Saturday, October 27, 2012
Friday, October 26, 2012
SSH Passwordless Authentication by expect system call
#!/bin/bash
HOSTS="192.168.0.1"
PASSWORD=Passw0rd@1
for HOST in $HOSTS
do
expect -c "
spawn /usr/bin/scp -rvpv -c blowfish /oracle/test/ oragsd@$HOST:/oracle/
expect {
"*password:*" { send $PASSWORD\r;interact }
}
exit
"
done
Wednesday, October 19, 2011
mod_geoip2 with Apache2
Step 1:
Download the GeoIP C Library from MaxMind
Download http://geolite.maxmind.com/
Name : GeoIP.tar.gz
Extract the library:
#tar zxvf GeoIP.tar.gz
#cd GeoIP-1.4.6/
#./configure
# make
# make install
Step 2:
Download the GeoIP Apache2 API from the below URL
http://geolite.maxmind.com/download/geoip/api/mod_geoip2/mod_geoip2_1.2.5.tar.gz
# tar zxvf mod_geoip2_1.2.5.tar.gz
# cd mod_geoip2_1.2.5
Install the API
#apxs -i -a -L/usr/local/lib -I/usr/local/include -lGeoIP -c mod_geoip.c
# chmod 755 /usr/lib/httpd/modules/mod_geoip.so
[activating module `geoip' in /etc/httpd/conf/httpd.conf]
Step : 3
Download the latest GeoLite country database in binary format
# wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
# gunzip GeoIP.dat.gz
# mkdir /usr/src/geo
# mv GeoIP.dat /usr/src/geo/
Step : 4
# vi /etc/httpd/conf/httpd.conf
Go all the way down to the end of file and add the following lines:
GeoIPEnable On
GeoIPDBFile /usr/src/geo/GeoIP.dat
Save it and exit
#service httpd restart
Now, its your mod_rewrite skills which can save you :)
Good Luck
or (If you are lazy)
wget http://203.130.201.244/centos/extras/5/i386/GeoIP-1.4.2-1.el5.i386.rpm
wget http://203.130.201.244/centos/extras/5/i386/mod_geoip-1.1.8-2.el5.i386.rpm
rpm -ivh GeoIP-1.4.2-1.el5.i386.rpm
rpm -ivh mod_geoip-1.1.8-2.el5.i386.rpm
/Pradyumna
Download the GeoIP C Library from MaxMind
Download http://geolite.maxmind.com/
Name : GeoIP.tar.gz
Extract the library:
#tar zxvf GeoIP.tar.gz
#cd GeoIP-1.4.6/
#./configure
# make
# make install
Step 2:
Download the GeoIP Apache2 API from the below URL
http://geolite.maxmind.com/download/geoip/api/mod_geoip2/mod_geoip2_1.2.5.tar.gz
# tar zxvf mod_geoip2_1.2.5.tar.gz
# cd mod_geoip2_1.2.5
Install the API
#apxs -i -a -L/usr/local/lib -I/usr/local/include -lGeoIP -c mod_geoip.c
# chmod 755 /usr/lib/httpd/modules/mod_geoip.so
[activating module `geoip' in /etc/httpd/conf/httpd.conf]
Step : 3
Download the latest GeoLite country database in binary format
# wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
# gunzip GeoIP.dat.gz
# mkdir /usr/src/geo
# mv GeoIP.dat /usr/src/geo/
Step : 4
# vi /etc/httpd/conf/httpd.conf
Go all the way down to the end of file and add the following lines:
GeoIPEnable On
GeoIPDBFile /usr/src/geo/GeoIP.dat
Save it and exit
#service httpd restart
Now, its your mod_rewrite skills which can save you :)
Good Luck
or (If you are lazy)
wget http://203.130.201.244/centos/extras/5/i386/GeoIP-1.4.2-1.el5.i386.rpm
wget http://203.130.201.244/centos/extras/5/i386/mod_geoip-1.1.8-2.el5.i386.rpm
rpm -ivh GeoIP-1.4.2-1.el5.i386.rpm
rpm -ivh mod_geoip-1.1.8-2.el5.i386.rpm
/Pradyumna
Thursday, September 29, 2011
YUM configuration
I. Mount the ISO file using following command
#mount –o loop –t iso9660 /location/of/iso /var/ftp
Or
#mount –o loop /location/of/iso /var/ftp
II. Verify the mounting using following command
#df –h
III. Move *.repo files from the /etc/yum.repos.d
#mv /etc/yum.repos.d/* /root/Desktop
IV. Edit the /etc/yum.conf file put the following lines at the end.
#vi /etc/yum.conf
[My Repo]
name= My Local Repository
baseurl=ftp://youripaddress ----> for Centos 5
baseurl=ftp://youripaddress/Server ----> for RHEL 5
enable=1
gpgcheck=0
V. Clean up previous caching by following command. This is very
important when you are changing repo files or rpm on your repository.
#yum clean all
VI. Install rpm with the following command
#yum install httpd
#mount –o loop –t iso9660 /location/of/iso /var/ftp
Or
#mount –o loop /location/of/iso /var/ftp
II. Verify the mounting using following command
#df –h
III. Move *.repo files from the /etc/yum.repos.d
#mv /etc/yum.repos.d/* /root/Desktop
IV. Edit the /etc/yum.conf file put the following lines at the end.
#vi /etc/yum.conf
[My Repo]
name= My Local Repository
baseurl=ftp://youripaddress ----> for Centos 5
baseurl=ftp://youripaddress/Server ----> for RHEL 5
enable=1
gpgcheck=0
V. Clean up previous caching by following command. This is very
important when you are changing repo files or rpm on your repository.
#yum clean all
VI. Install rpm with the following command
#yum install httpd
Thursday, September 22, 2011
# Scripting
1. Hello World Bash Shell Script
First you need to find out where is your bash interpreter located. Enter the following into your command line:
$ which bash
Open up you favorite text editor and a create file called hello_world.sh. Insert the following lines to a file:
NOTE:Every bash shell script in this tutorial starts with shebang:"#!" which is not read as a comment. First line is also a place where you put your interpreter which is in this case: /bin/bash.
Here is our first bash shell script example:
#!/bin/bash
# declare STRING variable
STRING="Hello World"
#print variable on a screen
echo $STRING
Navigate to a directory where your hello_world.sh is located and make the file executable:
$ chmod +x hello_world.sh
Now you are ready to execute your first bash script:
./hello_world.sh
2. Simple Backup bash shell script
#!/bin/bash
tar -czf myhome_directory.tar.gz /home/linuxconfig
3. Variables
In this example we declare simple bash variable and print it on the screen ( stdout ) with echo command.
#!/bin/bash
STRING="HELLO WORLD!!!"
echo $STRING
Your backup script and variables:
#!/bin/bash
OF=myhome_directory_$(date +%Y%m%d).tar.gz
tar -czf $OF /home/linuxconfig
3.1. Global vs. Local variables
#!/bin/bash
#Define bash global variable
#This variable is global and can be used anywhere in this bash script
VAR="global variable"
function bash {
#Define bash local variable
#This variable is local to bash function only
local VAR="local variable"
echo $VAR
}
echo $VAR
bash
# Note the bash global variable did not change
# "local" is bash reserved word
echo $VAR
4. Passing arguments to the bash script
#!/bin/bash
# use predefined variables to access passed arguments
#echo arguments to the shell
echo $1 $2 $3 ' -> echo $1 $2 $3'
# We can also store arguments from bash command line in special array
args=("$@")
#echo arguments to the shell
echo ${args[0]} ${args[1]} ${args[2]} ' -> args=("$@"); echo ${args[0]} ${args[1]} ${args[2]}'
#use $@ to print out all arguments at once
echo $@ ' -> echo $@'
# use $# variable to print out
# number of arguments passed to the bash script
echo Number of arguments passed: $# ' -> echo Number of arguments passed: $#'
/arguments.sh Bash Scripting Tutorial
5. Executing shell commands with bash
#!/bin/bash
# use backticks " ` ` " to execute shell command
echo `uname -o`
# executing bash command without backticks
echo uname -o
6. Reading User Input
#!/bin/bash
echo -e "Hi, please type the word: \c "
read word
echo "The word you entered is: $word"
echo -e "Can you please enter two words? "
read word1 word2
echo "Here is your input: \"$word1\" \"$word2\""
echo -e "How do you feel about bash scripting? "
# read command now stores a reply into the default build-in variable $REPLY
read
echo "You said $REPLY, I'm glad to hear that! "
echo -e "What are your favorite colours ? "
# -a makes read command to read into an array
read -a colours
echo "My favorite colours are also ${colours[0]}, ${colours[1]} and ${colours[2]}:-)"
7. Bash Trap Command
#!/bin/bash
# bash trap command
trap bashtrap INT
# bash clear screen command
clear;
# bash trap function is executed when CTRL-C is pressed:
# bash prints message => Executing bash trap subrutine !
bashtrap()
{
echo "CTRL+C Detected !...executing bash trap !"
}
# for loop from 1/10 to 10/10
for a in `seq 1 10`; do
echo "$a/10 to Exit."
sleep 1;
done
echo "Exit Bash Trap Example!!!"
8. Arrays
8.1. Declare simple bash array
#!/bin/bash
#Declare array with 4 elements
ARRAY=( 'Debian Linux' 'Redhat Linux' Ubuntu Linux )
# get number of elements in the array
ELEMENTS=${#ARRAY[@]}
# echo each element in array
# for loop
for (( i=0;i<$ELEMENTS;i++)); do
echo ${ARRAY[${i}]}
done
8.2. Read file into bash array
#!/bin/bash
# Declare array
declare -a ARRAY
# Link filedescriptor 10 with stdin
exec 10<&0
# stdin replaced with a file supplied as a first argument
exec < $1
let count=0
while read LINE; do
ARRAY[$count]=$LINE
((count++))
done
echo Number of elements: ${#ARRAY[@]}
# echo array's content
echo ${ARRAY[@]}
# restore stdin from filedescriptor 10
# and close filedescriptor 10
exec 0<&10 10<&-
Bash script execution with an output:
linuxconfig.org $ cat bash.txt
Bash
Scripting
Tutorial
Guide
linuxconfig.org $ ./bash-script.sh bash.txt
Number of elements: 4
Bash Scripting Tutorial Guide
linuxconfig.org $
9. Bash if / else / fi statements
9.1. Simple Bash if/else statement
Please note the spacing inside the [ and ] brackets! Without the spaces, it won't work!
