Thursday, 9 August 2012

How to configure ldap in fedora & rhel -5

$ yum install openldap-clients openldap-servers

(or simply: $ yum install openldap*)

$ rpm -qa | grep ldap

Take a backup of slapd.conf before editing it:
$ cp /etc/openldap/slapd.conf /etc/openldap/slapd.conf.bak
Edit the file /etc/openldap/slapd.conf

     We need to change the suffix, rootdn and rootpw lines.

     suffix is the top-level DN of your directory (your domain written as
     dc= components). rootdn is the DN of the directory manager, the user
     that owns the server, and should start with cn=. Do not put the
     password in clear text in slapd.conf: generate a salted hash with
     $ slappasswd
     and paste its output ({SSHA}...) as the only rootpw line. Keep the
     file readable only by root and the ldap user (the package default),
     because whoever can read the rootpw hash can attack it offline, and a
     clear-text rootpw is the Manager password itself.
$ vim /etc/openldap/slapd.conf
suffix          "dc=bloger,dc=com"

(bloger.com stands for your domain name)

rootdn          "cn=Manager,dc=bloger,dc=com"
rootpw          {SSHA}MRNBda83kd9f7d7did902mLA1x0AVOWMRBua

(the rootpw value is the output of slappasswd; do not add a second, clear-text rootpw line)

save & exit this file.
Now open ldap.conf, the client-side configuration, and change two lines in it (HOST is the older directive; URI ldap://127.0.0.1/ is the current equivalent):
$ vim /etc/openldap/ldap.conf
HOST 127.0.0.1
BASE dc=bloger,dc=com

save & exit this file.
LDAP Migration tools-: These tools are located in /usr/share/openldap/migration. If you don't find them in your distribution you can download them from:
http://www.padl.com/OSS/MigrationTools.html

     
Installation is simple:
$ tar zxf MigrationTools.tgz
$ cd MigrationTools-47
You then must edit migrate_common.ph and change the following site-specific variables to reflect your installation:
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "bloger.com";

# Default base
$DEFAULT_BASE = "dc=bloger,dc=com";

Now we need to add the base entries into the LDAP. Below is an example of a new base, the organizational units you may need, and a new user. The file we create in our example is bloger.ldif.

Create a data file (bloger.ldif) with the following content. Note the blank line between entries, and that the top entry carries a dc attribute: dc is its naming attribute, so slapd rejects the entry without it, and objectClass dcObject is what permits dc on the entry.
$ vim bloger.ldif
dn: dc=bloger,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
dc: bloger
o: bloger
description: Top level LDAP for bloger.com

dn: ou=Group,dc=bloger,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

dn: ou=People,dc=bloger,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Services,dc=bloger,dc=com
ou: Services
objectClass: top
objectClass: organizationalUnit

Save this file. Instead of writing it by hand you can also generate the base entries with the migration tools (this overwrites bloger.ldif):
$ /usr/share/openldap/migration/migrate_base.pl > bloger.ldif
Import the base entries (you will be prompted for the rootpw):

$ ldapadd -x -W -D "cn=Manager,dc=bloger,dc=com" -f bloger.ldif

and check that they are there:

$ ldapsearch -x -b 'dc=bloger,dc=com' '(objectclass=*)'
Create test user-: create a file newrec.ldif for the test user and put the following content in it.

note-
You need an empty line before each line starting with "dn:"
$ vim newrec.ldif
# test, People, bloger.com

dn: uid=test,ou=People,dc=bloger,dc=com
cn: test
sn: test
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {crypt}$!Z0ksiAKjsKLAsjuwyuAK!jksX
uid: test
uidNumber: 501
gidNumber: 501
loginShell: /bin/bash
homeDirectory: /home/test
shadowLastChange: 10877
shadowMin: 0
shadowMax: 999999
shadowInactive: -1
shadowWarning: 7
shadowFlag: 0
shadowExpire: -1
save & exit this file.
The dn: of each record must be unique and must end in your suffix. Replace the userPassword value with a hash you generated yourself (slappasswd -h {SSHA} prints one); the value above is only a placeholder.

Add the record to your LDAP

To add a record to the ldap database we use the command ldapadd:

$ ldapadd -x -W -D "cn=Manager,dc=bloger,dc=com" -f newrec.ldif
$ ldapsearch -x -b 'dc=bloger,dc=com' '(uid=test)'

will display the record if it was added correctly. The entry's DN is uid=test,ou=People,dc=bloger,dc=com, so search from the suffix (or from that DN), not from cn=test.
Client Side Authentication-:
1. Click System, select Administration and click Authentication. This launches the Authentication Configuration window.
2. Check Enable LDAP Support and click the Configure LDAP button.
3. Fill in the LDAP Search Base DN (dc=bloger,dc=com) and LDAP Server fields. Click OK when you are done.
4. Click the Authentication tab and check Enable LDAP Support.

The client binds to the server with simple binds; without TLS every password crosses the network in clear text, so for clients other than the server itself tick "Use TLS to encrypt connections" in the same dialog and configure a certificate on the server first.

To test this, use a user that exists only in the LDAP directory and not in the client's local /etc/passwd. If the test record above was added, the following commands on the client should return it:
$ getent passwd test
$ finger test
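The tutorial pastes a hand-written LDIF and a placeholder password hash. The Python script below is an added example, not part of the original page or of OpenLDAP: it generates the same base tree and test user, computes userPassword with the {SSHA} scheme that slappasswd uses (SHA-1 over password+salt, salt appended, base64 encoded) and checks the two LDIF rules stated above before anything reaches ldapadd. The suffix and entry names are the tutorial's; the password "changeme" and the shadow values are assumed example values.

```python
import base64
import hashlib
import os

# Values from the tutorial; everything else in this file is an added example.
SUFFIX = "dc=bloger,dc=com"


def ssha_hash(password, salt=None):
    """Produce a {SSHA} userPassword value: base64(sha1(password + salt) + salt).
    This is the scheme slappasswd uses by default (4-byte random salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a password against a stored {SSHA} value; the salt is whatever
    follows the 20-byte SHA-1 digest, which is how slapd verifies binds."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def base_entries(suffix, org, units=("Group", "People", "Services")):
    """The top entry plus one organizationalUnit per unit. The top entry needs
    dcObject and a dc attribute because dc is its naming attribute."""
    dc_value = suffix.split(",")[0].split("=", 1)[1]
    top = [("dn", suffix), ("objectClass", "top"), ("objectClass", "dcObject"),
           ("objectClass", "organization"), ("dc", dc_value), ("o", org)]
    entries = [top]
    for ou in units:
        entries.append([("dn", "ou=%s,%s" % (ou, suffix)), ("ou", ou),
                        ("objectClass", "top"), ("objectClass", "organizationalUnit")])
    return entries


def posix_user(uid, uid_number, gid_number, password, suffix, ou="People"):
    """A posixAccount/shadowAccount entry like the tutorial's test user, but with
    a freshly salted {SSHA} password instead of a pasted hash."""
    return [("dn", "uid=%s,ou=%s,%s" % (uid, ou, suffix)), ("cn", uid), ("sn", uid),
            ("objectClass", "top"), ("objectClass", "person"),
            ("objectClass", "posixAccount"), ("objectClass", "shadowAccount"),
            ("userPassword", ssha_hash(password)), ("uid", uid),
            ("uidNumber", str(uid_number)), ("gidNumber", str(gid_number)),
            ("loginShell", "/bin/bash"), ("homeDirectory", "/home/%s" % uid),
            ("shadowMin", "0"), ("shadowMax", "99999"), ("shadowWarning", "7")]


def to_ldif(entries, suffix):
    """Serialise entries as LDIF while enforcing the rules the tutorial states:
    each dn is unique and lies under the suffix, and entries are separated by a
    blank line (without it ldapadd cannot tell where one entry ends)."""
    seen = set()
    blocks = []
    for entry in entries:
        if entry[0][0] != "dn":
            raise ValueError("entry must start with dn")
        dn = entry[0][1]
        if dn in seen:
            raise ValueError("duplicate dn: " + dn)
        if dn != suffix and not dn.endswith("," + suffix):
            raise ValueError("dn not under suffix: " + dn)
        seen.add(dn)
        blocks.append("\n".join("%s: %s" % (k, v) for k, v in entry))
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    entries = base_entries(SUFFIX, "bloger") + [posix_user("test", 501, 501, "changeme", SUFFIX)]
    # feed this to: ldapadd -x -W -D "cn=Manager,dc=bloger,dc=com"
    print(to_ldif(entries, SUFFIX))
```

Pipe the output into ldapadd exactly as in the steps above. ssha_verify also shows why the stored hash still needs protecting: anyone who can read the entry can run the same loop offline against a word list, so restrict who may read userPassword with an access directive in slapd.conf.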

Apache server load balancing with Multiple Tomcat Clustering-

Load Balancing -: A load balancer accepts requests from external clients and forwards them to one of the available backend servers according to a scheduling algorithm.
Load balancing can be done with dedicated hardware or with load balancing software.
mod_proxy_balancer -: The Apache web server module, built on mod_proxy, that provides load balancing over a set of backend web servers. The balancer can also keep track of sessions.
Sticky Session- A single user always deals with the same backend server.

Installation -:

Apache modules- mod_proxy and its submodules (mod_proxy_balancer, mod_proxy_http, mod_proxy_ajp) are part of the Apache httpd source distribution; the Windows binary distribution and the RHEL/Fedora httpd package already ship them as loadable modules.

Windows-: if a module is missing, copy the mod_proxy*.so files into the modules directory.
Linux- when building httpd from source, enable the proxy modules at configure time (run ./configure -h for the full list):

# ./configure --enable-proxy --enable-proxy-balancer --enable-proxy-http --enable-proxy-ajp
# make
# make install

Configuration-:

Windows-: Enable the following LoadModule lines in httpd.conf:

C:\Program Files\Apache Software Foundation\Apache2.2\conf\httpd.conf

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule proxy_http_module modules/mod_proxy_http.so

(mod_proxy_connect and mod_proxy_ftp are only needed for forward proxying; leave them unloaded.)

Now add the following lines for the proxy balancer (the cluster is named domain.abc.net and has two members):

ProxyRequests Off
ProxyPreserveHost On

<Proxy balancer://domain.abc.net>
    BalancerMember http://192.168.10.10:84 route=tomcat1
    BalancerMember http://192.168.100.10:85 route=tomcat2
</Proxy>

ProxyPass / balancer://domain.abc.net/ lbmethod=byrequests stickysession=JSESSIONID|jsessionid nofailover=On maxattempts=15
ProxyPassReverse / balancer://domain.abc.net/

ProxyRequests Off is essential: with it On, the same server would also act as an open forward proxy for anyone who can reach it. The BalancerMember lines belong inside the <Proxy balancer://...> block as shown; the bare form often seen in tutorials (no balancer name, outside any <Proxy> block) does not tell httpd which balancer they are members of. The route= values are example names: each must equal the jvmRoute attribute of the <Engine> element in that Tomcat's server.xml, because Tomcat appends ".<jvmRoute>" to the JSESSIONID and that suffix is what the balancer uses to send a user back to the same member. stickysession=JSESSIONID|jsessionid matches both the cookie and the ;jsessionid= path parameter. nofailover=On means a request whose session is bound to a member that is down gets an error instead of being moved to another member; set it Off if the Tomcats replicate sessions. ProxyPassReverse rewrites Location headers in redirects so that clients never see the backend addresses.



Linux-

We need three servers: one is the load balancer and the other two are the worker (Tomcat) nodes.
In the HTTP server configuration file "/etc/httpd/conf/httpd.conf" add the following line:

Include conf/extra/httpd-proxy-balancer.conf

Now create the file /etc/httpd/conf/extra/httpd-proxy-balancer.conf (create the extra directory if it does not exist; on RHEL/Fedora you can instead drop the file into /etc/httpd/conf.d/, which is included automatically) with the balancer definition, the same as in the Windows case:

ProxyRequests Off
ProxyPreserveHost On

<Proxy balancer://domain.abc.net>
    BalancerMember http://192.168.10.10:84 route=tomcat1
    BalancerMember http://192.168.100.10:85 route=tomcat2
</Proxy>

ProxyPass / balancer://domain.abc.net/ lbmethod=byrequests stickysession=JSESSIONID|jsessionid nofailover=On maxattempts=15
ProxyPassReverse / balancer://domain.abc.net/

(route=tomcat1/tomcat2 are example names that must match the jvmRoute of each Tomcat's <Engine>.)



Load balancing method-:

There are three load balancing methods in mod_proxy_balancer, selected with lbmethod=method on the ProxyPass line. The default is byrequests.
byrequests-: weighted request count balancing
bytraffic-: weighted traffic byte count balancing
bybusyness-: pending request balancing (the member with the fewest requests in flight wins)

BalancerMember http://192.168.10.10:84 loadfactor=4
BalancerMember http://192.168.100.10:85 loadfactor=6

A load factor (1 to 100, default 1) is applied to each member of the cluster to define how the load is shared between the members.

In the example above 40% of the requests will be forwarded to the first member and the remaining 60% to the second.

ProxyPass / balancer://domain.abc.net/ lbmethod=byrequests stickysession=JSESSIONID|jsessionid

stickysession= names the cookie (and, after the |, the URL path parameter) in which the application stores its session identifier; for Tomcat that is JSESSIONID. Stickiness only takes effect when the session id carries a route suffix that matches one member's route= setting.
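Whether the 40/60 split and the sticky routing behave as the text claims can be checked with a small model. The Python below is an added example, not code from the page or from Apache: Balancer.elect_byrequests implements the byrequests election as the mod_proxy_balancer documentation describes it (each member gains its lbfactor, the highest balance wins and is charged the sum of all factors), and route_from_request extracts the ".route" suffix that Tomcat appends to JSESSIONID. The worker URLs, the route names tomcat1/tomcat2 and the sample session ids are assumed values.

```python
import re


class Worker:
    def __init__(self, url, route, lbfactor=1):
        self.url = url
        self.route = route            # must equal the Tomcat's jvmRoute
        self.lbfactor = lbfactor      # loadfactor= on the BalancerMember line
        self.lbstatus = 0             # running balance used by byrequests
        self.served = 0


class Balancer:
    """Minimal model of mod_proxy_balancer: sticky routing first, then the
    byrequests election when the request carries no usable route."""

    def __init__(self, workers, cookie="JSESSIONID", path_param="jsessionid", nofailover=True):
        self.workers = workers
        self.cookie = cookie
        self.path_param = path_param
        self.nofailover = nofailover   # nofailover=On in the ProxyPass line

    def route_from_request(self, cookies, path):
        """Tomcat issues session ids of the form '<id>.<jvmRoute>'; the part after
        the last dot is the route. The id may arrive as a cookie or as a
        ';jsessionid=' path parameter (the stickysession=JSESSIONID|jsessionid form)."""
        sid = cookies.get(self.cookie)
        if sid is None:
            m = re.search(r";%s=([^;?/]+)" % re.escape(self.path_param), path)
            sid = m.group(1) if m else None
        if sid and "." in sid:
            return sid.rsplit(".", 1)[1]
        return None

    def elect_byrequests(self):
        """lbmethod=byrequests: over time each member's share of requests equals
        lbfactor / sum(lbfactors)."""
        total = 0
        candidate = None
        for w in self.workers:
            w.lbstatus += w.lbfactor
            total += w.lbfactor
            if candidate is None or w.lbstatus > candidate.lbstatus:
                candidate = w
        candidate.lbstatus -= total
        return candidate

    def pick(self, cookies=None, path="/"):
        route = self.route_from_request(cookies or {}, path)
        if route is not None:
            for w in self.workers:
                if w.route == route:
                    w.served += 1
                    return w
            # The route is client supplied; an unknown one only ever falls back to
            # the election (or, with nofailover=On, to a 503), never to an arbitrary host.
            if self.nofailover:
                return None            # Apache answers 503 Service Unavailable here
        w = self.elect_byrequests()
        w.served += 1
        return w


def distribute(n, factors):
    """Requests served per worker for n session-less requests and the given loadfactors."""
    workers = [Worker("http://worker%d" % i, "tomcat%d" % (i + 1), f) for i, f in enumerate(factors)]
    b = Balancer(workers)
    for _ in range(n):
        b.pick()
    return [w.served for w in workers]


if __name__ == "__main__":
    print(distribute(10, [4, 6]))   # the tutorial's loadfactor=4 / loadfactor=6 split
```

The model also makes the trust boundary visible: the route comes from the client, but it can only select among the configured members, and a forged or stale route either triggers a fresh election or, with nofailover=On, a 503.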

installation & configuration backuppc in fedora 9/10


I have been given the task of setting up one backuppc server, and below are the steps on how I did it :)

Server setup
                         # yum install backuppc
                         and the Perl modules it needs, using yum:
    • # yum install perl-Compress-Zlib perl-Archive-Zip perl-File-RsyncP perl-XML-RSS httpd
    • Only if you install from a downloaded package instead of yum: # rpm -Uvh backuppc-3.1.0-1.<dist>.i386.rpm, with <dist> replaced by your distribution tag (fc10 for Fedora 10).
  1. User backuppc is created upon installation. The CGI has to run as that user, so change the Apache user to backuppc.
    • # vi /etc/httpd/conf/httpd.conf
    • Change 'User apache' to 'User backuppc'
    • Save
    Note that this makes everything this httpd serves run as the owner of the backup pool, so do not share this Apache instance with other web applications.
  2. Edit file /etc/httpd/conf.d/backuppc.conf
    • # vi /etc/httpd/conf.d/backuppc.conf
    • change 'Allow from 127.0.0.1' to the network your administrators use, e.g. 'Allow from 192.168.10.0/24'. 'Allow from all' exposes the interface, and through it the backups of every client, to anyone who can reach port 80; if you do open it up, at least put it behind HTTPS, because the htpasswd credentials otherwise travel in clear text.
    • Save
  3. Create password for cgi-bin admin user
    • # htpasswd -c /var/lib/backuppc/passwd/htpasswd admin
  4. Edit backuppc config file
    • # vi /etc/BackupPC/config.pl
    • Find and change accordingly
      • $Conf{ServerHost} = 'localhost';
      • $Conf{SplitPath} = '/usr/bin/split';
        $Conf{CatPath} = '/bin/cat';
        $Conf{GzipPath} = '/bin/gzip';
        $Conf{Bzip2Path} = '/usr/bin/bzip2';
      • $Conf{BackupPCUser} = 'backuppc';
      • $Conf{TopDir} = '/var/lib/backuppc';
        $Conf{ConfDir} = '/etc/BackupPC';
        $Conf{LogDir} = '/var/log/BackupPC';
        $Conf{InstallDir} = '/usr';
        $Conf{CgiDir} = '/usr/share/backuppc/cgi-bin';
      • $Conf{ServerInitdPath} = '/etc/init.d/backuppc';
        $Conf{ServerInitdStartCmd} = '$sshPath -q -x -l root $serverHost$serverInitdPath start';
      • $Conf{SshPath} = '/usr/bin/ssh';
      • $Conf{NmbLookupPath} = '/usr/bin/nmblookup';
      • $Conf{PingPath} = '/bin/ping';
      • $Conf{CgiAdminUsers} = 'admin';
    • Save
  5. Grant passwordless sudo for user backuppc to run /bin/gtar and /bin/tar
    • # visudo
    • Add these entries
      • Defaults !lecture # to disable lecture
      • backuppc ALL=NOPASSWD:/bin/gtar,/bin/tar # enable user backuppc to run /bin/tar and /bin/gtar without authentication.
    • Comment this entry (sudo would otherwise refuse to run without a terminal)
      • #Defaults requiretty
    • Save
    Be aware that passwordless root tar is root: tar can overwrite any file on the system and its --to-command option runs arbitrary commands. Treat the backuppc account, and the ssh key created below, as root-equivalent.
  6. Restart apache and backuppc service
    • # /etc/init.d/httpd restart
    • # /etc/init.d/backuppc restart
  7. Open your browser and point it to 'http://backuppc_server_ip/backuppc' and you should see the backuppc web interface
  8. After this, you do almost all of the configuration through the web interface. To test, run a backup of localhost first. You have to create the host, fill in all the settings and you are ready to go. Record the host name and IP in /etc/hosts.
Client setup
  1. Create new user
    • # useradd backupuser
    • # passwd backupuser
  2. Grant passwordless sudo for user backupuser (passwordless sudo on tar is root-equivalent: tar can overwrite any file and --to-command runs arbitrary commands, so whoever holds the server's backuppc ssh key is root on every client)
    • # visudo
    • Add these entries
      • Defaults !lecture # to disable lecture
      • backupuser ALL=NOPASSWD:/bin/gtar,/bin/tar # enable user backupuser to run /bin/tar and /bin/gtar without authentication.
    • Comment this entry
      • #Defaults requiretty
    • Save
  3. From the server, as the backuppc user, create an ssh key pair (leave the passphrase empty; backups run unattended) and install the public key on the client
    • # su -s /bin/bash backuppc
    • $ mkdir .ssh
    • $ chown backuppc.backuppc .ssh
    • $ chmod 700 .ssh
    • $ ssh-keygen -t rsa
    • $ ssh-copy-id -i .ssh/id_rsa.pub backupuser@client
  4. To make sure that step 3 succeeded, ssh to backupuser@client as the backuppc user from the server. If no password is asked for, you are ready.
    • # su -s /bin/bash backuppc
    • $ ssh backupuser@client
  5. You can now add the client to the list of hosts and start backing up.

Configure Squid with DansGuardian

Scenario-:
1. Configure the Squid server
2. Configure DansGuardian
3. Configure iptables
4. Configure the proxy server as a router.

The purpose of the proxy server is to share the Internet connection, improve web browsing performance through caching, and, with DansGuardian, block sites and content.

A. Allow Internet access to all users, with restricted web sites and content.
B. Allow a limited set of users to access all sites.
C. Publish a local server as a web server on a different port.
D. All users can send and receive mail from Outlook but cannot access restricted sites.
E. Allow VNC, SQL Server and Remote Desktop connections from the Internet to hosts on the internal network. (Exposing these services directly to the Internet is a common way in for attackers; restrict the source addresses in the DNAT rules or put them behind a VPN.)
F. Allow the company's website to be accessed by all users.




Process-:

External LAN card- eth0 (10.10.10.1)
Internal LAN card- eth1 (192.168.10.1)

1. Install and configure the Squid server-:

# yum install squid

# cp /etc/squid/squid.conf /etc/squid/squid.conf.bkp

# vim /etc/squid/squid.conf

visible_hostname vsnl.com
http_port 127.0.0.1:3128

# Restrict web access by IP address. These lines must appear ABOVE the stock
# "http_access deny all", because squid acts on the first matching line.

acl special_client src "/etc/squid/special_client_ip_txt"   # IPs allowed to reach every site
acl our_networks src 192.168.10.0/24                         # the internal network
acl bed url_regex -i "/etc/squid/squid_block_acl"            # list of blocked site names
http_access allow bed special_client    # special clients may reach the blocked sites
http_access deny bed our_networks       # everyone else on the LAN is refused them
http_access allow our_networks          # ... but may reach everything else

Binding http_port to 127.0.0.1 matters: DansGuardian sits in front of squid, and a squid that listens on all interfaces lets any LAN client point its browser at port 3128 and skip the filter entirely. Two more caveats. First, because clients reach squid through DansGuardian, squid sees every request arriving from 127.0.0.1, so the src ACLs above only match clients that talk to squid directly; the per-IP exceptions therefore have to be repeated in DansGuardian's exceptioniplist (as done below), unless you enable forwardedfor in dansguardian.conf and follow_x_forwarded_for in squid so that squid learns the real client address. Second, url_regex entries are unanchored regular expressions over the whole URL, so "yahoo.com" also matches an unrelated URL that merely contains that string (and the unescaped dot matches any character); for plain site blocking, acl bed dstdomain .yahoo.com is the more precise type.

vim /etc/squid/special_client_ip_txt
192.168.10.126
192.168.10.200
192.168.10.251
vim /etc/squid/squid_block_acl
orkut.com
yahoo.com
gmail.com

# service squid start
# service squid stop
# service squid restart


Install and configure DansGuardian-:
# yum install dansguardian

# cp /etc/dansguardian/dansguardian.conf /etc/dansguardian/dansguardian.conf.bkp

# vim /etc/dansguardian/dansguardian.conf

filterip = 192.168.10.1
filterport = 8080
proxyip = 127.0.0.1
proxyport = 3128

(filterip/filterport is where the clients connect; proxyip/proxyport is the squid behind the filter.)

# vim /etc/dansguardian/lists/bannedsitelist
# list of blocked sites; a bare domain also covers its subdomains, so do not prefix www.
gmail.com
yahoo.com
facebook.com
orkut.com

# vim /etc/dansguardian/lists/bannedregexpurllist

# Hardcore phrase list (content blocking by URL pattern)

orkut|youtube|sport|gmail|facebook|sex|video|virus|audio

Patterns in this list match anywhere in the URL, so "video" or "audio" will also block ordinary pages whose address merely contains the word; watch the access log for false positives.

# vim /etc/dansguardian/lists/exceptionsitelist
# the following sites are not filtered by DansGuardian; allowed for all users.

online-linux.blogspot.com
xyz.com

# vim /etc/dansguardian/lists/exceptioniplist

# IPs that bypass the filter completely. DansGuardian, unlike the squid behind it,
# sees the real client address, so this is where the "special clients" exception takes effect.

192.168.10.126
192.168.10.200
192.168.10.251

Configure iptables-:
# enable IP forwarding (net.ipv4.ip_forward = 1 in /etc/sysctl.conf makes it persistent)
$ echo 1 > /proc/sys/net/ipv4/ip_forward
# masquerade the local LAN behind the external address; MASQUERADE is keyed on the
# OUTGOING interface, so this is -o eth0, not -i eth1
$ iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# redirect all port 80 requests from eth1 (local LAN) to DansGuardian on 8080, and send
# clients that point their browser straight at squid's 3128 through the filter as well
$ iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080
$ iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 3128 -j REDIRECT --to-port 8080
# publish the local website: port 8090 on the external address goes to the internal web server
$ iptables -t nat -A PREROUTING -i eth0 -p tcp -d 10.10.10.1 --dport 8090 -j DNAT --to-destination 192.168.10.10:8090
# allow the LAN to reach ports 80 and 8080 on the proxy itself
$ iptables -I INPUT -s 192.168.10.0/24 -p tcp --dport 80 -j ACCEPT
$ iptables -I INPUT -s 192.168.10.0/24 -p tcp --dport 8080 -j ACCEPT
# keep the rules across reboots
$ service iptables save

Two things to keep in mind: the DNAT rule only works if the FORWARD chain also accepts the forwarded traffic (add a matching FORWARD ACCEPT rule if your policy is not ACCEPT), and the REDIRECT catches plain HTTP only. HTTPS on port 443 leaves through the masquerade untouched by DansGuardian, so the filter is a convenience control, not a security boundary.





Client side-

Browser LAN (proxy) setting: 192.168.10.1:8080, the DansGuardian filter address on the internal interface. Clients that are not configured still pass through the filter because of the port 80 redirect above.
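To see what the three http_access lines actually decide, here is an added Python model of squid's ACL evaluation (example code, not part of the page or of squid). The ACL names, IP lists and blocked patterns are the ones from the tutorial; the dstdomain variant and the sample URLs are assumptions used to show the difference between url_regex and dstdomain matching and why the order of the http_access lines matters.

```python
import ipaddress
import re

# Constructed copies of the tutorial's two list files.
SPECIAL_CLIENTS = ["192.168.10.126", "192.168.10.200", "192.168.10.251"]
BLOCKED_PATTERNS = ["orkut.com", "yahoo.com", "gmail.com"]

# acl name -> (type, arguments), as in squid.conf
ACLS = {
    "special_client": ("src", SPECIAL_CLIENTS),
    "our_networks": ("src", ["192.168.10.0/24"]),
    "bed": ("url_regex", BLOCKED_PATTERNS),
    # assumed alternative to "bed": the same sites as dstdomain entries
    "blocked_domains": ("dstdomain", [".orkut.com", ".yahoo.com", ".gmail.com"]),
}

# http_access lines in file order: (action, acl names that must ALL match)
HTTP_ACCESS = [
    ("allow", ["bed", "special_client"]),
    ("deny", ["bed", "our_networks"]),
    ("allow", ["our_networks"]),
    ("deny", ["all"]),          # the stock squid.conf ends with this line
]


def acl_matches(name, client_ip, url):
    if name == "all":
        return True
    kind, args = ACLS[name]
    if kind == "src":
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(a, strict=False) for a in args)
    if kind == "url_regex":
        # unanchored regular expressions over the complete URL, like squid
        return any(re.search(p, url) for p in args)
    if kind == "dstdomain":
        host = re.match(r"[a-z]+://([^/:]+)", url).group(1).lower()
        # a leading dot means "this domain and every subdomain"
        return any(host == a.lstrip(".") or (a.startswith(".") and host.endswith(a)) for a in args)
    raise ValueError("unknown acl type " + kind)


def http_access(client_ip, url, rules=HTTP_ACCESS):
    """Squid's http_access semantics: lines are tried top-down, every ACL on a
    line must match, and the first matching line decides. If nothing matches,
    the result is the opposite of the last line's action."""
    last_action = None
    for action, names in rules:
        last_action = action
        if all(acl_matches(n, client_ip, url) for n in names):
            return action
    return "deny" if last_action == "allow" else "allow"


if __name__ == "__main__":
    for ip, url in [("192.168.10.5", "http://www.yahoo.com/"),
                    ("192.168.10.126", "http://www.yahoo.com/"),
                    ("192.168.10.5", "http://example.org/search?q=yahoo.com")]:
        print(ip, url, "->", http_access(ip, url))
```

Run it and the last line shows the url_regex trap: a harmless query string containing "yahoo.com" is denied. Swap the deny and allow lines for our_networks and the blocked sites sail through, which is why the deny has to come first.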

How to install and configure DHCP server on fedora

$ yum install dhcp

$ chkconfig dhcpd on

Copy the sample file that ships with the package and configure the DHCP server from it:

/usr/share/doc/dhcp*/dhcpd.conf.sample

$ cp /usr/share/doc/dhcp*/dhcpd.conf.sample /etc/dhcpd.conf

(newer Fedora releases read /etc/dhcp/dhcpd.conf instead)

$ vim /etc/dhcpd.conf

ddns-update-style interim;
ignore client-updates;

subnet 192.168.10.0 netmask 255.255.255.0 {

# --- default gateway
option routers 192.168.10.1;
option subnet-mask 255.255.255.0;

#option nis-domain "abc.com";
#option domain-name "abc.com";
option domain-name-servers 192.168.10.1;

option time-offset -18000; # Eastern Standard Time
# option ntp-servers 192.168.1.1;
option netbios-name-servers 192.168.10.1;
# --- Selects point-to-point node (default is hybrid). Don't change this unless
# --- you understand NetBIOS very well
# option netbios-node-type 2;

# Leave the range commented out if only registered MAC addresses (the host
# blocks below) should get a lease. To serve dynamic clients as well, uncomment
# it with a pool inside this subnet; the sample file's 192.168.1.x range is not
# in 192.168.10.0/24 and dhcpd refuses to start with it.
# range dynamic-bootp 192.168.10.100 192.168.10.200;
default-lease-time 21600;
max-lease-time 43200;
}

# If you want to hand out addresses only to registered MAC addresses, declare a
# host block per machine. A reservation is a convenience, not access control:
# any client can set its MAC address to one on this list.

# we want the nameserver to appear at a fixed address
host COMPUTERNAME {
hardware ethernet 00:1A:64:A2:BB:88;
fixed-address 192.168.10.3;
}

host COMPUTERNAME2 {
hardware ethernet 00:1C:90:25:92:A1;   # six hexadecimal octets (example value; "G" is not a hex digit)
fixed-address 192.168.10.4;
}
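A mistake such as a non-hexadecimal character in a hardware ethernet line, or a fixed-address outside the declared subnet, is usually discovered only when dhcpd refuses to start. The Python below is an added example (not from the page or from ISC dhcpd) that parses the top-level subnet and host blocks of a d hcpd.conf and reports reservations dhcpd would reject or that clash with each other. The configuration text it checks is constructed here and reuses the tutorial's host names and addresses, with two deliberate errors; host declarations nested inside a subnet block are not handled.

```python
import ipaddress
import re

# Constructed dhcpd.conf fragment in the layout of the tutorial's file, with two
# deliberate mistakes: a non-hex MAC digit and a reservation outside the subnet.
SAMPLE_DHCPD_CONF = """
subnet 192.168.10.0 netmask 255.255.255.0 {
  # --- default gateway
  option routers 192.168.10.1;
  range 192.168.10.100 192.168.10.200;
  default-lease-time 21600;
}
host COMPUTERNAME {
  hardware ethernet 00:1A:64:A2:BB:88;
  fixed-address 192.168.10.3;
}
host COMPUTERNAME2 {
  hardware ethernet 00:1C:90:25:92:G1;
  fixed-address 192.168.10.4;
}
host OUTSIDER {
  hardware ethernet 00:1A:64:A2:BB:89;
  fixed-address 192.168.1.4;
}
"""

MAC_RE = re.compile(r"^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$")
# top-level subnet/host blocks only (a host nested inside a subnet is not parsed)
BLOCK_RE = re.compile(r"(subnet|host)\s+(\S+)(?:\s+netmask\s+(\S+))?\s*\{([^}]*)\}")


def parse_blocks(conf):
    """Return ([(network, statements)], [(hostname, statements)]); statements map
    e.g. 'hardware ethernet' -> ['00:1A:...'] and 'range' -> [first, last]."""
    conf = re.sub(r"#[^\n]*", "", conf)          # drop comments
    subnets, hosts = [], []
    for kind, name, mask, body in BLOCK_RE.findall(conf):
        stmts = {}
        for stmt in body.split(";"):
            tokens = stmt.split()
            if not tokens:
                continue
            n = 2 if tokens[0] in ("hardware", "option") else 1
            stmts[" ".join(tokens[:n])] = tokens[n:]
        if kind == "subnet":
            subnets.append((ipaddress.ip_network("%s/%s" % (name, mask)), stmts))
        else:
            hosts.append((name, stmts))
    return subnets, hosts


def check_hosts(conf):
    """List (host, problem) pairs for the reservations; an empty list means every
    host block is well-formed, inside a declared subnet and free of clashes."""
    subnets, hosts = parse_blocks(conf)
    problems = []
    seen_macs = {}
    for name, st in hosts:
        mac = st.get("hardware ethernet", [""])[0]
        addr = st.get("fixed-address", [""])[0]
        if not MAC_RE.match(mac):
            problems.append((name, "invalid MAC %r" % mac))
        elif mac.lower() in seen_macs:
            problems.append((name, "MAC %s already used by %s" % (mac, seen_macs[mac.lower()])))
        else:
            seen_macs[mac.lower()] = name
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            problems.append((name, "invalid fixed-address %r" % addr))
            continue
        if not any(ip in net for net, _ in subnets):
            problems.append((name, "fixed-address %s is not in any declared subnet" % ip))
        for _, s in subnets:
            rng = s.get("range", [])
            if rng and rng[0] == "dynamic-bootp":      # "range dynamic-bootp a b" form
                rng = rng[1:]
            if len(rng) == 2 and ipaddress.ip_address(rng[0]) <= ip <= ipaddress.ip_address(rng[1]):
                problems.append((name, "fixed-address %s lies in the dynamic range %s-%s" % (ip, rng[0], rng[1])))
    return problems


if __name__ == "__main__":
    for host, problem in check_hosts(SAMPLE_DHCPD_CONF):
        print("%s: %s" % (host, problem))
```

Point it at the real /etc/dhcpd.conf (read the file into check_hosts) before restarting dhcpd; the range-collision check also catches the case where a reservation sits inside the dynamic pool and a roaming client can be handed the "fixed" address.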

Thursday, 14 June 2012

How To Configure DNS Server On A Cisco Router


The DNS protocol is used to resolve FQDN (Fully Qualified Domain Names) to IP addresses around the world. This allows us to successfully find and connect to Internet websites and services no matter where they are. Its usefulness, however, doesn't stop there: local company and private networks also rely on DNS to operate efficiently and correctly.
In many cases, where a local DNS server is not available, we are forced to use either our ISP's DNS servers or some public DNS server; this can sometimes prove troublesome. Today even small low-end routers can integrate DNS functionality, and so can Cisco routers: they simply have to be set up and you're done.
This article shows how to configure your Cisco router to provide DNS services to your network and make all clients use it as their DNS server. The step-by-step process below has it running within minutes.

Example Scenario
Consider the following network diagram (the figure is not reproduced here). This is our example network; we would like to enable the DNS service so our workstations can properly resolve Internet domains as well as local network names.

First step is to enable the DNS service on the router:

R1# configure terminal
R1(config)# ip dns server
Next, we need to configure the router with public name servers. This makes the router perform recursive lookups: for every query it receives from our workstations it asks the configured name servers and returns the answer:


R1(config)# ip name-server 4.2.2.5
R1(config)# ip name-server 4.2.2.6
The Cisco IOS will allow you to enter up to 6 different name servers (essentially DNS servers). Usually you would use your ISP's DNS server to ensure you have quick responses, then add a few free public DNS servers such as the ones above. This ensures that you'll get a DNS response from either your ISP or the public DNS servers.
Next step is to configure your DNS server with the host names of your local network. This way, when Alan's PC tries to ping or connect to Wayne, the router resolves the host name to the appropriate IP address (this is plain DNS resolution, not NetBIOS name resolution):

R1(config)# ip host alan 192.168.1.10
R1(config)# ip host john 192.168.1.11
R1(config)# ip host wayne 192.168.1.12
If you now try to ping 'wayne' directly from your router's CLI prompt, you should receive an answer:
R1# ping wayne

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.12, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
At this point, you can configure your workstations to use your router's IP address as the primary DNS server.

One caveat: ip dns server answers queries from any address that can reach the router, so make sure the access list on the Internet-facing interface drops inbound DNS (UDP and TCP port 53) from outside, or the router becomes an open resolver that can be abused for reflection attacks.

VIRTUAL PRIVATE NETWORKS (VPN)

What is VPN?
  • A Virtual Private Network is a type of private network that uses public telecommunication infrastructure, such as the Internet, instead of leased lines to communicate.
  • It became popular as more employees worked in remote locations.
  • Private networks vs. virtual private networks: in a private network the links are yours; in a VPN the Internet is used as the backbone, and the privacy comes from encryption and authentication of the traffic.
  • Employees can access the network (intranet) from remote locations.
  • Secured networks.


Brief Overview of How it Works

  • Two connections – one is made to the Internet and the second is made to the VPN.
  • Datagrams – contain data, destination and source information.
  • Firewalls – VPNs allow authorized users to pass through the firewalls.
  • Protocols – protocols create the VPN tunnels.

Four Critical Functions

  • Authentication – validates that the data really came from the claimed sender.
  • Access control – keeps unauthorized users from accessing the network.
  • Confidentiality – prevents the data from being read or copied while it is being transported.
  • Data Integrity – ensures that the data has not been altered.

Encryption

  • Encryption -- is a method of "scrambling" data before transmitting it onto the Internet.
  • Public key encryption technique.
  • Digital signature – for authentication.

Tunneling

A virtual point-to-point connection made through a public network. It transports encapsulated datagrams.
Two types of end points:
 
  • Remote Access
  • Site-to-Site
Four Protocols used in VPN

  • PPTP -- Point-to-Point Tunneling Protocol (its MS-CHAPv2 authentication is broken; avoid it for new deployments)
  • L2TP -- Layer 2 Tunneling Protocol (usually combined with IPsec, since L2TP itself provides no encryption)
  • IPsec -- Internet Protocol Security
  • SOCKS – not used as much as the ones above

Types of Implementations

What does “implementation” mean in VPNs
3 types
  • Intranet – Within an organization
  • Extranet – Outside an organization
  • Remote Access – Employee to Business

Device Types

 3 types
  •  Hardware
  •  Firewall
  • Software

Applications: Remote Access

  • Encrypted connections between mobile or remote users and their corporate networks.
  • Remote user can make a local call to an ISP, as opposed to a long distance call to the corporate remote access server.
  • Ideal for a telecommuter or mobile sales people.
  • VPN allows mobile workers & telecommuters to take advantage of broadband connectivity.
  • Healthcare: enables the transfer of confidential patient information within the medical facilities & health care providers.
  • Manufacturing: allows suppliers to view inventory & allows clients to purchase online safely.
  • Retail: able to securely transfer sales data or customer info between stores & the headquarters.
  • Banking/Financial: enables account information to be transferred safely within departments & branches.
  • General Business: communication between remote employees can be securely exchanged.

Wednesday, 2 May 2012

Five Most commonly used Networking Technologies

Thursday , May 03, 2012

A question I hear most frequently from CCNA & CCNP students is: what are the most used technologies in the enterprise? Well, there can be no perfect answer to this question, but I am sharing the list of most commonly used technologies from my ten years of experience.

Let's start with the discussion of the day -

1. Default Routing - This is the most commonly used routing type in the industry. Every company with an Internet connection is bound to configure default routing. Even on simple broadband routers we need to configure a default gateway.

2. VLAN Trunking Protocol (VTP) - Any customer who is using Cisco switches and has multiple VLANs running in his network treats VTP as a mandatory kind of protocol. They actually enjoy using an automated system for VLAN propagation. (VTP propagates deletions too: a switch with a higher configuration revision joining the domain can wipe the VLAN database, so set a VTP password and use transparent mode where propagation is not needed.)

3. Hot Standby Router Protocol (HSRP) - This protocol never fails to create space for itself whenever a network has more than one exit gateway. It is the easiest to configure, works flawlessly & takes no toll on the performance of the network equipment. (My personal favorite is GLBP.) HSRP is the most widely used FHRP in the industry today.

4. IPsec Remote Access VPN - Whether the mobile workforce is a hundred users or just ten, every company wishes to raise the bar of productivity for its employees. IPsec Remote Access VPN is the easiest way to extend connectivity to local resources to remote users' desks anywhere, and it is also the feature most commonly available on gateway-level devices.

5. IP Service Level Agreement (IP SLA) - Have more than one Internet line and cannot afford the downtime caused by manual switching between ISP lines? IP SLA is the technology for you. It is the most favored technology when it comes to automated link failover management, and easy to configure as well.


Please suggest any other technology, which could be or should be the part of this list.