Difference between revisions of "Manager"
From DHVLab
Wiki admin (talk | contribs) (→NFS Server) |
Wiki admin (talk | contribs) (→LDAP Server) |
||
(3 intermediate revisions by the same user not shown) | |||
Line 24: | Line 24: | ||
== DHCP Daemon == | == DHCP Daemon == | ||
+ | <syntaxhighlight lang="bash"> | ||
+ | #install required packages | ||
+ | yum install dhcp | ||
+ | </syntaxhighlight> | ||
+ | Edit configuration file <br/> | ||
+ | /etc/dhcp/dhcpd.conf | ||
+ | <syntaxhighlight lang="text"> | ||
+ | authoritative; | ||
+ | #DMZ network definition | ||
+ | subnet DMZ_NETWORK netmask DMZ_SUBNETMASK { | ||
+ | interface NIC2; | ||
+ | range DMZ_NETWORK_START_IP DMZ_NETWORK_END_IP; | ||
+ | default-lease-time 600; | ||
+ | max-lease-time 7200; | ||
+ | option domain-name "DMZ.YOUR_DOMAIN"; | ||
+ | option domain-name-servers MANAGER_DMZ_IP; | ||
+ | option broadcast-address DMZ_NETWORK_BROADCAST; | ||
+ | option subnet-mask DMZ_SUBNETMASK; | ||
+ | option routers MANAGER_DMZ_IP; | ||
+ | } | ||
+ | #Nodes network definition | ||
+ | subnet NODES_NETWORK netmask NODES_SUBNETMASK { | ||
+ | interface NIC1; | ||
+ | range NODE_NETWORK_START_IP NODE_NETWORK_START_IP; | ||
+ | default-lease-time 600; | ||
+ | max-lease-time 7200; | ||
+ | option domain-name "NODE.YOUR_DOMAIN"; | ||
+ | option domain-name-servers MANAGER_NODE_IP; | ||
+ | option broadcast-address NODE_NETWORK_BROADCAST; | ||
+ | option subnet-mask NODES_SUBNETMASK; | ||
+ | option routers MANAGER_NODES_IP; | ||
+ | } | ||
+ | #... | ||
+ | #define fixed addresses | ||
+ | host HOST_0_NAME { | ||
+ | hardware ethernet XX:XX:XX:XX:XX:XX; | ||
+ | fixed-address HOST_0_IP; | ||
+ | option host-name "HOST_0_NAME"; | ||
+ | } | ||
+ | host HOST_1_NAME { | ||
+ | hardware ethernet XX:XX:XX:XX:XX:XX; | ||
+ | fixed-address HOST_1_IP; | ||
+ | option host-name "HOST_1_NAME"; | ||
+ | } | ||
+ | #.... | ||
+ | </syntaxhighlight> | ||
− | == BIND Daemon == | + | |
+ | <syntaxhighlight lang="bash"> | ||
+ | systemctl start dhcpd.service | ||
+ | systemctl enable dhcpd.service | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | == BIND Daemon == | ||
+ | <syntaxhighlight lang="bash"> | ||
+ | #install required packages | ||
+ | yum install bind bind-utils | ||
+ | </syntaxhighlight> | ||
+ | /etc/named.conf | ||
+ | <syntaxhighlight lang="text"> | ||
+ | options { | ||
+ | listen-on port 53 { 127.0.0.1; DMZ_MANAGER_IP; NODES_MANAGER_IP;}; | ||
+ | directory "/var/named"; | ||
+ | dump-file "/var/named/data/cache_dump.db"; | ||
+ | statistics-file "/var/named/data/named_stats.txt"; | ||
+ | memstatistics-file "/var/named/data/named_mem_stats.txt"; | ||
+ | allow-query { 127.0.0.1; DMZ_NETWORK/24; NODES_NETWORK/24;}; | ||
+ | allow-transfer { trusted; }; | ||
+ | recursion yes; | ||
+ | forwarders { | ||
+ | LOCAL_DNS_SERVER_IP; | ||