#!/bin/bash
directory="./BashScripting"
# bash check if directory exists
if [ -d $directory ]; then
echo "Directory exists"
else
echo "Directory does not exists"
fi
9.2. Nested if/else
#!/bin/bash
# Declare variable choice and assign value 4
choice=4
# Print to stdout
echo "1. Bash"
echo "2. Scripting"
echo "3. Tutorial"
echo -n "Please choose a word [1,2 or 3]? "
# Loop while the variable choice is equal 4
# bash while loop
while [ $choice -eq 4 ]; do
# read user input
read choice
# bash nested if/else
if [ $choice -eq 1 ] ; then
echo "You have chosen word: Bash"
else
if [ $choice -eq 2 ] ; then
echo "You have chosen word: Scripting"
else
if [ $choice -eq 3 ] ; then
echo "You have chosen word: Tutorial"
else
echo "Please make a choice between 1-3 !"
echo "1. Bash"
echo "2. Scripting"
echo "3. Tutorial"
echo -n "Please choose a word [1,2 or 3]? "
choice=4
fi
fi
fi
done
10. Bash Comparisons
10.1. Arithmetic Comparisons
-lt <
-gt >
-le <=
-ge >=
-eq ==
-ne !=
#!/bin/bash
# declare integers
NUM1=2
NUM2=2
if [ $NUM1 -eq $NUM2 ]; then
echo "Both Values are equal"
else
echo "Values are NOT equal"
fi
#!/bin/bash
# declare integers
NUM1=2
NUM2=1
if [ $NUM1 -eq $NUM2 ]; then
echo "Both Values are equal"
else
echo "Values are NOT equal"
fi
#!/bin/bash
# declare integers
NUM1=2
NUM2=1
if [ $NUM1 -eq $NUM2 ]; then
echo "Both Values are equal"
elif [ $NUM1 -gt $NUM2 ]; then
echo "NUM1 is greater then NUM2"
else
echo "NUM2 is greater then NUM1"
fi
10.2. String Comparisons
= equal
!= not equal
< less then
> greater then
-n s1 string s1 is not empty
-z s1 string s1 is empty
#!/bin/bash
#Declare string S1
S1="Bash"
#Declare string S2
S2="Scripting"
if [ $S1 = $S2 ]; then
echo "Both Strings are equal"
else
echo "Strings are NOT equal"
fi
#!/bin/bash
#Declare string S1
S1="Bash"
#Declare string S2
S2="Bash"
if [ $S1 = $S2 ]; then
echo "Both Strings are equal"
else
echo "Strings are NOT equal"
fi
11. Bash File Testing
-b filename Block special file
-c filename Special character file
-d directoryname Check for directory existence
-e filename Check for file existence
-f filename Check for regular file existence not a directory
-G filename Check if file exists and is owned by effective group ID.
-g filename true if file exists and is set-group-id.
-k filename Sticky bit
-L filename Symbolic link
-O filename True if file exists and is owned by the effective user id.
-r filename Check if file is a readable
-S filename Check if file is socket
-s filename Check if file is nonzero size
-u filename Check if file set-ser-id bit is set
-w filename Check if file is writable
-x filename Check if file is executable
#!/bin/bash
file="./file"
if [ -e $file ]; then
echo "File exists"
else
echo "File does not exists"
fi
Similarly for example we can use while loop to check if file does not exists. This script will sleep until file does exists. Note bash negator "!" which negates the -e option.
#!/bin/bash
while [ ! -e myfile ]; do
# Sleep until file does exists/is created
sleep 1
done
12. Loops
12.1. Bash for loop
#!/bin/bash
# bash for loop
for f in $( ls /var/ ); do
echo $f
done
Running for loop from bash shell command line:
$ for f in $( ls /var/ ); do echo $f; done
12.2. Bash while loop
#!/bin/bash
COUNT=6
# bash while loop
while [ $COUNT -gt 0 ]; do
echo Value of count is: $COUNT
let COUNT=COUNT-1
done
12.3. Bash until loop
#!/bin/bash
COUNT=0
# bash until loop
until [ $COUNT -gt 5 ]; do
echo Value of count is: $COUNT
let COUNT=COUNT+1
done
12.4. Control bash loop with
Here is a example of while loop controlled by standard input. Until the redirection chain from STDOUT to STDIN to the read command exists the while loop continues.
#!/bin/bash
# This bash script will locate and replace spaces
# in the filenames
DIR="."
# Controlling a loop with bash read command by redirecting STDOUT as
# a STDIN to while loop
# find will not truncate filenames containing spaces
find $DIR -type f | while read file; do
# using POSIX class [:space:] to find space in the filename
if [[ "$file" = *[[:space:]]* ]]; then
# substitute space with "_" character and consequently rename the file
mv "$file" `echo $file | tr ' ' '_'`
fi;
# end of while loop
done
13. Bash Functions
!/bin/bash
# BASH FUNCTIONS CAN BE DECLARED IN ANY ORDER
function function_B {
echo Function B.
}
function function_A {
echo $1
}
function function_D {
echo Function D.
}
function function_C {
echo $1
}
# FUNCTION CALLS
# Pass parameter to function A
function_A "Function A."
function_B
# Pass parameter to function C
function_C "Function C."
function_D
14. Bash Select
#!/bin/bash
PS3='Choose one word: '
# bash select
select word in "linux" "bash" "scripting" "tutorial"
do
echo "The word you have selected is: $word"
# Break, otherwise endless loop
break
done
exit 0
15. Case statement conditional
#!/bin/bash
echo "What is your preferred programming / scripting language"
echo "1) bash"
echo "2) perl"
echo "3) phyton"
echo "4) c++"
echo "5) I do not know !"
read case;
#simple case bash structure
# note in this case $case is variable and does not have to
# be named case this is just an example
case $case in
1) echo "You selected bash";;
2) echo "You selected perl";;
3) echo "You selected phyton";;
4) echo "You selected c++";;
5) exit
esac
16. Bash quotes and quotations
Quotations and quotes are important part of bash and bash scripting. Here are some bash quotes and quotations basics.
16.1. Escaping Meta characters
Before we start with quotes and quotations we should know something about escaping meta characters. Escaping will suppress a special meaning of meta characters and therefore meta characters will be read by bash literally. To do this we need to use backslash "\" character. Example:
#!/bin/bash
#Declare bash string variable
BASH_VAR="Bash Script"
# echo variable BASH_VAR
echo $BASH_VAR
#when meta character such us "$" is escaped with "\" it will be read literally
echo \$BASH_VAR
# backslash has also special meaning and it can be suppressed with yet another "\"
echo "\\"
16.2. Single quotes
Single quotes in bash will suppress special meaning of every meta characters. Therefore meta characters will be read literally. It is not possible to use another single quote within two single quotes not even if the single quote is escaped by backslash.
#!/bin/bash
#Declare bash string variable
BASH_VAR="Bash Script"
# echo variable BASH_VAR
echo $BASH_VAR
# meta characters special meaning in bash is suppressed when using single quotes
echo '$BASH_VAR "$BASH_VAR"'
16.3. Double Quotes
Double quotes in bash will suppress special meaning of every meta characters except "$", "\" and "`". Any other meta characters will be read literally. It is also possible to use single quote within double quotes. If we need to use double quotes within double quotes bash can read them literally when escaping them with "\". Example:
#!/bin/bash
#Declare bash string variable
BASH_VAR="Bash Script"
# echo variable BASH_VAR
echo $BASH_VAR
# meta characters and its special meaning in bash is
# suppressed when using double quotes except "$", "\" and "`"
echo "It's $BASH_VAR and \"$BASH_VAR\" using backticks: `date`"
16.4. Bash quoting with ANSI-C style
There is also another type of quoting and that is ANSI-C. In this type of quoting characters escaped with "\" will gain special meaning according to the ANSI-C standard.
\a alert (bell) \b backspace
\e an escape character \f form feed
\n newline \r carriage return
\t horizontal tab \v vertical tab
\\ backslash \` single quote
\nnn octal value of characters ( see [http://www.asciitable.com/ ASCII table] ) \xnn hexadecimal value of characters ( see [http://www.asciitable.com/ ASCII table] )
The syntax fo ansi-c bash quoting is: $'' . Here is an example:
#!/bin/bash
# as a example we have used \n as a new line, \x40 is hex value for @
# and \56 is octal value for .
echo $'web: www.linuxconfig.org\nemail: web\x40linuxconfig\56org'
17. Arithmetic Operations
17.1. Bash Addition Calculator Example
#!/bin/bash
let RESULT1=$1+$2
echo $1+$2=$RESULT1 ' -> # let RESULT1=$1+$2'
declare -i RESULT2
RESULT2=$1+$2
echo $1+$2=$RESULT2 ' -> # declare -i RESULT2; RESULT2=$1+$2'
echo $1+$2=$(($1 + $2)) ' -> # $(($1 + $2))'
17.2. Bash Arithmetics
#!/bin/bash
echo '### let ###'
# bash addition
let ADDITION=3+5
echo "3 + 5 =" $ADDITION
# bash subtraction
let SUBTRACTION=7-8
echo "7 - 8 =" $SUBTRACTION
# bash multiplication
let MULTIPLICATION=5*8
echo "5 * 8 =" $MULTIPLICATION
# bash division
let DIVISION=4/2
echo "4 / 2 =" $DIVISION
# bash modulus
let MODULUS=9%4
echo "9 % 4 =" $MODULUS
# bash power of two
let POWEROFTWO=2**2
echo "2 ^ 2 =" $POWEROFTWO
echo '### Bash Arithmetic Expansion ###'
# There are two formats for arithmetic expansion: $[ expression ]
# and $(( expression #)) its your choice which you use
echo 4 + 5 = $((4 + 5))
echo 7 - 7 = $[ 7 - 7 ]
echo 4 x 6 = $((3 * 2))
echo 6 / 3 = $((6 / 3))
echo 8 % 7 = $((8 % 7))
echo 2 ^ 8 = $[ 2 ** 8 ]
echo '### Declare ###'
echo -e "Please enter two numbers \c"
# read user input
read num1 num2
declare -i result
result=$num1+$num2
echo "Result is:$result "
# bash convert binary number 10001
result=2#10001
echo $result
# bash convert octal number 16
result=8#16
echo $result
# bash convert hex number 0xE6A
result=16#E6A
echo $result
17.3. Round floating point number
#!/bin/bash
# get floating point number
floating_point_number=3.3446
echo $floating_point_number
# round floating point number with bash
for bash_rounded_number in $(printf %.0f $floating_point_number); do
echo "Rounded number with bash:" $bash_rounded_number
done
17.4. Bash floating point calculations
#!/bin/bash
# Simple linux bash calculator
echo "Enter input:"
read userinput
echo "Result with 2 digits after decimal point:"
echo "scale=2; ${userinput}" | bc
echo "Result with 10 digits after decimal point:"
echo "scale=10; ${userinput}" | bc
echo "Result as rounded integer:"
echo $userinput | bc
18. Redirections
18.1. STDOUT from bash script to STDERR
#!/bin/bash
echo "Redirect this STDOUT to STDERR" 1>&2
To proof that STDOUT is redirected to STDERR we can redirect script's output to file:
18.2. STDERR from bash script to STDOUT
#!/bin/bash
cat $1 2>&1
To proof that STDERR is redirected to STDOUT we can redirect script's output to file:
18.3. stdout to screen
The simple way to redirect a standard output ( stdout ) is to simply use any command, because by default stdout is automatically redirected to screen. First create a file "file1":
$ touch file1
$ ls file1
file1
As you can see from the example above execution of ls command produces STDOUT which by default is redirected to screen.
18.4. stdout to file
The override the default behavior of STDOUT we can use ">" to redirect this output to file:
$ ls file1 > STDOUT
$ cat STDOUT
file1
18.5. stderr to file
By default STDERR is displayed on the screen:
$ ls
file1 STDOUT
$ ls file2
ls: cannot access file2: No such file or directory
In the following example we will redirect the standard error ( stderr ) to a file and stdout to a screen as default. Please note that STDOUT is displayed on the screen, however STDERR is redirected to a file called STDERR:
$ ls
file1 STDOUT
$ ls file1 file2 2> STDERR
file1
$ cat STDERR
ls: cannot access file2: No such file or directory
18.6. stdout to stderr
It is also possible to redirect STDOUT and STDERR to the same file. In the next example we will redirect STDOUT to the same descriptor as STDERR. Both STDOUT and STDERR will be redirected to file "STDERR_STDOUT".
$ ls
file1 STDERR STDOUT
$ ls file1 file2 2> STDERR_STDOUT 1>&2
$ cat STDERR_STDOUT
ls: cannot access file2: No such file or directory
file1
File STDERR_STDOUT now contains STDOUT and STDERR.
