mirror of
https://github.com/laurivosandi/certidude
synced 2024-12-23 00:25:18 +00:00
Update README
parent
d91e12942d
commit
c5a0b34b0a
58
README.rst
@ -109,15 +109,14 @@ System dependencies for Ubuntu 16.04:
|
|||||||
|
|
||||||
.. code:: bash
|
.. code:: bash
|
||||||
|
|
||||||
apt install -y python python-pip python-dev cython \
|
apt install -y python python-cffi python-click python-configparser \
|
||||||
python-cffi python-configparser python-dateutil \
|
python-cryptography python-falcon python-humanize \
|
||||||
python-pysqlite2 python-mysql.connector python-ldap \
|
python-ipaddress python-jinja2 python-ldap python-markdown \
|
||||||
build-essential libffi-dev libssl-dev libkrb5-dev \
|
python-mimeparse python-mysql.connector python-openssl python-pip \
|
||||||
ldap-utils krb5-user \
|
python-pyasn1 python-pysqlite2 python-requests \
|
||||||
libsasl2-modules-gssapi-mit \
|
python-setproctitle python-xattr
|
||||||
libsasl2-dev libldap2-dev
|
|
||||||
|
|
||||||
System dependencies for Fedora 24+:
|
System dependencies for Fedora 25+:
|
||||||
|
|
||||||
.. code:: bash
|
.. code:: bash
|
||||||
|
|
||||||
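Review bot: the new Ubuntu package list drops ``krb5-user``, ``ldap-utils`` and ``libsasl2-modules-gssapi-mit``, which are runtime tools rather than build dependencies, while later sections of this README still initialize Kerberos credentials and create a GSSAPI credential cache for LDAP queries. Confirm that the "Install additional dependencies" block in the Active Directory section installs them, otherwise keep them in this list. ``python-dateutil`` also disappears from the list, so confirm nothing still imports it. The Fedora heading moves from 24+ to 25+ with no change to the Fedora package list visible in this hunk; check that list against the new Ubuntu one.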
@ -193,7 +192,7 @@ Setting up Active Directory authentication
|
|||||||
Following assumes you have already set up Kerberos infrastructure and
|
Following assumes you have already set up Kerberos infrastructure and
|
||||||
Certidude is simply one of the servers making use of that infrastructure.
|
Certidude is simply one of the servers making use of that infrastructure.
|
||||||
|
|
||||||
Install dependencies:
|
Install additional dependencies:
|
||||||
|
|
||||||
.. code:: bash
|
.. code:: bash
|
||||||
|
|
||||||
@ -211,7 +210,7 @@ workgroup and realm accordingly:
|
|||||||
realm = EXAMPLE.COM
|
realm = EXAMPLE.COM
|
||||||
kerberos method = system keytab
|
kerberos method = system keytab
|
||||||
|
|
||||||
Reset Kerberos configuration in ``/etc/krb5.conf``:
|
Reset Kerberos client configuration in ``/etc/krb5.conf``:
|
||||||
|
|
||||||
.. code:: ini
|
.. code:: ini
|
||||||
|
|
||||||
@ -220,13 +219,6 @@ Reset Kerberos configuration in ``/etc/krb5.conf``:
|
|||||||
dns_lookup_realm = true
|
dns_lookup_realm = true
|
||||||
dns_lookup_kdc = true
|
dns_lookup_kdc = true
|
||||||
|
|
||||||
Reset LDAP configuration in /etc/ldap/ldap.conf:
|
|
||||||
|
|
||||||
.. code:: bash
|
|
||||||
|
|
||||||
BASE dc=example,dc=com
|
|
||||||
URI ldap://dc1.example.com
|
|
||||||
|
|
||||||
Initialize Kerberos credentials:
|
Initialize Kerberos credentials:
|
||||||
|
|
||||||
.. code:: bash
|
.. code:: bash
|
||||||
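Review bot: with the ``/etc/ldap/ldap.conf`` step removed (``BASE dc=example,dc=com`` and ``URI ldap://dc1.example.com``), nothing in this diff tells the reader where the LDAP server URI and search base now come from. ``dns_lookup_kdc = true`` in the context lines only covers KDC discovery for Kerberos. If these values are now set in ``server.conf`` or discovered some other way, say so in a sentence here; if not, keep the step.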
@ -247,23 +239,9 @@ Set up Kerberos keytab for the web service:
|
|||||||
chown root:certidude /etc/certidude/server.keytab
|
chown root:certidude /etc/certidude/server.keytab
|
||||||
chmod 640 /etc/certidude/server.keytab
|
chmod 640 /etc/certidude/server.keytab
|
||||||
|
|
||||||
Reconfigure /etc/certidude/server.conf:
|
Reconfigure /etc/certidude/server.conf so ``kerberos`` backend is used for authentication,
|
||||||
|
and ``ldap`` backend is used for accoutns and authorization.
|
||||||
.. code:: ini
|
Adjust related options as necessary.
|
||||||
|
|
||||||
[authentication]
|
|
||||||
backends = kerberos
|
|
||||||
|
|
||||||
[authorization]
|
|
||||||
backend = ldap
|
|
||||||
ldap gssapi credential cache = /run/certidude/krb5cc
|
|
||||||
ldap user filter = (&(objectclass=user)(objectcategory=person)(samaccountname=%s))
|
|
||||||
ldap admin filter = (&(memberOf=cn=Domain Admins,cn=Users,dc=example,dc=com)(samaccountname=%s))
|
|
||||||
|
|
||||||
User filter here specified which users can log in to Certidude web interface
|
|
||||||
at all eg. for generating user certificates for HTTPS.
|
|
||||||
Admin filter specifies which users are allowed to sign and revoke certificates.
|
|
||||||
Adjust admin filter according to your setup.
|
|
||||||
Also make sure there is cron.hourly job for creating GSSAPI credential cache -
|
Also make sure there is cron.hourly job for creating GSSAPI credential cache -
|
||||||
that's necessary for querying LDAP using Certidude machine's credentials.
|
that's necessary for querying LDAP using Certidude machine's credentials.
|
||||||
|
|
||||||
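Review bot: the replacement text removes the only explanation of ``ldap user filter`` and ``ldap admin filter``, and the admin filter is what decides who may sign and revoke certificates; "Adjust related options as necessary" does not name a single option. Keep at least the option names and the sentences on what each filter authorizes, or point to where ``server.conf`` documents them. The cron.hourly sentence that follows also loses its referent now that ``ldap gssapi credential cache = /run/certidude/krb5cc`` is gone. Typo in the added line: "accoutns" should be "accounts", and ``/etc/certidude/server.conf`` should be in literal markup like ``/etc/krb5.conf`` above.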
@ -330,6 +308,16 @@ The VPN connection should immideately become available under network connections
|
|||||||
Development
|
Development
|
||||||
-----------
|
-----------
|
||||||
|
|
||||||
|
To use dependencies from pip:
|
||||||
|
|
||||||
|
.. code:: bash
|
||||||
|
|
||||||
|
apt install \
|
||||||
|
build-essential python-dev cython libffi-dev libssl-dev libkrb5-dev \
|
||||||
|
ldap-utils krb5-user \
|
||||||
|
libsasl2-modules-gssapi-mit \
|
||||||
|
libsasl2-dev libldap2-dev
|
||||||
|
|
||||||
Clone the repository:
|
Clone the repository:
|
||||||
|
|
||||||
.. code:: bash
|
.. code:: bash
|
||||||
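Review bot: the added lead-in says "To use dependencies from pip:" but the block under it is an ``apt install`` of compilers and development headers, and no pip command follows in this hunk; reword it to say these are the build prerequisites for installing the Python dependencies from pip. The command also omits ``-y``, unlike the ``apt install -y`` in the Ubuntu system dependencies block. ``ldap-utils``, ``krb5-user`` and ``libsasl2-modules-gssapi-mit`` are not needed to build anything, yet after this change they appear only under Development.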
@ -367,6 +355,8 @@ To install the package from the source:
|
|||||||
|
|
||||||
To uninstall:
|
To uninstall:
|
||||||
|
|
||||||
|
.. code:: bash
|
||||||
|
|
||||||
pip uninstall certidude
|
pip uninstall certidude
|
||||||
|
|
||||||
|
|
||||||
|