FedFsOpenLdapServer0.9

From Linux NFS

(Difference between revisions)
Jump to: navigation, search
m (Create an entry for the dc naming context)
 
(21 intermediate revisions not shown)
Line 11: Line 11:
----
----
-
=== Configuring an OpenLDAP server for use with FedFS ===
+
== Configuring an OpenLDAP server for use with FedFS ==
-
These instructions are useful with Fedora 16 and following.
+
The purpose of this article is to provide recipes for quickly setting up an NSDB service on an OpenLDAP server.  If you are already familiar with OpenLDAP or have existing servers, browse this article to get a flavor for what is needed.  Otherwise, follow the specific steps here to install and configure an NSDB.
-
A reference web article:
+
These instructions are useful with Fedora 16 and newer.
-
  http://docs.fedoraproject.org/en-US/Fedora/15/html/Deployment_Guide/ch-Directory_Servers.html
+
A reference web article:  [http://docs.fedoraproject.org/en-US/Fedora/15/html/Deployment_Guide/ch-Directory_Servers.html]
-
==== Uninstalling ====
+
== Uninstalling ==
If at any point you find the need to erase everything and start over, use:
If at any point you find the need to erase everything and start over, use:
Line 31: Line 31:
This removes all slapd instances and software.
This removes all slapd instances and software.
-
==== Networking pre-requisites ====
+
== Networking pre-requisites ==
Unless this LDAP server installation will be accessed only via localhost, the hosting OS must be assigned a fixed IP address with a consistent forward and reverse DNS mapping.
Unless this LDAP server installation will be accessed only via localhost, the hosting OS must be assigned a fixed IP address with a consistent forward and reverse DNS mapping.
Line 37: Line 37:
On some RH-based distributions, networking doesn't start until a user logs in on the console.  If this is the case, configure the system's network to start automatically.
On some RH-based distributions, networking doesn't start until a user logs in on the console.  If this is the case, configure the system's network to start automatically.
-
By default on modern RH-based distributions, an IP-based firewall is enabled during a typical install.  Allow other systems to access the LDAP service on this machine by adjusting the firewall configuration.  On Fedora 16, the firewall configurator is at Applications -> Other -> Firewall.  You can poke a hole for LDAP in the "Other Ports" section.  Be sure to open "ldap," "ldaps," and "ldap-admin." Or disable the firewall entirely if you are sure that's safe to do.
+
By default on modern RH-based distributions, an IP-based firewall is enabled during a typical install.  Allow other systems to access the LDAP service on this machine by adjusting the firewall configuration.  On Fedora 16, the firewall configurator is at Applications -> Other -> Firewall.  You can poke a hole for LDAP in the "Other Ports" section by opening the "ldap" port.  Or disable the firewall entirely if you are sure that's safe to do.
-
==== Install OpenLDAP server package ====
+
== Install the OpenLDAP server software ==
-
After installing, updating, and configuring Fedora, install the OpenLDAP server components with:
+
After installing, updating, and configuring Fedora, install the pre-packaged OpenLDAP server components with:
  # yum install openldap openldap-clients openldap-servers
  # yum install openldap openldap-clients openldap-servers
Line 47: Line 47:
This command adds a new UID and GID, which is user and group "ldap", (55, 55).
This command adds a new UID and GID, which is user and group "ldap", (55, 55).
-
Copy in the DB_CONFIG file (why doesn't the package install do this automatically?)
+
Copy in the DB_CONFIG file.
  # cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
  # cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
  # chown ldap.ldap /var/lib/ldap/DB_CONFIG
  # chown ldap.ldap /var/lib/ldap/DB_CONFIG
-
==== Install the fedfs schema ====
+
The OpenLDAP community recommends building and installing the OpenLDAP server software from source.  The source distribution can be found [http://www.openldap.org/software/download/ here].
-
Extract the FedFS schema from the LDAP/NSDB draft.  Copy the result to /etc/openldap/schema/fedfs.schema.  Ensure that the security context, group, owner, and mode bits match the other files in this directory.  See also:
+
== Create an encrypted administrator password ==
-
 
