Changes between Version 24 and Version 25 of dSite/e0LDAP

Timestamp:

Oct 16, 2014, 8:06:43 PM (10 years ago)

Author:

ssugrim

Comment:

—

dSite/e0LDAP

@@ -167 +167 @@
     }}}
     [[CollapsibleEnd]]
-
+    [[CollapsibleStart(/etc/nssw)]]
+    The script will blindly replace the ''/etc/nsswitch.conf'' with the following:
+    {{{
+    passwd:         files ldap compat
+    group:          files ldap compat
+    shadow:         files compat
+
+    hosts:          files dns
+    networks:       files
+
+    protocols:      db files
+    services:       db files
+    ethers:         db files
+    rpc:            db files
+
+    netgroup:       nis
+    }}}
+    [[CollapsibleEnd]]
+    [[CollapsibleStart(/etc/ldap/ldap.conf)]]
+    The script will blindly replace the ''/etc/ldap/ldap.conf'' with the following
+    {{{
+#
+# LDAP Defaults
+#
+
+# See ldap.conf(5) for details
+# This file should be world readable but not world writable.
+
+#BASE   dc=example,dc=com
+#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666
+
+#SIZELIMIT      12
+#TIMELIMIT      15
+#DEREF          never
+
+# TLS certificates (needed for GnuTLS)
+TLS_CACERT      /etc/ssl/certs/cacert.pem
+TLS_REQCERT     never
+    }}}
+    [[CollapsibleEnd]]
     [[CollapsibleStart(/etc/bind/db.DOMAIN)]]
+    The script will build a db.DOMAIN file in the ''/etc/bind'' directory based on contents of 
+    the site.yaml file, and the host FQDN. An example might look like (this assumed a domain 
+    of geni.rutgers.edu):
+    {{{
+;
+; BIND data file for geni.rutgers.edu
+;
+$TTL    604800
+@       IN      SOA     geni.rutgers.edu. root.geni.rutgers.edu. (
+                   2014101501  ; Serial
+                   604800      ; Refresh
+                   86400       ; Retry
+                   2419200     ; Expire
+                   604800 )    ; Negative Cache TTL
+;
+                IN      A       10.1.0.254
+@               IN      NS      consolec.geni.rutgers.edu.
+@               IN      A       10.1.0.254
+@               IN      AAAA    ::1
+consolec        IN      A       10.1.0.254
+xmpp            IN      CNAME   consolec.geni.rutgers.edu.
+
+node1           IN      A       10.1.0.1
+node2           IN      A       10.1.0.2
+node3           IN      A       10.1.0.3
+
+cons1           IN      A       10.3.0.101
+cons2           IN      A       10.3.0.102
+cons3           IN      A       10.3.0.103
+
+data1           IN      A       10.2.0.1
+data2           IN      A       10.2.0.2
+data3           IN      A       10.2.0.3
+    }}}
     [[CollapsibleEnd]]
     [[CollapsibleStart(/etc/bind/db.10)]]
+    The reverse database will also be created to match the db.DOMAIN.
+    {{{
+;
+; BIND reverse data file for 10.
+;
+$TTL    604800
+@       IN      SOA     consolec. root.geni.rutgers.edu. (
+                   2014101501  ; Serial
+                   604800      ; Refresh
+                   86400       ; Retry
+                   2419200     ; Expire
+                   604800 )    ; Negative Cache TTL
+;
+@       IN      NS      consolec.
+
+101.0.3     IN      PTR     cons1.geni.rutgers.edu.
+102.0.3     IN      PTR     cons2.geni.rutgers.edu.
+103.0.3     IN      PTR     cons3.geni.rutgers.edu.
+
+1.0.1     IN      PTR     node1.geni.rutgers.edu.
+2.0.1     IN      PTR     node2.geni.rutgers.edu.
+3.0.1     IN      PTR     node3.geni.rutgers.edu.
+
+254.0.1   IN      PTR     consolec.geni.rutgers.edu.
+1.0.2     IN      PTR     data1.geni.rutgers.edu.
+2.0.2     IN      PTR     data2.geni.rutgers.edu.
+3.0.2     IN      PTR     data3.geni.rutgers.edu.
+
+    }}}
     [[CollapsibleEnd]]
     [[CollapsibleStart(/etc/bin/named.conf.local)]]
+    The supporting config files will also be created. The local file looks like:
+    {{{
+//
+// Do any local configuration here
+//
+
+// Consider adding the 1918 zones here, if they are not used in your
+// organization
+//include "/etc/bind/zones.rfc1918";
+
+  zone "geni.rutgers.edu" {
+   type master;
