OpenLDAP Server Configuration (CentOS 7)

OpenLDAP is a directory Server and is configured by using LDAP Data Interchange Format files (.ldif). 
Manually Editing config files results in checksum error
Space is considered as a junk character and causes error while importing .ldif files

A. Server Configuration

1. Edit /etc/hosts/ file to for name resolution on both Server and Client Systems
    192.168.100.195  ldapserver.geekonline.in
    192.168.100.196  client1.geekonline.in

    

2. Install necessary packages
     #yum -y install strace net-tools
     #yum install openldap* migrationtools
     #systemctl enable slapd
     #systemctl start slapd

3. Change log settings
     #echo "####Custom Logs for LDAP###" >> /etc/rsyslog.conf
     #echo "local4.* /var/log/slapd/ldap.log" >> /etc/rsyslog.conf
     #tail -n2 /etc/rsyslog.conf
     #systemctl restart rsyslog   or # systemctl reload rsyslog
     It will automatically create directory and files and LDAP logs will be redirected to /var/log/slapd/ldap.log
     

4. Open ports in firewall
     #firewall-cmd --permanent --add-port=389/tcp
     #firewall-cmd --permanent --add-port=636/tcp
     #firewall-cmd --permanent --add-port=9830/tcp
     #firewall-cmd --reload


5.  list the config files
     #cd /etc/openldap/slapd.d/cn\=config
     #ls
     

6.  #cat olcDatabase\=\{2\}hdb.ldif (Before any changes)
     

7   Create a admin password in SSHA hash algorithm and copy the output to notepad for further configuration. 
     # slappasswd
     

8.  Create ldif to modify olcDatabase={2}hdb.ldif
      #vi /opt/ldap/db.ldif

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=geekonline,dc=in

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,dc=geekonline,dc=in

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}ULNvNmPZNyCNqlU5E/9DftThZzF4aAEE

     

9. Make sure no extra spaces are present in the file and Import the DB file
     #cd /opt/ldap/
    #ls
    #ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif
    #slaptest -u
    

10. Note the change in file
     #cat olcDatabase\=\{2\}hdb.ldif (Before any changes)
    
11. Now check the file 
    #cat olcDatabase={1}monitor,cn=config
    


12. Create monitor.ldif file
     #vi monitor.ldif
     
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=admin,dc=geekonline,dc=in" read by * none

    


13.Make sure no extra spaces are present in the file and Import the DB file
    #ldapmodify -Y EXTERNAL -H ldapi:/// -f monitor.ldif
    #slatptest -u
    

14  Now check file olcDatabase={1}monitor,cn=config for changes
   #cat olcDatabase={1}monitor,cn=config
    

15. Crease SSL Certificates for 10 years
   #openssl req -nodes -new -x509 -keyout /etc/openldap/certs/ldapkey.pem -out /etc/openldap/certs/ldapcert.pem -days 3650
    

16. Create certs.ldif file
      #vi certs.ldif

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/ldapkey.pem

dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/ldapcert.pem
 
    

 17. Make sure no extra spaces are present in the file and  Import the DB file
    #ldapmodify -Y EXTERNAL -H ldapi:/// -f certs.ldif
    #slaptest -u
   

18. Verify the changes
    #cd /etc/openldap/slapd.d
    #cat cn=config.ldif
   

19. Copy DB_CONFIG file and add external schemas (used for storing data)
    #cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
    #chown ldap:ldap /var/lib/ldap/DB_CONFIG
    #ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif 
    #ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif 
    #ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
  
    

20.create a base.ldif file
     #vi base.ldif

dn: dc=geekonline,dc=in
dc: geekonline
objectClass: top
objectClass: domain

dn: cn=admin,dc=geekonline,dc=in
objectClass: organizationalRole
cn: admin
description: LDAP Manager

dn: ou=People,dc=geekonline,dc=in
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=geekonline,dc=in
objectClass: organizationalUnit
ou: Group

   

21. Add base ldif to LDAP Configuration
   #ldapadd -x -W -D "cn=admin,dc=geekonline,dc=in" -f base.ldif
   #slaptest -u
   


22.Check ldap object classes
    #ldapsearch -xb "dc=geekonline,dc=in" "(objectClass=*)"
   

