wiki:dSite/e0LDAP
close Warning: Can't synchronize with repository "(default)" (/common/SVN/wimax does not appear to be a Subversion repository.). Look in the Trac log for more information.

Version 6 (modified by olivera, 6 years ago) ( diff )

Configure LDAP

These instructions assume that the FQDN is console.geni.net and that (based on FQDN) LDAP DN base is dc=geni,dc=net.

Table of Contents

    Setting up LDAP server

    1. Create file /etc/ssl/geni-site-ca.info with:
      cn = GENI WiMAX Company
      ca
      cert_signing_key
      
    2. Create file /etc/ssl/geni-site-console.info with (please change console.geni.net to match your FQDN):
      organization = Example Company
      cn = console.geni.net
      tls_www_server
      encryption_key
      signing_key
      expiration_days = 3650
      
    3. Execute the following command to create SSL certificates:
      /usr/sbin/create_ldap_certificates.sh
      
    4. Create LDIF file for our newly created certificates in the file named /etc/ssl/geni-cert-info.ldif:
      dn: cn=config
      add: olcTLSCACertificateFile
      olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
      -
      add: olcTLSCertificateFile
      olcTLSCertificateFile: /etc/ssl/certs/console_slapd_cert.pem
      -
      add: olcTLSCertificateKeyFile
      olcTLSCertificateKeyFile: /etc/ssl/private/console_slapd_key.pem
      

    and then execute:

    ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ssl/geni-cert-info.ldif
    

    The expected output is:

    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    modifying entry "cn=config"
    
    1. Fix the configuration for newly create LDAP for phpldapadmin by editing /etc/phpldapadmin/config.php and changing dc=example,dc=com to dc=geni,dc=net
      $servers->setValue('server','base',array('dc=geni,dc=net'));
      $servers->setValue('login','bind_id','cn=admin,dc=geni,dc=net');
      
    2. Point the Firefox web browser to http://<console-ip-address>/phpldapadmin. Set password for group admin user (add attribute → Password → set password → update object)
    3. Import initial content (first group and account that will be used as administrators for the Control Panel service): This is a brief reasoning behind the entries in the ldif file. Please change the file as per your organizational needs.

    Each organizational unit(ou) has a PI who is the admin for the OU and a group which has all the accounts for the OU. So that is why your first organization and first acount have to conform to such a structure. OU admin can only manage accounts for that organization.

    Any person that is a member of sysadmin group in LDAP and admin group in ogs-aggmgr.yaml will be able to use Control Panel to manage ALL accounts ldapadd -vvv -x -D cn=admin,dc=geni,dc=net -H ldap:/// -W -f init.ldif

    1. Make sure you can access the service with admin credentials:
         ldapsearch -x   -b "dc=geni,dc=net"  "objectClass=organizationalRole"
         ldapsearch -x   -b "dc=geni,dc=net"  "objectClass=organizationalUnit"
         ldapsearch -x   -b "dc=geni,dc=net"  "objectclass=organizationalUnit"
         ldapsearch -x   -b "dc=geni,dc=net"  "objectClass=posixGroup"
         ldapsearch -x localhost -D "cn=admin,dc=geni,dc=net" -W -b "dc=geni,dc=net" uid=*
      

    Attachments (1)

    Download all attachments as: .zip

    Note: See TracWiki for help on using the wiki.