
Fedora Directory Server

October 6th, 2011

NOTE

  • The examples in this guide are for FDS 1.1 on Scientific Linux 5.x.
  • When installing other versions, paths or package names may differ.
  • It is also strongly recommended that the machine's IP address, DNS name and hostname are consistent: the server certificate and the Kerberos service principal used below are both tied to the hostname.

Contents

  • Preparing the System
  • Installing FDS
  • FDS Setup
  • Extension key for INFN
  • Configuring SSL / TLS for the Directory Server
  • Configuring SSL / TLS for the Administration Server
  • Configuration Mapping x509 certificates
  • Configuring SASL / GSSAPI
  • Plugin Configuration Kerberos password backend
  • Configuring Read-Only Replica
  • PADL migration through migrationtools
  • Fedora Management Console

Preparing the System

Change the kernel parameters by adding these lines to /etc/sysctl.conf:

net.ipv4.tcp_keepalive_time = 300
net.ipv4.ip_local_port_range = 1024 65000
fs.file-max = 64000

Reload sysctl:

sysctl -p

Modify the limits in /etc/security/limits.conf by inserting the line:

*        -        nofile        8192

Make sure /etc/pam.d/login contains this line:

auth       required     pam_securetty.so

Log out and log back in to apply the new limits (limits.conf is read by pam_limits.so at login, so that module must also be present in the PAM login stack).

Create the user fds:

useradd -r -s /bin/false fds

Download and install the Sun Java Runtime Environment (the original text names “J2SE (TM) Runtime Environment 5.0”; the command below fetches JRE 6u7). See http://www.sun.com/java/ ; the downloads are at: http://www.java.com/en/download/manual.jsp#lin

wget 'http://javadl.sun.com/webapps/download/AutoDL?BundleId=23104' -O jre-6u7-linux-x64-rpm.bin
sh jre-6u7-linux-x64-rpm.bin

Once the JRE is installed, register it with update-alternatives:

update-alternatives --install /usr/bin/java java /usr/java/latest/bin/java 500
update-alternatives --set java /usr/java/latest/bin/java


Install the packages FDS needs:

yum install ldapjdk svrcore mozldap perl-Mozilla-LDAP xorg-x11-deprecated-libs httpd libstdc++ \
 cyrus-sasl-gssapi openldap-clients libgcj libicu

On 64-bit machines, remove the 32-bit SASL libraries. 64-bit ONLY.

NOTE: this step may remove many packages as dependencies; accept and let them be removed.
They are only 32-bit copies of libraries whose 64-bit versions remain installed.

yum remove cyrus-sasl.i386 cyrus-sasl-devel.i386 cyrus-sasl-gssapi.i386 cyrus-sasl-plain.i386 cyrus-sasl-lib.i386


Installing FDS

Set up the YUM repositories for Fedora DS. For installation on 32-bit machines replace “x86_64” with “i386”. The packages are Fedora Core 6 builds, which is why the sed below pins $releasever to 6 on Scientific Linux. The third signing key is fetched from a public keyserver over plain HTTP: check its fingerprint (for example with rpm -qi on the imported gpg-pubkey package) before trusting packages signed with it.

rpm --import http://download.fedora.redhat.com/pub/fedora/linux/core/6/x86_64/os/RPM-GPG-KEY-fedora
rpm --import http://download.fedora.redhat.com/pub/fedora/linux/extras/RPM-GPG-KEY-Fedora-Extras
rpm --import 'http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xA7B02652'

rpm -ivh http://download.fedora.redhat.com/pub/fedora/linux/extras/6/x86_64/adminutil-1.1.5-1.fc6.x86_64.rpm
rpm -ivh http://download.fedora.redhat.com/pub/fedora/linux/extras/6/x86_64/jss-4.2.5-1.fc6.x86_64.rpm

cd /etc/yum.repos.d
wget -O - http://directory.fedoraproject.org/sources/idmcommon.repo | sed 's/$releasever/6/g' > idmcommon.repo
wget -O - http://directory.fedoraproject.org/sources/dirsrv.repo | sed 's/$releasever/6/g' > dirsrv.repo

Install fedora-ds:

yum install fedora-ds

FDS Setup

Run the FDS setup:

/usr/sbin/setup-ds-admin.pl

Choose setup type 3 (Custom) and:

  •  run the server as user/group “fds”;
  •  set the root suffix to the site's DNS domain, in the form “dc=OFFICE,dc=INFN,dc=com”;
  •  select port 1500 for the Administration Server;
  •  everything else can be left at the default. (Walkthrough)

Set the FDS services to start at boot:

chkconfig dirsrv on
chkconfig dirsrv-admin on


Extension key for INFN

Stop FDS:

/etc/init.d/dirsrv stop

Edit the file /etc/dirsrv/slapd-DS-UID/schema/99user.ldif (DS-UID is the instance name chosen at setup) and append at the end:

objectClasses: ( krbprincipal-oid NAME 'krbPrincipal' SUP top STRUCTURAL MUST
 krbPrincipalName X-ORIGIN 'user defined' )
objectClasses: ( CertObject-oid NAME 'CertObject' SUP top STRUCTURAL MUST Cert
 SubjectDN X-ORIGIN 'user defined' )
attributeTypes: ( CertSubjectDN-oid NAME 'CertSubjectDN'  SYNTAX 1.3.6.1.4.1.1
 466.115.121.1.12 X-ORIGIN 'user defined' )
attributeTypes: ( krbPrincipalName-oid NAME 'krbPrincipalName'  SYNTAX 1.3.6.1
 .4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )

Start FDS again:

/etc/init.d/dirsrv start


Configuring SSL/TLS for the Directory Server

For how to obtain the server certificate and the CA certificate, see the AAI tutorial: http://www.lnf.infn.it/dmaselli~/aai/crt/

Bundle the server's private key and certificate into a PKCS#12 file in a temporary location. It is not necessary to set an export password.

openssl pkcs12 -export -inkey ds_server_key.pem -in ds_server_crt.pem -out /tmp/crt.p12 -nodes -name 'Server-Cert'

Import the certificate and private key into the FDS NSS certificate database. You must set a password for the database and remember it. The first password requested (with confirmation) is the FDS database password; the second is the PKCS#12 export password, if one was set.

cd /etc/dirsrv/slapd-DS-UID/
pk12util -i /tmp/crt.p12 -d .
rm /tmp/crt.p12

where DS-UID is the name of the FDS instance.

Create the PIN file containing the certificate database password (it holds the password in clear text, hence the ownership and mode):

cd /etc/dirsrv/slapd-DS-UID
cat > pin.txt <<EOF
Internal (Software) Token:PASSWORD
EOF
chown fds:fds pin.txt
chmod 600 pin.txt

Start the console:

fedora-idm-console

In the first tab, “Servers and Applications”, expand the tree on the left, right-click “Directory Server” and choose “Open”.

Go to Console -> Tasks tab -> Certificate manager -> CA Certs tab

Use the “Install” button to install the CA certificate.

Go to Console -> Configuration tab -> Encryption

Enable the options “Enable SSL for this server” and “Use this Cipher Family: RSA”.

Make sure the certificate “Server-Cert” is listed; if it is not, close and reopen the console.
Click “Save” and confirm the message.

Restart FDS:

/etc/init.d/dirsrv restart

To configure the default Linux LDAP client (OpenLDAP), copy the CA certificate into /etc/openldap/cacerts/ (the directory that /etc/openldap/ldap.conf references with TLS_CACERTDIR) and create the hash link OpenLDAP looks up, as follows:

cd /etc/openldap/cacerts/
cp /where/is/the/ca/cert .
for pem in `ls *pem` ; do ln -s $pem `openssl x509 -noout -hash -in $pem`.0 ; done

NOTE: to set or change the password of the FDS certificate database (update pin.txt afterwards):

cd /etc/dirsrv/slapd-DS-UID
modutil -dbdir . -changepw "NSS Certificate DB"


Configuring SSL / TLS for the Administration Server

The Administration Server must also know the host certificates.
Since the hostname is the same, we share the Directory Server's certificate database.

Create links to the certificate database files in the Administration Server's configuration directory and point its nss.conf at a PIN file:

cd /etc/dirsrv/admin-serv
ln -sf ../slapd-DS-UID/*.db .
cp -pf ../slapd-DS-UID/pin.txt .
sed -i s/Internal/internal/ pin.txt
sed -i "s@NSSPassPhraseDialog  *builtin@NSSPassPhraseDialog  file://///etc/dirsrv/admin-serv/pin.txt@" nss.conf

Restart the Administration Server:

/etc/init.d/dirsrv-admin restart

Start the console:

fedora-idm-console

In the first tab, “Servers and Applications”, expand the tree on the left, right-click “Administration Server” and choose “Open”.

Go to Console -> Configuration tab -> Encryption
Enable the options “Enable SSL for this server” and “Use this Cipher Family: RSA”.
Make sure the certificate “Server-Cert” is listed; if it is not, close and reopen the console.
Click “Save” and confirm the message.

In the “DS Configuration” tab enable “Secure Connection”.

In the “User DS” tab select “Set User Directory”:

Enter HOSTNAME:636 (the LDAPS port)
Enable “Secure Connection”
Set your base suffix
Click Save.

Close this window and open the Directory Server console in the same way.
Go to the Configuration tab -> Encryption
Enable “Use SSL in Console”

Restart FDS and the Administration Server:

/etc/init.d/dirsrv restart
/etc/init.d/dirsrv-admin restart

From this point on, the URL entered in the console login window must use https rather than http.


Configuration Mapping x509 certificates

To enable authentication with x509 client certificates, configure a mapping between the certificate subject and the DS entry. The server only accepts client certificates issued by a CA present in its certificate database with client trust enabled, and whether it asks for a client certificate at all is governed by nsSSLClientAuth (off, allowed or required) in cn=encryption,cn=config; certmap.conf then decides which entry a verified certificate is bound as.

In /etc/dirsrv/slapd-DS-UID/certmap.conf we set the DS attribute in which FDS looks for the x509 subject. The only uncommented lines should be:

certmap default         default
default:CmapLdapAttr    certSubjectDN

Restart FDS:

/etc/init.d/dirsrv restart
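The following is an added example, not code from the guide or from FDS. It takes the subject that openssl x509 -noout -subject prints for a user's certificate on Scientific Linux 5 (the slash-separated form of OpenSSL 0.9.8) and writes the ldapmodify LDIF that attaches it to the user's entry with the CertObject/CertSubjectDN schema from the “Extension key for INFN” section, which is what the certmap.conf above searches on. The assumption that matters is the RDN order: NSS, which the DS uses to read the presented certificate, renders the subject with the most specific RDN first (CN=...,O=INFN,C=IT), so the converter reverses OpenSSL's order; the user DN, the names and the subject below are constructed.

```python
import re

# RFC 4514 special characters that must be backslash-escaped inside an RDN value.
_SPECIAL = re.compile(r'([,+"\\<>;=])')


def _escape_rdn_value(value):
    value = _SPECIAL.sub(r'\\\1', value)
    if value.startswith(('#', ' ')):
        value = '\\' + value
    if value.endswith(' '):
        value = value[:-1] + '\\ '
    return value


def openssl_subject_to_rfc2253(subject_line):
    """'subject= /C=IT/O=INFN/CN=Mario Rossi' -> 'CN=Mario Rossi,O=INFN,C=IT'.

    OpenSSL 0.9.8 prints the subject in DER order with '/' separators; NSS
    (and so the DS certmap code) writes it RFC 2253 style, most specific RDN
    first.  Assumption: that is the form the DS searches for; if the mapping
    does not match, compare with the first EXTERNAL bind in the access log.
    """
    line = subject_line.strip()
    if line.startswith('subject='):
        line = line[len('subject='):].strip()
    if not line.startswith('/'):
        raise ValueError('expected the slash-separated OpenSSL subject form')
    rdns = []
    # Split only on a '/' that starts a new 'attr=' so values containing '/' survive.
    for part in re.split(r'/(?=[A-Za-z][A-Za-z0-9.]*=)', line[1:]):
        if not part:
            continue
        attr, _, value = part.partition('=')
        rdns.append('%s=%s' % (attr, _escape_rdn_value(value)))
    return ','.join(reversed(rdns))


def certmap_ldif(user_dn, subject_rfc2253):
    """ldapmodify input that adds the CertObject class and the subject to an entry.

    CertObject is declared STRUCTURAL in the guide's 99user.ldif; Fedora/389 DS
    tolerates a second structural class on an inetOrgPerson entry, OpenLDAP
    would reject it.
    """
    return (
        'dn: %s\n'
        'changetype: modify\n'
        'add: objectClass\n'
        'objectClass: CertObject\n'
        '-\n'
        'add: CertSubjectDN\n'
        'CertSubjectDN: %s\n' % (user_dn, subject_rfc2253)
    )


if __name__ == '__main__':
    # Constructed sample: what `openssl x509 -noout -subject -in mrossi.pem`
    # prints on Scientific Linux 5 (OpenSSL 0.9.8).
    subject = 'subject= /C=IT/O=INFN/OU=Personal Certificate/L=LNF/CN=Mario Rossi'
    print(certmap_ldif('uid=mrossi,ou=People,dc=lnf,dc=infn,dc=it',
                       openssl_subject_to_rfc2253(subject)), end='')
```

On an OpenSSL that supports it, openssl x509 -noout -subject -nameopt RFC2253 prints the reversed form directly and only the escaping step above is still needed. Apply the LDIF with ldapmodify as the Directory Manager over ldaps, then test the mapping with a SASL EXTERNAL bind over TLS (ldapsearch -Y EXTERNAL with TLS_CERT and TLS_KEY set in the user's ldaprc): the bind DN reported in the access log is the entry certmap.conf resolved.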

 

Configuring SASL / GSSAPI

GSSAPI authentication on FDS requires a keytab for the principal “ldap/<FDS server FQDN>@<KERBEROS REALM>”.
Place the keytab in /etc/dirsrv/krb5.keytab and make sure the fds user can read it (it holds the service's long-term key, so it must not be readable by other users):

chown fds /etc/dirsrv/krb5.keytab

Edit /etc/init.d/dirsrv to define the keytab location.
In the first lines of the script, after the definition of “fdsRoot”, insert (if your init script sources /etc/sysconfig/dirsrv, put the export there instead, since edits to the init script are lost on a package update):

export KRB5_KTNAME=/etc/dirsrv/krb5.keytab

Restart FDS.

In the Management Console define the SASL mapping:
- In the first tab, “Servers and Applications”, expand the tree on the left and right-click “Directory Server”
- The Management Console opens
- Click the “Configuration” tab
- Click the server name on the left, then the “SASL Mapping” tab on the right
- Click Add

For example, so that users holding a valid ticket for “user@LNF.INFN.IT” are mapped to “uid=user,ou=People,dc=lnf,dc=infn,dc=it”, configure:

              Name:  krb5-lnf
Regular Expression:  \(.*\)@LNF.INFN.IT
    Search Base DN:  ou=People, dc=lnf, dc=infn, dc=it
     Search Filter:  (uid=\1)

where “krb5-lnf” is just a descriptive name. Note that the expression is a regular expression: the unescaped dots in the realm match any character, so keep the mapping no broader than the realms you actually trust.

The SASL mapping changes may not take effect until FDS is restarted.
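Added example, not the guide's code and not part of FDS: a small emulation of the mapping step in Python, and the LDIF that creates the same entry under cn=mapping,cn=sasl,cn=config for sites that prefer ldapmodify to the console. It assumes the server applies the stored POSIX regex with regexec() semantics (unanchored unless the pattern carries ^ and $) and then substitutes \1 into the templates; the hardened variant with anchors and escaped dots is a suggested change, not from the guide, and the principals in the sample are constructed.

```python
import re

# The guide's mapping, as entered in the console's "SASL Mapping" tab.
GUIDE_MAPPING = {
    'name': 'krb5-lnf',
    'regex': r'\(.*\)@LNF.INFN.IT',
    'base_dn': 'ou=People,dc=lnf,dc=infn,dc=it',
    'filter': r'(uid=\1)',
}

# Same mapping with the realm anchored and its dots taken literally (assumed
# hardening, not from the guide): '.' in a regex matches any character and an
# unanchored pattern also accepts principals whose realm merely contains
# LNF.INFN.IT as a substring.
HARDENED_MAPPING = dict(GUIDE_MAPPING, name='krb5-lnf-strict',
                        regex=r'^\(.*\)@LNF\.INFN\.IT$')


def _bre_to_python(bre):
    r"""FDS stores a POSIX basic regex, where \( \) delimit groups; Python uses ( )."""
    # Literal parentheses would need escaping here; the mappings above have none.
    return bre.replace(r'\(', '(').replace(r'\)', ')')


def apply_mapping(principal, mapping):
    r"""Return (search base, search filter) for a principal, or None if no match.

    Emulates what the server does after a successful GSSAPI bind (assumed
    regexec() semantics: unanchored unless the pattern has ^ and $), then
    replaces \1..\9 in the two templates with the captured groups.  The real
    server additionally requires the resulting search to return one entry.
    """
    m = re.search(_bre_to_python(mapping['regex']), principal)
    if m is None:
        return None

    def fill(template):
        return re.sub(r'\\([1-9])', lambda g: m.group(int(g.group(1))), template)

    return fill(mapping['base_dn']), fill(mapping['filter'])


def sasl_mapping_ldif(mapping):
    """The entry the console creates, for ldapmodify -a as Directory Manager."""
    return (
        'dn: cn=%(name)s,cn=mapping,cn=sasl,cn=config\n'
        'objectClass: top\n'
        'objectClass: nsSaslMapping\n'
        'cn: %(name)s\n'
        'nsSaslMapRegexString: %(regex)s\n'
        'nsSaslMapBaseDNTemplate: %(base_dn)s\n'
        'nsSaslMapFilterTemplate: %(filter)s\n' % mapping
    )


if __name__ == '__main__':
    # Constructed principals: a user, a service principal, and three that
    # should not map to anyone in ou=People.
    for principal in ('user@LNF.INFN.IT', 'host/fds.lnf.infn.it@LNF.INFN.IT',
                      'user@LNF.INFN.IT.EXAMPLE', 'user@LNFxINFNxIT',
                      'user@OTHER.REALM'):
        print('%-36s guide=%s strict=%s' % (
            principal, apply_mapping(principal, GUIDE_MAPPING),
            apply_mapping(principal, HARDENED_MAPPING)))
    print(sasl_mapping_ldif(HARDENED_MAPPING))
```

Running it shows the difference between the two patterns: the guide's regex maps user@LNF.INFN.IT.EXAMPLE and user@LNFxINFNxIT to (uid=user) just like the genuine principal, the anchored one rejects both. A service principal such as host/fds.lnf.infn.it@LNF.INFN.IT still matches, but its filter (uid=host/fds.lnf.infn.it) finds no entry, so the bind fails; that is the behaviour you want for non-user principals.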

 

Plugin Configuration Kerberos password backend

Coming soon …

Configuring Read-Only Replica

Coming soon …

PADL migration through migrationtools

It is possible to migrate from NIS, or from flat passwd files, to LDAP with the tools available at: http://www.padl.com/OSS/MigrationTools.html

Download and extract migrationtools:

wget http://www.padl.com/download/MigrationTools.tgz
tar -xzvf MigrationTools.tgz
cd MigrationTools-47/

Change the following lines in migrate_common.ph:

#$DEFAULT_MAIL_DOMAIN = "padl.com";              # comment out
$DEFAULT_BASE = "dc=SEDE,dc=infn,dc=it";         # insert your own base DN
#$DEFAULT_MAIL_HOST = "mail.padl.com";           # comment out
$EXTENDED_SCHEMA = 1;                            # set to 1

Prepare the passwd and group files. For example, for NIS:

ypcat passwd > passwd.nis
ypcat group  > group.nis

Convert the files to LDIF:

./migrate_passwd.pl passwd.nis passwd.ldif
./migrate_group.pl  group.nis  group.ldif
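Added example, not code from the guide or from PADL: a Python equivalent of migrate_passwd.pl with $EXTENDED_SCHEMA = 1 that shows what the converted entries look like, with the two checks worth making before loading a NIS dump into the DS, namely that locked accounts (“!” or “*” hashes) get no userPassword at all and that system accounts below uid 500 are skipped. The sample passwd lines are constructed and the hashes are not real; the base DN is the guide's placeholder.

```python
import base64

BASE_DN = 'dc=SEDE,dc=infn,dc=it'      # the guide's placeholder base DN
PEOPLE_OU = 'ou=People,' + BASE_DN
MIN_UID = 500                            # first ordinary user on Scientific Linux 5

# Constructed sample of `ypcat passwd` output; the hashes are not real.
SAMPLE_PASSWD = (
    'root:$1$3X9yuf3K$AAAAAAAAAAAAAAAAAAAAA.:0:0:root:/root:/bin/bash\n'
    'mrossi:$1$7jS0r3AB$3Xk9d0o1Q7aTz8pQvOe9y0:1001:1001:Mario Rossi,Room 12:/home/mrossi:/bin/bash\n'
    'olduser:!!:1002:1002:Old Account:/home/olduser:/sbin/nologin\n'
    'garbage line with no colons\n'
)


def _attr(name, value):
    """One LDIF attribute line; base64 (::) when the value is not a SAFE-STRING."""
    safe = (value.isascii() and '\n' not in value and '\r' not in value
            and '\0' not in value and not value.startswith((' ', ':', '<')))
    if safe:
        return '%s: %s\n' % (name, value)
    return '%s:: %s\n' % (name, base64.b64encode(value.encode('utf-8')).decode('ascii'))


def passwd_line_to_ldif(line):
    """LDIF entry for one passwd line, or None for a system account.

    Mirrors migrate_passwd.pl with $EXTENDED_SCHEMA = 1 (inetOrgPerson plus
    posixAccount) but, unlike it, emits no userPassword for locked accounts
    ('!' or '*' hashes) and skips uids below MIN_UID.  Raises ValueError on a
    malformed line instead of emitting a half entry.
    """
    fields = line.rstrip('\n').split(':')
    if len(fields) != 7:
        raise ValueError('malformed passwd line: %r' % line)
    login, pw_hash, uid, gid, gecos, home, shell = fields
    if int(uid) < MIN_UID:
        return None
    full_name = gecos.split(',')[0].strip() or login   # drop office/phone GECOS fields
    words = full_name.split()
    out = _attr('dn', 'uid=%s,%s' % (login, PEOPLE_OU))
    for oc in ('top', 'person', 'organizationalPerson', 'inetOrgPerson', 'posixAccount'):
        out += _attr('objectClass', oc)
    out += _attr('uid', login)
    out += _attr('cn', full_name)
    out += _attr('sn', words[-1])
    if len(words) > 1:
        out += _attr('givenName', ' '.join(words[:-1]))
    out += _attr('uidNumber', uid)
    out += _attr('gidNumber', gid)
    out += _attr('homeDirectory', home)
    out += _attr('loginShell', shell)
    out += _attr('gecos', gecos)
    if pw_hash and not pw_hash.startswith(('!', '*')):
        # The hash travels in the LDIF: protect the file until it is loaded.
        out += _attr('userPassword', '{crypt}' + pw_hash)
    return out


def migrate_passwd(text):
    """Convert a whole passwd dump; returns (ldif, report)."""
    entries = []
    report = {'migrated': 0, 'skipped_system': 0, 'errors': []}
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            entry = passwd_line_to_ldif(line)
        except ValueError as exc:
            report['errors'].append(str(exc))
            continue
        if entry is None:
            report['skipped_system'] += 1
        else:
            entries.append(entry)
            report['migrated'] += 1
    return '\n'.join(entries), report


if __name__ == '__main__':
    ldif, report = migrate_passwd(SAMPLE_PASSWD)
    print(ldif)
    print(report)
```

The LDIF carries every user's {crypt} hash, so write it with a restrictive umask and delete it after the ldapadd. Once loaded, the default ACIs of a new FDS instance keep userPassword unreadable to anonymous and ordinary binds, which is an improvement over NIS, where ypcat hands every hash to any client on the network.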

 

Fedora Management Console

The FDS Management console is the main tool to access the directory server.
To start it:

fedora-idm-console

It is always a good idea to log in as “admin”, using the https URL set up above.

It can also be installed locally on client machines, which significantly improves responsiveness.
The only requirement is a Java JRE on the client, whether Windows, Linux or Mac.

A standalone bundle of version 1.1 with a “fedora-idm-console” launcher script, tested on Windows and Linux, is available at: http://www.lnf.infn.it/~dmaselli/aai/fds-console-1.1.tar.gz