23. check password 
   #ldapsearch -H ldap://127.0.0.1 -D "cn=admin,dc=geekonline,dc=in" -w "pass"
   
 
24.Create OS Users.
   #useradd osuser1
   #useradd osuser2
   #echo "pass1" | passwd --stdin osuser1
   #echo "pass2" | passwd --stdin osuser2

   #mkdir /opt/ldap/migrated_users
   #grep "osuser" /etc/passwd >> /opt/ldap/migrated_users/users
   #grep "osuser" /etc/group >> /opt/ldap/migrated_users/groups
   verify the files

   #cat /opt/ldap/migrated_users/users 
   #cat /opt/ldap/migrated_users/groups

  

25. Using migration tool
     #cd /usr/share/migrationtools/
     #cp migrate_common.ph migrate_common.ph.orig
     #vi migrate_common.ph
     #search and change below entries

     $DEFAULT_MAIL_DOMAIN = "geekonline.in";
     $DEFAULT_BASE = "dc=geekonline,dc=in"; 
     $EXTENDED_SCHEMA = 1;



26. Migrate OS users and groups using migration tool
   #/usr/share/migrationtools/migrate_passwd.pl /opt/ldap/migrated_users/users /opt/ldap/migrated_users/users.ldif
   #/usr/share/migrationtools/migrate_group.pl /opt/ldap/migrated_users/groups /opt/ldap/migrated_users/groups.ldif
   #ldapadd -x -W -D "cn=admin,dc=geekonline,dc=in" -f /opt/ldap/migrated_users/users.ldif
   #ldapadd -x -W -D "cn=admin,dc=geekonline,dc=in" -f /opt/ldap/migrated_users/groups.ldif

   

27.  Search that added user in ldap also check for 
   #ldapsearch -x cn=osuser1 -b dc=geekonline,dc=in
    
  
    #  ldapsearch -x cn=osuser2 -b dc=geekonline,dc=in
  

28 Create password for LDAP users which we are going to create using openssl
    #openssl passwd -crypt pass1
    uSMQbmjkzJzBw
    #openssl passwd -crypt pass2
    195EbQnuDDzcA
    note down the  output
   

29 create ldif file for user ldapuser1
   #vi ldapuser1.ldif

dn: cn=ldapuser1,ou=People,dc=geekonline,dc=in
cn: ldapuser1
gidnumber: 100
givenname: ldapuser1
homedirectory: /home/users/ldapuser1
loginshell: /bin/bash
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Surname
uid: ldapuser1
uidnumber: 5001
userpassword: {CRYPT}uSMQbmjkzJzBw
   
   

30 create ldif file for user ldapuser2
   #vi ldapuser1.ldif
 
dn: cn=ldapuser2,ou=People,dc=geekonline,dc=in
cn: ldapuser2
gidnumber: 100
givenname: ldapuser2
homedirectory: /home/users/ldapuser2
loginshell: /bin/bash
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Surname
uid: ldapuser2
uidnumber: 5002
userpassword: {CRYPT}195EbQnuDDzcA

   

31. Import both users in LDAP using ldif files
     #ldapadd -x -D "cn=admin,dc=geekonline,dc=in" -W -f ldapuser1.ldif
     #ldapadd -x -D "cn=admin,dc=geekonline,dc=in" -W -f ldapuser2.ldif
   

32. Verify the users in  LDAP
  #ldapsearch -x cn=ldapuser1 -b dc=geekonline,dc=in
   
  
  #ldapsearch -x cn=ldapuser2 -b dc=geekonline,dc=in
   

B. Client Configuration 
  
     
1. Install the necessary packages
  #yum install openldap-clients nss-pam-ldapd

2. Edit /etc/hosts/ file to for name resolution on both Server and Client Systems 
    192.168.100.195 ldapserver.geekonline.in 
    192.168.100.196 client1.geekonline.in

   

3. Enter below command on the client
    #authconfig --enableldap --enableldapauth --ldapserver=ldapserver.geekonline.in --ldapbasedn="dc=geekonline,dc=in" --enablemkhomedir --update
    
