Watch out for Apparmor!

I’ve been hit by Apparmor a couple of times now. First with Samba, then with Openldap. AppArmor is a mandatory access control (MAC) system that restricts the capabilities of applications on a Linux system. While it can enhance the security of a Linux system, it can also cause issues with certain applications. Here are some apps that AppArmor can break and workarounds for each.

  1. Docker

Docker is a popular containerization technology that allows users to package and run applications in isolated environments. AppArmor can cause issues with Docker by blocking access to certain system resources required by Docker containers. To work around this issue, you can create a custom AppArmor profile for Docker that allows it to access the necessary resources.

To create a custom AppArmor profile for Docker, you can create a new profile file in the /etc/apparmor.d/ directory with the following contents:

# Profile for Docker
profile docker-container {
  # Allow access to necessary system resources
  /var/lib/docker/** rw,
  /var/run/docker.sock rw,
  /sys/fs/cgroup/** rw,
  /proc/sys/** rw,
  /etc/hostname r,
  /etc/hosts r,
  /etc/resolv.conf r,
  /etc/passwd r,
  /etc/group r,
  /etc/shadow r,
  /etc/gshadow r,
}

After creating the profile file, you can load it into the AppArmor kernel by running the following command:

sudo apparmor_parser -r /etc/apparmor.d/docker-container
  1. Apache

Apache is a widely used web server that can also be affected by AppArmor. If Apache is running in a restricted environment, it may not be able to access certain files or directories. To resolve this issue, you can modify the AppArmor profile for Apache to allow access to the necessary resources.

To modify the AppArmor profile for Apache, you can edit the existing profile file located in /etc/apparmor.d/usr.sbin.apache2 and add the necessary permissions. For example, to allow Apache to access the /var/www/html/ directory, you can add the following line to the profile:

/var/www/html/** r,

After making the necessary changes, you can reload the AppArmor profile by running the following command:

sudo service apparmor reload
  1. MySQL

MySQL is a popular open-source relational database management system that can be affected by AppArmor. If AppArmor is blocking access to MySQL, you may experience issues with database connectivity. To work around this issue, you can modify the AppArmor profile for MySQL to allow access to the necessary resources.

To modify the AppArmor profile for MySQL, you can edit the existing profile file located in /etc/apparmor.d/usr.sbin.mysqld and add the necessary permissions. For example, to allow MySQL to access the /var/lib/mysql/ directory, you can add the following line to the profile:

/var/lib/mysql/** rwk,

After making the necessary changes, you can reload the AppArmor profile by running the following command:

sudo service apparmor reload
  1. Nginx

Nginx is a high-performance web server that can also be affected by AppArmor. If Nginx is running in a restricted environment, it may not be able to access certain files or directories required for its operation. To resolve this issue, you can modify the AppArmor profile for Nginx to allow access to the necessary resources.

To modify the AppArmor profile for Nginx, you can edit the existing profile file located in /etc/apparmor.d/usr.sbin.nginx and add the necessary permissions. For example, to allow Nginx to access the /var/www/html/ directory, you can add the following line to the profile:

/var/www/html/** r,

After making the necessary changes, you can reload the AppArmor profile by running the following command:

sudo service apparmor reload
  1. OpenSSH

OpenSSH is a widely used remote access tool that can also be affected by AppArmor. If AppArmor is blocking access to OpenSSH, you may not be able to establish a remote connection to your Linux system. To work around this issue, you can modify the AppArmor profile for OpenSSH to allow access to the necessary resources.

To modify the AppArmor profile for OpenSSH, you can edit the existing profile file located in /etc/apparmor.d/usr.sbin.sshd and add the necessary permissions. For example, to allow OpenSSH to access the /var/log/auth.log file, you can add the following line to the profile:

/var/log/auth.log rw,

After making the necessary changes, you can reload the AppArmor profile by running the following command:

sudo service apparmor reload
  1. Samba

To modify the AppArmor profile for Samba, you can edit the existing profile file located in /etc/apparmor.d/usr.sbin.smbd and add the necessary permissions. For example, to allow Samba to access the /mnt/share/ directory, you can add the following line to the profile:

/mnt/share/** rw,

After making the necessary changes, you can reload the AppArmor profile by running the following command:

sudo service apparmor reload
  1. OpenLDAP

To modify the AppArmor profile for OpenLDAP, you can create a new profile file in the /etc/apparmor.d/ directory with the following contents:

# Profile for OpenLDAP
profile slapd {
  # Allow access to necessary system resources
  /var/lib/ldap/ r,
  /var/lib/ldap/** rw,
  /var/run/slapd/** rw,
  /etc/ldap/slapd.conf r,
  /etc/ldap/slapd.d/ r,
  /etc/ldap/slapd.d/** r,
  /usr/sbin/slapd mr,
  /usr/sbin/slapd.debug mr,
  /usr/sbin/slapd-{slave,monitor} ix,
  /usr/sbin/slapd.dbg mr,
  /usr/sbin/slapd-sock rw,
  /usr/sbin/slapd-sock-debug rw,
  /usr/sbin/slaptest mr,
}

After creating the profile file, you can load it into the AppArmor kernel by running the following command:

sudo apparmor_parser -r /etc/apparmor.d/slapd

By modifying AppArmor profiles for specific applications in this way, you can ensure that your applications have the necessary permissions to function correctly while still maintaining the security benefits of AppArmor.

AppArmor can cause issues with various applications on a Linux system, but these issues can usually be resolved by modifying the AppArmor profile for the affected application. By following the steps outlined above, you can ensure that your applications are functioning correctly while still maintaining the security benefits of AppArmor.

Loading up Active Directory with lots of groups

Loading up Active Directory with lots of groups can be a tedious task, but it can be made easier by following some steps. I recently had to do this to test a product to make sure that it can handle a large amount of data. I started with a list of job titles. Found that those titles were not enough groups and so ended up using a list of animals as the groups input to provide the script to automate the process of creating groups in Active Directory.

First, let’s assume that you already have Active Directory set up and that you have the necessary permissions to create groups. We will use the ldif template provided in the question to create groups in Active Directory.

