This document describes how to install the OpenLDAP software package. This package serves as the Security Service for the PDS 2010 system. The following topics can be found in this section:
The software that makes up this project consists of the OpenLDAP open source package that is available for download and installation. This release requires version 2.4.44 of OpenLDAP. This package requires Java to be installed in the target environment.
The Security Service was developed using Java and will run on any platform with a supported Java Runtime Environment (JRE). The software was specifically compiled for and tested in Java version 1.8. The following commands test the local Java installation in a UNIX-based environment:
% which java
/usr/bin/java
% java -version
java version "1.8.0_101"
Java(TM) SE Runtime Environment (build 1.8.0_101-b13)
Java HotSpot(TM) 64-Bit Server VM (build 25.101-b13, mixed mode)
The first command above checks whether the java executable is in the environment's path and the second command reports the version. If Java is not installed or the version is not at least 1.8, Java will need to be downloaded and installed in the current environment. Consult the local system administrator for installation of this software. For the do-it-yourself crowd, the Java software can be downloaded from the Oracle Java Download page. The suggested software package is the Java Standard Edition (SE) 8, either the JDK or the JRE package. The JDK package is not necessary to run the software but could be useful if development and compilation of Java software will also occur in the current environment.
We are choosing to install a directory server (OpenLDAP) so that it is accessible from other applications that require a standard LDAP interface.
Change to the directory under which the source should live and unpack the distribution with the following command:
% gunzip -c openldap-VERSION.tgz | tar xvfB -
Then relocate yourself into the distribution directory:
cd openldap-VERSION
You will need to run the provided configure script to configure the distribution for building on your system. The configure script accepts many command line options that enable or disable optional software features. Usually the defaults are okay, but you may want to change them. To get a complete list of options that configure accepts, use the --help option.
./configure --help
However, we'll assume you are okay to just let configure determine what's best.
./configure
By default, it will install the package's files in /usr/local/bin. You can specify an installation prefix other than `/usr/local' by giving `configure' the option `--prefix=PATH'. For example,
./configure --prefix=YOUR_PATH
The next step is to build the software. This step has two parts: first we construct the dependencies, then we compile the software. Both makes should complete without error.
make depend
make
To ensure a correct build, you should run the test suite (it only takes a few minutes):
make test
Tests which apply to your configuration will run and they should pass.
You are now ready to install the software; this usually requires super-user privileges:
su root -c 'make install'
Everything should now be installed under /usr/local (or whatever installation prefix was used by configure).
1. Use your favorite editor to edit the provided slapd.ldif example (usually installed as /usr/local/etc/openldap/slapd.ldif) to contain an MDB database definition of the form:
dn: cn=config
objectClass: olcGlobal
cn: config
olcReferral: ldap://pdsdev.jpl.nasa.gov:1636
olcSizeLimit: 10000
olcSuffix: dc=pdsdev,dc=jpl,dc=nasa,dc=gov
olcRootDN: cn=config,dc=pdsdev,dc=jpl,dc=nasa,dc=gov
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd-config(5) for details.
# Use of strong authentication encouraged.
olcRootPW: {password}
# Define global ACLs to disable default read access.
#
olcArgsFile: /home/hyunlee/openldap/var/run/slapd.args
olcPidFile: /home/hyunlee/openldap/var/run/slapd.pid
olcLogFile: /home/hyunlee/openldap/var/run/slapd.log
olcLogLevel: stats2 stats ACL config filter conns
...
...
...
#######################################################################
# LMDB database definitions
#######################################################################
dn: olcDatabase=mdb,cn=config
objectClass: olcMdbConfig
olcDatabase: mdb
objectClass: olcDatabaseConfig
olcSuffix: "dc=pdsdev,dc=jpl,dc=nasa,dc=gov"
olcRootDN: "cn=Manager,dc=pdsdev,dc=jpl,dc=nasa,dc=gov"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd-config(5) for details.
# Use of strong authentication encouraged.
olcRootPW: {password}
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
olcDbDirectory: /home/hyunlee/openldap/var/openldap-data
# Indices to maintain
olcDbIndex: objectClass eq
olcDbIndex: cn,sn,uid pres,eq,approx,sub
2. Copy the PDSPerson.schema file to $OPENLDAP_HOME/etc/openldap/schema. This file defines the PDSPerson schema used by the directory server.
3. Edit the slapd.conf file to contain the following information.
include /home/hyunlee/openldap/etc/openldap/schema/core.schema
include /home/hyunlee/openldap/etc/openldap/schema/cosine.schema
include /home/hyunlee/openldap/etc/openldap/schema/inetorgperson.schema
include /home/hyunlee/openldap/etc/openldap/schema/PDSPerson.schema
pidfile /home/hyunlee/openldap/var/run/slapd.pid
argsfile /home/hyunlee/openldap/var/run/slapd.args
logfile /home/hyunlee/openldap/var/run/slapd.log
...
...
...
#######################################################################
# MDB database definitions
#######################################################################
database mdb
maxsize 1073741824
suffix "dc=pdsdev,dc=jpl,dc=nasa,dc=gov"
rootdn "cn=Manager,dc=pdsdev,dc=jpl,dc=nasa,dc=gov"
rootpw {password}
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /home/hyunlee/openldap/var/openldap-data
# Indices to maintain
index objectClass eq
# allow users to change their password
access to attrs=userPassword
    by self write
    by anonymous auth
    by users none
access to * by * read
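Both the slapd.ldif and slapd.conf examples above leave rootpw / olcRootPW as a {password} placeholder while their comments point at slappasswd(8). As an added example, not part of this guide or of OpenLDAP, the following Python builds and verifies the {SSHA} value slappasswd emits and flags config lines that still carry a cleartext or placeholder value; the 4-byte salt length and the scheme list are assumptions.

```python
import base64
import hashlib
import hmac
import os

# Added example, not from this guide or from OpenLDAP: build and check the {SSHA}
# form that slappasswd(8) produces, so rootpw / olcRootPW in slapd.conf and
# slapd.ldif holds a salted hash instead of the cleartext the comments warn against.
# Layout: "{SSHA}" + base64( SHA-1(password || salt) || salt ).
SALT_LEN = 4                              # assumption: slappasswd's default salt size
DIGEST_LEN = hashlib.sha1().digest_size   # 20 bytes; whatever follows is the salt
KNOWN_SCHEMES = {"SSHA", "SHA", "SMD5", "MD5", "CRYPT"}   # common {SCHEME} prefixes

def ssha_hash(password: str, salt=None) -> str:
    """Return an {SSHA} string usable as the value of rootpw / olcRootPW."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password: str, stored: str) -> bool:
    """Constant-time check of a candidate password against a stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False
    try:
        raw = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return False
    if len(raw) <= DIGEST_LEN:  # malformed: no salt bytes after the digest
        return False
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

def rootpw_is_hashed(value: str) -> bool:
    """True for a recognised {SCHEME} prefix; the guide's {password} placeholder is not one."""
    if value.startswith("{") and "}" in value:
        return value[1:value.index("}")].upper() in KNOWN_SCHEMES
    return False

def check_config(text: str) -> list:
    """Return slapd.conf / slapd.ldif rootpw lines whose value is not a hash."""
    bad = []
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0].lower() not in ("rootpw", "olcrootpw:"):
            continue
        if not rootpw_is_hashed(parts[1].strip()):
            bad.append(line.strip())
    return bad
```

Paste the string returned by ssha_hash() in place of {password}; slapd compares bind passwords against it exactly as ssha_verify() does.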
You are now ready to import your configuration database for use by slapd, by running the following commands:
% setenv LDAPCONF $OPENLDAP_HOME/etc/openldap/slapd.d
% setenv LDAPRC $OPENLDAP_HOME/etc/openldap/slapd.d
% mkdir $OPENLDAP_HOME/etc/openldap/slapd.d
% $OPENLDAP_HOME/sbin/slaptest -F $OPENLDAP_HOME/etc/openldap/slapd.d -f $OPENLDAP_HOME/etc/openldap/slapd.conf -n 0
You are now ready to start the Standalone LDAP Daemon, slapd, by running the following command. The whole slapd command line must be quoted so that su passes it to the root shell as one -c argument:
% su root -c "$OPENLDAP_HOME/libexec/slapd -F $OPENLDAP_HOME/etc/openldap/slapd.d -h ldap://pdsdev.jpl.nasa.gov:389 -d -1" &
To check to see if the server is running and configured correctly, you can run a search against it with ldapsearch. By default, ldapsearch is installed as /usr/local/bin/ldapsearch:
% $OPENLDAP_HOME/bin/ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
Once OpenLDAP is installed and functioning, we can populate the directory. The following command generates two LDIF files for your LDAP directory.
pds_personnel.ldif is for adding the PDS personnel entries into the directory server. pds_personnel_delete.ldif is for deleting the personnel entries from the directory server.
% java gov.nasa.pds.security.LDIFGenerator -t {directory where the personnel files reside} \
    -s {host name} -n {port number} -p {password}
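As an added example that is not the project's LDIFGenerator, the following Python produces the same pair of files from an in-memory personnel list while applying the LDIF rules that hand-written entries often get wrong: base64 for non-ASCII or unsafe values, 76-column line folding, and RDN escaping. The inetOrgPerson attribute set and the ou=people container are assumptions, since the guide does not show PDSPerson.schema.

```python
import base64
import re

# Added example, not the guide's gov.nasa.pds.security.LDIFGenerator: emit the add and
# delete LDIF files described above from an in-memory list. Attribute set is an
# assumption (inetOrgPerson, loaded by slapd.conf); PDSPerson.schema is not shown here.
BASE_DN = "dc=pdsdev,dc=jpl,dc=nasa,dc=gov"   # suffix from the guide's slapd.conf
PEOPLE_OU = "ou=people," + BASE_DN            # assumed container for personnel
# RFC 2849: write a value raw only if its first byte is a SAFE-INIT-CHAR, all bytes
# are SAFE-CHARs (ASCII, no NUL/CR/LF) and it has no trailing space; else base64 it.
SAFE_INIT = re.compile(rb"[\x01-\x09\x0b\x0c\x0e-\x1f\x21-\x39\x3b\x3d-\x7f]")
SAFE_ALL = re.compile(rb"[\x01-\x09\x0b\x0c\x0e-\x7f]*\Z")

def dn_escape(value: str) -> str:
    """Escape an RDN value (RFC 4514) so input like 'Doe, Jane' cannot alter the DN."""
    out = re.sub(r'([,+"\\<>;])', r"\\\1", value)
    out = "\\" + out if out.startswith(("#", " ")) else out
    return out[:-1] + "\\ " if out.endswith(" ") else out

def ldif_line(attr: str, value: str) -> str:
    """One attr/value line; ':: ' marks a base64 value LDIF cannot carry raw."""
    raw = value.encode("utf-8")
    if raw and SAFE_INIT.match(raw) and SAFE_ALL.match(raw) and not raw.endswith(b" "):
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(raw).decode('ascii')}"

def fold(line: str, width: int = 76) -> str:
    """Fold a line longer than 76 chars; each continuation line starts with a space."""
    parts, rest = [line[:width]], line[width:]
    while rest:
        parts.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)

def person_dn(uid: str) -> str:
    return f"uid={dn_escape(uid)},{PEOPLE_OU}"

def add_record(p: dict) -> str:
    lines = [ldif_line("dn", person_dn(p["uid"])), "objectClass: inetOrgPerson"]
    lines += [ldif_line(a, p[a]) for a in ("uid", "cn", "sn", "mail")]
    return "\n".join(fold(l) for l in lines) + "\n"

def generate(people: list) -> tuple:
    """Return (pds_personnel.ldif text, pds_personnel_delete.ldif text)."""
    adds = "\n".join(map(add_record, people))
    dels = "\n".join(ldif_line("dn", person_dn(p["uid"])) + "\nchangetype: delete\n" for p in people)
    return adds, dels

# Constructed sample input; the second entry exercises the base64 path.
PEOPLE = [{"uid": "jdoe", "cn": "Jane Doe", "sn": "Doe", "mail": "jdoe@example.org"},
          {"uid": "rmuller", "cn": "René Müller", "sn": "Müller", "mail": "rm@example.org"}]
```

Write the two strings returned by generate(PEOPLE) to pds_personnel.ldif and pds_personnel_delete.ldif; ldapadd and ldapmodify accept both as-is.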
With the software configuration complete, it is time to add groups and users to the directory server. The following configuration files, in the LDAP Data Interchange Format (LDIF), are available for configuring the directory server:
Execute the commands with the configuration files as follows:
% $OPENLDAP_HOME/bin/ldapadd -x -D "cn=Manager,dc=pdsdev,dc=jpl,dc=nasa,dc=gov" -w {password} \
    -f /home/hyunlee/openldap/pds_groups.ldif
% $OPENLDAP_HOME/bin/ldapadd -x -D "cn=Manager,dc=pdsdev,dc=jpl,dc=nasa,dc=gov" -w {password} \
    -f /home/hyunlee/openldap/pds_personnel.ldif