Version 1 (modified 9 years ago)
Configure LDAP
We will assume that the FQDN-based base DN is dc=geni,dc=net.
Setting up LDAP server
These steps need to be fixed: we copy all the necessary files, so nothing should be required here.
- Edit /etc/ldap.conf
- Check that you have a proper URI (around line 30):
    uri ldap://console.geni.net/
- Uncomment the line for the host attribute:
    pam_check_host_attr yes
- Add these two schemas to your LDAP server by copying them into the schema directory (/etc/ldap/slapd.d/cn=config/cn=schema):
    cd /etc/ldap/slapd.d/cn\=config/cn\=schema
    wget http://wimax.orbit-lab.org/mmm/cn={4}openssh-lpk-opnldap.ldif
    wget http://www.orbit-lab.org/mmm/cn={5}ldapns.ldif
- Import the initial group and user:
    cd /etc/ldap
    wget http://www.orbit-lab.org/mmm/cn={5}ldapns.ldif
    ldapadd -vvv -x -D cn=admin,dc=geni,dc=net -H ldap:/// -W -f init.ldif
- Fix the LDAP configuration for phpldapadmin: edit /etc/phpldapadmin/config.php and change dc=example,dc=com to dc=geni,dc=net:
    $servers->setValue('server','base',array('dc=geni,dc=net'));
    $servers->setValue('login','bind_id','cn=admin,dc=geni,dc=net');
- Point the Firefox web browser to http://<ip>/phpldapadmin. Set a password for the group admin user (add attribute → Password → set password → update object).
- Make sure you can access the service with admin credentials:
    ldapsearch -x -b "dc=geni,dc=net" "objectClass=organizationalRole"
    ldapsearch -x -b "dc=geni,dc=net" "objectClass=organizationalUnit"
    ldapsearch -x -b "dc=geni,dc=net" "objectClass=posixGroup"
    ldapsearch -x -H ldap://localhost/ -D "cn=admin,dc=geni,dc=net" -W -b "dc=geni,dc=net" "uid=*"
Configure the client
- Edit the /etc/ldap.conf file to configure the LDAP client:
    base dc=geni,dc=net
    uri ldap://ldap.geni.net/
    ldap_version 3
    binddn
    rootbinddn cn=admin,dc=geni,dc=net
    pam_password md5
    nss_initgroups_ignoreusers backup,bin,daemon,games,gnats,irc,libuuid,libvirt-qemu,list,lp,mail,man,messagebus,news,ntp,postfix,proxy,root,sshd,statd,sync,sys,syslog,usbmux,uucp,www-data
- The /etc/nsswitch.conf file should have the following non-comment lines:
    passwd: files ldap compat
    group: files ldap compat
    shadow: files compat
    hosts: files dns
    networks: files
    protocols: db files
    services: db files
    ethers: db files
    rpc: db files
    netgroup: nis
- Copy or create the /etc/ldap.secret file. It should contain the password of the rootbinddn (cn=admin,dc=geni,dc=net) in clear text.
- Finally, add the following lines to the /etc/sudoers file (note that this is done with the visudo command):
    %admin ALL=(ALL) ALL
    %sysadmin ALL=NOPASSWD: ALL
This has to be done manually.
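Before trusting a client configured as above, the three files it touches are worth checking. The script below is an added example, not part of this wiki page: the check_* function names and the script name are mine, the expected values (base DN, rootbinddn, nsswitch sources) are the ones listed above, and the owner check for /etc/ldap.secret defaults to root.

```shell
#!/bin/sh
# Added example (not from the wiki page): offline sanity checks for the client
# files above. Each function takes the file to check as $1 (default: real path).

# /etc/ldap.secret holds the rootbinddn password in clear text, so it must be
# owned by the expected user (root on a real host) and unreadable by others.
check_secret_perms() {
    f=${1:-/etc/ldap.secret}; want_owner=${2:-root}
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    set -- $(ls -ld "$f")                    # $1 = mode string, $3 = owner
    case $1 in
        -r[w-]-------|-r[w-]-------.) ;;     # 0600 or 0400, optional SELinux dot
        *) echo "$f: mode $1, must be 0600 (no group/other access)"; return 1 ;;
    esac
    [ "$3" = "$want_owner" ] || { echo "$f: owner $3, expected $want_owner"; return 1; }
}

# /etc/ldap.conf: base and rootbinddn must match the server above. The admin DN
# belongs in rootbinddn (password from root-only /etc/ldap.secret), not binddn.
check_ldap_conf() {
    f=${1:-/etc/ldap.conf}
    grep -Eq '^[[:space:]]*base[[:space:]]+dc=geni,dc=net' "$f" ||
        { echo "$f: base is not dc=geni,dc=net"; return 1; }
    grep -Eq '^[[:space:]]*uri[[:space:]]+ldaps?://' "$f" ||
        { echo "$f: no uri line"; return 1; }
    grep -Eq '^[[:space:]]*rootbinddn[[:space:]]+cn=admin,dc=geni,dc=net' "$f" ||
        { echo "$f: rootbinddn is not the admin DN"; return 1; }
    if grep -Eq '^[[:space:]]*binddn[[:space:]]+cn=admin' "$f"; then
        echo "$f: admin DN configured as binddn"; return 1
    fi
}

# /etc/nsswitch.conf: passwd and group read ldap after files; shadow stays on
# local files, exactly as the page lists it.
check_nsswitch() {
    f=${1:-/etc/nsswitch.conf}
    for db in passwd group; do
        grep -Eq "^$db:[[:space:]]+files[[:space:]]+ldap" "$f" ||
            { echo "$f: '$db:' does not read 'files ldap'"; return 1; }
    done
    if grep -Eq '^shadow:.*ldap' "$f"; then
        echo "$f: shadow: lists ldap, the page keeps it on files"; return 1
    fi
}

# Check the real files:  sh check_ldap_client.sh run
if [ "${1:-}" = run ]; then
    check_secret_perms && check_ldap_conf && check_nsswitch && echo "client config OK"
fi
```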
Attachments (1)
- GENIinit.ldif (1.0 KB) - added 9 years ago.