Install and Configure an Open Source Identity Server Lab

Transcription

1 Install and Configure an Open Source Identity Server Lab SUS05/SUS06 Novell Training Services ATT LIVE 2012 LAS VEGAS

2 Legal Notices Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. Further, Novell, Inc., makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes. Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. See the Novell International Trade Services Web page ( for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals. Copyright 2012 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher. Novell, Inc., has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed on the Novell Legal Patents Web page ( and one or more additional patents or pending patent applications in the U.S. and in other countries. Novell, Inc. 404 Wyman Street, Suite 500 Waltham, MA U.S.A. Online Documentation: To access the latest online documentation for this and other Novell products, see the Novell Documentation Web page ( Novell Trademarks For Novell trademarks, see the Novell Trademark and Service Mark list ( Third-Party Materials All third-party trademarks are the property of their respective owners. 2 Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call PIRATES.

3 Contents Section 1 Exercise 1.1 Exercise 1.2 Exercise 1.3 Exercise 1.4 Exercise 1.5 Exercise 1.6 Exercise 1.7 Exercise 1.8 Exercise 1.9 Exercise 1.10 Exercise 1.11 Section 2 Exercise 2.1 Configure an Open Source Identity Server...11 Configure an NTP Server on the LDAP Servers...12 Task I: Configure the NTP Server on DS Task II: Configure the NTP Server on DS Configure csync2 for the CA/LDAP/Kerberos Servers (Optional)...14 Task I: Configure csync Configure a Certificate Authority with YaST...16 Task I: Create a Root CA...16 Task II: Replicate the Root CA to another Server...17 Generate a Common Server Certificate with YaST...18 Task I: Generate a Server Certificate...18 Task II: Set a Certificate as the Common Server Certificate...19 Task III: Replicate the Changes to the CA to another Server...19 Generate an SSL Server Certificate for the 2nd LDAP Server (Optional)...20 Task I: Generate a Server Certificate...20 Task II: Replicate the Changes to the CA to the other Server...21 Task III: Set a Certificate as the Common Server Certificate...21 Create a Synchronized Exported Key Store...23 Task I: Create a Synchronized Exported Key Store...23 Task II: Replicate the Changes to the CA to another Server...23 Configure an OpenLDAP Master Server...24 Task I: Configure the LDAP Server...24 Task II: Configure the LDAP Client on the LDAP Server...25 Task III: Browse the LDAP Database...26 Configure an OpenLDAP Slave Server (Optional)...27 Task I: Configure the LDAP Slave Server...27 Task II: Configure the LDAP Client on the LDAP Server...27 Task III: Browse the LDAP Database...28 Configure a Multi-master LDAP Replication (Optional)...29 Task I: Configure LDAP Multi-master Database Replication...29 Configure a Kerberos Server with a LDAP Back End...31 Task I: Configure LDAP to Store the Kerberos Database...31 Task II: Configure a Kerberos Server...31 Configure a Secondary Kerberos with a LDAP Back End (Optional)...33 Task I: Configure LDAP to Store the Kerberos Database...33 Task II: Configure a Kerberos Server...33 Task III: Configure the Kerberos Client...34 Configure a LDAP Client...37 Generate an SSL Server Certificate for Another Server...38 Task I: Generate a Server Certificate...38 Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call PIRATES 3

4 SUS05 & 06: Open Source Identity Server & Secure Access to Linux Services Exercise 2.2 Exercise 2.3 Exercise 2.4 Section 3 Exercise 3.1 Exercise 3.2 Exercise 3.3 Exercise 3.4 Exercise 3.5 Section 4 Exercise 4.1 Exercise 4.2 Exercise 4.3 Exercise 4.4 Section 5 Exercise 5.1 Exercise 5.2 Task II: Export the Server Certificate in PKCS12 Format...39 Task III: Export the Server Certificate in PEM Format...39 Task IV: Copy the Cert and Key Files to the Other Server...40 Task V: Replicate the Changes to the CA to another Server...40 Import a Common Server Certificate for a Server...42 Task I: Generate a Server Certificate...42 Create LDAP Groups and Users...43 Task I: Create LDAP Groups...43 Task II: Create LDAP Users...43 Configure an LDAP Client with YaST...45 Task I: Configure an LDAP Client...45 Configure a Kerberos Client...47 Configure an NTP Client...48 Task I: Configure the NTP Clients...48 Create LDAP Group and Users for Kerberos...49 Task I: Create an LDAP Group for Kerberos Users...49 Task II: Create LDAP Users for Kerberos...49 Create Kerberos User Principals...51 Task I: Create Kerberos User Principals...51 Configure a Kerberos Client with YaST...52 Task I: Configure the Kerberos Client...52 Configure pam to Use Both Kerberos and LDAP...53 Option I: Configure pam with pam-config...53 Option II: Edit the pam Configuration Files...53 Configure SSH to Use Kerberos...55 Generate Host Principals and Keytabs for the Kerberos Servers...56 Task I: Create the Kerberos Host Principals...56 Task II: Generate the Kerberos Keytabs...56 Generate Host Principals and Keytabs for a SSH Server...58 Task I: Generate the Kerberos Host Principal...58 Task II: Generate the Kerberos Keytabs...58 Task III: Copy the Keytab to the SSH Server...58 Configure a SSH on the Kerberos Server to Use Kerberos Authentication...60 Task I: Configure the SSH Daemon for Kerberos...60 Task II: Test SSH Kerberos Authentication...60 Configure SSH to Use Kerberos Authentication...61 Task I: Configure the SSH Daemon for Kerberos...61 Task II: Test SSH Kerberos Authentication...61 Configure NFSv Configure an NTP Client on the NFS Server...64 Task I: Configure the NTP Clients...64 Generate an SSL Server Certificate for Another Server...65 Task I: Generate a Server Certificate Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call PIRATES

