LDAP client connection

I have the DNS name : server.exemple.com
I have top domain: .com
I have subdomain: exemple
I have a leave object: server
In LDAP can have something like:
lisa.example.com
In LDAP is not write that way. This is DNS way. In LDAP.
the domain will be dc (domain container)
dc=com
dc=example
For leave objects will use “common name”: cn=server
cn=lisa,dc=example,dc=com
Is not using “.”, is using “,”.
When setup the connection to LDAP must setup the “base context”. This is like search domain in DNS. Is the starting point where the client should look for objects.
The base content must be setup before and then the user will use it to login.
Steps to login to LDAP:
1. find the binary for login:
# which login
Those binaries are used by user to connect to anything.
Those binaries is using library files. Find the library files:
# ldd /bin/login
The libpam.so library is a plugin to login which add functionality to login command.
PAM is from Pluggable Authentication Modules.
The authentication module is in /etc/pam.d/ directory. Here are configuration files for any kind on authentication. Here is the configuration file for login:
# /etc/pam.d/login
Here is defined what is happening when system is starting. “auth” is the common definition for login procedure of any process which is related to user authentication.
Check the system-auth file:
# vi /etc/pam.d/system-auth
The line with pam.unix.so is telling Linux to check local login mechanism. If that is not successful the user will go to pam_ldap.so. This will search the user to LDAP. This is how internal programs know about LDAP.

Use:
# authconfig
or
# authconfig-tui
graphical interface configuration:
# yum install authconfig-gtk -y
Need additional packages (Name Server Cache Daemon). Is caching the information on local server during working with Authentication.
Also we need nss-pam-ldap. This will resolve local name resolution and send to LDAP. Also we need the libraries for make local authentication: pam_ldap. I need all of these.
# yum install nscd nss-pam-ldap pam_ldap -y
Now I can lunch the graphical authconfig:
# authconfig-gtk
or can use authconfig-gui but on exam is easy with gtk.
I have to setup the user account to use LDAP database.
The error with /lib64/security/pam_krb5.so is related to kerberos and since we are not using, is OK. But in order to have the package complete, is ok to be installed.
Kerberos is in RHCE course.
Authentication method to LDAP password.
LDAP Search Base DN: dc=example,dc=com
LDAP server name. IP addresses is not working: ldap://server.example.com. Is not working with name because the name should match the name from certificate and the certificate is for name not the IP.
Check TLS to encrypt connection, download certificate from ftp://server.example.com/pub/certification.pem. Click Apply.

Modifying nslcd Configuration
Many things happening when connecting using LDAP process. Those are related to nslcd process:
# systemctl status nslcd
The file /etc/nsswitch.conf is the configuration file used by client in order to connect to LDAP server.

Is show that first is loking in file system and after that in sss (is not used anymore) and after that in ldap.
pam – pluggable authntication modules – is using also nslcd.
The directory /etc/pam.d/ have configuration files for LDAP.
the file /etc/pam.d/login have the definition on what should happen when user will login. The most important is system-auth
To find the LDAP server we need the nslcd.
# less /etc/nslcd.conf
There is an nscd file which is not related to LDAP.
Here is the URI and base context of LDAP server.
Also there are information about downloaded certificate.
Check also /var/log/messages

useradd

# useradd –help
-e wait an expiration date but not say the format.
# man useradd
/-e YYYY-MM-DD
Since the user is a C programmer want the C shell:
# useradd -c myuser -e 2015-12-05 -s /bin/tcsh laura
Add people to group
# usermod –help
-g – is for primarry group
-G – is a new list of secondary should not be use because will OVERWRITE the current groups.
-a should be used because is appending.
# id laura
# usermod -aG account laura
/etc/passwd – every user account have his own account.
/etc/shadow – is for passwords. Password is hash
/etc/group
/etc/login.defs – definitions for creating users.
/etc/default/useradd – this is the default for useradd.
skeleton from home directory.
/etc/skel – is used for copy files into new users directory.
Can add files here which will be used for creating users.
# passwd –help
-d delete, -l lock,, -e expire, -w warning, etc.
# chage -E 2015-07-01 laura
# /etc/shadow – have the details about the account of user.
4. expire password in 40 days. Not the account to expire
# passwd -x 90 lisa

