calab-ntu / gpu-cluster

Eureka and Spock GPU clusters

Set up LDAP server on tumaz #54

Closed xuanweishan closed 8 months ago

xuanweishan commented 11 months ago

Progress

Installation and setup process

Tumaz

ref. :

  1. Install the slapd server: apt install slapd ldap-utils

    A password needs to be set after the first install.

  2. Configure slapd: dpkg-reconfigure slapd

    Omit OpenLDAP server configuration? No
    DNS domain name: tumaz.gpucluster.calab
    Organization name? gpucluster.calab
    Administrator password: PASSWORD
    Confirm password: PASSWORD
    Database backend to use: MDB
    Do you want the database to be removed when slapd is purged? No
    Move old database? Yes
  3. Check that port 389 is open: ss -tlnp | grep slapd

    LISTEN   0         128                 0.0.0.0:389              0.0.0.0:*        users:(("slapd",pid=6758,fd=8))
    LISTEN   0         128                    [::]:389                 [::]:*        users:(("slapd",pid=6758,fd=9))
  4. Edit Manager info

    1. Get password SSHA: slappasswd

      Copy the result and paste to ${password ssha} below

    2. Create a file 'basedn.ldif' with content:

      dn: olcDatabase={1}mdb,cn=config
      changetype: modify
      replace: olcRootDN
      olcRootDN: cn=admincalab,dc=tumaz,dc=gpucluster,dc=calab
      
      dn: olcDatabase={1}mdb,cn=config
      changetype: modify
      replace: olcRootPW
      olcRootPW: ${password ssha}
    3. Add the file to the database: ldapmodify -Y EXTERNAL -H ldapi:/// -f basedn.ldif
    4. Check: grep olcRootDN /etc/ldap/slapd.d/cn\=config/olcDatabase\=\{1\}mdb.ldif

      olcRootDN: cn=admincalab,dc=tumaz,dc=gpucluster,dc=calab

  5. Add necessary schema

    ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
    ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
    ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif

    The schema files need to be loaded in the right order.

  6. Check: slaptest -u

    config file testing succeeded
  7. Add user and group nodes to database

    1. Create 'ou.ldif' with content:

      dn: cn=Manager,dc=tumaz,dc=gpucluster,dc=calab
      objectClass: organizationalRole
      cn: Manager
      description: Directory Manager
      
      dn: ou=People,dc=tumaz,dc=gpucluster,dc=calab
      objectClass: organizationalUnit
      ou: People
      
      dn: ou=Group,dc=tumaz,dc=gpucluster,dc=calab
      objectClass: organizationalUnit
      ou: Group
    2. Add the file to the database: ldapadd -x -W -D "cn=admincalab,dc=tumaz,dc=gpucluster,dc=calab" -f ./ou.ldif

      Returns:
        adding new entry "cn=Manager,dc=tumaz,dc=gpucluster,dc=calab"
        adding new entry "ou=People,dc=tumaz,dc=gpucluster,dc=calab"
        adding new entry "ou=Group,dc=tumaz,dc=gpucluster,dc=calab"

  8. Add Linux user information to the database (ref. https://kb.brightcomputing.com/knowledge-base/how-can-i-migrate-system-users-to-ldap/)

    1. Install migrationtools:
      1. apt install migrationtools
      2. Modify /usr/share/perl5/migrate_common.ph:
        $DEFAULT_MAIL_DOMAIN = "gpucluster.calab";
        $DEFAULT_BASE = "dc=tumaz,dc=gpucluster,dc=calab";
        $EXTENDED_SCHEMA = 1;

        Modify /usr/share/migrationtools/migrate_passwd.pl

        #print $HANDLE "objectClass: krb5Principal\n";
        #print $HANDLE "krb5PrincipalName: $user\@$DEFAULT_REALM\n";
      3. Extract user and group information from /etc/passwd and /etc/group into local files, users and group.
      4. Convert users and group to LDIF files
        /usr/share/migrationtools/migrate_group.pl ./group > group.ldif
        /usr/share/migrationtools/migrate_passwd.pl ./users > user.ldif
      5. Check user.ldif and group.ldif
        1. Change the mail items to the users' emails in '()'
        2. Make the cn and sn items the same as uid
      6. Add group and user information to the database
        ldapadd -x -W -D "cn=admincalab,dc=tumaz,dc=gpucluster,dc=calab" -f group.ldif
        ldapadd -x -W -D "cn=admincalab,dc=tumaz,dc=gpucluster,dc=calab" -f user.ldif
  9. Set up TLS for LDAP server

    1. apt install gnutls-bin ssl-cert
    2. Create a private key for the Certificate Authority: certtool --generate-privkey --bits 4096 --outfile /etc/ssl/private/mycakey.pem
    3. Create the template/file /etc/ssl/ca.info to define the CA:
      cn = gpucluster calab
      ca
      cert_signing_key
      expiration_days = 3650
    4. Create the self-signed CA certificate: certtool --generate-self-signed --load-privkey /etc/ssl/private/mycakey.pem --template /etc/ssl/ca.info --outfile /usr/local/share/ca-certificates/mycacert.crt
    5. update-ca-certificates
    6. Make a private key for the server: certtool --generate-privkey --bits 2048 --outfile /etc/ldap/ldap01_slapd_key.pem
    7. Create the /etc/ssl/tumaz.gpucluster.calab.info:
      organization = gpucluster calab
      cn = tumaz.gpucluster.calab
      tls_www_server
      encryption_key
      signing_key
      expiration_days = 3650
    8. Create the server's certificate (the template is the file created in the previous step): certtool --generate-certificate --load-privkey /etc/ldap/ldap01_slapd_key.pem --load-ca-certificate /etc/ssl/certs/mycacert.pem --load-ca-privkey /etc/ssl/private/mycakey.pem --template /etc/ssl/tumaz.gpucluster.calab.info --outfile /etc/ldap/ldap01_slapd_cert.pem
    9. Adjust permissions and ownership:
      chgrp openldap /etc/ldap/ldap01_slapd_key.pem
      chmod 0640 /etc/ldap/ldap01_slapd_key.pem
    10. Create the file certinfo.ldif:
      dn: cn=config
      add: olcTLSCACertificateFile
      olcTLSCACertificateFile: /etc/ssl/certs/mycacert.pem
      -
      add: olcTLSCertificateFile
      olcTLSCertificateFile: /etc/ldap/ldap01_slapd_cert.pem
      -
      add: olcTLSCertificateKeyFile
      olcTLSCertificateKeyFile: /etc/ldap/ldap01_slapd_key.pem
    11. Use the ldapmodify command to tell slapd about our TLS work via the slapd-config database: ldapmodify -Y EXTERNAL -H ldapi:/// -f certinfo.ldif
    12. Edit /etc/default/slapd and include ldaps:/// in SLAPD_SERVICES:
      SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"
    13. systemctl restart slapd
  10. Install samba tools: apt install samba smbldap-tools

    1. Import samba.ldif into slapd: ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /usr/share/doc/samba/examples/LDAP/samba.ldif
    2. Check: ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config 'cn=*samba*'
    3. Samba indices
      1. Create a file samba_indices.ldif with content:
        dn: olcDatabase={1}mdb,cn=config
        changetype: modify
        replace: olcDbIndex
        olcDbIndex: objectClass eq
        olcDbIndex: uidNumber,gidNumber eq
        olcDbIndex: loginShell eq
        olcDbIndex: uid,cn eq,sub
        olcDbIndex: memberUid eq,sub
        olcDbIndex: member,uniqueMember eq
        olcDbIndex: sambaSID eq
        olcDbIndex: sambaPrimaryGroupSID eq
        olcDbIndex: sambaGroupType eq
        olcDbIndex: sambaSIDList eq
        olcDbIndex: sambaDomainName eq
        olcDbIndex: default sub,eq
      2. Import samba_indices.ldif into slapd: ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f samba_indices.ldif

Pacific

  1. Add LDAP to the machine: Control Panel > LDAP > Server Address: 192.168.0.149 > Next
  2. Bind DN or LDAP manager account: cn=admin,dc=tumaz,dc=gpucluster,dc=calab
    encryption: TLS
    Password: *******
    Base DN: dc=tumaz,dc=gpucluster,dc=calab
  3. Check server architecture > SMB not supported > detail > use CIFS code > Done
  4. Check
    1. Check information of LDAP accounts
    2. Check information of LDAP groups
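The migration in steps 7-8 above goes through migrationtools and then hand-edits user.ldif (cn and sn set to uid, mail addresses filled in) before ldapadd. The script below is an added example, not code from the calab-ntu issue or repository: it produces the same People/Group LDIF directly with awk, applies the cn/sn/mail convention while generating, skips system accounts, carries crypt hashes over from shadow only for accounts that are not locked, and screens any LDIF (basedn.ldif, user.ldif) for password values that are not in a hashed `{SCHEME}` form before they reach the directory. BASE and MAIL_DOMAIN are the values used in the issue; the function names and the sample passwd/shadow/group lines written by `write_sample_files` are constructed for the demo and are not real accounts or hashes.

```shell
#!/bin/sh
# Added example (not from the calab-ntu issue): generate user.ldif/group.ldif
# with awk instead of migrationtools and check LDIFs for unhashed passwords.
# BASE and MAIL_DOMAIN come from the issue; everything else here is assumed.

BASE="dc=tumaz,dc=gpucluster,dc=calab"
MAIL_DOMAIN="gpucluster.calab"

# passwd_to_ldif PASSWD SHADOW [MIN_UID]
# One inetOrgPerson/posixAccount/shadowAccount entry per account with
# uidNumber >= MIN_UID (default 1000), so system accounts stay out of LDAP.
# cn and sn are set to uid and mail to uid@MAIL_DOMAIN (step 8.5 of the issue).
# The crypt hash from SHADOW is carried over as {CRYPT}; locked or empty
# entries ("!...", "*", "") get no userPassword, so those accounts cannot bind.
passwd_to_ldif() {
  awk -F: -v base="$BASE" -v domain="$MAIL_DOMAIN" -v min="${3:-1000}" '
    NR == FNR { hash[$1] = $2; next }        # first file: shadow
    $3 >= min && $1 != "nobody" {            # second file: passwd
      printf "dn: uid=%s,ou=People,%s\n", $1, base
      print "objectClass: inetOrgPerson"
      print "objectClass: posixAccount"
      print "objectClass: shadowAccount"
      printf "uid: %s\ncn: %s\nsn: %s\n", $1, $1, $1
      printf "mail: %s@%s\n", $1, domain
      printf "uidNumber: %s\ngidNumber: %s\n", $3, $4
      printf "homeDirectory: %s\nloginShell: %s\n", $6, $7
      h = hash[$1]
      if (h != "" && h !~ /^[!*]/) printf "userPassword: {CRYPT}%s\n", h
      print ""
    }' "$2" "$1"
}

# group_to_ldif GROUP [MIN_GID]
# One posixGroup per line with gidNumber >= MIN_GID; every comma-separated
# member becomes a memberUid attribute (the attribute indexed in step 10).
group_to_ldif() {
  awk -F: -v base="$BASE" -v min="${2:-1000}" '
    $3 >= min && $1 != "nogroup" {
      printf "dn: cn=%s,ou=Group,%s\n", $1, base
      print "objectClass: posixGroup"
      printf "cn: %s\ngidNumber: %s\n", $1, $3
      n = split($4, m, ",")
      for (i = 1; i <= n; i++) if (m[i] != "") printf "memberUid: %s\n", m[i]
      print ""
    }' "$1"
}

# ldif_cleartext_passwords FILE
# Prints every userPassword/olcRootPW line whose value (plain or base64 "::")
# does not start with a {SCHEME} tag, i.e. would be stored as cleartext.
# Run it on basedn.ldif and user.ldif before ldapadd/ldapmodify.
ldif_cleartext_passwords() {
  grep -iE '^(userPassword|olcRootPW):' "$1" | while IFS= read -r line; do
    rest=${line#*:}
    case "$rest" in
      :*) b=${rest#:}; b=${b# }
          value=$(printf '%s' "$b" | base64 -d 2>/dev/null) || value="" ;;
      *)  value=${rest# } ;;
    esac
    case "$value" in
      '{'*'}'*) ;;                       # {SSHA}, {CRYPT}, ...: hashed form
      *) printf '%s\n' "$line" ;;        # anything else is cleartext
    esac
  done
}

# write_sample_files DIR: constructed sample input (not real accounts/hashes).
write_sample_files() {
  printf '%s\n' \
    'root:x:0:0:root:/root:/bin/bash' \
    'alice:x:1001:1001:Alice:/home/alice:/bin/bash' \
    'bob:x:1002:1002:Bob:/home/bob:/bin/zsh' \
    'svc:x:1003:1003:Service:/srv/svc:/usr/sbin/nologin' > "$1/passwd"
  printf '%s\n' \
    'root:*:19000:0:99999:7:::' \
    'alice:$6$saltsalt$fakehash:19000:0:99999:7:::' \
    'bob:!$6$saltsalt$lockedhash:19000:0:99999:7:::' \
    'svc::19000:0:99999:7:::' > "$1/shadow"
  printf '%s\n' 'root:x:0:' 'alice:x:1001:' 'gpu:x:2000:alice,bob' > "$1/group"
}

# Stand-alone usage: sh ldif_from_passwd.sh demo
if [ "${1:-}" = "demo" ]; then
  dir=$(mktemp -d)
  write_sample_files "$dir"
  passwd_to_ldif "$dir/passwd" "$dir/shadow" > "$dir/user.ldif"
  group_to_ldif "$dir/group" > "$dir/group.ldif"
  [ -z "$(ldif_cleartext_passwords "$dir/user.ldif")" ] && echo "user.ldif: no cleartext passwords"
  echo "LDIF written to $dir"
fi
```

On the real host, point `passwd_to_ldif` at the copies of /etc/passwd and /etc/shadow taken in step 8.3 (shadow is root-only, so run it as root) and feed the output to the same `ldapadd -x -W -D "cn=admincalab,..."` calls as in step 8.6. The mail attribute is filled with uid@gpucluster.calab as migrationtools would; the per-user addresses of step 8.5.1 still have to be substituted afterwards.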
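Step 9 above makes TLS available (ldaps:/// and StartTLS on 389) but keeps plain ldap:/// open, so nothing stops a client from sending the admincalab or a user's password in the clear; the Pacific client only uses TLS because that box was ticked. The LDIF below is an added example, not part of the issue: it tells slapd to refuse simple binds unless the connection already has a security strength factor of at least 128, and raises the SSF assigned to the local ldapi:/// socket to the same value so the `-Y EXTERNAL -H ldapi:///` commands used throughout the issue keep working. The file name require_tls.ldif and the value 128 are assumptions.

```ldif
# Added example (not from the calab-ntu issue): require an encrypted
# connection for simple binds. Apply with
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f require_tls.ldif
dn: cn=config
changetype: modify
replace: olcLocalSSF
olcLocalSSF: 128
-
replace: olcSecurity
olcSecurity: simple_bind=128
```

After this change the `ldapadd -x -W -D "cn=admincalab,..."` commands from steps 7-8, which default to plain ldap://localhost, need `-ZZ` (StartTLS) or `-H ldaps:///` or `-H ldapi:///`; a plain `ldapwhoami -x -W -D "cn=admincalab,dc=tumaz,dc=gpucluster,dc=calab" -H ldap://tumaz.gpucluster.calab` is then rejected with `Confidentiality required (13)`, and the same command with `-ZZ` succeeds, which is the check to run before pointing clients at the server.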
xuanweishan commented 11 months ago

Remove

  1. apt remove --purge slapd