OpenLDAP is a directory Server and is configured by using LDAP Data Interchange Format files (.ldif).
Manually Editing config files results in checksum error
Space is considered as a junk character and causes error while importing .ldif files
A. Server Configuration
1. Edit /etc/hosts/ file to for name resolution on both Server and Client Systems
192.168.100.195 ldapserver.geekonline.in
192.168.100.196 client1.geekonline.in
2. Install necessary packages
#yum -y install strace net-tools
#yum install openldap* migrationtools
#systemctl enable slapd
#systemctl start slapd
3. Change log settings
#echo "####Custom Logs for LDAP###" >> /etc/rsyslog.conf
#echo "local4.* /var/log/slapd/ldap.log" >> /etc/rsyslog.conf
#tail -n2 /etc/rsyslog.conf
#systemctl restart rsyslog or # systemctl reload rsyslog
It will automatically create directory and files and LDAP logs will be redirected to /var/log/slapd/ldap.log
4. Open ports in firewall
#firewall-cmd --permanent --add-port=389/tcp
#firewall-cmd --permanent --add-port=636/tcp
#firewall-cmd --permanent --add-port=9830/tcp
#firewall-cmd --reload
5. list the config files
#cd /etc/openldap/slapd.d/cn\=config
#ls
6. #cat olcDatabase\=\{2\}hdb.ldif (Before any changes)
7 Create a admin password in SSHA hash algorithm and copy the output to notepad for further configuration.
# slappasswd
8. Create ldif to modify olcDatabase={2}hdb.ldif
#vi /opt/ldap/db.ldif
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=geekonline,dc=in
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,dc=geekonline,dc=in
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}ULNvNmPZNyCNqlU5E/9DftThZzF4aAEE
9. Make sure no extra spaces are present in the file and Import the DB file
#cd /opt/ldap/
#ls
#ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif
#slaptest -u
10. Note the change in file
#cat olcDatabase\=\{2\}hdb.ldif (Before any changes)
11. Now check the file
#cat olcDatabase={1}monitor,cn=config
12. Create monitor.ldif file
#vi monitor.ldif
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=admin,dc=geekonline,dc=in" read by * none
13.Make sure no extra spaces are present in the file and Import the DB file
#ldapmodify -Y EXTERNAL -H ldapi:/// -f monitor.ldif
#slatptest -u
14 Now check file olcDatabase={1}monitor,cn=config for changes
#cat olcDatabase={1}monitor,cn=config
15. Crease SSL Certificates for 10 years
#openssl req -nodes -new -x509 -keyout /etc/openldap/certs/ldapkey.pem -out /etc/openldap/certs/ldapcert.pem -days 3650
16. Create certs.ldif file
#vi certs.ldif
dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/ldapkey.pem
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/ldapcert.pem
17. Make sure no extra spaces are present in the file and Import the DB file
#ldapmodify -Y EXTERNAL -H ldapi:/// -f certs.ldif
#slaptest -u
18. Verify the changes
#cd /etc/openldap/slapd.d
#cat cn=config.ldif
19. Copy DB_CONFIG file and add external schemas (used for storing data)
#cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
#chown ldap:ldap /var/lib/ldap/DB_CONFIG
#ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
#ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
#ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
20.create a base.ldif file
#vi base.ldif
dn: dc=geekonline,dc=in
dc: geekonline
objectClass: top
objectClass: domain
dn: cn=admin,dc=geekonline,dc=in
objectClass: organizationalRole
cn: admin
description: LDAP Manager
dn: ou=People,dc=geekonline,dc=in
objectClass: organizationalUnit
ou: People
dn: ou=Group,dc=geekonline,dc=in
objectClass: organizationalUnit
ou: Group
21. Add base ldif to LDAP Configuration
#ldapadd -x -W -D "cn=admin,dc=geekonline,dc=in" -f base.ldif
#slaptest -u
22.Check ldap object classes
#ldapsearch -xb "dc=geekonline,dc=in" "(objectClass=*)"
23. check password
#ldapsearch -H ldap://127.0.0.1 -D "cn=admin,dc=geekonline,dc=in" -w "pass"
24.Create OS Users.
