Differences
This shows you the differences between two versions of the page.
|
scgc:laboratoare:02 [2018/03/06 19:54] victor.ciurel Fix points |
scgc:laboratoare:02 [2021/10/27 14:08] (current) maria.mihailescu |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== Laboratory 02. Directory Services: LDAP ====== | + | ====== Directory Services: LDAP ====== |
| ===== Lab Setup ===== | ===== Lab Setup ===== | ||
| - | * We will be using a virtual machine in the [[http://cloud.curs.pub.ro/|faculty's cloud]]. | + | * We will be using a virtual machine in the [[http://cloud.grid.pub.ro/|faculty's cloud]]. |
| - | * When creating a virtual machine follow the steps in this [[https://cloud.curs.pub.ro/about/tutorial-for-students/|tutorial]]. | + | |
| * Create a VM | * Create a VM | ||
| * When creating a virtual machine in the Launch Instance window: | * When creating a virtual machine in the Launch Instance window: | ||
| * Select **Boot from image** in **Instance Boot Source** section | * Select **Boot from image** in **Instance Boot Source** section | ||
| * Select **Centos 7** in **Image Name** section | * Select **Centos 7** in **Image Name** section | ||
| + | * Select the **m1.small** flavor. | ||
| * The username for connecting to the VM is ''student'' | * The username for connecting to the VM is ''student'' | ||
| ===== Tasks ====== | ===== Tasks ====== | ||
| ==== 1. [30p] 389-ds ==== | ==== 1. [30p] 389-ds ==== | ||
| - | In order to setup and manage LDAP on our server, we will be using 389-ds. This tools offers a more user-friendly way of managing LDAP, rather than using cumbersome CLI commands. | + | We will be working entirely on the VM. In order to setup and manage LDAP on our server, we will be using 389-ds. This tools offers a more user-friendly way of managing LDAP, rather than using cumbersome CLI commands. |
| === 1.1 [5p] Initial preparation === | === 1.1 [5p] Initial preparation === | ||
| Add in the ''/etc/hosts'' file an entry for our future hostname. This will be necessary for ldap to work. We will be using the ''scgc.ro'' domain in this laboratory and the server will be identified by ''server.scgc.ro''. | Add in the ''/etc/hosts'' file an entry for our future hostname. This will be necessary for ldap to work. We will be using the ''scgc.ro'' domain in this laboratory and the server will be identified by ''server.scgc.ro''. | ||
| + | <file> | ||
| + | 10.9.x.y server.scgc.ro | ||
| + | </file> | ||
| In order for 389-ds to function properly, some default Linux limitations have to be changed. Add the following lines in ''/etc/sysctl.conf'' | In order for 389-ds to function properly, some default Linux limitations have to be changed. Add the following lines in ''/etc/sysctl.conf'' | ||
| Line 22: | Line 25: | ||
| fs.file-max = 64000 | fs.file-max = 64000 | ||
| </file> | </file> | ||
| - | These are needed to allow more connections to the LDAP server. | + | These are needed to allow more connections to the LDAP server. To reload these settings run the following command: |
| + | <code> | ||
| + | sysctl -p | ||
| + | </code> | ||
| Also add the following lines in the ''/etc/security/limits.conf'' file: | Also add the following lines in the ''/etc/security/limits.conf'' file: | ||
| Line 356: | Line 362: | ||
| The ''-x'' parameter uses simple authentication. In this case the connection is anonymous. The ''-b'' parameter specifies the node in the LDAP tree/directory to traverse. | The ''-x'' parameter uses simple authentication. In this case the connection is anonymous. The ''-b'' parameter specifies the node in the LDAP tree/directory to traverse. | ||
| - | The GUI alternative will need to connect with X fowarding through SSH and also install xauth (''yum install xauth''). To forward X through ssh just add the -X parameter to the ssh command. | + | <note important> |
| + | The GUI alternative will need to connect with X fowarding through SSH and also install xauth (**yum install xauth**). To forward X through ssh just add the -X parameter to the ssh command. | ||
| + | </note> | ||
| + | |||
| + | <note> | ||
| + | Use -X for ssh to fep and also from fep to your VM. | ||
| + | </note> | ||
| To start the 389-ds GUI run the following command (from ''student'' user): | To start the 389-ds GUI run the following command (from ''student'' user): | ||
| Line 370: | Line 382: | ||
| === 1.4 [5p] Simple LDAP entry === | === 1.4 [5p] Simple LDAP entry === | ||
