
Changes between Version 2 and Version 3 of dSite/e0LDAP


Timestamp: Oct 1, 2014, 7:24:41 PM (10 years ago)
Author: seskar
Comment:

  • dSite/e0LDAP

    v2 v3  
    11== Configure LDAP ==
    22
    3 We will asume that the FQDN based DN base is '''dc=geni,dc=net'''
     3These instructions assume that the FQDN is console.geni.net and that (based on FQDN) LDAP DN base is '''dc=geni,dc=net'''.
    44
    55[[TOC(WiMAX/dSite*)]]
    66 
    77=== Setting up LDAP server ===
    8 
    9 '''These need to be fixed - we are copying all the neccessary files and should not need anything here'''
    10 2. Edit /etc/ldap.conf
    11  1. Check that you have a proper URI (round line 30):
     81. Create file '''/etc/ssl/geni-site-ca.info" with:
    129{{{
    13 uri ldap://console.geni.net/
     10cn = GENI WiMAX Company
     11ca
     12cert_signing_key
    1413}}}
    15  2. Uncommend line for host attribute:
     141. Create file '''/etc/ssl/geni-site-console.info''' with (please change console.geni.net to match your FQDN):
    1615{{{
    17 pam_check_host_attr yes
     16organization = Example Company
     17cn = console.geni.net
     18tls_www_server
     19encryption_key
     20signing_key
     21expiration_days = 3650
    1822}}}
    19 3. Add these two schemas to your ldap  by copying to schema directory (/etc/ldap/slapd.d/cn=config/cn=schema)
     231. Execute the following command to create SSL certificates:
    2024{{{
    21 cd  /etc/ldap/slapd.d/cn\=config/cn\=schema
    22 wget http://wimax.orbit-lab.org/mmm/cn={4}openssh-lpk-opnldap.ldif
    23 wget http://www.orbit-lab.org/mmm/cn={5}ldapns.ldif
     25/usr/sbin/create_ldap_certificates.sh
    2426}}}
    25 
    26 4. Import initial group and user
     271. Create LDIF file for our newly created certificates in the file named /etc/ssl/geni-cer-info.ldif:
    2728{{{
    28 cd /etc/ldap
    29 wget http://www.orbit-lab.org/mmm/cn={5}ldapns.ldif
    30 ldapadd -vvv -x -D cn=admin,dc=geni,dc=net -H ldap:/// -W -f init.ldif
     29dn: cn=config
     30add: olcTLSCACertificateFile
     31olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
     32-
     33add: olcTLSCertificateFile
     34olcTLSCertificateFile: /etc/ssl/certs/console_slapd_cert.pem
     35-
     36add: olcTLSCertificateKeyFile
     37olcTLSCertificateKeyFile: /etc/ssl/private/console_slapd_key.pem
    3138}}}
    32 
    33 5. Fix the configuration for LDAP for phpldapadmin:
     39and then execute:
     40{{{
     41ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ssl/geni-cert-info.ldif
     42}}}
     435. Fix the configuration for newly create LDAP for phpldapadmin:
    3444{{{
    3545edit /etc/phpldapadmin/config.php and change dc=example,dc=com to dc=geni,dc=net
     
    3848$servers->setValue('login','bind_id','cn=admin,dc=geni,dc=net');
    3949}}}
    40 6. Point the Firefox web browser to http://<ip>/phpldapadmin. Set password for group admin user (add attribute -> Password -> set password -> update object)
    41 
    42 
    43 7. Make sure you can access the service with admin credentials:
     501. Point the Firefox web browser to http://<console-ip-address>/phpldapadmin. Set password for group admin user (add attribute -> Password -> set password -> update object)
     511. Make sure you can access the service with admin credentials:
    4452{{{
    4553   ldapsearch -x   -b "dc=geni,dc=net"  "objectClass=organizationalRole"
     
    5058}}}
    5159
    52 === Configure the client ===
    53 1. Edit the /etc/ldap.conf file to configure the ldap client.
    54 {{{
    55     base dc=geni,dc=net
    56     uri ldap://ldap.geni.net/
    57     ldap_version 3
    58     binddn
    59     rootbinddn cn=admin,dc=geni,dc=net
    60     pam_password md5
    61     nss_initgroups_ignoreusers backup,bin,daemon,games,gnats,irc,libuuid,libvirt- qemu,list,lp,mail,man,messagebus,news,ntp,postfix,proxy,root,sshd,statd,sync,sys,syslog,usbmux,uucp,www-data
    62 }}}
    63 
    64 2.  The /etc/nsswitch.conf file should have the follow non comment lines:
    65 {{{
    66     passwd:         files ldap compat
    67     group:          files ldap compat
    68     shadow:         files compat
    69 
    70     hosts:          files dns
    71     networks:       files
    72 
    73     protocols:      db files
    74     services:       db files
    75     ethers:         db files
    76     rpc:            db files
    77 
    78     netgroup:       nis
    79 }}}
    80 
    81 3. Copy or create the /etc/ldap.secret file. It should contain the ldap password in clear text.
    82 4. Finally add the follow line to the /etc/sudoers file (note this is done with the visudo command).
    83 {{{
    84     %admin ALL=(ALL) ALL
    85     %sysadmin ALL=NOPASSWD: ALL
    86 }}}
    87     This has to be done manually.
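Review bot: the LDIF filename does not match between the step that creates it and the command that consumes it: the new step says to put the certificate LDIF in /etc/ssl/geni-cer-info.ldif, but the command that follows is `ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ssl/geni-cert-info.ldif`, so it fails with a file-not-found error unless the reader spots the typo; use one spelling (geni-cert-info.ldif) in both places. Two smaller points in the same region: the markup `'''/etc/ssl/geni-site-ca.info"` opens bold with ''' but closes with a double quote, so it will not render as intended, and "newly create LDAP" should read "newly created LDAP". Finally, now that slapd gets olcTLSCACertificateFile, olcTLSCertificateFile and olcTLSCertificateKeyFile, the unchanged client section still uses a plain `uri ldap://ldap.geni.net/` (a different hostname from the console.geni.net FQDN the new introduction assumes), together with `pam_password md5` and a cleartext password in /etc/ldap.secret; consider pointing the client at the console FQDN with `ssl start_tls` and `tls_cacertfile /etc/ssl/certs/cacert.pem` so binds are not sent in the clear, and stating that /etc/ldap.secret must be readable by root only (mode 0600).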