Changes

Yi Sun · b4392aa8
--- a/Create-LDAP-server.md
+++ b/Create-LDAP-server.md
-This instruction is used to create LDAP server on Centos 7. The schema is for BAND environment. It is currently does not support other schemas. It will require changes to other BAND components if you would like to use your own schema.
+This instruction is used to create LDAP server on Centos 7. For a recent version for RockyLinux 8, go to [here](RockyLinux-8--LDAP)
+The schema is for BAND environment. It is currently does not support other schemas. It will require changes to other BAND components if you would like to use your own schema.
-create CentOS server and ssh to it
+create CentOS server and ssh to it
-`yum update`
+`yum update`
-`yum install openssl openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel`
+`yum install openssl openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel`
-`cd /etc/pki/CA`
+`cd /etc/pki/CA`
-create index.txt and serial file to keep track of issued certs
+create index.txt and serial file to keep track of issued certs
-`echo 0001 > serial`
+`echo 0001 > serial`
-`touch index.txt`
+`touch index.txt`
-create root ca
+create root ca
-`openssl genrsa -aes256 -out /etc/pki/CA/private/ca.key.pem`
+`openssl genrsa -aes256 -out /etc/pki/CA/private/ca.key.pem`
-create CA certificate
+create CA certificate
-`openssl req -new -x509 -days 3650 -key /etc/pki/CA/private/ca.key.pem -extensions v3_ca -out /etc/pki/CA/certs/ca.cert.pem`
+`openssl req -new -x509 -days 3650 -key /etc/pki/CA/private/ca.key.pem -extensions v3_ca -out /etc/pki/CA/certs/ca.cert.pem`
-generate key and certificates for LDAP
+generate key and certificates for LDAP
-`cd /etc/pki/CA`
+`cd /etc/pki/CA`
-`openssl genrsa -out private/YOUR_LDAP_PRIVATE_KEY`
+`openssl genrsa -out private/YOUR_LDAP_PRIVATE_KEY`
-`openssl req -new -key private/YOUR_LDAP_PRIVATE_KEY -out certs/YOUR_LDAP_SERVER_CSR`
+`openssl req -new -key private/YOUR_LDAP_PRIVATE_KEY -out certs/YOUR_LDAP_SERVER_CSR`
-sign certificate with CA
+sign certificate with CA
-`openssl ca -keyfile private/ca.key.pem -cert certs/ca.cert.pem -in certs/YOUR_LDAP_SERVER_CSR -out certs/YOUR_LDAP_SERVER_CRT`
+`openssl ca -keyfile private/ca.key.pem -cert certs/ca.cert.pem -in certs/YOUR_LDAP_SERVER_CSR -out certs/YOUR_LDAP_SERVER_CRT`
-check index.txt make sure certs are properly signed
+check index.txt make sure certs are properly signed
-`cat index.txt`
+`cat index.txt`
-verify all issued certs against CA
+verify all issued certs against CA
-`openssl verify -CAfile certs/ca.cert.pem certs/YOUR_LDAP_SERVER_CRT`
+`openssl verify -CAfile certs/ca.cert.pem certs/YOUR_LDAP_SERVER_CRT`
-copy certs file to /etc/openldap/certs, make sure user ldap has rw right to the folder
+copy certs file to /etc/openldap/certs, make sure user ldap has rw right to the folder
-`cp -v certs/* /etc/openldap/certs/`
+`cp -v certs/* /etc/openldap/certs/`
-`cp -v private/ldap-dev.eosc-life.eu.key /etc/openldap/certs/`
+`cp -v private/ldap-dev.eosc-life.eu.key /etc/openldap/certs/`
-`cp -v certs/ca.cert.pem /etc/openldap/certs/`
+`cp -v certs/ca.cert.pem /etc/openldap/certs/`
-download all files from [https://git.embl.de/ysun/ldap-dev-files](https://git.embl.de/ysun/ldap-dev-files)
+download all files from [https://git.embl.de/ysun/ldap-dev-files](https://git.embl.de/ysun/ldap-dev-files)
-modify userPassword in users.ldif with hashed value (you can use your own ldap files here)
+modify userPassword in users.ldif with hashed value (you can use your own ldap files here)
-ex:
+ex:
-`slappasswd -h {SSHA} -s PASSWORD`