    This will automatically create home directory on client machine at first login

    

   Above command automatically configures ldap client,nsswitch file and PAM  
   #cat /etc/nslcd.conf |grep -v \#
   
  
   #cat /etc/nsswitch.conf |grep -i ldap
   

   #grep -ir home /etc/pam.d/*
   

  

Thus We can Configure LDAP server

C: Deleting LDAP user
   1. Gather the required information from LDAP using below command
   #ldapsearch -x cn=ldapuser1 -b dc=geekonline,dc=in

  2. Delete the user using below command
  #ldapdelete -v -c -D "cn=admin,dc=geekonline,dc=in" -w pass "cn=ldapuser1,ou=People,dc=geekonline,dc=in"



Summary
1. Never edit configuration files manually. 
2. LDAP configuration is easy if you avoid copy paste/typing mistakes (unnecessary spaces are considered as junk characters)
3. You can import existing OS users to LDAP
4. You can create LDAP user directly without creating it on OS
5. Client configuration can be done using fqdn instead of IPs
6. You can Create/modify/delete users easily






 
         

Install and configure webmin with SSL (debian)

1. Create repository for webmin  
        #echo "deb https://download.webmin.com/download/repository sarge contrib" >> webmin.list      
   
2. Fech and install the GPG key for the repository
       #cd /root
       #wget https://download.webmin.com/jcameron-key.asc
       #apt-key add jcameron-key.asc

3. Install webmin
       #apt-get install apt-transport-https
       #apt-get update
       #apt-get install webmin
       If Debian complains about missing dependencies, you can install them with the command
       #apt-get install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl apt-show-versions python

4. Manage SSL certificate for webmin (by using existing SSL certifcates)
      #cat /etc/ssl/certs/web/mydomain.com/privkey.pem > /etc/webmin/miniserv.pem
      #cat /etc/ssl/certs/web/mydomain.com/fullchain.pem >> /etc/webmin/miniserv.pem
      #systemctl restart webmin

5. Configure apache2 for SSL certificate and redirection
      Create a file /etc/apache2/sites-available/webmin.conf and and put the entries given below

         <VirtualHost *:80>
         ServerName webmin.mydomain.com
         Redirect permanent / https://webmin.mydomain.com/
         </VirtualHost>

         <IfModule mod_ssl.c>
         <VirtualHost *:443>
         ServerName webmin.mydomain.com
         SSLCertificateFile /etc/ssl/certs/web/mydomain.com/fullchain.pem
         SSLCertificateKeyFile /etc/ssl/certs/web/mydomain.com/privkey.pem
         Include /etc/letsencrypt/options-ssl-apache.conf
         ProxyPreserveHost On
         ProxyRequests Off
         SSLProxyEngine On

         # allow for upgrading to websockets
         RewriteEngine On
         RewriteCond %{HTTP:Upgrade} =websocket [NC]
         RewriteRule /(.*) ws://127.0.0.1:10000/$1 [P,L]
         RewriteCond %{HTTP:Upgrade} !=websocket [NC]
         RewriteRule /(.*) https://127.0.0.1:10000/$1 [P,L]

         # Proxy to your local webmin instance
         ProxyPass / https://127.0.0.1:10000/
         ProxyPassReverse / https://127.0.0.1:10000/

         </VirtualHost>
         </IfModule>

6. Configure IPTables to drop requests on 4200 from world
      #iptables -A INPUT -p tcp -s 127.0.0.1 --dport 10000 -j ACCEPT
      #iptables -A INPUT -p tcp --dport 10000 -j DROP

7.  Enable Apache Configuration         
     #ln -s /etc/apache2/sites-available/webmin.conf /etc/apache2/sites-enabled/webmin.conf        
     #systemctl reload apache2

 

Summary:
After this setup webmin will be available only on https://wembin.mydomain.com and https://webmin.mydomain.com:10000 will not work

 

 

 

Install and configure shellinabox (web terminal) with SSL (debian)