#useradd osuser1
#useradd osuser2
#echo "pass1" | passwd --stdin osuser1
#echo "pass2" | passwd --stdin osuser2
#mkdir /opt/ldap/migrated_users
#grep "osuser" /etc/passwd >> /opt/ldap/migrated_users/users
#grep "osuser" /etc/group >> /opt/ldap/migrated_users/groups
verify the files
#cat /opt/ldap/migrated_users/users
#cat /opt/ldap/migrated_users/groups
25. Using migration tool
#cd /usr/share/migrationtools/
#cp migrate_common.ph migrate_common.ph.orig
#vi migrate_common.ph
#search and change below entries
$DEFAULT_MAIL_DOMAIN = "geekonline.in";
$DEFAULT_BASE = "dc=geekonline,dc=in";
$EXTENDED_SCHEMA = 1;
26. Migrate OS users and groups using migration tool
#/usr/share/migrationtools/migrate_passwd.pl /opt/ldap/migrated_users/users /opt/ldap/migrated_users/users.ldif
#/usr/share/migrationtools/migrate_group.pl /opt/ldap/migrated_users/groups /opt/ldap/migrated_users/groups.ldif
#ldapadd -x -W -D "cn=admin,dc=geekonline,dc=in" -f /opt/ldap/migrated_users/users.ldif
#ldapadd -x -W -D "cn=admin,dc=geekonline,dc=in" -f /opt/ldap/migrated_users/groups.ldif
27. Search that added user in ldap also check for
#ldapsearch -x cn=osuser1 -b dc=geekonline,dc=in
# ldapsearch -x cn=osuser2 -b dc=geekonline,dc=in
28 Create password for LDAP users which we are going to create using openssl
#openssl passwd -crypt pass1
uSMQbmjkzJzBw
#openssl passwd -crypt pass2
195EbQnuDDzcA
note down the output
29 create ldif file for user ldapuser1
#vi ldapuser1.ldif
dn: cn=ldapuser1,ou=People,dc=geekonline,dc=in
cn: ldapuser1
gidnumber: 100
givenname: ldapuser1
homedirectory: /home/users/ldapuser1
loginshell: /bin/bash
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Surname
uid: ldapuser1
uidnumber: 5001
userpassword: {CRYPT}uSMQbmjkzJzBw
30 create ldif file for user ldapuser2
#vi ldapuser1.ldif
dn: cn=ldapuser2,ou=People,dc=geekonline,dc=in
cn: ldapuser2
gidnumber: 100
givenname: ldapuser2
homedirectory: /home/users/ldapuser2
loginshell: /bin/bash
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Surname
uid: ldapuser2
uidnumber: 5002
userpassword: {CRYPT}195EbQnuDDzcA
31. Import both users in LDAP using ldif files
#ldapadd -x -D "cn=admin,dc=geekonline,dc=in" -W -f ldapuser1.ldif
#ldapadd -x -D "cn=admin,dc=geekonline,dc=in" -W -f ldapuser2.ldif
32. Verify the users in LDAP
#ldapsearch -x cn=ldapuser1 -b dc=geekonline,dc=in
#ldapsearch -x cn=ldapuser2 -b dc=geekonline,dc=in
B. Client Configuration
1. Install the necessary packages
#yum install openldap-clients nss-pam-ldapd
2. Edit /etc/hosts/ file to for name resolution on both Server and Client Systems
192.168.100.195 ldapserver.geekonline.in
192.168.100.196 client1.geekonline.in
3. Enter below command on the client
#authconfig --enableldap --enableldapauth --ldapserver=ldapserver.geekonline.in --ldapbasedn="dc=geekonline,dc=in" --enablemkhomedir --update
This will automatically create home directory on client machine at first login
Above command automatically configures ldap client,nsswitch file and PAM
#cat /etc/nslcd.conf |grep -v \#
#cat /etc/nsswitch.conf |grep -i ldap
#grep -ir home /etc/pam.d/*
Thus We can Configure LDAP server
C: Deleting LDAP user
1. Gather the required information from LDAP using below command
#ldapsearch -x cn=ldapuser1 -b dc=geekonline,dc=in
2. Delete the user using below command
#ldapdelete -v -c -D "cn=admin,dc=geekonline,dc=in" -w pass "cn=ldapuser1,ou=People,dc=geekonline,dc=in"
