What?

Setup of RHDS (Red Hat Directory Server) on RHEL 7, just for testing.

RHDS setup on rhel7

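# setup rhel7u2
#
# Quick RHDS install on a throw-away RHEL 7 box. Run as root. The two
# echo >> lines below append on every run, so run this once on a fresh host.

# raise the open-file limit for the directory server; the pam_limits line
# makes limits.conf apply to login sessions ($ISA is a PAM token, hence the
# single quotes so the shell does not expand it)
echo '* - nofile 8192' >>/etc/security/limits.conf
echo 'session required /lib/security/$ISA/pam_limits.so' >> \
  /etc/pam.d/system-auth
subscription-manager register --autosubscribe
subscription-manager repos --list
subscription-manager repos --disable='*' \
  --enable=rhel-7-server-rpms \
  --enable=rhel-7-server-rhds-10-rpms

yum install -y redhat-ds
# interactive: asks for the instance name and the admin / Directory Manager
# passwords
/usr/sbin/setup-ds-admin.pl
systemctl enable dirsrv-admin
systemctl start dirsrv-admin
# the instance is addressed as dirsrv@<instance name>; the name chosen in
# setup-ds-admin.pl above is assumed to be the host name
instance="$(hostname)"
systemctl start "dirsrv@${instance}"
# TODO: enable dirsrv@${instance} so the instance survives a reboot

# requirements to start the idm-console:
yum -y install 'xorg-x11-font*' xauth
# log out and in again to get x-forwarding working

# to run the console
/usr/bin/redhat-idm-console -a http://localhost:9830

# for now using openldap client tools, test ldapsearch
ldapsearch -x -b dc=fluxcoil,dc=net '(cn=*)'
ldapsearch -x -b dc=fluxcoil,dc=net -D 'cn=Directory Manager' -W '(cn=*)'

# lets fill in some data
# -f makes curl fail on an HTTP error instead of saving the error page as
# the LDIF; only feed the file to ldapadd when the download succeeded
curl -f -o ldap_initial_datasets_rhds.ldif \
  https://fluxcoil.net/files/puppet_scripts/ldap_initial_datasets_rhds.ldif \
  && ldapadd -x -D 'cn=Directory Manager' -W -f ldap_initial_datasets_rhds.ldif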

setting up ssl/tls

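# The NSS certificate/key database lives in the instance directory. The glob
# is expected to match exactly one instance; if the cd fails, every certutil
# call below would create a new database in whatever the cwd is, so stop.
cd /etc/dirsrv/slapd-* || exit 1
# backup of the instance directory before it is touched ('--' keeps a file
# name starting with '-' from being read as a tar option)
tar -cf /tmp/db-backup.tar -- *

# certutil takes the key database password from a file. The server later
# reads the same value from pin.txt, so keep it in one variable. Test-only
# value, obviously.
nss_pw=secret
# unpredictable file name instead of a fixed /tmp/pwdfile in the shared /tmp
pwdfile="$(mktemp /tmp/pwdfile.XXXXXX)" || exit 1
printf '%s\n' "$nss_pw" >"$pwdfile"
chmod 0400 "$pwdfile"
chown nobody "$pwdfile"
certutil -N -d . -f "$pwdfile"

# self-signed CA, then a server cert signed by it (-2: basic constraints,
# certutil asks about it interactively). The cn of the server cert is what
# clients verify against the host name they connect to (see the -h in the
# ldapsearch tests), so it has to be the FQDN the clients use.
server_fqdn=rhel7u2a.fluxcoil.net
certutil -S -n "CA certificate" \
  -s "cn=My Org CA cert,dc=example,dc=com" -2 -x -t "CT,," \
  -m 1000 -v 120 -d . -k rsa -f "$pwdfile"
certutil -S -n "Server-Cert" -s "cn=${server_fqdn}" \
  -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d . \
  -k rsa -f "$pwdfile"
# export the CA cert as PEM for the clients and have a look at it
certutil -d . -L -n "CA certificate" -a > cacert.asc
openssl x509 -in cacert.asc -noout -text
# the password file is not needed any more once the database is populated
rm -f -- "$pwdfile"

# pin.txt lets the server unlock the key database at start without a prompt.
# It holds the password in clear, so only the user the instance runs as
# (nobody in this setup) may read it.
(umask 377; printf 'Internal (Software) Token:%s\n' "$nss_pw" >pin.txt)
chown nobody:nobody pin.txt

# verify currently we only listen on :389
netstat -ntlp

# login with 'cn=Directory Manager' / $chosenpassword,
# then activate encryption:
/usr/bin/redhat-idm-console -a http://localhost:9830
#   click "Directory Server", open
#   configuration, encryption, "enable SSL for this server"
#   "use this cyper family: RSA", save
#   then close the console

# restart instance
systemctl restart "dirsrv@$(hostname)"

# verify we now listen at :636 additionally
netstat -ntlp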

using ssl/tls as client

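# create the hashes, we will be using the
# cacert /etc/dirsrv/slapd-*/cacert.asc from RHDS
cp /etc/dirsrv/slapd-*/cacert.asc /etc/openldap/certs
cacertdir_rehash /etc/openldap/certs

# now configure the openldap client utilities to use the cacert
# NB: -i and -e have to be separate options. GNU sed parses '-ie' as
# "-i with backup suffix e", which edits the file but also leaves a stray
# /etc/openldap/ldap.confe copy behind.
sed -i -e 's,^TLS_CACERTDIR,#TLS_CACERTDIR,' /etc/openldap/ldap.conf
# appends on every run; remove the duplicate lines if you re-run this
echo 'TLS_CACERT /etc/openldap/certs/cacert.asc' >>/etc/openldap/ldap.conf

# now verify tls works: with -ZZ (or more) ldapsearch fails unless StartTLS
# succeeds, and the host name given to -h has to match the cn of the
# server cert, so this really exercises certificate verification
ldapsearch -x -b dc=fluxcoil,dc=net -h rhel7u2a.fluxcoil.net -ZZZ '(cn=*)'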

setting users passwords

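# now with the secured connection, setting passwords works:
# -ZZ refuses to continue unless StartTLS succeeds, so neither the
# Directory Manager bind nor the new password cross the wire in the clear.
# NB: -s / -w put the password on the command line, where every local user
# can see it via ps and it lands in the shell history. Acceptable on a
# throw-away test box; elsewhere use -S / -W (prompt) or -T / -y (read it
# from a file) instead.
test_pw=redhat
for user in user0 user1; do
  ldappasswd -x -h rhel7u2a.fluxcoil.net -D 'cn=Directory Manager' \
    -W -s "$test_pw" -ZZ "cn=${user},ou=users,dc=fluxcoil,dc=net"
done

# verify bind with new password works. -h is given explicitly, as in the TLS
# test above, so the host name matches the cn of the server cert.
ldapsearch -x -b dc=fluxcoil,dc=net -h rhel7u2a.fluxcoil.net \
  -D 'cn=user0,ou=users,dc=fluxcoil,dc=net' -w "$test_pw" -ZZZ '(cn=*)'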