Secure Boot Or hate for Linux?

Secure boot is a method of booting the operating system that checks the cryptographic signature of the boot components, using the UEFI (http://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface) framework. Secure boot is boot-level security which disallows bypassing the signature verification during the boot process.

The above explanation of secure boot sounds good, but what about those users who need dual booting?

With the release of Windows 8, Microsoft decided that all Windows 8 ready machines will:

  • Have secure boot enabled by default.
  • Ship Microsoft keys in firmware.

If that is the case, then what about an OS which does not support secure boot? Moreover, if Microsoft keys are present in firmware, then what about a Linux boot loader, which is obviously not signed by a Microsoft key?

Let us stand for freedom: http://www.fsf.org/campaigns/secure-boot-vs-restricted-boot/statement. The big corporate houses are forcing us to use certain products and services.

LDAP SSL : Part 2

In the last post http://www.linuxmantra.com/2013/05/ldap-ssl-part-1.html, I discussed accessing the ldap server via a socket. In this post I am going to configure SSL for ldap.

Step1. Create a self-signed certificate using the openssl command. The SSL certificate file will be /etc/pki/tls/certs/linuxmantra.crt and the SSL key file will be /etc/pki/tls/certs/linuxmantra.key

root# openssl req -new -x509 -nodes -out /etc/pki/tls/certs/linuxmantra.crt -keyout /etc/pki/tls/certs/linuxmantra.key



Step2. After creating the self-signed certificate, verify whether any TLS certificate is already configured

root# ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" -s base|grep -i tls



The above command checks whether there is any entry for a TLS certificate in the config (the attribute names are olcTLS..., so grep needs -i). From OpenLDAP version 2.4, the ldap configuration is also available in ldap format, so here cn=config stores the configuration of the ldap server.

Step3. Set the SSL certificate for your server by importing an .ldif file.

     Step3.1  Create a file addsslcert.ldif with the following content

     Step3.2  Import this addsslcert.ldif file into the ldap server with the following command

     root# ldapmodify -Y EXTERNAL -H ldapi:/// -f addsslcert.ldif


Step4. Verify that the TLS certificate has been configured properly

root# ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" -s base|grep -i tls




Step5. Edit the /etc/sysconfig/ldap file and set "SLAPD_LDAPS=yes" to enable LDAP over TLS

Save the /etc/sysconfig/ldap file and restart the slapd daemon

root# /etc/init.d/slapd restart


Enjoy, you now have TLS (SSL) in place for ldap server access.
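As an added example (not the post's own addsslcert.ldif, which is not reproduced above), here is Python that generates the cn=config modification Step 3 needs and checks the Step 2/Step 4 ldapsearch output for it; it assumes the standard OpenLDAP attribute names olcTLSCertificateFile and olcTLSCertificateKeyFile and uses the post's certificate paths.

```python
# Added example, not from the linuxmantra post: build the cn=config LDIF that
# Step 3.1 does not show, and check ldapsearch output for the TLS attributes.
# Assumes the real OpenLDAP attribute names olcTLSCertificateFile and
# olcTLSCertificateKeyFile; the post's addsslcert.ldif itself is not shown.
from typing import Dict, List

CERT = "/etc/pki/tls/certs/linuxmantra.crt"   # paths used by the post
KEY = "/etc/pki/tls/certs/linuxmantra.key"    # must be readable by slapd's user only
REQUIRED = ("olcTLSCertificateFile", "olcTLSCertificateKeyFile")


def build_tls_ldif(cert: str = CERT, key: str = KEY) -> str:
    """LDIF for `ldapmodify -Y EXTERNAL -H ldapi:/// -f addsslcert.ldif`.
    'replace' works whether or not Step 2 found an existing TLS entry."""
    return "\n".join([
        "dn: cn=config",
        "changetype: modify",
        f"replace: {REQUIRED[0]}",
        f"{REQUIRED[0]}: {cert}",
        "-",
        f"replace: {REQUIRED[1]}",
        f"{REQUIRED[1]}: {key}",
    ]) + "\n"


def tls_attributes(search_output: str) -> Dict[str, str]:
    """Parse `ldapsearch -b cn=config -s base` output (Steps 2 and 4) and
    return every olcTLS* attribute, unfolding LDIF continuation lines."""
    joined: List[str] = []
    for raw in search_output.splitlines():
        if raw.startswith(" ") and joined:      # folded line continues previous
            joined[-1] += raw[1:]
        else:
            joined.append(raw)
    found = {}
    for line in joined:
        if line.startswith("olcTLS") and ": " in line:
            name, value = line.split(": ", 1)
            found[name] = value.strip()
    return found


def missing_tls_attributes(search_output: str) -> List[str]:
    """Attributes from REQUIRED that the server does not have yet; an empty
    list means Step 4 passed and SLAPD_LDAPS=yes will have a cert to use."""
    present = tls_attributes(search_output)
    return [a for a in REQUIRED if a not in present]


# Constructed sample of Step 4's output after the LDIF is applied (not captured
# from a real server); the key path is folded here to exercise the unfolding.
SAMPLE_AFTER = """dn: cn=config
objectClass: olcGlobal
cn: config
olcTLSCertificateFile: /etc/pki/tls/certs/linuxmantra.crt
olcTLSCertificateKeyFile: /etc/pki/tls/certs/linuxmantra.ke
 y
"""
```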

LDAP SSL : Part 1

In the series on openldap implementation on CentOS 6, in the next post I am going to discuss ldap TLS (SSL) configuration.

LDAP data communication over TLS is safe and encrypted. Encrypted data can't be decoded even if it is intercepted by network sniffer tools such as Wireshark or tcpdump.



Before going into the implementation part of SSL, let me configure the LDAP server to listen on a socket.

Normally the ldap server runs on tcp port 389 and can be accessed over this port from a local or remote client. Socket based access can't work for remote access; for remote access use network port 389.

Let me make clear that the network port based access option remains available even if we go for socket based access.

There is one big advantage of using socket based access: with socket based access we can map even a Linux user (not an ldap user) to access the ldap directory content.

Let me explain this through an example. Please note that this example was done on the CentOS 6 distribution of Linux.



Suppose we have a domain "linuxmantra.local", and we want to perform search 


root# ldapsearch -x -H ldap://localhost -b "dc=linuxmantra,dc=local"

Here the search operation is performed using the access method "ldap".

In place of "ldap" we can also use "ldaps" if we have SSL configured for our ldap server "localhost".

Now to perform socket based access we should use "ldapi".

In our example, to search in the base "dc=linuxmantra,dc=local":

 root# ldapsearch -Y EXTERNAL -H ldapi:/// -b "dc=linuxmantra,dc=local"

So here you can notice that the SASL/EXTERNAL authentication mechanism is in use and is mapped to gidNumber=0+uidNumber=0


You may have a question in mind: where has this mapping been configured?

The answer is the file

 /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{0\}config.ldif

In this file there is an ACL entry for the mapping:

olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none
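To make the mapping concrete, here is an added Python example (not from the post) that derives the peercred DN slapd assigns to a local process and evaluates the olcAccess line above against it; the uid/gid inputs are constructed and the ACL parser handles only the syntax shown on this page.

```python
# Added example, not from the linuxmantra post: reproduce the mapping that
# SASL/EXTERNAL over ldapi:/// performs and evaluate the olcAccess line from
# olcDatabase={0}config.ldif against it. The ACL grammar handled here is the
# subset the post shows: "to <what> by <who> <level> [by <who> <level> ...]",
# with <who> being dn.base="..." or *. Uid/gid values are constructed inputs.
import re
from typing import List, Tuple

# The line from the post, unfolded (LDIF continuation removed).
ROOT_ACL = ('olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,'
            'cn=external,cn=auth" manage by * none')

PEERCRED_SUFFIX = "cn=peercred,cn=external,cn=auth"


def peercred_dn(uid: int, gid: int) -> str:
    """The authorization DN slapd derives from the Unix socket peer
    credentials of the connecting process (what ldapsearch -Y EXTERNAL shows)."""
    return f"gidNumber={gid}+uidNumber={uid},{PEERCRED_SUFFIX}"


def parse_olc_access(line: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split an olcAccess value into (what, [(who, level), ...]).
    The optional {n} ordering prefix is stripped."""
    value = line.split(":", 1)[1].strip()
    value = re.sub(r"^\{\d+\}", "", value)
    m = re.match(r"to\s+(\S+)\s+(.*)$", value)
    if not m:
        raise ValueError(f"unsupported olcAccess syntax: {line}")
    what, rest = m.group(1), m.group(2)
    clauses = re.findall(r'by\s+(dn\.base="[^"]*"|\*)\s+(\w+)', rest)
    return what, clauses


def access_level(acl_line: str, auth_dn: str) -> str:
    """Return the access level the first matching 'by' clause grants to
    auth_dn; slapd stops at the first match, so clause order matters."""
    _what, clauses = parse_olc_access(acl_line)
    for who, level in clauses:
        if who == "*":
            return level
        if who.startswith("dn.base="):
            if who[len('dn.base="'):-1].lower() == auth_dn.lower():
                return level
    return "none"                      # no clause matched: implicit deny


# Constructed checks: root over the socket gets manage, any other local user
# hits the "by * none" clause (a TCP client never gets a peercred DN at all).
ROOT_LEVEL = access_level(ROOT_ACL, peercred_dn(0, 0))        # "manage"
USER_LEVEL = access_level(ROOT_ACL, peercred_dn(1000, 1000))  # "none"
```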



samba ldap setup


The question below is encountered by most Linux admins:

Is there any option in Linux to implement the Windows Active Directory concept?

The answer is yes, you can implement Windows AD logic on Linux servers. Suppose, as a Linux admin, you get the task of migrating a Windows Active Directory server to the Linux platform.

Windows AD is an integrated implementation of ldap and kerberos for a centralized authentication server and single sign-on.

In my last articles, I already covered ldap installation and configuration.

After successful installation and configuration of ldap, we need to configure samba. Below is the samba configuration file (/etc/samba/smb.conf) for running a samba+ldap server

++++++++++++++++++++++++++++++++++++++++++++++
[global]
workgroup = linuxmantra
server string = host1
netbios name = host1
ldap passwd sync = yes
security = user
passdb backend = ldapsam:ldap://127.0.0.1
ldap suffix = dc=linuxmantra,dc=com
ldap machine suffix = ou=Computers
ldap user suffix = ou=People
ldap group suffix = ou=Group
ldap admin dn= "uid=root,ou=People,dc=linuxmantra,dc=com"
domain master = yes
domain logons = yes
logon path =     
add user script = /usr/sbin/smbldap-useradd "%u"
add group script = /usr/sbin/smbldap-groupadd "%g"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
delete group script = /usr/sbin/smbldap-groupdel "%g"
local master =  yes
os level =  254
preferred master = yes
wins support = yes

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = yes
writable = no
share modes = no
+++++++++++++++++++++++++++++++++++++++++++++++++++++++

As you can notice in the samba configuration file, the ldap tree structure is given there.

We also need to create this ldap structure before starting samba. There are certain tools that populate the ldap tree structure, so that the required structure can be created without much manual intervention. The following link will help you to install smbldap-tools and populate the ldap tree structure.



ldap authentication

In my last two posts http://www.linuxmantra.com/2013/04/openldap-on-centos.html and http://www.linuxmantra.com/2013/04/ldap-on-centos-part-2.html, I discussed ldap basics and its setup on a CentOS server.

As we know, user account verification and authentication are two different things. I already discussed account verification using ldap in my last post http://www.linuxmantra.com/2013/04/ldap-on-centos-part-2.html.

User authentication is an independent process. There are multiple authentication methods in Linux. Have a look at the image below

In the authentication section there are a number of options. Generally we use the "Use Shadow Passwords" option. The shadow passwords option uses the /etc/shadow file. You can continue to use the Shadow Password option for ldap users as well. If you use shadow passwords for an ldap user, then the user account information is stored on the ldap server and the password is stored in /etc/shadow.

Other than using the "Use Shadow Passwords" method, we can go for "Use LDAP Authentication". In the LDAP authentication scenario the password will be stored in ldap format in the ldap server.

Let us understand this by an example.

Suppose there is a user "uid=ldapuser1,dc=linuxmantra,dc=com" and we want to set the password of this user. The following command will set the password of this user to 'Passw0rd'

root# ldappasswd -x -D"cn=Manager,dc=linuxmantra,dc=com" -W "uid=ldapuser1,dc=linuxmantra,dc=com"  -s 'Passw0rd'

The above command will set the userPassword attribute of the given DN to whatever value you set as the password (passing it with -s leaves it in the shell history and process list; use -S instead to be prompted for the new password). You can see this value in the output of the slapcat command.

Now you have an ldap user "uid=ldapuser1,dc=linuxmantra,dc=com" and, more importantly, the user password is stored inside the ldap server.

Finally issue the command authconfig-tui and enable the option "Use LDAP Authentication"

ldap on linux : Part 2

In my last post http://www.linuxmantra.com/2013/04/openldap-on-centos.html, I discussed installation and basic configuration of openldap. Here in this article, I am going to discuss user account creation and its usage in account verification and authentication.

As we know, Linux user information is stored inside the file /etc/passwd, but users stored inside /etc/passwd can't perform network logon. For network logon you can use either NIS or LDAP. LDAP has an advantage over NIS, as LDAP is a very popular directory service and almost all applications like Oracle, Apache, Sendmail etc. understand the LDAP format and can use the ldap service.

In this article, I will elaborate the steps to use ldap as the storage for account information, in other words using ldap in place of /etc/passwd.

Step1. Create a normal user using the useradd command. In the example given below, I created a user named ldapuser1

root# useradd ldapuser1

Once the user is created, store that user's information in a separate file, in my example root.passwd

root# grep ldapuser1 /etc/passwd>root.passwd



Step2. Convert the user information into ldif format

          Step2.1 Install the package migrationtools on your system

                          root# yum install migrationtools

          Step2.2 Convert the user information into ldif format

                     root# /usr/share/migrationtools/migrate_passwd.pl root.passwd>root.ldif

        Step2.3 Edit root.ldif and replace padl.com with your domain name. In my example, I replaced padl with linuxmantra so the domain becomes linuxmantra.com. As you see in the image below, to replace padl with linuxmantra on every line of the file, I used the following command in the vi editor (the % range applies it to the whole file, not only to the current line)

:%s/padl/linuxmantra/g




Step3. Import root.ldif file into ldap server 



    root# ldapadd -x -D"cn=Manager,dc=linuxmantra,dc=com" -W -f root.ldif


Now the user is created. You can verify the user using the slapcat command.

Now ldapuser1 is a POSIX user which can log onto any Linux machine.

Step4. Configure the Linux client to use the ldap server for account verification.

root# authconfig-tui

As you can notice in the above image, in the User Information section "Use LDAP" is selected. So you should also select "Use LDAP" and click the Next button.

Clicking the Next button will bring up the LDAP Settings box. Mention the IP/name of your server in the Server field and the ldap base dn entry in the Base DN field. In my example the ldap server IP is 192.168.1.1 and the base dn is dc=linuxmantra,dc=com

Step5. Now you can use the ldap user for user verification, but remember the authentication part is still not configured. If you want to verify whether your LDAP server is configured properly or not, just do su from root or use the getent command.

You can use the getent command in the following way

You can notice there is no user ldapuser1 in /etc/passwd, but the getent command shows that the user exists.

Great, the user exists in LDAP, so everything has worked fine so far.
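As an added example that is neither the post's own script nor migrate_passwd.pl, the Python below does the conversion of Steps 1 to 2.3 for one passwd line with the base DN supplied directly instead of editing padl.com afterwards; the sample line and its uid/gid are constructed.

```python
# Added example, not from the linuxmantra post and not migrate_passwd.pl
# itself: convert one /etc/passwd line (Step 1's root.passwd) into the LDIF
# entry Steps 2.2 and 2.3 produce, with the base DN given directly instead of
# editing padl.com afterwards. The sample line and uid/gid numbers are constructed.
from typing import Optional

BASE_DN = "dc=linuxmantra,dc=com"   # the post's domain after the :s/padl/linuxmantra/ edit

# Constructed: what `grep ldapuser1 /etc/passwd` might have written to root.passwd.
SAMPLE_PASSWD_LINE = "ldapuser1:x:1001:1001::/home/ldapuser1:/bin/bash"


def passwd_to_ldif(line: str, base_dn: str = BASE_DN,
                   people_ou: Optional[str] = None) -> str:
    """Build a posixAccount/shadowAccount LDIF entry from a passwd(5) line.

    people_ou=None yields uid=<name>,<base_dn>, the DN the later posts use;
    pass "People" to get the ou=People,... layout migrate_passwd.pl emits.
    The passwd field "x" is not a hash, so userPassword is left unset and
    must be set afterwards (ldappasswd, as in the ldap authentication post)."""
    fields = line.strip().split(":")
    if len(fields) != 7:
        raise ValueError(f"not a passwd line (7 fields expected): {line!r}")
    name, pw, uid, gid, gecos, home, shell = fields
    if not uid.isdigit() or not gid.isdigit():
        raise ValueError(f"uid/gid must be numeric: {line!r}")
    container = f"ou={people_ou},{base_dn}" if people_ou else base_dn
    entry = [
        f"dn: uid={name},{container}",
        f"uid: {name}",
        f"cn: {gecos.split(',')[0] or name}",
        "objectClass: account",
        "objectClass: posixAccount",
        "objectClass: top",
        "objectClass: shadowAccount",
        f"loginShell: {shell}",
        f"uidNumber: {uid}",
        f"gidNumber: {gid}",
        f"homeDirectory: {home}",
    ]
    # Only a real crypt(3) hash (e.g. copied from /etc/shadow) is worth carrying over.
    if pw not in ("x", "*", "!", "!!", ""):
        entry.insert(7, f"userPassword: {{CRYPT}}{pw}")
    return "\n".join(entry) + "\n"


def ldif_dn(ldif: str) -> str:
    """DN of the entry, i.e. what `ldapadd -x -D cn=Manager,... -f root.ldif`
    will create and what `getent passwd ldapuser1` should then resolve."""
    return ldif.splitlines()[0].split(": ", 1)[1]
```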

ldap on linux : Part 1

In this article, I am going to cover the installation and basic configuration of openldap. This article is done on CentOS 6. This article is for Linux admins who have the following question in mind:

Where and how to start with LDAP?

OpenLDAP is open source software to implement an LDAP server in your environment.

1. Installation 


To work with OpenLDAP servers you need to install the openldap-servers package on your system. To install openldap-servers on your system use the following command.

root# yum install openldap-servers

After installation, you can see that the following folder layout is created on your system

You can notice that /etc/openldap/slapd.d is created after installation of openldap-servers and works as the configuration folder for openldap.


2. Configuration 


To configure openldap-server, edit the file /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif

There are a number of configurable parameters in this file, but I am concentrating only on those parameters which initially need to be changed

Here there are three parameters which need to be taken care of. I edited the parameters olcSuffix and olcRootDN: olcSuffix is set to dc=linuxmantra,dc=com and olcRootDN is set to the value "cn=Manager,dc=linuxmantra,dc=com"

RootDN works as the administrator for ldap. We set RootDN to "cn=Manager,dc=linuxmantra,dc=com" and now also have to set a password for this user. Setting the password in plain text format in the configuration file would not be a good idea, so we will generate a hashed password outside the configuration file and add that hashed password into the configuration file using the parameter olcRootPW. Remember that I added this parameter to the configuration file.

To generate the hashed password outside the configuration file, issue the following command from the shell (command prompt)

root# slappasswd

Copy the generated hashed password and put it in the openldap server configuration file /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif through the parameter olcRootPW
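The slappasswd step here and the ldappasswd/slapcat discussion in the ldap authentication post above deal with the same kind of stored value, so here is one added Python example (not from the posts) implementing OpenLDAP's default {SSHA} scheme, so you can recognise such a value in slapcat output and verify a password against it; the salt and passwords are constructed.

```python
# Added example, not from the linuxmantra posts: the {SSHA} password scheme that
# slappasswd emits by default and that ldappasswd stores in userPassword, so
# you can recognise the value slapcat shows for olcRootPW or a user entry and
# check a password against it. Salt and passwords below are constructed inputs.
import base64
import hashlib
import hmac
import os
from typing import Tuple


def ssha_hash(password: str, salt: bytes = b"") -> str:
    """Return "{SSHA}" + base64(sha1(password || salt) || salt), the format
    slappasswd prints; a fresh 4-byte salt is drawn when none is supplied."""
    if not salt:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def split_ssha(stored: str) -> Tuple[bytes, bytes]:
    """Split a stored {SSHA} value into (digest, salt)."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    if len(raw) <= 20:
        raise ValueError("too short to hold a SHA-1 digest plus salt")
    return raw[:20], raw[20:]


def ssha_verify(stored: str, password: str) -> bool:
    """What slapd does on a simple bind: hash the offered password with the
    stored salt and compare it to the stored digest in constant time."""
    digest, salt = split_ssha(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def scheme_of(stored: str) -> str:
    """The scheme prefix of a userPassword/olcRootPW value, or "cleartext"
    when there is none (what you get if olcRootPW is typed in plain text)."""
    if stored.startswith("{") and "}" in stored:
        return stored[1:stored.index("}")]
    return "cleartext"


# Constructed: a fixed salt so the value is reproducible; real slappasswd
# output differs on every run because the salt is random.
SAMPLE_STORED = ssha_hash("Passw0rd", salt=b"\x01\x02\x03\x04")
```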

Your configuration file is now configured, so close the configuration file and start the slapd service on your system.

root# /etc/init.d/slapd start

The LDAP service is started on your system and port 389 is open to accept ldap requests.


3. Populate 


So now your openldap server is ready, but there are no ldap data and records in the server. To view the data present in ldap, you can use the slapcat command

root# slapcat

You can see there are some warnings like "no DB_CONFIG file found in directory /var/lib/ldap". You can ignore such warnings at this point of time.

There are certain commands to populate the ldap server with data, to search data in ldap, to delete ldap data etc. To get the commands to operate the ldap server with ldap data, you need to install the openldap-clients package on your system.

root# yum install openldap-clients




Create a ldif file that holds the description of an ldap entry. You can consider an ldap entry as simply a record that represents an object. The first entry that one creates will be the root domain entry. Here I created a file /root/base.ldif with the following content

root# vi base.ldif

+++++++++++++++++++
dn: dc=linuxmantra,dc=com
objectClass: dcObject
objectClass: organization
dc: linuxmantra
o: linuxmantra
++++++++++++++++++++


After creating this file, I imported base.ldif into the ldap server.

root# ldapadd -x -D"cn=Manager,dc=linuxmantra,dc=com" -f base.ldif -W

The above command will ask for a password; enter the password you generated using slappasswd and put in the conf file.

To verify the entry, you can use the slapcat command

As you can see, the ldap entry is imported and appears in the ldap server. Everything is set up now. Through comments, let me know if you face any issue in the whole process.

Software RAID vs Fake RAID

Many of us are already very much aware of hardware and software RAID. Keeping performance in mind, hardware RAID is always preferable over software RAID, but budget sometimes becomes a constraint. Generally we use software RAID to save the cost of hardware RAID. Why is hardware RAID costlier than software RAID? The answer is the cost of the special hardware known as the RAID controller used in hardware RAID, which makes hardware RAID costly.

How can we reduce hardware RAID cost? The answer is very simple: by removing the RAID controller. Many of the hardware manufacturing companies are doing the same; they are removing the hardware RAID controller and in place of that using a chip that, through BIOS configuration, seems to work as hardware RAID. None of these are true hardware RAID controllers; they are simply supported by BIOS configuration and a special driver within the OS. Manufacturing companies claim this is hardware RAID since it can be configured via BIOS and the OS can be booted from this RAID.

In Linux, fake RAID configuration is supported by the device mapper driver dm-raid. If you are on a Red Hat Linux system then for fake RAID you will find the device file in /dev/mapper, not in /dev. The other logical block devices such as LVM and software RAID also appear in /dev/mapper, so it is clear that fake RAID is not hardware RAID. You will find one more interesting fact in the case of fake RAID in Linux: suppose you have two hard disks in your RAID1 configuration, set up via fake RAID, then you will see three block devices in Linux: /dev/sda, /dev/sdb and /dev/mapper/isw*.

The most interesting fact is that there is no performance gain from using fake RAID in place of software RAID. We can consider fake RAID as another marketing stunt, nothing more than this. Using fake RAID is no less than a nightmare; Linux software RAID is recommended over fake RAID from a stability point of view.

One can argue that if he/she opts for Linux software RAID over fake RAID then in the case of multi boot the RAID configuration will not persist. Yes, this is the only advantage of fake RAID over software RAID, but in most cases we do not use multi boot for a production environment.

In the Linux environment the dm-raid driver of the kernel implements such RAID for the operating system. To manage this RAID device from the Linux shell we can use the dmraid command. Here, I am trying to explain the dmraid command with a few examples

root#  dmraid -r


The above output says that there are two RAID devices on the system.

root# dmraid -b

The above output says that there are two block devices on the system in the RAID, /dev/sda and /dev/sdb

But the most important command is

root# dmraid -s

The above command will show you the status of the RAID. This command will help you to find the health of the RAID.

You will get very useful status output using dmraid -s

Suppose you get a status that one of your drives in the RAID volume is not ok. In that case the RAID goes into degraded status. You need to rebuild the RAID if the RAID enters degraded status.

What will you do to rebuild the array?

To rebuild the RAID, first you have to replace the faulty disk with a new error-free disk and then issue dmraid -R RAID_Volume_name replaced_device. For example, if /dev/sdb was the faulty disk then the following command will rebuild the RAID

root# dmraid -R isw_abc /dev/sdb

Here the volume name is assumed to be isw_abc; you can find the volume name using dmraid -s

RHCS Components Port

RHCS (Red Hat Cluster Suite) consists of multiple components such as luci, ricci, dlm, totem etc. RHCS components are network daemons and run on specific tcp/udp ports.

Below are the details of the RHCS components' ports.

dlm tcp port: 21064
luci tcp port: 8084
ricci tcp port: 11111
modclusterd tcp port: 16851
totem udp port: 5404,5405

TCP Congestion Control

TCP congestion control shapes TCP traffic so that the receiver does not get flooded by a high rate of TCP packet transfer from the sender. TCP congestion is managed through a field in the TCP header known as Window. You can notice, in the following image, the window field of the tcp header is set to 8192

What is this value doing in TCP congestion control?

The TCP sender uses cwnd (congestion window) to control its transmission rate based on the feedback it gets from the receiver. In simple words you can say the tcp congestion window is an estimate of the maximum number of packets the receiver can accept without losing any packet.

In Linux more than one algorithm exists for tcp congestion control. I issued the following command to get the list of algorithms present on my CentOS 6.3 system

So on my system there are two tcp congestion control methods present; as you can see in the above image, these algorithms are cubic and reno

It is apparent that only one of these two is currently active and working as the tcp congestion control method

So here cubic is in place.
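As an added Python example (not from the post), the code below reads the Window field out of a raw TCP header, and also applies the window scale option that the 16-bit field alone omits, so the 8192 seen in a capture can be turned into the receiver's real advertised window; the header bytes are constructed, not captured.

```python
# Added example, not from the linuxmantra post: pull the Window field (8192 in
# the post's screenshot) out of a raw TCP header and apply the window scale
# option (kind 3) learned on the SYN, since the 16-bit field alone understates
# the real receive window. The header bytes used are constructed, not captured.
import struct
from typing import Dict, Optional

WSCALE_KIND = 3          # RFC 7323 window scale option
TCP_FIXED_HEADER = 20
SYN, ACK = 0x02, 0x10


def parse_tcp_header(data: bytes,
                     negotiated_shift: Optional[int] = None) -> Dict[str, Optional[int]]:
    """Parse the fixed header and walk the options for a window-scale option.
    negotiated_shift is the shift agreed on the SYN exchange; it is applied to
    non-SYN segments only, because a SYN's window is never scaled."""
    if len(data) < TCP_FIXED_HEADER:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, off_flags, window, _csum, _urg = struct.unpack(
        "!HHIIHHHH", data[:TCP_FIXED_HEADER])
    data_offset = (off_flags >> 12) * 4           # header length in bytes
    flags = off_flags & 0x1FF
    if data_offset < TCP_FIXED_HEADER or data_offset > len(data):
        raise ValueError("bad data offset")
    shift = None
    i = TCP_FIXED_HEADER
    while i < data_offset:                          # options are TLVs
        kind = data[i]
        if kind == 0:                               # end of option list
            break
        if kind == 1:                               # NOP padding, one byte
            i += 1
            continue
        if i + 1 >= data_offset:
            raise ValueError("truncated option")
        length = data[i + 1]
        if length < 2 or i + length > data_offset:
            raise ValueError("bad option length")
        if kind == WSCALE_KIND and length == 3:
            shift = min(data[i + 2], 14)            # RFC caps the shift at 14
        i += length
    applied = 0 if flags & SYN else (negotiated_shift or 0)
    return {"sport": sport, "dport": dport, "flags": flags, "window": window,
            "wscale": shift, "effective_window": window << applied}


def build_header(sport: int, dport: int, window: int, flags: int,
                 wscale: Optional[int] = None) -> bytes:
    """Construct a test header; the wscale option is padded with one NOP."""
    options = bytes([WSCALE_KIND, 3, wscale, 1]) if wscale is not None else b""
    data_offset = (TCP_FIXED_HEADER + len(options)) // 4
    fixed = struct.pack("!HHIIHHHH", sport, dport, 0, 0,
                        (data_offset << 12) | flags, window, 0, 0)
    return fixed + options
```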