OpenLDAP Server Configuration (CentOS 7)

OpenLDAP is a directory Server and is configured by using LDAP Data Interchange Format files (.ldif). 
Manually Editing config files results in checksum error
Space is considered as a junk character and causes error while importing .ldif files

A. Server Configuration

1. Edit /etc/hosts/ file to for name resolution on both Server and Client Systems
    192.168.100.195  ldapserver.geekonline.in
    192.168.100.196  client1.geekonline.in

    

2. Install necessary packages
     #yum -y install strace net-tools
     #yum install openldap* migrationtools
     #systemctl enable slapd
     #systemctl start slapd

3. Change log settings
     #echo "####Custom Logs for LDAP###" >> /etc/rsyslog.conf
     #echo "local4.* /var/log/slapd/ldap.log" >> /etc/rsyslog.conf
     #tail -n2 /etc/rsyslog.conf
     #systemctl restart rsyslog   or # systemctl reload rsyslog
     It will automatically create directory and files and LDAP logs will be redirected to /var/log/slapd/ldap.log
     

4. Open ports in firewall
     #firewall-cmd --permanent --add-port=389/tcp
     #firewall-cmd --permanent --add-port=636/tcp
     #firewall-cmd --permanent --add-port=9830/tcp
     #firewall-cmd --reload


5.  list the config files
     #cd /etc/openldap/slapd.d/cn\=config
     #ls
     

6.  #cat olcDatabase\=\{2\}hdb.ldif (Before any changes)
     

7   Create a admin password in SSHA hash algorithm and copy the output to notepad for further configuration. 
     # slappasswd
     

8.  Create ldif to modify olcDatabase={2}hdb.ldif
      #vi /opt/ldap/db.ldif

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=geekonline,dc=in

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,dc=geekonline,dc=in

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}ULNvNmPZNyCNqlU5E/9DftThZzF4aAEE

     

9. Make sure no extra spaces are present in the file and Import the DB file
     #cd /opt/ldap/
    #ls
    #ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif
    #slaptest -u
    

10. Note the change in file
     #cat olcDatabase\=\{2\}hdb.ldif (Before any changes)
    
11. Now check the file 
    #cat olcDatabase={1}monitor,cn=config
    


12. Create monitor.ldif file
     #vi monitor.ldif
     
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=admin,dc=geekonline,dc=in" read by * none

    


13.Make sure no extra spaces are present in the file and Import the DB file
    #ldapmodify -Y EXTERNAL -H ldapi:/// -f monitor.ldif
    #slatptest -u
    

14  Now check file olcDatabase={1}monitor,cn=config for changes
   #cat olcDatabase={1}monitor,cn=config
    

15. Crease SSL Certificates for 10 years
   #openssl req -nodes -new -x509 -keyout /etc/openldap/certs/ldapkey.pem -out /etc/openldap/certs/ldapcert.pem -days 3650
    

16. Create certs.ldif file
      #vi certs.ldif

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/ldapkey.pem

dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/ldapcert.pem
 
    

 17. Make sure no extra spaces are present in the file and  Import the DB file
    #ldapmodify -Y EXTERNAL -H ldapi:/// -f certs.ldif
    #slaptest -u
   

18. Verify the changes
    #cd /etc/openldap/slapd.d
    #cat cn=config.ldif
   

19. Copy DB_CONFIG file and add external schemas (used for storing data)
    #cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
    #chown ldap:ldap /var/lib/ldap/DB_CONFIG
    #ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif 
    #ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif 
    #ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
  
    

20.create a base.ldif file
     #vi base.ldif

dn: dc=geekonline,dc=in
dc: geekonline
objectClass: top
objectClass: domain

dn: cn=admin,dc=geekonline,dc=in
objectClass: organizationalRole
cn: admin
description: LDAP Manager

dn: ou=People,dc=geekonline,dc=in
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=geekonline,dc=in
objectClass: organizationalUnit
ou: Group

   

21. Add base ldif to LDAP Configuration
   #ldapadd -x -W -D "cn=admin,dc=geekonline,dc=in" -f base.ldif
   #slaptest -u
   


22.Check ldap object classes
    #ldapsearch -xb "dc=geekonline,dc=in" "(objectClass=*)"
   

