
Saturday, December 21, 2013

ldapsearch using shell script

Shell script to search data in LDAP

The shell script below can be used to search data in LDAP. Modify it to suit your needs.
Have fun!



#!/bin/bash
# lquery.sh: look up LDAP groups and users under dc=test,dc=com.
# "$2" is inserted into the search filter as-is, so pass only trusted names.
BASE="dc=test,dc=com"
case "$1" in
# Searching LDAP login name (uid) from full name (cn)
ln)
    # Look up the uid attribute of the entry whose cn matches the given full name
    LN=$(ldapsearch -x -b "$BASE" "(cn=$2)" | sed -n -e '/^uid:/p' | cut -d: -f2)
    if [ "$LN" = "" ]; then
        echo "No LDAP user with the full name $2 exists"
    else
        echo "The LDAP login name of $2 is $LN"
    fi
    ;;
# Group search
gs)
    GID=$(ldapsearch -x -b "$BASE" "(cn=$2)" | sed -n -e '/^gidNumber:/p' | cut -d: -f2)
    if [ "$GID" = "" ]; then
        echo "The $2 LDAP group does not exist"
    else
        echo "GID of the $2 group is $GID"
        MEM=$(ldapsearch -x -b "$BASE" "(cn=$2)" | sed -n -e '/^member/p' | cut -d: -f2)
        if [ "$MEM" = "" ]; then
            echo "No users belong to this group"
        else
            echo "Following are the members of the $2 LDAP group"
            echo "$MEM"
        fi
    fi
    ;;
# User search
us)
    USER1=$(ldapsearch -x -b "$BASE" "(uid=$2)" | sed -n -e '/^dn:/p' | cut -d: -f2)
    if [ "$USER1" = "" ]; then
        echo "User does not exist"
    else
        echo "$USER1"
        # DNs of the groups that list this uid as a memberUid
        MEM1=$(ldapsearch -x -b "$BASE" "(memberUid=$2)" | sed -n -e '/^dn:/p' | cut -d: -f2)
        echo "$MEM1"
    fi
    ;;
*)
    echo "Usage: lquery.sh ln <full name>"
    echo "       lquery.sh gs <group name> | us <login name>"
    ;;
esac
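Two helpers that harden the idioms the script above relies on, added here as an example and not part of the original lquery.sh: the script drops "$2" straight into the filter "(cn=$2)", so a name containing ( ) * or \ changes the query, and its sed/cut pipeline also matches memberUid lines and breaks on wrapped LDIF output. The sample ldapsearch output is constructed; a live run would query the directory instead.

```shell
#!/bin/bash
# Added example (not the lquery.sh script): safe filter construction and
# exact attribute extraction for ldapsearch output.

# Escape a value for use inside an LDAP search filter (RFC 4515):
# \ * ( ) become \5c \2a \28 \29. The backslash is handled first so the
# escapes added afterwards are not escaped again.
ldap_filter_escape() {
    printf '%s' "$1" |
        sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Build an equality filter for one attribute from untrusted input, e.g. (cn=...).
ldap_eq_filter() {
    printf '(%s=%s)' "$1" "$(ldap_filter_escape "$2")"
}

# Print every value of attribute $1 from LDIF on stdin (ldapsearch output).
# Only lines that start with exactly "attr: " count, so asking for "member"
# does not return memberUid. Lines starting with a space continue the
# previous line and are re-joined. Base64 values ("attr:: ...") are skipped.
ldif_attr() {
    awk -v attr="$1" '
        /^ / { buf = buf substr($0, 2); next }   # continuation line
        { flush(); buf = $0 }
        END { flush() }
        function flush() {
            if (buf != "" && index(buf, attr ": ") == 1)
                print substr(buf, length(attr) + 3)
            buf = ""
        }'
}

# Constructed sample of what
#   ldapsearch -x -b "dc=test,dc=com" "$(ldap_eq_filter cn admins)"
# could print. Note the wrapped member line and the memberUid line.
SAMPLE_LDIF='# extended LDIF
#
# LDAPv3
dn: cn=admins,ou=Groups,dc=test,dc=com
objectClass: posixGroup
objectClass: groupOfNames
cn: admins
gidNumber: 1001
member: cn=alice,ou=People,dc=test,dc=com
member: cn=a-user-with-a-rather-long-name,ou=People,dc=test,d
 c=com
memberUid: alice
description:: QWRtaW5zIGdyb3Vw

# search result
search: 2
result: 0 Success'

group_gid()     { printf '%s\n' "$SAMPLE_LDIF" | ldif_attr gidNumber; }   # 1001
group_members() { printf '%s\n' "$SAMPLE_LDIF" | ldif_attr member; }      # two DNs

# On a live directory the same pieces combine as (not run here):
#   ldapsearch -x -b "dc=test,dc=com" "$(ldap_eq_filter cn "$2")" | ldif_attr member
```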

SED - Stream Editor

How to print all the lines in a file using sed
# sed 'p' test.txt
To print the second line of a file
# sed -n '2 p' test.txt
To print from line 1 to line 4
# sed -n '1,4 p' test.txt
To print from line 2 through the last line
# sed -n '2,$ p' test.txt
To print lines matching the pattern "vasanth"
# sed -n '/vasanth/ p' test.txt
To print lines starting from the 1st match of "vasanth" until the 4th line
# sed -n '/vasanth/,4 p' test.txt
To print lines starting from the 1st match of "vasanth" until the last line
# sed -n '/vasanth/,$ p' test.txt
To print lines starting from the line matching "Vasanth" until the line matching "Hemanth":
# sed -n '/Vasanth/,/Hemanth/ p' test.txt
To print the line matching "Vasanth" and the 2 lines immediately after it
# sed -n '/Vasanth/,+2 p' test.txt
DELETE LINES
To delete all the lines in a file
# sed 'd' test.txt
To delete only the 2nd line
# sed '2 d' test.txt
To delete from line 1 through 4
# sed '1,4 d' test.txt
To delete from line 2 through the last line
# sed '2,$ d' test.txt
To delete only the odd-numbered lines
# sed '1~2 d' test.txt
To delete lines matching the pattern "Sysadmin"
# sed '/Sysadmin/ d' test.txt
To delete lines starting from the 1st match of "Vasanth" until the 4th line
# sed '/Vasanth/,4 d' test.txt
To delete lines starting from the 1st match of "Vasanth" until the last line
# sed '/Vasanth/,$ d' test.txt
To delete lines starting from the line matching "Vasanth" until the line matching "Hemanth":
# sed '/Vasanth/,/Hemanth/ d' test.txt
To delete the line matching "Vasanth" and the 2 lines immediately after it:
# sed '/Vasanth/,+2 d' test.txt
Useful delete examples
To delete all the empty lines from a file:
# sed '/^$/ d' test.txt
To delete all comment lines (assuming a comment starts with #):
# sed '/^#/ d' test.txt
WRITE LINES TO A FILE
To write the content of text.txt to the file test.txt (and display it on screen):
# sed 'w test.txt' text.txt
To write the content of /etc/passwd to output.txt but not to the screen:
# sed -n 'w output.txt' /etc/passwd
To write only the 2nd line:
# sed -n '2 w output.txt' /etc/passwd
To write lines 1 through 4:
# sed -n '1,4 w output.txt' /etc/passwd
To write from line 2 through the last line:
# sed -n '2,$ w output.txt' /etc/passwd
To write only the odd-numbered lines:
# sed -n '1~2 w output.txt' /etc/passwd
To write lines matching the pattern "Vasanth":
# sed -n '/Vasanth/ w output.txt' /etc/passwd
To write lines starting from the 1st match of "root" until the 4th line:
# sed -n '/root/,4 w output.txt' /etc/passwd
To write lines starting from the 1st match of "vasanth" until the last line:
# sed -n '/vasanth/,$ w output.txt' /etc/passwd
To write lines starting from the line matching "vasanth" until the line matching "hemanth":
# sed -n '/vasanth/,/hemanth/ w output.txt' /etc/passwd
To write the line matching "vasanth" and the 2 lines immediately after it:
# sed -n '/vasanth/,+2 w output.txt' /etc/passwd
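The address-range forms from the list above, run against a constructed file so the selected line numbers can be compared; this is an added example, not part of the original post. It also shows the gotcha with '/pattern/,N': when the first match sits past line N, sed selects only the matching line itself. The '1~2' first~step form is a GNU sed extension.

```shell
#!/bin/bash
# Added example (not from the original post): sed address ranges on a sample file.

SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT

# Constructed input: "Vasanth" first appears on line 5, i.e. after line 4.
cat > "$SAMPLE" <<'EOF'
line1 Hemanth
line2 alpha
line3 beta
line4 Sysadmin
line5 Vasanth
line6 Hemanth
line7 gamma
line8 Vasanth
EOF

# selected ADDRESS -> the numbers of the lines that "sed -n 'ADDRESS p'" prints,
# space separated (the unquoted $(...) joins them with single spaces).
selected() {
    echo $(sed -n "$1 p" "$SAMPLE" | sed 's/^line\([0-9]*\).*/\1/')
}

range_1_4()         { selected '1,4'; }                 # 1 2 3 4  ("line 1 to line 4")
range_odd()         { selected '1~2'; }                 # 1 3 5 7  (odd-numbered lines)
range_match_plus2() { selected '/Vasanth/,+2'; }        # 5 6 7 8  (each match plus two lines)
range_match_to_4()  { selected '/Vasanth/,4'; }         # 5 8      (line 4 already passed: only the matches)
range_match_match() { selected '/Vasanth/,/Hemanth/'; } # 5 6 8    (second range runs to end of file)
range_match_end()   { selected '/Vasanth/,$'; }         # 5 6 7 8
```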

Creating network bond in linux


ETHERNET CHANNEL BONDING CONFIGURATION IN LINUX

How to create Ethernet channel bonding in Linux

# vi /etc/modprobe.conf
alias bond0 bonding
options bond0 mode=1 miimon=100 use_carrier=0
Save the file

mode=0 | balance-rr: provides load balancing and fault tolerance
mode=1 | active-backup: provides fault tolerance
primary= specifies which NIC is the primary (e.g. eth0)
use_carrier= how to determine link status
miimon= link monitoring frequency in milliseconds

BONDING INTERFACE CONFIGURATION FILES ( /etc/sysconfig/network-scripts )
# cd /etc/sysconfig/network-scripts
# vi ifcfg-bond0
DEVICE=bond0
IPADDR=192.168.56.3
BOOTPROTO=none
NETMASK=255.255.255.0
GATEWAY=192.168.56.1
ONBOOT=yes
TYPE=Ethernet

# cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
MASTER=bond0
SLAVE=yes
BOOTPROTO=static
ONBOOT=yes

# cat /etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE=eth1
MASTER=bond0
SLAVE=yes
BOOTPROTO=static
ONBOOT=yes





AD-Linux authentication

This article explains the steps needed to add a Linux server or workstation as a domain member of a Windows Active Directory (2008) server.

I am using CentOS 5.x as the Linux client.

SYNC THE DATE AND TIME WITH THE PDC

# /etc/init.d/ntpd stop
# ntpdate ip.address.of.yourPDC
# /etc/init.d/ntpd start

# chkconfig ntpd on


Install Kerberos on the local server/machine

CONFIGURE KERBEROS
NOTE: Please follow the exact syntax of the krb5.conf file given here.
# vi /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = 
dns_lookup_realm = yes
dns_lookup_kdc = yes
[realms]
EXAMPLE.COM = {
kdc = server.example.com
default_domain = example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
mydomain.com = EXAMPLE.COM
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
} 


Install Samba and winbind
# yum install samba-*
# yum install winbind

# service smb start
# chkconfig smb on
# service winbind start
# chkconfig winbind on
Enter the following entries in /etc/samba/smb.conf
# vi /etc/samba/smb.conf
[global]
# NT Workgroup Settings
netbios name = CENTOS1
workgroup = EXAMPLE.COM
server string = Centos Server
# Samba Performance Settings
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
client schannel = no
# Network Browsing Settings
local master = no
domain master = no
preferred master = no
wins support = no
dns proxy = no
wins proxy = no
# Active Directory Member
realm = EXAMPLE.COM
security = ads
# X.X.X.X is the IP address of your AD server
ads server = X.X.X.X
password server = server.example.com
# Winbind Settings
winbind separator = +
winbind use default domain = yes
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 10
#winbind gid = 10000-20000
#winbind trusted domains only = no
# Defaults for local accounts created by winbind
#template shell = /bin/bash
template shell = /usr/local/bin/bash-wrapper
template homedir = /home/%U
# Logging Settings
max log size = 50
log file = /var/log/samba/%m.log

Save and exit the smb.conf file

Edit /etc/nsswitch.conf and add the following lines
passwd:     compat winbind files
shadow:     compat winbind files
group:      compat winbind files
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files winbind
rpc:        files
services:   files winbind
netgroup:   files winbind
publickey:  nisplus
automount:  files winbind
aliases:    files nisplus


INITIALIZE KERBEROS
# kinit administrator@EXAMPLE.COM
The exit status of the above command should be 0

NOW RUN THE FOLLOWING COMMAND IN THE SHELL
# system-config-authentication
Please follow the screenshots given below
After these steps your machine will be added to the DOMAIN and you can ping the system using the machine name

To list all the users
# wbinfo -u
To list all the groups
# wbinfo -g
Check RPC communication with the domain controller
# wbinfo -t
Change the PAM settings for login and ssh


# cat /etc/pam.d/sshd
#%PAM-1.0
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
auth       sufficient   pam_winbind.so
account    required     pam_stack.so service=system-auth
account    sufficient   pam_winbind.so
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
# cat /etc/pam.d/login
#%PAM-1.0
auth       required     pam_securetty.so
auth       sufficient   pam_winbind.so
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    sufficient   pam_winbind.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_stack.so service=system-auth
session    optional     pam_console.so
# pam_selinux.so open should be the last session rule
session    required     pam_selinux.so multiple open

LDAP server with Kerberos

 
 
OpenLDAP server: krbserver1.fireblade.com
Kerberos Server: krbserver1.fireblade.com
DNS Server: krbserver1.fireblade.com
Client machine: station13.fireblade.com

INITIAL SETUP
Set up DNS using BIND on krbserver1.fireblade.com. Both forward and reverse records should be set up properly; Kerberos needs both forward and reverse DNS records to work properly.

LDAP SERVER SETUP
Set up an LDAP server for the domain fireblade.com on krbserver1.fireblade.com.
# yum install openldap-*
Set the LDAP directory manager password
# slappasswd
Open the configuration file and make the following changes.
# vim /etc/openldap/slapd.conf

database        bdb
suffix          "dc=fireblade,dc=com"
rootdn          "cn=Manager,dc=fireblade,dc=com"
rootpw          {SSHA}1j20X9NC+axyGp2IzcS086C7MZ6dyCQj
Save the configuration file and start the service.
# service ldap start
# chkconfig ldap on

Create the LDAP entries using the following LDIF file (entries in an LDIF file are separated by a blank line).

# cat initial.ldif
dn: dc=fireblade,dc=com
objectclass: dcObject
objectclass: organization
o: fireblade.com
dc: fireblade

dn: ou=People,dc=fireblade,dc=com
objectClass: organizationalUnit
objectClass: top
ou: People

dn: ou=Groups,dc=fireblade,dc=com
objectClass: organizationalUnit
objectClass: top
ou: Groups

Add the initial OUs People and Groups
# ldapadd -x -W -D "cn=Manager,dc=fireblade,dc=com" -f initial.ldif

Create a test user using the following LDIF file (the DN suffix must match the server's suffix, and the uid in the entry must match the uid in the DN)
# cat firstuser.ldif
dn: uid=vasanth,ou=People,dc=fireblade,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: Tammy Something
uid: vasanth
uidNumber: 3000
gidNumber: 3000
homeDirectory: /home/vasanth
loginShell: /bin/bash
gecos: Tammy Something,Karate Instructor,Room 37A,435-555-555,801-555-555
userPassword: {crypt}x
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0

Add the test user to LDAP
# ldapadd -x -D "cn=Manager,dc=fireblade,dc=com" -w redhat -f firstuser.ldif

Configuring KDC
# yum install -y krb5-server krb5-workstation


# vi /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = FIREBLADE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes
[realms]
FIREBLADE.COM = {
 kdc = krbserver1.fireblade.com:88
 admin_server = krbserver1.fireblade.com:749
 default_domain = fireblade.com
}
EXAMPLE.COM = {
 kdc = server.example.com
}
[domain_realm]
.fireblade.com = FIREBLADE.COM
 fireblade.com = FIREBLADE.COM
 station13.fireblade.com = FIREBLADE.COM
[appdefaults]
pam = {
  validate = true
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
}

Save the file.
Edit /var/kerberos/krb5kdc/kdc.conf


# vi  /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
v4_mode = nopreauth
kdc_tcp_ports = 88
[realms]
FIREBLADE.COM = {
#  master_key_type = des3-hmac-sha1
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
  default_principal_flags = +preauth
}


# vi /var/kerberos/krb5kdc/kadm5.acl
*/admin@FIREBLADE.COM   *

Create the Kerberos database on the KDC


# kdb5_util create -r FIREBLADE.COM -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'FIREBLADE.COM',
master key name 'K/M@FIREBLADE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: 
Re-enter KDC database master key to verify: 
[root@krb-kdc1 ~]# ls /var/kerberos/krb5kdc/*
/var/kerberos/krb5kdc/kadm5.acl  /var/kerberos/krb5kdc/principal        /var/kerberos/krb5kdc/principal.kadm5.lock
/var/kerberos/krb5kdc/kdc.conf   /var/kerberos/krb5kdc/principal.kadm5  /var/kerberos/krb5kdc/principal.ok


Create a principal for the admin user as well as for vasanth, and export the kadmin principals to the kadmind keytab

# kadmin.local
Authenticating as principal root/admin@FIREBLADE.COM with password.
kadmin.local:  addprinc root/admin
WARNING: no policy specified for root/admin@FIREBLADE.COM; defaulting to no policy
Enter password for principal "root/admin@FIREBLADE.COM": 
Re-enter password for principal "root/admin@FIREBLADE.COM": 
Principal "root/admin@FIREBLADE.COM" created.
kadmin.local:  addprinc vasanth
WARNING: no policy specified for vasanth@FIREBLADE.COM; defaulting to no policy
Enter password for principal "vasanth@FIREBLADE.COM": 
Re-enter password for principal "vasanth@FIREBLADE.COM": 
Principal "vasanth@FIREBLADE.COM" created.
kadmin.local:  ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/admin
Entry for principal kadmin/admin with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/admin with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/admin with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/admin with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/admin with kvno 3, encryption type DES with HMAC/sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/admin with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
kadmin.local:  ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/changepw
Entry for principal kadmin/changepw with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type DES with HMAC/sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
kadmin.local:  exit
# /etc/init.d/krb5kdc start; /etc/init.d/kadmin start ; chkconfig krb5kdc on; chkconfig kadmin on


Copy the krb5.conf file to the client machine station13.fireblade.com
# scp /etc/krb5.conf root@station13.fireblade.com:/etc

Add host principals on the KDC and on the client.

Go to krbserver1.fireblade.com and run kadmin.local

on krbserver1


  # kadmin.local
  Authenticating as principal root/admin@FIREBLADE.COM with password.
  kadmin.local:  addprinc -randkey host/krbserver1.fireblade.com
  WARNING: no policy specified for host/krbserver1.fireblade.com@FIREBLADE.COM; defaulting to no policy
  Principal "host/krbserver1.fireblade.com@FIREBLADE.COM" created.
  kadmin.local:  ktadd host/krbserver1.fireblade.com
  kadmin.local:  exit

on station13
   # kadmin

NMAP

To list all open ports on the local machine
# nmap -v localhost

Nmap's database mapping ports to services

# /usr/share/nmap/nmap-services

To save an nmap scan to a file

# nmap -v -oN nmap.scan.1 localhost

Nmap usually scans TCP ports; to scan UDP ports

# nmap -v -sU localhost

To check whether a particular port is listening or not

# nmap -v -p 631 localhost

To get the OS fingerprint of a remote system

# nmap -v -O remoteserver

To scan the IP addresses listed in a file

# nmap -iL filename

To list all the machines that are up and running in the current network
# nmap -iL uu

SYSLOG (print system messages to the console and to /var/log/messages)

To print system messages both to /var/log/messages and to the console do the following
# vi /etc/syslog.conf

Add the following lines

kern.*                                                  /dev/console
*.info;mail,authpriv,cron,kern.none                     /dev/console

Save the file and restart the service

# /etc/init.d/syslog restart

Friday, December 20, 2013

Configuring VNC Server


Install the VNC server package on the server (192.168.56.2)

# yum install vnc-server

Open the configuration file and enter the following

# vi /etc/sysconfig/vncservers
  VNCSERVERS="1:root"

 :wq

The X display session will run as root.
For security, set a VNC password.
 
# vncpasswd 

From the client machine test the connection using the following
# vncviewer 192.168.56.2:1

Wednesday, August 7, 2013

CCD - FreeBSD - CCD1 - How to

Configuring ccd1 on FreeBSD with four disks

1. To remove the existing configuration, run the command below.

# ccdconfig -v -U

2. Configure the mirror using the command below

# ccdconfig ccd0 32 CCDF_MIRROR /dev/ada2 /dev/ada3 /dev/ada4 /dev/ada5

3. Construct the file system using the command below

# newfs /dev/ccd0

4. Mount our mirrored disk and make it persistent by adding the following line to /etc/fstab

/dev/ccd0     /work0            ufs      rw     2

5. Run # mount -a



Tuesday, August 6, 2013

Configuring CCD in FreeBSD - How to

In this how-to I explain briefly about CCD (Concatenated Disk Driver)


1. To configure CCD I am adding 4 new disks. The system should be shut down before adding the disks

2. To confirm detection of the new disks, check the kernel messages using the dmesg command

# dmesg

(dmesg output shown in a screenshot in the original post)

From the output it is clear that 4 new disks have been added to the system with the names ada2, ada3, ada4 and ada5.

3. Label the disks using the bsdlabel command

#  bsdlabel -w ada2

# bsdlabel -w ada3

# bsdlabel -w ada4

# bsdlabel -w ada5


4. Further label the disks using bsdlabel -e

# bsdlabel -e ada2

When you run the above command a file opens in your default editor (defined in the EDITOR variable)

(partition table shown in a screenshot in the original post)

Add a new line starting with e: at the end of the file

(edited partition table shown in a screenshot in the original post)

Save the file (if it asks a y/n question while saving, answer 'n' and continue).

Repeat the same steps for all the disks ada3, ada4, ada5.

5. Configure the CCD by running the command below.

# ccdconfig ccd0 32 0 ada2 ada3 ada4 ada5

Stripe size: the number given multiplied by 512 bytes. In our case 32 x 512 = 16384 bytes = 16 KB

0 indicates the CCD level: level 0 is striping and level 1 is mirroring


6. Create the UFS file system on /dev/ccd0

# newfs /dev/ccd0

7. Create a mount point /work0 and mount our new ccd device.

# mkdir /work0

# mount /dev/ccd0 /work0

8. To make the configuration persistent across reboots run

# ccdconfig -g > /etc/ccd.conf

9. To make the mount persistent across reboots add a line like the one shown below to /etc/fstab.

(fstab line shown in a screenshot in the original post)

Run the mount command

# mount -a

To test the I/O run the command below. It creates a 1 GB file in the /work0 directory, which is mounted from /dev/ccd0.

# dd if=/dev/zero bs=1M count=1024 of=/work0/testfile.text

Enjoy !







Saturday, July 20, 2013

Openldap Replication- Multimaster

Below are the LDAP servers participating in the multimaster configuration. The operating system used is CentOS 6.3
masterldap1.fireblade.com - 192.168.56.191
masterldap2.fireblade.com - 192.168.56.192
masterldap3.fireblade.com - 192.168.56.193

Install OpenLDAP on all the machines (192.168.56.191, 192.168.56.192, 192.168.56.193)
# yum install openldap-*

Set up the OpenLDAP configuration environment
# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
# chown ldap.ldap /var/lib/ldap/DB_CONFIG
# rm -rf /etc/openldap/slapd.d/*

Configure the domain and set the Manager password on all the systems.

# vim /etc/openldap/slapd.conf

database        bdb
suffix          "dc=fireblade,dc=com"
checkpoint      1024 15
rootdn          "cn=Manager,dc=fireblade,dc=com"
rootpw          redhat

Save the above on all three servers.

Enable the syncprov module by uncommenting the following line in /etc/openldap/slapd.conf on all three servers
moduleload syncprov.la
Save the configuration file.

Go to masterldap1.fireblade.com (192.168.56.191) and enter the configuration below at the end of the file.

#################### REPLICATION CONFIGURATION ####################
serverID 001
syncrepl rid=000
 provider=ldap://192.168.56.192
 type=refreshAndPersist
 retry="5 5 300 +"
 searchbase="dc=fireblade,dc=com"
 attrs="*,+"
 bindmethod=simple
 binddn="cn=manager,dc=fireblade,dc=com"
 credentials=redhat


syncrepl rid=001
 provider=ldap://192.168.56.193
 type=refreshAndPersist
 retry="5 5 300 +"
 searchbase="dc=fireblade,dc=com"
 attrs="*,+"
 bindmethod=simple
 binddn="cn=manager,dc=fireblade,dc=com"
 credentials=redhat
index entryCSN eq
index entryUUID eq
mirrormode TRUE
overlay syncprov
syncprov-checkpoint 100 10

Save the configuration.

Go to the second server masterldap2.fireblade.com (192.168.56.192) and add the configuration below at the end of /etc/openldap/slapd.conf.
serverID 002
syncrepl rid=000
 provider=ldap://192.168.56.191
 type=refreshAndPersist
 retry="5 5 300 +"
 searchbase="dc=fireblade,dc=com"
 attrs="*,+"
 bindmethod=simple
 binddn="cn=manager,dc=fireblade,dc=com"
 credentials=redhat


syncrepl rid=001
 provider=ldap://192.168.56.193
 type=refreshAndPersist
 retry="5 5 300 +"
 searchbase="dc=fireblade,dc=com"
 attrs="*,+"
 bindmethod=simple
 binddn="cn=manager,dc=fireblade,dc=com"
 credentials=redhat
index entryCSN eq
index entryUUID eq
mirrormode TRUE
overlay syncprov
syncprov-checkpoint 100 10

Save the above configuration.


Go to the third server and add the configuration below at the end of the configuration file /etc/openldap/slapd.conf

serverID 003
syncrepl rid=000
 provider=ldap://192.168.56.191
 type=refreshAndPersist
 retry="5 5 300 +"
 searchbase="dc=fireblade,dc=com"
 attrs="*,+"
 bindmethod=simple
 binddn="cn=manager,dc=fireblade,dc=com"
 credentials=redhat

syncrepl rid=001
 provider=ldap://192.168.56.192
 type=refreshAndPersist
 retry="5 5 300 +"
 searchbase="dc=fireblade,dc=com"
 attrs="*,+"
 bindmethod=simple
 binddn="cn=manager,dc=fireblade,dc=com"
 credentials=redhat
index entryCSN eq
index entryUUID eq
mirrormode TRUE
overlay syncprov
syncprov-checkpoint 100 10

Save the configuration.

Start LDAP on all the servers by running the command below

# /etc/init.d/slapd start
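A consistency check for the three-master setup above, added here as an example and not part of the original post. In mirror mode each serverID (001, 002, 003) owns one contextCSN value on the suffix entry, and every master should hold the same value for every serverID once replication has caught up. The three ldapsearch outputs below are constructed; on a live system each would come from "ldapsearch -LLL -x -H ldap://<master> -s base -b dc=fireblade,dc=com contextCSN".

```shell
#!/bin/bash
# Added example (not from the original post): compare contextCSN values across masters.

# Constructed outputs. Masters 191 and 192 agree; 193 has not yet received
# serverID 001's latest change, so its contextCSN for 001 is older.
CSN_191='dn: dc=fireblade,dc=com
contextCSN: 20130720100000.000001Z#000000#001#000000
contextCSN: 20130720095900.000002Z#000000#002#000000
contextCSN: 20130720095800.000003Z#000000#003#000000'
CSN_192="$CSN_191"
CSN_193='dn: dc=fireblade,dc=com
contextCSN: 20130720095500.000009Z#000000#001#000000
contextCSN: 20130720095900.000002Z#000000#002#000000
contextCSN: 20130720095800.000003Z#000000#003#000000'

# Turn one server's ldapsearch output (stdin) into "serverID host contextCSN" rows.
# The serverID is the third #-separated field of the CSN.
csn_rows() {   # $1 = host label
    awk -v host="$1" '/^contextCSN: / { split($2, f, "#"); print f[3], host, $2 }'
}

# Read "serverID host contextCSN" rows on stdin and print one line for every
# serverID whose value is not identical on all hosts. No output means in sync.
# A CSN starts with a UTC timestamp, so the lexically greatest value is the newest.
csn_divergence() {
    sort | awk '
        {
            seen[$1] = seen[$1] " " $2 "=" $3
            if (!($1 in first)) first[$1] = $3
            else if ($3 != first[$1]) bad[$1] = 1
            if ($3 > newest[$1]) newest[$1] = $3
        }
        END {
            for (s in bad)
                print "serverID " s " out of sync (newest " newest[s] "):" seen[s]
        }' | sort
}

# Compare all three masters: reports serverID 001 as out of sync.
check_all() {
    {
        printf '%s\n' "$CSN_191" | csn_rows 192.168.56.191
        printf '%s\n' "$CSN_192" | csn_rows 192.168.56.192
        printf '%s\n' "$CSN_193" | csn_rows 192.168.56.193
    } | csn_divergence
}

# Compare only the two masters that agree: prints nothing.
check_first_two() {
    {
        printf '%s\n' "$CSN_191" | csn_rows 192.168.56.191
        printf '%s\n' "$CSN_192" | csn_rows 192.168.56.192
    } | csn_divergence
}
```

Run the comparison when the directory is quiet; a value that differs only while a write is in flight is expected to converge after the retry interval.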

Openldap Replication with syncrepl

Syncrepl RefreshOnly Style replication
Theory
In refreshOnly replication the consumer (1) initiates a connection (2) with the provider (3); the DITs are synchronised and the connection is closed. Periodically the consumer (1) re-connects (2) with the provider (3) and re-synchronises. refreshOnly synchronisation may be viewed as operating in burst mode, and the replication cycle time is the time between re-connections.
Master LDAP server - ldap-master.fireblade.com - Provider
Slave LDAP server - ldap1.fireblade.com - Consumer

In the provider LDAP ldap-master.fireblade.com configuration file add the configuration below and save.
# NOTE:
# the provider configuration contains no reference to any consumers
# define the provider to use the syncprov overlay
# (last directives in database section)
overlay syncprov
# allows contextCSN to be saved to the database every 100 updates or ten minutes
syncprov-checkpoint 100 10

In the consumer LDAP ldap1.fireblade.com configuration add the configuration below and save.

# provider is ldap://ldap-master.fireblade.com:389, sync interval
# every 1 hour, whole DIT (searchbase), all user attributes synchronized
# simple security with cleartext password
# NOTE: comments inside the syncrepl directive are rejected by OpenLDAP
#       and are included only to carry further explanation. They MUST NOT
#       appear in an operational file
syncrepl rid=000
 provider=ldap://ldap-master.fireblade.com
 type=refreshOnly
 #re-connect/re-sync every hour
 interval=00:1:00:00
 retry="5 5 300 +"
 searchbase="dc=fireblade,dc=com"
 #both user (*) and operational (+) attributes required
 attrs="*,+"
 bindmethod=simple
 binddn="cn=Manager,dc=fireblade,dc=com"
 #Warning: password sent in clear - insecure
 credentials=dirtysecret

Restart the ldap service on both the consumer and the provider.


# service ldap restart 


Test the configuration by creating a new entry in the Provider.

Openldap Replication with Slurpd

Here I am using master-slave replication with slurpd. Below are the participating systems
1. ldap-master.fireblade.com (master server)

2. ldap1.fireblade.com (slave server)

For replication to work properly the master and slave must initially have exactly the same entries. Take a dump of all the entries on the master server using the command below and import it on the slave.


# slapcat > master.ldif 

Go to the slave ldap1.fireblade.com and import it using ldapadd.
# ldapadd -D "cn=Manager,dc=fireblade,dc=com" -W -x -f master.ldif
At this point both master and slave hold exactly the same data. Let's start the replication configuration.

Open /etc/openldap/slapd.conf on the master server ldap-master.fireblade.com and add the entries below


# Replication will happen every 5 minutes.
replicationinterval 300
# Keep the space in front of binddn as it is: a line starting with whitespace continues the previous line
replica uri=ldap://ldap1.fireblade.com bindmethod=simple
 binddn="cn=manager,dc=fireblade,dc=com" credentials=redhat

Save the configuration and exit the file.

Open /etc/openldap/slapd.conf on the slave server ldap1.fireblade.com and add the following entries.


updatedn "cn=manager,dc=fireblade,dc=com"
updateref ldap://ldap-master.fireblade.com:389

Save the configuration and restart the ldap service on both the master and the slave


# service ldap restart 

Test the configuration by creating a new user on the master server and checking whether it appears on the slave within 5 minutes.

Debugging
Start slapd and slurpd in debug mode to troubleshoot issues


# slapd -d 1 
# slurpd -d 1

Openldap referral

In OpenLDAP we can delegate responsibility for maintaining a particular part of the directory to another LDAP server. I am using two LDAP servers hosting the domain dc=fireblade,dc=com.


1. master-ldap.fireblade.com - 192.168.56.10
2. ldap1.fireblade.com - 192.168.56.21

In this scenario we are going to delegate all requests that reach master-ldap.fireblade.com for ou=us,dc=fireblade,dc=com to ldap1.fireblade.com.
On master-ldap.fireblade.com, create new.ldif with the entries below (the ref attribute points at the server that holds the delegated subtree).

dn: ou=us,dc=fireblade,dc=com
ref: ldap://ldap1.fireblade.com/ou=us,dc=fireblade,dc=com
ou: us
objectClass: referral
objectClass: extensibleObject
objectClass: top
Add the new entry to LDAP using the below command


# ldapadd -D "cn=Manager,dc=fireblade,dc=com" -W -x -f new.ldif


Go to the delegated server ldap1.fireblade.com, configure the domain fireblade.com in slapd.conf and create the OU us and the user nagaraj under it.

# vi /etc/openldap/slapd.conf
suffix          "dc=fireblade,dc=com"
rootdn          "cn=Manager,dc=fireblade,dc=com"
rootpw          {SSHA}U0DavqxmDkhcPK9qpaJzxRM7r/GFtptM

Create the DIT using the following LDIF and add it using ldapadd (entries are separated by a blank line; a line that starts with a space is treated as a continuation of the previous line)
# vim add.ldif
dn: dc=fireblade,dc=com
objectclass: dcObject
objectclass: organization
o: fireblade.com
dc: fireblade

dn: ou=us,dc=fireblade,dc=com
objectClass: organizationalUnit
objectClass: top
ou: us

dn: cn=nagaraj,ou=us,dc=fireblade,dc=com
objectClass: posixAccount
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: nagaraj
gidNumber: 20001
homeDirectory: /home/nagaraj
sn: Sulthan Munaver
uid: nagaraj
uidNumber: 20000
manager: uid=suresh,ou=People,dc=fireblade,dc=com
telephoneNumber: 666677777777
userPassword:: e1NIQX1QSFo4UWEreEt0b1VBWkR0Z3RzLzJURGk3Nk09

# ldapadd -D "cn=Manager,dc=fireblade,dc=com" -W -x -f add.ldif


Now the ldap1.fireblade.com server is configured with cn=nagaraj,ou=us,dc=fireblade,dc=com

From any other machine with an OpenLDAP client, search for the nagaraj entry on master-ldap.fireblade.com using the command below.


# ldapsearch -C -h master-ldap.fireblade.com -x -b "ou=us,dc=fireblade,dc=com" "(uid=nagaraj)"

Even though the entry is not on master-ldap.fireblade.com, the referral (followed by the client because of the -C option) makes it consult ldap1.fireblade.com and return the entry.


# ngaraj, us, fireblade.com
dn: cn=ngaraj,ou=us,dc=fireblade,dc=com
uid: nagaraj
gidNumber: 5010
sn: Nagraj Nagmangala
cn: ngaraj
homeDirectory: /home/nagraj
objectClass: posixAccount
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
uidNumber: 5010

Configuring Multiple DIT in a Single server

Let's say we have one domain called fireblade.com and need to configure fireblade.net on the same server; follow the steps below.

Note: the fireblade.com domain already exists and we are configuring the fireblade.net domain in addition, adding an OU called people.
My LDAP server's hostname is
master-ldap1.fireblade.com - 192.168.56.22

Open the configuration file and define the second domain
# vim /etc/openldap/slapd.conf
Add the lines below.




database       bdb
suffix         "dc=fireblade,dc=net"
rootdn         "cn=Manager,dc=fireblade,dc=net"
rootpw         redhat
directory      /var/lib/ldap/firenix-net


index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub


Save and restart LDAP

# /etc/init.d/ldap restart

Create an LDIF file called test.ldif

# vim test.ldif

dn: dc=fireblade,dc=net
dc: fireblade
description: Example Network Operations
objectClass: dcObject
objectClass: organization
o: Firenix, Inc.

dn: ou=people,dc=fireblade,dc=net
ou: people
description: All people in organisation
objectClass: organizationalUnit

Add the LDIF to the database

# ldapadd -D "cn=Manager,dc=fireblade,dc=net" -W -x -f test.ldif

Now the server contains two domains, fireblade.com and fireblade.net



Enjoy !!!

Openldap ACL Key word examples

Given the following entries (the example from slapd.access(5), numbered so the matches can be referred to):
   0: o=suffix
   1: cn=Manager,o=suffix
   2: ou=people,o=suffix
   3: uid=kdz,ou=people,o=suffix
   4: cn=addresses,uid=kdz,ou=people,o=suffix
   5: uid=hyc,ou=people,o=suffix
Then:
   dn.base="ou=people,o=suffix" matches 2;
   dn.one="ou=people,o=suffix" matches 3 and 5;
   dn.subtree="ou=people,o=suffix" matches 2, 3, 4 and 5; and
   dn.children="ou=people,o=suffix" matches 3, 4 and 5.
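The four selectors differ only in how far below the pattern an entry may sit, so they can be reimplemented in a few lines and the table above checked mechanically. This is an added example for this page, not OpenLDAP's own matching code: DNs are compared after splitting on unescaped commas, trimming whitespace and lower-casing each RDN, which is enough for the DNs here but is not a full RFC 4514 normaliser (attribute-value escapes and multi-valued RDNs are out of scope).

```python
"""dn.base / dn.one / dn.subtree / dn.children, as described in slapd.access(5).

Added example; a stand-alone reimplementation for illustration, not OpenLDAP code.
"""
import re

# The numbered entries from the table above.
ENTRIES = {
    0: "o=suffix",
    1: "cn=Manager,o=suffix",
    2: "ou=people,o=suffix",
    3: "uid=kdz,ou=people,o=suffix",
    4: "cn=addresses,uid=kdz,ou=people,o=suffix",
    5: "uid=hyc,ou=people,o=suffix",
}


def split_dn(dn):
    """Split a DN into normalised RDN strings, leftmost (most specific) first."""
    return [rdn.strip().lower() for rdn in re.split(r"(?<!\\),", dn) if rdn.strip()]


def dn_matches(selector, pattern, dn):
    """True if dn is selected by dn.<selector>="<pattern>" (base/one/subtree/children)."""
    target, entry = split_dn(pattern), split_dn(dn)
    # The entry must be the pattern itself or sit below it: its rightmost
    # RDNs have to equal the pattern's RDNs. An empty pattern is the root.
    if target and (len(entry) < len(target) or entry[-len(target):] != target):
        return False
    depth = len(entry) - len(target)          # 0 = the entry is the pattern itself
    if selector == "base":
        return depth == 0
    if selector == "one":
        return depth == 1
    if selector == "subtree":
        return True
    if selector == "children":
        return depth >= 1
    raise ValueError("unknown selector " + selector)


def matching(selector, pattern, entries=ENTRIES):
    """Numbers of the entries selected by the given scope and pattern."""
    return sorted(n for n, dn in entries.items() if dn_matches(selector, pattern, dn))


if __name__ == "__main__":
    for sel in ("base", "one", "subtree", "children"):
        print('dn.%s="ou=people,o=suffix" matches %s' % (sel, matching(sel, "ou=people,o=suffix")))
```

The practical consequence for the ACLs that follow: dn.children="dc=fireblade,dc=com" covers every entry under the suffix but not the suffix entry itself, while dn.subtree would include it.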

OpenLDAP group ACL

In this scenario every member of a particular group can update the directory data.



Create a group called administrators with suresh as a member under "dc=fireblade,dc=com" using the


following LDIF
dn: cn=administrators,dc=fireblade,dc=com
objectClass: groupOfNames
cn: administrators
member: cn=suresh,ou=People,dc=fireblade,dc=com


LDIF for suresh is given below
dn: cn=suresh,ou=People,dc=fireblade,dc=com
objectClass: posixAccount
objectClass: top
objectClass: person
cn: suresh
gidNumber: 3001
homeDirectory: /home/suresh
sn: suresh
uid: suresh
uidNumber: 3000
userPassword:: e1NIQX1QSFo4UWEreEt0b1VBWkR0Z3RzLzJURGk3Nk09

Open the OpenLDAP configuration file (/etc/openldap/slapd.conf) and add the following access directive. slapd applies the first "access to" line whose target matches, so this must come before any catch-all "access to * by * read" line or it never takes effect.


access to dn.children="dc=fireblade,dc=com"
       by self write
       by group.exact="cn=administrators,dc=fireblade,dc=com" write
       by * auth

"by self write" also lets every user rewrite its own entry, uidNumber and gidNumber included; if this directory feeds NSS/PAM, restrict that clause to the attributes users may legitimately change.

Save and exit the configuration and restart the service.
/etc/init.d/ldap restart


Connect to LDAP as suresh and try to modify a field; the modification is now accepted because suresh is listed as a member of the administrators group.

Enjoy !!!!!

Openldap ACL Implementation

Giving permission to change password for the authenticated current user
 
With this configuration only the currently authenticated user can change their own password. Nobody can read another user's userPassword value: "by * auth" only allows the attribute to be used for binding, not to be read or changed. (The rootdn is never subject to ACLs.)

Open /etc/openldap/slapd.conf
# vim /etc/openldap/slapd.conf
After the line rootdn          "cn=Manager,dc=fireblade,dc=com" enter the below configuration. The userPassword rule must come before the catch-all "access to *" rule, because the first matching access directive wins.
access to attrs=userPassword
    by self write
    by * auth
access to *
      by * read
Save the configuration and restart the openldap
# /etc/init.d/ldap restart
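The "userPassword::" value in the LDIFs on this page (double colon, so base64) decodes to a "{SHA}..." string, i.e. an unsalted SHA-1: two users with the same password get the same stored value. slappasswd emits {SSHA} by default, SHA-1 over password plus a random salt with the salt appended before base64, and that is also the form that belongs on the rootpw line of the fireblade.net stanza earlier on this page. The script below is an added example, not code from the page or from OpenLDAP: it encodes both schemes and verifies a candidate password against either, in the same way slapd does when a user binds. The fixed salt in the test is only there to keep the example deterministic; real callers pass no salt and let os.urandom supply it.

```python
"""Encode and verify the {SHA} and {SSHA} userPassword values slapd stores.

Added example (not from the page or from OpenLDAP).
"""
import base64
import hashlib
import hmac
import os

# The userPassword:: value from the suresh entry on this page, as written.
PAGE_USERPASSWORD_B64 = "e1NIQX1QSFo4UWEreEt0b1VBWkR0Z3RzLzJURGk3Nk09"


def make_sha(password):
    """Unsalted {SHA}: what the page's LDIF uses. Identical for identical passwords."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def make_ssha(password, salt=None):
    """Salted {SSHA} as produced by slappasswd: base64(sha1(pw + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def check_password(candidate, stored):
    """Constant-time check of candidate against a {SHA} or {SSHA} stored value."""
    scheme, _, b64 = stored.partition("}")
    scheme = scheme.lstrip("{").upper()
    blob = base64.b64decode(b64)
    if scheme == "SHA":
        digest, salt = blob, b""
    elif scheme == "SSHA":
        digest, salt = blob[:20], blob[20:]      # a SHA-1 digest is 20 bytes, the rest is salt
    else:
        raise ValueError("unsupported password scheme {%s}" % scheme)
    return hmac.compare_digest(hashlib.sha1(candidate.encode() + salt).digest(), digest)


def ldif_scheme(ldif_b64_value):
    """Scheme of a base64 'userPassword::' LDIF value, e.g. 'SHA' or 'SSHA'."""
    return base64.b64decode(ldif_b64_value).decode().partition("}")[0].lstrip("{")


if __name__ == "__main__":
    print("page value uses scheme", ldif_scheme(PAGE_USERPASSWORD_B64))
    print("slappasswd-style value:", make_ssha("redhat"))
```

Two caveats go with the "by self write" rule above. The password-hash directive in slapd.conf (for example "password-hash {SSHA}") only applies to passwords changed through ldappasswd, the Password Modify extended operation; a plain ldapmodify that replaces userPassword stores whatever value the client sends, cleartext included, unless the ppolicy overlay with ppolicy_hash_cleartext is loaded. And {SHA}/{SSHA} are fast hashes, so the directory's ACL, not the hash, is what stands between an attacker and an offline guessing run.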



Giving permission to the Manager to update the fields of his Employee




# vi /etc/openldap/slapd.conf
After the line rootdn "cn=Manager,dc=fireblade,dc=com" enter the below configuration.

access to dn.exact="cn=sulthan,ou=People,dc=fireblade,dc=com"
   attrs=carLicense,homePhone,mobile,pager,telephoneNumber
   by self write
   by set="this/manager & user" write
   by * read

The set clause starts from the entry being accessed ("this"), follows its manager attribute and intersects the result with the bound DN ("user"); write is granted only when the bound user's DN is exactly the DN stored in manager. Both DNs have to be real: the target in the access line must be the entry's actual DN (the LDIF below creates sulthan as cn=sulthan, not uid=sulthan) and the manager value must be suresh's actual DN, otherwise the rule silently never matches.

Save the configuration file and restart the ldap using the below command
# /etc/init.d/ldap restart


NOTE: Create user sulthan with objectClass inetOrgPerson (which provides the manager, carLicense, homePhone, mobile and pager attributes) and suresh as his manager, using any LDAP client such as Apache Directory Studio.

LDIF for both sulthan and suresh are given below.
dn: cn=sulthan,ou=People,dc=fireblade,dc=com
objectClass: posixAccount
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: sulthan
gidNumber: 20001
homeDirectory: /home/smunaver
sn: Sulthan Munaver
uid: sulthan
uidNumber: 20000
manager: cn=suresh,ou=People,dc=fireblade,dc=com
telephoneNumber: 666677777777
userPassword:: e1NIQX1QSFo4UWEreEt0b1VBWkR0Z3RzLzJURGk3Nk09


dn: cn=suresh,ou=People,dc=fireblade,dc=com
objectClass: posixAccount
objectClass: top
objectClass: person
cn: suresh
gidNumber: 3001
homeDirectory: /home/suresh
sn: suresh
uid: suresh
uidNumber: 3000
userPassword:: e1NIQX1QSFo4UWEreEt0b1VBWkR0Z3RzLzJURGk3Nk09

Suresh is the manager of Sulthan, so when bound as suresh he can update carLicense, homePhone, mobile, pager and telephoneNumber on sulthan's entry; any other attribute falls through to the later access rules.
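Both of the ACLs above (the group ACL and this manager ACL) depend on DN values stored inside entries: group.exact matches the DNs in the group's member attribute, and set="this/manager & user" compares the bound DN with the manager attribute. When such a value names an entry that does not exist, nothing fails loudly; the rule just never grants anything. The script below is an added example for this page, not code from the original post or from OpenLDAP: it parses multi-entry LDIF (blank-line separated, "::" base64 values, one-space continuation lines), lists dangling DN references and evaluates both clauses for a given bind DN. Its sample LDIF is constructed from the page's entries and deliberately keeps manager pointing at uid=suresh,... (no such entry; suresh's DN starts with cn=) so the check has something to report.

```python
"""Parse LDIF and check the DN references the group and manager ACLs rely on.

Added example (not code from the original page or from OpenLDAP).
"""
import base64

DN_VALUED_ATTRS = ("member", "uniquemember", "manager", "owner", "seealso")

# Constructed from the page's entries; the manager value is the mismatched
# one on purpose (uid=suresh does not exist, the entry is cn=suresh).
SAMPLE_LDIF = """\
dn: cn=administrators,dc=fireblade,dc=com
objectClass: groupOfNames
cn: administrators
member: cn=suresh,ou=People,dc=fireblade,dc=com

dn: cn=suresh,ou=People,dc=fireblade,dc=com
objectClass: posixAccount
objectClass: top
objectClass: person
cn: suresh
sn: suresh
uid: suresh
uidNumber: 3000
gidNumber: 3001
homeDirectory: /home/suresh
userPassword:: e1NIQX1QSFo4UWEreEt0b1VBWkR0Z3RzLzJURGk3Nk09

dn: cn=sulthan,ou=People,dc=fireblade,dc=com
objectClass: inetOrgPerson
cn: sulthan
sn: Sulthan Munaver
uid: sulthan
manager: uid=suresh,ou=People,dc=fireblade,dc=com
telephoneNumber: 666677777777
"""

# Same data with the manager value corrected to suresh's real DN.
FIXED_LDIF = SAMPLE_LDIF.replace("manager: uid=suresh,", "manager: cn=suresh,")


def parse_ldif(text):
    """Return {dn: {attr_lowercase: [values]}} for every entry in the LDIF text."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:        # folded continuation line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, attrs = {}, {}
    for line in unfolded + [""]:                    # trailing "" flushes the last entry
        if not line.strip():
            if attrs:
                dn = attrs.pop("dn", [None])[0]
                if dn is None:
                    raise ValueError("entry without dn: %r" % attrs)
                entries[dn] = attrs
            attrs = {}
        elif line.startswith("#"):
            continue
        else:
            name, _, value = line.partition(":")
            if value.startswith(":"):               # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            else:
                value = value.strip()
            attrs.setdefault(name.strip().lower(), []).append(value)
    return entries


def norm_dn(dn):
    """Case- and whitespace-insensitive comparison form (enough for these DNs)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def dangling_refs(entries):
    """(entry dn, attribute, value) for DN-valued attributes naming no entry in the LDIF."""
    known = {norm_dn(dn) for dn in entries}
    return [(dn, attr, value)
            for dn, attrs in entries.items()
            for attr in DN_VALUED_ATTRS
            for value in attrs.get(attr, [])
            if norm_dn(value) not in known]


def group_may_write(entries, group_dn, bind_dn):
    """by group.exact="<group_dn>" write: is bind_dn among the group's member values?"""
    members = entries.get(group_dn, {}).get("member", [])
    return norm_dn(bind_dn) in {norm_dn(m) for m in members}


def manager_may_write(entries, target_dn, bind_dn):
    """by set="this/manager & user" write: does the target's manager value equal bind_dn?"""
    managers = entries.get(target_dn, {}).get("manager", [])
    return norm_dn(bind_dn) in {norm_dn(m) for m in managers}


if __name__ == "__main__":
    for dn, attr, value in dangling_refs(parse_ldif(SAMPLE_LDIF)):
        print("%s: %s points at missing entry %s" % (dn, attr, value))
```

Against a live server the same check is an ldapsearch -b for each referenced DN; the point of doing it on the LDIF is to catch the mismatch before the ACL is deployed and "tested" by a user who then simply gets insufficientAccessRights.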

Enabling logging in Openldap

To enable logging in OpenLDAP follow the steps given below.
# vim /etc/openldap/slapd.conf
Add the below line. Level 256 is the "stats" level: one line per connection, operation and result, including every BIND with its error code, which is the level you want when auditing logins.
 loglevel 256
Save the file
Restart ldap
# service ldap restart
slapd logs through syslog on the LOCAL4 facility by default, so route that facility to its own file. Open /etc/syslog.conf (/etc/rsyslog.conf on systems running rsyslog)
# vi /etc/syslog.conf
Add the line at the end of the file
local4.*   /var/log/openldap.log
Create the file /var/log/openldap.log
# touch /var/log/openldap.log
Save the file
Restart Syslog
#service syslog restart
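Once /var/log/openldap.log fills up, the stats lines are easy to turn into a failed-login report: each bind produces a BIND line and a RESULT line sharing the same conn= and op= numbers, the client address appears once on the connection's ACCEPT line, and err=49 is invalidCredentials. The script below is an added example written for this page, not code from the original post or from OpenLDAP; it joins those three lines per connection and counts failed simple binds per source IP and target DN. The log lines in it are constructed in the loglevel 256 format with a syslog prefix (the successful Manager bind includes the second "mech=SIMPLE ssf=0" BIND line slapd writes after a successful bind).

```python
"""Count failed simple binds in the slapd stats log (loglevel 256), per client.

Added example (not from the original page or from OpenLDAP).
"""
import re
from collections import defaultdict

# Constructed sample lines in the stats-level format as routed to syslog.
SAMPLE_LOG = """\
Dec 21 10:00:01 master-ldap1 slapd[1234]: conn=1000 fd=12 ACCEPT from IP=192.168.56.1:40001 (IP=0.0.0.0:389)
Dec 21 10:00:01 master-ldap1 slapd[1234]: conn=1000 op=0 BIND dn="cn=suresh,ou=People,dc=fireblade,dc=com" method=128
Dec 21 10:00:01 master-ldap1 slapd[1234]: conn=1000 op=0 RESULT tag=97 err=49 text=
Dec 21 10:00:01 master-ldap1 slapd[1234]: conn=1000 op=1 UNBIND
Dec 21 10:00:01 master-ldap1 slapd[1234]: conn=1000 fd=12 closed
Dec 21 10:00:02 master-ldap1 slapd[1234]: conn=1001 fd=12 ACCEPT from IP=192.168.56.1:40002 (IP=0.0.0.0:389)
Dec 21 10:00:02 master-ldap1 slapd[1234]: conn=1001 op=0 BIND dn="cn=suresh,ou=People,dc=fireblade,dc=com" method=128
Dec 21 10:00:02 master-ldap1 slapd[1234]: conn=1001 op=0 RESULT tag=97 err=49 text=
Dec 21 10:00:03 master-ldap1 slapd[1234]: conn=1002 fd=13 ACCEPT from IP=192.168.56.22:50001 (IP=0.0.0.0:389)
Dec 21 10:00:03 master-ldap1 slapd[1234]: conn=1002 op=0 BIND dn="cn=Manager,dc=fireblade,dc=com" method=128
Dec 21 10:00:03 master-ldap1 slapd[1234]: conn=1002 op=0 BIND dn="cn=Manager,dc=fireblade,dc=com" mech=SIMPLE ssf=0
Dec 21 10:00:03 master-ldap1 slapd[1234]: conn=1002 op=0 RESULT tag=97 err=0 text=
Dec 21 10:00:04 master-ldap1 slapd[1234]: conn=1001 op=1 BIND dn="cn=suresh,ou=People,dc=fireblade,dc=com" method=128
Dec 21 10:00:04 master-ldap1 slapd[1234]: conn=1001 op=1 RESULT tag=97 err=49 text=
Dec 21 10:00:05 master-ldap1 slapd[1234]: conn=1003 fd=14 ACCEPT from IP=192.168.56.30:60001 (IP=0.0.0.0:389)
Dec 21 10:00:05 master-ldap1 slapd[1234]: conn=1003 op=0 BIND dn="cn=sulthan,ou=People,dc=fireblade,dc=com" method=128
Dec 21 10:00:05 master-ldap1 slapd[1234]: conn=1003 op=0 RESULT tag=97 err=49 text=
"""

ACCEPT = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+")
BIND = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
RESULT = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)")   # tag 97 = bindResponse
INVALID_CREDENTIALS = "49"


def bind_failures(log_text):
    """Return {(client_ip, bind_dn): failures} for simple binds that ended in err=49."""
    conn_ip = {}          # conn number -> client IP, taken from the ACCEPT line
    pending = {}          # (conn, op) -> (ip, dn) for binds still waiting for a RESULT
    failures = defaultdict(int)
    for line in log_text.splitlines():
        m = ACCEPT.search(line)
        if m:
            conn_ip[m.group(1)] = m.group(2)
            continue
        m = BIND.search(line)
        if m:
            conn, op, dn, _method = m.groups()
            pending[(conn, op)] = (conn_ip.get(conn, "unknown"), dn or "<anonymous>")
            continue
        m = RESULT.search(line)
        if m:
            conn, op, err = m.groups()
            who = pending.pop((conn, op), None)
            if who is not None and err == INVALID_CREDENTIALS:
                failures[who] += 1
    return dict(failures)


def noisy_sources(failures, threshold):
    """Client IPs whose failed binds (against any DN) reach the threshold, sorted."""
    per_ip = defaultdict(int)
    for (ip, _dn), count in failures.items():
        per_ip[ip] += count
    return sorted(ip for ip, count in per_ip.items() if count >= threshold)


if __name__ == "__main__":
    failed = bind_failures(SAMPLE_LOG)
    for (ip, dn), count in sorted(failed.items()):
        print("%-15s %-45s %d" % (ip, dn, count))
    print("sources at/over 3 failures:", noisy_sources(failed, 3))
```

Feed it the real file with bind_failures(open("/var/log/openldap.log").read()). The join on conn= and op= matters: a connection can carry several binds (conn=1001 above binds twice), and results for different connections interleave, so counting err=49 lines alone would lose the client address.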


Enjoy !!!!!

Directory Server Components

1. The main process of Directory Server is ns-slapd.
2. It is made up of a front end, which handles network communication, and an extensible set of plug-ins that provide the basic server functions.
3. The database is Sleepycat Berkeley DB.

4. Red Hat Management Console.

To start the Management Console
# centos-idm-console 
5. Red Hat Administration Server, which can start, stop and restart the directory server and view its log files. 

6. Its process is httpd.worker.