
Changes between Version 12 and Version 13 of dSite/e0LDAP


Timestamp:
Oct 10, 2014, 6:32:24 PM (10 years ago)
Author:
seskar
Comment:

  • dSite/e0LDAP

    v12 v13  
    1 == Configure LDAP ==
     1== Configure OS Services ==
    22
    33[[TOC(WiMAX/dSite*)]]
    4  
    5 The following steps will configure the LDAP server.
    6 === Setting up LDAP server ===
    7  1. Create file ''/etc/ssl/geni-site-ca.info'' with:
    8     {{{
    9 cn = GENI WiMAX Company
    10 ca
    11 cert_signing_key
    12     }}}
    13  1. Create file ''/etc/ssl/geni-site-console.info'' with (please change console.geni.net to match
    14     your FQDN):
    15     {{{
    16 organization = Example Company
    17 cn = console.geni.net
    18 tls_www_server
    19 encryption_key
    20 signing_key
    21 expiration_days = 3650
    22     }}}
    23  1. Execute the following command to create SSL certificates:
    24     {{{
    25 /usr/sbin/create_ldap_certificates.sh
    26     }}}
    27  1. Create LDIF file for our newly created certificates in the file named
    28     ''/etc/ssl/geni-cert-info.ldif'':
    29     {{{
    30 dn: cn=config
    31 add: olcTLSCACertificateFile
    32 olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
    33 -
    34 add: olcTLSCertificateFile
    35 olcTLSCertificateFile: /etc/ssl/certs/console_slapd_cert.pem
    36 -
    37 add: olcTLSCertificateKeyFile
    38 olcTLSCertificateKeyFile: /etc/ssl/private/console_slapd_key.pem
    39     }}}
    40     and then execute:
    41     {{{
    42 ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ssl/geni-cert-info.ldif
    43     }}}
    44     The expected output is:
    45     {{{
     4
     5=== Post-installation OS Services Configuration ===
     6
     7Run the OS configuration script:
     8{{{
     9/usr/sbin/geni_os_setup.rb
     10}}}
     11It should produce:
     12{{{
     13user@testcons:~# sudo /usr/sbin/geni_os_setup.rb
     14Loading /etc/omf-aggmgr-5.4/site.yaml... done.
     15Generating a 2432 bit RSA private key...
     16Generating a self signed certificate...
     17X.509 Certificate Information:
     18        Version: 3
     19        Serial Number (hex): 543811fb
     20        Validity:
     21                Not Before: Fri Oct 10 17:06:03 UTC 2014
     22                Not After: Sat Oct 10 17:06:03 UTC 2015
     23        Subject: CN=GENI 4G Authority for orbit-lab.org
     24        Subject Public Key Algorithm: RSA
     25        Certificate Security Level: Normal
     26                Modulus (bits 2432):
     27                        00:f0:49:c6:08:4b:97:31:6a:f0:d6:30:3a:23:2c:92
     28                        ac:e8:30:f1:1f:5c:9b:7e:8e:1b:db:37:3b:ae:94:bb
     29                        f4:82:09:ca:da:48:7b:cd:95:95:e5:7b:9a:d0:f0:85
     30                        5d:13:c0:82:a5:12:eb:c5:45:e6:0c:87:05:12:22:4b
     31                        94:96:74:f9:34:35:ef:20:4d:85:3d:48:44:6e:87:0b
     32                        c7:48:65:e0:ea:70:f4:9a:0a:03:7c:86:c5:d0:62:39
     33                        1d:a3:1e:c0:ce:09:25:8f:f7:85:21:8f:b9:81:30:8a
     34                        2c:17:0e:3b:9c:56:83:4e:52:dc:1b:37:38:4f:a5:79
     35                        c8:a3:b9:07:e3:38:a9:c9:59:b5:d3:d0:78:46:5f:f5
     36                        81:15:6c:e9:24:a9:46:21:dc:4b:98:22:8c:b5:26:a8
     37                        68:23:61:29:d2:8a:de:eb:a8:15:ac:b8:66:3a:03:e4
     38                        78:02:5a:4b:d9:ae:ff:ff:42:9d:f2:10:b4:8a:9e:25
     39                        25:d4:cb:f1:36:d3:2e:b2:cc:58:de:51:85:4b:82:1a
     40                        9b:34:3c:0a:66:f8:a1:7b:7d:39:52:75:7d:6d:9d:e5
     41                        fd:ed:c6:a0:5a:fc:39:06:a0:a9:d4:b6:8f:07:e4:18
     42                        69:33:f6:34:cf:cf:5e:a3:89:e5:09:23:56:db:e4:7b
     43                        13:a8:cd:c1:a6:ea:1d:95:0e:77:07:b2:f0:70:26:65
     44                        b9:cc:fa:de:48:ab:8d:b9:b9:80:d1:5a:a8:a7:34:0c
     45                        9e:1f:c7:02:03:63:a7:72:ac:59:83:e7:83:89:d2:4b
     46                        a7
     47                Exponent (bits 24):
     48                        01:00:01
     49        Extensions:
     50                Basic Constraints (critical):
     51                        Certificate Authority (CA): TRUE
     52                Subject Key Identifier (not critical):
     53                        89161ffe61f729a0fc210f3e8b22e8b4379a5638
     54Other Information:
     55        Public Key Id:
     56                89161ffe61f729a0fc210f3e8b22e8b4379a5638
     57
     58
     59
     60Signing certificate...
     61** Note: Please use the --sec-param instead of --bits
     62Generating a 1024 bit RSA private key...
     63Generating a signed certificate...
     64X.509 Certificate Information:
     65        Version: 3
     66        Serial Number (hex): 543811fb
     67        Validity:
     68                Not Before: Fri Oct 10 17:06:03 UTC 2014
     69                Not After: Sat Oct 10 17:06:03 UTC 2015
     70        Subject: O=GENI 4G Site for orbit-lab.org,CN=testcons.orbit-lab.org
     71        Subject Public Key Algorithm: RSA
     72        Certificate Security Level: Weak
     73                Modulus (bits 1024):
     74                        00:d9:28:ed:fc:f8:c2:57:48:8a:7e:2a:91:cb:b7:48
     75                        d0:d8:25:7a:b2:64:b3:3f:95:40:b1:22:3c:8e:c2:8b
     76                        6b:dd:53:66:b2:3e:97:f0:48:e2:af:72:93:82:17:18
     77                        91:17:3a:0b:01:8b:09:8c:9b:9c:a4:37:0c:c0:a9:1a
     78                        3b:b5:66:6c:77:77:84:90:6a:fe:e2:6d:53:cf:8b:33
     79                        64:f3:41:54:f2:98:99:1c:0f:d1:1c:5e:bd:70:e8:55
     80                        e3:6d:ee:90:36:a7:a2:4f:3f:de:83:85:85:57:7a:bc
     81                        98:64:79:b8:be:1d:bd:bc:8d:1a:3b:3f:4a:ec:8a:a0
     82                        93
     83                Exponent (bits 24):
     84                        01:00:01
     85        Extensions:
     86                Basic Constraints (critical):
     87                        Certificate Authority (CA): FALSE
     88                Key Purpose (not critical):
     89                        TLS WWW Server.
     90                Key Usage (critical):
     91                        Digital signature.
     92                        Key encipherment.
     93                Subject Key Identifier (not critical):
     94                        0324b56406f97f7d19bdc1619dd29cbab231d52f
     95                Authority Key Identifier (not critical):
     96                        89161ffe61f729a0fc210f3e8b22e8b4379a5638
     97Other Information:
     98        Public Key Id:
     99                0324b56406f97f7d19bdc1619dd29cbab231d52f
     100
     101
     102
     103Signing certificate...
    46104SASL/EXTERNAL authentication started
    47105SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    48106SASL SSF: 0
    49 modifying entry "cn=config"
    50     }}}
    51  5. Fix the configuration for newly create LDAP for phpldapadmin by editing
    52     ''/etc/phpldapadmin/config.php'' and changing ''dc=example,dc=com'' to ''dc=geni,dc=net''
    53     {{{
    54 $servers->setValue('server','base',array('dc=geni,dc=net'));
    55 $servers->setValue('login','bind_id','cn=admin,dc=geni,dc=net');
    56     }}}
    57  6. Point the Firefox web browser to http://<console-ip-address>/phpldapadmin. Set password for group admin user (add attribute -> Password -> set password -> update object)
    58  7. Make sure you can access the service with admin credentials:
    59     {{{
    60    ldapsearch -x   -b "dc=geni,dc=net"  "objectClass=organizationalRole"
    61    ldapsearch -x   -b "dc=geni,dc=net"  "objectClass=organizationalUnit"
    62    ldapsearch -x   -b "dc=geni,dc=net"  "objectclass=organizationalUnit"
    63    ldapsearch -x   -b "dc=geni,dc=net"  "objectClass=posixGroup"
    64    ldapsearch -x localhost -D "cn=admin,dc=geni,dc=net" -W -b "dc=geni,dc=net" uid=*
    65     }}}
     107SASL/EXTERNAL authentication started
     108SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
     109SASL SSF: 0
     110}}}
     111
     112Next edit /etc/nsswitch.conf file so that is has the follow non comment lines:
     113{{{
     114    passwd:         files ldap compat
     115    group:          files ldap compat
     116    shadow:         files compat
     117
     118    hosts:          files dns
     119    networks:       files
     120
     121    protocols:      db files
     122    services:       db files
     123    ethers:         db files
     124    rpc:            db files
     125
     126    netgroup:       nis
     127}}}
     128Finally add the follow line to the /etc/sudoers file (note this is done with the visudo command).
     129{{{
     130    %admin ALL=(ALL) ALL
     131    %sysadmin ALL=NOPASSWD: ALL
     132}}}
     133 
    66134
    67135In file /etc/ldap/ldap.conf make sure you have:
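Review bot: the v13 sample output of `/usr/sbin/geni_os_setup.rb` shows the site (server) certificate being issued on a key the tool itself rates as weak (`Generating a 1024 bit RSA private key...`, `Certificate Security Level: Weak`, plus its note to use --sec-param instead of --bits), while the CA key generated just above it is 2432 bits; the script should be changed to request a key size the tool rates Normal or better before this page records that transcript as the expected result. Two smaller points in the same block: the new sudoers line `%sysadmin ALL=NOPASSWD: ALL` gives passwordless root to every member of that group, so the text should state who is expected to be in sysadmin and why the `%admin ALL=(ALL) ALL` entry is not sufficient on its own; and the v12 steps that were removed without a visible counterpart (changing the phpldapadmin base DN to dc=geni,dc=net, setting the admin password, and the ldapsearch checks with admin credentials) should either be stated as now handled by the setup script or be re-added as a verification step after the sudoers edit, since v13 as shown moves straight on to /etc/ldap/ldap.conf.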