23. check password 
   #ldapsearch -H ldap://127.0.0.1 -D "cn=admin,dc=geekonline,dc=in" -w "pass"
   
 
24.Create OS Users.
   #useradd osuser1
   #useradd osuser2
   #echo "pass1" | passwd --stdin osuser1
   #echo "pass2" | passwd --stdin osuser2

   #mkdir /opt/ldap/migrated_users
   #grep "osuser" /etc/passwd >> /opt/ldap/migrated_users/users
   #grep "osuser" /etc/group >> /opt/ldap/migrated_users/groups
   verify the files

   #cat /opt/ldap/migrated_users/users 
   #cat /opt/ldap/migrated_users/groups

  

25. Using migration tool
     #cd /usr/share/migrationtools/
     #cp migrate_common.ph migrate_common.ph.orig
     #vi migrate_common.ph
     #search and change below entries

     $DEFAULT_MAIL_DOMAIN = "geekonline.in";
     $DEFAULT_BASE = "dc=geekonline,dc=in"; 
     $EXTENDED_SCHEMA = 1;



26. Migrate OS users and groups using migration tool
   #/usr/share/migrationtools/migrate_passwd.pl /opt/ldap/migrated_users/users /opt/ldap/migrated_users/users.ldif
   #/usr/share/migrationtools/migrate_group.pl /opt/ldap/migrated_users/groups /opt/ldap/migrated_users/groups.ldif
   #ldapadd -x -W -D "cn=admin,dc=geekonline,dc=in" -f /opt/ldap/migrated_users/users.ldif
   #ldapadd -x -W -D "cn=admin,dc=geekonline,dc=in" -f /opt/ldap/migrated_users/groups.ldif

   

27.  Search that added user in ldap also check for 
   #ldapsearch -x cn=osuser1 -b dc=geekonline,dc=in
    
  
    #  ldapsearch -x cn=osuser2 -b dc=geekonline,dc=in
  

28 Create password for LDAP users which we are going to create using openssl
    #openssl passwd -crypt pass1
    uSMQbmjkzJzBw
    #openssl passwd -crypt pass2
    195EbQnuDDzcA
    note down the  output
   

29 create ldif file for user ldapuser1
   #vi ldapuser1.ldif

dn: cn=ldapuser1,ou=People,dc=geekonline,dc=in
cn: ldapuser1
gidnumber: 100
givenname: ldapuser1
homedirectory: /home/users/ldapuser1
loginshell: /bin/bash
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Surname
uid: ldapuser1
uidnumber: 5001
userpassword: {CRYPT}uSMQbmjkzJzBw
   
   

30 create ldif file for user ldapuser2
   #vi ldapuser1.ldif
 
dn: cn=ldapuser2,ou=People,dc=geekonline,dc=in
cn: ldapuser2
gidnumber: 100
givenname: ldapuser2
homedirectory: /home/users/ldapuser2
loginshell: /bin/bash
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Surname
uid: ldapuser2
uidnumber: 5002
userpassword: {CRYPT}195EbQnuDDzcA

   

31. Import both users in LDAP using ldif files
     #ldapadd -x -D "cn=admin,dc=geekonline,dc=in" -W -f ldapuser1.ldif
     #ldapadd -x -D "cn=admin,dc=geekonline,dc=in" -W -f ldapuser2.ldif
   

32. Verify the users in  LDAP
  #ldapsearch -x cn=ldapuser1 -b dc=geekonline,dc=in
   
  
  #ldapsearch -x cn=ldapuser2 -b dc=geekonline,dc=in
   

B. Client Configuration 
  
     
1. Install the necessary packages
  #yum install openldap-clients nss-pam-ldapd

2. Edit /etc/hosts/ file to for name resolution on both Server and Client Systems 
    192.168.100.195 ldapserver.geekonline.in 
    192.168.100.196 client1.geekonline.in

   

3. Enter below command on the client
    #authconfig --enableldap --enableldapauth --ldapserver=ldapserver.geekonline.in --ldapbasedn="dc=geekonline,dc=in" --enablemkhomedir --update
    
    This will automatically create home directory on client machine at first login

    

   Above command automatically configures ldap client,nsswitch file and PAM  
   #cat /etc/nslcd.conf |grep -v \#
   