+
-
  http://www.openldap.org/doc/admin/schema.html
+
-
 
+
-
or
+
-
 
+
-
  http://www.zytrax.com/books/ldap/ch6/slapd-config.html
+
-
 
+
-
==== Create an encrypted administrator password ====
+
This step generates the value of the LDAP administrator password, but doesn't actually set it.  The purpose of this step is to ensure that the password is stored by LDAP as an encrypted value.
This step generates the value of the LDAP administrator password, but doesn't actually set it.  The purpose of this step is to ensure that the password is stored by LDAP as an encrypted value.
Line 75: Line 67:
For an NSDB that will be used during testing events on secure networks, an easy-to-type well-known administrator password is advised.  "test123" or "cthon201x" are typical values.  Otherwise, a stronger password is recommended.
For an NSDB that will be used during testing events on secure networks, an easy-to-type well-known administrator password is advised.  "test123" or "cthon201x" are typical values.  Otherwise, a stronger password is recommended.
-
Generally, separate passwords are created for "cn=config" and the entity that administers the dc=example,dc=net DIT.  Repeat the steps above to generate a second password, if desired.
+
Generally, separate passwords are created for "cn=config" and the entity that administers the DIT under dc=... .  Repeat the steps above to generate a second password, if desired.
-
==== Configure the LDAP server ====
+
== Configure the LDAP server ==
Install the sample configuration file
Install the sample configuration file
Line 92: Line 84:
## rootdn "cn=Manager,dc=your-domain,dc=net"
## rootdn "cn=Manager,dc=your-domain,dc=net"
## rootpw <your hashed password created above>
## rootpw <your hashed password created above>
-
# Merge the FedFS schema
 
-
## Either add an include directive for the fedfs.schema file added above
 
-
## Or use the LDAP OLC configuration tool in fedfs-utils/contrib/ldap to add the schema dynamically after the server is running
 
Test the new configuration:
Test the new configuration:
Line 103: Line 92:
  # cd /etc/openldap
  # cd /etc/openldap
-
  # rm -rf slapd.d/*
+
  # rm -rf slapd.d/* ; mkdir slapd.d ; chown ldap.ldap slapd.d
-
  # slaptest -f ./slapd.conf -F ./slapd.d
+
  # sudo -u ldap slaptest -f ./slapd.conf -F ./slapd.d
  # mv slapd.conf slapd.conf.bak
  # mv slapd.conf slapd.conf.bak
-
# chown -R ldap:ldap ./slapd.d
 
-
==== Create an entry for the dc naming context ====
+
== Create an entry for the dc naming context ==
-
slapd must be stopped.  Edit the file /tmp/ldif and add only these lines:
+
This step creates a standard domain controller entry under the dc=... root suffix you created above.  This prepares your new LDAP server for the creation of other entries under this suffix.
 +
 
 +
slapd must be stopped.  On the LDAP server, edit the file /tmp/ldif and add only these lines:
  dn: dc=your-domain,dc=net
  dn: dc=your-domain,dc=net
Line 118: Line 108:
Then run these commands:
Then run these commands:
-
  # slapadd -l /tmp/ldif
+
  # sudo -u ldap slapadd -l /tmp/ldif
-
# chown -R ldap:ldap /var/lib/ldap
+
-
[ Note that 389-ds creates this entry automatically during the installation procedure. ]
+
== Configure logging ==
-
 
