Fedora Directory Server
NOTE
- The examples in this guide are for FDS 1.1 on Scientific Linux 5.x.
- When installing other versions, paths or package names may differ.
- It is also strongly recommended that the IP address, DNS name and hostname of the machine be consistent.
Contents
- Preparing the System
- Installing FDS
- FDS Setup
- Extension key for INFN
- Configuring SSL / TLS for the Directory Server
- Configuring SSL / TLS for the Administration Server
- Configuration Mapping x509 certificates
- Configuring SASL / GSSAPI
- Plugin Configuration Kerberos password backend
- Configuring Read-Only Replica
- PADL migration through migrationtools
- Fedora Management Console
Preparing the System
Change the kernel parameters in /etc/sysctl.conf by adding the lines:
net.ipv4.tcp_keepalive_time = 300
net.ipv4.ip_local_port_range = 1024 65000
fs.file-max = 64000
Reload sysctl:
sysctl -p
Modify the limits in /etc/security/limits.conf by inserting the line:
* - nofile 8192
Make sure that /etc/pam.d/login contains this line:
auth required pam_securetty.so
Log out and log in again to reload the limits.
Create the user fds:
useradd -r -s /bin/false fds
Download and install the "J2SE (TM) Runtime Environment 5.0" from http://www.sun.com/java/, available at: http://www.java.com/en/download/manual.jsp#lin
wget 'http://javadl.sun.com/webapps/download/AutoDL?BundleId=23104' -O jre-6u7-linux-x64-rpm.bin
sh jre-6u7-linux-x64-rpm.bin
Once the JRE is installed, update the alternatives:
update-alternatives --install /usr/bin/java java /usr/java/latest/bin/java 500
update-alternatives --set java /usr/java/latest/bin/java
Install the packages needed by FDS:
yum install ldapjdk svrcore mozldap perl-Mozilla-LDAP xorg-x11-deprecated-libs httpd libstdc++ \
    cyrus-sasl-gssapi openldap-clients libgcj libicu
On 64-bit machines, remove the 32-bit SASL libraries. ONLY FOR 64-bit SYSTEMS.
NOTE: This step may require removing many packages as dependencies; accept and remove them.
They are only 32-bit copies of libraries whose 64-bit versions remain installed.
yum remove cyrus-sasl.i386 cyrus-sasl-devel.i386 cyrus-sasl-gssapi.i386 cyrus-sasl-plain.i386 cyrus-sasl-lib.i386
Installing FDS
Set up the YUM repository for Fedora DS. For installation on 32-bit machines replace "x86_64" with "i386".
rpm --import http://download.fedora.redhat.com/pub/fedora/linux/core/6/x86_64/os/RPM-GPG-KEY-fedora
rpm --import http://download.fedora.redhat.com/pub/fedora/linux/extras/RPM-GPG-KEY-Fedora-Extras
rpm --import 'http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xA7B02652'
rpm -ivh http://download.fedora.redhat.com/pub/fedora/linux/extras/6/x86_64/adminutil-1.1.5-1.fc6.x86_64.rpm
rpm -ivh http://download.fedora.redhat.com/pub/fedora/linux/extras/6/x86_64/jss-4.2.5-1.fc6.x86_64.rpm
cd /etc/yum.repos.d
wget -O - http://directory.fedoraproject.org/sources/idmcommon.repo | sed 's/$releasever/6/g' > idmcommon.repo
wget -O - http://directory.fedoraproject.org/sources/dirsrv.repo | sed 's/$releasever/6/g' > dirsrv.repo
Install fedora-ds:
yum install fedora-ds
FDS Setup
Run the FDS setup:
/usr/sbin/setup-ds-admin.pl
Choose option 3 to customize the installation:
- Set the user / group to "fds";
- Set the root suffix in the form "dc=OFFICE, dc=INFN, dc=com", i.e. the DNS domain of the site;
- Select port 1500 for the Administration Server;
- Everything else can be left at its default. (Walkthrough)
Set the FDS services to start at boot:
chkconfig dirsrv on
chkconfig dirsrv-admin on
Extension key for INFN
Stop FDS:
/etc/init.d/dirsrv stop
Edit the file /etc/dirsrv/slapd-DS-UID/schema/99user.ldif and append at the end:
attributeTypes: ( CertSubjectDN-oid NAME 'CertSubjectDN' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'user defined' )
attributeTypes: ( krbPrincipalName-oid NAME 'krbPrincipalName' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
objectClasses: ( krbprincipal-oid NAME 'krbPrincipal' SUP top STRUCTURAL MUST krbPrincipalName X-ORIGIN 'user defined' )
objectClasses: ( CertObject-oid NAME 'CertObject' SUP top STRUCTURAL MUST CertSubjectDN X-ORIGIN 'user defined' )
Restart FDS:
/etc/init.d/dirsrv start
Configuring SSL/TLS for the Directory Server
For a tutorial on server and CA certificates, see the AAI tutorial: http://www.lnf.infn.it/dmaselli~/aai/crt/
Convert the server's certificate and private key into PKCS#12 format in a temporary file. It is not necessary to set an export password.
openssl pkcs12 -export -inkey ds_server_key.pem -in ds_server_crt.pem -out /tmp/crt.p12 -nodes -name 'Server-Cert'
Import the certificate with its private key into the FDS certificate DB. You must set a password for the DB and remember it. The first password requested (with confirmation) is the FDS DB password; the second is the export password, if one was set.
cd /etc/dirsrv/slapd-DS-UID/
pk12util -i /tmp/crt.p12 -d .
rm /tmp/crt.p12
where DS-UID is the name of the FDS instance.
Create a file with the password of the certificate DB:
cd /etc/dirsrv/slapd-DS-UID
cat > pin.txt <<EOF
Internal (Software) Token:PASSWORD
EOF
chown fds:fds pin.txt
chmod 600 pin.txt
Start the console:
fedora-idm-console
In the first tab "Servers and Applications", expand the tree on the left, right-click on "Directory Server" and choose "Open".
Go Console -> Tasks tab -> Certificate manager -> CA Certs tab (screenshot)

Use the "Install" button to install the CA certificate.
Go Console -> Configuration tab -> Encryption (screenshots)

Enable the options “Enable SSL for this server” and “Use this Cipher Family: RSA”
Make sure that the certificate "Server-Cert" is listed; otherwise close and return to the console.
Click “Save” and confirm the message.
Restart FDS:
/etc/init.d/dirsrv restart
To configure the default Linux LDAP client (OpenLDAP), put the CA's public certificate in /etc/openldap/cacerts/ and create a hash link as follows:
cd /etc/openldap/cacerts/
cp /where/is/the/ca/cert .
for pem in *.pem; do
    ln -s "$pem" "$(openssl x509 -noout -hash -in "$pem").0"
done
NOTE: To set or change the password of the FDS certificate DB:
cd /etc/dirsrv/slapd-DS-UID
modutil -dbdir . -changepw "NSS Certificate DB"
Configuring SSL / TLS for the Administration Server
The Fedora Administration Server must also have access to the host certificates.
Since the node name is obviously the same, we share the Directory Server's certificate database.
Create links to the certificate DB files in the Administration Server configuration directory:
cd /etc/dirsrv/admin-serv
ln -sf ../slapd-DS-UID/*.db .
cp -pf ../slapd-DS-UID/pin.txt .
sed -i s/Internal/internal/ pin.txt
sed -i "s@NSSPassPhraseDialog *builtin@NSSPassPhraseDialog file://///etc/dirsrv/admin-serv/pin.txt@" nss.conf
Restart the Administration Server:
/etc/init.d/dirsrv-admin restart
Start the console:
fedora-idm-console
In the first tab "Servers and Applications", expand the tree on the left, right-click on "Administration Server" and choose "Open".
Go Console -> Configuration tab -> Encryption
Enable the options “Enable SSL for this server” and “Use this Cipher Family: RSA”
Make sure that the certificate "Server-Cert" is listed; otherwise close and return to the console.
Click “Save” and confirm the message.
In the "DS Configuration" tab enable "Secure Connection".
In the "User DS" tab select "Set User Directory".
Enter HOSTNAME:636
Enable "Secure Connection".
Set your base suffix.
Click Save.
Close the console and open the Directory Server console.
Go to Configuration tab -> Encryption
Enable "Use SSL in Console".
Restart FDS and the Administration Server:
/etc/init.d/dirsrv restart
/etc/init.d/dirsrv-admin restart
From this point on, the URL entered in the console login window should use https, not http.
Configuration Mapping x509 certificates
To enable authentication with X.509 certificates, you must configure a mapping between the certificate subject and a DS entry.
In /etc/dirsrv/slapd-DS-UID/certmap.conf we set the DS attribute in which FDS will look for the X.509 subject. The only uncommented lines should be:
certmap default default
default:CmapLdapAttr certSubjectDN
Restart FDS:
/etc/init.d/dirsrv restart
Configuring SASL / GSSAPI
To configure GSSAPI authentication on FDS you need a keytab for the principal "ldap/fqdn.of.the.fds.server@KRB5.REALM".
Place the keytab in /etc/dirsrv/krb5.keytab and ensure that the fds user can read it:
chown fds /etc/dirsrv/krb5.keytab
Edit the file /etc/init.d/dirsrv to add the keytab definition.
In the first lines of the script, after the definition of "fdsRoot", insert:
export KRB5_KTNAME=/etc/dirsrv/krb5.keytab
Restart FDS.
In the Management Console, define the SASL mappings:
- In the first tab "Servers and Applications", expand the tree on the left and right-click on "Directory Server"
- The Management Console will open
- Click on the "Configuration" tab
- Click on the server name on the left and then on the "SASL Mapping" tab
- Click Add
For example, to map users holding a valid ticket for "user@LNF.INFN.IT" to "uid=user, ou=People, dc=LNF, dc=INFN, dc=com", configure as follows:
Name: krb5-lnf
Regular Expression: \(.*\)@LNF.INFN.IT
Search Base DN: ou=People, dc=lnf, dc=infn, dc=it
Search Filter: (uid=\1)
where "krb5-lnf" is just a descriptive name.
The SASL mapping changes may not take effect until FDS is restarted.
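To check what the mapping above does before restarting FDS, here is an added example (not part of the original guide, and not FDS code) that applies the mapping's POSIX regex to a principal and builds the search base and filter the server would use. The mapping values are the ones from this guide; the RFC 4515 escaping of the captured group is this example's own safeguard, and the SASL_MAPPINGS list and map_principal function are assumed names.

```python
import re

# SASL mapping as entered in the console: (Name, Regular Expression,
# Search Base DN, Search Filter). Values copied from the guide.
SASL_MAPPINGS = [
    ("krb5-lnf", r"\(.*\)@LNF.INFN.IT",
     "ou=People, dc=lnf, dc=infn, dc=it", r"(uid=\1)"),
]


def _posix_to_python(bre):
    # The console takes POSIX BRE groups \( \); Python wants ( ).
    # Anchor both ends so the whole principal must match.
    return "^" + bre.replace(r"\(", "(").replace(r"\)", ")") + "$"


def _escape_filter_value(value):
    # RFC 4515 escaping so a captured group cannot change the filter structure.
    return "".join("\\%02x" % ord(c) if c in "*()\\\0" else c for c in value)


def map_principal(principal, mappings=SASL_MAPPINGS):
    """Return (base_dn, search_filter) for the first matching mapping, else None.

    Principals from a realm no mapping covers (the failure mode the guide
    hints at) yield None, i.e. the bind would fail.
    """
    for _name, bre, base, flt in mappings:
        m = re.match(_posix_to_python(bre), principal)
        if not m:
            continue

        def substitute(group_ref):
            # Replace \1, \2, ... in the filter with the escaped captured text.
            return _escape_filter_value(m.group(int(group_ref.group(1))))

        return base, re.sub(r"\\(\d)", substitute, flt)
    return None


if __name__ == "__main__":
    for p in ("user@LNF.INFN.IT", "user@OTHER.REALM", "a)(uid=*@LNF.INFN.IT"):
        print(p, "->", map_principal(p))
```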
Plugin Configuration Kerberos password backend
Coming soon …
Configuring Read-Only Replica
Coming soon …
PADL migration through migrationtools
It is possible to migrate from NIS or passwd files to LDAP using the tools available at: http://www.padl.com/OSS/MigrationTools.html
Download and extract migrationtools:
wget http://www.padl.com/download/MigrationTools.tgz
tar -xzvf MigrationTools.tgz
cd MigrationTools-47/
Change the following lines in the file migrate_common.ph:
#$DEFAULT_MAIL_DOMAIN = "padl.com";        # comment out
$DEFAULT_BASE = "dc=SEDE,dc=infn,dc=it";   # enter your own base DN
#$DEFAULT_MAIL_HOST = "mail.padl.com";     # comment out
$EXTENDED_SCHEMA = 1;                      # set to 1
Prepare the passwd and group data in two files.
For example, for NIS:
ypcat passwd > passwd.nis
ypcat group > group.nis
To convert the files into LDIF format for LDAP:
./migrate_passwd.pl passwd.nis passwd.ldif
./migrate_group.pl group.nis group.ldif
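To see what the conversion above produces, here is an added example (not part of the original guide, and not the PADL scripts' code) that turns constructed passwd and group lines into the same kind of posixAccount and posixGroup LDIF, under the base DN from migrate_common.ph. The sample accounts, the skipping of locked or shadowed password fields, and the function names are this example's own assumptions.

```python
# Constructed sample NIS maps (not real accounts), as ypcat passwd / ypcat group print them.
PASSWD_NIS = """alice:$1$c0nst$ructedhash:1001:1001:Alice Example:/home/alice:/bin/bash
bob:*:1002:1001:Bob Example,Room 12,555-0100:/home/bob:/bin/sh
"""
GROUP_NIS = """users:*:1001:alice,bob
"""
# Base DN assumed here, matching $DEFAULT_BASE in migrate_common.ph.
BASE_DN = "dc=SEDE,dc=infn,dc=it"


def passwd_to_entries(text, base=BASE_DN):
    """Turn passwd-style lines into (dn, attrs) tuples under ou=People."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(("+", "-")):
            continue  # skip blanks and NIS compat (+/-) lines
        user, pw, uid, gid, gecos, home, shell = line.split(":")[:7]
        cn = gecos.split(",")[0] or user  # full name is the first gecos field
        attrs = {
            "objectClass": ["top", "person", "organizationalPerson",
                            "inetOrgPerson", "posixAccount", "shadowAccount"],
            "uid": [user], "cn": [cn], "sn": [cn.split()[-1]],
            "uidNumber": [uid], "gidNumber": [gid],
            "homeDirectory": [home], "loginShell": [shell], "gecos": [gecos],
        }
        # Only migrate real hashes; "*", "!..." (locked) and "x" (in shadow) carry none.
        if pw and pw != "x" and not pw.startswith(("*", "!")):
            attrs["userPassword"] = ["{crypt}" + pw]
        entries.append(("uid=%s,ou=People,%s" % (user, base), attrs))
    return entries


def group_to_entries(text, base=BASE_DN):
    """Turn group-style lines into (dn, attrs) tuples under ou=Group."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _pw, gid, members = line.split(":")[:4]
        attrs = {"objectClass": ["top", "posixGroup"], "cn": [name], "gidNumber": [gid]}
        if members:
            attrs["memberUid"] = members.split(",")
        entries.append(("cn=%s,ou=Group,%s" % (name, base), attrs))
    return entries


def to_ldif(entries):
    """Serialize (dn, attrs) tuples as LDIF, one blank line between entries."""
    blocks = ["\n".join(["dn: " + dn] + ["%s: %s" % (k, v) for k, vs in attrs.items() for v in vs])
              for dn, attrs in entries]
    return "\n\n".join(blocks) + "\n"
```

Running to_ldif(passwd_to_entries(PASSWD_NIS) + group_to_entries(GROUP_NIS)) gives a file you can compare against passwd.ldif and group.ldif from the PADL scripts before importing it.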
Fedora Management Console
The FDS Management Console is the main tool for accessing the directory server.
To start it:
fedora-idm-console
It is always a good idea to log in as "admin".
It can also be installed locally on clients, which significantly improves speed.
The only requirement is to have the Java JRE on the system, whether Windows, Linux or Mac.
A version 1.1 standalone package with a "fedora-idm-console" script, tested on Windows and Linux, is available at: http://www.lnf.infn.it/~dmaselli/aai/fds-console-1.1.tar.gz