This article details how to set up a free-standing LDAP server for authentication, and an OpenFiler SAN that authenticates against that LDAP server.
LDAP Server
- CentOS 5.1
- 2G hdd
- 256M RAM
OpenFiler Server
- OpenFiler 2.2
- 2G system
- 2G data raid 5 member
- 2G data raid 5 member
- 2G data raid 5 member
- 256M RAM
LDAP Server
256M is required for a graphical install.
Some options have not been developed for the text install, so this is the way to go.
Boot from the CD and press <ENTER> for a graphical install
If you burned media and have not used it before, test the CDs or DVD before you begin installing.
- CentOS 5 screen, Next
- Language, English, Next
- Keyboard, English, Next
- Partitioning, (defaults) Remove linux partitions on selected drives and create default layout, Next
- Networking…
Most servers have static IPs. Your network is probably using 192.168.x.x. I would recommend that you pick a range of addresses to assign statically. I keep my records in a spreadsheet, something like:
192.168.1.x subnet 255.255.255.0
Gateway 192.168.1.1
P.DNS 192.168.1.1
.1 router
.2 LDAP
.3 openFiler
Generally if you are using a SOHO Router (you know, the kind Best Buy, Fry’s, etc sells) your Gateway and DNS will be your router.
- …Networking
Click Edit
check Enable IPv4 support
Manual configuration
(you should use your IP scheme, but I will stay consistent with my notes above)
IP Address 192.168.1.2
Prefix (Netmask) 255.255.255.0
un-check Enable IPv6 support
Click OK
hostname ldap.example.com
You will use the domain during LDAP configuration as well, and we will use example.com.
gateway 192.168.1.1
Primary DNS 192.168.1.1
Secondary DNS (leave it blank)
- Timezone
America/Chicago (because that is my timezone, duh)
un-check System clock uses UTC
- root account password
Choose something complex but easy to remember. I am fond of using a phrase or long word with letters, numbers and symbols mixed in. For example, I would think linux is good and my password would be 1!Nuxisgood. The first “letter” is a one, and the exclamation reminds me of an i upside down.
Click Next
- Package Selection
I uncheck Desktop – Gnome. There are a couple of reasons: Gnome takes about 800MHz to maintain, where a simple text Linux install could run Samba or LDAP with 200MHz. There is also memory overhead. You could very easily get a $30 PC from oklahomabargains.com (sign up for the email newsletter and he will eventually have a good buy on low end desktops).
Customize later
Click Next
Click Next to begin the installation
A kickstart will be created in /root/anaconda-ks.cfg
And now a Reboot
—
Now to install the packages I am sure I will need (maybe more later)…
yum install openldap-servers openldap-clients apache php php-ldap samba
cp /usr/share/doc/samba-3.0.25b/LDAP/samba.schema /etc/openldap/schema/
cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
You will need an LDAP Manager password. Think of a password, write it down and then run:
(It does not really display the password you type)
# slappasswd -h {crypt}
New password: 1!Nuxisgood
Re-enter new password: 1!Nuxisgood
{CRYPT}MW4NYF1pNdc/A
nano /etc/openldap/slapd.conf
In the schema part at the top, add:
include /etc/openldap/schema/samba.schema
We will enable TLS so you can query LDAP securely. The package install automatically generates a self-signed Certificate Authority (CA) and a certificate for the LDAP daemon; because it is self-signed, any client that verifies the server certificate must be told to trust it explicitly.
Find these lines, and remove the “# ” at the beginning of each line. (The # makes the line a comment, so the rest of the line is ignored):
# TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
# TLSCertificateFile /etc/pki/tls/certs/slapd.pem
# TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
Find these lines:
database bdb
suffix "dc=my-domain,dc=com"
rootdn "cn=Manager,dc=my-domain,dc=com"
Change them, and add the additional rootpw line:
database bdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw {CRYPT}MW4NYF1pNdc/A
At the bottom of the file add these access lines (the "by" lines must be indented, since slapd treats an indented line as a continuation of the directive above it):
access to attrs=userPassword,shadowLastChange
    by dn="cn=Manager,dc=example,dc=com" write
    by anonymous auth
    by self write
    by * none
access to dn.base="" by * read
access to *
    by dn="cn=Manager,dc=example,dc=com" write
    by * read
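As an added example (not code from the original post), here is a small Python model of how slapd evaluates these access directives: the first matching "access to" selects the directive, the first matching "by" fixes the privilege level, and a level below what the operation needs means the request is denied. The DNs are the post's; uid=charles is an assumed user entry.

```python
# Added example (not from the original post): a model of how slapd walks the three
# access directives above. "charles" is a made-up user DN used for the checks.
MANAGER = "cn=Manager,dc=example,dc=com"   # also the rootdn, which slapd exempts from ACLs
PASSWORD_ATTRS = {"userPassword", "shadowLastChange"}

# slapd privilege ladder: a granted level also satisfies every level to its left.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# The directives in file order: (what they apply to, [(who, level), ...]).
# slapd uses only the FIRST "access to" that matches the target, and within it only
# the FIRST "by" that matches the requester; a level that is too low means denied.
ACL = [
    ("password_attrs", [("manager", "write"), ("anonymous", "auth"),
                        ("self", "write"), ("*", "none")]),
    ("rootdse",        [("*", "read")]),                      # access to dn.base=""
    ("*",              [("manager", "write"), ("*", "read")]),
]

def _target_matches(selector, target_dn, attr):
    if selector == "password_attrs":
        return attr in PASSWORD_ATTRS
    if selector == "rootdse":
        return target_dn == ""
    return True

def _who_matches(who, bind_dn, target_dn):
    if who == "manager":
        return bind_dn == MANAGER
    if who == "anonymous":
        return bind_dn is None
    if who == "self":
        return bind_dn is not None and bind_dn == target_dn
    return True   # "*": anyone, bound or not

def allowed(bind_dn, target_dn, attr, needed):
    """True if bind_dn (None = anonymous) gets at least `needed` on attr of target_dn."""
    for selector, by_clauses in ACL:
        if not _target_matches(selector, target_dn, attr):
            continue
        for who, level in by_clauses:
            if _who_matches(who, bind_dn, target_dn):
                return LEVELS.index(level) >= LEVELS.index(needed)
        return False   # directive matched but no "by" did: denied
    return False       # nothing matched: slapd's default is deny

if __name__ == "__main__":
    charles = "uid=charles,ou=People,dc=example,dc=com"
    print(allowed(None, charles, "userPassword", "auth"))      # anonymous may bind as charles
    print(allowed(None, charles, "userPassword", "read"))      # but may not read the hash
```

The "by anonymous auth" line is what lets OpenFiler's bind check a password without anyone being able to read the stored hashes.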
nano /var/run/openldap/slapd.args
/usr/sbin/slapd -h 'ldap:// ldaps:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock' -u ldap
(Note that slapd rewrites this file from its own command line each time it starts, so on CentOS 5 the lasting way to get the ldaps:// listener is SLAPD_LDAPS=yes in /etc/sysconfig/ldap.)
[root@ldap openldap]# /etc/init.d/ldap restart
Stopping slapd: [ OK ]
config file testing succeeded
[ OK ]
Starting slapd: [ OK ]
[root@ldap openldap]# chkconfig ldap on
[root@ldap openldap]# ldapsearch -D "cn=Manager,dc=example,dc=com" -x -W
Now that LDAP is working, we will migrate a little structure from the newly installed system so we have a base to build on.
—
There is a lot of good LDAP material out there. When I initially wrote this, I included detail on how to export information from the new install to use in LDAP. We really only need a base directory and we will use OpenFiler to populate LDAP. There are two articles at the bottom of this post that would be useful if you are migrating an existing environment.
dn means Distinguished Name; it identifies an entry the way your full name identifies you within a group.
dc means Domain Component, and it is one part of that name.
objectClass defines what purpose an entry serves; as a person (not an LDAP entry) I might be father, husband, technician, bugSquisher.
Create a file named base.ldif and paste these lines. Change example, com and example.com to match your setup.
dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain
objectClass: domainRelatedObject
associatedDomain: example.com

dn: ou=People,dc=example,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: example.com

dn: ou=Group,dc=example,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: example.com
ldapadd -D "cn=Manager,dc=example,dc=com" -x -W -f /tmp/base.ldif
nano /etc/openldap/ldap.conf
BASE dc=example,dc=com
URI ldap://localhost
ldapsearch -D "cn=Manager,dc=example,dc=com" -x -W
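As an added example (not code from the original post), this Python script generates the same three base.ldif entries for any domain, so the dn, dc and associatedDomain values cannot drift apart when you change example.com to your own; it also parses the dn: lines back out as a quick check before ldapadd.

```python
# Added example (not from the original post): build base.ldif for an arbitrary domain.
# Generalises the post's dc=example,dc=com file: one dc= component per DNS label.

def domain_to_dn(domain: str) -> str:
    """'example.com' -> 'dc=example,dc=com'; 'corp.example.co.uk' -> four dc= parts."""
    labels = [p for p in domain.strip().lower().split(".") if p]
    if not labels:
        raise ValueError("domain must contain at least one label")
    return ",".join(f"dc={label}" for label in labels)

def base_ldif(domain: str, ous=("People", "Group")) -> str:
    """LDIF text for the suffix entry plus one organizationalUnit per name in `ous`."""
    domain = domain.strip().lower()
    base_dn = domain_to_dn(domain)
    first_label = base_dn.split(",")[0][len("dc="):]   # the dc: attribute of the root entry
    entries = [[
        f"dn: {base_dn}",
        f"dc: {first_label}",
        "objectClass: top",
        "objectClass: domain",
        "objectClass: domainRelatedObject",
        f"associatedDomain: {domain}",
    ]]
    for ou in ous:
        entries.append([
            f"dn: ou={ou},{base_dn}",
            f"ou: {ou}",
            "objectClass: top",
            "objectClass: organizationalUnit",
            "objectClass: domainRelatedObject",
            f"associatedDomain: {domain}",
        ])
    # LDIF separates entries with a blank line; ldapadd processes them in file order,
    # so the suffix entry must come before the ou= entries that sit under it.
    return "\n\n".join("\n".join(e) for e in entries) + "\n"

def entry_dns(ldif_text: str) -> list:
    """Pull the dn: values back out of LDIF text, a cheap sanity check before ldapadd."""
    return [line[len("dn: "):] for line in ldif_text.splitlines() if line.startswith("dn: ")]

if __name__ == "__main__":
    import sys
    sys.stdout.write(base_ldif(sys.argv[1] if len(sys.argv) > 1 else "example.com"))
```

Run it as `python3 make_base.py example.com > /tmp/base.ldif` (script name assumed) and feed the result to the ldapadd command above.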
Firewall
Run: system-config-securitylevel,
tab to Customize and select it,
tab to WWW (HTTP) and use SPACE to select it,
tab to Other ports and add “389:tcp,636:tcp” (LDAP and LDAP with SSL),
Select OK until you are back at a prompt.
/etc/init.d/iptables restart
phpldapadmin
You can do user administration with OpenFiler, so if that is your only ldap application you don’t need phpldapadmin. I include it because it is not much trouble and gives you the ability to investigate the ldap layout.
nano /etc/php.ini
find: memory_limit = 16M
change it to: memory_limit = 32M
[root@ldap openldap]# /etc/init.d/httpd start
[root@ldap openldap]# chkconfig httpd on
http://phpldapadmin.sourceforge.net/
I’m going to install 1.1.0.5, and I used wget to pull the file directly in to /var/www/html, but you can use another method if you prefer.
[root@ldap html]# tar xzvf phpldapadmin-1.1.0.5.tar.gz
[root@ldap html]# ln -s phpldapadmin-1.1.0.5 phpldapadmin
The link makes it easier to upgrade later.
cd phpldapadmin/config
cp config.php.example config.php
nano config.php
Find the section:
/*********************************************/
/* Define your LDAP servers in this section */
/*********************************************/
Uncomment the line:
$config->custom->session['blowfish'] = 'randomstring125678!@#$%^';
$ldapservers->SetValue($i,'server','host','127.0.0.1');
# This should work, but didn't:
# $ldapservers->SetValue($i,'server','host','ldaps://127.0.0.1');
$ldapservers->SetValue($i,'login','dn','cn=Manager,dc=example,dc=com');
Bring up the web interface somewhere and login.
Login DN: cn=Manager,dc=example,dc=com
Password:
You can expand Groups and click “Create new entry here”, and on the next screen select Posix Group. Give it a name and name users.
You can expand People and click “Create new entry here”, and on the next screen select User Account. Fill in the fields and select a default group.
—
openfiler
I would recommend that you have a small “system” drive and then a group of “data” drives.
Installing openFiler 2.2, boot from the CD
openfiler screen, Next
U.S. English, Next
Automatically partition, Next, Yes I am sure
Select (check mark) only the system drive
Select Remove all Linux partitions on this system, Next
Take a look at the partition layout, smile, nod and click, Next
Network, Click Edit
Uncheck Configure using DHCP
Assign the IP Address and Subnet Mask from your IP Log (remember, the one you wrote earlier), Click OK
Assign a hostname: san.example.com
Assign Gateway and Primary DNS, Click Next
Timezone: Hopefully you know where you live. System clock uses UTC is already unchecked. Click Next
Root password, I would make it the same. You could be paranoid and make it different, but if you choose that I would recommend that you get a good password wallet. And Click Next.
Click Next to begin installing.
Reboot when it completes.
Open a browser and go to https://192.168.1.3:446
Scroll down the license, read it, and if you agree continue. If you do not, quit reading.
The default login is username: openfiler, password: password
Accounts tab
Click the Accounts tab, and Admin Password sub-tab. Change the password, and write it down.
Back to the Authentication sub-tab
Check mark “Use LDAP”
Check mark “Use TLS” (This is encryption so you are not sending your password over the network in plain text)
Server: 192.168.1.2
Base DN: dc=example,dc=com
Root bind DN: cn=Manager,dc=example,dc=com
Root bind password: 1!Nuxisgood
click Submit
- Account Administration sub-tab
Group Administration, Add new group,
Group Name: Users
Uncheck “Override automatic GID” (unchecked is default)
Click “Add Group”
Success
User Administration, Add new user,
Username: charles
password: asdfgh
type the password again
Primary Group: 500: Users
Uncheck “Override automatic GID” (unchecked is default)
Success
— Side Note
I fought with this error for a while. It was because I did not have the samba.schema on the LDAP server. I am leaving it so if someone else is having this error they will know what I had to fix.
An error has occured:
Error changing password.
Failed to add entry for user Charles.
Failed to modify password entry for user Charles
The List of users and List of Groups is empty. I am going to continue since it shows users and I will come back to it if they don’t populate after I create volumes and shares. (FIXED)
— END Side Note
Go check the sub-tab List of users, List of groups and Account Administration to see if you can view your users.
General Tab
There are two sets of security, user based and IP based. Next we navigate to the General tab.
I’m going to create two networks.
Name        Network/Host   Netmask          Type
localhost   127.0.0.1      255.255.255.255  Share
nat         192.168.1.0    255.255.255.0    Share
Navigate to the Clock sub-tab and set the time and date.
Navigate to the Notification sub-tab. I strongly recommend that you set an email so you will be notified if a drive fails.
Services tab
Enable/Disable sub-tab
If you want sharing with Windows machines, enable SMB/CIFS. If you are looking for other services you should already be familiar with them (NFS or iSCSI).
SMB Settings
All of the default settings should be sufficient.
Volumes tab
The tabs will seem “backwards” since you will use them right to left. This walk through is tailored to systems using software raid. The software raid is preferable to fakeraid (if it is on a motherboard or you paid less than $150 it is probably fakeraid) and hardware raid is expensive.
- Physical Storage Mgmt. sub-tab
The first drive should be your system drive. Each of the others is a data drive.
Click /dev/sdb,
Scroll down to the “Create a partition” section,
Change the Partition Type to “RAID array member”,
The other options are fine with defaults,
Click Create.
You are taken to an “Edit partitions” page, click the link “Back to the list of physical storage devices”.
I repeated that process on /dev/sdc and /dev/sdd, and you should continue on the remaining members of this RAID array. Then continue…
- Software RAID Mgmt. sub-tab
Select RAID array type: RAID-5 (parity),
Checkmark all of the RAID members,
If you have a “Spare” you can also select it here, if you do not or you are not sure what it means don’t worry about it now and read about it later,
Click “Add array”,
Move on…
- Volume Group Mgmt. sub-tab
“Create a new volume group”,
Fill in the “Volume group name” – realize that this will appear as part of the path. I will call mine VolGroup01.
Select the /dev/md0 – this is the RAID you just created,
Click “Add volume group”,
Move on…
- Create New Volume sub-tab
Now we are down to the meat. This is where you start carving out chunks to share. You will probably use this tab fairly frequently until you have your shares completed.
“Create a volume in volgroup01”,
Volume Name – Avoid spaces, use letters, numbers, dashes or underscores – I used “store”,
Describe the store – you may use any character you would like – I used “A new store for example”,
Required Space (MB): 100 – 100MB for this example,
Filesystem type – I would recommend Ext3 with a few exceptions:
If you want an iSCSI share choose iSCSI,
If the filesystem exceeds 8TB on 32 bit or 16TB on 64 bit you will need a different filesystem,
Click Create – This can take quite a long time for large filesystems, go get a coke.
- List of Existing Volumes sub-tab
So, you are sitting here now. If you have an Ext3 partition and need more space you can make it bigger with the Properties: Edit.
Shares tab
List of Current Shares
You should see a tree with:
volgroup01
A new store for example
Click the Volume (“A new store for example”),
Name the folder (I will name it “folder”) and click Create a Sub-folder,
Click the folder,
There are several options to create a sub-folder, rename the folder, create a description, delete the folder, but most importantly,
Click Make Share.
First, the settings I used and then an explanation.
Controlled access
Users: PG and RW
Click Update
Host access configuration
Under SMB/CIFS
localhost RW
nat RW
Restart services is checked automatically
Click Update
— Explanation
You will remember earlier I said there is user and IP security…
Group access configuration
You have 2 options, Public guest and Controlled access. Public guest permits access without authentication; Controlled access requires it.
Each share must have a “Parent Group” or PG. Think of this as the owner group.
You can also assign each group permission with NO Access, Read Only (RO) or Read and Write (RW).
—
Host access configuration
SMB/CIFS
Enable oplocks – leave this at default
Restart services – this will automatically become marked if you change something that requires a service restart
Each of the services provides the option to advertise the share on the respective protocol. Making a share available here does NOT enable the service, but it is possible to have one share available to Windows clients and another as an NFS share, or even both options on the same share.
Each network you created earlier can have NO Access, Read Only or Read Write.
NFS provides options for Root Access and Run Insecure; Explaining these is beyond the scope of this article and you really should do some more reading before you enable either one.
— END Explanation
You have enough configuration now that you should be able to browse it on your Windows workstation. Just type \\192.168.1.3 and you should be able to see the share. At some point it will ask you for your username and password.
—
I referenced this article for some information. There are parts of the configuration that cause informational errors and I have omitted those sections. http://howtoforge.com/linux_ldap_authentication.
Another good article is http://www.grennan.com/ldap-HOWTO.html