+ | PROVIDER_DNS_SERVER_IP; | ||
+ | OTHER_DNS_SERVERS; | ||
+ | }; | ||
+ | forward only ; | ||
+ | dnssec-enable yes; | ||
+ | dnssec-validation yes; | ||
+ | bindkeys-file "/etc/named.iscdlv.key"; | ||
+ | managed-keys-directory "/var/named/dynamic"; | ||
+ | pid-file "/run/named/named.pid"; | ||
+ | session-keyfile "/run/named/session.key"; | ||
+ | }; | ||
+ | acl "trusted" { | ||
+ | localhost; | ||
+ | }; | ||
+ | logging { | ||
+ | channel default_debug { | ||
+ | file "data/named.run"; | ||
+ | severity dynamic; | ||
+ | }; | ||
+ | }; | ||
+ | zone "." IN { | ||
+ | type hint; | ||
+ | file "named.ca"; | ||
+ | }; | ||
+ | include "/etc/named.rfc1912.zones"; | ||
+ | include "/etc/named.root.key"; | ||
+ | include "/etc/named/named.conf.local"; | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | /etc/named/named.conf.local | ||
+ | <syntaxhighlight lang="text"> | ||
+ | zone "DMZ.YOUR_DOMAIN" IN { | ||
+ | type master; | ||
+ | file "/etc/named/zones/dmz.YOUR_DOMAIN.zone"; | ||
+ | }; | ||
+ | |||
+ | zone "XXX.XXX.XXX.in-addr.arpa" IN { | ||
+ | type master; | ||
+ | file "/etc/named/zones/XXX.XXX.XXX.zone"; | ||
+ | }; | ||
+ | |||
+ | zone "nodes.YOUR_DOMAIN" IN { | ||
+ | type master; | ||
+ | file "/etc/named/zones/nodes.YOUR_DOMAIN.zone"; | ||
+ | }; | ||
+ | |||
+ | zone "XXX.XXX.XXX.in-addr.arpa" IN { | ||
+ | type master; | ||
+ | file "/etc/named/zones/XXX.XXX.XXX.zone"; | ||
+ | }; | ||
+ | </syntaxhighlight> | ||
+ | Create zone files<br/> | ||
+ | /etc/named/zones/dmz.YOUR_DOMAIN.zone | ||
+ | <syntaxhighlight lang=""> | ||
+ | $TTL 1D | ||
+ | |||
+ | dmz.YOUR_DOMAIN. IN SOA MANAGER.dmz.YOUR_DOMAIN. YOUR_EMAIL.YOUR_DOMAIN. ( | ||
+ | 200612060 ; serial | ||
+ | 2H ; refresh slaves | ||
+ | 5M ; retry | ||
+ | 1W ; expire | ||
+ | 1M ; Negative TTL | ||
+ | ) | ||
+ | @ IN NS MANAGER.dmz.YOUR_DOMAIN. | ||
+ | MANAGER.YOUR_DOMAIN. IN A MANAGER_IP ; Firewall/Gateway | ||
+ | WEB.dmz.YOUR_DOMAIN. IN A WEBSERVER_IP ; Webserver | ||
+ | ... | ||
+ | </syntaxhighlight> | ||
+ | /etc/named/zones/XXX.XXX.XXX.zone | ||
+ | <syntaxhighlight lang="text"> | ||
+ | $TTL 1D | ||
+ | @ IN SOA MANAGER.dmz.YOUR_DOMAIN. YOUR_EMAIL.YOUR_DOMAIN. ( | ||
+ | 200612060 ; serial | ||
+ | 2H ; refresh slaves | ||
+ | 5M ; retry | ||
+ | 1W ; expire | ||
+ | 1M ; Negative TTL | ||
+ | ) | ||
+ | IN NS MANAGER.dmz.YOUR_DOMAIN. | ||
+ | XXX IN PTR MANAGER.dmz.YOUR_DOMAIN. | ||
+ | XXX IN PTR WEB.dmz.YOUR_DOMAIN. | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | <syntaxhighlight lang="bash"> | ||
+ | #fix permissions | ||
+ | chgrp named -R /var/named | ||
+ | chown -v root:named /etc/named.conf | ||
+ | |||
+ | #enable service | ||
+ | systemctl enable named | ||
+ | systemctl start named | ||
+ | |||
+ | #use own nameserver | ||