1. Install the package shellinabox which is present in repository
         #sudo apt-get install shellinabox

2. Check settings 
         #cat /etc/default/shellinabox (For RHEL it will be /etc/sysconfig/shellinaboxd)

3. Manage SSL certificate for shellinabox (by using existing SSL certifcates)
        #cat /etc/ssl/certs/web/mydomain.com/privkey.pem > /var/lib/shellinabox/certificate.pem
        #cat /etc/ssl/certs/web/mydomain.com/fullchain.pem >> /var/lib/shellinabox/certificate.pem
        #systemctl restart shellinabox

4. Configure  apache2 for SSL certificate and redirection
        Create a file /etc/apache2/sites-available/shellinabox.conf and and put the entries given below
  

          <VirtualHost *:80>
          ServerName terminal.mydomain.com
          Redirect permanent / https://terminal.mydomain.com/
          </VirtualHost>

          <IfModule mod_ssl.c>
          <VirtualHost *:443>
          ServerName terminal.mydomain.com
          SSLCertificateFile /etc/ssl/certs/web/mydomain.com/fullchain.pem
          SSLCertificateKeyFile /etc/ssl/certs/web/mydomain.com/privkey.pem
          Include /etc/letsencrypt/options-ssl-apache.conf
          ProxyPreserveHost On
          ProxyRequests Off

          # allow for upgrading to websockets
          RewriteEngine On
          RewriteCond %{HTTP:Upgrade} =websocket [NC]
          RewriteRule /(.*) ws://127.0.0.1:4200/$1 [P,L]
          RewriteCond %{HTTP:Upgrade} !=websocket [NC]
          RewriteRule /(.*) http://127.0.0.1:4200/$1 [P,L]

          # Proxy to your local bash instance
          ProxyPass / http://127.0.0.1:4200/
          ProxyPassReverse / http://127.0.0.1:4200/

          </VirtualHost>
          </IfModule>

5.  Configure IPTables to drop requests on 4200 from world
        iptables -A INPUT -p tcp -s 127.0.0.1 --dport 4200 -j ACCEPT
        iptables -A INPUT -p tcp --dport 4200 -j DROP
  

6.  Enable Apache Configuration 
       #ln -s /etc/apache2/sites-available/shellinabox.conf /etc/apache2/sites-enabled/shellinabox.conf
       #systemctl reload apache2

Summary:
After this setup web terminal (shellinabox) will be available only on https://terminal.mydomain.com and https://terminal.mydomain.com:4200 will not work

 


					

Install and configure cockpit with SSL (debian)

1. Edit /etc/apt/sources.list file or create new file /etc/apt/sources.list.d/Backports.list and add below lines

        #deb http://ftp.debian.org/debian/ stretch-backports main contrib non-free
        #deb http://packages.prosody.im/debian stretch main
        #deb https://apt.dockerproject.org/repo debian-stretch main

2.  Install cockpit package
        #sudo apt-get update
        #sudo apt-get install cockpit

3. Manage SSL certificate for cockpit (by using existing SSL certifcates) 
        #cat /etc/cockpit/ws-certs.d/cockpit.base.cert > /etc/cockpit/ws-certs.d/0-self-signed.cert 
        #cat /etc/ssl/certs/web/mydomain.com/fullchain.pem >> /etc/cockpit/ws-certs.d/0-self-signed.cert 
        #systemctl reload cockpit

4.  Configure apache2 for SSL certificate and redirection
        Create a file /etc/apache2/sites-available/cockpit.conf and and put the entries given below

           <VirtualHost *:80>
           ServerName cockpit.mydomain.com
           Redirect permanent / https://cockpit.mydomain.com/
           </VirtualHost>

          <IfModule mod_ssl.c>
          <VirtualHost *:443>
           ServerName cockpit.mydomain.com
           SSLCertificateFile /etc/ssl/certs/web/mydomain.com/fullchain.pem
           SSLCertificateKeyFile /etc/ssl/certs/web/mydomain.com/privkey.pem
           Include /etc/letsencrypt/options-ssl-apache.conf
           ProxyPreserveHost On
           ProxyRequests Off

