This shows you the differences between two versions of the page.
| | scgc:laboratoare:02 [2018/03/06 20:23] alexandru.carp | | scgc:laboratoare:02 [2021/10/27 14:08] (current) maria.mihailescu |
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== Laboratory 02. Directory Services: LDAP ====== | + | ====== Directory Services: LDAP ====== |
| ===== Lab Setup ===== | ===== Lab Setup ===== | ||
| - | * We will be using a virtual machine in the [[http://cloud.curs.pub.ro/|faculty's cloud]]. | + | * We will be using a virtual machine in the [[http://cloud.grid.pub.ro/|faculty's cloud]]. |
| - | * When creating a virtual machine follow the steps in this [[https://cloud.curs.pub.ro/about/tutorial-for-students/|tutorial]]. | + | |
| * Create a VM | * Create a VM | ||
| * When creating a virtual machine in the Launch Instance window: | * When creating a virtual machine in the Launch Instance window: | ||
| * Select **Boot from image** in **Instance Boot Source** section | * Select **Boot from image** in **Instance Boot Source** section | ||
| * Select **Centos 7** in **Image Name** section | * Select **Centos 7** in **Image Name** section | ||
| + | * Select the **m1.small** flavor. | ||
| * The username for connecting to the VM is ''student'' | * The username for connecting to the VM is ''student'' | ||
| ===== Tasks ====== | ===== Tasks ====== | ||
| ==== 1. [30p] 389-ds ==== | ==== 1. [30p] 389-ds ==== | ||
| - | In order to setup and manage LDAP on our server, we will be using 389-ds. This tools offers a more user-friendly way of managing LDAP, rather than using cumbersome CLI commands. | + | We will be working entirely on the VM. In order to setup and manage LDAP on our server, we will be using 389-ds. This tools offers a more user-friendly way of managing LDAP, rather than using cumbersome CLI commands. |
| === 1.1 [5p] Initial preparation === | === 1.1 [5p] Initial preparation === | ||
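Review bot: removing the bullet `* When creating a virtual machine follow the steps in this [[https://cloud.curs.pub.ro/about/tutorial-for-students/|tutorial]]` without a replacement leaves the new text with no pointer to how an account and a VM are created on cloud.grid.pub.ro; either link the equivalent tutorial for the new cloud or state explicitly that the three bullets that follow (Boot from image, Centos 7, m1.small) are the whole procedure. The new **m1.small** bullet is a good addition, since 389-ds needs more memory than the smallest flavor. In the unchanged intro, "This tools offers" should read "This tool offers".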
| Line 25: | Line 25: | ||
| fs.file-max = 64000 | fs.file-max = 64000 | ||
| </file> | </file> | ||
| - | These are needed to allow more connections to the LDAP server. | + | These are needed to allow more connections to the LDAP server. To reload these settings run the following command: |
| + | <code> | ||
| + | sysctl -p | ||
| + | </code> | ||
| Also add the following lines in the ''/etc/security/limits.conf'' file: | Also add the following lines in the ''/etc/security/limits.conf'' file: | ||
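Review bot: `sysctl -p` without a file argument reloads only /etc/sysctl.conf, so the text should say which file the `fs.file-max = 64000` line was added to; if it went into a drop-in under /etc/sysctl.d/, the matching command on CentOS 7 is `sysctl --system`. It is also worth adding that the /etc/security/limits.conf lines that follow are read by pam_limits when a session is opened, so they take effect only for new logins: the student should log out and back in (or check with `ulimit -n` in a fresh session) before starting the directory server setup.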
| Line 359: | Line 362: | ||
| The ''-x'' parameter uses simple authentication. In this case the connection is anonymous. The ''-b'' parameter specifies the node in the LDAP tree/directory to traverse. | The ''-x'' parameter uses simple authentication. In this case the connection is anonymous. The ''-b'' parameter specifies the node in the LDAP tree/directory to traverse. | ||
| - | The GUI alternative will need to connect with X fowarding through SSH and also install xauth (''yum install xauth''). To forward X through ssh just add the -X parameter to the ssh command. | + | <note important> |
| + | The GUI alternative will need to connect with X fowarding through SSH and also install xauth (**yum install xauth**). To forward X through ssh just add the -X parameter to the ssh command. | ||
| + | </note> | ||
| + | |||
| + | <note> | ||
| + | Use -X for ssh to fep and also from fep to your VM. | ||
| + | </note> | ||
| To start the 389-ds GUI run the following command (from ''student'' user): | To start the 389-ds GUI run the following command (from ''student'' user): | ||
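Review bot: the new note should mention that `ssh -X` hands the remote host access to the user's local X display, and with the second note's two hops (fep, then the VM) both fep and the VM get that access; acceptable for a lab, but one sentence saying so is due on a security course. Two practical points are missing as well: `xauth` must be installed on the VM before the `-X` login, otherwise sshd cannot create the display cookie and forwarding silently does not work (reconnect after `yum install xauth`), and when an application refuses to start under untrusted forwarding, `ssh -Y` (trusted forwarding) is the usual fallback. Typo in the note text: "fowarding" should be "forwarding".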
| Line 373: | Line 382: | ||
| === 1.4 [5p] Simple LDAP entry === | === 1.4 [5p] Simple LDAP entry === | ||
| - | Using the GUI from the previous subtask, add a User to LDAP to the People Organizational Unit. Use your name for the User data. Hint: ''User and Groups'', ''Create'' | + | Using the GUI from the previous subtask, add a User to LDAP to the ''People'' Organizational Unit. Use your name for the User data. Hint: ''User and Groups'', ''Create'' |
| Use ''ldapsearch'' to verify that the User is added. | Use ''ldapsearch'' to verify that the User is added. | ||
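Review bot: "add a User to LDAP to the ''People'' Organizational Unit" reads awkwardly; "add a User to the ''People'' Organizational Unit" is enough. The verification step should give the filter to use, for example `ldapsearch -x -b "ou=People,<base DN>" "(cn=<your name>)"` with the lab's base DN filled in, so the student can check that the entry landed under the right OU rather than just anywhere in the tree. The hint ''User and Groups'' should match the console tab name, ''Users and Groups''.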
| Line 380: | Line 389: | ||
| === 2.1 [5p] Initial setup === | === 2.1 [5p] Initial setup === | ||
| - | We want to use LDAP for different Linux tasks, such as user administration or hostnames. In order, to achieve this we will need the ''nss-pam-ldapd'' package. The nss-pam-ldapd package allows LDAP directory servers to be used as a primary source of name service information. The file contains options, one on each line, defining the way NSS lookups and PAM actions are mapped to LDAP lookups. | + | We want to use LDAP for different Linux tasks, such as user administration or hostnames. In order, to achieve this we will need the ''nss-pam-ldapd'' package(**yum install nss-pam-ldapd**). The nss-pam-ldapd package allows LDAP directory servers to be used as a primary source of name service information. The file contains options, one on each line, defining the way NSS lookups and PAM actions are mapped to LDAP lookups. |
| We have to specify the LDAP server and base DN for the authentication system to know where to get the data. We can use the following command for this: | We have to specify the LDAP server and base DN for the authentication system to know where to get the data. We can use the following command for this: | ||
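Review bot: "The file contains options, one on each line" refers to a file that is never named; the configuration file of nss-pam-ldapd is /etc/nslcd.conf, and the sentence should say so before the command that populates it. Since "hostnames" is listed as a use case, add that nslcd serves the NSS `hosts` map only when `ldap` is listed for `hosts:` in /etc/nsswitch.conf, which the tool for the server/base DN step does not enable by default. Grammar: "In order, to achieve this" should lose the comma.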
| Line 406: | Line 415: | ||
| <file> | <file> | ||
| session required pam_mkhomdir.so skel=/etc/skel umask=0027 | session required pam_mkhomdir.so skel=/etc/skel umask=0027 | ||
| - | session required /lib/security/pam_limits.so | ||
| </file> | </file> | ||
| + | We will need to enable this functionality by running the command: | ||
| + | <code> | ||
| + | [root@server ~]# authconfig --enablemkhomedir --update | ||
| + | </code> | ||
| Now when logging in for the first time, the home directories should be created. | Now when logging in for the first time, the home directories should be created. | ||
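Review bot: the module name in the unchanged line `session required pam_mkhomdir.so skel=/etc/skel umask=0027` is misspelled; it is pam_mkhomedir.so, and a `required` session line naming a module that cannot be loaded makes session setup fail instead of creating home directories. Because the new `authconfig --enablemkhomedir --update` regenerates /etc/pam.d/system-auth and password-auth, a hand-edited line there is overwritten anyway, so keep only the authconfig command or say which file the snippet is meant for. Dropping `session required /lib/security/pam_limits.so` is fine on CentOS 7, where authconfig already includes pam_limits.so in system-auth, but the text should say so, since task 1.1's limits.conf settings depend on that module being in the stack; the removed line also used a 32-bit path (/lib/security), while bare module names are resolved by PAM itself.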
| === 2.4 [10p] Linux groups === | === 2.4 [10p] Linux groups === | ||
| Line 420: | Line 432: | ||
| We will follow the schema used to add hostnames from CLI through LDAP. This is presented in detail [[https://wiki.archlinux.org/index.php/LDAP_Hosts|here]]. | We will follow the schema used to add hostnames from CLI through LDAP. This is presented in detail [[https://wiki.archlinux.org/index.php/LDAP_Hosts|here]]. | ||
| - | Firstly, we will create a new Organizational Unit for the hosts from the GUI. Select the Base DN as the Organizational Unit. | + | Firstly, we will create a new Organizational Unit for the hosts from the GUI. Select the Base DN as the Organizational Unit. The name of our new OU will be ''Hosts''. |
| After creating our OU for our hosts, we will need more advanced functionality, so we will use the ''Directory Server'' from the ''Servers and Applications'' tabs. | After creating our OU for our hosts, we will need more advanced functionality, so we will use the ''Directory Server'' from the ''Servers and Applications'' tabs. | ||
| {{ :scgc:laboratoare:screenshot_from_2018-03-06_17-48-57.png?300 |}} | {{ :scgc:laboratoare:screenshot_from_2018-03-06_17-48-57.png?300 |}} | ||
| - | In the ''Directory Server'', in the ''Directory'' tab, we will select the ''Hosts'' from ''scgc''. Right clicking will bring up a menu from which we will select ''New...'' and ''Other''. From the list we will select iphost. We will add a new host for the server IP. | + | In the ''Directory Server'', in the ''Directory'' tab, we will select the ''Hosts'' from ''scgc''. Right clicking will bring up a menu from which we will select ''New...'' and ''Other''. From the list we will select ''iphost''. We will add a new host for the server IP. |
| {{ :scgc:laboratoare:screenshot_from_2018-03-06_17-54-01.png?300 |}} | {{ :scgc:laboratoare:screenshot_from_2018-03-06_17-54-01.png?300 |}} | ||
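Review bot: "Select the Base DN as the Organizational Unit" is ambiguous; it should read "select the base DN as the parent under which the new OU is created", and the base DN itself should be stated once so the resulting entry, ou=Hosts,<base DN>, is unambiguous (the later text only implies it via ''Hosts'' under ''scgc''). The iphost step should also list what the entry needs: in the standard schema ipHost is an auxiliary class requiring `cn` and `ipHostNumber`, so the entry also needs a structural class such as `device`, which is what the linked Arch wiki page uses; without it the console rejects the entry with an object class violation.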
| Line 444: | Line 456: | ||
| ==== 3. [25p] More LDAP entries ==== | ==== 3. [25p] More LDAP entries ==== | ||
| - | Using the same methods from task 2, add entries for the following entities: | + | Using the same methods from task 2, add entries for the following entities (all entities will be Posix): |
| * group starwars | * group starwars | ||
| * user Han Solo | * user Han Solo | ||
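Review bot: "(all entities will be Posix)" should name the object classes meant, posixGroup for the group and posixAccount for the users, together with the attributes each requires (cn and gidNumber for the group; uid, uidNumber, gidNumber and homeDirectory for the accounts), since the earlier GUI task only created a plain User entry; without these attributes nslcd returns nothing to `getent passwd`/`getent group` and the Linux groups task cannot be verified. Write it as POSIX.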