18.7. stderr to stdout
The above example can be reversed by redirecting STDERR to the same descriptor as SDTOUT:
$ ls
file1 STDERR STDOUT
$ ls file1 file2 > STDERR_STDOUT 2>&1
$ cat STDERR_STDOUT
ls: cannot access file2: No such file or directory
file1
18.8. stderr and stdout to file
Previous two examples redirected both STDOUT and STDERR to a file. Another way to achieve the same effect is illustrated below:
$ ls
file1 STDERR STDOUT
$ ls file1 file2 &> STDERR_STDOUT
$ cat STDERR_STDOUT
ls: cannot access file2: No such file or directory
file1
or
ls file1 file2 >& STDERR_STDOUT
$ cat STDERR_STDOUT
ls: cannot access file2: No such file or directory
file1
First you need to find out where is your bash interpreter located. Enter the following into your command line:
$ which bash
Open up you favorite text editor and a create file called hello_world.sh. Insert the following lines to a file:
NOTE:Every bash shell script in this tutorial starts with shebang:"#!" which is not read as a comment. First line is also a place where you put your interpreter which is in this case: /bin/bash.
Here is our first bash shell script example:
#!/bin/bash
# declare STRING variable
STRING="Hello World"
#print variable on a screen
echo $STRING
Navigate to a directory where your hello_world.sh is located and make the file executable:
$ chmod +x hello_world.sh
Now you are ready to execute your first bash script:
./hello_world.sh
2. Simple Backup bash shell script
#!/bin/bash
tar -czf myhome_directory.tar.gz /home/linuxconfig
3. Variables
In this example we declare simple bash variable and print it on the screen ( stdout ) with echo command.
#!/bin/bash
STRING="HELLO WORLD!!!"
echo $STRING
Your backup script and variables:
#!/bin/bash
OF=myhome_directory_$(date +%Y%m%d).tar.gz
tar -czf $OF /home/linuxconfig
3.1. Global vs. Local variables
#!/bin/bash
#Define bash global variable
#This variable is global and can be used anywhere in this bash script
VAR="global variable"
function bash {
#Define bash local variable
#This variable is local to bash function only
local VAR="local variable"
echo $VAR
}
echo $VAR
bash
# Note the bash global variable did not change
# "local" is bash reserved word
echo $VAR
4. Passing arguments to the bash script
#!/bin/bash
# use predefined variables to access passed arguments
#echo arguments to the shell
echo $1 $2 $3 ' -> echo $1 $2 $3'
# We can also store arguments from bash command line in special array
args=("$@")
#echo arguments to the shell
echo ${args[0]} ${args[1]} ${args[2]} ' -> args=("$@"); echo ${args[0]} ${args[1]} ${args[2]}'
#use $@ to print out all arguments at once
echo $@ ' -> echo $@'
# use $# variable to print out
# number of arguments passed to the bash script
echo Number of arguments passed: $# ' -> echo Number of arguments passed: $#'
/arguments.sh Bash Scripting Tutorial
5. Executing shell commands with bash
#!/bin/bash
# use backticks " ` ` " to execute shell command
echo `uname -o`
# executing bash command without backticks
echo uname -o
6. Reading User Input
#!/bin/bash
echo -e "Hi, please type the word: \c "
read word
echo "The word you entered is: $word"
echo -e "Can you please enter two words? "
read word1 word2
echo "Here is your input: \"$word1\" \"$word2\""
echo -e "How do you feel about bash scripting? "
# read command now stores a reply into the default build-in variable $REPLY
read
echo "You said $REPLY, I'm glad to hear that! "
echo -e "What are your favorite colours ? "
# -a makes read command to read into an array
read -a colours
echo "My favorite colours are also ${colours[0]}, ${colours[1]} and ${colours[2]}:-)"
7. Bash Trap Command
#!/bin/bash
# bash trap command
trap bashtrap INT
# bash clear screen command
clear;
# bash trap function is executed when CTRL-C is pressed:
# bash prints message => Executing bash trap subrutine !
bashtrap()
{
echo "CTRL+C Detected !...executing bash trap !"
}
# for loop from 1/10 to 10/10
for a in `seq 1 10`; do
echo "$a/10 to Exit."
sleep 1;
done
echo "Exit Bash Trap Example!!!"
8. Arrays
8.1. Declare simple bash array
#!/bin/bash
#Declare array with 4 elements
ARRAY=( 'Debian Linux' 'Redhat Linux' Ubuntu Linux )
# get number of elements in the array
ELEMENTS=${#ARRAY[@]}
# echo each element in array
# for loop
for (( i=0;i<$ELEMENTS;i++)); do
echo ${ARRAY[${i}]}
done
8.2. Read file into bash array
#!/bin/bash
# Declare array
declare -a ARRAY
# Link filedescriptor 10 with stdin
exec 10<&0
# stdin replaced with a file supplied as a first argument
exec < $1
let count=0
while read LINE; do
ARRAY[$count]=$LINE
((count++))
done
echo Number of elements: ${#ARRAY[@]}
# echo array's content
echo ${ARRAY[@]}
# restore stdin from filedescriptor 10
# and close filedescriptor 10
exec 0<&10 10<&-
Bash script execution with an output:
linuxconfig.org $ cat bash.txt
Bash
Scripting
Tutorial
Guide
linuxconfig.org $ ./bash-script.sh bash.txt
Number of elements: 4
Bash Scripting Tutorial Guide
linuxconfig.org $
9. Bash if / else / fi statements
9.1. Simple Bash if/else statement
Please note the spacing inside the [ and ] brackets! Without the spaces, it won't work!
#!/bin/bash
directory="./BashScripting"
# bash check if directory exists
if [ -d $directory ]; then
echo "Directory exists"
else
echo "Directory does not exists"
fi
9.2. Nested if/else
#!/bin/bash
# Declare variable choice and assign value 4
choice=4
# Print to stdout
echo "1. Bash"
echo "2. Scripting"
echo "3. Tutorial"
echo -n "Please choose a word [1,2 or 3]? "
# Loop while the variable choice is equal 4
# bash while loop
while [ $choice -eq 4 ]; do
# read user input
read choice
# bash nested if/else
if [ $choice -eq 1 ] ; then
echo "You have chosen word: Bash"
else
if [ $choice -eq 2 ] ; then
echo "You have chosen word: Scripting"
else
if [ $choice -eq 3 ] ; then
echo "You have chosen word: Tutorial"
else
echo "Please make a choice between 1-3 !"
echo "1. Bash"
echo "2. Scripting"
echo "3. Tutorial"
echo -n "Please choose a word [1,2 or 3]? "
choice=4
fi
fi
fi
done
10. Bash Comparisons
10.1. Arithmetic Comparisons
-lt <
-gt >
-le <=
-ge >=
-eq ==
-ne !=
#!/bin/bash
# declare integers
NUM1=2
NUM2=2
if [ $NUM1 -eq $NUM2 ]; then
echo "Both Values are equal"
else
echo "Values are NOT equal"
fi
#!/bin/bash
# declare integers
NUM1=2
NUM2=1
if [ $NUM1 -eq $NUM2 ]; then
echo "Both Values are equal"
else
echo "Values are NOT equal"
fi
#!/bin/bash
# declare integers
NUM1=2
NUM2=1
if [ $NUM1 -eq $NUM2 ]; then
echo "Both Values are equal"
elif [ $NUM1 -gt $NUM2 ]; then
echo "NUM1 is greater then NUM2"
else
echo "NUM2 is greater then NUM1"
fi
10.2. String Comparisons
= equal
!= not equal
< less then
> greater then
-n s1 string s1 is not empty
-z s1 string s1 is empty
#!/bin/bash
#Declare string S1
S1="Bash"
#Declare string S2
S2="Scripting"
if [ $S1 = $S2 ]; then
echo "Both Strings are equal"
else
echo "Strings are NOT equal"
fi
#!/bin/bash
#Declare string S1
S1="Bash"
#Declare string S2
S2="Bash"
if [ $S1 = $S2 ]; then
echo "Both Strings are equal"
else
echo "Strings are NOT equal"
fi
11. Bash File Testing
-b filename Block special file
-c filename Special character file
-d directoryname Check for directory existence
-e filename Check for file existence
-f filename Check for regular file existence not a directory
-G filename Check if file exists and is owned by effective group ID.
-g filename true if file exists and is set-group-id.
-k filename Sticky bit
-L filename Symbolic link
-O filename True if file exists and is owned by the effective user id.
-r filename Check if file is a readable
-S filename Check if file is socket
-s filename Check if file is nonzero size
-u filename Check if file set-ser-id bit is set
-w filename Check if file is writable
-x filename Check if file is executable
#!/bin/bash
file="./file"
if [ -e $file ]; then
echo "File exists"
else
echo "File does not exists"
fi
Similarly for example we can use while loop to check if file does not exists. This script will sleep until file does exists. Note bash negator "!" which negates the -e option.
#!/bin/bash
while [ ! -e myfile ]; do
# Sleep until file does exists/is created
sleep 1
done
12. Loops
12.1. Bash for loop
#!/bin/bash
# bash for loop
for f in $( ls /var/ ); do
echo $f
done
Running for loop from bash shell command line:
$ for f in $( ls /var/ ); do echo $f; done
12.2. Bash while loop
#!/bin/bash
COUNT=6
# bash while loop
while [ $COUNT -gt 0 ]; do
echo Value of count is: $COUNT
let COUNT=COUNT-1
done
12.3. Bash until loop
#!/bin/bash
COUNT=0
# bash until loop
until [ $COUNT -gt 5 ]; do
echo Value of count is: $COUNT
let COUNT=COUNT+1
done
12.4. Control bash loop with
Here is a example of while loop controlled by standard input. Until the redirection chain from STDOUT to STDIN to the read command exists the while loop continues.
#!/bin/bash
# This bash script will locate and replace spaces
# in the filenames
DIR="."
# Controlling a loop with bash read command by redirecting STDOUT as
# a STDIN to while loop
# find will not truncate filenames containing spaces
find $DIR -type f | while read file; do
# using POSIX class [:space:] to find space in the filename
if [[ "$file" = *[[:space:]]* ]]; then
# substitute space with "_" character and consequently rename the file
mv "$file" `echo $file | tr ' ' '_'`
fi;
# end of while loop
done
13. Bash Functions
!/bin/bash
# BASH FUNCTIONS CAN BE DECLARED IN ANY ORDER
function function_B {
echo Function B.
}
function function_A {
echo $1
}
function function_D {
echo Function D.
}
function function_C {
echo $1
}
# FUNCTION CALLS
# Pass parameter to function A
function_A "Function A."
function_B
# Pass parameter to function C
function_C "Function C."
function_D
14. Bash Select
#!/bin/bash
PS3='Choose one word: '
# bash select
select word in "linux" "bash" "scripting" "tutorial"
do
echo "The word you have selected is: $word"
# Break, otherwise endless loop
break
done
exit 0
15. Case statement conditional
#!/bin/bash
echo "What is your preferred programming / scripting language"
echo "1) bash"
echo "2) perl"
echo "3) phyton"
echo "4) c++"
echo "5) I do not know !"
read case;
#simple case bash structure
# note in this case $case is variable and does not have to
# be named case this is just an example
case $case in
1) echo "You selected bash";;
2) echo "You selected perl";;
3) echo "You selected phyton";;
4) echo "You selected c++";;
5) exit
esac
16. Bash quotes and quotations
Quotations and quotes are important part of bash and bash scripting. Here are some bash quotes and quotations basics.