Here is the step-by-step process to load up Active Directory with lots of groups:

  1. Prepare the list of groups: In our example, the list of animals is provided in the question. You can create your own list of groups based on your requirements.
  2. Create an ldif file: Use the ldif template provided in the question to create an ldif file that contains the group details. Make sure to replace {groupname} in the template with the actual name of the group.
  3. Run a for loop: To automate the process of creating groups, we can use a while loop that reads the list of groups and creates the groups in Active Directory using the ldif file. Here’s an example script:
#!/bin/bash

# Read the list of groups from a file
while read -r group; do
  # Replace {groupname} in the ldif file with the actual group name
  sed "s/{groupname}/$group/" group.ldif >> temp.ldif
  # Create the group in Active Directory using ldapadd command
  ldapadd -x -D "CN=Administrator,CN=Users,DC=mydomain,DC=com" -w password -f temp.ldif
done < groups.txt

In the above script, replace the following:

  • group.ldif with the name of the ldif file that you created in step 2.
  • groups.txt with the name of the file that contains the list of groups.
  • CN=Administrator,CN=Users,DC=mydomain,DC=com with the actual Distinguished Name (DN) of the user account that you want to use to create the groups.
  • password with the password for the user account.
  1. Run the script: Save the script to a file (e.g., create-groups.sh) and make it executable using the command chmod +x create-groups.sh. Then run the script using the command ./create-groups.sh.

That’s it! The script will create all the groups in the list and add them to Active Directory. You can modify the ldif template and the script as per your requirements to create groups with different attributes and properties.

Help! OpenLDAP won’t start

slapd[5472]: main: TLS init def ctx failed: -1

I borrowed some information from here: https://apple.stackexchange.com/questions/107130/slapd-daemon-cant-start-tls-init-def-ctx-failed-1. Basically, just run slapd -d1 and see where the certificate is having trouble.

Crazily, before I bothered to check that, I just wiped my entire ldap server and rebuilt it. What’s even crazier is that after reinstalling, it never started either! Using CentOS 7, I removed the openldap-servers package and deleted the /var/lib/ldap and /etc/openldap directories. Installing the rpms recreated those directories, but did not rebuild the self-signed certificates in /etc/openldap/certs. I ended up finding this: 0006945: CentOS 6.5: /etc/openldap/certs/* missing – CentOS Bug Tracker. I guess there’s a post-script that should be running when the openssl-servers package gets installed, /usr/libexec/openldap/create-certdb.sh. By running it, it did create some certificates, but those didn’t allow the ldap server to start either.

Finally, I disabled SSL to fix it. These were the steps.

  1. Edit the /etc/openldap/slapd.d/cn/=config.ldif file. Remove anything that starts with olcTLS. There should be only a couple of lines.
  2. Then stop the server from starting in TLS. You may or may not need to do this. In /etc/sysconfig/slapd, if you have ldaps:///, you can remove that part so that the server won’t start in TLS.
  3. Finally, when you’re done with that, the LDAP server will start.

If you want to re-enable the TLS, you can follow these instructions to do it. Configure OpenLDAP over SSL/TLS [Step-by-Step] Rocky Linux 8 | GoLinuxCloud

You can also potentially run into this problem with SELinux or AppArmor. With Ubuntu and AppArmor, here’s how to get around it. https://askubuntu.com/questions/499164/slapd-tls-not-working-apparmor-errors

Hope this helps you!

Install & Configure OpenLDAP in Linux

I’m doing this only because I’ve done this multiple times and never documented it and had to go through and do multiple google searches each time. Hopefully this is the last time.

First off, install the OpenLDAP server and clients. I’ll install the client on the server too so that I could easily troubleshoot. If you’re using IPtables, you’ll need to open up ports 389 and 636 as well.

yum -y install openldap-clients openldap-servers

Next, I want to do some logging so that I could get messages if I need to troubleshoot. Here’s how to enable the syslog side of logging. Configuring the details of logging from the LDAP server side comes from the cn=config information.

mkdir /var/log/openldap
echo "local4.* /var/log/openldap/openldap.log" >> /etc/rsyslog.conf
systemctl restart rsyslog

Configuring TLS for openldap. This just edits the /etc/sysconfig/slapd file and adds ldaps to it so that it will listen on that port.

sed -i "s,ldap:///,ldap:/// ldaps:///," /etc/sysconfig/slapd

Restart the LDAP server for ldaps to take effect.

systemctl start slapd
systemctl enable slapd

Extending schema of openldap so that it accepts a bunch of the common attributes that typical directory servers have. The adschema attached is to support the MemberOf attribute, commonly used by AD servers. You can put the file anywhere you want. I happened to do this in Vagrant, so my file was in /vagrant.

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /vagrant/adschema.ldif

I’m also extending the schema using some of the schema files provided by OpenLDAP itself.

Now it’s time to configuring rootdn. This is basically the top of the LDAP tree. You should download the file and edit it. Change your directory manager password and the rootdn to whatever you like. You can use dc=xxx or o=xxx.

ldapmodify -Y EXTERNAL -H ldapi:/// -f /vagrant/config.ldif

Now we can add the users. Here’s a sample ldif for the users. Obviously, you’ll need to change the directory to match your rootdn.

ldapadd -x -D cn=ldapadm,dc=poc,dc=segmentationpov,dc=com -w password -f /vagrant/directory.ldif

Congratulations! Your LDAP server is now running. You can test by running this:

ldapsearch -x -D cn=ldapadm,dc=poc,dc=segmentationpov,dc=com -b 'dc=poc,dc=segmentationpov,dc=com' objectclass=* -w password

It should return your entire directory that you uploaded in directory.ldif.

