OpenLDAP Server Configuration on CentOS 7 / RHEL 7

OpenLDAP is an open-source implementation of the Lightweight Directory Access Protocol developed by the OpenLDAP Project. LDAP is an Internet protocol that email and other programs use to look up contact information from a server. It is released under the OpenLDAP Public License and is available for all major Linux distributions, AIX, Android, HP-UX, OS X, Solaris, Windows and z/OS.

It functions like a relational database in certain ways and can be used to store any information. LDAP is not limited to storing information; it is also used as a backend database for “single sign-on”, where one password per user is shared between many services.

We will configure OpenLDAP for centralized login, where users log in to multiple servers with a single account.

Prerequisites:

Make sure the LDAP server “master.atlas.local” (192.168.xx.xx) is reachable by name.

Make an entry for each machine in /etc/hosts for name resolution

vi /etc/hosts
192.168.12.10 master.atlas.local server

Here I will use the IP address throughout the configuration.

Install the following LDAP RPM packages to get started. Run the command below on the LDAP server (master.atlas.local).

yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel

Start the LDAP service and enable it to start automatically at boot.

# systemctl start slapd.service
# systemctl enable slapd.service

Verify that slapd is listening on port 389.

# netstat -antup | grep -i 389

tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      1520/slapd
tcp6       0      0 :::389                  :::*                    LISTEN      1520/slapd

Set up the LDAP root password:

Run the command below to create an LDAP root password; we will use this root password throughout this article, so make a note of it and keep it aside.

[root@server ~]# slappasswd

New password:
Re-enter new password:
{SSHA}d/thexcQUuSfe3rx3gRaEhHpNJ52N8D3

[root@server ~]#

Configure OpenLDAP server:

The OpenLDAP server's configuration files are found in /etc/openldap/slapd.d/. To start the configuration, we need to set the attributes “olcSuffix”, “olcRootDN” and “olcRootPW”.

olcSuffix – the database suffix, i.e. the domain name for which the LDAP server provides information. In simple words, change it to your domain name.

olcRootDN – the Root Distinguished Name (DN), the entry for the user who has unrestricted access to perform all administration activities on the directory, like a root user.

olcRootPW – the password for the above RootDN (the hash produced by slappasswd).

Create an LDIF file with the entries below. Each entry must be separated from the next by a blank line; otherwise ldapmodify reads two changes as one entry and rejects the file.

# vi db.ldif
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=atlas,dc=local

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=atlas.com,dc=atlas,dc=local

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}QF+jBFJ/RWGVwPuDzQI87YJfJtKOYGhK

Use the hash that slappasswd printed for you, not the one shown here. Once you are done with the LDIF file, send the configuration to the LDAP server:

ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif

Next, restrict access to the monitor database (olcDatabase={1}monitor, stored on disk as /etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif; do not edit that file by hand) so that only the local root user and the LDAP root DN configured above (cn=atlas.com) can read it.

# vi monitor.ldif
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=atlas.com,dc=atlas,dc=local" read by * none

Once you have updated the file, send the configuration to the LDAP server:

ldapmodify -Y EXTERNAL -H ldapi:/// -f monitor.ldif

Create LDAP certificate:

Let's create a self-signed certificate for our LDAP server. The command below generates both the certificate and the private key in the /etc/openldap/certs/ directory. The Common Name you enter should be the hostname that clients will use to reach the server.

openssl req -new -x509 -nodes -out /etc/openldap/certs/Filenamecert.pem -keyout /etc/openldap/certs/Filenamekey.pem -days 365

Generating a 2048 bit RSA private key
...+++
..........................................+++

writing new private key to '/etc/openldap/certs/Filenamekey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]: XX
State or Province Name (full name) []: XX
Locality Name (eg, city) [Default City]: XXXXXX
Organization Name (eg, company) [Default Company Ltd]:MaddySystems
Organizational Unit Name (eg, section) []:IT Infra
Common Name (eg, your name or your server's hostname) []:server.atlas.local
Email Address []:admin@maddy.co.in

Set the owner and group of the files to ldap.

chown -R ldap:ldap /etc/openldap/certs/*.pem

Verify the created certificate and key under /etc/openldap/certs/.

ll /etc/openldap/certs/*.pem

-rw-r--r--. 1 ldap ldap 1440 Oct 10 02:31 /etc/openldap/certs/Filenamecert.pem
-rw-r--r--. 1 ldap ldap 1704 Oct 10 02:31 /etc/openldap/certs/Filenamekey.pem

Note that this listing shows the private key as world-readable (-rw-r--r--). Restrict it to the ldap user (mode 0600) so that other local accounts cannot read it.

Create a certs.ldif file to configure LDAP to use the self-signed certificate for TLS (again, one blank line between the two entries).

# vi certs.ldif
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/Filenamecert.pem

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/Filenamekey.pem

Import the configuration into the LDAP server.

ldapmodify -Y EXTERNAL -H ldapi:/// -f certs.ldif

Verify the configuration:

slaptest -u

You should see the following message, which confirms that the configuration is valid:

config file testing succeeded

Set up the LDAP database:

Copy the sample database configuration file to /var/lib/ldap and update the file ownership.

cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap:ldap /var/lib/ldap/*

Add the cosine, nis and inetorgperson LDAP schemas.

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

Generate a base.ldif file for your domain (one blank line between entries, as before).

# vi base.ldif

dn: dc=atlas,dc=local
dc: atlas
objectClass: top
objectClass: domain

dn: cn=atlas.com,dc=atlas,dc=local
objectClass: organizationalRole
cn: atlas.com
description: LDAP Manager

dn: ou=People,dc=atlas,dc=local
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=atlas,dc=local
objectClass: organizationalUnit
ou: Group

Build the directory structure.

ldapadd -x -W -D "cn=atlas.com,dc=atlas,dc=local" -f base.ldif

The ldapadd command prompts for the password of atlas.com (the LDAP root user).

Enter LDAP Password:

Output:

adding new entry "dc=atlas,dc=local"
adding new entry "cn=atlas.com,dc=atlas,dc=local"
adding new entry "ou=People,dc=atlas,dc=local"
adding new entry "ou=Group,dc=atlas,dc=local"
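ldapmodify and ldapadd treat a blank line as the boundary between entries, so a missing separator (the mistake that is easy to make when typing db.ldif or base.ldif by hand) makes the tool read two entries as one and reject the whole file. The shell function below is an added example, not part of the original article: it checks an LDIF file before it is sent to the server, counting entries and flagging any entry that does not begin with dn: or that contains a second dn: line without a blank line before it. The two sample files it builds are constructed here from the db.ldif and base.ldif shown above (with a placeholder in place of the password hash); check_ldif and the demo_* helper names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): sanity-check an LDIF file
# before running ldapmodify/ldapadd on it.
#
# check_ldif FILE [modify|add]
#   Prints one line per problem, then "entries=N problems=M", and returns
#   non-zero when M > 0. In "modify" mode every entry must carry a
#   changetype: line; ldapadd input (mode "add") does not need one.
check_ldif() {
    awk -v mode="${2:-modify}" '
    function flush() {
        if (nlines == 0) return                 # nothing buffered yet
        entries++
        if (first !~ /^dn: /) {
            problems++; printf "entry %d starts with \"%s\" instead of dn:\n", entries, first
        }
        if (mode == "modify" && !has_ct) {
            problems++; printf "entry %d has no changetype: line\n", entries
        }
        nlines = 0; has_ct = 0; first = ""
    }
    /^#/        { next }                        # comment lines are ignored
    /^[ \t]*$/  { flush(); next }               # blank line closes the entry
    {
        if (nlines == 0) first = $0
        nlines++
        if ($0 ~ /^changetype: /) has_ct = 1
        if (nlines > 1 && $0 ~ /^dn: /) {      # second dn: inside one entry
            problems++; printf "entry %d: \"%s\" is not preceded by a blank line\n", entries + 1, $0
        }
    }
    END {
        flush()
        printf "entries=%d problems=%d\n", entries, problems
        exit (problems > 0)
    }' "$1"
}

# Constructed sample 1: db.ldif with the blank line in the wrong place, so
# the second and third change run into each other.
demo_bad_modify() {
    f=$(mktemp); cat >"$f" <<'EOF'
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=atlas,dc=local
dn: olcDatabase={2}hdb,cn=config

changetype: modify
replace: olcRootDN
olcRootDN: cn=atlas.com,dc=atlas,dc=local
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}PLACEHOLDER-HASH-FROM-slappasswd
EOF
    rc=0; check_ldif "$f" modify || rc=$?; rm -f "$f"; return $rc
}

# Constructed sample 2: base.ldif with one blank line between entries,
# checked in "add" mode because ldapadd input carries no changetype:.
demo_good_add() {
    f=$(mktemp); cat >"$f" <<'EOF'
dn: dc=atlas,dc=local
dc: atlas
objectClass: top
objectClass: domain

dn: cn=atlas.com,dc=atlas,dc=local
objectClass: organizationalRole
cn: atlas.com
description: LDAP Manager

dn: ou=People,dc=atlas,dc=local
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=atlas,dc=local
objectClass: organizationalUnit
ou: Group
EOF
    rc=0; check_ldif "$f" add || rc=$?; rm -f "$f"; return $rc
}

# Typical use: check_ldif db.ldif && ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif
```

Run against the mistyped db.ldif the check reports the stray dn: lines and the entry that starts with changetype:, and exits non-zero, so chaining it with && in front of ldapmodify stops a broken file from reaching the server.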

Let's create an LDIF file for a new user called raj.

vi raj.ldif

Paste the lines below into that LDIF file.

dn: uid=raj,ou=People,dc=atlas,dc=local
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: raj
uid: raj
uidNumber: 9999
gidNumber: 100
homeDirectory: /home/raj
loginShell: /bin/bash
gecos: Raj [Admin (at) AtlasSystems]
userPassword: {crypt}x
shadowLastChange: 17058
shadowMin: 0
shadowMax: 99999
shadowWarning: 7

Use the ldapadd command with the above file to create the new user “raj” in the OpenLDAP directory.

ldapadd -x -W -D "cn=atlas.com,dc=atlas,dc=local" -f raj.ldif
Enter LDAP Password:
adding new entry "uid=raj,ou=People,dc=atlas,dc=local"

Assign a password to the user.

ldappasswd -s password123 -W -D "cn=atlas.com,dc=atlas,dc=local" -x "uid=raj,ou=People,dc=atlas,dc=local"

Where,
-s sets the new password from the command line (it then appears in the shell history and in the process list; -S prompts for it instead)
-x uses simple authentication; the final argument is the DN of the user whose password is changed
-D is the distinguished name used to authenticate to the LDAP server
-W prompts for the password of that DN

Verify the LDAP entries. Note that the search below is anonymous (-x without -D) and still returns the userPassword hash, which shows that the database has no access control on that attribute; before exposing the server, add an olcAccess rule on olcDatabase={2}hdb that lets only the entry's owner read and change userPassword and lets anonymous binds use it for authentication only.

ldapsearch -x cn=raj -b dc=atlas,dc=local
# extended LDIF
#
# LDAPv3
# base <dc=atlas,dc=local> with scope subtree
# filter: cn=raj
# requesting: ALL
# raj, People, atlas.local
dn: uid=raj,ou=People,dc=atlas,dc=local
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: raj
uid: raj
uidNumber: 9999
gidNumber: 100
homeDirectory: /home/raj
loginShell: /bin/bash
gecos: Raj [Admin (at) AtlasSystems]
shadowLastChange: 17058
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
userPassword:: e1NTSEF9MkE2eUhIS0pJQVRnMHBCdkpVWjR5Q3JvTkJLTzdBTWY=

# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
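ldapsearch prints userPassword base64-encoded (the double colon in userPassword::), so the output above does not show at a glance which hash scheme is stored. The shell functions below are an added example, not part of the original article: they decode each userPassword in ldapsearch LDIF output and report its scheme, flagging cleartext values, unsalted or legacy schemes and the {crypt}x placeholder from raj.ldif that would remain if ldappasswd were never run. The sample output is constructed from the raj entry above plus a hypothetical second user; the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): audit the password
# storage scheme of entries in ldapsearch output.

# Constructed sample: the raj entry as ldapsearch printed it, plus a
# hypothetical user whose userPassword is still the "{crypt}x" placeholder.
sample_search_output() {
cat <<'EOF'
# extended LDIF
dn: uid=raj,ou=People,dc=atlas,dc=local
objectClass: posixAccount
uid: raj
userPassword:: e1NTSEF9MkE2eUhIS0pJQVRnMHBCdkpVWjR5Q3JvTkJLTzdBTWY=

dn: uid=demo,ou=People,dc=atlas,dc=local
objectClass: posixAccount
uid: demo
userPassword:: e2NyeXB0fXg=
EOF
}

# decode_userpassword LINE -> the stored value. "::" marks a base64 value,
# ":" a literal one (ldapsearch uses "::" for anything not safe as plain text).
decode_userpassword() {
    case "$1" in
        'userPassword:: '*) printf '%s' "${1#userPassword:: }" | base64 -d ;;
        'userPassword: '*)  printf '%s' "${1#userPassword: }" ;;
    esac
}

# audit_passwords < LDIF -> one line per userPassword: "<dn> <scheme> <verdict>".
# Returns non-zero if any value is not a salted SHA or a sha256/sha512 crypt.
# Run ldapsearch with -o ldif-wrap=no so long values are not split over lines.
audit_passwords() {
    dn='' flagged=0
    while IFS= read -r line; do
        case "$line" in
            'dn: '*) dn="${line#dn: }" ;;
            'userPassword:'*)
                value=$(decode_userpassword "$line")
                case "$value" in
                    '{'*) scheme="${value%%\}*}"; scheme="$scheme}" ;;   # e.g. {SSHA}
                    *)    scheme='none' ;;
                esac
                upper=$(printf '%s' "$scheme" | tr '[:lower:]' '[:upper:]')
                case "$upper" in
                    '{SSHA}') verdict='ok' ;;
                    '{CRYPT}')
                        hash="${value#*\}}"
                        case "$hash" in
                            '$5$'*|'$6$'*) verdict='ok' ;;   # sha256/sha512 crypt
                            *) verdict='weak (crypt value is not sha256/sha512, or a placeholder)' ;;
                        esac ;;
                    'NONE') verdict='weak (cleartext)' ;;
                    *)      verdict='weak (unsalted or legacy scheme)' ;;
                esac
                [ "$verdict" = ok ] || flagged=$((flagged + 1))
                printf '%s %s %s\n' "$dn" "$scheme" "$verdict"
                ;;
        esac
    done
    [ "$flagged" -eq 0 ]
}

# Typical use, bound as the root DN so that userPassword is returned:
#   ldapsearch -x -W -D "cn=atlas.com,dc=atlas,dc=local" -b dc=atlas,dc=local \
#       -o ldif-wrap=no userPassword | audit_passwords
```

On the sample the raj entry decodes to an {SSHA} value and passes, while the demo entry is reported as {crypt} weak, and the function exits non-zero so the audit can fail a script.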

To delete an entry from LDAP (optional):

ldapdelete -W -D "cn=atlas.com,dc=atlas,dc=local" "uid=raj,ou=People,dc=atlas,dc=local"

Firewall:

firewall-cmd --permanent --add-service=ldap
firewall-cmd --reload

Enable LDAP logging:

Configure rsyslog to write LDAP events to the log file /var/log/ldap.log.
Add the line below to /etc/rsyslog.conf.

local4.* /var/log/ldap.log

Restart the rsyslog service.

systemctl restart rsyslog

LDAP client configuration to use LDAP Server:

Install the necessary LDAP client packages on the client machine.

# yum install -y openldap-clients nss-pam-ldapd

Execute the command below to join the client machine to the LDAP server for single sign-on. Replace “192.168.12.10” with your LDAP server's IP address or hostname.

# authconfig --enableldap --enableldapauth --ldapserver=192.168.12.10 --ldapbasedn="dc=atlas,dc=local" --enablemkhomedir --update

As written, the client talks plain LDAP on port 389 and user passwords cross the network unencrypted. Add --enableldaptls to use the STARTTLS certificate configured on the server above, and give the client a copy of that certificate to verify the server against.

Restart the LDAP client service.

# systemctl restart  nslcd

Verify LDAP Login:

Use the getent command to fetch the LDAP entry from the server.

# getent passwd raj

raj:x:9999:100:Raj [Admin (at) AtlasSystems]:/home/raj:/bin/bash

The configuration can also be inspected with Apache Directory Studio.

Install Docker in CentOS and RHEL 7/6

Docker is an open-source, lightweight virtualization tool that runs at the operating-system level, allowing users to create, run and deploy applications encapsulated in small containers.

Linux containers of this type have proven to be fast, portable and secure. The processes that run in a Docker container are isolated from the main host, which guards against outside tampering.

This tutorial provides a starting point on how to install Docker and create and run Docker containers on CentOS/RHEL 7/6, but it barely scratches the surface of Docker.

Step 1: Install and Configure Docker

Docker binaries are included in the RHEL/CentOS 7 extras repository, so the installation is simple. Install the Docker package by issuing the following command with root privileges:

Install Docker on RHEL and CentOS 7

yum install docker

Install Docker on RHEL and CentOS 6

# yum install epel-release

# yum install docker-io

After the Docker package has been installed, start the daemon, check its status and enable it system-wide using the commands below:

On RHEL/CentOS 7

# systemctl start docker

# systemctl status docker

# systemctl enable docker

On RHEL/CentOS 6

# service docker start

# service docker status

# chkconfig docker on

Finally, run a test container image to verify that Docker works properly by issuing the following command:

# docker run hello-world

If you can see the below message, then everything is in the right place.

"Hello from Docker. This message shows that your installation appears to be working correctly."

Now, you can run a few basic Docker commands to get some info about Docker:

For system-wide information on Docker

# docker info

Apache Httpd Load Balancer Configuration using mod_jk

Why we need an Apache load balancer

The Apache load balancer module (mod_jk) lets us optimize resource use, maximize throughput, minimize response time and avoid overloading a single server, and it also provides automatic failover.

How it can be utilized

Let us assume that you have two Tomcat web applications running on two different servers. Now you want to make your application highly available and distribute traffic across both Tomcat application servers. Here we can configure one web server (Apache) with the mod_jk module, which acts as the frontend server, while the two Tomcat application servers act as backend servers.

Client requests for your application arrive at the web server (Apache). Based on the mod_jk configuration, Apache forwards each request to one of the two Tomcat instances. Cool!!!!

How to configure mod_jk on Apache Web server.

1. First download the mod_jk source from the link below. Choose the package according to your server architecture (32-bit or x64).

For Linux:
http://apache.petsads.us//tomcat/tomcat-connectors/jk/tomcat-connectors-1.2.37-src.tar.gz

For Windows:
http://apache.petsads.us//tomcat/tomcat-connectors/jk/binaries/windows/

If you are using Windows, simply copy the mod_jk.so file into your Apache modules directory.
If you are using Linux, build mod_jk.so using the steps below.

1.1 Extract tomcat-connectors-1.2.37-src.tar.gz:
# tar -zxvf tomcat-connectors-1.2.37-src.tar.gz

1.2 Now configure it with the command below (the configure script is in the native/ subdirectory of the extracted source):
# ./configure --with-apxs=/usr/sbin/apxs

1.3 Now run make and then make install:
# make && make install
Note: if you get an error, check whether the "httpd-devel" package is installed.

1.4 If the above three commands run successfully, mod_jk.so has been created in the /etc/httpd/modules/ directory.

2. Now load the module in Apache's httpd.conf file with the lines below; they can be appended at the bottom of httpd.conf.
#
# Load mod_jk
#
LoadModule jk_module modules/mod_jk.so

3. Now you need to specify workers.properties file path in httpd.conf file, so that apache can read the configuration of both tomcat applications.

JkWorkersFile conf/workers.properties

4. You can also specify the log file location, log level and log timestamp format in httpd.conf:

JkLogFile logs/mod_jk.log
JkLogLevel warn
JkLogStampFormat "[%a %b %d %H:%M:%S %Y]"

5. Now create the workers.properties file with the following content.

worker.list=loadbalancer
worker.jvm1.port=8009
worker.jvm1.host=192.168.186.161
worker.jvm1.type=ajp13
worker.jvm1.lbfactor=1
worker.jvm1.max_packet_size=65536
#worker.jvm1.socket_timeout=60
#worker.jvm1.connection_pool_timeout=60
worker.jvm2.port=8009
worker.jvm2.host=192.168.186.162
worker.jvm2.type=ajp13
worker.jvm2.lbfactor=1
worker.jvm2.max_packet_size=65536
#worker.jvm2.socket_timeout=60
#worker.jvm2.connection_pool_timeout=60
worker.loadbalancer.type=lb
worker.loadbalancer.balance_workers=jvm1,jvm2
worker.loadbalancer.sticky_session=1
worker.jvm1.socket_keepalive=1
worker.jvm2.socket_keepalive=1
worker.loadbalancer.method=B
Here:
– worker.jvm1.port is the AJP port of the Tomcat application server as configured in its server.xml,
– worker.jvm1.host is the IP address of the Tomcat application server,
– worker.jvm1.type is the AJP protocol version,
– worker.jvm1.lbfactor assigns a weight to the Tomcat instance,
– worker.jvm1.max_packet_size specifies the maximum packet size.
Note that we have used the names jvm1 and jvm2: jvm1 for Tomcat server 1 and jvm2 for the other Tomcat server.
– worker.loadbalancer.balance_workers lists the worker names of the Tomcat application servers,
– worker.loadbalancer.sticky_session enables sticky sessions,
– worker.loadbalancer.method sets the load balancing method.

6. Now you need to mount Load Balancer in httpd.conf file. You can use below string in httpd.conf file to mount load balancer.

JkMount /* loadbalancer

If you want to exclude a path, use a JkUnMount directive placed before the JkMount directive, as shown below.

JkUnMount /balancer-manager loadbalancer
JkMount /* loadbalancer

7. Once all above-mentioned configuration is done, you can restart apache web server and test.

For sticky session testing:

If your application relies on sessions, you need sticky sessions at the Apache load balancer. In workers.properties we have already set worker.loadbalancer.sticky_session to 1, but Tomcat needs a matching setting too. On both application servers edit tomcat/conf/server.xml and change the Engine element as shown below.
Before:
<Engine name="Catalina" defaultHost="localhost" >
After:
<Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
On Tomcat app server 1 use jvm1 and on the second Tomcat use jvm2; the jvmRoute value must match the worker name in workers.properties.
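The shell functions below are an added example, not part of the original article. check_workers reads a workers.properties and reports each balance worker's host and port, failing if a worker named in balance_workers is missing its host, port or type=ajp13 or if a worker in worker.list is not of type lb; jvmroute_matches checks that the jvmRoute in a Tomcat <Engine> element is one of those worker names, which the sticky-session setup in step 7 depends on. The sample workers.properties is constructed from the one above; the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): validate a mod_jk
# workers.properties and check that a Tomcat jvmRoute names one of its
# balance workers, which sticky sessions depend on.

# Constructed sample with the same content as the workers.properties above.
sample_workers() {
cat <<'EOF'
worker.list=loadbalancer
worker.jvm1.port=8009
worker.jvm1.host=192.168.186.161
worker.jvm1.type=ajp13
worker.jvm1.lbfactor=1
worker.jvm1.max_packet_size=65536
#worker.jvm1.socket_timeout=60
worker.jvm2.port=8009
worker.jvm2.host=192.168.186.162
worker.jvm2.type=ajp13
worker.jvm2.lbfactor=1
worker.jvm2.max_packet_size=65536
worker.loadbalancer.type=lb
worker.loadbalancer.balance_workers=jvm1,jvm2
worker.loadbalancer.sticky_session=1
worker.jvm1.socket_keepalive=1
worker.jvm2.socket_keepalive=1
worker.loadbalancer.method=B
EOF
}

# check_workers < workers.properties
#   Prints "<lb> -> <worker>: host:port lbfactor=N" for every balance worker;
#   returns non-zero if a listed worker is not of type lb, has no
#   balance_workers, or a balance worker lacks host, port or type=ajp13.
check_workers() {
    awk -F= '
    /^[ \t]*#/ || /^[ \t]*$/ { next }           # comments and blank lines
    {
        key = $1; val = $2
        sub(/[ \t]+$/, "", key); sub(/^[ \t]+/, "", val)
        prop[key] = val
    }
    END {
        n = split(prop["worker.list"], lbs, ",")
        for (i = 1; i <= n; i++) {
            lb = lbs[i]
            if (prop["worker." lb ".type"] != "lb") {
                printf "%s: listed in worker.list but not of type lb\n", lb; problems++; continue
            }
            m = split(prop["worker." lb ".balance_workers"], ws, ",")
            if (m == 0) { printf "%s: has no balance_workers\n", lb; problems++ }
            for (j = 1; j <= m; j++) {
                w = ws[j]; missing = ""
                hostk = "worker." w ".host"; portk = "worker." w ".port"; lbfk = "worker." w ".lbfactor"
                if (!(hostk in prop)) missing = missing " host"
                if (!(portk in prop)) missing = missing " port"
                if (prop["worker." w ".type"] != "ajp13") missing = missing " type=ajp13"
                if (missing != "") {
                    printf "%s -> %s: missing%s\n", lb, w, missing; problems++
                } else {
                    lbf = (lbfk in prop) ? prop[lbfk] : "1"   # mod_jk default weight
                    printf "%s -> %s: %s:%s lbfactor=%s\n", lb, w, prop[hostk], prop[portk], lbf
                }
            }
        }
        exit (problems > 0)
    }'
}

# jvmroute_matches ENGINE_LINE < workers.properties
#   ENGINE_LINE is the <Engine ...> element from a Tomcat server.xml; returns 0
#   only when its jvmRoute is one of the balance workers.
jvmroute_matches() {
    route=$(printf '%s\n' "$1" | sed -n 's/.*<Engine[^>]*jvmRoute="\([^"]*\)".*/\1/p')
    if [ -z "$route" ]; then
        echo "no jvmRoute attribute on <Engine>: sessions will not stick"; return 1
    fi
    lbw=$(sed -n 's/^worker\.[^.]*\.balance_workers=//p')
    case ",$lbw," in
        *",$route,"*) echo "jvmRoute=$route matches a balance worker" ;;
        *) echo "jvmRoute=$route is not in balance_workers=$lbw"; return 1 ;;
    esac
}

# Typical use:
#   check_workers < /etc/httpd/conf/workers.properties
#   grep '<Engine' tomcat/conf/server.xml | jvmroute_matches "$(cat)" < /etc/httpd/conf/workers.properties
```

Deleting a single worker.jvm2.host line from the sample makes check_workers report that member as missing and exit non-zero, and an Engine element whose jvmRoute is not jvm1 or jvm2 (or has none at all) fails jvmroute_matches.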

Installing Java on Linux

Downloading

Download the latest version of JDK from http://www.java.sun.com. I have downloaded jdk-1_5_0_01-Linux-i586.bin for this tutorial.
Installing
Change to the directory where you downloaded the JDK ( I downloaded it in my home directory /home/maddy) and make the self-extracting binary executable:
chmod +x jdk-1_5_0_01-Linux-i586.bin

Run the self-extracting binary, this will display the License agreement text and will ask you to accept the agreement:
./jdk-1_5_0_01-Linux-i586.bin
The above command creates a directory called jdk1.5.0_01 in /home/maddy. Move the JDK directory to /opt with the following command:
mv jdk1.5.0_01 /opt
Set the JAVA_HOME environment variable by modifying /etc/profile so that it includes the following:

JAVA_HOME="/opt/jdk1.5.0_01"
export JAVA_HOME

Save /etc/profile, then run the following command for the change to take effect:
source /etc/profile
Check that JAVA_HOME is defined correctly using the command below. You should see the path to your Java JDK.
echo $JAVA_HOME
The output should be:
/opt/jdk1.5.0_01
Now make the new Java the default through the alternatives utility. First we register the new java with alternatives, then we configure it as the default.
To register java using the alternatives command:
alternatives --install /usr/bin/java java /opt/jdk1.5.0_01/bin/java 2
Now configure it as the default Java:

alternatives --config java

The above command prints a menu like the one below; select the entry for the new Java.
[root@alpeshpc opt]# alternatives --config java

There are 3 programs which provide 'java'.

  Selection    Command
-----------------------------------------------
*  1           /usr/lib/jvm/jre-1.4.2-gcj/bin/java
   2           /opt/jdk1.5.0_01/bin/java

Type 2 and press Enter.

That's it.