  
   #cat /etc/nsswitch.conf |grep -i ldap
   

   #grep -ir home /etc/pam.d/*
   

  

Thus We can Configure LDAP server

C: Deleting LDAP user
   1. Gather the required information from LDAP using below command
   #ldapsearch -x cn=ldapuser1 -b dc=geekonline,dc=in

  2. Delete the user using below command
  #ldapdelete -v -c -D "cn=admin,dc=geekonline,dc=in" -w pass "cn=ldapuser1,ou=People,dc=geekonline,dc=in"



Summary
1. Never edit configuration files manually. 
2. LDAP configuration is easy if you avoid copy paste/typing mistakes (unnecessary spaces are considered as junk characters)
3. You can import existing OS users to LDAP
4. You can create LDAP user directly without creating it on OS
5. Client configuration can be done using fqdn instead of IPs
6. You can Create/modify/delete users easily






 
         

Install and configure webmin with SSL (debian)

1. Create repository for webmin  
        #echo "deb https://download.webmin.com/download/repository sarge contrib" >> webmin.list      
   
2. Fech and install the GPG key for the repository
       #cd /root
       #wget https://download.webmin.com/jcameron-key.asc
       #apt-key add jcameron-key.asc

3. Install webmin
       #apt-get install apt-transport-https
       #apt-get update
       #apt-get install webmin
       If Debian complains about missing dependencies, you can install them with the command
       #apt-get install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl apt-show-versions python

4. Manage SSL certificate for webmin (by using existing SSL certifcates)
      #cat /etc/ssl/certs/web/mydomain.com/privkey.pem > /etc/webmin/miniserv.pem
      #cat /etc/ssl/certs/web/mydomain.com/fullchain.pem >> /etc/webmin/miniserv.pem
      #systemctl restart webmin

5. Configure apache2 for SSL certificate and redirection
      Create a file /etc/apache2/sites-available/webmin.conf and and put the entries given below

         <VirtualHost *:80>
         ServerName webmin.mydomain.com
         Redirect permanent / https://webmin.mydomain.com/
         </VirtualHost>

         <IfModule mod_ssl.c>
         <VirtualHost *:443>
         ServerName webmin.mydomain.com
         SSLCertificateFile /etc/ssl/certs/web/mydomain.com/fullchain.pem
         SSLCertificateKeyFile /etc/ssl/certs/web/mydomain.com/privkey.pem
         Include /etc/letsencrypt/options-ssl-apache.conf
         ProxyPreserveHost On
         ProxyRequests Off
         SSLProxyEngine On

         # allow for upgrading to websockets
         RewriteEngine On
         RewriteCond %{HTTP:Upgrade} =websocket [NC]
         RewriteRule /(.*) ws://127.0.0.1:10000/$1 [P,L]
         RewriteCond %{HTTP:Upgrade} !=websocket [NC]
         RewriteRule /(.*) https://127.0.0.1:10000/$1 [P,L]

         # Proxy to your local webmin instance
         ProxyPass / https://127.0.0.1:10000/
         ProxyPassReverse / https://127.0.0.1:10000/

         </VirtualHost>
         </IfModule>

6. Configure IPTables to drop requests on 4200 from world
      #iptables -A INPUT -p tcp -s 127.0.0.1 --dport 10000 -j ACCEPT
      #iptables -A INPUT -p tcp --dport 10000 -j DROP

7.  Enable Apache Configuration         
     #ln -s /etc/apache2/sites-available/webmin.conf /etc/apache2/sites-enabled/webmin.conf        
     #systemctl reload apache2

 

Summary:
After this setup webmin will be available only on https://wembin.mydomain.com and https://webmin.mydomain.com:10000 will not work

 

 

 

Install and configure shellinabox (web terminal) with SSL (debian)

1. Install the package shellinabox which is present in repository
         #sudo apt-get install shellinabox

2. Check settings 
         #cat /etc/default/shellinabox (For RHEL it will be /etc/sysconfig/shellinaboxd)

3. Manage SSL certificate for shellinabox (by using existing SSL certifcates)
        #cat /etc/ssl/certs/web/mydomain.com/privkey.pem > /var/lib/shellinabox/certificate.pem
        #cat /etc/ssl/certs/web/mydomain.com/fullchain.pem >> /var/lib/shellinabox/certificate.pem
        #systemctl restart shellinabox

