wiki:dSite/e0LDAP
close Warning: Can't synchronize with repository "(default)" (/common/SVN/wimax does not appear to be a Subversion repository.). Look in the Trac log for more information.

Version 14 (modified by ssugrim, 6 years ago) ( diff )

Configure OS Services

Table of Contents

    Post-installation OS Services Configuration

    Run the OS configuration script:

    /usr/sbin/geni_os_setup.rb
    

    It should produce:

    user@testcons:~# sudo /usr/sbin/geni_os_setup.rb
    Loading /etc/omf-aggmgr-5.4/site.yaml... done.
    Generating a 2432 bit RSA private key...
    Generating a self signed certificate...
    X.509 Certificate Information:
    	Version: 3
    	Serial Number (hex): 543811fb
    	Validity:
    		Not Before: Fri Oct 10 17:06:03 UTC 2014
    		Not After: Sat Oct 10 17:06:03 UTC 2015
    	Subject: CN=GENI 4G Authority for orbit-lab.org
    	Subject Public Key Algorithm: RSA
    	Certificate Security Level: Normal
    		Modulus (bits 2432):
    			00:f0:49:c6:08:4b:97:31:6a:f0:d6:30:3a:23:2c:92
    			ac:e8:30:f1:1f:5c:9b:7e:8e:1b:db:37:3b:ae:94:bb
    			f4:82:09:ca:da:48:7b:cd:95:95:e5:7b:9a:d0:f0:85
    			5d:13:c0:82:a5:12:eb:c5:45:e6:0c:87:05:12:22:4b
    			94:96:74:f9:34:35:ef:20:4d:85:3d:48:44:6e:87:0b
    			c7:48:65:e0:ea:70:f4:9a:0a:03:7c:86:c5:d0:62:39
    			1d:a3:1e:c0:ce:09:25:8f:f7:85:21:8f:b9:81:30:8a
    			2c:17:0e:3b:9c:56:83:4e:52:dc:1b:37:38:4f:a5:79
    			c8:a3:b9:07:e3:38:a9:c9:59:b5:d3:d0:78:46:5f:f5
    			81:15:6c:e9:24:a9:46:21:dc:4b:98:22:8c:b5:26:a8
    			68:23:61:29:d2:8a:de:eb:a8:15:ac:b8:66:3a:03:e4
    			78:02:5a:4b:d9:ae:ff:ff:42:9d:f2:10:b4:8a:9e:25
    			25:d4:cb:f1:36:d3:2e:b2:cc:58:de:51:85:4b:82:1a
    			9b:34:3c:0a:66:f8:a1:7b:7d:39:52:75:7d:6d:9d:e5
    			fd:ed:c6:a0:5a:fc:39:06:a0:a9:d4:b6:8f:07:e4:18
    			69:33:f6:34:cf:cf:5e:a3:89:e5:09:23:56:db:e4:7b
    			13:a8:cd:c1:a6:ea:1d:95:0e:77:07:b2:f0:70:26:65
    			b9:cc:fa:de:48:ab:8d:b9:b9:80:d1:5a:a8:a7:34:0c
    			9e:1f:c7:02:03:63:a7:72:ac:59:83:e7:83:89:d2:4b
    			a7
    		Exponent (bits 24):
    			01:00:01
    	Extensions:
    		Basic Constraints (critical):
    			Certificate Authority (CA): TRUE
    		Subject Key Identifier (not critical):
    			89161ffe61f729a0fc210f3e8b22e8b4379a5638
    Other Information:
    	Public Key Id:
    		89161ffe61f729a0fc210f3e8b22e8b4379a5638
    
    
    
    Signing certificate...
    ** Note: Please use the --sec-param instead of --bits
    Generating a 1024 bit RSA private key...
    Generating a signed certificate...
    X.509 Certificate Information:
    	Version: 3
    	Serial Number (hex): 543811fb
    	Validity:
    		Not Before: Fri Oct 10 17:06:03 UTC 2014
    		Not After: Sat Oct 10 17:06:03 UTC 2015
    	Subject: O=GENI 4G Site for orbit-lab.org,CN=testcons.orbit-lab.org
    	Subject Public Key Algorithm: RSA
    	Certificate Security Level: Weak
    		Modulus (bits 1024):
    			00:d9:28:ed:fc:f8:c2:57:48:8a:7e:2a:91:cb:b7:48
    			d0:d8:25:7a:b2:64:b3:3f:95:40:b1:22:3c:8e:c2:8b
    			6b:dd:53:66:b2:3e:97:f0:48:e2:af:72:93:82:17:18
    			91:17:3a:0b:01:8b:09:8c:9b:9c:a4:37:0c:c0:a9:1a
    			3b:b5:66:6c:77:77:84:90:6a:fe:e2:6d:53:cf:8b:33
    			64:f3:41:54:f2:98:99:1c:0f:d1:1c:5e:bd:70:e8:55
    			e3:6d:ee:90:36:a7:a2:4f:3f:de:83:85:85:57:7a:bc
    			98:64:79:b8:be:1d:bd:bc:8d:1a:3b:3f:4a:ec:8a:a0
    			93
    		Exponent (bits 24):
    			01:00:01
    	Extensions:
    		Basic Constraints (critical):
    			Certificate Authority (CA): FALSE
    		Key Purpose (not critical):
    			TLS WWW Server.
    		Key Usage (critical):
    			Digital signature.
    			Key encipherment.
    		Subject Key Identifier (not critical):
    			0324b56406f97f7d19bdc1619dd29cbab231d52f
    		Authority Key Identifier (not critical):
    			89161ffe61f729a0fc210f3e8b22e8b4379a5638
    Other Information:
    	Public Key Id:
    		0324b56406f97f7d19bdc1619dd29cbab231d52f
    
