Show page

Differences

This shows you the differences between two versions of the page.

--- scgc:laboratoare:02 [2018/03/06 19:41]
victor.ciurel [2. Linux integration] Add new subtask
+++ scgc:laboratoare:02 [2021/10/27 14:08] (current)
maria.mihailescu
@@ Line 1: / Line 1: @@
-====== Laboratory 02. Directory Services: LDAP ======
+====== Directory Services: LDAP ======
 ===== Lab Setup =====
-  * We will be using two virtual machines in the [[http://cloud.curs.pub.ro/|faculty's cloud]].
+  * We will be using a virtual machine in the [[http://cloud.grid.pub.ro/|faculty's cloud]].
-  * When creating a virtual machine follow the steps in this [[https://cloud.curs.pub.ro/about/tutorial-for-students/|tutorial]].
+  * Create a VM
-  * Create two VMs (one will be our LDAP server and one will be our LDAP external client)
   * When creating a virtual machine in the Launch Instance window:
     * Select **Boot from image** in **Instance Boot Source** section
-    * For the server VM select **Centos 7** in **Image Name** section
+    * Select **Centos 7** in **Image Name** section
-    * For the client VM select **Debian 8.6** in **Image Name** section
+    * Select the **m1.small** flavor.
-  * The usernames for connecting to the VMs are:
+  * The username for connecting to the VM is ''student''
-    * ''student'' for **CentOS 7**
-    * ''debian'' for **Debian 8.6**
-  * For ease of use we recommend adding entries in the ''/etc/hosts'' file corresponding to the slave and master VMs
-    * ''<ip_server> server''
-    * ''<ip_client> client''
-    * These two lines will allow using ''server'' instead of the IP address of the server VM for clarity. Likewise, we can use ''client'' instead of the IP address of the client VM.
 ===== Tasks ======
-==== 1. 389-ds ====
+==== 1. [30p] 389-ds ====
-In order to setup and manage LDAP on our server, we will be using 389-ds. This tools offers a more user-friendly way of managing LDAP, rather than using cumbersome CLI commands.
+We will be working entirely on the VM. In order to setup and manage LDAP on our server, we will be using 389-ds. This tools offers a more user-friendly way of managing LDAP, rather than using cumbersome CLI commands.
-=== 1.1 Initial preparation ===
+=== 1.1 [5p] Initial preparation ===
 Add in the ''/etc/hosts'' file an entry for our future hostname. This will be necessary for ldap to work. We will be using the ''scgc.ro'' domain in this laboratory and the server will be identified by ''server.scgc.ro''.
+<file>
+.9.x.y  server.scgc.ro
+</file>
 In order for 389-ds to function properly, some default Linux limitations have to be changed. Add the following lines in ''/etc/sysctl.conf''
@@ Line 29: / Line 25: @@
 fs.file-max = 64000
 </file>
-These are needed to allow more connections to the LDAP server.
+These are needed to allow more connections to the LDAP server. To reload these settings run the following command:
+<code>
+sysctl -p
+</code>
 Also add the following lines in the ''/etc/security/limits.conf'' file:
@@ Line 37: / Line 36: @@
 </file>
 This will allow 389-ds to open up to 8192 processes, if needed. You will need to relogin for these change to take place.
+Finally, add the following line to the ''/etc/pam.d/login'' file.
+<file>
+session    required     /lib/security/pam_limits.so
+</file>
 We will also need a user account for LDAP. Create a new account and set a password for it.
@@ Line 54: / Line 58: @@
 </code>
-=== 1.2 389-ds setup ===
+=== 1.2 [10p] 389-ds setup ===
 Now it’s time to configure LDAP server. Run the following command to configure 389 directory server.
@@ Line 265: / Line 269: @@
 </code>
-=== 1.3 LDAP check ===
+=== 1.3 [10p] LDAP check ===
 To check that LDAP is working we can use either CLI commands or the 389-ds GUI.
@@ Line 358: / Line 362: @@
 The ''-x'' parameter uses simple authentication. In this case the connection is anonymous. The ''-b'' parameter specifies the node in the LDAP tree/directory to traverse.
-The GUI alternative will need to connect with X fowarding through SSH and also install xauth (''yum install xauth''). To forward X through ssh just add the -X parameter to the ssh command.
+<note important>
+The GUI alternative will need to connect with X fowarding through SSH and also install xauth (**yum install xauth**). To forward X through ssh just add the -X parameter to the ssh command.
+</note>
+<note>
+Use -X for ssh to fep and also from fep to your VM.
+</note>
 To start the 389-ds GUI run the following command (from ''student'' user):
@@ Line 370: / Line 380: @@
 Login as admin with password used at setup. To see the LDAP entries, go to ''Users and Groups'' tab and press ''Search''.
-=== 1.4 Simple LDAP entry ===
+=== 1.4 [5p] Simple LDAP entry ===
-Using the GUI from the previous subtask, add a User to LDAP to the People Organizational Unit. Use your name for the User data. Hint: ''User and Groups'', ''Create''
