wiki:dSite/e0LDAP
close Warning: Can't synchronize with repository "(default)" (/common/SVN/wimax does not appear to be a Subversion repository.). Look in the Trac log for more information.

Version 9 (modified by seskar, 5 years ago) (diff)

--

Configure LDAP

These instructions assume that the FQDN is console.geni.net and that (based on FQDN) LDAP DN base is dc=geni,dc=net.

Table of Contents

    Setting up LDAP server

    1. Create file /etc/ssl/geni-site-ca.info with:
      cn = GENI WiMAX Company
      ca
      cert_signing_key
      
    2. Create file /etc/ssl/geni-site-console.info with (please change console.geni.net to match your FQDN):
      organization = Example Company
      cn = console.geni.net
      tls_www_server
      encryption_key
      signing_key
      expiration_days = 3650
      
    3. Execute the following command to create SSL certificates:
      /usr/sbin/create_ldap_certificates.sh
      
    4. Create LDIF file for our newly created certificates in the file named /etc/ssl/geni-cert-info.ldif:
      dn: cn=config
      add: olcTLSCACertificateFile
      olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
      -
      add: olcTLSCertificateFile
      olcTLSCertificateFile: /etc/ssl/certs/console_slapd_cert.pem
      -
      add: olcTLSCertificateKeyFile
      olcTLSCertificateKeyFile: /etc/ssl/private/console_slapd_key.pem
      

    and then execute:

    ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ssl/geni-cert-info.ldif
    

    The expected output is:

    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    modifying entry "cn=config"
    
    1. Fix the configuration for newly create LDAP for phpldapadmin by editing /etc/phpldapadmin/config.php and changing dc=example,dc=com to dc=geni,dc=net
      $servers->setValue('server','base',array('dc=geni,dc=net'));
      $servers->setValue('login','bind_id','cn=admin,dc=geni,dc=net');
      
    2. Point the Firefox web browser to http://<console-ip-address>/phpldapadmin. Set password for group admin user (add attribute -> Password -> set password -> update object)
    3. Make sure you can access the service with admin credentials:
         ldapsearch -x   -b "dc=geni,dc=net"  "objectClass=organizationalRole"
         ldapsearch -x   -b "dc=geni,dc=net"  "objectClass=organizationalUnit"
         ldapsearch -x   -b "dc=geni,dc=net"  "objectclass=organizationalUnit"
         ldapsearch -x   -b "dc=geni,dc=net"  "objectClass=posixGroup"
         ldapsearch -x localhost -D "cn=admin,dc=geni,dc=net" -W -b "dc=geni,dc=net" uid=*
      

    Import initial LDAP content

    Import initial content consisting of first group and account that will be used as administrators for the range of services. The deployment assumes the following delegated accounting structure: users are organized into groups based on their organization or project (or in LDAP terms organizational units (OUs)). Each group can have number of administrators (or users with group management capabilities) but has to have one person who is the main administrator for the OU (the principal investigator - PI). While most of the account management is performed through Control Panel functions, the initial site administrator and the first OU need to be added to LDAP manually. That could be done through phpldapadmin or through LDIF configuration file and command line tools. LDIF config for initial import:

    dn: ou=GENI,dc=geni,dc=net
    objectClass: organizationalUnit
    objectClass: top
    structuralObjectClass: organizationalUnit
    ou: GENI
    description: GENI
    businessCategory: Academic
    
    dn: cn=GENI,ou=GENI,dc=geni,dc=net
    objectClass: posixGroup
    cn: GENI
    memberUid: globaladmin
    gidNumber: 1001
    
    dn: uid=globaladmin,ou=GENI,dc=geni,dc=net
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: hostObject
    objectClass: shadowAccount
    objectClass: organizationalPerson
    structuralObjectClass: inetOrgPerson
    uid: globaladmin
    sn: admin
    givenName: global
    cn: global admin
    uidNumber: 1000
    gidNumber: 1001
    loginShell: /bin/bash
    homeDirectory: /home/globaladmin
    shadowExpire: -1
    shadowFlag: 0
    shadowWarning: 7
    shadowMin: 8
    shadowMax: 999999
    shadowLastChange: 10877
    mail: ivan@example.org
    userPassword: password
    o: GENI
    host: null.orbit-lab.org
    
    dn: cn=GENI-admin,ou=GENI,dc=geni,dc=net
    objectClass: posixGroup
    cn: GENI-admin
    memberUid: globaladmin
    gidNumber: 1002
    
    dn: cn=admin,ou=GENI,dc=geni,dc=net
    objectClass: organizationalRole
    objectClass: top
    cn: admin
    structuralObjectClass: organizationalRole
    roleOccupant: uid=globaladmin,ou=GENI,dc=geni,dc=net
    

    Typically one needs to replace:

    1. Every occurrence of DN base in the file (i.e. do a global replace of dc=geni,dc=net with corresponding DN e.g. dc=rutgers,dc=edu)
    2. Initial group/organization name (i.e. do a global replace of GENI with the group name e.g. Rutgers)
    3. Personalize administrator account entries under 'sn:,givenName:,mail: and userPassword:
    4. (optional) Initial administrator account user id (i.e. replace every occurrence of globaladmin with say ruadmin)

    Also, any person that is a member of sysadmin group in LDAP and admin group in /etc/omf-aggmgr-5.4/ogs-aggmgr.yaml will be able to use Control Panel to manage ALL accounts.

    In order to create initial LDAP structure:

    • Grab the initial configuration file that is attached to this page:
        wget http://wimax.orbit-lab.org/raw-attachment/wiki/WiMAX/dSite/e0LDAP/GENIinit.ldif
      
    • Modify it with your favorite editor
    • Import it into LDAP:
         ldapadd -vvv -x -D cn=admin,dc=geni,dc=net -H ldap:/// -W -f GENIinit.ldif
      

    Attachments (1)

    Download all attachments as: .zip