
Archive for the ‘Linux’ Category

Recession vs. Linux

January 3rd, 2009

The food and restaurant industry might be down across the board, but some areas seem to be doing quite fine. Amazon is reporting record sales this year. http://usnews.rankingsandreviews.com/cars-trucks/daily-news/081230-Amazon-Reports-Record-Holiday-Sales/

I was in a mall today and saw a line 20 deep in the food court for Taco Bell. People gotta eat, and they need their latest and greatest software too. I’m sure the net is lagging behind the economy, but in some regards I guess it might not turn out to be a bad year for Linux. I’m sure the usual suspects will be feeling a nasty bite soon and although they might not really have their hearts behind anything that has to do with free, according to Bruce Byfield, “when the talk turns to free and open source software (FOSS), suddenly the mood brightens. Whether their concern is the business opportunities in open source or the promotion of free software idealism, experts see FOSS as starting from a strong base and actually benefiting from the hard times expected next year.” http://itmanagement.earthweb.com/osrc/article.php/3793286/Linux+in+2009:+Recession+vs.+GNU.htm

Economy, Linux

Apache on a diet: Tune for optimal memory usage and speed

January 1st, 2009

Let's get a running start… Make sure KeepAlive is set to 'On', HostnameLookups is 'Off', and comment out most of the modules that your default Fedora, Ubuntu, SUSE or other bloated distribution loads by default. Most of them you won't need or want to have available. You'll probably need rewrite and php, but depending on what kind of site you're running, you might not need all those auth modules, etc. If you're hosting apps that handle their own authentication and permissions, and you don't want to allow directory browsing, statistics generation, LDAP authentication, or Apache status pages, then by all means get rid of all those modules! In Fedora you'll find they throw in the kitchen sink to start you off.

(Image: apache on a diet - running on a treadmill)

Putting your Apache on a diet and then restarting might be all the oomph you need, but you'll probably see only a slight difference. Also, don't just look at the memory usage right after a restart. Until your servers are actually called upon for battle, they're just going to allocate the minimum requirements, so you might have a bunch of httpd's running using, say, 10 meg each, but once they're stressed you might see them jump to 20-30 meg and not let go. You're probably going to get the most mileage out of tuning the number of servers running, maximum clients, minimum and maximum spares, etc. If you're not expecting a lot of traffic and your memory is limited, you probably shouldn't run a boatload of servers. Keep your MaxClients low so you don't spawn so many that you start swapping right from the word go.

Your site, your traffic, and the type of content being loaded is going to affect your optimal settings. So just dive in and play around with the numbers.  Stress test your site and let it run a little while. If it gets better, then you’re probably pushing the numbers in the right direction! I’m sorry if you were looking for a “type 123 at prompt xyz” type of tutorial here. What’s working for me with 128 meg of memory is probably a little slim for the next guy.

I just hate to see people jump ship from Apache to something like lighty just because they hear Apache is bloated, or experience that from their distribution's default setup. Switching to another web server may just give you more headaches in the long run, because you're probably going to have to tweak lighty to work with the apps you'd like to run — apps that are already set up to work with Apache right out of the box.

Linux

Howto install Fedora 10 on ReiserFS or JFS

December 30th, 2008

When you get to the first prompt when installing, instead of just letting the default continue by itself, type:

linux selinux=0 reiserfs

Replace the ‘reiserfs’ with ‘jfs’ if you want that file system.  You’ll have to include the selinux=0 because you can’t use SELinux with ReiserFS or JFS.

All too easy…

Linux

Remove lines in your php files that reveal your WordPress version

December 6th, 2008

Get rid of this line in all your WordPress php files:

<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" /><!-- leave this for stats please -->

When WordPress comes out with a new version, part of the update is usually a fix for an exploitable bug. The bug may allow a hacker to access your wp-admin directory or delete your files, or worse. If the bug is only in version xyz, and that's the version you're running, you don't want anyone googling for that version to run into your pages and exploit your code.

You can use the “leave this for stats please” to find and replace that line in all your php files at once.  If you don’t have shell access, well I guess you’ll have to use whatever interface your site provider overlords have thrust upon you.

[admica@host]$ sudo grep -rlZ "leave this for stats please" --include="*.php" /path/to/myblog | sudo xargs -0 sed -i "/leave this for stats please/d"

This will find all the files that contain that line and delete it from each one.

Linux

Install video drivers and Compiz 3-D desktop effects on Fedora 10 in just 3 commands!

December 1st, 2008

This is how to install 3D desktop effects on a vanilla Fedora 10 installation (I tried this on a freshly installed Fedora 10, installed from DVD). Basically all you need to do is get 3D hardware acceleration enabled for your video card, then install the fusion-icon package and reboot. In the past this was easier said than done.

(Image: rotating compiz desktop cube in Fedora 10)

First, install the new RPM Fusion non-free repository. RPM Fusion is a new set of repositories that puts all the free and non-free repos like livna and freshrpms together in one place. Then install your video driver kernel module, install fusion-icon, and reboot. YUM will handle all the compiz dependencies for you. Here are the three steps along with their output.

[admica@myhost ~]$ sudo rpm -Uvh \
http://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-stable.noarch.rpm

rpm -Uvh http://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-stable.noarch.rpm
Retrieving http://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-stable.noarch.rpm
warning: /var/tmp/rpm-tmp.PIcyrO: Header V3 DSA signature: NOKEY, key ID b1981b68
Preparing...                ########################################### [100%]
1:rpmfusion-nonfree-relea########################################### [100%]

[admica@myhost ~]$ sudo yum install kmod-nvidia

yum install kmod-nvidia
Loaded plugins: fedorakmod, refresh-packagekit
Setting up Install Process
Parsing package install arguments
Resolving Dependencies
--> Running transaction check
---> Package kmod-nvidia.x86_64 0:177.82-1.fc10.4 set to be updated
--> Processing Dependency: kmod-nvidia-2.6.27.5-117.fc10.x86_64 = 177.82-1.fc10.4 for package: kmod-nvidia
--> Running transaction check
---> Package kmod-nvidia-2.6.27.5-117.fc10.x86_64.x86_64 0:177.82-1.fc10.4 set to be updated
--> Processing Dependency: nvidia-kmod-common >= 177.82 for package: kmod-nvidia-2.6.27.5-117.fc10.x86_64
--> Running transaction check
---> Package xorg-x11-drv-nvidia.x86_64 0:177.82-1.fc10 set to be updated
--> Processing Dependency: xorg-x11-drv-nvidia-libs-x86_64 = 177.82-1.fc10 for package: xorg-x11-drv-nvidia
--> Processing Dependency: livna-config-display >= 0.0.21 for package: xorg-x11-drv-nvidia
--> Processing Dependency: livna-config-display for package: xorg-x11-drv-nvidia
--> Running transaction check
---> Package xorg-x11-drv-nvidia-libs.x86_64 0:177.82-1.fc10 set to be updated
---> Package livna-config-display.noarch 0:0.0.22-1.fc10 set to be updated
--> Processing Dependency: system-config-display for package: livna-config-display
--> Running transaction check
---> Package system-config-display.noarch 0:1.1.1-1.fc10 set to be updated
--> Processing Dependency: rhpxl >= 0.34-1 for package: system-config-display
--> Running transaction check
---> Package rhpxl.x86_64 0:1.9-3.fc10 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

=============================================================================================================================================================
Package                                                Arch                     Version                           Repository                           Size
=============================================================================================================================================================
Installing:
kmod-nvidia                                            x86_64                   177.82-1.fc10.4                   rpmfusion-nonfree                    23 k
Installing for dependencies:

kmod-nvidia-2.6.27.5-117.fc10.x86_64                   x86_64                   177.82-1.fc10.4                   rpmfusion-nonfree                   2.5 M
livna-config-display                                   noarch                   0.0.22-1.fc10                     rpmfusion-nonfree                    65 k
rhpxl                                                  x86_64                   1.9-3.fc10                        fedora                               98 k
system-config-display                                  noarch                   1.1.1-1.fc10                      fedora                              193 k
xorg-x11-drv-nvidia                                    x86_64                   177.82-1.fc10                     rpmfusion-nonfree                   3.5 M
xorg-x11-drv-nvidia-libs                               x86_64                   177.82-1.fc10                     rpmfusion-nonfree                   6.2 M

Transaction Summary
=============================================================================================================================================================
Install      7 Package(s)
Update       0 Package(s)
Remove       0 Package(s)

Total download size: 13 M
Is this ok [y/N]: y
Downloading Packages:
(1/7): kmod-nvidia-177.82-1.fc10.4.x86_64.rpm                                                                                         |  23 kB     00:00
(2/7): livna-config-display-0.0.22-1.fc10.noarch.rpm                                                                                  |  65 kB     00:01
(3/7): rhpxl-1.9-3.fc10.x86_64.rpm                                                                                                    |  98 kB     00:00
(4/7): system-config-display-1.1.1-1.fc10.noarch.rpm                                                                                  | 193 kB     00:00
(5/7): kmod-nvidia-2.6.27.5-117.fc10.x86_64-177.82-1.fc10.4.x86_64.rpm                                                                | 2.5 MB     00:52
(6/7): xorg-x11-drv-nvidia-177.82-1.fc10.x86_64.rpm                                                                                   | 3.5 MB     01:07
(7/7): xorg-x11-drv-nvidia-libs-177.82-1.fc10.x86_64.rpm                                                                              | 6.2 MB     02:01
-------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                         53 kB/s |  13 MB     04:04
warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID b1981b68
rpmfusion-nonfree/gpgkey                                                                                                              | 1.7 kB     00:00
Importing GPG key 0xB1981B68 "RPM Fusion repository (Fedora - nonfree) <rpmfusion-buildsys@lists.rpmfusion.org>" from /etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-nonfree-fedora
Is this ok [y/N]: y
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing     : rhpxl                                                                                                                                 1/7
Installing     : system-config-display                                                                                                                 2/7
Installing     : livna-config-display                                                                                                                  3/7
Installing     : kmod-nvidia                                                                                                                           4/7
Installing     : kmod-nvidia-2.6.27.5-117.fc10.x86_64                                                                                                  5/7
Installing     : xorg-x11-drv-nvidia                                                                                                                   6/7
Installing     : xorg-x11-drv-nvidia-libs                                                                                                              7/7

Installed:
kmod-nvidia.x86_64 0:177.82-1.fc10.4

Dependency Installed:
kmod-nvidia-2.6.27.5-117.fc10.x86_64.x86_64 0:177.82-1.fc10.4 livna-config-display.noarch 0:0.0.22-1.fc10 rhpxl.x86_64 0:1.9-3.fc10
system-config-display.noarch 0:1.1.1-1.fc10                   xorg-x11-drv-nvidia.x86_64 0:177.82-1.fc10  xorg-x11-drv-nvidia-libs.x86_64 0:177.82-1.fc10

Complete!

[admica@myhost ~]$ sudo yum install fusion-icon

Loaded plugins: refresh-packagekit
Setting up Install Process
Parsing package install arguments
Resolving Dependencies
--> Running transaction check
---> Package fusion-icon.noarch 0:0.1.0-0.3.5e2dc9git.fc10 set to be updated
--> Processing Dependency: fusion-icon-ui=0.1.0-0.3.5e2dc9git.fc10 for package: fusion-icon
--> Processing Dependency: ccsm for package: fusion-icon
--> Running transaction check
---> Package fusion-icon-qt.noarch 0:0.1.0-0.3.5e2dc9git.fc10 set to be updated
--> Processing Dependency: PyQt4 for package: fusion-icon-qt
---> Package ccsm.noarch 0:0.7.6-2.fc10 set to be updated
--> Processing Dependency: compizconfig-python >= 0.7.6 for package: ccsm
--> Processing Dependency: libcompizconfig >= 0.7.6 for package: ccsm
--> Processing Dependency: python-sexy for package: ccsm
--> Running transaction check
---> Package PyQt4.x86_64 0:4.4.3-1.fc10 set to be updated
--> Processing Dependency: sip >= 4.7.7 for package: PyQt4
---> Package compizconfig-python.x86_64 0:0.7.6-1.fc10 set to be updated
---> Package libcompizconfig.x86_64 0:0.7.6-2.fc10 set to be updated
---> Package python-sexy.x86_64 0:0.1.9-6.fc10 set to be updated
--> Running transaction check
---> Package sip.x86_64 0:4.7.7-3.fc10 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

=====================================================================================================================
Package                         Arch               Version                                 Repository          Size
=====================================================================================================================
Installing:
fusion-icon                     noarch             0.1.0-0.3.5e2dc9git.fc10                fedora              43 k
Installing for dependencies:
PyQt4                           x86_64             4.4.3-1.fc10                            fedora             3.1 M
ccsm                            noarch             0.7.6-2.fc10                            fedora             679 k
compizconfig-python             x86_64             0.7.6-1.fc10                            fedora              43 k
fusion-icon-qt                  noarch             0.1.0-0.3.5e2dc9git.fc10                fedora             6.7 k
libcompizconfig                 x86_64             0.7.6-2.fc10                            fedora              63 k
python-sexy                     x86_64             0.1.9-6.fc10                            fedora              24 k
sip                             x86_64             4.7.7-3.fc10                            fedora             237 k

Transaction Summary
=====================================================================================================================
Install      8 Package(s)
Update       0 Package(s)
Remove       0 Package(s)

Total download size: 4.2 M
Is this ok [y/N]: y
Downloading Packages:
(1/8): fusion-icon-qt-0.1.0-0.3.5e2dc9git.fc10.noarch.rpm                                     | 6.7 kB     00:00
(2/8): python-sexy-0.1.9-6.fc10.x86_64.rpm                                                    |  24 kB     00:00
(3/8): fusion-icon-0.1.0-0.3.5e2dc9git.fc10.noarch.rpm                                        |  43 kB     00:00
(4/8): compizconfig-python-0.7.6-1.fc10.x86_64.rpm                                            |  43 kB     00:00
(5/8): libcompizconfig-0.7.6-2.fc10.x86_64.rpm                                                |  63 kB     00:00
(6/8): sip-4.7.7-3.fc10.x86_64.rpm                                                            | 237 kB     00:00
(7/8): ccsm-0.7.6-2.fc10.noarch.rpm                                                           | 679 kB     00:01
(8/8): PyQt4-4.4.3-1.fc10.x86_64.rpm                                                          | 3.1 MB     00:05
---------------------------------------------------------------------------------------------------------------------
Total                                                                                475 kB/s | 4.2 MB     00:09
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing     : libcompizconfig                                                                               1/8
Installing     : compizconfig-python                                                                           2/8
Installing     : python-sexy                                                                                   3/8
Installing     : sip                                                                                           4/8
Installing     : PyQt4                                                                                         5/8
Installing     : ccsm                                                                                          6/8
Installing     : fusion-icon                                                                                   7/8
Installing     : fusion-icon-qt                                                                                8/8

Installed:
fusion-icon.noarch 0:0.1.0-0.3.5e2dc9git.fc10

Dependency Installed:
PyQt4.x86_64 0:4.4.3-1.fc10                           ccsm.noarch 0:0.7.6-2.fc10
compizconfig-python.x86_64 0:0.7.6-1.fc10             fusion-icon-qt.noarch 0:0.1.0-0.3.5e2dc9git.fc10
libcompizconfig.x86_64 0:0.7.6-2.fc10                 python-sexy.x86_64 0:0.1.9-6.fc10
sip.x86_64 0:4.7.7-3.fc10

Complete!

Now reboot and the next time gnome/kde/xfce/whatever runs, you can open a terminal and run fusion-icon and it will handle loading the 3d environment for you.

[admica@myhost ~]$ fusion-icon &

* Detected Session: unknown
* Searching for installed applications...
* NVIDIA on Xorg detected, exporting: __GL_YIELD=NOTHING
* Using the GTK Interface
* Interface not installed
... Trying another interface

blah blah blah, and it works…  To get better looking themes, try installing emerald and emerald-themes.

Linux, ooo! Shiny...

How to automate just about anything using cron jobs

November 24th, 2008

Cron is so simple yet so useful that I think it's often unappreciated! Being able to toss a command into a cron job, or execute a script at specific times of the day, on specific days of the week, and so on: that's good stuff!

You could call a script that checks your mail once an hour, cleans out a temporary directory, or archives a special directory where you dump files to get saved without ever having to visit the server manually and tar/gzip the files yourself.

My latest use for cron is a nightly build script for building code checked out of Subversion. I'm doing this on my system for personal use, but also at work, along with a Python script I'm writing that also runs from a cron job a few hours later. It parses the build log looking for errors. If it sees errors, it sends them out in email. Python is wonderful… /off topic.

# +------------ minute (0 - 59)
# | +---------- hour (0 - 23)
# | | +-------- day of month (1 - 31)
# | | | +------ month (1 - 12)
# | | | | +---- day of week (0 - 6) (Sunday=0 or 7)
# | | | | |
* * * * * command to be executed

If you want to run a script called check-for-rootkits.sh every 10 minutes, it's as easy as:

*/10 * * * * /root/check-for-rootkits.sh
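As an added example (not code from the original post), here is a small Python parser for the five crontab time fields in the diagram above, so a line like the */10 one can be checked against a given clock time without a running cron. It handles "*", "*/step", "a-b", "a-b/step" and comma lists, accepts Sunday as either 0 or 7 as the diagram notes, and follows Vixie cron's rule that when both day-of-month and day-of-week are restricted the job fires when either matches. Function names are hypothetical.

```python
# Added example, not from the original post: a parser for the five crontab time
# fields, so a schedule can be checked against a datetime offline.
# Function names are hypothetical, not from any cron implementation.
from datetime import datetime

# Inclusive (low, high) bounds for minute, hour, day of month, month, day of week
FIELD_RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 7)]


def parse_field(spec, low, high):
    """Expand one crontab time field into the set of integers it covers."""
    values = set()
    for part in spec.split(","):
        rng, _, step = part.partition("/")
        step = int(step) if step else 1
        if step < 1:
            raise ValueError("bad step in %r" % part)
        if rng == "*":
            start, end = low, high
        elif "-" in rng:
            a, b = rng.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = end = int(rng)
        if not (low <= start <= end <= high):
            raise ValueError("value out of range in %r" % part)
        values.update(range(start, end + 1, step))
    return values


def parse_schedule(line):
    """Split a crontab line into ([minute, hour, dom, month, dow] sets, day_or, command)."""
    fields = line.split(None, 5)
    if len(fields) < 6:
        raise ValueError("need five time fields followed by a command")
    sets = [parse_field(f, lo, hi) for f, (lo, hi) in zip(fields[:5], FIELD_RANGES)]
    if 7 in sets[4]:          # Sunday=7 is an alias for Sunday=0
        sets[4].add(0)
    # Vixie cron: a day field counts as "restricted" unless it starts with '*';
    # if both day fields are restricted, either one matching is enough.
    day_or = not fields[2].startswith("*") and not fields[4].startswith("*")
    return sets, day_or, fields[5]


def matches(line, when):
    """True if cron would start `line` in the minute containing datetime `when`."""
    (minutes, hours, doms, months, dows), day_or, _ = parse_schedule(line)
    dow = (when.weekday() + 1) % 7    # datetime: Monday=0..Sunday=6 -> cron: Sunday=0
    if day_or:
        day_ok = when.day in doms or dow in dows
    else:
        day_ok = when.day in doms and dow in dows
    return (when.minute in minutes and when.hour in hours
            and when.month in months and day_ok)


if __name__ == "__main__":
    line = "*/10 * * * * /root/check-for-rootkits.sh"
    print(matches(line, datetime(2008, 11, 24, 3, 20)))   # True
    print(matches(line, datetime(2008, 11, 24, 3, 25)))   # False
```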

You could also get fancy and use "run as" to run cron jobs as specific users. Users can do this on their own ("crontab -e"), but you could force things to happen for them from your root crontab if you wanted. Fedora makes use of this for running the hourly and nightly cron directories. If you want anything to run along with the standard Fedora cron jobs, you just drop your script into those directories and it fires off alongside the defaults.

Linux

How to install a specific version of some rpm with YUM

November 23rd, 2008

You want to install a special version of openssl that’s not the latest release, but some other app requires that specific one — how do you do it?

Let's assume you don't have the right repository installed, and you need to set that up first. If you're looking for some package that you know is in freshrpms or livna, then right out of the box the default Fedora installation won't look in those repositories. So import the GPG key and add the repo file.

rpm --import http://freshrpms.net/RPM-GPG-KEY-freshrpms
rpm -ivh http://ftp.freshrpms.net/pub/freshrpms/fedora/linux/8/freshrpms-release/freshrpms-release-1.1-1.fc.noarch.rpm

The --import lets yum's GPG signature check pass, and that check will fail if someone tries to stick a bad package in the repo, unless they've gotten hold of the signing key, à la the Fedora fiasco a few months ago. But don't worry about any of that right now. Just import the key, or else yum will complain when you try to install anything. The 2nd line, "rpm -ivh", installs a package. That package contains the .repo file and puts it in /etc/yum.repos.d/; that's what really enables you to search in freshrpms.

Here’s another one, installing livna this time (livna is great for nvidia and ati drivers.  They compile the video drivers for specific kernels and package them for you.)

rpm --import http://livna-dl.reloumirrors.net/RPM-LIVNA-GPG-KEY
rpm -ivh http://rpm.livna.org/livna-release-8.rpm

Now on to installing a specific version of something. If you know what you're looking for, say openssl for example, put the version after the package name when you install it from the command line. You can also specify the architecture and the distribution release version. But when that doesn't work, try this:

  • Open a browser and go to http://mirrors.fedoraproject.org/publiclist
  • Find a mirror somewhat geographically close to you, or one that you know will serve your requests fast, and click on “http”.  I’ll choose mirrors.kernel.org.  At this point you’ll be in a basic directory browsing mode.
Name                    Last modified      Size

Parent Directory                           -
core/                   17-Oct-2006 12:46  -
development/            23-Nov-2008 06:30  -
extras/                 18-Jun-2007 21:00  -
releases/               18-Nov-2008 22:12  -
updates/                21-Nov-2008 19:16  -
  • From here I clicked updates, then 9, then x86_64.newkey and ended up here: http://mirrors.kernel.org/fedora/updates/9/x86_64.newkey/  with a huge list of packages.
  • Download the package you need, then find that file in a terminal. It's probably going to land in your home directory or ~/Desktop, but that all depends on how your browser is set up. Once you're there, here's the line to install it properly.

$ sudo yum localinstall openssl-0.9.8g-9.fc9.i686.rpm

  • The end result is exactly the same as if you installed from the repository.

Linux

How to start or stop a process that’s slow to respond

November 18th, 2008

Got a process that you want to restart in a script, but it doesn't respond nicely? Use the sleep command in your script and check the process's status after you start, stop, or kill it. After incrementally backing off a few times, waiting longer and longer, I give up and exit with an error. But you could come back later, or basically raise an exception by saving the value of "$?". You can do this when you start a process and want to make sure it's fully up and running before moving on, because it sometimes dies unexpectedly. There's a ton of uses for sleep.

#!/bin/sh
DAEMON=myapp
sudo /etc/rc.d/init.d/$DAEMON start

# Back off incrementally (1, 2, 3, 3 seconds) before giving up.  grep -c counts
# the grep command itself, so a count of exactly 1 means no $DAEMON process is up.
for delay in 1 2 3 3; do
    sleep $delay
    if [ "`sudo ps -ef | grep -c $DAEMON`" != "1" ]; then
        break   # $DAEMON is running, carry on with the rest of the script
    fi
done

if [ "`sudo ps -ef | grep -c $DAEMON`" = "1" ]; then
    echo
    echo "ERROR: $DAEMON did not restart."
    echo "Quitting Early!..."
    exit 1
fi

Linux, Solaris

Add your public SSH keys to a remote host’s authorized_keys in a single command

November 14th, 2008

[user@localhost ~]$ cat ~/.ssh/id_rsa.pub ~/.ssh/id_dsa.pub | ssh user@remotehost 'sh -c "cat - >> ~/.ssh/authorized_keys"'

You’ll be prompted for the password just this one last time.  This is perfect for running a script that runs several remote commands through ssh.  Here’s a script that checks for your keys and adds them if they’re not there.  You’ll get prompted for a password twice if the keys didn’t already exist, and then no more.

#!/bin/sh
MY_NAME=`hostname`
MY_IPADDR=`hostname -i`

# Make sure the remote ~/.ssh and authorized_keys exist with permissions sshd
# accepts (with the default StrictModes it ignores the file if it or the
# directory is group/world writable), then look for a key tagged with our hostname.
CHECK_KEYS=`ssh user@remotehost "mkdir -p ~/.ssh; chmod 700 ~/.ssh; \
touch ~/.ssh/authorized_keys; chmod 600 ~/.ssh/authorized_keys; \
grep -e $MY_NAME ~/.ssh/authorized_keys"`

LENGTH=`expr "$CHECK_KEYS" : '.*'`
if [ "$LENGTH" -lt 3 ]; then
    # not there yet: cat the keys across
    cat ~/.ssh/id_rsa.pub ~/.ssh/id_dsa.pub | ssh user@remotehost 'sh -c "cat - >> ~/.ssh/authorized_keys"'
else
    : # they already exist
fi

Another way around the password prompting issue from running a bunch of ssh commands is to branch the script and have one branch check your hostname to make sure you’re not the remote host and then start running all your commands.  When you get to the stuff you want to do remotely, echo the script across your ssh tunnel and execute it.  Now in the script, go into the 2nd branch that only runs if the hostname check matches the remote host, and it will skip down to this part on the remote run.  This gets around having a 2nd script with all your remote commands in it.  It might not be elegant, but it works!

#!/bin/sh
# Usage: ./thisscript remotehost   (use the same name form that `hostname` prints there)
if [ "`hostname`" != "$1" ]; then
    # You ran this script with the remote host as the 1st argument, so the names
    # are not equal and this local branch runs.
    # do a bunch of local stuff here
    # Ship this very script across ssh: "bash -s" reads it from stdin, and the
    # words after -s become $1 and $2 on the remote side.
    cat "$0" | ssh user@"$1" /bin/bash -s "$1" "`hostname`"

else

    # I'm here because I've been called on the remote host.
    CALLED_FROM=$2
    # Now I can run commands as if they were local: `hostname` now returns the
    # remote host's name.  Any variables you want to carry over to the remote
    # host, such as where I was called from, just go on as additional arguments
    # after -s and arrive as $2, $3, ... etc. when you enter this else clause!
fi

Linux

OpenLDAP + Replica + StartTLS encryption on Fedora in 10 minutes

November 12th, 2008

I wouldn't do it this way for a production network, but I've set up similar configurations for testing in VMware, in a research environment, and in a production environment. So instead of a step by step, here's a quick run through… It should clear up some of the missing pieces when you try to go from a basic LDAP server to multiple servers with StartTLS encryption.

If you haven’t done this before, you might want to break it into pieces like getting just the primary LDAP  server up with no encryption first.  But you can find those how-to’s anywhere.  Go big or go home right?

On the Server, become root and install OpenLDAP packages.

The machine you designate as the ’server’ will need “openldap-servers” and “openldap-clients” because you’ll want the server to be a client of itself. You’ll also need “nss_ldap” which, from yum info, allows LDAP to be used as a primary source of aliases, ethers, groups, hosts, networks, protocol, users, RPCs, services, and shadow passwords, and contains PAM support for password changes, V2 clients, Netscape’s SSL, ypldapd, Netscape Directory Server password policies, access authorization, and crypted hashes.

$ sudo su -
# yum install openldap-servers openldap-clients nss_ldap

Generate a master password using slappasswd, copy and paste this password into slapd.conf

# /usr/sbin/slappasswd
New password:
Re-enter new password:
{SSHA}kc20D+e1Q25OXi39YnfVvj8zSrSto3TT

My LDAP primary server's hostname is "server1". I'll also set up a replica server named "server2". My network's domain is "mydomain.com". So, on to your /etc/openldap/slapd.conf. I'm going to set up both servers and the encryption all at the same time. If you run into issues after all this, you might not know which part you've messed up, but starting ldap with lots of logging will let us figure out where it's hung up. This should all come out fine and work like a charm, so just go for it. But if you really don't like that approach, feel free to skip the encryption and/or replica server parts (comment them out and delete the "tls_ssf=256 ssf=256" parts in slapd.conf) and come back to them later. Only the last section, starting with the comment "Replicas", will be different on your replica server2. It will point to your primary server, server1, of course!

The finished version of /etc/openldap/slapd.conf should look like this:

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/misc.schema
allow bind_v2
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

TLSRandFile /dev/random
TLSCipherSuite HIGH:MEDIUM:+SSLv2:+SSLv3:RSA
TLSCACertificateFile  /etc/openldap/cacerts/slapd1.pem
TLSCertificateFile    /etc/openldap/cacerts/slapd1.pem
TLSCertificateKeyFile /etc/openldap/cacerts/slapd1.pem

# Password attributes: only over a 256-bit TLS session; a user may write their
# own, anonymous may only bind against them, everyone else gets nothing.
# The "by" lines must be indented: slapd.conf treats an unindented line as a
# new directive, and it stops at the first "by" clause whose "who" matches.
access to attrs=shadowLastChange,userPassword,shadowMax,shadowWarning
        by tls_ssf=256 ssf=256 self write
        by tls_ssf=256 ssf=256 anonymous auth
        by * none
# Everything else: "self write" has to come before "users read", because
# "users" also matches a user's own entry and would otherwise win first.
access to *
        by tls_ssf=256 ssf=256 self write
        by tls_ssf=256 ssf=256 users read
        by tls_ssf=256 ssf=256 * read
        by * none

database        bdb
suffix          "dc=mydomain.com"
rootdn          "cn=Manager,dc=mydomain.com"
rootpw  {SSHA}kc20D+e1Q25OXi39YnfVvj8zSrSto3TT
directory       /var/lib/ldap

timeout 30
cachesize 2500
checkpoint 256 30
searchstack 8

# Indices to maintain
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub

# Replicas (continuation lines indented so slapd reads them as one directive)
replica uri=ldap://server2.mydomain.com:389
        bindmethod=simple
        binddn="cn=Manager,dc=mydomain.com"
        credentials=PlainTextPassword
replogfile /var/lib/ldap/master-replog

The replica’s slapd.conf will include this part instead of the last section:

# updatedn must be the same DN the primary's replica directive binds as
updatedn "cn=Manager,dc=mydomain.com"
updateref ldaps://server1.mydomain.com
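As an added example (not code from the original post), here is a small Python simulator of how slapd evaluates the access block in the slapd.conf above, with the two clauses encoded as data. It applies OpenLDAP's first-match rule (the first access clause whose target matches is used, and within it the first by clause whose who matches decides the result, with no fall-through), and it lists self write ahead of users read because users also matches a user's own entry and would otherwise shadow the self rule. Function names are hypothetical; tls_ssf and ssf are the negotiated cipher's key length in bits, so a 128-bit cipher does not satisfy ssf=256.

```python
# Added example, not from the original post: simulate slapd's evaluation of the
# "access to ... by ..." block from the slapd.conf above.  Hypothetical helper
# names; the ACL contents are the post's, with "self write" before "users read".

# Access levels in slapd's order of strength.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

PASSWORD_ATTRS = {"shadowLastChange", "userPassword", "shadowMax", "shadowWarning"}

# Each clause: (attribute set, or None for "access to *") and its ordered "by"
# lines as ({who-spec with minimum tls_ssf/ssf}, level).
ACL = [
    (PASSWORD_ATTRS, [
        ({"tls_ssf": 256, "ssf": 256, "who": "self"}, "write"),
        ({"tls_ssf": 256, "ssf": 256, "who": "anonymous"}, "auth"),
        ({"who": "*"}, "none"),
    ]),
    (None, [
        ({"tls_ssf": 256, "ssf": 256, "who": "self"}, "write"),
        ({"tls_ssf": 256, "ssf": 256, "who": "users"}, "read"),
        ({"tls_ssf": 256, "ssf": 256, "who": "*"}, "read"),
        ({"who": "*"}, "none"),
    ]),
]


def _who_matches(who, entry_dn, bind_dn, tls_ssf, ssf):
    """True if this <who> specifier applies to the session and entry."""
    # ssf/tls_ssf are minimum strengths in cipher key bits; a cleartext session
    # has 0 and a 128-bit cipher has 128, so neither passes ssf=256.
    if tls_ssf < who.get("tls_ssf", 0) or ssf < who.get("ssf", 0):
        return False
    kind = who["who"]
    if kind == "*":
        return True
    if kind == "anonymous":
        return bind_dn is None
    if kind == "users":
        return bind_dn is not None
    if kind == "self":
        # real slapd compares normalized DNs; lower-casing stands in for that here
        return bind_dn is not None and bind_dn.lower() == entry_dn.lower()
    raise ValueError("unknown who: %s" % kind)


def evaluate_access(entry_dn, attr, bind_dn, tls_ssf=0, ssf=0):
    """Access level the ACL grants bind_dn on attribute attr of entry_dn.

    bind_dn=None models an anonymous session; tls_ssf=ssf=0 models cleartext.
    """
    for attrs, by_clauses in ACL:
        if attrs is not None and attr not in attrs:
            continue  # this "access to" does not cover the attribute
        for who, level in by_clauses:
            if _who_matches(who, entry_dn, bind_dn, tls_ssf, ssf):
                return level  # first matching "by" wins, no fall-through
        return "none"  # clause selected but no "by" matched: implicit deny
    return "none"


def allows(entry_dn, attr, bind_dn, needed, tls_ssf=0, ssf=0):
    """True if the granted level is at least `needed` (e.g. "auth", "read")."""
    granted = evaluate_access(entry_dn, attr, bind_dn, tls_ssf, ssf)
    return LEVELS.index(granted) >= LEVELS.index(needed)


if __name__ == "__main__":
    alice = "uid=alice,ou=People,dc=mydomain.com"
    bob = "uid=bob,ou=People,dc=mydomain.com"
    print(evaluate_access(alice, "cn", bob))                       # none: cleartext
    print(evaluate_access(alice, "userPassword", None, 256, 256))  # auth: anonymous bind only
    print(evaluate_access(alice, "userPassword", bob, 256, 256))   # none: not bob's password
    print(evaluate_access(alice, "cn", bob, 256, 256))             # read
    print(evaluate_access(alice, "cn", bob, 128, 128))             # none: cipher too weak
```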

Create a self signed certificate on server1 and do it again on server2.

Put both pem files on both servers and on all clients.  Clients need the public part so they can talk to either server in case one goes kaboom! and a replica server has to take over for awhile.  Make sure you use the server’s hostname for “Common Name” when you’re creating them.  You can fill in the rest with whatever junk you want.

# cd /etc/openldap/cacerts/
# openssl req -newkey rsa:2048 -x509 -nodes \
-out server.pem -keyout server.pem -days 3650

You’ll get a server.pem file with the private key and certificate together (openssl req writes both into it when -out and -keyout name the same file).  The clients only need the certificate part (the BEGIN CERTIFICATE block) in their /etc/openldap/cacerts/ directory in order to communicate with the servers; the private key should never leave the server it was generated on.  If you want to save time and it’s just for a demo installation, you can just leave the keys in there and copy the files to everyone.  NO I DO NOT RECOMMEND THIS FOR ANY TYPE OF PRODUCTION ENVIRONMENT!  I’m just saying that if you want to save time and you’re just testing this stuff out in virtual machines or a private network, then it will work!
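The certificate handling above, as an added example that is not part of the original post: it creates the combined key+certificate file the way the post does (but non-interactively, with the hostname as Common Name), then produces the certificate-only copy that is the only thing a client or replica should receive, and refuses to ship a file that still contains a private key.  The hostnames, output paths and file names are placeholders; the generate step needs openssl and root, and runs only when asked for explicitly.

```shell
#!/bin/sh
# Added example (not from the original post). Server side: one self-signed
# cert with CN = the hostname clients will use in "uri"; key and cert in
# the same file, which is what slapd.conf above points all three TLS*File
# directives at. Paths and names below are placeholders.

# make_server_pem HOST OUTFILE
make_server_pem() {
    host=$1; out=$2
    openssl req -newkey rsa:2048 -x509 -nodes -days 3650 \
        -subj "/CN=$host" \
        -keyout "$out" -out "$out" || return 1
    # slapd runs as "ldap"; nothing else needs to read the private key.
    chown root:ldap "$out" 2>/dev/null || true   # no-op when not root
    chmod 0640 "$out"
}

# extract_cert COMBINED OUTFILE
# Copies only the CERTIFICATE block(s). This is the file that goes to
# /etc/openldap/cacerts/ on clients and to the other server.
extract_cert() {
    awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' "$1" > "$2"
}

# pem_has_private_key FILE -> 0 if a private key is present, 1 otherwise.
# Matches both "BEGIN RSA PRIVATE KEY" and PKCS#8 "BEGIN PRIVATE KEY".
pem_has_private_key() {
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# Usage on the server: ./mkcert.sh generate server1.mydomain.com
# (guarded so that merely sourcing this file does nothing).
if [ "${1:-}" = "generate" ] && [ -n "${2:-}" ]; then
    srv="/etc/openldap/cacerts/$2.pem"
    cli="/tmp/$2-cert-only.pem"
    make_server_pem "$2" "$srv"
    extract_cert "$srv" "$cli"
    if pem_has_private_key "$cli"; then
        echo "refusing: private key leaked into client copy $cli" >&2
        exit 1
    fi
    echo "server file: $srv (keep here); client copy: $cli"
fi
```

The check at the end is the one worth keeping around: before any pem file leaves a server, `pem_has_private_key` on it should fail.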

Import the local accounts into the LDAP database.

It’s easiest if you just create all the local accounts you want to start with, using whatever method you normally use to make them.  I use useradd from the commandline (-g expects the group to exist already).

# useradd -u 1234 -g 1234 -G wheel zerocool

Run the migration script to fill the ldap database with your accounts.

# /usr/share/openldap/migration/migrate_all_offline.sh
Creating naming context entries…
Migrating groups…
Migrating hosts…

Don’t panic!  They’re not actually migrating, they’re being copied.  Your local accounts will still be there, and they’ll actually be looked at first on any machine because you’ll put “ldap” at the end of the passwd, shadow and group lines in /etc/nsswitch.conf.  This means ldap is consulted only after everything else listed on the line.  Think of it like how /etc/hosts supersedes DNS lookups.
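What the migration script produces for one account, written out by hand as an added example (this is not the migration tools’ code and not from the original post): a /etc/passwd line, plus optionally that user’s hash from /etc/shadow, becomes the posixAccount entry under ou=People that the tools emit.  The ou=People container and the objectClass list are assumed to mirror the migration tools’ defaults; the base DN and the sample records are constructed placeholders, not real accounts.

```shell
#!/bin/sh
# Added example (not from the original post): one /etc/passwd record to
# the LDIF entry migrate_all_offline.sh would write for it.

# Constructed sample records (not from a real system).
SAMPLE_PASSWD='zerocool:x:1234:1234:Zero Cool:/home/zerocool:/bin/bash'
SAMPLE_SHADOW='zerocool:$6$saltsalt$fakehashfakehash:17899:0:99999:7:::'

# shadow_hash_for NAME  (reads shadow records on stdin, prints the hash)
# e.g.  shadow_hash_for zerocool < /etc/shadow
shadow_hash_for() {
    awk -F: -v u="$1" '$1 == u { print $2; exit }'
}

# passwd_to_ldif PASSWD_LINE BASE_DN [SHADOW_HASH]
passwd_to_ldif() {
    base=$2; hash=${3:-}
    oldifs=$IFS; IFS=:
    set -f                       # no globbing while we split on ':'
    set -- $1                    # name:x:uid:gid:gecos:home:shell
    set +f; IFS=$oldifs
    name=$1; uidn=$3; gidn=$4; gecos=$5; home=$6; shell=$7
    printf 'dn: uid=%s,ou=People,%s\n' "$name" "$base"
    printf 'uid: %s\n' "$name"
    printf 'cn: %s\n' "${gecos:-$name}"   # tools fall back to the login name
    printf 'objectClass: account\n'
    printf 'objectClass: posixAccount\n'
    printf 'objectClass: top\n'
    printf 'objectClass: shadowAccount\n'
    # Only the crypt hash is ever carried over, never a cleartext
    # password; the {crypt} prefix tells slapd how to verify a bind.
    if [ -n "$hash" ]; then
        printf 'userPassword: {crypt}%s\n' "$hash"
    fi
    printf 'loginShell: %s\n' "$shell"
    printf 'uidNumber: %s\n' "$uidn"
    printf 'gidNumber: %s\n' "$gidn"
    printf 'homeDirectory: %s\n' "$home"
    printf '\n'
}

# demo_ldif: the sample account above, with its shadow hash, as LDIF.
demo_ldif() {
    h=$(printf '%s\n' "$SAMPLE_SHADOW" | shadow_hash_for zerocool)
    passwd_to_ldif "$SAMPLE_PASSWD" "dc=mydomain.com" "$h"
}

# Usage: ./passwd2ldif.sh demo | ldapadd -x -ZZ -D cn=Manager,dc=mydomain.com -W
if [ "${1:-}" = "demo" ]; then
    demo_ldif
fi
```

Because the resulting entry carries the password hash, the LDIF file deserves the same protection as /etc/shadow, and the ACL in slapd.conf above is what keeps userPassword unreadable once it is in the directory.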

Make sure the ldap user (automatically created by your openldap package installation) owns the files in your database directory and the certificates.

# chown -R ldap:ldap /var/lib/ldap
# chown ldap:ldap /etc/openldap/cacerts/*.pem

Edit /etc/sysconfig/ldap

You want to make it start LDAP and LDAPS so it will listen on ports 389 and 636.  It’s probably not necessary, but maybe you’ll run into a legacy application that uses encryption but doesn’t like StartTLS.

# cat /etc/sysconfig/ldap

# At least one of SLAPD_LDAP, SLAPD_LDAPI and SLAPD_LDAPS must be set to 'yes'!
#
# Run slapd with -h "... ldap:/// ..."
#   yes/no, default: yes
SLAPD_LDAP=yes

# Run slapd with -h "... ldapi:/// ..."
#   yes/no, default: no
SLAPD_LDAPI=no

# Run slapd with -h "... ldaps:/// ..."
#   yes/no, default: no
SLAPD_LDAPS=yes

Copy DB_CONFIG.example to the database directory.

If you don’t have this file or something like it, renamed to “DB_CONFIG” in there, you will see warnings when you try to start the ldap service.  So just copy and forget about it.

# cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/

At this point, the server side of things is done, however, you won’t be able to verify this until you set up the server as a client.  So continue on with server1.  Edit /etc/ldap.conf and tell it the server, where in the tree to start searching from, and where to get encryption info from.  Or you can just run /usr/bin/authconfig-tui which is provided by package “authconfig”.  This will prompt you for all the fields necessary to configure the machine for ldap.  I use “localhost” for the server, but the actual dns name or ip address for the server for the clients.

Configure /etc/ldap.conf on the clients (and the server so it can be a client of itself).  Two lines carry the security here: “ssl start_tls” is what encrypts the bind, and “tls_checkpeer yes” is what makes the client refuse a server whose certificate does not match something in tls_cacertfile or tls_cacertdir; the client also compares the hostname from the uri line against the certificate’s Common Name.  The file named in tls_cacertfile is whatever you called the certificate-only copy (slapd1.pem on the server above), and if a client may talk to both servers both certificates need to be in there.

# cat /etc/ldap.conf
base dc=mydomain.com
uri ldap://localhost
timelimit 3
bind_timelimit 3
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,tomcat,radiusd,news,mailman,nscd
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/slapd.pem
tls_randfile /dev/random
tls_cacertdir /etc/openldap/cacerts
pam_password md5

Configure the OS to actually acknowledge LDAP’s existence

Add “ldap” to the passwd, shadow, and group lines in /etc/nsswitch.conf and edit PAM settings. If you used authconfig-tui, this will get added automagically for you. When you’re done nsswitch should include this:

# grep ldap /etc/nsswitch.conf
passwd:     files ldap
shadow:     files ldap
group:      files ldap
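A quick audit of the client side as configured in the two files above, added here as an example that is not part of the original post: it reads /etc/ldap.conf and /etc/nsswitch.conf (or copies of them, the paths are arguments) and fails when TLS is off, when the server certificate would not be verified, or when “ldap” is missing or listed ahead of “files” on the passwd, shadow and group lines.  The accepted values are only the ones the post uses (ssl start_tls or on, tls_checkpeer yes); anything else is treated as a finding.

```shell
#!/bin/sh
# Added example (not from the original post): audit the nss_ldap client
# configuration and the nsswitch ordering described above.

# conf_value FILE KEY -> value of the first non-comment "KEY value" line
conf_value() {
    awk -v k="$2" '$1 == k { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# audit_ldap_conf FILE -> 0 when the session is encrypted AND the peer is
# verified. "ssl start_tls" alone encrypts but accepts any certificate,
# which is the combination this is meant to catch.
audit_ldap_conf() {
    f=$1; rc=0
    case "$(conf_value "$f" ssl)" in
        start_tls|on) ;;
        *) echo "$f: ssl is not start_tls/on: binds cross the wire in clear" >&2; rc=1 ;;
    esac
    case "$(conf_value "$f" tls_checkpeer)" in
        yes) ;;
        *) echo "$f: tls_checkpeer is not yes: server certificate not verified" >&2; rc=1 ;;
    esac
    ca=$(conf_value "$f" tls_cacertfile); cadir=$(conf_value "$f" tls_cacertdir)
    if [ -z "$ca$cadir" ]; then
        echo "$f: no tls_cacertfile/tls_cacertdir: nothing to verify against" >&2; rc=1
    fi
    return $rc
}

# nss_order FILE DB -> the sources listed for DB, e.g. "files ldap"
nss_order() {
    awk -v db="$2:" '$1 == db { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# audit_nsswitch FILE -> 0 when passwd, shadow and group each list
# "files" before "ldap", so local accounts (root!) still resolve when
# the directory is unreachable.
audit_nsswitch() {
    f=$1; rc=0
    for db in passwd shadow group; do
        order=$(nss_order "$f" "$db"); seen_files=0; ok=0
        for src in $order; do
            case $src in
                files|compat) seen_files=1 ;;
                ldap) if [ $seen_files -eq 1 ]; then ok=1; fi ;;
            esac
        done
        if [ $ok -ne 1 ]; then
            echo "$f: $db: expected 'files' before 'ldap', got '$order'" >&2; rc=1
        fi
    done
    return $rc
}

# Usage on a client: ./ldap-client-audit.sh --system
if [ "${1:-}" = "--system" ]; then
    rc=0
    audit_ldap_conf /etc/ldap.conf || rc=1
    audit_nsswitch /etc/nsswitch.conf || rc=1
    exit $rc
fi
```

Run it on every client after authconfig-tui, not just the server: authconfig writes tls_checkpeer only if the TLS box was ticked, and a client that encrypts but does not verify will happily hand its bind password to anything answering on port 389.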

Start the ldap service on the primary and replica servers.  You should see the primary server start both slapd and slurpd while the replica just starts slapd.  (slurpd only exists through OpenLDAP 2.3; 2.4 dropped it, and the replica/replogfile/updatedn directives above are replaced there by syncrepl.)  That’s it.

Linux