Difference between revisions of "Node"
Wiki admin (talk | contribs) |
Wiki admin (talk | contribs) (→LDAP login) |
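--- a/Node
+++ b/Node
@@ -1,3 +1,69 @@
 [[Category:VMs]]
 == LDAP login ==
+For LDAP based authentication and authorization SSSD is used.
+Copy the SSL certificates from your LDAP server to /etc/openldap/certs/ before continuing.
+<syntaxhighlight lang="bash">
+#install sssd and authconfig
+yum install sssd-client sssd-common sssd-common-pac sssd-ldap sssd-proxy python-sssdconfig authconfig
+#configure authentication
+authconfig \
+--enablesssd \
+--enablesssdauth \
+--enablelocauthorize \
+#enable LDAP
+--enableldap \
+--enableldapauth \
+--ldapserver=ldaps://LDAP_SERVER:636 \
+--ldapbasedn=dc=YOUR_DOMAIN,dc=YOUR_TLD \
+--enablemkhomedir \
+--enablecachecreds \
+--update
+</syntaxhighlight>
+'''If you do not allow anonymous bind, specify ldap_default_bind_dn and ldap_default_authtok in /etc/sssd/sssd.conf!'''<br/>
+This will generate a sssd.conf like the following<br/>
+/etc/sssd/sssd.conf
+<syntaxhighlight lang="text">
+[domain/default]
+autofs_provider = ldap
+ldap_default_bind_dn = YOUR_BIND_DN
+ldap_default_authtok_type = password
+ldap_default_authtok = YOUR_BIND_DN_PASSWORD
+ldap_schema = rfc2307bis
+ldap_search_base = dc=YOUR_DOMAIN,dc=YOUR_TLD
+id_provider = ldap
+auth_provider = ldap
+ldap_tls_reqcert = allow
+chpass_provider = ldap
+ldap_uri = ldaps://LDAP_SERVER:636/
+ldap_id_use_start_tls = True
+cache_credentials = True
+ldap_tls_cacertdir = /etc/openldap/cacerts
+enumerate = True
+[sssd]
+services = nss, pam, autofs
+config_file_version = 2
+domains = default, ldap
+debug_level = 9
+[nss]
+[pam]
+[sudo]
+[autofs]
+[ssh]
+</syntaxhighlight>
+Enable and restart the service
+<syntaxhighlight lang="bash">
+systemctl restart sssd
+systemctl enable sssd
+</syntaxhighlight>
+Adapt ldap.conf to reflect the config
+<syntaxhighlight lang="text">
+URI ldaps://LDAP_SERVER:636
+BASE dc=YOUR_DOMAIN,dc=YOUR_TLD
+debug 10
+binddn YOUR_BIND_DN
+bindpw YOUR_BIND_DN_PASSWORD
+TLS_CACERTDIR /etc/openldap/cacerts
+TLS_CACERT /etc/openldap/cacerts/CAcert.pem
+SASL_NOCANON on
+</syntaxhighlight>
 == Mount NFS shares ==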
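Review bot: `ldap_tls_reqcert = allow` in the generated sssd.conf lets the session proceed even when the server presents no certificate or one that fails validation, so the ldaps:// URI on the `ldap_uri` line does not actually authenticate the LDAP server; once the CA certificate is in place this should read `ldap_tls_reqcert = demand`. The CA location is also inconsistent: the prose tells the reader to copy certificates to /etc/openldap/certs/, while `ldap_tls_cacertdir` and the ldap.conf `TLS_CACERTDIR`/`TLS_CACERT` lines point at /etc/openldap/cacerts. `domains = default, ldap` names a domain that has no `[domain/ldap]` section in the file, which SSSD should report as an error at startup — drop `ldap` or define it. Finally, `bindpw YOUR_BIND_DN_PASSWORD` in a normally world-readable ldap.conf exposes the bind secret to every local account, and `debug_level = 9` / `debug 10` are full-verbosity settings; keep the bind credentials in the root-only sssd.conf and lower both debug levels before the node goes into service.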
Revision as of 20:17, 9 September 2016
LDAP login
For LDAP-based authentication and authorization, SSSD is used. Copy the SSL certificates from your LDAP server to /etc/openldap/certs/ before continuing.
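#install sssd and authconfig
yum install sssd-client sssd-common sssd-common-pac sssd-ldap sssd-proxy python-sssdconfig authconfig
#configure authentication: SSSD for identity and auth, local authorization,
#LDAP as the backend over ldaps://, home directories via --enablemkhomedir and
#cached credentials via --enablecachecreds, then write the config (--update).
#Keep the whole invocation free of comment lines: a comment inside a
#backslash-continued command ends the command at that line, so everything
#after it (here all the LDAP options) would run as a separate, failing command
#and never reach authconfig.
authconfig \
  --enablesssd \
  --enablesssdauth \
  --enablelocauthorize \
  --enableldap \
  --enableldapauth \
  --ldapserver=ldaps://LDAP_SERVER:636 \
  --ldapbasedn=dc=YOUR_DOMAIN,dc=YOUR_TLD \
  --enablemkhomedir \
  --enablecachecreds \
  --update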
If you do not allow anonymous bind, specify ldap_default_bind_dn and ldap_default_authtok in /etc/sssd/sssd.conf!
This generates an sssd.conf like the following:
/etc/sssd/sssd.conf
# /etc/sssd/sssd.conf as produced by the authconfig call above, plus the bind
# DN/password lines needed when the server refuses anonymous bind.
[domain/default]
autofs_provider = ldap
# Credentials for the lookup bind, stored in clear text.
# NOTE(review): SSSD expects this file to be root-only (0600); keep it so.
ldap_default_bind_dn = YOUR_BIND_DN
ldap_default_authtok_type = password
ldap_default_authtok = YOUR_BIND_DN_PASSWORD
ldap_schema = rfc2307bis
ldap_search_base = dc=YOUR_DOMAIN,dc=YOUR_TLD
id_provider = ldap
auth_provider = ldap
# NOTE(review): "allow" lets the session continue when the server presents no
# certificate or one that fails validation (see sssd-ldap(5)), so the ldaps://
# URI below does not authenticate the server. "demand" is the safe value once
# the CA certificate is installed in ldap_tls_cacertdir.
ldap_tls_reqcert = allow
chpass_provider = ldap
ldap_uri = ldaps://LDAP_SERVER:636/
# NOTE(review): StartTLS on top of an ldaps:// URI is redundant — confirm this
# is intended and not a leftover from an ldap:// setup.
ldap_id_use_start_tls = True
cache_credentials = True
# NOTE(review): the prose above says certificates go to /etc/openldap/certs/,
# but this (and ldap.conf) uses /etc/openldap/cacerts — one path is wrong.
ldap_tls_cacertdir = /etc/openldap/cacerts
# NOTE(review): enumeration pulls the whole user/group list; sssd.conf(5)
# discourages it for larger directories.
enumerate = True
[sssd]
services = nss, pam, autofs
config_file_version = 2
# NOTE(review): "ldap" has no [domain/ldap] section in this file; SSSD should
# log an error for it at startup. Drop it or define the domain.
domains = default, ldap
# NOTE(review): 9 is full debug output; lower it on production nodes.
debug_level = 9
[nss]
[pam]
[sudo]
[autofs]
[ssh]
Enable and restart the service
# Restart SSSD so it loads the configuration written above, then enable it
# so it also comes up at boot.
for action in restart enable; do
  systemctl "$action" sssd
done
Adapt ldap.conf to match this configuration:
# Client-side ldap.conf matching the SSSD domain above: same server, base DN
# and CA directory.
URI ldaps://LDAP_SERVER:636
BASE dc=YOUR_DOMAIN,dc=YOUR_TLD
# NOTE(review): 10 is maximum verbosity; turn it off once the setup works.
debug 10
# NOTE(review): if this is the system-wide ldap.conf (world-readable by
# default), bindpw exposes the bind password to every local account. Keep the
# bind credentials in the root-only sssd.conf and leave them out of this file
# unless its permissions are locked down.
binddn YOUR_BIND_DN
bindpw YOUR_BIND_DN_PASSWORD
# NOTE(review): the prose says certificates are copied to /etc/openldap/certs/;
# these two lines (and sssd.conf) use /etc/openldap/cacerts — align the paths.
TLS_CACERTDIR /etc/openldap/cacerts
TLS_CACERT /etc/openldap/cacerts/CAcert.pem
SASL_NOCANON on
To separate local from LDAP users, we mount user homes under /home/users.
For a unified skel directory, we use the central one.
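# LDAP user homes live on NFS under /home/users (local users keep /home);
# /etc/skel is replaced by the centrally maintained, read-only copy.
mkdir -p /home/users
# Clear the local skel contents. Note that the glob does not match dotfiles;
# in practice the NFS mount below is what hides the local directory anyway.
rm -Rf /etc/skel/*

#######################################
# Append a line to /etc/fstab unless it is already present, so re-running
# this snippet does not produce duplicate entries.
# Arguments: $1 - complete fstab line
#######################################
add_fstab_entry() {
  local entry=$1
  grep -qxF -- "$entry" /etc/fstab || printf '%s\n' "$entry" >> /etc/fstab
}

# nosuid,noexec: nothing on the home or skel export gets to run setuid or be
# executed from the mount.
add_fstab_entry "NFS_SERVER:/exports/homes /home/users/ nfs rw,nosuid,noexec 0 0"
add_fstab_entry "NFS_SERVER:/exports/skel /etc/skel nfs ro,nosuid,noexec 0 0"
mount /home/users
mount /etc/skel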
Install Desktop
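# Graphical desktop: X server, fonts, the KDE workspace and GDM as the display
# manager (the XDMCP/VNC setup further down relies on GDM).
yum groupinstall "X Window System"
yum groupinstall "Fonts"
yum install kde-workspace
yum install gdm
# Boot into the graphical target from now on. set-default rewrites the
# default.target symlink itself, so the previous unlink (which errors when the
# link does not exist yet) plus manual ln is not needed.
systemctl set-default graphical.target
# Switch the running system over without a reboot.
systemctl isolate graphical.target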
Install VNC
# VNC server, the Type1 fonts handed to Xvnc via -fp below, and xinetd, which
# spawns Xvnc per connection. Afterwards edit GDM's config (contents follow).
vnc_pkgs=(tigervnc-server xorg-x11-fonts-Type1 xinetd)
yum install "${vnc_pkgs[@]}"
nano -w /etc/gdm/custom.conf
/etc/gdm/custom.conf
# /etc/gdm/custom.conf — GDM settings for the xinetd/Xvnc service below.
[daemon]
[security]
# NOTE(review): both settings widen GDM's exposure — remote root logins are
# allowed and the X server accepts TCP connections. They exist here so Xvnc
# can query GDM on localhost; confirm neither is reachable from outside the
# host (firewall) and consider leaving root logins disallowed.
AllowRemoteRoot=true
DisallowTCP=false
[xdmcp]
# XDMCP is what the "-query localhost" in the xinetd stanza below talks to.
# NOTE(review): XDMCP itself is neither authenticated nor encrypted; keep it
# limited to the loopback interface / firewalled.
Enable=true
MaxSessions=40
[greeter]
[chooser]
[debug]
Create the xinetd service:
/etc/xinetd.d/vncserver
# /etc/xinetd.d/vncserver — spawn one Xvnc per incoming connection; Xvnc then
# asks the local GDM for a login screen via XDMCP (-query localhost).
service vncserver
{
flags = IPv4
disable = no
socket_type = stream
protocol = tcp
group = tty
wait = no
# Xvnc runs unprivileged; the user login itself is handled by GDM.
user = nobody
server = /usr/bin/Xvnc
# NOTE(review): -securitytypes=none disables VNC-level authentication and
# encryption, so the GDM greeter is the only gate and the session (including
# the password typed into the greeter) crosses the network in clear text.
# The Guacamole config further down connects from this same host to
# localhost:5900; if that is the only client, "bind = 127.0.0.1" in this
# stanza keeps the port off the network, otherwise restrict it with
# only_from / a firewall. -once makes Xvnc exit when the client disconnects.
server_args = -inetd -query localhost -geometry 1024x768 -depth 24 -once -fp /usr/share/X11/fonts/Type1 -securitytypes=none
}
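#register the VNC port: the xinetd stanza above has no port= attribute, so
#xinetd looks the port up by service name in /etc/services. Append the line
#only once so re-running this snippet does not duplicate it.
grep -qF -- "vncserver 5900/tcp" /etc/services \
  || printf '%s\n' "vncserver 5900/tcp # VNC and GDM" >> /etc/services
#enable xinetd at boot and restart it to pick up the new service
systemctl enable xinetd.service
systemctl restart xinetd.service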
Install Tomcat
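yum install java-1.7.0-openjdk-devel
#add an unprivileged tomcat user without a login shell; its home is the install dir
groupadd tomcat
useradd -M -s /bin/nologin -g tomcat -d /opt/tomcat tomcat
#download tomcat into a private temp file instead of a fixed name in /tmp
tomcat_tgz=$(mktemp) || exit 1
wget -O "$tomcat_tgz" http://mirror.sdunix.com/apache/tomcat/tomcat-8/v8.0.23/bin/apache-tomcat-8.0.23.tar.gz || exit 1
# TODO: the tarball arrives over plain http from a third-party mirror — check it
# against the checksum / PGP signature published by the Apache Tomcat project
# (not by the mirror) before unpacking it.
mkdir -p /opt/tomcat
tar xvf "$tomcat_tgz" -C /opt/tomcat --strip-components=1 || exit 1
rm -f -- "$tomcat_tgz"
cd /opt/tomcat || exit 1
#fix permissions: the tomcat group may traverse/write conf and read its files;
#the directories Tomcat writes to at runtime belong to the tomcat user
chgrp -R tomcat conf
chmod g+rwx conf
chmod g+r conf/*
# no sudo here: like every other step on this page, this runs as root
chown -R tomcat webapps/ work/ temp/ logs/
#create service file (contents follow)
nano -w /etc/systemd/system/tomcat.service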
/etc/systemd/system/tomcat.service
# Systemd unit file for tomcat
[Unit]
Description=Apache Tomcat Web Application Container
# NOTE(review): syslog.target is obsolete on systemd hosts; network.target
# alone is sufficient here.
After=syslog.target network.target
[Service]
# startup.sh daemonizes, hence Type=forking.
# NOTE(review): CATALINA_PID is set below but no PIDFile= is given, so systemd
# has to guess the main process; add PIDFile=/opt/tomcat/temp/tomcat.pid.
Type=forking
Environment=JAVA_HOME=/usr/lib/jvm/jre
Environment=CATALINA_PID=/opt/tomcat/temp/tomcat.pid
Environment=CATALINA_HOME=/opt/tomcat
Environment=CATALINA_BASE=/opt/tomcat
Environment='CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC'
# The "./" in file:/dev/./urandom is deliberate: on older JDKs a plain
# file:/dev/urandom is treated like /dev/random and can block at startup.
Environment='JAVA_OPTS=-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom'
ExecStart=/opt/tomcat/bin/startup.sh
# SIGTERM to the main process on stop.
ExecStop=/bin/kill -15 $MAINPID
# Run as the unprivileged tomcat user created above.
User=tomcat
Group=tomcat
# NOTE(review): this is a network-facing service with no sandboxing
# directives; PrivateTmp=true and NoNewPrivileges=true are cheap additions.
[Install]
WantedBy=multi-user.target
#enable and start tomcat
# Make systemd read the new unit, start Tomcat now and enable it at boot.
systemctl daemon-reload
for action in start enable; do
  systemctl "$action" tomcat
done
Set up Tomcat
/opt/tomcat/conf/tomcat-users.xml
<!-- /opt/tomcat/conf/tomcat-users.xml: one account for the Manager and Host
     Manager web UIs.
     NOTE(review): "password" is a placeholder — use a strong, unique value
     and keep this file unreadable to other local users. manager-gui/admin-gui
     allow deploying arbitrary webapps, i.e. running code as the tomcat user,
     so this account deserves the same care as a root login. -->
<tomcat-users>
<user username="admin" password="password" roles="manager-gui,admin-gui"/>
</tomcat-users>
# Restart Tomcat so the edited tomcat-users.xml takes effect.
unit=tomcat
systemctl restart "$unit"
Install and set up Guacamole
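#install dependencies
yum install wget
yum install cairo-devel freerdp-devel gcc java-1.8.0-openjdk.x86_64 libguac libguac-client-rdp libguac-client-ssh \
libguac-client-vnc libjpeg-turbo-devel libpng-devel libssh2-devel libtelnet-devel libvncserver-devel \
libvorbis-devel libwebp-devel openssl-devel pango-devel pulseaudio-libs-devel terminus-fonts uuid-devel
#download and extract guacamole 0.9.9
# TODO: the server tarball, the .war and the extension below are fetched with
# no checksum / signature verification — compare them against the values
# published by the Guacamole project before building or deploying.
guac_ver=0.9.9
cd /tmp || exit 1
wget "http://sourceforge.net/projects/guacamole/files/current/source/guacamole-server-${guac_ver}.tar.gz" || exit 1
tar -xzf "guacamole-server-${guac_ver}.tar.gz" || exit 1
cd "guacamole-server-${guac_ver}" || exit 1
#build guacd; --with-init-dir installs a SysV init script (hence chkconfig later)
./configure --with-init-dir=/etc/init.d
make
make install
ldconfig
#download guacamole webapp and expose it through Tomcat
mkdir -p /var/lib/guacamole
wget "http://sourceforge.net/projects/guacamole/files/current/binary/guacamole-${guac_ver}.war" -O /var/lib/guacamole/guacamole.war || exit 1
ln -sf /var/lib/guacamole/guacamole.war /opt/tomcat/webapps/
#fix RDP library: make the distro freerdp plugin dir point at the freshly built guacdr.so
rm -f /usr/lib64/freerdp/guacdr.so
ln -s /usr/local/lib/freerdp/guacdr.so /usr/lib64/freerdp/
#install noauth plugin. The download is a tarball, not a jar: it has to be
#unpacked and the .jar inside copied into the extensions directory. Saving the
#tarball under a .jar name leaves Guacamole unable to load the extension.
# NOTE(review): noauth hands every visitor of the Tomcat port the VNC session
# defined in noauth-config.xml without any Guacamole login; the GDM greeter is
# then the only authentication. Make sure Tomcat is not reachable from
# untrusted networks, or use an authenticating extension instead.
mkdir -p /opt/tomcat/.guacamole/extensions/
noauth_dir=$(mktemp -d) || exit 1
wget -O "${noauth_dir}/noauth.tar.gz" \
"https://sourceforge.net/projects/guacamole/files/current/extensions/guacamole-auth-noauth-${guac_ver}.tar.gz" || exit 1
tar -xzf "${noauth_dir}/noauth.tar.gz" -C "$noauth_dir" || exit 1
# copy whatever jar(s) the tarball contains, independent of its directory layout
find "$noauth_dir" -name '*.jar' -exec cp -- {} /opt/tomcat/.guacamole/extensions/ \;
rm -rf -- "$noauth_dir"
#configure guacamole (contents follow)
mkdir -p /etc/guacamole/
nano -w /etc/guacamole/guacamole.properties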
/etc/guacamole/guacamole.properties
# /etc/guacamole/guacamole.properties (linked into /opt/tomcat/.guacamole below)
# Where the webapp reaches guacd, built from source above.
guacd-hostname: localhost
guacd-port: 4822
lib-directory: /opt/tomcat/webapps/guacamole/WEB-INF/classes
# Connection definitions for the noauth extension (no Guacamole login).
noauth-config: /etc/guacamole/noauth-config.xml
/etc/guacamole/noauth-config.xml
<!-- /etc/guacamole/noauth-config.xml: every visitor of the Guacamole webapp
     is offered this connection without authenticating to Guacamole — the
     Xvnc service on localhost:5900 from the xinetd stanza above, whose login
     is handled by GDM. Replace NODE_NAME with this node's display name. -->
<configs>
<config name="NODE_NAME" protocol="vnc">
<param name="hostname" value="localhost" />
<param name="port" value="5900" />
</config>
</configs>
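#link config to webapp directory (-f so re-running does not fail on an existing link)
ln -sf /etc/guacamole/guacamole.properties /opt/tomcat/.guacamole/
#cleanup the build tree and downloads
rm -rf -- /tmp/guacamole*
#enable and start service. guacd was installed as a SysV init script
#(./configure --with-init-dir=/etc/init.d above), hence chkconfig rather than
#systemctl enable.
chkconfig guacd on
systemctl restart guacd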