Difference between revisions of "Einstein"
Latest revision as of 22:21, 3 January 2018
Einstein is currently a virtual machine running on Gourd. See the old_einstein page for information about the old Einstein hardware.
Virtual Hardware
- Memory: 2 GB
- Hard Disk: 20 GB
- Swap Disk: 4 GB
- Network 1 (eth0): Farm-Bridge
- Network 2 (eth1): UNH-Bridge
- SCSI Controller: LSI Logic
Network Settings
- IP Address farm (eth0): 10.0.0.248
- IP Address UNH (eth1): 132.177.88.52
Software and Services
IPTables
Einstein uses the standard NPG iptables firewall. It allows ssh, LDAP, imap, smtp, and http connections.
LDAP
Einstein is our LDAP server. It provides user authentication among other useful services. LDAP configuration is located in /etc/openldap, and the LDAP database is stored in /var/lib/ldap.
Einstein is our Email server. The mail itself is stored in a raid1 volume on Gourd, and Einstein mounts the NFS share to /var/spool/mail.
Einstein should mount the NFS share at boot, but note that since it mounts by hostname you should make sure that DNS is accessible before starting the Einstein VM. Otherwise mail won't be mounted properly when the system boots. If for some reason DNS is unavailable you can manually mount the NFS share in /mail using gourd's IP address directly.
Webmail
Einstein provides web-based access to e-mail using Squirrelmail. You can access it at https://einstein.unh.edu/mail.
See also: Gourd/Einstein Migration Plan
Upgrade from RHEL5 to Centos7
OK, this has not been fun, and taken way too long.
Status
We have a running Centos7 Einstein2 system.
- It has Named installed and running as a slave to Jalapeño.
- Slapd is installed. Still working on it.
LDAP
Follow the installation instructions from https://www.certdepot.net/rhel7-configure-ldap-directory-service-user-connection/
Noted differences:
- Install extra schema:
- core.ldif
- inetorgperson.ldif
- wget https://launchpadlibrarian.net/55451730/autofs.ldif
- /usr/share/doc/samba-4.4.4/LDAP/samba.ldif
- for each do: ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f <file>
- (Left out misc.schema and RADIUS-LDAPv3.schema)
Certificate
You need to configure the TLS certificate for the system. To create a new one (see https://www.lisenet.com/2016/openldap-with-ssl-and-nfs-for-user-home-directories-on-centos-7 for the certificate creation steps):
cd /etc/pki/tls/private
DOMAIN=einstein.unh.edu
openssl genrsa -out "$DOMAIN".key 2048 && chmod 0600 "$DOMAIN".key
openssl req -new -sha256 -key "$DOMAIN".key -out "$DOMAIN".csr
openssl x509 -req -days 3650 -sha256 -in "$DOMAIN".csr -signkey "$DOMAIN".key -out "$DOMAIN".crt
openssl pkcs8 -topk8 -inform pem -in "$DOMAIN".key -outform pem -nocrypt -out "$DOMAIN".pem
chmod 640 "$DOMAIN".key "$DOMAIN".pem
chgrp ldap "$DOMAIN".key "$DOMAIN".pem
mv "$DOMAIN".crt ../certs/
cd ../certs
ln -s ${DOMAIN}.crt `/etc/pki/tls/misc/c_hash ${DOMAIN}.crt | cut -d' ' -f1`   # Set a link named after the hash of the cert.
Install Certificate
Edit an ldif file (the page uses /etc/openldap/certificate_change_localhost.ldif):
dn: cn=config
changetype: modify
replace: olcTLSCACertificatePath
olcTLSCACertificatePath: /etc/pki/tls/certs
-
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/pki/tls/certs/ca-bundle.crt
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/pki/tls/certs/einstein.unh.edu.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/pki/tls/private/einstein.unh.edu.pem
To make a change to the ldap server:
ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/certificate_change_localhost.ldif
Note that the hostname needs to be correct, so you probably need to set it in /etc/hosts, e.g. 127.0.0.1 einstein localhost
Test (add -d1, -d2 or -d3 for increasing debug output):
ldapsearch -x -ZZ
ldapsearch -x -H ldaps://
Make sure that the "authconfig" line from Upgrading to Centos 7 is executed, then restart sssd.
Import Old Database:
- Dump on old einstein, see /var/lib/ldap/dump.ldif created by /usr/local/bin/ldap_dump.sh
- Import with ldapadd -x -w 'password' -D cn=root,dc=physics,dc=unh,dc=edu -f /tmp/dump.ldif (using -W instead of -w 'password' prompts for the password rather than leaving it in the shell history and process list)
Allow access over SSL:
- edit: /etc/sysconfig/slapd
- change: SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"
- There is still the issue that the TLS is for "einstein" while the testing node is not called "einstein"
Setup /etc/openssl/ldap.conf:
- echo "tls_reqcert allow" >> /etc/nslcd.conf
- Note that this disables verification of the server certificate, so TLS is not enforced: a missing or bad certificate is accepted.
Allow passwd to work
This was darn tricky to find out how to do. The issue is properly modifying, or adding, olcAccess in the database. The following does the trick. Create a file change_password_access_policy.ldif in /etc/openldap:
dn: olcDatabase={2}hdb,cn=config
add: olcAccess
olcAccess: {0}to attrs=userPassword
 by dn="cn=root,dc=physics,dc=unh,dc=edu" write
 by anonymous auth
 by self write
 by * none
olcAccess: {1}to dn.base=""
 by * read
olcAccess: {2}to *
 by dn="cn=Manager,dc=tuxfixer,dc=com" write
 by * read
Then enter the info into LDAP:
ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/change_password_access_policy.ldif
The documentation for olcAccess is in the OpenLDAP Access Control chapter: https://www.openldap.org/doc/admin24/access-control.html. It appears that the entry for olcAccess: {0} gets encrypted. Weird, since I cannot find any documentation on that.
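To check what those three rules actually grant before loading them, here is an added Python model of OpenLDAP's first-match evaluation (example code written for this page, not part of the wiki or of OpenLDAP; it models only the selectors used above). Note that the {2} rule grants write to cn=Manager,dc=tuxfixer,dc=com, a DN copied from a tutorial domain rather than this directory's cn=root,dc=physics,dc=unh,dc=edu root.

```python
import re
# OpenLDAP access levels, lowest to highest; a granted level implies every lower one.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]
# The three olcAccess values from change_password_access_policy.ldif above.
EINSTEIN_ACL = [
    '{0}to attrs=userPassword by dn="cn=root,dc=physics,dc=unh,dc=edu" write by anonymous auth by self write by * none',
    '{1}to dn.base="" by * read',
    '{2}to * by dn="cn=Manager,dc=tuxfixer,dc=com" write by * read',
]

def parse_olcaccess(values):
    """Turn each '{n}to <what> by <who> <level> ...' into (what, [(who, level), ...])."""
    rules = []
    for value in values:
        what, *by_clauses = re.split(r"\s+by\s+", re.sub(r"^\{\d+\}to\s+", "", value.strip()))
        rules.append((what, [tuple(clause.split()) for clause in by_clauses]))
    return rules

def _what_matches(what, entry_dn, attr):
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr is not None and attr in what[len("attrs="):].split(",")
    if what.startswith('dn.base="'):
        return entry_dn == what[len('dn.base="'):-1]
    return False  # selector not modelled here: treat as no match

def _who_matches(who, requester_dn, entry_dn):
    if who == "*":
        return True
    if who == "anonymous":  # requester_dn None stands for an unauthenticated bind
        return requester_dn is None
    if who == "self":
        return requester_dn is not None and requester_dn == entry_dn
    if who.startswith('dn="'):
        return requester_dn == who[len('dn="'):-1]
    return False

def allowed(rules, requester_dn, entry_dn, attr, needed):
    """First matching 'to' clause decides, then its first matching 'by' clause; unmatched means denied here."""
    for what, by_clauses in rules:
        if not _what_matches(what, entry_dn, attr):
            continue
        for who, level in by_clauses:
            if _who_matches(who, requester_dn, entry_dn):
                return LEVELS.index(level) >= LEVELS.index(needed)
        return False  # matched 'to' but no 'by': the implicit trailing 'by * none'
    return False

RULES = parse_olcaccess(EINSTEIN_ACL)
```

Because the first matching "by" clause wins, swapping "by self write" and "by * none" in rule {0} would silently break passwd for every user, which is exactly the ordering mistake this model catches.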
Other Tasks
Move the Mail configuration. See: E-mail
Move the SSH keys from the system.
Move the sudoers file.