+ | echo "nameserver localhost" >> /etc/resolv.conf | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | For further information read [http://ftp.isc.org/isc/bind9/cur/9.9/doc/arm/Bv9ARM.pdf BIND Documentation] | ||
== LDAP Server == | == LDAP Server == | ||
+ | |||
+ | <syntaxhighlight lang="bash"> | ||
+ | #install required packages | ||
+ | yum install openldap-servers libtool-ltdl openldap-clients openldap gnutls-bin ssl-cert | ||
+ | |||
+ | #create directory for LDIF files | ||
+ | mkdir /etc/openldap/ldif | ||
+ | chown ldap:ldap /etc/openldap/ldif | ||
+ | nano -w /etc/openldap/ldap.conf | ||
+ | </syntaxhighlight> | ||
+ | <syntaxhighlight lang="text"> | ||
+ | BASE dc=YOUR_DOMAIN,dc=YOUR_TLD | ||
+ | URI ldap://MANAGER | ||
+ | TLS_CACERTDIR /etc/openldap/certs | ||
+ | TLS_REQCERT allow | ||
+ | SASL_NOCANON on | ||
+ | </syntaxhighlight> | ||
+ | Setup the database | ||
+ | <syntaxhighlight lang="bash"> | ||
+ | cp -a /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG | ||
+ | chown ldap:ldap /var/lib/ldap/DB_CONFIG | ||
+ | </syntaxhighlight> | ||
+ | <syntaxhighlight lang="bash"> | ||
+ | #start SLAPD | ||
+ | systemctl start slapd.service | ||
+ | systemctl enable slapd.service | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | === Configuration === | ||
+ | <syntaxhighlight lang="bash"> | ||
+ | #generate master password | ||
+ | /usr/sbin/slappasswd -h {SSHA} | ||
+ | </syntaxhighlight> | ||
+ | Now generate the corresponding LDIF<br/> | ||
+ | /etc/openldap/ldif/cn=config_olcRootPW.ldif | ||
+ | <syntaxhighlight lang="text"> | ||
+ | dn: olcDatabase={0}config,cn=config | ||
+ | changetype: modify | ||
+ | replace: olcRootPW | ||
+ | olcRootPW: {SSHA}XXXXXXXXXXXXXXXXXXXXXXX | ||
+ | </syntaxhighlight> | ||
+ | Now apply the LDIF by executing | ||
+ | <syntaxhighlight lang="bash"> | ||
+ | ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/ldif/cn\=config_olcRootPW.ldif | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | /etc/openldap/ldif/01-cn=config_BaseDN.ldif | ||
+ | <syntaxhighlight lang="text"> | ||
+ | #create base DN | ||
+ | dn: olcDatabase={1}monitor,cn=config | ||
+ | changetype: modify | ||
+ | replace: olcAccess | ||
+ | olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=YOUR_DOMAIN,dc=YOUR_TLD" read by * none | ||
+ | |||
+ | dn: olcDatabase={2}hdb,cn=config | ||
+ | changetype: modify | ||
+ | replace: olcSuffix | ||
+ | olcSuffix: dc=YOUR_DOMAIN,dc=YOUR_TLD | ||
+ | |||
+ | dn: olcDatabase={2}hdb,cn=config | ||
+ | changetype: modify | ||
+ | replace: olcRootDN | ||
+ | olcRootDN: cn=Manager,dc=YOUR_DOMAIN,dc=YOUR_TLD | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | /etc/openldap/ldif/02-cn=config_ManagerPW.ldif | ||
+ | <syntaxhighlight lang="text"> | ||
+ | dn: olcDatabase={2}hdb,cn=config | ||
+ | changetype: modify | ||
+ | add: olcRootPW | ||
+ | olcRootPW: {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | /etc/openldap/ldif/03-cn=config_GLOBAL_olcIdleTimeout.ldif | ||