I enabled SSL earlier, but if you try an ldapsearch with SSL, you’ll get this:

[root@centos7 certs]# ldapsearch -H ldaps://192.168.0.117:636 -x -D cn=ldapadm,dc=poc,dc=segmentationpov,dc=com -w password -b 'dc=poc,dc=segmentationpov,dc=com' objectclass=* -ZZ
ldap_start_tls: Can't contact LDAP server (-1)
additional info: TLS: hostname does not match CN in peer certificate

If you want to ignore this and move forward, the setting is on the client side. You can change it in /etc/openldap/ldap.conf. Just put in there:

TLS_REQCERT never

If you get a message like this:

[root@centos7 certs]# ldapsearch -H ldaps://192.168.0.117:636 -x -D cn=ldapadm,dc=poc,dc=segmentationpov,dc=com -w password -b 'dc=poc,dc=segmentationpov,dc=com' objectclass=* -ZZ
ldap_start_tls: Operations error (1)
additional info: TLS already started

The issue is that you’re trying to run StartTLS in 2 places. You can omit the -ZZ and run like this:

ldapsearch -H ldaps://192.168.0.117:636 -x -D cn=ldapadm,dc=poc,dc=segmentationpov,dc=com -w password -b 'dc=poc,dc=segmentationpov,dc=com' objectclass=*

or run with the -ZZ like this:

ldapsearch -H ldap://192.168.0.117:389 -x -D cn=ldapadm,dc=poc,dc=segmentationpov,dc=com -w password -b 'dc=poc,dc=segmentationpov,dc=com' objectclass=* -ZZ

That’s just using the default certificate that comes with OpenLDAP. If you want to use your own certificate, you can put them in

ldapmodify -Y EXTERNAL -H ldapi:/// -f tls7.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
SV-LT-1361:Downloads altonyu$ openssl s_client -connect 192.168.0.117:636
CONNECTED(00000003)
depth=0 C = US, ST = CA, L = San Francisco, O = ShocKNetworK, CN = ldap.poc.segmentationpov.com, emailAddress = [email protected]
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = CA, L = San Francisco, O = ShocKNetworK, CN = ldap.poc.segmentationpov.com, emailAddress = [email protected]
verify error:num=21:unable to verify the first certificate
verify return:1
Certificate chain
0 s:/C=US/ST=CA/L=San Francisco/O=ShocKNetworK/CN=ldap.poc.segmentationpov.com/[email protected]
i:/C=US/ST=California/O=ShocKNetworK/OU=Security/CN=zangief.shocknetwork.com/[email protected]
Server certificate
-----BEGIN CERTIFICATE-----
MIIEqzCCA5MCCQCsXDM+kPyf+DANBgkqhkiG9w0BAQsFADCBljELMAkGA1UEBhMC

Zimbra 4.5.6 to 5.0.10 upgrade notes

Things I needed to do for Zimbra to work – 4.5.6 to 5.0.10 upgrade.

1) Mysql root/user passwords need to match what’s in /opt/zimbra/conf/localconfig.xml. I played around with mine and managed to screw this up.
2) Since I changed the hostname, ldap wouldn’t start. To fix this, I had to rebuild the SSL certificates. You can do this here: http://wiki.zimbra.com/index.php?title=SSL_Certificate_Problems – I had some trouble following directions – note the version numbers – they’re important. 🙂
3) Make sure that 127.0.0.1 is in zimbraMtaMyNetworks. Ref: http://wiki.zimbra.com/index.php?title=ZimbraMtaMyNetworks – if not, you won’t be able to send mail out – it will say relaying denied.

Sendmail Routing with LDAP

Sendmail Routing with LDAP

One of the reasons you might want to do this is if you just acquired a new company and want mail to be routed through your same old sendmail relays as you had previously or if you’re running some kind of spam or virus scanner that requires sendmail or maybe you just want to have a relay in between your the Internet and your mail server for security purposes.

Note: In this case, this is for routing mail with sendmail and not accepting mail and putting mail into /var/mail on this machine. If you want the mail stored on this machine, you should be able to get on this machine with an ‘su – uid’ command. Otherwise, you will probably get the message, “User unknown”.

You can use whatever directory server you want with whatever schema you want as long as you know what you are looking for and how to use the data.

You will need a version of sendmail that has ldap capabilities

compiled into it. You can check this with:

/usr/lib/sendmail -d0.11 < /dev/null

Version 8.12.10+Sun

Compiled with: DNSMAP LDAPMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8

When you see LDAPMAP, you know that it will work. Solaris 7-9 should all

work. Patches are available for those that don’t.

In this example, we will use the ldap data from a SunONE Messaging server.

We first do a search to find a user so that we know what we will need.

Here, I pull the user’s ldif data with this command:

/usr/sbin/ldapsearch -b ‘o=isp’ -p 4389 -h flash.atac.ebay.sun.com [email protected]

In this case, I’m looking for alton’s user entry and using the mail attribute.

Here are my results:

uid=alton, ou=people, o=atac.ebay.sun.com, o=isp

objectClass=top

objectClass=person

objectClass=organizationalPerson

objectClass=inetOrgPerson

objectClass=inetUser

objectClass=ipUser

objectClass=nsManagedPerson

objectClass=userPresenceProfile

objectClass=inetMailUser

objectClass=inetLocalMailRecipient

[email protected]

mailUserStatus=active

mailHost=flash.atac.ebay.sun.com

givenName=alton

cn=alton yu

uid=alton

nsdaCapability=mailListCreate

sn=yu

inetUserStatus=active

mailDeliveryOption=mailbox

preferredLanguage=en

nswmExtendedUserPrefs=meDraftFolder=Drafts

nswmExtendedUserPrefs=meSentFolder=Sent

nswmExtendedUserPrefs=meTrashFolder=Trash

nswmExtendedUserPrefs=meInitialized=true

pabURI=ldap://flash.atac.ebay.sun.com:4389/ou=alton, ou=people, o=atac.ebay.sun.com, o=isp,o=pab

So now we know what kind of information to set up sendmail with, we will start tinkering with it.

In the sendmail.mc file, I add:

First, I go to /usr/lib/mail/cf

I make a backup of my old main.mc to create sendmail.mc

cp main.mc sendmail.mc

and then I open the file and add:

define(`confLDAP_DEFAULT_SPEC’,`-h flash.atac.ebay.sun.com -b o=isp -p 4389′)

LDAPROUTE_DOMAIN(`atac.ebay.sun.com’)

FEATURE(`ldap_routing’)

I then build the cf file with:

make sendmail.cf

and now I do my test.

