close Warning: Can't synchronize with repository "(default)" (/common/SVN/wimax does not appear to be a Subversion repository.). Look in the Trac log for more information.

Changes between Version 24 and Version 25 of dSite/e0LDAP


Ignore:
Timestamp:
Oct 16, 2014, 8:06:43 PM (6 years ago)
Author:
ssugrim
Comment:

Legend:

Unmodified
Added
Removed
Modified
  • dSite/e0LDAP

    v24 v25  
    167167    }}}
    168168    [[CollapsibleEnd]]
    169 
     169    [[CollapsibleStart(/etc/nssw)]]
     170    The script will blindly replace the ''/etc/nsswitch.conf'' with the following:
     171    {{{
     172    passwd:         files ldap compat
     173    group:          files ldap compat
     174    shadow:         files compat
     175
     176    hosts:          files dns
     177    networks:       files
     178
     179    protocols:      db files
     180    services:       db files
     181    ethers:         db files
     182    rpc:            db files
     183
     184    netgroup:       nis
     185    }}}
     186    [[CollapsibleEnd]]
     187    [[CollapsibleStart(/etc/ldap/ldap.conf)]]
     188    The script will blindly replace the ''/etc/ldap/ldap.conf'' with the following
     189    {{{
     190#
     191# LDAP Defaults
     192#
     193
     194# See ldap.conf(5) for details
     195# This file should be world readable but not world writable.
     196
     197#BASE   dc=example,dc=com
     198#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666
     199
     200#SIZELIMIT      12
     201#TIMELIMIT      15
     202#DEREF          never
     203
     204# TLS certificates (needed for GnuTLS)
     205TLS_CACERT      /etc/ssl/certs/cacert.pem
     206TLS_REQCERT     never
     207    }}}
     208    [[CollapsibleEnd]]
    170209    [[CollapsibleStart(/etc/bind/db.DOMAIN)]]
     210    The script will build a db.DOMAIN file in the ''/etc/bind'' directory based on contents of
     211    the site.yaml file, and the host FQDN. An example might look like (this assumed a domain
     212    of geni.rutgers.edu):
     213    {{{
     214;
     215; BIND data file for geni.rutgers.edu
     216;
     217$TTL    604800
     218@       IN      SOA     geni.rutgers.edu. root.geni.rutgers.edu. (
     219                   2014101501  ; Serial
     220                   604800      ; Refresh
     221                   86400       ; Retry
     222                   2419200     ; Expire
     223                   604800 )    ; Negative Cache TTL
     224;
     225                IN      A       10.1.0.254
     226@               IN      NS      consolec.geni.rutgers.edu.
     227@               IN      A       10.1.0.254
     228@               IN      AAAA    ::1
     229consolec        IN      A       10.1.0.254
     230xmpp            IN      CNAME   consolec.geni.rutgers.edu.
     231
     232node1           IN      A       10.1.0.1
     233node2           IN      A       10.1.0.2
     234node3           IN      A       10.1.0.3
     235
     236cons1           IN      A       10.3.0.101
     237cons2           IN      A       10.3.0.102
     238cons3           IN      A       10.3.0.103
     239
     240data1           IN      A       10.2.0.1
     241data2           IN      A       10.2.0.2
     242data3           IN      A       10.2.0.3
     243    }}}
    171244    [[CollapsibleEnd]]
    172245    [[CollapsibleStart(/etc/bind/db.10)]]
     246    The reverse database will also be created to match the db.DOMAIN.
     247    {{{
     248;
     249; BIND reverse data file for 10.
     250;
     251$TTL    604800
     252@       IN      SOA     consolec. root.geni.rutgers.edu. (
     253                   2014101501  ; Serial
     254                   604800      ; Refresh
     255                   86400       ; Retry
     256                   2419200     ; Expire
     257                   604800 )    ; Negative Cache TTL
     258;
     259@       IN      NS      consolec.
     260
     261101.0.3     IN      PTR     cons1.geni.rutgers.edu.
     262102.0.3     IN      PTR     cons2.geni.rutgers.edu.
     263103.0.3     IN      PTR     cons3.geni.rutgers.edu.
     264
     2651.0.1     IN      PTR     node1.geni.rutgers.edu.
     2662.0.1     IN      PTR     node2.geni.rutgers.edu.
     2673.0.1     IN      PTR     node3.geni.rutgers.edu.
     268
     269254.0.1   IN      PTR     consolec.geni.rutgers.edu.
     2701.0.2     IN      PTR     data1.geni.rutgers.edu.
     2712.0.2     IN      PTR     data2.geni.rutgers.edu.
     2723.0.2     IN      PTR     data3.geni.rutgers.edu.
     273
     274    }}}
    173275    [[CollapsibleEnd]]
    174276    [[CollapsibleStart(/etc/bin/named.conf.local)]]
     277    The supporting config files will also be created. The local file looks like:
     278    {{{
     279//
     280// Do any local configuration here
     281//
     282
     283// Consider adding the 1918 zones here, if they are not used in your
     284// organization
     285//include "/etc/bind/zones.rfc1918";
     286
     287  zone "geni.rutgers.edu" {
     288   type master;
     289   file "/etc/bind/db.geni.rutgers.edu";
     290  };
     291  zone "10.in-addr.arpa" {
     292    type master;
     293    file "/etc/bind/db.10";
     294  };
     295    }}}
    175296    [[CollapsibleEnd]]
    176297    [[CollapsibleStart(/etc/bin/named.conf.options)]]
     298    This option file assumes that you can directly query Google's 8.8.8.8 DNS server. If this is
     299    not the case, you may need to adjust these values to reflect your environments DNS settings.
     300    {{{
     301options {
     302        directory "/var/cache/bind";
     303
     304        // If there is a firewall between you and nameservers you want
     305        // to talk to, you may need to fix the firewall to allow multiple
     306        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113
     307
     308        // If your ISP provided one or more IP addresses for stable
     309        // nameservers, you probably want to use them as forwarders. 
     310        // Uncomment the following block, and insert the addresses replacing
     311        // the all-0's placeholder.
     312
     313         forwarders {
     314          8.8.8.8;
     315         };
     316
     317        //========================================================================
     318        // If BIND logs error messages about the root key being expired,
     319        // you will need to update your keys.  See https://www.isc.org/bind-keys
     320        //========================================================================
     321        dnssec-validation no;
     322
     323        auth-nxdomain no;    # conform to RFC1035
     324        listen-on-v6 { any; };
     325};
     326    }}}
     327    [[CollapsibleEnd]]
     328    [[CollapsibleStart(/etc/ldap.conf)]]
     329    The Ldap clinet configurations that were choosen during the package installation will be overwritten
     330    with the following:
     331    {{{
     332base dc=geni,dc=rutgers,dc=edu
     333uri ldap://localhost
     334rootbinddn cn=admin,dc=geni,dc=rutgers,dc=edu
     335ldap_version 3
     336pam_check_host_attr yes
     337pam_password md5
     338ssl start_tls
     339tls_checkpeer yes
     340tls_cacertfile /etc/ssl/certs/cacert.pem
     341tls_cacertdir /etc/ssl/certs
     342nss_initgroups_ignoreusers backup,bin,bind,daemon,dhcpd,games,gnats,irc,landscape,libuuid,libvirt-qemu,list,lp,mail,man,messagebus,mysql,news,ntp,openfire,openldap,postfix,proxy,root,sshd,statd,sync,sys,sysl
     343og,tftp,usbmux,uucp,whoopsie,www-data
     344    }}}
     345    [[CollapsibleEnd]]
     346    [[CollapsibleStart(/etc/ssl/geni-site-ca.info)]]
     347    This file will be generated based on the FQDN:
     348    {{{
     349cn = GENI 4G Authority for geni.rutgers.edu
     350ca
     351cert_signing_key
     352    }}}
     353    [[CollapsibleEnd]]
     354    [[CollapsibleStart(/etc/ssl/geni-site-console.info)]]
     355    This file will be generated based on the FQDN:   
     356    {{{
     357organization = GENI 4G Site for geni.rutgers.edu
     358cn = console.geni.rutgers.edu
     359tls_www_server
     360encryption_key
     361signing_key
     362expiration_days = 3650
     363    }}}
    177364    [[CollapsibleEnd]]
    178365 2. After this script is run, we will need to point the dns resolver to the localhost. To do
     