+`slappasswd -h {SSHA} -s PASSWORD`
-start slapd
+start slapd
-`systemctl start slapd.service`
+`systemctl start slapd.service`
-`systemctl enable slapd.service`
+`systemctl enable slapd.service`
-push config
+push config
-`ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif`
+`ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif`
-restrict monitor access to admin user
+restrict monitor access to admin user
-`ldapmodify -Y EXTERNAL -H ldapi:/// -f monitor.ldif`
+`ldapmodify -Y EXTERNAL -H ldapi:/// -f monitor.ldif`
-push certs config
+push certs config
-`ldapmodify -Y EXTERNAL -H ldapi:/// -f certs.ldif`
+`ldapmodify -Y EXTERNAL -H ldapi:/// -f certs.ldif`
-copy sample db configuration file to /var/lib/ldap and update permission
+copy sample db configuration file to /var/lib/ldap and update permission
-`cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG`
+`cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG`
-`chown ldap:ldap /var/lib/ldap/*`
+`chown ldap:ldap /var/lib/ldap/*`
-add cosine and nis LDAP schemas
+add cosine and nis LDAP schemas
-`ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif`
+`ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif`
-`ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif`
+`ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif`
-`ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif`
+`ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif`
-push base.ldif to openldap using admin user
+push base.ldif to openldap using admin user
-`ldapadd -x -W -D "cn=admin,dc=eosc-life,dc=eu" -f base.ldif`
+`ldapadd -x -W -D "cn=admin,dc=eosc-life,dc=eu" -f base.ldif`
-push groups and users
+push groups and users
-`ldapadd -x -W -D "cn=admin,dc=eosc-life,dc=eu" -f groups.ldif`
+`ldapadd -x -W -D "cn=admin,dc=eosc-life,dc=eu" -f groups.ldif`
-`ldapadd -x -W -D "cn=admin,dc=eosc-life,dc=eu" -f users.ldif`
+`ldapadd -x -W -D "cn=admin,dc=eosc-life,dc=eu" -f users.ldif`
-secure ldap with tls
+secure ldap with tls
-`ldapmodify -Y EXTERNAL -H ldapi:// -f tls.ldif`
+`ldapmodify -Y EXTERNAL -H ldapi:// -f tls.ldif`
-`ldapmodify -Y EXTERNAL -H ldapi:// -f /home/centos/tls1.ldif`
+`ldapmodify -Y EXTERNAL -H ldapi:// -f /home/centos/tls1.ldif`
-check tls config point to the correct directory
+check tls config point to the correct directory
-`slapcat -b "cn=config" | egrep "olcTLSCertificateFile|olcTLSCertificateKeyFile|olcTLSCACertificateFile"`
+`slapcat -b "cn=config" | egrep "olcTLSCertificateFile|olcTLSCertificateKeyFile|olcTLSCACertificateFile"`
-add &quot;ldaps:///&quot; to /etc/sysconfig/sldapd
+add &quot;ldaps:///&quot; to /etc/sysconfig/sldapd
-make sure `TLSREQCERT allow` is in /etc/openldap/ldap.conf
+make sure `TLSREQCERT allow` is in /etc/openldap/ldap.conf
-restart slapd
+restart slapd
-`systemctl restart slapd`
+`systemctl restart slapd`
-test search
+test search
-`ldapsearch -v -W -ZxLLLD cn=admin,dc=YOUR_DC,dc=YOUR_DC -b dc=YOUR_DC,dc=YOUR_DC "(objectClass=posixAccount)"`
+`ldapsearch -v -W -ZxLLLD cn=admin,dc=YOUR_DC,dc=YOUR_DC -b dc=YOUR_DC,dc=YOUR_DC "(objectClass=posixAccount)"`
-NOTES on LDAP client (compute node, login node, mgmt node in the cluster)
+NOTES on LDAP client (compute node, login node, mgmt node in the cluster)
-*   make sure ca.pem.key is in /etc/openldap/certs
-*   make sure /etc/openldap/certs has correct permission
+*   make sure ca.pem.key is in /etc/openldap/certs
+*   make sure /etc/openldap/certs has correct permission
 *   make sure `TLSREQCERT allow` is in /etc/openldap/ldap.conf
\ No newline at end of file