Sep 12, 2010, 6:00:55 PM
Dramatically expand LDAP and installation documentation.
1 edited


  • branches/fc13-dev/server/doc/HOWTO-SETUP-LDAP

    r1532 r1645  
    33- Install the RPM 389-ds-base with yum
    4 - root# env NSS_NONLOCAL_IGNORE=1 useradd -r -d /var/lib/dirsrv fedora-ds
     4  root# yum install -y 389-ds-base
     5- We want to run the directory server as its own user, so create fedora-ds
     6  root# env NSS_NONLOCAL_IGNORE=1 useradd -r -d /var/lib/dirsrv fedora-ds
     7- root# yum install -y policycoreutils-python
    58- root# /usr/sbin/setup-ds.pl
    69    - Choose a typical install
    710    - Tell it to use the fedora-ds user and group
    811    - Directory server identifier: scripts
     12        Needed to remove this from the config file first
    913    - Suffix: dc=scripts,dc=mit,dc=edu
    1014    - Input directory manager password
     15      (this can be found in  ~/.ldapvirc)
     16        [XXX: Got error: sh: semanage: command not found; turns out this is in
     17        policycoreutils-python.  Don't know if this will cause problems.]
    1118- yum install ldapvi
    12 - /sbin/service dirsrv start
    13 - Apply ./fedora-ds-enable-ssl-and-kerberos.diff manually
    14 - Also set nsslapd-ldapifilepath: /var/run/dirsrv/slapd-scripts.socket
    15   and nsslapd-ldapilisten: on, otherwise ldapi won't work.
     19- Check if dirsrv starts: /sbin/service dirsrv start
     20- Apply the following configuration changes.  If you're editing
     21  dse.ldif, you don't want dirsrv to be on, otherwise it will
     22  overwrite your changes. [XXX: show how to do these changes with
     23  dsconf, which is the "blessed" method]
     25# Inside cn=config.  These changes definitely require a restart.
     26nsslapd-ldapifilepath: /var/run/dirsrv/slapd-scripts.socket
     27nsslapd-ldapilisten: on
     29# Add these blocks
     31# mapname, mapping, sasl, config
     32# This is the most liberal mapping you can have for SASL: you can
     33# basically add authentication for any given GSSAPI mechanism by
     34# explicitly creating the UID for that SASL string.
     35dn: cn=mapname,cn=mapping,cn=sasl,cn=config
     36objectClass: top
     37objectClass: nsSaslMapping
     38cn: mapname
     39nsSaslMapRegexString: \(.*\)
     40nsSaslMapBaseDNTemplate: uid=\1,ou=People,dc=scripts,dc=mit,dc=edu
     41nsSaslMapFilterTemplate: (objectClass=posixAccount)
    1643- /sbin/service dirsrv stop
    17 - Add the scripts schemas to /var/lib/dirsrv/slapd-scripts
    18 - wget http://web.mit.edu/geofft/Public/scripts-ca.pem
    19 - certutil -d /etc/dirsrv/slapd-scripts -A -n "scripts.mit.edu CA" -t CT,, -a -i scripts-ca.pem
    20 - Generate a pkcs12 cert for the server:
    21 - openssl pkcs12 -export -in c-w.pem -inkey c-w.key -name 'ldap/cats-whiskers' -out c-w.pkcs12
    22 - pk12util -i ldap-server-cert.p12 -d /etc/dirsrv/slapd-scripts
    23 - Put LDAP keytab in /etc/dirsrv/keytab
    24 - Uncomment and modify in /etc/syscnfig/dirsrv: KRB5_KTNAME=/etc/dirsrv/keytab ; export KRB5_KTNAME
    25 - mkdir -p /var/tmp/dirsrv
    26 - chown fedora-ds:fedora-ds /var/tmp/dirsrv
     44- Add the scripts schemas to /var/lib/dirsrv/slapd-scripts [XXX: I don't
     45  know how to do this, but placing them in /etc might be sufficient?]
     46- Put LDAP keytab (ldap/hostname.mit.edu) in /etc/dirsrv/keytab.  Make
     47  sure you chown/chgrp it to be readable by fedora-ds
     48- Uncomment and modify in /etc/sysconfig/dirsrv: KRB5_KTNAME=/etc/dirsrv/keytab ; export KRB5_KTNAME
     49- mkdir -p /var/run/dirsrv
     50- chown fedora-ds:fedora-ds /var/run/dirsrv
    2751- chmod 755 /var/run/dirsrv
    2852- /sbin/service dirsrv restart
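Review bot: the removed `root# yum install -y policycoreutils-python` (old line 7) is exactly the package that supplies `semanage`, so the open question at new lines 16-17 (`sh: semanage: command not found` while running setup-ds.pl) is answered within this same hunk: restore that install ahead of `root# /usr/sbin/setup-ds.pl` so the SELinux labelling step that calls semanage can actually run, and drop the XXX. Two smaller points. The keytab step at new lines 46-47 only says the file must be readable by fedora-ds; state the intended owner and mode explicitly (owner fedora-ds, mode 0600 is the usual choice), since this file holds the ldap/ service key and must not stay world-readable, and the Directory Manager password kept in `~/.ldapvirc` (new line 15) deserves the same remark. Finally, the SASL mapping `nsSaslMapRegexString: \(.*\)` to `uid=\1,ou=People,dc=scripts,dc=mit,dc=edu` is, as its comment says, the most liberal possible: any principal the KDC (or a trusted cross-realm KDC) issues a ticket for binds as whatever entry carries that uid, and the only restriction is `nsSaslMapFilterTemplate: (objectClass=posixAccount)`; spell that consequence out in the comment so nobody later creates a uid entry for an untrusted principal without realizing it grants an LDAP bind.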
    97121    /usr/lib64/dirsrv/slapd-scripts/db2index.pl -D "cn=Directory Manager" -j /etc/signup-ldap-pw -n userRoot
     123  (/etc/signup-ldap-pw is the LDAP root password, make sure it's
     124  chmodded correctly and chowned to signup. Also, make sure it doesn't
     125  have a trailing newline!)
    99127-  Watch for the indexing operations to finish with this command:
    101129    ldapsearch -x -y /etc/signup-ldap-pw -D 'cn=Directory Manager' -b cn=tasks,cn=config
    103 - Set up replication:
    104   (basically, execute
    105    http://directory.fedoraproject.org/sources/contrib/mmr.pl
    106    manually)
     131  (look for nktaskstatus)
     133- Set up replication.
     135  We used to tell people to go execute
     136  http://directory.fedoraproject.org/sources/contrib/mmr.pl manually
     137  (manually because that script assumes only two masters and we have
     138  every one of our servers set up as a master.)  However, those
     139  instructions are inaccurate, because we use GSSAPI, not SSL and
     140  because the initializing procedure is actually prone to a race
     141  condition.  Here are some better instructions.
     143  LDAP replication is based around producers and consumers.  Producers
     144  push changes in LDAP to consumers: these arrangements are called
     145  "replication agreements" and the producer will hold a
     146  nsDS5ReplicationAgreement object that represents this commitment,
     147  as well as some extra configuration to say who consumers will accept
     148  replication data from (a nsDS5Replica).
     150  The procedure, at a high level, is this:
     152    1. Pick an arbitrary existing master.  The current server will
     153       be configured as a slave to that master.  Initialize a changelog,
     154       then request a replication to populate our server with
     155       information.
     157            M1 <---> M2 ---> S
     159    2. Configure the new server to be replicated back.
     161            M1 <---> M2 <---> S
     163    3. Set up the rest of the replication agreements at your leisure.
     165                M1 <---> M2
     166                ^         ^
     167                |         |
     168                +--> S <--+
     170  Here's how you do it.
     172    1. Pull open the replication part of the database. It's fairly empty
     173       right now.
     175        ldapvi -b cn=\"dc=scripts,dc=mit,dc=edu\",cn=mapping\ tree,cn=config
     177    2. Configure the server $SLAVE (this server) to accept $MASTER
     178       replications by adding the following LDAP entries:
     180add cn=replica, cn="dc=scripts,dc=mit,dc=edu", cn=mapping tree, cn=config
     181objectClass: top
     182objectClass: nsDS5Replica
     183cn: replica
     184nsDS5ReplicaId: $REPLICA_ID
     185nsDS5ReplicaRoot: dc=scripts,dc=mit,dc=edu
     186nsDS5Flags: 1
     187nsDS5ReplicaBindDN: uid=ldap/bees-knees.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu
     188nsDS5ReplicaBindDN: uid=ldap/busy-beaver.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu
     189nsDS5ReplicaBindDN: uid=ldap/cats-whiskers.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu
     190nsDS5ReplicaBindDN: uid=ldap/pancake-bunny.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu
     191nsDS5ReplicaBindDN: uid=ldap/whole-enchilada.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu
     192nsDS5ReplicaBindDN: uid=ldap/real-mccoy.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu
     194nsds5ReplicaPurgeDelay: 604800
     195nsds5ReplicaLegacyConsumer: off
     196nsDS5ReplicaType: 3
     198        $REPLICA_ID is the scripts$N number (stella $HOSTNAME to find
     199        out.)  You might wonder why we are binding to all servers;
     200        weren't we going to replicate from only one server?  That is
     201        correct, however, simply binding won't mean we will receive
     202        updates; we have to setup the $MASTER to send data $SALVE.
     204    3. Although we allowed those uids to bind, that user information
     205       doesn't exist on $SLAVE yet.  So you'll need to create the entry
     206       for just $MASTER.
     208add uid=ldap/$MASTER,ou=People,dc=scripts,dc=mit,dc=edu
     209uid: ldap/$MASTER
     210objectClass: account
     211objectClass: top
     213    4. Though our $SLAVE will not be making changes to LDAP, we need to
     214       initialize the changelog because we intend to be able to do this
     215       later.
     217add cn=changelog5,cn=config
     218objectclass: top
     219objectclass: extensibleObject
     220cn: changelog5
     221nsslapd-changelogdir: /etc/dirsrv/slapd-scripts/changelogdb
     223    5. Ok, now go to your $MASTER server that you picked (it should have
     224       been one of the hosts mentioned in nsDS5ReplicaBindDN) and tell
     225       it to replicate to $SLAVE.
     227add cn="GSSAPI Replication to $SLAVE", cn=replica, cn="dc=scripts,dc=mit,dc=edu", cn=mapping tree, cn=config
     228objectClass: top
     229objectClass: nsDS5ReplicationAgreement
     230cn: "GSSAPI Replication to $SLAVE"
     231cn: GSSAPI Replication to $SLAVE
     232nsDS5ReplicaHost: $SLAVE
     233nsDS5ReplicaRoot: dc=scripts,dc=mit,dc=edu
     234nsDS5ReplicaPort: 389
     235nsDS5ReplicaTransportInfo: LDAP
     238nsDS5ReplicaBindMethod: SASL/GSSAPI
     239nsDS5ReplicaUpdateSchedule: "0000-2359 0123456"
     240nsDS5ReplicaTimeout: 120
     242    4. Run the replication. (you could fold this into the previous step)
     244# under cn="GSSAPI Replication to $SLAVE", cn=replica, cn="dc=scripts,dc=mit,dc=edu", cn=mapping tree, cn=config
     245nsDS5BeginReplicaRefresh: start
     247    5. Check that the replication is running; the status will be stored
     248    in the object we've been mucking around with.
     250    If it fails with LDAP Error 49, check /var/log/dirsrv on $MASTER
     251    for more information.  It might be because fedora-ds can't read
     252    /etc/dirsrv/keytab
     254    6. Replicate in the other direction.  On $MASTER, add $SLAVE
     255    as a nsDS5ReplicaBindDN in cn=replica,cn="dc=scripts,dc=mit,dc=edu",cn=mapping tree,cn=config
     256    Also, add an account for $SLAVE
     258add uid=ldap/$SLAVE,ou=People,dc=scripts,dc=mit,dc=edu
     259uid: ldap/$SLAVE
     260objectClass: account
     261objectClass: top
     263    On $SLAVE,
     265add cn="GSSAPI Replication to $MASTER", cn=replica, cn="dc=scripts,dc=mit,dc=edu", cn=mapping tree, cn=config
     266objectClass: top
     267objectClass: nsDS5ReplicationAgreement
     268cn: "GSSAPI Replication to $MASTER"
     269cn: GSSAPI Replication to $MASTER
     270nsDS5ReplicaHost: $MASTER
     271nsDS5ReplicaRoot: dc=scripts,dc=mit,dc=edu
     272nsDS5ReplicaPort: 389
     273nsDS5ReplicaTransportInfo: LDAP
     274nsDS5ReplicaBindDN: uid=ldap/$SLAVE,ou=People,dc=scripts,dc=mit,dc=edu
     275nsDS5ReplicaBindMethod: SASL/GSSAPI
     276nsDS5ReplicaUpdateSchedule: "0000-2359 0123456"
     277nsDS5ReplicaTimeout: 120
     279    If you get a really scary internal server error, that might mean you
     280    forgot to initialize the changelog.  Remove the replication
     281    agreement (you'll need to turn off dirsrv), add the changelog, and
     282    then try again.
     284[XXX: Do we need the referrals?]
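Review bot: the step numbering in the walkthrough restarts: after `5. Ok, now go to your $MASTER server` (new line 223) the following steps are labelled `4. Run the replication`, `5. Check that the replication is running` and `6. Replicate in the other direction` (new lines 242, 247, 254); renumber them 6, 7 and 8 so "the previous step" at line 242 is unambiguous. In the same region, `$SALVE` at new line 202 should be `$SLAVE`, and `(look for nktaskstatus)` at new line 131 looks like a typo for the nsTaskStatus attribute. The two replication agreements are also inconsistent: the $MASTER to $SLAVE agreement (new lines 227-240) carries no nsDS5ReplicaBindDN, while the reverse agreement (new lines 265-277) has `nsDS5ReplicaBindDN: uid=ldap/$SLAVE,ou=People,dc=scripts,dc=mit,dc=edu`; either both agreements need the line or neither does under SASL/GSSAPI, and the text should say which, otherwise a reader copying the first block will wonder whether the missing line explains the `LDAP Error 49` the hunk warns about. Last, step 6 grants $SLAVE update rights on $MASTER by adding its bind DN, so it is worth noting beside the nsDS5ReplicaBindDN list at new lines 187-192 that every uid listed there can push arbitrary changes into the tree: keep the list to hosts that are actually masters and remove retired ones when a server is decommissioned.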