5 Exercise 5.3 Exercise 5.4 Exercise 5.5 Exercise 5.6 Exercise 5.7 Exercise 5.8 Exercise 5.9 Exercise 5.10 Exercise 5.11 Task II: Export the Server Certificate in PKCS12 Format...66 Task III: Export the Server Certificate in PEM Format...66 Task IV: Copy the Cert and Key Files to the Other Server...67 Task V: Replicate the Changes to the CA to another Server...67 Import a Common Server Certificate for a Server...69 Task I: Generate a Server Certificate...69 Configure an LDAP Client with YaST...70 Task I: Configure an LDAP Client...70 Configure a Kerberos Client with YaST...72 Task I: Configure the Kerberos Client...72 Configure pam to Use Both Kerberos and LDAP...73 Option I: Configure pam with pam-config...73 Option II: Edit the pam Configuration Files...73 Generate a Host Principal and Keytab for a NFS Server...75 Task I: Generate the Kerberos Keytabs...75 Configure SSH to Use Kerberos Authentication...77 Task I: Configure the SSH Daemon for Kerberos on the NFS Server...77 Task II: Test SSH Kerberos Authentication...77 Configure an NFSv4 Server with GSSAPI...78 Task I: Configure the NFS Server...78 Configure an NFSv4 Client with GSSAPI Security...80 Task I: Configure an NFS Client for GSSAPI Security...80 Task II: Enable GSS Security for the NFS Client...81 Export Home Directories with NFSv4 and GSSAPI Security...82 Task I: Export /home via NFSv Task II: Verify the Exported File System...83 Task III: Configure a NFS Client to Mount the /home Share...83 Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call PIRATES 5

6 SUS05 & 06: Open Source Identity Server & Secure Access to Linux Services List of Figures Lab Network Environment...7 Machine Roles...7 Node1 Network Configuration...8 Node2 Network Configuration...8 Node3 Network Configuration...9 Storage1 Network Configuration...9 DS1 Network Configuration...10 DS2 Network Configuration Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call PIRATES

7 Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call PIRATES 7

8 SUS05 & 06: Open Source Identity Server & Secure Access to Linux Services 8 Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call PIRATES

9 Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call PIRATES 9

10 SUS05 & 06: Open Source Identity Server & Secure Access to Linux Services 10 Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call PIRATES

11 Configure an Open Source Identity Server Section 1 Configure an Open Source Identity Server In this section you configure OpenSSL, OpenLDAP and Kerberos to create an identity server based on open source software. Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call PIRATES 11

12 SUS05 & 06: Open Source Identity Server & Secure Access to Linux Services 1.1 Configure an NTP Server on the LDAP Servers In this exercise, you use the YaST NTP module to configure an NTP server. Objectives: Task I: Configure the NTP Server on DS1 Task II: Configure the NTP Server on DS2 Special Instructions and Notes: You may need to turn off or modify the firewall rules on the NTP server if its firewall is enabled. NTP_SERVER_IP= Task I: Configure the NTP Server on DS1 1. On the DS1 server, launch the NTP YaST module on the NTP server: YaST > Network Services > NTP Configuration 2. Select Start NTP Daemon: Now and On Boot Click Continue if a warning window appears 3. Ensure that Undisciplined Local Clock (Local) is listed 4. Highlight Undisciplined Local Clock(LOCAL) and click Edit 5. Click Driver Calibration 6. Change the Stratum to be 5 7. Click Next, then OK and then OK 8. Restart the NTP daemon on the NTP server by entering the following at the command line of that server: killall ntpd rcntp restart Task II: Configure the NTP Server on DS2 1. On the DS2 server, launch the NTP YaST module on the NTP server: YaST > Network Services > NTP Configuration 2. Select Start NTP Daemon: Now and On Boot Click Continue if a warning window appears 3. Ensure that Undisciplined Local Clock (Local) is listed 4. Click Add and then Next 5. On the New Synchronization screen select Server and then click Next 12 Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call PIRATES

13 Configure an Open Source Identity Server 6. On the NTP Server screen enter the following values in the corresponding fields: Address: Options: iburst 7. Click the Test button If the test is unsuccessful, the NTP server on DS1 may not be finished starting. Wait a minute or two and try again. When the test is successful, click OK 8. Click Next, then OK and then OK 9. Restart the NTP daemon on the NTP server by entering the following at the command line of that server: killall ntpd rcntp restart (End of Exercise) Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call PIRATES 13

