Setup LDAP authentication in CentOS (openldap+sssd)


1) Install openldap server in CentOS 6.5

yum install -y openldap*

2) Copy the sample slapd.conf configuration

cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf

3) Generate encrypted password for later use

slappasswd

4) Modify /etc/openldap/slapd.conf, use the encrypted password created in above step.

#TLSCACertificatePath /etc/openldap/certs
#TLSCertificateFile “\”OpenLDAP Server\””
#TLSCertificateKeyFile /etc/openldap/certs/password

database monitor
access to *
by dn.exact=”gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth” read
by dn.exact=”cn=Manager,dc=mylab,dc=local” read
by * none

database bdb
suffix “dc=mylab,dc=local”
checkpoint 1024 15
rootdn “cn=Manager,dc=mylab,dc=local”
rootpw {SSHA}TgnKeaT3EArzI1xqW/CpzmCRFa88xPS0
loglevel 256
sizelimit unlimited

5) Copy the sample DB_CONFIG file

cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown -R ldap:ldap /var/lib/ldap/
chmod 600 /var/lib/ldap/DB_CONFIG

6) Start service

service slapd start
chkconfig slapd on

7) Use the following two commands to verify. (The default LDAP port is 389)

netstat -ntlup | grep slapd
ps -ef | grep slapd

8) Generate a certificate pair for secured LDAP connection

openssl req -newkey rsa:2048 -x509 -nodes -out /etc/openldap/certs/ldap-pub.pem -keyout /etc/openldap/certs/ldap-pri.pem

chown ldap. /etc/openldap/certs/ldap*

9) Configure the olcDatabase={0}config.ldif file

cd /etc/openldap/slapd.d/cn=config

Add the following two lines into: olcDatabase\=\{0\}config.ldif

olcTLSCertificateFile: /etc/openldap/certs/ldap-pub.pem
olcTLSCertificateKeyFile: /etc/openldap/certs/ldap-pri.pem

10) Modify /etc/sysconfig/ldap to only allow secure ldap (ldaps)

SLAPD_LDAP=no
SLAPD_LDAPI=no
SLAPD_LDAPS=yes

11) Restart the slapd.

service slapd restart

12) Verify it (secure ldap port is 636, and ldaps only in the ‘ps -ef’ command results)

netstat -ntlup | grep slapd
ps -ef | grep slapd

13) Add OU, users to your ldap database.

create /etc/openldap/base.ldif, then run the ldapadd command. The password is created in step 3).

ldapadd -x -D “cn=Manager,dc=mylab,dc=local” -f base.ldif -H ldaps://ldap.mylab.local -W

14) Use ldapsearch to query the ldap database.

ldapsearch -x -D “cn=Manager,dc=mylab,dc=local” -H ldaps://ldap.mylab.local -W

15) Use ldapmodify to modify the exisiting value in ldap database. I include a sample here:

ldapmodify -D “cn=Manager,dc=mylab,dc=local” -f modify.ldif -H ldaps://ldap -W

16) Set up the openldap client

yum install -y openldap-clients sssd

17) Copy the the public certificat that generated in step 8) to /etc/openldap/cacerts in the client machine.

cp the ldap-pub.pem to /etc/openldap/cacerts

18) Modify /etc/openldap/ldap.conf to add the following entries:

TLS_CACERTDIR /etc/openldap/cacerts
ssl start_tls
TLS_REQCERT allow
BASE dc=mylab,dc=local
URI ldaps://ldap.mylab.local/
HOST 192.168.56.11

19) Define your ldap URI in the sssd.conf

chmod 600 /etc/sssd/sssd.conf

Sample:  /etc/sssd/sssd.conf

20) Set up the ldap authentication

authconfig –enablesssd –enablesssdauth –enableldap –enableldapauth –enablemkhomedir –ldapserver=ldaps://ldap.mylab.local –ldapbasedn=dc=mylab,dc=local –enablelocauthorize –enableldaptls –update

21) Test by looking for the ldap user

getent passwd jchen
id jchen

Update puppet tags


This script allow you to apply the specified puppet tags to the listed hosts. It will do a dry run against the first host, if you are happy with the results then you can kick off the changes to all hosts.

Selection_003

The script can be downloaded from here.

Fix duplicated package ID in red hat satellite


Our red hat satellite stops to sync from the subscribed red hat channel. We turned the debug on and found out it is caused by the duplicated package ID in the self-managed oracle database. Here is how to fix it:

1) Turn on debug to find out the duplicated package ID.

echo “debug=7″ >> /etc/rhn/rhn.conf

2) Run the sync, and monitor the log.

satellite-sync

tail -f /var/log/rhn/rhn_server_satellite.log

{\’package_id\': [97018, 97018, 97018, 97018, 97018, 97018, 97018…
SYNC ERROR: unhandled exception occurred: SYNC ERROR: unhandled exception occurred:

3) As above, we can see the ID is 97018. Backup the database before making any changes.

rhn-satellite stop
db-control backup /var/satellite/DBBAK/2014-07-28
rhn-satellite start

4) Connect to Oracle, then remove the duplicated package.

(Optional, in case the ORACLE_SID has not been setup)
sudo su – oracle
. oraenv
ORACLE_SID = [/usr/bin/logname] ? rhnsat

Run sqlplus and execute the following sql statements.

set feedback on;
delete from rhnChannelPackage where package_id=97018;
select count(*) from rhnChannelPackage where package_id=97018;
delete from rhnPackage where id=97018;
select count(*) from rhnPackage where id=97018;
commit;

5) Run the sync again to confirm it fixed the issue.

satellite-sync or  satellite-sync -c channel_name

Apache Rewrite Rule Flags – NE


I was working on an Apache URL redirection request this morning. The task is to redirect the URL ‘^/example/1’ to ‘/#example1’. My first configuration is something like below. When I test it, the redirected URL becomes …/%23example1 instead of …/#example1.

RewriteRule ^/example/1(/)?$ %{HTTP_HOST}/#example1 [R,L,NC]

As you see the problem is that the redirection automatically convert the special character (#) to hexicode (%23). To avoid the conversion, the flag NE has to be applied to the rewrite rule.

RewriteRule ^/example/1(/)?$ %{HTTP_HOST}/#example1 [R,L,NC,NE]

BTW, curl is a better testing tool than browser due to the the history may be cached in the browser. Check the Location value in the output of this comand curl –I –L http://…/example/1

Reference:

http://www.ascii.cl/htmlcodes.htm
https://httpd.apache.org/docs/2.2/rewrite/flags.html#flag_ne