LDAP Setup

  1. start up instance (IdP): ami-78e03211
  2. install ldap
    sudo apt-get install slapd ldap-utils -y
    sudo dpkg-reconfigure slapd
    
    • password=xxx
    • set base DN = idp.duracloud.org (later redone as 'duracloud.org')
  3. populate
    vi add_content.ldif
    
    dn: ou=people,dc=idp,dc=duracloud,dc=org
    objectClass: organizationalUnit
    ou: people
    
    dn: ou=groups,dc=idp,dc=duracloud,dc=org
    objectClass: organizationalUnit
    ou: groups
    
    dn: cn=curators,ou=groups,dc=idp,dc=duracloud,dc=org
    objectClass: groupOfNames
    cn: curators
    description: DfR Curators
    member: uid=awoods,ou=people,dc=idp,dc=duracloud,dc=org
    member: uid=ddavis,ou=people,dc=idp,dc=duracloud,dc=org
    ou: curator
    
    dn: cn=admin,ou=groups,dc=idp,dc=duracloud,dc=org
    objectClass: groupOfNames
    cn: admins
    description: DfR Curators
    member: uid=awoods,ou=people,dc=idp,dc=duracloud,dc=org
    member: uid=ddavis,ou=people,dc=idp,dc=duracloud,dc=org
    member: uid=root,ou=people,dc=idp,dc=duracloud,dc=org
    ou: admin
    
    dn: cn=user,ou=groups,dc=idp,dc=duracloud,dc=org
    objectClass: groupOfNames
    cn: users
    description: DfR Curators
    member: uid=awoods,ou=people,dc=idp,dc=duracloud,dc=org
    member: uid=ddavis,ou=people,dc=idp,dc=duracloud,dc=org
    member: uid=root,ou=people,dc=idp,dc=duracloud,dc=org
    ou: user
    
    dn: uid=awoods,ou=people,dc=idp,dc=duracloud,dc=org
    objectClass: inetOrgPerson
    uid: awoods
    sn: Woods
    givenName: Andrew
    cn: Andrew Woods
    displayName: Andrew Woods
    userPassword: awoodspw
    
    dn: uid=ddavis,ou=people,dc=idp,dc=duracloud,dc=org
    objectClass: inetOrgPerson
    uid: ddavis
    sn: Davis
    givenName: Dan
    cn: Dan Davis
    displayName: Dan Davis
    userPassword: ddavispw
    
    dn: uid=bbranan,ou=people,dc=idp,dc=duracloud,dc=org
    objectClass: inetOrgPerson
    uid: bbranan
    sn: Branan
    givenName: Bill
    cn: Bill Branan
    displayName: Bill Branan
    userPassword: bbrananpw
    
    dn: uid=cwilper,ou=people,dc=idp,dc=duracloud,dc=org
    objectClass: inetOrgPerson
    uid: cwilper
    sn: Wilper
    givenName: Chris
    cn: Chris Wilper
    displayName: Chris Wilper
    userPassword: cwilperpw
    
    dn: uid=bmclean,ou=people,dc=idp,dc=duracloud,dc=org
    objectClass: inetOrgPerson
    uid: bmclean
    sn: McLean
    givenName: Brad
    cn: Brad McLean
    displayName: Brad McLean
    userPassword: bmcleanpw
    
    dn: uid=jmarkow,ou=people,dc=idp,dc=duracloud,dc=org
    objectClass: inetOrgPerson
    uid: jmarkow
    sn: Markow
    givenName: Jonathan
    cn: Jonathan Markow
    displayName: Jonathan Markow
    userPassword: jmarkowpw
    
    dn: uid=root,ou=people,dc=idp,dc=duracloud,dc=org
    objectClass: inetOrgPerson
    uid: root
    sn: Monkey
    givenName: Root
    cn: Root Monkey
    displayName: Root Monkey
    userPassword: rootpw
    
    • run
      ldapadd -x -D cn=admin,dc=idp,dc=duracloud,dc=org -W -f add_content.ldif
      
  4. adjust logging
    vi logging.ldif
    
    • add
      dn: cn=config
      changetype: modify
      add: olcLogLevel
      olcLogLevel: stats
      
    • run
      sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f logging.ldif
      
  5. secure remote access (TLS)
    sudo vi certinfo.ldif
    
    • add
      dn: cn=config
      add: olcTLSCACertificateFile
      olcTLSCACertificateFile: /etc/ssl/certs/gd_bundle.crt
      -
      add: olcTLSCertificateFile
      olcTLSCertificateFile: /etc/ssl/certs/duracloud.org.crt
      -
      add: olcTLSCertificateKeyFile
      olcTLSCertificateKeyFile: /etc/ssl/private/duracloud.org.key
      
    • run
      sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f certinfo.ldif
      
    • add the openldap user to the ssl-cert group (so slapd can read the key file)
      sudo adduser openldap ssl-cert
      
    • restart
      sudo service slapd restart
      

shibboleth / LDAP integration

  1. reference
  2. replace basic-auth with ldap-auth
    sudo vi /opt/shibboleth-idp/conf/handler.xml
    
    • update
      comment out:
          <ph:LoginHandler xsi:type="ph:RemoteUser">...
      
      uncomment:
          <ph:LoginHandler xsi:type="ph:UsernamePassword"...
      
  3. update jaas config
    sudo vi /opt/shibboleth-idp/conf/login.config
    
    • uncomment and update
         edu.vt.middleware.ldap.jaas.LdapLoginModule required
            ldapUrl="ldap://idp.duracloud.org:389"
            baseDn="ou=people,dc=idp,dc=duracloud,dc=org"
            tls="true"
            userFilter="uid={0}";
      

helpful commands

ldapsearch -x -LLL -H ldap:/// -b dc=duracloud,dc=org dn
ldapsearch -x -LLL -H ldap:/// -b dc=compute-1,dc=internal dn
ldapsearch -x -LLL -b dc=idp,dc=duracloud,dc=org 'uid=awoods'

todo

  1. investigate idp.duracloud.org:/opt/shibboleth-idp/metadata/idp-metadata.xml : AttributeAuthority

other

sudo apt-get install phpldapadmin -y