/usr/lib/sendmail -C/usr/lib/mail/cf/sendmail.cf -bv [email protected]

[email protected]… User unknown

Hmmm…. I wonder why …

I go to the ldap server access logs and find:

[25/Mar/2004:17:14:38 -0800] conn=347 op=2 SRCH base=”” scope=0 filter=”(objectClass=*)” attrs=ALL

[25/Mar/2004:17:14:38 -0800] conn=347 op=2 RESULT err=0 tag=101 nentries=1 etime=0

[25/Mar/2004:17:14:47 -0800] conn=348 fd=44 slot=44 connection from 129.149.141.32 to 10.4.18.140

[25/Mar/2004:17:14:47 -0800] conn=348 op=0 BIND dn=”” method=128 version=2

[25/Mar/2004:17:14:47 -0800] conn=348 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=””

[25/Mar/2004:17:14:47 -0800] conn=348 op=1 SRCH base=”o=isp” scope=2 filter=”(&(objectClass=inetLocalMailRecipient)([email protected]))” attrs=”mailRoutingAddress”

[25/Mar/2004:17:14:47 -0800] conn=348 op=1 RESULT err=0 tag=101 nentries=0 etime=0

[25/Mar/2004:17:14:47 -0800] conn=348 op=2 SRCH base=”o=isp” scope=2 filter=”(&(objectClass=inetLocalMailRecipient)([email protected]))” attrs=”mailHost”

[25/Mar/2004:17:14:47 -0800] conn=348 op=2 RESULT err=0 tag=101 nentries=0 etime=0

[25/Mar/2004:17:14:47 -0800] conn=348 op=3 SRCH base=”o=isp” scope=2 filter=”(&(objectClass=inetLocalMailRecipient)([email protected]))” attrs=”mailRoutingAddress”

[25/Mar/2004:17:14:47 -0800] conn=348 op=3 RESULT err=0 tag=101 nentries=0 etime=0

[25/Mar/2004:17:14:47 -0800] conn=348 op=4 SRCH base=”o=isp” scope=2 filter=”(&(objectClass=inetLocalMailRecipient)([email protected]))” attrs=”mailHost”

[25/Mar/2004:17:14:47 -0800] conn=348 op=4 RESULT err=0 tag=101 nentries=0 etime=0

[25/Mar/2004:17:14:47 -0800] conn=348 op=5 UNBIND

[25/Mar/2004:17:14:47 -0800] conn=348 op=5 fd=44 closed – U1

Okay. It looks like it’s looking for maillocaladdress and mailRoutingAddress. I don’t have either of those, so I think rather than changing it in the ldap server, I will make some changes in the sendmail.mc.

I change just

FEATURE(`ldap_routing’)

to:

FEATURE(`ldap_routing’,`ldap -1 -v mailHost -k (&(objectclass=inetorgperson)(mail=%0))’)

So now instead of searching for maillocaladdress, I’m now searching for mail.

By doing that and rebuilding my sendmail.cf file, I now get:

/usr/lib/sendmail -C/usr/lib/mail/cf/sendmail.cf -bv [email protected]

[email protected]… deliverable: mailer relay, host flash.atac.ebay.sun.com, user [email protected]

Now this looks better. How’s the ldap access log look?

[25/Mar/2004:17:39:03 -0800] conn=383 fd=44 slot=44 connection from 129.149.141.32 to 10.4.18.140

[25/Mar/2004:17:39:03 -0800] conn=383 op=0 BIND dn=”” method=128 version=2

[25/Mar/2004:17:39:03 -0800] conn=383 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=””

[25/Mar/2004:17:39:03 -0800] conn=383 op=1 SRCH base=”o=isp” scope=2 filter=”(&(objectClass=inetLocalMailRecipient)([email protected]))” attrs=”mailRoutingAddress”

[25/Mar/2004:17:39:03 -0800] conn=383 op=1 RESULT err=0 tag=101 nentries=0 etime=0

[25/Mar/2004:17:39:03 -0800] conn=383 op=2 SRCH base=”o=isp” scope=2 filter=”(&(objectClass=inetorgperson)([email protected]))” attrs=”mailHost”

[25/Mar/2004:17:39:03 -0800] conn=383 op=2 RESULT err=0 tag=101 nentries=1 etime=0

[25/Mar/2004:17:39:03 -0800] conn=383 op=3 UNBIND

[25/Mar/2004:17:39:03 -0800] conn=383 op=3 fd=44 closed – U1

Okay. Good enough.

Hopefully this is enough to get you started on your journey in setting up your sendmail with ldap routing.

How to upgrade from NIS+ to LDAP

This is from Arup Mitra.

1. Installing nisplus server

/usr/lib/nis/nisserver -v -r -d atac.ebay.sun.com.

******** ******** WARNING ******** ********

NIS+ might not be supported in a future release. Tools to aid

the migration from NIS+ to LDAP are available in the Solaris 9

operating environment. For more information, visit

http://www.sun.com/directory/nisplus/transition.html

******** ******** ******* ******** ********

This script sets up this machine “native9” as an NIS+

root master server for domain atac.ebay.sun.com..

Domain name : atac.ebay.sun.com.

NIS+ group : admin.atac.ebay.sun.com.

NIS (YP) compatibility : OFF

Security level : 2=DES

Is this information correct? (type ‘y’ to accept, ‘n’ to change) y

This script will set up your machine as a root master server for

domain atac.ebay.sun.com. without NIS compatibility at security level 2.

Use “nisclient -r” to restore your current network service environment.

Do you want to continue? (type ‘y’ to continue, ‘n’ to exit this script) y

setting up domain information “atac.ebay.sun.com.” …

setting up switch information …

killing process keyserv …

restarting process keyserv …

killing NIS and NIS+ processes …

killing process ypbind …

killing process rpc.nisd …

killing process rpc.nispasswdd …

killing process nis_cachemgr …

stopping nscd …

setup NIS_GROUP environment variable …

rm /var/nis files …

running nisinit …

This machine is in the “atac.ebay.sun.com.” NIS+ domain.

