FedFsOpenLdapServer0.9

From Linux NFS

Revision as of 22:00, 1 October 2012 (view source) Chucklever (Talk | contribs) (→Configuring an OpenLDAP server for use with FedFS) ← Older edit		Revision as of 22:50, 1 October 2012 (view source) Chucklever (Talk | contribs) (→Uninstalling) Newer edit →
Line 24:		Line 24:
	# systemctl stop slapd.service		# systemctl stop slapd.service
		+	# systemctl disable slapd.service
	# rm -rf /etc/openldap /var/lib/ldap		# rm -rf /etc/openldap /var/lib/ldap

---

Revision as of 22:50, 1 October 2012

Contents 1 Project: fedfs-utils 1.1 Configuring an OpenLDAP server for use with FedFS 1.1.1 Uninstalling 1.1.2 Networking pre-requisites 1.1.3 Install OpenLDAP server package 1.1.4 Install the fedfs schema 1.1.5 Create an encrypted administrator password 1.1.6 Configure the LDAP server 1.1.7 Create an entry for the dc naming context 1.1.8 Configure logging 1.1.9 Start the server

Project: fedfs-utils

[ Project Home | News | Downloads | Docs | Mailing Lists | Source Control | Issues ]

---

Configuring an OpenLDAP server for use with FedFS

These instructions are useful with Fedora 16 and following.

A reference web article:

 http://docs.fedoraproject.org/en-US/Fedora/15/html/Deployment_Guide/ch-Directory_Servers.html

Uninstalling

If at any point you find the need to erase everything and start over, use:

# systemctl stop slapd.service
# systemctl disable slapd.service
# rm -rf /etc/openldap /var/lib/ldap

# yum erase openldap-servers openldap-clients

This removes all slapd instances and software.

Networking pre-requisites

Unless this LDAP server installation will be accessed only via localhost, the hosting OS must be assigned a fixed IP address with a consistent forward and reverse DNS mapping.

On some RH-based distributions, networking doesn't start until a user logs in on the console. If this is the case, configure the system's network to start automatically.

By default on modern RH-based distributions, an IP-based firewall is enabled during a typical install. Allow other systems to access the LDAP service on this machine by adjusting the firewall configuration. On Fedora 16, the firewall configurator is at Applications -> Other -> Firewall. You can poke a hole for LDAP in the "Other Ports" section. Be sure to open "ldap," "ldaps," and "ldap-admin." Or disable the firewall entirely if you are sure that's safe to do.

Install OpenLDAP server package

After installing, updating, and configuring Fedora, install the OpenLDAP server components with:

# yum install openldap openldap-clients openldap-servers

This command adds a new UID and GID, which is user and group "ldap", (55, 55).

Copy in the DB_CONFIG file (why doesn't the package install do this automatically?)

# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
# chown ldap.ldap /var/lib/ldap/DB_CONFIG

Install the fedfs schema

Extract the FedFS schema from the LDAP/NSDB draft. Copy the result to /etc/openldap/schema/fedfs.schema. Ensure that the security context, group, owner, and mode bits match the other files in this directory. See also:

 http://www.openldap.org/doc/admin/schema.html

or

 http://www.zytrax.com/books/ldap/ch6/slapd-config.html

Create an encrypted administrator password

This step generates the value of the LDAP administrator password, but doesn't actually set it. The purpose of this step is to ensure that the password is stored by LDAP as an encrypted value.

$ slappasswd
New password:
Re-enter new password:
{SSHA}MP0BeMJzmCoCi5olBhwcRDYJaGBFgN5K

Copy the final encrypted output (e.g. {SSHA}MP0BeMJzmCoCi5olBhwcRDYJaGBFgN5K) for use below.

For an NSDB that will be used during testing events on secure networks, an easy-to-type well-known administrator password is advised. "test123" or "cthon201x" are typical values. Otherwise, a stronger password is recommended.

Generally, separate passwords are created for "cn=config" and the entity that administers the dc=example,dc=net DIT. Repeat the steps above to generate a second password, if desired.

Configure the LDAP server

Install the sample configuration file

# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf

Edit this file:

1. Just after "database config", add:
   1. rootdn "cn=admin,cn=config"
   2. rootpw <your hashed PW created above>
2. Replace "dc=my-domain,dc=com" everywhere with your local domain name
3. Just after "database hdb", add:
   1. rootdn "cn=Manager,dc=your-domain,dc=net"
   2. rootpw <your hashed password created above>
4. Merge the FedFS schema
   1. Either add an include directive for the fedfs.schema file added above
   2. Or use the LDAP OLC configuration tool in fedfs-utils/contrib/ldap to add the schema dynamically after the server is running

Test the new configuration:

# slaptest -u -f /etc/openldap/slapd.conf

Correct any errors before continuing. Then build the new configuration:

# cd /etc/openldap
# rm -rf slapd.d/*
# slaptest -f ./slapd.conf -F ./slapd.d
# mv slapd.conf slapd.conf.bak
# chown -R ldap:ldap ./slapd.d

Create an entry for the dc naming context

slapd must be stopped. Edit the file /tmp/ldif and add only these lines:

dn: dc=your-domain,dc=net objectClass: domain dc: your-domain

Then run these commands:

# slapadd -l /tmp/ldif
# chown -R ldap:ldap /var/lib/ldap

[ Note that 389-ds creates this entry automatically during the installation procedure. ]

Configure logging

First:

# touch /var/log/slapd
# chown ldap:ldap /var/log/slapd

Edit /etc/rsyslog.conf and add a line like this: "local4.* /var/log/slapd" and restart rsyslogd.

In /etc/sysconfig/ldap, uncomment the SLAPD_OPTIONS line, and add "-s ###" where the ### is some set of or'd flags indicating what you'd like logged. Restart slapd.

Start the server

To start the server once:

# systemctl start slapd.service

To start the server automatically during system boot:

# systemctl enable slapd.service

To stop the server once:

# systemctl stop slapd.service

To prevent the server from starting during system boot:

# systemctl disable slapd.service