Operativa
Notes on building Hackerspace public and member services.
Common
1. Install basic stuff.
# yum install -y epel-release
# yum install -y vim bash-completion wget
LDAP
Installation
# yum install -y openldap openldap-clients openldap-servers
Service
1. Enable and start service.
# systemctl enable slapd.service
# systemctl start slapd.service
2. Check it actually works.
# systemctl status -l slapd.service
Configuration
1. Copy default DB_CONFIG.
# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
2. Create a new admin password hash. slappasswd prompts for the password twice and prints an {SSHA} hash; that hash, never the cleartext, is what goes into olcRootPW below.
# slappasswd
3. Create an initial config in a file, e.g. openldap_initial.ldif. The database DN used below is olcDatabase={2}bdb; check which backend your package actually created (ls /etc/openldap/slapd.d/cn=config/ shows either olcDatabase={2}bdb.ldif or olcDatabase={2}hdb.ldif) and use that name, and replace the olcRootPW value with the hash slappasswd printed.
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=admin,dc=example,dc=org" read by * none

dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=org
-
replace: olcRootDN
olcRootDN: cn=admin,dc=example,dc=org
-
add: olcRootPW
olcRootPW: {SSHA}3u4JMk96UgMheppVZpdr7HmMJFKHRpEd
4. And use it.
# ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f openldap_initial.ldif
Schema
By default openldap ships the schemas below (each is also available as a .ldif for loading into cn=config). They describe which objectClasses and attributes the directory will accept.
# find /etc/openldap/schema/*.schema
/etc/openldap/schema/collective.schema
/etc/openldap/schema/corba.schema
/etc/openldap/schema/core.schema
/etc/openldap/schema/cosine.schema
/etc/openldap/schema/duaconf.schema
/etc/openldap/schema/dyngroup.schema
/etc/openldap/schema/inetorgperson.schema
/etc/openldap/schema/java.schema
/etc/openldap/schema/misc.schema
/etc/openldap/schema/nis.schema
/etc/openldap/schema/openldap.schema
/etc/openldap/schema/pmi.schema
/etc/openldap/schema/ppolicy.schema
The most common schemas are:
cosine.schema
nis.schema
inetorgperson.schema
To load them to our ldap configuration:
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
Organizational Unit
1. Create an ldif file, e.g. base.ldif, with the base entry for the suffix and the People organizational unit (these are directory entries, not schema).
# example.org
dn: dc=example,dc=org
dc: example
objectClass: dcObject
objectClass: organizationalUnit
ou: example.org

# People
dn: ou=People,dc=example,dc=org
objectClass: organizationalUnit
ou: People
2. And use it, binding as the admin set in olcRootDN.
# ldapmodify -x -W -D cn=admin,dc=example,dc=org -a -f base.ldif
Users
1. Create a new user in an ldif file. Two things to change before loading it: replace the cleartext userPassword with the {SSHA} hash slappasswd prints (a cleartext value is stored verbatim in the directory), and pick uidNumber/gidNumber outside the system range (1000 and above, the UID_MIN/GID_MIN default in /etc/login.defs), since low ids like the 99/12 below may collide with system accounts.
dn: uid=test,ou=People,dc=example,dc=org
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
mail: username@example.gr
cn: username example
sn: example
givenName: username
uid: test
uidNumber: 99
gidNumber: 12
homeDirectory: /Maildir/test
userPassword: test
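As an added example (not from the original notes), the Python script below generates and verifies OpenLDAP-style {SSHA} values the way slappasswd and slapd do (base64 of sha1(password + salt) followed by the salt), and lints a user entry like the one above before it reaches ldapadd: it reports missing posixAccount/inetOrgPerson MUST attributes, a cleartext userPassword, and uidNumber/gidNumber values in the system range. The entry text is the one from this page embedded as constructed input; the 1000 threshold, the function names and the single-entry LDIF parser (no line continuations) are this example's own choices.

```python
"""Hash userPassword the way slappasswd does ({SSHA}) and lint a user entry
before it goes to ldapadd. Added example, not part of the original notes."""
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# MUST attributes of posixAccount plus the ones person/inetOrgPerson add (cn, sn).
REQUIRED = ("uid", "cn", "sn", "uidNumber", "gidNumber", "homeDirectory")
MIN_ID = 1000  # UID_MIN/GID_MIN default in /etc/login.defs; lower ids belong to system accounts

# The entry from the notes above, embedded here as constructed input.
PAGE_ENTRY = """\
dn: uid=test,ou=People,dc=example,dc=org
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
mail: username@example.gr
cn: username example
sn: example
givenName: username
uid: test
uidNumber: 99
gidNumber: 12
homeDirectory: /Maildir/test
userPassword: test
"""


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """OpenLDAP {SSHA}: base64(sha1(password + salt) + salt). slappasswd uses a 4-byte salt."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """What slapd does on a simple bind: split digest and salt, recompute, compare."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the rest is the salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def _split(line: str) -> Tuple[str, str]:
    """'attr: value' -> (attr, value); the 'attr:: <base64>' form is decoded."""
    name, _, value = line.partition(":")
    if value.startswith(":"):
        value = base64.b64decode(value[1:].strip()).decode("utf-8")
    return name.strip(), value.strip()


def parse_entry(text: str) -> Dict[str, List[str]]:
    """Single-entry LDIF into attribute -> values; comments and blank lines skipped."""
    attrs: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, value = _split(line)
            attrs.setdefault(name, []).append(value)
    return attrs


def lint_user_entry(text: str) -> List[str]:
    """Problems to fix before ldapadd: missing MUST attributes, cleartext password, system-range ids."""
    attrs = parse_entry(text)
    problems = [f"missing required attribute {n}" for n in REQUIRED if n not in attrs]
    for pw in attrs.get("userPassword", []):
        if not pw.startswith("{"):  # hashed values carry a {scheme} prefix
            problems.append("userPassword is cleartext; use a {SSHA} hash from slappasswd")
    for name in ("uidNumber", "gidNumber"):
        for value in attrs.get(name, []):
            if int(value) < MIN_ID:
                problems.append(f"{name} {value} is below {MIN_ID} and may collide with a system account")
    return problems


def hash_cleartext_password(text: str, salt: Optional[bytes] = None) -> str:
    """Rewrite cleartext userPassword values as {SSHA}; already-hashed values are kept."""
    out = []
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, value = _split(line)
            if name == "userPassword" and not value.startswith("{"):
                line = "userPassword: " + ssha_hash(value, salt)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("\n".join(lint_user_entry(PAGE_ENTRY)) or "ok")
    fixed = hash_cleartext_password(PAGE_ENTRY.replace("uidNumber: 99", "uidNumber: 10001")
                                    .replace("gidNumber: 12", "gidNumber: 10001"))
    print(fixed, lint_user_entry(fixed) or "ok")
```

Save the fixed LDIF as user.ldif and load it with ldapadd -x -W -D cn=admin,dc=example,dc=org -f user.ldif; a simple bind as the new user (ldapwhoami -x -D uid=test,ou=People,dc=example,dc=org -W) then confirms that slapd accepts the hash.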
Status
1. Display entire config.
# ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"
Nginx
Installation
# yum -y install nginx certbot
Initial Configuration
1. Edit nginx.conf. Remove server block and turn access logs off.
access_log off;
2. Create ssl.conf under conf.d. The cipher list is Mozilla's intermediate profile of the time. TLSv1 and TLSv1.1 are deprecated, so only TLSv1.2 is enabled here; add TLSv1.3 once the nginx and OpenSSL builds on the box support it.
# https://wiki.mozilla.org/Security/Server_Side_TLS
ssl_dhparam /etc/ssl/dhparam.pem;
ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK';
ssl_session_timeout 5m;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:50m;
add_header Strict-Transport-Security "max-age=31536000";
3. Create dhparam.
# openssl dhparam -out /etc/ssl/dhparam.pem 2048
4. Create a default.conf under conf.d with minimal settings, and include all desired subdomains.
server {
    listen [::]:80;
    listen 80;
    server_name example.org www.example.org conf.example.org;
    root /var/www/default/;
    index index.html;
}
Service
1. Test the configuration.
# nginx -t
2. Enable and start service.
# systemctl enable nginx.service
# systemctl start nginx.service
Certificates
1. Create certificates, including all subdomains. The webroot given with -w must be the one nginx serves on port 80 for every name listed, so that /.well-known/acme-challenge/ is reachable during validation.
# certbot --agree-tos --email ping@example.org -a webroot -w /var/www/default/ -d example.org -d www.example.org -d conf.example.org certonly
Final configuration
1. Edit default.conf to make it https-only. Redirect to the bare host explicitly rather than via $server_name: $server_name expands to the first name in the block's server_name directive, so a block whose only name is www.example.org would redirect to itself until the browser gives up with a redirect-loop error.
server {
    listen [::]:80;
    listen 80;
    server_name example.org www.example.org;
    return 301 https://example.org$request_uri;
}

server {
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name www.example.org;
    ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;
    return 301 https://example.org$request_uri;
}

server {
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name example.org;
    root /var/www/default/;
    index index.html;
    ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;
}
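Added example, not from the original notes: a small Python simulation of how nginx picks a server block for a request and expands $server_name (the first name in that block's server_name directive) when following return 301 targets. It shows the weak form of the www block (a return that uses $server_name in a block whose only name is www.example.org, which redirects to itself) beside the corrected literal target. Block selection is simplified to an exact name match with the first declared block on a listen acting as default server; the Server class and follow() are this example's own names.

```python
"""Follow the redirects a set of nginx server blocks would produce, expanding
$server_name the way nginx does. Added example, not part of the original notes."""
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


class Server:
    def __init__(self, scheme: str, names: List[str], redirect: Optional[str] = None):
        self.scheme = scheme        # "http" for listen 80, "https" for listen 443 ssl
        self.names = names          # the server_name directive, in order
        self.redirect = redirect    # 'return 301 <target>' template, or None if the block serves files

    @property
    def server_name(self) -> str:
        """nginx sets $server_name to the primary, i.e. first, name of the block."""
        return self.names[0]


def select(servers: List[Server], scheme: str, host: str) -> Server:
    """Exact server_name match among blocks on this listen; otherwise nginx's default
    server, which is the first block declared for that listen."""
    listening = [s for s in servers if s.scheme == scheme]
    for s in listening:
        if host in s.names:
            return s
    return listening[0]


def follow(servers: List[Server], url: str, limit: int = 10) -> Tuple[List[str], bool]:
    """Return the chain of URLs visited and whether it looped (or never settled)."""
    chain, seen = [url], {url}
    for _ in range(limit):
        parts = urlsplit(url)
        block = select(servers, parts.scheme, parts.hostname)
        if block.redirect is None:
            return chain, False         # this block serves the request; done
        # $request_uri is the original URI with query string; it always starts with "/"
        request_uri = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        url = (block.redirect.replace("$server_name", block.server_name)
                             .replace("$request_uri", request_uri))
        chain.append(url)
        if url in seen:
            return chain, True          # a browser reports this as too many redirects
        seen.add(url)
    return chain, True


# Constructed configs mirroring the three blocks of default.conf.
# Weak form: the www-only block redirects via $server_name, i.e. to itself.
AS_WRITTEN = [
    Server("http", ["example.org", "www.example.org"], "https://$server_name$request_uri"),
    Server("https", ["www.example.org"], "https://$server_name$request_uri"),
    Server("https", ["example.org"]),
]
# Corrected form: the www block names the bare host explicitly.
FIXED = [
    Server("http", ["example.org", "www.example.org"], "https://example.org$request_uri"),
    Server("https", ["www.example.org"], "https://example.org$request_uri"),
    Server("https", ["example.org"]),
]

if __name__ == "__main__":
    for label, cfg in (("as written", AS_WRITTEN), ("fixed", FIXED)):
        chain, looped = follow(cfg, "https://www.example.org/foo?x=1")
        print(label, "->", " -> ".join(chain), "(loop)" if looped else "(serves)")
```

The http block in the weak form does not loop, because its first name is example.org; the loop only appears on direct https://www.example.org requests, which is why it is easy to miss when testing with curl against port 80 alone.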
2. Test the configuration.
# nginx -t
3. Reload nginx.
# nginx -s reload
Jabber
Installation
# yum -y install prosody