Installation

Intended Audience: System administrators

1. Support
2. Prerequisites
3. Installation
4. Copyright & License
5. Software / technology used

Support

• Subscribe to ae-dir-users and get informed about news.
• If you need more help please consider commercial support.

Prerequisites

1. Make yourself familiar with the system architecture.
2. Install Æ-DIR servers with one of the supported operating systems. Currently the ansible playbooks support fully automated installation/configuration on…
   • openSUSE Tumbleweed
   • SLES 12SP2
   • Debian Jessie with OpenLDAP packages from Debian APT repository of LTB project
   • CentOS 7.3 with OpenLDAP packages from YUM repository of LTB project
   If you want to tweak the ansible roles to install on another OS make sure a recent OpenLDAP 2.4.44+ with overlay slapo-deref is available for your OS platform. Older releases are explicitly not recommended!
3. The ansible roles needs the following software packages on all target machines to be installed:
   • Python 2.x
   • python-xml
   • lsb_release command (package lsb-release)
4. Install on your admin workstation (the ansible controller):
   • ansible 2.2.0.0+ (Use Jinja2 2.8.x! ansible does not work with 2.9.x yet! (see issue 20063)
   • git
   • dnspython
   Simple approach:

         # virtualenv-2.7 /opt/ansible
         # /opt/ansible/bin/pip2 install --upgrade ansible==2.2.3.0 Jinja2==2.8.1 dnspython
       

5. Create DNS entries for all your Æ-DIR servers:
   • Don't forget to add correct reverse DNS entries (PTR RRs).
   • While not strictly required it's a good idea to choose a separate DNS subdomain especially not matched by any wild-card certificate you might use.
   • The DNS should at least contain one dot. Otherwise Chrome web browser won't accept/return cookies.
6. Prepare to have SSH access to all Æ-DIR servers as user root (via su or sudo)
7. Make yourself familiar with how to use command-line options for ansible become.
8. Check whether you can access the hosts with ansible setup:

   /opt/ansible/bin/ansible all -i 'hostname.example.com,' -m setup

   The trailing comma after the FQDN is needed when using a hostname!
9. Get the ansible playbooks:

   git clone https://ae-dir.com/git/ae-dir.git

10. Issue X.509 TLS server certificates with appropriate CN and subjectAltName values for all replicas with your existing PKI's certificate authority.
    The anti-security concept of wild-card certificates is not compatible with Æ-DIR's security concept! Therefore these cannot be used!
    If you don't have a PKI yet you can setup a test certificate authority (CA) with shell scripts found in tools/pki-scripts/.

Installation

1. Create environment directory structure (e.g. copy directory example/): cp -av example myenv.
2. Edit ansible inventory file myenv/hosts to match your hosts/VMs/containers of your installation environment.
3. Read comments in file ansible/roles/ae-dir-server/defaults/main.yml and adjust ansible group and host vars to match your environment.
4. Invoke ansible play in sub-directory ansible/ (here using command su):

   /opt/ansible/bin/ansible-playbook ae-dir-servers.yml -i myenv/hosts --become -K --become-method=su --extra-vars='{"aedir_init":True, "openldap_keygen":True}'

   • At first run this will generate TLS server key and signed CSR file and stops with a message where to find the CSR files on your local ansible controller.
   • After signing the CSRs with your CA place the server certificate file(s) into directory ae-dir/ansible/myenv/files/.
   • Invoke ansible-playbook command above again to proceed with installation.
5. Log into one provider system become user root and run the following commands to fully initialize your directory:
   1. Add the basic Æ-DIR entries with OpenLDAP command-line tool:
      • On SUSE / openSUSE:

        ldapmodify -f /opt/ae-dir/etc/ae-dir-base.ldif

      • On Debian:

        /usr/local/openldap/bin/ldapmodify -f /opt/ae-dir/etc/ae-dir-base.ldif

   2. Set the user password of an initial Æ admin (here msin):

      /opt/ae-dir/bin/ae-passwd.py msin

6. Check the systems' health by invoking as root the monitoring script on all Æ-DIR servers. By default it is installed to:

   /opt/ae-dir/sbin/slapd_checkmk.sh

Copyright & License

© 2015-2017 by Michael Ströder

  Licensed under the Apache License, Version 2.0 (the "License"); you may
  not use files and content provided on this web site except in compliance
  with the License. You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.

Software / technology used

Æ-DIR serves as a good example for standing on the shoulders of giants:

• Linux
• OpenLDAP 2.4.x server and client libs
• Python 2.x
• git
• ansible
• Apache 2.4.x
• web2ldap
• python-ldap
• slapdsock
• OATH-LDAP