+ | <syntaxhighlight lang="text"> | ||
+ | #modify IdleTimeout | ||
+ | dn: cn=config | ||
+ | changetype: modify | ||
+ | add: olcIdleTimeout | ||
+ | olcIdleTimeout: 15 | ||
+ | </syntaxhighlight> | ||
+ | See [https://www.digitalocean.com/community/tutorials/how-to-encrypt-openldap-connections-using-starttls#create-ca-key-and-certificate StartTLS] how to generate the certificates. | ||
+ | |||
+ | /etc/openldap/ldif/04-cn=config_TLS_olcTLSProtocolMin.ldif | ||
+ | <syntaxhighlight lang="text"> | ||
+ | #set minimal TLS version to 3.1 | ||
+ | dn: cn=config | ||
+ | changetype: modify | ||
+ | add: olcTLSProtocolMin | ||
+ | olcTLSProtocolMin: 3.1 | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | /etc/openldap/ldif/05-cn=config_TLS.ldif | ||
+ | <syntaxhighlight lang="text"> | ||
+ | #add TLS support and certificates | ||
+ | dn: cn=config | ||
+ | changetype: modify | ||
+ | replace: olcTLSCipherSuite | ||
+ | olcTLSCipherSuite: HIGH | ||
+ | - | ||
+ | replace: olcTLSCertificateFile | ||
+ | olcTLSCertificateFile: /etc/pki/openldap/certs/cert.pem | ||
+ | - | ||
+ | replace: olcTLSCertificateKeyFile | ||
+ | olcTLSCertificateKeyFile: /etc/pki/openldap/private/key.pem | ||
+ | - | ||
+ | replace: olcTLSCACertificateFile | ||
+ | olcTLSCACertificateFile: /etc/pki/openldap/certs/CAcert.pem | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | /etc/openldap/ldif/06-cn=config_DIT.ldif | ||
+ | <syntaxhighlight lang="text"> | ||
+ | #create structure | ||
+ | dn: dc=YOUR_DOMAIN,dc=YOUR_TLD | ||
+ | dc: YOUR_DOMAIN | ||
+ | ou: YOUR_DOMAIN dot YOUR_TLD | ||
+ | objectClass: top | ||
+ | objectClass: dcObject | ||
+ | objectClass: organizationalUnit | ||
+ | |||
+ | # People | ||
+ | dn: ou=People,dc=YOUR_DOMAIN,dc=YOUR_TLD | ||
+ | ou: People | ||
+ | objectClass: top | ||
+ | objectClass: organizationalUnit | ||
+ | |||
+ | # Group | ||
+ | dn: ou=Group,dc=YOUR_DOMAIN,dc=YOUR_TLD | ||
+ | ou: Group | ||
+ | objectClass: top | ||
+ | objectClass: organizationalUnit | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | /etc/openldap/ldif/07-cn=config_DisableAnonymousBind.ldif | ||
+ | <syntaxhighlight lang="text"> | ||
+ | #disallow anonymous users to query LDAP | ||
+ | dn: cn=config | ||
+ | changetype: modify | ||
+ | add: olcDisallows | ||
+ | olcDisallows: bind_anon | ||
+ | - | ||
+ | add: olcRequires | ||
+ | olcRequires: authc | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | /etc/openldap/ldif/08-cn=config_CreateDbIndex.ldif | ||
+ | <syntaxhighlight lang="text"> | ||
+ | #create and define indexes for LDAP | ||
+ | #http://www.zytrax.com/books/ldap/apa/indeces.html | ||
+ | dn: olcDatabase={2}hdb,cn=config | ||
+ | changetype: modify | ||
+ | add: olcDbIndex | ||
+ | olcDbIndex: uidNumber,gidNumber,loginShell eq,pres | ||
