[[CollapsibleStart(/etc/nssw)]]
The script will blindly replace the ''/etc/nsswitch.conf'' with the following:
{{{
passwd: files ldap compat
group: files ldap compat
shadow: files compat

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis
}}}
[[CollapsibleEnd]]
[[CollapsibleStart(/etc/ldap/ldap.conf)]]
The script will blindly replace the ''/etc/ldap/ldap.conf'' with the following:
{{{
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never

# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ssl/certs/cacert.pem
TLS_REQCERT never
}}}
[[CollapsibleEnd]]
The reverse database will also be created to match the db.DOMAIN.
{{{
;
; BIND reverse data file for 10.
;
$TTL 604800
@ IN SOA consolec. root.geni.rutgers.edu. (
2014101501 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS consolec.

101.0.3 IN PTR cons1.geni.rutgers.edu.
102.0.3 IN PTR cons2.geni.rutgers.edu.
103.0.3 IN PTR cons3.geni.rutgers.edu.

1.0.1 IN PTR node1.geni.rutgers.edu.
2.0.1 IN PTR node2.geni.rutgers.edu.
3.0.1 IN PTR node3.geni.rutgers.edu.

254.0.1 IN PTR consolec.geni.rutgers.edu.
1.0.2 IN PTR data1.geni.rutgers.edu.
2.0.2 IN PTR data2.geni.rutgers.edu.
3.0.2 IN PTR data3.geni.rutgers.edu.

}}}
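Hand-maintained PTR records drift from the forward zone over time, so a generator is the usual way to keep the reverse file honest. The following is an added example, not the site's own setup script: it builds the 10. reverse zone above from a constructed "<ipv4> <fqdn>" host map, rejecting addresses outside 10.0.0.0/8, and writes the SOA MNAME fully qualified (the page's file uses the bare absolute name "consolec.").

```shell
#!/bin/sh
# Added example, not the site's own setup script: derive the 10.in-addr.arpa
# reverse zone from a forward host map ("<ipv4> <fqdn>" per line) so PTR
# records cannot drift from the forward db.DOMAIN. The SOA MNAME is written
# fully qualified (NS_HOST.DOMAIN.), where the page's file uses "consolec.".

# ptr_record IP FQDN: print one PTR record relative to the 10. zone origin,
# "<o4>.<o3>.<o2> IN PTR <fqdn>.". Rejects anything outside 10.0.0.0/8.
ptr_record() {
    ip=$1; fqdn=$2
    case $ip in *[!0-9.]*|'') echo "ptr_record: bad address '$ip'" >&2; return 1 ;; esac
    [ -n "$fqdn" ] || { echo "ptr_record: missing name for $ip" >&2; return 1; }
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ $# -eq 4 ] && [ "$1" = 10 ] ||
        { echo "ptr_record: $ip is not a 10.0.0.0/8 address" >&2; return 1; }
    for o in "$2" "$3" "$4"; do
        case $o in
            ''|*[!0-9]*) echo "ptr_record: bad octet in $ip" >&2; return 1 ;;
        esac
        [ "$o" -le 255 ] || { echo "ptr_record: octet > 255 in $ip" >&2; return 1; }
    done
    printf '%s.%s.%s IN PTR %s.\n' "$4" "$3" "$2" "$fqdn"
}

# reverse_zone NS_HOST DOMAIN SERIAL < hostmap: emit the complete zone file,
# returning non-zero on the first malformed entry so a bad file is never written.
reverse_zone() {
    ns="$1.$2."; rname="root.$2."; serial=$3
    printf ';\n; BIND reverse data file for 10. (generated)\n;\n$TTL 604800\n'
    printf '@ IN SOA %s %s (\n' "$ns" "$rname"
    printf '%s ; Serial\n604800 ; Refresh\n86400 ; Retry\n' "$serial"
    printf '2419200 ; Expire\n604800 ) ; Negative Cache TTL\n;\n'
    printf '@ IN NS %s\n\n' "$ns"
    while read -r ip fqdn; do
        [ -n "$ip" ] || continue            # skip blank lines
        ptr_record "$ip" "$fqdn" || return 1
    done
}

# Constructed host map with three of the names from the page:
printf '10.3.0.101 cons1.geni.rutgers.edu\n10.1.0.1 node1.geni.rutgers.edu\n10.1.0.254 consolec.geni.rutgers.edu\n' |
    reverse_zone consolec geni.rutgers.edu 2014101501
```

Redirect the output to the reverse zone file and run named-checkzone on it before reloading BIND.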
This options file assumes that you can directly query Google's 8.8.8.8 DNS server. If this is
not the case, you may need to adjust these values to reflect your environment's DNS settings.
{{{
options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk. See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    forwarders {
        8.8.8.8;
    };

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys. See https://www.isc.org/bind-keys
    //========================================================================
    dnssec-validation no;

    auth-nxdomain no; # conform to RFC1035
    listen-on-v6 { any; };
};
}}}
[[CollapsibleEnd]]
[[CollapsibleStart(/etc/ldap.conf)]]
The LDAP client settings chosen during the package installation will be overwritten
with the following:
{{{
base dc=geni,dc=rutgers,dc=edu
uri ldap://localhost
rootbinddn cn=admin,dc=geni,dc=rutgers,dc=edu
ldap_version 3
pam_check_host_attr yes
pam_password md5
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/cacert.pem
tls_cacertdir /etc/ssl/certs
nss_initgroups_ignoreusers backup,bin,bind,daemon,dhcpd,games,gnats,irc,landscape,libuuid,libvirt-qemu,list,lp,mail,man,messagebus,mysql,news,ntp,openfire,openldap,postfix,proxy,root,sshd,statd,sync,sys,syslog,tftp,usbmux,uucp,whoopsie,www-data
}}}
[[CollapsibleEnd]]
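The two LDAP client files the script writes disagree on certificate checking: ''/etc/ldap/ldap.conf'' sets `TLS_REQCERT never` (libldap does not verify the server certificate), while ''/etc/ldap.conf'' sets `ssl start_tls` with `tls_checkpeer yes` (pam_ldap/nss_ldap does). The following added audit, not part of the setup script, reads both files and returns non-zero for any file in which the server certificate is not verified; the function names and the treatment of an unset `tls_checkpeer` as not enforced are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the site setup script: audit the two LDAP client
# files the script writes for TLS peer verification. /etc/ldap/ldap.conf
# (libldap) uses TLS_REQCERT (default "demand"); "never" and "allow" skip
# verification and "try" tolerates a missing certificate. /etc/ldap.conf
# (pam_ldap/nss_ldap) uses "ssl" and "tls_checkpeer". Each audit function
# returns 0 only when the server certificate is actually verified.

# conf_value FILE KEY: value of the first uncommented KEY line (the key is
# matched case-insensitively here).
conf_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        '!/^[[:space:]]*#/ && tolower($1) == key { print $2; exit }' "$1"
}

# audit_libldap FILE: ldap.conf(5)-style file used by libldap (ldapsearch etc.)
audit_libldap() {
    [ -r "$1" ] || { echo "$1: not readable" >&2; return 1; }
    v=$(conf_value "$1" TLS_REQCERT | tr 'A-Z' 'a-z')
    case ${v:-demand} in
        demand|hard) echo "$1: TLS_REQCERT ${v:-demand} (server certificate verified)" ;;
        try) echo "$1: TLS_REQCERT try (missing server certificate tolerated)" >&2; return 1 ;;
        never|allow) echo "$1: TLS_REQCERT $v (server certificate NOT verified)" >&2; return 1 ;;
        *) echo "$1: unknown TLS_REQCERT value '$v'" >&2; return 1 ;;
    esac
}

# audit_pamldap FILE: pam_ldap/nss_ldap-style file (the /etc/ldap.conf above)
audit_pamldap() {
    [ -r "$1" ] || { echo "$1: not readable" >&2; return 1; }
    ssl=$(conf_value "$1" ssl | tr 'A-Z' 'a-z')
    peer=$(conf_value "$1" tls_checkpeer | tr 'A-Z' 'a-z')
    case $ssl in
        start_tls|on) ;;
        *) echo "$1: ssl ${ssl:-unset} (LDAP traffic not protected by TLS)" >&2; return 1 ;;
    esac
    # An unset tls_checkpeer is treated as not enforced (conservative choice).
    [ "$peer" = yes ] || { echo "$1: tls_checkpeer ${peer:-unset} (server certificate NOT verified)" >&2; return 1; }
    echo "$1: ssl $ssl with tls_checkpeer yes (server certificate verified)"
}

# Usage: sh ldap_tls_audit.sh /etc/ldap/ldap.conf /etc/ldap.conf
if [ $# -eq 2 ]; then
    rc=0
    audit_libldap "$1" || rc=1
    audit_pamldap "$2" || rc=1
    exit $rc
fi
```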
[[CollapsibleStart(/etc/ssl/geni-site-ca.info)]]
This file will be generated based on the FQDN:
{{{
cn = GENI 4G Authority for geni.rutgers.edu
ca
cert_signing_key
}}}
[[CollapsibleEnd]]
[[CollapsibleStart(/etc/ssl/geni-site-console.info)]]
This file will be generated based on the FQDN:
{{{
organization = GENI 4G Site for geni.rutgers.edu
cn = console.geni.rutgers.edu
tls_www_server
encryption_key
signing_key
expiration_days = 3650
}}}