== Configure LDAP ==

We will assume that the FQDN-based base DN is '''dc=geni,dc=net'''


=== Setting up LDAP server ===

'''These need to be fixed - we are copying all the necessary files and should not need anything here'''
1. Edit /etc/ldap.conf and check that you have a proper URI (around line 30):
{{{
uri ldap://console.geni.net/
}}}
2. In the same file, uncomment the line for the host attribute:
{{{
pam_check_host_attr yes
}}}
3. Add these two schemas to your LDAP server by copying them into the schema directory (/etc/ldap/slapd.d/cn=config/cn=schema):
{{{
cd /etc/ldap/slapd.d/cn\=config/cn\=schema
wget http://wimax.orbit-lab.org/mmm/cn={4}openssh-lpk-opnldap.ldif
wget http://www.orbit-lab.org/mmm/cn={5}ldapns.ldif
}}}

4. Import the initial group and user:
{{{
cd /etc/ldap
wget http://www.orbit-lab.org/mmm/cn={5}ldapns.ldif
ldapadd -vvv -x -D cn=admin,dc=geni,dc=net -H ldap:/// -W -f init.ldif
}}}

5. Fix the LDAP configuration for phpldapadmin: edit /etc/phpldapadmin/config.php and change dc=example,dc=com to dc=geni,dc=net:
{{{
$servers->setValue('server','base',array('dc=geni,dc=net'));
$servers->setValue('login','bind_id','cn=admin,dc=geni,dc=net');
}}}
6. Point the Firefox web browser to http://<ip>/phpldapadmin. Set the password for the group admin user (add attribute -> Password -> set password -> update object).


7. Make sure the directory answers anonymous searches and that you can bind with the admin credentials:
{{{
ldapsearch -x -b "dc=geni,dc=net" "objectClass=organizationalRole"
ldapsearch -x -b "dc=geni,dc=net" "objectClass=organizationalUnit"
ldapsearch -x -b "dc=geni,dc=net" "objectClass=posixGroup"
ldapsearch -x -H ldap://localhost -D "cn=admin,dc=geni,dc=net" -W -b "dc=geni,dc=net" uid=*
}}}
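Because `pam_check_host_attr yes` makes pam_ldap refuse login to any account whose `host` attribute is missing or does not match the client, it is worth checking the imported users before relying on them. The following check is an added example and not part of the original page: it parses LDIF as returned by `ldapsearch` (here a constructed sample embedded in the script, standing in for the live output of `ldapsearch -x -LLL -b "dc=geni,dc=net" "objectClass=posixAccount" uid host`) and lists every posixAccount that has no `host` attribute. The sample entries and the query shown in the comments are assumptions, not data from the page.

```shell
#!/bin/sh
# Added example: list posixAccount entries that carry no "host" attribute.
# With pam_check_host_attr yes such users are refused login on every client.

# Constructed sample of what
#   ldapsearch -x -LLL -b "dc=geni,dc=net" "objectClass=posixAccount" uid host
# might return on a server set up as above; replace it with the live output.
SAMPLE_LDIF='dn: uid=alice,ou=people,dc=geni,dc=net
uid: alice
host: console.geni.net
host: node1.geni.net

dn: uid=bob,ou=people,dc=geni,dc=net
uid: bob

dn: uid=carol,ou=people,dc=geni,dc=net
uid: carol
host: *
'

# users_without_host: read LDIF on stdin and print one uid per line for
# every entry that has no host attribute. LDIF entries are separated by
# blank lines; attribute names are compared case-insensitively.
# (Base64 "uid::" values and folded continuation lines are not handled.)
users_without_host() {
    awk '
        function flush() {
            if (uid != "" && !has_host) print uid
            uid = ""; has_host = 0
        }
        /^[ \t]*$/ { flush(); next }
        tolower($1) == "uid:"  { uid = $2 }
        tolower($1) == "host:" { has_host = 1 }
        END { flush() }
    '
}

# count_missing: how many accounts in the sample would be locked out.
count_missing() {
    printf '%s' "$SAMPLE_LDIF" | users_without_host | wc -l | tr -d ' '
}

# Run against the constructed sample; pipe real ldapsearch output instead.
printf '%s' "$SAMPLE_LDIF" | users_without_host
```

On the sample above only `bob` is printed: `alice` is restricted to two hosts and `carol` has the wildcard `host: *`, which pam_ldap accepts on any client. A user listed by this check either needs a `host` value added or is intentionally denied shell access.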

=== Configure the client ===
1. Edit the /etc/ldap.conf file to configure the LDAP client:
{{{
base dc=geni,dc=net
uri ldap://ldap.geni.net/
ldap_version 3
binddn
rootbinddn cn=admin,dc=geni,dc=net
pam_password md5
nss_initgroups_ignoreusers backup,bin,daemon,games,gnats,irc,libuuid,libvirt-qemu,list,lp,mail,man,messagebus,news,ntp,postfix,proxy,root,sshd,statd,sync,sys,syslog,usbmux,uucp,www-data
}}}

2. The /etc/nsswitch.conf file should have the following non-comment lines:
{{{
passwd: files ldap compat
group: files ldap compat
shadow: files compat

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis
}}}

3. Copy or create the /etc/ldap.secret file. It should contain the LDAP bind password in clear text.
4. Finally, add the following lines to the /etc/sudoers file (note this is done with the visudo command):
{{{
%admin ALL=(ALL) ALL
%sysadmin ALL=NOPASSWD: ALL
}}}
This has to be done manually.
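The four client-side files above are easy to get subtly wrong (a missing `ldap` in `passwd:`, a world-readable `/etc/ldap.secret`, a sudoers line that never made it past visudo), and the failure usually only shows up at the next login. The script below is an added example, not part of the original page: a small linter that checks each file for the settings this section specifies, plus the one requirement the page leaves implicit, that the clear-text bind password in `/etc/ldap.secret` is readable only by its owner (mode 0600, as nss_ldap and pam_ldap expect). The checks take file paths as parameters, and `make_demo` writes constructed copies of the four files into a scratch directory so the linter can be exercised without touching /etc; those copies and the placeholder password are assumptions.

```shell
#!/bin/sh
# Added example: lint the LDAP client files from this section.
# Each check_* function returns 0 when the file is as the section requires
# and 1 otherwise, so the script can be dropped into configuration management.

# has_setting FILE KEY VALUE_RE: true if FILE has an uncommented "KEY VALUE" line.
has_setting() {
    grep -Eq "^[[:space:]]*$2[[:space:]]+$3[[:space:]]*$" "$1"
}

# check_ldap_conf FILE: base DN, server URI and rootbinddn from the section.
check_ldap_conf() {
    has_setting "$1" base 'dc=geni,dc=net' &&
    has_setting "$1" uri 'ldap://ldap\.geni\.net/' &&
    has_setting "$1" rootbinddn 'cn=admin,dc=geni,dc=net'
}

# check_nsswitch FILE: passwd and group lookups must consult ldap.
check_nsswitch() {
    grep -Eq '^passwd:.*[[:space:]]ldap([[:space:]]|$)' "$1" &&
    grep -Eq '^group:.*[[:space:]]ldap([[:space:]]|$)' "$1"
}

# check_secret FILE: non-empty and exactly mode 0600 (find -perm without a
# leading "-" is an exact match), since it holds the bind password in clear text.
check_secret() {
    [ -f "$1" ] && [ -s "$1" ] && [ -n "$(find "$1" -perm 600 -print)" ]
}

# check_sudoers FILE: both group rules from step 4 must be present.
check_sudoers() {
    grep -Eq '^%admin[[:space:]]+ALL=\(ALL\)[[:space:]]+ALL' "$1" &&
    grep -Eq '^%sysadmin[[:space:]]+ALL=NOPASSWD:[[:space:]]+ALL' "$1"
}

# lint_client DIR: run every check against DIR/<file>, print PASS/FAIL per
# file and return non-zero if any check failed. Use DIR=/etc on a real client.
lint_client() {
    dir=$1
    rc=0
    for c in "check_ldap_conf ldap.conf" "check_nsswitch nsswitch.conf" \
             "check_secret ldap.secret" "check_sudoers sudoers"; do
        set -- $c
        if "$1" "$dir/$2"; then echo "PASS $2"; else echo "FAIL $2"; rc=1; fi
    done
    return $rc
}

# make_demo DIR: write constructed copies of the four files (assumption: they
# mirror the settings given in this section) so the linter can be tried safely.
make_demo() {
    mkdir -p "$1"
    printf 'base dc=geni,dc=net\nuri ldap://ldap.geni.net/\nldap_version 3\nbinddn\nrootbinddn cn=admin,dc=geni,dc=net\npam_password md5\n' > "$1/ldap.conf"
    printf 'passwd: files ldap compat\ngroup: files ldap compat\nshadow: files compat\n' > "$1/nsswitch.conf"
    printf 'example-bind-password\n' > "$1/ldap.secret"   # constructed placeholder
    chmod 600 "$1/ldap.secret"
    printf '%%admin ALL=(ALL) ALL\n%%sysadmin ALL=NOPASSWD: ALL\n' > "$1/sudoers"
}

demo=${TMPDIR:-/tmp}/ldap-client-lint.$$
make_demo "$demo"
lint_client "$demo"
rm -rf "$demo"
```

Run as root with `lint_client /etc` after finishing the steps above. Two points worth keeping in mind when the linter passes: the `rootbinddn` line makes nss_ldap bind with the admin password from `/etc/ldap.secret` for privileged lookups, so a copy of that file with loose permissions is a copy of the directory admin credential; and `%sysadmin ALL=NOPASSWD: ALL` grants passwordless root to every member of a group that lives in the directory, so membership of that LDAP group is effectively a root credential on every client that uses this configuration.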