connection using ssh

# ssh localhost – connect to localhost
accept keyFingerprint. This is because the key cannot be verified.
# exit – exit from ssh connection
# ssh -p 2022 user@server.com
Key fingerprint is stored into:
# ~/.ssh/known_hosts
If the key fingerprint is wrong, there will be: Add correct host key in …… this is happening because the server has been installed on same IP address and key fingerprint from computer don’t match the key fingerprint from server. In order to restore the error, delete the key fingerprint from client. Identify the line from
# ~/.ssh/known_hosts
and delete it using dd from vim.
On server check the settings from:
# vim /etc/ssh/sshd_config

Create public/private key pair.
# ssh-keygen
The private key /home/user/.ssh/id_rsa will be created. Enter the passphrase in order to use this key.
The public key is created:
/home/user/.ssh/id_rsa.pub.
Copy public key to server:
# ssh-copy-id localhost
Use the password for remote user.
In order to copy to a remote host:
# ssh-copy-id -p 9822 user@domain.com
The option -i is useful when the file.pub is not located and have to manually insert the path to that file.
Test it:
# ssh -p 9822 user@domain.com
scp is for secure copy. Is used for copy files:
# scp -P 9822 /local/filename nameOfServer:/path/to/file
Is using “P” for port and not “p” because “p” is used for preserve the files attributes

test it:
1. Open a console and login as root.
ctrl+alt+F2 and login as root.
ctrl+alt+F1 – return to console.
2. from console login to localhost.
# ssh localhost
3. exit to close the session
# exit
4. create a ssh key pair.
# ssh-keygen > file for private > password (could be none)
5. use the key pair in order to login.
# ssh-copy-id localhost

working with cut, translate, sed, awk

# cut -f 1 filename – filter a file.
Cut is using a separator for fields.
# cut -f 1 -d : /etc/passwd

# tr – translate is replace characters. It works with pipe | in order to work with the output from other command.
# echo hello | tr a-z A-Z
This command is show all uppercase.
This is working ok if there are not different letters.
# echo hello | tr [:lower:] [:upper:]
# man tr
and awk was for file processing. Now there are not used anymore.
# sed 2q /etc/passwd
show the first 2 lines from file
# sed -n /^root/p /etc/passwd
Sed is not using anymore because there are other commands which are nice: grep.
# cp /etc/passwd ~
Replace an user with something else:
# sed -i ‘s/linda/julia/g’ passwd
awk is doing many things which can be done with other tools. Cutting information:
# ps aux | grep apache
# ps aux | grep apache | cut -f 2
or
# ps aux | grep apache | awk ‘{ print $2 }’

1. Use head and tail to display the 5th line of file /etc/passwd
# head -n 5 /etc/passwd | tail -n 1
2. use sed to do the same.
# sed -n ‘5p’ /etc/passwd
3. use awk to filter the first column out of the results of command ps aux
# ps aux | awk ‘{ print $1 }’
4. use grep to show the names of all files in /etc that have lines starting with the text ‘root’
# cd /etc
# grep ^root * 2> /dev/null

work with tar

tar is tape archive
c- create
v – verbose
f – name of file
# tar cvf /home/user.tar /directoryToBeCreated
# file fileName (show shich kind of file is)
z is for compression to tgz
# tar czf /home/user.tar /directoryToBeCreated
Before check what is in side:
# tar tvf filename
The directory names are relative.
Extract:
# tar xvf
Ordering is important !!!!
-C switch to specific directory:
# tar xvf archiveName.tar -C /tmp
I’m backup the configuration files and after that If I’m removing a configuration file, I can restore it like this:
# tar xvf /root/etc.tar -C / etc/wgetrc
(I’m using etc/wgetrc in order to extract only a file from archive).

links

# ls -il /etc/hosts
-l long listing and -i is inode
# ln sourceFile destinationFile
# ln /etc/hosts computers
symbolic:
# ls -s sourceFile destinationFile
# ls -s /etc/hosts computers
On soft links the permissions are differents and in pointing to another inode.
Normal user cannot create hard links for /etc/shadow.
Can link to files where you have at least READ permissions.

