Version 2 (modified by seskar, 10 years ago)

Configure LDAP

We will assume that the FQDN-based base DN is dc=geni,dc=net

    Setting up LDAP server

    These steps still need to be cleaned up: all the necessary files are copied over, so nothing here should be needed.

    1. Edit /etc/ldap.conf
      1. Check that you have a proper URI (around line 30):
        uri ldap://console.geni.net/
        
      2. Uncomment the line for the host attribute, so that pam_ldap only admits users whose entry lists this host in its host attribute (the attribute comes from the ldapns schema added below):
        pam_check_host_attr yes
        
    2. Add these two schemas to your LDAP server by copying them into the cn=config schema directory (/etc/ldap/slapd.d/cn=config/cn=schema). openssh-lpk provides the ldapPublicKey object class with the sshPublicKey attribute; ldapns provides the hostObject object class with the host attribute that pam_check_host_attr consults. Restart slapd afterwards so it reads the new files.
      cd  /etc/ldap/slapd.d/cn\=config/cn\=schema
      wget http://wimax.orbit-lab.org/mmm/cn={4}openssh-lpk-opnldap.ldif
      wget http://www.orbit-lab.org/mmm/cn={5}ldapns.ldif
      
    3. Import the initial group and user
      cd /etc/ldap
      wget http://www.orbit-lab.org/mmm/cn={5}ldapns.ldif
      ldapadd -vvv -x -D cn=admin,dc=geni,dc=net -H ldap:/// -W -f init.ldif
      
      (ldapadd reads init.ldif from the current directory; the wget line above fetches the ldapns schema file again, so make sure init.ldif itself is in /etc/ldap before running it.)
      
    4. Fix the phpldapadmin configuration:
      edit /etc/phpldapadmin/config.php and change dc=example,dc=com to dc=geni,dc=net
      
      $servers->setValue('server','base',array('dc=geni,dc=net'));
      $servers->setValue('login','bind_id','cn=admin,dc=geni,dc=net');
      
    5. Point a web browser to http://<ip>/phpldapadmin and set the password for the group admin user (add attribute → Password → set password → update object). The admin bind password is sent over plain HTTP here, so do this from a trusted network or put phpldapadmin behind HTTPS.
    6. Make sure the directory answers anonymous searches and that an admin bind works (the first three searches are anonymous; the last one binds as admin with -D/-W, and the host must be given with -H, otherwise ldapsearch treats it as the search filter):
         ldapsearch -x   -b "dc=geni,dc=net"  "objectClass=organizationalRole"
         ldapsearch -x   -b "dc=geni,dc=net"  "objectClass=organizationalUnit"
         ldapsearch -x   -b "dc=geni,dc=net"  "objectClass=posixGroup"
         ldapsearch -x -H ldap://localhost -D "cn=admin,dc=geni,dc=net" -W -b "dc=geni,dc=net" "uid=*"
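The import step above runs ldapadd on an init.ldif whose contents the page does not show. The script below is an added example, not a file from the original page or from the ORBIT/GENI project: it generates such a file for the dc=geni,dc=net base using the two schemas added in step 2, and checks every posixAccount entry before import, because an account without a host attribute is rejected at login once pam_check_host_attr is on, and an entry carrying host or sshPublicKey without the matching object class is rejected by slapd as a schema violation. The group name sysadmin, the user jdoe, the uid/gid 2000, the host console.geni.net and the SSH key are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not from the original page: builds the init.ldif that the
# ldapadd step expects and checks it before importing. The user entry uses the
# two schemas added in step 2: ldapPublicKey/sshPublicKey (openssh-lpk) and
# hostObject/host (ldapns), the latter being what pam_check_host_attr consults.
# Assumptions not on the page: group "sysadmin" (gid 2000), user "jdoe"
# (uid 2000), host console.geni.net and a placeholder SSH public key.

BASE="dc=geni,dc=net"

# Emit the LDIF: two OUs, one posixGroup and one user. No userPassword is set
# here; the page has that done through phpldapadmin afterwards.
gen_init_ldif() {
    cat <<EOF
dn: ou=People,${BASE}
objectClass: organizationalUnit
ou: People

dn: ou=Groups,${BASE}
objectClass: organizationalUnit
ou: Groups

dn: cn=sysadmin,ou=Groups,${BASE}
objectClass: posixGroup
cn: sysadmin
gidNumber: 2000
memberUid: jdoe

dn: uid=jdoe,ou=People,${BASE}
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: ldapPublicKey
objectClass: hostObject
uid: jdoe
cn: Jane Doe
sn: Doe
uidNumber: 2000
gidNumber: 2000
homeDirectory: /home/jdoe
loginShell: /bin/bash
host: console.geni.net
sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYREPLACEME jdoe@console
EOF
}

# Read LDIF on stdin and check every posixAccount entry: without a host
# attribute pam_check_host_attr denies the login; without hostObject or
# ldapPublicKey slapd rejects the entry as a schema violation. Prints each
# problem with its dn and returns 1 if any were found, 0 otherwise.
check_ldif() {
    awk '
    function flush() {
        if (acct) {
            if (!hobj) { print "missing objectClass hostObject: " dn; bad = 1 }
            if (!host) { print "missing host attribute: " dn; bad = 1 }
            if (!lpk)  { print "missing objectClass ldapPublicKey: " dn; bad = 1 }
            if (!key)  { print "missing sshPublicKey: " dn; bad = 1 }
        }
        acct = 0; hobj = 0; host = 0; lpk = 0; key = 0
    }
    /^dn: / { flush(); dn = substr($0, 5) }
    /^objectClass: posixAccount$/  { acct = 1 }
    /^objectClass: hostObject$/    { hobj = 1 }
    /^objectClass: ldapPublicKey$/ { lpk = 1 }
    /^host: /                      { host = 1 }
    /^sshPublicKey: /              { key = 1 }
    END { flush(); exit bad }
    '
}

# Number of entries (dn: lines) in the generated LDIF.
count_entries() {
    gen_init_ldif | grep -c '^dn: '
}

# Usage on the server: sh init-ldif.sh --write   (then run the ldapadd line above)
if [ "${1:-}" = "--write" ]; then
    gen_init_ldif | check_ldif || exit 1
    gen_init_ldif > /etc/ldap/init.ldif
fi
```

Run it with --write on the server, then the ldapadd command from step 3; the check refuses to write the file if any account is missing the attributes that the PAM host check and the slapd schema require.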
      

    Configure the client

    1. Edit the /etc/ldap.conf file to configure the LDAP client. rootbinddn makes nss_ldap bind as the admin, using the password from /etc/ldap.secret, whenever the calling process runs as root; with a plain ldap:// URI that password crosses the network in clear text, so on a real deployment use ldaps:// or add "ssl start_tls". pam_password md5 hashes changed passwords with MD5 on the client before storing them; pam_password exop lets the server hash them with its own scheme instead.
          base dc=geni,dc=net
          uri ldap://ldap.geni.net/
          ldap_version 3
          binddn
          rootbinddn cn=admin,dc=geni,dc=net
          pam_password md5
          nss_initgroups_ignoreusers backup,bin,daemon,games,gnats,irc,libuuid,libvirt-qemu,list,lp,mail,man,messagebus,news,ntp,postfix,proxy,root,sshd,statd,sync,sys,syslog,usbmux,uucp,www-data
      
    2. The /etc/nsswitch.conf file should have the following non-comment lines (shadow stays on files, so password hashes are never served through NSS; pam_ldap authenticates users by binding to the directory instead):
          passwd:         files ldap compat
          group:          files ldap compat
          shadow:         files compat
      
          hosts:          files dns
          networks:       files
      
          protocols:      db files
          services:       db files
          ethers:         db files
          rpc:            db files
      
          netgroup:       nis
      
    3. Copy or create the /etc/ldap.secret file. It must contain the LDAP admin password in clear text, so it must be owned by root and mode 0600: anyone else who can read it holds the directory's admin credentials.
    4. Finally add the following lines to the /etc/sudoers file (edit it with the visudo command). These groups are resolved from LDAP, so whoever can change memberUid on them in the directory decides who gets root on this host, and the NOPASSWD rule means no password is asked at all.
          %admin ALL=(ALL) ALL
          %sysadmin ALL=NOPASSWD: ALL
      

    This has to be done manually.
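Before putting a client configured as above on the network, it is worth checking the four files together. The script below is an added example, not part of the original page or of the ORBIT/GENI tooling: it audits a directory containing ldap.conf, nsswitch.conf, ldap.secret and sudoers (/etc on a live host) and reports FAIL for settings that expose the rootbinddn password (a clear-text ldap:// URI without start_tls, a world-readable or empty ldap.secret, a passwd or group line that does not consult ldap) and WARN for settings that widen access (pam_check_host_attr off, pam_password md5, NOPASSWD for an LDAP group). The make_sample function writes constructed copies of the page's settings, and its "hardened" variant adds "ssl start_tls", which is an assumption of this example rather than something the page configures.

```shell
#!/bin/sh
# Added example, not part of the original page: audits an LDAP client
# configured as described above. It takes a directory holding ldap.conf,
# nsswitch.conf, ldap.secret and sudoers (use /etc on a live host), prints
# FAIL for settings that expose the rootbinddn password and WARN for settings
# that widen access, and returns the number of FAILs. The files written by
# make_sample are constructed here, not copied from any host; the "hardened"
# variant adds "ssl start_tls", which is an assumption of this example.

# Print the value of a keyword from a pam_ldap/nss_ldap style ldap.conf
# (first match, keyword compared case-insensitively).
conf_value() {  # conf_value <file> <keyword>
    awk -v k="$2" 'tolower($1) == tolower(k) { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Audit one directory. Prints findings; returns the number of FAILs.
check_client_config() {  # check_client_config <dir>
    dir=$1; fail=0; conf="$dir/ldap.conf"

    # 1. ldap.conf: required keywords, and a transport that protects the bind.
    for key in base uri rootbinddn; do
        [ -n "$(conf_value "$conf" "$key")" ] \
            || { echo "FAIL: $key missing in $conf"; fail=$((fail + 1)); }
    done
    uri=$(conf_value "$conf" uri)
    case "$uri" in
        ldaps://*|ldapi://*) ;;
        ldap://*)
            [ "$(conf_value "$conf" ssl)" = "start_tls" ] || {
                echo "FAIL: rootbinddn password travels in clear over $uri; use ldaps:// or 'ssl start_tls'"
                fail=$((fail + 1)); } ;;
        *) echo "FAIL: unrecognised uri '$uri'"; fail=$((fail + 1)) ;;
    esac
    [ "$(conf_value "$conf" pam_check_host_attr)" = "yes" ] \
        || echo "WARN: pam_check_host_attr is not yes; any LDAP user may log in on this host"
    [ "$(conf_value "$conf" pam_password)" = "md5" ] \
        && echo "WARN: pam_password md5 stores client-side MD5 hashes; 'exop' lets the server hash"

    # 2. nsswitch.conf: passwd and group must consult ldap.
    for db in passwd group; do
        grep -Eq "^[[:space:]]*$db:.*[[:space:]]ldap([[:space:]]|$)" "$dir/nsswitch.conf" \
            || { echo "FAIL: nsswitch.conf $db line does not list ldap"; fail=$((fail + 1)); }
    done

    # 3. ldap.secret: non-empty and readable by root only (it is the admin password).
    sec="$dir/ldap.secret"
    if [ ! -s "$sec" ]; then
        echo "FAIL: $sec missing or empty"; fail=$((fail + 1))
    elif [ "$(ls -l "$sec" | cut -c1-10)" != "-rw-------" ]; then
        echo "FAIL: $sec must be mode 0600, found $(ls -l "$sec" | cut -c1-10)"; fail=$((fail + 1))
    fi

    # 4. sudoers: %group rules resolve through LDAP, so whoever edits memberUid
    #    in the directory controls root here; NOPASSWD removes the last prompt.
    grep -Eq '^%[A-Za-z0-9_-]+[[:space:]].*NOPASSWD' "$dir/sudoers" \
        && echo "WARN: NOPASSWD rule for an LDAP-resolved group in $dir/sudoers"
    return "$fail"
}

# Write a constructed sample tree with the settings from this page; with
# "hardened" as second argument, add ssl start_tls so the bind is protected.
make_sample() {  # make_sample <dir> [hardened]
    mkdir -p "$1"
    {
        echo "base dc=geni,dc=net"
        echo "uri ldap://ldap.geni.net/"
        if [ "${2:-}" = "hardened" ]; then echo "ssl start_tls"; fi
        echo "ldap_version 3"
        echo "rootbinddn cn=admin,dc=geni,dc=net"
        echo "pam_password md5"
        echo "pam_check_host_attr yes"
    } > "$1/ldap.conf"
    printf 'passwd:\tfiles ldap compat\ngroup:\tfiles ldap compat\nshadow:\tfiles compat\n' \
        > "$1/nsswitch.conf"
    echo "example-admin-password" > "$1/ldap.secret"   # constructed, not a real secret
    chmod 600 "$1/ldap.secret"
    printf '%%admin ALL=(ALL) ALL\n%%sysadmin ALL=NOPASSWD: ALL\n' > "$1/sudoers"
}

# Usage on a live client: sh check-ldap-client.sh /etc
if [ -n "${1:-}" ] && [ -d "$1" ]; then
    check_client_config "$1"
    exit $?
fi
```

Against the settings exactly as the page gives them the audit reports one FAIL (the clear-text ldap:// URI) and three WARNs; with "ssl start_tls" added it passes, and it fails again as soon as ldap.secret is made readable by anyone other than root.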