14 SUS05 & 06: Open Source Identity Server & Secure Access to Linux Services 1.2 Configure csync2 for the CA/LDAP/Kerberos Servers (Optional) In this exercise you configure csync2 to keep the common certificate authority, LDAP and Kerberos configuration files in sync. Objectives: Task I: Configure csync2 Special Instructions and Notes: The csync2 package must be installed for this exercise to be performed successfully. The csync2 package can be found in the SLE-HA Extension and on Task I: Configure csync2 1. On the first LDAP server (DS1) open a terminal window and if not already logged in as the root user enter su to become root 2. Enter the following command to create the csync2 key for the CA/LDAP/Kerberos servers: csync2 -k /etc/csync2/key_cagroup 3. In the text editor of your choice (as root) open the /etc/csync2/csync2.cfg file to be edited 4. Add the following to the end of the file: group ca_group { } host ds1 ds2; key /etc/csync2/key_cagroup; include /etc/csync2/csync2.cfg; include /var/lib/cam; include /etc/ldap/ldap-pw; include /var/lib/kerberos/krb5kdc/.k5.site; include /var/lib/kerberos/krb5kdc/kadm5.keytab; 5. Save the file and close the text editor 6. Enter the following command(s) to copy the initial file to the other LDAP server(s): 14 Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call PIRATES

15 Configure an Open Source Identity Server scp /etc/csync2/key_cagroup ds2:/etc/csync2/ scp /etc/csync2/csync2.cfg 7. Enter the following command to enable csync2: chkconfig csync2 on insserv xinetd rcxinetd restart 8. Repeat the previous step on the other LDAP servers 9. On the first LDAP server (DS1) enter the following command(s) to perform the initial file synchronization: csync2 -xv (End of Exercise) Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call PIRATES 15

16 SUS05 & 06: Open Source Identity Server & Secure Access to Linux Services 1.3 Configure a Certificate Authority with YaST In this exercise, you use the YaST CA Management module to configure an SSL certificate authority. Objectives: Task I: Create a Root CA Task II: Replicate the Root CA to another Server Special Instructions and Notes: This is a special instruction needed to complete the exercise. CA_NAME= CA_COMMON_NAME= CA_ = CA_PASSWD= DS2_IP= Task I: Create a Root CA 1. On the first LDAP server (DS1)Launch the YaST CA module: YaST > Security and Users > CA Management 2. On the CA Selection screen click Create Root CA 3. Use the following values to fill in the fields on the Create Root CA (step 1/3) screen. If a value is not provided for a field, leave the default value in the field. CA Name = CA_NAME Common Name = CA_COMMON_NAME Addresses = CA_ TIP: For the address, enter the value in the field below the addresses list and click Add 4. When the values have been entered, click Next 5. On the Create New Root CA (step 2/3) screen, fill in the fields using the following values: Password = CA_PASSWD Key Length (bit) = 2048 Valid Period (days) = When the values have been entered, click Next 7. On the Create New CA (step 3/3) screen, verify that all values are correct and then click Create 16 Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call PIRATES

17 Configure an Open Source Identity Server You should see your newly created CA in the CA Tree list on the CA Selection screen. If the YaST CA Management module is closed, launch it again. 8. To view the contents of the CA, select the CA from the CA Tree list and click Enter CA 9. When prompted for the CA password, enter the CA password used above and click OK You should see information about your CA Task II: Replicate the Root CA to another Server 1. On the first LDAP server (DS1), while logged in as the root user, open as terminal window and enter one of the following commands: -If csync2 IS configured: csync2 -xv -If csycn2 is NOT configured: rsync -a /var/lib/cam/ When prompted, enter the root password 2. On the second LDAP server (DS2), verify that the CA directory was copied to /var/lib/cam/ 3. On the second LDAP server (DS2)Launch the YaST CA module: 4. YaST > Security and Users > CA Management You should see the new CA listed her as well. (End of Exercise) Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call PIRATES 17

18 SUS05 & 06: Open Source Identity Server & Secure Access to Linux Services 1.4 Generate a Common Server Certificate with YaST In this exercise, you use the YaST CA Management module to generate an SSL server certificate. You then set that certificate as the common server certificate for the machine. Objectives: Task I: Generate a Server Certificate Task II: Set a Certificate as the Common Server Certificate Task III: Replicate the Changes to the CA to another Server Special Instructions and Notes: A certificate Authority must be configured to perform this exercise. CA_PASSWD= CRT_COMMON_NAME= CRT_ = DS2_IP= Task I: Generate a Server Certificate 1. On the first LDAP server (DS1),launch the YaST CA Management module: YaST > Security and Users > CA Management 2. From the CA Tree list, select your CA and click Enter CA 3. When prompted for the CA password, enter CA_PASSWD 4. On the Certificate Authority (CA) screen, select the Certificates tab 5. On the Certificates tab, from the Add drop-down list, select Add Server Certificate 6. Use the following values to fill in the fields on the Create New Server Certificate (step 1/3) screen. If a value is not provided, leave the default value in the field. NOTE: The common name should be the fully qualified domain name that will be used to access the server. Common Name = CRT_COMMON_NAME Addresses = CRT_ TIP: For the address, enter the value in the field below the Addresses list and click Add 7. When the values have been entered, click Next 8. On the Create New Server Certificate (step 2/3) screen, select the Use CA Password as Certificate Password check box 9. Fill in the rest of the fields using the following values: 18 Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call PIRATES

