[fedfs-utils] [PATCH] FedFS - simple setup howto

Chuck Lever chuck.lever at oracle.com
Fri Oct 5 16:52:30 PDT 2012


On Sep 24, 2012, at 7:05 PM, Ian Kent wrote:

> On Mon, 2012-09-24 at 13:40 -0400, Chuck Lever wrote:
>> Hi-
>> 
>> On Aug 27, 2012, at 5:28 AM, Ian Kent wrote:
>> 
>>> +Setup an NSDB (NameSpace DataBase)
>>> +==================================
>>> +
>>> +1. Set parameters for NSDB connections:
>>> +	# nsdbparams(8) is used to set NSDB connection parameters
>>> +	nsdbparams update -e "dc=fedfs,dc=org" \
>>> +			  -D "cn=Manager,dc=fedfs,dc=org" \
>>> +			  zeus.fedfs.org
>>> +
>>> +2. Setup an OpenLDAP instance for fedfs.org:
>>> +	service slapd stop
>>> +or
>>> +	systemctl stop slapd.service
>>> +
>>> +Create /etc/openldap/slapd.conf as:
>>> +        include         /etc/openldap/schema/core.schema
>>> +        include         /etc/openldap/schema/cosine.schema
>>> +        include         /etc/openldap/schema/inetorgperson.schema
>>> +        include         /etc/openldap/schema/nis.schema
>>> +	# Get this from the FedFS distribution
>>> +        include         /etc/openldap/schema/fedfs.schema
>>> +
>>> +        pidfile         /var/run/openldap/slapd.pid
>>> +        argsfile        /var/run/openldap/slapd.args
>>> +
>>> +        database        bdb
>>> +        suffix          "dc=fedfs,dc=org"
>>> +        rootdn          "cn=Manager,dc=fedfs,dc=org"
>>> +        rootpw          secret
>>> +        directory       /var/lib/ldap
>>> +
>>> +        index objectClass                       eq,pres
>>> +        index ou,cn,mail,surname,givenname      eq,pres,sub
>>> +        index uidNumber,gidNumber,loginShell    eq,pres
>>> +        index uid,memberUid                     eq,pres,sub
>>> +        index nisMapName,nisMapEntry            eq,pres,sub
>>> +
>>> +Create fedfs.org-naming-context.ldif as:
>>> +	dn: dc=fedfs,dc=org
>>> +	objectClass: domain
>>> +	dc: fedfs
>>> +	description: naming context
>>> +
>>> +Create an OpenLDAP instance for fedfs.org:
>>> +	# Ensure that /etc/openldap/ldap.conf is setup to use fedfs.org
>>> +	# by commenting out any other URI and BASE directives and then
>>> +	# add definitions to the end of the configuration.
>>> +	echo "URI ldap://zeus.fedfs.org/" >> /etc/openldap/ldap.conf
>>> +	echo "BASE dc=fedfs,dc=org" >> /etc/openldap/ldap.conf
>>> +
>>> +	# Setup OpenLDAP for fedfs.org
>>> +	cd /etc/openldap
>>> +	restorecon -v slapd.conf
>>> +
>>> +	rm -f /var/lib/ldap/*
>>> +	# supress warnings that this file does not exist
>>> +	touch /var/lib/ldap/DB_CONFIG
>>> +
>>> +	rm -rf slapd.d
>>> +	slaptest -F slapd.d -f slapd.conf
>>> +	# I think this will restore the correct ownership
>>> +	# of the configuration directory tree but it may
>>> +	# be necessary to chmod -R ldap.ldap slapd.d also.
>>> +	restorecon -R -v slapd.d
>>> +
>>> +	slapadd -l fedfs.org-naming-context.ldif
>>> +	chown ldap.ldap /var/lib/ldap/*
>>> +	restorecon -v /var/lib/ldap/*
>>> +
>>> +	service slapd start
>>> +or
>>> +	systemctl start slapd.service
>>> +
>>> +4. Add NCI (NSDB Container information) attributes to the
>>> +   naming context LDAP entry:
>>> +	nsdb-update-nci -l zeus.fedfs.org \
>>> +		-D "cn=Manager,dc=fedfs,dc=org" \
>>> +		-e "dc=fedfs,dc=org"
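Review bot: `rootpw secret` in the slapd.conf block puts the Manager bind password in the howto in cleartext; suggest generating a hash with `slappasswd` and pasting its `{SSHA}...` output, and telling readers not to keep the literal `secret`. In the comment after `slaptest`, `chmod -R ldap.ldap slapd.d` cannot change ownership at all; that should be `chown -R ldap:ldap slapd.d` (the same form as the `chown ldap.ldap /var/lib/ldap/*` two lines further down). The step numbering goes 1, 2, 4: either label the "Create an OpenLDAP instance for fedfs.org" block as step 3 or renumber the NCI step. Since both `/etc/openldap/ldap.conf` and the nsdbparams/nsdb-update-nci examples use a plain `ldap://` URI with a simple bind as `cn=Manager`, a one-line note that the rootpw crosses the network in cleartext unless TLS is configured would be worth adding. Minor: "supress" should be "suppress", and `rm -f /var/lib/ldap/*` and `rm -rf slapd.d` destroy any existing directory without warning, so a sentence before them saying this is a fresh-install recipe would help.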
>> 
>> I'm new to OpenLDAP, but you have inspired me to try it out as an NSDB.
>>  I used your instructions.
>> 
>> It looks like OpenLDAP is in the middle of a major conversion from the
>> old-school slapd.conf way of configuration to a new "OnLine Config"
>> thingie.  I think our instructions and tools should take advantage of
>> the new method.
> 
> Yep, and has been for quite a while.
> 
>> 
>> We can build some simple tools that operate against a generic OpenLDAP
>> install:
>> 
>> 1.  Add the FedFS schema via an ldapmodify command
> 
> I think I also had an example of that in one of the two things I wrote.
> 
>> 
>> 2.  Set up either an "o=fedfs" suffix and database, or add an
>> "ou=fedfs" domain entry
> 
> Yeah, if you want to define a new suffix and database for an example
> LDAP database I found it less problematic to blow away the existing
> database and recreate the directory based configuration from a
> slapd.conf. You can use ldapadd (offline add) or ldapmodify (online add)
> to make changes as you wish.
> 
> Adding an additional domain to an existing tree with ldapmodify should
> work fine too.
> 
>> 
>> 3.  We already have the nsdb-update-nci tool that can take it from
>> there
> 
> Yep.
> 
>> 
>> That might make all of this a lot easier.  1. and 2. would reside under
>> the contrib/ directory in the fedfs-utils source tree.
> 
> Yep, it would be good to capture this in the source tree.
> 
>> 
>> What do you think?
> 
> It all sounds good to me.
> I've got a bit of work on for a while now so the FedFS documentation
> task hasn't reached the top of the push down task stack quite yet.

There are benefits to putting this kind of documentation on a wiki, rather than including it in the fedfs-utils distribution itself.  Inspired by your documentation post on this list, I've started playing with some stuff here:

  http://wiki.linux-nfs.org/wiki/index.php/FedFsInstallationGuides

I've also worked out some scripts to go in contrib/ldap, which can be added to over time.  I'm going to start posting patches for 0.9 very soon, hopefully next week.

Again, some of this is going to boil down to picking one way out of the several ways of doing things.  The "ou=fedfs,dc=example,dc=net" way has some interesting advantages over "o=fedfs":

  o Your FedFS domain name and the "dc=" suffix can match, making it easy for humans to find the NCE
  o You can have as many NCEs on an LDAP server as you have "dc=" suffixes
  o A "dc=" suffix is created by default by most LDAP server installation procedures, which makes NSDB setup a little simpler

We're also going to have to start wrestling with ACIs and database index configuration on the NCE DIT.

There was a FreeIPA KDC/LDAP server at the NFS bake-a-thon this week.  Soon we should start looking at similar scripts and documentation for setting up an NSDB on that server.

--
Chuck Lever
chuck[dot]lever[at]oracle[dot]com
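The "ou=fedfs,dc=example,dc=net" layout argued for above can be checked mechanically: the FedFS domain name maps to a "dc=" suffix and back, and an NCE DN is "in the right place" exactly when its suffix maps back to the domain. The following is an added example written for this page, not code from fedfs-utils or from the wiki; the function names, the choice of "fedfs" as the ou value, and the use of "example.net" as a sample domain are assumptions. It only emits the core-schema entries (domain and organizationalUnit); the NCI attributes themselves are what nsdb-update-nci adds afterwards.

```python
"""Map a FedFS domain name to its 'dc=' suffix and build the ou=fedfs NCE
beneath it, as discussed in the thread. Added example, not project code;
every name here is an assumption made for illustration."""

import re

# One DNS label (RFC 1035 style): 1-63 chars, letters/digits/hyphen,
# no leading or trailing hyphen. Restricting labels this way means the
# resulting dc= values never need RFC 4514 escaping.
_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def _labels(domain):
    return domain.strip().rstrip(".").lower().split(".")


def valid_domain(domain):
    """True for a multi-label domain name whose labels are all well-formed."""
    labels = _labels(domain)
    return len(labels) >= 2 and all(_LABEL.match(l) for l in labels)


def domain_to_suffix(domain):
    """example.net -> dc=example,dc=net"""
    if not valid_domain(domain):
        raise ValueError("not a usable DNS domain name: %r" % domain)
    return ",".join("dc=%s" % l for l in _labels(domain))


def suffix_to_domain(suffix):
    """dc=example,dc=net -> example.net; rejects any non-dc RDN."""
    labels = []
    for rdn in suffix.split(","):
        attr, _, value = rdn.partition("=")
        if attr.strip().lower() != "dc" or not value.strip():
            raise ValueError("non-dc RDN in suffix: %r" % rdn)
        labels.append(value.strip().lower())
    return ".".join(labels)


def nce_dn(domain, ou="fedfs"):
    """The NCE DN for a domain under the matching dc= suffix."""
    return "ou=%s,%s" % (ou, domain_to_suffix(domain))


def nce_matches_domain(dn, domain):
    """True when dn is 'ou=...,<suffix>' and <suffix> maps back to domain.
    An 'o=fedfs' style DN, or an NCE under some other suffix, fails."""
    first, _, suffix = dn.partition(",")
    if not first.strip().lower().startswith("ou=") or not suffix:
        return False
    try:
        return suffix_to_domain(suffix) == ".".join(_labels(domain))
    except ValueError:
        return False


def nce_dns(domains):
    """One NCE per dc= suffix on the same server: [(suffix, nce_dn), ...]."""
    return [(domain_to_suffix(d), nce_dn(d)) for d in domains]


def nce_ldif(domain, ou="fedfs"):
    """LDIF creating the suffix entry and the NCE beneath it using only
    core-schema object classes (suitable for ldapadd/ldapmodify -a)."""
    suffix = domain_to_suffix(domain)
    top_label = _labels(domain)[0]
    return (
        "dn: %s\n"
        "objectClass: domain\n"
        "dc: %s\n"
        "description: naming context for %s\n"
        "\n"
        "dn: ou=%s,%s\n"
        "objectClass: organizationalUnit\n"
        "ou: %s\n"
        "description: FedFS NSDB container entry for %s\n"
    ) % (suffix, top_label, domain, ou, suffix, ou, domain)


if __name__ == "__main__":
    print(nce_ldif("example.net"))
    for suffix, dn in nce_dns(["example.net", "fedfs.org"]):
        print("%s -> %s" % (suffix, dn))
```

Feeding the printed LDIF to ldapadd against a server whose suffix is already "dc=example,dc=net" will fail on the first entry with "already exists"; in that case drop the first record and add only the ou=fedfs entry, which is the "add a domain entry to an existing tree" case from the thread.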
