|Version 6 (modified by 6 years ago) ( diff ),|
These instructions assume that the FQDN is console.geni.net and that (based on FQDN) LDAP DN base is dc=geni,dc=net.
Table of Contents
Setting up LDAP server
- Create file /etc/ssl/geni-site-ca.info with:
cn = GENI WiMAX Company ca cert_signing_key
- Create file /etc/ssl/geni-site-console.info with (please change console.geni.net to match your FQDN):
organization = Example Company cn = console.geni.net tls_www_server encryption_key signing_key expiration_days = 3650
- Execute the following command to create SSL certificates:
- Create LDIF file for our newly created certificates in the file named /etc/ssl/geni-cert-info.ldif:
dn: cn=config add: olcTLSCACertificateFile olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem - add: olcTLSCertificateFile olcTLSCertificateFile: /etc/ssl/certs/console_slapd_cert.pem - add: olcTLSCertificateKeyFile olcTLSCertificateKeyFile: /etc/ssl/private/console_slapd_key.pem
and then execute:
ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ssl/geni-cert-info.ldif
The expected output is:
SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "cn=config"
- Fix the configuration for newly create LDAP for phpldapadmin by editing /etc/phpldapadmin/config.php and changing dc=example,dc=com to dc=geni,dc=net
- Point the Firefox web browser to http://<console-ip-address>/phpldapadmin. Set password for group admin user (add attribute → Password → set password → update object)
- Import initial content (first group and account that will be used as administrators for the Control Panel service): This is a brief reasoning behind the entries in the ldif file. Please change the file as per your organizational needs.
Each organizational unit(ou) has a PI who is the admin for the OU and a group which has all the accounts for the OU. So that is why your first organization and first acount have to conform to such a structure. OU admin can only manage accounts for that organization.
Any person that is a member of sysadmin group in LDAP and admin group in ogs-aggmgr.yaml will be able to use Control Panel to manage ALL accounts
ldapadd -vvv -x -D cn=admin,dc=geni,dc=net -H ldap:/// -W -f init.ldif
- Make sure you can access the service with admin credentials:
ldapsearch -x -b "dc=geni,dc=net" "objectClass=organizationalRole" ldapsearch -x -b "dc=geni,dc=net" "objectClass=organizationalUnit" ldapsearch -x -b "dc=geni,dc=net" "objectclass=organizationalUnit" ldapsearch -x -b "dc=geni,dc=net" "objectClass=posixGroup" ldapsearch -x localhost -D "cn=admin,dc=geni,dc=net" -W -b "dc=geni,dc=net" uid=*