Tuesday, April 12, 2011

FreeRADIUS+OpenLDAP Step By Step

1. Install needed packages.

yum install openldap*
yum install freeradius*

2. Set the services to start automatically on system startup.

chkconfig --level 2345 slapd on
chkconfig --level 2345 radiusd on


Configure and start LDAP

1. Copy the needed LDAP schema for RADIUS. Your path may vary a bit.

cp /usr/share/doc/freeradius*/examples/openldap.schema /etc/openldap/schema/radius.schema

2. Create an admin password for slapd. Record the hash it prints for later use when configuring the rootpw entry in slapd.conf.

slappasswd

3. Add the ldap user and group if they don't exist. Depending on the install rpm, they may have been created already.

useradd ldap
groupadd ldap

4. Create the directory and assign permissions for the database files.

mkdir /var/lib/ldap
chmod 700 /var/lib/ldap
chown ldap:ldap /var/lib/ldap

5. Edit the slapd.conf file.

cd /etc/openldap
vi slapd.conf


#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
# Default needed schemas
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
# Radius include
include /etc/openldap/schema/radius.schema
# Samba include
#include /etc/openldap/schema/samba.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
# Use the Berkeley database
database bdb
# dn suffix, domain components read in order
suffix "dc=cisco,dc=com"
checkpoint 1024 15
# root container node defined
rootdn "cn=Manager,dc=cisco,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# Paste the {SSHA} hash printed by slappasswd in step 2:
rootpw {SSHA}cVV/4zKquR4IraFEU7NTG/PIESw8l4JI
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools. (chown ldap:ldap)
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index uid,memberUid eq,pres,sub
# enable monitoring
database monitor
# allow only rootdn to read the monitor
access to *
by dn.exact="cn=Manager,dc=cisco,dc=com" read
by * none
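slappasswd (step 2) prints the {SSHA} value that goes into the rootpw line above. As an added example that is not part of the original post, the Python below reproduces that hash layout (base64 of SHA-1(password || salt) followed by the salt), verifies a candidate password against a stored value in constant time, and pulls rootpw out of a slapd.conf fragment while refusing a cleartext one. The config fragment and secret are constructed here; the hash is not the page's own.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SCHEME = "{SSHA}"


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Produce an {SSHA} value in the layout slappasswd emits by default:
    base64( SHA1(password || salt) || salt ), prefixed with the scheme tag.
    A random 4-byte salt is drawn when none is supplied."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA} value. The salt is
    whatever follows the fixed 20-byte SHA-1 digest, so any salt length works."""
    if not stored.startswith(SCHEME):
        raise ValueError("not an {SSHA} value: " + stored[:8])
    raw = base64.b64decode(stored[len(SCHEME):])
    if len(raw) <= 20:
        raise ValueError("{SSHA} value too short to hold digest and salt")
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # constant-time comparison so timing does not leak how many bytes matched
    return hmac.compare_digest(candidate, digest)


def rootpw_from_conf(slapd_conf: str) -> Optional[str]:
    """Return the rootpw directive from slapd.conf text (comments skipped), or
    None if absent. Raises when the directive holds a cleartext secret, i.e.
    no {SCHEME} tag, which the comments in slapd.conf warn against."""
    for line in slapd_conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0] == "rootpw" and len(parts) == 2:
            value = parts[1].strip().strip('"')
            if not value.startswith("{"):
                raise ValueError("rootpw is stored in cleartext")
            return value
    return None


# Constructed slapd.conf fragment and secret (not the page's own hash), built
# with a fixed salt so the example is reproducible.
SAMPLE_ROOTPW = make_ssha("example-secret", salt=b"\x01\x02\x03\x04")
SAMPLE_CONF = (
    'rootdn "cn=Manager,dc=cisco,dc=com"\n'
    "# rootpw secret\n"
    "rootpw " + SAMPLE_ROOTPW + "\n"
)


def check_sample() -> bool:
    """Extract rootpw from the sample config and verify the known secret."""
    stored = rootpw_from_conf(SAMPLE_CONF)
    return stored is not None and verify_ssha("example-secret", stored)


if __name__ == "__main__":
    print("sample rootpw verifies:", check_sample())
```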



6. Remove the slapd.d directory (if it exists it takes precedence over slapd.conf).

cd /etc/openldap
rm -rf slapd.d

7. If everything is correct, slapd should start without problems.

service slapd start

8. Create the initial database in a text file called /tmp/initial.ldif (entries are separated by a blank line):

dn: dc=cisco,dc=com
objectClass: dcobject
objectClass: organization
o: cisco
dc: cisco

dn: ou=people,dc=cisco,dc=com
objectClass: organizationalunit
ou: people
description: people

dn: uid=jonatstr,ou=people,dc=cisco,dc=com
objectClass: top
objectClass: radiusprofile
objectClass: inetOrgPerson
cn: jonatstr
sn: jonatstr
uid: jonatstr
description: user John
radiusTunnelType: VLAN
radiusTunnelMediumType: 802
radiusTunnelPrivateGroupId: 10
userPassword: ggsg

9. Add the file to the database.

ldapadd -h localhost -W -D "cn=Manager,dc=cisco,dc=com" -f /tmp/initial.ldif

10. Issue a basic query to the LDAP database to make sure that we can send requests and receive results back.

ldapsearch -h localhost -W -D cn=Manager,dc=cisco,dc=com -b dc=cisco,dc=com -s sub "objectClass=*"


Configure and Start FreeRADIUS

1. Configure ldap.attrmap, if needed. This step is only needed if we need to map and pass attributes back to the authenticator (dynamic VLAN assignment, for example). Below is an example for dynamic VLAN assignment.

cd /etc/raddb
vi ldap.attrmap

For dynamic VLAN assignments, verify the following lines exist:

replyItem Tunnel-Type radiusTunnelType
replyItem Tunnel-Medium-Type radiusTunnelMediumType
replyItem Tunnel-Private-Group-Id radiusTunnelPrivateGroupId

Since we are planning to use the userPassword attribute, we will let the mschap module perform the NT hash translation for us. Add the following line so the LDAP object's userPassword is read and stored as Cleartext-Password:

checkItem Cleartext-Password userPassword
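The four ldap.attrmap lines above decide which LDAP attributes become RADIUS check and reply items. As an added example that is not part of the original post, the Python below parses an LDIF modelled on /tmp/initial.ldif, applies exactly those mappings, and reports what a user entry still lacks before dynamic VLAN assignment with PEAP/MSCHAPv2 can work. The LDIF sample is constructed here, and the mapping logic is a model of the page's attrmap, not FreeRADIUS's own code.

```python
# Constructed LDIF: the people OU plus the jonatstr entry from
# /tmp/initial.ldif, separated by the blank line LDIF requires between entries.
SAMPLE_LDIF = """\
dn: ou=people,dc=cisco,dc=com
objectClass: organizationalunit
ou: people

dn: uid=jonatstr,ou=people,dc=cisco,dc=com
objectClass: top
objectClass: radiusprofile
objectClass: inetOrgPerson
cn: jonatstr
sn: jonatstr
uid: jonatstr
radiusTunnelType: VLAN
radiusTunnelMediumType: 802
radiusTunnelPrivateGroupId: 10
userPassword: ggsg
"""

# The ldap.attrmap lines this page asks for: (item kind, RADIUS attr, LDAP attr).
ATTRMAP = [
    ("checkItem", "Cleartext-Password", "userPassword"),
    ("replyItem", "Tunnel-Type", "radiusTunnelType"),
    ("replyItem", "Tunnel-Medium-Type", "radiusTunnelMediumType"),
    ("replyItem", "Tunnel-Private-Group-Id", "radiusTunnelPrivateGroupId"),
]


def parse_ldif(text):
    """Minimal LDIF reader: a blank line ends an entry, attribute names are
    lower-cased (LDAP compares them case-insensitively), repeated attributes
    collect into a list, folded lines (leading space) join the previous value."""
    entries, current, prev_key = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and prev_key is not None:
            current[prev_key][-1] += raw[1:]
        elif not raw.strip():
            if current:
                entries.append(current)
            current, prev_key = {}, None
        elif not raw.startswith("#"):
            key, _, value = raw.partition(":")
            prev_key = key.strip().lower()
            current.setdefault(prev_key, []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def map_entry(entry, attrmap=ATTRMAP):
    """Apply the attrmap to one entry: checkItems become check attributes,
    replyItems become reply attributes; attributes the entry lacks are skipped."""
    check, reply = {}, {}
    for kind, radius_attr, ldap_attr in attrmap:
        values = entry.get(ldap_attr.lower())
        if values:
            (check if kind == "checkItem" else reply)[radius_attr] = values[0]
    return check, reply


def vlan_assignment_gaps(entry):
    """List what an entry is missing for this page's dynamic-VLAN + mschap
    setup; an empty list means the entry is complete."""
    gaps = []
    if "radiusprofile" not in [oc.lower() for oc in entry.get("objectclass", [])]:
        gaps.append("objectClass radiusprofile")
    check, reply = map_entry(entry)
    if "Cleartext-Password" not in check:
        gaps.append("userPassword")
    gaps.extend(a for a in ("Tunnel-Type", "Tunnel-Medium-Type",
                            "Tunnel-Private-Group-Id") if a not in reply)
    return gaps
```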



2. Configure eap.conf. The section attributes below should be verified. You may change other attributes as needed; they are just not covered in this document.

eap {
    default_eap_type = peap
    .....
    tls {
        # I will not go into details here as this is beyond the scope of setting up freeradius.
        # The defaults will work, as freeradius comes with generated self-signed certificates.
    }
    peap {
        default_eap_type = mschapv2
        # you will have to set this to allow the inner TLS tunnel attributes into the final accept message
        use_tunneled_reply = yes
        ......
    }
}


3. Change the authentication and authorization modules and their order.

cd /etc/raddb/sites-enabled
vi default

For the authorize section, uncomment the ldap module.
For the authenticate section, uncomment the ldap module.

vi inner-tunnel

Very important: in the authorize section, ensure the ldap module is listed first, before mschap, so that authorize looks like:

authorize {
    ldap
    mschap
    ......
}




4. Configure the ldap module.

cd /etc/raddb/modules
vi ldap

ldap {
    server = localhost
    identity = "cn=Manager,dc=cisco,dc=com"
    password = admin
    basedn = "dc=cisco,dc=com"
    base_filter = "(objectclass=radiusprofile)"
    access_attr = "uid"
    ............
}



5. Start up radius in debug mode on another console.

radiusd -X

6. Run a plain PAP test with the user from the LDIF (radtest takes user, password, server, NAS port and shared secret):

radtest jonatstr ggsg localhost 12 testing123

You should get an Access-Accept back.


7. Now to perform an EAP-PEAP test. This requires a wpa_supplicant test utility called eapol_test.

First install the OpenSSL support libraries and a compiler, required to build it:

yum install openssl*
yum install gcc

wget http://hostap.epitest.fi/releases/wpa_supplicant-0.6.10.tar.gz
tar xvf wpa_supplicant-0.6.10.tar.gz
cd wpa_supplicant-0.6.10/wpa_supplicant
vi defconfig

Uncomment CONFIG_EAPOL_TEST=y and save/exit.

cp defconfig .config
make eapol_test
cp eapol_test /usr/local/bin
chmod 755 /usr/local/bin/eapol_test


8. Create a test config file named eapol_test.conf.peap:

network={
    eap=PEAP
    eapol_flags=0
    key_mgmt=IEEE8021X
    identity="jonatstr"
    password="ggsg"
    # If you want to verify the server certificate, the line below would be needed
    #ca_cert="/root/ca.pem"
    phase2="auth=MSCHAPV2"
}

9. Run the test.

eapol_test -c ~/eapol_test.conf.peap -a 127.0.0.1 -p 1812 -s testing123

Wednesday, July 7, 2010

What to do in oracle after installation to install SOA server

After the Oracle installation there should be the same directory structure as mentioned in the dbcreate file.
Then set .bash_profile for the oracle user.
Then keep the init file [initPHNXTEST.ora] in /u02/app/oracle/product/11.2.0/db_1/dbs
and the listener files [listener.ora/tnsnames.ora] in /u02/app/oracle/product/11.2.0/db_1/network/admin.
Then run the commands below:

export ORACLE_SID=PHNXTEST
$ sqlplus 'sys as sysdba'
(password: sysora11)

SQL> create spfile from pfile='/u02/app/oracle/product/11.2.0/db_1/dbs/initPHNXTEST.ora';

Then start the instance in NOMOUNT (CREATE DATABASE requires it) and run dbcreate_phnxtest_7.18.sql; SQL*Plus runs a script file with the @ prefix:

SQL> startup nomount
SQL> @dbcreate_phnxtest_7.18.sql

then run

SQL> @$ORACLE_HOME/rdbms/admin/catalog.sql
SQL> @$ORACLE_HOME/rdbms/admin/catproc.sql
SQL> @$ORACLE_HOME/sqlplus/admin/pupbld.sql

$ lsnrctl start

$ sqlplus 'sys as sysdba' [password: sysora11]
SQL> startup

The above command will start the DB.

dbcreate_phnxtest_7.18.sql
==========================
CREATE DATABASE PHNXTEST
USER SYS IDENTIFIED BY sysora11
USER SYSTEM IDENTIFIED BY mgrora11
DATAFILE '/u02/oradata/ora11/phnxtest/SYSTEM01.DBF' SIZE 325M REUSE AUTOEXTEND ON NEXT 10240K MAXSIZE UNLIMITED
SYSAUX DATAFILE '/u02/oradata/ora11/phnxtest/SYSAUX01.DAT' SIZE 120M REUSE AUTOEXTEND ON NEXT 5M MAXSIZE 2048M
DEFAULT TABLESPACE USERS DATAFILE '/u02/oradata/ora11/phnxtest/USERS01.DBF' SIZE 50M REUSE AUTOEXTEND ON MAXSIZE UNLIMITED
DEFAULT TEMPORARY TABLESPACE TEMP TEMPFILE '/u02/oradata/ora11/phnxtest/TEMP01.DBF' SIZE 40M REUSE AUTOEXTEND ON NEXT 640K MAXSIZE UNLIMITED
UNDO TABLESPACE "UNDOTBS1" DATAFILE '/u02/oradata/ora11/phnxtest/UNDOTBS01.DBF' SIZE 200M REUSE AUTOEXTEND ON NEXT 5120K MAXSIZE UNLIMITED
CHARACTER SET AL32UTF8
LOGFILE '/u02/oradata/ora11/phnxtest/REDO01.LOG' SIZE 100M REUSE,
'/u02/oradata/ora11/phnxtest/REDO02.LOG' SIZE 100M REUSE,
'/u02/oradata/ora11/phnxtest/REDO03.LOG' SIZE 100M REUSE
EXTENT MANAGEMENT LOCAL
MAXLOGFILES 32
MAXLOGMEMBERS 4
MAXLOGHISTORY 100
MAXDATAFILES 254
MAXINSTANCES 1;

initPHNXTEST.ora
================
db_name='PHNXTEST'
memory_target=1G
processes = 150
audit_file_dest='/u02/app/oracle/admin/phnxtest/adump'
audit_trail ='db'
db_block_size=8192
db_domain=''
db_recovery_file_dest='/u02/app/oracle/flash_recovery_area'
db_recovery_file_dest_size=2G
diagnostic_dest='/u02/app/oracle/diagnostic_dest'
dispatchers='(PROTOCOL=TCP) (SERVICE=ORCLXDB)'
open_cursors=300
remote_login_passwordfile='EXCLUSIVE'
undo_tablespace='UNDOTBS1'
# You may want to ensure that control files are created on separate physical
# devices
control_files = (/u02/oradata/ora11/phnxtest/CONTROL1.ora, /u02/oradata/ora11/phnxtest/CONTROL2.ora, /u02/oradata/ora11/phnxtest/CONTROL3.ora)
compatible ='11.2.0'
sessions=512

listener.ora
============
LISTENER=
(DESCRIPTION=
(ADDRESS_LIST=
(ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521))
(ADDRESS=(PROTOCOL=ipc)(KEY=extproc))))
# The static SID list must be named SID_LIST_<listener name>, so SID_LIST_LISTENER for the LISTENER above
SID_LIST_LISTENER=
(SID_LIST=
(SID_DESC=
(GLOBAL_DBNAME=PHNXTEST)
(ORACLE_HOME=/u02/app/oracle/product/11.2.0/db_1)
(SID_NAME=PHNXTEST)))

tnsnames.ora
============
#DEMO1 =
# (DESCRIPTION =
# (ADDRESS=(PROTOCOL=TCP)(HOST=192.168.27.128)(PORT=1521))
# (CONNECT_DATA=(SERVICE_NAME=DEMO1)(SID=DEMO1)))



PHNXTEST =
(DESCRIPTION =
(ADDRESS=(PROTOCOL=TCP)(HOST=10.23.7.18)(PORT=1521))
(CONNECT_DATA=(SERVICE_NAME=PHNXTEST)(SID=PHNXTEST)))

.bash_profile [Oracle user profile]
===================================
if [ -f ~/.bashrc ]; then
. ~/.bashrc
fi
# User specific environment and startup programs
#PATH=$PATH:$HOME/bin
#export PATH
TMPDIR=$TMP; export TMPDIR
ORACLE_HOSTNAME=copfs-test-db; export ORACLE_HOSTNAME
ORACLE_BASE=/u01/app/oracle; export ORACLE_BASE
ORACLE_HOME=/u01/app/oracle/product/11.2.0/db_1; export ORACLE_HOME
ORACLE_SID=PHNXTEST; export ORACLE_SID
ORACLE_TERM=xterm; export ORACLE_TERM
DISPLAY=localhost:0.0; export DISPLAY
PATH=/usr/sbin:$PATH; export PATH
PATH=$ORACLE_HOME/bin:$PATH; export PATH
LD_LIBRARY_PATH=$ORACLE_HOME/lib:/lib:/usr/lib; export LD_LIBRARY_PATH
CLASSPATH=$ORACLE_HOME/JRE:$ORACLE_HOME/jlib:$ORACLE_HOME/rdbms/jlib; export CLASSPATH
export LD_LIBRARY_PATH=/u01/app/oracle/product/11.2.0/db_1/lib32

N.B.: The paths, hostname/IP, Oracle home and listener name must be changed as per your requirement (ORACLE_BASE/ORACLE_HOME in .bash_profile must match the directories the init and listener files were placed in).

Monday, June 21, 2010

MySQL Backup Script

#!/bin/bash
# Dump every MySQL database (except the ones listed in IGGY) into
# individually gzipped files under $DEST/mysql.

MYSQL="$(which mysql)"
MYSQLDUMP="$(which mysqldump)"
CHOWN="$(which chown)"
CHMOD="$(which chmod)"
GZIP="$(which gzip)"
SUDO="$(which sudo)"

# MySQL credentials used for the dump; fill these in for your server.
# Passing -p on the command line shows the password in the process list;
# a ~/.my.cnf with mode 0600 avoids that.
MyUSER="backup_user"
MyPASS="CHANGE_ME"
MyHOST="localhost"

# Backup Dest directory, change this if you have some other location
DEST="/backup"

# Main directory where backup will be stored
MBD="$DEST/mysql"

# Get hostname
HOST="$(hostname)"

# Get date in dd-mm-yyyy format
NOW="$(date +"%d-%m-%Y")"

# File to store current backup file
FILE=""
# Store list of databases
DBS=""

# DO NOT BACKUP these databases
IGGY="test first_test"

[ ! -d "$MBD" ] && $SUDO mkdir -p "$MBD" || :

# Only the owner can access the dumps (they contain every table's data),
# so run this script as copfsadmin or root.
$SUDO $CHOWN copfsadmin:copfsadmin -R "$DEST"
$SUDO $CHMOD -R 0700 "$DEST"

# Get all database list first
DBS="$($MYSQL -u "$MyUSER" -h "$MyHOST" -p"$MyPASS" -Bse 'show databases')"

for db in $DBS
do
    skipdb=-1
    if [ "$IGGY" != "" ];
    then
        for i in $IGGY
        do
            [ "$db" == "$i" ] && skipdb=1 || :
        done
    fi

    if [ "$skipdb" == "-1" ] ; then
        FILE="$MBD/$db.$HOST.$NOW.gz"
        # pipefail so a failed mysqldump is not masked by a successful gzip
        if ! (set -o pipefail; $MYSQLDUMP -u "$MyUSER" -h "$MyHOST" -p"$MyPASS" "$db" | $GZIP -9 > "$FILE"); then
            echo "backup of $db failed" >&2
        fi
    fi
done

Monday, May 24, 2010

How to Update PHP

For most people using RPM as a package manager, if you upgrade/install PHP you will see a lot of dependency errors, which is quite annoying. So please follow the steps below to make it easy.

I. If PHP is installed on your system, remove it. Put this in a script or run it from the shell:
# for i in `rpm -qa|grep -i php`; do rpm -e $i --nodeps; done

II. Install the new packages:
# rpm -ivh php52-common-5.2.13-1.el5.x86_64.rpm php52-cli-5.2.13-1.el5.x86_64.rpm php52-5.2.13-1.el5.x86_64.rpm

Now if you run "php -v" you can see the version of PHP.

Hope it will be helpful to all of you.

Wednesday, May 19, 2010

How to prepare a custom Kickstart CD

Creating a custom Kickstart CD for Red Hat

This article explains how to create a custom boot CD for Red Hat Enterprise Linux containing a customized Kickstart file. When completed, the boot CD will contain all of the instructions necessary to create a custom Red Hat Linux system with little or no intervention.

Step By Step

1. Place Disk 1 of the Red Hat Enterprise Linux CD set into the CDROM drive.

2. Navigate to the /images directory on the CD.

3. Locate the boot.iso file and copy it to your hard drive.

4. Mount the boot.iso file using the following command:

mount -o loop -t iso9660 boot.iso /mnt/iso

If the /mnt/iso directory does not already exist you will need to create it. You also may need to be the root user to mount the boot.iso file.

5. Change to the /mnt/iso directory and copy the contents to another location (we are using /home/jeff in this example):

cd /mnt/iso
cp -R isolinux /home/jeff

6. Copy the Kickstart ks.cfg file to the new directory (this presumes ks.cfg is already located in /home/jeff):

cd /home/jeff
cp ks.cfg ./isolinux

7. Change to the /isolinux directory:

cd isolinux

8. Run the following command to create a new .iso file:

mkisofs -r -T -J -V "RedHatKSBoot" -b isolinux.bin -c boot.cat -no-emul-boot -boot-load-size 4 -boot-info-table -v -o /home/jeff/redhat_ks_boot.iso .

This will create a file named redhat_ks_boot.iso located in /home/jeff. It will be the same as the original boot.iso file we started with, with the exception of the ks.cfg file that was added.

9. Burn the redhat_ks_boot.iso file to a CD.

Initiating Kickstart

Boot the box on which you wish to install this customized version of Red Hat Enterprise Linux. At the boot: prompt, type the following:

linux ks=cdrom:/ks.cfg

Red Hat should then begin its boot process. You will then be prompted with the following message:

The Red Hat Enterprise Linux CD was not found in any of your CDROM drives.
Please insert the Red Hat Enterprise Linux CD and press OK to retry.

Replace the custom boot CD with Disk 1 of the Red Hat Enterprise Linux disk set and press OK. The Kickstart process will now take over and install Red Hat as per the instructions contained in ks.cfg.