(SimpleBind)
(See also related documents at http://web.singnet.com.sg/~garyttt/)
Purpose:
This document describes the steps involved in configuring a SUN Solaris8/9 Native LDAP Client to work against RedHat/Fedora Directory Server (FDS 7.1 is the previous version; the current release is 1.0.X) using "simple bind authentication" on Solaris8/9.
Fedora Directory Server is the open-source version (without support) of the commercial RedHat Directory Server. It was previously called Netscape Directory Server 7.1, before the product was bought over by RedHat, so it is not a surprise that FDS/RDS (or NDS 7.1) and SUN ONE Directory Server 5.2 (which is said to be based on NDS 6.X) share many similarities. Please visit the following URLs for more information.
Home:
http://directory.fedora.redhat.com/wiki/Main_Page
Features:
http://directory.fedora.redhat.com/wiki/Features
FAQ:
http://directory.fedora.redhat.com/wiki/FAQ
Download:
http://directory.fedora.redhat.com/wiki/Download
Setup:
http://directory.fedora.redhat.com/wiki/Setup
HOW-TO:
http://directory.fedora.redhat.com/wiki/Documentation#Howtos
Public Mail Lists:
https://www.redhat.com/mailman/listinfo/fedora-directory-users
http://lists.fini.net/mailman/listinfo/ldap-interop
http://forum.sun.com/jive/forum.jspa?forumID=13
http://www.dbforums.com (comp.unix.solaris)
GUI Based LDAP account management and data export tools other than
· LDAP Browser/Editor: http://www-unix.mcs.anl.gov/~gawor/ldap/
· JXplorer Java LDAP Browser/Editor: http://pegacat.com/jxplorer/ (can do SSL connection)
· Other Graphical LDAP Tools: http://en.tldp.org/HOWTO/LDAP-HOWTO/graphicaltools.html
· Other LDAP GUI based Tools: http://www.ldapguru.com (check the Top Download links and so on)
· LDAP Exporter: http://www.novell.com/coolsolutions/tools/14287.html (export LDAP data to csv format)
· Novell LDAP CoolTools http://www.novell.com/coolsolutions/tools/bycategory/168.html
· LDAP Account Manager http://lam.sf.net
Example used:
· RedHat EL4 MASTER LDAP Server: ldap1.example.com, 192.168.1.168
· Solaris8 LDAP Client: client2.example.com, 192.168.1.198
· Solaris9 LDAP Client: client3.example.com, 192.168.1.208
Assumptions: A Fedora Directory Server has been installed with sample data (ou=People and ou=Groups, some sample Groups entries), and its "slapd" and admin server have been successfully started.
One button script: if you would like an automated script to perform everything up to Step 1 for you, please click:
https://www.redhat.com/archives/fedora-directory-users/2006-April/msg00105.html
Preparation Steps:
Please ensure that the IP addresses of the LDAP Server(s) are defined in DNS and/or /etc/hosts.
Please ensure that the LDAP domain example.com is defined in /etc/resolv.conf. In the case of Solaris LDAP clients and servers, /etc/defaultdomain should contain "example.com" as the LDAP domain; "domainname `cat /etc/defaultdomain`" can be run to change the domain name with immediate effect.
Please also complete these VERY ESSENTIAL Preparation Steps:
P1) For Solaris8 client, latest kernel patch and LDAP patch 108993 must be applied.
P2) For Solaris9 client, latest kernel patch and LDAP patch 112960 must be applied.
Please refer to the Appendix for a useful script to check multiple patches; modify it to suit your needs.
P3) At the FDS Server, copy 61DUAConfigProfile.ldif and 62nisDomain.ldif (see Appendix) to the $SERVER_ROOT/slapd-`hostname`/config/schema directory, and restart FDS to activate these customized schema files.
P4) Change the default password storage scheme in Fedora Management Console: open Directory Server, click the Directory tab, click "config (XXX acis)", right-click and edit its properties, and change "passwordStorageScheme" from the default "SSHA" to "CRYPT". This is to facilitate the migration of UNIX /etc/shadow and NIS CRYPTed passwords into the LDAP DIT.
P5) Add TWO Access Control Instructions (ACIs) to the rootDN in Fedora Management Console: click "dc=example,dc=com", click "Set Access Permissions", and add a new entry by copying and pasting the following.
(targetattr = "cn||uid||uidNumber||gidNumber||homeDirectory||shadowLastChange||shadowMin||shadowMax||shadowWarning||shadowInactive||shadowExpire||shadowFlag||memberUid")(version 3.0; acl LDAP_Naming_Services_deny_write_access;deny (write) userdn = "ldap:///self";)
and
(target="ldap:///dc=example,dc=com")(targetattr="userPassword")(version 3.0; acl LDAP_Naming_Services_proxy_password_read; allow (compare,search) userdn = "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com";)
Note that the second ACI contains "allow (compare,search)" instead of "allow (compare,read,search)": the "read" permission on userPassword for proxyAgent is removed so that pam_ldap with Account Management (Password Policy) for the Solaris Native LDAP Client (if you do use it) will work.
P6) Add nisDomain "example.com" (perform P6 only after completing P3) by following the steps below:
Log into Fedora Management Console and open Directory Server.
Click the rootDN, i.e. "dc=example,dc=com".
Right-click to edit its properties.
Click "Object Class"; the white area shows the current values, i.e. "top" and "domain".
Click "Add Value" to add an additional objectclass, and click "nisdomainobject". Note that the "nisdomain" attribute will be added at the same time.
Click "nisdomain"; the white area shows an empty value.
Enter "example.com" as the value of the nisdomain attribute, and click "OK".
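As an added example (not part of the original HOWTO), the following Python parses the two ACIs from P5 and checks the property the P5 note relies on: proxyAgent may compare and search userPassword but never read it, and users are denied write on their own naming service attributes. The ACI strings are copied from P5; the parser covers only the targetattr/target/userdn subset of the ACI syntax used there.

```python
import re

# The two ACIs from Preparation Step P5, copied here as test input.
ACIS = [
    '(targetattr = "cn||uid||uidNumber||gidNumber||homeDirectory||shadowLastChange||'
    'shadowMin||shadowMax||shadowWarning||shadowInactive||shadowExpire||shadowFlag||'
    'memberUid")(version 3.0; acl LDAP_Naming_Services_deny_write_access;'
    'deny (write) userdn = "ldap:///self";)',
    '(target="ldap:///dc=example,dc=com")(targetattr="userPassword")(version 3.0; '
    'acl LDAP_Naming_Services_proxy_password_read; allow (compare,search) '
    'userdn = "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com";)',
]
# The variant the P5 note warns against: "read" granted to the proxy agent.
ACI_WITH_READ = ACIS[1].replace("(compare,search)", "(compare,read,search)")

# Subset of the FDS ACI syntax used in P5:
# (target...)(version 3.0; acl name; allow|deny (perms) userdn = "...";)
ACI_RE = re.compile(
    r'(?P<targets>(?:\(\s*target\w*\s*=\s*"[^"]*"\s*\))+)\s*'
    r'\(version\s+3\.0\s*;\s*acl\s+"?(?P<name>[^";]+?)"?\s*;\s*'
    r'(?P<effect>allow|deny)\s*\((?P<perms>[^)]*)\)\s*userdn\s*=\s*"(?P<userdn>[^"]*)"\s*;\s*\)'
)
TARGET_RE = re.compile(r'\(\s*(target\w*)\s*=\s*"([^"]*)"\s*\)')

# Attributes a user must not be able to change on his own entry.
IDENTITY_ATTRS = {"uid", "uidNumber", "gidNumber", "homeDirectory", "memberUid"}


def parse_aci(aci):
    """Return the ACI as a dict: name, target, targetattr list, effect, permission set, userdn."""
    m = ACI_RE.fullmatch(aci.strip())
    if not m:
        raise ValueError("unrecognised ACI syntax: %r" % aci)
    targets = dict(TARGET_RE.findall(m.group("targets")))
    return {
        "name": m.group("name").strip(),
        "target": targets.get("target"),
        "targetattr": [a.strip() for a in targets.get("targetattr", "").split("||") if a.strip()],
        "effect": m.group("effect"),
        "perms": {p.strip().lower() for p in m.group("perms").split(",") if p.strip()},
        "userdn": m.group("userdn"),
    }


def audit_naming_service_acis(acis):
    """Return findings; an empty list means the ACIs match what P5 describes."""
    parsed = [parse_aci(a) for a in acis]
    findings = []
    for aci in parsed:
        attrs = {a.lower() for a in aci["targetattr"]}
        if aci["effect"] == "allow" and "userpassword" in attrs:
            # The proxy agent needs compare/search for pam_ldap; read would hand it every hash.
            if "read" in aci["perms"] or "all" in aci["perms"]:
                findings.append("%s: %s can read userPassword; only compare,search are expected"
                                % (aci["name"], aci["userdn"]))
            if aci["userdn"] in ("ldap:///anyone", "ldap:///all"):
                findings.append("%s: userPassword exposed to %s" % (aci["name"], aci["userdn"]))
    self_deny = [a for a in parsed
                 if a["effect"] == "deny" and a["userdn"] == "ldap:///self" and "write" in a["perms"]]
    if not self_deny:
        findings.append("no ACI denies self-write on the naming service attributes")
    else:
        covered = {a for d in self_deny for a in d["targetattr"]}
        missing = IDENTITY_ATTRS - covered
        if missing:
            findings.append("self-write still possible on: %s" % ", ".join(sorted(missing)))
    return findings
```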
This step is for the LDAP Server: it is intended to add some testing users/groups, and to add DUAConfigProfile based LDAP profiles for the subsequent Solaris LDAP Client "initialization".
Prepare People.ldif and group.ldif and add them to the directory data. You may also add directory data manually using Fedora Management Console.
Note that the FDS default installation does not create an "ou=group", which is more commonly used for group data than "ou=Groups" when setting up the UNIX name service, so group.ldif should take care of creating ou=group.
Tip 1: When you use Fedora Management Console to add a "People" entry, remember to check the "posix" user (posixAccount) option, so that uidNumber and gidNumber can be entered.
Tip 2: Use the $SERVER_ROOT/slapd-`hostname`/getpwenc command to find the encrypted format of an LDAP userPassword.
# cd /opt/fedora-ds/slapd-ldap1
# ./getpwenc CRYPT testpassword
{crypt}GFOZa/ZLlDdng
A sample People.ldif with only two entries is shown here:
dn: uid=gtay, ou=People, dc=example,dc=com
givenName: Gary
sn: Tay
loginShell: /bin/bash
uidNumber: 6167
gidNumber: 102
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
objectClass: shadowAccount
uid: gtay
cn: Gary Tay
homeDirectory: /home/gtay
userPassword: {CRYPT}U8bo2twhJ9Kkg

dn: uid=tuser, ou=People, dc=example,dc=com
givenName: Test
sn: User
loginShell: /bin/bash
uidNumber: 9999
gidNumber: 102
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
objectClass: shadowAccount
uid: tuser
cn: Test User
homeDirectory: /home/tuser
userPassword: {SHA}MWxHz/4F3kXGXlfK4EvIJUo2C2U=
A sample group.ldif with only one group entry is shown here:
dn: ou=group,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: group

dn: cn=Users,ou=group,dc=example,dc=com
cn: Users
gidNumber: 102
objectClass: top
objectClass: posixGroup
memberUid: gtay
memberUid: tuser
A sample proxyAgent_and_profile.ldif containing ou=profile, proxyAgent and the "default" (simple bind authentication method) DUAConfigProfile based profile is shown below:
dn: ou=profile,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: profile

dn: cn=proxyAgent,ou=profile,dc=example,dc=com
objectClass: top
objectClass: person
cn: proxyAgent
sn: proxyAgent
userPassword: {CRYPT}l14aeXtphVSUg

dn: cn=default,ou=profile,dc=example,dc=com
objectClass: top
objectClass: DUAConfigProfile
defaultServerList: 192.168.1.168
defaultSearchBase: dc=example,dc=com
authenticationMethod: simple
followReferrals: TRUE
defaultSearchScope: one
searchTimeLimit: 30
profileTTL: 43200
cn: default
credentialLevel: proxy
bindTimeLimit: 2
serviceSearchDescriptor: passwd: ou=People,dc=example,dc=com?one
serviceSearchDescriptor: group: ou=group,dc=example,dc=com?one
serviceSearchDescriptor: shadow: ou=People,dc=example,dc=com?one
serviceSearchDescriptor: netgroup: ou=netgroup,dc=example,dc=com?one
Now import the ldif files.
# PATH=/opt/fedora-ds/shared/bin:$PATH; export PATH
# LD_LIBRARY_PATH=/opt/fedora-ds/lib:/opt/fedora-ds/shared/lib:/opt/fedora-ds/clients/lib; export LD_LIBRARY_PATH
# /opt/fedora-ds/shared/bin/ldapmodify -a -w - -c -D "cn=Directory Manager" -f People.ldif
# /opt/fedora-ds/shared/bin/ldapmodify -a -w - -c -D "cn=Directory Manager" -f group.ldif
# /opt/fedora-ds/shared/bin/ldapmodify -a -w - -c -D "cn=Directory Manager" -f proxyAgent_and_profile.ldif
For massive import of People and group entries, you may use the "/usr/sbin/ldapaddent" command (see "man ldapaddent" for more details), or you may use PADL's MigrationTools.
http://www.padl.com/OSS/MigrationTools.html
Examples of ldapaddent are listed below. Note the sequence: passwd DB first, then shadow. Note also the use of "-p" to create the userPassword attribute; the CRYPT password is only added when the DB is shadow.
IMPORTANT Note: “ldapaddent” must be run at the LDAP Client, not at the LDAP Server.
# cat test.txt
test9991:x:9991:102:test9991:/var/tmp:/bin/sh
# ldapaddent -v -f test.txt -D "cn=Directory Manager" -p passwd
Enter password:
SERVICE = passwd
Adding entry : test9991
1 entries added
# cat tests.txt
test9991:ElnMr/iU805dA:12881::::::
# ldapaddent -v -f tests.txt -D "cn=Directory Manager" shadow
Enter password:
SERVICE = shadow
Adding entry : test9991
1 entries added
#
IMPORTANT NOTE ABOUT LDIF IMPORT FILES:
When you copy and paste the content of People.ldif and group.ldif, or any other .ldif file from this document, to prepare LDAP data for import using the ldapadd command, please make sure that ALL LEADING AND TRAILING SPACES on every line of the .ldif files are removed, or else the "ldapadd" command will throw errors.
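The passwd/shadow to LDIF conversion that ldapaddent performs, written out as an added Python example (not part of the original HOWTO or of ldapaddent) so that the mapping onto posixAccount/shadowAccount attributes, the {CRYPT} userPassword from P4 and the blank-line rule from the import note are all visible. The sample passwd/shadow lines are constructed, the minimum uid policy is an assumption, and accounts whose shadow field is locked (*LK*, !!) are written without userPassword so they cannot bind.

```python
import re

# Constructed passwd and shadow lines in the same shape as test.txt / tests.txt above.
PASSWD_LINES = [
    "test9991:x:9991:102:test9991:/var/tmp:/bin/sh",
    "locked:x:9992:102:Locked Account:/home/locked:/bin/sh",
    "root:x:0:0:Super-User:/:/sbin/sh",
]
SHADOW_LINES = [
    "test9991:ElnMr/iU805dA:12881::::::",
    "locked:*LK*:12881::::::",
    "root:placeholderhash:12881::::::",   # constructed value, not a real hash
]

# Traditional 13-character DES crypt or a modular "$id$..." hash; anything else
# ("*LK*", "!!", "NP", "x", empty) means locked or no password.
CRYPT_HASH_RE = re.compile(r"^(\$[0-9a-z]+\$[^:]+|[./0-9A-Za-z]{13})$")

# shadow(4) fields 3..9 map onto the shadowAccount attributes listed in the P5 ACI.
SHADOW_ATTRS = ("shadowLastChange", "shadowMin", "shadowMax", "shadowWarning",
                "shadowInactive", "shadowExpire", "shadowFlag")
OBJECT_CLASSES = ("top", "person", "organizationalPerson", "inetorgperson",
                  "posixAccount", "shadowAccount")


def usable_crypt_hash(field):
    """True only for a syntactically valid crypt(3) hash."""
    return bool(CRYPT_HASH_RE.match(field))


def build_entry(pw, sh, people_base):
    """Attribute list for one uid=<name> entry, same layout as People.ldif above."""
    name, _, uid, gid, gecos, home, shell = pw
    cn = gecos.split(",")[0].strip() or name
    sn = cn.split()[-1]
    attrs = [("dn", "uid=%s,%s" % (name, people_base))]
    attrs += [("objectClass", oc) for oc in OBJECT_CLASSES]
    attrs += [("uid", name), ("cn", cn), ("sn", sn), ("uidNumber", uid), ("gidNumber", gid),
              ("homeDirectory", home), ("loginShell", shell or "/bin/sh")]
    if sh is not None:
        if usable_crypt_hash(sh[1]):
            # {CRYPT} prefix: the server stores the hash as-is (storage scheme from P4).
            # Traditional DES crypt is weak by today's standards; it is kept only so
            # existing passwords keep working until users change them.
            attrs.append(("userPassword", "{CRYPT}" + sh[1]))
        for attr, val in zip(SHADOW_ATTRS, sh[2:9]):
            if val:
                attrs.append((attr, val))
    return attrs


def migrate(passwd_lines, shadow_lines, people_base="ou=People,dc=example,dc=com", min_uid=100):
    """Return (ldif_text, report). Assumed policy: uids below min_uid stay in local files."""
    shadow = {}
    for line in shadow_lines:
        fields = line.strip().split(":")
        if len(fields) >= 2:
            shadow[fields[0]] = fields
    entries, report = [], []
    for line in passwd_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            report.append("skipped malformed passwd line: %r" % line)
            continue
        if int(fields[2]) < min_uid:
            report.append("%s: uid %s below %d, left in local files" % (fields[0], fields[2], min_uid))
            continue
        sh = shadow.get(fields[0])
        if sh is None or not usable_crypt_hash(sh[1]):
            report.append("%s: no usable crypt hash, written without userPassword (cannot bind)" % fields[0])
        entries.append(build_entry(fields, sh, people_base))
    # Rules from the LDIF import note: no leading/trailing blanks on any line,
    # exactly one blank line between entries.
    text = "\n\n".join("\n".join("%s: %s" % (a, v.strip()) for a, v in e) for e in entries)
    return text + "\n", report
```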
Try to list the LDAP content at the Solaris client by binding anonymously (without the "-D" option). Note that userPassword never gets listed, due to the ACI we have set at the server end.
# /usr/bin/ldapsearch -h ldap1.example.com -b "dc=example,dc=com" -L "objectclass=*"
dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain
objectClass: nisDomainObject
nisDomain: example.com
…
dn: ou=Groups, dc=example,dc=com
objectClass: top
objectClass: organizationalunit
ou: Groups
dn: ou=People, dc=example,dc=com
objectClass: top
objectClass: organizationalunit
ou: People
dn: ou=Special Users,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Special Users
description: Special Administrative Accounts
dn: ou=group,dc=example,dc=com
ou: group
objectClass: top
objectClass: organizationalUnit
dn: ou=profile,dc=example,dc=com
ou: profile
objectClass: top
objectClass: organizationalUnit
dn: cn=proxyagent,ou=profile,dc=example,dc=com
cn: proxyagent
sn: proxyagent
objectClass: top
objectClass: person
dn: cn=default,ou=profile,dc=example,dc=com
objectClass: top
objectClass: DUAConfigProfile
defaultServerList: 192.168.1.168
defaultSearchBase: dc=example,dc=com
authenticationMethod: simple
followReferrals: TRUE
defaultSearchScope: one
searchTimeLimit: 30
profileTTL: 43200
cn: default
credentialLevel: proxy
serviceSearchDescriptor: passwd:ou=People,dc=example,dc=com?one
serviceSearchDescriptor: group:ou=group,dc=example,dc=com?one
serviceSearchDescriptor: shadow:ou=People,dc=example,dc=com?one
serviceSearchDescriptor: netgroup:ou=netgroup,dc=example,dc=com?one
bindTimeLimit: 10
dn: uid=gtay, ou=People, dc=example,dc=com
givenName: Gary
sn: Tay
loginShell: /bin/bash
uidNumber: 6167
gidNumber: 102
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
objectClass: shadowAccount
uid: gtay
cn: Gary Tay
homeDirectory: /home/gtay
dn: uid=tuser, ou=People, dc=example,dc=com
givenName: Test
sn: User
loginShell: /bin/bash
uidNumber: 9999
gidNumber: 102
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
objectClass: shadowAccount
uid: tuser
cn: Test User
homeDirectory: /home/tuser
dn: cn=Users,ou=group,dc=example,dc=com
cn: Users
gidNumber: 102
objectClass: top
objectClass: posixGroup
memberUid: gtay
memberUid: tuser
Congratulations! You have populated an LDAP server that is capable of answering name service (uid) lookup requests from any LDAP Client.
This step is for Solaris8 and Solaris9 Native LDAP Clients.
Assume that client2.example.com and client3.example.com are Solaris8 and Solaris9 Native LDAP Clients respectively.
Please note that for the Solaris8 LDAP Client, the latest kernel patch and LDAP VERSION 2 Patch 108993-XX must be applied; for the Solaris9 LDAP Client, the latest kernel patch and LDAP Patch 112960-XX must be applied.
Log in to client2 or client3 as 'root'.
There are two files, /var/ldap/ldap_client_file and /var/ldap/ldap_client_cred; the first contains all parameters and the second the password of "proxyAgent".
To generate them for the Solaris8 LDAP Client, as root run ldapclient_init_defaultprofile_sol8.sh.
Content of ldapclient_init_defaultprofile_sol8.sh:
/usr/sbin/ldapclient -v -i -a simple -b dc=example,dc=com -c proxy \
-D cn=proxyAgent,ou=profile,dc=example,dc=com -w password \
-S "passwd: ou=People,dc=example,dc=com?one" \
-S "shadow: ou=People,dc=example,dc=com?one" \
-S "group: ou=group,dc=example,dc=com?one" \
-S "netgroup: ou=netgroup,dc=example,dc=com?one" \
192.168.1.168
echo ...
echo As ldapclient overwrites /etc/nsswitch.conf with /etc/nsswitch.ldap
echo which contains a bug in "hosts:" entry, we need to repair it
sed -e '/^hosts:/s/ldap.*files$/files dns/' \
-e '/^passwd:/a\
shadow: files ldap' \
/etc/nsswitch.ldap >/etc/nsswitch.work
cp /etc/nsswitch.work /etc/nsswitch.conf
echo ...
echo Refresh Name Service Cache Daemon after repairing /etc/nsswitch.conf
/etc/init.d/nscd stop
/etc/init.d/nscd start
echo Done.
# ./ldapclient_init_defaultprofile_sol8.sh
Arguments parsed:
authenticationMethod: simple
defaultSearchBase: dc=example,dc=com
credentialLevel: proxy
proxyDN: cn=proxyAgent,ou=profile, dc=example,dc=com
serviceSearchDescriptor:
arg[0]: passwd: ou=People,dc=example,dc=com?one
arg[1]: shadow: ou=People, dc=example,dc=com?one
arg[2]: group: ou=group, dc=example,dc=com?one
arg[3]: netgroup: ou=netgroup, dc=example,dc=com?one
proxyPassword: password
defaultServerList: 192.168.1.168
Handling manual option
Proxy DN: cn=proxyAgent,ou=profile, dc=example,dc=com
Proxy password: {NS1}ecfa88f3a945c411
Credential level: 1
Authentication method: 1
About to modify this machines configuration by writing the files
Stopping network services
Stopping sendmail
Stopping nscd
Stopping autofs
Stopping ldap
nisd not running
nis_cache not running
nispasswd not running
nis(yp) not running
Removing existing restore directory
file_backup: stat(/etc/nsswitch.conf)=0
file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
file_backup: stat(/etc/defaultdomain)=0
file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
file_backup: stat(/var/nis/NIS_COLD_START)=-1
file_backup: No /var/nis/NIS_COLD_START file.
file_backup: nis domain is "example.com"
file_backup: stat(/var/yp/binding/example.com)=-1
file_backup: No /var/yp/binding/example.com directory.
file_backup: stat(/var/ldap/ldap_client_file)=0
file_backup: (/var/ldap/ldap_client_file -> /var/ldap/restore/ldap_client_file)
file_backup: (/var/ldap/ldap_client_cred -> /var/ldap/restore/ldap_client_cred)
Starting network services
start: /usr/bin/domainname example.com... success
start: /usr/lib/ldap/ldap_cachemgr... success
start: /etc/init.d/autofs start... success
start: /etc/init.d/nscd start... success
start: /etc/init.d/sendmail start... success
System successfully configured
...
As ldapclient overwrites /etc/nsswitch.conf with /etc/nsswitch.ldap
which contains a bug in hosts: entry, we need to repair it
...
Refresh Name Service Cache Daemon after repairing /etc/nsswitch.conf
Done.
To generate them for the Solaris9 LDAP Client, as root run "ldapclient_init_defaultprofile_sol9.sh".
Content of ldapclient_init_defaultprofile_sol9.sh:
/usr/sbin/ldapclient -v init \
-a profileName=default \
-a domainName=example.com \
-a proxyDn=cn=proxyagent,ou=profile,dc=example,dc=com \
-a proxyPassword=password 192.168.1.168
# As ldapclient overwrites /etc/nsswitch.conf with /etc/nsswitch.ldap
# which contains a bug in "hosts:" entry, we need to repair it
sed -e '/^hosts:/s/ldap.*files$/files dns/' \
-e '/^passwd:/a\
shadow: files ldap' \
/etc/nsswitch.ldap >/etc/nsswitch.work
cp /etc/nsswitch.work /etc/nsswitch.conf
# Refresh Name Service Cache Daemon after repairing /etc/nsswitch.conf
/etc/init.d/nscd stop
/etc/init.d/nscd start
# ./ldapclient_init_defaultprofile_sol9.sh
Parsing profileName=default
Parsing domainName=example.com
Parsing proxyDn=cn=proxyagent,ou=profile,dc=example,dc=com
Parsing proxyPassword=password
Arguments parsed:
domainName: example.com
proxyDN: cn=proxyagent,ou=profile, dc=example,dc=com
profileName: default
proxyPassword: password
defaultServerList: 192.168.1.168
Handling init option
About to configure machine by downloading a profile
findBaseDN: begins
findBaseDN: Stopping ldap
findBaseDN: calling __ns_ldap_default_config()
found 2 namingcontexts
findBaseDN: __ns_ldap_list(NULL, "(&(objectclass=nisDomainObject)(nisdomain= example.com))"
rootDN[0] dc=example,dc=com
found baseDN dc=example,dc=com for domain example.com
Proxy DN: cn=proxyagent,ou=profile, dc=example,dc=com
Proxy password: {NS1}ecfa88f3a945c411
Credential level: 1
Authentication method: 1
About to modify this machines configuration by writing the files
Stopping network services
Stopping sendmail
Stopping nscd
Stopping autofs
ldap not running
nisd not running
nis_cache not running
nispasswd not running
nis(yp) not running
Removing existing restore directory
file_backup: stat(/etc/nsswitch.conf)=0
file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
file_backup: stat(/etc/defaultdomain)=0
file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
file_backup: stat(/var/nis/NIS_COLD_START)=-1
file_backup: No /var/nis/NIS_COLD_START file.
file_backup: nis domain is "example.com"
file_backup: stat(/var/yp/binding/example.com)=-1
file_backup: No /var/yp/binding/example.com directory.
file_backup: stat(/var/ldap/ldap_client_file)=0
file_backup: (/var/ldap/ldap_client_file -> /var/ldap/restore/ldap_client_file)
file_backup: (/var/ldap/ldap_client_cred -> /var/ldap/restore/ldap_client_cred)
Starting network services
start: /usr/bin/domainname example.com... success
start: /usr/lib/ldap/ldap_cachemgr... success
start: /etc/init.d/autofs start... success
start: /etc/init.d/nscd start... success
start: /etc/init.d/sendmail start... success
System successfully configured
#
Now that /var/ldap/ldap_client_file and /var/ldap/ldap_client_cred have been generated, take a look at their contents.
Content of /var/ldap/ldap_client_file:
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= 192.168.1.168
NS_LDAP_SEARCH_BASEDN= dc=example,dc=com
NS_LDAP_AUTH= simple
NS_LDAP_SEARCH_REF= TRUE
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_CACHETTL= 43200
NS_LDAP_PROFILE= default
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=People,dc=example,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= group: ou=group,dc=example,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=People,dc=example,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= netgroup: ou=netgroup,dc=example,dc=com?one
NS_LDAP_BIND_TIME= 10
Content of /var/ldap/ldap_client_cred:
NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=example,dc=com
NS_LDAP_BINDPASSWD= {NS1}ecfa88f3a945c411
(Tip: see the Appendix for a script called cr_proyAgent_pw_in_NS1_format.sh to find out the {NS1} formatted password of proxyAgent; this script can only be run on Solaris8.)
Check and change the file permissions of BOTH ldap_client_file and ldap_client_cred if needed:
# cd /var/ldap
# chmod 400 ldap_client_file ldap_client_cred
Edit /etc/nsswitch.conf and make sure that these lines exist:
passwd: files ldap
group: files ldap
shadow: files ldap
hosts: files dns
Now try refreshing ldap_cachemgr and nscd:
# /etc/init.d/ldap.client stop
# /etc/init.d/ldap.client start
# ps -ef | grep ldap
# /etc/init.d/nscd stop
# /etc/init.d/nscd start
# ps -ef | grep nscd
Make sure also that ldap1.example.com is defined in BOTH the "/etc/hosts" file and DNS, and that "hosts: files dns" instead of "hosts: files ldap" is defined in /etc/nsswitch.conf. If "hosts: files ldap" is used, there will be error messages during login, i.e. "unknown host or invalid literal address".
To test the name service, on top of using "id" and "getent", there is also the "ldaplist" command:
# /usr/lib/ldap/ldap_cachemgr -g
# id tuser
uid=9999(tuser) gid=102(Users)
# getent passwd tuser
tuser::9999:102::/home/tuser:/bin/bash
# ldaplist -l passwd tuser
dn: uid=tuser,ou=People,dc=example,dc=com
givenName: Test
sn: User
loginShell: /bin/bash
uidNumber: 9999
gidNumber: 102
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
objectClass: shadowAccount
uid: tuser
cn: Test User
homeDirectory: /home/tuser
Congratulations! You have successfully configured a Solaris Native LDAP Client that is capable of querying the name service (uid) from the LDAP Server.
Refer to http://directory.fedora.redhat.com/wiki/Howto:SSL. To have a one-button setup, create this script, cr_ssl_certs.sh:
#! /bin/sh
#
# cr_ssl_certs.sh - This script works for either Fedora or SUN-ONE DS
#
# Gary Tay
#
# 1) Make sure 'root' is used to run this script
# 2) Make sure /home/ldap/dirmgr.pwd contains password of cn=Directory Manager
#
#set -vx
IS_ROOT_UID=`id | grep "uid=0(root)"`
if [ ! -n "$IS_ROOT_UID" ]; then
echo "Please run this script as root"
exit 1
fi
chmod 700 $0
if [ ! -f /home/ldap/dirmgr.pwd ]; then
echo "Please setup /home/ldap/dirmgr.pwd."
exit 1
else
chmod 600 /home/ldap/dirmgr.pwd
fi
# Please customize the following
HOST=`hostname`
DOMAIN="example.com"
BASEDN="dc=example,dc=com"
FQDN="$HOST.$DOMAIN"
ORG="Example Companies"
OU="Example Org Unit"
LOCALITY="NewYork City"
STATE="NewYork"
COUNTRY="US"
# Uncomment for Fedora/RedHat Directory Server
#SERVER_ROOT="/opt/fedora-ds"
# Uncomment for SUN-ONE/Java System Directory Server
SERVER_ROOT="/var/Sun/mps"
if [ "$SERVER_ROOT" = "/opt/fedora-ds" ]; then
LD_LIBRARY_PATH=$SERVER_ROOT/lib:$SERVER_ROOT/shared/lib
SLAPD_OWNER="ldap"
SLAPD_GROUP="ldap"
TAR_CVF="tar -Pcvf"
TAR_XVF="tar -Pxvf"
fi
if [ "$SERVER_ROOT" = "/var/Sun/mps" ]; then
LD_LIBRARY_PATH=$SERVER_ROOT/lib
SLAPD_OWNER="ldap"
SLAPD_GROUP="daemon"
TAR_CVF="tar -cvf"
TAR_XVF="tar -xvf"
fi
export LD_LIBRARY_PATH
PATH=$SERVER_ROOT/shared/bin:$PATH; export PATH
echo "Please shutdown slapd and Admin Server and perform a tar backup"
echo "and db2ldif backup of currently working system, and restart them again."
echo "Example of tar command: $TAR_CVF /var/tmp/ds_backup.tar $SERVER_ROOT"
echo "When you are ready, answer Yes and press Enter to continue."
echo "Press Ctrl-C to cancel."
read READY
[ "$READY" != "Yes" ] && exit 1
echo "Enter an UNIQUE SERIAL NUMBER for CA Cert."
echo "Eg: 1000 for ldap1, 2000 for ldap2, 3000 for ldap3, etc..."
read UNIQUE_SN_CA
echo "Enter an UNIQUE SERIAL NUMBER for LDAP Server Cert."
echo "Eg: 1001 for ldap1, 1002 for ldap2, 1003 for ldap3."
read UNIQUE_SN_LDAP
cd $SERVER_ROOT/alias
echo "Backing up existing *.db (if any) to backup_$$."
mkdir -p backup_$$ >/dev/null 2>/dev/null
cp -p *.db backup_$$ >/dev/null 2>/dev/null
/bin/rm -f *.db >/dev/null 2>/dev/null
echo "secretpwd" >pwdfile.txt
chmod 600 pwdfile.txt
echo "dsadasdasdasdadasdasdasdasdsadfwerwerjfdksdjfksdlfhjsdk" >noise.txt
echo "Creating new security key3.db/cert8.db pair."
../shared/bin/certutil -N -d . -f pwdfile.txt
echo "Generating encryption key."
../shared/bin/certutil -G -d . -z noise.txt -f pwdfile.txt
echo "Generating self-signed CA certificate."
../shared/bin/certutil -S -n "CA certificate" \
-s "cn=CAcert $HOST,O=$ORG,OU=$OU" -x \
-t "CT,," -m $UNIQUE_SN_CA -v 120 -d . -z noise.txt -f pwdfile.txt
echo "Generating self-signed Server certificate."
../shared/bin/certutil -S -n "Server-Cert" \
-s "cn=$FQDN,O=$ORG,OU=$OU,L=$LOCALITY,ST=$STATE,C=$COUNTRY" \
-c "CA certificate" \
-t "u,u,u" -m $UNIQUE_SN_LDAP -v 120 -d . -z noise.txt -f pwdfile.txt
echo "Renaming and linking modified security DBs."
mv -f key3.db slapd-$HOST-key3.db
mv -f cert8.db slapd-$HOST-cert8.db
ln -s slapd-$HOST-key3.db key3.db
ln -s slapd-$HOST-cert8.db cert8.db
echo "Setting the correct ownership of security DBs"
chown $SLAPD_OWNER:$SLAPD_GROUP *.db
echo "Self-signed CA and SSL Server certs generated."
echo ""
echo "The following commands are OPTIONAL."
echo "They are for backing up CA and Server Certs in PK12 format."
echo ""
echo "---Start of OPTIONAL commands---"
cat <<EOF >optional_cmds.txt
../shared/bin/pk12util -d . -P slapd-$HOST- -o cacert.pfx -n "CA certificate"
../shared/bin/pk12util -d . -P slapd-$HOST- -o servercert.pfx -n "Server-Cert"
EOF
cat optional_cmds.txt
echo "---End of OPTIONAL commands---"
echo ""
#
echo "Enabling SSL."
echo "NOTE: changes will be saved to config/dse.ldif when slapd is shutdown"
cat <<EOF >/tmp/ssl_enable.ldif
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: on
-
replace: nsSSLClientAuth
nsSSLClientAuth: allowed
dn: cn=config
changetype: modify
add: nsslapd-security
nsslapd-security: on
EOF
if [ "$SERVER_ROOT" = "/opt/fedora-ds" ]; then
cat <<EOF >>/tmp/ssl_enable.ldif
dn: cn=config
replace: nsslapd-ssl-check-hostname
nsslapd-ssl-check-hostname: off
EOF
fi
../shared/bin/ldapmodify -D "cn=Directory Manager" -w `cat /home/ldap/dirmgr.pwd` -f /tmp/ssl_enable.ldif
RC=$?
[ $RC -eq 0 ] && echo "Enabling SSL in cn=encryption,cn=config and cn=config done."
[ $RC -ne 0 ] && echo "Enabling SSL in cn=encryption,cn=config and cn=config failed."
#
cat <<EOF >/tmp/add_ssl_configs.ldif
dn: cn=encryption,cn=config
changetype: modify
add: nsSSL3Ciphers
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,
+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,
+tls_rsa_export1024_with_des_cbc_sha
-
add: nsKeyfile
nsKeyfile: alias/slapd-$HOST-key3.db
-
add: nsCertfile
nsCertfile: alias/slapd-$HOST-cert8.db
EOF
../shared/bin/ldapmodify -D "cn=Directory Manager" -w `cat /home/ldap/dirmgr.pwd` -f /tmp/add_ssl_configs.ldif
RC=$?
[ $RC -eq 0 ] && echo "Adding SSL configs in cn=encryption,cn=config done."
[ $RC -ne 0 ] && echo "Adding SSL configs in cn=encryption,cn=config failed."
#
cat <<EOF >/tmp/addRSA.ldif
dn: cn=RSA,cn=encryption,cn=config
objectclass: top
objectclass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: Server-Cert
nsSSLToken: internal (software)
nsSSLActivation: on
EOF
../shared/bin/ldapmodify -a -c -D "cn=Directory Manager" -w `cat /home/ldap/dirmgr.pwd` -f /tmp/addRSA.ldif
RC=$?
[ $RC -eq 0 ] && echo "Adding cn=RSA,cn=encryption,cn=config done."
[ $RC -ne 0 ] && echo "Adding cn=RSA,cn=encryption,cn=config failed."
#
echo "Creating a pin.txt for auto-starting of slapd."
echo "Internal (Software) Token:`cat pwdfile.txt`" >slapd-$HOST-pin.txt
chown $SLAPD_OWNER:$SLAPD_GROUP slapd-$HOST-pin.txt
chmod 400 slapd-$HOST-pin.txt
echo "Exporting the CA Cert in ASCII format or DER format"
../shared/bin/certutil -L -d . -P slapd-$HOST- -n "CA certificate" \
-a > cacert.asc
../shared/bin/certutil -L -d . -P slapd-$HOST- -n "CA certificate" \
-r > cacert.der
echo "Copying Server-Cert to Admin Server for Admin Server SSL connection."
cp slapd-$HOST-key3.db admin-serv-$HOST-key3.db
cp slapd-$HOST-cert8.db admin-serv-$HOST-cert8.db
echo "Setting the correct ownership of Admin Server security DBs"
chown $SLAPD_OWNER:$SLAPD_GROUP admin-serv-$HOST-*.db
#if [ "$HAVE_CACERT" = "Yes" ]; then
# echo "Importing the CA Cert generated at 1st LDAP server"
# echo "Please enter the full path name of the CACERT in ASCII format"
# echo "Eg: /var/tmp/cacert_from_ldap1.asc"
# read CACERT
# ../shared/bin/certutil -A -d . -P admin-serv-$HOST- \
# -n "CA certificate from 1st LDAP Server" \
# -t "CT,," -a -i $CACERT
#fi
echo "Remember to enable SSL in Admin Server later."
echo "Remember to select 'Server-Cert' as the Certificate and click OK."
echo "Remember to restart Admin Server after that."
echo "Creating a pin.txt for auto-starting of Admin Server."
echo "`cat pwdfile.txt`" >admin-serv-$HOST-pin.txt
chown $SLAPD_OWNER:$SLAPD_GROUP admin-serv-$HOST-pin.txt
chmod 400 admin-serv-$HOST-pin.txt
echo "Patching start-admin and creating start-admin.auto."
if [ "$SERVER_ROOT" = "/opt/fedora-ds" ]; then
sed -e \
'/^\$HTTPD/s/$/ \<"$SERVER_ROOT"\/alias\/admin-serv-`hostname`-pin.txt/' \
$SERVER_ROOT/start-admin >$SERVER_ROOT/start-admin.auto
fi
if [ "$SERVER_ROOT" = "/var/Sun/mps" ]; then
sed -e \
'/uxwdog/s/$/ \<"$SERVER_ROOT"\/alias\/admin-serv-`hostname`-pin.txt/' \
$SERVER_ROOT/start-admin >$SERVER_ROOT/start-admin.auto
fi
chmod 755 $SERVER_ROOT/start-admin.auto
echo "Please use $SERVER_ROOT/start-admin.auto in rc3.d as autostart script."
echo ""
echo "IMPORTANT NOTES:"
echo ""
echo "1. How to check if SSL Configurations are done properly?"
echo "You may view config/dse.ldif after shutting down slapd"
echo "to verify all the required SSL configurations are there."
echo ""
echo "2. How to fix slapd startup issue due to mis-configuration of SSL?"
echo "If for any reason slapd fails to start due to SSL issue,"
echo "you may edit config/dse.ldif after shutting down slapd"
echo "and revert back to non-SSL configs."
echo "i.e. set nsSSL3: off, nsSSLActivation: off and nsslapd-security: off"
echo "and then try to restart slapd."
echo ""
echo "3. How to fix Admin Server login issue due to mis-configuration of SSL?"
echo "If for any reason Admin Server login fails and you wish to give up,"
echo "simply stop slapd and admin-serv and restore using the tar backup"
echo "i.e. rm -f $SERVER_ROOT/alias/*.db;$TAR_XVF /var/tmp/ds_backup.tar"
echo ""
Then run it:
# ./cr_ssl_certs_fds1ldap.sh
Please shutdown slapd and Admin Server and perform a tar backup
and db2ldif backup of currently working system, and restart them again.
Example of tar command: tar -cvf /var/tmp/ds_backup.tar /var/Sun/mps
When you are ready, answer Yes and press Enter to continue.
Press Ctrl-C to cancel.
Yes
Enter an UNIQUE SERIAL NUMBER for CA Cert.
Eg: 1000 for ldap1, 2000 for ldap2, 3000 for ldap3, etc...
1000
Enter an UNIQUE SERIAL NUMBER for LDAP Server Cert.
Eg: 1001 for ldap1, 1002 for ldap2, 1003 for ldap3.
1001
Backing up existing *.db (if any) to backup_20426.
Creating new security key3.db/cert8.db pair.
Generating encryption key.
Generating key. This may take a few moments...
Generating self-signed CA certificate.
Generating key. This may take a few moments...
Generating self-signed Server certificate.
Generating key. This may take a few moments...
Renaming and linking modified security DBs.
Setting the correct ownership of security DBs
Self-signed CA and SSL Server certs generated.
The following commands are OPTIONAL.
They are for backing up CA and Server Certs in PK12 format.
---Start of OPTIONAL commands---
../shared/bin/pk12util -d . -P slapd-ldap1- -o cacert.pfx -n "CA certificate"
../shared/bin/pk12util -d . -P slapd-ldap1- -o servercert.pfx -n "Server-Cert"
---End of OPTIONAL commands---
Enabling SSL.
NOTE: changes will be saved to config/dse.ldif when slapd is shutdown
modifying entry cn=encryption,cn=config
modifying entry cn=config
Enabling SSL in cn=encryption,cn=config and cn=config done.
modifying entry cn=encryption,cn=config
Adding SSL configs in cn=encryption,cn=config done.
adding new entry cn=RSA,cn=encryption,cn=config
Adding cn=RSA,cn=encryption,cn=config done.
Creating a pin.txt for auto-starting of slapd.
Exporting the CA Cert in ASCII format or DER format
Copying Server-Cert to Admin Server for Admin Server SSL connection.
Setting the correct ownership of Admin Server security DBs
Remember to enable SSL in Admin Server later.
Remember to select 'Server-Cert' as the Certificate and click OK.
Remember to restart Admin Server after that.
Creating a pin.txt for auto-starting of Admin Server.
Patching start-admin and creating start-admin.auto.
Please use /var/Sun/mps/start-admin.auto in rc3.d as autostart script.
IMPORTANT NOTES:
1. How to check if SSL Configurations are done properly?
You may view config/dse.ldif after shutting down slapd
to verify all the required SSL configurations are there.
2. How to fix slapd startup issue due to mis-configuration of SSL?
If for any reason slapd fails to start due to SSL issue,
you may edit config/dse.ldif after shutting down slapd
and revert back to non-SSL configs.
i.e. set nsSSL3: off, nsSSLActivation: off and nsslapd-security: off
and then try to restart slapd.
3. How to fix Admin Server login issue due to mis-configuration of SSL?
If for any reason Admin Server login fails and you wish to give up,
simply stop slapd and admin-serv and restore using the tar backup
i.e. rm -f /var/Sun/mps/alias/*.db;tar -xvf /var/tmp/ds_backup.tar
After SSL is configured, restart slapd.
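Notes 1 and 2 above amount to a check and a rollback of three attributes in config/dse.ldif. As an added example, not part of the original page or of the author's scripts, here is that check and rollback as a small Bourne shell script. The dse.ldif excerpt inside it is constructed to match the entries the script output names (cn=config, cn=encryption,cn=config and cn=RSA,cn=encryption,cn=config); the /tmp path is an assumption. Run it against a copy of dse.ldif, or with slapd stopped.

```shell
#!/bin/sh
# Added example (not from the original page or its author's scripts):
# check the SSL switches that cr_ssl_certs_fds1ldap.sh writes into
# config/dse.ldif, and revert them the way note 2 above describes.
# Edit dse.ldif only with slapd stopped: slapd writes its in-memory copy
# back to dse.ldif on shutdown and would overwrite a live edit.
# The dse.ldif excerpt below is constructed for the demo; /tmp is an assumption.

# Constructed dse.ldif excerpt as it looks after SSL has been enabled.
write_sample_dse() {
    cat > "$1" <<'EOF'
dn: cn=config
cn: config
nsslapd-port: 389
nsslapd-secureport: 636
nsslapd-security: on

dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSL3: on
nsSSLClientAuth: allowed

dn: cn=RSA,cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionModule
cn: RSA
nsSSLToken: internal (software)
nsSSLPersonalitySSL: Server-Cert
nsSSLActivation: on
EOF
}

# dse_attr FILE DN ATTR: print the value(s) of ATTR in the entry whose
# "dn:" line equals DN. Entries end at a blank line; DN and attribute
# names are compared case-insensitively, as LDAP does.
dse_attr() {
    awk -v dn="$2" -v attr="$3" '
        BEGIN { dn = tolower(dn); attr = tolower(attr); inentry = 0 }
        /^dn: / { inentry = (tolower(substr($0, 5)) == dn); next }
        /^$/    { inentry = 0; next }
        inentry {
            i = index($0, ":")
            if (i > 0 && tolower(substr($0, 1, i - 1)) == attr) {
                v = substr($0, i + 1); sub(/^ +/, "", v); print v
            }
        }' "$1"
}

# check_ssl_config FILE: succeed only if every switch note 1 asks for is set
# and a server certificate nickname is selected.
check_ssl_config() {
    _sec=`dse_attr "$1" "cn=config" "nsslapd-security"`
    _ssl3=`dse_attr "$1" "cn=encryption,cn=config" "nsSSL3"`
    _act=`dse_attr "$1" "cn=RSA,cn=encryption,cn=config" "nsSSLActivation"`
    _cert=`dse_attr "$1" "cn=RSA,cn=encryption,cn=config" "nsSSLPersonalitySSL"`
    echo "nsslapd-security=$_sec nsSSL3=$_ssl3 nsSSLActivation=$_act cert=$_cert"
    if [ "$_sec" = on ] && [ "$_ssl3" = on ] && [ "$_act" = on ] && [ -n "$_cert" ]
    then
        return 0
    fi
    return 1
}

# disable_ssl_config FILE: the recovery step from note 2, i.e. turn the three
# switches off so slapd starts without SSL. Attribute names are matched
# exactly as slapd writes them.
disable_ssl_config() {
    sed -e 's/^nsslapd-security: on$/nsslapd-security: off/' \
        -e 's/^nsSSL3: on$/nsSSL3: off/' \
        -e 's/^nsSSLActivation: on$/nsSSLActivation: off/' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Demo against the constructed sample, never against a live config/dse.ldif.
SAMPLE=/tmp/dse.ldif.example
write_sample_dse "$SAMPLE"
if check_ssl_config "$SAMPLE"
then
    echo "SSL configuration is complete"
else
    echo "SSL configuration is incomplete; run disable_ssl_config $SAMPLE and restart slapd"
fi
```

nsSSL3 is specifically the SSLv3 switch; on directory server releases that support it, the TLS switch is the separate attribute nsTLS1. The script matches only the single-line form of the three attributes, which is how slapd writes them.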
Consult "Installing and configuring iPlanet Directory Server for Solaris9" at http://web.singnet.com.sg/~garyttt for similar instructions on:
Step 4: Configure RedHat Linux LDAP Client (OpenLDAP+PADL libraries)
Step 4X: Configure Solaris Native LDAP Client (SUN Native LDAP libraries)
Step 6: Configure “netgroup” to work with RedHat or Solaris Native LDAP Clients
Step 7: Configure “sudo” to use LDAP maps for centralized management
Step 8: Configure “Apache” to use LDAP Authentication
Appendix:
Appendix 1: Content of chk_patches_sjes_ds52.sh:
#! /bin/sh
#
# chk_patches_sjes_ds52.sh
#
# Gary Tay, 1-Apr-2005 written
#
# Please customize the patches you are checking; use a blank to separate
# multiple patch ids, eg: 5.9:112345 113456
#
# Please refer to:
# http://docs.sun.com/source/817-7611/index.html#wp33336
#
#114677-08 SunOS 5.9: International Components for Unicode Patch
#117724-10 SunOS 5.9: NSPR 4.5.1 / NSS 3.9.5 / JSS 4.0
#115342-01 SunOS 5.9: Simple Authentication and Security Layer (2.01)
#115610-18 SunOS 5.9_sparc: Administration Server 5.2 patch
#115614-20 SunOS 5.9: Directory Server 5.2 patch
#117015-16 Patch for localized Solaris packages
#116837-02 LDAP CSDK - SUNWldk, SUNWldkx
#
# Solaris 8: (DS 5.2 Patch3 for the package version)
#115610 SunOS 5.9 : Sun Java(TM) System Directory Server 5.2 patch 3 (Adminserv)
#115614 SunOS 5.9 : Sun Java(TM) System Directory Server 5.2 patch 3 (DS)
#117722 SunOS 5.8: NSPR 4.5.1 / NSS 3.9.5 / JSS 4.0...
#118615 LDAP Java Development Kit 4.17 SunOS 5.8 5.9 _x86: genesis patch
#
# Solaris 8: LDAP-Client
#108993 LDAP-Client for Solaris 8 (phase II)
#108808 LDAP-Client for Solaris 8 (man-pages)
#
# One line per Solaris release: <uname -r>:<patch id> <patch id> ...
cat >/tmp/chk_patches$$.tmp <<EOF
5.8:108993 115610 115614 117722 118615 108808 114045
5.9:114677 117724 115342 115610 115614 117015 116837
EOF
SOLARIS_VER=`uname -r`
# Pick the patch list for this release (anchored so "5.8" only matches its own line)
PATCH_IDS=`grep "^$SOLARIS_VER:" /tmp/chk_patches$$.tmp | cut -d: -f2`
# showrev -p prints one "Patch: <id>-<rev> Obsoletes: ..." line per installed patch;
# run it once and check each wanted id (any revision) against that list
showrev -p >/tmp/chk_patches$$.showrev
for i in $PATCH_IDS
do
  RESULT=`grep "^Patch: $i-" /tmp/chk_patches$$.showrev`
  [ -n "$RESULT" ] && echo "$RESULT"
  [ -z "$RESULT" ] && echo "PATCH $i not found..."
done
/bin/rm -f /tmp/chk_patches$$.tmp /tmp/chk_patches$$.showrev
Example of running chk_patches_sjes_ds52.sh:
# ./chk_patches_sjes_ds52.sh
Patch: 114677-08 Obsoletes: Requires: Incompatibles: Packages: SUNWicu, SUNWicux
Patch: 117724-10 Obsoletes: 115926-10 Requires: Incompatibles: Packages: SUNWtls, SUNWtlsx, SUNWpr, SUNWjss, SUNWprx
Patch: 115342-01 Obsoletes: Requires: Incompatibles: Packages: SUNWsasl, SUNWsaslx
Patch: 115610-17 Obsoletes: Requires: Incompatibles: Packages: SUNWasvc, SUNWasvu, SUNWasvr, SUNWasvcp
Patch: 115614-19 Obsoletes: 117907-02 Requires: 115610-17 Incompatibles: Packages: SUNWdsvr, SUNWdsvcp, SUNWdsvh, SUNWdsvhx, SUNWdsvu, SUNWdsvx, SUNWdsvpl
Patch: 116837-02 Obsoletes: Requires: Incompatibles: Packages: SUNWldk
#
Note that {NS1} is a reversible obfuscation of the proxyAgent password, not a hash: any client that can read the profile entry can recover the password, so restrict read access to the profile and treat the bind DN as a low-privilege account. Passing the password with -w also exposes it to anyone running ps while the command runs.
# cat cr_proxyAgent_pw_in_NS1_format.sh
/usr/sbin/ldap_gen_profile -P testprofile -b "dc=example,dc=com" \
    -D "cn=proxyAgent,ou=profile,dc=example,dc=com" -w password \
    192.168.1.168
# ./cr_proxyAgent_pw_in_NS1_format.sh
dn: cn=testprofile,ou=profile,dc=example,dc=com
SolarisBindDN: cn=proxyAgent,ou=profile,dc=example,dc=com
SolarisBindPassword: {NS1}ecfa88f3a945c411
SolarisLDAPServers: 192.168.1.168
SolarisSearchBaseDN: dc=example,dc=com
SolarisAuthMethod: NS_LDAP_AUTH_NONE
SolarisTransportSecurity: NS_LDAP_SEC_NONE
SolarisSearchReferral: NS_LDAP_FOLLOWREF
SolarisSearchScope: NS_LDAP_SCOPE_ONELEVEL
SolarisSearchTimeLimit: 30
SolarisCacheTTL: 43200
cn: testprofile
SolarisBindTimeLimit: 30
ObjectClass: top
ObjectClass: SolarisNamingProfile
Appendix 3: Content of 61DUAConfigProfile.ldif
Appendix 4: Content of 62nisDomain.ldif