FedFsOpenLdapServer0.8
From Linux NFS
Chucklever (Talk | contribs) (Created page with "== Project: fedfs-utils == [ Project Home | News | Downloads | Docs | [[FedFsUtilsMailingList...") |
Chucklever (Talk | contribs) (→Configuring an OpenLDAP server for use with FedFS) |
||
(3 intermediate revisions not shown) | |||
Line 15: | Line 15: | ||
The purpose of this article is to provide recipes for quickly setting up an NSDB service on an OpenLDAP server. If you are already familiar with OpenLDAP or have existing servers, browse this article to get a flavor for what is needed. Otherwise, follow the specific steps here to install and configure an NSDB. | The purpose of this article is to provide recipes for quickly setting up an NSDB service on an OpenLDAP server. If you are already familiar with OpenLDAP or have existing servers, browse this article to get a flavor for what is needed. Otherwise, follow the specific steps here to install and configure an NSDB. | ||
- | These instructions are useful with Fedora 16 and | + | These instructions are useful with Fedora 16 and newer. |
A reference web article: [http://docs.fedoraproject.org/en-US/Fedora/15/html/Deployment_Guide/ch-Directory_Servers.html] | A reference web article: [http://docs.fedoraproject.org/en-US/Fedora/15/html/Deployment_Guide/ch-Directory_Servers.html] | ||
Line 37: | Line 37: | ||
On some RH-based distributions, networking doesn't start until a user logs in on the console. If this is the case, configure the system's network to start automatically. | On some RH-based distributions, networking doesn't start until a user logs in on the console. If this is the case, configure the system's network to start automatically. | ||
- | By default on modern RH-based distributions, an IP-based firewall is enabled during a typical install. Allow other systems to access the LDAP service on this machine by adjusting the firewall configuration. On Fedora 16, the firewall configurator is at Applications -> Other -> Firewall. You can poke a hole for LDAP in the "Other Ports" section | + | By default on modern RH-based distributions, an IP-based firewall is enabled during a typical install. Allow other systems to access the LDAP service on this machine by adjusting the firewall configuration. On Fedora 16, the firewall configurator is at Applications -> Other -> Firewall. You can poke a hole for LDAP in the "Other Ports" section by opening the "ldap" port. Or disable the firewall entirely if you are sure that's safe to do. |
== Install the OpenLDAP server software == | == Install the OpenLDAP server software == | ||
Line 71: | Line 71: | ||
Generally, separate passwords are created for "cn=config" and the entity that administers the DIT under dc=... . Repeat the steps above to generate a second password, if desired. | Generally, separate passwords are created for "cn=config" and the entity that administers the DIT under dc=... . Repeat the steps above to generate a second password, if desired. | ||
- | == | + | == Install the fedfs schema == |
Copy the FedFS schema from fedfs-utils-0.8/doc/ldap/fedfs.schema to /etc/openldap/schema/fedfs.schema on your LDAP server. | Copy the FedFS schema from fedfs-utils-0.8/doc/ldap/fedfs.schema to /etc/openldap/schema/fedfs.schema on your LDAP server. | ||
+ | |||
+ | == Configure the LDAP server == | ||
Install the sample configuration file | Install the sample configuration file | ||
Line 116: | Line 118: | ||
# sudo -u ldap slapadd -l /tmp/ldif | # sudo -u ldap slapadd -l /tmp/ldif | ||
- | == Create | + | == Create initial entries under the domain root suffix == |
The LDAP server configuration process automatically creates a dc-style root suffix, and we can use that here. We'll assume your LDAP server's domain name is example.net. Delete then edit the file /tmp/ldif and add only these lines: | The LDAP server configuration process automatically creates a dc-style root suffix, and we can use that here. We'll assume your LDAP server's domain name is example.net. Delete then edit the file /tmp/ldif and add only these lines: | ||
Line 122: | Line 124: | ||
dn: dc=example,dc=net | dn: dc=example,dc=net | ||
objectClass: domain | objectClass: domain | ||
- | |||
dc: example | dc: example | ||
- | |||
Then run this command: | Then run this command: | ||
Line 168: | Line 168: | ||
# systemctl disable slapd.service | # systemctl disable slapd.service | ||
+ | |||
+ | == Create a FedFS NSDB Container Entry == | ||
+ | |||
+ | On your administrative client, identify your LDAP server as an NSDB. Let's as | ||
+ | |||
+ | # nsdbparams update ldap.example.net | ||
+ | |||
+ | This enables the NSDB client tools to recognize your new LDAP server as an NSDB. Now, identify the entry you just added as the NCE for dc=example,dc=net. This command does the trick: | ||
+ | |||
+ | $ nsdb-update-nci -D "cn=Directory Manager" -l ldap.example.net -e ou=fedfs,dc=example,dc=net |
Latest revision as of 22:51, 23 November 2012
Project: fedfs-utils
[ Project Home | News | Downloads | Docs | Mailing Lists | Source Control | Issues ]
Configuring an OpenLDAP server for use with FedFS
The purpose of this article is to provide recipes for quickly setting up an NSDB service on an OpenLDAP server. If you are already familiar with OpenLDAP or have existing servers, browse this article to get a flavor for what is needed. Otherwise, follow the specific steps here to install and configure an NSDB.
These instructions are useful with Fedora 16 and newer.
