Installation

This document describes how to install the OpenLDAP software package. This package serves as the Security Service for the PDS 2010 system. The following topics can be found in this section:

System Requirements

The software that makes up this project consists of the OpenLDAP open source package that is available for download and installation. This release requires version 2.4.44 of OpenLDAP. This package requires Java to be installed in the target environment.

Java Runtime Environment

The Security Service was developed using Java and will run on any platform with a supported Java Runtime Environment (JRE). The software was specifically compiled for Java version 1.7 and has been tested with this version and version 1.8. The following commands test the local Java installation in a UNIX-based environment:

% which java
/usr/bin/java

% java -version
java version "1.7.0_72"
Java(TM) SE Runtime Environment (build 1.7.0_72-b14)
Java HotSpot(TM) 64-Bit Server VM (build 24.72-b04, mixed mode)
        

The first command above checks whether the java executable is in the environment's path and the second command reports the version. If Java is not installed or the version is not at least 1.7, Java will need to be downloaded and installed in the current environment. Consult the local system administrator for installation of this software. For the do-it-yourself crowd, the Java software can be downloaded from the Oracle Java Download page. The suggested software package is the Java Standard Edition (SE) 7, either the JDK or the JRE package. The JDK package is not necessary to run the software but could be useful if development and compilation of Java software will also occur in the current environment.

Software Installation

We are choosing to install a directory server (OpenLDAP) so that it is accessible from other applications that require a standard LDAP interface.

Unpack the distribution

Change directory to a directory for the source to live under and unpack the distribution using the following commands.

% gunzip -c openldap-VERSION.tgz | tar xvfB -

Then relocate yourself into the distribution directory:

cd openldap-VERSION

Run configure

You will need to run the provided configure script to configure the distribution for building on your system. The configure script accepts many command line options that enable or disable optional software features. Usually the defaults are okay, but you may want to change them. To get a complete list of options that configure accepts, use the --help option.

./configure --help

However, we'll assume you are okay to just let configure determine what's best.

./configure

By default, it will install the package's files under /usr/local (binaries in /usr/local/bin). You can specify an installation prefix other than /usr/local by giving configure the option --prefix=PATH. For example,

./configure --prefix=YOUR_PATH

Build the software

The next step is to build the software. This step has two parts: first we generate the dependency information, then we compile the software. Both makes should complete without error.

make depend
make
          

Test the build

To ensure a correct build, you should run the test suite (it only takes a few minutes):

make test
          

Tests which apply to your configuration will run and they should pass.

Install the software

You are now ready to install the software; this usually requires super-user privileges:

su root -c 'make install'
          

Everything should now be installed under /usr/local (or whatever installation prefix was used by configure).

Edit the configuration file

1. Use your favorite editor to edit the provided slapd.ldif example (usually installed as /usr/local/etc/openldap/slapd.ldif) to contain an MDB database definition of the form:

dn: cn=config
objectClass: olcGlobal
cn: config
olcReferral: ldap://pdsdev.jpl.nasa.gov:1636
olcSizeLimit: 10000

olcSuffix: dc=pdsdev,dc=jpl,dc=nasa,dc=gov
olcRootDN: cn=config,dc=pdsdev,dc=jpl,dc=nasa,dc=gov
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd-config(5) for details.
# Use of strong authentication encouraged.
olcRootPW: {password}

# Define global ACLs to disable default read access.
#
olcArgsFile: /home/hyunlee/openldap/var/run/slapd.args
olcPidFile: /home/hyunlee/openldap/var/run/slapd.pid
olcLogFile: /home/hyunlee/openldap/var/run/slapd.log
olcLogLevel: stats2 stats ACL config filter conns

...
...
...

#######################################################################
# LMDB database definitions
#######################################################################
dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb

# LDIF values are taken literally, so DNs are written without the quotes
# that slapd.conf syntax uses.
olcSuffix: dc=pdsdev,dc=jpl,dc=nasa,dc=gov
olcRootDN: cn=Manager,dc=pdsdev,dc=jpl,dc=nasa,dc=gov
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd-config(5) for details.
# Use of strong authentication encouraged.
olcRootPW: {password}

# The database directory MUST exist prior to running slapd AND 
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
olcDbDirectory: /home/hyunlee/openldap/var/openldap-data
# Indices to maintain
olcDbIndex: objectClass eq 
olcDbIndex: cn,sn,uid pres,eq,approx,sub
          

2. Copy the PDSPerson.schema file to $OPENLDAP_HOME/etc/openldap/schema. This file defines the PDS-specific schema used by the directory server.

3. Edit the slapd.conf file to contain the following information.

include         /home/hyunlee/openldap/etc/openldap/schema/core.schema
include         /home/hyunlee/openldap/etc/openldap/schema/cosine.schema
include         /home/hyunlee/openldap/etc/openldap/schema/inetorgperson.schema
include         /home/hyunlee/openldap/etc/openldap/schema/PDSPerson.schema

pidfile         /home/hyunlee/openldap/var/run/slapd.pid
argsfile        /home/hyunlee/openldap/var/run/slapd.args
logfile         /home/hyunlee/openldap/var/run/slapd.log

...
...
...

#######################################################################
# MDB database definitions
#######################################################################
database        mdb
maxsize         1073741824
suffix          "dc=pdsdev,dc=jpl,dc=nasa,dc=gov"
rootdn          "cn=Manager,dc=pdsdev,dc=jpl,dc=nasa,dc=gov"
rootpw          {password}

# The database directory MUST exist prior to running slapd AND 
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /home/hyunlee/openldap/var/openldap-data
# Indices to maintain
index   objectClass     eq

# allow users to change their password
access to attrs=userPassword
        by self write
        by anonymous auth
        by users none
access to * by * read
          

Import the configuration database

You are now ready to import your configuration database for use by slapd by running the following commands.

% setenv LDAPCONF $OPENLDAP_HOME/etc/openldap/slapd.d
% setenv LDAPRC $OPENLDAP_HOME/etc/openldap/slapd.d     
% mkdir $OPENLDAP_HOME/etc/openldap/slapd.d

% $OPENLDAP_HOME/sbin/slaptest -F $OPENLDAP_HOME/etc/openldap/slapd.d -f $OPENLDAP_HOME/etc/openldap/slapd.conf -n 0     
          

Start the SLAPD

You are now ready to start the Standalone LDAP Daemon, slapd, by running the following command. The command passed to su must be quoted as a single argument; otherwise su treats slapd's options as its own.

% su root -c "$OPENLDAP_HOME/libexec/slapd -F $OPENLDAP_HOME/etc/openldap/slapd.d -h ldap://pdsdev.jpl.nasa.gov:389 -d -1" &
          

To check to see if the server is running and configured correctly, you can run a search against it with ldapsearch. By default, ldapsearch is installed as /usr/local/bin/ldapsearch:

% $OPENLDAP_HOME/bin/ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
          

Populate the Directory

Generate LDIF file(s)

Once OpenLDAP is installed and functioning, we can populate it with information. The following command generates two LDIF files for your LDAP directory.

pds_personnel.ldif is for adding the PDS personnel entries into the directory server. pds_personnel_delete.ldif is for deleting the personnel entries from the directory server.

% java gov.nasa.pds.security.LDIFGenerator -t {directory where the personnel files reside} \
   -s {host name} -n {port number} -p {password}
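The LDIFGenerator's output format is not shown on this page, and the pds_personnel.ldif it produces is described below as containing cleartext passwords. As an added example (not the generator's code), the following produces the same pair of records, an add entry and its matching delete record, with the password stored as an {SSHA} hash of the kind slappasswd produces. The ou=people container and the inetOrgPerson attribute set are assumptions; the PDSPerson schema is not on the page.

```python
import base64
import hashlib
import hmac
import os

BASE_DN = "dc=pdsdev,dc=jpl,dc=nasa,dc=gov"   # suffix configured above
PEOPLE_OU = "ou=people"                        # assumed container; not taken from the page

def ssha_hash(password, salt=None):
    """OpenLDAP {SSHA}: base64(sha1(password + salt) + salt), like slappasswd -h {SSHA}."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password, stored):
    """Check a cleartext password against a stored {SSHA} value (salt = trailing bytes)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[6:])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(digest, hashlib.sha1(password.encode("utf-8") + salt).digest())

def ldif_line(attr, value):
    """Encode one attribute; values LDIF cannot carry literally go base64 with '::'."""
    safe = (value.isascii() and value.isprintable()
            and value[:1] not in (" ", ":", "<") and not value.endswith(" "))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

def person_dn(uid):
    return f"uid={uid},{PEOPLE_OU},{BASE_DN}"

def add_entry(uid, cn, sn, mail, password, salt=None):
    """One inetOrgPerson record for pds_personnel.ldif; the password is stored hashed."""
    attrs = [("dn", person_dn(uid)), ("objectClass", "inetOrgPerson"), ("uid", uid),
             ("cn", cn), ("sn", sn), ("mail", mail), ("userPassword", ssha_hash(password, salt))]
    return "\n".join(ldif_line(a, v) for a, v in attrs) + "\n\n"

def delete_entry(uid):
    """Matching record for pds_personnel_delete.ldif (changetype: delete)."""
    return f"dn: {person_dn(uid)}\nchangetype: delete\n\n"
```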

Directory Server Configuration

With the software configuration complete, it is time to add groups and users to the directory server. The following configuration files, in the LDAP Data Interchange Format (LDIF), are available for configuring the directory server:

  • pds_groups.ldif
    This configuration file specifies the PDS group entries for the directory server.

  • pds_personnel.ldif
    This configuration file specifies PDS person entries for the directory server. The actual PDS person entries have been removed from this example configuration file since it contains clear text passwords. This file contains an example person entry for the pdsmc account.

Execute the commands with the configuration files as follows (using -W instead of -w {password} makes ldapadd prompt for the password, so it does not appear in the shell history or process list):

% $OPENLDAP_HOME/bin/ldapadd -x -D "cn=Manager,dc=pdsdev,dc=jpl,dc=nasa,dc=gov" -w {password} \
    -f /home/hyunlee/openldap/pds_groups.ldif
    
% $OPENLDAP_HOME/bin/ldapadd -x -D "cn=Manager,dc=pdsdev,dc=jpl,dc=nasa,dc=gov" -w {password} \
    -f /home/hyunlee/openldap/pds_personnel.ldif