Maintenance script: Created page with " === Procedure for the installation of the LDAP master server at IIHE === This procedure describes the installation on a Fedora Core 10 machine. ==== RPM installation ====..."

2015-08-26T12:28:44Z

Created page with " === Procedure for the installation of the LDAP master server at IIHE === This procedure describes the installation on a Fedora Core 10 machine. ==== RPM installation ====..."

New page

=== Procedure for the installation of the LDAP master server at IIHE ===
This procedure describes the installation on a Fedora Core 10 machine.

==== RPM installation ====
To install the needed RPM, just type :
<pre>
yum install openldap-servers
yum install openldap-clients
</pre>

==== LDAP service configuration ====
The service must be start automatically :
<pre>
chkconfig --level 345 ldap on
</pre>

The parameters to be passed at the starting of the LDAP service can be added or changed in the /etc/sysconfig/ldap file. Modifying this file, we can, for example, define the URLs that must be used to access the LDAP service.

Now, adpapt the LDAP service configuration file /etc/openldap/slapd.conf :
<pre>
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema

# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
loglevel 2047

# Load dynamic backend modules:
# modulepath /usr/lib/openldap # or /usr/lib64/openldap
# The following module is needed for replication with shadow LDAP server
modulepath /usr/lib64/openldap
moduleload syncprov.la

# The next three lines allow use of TLS for encrypting connections
TLSCACertificateFile /etc/pki/tls/ldap/certs/ldap01_iihe_ac_be-bundle.pem
TLSCertificateFile /etc/pki/tls/ldap/certs/ldap01_iihe_ac_be.crt
TLSCertificateKeyFile /etc/pki/tls/ldap/private/ldap01_iihe_ac_be.key

TLSVerifyClient try

# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
#security ssf=1 update_ssf=112 simple_bind=64

# disable anonymous bind
disallow bind_anon

# Access restricted to the password (even if they are hashed !)
access to attrs=userPassword
by dn="cn=manager,dc=tier2,dc=be" write
by dn="uid=syncrepl,ou=System,dc=tier2,dc=be" write
by dn="uid=proxyuser,ou=System,dc=tier2,dc=be" read
by self write
by anonymous auth
by * none

# Prevent simple users to modify their uid and gid
access to attrs=uidNumber,gidNumber
by dn="cn=manager,dc=tier2,dc=be" write
by dn="uid=syncrepl,ou=System,dc=tier2,dc=be" write
by dn="uid=proxyuser,ou=System,dc=tier2,dc=be" read
by self read
by anonymous auth
by * none

# Access read-only for everybody to the rest of the directory
access to *
by dn="cn=manager,dc=tier2,dc=be" write
by dn="uid=syncrepl,ou=System,dc=tier2,dc=be" write
by dn="uid=proxyuser,ou=System,dc=tier2,dc=be" read
by self write
by anonymous auth
by users read

#######################################################################
# Backend database definition
#######################################################################

database bdb
suffix "dc=tier2,dc=be"
#checkpoint 1024 15
rootdn "cn=manager,dc=tier2,dc=be"
rootpw {MD5}C0v0wBolHmN9pDpfWbdxyz==

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended and owner must be ldap user
directory /var/lib/ldap

# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index nisDomain eq
# indices added for syncrepl
index entryCSN,entryUUID eq

# loads and configures the syncprov overlay
overlay syncprov
syncprov-checkpoint 50 10
syncprov-sessionlog 100

</pre>

Note that, as we didn't want the manager's account password to appear in clear, we encrypted it with :
<pre>
slappassword -h '{MD5}'
</pre>
and we simply copy-past the result in slapd.conf (see the value of rootpw).

This configuration file enables two important features :
*A security layer with TLS/SSL (authentication of the server by its certificate and encryption)
*Replication to another shadow server with syncrepl

From the above config file, you also guess that the LDAP directory content will be stored into a BDB database. Before this backend is created, you must be sure that the user ldap exists, and then check that the directory /var/lib/ldap exists with permission 700 and owner ldap. If it is not the case :
<pre>
useradd ldap
mkdir /var/lib/ldap
chmod 700 /var/lib/ldap
chown -R ldap:ldap /var/lib/ldap
</pre>

For tuning the performance of the Berkeley DB backends, a file DB_CONFIG is needed in /var/lib/ldap :
<pre>
cp /usr/share/doc/openldap-servers-2.4.12/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap /var/lib/ldap/DB_CONFIG
</pre>

Finally, we have to configure the local client tool, changing /etc/openldap/ldap.conf, because we need it to make some checks on the server :
<pre>
BASE dc=iihe,dc=ac,dc=be
URI ldap://ldap.iihe.ac.be/
</pre>

==== Test server configuration ====
To simply test the configuration, just type :
<pre>
service ldap configtest
</pre>