          # allow for upgrading to websockets
           RewriteEngine On
           RewriteCond %{HTTP:Upgrade} =websocket [NC]
           RewriteRule /(.*) ws://127.0.0.1:9090/$1 [P,L]
           RewriteCond %{HTTP:Upgrade} !=websocket [NC]
           RewriteRule /(.*) http://127.0.0.1:9090/$1 [P,L]

           # Proxy to your local cockpit instance
           ProxyPass / http://127.0.0.1:9090/
           ProxyPassReverse / http://127.0.0.1:9090/

           </VirtualHost>
           </IfModule>

 



5. Configure IPTables to drop requests on 9090 from world
        #iptables -A INPUT -p tcp -s 127.0.0.1 --dport 9090 -j ACCEPT
        #iptables -A INPUT -p tcp --dport 9090 -j DROP

 6. Enable Apache Configuration 
        #ln -s /etc/apache2/sites-available/cockpit.conf /etc/apache2/sites-enabled/cockpit.conf
        #systemctl reload apache2

          

Summary:
After this setup web terminal cockpit will be available only on https://cockpit.mydomain.com and https://cockpit.mydomain.com:9090 will not work                          

SUSE Enterprise Service Pack Migration

SUSE supports two different upgrade and migration methods one is online and the other is offline. We will go through both the methods. 

A. Take snapper snapshot.
  1. Take snapper snapshot before proceeding to service pack migration using below command #sanpper create --description “Before Service Pack Migration”
B. Method 1: Offline Upgrade and migration
  1. Offline methods usually boot another operating system from which the installed SLES version is upgraded. Examples are: DVD, flash disk & ISO image                                                                              
  2. Download the latest ISO of the respective SUSE Service pack from here.                                                                 
  3. Insert DVD or Attach the ISO through ILO/IDRAC of the SUSE Linux Enterprise 12 SP3 installation medium and boot your machine. A Welcome screen is displayed, followed by the boot screen                                                                                                                                                                    
  4. Press F11 to enter in boot menu.                                                                                                                                                        
  5. Boot system by selecting Upgrade in the boot menu.                                                                     
  6. Accept the license agreement and Proceed with Next                                                                    
  7. It will start updating installer
  8. On the Select for Upgrade screen, select the partition to upgrade and click Next. System mounts the selected partition and displays all repositories that have been found on the partition that you want to upgrade
  9. On the Previously Used Repositories screen, adjust the status of the repositories: enable those you want to include in the upgrade process and disable any repositories that are no longer needed. Proceed with Next.                                                                                                                                  
  10. On the Registration screen, select whether to register the upgraded system now (by entering your registration data and clicking Next) or if to Skip Registration.
  11. Select the add-on product according to the requirement                                                                
  12. Review the Installation Settings for the upgrade, especially the Update Options.                          
  13. Start the installation and removal procedure by clicking Update.                                                   
  14. The system will start upgrading.                                                                                                      
  15. Once the update is completed, system will reboot to the updated service pack.

C. Method 2: Online upgrade and migration

  1. SUSE offers an intuitive graphical and a simple command line tool to upgrade a running system to a new service pack. Before you can start a service pack migration, your system must be registered at the SUSE Customer Center.                                                                                                                                                                                                                                                                                  
  2. Check the system version before upgrade.                                                                                                                                                                                                                                                           
  3. #SUSEConnect -r <REGISTRATION_CODE> -e <EMAILID>                                                        
  4. Install the latest updates:
    #zypper patch                                                                                                                                     
  5. Check the available repositories.
    #zypper repos                                                                                                                                                      
  6. Install the zypper-migration-plugin package and its dependencies:
    #zypper in zypper-migration-plugin                                                                                                 
  7. Run zypper migration.
    #zypper migration                                                                                                                                                         
  8. Review all the changes, especially the packages that are going to be removed. Proceed by typing “y”.                                                                                                                                                        
  9. Select the service pack which you want to install, in my case I have selected service pack 3.                                                                                                                                                              
                                                                                                                                                                                                                                                                                                     
  10. Select yes to continue                                                                                                                                                                                                                                                                             
  11. After successful migration restart your system and check using following commands.
    #cat /etc/Suse-release or lsb-release -d

    #uname -a