Configure LDAP

These instructions assume that the FQDN is console.geni.net and that (based on FQDN) LDAP DN base is dc=geni,dc=net.

Setting up LDAP server

1. Create file /etc/ssl/geni-site-ca.info with:

   cn = GENI WiMAX Company
   ca
   cert_signing_key
   

2. Create file /etc/ssl/geni-site-console.info with (please change console.geni.net to match your FQDN):

   organization = Example Company
   cn = console.geni.net
   tls_www_server
   encryption_key
   signing_key
   expiration_days = 3650
   

3. Execute the following command to create SSL certificates:

   /usr/sbin/create_ldap_certificates.sh
   

4. Create LDIF file for our newly created certificates in the file named /etc/ssl/geni-cert-info.ldif:

   dn: cn=config
   add: olcTLSCACertificateFile
   olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
   -
   add: olcTLSCertificateFile
   olcTLSCertificateFile: /etc/ssl/certs/console_slapd_cert.pem
   -
   add: olcTLSCertificateKeyFile
   olcTLSCertificateKeyFile: /etc/ssl/private/console_slapd_key.pem
   

and then execute:

ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ssl/geni-cert-info.ldif

The expected output is:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

5. Fix the configuration for newly create LDAP for phpldapadmin by editing /etc/phpldapadmin/config.php and changing dc=example,dc=com to dc=geni,dc=net

   $servers->setValue('server','base',array('dc=geni,dc=net'));
   $servers->setValue('login','bind_id','cn=admin,dc=geni,dc=net');
   

6. Point the Firefox web browser to ​http://<console-ip-address>/phpldapadmin. Set password for group admin user (add attribute → Password → set password → update object)
7. Make sure you can access the service with admin credentials:

      ldapsearch -x   -b "dc=geni,dc=net"  "objectClass=organizationalRole"
      ldapsearch -x   -b "dc=geni,dc=net"  "objectClass=organizationalUnit"
      ldapsearch -x   -b "dc=geni,dc=net"  "objectclass=organizationalUnit"
      ldapsearch -x   -b "dc=geni,dc=net"  "objectClass=posixGroup"
      ldapsearch -x localhost -D "cn=admin,dc=geni,dc=net" -W -b "dc=geni,dc=net" uid=*
   

Import initial LDAP content

Import initial content consisting of first group and account that will be used as administrators for the range of services. The deployment assumes the following delegated accounting structure: users are organized into groups based on their organization or project (or in LDAP terms organizational units (OUs)). Each group can have number of administrators (or users with group management capabilities) but has to have one person who is the main administrator for the OU (the principal investigator - PI). While most of the account management is performed through Control Panel functions, the initial site administrator and the first OU need to be added to LDAP manually. That could be done through phpldapadmin or through LDIF configuration file and command line tools. LDIF config for initial import:

dn: ou=GENI,dc=geni,dc=net
objectClass: organizationalUnit
objectClass: top
structuralObjectClass: organizationalUnit
ou: GENI
description: GENI
businessCategory: Academic

dn: cn=GENI,ou=GENI,dc=geni,dc=net
objectClass: posixGroup
cn: GENI
memberUid: globaladmin
gidNumber: 1001

dn: uid=globaladmin,ou=GENI,dc=geni,dc=net
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: hostObject
objectClass: shadowAccount
objectClass: organizationalPerson
structuralObjectClass: inetOrgPerson
uid: globaladmin
sn: admin
givenName: global
cn: global admin
uidNumber: 1000
gidNumber: 1001
loginShell: /bin/bash
homeDirectory: /home/globaladmin
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
mail: ivan@example.org
userPassword: password
o: GENI
host: null.orbit-lab.org

dn: cn=GENI-admin,ou=GENI,dc=geni,dc=net
objectClass: posixGroup
cn: GENI-admin
memberUid: globaladmin
gidNumber: 1002

dn: cn=admin,ou=GENI,dc=geni,dc=net
objectClass: organizationalRole
objectClass: top
cn: admin
structuralObjectClass: organizationalRole
roleOccupant: uid=globaladmin,ou=GENI,dc=geni,dc=net

Typically one needs to replace:

1. Every occurrence of DN base in the file (i.e. do a global replace of dc=geni,dc=net with corresponding DN e.g. dc=rutgers,dc=edu)
2. Initial group/organization name (i.e. do a global replace of GENI with the group name e.g. Rutgers)
3. Personalize administrator account entries under 'sn:,givenName:,mail: and userPassword:
4. (optional) Initial administrator account user id (i.e. replace every occurrence of globaladmin with say ruadmin)

Also, any person that is a member of sysadmin group in LDAP and admin group in /etc/omf-aggmgr-5.4/ogs-aggmgr.yaml will be able to use Control Panel to manage ALL accounts.

In order to create initial LDAP structure:

• Grab the initial configuration file that is attached to this page:

    wget http://wimax.orbit-lab.org/raw-attachment/wiki/WiMAX/dSite/e0LDAP/GENIinit.ldif
  

• Modify it with your favorite editor
• Import it into LDAP:

     ldapadd -vvv -x -D cn=admin,dc=geni,dc=net -H ldap:/// -W -f GENIinit.ldif