From Hackerspace.gr
Revision as of 19:24, 27 November 2016 by Ebal (Talk | contribs)


Notes on building Hackerspace public and member services.


1. Install basic stuff.

# yum install -y epel-release
# yum install -y vim bash-completion wget



# yum install -y openldap openldap-clients openldap-servers


1. Enable and start service.

# systemctl enable slapd.service
# systemctl start slapd.service

2. Check it actually works.

# systemctl status -l slapd.service


1. Copy default DB_CONFIG.

# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

2. Create a new admin password.

# slappasswd

3. Create an initial config in a file.

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
  read by dn.base="cn=admin,dc=example,dc=org" read by * none

dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=org
replace: olcRootDN
olcRootDN: cn=admin,dc=example,dc=org
add: olcRootPW
olcRootPW: {SSHA}3u4JMk96UgMheppVZpdr7HmMJFKHRpEd

4. And use it.

ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f openldap_initial.ldif


By default openldap ships the schemas below (also available in ldif format); a schema describes which objectclasses and ldap attributes our directory supports.

# find /etc/openldap/schema/*.schema


The most common schemas are cosine, nis and inetorgperson. To load them into our ldap configuration:

# ldapadd -Y EXTERNAL -H ldapi:// -f /etc/openldap/schema/cosine.ldif
# ldapadd -Y EXTERNAL -H ldapi:// -f /etc/openldap/schema/nis.ldif
# ldapadd -Y EXTERNAL -H ldapi:// -f /etc/openldap/schema/inetorgperson.ldif

Organizational Unit

1. Create an ldif file with the schema.

# example.org
dn: dc=example,dc=org
dc: example
objectClass: dcObject
objectClass: organizationalUnit
ou: example.org

# People
dn: ou=People,dc=example,dc=org
objectClass: organizationalUnit
ou: People

2. And use it.

# ldapmodify -x -W -D cn=admin,dc=example,dc=org -a -f schema.ldif


1. Create a new user.

# Test member account. userPassword is given in the clear here; store an
# {SSHA} hash from slappasswd instead so the directory never holds the cleartext.
dn: uid=test,ou=People,dc=example,dc=org
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
mail: username@example.gr
cn: username example
sn: example
givenName: username
uid: test
uidNumber: 99
gidNumber: 12
homeDirectory: /Maildir/test
userPassword: test
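As an added example (not from the wiki page), the Python below reproduces the {SSHA} format that slappasswd emits for olcRootPW, verifies a password against such a value, and lints an LDIF like the user entry above for userPassword or olcRootPW values that carry no hash scheme. The sample LDIF in the usage is constructed here; nothing else is assumed beyond the standard library.

```python
import base64
import hashlib
import hmac
import os
import re

# An RFC 2307 style scheme prefix such as {SSHA} marks a value as already hashed.
HASHED_SCHEME = re.compile(r"^\{[A-Za-z0-9-]+\}")

def ssha_hash(password: str, salt: bytes = b"") -> str:
    """{SSHA} as slappasswd emits it by default: base64(SHA-1(pw || salt) || salt)."""
    salt = salt or os.urandom(4)  # slappasswd uses a 4-byte random salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password: str, stored: str) -> bool:
    """Check a password against an {SSHA} value; the salt is whatever follows
    the 20-byte SHA-1 digest, so any salt length works."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

def unfold_ldif(text: str) -> list:
    """Join LDIF continuation lines (those starting with a space) onto the previous line."""
    out = []
    for line in text.splitlines():
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out

def cleartext_passwords(ldif: str) -> list:
    """Return (dn, attribute) pairs whose userPassword/olcRootPW has no hash scheme."""
    findings, dn = [], ""
    for line in unfold_ldif(ldif):
        attr, sep, value = line.partition(":")
        if line.startswith("#") or not sep:
            continue
        if value.startswith(":"):  # "attr:: <base64>" form, as ldapsearch prints it
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        value = value.strip()
        if attr.lower() == "dn":
            dn = value
        elif attr.lower() in ("userpassword", "olcrootpw") and not HASHED_SCHEME.match(value):
            findings.append((dn, attr))
    return findings
```

Run `cleartext_passwords()` over an LDIF before feeding it to ldapadd; the entry above is reported, while the olcRootPW from the initial config is not.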


1. Display entire config.

# ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"



# yum -y install nginx certbot

Initial Configuration

1. Edit nginx.conf. Remove the default server block and turn access logs off.

access_log off;

2. Create ssl.conf under conf.d.

# https://wiki.mozilla.org/Security/Server_Side_TLS
ssl_dhparam /etc/ssl/dhparam.pem;
# TLSv1 and TLSv1.1 matched Mozilla's intermediate profile in 2016; both are
# deprecated now (RFC 8996), so a fresh deployment should allow TLSv1.2 and newer only.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_timeout 5m;
# Without an explicit ssl_ciphers directive nginx uses its built-in default list;
# take the cipher list for this profile from the Mozilla page above.
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:50m;
add_header Strict-Transport-Security "max-age=31536000";

3. Create dhparam.

openssl dhparam -out /etc/ssl/dhparam.pem 2048

4. Create a default.conf under conf.d with minimal settings, and include all desired subdomains.

server {
    listen [::]:80;
    listen 80;
    server_name example.org www.example.org conf.example.org;
    root /var/www/default/;
    index index.html;
}


1. Test the configuration.

# nginx -t

2. Enable and start service.

# systemctl enable nginx.service
# systemctl start nginx.service


1. Create certificates, including all subdomains.

certbot --agree-tos --email ping@example.org -a webroot -w /var/www/default/ -d example.org -d www.example.org -d conf.example.org certonly

Final configuration

1. Edit default.conf to make it https-only.

server {
    listen [::]:80;
    listen 80;
    server_name example.org www.example.org;
    # $server_name expands to the first name listed, so this lands on https://example.org
    return 301 https://$server_name$request_uri;
}

server {
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name www.example.org;
    # Redirect www to the apex explicitly: $server_name would be www.example.org
    # here and send the client straight back to this block in a loop.
    return 301 https://example.org$request_uri;

    ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;
}

server {
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name example.org;

    root /var/www/default/;
    index index.html;

    ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;
}

2. Test the configuration.

# nginx -t

3. Reload nginx.

# nginx -s reload



# yum -y install prosody