Index: branches/fc13-dev/server/doc/389-ds-enable-ssl-and-kerberos.diff
===================================================================
--- branches/fc13-dev/server/doc/389-ds-enable-ssl-and-kerberos.diff	(revision 1644)
+++ 	(revision )
@@ -1,59 +1,0 @@
---- o-f.config.ldif	2008-07-05 06:24:48.000000000 -0400
-+++ b-m.config.ldif	2008-07-05 06:25:34.000000000 -0400
-@@ -123,7 +123,7 @@
- passwordMaxFailure: 3
- nsslapd-accesslog: /var/log/dirsrv/slapd-scripts/access
- nsslapd-lastmod: on
--nsslapd-security: off
-+nsslapd-security: on
- passwordMaxAge: 8640000
- nsslapd-auditlog-logrotationtimeunit: day
- passwordResetFailureCount: 600
-@@ -180,7 +180,7 @@
- nsslapd-referralmode:
- nsslapd-maxdescriptors: 1024
- nsslapd-conntablesize: 1024
--nsslapd-sslclientauth: off
-+nsslapd-sslclientauth: allowed
- nsslapd-config: cn=config
- nsslapd-instancedir:
- nsslapd-schemadir: /etc/dirsrv/slapd-scripts/schema
-@@ -217,7 +217,8 @@
- nsSSLSessionTimeout: 0
- nsSSLClientAuth: allowed
- nsSSL2: off
--nsSSL3: off
-+nsSSL3: on
-+nsSSL3Ciphers: +rsa_rc4_128_md5
- nsSSLSupportedCiphers: SSL3::rc4::RC4::MD5::128
- nsSSLSupportedCiphers: SSL3::rc4export::RC4::MD5::128
- nsSSLSupportedCiphers: SSL3::rc2::RC2::MD5::128
-@@ -315,6 +316,15 @@
- objectClass: extensibleObject
- cn: uniqueid generator
- 
-+# RSA, encryption, config
-+dn: cn=RSA,cn=encryption,cn=config
-+objectClass: top
-+objectClass: nsEncryptionModule
-+cn: RSA
-+nsSSLPersonalitySSL: ldap/better-mousetrap
-+nsSSLToken: internal (software)
-+nsSSLActivation: on
-+
- # options, features, config
- dn: cn=options,cn=features,cn=config
- objectClass: top
-@@ -1264,3 +1274,12 @@
- nsslapd-pluginVendor: Fedora Project
- nsslapd-pluginDescription: Salted Secure Hashing Algorithm (SSHA512)
- 
-+# mapname, mapping, sasl, config
-+dn: cn=mapname,cn=mapping,cn=sasl,cn=config
-+objectClass: top
-+objectClass: nsSaslMapping
-+cn: mapname
-+nsSaslMapRegexString: \(.*\)
-+nsSaslMapBaseDNTemplate: uid=\1,ou=People,dc=scripts,dc=mit,dc=edu
-+nsSaslMapFilterTemplate: (objectClass=posixAccount)
-+
Index: branches/fc13-dev/server/doc/HOWTO-SETUP-LDAP
===================================================================
--- branches/fc13-dev/server/doc/HOWTO-SETUP-LDAP	(revision 1644)
+++ branches/fc13-dev/server/doc/HOWTO-SETUP-LDAP	(revision 1645)
@@ -2,27 +2,51 @@
 
 - Install the RPM 389-ds-base with yum
-- root# env NSS_NONLOCAL_IGNORE=1 useradd -r -d /var/lib/dirsrv fedora-ds
+  root# yum install -y 389-ds-base
+- We want to run the directory server as its own user, so create fedora-ds
+  root# env NSS_NONLOCAL_IGNORE=1 useradd -r -d /var/lib/dirsrv fedora-ds
+- root# yum install -y policycoreutils-python
 - root# /usr/sbin/setup-ds.pl
     - Choose a typical install
     - Tell it to use the fedora-ds user and group
     - Directory server identifier: scripts
+        Needed to remove this from the config file first
     - Suffix: dc=scripts,dc=mit,dc=edu
     - Input directory manager password
+      (this can be found in  ~/.ldapvirc)
+        [XXX: Got error: sh: semanage: command not found; turns out this is in
+        policycoreutils-python.  Don't know if this will cause problems.]
 - yum install ldapvi
-- /sbin/service dirsrv start
-- Apply ./fedora-ds-enable-ssl-and-kerberos.diff manually
-- Also set nsslapd-ldapifilepath: /var/run/dirsrv/slapd-scripts.socket
-  and nsslapd-ldapilisten: on, otherwise ldapi won't work.
+- Check if dirsrv starts: /sbin/service dirsrv start
+- Apply the following configuration changes.  If you're editing
+  dse.ldif, you don't want dirsrv to be on, otherwise it will
+  overwrite your changes. [XXX: show how to do these changes with
+  dsconf, which is the "blessed" method]
+
+# Inside cn=config.  These changes definitely require a restart.
+nsslapd-ldapifilepath: /var/run/dirsrv/slapd-scripts.socket
+nsslapd-ldapilisten: on
+
+# Add these blocks
+
+# mapname, mapping, sasl, config
+# This is the most liberal mapping you can have for SASL: you can
+# basically add authentication for any given GSSAPI mechanism by
+# explicitly creating the UID for that SASL string.
+dn: cn=mapname,cn=mapping,cn=sasl,cn=config
+objectClass: top
+objectClass: nsSaslMapping
+cn: mapname
+nsSaslMapRegexString: \(.*\)
+nsSaslMapBaseDNTemplate: uid=\1,ou=People,dc=scripts,dc=mit,dc=edu
+nsSaslMapFilterTemplate: (objectClass=posixAccount)
+
 - /sbin/service dirsrv stop
-- Add the scripts schemas to /var/lib/dirsrv/slapd-scripts
-- wget http://web.mit.edu/geofft/Public/scripts-ca.pem
-- certutil -d /etc/dirsrv/slapd-scripts -A -n "scripts.mit.edu CA" -t CT,, -a -i scripts-ca.pem
-- Generate a pkcs12 cert for the server:
-- openssl pkcs12 -export -in c-w.pem -inkey c-w.key -name 'ldap/cats-whiskers' -out c-w.pkcs12
-- pk12util -i ldap-server-cert.p12 -d /etc/dirsrv/slapd-scripts
-- Put LDAP keytab in /etc/dirsrv/keytab
-- Uncomment and modify in /etc/syscnfig/dirsrv: KRB5_KTNAME=/etc/dirsrv/keytab ; export KRB5_KTNAME
-- mkdir -p /var/tmp/dirsrv
-- chown fedora-ds:fedora-ds /var/tmp/dirsrv
+- Add the scripts schemas to /var/lib/dirsrv/slapd-scripts [XXX: I don't
+  know how to do this, but placing them in /etc might be sufficient?]
+- Put LDAP keytab (ldap/hostname.mit.edu) in /etc/dirsrv/keytab.  Make
+  sure you chown/chgrp it to be readable by fedora-ds
+- Uncomment and modify in /etc/sysconfig/dirsrv: KRB5_KTNAME=/etc/dirsrv/keytab ; export KRB5_KTNAME
+- mkdir -p /var/run/dirsrv
+- chown fedora-ds:fedora-ds /var/run/dirsrv
 - chmod 755 /var/run/dirsrv
 - /sbin/service dirsrv restart
@@ -97,10 +121,164 @@
     /usr/lib64/dirsrv/slapd-scripts/db2index.pl -D "cn=Directory Manager" -j /etc/signup-ldap-pw -n userRoot
 
+  (/etc/signup-ldap-pw is the LDAP root password, make sure it's
+  chmodded correctly and chowned to signup. Also, make sure it doesn't
+  have a trailing newline!)
+
 -  Watch for the indexing operations to finish with this command:
 
     ldapsearch -x -y /etc/signup-ldap-pw -D 'cn=Directory Manager' -b cn=tasks,cn=config
 
-- Set up replication:
-  (basically, execute
-   http://directory.fedoraproject.org/sources/contrib/mmr.pl
-   manually)
+  (look for nktaskstatus)
+
+- Set up replication.
+
+  We used to tell people to go execute
+  http://directory.fedoraproject.org/sources/contrib/mmr.pl manually
+  (manually because that script assumes only two masters and we have
+  every one of our servers set up as a master.)  However, those
+  instructions are inaccurate, because we use GSSAPI, not SSL and
+  because the initializing procedure is actually prone to a race
+  condition.  Here are some better instructions.
+
+  LDAP replication is based around producers and consumers.  Producers
+  push changes in LDAP to consumers: these arrangements are called
+  "replication agreements" and the producer will hold a
+  nsDS5ReplicationAgreement object that represents this commitment,
+  as well as some extra configuration to say who consumers will accept
+  replication data from (a nsDS5Replica).
+
+  The procedure, at a high level, is this:
+
+    1. Pick an arbitrary existing master.  The current server will
+       be configured as a slave to that master.  Initialize a changelog,
+       then request a replication to populate our server with
+       information.
+
+            M1 <---> M2 ---> S
+
+    2. Configure the new server to be replicated back.
+
+            M1 <---> M2 <---> S
+
+    3. Set up the rest of the replication agreements at your leisure.
+
+                M1 <---> M2
+                ^         ^
+                |         |
+                +--> S <--+
+
+  Here's how you do it.
+
+    1. Pull open the replication part of the database. It's fairly empty
+       right now.
+
+        ldapvi -b cn=\"dc=scripts,dc=mit,dc=edu\",cn=mapping\ tree,cn=config 
+
+    2. Configure the server $SLAVE (this server) to accept $MASTER
+       replications by adding the following LDAP entries:
+
+add cn=replica, cn="dc=scripts,dc=mit,dc=edu", cn=mapping tree, cn=config
+objectClass: top
+objectClass: nsDS5Replica
+cn: replica
+nsDS5ReplicaId: $REPLICA_ID
+nsDS5ReplicaRoot: dc=scripts,dc=mit,dc=edu
+nsDS5Flags: 1
+nsDS5ReplicaBindDN: uid=ldap/bees-knees.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu
+nsDS5ReplicaBindDN: uid=ldap/busy-beaver.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu
+nsDS5ReplicaBindDN: uid=ldap/cats-whiskers.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu
+nsDS5ReplicaBindDN: uid=ldap/pancake-bunny.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu
+nsDS5ReplicaBindDN: uid=ldap/whole-enchilada.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu
+nsDS5ReplicaBindDN: uid=ldap/real-mccoy.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu
+# ADD SERVERS HERE AS YOU ADD NEW SERVERS
+nsds5ReplicaPurgeDelay: 604800
+nsds5ReplicaLegacyConsumer: off
+nsDS5ReplicaType: 3
+
+        $REPLICA_ID is the scripts$N number (stella $HOSTNAME to find
+        out.)  You might wonder why we are binding to all servers;
+        weren't we going to replicate from only one server?  That is
+        correct, however, simply binding won't mean we will receive
+        updates; we have to setup the $MASTER to send data $SALVE.
+
+    3. Although we allowed those uids to bind, that user information
+       doesn't exist on $SLAVE yet.  So you'll need to create the entry
+       for just $MASTER.
+
+add uid=ldap/$MASTER,ou=People,dc=scripts,dc=mit,dc=edu
+uid: ldap/$MASTER
+objectClass: account
+objectClass: top
+
+    4. Though our $SLAVE will not be making changes to LDAP, we need to
+       initialize the changelog because we intend to be able to do this
+       later.
+
+add cn=changelog5,cn=config
+objectclass: top
+objectclass: extensibleObject
+cn: changelog5
+nsslapd-changelogdir: /etc/dirsrv/slapd-scripts/changelogdb
+
+    5. Ok, now go to your $MASTER server that you picked (it should have
+       been one of the hosts mentioned in nsDS5ReplicaBindDN) and tell
+       it to replicate to $SLAVE.
+
+add cn="GSSAPI Replication to $SLAVE", cn=replica, cn="dc=scripts,dc=mit,dc=edu", cn=mapping tree, cn=config
+objectClass: top
+objectClass: nsDS5ReplicationAgreement
+cn: "GSSAPI Replication to $SLAVE"
+cn: GSSAPI Replication to $SLAVE
+nsDS5ReplicaHost: $SLAVE
+nsDS5ReplicaRoot: dc=scripts,dc=mit,dc=edu
+nsDS5ReplicaPort: 389
+nsDS5ReplicaTransportInfo: LDAP
+nsDS5ReplicaBindDN:
+uid=ldap/$MASTER,ou=People,dc=scripts,dc=mit,dc=edu
+nsDS5ReplicaBindMethod: SASL/GSSAPI
+nsDS5ReplicaUpdateSchedule: "0000-2359 0123456"
+nsDS5ReplicaTimeout: 120
+
+    4. Run the replication. (you could fold this into the previous step)
+
+# under cn="GSSAPI Replication to $SLAVE", cn=replica, cn="dc=scripts,dc=mit,dc=edu", cn=mapping tree, cn=config
+nsDS5BeginReplicaRefresh: start
+
+    5. Check that the replication is running; the status will be stored
+    in the object we've been mucking around with.
+
+    If it fails with LDAP Error 49, check /var/log/dirsrv on $MASTER
+    for more information.  It might be because fedora-ds can't read
+    /etc/dirsrv/keytab
+
+    6. Replicate in the other direction.  On $MASTER, add $SLAVE
+    as a nsDS5ReplicaBindDN in cn=replica,cn="dc=scripts,dc=mit,dc=edu",cn=mapping tree,cn=config
+    Also, add an account for $SLAVE
+
+add uid=ldap/$SLAVE,ou=People,dc=scripts,dc=mit,dc=edu
+uid: ldap/$SLAVE
+objectClass: account
+objectClass: top
+
+    On $SLAVE,
+
+add cn="GSSAPI Replication to $MASTER", cn=replica, cn="dc=scripts,dc=mit,dc=edu", cn=mapping tree, cn=config
+objectClass: top
+objectClass: nsDS5ReplicationAgreement
+cn: "GSSAPI Replication to $MASTER"
+cn: GSSAPI Replication to $MASTER
+nsDS5ReplicaHost: $MASTER
+nsDS5ReplicaRoot: dc=scripts,dc=mit,dc=edu
+nsDS5ReplicaPort: 389
+nsDS5ReplicaTransportInfo: LDAP
+nsDS5ReplicaBindDN: uid=ldap/$SLAVE,ou=People,dc=scripts,dc=mit,dc=edu
+nsDS5ReplicaBindMethod: SASL/GSSAPI
+nsDS5ReplicaUpdateSchedule: "0000-2359 0123456"
+nsDS5ReplicaTimeout: 120
+
+    If you get a really scary internal server error, that might mean you
+    forgot to initialize the changelog.  Remove the replication
+    agreement (you'll need to turn off dirsrv), add the changelog, and
+    then try again.
+
+[XXX: Do we need the referrals?]
Index: branches/fc13-dev/server/doc/install-howto.sh
===================================================================
--- branches/fc13-dev/server/doc/install-howto.sh	(revision 1644)
+++ branches/fc13-dev/server/doc/install-howto.sh	(revision 1645)
@@ -26,4 +26,7 @@
 
 # Start with a normal install of Fedora.
+
+# Take updates
+    YUM update
 
 if [ $boot = 0 ]; then
@@ -71,4 +74,5 @@
     svn co svn://$source_server/$branch repository
 
+    # XXX These sed scripts don't work
     sed -i 's/^(# *)*store-passwords.*/store-passwords = no/' /root/.subversion/config
     sed -i 's/^(# *)*store-auth-creds.*/store-auth-creds = no/' /root/.subversion/config
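Review bot: The two sed commands under the new XXX comment only match an already-uncommented `store-passwords` / `store-auth-creds` line, because without `-r` the pattern `(# *)*` is a basic regular expression in which the parentheses are literal characters, so the commented-out defaults in /root/.subversion/config are left untouched and Subversion keeps its default credential caching on a root account. Either switch to extended syntax, `sed -i -r 's/^(# *)*store-passwords.*/store-passwords = no/' /root/.subversion/config` and `sed -i -r 's/^(# *)*store-auth-creds.*/store-auth-creds = no/' /root/.subversion/config`, or escape the group as `\(# *\)*`; a following `grep -E '^store-(passwords|auth-creds)' /root/.subversion/config` would make the XXX verifiable instead of a guess. The hunk sits in the script's top-level statement run, which continues on both sides of it.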
@@ -90,4 +94,8 @@
     # won't work.
 
+# Get some packages necessary for OpenAFS
+    YUM install -y redhat-lsb
+    YUM install -y autofs
+
 # Add scripts-build to the group 'mock'
     usermod -a -G mock scripts-build
@@ -110,5 +118,6 @@
 # You can get password SSH back by editing /etc/ssh/sshd_config (allow
 # password auth) and /etc/pam.d/sshd (comment out the first three auth
-# lines)
+# lines).  However, you can also temporarily install krb5 and setup the
+# keytabs and k5login to get Kerberized authentication.
 
     service named start
@@ -118,23 +127,4 @@
 # packages for a new Fedora release.  Consult 'upgrade-tips' for more
 # information.
-
-# In the case of the Kerberos libraries, you'll be told that
-# there are conflicting files with the 64-bit versions of the packages,
-# which we scriptsify.  You'll have to use --force to install those
-# rpms despite the conflicts.  After doing that, you may want to
-# install the corresponding 64-bit scriptsified versions again, just
-# to be safe in case the 32-bit versions overwrite files that differ.
-# When you try this, it will complain that you already have the same
-# version installed; again, you'll need to use --force to do it anyway.
-
-# We need yumdownloader to force some RPMs
-    # XXX: This might be wrong. Sanity check what packages ou
-    # have when done
-    YUM install -y yum-utils
-    yumdownloader krb5-libs
-    # XXX: These version numbers are hardcoded, need some cli-fu to generalize
-    # FC13: Check if they are necessary
-    rpm -i krb5-libs-*.i586.rpm
-    rpm -U --force krb5-libs-*.scripts.1138.x86_64.rpm
 
 # env NSS_NONLOCAL_IGNORE=1 yum install scripts-base
@@ -174,4 +164,5 @@
     YUM install -y nrpe
     YUM install -y nagios-plugins-all
+    YUM install -y fprintd-pam
 
 # Disable NetworkManager with chkconfig NetworkManager off. Configure
@@ -198,14 +189,8 @@
 # Edit the parameters in /etc/sysconfig/openafs
 
-# Figure out why Zephyr isn't working. Most recently, it was because there
-# was a 64-bit RPM installed; remove it and install Joe's 32-bit one
-    YUM erase -y mit-zephyr
-    # mit-zephyr has a spurious dependency on mit-krb-config
-    yumdownloader mit-zephyr.i386
-    # if deps change, this breaks
-    YUM install -y libXaw.i586 libXext.i586 libXmu.i586 ncurses-libs.i586 readline.i586
-    rpm -i --nodeps mit-zephyr-2.1-6-linux.i386.rpm
-    # test if it worked by sending an un-authed message
-    zwrite -d -c scripts -i test
+# Test that zephyr is working
+    chkconfig zhm on
+    service zhm start
+    echo 'Test!' | zwrite -d -c scripts -i test
 
 # Install the athena-base, athena-lprng, and athena-lprng-misc RPMs
@@ -251,5 +236,5 @@
     mkdir vice
     cd vice
-    svn co svn://scripts.mit.edu/trunk/server/fedora/config/usr/vice/etc etc
+    svn co svn://scripts.mit.edu/$branch/server/fedora/config/usr/vice/etc etc
     \cp -a etc /usr/vice
 
@@ -308,24 +293,36 @@
     echo 'import site, os.path; site.addsitedir(os.path.expanduser("~/lib/python2.6/site-packages"))' > /usr/lib/python2.6/site-packages/00scripts-home.pth
 
-# Install the credentials.  There are a lot of things to remember here:
+# Install the credentials.  There are a lot of things to remember here.
+# Be sure to make sure the permissions match up (ls -l on an existing
+# server!).
 #   o This will be different if you're setting up our build/update server.
 #   o You probably installed the machine keytab long ago
     ls -l /etc/krb5.keytab
-#   o Use ktutil to combine the host/scripts.mit.edu and
+#     Use ktutil to combine the host/scripts.mit.edu and
 #     host/scripts-vhosts.mit.edu keys with host/this-server.mit.edu in
 #     the keytab.  Do not use 'k5srvutil change' on the combined keytab
-#     or you'll break the other servers. (real servers only)
+#     or you'll break the other servers. (real servers only).  Be
+#     careful about writing out the keytab: if you write it to an
+#     existing file the keys will just get appended
 #   o The daemon.scripts keytab
     ls -l /etc/daemon.keytab
 #   o The SSL cert private key (real servers only)
+    ls -l /etc/pki/tls/private/scripts.key
 #   o The LDAP password for the signup process (real servers only)
-#   o The SQL password for the signup process (real servers only)
+    ls -l /etc/signup-ldap-pw
+#   o The SQL password for the signup process (real servers only) (you
+#     only need one)
+    ls -l /usr/local/etc/sql-mit-edu.cfg.php
+    ls -l /etc/sql-mit-edu.cfg.php
 #   o The whoisd password (real servers only)
-#   o The LDAP keytab for this server, which will be used later (real servers only)
+#   o The LDAP keytab for this server, which will be used later (real
+#     servers only).
+    ls -l /etc/dirsrv/keytab
 #   o Replace the ssh host keys with the ones common to all scripts servers (real servers only)
-#   o You'll install an LDAP certificate signed by the scripts CA later (real servers only)
+    ls -l /etc/ssh/*key*
 #   o Make sure root's .k5login is correct
     cat /root/.k5login
 #   o Make sure logview's .k5login is correct (real servers only)
+    cat /home/logview/.k5login
 
 # If you are setting up a test server, pay attention to
@@ -353,6 +350,5 @@
     vim /home/afsagent/renew # replace all mentions of daemon.scripts.mit.edu
 
-# Install 389-ds-base and set up replication (see ./HOWTO-SETUP-LDAP
-#   and ./389-ds-enable-ssl-and-kerberos.diff).
+# Install 389-ds-base and set up replication (see ./HOWTO-SETUP-LDAP).
 
 # Make the services dirsrv, nslcd, nscd, postfix, and httpd start at
@@ -420,3 +416,3 @@
 
 # XXX: our SVN checkout should be updated to use scripts.mit.edu
-# (repository and etc)
+# (repository and etc) once serving actually works.
