Clone this wiki locally
OpenLDAP + MIT Kerberos + Samba setup for Puavo on Ubuntu 10.04 requires the slapd-smbkrb5pwd package that is available from Opinsys’s PPA in Launchpad. First add the PPA in apt’s sources:
deb http://ppa.launchpad.net/opinsys/ppa/ubuntu lucid main deb-src http://ppa.launchpad.net/opinsys/ppa/ubuntu lucid main
Add the key:
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 95EE71C8 sudo apt-get update
Install the packages:
sudo apt-get install ldap-utils ruby libldap-ruby1.8 krb5-kdc-ldap krb5-kdc krb5-admin-server \ krb5-config krb5-user gnutls-bin slapd rubygems sasl2-bin libsasl2-modules-gssapi-mit \ libsasl2-modules-ldap libsasl2-2 libsasl2-modules slapd-smbkrb5pwd
Configuration is done by creating a single configuration file
config/puavo.yml and executing a script that uses the configuration file to configure slapd, krb5-kdc and kadmind.
In this example two separate user databases are created:
The databases are separate from each other and are stored in separate databases in the filesystem. In addition to the configured databases, a special database o=Puavo is created to store id information and internal users in Puavo. The following directories are created by the script:
settings: ldap_server: host: ldap1.example.org bind_dn: uid=admin,o=puavo password: XXXXXXXXXXXXXXXXXXXXXXXXXX method: tls puavo: bind_dn: uid=puavo,o=puavo password: XXXXXXXXXXXXXXXXXXXXXXXXXX puppet: bind_dn: uid=puppet,o=puavo password: XXXXXXXXXXXXXXXXXXXXXXXXXX kdc: bind_dn: uid=kdc,o=puavo password: XXXXXXXXXXXXXXXXXXXXXXXXXX kadmin: bind_dn: uid=kadmin,o=puavo password: XXXXXXXXXXXXXXXXXXXXXXXXXX syncrepl: urls: - ldap://ldap1.example.org - ldap://ldap2.example.org - ldap://ldap3.example.org puppetmaster: enable: true file_dir: /etc/puppet/files
The following names must be available in name service or /etc/hosts when the script is run:
- ca.example.org (as defined in puavo.yml)
- ldap.example.org (as defined in puavo.yml)
NOTE: hostname -f must return the hostname as fqdn (easiest way to achieve this is by setting the fqdn as the first name in /etc/hosts for server’s ip)
xx.xx.xx.xx ldap.example.org puavo.example.org puavo ca.example.org
Run the configuration script
The configuration script is run simply by:
sudo ruby init_ldap.rb
The script can be run multiple times as it doesn’t touch configurations that have already been done. If there are errors, they are outputted along with other information of what is being done. Make sure to read the output to understand what has been done.
Create organisation owners
Before Puavo-users can use a database, one must create a school, role, group and user that owns the organisation. This user has access to all school, group, role and user data in the database. Owners can also add new schools to the organisation.
To create organisation owner, you will need rootdn ja rootpw for ldap server. If using the example above, rootdn is uid=admin,o=puavo and rootpw something that you chose yourself. Organisation owners need to be created separately for every organisation.
cd puavo-users ./script/create_organisation_owner example1 Using district1 organisation configuration Create a new owner of the organisation Organisation: District1 Bind DN: uid=admin,o=puavo Password: ******** Create new school School name: Administration Create new role Role name: Administrator Create new group Group name: Administrators Create new user: Given name: Super Surname: User Username: super Password: ******** Password confirmation: ******** Sets the user (super) as the owner of the organisation
As you can see the script also created school, role and group.
Now you can log in with the new user and start using Puavo-users.
Along with the setup script there is a basic troubleshooting script to check the status of the current configuration and to do simple automatic checks. One of the most common problems is misconfiguration of DNS names somewhere in the system. When names do not match, many components fail silently.
sudo ruby check_slapd.rb
When run, the script should return something like this:
@puavo:~/$ sudo ruby check_slapd.rb Password: Checking slapd settings: * Installed schemas: cosine, nis, inetorgperson, misc, ppolicy, samba, autofs, kerberos, eduorg, eduperson, edumember, puppet, dnsdomain2, printer, puavo * Missing schemas: Checking modules: * Installed modules: back_hdb, dynlist, unique, ppolicy, syncprov, memberof, valsort, auditlog, refint * Missing modules: Configured databases: * o=puavo * dc=edu,dc=example1,dc=org * dc=edu,dc=example2,dc=org Checking certificates: SSL/TLS certificate configuration OK: * TLSCACertificateFile /etc/ssl/certs/slapd-ca-cert.pem * TLSCertificateFile /etc/ssl/certs/slapd-server.crt * TLSCertificateKeyFile /etc/ssl/certs/slapd-server.key * CA cert hostname: ca.example.org (192.168.4.50) * Cert hostname: ldap.example.org (192.168.4.50) * Server hostname: puavo.example.org (192.168.4.50)
Another useful debugging method is to run wireshark, e.g. from the command line:
sudo tshark -i lo -R ldap