16.1. Escaping Meta characters
Before we start with quotes and quotations we should know something about escaping meta characters. Escaping will suppress a special meaning of meta characters and therefore meta characters will be read by bash literally. To do this we need to use backslash "\" character. Example:
#!/bin/bash
#Declare bash string variable
BASH_VAR="Bash Script"
# echo variable BASH_VAR
echo $BASH_VAR
#when meta character such us "$" is escaped with "\" it will be read literally
echo \$BASH_VAR
# backslash has also special meaning and it can be suppressed with yet another "\"
echo "\\"
16.2. Single quotes
Single quotes in bash will suppress special meaning of every meta characters. Therefore meta characters will be read literally. It is not possible to use another single quote within two single quotes not even if the single quote is escaped by backslash.
#!/bin/bash
#Declare bash string variable
BASH_VAR="Bash Script"
# echo variable BASH_VAR
echo $BASH_VAR
# meta characters special meaning in bash is suppressed when using single quotes
echo '$BASH_VAR "$BASH_VAR"'
16.3. Double Quotes
Double quotes in bash will suppress special meaning of every meta characters except "$", "\" and "`". Any other meta characters will be read literally. It is also possible to use single quote within double quotes. If we need to use double quotes within double quotes bash can read them literally when escaping them with "\". Example:
#!/bin/bash
#Declare bash string variable
BASH_VAR="Bash Script"
# echo variable BASH_VAR
echo $BASH_VAR
# meta characters and its special meaning in bash is
# suppressed when using double quotes except "$", "\" and "`"
echo "It's $BASH_VAR and \"$BASH_VAR\" using backticks: `date`"
16.4. Bash quoting with ANSI-C style
There is also another type of quoting and that is ANSI-C. In this type of quoting characters escaped with "\" will gain special meaning according to the ANSI-C standard.
\a alert (bell) \b backspace
\e an escape character \f form feed
\n newline \r carriage return
\t horizontal tab \v vertical tab
\\ backslash \` single quote
\nnn octal value of characters ( see [http://www.asciitable.com/ ASCII table] ) \xnn hexadecimal value of characters ( see [http://www.asciitable.com/ ASCII table] )
The syntax fo ansi-c bash quoting is: $'' . Here is an example:
#!/bin/bash
# as a example we have used \n as a new line, \x40 is hex value for @
# and \56 is octal value for .
echo $'web: www.linuxconfig.org\nemail: web\x40linuxconfig\56org'
17. Arithmetic Operations
17.1. Bash Addition Calculator Example
#!/bin/bash
let RESULT1=$1+$2
echo $1+$2=$RESULT1 ' -> # let RESULT1=$1+$2'
declare -i RESULT2
RESULT2=$1+$2
echo $1+$2=$RESULT2 ' -> # declare -i RESULT2; RESULT2=$1+$2'
echo $1+$2=$(($1 + $2)) ' -> # $(($1 + $2))'
17.2. Bash Arithmetics
#!/bin/bash
echo '### let ###'
# bash addition
let ADDITION=3+5
echo "3 + 5 =" $ADDITION
# bash subtraction
let SUBTRACTION=7-8
echo "7 - 8 =" $SUBTRACTION
# bash multiplication
let MULTIPLICATION=5*8
echo "5 * 8 =" $MULTIPLICATION
# bash division
let DIVISION=4/2
echo "4 / 2 =" $DIVISION
# bash modulus
let MODULUS=9%4
echo "9 % 4 =" $MODULUS
# bash power of two
let POWEROFTWO=2**2
echo "2 ^ 2 =" $POWEROFTWO
echo '### Bash Arithmetic Expansion ###'
# There are two formats for arithmetic expansion: $[ expression ]
# and $(( expression #)) its your choice which you use
echo 4 + 5 = $((4 + 5))
echo 7 - 7 = $[ 7 - 7 ]
echo 4 x 6 = $((3 * 2))
echo 6 / 3 = $((6 / 3))
echo 8 % 7 = $((8 % 7))
echo 2 ^ 8 = $[ 2 ** 8 ]
echo '### Declare ###'
echo -e "Please enter two numbers \c"
# read user input
read num1 num2
declare -i result
result=$num1+$num2
echo "Result is:$result "
# bash convert binary number 10001
result=2#10001
echo $result
# bash convert octal number 16
result=8#16
echo $result
# bash convert hex number 0xE6A
result=16#E6A
echo $result
17.3. Round floating point number
#!/bin/bash
# get floating point number
floating_point_number=3.3446
echo $floating_point_number
# round floating point number with bash
for bash_rounded_number in $(printf %.0f $floating_point_number); do
echo "Rounded number with bash:" $bash_rounded_number
done
17.4. Bash floating point calculations
#!/bin/bash
# Simple linux bash calculator
echo "Enter input:"
read userinput
echo "Result with 2 digits after decimal point:"
echo "scale=2; ${userinput}" | bc
echo "Result with 10 digits after decimal point:"
echo "scale=10; ${userinput}" | bc
echo "Result as rounded integer:"
echo $userinput | bc
18. Redirections
18.1. STDOUT from bash script to STDERR
#!/bin/bash
echo "Redirect this STDOUT to STDERR" 1>&2
To proof that STDOUT is redirected to STDERR we can redirect script's output to file:
18.2. STDERR from bash script to STDOUT
#!/bin/bash
cat $1 2>&1
To proof that STDERR is redirected to STDOUT we can redirect script's output to file:
18.3. stdout to screen
The simple way to redirect a standard output ( stdout ) is to simply use any command, because by default stdout is automatically redirected to screen. First create a file "file1":
$ touch file1
$ ls file1
file1
As you can see from the example above execution of ls command produces STDOUT which by default is redirected to screen.
18.4. stdout to file
The override the default behavior of STDOUT we can use ">" to redirect this output to file:
$ ls file1 > STDOUT
$ cat STDOUT
file1
18.5. stderr to file
By default STDERR is displayed on the screen:
$ ls
file1 STDOUT
$ ls file2
ls: cannot access file2: No such file or directory
In the following example we will redirect the standard error ( stderr ) to a file and stdout to a screen as default. Please note that STDOUT is displayed on the screen, however STDERR is redirected to a file called STDERR:
$ ls
file1 STDOUT
$ ls file1 file2 2> STDERR
file1
$ cat STDERR
ls: cannot access file2: No such file or directory
18.6. stdout to stderr
It is also possible to redirect STDOUT and STDERR to the same file. In the next example we will redirect STDOUT to the same descriptor as STDERR. Both STDOUT and STDERR will be redirected to file "STDERR_STDOUT".
$ ls
file1 STDERR STDOUT
$ ls file1 file2 2> STDERR_STDOUT 1>&2
$ cat STDERR_STDOUT
ls: cannot access file2: No such file or directory
file1
File STDERR_STDOUT now contains STDOUT and STDERR.
18.7. stderr to stdout
The above example can be reversed by redirecting STDERR to the same descriptor as SDTOUT:
$ ls
file1 STDERR STDOUT
$ ls file1 file2 > STDERR_STDOUT 2>&1
$ cat STDERR_STDOUT
ls: cannot access file2: No such file or directory
file1
18.8. stderr and stdout to file
Previous two examples redirected both STDOUT and STDERR to a file. Another way to achieve the same effect is illustrated below:
$ ls
file1 STDERR STDOUT
$ ls file1 file2 &> STDERR_STDOUT
$ cat STDERR_STDOUT
ls: cannot access file2: No such file or directory
file1
or
ls file1 file2 >& STDERR_STDOUT
$ cat STDERR_STDOUT
ls: cannot access file2: No such file or directory
file1
OpenLDAP configuration On CentOS
OpenLDAP – Centos5 – Server Configuration
****
Usage: A quick and dirty guide for an OpenLDAP Server Configuration on Centos 5.5 64-bit Environment
****
1. install the software
[root@ldap ~]# yum install openldap-servers openldap-servers-overlays openldap-clients
****
2. make proper directories for your setup
[root@ldap openldap]# pwd
/etc/openldap
[root@ldap openldap]# mkdir /var/lib/ldap/bar.com
[root@ldap openldap]# ls -la
total 72
drwxr-xr-x 4 root root 4096 Mar 8 12:30 .
drwxr-xr-x 79 root root 4096 Mar 7 17:35 ..
drwxr-xr-x 2 root root 4096 Nov 29 09:50 cacerts
-rw-r—– 1 root ldap 921 Nov 29 09:49 DB_CONFIG.example
-rw-r–r– 1 root root 327 Jun 25 2010 ldap.conf
-rw——- 1 root root 327 Mar 8 12:16 ldap.conf.orig
drwxr-xr-x 3 root root 4096 Mar 7 17:26 schema
-rw-r—– 1 root ldap 3167 Mar 8 12:30 slapd.conf
-rw——- 1 root root 3801 Mar 8 12:16 slapd.conf.orig
[root@ldap openldap]# cp DB_CONFIG.example /var/lib/ldap/bar.com/DB_CONFIG
****
3. configure your slapd.conf
[root@ldap openldap]# cat slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
# loglevel
#loglevel 768
loglevel stats acl
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/sudo.schema
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
# Allow LDAPv2 client connections. This is NOT the default.
#allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
TLSCipherSuite HIGH:MEDIUM:+SSLv2:+SSLv3:RSA
TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
TLSCertificateFile /etc/openldap/slapdcert.pem
TLSCertificateKeyFile /etc/openldap/slapdkey.pem
TLSVerifyClient allow
# Access restricted for normal users
defaultaccess none
access to attrs=userPassword
by self write
by dn=”cn=LDAPMaster,dc=foo,dc=bar,dc=com” write
by anonymous auth
by * none
access to *
by dn=”cn=LDAPMaster,dc=foo,dc=bar,dc=com” write
by self write
by * read
# enable monitoring
database monitor
# allow only rootdn to read the monitor
access to *
by dn.exact=”cn=LDAPMaster,dc=foo,dc=bar,dc=com” read
by * none
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
database bdb
suffix “dc=bar,dc=com”
rootdn “uid=LDAPMaster,dc=foo,dc=bar,dc=com”
rootpw {SSHA}Ai+3urKCuCoWgg/KPV
directory /var/lib/ldap/bar.com
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index sudoUser eq
#index nisMapName,nisMapEntry eq,pres,sub
###
#
modulepath /usr/lib64/openldap
# required if the overlay is built dynamically
#
# for dnylist by muda
moduleload dynlist.la
# for ppolicy by muda
moduleload ppolicy.la
#moduleload refint.la
#moduleload unique.la
# other overlay directives
#
# for dnylist by muda
overlay dynlist
# for ppolicy by muda
overlay ppolicy
#overlay refint
#overlay unique
# define the default policy – by muda
ppolicy_default “cn=default,ou=pwpolicies,dc=foo,dc=bar,dc=com”
#This would not return account locked in case the account is locked, for securty puppose – by muda
ppolicy_use_lockout
dynlist-attrset extensibleObject labeledURI member
#refint_attributes member
#refint_nothing “uid=muda,o=auth_user,dc=foo,dc=bar,dc=com”
****
4. install a http server with ssl support (not really needed but helpful)
[root@ldap private]# yum install httpd mod_ssl
****
5. create the proper directories which are needed for our CA
[root@ldap CA]# pwd
/etc/pki/CA
[root@ldap CA]# mkdir certs
[root@ldap CA]# mkdir crl
[root@ldap CA]# mkdir newcerts
[root@ldap CA]# touch index.txt
[root@ldap CA]# ls -la
total 52
drwx—— 6 root root 4096 Mar 8 13:28 .
drwxr-xr-x 6 root root 4096 Jun 25 2010 ..
drwx—— 2 root root 4096 Mar 8 13:28 certs
drwx—— 2 root root 4096 Mar 8 13:28 crl
-rw——- 1 root root 0 Mar 8 13:28 index.txt
drwx—— 2 root root 4096 Mar 8 13:28 newcerts
drwx—— 2 root root 4096 Dec 15 16:31 private
****
6. create the proper keys for the CA which is needed for our LDAP configuration
[root@ldap CA]# openssl req -config ../tls/openssl.cnf -new -x509 -extensions v3_ca -keyout private/ca.key -out certs/ca.crt -days 3650
Generating a 1024 bit RSA private key
….++++++
………….++++++
writing new private key to ‘private/ca.key’
Enter PEM pass phrase:
Verifying – Enter PEM pass phrase:
—–
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [UK]:
State or Province Name (full name) [London]:
Locality Name (eg, city) [London]:
Organization Name (eg, company) [bar LTD]:
Organizational Unit Name (eg, section) []:Hosting
Common Name (eg, your name or your server’s hostname) []:ldap1.foo.bar.com
Email Address []:
[root@ldap private]# ln -s ca.key cakey.pem
[root@ldap private]# ls -la
total 28
drwx—— 2 root root 4096 Mar 8 13:36 .
drwx—— 6 root root 4096 Mar 8 13:28 ..
