Line 95: | Line 95: |
# Set permissions and access for LDAP-daemon (slapd) adduser openldap ssl-cert |
Line 100: | Line 97: |
# Set access to ssl keys for LDAP-daemon (slapd) adduser openldap ssl-cert |
This will become a setup for NFS4 with Kerberos and LDAP. Most information in this setup comes from Heiko Noordhof. I know there are already pages in this wiki about NFS4, Kerberos and LDAP; this setup tries to be simple.
Server setup:
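# Paste-into-shell recipe, run as root in an interactive session.
# Deliberately no 'set -e': it would close the root shell on the first
# harmless error ("Some errors are normal" below).

# become root:
su -

# When you did install LDAP or Kerberos or NFS before, it is a good idea to
# remove it to have a clean start. This also removes all files from this setup.
apt-get purge krb5-kdc-ldap gnutls-bin krb5-admin-server nfs-kernel-server \
  ldap-utils slapd krb5-kdc
rm -rfv /var/lib/ldap
rm -v /etc/ssl/certs/CAself-cert.pem
rm -v /etc/ssl/certs/*_slapd_cert.pem
rm -v /etc/ssl/*.info
rm -v /etc/ssl/private/*_slapd_key.pem
rm -v /etc/ssl/private/CAself-key.pem

# Your fqdn hostname should be OK, it should be something like: server1.example.com
# When it's wrong, change your /etc/hosts, there should be a line like:
# 127.0.1.1 server1.example.com server1
# with this command you can check your fqdn hostname:
hostname --fqdn

# Main setup variables, change them if needed, but in most cases the defaults are OK
SERVER=$(hostname --fqdn)                       # something like: server1.example.com
DOMAIN=${SERVER#*.}                             # something like: example.com
REALM=$(printf '%s' "$DOMAIN" | tr a-z A-Z)     # something like: EXAMPLE.COM
printf 'SERVER: %s\nDOMAIN: %s\nREALM: %s\n' "$SERVER" "$DOMAIN" "$REALM"

# Construct LDAP root base, e.g. example.com -> dc=example,dc=com.
# 'IFS=. read' limits the separator to this one command; assigning IFS="."
# globally would change word-splitting for every later command in the session.
LDAPROOT=""
IFS=. read -r -a DC_PARTS <<<"$DOMAIN"
for DC in "${DC_PARTS[@]}"; do
  LDAPROOT="${LDAPROOT},dc=${DC}"
done
LDAPROOT="${LDAPROOT#,}"

# Install packages without questions. You can also answer the questions but
# this is pointless, because the configuration will be overwritten later.
# Some errors are normal
DEBIAN_FRONTEND=noninteractive apt-get install ldap-utils slapd nfs-kernel-server \
  krb5-admin-server krb5-kdc krb5-kdc-ldap krb5-doc libnss-ldap nscd libpam-ldap \
  gnutls-bin ssl-cert ntp pwgen

# Directory for temporary setup files (mktemp -d creates it with mode 0700).
# "${SETUPDIR:?}" aborts the command with a message instead of silently
# working in the wrong directory when mktemp failed.
SETUPDIR=$(mktemp --directory /tmp/server-setup.XXXXXXXXXX)
: "${SETUPDIR:?mktemp failed}"
cd "${SETUPDIR}" || printf 'WARNING: cannot cd into %s\n' "${SETUPDIR}" >&2
printf 'Setup directory: %s\n' "${SETUPDIR}"

# Setup ldap.conf for clients
cat <<EOF >/etc/ldap/ldap.conf
BASE ${LDAPROOT}
URI ldapi://
EOF

# Setup SSL/TLS certificate (self-signed) for TLS on LDAP
CA_KEY=/etc/ssl/private/CAself-key.pem
CA_INFO=/etc/ssl/CAself.info
CA_CERT=/etc/ssl/certs/CAself-cert.pem
# Generate the private key under a restrictive umask (in a subshell, so the
# session umask is untouched): the file is then never world-readable, not
# even between creation and the chgrp/chmod below.
( umask 077; certtool --generate-privkey >"${CA_KEY}" )
# 'ca' marks the certificate as a CA; 'cert_signing_key' allows it to sign
# the server certificate generated further down.
cat <<EOF >"${CA_INFO}"
cn = ${DOMAIN}
ca
cert_signing_key
EOF
certtool \
  --generate-self-signed \
  --load-privkey "${CA_KEY}" \
  --template "${CA_INFO}" \
  --outfile "${CA_CERT}"
chgrp ssl-cert "${CA_KEY}"
chmod 0640 "${CA_KEY}"

# Generate private-key for TLS on the LDAP-service
LDAP_TLS_KEY="/etc/ssl/private/${SERVER}_slapd_key.pem"
LDAP_TLS_INFO="/etc/ssl/${SERVER}.info"
LDAP_TLS_CERT="/etc/ssl/certs/${SERVER}_slapd_cert.pem"
( umask 077; certtool --generate-privkey >"${LDAP_TLS_KEY}" )
cat <<EOF >"${LDAP_TLS_INFO}"
organization = ${DOMAIN}
cn = ${SERVER}
tls_www_server
encryption_key
signing_key
EOF
certtool \
  --generate-certificate \
  --load-privkey "${LDAP_TLS_KEY}" \
  --load-ca-certificate "${CA_CERT}" \
  --load-ca-privkey "${CA_KEY}" \
  --template "${LDAP_TLS_INFO}" \
  --outfile "${LDAP_TLS_CERT}"
chgrp ssl-cert "${LDAP_TLS_KEY}"
chmod 0640 "${LDAP_TLS_KEY}"

# Set access to ssl keys for LDAP-daemon (slapd)
adduser openldap ssl-cert

# Generate hash from admin password.
# The clear-text password file is kept inside the 0700 setup directory and
# created under umask 077, so it is never readable by other users, even briefly.
# printf '%s' writes no trailing newline, which matters because slappasswd -T
# hashes the file contents verbatim.
LDAP_ADMIN_PW=$(pwgen -s 10 1)
LDAP_ADMIN_PW_FILE="${SETUPDIR:?}/ldap-admin-pw.txt"
( umask 077; printf '%s' "${LDAP_ADMIN_PW}" >"${LDAP_ADMIN_PW_FILE}" )
chmod 600 "${LDAP_ADMIN_PW_FILE}"
# {SSHA} is a salted hash; the unsalted {SHA} scheme makes equal passwords
# hash to equal values and is exposed to precomputed-table attacks.
LDAP_ADMIN_HASH=$(slappasswd -h '{SSHA}' -T "${LDAP_ADMIN_PW_FILE}")

# Create ldifs and load them into LDAP (absolute paths, so the ldifs land in
# the setup directory even if the 'cd' above did not succeed)
cat <<EOF >"${SETUPDIR}/slapd-loglevel.ldif"
dn: cn=config
changeType: modify
replace: olcLogLevel
olcLogLevel: stats
EOF
ldapmodify -v -Y EXTERNAL -H ldapi:/// -f "${SETUPDIR}/slapd-loglevel.ldif"

cat <<EOF >"${SETUPDIR}/slapd-tls.ldif"
dn: cn=config
changeType: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: ${CA_CERT}
-
add: olcTLSCertificateFile
olcTLSCertificateFile: ${LDAP_TLS_CERT}
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: ${LDAP_TLS_KEY}
EOF
ldapmodify -v -Y EXTERNAL -H ldapi:/// -f "${SETUPDIR}/slapd-tls.ldif"

cat <<EOF >"${SETUPDIR}/slapd-database.ldif"
dn: olcDatabase={1}hdb,cn=config
changeType: modify
replace: olcDbConfig
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbConfig: {4}set_flags DB_LOG_AUTOREMOVE
-
replace: olcRootPW
olcRootPW: ${LDAP_ADMIN_HASH}
EOF
ldapmodify -v -Y EXTERNAL -H ldapi:/// -f "${SETUPDIR}/slapd-database.ldif"

# Do not listen on the clear-text port (389) only SSL/LDAPS (636)
sed -i 's|^SLAPD_SERVICES.*|SLAPD_SERVICES="ldaps:/// ldapi:///"|' /etc/default/slapd

# Restart LDAP-server
/etc/init.d/slapd restart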