Original: /afs/zcu.cz/users/v/valtri/public/instalace_ldapu.txt ============================================================================== Poznamky k instalaci LDAPu z Debianich zdroju a k instalaci Oracloveho klienta (nutny ke krmeni LDAPu). Balicky Debian (master i replika): slapd (libiodbc2 libldap-2.2-7 libltdl3 libperl5.8 libslp1) libsasl2, libsasl2-modules, libsasl2-gssapi-mit, ldap-utils Pri pouziti saslauthd (pro portal) take: sasl2-bin Bacha na slapd>=2.4, chain CA strcit do souboru s klicem: * http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=517188 * test: openssl s_client -host clotho.zcu.cz -port 637 Balicky Debian (master-ldap-krmic): libdbi-perl (libnet-daemon-perl libplrpc-perl) xbase-clients (libdps1 libxaw7 libxft1 xbase-clients xlibmesa-gl xlibmesa-glu xlibs) DBD::Oracle z CPANu (libdbd-oracle-perl neni), po nainstalovani Oraclu, viz. dale Balicky Fedora Core 2 (master i replika): openldap openldap-clients openldap-servers cyrus-sasl-gssapi Balicky Solaris 9: # zavislosti z CD: SUNWgss pkg-add -d . # http://www.blastwave.org/ pkg-get -i openldap saslauthd pridani LDAPare do k5login :-): echo "valtri/root@ZCU.CZ" >> /root/.k5login /etc/hosts.allow: (jinak can't contact LDAP server (12)) slapd: * /etc/syslog.conf: (logovani do /var/log/slapd.log) local4.* -/var/log/slapd.log local5.* -/var/log/slapd-portal.log *.*;auth,authpriv.none;local4.none;local5.none -/var/log/syslog /etc/init.d/sysklog stop /etc/init.d/sysklog start iptables: :LDAP - [0:0] -A INPUT -j LDAP -A LDAP -p tcp --dport 389 -j ACCEPT -A LDAP -p tcp --dport 636 -j ACCEPT -A LDAP -p tcp --dport 390 -j ACCEPT -A LDAP -p tcp --dport 637 -j ACCEPT # u mastera pak i pravidla pro Moiru, viz. Master /etc/init.d/iptables save active # load balancer (spravny zpusob?) 
-A INPUT -s 147.228.52.20 -j LBCD -A INPUT -s 147.228.52.24 -j LBCD -A LBCD -p udp --dport 4330 -j ACCEPT ((taky spravny lokalni hostname a (?nebo) DNS daneho LDAP serveru)) /etc/ldap, /etc/ldap/schema (i dva vlastni soubory se schematy): # cd /etc/ldap cvs -d:local:/afs/.zcu.cz/project/software/cvsroot co -d . service/ldap/servers/ldap3/etc/ldap cvs -d:local:/afs/.zcu.cz/project/software/cvsroot co -d schema service/ldap/servers/ldap3/etc/ldap/schema # na Fedore: ln -s openldap ldap # na Solarisu: ln -s /opt/csw/etc/openldap /etc/ldap vim /etc/ldap/slapd.conf # zmeny prefixu vim /etc/ldap/slapd-portal.conf # zmeny prefixu uzivatele, nagios (dobry zvyk je neprivilegovany uzivatel, student6 pro testy): groupadd ldap useradd -g ldap -G sasl ldap # solaris: mkdir -p /var/run/slapd/ chown ldap:ldap /var/run/slapd/ chown -R ldap:ldap /var/lib/ldap/ #mkdir /var/spool/slurpd/replica/ #chown -R ldap:ldap /var/spool/slurpd/replica/ useradd -m student6 -s /bin/sh cd /home/student6 echo uptime > .profile echo logout >> .profile echo student6@ZCU.CZ > .k5login chown student6:users .profile chown student6:users .k5login /var/lib/ldap/DATADIRS/DB_CONFIG: () cd /var/lib/ldap rm * cvs -d:local:/afs/.zcu.cz/project/software/cvsroot co -P -d . service/ldap/servers/ldap3/var/lib/ldap chown ldap:ldap phonebook resources rfc2307 root chmod 0750 phonebook resources rfc2307 root mkdir /var/lib/ldap-portal cd /var/lib/ldap-portal cvs -d:local:/afs/.zcu.cz/project/software/cvsroot co -P -d . 
service/ldap/servers/ldap3/var/lib/ldap-portal chown ldap:ldap portal chmod 0750 portal (obsah DB_CONFIG: # cache & tuning set_lg_max 104857600 set_lg_bsize 262144 set_flags DB_LOG_AUTOREMOVE set_cachesize 0 209715200 2 # jinak can't allocate memory pri slapadd set_lk_max_objects 50000 set_lk_max_locks 50000 set_lk_max_lockers 50000 ) kerberos: kadmin -p makac/root ank +requires_preauth -randkey -policy default_nohistory host/stroj.zcu.cz@ZCU.CZ ktadd host/stroj.zcu.cz@ZCU.CZ ank +requires_preauth -randkey -policy default_nohistory ldap/stroj.zcu.cz@ZCU.CZ ktadd ldap/stroj.zcu.cz@ZCU.CZ ank +requires_preauth -randkey -policy default_nohistory ldapmgr/stroj.zcu.cz@ZCU.CZ ktadd ldapmgr/stroj.zcu.cz@ZCU.CZ cp /etc/krb5.keytab /etc/ldap/krb5kt_slapd chown root:ldap /etc/ldap/krb5kt_slapd chmod g+r /etc/ldap/krb5kt_slapd /usr/lib/sasl2/slapd.conf: (jinak nejde GSSAPI ale heslo, kouka se do /var/sasldb misto pres saslauth) cd /usr/lib/sasl2/ cvs -d:local:/afs/.zcu.cz/project/software/cvsroot co -d . 
service/ldap/servers/ldap3/usr/lib/sasl2 # obsah: #mech_list: gssapi #pwcheck_method: saslauthd #auxprop_plugin: slapd /etc/default/slapd: (jinak nejde ldaps:/// a hlasky o IPv6, pouziti neroota) SLAPD_USER=ldap SLAPD_GROUP=ldap SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///" SLAPD_OPTIONS="-4" TRY_BDB_RECOVERY=yes SLURPD_START=no export KRB5_KTNAME=/etc/ldap/krb5kt_slapd /etc/default/slapd-portal: (jiny conf, jinak nejde ldaps:/// a hlasky o IPv6, pouziti neroota) SLAPD_CONF=/etc/ldap/slapd-portal.conf SLAPD_USER=ldap SLAPD_GROUP=ldap SLAPD_SERVICES="ldap://:390/ ldaps://:637/" SLAPD_OPTIONS="-4 -l LOCAL5" TRY_BDB_RECOVERY=yes SLURPD_START=no export KRB5_KTNAME=/etc/ldap/krb5kt_slapd /etc/default/saslauthd: (pro portal pouzivame saslauth) START=yes # krz bodikuv pam oracle MECHANISMS="pam" # jinak hapa THREADS=0 OPTIONS="-c" /opt/csw/etc/openldaprc: (Solaris misto DebJanu) cat > /opt/csw/etc/openldaprc << EOF SLAPD_GROUP=ldap SLAPD_USER=ldap SLAPD_URL_LIST="ldap:/// ldaps:/// ldapi:///" SLAPD_IPV4_ONLY=1 LD_LIBRARY_PATH=/opt/csw/bdb4/lib:/opt/csw/lib/sasl2 EOF /opt/csw/etc/openldaprc-portal: (Solaris misto DebJanu) cat > /opt/csw/etc/openldaprc-portal << EOF SLAPD_GROUP=ldap SLAPD_USER=ldap SLAPD_URL_LIST="ldap://127.0.0.1:390/ ldaps://127.0.0.1:637/" SLAPD_IPV4_ONLY=1 SLAPD_CONFIG_FILE=/etc/ldap/slapd-portal.conf LD_LIBRARY_PATH=/opt/csw/bdb4/lib:/opt/csw/lib/sasl2 EOF Pusteni na Solarisu: /etc/init.d/cswopenldap start # nutne zmeny: k jakemukoliv slapd, slurpd a openldaprc pridat suffix -portal # (procesy se hledaji dle jmen) /etc/init.d/cswopenldap-portal start cd /opt/csw/libexec ln slapd slapd-portal ln slurpd slurpd-portal patch /etc/init.d/slapd: (jinak problemy pri obnove DB, bude opraveno v dalsi verzi po 2.2.23-8) 1) nahradit kontrolu beziciho ldapu (vicero procesu ldap) # if pidof /usr/lib/slapd >/dev/null; then bdb_envs2=$(echo $bdb_envs | sed -e 's/ */,/g') if echo $bdb_envs2 | grep ',' >/dev/null; then bdb_envs2=$(eval echo {$bdb_envs2}/*) else 
bdb_envs2=$bdb_envs2/* fi if [ "$(lsof $bdb_envs2 | wc -l)" != "0" ]; then echo -n " (slapd running, no recovery), " return 0 fi 2) obnova pod uzivatelem (oficialne opraveno lip) reason="`$DB_RECOVER_CMD -eh $dbdir 2>&1`" || \ db_recover_failed $dbdir if [ -n "$SLAPD_USER" -o -n "$SLAPD_GROUP" ]; then chown $SLAPD_USER:$SLAPD_GROUP $dbdir/__db.* fi /etc/init.d/slapd-portal: (pouziti jinych defaultnich hodnot pro portal) --- slapd 2006-01-23 18:35:17.000000000 +0100 +++ slapd-portal 2006-02-06 13:53:12.000000000 +0100 -if [ -f "/etc/default/slapd" ]; then - . /etc/default/slapd +if [ -f "/etc/default/slapd-portal" ]; then + . /etc/default/slapd-portal pousteni postartu: # default bylo 0, 1, 6: K80; 2, 3, 4, 5: S19 update-rc.d slapd defaults 19 80 update-rc.d slapd-portal defaults 19 80 # odstraneni: # update-rc.d -f slapd remove # update-rc.d -f slapd-portal remove krmici skripty (lisi se master LDAP a replicacni LDAP): mkdir /usr/local/pleiades cd /usr/local/pleiades #Master: cvs -d:local:/afs/.zcu.cz/project/software/cvsroot co -d . service/ldap/servers/ldap3/update-master ln -s update-master.sh update.sh #Replika: cvs -d:local:/afs/.zcu.cz/project/software/cvsroot co -d . service/ldap/servers/ldap3/update-replica ln -s update-slave.sh update.sh # uprava jmena listku update.sh (pripadne i reload-master.sh), # slapd-refresh-ticket.sh (pripadne i slurpd-refresh-ticket.sh) mkdir /usr/local/pleiades-portal cd /usr/local/pleiades-portal #Master: cvs -d:local:/afs/.zcu.cz/project/software/cvsroot co -d . service/ldap/servers/ldap3/portal-master ln -s /usr/local/pleiades/rfc2307 rfc2307 ln -s update-master.sh update.sh ln -s update-master.sh reload.sh #Replika: cvs -d:local:/afs/.zcu.cz/project/software/cvsroot co -d . 
service/ldap/servers/ldap3/portal-replica ln -s update-slave.sh update.sh ln -s update-slave.sh reload.sh certifikaty: # root mkdir /etc/ldap/security cd /etc/ldap/security wget http://crl.zcu.cz/crl/ZCUrootCA.pem mv ZCUrootCA.pem zcu-ca.crt ln -s zcu-ca.crt 78a29cbc.0 # serverove (to asi nebude ve FAI...) ... openssl rsa -in server.key -out server.key.unsecure chown ldap:ldap server.key.unsecure chmod 0440 * chmod 0400 server.key.unsecure load balancer ze Standfordu (TODO: jail): ---------------------------------------- #iptables viz vyse scp nagios.zcu.cz:/usr/lib/netsaint/plugins.zcu/check_ldap.pl /usr/local/bin cp /afs/zcu.cz/users/v/valtri/home/CIV/ldap/lbnamed/getweight.sh /usr/local/bin cat >> /etc/apt/sources.list < /dev/null 2>&1 ; then - SLURPD_START=yes - else - SLURPD_START=no - fi -fi +SLURPD_START=yes # Find out the name of slapd's pid file if [ -z "$SLAPD_PIDFILE" ]; then @@ -198,7 +190,7 @@ fi echo -n " slurpd" reason="`start-stop-daemon --start --quiet --oknodo \ - --exec /usr/sbin/slurpd -- $SLURPD_OPTIONS 2>&1`" + --exec /bin/sh -- -c "KRB5CCNAME=/var/lib/ldap/krb5cc_slurpd /usr/sbin/slurpd -- $SLURPD_OPTIONS 2>&1"`" } # Stop the slapd daemon and capture the error message (if any) to @@ -225,10 +217,6 @@ start() { echo -n "Starting OpenLDAP:" trap 'report_failure' 0 - if [ "$TRY_BDB_RECOVERY" = "yes" ]; then - try_fix_db - fi - start_slapd start_slurpd trap "-" 0 echo . 
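Review bot: In the `@@ -198,7 +190,7 @@` hunk, pointing `--exec` at `/bin/sh` instead of `/usr/sbin/slurpd` changes what start-stop-daemon checks for an already-running instance: with `--oknodo` it is likely to match some unrelated `/bin/sh` process and quietly not start slurpd at all, and a `--stop --exec /usr/sbin/slurpd` in stop_slurpd (not in the hunk) no longer pairs with how the daemon was started; the enclosing start_slurpd function also begins outside the hunk. Interpolating `$SLURPD_OPTIONS` into a double-quoted `-c` string re-parses the options through a second shell, so any quoting or special characters in them break. Since the daemon inherits the environment, the same effect is obtained without the wrapper: `export KRB5CCNAME=/var/lib/ldap/krb5cc_slurpd` before the call and keep `--exec /usr/sbin/slurpd -- $SLURPD_OPTIONS 2>&1` as in the original line. The credential cache named there is a credential-bearing file whose owner and mode are not shown; a comment stating who must be able to read it would help the next maintainer. Separately, the `@@ -225` hunk leaves `start_slapd` in start() while the `@@ -239` hunk on the next line drops `stop_slapd` from stop(); if this is intended as a slurpd-only script, start() presumably should drop start_slapd too, otherwise the asymmetry deserves a comment.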
@@ -239,7 +227,6 @@ echo -n "Stopping OpenLDAP:" trap 'report_failure' 0 stop_slurpd - stop_slapd trap "-" 0 echo . } crontab -e (pouze pro mastera, upper a zaloha vsude): #MAILTO=valtri@civ.zcu.cz PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin SHELL=/bin/bash ORACLE_BASE=/home/oracle ORACLE_HOME=/home/oracle/oracle/product/10.2.0/client_1 NLS_LANG='AMERICAN_AMERICA.EE8ISO8859P2' */2 * * * * /usr/local/bin/ldap-upper.sh 0 */4 * * * /usr/local/pleiades/slurpd-refresh-ticket.sh 00 23 * * * /usr/local/pleiades/update-cron.sh 50 03 * * * bash -c 'cd /var/backups/bacula-ldaps; bash -x /etc/ldap/dobackup 1' > /var/lib/ldap/backup.log 2>&1 moira (pouze pro mastera): cp /afs/zcu.cz/i386_linux24/usr/athena/bin/blanche /usr/local/bin # aby blanche fungoval echo "sms_db 775/tcp" >> /etc/services # prikazy pres rsh na charybde potrebuji tuto: iptables -A SHELL -s char -p tcp -j ACCEPT /etc/init.d/iptables save active Oracle (pouze pro mastera), original ve wiki: Uživatel/Valtri/Oracle: groupadd oracle groupadd dba useradd -m -g oracle -G dba oracle echo "RedHat Enterprise Linux 3" > /etc/redhat-release # do /etc/ssh/sshd_config X11Forwarding=yes # interaktivni instalace su oracle cd /tmp /afs/zcu.cz/project/departments/civ/oracle-install/linux/10.2.0.1/client/runInstaller # next # check $ORACLE_BASE/oraInventory, check oracle group, next # product languages, runtime, next # update installation path, next # check installation settings, install # (oracle net assistant) # in different session under root run /home/oracle/oraInventory/orainstRoot.sh # /home/oracle/oracle/product/10.2.0/client_1/root.sh, OK # exit exit rm /etc/redhat-release echo 'export ORACLE_BASE=/home/oracle' >> /etc/profile echo 'export ORACLE_HOME=$ORACLE_BASE/oracle/product/10.2.0/client_1' >> /etc/profile echo 'export PATH=$PATH:$ORACLE_HOME/bin' >> /etc/profile # nastaveni na univerzitni servery scp hyperochus:/home/oracle/product/9.2/network/admin/tnsnames.ora $ORACLE_HOME/network/admin/ 
# test export TWO_TASK=STAG2.ZCU.CZ sqlplus user/password # instalace DBD::Oracle z CPANu (/usr/local/lib/perl/5.8.4/) # URL: http://search.cpan.org/~timb # podadresar: DBD-Oracle-1.16 wget http://search.cpan.org/CPAN/authors/id/T/TI/TIMB/DBD-Oracle-1.16.tar.gz apt-get install dh-make-perl tar xzf DBD-Oracle-1.16.tar.gz cd DBD-Oracle-1.16 dh-make-perl # nechodi pro testing, chodi make -f Makefile.PL && make && make install # vim debian/rules - odstraneni make check dpkg-buildpackage dpkg -i libdbd-oracle-perl_1.16-1_i386.deb