Operativa

Notes on building Hackerspace public and member services.

Common

1. Install basic stuff.

# yum install -y epel-release
# yum install -y vim bash-completion wget

LDAP

Installation

# yum install -y openldap openldap-clients openldap-servers

Service

1. Enable and start service.

# systemctl enable slapd.service
# systemctl start slapd.service

2. Check it actually works.

# systemctl status -l slapd.service

Configuration

1. Copy default DB_CONFIG.

# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

2. Create a new admin password.

# slappasswd

3. Create an initial config in a file.

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" 
  read by dn.base="cn=admin,dc=example,dc=org" read by * none

dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=org
-
replace: olcRootDN
olcRootDN: cn=admin,dc=example,dc=org
-
add: olcRootPW
olcRootPW: {SSHA}3u4JMk96UgMheppVZpdr7HmMJFKHRpEd

4. And use it.

ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f openldap_initial.ldif

Schema

By default openldap supports the below ldap schemas (in ldif format also), that describes what objectclasses & ldap attributes should our schema support.



# find /etc/openldap/schema/*.schema

/etc/openldap/schema/collective.schema
/etc/openldap/schema/corba.schema
/etc/openldap/schema/core.schema
/etc/openldap/schema/cosine.schema
/etc/openldap/schema/duaconf.schema
/etc/openldap/schema/dyngroup.schema
/etc/openldap/schema/inetorgperson.schema
/etc/openldap/schema/java.schema
/etc/openldap/schema/misc.schema
/etc/openldap/schema/nis.schema
/etc/openldap/schema/openldap.schema
/etc/openldap/schema/pmi.schema
/etc/openldap/schema/ppolicy.schema



The most common schemas are:

cosine.schema
nis.schema
inetorgperson.schema



To load them to our ldap configuration:

# ldapadd -Y EXTERNAL -H ldapi:// -f /etc/openldap/schema/cosine.ldif 
# ldapadd -Y EXTERNAL -H ldapi:// -f /etc/openldap/schema/nis.ldif 
# ldapadd -Y EXTERNAL -H ldapi:// -f /etc/openldap/schema/inetorgperson.ldif 



Organizational Unit

1. Create an ldif file with the schema.

# example.org
dn: dc=example,dc=org
dc: example
objectClass: dcObject
objectClass: organizationalUnit
ou: example.org

# People
dn: ou=People,dc=example,dc=org
objectClass: organizationalUnit
ou: People

2. And use it.

# ldapmodify -x -W -D cn=admin,dc=example,dc=org -a -f schema.ldif

Users

1. Create a new user.

dn: uid=test,ou=People,dc=example,dc=org
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
mail: username@example.gr
cn: username example
sn: example
givenName: username
uid: test
uidNumber: 99
gidNumber: 12
homeDirectory: /Maildir/test
userPassword: test

Status

1. Display entire config.

# ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"

Nginx

Installation

# yum -y install nginx certbot

Initial Configuration

1. Edit nginx.conf. Remove server block and turn access logs off.

access_log off;

2. Create ssl.conf under conf.d.

# https://wiki.mozilla.org/Security/Server_Side_TLS
ssl_dhparam /etc/ssl/dhparam.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK';
ssl_session_timeout 5m;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:50m;
add_header Strict-Transport-Security "max-age=31536000";

3. Create dhparam.

openssl dhparam -out /etc/ssl/dhparam.pem 2048

4. Create a default.conf under conf.d with minimal settings, and include all desired subdomains.

server {
    listen [::]:80;
    listen 80;
    server_name example.org www.example.org conf.example.org;
    
    root /var/www/default/;
    index index.html;
}

Service

1. Test the configuration.

# nginx -t

2. Enable and start service.

# systemctl enable nginx.service
# systemctl start nginx.service

Certificates

1. Create certificates, including all subdomains

certbot --agree-tos --email ping@example.org -a webroot -w /var/www/default/ -d example.org -d www.example.org -d conf.example.org certonly

Final configuration

1. Edit default.conf to make it https-only.

server {
    listen [::]:80;
    listen 80;
    server_name example.org www.example.org;
    return 301 https://$server_name$request_uri;
}

server {
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name www.example.org;
    return 301 https://$server_name$request_uri;

    ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;
}

server {
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name example.org;

    root /var/www/default/;
    index index.html;

    ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;
}

2. Test the configuration.

# nginx -t

3. Reload nginx.

# nginx -s reload

Jabber

Installation

# yum -y install prosody

Configuration