+Using the GUI from the previous subtask, add a User to LDAP to the ''People'' Organizational Unit. Use your name for the User data. Hint: ''User and Groups'', ''Create''
 Use ''ldapsearch'' to verify that the User is added.
-==== 2. Linux integration ====
+==== 2. [45p] Linux integration ====
-=== 2.1 Initial setup ===
+=== 2.1 [5p] Initial setup ===
-We want to use LDAP for different Linux tasks, such as user administration or hostnames. In order, to achieve this we will need the ''nss-pam-ldapd'' package. The nss-pam-ldapd package allows LDAP directory servers to be used as a primary source of name service information. The file contains options, one on each line, defining the way NSS lookups and PAM actions are mapped to LDAP lookups.
+We want to use LDAP for different Linux tasks, such as user administration or hostnames. In order, to achieve this we will need the ''nss-pam-ldapd'' package(**yum install nss-pam-ldapd**). The nss-pam-ldapd package allows LDAP directory servers to be used as a primary source of name service information. The file contains options, one on each line, defining the way NSS lookups and PAM actions are mapped to LDAP lookups.
 We have to specify the LDAP server and base DN for the authentication system to know where to get the data. We can use the following command for this:
@@ Line 386: / Line 396: @@
 </code>
-=== 2.2 Linux users ===
+=== 2.2 [15p] Linux users ===
 Let us now add a new user from LDAP. To do this we will use the GUI interface. Create a new user and enable the Posix User Attributes from the Posix User section. For UID and GID use unused values.
 {{ :scgc:laboratoare:screenshot_from_2018-03-06_17-26-42.png?300 |}}
@@ Line 401: / Line 411: @@
 Edit the User created at 1.4 to also be a Linux user.
-=== 2.3 Homedir creation ===
+=== 2.3 [5p] Homedir creation ===
 When authenticating as a new user through LDAP, the home directory will not automatically be created. This can be problematic. In order to solve this issue, we can configure pam to create the home directory on the first login. For this you need to add the following line in the ''/etc/pam.d/login'' file.
 <file>
 session    required     pam_mkhomdir.so skel=/etc/skel umask=0027
-session    required     /lib/security/pam_limits.so
 </file>
+We will need to enable this functionality by running the command:
+<code>
+[root@server ~]# authconfig --enablemkhomedir --update
+</code>
 Now when logging in for the first time, the home directories should be created.
-=== 2.4 Linux groups ===
+=== 2.4 [10p] Linux groups ===
 Add a group from LDAP in which you will include the user created previously. Create a ''Group'' in the ''Groups'' organizational unit. Don't forget to add Posix attributes.
-=== 2.5 Linux hostnames ===
+=== 2.5 [10p] Linux hostnames ===
 Name resolving can be done using different resources (e.g. DNS, files such as /etc/hosts). The way in which name resolving is performed is specified in the ''/etc/nsswitch.conf'' file, in particular the ''hosts'' component. We can also use LDAP for name resolving. In order to this we first need to add ldap to the ''/etc/nsswitch.conf'' file.
@@ Line 419: / Line 432: @@
 We will follow the schema used to add hostnames from CLI through LDAP. This is presented in detail [[https://wiki.archlinux.org/index.php/LDAP_Hosts|here]].
-Firstly, we will create a new Organizational Unit for the hosts from the GUI. Select the Base DN as the Organizational Unit.
+Firstly, we will create a new Organizational Unit for the hosts from the GUI. Select the Base DN as the Organizational Unit. The name of our new OU will be ''Hosts''.
 After creating our OU for our hosts, we will need more advanced functionality, so we will use the ''Directory Server'' from the ''Servers and Applications'' tabs.
 {{ :scgc:laboratoare:screenshot_from_2018-03-06_17-48-57.png?300 |}}
-In the ''Directory Server'', in the ''Directory'' tab, we will select the ''Hosts'' from ''scgc''. Right clicking will bring up a menu from which we will select ''New...'' and ''Other''. From the list we will select iphost. We will add a new host for the server IP.
+In the ''Directory Server'', in the ''Directory'' tab, we will select the ''Hosts'' from ''scgc''. Right clicking will bring up a menu from which we will select ''New...'' and ''Other''. From the list we will select ''iphost''. We will add a new host for the server IP.
 {{ :scgc:laboratoare:screenshot_from_2018-03-06_17-54-01.png?300 |}}
@@ Line 441: / Line 454: @@
 rtt min/avg/max/mdev = 0.046/0.046/0.046/0.000 ms
 </code>
+==== 3. [25p] More LDAP entries ====
+Using the same methods from task 2, add entries for the following entities (all entities will be Posix):
+  * group starwars
+    * user Han Solo
+    * user Yoda
+    * user Leia Organa
+    * user Luke Skywalker
+  * group lotr
+    * user Gandalf
+    * user Frodo Baggins
+  * hostname hogwarts (for the server IP)

Resources

Laboratories

scgc/laboratoare/02.1520358068.txt.gz · Last modified: 2018/03/06 19:41 by victor.ciurel

Show page Old revisions

Media Manager Back to top