Sep 12, 2010, 6:00:55 PM (14 years ago)
Dramatically expand LDAP and installation documentation.
1 deleted
2 edited


  • branches/fc13-dev/server/doc/HOWTO-SETUP-LDAP

    r1532 r1645  
    33- Install the RPM 389-ds-base with yum
    4 - root# env NSS_NONLOCAL_IGNORE=1 useradd -r -d /var/lib/dirsrv fedora-ds
     4  root# yum install -y 389-ds-base
     5- We want to run the directory server as its own user, so create fedora-ds
     6  root# env NSS_NONLOCAL_IGNORE=1 useradd -r -d /var/lib/dirsrv fedora-ds
     7- root# yum install -y policycoreutils-python
    58- root# /usr/sbin/setup-ds.pl
    69    - Choose a typical install
    710    - Tell it to use the fedora-ds user and group
    811    - Directory server identifier: scripts
     12        Needed to remove this from the config file first
    913    - Suffix: dc=scripts,dc=mit,dc=edu
    1014    - Input directory manager password
     15      (this can be found in  ~/.ldapvirc)
     16        [XXX: Got error: sh: semanage: command not found; turns out this is in
     17        policycoreutils-python.  Don't know if this will cause problems.]
    1118- yum install ldapvi
    12 - /sbin/service dirsrv start
    13 - Apply ./fedora-ds-enable-ssl-and-kerberos.diff manually
    14 - Also set nsslapd-ldapifilepath: /var/run/dirsrv/slapd-scripts.socket
    15   and nsslapd-ldapilisten: on, otherwise ldapi won't work.
     19- Check if dirsrv starts: /sbin/service dirsrv start
     20- Apply the following configuration changes.  If you're editing
     21  dse.ldif, you don't want dirsrv to be on, otherwise it will
     22  overwrite your changes. [XXX: show how to do these changes with
     23  dsconf, which is the "blessed" method]
     25# Inside cn=config.  These changes definitely require a restart.
     26nsslapd-ldapifilepath: /var/run/dirsrv/slapd-scripts.socket
     27nsslapd-ldapilisten: on
     29# Add these blocks
     31# mapname, mapping, sasl, config
     32# This is the most liberal mapping you can have for SASL: you can
     33# basically add authentication for any given GSSAPI mechanism by
     34# explicitly creating the UID for that SASL string.
     35dn: cn=mapname,cn=mapping,cn=sasl,cn=config
     36objectClass: top
     37objectClass: nsSaslMapping
     38cn: mapname
     39nsSaslMapRegexString: \(.*\)
     40nsSaslMapBaseDNTemplate: uid=\1,ou=People,dc=scripts,dc=mit,dc=edu
     41nsSaslMapFilterTemplate: (objectClass=posixAccount)
    1643- /sbin/service dirsrv stop
    17 - Add the scripts schemas to /var/lib/dirsrv/slapd-scripts
    18 - wget http://web.mit.edu/geofft/Public/scripts-ca.pem
    19 - certutil -d /etc/dirsrv/slapd-scripts -A -n "scripts.mit.edu CA" -t CT,, -a -i scripts-ca.pem
    20 - Generate a pkcs12 cert for the server:
    21 - openssl pkcs12 -export -in c-w.pem -inkey c-w.key -name 'ldap/cats-whiskers' -out c-w.pkcs12
    22 - pk12util -i ldap-server-cert.p12 -d /etc/dirsrv/slapd-scripts
    23 - Put LDAP keytab in /etc/dirsrv/keytab
    24 - Uncomment and modify in /etc/syscnfig/dirsrv: KRB5_KTNAME=/etc/dirsrv/keytab ; export KRB5_KTNAME
    25 - mkdir -p /var/tmp/dirsrv
    26 - chown fedora-ds:fedora-ds /var/tmp/dirsrv
     44- Add the scripts schemas to /var/lib/dirsrv/slapd-scripts [XXX: I don't
     45  know how to do this, but placing them in /etc might be sufficient?]
     46- Put LDAP keytab (ldap/hostname.mit.edu) in /etc/dirsrv/keytab.  Make
     47  sure you chown/chgrp it to be readable by fedora-ds
     48- Uncomment and modify in /etc/sysconfig/dirsrv: KRB5_KTNAME=/etc/dirsrv/keytab ; export KRB5_KTNAME
     49- mkdir -p /var/run/dirsrv
     50- chown fedora-ds:fedora-ds /var/run/dirsrv
    2751- chmod 755 /var/run/dirsrv
    2852- /sbin/service dirsrv restart
    97121    /usr/lib64/dirsrv/slapd-scripts/db2index.pl -D "cn=Directory Manager" -j /etc/signup-ldap-pw -n userRoot
     123  (/etc/signup-ldap-pw is the LDAP root password, make sure it's
     124  chmodded correctly and chowned to signup. Also, make sure it doesn't
     125  have a trailing newline!)