+
-
==== Configure logging ====
+
First:
First:
Line 132: Line 119:
Edit /etc/rsyslog.conf and add a line like this: "local4.*  /var/log/slapd" and restart rsyslogd.
Edit /etc/rsyslog.conf and add a line like this: "local4.*  /var/log/slapd" and restart rsyslogd.
-
In /etc/sysconfig/ldap, uncomment the SLAPD_OPTIONS line, and add "-s ###" where the ### is some set of or'd flags indicating what you'd like logged.  Restart slapd.
+
In /etc/sysconfig/ldap, uncomment the SLAPD_OPTIONS line, and add "-s ###" where the ### is some set of or'd flags indicating what you'd like logged.  Log level options are described in slapd.conf(5).  A useful level of logging is 768.
-
==== Start the server ====
+
== Start the server ==
To start the server once:
To start the server once:
Line 151: Line 138:
  # systemctl disable slapd.service
  # systemctl disable slapd.service
 +
 +
== Add the FedFS schema ==
 +
 +
Go to your administrative client.  Your new LDAP server must be running for this step.
 +
 +
Use the "add-schema-olc" script in the fedfs-utils/contrib/ldap directory to introduce the FedFS schema.  On the command line, supply the DNS hostname of the new LDAP server and the DN of its cn=config administrator.  If the administrator DN contains blanks, use double-quotes.
 +
 +
  $ ./add-schema-olc ldap.example.net "cn=admin,cn=config"
 +
  Enter LDAP password:
 +
 +
== Create a FedFS NSDB Container Entry ==
 +
 +
On your administrative client, identify your LDAP server as an NSDB.
 +
 +
  # nsdbparams update ldap.hostname.example.net
 +
 +
This enables the NSDB client tools to recognize your new LDAP server as an NSDB.
 +
 +
Now, add the LDAP entry under which all FedFS-related records are stored with the nsdb-simple-nce command.  The LDAP server installation process automatically creates a dc-style root suffix, and we can use that here.  Assuming your new LDAP server's name is "ldap.example.net," this command does the trick:
 +
 +
  $ nsdb-simple-nce -D "cn=Manager,dc=example,dc=net" -l ldap.example.net dc=example,dc=net
 +
  Enter NSDB password:
 +
 +
Note that, here, you need to use the administrative DN for the dc=example,dc=net database, not the cn=config administrator DN.
 +
 +
Confirm the addition with the nsdb-nces command:
 +
 +
  $ nsdb-nces -l ldap.example.net
 +
  NSDB: ldap.example.net:389
 +
    namingContext 'dc=example,dc=net' hosts an NCE at 'ou=fedfs,dc=example,dc=net'.
 +
    namingContext 'o=netscaperoot' does not host an NCE.

Latest revision as of 20:55, 9 January 2013

Contents

Project: fedfs-utils

[ Project Home | News | Downloads | Docs | Mailing Lists | Source Control | Issues ]


Configuring an OpenLDAP server for use with FedFS

The purpose of this article is to provide recipes for quickly setting up an NSDB service on an OpenLDAP server. If you are already familiar with OpenLDAP or have existing servers, browse this article to get a flavor for what is needed. Otherwise, follow the specific steps here to install and configure an NSDB.

These instructions are useful with Fedora 16 and newer.

A reference web article: [1]

Uninstalling

If at any point you find the need to erase everything and start over, use:

# systemctl stop slapd.service
# systemctl disable slapd.service
# rm -rf /etc/openldap /var/lib/ldap
# yum erase openldap-servers openldap-clients

This removes all slapd instances and software.

Networking pre-requisites

Unless this LDAP server installation will be accessed only via localhost, the hosting OS must be assigned a fixed IP address with a consistent forward and reverse DNS mapping.

On some RH-based distributions, networking doesn't start until a user logs in on the console. If this is the case, configure the system's network to start automatically.

By default on modern RH-based distributions, an IP-based firewall is enabled during a typical install. Allow other systems to access the LDAP service on this machine by adjusting the firewall configuration. On Fedora 16, the firewall configurator is at Applications -> Other -> Firewall. You can poke a hole for LDAP in the "Other Ports" section by opening the "ldap" port. Or disable the firewall entirely if you are sure that's safe to do.

Install the OpenLDAP server software

After installing, updating, and configuring Fedora, install the pre-packaged OpenLDAP server components with:

# yum install openldap openldap-clients openldap-servers

This command adds a new UID and GID, which is user and group "ldap", (55, 55).

Copy in the DB_CONFIG file.

# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
# chown ldap.ldap /var/lib/ldap/DB_CONFIG

The OpenLDAP community recommends building and installing the OpenLDAP server software from source. The source distribution can be found here.

Create an encrypted administrator password

This step generates the value of the LDAP administrator password, but doesn't actually set it. The purpose of this step is to ensure that the password is stored by LDAP as an encrypted value.