Setting up root server …

All done.

starting root server at security level 0 to create credentials…

running nissetup to create standard directories and tables …

org_dir.atac.ebay.sun.com. created

groups_dir.atac.ebay.sun.com. created

passwd.org_dir.atac.ebay.sun.com. created

group.org_dir.atac.ebay.sun.com. created

auto_master.org_dir.atac.ebay.sun.com. created

auto_home.org_dir.atac.ebay.sun.com. created

bootparams.org_dir.atac.ebay.sun.com. created

cred.org_dir.atac.ebay.sun.com. created

ethers.org_dir.atac.ebay.sun.com. created

hosts.org_dir.atac.ebay.sun.com. created

ipnodes.org_dir.atac.ebay.sun.com. created

mail_aliases.org_dir.atac.ebay.sun.com. created

sendmailvars.org_dir.atac.ebay.sun.com. created

netmasks.org_dir.atac.ebay.sun.com. created

netgroup.org_dir.atac.ebay.sun.com. created

networks.org_dir.atac.ebay.sun.com. created

protocols.org_dir.atac.ebay.sun.com. created

rpc.org_dir.atac.ebay.sun.com. created

services.org_dir.atac.ebay.sun.com. created

timezone.org_dir.atac.ebay.sun.com. created

client_info.org_dir.atac.ebay.sun.com. created

auth_attr.org_dir.atac.ebay.sun.com. created

exec_attr.org_dir.atac.ebay.sun.com. created

prof_attr.org_dir.atac.ebay.sun.com. created

user_attr.org_dir.atac.ebay.sun.com. created

audit_user.org_dir.atac.ebay.sun.com. created

adding credential for native9.atac.ebay.sun.com…

Enter login password:

creating NIS+ administration group: admin.atac.ebay.sun.com. …

adding principal native9.atac.ebay.sun.com. to admin.atac.ebay.sun.com. …

updating the keys for directories …

restarting NIS+ root master server at security level 2 …

killing process rpc.nisd …

restarting process rpc.nisd …

starting NIS+ password daemon …

starting NIS+ cache manager …

modifying the /etc/init.d/rpc file …

starting Name Service Cache Daemon nscd …

This system is now configured as a root server for domain atac.ebay.sun.com.

You can now populate the standard NIS+ tables by using the

nispopulate script or /usr/lib/nis/nisaddent command.

2. Populating NIS+ tables

# cd /source

# ls -al

total 32

drwxr-xr-x 2 root other 512 Apr 16 16:02 .

drwxr-xr-x 27 root root 512 Apr 14 19:49 ..

-rw-r–r– 1 root other 18 Apr 16 15:59 auto_home

-rw-r–r– 1 root other 69 Apr 16 16:00 auto_master

-rw-r–r– 1 root other 290 Apr 14 19:51 group

-r–r–r– 1 root other 128 Apr 14 19:52 hosts

-r–r–r– 1 root other 380 Apr 16 16:02 netmasks

-r–r–r– 1 root other 372 Apr 16 16:01 networks

-rw-r–r– 1 root other 109 Apr 15 14:49 passwd

-r–r–r– 1 root other 1807 Apr 16 16:02 protocols

-r–r–r– 1 root other 3869 Apr 16 16:02 services

-rw-r–r– 1 root other 80 Apr 15 14:48 shadow

# /usr/lib/nis/nispopulate -v -F

NIS+ domain name : atac.ebay.sun.com.

Directory Path : (current directory)

Is this information correct? (type ‘y’ to accept, ‘n’ to change) y

This script will populate the standard NIS+ tables for domain

atac.ebay.sun.com. from the files in current directory:

auto_master auto_home ethers group hosts ipnodes networks passwd protocols services rpc netmasks bootparams netgroup aliases timezone auth_attr exec_attr prof_attr user_attr audit_user shadow

**WARNING: Interrupting this script after choosing to continue

may leave the tables only partially populated. This script does

not do any automatic recovery or cleanup.

Do you want to continue? (type ‘y’ to continue, ‘n’ to exit this script) y

auto_master.org_dir.atac.ebay.sun.com. OK…

populating auto_master table from file ./auto_master…

adding standard key-value table auto_master…

adding ./auto_master to table auto_master.org_dir.atac.ebay.sun.com.

adding/updating “/net”

adding/updating “/home”

adding/updating “/xfn”

3 entries added/updated

auto_master table done.

auto_home.org_dir.atac.ebay.sun.com. OK…

populating auto_home table from file ./auto_home…

adding standard key-value table auto_home…

adding ./auto_home to table auto_home.org_dir.atac.ebay.sun.com.

adding/updating “*”

1 entries added/updated

auto_home table done.

ethers.org_dir.atac.ebay.sun.com. OK…

**WARNING: file ./ethers does not exist!

ethers table will not be loaded.

group.org_dir.atac.ebay.sun.com. OK…

populating group table from file ./group…

adding standard table group…

adding ./group to table group.org_dir.atac.ebay.sun.com.

adding/updating “root”

adding/updating “other”

adding/updating “bin”

adding/updating “sys”

adding/updating “adm”

adding/updating “uucp”

adding/updating “mail”

adding/updating “tty”

adding/updating “lp”

adding/updating “nuucp”

adding/updating “staff”

adding/updating “daemon”

adding/updating “sysadmin”

adding/updating “smmsp”

adding/updating “nobody”

adding/updating “noaccess”

adding/updating “nogroup”

17 entries added/updated

group table done.

hosts.org_dir.atac.ebay.sun.com. OK…

populating hosts table from file ./hosts…

adding standard table hosts…

adding ./hosts to table hosts.org_dir.atac.ebay.sun.com.

adding/updating “localhost”

adding/updating “native9”

adding/updating “igs”

adding/updating “arup”

adding/updating “daredevil”

5 entries added/updated

hosts table done.

Populating the NIS+ credential table for domain atac.ebay.sun.com.

from hosts table.

dumping hosts table…

loading credential table…

Adding key pair for [email protected] (arup.atac.ebay.sun.com.).

…added arup

Adding key pair for [email protected] (daredevil.atac.ebay.sun.com.).

…added daredevil

Adding key pair for [email protected] (igs.atac.ebay.sun.com.).

…added igs

Adding key pair for [email protected] (localhost.atac.ebay.sun.com.).

…added localhost

…native9 already exists

The credential table for domain atac.ebay.sun.com. has been populated.

