Difference between revisions of "Einstein"
(→LDAP) |
|||
| Line 59: | Line 59: | ||
* for each do: ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f <file> | * for each do: ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f <file> | ||
* (Left out misc.schema and RADIUS-LDAPv3.schema ) | * (Left out misc.schema and RADIUS-LDAPv3.schema ) | ||
| + | |||
| + | ==== Certificate ==== | ||
You need to configure the TLS certificate for the system. To create a new one (see: [https://www.lisenet.com/2016/openldap-with-ssl-and-nfs-for-user-home-directories-on-centos-7 certs creating]) : | You need to configure the TLS certificate for the system. To create a new one (see: [https://www.lisenet.com/2016/openldap-with-ssl-and-nfs-for-user-home-directories-on-centos-7 certs creating]) : | ||
| Line 73: | Line 75: | ||
ln -s ${DOMAIN}.crt `/etc/pki/tls/misc/c_hash ${DOMAIN}.crt | cut -d' ' -f1` # Set a link to the hash of the cert. | ln -s ${DOMAIN}.crt `/etc/pki/tls/misc/c_hash ${DOMAIN}.crt | cut -d' ' -f1` # Set a link to the hash of the cert. | ||
| + | ==== Install Certificate ==== | ||
| + | Edit an ldif file: | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
dn: cn=config | dn: cn=config | ||
| − | + | changetype: modify | |
| − | + | replace: olcTLSCACertificatePath | |
| − | + | olcTLSCACertificatePath: /etc/pki/tls/certs | |
| − | + | - | |
| − | + | replace: olcTLSCACertificateFile | |
| − | + | olcTLSCACertificateFile: /etc/pki/tls/certs/ca-bundle.crt | |
| − | + | - | |
| − | + | replace: olcTLSCertificateFile | |
| − | + | olcTLSCertificateFile: /etc/pki/tls/certs/einstein.unh.edu.crt | |
| + | - | ||
| + | replace: olcTLSCertificateKeyFile | ||
| + | olcTLSCertificateKeyFile: /etc/pki/tls/private/einstein.unh.edu.pem | ||
| + | |||
To make a change to the ldap server: | To make a change to the ldap server: | ||
ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/certificate_change_localhost.ldif | ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/certificate_change_localhost.ldif | ||
Revision as of 21:39, 9 August 2017
Einstein is currently a virtual machine running on Gourd. Go here for information about the old Einstein hardware.
Virtual Hardware
- Memory: 2 GB
- Hard Disk: 20 GB
- Swap Disk: 4 GB
- Network 1 (eth0): Farm-Bridge
- Network 2 (eth1): UNH-Bridge
- SCSI Controller: LSI Logic
Network Settings
- IP Address farm (eth0): 10.0.0.248
- IP Address UNH (eth1): 132.177.88.52
Software and Services
IPTables
Einstein uses the standard NPG iptables firewall. It allows ssh, LDAP, imap, smtp, and http connections.
LDAP
Einstein is our LDAP server. It provides user authentication among other useful services. LDAP configuration is located in /etc/openldap, and the LDAP database is stored in /var/lib/ldap.
Einstein is our Email server. The mail itself is stored in a raid1 volume on Gourd, and Einstein mounts the NFS share to /var/spool/mail.
Einstein should mount the NFS share at boot, but note that since it mounts by hostname you should make sure that DNS is accessible before starting the Einstein VM. Otherwise mail won't be mounted properly when the system boots. If for some reason DNS is unavailable you can manually mount the NFS share in /mail using gourd's IP address directly.
Webmail
Einstein provides web-based access to e-mail using Squirrelmail. You can access it at [1].
See also: Gourd/Einstein Migration Plan
Upgrade from RHEL5 to Centos7
OK, this has not been fun, and taken way too long.
Status
We have a running Centos7 Einstein2 system.
- It has Named installed and running as a slave to Jalapeño.
- Slapd is installed. Still working on it.
LDAP
Follow the installation instruction from https://www.certdepot.net/rhel7-configure-ldap-directory-service-user-connection/
Noted differences:
- Install extra schema:
- core.ldif
- inetorgperson.ldif
- wget https://launchpadlibrarian.net/55451730/autofs.ldif
- /usr/share/doc/samba-4.4.4/LDAP/samba.ldif
- for each do: ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f <file>
- (Left out misc.schema and RADIUS-LDAPv3.schema )
Certificate
You need to configure the TLS certificate for the system. To create a new one (see: certs creating) :
cd /etc/pki/tls/private
DOMAIN=einstein.unh.edu
openssl genrsa -out "$DOMAIN".key 2048 && chmod 0600 "$DOMAIN".key
openssl req -new -sha256 -key "$DOMAIN".key -out "$DOMAIN".csr
openssl x509 -req -days 3650 -sha256 -in "$DOMAIN".csr -signkey "$DOMAIN".key -out "$DOMAIN".crt
openssl pkcs8 -topk8 -inform pem -in "$DOMAIN".key -outform pem -nocrypt -out "$DOMAIN".pem
chmod 640 "$DOMAIN".key "$DOMAIN".pem
chgrp ldap "$DOMAIN".key "$DOMAIN".pem
mv "$DOMAIN".crt ../certs/
cd ../certs
ln -s ${DOMAIN}.crt `/etc/pki/tls/misc/c_hash ${DOMAIN}.crt | cut -d' ' -f1` # Set a link to the hash of the cert.
Install Certificate
Edit an ldif file:
dn: cn=config changetype: modify replace: olcTLSCACertificatePath olcTLSCACertificatePath: /etc/pki/tls/certs - replace: olcTLSCACertificateFile olcTLSCACertificateFile: /etc/pki/tls/certs/ca-bundle.crt - replace: olcTLSCertificateFile olcTLSCertificateFile: /etc/pki/tls/certs/einstein.unh.edu.crt - replace: olcTLSCertificateKeyFile olcTLSCertificateKeyFile: /etc/pki/tls/private/einstein.unh.edu.pem
To make a change to the ldap server:
ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/certificate_change_localhost.ldif
Note that the hostname needs to be correct, so you probably need to set it in /etc/hosts i.e. 127.0.0.1 einstein localhost
Test, add -d1 -d2 or -d3 for increased debug output:
ldapsearch -x -ZZ ldapsearch -x -H ldaps://
Make sure that the "authconfig" line from Upgrading to Centos 7 is executed and restart sssd
Import Old Database:
- Dump on old einstein, see /var/lib/ldap/dump.ldif created by /usr/local/bin/ldap_dump.sh
- Import with ldapadd -x -w 'password' -D cn=root,dc=physics,dc=unh,dc=edu -f /tmp/dump.ldif
Allow access over SSL:
- edit: /etc/sysconfig/slapd
- change: SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"
- There is still the issue that the TLS is for "einstein" while the testing node is not called "einstein"
Setup /etc/openssl/ldap.conf:
- echo "tls_reqcert allow" >> /etc/nslcd.conf
- Note that this makes it so that the TLS is not enforced.
Move the Mail configuration. See: E-mail
Move the SSH keys from the system.
Move the sudoers file.
TO DO
- Get certificates working when serving up the LDAP.