+ | olcDbIndex: uid,memberUid eq,pres,sub | ||
+ | olcDbIndex: nisMapName,nisMapEntry eq,pres,sub | ||
+ | olcDbIndex: uniqueMember eq,pres | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | /etc/openldap/ldif/12-cn=config_SudoGroup.ldif | ||
+ | <syntaxhighlight lang="text"> | ||
+ | #Add group of users that can sudo | ||
+ | dn: cn=YOUR_ADMIN_GROUP, ou=Group, dc=YOUR_DOMAIN,dc=YOUR_TLD | ||
+ | cn: sysops | ||
+ | gidNumber: YOUR_ADMIN_GROUP_GID | ||
+ | description: Group can sudo without restriction | ||
+ | objectclass: posixGroup | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | /etc/openldap/ldif/13-cn=config_AddUniqueIndex.ldif | ||
+ | <syntaxhighlight lang="text"> | ||
+ | #create unique indexes | ||
+ | dn: cn=module{0},cn=config | ||
+ | changetype: add | ||
+ | objectClass: olcModuleList | ||
+ | cn: module{0} | ||
+ | olcModuleLoad: /usr/lib64/openldap/unique.la | ||
+ | |||
+ | dn: olcOverlay=unique,olcDatabase={2}hdb,cn=config | ||
+ | changetype: add | ||
+ | objectClass: olcUniqueConfig | ||
+ | objectClass: olcOverlayConfig | ||
+ | objectClass: olcConfig | ||
+ | objectClass: top | ||
+ | olcOverlay: unique | ||
+ | |||
+ | dn: olcOverlay={4}unique,olcDatabase={2}hdb,cn=config | ||
+ | changetype: modify | ||
+ | add: olcUniqueURI | ||
+ | olcUniqueURI: ldap:///?uid?sub | ||
+ | olcUniqueURI: ldap:///?uidNumber?sub | ||
+ | olcUniqueURI: ldap:///?homeDirectory?sub | ||
+ | </syntaxhighlight> |
Latest revision as of 22:19, 9 September 2016
Contents
Network Configuration
NFS Server
#install required packages
yum install nfs-utils libnfsidmap
#create exports
cat << EOT >> /etc/exports
/exports/homes DMZ_NETWORK/DMZ_SUBNETMASK (rw,sync,no_root_squash,no_all_squash,fsid=1)
NODE_NETWORK/NODE_SUBNETMASK(rw,sync,no_root_squash,no_all_squash,fsid=1)
EOT
#start and enable NFS server
systemctl enable rpcbind
systemctl enable nfs-server
systemctl start rpcbind
systemctl start nfs-server
systemctl start rpc-statd
systemctl start nfs-idmapd
DHCP Daemon
#install required packages
yum install dhcp
Edit configuration file
/etc/dhcp/dhcpd.conf
authoritative;
#DMZ network definition
subnet DMZ_NETWORK netmask DMZ_SUBNETMASK {
interface NIC2;
range DMZ_NETWORK_START_IP DMZ_NETWORK_END_IP;
default-lease-time 600;
max-lease-time 7200;
option domain-name "DMZ.YOUR_DOMAIN";
option domain-name-servers MANAGER_DMZ_IP;
option broadcast-address DMZ_NETWORK_BROADCAST;
option subnet-mask DMZ_SUBNETMASK;
option routers MANAGER_DMZ_IP;
}
#Nodes network definition
subnet NODES_NETWORK netmask NODES_SUBNETMASK {
interface NIC1;
range NODE_NETWORK_START_IP NODE_NETWORK_START_IP;
default-lease-time 600;
max-lease-time 7200;
option domain-name "NODE.YOUR_DOMAIN";
option domain-name-servers MANAGER_NODE_IP;
option broadcast-address NODE_NETWORK_BROADCAST;
option subnet-mask NODES_SUBNETMASK;
option routers MANAGER_NODES_IP;
}
#...
