Difference between revisions of "Manager"


(BIND Daemon)
(LDAP Server)
 
Line 194: Line 194:
  
 
== LDAP Server ==
 
== LDAP Server ==
 +
 +
<syntaxhighlight lang="bash">
 +
#install required packages
 +
yum install openldap-servers libtool-ltdl openldap-clients openldap gnutls-bin ssl-cert
 +
 +
#create directory for LDIF files
 +
mkdir /etc/openldap/ldif
 +
chown ldap:ldap /etc/openldap/ldif
 +
nano -w /etc/openldap/ldap.conf
 +
</syntaxhighlight>
 +
<syntaxhighlight lang="text">
 +
BASE    dc=YOUR_DOMAIN,dc=YOUR_TLD
 +
URI    ldap://MANAGER
 +
TLS_CACERTDIR  /etc/openldap/certs
 +
TLS_REQCERT    allow
 +
SASL_NOCANON    on
 +
</syntaxhighlight>
 +
Setup the database
 +
<syntaxhighlight lang="bash">
 +
cp -a /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
 +
chown ldap:ldap /var/lib/ldap/DB_CONFIG
 +
</syntaxhighlight>
 +
<syntaxhighlight lang="bash">
 +
#start SLAPD
 +
systemctl start slapd.service
 +
systemctl enable slapd.service
 +
</syntaxhighlight>
 +
 +
=== Configuration ===
 +
<syntaxhighlight lang="bash">
 +
#generate master password
 +
/usr/sbin/slappasswd -h {SSHA}
 +
</syntaxhighlight>
 +
Now generate the corresponding LDIF<br/>
 +
/etc/openldap/ldif/cn=config_olcRootPW.ldif
 +
<syntaxhighlight lang="text">
 +
dn: olcDatabase={0}config,cn=config
 +
changetype: modify
 +
replace: olcRootPW
 +
olcRootPW: {SSHA}XXXXXXXXXXXXXXXXXXXXXXX
 +
</syntaxhighlight>
 +
Now apply the LDIF by executing
 +
<syntaxhighlight lang="bash">
 +
ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/ldif/cn\=config_olcRootPW.ldif
 +
</syntaxhighlight>
 +
 +
/etc/openldap/ldif/01-cn=config_BaseDN.ldif
 +
<syntaxhighlight lang="text">
 +
#create base DN
 +
dn: olcDatabase={1}monitor,cn=config
 +
changetype: modify
 +
replace: olcAccess
 +
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=YOUR_DOMAIN,dc=YOUR_TLD" read by * none
 +
 +
dn: olcDatabase={2}hdb,cn=config
 +
changetype: modify
 +
replace: olcSuffix
 +
olcSuffix: dc=YOUR_DOMAIN,dc=YOUR_TLD
 +
 +
dn: olcDatabase={2}hdb,cn=config
 +
changetype: modify
 +
replace: olcRootDN
 +
olcRootDN: cn=Manager,dc=YOUR_DOMAIN,dc=YOUR_TLD
 +
</syntaxhighlight>
 +
 +
/etc/openldap/ldif/02-cn=config_ManagerPW.ldif
 +
<syntaxhighlight lang="text">
 +
dn: olcDatabase={2}hdb,cn=config
 +
changetype: modify
 +
add: olcRootPW
 +
olcRootPW: {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 +
</syntaxhighlight>
 +
 +
/etc/openldap/ldif/03-cn=config_GLOBAL_olcIdleTimeout.ldif
 +
<syntaxhighlight lang="text">
 +
#modify IdleTimeout
 +
dn: cn=config
 +
changetype: modify
 +
add: olcIdleTimeout
 +
olcIdleTimeout: 15
 +
</syntaxhighlight>
 +
See [https://www.digitalocean.com/community/tutorials/how-to-encrypt-openldap-connections-using-starttls#create-ca-key-and-certificate StartTLS] how to generate the certificates.
 +
 +
/etc/openldap/ldif/04-cn=config_TLS_olcTLSProtocolMin.ldif
 +
<syntaxhighlight lang="text">
 +
#set minimal TLS version to 3.1
 +
dn: cn=config
 +
changetype: modify
 +
add: olcTLSProtocolMin
 +
olcTLSProtocolMin: 3.1
 +
</syntaxhighlight>
 +
 +
/etc/openldap/ldif/05-cn=config_TLS.ldif
 +
<syntaxhighlight lang="text">
 +
#add TLS support and certificates
 +
dn: cn=config
 +
changetype: modify
 +
replace: olcTLSCipherSuite
 +
olcTLSCipherSuite: HIGH
 +
-
 +
replace: olcTLSCertificateFile
 +
olcTLSCertificateFile: /etc/pki/openldap/certs/cert.pem
 +
-
 +
replace: olcTLSCertificateKeyFile
 +
olcTLSCertificateKeyFile: /etc/pki/openldap/private/key.pem
 +
-
 +
replace: olcTLSCACertificateFile
 +
olcTLSCACertificateFile: /etc/pki/openldap/certs/CAcert.pem
 +
</syntaxhighlight>
 +
 +
/etc/openldap/ldif/06-cn=config_DIT.ldif
 +
<syntaxhighlight lang="text">
 +
#create structure
 +
dn: dc=YOUR_DOMAIN,dc=YOUR_TLD
 +
dc: YOUR_DOMAIN
 +
ou: YOUR_DOMAIN dot YOUR_TLD
 +
objectClass: top
 +
objectClass: dcObject
 +
objectClass: organizationalUnit
 +
 +
# People
 +
dn: ou=People,dc=YOUR_DOMAIN,dc=YOUR_TLD
 +
ou: People
 +
objectClass: top
 +
objectClass: organizationalUnit
 +
 +
# Group
 +
dn: ou=Group,dc=YOUR_DOMAIN,dc=YOUR_TLD
 +
ou: Group
 +
objectClass: top
 +
objectClass: organizationalUnit
 +
</syntaxhighlight>
 +
 +
/etc/openldap/ldif/07-cn=config_DisableAnonymousBind.ldif
 +
<syntaxhighlight lang="text">
 +
#disallow anonymous users to query LDAP
 +
dn: cn=config
 +
changetype: modify
 +
add: olcDisallows
 +
olcDisallows: bind_anon
 +
-
 +
add: olcRequires
 +
olcRequires: authc
 +
</syntaxhighlight>
 +
 +
/etc/openldap/ldif/08-cn=config_CreateDbIndex.ldif
 +
<syntaxhighlight lang="text">
 +
#create and define indexes for LDAP
 +
#http://www.zytrax.com/books/ldap/apa/indeces.html
 +
dn: olcDatabase={2}hdb,cn=config
 +
changetype: modify
 +
add: olcDbIndex
 +
olcDbIndex: uidNumber,gidNumber,loginShell eq,pres
 +
olcDbIndex: uid,memberUid eq,pres,sub
 +
olcDbIndex: nisMapName,nisMapEntry eq,pres,sub
 +
olcDbIndex: uniqueMember eq,pres
 +
</syntaxhighlight>
 +
 +
/etc/openldap/ldif/12-cn=config_SudoGroup.ldif
 +
<syntaxhighlight lang="text">
 +
#Add group of users that can sudo
 +
dn: cn=YOUR_ADMIN_GROUP, ou=Group, dc=YOUR_DOMAIN,dc=YOUR_TLD
 +
cn: sysops
 +
gidNumber: YOUR_ADMIN_GROUP_GID
 +
description: Group can sudo without restriction
 +
objectclass: posixGroup
 +
</syntaxhighlight>
 +
 +
/etc/openldap/ldif/13-cn=config_AddUniqueIndex.ldif
 +
<syntaxhighlight lang="text">
 +
#create unique indexes
 +
dn: cn=module{0},cn=config
 +
changetype: add
 +
objectClass: olcModuleList
 +
cn: module{0}
 +
olcModuleLoad: /usr/lib64/openldap/unique.la
 +
 +
dn: olcOverlay=unique,olcDatabase={2}hdb,cn=config
 +
changetype: add
 +
objectClass: olcUniqueConfig
 +
objectClass: olcOverlayConfig
 +
objectClass: olcConfig
 +
objectClass: top
 +
olcOverlay: unique
 +
 +
dn: olcOverlay={4}unique,olcDatabase={2}hdb,cn=config
 +
changetype: modify
 +
add: olcUniqueURI
 +
olcUniqueURI: ldap:///?uid?sub
 +
olcUniqueURI: ldap:///?uidNumber?sub
 +
olcUniqueURI: ldap:///?homeDirectory?sub
 +
</syntaxhighlight>
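Review bot: `olcTLSProtocolMin: 3.1` in 04-cn=config_TLS_olcTLSProtocolMin.ldif leaves TLS 1.0 enabled rather than setting a "TLS 3.1" floor, because slapd-config(5) encodes the value as SSL major.minor (3.1 = TLS 1.0, 3.2 = TLS 1.1, 3.3 = TLS 1.2); the fix is `olcTLSProtocolMin: 3.3` with the comment reworded to `#require TLS 1.2 or newer (3.3 in slapd-config notation)`. The client half of the same hunk has the matching gap: `TLS_REQCERT allow` in /etc/openldap/ldap.conf lets the ldap tools continue when the server certificate cannot be verified, so the CA installed by 05-cn=config_TLS.ldif is never enforced on this host. `TLS_REQCERT demand` together with `TLS_CACERT /etc/pki/openldap/certs/CAcert.pem` (the path the server-side LDIF already uses) closes that. Both values only matter once clients actually use StartTLS (`-ZZ`) or ldaps://, which the `URI ldap://MANAGER` line does not request by itself.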

Latest revision as of 22:19, 9 September 2016


Network Configuration

NFS Server

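#install required packages
yum install nfs-utils libnfsidmap

#create exports
# One export line; every client spec is followed IMMEDIATELY by its option list.
# In exports(5) a space before "(...)" means the options apply to the world ("*")
# and the named client only gets the defaults - that is what the original
# "DMZ_NETWORK/DMZ_SUBNETMASK  (rw,...)" line did, i.e. a world-writable export.
# no_root_squash: root on any host in these networks is root on /exports/homes.
# Keep it only if home directories must be managed as root from the clients;
# otherwise drop it (root_squash is the default). no_all_squash is the default.
cat <<'EOT' >> /etc/exports
/exports/homes DMZ_NETWORK/DMZ_SUBNETMASK(rw,sync,no_root_squash,no_all_squash,fsid=1) NODE_NETWORK/NODE_SUBNETMASK(rw,sync,no_root_squash,no_all_squash,fsid=1)
EOT

#start and enable NFS server
# rpcbind first: nfs-server, rpc-statd and nfs-idmapd register with it.
systemctl enable rpcbind
systemctl enable nfs-server
systemctl start rpcbind
systemctl start nfs-server
systemctl start rpc-statd
systemctl start nfs-idmapd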

DHCP Daemon

#install required packages (ISC DHCP server; the service is dhcpd, started below)
yum install dhcp

Edit the configuration file
/etc/dhcp/dhcpd.conf

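authoritative;
# Placeholders (*_NETWORK, *_SUBNETMASK, *_IP) must match the networks used in
# the NFS exports and in BIND's allow-query list on this page.
#DMZ network definition
subnet DMZ_NETWORK netmask DMZ_SUBNETMASK {
        # NOTE(review): "interface" is not a dhcpd.conf subnet parameter as far as
        # I can tell - dhcpd selects interfaces from its command line (DHCPDARGS in
        # /etc/sysconfig/dhcpd on CentOS). Confirm with `dhcpd -t` and remove if rejected.
        interface NIC2;
        range DMZ_NETWORK_START_IP DMZ_NETWORK_END_IP;
        default-lease-time 600;
        max-lease-time 7200;
        option domain-name "DMZ.YOUR_DOMAIN";
        # The manager is resolver (BIND section) and gateway for this network.
        option domain-name-servers MANAGER_DMZ_IP;
        option broadcast-address DMZ_NETWORK_BROADCAST;
        option subnet-mask DMZ_SUBNETMASK;
        option routers MANAGER_DMZ_IP;
}
#Nodes network definition
subnet NODES_NETWORK netmask NODES_SUBNETMASK {
        interface NIC1;
        # Original read "START_IP START_IP", i.e. a pool of exactly one address.
        range NODE_NETWORK_START_IP NODE_NETWORK_END_IP;
        default-lease-time 600;
        max-lease-time 7200;
        # Must equal the zone served by BIND ("nodes.YOUR_DOMAIN" in
        # named.conf.local); the original said "NODE.YOUR_DOMAIN".
        option domain-name "NODES.YOUR_DOMAIN";
        # Same host as "routers" below; the original mixed MANAGER_NODE_IP and
        # MANAGER_NODES_IP for what is one address.
        option domain-name-servers MANAGER_NODES_IP;
        option broadcast-address NODE_NETWORK_BROADCAST;
        option subnet-mask NODES_SUBNETMASK;
        option routers MANAGER_NODES_IP;
}
#...
#define fixed addresses
# One host block per node, keyed by MAC address. A MAC address is not an
# identity - any host on the segment can present it - so fixed-address is a
# convenience for the nodes, not an access control.
host HOST_0_NAME {
                hardware ethernet XX:XX:XX:XX:XX:XX;
                fixed-address HOST_0_IP;
                option host-name "HOST_0_NAME";
}
host HOST_1_NAME {
                hardware ethernet XX:XX:XX:XX:XX:XX;
                fixed-address HOST_1_IP;
                option host-name "HOST_1_NAME";
}
#....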


#start and enable the DHCP server; `dhcpd -t` syntax-checks dhcpd.conf beforehand
systemctl start dhcpd.service
systemctl enable dhcpd.service

BIND Daemon

#install required packages (named itself plus dig/named-checkconf/named-checkzone from bind-utils)
yum install bind bind-utils

/etc/named.conf

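// An ACL has to be declared before anything references it; "trusted" is used
// by allow-transfer inside options, so it comes first (the original declared
// it after options, which named-checkconf rejects as an undefined ACL).
acl "trusted" {
        localhost;
};
options {
        // Answer only on loopback and the two internal manager addresses
        // (the addresses the DHCP section hands out as domain-name-servers).
        listen-on port 53 { 127.0.0.1; DMZ_MANAGER_IP; NODES_MANAGER_IP;};
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        // Queries and recursion only for the internal networks. /24 is
        // hard-coded here while the DHCP and NFS sections use *_SUBNETMASK
        // placeholders - keep them in step. allow-recursion is spelled out so
        // the restriction does not depend on BIND's fallback to allow-query.
        allow-query     { 127.0.0.1; DMZ_NETWORK/24; NODES_NETWORK/24;};
        allow-recursion { 127.0.0.1; DMZ_NETWORK/24; NODES_NETWORK/24;};
        // Zone transfers to localhost only (see acl "trusted").
        allow-transfer { trusted; };
        recursion yes;
        // Everything non-authoritative is sent to these upstreams and never
        // resolved directly from the roots ("forward only").
        forwarders {
                LOCAL_DNS_SERVER_IP;
                PROVIDER_DNS_SERVER_IP;
                OTHER_DNS_SERVERS;
        };
        forward only;
        // NOTE(review): dnssec-enable has been removed from recent BIND
        // releases; drop the line if named-checkconf rejects it.
        // dnssec-validation is what actually enforces validation.
        dnssec-enable yes;
        dnssec-validation yes;
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "." IN {
        type hint;
        file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
// The authoritative zones for the DMZ and node networks (listed below).
include "/etc/named/named.conf.local";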

/etc/named/named.conf.local

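// Zones the manager serves authoritatively. Every zone needs a distinct name
// and file: the original listed "XXX.XXX.XXX.in-addr.arpa" twice with the same
// file, which named reports as a duplicate zone and refuses to load.
zone "DMZ.YOUR_DOMAIN" IN {
        type master;
        file "/etc/named/zones/dmz.YOUR_DOMAIN.zone";
};

// Reverse zone for DMZ_NETWORK (XXX.XXX.XXX = its first three octets, reversed).
zone "XXX.XXX.XXX.in-addr.arpa" IN {
        type master;
        file "/etc/named/zones/XXX.XXX.XXX.zone";
};

zone "nodes.YOUR_DOMAIN" IN {
        type master;
        file "/etc/named/zones/nodes.YOUR_DOMAIN.zone";
};

// Reverse zone for NODES_NETWORK (YYY.YYY.YYY = its first three octets, reversed).
zone "YYY.YYY.YYY.in-addr.arpa" IN {
        type master;
        file "/etc/named/zones/YYY.YYY.YYY.zone";
};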

Create the zone files
/etc/named/zones/dmz.YOUR_DOMAIN.zone

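$TTL 1D

; Forward zone for the DMZ. DNS names are case-insensitive, so this is the
; "DMZ.YOUR_DOMAIN" zone from named.conf.local.
dmz.YOUR_DOMAIN.      IN     SOA     MANAGER.dmz.YOUR_DOMAIN. YOUR_EMAIL.YOUR_DOMAIN. (
                             200612060                 ; serial - increase on every edit
                             2H                        ; refresh slaves
                             5M                        ; retry
                             1W                        ; expire
                             1M                        ; Negative TTL
)
@                     IN      NS      MANAGER.dmz.YOUR_DOMAIN.
; The NS target above needs an address record inside this zone. The original
; "MANAGER.YOUR_DOMAIN." is out-of-zone data, which named ignores, leaving the
; name server without an address here.
MANAGER.dmz.YOUR_DOMAIN.  IN  A       MANAGER_IP       ; Firewall/Gateway
WEB.dmz.YOUR_DOMAIN.  IN      A       WEBSERVER_IP     ; Webserver
; ... further hosts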

/etc/named/zones/XXX.XXX.XXX.zone

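$TTL 1D
; Reverse zone for the DMZ network (XXX.XXX.XXX.in-addr.arpa in named.conf.local).
@                     IN      SOA     MANAGER.dmz.YOUR_DOMAIN. YOUR_EMAIL.YOUR_DOMAIN. (
                              200612060                ; serial - increase on every edit
                              2H                       ; refresh slaves
                              5M                       ; retry
                              1W                       ; expire
                              1M                       ; Negative TTL
)
; Blank owner on purpose: it inherits "@" from the SOA record above.
                      IN      NS      MANAGER.dmz.YOUR_DOMAIN.
; One PTR per host; the owner is the last octet of the host's address. The
; original used the same "XXX" for both lines, which makes one owner with two PTRs.
MANAGER_LAST_OCTET    IN      PTR     MANAGER.dmz.YOUR_DOMAIN.
WEB_LAST_OCTET        IN      PTR     WEB.dmz.YOUR_DOMAIN.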
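#fix permissions
# named runs as the "named" user: zone data group-owned by named, the main
# config owned by root so the daemon cannot rewrite its own configuration.
chgrp named -R /var/named
chown -v root:named /etc/named.conf

#enable service
# named-checkconf and named-checkzone (bind-utils) catch most mistakes in the
# files above before the service is (re)started.
systemctl enable named
systemctl start named

#use own nameserver
# resolv.conf takes IP addresses only; "nameserver localhost" is not parsed as
# an address, so the original line changed nothing and queries kept going to
# the previously listed servers. Appending also puts 127.0.0.1 LAST in the
# resolver's order - make it the first nameserver line if the local BIND is
# meant to be the primary resolver.
echo "nameserver 127.0.0.1" >> /etc/resolv.conf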

For further information, read the BIND documentation.

LDAP Server

#install required packages
# NOTE(review): gnutls-bin and ssl-cert are Debian/Ubuntu package names; on a
# yum-based system expect "No package ... available" for them (gnutls-utils is
# the RHEL-side counterpart of gnutls-bin) - confirm and trim the list.
yum install openldap-servers libtool-ltdl openldap-clients openldap gnutls-bin ssl-cert

#create directory for LDIF files
# The LDIFs stored here carry the olcRootPW hashes; keep the directory
# unreadable to other users (mode 0700) and out of any shared wiki/repo.
mkdir /etc/openldap/ldif
chown ldap:ldap /etc/openldap/ldif
# Client defaults for the ldap* tools on this host; contents follow below.
nano -w /etc/openldap/ldap.conf
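# /etc/openldap/ldap.conf - defaults for the ldap* client tools on the manager.
BASE    dc=YOUR_DOMAIN,dc=YOUR_TLD
# Plain ldap:// - TLS is only used when a tool asks for StartTLS (-Z/-ZZ)
# or an ldaps:// URI is given.
URI     ldap://MANAGER
# Trust anchor: the same CA file that 05-cn=config_TLS.ldif installs on the
# server side, so the client verifies against the CA it is actually signed by.
TLS_CACERT      /etc/pki/openldap/certs/CAcert.pem
TLS_CACERTDIR   /etc/openldap/certs
# "allow" (the original value) let the client continue with an unverifiable
# server certificate, which defeats the CA above; "demand" rejects such sessions.
TLS_REQCERT     demand
SASL_NOCANON    on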

Set up the database

# DB_CONFIG tunes the BDB/HDB backend behind olcDatabase={2}hdb; the example
# ships with openldap-servers and is good enough to start with.
cp -a /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap:ldap /var/lib/ldap/DB_CONFIG
#start SLAPD
# slapd comes up with the distribution's default cn=config; every hardening
# step below (rootPW, TLS, no anonymous bind) is applied afterwards, so keep
# port 389 unreachable from the networks until the LDIFs have been loaded.
systemctl start slapd.service
systemctl enable slapd.service

Configuration

#generate master password
# Prompts for a password and prints its salted SHA-1 hash ("{SSHA}..."); that
# hash is what goes into the olcRootPW lines below. Store only the hash.
/usr/sbin/slappasswd -h {SSHA}

Now generate the corresponding LDIF
/etc/openldap/ldif/cn=config_olcRootPW.ldif

# Password for the rootDN of the configuration database itself. Whoever binds
# with it can rewrite slapd's whole configuration (ACLs, TLS, overlays), so it
# should only be used over ldapi:/// or a TLS session.
# Replace the X's with the complete hash printed by slappasswd.
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}XXXXXXXXXXXXXXXXXXXXXXX

Now apply the LDIF by executing

# Applied as root over the local Unix socket: SASL EXTERNAL maps the root peer
# credentials to the "gidNumber=0+uidNumber=0,cn=peercred,..." DN granted access
# in 01-cn=config_BaseDN.ldif, so no password crosses the network. The other
# cn=config LDIFs on this page are applied the same way (file name changed).
ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/ldif/cn\=config_olcRootPW.ldif

/etc/openldap/ldif/01-cn=config_BaseDN.ldif

#configure the base DN (the base entry itself is created later, in 06-cn=config_DIT.ldif)
# Monitor database: readable by local root (peercred over ldapi) and by the
# directory manager, nobody else.
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=YOUR_DOMAIN,dc=YOUR_TLD" read by * none

# Data database: the suffix every entry lives under ...
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=YOUR_DOMAIN,dc=YOUR_TLD

# ... and its administrative DN (password set in 02-cn=config_ManagerPW.ldif).
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=YOUR_DOMAIN,dc=YOUR_TLD

/etc/openldap/ldif/02-cn=config_ManagerPW.ldif

# Password for the data directory's rootDN (cn=Manager from
# 01-cn=config_BaseDN.ldif). Use a hash of a different password than the
# cn=config one so a leaked directory-admin password does not also give
# control of the server configuration.
# NOTE(review): "add:" fails if an olcRootPW is already present on {2}hdb;
# use "replace:" in that case, as the cn=config LDIF above does.
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

/etc/openldap/ldif/03-cn=config_GLOBAL_olcIdleTimeout.ldif

#modify IdleTimeout
# Seconds of client inactivity after which slapd closes the connection
# (0 = never). Keeps abandoned sockets from piling up; 15 s is short, raise it
# if long-running clients get disconnected.
dn: cn=config
changetype: modify
add: olcIdleTimeout
olcIdleTimeout: 15

See the StartTLS guide for how to generate the certificates.

/etc/openldap/ldif/04-cn=config_TLS_olcTLSProtocolMin.ldif

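#require TLS 1.2 or newer
# slapd-config(5) writes the version as SSL major.minor: 3.1 = TLS 1.0,
# 3.2 = TLS 1.1, 3.3 = TLS 1.2. The original value 3.1 therefore still
# accepted TLS 1.0 (deprecated); 3.3 refuses anything below TLS 1.2.
dn: cn=config
changetype: modify
add: olcTLSProtocolMin
olcTLSProtocolMin: 3.3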

/etc/openldap/ldif/05-cn=config_TLS.ldif

#add TLS support and certificates
# Cipher-string syntax depends on the TLS library slapd was built against;
# "HIGH" is an OpenSSL-style selector. NOTE(review): confirm it is honoured on
# this build (slapd logs a TLS init error at start otherwise) and prefer an
# explicit list that excludes legacy suites.
dn: cn=config
changetype: modify
replace: olcTLSCipherSuite
olcTLSCipherSuite: HIGH
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/pki/openldap/certs/cert.pem
-
# slapd runs as the ldap user (the files above are chown'ed ldap:ldap), so the
# private key must be readable by ldap and by nobody else.
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/pki/openldap/private/key.pem
-
# Same CA the clients should verify against (TLS_CACERT in ldap.conf).
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/pki/openldap/certs/CAcert.pem

/etc/openldap/ldif/06-cn=config_DIT.ldif

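#create structure
# These entries live in the data directory, not in cn=config, so they are
# added as the rootDN from 01-cn=config_BaseDN.ldif, e.g.
#   ldapadd -x -ZZ -D "cn=Manager,dc=YOUR_DOMAIN,dc=YOUR_TLD" -W -f <this file>
# "changetype: add" is spelled out so the file also works with ldapmodify,
# the way the other LDIFs on this page are applied (the original omitted it,
# which ldapmodify rejects).
dn: dc=YOUR_DOMAIN,dc=YOUR_TLD
changetype: add
dc: YOUR_DOMAIN
ou: YOUR_DOMAIN dot YOUR_TLD
objectClass: top
objectClass: dcObject
objectClass: organizationalUnit

# People
dn: ou=People,dc=YOUR_DOMAIN,dc=YOUR_TLD
changetype: add
ou: People
objectClass: top
objectClass: organizationalUnit

# Group
dn: ou=Group,dc=YOUR_DOMAIN,dc=YOUR_TLD
changetype: add
ou: Group
objectClass: top
objectClass: organizationalUnit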

/etc/openldap/ldif/07-cn=config_DisableAnonymousBind.ldif

#disallow anonymous users to query LDAP
# bind_anon refuses anonymous binds; authc additionally requires an
# authenticated session for every operation. After this, every client -
# including the ldap* tools driven by /etc/openldap/ldap.conf, which carry no
# credentials by default - must bind with a DN and password, or use SASL
# EXTERNAL over ldapi:/// as root. Apply it after the DIT and the accounts
# exist, otherwise the remaining setup steps lock themselves out.
dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon
-
add: olcRequires
olcRequires: authc

/etc/openldap/ldif/08-cn=config_CreateDbIndex.ldif

#create and define indexes for LDAP
#http://www.zytrax.com/books/ldap/apa/indeces.html
# eq/pres/sub = equality / presence / substring indexes for the attributes that
# account and group lookups filter on; an unindexed equality search is a full scan.
# NOTE(review): adding olcDbIndex to a database that already holds entries
# needs a rebuild with slapindex (slapd stopped, run as the ldap user) - confirm.
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uidNumber,gidNumber,loginShell eq,pres
olcDbIndex: uid,memberUid eq,pres,sub
olcDbIndex: nisMapName,nisMapEntry eq,pres,sub
olcDbIndex: uniqueMember eq,pres

/etc/openldap/ldif/12-cn=config_SudoGroup.ldif

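#Add group of users that can sudo
# The RDN value (cn=...) must equal the cn attribute, otherwise slapd rejects
# the entry; the original had cn=YOUR_ADMIN_GROUP in the DN but "cn: sysops"
# in the body. "changetype: add" makes the file usable with ldapmodify as well.
# Membership of this group is a full-root grant on every node, so keep it short
# and review it like any other privileged account list.
dn: cn=YOUR_ADMIN_GROUP,ou=Group,dc=YOUR_DOMAIN,dc=YOUR_TLD
changetype: add
cn: YOUR_ADMIN_GROUP
gidNumber: YOUR_ADMIN_GROUP_GID
description: Group can sudo without restriction
objectClass: posixGroup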

/etc/openldap/ldif/13-cn=config_AddUniqueIndex.ldif

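#create unique indexes
# Load the "unique" overlay module.
# NOTE(review): "changetype: add" on cn=module{0} fails if a module list
# already exists in cn=config; then modify it with "add: olcModuleLoad" instead.
dn: cn=module{0},cn=config
changetype: add
objectClass: olcModuleList
cn: module{0}
olcModuleLoad: /usr/lib64/openldap/unique.la

# Enable the overlay on the data database and declare the attributes that must
# be unique in the same entry. The original added the overlay and then modified
# "olcOverlay={4}unique" - an index slapd only assigns on add, so {4} was a
# guess that is wrong unless four other overlays exist. Setting olcUniqueURI
# here avoids the guess; duplicate uid / uidNumber / homeDirectory values are
# rejected at add time, which is what keeps one account from shadowing another.
dn: olcOverlay=unique,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcUniqueConfig
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: unique
olcUniqueURI: ldap:///?uid?sub
olcUniqueURI: ldap:///?uidNumber?sub
olcUniqueURI: ldap:///?homeDirectory?sub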