Sunday, July 31, 2011

Passed 3/5 RHCA: EX333 Security Network Services

I would probably rate EX333 as the most difficult exam among the 3 exams I have passed. Why is it so difficult?

1. The exam objectives are related: for example, Kerberos depends on NIS; without a working NIS, you are doomed.

2. The exam is broken into a morning section and an afternoon section. You won't pass the exam if you fail either section, but you are still allowed to sit the afternoon section regardless of the result of the morning section.

My blog post for EX333 study notes:

Authenticate BIND zone transfer with TSIG key

Setup Postfix SMTP password authentication with SASL

Wednesday, July 6, 2011

CentOS Directory Server 8 Quickstart

CentOS Directory Server is a rebuild of Red Hat Directory Server. Red Hat Directory Server, Fedora 389 Directory Server and Sun ONE Directory Server are similar because they all originated from Netscape Directory Server (NDS). OpenLDAP is also a member of the extended family, whose root is the University of Michigan slapd project, the parent of Netscape Directory Server. The obvious difference is that OpenLDAP doesn't have a built-in management console.
Install CentOS Directory Server (CDS) 8.1.0 on CentOS 5.5
#CDS requires CentOS 5.3 or newer
#Install openldap-clients too, as the LDAP client tools bundled with CDS are not very friendly
$yum install java-1.6.0-openjdk openldap-clients centos-ds
#Point the java alternative (/usr/bin/java) at the OpenJDK 1.6 binary
$alternatives --config java

Setup  CentOS Directory Server

#Create the ldap user and group that the directory daemon runs as
$groupadd ldap; useradd -g ldap -s /sbin/nologin ldap
#Start the installation wizard
$setup-ds-admin.pl
#Start the management console
$centos-idm-console

CentOS Directory Server directory structure

/etc/init.d/dirsrv    #server startup script
/etc/init.d/dirsrv-admin   #admin server startup script
/etc/dirsrv/slapd-$instance/   #server config
/etc/dirsrv/slapd-$instance/dse.ldif   #server config for "cn=config"
/etc/dirsrv/slapd-$instance/schema/99user.ldif #user-defined schema
/etc/dirsrv/admin-serv     #admin server config
/usr/lib/dirsrv/slapd-$instance/    #useful scripts: start&stop; backup&restore ...
/var/lib/dirsrv/slapd-$instance/db/      #database
/var/lib/dirsrv/slapd-$instance/bak    #default backup dir
/var/log/dirsrv/slapd-$instance/    #logs (access and errors)
$ldapsearch -x -s base -b ""  # Root DSE: shows the server version, supported controls and extensions, etc.

CentOS Directory Server backup and restore

##Backup
#/etc/dirsrv/slapd-$instance/dse.ldif is not included in a database backup and needs to be backed up manually.
1) In the GUI, select Backup Directory Server
2) In the CLI, run /usr/lib/dirsrv/slapd-$instance/db2bak
##Restore
#Stop the LDAP server first
$service dirsrv stop
#Restore using the CLI. Usage: bak2db archivedir [-n backendname]
$/usr/lib/dirsrv/slapd-station08/bak2db /var/lib/dirsrv/slapd-station08/bak/station08-2011_06_30_15_11_51 -n userRoot
#By default the backend instance names are userRoot (user data) and NetscapeRoot (console/admin configuration); check dse.ldif
$grep  nsslapd-backend /etc/dirsrv/slapd-station08/dse.ldif
nsslapd-backend: userRoot
nsslapd-backend: NetscapeRoot

CentOS Directory Server export and import
##---------------------Export to LDIF
1) In the GUI, Tasks -> Export Databases.
2) In the CLI, db2ldif
#Find out the instance name for a suffix
$ /usr/lib/dirsrv/slapd-$instance/suffix2instance -s "dc=station08, dc=example, dc=com"
Suffix, Instance name pair(s) under "dc=station08,dc=example,dc=com":
suffix "dc=station08, dc=example, dc=com"; instance name "userRoot"
$grep  nsslapd-backend /etc/dirsrv/slapd-station08/dse.ldif
nsslapd-backend: userRoot
nsslapd-backend: NetscapeRoot
#Export using the backend instance name
$/usr/lib/dirsrv/slapd-$instance/db2ldif -n userRoot -a /tmp/all-userroot.ldif
#Export using the suffix name
$/usr/lib/dirsrv/slapd-$instance/db2ldif -s  'dc=station08,dc=example,dc=com'  -a /tmp/all.ldif
#The export contains every attribute, userPassword hashes included; write it to a directory with restrictive permissions rather than a world-readable /tmp
##---------------------Import from LDIF
#If the server is running
in GUI, Tasks -> Import Databases;
in CLI, ldif2db.pl (the GUI is recommended for online imports because of the script's complexity).
#If the server is offline, use the ldif2db script
$service dirsrv stop
$/usr/lib/dirsrv/slapd-$instance/ldif2db -n userRoot -i /tmp/all.ldif
LDAP command lines
CDS ships the Mozilla LDAP tools (mozldap-tools), a command suite similar to openldap-clients, but openldap-clients is easier to use because it supports client configuration files.
OpenLDAP client configuration files and command line options
##OpenLDAP client configuration files (read in this order; later files override earlier ones)
/etc/openldap/ldap.conf    #Global client conf; BINDDN (the DN to bind as) is a user-only option and is ignored here
$HOME/ldaprc, $HOME/.ldaprc       #per-user configuration file, set BINDDN here
./ldaprc                #configuration file in the current working directory
#Typical configuration
$cat /etc/openldap/ldap.conf
BASE    dc=station08, dc=example, dc=com
URI  ldap://station08.example.com
$cat /root/.ldaprc
BINDDN  cn=Directory Manager
##common command line options
-x         simple authentication, not SASL bind
-W         prompt for the bind password
-w passwd  bind password on the command line (visible in the process list and shell history; prefer -W)
-D binddn  bind DN    #the user to authenticate as
-b basedn  base DN for the search
-h host    LDAP server
-H URI     LDAP Uniform Resource Identifier(s)  #ldap://station08.example.com:389
-c         continuous operation mode (do not stop on errors); useful for skipping entries that already exist when importing from LDIF
-Z         issue a StartTLS request (-ZZ to require a successful response), or use -H ldaps:// instead
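The precedence above (system-wide ldap.conf first, the per-user files next, ./ldaprc last, with user-only options such as BINDDN ignored in the global file) is easy to get wrong when debugging why a bind uses the wrong DN. The script below is an added example, not code from the original post or from OpenLDAP: it models that resolution over constructed file contents. The read order and the user-only rule follow ldap.conf(5); the file contents are made up for the example and nothing is read from disk.

```python
"""Added example, not code from the original post: resolve the effective
OpenLDAP client configuration the way ldap.conf(5) describes it.  Files are
read in order and later files override earlier ones, except that user-only
options such as BINDDN are ignored in the system-wide file.
The file contents below are constructed; nothing is read from disk."""

USER_ONLY = {"BINDDN"}   # ldap.conf(5): "This is a user-only option."


def parse_ldap_conf(text):
    """Parse 'OPTION value' lines into a dict; '#' comments and blank
    lines are skipped and option names are case-insensitive."""
    options = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            options[parts[0].upper()] = parts[1].strip()
    return options


def effective_config(files):
    """files: list of (path, contents) in read order; the first entry is
    the system-wide file.  Returns (effective options, ignored settings)."""
    effective, ignored = {}, []
    for index, (path, contents) in enumerate(files):
        for name, value in parse_ldap_conf(contents).items():
            if index == 0 and name in USER_ONLY:
                ignored.append((path, name))
                continue
            effective[name] = value
    return effective, ignored


# Constructed sample files, using the values from the post's typical configuration.
SAMPLE_FILES = [
    ("/etc/openldap/ldap.conf",
     "# global client defaults\n"
     "BASE    dc=station08, dc=example, dc=com\n"
     "URI  ldap://station08.example.com\n"
     "BINDDN  cn=Directory Manager\n"),                    # silently ignored here
    ("/root/.ldaprc", "BINDDN  cn=Directory Manager\n"),
    ("./ldaprc", "URI ldaps://station08.example.com\n"),   # read last, so it wins
]

if __name__ == "__main__":
    config, ignored = effective_config(SAMPLE_FILES)
    for name, value in sorted(config.items()):
        print(f"{name:8}{value}")
    for path, name in ignored:
        print(f"ignored user-only option {name} in {path}")
```

Because ./ldaprc is read last and can override URI, run the OpenLDAP tools from a working directory you control; an ldaprc left in a shared directory silently redirects the client.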

Command line Search  Operation

# By default the search filter is (objectclass=*) and ALL attributes are displayed. Search is allowed for anonymous users, so no password is prompted for.
$ldapsearch -x
#
$ldapsearch -x -LLL    #less verbose: -LLL prints plain LDIF with no comments or version line
$ldapsearch -x  -s base    #search scope: one of base, one (one level below the base), sub (whole subtree) or children (subtree without the base entry); default is sub
#Search filters, RFC 2254 (now RFC 4515)
#There is no ">" or "<" operator, only >= and <=
= exact match; >= greater than or equal; <= less than or equal; ~= approximate match
*  wildcard
#Logical operators (prefix notation; & and | take any number of operands)
NOT   !   #( ! (uidNumber=500) )
OR    |   # (| (uidNumber>=502)(uid~=jim))
AND   &   # (& (uidNumber>=502)(uid~=jim))
#Escaped chars
Character       ASCII value
---------------------------
*               0x2a
(               0x28
)               0x29
\               0x5c
NUL             0x00
The RFC 4515 form is a backslash followed by the two hex digits, e.g. "\28" for "("; OpenLDAP's tools also accept "\(", but the hex form is the portable one.
e.g. to search for telephoneNumber: (02)98660000 use ldapsearch -x  '(telephonenumber=\(02\)98660000)'
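The escaping rules above are what stand between an application and LDAP filter injection: a value taken from a user and pasted into a filter unescaped can change the filter's structure instead of being matched as text. The Python below is an added example, not code from the original post: a small RFC 4515 filter parser and evaluator (hex escapes only; `~=` is treated as a case-insensitive `=`, since approximate matching is server-defined) run over a constructed in-memory directory, together with the escaping a login form must apply. The entries, the `login_filter` function and the inputs are all constructed for the example.

```python
"""Added example, not code from the original post: an RFC 4515 filter
parser/evaluator over constructed entries, plus the escaping an application
must apply before placing untrusted text in a filter.  Only hex escapes
(\\2a \\28 \\29 \\5c \\00) are recognised; '~=' is treated as a
case-insensitive '=' because approximate matching is server-defined."""
import re

# Metacharacters of a filter assertion value and their RFC 4515 escapes.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    """Hex-escape filter metacharacters so the value can only match literally."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def _unescape(value):
    """Turn \\XX escapes back into the characters they stand for."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text):
    """Parse '(attr=value)', '(&...)', '(|...)' and '(!...)' into a tuple tree."""
    pos = 0

    def node():
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if text[pos] in "&|!":
            op, pos = text[pos], pos + 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(node())
            result = (op, children)
        else:
            end = text.index(")", pos)            # an escaped ')' is '\29', so this is the real one
            m = re.fullmatch(r"([^=<>~]+)(>=|<=|~=|=)(.*)", text[pos:end])
            if not m:
                raise ValueError(f"bad assertion {text[pos:end]!r}")
            result, pos = (m.group(2), m.group(1).lower(), m.group(3)), end
        if pos >= len(text) or text[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        pos += 1
        return result

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after the filter")
    return tree


def _assertion_matches(op, pattern, actual):
    """Evaluate one assertion; '*' in the pattern is a wildcard, escapes are literal."""
    if op in ("=", "~="):
        regex = ".*".join(re.escape(_unescape(part)) for part in pattern.split("*"))
        return re.fullmatch(regex, actual, re.IGNORECASE) is not None
    wanted, have = _unescape(pattern), actual
    try:
        wanted, have = int(wanted), int(have)      # numeric ordering where both are integers
    except ValueError:
        pass
    return have >= wanted if op == ">=" else have <= wanted


def matches(tree, entry):
    """entry: dict of lowercase attribute name -> list of string values."""
    op = tree[0]
    if op == "&":
        return all(matches(child, entry) for child in tree[1])
    if op == "|":
        return any(matches(child, entry) for child in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, pattern = tree
    return any(_assertion_matches(op, pattern, v) for v in entry.get(attr, []))


# Constructed directory content for the example.
DIRECTORY = [
    {"uid": ["jsmith"], "uidnumber": ["500"], "objectclass": ["posixAccount"],
     "telephonenumber": ["(02)98660000"]},
    {"uid": ["jim"], "uidnumber": ["502"], "objectclass": ["posixAccount"]},
    {"uid": ["admin"], "uidnumber": ["0"], "objectclass": ["posixAccount"]},
]


def search(filter_text, entries=DIRECTORY):
    """Return the uids of the entries the filter matches, as ldapsearch would list them."""
    tree = parse_filter(filter_text)
    return [entry["uid"][0] for entry in entries if matches(tree, entry)]


def login_filter(username, escape=True):
    """Filter a login form might build; escape=False reproduces the injection mistake."""
    value = escape_filter_value(username) if escape else username
    return f"(&(uid={value})(objectClass=posixAccount))"


if __name__ == "__main__":
    print(search("(telephonenumber=\\2802\\2998660000)"))   # ['jsmith']
    print(search(login_filter("*)(uid=*", escape=False)))   # every account
    print(search(login_filter("*)(uid=*")))                 # []
```

With the username `*)(uid=*` the unescaped filter becomes `(&(uid=*)(uid=*)(objectClass=posixAccount))`, which matches every account; after `escape_filter_value` the same input is `\2a\29\28uid=\2a`, a literal that matches nothing. Real client libraries ship an equivalent escaping function; the point is that it has to be called on every value that comes from outside.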
Command line  change operation 
Change operations need admin privileges; bind as the privileged DN specified by BINDDN in $HOME/.ldaprc or with "-D" on the command line.

##changetypes that operate on a whole record
changetype: add
changetype: delete
changetype: moddn
changetype: modify
##----------------------changetype: add
#The default changetype is add, so there is no need to declare "changetype: add" as long as "-a" is given to ldapmodify (ldapadd is ldapmodify -a)
$cat /tmp/f1.ldif
dn: uid=jsmith,ou=People, dc=station08, dc=example, dc=com
uid: jsmith
givenName: john
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: smith
cn: john smith
$ldapmodify -x -W -a -f /tmp/f1.ldif
Enter LDAP Password:
adding new entry "uid=jsmith,ou=People, dc=station08, dc=example, dc=com"
##----------------------changetype: delete
#Option 1, use ldapmodify command
$cat /tmp/f1.ldif
dn: uid=jsmith,ou=People, dc=station08, dc=example, dc=com
changetype: delete
$ldapmodify -x -W -f /tmp/f1.ldif
Enter LDAP Password:
deleting entry "uid=jsmith,ou=People, dc=station08, dc=example, dc=com"
#Option 2, use the ldapdelete command; note the input format difference: one DN per line, not LDIF
#ldapdelete supports recursive deletion of a subtree with "-r"
$cat /tmp/f1.ldif
uid=jsmith,ou=People, dc=station08, dc=example, dc=com
$ldapdelete -x -W -f /tmp/f1.ldif
##----------------------changetype: moddn
#Change the RDN (relative distinguished name), the first component of the DN; "changetype: modrdn" and "changetype: moddn" are synonyms
#Option 1, use the ldapmodify command
$cat /tmp/f1.ldif
dn: uid=jsmith,ou=People, dc=station08, dc=example, dc=com
changetype: modrdn
newrdn: uid=jsmith2
deleteoldrdn: 1
$ldapmodify -x -W -f /tmp/f1.ldif
Enter LDAP Password:
modifying rdn of entry "uid=jsmith,ou=People, dc=station08, dc=example, dc=com"
rename completed
#Option 2, use ldapmodrdn to achieve the same result; the input file holds the DN on one line and the new RDN on the next ("-r" deletes the old RDN value)
$ cat /tmp/f1.ldif
uid=jsmith,ou=People, dc=station08, dc=example, dc=com
uid=jsmith2
$ldapmodrdn -x -r -W -f /tmp/f1.ldif
##----------------------changetype: modify
#add, replace or delete attributes of a record, not the record itself
#multiple modifications in one record are separated by a line containing only "-"; the whole list is applied atomically, so if one step fails (e.g. deleting an attribute the entry doesn't have) none of them is applied
$cat /tmp/f1.ldif
dn: uid=jsmith,ou=People, dc=station08, dc=example, dc=com
changetype: modify
add: mail
mail: jsmith@example.com
-
delete: facsimileTelephoneNumber
-
replace: telephonenumber
telephonenumber: +1 408 555 1234
$ldapmodify -x -W -f /tmp/f1.ldif
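The change records above are ordinary LDIF; what trips people up is the `-` separator, the default changetype, and the fact that a modify is all-or-nothing. The Python below is an added example, not code from the original post: a parser for LDIF change records (handling the `-` separator, `::` base64 values, folded continuation lines and `#` comments) and an `apply_modify` that applies a modify to an in-memory entry with the server's semantics, including rejecting the deletion of an absent attribute. The LDIF text is constructed for the example; it adds an entry with a facsimileTelephoneNumber and then runs the modify record from the post against it.

```python
"""Added example, not code from the original post: parse LDIF change records
(the ldapmodify input format) and apply a 'changetype: modify' to an
in-memory entry with LDAP's semantics."""
import base64


def _unfold(text):
    """Drop '#' comment lines and join continuation lines (leading space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def _split_attr(line):
    """'attr: value' or 'attr:: base64' -> (lowercase attr, decoded value)."""
    name, _, value = line.partition(":")
    if value.startswith(":"):
        return name.strip().lower(), base64.b64decode(value[1:].strip()).decode("utf-8")
    return name.strip().lower(), value.strip()


def parse_ldif_changes(text):
    """One dict per record: dn, changetype ('add' when absent, as with ldapmodify -a),
    attrs (attr -> values; also newrdn etc. for modrdn) and mods ([op, attr, values])."""
    records, current = [], None
    for line in _unfold(text) + [""]:
        if not line.strip():                      # blank line ends a record
            if current is not None:
                records.append(current)
            current = None
            continue
        if current is None:
            name, value = _split_attr(line)
            if name != "dn":
                raise ValueError(f"record must start with dn:, got {line!r}")
            current = {"dn": value, "changetype": "add", "attrs": {}, "mods": []}
            continue
        if line == "-":                           # separator between modifications
            continue
        name, value = _split_attr(line)
        if name == "changetype":
            current["changetype"] = value.lower()
        elif current["changetype"] == "modify" and name in ("add", "delete", "replace"):
            current["mods"].append([name, value.lower(), []])
        elif current["changetype"] == "modify":
            group = current["mods"][-1]
            if group[1] != name:
                raise ValueError(f"{name} value inside '{group[0]}: {group[1]}' group")
            group[2].append(value)
        else:
            current["attrs"].setdefault(name, []).append(value)
    return records


def apply_modify(entry, mods):
    """Apply [op, attr, values] groups to a copy of entry.  As on a server the list
    is all-or-nothing: deleting an absent attribute raises (noSuchAttribute)."""
    result = {attr: list(values) for attr, values in entry.items()}
    for op, attr, values in mods:
        if op == "add":
            result.setdefault(attr, []).extend(values)
        elif op == "delete":
            if attr not in result:
                raise ValueError(f"noSuchAttribute: {attr}")
            if values:
                result[attr] = [v for v in result[attr] if v not in values]
            else:
                del result[attr]
        elif op == "replace":                     # replace with no values removes the attribute
            if values:
                result[attr] = list(values)
            else:
                result.pop(attr, None)
    return result


# Constructed sample: an add record (cn as base64, a folded telephone line), then the post's modify.
SAMPLE_LDIF = """\
dn: uid=jsmith,ou=People,dc=station08,dc=example,dc=com
objectClass: top
objectClass: inetOrgPerson
sn: smith
cn:: am9obiBzbWl0aA==
facsimileTelephoneNumber: +1 408 555 9999
telephonenumber: +1 408
  555 0000

dn: uid=jsmith,ou=People,dc=station08,dc=example,dc=com
changetype: modify
add: mail
mail: jsmith@example.com
-
delete: facsimileTelephoneNumber
-
replace: telephonenumber
telephonenumber: +1 408 555 1234
"""


def demo():
    """Parse the sample and apply the modify record to the added entry."""
    added, change = parse_ldif_changes(SAMPLE_LDIF)
    return apply_modify(added["attrs"], change["mods"])
```

Attribute names are lowercased on parsing because LDAP attribute types are case-insensitive; a server does the same when it matches `delete: facsimileTelephoneNumber` against the stored attribute.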