19 Key Length (bit) = 2048 Valid Period (days) = When the values have been entered, click Next Configure an Open Source Identity Server 11. On the Create New Server Certificate (step 3/3), verify that the values are correct and then click Create You should see the newly created server certificate in the certificates list and it should be listed as valid. Task II: Set a Certificate as the Common Server Certificate 1. On the Certificates tab of the Certificate Authority (CA) screen, select the newly generated certificate from the list of certificates 2. From the Export drop-down list, select Export as Common Server Certificate 3. When prompted for the Certificate password, enter CA_PASSWD and click OK 4. When the export confirmation window appears, click OK 5. To verify that the certificate was exported, open a terminal window and enter the following command: ls -l /etc/ssl/servercerts/ You should see two files named servercert.pem and serverkey.pem. These are the files that were created when the certificate was exported as the common server certificate. Task III: Replicate the Changes to the CA to another Server 1. On the first LDAP server (DS1), while logged in as the root user, open as terminal window and enter one of the following commands: -If csync2 IS configured: csync2 -xv If csycn2 is NOT configured: rsync -a /var/lib/cam/ root@ds2_ip:/var/lib/cam/ When prompted, enter the root password 2. (Optional) On the DS2 server, verify that the CA updates were copied to /var/lib/cam/ (End of Exercise) Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call PIRATES 19

20 SUS05 & 06: Open Source Identity Server & Secure Access to Linux Services 1.5 Generate an SSL Server Certificate for the 2nd LDAP Server (Optional) In this exercise, you use YaST to generate a server certificate for the 2nd LDAP server. You then import the certificate on the DS2 server as the common server certificate Objectives: Task I: Generate a Server Certificate Task II: Replicate the Changes to the CA to the other Server Task III: Set a Certificate as the Common Server Certificate Special Instructions and Notes: A Certificate Authority must be configured to perform this exercise. CA_PASSWD= DS2_FQDN= DS2_IP= CRT_ = Task I: Generate a Server Certificate 1. On the first LDAP server (DS1), launch the YaST CA Management module: YaST > Security and Users > CA Management If prompted for the root user's password, enter novell 2. From the CA Tree list, select your CA and click Enter CA 3. When prompted for the CA password, enter CA_PASSWD 4. On the Certificate Authority (CA) screen, select the Certificates tab 5. On the Certificates tab, from the Add drop-down list, select Add Server Certificate 6. Use the following values to fill in the fields on the Create New Server Certificate (step 1/3) screen. If a value is not provided, leave the default value in the field. NOTE: The common name should be the fully qualified domain name that will be used to access the server. Common Name = DS2_FQDN Addresses = CRT_ TIP: For the address, enter the value in the field below the Addresses list and click Add 7. When the values have been entered, click Next 8. On the Create New Server Certificate (step 2/3) screen, select the Use CA 20 Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call PIRATES

21 Password as Certificate Password check box 9. Fill in the rest of the fields using the following values: Key Length (bit) = 2048 Valid Period (days) = When the values have been entered, click Next Configure an Open Source Identity Server 11. On the Create New Server Certificate (step 3/3), verify that the values are correct and then click Create You should see the newly created server certificate in the certificates list and it should be listed as valid. Task II: Replicate the Changes to the CA to the other Server 1. On the DS1 server, while logged in as the root user, open as terminal window and enter one of the following commands: -If csync2 IS configured: csync2 -xv -If csycn2 is NOT configured: rsync -a /var/lib/cam/ root@ds2_ip:/var/lib/cam/ When prompted, enter the root password 2. (Optional) On the DS2 server, verify that the CA updates were copied to /var/lib/cam/ Task III: Set a Certificate as the Common Server Certificate 1. On the DS2 server, launch the YaST CA Management module: YaST > Security and Users > CA Management If prompted for the root user's password, enter novell 2. From the CA Tree list, select your CA and click Enter CA 3. When prompted for the CA password, enter CA_PASSWD 4. On the Certificates tab of the Certificate Authority (CA) screen, select the ds2 certificate from the list of certificates 5. From the Export drop-down list, select Export as Common Server Certificate 6. When prompted for the Certificate password, enter CA_PASSWD and click OK 7. When the export confirmation window appears, click OK 8. To verify that the certificate was exported, open a terminal window and enter the following command: Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call PIRATES 21

22 SUS05 & 06: Open Source Identity Server & Secure Access to Linux Services ls -l /etc/ssl/servercerts/ You should see two files named servercert.pem and serverkey.pem. These are the files that were created when the certificate was exported as the common server certificate. (End of Exercise) 22 Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call PIRATES

23 Configure an Open Source Identity Server 1.6 Create a Synchronized Exported Key Store In this exercise, you create a directory to hold the exported certificates and keys that can be replicated to the other CA server. Objectives: Task I: Create a Synchronized Exported Key Store Task II: Replicate the Changes to the CA to another Server Special Instructions and Notes: (none) Task I: Create a Synchronized Exported Key Store 1. On the first CA server (DS1), enter the following command to create a directory to store exported server certificates: mkdir -p /var/lib/serverkeys/ 2. If you have not configured csync2, skip to the next task. If you have configured csync2, do the following In the text editor of your choice, as the root user, open the /etc/csync2/csync2.cfg file to be edited 3. Add the following to the end of the group ca_group section before its closing } : include /var/lib/serverkeys; 4. Save the file and close the text editor Task II: Replicate the Changes to the CA to another Server 1. On the first CA server (DS1), while logged in as the root user, open as terminal window and enter one of the following commands: -If csync2 IS configured: csync2 -xv -If csycn2 is NOT configured: rsync -a /var/lib/serverkeys/ root@ds2_ip:/var/lib/ When prompted, enter the root password (End of Exercise) Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call PIRATES 23

