Differences between revisions 13 and 14
Revision 13 as of 2012-03-03 21:51:19
Size: 4807
Editor: ?PaulvanderVlis
Comment:
Revision 14 as of 2012-03-03 21:56:05
Size: 4803
Editor: ?PaulvanderVlis
Comment:
Line 95: Line 95:

# Set permissions and access for LDAP-daemon (slapd)
adduser openldap ssl-cert
Line 100: Line 97:

# Set access to ssl keys for LDAP-daemon (slapd)
adduser openldap ssl-cert

This will become a setup for NFS4 with Kerberos and LDAP. Most information in this setup comes from Heiko Noordhof. I know, there are already pages in this wiki about NFS4, Kerberos and LDAP. This setup tries to be easy.

Server setup:

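# become root:
su -

# If you installed LDAP or Kerberos or NFS before, it is a good idea to remove it to
# have a clean start. This also removes all files from this setup.
apt-get purge krb5-kdc-ldap gnutls-bin krb5-admin-server nfs-kernel-server \
  ldap-utils slapd krb5-kdc

# -f: a missing file (fresh system, or a pattern that matches nothing) is not an
# error, so this part is quiet on a clean machine.
rm -rfv /var/lib/ldap
rm -fv /etc/ssl/certs/CAself-cert.pem
rm -fv /etc/ssl/certs/*_slapd_cert.pem
rm -fv /etc/ssl/*.info
rm -fv /etc/ssl/private/*_slapd_key.pem
rm -fv /etc/ssl/private/CAself-key.pem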

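# Your fqdn hostname should be OK, it should be something like:  server1.example.com
# If it is wrong, change your /etc/hosts, there should be a line like:
# 127.0.1.1       server1.example.com   server1
# With this command you can check your fqdn hostname:
hostname --fqdn

# Main setup variables, change them if needed, but in most cases the defaults are OK
SERVER=$(hostname --fqdn)                      # something like: server1.example.com
DOMAIN=${SERVER#*.}                            # something like: example.com
REALM=$(printf '%s' "$DOMAIN" | tr a-z A-Z)    # something like: EXAMPLE.COM
echo "SERVER: $SERVER"; echo "DOMAIN: $DOMAIN"; echo "REALM:  $REALM"

# Construct the LDAP root base from the domain: example.com -> dc=example,dc=com
# Done with a parameter expansion (every "." becomes ",dc=") instead of a loop that
# sets IFS: these commands are pasted into the root shell, and an IFS left as "."
# would change word splitting for every later command in that shell.
LDAPROOT=""
if [ -n "$DOMAIN" ]; then
  LDAPROOT="dc=${DOMAIN//./,dc=}"
fi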

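# Install packages without questions. You can also answer the questions but this is
# pointless, because the configuration will be overwritten later.
# Some errors are normal
DEBIAN_FRONTEND=noninteractive apt-get install ldap-utils slapd nfs-kernel-server \
  krb5-admin-server krb5-kdc krb5-kdc-ldap krb5-doc libnss-ldap nscd libpam-ldap \
  gnutls-bin ssl-cert ntp pwgen

# Directory for temporary setup files. mktemp --directory creates it with mode 0700,
# so the files written there later (among them the admin password) are not readable
# by other users. Both mktemp and cd are checked: if either fails, those files would
# land in whatever the current directory happens to be.
if SETUPDIR=$(mktemp --directory /tmp/server-setup.XXXXXXXXXX) && cd "$SETUPDIR"; then
  echo "Setup directory: $SETUPDIR"
else
  echo "ERROR: could not create or enter the setup directory, do not continue" >&2
fi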

# Setup ldap.conf for clients on this host: the default search base and the
# local unix socket as server URI.
{
  printf 'BASE    %s\n' "${LDAPROOT}"
  printf 'URI     ldapi://\n'
} >/etc/ldap/ldap.conf

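# Setup SSL/TLS certificate: a self-signed CA that will sign the LDAP server cert
CA_KEY=/etc/ssl/private/CAself-key.pem
CA_INFO=/etc/ssl/CAself.info
CA_CERT=/etc/ssl/certs/CAself-cert.pem
# The key is written in a subshell with umask 077, so the file is never readable by
# others, not even in the moment between its creation and the chmod below.
( umask 077; certtool --generate-privkey >"${CA_KEY}" )
cat <<EOF >"${CA_INFO}"
cn = ${DOMAIN}
ca
cert_signing_key
EOF
# No expiration_days in the template, so certtool's default validity applies;
# check it with: certtool -i --infile "${CA_CERT}"
certtool \
    --generate-self-signed \
    --load-privkey "${CA_KEY}" \
    --template "${CA_INFO}" \
    --outfile "${CA_CERT}"
# Group ssl-cert may read the key (slapd is added to that group below), nobody else
chgrp ssl-cert "${CA_KEY}"
chmod 0640 "${CA_KEY}"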

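# Generate private-key and certificate for TLS on the LDAP-service, signed by the CA
LDAP_TLS_KEY="/etc/ssl/private/${SERVER}_slapd_key.pem"
LDAP_TLS_INFO="/etc/ssl/${SERVER}.info"
LDAP_TLS_CERT="/etc/ssl/certs/${SERVER}_slapd_cert.pem"
# Written with umask 077 in a subshell: the key file is never readable by others,
# not even between its creation and the chmod below.
( umask 077; certtool --generate-privkey >"${LDAP_TLS_KEY}" )
# dns_name puts the server name in the subjectAltName too; clients that ignore the
# cn and only check the SAN then still accept this certificate.
cat <<EOF >"${LDAP_TLS_INFO}"
organization = ${DOMAIN}
cn = ${SERVER}
dns_name = ${SERVER}
tls_www_server
encryption_key
signing_key
EOF
certtool \
    --generate-certificate \
    --load-privkey "${LDAP_TLS_KEY}" \
    --load-ca-certificate "${CA_CERT}" \
    --load-ca-privkey "${CA_KEY}" \
    --template "${LDAP_TLS_INFO}" \
    --outfile "${LDAP_TLS_CERT}"
chgrp ssl-cert "${LDAP_TLS_KEY}"
chmod 0640 "${LDAP_TLS_KEY}"

# Set access to ssl keys for LDAP-daemon (slapd): its user joins the ssl-cert group
adduser openldap ssl-cert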

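# Generate the admin password and its hash for olcRootPW.
# The password is kept in ldap-admin-pw.txt inside $SETUPDIR (mode 0700 from
# mktemp -d) and the file itself is created with umask 077, so no other user can
# read it. Keep or move that file somewhere safe: it is the only copy.
LDAP_ADMIN_PW_LENGTH=${LDAP_ADMIN_PW_LENGTH:-10}   # longer is fine, set it before this step
LDAP_ADMIN_PW=$(pwgen -s "$LDAP_ADMIN_PW_LENGTH" 1)
LDAP_ADMIN_HASH=""
if [ -n "$LDAP_ADMIN_PW" ]; then
  ( umask 077; printf '%s' "$LDAP_ADMIN_PW" >ldap-admin-pw.txt )
  chmod 600 ldap-admin-pw.txt
  # {SSHA} (salted SHA-1, the slappasswd default) instead of unsalted {SHA}: the
  # stored hash cannot be looked up in a precomputed table.
  LDAP_ADMIN_HASH=$(slappasswd -h '{SSHA}' -T ldap-admin-pw.txt)
else
  # Without a password the later olcRootPW step would get an empty value
  echo "ERROR: pwgen produced no password, do not continue with the LDAP setup" >&2
fi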

# Create ldifs and load them into LDAP over the local socket (EXTERNAL = root).
# First: set the slapd log level to "stats" (connections, operations, results),
# which makes the following steps easier to debug.
# Quoted delimiter: this LDIF contains no shell variables, so nothing is expanded.
cat <<'EOF' >slapd-loglevel.ldif
dn: cn=config
changeType: modify
replace: olcLogLevel
olcLogLevel: stats
EOF
ldapmodify -v -Y EXTERNAL -H ldapi:/// -f slapd-loglevel.ldif

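# Point slapd at the CA certificate, server certificate and key made above.
# "replace" instead of "add": add fails when the attribute already exists (for
# example when this step is repeated), replace sets the value in both cases.
cat <<EOF >slapd-tls.ldif
dn: cn=config
changeType: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: ${CA_CERT}
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: ${LDAP_TLS_CERT}
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: ${LDAP_TLS_KEY}
EOF
ldapmodify -v -Y EXTERNAL -H ldapi:/// -f slapd-tls.ldif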

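# Database settings and the admin (rootdn) password hash.
# NOTE(review): the database entry is {1}hdb here; on a slapd that was set up with
# another backend the dn differs - check with: ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase
cat <<EOF >slapd-database.ldif
dn: olcDatabase={1}hdb,cn=config
changeType: modify
replace: olcDbConfig
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbConfig: {4}set_flags DB_LOG_AUTOREMOVE
-
replace: olcRootPW
olcRootPW: ${LDAP_ADMIN_HASH}
EOF
# Never apply this with an empty hash: olcRootPW would get an empty value, which is
# either rejected or, worse, accepted as an unusable/empty admin password.
if [ -n "$LDAP_ADMIN_HASH" ]; then
  ldapmodify -v -Y EXTERNAL -H ldapi:/// -f slapd-database.ldif
else
  echo "ERROR: LDAP_ADMIN_HASH is empty, slapd-database.ldif was not applied" >&2
fi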

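# Do not listen on the clear-text port (389), only SSL/LDAPS (636). The ldapi:///
# unix socket stays: it is what the EXTERNAL (root) ldapmodify calls above use.
sed -i 's|^SLAPD_SERVICES.*|SLAPD_SERVICES="ldaps:/// ldapi:///"|' /etc/default/slapd
# sed only rewrites an existing, uncommented SLAPD_SERVICES line. Check that the
# setting is really there; otherwise slapd presumably keeps its default listeners,
# port 389 included.
if ! grep -q '^SLAPD_SERVICES="ldaps:/// ldapi:///"$' /etc/default/slapd; then
  echo "WARNING: SLAPD_SERVICES not set in /etc/default/slapd, add it by hand" >&2
fi

# Restart LDAP-server so the TLS and listener settings take effect
/etc/init.d/slapd restart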