    99127-  Watch for the indexing operations to finish with this command:
    101129    ldapsearch -x -y /etc/signup-ldap-pw -D 'cn=Directory Manager' -b cn=tasks,cn=config
    103 - Set up replication:
    104   (basically, execute
    105    http://directory.fedoraproject.org/sources/contrib/mmr.pl
    106    manually)
     131  (look for nktaskstatus)
     133- Set up replication.
     135  We used to tell people to go execute
     136  http://directory.fedoraproject.org/sources/contrib/mmr.pl manually
     137  (manually because that script assumes only two masters and we have
     138  every one of our servers set up as a master.)  However, those
     139  instructions are inaccurate, because we use GSSAPI, not SSL and
     140  because the initializing procedure is actually prone to a race
     141  condition.  Here are some better instructions.
     143  LDAP replication is based around producers and consumers.  Producers
     144  push changes in LDAP to consumers: these arrangements are called
     145  "replication agreements" and the producer will hold a
     146  nsDS5ReplicationAgreement object that represents this commitment,
     147  as well as some extra configuration to say who consumers will accept
     148  replication data from (a nsDS5Replica).
     150  The procedure, at a high level, is this:
     152    1. Pick an arbitrary existing master.  The current server will
     153       be configured as a slave to that master.  Initialize a changelog,
     154       then request a replication to populate our server with
     155       information.
     157            M1 <---> M2 ---> S
     159    2. Configure the new server to be replicated back.
     161            M1 <---> M2 <---> S
     163    3. Set up the rest of the replication agreements at your leisure.
     165                M1 <---> M2
     166                ^         ^
     167                |         |
     168                +--> S <--+
     170  Here's how you do it.
     172    1. Pull open the replication part of the database. It's fairly empty
     173       right now.
     175        ldapvi -b cn=\"dc=scripts,dc=mit,dc=edu\",cn=mapping\ tree,cn=config
     177    2. Configure the server $SLAVE (this server) to accept $MASTER
     178       replications by adding the following LDAP entries:
     180add cn=replica, cn="dc=scripts,dc=mit,dc=edu", cn=mapping tree, cn=config
     181objectClass: top
     182objectClass: nsDS5Replica
     183cn: replica
     184nsDS5ReplicaId: $REPLICA_ID
     185nsDS5ReplicaRoot: dc=scripts,dc=mit,dc=edu
     186nsDS5Flags: 1
     187nsDS5ReplicaBindDN: uid=ldap/bees-knees.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu
     188nsDS5ReplicaBindDN: uid=ldap/busy-beaver.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu
     189nsDS5ReplicaBindDN: uid=ldap/cats-whiskers.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu
     190nsDS5ReplicaBindDN: uid=ldap/pancake-bunny.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu
     191nsDS5ReplicaBindDN: uid=ldap/whole-enchilada.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu
     192nsDS5ReplicaBindDN: uid=ldap/real-mccoy.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu
     194nsds5ReplicaPurgeDelay: 604800
     195nsds5ReplicaLegacyConsumer: off
     196nsDS5ReplicaType: 3
     198        $REPLICA_ID is the scripts$N number (stella $HOSTNAME to find
     199        out.)  You might wonder why we are binding to all servers;
     200        weren't we going to replicate from only one server?  That is
     201        correct, however, simply binding won't mean we will receive
     202        updates; we have to setup the $MASTER to send data $SALVE.
     204    3. Although we allowed those uids to bind, that user information
     205       doesn't exist on $SLAVE yet.  So you'll need to create the entry
     206       for just $MASTER.
     208add uid=ldap/$MASTER,ou=People,dc=scripts,dc=mit,dc=edu
     209uid: ldap/$MASTER
     210objectClass: account
     211objectClass: top
     213    4. Though our $SLAVE will not be making changes to LDAP, we need to
     214       initialize the changelog because we intend to be able to do this
     215       later.
     217add cn=changelog5,cn=config
     218objectclass: top
     219objectclass: extensibleObject
     220cn: changelog5
     221nsslapd-changelogdir: /etc/dirsrv/slapd-scripts/changelogdb
     223    5. Ok, now go to your $MASTER server that you picked (it should have
     224       been one of the hosts mentioned in nsDS5ReplicaBindDN) and tell
     225       it to replicate to $SLAVE.
