General instructions for installation on CentOS and RHEL#

The Blitz Identity Provider installation generally proceeds in the following order:

  1. Install JDK.

  2. Install memcached memory manager.

  3. Install and configure the DBMS.

  4. Install and configure the RabbitMQ Queue server (optional).

  5. Install the admin console and other Blitz Identity Provider services.

  6. Set up synchronization of configuration files (only for cluster installation).

  7. Configure the web server.

  8. Configure external account repository (optional).

Tip

Depending on the operating system used, there are specifics on how to install the required environment. Follow the express instructions for Rocky Linux, AlmaLinux, Oracle Linux, and RHEL.

Important

Before getting started with deployment, learn the Blitz Identity Provider deployment architecture.

JDK#

On the servers designated to install the Blitz Identity Provider server software and the Blitz Identity Provider administrative console, you must install and configure JDK 8 by using one of the following products:

  • OpenJDK 8;

  • Oracle JDK 8.

Install OpenJDK 8

Run the command:

    sudo yum install java-1.8.0-openjdk-devel
    
Install and configure Oracle JDK 8

  1. Download the Oracle JDK 8 distribution as a tar archive.

  2. Copy the downloaded distribution to the servers (for example, to the /tmp directory).

  3. Create a directory for installing Oracle JDK 8:

    mkdir -p /opt/oracle/jdk/
    
  4. Unpack the Oracle JDK 8 distribution into the created directory:

    tar xf /tmp/jdk-8uXXX-linux-x64.tar.gz -C /opt/oracle/jdk/
    

If Oracle JDK version is 1.8.0_151 or higher:

  1. Open the java.security file in the /opt/oracle/jdk/jdk1.8.0_XXX/jre/lib/security directory for editing.

  2. Uncomment (or add) the line:

    crypto.policy=unlimited
    

If Oracle JDK version is 1.8.0_144 or lower:

  1. Download distribution Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 8.

  2. Copy the downloaded distribution to the servers (for example, to the /tmp directory).

  3. Unpack the archive and copy the contents to the directory with Oracle JDK 8 installed:

    cd /tmp
    unzip jce_policy-8.zip
    cp UnlimitedJCEPolicyJDK8/*.jar /opt/oracle/jdk/jdk1.8.0_XXX/jre/lib/security/
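
Whichever of the three JDK variants above is used, it is worth confirming that unlimited-strength cryptography is actually in effect before the Blitz Identity Provider services are installed, so that key operations that need more than 128-bit symmetric keys do not fail later. The shell helpers below are an added example and are not part of the Blitz Identity Provider distribution; they assume the JDK 8 layout used above (jrunscript under JAVA_HOME/bin, java.security under jre/lib/security) and rely only on a grep and on the JVM's own answer.

```shell
#!/bin/sh
# Added example (not part of the Blitz Identity Provider distribution):
# confirm that a JDK 8 installation really provides unlimited-strength
# cryptography. Assumes $JAVA_HOME/bin/jrunscript and
# $JAVA_HOME/jre/lib/security/java.security exist (JDK 8 layout).

# Succeed only if FILE contains an active (uncommented) crypto.policy=unlimited
# line. The "#crypto.policy=unlimited" line shipped by default does not count.
policy_is_unlimited() {
    grep -Eq '^[[:space:]]*crypto\.policy[[:space:]]*=[[:space:]]*unlimited[[:space:]]*$' "$1"
}

# Ask the JVM itself for the maximum AES key length it allows.
# 2147483647 means unlimited; 128 means the restricted policy is still active.
jdk_max_aes_key_bits() {
    "$1/bin/jrunscript" -e 'print(javax.crypto.Cipher.getMaxAllowedKeyLength("AES"))'
}

# Check one JDK installation directory: report the configuration file state and
# the runtime answer; return 0 only if the JVM reports unlimited key lengths.
# Usage: check_jdk_crypto /opt/oracle/jdk/jdk1.8.0_XXX
check_jdk_crypto() {
    local java_home="$1" policy="$1/jre/lib/security/java.security" bits
    if policy_is_unlimited "$policy"; then
        echo "crypto.policy=unlimited is set in $policy"
    else
        echo "no active crypto.policy=unlimited line in $policy; relying on the runtime check"
    fi
    bits=$(jdk_max_aes_key_bits "$java_home") || return 1
    echo "maximum AES key length reported by the JVM: $bits"
    [ "$bits" = "2147483647" ]
}
```

The runtime check is the one that matters: on OpenJDK, and on Oracle JDK 1.8.0_144 or lower with the JCE jars copied in, there is no crypto.policy line to find, yet the JVM still answers 2147483647 when the policy is in effect.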
    

Memcached#

Attention

The memcached version must be 1.4.15 or higher. The memcached service must be installed on the servers intended for installing Blitz Identity Provider services: blitz-console, blitz-idp, blitz-registration, blitz-recovery. The memcached service is not required for the blitz-keeper service.

  1. Run the command:

    yum -y install memcached
    
  2. After installation is complete, add the memcached service to the autorun and start the service:

    systemctl enable memcached
    systemctl start memcached
    

Important

The memcached service runs on port 11211. Make sure that this port is open on firewalls and can be used to connect between servers with Blitz Identity Provider services.

DBMS#

Couchbase Server installation

The Couchbase Server installation instructions are tailored to CentOS 7 and RHEL 7.

  1. You must install Couchbase Server on each of the servers allocated for DBMS installation according to the instructions. The Couchbase Server distribution is available for download.

    Important

    In DEV/TEST environments, it is acceptable to install Couchbase Server on existing servers with Blitz Identity Provider, but in this case you have to take into account that Couchbase Server uses its own built-in memcached service, and to avoid a conflict you need to adjust the memcached ports used in Blitz Identity Provider and Couchbase Server.

  2. Add the Couchbase Server service to the autorun and start the service:

    systemctl enable couchbase-server
    systemctl start couchbase-server
    
  3. Check if the service is running by executing the command:

    systemctl status couchbase-server
    
  4. Initialize the Couchbase Server cluster on each server according to the instructions (the first server initializes the cluster, the other servers join it). All settings can be left at their defaults, except that you need to set the full server name of each server in hostname. Using the IP address of the server as the server name is not recommended.

  5. On any of the hosts in the Couchbase Server cluster, run the script to prepare Couchbase Server to use Blitz Identity Provider. The script is located in the couchbase directory in the resources.zip archive as part of the Blitz Identity Provider distribution kit. Copy the script to any server in the Couchbase Server cluster, go to the directory, and execute the script to create buckets that will store Blitz Identity Provider information and indexes for executing Blitz Identity Provider search queries in the database:

    ./cb_init.sh
    

    During execution, the script will prompt for:

    • Couchbase Server URL name - enter a string like http://<hostname>:8091, where hostname is the host name of the server from which the script is executed;

    • Couchbase Server administrator account login - set during cluster initialization when you perform the previous step of the instructions;

    • Couchbase Server administrator account password - set during cluster initialization when you perform the previous step of the instructions;

    • Couchbase Server account login for the Blitz Identity Provider application connection - the account is created while this script runs;

      Tip

      It is recommended to name it blitz.

    • Couchbase Server account password for Blitz Identity Provider application connection.

  6. After running the script, make the following settings:

    1. In the Couchbase Server administration console, edit the settings for the number of data copies on different Couchbase instances. To do this, select each bucket in turn in the Buckets menu, click Edit on it and set the Enable setting in the Replicas block and set the number of replicas. For a cluster of 3 servers it is recommended to set 1 for the number of replicas. Then, it is recommended to enable the Enable auto-failover setting in the Settings menu and set the Timeout value to 30 seconds (auto-failover will work only if the DBMS cluster has at least 3 servers and bucket replication is configured).

    2. Set up a database backup.

PostgreSQL installation and configuration

Attention

PostgreSQL must be 9.6 or a later version.

PostgreSQL must be installed according to the instructions.

After installing PostgreSQL, run scripts to prepare PostgreSQL to use Blitz Identity Provider. The scripts are located in the postgres directory in the resources.zip archive as part of the Blitz Identity Provider distribution kit. Copy the scripts to the PostgreSQL server, go to the directory, and execute the following commands one by one:

su - postgres

createdb blitzdb

psql -d blitzdb
CREATE USER blitz WITH ENCRYPTED PASSWORD 'set-your-pwd';
GRANT ALL PRIVILEGES ON DATABASE blitzdb TO blitz;
GRANT ALL ON ALL TABLES IN SCHEMA public TO blitz;
\q

psql -d blitzdb -U blitz -f 000-SCRIPT000.sql
…
psql -d blitzdb -U blitz -f NNN-SCRIPTNNN.sql

Instead of set-your-pwd you should insert the password that will be used to connect to PostgreSQL.

Instead of 000-SCRIPT000.sql … NNN-SCRIPTNNN.sql you should insert the names of the scripts from the postgres/ddl directory of the resources.zip archive, in order. For example:

psql -d blitzdb -U blitz -f 000-service-tasks.sql
psql -d blitzdb -U blitz -f 001-init-database.sql
psql -d blitzdb -U blitz -f 002-new_pp_columns.sql
psql -d blitzdb -U blitz -f 003-usd_id_table.sql
psql -d blitzdb -U blitz -f 004-usr_auth_table.sql
psql -d blitzdb -U blitz -f 005-usr_agt_table.sql
psql -d blitzdb -U blitz -f 006-usr_htp_hmc_alg.sql
psql -d blitzdb -U blitz -f 007-usr_atr_cfm.sql
psql -d blitzdb -U blitz -f 008-wak.sql
psql -d blitzdb -U blitz -f 009-fix_pp_column.sql
psql -d blitzdb -U blitz -f 010-add_usr_prp.sql
psql -d blitzdb -U blitz -f 011-pp_audit.sql
psql -d blitzdb -U blitz -f 012-geo_to_audit.sql
psql -d blitzdb -U blitz -f 013-tasks.sql
psql -d blitzdb -U blitz -f 014-sec_ch_ua.sql
psql -d blitzdb -U blitz -f 015-5.12.0.sql
psql -d blitzdb -U blitz -f 016-5.13.0.sql
psql -d blitzdb -U blitz -f 017-5.15.0.sql
psql -d blitzdb -U blitz -f 018-5.17.0.sql
psql -d blitzdb -U blitz -f 019-5.18.0.sql

After running the script, set up a database backup.
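Running the scripts one by one by hand, as listed above, makes it easy to skip one or to continue after a failed script, which leaves the schema in a state the later scripts do not expect. The helper below is an added example, not a script from the resources.zip archive; it assumes the scripts follow the NNN-name.sql naming shown above, that psql is on PATH, and that the password for the blitz user is supplied through PGPASSWORD or ~/.pgpass.

```shell
#!/bin/sh
# Added example (not part of the Blitz Identity Provider distribution):
# apply the DDL scripts from postgres/ddl in numeric order and stop at the
# first failure. Assumes psql on PATH and the password available through
# PGPASSWORD or ~/.pgpass.

# Print the NNN-*.sql scripts in DIR in prefix order, one file name per line.
# The zero-padded three-digit prefix makes a byte-wise sort (LC_ALL=C) correct;
# any other files in the directory are ignored.
list_ddl_scripts() {
    local dir="$1" f
    for f in "$dir"/[0-9][0-9][0-9]-*.sql; do
        [ -e "$f" ] || continue          # no match: the glob stayed literal
        printf '%s\n' "${f##*/}"
    done | LC_ALL=C sort
}

# Apply every script from list_ddl_scripts to database DB as USER.
# -v ON_ERROR_STOP=1 makes psql exit non-zero on the first SQL error, so the
# loop stops there instead of running later scripts against a half-applied
# schema. Script names are assumed to contain no spaces, as in the list above.
# Usage: run_ddl_scripts /tmp/postgres/ddl blitzdb blitz
run_ddl_scripts() {
    local dir="$1" db="${2:-blitzdb}" user="${3:-blitz}" script
    for script in $(list_ddl_scripts "$dir"); do
        echo "applying $script"
        if ! psql -v ON_ERROR_STOP=1 -q -X -d "$db" -U "$user" -f "$dir/$script"; then
            echo "FAILED in $script; fix the cause and re-run from this script" >&2
            return 1
        fi
    done
}
```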

RabbitMQ queue server#

Installation of the RabbitMQ Queue server is optional and is required if the Queue server is to be used to pass events to adjacent systems or as a message broker.

You need to install RabbitMQ according to instructions.

Blitz Identity Provider services#

To install the blitz-console, blitz-idp, blitz-registration, and blitz-recovery services, use the unified blitz-5.X.X.bin installer. To install the blitz-keeper service, use a standalone installer blitz-keeper-5.X.X.bin.

Important

You can install the admin console on any server where the Blitz Identity Provider server is installed, but it is recommended that a separate administrative server be dedicated to the installation of the Admin console. The JDK and memcached must be installed on the server beforehand.

To install the blitz-console, blitz-idp, blitz-registration, blitz-recovery services, do the following:

  1. Copy blitz-5.X.X.X.bin from the Blitz Identity Provider distribution to the servers intended for installation.

  2. Run the blitz-5.X.X.bin installer with the following start options:

    • -i – list of services to be installed, separated by a space;

    • -j – the JAVA_HOME value, that is, the JDK installation directory, for example:

      /usr/lib/jvm/java-1.8.0-openjdk

      /opt/oracle/jdk

    The installation will be performed in the /usr/share/identityblitz directory.

    Installer launch example#
    cd /tmp
    chmod +x blitz-5.X.X.bin
    ./blitz-5.X.X.bin -- -j /usr/lib/jvm/bellsoft-java8.x86_64 -i "idp console recovery registration"
    
    Console during the installation process#
    Verifying archive integrity...  100%   MD5 checksums are OK. All good.
    Uncompressing Blitz IDP  100%
    ****************************************************************
    Application blitz-registration installed
    Application blitz-recovery installed
    Application blitz-console installed
    Application blitz-idp installed
    ****************************************************************
    
  3. Create the blitz_param.txt file with initial Blitz Identity Provider settings. The general parameters are the same for both DBMS variants; the DB_MODE parameter and the parameters that follow it depend on the DBMS in use.

    General parameters:

    • DOMAIN – external domain name where Blitz Identity Provider will be running;

    • ROOT_CONTEXT – URL path where Blitz Identity Provider will be running;

      Note

      If not specified, it will be /blitz.

    • ADMIN_USER_NAME – administrator account in Blitz Identity Provider;

      Note

      If not specified, it will be admin.

    • ADMIN_PASSWORD – password for the administrator account in Blitz Identity Provider;

    • KEYSTORE_PASSWORD – password for the key container that will be created during the installation;

      Note

      If the ADMIN_PASSWORD and KEYSTORE_PASSWORD parameters are not specified, these passwords will be generated automatically and displayed in the output of the configuration script.

    • MEMCACHED_SERVERS – memcached server addresses.

    Parameters for Couchbase Server:

    • DB_MODE – DBMS in use: CB for Couchbase Server;

    • CB_NODES – addresses of nodes in the Couchbase Server DBMS;

    • CB_USERNAME – account name in the Couchbase Server DBMS (blitz by default);

    • CB_PASSWORD – account password in the Couchbase Server DBMS.

      Example of the configuration file#
      DOMAIN=test
      MEMCACHED_SERVERS="192.168.122.10 127.0.0.1"
      DB_MODE=CB
      CB_NODES="192.168.122.20 192.168.122.21 192.168.122.22"
      CB_USERNAME=blitz
      CB_PASSWORD=12ABcd45
      
    Parameters for PostgreSQL:

    • DB_MODE – DBMS in use: PG for PostgreSQL;

    • PG_HOSTNAME – PostgreSQL server address;

    • PG_DB_NAME – database name in the PostgreSQL DBMS;

      Tip

      It is recommended to set blitzdb.

    • PG_USER_NAME – account name in the PostgreSQL DBMS;

      Tip

      It is recommended to set blitz.

    • PG_USER_PASSWORD – account password in the PostgreSQL DBMS.

      Example of the configuration file#
      DOMAIN=test.loc
      MEMCACHED_SERVERS="192.168.122.10 127.0.0.1"
      DB_MODE=PG
      PG_HOSTNAME=127.0.0.1
      PG_DB_NAME=blitzdb
      PG_USER_NAME=blitz
      PG_USER_PASSWORD=12ABcd45
      
  4. Run the Blitz Identity Provider initial setup script with the right path to the blitz_param.txt file:

    /usr/share/identityblitz/blitz-console/bin/configure -f blitz_param.txt
    

    The script will prepare the configuration files, generate and display the Blitz Identity Provider administrator login and password, and generate a password for the key container:

    ****************************************************************
    Your Blitz Identity Provider configured on domain: test.loc
    Your Blitz Identity Provider Console available on addresses:
      http://test.loc:9001/blitz/console
    
    Administration user credentials of Blitz Console:
      username - admin
      password - 98aAB0D3f2
    Your can change user credentials at file - /usr/share/identityblitz/blitz-config/credentials
    
    Create keystore /usr/share/identityblitz/blitz-config/blitz-keystore.bks and generate:
     - JWS(RSA256) keypair - jws_rs256_rsa_default
     - AES(AES128) security key - jdbc
    
    Generated password for keystore: BeEBcd2239
    ****************************************************************
    

    Tip

    If incorrect parameters were entered when running the installer, use the following command to delete the files the installer created, and then repeat the installation from scratch:

    rm -rf /usr/share/identityblitz /etc/default/blitz-* /etc/blitz-* /var/log/identityblitz/ /lib/systemd/system/blitz-*
    
  5. Edit the blitz.prod.local.idp.net block in the Blitz Identity Provider configuration by adding the subnets of the Blitz Identity Provider servers to the trustedServers setting:

    "net" : {
        "domain" : "blitz-domain.com",
        "trustedServers" : [
          "192.168.1.0/24"
        ]
    }
    
  6. If you plan to use the REST services protection function with Blitz Identity Provider, copy the blitz-keeper-5.X.X.X.bin file from the Blitz Identity Provider distribution package to the servers intended for installation of the Security Gateway (for example, to the /tmp directory).

  7. Run the blitz-keeper-5.X.X.bin installer:

    cd /tmp
    chmod +x blitz-keeper-5.X.X.bin
    ./blitz-keeper-5.X.X.bin
    

    When the installer prompts for JAVA_HOME, specify the JDK installation directory, for example:

    /usr/lib/jvm/java-1.8.0-openjdk

    /opt/oracle/jdk

    The installation will be performed in the /usr/share/identityblitz directory.

  8. Add services to autorun on their respective servers and run them:

    systemctl enable blitz-console
    systemctl start blitz-console
    systemctl enable blitz-idp
    systemctl start blitz-idp
    systemctl enable blitz-registration
    systemctl start blitz-registration
    systemctl enable blitz-recovery
    systemctl start blitz-recovery
    systemctl enable blitz-keeper
    systemctl start blitz-keeper
    

Configuration files synchronization#

When you deploy Blitz Identity Provider in a cluster, you must configure synchronization of the Blitz Identity Provider configuration between Blitz Identity Provider cluster servers:

Actions to take on the Blitz Identity Provider admin console server

  1. Install rsync and incron:

    sudo yum install rsync incron
    
  2. Switch to user blitz:

    sudo su - blitz
    
  3. Generate an ssh key with the command (it is recommended to choose the default answers for all the prompts by the utility):

    ssh-keygen
    
  4. Read and save the public ssh key for future use:

    cat /usr/share/identityblitz/.ssh/id_rsa.pub
    
  5. Open the incrontab settings:

    incrontab -e
    

    In the opened editor window, insert the following:

    /usr/share/identityblitz/blitz-config IN_MODIFY,IN_ATTRIB,IN_CREATE,IN_DELETE,IN_CLOSE_WRITE /usr/share/identityblitz/scripts/config_sync.sh ./ $# $%
    /usr/share/identityblitz/blitz-config/assets IN_MODIFY,IN_ATTRIB,IN_CREATE,IN_DELETE,IN_CLOSE_WRITE /usr/share/identityblitz/scripts/config_sync.sh assets $# $%
    /usr/share/identityblitz/blitz-config/assets/services IN_MODIFY,IN_ATTRIB,IN_CREATE,IN_DELETE,IN_CLOSE_WRITE /usr/share/identityblitz/scripts/config_sync.sh assets $# $%
    /usr/share/identityblitz/blitz-config/assets/themes IN_MODIFY,IN_ATTRIB,IN_CREATE,IN_DELETE,IN_CLOSE_WRITE /usr/share/identityblitz/scripts/config_sync.sh assets $# $%
    /usr/share/identityblitz/blitz-config/apps IN_MODIFY,IN_ATTRIB,IN_CREATE,IN_DELETE,IN_CLOSE_WRITE /usr/share/identityblitz/scripts/config_sync.sh apps $# $%
    /usr/share/identityblitz/blitz-config/saml IN_MODIFY,IN_ATTRIB,IN_CREATE,IN_DELETE,IN_CLOSE_WRITE /usr/share/identityblitz/scripts/config_sync.sh saml $# $%
    /usr/share/identityblitz/blitz-config/saml/conf IN_MODIFY,IN_ATTRIB,IN_CREATE,IN_DELETE,IN_CLOSE_WRITE /usr/share/identityblitz/scripts/config_sync.sh saml $# $%
    /usr/share/identityblitz/blitz-config/saml/credentials IN_MODIFY,IN_ATTRIB,IN_CREATE,IN_DELETE,IN_CLOSE_WRITE /usr/share/identityblitz/scripts/config_sync.sh saml $# $%
    /usr/share/identityblitz/blitz-config/saml/metadata IN_MODIFY,IN_ATTRIB,IN_CREATE,IN_DELETE,IN_CLOSE_WRITE /usr/share/identityblitz/scripts/config_sync.sh saml $# $%
    /usr/share/identityblitz/blitz-config/custom_messages IN_MODIFY,IN_ATTRIB,IN_CREATE,IN_DELETE,IN_CLOSE_WRITE /usr/share/identityblitz/scripts/config_sync.sh custom_messages $# $%
    /usr/share/identityblitz/blitz-config/custom_messages/dics IN_MODIFY,IN_ATTRIB,IN_CREATE,IN_DELETE,IN_CLOSE_WRITE /usr/share/identityblitz/scripts/config_sync.sh custom_messages $# $%
    /usr/share/identityblitz/blitz-config/devices IN_MODIFY,IN_ATTRIB,IN_CREATE,IN_DELETE,IN_CLOSE_WRITE /usr/share/identityblitz/scripts/config_sync.sh devices $# $%
    /usr/share/identityblitz/blitz-config/simple IN_MODIFY,IN_ATTRIB,IN_CREATE,IN_DELETE,IN_CLOSE_WRITE /usr/share/identityblitz/scripts/config_sync.sh simple $# $%
    /usr/share/identityblitz/blitz-config/certs IN_MODIFY,IN_ATTRIB,IN_CREATE,IN_DELETE,IN_CLOSE_WRITE /usr/share/identityblitz/scripts/config_sync.sh certs $# $%
    /usr/share/identityblitz/blitz-config/flows/login IN_MODIFY,IN_ATTRIB,IN_CREATE,IN_DELETE,IN_CLOSE_WRITE /usr/share/identityblitz/scripts/config_sync.sh flows $# $%
    /usr/share/identityblitz/blitz-config/flows/reg IN_MODIFY,IN_ATTRIB,IN_CREATE,IN_DELETE,IN_CLOSE_WRITE /usr/share/identityblitz/scripts/config_sync.sh flows $# $%
    /usr/share/identityblitz/blitz-config/flows/extIdps IN_MODIFY,IN_ATTRIB,IN_CREATE,IN_DELETE,IN_CLOSE_WRITE /usr/share/identityblitz/scripts/config_sync.sh flows $# $%
    /usr/share/identityblitz/blitz-config/token_exchange IN_MODIFY,IN_ATTRIB,IN_CREATE,IN_DELETE,IN_CLOSE_WRITE /usr/share/identityblitz/scripts/config_sync.sh token_exchange $# $%
    /usr/share/identityblitz/blitz-config/token_exchange/rules IN_MODIFY,IN_ATTRIB,IN_CREATE,IN_DELETE,IN_CLOSE_WRITE /usr/share/identityblitz/scripts/config_sync.sh token_exchange $# $%
    
  6. Create a file /usr/share/identityblitz/scripts/config_sync.sh and paste the script into it:

    #!/bin/bash
    # $1 is the subdirectory name passed by incrontab ("./" means the whole tree);
    # the file name ($2) and event mask ($3) passed by incrontab are not used.
    app_dir=/usr/share/identityblitz/blitz-config
    # Space-separated hostnames of the other cluster nodes (set in the next step).
    node_list="NODES_LIST"
    for node in ${node_list}; do
        rsync -r -a --delete "${app_dir}/${1}" "${USER}@${node}:${app_dir}"
    done
    
  7. As the node_list value, replace NODES_LIST with the hostnames of the Blitz Identity Provider cluster nodes (except the Admin Console node), separated by spaces. For example:

    node_list="app1.local app2.local"
    
  8. Make the file /usr/share/identityblitz/scripts/config_sync.sh executable:

    chmod +x /usr/share/identityblitz/scripts/config_sync.sh
    
  9. As root, add the incrond service to autorun and start it:

    systemctl enable incrond
    systemctl start incrond
    
Actions to take on the other Blitz Identity Provider servers

  1. Install rsync:

    sudo yum install rsync
    
  2. Switch to user blitz:

    sudo su - blitz
    
  3. Run the following script:

    mkdir .ssh
    touch .ssh/authorized_keys
    chmod 700 .ssh
    chmod 640 .ssh/authorized_keys
    
  4. Open the .ssh/authorized_keys file with any editor, such as vim, and paste the public ssh key previously obtained from the Blitz Admin Console server.
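
Once incron and rsync are in place, a change made on the admin console node should appear on every other node within moments; a node that missed a change (for example because its authorized_keys was not yet in place when the change happened) silently keeps stale settings. The helper below is an added example and not part of the Blitz Identity Provider distribution; it assumes the blitz user can ssh to each node with the key set up above and that sha256sum exists on every node.

```shell
#!/bin/sh
# Added example (not part of the Blitz Identity Provider distribution):
# verify that blitz-config on the other nodes matches the admin console node.
# Assumes the blitz user can ssh to each node (the key authorized above) and
# that sha256sum is available on every node.

# One digest over every regular file below the current directory: relative path
# plus content hash, in byte-wise sorted order, so the result depends neither on
# directory listing order nor on where the tree lives.
DIGEST_CMD='find . -type f | LC_ALL=C sort | while IFS= read -r f; do printf "%s " "$f"; sha256sum < "$f" | cut -d" " -f1; done | sha256sum | cut -d" " -f1'

# Digest of the local tree DIR.
config_digest() {
    ( cd "$1" && sh -c "$DIGEST_CMD" )
}

# The same digest computed on NODE for DIR, over ssh (no password prompts).
remote_config_digest() {
    ssh -o BatchMode=yes "$1" "cd '$2' && $DIGEST_CMD"
}

# Compare DIR on this host with DIR on each NODE given; return 1 if any node
# differs or is unreachable.
# Usage: check_cluster_sync /usr/share/identityblitz/blitz-config app1.local app2.local
check_cluster_sync() {
    local dir="$1" here there node rc=0
    shift
    here=$(config_digest "$dir")
    for node in "$@"; do
        there=$(remote_config_digest "$node" "$dir") || there="unreachable"
        if [ "$there" = "$here" ]; then
            echo "$node: in sync"
        else
            echo "$node: OUT OF SYNC ($there)" >&2
            rc=1
        fi
    done
    return $rc
}
```

Run check_cluster_sync as the blitz user on the admin console node after the first configuration change; a mismatch points at a node whose incron or ssh setup needs attention.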

Web Server configuration#

It is recommended to use nginx as a web server. A sample configuration file for nginx is included in the Blitz Identity Provider distribution - it is the blitz-idp.conf file from the nginx directory in the resources.zip archive. You need to adjust the following configuration blocks, then upload the file to the server with nginx (/etc/nginx/conf.d directory):

  1. Adjust the balancing settings block:

    upstream blitz-idp {
        server [BLITZ-IDP-NODE-01]:9000 max_fails=3 fail_timeout=120;
        server [BLITZ-IDP-NODE-02]:9000 max_fails=3 fail_timeout=120;
    }
    upstream blitz-reg {
        server [BLITZ-REG-NODE-01]:9002 max_fails=3 fail_timeout=120;
        server [BLITZ-REG-NODE-02]:9002 max_fails=3 fail_timeout=120;
    }
    upstream blitz-rec {
        server [BLITZ-REC-NODE-01]:9003 max_fails=3 fail_timeout=120;
        server [BLITZ-REC-NODE-02]:9003 max_fails=3 fail_timeout=120;
    }
    upstream blitz-keeper {
        server [BLITZ-KPR-NODE-01]:9012 max_fails=3 fail_timeout=120;
        server [BLITZ-KPR-NODE-02]:9012 max_fails=3 fail_timeout=120;
    }
    upstream blitz-console {
        server [BLITZ-CONSOLE-NODE-01]:9001 max_fails=3 fail_timeout=120;
    }
    

    The parameters have the following designations:

    • [BLITZ-%%%-NODE-XX] - names (hostname) of servers with Blitz Identity Provider services (blitz-idp, blitz-registration, blitz-recovery, blitz-keeper);

    • [BLITZ-CONSOLE-NODE-01] is the name (hostname) of the Blitz Admin Console server.

  2. Correct the block of TLS termination settings:

    ssl_certificate         [BLITZ-SSL-CERT-FILE];
    ssl_certificate_key     [BLITZ-SSL-PRIVATEKEY-FILE];
    

    The parameters have the following designations:

    • [BLITZ-SSL-CERT-FILE] - path (full name) to the file with TLS server certificate;

    • [BLITZ-SSL-PRIVATEKEY-FILE] - path (full name) to the file with the TLS server key.

  3. Note that Blitz Identity Provider ignores the X-Forwarded-Proto: https header if the X-Forwarded-For header set by nginx contains more than one IP address, as happens with the following directive:

    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    

    In this case, it is recommended to use the following directive value instead:

    proxy_set_header X-Forwarded-For $client_ip;
    

    Here client_ip is computed with a map that takes the first IPv4 address from the incoming header and falls back to the connecting address when the header does not start with one:

    map $http_x_forwarded_for $client_ip {
        default $remote_addr;
        "~^(?<IP>([0-9]{1,3}\.){3}[0-9]{1,3})" $IP;
    }
    
  4. Copy the static_errors folder with the server error page files to the /usr/share/nginx/html folder on the nginx server. Example error page files can be found in the Blitz Identity Provider distribution: the static_errors folder in the resources.zip archive.
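
The map in step 3 hands Blitz Identity Provider whatever address stands first in the incoming X-Forwarded-For header. That is sound only when the header is written by a trusted proxy in front of nginx; if nginx is itself the first hop, the first entry is supplied by the client and can be set to any value. The functions below are an added example, not Blitz Identity Provider or nginx code: the first reproduces the map's rule in shell so it can be exercised on sample headers, and the second shows the rule normally used when the proxy addresses are known (walk the chain from the right and skip trusted hops). The trusted proxy list is a constructed assumption for illustration, and only IPv4 is handled, as in the map.

```shell
#!/bin/sh
# Added example (not part of Blitz Identity Provider or nginx): how an
# X-Forwarded-For header is reduced to a single client address.

# Rule used by the nginx map above: the IPv4 address at the very start of the
# header, otherwise the connecting address.
first_forwarded_ip() {
    local xff="$1" remote="$2" ip
    ip=$(printf '%s' "$xff" | grep -Eo '^([0-9]{1,3}\.){3}[0-9]{1,3}' || true)
    if [ -n "$ip" ]; then printf '%s\n' "$ip"; else printf '%s\n' "$remote"; fi
}

# Is address $1 one of the space-separated addresses in $2?
is_trusted() {
    local t
    for t in $2; do [ "$t" = "$1" ] && return 0; done
    return 1
}

# Rule for a known proxy chain: if the peer is not a trusted proxy, nothing in
# the header can be believed and the peer itself is the client; otherwise walk
# the header from the right, skip trusted hops, and take the first other
# address. A client-supplied prefix such as "9.9.9.9, " is never reached.
client_ip_behind_proxies() {
    local xff="$1" remote="$2" trusted="$3" hop rev=""
    if ! is_trusted "$remote" "$trusted"; then printf '%s\n' "$remote"; return 0; fi
    for hop in $(printf '%s' "$xff" | tr ',' ' '); do rev="$hop $rev"; done
    for hop in $rev; do
        if ! is_trusted "$hop" "$trusted"; then printf '%s\n' "$hop"; return 0; fi
    done
    printf '%s\n' "$remote"
}
```

With a header of "9.9.9.9, 203.0.113.5" arriving from proxy 10.0.0.2, the first-value rule reports 9.9.9.9 while the trusted-hop rule reports 203.0.113.5; the map from step 3 is therefore appropriate when nginx sits behind a load balancer that writes the header, and $remote_addr is the safer value when clients connect to nginx directly.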

LDAP directory#

If you need to deploy a new LDAP directory, it is recommended that you install 389 Directory Server, which is included with the OS, as your LDAP directory:

  1. Execute the installation commands:

    yum install 389-ds-base 389-adminutil 389-admin 389-admin-console 389-console 389-ds-console
    yum install xauth
    
  2. Set limits according to the 389 Directory Server recommendations:

    echo "fs.file-max = 64000" >> /etc/sysctl.conf
    echo "* soft nofile 8192" >> /etc/security/limits.conf
    echo "* hard nofile 8192" >> /etc/security/limits.conf
    echo "ulimit -n 8192" >> /etc/profile
    
  3. Initialize the LDAP directory. Answer the installer’s questions:

    setup-ds-admin.pl
    
  4. After installation is complete, add the LDAP directory to the autorun and start the service:

    systemctl enable dirsrv.target
    systemctl start dirsrv.target
    

After installing 389 Directory Server, configure it to prepare it for use in conjunction with Blitz Identity Provider. To do this:

  1. Copy to the LDAP server the LDAP configuration scripts from the Blitz Identity Provider distribution (this is the ldap folder in the resources.zip archive).

  2. Execute the initial configuration script ldap_init.sh. The script creates the sub-branch for storing users and the service user reader, configures user access rights and the password policy (a non-expiring password for the service user), and creates the blitz-schema object class with the attributes uid, mail, mobile, n, name:

    chmod +x ldap_init.sh
    ./ldap_init.sh
    
  3. Run the TLS configuration script on the LDAP server (the script creates a copy of the current NSS DB, then creates a new NSS DB, certificates, and a pin.txt file to start the server without entering a password):

    chmod +x ldap_ssl.sh
    ./ldap_ssl.sh
    
  4. After running the script restart the LDAP directory:

    systemctl restart dirsrv.target
    
  5. If you need to configure and enable global password policies in LDAP, adjust and execute the ldap_pwdpolicy.sh script:

    chmod +x ldap_pwdpolicy.sh
    ./ldap_pwdpolicy.sh
    
  6. If you want to create additional attributes:

    1. prepare a text file in which, on each line, write the name of the attribute to be created (i.e. a text file with a column of attributes to be created);

    2. run the script to create additional attributes, answer its prompts:

      chmod +x ldap_add_attr.sh
      ./ldap_add_attr.sh
      
    3. edit the text file at /etc/dirsrv/slapd-<instance name>/schema/99user.ldif, add new attributes to objectclass named blitz-schema in the MAY section;

    4. restart the LDAP directory to apply the changes to the directory schema:

      systemctl restart dirsrv.target