4. Configure  apache2 for SSL certificate and redirection
        Create a file /etc/apache2/sites-available/shellinabox.conf and and put the entries given below
  

          <VirtualHost *:80>
          ServerName terminal.mydomain.com
          Redirect permanent / https://terminal.mydomain.com/
          </VirtualHost>

          <IfModule mod_ssl.c>
          <VirtualHost *:443>
          ServerName terminal.mydomain.com
          SSLCertificateFile /etc/ssl/certs/web/mydomain.com/fullchain.pem
          SSLCertificateKeyFile /etc/ssl/certs/web/mydomain.com/privkey.pem
          Include /etc/letsencrypt/options-ssl-apache.conf
          ProxyPreserveHost On
          ProxyRequests Off

          # allow for upgrading to websockets
          RewriteEngine On
          RewriteCond %{HTTP:Upgrade} =websocket [NC]
          RewriteRule /(.*) ws://127.0.0.1:4200/$1 [P,L]
          RewriteCond %{HTTP:Upgrade} !=websocket [NC]
          RewriteRule /(.*) http://127.0.0.1:4200/$1 [P,L]

          # Proxy to your local bash instance
          ProxyPass / http://127.0.0.1:4200/
          ProxyPassReverse / http://127.0.0.1:4200/

          </VirtualHost>
          </IfModule>

5.  Configure IPTables to drop requests on 4200 from world
        iptables -A INPUT -p tcp -s 127.0.0.1 --dport 4200 -j ACCEPT
        iptables -A INPUT -p tcp --dport 4200 -j DROP
  

6.  Enable Apache Configuration 
       #ln -s /etc/apache2/sites-available/shellinabox.conf /etc/apache2/sites-enabled/shellinabox.conf
       #systemctl reload apache2

Summary:
After this setup web terminal (shellinabox) will be available only on https://terminal.mydomain.com and https://terminal.mydomain.com:4200 will not work

 


					

create swap partition using swapfile

  1. On the server there is 4GB memory and 4GB swap file on TEST server which is not enough.
  2. Now the existing swap partition is created in lvm and there is no scope to increase the size
    
    
  3. To overcome this problem create a swapfile using dd command with permission 0600
    
  4. Change the file permission to 0600
  5. Set the file as swap area
  6. Test by enabling the swap on swapfile
  7. Make this boot persistent by adding the entry in fstab
  8. Always run mount -a command to check if any error in fstab file
  9. Now disable swap on /swapfile which we have enabled manually and check swap partitions
    
    
  10. Now check boot persistence by swapon command 

Enabling rc.local in debian9

rc.local is deprecated in debian 9 by default

To enable it

  1. create file /etc/systemd/system/multi-user.target.wants/rc.local.service

vi /etc/systemd/system/multi-user.target.wants/rc.local.service

[Unit]
Description=/etc/rc.local
ConditionPathExists=/etc/rc.local

[Service]
Type=forking
ExecStart=/etc/rc.local start
TimeoutSec=0
StandardOutput=tty
RemainAfterExit=yes
SysVStartPriority=99

[Install]
WantedBy=multi-user.target

2. #systemctl daemon-reload

3. #systemcl restart rc.local.service

 

Enabling usb wifi on CentOS 7

Enabling usb wifi  on Centos is really a difficult job. most of the times it requires drivers compilation and adding /removing modules which may be time consuming.

Its better to upgrade kernel to the latest release

To upgrade the kernel without kernel compilation follow below steps

Step 1: Install elrepo to your CentOS 7 system

# rpm –import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org

# rpm -ivh http://www.elrepo.org/elrepo-release-7.0-3.el7.elrepo.noarch.rpm

# yum –enablerepo=elrepo-kernel list available |grep kernel

# yum –enablerepo=elrepo-kernel install kernel-ml*  (select kernel-ml as they are the stable release kernels)

# grub2-set-default “CentOS Linux (4.18.1-1.el7.elrepo.x86_64) 7 (Core)”

reboot your system and configure network to the wireless usb card.

 

Hello world!

Hi I am Akash and this is my website for Linux.

Please let me know if any mistakes or improvement.