-rw——- 1 root root 963 Mar 8 13:31 ca.key
lrwxrwxrwx 1 root root 6 Mar 8 13:36 cakey.pem -> ca.key
[root@ldap CA]# ln -s certs/ca.crt cacert.pem
[root@ldap CA]# ls -la
total 56
drwx—— 6 root root 4096 Mar 8 13:38 .
drwxr-xr-x 6 root root 4096 Jun 25 2010 ..
lrwxrwxrwx 1 root root 12 Mar 8 13:38 cacert.pem -> certs/ca.crt
drwx—— 2 root root 4096 Mar 8 13:31 certs
drwx—— 2 root root 4096 Mar 8 13:28 crl
-rw——- 1 root root 0 Mar 8 13:28 index.txt
drwx—— 2 root root 4096 Mar 8 13:28 newcerts
drwx—— 2 root root 4096 Mar 8 13:36 private
[root@ldap CA]# touch serial
[root@ldap CA]# ls -la
total 60
drwx—— 6 root root 4096 Mar 8 13:39 .
drwxr-xr-x 6 root root 4096 Jun 25 2010 ..
lrwxrwxrwx 1 root root 12 Mar 8 13:38 cacert.pem -> certs/ca.crt
drwx—— 2 root root 4096 Mar 8 13:31 certs
drwx—— 2 root root 4096 Mar 8 13:28 crl
-rw——- 1 root root 0 Mar 8 13:28 index.txt
drwx—— 2 root root 4096 Mar 8 13:28 newcerts
drwx—— 2 root root 4096 Mar 8 13:36 private
[root@ldap workspace.muda]# vi ../../CA/serial
insert ’00′
****
7. create the proper keys for TLS support which is needed for our LDAP configuration
[root@ldap workspace.muda]# openssl req -newkey rsa:2048 -keyout key.pem -keyform PEM -out req.pem -outform PEM -nodes
Generating a 2048 bit RSA private key
………………………………………………….+++
…………………………………………………………….+++
writing new private key to ‘key.pem’
—–
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [UK]:
State or Province Name (full name) [London]:
Locality Name (eg, city) [London]:
Organization Name (eg, company) [bar LTD]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server’s hostname) []:ldap1.foo.bar.com
Email Address []:webmaster@bar.com
Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
****
8. sign the key with your CA
[root@ldap workspace.muda]# openssl ca -in req.pem -notext -out cert.pem -config ../openssl.cnf
Using configuration from ../openssl.cnf
Enter pass phrase for ../../CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0×2)
Validity
Not Before: Mar 8 14:07:44 2011 GMT
Not After : Mar 5 14:07:44 2021 GMT
Subject:
countryName = UK
stateOrProvinceName = London
organizationName = bar LTD
commonName = ldap1.foo.bar.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
Certificate is to be certified until Mar 5 14:07:44 2021 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@ldap workspace.muda]# ls -la
total 48
drwx—— 3 root root 4096 Mar 8 15:07 .
drwxr-xr-x 6 root root 4096 Mar 8 12:57 ..
drwx—— 2 root root 4096 Mar 8 13:58 backup
-rw——- 1 root root 1233 Mar 8 15:07 cert.pem
-rw——- 1 root root 1679 Mar 8 15:07 key.pem
-rw——- 1 root root 1017 Mar 8 15:07 req.pem
****
9. copy the keys to the proper locations
[root@ldap workspace.muda]# cp cert.pem /etc/openldap/slapdcert.pem
[root@ldap workspace.muda]# cp key.pem /etc/openldap/slapdkey.pem
[root@ldap workspace.muda]# chmod 400 /etc/openldap/slapd*.pem
[root@ldap workspace.muda]# chown ldap /etc/openldap/slapd*.pem
[root@ldap workspace.muda]# ls -la /etc/openldap/
total 88
drwxr-xr-x 4 root root 4096 Mar 8 15:10 .
drwxr-xr-x 81 root root 4096 Mar 8 12:53 ..
drwxr-xr-x 2 root root 4096 Nov 29 09:50 cacerts
-rw-r—– 1 root ldap 921 Nov 29 09:49 DB_CONFIG.example
-rw-r–r– 1 root root 327 Jun 25 2010 ldap.conf
-rw——- 1 root root 327 Mar 8 12:16 ldap.conf.orig
drwxr-xr-x 3 root root 4096 Mar 7 17:26 schema
-r——– 1 ldap root 1233 Mar 8 15:10 slapdcert.pem
-rw-r—– 1 root ldap 3167 Mar 8 12:30 slapd.conf
-rw——- 1 root root 3801 Mar 8 12:16 slapd.conf.orig
-r——– 1 ldap root 1679 Mar 8 15:11 slapdkey.pem
[root@ldap workspace.muda]# cd ../../CA/certs/
[root@ldap certs]# ls -la
total 24
drwx—— 2 root root 4096 Mar 8 13:31 .
drwx—— 6 root root 4096 Mar 8 15:07 ..
-rw——- 1 root root 1289 Mar 8 13:31 ca.crt
[root@ldap certs]# cp ca.crt /etc/openldap/cacerts/cacert.pem
[root@ldap certs]# chown ldap /etc/openldap/cacerts/cacert.pem
[root@ldap certs]# chmod 400 /etc/openldap/cacerts/cacert.pem
****
10. create the sudoers ldap schema
[root@ldap schema]# cat sudo.schema
#
# schema file for sudo
#
attributetype ( 1.3.6.1.4.1.15953.9.1.1
NAME ‘sudoUser’
DESC ‘User(s) who may run sudo’
EQUALITY caseExactIA5Match
SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.2
NAME ‘sudoHost’
DESC ‘Host(s) who may run sudo’
EQUALITY caseExactIA5Match
SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.3
NAME ‘sudoCommand’
DESC ‘Command(s) to be executed by sudo’
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.4
NAME ‘sudoRunAs’
DESC ‘User(s) impersonated by sudo’
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.5
NAME ‘sudoOption’
DESC ‘Options(s) followed by sudo’
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME ‘sudoRole’ SUP top STRUCTURAL
DESC ‘Sudoer Entries’
MUST ( cn )
MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoOption $
description )
)
[root@ldap schema]# ls -la
total 292
drwxr-xr-x 3 root root 4096 Mar 8 15:16 .
drwxr-xr-x 4 root root 4096 Mar 8 15:10 ..
-rw-r–r– 1 root root 8231 Nov 29 09:49 corba.schema
-rw-r–r– 1 root root 20591 Nov 29 09:49 core.ldif
-rw-r–r– 1 root root 19762 Nov 29 09:49 core.schema
-rw-r–r– 1 root root 74080 Nov 29 09:49 cosine.schema
-rw-r–r– 1 root root 1553 Nov 29 09:49 dyngroup.schema
-rw-r–r– 1 root root 6360 Nov 29 09:49 inetorgperson.schema
-rw-r–r– 1 root root 13984 Nov 29 09:49 java.schema
-rw-r–r– 1 root root 2471 Nov 29 09:49 misc.schema
-rw-r–r– 1 root root 7723 Nov 29 09:49 nis.schema
-rw-r–r– 1 root root 3391 Nov 29 09:49 openldap.ldif
-rw-r–r– 1 root root 1601 Nov 29 09:49 openldap.schema
-rw-r–r– 1 root root 19689 Nov 29 09:49 ppolicy.schema
-rw-r–r– 1 root root 2968 Nov 29 09:49 README
drwxr-xr-x 2 root root 4096 Mar 7 17:26 redhat
-rw——- 1 root root 1255 Mar 8 15:16 sudo.schema
[root@ldap schema]# chmod 644 sudo.schema
****
11. made some sanity work for proper user rights
[root@ldap bar.com]# pwd
/var/lib/ldap/bar.com
[root@ldap bar.com]# ls -la
total 88278
-rw——- 1 root root 921 Mar 8 15:22 DB_CONFIG
[root@ldap bar.com]# chown ldap *
[root@ldap bar.com]# ls -la
total 88278
-rw——- 1 ldap root 921 Mar 8 15:22 DB_CONFIG
****
12. start the ldap service for the first config issues
[root@ldap schema]# /etc/init.d/ldap start
Checking configuration files for slapd: config file testing succeeded
[ OK ]
Starting slapd: [ OK ]
****
13. start with the initial load setup
[root@ldap schema]# pwd
/etc/openldap/schema
[root@ldap schema]# cat sd_initial.ldif
dn: dc=bar,dc=com
objectclass: dcObject
objectclass: organization
o: bar AG
dc: bar
dn: dc=foo,dc=bar,dc=com
objectclass: dcObject
objectclass: organization
o: Hosting bar AG
dc: foo
dn: cn=LDAPMaster,dc=foo,dc=bar,dc=com
objectClass: organizationalRole
cn: LDAPMaster
****
14. load the initial with slapadd
[root@ldap schema]# slapadd -v -l sd_initial.ldif -b dc=foo,dc=bar,dc=com
added: “dc=bar,dc=com” (00000001)
added: “dc=foo,dc=bar,dc=com” (00000002)
added: “cn=LDAPMaster,dc=foo,dc=bar,dc=com” (00000003)
****
15. check for it with slapcat
[root@ldap schema]# slapcat -f /etc/openldap/slapd.conf -b “dc=bar,dc=com”
dn: dc=bar,dc=com
objectClass: dcObject
objectClass: organization
o: bar LTD
dc: bar
structuralObjectClass: organization
entryUUID: ef58d566-dddc-102f-8722-81ba417f62e8
creatorsName: uid=LDAPMaster,dc=foo,dc=bar,dc=com
modifiersName: uid=LDAPMaster,dc=foo,dc=bar,dc=com
createTimestamp: 20110308143435Z
modifyTimestamp: 20110308143435Z
entryCSN: 20110308143435Z#000000#00#000000
dn: dc=foo,dc=bar,dc=com
objectClass: dcObject
objectClass: organization
o: Hosting bar LTD
dc: foo
structuralObjectClass: organization
entryUUID: ef59994c-dddc-102f-8723-81ba417f62e8
creatorsName: uid=LDAPMaster,dc=foo,dc=bar,dc=com
modifiersName: uid=LDAPMaster,dc=foo,dc=bar,dc=com
createTimestamp: 20110308143435Z
modifyTimestamp: 20110308143435Z
entryCSN: 20110308143435Z#000001#00#000000
dn: cn=LDAPMaster,dc=foo,dc=bar,dc=com
objectClass: organizationalRole
cn: LDAPMaster
structuralObjectClass: organizationalRole
entryUUID: ef59ce1c-dddc-102f-8724-81ba417f62e8
creatorsName: uid=LDAPMaster,dc=foo,dc=bar,dc=com
modifiersName: uid=LDAPMaster,dc=foo,dc=bar,dc=com
createTimestamp: 20110308143435Z
modifyTimestamp: 20110308143435Z
entryCSN: 20110308143435Z#000002#00#000000
****
15. check the ‘/etc/openldap/ldap.conf’
[root@ldap openldap]# cat ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=foo,dc=bar,dc=com
URI ldap://ldap1.foo.bar.com
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT allow
****
16. check again for proper user rights (ldap) and fix it if necessary
[root@ldap openldap]# cd /var/lib/ldap/
[root@ldap ldap]# ls -la
total 8
drwx—— 3 ldap ldap 1024 Mar 8 12:34 .
drwxr-xr-x 22 root root 1024 Mar 8 12:53 ..
