wiki:dSite/e0LDAP
close Warning: Can't synchronize with repository "(default)" (/common/SVN/wimax does not appear to be a Subversion repository.). Look in the Trac log for more information.

Version 19 (modified by ssugrim, 6 years ago) ( diff )

Configure OS Services

Table of Contents

    Post-installation OS Services Configuration

    1. Run the OS configuration script:
      /usr/sbin/geni_os_setup.rb
      
      It should produce:
      user@testcons:~# sudo /usr/sbin/geni_os_setup.rb
      Loading /etc/omf-aggmgr-5.4/site.yaml... done.
      Generating a 2432 bit RSA private key...
      Generating a self signed certificate...
      X.509 Certificate Information:
      	Version: 3
      	Serial Number (hex): 543811fb
      	Validity:
      		Not Before: Fri Oct 10 17:06:03 UTC 2014
      		Not After: Sat Oct 10 17:06:03 UTC 2015
      	Subject: CN=GENI 4G Authority for orbit-lab.org
      	Subject Public Key Algorithm: RSA
      	Certificate Security Level: Normal
      		Modulus (bits 2432):
      			00:f0:49:c6:08:4b:97:31:6a:f0:d6:30:3a:23:2c:92
      			ac:e8:30:f1:1f:5c:9b:7e:8e:1b:db:37:3b:ae:94:bb
      			f4:82:09:ca:da:48:7b:cd:95:95:e5:7b:9a:d0:f0:85
      			5d:13:c0:82:a5:12:eb:c5:45:e6:0c:87:05:12:22:4b
      			94:96:74:f9:34:35:ef:20:4d:85:3d:48:44:6e:87:0b
      			c7:48:65:e0:ea:70:f4:9a:0a:03:7c:86:c5:d0:62:39
      			1d:a3:1e:c0:ce:09:25:8f:f7:85:21:8f:b9:81:30:8a
      			2c:17:0e:3b:9c:56:83:4e:52:dc:1b:37:38:4f:a5:79
      			c8:a3:b9:07:e3:38:a9:c9:59:b5:d3:d0:78:46:5f:f5
      			81:15:6c:e9:24:a9:46:21:dc:4b:98:22:8c:b5:26:a8
      			68:23:61:29:d2:8a:de:eb:a8:15:ac:b8:66:3a:03:e4
      			78:02:5a:4b:d9:ae:ff:ff:42:9d:f2:10:b4:8a:9e:25
      			25:d4:cb:f1:36:d3:2e:b2:cc:58:de:51:85:4b:82:1a
      			9b:34:3c:0a:66:f8:a1:7b:7d:39:52:75:7d:6d:9d:e5
      			fd:ed:c6:a0:5a:fc:39:06:a0:a9:d4:b6:8f:07:e4:18
      			69:33:f6:34:cf:cf:5e:a3:89:e5:09:23:56:db:e4:7b
      			13:a8:cd:c1:a6:ea:1d:95:0e:77:07:b2:f0:70:26:65
      			b9:cc:fa:de:48:ab:8d:b9:b9:80:d1:5a:a8:a7:34:0c
      			9e:1f:c7:02:03:63:a7:72:ac:59:83:e7:83:89:d2:4b
      			a7
      		Exponent (bits 24):
      			01:00:01
      	Extensions:
      		Basic Constraints (critical):
      			Certificate Authority (CA): TRUE
      		Subject Key Identifier (not critical):
      			89161ffe61f729a0fc210f3e8b22e8b4379a5638
      Other Information:
      	Public Key Id:
      		89161ffe61f729a0fc210f3e8b22e8b4379a5638
      
      
      
      Signing certificate...
      ** Note: Please use the --sec-param instead of --bits
      Generating a 1024 bit RSA private key...
      Generating a signed certificate...
      X.509 Certificate Information:
      	Version: 3
      	Serial Number (hex): 543811fb
      	Validity:
      		Not Before: Fri Oct 10 17:06:03 UTC 2014
      		Not After: Sat Oct 10 17:06:03 UTC 2015
      	Subject: O=GENI 4G Site for orbit-lab.org,CN=testcons.orbit-lab.org
      	Subject Public Key Algorithm: RSA
      	Certificate Security Level: Weak
      		Modulus (bits 1024):
      			00:d9:28:ed:fc:f8:c2:57:48:8a:7e:2a:91:cb:b7:48
      			d0:d8:25:7a:b2:64:b3:3f:95:40:b1:22:3c:8e:c2:8b
      			6b:dd:53:66:b2:3e:97:f0:48:e2:af:72:93:82:17:18
      			91:17:3a:0b:01:8b:09:8c:9b:9c:a4:37:0c:c0:a9:1a
      			3b:b5:66:6c:77:77:84:90:6a:fe:e2:6d:53:cf:8b:33
      			64:f3:41:54:f2:98:99:1c:0f:d1:1c:5e:bd:70:e8:55
      			e3:6d:ee:90:36:a7:a2:4f:3f:de:83:85:85:57:7a:bc
      			98:64:79:b8:be:1d:bd:bc:8d:1a:3b:3f:4a:ec:8a:a0
      			93
      		Exponent (bits 24):
      			01:00:01
      	Extensions:
      		Basic Constraints (critical):
      			Certificate Authority (CA): FALSE
      		Key Purpose (not critical):
      			TLS WWW Server.
      		Key Usage (critical):
      			Digital signature.
      			Key encipherment.
      		Subject Key Identifier (not critical):
      			0324b56406f97f7d19bdc1619dd29cbab231d52f
      		Authority Key Identifier (not critical):
      			89161ffe61f729a0fc210f3e8b22e8b4379a5638
      Other Information:
      	Public Key Id:
      		0324b56406f97f7d19bdc1619dd29cbab231d52f
      