24 SUS05 & 06: Open Source Identity Server & Secure Access to Linux Services 1.7 Configure an OpenLDAP Master Server In this exercise, you use the YaST LDAP Server module to configure a Master LDAP server. You then use the YaST LDAP Client module to create the default objects in the directory and then use the YaST LDAP Browser to browse the LDAP database. Objectives: Task I: Configure the LDAP Server Task II: Configure the LDAP Client on the LDAP Server Task III: Browse the LDAP Database Special Instructions and Notes: Use the following value(s) in this exercise: BASE_DN= ADMIN_DN= ADMIN_DN_PASSWD= Task I: Configure the LDAP Server 1. On the first LDAP server (DS1), launch the YaST LDAP Server module: YaST > Network Services > LDAP Server 2. On the General Settings screen, under Start LDAP Server, select Yes. If the Open Port in Firewall check box is enabled, select it as well and click Next 3. On the Please Select Server Type screen, select This server can act as a master server in a replication setup and click Next 4. On the TLS Settings screen, under Basic Settings, ensure that all of the check boxed are selected and click Next NOTE: If a common server certificate has not been generated, you will need to specify that paths to the CA certificate, sever certificate, and server key files. If these have not been generated you can click the Launch CA Management Module button and use YaST to generate these certificates. 5. On the Basic Database Settings screen, fill in the fields using the following values. If a value is not provided, leave the default value in the field: Database Type: hdb Base DN = BASE_DN Administrator DN = ADMIN_DN Append Base DN = (checked) LDAP Administrator Password = ADMIN_DN_PASSWD Database Directory = /var/lib/ldap 24 Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call PIRATES

25 Configure an Open Source Identity Server Use this database as the default = (checked) 6. When the values have been entered, click Next 7. On the Replication Master setup screen, enter the following for the password and then click Next: Password = linux Prepare for MirrorMode replication = (unchecked) Note: MirrorMode will optionally be configured in a later exercise. 8. On the LDAP Server Configuration Summary screen, verify that the values are correct and click Finish 9. Open a terminal window and if not already logged in as the root user, enter su to become root. 10. Enter the following commands to copy the kerberos schema files into the openldap schema directory: cd /usr/share/doc/packages/krb5/ cp kerberos.* /etc/openldap/schema/ 11. Launch the YaST LDAP Server module again: 12. In the left panes select Schema Files 13. In the right pane click Add, select kerberos.schema and then click Open 14. Click Add again select samba3.schema and then click Open 15. Click Add again select dhcp.schema and then click Open 16. Click Add again select dnszone.schema and then click Open 17. If this is the first LDAP server, make a list of the schema files listed here (the order doesn't matter): 18. Click OK to close the YaST module Task II: Configure the LDAP Client on the LDAP Server 1. On the first LDAP server, launch the YaST LDAP Client module: YaST > Network Services > LDAP Client 2. Under User Authentication, select Use LDAP Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call PIRATES 25

26 SUS05 & 06: Open Source Identity Server & Secure Access to Linux Services 3. In the LDAP Client section, in the Addresses of LDAP Servers field, enter ds1 and click Fetch DN 4. In the pop-up window showing the available DNs, select the Base DN created above and click OK 5. Ensure that only the following check box(es) are selected: Create Home Directory on Login 6. Click Advanced Configuration 7. Select the Administration Settings tab 8. In the Administrator DN field, enter ADMIN_DN and select the following check boxes: Append Base DN Create Default Configuration Objects Home Directories on This Machine 9. When the values have been entered, click OK 10. Back on the LDAP Client Configuration screen, click OK to finish 11. When prompted for the LDAP Server Password, enter ADMIN_DN_PASSWD and clock OK 12. Click OK to finish 13. When prompted for the LDAP Server Password, enter ADMIN_DN_PASSWD and clock OK Task III: Browse the LDAP Database 1. On the first LDAP server, launch YaST LDAP Browser module: YaST > Network Services > LDAP Browser 2. On the pop-up window select/enter the following: LDAP Connections: Current LDAP Client settings LDAP Server: Administrator DN: ADMIN_DN LDAP Server Password: ADMIN_DN_PASSWD LDAP TLS: (checked) 3. In the left pane, select BASE_DN You should see the currently configured objects in the directory (End of Exercise) 26 Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call PIRATES