Summary
1. Never edit configuration files manually.
2. LDAP configuration is easy if you avoid copy paste/typing mistakes (unnecessary spaces are considered as junk characters)
3. You can import existing OS users to LDAP
4. You can create LDAP user directly without creating it on OS
5. Client configuration can be done using fqdn instead of IPs
6. You can Create/modify/delete users easily
Uncategorized
Uncategorized stuff
Install and configure webmin with SSL (debian)
1. Create repository for webmin #echo "deb https://download.webmin.com/download/repository sarge contrib" >> webmin.list 2. Fech and install the GPG key for the repository #cd /root #wget https://download.webmin.com/jcameron-key.asc #apt-key add jcameron-key.asc 3. Install webmin #apt-get install apt-transport-https #apt-get update #apt-get install webmin If Debian complains about missing dependencies, you can install them with the command #apt-get install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl apt-show-versions python 4. Manage SSL certificate for webmin (by using existing SSL certifcates) #cat /etc/ssl/certs/web/mydomain.com/privkey.pem > /etc/webmin/miniserv.pem #cat /etc/ssl/certs/web/mydomain.com/fullchain.pem >> /etc/webmin/miniserv.pem #systemctl restart webmin 5. Configure apache2 for SSL certificate and redirection Create a file /etc/apache2/sites-available/webmin.conf and and put the entries given below <VirtualHost *:80> ServerName webmin.mydomain.com Redirect permanent / https://webmin.mydomain.com/ </VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName webmin.mydomain.com
SSLCertificateFile /etc/ssl/certs/web/mydomain.com/fullchain.pem
SSLCertificateKeyFile /etc/ssl/certs/web/mydomain.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
ProxyPreserveHost On
ProxyRequests Off
SSLProxyEngine On
# allow for upgrading to websockets
RewriteEngine On
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule /(.*) ws://127.0.0.1:10000/$1 [P,L]
RewriteCond %{HTTP:Upgrade} !=websocket [NC]
RewriteRule /(.*) https://127.0.0.1:10000/$1 [P,L]
# Proxy to your local webmin instance
ProxyPass / https://127.0.0.1:10000/
ProxyPassReverse / https://127.0.0.1:10000/
</VirtualHost>
</IfModule>
6. Configure IPTables to drop requests on 4200 from world #iptables -A INPUT -p tcp -s 127.0.0.1 --dport 10000 -j ACCEPT #iptables -A INPUT -p tcp --dport 10000 -j DROP 7. Enable Apache Configuration #ln -s /etc/apache2/sites-available/webmin.conf /etc/apache2/sites-enabled/webmin.conf #systemctl reload apache2
Summary:
After this setup webmin will be available only on https://wembin.mydomain.com and https://webmin.mydomain.com:10000 will not work
Install and configure shellinabox (web terminal) with SSL (debian)
1. Install the package shellinabox which is present in repository
#sudo apt-get install shellinabox
2. Check settings
#cat /etc/default/shellinabox (For RHEL it will be /etc/sysconfig/shellinaboxd)
3. Manage SSL certificate for shellinabox (by using existing SSL certifcates)
#cat /etc/ssl/certs/web/mydomain.com/privkey.pem > /var/lib/shellinabox/certificate.pem
#cat /etc/ssl/certs/web/mydomain.com/fullchain.pem >> /var/lib/shellinabox/certificate.pem
#systemctl restart shellinabox
4. Configure apache2 for SSL certificate and redirection
Create a file /etc/apache2/sites-available/shellinabox.conf and and put the entries given below