#define fixed addresses
host HOST_0_NAME {
hardware ethernet XX:XX:XX:XX:XX:XX;
fixed-address HOST_0_IP;
option host-name "HOST_0_NAME";
}
host HOST_1_NAME {
hardware ethernet XX:XX:XX:XX:XX:XX;
fixed-address HOST_1_IP;
option host-name "HOST_1_NAME";
}
#....
systemctl start dhcpd.service
systemctl enable dhcpd.service
BIND Daemon
#install required packages
yum install bind bind-utils
/etc/named.conf
options {
listen-on port 53 { 127.0.0.1; DMZ_MANAGER_IP; NODES_MANAGER_IP;};
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { 127.0.0.1; DMZ_NETWORK/24; NODES_NETWORK/24;};
allow-transfer { trusted; };
recursion yes;
forwarders {
LOCAL_DNS_SERVER_IP;
PROVIDER_DNS_SERVER_IP;
OTHER_DNS_SERVERS;
};
forward only ;
dnssec-enable yes;
dnssec-validation yes;
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
acl "trusted" {
localhost;
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/etc/named/named.conf.local";
/etc/named/named.conf.local
zone "DMZ.YOUR_DOMAIN" IN {
type master;
file "/etc/named/zones/dmz.YOUR_DOMAIN.zone";
};
zone "XXX.XXX.XXX.in-addr.arpa" IN {
type master;
file "/etc/named/zones/XXX.XXX.XXX.zone";
};
zone "nodes.YOUR_DOMAIN" IN {
type master;
file "/etc/named/zones/nodes.YOUR_DOMAIN.zone";
};
zone "XXX.XXX.XXX.in-addr.arpa" IN {
type master;
file "/etc/named/zones/XXX.XXX.XXX.zone";
};
Create zone files
/etc/named/zones/dmz.YOUR_DOMAIN.zone
$TTL 1D
dmz.YOUR_DOMAIN. IN SOA MANAGER.dmz.YOUR_DOMAIN. YOUR_EMAIL.YOUR_DOMAIN. (
200612060 ; serial
2H ; refresh slaves
5M ; retry
1W ; expire
1M ; Negative TTL
)
@ IN NS MANAGER.dmz.YOUR_DOMAIN.
MANAGER.YOUR_DOMAIN. IN A MANAGER_IP ; Firewall/Gateway
WEB.dmz.YOUR_DOMAIN. IN A WEBSERVER_IP ; Webserver
...
/etc/named/zones/XXX.XXX.XXX.zone
$TTL 1D
@ IN SOA MANAGER.dmz.YOUR_DOMAIN. YOUR_EMAIL.YOUR_DOMAIN. (
200612060 ; serial
2H ; refresh slaves
5M ; retry
1W ; expire
1M ; Negative TTL
)
IN NS MANAGER.dmz.YOUR_DOMAIN.
XXX IN PTR MANAGER.dmz.YOUR_DOMAIN.
XXX IN PTR WEB.dmz.YOUR_DOMAIN.
