| 4 | | |
| 5 | | The following steps will configure the LDAP server. |
| 6 | | === Setting up LDAP server === |
| 7 | | 1. Create file ''/etc/ssl/geni-site-ca.info'' with: |
| 8 | | {{{ |
| 9 | | cn = GENI WiMAX Company |
| 10 | | ca |
| 11 | | cert_signing_key |
| 12 | | }}} |
| 13 | | 1. Create file ''/etc/ssl/geni-site-console.info'' with (please change console.geni.net to match |
| 14 | | your FQDN): |
| 15 | | {{{ |
| 16 | | organization = Example Company |
| 17 | | cn = console.geni.net |
| 18 | | tls_www_server |
| 19 | | encryption_key |
| 20 | | signing_key |
| 21 | | expiration_days = 3650 |
| 22 | | }}} |
| 23 | | 1. Execute the following command to create SSL certificates: |
| 24 | | {{{ |
| 25 | | /usr/sbin/create_ldap_certificates.sh |
| 26 | | }}} |
| 27 | | 1. Create LDIF file for our newly created certificates in the file named |
| 28 | | ''/etc/ssl/geni-cert-info.ldif'': |
| 29 | | {{{ |
| 30 | | dn: cn=config |
| 31 | | add: olcTLSCACertificateFile |
| 32 | | olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem |
| 33 | | - |
| 34 | | add: olcTLSCertificateFile |
| 35 | | olcTLSCertificateFile: /etc/ssl/certs/console_slapd_cert.pem |
| 36 | | - |
| 37 | | add: olcTLSCertificateKeyFile |
| 38 | | olcTLSCertificateKeyFile: /etc/ssl/private/console_slapd_key.pem |
| 39 | | }}} |
| 40 | | and then execute: |
| 41 | | {{{ |
| 42 | | ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ssl/geni-cert-info.ldif |
| 43 | | }}} |
| 44 | | The expected output is: |
| 45 | | {{{ |
| | 4 | |
| | 5 | === Post-installation OS Services Configuration === |
| | 6 | |
| | 7 | Run the OS configuration script: |
| | 8 | {{{ |
| | 9 | /usr/sbin/geni_os_setup.rb |
| | 10 | }}} |
| | 11 | It should produce: |
| | 12 | {{{ |
| | 13 | user@testcons:~# sudo /usr/sbin/geni_os_setup.rb |
| | 14 | Loading /etc/omf-aggmgr-5.4/site.yaml... done. |
| | 15 | Generating a 2432 bit RSA private key... |
| | 16 | Generating a self signed certificate... |
| | 17 | X.509 Certificate Information: |
| | 18 | Version: 3 |
| | 19 | Serial Number (hex): 543811fb |
| | 20 | Validity: |
| | 21 | Not Before: Fri Oct 10 17:06:03 UTC 2014 |
| | 22 | Not After: Sat Oct 10 17:06:03 UTC 2015 |
| | 23 | Subject: CN=GENI 4G Authority for orbit-lab.org |
| | 24 | Subject Public Key Algorithm: RSA |
| | 25 | Certificate Security Level: Normal |
| | 26 | Modulus (bits 2432): |
| | 27 | 00:f0:49:c6:08:4b:97:31:6a:f0:d6:30:3a:23:2c:92 |
| | 28 | ac:e8:30:f1:1f:5c:9b:7e:8e:1b:db:37:3b:ae:94:bb |
| | 29 | f4:82:09:ca:da:48:7b:cd:95:95:e5:7b:9a:d0:f0:85 |
| | 30 | 5d:13:c0:82:a5:12:eb:c5:45:e6:0c:87:05:12:22:4b |
| | 31 | 94:96:74:f9:34:35:ef:20:4d:85:3d:48:44:6e:87:0b |
| | 32 | c7:48:65:e0:ea:70:f4:9a:0a:03:7c:86:c5:d0:62:39 |
| | 33 | 1d:a3:1e:c0:ce:09:25:8f:f7:85:21:8f:b9:81:30:8a |
| | 34 | 2c:17:0e:3b:9c:56:83:4e:52:dc:1b:37:38:4f:a5:79 |
| | 35 | c8:a3:b9:07:e3:38:a9:c9:59:b5:d3:d0:78:46:5f:f5 |
| | 36 | 81:15:6c:e9:24:a9:46:21:dc:4b:98:22:8c:b5:26:a8 |
| | 37 | 68:23:61:29:d2:8a:de:eb:a8:15:ac:b8:66:3a:03:e4 |
| | 38 | 78:02:5a:4b:d9:ae:ff:ff:42:9d:f2:10:b4:8a:9e:25 |
| | 39 | 25:d4:cb:f1:36:d3:2e:b2:cc:58:de:51:85:4b:82:1a |
| | 40 | 9b:34:3c:0a:66:f8:a1:7b:7d:39:52:75:7d:6d:9d:e5 |
| | 41 | fd:ed:c6:a0:5a:fc:39:06:a0:a9:d4:b6:8f:07:e4:18 |
| | 42 | 69:33:f6:34:cf:cf:5e:a3:89:e5:09:23:56:db:e4:7b |
| | 43 | 13:a8:cd:c1:a6:ea:1d:95:0e:77:07:b2:f0:70:26:65 |
| | 44 | b9:cc:fa:de:48:ab:8d:b9:b9:80:d1:5a:a8:a7:34:0c |
| | 45 | 9e:1f:c7:02:03:63:a7:72:ac:59:83:e7:83:89:d2:4b |
| | 46 | a7 |
| | 47 | Exponent (bits 24): |
| | 48 | 01:00:01 |
| | 49 | Extensions: |
| | 50 | Basic Constraints (critical): |
| | 51 | Certificate Authority (CA): TRUE |
| | 52 | Subject Key Identifier (not critical): |
| | 53 | 89161ffe61f729a0fc210f3e8b22e8b4379a5638 |
| | 54 | Other Information: |
| | 55 | Public Key Id: |
