Archive for August, 2005

Some LDAP Work

August 30th, 2005

Building a new LDAP server today… lots of fun. I decided to put together some docs of what I was doing. So here they are:

Configuring OpenLDAP on Suse Linux

The purpose of this document is to describe how to configure OpenLDAP as a back-end database, or user-information repository, for IEEE 802.1x port authentication. In an IEEE 802.1x-enabled environment, user credentials are validated against a user database by the authentication server, which runs RADIUS. The authentication server receives authentication attempts from the end user via the authenticator (a LAN switch or wireless AP).

Note: it is best practice to ensure that a good copy of any system configuration file is saved before starting. Make backup copies of all system configuration files!
Once the system is installed, updated, and normalized, start by editing /etc/openldap/ldap.conf. Add the following entries:

HOST 127.0.0.1
BASE dc=company,dc=com

Save this file, and open slapd.conf in the same directory. Edit the following:

#######################################################################
# bdb database definitions
#######################################################################

database bdb
checkpoint 1024 5
cachesize 10000
suffix "dc=company,dc=com"
rootdn "cn=Manager,dc=company,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
#rootpw secret
rootpw {MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain
index objectClass eq

The rootpw can be generated by using the slappasswd command.

linuxhost:~ # slappasswd -h {MD5}
New password:
Re-enter new password:
{MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==
linuxhost:~ #
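As an added example (not code from the original post, and not OpenLDAP's own implementation), the Python below reproduces the RFC 2307 userPassword encodings that slapd and slappasswd use: {MD5}, {SMD5}, {SHA} and {SSHA}. The rootpw in the listing above verifies against the password secret, which is also the login_pass that the PHPLDAPAdmin configuration further down this page stores in clear text. Because {MD5} is unsalted, that value is identical on every server that stores the same password; slappasswd's default scheme, {SSHA}, appends a random 4-byte salt, so two hashes of one password differ, which makes it the better choice for a rootpw. Function names are this example's own.

```python
"""RFC 2307 userPassword encodings as used by slapd and slappasswd.

Added example, not code from the original post. {MD5} and {SHA} are plain
base64 digests; {SMD5} and {SSHA} hash password+salt and store the salt after
the digest, so the same password yields a different value on every server.
Function names are this example's own.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

# scheme -> (hashlib algorithm, digest length in bytes, salted?)
_SCHEMES = {
    "{MD5}": ("md5", 16, False),
    "{SMD5}": ("md5", 16, True),
    "{SHA}": ("sha1", 20, False),
    "{SSHA}": ("sha1", 20, True),
}


def hash_userpassword(password: str, scheme: str = "{SSHA}",
                      salt: Optional[bytes] = None) -> str:
    """Return a value usable as rootpw/userPassword, e.g. {SSHA}base64(sha1(pw+salt)+salt).
    The default scheme is {SSHA}, which is also slappasswd's default."""
    algo, _, salted = _SCHEMES[scheme.upper()]
    if salted:
        salt = os.urandom(4) if salt is None else salt  # slappasswd also uses a 4-byte salt
    else:
        salt = b""                                      # unsalted schemes ignore any salt given
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return scheme.upper() + base64.b64encode(digest + salt).decode("ascii")


def verify_userpassword(stored: str, password: str) -> bool:
    """Check a candidate password against a stored {SCHEME}base64 value,
    using a constant-time comparison of the digests."""
    end = stored.find("}")
    scheme = stored[:end + 1].upper()
    if end < 0 or scheme not in _SCHEMES:
        raise ValueError(f"unsupported userPassword scheme in {stored!r}")
    algo, digest_len, salted = _SCHEMES[scheme]
    raw = base64.b64decode(stored[end + 1:])
    digest, salt = raw[:digest_len], raw[digest_len:]
    if (not salted and salt) or len(digest) != digest_len:
        return False                                    # malformed value, never a match
    candidate = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    post_hash = "{MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ=="          # the rootpw value in the listing above
    print("post's rootpw verifies against 'secret':", verify_userpassword(post_hash, "secret"))
    # Two {SSHA} hashes of one password differ because each gets a fresh salt.
    print(hash_userpassword("secret"), hash_userpassword("secret"))
```

To put the stronger scheme into slapd.conf with the tool the post already uses, run slappasswd without the -h option and paste the {SSHA} line it prints as the rootpw value.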

Start the Server

From the command shell, initialize the LDAP server.
linuxhost:~ # /etc/rc.d/ldap start
Starting ldap-server done
linuxhost:~ #

Populating the LDAP Database

PADL Software Ltd. has a collection of Perl tools that can be used to convert configuration files to LDIF format. Some distributions (such as Redhat/Fedora) include these tools, but apparently Suse does not. These tools are normally located in /usr/share/openldap/migration. If these tools were not included in the distribution being used, they can be downloaded from:

http://www.padl.com/OSS/MigrationTools.html

Installation is simple.

tar zxf MigrationTools.tgz
cd MigrationTools-44

Open the migrate_common.ph file and change the following site-specific variables to reflect the installation:

# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "company.com";
# Default base
$DEFAULT_BASE = "dc=company,dc=com";

Once this is complete, use the migrate_base.pl script to create an LDIF file with the base entries needed to start LDAP:

linuxhost:/usr/share/openldap/migration # ./migrate_base.pl > base.ldif
linuxhost:/usr/share/openldap/migration #

If all goes well, the command prompt should return with no messages. Once this is complete, check the base.ldif file to ensure the proper information is included before it is imported into the LDAP database. The file should look like this:

linuxhost:/usr/share/openldap/migration # more base.ldif
dn: dc=company,dc=com
dc: company
objectClass: top
objectClass: domain

dn: ou=Hosts,dc=company,dc=com
ou: Hosts
objectClass: top
objectClass: organizationalUnit

dn: ou=Rpc,dc=company,dc=com
ou: Rpc
objectClass: top
objectClass: organizationalUnit

dn: ou=Services,dc=company,dc=com
ou: Services
objectClass: top
objectClass: organizationalUnit

dn: nisMapName=netgroup.byuser,dc=company,dc=com
nismapname: netgroup.byuser
objectClass: top
objectClass: nisMap

dn: ou=Mounts,dc=company,dc=com
ou: Mounts
objectClass: top
objectClass: organizationalUnit

dn: ou=Networks,dc=company,dc=com
ou: Networks
objectClass: top
objectClass: organizationalUnit

dn: ou=People,dc=company,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=company,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

dn: ou=Netgroup,dc=company,dc=com
ou: Netgroup
objectClass: top
objectClass: organizationalUnit

dn: ou=Protocols,dc=company,dc=com
ou: Protocols
objectClass: top
objectClass: organizationalUnit

dn: ou=Aliases,dc=company,dc=com
ou: Aliases
objectClass: top
objectClass: organizationalUnit

dn: nisMapName=netgroup.byhost,dc=company,dc=com
nismapname: netgroup.byhost
objectClass: top
objectClass: nisMap

linuxhost:/usr/share/openldap/migration #

Copy the base.ldif into root’s home directory.

Once the base.ldif file has been validated, import the file into the blank LDAP database using the ldapadd tool:

linuxhost:~ # ldapadd -x -D "cn=Manager,dc=company,dc=com" -W -f /root/base.ldif
Enter LDAP Password:
adding new entry "ou=Hosts,dc=company,dc=com"
adding new entry "ou=Rpc,dc=company,dc=com"
adding new entry "ou=Services,dc=company,dc=com"
adding new entry "nisMapName=netgroup.byuser,dc=company,dc=com"
adding new entry "ou=Mounts,dc=company,dc=com"
adding new entry "ou=Networks,dc=company,dc=com"
adding new entry "ou=People,dc=company,dc=com"
adding new entry "ou=Group,dc=company,dc=com"
adding new entry "ou=Netgroup,dc=company,dc=com"
adding new entry "ou=Protocols,dc=company,dc=com"
adding new entry "ou=Aliases,dc=company,dc=com"
adding new entry "nisMapName=netgroup.byhost,dc=company,dc=com"
linuxhost:~ #

Validating Database

Using the ldapsearch tool, the integrity of the data that was just imported can be validated.

linuxhost:/var/lib/ldap # ldapsearch -x -b 'dc=company,dc=com' 'objectclass=*'

# extended LDIF
#
# LDAPv3
# base <dc=company,dc=com> with scope sub
# filter: objectclass=*
# requesting: ALL
#

# company.com
dn: dc=company,dc=com
dc: company
description: Root LDAP entry for LAB at company.com
objectClass: dcObject
objectClass: organizationalUnit
ou: rootobject

# Hosts, company.com
dn: ou=Hosts,dc=company,dc=com
ou: Hosts
objectClass: top
objectClass: organizationalUnit

# Rpc, company.com
dn: ou=Rpc,dc=company,dc=com
ou: Rpc
objectClass: top
objectClass: organizationalUnit

# Services, company.com
dn: ou=Services,dc=company,dc=com
ou: Services
objectClass: top
objectClass: organizationalUnit

# netgroup.byuser, company.com
dn: nisMapName=netgroup.byuser,dc=company,dc=com
nisMapName: netgroup.byuser
objectClass: top
objectClass: nisMap

# Mounts, company.com
dn: ou=Mounts,dc=company,dc=com
ou: Mounts
objectClass: top
objectClass: organizationalUnit

# Networks, company.com
dn: ou=Networks,dc=company,dc=com
ou: Networks
objectClass: top
objectClass: organizationalUnit

# People, company.com
dn: ou=People,dc=company,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

# Group, company.com
dn: ou=Group,dc=company,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

# Netgroup, company.com
dn: ou=Netgroup,dc=company,dc=com
ou: Netgroup
objectClass: top
objectClass: organizationalUnit

# Protocols, company.com
dn: ou=Protocols,dc=company,dc=com
ou: Protocols
objectClass: top
objectClass: organizationalUnit

# Aliases, company.com
dn: ou=Aliases,dc=company,dc=com
ou: Aliases
objectClass: top
objectClass: organizationalUnit

# netgroup.byhost, company.com
dn: nisMapName=netgroup.byhost,dc=company,dc=com
nisMapName: netgroup.byhost
objectClass: top
objectClass: nisMap

# production, company.com
dn: ou=production,dc=company,dc=com
ou: production
objectClass: top
objectClass: organizationalUnit
objectClass: posixGroup
gidNumber: 3001

# search result
search: 2
result: 0 Success

# numResponses: 15
# numEntries: 14

linuxhost:/var/lib/ldap #

This output should roughly match the contents of the base.ldif file that was imported earlier.
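Both the import step and this comparison can be done mechanically rather than by eye. The Python below is an added example, not code from the original post or from OpenLDAP: parse_ldif() reads LDIF of the kind base.ldif and ldapsearch produce (comments and the search:/result: trailer included); order_problems() reports what slapd would refuse when ldapadd sends the file in order, since a child whose parent is not yet in the directory fails with No such object (result 32) and an entry that lacks its own naming attribute fails with a naming violation (result 64); and dn_diff() turns "should roughly match" into a comparison of the two DN sets. The LDIF strings in the block are constructed for the example from a subset of the listings above; run against them, the diff reports ou=production as present on the server but absent from base.ldif, which is exactly the difference visible in the two listings. Function names are this example's own.

```python
"""Check a base LDIF the way ldapadd will, then compare it with ldapsearch output.
Added example, not code from the original post; function names and the sample
LDIF (a constructed subset of the post's listings) are this example's own."""
from typing import Dict, List, Set, Tuple

Entry = Tuple[str, Dict[str, List[str]]]  # (normalized dn, attribute -> values)


def normalize_dn(dn: str) -> str:
    # Sufficient for the DNs on this page; does not handle escaped commas.
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: skips '#' comments and the search:/result: trailer that
    ldapsearch prints, lower-cases attribute names (no folded-line support)."""
    entries: List[Entry] = []
    dn, attrs = None, {}

    def flush() -> None:
        nonlocal dn, attrs
        if dn is not None:
            entries.append((dn, attrs))
        dn, attrs = None, {}

    for line in text.splitlines():
        if not line.strip():
            flush()
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not an LDIF attribute line: {line!r}")
        name, value = name.strip().lower(), value.lstrip()
        if name == "dn":
            flush()
            dn = normalize_dn(value)
        elif dn is not None:          # lines outside an entry are the ldapsearch trailer
            attrs.setdefault(name, []).append(value)
    flush()
    return entries


def order_problems(entries: List[Entry], suffix: str) -> List[str]:
    """Why slapd would refuse each entry when ldapadd sends the file in order."""
    suffix = normalize_dn(suffix)
    seen: Set[str] = set()
    problems: List[str] = []
    for dn, attrs in entries:
        if "objectclass" not in attrs:
            problems.append(f"{dn}: no objectClass")
        # The RDN's attribute and value must be in the entry (else naming violation, 64).
        rdn_attr, _, rdn_value = dn.partition(",")[0].partition("=")
        if rdn_value not in (v.lower() for v in attrs.get(rdn_attr, [])):
            problems.append(f"{dn}: naming attribute {rdn_attr}={rdn_value} not in entry")
        if dn != suffix and not dn.endswith("," + suffix):
            problems.append(f"{dn}: not under suffix {suffix}")
        elif dn != suffix:
            parent = dn.split(",", 1)[1]
            if parent not in seen:    # else ldap_add fails with No such object (32)
                problems.append(f"{dn}: parent {parent} not added yet")
        seen.add(dn)
    return problems


def dn_diff(file_entries: List[Entry], server_entries: List[Entry]) -> Tuple[Set[str], Set[str]]:
    """(DNs in the file but not on the server, DNs on the server but not in the file)."""
    in_file = {dn for dn, _ in file_entries}
    on_server = {dn for dn, _ in server_entries}
    return in_file - on_server, on_server - in_file


# Constructed sample input: a subset of the post's base.ldif ...
BASE_LDIF = """\
dn: dc=company,dc=com
dc: company
objectClass: domain

dn: ou=People,dc=company,dc=com
ou: People
objectClass: organizationalUnit
"""

# ... and of its ldapsearch output, comments and trailer included.
SEARCH_OUTPUT = """\
# base <dc=company,dc=com> with scope sub
# company.com
dn: dc=company,dc=com
dc: company
objectClass: dcObject

# People, company.com
dn: ou=People,dc=company,dc=com
ou: People
objectClass: organizationalUnit

# production, company.com
dn: ou=production,dc=company,dc=com
ou: production
objectClass: posixGroup
gidNumber: 3001

# search result
search: 2
result: 0 Success
"""
```

In practice you would feed the real base.ldif to order_problems() before running ldapadd, and the saved output of the ldapsearch above to dn_diff() afterwards; an empty "missing" set means every entry from the file made it into the directory.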

Management

While the command-line tools included with the server are functional, LDAP lends itself well to a GUI because of its hierarchical nature. Several graphical interfaces are available, but many of them rely on Java-capable or proprietary client software on the endpoint.

PHPLDAPAdmin is an open-source web-based tool used to administer an LDAP server. It is available to download from:

http://phpldapadmin.sourceforge.net/download.php

To install, simply untar the package and copy the directory into the document root of the web server. Once this is complete, copy the config.php.example file to config.php in that directory, and then set the following variables:

$servers[$i]['name'] = 'Test Lab Server';
$servers[$i]['host'] = 'localhost';
$servers[$i]['base'] = 'dc=company,dc=com';
$servers[$i]['login_dn'] = 'cn=Manager,dc=company,dc=com';
$servers[$i]['login_pass'] = 'secret';

There are other variables that can be changed, but these are the minimum needed to get up and running with PHPLDAPAdmin. Once these changes are complete, simply open a web browser and point it to the directory where PHPLDAPAdmin was installed.

Another Linux Experiment… Part II

August 17th, 2005

Well, after my less-than-satisfactory experience with Fedora Core 4 on my Dell Inspiron 8600, I moved back to Windows… rebuilt XP, reinstalled my apps and my data, and moved on… I wasn’t happy, but at least my notebook worked and I was able to be productive.

Then my brother, apparently after reading my last article, told me about the new Suse Linux distribution from Novell available at OpenSuse.Org. I figured what the heck… I have a spare hard drive, so I have time to experiment. So I downloaded the .iso files, burned my CDs, and did a base install to see what I could see.

Big mistake… don’t do a Linux install on a notebook when it’s on the docking station. After the install, I wanted to move downstairs to be in front of the bigscreen and discovered that the machine wouldn’t boot past the activation of the built-in NIC. So, instead of wasting a boatload of time troubleshooting, I simply re-built the machine off the docking-station. Here’s where the fun started…

First, wireless… well, even though there is no native support for my Dell TrueMobile 1350 wireless card, NDISWrapper was installed during the build of the workstation. In addition, once I simply added the correct drivers for it, the card appeared in Yast and was configurable (WPA-PSK and all). The only thing I can see that’s really missing is an integrated 802.1x supplicant… no big tho. I am sure I can add it when I need to. Also, there is a really kewl applet called “Network Selector” built in that loads into the task-bar when you boot. This tool allows you to switch between wireless and wired configurations with two mouse-clicks. It rocks in comparison to the effort I had to make to get things active on FC4.

Second, multimedia… shy of native codecs for DVD play (apparently Novell is worried they’re gonna get sued if they include the dvdcss libs), all sound and video worked right out of the box. This is a vast improvement over FC4.

Third, Novell’s version of OpenOffice seems to be a lot more stable and a lot more professional. I am waiting to see if document import and/or export works better than before.

Fourth, X-Windows stability… I added the packaged version of the nVidia drivers, and KDE seems to work flawlessly so far. I am not constantly fighting with apps crashing, the interface seeming slow, or frozen toolbars.

BONUS – I was able to get my Treo 600 to sync with Kontact and Korganizer. I couldn’t even get the Treo to be recognized in FC4.

It looks like there’s some very nice integration points into Novell and Windows networking, including a network logon client for eDirectory, as well as a GUI-configured LDAP client, and some other nice tools for network access.

I still like Fedora for a server OS better. Fedora’s update utility seems tighter, the layout of the filesystem seems more intuitive (Suse chroots EVERYTHING and it’s a pain sometimes), and the service management is way easier. However, if this is the direction of desktop operating systems outside of Windows, Microsoft had better watch out because Suse 9.3 rocks on my laptop!

–Scott A. Keoseyan – 17 AUGUST 2005

Another Linux Experiment

August 9th, 2005

So I went out and bought a new laptop harddrive for my Dell Inspiron 8600 thinking that I would install Fedora Core 4 on it. I picked up a 60GB 7200rpm drive from Drive Solutions for a good price. I also got it with the tray caddy so I could simply switch drives between the new drive and my stock drive, running XP.

Well, the idea behind the action was pretty good… get away from Microsoft, use more OSS, and use a notebook that’s a little more secure. I mean, I am always travelling, and connecting to foreign networks, so having something with a little better inherent security would (in theory at least) make my life easier.

Now, if you’ve read anything else I’ve written on this site, you know I like Linux a lot… I have 3 servers I run various stuff on (including this site) and all do exactly what I want. I have built a centralized LDAP-based authentication mechanism for Windows workstations, a web-based collaboration platform, web-mail system, and email system with anti-spam and anti-virus checking built in using Linux. After using Fedora for three weeks on my laptop, however, I am convinced that Linux is a server OS, and not really ready for primetime on a laptop or notebook computer.

Now before you go and slam me for not being technical enough or not knowing what I am doing… keep in mind what I just said… I am able to do all kinds of great stuff using Linux on the server-side, but I don’t have the time or patience to monkey around with my desktop for hours on end just to get basic stuff to work… Let me elucidate my point:

First, OpenOffice is a really great suite of office tools, but its interoperability with the rest of the world (Microsoft Office) leaves a lot to be desired. Formatting is lost between import and export functions, and this caused me a lot of grief because the rest of the consultants I work with use MS-Office. I rely on Visio to do a lot of work, and not having that was challenging enough… coupling that with formatting errors between copies of Powerpoint presentations was a show-stopper.

Second, sound and video support was immature. I am certain this had to do with the fact that I was running Dell hardware, but why is it so hard to get things to work right? Dual-head out of the GeForce video card was a pain to get working (I never really got it working the way I was used to). The Twinview stuff seems like a kludge and the GUI interface for monitor setup didn’t work at all… this means I had to manually tweak the xorg.conf file over and over to test. Yeah, I know, that sounds whiney, but hey, I don’t have to do anything like that with XP… the video driver automatically detects the external monitor and I always have a dual-head config ready to go. Sound support was also tricky… sometimes the sound came out scratchy (this was not because I had the PCM volume all the way up either), and the volume control didn’t work correctly. Again, these seem like minor issues, but they impacted my productivity because they sucked up a lot of time while I was trying to fix them.

Third, boot time sucked… I had disabled all the servers and the thing still took forever to get up and running. This was worse when I didn’t have it plugged into a network. I have no explanation for this other than service timeouts, even though I wasn’t running any network services (besides NTP).

Fourth, wireless networking. Why, if Broadcom cards are SO prevalent, is there no support in the Linux kernel for them??? I had to do the ndis-wrapper thing, which was actually kind of cool because when I did it, I was in a hacking-at-it mood, but a royal pain to get going overall. Again, every time I connected to a different secure network, I had to change the settings manually because the card was not natively supported inside the O/S.

Fifth, X-Windows stability… I would be sitting there working, and suddenly the taskbar, and everything I had minimized onto it, would suddenly freeze up. Doing the old CTRL-ALT-BACKSPACE was the only way to recover. I was using the nVidia drivers from the website like everyone suggested, but this didn’t help.

Sixth, media… I spent hours installing mplayer just so I could watch a couple videos on the plane. Again, really basic stuff that should have worked out of the box, but took a long time to get right and put together.

The point here is, I know how to build stuff, and all of this was probably fixable over the long-haul… but I am on the go, travelling, seeing customers, and doing my job… I don’t have hours and hours to monkey around with my video configuration, or my system volume control, or other basic stuff that should work right out of the box. My productivity requirements outweigh any hobbyist enthusiasm I might have for Linux… and this means I can’t spend the time it takes to make basic stuff work after I have installed it. I really want Linux to succeed and to take meaningful market-share away from Microsoft, who, in my opinion, stifles development and growth… we’re all better off if Linux succeeds. But it’s never going to get there if simple and basic functionality doesn’t work straightaway.

– Scott A. Keoseyan – 09 AUGUST 2005