LDAP Master/Provider configuration

Configure the LDAP Master as provider

File: provider.ldif

# Add indexes to the frontend db.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryCSN eq
-
add: olcDbIndex
olcDbIndex: entryUUID eq

#Load the syncprov and accesslog modules.
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov
-
add: olcModuleLoad
olcModuleLoad: accesslog

# Accesslog database definitions
dn: olcDatabase={2}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap/accesslog
olcSuffix: cn=accesslog
olcRootDN: cn=admin,dc=thor,dc=loc
olcDbIndex: default eq
olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart

# Accesslog db syncprov.
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpNoPresent: TRUE
olcSpReloadHint: TRUE

# syncrepl Provider for primary db
dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpNoPresent: TRUE

# accesslog overlay definitions for primary db
dn: olcOverlay=accesslog,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcAccessLogConfig
olcOverlay: accesslog
olcAccessLogDB: cn=accesslog
olcAccessLogOps: writes
olcAccessLogSuccess: TRUE
# scan the accesslog DB every day, and purge entries older than 7 days
olcAccessLogPurge: 07+00:00 01+00:00

Create the accesslog directory and copy the DB_CONFIG file into it

shell# sudo -u openldap mkdir /var/lib/ldap/accesslog
shell# sudo -u openldap cp /var/lib/ldap/DB_CONFIG /var/lib/ldap/accesslog/

Add the provider LDIF to the LDAP master

shell# ldapadd -Y EXTERNAL -H ldapi:/// -f provider.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}hdb,cn=config"
modifying entry "cn=module{0},cn=config"
adding new entry "olcDatabase={2}hdb,cn=config"
adding new entry "olcOverlay=syncprov,olcDatabase={2}hdb,cn=config"
adding new entry "olcOverlay=syncprov,olcDatabase={1}hdb,cn=config"
adding new entry "olcOverlay=accesslog,olcDatabase={1}hdb,cn=config"

LDAP Slave/Consumer configuration

Add the additional schema files

shell# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
shell# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
shell# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif

Configure the LDAP Slave as consumer

File: consumer.ldif

#Load the syncprov module.
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov

# syncrepl specific indices
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryUUID eq
-
add: olcSyncRepl
olcSyncRepl: rid=0 provider=ldap://LDAP-01.thor.loc bindmethod=simple binddn="cn=admin,dc=thor,dc=loc"
  credentials=XXXX searchbase="dc=thor,dc=loc" logbase="cn=accesslog"
  logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" schemachecking=on
  type=refreshAndPersist retry="60 +" syncdata=accesslog
-
add: olcUpdateRef
olcUpdateRef: ldap://LDAP-01.thor.loc

Add the LDIF file to the configuration tree
shell# ldapadd -c -Y EXTERNAL -H ldapi:/// -f consumer.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=module{0},cn=config"
modifying entry "olcDatabase={1}hdb,cn=config"

Configure default Linux services (ssh, login, etc.) to authenticate against an LDAP server
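
The olcSyncRepl value above packs the whole replication agreement into one folded LDIF attribute. The Python below, added here and not taken from the original notes or from OpenLDAP, unfolds that attribute, parses the key=value options, and reports what a reviewer would flag in this configuration: the provider is reached over plain ldap:// with a simple bind, so the password in credentials= and every replicated entry cross the network unencrypted, and the consumer binds as the provider's rootdn. The placeholder XXXX is kept from the page; the hardened variant checked in the test is constructed.

```python
import re
import shlex
from urllib.parse import urlparse

# olcSyncRepl from consumer.ldif above, folded the LDIF way: a continuation line
# starts with one extra space that is dropped when the value is unfolded.
SYNCREPL_LDIF = (
    'olcSyncRepl: rid=0 provider=ldap://LDAP-01.thor.loc bindmethod=simple'
    ' binddn="cn=admin,dc=thor,dc=loc"\n'
    '  credentials=XXXX searchbase="dc=thor,dc=loc" logbase="cn=accesslog"\n'
    '  logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" schemachecking=on\n'
    '  type=refreshAndPersist retry="60 +" syncdata=accesslog\n'
)

def unfold_ldif(text):
    """Join folded LDIF lines (RFC 2849: newline followed by one space is a continuation)."""
    return re.sub(r"\n ", "", text).strip()

def parse_syncrepl(ldif):
    """Split an 'olcSyncRepl: k=v k="v v" ...' attribute into a dict of its options."""
    attr, _, value = unfold_ldif(ldif).partition(":")
    if attr.strip() != "olcSyncRepl":
        raise ValueError("not an olcSyncRepl attribute")
    spec = {}
    for token in shlex.split(value):          # shlex keeps a quoted value in one token
        key, _, val = token.partition("=")
        spec[key] = val
    return spec

def transport_findings(spec, rootdn="cn=admin,dc=thor,dc=loc"):
    """List the weaknesses a reviewer would flag in the replication transport."""
    findings = []
    scheme = urlparse(spec.get("provider", "")).scheme
    # syncrepl encrypts only with an ldaps:// provider or starttls=critical
    encrypted = scheme == "ldaps" or spec.get("starttls") == "critical"
    if not encrypted:
        findings.append("provider reached over plain ldap:// without starttls=critical: "
                        "replicated entries cross the network unencrypted")
    if spec.get("bindmethod") == "simple" and not encrypted:
        findings.append("simple bind over cleartext: the replication password is exposed")
    if spec.get("binddn") == rootdn:
        findings.append("consumer binds as the provider rootdn instead of a read-only replication DN")
    return findings
```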

Install the PAM ldap module and NSS lib

shell# apt-get install libnss-ldap libpam-ldap ldap-utils

Configure the libnss-ldap package
LDAP server URI: ldap://LDAP-02.thor.loc:389/
Distinguished name of the search base: dc=thor,dc=loc
LDAP version to use: 3
LDAP account for root: cn=admin,dc=thor,dc=loc
LDAP root account password: XXXX

The password is stored in /etc/libnss-ldap.secret

Configure the libpam-ldap package
Allow LDAP admin account to behave like local root? Yes
Does the LDAP database require login? No
LDAP administrative account: cn=admin,dc=thor,dc=loc
LDAP administrative password: XXXX

The password is stored in /etc/pam_ldap.secret

Local encryption algorithm to use for passwords: crypt

PAM files configured automatically by the packages

File: /etc/pam.d/common-auth
auth    [success=2 default=ignore]      pam_unix.so nullok_secure
auth    [success=1 default=ignore]      pam_ldap.so use_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so

File: /etc/pam.d/common-account
account [success=2 new_authtok_reqd=done default=ignore]        pam_unix.so
account [success=1 default=ignore]      pam_ldap.so
account requisite                       pam_deny.so
account required                        pam_permit.so

File: /etc/pam.d/common-password
password        [success=2 default=ignore]      pam_unix.so obscure sha512
password        [success=1 user_unknown=ignore default=die]     pam_ldap.so try_first_pass
password        requisite                       pam_deny.so
password        required                        pam_permit.so

File: /etc/pam.d/common-session
session [default=1]                     pam_permit.so
session requisite                       pam_deny.so
session required                        pam_permit.so
session required                pam_unix.so
session optional                        pam_ldap.so
session optional             pam_mkhomedir.so skel=/etc/skel umask=077

File: /etc/pam.d/common-session-noninteractive
session [default=1]                     pam_permit.so
session requisite                       pam_deny.so
session required                        pam_permit.so
session required                pam_unix.so
session optional                        pam_ldap.so
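
The bracketed controls in common-auth are what make the unix-then-ldap fallthrough work: success=2 on pam_unix.so jumps over pam_ldap.so and pam_deny.so straight to pam_permit.so, success=1 on pam_ldap.so skips only pam_deny.so, and pam_deny.so is reached only when both modules fail. The Python below, an example added here rather than code from the notes or from Linux-PAM, parses that stack and walks it the way pam.d(5) describes the actions; module outcomes are supplied by the caller, so no real PAM call is made.

```python
import re

# /etc/pam.d/common-auth as shown above (copied for this example).
COMMON_AUTH = """
auth    [success=2 default=ignore]      pam_unix.so nullok_secure
auth    [success=1 default=ignore]      pam_ldap.so use_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
"""

# The two keyword controls used in this stack, expanded to their bracket form (pam.d(5)).
KEYWORDS = {
    "requisite": {"success": "ok", "default": "die"},
    "required":  {"success": "ok", "default": "bad"},
}

def parse_stack(text):
    """Return [(actions, module), ...] where actions maps a module result to a PAM action."""
    stack = []
    for line in text.strip().splitlines():
        control, module = re.match(r"auth\s+(\[[^\]]+\]|\S+)\s+(\S+)", line).groups()
        if control.startswith("["):
            actions = dict(item.split("=", 1) for item in control[1:-1].split())
        else:
            actions = KEYWORDS[control]
        stack.append((actions, module))
    return stack

def run_auth(stack, module_results):
    """Walk the stack with caller-supplied results ('success' or 'auth_err') per module.
    pam_deny.so always fails, pam_permit.so always succeeds, unlisted modules fail."""
    state, executed, i = None, [], 0
    while i < len(stack):
        actions, module = stack[i]
        executed.append(module)
        result = {"pam_deny.so": "auth_err", "pam_permit.so": "success"}.get(
            module, module_results.get(module, "auth_err"))
        action = actions.get(result, actions["default"])
        i += 1
        if action.isdigit():                  # N: same as 'ok', then skip the next N modules
            i += int(action)
            action = "ok"
        if action in ("ok", "done") and state is None:
            state = "PAM_SUCCESS"             # 'ok' never overrides an earlier failure
        elif action in ("bad", "die"):
            state = "PAM_AUTH_ERR"            # a failure sticks for the rest of the stack
        if action in ("done", "die"):         # these two also terminate the stack
            break
    return state or "PAM_AUTH_ERR", executed
```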

Manual NSS configuration

File: /etc/nsswitch.conf

passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       ldap

Base installation of the slapd daemon

shell# apt-get install slapd ldap-utils

Provide the LDAP administrator password

Setting up libltdl7 (2.2.6b-2) …
Setting up libperl5.10 (5.10.1-17squeeze2) …
Setting up libslp1 (1.2.1-7.8) …
Setting up ldap-utils (2.4.23-7.2) …
Setting up odbcinst (2.2.14p2-1) …
Setting up odbcinst1debian2 (2.2.14p2-1) …
Setting up unixodbc (2.2.14p2-1) …
Setting up slapd (2.4.23-7.2) …
  Creating new user openldap… done.
  Creating initial configuration… done.
  Creating LDAP directory… done.
Starting OpenLDAP: slapd.

Test the slapd daemon
root@LDAP-02:~# ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
dn: cn=module{0},cn=config
dn: cn=schema,cn=config
dn: cn={0}core,cn=schema,cn=config
dn: cn={1}cosine,cn=schema,cn=config
dn: cn={2}nis,cn=schema,cn=config
dn: cn={3}inetorgperson,cn=schema,cn=config
dn: olcBackend={0}hdb,cn=config
dn: olcDatabase={-1}frontend,cn=config
dn: olcDatabase={0}config,cn=config
dn: olcDatabase={1}hdb,cn=config

Set up the SSHA-hashed LDAP administrator password in the config database
shell# slappasswd
{SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXX

shell# ldapmodify -Y EXTERNAL -H ldapi:///
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0

Cut & Paste

dn: olcDatabase={0}config,cn=config
add: olcRootPW
olcRootPW: {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXX
modifying entry "olcDatabase={0}config,cn=config"

Display the LDAP server configuration

shell# slapcat
dn: dc=thor,dc=loc
objectClass: top
objectClass: dcObject
objectClass: organization
o: thor.loc
dc: thor
structuralObjectClass: organization
entryUUID: c4db9414-a018-1030-8c55-0544f97800ac
creatorsName: cn=admin,dc=thor,dc=loc
createTimestamp: 20111110185139Z
entryCSN: 20111110185139.949528Z#000000#000#000000
modifiersName: cn=admin,dc=thor,dc=loc
modifyTimestamp: 20111110185139Z

dn: cn=admin,dc=thor,dc=loc
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9bjMvbzA1UnFWTGFYTlBUMzlPZUxJNlBEZXNzZUhlN24=
structuralObjectClass: organizationalRole
entryUUID: c503f1b6-a018-1030-8c56-0544f97800ac
creatorsName: cn=admin,dc=thor,dc=loc
createTimestamp: 20111110185140Z
entryCSN: 20111110185140.214073Z#000000#000#000000
modifiersName: cn=admin,dc=thor,dc=loc
modifyTimestamp: 20111110185140Z

Configure the LDAP database

File: config.ldif

dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=thor,dc=loc
-
replace: olcRootDN
olcRootDN: cn=admin,dc=thor,dc=loc
-
replace: olcAccess
olcAccess: to attrs=userPassword by dn="cn=admin,dc=thor,dc=loc" write by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=thor,dc=loc" write by * read
-

shell# ldapmodify -Y EXTERNAL -H ldapi:/// -f config.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}hdb,cn=config"
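
slapd evaluates the four olcAccess rules above first-match on the "to" clause and then first-match on its "by" clauses, so "by anonymous auth" on userPassword lets a client bind but never read the hash, while the final "to * by * read" rule gives every other attribute to any requester, anonymous ones included. The Python below, added here and not part of the original notes or of slapd, parses those rules and answers what access a requester gets; the user DNs in the test are constructed, and the model leaves out slapd's entry-level checks and the dn.subtree defaults.

```python
import re

# The four olcAccess values from config.ldif above (copied for this example).
OLC_ACCESS = [
    'to attrs=userPassword by dn="cn=admin,dc=thor,dc=loc" write by anonymous auth by self write by * none',
    'to attrs=shadowLastChange by self write by * read',
    'to dn.base="" by * read',
    'to * by dn="cn=admin,dc=thor,dc=loc" write by * read',
]

def parse_rule(rule):
    """Split 'to <what> by <who> <level> by ...' into (what, [(who, level), ...])."""
    what, *clauses = re.split(r"\s+by\s+", rule[len("to "):])
    return what, [tuple(clause.rsplit(" ", 1)) for clause in clauses]

def what_matches(what, target_dn, attr):
    """Does the 'to' clause cover this attribute (None = the entry itself) of this DN?"""
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr is not None and attr.lower() in what[6:].lower().split(",")
    if what.startswith("dn.base="):
        return target_dn == what[8:].strip('"')
    return False

def who_matches(who, requester, target_dn):
    """Does the 'by' clause apply to this requester DN (None = anonymous)?"""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "self":
        return requester is not None and requester == target_dn
    return who.startswith("dn=") and requester == who[3:].strip('"')

def access(requester, target_dn, attr=None, rules=OLC_ACCESS):
    """Access level slapd grants: first matching 'to' rule, then its first matching 'by'."""
    for rule in rules:
        what, clauses = parse_rule(rule)
        if what_matches(what, target_dn, attr):
            for who, level in clauses:
                if who_matches(who, requester, target_dn):
                    return level
            return "none"                 # rule matched but no 'by' clause applied
    return "none"                         # no rule matched at all
```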

Test the new configuration

shell# ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W olcDatabase={1}hdb
Enter LDAP Password:
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcLastMod: TRUE
olcRootPW: {SSHA}n3/o05RqVLaXNPT39OeLI6PDesseHe7n
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcSuffix: dc=thor,dc=loc
olcRootDN: cn=admin,dc=thor,dc=loc
olcAccess: {0}to attrs=userPassword by dn="cn=admin,dc=thor,dc=loc" write by a
 nonymous auth by self write by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to dn.base="" by * read
olcAccess: {3}to * by dn="cn=admin,dc=thor,dc=loc" write by * read

Install the Xen VM-Tools in a Debian Linux virtual machine

I'm going to look for a virtual machine in the "halted" power-state to deploy the Xen VM-Tools on.

shell> xe vm-list | grep -B 3 "halt"

uuid ( RO)           : 21c6f196-69f4-748d-58e2-e4d1023c257b
name-label ( RW): Debian-Desktop-1.0
power-state ( RO): halted

Attach the xs-tools ISO to the VM's CD drive

shell> xe vm-cd-insert cd-name="xs-tools.iso" uuid=21c6f196-69f4-748d-58e2-e4d1023c257b

Check it

shell> xe vm-cd-list uuid=21c6f196-69f4-748d-58e2-e4d1023c257b
CD 0 VBD:
uuid ( RO)             : f99cb0b7-6d3a-9920-e8c3-99f630a95459
vm-name-label ( RO): Debian-Desktop-1.0
empty ( RO): false
userdevice ( RW): 3

CD 0 VDI:
uuid ( RO)             : eb7c6851-7d85-4982-a377-d5c30f916ee5
name-label ( RW): xs-tools.iso
sr-name-label ( RO): XenServer Tools
virtual-size ( RO): 66879488

Start the VM

shell> xe vm-start uuid=21c6f196-69f4-748d-58e2-e4d1023c257b

shell> xe vm-list | grep -A 1 -B 1 "Debian-Desktop"
uuid ( RO)           : 21c6f196-69f4-748d-58e2-e4d1023c257b
name-label ( RW): Debian-Desktop-1.0
power-state ( RO): running

shell> ssh simonalsa@Debian-01

shell> mount /dev/scd0 /mnt

shell> uname -a
Linux Debian-01 2.6.32-5-amd64 #1 SMP Wed Aug 31 16:50:35 UTC 2011 x86_64 GNU/Linux

shell> dpkg -i /mnt/Linux/xe-guest-utilities_1.0.0-647_amd64.deb
Selecting previously deselected package xe-guest-utilities.
(Reading database … 24211 files and directories currently installed.)
Unpacking xe-guest-utilities (from …/xe-guest-utilities_1.0.0-647_amd64.deb) …
Setting up xe-guest-utilities (1.0.0-647) …
Mounting xenfs on /proc/xen: OK
Detecting Linux distribution version: OK
Starting xe daemon:  OK

shell> umount /mnt

shell> reboot

It's done