Changeset 1645 for branches/fc13-dev
- Timestamp: Sep 12, 2010, 6:00:55 PM
- Location: branches/fc13-dev/server/doc
- Files: 1 deleted, 2 edited
  - 389-ds-enable-ssl-and-kerberos.diff (deleted)
  - HOWTO-SETUP-LDAP (modified) (2 diffs)
  - install-howto.sh (modified) (11 diffs)

        branches/fc13-dev/server/doc/HOWTO-SETUP-LDAPr1532 r1645 2 2 3 3 - Install the RPM 389-ds-base with yum 4 - root# env NSS_NONLOCAL_IGNORE=1 useradd -r -d /var/lib/dirsrv fedora-ds 4 root# yum install -y 389-ds-base 5 - We want to run the directory server as its own user, so create fedora-ds 6 root# env NSS_NONLOCAL_IGNORE=1 useradd -r -d /var/lib/dirsrv fedora-ds 7 - root# yum install -y policycoreutils-python 5 8 - root# /usr/sbin/setup-ds.pl 6 9 - Choose a typical install 7 10 - Tell it to use the fedora-ds user and group 8 11 - Directory server identifier: scripts 12 Needed to remove this from the config file first 9 13 - Suffix: dc=scripts,dc=mit,dc=edu 10 14 - Input directory manager password 15 (this can be found in ~/.ldapvirc) 16 [XXX: Got error: sh: semanage: command not found; turns out this is in 17 policycoreutils-python. Don't know if this will cause problems.] 11 18 - yum install ldapvi 12 - /sbin/service dirsrv start 13 - Apply ./fedora-ds-enable-ssl-and-kerberos.diff manually 14 - Also set nsslapd-ldapifilepath: /var/run/dirsrv/slapd-scripts.socket 15 and nsslapd-ldapilisten: on, otherwise ldapi won't work. 19 - Check if dirsrv starts: /sbin/service dirsrv start 20 - Apply the following configuration changes. If you're editing 21 dse.ldif, you don't want dirsrv to be on, otherwise it will 22 overwrite your changes. [XXX: show how to do these changes with 23 dsconf, which is the "blessed" method] 24 25 # Inside cn=config. These changes definitely require a restart. 26 nsslapd-ldapifilepath: /var/run/dirsrv/slapd-scripts.socket 27 nsslapd-ldapilisten: on 28 29 # Add these blocks 30 31 # mapname, mapping, sasl, config 32 # This is the most liberal mapping you can have for SASL: you can 33 # basically add authentication for any given GSSAPI mechanism by 34 # explicitly creating the UID for that SASL string. 
35 dn: cn=mapname,cn=mapping,cn=sasl,cn=config 36 objectClass: top 37 objectClass: nsSaslMapping 38 cn: mapname 39 nsSaslMapRegexString: \(.*\) 40 nsSaslMapBaseDNTemplate: uid=\1,ou=People,dc=scripts,dc=mit,dc=edu 41 nsSaslMapFilterTemplate: (objectClass=posixAccount) 42 16 43 - /sbin/service dirsrv stop 17 - Add the scripts schemas to /var/lib/dirsrv/slapd-scripts 18 - wget http://web.mit.edu/geofft/Public/scripts-ca.pem 19 - certutil -d /etc/dirsrv/slapd-scripts -A -n "scripts.mit.edu CA" -t CT,, -a -i scripts-ca.pem 20 - Generate a pkcs12 cert for the server: 21 - openssl pkcs12 -export -in c-w.pem -inkey c-w.key -name 'ldap/cats-whiskers' -out c-w.pkcs12 22 - pk12util -i ldap-server-cert.p12 -d /etc/dirsrv/slapd-scripts 23 - Put LDAP keytab in /etc/dirsrv/keytab 24 - Uncomment and modify in /etc/syscnfig/dirsrv: KRB5_KTNAME=/etc/dirsrv/keytab ; export KRB5_KTNAME 25 - mkdir -p /var/tmp/dirsrv 26 - chown fedora-ds:fedora-ds /var/tmp/dirsrv 44 - Add the scripts schemas to /var/lib/dirsrv/slapd-scripts [XXX: I don't 45 know how to do this, but placing them in /etc might be sufficient?] 46 - Put LDAP keytab (ldap/hostname.mit.edu) in /etc/dirsrv/keytab. Make 47 sure you chown/chgrp it to be readable by fedora-ds 48 - Uncomment and modify in /etc/sysconfig/dirsrv: KRB5_KTNAME=/etc/dirsrv/keytab ; export KRB5_KTNAME 49 - mkdir -p /var/run/dirsrv 50 - chown fedora-ds:fedora-ds /var/run/dirsrv 27 51 - chmod 755 /var/run/dirsrv 28 52 - /sbin/service dirsrv restart … … 97 121 /usr/lib64/dirsrv/slapd-scripts/db2index.pl -D "cn=Directory Manager" -j /etc/signup-ldap-pw -n userRoot 98 122 123 (/etc/signup-ldap-pw is the LDAP root password, make sure it's 124 chmodded correctly and chowned to signup. Also, make sure it doesn't 125 have a trailing newline!) 
126 99 127 - Watch for the indexing operations to finish with this command: 100 128 101 129 ldapsearch -x -y /etc/signup-ldap-pw -D 'cn=Directory Manager' -b cn=tasks,cn=config 102 130 103 - Set up replication: 104 (basically, execute 105 http://directory.fedoraproject.org/sources/contrib/mmr.pl 106 manually) 131 (look for nktaskstatus) 132 133 - Set up replication. 134 135 We used to tell people to go execute 136 http://directory.fedoraproject.org/sources/contrib/mmr.pl manually 137 (manually because that script assumes only two masters and we have 138 every one of our servers set up as a master.) However, those 139 instructions are inaccurate, because we use GSSAPI, not SSL and 140 because the initializing procedure is actually prone to a race 141 condition. Here are some better instructions. 142 143 LDAP replication is based around producers and consumers. Producers 144 push changes in LDAP to consumers: these arrangements are called 145 "replication agreements" and the producer will hold a 146 nsDS5ReplicationAgreement object that represents this commitment, 147 as well as some extra configuration to say who consumers will accept 148 replication data from (a nsDS5Replica). 149 150 The procedure, at a high level, is this: 151 152 1. Pick an arbitrary existing master. The current server will 153 be configured as a slave to that master. Initialize a changelog, 154 then request a replication to populate our server with 155 information. 156 157 M1 <---> M2 ---> S 158 159 2. Configure the new server to be replicated back. 160 161 M1 <---> M2 <---> S 162 163 3. Set up the rest of the replication agreements at your leisure. 164 165 M1 <---> M2 166 ^ ^ 167 | | 168 +--> S <--+ 169 170 Here's how you do it. 171 172 1. Pull open the replication part of the database. It's fairly empty 173 right now. 174 175 ldapvi -b cn=\"dc=scripts,dc=mit,dc=edu\",cn=mapping\ tree,cn=config 176 177 2. 
Configure the server $SLAVE (this server) to accept $MASTER 178 replications by adding the following LDAP entries: 179 180 add cn=replica, cn="dc=scripts,dc=mit,dc=edu", cn=mapping tree, cn=config 181 objectClass: top 182 objectClass: nsDS5Replica 183 cn: replica 184 nsDS5ReplicaId: $REPLICA_ID 185 nsDS5ReplicaRoot: dc=scripts,dc=mit,dc=edu 186 nsDS5Flags: 1 187 nsDS5ReplicaBindDN: uid=ldap/bees-knees.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu 188 nsDS5ReplicaBindDN: uid=ldap/busy-beaver.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu 189 nsDS5ReplicaBindDN: uid=ldap/cats-whiskers.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu 190 nsDS5ReplicaBindDN: uid=ldap/pancake-bunny.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu 191 nsDS5ReplicaBindDN: uid=ldap/whole-enchilada.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu 192 nsDS5ReplicaBindDN: uid=ldap/real-mccoy.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu 193 # ADD SERVERS HERE AS YOU ADD NEW SERVERS 194 nsds5ReplicaPurgeDelay: 604800 195 nsds5ReplicaLegacyConsumer: off 196 nsDS5ReplicaType: 3 197 198 $REPLICA_ID is the scripts$N number (stella $HOSTNAME to find 199 out.) You might wonder why we are binding to all servers; 200 weren't we going to replicate from only one server? That is 201 correct, however, simply binding won't mean we will receive 202 updates; we have to setup the $MASTER to send data $SALVE. 203 204 3. Although we allowed those uids to bind, that user information 205 doesn't exist on $SLAVE yet. So you'll need to create the entry 206 for just $MASTER. 207 208 add uid=ldap/$MASTER,ou=People,dc=scripts,dc=mit,dc=edu 209 uid: ldap/$MASTER 210 objectClass: account 211 objectClass: top 212 213 4. Though our $SLAVE will not be making changes to LDAP, we need to 214 initialize the changelog because we intend to be able to do this 215 later. 216 217 add cn=changelog5,cn=config 218 objectclass: top 219 objectclass: extensibleObject 220 cn: changelog5 221 nsslapd-changelogdir: /etc/dirsrv/slapd-scripts/changelogdb 222 223 5. 
Ok, now go to your $MASTER server that you picked (it should have 224 been one of the hosts mentioned in nsDS5ReplicaBindDN) and tell 225 it to replicate to $SLAVE. 226 227 add cn="GSSAPI Replication to $SLAVE", cn=replica, cn="dc=scripts,dc=mit,dc=edu", cn=mapping tree, cn=config 228 objectClass: top 229 objectClass: nsDS5ReplicationAgreement 230 cn: "GSSAPI Replication to $SLAVE" 231 cn: GSSAPI Replication to $SLAVE 232 nsDS5ReplicaHost: $SLAVE 233 nsDS5ReplicaRoot: dc=scripts,dc=mit,dc=edu 234 nsDS5ReplicaPort: 389 235 nsDS5ReplicaTransportInfo: LDAP 236 nsDS5ReplicaBindDN: 237 uid=ldap/$MASTER,ou=People,dc=scripts,dc=mit,dc=edu 238 nsDS5ReplicaBindMethod: SASL/GSSAPI 239 nsDS5ReplicaUpdateSchedule: "0000-2359 0123456" 240 nsDS5ReplicaTimeout: 120 241 242 4. Run the replication. (you could fold this into the previous step) 243 244 # under cn="GSSAPI Replication to $SLAVE", cn=replica, cn="dc=scripts,dc=mit,dc=edu", cn=mapping tree, cn=config 245 nsDS5BeginReplicaRefresh: start 246 247 5. Check that the replication is running; the status will be stored 248 in the object we've been mucking around with. 249 250 If it fails with LDAP Error 49, check /var/log/dirsrv on $MASTER 251 for more information. It might be because fedora-ds can't read 252 /etc/dirsrv/keytab 253 254 6. Replicate in the other direction. 
On $MASTER, add $SLAVE 255 as a nsDS5ReplicaBindDN in cn=replica,cn="dc=scripts,dc=mit,dc=edu",cn=mapping tree,cn=config 256 Also, add an account for $SLAVE 257 258 add uid=ldap/$SLAVE,ou=People,dc=scripts,dc=mit,dc=edu 259 uid: ldap/$SLAVE 260 objectClass: account 261 objectClass: top 262 263 On $SLAVE, 264 265 add cn="GSSAPI Replication to $MASTER", cn=replica, cn="dc=scripts,dc=mit,dc=edu", cn=mapping tree, cn=config 266 objectClass: top 267 objectClass: nsDS5ReplicationAgreement 268 cn: "GSSAPI Replication to $MASTER" 269 cn: GSSAPI Replication to $MASTER 270 nsDS5ReplicaHost: $MASTER 271 nsDS5ReplicaRoot: dc=scripts,dc=mit,dc=edu 272 nsDS5ReplicaPort: 389 273 nsDS5ReplicaTransportInfo: LDAP 274 nsDS5ReplicaBindDN: uid=ldap/$SLAVE,ou=People,dc=scripts,dc=mit,dc=edu 275 nsDS5ReplicaBindMethod: SASL/GSSAPI 276 nsDS5ReplicaUpdateSchedule: "0000-2359 0123456" 277 nsDS5ReplicaTimeout: 120 278 279 If you get a really scary internal server error, that might mean you 280 forgot to initialize the changelog. Remove the replication 281 agreement (you'll need to turn off dirsrv), add the changelog, and 282 then try again. 283 284 [XXX: Do we need the referrals?] 
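Review bot: dropping `root# yum install -y policycoreutils-python` before `root# /usr/sbin/setup-ds.pl` reintroduces exactly the failure the new XXX note records (`sh: semanage: command not found`); keep that install step in place of the note, since the error shows setup-ds.pl invokes semanage. Two further points on the same hunk: the new SASL mapping's `nsSaslMapFilterTemplate: (objectClass=posixAccount)` will not, as written, match the replication bind entries the second hunk creates with only `objectClass: account` (e.g. `uid=ldap/$MASTER,ou=People,dc=scripts,dc=mit,dc=edu`), so either give those entries the objectClass the filter expects or relax the filter, and say which, otherwise GSSAPI replication binds land on the "LDAP Error 49" path; and the removed `Apply ./fedora-ds-enable-ssl-and-kerberos.diff manually` step is replaced only by the ldapi and SASL-mapping settings, while the certutil/pk12util steps still import a CA and a server certificate, so document the SSL-enabling settings that the deleted diff carried (or state that SSL is intentionally left off).

Review bot: the step numbering in the replication hunk runs 1 to 5 and then restarts at 4 (`4. Run the replication`, `5. Check that the replication is running`, `6. Replicate in the other direction`), and `$SALVE` in "we have to setup the $MASTER to send data $SALVE" should read `to $SLAVE`. The agreement entries also carry two `cn` values, `cn: "GSSAPI Replication to $SLAVE"` and `cn: GSSAPI Replication to $SLAVE`; one value matching the RDN is enough and the quoted form is easy to get wrong. On the security side, `/etc/signup-ldap-pw` holds the Directory Manager password, so the parenthetical about chmod/chown should name the intended owner and mode rather than "chmodded correctly", and the consumer's nsDS5ReplicaBindDN list grants replication-write to every listed `ldap/host` principal, so the `# ADD SERVERS HERE` comment should also say to remove hosts that are retired.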
        branches/fc13-dev/server/doc/install-howto.shr1620 r1645 26 26 27 27 # Start with a normal install of Fedora. 28 29 # Take updates 30 YUM update 28 31 29 32 if [ $boot = 0 ]; then … … 71 74 svn co svn://$source_server/$branch repository 72 75 76 # XXX These sed scripts don't work 73 77 sed -i 's/^(# *)*store-passwords.*/store-passwords = no/' /root/.subversion/config 74 78 sed -i 's/^(# *)*store-auth-creds.*/store-auth-creds = no/' /root/.subversion/config … … 90 94 # won't work. 91 95 96 # Get some packages necessary for OpenAFS 97 YUM install -y redhat-lsb 98 YUM install -y autofs 99 92 100 # Add scripts-build to the group 'mock' 93 101 usermod -a -G mock scripts-build … … 110 118 # You can get password SSH back by editing /etc/ssh/sshd_config (allow 111 119 # password auth) and /etc/pam.d/sshd (comment out the first three auth 112 # lines) 120 # lines). However, you can also temporarily install krb5 and setup the 121 # keytabs and k5login to get Kerberized authentication. 113 122 114 123 service named start … … 118 127 # packages for a new Fedora release. Consult 'upgrade-tips' for more 119 128 # information. 120 121 # In the case of the Kerberos libraries, you'll be told that122 # there are conflicting files with the 64-bit versions of the packages,123 # which we scriptsify. You'll have to use --force to install those124 # rpms despite the conflicts. After doing that, you may want to125 # install the corresponding 64-bit scriptsified versions again, just126 # to be safe in case the 32-bit versions overwrite files that differ.127 # When you try this, it will complain that you already have the same128 # version installed; again, you'll need to use --force to do it anyway.129 130 # We need yumdownloader to force some RPMs131 # XXX: This might be wrong. 
Sanity check what packages ou132 # have when done133 YUM install -y yum-utils134 yumdownloader krb5-libs135 # XXX: These version numbers are hardcoded, need some cli-fu to generalize136 # FC13: Check if they are necessary137 rpm -i krb5-libs-*.i586.rpm138 rpm -U --force krb5-libs-*.scripts.1138.x86_64.rpm139 129 140 130 # env NSS_NONLOCAL_IGNORE=1 yum install scripts-base … … 174 164 YUM install -y nrpe 175 165 YUM install -y nagios-plugins-all 166 YUM install -y fprintd-pam 176 167 177 168 # Disable NetworkManager with chkconfig NetworkManager off. Configure … … 198 189 # Edit the parameters in /etc/sysconfig/openafs 199 190 200 # Figure out why Zephyr isn't working. Most recently, it was because there 201 # was a 64-bit RPM installed; remove it and install Joe's 32-bit one 202 YUM erase -y mit-zephyr 203 # mit-zephyr has a spurious dependency on mit-krb-config 204 yumdownloader mit-zephyr.i386 205 # if deps change, this breaks 206 YUM install -y libXaw.i586 libXext.i586 libXmu.i586 ncurses-libs.i586 readline.i586 207 rpm -i --nodeps mit-zephyr-2.1-6-linux.i386.rpm 208 # test if it worked by sending an un-authed message 209 zwrite -d -c scripts -i test 191 # Test that zephyr is working 192 chkconfig zhm on 193 service zhm start 194 echo 'Test!' | zwrite -d -c scripts -i test 210 195 211 196 # Install the athena-base, athena-lprng, and athena-lprng-misc RPMs … … 251 236 mkdir vice 252 237 cd vice 253 svn co svn://scripts.mit.edu/ trunk/server/fedora/config/usr/vice/etc etc238 svn co svn://scripts.mit.edu/$branch/server/fedora/config/usr/vice/etc etc 254 239 \cp -a etc /usr/vice 255 240 … … 308 293 echo 'import site, os.path; site.addsitedir(os.path.expanduser("~/lib/python2.6/site-packages"))' > /usr/lib/python2.6/site-packages/00scripts-home.pth 309 294 310 # Install the credentials. There are a lot of things to remember here: 295 # Install the credentials. There are a lot of things to remember here. 
296 # Be sure to make sure the permissions match up (ls -l on an existing 297 # server!). 311 298 # o This will be different if you're setting up our build/update server. 312 299 # o You probably installed the machine keytab long ago 313 300 ls -l /etc/krb5.keytab 314 # oUse ktutil to combine the host/scripts.mit.edu and301 # Use ktutil to combine the host/scripts.mit.edu and 315 302 # host/scripts-vhosts.mit.edu keys with host/this-server.mit.edu in 316 303 # the keytab. Do not use 'k5srvutil change' on the combined keytab 317 # or you'll break the other servers. (real servers only) 304 # or you'll break the other servers. (real servers only). Be 305 # careful about writing out the keytab: if you write it to an 306 # existing file the keys will just get appended 318 307 # o The daemon.scripts keytab 319 308 ls -l /etc/daemon.keytab 320 309 # o The SSL cert private key (real servers only) 310 ls -l /etc/pki/tls/private/scripts.key 321 311 # o The LDAP password for the signup process (real servers only) 322 # o The SQL password for the signup process (real servers only) 312 ls -l /etc/signup-ldap-pw 313 # o The SQL password for the signup process (real servers only) (you 314 # only need one) 315 ls -l /usr/local/etc/sql-mit-edu.cfg.php 316 ls -l /etc/sql-mit-edu.cfg.php 323 317 # o The whoisd password (real servers only) 324 # o The LDAP keytab for this server, which will be used later (real servers only) 318 # o The LDAP keytab for this server, which will be used later (real 319 # servers only). 
320 ls -l /etc/dirsrv/keytab 325 321 # o Replace the ssh host keys with the ones common to all scripts servers (real servers only) 326 # o You'll install an LDAP certificate signed by the scripts CA later (real servers only) 322 ls -l /etc/ssh/*key* 327 323 # o Make sure root's .k5login is correct 328 324 cat /root/.k5login 329 325 # o Make sure logview's .k5login is correct (real servers only) 326 cat /home/logview/.k5login 330 327 331 328 # If you are setting up a test server, pay attention to … … 353 350 vim /home/afsagent/renew # replace all mentions of daemon.scripts.mit.edu 354 351 355 # Install 389-ds-base and set up replication (see ./HOWTO-SETUP-LDAP 356 # and ./389-ds-enable-ssl-and-kerberos.diff). 352 # Install 389-ds-base and set up replication (see ./HOWTO-SETUP-LDAP). 357 353 358 354 # Make the services dirsrv, nslcd, nscd, postfix, and httpd start at … … 420 416 421 417 # XXX: our SVN checkout should be updated to use scripts.mit.edu 422 # (repository and etc) 418 # (repository and etc) once serving actually works. 
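Review bot: rather than adding `# XXX These sed scripts don't work`, fix the two patterns: in sed's default BRE syntax the parentheses in `^(# *)*store-passwords.*` are literal characters, so the expression never matches a commented-out `# store-passwords` line; use `sed -r -i 's/^(# *)*store-passwords.*/store-passwords = no/' /root/.subversion/config` (and the same for `store-auth-creds`), or escape the group as `\(# *\)*`. Until that is fixed the `svn co svn://$source_server/$branch repository` checkout above it may keep caching passwords and auth creds under /root/.subversion, which is what these two lines exist to prevent.

Review bot: `svn co svn://scripts.mit.edu/$branch/server/fedora/config/usr/vice/etc etc` hardcodes `scripts.mit.edu` while the earlier checkout uses `svn://$source_server/$branch repository`, and the closing XXX in this same changeset says the scripts.mit.edu checkout should only be switched over "once serving actually works"; use `$source_server` here so both checkouts come from the same host and `$branch` is the only thing that varies.

Review bot: the new `ls -l` lines in the credentials hunk only display permissions for eyeballing, and the comment says to compare against an existing server; since these files are the machine and daemon keytabs, the TLS private key `/etc/pki/tls/private/scripts.key`, `/etc/signup-ldap-pw`, the SQL config and the SSH host keys, state the expected owner and mode next to each so the operator has something concrete to compare against, and note that `ls -l /etc/ssh/*key*` also lists the `.pub` files, so a too-wide mode on a private key is easy to miss in that listing. Also, the `# o` bullet on `# Use ktutil to combine the host/scripts.mit.edu and` was dropped (it was `# oUse` before), so that item now reads as a continuation of the previous one; restore it as `# o Use ktutil ...`.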