This repository contains documentation and config files to set up a test environment for RDMO, in particular services for LDAP and Shibboleth authentication.

Important: These instructions are not meant for a production system. We will use weak passwords and an unsafe workflow for certificate signing.

Currently, the setup consists of virtual machines with no automatic setup, but this might change (e.g. using ansible, docker or vagrant).

This setup needs 3 virtual machines and uses 5 hostnames. Name resolution has to work somehow, e.g. by editing `/etc/hosts`:

```
192.168.0.111 ldap.test.rdmo.org ldap
192.168.0.112 idp.test.rdmo.org idp
192.168.0.113 app.test.rdmo.org app
192.168.0.113 sp.test.rdmo.org
192.168.0.113 sp2.test.rdmo.org
```
## CA

We set up a private CA to sign valid certificates (for our test setup). See `ssl/Makefile` and `ssl/ca.cnf` for the fun part.

```bash
cd ssl
make
```

Answer all questions correctly. This is the first test...

Import `ssl/ca/test.rdmo.org.crt` into your browser.
## bionic

This is the master VM from which all other VMs are cloned.

* HD: 20 GB
* Network: Bridged
* Image: ubuntu-18.04.2-live-server-amd64.iso

Install with standard options. After the install set `preserve_hostname: true` in `/etc/cloud/cloud.cfg`.
## ldap

This is the VM for the LDAP server holding the user accounts.

Clone the `bionic` VM.

```bash
# as root
hostnamectl set-hostname ldap.test.rdmo.org
reboot
```

```bash
# as root
apt install slapd ldap-utils
dpkg-reconfigure slapd
```

with

* Omit OpenLDAP server configuration? No
* DNS domain name? This determines the base DN of the directory. Use `ldap.test.rdmo.org`, which gives the base DN `dc=ldap,dc=test,dc=rdmo,dc=org` that the LDIF files and the commands below rely on.
* Organization name? Anything you feel is appropriate, e.g. `example`.
* Administrator password? Enter a password twice. The commands below assume `admin`.
* Database backend? MDB
* Remove the database when slapd is purged? No
* Move old database? Yes
* Allow LDAPv2 protocol? No

```bash
ufw allow ldap
ldapwhoami -H ldap:// -x
```

Returns `anonymous`.

```bash
usermod -aG ssl-cert openldap
systemctl restart slapd
```

Copy:

* `ssl/ca/test.rdmo.org.crt` to `ldap.test.rdmo.org:/usr/local/share/ca-certificates/`
* `ssl/ldap.test.rdmo.org.crt` to `ldap.test.rdmo.org:/etc/ssl/certs/`
* `ssl/ldap.test.rdmo.org.key` to `ldap.test.rdmo.org:/etc/ssl/private/`

```bash
update-ca-certificates
chgrp ssl-cert /etc/ssl/private
chgrp ssl-cert /etc/ssl/private/ldap.test.rdmo.org.key
chmod 750 /etc/ssl/private/
chmod 640 /etc/ssl/private/ldap.test.rdmo.org.key
```

Copy `ldap` to `/root/ldap` on `ldap.test.rdmo.org`.

```bash
ldapmodify -H ldapi:// -Y EXTERNAL -f /root/ldap/ssl.ldif -v
ldapadd -x -D "cn=admin,dc=ldap,dc=test,dc=rdmo,dc=org" -w admin -f /root/ldap/users.ldif
ldapadd -x -D "cn=admin,dc=ldap,dc=test,dc=rdmo,dc=org" -w admin -f /root/ldap/groups.ldif
```

Check:

```bash
ldapsearch -v -x -D "uid=rdmo,dc=ldap,dc=test,dc=rdmo,dc=org" -w rdmo -b "dc=ldap,dc=test,dc=rdmo,dc=org" -s sub 'uid=user'
ldapsearch -v -x -D "uid=rdmo,dc=ldap,dc=test,dc=rdmo,dc=org" -w rdmo -b "dc=ldap,dc=test,dc=rdmo,dc=org" -s sub 'objectClass=groupOfNames'
```
## rdmo-idp
This is the VM acting as identity provider for Shibboleth.
Clone `bionic` VM.
Copy:
* `ssl/ca/test.rdmo.org.crt` to `idp.test.rdmo.org:/usr/local/share/ca-certificates/`
* `ssl/idp.test.rdmo.org.crt` to `idp.test.rdmo.org:/etc/ssl/certs/` on `idp.test.rdmo.org`
* `ssl/idp.test.rdmo.org.key` to `idp.test.rdmo.org:/etc/ssl/private/` on `idp.test.rdmo.org`
```bash
# as root
hostnamectl set-hostname idp.test.rdmo.org
update-ca-certificates
reboot
# the tomcat8 group only exists once tomcat8 has been installed (see below),
# so run the following four lines after that step
chgrp tomcat8 /etc/ssl/private
chgrp tomcat8 /etc/ssl/private/idp.test.rdmo.org.key
chmod 750 /etc/ssl/private/
chmod 640 /etc/ssl/private/idp.test.rdmo.org.key
```

Check if LDAP works (with the `idp` user):

```bash
apt install ldap-utils
ldapsearch -v -x -ZZ -H ldap://ldap.test.rdmo.org \
    -D "uid=idp,dc=ldap,dc=test,dc=rdmo,dc=org" -w idp \
    -b "dc=ldap,dc=test,dc=rdmo,dc=org" -s sub 'uid=user'
```
Install Java dependencies:

```bash
apt install openjdk-8-jdk
echo "JAVA_HOME=/usr/lib/jvm/java-8-openjdk-amd64" >> /etc/environment
```

Then log out and log in again.
Get Shibboleth from https://shibboleth.net/downloads/identity-provider/latest/. We will use https://shibboleth.net/downloads/identity-provider/latest/shibboleth-identity-provider-3.4.4.tar.gz.

```bash
# as root
cd /opt
wget https://shibboleth.net/downloads/identity-provider/latest/shibboleth-identity-provider-3.4.4.tar.gz
tar xzvf shibboleth-identity-provider-3.4.4.tar.gz
cd shibboleth-identity-provider-3.4.4/bin
./install.sh
```

Accept the default values and enter new passwords.
Update `validUntil` in `/opt/shibboleth-idp/metadata/idp-metadata.xml` to something in the future.
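As an added helper (not part of this repository), the following Python reads the `validUntil` of a SAML `EntityDescriptor` such as `idp-metadata.xml` (or the `sp-metadata.xml` fetched later), reports whether it has already passed, and rewrites it to a date in the future. The embedded metadata is a constructed sample; the 365-day default is an assumption.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample: an EntityDescriptor whose validUntil has already passed.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.test.rdmo.org/idp/shibboleth"
    validUntil="2019-01-01T00:00:00Z">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</EntityDescriptor>
"""


def parse_metadata(xml_text):
    """Return (entityID, validUntil) where validUntil is an aware datetime or None."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % MD_NS:
        raise ValueError("root element is %s, not md:EntityDescriptor" % root.tag)
    raw = root.get("validUntil")
    if raw is None:
        return root.get("entityID"), None  # no validUntil: consumers treat it as open-ended
    # SAML dateTime values are UTC and end with "Z"; some tools emit fractional seconds.
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in raw else "%Y-%m-%dT%H:%M:%SZ"
    return root.get("entityID"), datetime.strptime(raw, fmt).replace(tzinfo=timezone.utc)


def is_expired(xml_text, now=None):
    """True if the metadata carries a validUntil in the past (Shibboleth then rejects it)."""
    now = now or datetime.now(timezone.utc)
    _, valid_until = parse_metadata(xml_text)
    return valid_until is not None and valid_until <= now


def extend_valid_until(xml_text, days=365, now=None):
    """Rewrite the validUntil to now + days (365 is an assumed default), leaving the rest of the file untouched."""
    now = now or datetime.now(timezone.utc)
    new_value = (now + timedelta(days=days)).strftime("%Y-%m-%dT%H:%M:%SZ")
    # Only the first validUntil is replaced: in an EntityDescriptor file that is the root element's.
    return re.sub(r'validUntil="[^"]*"', 'validUntil="%s"' % new_value, xml_text, count=1)


if __name__ == "__main__":
    print("expired:", is_expired(SAMPLE_METADATA))
    print(parse_metadata(extend_valid_until(SAMPLE_METADATA)))
```

To use it on the real file, read `/opt/shibboleth-idp/metadata/idp-metadata.xml`, pass the text through `extend_valid_until`, and write the result back before restarting tomcat.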
```bash
apt install apache2 tomcat8 tomcat8-admin
usermod -aG ssl-cert tomcat8
```
In `/etc/tomcat8/server.xml` uncomment the APR connector and edit it so that it reads:

```xml
<Connector
    protocol="org.apache.coyote.http11.Http11AprProtocol"
    port="8443" maxThreads="200"
    scheme="https" secure="true" SSLEnabled="true"
    SSLCertificateFile="/etc/ssl/certs/idp.test.rdmo.org.crt"
    SSLCertificateKeyFile="/etc/ssl/private/idp.test.rdmo.org.key"
    SSLVerifyClient="optional" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"/>
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
```
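As an added check (not part of this repository), the following Python parses a Tomcat `server.xml` and lists which TLS versions each `SSLEnabled` connector accepts, so the `SSLProtocol` value can be verified after editing. The embedded `server.xml` is a constructed fragment built around the connector above; with that value it reports TLSv1 and TLSv1.1 as legacy versions, which is fine for this test setup but worth knowing before the snippet is reused elsewhere.

```python
import xml.etree.ElementTree as ET

# Protocol versions that are deprecated and should not be enabled outside a test setup.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample: a minimal server.xml around the connectors shown above.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector
        protocol="org.apache.coyote.http11.Http11AprProtocol"
        port="8443" maxThreads="200"
        scheme="https" secure="true" SSLEnabled="true"
        SSLCertificateFile="/etc/ssl/certs/idp.test.rdmo.org.crt"
        SSLCertificateKeyFile="/etc/ssl/private/idp.test.rdmo.org.key"
        SSLVerifyClient="optional" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>
"""


def tls_connectors(server_xml):
    """Return {port: set of protocol names} for every connector with SSLEnabled="true"."""
    result = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        # The APR connector joins versions with '+'; when the attribute is absent
        # Tomcat falls back to its own default, recorded here as the literal "all".
        raw = conn.get("SSLProtocol", "all")
        result[conn.get("port")] = set(raw.split("+"))
    return result


def legacy_findings(server_xml):
    """Sorted (port, protocol) pairs where a TLS connector still accepts a legacy version."""
    return sorted((port, proto)
                  for port, protos in tls_connectors(server_xml).items()
                  for proto in protos if proto in LEGACY_PROTOCOLS)


if __name__ == "__main__":
    for port, proto in legacy_findings(SAMPLE_SERVER_XML):
        print("connector on port %s still allows %s" % (port, proto))
```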
Add an admin user for tomcat. In `/etc/tomcat8/tomcat-users.xml` add:

```xml
<user username="tomcat" password="tomcat" roles="manager-gui, admin-gui"/>
```
Download `jstl-1.2.jar` from https://mvnrepository.com/artifact/javax.servlet/jstl/1.2 and move it to `/var/lib/tomcat8/lib/` (this prevents a `NestedServletException` later).

Restart tomcat:

```bash
systemctl restart tomcat8
```

http://idp.test.rdmo.org:8080 and https://idp.test.rdmo.org:8443 should work now.

For debugging, look at `/var/log/tomcat8/catalina.out`.
Change the permissions for `/opt/shibboleth-idp`:

```bash
chown -R tomcat8:tomcat8 /opt/shibboleth-idp
```

Go to http://idp.test.rdmo.org:8080/manager and fill in "Deploy directory or WAR file located on server":

* Context Path (required): `/idp`
* XML Configuration file URL: (leave empty)
* WAR or Directory URL: `/opt/shibboleth-idp/war/idp.war`

Start the container. http://idp.test.rdmo.org:8080/idp/ should show a page now.
Copy:

* `idp/access-control.xml` (really insecure, do not use in production)
* `idp/attribute-resolver.xml`
* `idp/attribute-filter.xml`
* `idp/ldap.properties`
* `idp/metadata-providers.xml`

to `/opt/shibboleth-idp/conf/` on `idp.test.rdmo.org`.

Restart tomcat:

```bash
systemctl restart tomcat8
```
Copy `apache2/idp.conf` to `idp.test.rdmo.org:/etc/apache2/sites-available/000-default.conf`.

```bash
a2enmod ssl rewrite proxy_ajp
systemctl restart apache2
```

Go to:

- https://idp.test.rdmo.org/idp/status
- https://idp.test.rdmo.org/idp/shibboleth
- https://idp.test.rdmo.org/idp/profile/admin/resolvertest?requester=https%3A%2F%2Fsp.test.rdmo.org%2Fshibboleth&principal=test
## app

This is the VM for the different rdmo apps.

Clone the `bionic` VM.

```bash
# as root
hostnamectl set-hostname app.test.rdmo.org
reboot
```

Copy:

* `ssl/ca/test.rdmo.org.crt` to `app.test.rdmo.org:/usr/local/share/ca-certificates/`
* `ssl/app.test.rdmo.org.crt` to `app.test.rdmo.org:/etc/ssl/certs/`
* `ssl/sp.test.rdmo.org.crt` to `app.test.rdmo.org:/etc/ssl/certs/`
* `ssl/sp2.test.rdmo.org.crt` to `app.test.rdmo.org:/etc/ssl/certs/`
* `ssl/app.test.rdmo.org.key` to `app.test.rdmo.org:/etc/ssl/private/`
* `ssl/sp.test.rdmo.org.key` to `app.test.rdmo.org:/etc/ssl/private/`
* `ssl/sp2.test.rdmo.org.key` to `app.test.rdmo.org:/etc/ssl/private/`

```bash
# as root
update-ca-certificates
```

Check if LDAP works (with the `rdmo` user):

```bash
# as root
apt install ldap-utils
ldapsearch -v -x -ZZ -H ldap://ldap.test.rdmo.org \
    -D "uid=rdmo,dc=ldap,dc=test,dc=rdmo,dc=org" -w rdmo \
    -b "dc=ldap,dc=test,dc=rdmo,dc=org" -s sub 'uid=user'
```

Install the build dependencies and create the `rdmo` user:

```bash
# as root
apt install build-essential libxml2-dev libxslt-dev zlib1g-dev \
    python3-dev python3-pip python3-venv \
    git pandoc texlive texlive-xetex \
    apache2 libapache2-mod-wsgi-py3
adduser rdmo --home /srv/rdmo
```

```bash
# as rdmo
python3 -m venv env
echo "source ~/env/bin/activate" >> ~/.bashrc
. ~/.bashrc
```

### rdmo-app

This is the app we will use with LDAP.

```bash
# as rdmo
git clone https://github.com/rdmorganiser/rdmo-app
cd rdmo-app
pip install --upgrade pip setuptools
pip install git+https://github.com/rdmorganiser/rdmo
pip install -r requirements/shibboleth.txt  # we need that later
```

Copy `rdmo/app.local.py` to `app.test.rdmo.org:/srv/rdmo/rdmo-app/config/settings`.

```bash
# as rdmo
./manage.py check
./manage.py migrate
./manage.py download_vendor_files
./manage.py collectstatic
```
### Deploy with Apache
Copy `apache2/app.conf` to `app.test.rdmo.org:/etc/apache2/sites-available/app.conf`.
```bash
# as root
a2enmod ssl rewrite
a2ensite app
systemctl restart apache2
```

RDMO with LDAP should work now on https://app.test.rdmo.org.
### rdmo-sp

Clone `rdmo-app` to `/srv/rdmo/rdmo-sp` (in the same `env`, so no `pip install` is required).

Copy `rdmo/sp.local.py` to `sp.test.rdmo.org:/srv/rdmo/rdmo-sp/config/settings`.

```bash
# as rdmo
./manage.py check
./manage.py migrate
./manage.py download_vendor_files
./manage.py collectstatic
```
Install the Shibboleth SP. Get the package from https://www.switch.ch/aai/guides/sp/installation/?os=ubuntu (the Ubuntu package is broken).

```bash
# as root
cd /opt
curl --fail --remote-name https://pkg.switch.ch/switchaai/ubuntu/dists/bionic/main/binary-all/misc/switchaai-apt-source_1.0.0ubuntu1_all.deb
apt install /opt/switchaai-apt-source_1.0.0ubuntu1_all.deb
apt update
apt install --install-recommends shibboleth
apt autoremove
```
Copy:

* `sp/attribute-map.xml` to `sp.test.rdmo.org:/etc/shibboleth`
* `sp/shibboleth2.xml` to `sp.test.rdmo.org:/etc/shibboleth`

Fetch the IdP metadata:

```bash
wget https://idp.test.rdmo.org/idp/shibboleth -O /etc/shibboleth/idp-metadata.xml
```

Generate keys and restart `shibd`:

```bash
shib-keygen
systemctl restart shibd
```

Copy `apache2/sp.conf` to `/etc/apache2/sites-available/sp.conf`.

```bash
# as root
a2ensite sp
systemctl restart apache2
```

Log in on `idp.test.rdmo.org`.

Uncomment the first `MetadataProvider` in `/opt/shibboleth-idp/conf/metadata-providers.xml`.

Fetch the SP metadata and restart tomcat:

```bash
wget https://sp.test.rdmo.org/Shibboleth.sso/Metadata -O /opt/shibboleth-idp/metadata/sp-metadata.xml
systemctl restart tomcat8
```

Now it should work on https://sp.test.rdmo.org (but probably won't).

Log back in on `sp.test.rdmo.org`.
### rdmo-sp2

Clone `rdmo-app` to `/srv/rdmo/rdmo-sp2` (again in the same `env`, so no `pip install` is required).

Copy `rdmo/sp2.local.py` to `sp.test.rdmo.org:/srv/rdmo/rdmo-sp2/config/settings/local.py`.

```bash
# as rdmo
./manage.py check
./manage.py migrate
./manage.py download_vendor_files
./manage.py collectstatic
```

Copy `apache2/sp2.conf` to `sp.test.rdmo.org:/etc/apache2/sites-available/sp2.conf`.

```bash
# as root
a2ensite sp2
systemctl restart apache2
```

Generate keys and restart `shibd`:

```bash
shib-keygen -h sp2.test.rdmo.org -n sp2
systemctl restart shibd
```

Log in on `idp.test.rdmo.org`.

Uncomment the second `MetadataProvider` in `/opt/shibboleth-idp/conf/metadata-providers.xml`.

Fetch the SP metadata and restart tomcat:

```bash
wget https://sp2.test.rdmo.org/Shibboleth.sso/Metadata -O /opt/shibboleth-idp/metadata/sp2-metadata.xml
systemctl restart tomcat8
```

Now things should work on https://sp2.test.rdmo.org as well.