27 Configure an Open Source Identity Server 1.8 Configure an OpenLDAP Slave Server (Optional) In this exercise, you use the YaST LDAP Server module to configure a LDAP slave server. You then use the YaST LDAP Browser module to view the objects in the directory. Objectives: Task I: Configure the LDAP Slave Server Task II: Configure the LDAP Client on the LDAP Server Task III: Browse the LDAP Database Special Instructions and Notes: Use the following value(s) in this exercise: BASE_DN= ADMIN_DN= ADMIN_DN_PASSWD= Task I: Configure the LDAP Slave Server 1. On the second LDAP server (DS2), launch the YaST LDAP Server module: YaST > Network Services > LDAP Server 2. On the General Settings screen, under Start LDAP Server, select Yes. If the Open Port in Firewall check box is enabled, select it as well and click Next 3. On the Please Select Server Type screen, select This will be a replica (slave)server.... and click Next 4. On the Slave server setup screen, enter/select the following values. Protocol: ldap Provider Hostname = ds1 Port: 389 Administrator Password... = ADMIN_DN_PASSWD Note: On SLES11-SP2 you must also change the following value: CA Certificate = /var/lib/cam/site/cacert.pem 5. When the values have been entered, click Next 6. If you get a TLS error due to a self signed certificate, just clisk Continue Task II: Configure the LDAP Client on the LDAP Server 1. On the second LDAP server (DS2), launch the YaST LDAP Client module: YaST > Network Services > LDAP Client 2. Under User Authentication, select Use LDAP Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call PIRATES 27

28 SUS05 & 06: Open Source Identity Server & Secure Access to Linux Services 3. In the LDAP Client section, in the Addresses of LDAP Servers field, enter and click Fetch DN 4. In the pop-up window showing the available DNs, select the Base DN created above and click OK 5. Ensure that only the following check boxe(s) are selected: Create Home Directory on Login 6. Click Advanced Configuration 7. Select the Administration Settings tab 8. In the Administrator DN field, enter ADMIN_DN and select the following check boxes: Append Base DN Home Directories on This Machine 9. When the values have been entered, click OK 10. Back on the LDAP Client Configuration screen, click OK to finish 11. When prompted for the LDAP Server Password, enter ADMIN_DN_PASSWD and clock OK 12. Click OK to finish 13. When prompted for the LDAP Server Password, enter ADMIN_DN_PASSWD and clock OK Task III: Browse the LDAP Database 1. On the second LDAP server (DS2), launch YaST LDAP Browser module: YaST > Network Services > LDAP Browser 2. On the pop-up window select/enter the following: LDAP Connections: Current LDAP Client settings LDAP Server: Administrator DN: ADMIN_DN LDAP Server Password: ADMIN_DN_PASSWD LDAP TLS: (checked) 3. In the left pane, select BASE_DN You should see the currently configured objects in the directory (End of Exercise) 28 Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call PIRATES

29 Configure an Open Source Identity Server 1.9 Configure a Multi-master LDAP Replication (Optional) In this exercise, you configure two LDAP servers for multi-master database replication. Objectives: Task I: Configure LDAP Multi-master Database Replication Special Instructions and Notes: Use the following value(s) in this exercise: BASE_DN= Task I: Configure LDAP Multi-master Database Replication 1. On the first LDAP server (DS1), enter the following command to retrieve the syncrepl user credentials: ldapsearch -Y external -H ldapi:/// -b cn=config grep credentials Record the value in credentials ******* here: SYNCREPL_CREDS= 2. In the text editor of your choice, create and open the /tmp/add_mm.ldif file to be edited 3. Enter the following in the file: dn: cn=config changetype: modify replace: olcserverid olcserverid: 1 ldap://ds1 olcserverid: 2 ldap://ds2 dn: olcdatabase={1}hdb,cn=config changetype: modify replace: olcsyncrepl olcsyncrepl: rid=2 provider= ldap://ds1 searchbase= dc=site type= refreshandpersist retry= starttls=critical tls_reqcert=demand Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call PIRATES 29

30 SUS05 & 06: Open Source Identity Server & Secure Access to Linux Services bindmethod= simple binddn= uid=syncrepl,ou=system,base_dn credentials= SYNCREPL_CREDS olcsyncrepl: rid=4 provider= ldap://ds2 searchbase= dc=site type= refreshandpersist retry= starttls=critical tls_reqcert=demand bindmethod= simple binddn= uid=syncrepl,ou=system,base_dn credentials= SYNCREPL_CREDS dn: olcdatabase={1}hdb,cn=config changetype: modify add: olcmirrormode olcmirrormode: TRUE 4. Save the file and close the text editor 5. Enter the following command to update the LDAP sever configuration with the new LDIF file (as one command with no line breaks): ldapmodify -v -Y external -H ldapi:/// -f /tmp/add_mm.ldif 6. Enter the following command to verify that it worked: ldapsearch -LLL -Y external -H ldapi:/// -b cn=config olcdatabase=* Look for the section beginning with olcdatabase={1}hdb,cn=config. You should see olcmirrormode: TRUE (End of Exercise) 30 Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call PIRATES

