LDAP » History » Version 2
Matthieu Herrb, 07/02/2021 21:32
h1. LDAP

This page describes the installation of the Tetaneutral.net LDAP server.

We use 389 DS: https://directory.fedoraproject.org/index.html plus Cockpit.

XXX To be completed

h2. Updating from djadhere

A script runs every 15 minutes on adherents.tetaneutral.net to update the accounts from the SI.

The password in the SI is encoded in the right format so that it can be reused for LDAP.

h2. Certificates

Installation of nginx + certbot-nginx.

Script to convert the Let's Encrypt certificate to the formats used by Cockpit and 389DS: @/root/update-letsencrypt.sh@
<pre>
#! /bin/bash
# update the 389ds certificates from Let's encrypt
# Source : http://delatbabel.blogspot.com/2017/03/lets-encrypt-ssl-recipes-389-directory.html

TMPDIR=$(mktemp -d /root/keys-XXXXXXXXXX)
SITE=ldap.tetaneutral.net
LDAPINSTANCE=ldap
trap 'rm -rf "$TMPDIR"' 0
#
# Make the temporary directory to store the PKCS12 file
# (mktemp -d already created it with mode 700; this only makes sure)
#
mkdir -p $TMPDIR
chmod 700 $TMPDIR

#
# Make the PKCS12 file from the letsencrypt PEM files
#
rm -f $TMPDIR/$SITE.p12
openssl pkcs12 -export -in /etc/letsencrypt/live/$SITE/cert.pem \
    -inkey /etc/letsencrypt/live/$SITE/privkey.pem \
    -nodes -passout pass: -name Server-Cert -out $TMPDIR/$SITE.p12

# Prepare the password files
# pin.txt holds "<token name>:<password>"; keep only the password part.
# The PKCS12 file was exported with an empty password, hence the empty file.
cut -d: -f2 < /etc/dirsrv/slapd-$LDAPINSTANCE/pin.txt > $TMPDIR/nss-pass.txt
echo "" > $TMPDIR/p12-pass.txt

#
# Import the CA certs separately with standard certificate nicknames
#
certutil -f $TMPDIR/nss-pass.txt -A -d /etc/dirsrv/slapd-$LDAPINSTANCE/ -n "ca_cert" -t "CT,," -i /etc/letsencrypt/live/$SITE/chain.pem

#
# Import the PKCS12 file into 389DS
#

pk12util -d /etc/dirsrv/slapd-$LDAPINSTANCE -i $TMPDIR/$SITE.p12 -k $TMPDIR/nss-pass.txt -w $TMPDIR/p12-pass.txt

# Restart dirsrv
systemctl restart dirsrv@$LDAPINSTANCE

#
# Recreate the Cockpit SSL certificate (Cockpit reads full chain + key from one file)
#
cat /etc/letsencrypt/live/$SITE/fullchain.pem /etc/letsencrypt/live/$SITE/privkey.pem > /etc/cockpit/ws-certs.d/1-my-cert.cert

# Restart Cockpit
systemctl restart cockpit.socket

exit 0
</pre>

Installed as a hook run on renewal. Added to @/etc/letsencrypt/renewal/ldap.tetaneutral.net.conf@:
<pre>
post_hook = /root/update-letsencrypt.sh
</pre>
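Once the hook is in place, the thing worth checking after each renewal is that LDAPS really presents the freshly issued certificate and that the NSS database still has it under the Server-Cert nickname. The script below is an added check, not part of the original page or of the Tetaneutral.net script; it assumes the same SITE and LDAPINSTANCE values as above, LDAPS on port 636, and that openssl and certutil are installed.

```shell
#!/bin/bash
# Post-renewal check (added example): does the LDAPS endpoint present the
# certificate Let's Encrypt just issued, and does the NSS database hold it?
# Assumes SITE/LDAPINSTANCE as in /root/update-letsencrypt.sh, LDAPS on 636,
# and openssl + certutil on the PATH.
SITE=${SITE:-ldap.tetaneutral.net}
LDAPINSTANCE=${LDAPINSTANCE:-ldap}
NSSDB=/etc/dirsrv/slapd-$LDAPINSTANCE

# Reduce "sha256 Fingerprint=AB:CD:..." (openssl output) to bare lowercase hex
# so fingerprints taken from a file and from the network compare as strings.
normalize_fingerprint() {
    printf '%s' "$1" | sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# SHA-256 fingerprint of the first certificate in a PEM file (cert.pem or fullchain.pem).
file_fingerprint() {
    local out
    out=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null) || return 1
    normalize_fingerprint "$out"
}

# SHA-256 fingerprint of the leaf certificate a TLS server presents for this name.
served_fingerprint() {
    local out
    out=$(openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
          openssl x509 -noout -fingerprint -sha256 2>/dev/null) || return 1
    normalize_fingerprint "$out"
}

# Non-zero unless the NSS database holds a certificate under this nickname.
nss_has_nickname() {
    certutil -L -d "$1" -n "$2" >/dev/null 2>&1
}

# 0 on match, 1 on mismatch, 2-4 when a step could not be carried out.
check_renewal() {
    local expected actual
    expected=$(file_fingerprint "/etc/letsencrypt/live/$SITE/cert.pem") || { echo "cannot read cert.pem for $SITE" >&2; return 2; }
    nss_has_nickname "$NSSDB" Server-Cert || { echo "no Server-Cert in $NSSDB" >&2; return 3; }
    actual=$(served_fingerprint "$SITE" 636) || { echo "no TLS answer from $SITE:636" >&2; return 4; }
    [ "$expected" = "$actual" ] || { echo "MISMATCH: LDAPS serves $actual, Let's Encrypt issued $expected" >&2; return 1; }
    echo "OK: $SITE serves the current Let's Encrypt certificate ($expected)"
}

# The live check runs only on request, so the file can also be sourced for its helpers.
if [ "${1:-}" = "--live" ]; then check_renewal; fi
```

Run it as `./check-ldaps-cert.sh --live` (a constructed name) right after the renewal hook, or append that call to the end of @/root/update-letsencrypt.sh@ so a mismatch shows up in the certbot log.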