Changeset - 54e3820a872e
Parent rev.
Child rev.
[Not reviewed]
0 1 0
Branko Majic (branko) - 10 days ago 2024-09-09 15:03:53
branko@majic.rs
MAR-218: Update to non-deprecated ldap_attrs module in usage instructions.
1 file changed with 6 insertions and 5 deletions:
docs/usage.rst
6
5
0 comments (0 inline, 0 general)
docs/usage.rst
Show inline comments
 
@@ -925,53 +925,53 @@ role.
 
      :file:`~/mysite/tls/comms.example.com_imap.cfg`
 
      ::
 

			




	
	
	
		
 
         organization = "Example Inc."

			




	
	
	
		
 
         country = SE

			




	
	
	
		
 
         cn = "Exampe Inc. IMAP Server"

			




	
	
	
		
 
         expiration_days = 365

			




	
	
	
		
 
         dns_name = "comms.example.com"

			




	
	
	
		
 
         tls_www_server

			




	
	
	
		
 
         signing_key

			




	
	
	
		
 
         encryption_key

			




	
	
	
		
 

			




	
	
	
		
 
   2. Create the keys and certificates for SMTP/IMAP services based on the templates::

			




	
	
	
		
 

			




	
	
	
		
 
        certtool --sec-param normal --generate-privkey --outfile ~/mysite/tls/comms.example.com_smtp.key

			




	
	
	
		
 
        certtool --generate-certificate --load-ca-privkey ~/mysite/tls/ca.key --load-ca-certificate ~/mysite/tls/ca.pem --template ~/mysite/tls/comms.example.com_smtp.cfg --load-privkey ~/mysite/tls/comms.example.com_smtp.key --outfile ~/mysite/tls/comms.example.com_smtp.pem

			




	
	
	
		
 
        certtool --sec-param normal --generate-privkey --outfile ~/mysite/tls/comms.example.com_imap.key

			




	
	
	
		
 
        certtool --generate-certificate --load-ca-privkey ~/mysite/tls/ca.key --load-ca-certificate ~/mysite/tls/ca.pem --template ~/mysite/tls/comms.example.com_imap.cfg --load-privkey ~/mysite/tls/comms.example.com_imap.key --outfile ~/mysite/tls/comms.example.com_imap.pem

			




	
	
	
		
 

			




	
	
	
		
 
6. Configuration and TLS keys have ben set-up, so it is time to apply the changes::

			




	
	
	
		
 

			




	
	
	
		
 
     workon mysite && ansible-playbook playbooks/site.yml

			




	
	
	
		
 

			




	
	
	
		
 
7. Let's add the two users to the mail group (otherwise, the mail

			




	
	
	
		
 
   server will ignore them). We'll use the ``ldap_attr`` module

			




	
	
	
		
 
   server will ignore them). We'll use the ``ldap_attrs`` module

			




	
	
	
		
 
   directly to make our life a bit easier::

			




	
	
	
		
 

			




	
	
	
		
 
     workon mysite && ansible --become -m ldap_attr -a "dn=cn=mail,ou=groups,dc=example,dc=com state=present name=uniqueMember values=uid=johndoe,ou=people,dc=example,dc=com" communications

			




	
	
	
		
 
     workon mysite && ansible --become -m ldap_attr -a "dn=cn=mail,ou=groups,dc=example,dc=com state=present name=uniqueMember values=uid=janedoe,ou=people,dc=example,dc=com" communications

			




	
	
	
		
 
     workon mysite && ansible --become -m ldap_attrs -a '{"dn": "cn=mail,ou=groups,dc=example,dc=com", "state": "present", "attributes": {"uniqueMember": "uid=johndoe,ou=people,dc=example,dc=com"}}' communications

			




	
	
	
		
 
     workon mysite && ansible --become -m ldap_attrs -a '{"dn": "cn=mail,ou=groups,dc=example,dc=com", "state": "present", "attributes": {"uniqueMember": "uid=janedoe,ou=people,dc=example,dc=com"}}' communications

			




	
	
	
		
 

			




	
	
	
		
 
8. If no errors have been reported, at this point you should have two mail

			




	
	
	
		
 
   accounts - ``john.doe@example.com``, with password ``johndoe``, and

			




	
	
	
		
 
   ``jane.doe@example.com``, with password ``janedoe``. In this particular

			




	
	
	
		
 
   set-up, the mail addresses are used as usernames. If you want to test it out,

			




	
	
	
		
 
   simply install ``swaks`` on your Ansible machine, and run something along the

			




	
	
	
		
 
   lines of

			




	
	
	
		
 

			




	
	
	
		
 
   ::

			




	
	
	
		
 

			




	
	
	
		
 
     swaks --to john.doe@example.com --server comms.example.com

			




	
	
	
		
 
     swaks --to jane.doe@example.com --server comms.example.com

			




	
	
	
		
 

			




	
	
	
		
 
  Of course, free feel to also test out the mail server using any mail client of

			




	
	
	
		
 
  your choice. When doing so, use port 587 for SMTP. Port 25 is reserved for

			




	
	
	
		
 
  unauthenticated server-to-server mail deliveries.