The password used will be nisplus.

ipnodes.org_dir.atac.ebay.sun.com. OK…

**WARNING: file ./ipnodes does not exist!

ipnodes table will not be loaded.

networks.org_dir.atac.ebay.sun.com. OK…

populating networks table from file ./networks…

adding standard table networks…

adding ./networks to table networks.org_dir.atac.ebay.sun.com.

adding/updating “loopback”

adding/updating “arpanet”

adding/updating “arpanet (arpa)”

3 entries added/updated

networks table done.

passwd.org_dir.atac.ebay.sun.com. OK…

populating passwd table from file ./passwd…

adding standard table passwd…

adding ./passwd to table passwd.org_dir.atac.ebay.sun.com.

adding/updating “test1”

adding/updating “arup”

adding/updating “test2”

3 entries added/updated

passwd table done.

Populating the NIS+ credential table for domain atac.ebay.sun.com.

from passwd table.

dumping passwd table…

loading credential table…

Adding key pair for [email protected] (test1.atac.ebay.sun.com.).

…added test1

…arup already exists

Adding key pair for [email protected] (test2.atac.ebay.sun.com.).

…added test2

The credential table for domain atac.ebay.sun.com. has been populated.

The password used will be nisplus.

protocols.org_dir.atac.ebay.sun.com. OK…

populating protocols table from file ./protocols…

adding standard table protocols…

adding ./protocols to table protocols.org_dir.atac.ebay.sun.com.

adding/updating “ip”

adding/updating “icmp”

adding/updating “igmp”

adding/updating “ggp”

adding/updating “ipip”

adding/updating “ipip (IP-IP)”

adding/updating “tcp”

adding/updating “cbt”

adding/updating “egp”

adding/updating “igp”

adding/updating “pup”

adding/updating “udp”

adding/updating “mux”

adding/updating “hmp”

adding/updating “xns-idp”

adding/updating “rdp”

adding/updating “idpr”

adding/updating “idpr-cmtp”

adding/updating “sdrp”

adding/updating “idrp”

adding/updating “rsvp”

adding/updating “gre”

adding/updating “mobile”

adding/updating “ospf”

adding/updating “ospf (OSPFIGP)”

adding/updating “pim”

adding/updating “ipcomp”

adding/updating “vrrp”

adding/updating “sctp”

adding/updating “hopopt”

adding/updating “ipv6”

adding/updating “ipv6-route”

adding/updating “ipv6-frag”

adding/updating “esp”

adding/updating “ah”

adding/updating “ipv6-icmp”

adding/updating “ipv6-nonxt”

adding/updating “ipv6-opts”

38 entries added/updated

protocols table done.

services.org_dir.atac.ebay.sun.com. OK…

populating services table from file ./services…

adding standard table services…

adding ./services to table services.org_dir.atac.ebay.sun.com.

adding/updating “tcpmux 1/tcp”

adding/updating “echo 7/tcp”

adding/updating “echo 7/udp”

adding/updating “discard 9/tcp”

adding/updating “discard 9/tcp (sink)”

adding/updating “discard 9/tcp (null)”

adding/updating “discard 9/udp”

adding/updating “discard 9/udp (sink)”

adding/updating “discard 9/udp (null)”

adding/updating “systat 11/tcp”

adding/updating “systat 11/tcp (users)”

adding/updating “daytime 13/tcp”

adding/updating “daytime 13/udp”

adding/updating “netstat 15/tcp”

adding/updating “chargen 19/tcp”

adding/updating “chargen 19/tcp (ttytst)”

adding/updating “chargen 19/tcp (source)”

adding/updating “chargen 19/udp”

adding/updating “chargen 19/udp (ttytst)”

adding/updating “chargen 19/udp (source)”

adding/updating “ftp-data 20/tcp”

adding/updating “ftp 21/tcp”

adding/updating “ssh 22/tcp”

adding/updating “telnet 23/tcp”

adding/updating “smtp 25/tcp”

adding/updating “smtp 25/tcp (mail)”

adding/updating “time 37/tcp”

adding/updating “time 37/tcp (timserver)”

adding/updating “time 37/udp”

adding/updating “time 37/udp (timserver)”

adding/updating “name 42/udp”

adding/updating “name 42/udp (nameserver)”

adding/updating “whois 43/tcp”

adding/updating “whois 43/tcp (nicname)”

adding/updating “domain 53/udp”

adding/updating “domain 53/tcp”

adding/updating “bootps 67/udp”

adding/updating “bootpc 68/udp”

adding/updating “kerberos 88/udp”

adding/updating “kerberos 88/udp (kdc)”

adding/updating “kerberos 88/tcp”

adding/updating “kerberos 88/tcp (kdc)”

adding/updating “hostnames 101/tcp”

adding/updating “hostnames 101/tcp (hostname)”

adding/updating “pop2 109/tcp”

adding/updating “pop2 109/tcp (pop-2)”

adding/updating “pop3 110/tcp”

adding/updating “sunrpc 111/udp”

adding/updating “sunrpc 111/udp (rpcbind)”

adding/updating “sunrpc 111/tcp”

adding/updating “sunrpc 111/tcp (rpcbind)”

adding/updating “imap 143/tcp”

adding/updating “imap 143/tcp (imap2)”

adding/updating “ldap 389/tcp”

adding/updating “ldap 389/udp”

adding/updating “submission 587/tcp”

adding/updating “submission 587/udp”

adding/updating “ldaps 636/tcp”

adding/updating “ldaps 636/udp”

adding/updating “tftp 69/udp”

adding/updating “rje 77/tcp”

adding/updating “finger 79/tcp”

adding/updating “link 87/tcp”

adding/updating “link 87/tcp (ttylink)”

adding/updating “supdup 95/tcp”

adding/updating “iso-tsap 102/tcp”

adding/updating “x400 103/tcp”

adding/updating “x400-snd 104/tcp”

adding/updating “csnet-ns 105/tcp”

adding/updating “pop-2 109/tcp”

adding/updating “uucp-path 117/tcp”

adding/updating “nntp 119/tcp”

adding/updating “nntp 119/tcp (usenet)”

adding/updating “ntp 123/tcp”

