Installation

  1. Prerequisites
  2. Installation

Prerequisites

  1. Make yourself familiar with the system architecture.
  2. Install Æ-DIR servers with one of the supported operating systems. Currently the ansible playbooks support fully automated installation/configuration on… If you want to tweak the ansible roles to install on another OS, make sure a recent OpenLDAP 2.4.44+ with the overlay slapo-deref is available for your OS platform. Older releases are explicitly not recommended!
  3. The ansible roles need the following software packages to be installed on all target machines:
    • Python 2.x
    • python-xml
    • lsb_release command (package lsb-release)
  4. Install ansible on your admin workstation (the ansible controller). Simple approach:
    # virtualenv-2.7 /opt/ansible
    # /opt/ansible/bin/pip2 install --upgrade ansible==2.2.3.0 Jinja2==2.8.1 dnspython
  5. Create DNS entries for all your Æ-DIR servers:
    • Don't forget to add correct reverse DNS entries (PTR RRs).
    • While not strictly required it's a good idea to choose a separate DNS subdomain especially not matched by any wild-card certificate you might use.
    • The DNS name should contain at least one dot. Otherwise the Chrome web browser won't accept/return cookies for it.
  6. Prepare SSH access to all Æ-DIR servers as user root (via su or sudo).
  7. Make yourself familiar with how to use command-line options for ansible become.
  8. Check whether you can access the hosts with ansible setup:
    /opt/ansible/bin/ansible all -i 'hostname.example.com,' -m setup
    The trailing comma after the FQDN is needed when using a hostname!
  9. Get the ansible playbooks:
    git clone https://ae-dir.com/git/ae-dir.git
  10. Issue X.509 TLS server certificates with appropriate CN and subjectAltName values for all replicas with your existing PKI's certificate authority.
    The anti-security concept of wild-card certificates is not compatible with Æ-DIR's security concept! Therefore these cannot be used!
    If you don't have a PKI yet you can set up a test certificate authority (CA) with the shell scripts found in tools/pki-scripts/.
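A pre-flight check for prerequisites 5 and 10 above (name contains a dot, reverse DNS matches, no wild-card certificate names), written here as an added example and not part of the Æ-DIR playbooks. The host names, addresses and certificate names used in the test are constructed; the live lookup helpers use the standard socket module rather than dnspython.

```python
import socket

def check_server_name(fqdn):
    """Static checks on one Æ-DIR server name (prerequisite 5)."""
    problems = []
    if "." not in fqdn.strip("."):
        problems.append("name has no dot: browsers will not return cookies for it")
    if "*" in fqdn:
        problems.append("wild-card name cannot be an Æ-DIR server name")
    return problems

def check_cert_names(fqdn, cn, sans):
    """CN or a subjectAltName must equal the FQDN; wild-cards are rejected (prerequisite 10)."""
    names = [n for n in [cn, *sans] if n]
    problems = [f"wild-card name in certificate: {n}" for n in names if n.startswith("*.")]
    if not names:
        problems.append("no certificate names supplied")
    elif fqdn.lower() not in (n.lower() for n in names):
        problems.append(f"neither CN nor subjectAltName matches {fqdn}")
    return problems

def check_reverse_dns(fqdn, forward, reverse):
    """forward: fqdn -> list of IPs; reverse: ip -> list of PTR names.
    Both are injected so the logic can be exercised offline."""
    problems = []
    addrs = forward(fqdn) or []
    if not addrs:
        problems.append("no A/AAAA record")
    for addr in addrs:
        ptrs = [p.rstrip(".").lower() for p in (reverse(addr) or [])]
        if fqdn.lower() not in ptrs:
            problems.append(f"PTR for {addr} does not point back to {fqdn} (got {ptrs})")
    return problems

def live_forward(fqdn):
    return sorted({ai[4][0] for ai in socket.getaddrinfo(fqdn, None)})

def live_reverse(addr):
    try:
        return [socket.gethostbyaddr(addr)[0]]
    except (socket.herror, socket.gaierror):
        return []

def preflight(hosts, cert_names, forward=live_forward, reverse=live_reverse):
    """hosts: list of FQDNs; cert_names: fqdn -> (cn, [sans]). Returns {fqdn: [problems]}."""
    report = {}
    for fqdn in hosts:
        cn, sans = cert_names.get(fqdn, (None, []))
        report[fqdn] = (check_server_name(fqdn) + check_cert_names(fqdn, cn, sans)
                        + check_reverse_dns(fqdn, forward, reverse))
    return report
```

Run preflight() with the defaults against your real inventory before step 10; an empty problem list for every host means the DNS and certificate prerequisites are met.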

Installation

  1. Create ansible inventory file named hosts to match your environment (see file hosts-example for details).
  2. Read comments in file ansible/roles/ae-dir-server/defaults/main.yml and adjust ansible group and host vars to match your environment.
  3. Invoke ansible play in sub-directory ansible/ (here using command su):
    /opt/ansible/bin/ansible-playbook ae-dir-servers.yml -i hosts --become -K --become-method=su --extra-vars='{"aedir_init":True, "openldap_keygen":True}'
    • On the first run this generates the TLS server key and signed CSR file and stops with a message telling you where to find the CSR files on your local ansible controller.
    • After signing the CSRs with your CA place the server certificate file(s) into directory ae-dir/ansible/files/.
    • Invoke ansible-playbook command above again to proceed with installation.
  4. Log into one provider system, become user root and run the following commands to fully initialize your directory:
    1. Add the basic Æ-DIR entries with OpenLDAP command-line tool:
      • On SUSE / openSUSE:
        ldapmodify -f /opt/ae-dir/etc/ae-dir-base.ldif
      • On Debian:
        /usr/local/openldap/bin/ldapmodify -f /opt/ae-dir/etc/ae-dir-base.ldif
    2. Set the user password of an initial Æ admin (here msin):
      /opt/ae-dir/bin/ae-passwd.py msin
  5. Check the systems' health by invoking the monitoring script as root on all Æ-DIR servers. By default it is installed to:
    /opt/ae-dir/sbin/slapd_checkmk.sh