			




	
	
	
		
 

			




	
	
	
		
 
  If you face issues with ISPs or hotels blocking the two ports listed above,

			




	
	
	
		
 
  you can also use alternative ports 26 (redirected to port 587) and 27

			




	
	
	
		
 
  (redirected to port 25).

			




	
	
	
		
 

			




	
	
	
		
 
  TLS has also been hardened on port 587 to allow only TLSv1.2 and PFS ciphers

			




	
	
	
		
 
  (you can override TLS versions/ciphers via role configuration). TLS

			




	
	
	
		
 
  configuration on port 25 has been left unchanged for maximum

			




	
	
		
 
@@ -1166,50 +1166,51 @@ role.

			




	
	
	
		
 
         encryption_key

			




	
	
	
		
 

			




	
	
	
		
 
   2. Create the keys and certificates for XMPP service based on the template::

			




	
	
	
		
 

			




	
	
	
		
 
        certtool --sec-param normal --generate-privkey --outfile ~/mysite/tls/comms.example.com_xmpp.key

			




	
	
	
		
 
        certtool --generate-certificate --load-ca-privkey ~/mysite/tls/ca.key --load-ca-certificate ~/mysite/tls/ca.pem --template ~/mysite/tls/comms.example.com_xmpp.cfg --load-privkey ~/mysite/tls/comms.example.com_xmpp.key --outfile ~/mysite/tls/comms.example.com_xmpp.pem

			




	
	
	
		
 

			




	
	
	
		
 
5. Apply the changes::

			




	
	
	
		
 

			




	
	
	
		
 
     workon mysite && ansible-playbook playbooks/site.yml

			




	
	
	
		
 

			




	
	
	
		
 
6. Ok, configuration of the role is complete. You may have noticed

			




	
	
	
		
 
   that we still haven't added any users to the new LDAP group called

			




	
	
	
		
 
   "xmpp". So let us correct this in similar way as we did for the

			




	
	
	
		
 
   mail server. Since we have the user entries already, no need to

			




	
	
	
		
 
   recreate them here. We will just update the group membership

			




	
	
	
		
 
   instead.

			




	
	
	
		
 

			




	
	
	
		
 
   .. warning::

			




	
	
	
		
 
      Same warning applies here as for mail server role for managing the

			




	
	
	
		
 
      user/group entries! Scroll up and re-read it if you missed it!

			




	
	
	
		
 

			




	
	
	
		
 
   ::

			




	
	
	
		
 

			




	
	
	
		
 
      workon mysite && ansible --become -m ldap_attr -a "dn=cn=xmpp,ou=groups,dc=example,dc=com state=present name=uniqueMember values=uid=johndoe,ou=people,dc=example,dc=com" communications

			




	
	
	
		
 
      workon mysite && ansible --become -m ldap_attr -a "dn=cn=xmpp,ou=groups,dc=example,dc=com state=present name=uniqueMember values=uid=janedoe,ou=people,dc=example,dc=com" communications

			




	
	
	
		
 
     workon mysite && ansible --become -m ldap_attrs -a '{"dn": "cn=xmpp,ou=groups,dc=example,dc=com", "state": "present", "attributes": {"uniqueMember": "uid=johndoe,ou=people,dc=example,dc=com"}}' communications

			




	
	
	
		
 
     workon mysite && ansible --become -m ldap_attrs -a '{"dn": "cn=xmpp,ou=groups,dc=example,dc=com", "state": "present", "attributes": {"uniqueMember": "uid=janedoe,ou=people,dc=example,dc=com"}}' communications

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
7. If no errors have been reported, at this point you should have two users

			




	
	
	
		
 
   capable of using the XMPP service - one with username

			




	
	
	
		
 
   ``john.doe@example.com`` and one with username ``jane.doe@example.com``. Same

			




	
	
	
		
 
   passwords are used as for when you were creating the two users for mail

			




	
	
	
		
 
   server. For testing you can turn to your favourite XMPP client (I don't know

			




	
	
	
		
 
   of any quick CLI-based tools to test the XMPP server functionality,

			




	
	
	
		
 
   unfortunately, but you could try using `mcabber <https://mcabber.com/>`_).

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
Taking a step back - preparing for web server

			




	
	
	
		
 
---------------------------------------------

			




	
	
	
		
 

			




	
	
	
		
 
Up until now the usage instructions have dealt almost exclusively with the

			




	
	
	
		
 
communications server. That is, we haven't done anything beyond the basic set-up

			




	
	
	
		
 
of the other servers.

			




	
	
	
		
 

			




	
	
	
		
 
Let us first define what we want to deploy on the web server. Here is the plan:

			




	
	
	
		
 

			




	
	
	
		
 
1. First off, we will set-up the web server. This will be necessary no matter

			




	
	
	
		
 
   what web application we decide to deploy later on.

			




	
	
	
		
 

			




	
	
	
		
 
2. Next, we will set-up a database server. Why? Well, most web applications

			




        

    



    


    



    



      

      





    
    0 comments (0 inline, 0 general)
    





    


  

  







  


    




    








    
        
    
    
        This site is powered by
            Kallithea 0.7.0,
        which is
        © 2010–2024 by various authors & licensed under GPLv3.