#fix permissions
chgrp named -R /var/named
chown -v root:named /etc/named.conf
#enable service
systemctl enable named
systemctl start named
#use own nameserver
echo "nameserver localhost" >> /etc/resolv.conf
For further information read BIND Documentation
LDAP Server
#install required packages
yum install openldap-servers libtool-ltdl openldap-clients openldap gnutls-bin ssl-cert
#create directory for LDIF files
mkdir /etc/openldap/ldif
chown ldap:ldap /etc/openldap/ldif
nano -w /etc/openldap/ldap.conf
BASE dc=YOUR_DOMAIN,dc=YOUR_TLD
URI ldap://MANAGER
TLS_CACERTDIR /etc/openldap/certs
TLS_REQCERT allow
SASL_NOCANON on
Setup the database
cp -a /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap:ldap /var/lib/ldap/DB_CONFIG
#start SLAPD
systemctl start slapd.service
systemctl enable slapd.service
Configuration
#generate master password
/usr/sbin/slappasswd -h {SSHA}
Now generate the corresponding LDIF
/etc/openldap/ldif/cn=config_olcRootPW.ldif
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}XXXXXXXXXXXXXXXXXXXXXXX
Now apply the LDIF by executing
ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/ldif/cn\=config_olcRootPW.ldif
/etc/openldap/ldif/01-cn=config_BaseDN.ldif
#create base DN
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=YOUR_DOMAIN,dc=YOUR_TLD" read by * none
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=YOUR_DOMAIN,dc=YOUR_TLD
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=YOUR_DOMAIN,dc=YOUR_TLD
/etc/openldap/ldif/02-cn=config_ManagerPW.ldif
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
/etc/openldap/ldif/03-cn=config_GLOBAL_olcIdleTimeout.ldif
#modify IdleTimeout
dn: cn=config
changetype: modify
add: olcIdleTimeout
olcIdleTimeout: 15
See StartTLS how to generate the certificates.
/etc/openldap/ldif/04-cn=config_TLS_olcTLSProtocolMin.ldif
#set minimal TLS version to 3.1
dn: cn=config
changetype: modify
add: olcTLSProtocolMin
olcTLSProtocolMin: 3.1
/etc/openldap/ldif/05-cn=config_TLS.ldif
#add TLS support and certificates
dn: cn=config
changetype: modify
replace: olcTLSCipherSuite
olcTLSCipherSuite: HIGH
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/pki/openldap/certs/cert.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/pki/openldap/private/key.pem
-
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/pki/openldap/certs/CAcert.pem
/etc/openldap/ldif/06-cn=config_DIT.ldif
#create structure
dn: dc=YOUR_DOMAIN,dc=YOUR_TLD
dc: YOUR_DOMAIN
ou: YOUR_DOMAIN dot YOUR_TLD
objectClass: top
objectClass: dcObject
objectClass: organizationalUnit
# People
dn: ou=People,dc=YOUR_DOMAIN,dc=YOUR_TLD
ou: People
objectClass: top
objectClass: organizationalUnit
# Group
dn: ou=Group,dc=YOUR_DOMAIN,dc=YOUR_TLD
ou: Group
objectClass: top
objectClass: organizationalUnit
/etc/openldap/ldif/07-cn=config_DisableAnonymousBind.ldif
#disallow anonymous users to query LDAP
dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon
-
add: olcRequires
olcRequires: authc
/etc/openldap/ldif/08-cn=config_CreateDbIndex.ldif
#create and define indexes for LDAP
#http://www.zytrax.com/books/ldap/apa/indeces.html
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uidNumber,gidNumber,loginShell eq,pres
olcDbIndex: uid,memberUid eq,pres,sub
olcDbIndex: nisMapName,nisMapEntry eq,pres,sub
olcDbIndex: uniqueMember eq,pres
/etc/openldap/ldif/12-cn=config_SudoGroup.ldif
#Add group of users that can sudo
dn: cn=YOUR_ADMIN_GROUP, ou=Group, dc=YOUR_DOMAIN,dc=YOUR_TLD
cn: sysops
gidNumber: YOUR_ADMIN_GROUP_GID
description: Group can sudo without restriction
objectclass: posixGroup
/etc/openldap/ldif/13-cn=config_AddUniqueIndex.ldif
#create unique indexes
dn: cn=module{0},cn=config
changetype: add
objectClass: olcModuleList
cn: module{0}
olcModuleLoad: /usr/lib64/openldap/unique.la
dn: olcOverlay=unique,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcUniqueConfig
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: unique
dn: olcOverlay={4}unique,olcDatabase={2}hdb,cn=config
changetype: modify
add: olcUniqueURI
olcUniqueURI: ldap:///?uid?sub
olcUniqueURI: ldap:///?uidNumber?sub
olcUniqueURI: ldap:///?homeDirectory?sub