account that will be used as administrators for the range of services. The deployment assumes the following delegated accounting structure: users are organized into groups based on their organization or project (or in LDAP terms organizational units (OUs)). Each group can have number of administrators (or users with group management capabilities) but has to have one person who is the main administrator for the OU (the principal investigator - PI). While most of the account management is performed through Control Panel functions, the initial site administrator and the first OU need to be added to LDAP manually. That could be done through ''phpldapadmin'' or through LDIF configuration file and command line tools. LDIF config for initial import: |
| | 68 | Next we will import initial content consisting of first groups and accounts that will be used as administrators for the range of services. The deployment assumes the following delegated accounting structure: users are organized into groups based on their organization or project (or in LDAP terms organizational units (OUs)). Each group can have number of administrators (or users with group management capabilities) but has to have one person who is the main administrator for the OU (the principal investigator - PI). While most of the account management is performed through Control Panel functions, the initial site administrator and the first OU need to be added to LDAP manually. This can be done through ''phpldapadmin'' or through LDIF configuration file and command line tools. The LDIF config for initial import looks like: |
| 68 | 69 | {{{ |
| 69 | 70 | dn: ou=GENI,dc=geni,dc=net |
| … |
… |
|
| 117 | 118 | roleOccupant: uid=globaladmin,ou=GENI,dc=geni,dc=net |
| 118 | 119 | }}} |
| 119 | | Typically one needs to replace: |
| | 120 | Typically you will needs to replace: |
| 120 | 121 | 1. Every occurrence of DN base in the file (i.e. do a global replace of '''dc=geni,dc=net''' with corresponding DN e.g. '''dc=rutgers,dc=edu''') |
| 121 | 122 | 1. Initial group/organization name (i.e. do a global replace of '''GENI'' with the group name e.g. '''Rutgers''') |
| … |
… |
|
| 123 | 124 | 1. (optional) Initial administrator account user id (i.e. replace every occurrence of '''globaladmin''' with say '''ruadmin''') |
| 124 | 125 | |
| 125 | | Also, any person that is a member of sysadmin group in LDAP and admin group in /etc/omf-aggmgr-5.4/ogs-aggmgr.yaml will be able to use Control Panel to manage ALL accounts. |
| | 126 | Any person that is a member of sysadmin group in LDAP and admin group in /etc/omf-aggmgr-5.4/ogs-aggmgr.yaml will be able to use Control Panel to manage ALL accounts. |
| 126 | 127 | |
| 127 | 128 | In order to create initial LDAP structure: |
| 128 | | * Grab the initial configuration file that is attached to this page: |
| | 129 | * Download the protoype configuration file from this link (it can go anywhere, e.g. admin user's home directory): |
| 129 | 130 | {{{ |
| 130 | 131 | wget http://wimax.orbit-lab.org/raw-attachment/wiki/WiMAX/dSite/e0LDAP/GENIinit.ldif |
| 131 | 132 | }}} |
| 132 | | * Modify it with your favorite editor |
| 133 | | * Import it into LDAP: |
| | 133 | * Modify it with your favorite text editor according to the rules described prior. |
| | 134 | * Finally import it into LDAP: |
| 134 | 135 | {{{ |
| 135 | 136 | ldapadd -vvv -x -D cn=admin,dc=geni,dc=net -H ldap:/// -W -f GENIinit.ldif |