A reference web article: [1]
Uninstalling
If at any point you find the need to erase everything and start over, use:
# systemctl stop slapd.service # systemctl disable slapd.service # rm -rf /etc/openldap /var/lib/ldap
# yum erase openldap-servers openldap-clients
This removes all slapd instances and software.
Networking pre-requisites
Unless this LDAP server installation will be accessed only via localhost, the hosting OS must be assigned a fixed IP address with a consistent forward and reverse DNS mapping.
On some RH-based distributions, networking doesn't start until a user logs in on the console. If this is the case, configure the system's network to start automatically.
By default on modern RH-based distributions, an IP-based firewall is enabled during a typical install. Allow other systems to access the LDAP service on this machine by adjusting the firewall configuration. On Fedora 16, the firewall configurator is at Applications -> Other -> Firewall. You can poke a hole for LDAP in the "Other Ports" section by opening the "ldap" port. Or disable the firewall entirely if you are sure that's safe to do.
Install the OpenLDAP server software
After installing, updating, and configuring Fedora, install the pre-packaged OpenLDAP server components with:
# yum install openldap openldap-clients openldap-servers
This command adds a new UID and GID, which is user and group "ldap", (55, 55).
Copy in the DB_CONFIG file.
# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG # chown ldap.ldap /var/lib/ldap/DB_CONFIG
The OpenLDAP community recommends building and installing the OpenLDAP server software from source. The source distribution can be found here:
http://www.openldap.org/software/download/
Create an encrypted administrator password
This step generates the value of the LDAP administrator password, but doesn't actually set it. The purpose of this step is to ensure that the password is stored by LDAP as an encrypted value.
$ slappasswd New password: Re-enter new password: {SSHA}MP0BeMJzmCoCi5olBhwcRDYJaGBFgN5K
Copy the final encrypted output (e.g. {SSHA}MP0BeMJzmCoCi5olBhwcRDYJaGBFgN5K) for use below.
For an NSDB that will be used during testing events on secure networks, an easy-to-type well-known administrator password is advised. "test123" or "cthon201x" are typical values. Otherwise, a stronger password is recommended.
Generally, separate passwords are created for "cn=config" and the entity that administers the DIT under dc=... . Repeat the steps above to generate a second password, if desired.
Install the fedfs schema
Copy the FedFS schema from fedfs-utils-0.8/doc/ldap/fedfs.schema to /etc/openldap/schema/fedfs.schema on your LDAP server.
Configure the LDAP server
Install the sample configuration file
# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
Edit this file:
- At the end of the list of include directives at the top of the file, add:
- include /etc/openldap/schema/fedfs.schema
- Just after "database config", add:
- rootdn "cn=admin,cn=config"
- rootpw <your hashed PW created above>
- Replace "dc=my-domain,dc=com" everywhere with your local domain name
- Just after "database hdb", add:
- rootdn "cn=Manager,dc=your-domain,dc=net"
- rootpw <your hashed password created above>
Test the new configuration:
# slaptest -u -f /etc/openldap/slapd.conf
Correct any errors before continuing. Then build the new configuration:
# cd /etc/openldap # rm -rf slapd.d/* ; mkdir slapd.d ; chown ldap.ldap slapd.d # sudo -u ldap slaptest -f ./slapd.conf -F ./slapd.d # mv slapd.conf slapd.conf.bak
Create an entry for the dc naming context
This step creates a standard domain controller entry under the dc=... root suffix you created above. This prepares your new LDAP server for the creation of other entries under this suffix.
slapd must be stopped. On the LDAP server, edit the file /tmp/ldif and add only these lines:
dn: dc=your-domain,dc=net objectClass: domain dc: your-domain
Then run these commands:
# sudo -u ldap slapadd -l /tmp/ldif
Create initial entries under the domain root suffix
The LDAP server configuration process automatically creates a dc-style root suffix, and we can use that here. We'll assume your LDAP server's domain name is example.net. Delete then edit the file /tmp/ldif and add only these lines:
dn: dc=example,dc=net objectClass: domain dc: example
Then run this command:
# sudo -u ldap slapadd -l /tmp/ldif
Now, add the LDAP entry under which FedFS-related records are stored. Delete then edit the file /tmp/ldif and add only these lines:
dn: ou=fedfs,dc=example,dc=net objectClass: organizationalUnit ou: fedfs
And run this command:
# sudo -u ldap slapadd -l /tmp/ldif
Configure logging
First:
# touch /var/log/slapd # chown ldap:ldap /var/log/slapd
Edit /etc/rsyslog.conf and add a line like this: "local4.* /var/log/slapd" and restart rsyslogd.
In /etc/sysconfig/ldap, uncomment the SLAPD_OPTIONS line, and add "-s ###" where the ### is some set of or'd flags indicating what you'd like logged. Log level options are described in slapd.conf(5). A useful level of logging is 768.
Start the server
To start the server once:
# systemctl start slapd.service
To start the server automatically during system boot:
# systemctl enable slapd.service
To stop the server once:
# systemctl stop slapd.service
To prevent the server from starting during system boot:
# systemctl disable slapd.service
Create a FedFS NSDB Container Entry
On your administrative client, identify your LDAP server as an NSDB. Let's as
# nsdbparams update ldap.example.net
This enables the NSDB client tools to recognize your new LDAP server as an NSDB. Now, identify the entry you just added as the NCE for dc=example,dc=net. This command does the trick:
$ nsdb-update-nci -D "cn=Directory Manager" -l ldap.example.net -e ou=fedfs,dc=example,dc=net