Beta-setup

From DISI
Revision as of 11:38, 20 March 2019 by Frodo (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

If this makes any sense to you, congratulations.

#!/bin/sh

#INSTALL REPOS

HOST=`hostname -i`
DOMAIN='ucsf.bkslab.org'

sed -i 's/# ulimit -n 8192/ulimit -n 8192/' /etc/sysconfig/dirsrv
echo >> /etc/sysctl.conf <<EOF

# Allow more file handles for 389
fs.file-max = 8192
EOF

yum -y install 389-ds

useradd ds -c "389 Directory Server User" -d /var/lib/dirsrv -M -s /sbin/nologin

echo "Running 389 Configuration"
echo <<EOF
- Use default setup mode
- Set user to 'ds'
- Set server name to ds-1
- Set hostname to 'ds.cluster.<DOMAIN>'
- Set cn to "dc=DOMAIN,dc=ORG" or similar
- Set passwords
EOF

setup-ds-admin.pl

# Update certificates with CNAMES
mv /var/lib/puppet/ssl /var/lib/puppet/ssl~
echo "dns_alt_names    = ds,ds.cluster.$DOMAIN,ds.$DOMAIN,$HOST.$DOMAIN" >> /etc/puppet/puppet.conf
puppet agent -t --report --pluginsync --waitforcert=60
ssh puppetmaster "puppet cert $( hostname )"
ssh puppetmaster "puppet cert sign $( hostname ) --allow-dns-alt-names"

# Convert cert for 389 use
certutil -d /etc/dirsrv/slapd-ds-1 -A -n "Cluster PuppetCA Certificate" -t CT,, -a -i /var/lib/puppet/ssl/certs/ca.cert
openssl pkcs12 -export -in /var/lib/puppet/ssl/certs/$( hostname ).pem \
                       -inkey /var/lib/puppet/ssl/private_keys/$( hostname ).pem \
                       -out /etc/pki/tls/private/$( hostname ).p12
pk12util -i /etc/pki/tls/private/$( hostname ).p12 -d /etc/dirsrv/slapd-ds-1

certutil -d /etc/dirsrv/admin-serv -A -n "Cluster PuppetCA Certificate" -t CT,, -a -i /var/lib/puppet/ssl/certs/ca.cert
openssl pkcs12 -export -in /var/lib/puppet/ssl/certs/$( hostname ).pem \
                       -inkey /var/lib/puppet/ssl/private_keys/$( hostname ).pem \
                       -out /etc/pki/tls/private/$( hostname ).p12
pk12util -i /etc/pki/tls/private/$( hostname ).p12 -d /etc/dirsrv/admin-dirsrv

# Fix annoying TLS bug
echo "export NSS_STRICT_NOFORK=DISABLED" >> /etc/sysconfig/dirsrv-admin

# Connect to 389 directory server
# Username: cn=Directory Manager
# Password: PASSWORD
# URL: http://ds:9830
# TODO:
# - Enable encryption in Directory Server
# - Enable encryption in Administration Server
# - Ensure encrypted connections are used (port 636)
# - Exit
389-console
service dirsrv restart
service dirsrv-admin restart

# Connect to encrypted 389 directory server
# Username: cn=Directory Manager
# Password: PASSWORD
# URL: https://ds:9830
# TODO (Under "Users and Groups")
# - Create Group(s)
#   Create -> Group (Under "Groups" subtree). Add Group Info AND Posix group info
# - Create Users
#   Create -> User (add to "People" subtree). Add User info AND Posix user info
# - Add users to groups
# - Create Special Directory Reader Group
#   Create -> User (add to "Special Users" subtree). Name:"LDAP Browser" Password:<SOMETHING SIMPLE>
# - Exit
389-console