-rw-r–r– 1 root root 37 Mar 7 17:26 openldap-severs-update.log
drwx—— 2 root root 1024 Mar 8 15:34 bar.com
[root@ldap ldap]# chown -R ldap *
[root@ldap ldap]# ls -la
total 8
drwx—— 3 ldap ldap 1024 Mar 8 12:34 .
drwxr-xr-x 22 root root 1024 Mar 8 12:53 ..
-rw-r–r– 1 ldap root 37 Mar 7 17:26 openldap-severs-update.log
drwx—— 2 ldap root 1024 Mar 8 15:34 bar.com
[root@ldap ldap]# cd bar.com/
[root@ldap bar.com]# ls -la
total 88278
drwx—— 2 ldap root 1024 Mar 8 15:34 .
drwx—— 3 ldap ldap 1024 Mar 8 12:34 ..
-rw——- 1 ldap root 8192 Mar 8 15:34 cn.bdb
-rw——- 1 ldap root 24576 Mar 8 15:35 __db.001
-rw——- 1 ldap root 104857600 Mar 8 15:35 __db.002
-rw——- 1 ldap root 335552512 Mar 8 15:35 __db.003
-rw——- 1 ldap root 2359296 Mar 8 15:35 __db.004
-rw——- 1 ldap root 557056 Mar 8 15:35 __db.005
-rw——- 1 ldap root 24576 Mar 8 15:35 __db.006
-rw——- 1 ldap root 921 Mar 8 15:31 DB_CONFIG
-rw——- 1 ldap root 8192 Mar 8 15:34 dn2id.bdb
-rw——- 1 ldap root 32768 Mar 8 15:34 id2entry.bdb
-rw——- 1 ldap root 10485760 Mar 8 15:34 log.0000000001
-rw——- 1 ldap root 8192 Mar 8 15:34 objectClass.bdb
****
17. config the ldap base for our tree and load it
[root@ldap schema]# cat sd_base.ldif
# hostgroup
dn: ou=hosts,dc=foo,dc=bar,dc=com
ou: hosts
objectClass: organizationalunit
# sudoers group
dn: ou=SUDOers,dc=foo,dc=bar,dc=com
objectClass: top
objectClass: organizationalUnit
ou: SUDOers
# authenticated groups
dn: o=auth_group,dc=foo,dc=bar,dc=com
o: auth_group
objectclass: organization
# authenticated users
dn: o=auth_user,dc=foo,dc=bar,dc=com
o: auth_user
objectclass: organization
# pw policy group
dn: ou=pwpolicies,dc=foo,dc=bar,dc=com
objectClass: top
objectClass: organizationalUnit
ou: pwpolicies
[root@ldap schema]# ldapadd -h ldap1.foo.bar.com -x -D “uid=LDAPMaster,dc=foo,dc=bar,dc=com” -W -f sd_base.ldif -vv
****
18. config the ldap group base for our tree and load it
[root@ldap schema]# cat sd_auth_group.ldif
dn: cn=testXusergrp,o=auth_group,dc=foo,dc=bar,dc=com
objectClass: posixGroup
objectClass: top
cn: testXusergrp
gidNumber: 5500
userPassword:: e2NyeXg=
[root@ldap schema]# ldapadd -h ldap1.foo.bar.com -x -D “uid=LDAPMaster,dc=foo,dc=bar,dc=com” -W -f sd_auth_group.ldif -vv
****
19. config the ldap user base for our tree and load it
[root@ldap schema]# cat sd_auth_user.ldif
dn: uid=checkit,o=auth_user,dc=foo,dc=bar,dc=com
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
cn: Checkit TestUser
gidNumber: 5500
homeDirectory: /home/nfs/checkit
uid: checkit
uidNumber: 10001
description: testing user for ldap
loginShell: /bin/bash
shadowLastChange: 14853
shadowMax: 99999
shadowWarning: 7
userPassword:: e2NyeXB0fSQNzSDE=
19.1 alternative config the ldap user base for our tree and load it
I had a problem with the ‘objectClass:account’ because i need a entry for ‘mail’ to run a script for check if a account pwd came to expiration. So i changed the structural ‘objectClass’ to ‘inetOrgPerson’ which gives me the possibility to work with that (sn is a must, mail is a option).
Check: http://www.zytrax.com/books/ldap/ape/#inetorgperson
[root@ldap schema]# cat sd_auth_user.ldif
dn: uid=checkit,o=auth_user,dc=foo,dc=bar,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
cn: Checkit TestUser
sn: checkit
mail: checkit@foo.bar.com
gidNumber: 5500
homeDirectory: /home/nfs/checkit
uid: checkit
uidNumber: 10001
description: testing user for ldap
loginShell: /bin/bash
shadowLastChange: 14853
shadowMax: 99999
shadowWarning: 7
userPassword:: e2NyeXB0fSQNzSDE=
[root@ldap schema]# ldapadd -h ldap1.foo.bar.com -x -D “uid=LDAPMaster,dc=foo,dc=bar,dc=com” -W -f sd_auth_user.ldif -vv
HINT: You can do this with existing entries in your tree this should work:
You just have to write the LDIF in such a way that the removal and adding of account and inetOrgPerson happens in one go.
dn: uid=checkit,o=auth_user,dc=foo,dc=bar,dc=com
changetype: modify
add: objectclass
objectclass: inetOrgPerson
-
delete: objectclass
objectclass: account
-
add: sn
sn: checkit
****
20. config the ldap sudoers base for our tree and load it
[root@ldap schema]# cat sd_sudoers.ldif
dn: cn=defaults,ou=SUDOers,dc=foo,dc=bar,dc=com
objectClass: sudoRole
objectClass: top
cn: defaults
description: Default sudoOption’s
sudoOption: !lecture
sudoOption: log_host
sudoOption: log_year
sudoOption: ignore_dot
sudoOption: logfile=/var/log/sudolog
sudoOption: passwd_tries=3
sudoOption: timestamp_timeout=5
sudoOption: passwd_timeout=1
sudoOption: syslog=authpriv
sudoOption: root_sudo
sudoOption: authenticate
sudoOption: ignore_local_sudoers
dn: cn=administration,ou=SUDOers,dc=foo,dc=bar,dc=com
objectClass: sudoRole
objectClass: top
cn: administration
description: Administration Role
sudoCommand: ALL
sudoCommand: !/usr/sbin/visudo
sudoCommand: !/bin/more *sudoers
sudoCommand: !/bin/cp *sudoers
sudoCommand: !/bin/mv *sudoers
sudoCommand: !/bin/cat *sudoers
sudoCommand: !/bin/su “”
sudoCommand: !/bin/su * root
sudoCommand: !/bin/su -
sudoCommand: !/bin/su -[! ]*
sudoCommand: !/bin/su root
sudoCommand: !/bin/vi *sudoers
sudoOption: !authenticate
sudoHost: ldap1.foo.bar.com
sudoRunAs: root
sudoUser: checkit
[root@ldap schema]# ldapadd -h ldap1.foo.bar.com -x -D “uid=LDAPMaster,dc=foo,dc=bar,dc=com” -W -f sd_sudoers.ldif -vv
****
21. config the ldap password policy base for our tree and load it
[root@ldap schema]# cat sd_ppolicy.ldif
dn: cn=default,ou=pwpolicies,dc=foo,dc=bar,dc=com
objectClass: top
objectClass: pwdPolicy
objectClass: device
objectClass: pwdPolicyChecker
cn: default
pwdAttribute: userPassword
pwdInHistory: 7
pwdLockout: TRUE
pwdMaxAge: 2592000
pwdMaxFailure: 6
pwdMinLength: 8
pwdMustChange: TRUE
pwdSafeModify: FALSE
[root@ldap schema]# ldapadd -h ldap1.foo.bar.com -x -D “uid=LDAPMaster,dc=foo,dc=bar,dc=com” -W -f sd_ppolicy.ldif -vv
****
22. Uncomment in the ppolicy.schema following section:
( 1.3.6.1.4.1.42.2.27.8.1.23
NAME ‘pwdPolicySubentry’
DESC ‘The pwdPolicy subentry in effect for this object’
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
SINGLE-VALUE
USAGE directoryOperation )
****
23. script to check the ldap pwd expiration (with password policy support)
https://ltb-project.org/svn/ldap-scripts/trunk/checkLdapPwdExpiration.sh
****
24. download apache directory studio for further config
****
Usage: A quick and dirty guide for an OpenLDAP Server Configuration on Centos 5.5 64-bit Environment
****
1. install the software
[root@ldap ~]# yum install openldap-servers openldap-servers-overlays openldap-clients
****
2. make proper directories for your setup
[root@ldap openldap]# pwd
/etc/openldap
[root@ldap openldap]# mkdir /var/lib/ldap/bar.com
[root@ldap openldap]# ls -la
total 72
drwxr-xr-x 4 root root 4096 Mar 8 12:30 .
drwxr-xr-x 79 root root 4096 Mar 7 17:35 ..
