Changes between Version 44 and Version 45 of idpiam2018

Timestamp:

Sep 14, 2018, 6:01:44 AM (6 years ago)

Author:

admin

Comment:

--

idpiam2018

@@ -517 +517 @@
 }}}
 
+This will add additional security to your database engine. For the tutorial purposes we will use '''Iam@2018''' as passwords. Remember the capital '''I'''.
 
 {{{
@@ -539 +540 @@
 Please set the password for root here.
 
-New password:
-
-Re-enter new password:
+New password:Iam@2018
+
+Re-enter new password:Iam@2018
 
 Estimated strength of the password: 50
@@ -583 +584 @@
 All done!
 }}}
-* log in to your MySQL Server with `mysql -u root -p` and continue. Make sure to replace `##ROOT-DB-PASSWORD##`, `##USERNAME##`, `##PASSWORD##` with your own
+* log in to your MySQL Server with `mysql -u root -p` and continue.For your production servers,  Make sure to replace passwords `Iam@2018`. When creating passwords you should consider your password policy selected above.
 {{{#!mysql
     SET NAMES 'utf8';
@@ -591 +592 @@
     CREATE DATABASE IF NOT EXISTS shibboleth CHARACTER SET=utf8;
 
-    GRANT ALL PRIVILEGES ON shibboleth.* TO root@localhost IDENTIFIED BY '##ROOT-DB-PASSWORD##';
-    GRANT ALL PRIVILEGES ON shibboleth.* TO ##USERNAME##@localhost IDENTIFIED BY '##PASSWORD##';
+    GRANT ALL PRIVILEGES ON shibboleth.* TO root@localhost IDENTIFIED BY 'Iam@2018';
+    GRANT ALL PRIVILEGES ON shibboleth.* TO shibbo@localhost IDENTIFIED BY 'Iam@2018';
 
     FLUSH PRIVILEGES;
@@ -627 +628 @@
 26. Enable the generation of the `persistent-id` :
 
-* Copy the output of the following for the next step.
+* First you need to generate a password salt. Keep a copy of the output of following as your '''idp.persistentId.salt''' 
 {{{
    openssl rand -base64 36
 }}}
 
-* 
+* Edit the following file and modify the lines containing below variables.
 {{{
    vim /opt/shibboleth-idp/conf/saml-nameid.properties
 }}}   
-   (the //sourceAttribute// MUST BE an attribute, or a list of comma-separated attributes, that uniquely identify the subject of the generated `persistent-id`. It MUST BE: '''Stable''', '''Permanent''' and '''Not-reassignable''')
+   (the //sourceAttribute// used in the configuration MUST BE an ldap attribute, or a list of comma-separated attributes, that uniquely identify the subject of the generated `persistent-id`. It MUST BE: '''Stable''', '''Permanent''' and '''Not-reassignable''')
 
 {{{
      idp.persistentId.sourceAttribute = uid
      ...
-     idp.persistentId.salt = ### result of 'openssl rand -base64 36'###
+     idp.persistentId.salt = Replace_these_with_your_salt_generated_earlier
      ...
      idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
@@ -674 +675 @@
            p:driverClassName="com.mysql.jdbc.Driver"
            p:url="jdbc:mysql://localhost:3306/shibboleth?autoReconnect=true"
-           p:username="##USER_DB_NAME##"
-           p:password="##PASSWORD##"
+           p:username="shibbo"
+           p:password="Iam@2018"
            p:maxActive="10"
            p:maxIdle="5"
@@ -701 +702 @@
      </bean>
      }}}     
-(and modify the "'''USER_DB_NAME'''" and "'''PASSWORD'''" for your "'''shibboleth'''" DB)
+   > You may need to change the  '''password''' for your "'''shibboleth'''" DB in production servers)
 
 * Modify the IdP configuration file:
@@ -729 +730 @@
    vim /opt/shibboleth-idp/conf/ldap.properties
 }}}
-* Solution 1: LDAP + STARTTLS:
+* Solution 1: LDAP + STARTTLS: (We recommend continuing with this option)
 
 {{{
@@ -777 +778 @@
        </resolver:DataConnector>
 }}}
-'''UTILITY FOR OPENLDAP ADMINISTRATOR:''' 
-`ldapsearch -H ldap:// -x -b "dc=instXY,dc=ac,dc=lk" -LLL dn` 
+* utility to ldap searching: `ldapsearch -H ldap:// -x -b "dc=instXY,dc=ac,dc=lk" -LLL dn` 
 * the baseDN ==> `ou=people, dc=instXY,dc=ac,dc=lk` (branch containing the registered users)
 * the bindDN ==> `cn=admin,dc=instXY,dc=ac,dc=lk` (distinguished name for the user that can made queries on the LDAP)
@@ -808 +808 @@
       <value>%{idp.home}/conf/attribute-resolver-v1-LEARN.xml</value>
 }}}
-* Configure the LDAP Data Connector to be compliant to the values put on `ldap.properties`. (See above suggestions)
 
 * Restart Tomcat8: `service tomcat8 restart`
+
 31. Enable the SAML2 support by changing the `idp-metadata.xml` and disabling the SAML v1.x deprecated support:
 *