LDAP installation and deployment guide

Preparation

  • Download the image here
  • Configure the virtual machine with the following parameters:
    • Volume size: 3 GB
    • RAM: 128 MB
    • Name: ldap
  vmcreate --size 3G --file ldap-1.1_3.tgz --mem 128 --ip 192.168.69.21 ldap
  • Boot the virtual machine:
  xm create -c /etc/xen/auto/ldap
  • Log in as root with the password passwd.root and change this default password

Machine configuration

There are two configuration options available:
  • Centralized configuration: if the machine is going to be integrated in a ModularIT management structure
  • Local configuration: if the machine is not going to be integrated in a ModularIT management structure

Centralized configuration

On the Puppet server

  • The global LDAP parameters are defined within the machine's client group:
  ## LDAP service variables
  # IP of the LDAP server
  $ldap_ip = "192.168.69.21"
  # LDAP
  $ldapsuffix = "dc=modularit,dc=com"
  $ldappass = "ldap.pass"
  # DHCP
  $domainname = "modularit.lan"
  $dnsservers = "$ldap_ip"
  $router = "192.168.69.1"
  $netprefix = "192.168.69"
  $nbservers = "$samba_ip"
  $dhcpkey = "wezsyLWspcFUDAA0iZu0jQMtLTTcyRlWnOcrpYxNerYbalGODZVGmTvMjUbh"
  # Intranet
  $clientname = "Entorno de pruebas ModularIT"
  # Installed ModularIT services in this client
  $modularit_services = [ "ldap", "mail", "samba" ]
  ## Samba: even if you are not using Samba, you must set these variables because the LDAP schema needs them
  $smbdomain = "MYDOMAIN"
  $sambasid = "S-1-5-21-2790672475-122728562-422803382"
  • Create the node entry for the ModularIT machine being installed:
  node "devel.ldap" inherits "devel" {
      # First installation?
      $bootstrap = yes

      $modularit_name = "devel.ldap"
      $comment = "Development LDAP"
      include modularit
  }

Client configuration (The machine being installed)

  • puppetd is restarted in debug mode to verify that it updates correctly:
  /etc/init.d/puppet stop
  puppetd --debug --no-daemonize --runinterval 60 --fqdn NOMBRE_MODULARIT --server PUPPET_MODULARIT
  • The parameters NOMBRE_MODULARIT and PUPPET_MODULARIT are provided by the service manager (subscribe to the mailing list if you have questions about this)
  • Puppet is started as a service once it has completed several cycles without errors:
  /etc/init.d/puppet restart
  • Run PIFIA to verify that notifications reach Nagios correctly:
  /var/lib/pica/bin/scheduler Emergency
  /var/lib/pica/bin/scheduler Warning
  • Check the Nagios alerts: everything should be OK except for critical AIDE alerts, which are expected at this point (AIDE is initialized later)

Local configuration

The following installation mode is needed when the machine is not integrated in a centralized ModularIT management structure.

  • Go to the /opt directory
  • Download the ModularIT configuration tree:
  links --source "http://git.modularit.org/?p=modularit.git;a=snapshot;h=HEAD;sf=tgz" | tar xvzf -
  • This will create the /opt/modularit directory
  • A directory for the puppet modules is created:
  mkdir /etc/puppet/modules
  ln -s /opt/modularit/Puppet/modularit /etc/puppet/modules/
  • Edit the file /opt/modularit/Puppet/offline/variables.pp so that it contains the correct configuration. This file is common to all ModularIT installations. Remember that the LDAP service is mandatory in a ModularIT configuration.
  • Edit the file /opt/modularit/Puppet/offline/offline.pp to reflect the name and type of the ModularIT machine, in this case ldap. This file differs for each machine (the name and type of machine are always different)
  • Once the configuration is complete, run Puppet in off-line mode:
  puppet --debug /opt/modularit/Puppet/offline/offline.pp
  • The process should finish without errors

Service preparation

  • Run the LDAP service initialization script. Note: this step removes the existing LDAP database and must only be done when initializing the database for the first time:
  modularit-ldap-init.rb
  • This script creates the basic LDAP objects:
    • Container objects
    • SAMBA domain with the configured name and SID
    • Predefined groups:
      • Users (10000) Domain Users
      • Administrators (10001) Domain Admins
      • Machines (10002) Domain Machines
    • Admin user: the administrator of every ModularIT service. This account is disabled by default; the LDAP manager must activate it and set a password
  • Connect to the URL: http://ldap/lam/
  • Authenticate using the password configured in $ldappass
  • Create the groups required by the defined security configuration
  • The primary group of every user must be users. Applications that use LDAP only see explicit group membership (the user appearing in the group's member list), not the primary group
  • Create the required groups
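The following Ruby script is an added example and is not the project's modularit-ldap-init.rb. It renders the basic objects listed above (containers, Samba domain, the three predefined groups, the disabled admin account) as LDIF from the Puppet values on this page, and then checks the membership rule from the last steps: a user's primary group must be users, and any other membership must be explicit, because LDAP-aware applications only look at the group's member list. The OU names, the group cn values, the admin uid and uidNumber, and the Samba RIDs used for the groups and the admin account are assumptions, not values taken from the guide.

```ruby
# Added example, not the project's modularit-ldap-init.rb: builds the minimal
# tree the guide lists as LDIF records and checks the group-membership rule from
# "Service preparation". OU names, group cn values, the admin uid, the uidNumber
# and the Samba RIDs used below are assumptions, not values from the guide.

SUFFIX    = "dc=modularit,dc=com"                       # $ldapsuffix on the page
SMBDOMAIN = "MYDOMAIN"                                  # $smbdomain on the page
SAMBASID  = "S-1-5-21-2790672475-122728562-422803382"   # $sambasid on the page
USERS_GID = 10000                                       # gid of the mandatory primary group

# gid => [cn, Samba display name, well-known domain RID]; the three groups the guide lists
PREDEFINED_GROUPS = {
  10000 => ["users",    "Domain Users",    513],
  10001 => ["admins",   "Domain Admins",   512],
  10002 => ["machines", "Domain Machines", 515],
}

# Render one entry as an LDIF record ("attr: value" lines; a blank line ends it).
def ldif_record(dn, attrs)
  lines = ["dn: #{dn}"]
  attrs.each { |k, vals| Array(vals).each { |v| lines << "#{k}: #{v}" } }
  lines.join("\n") + "\n\n"
end

# The basic objects the init script creates: containers, Samba domain,
# predefined groups and the (disabled) admin account, as [dn, attrs] pairs.
def base_entries
  dc = SUFFIX.split(",").first.sub("dc=", "")
  entries = [
    [SUFFIX, { "objectClass" => %w[top dcObject organization], "dc" => dc, "o" => dc }],
    ["ou=People,#{SUFFIX}",    { "objectClass" => %w[top organizationalUnit], "ou" => "People" }],
    ["ou=Groups,#{SUFFIX}",    { "objectClass" => %w[top organizationalUnit], "ou" => "Groups" }],
    ["ou=Computers,#{SUFFIX}", { "objectClass" => %w[top organizationalUnit], "ou" => "Computers" }],
    ["sambaDomainName=#{SMBDOMAIN},#{SUFFIX}",
     { "objectClass" => %w[top sambaDomain], "sambaDomainName" => SMBDOMAIN, "sambaSID" => SAMBASID }],
  ]
  PREDEFINED_GROUPS.each do |gid, (cn, display, rid)|
    entries << ["cn=#{cn},ou=Groups,#{SUFFIX}",
                { "objectClass" => %w[top posixGroup sambaGroupMapping], "cn" => cn,
                  "gidNumber" => gid, "displayName" => display,
                  "sambaSID" => "#{SAMBASID}-#{rid}", "sambaGroupType" => 2 }]
  end
  # Admin account: primary group users, no userPassword, Samba 'D' (disabled) flag.
  # The LDAP manager enables it and sets a password later, as the guide says.
  entries << ["uid=admin,ou=People,#{SUFFIX}",
              { "objectClass" => %w[top posixAccount shadowAccount sambaSamAccount],
                "uid" => "admin", "cn" => "ModularIT administrator", "uidNumber" => 1000,
                "gidNumber" => USERS_GID, "homeDirectory" => "/home/admin",
                "sambaSID" => "#{SAMBASID}-3000", "sambaAcctFlags" => "[UD         ]" }]
  entries
end

# What an LDAP-aware application sees: only the groups that list the uid
# explicitly in memberUid. The account's gidNumber (primary group) is ignored.
def groups_of(entries, uid)
  entries.select { |_, a| Array(a["objectClass"]).include?("posixGroup") }
         .select { |_, a| Array(a["memberUid"]).include?(uid) }
         .map    { |_, a| a["cn"] }
end

# Grant membership the way the guide requires: explicitly, via memberUid.
def add_to_group(entries, uid, cn)
  _, attrs = entries.find { |dn, _| dn == "cn=#{cn},ou=Groups,#{SUFFIX}" }
  raise ArgumentError, "no such group #{cn}" unless attrs
  attrs["memberUid"] = (Array(attrs["memberUid"]) | [uid])
  entries
end

# Check the guide's rule: every account's primary group is users, and every
# memberUid refers to an existing account. Returns a list of problem strings.
def membership_violations(entries)
  uids = entries.map { |_, a| a["uid"] if Array(a["objectClass"]).include?("posixAccount") }.compact
  problems = []
  entries.each do |_, a|
    oc = Array(a["objectClass"])
    if oc.include?("posixAccount") && a["gidNumber"] != USERS_GID
      problems << "#{a['uid']}: primary gidNumber #{a['gidNumber']} is not users (#{USERS_GID})"
    end
    if oc.include?("posixGroup")
      (Array(a["memberUid"]) - uids).each { |m| problems << "#{a['cn']}: memberUid #{m} does not exist" }
    end
  end
  problems
end

if __FILE__ == $0
  # Print the LDIF; pipe it into ldapadd against a test server to load it.
  puts base_entries.map { |dn, a| ldif_record(dn, a) }.join
end
```

Running the script prints the LDIF for the base tree. The useful part for the security configuration is membership_violations: run it over the entries exported from the directory after creating the groups in LAM, and any account whose primary group is not users, or any group member that does not exist, is reported before an application silently ignores the intended membership.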

Initializing AIDE

Once everything is functioning correctly, initialize the AIDE databases as described in the AIDE