drwxr-xr-x 2 root root 4096 Nov 29 09:50 cacerts
-rw-r—– 1 root ldap 921 Nov 29 09:49 DB_CONFIG.example
-rw-r–r– 1 root root 327 Jun 25 2010 ldap.conf
-rw——- 1 root root 327 Mar 8 12:16 ldap.conf.orig
drwxr-xr-x 3 root root 4096 Mar 7 17:26 schema
-rw-r—– 1 root ldap 3167 Mar 8 12:30 slapd.conf
-rw——- 1 root root 3801 Mar 8 12:16 slapd.conf.orig
[root@ldap openldap]# cp DB_CONFIG.example /var/lib/ldap/bar.com/DB_CONFIG
****
3. configure your slapd.conf
[root@ldap openldap]# cat slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
# loglevel
#loglevel 768
loglevel stats acl
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/sudo.schema
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
# Allow LDAPv2 client connections. This is NOT the default.
#allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
TLSCipherSuite HIGH:MEDIUM:+SSLv2:+SSLv3:RSA
TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
TLSCertificateFile /etc/openldap/slapdcert.pem
TLSCertificateKeyFile /etc/openldap/slapdkey.pem
TLSVerifyClient allow
# Access restricted for normal users
defaultaccess none
access to attrs=userPassword
by self write
by dn=”cn=LDAPMaster,dc=foo,dc=bar,dc=com” write
by anonymous auth
by * none
access to *
by dn=”cn=LDAPMaster,dc=foo,dc=bar,dc=com” write
by self write
by * read
# enable monitoring
database monitor
# allow only rootdn to read the monitor
access to *
by dn.exact=”cn=LDAPMaster,dc=foo,dc=bar,dc=com” read
by * none
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
database bdb
suffix “dc=bar,dc=com”
rootdn “uid=LDAPMaster,dc=foo,dc=bar,dc=com”
rootpw {SSHA}Ai+3urKCuCoWgg/KPV
directory /var/lib/ldap/bar.com
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index sudoUser eq
#index nisMapName,nisMapEntry eq,pres,sub
###
#
modulepath /usr/lib64/openldap
# required if the overlay is built dynamically
#
# for dnylist by muda
moduleload dynlist.la
# for ppolicy by muda
moduleload ppolicy.la
#moduleload refint.la
#moduleload unique.la
# other overlay directives
#
# for dnylist by muda
overlay dynlist
# for ppolicy by muda
overlay ppolicy
#overlay refint
#overlay unique
# define the default policy – by muda
ppolicy_default “cn=default,ou=pwpolicies,dc=foo,dc=bar,dc=com”
#This would not return account locked in case the account is locked, for securty puppose – by muda
ppolicy_use_lockout
dynlist-attrset extensibleObject labeledURI member
#refint_attributes member
#refint_nothing “uid=muda,o=auth_user,dc=foo,dc=bar,dc=com”
****
4. install a http server with ssl support (not really needed but helpful)
[root@ldap private]# yum install httpd mod_ssl
****
5. create the proper directories which are needed for our CA
[root@ldap CA]# pwd
/etc/pki/CA
[root@ldap CA]# mkdir certs
[root@ldap CA]# mkdir crl
[root@ldap CA]# mkdir newcerts
[root@ldap CA]# touch index.txt
[root@ldap CA]# ls -la
total 52
drwx—— 6 root root 4096 Mar 8 13:28 .
drwxr-xr-x 6 root root 4096 Jun 25 2010 ..
drwx—— 2 root root 4096 Mar 8 13:28 certs
drwx—— 2 root root 4096 Mar 8 13:28 crl
-rw——- 1 root root 0 Mar 8 13:28 index.txt
drwx—— 2 root root 4096 Mar 8 13:28 newcerts
drwx—— 2 root root 4096 Dec 15 16:31 private
****
6. create the proper keys for the CA which is needed for our LDAP configuration
[root@ldap CA]# openssl req -config ../tls/openssl.cnf -new -x509 -extensions v3_ca -keyout private/ca.key -out certs/ca.crt -days 3650
Generating a 1024 bit RSA private key
….++++++
………….++++++
writing new private key to ‘private/ca.key’
Enter PEM pass phrase:
Verifying – Enter PEM pass phrase:
—–
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [UK]:
State or Province Name (full name) [London]:
Locality Name (eg, city) [London]:
Organization Name (eg, company) [bar LTD]:
Organizational Unit Name (eg, section) []:Hosting
Common Name (eg, your name or your server’s hostname) []:ldap1.foo.bar.com
Email Address []:
[root@ldap private]# ln -s ca.key cakey.pem
[root@ldap private]# ls -la
total 28
drwx—— 2 root root 4096 Mar 8 13:36 .
drwx—— 6 root root 4096 Mar 8 13:28 ..
-rw——- 1 root root 963 Mar 8 13:31 ca.key
lrwxrwxrwx 1 root root 6 Mar 8 13:36 cakey.pem -> ca.key
[root@ldap CA]# ln -s certs/ca.crt cacert.pem
[root@ldap CA]# ls -la
total 56
drwx—— 6 root root 4096 Mar 8 13:38 .
drwxr-xr-x 6 root root 4096 Jun 25 2010 ..
lrwxrwxrwx 1 root root 12 Mar 8 13:38 cacert.pem -> certs/ca.crt
drwx—— 2 root root 4096 Mar 8 13:31 certs
drwx—— 2 root root 4096 Mar 8 13:28 crl
-rw——- 1 root root 0 Mar 8 13:28 index.txt
drwx—— 2 root root 4096 Mar 8 13:28 newcerts
drwx—— 2 root root 4096 Mar 8 13:36 private
[root@ldap CA]# touch serial
[root@ldap CA]# ls -la
total 60
drwx—— 6 root root 4096 Mar 8 13:39 .
drwxr-xr-x 6 root root 4096 Jun 25 2010 ..
lrwxrwxrwx 1 root root 12 Mar 8 13:38 cacert.pem -> certs/ca.crt
drwx—— 2 root root 4096 Mar 8 13:31 certs
drwx—— 2 root root 4096 Mar 8 13:28 crl
-rw——- 1 root root 0 Mar 8 13:28 index.txt
drwx—— 2 root root 4096 Mar 8 13:28 newcerts
drwx—— 2 root root 4096 Mar 8 13:36 private
[root@ldap workspace.muda]# vi ../../CA/serial
insert ’00′
****
7. create the proper keys for TLS support which is needed for our LDAP configuration
[root@ldap workspace.muda]# openssl req -newkey rsa:2048 -keyout key.pem -keyform PEM -out req.pem -outform PEM -nodes
Generating a 2048 bit RSA private key
………………………………………………….+++
…………………………………………………………….+++
writing new private key to ‘key.pem’
—–
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [UK]:
State or Province Name (full name) [London]:
Locality Name (eg, city) [London]:
Organization Name (eg, company) [bar LTD]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server’s hostname) []:ldap1.foo.bar.com
Email Address []:webmaster@bar.com
Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
****
8. sign the key with your CA
[root@ldap workspace.muda]# openssl ca -in req.pem -notext -out cert.pem -config ../openssl.cnf
Using configuration from ../openssl.cnf
Enter pass phrase for ../../CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0×2)
Validity
Not Before: Mar 8 14:07:44 2011 GMT
Not After : Mar 5 14:07:44 2021 GMT
Subject:
countryName = UK
stateOrProvinceName = London
organizationName = bar LTD
commonName = ldap1.foo.bar.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
Certificate is to be certified until Mar 5 14:07:44 2021 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@ldap workspace.muda]# ls -la
total 48
drwx—— 3 root root 4096 Mar 8 15:07 .
drwxr-xr-x 6 root root 4096 Mar 8 12:57 ..
drwx—— 2 root root 4096 Mar 8 13:58 backup
-rw——- 1 root root 1233 Mar 8 15:07 cert.pem
-rw——- 1 root root 1679 Mar 8 15:07 key.pem
-rw——- 1 root root 1017 Mar 8 15:07 req.pem
****
9. copy the keys to the proper locations
[root@ldap workspace.muda]# cp cert.pem /etc/openldap/slapdcert.pem
[root@ldap workspace.muda]# cp key.pem /etc/openldap/slapdkey.pem
[root@ldap workspace.muda]# chmod 400 /etc/openldap/slapd*.pem
[root@ldap workspace.muda]# chown ldap /etc/openldap/slapd*.pem
[root@ldap workspace.muda]# ls -la /etc/openldap/
total 88
drwxr-xr-x 4 root root 4096 Mar 8 15:10 .
drwxr-xr-x 81 root root 4096 Mar 8 12:53 ..
drwxr-xr-x 2 root root 4096 Nov 29 09:50 cacerts
-rw-r—– 1 root ldap 921 Nov 29 09:49 DB_CONFIG.example
-rw-r–r– 1 root root 327 Jun 25 2010 ldap.conf
-rw——- 1 root root 327 Mar 8 12:16 ldap.conf.orig
drwxr-xr-x 3 root root 4096 Mar 7 17:26 schema
-r——– 1 ldap root 1233 Mar 8 15:10 slapdcert.pem
-rw-r—– 1 root ldap 3167 Mar 8 12:30 slapd.conf
-rw——- 1 root root 3801 Mar 8 12:16 slapd.conf.orig
-r——– 1 ldap root 1679 Mar 8 15:11 slapdkey.pem
[root@ldap workspace.muda]# cd ../../CA/certs/
[root@ldap certs]# ls -la
total 24
drwx—— 2 root root 4096 Mar 8 13:31 .
drwx—— 6 root root 4096 Mar 8 15:07 ..
-rw——- 1 root root 1289 Mar 8 13:31 ca.crt
[root@ldap certs]# cp ca.crt /etc/openldap/cacerts/cacert.pem
[root@ldap certs]# chown ldap /etc/openldap/cacerts/cacert.pem
[root@ldap certs]# chmod 400 /etc/openldap/cacerts/cacert.pem
****
10. create the sudoers ldap schema
[root@ldap schema]# cat sudo.schema
#
# schema file for sudo
#
attributetype ( 1.3.6.1.4.1.15953.9.1.1
NAME ‘sudoUser’
DESC ‘User(s) who may run sudo’
EQUALITY caseExactIA5Match
SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.2
NAME ‘sudoHost’
DESC ‘Host(s) who may run sudo’
EQUALITY caseExactIA5Match
SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.3
NAME ‘sudoCommand’
DESC ‘Command(s) to be executed by sudo’
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.4
NAME ‘sudoRunAs’
DESC ‘User(s) impersonated by sudo’
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.5
NAME ‘sudoOption’
DESC ‘Options(s) followed by sudo’
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME ‘sudoRole’ SUP top STRUCTURAL
DESC ‘Sudoer Entries’
MUST ( cn )
MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoOption $
description )
)
[root@ldap schema]# ls -la
total 292
drwxr-xr-x 3 root root 4096 Mar 8 15:16 .
drwxr-xr-x 4 root root 4096 Mar 8 15:10 ..