31 Configure an Open Source Identity Server 1.10 Configure a Kerberos Server with a LDAP Back End In this exercise, you use the YaST Kerberos Server module to configure a Kerberos KDC that uses LDAP as the back-end database. Objectives: Task I: Configure LDAP to Store the Kerberos Database Task II: Configure a Kerberos Server Special Instructions and Notes: An LDAP server must be configured before performing the exercise. The kerberos.ldif and kerberos.schema files must be copied from the /usr/share/doc/packages/krb5/ directory into the/etc/openldap/schema/ directory before performing this exercise Use the following value(s) in this exercise: KRB5_REALM= KRB5_PASSWD= BASE_DN= ADMIN_DN= ADMIN_DN_PASSWD= Task I: Configure LDAP to Store the Kerberos Database 1. On the DS1 server, launch the YaST LDAP Server module: YaST > Network Services > LDAP Server If prompted for the root user's password, enter novell 2. In the left pane, select Schema Files 3. Verify that the kerberos schema is listed. If not, Click Add, browse to and select /etc/openldal/schema/kerberos.schema, and then click Open 4. Click OK to close the LDAP Server YaST module Task II: Configure a Kerberos Server 1. Launch the YaST Kerberos Server module: YaST > Network Services > Kerberos Server If prompted for the root user's password, enter novell 2. On the Select the Database Back-End screen, select Use Existing LDAP server as database back-end and click Next 3. On the Basic Kerberos Settings, screen, fill in the fields using the following values: Realm = KRB5_REALM Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call PIRATES 31

32 SUS05 & 06: Open Source Identity Server & Secure Access to Linux Services Password = KRB5_PASSWD 4. If the Open Port in Firewall check box is enabled, select it 5. When all of the values have been entered, click Next 6. Under LDAP Settings use the following values to fill the fields. If a value is not provided, leave the default value in the field. LDAP Server URI = ldap:// LDAP base DN = BASE_DN KDC_Bind DN = ADMIN_DN,BASE_DN Kadmin Bind DN = ADMIN_DN,BASE_DN (all password fields) = ADMIN_DN_PASSWD 7. When the values are entered, click Next (End of Exercise) 32 Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call PIRATES

33 Configure an Open Source Identity Server 1.11 Configure a Secondary Kerberos with a LDAP Back End (Optional) In this exercise, you use the YaST Kerberos Server module to configure a secondary Kerberos KDC that uses an LDAP as the back-end database. Objectives: Task I: Configure LDAP to Store the Kerberos Database Task II: Configure a Kerberos Server Task III: Configure the Kerberos Client Special Instructions and Notes: An LDAP server must be configured before performing the exercise. The kerberos.ldif and kerberos.schema files must be copied from the /usr/share/doc/packages/krb5/ directory into the/etc/openldap/schema/ directory before performing this exercise Use the following value(s) in this exercise: KRB5_REALM= KRB5_PASSWD= BASE_DN= ADMIN_DN= ADMIN_DN_PASSWD= DNS_DOMAIN= DS2_IP= Task I: Configure LDAP to Store the Kerberos Database 1. On the second LDAP server (DS2), launch the YaST LDAP Server module: YaST > Network Services > LDAP Server If prompted for the root user's password, enter novell 2. In the left pane, select Schema Files 3. Verify that the kerberos schema is listed. If not, Click Add, browse to and select /etc/openldal/schema/kerberos.schema, and then click Open 4. Click OK to close the LDAP Server YaST module Task II: Configure a Kerberos Server 1. Launch the YaST Kerberos Server module: YaST > Network Services > Kerberos Server 2. On the Select the Database Back-End screen, select Use Existing LDAP server as database back-end and click Next Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call PIRATES 33

34 SUS05 & 06: Open Source Identity Server & Secure Access to Linux Services 3. On the Basic Kerberos Settings, screen, fill in the fields using the following values: Realm = KRB5_REALM Password = KRB5_PASSWD 4. If the Open Port in Firewall check box is enabled, select it 5. When all of the values have been entered, click Next 6. Under LDAP Settings use the following values to fill the fields. If a value is not provided, leave the default value in the field. LDAP Server URI = ldap:// LDAP base DN = BASE_DN KDC_Bind DN = ADMIN_DN,BASE_DN Kadmin Bind DN = ADMIN_DN,BASE_DN (all password fields) = ADMIN_DN_PASSWD 7. When the values are entered, click Next 8. When you get an error (creating the Kerberos database (because the realm is already in LDAP)) click Cancel and then OK If asked if you want change the configuration click No 9. Relaunch the Kerberos Server YaST module 10. When prompted for the LDAP Server Password, enter ADMIN_DN_PASSWD and then click OK 11. Select Enable Kerberos and then click Finish 12. Enter one of the following sets of commands on the second Kerberos server (DS2) to copy the missing files from the first Kerberos server (DS1): -If csync2 IS configured: csync2 -xv -If csync2 is NOT configured: cd /etc/openldap/ scp ds1:/etc/openldap/ldap-pw./ cd /var/lib/kerberos/krb5kdc/ scp ds1:/var/lib/kerberos/krb5kdc/.k5.krb5_realm./ scp ds1:/var/lib/kerberos/krb5kdc/kadm5.keytab./ 13. Enter the following command to start the Kerberos server: rckrb5kdc start Task III: Configure the Kerberos Client 1. Launch the YaST Kerberos Client module: YaST > Network Servicse > Kerberos Client 34 Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call PIRATES

35 Configure an Open Source Identity Server 2. Select Use Kerberos 3. Under Basic Kerberos Settings, enter the following values in the fields. If a value is not provided, leave the default value in the field. Default Domain = DNS_DOMAIN Default Realm = KRB5_REALM KDC Server Address = DS2_IP 4. Click Advanced Settings 5. On the Advanced Kerberos Client Configuration screen, on the PAM Settings tab, select Kerberos Support for OpenSSH Client and then click OK 6. Back on the Kerberos Client Configuration screen click OK 7. To verify the configuration, enter the following command at the command line: less /etc/krb5.conf You should see a section named KRB5_REALM that contains all of the Kerberos configuration from above. (End of Exercise) Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call PIRATES 35

