vi editor in linux

The vi editor has two modes:

1. Insert mode

2. Command mode

Insert Mode:

In this mode we type the content of the file.

Command Mode:

In this mode we run most operations: searching for a word, copying, deleting, pasting, undoing changes, and so on.

Creating file using vi editor:

[root@server ~]# vi testfile

Once the above command has opened the file, press i to switch to insert mode. The line -- INSERT -- appears at the bottom of the screen while you are in insert mode.

~
~
~
~
~
~
~
-- INSERT --

Type the content of the file. Once done, press the Esc key to return to command mode and enter :wq to save and exit.

[root@server ~]# vi testfile
This is my test file
~
~
~
:wq

 

More vi options, all entered in command mode:

:q    quit the file without saving (vi refuses if there are unsaved changes; :q! discards them and quits)

:u    undo the last change

/     search for a word in the file

example:   /test

yy    copy (yank) the current line

<n>yy     copy n lines, e.g. 5yy

dd    delete the current line

<n>dd     delete n lines, e.g. 10dd

p     paste the copied or deleted lines below the line where the cursor is placed.

:set nu    show line numbers in the file.

 

 

Configuring LDAP based authentication in RHEL7

What is LDAP?

LDAP: Lightweight Directory Access Protocol

LDAP authentication allows client machines to authenticate against, and access, centralized data and services from different places.

Keeping services and data centralized makes them simple to maintain, and permissions can be granted or denied centrally.

 

Installing Openldap:

[root@server ~]# yum -y install openldap*

 

Make sure SELinux does not deny LDAP lookups. For that, enable the booleans below on both server and client (a boolean is turned on with =1; -P makes the setting persistent across reboots):

[root@server ~]# setsebool -P allow_ypbind=1 authlogin_nsswitch_use_ldap=1

Now enable slapd so that it starts at boot, and start the service:

[root@server ~]# systemctl enable slapd
[root@server ~]# systemctl start slapd

Because slapd runs as the ldap user, that user must own /var/lib/ldap. By default the directory belongs to root, the administrator who created it,
so we change its owner and group to ldap. Before that, copy the sample slapd database configuration into /var/lib/ldap under the name DB_CONFIG.

Note: the sample slapd database configuration file is available at /usr/share/openldap-servers/DB_CONFIG.example

 

[root@server ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
cp: overwrite ‘/var/lib/ldap/DB_CONFIG’? y

Now change the owner to the ldap user, recursively, for that directory.

 

[root@server ~]# chown -R ldap:ldap /var/lib/ldap

 

Now set a password for the LDAP admin user and keep a copy of the generated hash for later use.

[root@server ~]# slappasswd
New password:
Re-enter new password:
{SSHA}Kp/mCASZRf/dBKNHKOxg4O5lEt7vyiRB

 

LDAP configuration files are stored under /etc/openldap/slapd.d/.
We need to update the olcSuffix and olcRootDN attributes.

olcSuffix: the base DN (domain) for which this LDAP server provides information.
olcRootDN: the administrator entry (Root Distinguished Name), which has full permissions to perform operations, like root.

olcRootPW: password of the above user. Store the hash printed by slappasswd; slapd also accepts a cleartext value here, so take care not to paste the password itself.

 

The above entries are stored in the /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif file.
Note: editing that file by hand is not advisable, so we create an ldif file and apply it with the ldapmodify command.

 

Now create the db.ldif file with the following contents:

[root@server cn=config]# vi db.ldif

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=lbcdomain,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=ldapadm,dc=lbcdomain,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}Kp/mCASZRf/dBKNHKOxg4O5lEt7vyiRB

Save and exit.

Once the file is created with the above content, execute the command below:

[root@server cn=config]# ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

[root@server cn=config]#

 

Apply changes to the /etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif file to restrict monitor access to the LDAP root user only.

 

[root@server ~]# vi monitor.ldif

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=ldapadm,dc=lbcdomain,dc=com" read by * none

 

Save and exit from the file.

Once the file is created with the above content, send the configuration to the LDAP server with the ldapmodify command.

 

[root@server cn=config]# ldapmodify -Y EXTERNAL -H ldapi:/// -f monitor.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"

[root@server cn=config]#

 

Creating LDAP Certificate:

Now create a self-signed certificate and private key for the LDAP server in the /etc/openldap/certs/ directory with the command below. Two points to keep in mind when answering the prompts: clients validate the certificate against the host name they connect to, so the Common Name should be the server's fully qualified host name rather than a label; and -nodes writes the private key unencrypted so slapd can read it at start-up without a passphrase, which is why the key file's permissions matter.

[root@server cn=config]# openssl req -new -x509 -nodes -out /etc/openldap/certs/lbcdomainldapcert.pem -keyout /etc/openldap/certs/lbcdomainldapkey.pem -days 365
Generating a 2048 bit RSA private key
..........................................................................................................................................................................................................................+++
................+++
writing new private key to '/etc/openldap/certs/lbcdomainldapkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Tamilnadu
Locality Name (eg, city) [Default City]:Chennai
Organization Name (eg, company) [Default Company Ltd]:Linux Book Center
Organizational Unit Name (eg, section) []:Linux Book Center
Common Name (eg, your name or your server's hostname) []:Server
Email Address []:[email protected]

 

Now change the owner and group of the certificate and key files. The listing below shows the key file with mode 0644, which lets every local account read it; a private key should be readable by its owner only (mode 0600).

[root@server cn=config]# chown -R ldap:ldap /etc/openldap/certs/*.pem

[root@server certs]# ll | grep pem
-rw-r--r--. 1 ldap ldap 1480 Aug 15 11:32 lbcdomainldapcert.pem
-rw-r--r--. 1 ldap ldap 1708 Aug 15 11:32 lbcdomainldapkey.pem

 

Create certs.ldif file to configure LDAP to use secure communication using self signed certificates.

[root@server certs]# vi certs.ldif

dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/lbcdomainldapcert.pem

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/lbcdomainldapkey.pem

Once the file is created, import the certificate configuration with the ldapmodify command below:

[root@server certs]# ldapmodify -Y EXTERNAL -H ldapi:/// -f certs.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

modifying entry "cn=config"

[root@server certs]#

 

Use the below command to verify the configuration:

[root@server certs]# slaptest -u
5992a281 UNKNOWN attributeDescription "CHANGETYPE" inserted.
5992a281 UNKNOWN attributeDescription "REPLACE" inserted.
5992a281 is_entry_objectclass("olcDatabase={2}hdb,cn=config,cn=config", "2.16.840.1.113730.3.2.6") no objectClass attribute
5992a281 is_entry_objectclass("olcDatabase={1}monitor,cn=config,cn=config", "2.16.840.1.113730.3.2.6") no objectClass attribute
config file testing succeeded

The UNKNOWN attributeDescription and is_entry_objectclass warnings come from db.ldif and monitor.ldif having been created inside /etc/openldap/slapd.d/cn=config/ (note the cn=config prompt above): slaptest reads every ldif file in that tree as a configuration entry, which is why it reports DNs ending in cn=config,cn=config. Keep working ldif files outside slapd.d, or delete them once they have been applied.
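As an added example (not from the original post), a small POSIX shell script that checks two things the steps above leave open: that olcRootPW in db.ldif holds a slappasswd hash rather than a cleartext password, and that the TLS private key is owned by the expected user and not world-readable (the ll listing above shows 0644). The function names are mine; the sample ldif and key files are constructed inside the script, and the owner check uses the current user so it runs anywhere (pass ldap on the real server).

```shell
#!/bin/sh
# Added example, not part of the original post: two checks a reviewer would run on
# the slapd setup above. The user name "ldap" and the {SSHA} hash are the page's;
# the sample files below are constructed here so the script runs offline.

# Pass (0) if every olcRootPW in an ldif carries a hash scheme prefix such as
# {SSHA}; fail (1) on a cleartext value, a base64 "olcRootPW::" line (decode
# and inspect it) or no olcRootPW at all. slapd accepts cleartext here, so
# nothing else stops a typo from storing the admin password in the clear.
check_rootpw_hashed() {
    found=0
    for pw in $(awk 'tolower($1) == "olcrootpw:"  { print $2 }
                     tolower($1) == "olcrootpw::" { print "BASE64" }' "$1"); do
        found=1
        case "$pw" in
            \{[A-Za-z0-9-]*\}?*) ;;          # {SSHA}..., {CRYPT}..., {SHA}...
            *) return 1 ;;
        esac
    done
    [ "$found" -eq 1 ]
}

# Pass (0) if the TLS private key is owned by $2 and carries no permission
# bits for "other"; fail (1) otherwise. The listing on the page shows the key
# as 0644, which lets every local account read it.
check_key_private() {
    info=$(ls -ld "$1" 2>/dev/null) || return 1
    mode=${info%% *}                                # e.g. -rw-------.
    owner=$(printf '%s\n' "$info" | awk '{ print $3 }')
    others=$(printf '%s\n' "$mode" | cut -c8-10)
    [ "$owner" = "$2" ] && [ "$others" = "---" ]
}

# Constructed sample inputs (not real server files).
tmp=$(mktemp -d)
printf 'dn: olcDatabase={2}hdb,cn=config\nchangetype: modify\nreplace: olcRootPW\n' > "$tmp/db.ldif"
printf 'olcRootPW: {SSHA}Kp/mCASZRf/dBKNHKOxg4O5lEt7vyiRB\n' >> "$tmp/db.ldif"
printf 'olcRootPW: secret123\n' > "$tmp/bad.ldif"
: > "$tmp/ldapkey.pem" && chmod 600 "$tmp/ldapkey.pem"
check_rootpw_hashed "$tmp/db.ldif"  && echo "db.ldif: olcRootPW is hashed"
check_rootpw_hashed "$tmp/bad.ldif" || echo "bad.ldif: olcRootPW is cleartext"
check_key_private "$tmp/ldapkey.pem" "$(id -un)" && echo "key: owner and mode ok"
rm -rf "$tmp"
```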

LDAP Database creation:

The sample database configuration is at /usr/share/openldap-servers/DB_CONFIG.example (this repeats the copy made earlier, which is harmless). Copy it into /var/lib/ldap and fix the ownership.

[root@server certs]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@server certs]# chown ldap:ldap /var/lib/ldap/*

Add the cosine, nis and inetorgperson LDAP schemas:

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

 

[root@server certs]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
ldap_add: Other (e.g., implementation specific) error (80)
 additional info: olcAttributeTypes: Duplicate attributeType: "0.9.2342.19200300.100.1.2"

 

[root@server certs]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
ldap_add: Other (e.g., implementation specific) error (80)
 additional info: olcAttributeTypes: Duplicate attributeType: "1.3.6.1.1.1.1.2"
[root@server certs]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"
ldap_add: Other (e.g., implementation specific) error (80)
 additional info: olcAttributeTypes: Duplicate attributeType: "2.16.840.1.113730.3.1.1"

The "Duplicate attributeType" error (80) on all three means each schema is already loaded in cn=config, for example because the commands had been run once before; it can be ignored. A schema that is truly missing is added with the "adding new entry" line and no error.

 

Now create the ldif file for our domain:

[root@server certs]# vi base.ldif

dn: dc=lbcdomain,dc=com
dc: lbcdomain
objectClass: top
objectClass: domain

dn: cn=ldapadm,dc=lbcdomain,dc=com
objectClass: organizationalRole
cn: ldapadm
description: LDAP Manager

dn: ou=People,dc=lbcdomain,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=lbcdomain,dc=com
objectClass: organizationalUnit
ou: Group

Now build the directory structure:

[root@server certs]# ldapadd -x -W -D "cn=ldapadm,dc=lbcdomain,dc=com" -f base.ldif
Enter LDAP Password:
adding new entry "dc=lbcdomain,dc=com"
ldap_add: Already exists (68)

ldapadd stops at the first error, so "Already exists (68)" on the base entry means it was added on an earlier run and the remaining entries in base.ldif were not processed. Re-run with ldapadd -c (continuous operation mode) to skip entries that already exist and add the rest.

 

The LDAP server is now configured; next we will use LDAP credentials to access centralized data and services such as an NFS share.

 

What is SELinux?

SELinux stands for Security-Enhanced Linux. It is a set of security modules/policies applied to a machine to increase the overall security of the server. The modules are loaded into the kernel and consulted
whenever files and services are accessed, which improves security. It came with RHEL5 and is more secure compared to PAM and initd.

Modes in SELinux:

Enforcing:
In this mode the policy is enforced strictly: every access the policy does not allow is denied.

Permissive:
In this mode SELinux only logs a warning when the policy is breached; nothing is denied.

Disabled:
In this mode SELinux is completely turned off.

Policy types in SELinux:
SELinux uses two policy types.
Targeted – only targeted processes/services are confined by SELinux
MLS – Multi-Level Security protection

Command to check the current SELinux mode:

[root@server ~]#getenforce
permissive

The output is the current mode: Enforcing, Permissive or Disabled.

Command to check SELinux status in summary:

[root@server ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28

 

Command to check SELinux status in detail, including the policy booleans:

[root@server ~]# sestatus -b
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28

Policy booleans:
abrt_anon_write off
abrt_handle_event off
abrt_upload_watch_anon_write on
antivirus_can_scan_system off
antivirus_use_jit off
auditadm_exec_content on
authlogin_nsswitch_use_ldap off
authlogin_radius off
authlogin_yubikey off
awstats_purge_apache_log_files off
boinc_execmem on
cdrecord_read_content off
cluster_can_network_connect off
cluster_manage_all_files off
cluster_use_execmem off
cobbler_anon_write off

How to disable SELinux?

SELinux can be disabled in two ways.

1. To disable it permanently, edit the /etc/selinux/config file and change SELINUX=enforcing to
SELINUX=disabled. The change takes effect at the next reboot.

 

2. To disable it temporarily, execute one of the commands below. This only switches the running policy from enforcing to permissive until the next reboot: denials are logged but no longer blocked. On RHEL 7 selinuxfs is mounted at /sys/fs/selinux (see the sestatus output above), so the enforce file is /sys/fs/selinux/enforce; /selinux/enforce is its location on RHEL 5 and 6.

 #echo 0 > /selinux/enforce

or

 #setenforce 0

How to enable SELinux?

As above, SELinux can be enabled in two ways.

1. To enable it permanently, edit the /etc/selinux/config file and change SELINUX=disabled to
SELINUX=enforcing, then reboot. Files created while SELinux was disabled carry no security labels, so a relabel of the filesystem is usually needed on that boot (touch /.autorelabel before rebooting).

2. To enable it temporarily, execute one of the commands below. This switches a permissive system to enforcing; it cannot enable SELinux on a system that was booted with SELINUX=disabled.

 #echo 1 > /selinux/enforce

or

 #setenforce 1
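As an added example (not from the original post), a POSIX shell script that parses sestatus -b output and /etc/selinux/config the way the commands above show them, and reports whether a host is in the state the LDAP setup earlier on this page needs: enforcing now and in the config file, with the LDAP booleans on. The captured output and the config file below are constructed samples, and the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the original post: parse the state that sestatus -b
# and /etc/selinux/config expose and check what the LDAP walkthrough above needs.
# It works on captured text so it runs offline; on a live host pass
# "$(sestatus -b)" and /etc/selinux/config instead of the samples below.

# SELINUX= value from a config file, lower-cased; "unset" if the key is missing.
config_mode() {
    v=$(sed -n 's/^[[:space:]]*SELINUX[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1)
    if [ -n "$v" ]; then printf '%s\n' "$v" | tr 'A-Z' 'a-z'; else echo unset; fi
}

# "enforcing"/"permissive" from captured sestatus output, or "disabled" when
# sestatus reports SELinux as disabled (it prints no "Current mode" line then).
current_mode() {
    printf '%s\n' "$1" | awk -F': *' '
        $1 == "SELinux status" && $2 == "disabled" { print "disabled"; exit }
        $1 == "Current mode" { print tolower($2); exit }'
}

# "on"/"off" for one boolean in "sestatus -b" output, "absent" if not listed.
boolean_state() {
    printf '%s\n' "$1" | awk -v b="$2" '$1 == b { print $2; f = 1 } END { if (!f) print "absent" }'
}

# 0 when the host is in the page's target state: enforcing now and after reboot,
# and every boolean named in $3... is on. Prints each gap it finds.
# $1 = sestatus -b output, $2 = config file path, $3... = required booleans
selinux_ready() {
    out=$1; cfg=$2; shift 2; ok=0
    [ "$(current_mode "$out")" = enforcing ] || { echo "current mode is not enforcing"; ok=1; }
    [ "$(config_mode "$cfg")" = enforcing ]  || { echo "config file mode is not enforcing"; ok=1; }
    for b in "$@"; do
        s=$(boolean_state "$out" "$b")
        [ "$s" = on ] || { echo "boolean $b is $s"; ok=1; }
    done
    return $ok
}

# Constructed inputs: the page's own sestatus -b lines, trimmed to what matters.
# (On RHEL 7 the page's allow_ypbind is an alias of nis_enabled, the name sestatus lists.)
captured='SELinux status:                 enabled
Current mode:                   permissive
Mode from config file:          permissive
Policy booleans:
authlogin_nsswitch_use_ldap     off
nis_enabled                     off'
cfg=$(mktemp) && printf 'SELINUX=permissive\nSELINUXTYPE=targeted\n' > "$cfg"
selinux_ready "$captured" "$cfg" authlogin_nsswitch_use_ldap nis_enabled || echo "host is not ready for LDAP logins"
rm -f "$cfg"
```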

 

Command to list all the modules:

[root@server ~]# semodule -l
abrt
accountsd
acct
afs
aiccu
aide
ajaxterm
alsa
amanda
amtu
anaconda
antivirus
apache
apcupsd
apm
application

Command to enable a module:

In the command below, the -v option shows what the command is doing.

[root@server ~]# semodule -v -e application
Attempting to enable module 'application':
Ok: return value of 0.
Committing changes:
Ok: transaction number 0.

Command to disable a module:

[root@server ~]# semodule -v -d application
Attempting to disable module 'application':
Ok: return value of 0.
Committing changes:

 

Linux Basic Commands: ls, mkdir, rm, cd, pwd, cat, touch

The ls command lists files and directories.

[root@server ~]# ls
192.168.0.101 Downloads ks.cfg Pictures Templates
file25 localhost Public testscript1.sh
file26 mem.sh testscript.sh

ls -a lists all entries, including hidden files (those whose names begin with a dot).

[root@server ~]# ls -a
. chandu forloop1 Music sedfile
.. .config forloop2.sh numbers server
192.168.0.101 .cshrc hst.txt output .ssh
abu data .ICEauthority output1 tcp.txt

The mkdir command creates a directory.

[root@server ~]# mkdir test

To delete a directory, use rm -rf with the directory name (-r removes its contents recursively, -f suppresses the confirmation prompts).

[root@server ~]# rm -rf test

cd <dir_name> changes to the named directory.

[root@server ~]# cd data

cd ~ changes to the home directory of the current user.

[root@server ~]# cd ~
[root@server ~]# pwd
/root

cd .. changes to the parent directory of the present working directory.

[root@server ~]# cd ..
[root@server /]# pwd
/

The pwd command prints the present working directory.

[root@server etc]# pwd
/etc

The rm command removes a file; here it asks for confirmation first because the root shell on RHEL aliases rm to rm -i.

 

[root@server ~]# rm file1
rm: remove regular empty file ‘file1’? y

To delete a file without the confirmation prompt, use the -f option.

[root@server ~]# rm -f file1

We will use the vi editor, cat and touch to create files. The touch command creates an empty file.

[root@server ~]# touch file1

The vi editor is covered in its own post, because it has many operations to explain; now we look at the cat command.

Creating and reading a file using the cat command:

cat > file2 writes what you type to file2. After entering the content, press Enter to finish the line and then Ctrl+C to stop cat and return to the prompt; the lines already typed are kept. Ctrl+D (end of input) ends the file more cleanly and gives the same result.

To read a file use cat <filename>, as shown below.

[root@server ~]# cat > file2
This is a test file
^C
[root@server ~]# cat file2
This is a test file

Use the command below to append the content of one file to another. This does not remove the existing content of the target file; it adds the lines after the last line.

Even if file3 does not exist yet, it is created automatically and the content of file2 is copied into it.

[root@server ~]# cat file2 >> file3

The command below concatenates the content of two files into a single file. To add to an existing file, use >> instead of >: >> appends without deleting or modifying the existing content, whereas > overwrites the target file.

[root@server ~]# cat file2 file3 > file4