==== Populate the LDAP directory ====
We will populate the directory with the following ldif file :
<pre>
dn: dc=tier2,dc=be
dc: tier2
description: Toplevel domain
associatedDomain: tier2.be
nisDomain: tier2.be
objectClass: top
objectClass: domain
objectClass: domainRelatedObject

dn: dc=iihe,dc=tier2,dc=be
dc: iihe
objectClass: top
objectClass: domain
objectClass: domainRelatedObject
description: IIHE's subdomain
associatedDomain: iihe.tier2.be

dn: dc=fynu,dc=tier2,dc=be
dc: fynu
objectClass: top
objectClass: domain
objectClass: domainRelatedObject
description: FYNU's subdomain
associatedDomain: fynu.tier2.be

dn: ou=Group,dc=fynu,dc=tier2,dc=be
objectClass: top
objectClass: organizationalUnit
ou: Group
description: The groups

dn: ou=People,dc=fynu,dc=tier2,dc=be
objectClass: top
objectClass: organizationalUnit
ou: People
description: The users

dn: ou=Group,dc=iihe,dc=tier2,dc=be
objectClass: top
objectClass: organizationalUnit
ou: Group
description: The groups

dn: ou=People,dc=iihe,dc=tier2,dc=be
objectClass: top
objectClass: organizationalUnit
ou: People
description: The users

dn: cn=extrausers,ou=Group,dc=iihe,dc=tier2,dc=be
objectClass: posixGroup
objectClass: top
cn: extrausers
gidNumber: 20900

dn: cn=localgrid,ou=Group,dc=iihe,dc=tier2,dc=be
objectClass: posixGroup
objectClass: top
cn: localgrid
gidNumber: 20501

dn: cn=localusers,ou=Group,dc=iihe,dc=tier2,dc=be
objectClass: posixGroup
objectClass: top
cn: localusers
gidNumber: 20500

dn: ou=System,dc=tier2,dc=be
objectClass: top
objectClass: organizationalUnit
ou: System
description: System accounts

dn: uid=syncrepl,ou=System,dc=tier2,dc=be
uid: syncrepl
ou: System
description: Special account for SyncRepl
objectClass: account
objectClass: simpleSecurityObject

dn: uid=proxyuser,ou=System,dc=tier2,dc=be
uid: proxyuser
ou: System
objectClass: account
objectClass: simpleSecurityObject
description: System account to bind to ldap in readonly mode
userPassword:: e0NSWUBVfXdCejlQehRaSzFsYzI=
</pre>

Here is the command to import this ldif file :
<pre>
slapadd -v -l test.ldif
</pre>

Note : for security reason, the above ldif file does not give the actual content of our LDAP server. You will find the real content in our restricted area : [https://mon.iihe.ac.be/trac/t2b-iihe/wiki/Tier2LdapServer here]

==== Final check of the service ====
First, we must start the service :
<pre>
service ldap start
</pre>
Then, we can try a few searches through the directory :
<pre>
ldapsearch -x -D "cn=manager,dc=iihe,dc=ac,dc=be" -W -b "ou=Users,dc=iihe,dc=ac,dc=be"
ldapsearch -x -D "cn=manager,dc=iihe,dc=ac,dc=be" -W -b "dc=iihe,dc=ac,dc=be"
</pre>

=== Procedure describing how to configure an UI for LDAP authentication ===

=== Procedure for the renewal of the LDAP server certificates ===
Here are the files to update :
<pre>
TLSCACertificateFile /etc/pki/tls/ldap/certs/ldap01_iihe_ac_be-bundle.pem
TLSCertificateFile /etc/pki/tls/ldap/certs/ldap01_iihe_ac_be.crt
</pre>
For your information, here is the private key :
TLSCertificateKeyFile /etc/pki/tls/ldap/private/ldap01_iihe_ac_be.key
It should not be changed.

Use the BELNET Web interface to request a new certificate. A request file will be asked. Simply give this file :
<pre>
ldap01:/root/host_req.pem
</pre>
(Since we allways reuse the same key, it is not useful to generate a new request.)

Once you have got the new certificates from BELNET, first, make a backup of the old ones :
<pre>
ssh root@ldap01 "mv /etc/pki/tls/ldap/certs/ldap01_iihe_ac_be.crt /etc/pki/tls/ldap/certs/ldap01_iihe_ac_be.crt.old"
ssh root@ldap01 "mv /etc/pki/tls/ldap/certs/ldap01_iihe_ac_be-bundle.pem /etc/pki/tls/ldap/certs/ldap01_iihe_ac_be-bundle.pem.old"
</pre>
Then, copy the new ones :
<pre>
scp ldap01_iihe_ac_be.pem root@ldap01:/etc/pki/tls/ldap/certs/ldap01_iihe_ac_be.crt
</pre>

=== How to synchronise accounts on the LDAP server with accounts created by Quattor in flat files ? ===
Since the LDAP server is not managed by Quattor, accounts have to be synchronised by a "manual" step. To make this task easy, a Perl script has been written (see attachment of this page). Simply launch this script as root on CCQ.

{{TracNotice|{{PAGENAME}}}}

LDAP UCL IIHE - Revision history

Maintenance script: Created page with " === Procedure for the installation of the LDAP master server at IIHE === This procedure describes the installation on a Fedora Core 10 machine. ==== RPM installation ====..."