     227add cn="GSSAPI Replication to $SLAVE", cn=replica, cn="dc=scripts,dc=mit,dc=edu", cn=mapping tree, cn=config
     228objectClass: top
     229objectClass: nsDS5ReplicationAgreement
     230cn: "GSSAPI Replication to $SLAVE"
     231cn: GSSAPI Replication to $SLAVE
     232nsDS5ReplicaHost: $SLAVE
     233nsDS5ReplicaRoot: dc=scripts,dc=mit,dc=edu
     234nsDS5ReplicaPort: 389
     235nsDS5ReplicaTransportInfo: LDAP
     238nsDS5ReplicaBindMethod: SASL/GSSAPI
     239nsDS5ReplicaUpdateSchedule: "0000-2359 0123456"
     240nsDS5ReplicaTimeout: 120
     242    4. Run the replication. (you could fold this into the previous step)
     244# under cn="GSSAPI Replication to $SLAVE", cn=replica, cn="dc=scripts,dc=mit,dc=edu", cn=mapping tree, cn=config
     245nsDS5BeginReplicaRefresh: start
     247    5. Check that the replication is running; the status will be stored
     248    in the object we've been mucking around with.
     250    If it fails with LDAP Error 49, check /var/log/dirsrv on $MASTER
     251    for more information.  It might be because fedora-ds can't read
     252    /etc/dirsrv/keytab
     254    6. Replicate in the other direction.  On $MASTER, add $SLAVE
     255    as a nsDS5ReplicaBindDN in cn=replica,cn="dc=scripts,dc=mit,dc=edu",cn=mapping tree,cn=config
     256    Also, add an account for $SLAVE
     258add uid=ldap/$SLAVE,ou=People,dc=scripts,dc=mit,dc=edu
     259uid: ldap/$SLAVE
     260objectClass: account
     261objectClass: top
     263    On $SLAVE,
     265add cn="GSSAPI Replication to $MASTER", cn=replica, cn="dc=scripts,dc=mit,dc=edu", cn=mapping tree, cn=config
     266objectClass: top
     267objectClass: nsDS5ReplicationAgreement
     268cn: "GSSAPI Replication to $MASTER"
     269cn: GSSAPI Replication to $MASTER
     270nsDS5ReplicaHost: $MASTER
     271nsDS5ReplicaRoot: dc=scripts,dc=mit,dc=edu
     272nsDS5ReplicaPort: 389
     273nsDS5ReplicaTransportInfo: LDAP
     274nsDS5ReplicaBindDN: uid=ldap/$SLAVE,ou=People,dc=scripts,dc=mit,dc=edu
     275nsDS5ReplicaBindMethod: SASL/GSSAPI
     276nsDS5ReplicaUpdateSchedule: "0000-2359 0123456"
     277nsDS5ReplicaTimeout: 120
     279    If you get a really scary internal server error, that might mean you
     280    forgot to initialize the changelog.  Remove the replication
     281    agreement (you'll need to turn off dirsrv), add the changelog, and
     282    then try again.
     284[XXX: Do we need the referrals?]
  • branches/fc13-dev/server/doc/install-howto.sh

    r1620 r1645  
    2727# Start with a normal install of Fedora.
     29# Take updates
     30    YUM update
    2932if [ $boot = 0 ]; then
    7174    svn co svn://$source_server/$branch repository
     76    # XXX These sed scripts don't work
    7377    sed -i 's/^(# *)*store-passwords.*/store-passwords = no/' /root/.subversion/config
    7478    sed -i 's/^(# *)*store-auth-creds.*/store-auth-creds = no/' /root/.subversion/config
    9094    # won't work.
     96# Get some packages necessary for OpenAFS
     97    YUM install -y redhat-lsb
     98    YUM install -y autofs
    92100# Add scripts-build to the group 'mock'
    93101    usermod -a -G mock scripts-build
    110118# You can get password SSH back by editing /etc/ssh/sshd_config (allow
    111119# password auth) and /etc/pam.d/sshd (comment out the first three auth
    112 # lines)
     120# lines).  However, you can also temporarily install krb5 and setup the
     121# keytabs and k5login to get Kerberized authentication.
    114123    service named start
    118127# packages for a new Fedora release.  Consult 'upgrade-tips' for more
    119128# information.
    121 # In the case of the Kerberos libraries, you'll be told that
    122 # there are conflicting files with the 64-bit versions of the packages,
    123 # which we scriptsify.  You'll have to use --force to install those
    124 # rpms despite the conflicts.  After doing that, you may want to
    125 # install the corresponding 64-bit scriptsified versions again, just
    126 # to be safe in case the 32-bit versions overwrite files that differ.
    127 # When you try this, it will complain that you already have the same
    128 # version installed; again, you'll need to use --force to do it anyway.