36 SUS05 & 06: Open Source Identity Server & Secure Access to Linux Services 36 Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call PIRATES

37 Configure an Open Source Identity Server Section 2 Configure a LDAP Client In this section you configure a LDAP client. Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call PIRATES 37

38 SUS05 & 06: Open Source Identity Server & Secure Access to Linux Services 2.1 Generate an SSL Server Certificate for Another Server In this exercise, you use YaST to generate a server certificate for another server. You then export the certificate and key to a text file and then split the certificate and key into separate files. Objectives: Task I: Generate a Server Certificate Task II: Export the Server Certificate in PKCS12 Format Task III: Export the Server Certificate in PEM Format Task IV: Copy the Cert and Key Files to the Other Server Task V: Replicate the Changes to the CA to another Server Special Instructions and Notes: A Certificate Authority must be configured to perform this exercise. CA_PASSWD= SERVER_FQDN= SERVER_IP= CRT_ = CRT_FILENAME= DS2_IP= Task I: Generate a Server Certificate 1. On the first LDAP server (DS1), launch the YaST CA Management module: YaST > Security and Users > CA Management 2. From the CA Tree list, select your CA and click Enter CA 3. When prompted for the CA password, enter CA_PASSWD 4. On the Certificate Authority (CA) screen, select the Certificates tab 5. On the Certificates tab, from the Add drop-down list, select Add Server Certificate 6. Use the following values to fill in the fields on the Create New Server Certificate (step 1/3) screen. If a value is not provided, leave the default value in the field. NOTE: The common name should be the fully qualified domain name that will be used to access the server. Common Name = SERVER_FQDN Addresses = CRT_ TIP: For the address, enter the value in the field below the Addresses list and click Add 38 Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call PIRATES

39 Configure a LDAP Client 7. When the values have been entered, click Next 8. On the Create New Server Certificate (step 2/3) screen, select the Use CA Password as Certificate Password check box 9. Fill in the rest of the fields using the following values: Key Length (bit) = 2048 Valid Period (days) = When the values have been entered, click Next 11. On the Create New Server Certificate (step 3/3), verify that the values are correct and then click Create You should see the newly created server certificate in the certificates list and it should be listed as valid. Task II: Export the Server Certificate in PKCS12 Format 1. On the Certificates tab of the Certificate Authority (CA) screen, select the newly generated certificate from the list of certificates 2. From the Export drop-down list, select Export to File 3. On the Export to File pop-up window, select Certificate and the Key Unencrypted in PKCS12 Format 4. In the Certificate Password field, type CA_PASSWD 5. In the New Password and Verify Password fields enter CA_PASSWD 6. In the File Name field, type /var/lib/serverkeys/server_fqdn.p12 7. Click OK to export the certificate to a file You should have a new text file named SERVER_FQDN.p12 in /var/lib/serverkeys that contains both the certificate and the key. Task III: Export the Server Certificate in PEM Format 1. On the Certificates tab of the Certificate Authority (CA) screen, select the newly generated certificate from the list of certificates 2. From the Export drop-down list, select Export to File 3. On the Export to File pop-up window, select Certificate and the Key Unencrypted in PEM Format 4. In the Certificate Password field, type CA_PASSWD 5. In the File Name field, type /var/lib/serverkeys/crt_filename 6. Click OK to export the certificate to a file You should have a new text file named CRT_FILENAME in /var/lib/serverkeys that contains both the certificate and the key. Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call PIRATES 39

40 SUS05 & 06: Open Source Identity Server & Secure Access to Linux Services 7. Often applications want to have the certificate and key in deferent files. To do this, in the text editor of your choice, open the /var/lib/serverkeys/crt_filename file. 8. Select the section of the file beginning with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE Copy this section and paste it into another empty file named /var/lib/serverkeys/server_fqdn.crt 10. Save the SERVER_FQDN.crt file 11. Select the section of the file beginning with -----BEGIN RSA PRIVATE KEY----- and ending with -----END RSA PRIVATE KEY Copy this section and paste it into another empty file named /var/lib/serverkeys/server_fqdn.key 13. Save the SERVER_FQDN.key file. 14. Close the text editor. 15. You should now have a file named CA_FILENAME that ends in a.pem extension that contains both the certificate and the key, a second file named SERVER_FQDN.crt that contains only the certificate, and a third file named SERVER_FQDN.key that contains only the key. Task IV: Copy the Cert and Key Files to the Other Server 1. Copy the server cert and key to the other server: scp /var/lib/serverkeys/server_fqdn.* root@server_ip:/tmp/ 2. Log into the other server as root and verify that the files were copied into /tmp/ Task V: Replicate the Changes to the CA to another Server 1. On the first LDAP server (DS1), while logged in as the root user, open as terminal window and enter one of the following commands: -If csync2 IS configured: csync2 -xv -If csycn2 is NOT configured: rsync -a /var/lib/cam/ root@ds2_ip:/var/lib/cam/ rsync -a /var/lib/serverkeys/ root@ds2_ip:/var/lib/serverkeys/ When prompted, enter the root password 40 Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call PIRATES