<VirtualHost *:80>
ServerName terminal.mydomain.com
Redirect permanent / https://terminal.mydomain.com/
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName terminal.mydomain.com
SSLCertificateFile /etc/ssl/certs/web/mydomain.com/fullchain.pem
SSLCertificateKeyFile /etc/ssl/certs/web/mydomain.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
ProxyPreserveHost On
ProxyRequests Off
# allow for upgrading to websockets
RewriteEngine On
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule /(.*) ws://127.0.0.1:4200/$1 [P,L]
RewriteCond %{HTTP:Upgrade} !=websocket [NC]
RewriteRule /(.*) http://127.0.0.1:4200/$1 [P,L]
# Proxy to your local bash instance
ProxyPass / http://127.0.0.1:4200/
ProxyPassReverse / http://127.0.0.1:4200/
</VirtualHost>
</IfModule>
5. Configure IPTables to drop requests on 4200 from world
iptables -A INPUT -p tcp -s 127.0.0.1 --dport 4200 -j ACCEPT
iptables -A INPUT -p tcp --dport 4200 -j DROP
6. Enable Apache Configuration
#ln -s /etc/apache2/sites-available/shellinabox.conf /etc/apache2/sites-enabled/shellinabox.conf
#systemctl reload apache2
Summary:
After this setup web terminal (shellinabox) will be available only on https://terminal.mydomain.com and https://terminal.mydomain.com:4200 will not work
create swap partition using swapfile
-
On the server there is 4GB memory and 4GB swap file on TEST server which is not enough.
-
Now the existing swap partition is created in lvm and there is no scope to increase the size
-
To overcome this problem create a swapfile using dd command with permission 0600
-
Change the file permission to 0600
-
Set the file as swap area
-
Test by enabling the swap on swapfile
-
Make this boot persistent by adding the entry in fstab
-
Always run mount -a command to check if any error in fstab file
-
Now disable swap on /swapfile which we have enabled manually and check swap partitions
-
Now check boot persistence by swapon command
Enabling rc.local in debian9
rc.local is deprecated in debian 9 by default
To enable it
- create file /etc/systemd/system/multi-user.target.wants/rc.local.service
vi /etc/systemd/system/multi-user.target.wants/rc.local.service
[Unit]
Description=/etc/rc.local
ConditionPathExists=/etc/rc.local
[Service]
Type=forking
ExecStart=/etc/rc.local start
TimeoutSec=0
StandardOutput=tty
RemainAfterExit=yes
SysVStartPriority=99
[Install]
WantedBy=multi-user.target
2. #systemctl daemon-reload
3. #systemcl restart rc.local.service
Enabling usb wifi on CentOS 7
Enabling usb wifi on Centos is really a difficult job. most of the times it requires drivers compilation and adding /removing modules which may be time consuming.
Its better to upgrade kernel to the latest release
To upgrade the kernel without kernel compilation follow below steps
Step 1: Install elrepo to your CentOS 7 system
# rpm –import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
# rpm -ivh http://www.elrepo.org/elrepo-release-7.0-3.el7.elrepo.noarch.rpm
# yum –enablerepo=elrepo-kernel list available |grep kernel
# yum –enablerepo=elrepo-kernel install kernel-ml* (select kernel-ml as they are the stable release kernels)
# grub2-set-default “CentOS Linux (4.18.1-1.el7.elrepo.x86_64) 7 (Core)”
reboot your system and configure network to the wireless usb card.
Hello world!
Hi I am Akash and this is my website for Linux.
Please let me know if any mistakes or improvement.