Friday, 26 September 2014

[PART 1] Ovirt with SSO - openldap

This tutorial was tested with Fedora 18 for OpenLDAP and CentOS 6.5 for oVirt. I will try to give detailed steps on how to get oVirt working with SSO.
I assume that you have some basic knowledge of oVirt, LDAP and Kerberos.

Installing OpenLDAP

First of all, we need to install OpenLDAP as the LDAP provider.
We will later install Kerberos as the authN (authentication) provider:
$ yum -y install openldap-{clients,servers}
Ok, once we have both packages installed, we start the service and enable it at boot:
$ systemctl start slapd
$ systemctl enable slapd
Now we have OpenLDAP up and running, but we are still far from what we need.

Configuring schemas, overlay, dn and password

First of all we need to add the cosine and inetorgperson schemas:
$ ldapadd -H ldapi:/// -Y EXTERNAL -f /etc/openldap/schema/cosine.ldif
$ ldapadd -H ldapi:/// -Y EXTERNAL -f /etc/openldap/schema/inetorgperson.ldif
If we want oVirt to work correctly with groups, we have to add the memberof overlay (LDIF entries are separated by a blank line):
$ cat /tmp/memberof.ldif
dn: cn={0}module,cn=config
objectClass: olcModuleList
cn: {0}module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: {0}memberof.la

dn: olcOverlay={0}memberof,olcDatabase={2}hdb,cn=config
objectClass: olcConfig
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: {0}memberof
$ ldapadd -H ldapi:/// -Y EXTERNAL -f /tmp/memberof.ldif
Now we have to create a password for the directory administrator:
$ slappasswd
New password:
Re-enter new password:
{SSHA}sWl2t6bk77IXh3BZeCtqii6rLz6aUUyA
Specify our suffix, rootdn and the password hash of the directory manager (the {SSHA} value produced by slappasswd above).
$ cat /tmp/config.ldif
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=openldap,dc=yourdomain,dc=com
-
replace: olcRootDN
olcRootDN: cn=Manager,dc=openldap,dc=yourdomain,dc=com
-
replace: olcRootPW
olcRootPW: {SSHA}sWl2t6bk77IXh3BZeCtqii6rLz6aUUyA
-
$ ldapmodify -H ldapi:/// -Y EXTERNAL -f /tmp/config.ldif
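What slappasswd produced above, as an added example that is not part of the original post: an {SSHA} value is base64(SHA-1(password || salt) || salt), and these small helpers (my own function names) build one, split a stored value back into digest and salt, and verify a candidate password against it, which is a quick offline check that the olcRootPW pasted into config.ldif is the hash you think it is.

```python
import base64
import hashlib
import hmac
import os

PREFIX = "{SSHA}"
SHA1_LEN = 20  # bytes in a SHA-1 digest


def ssha_hash(password, salt=None):
    """Build an {SSHA} value the way slappasswd does by default:
    base64( SHA-1(password || salt) || salt ), with a 4-byte random salt."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def parse_ssha(value):
    """Split an {SSHA} value into (digest, salt); ValueError if malformed."""
    if not value.startswith(PREFIX):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(value[len(PREFIX):], validate=True)
    if len(raw) < SHA1_LEN:
        raise ValueError("too short to hold a SHA-1 digest")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def ssha_verify(value, password):
    """Check a candidate password against an {SSHA} value such as olcRootPW.
    The salt is recovered from the stored value, so nothing secret is needed."""
    digest, salt = parse_ssha(value)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # constant-time comparison, as for any credential check
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed demo values: a fixed salt makes the output reproducible.
    stored = ssha_hash("changeme", salt=b"\x01\x02\x03\x04")
    print(stored)
    print(ssha_verify(stored, "changeme"), ssha_verify(stored, "wrong"))
```

Salted SHA-1 is cheap to brute-force offline, so treat the rootpw as a high-value secret; slappasswd -h lets you choose another scheme, and the parsing shape above is the same for the other {SCHEME}base64 values.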

Create OU for users and groups

Create the organization and the organizational units for users and groups.
$ cat /tmp/structure.ldif
dn: dc=openldap,dc=yourdomain,dc=com
objectClass: dcObject
objectClass: organization
dc: openldap
o: OpenLDAP Example

dn: ou=Users,dc=openldap,dc=yourdomain,dc=com
objectClass: organizationalUnit
ou: Users

dn: ou=Groups,dc=openldap,dc=yourdomain,dc=com
objectClass: organizationalUnit
ou: Groups
$ ldapadd -x -H ldapi:/// -D 'cn=Manager,dc=openldap,dc=yourdomain,dc=com' -W -f /tmp/structure.ldif
Create a user and a group.
$ cat /tmp/users.ldif
dn: uid=user0,ou=Users,dc=openldap,dc=yourdomain,dc=com
objectclass: inetOrgPerson
objectclass: uidObject
uid: user0
cn: User2
givenName: User
title: User
mail: user0@openldap.yourdomain.com
sn: user0
$ ldapadd -H ldapi:/// -D 'cn=Manager,dc=openldap,dc=yourdomain,dc=com' -x -W -f /tmp/users.ldif
$ cat /tmp/group.ldif
dn: cn=Group0,ou=Groups,dc=openldap,dc=yourdomain,dc=com
objectclass: groupOfNames
cn: Group0
member: uid=user0,ou=Users,dc=openldap,dc=yourdomain,dc=com
member: uid=user1,ou=Users,dc=openldap,dc=yourdomain,dc=com
$ ldapadd -H ldapi:/// -D 'cn=Manager,dc=openldap,dc=yourdomain,dc=com' -x -W -f /tmp/group.ldif

Try it

$ ldapsearch -LLL -H ldapi:/// -b 'dc=openldap,dc=yourdomain,dc=com' -x '(uid=user0)'
dn: uid=user0,ou=Users,dc=openldap,dc=yourdomain,dc=com
objectclass: inetOrgPerson
objectclass: uidObject
uid: user0
cn: User2
title: User
sn: user0
givenName: User
mail: user0@openldap.yourdomain.com
In the next part we will configure OpenLDAP with Kerberos.
