Re: Instructions to configure Fortress with existing OpenLDAP instance
On 07/03/2014 08:32 AM, Shawn McKinney wrote:
> On 07/03/2014 08:25 AM, Shawn McKinney wrote:
>> > For installing Fortress to use an existing OpenLDAP instance, follow the excerpt below:
>> >
Added instructions to set up the default and audit DBs in slapd.conf...
___________________________________________________________________________________
###################################################################################
# SECTION 6. Instructions for using pre-existing or native OpenLDAP installation.
###################################################################################
a. Install OpenLDAP using your existing package management system.
For example:
+ On Debian systems: http://wiki.debian.org/LDAP/OpenLDAPSetup
+ Ubuntu: https://help.ubuntu.com/community/OpenLDAPServer
+ etc.
b. Copy fortress schema to openldap schema folder:
cp FORTRESS_HOME/ldap/schema/fortress.schema OPENLDAP_HOME/etc/openldap/schema
c. Enable Fortress schema in slapd.conf:
include OPENLDAP_HOME/etc/openldap/schema/fortress.schema
note: for steps b & c above substitute FORTRESS_HOME for root of your Fortress installation.
note: for step b above substitute OPENLDAP_HOME for root of your OPENLDAP installation.
d. For password policy support, enable pwpolicy overlay in slapd.conf:
moduleload ppolicy.la
e. For Fortress audit support, enable slapoaccesslog in slapd.conf:
moduleload accesslog.la
f. Add Fortress audit log settings to slapd.conf:
# History DB Settings (optional, use only if fortress audit is needed)
# note: the following settings may be tailored to your requirements:
database mdb
maxreaders 64
maxsize 1000000000
suffix "cn=log"
rootdn "cn=Manager,cn=log"
rootpw "{SSHA}pSOV2TpCxj2NMACijkcMko4fGrFopctU"
index objectClass,reqDN,reqAuthzID,reqStart,reqAttr eq
directory "/var/openldap/hist"
access to *
by dn.base="cn=Manager,cn=log" write
dbnosync
checkpoint 64 5
g. Add Fortress default DB settings to slapd.conf:
# Default DB Settings
# note: the following settings may be tailored to your requirements:
database mdb
maxreaders 64
maxsize 1000000000
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw "{SSHA}pSOV2TpCxj2NMACijkcMko4fGrFopctU"
index uidNumber,gidNumber,objectclass eq
index cn,sn,ftObjNm,ftOpNm,ftRoleName,uid,ou eq,sub
index ftId,ftPermName,ftRoles,ftUsers,ftRA,ftARA eq
directory "/var/openldap/dflt"
overlay accesslog
logdb "cn=log"
dbnosync
checkpoint 64 5
h. More Fortress audit log settings in slapd.conf:
# Audit Log Settings (optional, use only if fortress audit is needed)
# note: the following settings may be tailored to your requirements:
logops bind writes compare
logoldattr ftModifier ftModCode ftModId ftRC ftRA ftARC ftARA ftCstr ftId ftPermName ftObjNm ftOpNm ftObjId ftGroups ftRoles ftUsers ftType
logpurge 5+00:00 1+00:00
# Instructions to configure Fortress to work with your customized OpenLDAP instance
i. Gather the following information about your OpenLDAP instance:
i. suffix
ii. host
iii. port
iv. ldap user account that has read/write priv for default DIT (root works)
v. pw for above
vi. ldap user account that has read/write priv for access log DIT (log root works)
vii. pw for above
j. Example OpenLDAP instance:
i. dc=example, dc=com
ii. myhostname
iii. 389
iv. "cn=Manager,dc=example,dc=com"
v. secret
vi. "cn=Manager,cn=log"
vii. secret
k. Modify the build.properties file with these settings:
i. suffix.name=example
suffix.dc=com
ii. ldap.host=myhostname
iii. ldap.port=389
iv. root.dn=cn=Manager,${suffix}
v. root.pw=secret
note: the above may be hashed using slappasswd
vi. log.root.dn=cn=Manager,${log.suffix}
vii. secret
l. Create the Fortress DIT:
from the FORTRESS_HOME root folder, enter the following:
>$ANT_HOME/bin/ant load-slapd
m. Skip to SECTION 8 to regression test Fortress and OpenLDAP
_______________________________________________________________________________
###############################################################################
# SECTION 8. Instructions to test openldap-fortress-core using regression tests
###############################################################################
a. from FORTRESS_HOME enter the following command:
>$ANT_HOME/bin/ant test-full
Notes:
- These tests load tens of thousands of ldap records into your newly installed directory.
- The 'init-slapd' and/or 'test-full' targets may be re-run as often as necessary.
- After regression testing has completed, you may run the 'init-slapd' target to remove all test data from the directory.
- If you followed the steps in SECTION 6 (existing OpenLDAP server), do NOT run the init-slapd target.
- WARNING log messages in test output are good, as these are negative tests in action.
- If these tests complete without junit or ant ERRORS, Fortress is certified to run on your target ldap server machine.
--
Shawn McKinney
shawn.mckinney@jts.us
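The slapd.conf edits in SECTION 6 above are easy to get half right (one moduleload forgotten, logops left off, a cleartext rootpw pasted in during testing). The script below is an added example, written for this page; it is not part of the original post and not code from the Fortress project. It parses the flat slapd.conf syntax used in the post (global directives, then database sections, with overlay blocks inside a database, and continuation lines that start with whitespace) and reports which of the SECTION 6 directives are missing, plus two caveats a reviewer would raise: a rootpw that is not a slappasswd hash, and dbnosync, which slapd-mdb(5) documents as trading durability for speed. The DN comparison is a deliberate simplification (whitespace stripped, lowercased), the suffixes are passed in by the caller, and the sample config at the bottom is constructed here and deliberately incomplete.

```python
"""Check a slapd.conf for the directives Fortress's SECTION 6 relies on.

Added example, not from the original post or the Fortress project.  Runs
offline: it only reads text, it never talks to slapd.
"""
import re


def _logical_lines(text):
    """Join continuation lines (a line beginning with whitespace continues the
    previous one, per slapd.conf(5)); drop blank lines and '#' comments."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out


def _tokens(line):
    """Split 'keyword arg "quoted arg"' into (lowercase keyword, [args])."""
    toks = [q if q else u for q, u in re.findall(r'"([^"]*)"|(\S+)', line)]
    return toks[0].lower(), toks[1:]


def parse_slapd_conf(text):
    """Return (global_directives, databases).

    global_directives: list of (keyword, args).  Each database is a dict with
    "type" (e.g. "mdb") and "entries": (keyword, args, overlay) triples, where
    overlay is the overlay block the line appeared under, or None."""
    glob, dbs, db, overlay = [], [], None, None
    for line in _logical_lines(text):
        kw, args = _tokens(line)
        if kw == "database":
            db = {"type": args[0] if args else "", "entries": []}
            dbs.append(db)
            overlay = None
        elif db is None:
            glob.append((kw, args))
        elif kw == "overlay":
            overlay = args[0] if args else ""
            db["entries"].append((kw, args, None))
        else:
            db["entries"].append((kw, args, overlay))
    return glob, dbs


def _args(db, kw):
    """Every argument list for kw in a database section.  Generic database
    directives (dbnosync, checkpoint) may legally follow an overlay line in
    slapd.conf, so the overlay a line sits under is ignored here."""
    return [a for k, a, _ in db["entries"] if k == kw]


def _first(db, kw):
    found = _args(db, kw)
    return found[0][0] if found and found[0] else None


def _norm_dn(dn):
    """Crude DN comparison (assumption: plain suffixes like the post's)."""
    return re.sub(r"\s+", "", dn).lower()


def check_fortress_conf(text, suffix, log_suffix):
    """Return 'FAIL: ...' / 'WARN: ...' findings; [] means SECTION 6 is met."""
    glob, dbs = parse_slapd_conf(text)
    out = []
    g = lambda kw: [a for k, a in glob if k == kw]

    if not any(a and a[0].endswith("fortress.schema") for a in g("include")):
        out.append("FAIL: global: no 'include .../fortress.schema' (step c)")
    loaded = {a[0] for a in g("moduleload") if a}
    for mod, step in (("ppolicy.la", "d"), ("accesslog.la", "e")):
        if mod not in loaded:
            out.append(f"FAIL: global: 'moduleload {mod}' missing (step {step})")

    by_suffix = {}
    for db in dbs:
        s = _first(db, "suffix")
        if s is None:
            out.append(f"FAIL: a '{db['type']}' database has no suffix")
            continue
        by_suffix[_norm_dn(s)] = db
        pw = _first(db, "rootpw")
        if pw is not None and not pw.startswith("{"):
            out.append(f"FAIL: {s}: rootpw is cleartext; store the slappasswd hash")
        if _args(db, "dbnosync"):
            out.append(f"WARN: {s}: dbnosync trades durability for speed "
                       "(slapd-mdb(5)); fine for test data, not for production")

    main, logdb = by_suffix.get(_norm_dn(suffix)), by_suffix.get(_norm_dn(log_suffix))
    if main is None:
        out.append(f"FAIL: no database with suffix {suffix} (step g)")
    if logdb is None:
        out.append(f"FAIL: no audit database with suffix {log_suffix} (step f)")

    if main is not None:
        if "accesslog" not in {a[0] for a in _args(main, "overlay") if a}:
            out.append(f"FAIL: {suffix}: 'overlay accesslog' missing (step g)")
        else:
            ld = _first(main, "logdb")
            if ld is None or _norm_dn(ld) != _norm_dn(log_suffix):
                out.append(f"FAIL: {suffix}: logdb must name the audit suffix {log_suffix}")
            if not _args(main, "logops"):
                out.append(f"FAIL: {suffix}: no 'logops' line, nothing is audited (step h)")

    if logdb is not None:
        indexed = " ".join(" ".join(a) for a in _args(logdb, "index")).lower()
        if "reqstart" not in indexed:
            out.append(f"WARN: {log_suffix}: reqStart not indexed; logpurge "
                       "and audit searches on reqStart will scan the whole log")
    return out


# Constructed sample: missing ppolicy.la, cleartext audit rootpw, no logops.
SAMPLE_CONF = """\
include     /etc/openldap/schema/core.schema
include     /etc/openldap/schema/fortress.schema
moduleload  accesslog.la

database    mdb
suffix      "cn=log"
rootdn      "cn=Manager,cn=log"
rootpw      secret
index       objectClass,reqDN,reqAuthzID,reqStart,reqAttr
            eq
directory   /var/openldap/hist

database    mdb
suffix      "dc=example,dc=com"
rootdn      "cn=Manager,dc=example,dc=com"
rootpw      {SSHA}pSOV2TpCxj2NMACijkcMko4fGrFopctU
index       objectClass eq
directory   /var/openldap/dflt
overlay     accesslog
logdb       "cn=log"
dbnosync
"""

if __name__ == "__main__":
    for line in check_fortress_conf(SAMPLE_CONF, "dc=example, dc=com", "cn=log"):
        print(line)
```

Run it against your own slapd.conf by reading the file into check_fortress_conf with the two suffixes from step i; an empty list means every directive from steps c through h is present. The script only checks that directives exist and point at each other; whether slapd accepts the file is still a job for slaptest.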