Install Oracle Virtualbox Additions on Centos 7 Guest VM

Update and install dependencies
yum -y update kernel*
reboot -r now
yum install -y gcc kernel-devel kernel-headers dkms make bzip2 perl
export KERN_DIR=/usr/src/kernels/`uname -r`

or Install dependencies
# sudo yum groupinstall “Development Tools”
# sudo yum install kernel-devel

Mount the Virtualbox Additions CD ISO

# su –
# mkdir /media/cdrom/
# mount /dev/cdrom /media/cdrom/
# cd /media/cdrom/
# ./VBoxLinuxAdditions.run

# yum install VirtualBox-4.1

https://wiki.centos.org/HowTos/Virtualization/VirtualBox
https://www.gaggl.com/2014/07/install-virtualbox-additions-on-centos-7-guest-vm/

CentOS 7 VirtualBox Guest Additions Installation

To change or not to change…

2015-10-18_11-14-46
Once in a while I’m receiving notifications in order to approve the new therms and conditions of a well known search engine. This in not so bothering to me but what is bothering is the way they do it. Is so tricky and pervert. They don’t say what exactly they changed and they don’t say that they change it πŸ™‚ but they let you know that they change it. So…what is status? Have they changed something? There is an historical with all changes in past 10 years?
And what I like is that they call it a “privacy reminder”. This means that they have done something to my privacy rights but they don’t say what and they just remind me that something is not OK and I should read….

SSH without password using Putty

Those to links are useful:
http://www.howtoforge.com/how-to-configure-ssh-keys-authentication-with-putty-and-linux-server-in-5-quick-steps
http://www.tonido.com/blog/index.php/2009/02/20/ssh-without-password-using-putty/#.VcMLSvmqpn8

Force User to Change Password at First Login

Create user β€œuser”:
# useradd user

Create password for the user
# passwd user
Set the password to expiry:
#chage -d 0 user

Setting it default for all new Users:
#vi /etc/default/useradd
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=0 #(need to add zero “0”)
SHELL=/bin/bash
SKEL=/etc/skel
GROUPS=video
CREATE_MAIL_SPOOL=no
UMASK=022
This file contains the details, what all settings will be applied to the new users created into the system with useradd command.
Just set the value of EXPIRE=0 in this file, and every time when a new user will be created, will be forced to change the password at first login.

password duration:
for new accounts default settings are in /etc/login.defs
settings for current accounts are in /etc/shadow but we edit by command chage
chage -l [user] #check settings for user
chage -E “YYYY-MM-DD” [user] #set date when account expire, -1 means never
chage -M [nr] [user] #set maximum number of days between password change from last password change, -1 means never expire
chage -d “YYYY-MM-DD” [user] #set last password change
chage -W [nr] [user] #number of days of warning before password expires
chage -i [nr] [user] #set password inactive, when account is blocked after password expire

Thanks to:
http://studyhat.blogspot.be/2011/12/force-user-to-change-password-at-first.html

another way:
# yum install chage
List the password and its related details for an user
# chage –-list username
(or)
# chage -l username
!!!Is not working for same user.

Set Password Expiry Date for an user using chage option -M
# chage -M number-of-days userName
# chage –list userName
Set the Account Expiry Date for an User:
# chage -E “2015-11-29” userName
# chage -l userName

Force the user account to be locked after X number of inactivity days:
# chage -I 10 userName
# chage -l userName

Disable password aging for an user account:
# chage -m 0 -M 99999 -I -1 -E -1 userName
# chage –list userName

Thanks to:
http://www.thegeekstuff.com/2009/04/chage-linux-password-expiration-and-aging/
http://www.cyberciti.biz/faq/rhel-debian-force-users-to-change-passwords/