    
    
    Signing certificate...
    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    

    After this script is run, we will need to point the dns resolver to the localhost. To do this edit /etc/network/interfaces file and change the dns-nameservers line to use localhost, e.g.:

    # The primary network interface
    auto eth2
    iface eth2 inet static
          address 10.50.0.249
          netmask 255.255.0.0
          gateway 10.50.0.1
          dns-nameservers localhost
    
    

    then restart the networking service to reflect the DNS change:

    /etc/init.d/networking restart
    

    Once this setting is done you can test the local dns by tring to resolve node names e.g.:

    host node1.geni.rutgers.edu
    node1.geni.rutgers.edu has address 10.1.1.1
    

    External name resolution should also work.

    Next edit /etc/nsswitch.conf file so that is has the follow non comment lines:

        passwd:         files ldap compat
        group:          files ldap compat
        shadow:         files compat
    
        hosts:          files dns
        networks:       files
    
        protocols:      db files
        services:       db files
        ethers:         db files
        rpc:            db files
    
        netgroup:       nis
    

    Finally add the follow line to the /etc/sudoers file (note this is done with the visudo command).

        %admin ALL=(ALL) ALL
        %sysadmin ALL=NOPASSWD: ALL
    

    In file /etc/ldap/ldap.conf make sure you have:

    TLS_CACERT	/etc/ssl/certs/cacert.pem
    TLS_REQCERT     never
    

    Import initial LDAP content

    Next we will import initial content consisting of first groups and accounts that will be used as administrators for the range of services. The deployment assumes the following delegated accounting structure: users are organized into groups based on their organization or project (or in LDAP terms organizational units (OUs)). Each group can have number of administrators (or users with group management capabilities) but has to have one person who is the main administrator for the OU (the principal investigator - PI). While most of the account management is performed through Control Panel functions, the initial site administrator and the first OU need to be added to LDAP manually. This can be done through phpldapadmin or through LDIF configuration file and command line tools. The LDIF config for initial import looks like:

    dn: ou=GENI,dc=geni,dc=net
    objectClass: organizationalUnit
    objectClass: top
    ou: GENI
    description: GENI
    businessCategory: Academic
    
    dn: cn=GENI,ou=GENI,dc=geni,dc=net
    objectClass: posixGroup
    cn: GENI
    memberUid: globaladmin
    gidNumber: 1001
    
    dn: uid=globaladmin,ou=GENI,dc=geni,dc=net
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: hostObject
    objectClass: shadowAccount
    objectClass: organizationalPerson
    uid: globaladmin
    sn: admin
    givenName: global
    cn: global admin
    uidNumber: 1000
    gidNumber: 1001
    loginShell: /bin/bash
    homeDirectory: /home/globaladmin
    shadowExpire: -1
    shadowFlag: 0
    shadowWarning: 7
    shadowMin: 8
    shadowMax: 999999
    shadowLastChange: 10877
    mail: ivan@example.org
    userPassword: password
    o: GENI
    host: null.orbit-lab.org
    
    dn: cn=GENI-admin,ou=GENI,dc=geni,dc=net
    objectClass: posixGroup
    cn: GENI-admin
    memberUid: globaladmin
    gidNumber: 1002
    
    dn: cn=admin,ou=GENI,dc=geni,dc=net
    objectClass: organizationalRole
    objectClass: top
    cn: admin
    roleOccupant: uid=globaladmin,ou=GENI,dc=geni,dc=net
    

    Typically you will needs to replace:

    1. Every occurrence of DN base in the file (i.e. do a global replace of dc=geni,dc=net with corresponding DN e.g. dc=rutgers,dc=edu)
    2. Initial group/organization name (i.e. do a global replace of GENI with the group name e.g. Rutgers)
    3. Personalize administrator account entries under 'sn:,givenName:,mail: and userPassword:
    4. (optional) Initial administrator account user id (i.e. replace every occurrence of globaladmin with say ruadmin)

    Any person that is a member of sysadmin group in LDAP and admin group in /etc/omf-aggmgr-5.4/ogs-aggmgr.yaml will be able to use Control Panel to manage ALL accounts.

    In order to create initial LDAP structure:

    • Download the protoype configuration file from this link (it can go anywhere, e.g. admin user's home directory):
        wget http://wimax.orbit-lab.org/raw-attachment/wiki/WiMAX/dSite/e0LDAP/GENIinit.ldif
      
    • Modify it with your favorite text editor according to the rules described prior.
    • Finally import it into LDAP:
         ldapadd -vvv -x -D cn=admin,dc=geni,dc=net -H ldap:/// -W -f GENIinit.ldif
      

    Attachments (1)

    Download all attachments as: .zip

    Note: See TracWiki for help on using the wiki.