-rw-r–r– 1 root root 8231 Nov 29 09:49 corba.schema
-rw-r–r– 1 root root 20591 Nov 29 09:49 core.ldif
-rw-r–r– 1 root root 19762 Nov 29 09:49 core.schema
-rw-r–r– 1 root root 74080 Nov 29 09:49 cosine.schema
-rw-r–r– 1 root root 1553 Nov 29 09:49 dyngroup.schema
-rw-r–r– 1 root root 6360 Nov 29 09:49 inetorgperson.schema
-rw-r–r– 1 root root 13984 Nov 29 09:49 java.schema
-rw-r–r– 1 root root 2471 Nov 29 09:49 misc.schema
-rw-r–r– 1 root root 7723 Nov 29 09:49 nis.schema
-rw-r–r– 1 root root 3391 Nov 29 09:49 openldap.ldif
-rw-r–r– 1 root root 1601 Nov 29 09:49 openldap.schema
-rw-r–r– 1 root root 19689 Nov 29 09:49 ppolicy.schema
-rw-r–r– 1 root root 2968 Nov 29 09:49 README
drwxr-xr-x 2 root root 4096 Mar 7 17:26 redhat
-rw——- 1 root root 1255 Mar 8 15:16 sudo.schema
[root@ldap schema]# chmod 644 sudo.schema
****
11. made some sanity work for proper user rights
[root@ldap bar.com]# pwd
/var/lib/ldap/bar.com
[root@ldap bar.com]# ls -la
total 88278
-rw——- 1 root root 921 Mar 8 15:22 DB_CONFIG
[root@ldap bar.com]# chown ldap *
[root@ldap bar.com]# ls -la
total 88278
-rw——- 1 ldap root 921 Mar 8 15:22 DB_CONFIG
****
12. start the ldap service for the first config issues
[root@ldap schema]# /etc/init.d/ldap start
Checking configuration files for slapd: config file testing succeeded
[ OK ]
Starting slapd: [ OK ]
****
13. start with the initial load setup
[root@ldap schema]# pwd
/etc/openldap/schema
[root@ldap schema]# cat sd_initial.ldif
dn: dc=bar,dc=com
objectclass: dcObject
objectclass: organization
o: bar AG
dc: bar
dn: dc=foo,dc=bar,dc=com
objectclass: dcObject
objectclass: organization
o: Hosting bar AG
dc: foo
dn: cn=LDAPMaster,dc=foo,dc=bar,dc=com
objectClass: organizationalRole
cn: LDAPMaster
****
14. load the initial with slapadd
[root@ldap schema]# slapadd -v -l sd_initial.ldif -b dc=foo,dc=bar,dc=com
added: “dc=bar,dc=com” (00000001)
added: “dc=foo,dc=bar,dc=com” (00000002)
added: “cn=LDAPMaster,dc=foo,dc=bar,dc=com” (00000003)
****
15. check for it with slapcat
[root@ldap schema]# slapcat -f /etc/openldap/slapd.conf -b “dc=bar,dc=com”
dn: dc=bar,dc=com
objectClass: dcObject
objectClass: organization
o: bar LTD
dc: bar
structuralObjectClass: organization
entryUUID: ef58d566-dddc-102f-8722-81ba417f62e8
creatorsName: uid=LDAPMaster,dc=foo,dc=bar,dc=com
modifiersName: uid=LDAPMaster,dc=foo,dc=bar,dc=com
createTimestamp: 20110308143435Z
modifyTimestamp: 20110308143435Z
entryCSN: 20110308143435Z#000000#00#000000
dn: dc=foo,dc=bar,dc=com
objectClass: dcObject
objectClass: organization
o: Hosting bar LTD
dc: foo
structuralObjectClass: organization
entryUUID: ef59994c-dddc-102f-8723-81ba417f62e8
creatorsName: uid=LDAPMaster,dc=foo,dc=bar,dc=com
modifiersName: uid=LDAPMaster,dc=foo,dc=bar,dc=com
createTimestamp: 20110308143435Z
modifyTimestamp: 20110308143435Z
entryCSN: 20110308143435Z#000001#00#000000
dn: cn=LDAPMaster,dc=foo,dc=bar,dc=com
objectClass: organizationalRole
cn: LDAPMaster
structuralObjectClass: organizationalRole
entryUUID: ef59ce1c-dddc-102f-8724-81ba417f62e8
creatorsName: uid=LDAPMaster,dc=foo,dc=bar,dc=com
modifiersName: uid=LDAPMaster,dc=foo,dc=bar,dc=com
createTimestamp: 20110308143435Z
modifyTimestamp: 20110308143435Z
entryCSN: 20110308143435Z#000002#00#000000
****
15. check the ‘/etc/openldap/ldap.conf’
[root@ldap openldap]# cat ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=foo,dc=bar,dc=com
URI ldap://ldap1.foo.bar.com
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT allow
****
16. check again for proper user rights (ldap) and fix it if necessary
[root@ldap openldap]# cd /var/lib/ldap/
[root@ldap ldap]# ls -la
total 8
drwx—— 3 ldap ldap 1024 Mar 8 12:34 .
drwxr-xr-x 22 root root 1024 Mar 8 12:53 ..
-rw-r–r– 1 root root 37 Mar 7 17:26 openldap-severs-update.log
drwx—— 2 root root 1024 Mar 8 15:34 bar.com
[root@ldap ldap]# chown -R ldap *
[root@ldap ldap]# ls -la
total 8
drwx—— 3 ldap ldap 1024 Mar 8 12:34 .
drwxr-xr-x 22 root root 1024 Mar 8 12:53 ..
-rw-r–r– 1 ldap root 37 Mar 7 17:26 openldap-severs-update.log
drwx—— 2 ldap root 1024 Mar 8 15:34 bar.com
[root@ldap ldap]# cd bar.com/
[root@ldap bar.com]# ls -la
total 88278
drwx—— 2 ldap root 1024 Mar 8 15:34 .
drwx—— 3 ldap ldap 1024 Mar 8 12:34 ..
-rw——- 1 ldap root 8192 Mar 8 15:34 cn.bdb
-rw——- 1 ldap root 24576 Mar 8 15:35 __db.001
-rw——- 1 ldap root 104857600 Mar 8 15:35 __db.002
-rw——- 1 ldap root 335552512 Mar 8 15:35 __db.003
-rw——- 1 ldap root 2359296 Mar 8 15:35 __db.004
-rw——- 1 ldap root 557056 Mar 8 15:35 __db.005
-rw——- 1 ldap root 24576 Mar 8 15:35 __db.006
-rw——- 1 ldap root 921 Mar 8 15:31 DB_CONFIG
-rw——- 1 ldap root 8192 Mar 8 15:34 dn2id.bdb
-rw——- 1 ldap root 32768 Mar 8 15:34 id2entry.bdb
-rw——- 1 ldap root 10485760 Mar 8 15:34 log.0000000001
-rw——- 1 ldap root 8192 Mar 8 15:34 objectClass.bdb
****
17. config the ldap base for our tree and load it
[root@ldap schema]# cat sd_base.ldif
# hostgroup
dn: ou=hosts,dc=foo,dc=bar,dc=com
ou: hosts
objectClass: organizationalunit
# sudoers group
dn: ou=SUDOers,dc=foo,dc=bar,dc=com
objectClass: top
objectClass: organizationalUnit
ou: SUDOers
# authenticated groups
dn: o=auth_group,dc=foo,dc=bar,dc=com
o: auth_group
objectclass: organization
# authenticated users
dn: o=auth_user,dc=foo,dc=bar,dc=com
o: auth_user
objectclass: organization
# pw policy group
dn: ou=pwpolicies,dc=foo,dc=bar,dc=com
objectClass: top
objectClass: organizationalUnit
ou: pwpolicies
[root@ldap schema]# ldapadd -h ldap1.foo.bar.com -x -D “uid=LDAPMaster,dc=foo,dc=bar,dc=com” -W -f sd_base.ldif -vv
****
18. config the ldap group base for our tree and load it
[root@ldap schema]# cat sd_auth_group.ldif
dn: cn=testXusergrp,o=auth_group,dc=foo,dc=bar,dc=com
objectClass: posixGroup
objectClass: top
cn: testXusergrp
gidNumber: 5500
userPassword:: e2NyeXg=
[root@ldap schema]# ldapadd -h ldap1.foo.bar.com -x -D “uid=LDAPMaster,dc=foo,dc=bar,dc=com” -W -f sd_auth_group.ldif -vv
****
19. config the ldap user base for our tree and load it
[root@ldap schema]# cat sd_auth_user.ldif
dn: uid=checkit,o=auth_user,dc=foo,dc=bar,dc=com
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
cn: Checkit TestUser
gidNumber: 5500
homeDirectory: /home/nfs/checkit
uid: checkit
uidNumber: 10001
description: testing user for ldap
loginShell: /bin/bash
shadowLastChange: 14853
shadowMax: 99999
shadowWarning: 7
userPassword:: e2NyeXB0fSQNzSDE=
19.1 alternative config the ldap user base for our tree and load it
I had a problem with the ‘objectClass:account’ because i need a entry for ‘mail’ to run a script for check if a account pwd came to expiration. So i changed the structural ‘objectClass’ to ‘inetOrgPerson’ which gives me the possibility to work with that (sn is a must, mail is a option).
Check: http://www.zytrax.com/books/ldap/ape/#inetorgperson
[root@ldap schema]# cat sd_auth_user.ldif
dn: uid=checkit,o=auth_user,dc=foo,dc=bar,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
cn: Checkit TestUser
sn: checkit
mail: checkit@foo.bar.com
gidNumber: 5500
homeDirectory: /home/nfs/checkit
uid: checkit
uidNumber: 10001
description: testing user for ldap
loginShell: /bin/bash
shadowLastChange: 14853
shadowMax: 99999
shadowWarning: 7
userPassword:: e2NyeXB0fSQNzSDE=
[root@ldap schema]# ldapadd -h ldap1.foo.bar.com -x -D “uid=LDAPMaster,dc=foo,dc=bar,dc=com” -W -f sd_auth_user.ldif -vv
HINT: You can do this with existing entries in your tree this should work:
You just have to write the LDIF in such a way that the removal and adding of account and inetOrgPerson happens in one go.
dn: uid=checkit,o=auth_user,dc=foo,dc=bar,dc=com
changetype: modify
add: objectclass
objectclass: inetOrgPerson
-
delete: objectclass
objectclass: account
-
add: sn
sn: checkit
****
20. config the ldap sudoers base for our tree and load it
[root@ldap schema]# cat sd_sudoers.ldif
dn: cn=defaults,ou=SUDOers,dc=foo,dc=bar,dc=com
objectClass: sudoRole
objectClass: top
cn: defaults
description: Default sudoOption’s
sudoOption: !lecture
sudoOption: log_host
sudoOption: log_year
sudoOption: ignore_dot
sudoOption: logfile=/var/log/sudolog
sudoOption: passwd_tries=3
sudoOption: timestamp_timeout=5
sudoOption: passwd_timeout=1
sudoOption: syslog=authpriv
sudoOption: root_sudo
sudoOption: authenticate
sudoOption: ignore_local_sudoers
dn: cn=administration,ou=SUDOers,dc=foo,dc=bar,dc=com
objectClass: sudoRole
objectClass: top
cn: administration
description: Administration Role
sudoCommand: ALL
sudoCommand: !/usr/sbin/visudo
sudoCommand: !/bin/more *sudoers
sudoCommand: !/bin/cp *sudoers
sudoCommand: !/bin/mv *sudoers
sudoCommand: !/bin/cat *sudoers
sudoCommand: !/bin/su “”
sudoCommand: !/bin/su * root
sudoCommand: !/bin/su -
sudoCommand: !/bin/su -[! ]*
sudoCommand: !/bin/su root
sudoCommand: !/bin/vi *sudoers
sudoOption: !authenticate
sudoHost: ldap1.foo.bar.com
sudoRunAs: root
sudoUser: checkit
[root@ldap schema]# ldapadd -h ldap1.foo.bar.com -x -D “uid=LDAPMaster,dc=foo,dc=bar,dc=com” -W -f sd_sudoers.ldif -vv
****
21. config the ldap password policy base for our tree and load it
[root@ldap schema]# cat sd_ppolicy.ldif
dn: cn=default,ou=pwpolicies,dc=foo,dc=bar,dc=com
objectClass: top
objectClass: pwdPolicy
objectClass: device
objectClass: pwdPolicyChecker
cn: default
pwdAttribute: userPassword
pwdInHistory: 7
pwdLockout: TRUE
pwdMaxAge: 2592000
pwdMaxFailure: 6
pwdMinLength: 8
pwdMustChange: TRUE
pwdSafeModify: FALSE
[root@ldap schema]# ldapadd -h ldap1.foo.bar.com -x -D “uid=LDAPMaster,dc=foo,dc=bar,dc=com” -W -f sd_ppolicy.ldif -vv
****
22. Uncomment in the ppolicy.schema following section:
( 1.3.6.1.4.1.42.2.27.8.1.23
NAME ‘pwdPolicySubentry’
DESC ‘The pwdPolicy subentry in effect for this object’
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
SINGLE-VALUE
USAGE directoryOperation )
****
23. script to check the ldap pwd expiration (with password policy support)
https://ltb-project.org/svn/ldap-scripts/trunk/checkLdapPwdExpiration.sh
****
24. download apache directory studio for further config
Friday, August 26, 2011
OpenLDAP TLS configuration !!
http://mindref.blogspot.com/2010/12/debian-openldap-ssl-tls-encryption.html
http://digiplan.eu.org/ldap-samba-howto-v4.html
http://edoceo.com/liber/network-openldap
http://digiplan.eu.org/ldap-samba-howto-v4.html
http://edoceo.com/liber/network-openldap
Subscribe to:
Posts (Atom)