mirror of https://github.com/laurivosandi/certidude synced 2024-12-23 00:25:18 +00:00

Update README

Lauri Võsandi 2017-04-14 01:47:28 +03:00
parent d91e12942d
commit c5a0b34b0a


@ -109,15 +109,14 @@ System dependencies for Ubuntu 16.04:
.. code:: bash .. code:: bash
apt install -y python python-pip python-dev cython \ apt install -y python python-cffi python-click python-configparser \
python-cffi python-configparser python-dateutil \ python-cryptography python-falcon python-humanize \
python-pysqlite2 python-mysql.connector python-ldap \ python-ipaddress python-jinja2 python-ldap python-markdown \
build-essential libffi-dev libssl-dev libkrb5-dev \ python-mimeparse python-mysql.connector python-openssl python-pip \
ldap-utils krb5-user \ python-pyasn1 python-pysqlite2 python-requests \
libsasl2-modules-gssapi-mit \ python-setproctitle python-xattr
libsasl2-dev libldap2-dev
System dependencies for Fedora 24+: System dependencies for Fedora 25+:
.. code:: bash .. code:: bash
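Review bot: The new Ubuntu package list drops `krb5-user`, `ldap-utils` and `libsasl2-modules-gssapi-mit`, which are runtime tools rather than build dependencies, and the only place they reappear in this commit is the Development section. The Active Directory section further down still has an "Initialize Kerberos credentials" step and relies on a GSSAPI credential cache for LDAP, so either keep these three packages here or confirm that the "Install additional dependencies" block in that section installs them. Also, the Fedora heading moves from 24+ to 25+ with no visible change to its package list; a brief mention of the reason in the commit message would help.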
@ -193,7 +192,7 @@ Setting up Active Directory authentication
Following assumes you have already set up Kerberos infrastructure and Following assumes you have already set up Kerberos infrastructure and
Certidude is simply one of the servers making use of that infrastructure. Certidude is simply one of the servers making use of that infrastructure.
Install dependencies: Install additional dependencies:
.. code:: bash .. code:: bash
@ -211,7 +210,7 @@ workgroup and realm accordingly:
realm = EXAMPLE.COM realm = EXAMPLE.COM
kerberos method = system keytab kerberos method = system keytab
Reset Kerberos configuration in ``/etc/krb5.conf``: Reset Kerberos client configuration in ``/etc/krb5.conf``:
.. code:: ini .. code:: ini
@ -220,13 +219,6 @@ Reset Kerberos configuration in ``/etc/krb5.conf``:
dns_lookup_realm = true dns_lookup_realm = true
dns_lookup_kdc = true dns_lookup_kdc = true
Reset LDAP configuration in /etc/ldap/ldap.conf:
.. code:: bash
BASE dc=example,dc=com
URI ldap://dc1.example.com
Initialize Kerberos credentials: Initialize Kerberos credentials:
.. code:: bash .. code:: bash
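Review bot: Removing the `/etc/ldap/ldap.conf` step (`BASE dc=example,dc=com`, `URI ldap://dc1.example.com`) leaves the README without any statement of where the LDAP server URI and base DN now come from. If they are set in `/etc/certidude/server.conf` or discovered some other way, say so in one sentence here; otherwise a reader following these steps has no place to point Certidude at the directory server.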
@ -247,23 +239,9 @@ Set up Kerberos keytab for the web service:
chown root:certidude /etc/certidude/server.keytab chown root:certidude /etc/certidude/server.keytab
chmod 640 /etc/certidude/server.keytab chmod 640 /etc/certidude/server.keytab
Reconfigure /etc/certidude/server.conf: Reconfigure /etc/certidude/server.conf so ``kerberos`` backend is used for authentication,
and ``ldap`` backend is used for accoutns and authorization.
.. code:: ini Adjust related options as necessary.
[authentication]
backends = kerberos
[authorization]
backend = ldap
ldap gssapi credential cache = /run/certidude/krb5cc
ldap user filter = (&(objectclass=user)(objectcategory=person)(samaccountname=%s))
ldap admin filter = (&(memberOf=cn=Domain Admins,cn=Users,dc=example,dc=com)(samaccountname=%s))
User filter here specified which users can log in to Certidude web interface
at all eg. for generating user certificates for HTTPS.
Admin filter specifies which users are allowed to sign and revoke certificates.
Adjust admin filter according to your setup.
Also make sure there is cron.hourly job for creating GSSAPI credential cache - Also make sure there is cron.hourly job for creating GSSAPI credential cache -
that's necessary for querying LDAP using Certidude machine's credentials. that's necessary for querying LDAP using Certidude machine's credentials.
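Review bot: The replacement sentence has a typo ("accoutns") and, more importantly, the removed text was the only place that explained the difference between the user filter (who may log in at all) and the admin filter (who may sign and revoke certificates). "Adjust related options as necessary" does not name those options, so a reader can no longer tell from the README which setting gates signing rights. Suggest keeping a short sentence naming `ldap user filter` and `ldap admin filter` and what each one controls, or pointing explicitly to where those options are documented.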
@ -330,6 +308,16 @@ The VPN connection should immideately become available under network connections
Development Development
----------- -----------
To use dependencies from pip:
.. code:: bash
apt install \
build-essential python-dev cython libffi-dev libssl-dev libkrb5-dev \
ldap-utils krb5-user \
libsasl2-modules-gssapi-mit \
libsasl2-dev libldap2-dev
Clone the repository: Clone the repository:
.. code:: bash .. code:: bash
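Review bot: "To use dependencies from pip:" does not say that the block installs the compiler and headers needed to build the pip packages, and it mixes those with the runtime tools `ldap-utils`, `krb5-user` and `libsasl2-modules-gssapi-mit`. Suggest rewording the lead-in to state that these are build prerequisites, and moving the runtime tools to the section that needs them. The command is also `apt install` without `-y`, unlike the `apt install -y` used in the system dependencies block.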
@ -367,6 +355,8 @@ To install the package from the source:
To uninstall: To uninstall:
.. code:: bash
pip uninstall certidude pip uninstall certidude