    130 # We need yumdownloader to force some RPMs
    131     # XXX: This might be wrong. Sanity check what packages ou
    132     # have when done
    133     YUM install -y yum-utils
    134     yumdownloader krb5-libs
    135     # XXX: These version numbers are hardcoded, need some cli-fu to generalize
    136     # FC13: Check if they are necessary
    137     rpm -i krb5-libs-*.i586.rpm
    138     rpm -U --force krb5-libs-*.scripts.1138.x86_64.rpm
    140130# env NSS_NONLOCAL_IGNORE=1 yum install scripts-base
    174164    YUM install -y nrpe
    175165    YUM install -y nagios-plugins-all
     166    YUM install -y fprintd-pam
    177168# Disable NetworkManager with chkconfig NetworkManager off. Configure
    198189# Edit the parameters in /etc/sysconfig/openafs
    200 # Figure out why Zephyr isn't working. Most recently, it was because there
    201 # was a 64-bit RPM installed; remove it and install Joe's 32-bit one
    202     YUM erase -y mit-zephyr
    203     # mit-zephyr has a spurious dependency on mit-krb-config
    204     yumdownloader mit-zephyr.i386
    205     # if deps change, this breaks
    206     YUM install -y libXaw.i586 libXext.i586 libXmu.i586 ncurses-libs.i586 readline.i586
    207     rpm -i --nodeps mit-zephyr-2.1-6-linux.i386.rpm
    208     # test if it worked by sending an un-authed message
    209     zwrite -d -c scripts -i test
     191# Test that zephyr is working
     192    chkconfig zhm on
     193    service zhm start
     194    echo 'Test!' | zwrite -d -c scripts -i test
    211196# Install the athena-base, athena-lprng, and athena-lprng-misc RPMs
    251236    mkdir vice
    252237    cd vice
    253     svn co svn://scripts.mit.edu/trunk/server/fedora/config/usr/vice/etc etc
     238    svn co svn://scripts.mit.edu/$branch/server/fedora/config/usr/vice/etc etc
    254239    \cp -a etc /usr/vice
    308293    echo 'import site, os.path; site.addsitedir(os.path.expanduser("~/lib/python2.6/site-packages"))' > /usr/lib/python2.6/site-packages/00scripts-home.pth
    310 # Install the credentials.  There are a lot of things to remember here:
     295# Install the credentials.  There are a lot of things to remember here.
     296# Be sure to make sure the permissions match up (ls -l on an existing
     297# server!).
    311298#   o This will be different if you're setting up our build/update server.
    312299#   o You probably installed the machine keytab long ago
    313300    ls -l /etc/krb5.keytab
    314 #   o Use ktutil to combine the host/scripts.mit.edu and
     301#     Use ktutil to combine the host/scripts.mit.edu and
    315302#     host/scripts-vhosts.mit.edu keys with host/this-server.mit.edu in
    316303#     the keytab.  Do not use 'k5srvutil change' on the combined keytab
    317 #     or you'll break the other servers. (real servers only)
     304#     or you'll break the other servers. (real servers only).  Be
     305#     careful about writing out the keytab: if you write it to an
     306#     existing file the keys will just get appended
    318307#   o The daemon.scripts keytab
    319308    ls -l /etc/daemon.keytab
    320309#   o The SSL cert private key (real servers only)
     310    ls -l /etc/pki/tls/private/scripts.key
    321311#   o The LDAP password for the signup process (real servers only)
    322 #   o The SQL password for the signup process (real servers only)
     312    ls -l /etc/signup-ldap-pw
     313#   o The SQL password for the signup process (real servers only) (you
     314#     only need one)
     315    ls -l /usr/local/etc/sql-mit-edu.cfg.php
     316    ls -l /etc/sql-mit-edu.cfg.php
    323317#   o The whoisd password (real servers only)
    324 #   o The LDAP keytab for this server, which will be used later (real servers only)
     318#   o The LDAP keytab for this server, which will be used later (real
     319#     servers only).
     320    ls -l /etc/dirsrv/keytab
    325321#   o Replace the ssh host keys with the ones common to all scripts servers (real servers only)
    326 #   o You'll install an LDAP certificate signed by the scripts CA later (real servers only)
     322    ls -l /etc/ssh/*key*
    327323#   o Make sure root's .k5login is correct
    328324    cat /root/.k5login
    329325#   o Make sure logview's .k5login is correct (real servers only)
     326    cat /home/logview/.k5login
    331328# If you are setting up a test server, pay attention to
    353350    vim /home/afsagent/renew # replace all mentions of daemon.scripts.mit.edu
    355 # Install 389-ds-base and set up replication (see ./HOWTO-SETUP-LDAP
    356 #   and ./389-ds-enable-ssl-and-kerberos.diff).
     352# Install 389-ds-base and set up replication (see ./HOWTO-SETUP-LDAP).
    358354# Make the services dirsrv, nslcd, nscd, postfix, and httpd start at
    421417# XXX: our SVN checkout should be updated to use scripts.mit.edu
    422 # (repository and etc)
     418# (repository and etc) once serving actually works.
Note: See TracChangeset for help on using the changeset viewer.