MXLinux Desktop as an SSO-Provider.Are you kidding me???
Posted: Thu Dec 26, 2019 5:38 pm
Hi Guys,
Expanding om my previouss thread viewtopic.php?f=23&t=55007&p=549125#p549125 about installing a Bind DNS name server on MXLinux,
I wrote a script that installs and configures the following:
Bind
Openldap server over SSL
Kerberos KDC, Kerberos Admin Server and
Kerberized Nfs-server.
If anyone feels geeky enough to try this in A VM and give me their feedback I would be much obliged.
As always FIRST you need to assign an FQDN and Static IP to your machine.
Please look the above thread about DNS.
This step is CRITICAL and the script will NOT WORK without this prerequisite.
Before you run the script these commands should work:
hostname
hostname -d OR dnsdomainname and
and the /etc/hosts file only contain "127.0.0.1 localhost"
Else the script will refuse to run.
The script first installs and configures a BIND Dns server,creating forward and reverse lookup zones for you.
Then It will install and configure an Openldap server and it will add the OUs People Group and sudoers.
Then It will install self-signed certificates for your machine and also add ldaps(ldap over SSL) functionality to your server.
Next it will install Kerberos (both KDC and Kadmin), initialize your REALM and add two principals:
host/FQDN
nfs/FQDN
and their respective keys in /etc/krb5.keytab.
Next it will install an Nfs-Server, create the "/srv/nfs/private directory" and export it with sec=krb5p option.
It works perfectly for me both in MXLinux and Debian.
The script contains 4 functions:
dnsinstall
openldapinstall
krb5install
and nfsinstall
Currently they are all commented out.
You can choose what to uncomment and install.
NOTE for nfsinstall you need also krb5install
You can rerun it as many times as you like either with all oprtons or parts of it.
ONE CAVEAT:If you rerun dnsinstall after you have modified your machine to listen only to 127.0.0.1 as the sole DNS nameserver,you WILL temporarily loose name resolution because this script FIRST PURGES all config and then REINSTALLs it each time you run it.
SOLUTION in "/etc/resolv.conf" temporarily add a clause "nameserver <your router-ip>" and then feel free to RERUN it.
I am a little proud of this script.
Took me a long time to tune.
It needs a lot of work and additional functionality to move towards SSO but its a start..
You know the drill:rename it "ssoinstall" make it executable and run it by "sudo bash ssoinstall"
Please have a look,play around, enjoy and let me know...
Expanding om my previouss thread viewtopic.php?f=23&t=55007&p=549125#p549125 about installing a Bind DNS name server on MXLinux,
I wrote a script that installs and configures the following:
Bind
Openldap server over SSL
Kerberos KDC, Kerberos Admin Server and
Kerberized Nfs-server.
If anyone feels geeky enough to try this in A VM and give me their feedback I would be much obliged.
As always FIRST you need to assign an FQDN and Static IP to your machine.
Please look the above thread about DNS.
This step is CRITICAL and the script will NOT WORK without this prerequisite.
Before you run the script these commands should work:
hostname
hostname -d OR dnsdomainname and
and the /etc/hosts file only contain "127.0.0.1 localhost"
Else the script will refuse to run.
The script first installs and configures a BIND Dns server,creating forward and reverse lookup zones for you.
Then It will install and configure an Openldap server and it will add the OUs People Group and sudoers.
Then It will install self-signed certificates for your machine and also add ldaps(ldap over SSL) functionality to your server.
Next it will install Kerberos (both KDC and Kadmin), initialize your REALM and add two principals:
host/FQDN
nfs/FQDN
and their respective keys in /etc/krb5.keytab.
Next it will install an Nfs-Server, create the "/srv/nfs/private directory" and export it with sec=krb5p option.
It works perfectly for me both in MXLinux and Debian.
The script contains 4 functions:
dnsinstall
openldapinstall
krb5install
and nfsinstall
Currently they are all commented out.
You can choose what to uncomment and install.
NOTE for nfsinstall you need also krb5install
You can rerun it as many times as you like either with all oprtons or parts of it.
ONE CAVEAT:If you rerun dnsinstall after you have modified your machine to listen only to 127.0.0.1 as the sole DNS nameserver,you WILL temporarily loose name resolution because this script FIRST PURGES all config and then REINSTALLs it each time you run it.
SOLUTION in "/etc/resolv.conf" temporarily add a clause "nameserver <your router-ip>" and then feel free to RERUN it.
I am a little proud of this script.
Took me a long time to tune.
It needs a lot of work and additional functionality to move towards SSO but its a start..
You know the drill:rename it "ssoinstall" make it executable and run it by "sudo bash ssoinstall"
Please have a look,play around, enjoy and let me know...