    201388    }}}
    202389    External name resolution should also work.
    203 
    204  3. Edit ''/etc/nsswitch.conf'' file so that is has the follow non comment lines:
    205     {{{
    206     passwd:         files ldap compat
    207     group:          files ldap compat
    208     shadow:         files compat
    209 
    210     hosts:          files dns
    211     networks:       files
    212 
    213     protocols:      db files
    214     services:       db files
    215     ethers:         db files
    216     rpc:            db files
    217 
    218     netgroup:       nis
    219     }}}
    220  4. Add the follow line to the /etc/sudoers file (note this is done with the visudo command).
     390 3. Add the follow line to the /etc/sudoers file (note this is done with the visudo command).
    221391    {{{
    222392    %admin ALL=(ALL) ALL
    223393    %sysadmin ALL=NOPASSWD: ALL
    224394    }}}
    225  
    226 
    227  5. Edit the file /etc/ldap/ldap.conf and make sure the following lines have these values (add
    228     them if they are missing):
    229     {{{
    230 TLS_CACERT      /etc/ssl/certs/cacert.pem
    231 TLS_REQCERT     never
    232     }}}
    233     then restart the ldap daemon with:
    234     {{{
    235 /etc/init.d/slapd restart
    236     }}}
     395 
    237396=== Configure PHPLDAPADMIN ===
    238397Edit the ''/etc/phpldapadmin/config.php'' file and modify the following lines: