Friday, April 30, 2010

RHCE OpenLDAP Server / Client Setup (30/04/2010)

OpenLDAP Server

compat-openldap.i386 0:2.1.30-6.4E
openldap-clients.i386 0:2.2.13-6.4E
openldap-devel.i386 0:2.2.13-6.4E
openldap-servers.i386 0:2.2.13-6.4E
openldap-servers-sql.i386 0:2.2.13-6.4E
You can install them using the command:
yum install *openldap* -y

-----------------------------------------------------------
vi /etc/openldap/slapd.conf

openssl passwd    <-- generates the {crypt} hash used for rootpw below

add in /etc/openldap/slapd.conf

suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw {crypt}BreLcru48OqmA
-------------------------------------------------------------------------
service ldap restart
tail -f /var/log/messages


useradd -d /home/users/system1-user01 system1-user01
useradd -d /home/users/system2-user02 system2-user02
useradd -d /home/users/system3-user03 system3-user03
useradd -d /home/users/system4-user04 system4-user04
useradd -d /home/users/system5-user05 system5-user05
useradd -d /home/users/system6-user06 system6-user06
useradd -d /home/users/system7-user07 system7-user07
useradd -d /home/users/system8-user08 system8-user08
useradd -d /home/users/system9-user09 system9-user09
useradd -d /home/users/system10-user10 system10-user10

passwd system1-user01
passwd system2-user02
passwd system3-user03
passwd system4-user04
passwd system5-user05
passwd system6-user06
passwd system7-user07
passwd system8-user08
passwd system9-user09
passwd system10-user10

groupadd -g 10000 system01
groupadd -g 10001 system02

usermod -G 10000 system1-user01
usermod -G 10000 system2-user02
usermod -G 10001 system3-user03

--------------------------------------------------------------------------------------

vi /etc/exports

/home/users 192.168.0.0/255.255.255.0(rw,sync)

----------------------------------------------------------------------------------

vi /etc/openldap/init.ldif

dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
o: example
dc: example

dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
cn: Manager

dn: ou=Account,dc=example,dc=com
objectClass: organizationalUnit
ou: Account

dn: ou=Group,dc=example,dc=com
objectClass: organizationalUnit
ou: Group

#ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f init.ldif

#ldapsearch -x -LLL -b "dc=example, dc=com" "(objectClass=*)"

----------------------------------------------------------------------------------------

vi /etc/openldap/group.ldif

dn: cn=system01,ou=Group,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: system01
gidNumber: 10000

dn: cn=system02,ou=Group,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: system02
gidNumber: 10001

ldapadd -x -D "cn=Manager, dc=example, dc=com" -W -f group.ldif

Before creating user.ldif:

su - system1-user01
id    <-- check the uid / gid numbers to use in user.ldif
openssl passwd
copy and paste the resulting hash into the userPassword attribute of user.ldif

---------------------------------------------------------------

vi /etc/openldap/user.ldif

dn: uid=system1-user01,ou=Account,dc=example,dc=com
uid: system1-user01
cn: test user 01
objectClass: account
objectClass: posixAccount
objectClass: top
userPassword: {crypt}FLVvKA5gz4RUk
loginShell: /bin/bash
uidNumber: 511
gidNumber: 10000
homeDirectory: /home/users/system1-user01

dn: uid=system2-user02,ou=Account,dc=example,dc=com
uid: system2-user02
cn: test user 02
objectClass: account
objectClass: posixAccount
objectClass: top
userPassword: {crypt}9oB/59btUGpGM
loginShell: /bin/bash
uidNumber: 512
gidNumber: 10000
homeDirectory: /home/users/system2-user02

dn: uid=system3-user03,ou=Account,dc=example,dc=com
uid: system3-user03
cn: test user 03
objectClass: account
objectClass: posixAccount
objectClass: top
userPassword: {crypt}xopW7X41D.w/6
loginShell: /bin/bash
uidNumber: 513
gidNumber: 10001
homeDirectory: /home/users/system3-user03

ldapadd -x -D "cn=Manager, dc=example, dc=com" -W -f user.ldif
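As an added example (not from the original notes): a small Python generator for the group.ldif / user.ldif entries above. It applies the LDIF rules that matter when hand-editing these files: entries are separated by exactly one blank line, values RFC 2849 does not allow in clear form are base64-encoded, and it refuses clear-text passwords, duplicate uidNumbers and gids that have no posixGroup. The account table and {crypt} hashes inside it are constructed placeholders, not the values on the page.

```python
import base64
BASE_DN = "dc=example,dc=com"   # the suffix set in slapd.conf

def ldif_attr(name, value):
    """One 'name: value' line; RFC 2849 requires base64 ('name:: ...') when the
    value starts with space/':'/'<', ends with a space, or is non-ASCII/control."""
    v = str(value)
    unsafe = (v[:1] in (" ", ":", "<") or v.endswith(" ")
              or not v.isascii() or any(c in v for c in "\r\n\0"))
    if unsafe:
        return f"{name}:: {base64.b64encode(v.encode()).decode()}"
    return f"{name}: {v}"

def group_entry(cn, gid):
    return "\n".join([ldif_attr("dn", f"cn={cn},ou=Group,{BASE_DN}"),
                      ldif_attr("objectClass", "posixGroup"),
                      ldif_attr("objectClass", "top"),
                      ldif_attr("cn", cn), ldif_attr("gidNumber", gid)])

def user_entry(uid, uid_number, gid, pw_hash, cn, shell="/bin/bash"):
    # accept only the {crypt} form that 'openssl passwd' produces
    if not pw_hash.startswith("{crypt}"):
        raise ValueError("userPassword must be a {crypt} hash")
    return "\n".join([ldif_attr("dn", f"uid={uid},ou=Account,{BASE_DN}"),
                      ldif_attr("uid", uid), ldif_attr("cn", cn),
                      ldif_attr("objectClass", "account"),
                      ldif_attr("objectClass", "posixAccount"),
                      ldif_attr("objectClass", "top"),
                      ldif_attr("userPassword", pw_hash),
                      ldif_attr("loginShell", shell),
                      ldif_attr("uidNumber", uid_number),
                      ldif_attr("gidNumber", gid),
                      ldif_attr("homeDirectory", f"/home/users/{uid}")])

def render(groups, users):
    """groups: {cn: gid}; users: [(uid, uidNumber, gid, hash, cn)]. Rejects
    duplicate uidNumbers / unknown gids; entries are separated by one blank line."""
    if len({u[1] for u in users}) != len(users):
        raise ValueError("duplicate uidNumber")
    for u in users:
        if u[2] not in groups.values():
            raise ValueError(f"gidNumber {u[2]} has no posixGroup")
    entries = [group_entry(c, g) for c, g in groups.items()]
    entries += [user_entry(*u) for u in users]
    return "\n\n".join(entries) + "\n"

# constructed sample; the hashes are placeholders, not the ones on the page
SAMPLE_GROUPS = {"system01": 10000, "system02": 10001}
SAMPLE_USERS = [("system1-user01", 511, 10000, "{crypt}PLACEHOLDER1", "test user 01"),
                ("system3-user03", 513, 10001, "{crypt}PLACEHOLDER3", "test user 03")]
```

Writing `render(SAMPLE_GROUPS, SAMPLE_USERS)` to a file gives something ldapadd -f accepts as-is.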

---------------------------------------------------------------------

export home directory on server1.example.com

/home/users 192.168.0.0/255.255.255.0(rw,sync)

--------------------------------------------------------------------

### LDAP Clients ###

authconfig-tui

- Use LDAP

- Use LDAP Authentication

ldap://server1.example.com

dc=example,dc=com

---------------------------------------------------------------------

vi /etc/auto.master

/home/users /etc/auto.users --timeout=60

vi /etc/auto.users

* -fstype=nfs,rw,soft,intr server1.example.com:/home/users/&


Thursday, April 29, 2010

Linux DNS Server - RHCE Notes (29/04/2010)

Linux Bind DNS Name Server Configuration

#rpm -qi bind / bind-chroot / caching-nameserver
#yum grouplist    <-- check the group name
#yum groupinstall "DNS Name Server"
# that will install bind / bind-chroot
----------------------------------------------------------------------------------------------------------
Selinux for named
# setsebool -P named_write_master_zones 1
----------------------------------------------------------------------------------------------------------
Install Caching only Name Server
#yum -y install caching-nameserver
# cd /var/named/chroot/etc
#cp named.caching-nameserver.conf named.conf
#chgrp -R named named.conf
#vi named.conf
Change
listen-on port 53 { 127.0.0.1; 192.168.0.254; };
allow-query { 192.168.0.0/24; };
# vi /etc/resolv.conf
nameserver 127.0.0.1
Creating the RNDC (Remote Name Daemon Control) key /etc/rndc.key
#rndc-confgen
#rndc-confgen -a -b 512

Bind Commands to troubleshoot name resolution

#service named restart/reload/stop/start
#rndc start/stop/reload/status
#host -l example.com
#dig www.redhat.com

Domain example.com configuration

# vi /var/named/chroot/etc/named.conf

# chgrp -R named named.conf    <-- change group to named for named.conf

# ln -s /var/named/chroot/etc/named.conf /etc/named.conf

------------------------------------------------------------------------------------------

named.conf (SAMPLE)

options {
    listen-on port 53 { 127.0.0.1; 192.168.0.254; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { 192.168.0.0/24; };
    forward only;
    forwarders {
        172.16.1.73;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

zone "example.com" IN {
    type master;
    file "example.com.zone";
    allow-update { none; };
};

zone "0.168.192.in-addr.arpa" IN {
    type master;
    file "192.168.0.zone";
    allow-update { none; };
};

include "/etc/rndc.key";

------------------------------------------------------------------------------------------------------------

vi /var/named/chroot/var/named/example.com.zone

chgrp -R named example.com.zone

------------------------------------------------------------------------------------------------------------

example.com.zone (SAMPLE)

$TTL 86400
example.com.    IN SOA server1.example.com. root.server1.example.com. (
                2010042900  ; serial number
                1H          ; refresh slave
                5M          ; retry query
                1W          ; expire
                1M          ; negative TTL
                )

@                           IN NS     server1.example.com.
@                           IN MX 10  server1.example.com.
example.com.                IN A      192.168.0.254
mail.example.com.      3600 IN CNAME  server1.example.com.
kerberos.example.com.  3600 IN CNAME  server1.example.com.
station1.example.com.       IN A      192.168.0.1
station2                    IN A      192.168.0.2
station3                    IN A      192.168.0.3
station4                    IN A      192.168.0.4
station5                    IN A      192.168.0.5
station6                    IN A      192.168.0.6
station7                    IN A      192.168.0.7
station8                    IN A      192.168.0.8
station9                    IN A      192.168.0.9
station10                   IN A      192.168.0.10
www10                       IN CNAME  station10.example.com.
ssl                         IN CNAME  station10.example.com.
gateway                     IN A      192.168.0.100
server1                     IN A      192.168.0.254

------------------------------------------------------------------------------------------------------------

vi /var/named/chroot/var/named/192.168.0.zone

chgrp -R named 192.168.0.zone

----------------------------------------------------------------------------------------------------------

192.168.0.zone (SAMPLE)

$TTL 86400
0.168.192.IN-ADDR.ARPA.    IN SOA server1.example.com. root.server1.example.com. (
                2010042900  ; serial number
                1H          ; refresh slave
                5M          ; retry query
                1W          ; expire
                1M          ; negative TTL
                )

@                           IN NS   server1.example.com.

1.0.168.192.IN-ADDR.ARPA.   IN PTR  station1.example.com.
2                           IN PTR  station2.example.com.
3                           IN PTR  station3.example.com.
4                           IN PTR  station4.example.com.
5                           IN PTR  station5.example.com.
6                           IN PTR  station6.example.com.
7                           IN PTR  station7.example.com.
8                           IN PTR  station8.example.com.
9                           IN PTR  station9.example.com.
10                          IN PTR  station10.example.com.
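An added consistency check, not part of these notes, for forward and reverse zones laid out like the two samples above: it pairs every A record inside 192.168.0.0/24 with a PTR record and every PTR with an A record, and reports the mismatches that make the later dig / dig -x tests fail. Run against the full samples above it would flag server1 (192.168.0.254) and gateway (192.168.0.100), which have A records but no PTR. The parser assumes each record line starts with an owner name, as in the samples; the cut-down zones embedded in the script are constructed.

```python
import ipaddress

def _records(text, origin):
    """Yield (owner, type, rdata) from a classic zone file; assumes each record
    line starts with an owner name, skips $TTL and the body of a multi-line SOA."""
    depth = 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments
        if not line or line.startswith("$"):
            continue
        if depth:                                # still inside SOA ( ... )
            depth += line.count("(") - line.count(")")
            continue
        depth = line.count("(") - line.count(")")
        tok = line.split()
        if "IN" not in tok:
            continue
        i, owner = tok.index("IN"), tok[0].lower()
        owner = origin if owner == "@" else owner if owner.endswith(".") else f"{owner}.{origin}"
        yield owner, tok[i + 1].upper(), tok[i + 2:]

def forward_map(text, origin="example.com."):
    return {o: r[0] for o, t, r in _records(text, origin) if t == "A"}

def reverse_map(text, origin="0.168.192.in-addr.arpa."):  # owner -> dotted IP key
    return {".".join(reversed(o[:-len(".in-addr.arpa.")].split("."))): r[0].lower()
            for o, t, r in _records(text, origin) if t == "PTR"}

def check_zones(fwd_text, rev_text, network="192.168.0.0/24"):
    net, problems = ipaddress.ip_network(network), []
    fwd, rev = forward_map(fwd_text), reverse_map(rev_text)
    for name, ip in fwd.items():      # every A inside the subnet needs a PTR
        if ipaddress.ip_address(ip) in net and rev.get(ip) != name:
            problems.append(f"A {name} -> {ip}: no matching PTR")
    for ip, name in rev.items():      # every PTR needs a matching A
        if fwd.get(name) != ip:
            problems.append(f"PTR {ip} -> {name}: no matching A")
    return problems

# constructed cut-down copies of the two sample zones above
FWD = """$TTL 86400
example.com. IN SOA server1.example.com. root.server1.example.com. (
    2010042900 1H 5M 1W 1M )   ; serial refresh retry expire negative-ttl
station1.example.com. IN A 192.168.0.1
server1 IN A 192.168.0.254
"""
REV = """0.168.192.IN-ADDR.ARPA. IN SOA server1.example.com. root.server1.example.com. ( 2010042900 1H 5M 1W 1M )
1.0.168.192.IN-ADDR.ARPA. IN PTR station1.example.com.
3 IN PTR station3.example.com.
"""
```

`check_zones(FWD, REV)` returns one line per mismatch; an empty list means the two zones agree.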

---------------------------------------------------------------------------------------------------------

Bind Slave zone Configuration on stationx (SAMPLE)

# vi /var/named/chroot/etc/named.conf

# chgrp -R named named.conf    <-- change group to named for named.conf

# ln -s /var/named/chroot/etc/named.conf /etc/named.conf

------------------------------------------------------------------------------------------------------------

options {
    listen-on port 53 { 127.0.0.1; 192.168.0.10; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { 192.168.0.0/24; };
};

zone "example.com" IN {
    type slave;
    file "slaves/example.com.zone";
    masters {
        192.168.0.254;
    };
};

zone "0.168.192.in-addr.arpa" IN {
    type slave;
    file "slaves/192.168.0.zone";
    masters {
        192.168.0.254;
    };
};

------------------------------------------------------------------------------------------------------------

# service named restart

After restarting named, the slave copies of example.com.zone / 192.168.0.zone are created automatically in

/var/named/chroot/var/named/example.com.zone (forward lookup)

/var/named/chroot/var/named/192.168.0.zone (reversed lookup)

# dig server1.example.com (forward lookup test)

# dig -x 192.168.0.254 (reversed lookup test)



RHCT / RHCE Notes- Apache / Squid (29/04/2010)

Apache configuration

Question:
- implement a web server for the site http://stationX.example.com, then perform the following steps:
- Download ftp://server1.example.com/pub/rhce/station.html
- Rename the download file to index.html
- Copy this index.html to the DocumentRoot of your web server
- Do Not make any modifications to the content of index.html
- Extend your webserver to include a virtual host for the site http://wwwx.example.com/, where x is your station number, then perform the following steps:
- Set the DocumentRoot to /var/www/virtual
- Download ftp://server1.example.com/pub/rhce/www.html
- Rename the download file to index.html
- Copy this index.html in the DocumentRoot of the virtual host
- Do Not make any modifications to the content of index.html
- Ensure that user1 is able to create content in /var/www/virtual
Note: The original web site http://stationx.example.com must still be accessible. DNS resolution for the hostname wwwx.example.com is already provided by the name server on server1.example.com.

Answer:

#netstat -ntlp / netstat -nulp
# check that ports 80 / 443 are listening
# rpm -qi httpd
# yum grouplist | less
# yum groupinstall "Web Server"
# yum install mod_ssl ---- for port 443
# vi /etc/httpd/conf/httpd.conf - Main Webserver config
# vi /etc/httpd/conf.d/ssl.conf - SSL webpage
------------------------------------------------------------------------------------------------------
### Default website config ### (stationx.example.com) x = your station number
ftp://server1.example.com/pub/rhce/station.html
mv station.html /var/www/html/index.html
-------------------------------------------------------------------------------------------------------
#### VirtualHost #### (wwwx.example.com) x= your station number
mkdir /var/www/virtual
ftp://server1.example.com/pub/rhce/www.html
mv www.html /var/www/virtual/index.html
--------------------------------------------------------------------------------------------------------

## Create VirtualHost ##

/NameVirtual    <-- search in vi

NameVirtualHost 192.168.0.10:80

<VirtualHost 192.168.0.10:80>
    ServerName station10.example.com
    ServerAlias station10
    DocumentRoot /var/www/html
</VirtualHost>

<VirtualHost 192.168.0.10:80>
    ServerName www10.example.com
    ServerAlias www10
    DocumentRoot /var/www/virtual
    ErrorLog logs/www10.example.com-error_log
    CustomLog logs/www10.example.com-access_log common
</VirtualHost>

-----------------------------------------------------------------------------------------------------------

### HTTPS VirtualHost port 443 ### https://ssl.example.com

vi /etc/httpd/conf.d/ssl.conf

NameVirtualHost 192.168.0.10:443

<VirtualHost 192.168.0.10:443>
    ServerName ssl.example.com
    ServerAlias ssl
    DocumentRoot /var/www/virtual-ssl
</VirtualHost>

----------------------------------------------------------------------------------------

SELinux Permission

chcon -R --reference=/var/www/html /var/www/virtual

OR

chcon -R -u system_u /var/www/virtual

chcon -R -t httpd_sys_content_t /var/www/virtual

---------------------------------------------------------------------------------------------------------

Basic text password Auth for Apache

vi /etc/httpd/conf/httpd.conf

/Directory    <-- search in vi

###Default configuration for Apache### (Directory path as in the stock RHEL httpd.conf)

<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

###Create one for Basic text Auth###

Alias /virtual "/var/www/virtual/"

<Directory "/var/www/virtual">
    AuthType Basic
    AuthName "Text Based Auth"
    AuthUserFile /etc/httpd/passwords
    Require user user1
</Directory>

----------------------------------------------------------------------------------------------------------

###Create user name and password file###

htpasswd -c /etc/httpd/passwords user1

###Next time you don't need to add -c###

htpasswd /etc/httpd/passwords user2

httpd -S (VirtualHost setting check)

httpd -t (Syntax Check) OR service httpd configtest

Question:

- Implement a web proxy server bound to port 8080

- Clients within example.com should have access to your proxy server

- Clients outside of example.com should NOT have access to your proxy server.

Answer:

RHCE squid proxy server configuration

#rpm -qi squid    <-- check whether squid is already installed

#squid -v    <-- check the squid version

#if squid is not installed:

#yum -y install squid

#cp /etc/squid/squid.conf /tmp

vi /etc/squid/squid.conf

1. http_port 3128 --> change to http_port 8080

2. acl our_networks src 192.168.0.0/24

3. http_access allow our_networks

4. visible_hostname stationx.example.com (x = your station number)

5. squid -z

6. service squid start

7. chkconfig squid on

8. chkconfig --list squid

Test on client side !!!

vi /etc/profile.d/proxy.sh

export http_proxy=http://192.168.0.10:8080/

export https_proxy=http://192.168.0.10:8080/

export ftp_proxy=http://192.168.0.10:8080/

export no_proxy=.example.com