| | 56 | 89161ffe61f729a0fc210f3e8b22e8b4379a5638 |
| | 57 | |
| | 58 | |
| | 59 | |
| | 60 | Signing certificate... |
| | 61 | ** Note: Please use the --sec-param instead of --bits |
| | 62 | Generating a 1024 bit RSA private key... |
| | 63 | Generating a signed certificate... |
| | 64 | X.509 Certificate Information: |
| | 65 | Version: 3 |
| | 66 | Serial Number (hex): 543811fb |
| | 67 | Validity: |
| | 68 | Not Before: Fri Oct 10 17:06:03 UTC 2014 |
| | 69 | Not After: Sat Oct 10 17:06:03 UTC 2015 |
| | 70 | Subject: O=GENI 4G Site for orbit-lab.org,CN=testcons.orbit-lab.org |
| | 71 | Subject Public Key Algorithm: RSA |
| | 72 | Certificate Security Level: Weak |
| | 73 | Modulus (bits 1024): |
| | 74 | 00:d9:28:ed:fc:f8:c2:57:48:8a:7e:2a:91:cb:b7:48 |
| | 75 | d0:d8:25:7a:b2:64:b3:3f:95:40:b1:22:3c:8e:c2:8b |
| | 76 | 6b:dd:53:66:b2:3e:97:f0:48:e2:af:72:93:82:17:18 |
| | 77 | 91:17:3a:0b:01:8b:09:8c:9b:9c:a4:37:0c:c0:a9:1a |
| | 78 | 3b:b5:66:6c:77:77:84:90:6a:fe:e2:6d:53:cf:8b:33 |
| | 79 | 64:f3:41:54:f2:98:99:1c:0f:d1:1c:5e:bd:70:e8:55 |
| | 80 | e3:6d:ee:90:36:a7:a2:4f:3f:de:83:85:85:57:7a:bc |
| | 81 | 98:64:79:b8:be:1d:bd:bc:8d:1a:3b:3f:4a:ec:8a:a0 |
| | 82 | 93 |
| | 83 | Exponent (bits 24): |
| | 84 | 01:00:01 |
| | 85 | Extensions: |
| | 86 | Basic Constraints (critical): |
| | 87 | Certificate Authority (CA): FALSE |
| | 88 | Key Purpose (not critical): |
| | 89 | TLS WWW Server. |
| | 90 | Key Usage (critical): |
| | 91 | Digital signature. |
| | 92 | Key encipherment. |
| | 93 | Subject Key Identifier (not critical): |
| | 94 | 0324b56406f97f7d19bdc1619dd29cbab231d52f |
| | 95 | Authority Key Identifier (not critical): |
| | 96 | 89161ffe61f729a0fc210f3e8b22e8b4379a5638 |
| | 97 | Other Information: |
| | 98 | Public Key Id: |
| | 99 | 0324b56406f97f7d19bdc1619dd29cbab231d52f |
| | 100 | |
| | 101 | |
| | 102 | |
| | 103 | Signing certificate... |
| 49 | | modifying entry "cn=config" |
| 50 | | }}} |
| 51 | | 5. Fix the configuration for newly create LDAP for phpldapadmin by editing |
| 52 | | ''/etc/phpldapadmin/config.php'' and changing ''dc=example,dc=com'' to ''dc=geni,dc=net'' |
| 53 | | {{{ |
| 54 | | $servers->setValue('server','base',array('dc=geni,dc=net')); |
| 55 | | $servers->setValue('login','bind_id','cn=admin,dc=geni,dc=net'); |
| 56 | | }}} |
| 57 | | 6. Point the Firefox web browser to http://<console-ip-address>/phpldapadmin. Set password for group admin user (add attribute -> Password -> set password -> update object) |
| 58 | | 7. Make sure you can access the service with admin credentials: |
| 59 | | {{{ |
| 60 | | ldapsearch -x -b "dc=geni,dc=net" "objectClass=organizationalRole" |
| 61 | | ldapsearch -x -b "dc=geni,dc=net" "objectClass=organizationalUnit" |
| 62 | | ldapsearch -x -b "dc=geni,dc=net" "objectclass=organizationalUnit" |
| 63 | | ldapsearch -x -b "dc=geni,dc=net" "objectClass=posixGroup" |
| 64 | | ldapsearch -x localhost -D "cn=admin,dc=geni,dc=net" -W -b "dc=geni,dc=net" uid=* |
| 65 | | }}} |
| | 107 | SASL/EXTERNAL authentication started |
| | 108 | SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth |
| | 109 | SASL SSF: 0 |
| | 110 | }}} |
| | 111 | |
| | 112 | Next edit /etc/nsswitch.conf file so that is has the follow non comment lines: |
| | 113 | {{{ |
| | 114 | passwd: files ldap compat |
| | 115 | group: files ldap compat |
| | 116 | shadow: files compat |
| | 117 | |
| | 118 | hosts: files dns |
| | 119 | networks: files |
| | 120 | |
| | 121 | protocols: db files |
| | 122 | services: db files |
| | 123 | ethers: db files |
| | 124 | rpc: db files |
| | 125 | |
| | 126 | netgroup: nis |
| | 127 | }}} |
| | 128 | Finally add the follow line to the /etc/sudoers file (note this is done with the visudo command). |
| | 129 | {{{ |
| | 130 | %admin ALL=(ALL) ALL |
| | 131 | %sysadmin ALL=NOPASSWD: ALL |
| | 132 | }}} |
| | 133 | |
