| | 1 | == Configure LDAP == |
| | 2 | |
| | 3 | We will asume that the FQDN based DN base is '''dc=geni,dc=net''' |
| | 4 | |
| | 5 | |
| | 6 | === Setting up LDAP server === |
| | 7 | |
| | 8 | '''These need to be fixed - we are copying all the neccessary files and should not need anything here''' |
| | 9 | 2. Edit /etc/ldap.conf |
| | 10 | 1. Check that you have a proper URI (round line 30): |
| | 11 | {{{ |
| | 12 | uri ldap://console.geni.net/ |
| | 13 | }}} |
| | 14 | 2. Uncommend line for host attribute: |
| | 15 | {{{ |
| | 16 | pam_check_host_attr yes |
| | 17 | }}} |
| | 18 | 3. Add these two schemas to your ldap by copying to schema directory (/etc/ldap/slapd.d/cn=config/cn=schema) |
| | 19 | {{{ |
| | 20 | cd /etc/ldap/slapd.d/cn\=config/cn\=schema |
| | 21 | wget http://wimax.orbit-lab.org/mmm/cn={4}openssh-lpk-opnldap.ldif |
| | 22 | wget http://www.orbit-lab.org/mmm/cn={5}ldapns.ldif |
| | 23 | }}} |
| | 24 | |
| | 25 | 4. Import initial group and user |
| | 26 | {{{ |
| | 27 | cd /etc/ldap |
| | 28 | wget http://www.orbit-lab.org/mmm/cn={5}ldapns.ldif |
| | 29 | ldapadd -vvv -x -D cn=admin,dc=geni,dc=net -H ldap:/// -W -f init.ldif |
| | 30 | }}} |
| | 31 | |
| | 32 | 5. Fix the configuration for LDAP for phpldapadmin: |
| | 33 | {{{ |
| | 34 | edit /etc/phpldapadmin/config.php and change dc=example,dc=com to dc=geni,dc=net |
| | 35 | |
| | 36 | $servers->setValue('server','base',array('dc=geni,dc=net')); |
| | 37 | $servers->setValue('login','bind_id','cn=admin,dc=geni,dc=net'); |
| | 38 | }}} |
| | 39 | 6. Point the Firefox web browser to http://<ip>/phpldapadmin. Set password for group admin user (add attribute -> Password -> set password -> update object) |
| | 40 | |
| | 41 | |
| | 42 | 7. Make sure you can access the service with admin credentials: |
| | 43 | {{{ |
| | 44 | ldapsearch -x -b "dc=geni,dc=net" "objectClass=organizationalRole" |
| | 45 | ldapsearch -x -b "dc=geni,dc=net" "objectClass=organizationalUnit" |
| | 46 | ldapsearch -x -b "dc=geni,dc=net" "objectclass=organizationalUnit" |
| | 47 | ldapsearch -x -b "dc=geni,dc=net" "objectClass=posixGroup" |
| | 48 | ldapsearch -x localhost -D "cn=admin,dc=geni,dc=net" -W -b "dc=geni,dc=net" uid=* |
| | 49 | }}} |
| | 50 | |
| | 51 | === Configure the client === |
| | 52 | 1. Edit the /etc/ldap.conf file to configure the ldap client. |
| | 53 | {{{ |
| | 54 | base dc=geni,dc=net |
| | 55 | uri ldap://ldap.geni.net/ |
| | 56 | ldap_version 3 |
| | 57 | binddn |
| | 58 | rootbinddn cn=admin,dc=geni,dc=net |
| | 59 | pam_password md5 |
| | 60 | nss_initgroups_ignoreusers backup,bin,daemon,games,gnats,irc,libuuid,libvirt- qemu,list,lp,mail,man,messagebus,news,ntp,postfix,proxy,root,sshd,statd,sync,sys,syslog,usbmux,uucp,www-data |
| | 61 | }}} |
| | 62 | |
| | 63 | 2. The /etc/nsswitch.conf file should have the follow non comment lines: |
| | 64 | {{{ |
| | 65 | passwd: files ldap compat |
| | 66 | group: files ldap compat |
| | 67 | shadow: files compat |
| | 68 | |
| | 69 | hosts: files dns |
| | 70 | networks: files |
| | 71 | |
| | 72 | protocols: db files |
| | 73 | services: db files |
| | 74 | ethers: db files |
| | 75 | rpc: db files |
| | 76 | |
| | 77 | netgroup: nis |
| | 78 | }}} |
| | 79 | |
| | 80 | 3. Copy or create the /etc/ldap.secret file. It should contain the ldap password in clear text. |
| | 81 | 4. Finally add the follow line to the /etc/sudoers file (note this is done with the visudo command). |
| | 82 | {{{ |
| | 83 | %admin ALL=(ALL) ALL |
| | 84 | %sysadmin ALL=NOPASSWD: ALL |
| | 85 | }}} |
| | 86 | This has to be done manually. |
