389-ds/Fedora/RHDS Integration


Justin Mercier

Jan 31, 2013, 2:34:41 AM1/31/13
to pwm-g...@googlegroups.com
Menno,

Here are my current notes for setting up a basic PWM on top of an SSL-secured CentOS 6.3 389-ds server, which I plan to port to RHDS and should also be usable with Fedora.

  • The following uses the ou=People,dc=zen,dc=local bind DN; change the examples below to match your environment.
  • My server is CentOS 6.3 64-bit running 389-ds from the EPEL repository. Default install locations are assumed.
  • The server is secured using Fedora's setupssl2.sh script.
  • SElinux is enforced in targeted mode and iptables is running with ports 389,636, and 9830 open but tailored.
    • I use some custom SElinux code to reverse proxy my PWM but this is not required or covered unless anyone asks.
  • FIPS mode is not enabled as it will break PWM, but TLS and SSLv3 are enabled; unauthenticated connections are disabled.
  • The Java keytool was used to import my CA certificate as detailed in the admin guide.
  • PWM is deployed via tomcat6 but unconfigured.
  • My time is limited but I will respond when I can.
Extend the schema

Create the file  /etc/dirsrv/slapd-<instance>/schema/99-zPWM-schema.ldif (change with your directory values as necessary):

dn: cn=schema
objectclass: top
objectclass: ldapSubentry
objectclass: subschema
cn: schema
aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;acl "anonymous, no acis"; allow (read, search, compare) userdn = "ldap:///anyone";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; allow (all) groupdn="ldap:///cn=Configuration Administrators,ou=Groups,ou=TopologyManagement,o=NetscapeRoot";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (all) userdn="ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "ldap:///cn=slapd-tao,cn=389 Directory Server,cn=Server Group,cn=tao.jfm.local,ou=tao.jfm.local,o=NetscapeRoot";)
attributetypes: ( 1.3.6.1.4.1.35015.1.2.2 NAME 'pwmResponseSet'  SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'user defined' )
attributetypes: ( 1.3.6.1.4.1.35015.1.2.4 NAME 'pwmGUID'  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' )
attributetypes: ( 1.3.6.1.4.1.35015.1.2.1 NAME 'pwmEventLog'  SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'user defined' )
attributetypes: ( 1.3.6.1.4.1.35015.1.2.3 NAME 'pwmLastPwdUpdate'  SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'user defined' )
objectclasses: ( 1.3.6.1.4.1.35015.1.1.1 NAME 'pwmUser' DESC '' SUP top STRUCTURAL MAY ( pwmEventLog $ pwmGUID $ pwmLastPwdUpdate $ pwmResponseSet ) X-ORIGIN 'user defined' )

Reboot the directory server when complete: # service dirsrv restart

Create the PWM Users


Create a temp file called /tmp/pwmusers.ldif and load it using ldapadd (again, change your OUs and DCs as necessary):

dn: uid=pwmproxy,ou=People,dc=zen,dc=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: pwmproxy
sn: Proxy
givenName: PWM
cn: pwmproxy
displayName: PWM Proxy
userPassword: yourpassword

dn: uid=pwmtest,ou=People,dc=zen,dc=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: pwmtest
sn: Test
givenName: PWM
cn: PWM Test
displayName: PWM Test
userPassword: yourpassword

Delete the file after it is loaded unless you use CRYPT passwords.

Create the PWM ACI

Create a temp file called /tmp/pwmaci.ldif and load it using ldapadd (again, change your OUs and DCs as necessary):

# Both ACI values belong in one change record: "replace: aci" discards every
# existing aci value on the entry, so a second "replace: aci" record for the
# same DN would silently drop the "Proxy Search" ACI added by the first.
dn: ou=People,dc=zen,dc=local
changetype: modify
replace: aci
aci: (targetattr = "*") (version 3.0; acl "Proxy Search"; allow (all,proxy) userdn = "ldap:///uid=pwmproxy,ou=People,dc=zen,dc=local";)
aci: (targetattr ="userpassword || telephonenumber || facsimiletelephonenumber || pwmResponseSet")(version 3.0;acl "Allow self entry modification";allow (write)(userdn = "ldap:///self");)

Configure PWM WebApp

389-based directory servers use UID as the naming context so this will need to be specified in a few areas.

Open the configuration web app and set:

  • LDAP Proxy User: uid=pwmproxy,ou=People,dc=zen,dc=local
  • : ou=People,dc=zen,dc=local
  • LDAP Test User: uid=pwmtest,ou=People,dc=zen,dc=local
  • Username search filter (Advanced): (&(objectClass=Person)(|(cn=%USERNAME%)(uid=%USERNAME%)))
  • LDAP Naming Attribute (Advanced): uid

Configure PWM Password Policy

Attempts to merge the PWM password policy with the directory will fail spectacularly. So set your PWM password policy to meet or exceed your LDAP password policy. Therefore go to Settings » Password Policy and set View » Advanced Settings:

  • Password Policy Source (Advanced): PWM
  • Minimum Length: 8
  • Maximum Sequential Repeat: 2
  • Minimum numeric: 1
  • Minimum Special: 1
  • Minimum Alpha: 1
  • Min Non-alpha: 1
  • Min upper: 1
  • Min lower: 1
  • Min strength: 45
  • Set corresponding maximums to 0

Failure to set the above in my experience will yield strange results.  I welcome feedback on the topic.

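The "Create the PWM ACI" step puts two ACI values on ou=People, and LDAP modify semantics decide what ends up there: a change record with replace: aci discards every existing aci value on the entry, so two separate replace records for the same DN leave only the second one, while one record carrying both values keeps both. The added Python example below, which is neither the thread's nor 389-ds's code, implements a minimal parser for changetype: modify records and applies replace, add and delete to an in-memory entry so the outcome can be checked before touching the directory. The starting entry, holding the 389-ds default self-modification ACI, is constructed; the ACI strings are the ones from the thread.

```python
import re

DN = "ou=People,dc=zen,dc=local"

# Constructed: an entry that already carries the 389-ds default self-write ACI.
EXISTING_ENTRY = {
    "aci": ['(targetattr ="userpassword || telephonenumber || facsimiletelephonenumber")'
            '(version 3.0;acl "Allow self entry modification";allow (write)(userdn = "ldap:///self");)'],
}

PROXY_ACI = ('(targetattr = "*") (version 3.0; acl "Proxy Search"; allow (all,proxy) '
             'userdn = "ldap:///uid=pwmproxy,ou=People,dc=zen,dc=local";)')
SELF_ACI = ('(targetattr ="userpassword || telephonenumber || facsimiletelephonenumber || pwmResponseSet")'
            '(version 3.0;acl "Allow self entry modification";allow (write)(userdn = "ldap:///self");)')

# Two change records that each "replace: aci" on the same entry.
TWO_REPLACES = f"""dn: {DN}
changetype: modify
replace: aci
aci: {PROXY_ACI}

dn: {DN}
changetype: modify
replace: aci
aci: {SELF_ACI}
"""

# One change record carrying both values.
ONE_REPLACE = f"""dn: {DN}
changetype: modify
replace: aci
aci: {PROXY_ACI}
aci: {SELF_ACI}
"""


def parse_modify_records(text):
    """Parse 'changetype: modify' LDIF records into (dn, [(op, attr, [values]), ...])."""
    records = []
    for block in text.strip().split("\n\n"):
        lines = [line for line in block.splitlines() if line.strip()]
        dn = lines[0].split(": ", 1)[1]
        if lines[1].lower() != "changetype: modify":
            raise ValueError("only changetype: modify records are handled here")
        ops, current = [], None
        for line in lines[2:]:
            if line == "-":  # separator between modify operations
                current = None
                continue
            key, _, value = line.partition(": ")
            if current is None:
                if key not in ("add", "replace", "delete"):
                    raise ValueError(f"expected an operation, got {line!r}")
                current = (key, value.lower(), [])
                ops.append(current)
            elif key.lower() == current[1]:
                current[2].append(value)
            else:
                raise ValueError(f"value for {key!r} inside a {current[1]!r} operation")
        records.append((dn, ops))
    return records


def apply_modify(entry, ops):
    """Apply LDAP modify semantics to a copy of an entry (dict attr -> list of values)."""
    entry = {k: list(v) for k, v in entry.items()}
    for op, attr, values in ops:
        if op == "replace":  # replace drops all existing values first
            if values:
                entry[attr] = list(values)
            else:
                entry.pop(attr, None)
        elif op == "add":
            entry.setdefault(attr, []).extend(values)
        elif op == "delete":
            if values:
                entry[attr] = [v for v in entry.get(attr, []) if v not in values]
            else:
                entry.pop(attr, None)
    return entry


def load(entry, ldif_text):
    """Apply every change record in ldif_text to the entry, in order."""
    for _dn, ops in parse_modify_records(ldif_text):
        entry = apply_modify(entry, ops)
    return entry


def acl_names(entry):
    """The acl "..." labels of the entry's ACIs, for quick inspection."""
    found = []
    for value in entry.get("aci", []):
        match = re.search(r'acl "([^"]+)"', value)
        found.append(match.group(1) if match else "?")
    return found
```

Running load(EXISTING_ENTRY, TWO_REPLACES) leaves only "Allow self entry modification" on the entry, whereas ONE_REPLACE leaves both "Proxy Search" and the extended self-modification ACI. An add: aci operation would instead keep the default ACI alongside the new ones; replace is the right choice here only because the thread's second ACI is the default one re-issued with pwmResponseSet added.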

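The username search filter set in the "Configure PWM WebApp" step contains two %USERNAME% placeholders that PWM fills in at login. The added example below, which is not PWM's code, shows the RFC 4515 escaping any such substitution needs so that a login name containing *, (, ) or \ is matched literally instead of changing the filter's structure; the template is the one from the thread, and the helper names are assumptions.

```python
# The template from the thread's "Username search filter (Advanced)" setting.
FILTER_TEMPLATE = "(&(objectClass=Person)(|(cn=%USERNAME%)(uid=%USERNAME%)))"

# RFC 4515 section 3: these characters must be hex-escaped inside an assertion value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    """Escape a user-supplied string for use as an LDAP filter assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_username_filter(username, template=FILTER_TEMPLATE):
    """Substitute the escaped username for every %USERNAME% placeholder."""
    if "%USERNAME%" not in template:
        raise ValueError("template has no %USERNAME% placeholder")
    return template.replace("%USERNAME%", escape_filter_value(username))


def assertion_values(filt):
    """Return the raw assertion values (text after '=' up to ')') found in a filter.

    Used here to confirm that, after escaping, the filter still has exactly the
    two user-controlled assertions the template defines and no extra ones.
    """
    values, i = [], 0
    while i < len(filt):
        if filt[i] == "=":
            j = i + 1
            while j < len(filt) and filt[j] != ")":
                j += 2 if filt[j] == "\\" else 1  # skip escape plus first hex digit
            values.append(filt[i + 1:j])
            i = j
        else:
            i += 1
    return values
```

With the example filter, assertion_values(build_username_filter("x)(uid=*")) still yields three values (the objectClass assertion plus the two escaped copies of the login name), which is the property the escaping exists to preserve.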

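The "Configure PWM Password Policy" settings can be checked against candidate passwords and against the directory's own policy. The added Python example below, which is not PWM's implementation, encodes the thread's settings as a dict, reports which rules a candidate fails, and compares the PWM policy with a directory policy to confirm it meets or exceeds it. "Min strength 45" is PWM's internal strength meter and is not modelled; reading "Maximum Sequential Repeat" as the longest run of identical characters is an assumption, as are the rule names.

```python
# Constructed: the thread's PWM settings as a dict. "Min strength 45" is PWM's own
# strength meter and has no simple definition, so it is not modelled here.
PWM_POLICY = {
    "min_length": 8,
    "max_sequential_repeat": 2,  # assumed meaning: no run of more than 2 identical characters
    "min_numeric": 1,
    "min_special": 1,
    "min_alpha": 1,
    "min_non_alpha": 1,
    "min_upper": 1,
    "min_lower": 1,
}


def longest_repeat_run(password):
    """Length of the longest run of the same character, e.g. 'baaac' -> 3."""
    best, run, prev = 0, 0, None
    for ch in password:
        run = run + 1 if ch == prev else 1
        best = max(best, run)
        prev = ch
    return best


def character_counts(password):
    """Per-class character counts matching the policy's min_* rules."""
    alpha = sum(c.isalpha() for c in password)
    return {
        "numeric": sum(c.isdigit() for c in password),
        "special": sum(not c.isalnum() for c in password),
        "alpha": alpha,
        "non_alpha": len(password) - alpha,
        "upper": sum(c.isupper() for c in password),
        "lower": sum(c.islower() for c in password),
    }


def policy_violations(password, policy=PWM_POLICY):
    """Return the names of the rules a candidate password fails (empty means accepted)."""
    failed = []
    if len(password) < policy["min_length"]:
        failed.append("min_length")
    if longest_repeat_run(password) > policy["max_sequential_repeat"]:
        failed.append("max_sequential_repeat")
    counts = character_counts(password)
    for name in ("numeric", "special", "alpha", "non_alpha", "upper", "lower"):
        if counts[name] < policy["min_" + name]:
            failed.append("min_" + name)
    return failed


def at_least_as_strict(pwm_policy, directory_policy):
    """True when every rule the directory enforces is enforced at least as strictly by PWM.

    min_* limits must be greater or equal, max_* limits less or equal; a rule the
    directory enforces but PWM does not know about counts as a failure.
    """
    for rule, limit in directory_policy.items():
        if rule not in pwm_policy:
            return False
        if rule.startswith("min_") and pwm_policy[rule] < limit:
            return False
        if rule.startswith("max_") and pwm_policy[rule] > limit:
            return False
    return True
```

If at_least_as_strict returns False for your directory's policy, PWM will accept passwords the directory then rejects, which is the kind of "strange result" the post warns about.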
Menno Pieters

Jan 31, 2013, 2:44:54 AM1/31/13
to pwm-g...@googlegroups.com
Thanks! I'll add this as soon as I have time to update the manual!

Regards,

Menno


Justin Mercier

Jan 31, 2013, 2:49:50 AM1/31/13
to pwm-g...@googlegroups.com
I'll have revisions within a month, so you may want to wait until I have time to clean it up and also add sections for user self-registration, email verification (if available?) and RECAPTCHA.

But now that I have the UID/CN stuff worked out, thanks to you, I have high expectations and hope to deliver it as part of a new IdM soon!

Justin Mercier

Feb 10, 2013, 7:39:27 PM2/10/13
to pwm-g...@googlegroups.com
Menno,

I just wanted to let you and perhaps any Red Hat/Fedora users out there know that I have updated the development snapshot of the admin guide with integration steps for 389 Directory Server (aka Fedora Directory Server). It can probably use a little peer review and editing QC. I did not overwrite the preexisting schema instructions which use the graphical console, and I also added a summary of considerations (such as uid vs cn, and memberof vs. groupmembership) that apply to 389DS versus OpenLDAP.

I have a bunch of extra documentation that applies to my particular installation that is out of scope but may be of use to other users.  These deal with configuration of the various modules, reverse proxy and iptables configuration, and SELinux.  If any users need any assistance with these topics I am happy to help.

Justin

Justin Mercier

Feb 10, 2013, 7:40:52 PM2/10/13
to pwm-g...@googlegroups.com
FYI to Red Hat users:  the development snapshot of the Admin Guide with the draft updates is available at https://docs.google.com/document/d/1I9u1xaVrIOTFj8Le7uzCM5zGqrODCi9Udo2gGZyAapc/edit#

Menno Pieters

Feb 11, 2013, 2:03:10 AM2/11/13
to pwm-g...@googlegroups.com
Hi Justin,

> I just wanted to let you and perhaps any Red Hat/Fedora users out there know that I have updated the development snapshot of the admin guide with integration steps for 389 Directory Server (aka Fedora Directory Server). It can probably use a little peer review and editing QC. I did not overwrite the preexisting schema instructions which use the graphical console, and I also added a summary of considerations (such as uid vs cn, and memberof vs. groupmembership) that apply to 389DS versus OpenLDAP.
>
> I have a bunch of extra documentation that applies to my particular installation that is out of scope but may be of use to other users. These deal with configuration of the various modules, reverse proxy and iptables configuration, and SELinux. If any users need any assistance with these topics I am happy to help.

Thanks for your effort. I'll have a look, perhaps make a couple of changes and inform Jason to update the main document.

Regards,

Menno