      
      
      Signing certificate...
      SASL/EXTERNAL authentication started
      SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
      SASL SSF: 0
      SASL/EXTERNAL authentication started
      SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
      SASL SSF: 0
      
    2. After this script is run, we will need to point the dns resolver to the localhost. To do this edit /etc/network/interfaces file and change the dns-nameservers line to use localhost. We also need to add a dns-search field to specify the local domain, (e.g geni.rutgers.edu). This should look like:
      # The primary network interface
      auto eth2
      iface eth2 inet static
            address 10.50.0.249
            netmask 255.255.0.0
            gateway 10.50.0.1
            dns-search geni.rutgers.edu
            dns-nameservers localhost
      
      
      then restart the networking service to reflect the DNS change:
      /etc/init.d/networking restart
      
      Once this setting is done you can test the local dns by tring to resolve node names e.g.:
      host node1
      node1.geni.rutgers.edu has address 10.1.0.1
      
      External name resolution should also work.
    1. Edit /etc/nsswitch.conf file so that is has the follow non comment lines:
      passwd:         files ldap compat
      group:          files ldap compat
      shadow:         files compat
      
      hosts:          files dns
      networks:       files
      
      protocols:      db files
      services:       db files
      ethers:         db files
      rpc:            db files
      
      netgroup:       nis
      
    2. Add the follow line to the /etc/sudoers file (note this is done with the visudo command).
      %admin ALL=(ALL) ALL
      %sysadmin ALL=NOPASSWD: ALL
      

    1. Edit the file /etc/ldap/ldap.conf and make sure the following lines have these values (add them if they are missing):
      TLS_CACERT	/etc/ssl/certs/cacert.pem
      TLS_REQCERT     never
      
      then restart the ldap daemon with:
      /etc/init.d/slapd restart
      

    Import initial GENI LDAP content

    Next we will import initial content consisting of first groups and accounts that will be used as administrators for the range of services. The deployment assumes the following delegated accounting structure: users are organized into groups based on their organization or project (or in LDAP terms organizational units (OUs)). Each group can have number of administrators (or users with group management capabilities) but has to have one person who is the main administrator for the OU (the principal investigator - PI). While most of the account management is performed through Control Panel functions, the initial site administrator and the first OU need to be added to LDAP manually. This can be done through phpldapadmin or through LDIF configuration file and command line tools. The LDIF config for initial import looks like:

    dn: ou=GENI,dc=geni,dc=rutgers,dc=edu
    objectClass: organizationalUnit
    objectClass: top
    ou: GENI
    description: GENI
    businessCategory: Academic
    
    dn: cn=GENI,ou=GENI,dc=geni,dc=rutgers,dc=edu
    objectClass: posixGroup
    cn: GENI
    memberUid: globaladmin
    gidNumber: 1001
    
    dn: uid=globaladmin,ou=GENI,dc=geni,dc=rutgers,dc=edu
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: hostObject
    objectClass: shadowAccount
    objectClass: organizationalPerson
    uid: globaladmin
    sn: admin
    givenName: global
    cn: global admin
    uidNumber: 1000
    gidNumber: 1001
    loginShell: /bin/bash
    homeDirectory: /home/globaladmin
    shadowExpire: -1
    shadowFlag: 0
    shadowWarning: 7
    shadowMin: 8
    shadowMax: 999999
    shadowLastChange: 10877
    mail: ivan@example.org
    userPassword: password
    o: GENI
    host: null.orbit-lab.org
    
    dn: cn=GENI-admin,ou=GENI,dc=geni,dc=rutgers,dc=edu
    objectClass: posixGroup
    cn: GENI-admin
    memberUid: globaladmin
    gidNumber: 1002
    
    dn: cn=admin,ou=GENI,dc=geni,dc=rutgers,dc=edu
    objectClass: organizationalRole
    objectClass: top
    cn: admin
    roleOccupant: uid=globaladmin,ou=GENI,dc=geni,dc=rutgers,dc=edu
    

    Typically you will need to replace:

    1. Every occurrence of DN base in the file (i.e. do a global replace of dc=geni,dc=net with corresponding DN e.g. dc=geni,dc=rutgers,dc=edu as was done in the example above)
    2. Initial group/organization name (i.e. do a global replace of GENI with the group name e.g. Rutgers)
    3. Personalize administrator account entries under 'sn:,givenName:,mail: and userPassword:
    4. (optional) Initial administrator account user id (i.e. replace every occurrence of globaladmin with say ruadmin)

    Any person that is a member of sysadmin group in LDAP and admin group in /etc/omf-aggmgr-5.4/ogs-aggmgr.yaml will be able to use Control Panel to manage ALL accounts.

    In order to create initial LDAP structure:

    • Download the protoype configuration file from this link (it can go anywhere, e.g. admin user's home directory):
        wget http://wimax.orbit-lab.org/raw-attachment/wiki/WiMAX/dSite/e0LDAP/GENIinit.ldif
      
    • Modify it with your favorite text editor according to the rules described prior.
    • Finally import it into LDAP (Note: change the value of the -D flag in the command below to reflect your domain):
      ldapadd -vvv -x -D cn=admin,dc=geni,dc=net -H ldap:/// -W -f GENIinit.ldif
      
      You will be prompted for the LDAP password you specified during installation.

    Attachments (1)

    Download all attachments as: .zip

    Note: See TracWiki for help on using the wiki.