# RDMO test environment

This repository contains documentation and config files to set up a test environment for RDMO, in particular services for LDAP and Shibboleth authentication.

Important: These instructions are not meant for a production system. We will use weak passwords and an unsafe workflow for certificate signing.

Currently, the setup consists of virtual machines with no automated provisioning, but this might change (e.g. using ansible, docker, vagrant).

## DNS

This setup needs 3 virtual machines and uses 5 hostnames. Name resolution has to work somehow, e.g. by editing `/etc/hosts`:

```
192.168.0.111  ldap.test.rdmo.org ldap
192.168.0.112  idp.test.rdmo.org idp
192.168.0.113  app.test.rdmo.org app
192.168.0.113  sp.test.rdmo.org
192.168.0.113  sp2.test.rdmo.org
```

## Certificate authority

We set up a private CA to sign valid certificates (for our test setup). See `ssl/Makefile` and `ssl/ca.cnf` for the fun part.

```bash
cd ssl
make
```

Answer all questions correctly. This is the first test...

Import `ssl/ca/test.rdmo.org.crt` into your browser.

## bionic

This is the master VM from which all other VMs are cloned.

* HD: 20 GB
* Network: Bridged
* Image: `ubuntu-18.04.2-live-server-amd64.iso`

Install with standard options. After the install, set `preserve_hostname: true` in `/etc/cloud/cloud.cfg`.

## rdmo-ldap

This is the VM for the LDAP server holding the user accounts.

Clone `bionic` VM.

```bash
hostnamectl set-hostname ldap.test.rdmo.org
reboot
```

### LDAP

```bash
apt install slapd ldap-utils
dpkg-reconfigure slapd
```

Answer the configuration questions as follows:

* Omit OpenLDAP server configuration? No
* DNS domain name? `ldap.test.rdmo.org`. This determines the base DN of the directory (`dc=ldap,dc=test,dc=rdmo,dc=org`), which all commands below assume.
* Organization name? Any name is fine; nothing below depends on it.
* Administrator password? `admin` (the `ldapadd` commands below bind as `cn=admin` with this password; remember the warning about weak passwords above).
* Database backend? MDB
* Remove the database when slapd is purged? No
* Move old database? Yes
* Allow LDAPv2 protocol? No

```bash
ufw allow ldap
ldapwhoami -H ldap:// -x
```

Returns `anonymous`.

### SSL

```bash
usermod -aG ssl-cert openldap
systemctl restart slapd
```

Copy:

* `ssl/ca/test.rdmo.org.crt` to `ldap.test.rdmo.org:/usr/local/share/ca-certificates/`
* `ssl/ldap.test.rdmo.org.crt` to `ldap.test.rdmo.org:/etc/ssl/certs/`
* `ssl/ldap.test.rdmo.org.key` to `ldap.test.rdmo.org:/etc/ssl/private/`

Then make the CA known to the system and restrict the private key to the `ssl-cert` group, which `openldap` was added to above:

```bash
update-ca-certificates
chgrp ssl-cert /etc/ssl/private
chgrp ssl-cert /etc/ssl/private/ldap.test.rdmo.org.key
chmod 750 /etc/ssl/private/
chmod 640 /etc/ssl/private/ldap.test.rdmo.org.key
```

Copy the `ldap` directory of this repository to `/root/ldap` on `ldap.test.rdmo.org` and load the TLS configuration:

```bash
ldapmodify -H ldapi:// -Y EXTERNAL -f /root/ldap/ssl.ldif -v
```

### Users and Groups

```bash
ldapadd -x -D "cn=admin,dc=ldap,dc=test,dc=rdmo,dc=org" -w admin -f /root/ldap/users.ldif
ldapadd -x -D "cn=admin,dc=ldap,dc=test,dc=rdmo,dc=org" -w admin -f /root/ldap/groups.ldif
```

Check:

```bash
ldapsearch -v -x -D "uid=rdmo,dc=ldap,dc=test,dc=rdmo,dc=org" -w rdmo -b "dc=ldap,dc=test,dc=rdmo,dc=org" -s sub 'uid=user'
ldapsearch -v -x -D "uid=rdmo,dc=ldap,dc=test,dc=rdmo,dc=org" -w rdmo -b "dc=ldap,dc=test,dc=rdmo,dc=org" -s sub 'objectClass=groupOfNames'
```
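The repository's `users.ldif` and `groups.ldif` are not shown on this page. As an added example (not part of the repository), the following Python generates equivalent entries for the accounts the commands above bind as, applying the RFC 2849 rule that unsafe values are base64 encoded and storing passwords with OpenLDAP's `{SSHA}` scheme rather than in the clear; the `inetOrgPerson` objectClass, the group placement directly under the base DN and the sample names are assumptions.

```python
import base64
import hashlib
import os

# Base DN implied by the bind DNs used on this page (the real ldif files are not shown here)
BASE_DN = "dc=ldap,dc=test,dc=rdmo,dc=org"

def ssha(password: str, salt: bytes = None) -> str:
    """OpenLDAP {SSHA} password scheme: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password: str, stored: str) -> bool:
    """Check a password against a {SSHA} value, e.g. one read back with ldapsearch."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # the SHA-1 digest is 20 bytes, the rest is salt
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest

def ldif_attr(name: str, value: str) -> str:
    """RFC 2849: a value that is not a SAFE-STRING (non-ASCII or control characters,
    leading space/colon/'<', trailing space) must be base64 encoded after '::'."""
    safe = (value.isascii() and value.isprintable()
            and not value.startswith((" ", ":", "<")) and not value.endswith(" "))
    if safe:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

def user_entry(uid: str, cn: str, sn: str, password: str, salt: bytes = None) -> str:
    """One user entry; inetOrgPerson as objectClass is an assumption, not from the page."""
    lines = [ldif_attr("dn", f"uid={uid},{BASE_DN}"), "objectClass: inetOrgPerson",
             ldif_attr("uid", uid), ldif_attr("cn", cn), ldif_attr("sn", sn),
             ldif_attr("userPassword", ssha(password, salt))]
    return "\n".join(lines) + "\n"

def group_entry(cn: str, member_uids: list) -> str:
    """groupOfNames entry, as matched by the objectClass=groupOfNames search above."""
    lines = [f"dn: cn={cn},{BASE_DN}", "objectClass: groupOfNames", f"cn: {cn}"]
    lines += [f"member: uid={u},{BASE_DN}" for u in member_uids]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":  # constructed sample data using the weak test credentials from this page
    for uid, cn in (("rdmo", "RDMO service account"), ("idp", "IdP service account"), ("user", "Tëst User")):
        print(user_entry(uid, cn, uid, uid))
    print(group_entry("rdmo-users", ["user"]))
```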


## rdmo-idp

This is the VM acting as identity provider for Shibboleth.

Clone `bionic` VM.

Copy:

* `ssl/ca/test.rdmo.org.crt` to `idp.test.rdmo.org:/usr/local/share/ca-certificates/`
* `ssl/idp.test.rdmo.org.crt` to `idp.test.rdmo.org:/etc/ssl/certs/`
* `ssl/idp.test.rdmo.org.key` to `idp.test.rdmo.org:/etc/ssl/private/`

```bash
# as root
hostnamectl set-hostname idp.test.rdmo.org
update-ca-certificates
reboot
chgrp tomcat8 /etc/ssl/private
chgrp tomcat8 /etc/ssl/private/idp.test.rdmo.org.key
chmod 750 /etc/ssl/private/
chmod 640 /etc/ssl/private/idp.test.rdmo.org.key
```

(The `tomcat8` group only exists once the `tomcat8` package from the "Deploy IdP with tomcat" step below is installed.)

Check if LDAP works (with the `idp` user; `-ZZ` insists on a successful StartTLS, so this also verifies the CA certificate installed above):

```bash
apt install ldap-utils
ldapsearch -v -x -ZZ -H ldap://ldap.test.rdmo.org \
    -D "uid=idp,dc=ldap,dc=test,dc=rdmo,dc=org" -w idp \
    -b "dc=ldap,dc=test,dc=rdmo,dc=org" -s sub 'uid=user'
```

### Install IdP

Install Java dependencies:

```bash
apt install openjdk-8-jdk
echo "JAVA_HOME=/usr/lib/jvm/java-8-openjdk-amd64" >> /etc/environment
```

Then log out and log in again so that `JAVA_HOME` takes effect.

Get Shibboleth from https://shibboleth.net/downloads/identity-provider/latest/. We will use https://shibboleth.net/downloads/identity-provider/latest/shibboleth-identity-provider-3.4.4.tar.gz.

```bash
# as root
cd /opt
wget https://shibboleth.net/downloads/identity-provider/latest/shibboleth-identity-provider-3.4.4.tar.gz
tar xzvf shibboleth-identity-provider-3.4.4.tar.gz
cd shibboleth-identity-provider-3.4.4/bin
./install.sh
```

Accept the default values and enter new passwords.

Update `validUntil` in `/opt/shibboleth-idp/metadata/idp-metadata.xml` to something in the future.
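An SP that fetches this metadata refuses it once `validUntil` has passed, which is a common reason the Shibboleth login fails later with an unhelpful error. As an added check (not part of the repository), this Python reports how many days a metadata file has left and rewrites only the `validUntil` attribute; the sample `EntityDescriptor` is constructed, and the date format assumes the `xs:dateTime` form with a trailing `Z` that the installer writes.

```python
import datetime as dt
import re
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample, shaped like the EntityDescriptor that install.sh writes
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.test.rdmo.org/idp/shibboleth"
    validUntil="2019-08-01T12:00:00Z">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</EntityDescriptor>
"""

def parse_valid_until(xml_text: str):
    """validUntil of the root EntityDescriptor as an aware UTC datetime, or None
    when the attribute is absent (then the metadata does not expire on its own)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError(f"not a SAML EntityDescriptor: {root.tag}")
    value = root.get("validUntil")
    if value is None:
        return None
    value = re.sub(r"\.\d+Z$", "Z", value)  # drop fractional seconds if present
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)

def days_remaining(xml_text: str, now: dt.datetime):
    """Whole days until validUntil; negative means the metadata has already expired."""
    until = parse_valid_until(xml_text)
    return None if until is None else (until - now).days

def set_valid_until(xml_text: str, new_until: dt.datetime) -> str:
    """Rewrite only the validUntil attribute and leave the rest of the file untouched
    (re-serialising with ElementTree would drop comments and rename namespace prefixes)."""
    stamp = new_until.astimezone(dt.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    new_text, count = re.subn(r'validUntil="[^"]*"', f'validUntil="{stamp}"', xml_text, count=1)
    if count != 1:
        raise ValueError("no validUntil attribute found")
    return new_text

if __name__ == "__main__":
    now = dt.datetime.now(dt.timezone.utc)
    left = days_remaining(SAMPLE_METADATA, now)
    print("days remaining:", left)
    if left is not None and left < 0:
        print(set_valid_until(SAMPLE_METADATA, now + dt.timedelta(days=365)))
```

Run it against `/opt/shibboleth-idp/metadata/idp-metadata.xml` (and later against the SP metadata fetched on the IdP) to see at a glance whether the file is still accepted.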

### Deploy IdP with tomcat

```bash
apt install apache2 tomcat8 tomcat8-admin
usermod -aG ssl-cert tomcat8
```

In `/etc/tomcat8/server.xml` uncomment:

```xml
<Connector
       protocol="org.apache.coyote.http11.Http11AprProtocol"
       port="8443" maxThreads="200"
       scheme="https" secure="true" SSLEnabled="true"
       SSLCertificateFile="/etc/ssl/certs/idp.test.rdmo.org.crt"
       SSLCertificateKeyFile="/etc/ssl/private/idp.test.rdmo.org.key"
       SSLVerifyClient="optional" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"/>

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
```

Note that this connector still accepts TLSv1 and TLSv1.1; outside this test setup, restrict `SSLProtocol` to `TLSv1.2`.

Add an admin user for tomcat. In `/etc/tomcat8/tomcat-users.xml` add:

```xml
<user username="tomcat" password="tomcat" roles="manager-gui, admin-gui"/>
```

Download jstl-1.2.jar from https://mvnrepository.com/artifact/javax.servlet/jstl/1.2 and move it to /var/lib/tomcat8/lib/ (this prevents a NestedServletException later).

Restart tomcat:

```bash
systemctl restart tomcat8
```

http://idp.test.rdmo.org:8080 and https://idp.test.rdmo.org:8443 should work now.

For debugging, look at `/var/log/tomcat8/catalina.out`.

Change the owner of `/opt/shibboleth-idp` so that tomcat can read and write it:

```bash
chown -R tomcat8:tomcat8 /opt/shibboleth-idp
```

Go to http://idp.test.rdmo.org:8080/manager and, under "Deploy directory or WAR file located on server", enter:

* Context Path (required): `/idp`
* XML Configuration file URL: (leave empty)
* WAR or Directory URL: `/opt/shibboleth-idp/war/idp.war`

Start the container. http://idp.test.rdmo.org:8080/idp/ should show a page now.

### Configure IdP

Copy:

* `idp/access-control.xml` (really insecure, do not use in production)
* `idp/attribute-resolver.xml`
* `idp/attribute-filter.xml`
* `idp/ldap.properties`
* `idp/metadata-providers.xml`

to `/opt/shibboleth-idp/conf/` on `idp.test.rdmo.org`.

Restart tomcat:

```bash
systemctl restart tomcat8
```

### Proxy IdP with apache

Copy `apache2/idp.conf` to `idp.test.rdmo.org:/etc/apache2/sites-available/000-default.conf`.

```bash
a2enmod ssl rewrite proxy_ajp
systemctl restart apache2
```

Go to:

## rdmo-app

This is the VM for the different rdmo apps.

Clone `bionic` VM.

```bash
hostnamectl set-hostname app.test.rdmo.org
reboot
```

Copy:

* `ssl/ca/test.rdmo.org.crt` to `app.test.rdmo.org:/usr/local/share/ca-certificates/`
* `ssl/app.test.rdmo.org.crt` to `app.test.rdmo.org:/etc/ssl/certs/`
* `ssl/sp.test.rdmo.org.crt` to `app.test.rdmo.org:/etc/ssl/certs/`
* `ssl/sp2.test.rdmo.org.crt` to `app.test.rdmo.org:/etc/ssl/certs/`
* `ssl/app.test.rdmo.org.key` to `app.test.rdmo.org:/etc/ssl/private/`
* `ssl/sp.test.rdmo.org.key` to `app.test.rdmo.org:/etc/ssl/private/`
* `ssl/sp2.test.rdmo.org.key` to `app.test.rdmo.org:/etc/ssl/private/`

```bash
# as root
update-ca-certificates
```

Check if LDAP works (with the `rdmo` user):

```bash
# as root
apt install ldap-utils
ldapsearch -v -x -ZZ -H ldap://ldap.test.rdmo.org \
    -D "uid=rdmo,dc=ldap,dc=test,dc=rdmo,dc=org" -w rdmo \
    -b "dc=ldap,dc=test,dc=rdmo,dc=org" -s sub 'uid=user'
```

### Set up rdmo prerequisites and user

```bash
# as root
apt install build-essential libxml2-dev libxslt-dev zlib1g-dev \
    python3-dev python3-pip python3-venv \
    git pandoc texlive texlive-xetex \
    apache2 libapache2-mod-wsgi-py3

adduser rdmo --home /srv/rdmo
```

```bash
# as rdmo
python3 -m venv env
echo "source ~/env/bin/activate" >> ~/.bashrc
. ~/.bashrc
```

### Install app

This is the app we will use with LDAP.

```bash
# as rdmo
git clone https://github.com/rdmorganiser/rdmo-app
cd rdmo-app

pip install --upgrade pip setuptools
pip install git+https://github.com/rdmorganiser/rdmo
pip install -r requirements/shibboleth.txt  # we need that later
```

Copy `rdmo/app.local.py` to `app.test.rdmo.org:/srv/rdmo/rdmo-app/config/settings`.

```bash
# as rdmo
./manage.py check
./manage.py migrate
./manage.py download_vendor_files
./manage.py collectstatic
```

### Deploy with Apache

Copy `apache2/app.conf` to `app.test.rdmo.org:/etc/apache2/sites-available/app.conf`.

```bash
# as root
a2enmod ssl rewrite
a2ensite app
systemctl restart apache2
```

RDMO with LDAP should work now on https://app.test.rdmo.org.

### Install first SP

Clone `rdmo-app` to `/srv/rdmo/rdmo-sp` (in the same env, so no `pip install` required).

Copy `rdmo/sp.local.py` to `sp.test.rdmo.org:/srv/rdmo/rdmo-sp/config/settings`.

```bash
# as rdmo
./manage.py check
./manage.py migrate
./manage.py download_vendor_files
./manage.py collectstatic
```

### Install service provider

Get the package from https://www.switch.ch/aai/guides/sp/installation/?os=ubuntu (the Ubuntu package is broken).

```bash
cd /opt
curl --fail --remote-name https://pkg.switch.ch/switchaai/ubuntu/dists/bionic/main/binary-all/misc/switchaai-apt-source_1.0.0ubuntu1_all.deb
apt install /opt/switchaai-apt-source_1.0.0ubuntu1_all.deb
apt update
apt install --install-recommends shibboleth
apt autoremove
```

### Configure service provider

Copy:

* `sp/attribute-map.xml` to `sp.test.rdmo.org:/etc/shibboleth`
* `sp/shibboleth2.xml` to `sp.test.rdmo.org:/etc/shibboleth`

Fetch the IdP metadata:

```bash
wget https://idp.test.rdmo.org/idp/shibboleth -O /etc/shibboleth/idp-metadata.xml
```

Generate keys and restart shibd:

```bash
shib-keygen
systemctl restart shibd
```

### Deploy first SP with Apache

Copy `apache2/sp.conf` to `/etc/apache2/sites-available/sp.conf`.

```bash
# as root
a2ensite sp
systemctl restart apache2
```

### Configure metadata on IdP

Log in on `idp.test.rdmo.org`.

Uncomment the first `MetadataProvider` in `/opt/shibboleth-idp/conf/metadata-providers.xml`.

Fetch the SP metadata and restart tomcat:

```bash
wget https://sp.test.rdmo.org/Shibboleth.sso/Metadata -O /opt/shibboleth-idp/metadata/sp-metadata.xml
systemctl restart tomcat8
```

Now it should work on https://sp.test.rdmo.org (but probably won't).

### Install second SP

Log back in on `sp.test.rdmo.org`.

Clone `rdmo-app` to `/srv/rdmo/rdmo-sp2` (again, in the same env, so no `pip install` required).

Copy `rdmo/sp2.local.py` to `sp.test.rdmo.org:/srv/rdmo/rdmo-sp2/config/settings/local.py`.

```bash
# as rdmo
./manage.py check
./manage.py migrate
./manage.py download_vendor_files
./manage.py collectstatic
```

### Deploy second SP with Apache

Copy `apache2/sp2.conf` to `sp.test.rdmo.org:/etc/apache2/sites-available/sp2.conf`.

```bash
# as root
a2ensite sp2
systemctl restart apache2
```

Generate keys for the second SP and restart shibd:

```bash
shib-keygen -h sp2.test.rdmo.org -n sp2
systemctl restart shibd
```

### Configure metadata on IdP

Log in on `idp.test.rdmo.org`.

Uncomment the second `MetadataProvider` in `/opt/shibboleth-idp/conf/metadata-providers.xml`.

Fetch the SP metadata and restart tomcat:

```bash
wget https://sp2.test.rdmo.org/Shibboleth.sso/Metadata -O /opt/shibboleth-idp/metadata/sp2-metadata.xml
systemctl restart tomcat8
```

Now things should work on https://sp2.test.rdmo.org as well.