Differences between revisions 6 and 7
Revision 6 as of 2012-03-03 18:20:35
Size: 4182
Editor: ?PaulvanderVlis
Comment:
Revision 7 as of 2012-03-03 18:36:43
Size: 4260
Editor: ?PaulvanderVlis
Comment:
Line 8: Line 8:
# When you did install LDAP or Kerberos before, it is a good idea to remove it to have a clean start:
apt-get purge krb5-kdc-ldap gnutls-bin krb5-admin-server
# When you did install LDAP or Kerberos before, it is a good idea to remove it to
#
have a clean start:
apt-get purge krb5-kdc-ldap gnutls-bin krb5-admin-server slapd
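Review bot: On the new side the comment continuation `have a clean start:` appears without its `#` (the `#` sits alone on the line above it), so copied as shown it would run as a command instead of being read as a comment; the page body below shows the same text correctly as `# have a clean start:`, so this is probably a diff-rendering artifact, but keeping the comment on one line avoids it: `# When you did install LDAP or Kerberos before, purge them to get a clean start:`. It would also help to say in the comment that `apt-get purge` normally asks for confirmation, since this is the step that discards any existing LDAP and Kerberos configuration.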
Line 22: Line 23:
echo "SERVER: $SERVER"
echo "DOMAIN: $DOMAIN"
echo "REALM: $REALM"
echo "SERVER: $SERVER"; echo "DOMAIN: $DOMAIN"; echo "REALM: $REALM"
Line 34: Line 33:
# Install packages without questions. You can also answer the questions put this is pointless,
# because the configuration will be overwritten later.
# Install packages without questions. You can also answer the questions put this is
# pointless, because the configuration will be overwritten later.
# An error from kadmin about a missing file or directory is normal
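Review bot: The new comment has a typo that inverts its meaning, `put` should be `but`: `# Install packages without questions. You can also answer the questions but this is`. The added line about kadmin says the error is normal but not why; tying it to the preceding sentence, e.g. `# An error from kadmin about a missing file or directory is normal, the Kerberos configuration is written later.`, tells the reader which errors can be ignored and which cannot. The apt-get command these comments describe starts after the hunk.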

This will become a setup for NFS4 with Kerberos and LDAP. Most information in this setup comes from Heiko Noordhof. I know, there are already pages in this wiki about NFS4, Kerberos and LDAP. This setup tries to be easy.

Server setup:

# Become root in a login shell (root's own environment and PATH):
su - root

# If LDAP or Kerberos were installed before, purge them (and the old LDAP
# database directory) so that the setup starts from a clean state:
apt-get purge \
  krb5-kdc-ldap gnutls-bin krb5-admin-server slapd
rm -rf -- /var/lib/ldap

# The fully qualified hostname must be correct, e.g. server1.example.com
# If it is not, fix /etc/hosts; it needs a line of the form:
# 127.0.1.1       server1.example.com   server1
# Show the FQDN the system currently reports:
hostname -f

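# Main setup variables, derived from the FQDN; normally nothing to change.
SERVER=$(hostname --fqdn)   # something like: server1.example.com
DOMAIN=${SERVER#*.}         # something like: example.com
REALM=$(printf '%s' "$DOMAIN" | tr a-z A-Z)   # something like: EXAMPLE.COM
# Without a dot in the name DOMAIN silently equals SERVER and the realm
# is wrong, so warn instead of carrying on with bad values.
case "$SERVER" in
  *.*) ;;
  *) echo "WARNING: '$SERVER' is not a fully qualified hostname, fix /etc/hosts first" >&2 ;;
esac
echo "SERVER: $SERVER"; echo "DOMAIN: $DOMAIN"; echo "REALM:  $REALM"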

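# Construct the LDAP base DN from the domain: example.com -> dc=example,dc=com
LDAPROOT=""
# Split DOMAIN on dots. IFS is changed only for this loop and restored
# afterwards; otherwise every later unquoted expansion in this shell would
# split on "." instead of whitespace.
OLDIFS=$IFS
IFS="."
for DC in $DOMAIN ; do
  LDAPROOT="${LDAPROOT},dc=$DC"
done
IFS=$OLDIFS
unset OLDIFS
LDAPROOT="${LDAPROOT#,}"   # drop the leading comma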

# Install everything in one go. DEBIAN_FRONTEND=noninteractive suppresses the
# debconf questions; answering them would be pointless anyway, because the
# configuration is overwritten later on. (apt-get itself may still ask whether
# to continue, since no -y is given.)
# An error from kadmin about a missing file or directory is normal.
env DEBIAN_FRONTEND=noninteractive apt-get install \
  ldap-utils slapd nfs-kernel-server krb5-admin-server krb5-kdc krb5-kdc-ldap \
  krb5-doc libnss-ldap nscd libpam-ldap gnutls-bin ssl-cert ntp pwgen

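# Directory for temporary setup files. mktemp -d creates it mode 0700, which
# matters because the LDAP admin password is written here later.
SETUPDIR=$(mktemp --directory /tmp/server-setup.XXXXXXXXXX)
# If mktemp fails SETUPDIR is empty and a bare `cd ""` would land in $HOME,
# scattering the setup files there; check before going on.
if [ -d "$SETUPDIR" ] && cd "$SETUPDIR"; then
  echo "Setup directory: $SETUPDIR"
else
  echo "ERROR: could not create or enter the setup directory, stop here" >&2
fi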

# Client-side LDAP defaults: the base DN and the local unix socket as URI
printf 'BASE    %s\nURI     ldapi://\n' "${LDAPROOT}" >/etc/ldap/ldap.conf

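# Self-signed CA that signs the slapd TLS certificate
CA_KEY=/etc/ssl/private/CAself-key.pem
CA_INFO=/etc/ssl/CAself.info
CA_CERT=/etc/ssl/certs/CAself-cert.pem
# Create the key under a restrictive umask so it is never world-readable,
# not even between creation and the chmod below.
(umask 077; certtool --generate-privkey >"${CA_KEY}")
cat <<EOF >"${CA_INFO}"
cn = ${DOMAIN}
ca
cert_signing_key
EOF
# NOTE(review): the template sets no expiration_days, so certtool's default
# validity period applies to the CA certificate — confirm it is long enough.
certtool \
    --generate-self-signed \
    --load-privkey "${CA_KEY}" \
    --template "${CA_INFO}" \
    --outfile "${CA_CERT}"
chgrp ssl-cert "${CA_KEY}"
chmod 0640 "${CA_KEY}"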

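# Key and certificate for TLS on the LDAP service, signed by the CA above
LDAP_TLS_KEY="/etc/ssl/private/${SERVER}_slapd_key.pem"
LDAP_TLS_INFO="/etc/ssl/${SERVER}.info"
LDAP_TLS_CERT="/etc/ssl/certs/${SERVER}_slapd_cert.pem"
(umask 077; certtool --generate-privkey >"${LDAP_TLS_KEY}")
# certtool needs the template file to exist; this minimal one marks the
# certificate as a TLS server certificate for this host.
cat <<EOF >"${LDAP_TLS_INFO}"
cn = ${SERVER}
dns_name = ${SERVER}
tls_www_server
encryption_key
signing_key
EOF
certtool \
    --generate-certificate \
    --load-privkey "${LDAP_TLS_KEY}" \
    --load-ca-certificate "${CA_CERT}" \
    --load-ca-privkey "${CA_KEY}" \
    --template "${LDAP_TLS_INFO}" \
    --outfile "${LDAP_TLS_CERT}"
# Same ownership and mode as the CA key. NOTE(review): slapd has to read this
# key; confirm the user it runs as is allowed to (group ssl-cert on Debian).
chgrp ssl-cert "${LDAP_TLS_KEY}"
chmod 0640 "${LDAP_TLS_KEY}"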

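# Generate the LDAP admin password and its hash. The password is kept in a
# file in SETUPDIR for later steps; it is created mode 0600 from the start.
LDAP_ADMIN_PW=$(pwgen -s 10 1)
(umask 077; printf '%s' "$LDAP_ADMIN_PW" >ldap-admin-pw.txt)
chmod 600 ldap-admin-pw.txt
# NOTE(review): {SHA} is an unsalted SHA-1 hash; slappasswd's default {SSHA}
# is salted and accepted by the same servers — consider switching.
LDAP_ADMIN_HASH=$(slappasswd -h '{SHA}' -T ldap-admin-pw.txt)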

# Create the ldifs and load each into the running slapd over the unix
# socket (SASL EXTERNAL, i.e. as root).
# 1. logging: the "stats" level
printf '%s\n' \
  'dn: cn=config' \
  'changeType: modify' \
  'replace: olcLogLevel' \
  'olcLogLevel: stats' >slapd-loglevel.ldif
ldapmodify -v -Y EXTERNAL -H ldapi:/// -f slapd-loglevel.ldif
# 2. TLS: point slapd at the CA certificate, the server certificate and key.
# NOTE(review): slapd has to be able to open the key file for this modify to
# take effect — check the permissions on it.
printf '%s\n' \
  'dn: cn=config' \
  'changeType: modify' \
  'add: olcTLSCACertificateFile' \
  "olcTLSCACertificateFile: ${CA_CERT}" \
  '-' \
  'add: olcTLSCertificateFile' \
  "olcTLSCertificateFile: ${LDAP_TLS_CERT}" \
  '-' \
  'add: olcTLSCertificateKeyFile' \
  "olcTLSCertificateKeyFile: ${LDAP_TLS_KEY}" >slapd-tls.ldif
ldapmodify -v -Y EXTERNAL -H ldapi:/// -f slapd-tls.ldif
# 3. database: BDB tuning and the rootdn password hash.
# NOTE(review): the database DN {1}hdb is distribution/version dependent —
# verify it matches the running slapd.
printf '%s\n' \
  'dn: olcDatabase={1}hdb,cn=config' \
  'changeType: modify' \
  'replace: olcDbConfig' \
  'olcDbConfig: {0}set_cachesize 0 2097152 0' \
  'olcDbConfig: {1}set_lk_max_objects 1500' \
  'olcDbConfig: {2}set_lk_max_locks 1500' \
  'olcDbConfig: {3}set_lk_max_lockers 1500' \
  'olcDbConfig: {4}set_flags DB_LOG_AUTOREMOVE' \
  '-' \
  'replace: olcRootPW' \
  "olcRootPW: ${LDAP_ADMIN_HASH}" >slapd-database.ldif
ldapmodify -v -Y EXTERNAL -H ldapi:/// -f slapd-database.ldif

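# Do not listen on the clear-text port (389), only SSL/LDAPS (636) and the
# local unix socket.
sed -i 's|^SLAPD_SERVICES.*|SLAPD_SERVICES="ldaps:/// ldapi:///"|' /etc/default/slapd
# sed silently does nothing when no SLAPD_SERVICES line exists, and slapd
# would then keep serving plain LDAP on 389; verify before restarting.
if ! grep -q '^SLAPD_SERVICES="ldaps:/// ldapi:///"' /etc/default/slapd; then
  echo "WARNING: SLAPD_SERVICES not set in /etc/default/slapd, check it by hand" >&2
fi

# Restart LDAP-server
/etc/init.d/slapd restart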