LDAP Setup

  1. start up instance (IdP): ami-78e03211
  2. install ldap 
    sudo apt-get install slapd ldap-utils -y
sudo dpkg-reconfigure slapd
    • password=xxx
    • set baseDN = idp.duracloud.org (redo as 'duracloud.org')
  3. populate 
    vi add_content.ldif

    dn: ou=people,dc=idp,dc=duracloud,dc=org
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=idp,dc=duracloud,dc=org
objectClass: organizationalUnit
ou: groups

dn: cn=curators,ou=groups,dc=idp,dc=duracloud,dc=org
objectClass: groupOfNames
cn: curators
description: DfR Curators
member: uid=awoods,ou=people,dc=idp,dc=duracloud,dc=org
member: uid=ddavis,ou=people,dc=idp,dc=duracloud,dc=org
ou: curator

dn: cn=admin,ou=groups,dc=idp,dc=duracloud,dc=org
objectClass: groupOfNames
cn: admins
description: DfR Curators
member: uid=awoods,ou=people,dc=idp,dc=duracloud,dc=org
member: uid=ddavis,ou=people,dc=idp,dc=duracloud,dc=org
member: uid=root,ou=people,dc=idp,dc=duracloud,dc=org
ou: admin

dn: cn=user,ou=groups,dc=idp,dc=duracloud,dc=org
objectClass: groupOfNames
cn: users
description: DfR Curators
member: uid=awoods,ou=people,dc=idp,dc=duracloud,dc=org
member: uid=ddavis,ou=people,dc=idp,dc=duracloud,dc=org
member: uid=root,ou=people,dc=idp,dc=duracloud,dc=org
ou: user

dn: uid=awoods,ou=people,dc=idp,dc=duracloud,dc=org
objectClass: inetOrgPerson
uid: awoods
sn: Woods
givenName: Andrew
cn: Andrew Woods
displayName: Andrew Woods
userPassword: awoodspw

dn: uid=ddavis,ou=people,dc=idp,dc=duracloud,dc=org
objectClass: inetOrgPerson
uid: ddavis
sn: Davis
givenName: Dan
cn: Dan Davis
displayName: Dan Davis
userPassword: ddavispw

dn: uid=bbranan,ou=people,dc=idp,dc=duracloud,dc=org
objectClass: inetOrgPerson
uid: bbranan
sn: Branan
givenName: Bill
cn: Bill Branan
displayName: Bill Branan
userPassword: bbrananpw

dn: uid=cwilper,ou=people,dc=idp,dc=duracloud,dc=org
objectClass: inetOrgPerson
uid: cwilper
sn: Wilper
givenName: Chris
cn: Chris Wilper
displayName: Chris Wilper
userPassword: cwilperpw

dn: uid=bmclean,ou=people,dc=idp,dc=duracloud,dc=org
objectClass: inetOrgPerson
uid: bmclean
sn: McLean
givenName: Brad
cn: Brad McLean
displayName: Brad McLean
userPassword: bmcleanpw

dn: uid=jmarkow,ou=people,dc=idp,dc=duracloud,dc=org
objectClass: inetOrgPerson
uid: jmarkow
sn: Markow
givenName: Jonathan
cn: Jonathan Markow
displayName: Jonathan Markow
userPassword: jmarkowpw

dn: uid=root,ou=people,dc=idp,dc=duracloud,dc=org
objectClass: inetOrgPerson
uid: root
sn: Monkey
givenName: Root
cn: Root Monkey
displayName: Root Monkey
userPassword: rootpw
    1. run 
      ldapadd -x -D cn=admin,dc=idp,dc=duracloud,dc=org -W -f add_content.ldif
  4. adjust logging 
    vi logging.ldif
    • add 
      dn: cn=config
changetype: modify
add: olcLogLevel
olcLogLevel: stats
    • run 
      sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f logging.ldif
  5. secure remote access 
    sudo vi certinfo.ldif
    • add 
      dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/gd_bundle.crt
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/duracloud.org.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/duracloud.org.key
    • run 
      sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f certinfo.ldif
    • add user 
      sudo adduser openldap ssl-cert
    • restart 
      sudo service slapd restart

shibboleth / LDAP integration

  1. reference
  2. replace basic-auth with ldap-auth 
    sudo vi /opt/shibboleth-idp/conf/handler.xml
    • update 
      comment out:
    <ph:LoginHandler xsi:type="ph:RemoteUser">...

uncomment:
    <ph:LoginHandler xsi:type="ph:UsernamePassword"...
  3. update jaas config 
    sudo vi /opt/shibboleth-idp/conf/login.config
    • uncomment and update 
         edu.vt.middleware.ldap.jaas.LdapLoginModule required
      ldapUrl="ldap://idp.duracloud.org:389"
      baseDn="ou=people,dc=idp,dc=duracloud,dc=org"
      tls="true"
      userFilter="uid={0}";

helpful commands

ldapsearch -x -LLL -H ldap:/// -b dc=duracloud,dc=org dn
ldapsearch -x -LLL -H ldap:/// -b dc=compute-1,dc=internal dn
ldapsearch -x -LLL -b dc=idp,dc=duracloud,dc=org 'uid=awoods'

todo

  1. investigate idp.duracloud.org:/opt/shibboleth-idp/metadata/idp-metadata.xml : AttributeAuthority

other

sudo apt-get install phpldapadmin -y
  • No labels

All content on the LYRASIS Wiki is licensed under the CC BY (Attribution) license, unless otherwise noted.