| - | Using the GUI from the previous subtask, add a User to LDAP to the People Organizational Unit. Use your name for the User data. Hint: ''User and Groups'', ''Create'' | + | Using the GUI from the previous subtask, add a User to LDAP to the ''People'' Organizational Unit. Use your name for the User data. Hint: ''User and Groups'', ''Create'' |
| Use ''ldapsearch'' to verify that the User is added. | Use ''ldapsearch'' to verify that the User is added. | ||
| Line 377: | Line 389: | ||
| === 2.1 [5p] Initial setup === | === 2.1 [5p] Initial setup === | ||
| - | We want to use LDAP for different Linux tasks, such as user administration or hostnames. In order, to achieve this we will need the ''nss-pam-ldapd'' package. The nss-pam-ldapd package allows LDAP directory servers to be used as a primary source of name service information. The file contains options, one on each line, defining the way NSS lookups and PAM actions are mapped to LDAP lookups. | + | We want to use LDAP for different Linux tasks, such as user administration or hostnames. In order, to achieve this we will need the ''nss-pam-ldapd'' package(**yum install nss-pam-ldapd**). The nss-pam-ldapd package allows LDAP directory servers to be used as a primary source of name service information. The file contains options, one on each line, defining the way NSS lookups and PAM actions are mapped to LDAP lookups. |
| We have to specify the LDAP server and base DN for the authentication system to know where to get the data. We can use the following command for this: | We have to specify the LDAP server and base DN for the authentication system to know where to get the data. We can use the following command for this: | ||
| Line 403: | Line 415: | ||
| <file> | <file> | ||
| session required pam_mkhomdir.so skel=/etc/skel umask=0027 | session required pam_mkhomdir.so skel=/etc/skel umask=0027 | ||
| - | session required /lib/security/pam_limits.so | ||
| </file> | </file> | ||
| + | We will need to enable this functionality by running the command: | ||
| + | <code> | ||
| + | [root@server ~]# authconfig --enablemkhomedir --update | ||
| + | </code> | ||
| Now when logging in for the first time, the home directories should be created. | Now when logging in for the first time, the home directories should be created. | ||
| === 2.4 [10p] Linux groups === | === 2.4 [10p] Linux groups === | ||
| Line 417: | Line 432: | ||
| We will follow the schema used to add hostnames from CLI through LDAP. This is presented in detail [[https://wiki.archlinux.org/index.php/LDAP_Hosts|here]]. | We will follow the schema used to add hostnames from CLI through LDAP. This is presented in detail [[https://wiki.archlinux.org/index.php/LDAP_Hosts|here]]. | ||
| - | Firstly, we will create a new Organizational Unit for the hosts from the GUI. Select the Base DN as the Organizational Unit. | + | Firstly, we will create a new Organizational Unit for the hosts from the GUI. Select the Base DN as the Organizational Unit. The name of our new OU will be ''Hosts''. |
| After creating our OU for our hosts, we will need more advanced functionality, so we will use the ''Directory Server'' from the ''Servers and Applications'' tabs. | After creating our OU for our hosts, we will need more advanced functionality, so we will use the ''Directory Server'' from the ''Servers and Applications'' tabs. | ||
| {{ :scgc:laboratoare:screenshot_from_2018-03-06_17-48-57.png?300 |}} | {{ :scgc:laboratoare:screenshot_from_2018-03-06_17-48-57.png?300 |}} | ||
| - | In the ''Directory Server'', in the ''Directory'' tab, we will select the ''Hosts'' from ''scgc''. Right clicking will bring up a menu from which we will select ''New...'' and ''Other''. From the list we will select iphost. We will add a new host for the server IP. | + | In the ''Directory Server'', in the ''Directory'' tab, we will select the ''Hosts'' from ''scgc''. Right clicking will bring up a menu from which we will select ''New...'' and ''Other''. From the list we will select ''iphost''. We will add a new host for the server IP. |
| {{ :scgc:laboratoare:screenshot_from_2018-03-06_17-54-01.png?300 |}} | {{ :scgc:laboratoare:screenshot_from_2018-03-06_17-54-01.png?300 |}} | ||
| Line 441: | Line 456: | ||
| ==== 3. [25p] More LDAP entries ==== | ==== 3. [25p] More LDAP entries ==== | ||
| - | Using the same methods from task 2, add entries for the following entities: | + | Using the same methods from task 2, add entries for the following entities (all entities will be Posix): |
| * group starwars | * group starwars | ||
| * user Han Solo | * user Han Solo | ||