$ slappasswd
New password:
Re-enter new password:
{SSHA}MP0BeMJzmCoCi5olBhwcRDYJaGBFgN5K

Copy the final encrypted output (e.g. {SSHA}MP0BeMJzmCoCi5olBhwcRDYJaGBFgN5K) for use below.

For an NSDB that will be used during testing events on secure networks, an easy-to-type well-known administrator password is advised. "test123" or "cthon201x" are typical values. Otherwise, a stronger password is recommended.

Generally, separate passwords are created for "cn=config" and the entity that administers the DIT under dc=... . Repeat the steps above to generate a second password, if desired.

Configure the LDAP server

Install the sample configuration file

# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf

Edit this file:

  1. Just after "database config", add:
    1. rootdn "cn=admin,cn=config"
    2. rootpw <your hashed PW created above>
  2. Replace "dc=my-domain,dc=com" everywhere with your local domain name
  3. Just after "database hdb", add:
    1. rootdn "cn=Manager,dc=your-domain,dc=net"
    2. rootpw <your hashed password created above>

Test the new configuration:

# slaptest -u -f /etc/openldap/slapd.conf

Correct any errors before continuing. Then build the new configuration:

# cd /etc/openldap
# rm -rf slapd.d/* ; mkdir slapd.d ; chown ldap.ldap slapd.d
# sudo -u ldap slaptest -f ./slapd.conf -F ./slapd.d
# mv slapd.conf slapd.conf.bak

Create an entry for the dc naming context

This step creates a standard domain controller entry under the dc=... root suffix you created above. This prepares your new LDAP server for the creation of other entries under this suffix.

slapd must be stopped. On the LDAP server, edit the file /tmp/ldif and add only these lines:

dn: dc=your-domain,dc=net
objectClass: domain
dc: your-domain

Then run these commands:

# sudo -u ldap slapadd -l /tmp/ldif

Configure logging

First:

# touch /var/log/slapd
# chown ldap:ldap /var/log/slapd

Edit /etc/rsyslog.conf and add a line like this: "local4.* /var/log/slapd" and restart rsyslogd.

In /etc/sysconfig/ldap, uncomment the SLAPD_OPTIONS line, and add "-s ###" where the ### is some set of or'd flags indicating what you'd like logged. Log level options are described in slapd.conf(5). A useful level of logging is 768.

Start the server

To start the server once:

# systemctl start slapd.service

To start the server automatically during system boot:

# systemctl enable slapd.service

To stop the server once:

# systemctl stop slapd.service

To prevent the server from starting during system boot:

# systemctl disable slapd.service

Add the FedFS schema

Go to your administrative client. Your new LDAP server must be running for this step.

Use the "add-schema-olc" script in the fedfs-utils/contrib/ldap directory to introduce the FedFS schema. On the command line, supply the DNS hostname of the new LDAP server and the DN of its cn=config administrator. If the administrator DN contains blanks, use double-quotes.

 $ ./add-schema-olc ldap.example.net "cn=admin,cn=config"
 Enter LDAP password:

Create a FedFS NSDB Container Entry

On your administrative client, identify your LDAP server as an NSDB.

 # nsdbparams update ldap.hostname.example.net

This enables the NSDB client tools to recognize your new LDAP server as an NSDB.

Now, add the LDAP entry under which all FedFS-related records are stored with the nsdb-simple-nce command. The LDAP server installation process automatically creates a dc-style root suffix, and we can use that here. Assuming your new LDAP server's name is "ldap.example.net," this command does the trick:

 $ nsdb-simple-nce -D "cn=Manager,dc=example,dc=net" -l ldap.example.net dc=example,dc=net
 Enter NSDB password:

Note that, here, you need to use the administrative DN for the dc=example,dc=net database, not the cn=config administrator DN.

Confirm the addition with the nsdb-nces command:

 $ nsdb-nces -l ldap.example.net
 NSDB: ldap.example.net:389
   namingContext 'dc=example,dc=net' hosts an NCE at 'ou=fedfs,dc=example,dc=net'.
   namingContext 'o=netscaperoot' does not host an NCE.
Personal tools