Difference between revisions of "ApacheDS"
(→Kerberos)
(→ldap & kerberos client)
(30 intermediate revisions by 2 users not shown)
Line 13: | Line 13: | ||
reference Materials's to read: <br> | reference Materials's to read: <br> | ||
[[http://www.zytrax.com/books/ldap/ch1/index.html#objectives|LDAP for Rocket Siectist]]<br> | [[http://www.zytrax.com/books/ldap/ch1/index.html#objectives|LDAP for Rocket Siectist]]<br> | ||
− | + | [[https://wiki.debian.org/nfs4-kerberos-ldap|Debian LDAP & Kerberos]] | |
== Installation 64bit system - current version == | == Installation 64bit system - current version == | ||
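Review bot: while this reference list is being touched, the two unchanged lines above the new link carry typos that should go in the same edit: "reference Materials's to read" should be "reference materials to read", and the link text "LDAP for Rocket Siectist" should be "LDAP for Rocket Scientists" (the title of the zytrax book at that URL). The added Debian LDAP & Kerberos link itself is fine.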
Line 77: | Line 77: | ||
− | === Ldap for | + | === replication === |
+ | |||
+ | http://joacim.breiler.com/apacheds/ch08s02.html<br> | ||
+ | |||
+ | === bind config for kerberos === | ||
+ | http://wiki.unixh4cks.com/index.php/Using_DNS_SRV_records_to_find_Kerberos_realm_servers<br> | ||
+ | http://www.rjsystems.nl/en/2100-dns-discovery-kerberos.php<br> | ||
+ | |||
+ | === sssd === | ||
+ | |||
+ | It look's that nscd dose not work whit NFS4 + kerberos so next I'am testind sssd, based on: | ||
+ | http://askubuntu.com/questions/526004/ubuntu-14-with-kerberos-authentication-nslcd-still-needed<br> | ||
+ | Any better ideas let me know! | ||
+ | It seems that nslcd is for ubuntu and sssd for feodoras,.. ?? | ||
+ | back to https://help.ubuntu.com/community/SingleSignOn | ||
+ | |||
+ | === Ldap for DHCP === | ||
+ | |||
+ | copyed from: http://wiki.herzbube.ch/index.php/ISCDHCP <br> | ||
+ | |||
+ | == Debian packages == | ||
+ | |||
+ | The following Debian packages need to be installed | ||
+ | isc-dhcp-server | ||
+ | |||
+ | |||
+ | == References == | ||
+ | |||
+ | The following man pages are sufficient to configure DHCP | ||
+ | dhcpd.conf | ||
+ | dhcp-options | ||
+ | |||
+ | |||
+ | == Configuration == | ||
+ | |||
+ | The interfaces to listen on are configured in | ||
+ | /etc/defaults/isc-dhcp-server | ||
+ | |||
+ | The configuration is stored in | ||
+ | /etc/dhcp/dhcpd.conf | ||
+ | |||
+ | Global options look like this: | ||
+ | <pre> | ||
+ | # Whether DNS is updated dynamically, and if so, what method/style should be used | ||
+ | ddns-update-style none; | ||
+ | # List an external time server if you don't have your own server | ||
+ | #option time-servers time.euro.apple.com; | ||
+ | # 1 day (24 * 3600 seconds) | ||
+ | default-lease-time 86400; | ||
+ | # 7 days | ||
+ | max-lease-time 604800; | ||
+ | # Use this to send dhcp log messages to a different log file (you also | ||
+ | # have to hack syslog.conf to complete the redirection). | ||
+ | log-facility local7; | ||
+ | </pre> | ||
+ | |||
+ | What remains is the part where we actually give out IP addresses: | ||
+ | <pre> | ||
+ | # Share options in the 192.168.1.0 subnet | ||
+ | group { | ||
+ | option domain-name "lan.herzbube.ch"; | ||
+ | option domain-name-servers 192.168.1.11 212.101.0.10, 212.101.4.253; | ||
+ | option subnet-mask 255.255.255.0; | ||
+ | option broadcast-address 192.168.1.255; | ||
+ | option routers 192.168.1.11; | ||
+ | option smtp-server 192.168.1.11; | ||
+ | option time-servers 192.168.1.11; | ||
+ | |||
+ | # Provide 48 dynamic addresses between 64 and 111 | ||
+ | subnet 192.168.1.0 netmask 255.255.255.0 { | ||
+ | range 192.168.1.64 192.168.1.111; | ||
+ | authoritative; # the server is authoritative | ||
+ | } | ||
+ | |||
+ | # # aka hyperion | ||
+ | # host technocore { | ||
+ | # fixed-address 192.168.1.1; | ||
+ | # hardware ethernet :::::; | ||
+ | # } | ||
+ | |||
+ | # host mirkwood { | ||
+ | # fixed-address 192.168.1.2; | ||
+ | # # Busmaster ethernet card 10/100 MBit/s | ||
+ | # hardware ethernet 00:C0:26:60:01:A1; | ||
+ | # } | ||
+ | |||
+ | host isengard { | ||
+ | fixed-address 192.168.1.3; | ||
+ | hardware ethernet 00:05:02:71:EC:AB; | ||
+ | } | ||
+ | |||
+ | host moria { | ||
+ | fixed-address 192.168.1.4; | ||
+ | hardware ethernet 00:30:65:ef:74:8e; | ||
+ | } | ||
+ | |||
+ | # host imladris { | ||
+ | # fixed-address 192.168.1.5; | ||
+ | # hardware ethernet :::::; | ||
+ | # } | ||
+ | |||
+ | # host osgiliath { | ||
+ | # # Override the router setting. If we don't do this, and ifup on | ||
+ | # # osgiliath acquires a DHCP lease, ifup will add a default route | ||
+ | # # to 192.168.1.6 because it thinks this is the default gateway. | ||
+ | # # Because osgiliath ***IS*** 192.168.1.6, and the default route | ||
+ | # # therefore points back to itself, normal routing to the outside | ||
+ | # # world via ADSL no longer works. Effectively, the default route | ||
+ | # # to 192.168.1.6 conflicts with the other (correct) default route | ||
+ | # # to 192.168.0.1. | ||
+ | # option routers 192.168.0.1; | ||
+ | |||
+ | # fixed-address 192.168.1.6; | ||
+ | # # Integrated ethernet controller 3Com | ||
+ | # hardware ethernet 00:26:54:0C:52:06 | ||
+ | |||
+ | # fixed-address 172.16.13.57; | ||
+ | # # National Semiconductor ethernet card | ||
+ | # hardware ethernet 00:40:F4:38:E6:FA | ||
+ | |||
+ | # fixed-address 192.168.2.1; | ||
+ | # # Integrated ethernet controller nVidia | ||
+ | # hardware ethernet 00:0C:6E:32:65:91; | ||
+ | |||
+ | # fixed-address 192.168.3.1; | ||
+ | # # Busmaster DEC ethernet card 10/100 MBit/s | ||
+ | # hardware ethernet 00:C0:26:60:01:A1; | ||
+ | # } | ||
+ | |||
+ | host fornost { | ||
+ | hardware ethernet 00:00:e8:88:ab:80; | ||
+ | fixed-address 192.168.1.7; | ||
+ | } | ||
+ | |||
+ | host tharbad { | ||
+ | hardware ethernet 00:0d:93:b1:eb:c2; | ||
+ | fixed-address 192.168.1.8; | ||
+ | } | ||
+ | |||
+ | host nargothrond { | ||
+ | hardware ethernet 00:17:f2:cd:5d:09; | ||
+ | fixed-address 192.168.1.9; | ||
+ | } | ||
+ | |||
+ | host nindalf { | ||
+ | hardware ethernet 10:9a:dd:5d:bb:eb; | ||
+ | fixed-address 192.168.1.10; | ||
+ | } | ||
+ | |||
+ | # host pelargir { | ||
+ | # # Override the router setting. For details see the comments above | ||
+ | # # in the entry for osgiliath. | ||
+ | # option routers 192.168.0.1; | ||
+ | |||
+ | # fixed-address 192.168.1.11; | ||
+ | # # Integrated gigabit ethernet controller (Intranet wired connections) | ||
+ | # hardware ethernet 34:15:9e:2e:ca:38 | ||
+ | |||
+ | # fixed-address 192.168.0.2; | ||
+ | # # Fast ethernet-over-USB controller (Internet uplink) | ||
+ | # hardware ethernet 00:24:32:01:a7:83 | ||
+ | # } | ||
+ | |||
+ | host laserjet1300n { | ||
+ | hardware ethernet 00:30:6e:d0:e4:20; | ||
+ | fixed-address 192.168.1.126; | ||
+ | } | ||
+ | } # end group | ||
+ | |||
+ | # Share options in the 192.168.2.0 subnet | ||
+ | group { | ||
+ | option domain-name "wifi.herzbube.ch"; | ||
+ | option domain-name-servers 192.168.2.6 212.101.0.10, 212.101.4.253; | ||
+ | option subnet-mask 255.255.255.0; | ||
+ | option broadcast-address 192.168.2.255; | ||
+ | option routers 192.168.2.6; | ||
+ | option smtp-server 192.168.2.6; | ||
+ | option time-servers 192.168.2.6; | ||
+ | |||
+ | # Provide 48 dynamic addresses between 64 and 111 | ||
+ | subnet 192.168.2.0 netmask 255.255.255.0 { | ||
+ | range 192.168.2.64 192.168.2.111; | ||
+ | authoritative; # the server is authoritative | ||
+ | } | ||
+ | |||
+ | # host osgiliath { | ||
+ | # fixed-address 192.168.2.1; | ||
+ | # # Integrated ethernet controller nVidia | ||
+ | # hardware ethernet 00:0C:6E:32:65:91; | ||
+ | # } | ||
+ | |||
+ | host landroval { | ||
+ | fixed-address 192.168.2.2; | ||
+ | hardware ethernet 00:25:00:fe:f4:e3; | ||
+ | } | ||
+ | |||
+ | host nargothrond { | ||
+ | fixed-address 192.168.2.3; | ||
+ | hardware ethernet 00:19:e3:08:00:a5; | ||
+ | } | ||
+ | |||
+ | host buschtrommel { | ||
+ | fixed-address 192.168.2.4; | ||
+ | hardware ethernet 00:26:4a:f3:8d:2f; | ||
+ | } | ||
+ | |||
+ | host nindalf { | ||
+ | fixed-address 192.168.2.5; | ||
+ | hardware ethernet c8:bc:c8:f1:77:61; | ||
+ | } | ||
+ | |||
+ | # host pelargir { | ||
+ | # fixed-address 192.168.2.6; | ||
+ | # # Gigabit ethernet-over-USB controller (Intranet wireless connections) | ||
+ | # hardware ethernet 00:12:17:f2:34:05 | ||
+ | # } | ||
+ | } | ||
+ | </pre> | ||
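Review bot: the pasted ISC DHCP material breaks the page's heading hierarchy and carries a syntax slip. It is inserted under the level-3 heading "=== Ldap for DHCP ===" but then opens its own level-2 sections ("== Debian packages ==", "== References ==", "== Configuration =="), which demotes every section after it in the table of contents; either lower those headings by two levels or move the DHCP content to a page of its own and link it. In the configuration, `option domain-name-servers 192.168.1.11 212.101.0.10, 212.101.4.253;` (and the matching line in the wifi group) is missing the comma after the first address, while the LDIF version of the same option further down uses a properly comma-separated list; make the two agree. The domain names, subnets, MAC addresses and host names are the source wiki's (lan.herzbube.ch), not this server's, so the copied values need to be replaced with this site's own before the block is used, and the `# hardware ethernet :::::;` placeholders in the commented hosts should be marked as placeholders rather than left looking like real addresses.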
+ | |||
+ | |||
+ | == Dynamic DNS updates == | ||
+ | |||
+ | === Overview === | ||
+ | |||
+ | When the DHCP server assigns a new address to a client, it can send this information to a cooperating DNS server which will then update its DNS records accordingly. | ||
+ | |||
+ | '''This does not work for fixed IP addresses!''' Clients whose IP addresses should be managed like this must not contain the <code>fixed-address</code> option. I have tried adding <code>ddns-updates on</code> for such hosts, but it didn't work. | ||
+ | |||
+ | |||
+ | === References === | ||
+ | |||
+ | The information in this chapter primarily comes from the <code>dhcpd.conf</code> man page, section "DYNAMIC DNS UPDATES". The following article has also been valuable as a starter: http://www.debian-administration.org/article/Configuring_Dynamic_DNS__DHCP_on_Debian_Stable. | ||
+ | |||
+ | |||
+ | === Enable dynamic DNS updates === | ||
+ | |||
+ | The main configuration option that needs to be set to make the DHCP daemon perform dynamic DNS updates is this: | ||
+ | ddns-update-style interim; | ||
+ | |||
+ | |||
+ | === Defining who is responsible for updating the DNS server === | ||
+ | |||
+ | When the DHCP daemon hands out an IP address, DNS needs to be updated in two ways: | ||
+ | * Forward resolution, or the "A" record needs to be updated | ||
+ | * Reverse resolution, or the "PTR" record needs to be updated | ||
+ | |||
+ | |||
+ | It is possible to configure the DHCP daemon so that it allows the client to update its own "A" record. This feature is actually turned on by default, but in my network I don't want this and therefore set the following configuration option: | ||
+ | deny client-updates; # tell the client it is not allowed to do updates | ||
+ | |||
+ | |||
+ | === Client FQDN used for talking to the DNS server === | ||
+ | |||
+ | The DHCP daemon will form the FQDN of a client by concatenating the client's hostname and domain name: | ||
+ | * The client's hostname is determined by one of the following options. Options further up in the list have precedence. | ||
+ | ** <code>ddns-hostname</code> inside a host declaration | ||
+ | ** <code>host-name</code> inside a host declaration | ||
+ | ** The name used for the host declaration (this is the declaration that starts with the keyword <code>host</code>) | ||
+ | * The domain name is determined by one of the following options. Options further up in the list have precedence. | ||
+ | ** <code>ddns-domainname</code> | ||
+ | ** Probably <code>domain-name</code>. I say "probably" because this has not been thoroughly researched. The only statement I can make is this: Even though <code>ddns-domainname</code> is not specified, everything seems to work. The only other source for the domain name that I can see is <code>domain-name</code>. | ||
+ | |||
+ | |||
+ | === Communication with the DNS server === | ||
+ | |||
+ | The DHCP daemon needs to know where the DNS server to update lives. This is achieved by a configuration file snippet like this: | ||
+ | <pre> | ||
+ | # This file defines a secret that is used by DHCP to authenticate itself to the | ||
+ | # DNS server. It is also included by the DNS server configuration. There is no | ||
+ | # need for two files with different formats because both DHCP and BIND servers | ||
+ | # are implemented by ISC. | ||
+ | include "/etc/bind/dhcp-updater.key"; | ||
+ | |||
+ | # The forward zone (note the trailing ".") | ||
+ | zone lan.herzbube.ch. { | ||
+ | # Where does the primary DNS server live? | ||
+ | primary 127.0.0.1; | ||
+ | # Reference to the key defined in the file included further up | ||
+ | key dhcp-updater; | ||
+ | } | ||
+ | |||
+ | # The reverse zone | ||
+ | zone 1.168.192.in-addr.arpa. { | ||
+ | primary 127.0.0.1; | ||
+ | key dhcp-updater; | ||
+ | } | ||
+ | |||
+ | # The forward zone (note the trailing ".") | ||
+ | zone wifi.herzbube.ch. { | ||
+ | # Where does the primary DNS server live? | ||
+ | primary 127.0.0.1; | ||
+ | # Reference to the key defined in the file included further up | ||
+ | key dhcp-updater; | ||
+ | } | ||
+ | |||
+ | # The reverse zone | ||
+ | zone 2.168.192.in-addr.arpa. { | ||
+ | primary 127.0.0.1; | ||
+ | key dhcp-updater; | ||
+ | } | ||
+ | </pre> | ||
+ | |||
+ | |||
+ | For a detailed discussion about the authentication secret file, see the [[BIND]] page. | ||
+ | |||
+ | |||
+ | === Noteworthy options that remain unused === | ||
+ | |||
+ | The following options are noteworthy, but remain unused since the defaults are acceptable: | ||
+ | * <code>ddns-rev-domainname</code>: Can be used to specify the domain name for the reverse zone. This is appended to the reversed IP address of the client. The default is "in-addr.arpa." | ||
+ | * <code>ddns-updates</code>: Can be used to turn dynamic DNS updates on or off within the scope where this option appears. The default is "on". | ||
+ | |||
+ | |||
+ | |||
+ | == Configuration with LDAP == | ||
+ | |||
+ | === Reference === | ||
+ | |||
+ | The reference for the following configuration steps is | ||
+ | /usr/share/doc/isc-dhcp-server-ldap | ||
+ | |||
+ | This document can also be found online. | ||
+ | |||
+ | |||
+ | === Task overview === | ||
+ | |||
+ | To integrate the ISC DHCP server with LDAP, the following tasks need to be done in the listed order. Most of them are explained in more detail in one of the following chapters. | ||
+ | * Install Debian package | ||
+ | * Configure the LDAP server | ||
+ | ** Use the schema provided by the DHCP package | ||
+ | ** Use additional indices | ||
+ | ** Add new ACLs for the DHCP DN (the DN that DHCP is going to use for directory access) | ||
+ | * Modify the LDAP directory | ||
+ | ** Add entries to the directory that represent the DHCP configuration formerly located in <tt>/etc/dhcp/dhcpd.conf</tt> | ||
+ | ** Add an entry to the directory that is used by the DHCP server for authentication | ||
+ | * Configure DHCP to use LDAP | ||
+ | |||
+ | |||
+ | === Install Debian package === | ||
+ | |||
+ | The following Debian package needs to be installed: | ||
+ | isc-dhcp-server-ldap | ||
+ | |||
+ | This package seamlessly replaces the original DHCP server by installing a new version of the DHCP server binary. The original binary is preserved under a new name. | ||
+ | <pre> | ||
+ | osgiliath:~# ls -l /usr/sbin/dhcpd* | ||
+ | -rwxr-xr-x 1 root root 755332 May 19 08:13 /usr/sbin/dhcpd | ||
+ | -rwxr-xr-x 1 root root 730408 May 19 08:13 /usr/sbin/dhcpd-noldap | ||
+ | </pre> | ||
+ | |||
+ | The package also provides important files in <tt>/usr/share/doc/isc-dhcp-server-ldap</tt> which we are going to use in the next steps: | ||
+ | * The LDAP schema for DHCP | ||
+ | * A utility perl script that converts the regular DHCP configuration file <tt>/etc/dhcp/dhcpd.conf</tt> into an LDIF data file that can then be used to populate the LDAP directory | ||
+ | |||
+ | |||
+ | === Configure the LDAP server === | ||
+ | |||
+ | ==== Schema ==== | ||
+ | |||
+ | Manually copy <tt>dhcp.schema</tt> into the LDAP schema directory: | ||
+ | <pre> | ||
+ | cd /etc/ldap/schema | ||
+ | cp /usr/share/doc/isc-dhcp-server-ldap/dhcp.schema.gz . | ||
+ | gunzip dhcp.schema.gz | ||
+ | </pre> | ||
− | https://help.ubuntu.com/community/Kerberos | + | Configure <tt>slapd</tt> to load the schema by adding the following line to <tt>/etc/ldap/slapd.conf</tt>: |
+ | include /etc/ldap/schema/dhcp.schema | ||
+ | |||
+ | |||
+ | ==== Indices ==== | ||
+ | |||
+ | Configure additional indices by adding the following lines to <tt>/etc/ldap/slapd.conf</tt>: | ||
+ | |||
+ | <pre> | ||
+ | # Indices for DHCP (taken from /usr/share/doc/isc-dhcp-server-ldap/README.ldap.gz) | ||
+ | index dhcpHWAddress eq | ||
+ | index dhcpClassData eq | ||
+ | </pre> | ||
+ | |||
+ | After modifying the file, perform reindexing: | ||
+ | |||
+ | <pre> | ||
+ | /etc/init.d/slapd stop | ||
+ | slapindex -n 1 | ||
+ | /etc/init.d/slapd start | ||
+ | chown openldap:openldap /var/lib/ldap/herzbube.ch/* | ||
+ | </pre> | ||
+ | |||
+ | '''Note:''' I am not sure if any of these indices are ''required'' for DHCP/LDAP integration to work. I was too lazy to test this out, I simply assume that the guy who wrote the README file knew what he was writing about. | ||
+ | |||
+ | |||
+ | ==== ACLs ==== | ||
+ | |||
+ | '''Note: The actual ACLs developed in theory in this chapter can be found over on the [[OpenLDAP]] page.''' | ||
+ | |||
+ | The DHCP server will be accessing the LDAP directory using the DN | ||
+ | cn=dhcp-service,ou=users,dc=herzbube,dc=ch | ||
+ | |||
+ | Our new ACLs do not have to work on the attribute level (e.g. there is no password attribute to protect), instead they simply need to give read-only access to the DHCP server to the following entries: | ||
+ | * All entries under the tree <tt>ou=dhcp,dc=herzbube,dc=ch</tt> | ||
+ | * All entries directly under the base DN with <tt>objectClass=dhcpServer</tt>. Note: Every such entry refers to one DHCP server; since we only have one server, there will be only one LDAP entry, but we still use a general-purpose ACL that could be used in a setup with 2 or more DHCP servers. | ||
+ | |||
+ | |||
+ | See the [[OpenLDAP]] page for the actual ACLs. | ||
+ | |||
+ | |||
+ | === Modify the LDAP directory === | ||
+ | |||
+ | ==== Overview ==== | ||
+ | |||
+ | The following entries need to be modified in the LDAP directory: | ||
+ | * The DHCP server itself needs to be defined with a top-level entry directly below the base DN. | ||
+ | * A subtree <tt>cn=dhcp,dc=herzbube,dc=ch</tt> must be created with corresponding entries that form the DHCP setup. | ||
+ | * Host entries need to be created for machines with known MAC addresses which will get a fixed IP address | ||
+ | * Last but not least, the DN <tt>cn=dhcp-service,ou=users,dc=herzbube,dc=ch</tt> used for authentication by the DHCP server must be created. ACLs developed further up will refer to this DN, and the DHCP server will be configured later on to use this DN. | ||
+ | |||
+ | |||
+ | ==== Converting <tt>dhcpd.conf</tt> to LDIF ==== | ||
+ | |||
+ | The task of creating the necessary LDAP directory entries can be vastly simplified by using a utility perl script that converts an existing DHCP configuration file into an LDIF data file. After a review and a couple of minor modifications, the LDIF file can then be simply imported into the LDAP directory. | ||
+ | |||
+ | The script in question is | ||
+ | /usr/share/doc/isc-dhcp-server-ldap/dhcpd-conf-to-ldap.pl.gz | ||
+ | |||
+ | After copying and gunzip'ping the script in <tt>/tmp</tt>, I used the following command line to generate my LDIF file: | ||
+ | /tmp/dhcpd-conf-to-ldap.pl --dhcpdn "cn=dhcp,dc=herzbube,dc=ch" --conf /etc/dhcp/dhcpd.conf --ldif /tmp/dhcpd.ldif | ||
+ | |||
+ | |||
+ | ==== Add entry that represents the DHCP server ==== | ||
+ | |||
+ | Add the following entry to the LDAP directory: | ||
+ | |||
+ | <pre> | ||
+ | # You must specify the server's host name in LDAP that you are going to run | ||
+ | # DHCP on and point it to which config tree you want to use. Whenever DHCP | ||
+ | # first starts up, it will do a search for this entry to find out which | ||
+ | # config to use. | ||
+ | # | ||
+ | # Note: We really want the hostname only, not the FQDN. | ||
+ | dn: cn=pelargir,dc=herzbube,dc=ch | ||
+ | cn: pelargir | ||
+ | objectClass: top | ||
+ | objectClass: dhcpServer | ||
+ | dhcpServiceDN: cn=dhcp,dc=herzbube,dc=ch | ||
+ | </pre> | ||
+ | |||
+ | |||
+ | ==== The <tt>cn=dhcp,dc=herzbube,dc=ch</tt> subtree ==== | ||
+ | |||
+ | Create the entry with DN <tt>cn=dhcp,dc=herzbube,dc=ch</tt>. This entry forms the root of a subtree into which we will now place further entries that form the entire DHCP configuration. | ||
+ | |||
+ | <pre> | ||
+ | # Here is the entry that starts the DHCP config subtree | ||
+ | # that cn=osgiliath,dc=herzbube,dc=ch points to. | ||
+ | dn: cn=dhcp,dc=nherzbube,dc=ch | ||
+ | cn: dhcp | ||
+ | objectClass: top | ||
+ | objectClass: dhcpService | ||
+ | objectClass: dhcpOptions | ||
+ | dhcpPrimaryDN: cn=pelargir,dc=herzbube,dc=ch | ||
+ | dhcpStatements: ddns-update-style interim | ||
+ | dhcpStatements: default-lease-time 86400 | ||
+ | dhcpStatements: max-lease-time 604800 | ||
+ | dhcpStatements: log-facility local7 | ||
+ | dhcpStatements: deny client-updates | ||
+ | dhcpStatements: include "/etc/bind/dhcp-updater.key" | ||
+ | #dhcpOption: time-servers time.euro.apple.com | ||
+ | |||
+ | # Define a group for hosts in the 192.168.1.0 network. This includes | ||
+ | # all of our known MAC addresses, and a range of 48 dynamically | ||
+ | # allocated addresses. The group entry also contains common options for | ||
+ | # all hosts in this group. | ||
+ | dn: cn=group-192.168.1.0,cn=dhcp,dc=herzbube,dc=ch | ||
+ | cn: group-192.168.1.0 | ||
+ | objectClass: top | ||
+ | objectClass: dhcpGroup | ||
+ | objectClass: dhcpOptions | ||
+ | dhcpStatements: zone lan.herzbube.ch. { primary 127.0.0.1; key dhcp-updater; } | ||
+ | dhcpStatements: zone 1.168.192.in-addr.arpa. { primary 127.0.0.1; key dhcp-updater; } | ||
+ | dhcpOption: domain-name "lan.herzbube.ch" | ||
+ | dhcpOption: domain-name-servers 192.168.1.11, 212.101.0.10, 212.101.4.253 | ||
+ | dhcpOption: subnet-mask 255.255.255.0 | ||
+ | dhcpOption: broadcast-address 192.168.1.255 | ||
+ | dhcpOption: routers 192.168.1.11 | ||
+ | dhcpOption: smtp-server 192.168.1.11 | ||
+ | dhcpOption: time-servers 192.168.1.11 | ||
+ | |||
+ | # The 192.168.1.0 subnet definition is a child of the group entry. | ||
+ | # The subnet definition specifies that only 48 addresses may be | ||
+ | # dynamically allocated. | ||
+ | dn: cn=192.168.1.0,cn=group-192.168.1.0,cn=dhcp,dc=herzbube,dc=ch | ||
+ | cn: 192.168.1.0 | ||
+ | objectClass: top | ||
+ | objectClass: dhcpSubnet | ||
+ | dhcpNetMask: 24 | ||
+ | dhcpRange: 192.168.1.64 192.168.1.111 | ||
+ | dhcpStatements: authoritative | ||
+ | |||
+ | # Define a group for hosts in the 192.168.2.0 network. This includes | ||
+ | # all of our known MAC addresses, and a range of 48 dynamically | ||
+ | # allocated addresses. The group entry also contains common options for | ||
+ | # all hosts in this group. | ||
+ | dn: cn=group-192.168.2.0,cn=dhcp,dc=herzbube,dc=ch | ||
+ | cn: group-192.168.2.0 | ||
+ | objectClass: top | ||
+ | objectClass: dhcpGroup | ||
+ | objectClass: dhcpOptions | ||
+ | dhcpStatements: zone wifi.herzbube.ch. { primary 127.0.0.1; key dhcp-updater; } | ||
+ | dhcpStatements: zone 2.168.192.in-addr.arpa. { primary 127.0.0.1; key dhcp-updater; } | ||
+ | dhcpOption: domain-name "wifi.herzbube.ch" | ||
+ | dhcpOption: domain-name-servers 192.168.2.6, 212.101.0.10, 212.101.4.253 | ||
+ | dhcpOption: subnet-mask 255.255.255.0 | ||
+ | dhcpOption: broadcast-address 192.168.2.255 | ||
+ | dhcpOption: routers 192.168.2.6 | ||
+ | dhcpOption: smtp-server 192.168.2.6 | ||
+ | dhcpOption: time-servers 192.168.2.6 | ||
+ | |||
+ | # The 192.168.2.0 subnet definition is a child of the group entry. | ||
+ | # The subnet definition specifies that only 48 addresses may be | ||
+ | # dynamically allocated. | ||
+ | dn: cn=192.168.2.0,cn=group-192.168.2.0,cn=dhcp,dc=herzbube,dc=ch | ||
+ | cn: 192.168.2.0 | ||
+ | objectClass: top | ||
+ | objectClass: dhcpSubnet | ||
+ | dhcpNetMask: 24 | ||
+ | dhcpRange: 192.168.2.64 192.168.2.111 | ||
+ | dhcpStatements: authoritative | ||
+ | </pre> | ||
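Review bot: the DN of the configuration subtree root, `dn: cn=dhcp,dc=nherzbube,dc=ch`, has a typo ("nherzbube"); it does not match the `dhcpServiceDN: cn=dhcp,dc=herzbube,dc=ch` pointer in the server entry, so the DHCP server would never find its configuration, and the child entries such as `cn=group-192.168.1.0,cn=dhcp,dc=herzbube,dc=ch` would fail to add because their parent does not exist. The comment above that entry also still says the subtree is what `cn=osgiliath,dc=herzbube,dc=ch` points to, while the server entry actually created is `cn=pelargir,dc=herzbube,dc=ch`; update the comment. Note as well that the preceding steps (`include /etc/ldap/schema/dhcp.schema` in slapd.conf, `index dhcpHWAddress eq`, `slapindex -n 1`) are OpenLDAP procedures; on ApacheDS, which is this page's subject, schema and indexes are not configured through slapd.conf, so the reader needs either a pointer to the ApacheDS equivalent or a clear statement that this section assumes OpenLDAP.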
+ | |||
+ | |||
+ | ==== Host definitions ==== | ||
+ | |||
+ | The idea would have been to use the <tt>dhcpHostDN</tt> attribute, which is possible inside the <tt>dhcpGroup</tt> object class, to refer to host entries in the <tt>ou=hosts,dc=herzbube,dc=ch</tt>, and to augment those entries with the object class <tt>dhcpHost</tt>. | ||
+ | |||
+ | Unfortunately there is a problem with the current DHCP LDAP schema definition: The object class <tt>dhcpHost</tt> is not auxiliary! This means that other existing objects in the LDAP directory which represent a host, such as the <tt>ipHost</tt> entries below the subtree <tt>ou=hosts,dc=herzbube,dc=ch</tt>, cannot be augmented with the <tt>dhcpHost</tt> object class. So in the end, the whole idea of referring to entries in the <tt>ou=hosts</tt> subtree falls flat on its face. For the moment I ignore the possibility that the scheme would not have worked anyway because I don't know the exact semantics of <tt>dhcpHostDN</tt>, and whether the patched DHCP server would follow a reference to another subtree in the first place. | ||
+ | |||
+ | Although the DHCP LDAP schema is only a draft and not a formal standard (see [http://tools.ietf.org/id/draft-ietf-dhc-ldap-schema-00.txt this document]), I am currently reluctant to modify the schema to make it fit my purposes, because I don't know what trouble I would be inviting and at the moment just want the damn thing to work. After a bit of googling, I found that somebody else would also have preferred <tt>dhcpHost</tt> to be an auxiliary object class, but one of the co-authors of the draft [http://lists.debian.org/debian-edu/2008/08/msg00060.html responds] that it would be better to create a new object class <tt>dhcpHostAux</tt> which essentially duplicates the original object class but has the AUXILIARY flag turned on. I don't see the reason for this, and unfortunately the draft co-author doesn't give a reason, either. | ||
+ | |||
+ | |||
+ | So after all this thinking, the final defeat: Here are the host definitions that have to be placed below the <tt>cn=dhcp,dc=herzbube,dc=ch</tt> subtree: | ||
+ | <pre> | ||
+ | dn: cn=technocore,cn=group-192.168.1.1,cn=dhcp,dc=herzbube,dc=ch | ||
+ | cn: technocore | ||
+ | objectClass: top | ||
+ | objectClass: dhcpHost | ||
+ | #dhcpHWAddress: ethernet ??:??:??:??:??:?? | ||
+ | dhcpStatements: fixed-address 192.168.1.1 | ||
+ | |||
+ | dn: cn=mirkwood,cn=group-192.168.1.1,cn=dhcp,dc=herzbube,dc=ch | ||
+ | cn: mirkwood | ||
+ | objectClass: top | ||
+ | objectClass: dhcpHost | ||
+ | dhcpHWAddress: ethernet 00:c0:26:60:01:a1 | ||
+ | dhcpStatements: fixed-address 192.168.1.2 | ||
+ | |||
+ | dn: cn=isengard,cn=group-192.168.1.0,cn=dhcp,dc=herzbube,dc=ch | ||
+ | cn: isengard | ||
+ | objectClass: top | ||
+ | objectClass: dhcpHost | ||
+ | dhcpHWAddress: ethernet 00:05:02:71:ec:ab | ||
+ | dhcpStatements: fixed-address 192.168.1.3 | ||
+ | |||
+ | dn: cn=moria,cn=group-192.168.1.0,cn=dhcp,dc=herzbube,dc=ch | ||
+ | cn: moria | ||
+ | objectClass: top | ||
+ | objectClass: dhcpHost | ||
+ | dhcpHWAddress: ethernet 00:30:65:ef:74:8e | ||
+ | dhcpStatements: fixed-address 192.168.1.4 | ||
+ | |||
+ | # 192.168.1.5 = imladris.lan.herzbube.ch | ||
+ | |||
+ | # 192.168.1.6 = osgiliath.lan.herzbube.ch | ||
+ | |||
+ | dn: cn=fornost,cn=group-192.168.1.0,cn=dhcp,dc=herzbube,dc=ch | ||
+ | cn: fornost | ||
+ | objectClass: top | ||
+ | objectClass: dhcpHost | ||
+ | dhcpHWAddress: ethernet 00:00:e8:88:ab:80 | ||
+ | dhcpStatements: fixed-address 192.168.1.7 | ||
+ | |||
+ | dn: cn=tharbad,cn=group-192.168.1.0,cn=dhcp,dc=herzbube,dc=ch | ||
+ | cn: tharbad | ||
+ | objectClass: top | ||
+ | objectClass: dhcpHost | ||
+ | dhcpHWAddress: ethernet 00:0d:93:b1:eb:c2 | ||
+ | dhcpStatements: fixed-address 192.168.1.8 | ||
+ | |||
+ | dn: cn=nargothrond,cn=group-192.168.1.0,cn=dhcp,dc=herzbube,dc=ch | ||
+ | cn: nargothrond | ||
+ | objectClass: top | ||
+ | objectClass: dhcpHost | ||
+ | dhcpHWAddress: ethernet 00:17:f2:cd:5d:09 | ||
+ | dhcpStatements: fixed-address 192.168.1.9 | ||
+ | |||
+ | dn: cn=nindalf,cn=group-192.168.1.0,cn=dhcp,dc=herzbube,dc=ch | ||
+ | cn: nindalf | ||
+ | objectClass: top | ||
+ | objectClass: dhcpHost | ||
+ | dhcpHWAddress: ethernet 10:9a:dd:5d:bb:eb | ||
+ | dhcpStatements: fixed-address 192.168.1.10 | ||
+ | |||
+ | # 192.168.1.11 = pelargir.lan.herzbube.ch | ||
+ | |||
+ | dn: cn=laserjet1300n,cn=group-192.168.1.0,cn=dhcp,dc=herzbube,dc=ch | ||
+ | cn: laserjet1300n | ||
+ | objectClass: top | ||
+ | objectClass: dhcpHost | ||
+ | dhcpHWAddress: ethernet 00:30:6e:d0:e4:20 | ||
+ | dhcpStatements: fixed-address 192.168.1.126 | ||
+ | |||
+ | # 192.168.2.1 = osgiliath.wifi.herzbube.ch | ||
+ | |||
+ | dn: cn=landroval,cn=group-192.168.2.0,cn=dhcp,dc=herzbube,dc=ch | ||
+ | cn: landroval | ||
+ | objectClass: top | ||
+ | objectClass: dhcpHost | ||
+ | dhcpHWAddress: ethernet 00:25:00:fe:f4:e3 | ||
+ | dhcpStatements: fixed-address 192.168.2.2 | ||
+ | |||
+ | dn: cn=nargothrond,cn=group-192.168.2.0,cn=dhcp,dc=herzbube,dc=ch | ||
+ | cn: nargothrond | ||
+ | objectClass: top | ||
+ | objectClass: dhcpHost | ||
+ | dhcpHWAddress: ethernet 00:19:e3:08:00:a5 | ||
+ | dhcpStatements: fixed-address 192.168.2.3 | ||
+ | |||
+ | dn: cn=buschtrommel,cn=group-192.168.2.0,cn=dhcp,dc=herzbube,dc=ch | ||
+ | cn: buschtrommel | ||
+ | objectClass: top | ||
+ | objectClass: dhcpHost | ||
+ | dhcpHWAddress: ethernet 00:26:4a:f3:8d:2f | ||
+ | dhcpStatements: fixed-address 192.168.2.4 | ||
+ | |||
+ | dn: cn=bundeslade,cn=group-192.168.2.0,cn=dhcp,dc=herzbube,dc=ch | ||
+ | cn: bundeslade | ||
+ | objectClass: top | ||
+ | objectClass: dhcpHost | ||
+ | dhcpHWAddress: ethernet d8:a2:5e:07:b7:7d | ||
+ | dhcpStatements: fixed-address 192.168.2.5 | ||
+ | |||
+ | # 192.168.2.6 = pelargir.wifi.herzbube.ch | ||
+ | |||
+ | dn: cn=nindalf,cn=group-192.168.2.0,cn=dhcp,dc=herzbube,dc=ch | ||
+ | cn: nindalf | ||
+ | objectClass: top | ||
+ | objectClass: dhcpHost | ||
+ | dhcpHWAddress: ethernet c8:bc:c8:f1:77:61 | ||
+ | dhcpStatements: fixed-address 192.168.2.7 | ||
+ | |||
+ | dn: cn=ihoernchen,cn=group-192.168.2.0,cn=dhcp,dc=herzbube,dc=ch | ||
+ | cn: ihoernchen | ||
+ | objectClass: top | ||
+ | objectClass: dhcpHost | ||
+ | dhcpHWAddress: ethernet c8:bc:c8:f1:77:61 | ||
+ | dhcpStatements: fixed-address 192.168.2.8 | ||
+ | |||
+ | dn: cn=wundertuete,cn=group-192.168.2.0,cn=dhcp,dc=herzbube,dc=ch | ||
+ | cn: wundertuete | ||
+ | objectClass: top | ||
+ | objectClass: dhcpHost | ||
+ | dhcpHWAddress: ethernet 04:54:53:28:aa:9f | ||
+ | dhcpStatements: fixed-address 192.168.2.9 | ||
+ | </pre> | ||
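Review bot: two host entries are placed under a group that does not exist: `cn=technocore,cn=group-192.168.1.1,cn=dhcp,dc=herzbube,dc=ch` and `cn=mirkwood,cn=group-192.168.1.1,...` should use the parent `cn=group-192.168.1.0,cn=dhcp,dc=herzbube,dc=ch` like the other hosts, otherwise the import stops with "no such object". The `nindalf` and `ihoernchen` entries in the 192.168.2.0 group both carry `dhcpHWAddress: ethernet c8:bc:c8:f1:77:61` with different fixed addresses; since the server looks hosts up by hardware address (that is what the `dhcpHWAddress` index is for), only one of the two entries can ever match and the other is dead, so one MAC is wrong and should be corrected. The LDIF also disagrees with the dhcpd.conf above on nindalf's wifi address (192.168.2.5 there, 192.168.2.7 here, with bundeslade now on .5); state which is current so the two representations do not drift apart.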
+ | |||
+ | |||
+ | ==== Create authentication DN ==== | ||
+ | |||
+ | The DHCP server needs to authenticate in order to access the LDAP directory. For this purpose, we need to create an authentication entry with DN <tt>cn=dhcp-service,ou=users,dc=herzbube,dc=ch</tt>. Give the entry a password and a nice description, and that's all there is to it. | ||
+ | |||
+ | |||
+ | === Configure DHCP to use LDAP === | ||
+ | |||
+ | Place the following block into <tt>/etc/dhcp/dhcpd.conf</tt>: | ||
+ | <pre> | ||
+ | ldap-server "localhost"; | ||
+ | ldap-port 389; | ||
+ | ldap-username "cn=dhcp-service,ou=users,dc=herzbube,dc=ch"; | ||
+ | ldap-password "secret"; | ||
+ | ldap-base-dn "dc=herzbube,dc=ch"; | ||
+ | # Dynamic = Hosts are looked up every time a DHCP request comes in | ||
+ | # Static = Read entire configuration, including hosts, only once at startup | ||
+ | ldap-method dynamic; | ||
+ | ldap-debug-file "/var/log/dhcp-ldap-startup.log"; | ||
+ | </pre> | ||
+ | |||
+ | Because the configuration file now contains a password, change the file's permissions: | ||
+ | chmod 600 /etc/dhcp/dhcpd.conf | ||
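Review bot: `ldap-password "secret"` stores the bind credential for `cn=dhcp-service,ou=users,dc=herzbube,dc=ch` in cleartext in `/etc/dhcp/dhcpd.conf`; the `chmod 600` that follows is the right mitigation, but the text should say that the literal value "secret" is a placeholder to be replaced, and that any backup or copy of dhcpd.conf (including the `/tmp/dhcpd.ldif` produced earlier, which is world-readable in /tmp by default) needs the same care. Because the bind goes to `localhost` on port 389 without TLS, the credential only crosses loopback, which is acceptable here; if the LDAP server ever moves to another host, the connection needs an encrypted channel (ldaps or STARTTLS) before the password crosses the network. It is also worth noting next to `ldap-method dynamic` that every DHCP request then depends on the LDAP server answering, so an LDAP outage stops lease handling, whereas `static` only reads at startup.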
+ | |||
+ | |||
+ | == Leases == | ||
+ | |||
+ | The current leases are stored in the following file (regardless of whether the DHCP server uses LDAP or not): | ||
+ | /var/lib/dhcp/dhcpd.leases | ||
+ | |||
+ | The leases file can be modified but the DHCP server must be restarted for the changes to have any effect. | ||
+ | |||
+ | |||
+ | '''Note:''' The leases file may contain many entries for the same IP address. The reason for this is that the DHCP server simply appends an entry when a new lease is handed out. When the server is restarted, the leases file is cleaned up. | ||
+ | |||
+ | |||
+ | [[Category:Infrastructure Service]] | ||
+ | |||
+ | |||
+ | === Ldap for kerberos / nfs === | ||
+ | |||
+ | https://help.ubuntu.com/community/Kerberos<br> | ||
+ | https://directory.apache.org/apacheds/kerberos-ug/4.2-authenticate-studio.html<br> | ||
+ | https://directory.apache.org/apacheds/kerberos-user-guide.html<br> | ||
+ | |||
+ | apacheDS configuration notes (this what I get working): | ||
+ | |||
+ | 1) at apache director studio first add new server and then modify it's default name ext. dc=example, dc=com to dc=yoursserver,dc=edu that can be done at Partitions sheet, touch dc=example,dc=com and change name !<br> | ||
+ | 2) mark LDAP and KERBEROS on<br> | ||
+ | 3) whit nfs only ads-krbEncryptionTypes: des-cbc-md5 and ads-krbEncryptionTypes: des3-cbc-sha1-kd could work https://bugzilla.redhat.com/show_bug.cgi?id=573968 . Due this /etc/krb5.conf you must have: | ||
+ | |||
+ | [libdefaults] | ||
+ | allow_weak_crypto = yes | ||
+ | default_tkt_enctypes = des-cbc-md5 | ||
+ | default_tgs_enctypes = des-cbc-md5 | ||
=== Kerberos clients === | === Kerberos clients === | ||
+ | I have used MIT client packages and libraryes. | ||
sudo apt-get install krb5-user libpam-krb5 libpam-ccreds auth-client-config | sudo apt-get install krb5-user libpam-krb5 libpam-ccreds auth-client-config | ||
+ | = Single SING ON = | ||
+ | |||
+ | https://help.ubuntu.com/community/SingleSignOn<br> | ||
+ | |||
+ | |||
+ | == pam gid and uid for nfs == | ||
+ | http://hswong3i.net/blog/hswong3i/ldap-single-sign-webmin-ubuntu-12-04-howto<br> | ||
+ | sudo apt-get install libnet-ldap-perl libpam-ldapd libnss-ldapd ldap-utils nscd nslcd | ||
+ | sudo dpkg-reconfigure libpam-ldapd select: group password shadow | ||
+ | sudo dpkg-reconfigure libnss-ldapd | ||
+ | sudo dpkg-reconfigure nslcd | ||
+ | |||
+ | test: | ||
+ | getent passwd | ||
+ | getent group | ||
+ | |||
+ | You should see users at your ldap as well | ||
+ | |||
+ | = Postfix & LDAP = | ||
+ | |||
+ | http://www.postfix.org/LDAP_README.html<br> | ||
+ | http://blog.wains.be/2010/01/25/postfix-virtual-usersgroupsaliases-stored-in-ldap/<br> | ||
= PGP server = | = PGP server = | ||
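Review bot: the krb5.conf fragment under item 3 (allow_weak_crypto = yes together with default_tkt_enctypes / default_tgs_enctypes = des-cbc-md5) downgrades every ticket this client requests to single DES, not only the nfs/ service ticket that the NFS limitation in the linked Red Hat bug is about; the text should state that these three lines are a workaround for that bug and are to be removed once the NFS stack accepts stronger enctypes. In the dhcpd.conf block, ldap-password "secret" is stored in cleartext and sent to port 389 without TLS; ldap-server "localhost" keeps it off the wire, but the chmod 600 that follows should be run before the password is written into the file, not after, since the file is world-readable until then. Also, the heading "= Single SING ON =" should read "= Single SIGN ON =".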
Line 93: | Line 833: | ||
== nfs4 & Kerberos == | == nfs4 & Kerberos == | ||
+ | https://wiki.debian.org/LDAP/NSS<br> | ||
https://we.riseup.net/stefani/kerberos-and-nfs4<br> | https://we.riseup.net/stefani/kerberos-and-nfs4<br> | ||
https://help.ubuntu.com/community/NFSv4Howto<br> | https://help.ubuntu.com/community/NFSv4Howto<br> | ||
Line 98: | Line 839: | ||
https://directory.apache.org/apacheds/kerberos-ug/4.2-authenticate-studio.html<br> | https://directory.apache.org/apacheds/kerberos-ug/4.2-authenticate-studio.html<br> | ||
https://wiki.debian.org/nfs4-kerberos-ldap<br> | https://wiki.debian.org/nfs4-kerberos-ldap<br> | ||
+ | |||
+ | ===ldap & kerberos client=== | ||
+ | https://wiki.debian.org/LDAP/NSS<br | ||
+ | |||
+ | sudo apt-get install nfs-common krb5-user krb5-config | ||
+ | sudo apt-get install sasl2-bin libsasl2-2 libsasl2-modules libsasl2-modules-gssapi-mit | ||
+ | sudo apt-get install libnss-ldapd libsasl2-modules-gssapi-mit kstart | ||
+ | # sudo apt-get install libpam-ccreds LAP TOP's, nscd dose this job as well | ||
+ | |||
+ | libnet-ldap-perl libpam-ldapd libnss-ldapd ldap-utils nscd nslcd | ||
+ | |||
+ | dpkg-reconfigure libpam-ldapd # PAM profiles to enable: Unix authentication, LDAP Authentication | ||
+ | dpkg-reconfigure libnss-ldapd # Name services to configure: group, passwd, shadow | ||
+ | dpkg-reconfigure nslcd # LDAP server URI: ldap://dev6c1/ | ||
+ | # LDAP server search base: dc=localdomain | ||
+ | # LDAP authentication to use: none | ||
+ | #Use StartTLS? No | ||
+ | |||
+ | http://hswong3i.net/blog/hswong3i/ldap-single-sign-webmin-ubuntu-12-04-howto<br> | ||
+ | ldap & kesberos ubuntu to go trough: | ||
+ | |||
+ | http://raerek.blogspot.fi/2012/06/kerberos-with-ldap-backend-on-ubuntu_07.html<br> | ||
+ | http://raerek.blogspot.fi/2012/06/kerberos-with-ldap-backend-on-ubuntu.html<br> part two | ||
+ | http://raerek.blogspot.fi/2012/08/kerberos-with-ldap-backend-on-ubuntu.html<br> part five | ||
+ | |||
+ | === sssd, nss-ldap === | ||
+ | |||
+ | There is several variations to do this,... at moment these are , DO NOT! | ||
+ | |||
+ | http://jurjenbokma.com/ApprenticesNotes/sss_ad_auth.html<br> | ||
+ | |||
+ | check uid= gid used whit pam_sss | ||
+ | sudo nano /etc/pam.d/common-auth | ||
+ | |||
===nfs server=== | ===nfs server=== | ||
+ | |||
+ | http://wiki.linux-nfs.org/wiki/index.php/Nfsv4_configuration<br> | ||
sudo apt-get install nfs-kernel-server | sudo apt-get install nfs-kernel-server | ||
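Review bot: the dpkg-reconfigure nslcd answers record "LDAP authentication to use: none" and "Use StartTLS? No" while libnss-ldapd is configured for group, passwd and shadow, so name-service lookups against ldap://dev6c1/ run anonymously and in cleartext, and any shadow data the server returns crosses the network unprotected; suggest answering StartTLS yes (or binding with SASL/GSSAPI, which is what the libsasl2-modules-gssapi-mit package installed a few lines up provides) and recording that choice in the comments. The line "https://wiki.debian.org/LDAP/NSS<br" is missing the closing ">" of the <br> tag, and "kesberos" should be "kerberos".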
Line 152: | Line 929: | ||
ktutil: wkt /etc/krb5.keytab | ktutil: wkt /etc/krb5.keytab | ||
ktutil: q | ktutil: q | ||
+ | |||
+ | addent -password -p host/mpi1.kurrola.dy.fi@KURROLA.FI -k 1 -e des-cbc-md5 | ||
+ | addent -password -p ldap/mpi1.kurrola.dy.fi@KURROLA.FI -k 1 -e des-cbc-md5 | ||
+ | addent -password -p nfs/mpi1.kurrola.dy.fi@KURROLA.FI -k 1 -e des-cbc-md5 | ||
+ | |||
+ | sudo kinit -p ldap/mpi1.kurrola.dy.fi@KURROLA.FI -k 1 -t /etc/krb5.keytab | ||
+ | |||
+ | kinit -k ldap/mpi1.kurrola.dy.fi@KURROLA.FI -k 1 -t /etc/krb5.keytab | ||
+ | |||
---- | ---- | ||
CategoryNetworking | CategoryNetworking | ||
+ | |||
+ | ==Apache== | ||
+ | |||
+ | http://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html<br> | ||
+ | |||
+ | = DIAGNOSE LDAP INSTALL = | ||
+ | |||
+ | kinit joni | ||
+ | sudo kinit -k | ||
+ | sudo klist -e | ||
+ | sudo klist -ke | ||
+ | klist -e | ||
+ | getent hosts mpi1.kurrola.dy.fi | ||
+ | getent hosts mpi2.kurrola.dy.fi | ||
+ | ps -A | grep nfs | ||
+ | ps xuwa | grep grep rpc.gssd | ||
+ | sudo exportfs -v | ||
+ | showmount -e mpi1.kurrola.dy.fi | ||
+ | rpcinfo -p |
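Review bot: the two kinit lines copy ktutil's "-k 1" into a command where it does not fit: in ktutil, -k 1 is the key version number, but kinit's -k takes no argument (it only means "use a keytab"), so the 1 is left over as a stray positional argument, and -p in MIT kinit requests proxiable tickets rather than naming the principal. The working form is "kinit -k -t /etc/krb5.keytab ldap/mpi1.kurrola.dy.fi@KURROLA.FI". In the DIAGNOSE block, "ps xuwa | grep grep rpc.gssd" searches for the literal string grep in a file named rpc.gssd; it should be "ps xuwa | grep rpc.gssd" (or pgrep rpc.gssd). The ktutil addent lines also create single-DES keys (-e des-cbc-md5), which is what forces the allow_weak_crypto = yes setting in krb5.conf.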
Latest revision as of 19:39, 3 November 2014
Contents
- 1 ApacheDS - LDAP - Kerberos - NFS4 here
- 1.1 Installation 64bit system - current version
- 1.2 Get started
- 1.3 Debian packages
- 1.4 References
- 1.5 Configuration
- 1.6 Dynamic DNS updates
- 1.7 Configuration with LDAP
- 1.8 Leases
- 2 Single SIGN ON
- 3 Postfix & LDAP
- 4 PGP server
- 5 Kerberos
- 6 DIAGNOSE LDAP INSTALL
ApacheDS - LDAP - Kerberos - NFS4 here
STATUS: UNDER WORK
There are many alternatives for LDAP. Most of them are hard to manage and configure, and error-prone. The apacheDS project is not 100% ready yet, but it offers a solution that at least gets NFS4, Kerberos and LDAP deployed in a timely manner for a small network. More at the project pages and packages. Some help can be found on IRC support.
Kindly use the user manuals at the project site. These instructions are Ubuntu-specific and give some contextual knowledge of how apacheDS differs from other LDAP solutions.
Reference materials to read:
LDAP for Rocket Scientists
Debian LDAP & Kerberos
Installation 64bit system - current version
Prerequisite
To confirm the version of Java installed, run
java -version
You'll get output that looks like:
java version "1.7.0_15"
OpenJDK Runtime Environment (IcedTea7 2.3.7) (7u15-2.3.7-0ubuntu1~12.04.1)
OpenJDK 64-Bit Server VM (build 23.7-b01, mixed mode)
This one runs JRE version 7 update 15.
If a Java environment is not installed, install it:
sudo apt-get install openjdk-7-jdk
apacheDS - LDAP - Kerberos server code
mkdir /mpi3/S4/apacheds
wget http://www.trieuvan.com/apache//directory/apacheds/dist/2.0.0-M17/apacheds-2.0.0-M17-amd64.deb
dpkg -i apacheds-2.0.0-M17-amd64.deb
After that the server can be found at /opt/apacheds-2.0.0-M17
The LDAP database is located at /var/lib/apacheds-2.0.0-M17/<instance name>
Servers can be started via Apache Directory Studio, by init script or from the command line:
/opt/apacheds-2.0.0-M17/bin/apacheds <command> <instance name>
Apache Directory Studio - the tool to configure and manage servers
cd /mpi3/S4/apacheds
wget http://apache.spinellicreations.com//directory/studio/dist/2.0.0.v20130628/ApacheDirectoryStudio-linux-x86_64-2.0.0.v20130628.tar.gz
Extract the tar archive.
Get started
Starting Apache Directory Studio:
cd /mpi3/S4/apacheds/ApacheDirectoryStudio-linux-x86_64-2.0.0.v20130628
./ApacheDirectoryStudio
apacheDS is structured in such a way that you can manage several servers. Directory Studio gives an easy way to add, modify and duplicate LDAP directories and Kerberos. There are built-in mechanisms for replication setup. With Studio you can import/export *.ldif and *.schema to and from your installations. See the User's Manuals. In the future there could be NTP, DHCP and DNS; those are already built as experimental servers. This project needs more people to grow.
A created server's configuration and database (<instance name>) is located in /var/lib/apacheds-2.0.0-M17/<instance name>, and it can be deployed simply by copying that directory.
replication
http://joacim.breiler.com/apacheds/ch08s02.html
bind config for kerberos
http://wiki.unixh4cks.com/index.php/Using_DNS_SRV_records_to_find_Kerberos_realm_servers
http://www.rjsystems.nl/en/2100-dns-discovery-kerberos.php
sssd
It looks like nscd does not work with NFS4 + Kerberos, so next I am testing sssd, based on:
http://askubuntu.com/questions/526004/ubuntu-14-with-kerberos-authentication-nslcd-still-needed
Any better ideas let me know!
It seems that nslcd is for Ubuntu and sssd for Fedora?
back to https://help.ubuntu.com/community/SingleSignOn
Ldap for DHCP
Copied from: http://wiki.herzbube.ch/index.php/ISCDHCP
Debian packages
The following Debian packages need to be installed
isc-dhcp-server
References
The following man pages are sufficient to configure DHCP
dhcpd.conf dhcp-options
Configuration
The interfaces to listen on are configured in
/etc/default/isc-dhcp-server
The configuration is stored in
/etc/dhcp/dhcpd.conf
Global options look like this:
# Whether DNS is updated dynamically, and if so, what method/style should be used
ddns-update-style none;

# List an external time server if you don't have your own server
#option time-servers time.euro.apple.com;

# 1 day (24 * 3600 seconds)
default-lease-time 86400;
# 7 days
max-lease-time 604800;

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;
What remains is the part where we actually give out IP addresses:
# Share options in the 192.168.1.0 subnet
group {
  option domain-name "lan.herzbube.ch";
  option domain-name-servers 192.168.1.11 212.101.0.10, 212.101.4.253;
  option subnet-mask 255.255.255.0;
  option broadcast-address 192.168.1.255;
  option routers 192.168.1.11;
  option smtp-server 192.168.1.11;
  option time-servers 192.168.1.11;

  # Provide 48 dynamic addresses between 64 and 111
  subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.64 192.168.1.111;
    authoritative;   # the server is authoritative
  }

  #
  # aka hyperion
  # host technocore {
  #   fixed-address 192.168.1.1;
  #   hardware ethernet :::::;
  # }
  # host mirkwood {
  #   fixed-address 192.168.1.2;
  #   # Busmaster ethernet card 10/100 MBit/s
  #   hardware ethernet 00:C0:26:60:01:A1;
  # }
  host isengard {
    fixed-address 192.168.1.3;
    hardware ethernet 00:05:02:71:EC:AB;
  }
  host moria {
    fixed-address 192.168.1.4;
    hardware ethernet 00:30:65:ef:74:8e;
  }
  # host imladris {
  #   fixed-address 192.168.1.5;
  #   hardware ethernet :::::;
  # }
  # host osgiliath {
  #   # Override the router setting. If we don't do this, and ifup on
  #   # osgiliath acquires a DHCP lease, ifup will add a default route
  #   # to 192.168.1.6 because it thinks this is the default gateway.
  #   # Because osgiliath ***IS*** 192.168.1.6, and the default route
  #   # therefore points back to itself, normal routing to the outside
  #   # world via ADSL no longer works. Effectively, the default route
  #   # to 192.168.1.6 conflicts with the other (correct) default route
  #   # to 192.168.0.1.
  #   option routers 192.168.0.1;
  #   fixed-address 192.168.1.6;
  #   # Integrated ethernet controller 3Com
  #   hardware ethernet 00:26:54:0C:52:06
  #   fixed-address 172.16.13.57;
  #   # National Semiconductor ethernet card
  #   hardware ethernet 00:40:F4:38:E6:FA
  #   fixed-address 192.168.2.1;
  #   # Integrated ethernet controller nVidia
  #   hardware ethernet 00:0C:6E:32:65:91;
  #   fixed-address 192.168.3.1;
  #   # Busmaster DEC ethernet card 10/100 MBit/s
  #   hardware ethernet 00:C0:26:60:01:A1;
  # }
  host fornost {
    hardware ethernet 00:00:e8:88:ab:80;
    fixed-address 192.168.1.7;
  }
  host tharbad {
    hardware ethernet 00:0d:93:b1:eb:c2;
    fixed-address 192.168.1.8;
  }
  host nargothrond {
    hardware ethernet 00:17:f2:cd:5d:09;
    fixed-address 192.168.1.9;
  }
  host nindalf {
    hardware ethernet 10:9a:dd:5d:bb:eb;
    fixed-address 192.168.1.10;
  }
  # host pelargir {
  #   # Override the router setting. For details see the comments above
  #   # in the entry for osgiliath.
  #   option routers 192.168.0.1;
  #   fixed-address 192.168.1.11;
  #   # Integrated gigabit ethernet controller (Intranet wired connections)
  #   hardware ethernet 34:15:9e:2e:ca:38
  #   fixed-address 192.168.0.2;
  #   # Fast ethernet-over-USB controller (Internet uplink)
  #   hardware ethernet 00:24:32:01:a7:83
  # }
  host laserjet1300n {
    hardware ethernet 00:30:6e:d0:e4:20;
    fixed-address 192.168.1.126;
  }
} # end group

# Share options in the 192.168.2.0 subnet
group {
  option domain-name "wifi.herzbube.ch";
  option domain-name-servers 192.168.2.6 212.101.0.10, 212.101.4.253;
  option subnet-mask 255.255.255.0;
  option broadcast-address 192.168.2.255;
  option routers 192.168.2.6;
  option smtp-server 192.168.2.6;
  option time-servers 192.168.2.6;

  # Provide 48 dynamic addresses between 64 and 111
  subnet 192.168.2.0 netmask 255.255.255.0 {
    range 192.168.2.64 192.168.2.111;
    authoritative;   # the server is authoritative
  }

  # host osgiliath {
  #   fixed-address 192.168.2.1;
  #   # Integrated ethernet controller nVidia
  #   hardware ethernet 00:0C:6E:32:65:91;
  # }
  host landroval {
    fixed-address 192.168.2.2;
    hardware ethernet 00:25:00:fe:f4:e3;
  }
  host nargothrond {
    fixed-address 192.168.2.3;
    hardware ethernet 00:19:e3:08:00:a5;
  }
  host buschtrommel {
    fixed-address 192.168.2.4;
    hardware ethernet 00:26:4a:f3:8d:2f;
  }
  host nindalf {
    fixed-address 192.168.2.5;
    hardware ethernet c8:bc:c8:f1:77:61;
  }
  # host pelargir {
  #   fixed-address 192.168.2.6;
  #   # Gigabit ethernet-over-USB controller (Intranet wireless connections)
  #   hardware ethernet 00:12:17:f2:34:05
  # }
}
Dynamic DNS updates
Overview
When the DHCP server assigns a new address to a client, it can send this information to a cooperating DNS server which will then update its DNS records accordingly.
This does not work for fixed IP addresses! Clients whose IP addresses should be managed like this must not contain the fixed-address option. I have tried adding ddns-updates on for such hosts, but it didn't work.
References
The information in this chapter primarily comes from the dhcpd.conf man page, section "DYNAMIC DNS UPDATES". The following article has also been valuable as a starter: http://www.debian-administration.org/article/Configuring_Dynamic_DNS__DHCP_on_Debian_Stable.
Enable dynamic DNS updates
The main configuration option that needs to be set to make the DHCP daemon perform dynamic DNS updates is this:
ddns-update-style interim;
Defining who is responsible for updating the DNS server
When the DHCP daemon hands out an IP address, DNS needs to be updated in two ways:
- Forward resolution, or the "A" record needs to be updated
- Reverse resolution, or the "PTR" record needs to be updated
It is possible to configure the DHCP daemon so that it allows the client to update its own "A" record. This feature is actually turned on by default, but in my network I don't want this and therefore set the following configuration option:
deny client-updates; # tell the client it is not allowed to do updates
Client FQDN used for talking to the DNS server
The DHCP daemon will form the FQDN of a client by concatenating the client's hostname and domain name:
- The client's hostname is determined by one of the following options. Options further up in the list have precedence.
  - ddns-hostname inside a host declaration
  - host-name inside a host declaration
  - The name used for the host declaration (this is the declaration that starts with the keyword host)
- The domain name is determined by one of the following options. Options further up in the list have precedence.
  - ddns-domainname
  - Probably domain-name. I say "probably" because this has not been thoroughly researched. The only statement I can make is this: Even though ddns-domainname is not specified, everything seems to work. The only other source for the domain name that I can see is domain-name.
Communication with the DNS server
The DHCP daemon needs to know where the DNS server to update lives. This is achieved by a configuration file snippet like this:
# This file defines a secret that is used by DHCP to authenticate itself to the # DNS server. It is also included by the DNS server configuration. There is no # need for two files with different formats because both DHCP and BIND servers # are implemented by ISC. include "/etc/bind/dhcp-updater.key"; # The forward zone (note the trailing ".") zone lan.herzbube.ch. { # Where does the primary DNS server live? primary 127.0.0.1; # Reference to the key defined in the file included further up key dhcp-updater; } # The reverse zone zone 1.168.192.in-addr.arpa. { primary 127.0.0.1; key dhcp-updater; } # The forward zone (note the trailing ".") zone wifi.herzbube.ch. { # Where does the primary DNS server live? primary 127.0.0.1; # Reference to the key defined in the file included further up key dhcp-updater; } # The reverse zone zone 2.168.192.in-addr.arpa. { primary 127.0.0.1; key dhcp-updater; }
For a detailed discussion about the authentication secret file, see the BIND page.
Noteworthy options that remain unused
The following options are noteworthy, but remain unused since the defaults are acceptable:
- ddns-rev-domainname: Can be used to specify the domain name for the reverse zone. This is appended to the reversed IP address of the client. The default is "in-addr.arpa."
- ddns-updates: Can be used to turn dynamic DNS updates on or off within the scope where this option appears. The default is "on".
Configuration with LDAP
Reference
The reference for the following configuration steps is
/usr/share/doc/isc-dhcp-server-ldap
This document can also be found online.
Task overview
To integrate the ISC DHCP server with LDAP, the following tasks need to be done in the listed order. Most of them are explained in more detail in one of the following chapters.
- Install Debian package
- Configure the LDAP server
- Use the schema provided by the DHCP package
- Use additional indices
- Add new ACLs for the DHCP DN (the DN that DHCP is going to use for directory access)
- Modify the LDAP directory
- Add entries to the directory that represent the DHCP configuration formerly located in /etc/dhcp/dhcpd.conf
- Add an entry to the directory that is used by the DHCP server for authentication
- Configure DHCP to use LDAP
Install Debian package
The following Debian package needs to be installed:
isc-dhcp-server-ldap
This package seamlessly replaces the original DHCP server by installing a new version of the DHCP server binary. The original binary is preserved under a new name.
osgiliath:~# ls -l /usr/sbin/dhcpd*
-rwxr-xr-x 1 root root 755332 May 19 08:13 /usr/sbin/dhcpd
-rwxr-xr-x 1 root root 730408 May 19 08:13 /usr/sbin/dhcpd-noldap
The package also provides important files in /usr/share/doc/isc-dhcp-server-ldap which we are going to use in the next steps:
- The LDAP schema for DHCP
- A utility perl script that converts the regular DHCP configuration file /etc/dhcp/dhcpd.conf into an LDIF data file that can then be used to populate the LDAP directory
Configure the LDAP server
Schema
Manually copy dhcp.schema into the LDAP schema directory:
cd /etc/ldap/schema
cp /usr/share/doc/isc-dhcp-server-ldap/dhcp.schema.gz .
gunzip dhcp.schema.gz
Configure slapd to load the schema by adding the following line to /etc/ldap/slapd.conf:
include /etc/ldap/schema/dhcp.schema
Indices
Configure additional indices by adding the following lines to /etc/ldap/slapd.conf:
# Indices for DHCP (taken from /usr/share/doc/isc-dhcp-server-ldap/README.ldap.gz)
index dhcpHWAddress eq
index dhcpClassData eq
After modifying the file, perform reindexing:
/etc/init.d/slapd stop
slapindex -n 1
/etc/init.d/slapd start
chown openldap:openldap /var/lib/ldap/herzbube.ch/*
Note: I am not sure if any of these indices are required for DHCP/LDAP integration to work. I was too lazy to test this out, I simply assume that the guy who wrote the README file knew what he was writing about.
ACLs
Note: The actual ACLs developed in theory in this chapter can be found over on the OpenLDAP page.
The DHCP server will be accessing the LDAP directory using the DN
cn=dhcp-service,ou=users,dc=herzbube,dc=ch
Our new ACLs do not have to work on the attribute level (e.g. there is no password attribute to protect), instead they simply need to give read-only access to the DHCP server to the following entries:
- All entries under the tree ou=dhcp,dc=herzbube,dc=ch
- All entries directly under the base DN with objectClass=dhcpServer. Note: Every such entry refers to one DHCP server; since we only have one server, there will be only one LDAP entry, but we still use a general-purpose ACL that could be used in a setup with 2 or more DHCP servers.
See the OpenLDAP page for the actual ACLs.
Modify the LDAP directory
Overview
The following entries need to be modified in the LDAP directory:
- The DHCP server itself needs to be defined with a top-level entry directly below the base DN.
- A subtree cn=dhcp,dc=herzbube,dc=ch must be created with corresponding entries that form the DHCP setup.
- Host entries need to be created for machines with known MAC addresses which will get a fixed IP address
- Last but not least, the DN cn=dhcp-service,ou=users,dc=herzbube,dc=ch used for authentication by the DHCP server must be created. ACLs developed further up will refer to this DN, and the DHCP server will be configured later on to use this DN.
Converting dhcpd.conf to LDIF
The task of creating the necessary LDAP directory entries can be vastly simplified by using a utility perl script that converts an existing DHCP configuration file into an LDIF data file. After a review and a couple of minor modifications, the LDIF file can then be simply imported into the LDAP directory.
The script in question is
/usr/share/doc/isc-dhcp-server-ldap/dhcpd-conf-to-ldap.pl.gz
After copying and gunzip'ping the script in /tmp, I used the following command line to generate my LDIF file:
/tmp/dhcpd-conf-to-ldap.pl --dhcpdn "cn=dhcp,dc=herzbube,dc=ch" --conf /etc/dhcp/dhcpd.conf --ldif /tmp/dhcpd.ldif
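The conversion the perl script performs, shown for the host-declaration subset as an added example (this is not the page's dhcpd-conf-to-ldap.pl and not part of the original wiki page). It reads host { hardware ethernet ...; fixed-address ...; } blocks from a constructed dhcpd.conf sample in the page's format, refuses to emit LDIF when two hosts in the group share a MAC or a fixed address, and otherwise renders dhcpHost entries in the layout used further down; the group DN is the page's cn=group-192.168.2.0,cn=dhcp,dc=herzbube,dc=ch.

```python
"""Convert ISC dhcpd.conf host declarations into dhcpHost LDIF entries.

Added example, not the page's dhcpd-conf-to-ldap.pl: it handles only the
host { hardware ethernet ...; fixed-address ...; } subset and, unlike the
perl script, refuses to emit entries that reuse a MAC or fixed address
inside one group, a mistake that is hard to spot once the entries sit in
the directory.
"""
import re

# Constructed sample in the format of the page's dhcpd.conf (hosts of the
# 192.168.2.0 group); the duplicated MAC on ihoernchen is deliberate.
SAMPLE_CONF = """
group {
  option domain-name "wifi.herzbube.ch";
  # host osgiliath {
  #   fixed-address 192.168.2.1;
  #   hardware ethernet 00:0C:6E:32:65:91;
  # }
  host landroval {
    fixed-address 192.168.2.2;
    hardware ethernet 00:25:00:fe:f4:e3;
  }
  host nindalf {
    fixed-address 192.168.2.7;
    hardware ethernet c8:bc:c8:f1:77:61;
  }
  host ihoernchen {
    hardware ethernet c8:bc:c8:f1:77:61;
    fixed-address 192.168.2.8;
  }
}
"""

HOST_RE = re.compile(r"\bhost\s+([\w.-]+)\s*\{([^}]*)\}", re.S)
STMT_RE = re.compile(r"(hardware\s+ethernet|fixed-address)\s+([^;]+);")


def strip_comments(text):
    """Drop everything after '#' on each line so commented-out hosts are ignored."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def parse_hosts(conf_text):
    """Return a list of (name, mac, ip) tuples for the active host declarations.

    MACs are lower-cased so that 00:C0:26:60:01:A1 and 00:c0:26:60:01:a1
    compare equal, which is also how the directory entries on the page spell them.
    """
    hosts = []
    for name, body in HOST_RE.findall(strip_comments(conf_text)):
        mac = ip = None
        for key, value in STMT_RE.findall(body):
            if key.startswith("hardware"):
                mac = value.strip().lower()
            else:
                ip = value.strip()
        hosts.append((name, mac, ip))
    return hosts


def validate_hosts(hosts):
    """Return a list of problems: a MAC or fixed address used by two hosts,
    or a host lacking either. An empty list means the set is consistent."""
    problems = []
    seen_mac, seen_ip = {}, {}
    for name, mac, ip in hosts:
        if mac is None or ip is None:
            problems.append(f"{name}: missing hardware ethernet or fixed-address")
            continue
        if mac in seen_mac:
            problems.append(f"{name}: MAC {mac} already used by {seen_mac[mac]}")
        if ip in seen_ip:
            problems.append(f"{name}: address {ip} already used by {seen_ip[ip]}")
        seen_mac.setdefault(mac, name)
        seen_ip.setdefault(ip, name)
    return problems


def to_ldif(hosts, group_dn):
    """Render dhcpHost entries below group_dn in the layout used on the page."""
    problems = validate_hosts(hosts)
    if problems:
        raise ValueError("refusing to emit LDIF: " + "; ".join(problems))
    entries = []
    for name, mac, ip in hosts:
        entries.append("\n".join([
            f"dn: cn={name},{group_dn}",
            f"cn: {name}",
            "objectClass: top",
            "objectClass: dhcpHost",
            f"dhcpHWAddress: ethernet {mac}",
            f"dhcpStatements: fixed-address {ip}",
        ]))
    return "\n\n".join(entries) + "\n"


if __name__ == "__main__":
    parsed = parse_hosts(SAMPLE_CONF)
    for problem in validate_hosts(parsed):
        print("PROBLEM:", problem)
    # Emit only the consistent subset so the run still shows the LDIF layout.
    print(to_ldif(parsed[:2], "cn=group-192.168.2.0,cn=dhcp,dc=herzbube,dc=ch"))
```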
Add entry that represents the DHCP server
Add the following entry to the LDAP directory:
# You must specify the server's host name in LDAP that you are going to run
# DHCP on and point it to which config tree you want to use. Whenever DHCP
# first starts up, it will do a search for this entry to find out which
# config to use.
#
# Note: We really want the hostname only, not the FQDN.
dn: cn=pelargir,dc=herzbube,dc=ch
cn: pelargir
objectClass: top
objectClass: dhcpServer
dhcpServiceDN: cn=dhcp,dc=herzbube,dc=ch
The cn=dhcp,dc=herzbube,dc=ch subtree
Create the entry with DN cn=dhcp,dc=herzbube,dc=ch. This entry forms the root of a subtree into which we will now place further entries that form the entire DHCP configuration.
# Here is the entry that starts the DHCP config subtree
# that cn=osgiliath,dc=herzbube,dc=ch points to.
dn: cn=dhcp,dc=herzbube,dc=ch
cn: dhcp
objectClass: top
objectClass: dhcpService
objectClass: dhcpOptions
dhcpPrimaryDN: cn=pelargir,dc=herzbube,dc=ch
dhcpStatements: ddns-update-style interim
dhcpStatements: default-lease-time 86400
dhcpStatements: max-lease-time 604800
dhcpStatements: log-facility local7
dhcpStatements: deny client-updates
dhcpStatements: include "/etc/bind/dhcp-updater.key"
#dhcpOption: time-servers time.euro.apple.com

# Define a group for hosts in the 192.168.1.0 network. This includes
# all of our known MAC addresses, and a range of 48 dynamically
# allocated addresses. The group entry also contains common options for
# all hosts in this group.
dn: cn=group-192.168.1.0,cn=dhcp,dc=herzbube,dc=ch
cn: group-192.168.1.0
objectClass: top
objectClass: dhcpGroup
objectClass: dhcpOptions
dhcpStatements: zone lan.herzbube.ch. { primary 127.0.0.1; key dhcp-updater; }
dhcpStatements: zone 1.168.192.in-addr.arpa. { primary 127.0.0.1; key dhcp-updater; }
dhcpOption: domain-name "lan.herzbube.ch"
dhcpOption: domain-name-servers 192.168.1.11, 212.101.0.10, 212.101.4.253
dhcpOption: subnet-mask 255.255.255.0
dhcpOption: broadcast-address 192.168.1.255
dhcpOption: routers 192.168.1.11
dhcpOption: smtp-server 192.168.1.11
dhcpOption: time-servers 192.168.1.11

# The 192.168.1.0 subnet definition is a child of the group entry.
# The subnet definition specifies that only 48 addresses may be
# dynamically allocated.
dn: cn=192.168.1.0,cn=group-192.168.1.0,cn=dhcp,dc=herzbube,dc=ch
cn: 192.168.1.0
objectClass: top
objectClass: dhcpSubnet
dhcpNetMask: 24
dhcpRange: 192.168.1.64 192.168.1.111
dhcpStatements: authoritative

# Define a group for hosts in the 192.168.2.0 network. This includes
# all of our known MAC addresses, and a range of 48 dynamically
# allocated addresses. The group entry also contains common options for
# all hosts in this group.
dn: cn=group-192.168.2.0,cn=dhcp,dc=herzbube,dc=ch
cn: group-192.168.2.0
objectClass: top
objectClass: dhcpGroup
objectClass: dhcpOptions
dhcpStatements: zone wifi.herzbube.ch. { primary 127.0.0.1; key dhcp-updater; }
dhcpStatements: zone 2.168.192.in-addr.arpa. { primary 127.0.0.1; key dhcp-updater; }
dhcpOption: domain-name "wifi.herzbube.ch"
dhcpOption: domain-name-servers 192.168.2.6, 212.101.0.10, 212.101.4.253
dhcpOption: subnet-mask 255.255.255.0
dhcpOption: broadcast-address 192.168.2.255
dhcpOption: routers 192.168.2.6
dhcpOption: smtp-server 192.168.2.6
dhcpOption: time-servers 192.168.2.6

# The 192.168.2.0 subnet definition is a child of the group entry.
# The subnet definition specifies that only 48 addresses may be
# dynamically allocated.
dn: cn=192.168.2.0,cn=group-192.168.2.0,cn=dhcp,dc=herzbube,dc=ch
cn: 192.168.2.0
objectClass: top
objectClass: dhcpSubnet
dhcpNetMask: 24
dhcpRange: 192.168.2.64 192.168.2.111
dhcpStatements: authoritative
Host definitions
The idea would have been to use the dhcpHostDN attribute, which is possible inside the dhcpGroup object class, to refer to host entries in the ou=hosts,dc=herzbube,dc=ch, and to augment those entries with the object class dhcpHost.
Unfortunately there is a problem with the current DHCP LDAP schema definition: The object class dhcpHost is not auxiliary! This means that other existing objects in the LDAP directory which represent a host, such as the ipHost entries below the subtree ou=hosts,dc=herzbube,dc=ch, cannot be augmented with the dhcpHost object class. So in the end, the whole idea of referring to entries in the ou=hosts subtree falls flat on its face. For the moment I ignore the possibility that the scheme would not have worked anyway because I don't know the exact semantics of dhcpHostDN, and whether the patched DHCP server would follow a reference to another subtree in the first place.
Although the DHCP LDAP schema is only a draft and not a formal standard (see this document), I am currently reluctant to modify the schema to make it fit my purposes, because I don't know what trouble I would be inviting and at the moment just want the damn thing to work. After a bit of googling, I found that somebody else would also have preferred dhcpHost to be an auxiliary object class, but one of the co-authors of the draft responds that it would be better to create a new object class dhcpHostAux which essentially duplicates the original object class but has the AUXILIARY flag turned on. I don't see the reason for this, and unfortunately the draft co-author doesn't give a reason, either.
So after all this thinking, the final defeat: Here are the host definitions that have to be placed below the cn=dhcp,dc=herzbube,dc=ch subtree:
dn: cn=technocore,cn=group-192.168.1.1,cn=dhcp,dc=herzbube,dc=ch
cn: technocore
objectClass: top
objectClass: dhcpHost
#dhcpHWAddress: ethernet ??:??:??:??:??:??
dhcpStatements: fixed-address 192.168.1.1

dn: cn=mirkwood,cn=group-192.168.1.1,cn=dhcp,dc=herzbube,dc=ch
cn: mirkwood
objectClass: top
objectClass: dhcpHost
dhcpHWAddress: ethernet 00:c0:26:60:01:a1
dhcpStatements: fixed-address 192.168.1.2

dn: cn=isengard,cn=group-192.168.1.0,cn=dhcp,dc=herzbube,dc=ch
cn: isengard
objectClass: top
objectClass: dhcpHost
dhcpHWAddress: ethernet 00:05:02:71:ec:ab
dhcpStatements: fixed-address 192.168.1.3

dn: cn=moria,cn=group-192.168.1.0,cn=dhcp,dc=herzbube,dc=ch
cn: moria
objectClass: top
objectClass: dhcpHost
dhcpHWAddress: ethernet 00:30:65:ef:74:8e
dhcpStatements: fixed-address 192.168.1.4

# 192.168.1.5 = imladris.lan.herzbube.ch
# 192.168.1.6 = osgiliath.lan.herzbube.ch

dn: cn=fornost,cn=group-192.168.1.0,cn=dhcp,dc=herzbube,dc=ch
cn: fornost
objectClass: top
objectClass: dhcpHost
dhcpHWAddress: ethernet 00:00:e8:88:ab:80
dhcpStatements: fixed-address 192.168.1.7

dn: cn=tharbad,cn=group-192.168.1.0,cn=dhcp,dc=herzbube,dc=ch
cn: tharbad
objectClass: top
objectClass: dhcpHost
dhcpHWAddress: ethernet 00:0d:93:b1:eb:c2
dhcpStatements: fixed-address 192.168.1.8

dn: cn=nargothrond,cn=group-192.168.1.0,cn=dhcp,dc=herzbube,dc=ch
cn: nargothrond
objectClass: top
objectClass: dhcpHost
dhcpHWAddress: ethernet 00:17:f2:cd:5d:09
dhcpStatements: fixed-address 192.168.1.9

dn: cn=nindalf,cn=group-192.168.1.0,cn=dhcp,dc=herzbube,dc=ch
cn: nindalf
objectClass: top
objectClass: dhcpHost
dhcpHWAddress: ethernet 10:9a:dd:5d:bb:eb
dhcpStatements: fixed-address 192.168.1.10

# 192.168.1.11 = pelargir.lan.herzbube.ch

dn: cn=laserjet1300n,cn=group-192.168.1.0,cn=dhcp,dc=herzbube,dc=ch
cn: laserjet1300n
objectClass: top
objectClass: dhcpHost
dhcpHWAddress: ethernet 00:30:6e:d0:e4:20
dhcpStatements: fixed-address 192.168.1.126

# 192.168.2.1 = osgiliath.wifi.herzbube.ch

dn: cn=landroval,cn=group-192.168.2.0,cn=dhcp,dc=herzbube,dc=ch
cn: landroval
objectClass: top
objectClass: dhcpHost
dhcpHWAddress: ethernet 00:25:00:fe:f4:e3
dhcpStatements: fixed-address 192.168.2.2

dn: cn=nargothrond,cn=group-192.168.2.0,cn=dhcp,dc=herzbube,dc=ch
cn: nargothrond
objectClass: top
objectClass: dhcpHost
dhcpHWAddress: ethernet 00:19:e3:08:00:a5
dhcpStatements: fixed-address 192.168.2.3

dn: cn=buschtrommel,cn=group-192.168.2.0,cn=dhcp,dc=herzbube,dc=ch
cn: buschtrommel
objectClass: top
objectClass: dhcpHost
dhcpHWAddress: ethernet 00:26:4a:f3:8d:2f
dhcpStatements: fixed-address 192.168.2.4

dn: cn=bundeslade,cn=group-192.168.2.0,cn=dhcp,dc=herzbube,dc=ch
cn: bundeslade
objectClass: top
objectClass: dhcpHost
dhcpHWAddress: ethernet d8:a2:5e:07:b7:7d
dhcpStatements: fixed-address 192.168.2.5

# 192.168.2.6 = pelargir.wifi.herzbube.ch

dn: cn=nindalf,cn=group-192.168.2.0,cn=dhcp,dc=herzbube,dc=ch
cn: nindalf
objectClass: top
objectClass: dhcpHost
dhcpHWAddress: ethernet c8:bc:c8:f1:77:61
dhcpStatements: fixed-address 192.168.2.7

dn: cn=ihoernchen,cn=group-192.168.2.0,cn=dhcp,dc=herzbube,dc=ch
cn: ihoernchen
objectClass: top
objectClass: dhcpHost
dhcpHWAddress: ethernet c8:bc:c8:f1:77:61
dhcpStatements: fixed-address 192.168.2.8

dn: cn=wundertuete,cn=group-192.168.2.0,cn=dhcp,dc=herzbube,dc=ch
cn: wundertuete
objectClass: top
objectClass: dhcpHost
dhcpHWAddress: ethernet 04:54:53:28:aa:9f
dhcpStatements: fixed-address 192.168.2.9
Create authentication DN
The DHCP server needs to authenticate in order to access the LDAP directory. For this purpose, we need to create an authentication entry with DN cn=dhcp-service,ou=users,dc=herzbube,dc=ch. Give the entry a password and a nice description, and that's all there is to it.
Configure DHCP to use LDAP
Place the following block into /etc/dhcp/dhcpd.conf:
ldap-server "localhost";
ldap-port 389;
ldap-username "cn=dhcp-service,ou=users,dc=herzbube,dc=ch";
ldap-password "secret";
ldap-base-dn "dc=herzbube,dc=ch";
# Dynamic = Hosts are looked up every time a DHCP request comes in
# Static = Read entire configuration, including hosts, only once at startup
ldap-method dynamic;
ldap-debug-file "/var/log/dhcp-ldap-startup.log";
Because the configuration file now contains the bind password in cleartext, restrict the file's permissions (and keep it owned by root):
chmod 600 /etc/dhcp/dhcpd.conf
Note that the bind itself goes over plain LDAP on port 389, so the password crosses the wire unencrypted; that is acceptable only because the server is localhost. If the directory ever moves to another host, switch to LDAPS or StartTLS rather than pointing ldap-server at a remote machine as-is.
Leases
The current leases are stored in the following file (regardless of whether the DHCP server uses LDAP or not):
/var/lib/dhcp/dhcpd.leases
The leases file can be edited by hand, but the DHCP server must be restarted for the changes to take effect.
Note: the leases file may contain many entries for the same IP address, because the DHCP server simply appends an entry each time a lease is handed out. When the server is restarted, the leases file is cleaned up.
LDAP for Kerberos / NFS
https://help.ubuntu.com/community/Kerberos
https://directory.apache.org/apacheds/kerberos-ug/4.2-authenticate-studio.html
https://directory.apache.org/apacheds/kerberos-user-guide.html
ApacheDS configuration notes (this is what I got working):
1) In Apache Directory Studio, first add a new server, then rename its default partition, e.g. dc=example,dc=com, to dc=yourserver,dc=edu. This is done on the Partitions tab: select dc=example,dc=com and change the name.
2) Enable both LDAP and Kerberos.
3) With NFS, only ads-krbEncryptionTypes: des-cbc-md5 and ads-krbEncryptionTypes: des3-cbc-sha1-kd could be made to work (see https://bugzilla.redhat.com/show_bug.cgi?id=573968). Because of this, /etc/krb5.conf must contain:
[libdefaults]
    allow_weak_crypto = yes
    default_tkt_enctypes = des-cbc-md5
    default_tgs_enctypes = des-cbc-md5
Caveat: single DES is broken. MIT Kerberos has shipped with allow_weak_crypto = false since 1.8 and removed single-DES support altogether in 1.18, and the Linux NFS code has supported AES enctypes for years, so this setting is only a workaround for the old kernel in that bug report. Treat it as a temporary exception on an isolated network and move the KDC, keytabs and krb5.conf to aes256-cts-hmac-sha1-96 as soon as the kernel allows it.
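The enctype lines above, and the des3-hmac-sha1 ones further down this page, are the kind of setting that quietly survives a migration. As an added example (not from the page, MIT Kerberos or ApacheDS), here is a Python audit that parses the [libdefaults] section of a krb5.conf and flags allow_weak_crypto, single-DES enctypes and deprecated enctypes (triple-DES and RC4). Both sample configurations are constructed here: one mirrors the DES block above, the other shows the AES settings to replace it with; the realm name KURROLA.FI and the KDC address are taken from the page's own later example.

```python
"""Audit the [libdefaults] enctype settings of a krb5.conf for weak or deprecated
ciphers.  Added example; not part of the page, MIT Kerberos or ApacheDS."""
import re

# Enctype names as MIT krb5 spells them.  Single DES is broken (removed in MIT
# krb5 1.18); triple-DES and RC4 are deprecated and should not be configured new.
WEAK = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-cbc-raw", "des-hmac-sha1", "des"}
DEPRECATED = {"des3-cbc-sha1", "des3-hmac-sha1", "des3-cbc-raw", "des3",
              "arcfour-hmac", "rc4-hmac", "arcfour-hmac-md5",
              "arcfour-hmac-exp", "rc4-hmac-exp", "arcfour-hmac-md5-exp"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

# Constructed sample: the DES configuration the NFS notes above require.
PAGE_STYLE_CONF = """\
[libdefaults]
    allow_weak_crypto = yes
    default_tkt_enctypes = des-cbc-md5
    default_tgs_enctypes = des-cbc-md5

[realms]
    KURROLA.FI = {
        kdc = mpi1.kurrola.dy.fi:60088
    }
"""

# Constructed sample: the same section as it should look on a current kernel.
HARDENED_CONF = """\
[libdefaults]
    default_realm = KURROLA.FI
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
"""


def parse_krb5_conf(text):
    """Tiny INI-style reader for krb5.conf: returns {section: {key: value}}.
    Nested stanzas such as REALM = { ... } are skipped; this audit only needs
    the flat keys of [libdefaults]."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if line.endswith("{"):
            depth += 1
            continue
        if line == "}":
            depth -= 1
            continue
        if depth or current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def audit_enctypes(text):
    """Return a list of findings (strings); an empty list means nothing weak was found."""
    lib = parse_krb5_conf(text).get("libdefaults", {})
    findings = []
    if lib.get("allow_weak_crypto", "false").lower() in ("yes", "true", "1"):
        findings.append("allow_weak_crypto enabled: single-DES tickets will be accepted")
    for key in ENCTYPE_KEYS:
        for enc in lib.get(key, "").replace(",", " ").split():
            name = enc.lower()
            if name in WEAK:
                findings.append(f"{key}: {enc} is single DES (broken)")
            elif name in DEPRECATED:
                findings.append(f"{key}: {enc} is deprecated")
    return findings


if __name__ == "__main__":
    for label, conf in (("page-style", PAGE_STYLE_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_enctypes(conf) or "OK")
```

Point it at /etc/krb5.conf on every client and on the KDC host; what the KDC actually issues is governed by the ads-krbEncryptionTypes values in ApacheDS, so change both sides together or clients will fail with "KDC has no support for encryption type".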
Kerberos clients
I have used the MIT client packages and libraries:
sudo apt-get install krb5-user libpam-krb5 libpam-ccreds auth-client-config
Single Sign-On
https://help.ubuntu.com/community/SingleSignOn
PAM uid and gid for NFS
http://hswong3i.net/blog/hswong3i/ldap-single-sign-webmin-ubuntu-12-04-howto
sudo apt-get install libnet-ldap-perl libpam-ldapd libnss-ldapd ldap-utils nscd nslcd
sudo dpkg-reconfigure libpam-ldapd
sudo dpkg-reconfigure libnss-ldapd   # select: group, passwd, shadow
sudo dpkg-reconfigure nslcd
test:
getent passwd
getent group
You should see the users from your LDAP directory listed as well, with the same uid and gid values the NFS server will see.
Postfix & LDAP
http://www.postfix.org/LDAP_README.html
http://blog.wains.be/2010/01/25/postfix-virtual-usersgroupsaliases-stored-in-ldap/
PGP server
http://lists.gnupg.org/pipermail/gnupg-users/2006-February/028058.html
Kerberos
nfs4 & Kerberos
https://wiki.debian.org/LDAP/NSS
https://we.riseup.net/stefani/kerberos-and-nfs4
https://help.ubuntu.com/community/NFSv4Howto
https://help.ubuntu.com/community/Kerberos
https://directory.apache.org/apacheds/kerberos-ug/4.2-authenticate-studio.html
https://wiki.debian.org/nfs4-kerberos-ldap
ldap & kerberos client
https://wiki.debian.org/LDAP/NSS
sudo apt-get install nfs-common krb5-user krb5-config
sudo apt-get install sasl2-bin libsasl2-2 libsasl2-modules libsasl2-modules-gssapi-mit
sudo apt-get install libnss-ldapd libsasl2-modules-gssapi-mit kstart
- sudo apt-get install libpam-ccreds (for laptops, so cached credentials still allow logging in offline; nscd does this job as well)
sudo apt-get install libnet-ldap-perl libpam-ldapd libnss-ldapd ldap-utils nscd nslcd
dpkg-reconfigure libpam-ldapd   # PAM profiles to enable: Unix authentication, LDAP Authentication
dpkg-reconfigure libnss-ldapd   # Name services to configure: group, passwd, shadow
dpkg-reconfigure nslcd          # LDAP server URI: ldap://dev6c1/
                                # LDAP server search base: dc=localdomain
                                # LDAP authentication to use: none
                                # Use StartTLS? No
With "LDAP authentication to use: none" and no StartTLS, nslcd does anonymous, cleartext lookups; that is fine for a test box, but once the shadow map is served from the directory anyone on the network can read what the anonymous bind can. The libsasl2-modules-gssapi-mit and kstart packages are installed so that nslcd can instead bind with SASL/GSSAPI using a keytab-maintained ticket (see the Debian LDAP/NSS page above), and StartTLS should be enabled once the server has a certificate.
http://hswong3i.net/blog/hswong3i/ldap-single-sign-webmin-ubuntu-12-04-howto
LDAP & Kerberos on Ubuntu, to go through:
http://raerek.blogspot.fi/2012/06/kerberos-with-ldap-backend-on-ubuntu_07.html
http://raerek.blogspot.fi/2012/06/kerberos-with-ldap-backend-on-ubuntu.html
part two http://raerek.blogspot.fi/2012/08/kerberos-with-ldap-backend-on-ubuntu.html
part five
sssd, nss-ldap
There are several variations on how to do this; at the moment the following is a DO NOT:
http://jurjenbokma.com/ApprenticesNotes/sss_ad_auth.html
Check which uid and gid are used with pam_sss: sudo nano /etc/pam.d/common-auth
nfs server
http://wiki.linux-nfs.org/wiki/index.php/Nfsv4_configuration
sudo apt-get install nfs-kernel-server
sudo nano /etc/exports :
/export            192.168.0.0/255.255.255.0(rw,no_subtree_check,fsid=0,sync)
#/export/jaettava  192.168.0.40/255.255.255.0(rw,async,insecure,no_subtree_check,fsid=0)
/export/jaettava   gss/krb5(rw,async,insecure,no_subtree_check,fsid=0)
Three things to know about this file: gss/krb5(...) is the old pseudo-client syntax, and current exports(5) expresses the same requirement as a sec= option (sec=krb5, krb5i or krb5p) on a normal client spec; only one export should carry fsid=0, since that marks the NFSv4 pseudo-root; and async trades crash safety for speed while insecure allows requests from unprivileged source ports, so neither belongs on a share you are protecting with Kerberos.
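As an added example (not from the page, nfs-utils or ApacheDS), this Python check parses an exports file the way exportfs reads it (path, then one or more client(options) specs) and reports the pitfalls discussed above: the legacy gss/ client form, more than one fsid=0 pseudo-root, the async and insecure options, and shares that carry no sec= option at all (exports(5) defaults those to sec=sys, i.e. AUTH_UNIX). Both sample files are constructed here; the first reproduces the exports lines above.

```python
"""Audit /etc/exports for NFSv4-with-Kerberos pitfalls.  Added example; not part
of the page, nfs-utils or ApacheDS."""
import re
from collections import Counter

# Constructed sample: the page's exports file, commented line included.
SAMPLE_EXPORTS = """\
/export 192.168.0.0/255.255.255.0(rw,no_subtree_check,fsid=0,sync)
#/export/jaettava 192.168.0.40/255.255.255.0(rw,async,insecure,no_subtree_check,fsid=0)
/export/jaettava gss/krb5(rw,async,insecure,no_subtree_check,fsid=0)
"""

# Constructed sample: the same shares in current exports(5) syntax, Kerberos-only.
FIXED_EXPORTS = """\
/export          192.168.0.0/24(rw,sync,no_subtree_check,fsid=0,sec=krb5p)
/export/jaettava 192.168.0.0/24(rw,sync,no_subtree_check,sec=krb5p)
"""

EXPORT_RE = re.compile(r"^(\S+)\s+(.*)$")
CLIENT_RE = re.compile(r"^([^(\s]+)(?:\((.*)\))?$")


def parse_exports(text):
    """Return [(path, client, [options])] for every client spec in an exports file."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = EXPORT_RE.match(line)
        if not m:
            continue
        path, rest = m.groups()
        for spec in rest.split():
            cm = CLIENT_RE.match(spec)
            if not cm:
                continue
            client, opts = cm.group(1), cm.group(2) or ""
            out.append((path, client, [o.strip() for o in opts.split(",") if o.strip()]))
    return out


def audit_exports(text):
    """Return a list of findings; an empty list means the file passed every check."""
    findings, roots = [], Counter()
    for path, client, opts in parse_exports(text):
        where = f"{path} -> {client}"
        legacy_gss = client.startswith("gss/")
        if legacy_gss:
            findings.append(f"{where}: legacy gss/ client syntax; use sec={client[4:]} instead")
        if "fsid=0" in opts:
            roots[path] += 1
        if "insecure" in opts:
            findings.append(f"{where}: 'insecure' accepts requests from unprivileged source ports")
        if "async" in opts:
            findings.append(f"{where}: 'async' risks data loss if the server crashes")
        if not legacy_gss and not any(o.startswith("sec=") for o in opts):
            findings.append(f"{where}: no sec= option, so the share is reachable with sec=sys (AUTH_UNIX)")
    if len(roots) > 1:  # distinct paths; the same root exported to two clients is fine
        findings.append("fsid=0 (NFSv4 pseudo-root) given to more than one export: " + ", ".join(roots))
    return findings


if __name__ == "__main__":
    for label, text in (("page", SAMPLE_EXPORTS), ("fixed", FIXED_EXPORTS)):
        print(label, audit_exports(text) or "OK")
```

Run it before `exportfs -ra`; `exportfs -v` afterwards (listed under the diagnostics at the end of this page) shows the options the kernel actually applied, including the implicit sec=sys.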
sudo nano /etc/krb5.conf
....
default_tgs_enctypes = des3-hmac-sha1
default_tkt_enctypes = des3-hmac-sha1
permitted_enctypes = des3-hmac-sha1
.....
[realms]
KURROLA.FI = {
kdc = mpi1.kurrola.dy.fi:60088
kdc = mpi2.kurrola.dy.fi:60088
kdc = 192.168.0.41:60088
kdc = 192.168.0.40:60088
admin_server = mpi1.kurrola.dy.fi:60088
}
[domain_realm]
.kurrola.dy.fi = KURROLA.FI
kurrola.dy.fi = KURROLA.FI
[login]
krb4_convert = true
krb4_get_tickets = false
server:
ktutil
ktutil: addent -password -p nfs/KURROLA.FI@KURROLA.FI -k 1 -e des3-hmac-sha1
<password>
ktutil: wkt /etc/krb5.keytab
ktutil: q
Two things must match for this keytab to be usable: the principal must be the NFS service principal of this host, nfs/<fqdn of the server>@REALM (the client example below uses that form: nfs/kaak.kurrola.dy.fi@KURROLA.FI), and the key version (-k) and enctype (-e) must be the ones the KDC holds for that principal, otherwise rpc.svcgssd cannot decrypt the client's ticket. Compare with sudo klist -ke after writing the keytab, and keep /etc/krb5.keytab mode 600 and owned by root, since it is equivalent to the service's password.
nfs client
sudo apt-get install nfs-common krb5-user krb5-config
client:
ktutil
ktutil: addent -password -p nfs/kaak.kurrola.dy.fi@KURROLA.FI -k 1 -e des3-hmac-sha1
<password>
ktutil: wkt /etc/krb5.keytab
ktutil: q
For the mpi1 host, which also runs the directory, the same keytab carries the host, ldap and nfs principals:
addent -password -p host/mpi1.kurrola.dy.fi@KURROLA.FI -k 1 -e des-cbc-md5
addent -password -p ldap/mpi1.kurrola.dy.fi@KURROLA.FI -k 1 -e des-cbc-md5
addent -password -p nfs/mpi1.kurrola.dy.fi@KURROLA.FI -k 1 -e des-cbc-md5
To verify that the keytab entry works, obtain a ticket from it:
sudo kinit -k -t /etc/krb5.keytab ldap/mpi1.kurrola.dy.fi@KURROLA.FI
kinit's -k takes no argument (the keytab is given with -t), so "-k 1" is parsed as the principal name "1" and fails.
CategoryNetworking
Apache
http://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html
DIAGNOSE LDAP INSTALL
kinit joni                          # user ticket
sudo kinit -k                       # host ticket from /etc/krb5.keytab
sudo klist -e                       # ticket cache, with enctypes
sudo klist -ke                      # keytab contents, with enctypes
klist -e
getent hosts mpi1.kurrola.dy.fi     # name resolution for the KDC/NFS hosts
getent hosts mpi2.kurrola.dy.fi
ps -A | grep nfs
ps xuwa | grep rpc.gssd             # GSS daemon must be running for sec=krb5
sudo exportfs -v                    # exports as the kernel sees them
showmount -e mpi1.kurrola.dy.fi
rpcinfo -p