User:Sfiggins/RH-TACACS with LDAP Backend
Install and Setup New CentOS 7 Server
Create base Centos 7 server, as documented below
New CentOS 7 Server Setup Commands
Edit /etc/ssh/sshd_config to enable X11 forwarding
Edit /etc/ssh/sshd_config and replace:
X11Forwarding no
X11UseLocalhost yes
with:
X11Forwarding yes
X11UseLocalhost no
And add:
AddressFamily inet
Restart sshd
# service sshd restart
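One caveat worth checking before restarting: sshd reads sshd_config top to bottom and uses the first value it sees for each keyword, and anything after a Match line is conditional. Appending new lines below the stock ones therefore changes nothing, which is why the steps above say to replace the lines. The following POSIX shell check is an added example (not from the original page) that reads a config the way sshd does and verifies the three settings; the config fragments it creates are constructed samples, not this server's files.

```shell
#!/bin/sh
# Added example: verify sshd_config edits using sshd's own "first match wins" rule.

# Print the effective global value of KEYWORD in FILE. Keyword matching is
# case-insensitive, comments and blank lines are skipped, and scanning stops at
# the first "Match" line because everything after it is conditional.
# Prints nothing if the keyword is not set globally (sshd then uses its default).
sshd_effective() {
    file=$1
    keyword=$2
    awk -v kw="$(printf '%s' "$keyword" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }      # skip comments and blanks
        tolower($1) == "match" { exit }                    # conditional section begins
        tolower($1) == kw {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]*/, "")  # drop the keyword
            print
            exit                                           # first occurrence wins
        }
    ' "$file"
}

# Check the three settings the procedure above expects. Prints one PASS/FAIL
# line per setting and returns non-zero if any of them is wrong.
check_x11_sshd_config() {
    file=$1
    rc=0
    for pair in "X11Forwarding:yes" "X11UseLocalhost:no" "AddressFamily:inet"; do
        kw=${pair%%:*}
        want=${pair#*:}
        got=$(sshd_effective "$file" "$kw")
        if [ "$got" = "$want" ]; then
            echo "PASS $kw=$got"
        else
            echo "FAIL $kw expected '$want' got '${got:-<unset>}'"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample configs (hypothetical, not the page's real files):
#   good      - stock lines replaced as the procedure says
#   appended  - new values added below the stock ones (a common mistake)
#   matched   - X11Forwarding only enabled inside a Match block
# Prints the directory that holds them.
make_samples() {
    dir=${TMPDIR:-/tmp}/sshd_check_example.$$
    mkdir -p "$dir"
    cat > "$dir/good" <<'EOF'
# stock header comment
AddressFamily inet
X11Forwarding yes
X11UseLocalhost no
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF
    cat > "$dir/appended" <<'EOF'
X11Forwarding no
X11UseLocalhost yes
Subsystem sftp /usr/libexec/openssh/sftp-server
# appended instead of replaced: sshd ignores the two X11 lines below
X11Forwarding yes
X11UseLocalhost no
AddressFamily inet
EOF
    cat > "$dir/matched" <<'EOF'
AddressFamily inet
Match User someadmin
    X11Forwarding yes
    X11UseLocalhost no
EOF
    echo "$dir"
}

# Stand-alone run: report on each constructed sample.
if [ "${SSHD_CHECK_DEMO:-0}" = "1" ]; then
    d=$(make_samples)
    for f in good appended matched; do
        echo "== $f"
        check_x11_sshd_config "$d/$f" || true
    done
fi
```

Run it against the real file with `check_x11_sshd_config /etc/ssh/sshd_config` after sourcing the script, or set `SSHD_CHECK_DEMO=1` to see the three constructed cases.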
Setup CPAN
Install GCC
# yum install gcc
Install CPAN
# yum install cpan
Auto Configure CPAN
When you first run CPAN, it will offer to automatically configure. Go ahead and let it do this, and we will fix it later.
Change some defaults
# cpan
Terminal does not support AddHistory.

cpan shell -- CPAN exploration and modules installation (v1.9402)
Enter 'h' for help.

cpan[1]> o conf urllist
    urllist
Type 'o conf' to view all configuration items

cpan[4]> o conf commit
commit: wrote '/root/.cpan/CPAN/MyConfig.pm'
# perl -npe 's/root\/.cpan/var\/spool\/cpan/g' -i /root/.cpan/CPAN/MyConfig.pm
# mkdir -p /var/spool/cpan
Update CPAN
# cpan
Terminal does not support AddHistory.

cpan shell -- CPAN exploration and modules installation (v1.9402)
Enter 'h' for help.

cpan[1]> install CPAN
cpan[2]> reload cpan
Install Perl Modules (via yum)
Install the Perl modules that are available via yum:
# yum install perl-Capture-Tiny perl-DBD-MySQL perl-DBI perl-Net-DNS perl-Time-Piece
Install Perl Modules (via CPAN)
Install the following modules via CPAN:
Array::Compare Date::Calendar Date::Calendar::Profiles Date::Parse IO::Select MIME::Lite Net::LDAP::Constant Net::LDAP::Control::Paged Net::LDAP::Entry Net::LDAPS Net::LDAP::Util
Command looks like this:
# cpan
Terminal does not support AddHistory.

cpan shell -- CPAN exploration and modules installation (v2.10)
Enter 'h' for help.

cpan[1]> install Array::Compare Date::Calendar Date::Calendar::Profiles Date::Parse IO::Select MIME::Lite Net::LDAP::Constant \
    Net::LDAP::Control::Paged Net::LDAP::Entry Net::LDAPS Net::LDAP::Util
Follow through the install process, hitting a million "Y".
Install 389-ds
Set your server's fully qualified domain name in the /etc/hosts file
Edit the file /etc/hosts
# vi /etc/hosts
Add an entry for the local hostname and network IP address
10.255.7.37 centos-auth.home.labrats.us centos-auth
Firewall Configuration
Open the following LDAP ports in the firewall:
# firewall-cmd --permanent --add-port=389/tcp
# firewall-cmd --permanent --add-port=636/tcp
# firewall-cmd --permanent --add-port=9830/tcp
Reload the firewall
# firewall-cmd --reload
Add EPEL and REMI Repository
EPEL is required, but I don't think that REMI is.
Install and Enable EPEL Repository on CentOS 7
# yum install epel-release
Install and enable REMI repository On CentOS 7
# yum install http://rpms.famillecollet.com/enterprise/remi-release-7.rpm
Enable REMI repository
# vi /etc/yum.repos.d/remi.repo
Change enabled to 1
[...] enabled=1 [...]
Performance and Security tuning for LDAP server
Before installing the LDAP server, adjust a few system files for performance and security.
Edit file “/etc/sysctl.conf”
# vi /etc/sysctl.conf
Add the following lines at the end:
net.ipv4.tcp_keepalive_time = 300
net.ipv4.ip_local_port_range = 1024 65000
fs.file-max = 64000
Load the new values
# sysctl -p
Edit file “/etc/security/limits.conf”
# vi /etc/security/limits.conf
Add the following lines at the end:
* soft nofile 8192
* hard nofile 8192
Edit file “/etc/profile”
# vi /etc/profile
Add the following line at the end:
ulimit -n 8192
Edit file “/etc/pam.d/login”
# vi /etc/pam.d/login
Add the following line at the end:
session required pam_limits.so
Now restart the server.
# shutdown -r now
Install 389 Directory Server
Install the 389-ds-base package, the OpenLDAP client tools and the 389 console packages with the following command:
# yum install 389-ds-base openldap-clients idm-console-framework 389-admin 389-adminutil \
    389-admin-console 389-console 389-ds-console
libicu x86_64 50.1.2-17.el7 base 6.9 M libjpeg-turbo x86_64 1.2.90-6.el7 base 134 k libpng x86_64 2:1.5.13-7.el7_2 base 213 k libsemanage-python x86_64 2.5-14.el7 base 113 k libxcb x86_64 1.13-1.el7 base 214 k libxslt x86_64 1.1.28-5.el7 base 242 k lksctp-tools x86_64 1.0.17-2.el7 base 88 k mailcap noarch 2.1.41-2.el7 base 31 k mod_nss x86_64 1.0.14-12.el7 base 113 k perl-Archive-Tar noarch 1.92-2.el7 base 73 k perl-CGI noarch 3.63-4.el7 base 250 k perl-DB_File x86_64 1.830-6.el7 base 74 k perl-FCGI x86_64 1:0.74-8.el7 base 42 k perl-IO-Zlib noarch 1:1.10-293.el7 base 51 k perl-Mozilla-LDAP x86_64 1.5.3-12.el7 base 147 k perl-NetAddr-IP x86_64 4.069-3.el7 base 125 k perl-Package-Constants noarch 1:0.02-293.el7 base 45 k policycoreutils-python x86_64 2.5-29.el7 base 456 k python-IPy noarch 0.75-6.el7 base 32 k python-javapackages noarch 3.4.1-11.el7 base 31 k python-ldap x86_64 2.4.15-2.el7 base 159 k python-lxml x86_64 3.2.1-4.el7 base 758 k setools-libs x86_64 3.3.8-4.el7 base 620 k svrcore x86_64 4.1.3-2.el7 base 19 k ttmkfdir x86_64 3.0.9-42.el7 base 48 k tzdata-java noarch 2018g-1.el7 updates 185 k xorg-x11-font-utils x86_64 1:7.5-21.el7 base 104 k xorg-x11-fonts-Type1 noarch 7.5-9.el7 base 521 k Updating for dependencies: audit x86_64 2.8.4-4.el7 base 250 k audit-libs x86_64 2.8.4-4.el7 base 100 k chkconfig x86_64 1.7.4-1.el7 base 181 k freetype x86_64 2.8-12.el7 base 380 k openldap x86_64 2.4.44-20.el7 base 355 k Transaction Summary ========================================================================================================================================================================================= Install 8 Packages (+64 Dependent packages) Upgrade ( 5 Dependent packages) Total download size: 59 M Is this ok [y/d/N]: y Downloading packages: Delta RPMs disabled because /usr/bin/applydeltarpm not installed. 
warning: /var/cache/yum/x86_64/7/epel/packages/389-admin-1.1.46-1.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 352c64e5: NOKEY ] 0.0 B/s | 0 B --:--:-- ETA Public key for 389-admin-1.1.46-1.el7.x86_64.rpm is not installed (1/77): 389-admin-1.1.46-1.el7.x86_64.rpm | 391 kB 00:00:00 (2/77): 389-admin-console-1.1.12-1.el7.noarch.rpm | 204 kB 00:00:00 (3/77): 389-adminutil-1.1.21-2.el7.x86_64.rpm | 73 kB 00:00:00 (4/77): 389-console-1.1.18-1.el7.noarch.rpm | 75 kB 00:00:00 (5/77): 389-ds-console-1.2.16-1.el7.noarch.rpm | 1.4 MB 00:00:00 (6/77): 389-ds-base-libs-1.3.8.4-18.el7_6.x86_64.rpm | 699 kB 00:00:00 (7/77): 389-ds-base-1.3.8.4-18.el7_6.x86_64.rpm | 1.7 MB 00:00:00 (8/77): apache-commons-lang-2.6-15.el7.noarch.rpm | 276 kB 00:00:00 (9/77): apache-commons-codec-1.8-7.el7.noarch.rpm | 223 kB 00:00:00 (10/77): apr-util-1.5.2-6.el7.x86_64.rpm | 92 kB 00:00:00 (11/77): audit-2.8.4-4.el7.x86_64.rpm | 250 kB 00:00:00 (12/77): audit-libs-python-2.8.4-4.el7.x86_64.rpm | 76 kB 00:00:00 (13/77): checkpolicy-2.5-8.el7.x86_64.rpm | 295 kB 00:00:00 (14/77): chkconfig-1.7.4-1.el7.x86_64.rpm | 181 kB 00:00:00 (15/77): copy-jdk-configs-3.3-10.el7_5.noarch.rpm | 21 kB 00:00:00 (16/77): cyrus-sasl-md5-2.1.26-23.el7.x86_64.rpm | 57 kB 00:00:00 (17/77): dejavu-fonts-common-2.33-6.el7.noarch.rpm | 64 kB 00:00:00 (18/77): cyrus-sasl-plain-2.1.26-23.el7.x86_64.rpm | 39 kB 00:00:00 (19/77): fontconfig-2.13.0-4.3.el7.x86_64.rpm | 254 kB 00:00:00 (20/77): apr-1.4.8-3.el7_4.1.x86_64.rpm | 103 kB 00:00:00 (21/77): fontpackages-filesystem-1.44-8.el7.noarch.rpm | 9.9 kB 00:00:00 (22/77): dejavu-sans-fonts-2.33-6.el7.noarch.rpm | 1.4 MB 00:00:00 (23/77): freetype-2.8-12.el7.x86_64.rpm | 380 kB 00:00:00 (24/77): gperftools-libs-2.6.1-1.el7.x86_64.rpm | 272 kB 00:00:00 (25/77): audit-libs-2.8.4-4.el7.x86_64.rpm | 100 kB 00:00:00 (26/77): httpd-tools-2.4.6-88.el7.centos.x86_64.rpm | 90 kB 00:00:00 (27/77): giflib-4.1.6-9.el7.x86_64.rpm | 40 kB 00:00:00 (28/77): 
java-1.8.0-openjdk-1.8.0.191.b12-1.el7_6.x86_64.rpm | 254 kB 00:00:00 (29/77): httpd-2.4.6-88.el7.centos.x86_64.rpm | 2.7 MB 00:00:00 (30/77): javapackages-tools-3.4.1-11.el7.noarch.rpm | 73 kB 00:00:00 (31/77): ldapjdk-4.19-5.el7.noarch.rpm | 317 kB 00:00:00 (32/77): libICE-1.0.9-9.el7.x86_64.rpm | 66 kB 00:00:00 (33/77): libSM-1.2.2-2.el7.x86_64.rpm | 39 kB 00:00:00 (34/77): libX11-1.6.5-2.el7.x86_64.rpm | 606 kB 00:00:00 (35/77): libXau-1.0.8-2.1.el7.x86_64.rpm | 29 kB 00:00:00 (36/77): libX11-common-1.6.5-2.el7.noarch.rpm | 164 kB 00:00:00 (37/77): libXcomposite-0.4.4-4.1.el7.x86_64.rpm | 22 kB 00:00:00 (38/77): libXext-1.3.3-3.el7.x86_64.rpm | 39 kB 00:00:00 (39/77): libXi-1.7.9-1.el7.x86_64.rpm | 40 kB 00:00:00 (40/77): libXrender-0.9.10-1.el7.x86_64.rpm | 26 kB 00:00:00 (41/77): libXtst-1.2.3-1.el7.x86_64.rpm | 20 kB 00:00:00 (42/77): libcgroup-0.41-20.el7.x86_64.rpm | 66 kB 00:00:00 (43/77): libevent-2.0.21-4.el7.x86_64.rpm | 214 kB 00:00:00 (44/77): jss-4.4.4-3.el7.x86_64.rpm | 1.1 MB 00:00:00 (45/77): libicu-50.1.2-17.el7.x86_64.rpm | 6.9 MB 00:00:00 (46/77): libpng-1.5.13-7.el7_2.x86_64.rpm | 213 kB 00:00:00 (47/77): libsemanage-python-2.5-14.el7.x86_64.rpm | 113 kB 00:00:00 (48/77): libxcb-1.13-1.el7.x86_64.rpm | 214 kB 00:00:00 (49/77): libxslt-1.1.28-5.el7.x86_64.rpm | 242 kB 00:00:00 (50/77): libfontenc-1.1.3-3.el7.x86_64.rpm | 31 kB 00:00:00 (51/77): libjpeg-turbo-1.2.90-6.el7.x86_64.rpm | 134 kB 00:00:00 (52/77): lksctp-tools-1.0.17-2.el7.x86_64.rpm | 88 kB 00:00:00 (53/77): mailcap-2.1.41-2.el7.noarch.rpm | 31 kB 00:00:00 (54/77): openldap-2.4.44-20.el7.x86_64.rpm | 355 kB 00:00:00 (55/77): mod_nss-1.0.14-12.el7.x86_64.rpm | 113 kB 00:00:00 (56/77): perl-Archive-Tar-1.92-2.el7.noarch.rpm | 73 kB 00:00:00 (57/77): openldap-clients-2.4.44-20.el7.x86_64.rpm | 190 kB 00:00:00 (58/77): perl-DB_File-1.830-6.el7.x86_64.rpm | 74 kB 00:00:00 (59/77): perl-FCGI-0.74-8.el7.x86_64.rpm | 42 kB 00:00:00 (60/77): perl-CGI-3.63-4.el7.noarch.rpm | 250 kB 00:00:00 
(61/77): idm-console-framework-1.1.17-4.el7.noarch.rpm | 1.1 MB 00:00:00 (62/77): perl-IO-Zlib-1.10-293.el7.noarch.rpm | 51 kB 00:00:00 (63/77): perl-Mozilla-LDAP-1.5.3-12.el7.x86_64.rpm | 147 kB 00:00:00 (64/77): perl-Package-Constants-0.02-293.el7.noarch.rpm | 45 kB 00:00:00 (65/77): java-1.8.0-openjdk-headless-1.8.0.191.b12-1.el7_6.x86_64.rpm | 32 MB 00:00:00 (66/77): policycoreutils-python-2.5-29.el7.x86_64.rpm | 456 kB 00:00:00 (67/77): python-IPy-0.75-6.el7.noarch.rpm | 32 kB 00:00:00 (68/77): perl-NetAddr-IP-4.069-3.el7.x86_64.rpm | 125 kB 00:00:00 (69/77): python-javapackages-3.4.1-11.el7.noarch.rpm | 31 kB 00:00:00 (70/77): setools-libs-3.3.8-4.el7.x86_64.rpm | 620 kB 00:00:00 (71/77): python-lxml-3.2.1-4.el7.x86_64.rpm | 758 kB 00:00:00 (72/77): svrcore-4.1.3-2.el7.x86_64.rpm | 19 kB 00:00:00 (73/77): ttmkfdir-3.0.9-42.el7.x86_64.rpm | 48 kB 00:00:00 (74/77): tzdata-java-2018g-1.el7.noarch.rpm | 185 kB 00:00:00 (75/77): xorg-x11-fonts-Type1-7.5-9.el7.noarch.rpm | 521 kB 00:00:00 (76/77): xorg-x11-font-utils-7.5-21.el7.x86_64.rpm | 104 kB 00:00:00 (77/77): python-ldap-2.4.15-2.el7.x86_64.rpm | 159 kB 00:00:00 ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Total 18 MB/s | 59 MB 00:00:03 Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7 Importing GPG key 0x352C64E5: Userid : "Fedora EPEL (7) <epel@fedoraproject.org>" Fingerprint: 91e9 7d7c 4a5e 96f1 7f3e 888f 6a2f aea2 352c 64e5 Package : epel-release-7-11.noarch (@extras) From : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7 Is this ok [y/N]: y Running transaction check Running transaction test Transaction test succeeded Running transaction Updating : openldap-2.4.44-20.el7.x86_64 1/82 Installing : apr-1.4.8-3.el7_4.1.x86_64 2/82 Installing : libicu-50.1.2-17.el7.x86_64 3/82 Installing : apr-util-1.5.2-6.el7.x86_64 4/82 Installing : 
perl-Mozilla-LDAP-1.5.3-12.el7.x86_64 5/82 Updating : chkconfig-1.7.4-1.el7.x86_64 6/82 Installing : gperftools-libs-2.6.1-1.el7.x86_64 7/82 Updating : audit-libs-2.8.4-4.el7.x86_64 8/82 Installing : libxslt-1.1.28-5.el7.x86_64 9/82 Installing : libevent-2.0.21-4.el7.x86_64 10/82 Installing : libsemanage-python-2.5-14.el7.x86_64 11/82 Installing : libICE-1.0.9-9.el7.x86_64 12/82 Installing : svrcore-4.1.3-2.el7.x86_64 13/82 Installing : libjpeg-turbo-1.2.90-6.el7.x86_64 14/82 Installing : fontpackages-filesystem-1.44-8.el7.noarch 15/82 Installing : 2:libpng-1.5.13-7.el7_2.x86_64 16/82 Updating : freetype-2.8-12.el7.x86_64 17/82 Installing : ttmkfdir-3.0.9-42.el7.x86_64 18/82 Installing : dejavu-fonts-common-2.33-6.el7.noarch 19/82 Installing : dejavu-sans-fonts-2.33-6.el7.noarch 20/82 Installing : fontconfig-2.13.0-4.3.el7.x86_64 21/82 Installing : 389-ds-base-libs-1.3.8.4-18.el7_6.x86_64 22/82 Installing : libSM-1.2.2-2.el7.x86_64 23/82 Installing : python-lxml-3.2.1-4.el7.x86_64 24/82 Installing : python-javapackages-3.4.1-11.el7.noarch 25/82 Installing : javapackages-tools-3.4.1-11.el7.noarch 26/82 Installing : audit-libs-python-2.8.4-4.el7.x86_64 27/82 Installing : httpd-tools-2.4.6-88.el7.centos.x86_64 28/82 Installing : 389-adminutil-1.1.21-2.el7.x86_64 29/82 Installing : python-ldap-2.4.15-2.el7.x86_64 30/82 Installing : openldap-clients-2.4.44-20.el7.x86_64 31/82 Installing : libfontenc-1.1.3-3.el7.x86_64 32/82 Installing : 1:xorg-x11-font-utils-7.5-21.el7.x86_64 33/82 Installing : xorg-x11-fonts-Type1-7.5-9.el7.noarch 34/82 Installing : libcgroup-0.41-20.el7.x86_64 35/82 Installing : tzdata-java-2018g-1.el7.noarch 36/82 Installing : libX11-common-1.6.5-2.el7.noarch 37/82 Installing : lksctp-tools-1.0.17-2.el7.x86_64 38/82 Installing : python-IPy-0.75-6.el7.noarch 39/82 Installing : perl-DB_File-1.830-6.el7.x86_64 40/82 Installing : 1:perl-IO-Zlib-1.10-293.el7.noarch 41/82 Installing : setools-libs-3.3.8-4.el7.x86_64 42/82 Installing : 
mailcap-2.1.41-2.el7.noarch 43/82 Installing : httpd-2.4.6-88.el7.centos.x86_64 44/82 Installing : mod_nss-1.0.14-12.el7.x86_64 45/82 mod_nss certificate database generated. Installing : 1:perl-Package-Constants-0.02-293.el7.noarch 46/82 Installing : perl-Archive-Tar-1.92-2.el7.noarch 47/82 Installing : cyrus-sasl-plain-2.1.26-23.el7.x86_64 48/82 Installing : copy-jdk-configs-3.3-10.el7_5.noarch 49/82 Installing : 1:java-1.8.0-openjdk-headless-1.8.0.191.b12-1.el7_6.x86_64 50/82 Installing : checkpolicy-2.5-8.el7.x86_64 51/82 Installing : policycoreutils-python-2.5-29.el7.x86_64 52/82 Installing : perl-NetAddr-IP-4.069-3.el7.x86_64 53/82 Installing : libXau-1.0.8-2.1.el7.x86_64 54/82 Installing : libxcb-1.13-1.el7.x86_64 55/82 Installing : libX11-1.6.5-2.el7.x86_64 56/82 Installing : libXext-1.3.3-3.el7.x86_64 57/82 Installing : libXi-1.7.9-1.el7.x86_64 58/82 Installing : libXtst-1.2.3-1.el7.x86_64 59/82 Installing : giflib-4.1.6-9.el7.x86_64 60/82 Installing : libXrender-0.9.10-1.el7.x86_64 61/82 Installing : libXcomposite-0.4.4-4.1.el7.x86_64 62/82 Installing : 1:java-1.8.0-openjdk-1.8.0.191.b12-1.el7_6.x86_64 63/82 Installing : apache-commons-codec-1.8-7.el7.noarch 64/82 Installing : apache-commons-lang-2.6-15.el7.noarch 65/82 Installing : ldapjdk-4.19-5.el7.noarch 66/82 Installing : jss-4.4.4-3.el7.x86_64 67/82 Installing : idm-console-framework-1.1.17-4.el7.noarch 68/82 Installing : 1:perl-FCGI-0.74-8.el7.x86_64 69/82 Installing : perl-CGI-3.63-4.el7.noarch 70/82 Installing : cyrus-sasl-md5-2.1.26-23.el7.x86_64 71/82 Installing : 389-ds-base-1.3.8.4-18.el7_6.x86_64 72/82 Installing : 389-admin-1.1.46-1.el7.x86_64 73/82 Installing : 389-ds-console-1.2.16-1.el7.noarch 74/82 Installing : 389-admin-console-1.1.12-1.el7.noarch 75/82 Installing : 389-console-1.1.18-1.el7.noarch 76/82 Updating : audit-2.8.4-4.el7.x86_64 77/82 Cleanup : audit-2.4.1-5.el7.x86_64 78/82 Cleanup : audit-libs-2.4.1-5.el7.x86_64 79/82 Cleanup : chkconfig-1.3.61-4.el7.x86_64 80/82 Cleanup : 
freetype-2.4.11-9.el7.x86_64 81/82 Cleanup : openldap-2.4.39-6.el7.x86_64 82/82 Verifying : libXext-1.3.3-3.el7.x86_64 1/82 Verifying : cyrus-sasl-md5-2.1.26-23.el7.x86_64 2/82 Verifying : dejavu-sans-fonts-2.33-6.el7.noarch 3/82 Verifying : fontconfig-2.13.0-4.3.el7.x86_64 4/82 Verifying : 1:perl-FCGI-0.74-8.el7.x86_64 5/82 Verifying : giflib-4.1.6-9.el7.x86_64 6/82 Verifying : libXau-1.0.8-2.1.el7.x86_64 7/82 Verifying : libXrender-0.9.10-1.el7.x86_64 8/82 Verifying : python-ldap-2.4.15-2.el7.x86_64 9/82 Verifying : libXi-1.7.9-1.el7.x86_64 10/82 Verifying : python-lxml-3.2.1-4.el7.x86_64 11/82 Verifying : 2:libpng-1.5.13-7.el7_2.x86_64 12/82 Verifying : 389-ds-console-1.2.16-1.el7.noarch 13/82 Verifying : apache-commons-codec-1.8-7.el7.noarch 14/82 Verifying : 389-ds-base-libs-1.3.8.4-18.el7_6.x86_64 15/82 Verifying : perl-NetAddr-IP-4.069-3.el7.x86_64 16/82 Verifying : dejavu-fonts-common-2.33-6.el7.noarch 17/82 Verifying : fontpackages-filesystem-1.44-8.el7.noarch 18/82 Verifying : ttmkfdir-3.0.9-42.el7.x86_64 19/82 Verifying : openldap-2.4.44-20.el7.x86_64 20/82 Verifying : libjpeg-turbo-1.2.90-6.el7.x86_64 21/82 Verifying : checkpolicy-2.5-8.el7.x86_64 22/82 Verifying : 389-admin-1.1.46-1.el7.x86_64 23/82 Verifying : apache-commons-lang-2.6-15.el7.noarch 24/82 Verifying : 389-ds-base-1.3.8.4-18.el7_6.x86_64 25/82 Verifying : openldap-clients-2.4.44-20.el7.x86_64 26/82 Verifying : copy-jdk-configs-3.3-10.el7_5.noarch 27/82 Verifying : python-javapackages-3.4.1-11.el7.noarch 28/82 Verifying : svrcore-4.1.3-2.el7.x86_64 29/82 Verifying : 389-admin-console-1.1.12-1.el7.noarch 30/82 Verifying : freetype-2.8-12.el7.x86_64 31/82 Verifying : libICE-1.0.9-9.el7.x86_64 32/82 Verifying : jss-4.4.4-3.el7.x86_64 33/82 Verifying : httpd-tools-2.4.6-88.el7.centos.x86_64 34/82 Verifying : libXtst-1.2.3-1.el7.x86_64 35/82 Verifying : cyrus-sasl-plain-2.1.26-23.el7.x86_64 36/82 Verifying : libxcb-1.13-1.el7.x86_64 37/82 Verifying : 1:perl-Package-Constants-0.02-293.el7.noarch 
38/82 Verifying : 389-console-1.1.18-1.el7.noarch 39/82 Verifying : perl-Mozilla-LDAP-1.5.3-12.el7.x86_64 40/82 Verifying : mailcap-2.1.41-2.el7.noarch 41/82 Verifying : setools-libs-3.3.8-4.el7.x86_64 42/82 Verifying : idm-console-framework-1.1.17-4.el7.noarch 43/82 Verifying : mod_nss-1.0.14-12.el7.x86_64 44/82 Verifying : xorg-x11-fonts-Type1-7.5-9.el7.noarch 45/82 Verifying : libicu-50.1.2-17.el7.x86_64 46/82 Verifying : libsemanage-python-2.5-14.el7.x86_64 47/82 Verifying : libevent-2.0.21-4.el7.x86_64 48/82 Verifying : apr-util-1.5.2-6.el7.x86_64 49/82 Verifying : libX11-1.6.5-2.el7.x86_64 50/82 Verifying : 1:java-1.8.0-openjdk-1.8.0.191.b12-1.el7_6.x86_64 51/82 Verifying : 389-adminutil-1.1.21-2.el7.x86_64 52/82 Verifying : 1:perl-IO-Zlib-1.10-293.el7.noarch 53/82 Verifying : libXcomposite-0.4.4-4.1.el7.x86_64 54/82 Verifying : httpd-2.4.6-88.el7.centos.x86_64 55/82 Verifying : javapackages-tools-3.4.1-11.el7.noarch 56/82 Verifying : libxslt-1.1.28-5.el7.x86_64 57/82 Verifying : apr-1.4.8-3.el7_4.1.x86_64 58/82 Verifying : 1:java-1.8.0-openjdk-headless-1.8.0.191.b12-1.el7_6.x86_64 59/82 Verifying : audit-libs-python-2.8.4-4.el7.x86_64 60/82 Verifying : perl-DB_File-1.830-6.el7.x86_64 61/82 Verifying : perl-CGI-3.63-4.el7.noarch 62/82 Verifying : python-IPy-0.75-6.el7.noarch 63/82 Verifying : lksctp-tools-1.0.17-2.el7.x86_64 64/82 Verifying : libSM-1.2.2-2.el7.x86_64 65/82 Verifying : audit-libs-2.8.4-4.el7.x86_64 66/82 Verifying : policycoreutils-python-2.5-29.el7.x86_64 67/82 Verifying : gperftools-libs-2.6.1-1.el7.x86_64 68/82 Verifying : libX11-common-1.6.5-2.el7.noarch 69/82 Verifying : 1:xorg-x11-font-utils-7.5-21.el7.x86_64 70/82 Verifying : tzdata-java-2018g-1.el7.noarch 71/82 Verifying : perl-Archive-Tar-1.92-2.el7.noarch 72/82 Verifying : chkconfig-1.7.4-1.el7.x86_64 73/82 Verifying : libcgroup-0.41-20.el7.x86_64 74/82 Verifying : libfontenc-1.1.3-3.el7.x86_64 75/82 Verifying : ldapjdk-4.19-5.el7.noarch 76/82 Verifying : audit-2.8.4-4.el7.x86_64 
77/82 Verifying : openldap-2.4.39-6.el7.x86_64 78/82 Verifying : freetype-2.4.11-9.el7.x86_64 79/82 Verifying : audit-libs-2.4.1-5.el7.x86_64 80/82 Verifying : chkconfig-1.3.61-4.el7.x86_64 81/82 Verifying : audit-2.4.1-5.el7.x86_64 82/82 Installed: 389-admin.x86_64 0:1.1.46-1.el7 389-admin-console.noarch 0:1.1.12-1.el7 389-adminutil.x86_64 0:1.1.21-2.el7 389-console.noarch 0:1.1.18-1.el7 389-ds-base.x86_64 0:1.3.8.4-18.el7_6 389-ds-console.noarch 0:1.2.16-1.el7 idm-console-framework.noarch 0:1.1.17-4.el7 openldap-clients.x86_64 0:2.4.44-20.el7 Dependency Installed: 389-ds-base-libs.x86_64 0:1.3.8.4-18.el7_6 apache-commons-codec.noarch 0:1.8-7.el7 apache-commons-lang.noarch 0:2.6-15.el7 apr.x86_64 0:1.4.8-3.el7_4.1 apr-util.x86_64 0:1.5.2-6.el7 audit-libs-python.x86_64 0:2.8.4-4.el7 checkpolicy.x86_64 0:2.5-8.el7 copy-jdk-configs.noarch 0:3.3-10.el7_5 cyrus-sasl-md5.x86_64 0:2.1.26-23.el7 cyrus-sasl-plain.x86_64 0:2.1.26-23.el7 dejavu-fonts-common.noarch 0:2.33-6.el7 dejavu-sans-fonts.noarch 0:2.33-6.el7 fontconfig.x86_64 0:2.13.0-4.3.el7 fontpackages-filesystem.noarch 0:1.44-8.el7 giflib.x86_64 0:4.1.6-9.el7 gperftools-libs.x86_64 0:2.6.1-1.el7 httpd.x86_64 0:2.4.6-88.el7.centos httpd-tools.x86_64 0:2.4.6-88.el7.centos java-1.8.0-openjdk.x86_64 1:1.8.0.191.b12-1.el7_6 java-1.8.0-openjdk-headless.x86_64 1:1.8.0.191.b12-1.el7_6 javapackages-tools.noarch 0:3.4.1-11.el7 jss.x86_64 0:4.4.4-3.el7 ldapjdk.noarch 0:4.19-5.el7 libICE.x86_64 0:1.0.9-9.el7 libSM.x86_64 0:1.2.2-2.el7 libX11.x86_64 0:1.6.5-2.el7 libX11-common.noarch 0:1.6.5-2.el7 libXau.x86_64 0:1.0.8-2.1.el7 libXcomposite.x86_64 0:0.4.4-4.1.el7 libXext.x86_64 0:1.3.3-3.el7 libXi.x86_64 0:1.7.9-1.el7 libXrender.x86_64 0:0.9.10-1.el7 libXtst.x86_64 0:1.2.3-1.el7 libcgroup.x86_64 0:0.41-20.el7 libevent.x86_64 0:2.0.21-4.el7 libfontenc.x86_64 0:1.1.3-3.el7 libicu.x86_64 0:50.1.2-17.el7 libjpeg-turbo.x86_64 0:1.2.90-6.el7 libpng.x86_64 2:1.5.13-7.el7_2 libsemanage-python.x86_64 0:2.5-14.el7 libxcb.x86_64 
0:1.13-1.el7 libxslt.x86_64 0:1.1.28-5.el7 lksctp-tools.x86_64 0:1.0.17-2.el7 mailcap.noarch 0:2.1.41-2.el7 mod_nss.x86_64 0:1.0.14-12.el7 perl-Archive-Tar.noarch 0:1.92-2.el7 perl-CGI.noarch 0:3.63-4.el7 perl-DB_File.x86_64 0:1.830-6.el7 perl-FCGI.x86_64 1:0.74-8.el7 perl-IO-Zlib.noarch 1:1.10-293.el7 perl-Mozilla-LDAP.x86_64 0:1.5.3-12.el7 perl-NetAddr-IP.x86_64 0:4.069-3.el7 perl-Package-Constants.noarch 1:0.02-293.el7 policycoreutils-python.x86_64 0:2.5-29.el7 python-IPy.noarch 0:0.75-6.el7 python-javapackages.noarch 0:3.4.1-11.el7 python-ldap.x86_64 0:2.4.15-2.el7 python-lxml.x86_64 0:3.2.1-4.el7 setools-libs.x86_64 0:3.3.8-4.el7 svrcore.x86_64 0:4.1.3-2.el7 ttmkfdir.x86_64 0:3.0.9-42.el7 tzdata-java.noarch 0:2018g-1.el7 xorg-x11-font-utils.x86_64 1:7.5-21.el7 xorg-x11-fonts-Type1.noarch 0:7.5-9.el7 Dependency Updated: audit.x86_64 0:2.8.4-4.el7 audit-libs.x86_64 0:2.8.4-4.el7 chkconfig.x86_64 0:1.7.4-1.el7 freetype.x86_64 0:2.8-12.el7 openldap.x86_64 0:2.4.44-20.el7 Complete!
Configure LDAP server
# ulimit -n 8192
# setup-ds-admin.pl
An example run looks like this:
# setup-ds-admin.pl ============================================================================== This program will set up the 389 Directory and Administration Servers. It is recommended that you have "root" privilege to set up the software. Tips for using this program: - Press "Enter" to choose the default and go to the next screen - Type "Control-B" then "Enter" to go back to the previous screen - Type "Control-C" to cancel the setup program Would you like to continue with set up? [yes]: ============================================================================== Your system has been scanned for potential problems, missing patches, etc. The following output is a report of the items found that need to be addressed before running this software in a production environment. 389 Directory Server system tuning analysis version 14-JULY-2016. NOTICE : System is x86_64-unknown-linux3.10.0-957.1.3.el7.x86_64 (1 processor). Would you like to continue? [yes]: ============================================================================== Choose a setup type: 1. Express Allows you to quickly set up the servers using the most common options and pre-defined defaults. Useful for quick evaluation of the products. 2. Typical Allows you to specify common defaults and options. 3. Custom Allows you to specify more advanced options. This is recommended for experienced server administrators only. To accept the default shown in brackets, press the Enter key. Choose a setup type [2]: ============================================================================== Enter the fully qualified domain name of the computer on which you're setting up server software. Using the form <hostname>.<domainname> Example: eros.example.com. To accept the default shown in brackets, press the Enter key. Warning: This step may take a few minutes if your DNS servers can not be reached or if DNS is not configured correctly. 
If you would rather not wait, hit Ctrl-C and run this program again with the following command line option to specify the hostname: General.FullMachineName=your.hostname.domain.name Computer name [centos-auth.home.labrats.us]: ============================================================================== The servers must run as a specific user in a specific group. It is strongly recommended that this user should have no privileges on the computer (i.e. a non-root user). The setup procedure will give this user/group some permissions in specific paths/files to perform server-specific operations. If you have not yet created a user and group for the servers, create this user and group using your native operating system utilities. System User [dirsrv]: System Group [dirsrv]: ============================================================================== Server information is stored in the configuration directory server. This information is used by the console and administration server to configure and manage your servers. If you have already set up a configuration directory server, you should register any servers you set up or create with the configuration server. To do so, the following information about the configuration server is required: the fully qualified host name of the form <hostname>.<domainname>(e.g. hostname.example.com), the port number (default 389), the suffix, the DN and password of a user having permission to write the configuration information, usually the configuration directory administrator, and if you are using security (TLS/SSL). If you are using TLS/SSL, specify the TLS/SSL (LDAPS) port number (default 636) instead of the regular LDAP port number, and provide the CA certificate (in PEM/ASCII format). If you do not yet have a configuration directory server, enter 'No' to be prompted to set up one. Do you want to register this software with an existing configuration directory server? 
[no]: ============================================================================== Please enter the administrator ID for the configuration directory server. This is the ID typically used to log in to the console. You will also be prompted for the password. Configuration directory server administrator ID [admin]: Password: Password (confirm): ============================================================================== The information stored in the configuration directory server can be separated into different Administration Domains. If you are managing multiple software releases at the same time, or managing information about multiple domains, you may use the Administration Domain to keep them separate. If you are not using administrative domains, press Enter to select the default. Otherwise, enter some descriptive, unique name for the administration domain, such as the name of the organization responsible for managing the domain. Administration Domain [home.labrats.us]: home.labrats.us ============================================================================== The standard directory server network port number is 389. However, if you are not logged as the superuser, or port 389 is in use, the default value will be a random unused port number greater than 1024. If you want to use port 389, make sure that you are logged in as the superuser, that port 389 is not in use. Directory server network port [389]: ============================================================================== Each instance of a directory server requires a unique identifier. This identifier is used to name the various instance specific files and directories in the file system, as well as for other uses as a server instance identifier. Directory server identifier [den1-it-tacacs-01]: ============================================================================== The suffix is the root of your directory tree. The suffix must be a valid DN. 
It is recommended that you use the dc=domaincomponent suffix convention. For example, if your domain is example.com, you should use dc=example,dc=com for your suffix. Setup will create this initial suffix for you, but you may have more than one suffix. Use the directory server utilities to create additional suffixes. Suffix [dc=home, dc=labrats, dc=us]: dc=home, dc=labrats, dc=us ============================================================================== Certain directory server operations require an administrative user. This user is referred to as the Directory Manager and typically has a bind Distinguished Name (DN) of cn=Directory Manager. You will also be prompted for the password for this user. The password must be at least 8 characters long, and contain no spaces. Press Control-B or type the word "back", then Enter to back up and start over. Directory Manager DN [cn=Directory Manager]: Password: Password (confirm): ============================================================================== The Administration Server is separate from any of your web or application servers since it listens to a different port and access to it is restricted. Pick a port number between 1024 and 65535 to run your Administration Server on. You should NOT use a port number which you plan to run a web or application server on, rather, select a number which you will remember and which will not be used for anything else. Administration port [9830]: ============================================================================== The interactive phase is complete. The script will now set up your servers. Enter No or go Back if you want to change something. Are you ready to set up your servers? [yes]: Creating directory server . . . Your new DS instance 'den1-it-tacacs-01' was successfully created. Creating the configuration directory server . . . Beginning Admin Server creation . . . Creating Admin Server files and directories . . . Updating adm.conf . . . Updating admpw . . . 
Registering admin server with the configuration directory server . . . Updating adm.conf with information from configuration directory server . . . Updating the configuration for the httpd engine . . . Starting admin server . . . The admin server was successfully started. Admin server was successfully created, configured, and started. Exiting . . . Log file is '/tmp/setupsHaXM4.log'
Obtain SSL Certificate and Key
This may be a publicly signed certificate, but here we use a private CA and a server certificate it signed. Any client that will connect to this directory over LDAPS must trust that CA.
Follow the instructions on the page linked below to set up and deploy a self-signed CA and certificate.
User:Sfiggins/Self Signed CA Instructions
Convert Certificate to P12 Format
Convert your new certificate and key to PKCS#12 (.p12) format with the following command. The -name value becomes the certificate nickname when the bundle is imported into the NSS database later, so choose it deliberately. openssl prompts for the key's passphrase only if you set one when creating the key; the export password protects the new .p12 file, which contains the private key, so use a non-empty one and delete the file once it has been imported.
# openssl pkcs12 -export -inkey private_key.pem -in signed-cert.pem -name my_name \
    -out imported-certificate.p12
Enter Export Password:
Verifying - Enter Export Password:
If you followed the self-signed certificate instructions from above, it would look like this:
# openssl pkcs12 -export -inkey /CA/certs/newserver.pem -in /CA/certs/newserver-cert.pem \
    -name newserver -out /CA/certs/newserver.p12
Enter Export Password:
Verifying - Enter Export Password:
Setup SSL
This process is adapted from the following page:
http://directory.fedoraproject.org/docs/389ds/howto/howto-ssl.html
!!! NOTE: Substitute your own directory instance name (den1-it-tacacs-01 below) in every path and LDIF value !!!
Copy CA Certificate
Copy your CA certificate file to /etc/openldap/certs/cacerts/. You will need to get this from your certificate authority, or from your self-signed certificate authority. Be sure to change the filename to match your CA certificate file! Later steps on this page refer to the CA file under /etc/openldap/cacerts/; whichever directory you use, the path given to certutil and in nslcd.conf must match where you actually copied the file.
# mkdir -p /etc/openldap/certs/cacerts/
# cp private_ca.pem /etc/openldap/certs/cacerts/
Using certutil
We'll use certutil to create and import certificates into the keystore. First list the (still empty) certificate database of the instance:
# certutil -d /etc/dirsrv/slapd-den1-it-tacacs-01/ -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Create the pin.txt file so the server can open its key database without prompting. <password> is the NSS database password (the one pk12util asks you to set below when the database has none yet), and the file must be readable by the user the directory server instance runs as:
# echo "Internal (Software) Token:<password>" > /etc/dirsrv/slapd-den1-it-tacacs-01/pin.txt
# chown nobody.nobody /etc/dirsrv/slapd-den1-it-tacacs-01/pin.txt
# chmod 400 /etc/dirsrv/slapd-den1-it-tacacs-01/pin.txt
Import the CA certificate and the server key/certificate bundle:
# certutil -d /etc/dirsrv/slapd-den1-it-tacacs-01 -A -n "CA Certificate" -t CT,, -a \
    -i /etc/openldap/cacerts/private_ca.pem
# pk12util -i /root/den1-it-tacacs-01.p12 -d /etc/dirsrv/slapd-den1-it-tacacs-01/
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

Enter new password:
Re-enter password:
Enter password for PKCS12 file:
pk12util: PKCS12 IMPORT SUCCESSFUL
# certutil -d /etc/dirsrv/slapd-den1-it-tacacs-01/ -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA Certificate                                               CT,,
den1-it-tacacs-01                                            u,u,u
Turning on SSL
Turning on SSL requires the following configuration. You need to change the hostname in the config! Note that the nsSSL3Ciphers list below is copied from the referenced howto and enables RC4 and export-grade ciphers alongside AES; on current 389-DS releases you can instead set nsSSL3Ciphers to default to use the server's recommended suite.
# cat > /tmp/ssl_enable.ldif << 'EOF'
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: off
-
replace: nsSSLClientAuth
nsSSLClientAuth: allowed
-
add: nsSSL3Ciphers
nsSSL3Ciphers: -rsa_null_md5,-rsa_null_sha,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha,+tls_rsa_aes_128_sha,+tls_rsa_aes_256_sha
-
add: nsKeyfile
nsKeyfile: alias/den1-it-tacacs-01-key3.db
-
add: nsCertfile
nsCertfile: alias/den1-it-tacacs-01-cert8.db

dn: cn=config
changetype: modify
add: nsslapd-security
nsslapd-security: on
-
replace: nsslapd-ssl-check-hostname
nsslapd-ssl-check-hostname: off
EOF
Apply the configuration:
# ldapmodify -cx -D "cn=directory manager" -W -h localhost -f /tmp/ssl_enable.ldif
Create the following config file. You need to change the hostname in the config (nsSSLPersonalitySSL is the certificate nickname shown by certutil -L above)!
# cat > /tmp/addRSA.ldif << 'EOF'
dn: cn=RSA,cn=encryption,cn=config
changetype: add
objectClass: top
objectClass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: den1-it-tacacs-01
nsSSLToken: internal (software)
nsSSLActivation: on
EOF
Apply the configuration:
# ldapmodify -cx -D "cn=directory manager" -W -h localhost -f /tmp/addRSA.ldif
Restart the Directory Server
# systemctl restart dirsrv.target
# systemctl status dirsrv.target
● dirsrv.target - 389 Directory Server
   Loaded: loaded (/usr/lib/systemd/system/dirsrv.target; disabled; vendor preset: disabled)
   Active: active since Thu 2018-12-13 13:33:26 MST; 9s ago

Dec 13 13:33:26 centos-auth.home.labrats.us systemd[1]: Reached target 389 Directory Server.
Validate the server is listening on SSL
# netstat -lntup | grep slap
tcp        0      0 :::389                  :::*                    LISTEN      26518/ns-slapd
tcp        0      0 :::636                  :::*                    LISTEN      26518/ns-slapd
Testing LDAP
Test LDAP with the following command:
# ldapsearch -x -b "dc=home,dc=labrats,dc=us"
Example output
# extended LDIF
#
# LDAPv3
# base <dc=home,dc=labrats,dc=us> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# labrats.us
dn: dc=home,dc=labrats,dc=us
objectClass: top
objectClass: domain
dc: labrats

# Directory Administrators, labrats.us
dn: cn=Directory Administrators,dc=home,dc=labrats,dc=us
objectClass: top
objectClass: groupofuniquenames
cn: Directory Administrators
uniqueMember: cn=Directory Manager

# Groups, labrats.us
dn: ou=Groups,dc=home,dc=labrats,dc=us
objectClass: top
objectClass: organizationalunit
ou: Groups

# People, labrats.us
dn: ou=People,dc=home,dc=labrats,dc=us
objectClass: top
objectClass: organizationalunit
ou: People

# Special Users, labrats.us
dn: ou=Special Users,dc=home,dc=labrats,dc=us
objectClass: top
objectClass: organizationalUnit
ou: Special Users
description: Special Administrative Accounts

# Accounting Managers, Groups, labrats.us
dn: cn=Accounting Managers,ou=Groups,dc=home,dc=labrats,dc=us
objectClass: top
objectClass: groupOfUniqueNames
cn: Accounting Managers
ou: groups
description: People who can manage accounting entries
uniqueMember: cn=Directory Manager

# HR Managers, Groups, labrats.us
dn: cn=HR Managers,ou=Groups,dc=home,dc=labrats,dc=us
objectClass: top
objectClass: groupOfUniqueNames
cn: HR Managers
ou: groups
description: People who can manage HR entries
uniqueMember: cn=Directory Manager

# QA Managers, Groups, labrats.us
dn: cn=QA Managers,ou=Groups,dc=home,dc=labrats,dc=us
objectClass: top
objectClass: groupOfUniqueNames
cn: QA Managers
ou: groups
description: People who can manage QA entries
uniqueMember: cn=Directory Manager

# PD Managers, Groups, labrats.us
dn: cn=PD Managers,ou=Groups,dc=home,dc=labrats,dc=us
objectClass: top
objectClass: groupOfUniqueNames
cn: PD Managers
ou: groups
description: People who can manage engineer entries
uniqueMember: cn=Directory Manager

# search result
search: 2
result: 0 Success

# numResponses: 10
# numEntries: 9
Create Search Role Account
# cat > /tmp/serviceadd.ldif << 'EOF'
dn: cn=LDAP Query,ou=Special Users,dc=home,dc=labrats,dc=us
objectClass: posixGroup
objectClass: top
cn: tuser
userPassword: {crypt}x
gidNumber: 65000
EOF
# ldapadd -cx -D "cn=directory manager" -W -h localhost -f /tmp/serviceadd.ldif
Change user password
Set the service account's password with either of the following. (LDAPTLS_REQCERT=never skips verification of the server certificate for this local test; since the CA certificate is already on this host you can instead point TLS_CACERT in /etc/openldap/ldap.conf at it and drop the variable.)
# LDAPTLS_REQCERT=never ldappasswd -ZZ -S -x -W -D "cn=directory manager" \
    "cn=LDAP Query,ou=Special Users,dc=home,dc=labrats,dc=us"
New password:
Re-enter new password:
Enter LDAP Password:

- or -

# LDAPTLS_REQCERT=never ldappasswd -ZZ -W -D "cn=directory manager" \
    "cn=LDAP Query,ou=Special Users,dc=home,dc=labrats,dc=us"
Enter LDAP Password:
New password: <new password>
Create Test Account
# cat > /tmp/groupadd.ldif << 'EOF'
dn: cn=tuser,ou=Groups,dc=home,dc=labrats,dc=us
objectClass: posixGroup
objectClass: top
cn: tuser
userPassword: {crypt}x
gidNumber: 2014
EOF
# ldapadd -cx -D "cn=directory manager" -W -h localhost -f /tmp/groupadd.ldif
# cat > /tmp/useradd.ldif << 'EOF'
dn: uid=tuser,ou=People,dc=home,dc=labrats,dc=us
uid: tuser
cn: tuser
sn: user
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {crypt}$1$QLoEkVTC$RHrUQKYbqtRi4cfoPtusT.
loginShell: /bin/bash
uidNumber: 2014
gidNumber: 2014
homeDirectory: /home/tuser
EOF
# ldapadd -cx -D "cn=directory manager" -W -h localhost -f /tmp/useradd.ldif
Change user password
# LDAPTLS_REQCERT=never ldappasswd -ZZ -S -x -W -D "cn=directory manager" \
    "uid=tuser,ou=People,dc=home,dc=labrats,dc=us"
New password:
Re-enter new password:
Enter LDAP Password:

- or -

# LDAPTLS_REQCERT=never ldappasswd -ZZ -W -D "cn=directory manager" \
    "uid=tuser,ou=People,dc=home,dc=labrats,dc=us"
Enter LDAP Password:
New password: <new password>
Test binding with new test user
# LDAPTLS_REQCERT=never ldapsearch -ZZ -D "uid=tuser,ou=People,dc=home,dc=labrats,dc=us" \
    -W -x -b "uid=tuser,ou=People,dc=home,dc=labrats,dc=us"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <uid=tuser,ou=People,dc=home,dc=labrats,dc=us> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# tuser, People, home.labrats.us
dn: uid=tuser,ou=People,dc=home,dc=labrats,dc=us
uid: tuser
cn: tuser
sn: user
objectClass: account
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: organizationalPerson
objectClass: person
loginShell: /bin/bash
uidNumber: 2014
gidNumber: 2014
homeDirectory: /home/tuser
shadowLastChange: 17878

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1
Starting and Enabling Directory Server
To enable the Directory Server
# systemctl enable dirsrv.target
Created symlink from /etc/systemd/system/multi-user.target.wants/dirsrv.target to /usr/lib/systemd/system/dirsrv.target.
To enable the Admin Server
# systemctl enable dirsrv-admin
Created symlink from /etc/systemd/system/multi-user.target.wants/dirsrv-admin.service to /usr/lib/systemd/system/dirsrv-admin.service.
To start the Directory Server
# systemctl start dirsrv.target
To start the Admin Server
# systemctl start dirsrv-admin
NSS PAM and NSCD configuration
This section details how to set up PAM for TACACS and RADIUS authentication.
It is not needed unless this is the server you are installing TACACS or RADIUS on.
Install NSS-PAM-LDAP and NSCD.
To pass TACACS authentication to LDAP via PAM, we need some packages. If we are not authenticating the entire system to LDAP, we will use the nss-pam-ldapd and nscd packages, which need to be installed.
# yum install nss-pam-ldapd nscd
Loaded plugins: fastestmirror
base                                                     | 3.6 kB  00:00:00
extras                                                   | 3.4 kB  00:00:00
updates                                                  | 3.4 kB  00:00:00
Loading mirror speeds from cached hostfile
 * base: mirror.cs.uwp.edu
 * epel: d2lzkl7pfhq30w.cloudfront.net
 * extras: mirror.cs.uwp.edu
 * updates: sjc.edge.kernel.org
Resolving Dependencies
--> Running transaction check
---> Package nscd.x86_64 0:2.17-260.el7 will be installed
---> Package nss-pam-ldapd.x86_64 0:0.8.13-16.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

========================================================================================
 Package                Arch          Version                 Repository        Size
========================================================================================
Installing:
 nscd                   x86_64        2.17-260.el7            base             281 k
 nss-pam-ldapd          x86_64        0.8.13-16.el7           base             160 k

Transaction Summary
========================================================================================
Install  2 Packages

Total download size: 441 k
Installed size: 590 k
Is this ok [y/d/N]: y
Downloading packages:
(1/2): nss-pam-ldapd-0.8.13-16.el7.x86_64.rpm                       | 160 kB  00:00:00
(2/2): nscd-2.17-260.el7.x86_64.rpm                                 | 281 kB  00:00:00
----------------------------------------------------------------------------------------
Total                                                      1.1 MB/s | 441 kB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : nscd-2.17-260.el7.x86_64                                            1/2
  Installing : nss-pam-ldapd-0.8.13-16.el7.x86_64                                  2/2
  Verifying  : nss-pam-ldapd-0.8.13-16.el7.x86_64                                  1/2
  Verifying  : nscd-2.17-260.el7.x86_64                                            2/2

Installed:
  nscd.x86_64 0:2.17-260.el7            nss-pam-ldapd.x86_64 0:0.8.13-16.el7

Complete!
Configure NSLCD
NSLCD binds with a service account to search the directory and locate the entry for the user being authenticated, then performs a simple bind as that entry's DN to validate the password.
Be sure to copy your CA certificate file to /etc/openldap/certs/cacerts.
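To make that search-then-bind flow concrete, here is an added shell example (not from the original page) that performs it by hand with ldapsearch and ldapwhoami, using the service account DN and base from this page; it is useful for debugging when nslcd itself says no. It also shows the one thing any code that builds a filter from a login name must do: escape the name per RFC 4515 so the name cannot alter the filter. The LDAP_* environment variable names and the convention of reading passwords from files are my assumptions, not nslcd's.

```shell
#!/bin/sh
# Added example (not part of the original page): nslcd's search-then-bind
# flow done by hand with the OpenLDAP client tools.
set -u

# Escape a value for use inside an LDAP search filter (RFC 4515), so a login
# name such as '*)(uid=*' cannot widen or rewrite the filter.
ldap_filter_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Build the (uid=...) filter nslcd uses for the passwd map.
uid_filter() {
  printf '(uid=%s)\n' "$(ldap_filter_escape "$1")"
}

# Step 1: bind as the service account and locate exactly one entry.
# Step 2: simple-bind as that entry's DN to check the user's password.
# Passwords are read from files (-y) rather than passed as arguments (-w),
# so they do not appear in 'ps' output.
# Usage: ldap_search_then_bind USER USER_PW_FILE
#   Expects LDAP_URI, LDAP_BASE, LDAP_SVC_DN, LDAP_SVC_PW_FILE in the environment,
#   e.g. LDAP_URI=ldaps://centos-auth.home.labrats.us
#        LDAP_BASE=dc=home,dc=labrats,dc=us
#        LDAP_SVC_DN="cn=LDAP Query,ou=Special Users,dc=home,dc=labrats,dc=us"
ldap_search_then_bind() {
  user=$1 user_pw_file=$2
  filter=$(uid_filter "$user")
  dn=$(ldapsearch -LLL -o ldif-wrap=no -x -H "$LDAP_URI" -D "$LDAP_SVC_DN" \
         -y "$LDAP_SVC_PW_FILE" -b "$LDAP_BASE" -s sub "$filter" dn 2>/dev/null \
       | sed -n 's/^dn: //p')
  case $(printf '%s\n' "$dn" | grep -c .) in
    1) ;;                                   # exactly one match: proceed
    0) echo "no entry for '$user'" >&2; return 1 ;;
    *) echo "ambiguous: more than one entry matches $filter" >&2; return 1 ;;
  esac
  if ldapwhoami -x -H "$LDAP_URI" -D "$dn" -y "$user_pw_file" >/dev/null 2>&1; then
    echo "$dn"                              # authenticated: print the bound DN
  else
    echo "bind failed for $dn" >&2; return 1
  fi
}
```

Refusing to continue when more than one entry matches is deliberate: nslcd does the same, and a filter that matches several users usually means the base or the escaping is wrong.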
Configure for 389 Directory Server
Configure /etc/nslcd.conf
# This is the configuration file for the LDAP nameservice
# switch library's nslcd daemon. It configures the mapping
# between NSS names (see /etc/nsswitch.conf) and LDAP
# information in the directory.
# See the manual page nslcd.conf(5) for more information.

# The user and group nslcd should run as.
uid nslcd
gid ldap

# The uri pointing to the LDAP server to use for name lookups.
# Multiple entries may be specified. The address that is used
# here should be resolvable without using LDAP (obviously).
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator
# uri ldap://127.0.0.1/

# The LDAP version to use (defaults to 3
# if supported by client library)
#ldap_version 3

# The distinguished name of the search base.
# base dc=example,dc=com

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=proxyuser,dc=example,dc=com

# The credentials to bind with.
# Optional: default is no credentials.
# Note that if you set a bindpw you should check the permissions of this file.
#bindpw secret

# The distinguished name to perform password modifications by root by.
#rootpwmoddn cn=admin,dc=example,dc=com

# The default search scope.
#scope sub
#scope one
#scope base

# Customize certain database lookups.
#base group ou=Groups,dc=example,dc=com
#base passwd ou=People,dc=example,dc=com
#base shadow ou=People,dc=example,dc=com
#scope group onelevel
#scope hosts sub

# Bind/connect timelimit.
#bind_timelimit 30

# Search timelimit.
#timelimit 30

# Idle timelimit. nslcd will close connections if the
# server has not been contacted for the number of seconds.
#idle_timelimit 3600

# Use StartTLS without verifying the server certificate.
#ssl start_tls
#tls_reqcert never

# CA certificates for server certificate verification
#tls_cacertdir /etc/ssl/certs
#tls_cacertfile /etc/ssl/ca.cert

# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool

# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1

# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key

# Mappings for Services for UNIX 3.5
#filter passwd (objectClass=User)
#map passwd uid msSFU30Name
#map passwd userPassword msSFU30Password
#map passwd homeDirectory msSFU30HomeDirectory
#map passwd homeDirectory msSFUHomeDirectory
#filter shadow (objectClass=User)
#map shadow uid msSFU30Name
#map shadow userPassword msSFU30Password
#filter group (objectClass=Group)
#map group member msSFU30PosixMember

# Mappings for Services for UNIX 2.0
#filter passwd (objectClass=User)
#map passwd uid msSFUName
#map passwd userPassword msSFUPassword
#map passwd homeDirectory msSFUHomeDirectory
#map passwd gecos msSFUName
#filter shadow (objectClass=User)
#map shadow uid msSFUName
#map shadow userPassword msSFUPassword
#map shadow shadowLastChange pwdLastSet
#filter group (objectClass=Group)
#map group member posixMember

# Mappings for Active Directory
#pagesize 1000
#referrals off
#idle_timelimit 800
#filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
#map passwd uid sAMAccountName
#map passwd homeDirectory unixHomeDirectory
#map passwd gecos displayName
#filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
#map shadow uid sAMAccountName
#map shadow shadowLastChange pwdLastSet
#filter group (objectClass=group)

# Alternative mappings for Active Directory
# (replace the SIDs in the objectSid mappings with the value for your domain)
#pagesize 1000
#referrals off
#idle_timelimit 800
#filter passwd (&(objectClass=user)(objectClass=person)(!(objectClass=computer)))
#map passwd uid cn
#map passwd uidNumber objectSid:S-1-5-21-3623811015-3361044348-30300820
#map passwd gidNumber objectSid:S-1-5-21-3623811015-3361044348-30300820
#map passwd homeDirectory "/home/$cn"
#map passwd gecos displayName
#map passwd loginShell "/bin/bash"
#filter group (|(objectClass=group)(objectClass=person))
#map group gidNumber objectSid:S-1-5-21-3623811015-3361044348-30300820

# Mappings for AIX SecureWay
#filter passwd (objectClass=aixAccount)
#map passwd uid userName
#map passwd userPassword passwordChar
#map passwd uidNumber uid
#map passwd gidNumber gid
#filter group (objectClass=aixAccessGroup)
#map group cn groupName
#map group gidNumber gid

# This comment prevents repeated auto-migration of settings.
#
uri ldaps://centos-auth.home.labrats.us
base dc=home,dc=labrats,dc=us
binddn cn=LDAP Query,ou=Special Users,dc=home,dc=labrats,dc=us
bindpw <bindpasswd>
ssl on
tls_cacert /etc/openldap/cacerts/labrats_ca.pem
tls_cacertdir /etc/openldap/cacerts
#tls_checkpeer yes
tls_reqcert demand
timelimit 3
bind_timelimit 3
Configure for Microsoft Active Directory Server
If you want the TACACS+ server to authenticate against Active Directory instead of 389-DS, you merely need to configure nslcd with the correct mapping. Many Active Directory Domain Controllers have self-signed certificates, so you can tell nslcd to ignore the certificate (tls_reqcert never). Bear in mind that without certificate verification the service account's bind password goes to whichever host answers on that name, so if you have signed certificates you should use the correct CA certificate and tls_reqcert demand.
Configure /etc/nslcd.conf
# This is the configuration file for the LDAP nameservice
# switch library's nslcd daemon. It configures the mapping
# between NSS names (see /etc/nsswitch.conf) and LDAP
# information in the directory.
# See the manual page nslcd.conf(5) for more information.

# The user and group nslcd should run as.
uid nslcd
gid ldap

# The uri pointing to the LDAP server to use for name lookups.
# Multiple entries may be specified. The address that is used
# here should be resolvable without using LDAP (obviously).
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator
# uri ldap://127.0.0.1/

# The LDAP version to use (defaults to 3
# if supported by client library)
#ldap_version 3

# The distinguished name of the search base.
# base dc=example,dc=com

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=proxyuser,dc=example,dc=com

# The credentials to bind with.
# Optional: default is no credentials.
# Note that if you set a bindpw you should check the permissions of this file.
#bindpw secret

# The distinguished name to perform password modifications by root by.
#rootpwmoddn cn=admin,dc=example,dc=com

# The default search scope.
#scope sub
#scope one
#scope base

# Customize certain database lookups.
#base group ou=Groups,dc=example,dc=com
#base passwd ou=People,dc=example,dc=com
#base shadow ou=People,dc=example,dc=com
#scope group onelevel
#scope hosts sub

# Bind/connect timelimit.
#bind_timelimit 30

# Search timelimit.
#timelimit 30

# Idle timelimit. nslcd will close connections if the
# server has not been contacted for the number of seconds.
#idle_timelimit 3600

# Use StartTLS without verifying the server certificate.
#ssl start_tls
#tls_reqcert never

# CA certificates for server certificate verification
#tls_cacertdir /etc/ssl/certs
#tls_cacertfile /etc/ssl/ca.cert

# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool

# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1

# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key

# Mappings for Services for UNIX 3.5
#filter passwd (objectClass=User)
#map passwd uid msSFU30Name
#map passwd userPassword msSFU30Password
#map passwd homeDirectory msSFU30HomeDirectory
#map passwd homeDirectory msSFUHomeDirectory
#filter shadow (objectClass=User)
#map shadow uid msSFU30Name
#map shadow userPassword msSFU30Password
#filter group (objectClass=Group)
#map group member msSFU30PosixMember

# Mappings for Services for UNIX 2.0
#filter passwd (objectClass=User)
#map passwd uid msSFUName
#map passwd userPassword msSFUPassword
#map passwd homeDirectory msSFUHomeDirectory
#map passwd gecos msSFUName
#filter shadow (objectClass=User)
#map shadow uid msSFUName
#map shadow userPassword msSFUPassword
#map shadow shadowLastChange pwdLastSet
#filter group (objectClass=Group)
#map group member posixMember

# Mappings for Active Directory
#pagesize 1000
#referrals off
#idle_timelimit 800
#filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
#map passwd uid sAMAccountName
#map passwd homeDirectory unixHomeDirectory
#map passwd gecos displayName
#filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
#map shadow uid sAMAccountName
#map shadow shadowLastChange pwdLastSet
#filter group (objectClass=group)

# Alternative mappings for Active Directory
# (replace the SIDs in the objectSid mappings with the value for your domain)
#pagesize 1000
#referrals off
#idle_timelimit 800
#filter passwd (&(objectClass=user)(objectClass=person)(!(objectClass=computer)))
#map passwd uid cn
#map passwd uidNumber objectSid:S-1-5-21-3623811015-3361044348-30300820
#map passwd gidNumber objectSid:S-1-5-21-3623811015-3361044348-30300820
#map passwd homeDirectory "/home/$cn"
#map passwd gecos displayName
#map passwd loginShell "/bin/bash"
#filter group (|(objectClass=group)(objectClass=person))
#map group gidNumber objectSid:S-1-5-21-3623811015-3361044348-30300820

# Mappings for AIX SecureWay
#filter passwd (objectClass=aixAccount)
#map passwd uid userName
#map passwd userPassword passwordChar
#map passwd uidNumber uid
#map passwd gidNumber gid
#filter group (objectClass=aixAccessGroup)
#map group cn groupName
#map group gidNumber gid

# This comment prevents repeated auto-migration of settings.
#
filter passwd (&(objectClass=user)(objectClass=person)(!(objectClass=computer)))
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map passwd gecos displayName
#
uri ldaps://dc1.home.labrats.us ldaps://dc2.home.labrats.us
base ou=People,dc=home,dc=labrats,dc=us
binddn CN=LDAP Query,OU=Service Accounts,DC=home,DC=labrats,DC=us
bindpw <bind password>
ssl on
tls_cacert /etc/openldap/cacerts/labrats_ca.pem
tls_cacertdir /etc/openldap/cacerts
#tls_checkpeer yes
tls_reqcert never
timelimit 3
bind_timelimit 3
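Before starting nslcd with either of the two configurations above (389-DS or Active Directory), it is worth checking the file mechanically. The following is an added example, not part of the original page: it reads an nslcd.conf, enforces the permission rule the default file's own comment gives for bindpw, and flags a cleartext uri without start_tls or a tls_reqcert other than demand/hard (the Active Directory configuration above uses never). The two sample files written by write_samples are constructed for the demo and modelled on the settings on this page; the function names are mine.

```shell
#!/bin/sh
# Added example (not part of the original page): lint an nslcd.conf before
# starting nslcd. Sample configs below are constructed for the demo.
set -u

# Print the effective value of DIRECTIVE (last uncommented occurrence), or nothing.
conf_get() {  # conf_get FILE DIRECTIVE
  sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}//p" "$1" | tail -n 1
}

# audit_nslcd_conf FILE: one finding per line on stdout; exit 0 only if clean.
audit_nslcd_conf() {
  f=$1 rc=0
  # 1. A stored bind password must not be readable by other users.
  if [ -n "$(conf_get "$f" bindpw)" ]; then
    mode=$(stat -c %a "$f")
    case $mode in
      600|400) ;;
      *) echo "bindpw is set but $f has mode $mode (want 600)"; rc=1 ;;
    esac
  fi
  # 2. The bind password must travel inside TLS: ldaps:// or StartTLS.
  uris=$(conf_get "$f" uri)
  [ -n "$uris" ] || { echo "no uri configured"; rc=1; }
  for u in $uris; do
    case $u in
      ldaps://*) ;;
      *) [ "$(conf_get "$f" ssl)" = start_tls ] \
           || { echo "uri '$u' is cleartext and ssl is not start_tls"; rc=1; } ;;
    esac
  done
  # 3. Without certificate verification, TLS only hides the password from
  #    passive observers; whoever answers on the server's name receives it.
  reqcert=$(conf_get "$f" tls_reqcert)
  case $reqcert in
    demand|hard) ;;
    *) echo "tls_reqcert is '$reqcert' (want demand or hard)"; rc=1 ;;
  esac
  return $rc
}

# Constructed samples: good.conf mirrors the 389-DS settings on this page,
# bad.conf a cleartext, unverified variant of the Active Directory settings.
write_samples() {  # write_samples DIR
  cat > "$1/good.conf" <<'EOF'
uid nslcd
gid ldap
uri ldaps://centos-auth.home.labrats.us
base dc=home,dc=labrats,dc=us
binddn cn=LDAP Query,ou=Special Users,dc=home,dc=labrats,dc=us
bindpw example-constructed-secret
ssl on
tls_cacertfile /etc/openldap/cacerts/labrats_ca.pem
tls_reqcert demand
EOF
  cat > "$1/bad.conf" <<'EOF'
uid nslcd
gid ldap
uri ldap://dc1.home.labrats.us
base ou=People,dc=home,dc=labrats,dc=us
binddn CN=LDAP Query,OU=Service Accounts,DC=home,DC=labrats,DC=us
bindpw example-constructed-secret
#tls_reqcert demand
tls_reqcert never
EOF
  chmod 600 "$1/good.conf"
  chmod 644 "$1/bad.conf"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for c in good bad; do
  echo "== $c.conf"
  audit_nslcd_conf "$demo_dir/$c.conf" && echo "no findings"
done
rm -rf "$demo_dir"
```

Run it as `audit_nslcd_conf /etc/nslcd.conf` after writing the file; it reports three findings for the constructed bad.conf (mode, cleartext uri, tls_reqcert) and none for good.conf.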
Enable NSLCD
Note that nscd is only the lookup cache; the nslcd daemon that actually talks to LDAP runs as its own systemd unit (nslcd) and must be enabled and started as well.
# systemctl enable nscd
Created symlink from /etc/systemd/system/multi-user.target.wants/nscd.service to /usr/lib/systemd/system/nscd.service.
Created symlink from /etc/systemd/system/sockets.target.wants/nscd.socket to /usr/lib/systemd/system/nscd.socket.
Start NSLCD
# systemctl start nscd
Installing TACACS
Download TACACS_PLUS
Download the TACACS package and source package
# wget https://github.com/abn/tac_plus-rpm/releases/download/vF4.0.4.28-2/tac_plus-F4.0.4.28-2.el7.centos.x86_64.rpm
# wget https://github.com/abn/tac_plus-rpm/releases/download/vF4.0.4.28-2/tac_plus-F4.0.4.28-2.el7.centos.src.rpm
Install TAC_PLUS
# yum install tac_plus-F4.0.4.28-2.el7.centos.x86_64.rpm
Loaded plugins: fastestmirror
Examining tac_plus-F4.0.4.28-2.el7.centos.x86_64.rpm: tac_plus-F4.0.4.28-2.el7.centos.x86_64
Marking tac_plus-F4.0.4.28-2.el7.centos.x86_64.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package tac_plus.x86_64 0:F4.0.4.28-2.el7.centos will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================================
 Package     Arch      Version                    Repository                               Size
================================================================================================
Installing:
 tac_plus    x86_64    F4.0.4.28-2.el7.centos     /tac_plus-F4.0.4.28-2.el7.centos.x86_64  1.0 M

Transaction Summary
================================================================================================
Install  1 Package

Total size: 1.0 M
Installed size: 1.0 M
Is this ok [y/d/N]: y
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : tac_plus-F4.0.4.28-2.el7.centos.x86_64                                       1/1
  Verifying  : tac_plus-F4.0.4.28-2.el7.centos.x86_64                                       1/1

Installed:
  tac_plus.x86_64 0:F4.0.4.28-2.el7.centos

Complete!
Reconfiguring for PAM
PAM support is enabled on a per-user basis by adding "login = PAM" for each "user = " definition.
Configure PAM service for TACACS
Add one of the following to the /etc/pam.d/tac_plus file:
If system login is also going to ldap
# cat > /etc/pam.d/tac_plus << 'EOF'
auth       include      password-auth
# account  required     pam_access.so accessfile=/etc/security/access.cron.conf
# account  include      password-auth
account    required     pam_unix.so broken_shadow
account    required     pam_access.so accessfile=/etc/security/access.cron.conf
account    sufficient   pam_localuser.so
account    sufficient   pam_succeed_if.so uid < 500 quiet
account    [default=bad success=ok user_unknown=ignore] pam_sss.so
account    required     pam_permit.so
EOF
If TACACS is going directly to LDAP
# cat > /etc/pam.d/tac_plus << 'EOF'
#%PAM-1.0
auth       sufficient   /usr/lib64/security/pam_unix.so likeauth nullok
auth       sufficient   /usr/lib64/security/pam_ldap.so use_first_pass
auth       required     /usr/lib64/security/pam_deny.so
account    [default=bad success=ok user_unknown=ignore] /usr/lib64/security/pam_ldap.so
account    required     /usr/lib64/security/pam_permit.so
EOF
Firewall Configuration
Allow the TACACS+ port (49/tcp) through the firewall (firewalld):
# firewall-cmd --permanent --add-port=49/tcp
Restart firewall
# firewall-cmd --reload
Enabling and Starting TACACS
To enable the TACACS daemon
# systemctl enable tac_plus
Created symlink from /etc/systemd/system/multi-user.target.wants/tac_plus.service to /usr/lib/systemd/system/tac_plus.service.
To start the TACACS daemon
# systemctl start tac_plus
Testing TACACS
Install Authen::TacacsPlus Perl Module
Install via CPAN:
# cpan
Loading internal null logger. Install Log::Log4perl for logging messages
Terminal does not support AddHistory.

cpan shell -- CPAN exploration and modules installation (v2.10)
Enter 'h' for help.

cpan[1]> install Authen::TacacsPlus
Create TACACS test script
Create this test file:
# cat > /root/tacacs-test.pl << 'EOF'
#!/usr/bin/perl
use strict;
use warnings;
use Authen::TacacsPlus;

my $username = "tuser";
my $password = "JbUWP3TbwdHwNou";

# Key must match the key configured for this client in tac_plus.conf
my $tac = Authen::TacacsPlus->new(Host => 'localhost', Key => '<tacacs key>');
unless ($tac) {
    print "Error: ", Authen::TacacsPlus::errmsg(), "\n";
    exit(1);
}

if ($tac->authen($username, $password)) {
    print "Granted\n";
} else {
    print "Denied: ", Authen::TacacsPlus::errmsg(), "\n";
}
$tac->close();
EOF
# chmod +x /root/tacacs-test.pl
Testing TACACS
The following should test cleanly:
# /root/tacacs-test.pl Granted
If it fails, it will look like this:
# /root/tacacs-test.pl Denied: Authentication failed
Installing RADIUS
Install RADIUS from yum
# yum install freeradius freeradius-ldap freeradius-utils
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirror.team-cymru.com
 * epel: d2lzkl7pfhq30w.cloudfront.net
 * extras: mirror.team-cymru.com
 * updates: mirror.dal10.us.leaseweb.net
Resolving Dependencies
--> Running transaction check
---> Package freeradius.x86_64 0:3.0.13-9.el7_5 will be installed
---> Package freeradius-ldap.x86_64 0:3.0.13-9.el7_5 will be installed
---> Package freeradius-utils.x86_64 0:3.0.13-9.el7_5 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package               Arch        Version               Repository       Size
================================================================================
Installing:
 freeradius            x86_64      3.0.13-9.el7_5        base            1.1 M
 freeradius-ldap       x86_64      3.0.13-9.el7_5        base            109 k
 freeradius-utils      x86_64      3.0.13-9.el7_5        base            221 k

Transaction Summary
================================================================================
Install  3 Packages

Total download size: 1.4 M
Installed size: 4.0 M
Is this ok [y/d/N]: y
Downloading packages:
(1/3): freeradius-ldap-3.0.13-9.el7_5.x86_64.rpm           | 109 kB   00:00
(2/3): freeradius-utils-3.0.13-9.el7_5.x86_64.rpm          | 221 kB   00:00
(3/3): freeradius-3.0.13-9.el7_5.x86_64.rpm                | 1.1 MB   00:00
--------------------------------------------------------------------------------
Total                                              2.4 MB/s | 1.4 MB  00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : freeradius-3.0.13-9.el7_5.x86_64                             1/3
  Installing : freeradius-ldap-3.0.13-9.el7_5.x86_64                        2/3
  Installing : freeradius-utils-3.0.13-9.el7_5.x86_64                       3/3
  Verifying  : freeradius-ldap-3.0.13-9.el7_5.x86_64                        1/3
  Verifying  : freeradius-3.0.13-9.el7_5.x86_64                             2/3
  Verifying  : freeradius-utils-3.0.13-9.el7_5.x86_64                       3/3

Installed:
  freeradius.x86_64 0:3.0.13-9.el7_5        freeradius-ldap.x86_64 0:3.0.13-9.el7_5
  freeradius-utils.x86_64 0:3.0.13-9.el7_5

Complete!
Reconfiguring for LDAP
LDAP configuration consists of multiple files and configuration changes.
First we enable the ldap module:
# ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled
Edit /etc/raddb/sites-available/default. Add the following code to the authorize stanza, in the LDAP section:
        #  The ldap module reads passwords from the LDAP database.
        # -ldap
        ldap
        if ((ok || updated) && User-Password) {
                update {
                        control:Auth-Type := ldap
                }
        }
Also in /etc/raddb/sites-available/default, uncomment the following in the authenticate stanza:
        Auth-Type LDAP {
                ldap
        }
Configure for 389 Directory Server
Configure the following options in /etc/raddb/mods-available/ldap. Leave all other attributes alone.
server = "centos-auth.home.labrats.us"
port = 389
identity = "cn=LDAP Query,ou=Special Users,dc=home,dc=labrats,dc=us"
password = mypass
base_dn = 'dc=home,dc=labrats,dc=us'
user {
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
}
group {
        filter = '(objectClass=posixGroup)'
        name_attribute = cn
        membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
}
For SSL, use the following. (require_cert = 'never' turns off verification of the directory server's certificate; since the CA certificate is already on this host, 'demand' with ca_file pointing at it is the safer choice.)
server = "ldaps://centos-auth.home.labrats.us:636"
# port = 389
identity = "cn=LDAP Query,ou=Special Users,dc=home,dc=labrats,dc=us"
password = mypass
base_dn = 'dc=home,dc=labrats,dc=us'
user {
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
}
group {
        filter = '(objectClass=posixGroup)'
        name_attribute = cn
        membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
}
tls {
        require_cert = 'never'
}
Configure for Microsoft Active Directory Server
Configure the following options in /etc/raddb/mods-available/ldap. Leave all other attributes alone.
server = 'dc1.home.labrats.us dc2.home.labrats.us'
port = 389
identity = 'cn=admin,dc=example,dc=org'
password = mypass
base_dn = 'dc=example,dc=org'
user {
        filter = "(SAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
}
group {
        filter = '(objectClass=group)'
        name_attribute = cn
        membership_filter = "(&(objectClass=group)(member=%{control:Ldap-UserDn}))"
}
For SSL use:
server = 'ldaps://dc1.home.labrats.us:636 ldaps://dc2.home.labrats.us:636'
# port = 389
identity = 'cn=admin,dc=example,dc=org'
password = mypass
base_dn = 'dc=example,dc=org'
user {
        filter = "(SAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
}
group {
        filter = '(objectClass=group)'
        name_attribute = cn
        membership_filter = "(&(objectClass=group)(member=%{control:Ldap-UserDn}))"
}
tls {
        require_cert = 'never'
}
Reconfiguring for PAM Authentication
PAM configuration consists of multiple files and configuration changes.
First we enable the PAM module.
# ln -s /etc/raddb/mods-available/pam /etc/raddb/mods-enabled
Edit /etc/raddb/sites-available/default. Add the following code to the end of the authorize stanza.
NOTE: THIS SUPPLEMENTS WHAT WAS DONE FOR LDAP ABOVE.
        if (&User-Password) {
                update control {
                        Auth-Type := PAM
                }
        }
Also in /etc/raddb/sites-available/default, uncomment the following in the authenticate stanza:
        #  Pluggable Authentication Modules.
        pam
Configure PAM service for RADIUS
Add one of the following to the /etc/pam.d/radiusd file:
If system login is also going to ldap
# cat > /etc/pam.d/radiusd << 'EOF'
auth       include      password-auth
# account  required     pam_access.so accessfile=/etc/security/access.cron.conf
# account  include      password-auth
account    required     pam_unix.so broken_shadow
account    required     pam_access.so accessfile=/etc/security/access.cron.conf
account    sufficient   pam_localuser.so
account    sufficient   pam_succeed_if.so uid < 500 quiet
account    [default=bad success=ok user_unknown=ignore] pam_sss.so
account    required     pam_permit.so
EOF
If RADIUS is going directly to LDAP
# cat > /etc/pam.d/radiusd << 'EOF'
#%PAM-1.0
auth       sufficient   /usr/lib64/security/pam_unix.so likeauth nullok
auth       sufficient   /usr/lib64/security/pam_ldap.so use_first_pass
auth       required     /usr/lib64/security/pam_deny.so
account    [default=bad success=ok user_unknown=ignore] /usr/lib64/security/pam_ldap.so
account    required     /usr/lib64/security/pam_permit.so
EOF
Firewall Configuration
Open the RADIUS authentication port in the firewall (firewalld):
# firewall-cmd --permanent --add-port=1812/udp
Restart firewall
# firewall-cmd --reload
Testing RADIUS
Starting RADIUS in debug mode
You will want to start the RADIUS service in debug mode to determine whether it starts cleanly; this is also helpful for testing.
# radiusd -d /etc/raddb -X
This will display a lot of messages, but if successful it will end with the following.
Ready to process requests
Create RADIUS test file
Create this test file:
echo "User-Name=tuser2,User-Password=somepass" > /root/rad-test
Testing RADIUS
If you are running the service in debug mode, in another window, run the following command.
# cat /root/rad-test | radclient 127.0.0.1:1812 auth testing123
The following should test cleanly:
# cat /root/rad-test | radclient 127.0.0.1:1812 auth testing123
Sent Access-Request Id 162 from 0.0.0.0:44269 to 127.0.0.1:1812 length 44
Received Access-Accept Id 162 from 127.0.0.1:1812 to 0.0.0.0:0 length 20
If it fails, it will look something like this:
# cat /root/rad-test | radclient 127.0.0.1:1812 auth testing123
Sent Access-Request Id 193 from 0.0.0.0:41662 to 127.0.0.1:1812 length 44
Received Access-Reject Id 193 from 127.0.0.1:1812 to 0.0.0.0:0 length 20
(0) -: Expected Access-Accept got Access-Reject
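What radclient does on the wire in the test above, as an added example that is not part of the original page or of FreeRADIUS: it builds the Access-Request for the User-Name and User-Password in /root/rad-test, hides the password with the shared secret as RFC 2865 section 5.2 requires, and checks the Response Authenticator before believing an Access-Accept. The server side (fake_server) and the user database are constructed stand-ins so the exchange runs offline; the secret testing123 and the tuser2/somepass credentials are the ones the page uses.

```python
# Added example: minimal RFC 2865 PAP exchange. Not radclient/radiusd code;
# fake_server and the user database are constructed for this demonstration.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)

def _blocks(data):
    return [data[i:i + 16] for i in range(0, len(data), 16)]

def encrypt_password(password, secret, request_auth):
    """PAP User-Password hiding (RFC 2865 section 5.2): NUL-pad to a multiple
    of 16 bytes (at least one block), then XOR block i with
    MD5(secret + c[i-1]), c[-1] being the Request Authenticator.
    It is obfuscation keyed by the shared secret, not strong encryption."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for block in _blocks(padded):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(block, key))
        out += prev
    return out

def decrypt_password(hidden, secret, request_auth):
    """Inverse of encrypt_password: block i's key needs only the secret and
    ciphertext block i-1, so the server can recover the cleartext."""
    out, prev = b"", request_auth
    for block in _blocks(hidden):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")

def attribute(code, value):
    # Type-Length-Value; Length counts the two header bytes.
    return struct.pack("!BB", code, len(value) + 2) + value

def parse_attributes(packet):
    attrs, pos = {}, HEADER_LEN
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute")
        code, length = packet[pos], packet[pos + 1]
        attrs[code] = packet[pos + 2:pos + length]
        pos += length
    return attrs

def build_access_request(user, password, secret, identifier, request_auth=None):
    """The packet radclient sends for 'User-Name=...,User-Password=...'."""
    request_auth = request_auth or os.urandom(16)  # fresh nonce per request
    attrs = attribute(ATTR_USER_NAME, user.encode()) + attribute(
        ATTR_USER_PASSWORD, encrypt_password(password.encode(), secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    return header + request_auth + attrs

def build_response(code, request, secret, attrs=b""):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, request[1], HEADER_LEN + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def verify_response(response, request, secret):
    """What the client must check before trusting 'Access-Accept': matching
    identifier, consistent length, and a Response Authenticator valid under
    the shared secret; otherwise a forged reply would be accepted."""
    if len(response) < HEADER_LEN or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def fake_server(request, secret, user_db):
    """Constructed stand-in for radiusd (not FreeRADIUS code): recovers the
    User-Password and compares it in constant time."""
    attrs = parse_attributes(request)
    supplied = decrypt_password(attrs[ATTR_USER_PASSWORD], secret, request[4:20])
    expected = user_db.get(attrs[ATTR_USER_NAME].decode())
    ok = expected is not None and hmac.compare_digest(supplied, expected.encode())
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, secret)

def run_exchange(user, password, secret=b"testing123"):
    """Mirrors 'cat /root/rad-test | radclient 127.0.0.1:1812 auth testing123'
    against a constructed user database; returns the reply type name."""
    request = build_access_request(user, password, secret, identifier=162)
    reply = fake_server(request, secret, {"tuser2": "somepass"})
    if not verify_response(reply, request, secret):
        return "Bad-Authenticator"
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}[reply[0]]

if __name__ == "__main__":
    print(run_exchange("tuser2", "somepass"))  # Access-Accept
    print(run_exchange("tuser2", "wrong"))     # Access-Reject
```

The point of verify_response is the "Expected Access-Accept got Access-Reject" line in the failure output: radclient only reports the reply type after the Response Authenticator checks out under the secret, so a reply with the code flipped from Reject to Accept is discarded rather than reported as success.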
Enabling and Starting RADIUS
To enable the RADIUS daemon
# systemctl enable radiusd
Created symlink from /etc/systemd/system/multi-user.target.wants/radiusd.service to /usr/lib/systemd/system/radiusd.service.
To start the RADIUS daemon
# systemctl start radiusd
Advanced RADIUS Configuration
TLS Configuration
In /etc/raddb/mods-available/ldap, make the following configuration changes to enable TLS.
tls {
    start_tls = yes
    require_cert = 'allow'
}
Alternatively, you can use SSL (LDAPS) instead of TLS.
server = "ldaps://dc1.home.labrats.us:636 ldaps://dc2.home.labrats.us:636"
# port = 389
tls {
    start_tls = no
    require_cert = 'never'
}
LDAP Group Membership
You can configure group matches in the /etc/raddb/mods-config/files/authorize file. Membership in these groups will cause RADIUS to assign the reply items.
DEFAULT Ldap-Group == "radius-deviceaccess-admin"
        Reply-Message = "Hello %{User-Name} (admin)",
        Cisco-AVPair = "shell:priv-lvl=15",
        Fall-Through = No,
        Framed-Filter-Id = ":group_name=admin"

DEFAULT Ldap-Group == "radius-deviceaccess-readonly"
        Reply-Message = "Hello %{User-Name} (readonly)",
        Cisco-AVPair = "shell:priv-lvl=1",
        Fall-Through = No,
        Framed-Filter-Id = ":group_name=users"
LDAP Profiles
Extending the 389ds schema to include RADIUS attributes
Add the following to the /etc/dirsrv/<instance>/schema/98radius.ldif file and restart the directory server.
# This is a LDAPv3 schema for RADIUS attributes.
#
# $Id: 98radius.ldif,v 1.1 2012/12/03 23:16:20 sfiggins Exp $
#
# Tested on OpenLDAP 2.0.7
# Posted by Javier Fernandez-Sanguino Pena <jfernandez@sgi.es>
# LDAP v3 version by Jochen Friedrich <jochen@scram.de>
# Updates by Adrian Pavlykevych <pam@polynet.lviv.ua>
#
# Ported to Red Hat DS by Sean W. Figgins, Manager, Security, tw telecom on 2008-11-25
#
#############
#
dn: cn=schema
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.1 NAME 'radiusArapFeatures' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.2 NAME 'radiusArapSecurity' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.3 NAME 'radiusArapZoneAccess' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.44 NAME 'radiusAuthType' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.4 NAME 'radiusCallbackId' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.5 NAME 'radiusCallbackNumber' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.6 NAME 'radiusCalledStationId' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.7 NAME 'radiusCallingStationId' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.8 NAME 'radiusClass' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.45 NAME 'radiusClientIPAddress' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.9 NAME 'radiusFilterId' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.10 NAME 'radiusFramedAppleTalkLink' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.11 NAME 'radiusFramedAppleTalkNetwork' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.12 NAME 'radiusFramedAppleTalkZone' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.13 NAME 'radiusFramedCompression' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.14 NAME 'radiusFramedIPAddress' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.15 NAME 'radiusFramedIPNetmask' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.16 NAME 'radiusFramedIPXNetwork' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.17 NAME 'radiusFramedMTU' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.18 NAME 'radiusFramedProtocol' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.19 NAME 'radiusFramedRoute' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.20 NAME 'radiusFramedRouting' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.46 NAME 'radiusGroupName' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.47 NAME 'radiusHint' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.48 NAME 'radiusHuntgroupName' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.21 NAME 'radiusIdleTimeout' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.22 NAME 'radiusLoginIPHost' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.23 NAME 'radiusLoginLATGroup' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.24 NAME 'radiusLoginLATNode' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.25 NAME 'radiusLoginLATPort' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.26 NAME 'radiusLoginLATService' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.27 NAME 'radiusLoginService' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.28 NAME 'radiusLoginTCPPort' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.29 NAME 'radiusPasswordRetry' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.30 NAME 'radiusPortLimit' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.49 NAME 'radiusProfileDn' DESC '' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.31 NAME 'radiusPrompt' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.50 NAME 'radiusProxyToRealm' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.51 NAME 'radiusReplicateToRealm' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.52 NAME 'radiusRealm' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.32 NAME 'radiusServiceType' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.33 NAME 'radiusSessionTimeout' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.34 NAME 'radiusTerminationAction' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.35 NAME 'radiusTunnelAssignmentId' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.36 NAME 'radiusTunnelMediumType' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.37 NAME 'radiusTunnelPassword' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.38 NAME 'radiusTunnelPreference' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.39 NAME 'radiusTunnelPrivateGroupId' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.40 NAME 'radiusTunnelServerEndpoint' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.41 NAME 'radiusTunnelType' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.42 NAME 'radiusVSA' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.43 NAME 'radiusTunnelClientEndpoint' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.53 NAME 'radiusSimultaneousUse' DESC '' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.54 NAME 'radiusLoginTime' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.55 NAME 'radiusUserCategory' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.56 NAME 'radiusStripUserName' DESC '' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.57 NAME 'dialupAccess' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.58 NAME 'radiusExpiration' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.59 NAME 'radiusCheckItem' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.60 NAME 'radiusReplyItem' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
objectClasses: ( 1.3.6.1.4.1.3317.4.3.2.1 NAME 'radiusprofile' SUP top AUXILIARY DESC '' MUST cn
  MAY ( radiusArapFeatures $ radiusArapSecurity $ radiusArapZoneAccess $ radiusAuthType $
  radiusCallbackId $ radiusCallbackNumber $ radiusCalledStationId $ radiusCallingStationId $
  radiusClass $ radiusClientIPAddress $ radiusFilterId $ radiusFramedAppleTalkLink $
  radiusFramedAppleTalkNetwork $ radiusFramedAppleTalkZone $ radiusFramedCompression $
  radiusFramedIPAddress $ radiusFramedIPNetmask $ radiusFramedIPXNetwork $ radiusFramedMTU $
  radiusFramedProtocol $ radiusCheckItem $ radiusReplyItem $ radiusFramedRoute $
  radiusFramedRouting $ radiusIdleTimeout $ radiusGroupName $ radiusHint $
  radiusHuntgroupName $ radiusLoginIPHost $ radiusLoginLATGroup $ radiusLoginLATNode $
  radiusLoginLATPort $ radiusLoginLATService $ radiusLoginService $ radiusLoginTCPPort $
  radiusLoginTime $ radiusPasswordRetry $ radiusPortLimit $ radiusPrompt $
  radiusProxyToRealm $ radiusRealm $ radiusReplicateToRealm $ radiusServiceType $
  radiusSessionTimeout $ radiusStripUserName $ radiusTerminationAction $
  radiusTunnelClientEndpoint $ radiusProfileDn $ radiusSimultaneousUse $
  radiusTunnelAssignmentId $ radiusTunnelMediumType $ radiusTunnelPassword $
  radiusTunnelPreference $ radiusTunnelPrivateGroupId $ radiusTunnelServerEndpoint $
  radiusTunnelType $ radiusUserCategory $ radiusVSA $ radiusExpiration $ dialupAccess ) )
Adding Reply Items to users
Create the following config file:
# cat > /tmp/addattr.ldif << 'EOF'
dn: uid=test,ou=People,dc=home,dc=labrats,dc=us
changetype: modify
add: ObjectClass
ObjectClass: radiusprofile
-
add: radiusReplyItem
radiusReplyItem: Cambium-Canopy-UserLevel="2"
-
add: radiusReplyItem
radiusReplyItem: Cambium-Canopy-UserMode="0"
EOF
Apply the configuration:
# ldapmodify -cx -D "cn=directory manager" -W -h localhost -f /tmp/addattr.ldif
Modify the /etc/raddb/mods-enabled/ldap file
In the update section, change:
reply: += 'radiusReplyAttribute'
to:
reply: += 'radiusReplyItem'
In the profile section, uncomment filter and attribute:
profile {
    #  Filter for RADIUS profile objects
    filter = '(objectclass=radiusprofile)'

    #  The default profile. This may be a DN or an attribute
    #  reference.
    #  To get old v2.2.x style behaviour, or to use the
    #  &User-Profile attribute to specify the default profile,
    #  set this to &control:User-Profile.
#   default = 'cn=radprofile,dc=example,dc=org'

    #  The LDAP attribute containing profile DNs to apply
    #  in addition to the default profile above. These are
    #  retrieved from the user object, at the same time as the
    #  attributes from the update section, and are applied
    #  if authorization is successful.
    attribute = 'radiusProfileDn'
}
Extending RADIUS
It may be required to extend RADIUS with custom attributes that are not otherwise part of the deployment above. An example would be allowing RADIUS authentication for the Cambium cnMaestro server, which does not use a VSA. If at all possible, push the vendor to create a VSA, as using standard or extended RADIUS attributes can cause conflicts between different platforms that use the RADIUS deployment.
In this example, we will add the RADIUS attribute "Role" to the deployment.
Edit the LDAP Schema
Edit /etc/dirsrv/<instance>/schema/98radius.ldif to add the following:
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.61 NAME 'radiusRole' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
Also change the following line:
objectClasses: ( 1.3.6.1.4.1.3317.4.3.2.1 NAME 'radiusprofile' SUP top AUXILIARY DESC '' MUST cn
  MAY ( radiusArapFeatures $ radiusArapSecurity $ radiusArapZoneAccess $ radiusAuthType $
  radiusCallbackId $ radiusCallbackNumber $ radiusCalledStationId $ radiusCallingStationId $
  radiusClass $ radiusClientIPAddress $ radiusFilterId $ radiusFramedAppleTalkLink $
  radiusFramedAppleTalkNetwork $ radiusFramedAppleTalkZone $ radiusFramedCompression $
  radiusFramedIPAddress $ radiusFramedIPNetmask $ radiusFramedIPXNetwork $ radiusFramedMTU $
  radiusFramedProtocol $ radiusCheckItem $ radiusReplyItem $ radiusFramedRoute $
  radiusFramedRouting $ radiusIdleTimeout $ radiusGroupName $ radiusHint $
  radiusHuntgroupName $ radiusLoginIPHost $ radiusLoginLATGroup $ radiusLoginLATNode $
  radiusLoginLATPort $ radiusLoginLATService $ radiusLoginService $ radiusLoginTCPPort $
  radiusLoginTime $ radiusPasswordRetry $ radiusPortLimit $ radiusPrompt $
  radiusProxyToRealm $ radiusRealm $ radiusReplicateToRealm $ radiusServiceType $
  radiusSessionTimeout $ radiusStripUserName $ radiusTerminationAction $
  radiusTunnelClientEndpoint $ radiusProfileDn $ radiusSimultaneousUse $
  radiusTunnelAssignmentId $ radiusTunnelMediumType $ radiusTunnelPassword $
  radiusTunnelPreference $ radiusTunnelPrivateGroupId $ radiusTunnelServerEndpoint $
  radiusTunnelType $ radiusUserCategory $ radiusVSA $ radiusExpiration $ dialupAccess ) )
to the below:
objectClasses: ( 1.3.6.1.4.1.3317.4.3.2.1 NAME 'radiusprofile' SUP top AUXILIARY DESC '' MUST cn
  MAY ( radiusArapFeatures $ radiusArapSecurity $ radiusArapZoneAccess $ radiusAuthType $
  radiusCallbackId $ radiusCallbackNumber $ radiusCalledStationId $ radiusCallingStationId $
  radiusClass $ radiusClientIPAddress $ radiusFilterId $ radiusFramedAppleTalkLink $
  radiusFramedAppleTalkNetwork $ radiusFramedAppleTalkZone $ radiusFramedCompression $
  radiusFramedIPAddress $ radiusFramedIPNetmask $ radiusFramedIPXNetwork $ radiusFramedMTU $
  radiusFramedProtocol $ radiusCheckItem $ radiusReplyItem $ radiusFramedRoute $
  radiusFramedRouting $ radiusIdleTimeout $ radiusGroupName $ radiusHint $
  radiusHuntgroupName $ radiusLoginIPHost $ radiusLoginLATGroup $ radiusLoginLATNode $
  radiusLoginLATPort $ radiusLoginLATService $ radiusLoginService $ radiusLoginTCPPort $
  radiusLoginTime $ radiusPasswordRetry $ radiusPortLimit $ radiusPrompt $
  radiusProxyToRealm $ radiusRealm $ radiusReplicateToRealm $ radiusServiceType $
  radiusSessionTimeout $ radiusStripUserName $ radiusTerminationAction $
  radiusTunnelClientEndpoint $ radiusProfileDn $ radiusSimultaneousUse $
  radiusTunnelAssignmentId $ radiusTunnelMediumType $ radiusTunnelPassword $
  radiusTunnelPreference $ radiusTunnelPrivateGroupId $ radiusTunnelServerEndpoint $
  radiusTunnelType $ radiusUserCategory $ radiusVSA $ radiusExpiration $ dialupAccess $ radiusRole ) )
Once complete, restart the directory server and verify that it is running.
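The two mistakes this edit invites are a MAY member with no attributeTypes definition and a new OID that collides with an existing one; both stop the directory server from loading the schema. Here is an added checker to run over 98radius.ldif before the restart; it is not part of the original page or of 389ds. It parses the RFC 4512 definitions from LDIF (including folded continuation lines). SCHEMA is a constructed four-attribute excerpt of the page's schema with the radiusRole line added, and next_free_oid() picks the next unused leaf under the page's 1.3.6.1.4.1.3317.4.3.1 attribute arc.

```python
# Added example: schema consistency check for a 98radius.ldif-style file.
# SCHEMA is a constructed excerpt, not the full file from the page.
import re

SCHEMA = """\
dn: cn=schema
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.9 NAME 'radiusFilterId' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.49 NAME 'radiusProfileDn' DESC '' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.60 NAME 'radiusReplyItem' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.61 NAME 'radiusRole' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
objectClasses: ( 1.3.6.1.4.1.3317.4.3.2.1 NAME 'radiusprofile' SUP top AUXILIARY DESC '' MUST cn
  MAY ( radiusFilterId $ radiusReplyItem $ radiusProfileDn $ radiusRole ) )
"""

RADIUS_ATTR_ARC = "1.3.6.1.4.1.3317.4.3.1."   # arc used by the page's attributeTypes
DEFINITION_RE = re.compile(r"^\(\s*([\d.]+)\s+NAME\s+'([^']+)'")
BUILTIN_ATTRS = {"cn", "top"}   # come from the server's core schema, not this file


def unfold_ldif(text):
    """Join RFC 2849 folded lines (a continuation line starts with one space)
    and drop comments and blank lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    return lines


def _attr_list(definition, keyword):
    # MUST/MAY take either a single name or a '$'-separated parenthesised list.
    m = re.search(rf"\b{keyword}\s+(\([^)]*\)|\S+)", definition)
    if not m:
        return []
    return [a.strip() for a in m.group(1).strip("() ").split("$") if a.strip()]


def parse_schema(text):
    """Return (attributeTypes, objectClasses) keyed by NAME."""
    attrs, classes = {}, {}
    for line in unfold_ldif(text):
        key, _, value = line.partition(":")
        m = DEFINITION_RE.match(value.strip())
        if not m:
            continue   # dn: and anything else that is not a definition
        oid, name = m.groups()
        if key.lower() == "attributetypes":
            attrs[name] = {"oid": oid, "single_value": "SINGLE-VALUE" in value}
        elif key.lower() == "objectclasses":
            classes[name] = {"oid": oid, "must": _attr_list(value, "MUST"),
                             "may": _attr_list(value, "MAY")}
    return attrs, classes


def check_schema(text):
    """Human-readable problems: duplicate OIDs, and MUST/MAY members with no
    attributeTypes definition (LDAP names are case-insensitive, so is this)."""
    attrs, classes = parse_schema(text)
    problems, owner = [], {}
    for name, d in list(attrs.items()) + list(classes.items()):
        if d["oid"] in owner:
            problems.append(f"OID {d['oid']} used by both {owner[d['oid']]} and {name}")
        owner.setdefault(d["oid"], name)
    known = {a.lower() for a in attrs} | BUILTIN_ATTRS
    for cname, c in classes.items():
        for a in c["must"] + c["may"]:
            if a.lower() not in known:
                problems.append(f"objectClass {cname} references undefined attribute {a}")
    return problems


def next_free_oid(text, arc=RADIUS_ATTR_ARC):
    """Next unused leaf under the attribute arc, so a new attribute such as
    radiusRole does not reuse an OID that is already taken."""
    attrs, _ = parse_schema(text)
    used = [int(d["oid"][len(arc):]) for d in attrs.values()
            if d["oid"].startswith(arc) and d["oid"][len(arc):].isdigit()]
    return arc + str(max(used, default=0) + 1)


if __name__ == "__main__":
    print(check_schema(SCHEMA) or "schema excerpt is consistent")
    print("next free attribute OID:", next_free_oid(SCHEMA))
```

To check the real file, read /etc/dirsrv/<instance>/schema/98radius.ldif into a string and pass it to check_schema() and next_free_oid() in place of SCHEMA.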
Edit the RADIUS configuration
Edit /etc/raddb/mods-available/ldap. Find the below section:
update {
    control:Password-With-Header    += 'userPassword'
#   control:NT-Password             := 'ntPassword'
#   reply:Reply-Message             := 'radiusReplyMessage'
#   reply:Tunnel-Type               := 'radiusTunnelType'
#   reply:Tunnel-Medium-Type        := 'radiusTunnelMediumType'
#   reply:Tunnel-Private-Group-ID   := 'radiusTunnelPrivategroupId'
Add the following configuration:
reply:Role += 'radiusRole'
Edit /etc/raddb/dictionary. Add the following line:
ATTRIBUTE Role 209 string
Adding the RADIUS attribute to the LDAP user
Create the following config file:
# cat > /tmp/addattr2.ldif << 'EOF'
dn: uid=test,ou=People,dc=home,dc=labrats,dc=us
changetype: modify
add: radiusRole
radiusRole: super
EOF
Apply the configuration:
# ldapmodify -cx -D "cn=directory manager" -W -h localhost -f /tmp/addattr2.ldif
Verifying that this worked
Start the RADIUS server in debug mode:
# radiusd -d /etc/raddb -X
In another window, run the following command:
# cat /root/rad-test | radclient 127.0.0.1:1812 auth testing123
You should receive the following in the command window:
Sent Access-Request Id 51 from 0.0.0.0:20976 to 127.0.0.1:1812 length 44
Received Access-Accept Id 51 from 127.0.0.1:1812 to 0.0.0.0:0 length 51
In your debug window, you should see the following:
(0) Role += "super"
Directory Server Modifications
ACIs
Creating a user that can manage the directory users.
Creating the Special User:
# cat > /tmp/serviceadd.ldif << 'EOF'
dn: cn=adpdbadmin,ou=Special Users,dc=home,dc=labrats,dc=us
objectClass: posixGroup
objectClass: top
cn: adpdbadmin
userPassword: {crypt}x
gidNumber: 65000
EOF
Adding the user to the directory:
# ldapadd -cx -D "cn=directory manager" -W -h localhost -f /tmp/serviceadd.ldif
Enter LDAP Password:
adding new entry "cn=adpdbadmin,ou=Special Users,dc=home,dc=labrats,dc=us"
Setting the user password:
# LDAPTLS_REQCERT=never ldappasswd -S -x -W -D "cn=directory manager" "cn=adpdbadmin,ou=Special Users,dc=home,dc=labrats,dc=us"
New password:
Re-enter new password:
Enter LDAP Password:

- or -

# LDAPTLS_REQCERT=never ldappasswd -W -D "cn=directory manager" "cn=adpdbadmin,ou=Special Users,dc=home,dc=labrats,dc=us"
Enter LDAP Password:
New password: <new password>
Creating the ACI:
# cat > /tmp/aci.ldif << 'EOF'
dn: ou=People,dc=home,dc=labrats,dc=us
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "give adpdbadmin full rights"; allow (all) userdn = "ldap:///cn=adpdbadmin,ou=Special Users,dc=home,dc=labrats,dc=us";)
EOF
Applying the ACI:
# ldapmodify -D "cn=Directory Manager" -W -f /tmp/aci.ldif
Processing MODIFY request for ou=People,dc=home,dc=labrats,dc=us
MODIFY operation successful for DN ou=People,dc=home,dc=labrats,dc=us
Replication
For replication to work, you need to have at least two directory servers setup. One will be the supplier (master) and the other will be the consumer (replica). The supplier will keep a log of all changes and will push those changes to the consumer. Other designs have multiple suppliers, consumers and hubs. We will only discuss the single supplier and consumer setup.
Create Replication Users
On both the suppliers and consumers, you need to add a replication user.
cat > /tmp/replicationuser.ldif << 'EOF'
dn: cn=replication manager,cn=config
objectClass: posixGroup
objectClass: top
cn: replication manager
userPassword: {crypt}x
gidNumber: 65000
EOF
# ldapadd -cx -D "cn=directory manager" -W -h localhost -f /tmp/replicationuser.ldif
Change user password
# LDAPTLS_REQCERT=never ldappasswd -ZZ -S -x -W -D "cn=directory manager" "cn=replication manager,cn=config"
New password:
Re-enter new password:
Enter LDAP Password:

- or -

# LDAPTLS_REQCERT=never ldappasswd -ZZ -W -D "cn=directory manager" "cn=replication manager,cn=config"
Enter LDAP Password:
New password: <new password>
Create ChangeLog on Supplier
Create the following on every supplier (in our case just the single master). Remember to change the instance name in the file!
cat > /tmp/changelog.ldif << EOF
dn: cn=changelog5,cn=config
changetype: add
objectclass: top
objectclass: extensibleObject
cn: changelog5
nsslapd-changelogdir: /var/lib/dirsrv/slapd-instance_name/changelogdb
nsslapd-changelogmaxage: 10d
EOF
- nsslapd-changelogdir sets the directory where the changelog is kept.
- nsslapd-changelogmaxage sets how long the changelog is kept; since the changelog can get very large, this helps trim the changelog to prevent affecting server performance and using up disk space. If this parameter is not set, the default is for the changelog to be kept forever.
Add this to the server:
# ldapmodify -D "cn=Directory Manager" -W -f /tmp/changelog.ldif
Create the supplier replica
Create the following on every supplier (in our case just the single master). Remember to change the instance name and domain in the file!
cat > /tmp/supplier.ldif << EOF
dn: cn=replica,cn=dc\=example\,dc\=com,cn=mapping tree,cn=config
changetype: add
objectclass: top
objectclass: nsds5replica
objectclass: extensibleObject
cn: replica
nsds5replicaroot: dc=example,dc=com
nsds5replicaid: 7
nsds5replicatype: 3
nsds5flags: 1
nsds5ReplicaPurgeDelay: 604800
nsds5ReplicaBindDN: cn=replication manager,cn=config
EOF
- nsds5replicaroot sets the subtree (suffix) which is being replicated.
- nsds5replicatype sets what kind of replica this database is. For either a single master or a multi-master supplier, this value must be 3.
- nsds5replicaid sets the replica ID. The value must be unique among all suppliers and hubs; the valid range is 1 to 65534.
- nsds5ReplicaPurgeDelay sets how long an entry holds its status information or how long a tombstone entry is kept before deleting the information. The default value is 604800 (one week).
- nsds5flags sets whether the replica writes to the changelog. For a supplier, this value must be 1.
Add this to the server:
# ldapmodify -D "cn=Directory Manager" -W -f /tmp/supplier.ldif
Configuring Consumers
Create the following on every consumer (in our case just the single consumer). Remember to change the domain in the file!
cat > /tmp/consumer.ldif << EOF
dn: cn=replica,cn=dc\=example\,dc\=com,cn=mapping tree,cn=config
changetype: add
objectclass: top
objectclass: nsds5replica
objectclass: extensibleObject
cn: replica
nsds5replicaroot: dc=example,dc=com
nsds5replicaid: 65535
nsds5replicatype: 2
nsds5ReplicaBindDN: cn=replication manager,cn=config
nsds5flags: 0
EOF
- nsds5replicaroot sets the subtree (suffix) which is being replicated.
- nsds5replicatype sets what kind of replica this database is. For a consumer, this value must be 2.
- nsds5ReplicaBindDN gives the DN as which the supplier will bind to the consumer to make changes.
- nsds5flags sets whether the replica writes to the changelog. For a consumer, this value must be 0.
Add this to the server:
# ldapmodify -D "cn=Directory Manager" -W -f /tmp/consumer.ldif
Configuring Replication Agreements
When setting up replication agreements, first set them up between all suppliers, then between the suppliers and the hubs, and last between the hub and the consumers.
Create the following on every supplier (in our case just the single master). Remember to change the password, consumer name and domain in the file!
cat > /tmp/replication.ldif << EOF
dn: cn=ExampleAgreement,cn=replica,cn=dc\=example\,dc\=com,cn=mapping tree,cn=config
objectclass: top
objectclass: nsds5ReplicationAgreement
cn: ExampleAgreement
nsds5replicahost: consumer1
nsds5replicaport: 636
nsds5ReplicaTransportInfo: SSL
nsds5ReplicaBindDN: cn=replication manager,cn=config
nsDS5ReplicaCredentials: <password>
nsds5replicabindmethod: SIMPLE
nsds5replicaroot: dc=example,dc=com
description: agreement between supplier1 and consumer1
nsds5replicatedattributelist: (objectclass=*) $ EXCLUDE authorityRevocationList accountUnlockTime memberof
nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE accountUnlockTime
nsds5BeginReplicaRefresh: start
EOF
The replication agreement has to define eight separate attributes:
- The consumer host (nsds5replicahost) and port (nsds5replicaport).
- The DN for the supplier to use to bind with the consumer (nsds5ReplicaBindDN).
- The way that the supplier binds (nsds5replicabindmethod).
- Any credentials required (nsDS5ReplicaCredentials) for that bind method and specified DN.
- The subtree being replicated (nsds5replicaroot).
- The replication schedule (nsds5replicaupdateschedule).
- Any attributes which will not be replicated (nsds5replicatedattributelist and nsDS5ReplicatedAttributeListTotal).
Add this to the server:
# ldapadd -cx -D "cn=directory manager" -W -h localhost -f /tmp/replication.ldif
Initializing Consumers Online
An online initialization can be initiated from the command line by adding the nsds5replicarefresh attribute to the replication agreement entry. If the attribute is included when the replication agreement is created, initialization begins immediately. It can be added later to initialize the consumer at any time. This attribute is absent by default, and it will be automatically deleted once the consumer initialization is complete.
Find the replication agreement DN
ldapsearch -x -D "cn=directory manager" -W -s sub -b cn=config "(objectclass=nsds5ReplicationAgreement)"
Start the replication
Edit the replication agreement and add the nsds5BeginReplicaRefresh attribute. Remember to change the DN to match the above result!
cat > /tmp/replication-start.ldif << EOF
dn: cn=ExampleAgreement,cn=replica,cn=dc\=example\,dc\=com,cn=mapping tree,cn=config
changetype: modify
replace: nsds5BeginReplicaRefresh
nsds5BeginReplicaRefresh: start
EOF
Add this to the server:
# ldapmodify -D "cn=Directory Manager" -W -f /tmp/replication-start.ldif
When the initialization is complete, the nsds5BeginReplicaRefresh attribute is automatically deleted from the replication agreement entry.
Monitoring the replication
To check the replication, run the following command on the supplier.
# ldapsearch -x -D "cn=directory manager" -W -s sub -b cn=config "(objectclass=nsds5ReplicationAgreement)"
You will want to look for the following entries:
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 20190625000337Z
nsds5replicaLastUpdateEnd: 20190625000337Z
nsds5replicaChangesSentSinceStartup:
nsds5replicaLastUpdateStatus: Error (0) Replica acquired successfully: Incremental update succeeded
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 20190624235803Z
nsds5replicaLastInitEnd: 20190624235806Z
nsds5replicaLastInitStatus: Error (0) Total update succeeded
The nsds5replicaLastUpdateStart and nsds5replicaLastUpdateEnd dates should be updating.
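An added check, not from the original page or from 389ds, that automates the inspection just described: it parses ldapsearch LDIF output (including folded continuation lines, which is how a long status such as "Increme / ntal update succeeded" is printed) and flags any nsds5ReplicationAgreement whose nsds5replicaLastUpdateStatus is not Error (0) or whose nsds5replicaLastUpdateEnd is older than a chosen limit. SAMPLE is constructed: the first entry reproduces the page's healthy output, the second is an invented failing agreement named StaleAgreement with an invented status text.

```python
# Added example: replication agreement health check over ldapsearch output.
# SAMPLE is constructed; StaleAgreement and its status text are invented.
import re
from datetime import datetime, timedelta, timezone

SAMPLE = r"""
dn: cn=ExampleAgreement,cn=replica,cn=dc\=example\,dc\=com,cn=mapping tree,cn=config
objectClass: top
objectClass: nsds5ReplicationAgreement
cn: ExampleAgreement
nsds5replicahost: consumer1
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 20190625000337Z
nsds5replicaLastUpdateEnd: 20190625000337Z
nsds5replicaChangesSentSinceStartup:
nsds5replicaLastUpdateStatus: Error (0) Replica acquired successfully: Increme
 ntal update succeeded
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 20190624235803Z
nsds5replicaLastInitEnd: 20190624235806Z
nsds5replicaLastInitStatus: Error (0) Total update succeeded

dn: cn=StaleAgreement,cn=replica,cn=dc\=example\,dc\=com,cn=mapping tree,cn=config
objectClass: top
objectClass: nsds5ReplicationAgreement
cn: StaleAgreement
nsds5replicahost: consumer2
nsds5replicaLastUpdateStart: 20190620000000Z
nsds5replicaLastUpdateEnd: 20190620000000Z
nsds5replicaLastUpdateStatus: Error (1) constructed sample: incremental update failed
nsds5replicaUpdateInProgress: FALSE
"""

GENERALIZED_TIME = "%Y%m%d%H%M%SZ"       # the timestamp format ldapsearch prints
STATUS_RE = re.compile(r"^Error \((-?\d+)\)")


def parse_ldif_entries(text):
    """Split ldapsearch output into entries: dict of lower-cased attribute
    name -> list of values. Folded lines (leading space) are rejoined."""
    entries, current, last_key = [], {}, None
    for raw in text.splitlines() + [""]:
        if not raw.strip():
            if current:
                entries.append(current)
            current, last_key = {}, None
        elif raw.startswith(" ") and last_key:
            current[last_key][-1] += raw[1:]
        elif not raw.startswith("#"):
            key, _, value = raw.partition(":")
            last_key = key.strip().lower()
            current.setdefault(last_key, []).append(value.strip())
    return entries


def first(entry, attr, default=""):
    return entry.get(attr.lower(), [default])[0]


def check_agreements(text, now, max_lag=timedelta(hours=1)):
    """Return (agreement name, problem) pairs. Healthy means the last update
    status is 'Error (0) ...' and nsds5replicaLastUpdateEnd is within max_lag
    of now; a supplier that never pushed shows an epoch-like timestamp, which
    the lag test catches as well."""
    findings = []
    for entry in parse_ldif_entries(text):
        classes = [c.lower() for c in entry.get("objectclass", [])]
        if "nsds5replicationagreement" not in classes:
            continue
        name = first(entry, "cn", "?")
        status = first(entry, "nsds5replicaLastUpdateStatus")
        m = STATUS_RE.match(status)
        if not m or m.group(1) != "0":
            findings.append((name, f"last update status: {status or 'missing'}"))
        end = first(entry, "nsds5replicaLastUpdateEnd")
        try:
            end_dt = datetime.strptime(end, GENERALIZED_TIME).replace(tzinfo=timezone.utc)
        except ValueError:
            findings.append((name, f"unparseable nsds5replicaLastUpdateEnd: {end!r}"))
            continue
        lag = now - end_dt
        if lag > max_lag:
            findings.append((name, f"last update finished {lag} ago (limit {max_lag})"))
    return findings


def check_sample(now_str="20190625003000Z", max_lag_minutes=60):
    """Run the check over SAMPLE with the observation time given as a
    GeneralizedTime string (constructed default: shortly after the sample)."""
    now = datetime.strptime(now_str, GENERALIZED_TIME).replace(tzinfo=timezone.utc)
    return check_agreements(SAMPLE, now, timedelta(minutes=max_lag_minutes))


if __name__ == "__main__":
    for name, problem in check_sample():
        print(f"{name}: {problem}")
```

Against a live supplier, feed the output of the ldapsearch command above into check_agreements() with datetime.now(timezone.utc); pick max_lag from how often the agreement is expected to push (the default one hour suits an always-on agreement with no nsds5replicaupdateschedule).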
Installing a RADIUS Proxy Server
This is along the same lines of authentication, but will be done on a separate server. It may be created in conjunction with the overall authentication deployment, or may be done afterwards to add RADIUS proxy to the deployment.
Create base Centos 7 server, as documented below
New CentOS 7 Server Setup Commands
Install RADIUS from yum
# yum install freeradius freeradius-ldap freeradius-utils
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirror.team-cymru.com
 * epel: d2lzkl7pfhq30w.cloudfront.net
 * extras: mirror.team-cymru.com
 * updates: mirror.dal10.us.leaseweb.net
Resolving Dependencies
--> Running transaction check
---> Package freeradius.x86_64 0:3.0.13-9.el7_5 will be installed
---> Package freeradius-ldap.x86_64 0:3.0.13-9.el7_5 will be installed
---> Package freeradius-utils.x86_64 0:3.0.13-9.el7_5 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package               Arch        Version                 Repository     Size
================================================================================
Installing:
 freeradius            x86_64      3.0.13-9.el7_5          base          1.1 M
 freeradius-ldap       x86_64      3.0.13-9.el7_5          base          109 k
 freeradius-utils      x86_64      3.0.13-9.el7_5          base          221 k

Transaction Summary
================================================================================
Install  3 Packages

Total download size: 1.4 M
Installed size: 4.0 M
Is this ok [y/d/N]: y
Downloading packages:
(1/3): freeradius-ldap-3.0.13-9.el7_5.x86_64.rpm           | 109 kB  00:00
(2/3): freeradius-utils-3.0.13-9.el7_5.x86_64.rpm          | 221 kB  00:00
(3/3): freeradius-3.0.13-9.el7_5.x86_64.rpm                | 1.1 MB  00:00
--------------------------------------------------------------------------------
Total                                              2.4 MB/s | 1.4 MB  00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : freeradius-3.0.13-9.el7_5.x86_64                            1/3
  Installing : freeradius-ldap-3.0.13-9.el7_5.x86_64                       2/3
  Installing : freeradius-utils-3.0.13-9.el7_5.x86_64                      3/3
  Verifying  : freeradius-ldap-3.0.13-9.el7_5.x86_64                       1/3
  Verifying  : freeradius-3.0.13-9.el7_5.x86_64                            2/3
  Verifying  : freeradius-utils-3.0.13-9.el7_5.x86_64                      3/3

Installed:
  freeradius.x86_64 0:3.0.13-9.el7_5
  freeradius-ldap.x86_64 0:3.0.13-9.el7_5
  freeradius-utils.x86_64 0:3.0.13-9.el7_5

Complete!
Configure for Proxy
In /etc/raddb/proxy.conf file, configure as follows:
#  Proxy server configuration
#
#  This entry controls the servers behaviour towards ALL other servers
#  to which it sends proxy requests.
#
proxy server {
    #  Setting this to "yes" may have issues for authentication.
    #  i.e. If you are proxying for two different ISP's, and then
    #  act as a general dial-up for Gric.  If one of the first two
    #  ISP's has their RADIUS server go down, you do NOT want to
    #  proxy those requests to GRIC.  Instead, you probably want
    #  to just drop the requests on the floor.  In that case, set
    #  this value to 'no'.
    #
    #  allowed values: {yes, no}
    #
    default_fallback = no
}

home_server den1-radius1 {
    type = auth
    ipaddr = 199.26.60.50
    port = 1812
    secret = motoPMP320
    require_message_authenticator = yes
    response_window = 20
    zombie_period = 40
    status_check = status-server
    check_interval = 30
    num_answers_to_alive = 3
    max_outstanding = 65536
}

home_server dal1-radius1 {
    type = auth
    ipaddr = 199.26.61.50
    port = 1812
    secret = motoPMP320
    require_message_authenticator = yes
    response_window = 20
    zombie_period = 40
    status_check = status-server
    check_interval = 30
    num_answers_to_alive = 3
    max_outstanding = 65536
}

home_server den1-radius1-acct {
    type = acct
    ipaddr = 199.26.60.50
    port = 1813
    secret = motoPMP320
    require_message_authenticator = yes
    response_window = 20
    zombie_period = 40
    status_check = status-server
    check_interval = 30
    num_answers_to_alive = 3
    max_outstanding = 65536
}

home_server dal1-radius1-acct {
    type = acct
    ipaddr = 199.26.61.50
    port = 1813
    secret = motoPMP320
    require_message_authenticator = yes
    response_window = 20
    zombie_period = 40
    status_check = status-server
    check_interval = 30
    num_answers_to_alive = 3
    max_outstanding = 65536
}

home_server_pool freeradius_auth_loadbalance {
    #
    #  The type of this pool controls how home servers are chosen.
    #
    type = load-balance

    #  Next, a list of one or more home servers.  The names
    #  of the home servers are NOT the hostnames, but the names
    #  of the sections.  (e.g. home_server foo {...} has name "foo".
    #
    home_server = den1-radius1
    home_server = dal1-radius1

    #  If ALL home servers are dead, then this "fallback" home server
    #  is used.  If set, it takes precedence over any realm-based
    #  fallback, such as the DEFAULT realm.
    #
    #fallback = virtual.example.com
}

home_server_pool freeradius_acct_loadbalance {
    #
    #  The type of this pool controls how home servers are chosen.
    #
    type = load-balance

    #  Next, a list of one or more home servers.  The names
    #  of the home servers are NOT the hostnames, but the names
    #  of the sections.  (e.g. home_server foo {...} has name "foo".
    #
    home_server = den1-radius1-acct
    home_server = dal1-radius1-acct

    #  If ALL home servers are dead, then this "fallback" home server
    #  is used.  If set, it takes precedence over any realm-based
    #  fallback, such as the DEFAULT realm.
    #
    #fallback = virtual.example.com
}

#
#  This realm is for requests which don't have an explicit realm
#  prefix or suffix.  User names like "bob" will match this one.
#
realm NULL {
    auth_pool = freeradius_auth_loadbalance
    acct_pool = freeradius_acct_loadbalance
    nostrip
}
Configure the /etc/raddb/clients.conf file.
client remote-node-1 {
	ipaddr = 10.1.2.3/32
	secret = some-shared-secret
}
Add any VSAs and RADIUS extensions.
Copy any dictionary files to /etc/raddb:
# cp /tmp/dictionary.vendor1 /etc/raddb/
# echo '$INCLUDE /etc/raddb/dictionary.vendor1' >> /etc/raddb/dictionary
Also, add any RADIUS extensions (as detailed in the section above) to the /etc/raddb/dictionary file.
Start and Test
Start the RADIUS server in debug mode:
# radiusd -d /etc/raddb/ -X
In another window, run the following commands:
# echo "User-Name=tuser2,User-Password=somepass" > /root/rad-test
# cat /root/rad-test | radclient 127.0.0.1:1812 auth testing123
If successful, you will see the following:
# cat /root/rad-test | radclient 127.0.0.1:1812 auth testing123
Sent Access-Request Id 162 from 0.0.0.0:44269 to 127.0.0.1:1812 length 44
Received Access-Accept Id 162 from 127.0.0.1:1812 to 0.0.0.0:0 length 20
If it fails, it will look something like this:
# cat /root/rad-test | radclient 127.0.0.1:1812 auth testing123
Sent Access-Request Id 193 from 0.0.0.0:41662 to 127.0.0.1:1812 length 44
Received Access-Reject Id 193 from 127.0.0.1:1812 to 0.0.0.0:0 length 20
(0) -: Expected Access-Accept got Access-Reject
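The exchange radclient performs above, as an added Python example that is not part of this page or of FreeRADIUS: it builds the Access-Request (RFC 2865 User-Password obfuscation plus the RFC 2869 Message-Authenticator that require_message_authenticator = yes in proxy.conf insists on) and checks a reply's Response Authenticator against the shared secret, which is why a reply forged without the secret is dropped instead of being taken as an Access-Accept. The user name, password, Id and secret testing123 are the test values from above; the fixed Request Authenticator is an assumption for reproducibility only, and nothing is sent on the network.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, MESSAGE_AUTHENTICATOR = 1, 2, 80

def attr(t: int, value: bytes) -> bytes:
    return struct.pack("!BB", t, len(value) + 2) + value  # Length counts its own 2 header bytes

def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    # RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous ciphertext block)
    padded = password.ljust(max(1, -(-len(password) // 16)) * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def build_access_request(ident: int, user: str, password: str, secret: str, auth: bytes) -> bytes:
    # auth is the 16-byte Request Authenticator; a real client passes os.urandom(16)
    attrs = attr(USER_NAME, user.encode())
    attrs += attr(USER_PASSWORD, encode_user_password(password.encode(), secret.encode(), auth))
    attrs += attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)  # zeroed while the HMAC is computed
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth
    mac = hmac.new(secret.encode(), header + attrs, hashlib.md5).digest()  # RFC 2869 3.2
    return header + attrs[:-16] + mac

def verify_message_authenticator(packet: bytes, secret: str) -> bool:
    # What require_message_authenticator = yes enforces: a missing or wrong HMAC fails the packet
    pos = 20
    while pos + 2 <= len(packet):
        t, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            return False  # malformed TLV: stop instead of looping forever
        if t == MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            return hmac.compare_digest(hmac.new(secret.encode(), zeroed, hashlib.md5).digest(), packet[pos + 2:pos + 18])
        pos += length
    return False

def build_reply(code: int, ident: int, request_auth: bytes, secret: str, attrs: bytes = b"") -> bytes:
    # Server side (RFC 2865 3): Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret.encode()).digest() + attrs

def verify_response(reply: bytes, request_auth: bytes, secret: str) -> bool:
    # Client side: radclient silently drops a reply whose Response Authenticator does not match
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret.encode()).digest()
    return len(reply) >= 20 and hmac.compare_digest(expected, reply[4:20])
```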
Adding Firewall Configuration
Allow the RADIUS authentication port through the host firewall:
# firewall-cmd --permanent --add-port=1812/udp
Reload the firewall rules:
# firewall-cmd --reload
!!! If you are deploying a RADIUS proxy to an outside IP address, please secure it further with more granular firewall configuration !!!
Enabling and Starting RADIUS
To enable the RADIUS daemon:
# systemctl enable radiusd
Created symlink from /etc/systemd/system/multi-user.target.wants/radiusd.service to /usr/lib/systemd/system/radiusd.service.
To start the RADIUS daemon:
# systemctl start radiusd