adding/updating “ntp 123/udp”

adding/updating “netbios-ns 137/tcp”

adding/updating “netbios-ns 137/udp”

adding/updating “netbios-dgm 138/tcp”

adding/updating “netbios-dgm 138/udp”

adding/updating “netbios-ssn 139/tcp”

adding/updating “netbios-ssn 139/udp”

adding/updating “NeWS 144/tcp”

adding/updating “slp 427/tcp”

adding/updating “slp 427/udp”

adding/updating “mobile-ip 434/udp”

adding/updating “cvc_hostd 442/tcp”

adding/updating “ike 500/udp”

adding/updating “uuidgen 697/tcp”

adding/updating “uuidgen 697/udp”

adding/updating “exec 512/tcp”

adding/updating “login 513/tcp”

adding/updating “shell 514/tcp”

adding/updating “shell 514/tcp (cmd)”

adding/updating “printer 515/tcp”

adding/updating “printer 515/tcp (spooler)”

adding/updating “courier 530/tcp”

adding/updating “courier 530/tcp (rpc)”

adding/updating “uucp 540/tcp”

adding/updating “uucp 540/tcp (uucpd)”

adding/updating “biff 512/udp”

adding/updating “biff 512/udp (comsat)”

adding/updating “who 513/udp”

adding/updating “who 513/udp (whod)”

adding/updating “syslog 514/udp”

adding/updating “talk 517/udp”

adding/updating “route 520/udp”

adding/updating “route 520/udp (router)”

adding/updating “route 520/udp (routed)”

adding/updating “ripng 521/udp”

adding/updating “klogin 543/tcp”

adding/updating “kshell 544/tcp”

adding/updating “kshell 544/tcp (cmd)”

adding/updating “new-rwho 550/udp”

adding/updating “new-rwho 550/udp (new-who)”

adding/updating “rmonitor 560/udp”

adding/updating “rmonitor 560/udp (rmonitord)”

adding/updating “monitor 561/udp”

adding/updating “pcserver 600/tcp”

adding/updating “sun-dr 665/tcp”

adding/updating “kerberos-adm 749/tcp”

adding/updating “kerberos-adm 749/udp”

adding/updating “kerberos-iv 750/udp”

adding/updating “krb5_prop 754/tcp”

adding/updating “ufsd 1008/tcp”

adding/updating “ufsd 1008/udp”

adding/updating “cvc 1495/tcp”

adding/updating “ingreslock 1524/tcp”

adding/updating “www-ldap-gw 1760/tcp”

adding/updating “www-ldap-gw 1760/udp”

adding/updating “listen 2766/tcp”

adding/updating “nfsd 2049/udp”

adding/updating “nfsd 2049/udp (nfs)”

adding/updating “nfsd 2049/tcp”

adding/updating “nfsd 2049/tcp (nfs)”

adding/updating “eklogin 2105/tcp”

adding/updating “lockd 4045/udp”

adding/updating “lockd 4045/tcp”

adding/updating “dtspc 6112/tcp”

adding/updating “fs 7100/tcp”

139 entries added/updated

services table done.

rpc.org_dir.atac.ebay.sun.com. OK…

**WARNING: file ./rpc does not exist!

rpc table will not be loaded.

netmasks.org_dir.atac.ebay.sun.com. OK…

populating netmasks table from file ./netmasks…

adding standard table netmasks…

adding ./netmasks to table netmasks.org_dir.atac.ebay.sun.com.

adding/updating “10.4.17.0”

1 entries added/updated

netmasks table done.

bootparams.org_dir.atac.ebay.sun.com. OK…

**WARNING: file ./bootparams does not exist!

bootparams table will not be loaded.

netgroup.org_dir.atac.ebay.sun.com. OK…

**WARNING: file ./netgroup does not exist!

netgroup table will not be loaded.

mail_aliases.org_dir.atac.ebay.sun.com. OK…

**WARNING: file ./aliases does not exist!

mail_aliases table will not be loaded.

timezone.org_dir.atac.ebay.sun.com. OK…

**WARNING: file ./timezone does not exist!

timezone table will not be loaded.

auth_attr.org_dir.atac.ebay.sun.com. OK…

**WARNING: file ./auth_attr does not exist!

auth_attr table will not be loaded.

exec_attr.org_dir.atac.ebay.sun.com. OK…

**WARNING: file ./exec_attr does not exist!

exec_attr table will not be loaded.

prof_attr.org_dir.atac.ebay.sun.com. OK…

**WARNING: file ./prof_attr does not exist!

prof_attr table will not be loaded.

user_attr.org_dir.atac.ebay.sun.com. OK…

**WARNING: file ./user_attr does not exist!

user_attr table will not be loaded.

audit_user.org_dir.atac.ebay.sun.com. OK…

**WARNING: file ./audit_user does not exist!

audit_user table will not be loaded.

passwd.org_dir.atac.ebay.sun.com. OK…

populating passwd table from file ./shadow…

adding standard table passwd…

adding ./shadow to table passwd.org_dir.atac.ebay.sun.com.

adding/updating “test1”

adding/updating “arup”

adding/updating “test2”

3 entries added/updated

passwd table done.

Credentials have been added for the entries in the

hosts and passwd table(s). Each entry was given a default

network password (also known as a Secure-RPC password).

