A Linux blog by ioMeWeekly, includes tutorials, news, help, programming, tips and how-to guides for opensource applications.
Thursday, 27 November 2014
Zentyal as a firewall (gateway).
Zentyal is the Linux Small Business Server; it lets you manage all your network services through a single platform. It is a Network Gateway as well as an Infrastructure, UTM (Unified Threat Manager), Office and Communications Server. All these features are fully integrated and easy to configure, which saves system administrators time.
In this tutorial, you will see how to set up a Zentyal Server to act as a gateway in a very common scenario. Zentyal will provide basic network infrastructure, load balancing between two Internet providers, a firewall, and HTTP proxy caching and content filtering. All these steps are well explained in the Zentyal Documentation, which is highly recommended reading.
Monday, 24 November 2014
How to install an IRC server on Fedora 20 (ngircd)
Below are the steps to install the ngircd (IRC) server on Fedora 20.
ngIRCd is a free, portable and lightweight Internet Relay Chat server for small or private networks, developed under the GNU General Public License (GPL). It is easy to configure, can cope with dynamic IP addresses, and supports IPv6, SSL-protected connections as well as PAM for authentication. It is written from scratch and not based on the original IRCd. The steps:
Install server:
[root@localhost ~]# yum install ngircd
Edit config file:
[root@localhost ~]# vi /etc/ngircd.conf
# $Id$
#
# This is a sample configuration file for the ngIRCd, which must be adapted
# to the local preferences and needs.
#
# Comments are started with "#" or ";".
#
# A lot of configuration options in this file start with a ";". You have
# to remove the ";" in front of each variable to actually set a value!
# The disabled variables are shown with example values for completeness.
#
# Use "ngircd --configtest" (see manual page ngircd(8)) to validate that the
# server interprets the configuration file as expected!
#

[Global]
# The [Global] section of this file is used to define the main
# configuration of the server, like the server name and the ports
# on which the server should be listening.

# Server name in the IRC network, must contain at least one dot
# (".") and be unique in the IRC network. Required!
Name = irc.the.net

# Info text of the server. This will be shown by WHOIS and
# LINKS requests for example.
Info = Server Info Text

# Global password for all users needed to connect to the server
;Password = abc

# Information about the server and the administrator, used by the
# ADMIN command. Not required by server but by RFC!
;AdminInfo1 = Description
;AdminInfo2 = Location
;AdminEMail = admin@irc.server

# Ports on which the server should listen. There may be more than
# one port, separated with ",". (Default: 6667)
;Ports = 6667, 6668, 6669

# comma separated list of IP addresses on which the server should
# listen. Default values are:
# "0.0.0.0" or (if compiled with IPv6 support) "::,0.0.0.0"
# so the server listens on all IP addresses of the system by default.
Listen = 127.0.0.1,192.168.5.51

# Text file with the "message of the day" (MOTD). This message will
# be shown to all users connecting to the server:
;MotdFile = /etc/ngircd.motd

# A simple Phrase (<256 chars) if you don't want to use a motd file.
# If it is set no MotdFile will be read at all.
MotdPhrase = "Hello world!"

# User ID under which the server should run; you can use the name
# of the user or the numerical ID. ATTENTION: For this to work the
# server must have been started with root privileges! In addition,
# the configuration and MOTD files must be readable by this user,
# otherwise RESTART and REHASH won't work!
ServerUID = ngircd

# Group ID under which the ngircd should run; you can use the name
# of the group or the numerical ID. ATTENTION: For this to work the
# server must have been started with root privileges!
ServerGID = ngircd

# A directory to chroot in when everything is initialized. It
# doesn't need to be populated if ngIRCd is compiled as a static
# binary. By default ngIRCd won't use the chroot() feature.
# ATTENTION: For this to work the server must have been started
# with root privileges!
;ChrootDir = /var/empty

# This tells ngircd to write its current process id to a file.
# Note that the pidfile is written AFTER chroot and switching uid,
# i. e. the Directory the pidfile resides in must be writeable by
# the ngircd user and exist in the chroot directory.
PidFile = /var/run/ngircd/ngircd.pid

# After <PingTimeout> seconds of inactivity the server will send a
# PING to the peer to test whether it is alive or not.
;PingTimeout = 120

# If a client fails to answer a PING with a PONG within <PongTimeout>
# seconds, it will be disconnected by the server.
;PongTimeout = 20

# The server tries every <ConnectRetry> seconds to establish a link
# to not yet (or no longer) connected servers.
;ConnectRetry = 60

# Should IRC Operators be allowed to use the MODE command even if
# they are not(!) channel-operators?
;OperCanUseMode = no

# Mask IRC Operator mode requests as if they were coming from the
# server? (This is a compatibility hack for ircd-irc2 servers)
;OperServerMode = no

# Allow Pre-Defined Channels only (see Section [Channels])
PredefChannelsOnly = yes

# Don't do any DNS lookups when a client connects to the server.
;NoDNS = no

# try to connect to other irc servers using ipv4 and ipv6, if possible
;ConnectIPv6 = yes
ConnectIPv4 = yes

# Maximum number of simultaneous connection the server is allowed
# to accept (0: unlimited):
MaxConnections = 0

# Maximum number of simultaneous connections from a single IP address
# the server will accept (0: unlimited):
;MaxConnectionsIP = 5

# Maximum number of channels a user can be member of (0: no limit):
MaxJoins = 10

# Maximum length of an user nick name (Default: 9, as in RFC 2812).
# Please note that all servers in an IRC network MUST use the same
# maximum nick name length!
;MaxNickLength = 9

[Operator]
# [Operator] sections are used to define IRC Operators. There may be
# more than one [Operator] block, one for each local operator.

# ID of the operator (may be different of the nick name)
;Name = TheOper

# Password of the IRC operator
;Password = ThePwd

# Optional Mask from which /OPER will be accepted
;Mask = *!ident@somewhere.example.com

[Operator]
# More [Operator] sections, if you like ...

[Server]
# Other servers are configured in [Server] sections. If you
# configure a port for the connection, then this ngircd tries to
# connect to the other server on the given port; if not it waits
# for the other server to connect.
# There may be more than one server block, one for each server.
#
# Server Groups:
# The ngIRCd allows "server groups": You can assign an "ID" to every
# server with which you want this ngIRCd to link. If a server of a
# group won't answer, the ngIRCd tries to connect to the next server
# in the given group. But the ngircd never tries to connect to two
# servers with the same group ID.

# IRC name of the remote server, must match the "Name" variable in
# the [Global] section of the other server (when using ngIRCd).
Name = irc2.the.net

# Internet host name or IP address of the peer (only required when
# this server should establish the connection).
;Host = connect-to-host.the.net

# IP address to use as _source_ address for the connection. if unspecified,
# ngircd will let the operating system pick an address.
Bind = 192.168.5.51

# Port of the server to which the ngIRCd should connect. If you
# assign no port the ngIRCd waits for incoming connections.
Port = 6667

# Own password for the connection. This password has to be configured
# as "PeerPassword" on the other server.
;MyPassword = def

# Foreign password for this connection. This password has to be
# configured as "MyPassword" on the other server.
;PeerPassword = ghi

# Group of this server (optional)
;Group = 123

# Set the "Passive" option to "yes" if you don't want this ngIRCd to
# connect to the configured peer (same as leaving the "Port" variable
# empty). The advantage of this option is that you can actually configure
# a port and use the IRC command CONNECT more easily to manually connect
# this specific server later.
;Passive = no

[Server]
# More [Server] sections, if you like ...

[Channel]
# Pre-defined channels can be configured in [Channel] sections.
# Such channels are created by the server when starting up and even
# persist when there are no more members left.
# Persistent channels are marked with the mode 'P', which can be set
# and unset by IRC operators like other modes on the fly.
# There may be more than one [Channel] block, one for each channel.

# Name of the channel
Name = #TheName

# Topic for this channel
Topic = a great topic

# Initial channel modes
Modes = tn

# initial channel password (mode k)
Key =

# maximum users per channel (mode l)
MaxUsers = 23

[Channel]
# More [Channel] sections, if you like ...
Enable Server on boot:
[root@localhost ~]# systemctl enable ngircd
Start irc service:
[root@localhost ~]# service ngircd start
As for IRC client to use, I am using Nettalk. It is a free (open source) IRC-client. Cheers...
Friday, 24 October 2014
How To Install MySQL On CENTOS 7
Below are the steps to install MySQL server on CentOS 7.
The default replacement for MySQL server is MariaDB. MariaDB is a community-developed fork of the MySQL relational database management system. If, for whatever reason, you would like to install the previous MySQL server, this guide walks you through the installation. The steps:
Setup MySQL repository
[root@localhost ~]# sudo rpm -Uvh http://dev.mysql.com/get/mysql-community-release-el7-5.noarch.rpm
Install Server:
[root@localhost ~]# yum install mysql-server
Start Server:
[root@localhost ~]# systemctl start mysqld
Enable Server on boot:
[root@localhost ~]# systemctl enable mysqld
Change root password:
[root@localhost ~]# mysqladmin -u root password
Friday, 26 September 2014
Install Keepalived on CentOS 7
Keepalived is a solution that provides a strong and robust health-check framework and also implements a hot-standby protocol. It gives load-balancing services high availability (HA) and prevents a single point of failure.
The following is a set of instructions on setting up Keepalived service on CentOS7.
Assume network as below:
LB1:Loadbalancer 1:192.168.1.80
LB2:Loadbalancer 2:192.168.1.81
Vip1:Virtual IP:192.168.1.82
We want to use LB1 as the master LB, LB2 as standby. If LB1 fails, LB2 will take over as master. Whoever is the master will take over the Vip of 192.168.1.82.
To configure LB1:192.168.1.80, ssh into LB1:
[root@LB1 ~]# yum install keepalived
To allow kernel binding non-local IP into the hosts and apply the changes:
[root@LB1 ~]# echo "net.ipv4.ip_nonlocal_bind = 1" >> /etc/sysctl.conf
[root@LB1 ~]# sysctl -p
[root@LB1 ~]# vi /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
    notification_email {
        admin1@domain.com
    }
    notification_email_from admin@local
    smtp_server 192.168.1.99
    smtp_connect_timeout 30
}
vrrp_script chk_curl {
    script "/usr/bin/curl http://192.168.1.80"
    interval 2
    weight -4
    timeout 5
    fall 2
    rise 2
}
vrrp_instance VI_1 {
    state MASTER
    interface eth0
    virtual_router_id 51
    priority 101
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.1.82/32 dev eth0
    }
    track_script {
        chk_curl
    }
}
[root@LB1 ~]# service keepalived start
Next configure LB2:192.168.1.81, ssh into LB2:
[root@LB2 ~]# yum install keepalived
To allow kernel binding non-local IP into the hosts and apply the changes:
[root@LB2 ~]# echo "net.ipv4.ip_nonlocal_bind = 1" >> /etc/sysctl.conf
[root@LB2 ~]# sysctl -p
[root@LB2 ~]# vi /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
    notification_email {
        admin1@domain.com
    }
    notification_email_from admin@local
    smtp_server 192.168.1.99
    smtp_connect_timeout 30
}
vrrp_script chk_curl {
    script "/usr/bin/curl http://192.168.1.81"
    interval 2
    weight -4
    timeout 5
    fall 2
    rise 2
}
vrrp_instance VI_1 {
    state MASTER
    interface eth0
    virtual_router_id 51
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.1.82/32 dev eth0
    }
    track_script {
        chk_curl
    }
}
[root@LB2 ~]# service keepalived start
chk_curl is a checking script; in the configuration above it checks whether the httpd service is functioning. 192.168.1.80 has the higher priority (101), so 1.80 will be master while 1.81 will be backup. If the curl fails, e.g. httpd is down, the VIP (192.168.1.82) will swing to 192.168.1.81.
This custom checking script is useful: if you have other checking criteria, you can script them in. Basically, vrrp_script checks the return value of the script (e.g. $? in bash).
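The custom check described above, written out as a stand-alone script. This is an added example, not part of the original post; the file name chk_http.sh and the function names are assumptions. It reports an HTTP error status as a failure, which a bare curl call does not, because curl exits 0 on a 500 response unless told otherwise.

```sh
#!/bin/sh
# chk_http.sh (hypothetical name): health check for a keepalived vrrp_script block.
# keepalived only looks at the exit status: 0 = healthy, anything else = failed.
#
# Referenced from keepalived.conf like the page's chk_curl block, e.g.:
#   script "/usr/local/bin/chk_http.sh http://192.168.1.80/"

# Path to curl; overridable so the logic can be exercised without a network.
CURL="${CURL:-/usr/bin/curl}"

# status_is_healthy CODE -> 0 for a 2xx/3xx HTTP status, 1 for anything else.
status_is_healthy() {
    case "$1" in
        2[0-9][0-9] | 3[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# check_http URL -> 0 healthy, 1 server answered with an error status,
#                   2 no usable answer (refused, DNS failure, timeout).
check_http() {
    # --max-time keeps the check shorter than the vrrp_script "timeout 5".
    _code=$("$CURL" --silent --output /dev/null --max-time 3 \
                    --write-out '%{http_code}' "$1") || return 2
    status_is_healthy "$_code" || return 1
    return 0
}

# Run the check when called with a URL; only define the functions when
# the file is sourced or run without arguments.
if [ "$#" -gt 0 ]; then
    check_http "$1"
    exit $?
fi
```

With the settings shown above (weight -4, fall 2), two consecutive failures lower LB1 from priority 101 to 97, below LB2's 100, and the VIP moves to LB2.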
Centos 7 firewall (firewalld)
CentOS 7 uses firewalld instead of iptables. Below are the steps to enable/disable firewalld.
To check the status of the firewall:
# service firewalld status
To disable the firewall:
# service firewalld stop
To start the firewall:
# service firewalld start
To enable firewall on boot:
# systemctl enable firewalld
To disable firewall on boot:
# systemctl disable firewalld
To check on how to configure firewall:
# man firewall-cmd
To get the default zone:
# firewall-cmd --get-default-zone
To list all services in public zone:
# firewall-cmd --zone=public --list-all
To accept http service in public zone permanently:
# cat /etc/firewalld/zones/public.xml
# firewall-cmd --permanent --zone=public --add-service=http
# firewall-cmd --reload
# cat /etc/firewalld/zones/public.xml
To deny http service in public zone permanently:
# cat /etc/firewalld/zones/public.xml
# firewall-cmd --permanent --zone=public --remove-service=http
# firewall-cmd --reload
# cat /etc/firewalld/zones/public.xml
The GUI screen to control the firewall is available from the menu. To install using yum:
# yum install firewall-config
To get to Firewall GUI:
Fedora : System > Administration > Firewall
RHEL7/OL7 : Applications > Sundry > Firewall
Friday, 18 July 2014
CentOS 7: "-bash: ifconfig: command not found"
On a newly installed CentOS 7, entering the network command "ifconfig" causes the error "-bash: ifconfig: command not found". This is because "net-tools" is not installed by default. Installing "net-tools" solves the problem.
# yum install net-tools
# ifconfig
Friday, 16 May 2014
Apache http server ldap authentication (by group)
To set up the Apache server to use 389 Directory Server as the access manager, make sure mod_ldap is set up with the Apache server:
yum install mod_ldap
vi /etc/httpd/conf.modules.d/01-ldap.conf
# This file configures the LDAP modules:
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
And that these lines are in the httpd.conf file:
AuthType Basic
AuthName "Protected Area"
AuthBasicProvider ldap
AuthLDAPURL "ldap://r65-1.local/dc=local"
Require ldap-group cn=Managers,ou=Groups,dc=local
Apache http server ldap authentication (by uid)
To set up the Apache server to use 389 Directory Server as the access manager, make sure mod_ldap is set up with the Apache server:
yum install mod_ldap
vi /etc/httpd/conf.modules.d/01-ldap.conf
# This file configures the LDAP modules:
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
And that these lines are in the httpd.conf file:
AuthType Basic
AuthName "Protected Area"
AuthBasicProvider ldap
AuthLDAPURL "ldap://r65-1.local/dc=local"
Require ldap-user john
Wednesday, 14 May 2014
Static IP network configuration on CentOS 6
Below are the templates to configure CentOS for static ip:
# cat /etc/hosts
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
192.168.1.41 r65-1.local r65-1

# cat /etc/sysconfig/network
NETWORKING=yes
NETWORKING_IPV6=no
HOSTNAME=r65-1
GATEWAY=192.168.1.1

# cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=none
IPADDR=192.168.1.41
NETMASK=255.255.255.0
ONBOOT=yes
TYPE=Ethernet
PREFIX=24
GATEWAY=192.168.1.1
DNS1=192.168.1.1
DOMAIN=local
DEFROUTE=no
IPV4_FAILURE_FATAL=yes
IPV6INIT=no
NAME="System eth0"

# cat /etc/resolv.conf
search local
nameserver 192.168.1.1
Setup LDAP authentication on CentOS 6 with SSSD
To install LDAP authentication on CentOS 6 (with SSSD):
yum install sssd
To get the TLS/SSL cert:
cd /etc/sssd
sftp *389 directory server/cert directory*
mget cacert.asc
chown nobody:nobody cacert.asc
Configuring NSS Services to Use SSSD
# authconfig --enablesssd --update
The services map is not enabled by default when SSSD is enabled with authconfig. To include that map, open the nsswitch.conf file and add the sss module to the services map:
# vim /etc/nsswitch.conf
...
services: files sss
To configure the PAM service, use authconfig to enable SSSD for system authentication.
# authconfig --update --enablesssd --enablesssdauth
Configure sssd.conf:
vi /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP
reconnection_retries = 3
sbus_timeout = 30

[nss]
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd
filter_groups = root
reconnection_retries = 3
entry_cache_timeout = 300
entry_cache_nowait_percentage = 75

[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5

[domain/LDAP]
cache_credentials = false
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://r65-1.local
ldap_search_base = dc=local
ldap_tls_cacert = /etc/sssd/cacert.asc
debug_level = 9
access_provider = ldap
ldap_access_filter = host=r65-2.local
The last two lines are for Host-Based Access Control (e.g. old config => pam_check_host_attr); if you are not using this feature, you can omit them. Restart sssd and the machine can log in using LDAP:
chmod 600 /etc/sssd/sssd.conf
service sssd restart
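A quick way to confirm that every domain in sssd.conf keeps its LDAP traffic encrypted, as the ldaps:// URI and ldap_tls_cacert above do. This is an added example, not part of the original post: the function names and the [domain/WEAK] section are constructed, and ldap_id_use_start_tls and ldap_tls_reqcert are sssd-ldap options the post itself does not set.

```sh
#!/bin/sh
# Review the [domain/...] sections of an sssd.conf for LDAP transport settings.

# audit_sssd_conf FILE: print one finding per line, nothing when no check fires.
audit_sssd_conf() {
    awk '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }

        # Emit the findings for the domain section that just ended, then reset.
        function report_domain(    n, i, servers, cleartext) {
            if (dom == "") return
            cleartext = 0
            n = split(uri, servers, ",")        # ldap_uri may list several servers
            for (i = 1; i <= n; i++)
                if (trim(servers[i]) !~ /^ldaps:\/\//) cleartext = 1
            if (cleartext && tolower(starttls) != "true")
                print dom ": ldap_uri lists a non-ldaps server and ldap_id_use_start_tls is not true"
            if (reqcert == "never" || reqcert == "allow")
                print dom ": ldap_tls_reqcert = " reqcert " does not require a valid server certificate"
            uri = ""; starttls = ""; reqcert = ""
        }

        /^[ \t]*[#;]/ { next }                  # comment lines
        /^[ \t]*\[/ {                           # section header
            report_domain()
            dom = trim($0)
            if (dom !~ /^\[domain\//) dom = ""
            next
        }
        dom != "" && index($0, "=") > 0 {       # key = value inside a domain section
            key = trim(substr($0, 1, index($0, "=") - 1))
            val = trim(substr($0, index($0, "=") + 1))
            if (key == "ldap_uri")              uri = val
            if (key == "ldap_id_use_start_tls") starttls = val
            if (key == "ldap_tls_reqcert")      reqcert = tolower(val)
        }
        END { report_domain() }
    ' "$1"
}

# write_sample_conf FILE: constructed input. [domain/LDAP] repeats the transport
# settings from the post; [domain/WEAK] is made up to trigger both checks.
write_sample_conf() {
    cat > "$1" <<'EOF'
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP, WEAK

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://r65-1.local
ldap_search_base = dc=local
ldap_tls_cacert = /etc/sssd/cacert.asc
access_provider = ldap
ldap_access_filter = host=r65-2.local

[domain/WEAK]
id_provider = ldap
ldap_uri = ldap://r65-1.local, ldaps://r65-1.local
ldap_tls_reqcert = never
EOF
}

# Demo on the constructed file; on a real host run: audit_sssd_conf /etc/sssd/sssd.conf
sample=$(mktemp)
write_sample_conf "$sample"
audit_sssd_conf "$sample"
rm -f "$sample"
```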
Monday, 12 May 2014
Setup 389 Directory Server on CentOS 6 (with TLS/SSL/SSSD)
To set up the 389 server, we first set up the hostname and domain.
At gnome>application>terminal>
local>r65-1.local>Server Group>Directory Server>Open
Configuration>Encryption>
Enable SSL for this server
Use this cipher family:RSA internal(software) Server-Cert (save and exit)
Restart dirsrv
Restart SSSD
==> now you can login to server using the ldap user.
Edit file /etc/sysconfig/network,
# vi /etc/sysconfig/network
HOSTNAME=r65-1
Edit file /etc/hosts,
# vi /etc/hosts
Add your hostname as shown below.
192.168.1.1 r65-1.local r65-1
To open ports for iptables
vi /etc/sysconfig/iptables
Add the following lines.
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 9830 -j ACCEPT
Restart firewall.
# service iptables restart
Performance and Security tuning for LDAP server
Open “/etc/sysctl.conf” file and add the lines.
# vi /etc/sysctl.conf
net.ipv4.tcp_keepalive_time = 300
net.ipv4.ip_local_port_range = 1024 65000
fs.file-max = 64000
# sysctl -p
Open “/etc/security/limits.conf” and add these lines as shown below
# vi /etc/security/limits.conf
* soft nofile 8192
* hard nofile 8192
Open “/etc/profile” file and add the lines
# vi /etc/profile
ulimit -n 8192
Add the lines at “/etc/pam.d/system-auth” file.
# vi /etc/pam.d/system-auth
session required pam_limits.so
Disable selinux
# setenforce 0
# vi /etc/selinux/config
SELINUX=disabled
Reboot the server
Setup EPEL repository
# wget http://mirror.nus.edu.sg/Fedora/epel/6/i386/epel-release-6-8.noarch.rpm
# rpm -ivh epel-release-6-8.noarch.rpm
Now install 389 directory server using command:
# yum install sssd httpd
# chkconfig sssd on
# chkconfig httpd on
# service httpd restart
# authconfig --enablesssd --enablesssdauth --enablelocauthorize --update
# yum install 389-ds
After the download, let's do a reboot
# reboot
Configure LDAP server
# setup-ds-admin.pl
==============================================================================
This program will set up the 389 Directory and Administration Servers.

It is recommended that you have "root" privilege to set up the software.
Tips for using this program:
  - Press "Enter" to choose the default and go to the next screen
  - Type "Control-B" then "Enter" to go back to the previous screen
  - Type "Control-C" to cancel the setup program

Would you like to continue with set up? [yes]: ## Press Enter ##

==============================================================================
Your system has been scanned for potential problems, missing patches,
etc. The following output is a report of the items found that need to
be addressed before running this software in a production
environment.

389 Directory Server system tuning analysis version 23-FEBRUARY-2012.

NOTICE : System is x86_64-unknown-linux3.11.10-301.x86_64 (2 processors).

NOTICE : The net.ipv4.tcp_keepalive_time is set to 7200000 milliseconds
(120 minutes). This may cause temporary server congestion from lost
client connections.

WARNING: There are only 1024 file descriptors (soft limit) available, which
limit the number of simultaneous connections.

WARNING : The warning messages above should be reviewed before proceeding.

Would you like to continue? [no]: yes ## Type Yes and Press Enter ##

==============================================================================
Choose a setup type:

   1. Express
       Allows you to quickly set up the servers using the most
       common options and pre-defined defaults. Useful for quick
       evaluation of the products.

   2. Typical
       Allows you to specify common defaults and options.

   3. Custom
       Allows you to specify more advanced options. This is
       recommended for experienced server administrators only.

To accept the default shown in brackets, press the Enter key.

Choose a setup type [2]: ## Press Enter ##

==============================================================================
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: eros.example.com.

To accept the default shown in brackets, press the Enter key.

Warning: This step may take a few minutes if your DNS servers
can not be reached or if DNS is not configured correctly. If
you would rather not wait, hit Ctrl-C and run this program again
with the following command line option to specify the hostname:

    General.FullMachineName=your.hostname.domain.name

Computer name [r65-1.local]: r65-1.local

==============================================================================
The servers must run as a specific user in a specific group.
It is strongly recommended that this user should have no privileges
on the computer (i.e. a non-root user). The setup procedure
will give this user/group some permissions in specific paths/files
to perform server-specific operations.

If you have not yet created a user and group for the servers,
create this user and group using your native operating
system utilities.

System User [nobody]: ## Press Enter ##
System Group [nobody]: ## Press Enter ##

==============================================================================
Server information is stored in the configuration directory server.
This information is used by the console and administration server to
configure and manage your servers. If you have already set up a
configuration directory server, you should register any servers you
set up or create with the configuration server. To do so, the
following information about the configuration server is required: the
fully qualified host name of the form
<hostname>.<domainname>(e.g. hostname.example.com), the port number
(default 389), the suffix, the DN and password of a user having
permission to write the configuration information, usually the
configuration directory administrator, and if you are using security
(TLS/SSL). If you are using TLS/SSL, specify the TLS/SSL (LDAPS) port
number (default 636) instead of the regular LDAP port number, and
provide the CA certificate (in PEM/ASCII format).

If you do not yet have a configuration directory server, enter 'No' to
be prompted to set up one.

Do you want to register this software with an existing
configuration directory server? [no]: ## Press Enter ##

==============================================================================
Please enter the administrator ID for the configuration directory
server. This is the ID typically used to log in to the console. You
will also be prompted for the password.

Configuration directory server
administrator ID [admin]: ## Press Enter ##
Password:
Password (confirm):

==============================================================================
The information stored in the configuration directory server can be
separated into different Administration Domains. If you are managing
multiple software releases at the same time, or managing information
about multiple domains, you may use the Administration Domain to keep
them separate.

If you are not using administrative domains, press Enter to select the
default. Otherwise, enter some descriptive, unique name for the
administration domain, such as the name of the organization
responsible for managing the domain.

Administration Domain [local]: ## Press Enter ##

==============================================================================
The standard directory server network port number is 389. However, if
you are not logged as the superuser, or port 389 is in use, the
default value will be a random unused port number greater than 1024.
If you want to use port 389, make sure that you are logged in as the
superuser, that port 389 is not in use.

Directory server network port [389]: ## Press Enter ##

==============================================================================
Each instance of a directory server requires a unique identifier.
This identifier is used to name the various
instance specific files and directories in the file system,
as well as for other uses as a server instance identifier.

Directory server identifier [r65-1]: ## Press Enter ##

==============================================================================
The suffix is the root of your directory tree. The suffix must be a valid DN.
It is recommended that you use the dc=domaincomponent suffix convention.
For example, if your domain is example.com,
you should use dc=example,dc=com for your suffix.
Setup will create this initial suffix for you,
but you may have more than one suffix.
Use the directory server utilities to create additional suffixes.

Suffix [dc=local]: dc=local

==============================================================================
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and typically has a
bind Distinguished Name (DN) of cn=Directory Manager.
You will also be prompted for the password for this user. The password must
be at least 8 characters long, and contain no spaces.
Press Control-B or type the word "back", then Enter to back up and start over.

Directory Manager DN [cn=Directory Manager]: ## Press Enter ##
Password:
Password (confirm):

==============================================================================
The Administration Server is separate from any of your web or application
servers since it listens to a different port and access to it is
restricted.

Pick a port number between 1024 and 65535 to run your Administration
Server on. You should NOT use a port number which you plan to
run a web or application server on, rather, select a number which you
will remember and which will not be used for anything else.

Administration port [9830]: ## Press Enter ##

==============================================================================
The interactive phase is complete. The script will now set up your
servers. Enter No or go Back if you want to change something.

Are you ready to set up your servers? [yes]: ## Press Enter ##
Creating directory server . . .
Your new DS instance 'r65-1' was successfully created.
Creating the configuration directory server . . .
Beginning Admin Server creation . . .
Creating Admin Server files and directories . . .
Updating adm.conf . . .
Updating admpw . . .
Registering admin server with the configuration directory server . . .
Updating adm.conf with information from configuration directory server . . .
Updating the configuration for the httpd engine . . .
Starting admin server . . .
output: Starting dirsrv-admin:
output: [ OK ]
The admin server was successfully started.
Admin server was successfully created, configured, and started.
Exiting . . .
Log file is '/tmp/setupxozWF8.log'
Make the LDAP server daemon to start automatically on every reboot.
# chkconfig dirsrv on
# chkconfig dirsrv-admin on
# chkconfig httpd on
# service dirsrv restart
# service dirsrv-admin restart
# service httpd restart
To test the setup
# ldapsearch -x -b "dc=local"
# extended LDIF
#
# LDAPv3
# base <dc=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# local
dn: dc=local
objectClass: top
objectClass: domain
dc: local

# Directory Administrators, local
dn: cn=Directory Administrators,dc=local
objectClass: top
objectClass: groupofuniquenames
cn: Directory Administrators
uniqueMember: cn=Directory Manager

# Groups, local
dn: ou=Groups,dc=local
objectClass: top
objectClass: organizationalunit
ou: Groups

# People, local
dn: ou=People,dc=local
objectClass: top
objectClass: organizationalunit
ou: People

# Special Users, local
dn: ou=Special Users,dc=local
objectClass: top
objectClass: organizationalUnit
ou: Special Users
description: Special Administrative Accounts

# Accounting Managers, Groups, local
dn: cn=Accounting Managers,ou=Groups,dc=local
objectClass: top
objectClass: groupOfUniqueNames
cn: Accounting Managers
ou: groups
description: People who can manage accounting entries
uniqueMember: cn=Directory Manager

# HR Managers, Groups, local
dn: cn=HR Managers,ou=Groups,dc=local
objectClass: top
objectClass: groupOfUniqueNames
cn: HR Managers
ou: groups
description: People who can manage HR entries
uniqueMember: cn=Directory Manager

# QA Managers, Groups, local
dn: cn=QA Managers,ou=Groups,dc=local
objectClass: top
objectClass: groupOfUniqueNames
cn: QA Managers
ou: groups
description: People who can manage QA entries
uniqueMember: cn=Directory Manager

# PD Managers, Groups, local
dn: cn=PD Managers,ou=Groups,dc=local
objectClass: top
objectClass: groupOfUniqueNames
cn: PD Managers
ou: groups
description: People who can manage engineer entries
uniqueMember: cn=Directory Manager

# search result
search: 2
result: 0 Success

# numResponses: 10
# numEntries: 9
To create a user and group, go to the server GUI (e.g. GNOME)
At gnome>application>terminal>
# 389-console
cn=Directory Manager **directory manager password** http://192.168.1.31:9830/
(or)
admin **admin password** http://192.168.1.31:9830/
local>r65-1.local>Server Group>Directory Server>Open
Directory>
(To create 1 user)
local>People>*right click*>New>User
Enter the person's information, userid, passwd.
Click on "enable posix user attributes" and enter the attributes.
(To create 1 group, linked to the above user)
local>Groups>*right click*>New>Group
Enter the group name, include the above user as a member, and enable posix group attributes.
Close the GUI and exit 389-console.
Creating Directory Server Certificates through the Command Line
Open the directory where the Directory Server certificate databases are stored.
cd /etc/dirsrv/slapd-*instance_name*
Make a backup copy of all of the files in the directory as a precaution.
tar -cf /tmp/db-backup.tar *
Create a password file for the security token password (the PIN for the Internal (Software) Token):
vi /tmp/pwdfile
secretpw
Create the key and certificate databases.
certutil -N -d . -f /tmp/pwdfile
Generate the self-signed CA certificate. certutil creates the required key pairs and the certificate. This certificate is used to generate the other server certificates and can be exported for use with other servers and clients.
certutil -S -n "CA certificate" -s "cn=My Org CA cert,dc=local" -2 -x -t "CT,," -m 1000 -v 120 -d . -k rsa -f /tmp/pwdfile
Generate the Directory Server client certificate. Take note: you must specify the resolvable FQDN, e.g. r65-1.local.
certutil -S -n "Server-Cert" -s "cn=r65-1.local" -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d . -k rsa -f /tmp/pwdfile
Export the CA certificate for use with other servers and clients. A client usually requires the CA certificate to validate the server certificate in a TLS/SSL connection. Use certutil to export the CA certificate in ASCII/PEM format:
certutil -d . -L -n "CA certificate" -a > cacert.asc
The way that the CA certificate is imported is different for every client. For example, certutil can import a CA certificate into another Directory Server certificate database:
cd /etc/dirsrv/slapd-otherserver
certutil -A -d . -n "CA certificate" -t "CT,," -a -i cacert.asc
Use pk12util to export other server certificates and keys created with certutil so that they can be used on a remote server.
pk12util -d . -o ldap1.p12 -n Server-Cert -w /tmp/pwdfile -k /tmp/pwdfile
The -w argument is the password used to encrypt the .p12 file for transport. The -k argument specifies the password for the key database containing the server certificate being exported to .p12. If the Directory Server will run with TLS/SSL enabled, then create a password file (pin.txt) for the server to use so it will not prompt you for a password every time it restarts.
Configuring NSS Services to Use SSSD
# authconfig --enablesssd --update
The services map is not enabled by default when SSSD is enabled with authconfig. To include that map, open the nsswitch.conf file and add the sss module to the services map:
# vim /etc/nsswitch.conf
...
services: files sss
To configure the PAM service, use authconfig to enable SSSD for system authentication.
# authconfig --update --enablesssd --enablesssdauth
Below is an example of an SSSD config file:
vi /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP
reconnection_retries = 3
sbus_timeout = 30

[nss]
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd
filter_groups = root
reconnection_retries = 3
entry_cache_timeout = 300
entry_cache_nowait_percentage = 75

[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5

[domain/LDAP]
cache_credentials = false
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://r65-1.local
ldap_search_base = dc=local
ldap_tls_cacert = /etc/dirsrv/slapd-r65-1/cacert.asc
debug_level = 9
Restart SSSD
chmod 600 /etc/sssd/sssd.conf
service sssd restart
To enable TLS/SSL, go to the server GUI (e.g. GNOME).
At gnome>application>terminal>
# 389-console
cn=Directory Manager **directory manager password** http://192.168.1.31:9830/
(or)
admin **admin password** http://192.168.1.31:9830/
local>r65-1.local>Server Group>Directory Server>Open
Configuration>Encryption>
Enable SSL for this server
Use this cipher family: RSA internal (software) Server-Cert (save and exit)
Restart dirsrv
service dirsrv restart
It is possible to store the certificate password in a password file. By placing the certificate database password in a file, the server can be started from the Directory Server Console and also restarted automatically when running unattended. The password file must be in the same directory where the other key and certificate databases for Directory Server are stored. This is usually the main configuration directory, /etc/dirsrv/slapd-instance_name. The file should be named pin.txt. The PIN file should be owned by the Directory Server user and set to read-only by the Directory Server user, with no access for any other user (mode 0400).
vi /etc/dirsrv/slapd-*instance_name*/pin.txt
Internal (Software) Token:secretpw
chown nobody:nobody /etc/dirsrv/slapd-*instance_name*/pin.txt
chmod 400 /etc/dirsrv/slapd-*instance_name*/pin.txt
service dirsrv restart
Restart SSSD
service sssd restart
==> now you can login to server using the ldap user.
ssh userid@r65-1.local
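The checks below cover the sssd.conf and pin.txt files from the steps above: file modes, ldaps:// or StartTLS on every ldap_uri, certificate verification not relaxed through ldap_tls_reqcert, and a CA file that actually exists. This is an added example, not part of the original post; the function names, scratch files and sample values are constructed, and ldap_id_use_start_tls and ldap_tls_reqcert are sssd-ldap options the post itself does not set.

```shell
#!/bin/sh
# Added example (not from the original post): audit the files this procedure creates.

# get_opt FILE SECTION KEY: print the value of KEY inside [SECTION] (empty if absent).
get_opt() {
    awk -v sec="[$2]" -v key="$3" '
        { line = $0; gsub(/^[ \t]+|[ \t]+$/, "", line) }
        line ~ /^\[.*\]$/ { insec = (line == sec); next }
        !insec || line == "" || line ~ /^[#;]/ { next }
        { eq = index(line, "="); if (!eq) next
          k = substr(line, 1, eq - 1); v = substr(line, eq + 1)
          gsub(/[ \t]+$/, "", k); gsub(/^[ \t]+/, "", v)
          if (k == key) val = v }
        END { print val }' "$1"
}

# Permission bits as ls prints them, e.g. rw------- (no GNU stat needed).
perm_bits() { ls -ld "$1" | cut -c2-10; }

# audit_sssd FILE DOMAIN: print one FAIL line per finding, return 1 if there is any.
audit_sssd() {
    conf=$1 sec="domain/$2" rc=0
    [ "$(perm_bits "$conf")" = "rw-------" ] ||
        { echo "FAIL mode: $conf is $(perm_bits "$conf"), expected rw------- (600)"; rc=1; }
    starttls=$(get_opt "$conf" "$sec" ldap_id_use_start_tls | tr 'A-Z' 'a-z')
    for uri in $(get_opt "$conf" "$sec" ldap_uri | tr ',' ' '); do
        case $uri in
            ldaps://*) ;;
            *) [ "$starttls" = "true" ] ||
                   { echo "FAIL cleartext: $uri without ldaps:// or StartTLS"; rc=1; } ;;
        esac
    done
    case $(get_opt "$conf" "$sec" ldap_tls_reqcert | tr 'A-Z' 'a-z') in
        never|allow) echo "FAIL reqcert: server certificate is not verified"; rc=1 ;;
    esac
    ca=$(get_opt "$conf" "$sec" ldap_tls_cacert)
    [ -z "$ca" ] || [ -r "$ca" ] ||
        { echo "FAIL cacert: $ca is missing or unreadable"; rc=1; }
    return $rc
}

# audit_pin FILE: the certificate database PIN file must be mode 0400.
audit_pin() {
    [ "$(perm_bits "$1")" = "r--------" ] && return 0
    echo "FAIL mode: $1 is $(perm_bits "$1"), expected r-------- (400)"; return 1
}

# write_sample FILE URI CACERT: constructed sssd.conf modelled on the post's [domain/LDAP].
write_sample() {
    cat > "$1" <<EOF
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP

[domain/LDAP]
cache_credentials = false
id_provider = ldap
auth_provider = ldap
ldap_uri = $2
ldap_search_base = dc=local
ldap_tls_cacert = $3
EOF
}

# Demo on constructed files in a scratch directory (nothing under /etc is touched).
demo_dir=$(mktemp -d)
: > "$demo_dir/cacert.asc"
write_sample "$demo_dir/good.conf" "ldaps://r65-1.local" "$demo_dir/cacert.asc"
chmod 600 "$demo_dir/good.conf"
write_sample "$demo_dir/bad.conf" "ldap://192.168.1.31/" "$demo_dir/missing.asc"
chmod 644 "$demo_dir/bad.conf"
audit_sssd "$demo_dir/good.conf" LDAP && echo "good.conf: OK"
audit_sssd "$demo_dir/bad.conf" LDAP || echo "bad.conf: findings listed above"
rm -rf "$demo_dir"
```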
Thursday, 8 May 2014
Setup 389 Directory Server in CentOS 6
To set up the 389 server, we first set up the hostname and domain.
Edit file /etc/sysconfig/network,
# vi /etc/sysconfig/network
HOSTNAME=r65-1
Edit file /etc/hosts,
# vi /etc/hosts
Add your hostname as shown below.
192.168.1.1 r65-1.local r65-1
To open ports for iptables
vi /etc/sysconfig/iptables
Add the following lines.
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 9830 -j ACCEPT
Restart firewall.
# service iptables restart
Disable selinux
# setenforce 0
# vi /etc/selinux/config
SELINUX=disabled
Setup EPEL repository
# wget http://mirror.nus.edu.sg/Fedora/epel/6/i386/epel-release-6-8.noarch.rpm
# rpm -ivh epel-release-6-8.noarch.rpm
Now install 389 directory server using command:
# yum install pam_ldap nss-pam-ldapd
# yum install -y 389-ds
Configure LDAP server
# setup-ds-admin.pl
==============================================================================
This program will set up the 389 Directory and Administration Servers.

It is recommended that you have "root" privilege to set up the software.
Tips for using this program:
  - Press "Enter" to choose the default and go to the next screen
  - Type "Control-B" then "Enter" to go back to the previous screen
  - Type "Control-C" to cancel the setup program

Would you like to continue with set up? [yes]: ## Press Enter ##

==============================================================================
Your system has been scanned for potential problems, missing patches,
etc. The following output is a report of the items found that need to
be addressed before running this software in a production
environment.

389 Directory Server system tuning analysis version 23-FEBRUARY-2012.

NOTICE : System is x86_64-unknown-linux3.11.10-301.x86_64 (2 processors).

NOTICE : The net.ipv4.tcp_keepalive_time is set to 7200000 milliseconds
(120 minutes). This may cause temporary server congestion from lost
client connections.

WARNING: There are only 1024 file descriptors (soft limit) available, which
limit the number of simultaneous connections.

WARNING : The warning messages above should be reviewed before proceeding.

Would you like to continue? [no]: yes ## Type Yes and Press Enter ##

==============================================================================
Choose a setup type:

   1. Express
       Allows you to quickly set up the servers using the most
       common options and pre-defined defaults. Useful for quick
       evaluation of the products.

   2. Typical
       Allows you to specify common defaults and options.

   3. Custom
       Allows you to specify more advanced options. This is
       recommended for experienced server administrators only.

To accept the default shown in brackets, press the Enter key.

Choose a setup type [2]: ## Press Enter ##

==============================================================================
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: eros.example.com.

To accept the default shown in brackets, press the Enter key.

Warning: This step may take a few minutes if your DNS servers
can not be reached or if DNS is not configured correctly. If
you would rather not wait, hit Ctrl-C and run this program again
with the following command line option to specify the hostname:

    General.FullMachineName=your.hostname.domain.name

Computer name [r65-1.local]: r65-1.local

==============================================================================
The servers must run as a specific user in a specific group.
It is strongly recommended that this user should have no privileges
on the computer (i.e. a non-root user). The setup procedure
will give this user/group some permissions in specific paths/files
to perform server-specific operations.

If you have not yet created a user and group for the servers,
create this user and group using your native operating
system utilities.

System User [nobody]: ## Press Enter ##
System Group [nobody]: ## Press Enter ##

==============================================================================
Server information is stored in the configuration directory server.
This information is used by the console and administration server to
configure and manage your servers. If you have already set up a
configuration directory server, you should register any servers you
set up or create with the configuration server. To do so, the
following information about the configuration server is required: the
fully qualified host name of the form
<hostname>.<domainname>(e.g. hostname.example.com), the port number
(default 389), the suffix, the DN and password of a user having
permission to write the configuration information, usually the
configuration directory administrator, and if you are using security
(TLS/SSL). If you are using TLS/SSL, specify the TLS/SSL (LDAPS) port
number (default 636) instead of the regular LDAP port number, and
provide the CA certificate (in PEM/ASCII format).

If you do not yet have a configuration directory server, enter 'No' to
be prompted to set up one.

Do you want to register this software with an existing
configuration directory server? [no]: ## Press Enter ##

==============================================================================
Please enter the administrator ID for the configuration directory
server. This is the ID typically used to log in to the console. You
will also be prompted for the password.

Configuration directory server
administrator ID [admin]: ## Press Enter ##
Password:
Password (confirm):

==============================================================================
The information stored in the configuration directory server can be
separated into different Administration Domains. If you are managing
multiple software releases at the same time, or managing information
about multiple domains, you may use the Administration Domain to keep
them separate.

If you are not using administrative domains, press Enter to select the
default. Otherwise, enter some descriptive, unique name for the
administration domain, such as the name of the organization
responsible for managing the domain.

Administration Domain [local]: ## Press Enter ##

==============================================================================
The standard directory server network port number is 389. However, if
you are not logged as the superuser, or port 389 is in use, the
default value will be a random unused port number greater than 1024.
If you want to use port 389, make sure that you are logged in as the
superuser, that port 389 is not in use.

Directory server network port [389]: ## Press Enter ##

==============================================================================
Each instance of a directory server requires a unique identifier.
This identifier is used to name the various
instance specific files and directories in the file system,
as well as for other uses as a server instance identifier.

Directory server identifier [r65-1]: ## Press Enter ##

==============================================================================
The suffix is the root of your directory tree. The suffix must be a valid DN.
It is recommended that you use the dc=domaincomponent suffix convention.
For example, if your domain is example.com,
you should use dc=example,dc=com for your suffix.
Setup will create this initial suffix for you,
but you may have more than one suffix.
Use the directory server utilities to create additional suffixes.

Suffix [dc=local]: dc=local

==============================================================================
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and typically has a
bind Distinguished Name (DN) of cn=Directory Manager.
You will also be prompted for the password for this user. The password must
be at least 8 characters long, and contain no spaces.
Press Control-B or type the word "back", then Enter to back up and start over.

Directory Manager DN [cn=Directory Manager]: ## Press Enter ##
Password:
Password (confirm):

==============================================================================
The Administration Server is separate from any of your web or application
servers since it listens to a different port and access to it is
restricted.

Pick a port number between 1024 and 65535 to run your Administration
Server on. You should NOT use a port number which you plan to run a
web or application server on, rather, select a number which you
will remember and which will not be used for anything else.

Administration port [9830]: ## Press Enter ##

==============================================================================
The interactive phase is complete. The script will now set up your
servers. Enter No or go Back if you want to change something.

Are you ready to set up your servers? [yes]: ## Press Enter ##
Creating directory server . . .
Your new DS instance 'r65-1' was successfully created.
Creating the configuration directory server . . .
Beginning Admin Server creation . . .
Creating Admin Server files and directories . . .
Updating adm.conf . . .
Updating admpw . . .
Registering admin server with the configuration directory server . . .
Updating adm.conf with information from configuration directory server . . .
Updating the configuration for the httpd engine . . .
Starting admin server . . .
output: Starting dirsrv-admin:
output: [ OK ]
The admin server was successfully started.
Admin server was successfully created, configured, and started.
Exiting . . .
Log file is '/tmp/setupxozWF8.log'
Make the LDAP server daemons start automatically on every reboot.
# chkconfig dirsrv on
# chkconfig dirsrv-admin on
# chkconfig httpd on
# service dirsrv restart
# service dirsrv-admin restart
# service httpd restart
To test the setup
[root@r65-1 temp]# ldapsearch -x -b "dc=local"
# extended LDIF
#
# LDAPv3
# base <dc=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# local
dn: dc=local
objectClass: top
objectClass: domain
dc: local

# Directory Administrators, local
dn: cn=Directory Administrators,dc=local
objectClass: top
objectClass: groupofuniquenames
cn: Directory Administrators
uniqueMember: cn=Directory Manager

# Groups, local
dn: ou=Groups,dc=local
objectClass: top
objectClass: organizationalunit
ou: Groups

# People, local
dn: ou=People,dc=local
objectClass: top
objectClass: organizationalunit
ou: People

# Special Users, local
dn: ou=Special Users,dc=local
objectClass: top
objectClass: organizationalUnit
ou: Special Users
description: Special Administrative Accounts

# Accounting Managers, Groups, local
dn: cn=Accounting Managers,ou=Groups,dc=local
objectClass: top
objectClass: groupOfUniqueNames
cn: Accounting Managers
ou: groups
description: People who can manage accounting entries
uniqueMember: cn=Directory Manager

# HR Managers, Groups, local
dn: cn=HR Managers,ou=Groups,dc=local
objectClass: top
objectClass: groupOfUniqueNames
cn: HR Managers
ou: groups
description: People who can manage HR entries
uniqueMember: cn=Directory Manager

# QA Managers, Groups, local
dn: cn=QA Managers,ou=Groups,dc=local
objectClass: top
objectClass: groupOfUniqueNames
cn: QA Managers
ou: groups
description: People who can manage QA entries
uniqueMember: cn=Directory Manager

# PD Managers, Groups, local
dn: cn=PD Managers,ou=Groups,dc=local
objectClass: top
objectClass: groupOfUniqueNames
cn: PD Managers
ou: groups
description: People who can manage engineer entries
uniqueMember: cn=Directory Manager

# search result
search: 2
result: 0 Success

# numResponses: 10
# numEntries: 9
To create user and group, go to the server GUI (e.g. GNOME).
At gnome>application>terminal>
# 389-console
cn=Directory Manager **password** http://127.0.0.1:9830/
local>r65-1.local>Server Group>Directory Server>Open
Directory>
(To create 1 user)
local>People>*right click*>New>User
Enter the person's information, userid, passwd.
Click on "enable posix user attributes" and enter the attributes.
(To create 1 group, linked to the above user)
local>Groups>*right click*>New>Group
Enter the group name, include the above user as a member, and enable posix group attributes.
Close the GUI and exit 389-console.
authconfig-tui
Click Use LDAP, Use Shadow Passwords, Use LDAP Authentication, Local authorization is sufficient.
(ldap settings)
Server: ldap://192.168.1.31/
Base DN: dc=local
==> now you can login to server using the ldap user.
ssh userid@r65-1.local
Wednesday, 16 April 2014
Install opcache for php on Fedora
OPcache improves PHP performance by storing precompiled script bytecode in shared memory, thereby removing the need for PHP to load and parse scripts on each request #1. OpCode Caches are a performance enhancing extension for PHP. They do this by injecting themselves into the execution life-cycle of PHP and caching the results of the compilation phase for later reuse. It is not uncommon to see a 3x performance increase just by enabling an OpCode cache #2.
To install on Fedora:
yum install php-opcache
To turn on the opcache module, restart httpd service:
/bin/systemctl restart httpd.service
You will be able to see opcache running information in phpinfo.php.
Friday, 4 April 2014
"Network error: Connection refused" on Fedora
I have just installed Fedora. When I tried to putty(ssh) in, a PuTTY fatal Error was displayed, "Network error: Connection refused".
When I checked the ssh status, it said not found.
[root@F20-64 ~]# service sshd status
Redirecting to /bin/systemctl status sshd.service
sshd.service
Loaded: not-found (Reason: No such file or directory)
Active: inactive (dead)
The openssh server was not installed on a fresh Fedora.
So I installed the server.
[root@F20-64 ~]# yum install openssh-server
Checking the status again:
[root@F20-64 ~]# service sshd status
Redirecting to /bin/systemctl status sshd.service
sshd.service - OpenSSH server daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; disabled)
Active: inactive (dead)
Enable ssh server upon restart.
[root@F20-64 ~]# chkconfig sshd on
Note: Forwarding request to 'systemctl enable sshd.service'.
ln -s '/usr/lib/systemd/system/sshd.service' '/etc/systemd/system/multi-user.target.wants/sshd.service'
Start the ssh server service.
[root@F20-64 ~]# service sshd start
Redirecting to /bin/systemctl start sshd.service
Saturday, 8 February 2014
Check disk drive for badblock,errors
badblocks is used to search for bad blocks on a device (usually a disk partition). Device is the special file corresponding to the device (e.g /dev/sda1).
It can be a good idea to periodically check for bad blocks. This is done with the badblocks command. It outputs a list of the numbers of all bad blocks it can find. This list can be fed to fsck to be recorded in the filesystem data structures so that the operating system won’t try to use the bad blocks for storing data. The following example will show how this could be done.
The command:
badblocks -v /dev/sda1 > badblocks.txt
The above command will generate the file badblocks.txt. You can pass this file to the fsck command to record these bad blocks. Do make sure you type in the correct filesystem, e.g. ext3, ext4, xfs.
fsck -t ext3 -l badblocks.txt /dev/sda1
Reference: Link1
Thursday, 6 February 2014
Setup SVN (Subversion) on Fedora / RHEL
Apache Subversion (often abbreviated SVN) is a software versioning and revision control system distributed as free software under the Apache License. Developers use Subversion to maintain current and historical versions of files such as source code, web pages, and documentation. Its goal is to be a mostly compatible successor to the widely used Concurrent Versions System (CVS).
These instructions will help you install an SVN server.
Install PHP and Apache Packages
yum install httpd php php-devel php-cli php-pear
Start Apache web server and setup for it to autostart on system boot
yum install httpd php php-devel php-cli php-pear
service httpd restart
chkconfig httpd on
Install svn using yum
yum install mod_dav_svn subversion
Configure Subversion (subversion.conf)
vi /etc/httpd/conf.d/subversion.conf
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so
<Location /svn>
DAV svn
SVNParentPath /svn/repos/projectX
AuthType Basic
AuthName "Subversion Repository"
AuthUserFile /etc/svn-auth-file
Require valid-user
</Location>
Create SVN Repository
cd /svn/repos/projectX
svnadmin create svnrepo
chown -R apache:apache svnrepo
Create SVN Users
The following commands will create two users for svn.
htpasswd -cb /etc/svn-auth-file admin9 pass9
htpasswd -b /etc/svn-auth-file user8 pass8
If you are wondering why I display the password on the command line: I actually hit a bug. My httpd version is 2.4.4. See this Link1 Link2
If you have httpd 2.4.6 or above, you can use the command below.
htpasswd /etc/svn-auth-file user7
Access Your Repository in Browser
Open using a browser to access the repository.
http://192.168.0.5/svn/svnrepo/
Enter user name and password in browser.
Checkout Files to Your Repository
svn co http://192.168.0.5/svn/svnrepo/
Add and Checkin Files to Your Repository
cd svnrepo
vi fileA.txt
vi fileB.txt
svn add fileA.txt fileB.txt
svn ci fileA.txt fileB.txt -m "First commit"
Access http://192.168.0.5/svn/svnrepo/ url in browser, you will see your new files there.