Install & Configure OpenLDAP in Linux

I’m doing this only because I’ve done this multiple times and never documented it and had to go through and do multiple google searches each time. Hopefully this is the last time.

First off, install the OpenLDAP server and clients. I’ll install the client on the server too so that I can troubleshoot easily. If you’re using iptables, you’ll need to open up ports 389 and 636 as well.

yum -y install openldap-clients openldap-servers

Next, I want some logging so that I have messages to look at if I need to troubleshoot. Here’s how to enable the syslog side of logging. How much detail slapd itself sends to syslog is configured on the server side in cn=config.

mkdir /var/log/openldap
echo "local4.* /var/log/openldap/openldap.log" >> /etc/rsyslog.conf
systemctl restart rsyslog

Configuring TLS for OpenLDAP. This just edits the /etc/sysconfig/slapd file and adds ldaps to it so that slapd will listen on that port as well.

sed -i "s,ldap:///,ldap:/// ldaps:///," /etc/sysconfig/slapd

Restart the LDAP server for ldaps to take effect.

systemctl start slapd
systemctl enable slapd

Extend the schema of OpenLDAP so that it accepts a bunch of the common attributes that typical directory servers have. The attached adschema is there to support the memberOf attribute, commonly used by AD servers. You can put that file anywhere you want. I happened to do this in Vagrant, so my file was in /vagrant.

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /vagrant/adschema.ldif

I’m also extending the schema using some of the schema files provided by OpenLDAP itself.

Now it’s time to configure the rootdn. This is basically the top of the LDAP tree. Download the config file and edit it: change the directory manager password and the rootdn to whatever you like. You can use dc=xxx or o=xxx.

ldapmodify -Y EXTERNAL -H ldapi:/// -f /vagrant/config.ldif

Now we can add the users. Here’s a sample ldif for the users. Obviously, you’ll need to change the directory to match your rootdn.

ldapadd -x -D cn=ldapadm,dc=poc,dc=segmentationpov,dc=com -w password -f /vagrant/directory.ldif

Congratulations! Your LDAP server is now running. You can test by running this:

ldapsearch -x -D cn=ldapadm,dc=poc,dc=segmentationpov,dc=com -b 'dc=poc,dc=segmentationpov,dc=com' objectclass=* -w password

It should return your entire directory that you uploaded in directory.ldif.
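The post’s config.ldif and directory.ldif are not reproduced here, so as an added example (not the post’s own files) here is a small script that generates both. It assumes CentOS/RHEL 7 packaging, where the default database lives at olcDatabase={2}hdb,cn=config; the suffix dc=poc,dc=example,dc=com, the user jdoe and the hash value are constructed placeholders. The one check it enforces is that olcRootPW is a slappasswd hash, not the cleartext password.

```shell
#!/bin/sh
# Added example, not the post's config.ldif or directory.ldif. Generates the two
# LDIFs the procedure applies. Assumptions: CentOS/RHEL 7 packaging (default
# database is olcDatabase={2}hdb,cn=config); suffix, user and hash are constructed.

# is_password_hash VALUE: true if VALUE looks like slappasswd output ({SSHA}...),
# so a cleartext olcRootPW never lands in cn=config.
is_password_hash() {
  case "$1" in
    '{SSHA}'*|'{SHA}'*|'{CRYPT}'*|'{MD5}'*|'{SMD5}'*) return 0 ;;
    *) return 1 ;;
  esac
}

# make_rootdn_ldif SUFFIX ROOTDN HASH: the cn=config change that sets the top of
# the tree and the directory manager. HASH comes from `slappasswd -s '...'`.
make_rootdn_ldif() {
  is_password_hash "$3" || {
    echo "make_rootdn_ldif: olcRootPW must be a slappasswd hash, not cleartext" >&2
    return 1
  }
  cat <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: $1
-
replace: olcRootDN
olcRootDN: $2
-
replace: olcRootPW
olcRootPW: $3
EOF
}

# make_directory_ldif SUFFIX HASH: a minimal tree (base entry, People, Groups,
# one POSIX user) using only object classes from the schema files loaded above.
make_directory_ldif() {
  first="${1%%,*}"        # e.g. dc=poc
  dcval="${first#dc=}"    # e.g. poc  (the dc attribute must match the first RDN)
  cat <<EOF
dn: $1
objectClass: top
objectClass: dcObject
objectClass: organization
o: $dcval
dc: $dcval

dn: ou=People,$1
objectClass: organizationalUnit
ou: People

dn: ou=Groups,$1
objectClass: organizationalUnit
ou: Groups

dn: uid=jdoe,ou=People,$1
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: jdoe
cn: Jane Doe
sn: Doe
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/jdoe
loginShell: /bin/bash
userPassword: $2

dn: cn=jdoe,ou=Groups,$1
objectClass: posixGroup
cn: jdoe
gidNumber: 10001
memberUid: jdoe
EOF
}

# Constructed values; the hash is a placeholder shaped like slappasswd output.
SUFFIX="dc=poc,dc=example,dc=com"
ROOTDN="cn=ldapadm,$SUFFIX"
HASH='{SSHA}placeholderHashFromSlappasswd'
OUT="$(mktemp -d)"

make_rootdn_ldif "$SUFFIX" "$ROOTDN" "$HASH" > "$OUT/config.ldif"
make_directory_ldif "$SUFFIX" "$HASH" > "$OUT/directory.ldif"
cat "$OUT/config.ldif" "$OUT/directory.ldif"
# To apply on the server (not run here); -y reads the bind password from a file
# so it does not end up in shell history or `ps` output the way -w does:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f "$OUT/config.ldif"
#   ldapadd -x -D "$ROOTDN" -y /root/ldapadm.pw -f "$OUT/directory.ldif"
```

Run it, inspect the two files, then apply them with the ldapmodify/ldapadd calls in the comment, substituting your own suffix and the hash from slappasswd.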

I enabled SSL earlier, but if you try an ldapsearch with SSL, you’ll get this:

[[email protected] certs]# ldapsearch -H ldaps://192.168.0.117:636 -x -D cn=ldapadm,dc=poc,dc=segmentationpov,dc=com -w password -b 'dc=poc,dc=segmentationpov,dc=com' objectclass=* -ZZ
ldap_start_tls: Can't contact LDAP server (-1)
additional info: TLS: hostname does not match CN in peer certificate

If you want to ignore this and move forward, the setting is on the client side: TLS_REQCERT never in /etc/openldap/ldap.conf tells the client not to check the server certificate at all. Just put in there:

TLS_REQCERT never

If you get a message like this:

[[email protected] certs]# ldapsearch -H ldaps://192.168.0.117:636 -x -D cn=ldapadm,dc=poc,dc=segmentationpov,dc=com -w password -b 'dc=poc,dc=segmentationpov,dc=com' objectclass=* -ZZ
ldap_start_tls: Operations error (1)
additional info: TLS already started

The issue is that you’re trying to start TLS in two places: an ldaps:// URL is already TLS from the first byte, and -ZZ then asks for StartTLS on top of that. You can omit the -ZZ and run like this:

ldapsearch -H ldaps://192.168.0.117:636 -x -D cn=ldapadm,dc=poc,dc=segmentationpov,dc=com -w password -b 'dc=poc,dc=segmentationpov,dc=com' objectclass=*

or run with the -ZZ like this:

ldapsearch -H ldap://192.168.0.117:389 -x -D cn=ldapadm,dc=poc,dc=segmentationpov,dc=com -w password -b 'dc=poc,dc=segmentationpov,dc=com' objectclass=* -ZZ

That’s just using the default certificate that comes with OpenLDAP. If you want to use your own certificate, you can put them in

ldapmodify -Y EXTERNAL -H ldapi:/// -f tls7.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
SV-LT-1361:Downloads altonyu$ openssl s_client -connect 192.168.0.117:636
CONNECTED(00000003)
depth=0 C = US, ST = CA, L = San Francisco, O = ShocKNetworK, CN = ldap.poc.segmentationpov.com, emailAddress = [email protected]
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = CA, L = San Francisco, O = ShocKNetworK, CN = ldap.poc.segmentationpov.com, emailAddress = [email protected]
verify error:num=21:unable to verify the first certificate
verify return:1
Certificate chain
0 s:/C=US/ST=CA/L=San Francisco/O=ShocKNetworK/CN=ldap.poc.segmentationpov.com/[email protected]
i:/C=US/ST=California/O=ShocKNetworK/OU=Security/CN=zangief.shocknetwork.com/[email protected]
Server certificate
-----BEGIN CERTIFICATE-----
MIIEqzCCA5MCCQCsXDM+kPyf+DANBgkqhkiG9w0BAQsFADCBljELMAkGA1UEBhMC
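Two things above are worth tying together: the TLS_REQCERT never workaround, which turns certificate checking off entirely, and the tls7.ldif that swaps in your own certificate but is not shown on the page. The script below is an added example, not the post’s files: it builds a throwaway CA and a server certificate for ldap.poc.segmentationpov.com (the CN in the s_client output above), runs the hostname-and-chain check that an LDAP client with TLS_REQCERT demand performs, and prints the ldap.conf lines and the cn=config LDIF that let the client keep verifying. The olcTLS* attributes are OpenLDAP’s own; all file paths and the CA name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): stand up a throwaway CA and a
# server certificate whose name matches the LDAP host, then run the check that
# TLS_REQCERT never switches off. Everything here is constructed; the host name
# is the CN from the post's openssl s_client output, the paths are assumptions.

WORK="$(mktemp -d)"
LDAP_HOST="ldap.poc.segmentationpov.com"

# make_test_pki DIR HOST: ca.pem/ca.key and server.pem/server.key under DIR.
# HOST goes into the subjectAltName, which is what clients match against.
make_test_pki() {
  printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' '[v3_ca]' \
    'basicConstraints = critical,CA:TRUE' 'keyUsage = critical,keyCertSign' > "$1/ca.cnf"
  openssl req -x509 -config "$1/ca.cnf" -extensions v3_ca -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Constructed Test CA" -keyout "$1/ca.key" -out "$1/ca.pem" >/dev/null 2>&1
  openssl req -new -config "$1/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/server.key" -out "$1/server.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\n' "$2" > "$1/san.cnf"
  openssl x509 -req -days 1 -in "$1/server.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -extfile "$1/san.cnf" -out "$1/server.pem" >/dev/null 2>&1
}

# verify_for_host DIR HOST: succeeds only if server.pem chains to ca.pem AND is
# valid for HOST. Connecting by IP, as the post does, fails this check, which is
# the "hostname does not match" error shown above.
verify_for_host() {
  openssl verify -CAfile "$1/ca.pem" -verify_hostname "$2" "$1/server.pem" >/dev/null 2>&1
}

# client_conf DIR: /etc/openldap/ldap.conf lines that trust this CA and keep
# verification on, instead of TLS_REQCERT never.
client_conf() {
  printf 'TLS_CACERT %s/ca.pem\nTLS_REQCERT demand\n' "$1"
}

# server_tls_ldif DIR: the cn=config change that points slapd at the new files
# (the post's tls7.ldif is not shown; these olcTLS* attributes are OpenLDAP's own).
server_tls_ldif() {
  cat <<EOF
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: $1/ca.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: $1/server.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: $1/server.key
EOF
}

make_test_pki "$WORK" "$LDAP_HOST"
verify_for_host "$WORK" "$LDAP_HOST" && echo "certificate accepted for $LDAP_HOST"
verify_for_host "$WORK" "192.168.0.117" || echo "certificate rejected when connecting by IP"
client_conf "$WORK"
server_tls_ldif "$WORK"
```

Apply the LDIF with ldapmodify -Y EXTERNAL -H ldapi:/// exactly as the post does for tls7.ldif, drop the two client_conf lines into /etc/openldap/ldap.conf, and then ldapsearch -H ldaps://ldap.poc.segmentationpov.com:636 verifies cleanly as long as you connect by the name in the certificate rather than by IP.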

Freeze your credit file!

I’m not one of those crazy fear mongers that like to talk about the end of the world, etc. I am a pessimist most of the time though. There have been tons of blog posts and even the media has told people to do this. It used to cost money to freeze your credit file. Because of security breaches, the government made this free. You should take advantage of this. The reason I’m posting this is because there are still many people I know that haven’t done this and very few people that I talk to have. You’ll hear about a new data breach once every few months or so and sometimes it’s big, sometimes it’s not. Regardless, your information is probably out there for purchase on the dark web. Back when Scott McNealy was CEO of Sun Microsystems, he said “You have zero privacy anyway … Get over it.” I think it’s truer today than ever.

That said, even if your data isn’t out there, you should protect yourself. One important way is to freeze your credit report. The links are below, but they can change at any time.

Note: You can unfreeze anytime for free and it’s instantaneous, but if you’re looking to get a bank loan, mortgage, credit card or something else that will require your credit to be checked, you might want to do that before freezing your credit files. If you have already frozen your credit files and need credit cards, etc, just ask them which credit bureau they’ll be running. Most banks will tell you. When they do, you can do temporary lifts and it’s a pretty simple process.

https://www.experian.com/freeze/center.html

Experian was hacked a few years ago and gave up a bunch of T-Mobile customer data.

https://www.equifax.com/personal/credit-report-services/credit-freeze/

Oops. I couldn’t freeze on Equifax’s website. Ended up having to call them. 888-298-0045. At least you can do it through the automated system. No need to talk to a person.

https://www.transunion.com/credit-freeze

TransUnion was hacked in 2019 and shared a bunch of data on Canadians.

All credit bureaus have been breached at some point. They will be hit again. Please, freeze your credit files.

Some additional things to do are to keep an eye on your finances and monitor your personal credit report and financial activity. Nearly every bank now will also do credit monitoring for free. Sign up if you need to. If your bank doesn’t do it, find one that does.

Some travel tips you must know and some you probably already know.

Some of these things are a little redundant with travel packing list post.

Install the travel apps. I use TripIt, Hopper, and a bunch of different airline apps. I’ve been told that Synchronize, Currency, and Speak&Translate are also quite useful. I also have Uber and Lyft. Different places will have other taxi apps e.g. Grab Taxi is Singapore’s best taxi app. Just check and install them before you go. I can tell you that Uber works in France and Australia.

Download streaming content onto your phone or tablet. Many places in the world now, including planes, have wifi, but you’ll be surprised how many places don’t. I recommend, if you’re using Netflix or whatever you’re using, downloading whatever your entertainment is just in case so you’re not too bored on a plane or in an airport or somewhere else.

Download offline maps. Google maps allows you to download offline maps of wherever you’re going onto your phone. Just in case you don’t have good service where you go, I recommend downloading the maps.

Find a good phone carrier. I think T-Mobile is probably the best carrier for travel considering the unlimited (slow) data in almost any country you go to. I also never need to change my number when visiting other countries. One trick my wife and I use is that we tether our phones to each other so that we can make regular phone calls for free while moving.

Carry a travel adapter. This is redundant with my travel packing list. Most plugs on airplanes are universal and European adapters tend to stay in much better than U.S. prongs.

Drink lots of liquids on the airplane. It’s very easy to get dehydrated on planes. It’s tempting to drink alcohol when it’s free, but I don’t drink alcohol often on planes and wouldn’t suggest it. Staying hydrated might help get over jet lag as well.

Be careful with the local water. Speaking of staying hydrated, find out if the local water is drinkable. Even if the local water is drinkable, it may not taste good, or it might be safe enough for locals but not for you. You might consider buying bottled water. You might also consider boiling the local water if you have a kettle in your hotel room. Sometimes, I drink boiled water when I run out of bottled water and the room’s mini bar is out.

Take down your hotel address. I love Google maps. Put your hotel address in your locations or favorites. Also take down the room number and put it in notes or something.

Beware of Free Public WIFI. You’re not sure who’s snooping on wifi. You might want to avoid using it or just using it for unimportant things like directions and stuff. You don’t know how safe it is. Consider using a VPN for surfing. It’ll slow you down, but might be more secure. I have lifetime subscriptions with VPNSecure.me and KeepSolid.

Subscribe to a VPN service. That’s one way to be able to view some of the content you’re used to watching at home, be it YouTube TV or something else.

Alert Your Bank and Credit Card Company of Your Travel Plans. This can help you avoid some embarrassment in some places. You don’t want to be on hold with your bank while far away.

Withdraw money from ATMs – do not exchange currency at counters. Currency exchange counters, especially at airports, are a total ripoff! I use ATMs at airports all the time though. First Republic bank reimburses all of my ATM fees and seems to give me the best rates.

Get a credit card without exchange / foreign transaction fees. Those exchange/foreign transaction fees could be quite expensive! There are plenty of credit cards out there now without the fees and that also give you some great travel rewards. Consider those. There might be an annual fee, but some annual fees are worth it. Some banks will waive or credit annual fees if you just spend some more money.

Spend money in their currency if your credit card does not have exchange fees. If they ask what currency you want to pay in, always pay in their currency if you have one of those no-fee credit cards. The rates are always better.

Use the hotel safe if possible. Prior to doing so though, check if the administrative code has been changed on the safe. You can find some videos on how to do that on YouTube, like in the one below.

Use the “Do Not Disturb” door hanger if there’s a physical one. Some now have a button for you to press so it may not make a difference. The reason I do is because first off, I don’t want to be disturbed when I’m in the room. Secondly, it’s easier for someone to think the room is theirs if all doors look alike. If yours has the door hanger, they’ll know the room isn’t theirs unless they used it also. The downside of this is that you will need to remove it if you want the room cleaned. Some hotels will give you more points if you don’t have the room cleaned. I don’t want people seeing my things so I often will leave the door hanger on the door and skip the cleaning service regardless of whether or not I get the additional points.

Have a backup! Keep some cash, identification (or copy of it), and a credit card with your luggage. Of course, keep some with you also.

Keep medication/contacts/toiletries on you! If you take any regular medication, always keep some in your carry-on, backpack, purse, or whatever you carry with you in case your luggage is lost. A set of extra contact lenses would help as well. A comb, toothpaste and toothbrush can come in handy in airport/airplane bathrooms. Some airlines are nice enough to provide you these things. Others may only do it in first class. I also like to have earplugs that I sometimes put under my headset.

Bring Clothes, just in case – Hopefully, you’ll never have to deal with lost luggage, but it never hurts to be prepared. I usually keep a shirt, pair of socks, and underwear in a ziplock bag in my backpack just in case.

Use your downtime. You can check into your hotel room well in advance nowadays with most hotels. I usually have Uber open immediately after landing. If you’re traveling for business, you can do your expense reports while waiting for a flight or in an Uber back to the hotel. It beats having to look for all of your receipts. I usually snap a photo immediately after getting it and just throw it away.

Carry a water filter bottle. I often bring my Brita bottle. If you’re not drinking bottled water, you can boil water and drink it as is. I like to use the Brita bottle because I always feel it makes my water taste a little better. Also with a straw, I drink way more water for some reason.

Keep some hand sanitizer with you! Considering that there are germs everywhere and that there’s a nasty Coronavirus around, carry a small bottle of hand sanitizer and spray it or rub some regularly. I dry out my hands every once in a while, but I fear getting sick on a trip more than anything!

Steal hotel laundry bags – they come in pretty handy for separating clean and dirty clothes. If I didn’t use some clothes, I just leave them in the bottom of the suitcase, put the bag on top of them, and throw the dirty clothes on top of that. That way, when you get home, you can just throw the dirty clothes right into the washer and put the clean clothes away.

Steal the hotel shampoo, conditioner, lotion, etc, but only if it’s good quality and you’re going to multiple cities. You never know if the hotel in the next city will have comparable ones unless you’re staying at the same hotels all the time.

What are your tips? Please share in the comments below! Thanks for reading!

My travel packing checklist

I wrote this list mainly for myself, but thought maybe others could benefit from this. No matter how much experience you have traveling, I think you’ll always run into something you forget. Hopefully this list can help you minimize those things and allow you to enjoy your trip more rather than you needing to get out and get something because of an emergency.

Medicine – obvious #1 on my list. It’s not always easy to get medications, especially in foreign countries. Bring the ones you need – anything that you’re prescribed. For me, luckily, I don’t take any prescription medicines except for Montelukast (Singulair) if I have an allergy. I guess you can’t predict allergies. For that reason, I carry Loratadine (Claritin) as well. At my last doctor’s visit, he asked me to try Zyrtec instead of the combination of the two, so I will do that next time. Aside from the allergy medications, I would recommend some of the common ones. These include Tylenol or Ibuprofen, NyQuil, etc. If you need pills for motion sickness, sleep aid, caffeine, etc., you probably want to bring some of those as well. Don’t assume that you’ll be able to buy medications abroad. Some over the counter medications in the US are not sold over the counter in other countries. I was shocked to hear that Ibuprofen was considered a strong medication in another country. I also carry stomach medication just in case I eat something bad. I use the Japanese one pictured below. If you have asthma, even if you haven’t had an attack in a long time, be sure to keep an inhaler and if you use a nasal rinse, you might want to bring a bottle and some salt packets. I usually just mix mine with cold bottled water, but most hotels have water kettles to boil water.

Glasses/contacts – I recommend having an extra set of each just in case. What can you do if you can’t see?

Toiletries – toothbrush, toothpaste, floss, maybe a small bottle of mouthwash. Unless you’re staying in Asia, your hotel will not likely have these available for you. They may have some available for sale, but I like to carry my own.

Charging cables – you don’t want to be desperate without a cable. Do whatever you can to avoid paying the tourist price for a crappy cable. In Las Vegas, they were trying to sell generic iPhone cables for $40! Bring your own cable. I like Anker cables, but will carry super cheap cables I get off Amazon as spares as I lose cables pretty often. I also have a couple of cables that charge both my watch and phone.

Nail clipper – I cut my nails almost every week and I’ve bought countless nail clippers abroad. I think it’s good to keep one with you just in case.

Shaving Razors – I’ve also bought many of these abroad. If you’re staying in Asia, most hotels will probably provide you some disposable ones. I would recommend that you have at least one set with you.

Noise-cancelling Headphones – Bose QC35II – I don’t travel without them. I turn them on while I’m on a plane even if I’m not listening to anything just to cancel out the noise. Like a friend said, “They’re expensive, but they’re worth it.”

Humidifier – I keep a little mini humidifier with me when I travel because hotels don’t usually have them. This one works great for me.

Travel power adapter – I keep one of these even if I’m traveling domestically. I recommend you get one of those that has USB charging. I use mine for a night light and USB charging. Additionally, most plugs on airplanes are universal and they tend to stay in much better than standard U.S. prongs. The one I use is this one.

Shoes/Slippers – If I’m traveling for work, I always keep a pair of sneakers in the luggage or the dress shoes in the luggage if I’m not heading for business the same day. Always have a set of sneakers or slippers just to be comfortable. I might also bring a pair of flip flops if I plan on swimming.

Extra underwear/socks – I always bring a couple of extra just in case there’s a flight delay or you get dirty for some reason, etc.

Workout clothes/Bathing suit – if you know that where you’re going will have a gym/pool, you should bring a set even if you don’t think you’ll have time to use the facilities. Many times, I’ve gone and been up at 5 am wondering what I should do. The gym is a great way to help you get over jet-lag.

WiFi hotspot – I have one of these so that I can share WiFi among my multiple devices – laptop/iPhone/iPad, but it’s becoming less and less necessary. United airplanes allow you to switch devices as you wish.

First aid kit – if you’re going to be outdoors and not staying at a nice hotel, bring a first-aid kit with you. Your first aid kit should have things like alcohol, Neosporin, itch cream, bandages, etc.

Portable battery – I don’t usually need/use it, but I carry a portable battery with me most of the time just in case. If you get one, get one that can charge with multiple interfaces – micro-USB and iPhone if you can find it. I use this one. It’s a bit heavy, but it has a high capacity and it charges very quickly.

Laundry detergent – I’m pretty cheap, so I almost never use the hotel laundry service. If I’m staying for more than a week or so, I would look for a laundromat and do the laundry myself if laundry machines are not available in the hotel. If they are, all the better. For this reason, I usually keep a couple of detergent pods in my suitcase as well.

Hope this helps! Please tell me about some of the things you pack in the comments. 🙂

Use yum to manage your packages and stop using rpm!

I hate seeing the RPMDB altered message when doing yum updates!

Transaction Summary
=======================================================================================================================
Install 1 Package
Upgrade 1 Package

Total size: 309 M
Is this ok [y/d/N]: y
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Warning: RPMDB altered outside of yum.

For that reason, I tell sysadmins when installing or upgrading rpms to use:

yum -y install <rpm file>

and to use

yum -y remove <rpm name>

to remove the rpm you want.

Solaris pkg upgrade fails with “maximum number of instances of the package which may be supported at one time on the same system has already been met” message

This message is pretty awesome, isn’t it? You can get this message when trying to upgrade a package. At least that’s what happened to me.

username# pkgadd -d .

The following packages are available:

  1  pkgname          pkgname

                          (sparc) version.sol5.sparc

Select package(s) you wish to process (or 'all' to process all packages). (default: all) [?,??,q]: 1

Processing package instance <pkgname> from </tmp/ven/solaris>

pkgname(sparc) version.sol5.sparc Illumio

Current administration requires that a unique instance of the <pkgname> package be created.  However, the maximum number of instances of the package which may be supported at one time on the same system has already been met.

 No changes were made to the system.

This issue is pretty easy to get around. You just need to point pkgadd at an admin file that has the right options. In my case, my admin file needed instance=overwrite:

mail=
instance=overwrite
partial=ask
runlevel=ask
# Require that our dependencies are met when installing.
idepend=quit
# However, if someone tries to uninstall us but another package depends on us,
# we should just warn them & ask if they want to proceed anyway.
rdepend=ask
space=ask
setuid=ask
conflict=ask
action=nocheck
networktimeout=60
networkretries=3
authentication=quit
keystore=/var/sadm/security
proxy=
basedir=default

If you’re using instance=ask, it works also. It’ll just ask you before overwriting.

Fooling around with pkgadd (Solaris packages)

I basically had a Solaris SVR4 package that I needed to install. I didn’t care if the package worked or not after it installed. This is what happened when it first failed.

pkgadd: ERROR: checkinstall script did not complete successfully

The installer said that I was missing a package, so I went into the pkgname/install/checkinstall script and just commented those lines out. After doing that, this happened.

[email protected]:/tmp# pkgadd -d .
The following packages are available:
1 pkgname pkgname
(i386) version
Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]:
Processing package instance from
pkgname(i386) version
company
Executing checkinstall script.
OS Release = 11.4
Processing package information.
Processing system information.
pkgadd: ERROR: packaging file is corrupt
file cksum <26912> expected <26914> actual
Installation of failed (internal error).
No changes were made to the system.

Obviously, there’s some sort of integrity check on the file. To get around that, I went in and edited the pkgname/pkgmap file and changed the checksum from 26912 to 26914.

After doing this, the package magically installed. Fun!

Changing root password on Solaris 11.3 x86

I’m posting this only because the process has changed a bit since I did it back in the day. Because I’m not using Solaris on SPARC, there’s no STOP-A, boot -s, etc.

Just like back in the day with Solaris 8, you need to boot from a CD-ROM, PXE, JumpStart, or whatever method you have. Afterwards, take the shell option. Obviously, you’re not installing the OS.

Solaris 11 uses ZFS, not UFS, so you can’t directly mount a partition. You need to import the pool instead.

mkdir /b
zpool import -f -R /a rpool
zfs set mountpoint=legacy rpool/ROOT/solaris
mount -F zfs rpool/ROOT/solaris /b
vi /b/etc/shadow

Edit the shadow file: find your username and remove the password hash (the second field). Change the line
username:whateverthehashis:12345::::::23456
to
username::12345::::::23456

Then we will need to allow empty passwords at login

$ vi /b/etc/default/login
Change the line:
PASSREQ=YES
to
PASSREQ=NO

umount /b
zfs set mountpoint=/ rpool/ROOT/solaris
zpool export rpool
init 6

When the system boots, you should be able to log in as root and just press return for the password. If you’re logging in through SSH, you won’t need to enter a password.
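The two file edits in the procedure above (blanking the hash in shadow, flipping PASSREQ in /etc/default/login) are easy to get slightly wrong in vi on a rescue shell, so here is an added example, not from the original post, that does them with awk and sed on constructed copies of the two files and then puts PASSREQ back. The sample entries and hashes are made up; in the real procedure the paths would be under the mounted root, e.g. /b/etc/shadow.

```shell
#!/bin/sh
# Added example, not from the original post: the two edits from the procedure
# above done with commands instead of vi, on constructed copies of /etc/shadow
# and /etc/default/login. In the real procedure the files are under the mounted
# root (e.g. /b/etc/shadow); the account lines and hashes here are made up.

# clear_shadow_hash FILE USER: blank the password field (field 2) of USER only,
# leaving every other account and every other field exactly as it was.
clear_shadow_hash() {
  awk -F: -v u="$2" 'BEGIN { OFS = ":" } $1 == u { $2 = "" } { print }' "$1" > "$1.tmp" \
    && mv "$1.tmp" "$1"
}

# set_passreq FILE YES|NO: rewrite the PASSREQ line in /etc/default/login.
set_passreq() {
  sed "s/^PASSREQ=.*/PASSREQ=$2/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# password_field FILE USER: print USER's hash field, to confirm the edit took.
password_field() {
  awk -F: -v u="$2" '$1 == u { print $2 }' "$1"
}

# Constructed sample files.
DEMO="$(mktemp -d)"
printf '%s\n' 'root:$5$placeholder$roothash:18000::::::' \
              'username:whateverthehashis:12345::::::23456' > "$DEMO/shadow"
printf '%s\n' 'CONSOLE=/dev/console' 'PASSREQ=YES' 'TIMEOUT=300' > "$DEMO/login"

# Steps 1 and 2 of the procedure.
clear_shadow_hash "$DEMO/shadow" username
set_passreq "$DEMO/login" NO
cat "$DEMO/shadow" "$DEMO/login"

# After the reboot and a `passwd` for the account, undo step 2 so that empty
# passwords are refused at login again.
set_passreq "$DEMO/login" YES
```

The awk form only rewrites the matching line, which is the point: a stray keystroke in vi on the root line of the real shadow file leaves you with nothing to log in to. Remember to set a password and restore PASSREQ=YES once you are back in.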

Hope this saved you some time!

Install .NET 2.0 in Windows 10

What!? Why would you want to do that!? A friend of mine recently brought me a computer to install some old software on. This happened to be some custom software that required .NET 2.0. I tried installing the software and it wouldn’t install because .NET 2.0 was required, and if you go to Microsoft’s website, it looks like the only version you can get is .NET 4.8, which already came with the OS on his laptop! What gives!?

I managed to find this one command that allowed me to continue the install:

DISM /Online /NoRestart /Enable-Feature:NetFx3

Turns out there are tons of YouTube videos and other posts about how to install it. I just didn’t think to look. You could actually just go to the control panel and install it from there as well.


Anyway, hope this post can save you some time!

FATAL: invalid value for parameter “TimeZone”: “America/Los_Angeles” with DBeaver

I got that message when trying to use DBeaver to connect to a PostgreSQL DB.

FATAL: invalid value for parameter "TimeZone": "America/Los_Angeles"

I found the fix here. The first thing to check is the timezone you have set on the Postgres db itself. You can do this by running “SELECT * FROM pg_timezone_names;”.

Here’s an example:

avenger_agent_prod=# SELECT * FROM pg_timezone_names;
name | abbrev | utc_offset | is_dst
------+--------+------------+--------
UTC | UTC | 00:00:00 | f
(1 row)

The fix is to make a small change to the dbeaver.ini file in the DBeaver root directory. The PostgreSQL JDBC driver sends the JVM’s default time zone as the session TimeZone parameter, so the idea is to make that default a zone the server knows about (UTC here). If you installed this on a Mac, the file is in /Applications/DBeaver.app/Contents/Eclipse/

Just add this line under -vmargs (only options after -vmargs are passed to the JVM):

-Duser.timezone=UTC

For reference, here’s a complete dbeaver.ini with the line in place. This one is from a Windows install using a portable JDK, hence the paths; on a Mac the file is in the directory mentioned above.

-startup
plugins/org.eclipse.equinox.launcher_1.4.0.v20161219-1356.jar
--launcher.library
plugins/org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.551.v20171108-1834
-showsplash
# START: change jre version, not using the one in %JAVA_HOME%
-vm
D:\ArPortable\Java\jdk1.8.0_171\jre\bin\server\jvm.dll
# END
# JVM settings
-vmargs
-XX:+IgnoreUnrecognizedVMOptions
--add-modules=ALL-SYSTEM
-Xms64m
-Xmx1024m
# time zone
-Duser.timezone=UTC
# language
-Duser.language=en

When you restart DBeaver, it should connect.