This password is:

nisplus

Use this password when the nisclient script requests the

network password.

nispopulate failed to populate the following tables:

ethers ipnodes rpc bootparams netgroup mail_aliases timezone auth_attr exec_attr prof_attr user_attr audit_user

3. Testing that NIS+ master is operational

# ps -ef | grep rpc.nisd

root 509 1 0 16:05:14 ? 0:02 rpc.nisd

# /usr/bin/nisls

atac.ebay.sun.com.:

org_dir

groups_dir

# /usr/bin/niscat passwd.org_dir

test1:7l7c7hBNh8gCc:1001:10::/home/test1:/bin/sh:::::::

arup:gl.r/Ug8qln4c:1002:10::/home/arup:/bin/sh:::::::

test2:B3Tg5MA6FSu3c:1003:10::/home/test2:/bin/sh:::::::

4. Adding a NIS+ client

a) On the master server:

# /usr/lib/nis/nisclient -v -d atac.ebay.sun.com -c igs

******** ******** WARNING ******** ********

NIS+ might not be supported in a future release. Tools to aid

the migration from NIS+ to LDAP are available in the Solaris 9

operating environment. For more information, visit

http://www.sun.com/directory/nisplus/transition.html

******** ******** ******* ******** ********

You will be adding DES credentials in domain atac.ebay.sun.com. for

igs

** nisclient will not overwrite any existing entries in the

** credential table.

Do you want to continue? (type ‘y’ to continue, ‘n’ to exit this script) y

checking atac.ebay.sun.com. domain…

checking cred.org_dir.atac.ebay.sun.com. permission…

checking info type for igs…

… principal igs already exist — skipped!

b) On the client host called igs:

#/usr/lib/nis/nisclient -v -i -h native9 -a 10.4.17.106 -d atac.ebay.sun.com

initializing client machine…

Initializing client igs for domain “atac.ebay.sun.com.”.

Once initialization is done, you will need to reboot your

machine.

Do you want to continue? (type ‘y’ to continue, ‘n’ to exit this script) y

killing NIS and/or NIS+ processes…

killing process ypbind…

killing process nis_cachemgr…

killing process rpc.nispasswdd…

stopping nscd …

setting up backup files…

setting up NIS+ server information…

setting up domain information “atac.ebay.sun.com.”…

setting up the name service switch information…

killing process keyserv…

running nisinit command …

nisinit -c -H 10.4.17.106 …

credential exists for setting up security…

setting up security information for root…

At the prompt below, type the network password (also known

as the Secure-RPC password) that you obtained either

from your administrator or from running the nispopulate script.

Please enter the Secure-RPC password for root: nisplus

Please enter the login password for root: root_passwd_for_this_client_machine

Your network password has been changed to your login one.

Your network and login passwords are now the same.

killing process nis_cachemgr…

starting nscd …

removing the temporary backup file for /etc/nsswitch.conf…

Client initialization completed!!

Please reboot your machine for changes to take effect.

5. Change /etc/nsswicth.conf appropriately and reboot client machine

passwd: files nisplus

group: files nisplus

hosts: files nisplus

services: nisplus files

networks: nisplus files

protocols: nisplus files

rpc: nisplus files

ethers: nisplus files

netmasks: nisplus files

bootparams: nisplus files

publickey: nisplus

netgroup: files nisplus

automount: files nisplus

aliases: files nisplus

sendmailvars: files nisplus

6. Test from client_machine that you can login as a NIS+ user with proper home

directory

7. Now install the built-in IDS 5.1 on solaris 9 server

/usr/sbin/directoryserver setup

8. Then run idsconfig

# /usr/lib/ldap/idsconfig

and follow instructions from URL:

http://docs.sun.com/db/doc/816-7511/6md … dssetup-33

9. stop-slapd

10. Do the vlvindexing for six fields:

# /usr/sbin/directoryserver -s native9 vlvindex -n userRoot -T

atac.ebay.sun.com.getgrent

and similarly for atac.ebay.sun.com.gethostent , atac.ebay.sun.com.getnetent ..

and so on

11 start-slapd

12. From the cosole of the IDS, we have to create a ou=nisPlus underneath

dc=atac.ebay.sun.com , and again ou=nisPlus underneath the earlier

ou=nisPlus

13. We need to look for a file called /var/nis/NIS+LDAPmapping.template and, if

present , we need to copy it to /var/nis/NIS+LDAPmapping

14. We need to look for a file called /etc/default/rpc.nisd , and we need to do

a few changes there. But before that we backup /etc/default/rpc.nisd

The four main changes are:

line 117, make sure authentication is simple

line 123, defaultsearchbase=dc=atac.ebay.sun.com

line 146, needs to read nisPlusLDAPproxyuser=cn=directory manager

line 154 is your directory manager password, you need to change that

15. We manually update the schema in IDS 5.1 for attribute nisPlusObject

a) Pease have a copy of 99user.ldif file first

b) Please add these lines in

/slapd-instance/config/schema/99user.ldif

objectClasses: ( 1.3.6.1.4.1.42.2.27.5.42.42.2.0 NAME ‘nisplusObjectContainer’

DESC ‘Abstraction of an NIS+ object’ STRUCTURAL MUST ( cn $ nisplusObject )

X-ORIGIN ‘user defined’ )

attributeTypes: ( 1.3.6.1.4.1.42.2.27.5.42.42.1.0 NAME ‘nisplusObject’ DESC

‘An opaque representation of an NIS+ object’ SYNTAX 1.3.6.1.4.1.1466.115.121.1.5

SINGLE-VALUE X-ORIGIN ‘user defined’ )

16. pkill -9 rpc.nisd

17. In order to automatically dump all data from nis+ to ldap and then exit out:

# rpc.nisd -D -x nisplusLDAPinitialUpdateAction=to_ldap

-x nisplusLDAPinitialUpdateOnly=yes

It is also advisable to :

tail -f access

tail -f errors

on two separate consoles to look for possible errors and problems. These are

our only clues as to what is going wrong

PS: Thing to note is that if those tables possibly not proper in NIS+, they

might give different errors in access log, but otherwise all data come

across fine, and then rpc.nisd exits out.

18. Check in ldap that all data have come across by appropriate ldapsearch

19. We may also build a native ldap client on a different solaris 9 client

and test the ldap data on server by logging in with home directories

20. Now, to keep both NIS+ & LDAP always in synch , start rpc.nisd normally:

/usr/sbin/rpc.nisd

21. In order to test if they are really in synch:

a) Modify NIS+ hosts table by:

/usr/lib/nis/nisaddent -d hosts > /tmp/hosts

vi /tmp/hosts and insert an additional host entry there

/usr/lib/nis/nisaddent -rvf /tmp/hosts hosts

b) # niscat hosts.org_dir , and check if that entry came into nis+

b) Check the access log that immediately the new nis+ entries are pushed to

ldap

c) ldapsearch for the appropriate hosts entry by:

ldapsearch -b “dc=atac.ebay.sun.com” ipHostNumber=*

and observe that it appeared into ldap automatically