Changeset 1645 for branches/fc13-dev/server/doc/HOWTO-SETUP-LDAP
Timestamp: Sep 12, 2010, 6:00:55 PM
File: 1 edited
branches/fc13-dev/server/doc/HOWTO-SETUP-LDAP
r1532 r1645 2 2 3 3 - Install the RPM 389-ds-base with yum 4 - root# env NSS_NONLOCAL_IGNORE=1 useradd -r -d /var/lib/dirsrv fedora-ds 4 root# yum install -y 389-ds-base 5 - We want to run the directory server as its own user, so create fedora-ds 6 root# env NSS_NONLOCAL_IGNORE=1 useradd -r -d /var/lib/dirsrv fedora-ds 7 - root# yum install -y policycoreutils-python 5 8 - root# /usr/sbin/setup-ds.pl 6 9 - Choose a typical install 7 10 - Tell it to use the fedora-ds user and group 8 11 - Directory server identifier: scripts 12 Needed to remove this from the config file first 9 13 - Suffix: dc=scripts,dc=mit,dc=edu 10 14 - Input directory manager password 15 (this can be found in ~/.ldapvirc) 16 [XXX: Got error: sh: semanage: command not found; turns out this is in 17 policycoreutils-python. Don't know if this will cause problems.] 11 18 - yum install ldapvi 12 - /sbin/service dirsrv start 13 - Apply ./fedora-ds-enable-ssl-and-kerberos.diff manually 14 - Also set nsslapd-ldapifilepath: /var/run/dirsrv/slapd-scripts.socket 15 and nsslapd-ldapilisten: on, otherwise ldapi won't work. 19 - Check if dirsrv starts: /sbin/service dirsrv start 20 - Apply the following configuration changes. If you're editing 21 dse.ldif, you don't want dirsrv to be on, otherwise it will 22 overwrite your changes. [XXX: show how to do these changes with 23 dsconf, which is the "blessed" method] 24 25 # Inside cn=config. These changes definitely require a restart. 26 nsslapd-ldapifilepath: /var/run/dirsrv/slapd-scripts.socket 27 nsslapd-ldapilisten: on 28 29 # Add these blocks 30 31 # mapname, mapping, sasl, config 32 # This is the most liberal mapping you can have for SASL: you can 33 # basically add authentication for any given GSSAPI mechanism by 34 # explicitly creating the UID for that SASL string. 
35 dn: cn=mapname,cn=mapping,cn=sasl,cn=config 36 objectClass: top 37 objectClass: nsSaslMapping 38 cn: mapname 39 nsSaslMapRegexString: \(.*\) 40 nsSaslMapBaseDNTemplate: uid=\1,ou=People,dc=scripts,dc=mit,dc=edu 41 nsSaslMapFilterTemplate: (objectClass=posixAccount) 42 16 43 - /sbin/service dirsrv stop 17 - Add the scripts schemas to /var/lib/dirsrv/slapd-scripts 18 - wget http://web.mit.edu/geofft/Public/scripts-ca.pem 19 - certutil -d /etc/dirsrv/slapd-scripts -A -n "scripts.mit.edu CA" -t CT,, -a -i scripts-ca.pem 20 - Generate a pkcs12 cert for the server: 21 - openssl pkcs12 -export -in c-w.pem -inkey c-w.key -name 'ldap/cats-whiskers' -out c-w.pkcs12 22 - pk12util -i ldap-server-cert.p12 -d /etc/dirsrv/slapd-scripts 23 - Put LDAP keytab in /etc/dirsrv/keytab 24 - Uncomment and modify in /etc/syscnfig/dirsrv: KRB5_KTNAME=/etc/dirsrv/keytab ; export KRB5_KTNAME 25 - mkdir -p /var/tmp/dirsrv 26 - chown fedora-ds:fedora-ds /var/tmp/dirsrv 44 - Add the scripts schemas to /var/lib/dirsrv/slapd-scripts [XXX: I don't 45 know how to do this, but placing them in /etc might be sufficient?] 46 - Put LDAP keytab (ldap/hostname.mit.edu) in /etc/dirsrv/keytab. Make 47 sure you chown/chgrp it to be readable by fedora-ds 48 - Uncomment and modify in /etc/sysconfig/dirsrv: KRB5_KTNAME=/etc/dirsrv/keytab ; export KRB5_KTNAME 49 - mkdir -p /var/run/dirsrv 50 - chown fedora-ds:fedora-ds /var/run/dirsrv 27 51 - chmod 755 /var/run/dirsrv 28 52 - /sbin/service dirsrv restart … … 97 121 /usr/lib64/dirsrv/slapd-scripts/db2index.pl -D "cn=Directory Manager" -j /etc/signup-ldap-pw -n userRoot 98 122 123 (/etc/signup-ldap-pw is the LDAP root password, make sure it's 124 chmodded correctly and chowned to signup. Also, make sure it doesn't 125 have a trailing newline!) 
126 99 127 - Watch for the indexing operations to finish with this command: 100 128 101 129 ldapsearch -x -y /etc/signup-ldap-pw -D 'cn=Directory Manager' -b cn=tasks,cn=config 102 130 103 - Set up replication: 104 (basically, execute 105 http://directory.fedoraproject.org/sources/contrib/mmr.pl 106 manually) 131 (look for nktaskstatus) 132 133 - Set up replication. 134 135 We used to tell people to go execute 136 http://directory.fedoraproject.org/sources/contrib/mmr.pl manually 137 (manually because that script assumes only two masters and we have 138 every one of our servers set up as a master.) However, those 139 instructions are inaccurate, because we use GSSAPI, not SSL and 140 because the initializing procedure is actually prone to a race 141 condition. Here are some better instructions. 142 143 LDAP replication is based around producers and consumers. Producers 144 push changes in LDAP to consumers: these arrangements are called 145 "replication agreements" and the producer will hold a 146 nsDS5ReplicationAgreement object that represents this commitment, 147 as well as some extra configuration to say who consumers will accept 148 replication data from (a nsDS5Replica). 149 150 The procedure, at a high level, is this: 151 152 1. Pick an arbitrary existing master. The current server will 153 be configured as a slave to that master. Initialize a changelog, 154 then request a replication to populate our server with 155 information. 156 157 M1 <---> M2 ---> S 158 159 2. Configure the new server to be replicated back. 160 161 M1 <---> M2 <---> S 162 163 3. Set up the rest of the replication agreements at your leisure. 164 165 M1 <---> M2 166 ^ ^ 167 | | 168 +--> S <--+ 169 170 Here's how you do it. 171 172 1. Pull open the replication part of the database. It's fairly empty 173 right now. 174 175 ldapvi -b cn=\"dc=scripts,dc=mit,dc=edu\",cn=mapping\ tree,cn=config 176 177 2. 
Configure the server $SLAVE (this server) to accept $MASTER 178 replications by adding the following LDAP entries: 179 180 add cn=replica, cn="dc=scripts,dc=mit,dc=edu", cn=mapping tree, cn=config 181 objectClass: top 182 objectClass: nsDS5Replica 183 cn: replica 184 nsDS5ReplicaId: $REPLICA_ID 185 nsDS5ReplicaRoot: dc=scripts,dc=mit,dc=edu 186 nsDS5Flags: 1 187 nsDS5ReplicaBindDN: uid=ldap/bees-knees.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu 188 nsDS5ReplicaBindDN: uid=ldap/busy-beaver.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu 189 nsDS5ReplicaBindDN: uid=ldap/cats-whiskers.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu 190 nsDS5ReplicaBindDN: uid=ldap/pancake-bunny.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu 191 nsDS5ReplicaBindDN: uid=ldap/whole-enchilada.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu 192 nsDS5ReplicaBindDN: uid=ldap/real-mccoy.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu 193 # ADD SERVERS HERE AS YOU ADD NEW SERVERS 194 nsds5ReplicaPurgeDelay: 604800 195 nsds5ReplicaLegacyConsumer: off 196 nsDS5ReplicaType: 3 197 198 $REPLICA_ID is the scripts$N number (stella $HOSTNAME to find 199 out.) You might wonder why we are binding to all servers; 200 weren't we going to replicate from only one server? That is 201 correct, however, simply binding won't mean we will receive 202 updates; we have to setup the $MASTER to send data $SALVE. 203 204 3. Although we allowed those uids to bind, that user information 205 doesn't exist on $SLAVE yet. So you'll need to create the entry 206 for just $MASTER. 207 208 add uid=ldap/$MASTER,ou=People,dc=scripts,dc=mit,dc=edu 209 uid: ldap/$MASTER 210 objectClass: account 211 objectClass: top 212 213 4. Though our $SLAVE will not be making changes to LDAP, we need to 214 initialize the changelog because we intend to be able to do this 215 later. 216 217 add cn=changelog5,cn=config 218 objectclass: top 219 objectclass: extensibleObject 220 cn: changelog5 221 nsslapd-changelogdir: /etc/dirsrv/slapd-scripts/changelogdb 222 223 5. 
Ok, now go to your $MASTER server that you picked (it should have 224 been one of the hosts mentioned in nsDS5ReplicaBindDN) and tell 225 it to replicate to $SLAVE. 226 227 add cn="GSSAPI Replication to $SLAVE", cn=replica, cn="dc=scripts,dc=mit,dc=edu", cn=mapping tree, cn=config 228 objectClass: top 229 objectClass: nsDS5ReplicationAgreement 230 cn: "GSSAPI Replication to $SLAVE" 231 cn: GSSAPI Replication to $SLAVE 232 nsDS5ReplicaHost: $SLAVE 233 nsDS5ReplicaRoot: dc=scripts,dc=mit,dc=edu 234 nsDS5ReplicaPort: 389 235 nsDS5ReplicaTransportInfo: LDAP 236 nsDS5ReplicaBindDN: 237 uid=ldap/$MASTER,ou=People,dc=scripts,dc=mit,dc=edu 238 nsDS5ReplicaBindMethod: SASL/GSSAPI 239 nsDS5ReplicaUpdateSchedule: "0000-2359 0123456" 240 nsDS5ReplicaTimeout: 120 241 242 4. Run the replication. (you could fold this into the previous step) 243 244 # under cn="GSSAPI Replication to $SLAVE", cn=replica, cn="dc=scripts,dc=mit,dc=edu", cn=mapping tree, cn=config 245 nsDS5BeginReplicaRefresh: start 246 247 5. Check that the replication is running; the status will be stored 248 in the object we've been mucking around with. 249 250 If it fails with LDAP Error 49, check /var/log/dirsrv on $MASTER 251 for more information. It might be because fedora-ds can't read 252 /etc/dirsrv/keytab 253 254 6. Replicate in the other direction. 
On $MASTER, add $SLAVE 255 as a nsDS5ReplicaBindDN in cn=replica,cn="dc=scripts,dc=mit,dc=edu",cn=mapping tree,cn=config 256 Also, add an account for $SLAVE 257 258 add uid=ldap/$SLAVE,ou=People,dc=scripts,dc=mit,dc=edu 259 uid: ldap/$SLAVE 260 objectClass: account 261 objectClass: top 262 263 On $SLAVE, 264 265 add cn="GSSAPI Replication to $MASTER", cn=replica, cn="dc=scripts,dc=mit,dc=edu", cn=mapping tree, cn=config 266 objectClass: top 267 objectClass: nsDS5ReplicationAgreement 268 cn: "GSSAPI Replication to $MASTER" 269 cn: GSSAPI Replication to $MASTER 270 nsDS5ReplicaHost: $MASTER 271 nsDS5ReplicaRoot: dc=scripts,dc=mit,dc=edu 272 nsDS5ReplicaPort: 389 273 nsDS5ReplicaTransportInfo: LDAP 274 nsDS5ReplicaBindDN: uid=ldap/$SLAVE,ou=People,dc=scripts,dc=mit,dc=edu 275 nsDS5ReplicaBindMethod: SASL/GSSAPI 276 nsDS5ReplicaUpdateSchedule: "0000-2359 0123456" 277 nsDS5ReplicaTimeout: 120 278 279 If you get a really scary internal server error, that might mean you 280 forgot to initialize the changelog. Remove the replication 281 agreement (you'll need to turn off dirsrv), add the changelog, and 282 then try again. 283 284 [XXX: Do we need the referrals?]
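Review bot: the SASL mapping added under cn=mapname,cn=mapping,cn=sasl,cn=config pairs the regex \(.*\) with nsSaslMapFilterTemplate: (objectClass=posixAccount), but the replication bind identities created later in the walkthrough (uid=ldap/$MASTER and uid=ldap/$SLAVE) carry only objectClass: account, so they do not satisfy that filter; confirm that GSSAPI binds for those principals actually resolve through this mapping, or add the objectClass the filter expects to those entries. The comment calls this "the most liberal mapping you can have"; the text should state plainly what that means: any principal the keytab accepts is mapped to a uid by name alone, so control over who may bind as a replication peer rests entirely on which uid entries exist and on the nsDS5ReplicaBindDN list in cn=replica.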
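Review bot: both replication agreements use nsDS5ReplicaPort: 389 with nsDS5ReplicaTransportInfo: LDAP, and the changeset drops the certutil/pk12util SSL steps on the grounds that "we use GSSAPI, not SSL"; that only protects the replication stream if the SASL/GSSAPI bind negotiates a security layer, so the text should say how that is verified (or that a minimum SSF is enforced server-side via nsslapd-minssf) before declaring the SSL steps unnecessary. It should also say what removing the server certificate means for any clients that still connect over ldaps.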
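Review bot: step 4 ("Run the replication") sets nsDS5BeginReplicaRefresh: start, which is a total re-initialization that replaces the consumer's copy of the suffix with the supplier's; the text should warn never to set this attribute on the reverse agreement added in step 6 (cn="GSSAPI Replication to $MASTER" on $SLAVE), since the new server's still-empty database would then overwrite the master. Suggest a one-line warning directly under the step 6 agreement.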
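Review bot: the Directory Manager password now lives in ~/.ldapvirc and in /etc/signup-ldap-pw, and the text only says the latter must be "chmodded correctly"; give the mode (owner-only, 0400 for signup) and do the same for /etc/dirsrv/keytab, which is described only as "readable by fedora-ds". Smaller points in the same region: nsslapd-changelogdir is set to /etc/dirsrv/slapd-scripts/changelogdb, putting a database under /etc rather than alongside the instance data in /var/lib/dirsrv/slapd-scripts; "send data $SALVE" should be $SLAVE; "(look for nktaskstatus)" should read nsTaskStatus; and the replication walkthrough's step numbering restarts at 4 after step 5.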