close
Warning:
Can't synchronize with repository "(default)" (/common/SVN/wimax does not appear to be a Subversion repository.). Look in the Trac log for more information.
- Timestamp:
-
Oct 1, 2014, 7:24:41 PM (10 years ago)
- Author:
-
seskar
- Comment:
-
—
Legend:
- Unmodified
- Added
- Removed
- Modified
-
|
v2
|
v3
|
|
| 1 | 1 | == Configure LDAP == |
| 2 | 2 | |
| 3 | | We will asume that the FQDN based DN base is '''dc=geni,dc=net''' |
| | 3 | These instructions assume that the FQDN is console.geni.net and that (based on FQDN) LDAP DN base is '''dc=geni,dc=net'''. |
| 4 | 4 | |
| 5 | 5 | [[TOC(WiMAX/dSite*)]] |
| 6 | 6 | |
| 7 | 7 | === Setting up LDAP server === |
| 8 | | |
| 9 | | '''These need to be fixed - we are copying all the neccessary files and should not need anything here''' |
| 10 | | 2. Edit /etc/ldap.conf |
| 11 | | 1. Check that you have a proper URI (round line 30): |
| | 8 | 1. Create file '''/etc/ssl/geni-site-ca.info" with: |
| 12 | 9 | {{{ |
| 13 | | uri ldap://console.geni.net/ |
| | 10 | cn = GENI WiMAX Company |
| | 11 | ca |
| | 12 | cert_signing_key |
| 14 | 13 | }}} |
| 15 | | 2. Uncommend line for host attribute: |
| | 14 | 1. Create file '''/etc/ssl/geni-site-console.info''' with (please change console.geni.net to match your FQDN): |
| 16 | 15 | {{{ |
| 17 | | pam_check_host_attr yes |
| | 16 | organization = Example Company |
| | 17 | cn = console.geni.net |
| | 18 | tls_www_server |
| | 19 | encryption_key |
| | 20 | signing_key |
| | 21 | expiration_days = 3650 |
| 18 | 22 | }}} |
| 19 | | 3. Add these two schemas to your ldap by copying to schema directory (/etc/ldap/slapd.d/cn=config/cn=schema) |
| | 23 | 1. Execute the following command to create SSL certificates: |
| 20 | 24 | {{{ |
| 21 | | cd /etc/ldap/slapd.d/cn\=config/cn\=schema |
| 22 | | wget http://wimax.orbit-lab.org/mmm/cn={4}openssh-lpk-opnldap.ldif |
| 23 | | wget http://www.orbit-lab.org/mmm/cn={5}ldapns.ldif |
| | 25 | /usr/sbin/create_ldap_certificates.sh |
| 24 | 26 | }}} |
| 25 | | |
| 26 | | 4. Import initial group and user |
| | 27 | 1. Create LDIF file for our newly created certificates in the file named /etc/ssl/geni-cer-info.ldif: |
| 27 | 28 | {{{ |
| 28 | | cd /etc/ldap |
| 29 | | wget http://www.orbit-lab.org/mmm/cn={5}ldapns.ldif |
| 30 | | ldapadd -vvv -x -D cn=admin,dc=geni,dc=net -H ldap:/// -W -f init.ldif |
| | 29 | dn: cn=config |
| | 30 | add: olcTLSCACertificateFile |
| | 31 | olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem |
| | 32 | - |
| | 33 | add: olcTLSCertificateFile |
| | 34 | olcTLSCertificateFile: /etc/ssl/certs/console_slapd_cert.pem |
| | 35 | - |
| | 36 | add: olcTLSCertificateKeyFile |
| | 37 | olcTLSCertificateKeyFile: /etc/ssl/private/console_slapd_key.pem |
| 31 | 38 | }}} |
| 32 | | |
| 33 | | 5. Fix the configuration for LDAP for phpldapadmin: |
| | 39 | and then execute: |
| | 40 | {{{ |
| | 41 | ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ssl/geni-cert-info.ldif |
| | 42 | }}} |
| | 43 | 5. Fix the configuration for newly create LDAP for phpldapadmin: |
| 34 | 44 | {{{ |
| 35 | 45 | edit /etc/phpldapadmin/config.php and change dc=example,dc=com to dc=geni,dc=net |
| … |
… |
|
| 38 | 48 | $servers->setValue('login','bind_id','cn=admin,dc=geni,dc=net'); |
| 39 | 49 | }}} |
| 40 | | 6. Point the Firefox web browser to http://<ip>/phpldapadmin. Set password for group admin user (add attribute -> Password -> set password -> update object) |
| 41 | | |
| 42 | | |
| 43 | | 7. Make sure you can access the service with admin credentials: |
| | 50 | 1. Point the Firefox web browser to http://<console-ip-address>/phpldapadmin. Set password for group admin user (add attribute -> Password -> set password -> update object) |
| | 51 | 1. Make sure you can access the service with admin credentials: |
| 44 | 52 | {{{ |
| 45 | 53 | ldapsearch -x -b "dc=geni,dc=net" "objectClass=organizationalRole" |
| … |
… |
|
| 50 | 58 | }}} |
| 51 | 59 | |
| 52 | | === Configure the client === |
| 53 | | 1. Edit the /etc/ldap.conf file to configure the ldap client. |
| 54 | | {{{ |
| 55 | | base dc=geni,dc=net |
| 56 | | uri ldap://ldap.geni.net/ |
| 57 | | ldap_version 3 |
| 58 | | binddn |
| 59 | | rootbinddn cn=admin,dc=geni,dc=net |
| 60 | | pam_password md5 |
| 61 | | nss_initgroups_ignoreusers backup,bin,daemon,games,gnats,irc,libuuid,libvirt- qemu,list,lp,mail,man,messagebus,news,ntp,postfix,proxy,root,sshd,statd,sync,sys,syslog,usbmux,uucp,www-data |
| 62 | | }}} |
| 63 | | |
| 64 | | 2. The /etc/nsswitch.conf file should have the follow non comment lines: |
| 65 | | {{{ |
| 66 | | passwd: files ldap compat |
| 67 | | group: files ldap compat |
| 68 | | shadow: files compat |
| 69 | | |
| 70 | | hosts: files dns |
| 71 | | networks: files |
| 72 | | |
| 73 | | protocols: db files |
| 74 | | services: db files |
| 75 | | ethers: db files |
| 76 | | rpc: db files |
| 77 | | |
| 78 | | netgroup: nis |
| 79 | | }}} |
| 80 | | |
| 81 | | 3. Copy or create the /etc/ldap.secret file. It should contain the ldap password in clear text. |
| 82 | | 4. Finally add the follow line to the /etc/sudoers file (note this is done with the visudo command). |
| 83 | | {{{ |
| 84 | | %admin ALL=(ALL) ALL |
| 85 | | %sysadmin ALL=NOPASSWD: ALL |
| 86 | | }}} |
| 87 | | This has to be done manually. |