+   file "/etc/bind/db.geni.rutgers.edu";
+  };
+  zone "10.in-addr.arpa" {
+    type master;
+    file "/etc/bind/db.10";
+  };
+    }}}
     [[CollapsibleEnd]]
     [[CollapsibleStart(/etc/bin/named.conf.options)]]
+    This option file assumes that you can directly query Google's 8.8.8.8 DNS server. If this is 
+    not the case, you may need to adjust these values to reflect your environments DNS settings. 
+    {{{
+options {
+        directory "/var/cache/bind";
+
+        // If there is a firewall between you and nameservers you want
+        // to talk to, you may need to fix the firewall to allow multiple
+        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113
+
+        // If your ISP provided one or more IP addresses for stable 
+        // nameservers, you probably want to use them as forwarders.  
+        // Uncomment the following block, and insert the addresses replacing 
+        // the all-0's placeholder.
+
+         forwarders {
+          8.8.8.8;
+         };
+
+        //========================================================================
+        // If BIND logs error messages about the root key being expired,
+        // you will need to update your keys.  See https://www.isc.org/bind-keys
+        //========================================================================
+        dnssec-validation no;
+
+        auth-nxdomain no;    # conform to RFC1035
+        listen-on-v6 { any; };
+};
+    }}}
+    [[CollapsibleEnd]]
+    [[CollapsibleStart(/etc/ldap.conf)]]
+    The Ldap clinet configurations that were choosen during the package installation will be overwritten
+    with the following:
+    {{{
+base dc=geni,dc=rutgers,dc=edu
+uri ldap://localhost
+rootbinddn cn=admin,dc=geni,dc=rutgers,dc=edu
+ldap_version 3
+pam_check_host_attr yes
+pam_password md5
+ssl start_tls
+tls_checkpeer yes
+tls_cacertfile /etc/ssl/certs/cacert.pem
+tls_cacertdir /etc/ssl/certs
+nss_initgroups_ignoreusers backup,bin,bind,daemon,dhcpd,games,gnats,irc,landscape,libuuid,libvirt-qemu,list,lp,mail,man,messagebus,mysql,news,ntp,openfire,openldap,postfix,proxy,root,sshd,statd,sync,sys,sysl
+og,tftp,usbmux,uucp,whoopsie,www-data
+    }}}
+    [[CollapsibleEnd]]
+    [[CollapsibleStart(/etc/ssl/geni-site-ca.info)]]
+    This file will be generated based on the FQDN:
+    {{{
+cn = GENI 4G Authority for geni.rutgers.edu
+ca
+cert_signing_key
+    }}}
+    [[CollapsibleEnd]]
+    [[CollapsibleStart(/etc/ssl/geni-site-console.info)]]
+    This file will be generated based on the FQDN:   
+    {{{
+organization = GENI 4G Site for geni.rutgers.edu
+cn = console.geni.rutgers.edu
+tls_www_server
+encryption_key
+signing_key
+expiration_days = 3650
+    }}}
     [[CollapsibleEnd]]
  2. After this script is run, we will need to point the dns resolver to the localhost. To do 
@@ -201 +388 @@
     }}}
     External name resolution should also work.
-
- 3. Edit ''/etc/nsswitch.conf'' file so that is has the follow non comment lines:
-    {{{
-    passwd:         files ldap compat
-    group:          files ldap compat
-    shadow:         files compat
-
-    hosts:          files dns
-    networks:       files
-
-    protocols:      db files
-    services:       db files
-    ethers:         db files
-    rpc:            db files
-
-    netgroup:       nis
-    }}}
- 4. Add the follow line to the /etc/sudoers file (note this is done with the visudo command).
+ 3. Add the follow line to the /etc/sudoers file (note this is done with the visudo command).
     {{{
     %admin ALL=(ALL) ALL
     %sysadmin ALL=NOPASSWD: ALL
     }}}
-  
-
- 5. Edit the file /etc/ldap/ldap.conf and make sure the following lines have these values (add 
-    them if they are missing):
-    {{{
-TLS_CACERT      /etc/ssl/certs/cacert.pem
-TLS_REQCERT     never
-    }}}
-    then restart the ldap daemon with:
-    {{{
-/etc/init.d/slapd restart
-    }}}
+ 
 === Configure PHPLDAPADMIN ===
 Edit the ''/etc/phpldapadmin/config.php'' file and modify the following lines: