
Re: Instructions to configure Fortress with existing OpenLDAP instance



On 07/03/2014 08:32 AM, Shawn McKinney wrote:
> On 07/03/2014 08:25 AM, Shawn McKinney wrote:
>> > For installing Fortress to use an existing OpenLDAP instance, follow the excerpt below:
>> > 

Added instructions to set up default and audit DBs in slapd.conf...

___________________________________________________________________________________
###################################################################################
# SECTION 6. Instructions for using pre-existing or native OpenLDAP installation.
###################################################################################

a. Install OpenLDAP using your existing package management system.

    For example:

        + On Debian systems: http://wiki.debian.org/LDAP/OpenLDAPSetup

        + Ubuntu: https://help.ubuntu.com/community/OpenLDAPServer

        + etc.


b. Copy fortress schema to openldap schema folder:

cp FORTRESS_HOME/ldap/schema/fortress.schema OPENLDAP_HOME/etc/openldap/schema


c. Enable Fortress schema in slapd.conf:

include		OPENLDAP_HOME/etc/openldap/schema/fortress.schema

note: for steps b and c above, replace FORTRESS_HOME with the root of your Fortress installation.
note: for step b above, replace OPENLDAP_HOME with the root of your OpenLDAP installation.


d. For password policy support, enable pwpolicy overlay in slapd.conf:

moduleload	ppolicy.la


e. For Fortress audit support, enable slapo-accesslog in slapd.conf:

moduleload  accesslog.la


f. Add Fortress audit log settings to slapd.conf:

# History DB Settings  (optional, use only if fortress audit is needed)
# note: the following settings may be tailored to your requirements:
database	 mdb
maxreaders 64
maxsize 1000000000
suffix		"cn=log"
rootdn      "cn=Manager,cn=log"
rootpw      "{SSHA}pSOV2TpCxj2NMACijkcMko4fGrFopctU"
index objectClass,reqDN,reqAuthzID,reqStart,reqAttr eq
directory	"/var/openldap/hist"
access to *
    by dn.base="cn=Manager,cn=log" write
dbnosync
checkpoint   64 5


g. Add Fortress default DB settings to slapd.conf:

# Default DB Settings
# note: the following settings may be tailored to your requirements:
database	mdb
maxreaders 64
maxsize 1000000000
suffix		"dc=example,dc=com"
rootdn      "cn=Manager,dc=example,dc=com"
rootpw      "{SSHA}pSOV2TpCxj2NMACijkcMko4fGrFopctU"

index uidNumber,gidNumber,objectclass eq
index cn,sn,ftObjNm,ftOpNm,ftRoleName,uid,ou eq,sub
index ftId,ftPermName,ftRoles,ftUsers,ftRA,ftARA eq

directory	"/var/openldap/dflt"
overlay accesslog
logdb   "cn=log"
dbnosync
checkpoint	64 5


h. More Fortress audit log settings in slapd.conf:

# Audit Log Settings (optional, use only if fortress audit is needed)
# note: the following settings may be tailored to your requirements:
logops bind writes compare
logoldattr ftModifier ftModCode ftModId ftRC ftRA ftARC ftARA ftCstr ftId ftPermName ftObjNm ftOpNm ftObjId ftGroups ftRoles ftUsers ftType
logpurge 5+00:00 1+00:00

# Instructions to configure Fortress to work with your customized OpenLDAP instance


i. Gather the following information about your OpenLDAP instance:

i. suffix
ii. host
iii. port
iv. ldap user account that has read/write priv for default DIT (root works)
v. pw for above
vi. ldap user account that has read/write priv for access log DIT (log root works)
vii. pw for above


j. Example OpenLDAP instance:

i. dc=example, dc=com
ii. myhostname
iii. 389
iv. "cn=Manager,dc=example,dc=com"
v. secret
vi. "cn=Manager,cn=log"
vii. secret

k. Modify the build.properties file with settings:

i. suffix.name=example
suffix.dc=com

ii. ldap.host=myhostname

iii. ldap.port=389

iv. root.dn=cn=Manager,${suffix}

v. root.pw=secret
note: the above may be hashed using slappasswd

vi. log.root.dn=cn=Manager,${log.suffix}

vii. secret

l. Create the Fortress DIT:

from the FORTRESS_HOME root folder, enter the following:

>$ANT_HOME/bin/ant load-slapd

m. Skip to SECTION 8 to regression test Fortress and OpenLDAP



_______________________________________________________________________________
###############################################################################
# SECTION 8. Instructions to test openldap-fortress-core using regression tests
###############################################################################

a. From FORTRESS_HOME enter the following command:

>$ANT_HOME/bin/ant test-full

Notes:
  - These tests load tens of thousands of LDAP records into your newly installed directory.
  - The 'init-slapd' and/or 'test-full' targets may be re-run as often as necessary.
  - After regression testing has completed, you may run the 'init-slapd' target to remove all test data from the directory.
  - If you followed the steps in SECTION 6 (existing OpenLDAP server), do NOT run the init-slapd target.
  - WARNING log messages in test output are good, as these are negative tests in action.
  - If these tests complete without JUnit or Ant ERRORS, Fortress is certified to run on your target LDAP server machine.



-- 
Shawn McKinney
shawn.mckinney@jts.us
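A pre-flight check for the slapd.conf edits in steps c through h of SECTION 6, as an added example (not code from the Fortress project or from the post above). It assumes a slapd.conf-style file, embeds a constructed sample so it runs offline, and also flags a rootpw that was not hashed with slappasswd, which the post mentions as an option.

```bash
# Pre-flight check for the slapd.conf edits in SECTION 6 (steps c through h).
# Added example, not part of the Fortress project or of the original post.
# Assumption: a slapd.conf-style file; a constructed sample is embedded below.
set -u
# write_sample_conf FILE: constructed fragment with every SECTION 6 directive
# present but one rootpw stored in cleartext.
write_sample_conf() {
    cat > "$1" <<'EOF'
include     /usr/local/etc/openldap/schema/fortress.schema
moduleload  ppolicy.la
moduleload  accesslog.la
suffix      "cn=log"
rootpw      "{SSHA}pSOV2TpCxj2NMACijkcMko4fGrFopctU"
suffix      "dc=example,dc=com"
rootpw      "secret"
overlay     accesslog
logdb       "cn=log"
logops      bind writes compare
EOF
}
# check_slapd_conf FILE: prints one line per finding and returns the number
# of problems (0 means every SECTION 6 directive is present and rootpw hashed).
check_slapd_conf() {
    local conf="$1" problems=0 pat
    local required=(
        '^include[[:space:]].*fortress\.schema'   # step c: Fortress schema
        '^moduleload[[:space:]]+ppolicy\.la'      # step d: password policy
        '^moduleload[[:space:]]+accesslog\.la'    # step e: audit module
        '^suffix[[:space:]]+"cn=log"'             # step f: history DB
        '^overlay[[:space:]]+accesslog'           # step g: default DB overlay
        '^logdb[[:space:]]+"cn=log"'              # step g: points at history DB
        '^logops[[:space:]]'                      # step h: operations audited
    )
    for pat in "${required[@]}"; do
        grep -Eq "$pat" "$conf" || { echo "missing: $pat"; problems=$((problems + 1)); }
    done
    # A rootpw without a {SCHEME} prefix is stored in cleartext; the post
    # notes that passwords may be hashed with slappasswd.
    if grep -E '^rootpw[[:space:]]' "$conf" | grep -Evq '^rootpw[[:space:]]+"?\{[A-Z0-9]+\}'; then
        echo "cleartext rootpw found; hash it with slappasswd"
        problems=$((problems + 1))
    fi
    return "$problems"
}
sample=$(mktemp); write_sample_conf "$sample"
rc=0; check_slapd_conf "$sample" || rc=$?
echo "problems found: $rc"; rm -f "$sample"
```

Run it against your real slapd.conf instead of the sample (check_slapd_conf /path/to/slapd.conf) before the load-slapd step.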