January 28, 2010 -
Tested under Debian Lenny
This howto is basic, as in “no security involved”. I may come up with a second part to this guide about securing OpenLDAP with TLS, if I ever find the time.
Meanwhile see http://www.openldap.org/doc/admin23/security.html for the security aspect of things.
In this example, I’ll create a tree following this scheme : dc=my,dc=domain,dc=tld.
How you organize your tree is up to you; it is purely a matter of organization. You can limit your tree to a single root branch, for example dc=myname.
Install OpenLDAP server and some useful utilities :
# apt-get install slapd ldap-utils
You should be prompted for a password during the install; if not, generate the hash from the command line :
# slappasswd
New password:
Re-enter new password:
{SSHA}vFk3EP4SSW0RDm4yEKD
Edit /etc/ldap/slapd.conf :
You should copy the password obtained with slappasswd under the rootpw option.
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel none
modulepath /usr/lib/ldap
moduleload back_hdb
sizelimit 500
tool-threads 1
backend hdb
database hdb
suffix "dc=my,dc=domain,dc=tld"
rootdn "cn=admin,dc=my,dc=domain,dc=tld"
rootpw "{SSHA}vFk3EP4SSW0RDm4yEKD"
directory "/var/lib/ldap"
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
index objectClass eq
lastmod on
checkpoint 512 30
access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=my,dc=domain,dc=tld" write
        by anonymous auth
        by self write
        by * none
access to dn.base="" by * read
access to *
        by dn="cn=admin,dc=my,dc=domain,dc=tld" write
        by * read
“cn=admin,dc=my,dc=domain,dc=tld” is the database admin. These are the credentials you will use whenever you need to modify something in the database.
Then edit /etc/ldap/ldap.conf :
This is the configuration for the LDAP client.
HOST 127.0.0.1
BASE dc=my,dc=domain,dc=tld
URI ldap://localhost
Now create a directory that will contain some initial configuration files.
# mkdir /etc/ldap/LDIF
In this directory create the following files :
1_base.ldif (the base of our LDAP tree) :
dn: dc=my,dc=domain,dc=tld
dc: my
objectClass: domain
2_group.ldif (this will be the branch that will host our groups) :
dn: ou=Groups,dc=my,dc=domain,dc=tld
ou: Groups
objectClass: organizationalUnit
3_dev.ldif (this is our first group) :
dn: cn=dev,ou=Groups,dc=my,dc=domain,dc=tld
cn: dev
gidNumber: 30000
memberUid: user1
objectClass: posixGroup
objectClass: top
description: developers
4_people.ldif (this is the branch hosting users) :
dn: ou=People,dc=my,dc=domain,dc=tld
ou: People
objectClass: organizationalUnit
5_user1.ldif (this is our first user) :
dn: uid=user1,ou=People,dc=my,dc=domain,dc=tld
uid: user1
cn: John Doe
displayName: John Doe
givenName: Doe
sn: Doe
objectClass: inetOrgPerson
userPassword: pass
mail: johndoe@domain.tld
When we are done, we can restart OpenLDAP and create the tree and import some data :
# /etc/init.d/slapd restart
# cd /etc/ldap/LDIF
# for i in *.ldif; do ldapadd -x -D "cn=admin,dc=my,dc=domain,dc=tld" -W -f "$i"; done
You will be prompted for the admin password once per LDIF file in the directory.
If you didn’t name your files 1_base.ldif, 2_group.ldif, etc., the command may fail, because it may try to add a group or user before its parent branch exists.
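The ordering problem just described can be solved without relying on file names. The script below is an added example, not part of the original post: it sorts the LDIF files by the depth of their DN so that every parent entry is added before its children, and stops at the first failure. It assumes one "dn:" line per file and DNs without escaped commas, which is true for the files created above.

```shell
#!/bin/sh
# Import LDIF files parent-first, whatever the files are called.
# Added example, not from the original post.

# dn_depth DN: number of RDN components (dc=my,dc=domain,dc=tld -> 3).
# A parent always has fewer components than its children, so sorting
# by depth yields a valid add order.
dn_depth() {
    commas=$(printf '%s' "$1" | tr -cd ',' | wc -c | tr -d ' ')
    echo $((commas + 1))
}

# dn_of_file FILE: the DN of the (first) entry in an LDIF file.
dn_of_file() {
    sed -n 's/^dn:[[:space:]]*//p' "$1" | head -n 1
}

# order_ldif_files DIR: list DIR/*.ldif shallowest DN first, one per line.
order_ldif_files() {
    for f in "$1"/*.ldif; do
        [ -f "$f" ] || continue
        printf '%s\t%s\n' "$(dn_depth "$(dn_of_file "$f")")" "$f"
    done | sort -n -k1,1 | cut -f2-
}

# import_tree DIR: add the files in that order, stopping at the first
# failure so a missing parent does not leave a half-imported tree.
# ldapadd -W prompts for the admin password once per file, as in the howto.
import_tree() {
    order_ldif_files "$1" | while IFS= read -r f; do
        echo "adding $(dn_of_file "$f") from $f"
        ldapadd -x -D "cn=admin,dc=my,dc=domain,dc=tld" -W -f "$f" || exit 1
    done
}
```

Run it as `import_tree /etc/ldap/LDIF`; `order_ldif_files /etc/ldap/LDIF` alone shows the order without adding anything.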
Now you should be able to query the LDAP tree :
# ldapsearch -x
# extended LDIF
#
# LDAPv3
# base <dc=my,dc=domain,dc=tld> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# my.domain.tld
dn: dc=my,dc=domain,dc=tld
dc: my
objectClass: domain
# Groups, my.domain.tld
dn: ou=Groups,dc=my,dc=domain,dc=tld
ou: Groups
objectClass: organizationalUnit
# People, my.domain.tld
dn: ou=People,dc=my,dc=domain,dc=tld
ou: People
objectClass: organizationalUnit
# user1, People, my.domain.tld
dn: uid=user1,ou=People,dc=my,dc=domain,dc=tld
uid: user1
cn: John Doe
displayName: John Doe
givenName: Doe
sn: Doe
objectClass: inetOrgPerson
mail: johndoe@domain.tld
# dev, Groups, my.domain.tld
dn: cn=dev,ou=Groups,dc=my,dc=domain,dc=tld
cn: dev
gidNumber: 30000
memberUid: user1
objectClass: posixGroup
objectClass: top
description: developers
# search result
search: 2
result: 0 Success
# numResponses: 6
# numEntries: 5
This command relies on /etc/ldap/ldap.conf for the default base and server. If ldap.conf is not configured, you have to pass them on the command line :
# ldapsearch -x -b "dc=my,dc=domain,dc=tld" -H ldap://server
Now, you can authenticate several services against your new LDAP server.
For example, web authentication in Apache: take a look at http://www.wains.be/index.php/2010/01/26/apache-simple-authentication-and-ldap-authentication-examples/
You also may want to install PHP LDAP Admin for managing your LDAP database through a web GUI :
# apt-get install phpldapadmin
Then go to http://server/phpldapadmin and authenticate with cn=admin,dc=my,dc=domain,dc=tld and your rootpw.
January 25, 2010 -
This one is a bit less complex than http://www.wains.be/index.php/2009/09/13/wpa2-freeradius-eap-tls/
This is actually the most basic RADIUS configuration ever, useful for quick tests. I can only recommend checking the post mentioned above if you want to do something serious.
# apt-get install freeradius
# vim /etc/freeradius/users
login Cleartext-Password := "password"
login2 Cleartext-Password := "password2"
# vim /etc/freeradius/clients.conf
client localhost {
ipaddr = 127.0.0.1
secret = radiuspassword
}
client router {
ipaddr = 10.0.0.1
secret = radiuspassword
}
# /etc/init.d/freeradius restart
Check if RADIUS is working :
# radtest login password localhost 1812 radiuspassword
Sending Access-Request of id 222 to 127.0.0.1 port 1812
User-Name = "login"
User-Password = "password"
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=222, length=20
# radtest login2 password2 localhost 1812 radiuspassword
Sending Access-Request of id 1 to 127.0.0.1 port 1812
User-Name = "login2"
User-Password = "password2"
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=1, length=20
We expect Access-Accept from the server, not Access-Reject…
Configure your wireless access point :
Usually found under the Security tab (or RADIUS, 802.1X, etc.)
Configure your device at 10.0.0.1 to authenticate against the RADIUS server with the shared secret radiuspassword.
Try to connect to your wireless access point using login and password.
-
This post only covers the configuration files Postfix needs to look up recipients in the LDAP server.
We want to be able to send emails to username@domain.tld
We also want to have aliases for our users, for example : firstname.lastname@domain.tld pointing to username@domain.tld
Finally, we want groups to act as a mailing list, forwarding emails to members of the group, for example : support@domain.tld
LDAP tree
dc=domain,dc=tld
|-------ou=Aliases,dc=domain,dc=tld
|---------------cn=support,ou=Aliases,dc=domain,dc=tld
|
| cn : support
| description : alias support
| gidNumber : 50000
| mailRoutingAddress : support@domain.tld
| memberUid : it (this is a group with an inetLocalMailRecipient class and a mailRoutingAddress field defined)
| memberUid : username3 (this is a user account)
|
|-------ou=Groups,dc=domain,dc=tld
|---------------cn=it,ou=Groups,dc=domain,dc=tld
|
| cn : it
| description : IT dept group
| gidNumber : 40000
| mailRoutingAddress : it@domain.tld
| memberUid : username1
| memberUid : username2
|
|-------ou=Users,dc=domain,dc=tld
|---------------uid=username1,ou=Users,dc=domain,dc=tld
cn : username1
gecos : John Doe
gidNumber : 10000
homeDirectory : /home/username1
mail : john.doe@domain.tld
mailLocalAddress : john.doe
uid : username1
[...]
Postfix configuration
For this to work, we must set “append_at_myorigin = yes” in main.cf, so that bare memberUid values such as “it” or “username1” returned by a lookup become it@domain.tld or username1@domain.tld and are looked up again.
For group/alias emails to work, the group must have the inetLocalMailRecipient class and mailRoutingAddress defined
So we basically add in main.cf :
virtual_alias_maps = ldap:/etc/postfix/ldap-account.cf, ldap:/etc/postfix/ldap-group.cf, ldap:/etc/postfix/ldap-alias.cf
It means that Postfix will check ldap-account.cf first, then ldap-group.cf and finally ldap-alias.cf.
So we create those files :
ldap-account.cf (for virtual users) :
server_host = localhost
port = 389
version = 3
search_base = ou=Users,dc=domain,dc=tld
scope = sub
# we search through the Users base for the recipient email address (%s)
query_filter = (mail=%s)
# if we find anything under ou=Users,dc=domain,dc=tld, we deliver to the account specified under "uid"
# so basically, if we send an email to john.doe@domain.tld, we will find an entry, finally delivering the email to uid username1
result_attribute = uid
ldap-alias.cf (for virtual aliases) :
server_host = localhost
port = 389
version = 3
scope = sub
# we search through the Aliases base...
search_base = ou=Aliases,dc=domain,dc=tld
# ...for the recipient email address (%s) specified under mailRoutingAddress field
query_filter = mailRoutingAddress=%s
# If we find anything, return memberUid, that can be accounts, groups, or aliases
result_attribute = memberUid
ldap-group.cf (for virtual groups) :
server_host = localhost
port = 389
version = 3
scope = sub
# Same as aliases, but in a different base
search_base = ou=Groups,dc=domain,dc=tld
query_filter = mailRoutingAddress=%s
result_attribute = memberUid
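To see how the three maps above chain together, here is an added example that is not part of the original post: a small shell simulation of Postfix's recursive virtual alias expansion over the tree shown earlier. The directory contents are constructed inline to match that tree; real Postfix queries LDAP through the three .cf files, and its own lookup order for partial addresses is left out.

```shell
#!/bin/sh
# Simulate virtual_alias_maps resolution: account, then group, then alias.
# Added example, not from the original post.
MYORIGIN=domain.tld   # what append_at_myorigin adds to bare memberUid results

# Constructed LDAP data: base|key attribute=value|result attribute=value
LDAP_DATA='
Users|mail=john.doe@domain.tld|uid=username1
Users|mail=jane.roe@domain.tld|uid=username2
Users|mail=sam.poe@domain.tld|uid=username3
Groups|mailRoutingAddress=it@domain.tld|memberUid=username1
Groups|mailRoutingAddress=it@domain.tld|memberUid=username2
Aliases|mailRoutingAddress=support@domain.tld|memberUid=it
Aliases|mailRoutingAddress=support@domain.tld|memberUid=username3
'

# ldap_lookup BASE FILTER: print the result values of the matching entries
# (matched case-insensitively, as LDAP does for mail addresses).
ldap_lookup() {
    printf '%s\n' "$LDAP_DATA" | awk -F '|' -v base="$1" -v filter="$2" '
        $1 == base && tolower($2) == tolower(filter) { sub(/^[^=]*=/, "", $3); print $3 }'
}

# resolve ADDRESS [DEPTH]: print the final mailboxes for ADDRESS, one per line.
# Every result is looked up again, so a group listed in an alias is expanded
# to its members. The depth limit is the guard against alias loops (a -> b -> a),
# which Postfix also enforces on its side.
resolve() {
    addr=$1; depth=${2:-0}
    if [ "$depth" -ge 10 ]; then
        echo "alias loop or expansion too deep while resolving $addr" >&2
        return 1
    fi
    # same order as in main.cf: ldap-account.cf, ldap-group.cf, ldap-alias.cf
    results=$(ldap_lookup Users "mail=$addr")
    [ -n "$results" ] || results=$(ldap_lookup Groups "mailRoutingAddress=$addr")
    [ -n "$results" ] || results=$(ldap_lookup Aliases "mailRoutingAddress=$addr")
    if [ -z "$results" ]; then
        echo "$addr"          # no map matched: delivered as-is
        return 0
    fi
    for r in $results; do
        case $r in
            *@*) next=$r ;;
            *)   next="$r@$MYORIGIN" ;;   # append_at_myorigin = yes
        esac
        # subshell: keeps addr/depth of this level intact during recursion
        ( resolve "$next" $((depth + 1)) ) || return 1
    done
}
```

`resolve support@domain.tld` prints username1, username2 and username3 at domain.tld, which is the fan-out the three maps produce for the support alias.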
January 20, 2010 -
Tested under Asterisk 1.4.21.
If someone calls and hangs up before leaving a voicemail (that is, while the phone is ringing or during the voicemail greeting), Asterisk will send a “missed call” notification by XMPP/Jabber.
/etc/asterisk/jabber.conf :
This file contains the info for Asterisk to connect to the Jabber server.
When Asterisk is restarted, it connects automatically and adds the contacts listed in the buddy= lines to its contact list.
You can specify several accounts in this file and use different accounts for different notifications, for example.
From the Asterisk CLI, the command “jabber test” displays the status of your contacts; it only works with the account specified in the [asterisk] context.
[general]
debug=no
autoprune=no ; this is important to set this to no, if set to yes and you don't specify any "buddy=" it will delete contacts from your buddy list
autoregister=yes
[asterisk] ; must be called "asterisk" if we want the command "jabber test" to work
type=client
serverhost=jabber.example.org
username=pbx@example.org/pbx
secret=PASSWORD
port=5222
usetls=yes
usesasl=yes
buddy=youraccountreceivingnotifications@gmail.com
buddy=anotheraccountthatmayreceivenotifications@gmail.com
statusmessage=Asterisk XMPP bot. Don't talk to me, your messages would be lost forever.
timeout=100
[account2]
type=client
serverhost=jabber.example.org
username=anotheraccount@example.org/pbx
secret=PASSWORD
port=5222
usetls=yes
usesasl=yes
buddy=someoneelse@gmail.com
statusmessage=Asterisk XMPP bot. Don't talk to me, your messages would be lost forever.
timeout=100
/etc/asterisk/extensions.conf :
When you pass the option “g” to the Dial() command, Asterisk does not stop when the user hangs up: it leaves Dial() and continues by jumping to the special “h” extension in the current context. On the console you should expect something like “Spawn extension (macro-DialVM, h, 5) exited” once the whole thing has been processed.
If you don’t specify the option, Asterisk exits at the Dial() command. You would then see “Spawn extension (macro-DialVM, s, 1) exited” right after the user hangs up.
In this bit of dialplan, we enable XMPP notifications for calls made on extension 555 in the context named Local.
Dialing is made through a macro called macro-DialVM.
XMPP notifications are sent through macro-XMPPSend.
[macro-XMPPSend]
;;; Description : sends XMPP messages only if user is online and not away
;;; ARG1 = Jabber ID to be notified
;;; ARG2 = Message
;;; Jabberstatus and Jabbersend take the account name to user to send notifications as first argument ([asterisk] or [account2] under jabber.conf)
; getting user's status
; Status can be in order : 1)Online, 2)Chatty, 3)Away, 4)XAway, 5)DND, 6)Offline, 7)Not in roster
exten => s,1,Jabberstatus(asterisk,${ARG1},STATUS)
; If the value of STATUS is anything under 3 (or Away), in other words if user is Online or in Chatty mode
exten => s,n,GotoIf($["${STATUS}" < "3"]?available:unavailable)
; then we send a message
exten => s,n(available),NoOp(${ARG1} is available)
exten => s,n,Jabbersend(asterisk,${ARG1},${ARG2})
exten => s,n,MacroExit()
; if the user is not available, we don't send anything
exten => s,n(unavailable),NoOp(${ARG1} is not available in at least one location.. Do not send notification)
exten => s,n,MacroExit()
[macro-DialVM]
;;; Description : dials (option g enabled, jumps to h extension) and goes to voicemail if reaching timeout.
;;; ARG1 = extension to be dialed
;;; ARG2 = timeout
;;; XMPP notification if call missed
exten => s,1,Dial(SIP/${ARG1},${ARG2},wg)
exten => s,n,Voicemail(${ARG1})
; option g must be passed to Dial() to jump to h extension or it would spawn at "macro-DialVM,s,1"
; if user doesn't leave a voicemail, VMSTATUS = FAILED
; if user hangs up before reaching the voicemail app, DIALSTATUS = CANCEL
exten => h,1,NoOp(Did user hang up before leaving a voicemail ?)
exten => h,n,GotoIf($["${VMSTATUS}" = "FAILED"]?missed:nextcheck)
exten => h,n(nextcheck),GotoIf($["${DIALSTATUS}" = "CANCEL"]?missed:notmissed)
exten => h,n(missed),Macro(XMPPSend,youraccountreceivingnotifications@gmail.com,${CALLERID(all)} just tried to call ${ARG1})
exten => h,n(notmissed),Hangup()
[Local]
;;; Description : Local calls context
; My extension is 555, with a timeout of 30 seconds
exten => 555,1,Macro(DialVM,${EXTEN},30)
-
This is based on a fresh install.
Install the necessary stuff :
# apt-get install apache2 subversion trac
# apt-get install libapache2-svn
libapache2-svn will enable the dav and dav_fs modules.
More stuff :
# apt-get install libapache2-mod-python
Create your directories for TRAC environments (/home/trac/), projects source files (/home/dev/) and SVN repositories (/home/svn/) :
# mkdir /home/{trac,dev,svn}
Create your first project :
# mkdir /home/dev/project1
# echo "<?php phpinfo() ?>" > /home/dev/project1/index.php
Create the SVN repository for the project :
# svnadmin create /home/svn/project1
Import the project into the SVN repository :
# svn import -m "Initial import" /home/dev/project1/ file:///home/svn/project1/
Adding /home/dev/project1/index.php
Committed revision 1.
Move your sources to a safe place while we check out the project :
# mv /home/dev/project1 /home/dev/project1-orig
Checkout the project :
# svn checkout file:///home/svn/project1 /home/dev/project1
A /home/dev/project1/index.php
Checked out revision 1.
Make sure the project is now under version control; you should see a “.svn” directory :
# ls -lah /home/dev/project1
total 16K
drwxr-xr-x 3 root root 4.0K Jan 20 12:42 .
drwxr-xr-x 4 root root 4.0K Jan 20 12:42 ..
drwxr-xr-x 6 root root 4.0K Jan 20 12:42 .svn
-rw-r--r-- 1 root root 19 Jan 20 12:42 index.php
It’s now safe to delete the copy that is not under version control :
# rm -fr /home/dev/project1-orig/
Set up TRAC for your first project (the values to type at the prompts are Project1, an empty line to accept the default database, svn and /home/svn/project1) :
# trac-admin /home/trac/project1 initenv
Creating a new Trac environment at /home/trac/project1
Trac will first ask a few questions about your environment
in order to initialize and prepare the project database.
Please enter the name of your project.
This name will be used in page titles and descriptions.
Project Name [My Project]> Project1
Please specify the connection string for the database to use.
By default, a local SQLite database is created in the environment
directory. It is also possible to use an already existing
PostgreSQL database (check the Trac documentation for the exact
connection string syntax).
Database connection string [sqlite:db/trac.db]> PRESS ENTER
Please specify the type of version control system,
By default, it will be svn.
If you don't want to use Trac with version control integration,
choose the default here and don't specify a repository directory.
in the next question.
Repository type [svn]> svn
Please specify the absolute path to the version control
repository, or leave it blank to use Trac without a repository.
You can also set the repository location later.
Path to repository [/path/to/repos]> /home/svn/project1
Creating and Initializing Project
Installing default wiki pages
TracSyntaxColoring imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracSyntaxColoring
TracChangeset imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracChangeset
TracWiki imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracWiki
WikiHtml imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/WikiHtml
TracRevisionLog imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracRevisionLog
TracFastCgi imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracFastCgi
TracTicketsCustomFields imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracTicketsCustomFields
SandBox imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/SandBox
WikiMacros imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/WikiMacros
TracUpgrade imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracUpgrade
TracBackup imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracBackup
TracAccessibility imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracAccessibility
RecentChanges imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/RecentChanges
WikiDeletePage imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/WikiDeletePage
TracNavigation imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracNavigation
TracImport imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracImport
TracModPython imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracModPython
TracEnvironment imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracEnvironment
TracBrowser imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracBrowser
WikiFormatting imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/WikiFormatting
TracPlugins imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracPlugins
WikiPageNames imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/WikiPageNames
TracNotification imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracNotification
TracInstall imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracInstall
TracIni imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracIni
TracAdmin imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracAdmin
TracRss imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracRss
TracLogging imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracLogging
TracGuide imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracGuide
WikiStart imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/WikiStart
TracQuery imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracQuery
WikiNewPage imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/WikiNewPage
CamelCase imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/CamelCase
TracRoadmap imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracRoadmap
TracLinks imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracLinks
TracStandalone imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracStandalone
TracInterfaceCustomization imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracInterfaceCustomization
TracUnicode imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracUnicode
InterMapTxt imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/InterMapTxt
TracPermissions imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracPermissions
TitleIndex imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TitleIndex
WikiProcessors imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/WikiProcessors
InterWiki imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/InterWiki
TracCgi imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracCgi
TracTimeline imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracTimeline
InterTrac imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/InterTrac
PageTemplates imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/PageTemplates
TracTickets imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracTickets
TracSupport imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracSupport
TracWorkflow imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracWorkflow
TracSearch imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracSearch
TracFineGrainedPermissions imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracFineGrainedPermissions
WikiRestructuredTextLinks imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/WikiRestructuredTextLinks
TracReports imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracReports
WikiRestructuredText imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/WikiRestructuredText
Indexing repository
[1]
---------------------------------------------------------------------
Project environment for 'Project1' created.
You may now configure the environment by editing the file:
/home/trac/project1/conf/trac.ini
If you'd like to take this new project environment for a test drive,
try running the Trac standalone web server `tracd`:
tracd --port 8000 /home/trac/project1
Then point your browser to http://localhost:8000/project1.
There you can also browse the documentation for your installed
version of Trac, including information on further setup (such as
deploying Trac to a real web server).
The latest documentation can also always be found on the project
website:
http://trac.edgewall.org/
Congratulations
The configuration is stored under /home/trac/project1/conf/trac.ini.
Create the password files for web authentication :
# htpasswd -c /etc/apache2/passwd-trac yourusername
Set up Apache :
# cp /etc/apache2/sites-available/default /etc/apache2/sites-available/projects
# vim /etc/apache2/sites-available/projects
<VirtualHost *:80>
    DocumentRoot /var/www/
    <Directory /var/www/>
        Order allow,deny
        Allow from all
    </Directory>

    ### TRAC Root : http://server/trac or http://server/trac/
    # Rewrite ./trac to ./trac/
    RewriteEngine on
    RewriteRule ^(.*)\/trac$ $1/ [NC]
    <Location /trac/>
        SetHandler mod_python
        PythonHandler trac.web.modpython_frontend
        PythonInterpreter main
        PythonOption TracEnvParentDir /home/trac
        PythonOption TracUriRoot /trac/
        SetEnv PYTHON_EGG_CACHE /tmp
    </Location>

    ### TRAC Login : http://server/trac/*/login
    <LocationMatch ^(/trac/[^/]+)?/login>
        AuthType Basic
        AuthName "TRAC Login"
        AuthUserFile /etc/apache2/passwd-trac
        Require valid-user
    </LocationMatch>

    ### SVN repository : http://server/svn
    <Location /svn>
        DAV svn
        SVNParentPath /home/svn
        SVNListParentPath on
        AuthType Basic
        AuthName "SVN Repository"
        AuthUserFile /etc/apache2/passwd-trac
        Require valid-user
    </Location>
</VirtualHost>
Enable rewrite module :
# a2enmod rewrite
Enabling module rewrite.
Run '/etc/init.d/apache2 restart' to activate new configuration!
Disable the default website :
# a2dissite default
Site default disabled.
Run '/etc/init.d/apache2 reload' to activate new configuration!
Enable the newly configured website :
# a2ensite projects
Enabling site projects.
Run '/etc/init.d/apache2 reload' to activate new configuration!
Restart Apache :
# /etc/init.d/apache2 restart
Make sure Apache can read and write TRAC configuration files.
This is a basic working example but you may want to do something more elaborate involving Set-GID or POSIX ACL.
# chown -R www-data. /home/trac
Now go to http://server/trac, it should rewrite the URL to http://server/trac/ and display a list of available projects.
Voilà.
Please let me know if it works for you. Thanks.
Partially based on http://www.willamaze.eu/?p=732
January 14, 2010 -
Tested under Debian Lenny 32 bits.
This howto is based on http://www.kremalicious.com/2008/06/ubuntu-as-mac-file-server-and-time-machine-volume/
Matthias’ post is very comprehensive. This post is basically a raw copy-paste of commands; if you want more information, go see Matthias’ post.
If you find this useful, please give credit to Matthias.
Why AFP (Apple Filing Protocol) ?
I wanted to see if AFP was faster than SMB.
A quick test showed my MacBook (running OS 10.6.2) transferring files 20% faster over AFP than over SMB.
Build netatalk to support encryption
Starting with Netatalk version 2.0.4 (and Debian Squeeze) you won’t need to rebuild to support SSL (see Frank’s comment).
Lenny comes with version 2.0.3 so we still need to go through recompilation (which I recommend doing on another box).
# apt-get build-dep netatalk
# apt-get install cracklib2-dev fakeroot libssl-dev
# apt-get source netatalk
# cd netatalk-2*
# DEB_BUILD_OPTIONS=ssl dpkg-buildpackage -rfakeroot
Install modified version of netatalk
# dpkg -i ../netatalk_2*.deb
# echo "netatalk hold" | dpkg --set-selections
/etc/default/netatalk
ATALKD_RUN=no
PAPD_RUN=no
CNID_METAD_RUN=yes
AFPD_RUN=yes
TIMELORD_RUN=no
A2BOOT_RUN=no
/etc/netatalk/afpd.conf
- -transall -uamlist uams_dhx.so -nosavepassword
/etc/netatalk/AppleVolumes.default
/home/seb "Seb's share" allow:seb
Start netatalk
# /etc/init.d/netatalk start
Advertise the service with Avahi
You can skip this step, but it’d mean the server doesn’t magically appear as a Shared drive in your Finder.
# apt-get install avahi-daemon
/etc/avahi/services/afpd.service
<?xml version="1.0" standalone='no'?>
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
<name replace-wildcards="yes">%h AFP</name>
<service>
<type>_afpovertcp._tcp</type>
<port>548</port>
</service>
<service>
<type>_device-info._tcp</type>
<port>0</port>
<txt-record>model=Xserve</txt-record>
</service>
</service-group>
# /etc/init.d/avahi-daemon restart
Firewall :
Allow tcp/548 (netatalk) and tcp/5353 (avahi)
January 5, 2010 -
What you need :
- a working Nagios
- a GSM modem (this has been tested with a Siemens MC35i) or a cellphone with modem capabilities supported by Linux (I don’t have that)
- Gammu
Set up the modem :
Connect the GSM modem to the Nagios machine through the serial port and make sure it receives a signal from the carrier (the LED blinking slowly means everything is OK; if it blinks fast, there is no signal)
Install and configure Gammu :
# apt-get install gammu
The modem should be accessible through /dev/ttyS0
# vim /etc/gammurc
[gammu]
port = /dev/ttyS0
connection = at19200
startinfo = no
name = Siemens
synchronizetime = no
use_locking = no
Test the modem
# gammu --identify
Manufacturer : Siemens
Model : unknown (MC35i)
Firmware : REVISION 02.00
IMEI : 3515590XXXXXX
Product code : MC35i
SIM IMSI : 2061021XXXXXX
# gammu --networkinfo
Network state : home network
Network : 206 10 (Mobistar, Belgium), LAC 6B08, CID 19EC
Name in phone : "B mobistar"
# gammu --monitor 1
Press Ctrl+C to break...
Entering monitor mode...
Enabling info about incoming SMS : No error.
Enabling info about incoming CB : No error.
Enabling info about calls : No error.
Enabling info about USSD : No error.
SIM phonebook : 59 used, 41 free
Dialled numbers : 7 used, 3 free
Received numbers : 0 used, 10 free
Missed numbers : 0 used, 10 free
Own numbers : 1 used, 2 free
Phone phonebook : 0 used, 250 free
Leaving monitor mode...
Everything looks fine !
Before we continue, let’s check permissions on /dev/ttyS0
# ls -l /dev/ttyS0
crw-rw---- 1 root dialout 4, 64 jan 5 16:14 /dev/ttyS0
Nagios usually runs as user “nagios”, so any notification command is executed as “nagios”. As the listing shows, /dev/ttyS0 belongs to root and group dialout, so user nagios has no permission to access the modem on /dev/ttyS0.
We’ll set the SUID bit (set-user-ID) on the command in charge of sending SMS notifications, so that gammu runs as root whoever invokes it.
# chmod 4755 /usr/bin/gammu
We could put nagios in the dialout group as well. I didn’t, as Nagios is running on an isolated box in the LAN.
If someone is able to mess with gammu executed as SUID on that box, that would mean I’m already in a lot of trouble anyway.
Before we continue, we’ll try to send an SMS to the Belgian cell number 0475123456 :
# echo "test" | gammu --sendsms TEXT 0475123456
If you want break, press Ctrl+C...
Sending SMS 1/1....waiting for network answer..OK, message reference=181
It worked.
Now, an example of Nagios config for SMS notifications :
define command{
    command_name host-notify-by-sms
    command_line /usr/bin/printf "%b" "NAGIOS / Host: $HOSTNAME$ / State: $HOSTSTATE$ / Info: $HOSTOUTPUT$ / Date: $SHORTDATETIME$" | /usr/bin/gammu --sendsms TEXT $CONTACTPAGER$
}
define command{
    command_name notify-by-sms
    command_line /usr/bin/printf "%b" "NAGIOS / Host: $HOSTALIAS$ / State: $SERVICESTATE$ / Info: $SERVICEOUTPUT$ / Date: $SHORTDATETIME$" | /usr/bin/gammu --sendsms TEXT $CONTACTPAGER$
}
define contact{
contact_name email
alias email
service_notification_period 24x7
host_notification_period 24x7
service_notification_options c,r
host_notification_options d,r
service_notification_commands notify-by-email
host_notification_commands host-notify-by-email
email nagios@example.org
}
define contact{
contact_name sms
alias sms
service_notification_period smshours
host_notification_period smshours
service_notification_options c,r
host_notification_options d,r
service_notification_commands notify-by-sms
host_notification_commands host-notify-by-sms
pager 0475123456
}
define contactgroup{
contactgroup_name admins
alias Nagios Administrators
members email, sms
}
define timeperiod{
timeperiod_name smshours
alias SMS Hours
sunday 00:00-24:00
monday 00:00-07:00,18:00-24:00
tuesday 00:00-07:00,18:00-24:00
wednesday 00:00-07:00,18:00-24:00
thursday 00:00-07:00,18:00-24:00
friday 00:00-07:00,18:00-24:00
saturday 00:00-24:00
}
September 13, 2009 -
Tested under Debian Lenny
BUILDING AND INSTALLING FREERADIUS WITH TLS SUPPORT
Install the necessary packages :
apt-get install dpkg-dev fakeroot
Download the source :
cd /root
mkdir freeradius-tls
cd freeradius-tls
apt-get source freeradius
Make the changes :
Edit /root/freeradius-tls/debian/rules so that the options for eap_tls, eap_ttls, eap_peap and openssl read --with instead of --without, as in :
--with-rlm_eap_tls \
--with-rlm_eap_ttls \
--with-rlm_eap_peap \
--without-rlm_eap_tnc \
--without-rlm_otp \
--with-rlm_sql_postgresql_lib_dir=`pg_config --libdir`\
--with-rlm_sql_postgresql_include_dir=`pg_config --includedir` \
--with-openssl \
--without-rlm_eap_ikev2 \
--without-rlm_sql_oracle \
--without-rlm_sql_unixodbc \
Then, comment the following :
for pkg in ${pkgs} ; do \
if dh_shlibdeps -p $$pkg -- -O 2>/dev/null | grep -q libssl; then \
echo "$$pkg links to openssl" ;\
exit 1 ;\
fi ;\
done
Edit /root/freeradius-tls/debian/control :
On the line beginning with “Build-Depends”, add “, libssl-dev” at the end of the line (without the quotes).
Install dev libraries :
apt-get install libssl-dev debhelper libgdbm-dev libiodbc2-dev libkrb5-dev libldap2-dev libltdl3-dev libmysqlclient15-dev libpam0g-dev libpcap-dev libperl-dev libpq-dev libsasl2-dev libsnmp-dev python-dev
Build freeradius :
dpkg-buildpackage -rfakeroot
Building will end with a warning message; this is not important.
Put the packages on hold to avoid upgrading with a non-TLS version of FreeRADIUS :
echo "freeradius hold" | dpkg --set-selections
echo "libfreeradius2 hold" | dpkg --set-selections
echo "freeradius-common hold" | dpkg --set-selections
Install the packages we’ve just built :
dpkg --install freeradius-common_2.0.4+dfsg-6_all.deb libfreeradius2_2.0.4+dfsg-6_i386.deb
CERTIFICATES
Creating the CA
apt-get install openssl
Edit /etc/ssl/openssl.cnf
[ CA_default ]
dir = ./PKI
Edit /usr/lib/ssl/misc/CA.sh
CATOP=./PKI
Then type :
cd /etc/ssl
/usr/lib/ssl/misc/CA.sh -newca
Set a challenge password and a passphrase. This is needed.
The CA created will be copied to the server and clients later on.
Optional : if you have Windows XP clients
Create /etc/ssl/PKI/xpextensions (referenced as PKI/xpextensions from /etc/ssl below) :
[xpclient_ext]
extendedKeyUsage=1.3.6.1.5.5.7.3.2
[xpserver_ext]
extendedKeyUsage=1.3.6.1.5.5.7.3.1
Server certificate signing request :
cd /etc/ssl
openssl req -new -nodes -keyout PKI/server_key.pem -out PKI/server_req.pem -days 730 -config openssl.cnf
Set a challenge password
Sign the server certificate request (if winxp clients) :
cd /etc/ssl
openssl ca -config openssl.cnf -policy policy_anything -out PKI/server_cert.pem -extensions xpserver_ext -extfile PKI/xpextensions -infiles PKI/server_req.pem
Mac clients :
openssl ca -config openssl.cnf -policy policy_anything -out PKI/server_cert.pem -infiles PKI/server_req.pem
Then :
cp server_cert.pem server_cert.pem-backup
Edit server_cert.pem
Remove everything before the line -----BEGIN CERTIFICATE----- (openssl ca writes a text dump of the certificate before the PEM block; winxp clients need the file to start at the PEM block)
Next :
cat server_key.pem server_cert.pem > server_keycert.pem
Create a client certificate signing request :
cd /etc/ssl
openssl req -new -keyout PKI/client_key.pem -out PKI/client_req.pem -days 730 -config openssl.cnf
Sign client cert request :
cd /etc/ssl
Windows xp client :
openssl ca -config openssl.cnf -policy policy_anything -out PKI/client_cert.pem -extensions xpclient_ext -extfile PKI/xpextensions -infiles PKI/client_req.pem
Mac OS X client :
openssl ca -config openssl.cnf -policy policy_anything -out PKI/client_cert.pem -infiles PKI/client_req.pem
Export P12 certs (Windows and Mac clients ) :
openssl pkcs12 -export -in client_cert.pem -inkey client_key.pem -out client_cert.p12 -clcerts
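A few checks on the PEM files the steps above produce, as an added example (not part of the original howto): it assumes the howto's file names (cacert.pem, server_cert.pem, client_cert.pem, server_keycert.pem), an unencrypted server key (the request above used -nodes), and the xpextensions variant for the EKU checks.

```shell
#!/bin/sh
# Sanity checks for the PEM files produced by the CA.sh steps above. Added
# example, not part of the original howto; it assumes the howto's file names
# and an unencrypted server key (the request above was made with -nodes).

# "openssl ca" writes a text dump of the certificate before the PEM block and
# Windows XP rejects such a file. This is the manual "remove everything before
# -----BEGIN CERTIFICATE-----" step: $1 = input file, $2 = output file.
strip_pem_preamble() {
    awk '/^-----BEGIN CERTIFICATE-----$/ { keep = 1 } keep' "$1" > "$2"
}

# Does the certificate carry the Extended Key Usage that xpextensions adds?
# openssl prints 1.3.6.1.5.5.7.3.1 as "TLS Web Server Authentication" and
# 1.3.6.1.5.5.7.3.2 as "TLS Web Client Authentication".
# $1 = certificate, $2 = server | client. Returns 0 when the EKU is present.
has_eku() {
    case "$2" in
        server) want="TLS Web Server Authentication" ;;
        client) want="TLS Web Client Authentication" ;;
        *) return 2 ;;
    esac
    openssl x509 -in "$1" -noout -text | grep -q "$want"
}

# Does the leaf certificate verify against our CA certificate?
# $1 = cacert.pem, $2 = leaf certificate.
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# server_keycert.pem is a plain concatenation of key and certificate; make sure
# the two belong together by comparing their public keys. $1 = combined file.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Run all checks on a directory laid out like /etc/ssl/PKI; one line per problem.
check_pki_dir() {
    d="${1:-/etc/ssl/PKI}"; rc=0
    has_eku "$d/server_cert.pem" server || { echo "server_cert.pem: serverAuth EKU missing"; rc=1; }
    has_eku "$d/client_cert.pem" client || { echo "client_cert.pem: clientAuth EKU missing"; rc=1; }
    chains_to_ca "$d/cacert.pem" "$d/server_cert.pem" || { echo "server_cert.pem: not issued by cacert.pem"; rc=1; }
    chains_to_ca "$d/cacert.pem" "$d/client_cert.pem" || { echo "client_cert.pem: not issued by cacert.pem"; rc=1; }
    key_matches_cert "$d/server_keycert.pem" || { echo "server_keycert.pem: key and certificate do not match"; rc=1; }
    return $rc
}
```

Run check_pki_dir /etc/ssl/PKI after signing; it returns non-zero if any check fails.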
FREERADIUS CONFIG
FreeRadius
Do :
cp /etc/ssl/PKI/cacert.pem /etc/freeradius/certs/cacert.pem
cp /etc/ssl/PKI/server_keycert.pem /etc/freeradius/certs/server_keycert.pem
Then :
cd /etc/freeradius/certs
openssl dhparam -check -text -5 512 -out dh
dd if=/dev/urandom of=random count=2
chown freerad dh
chmod o-w dh
Next :
cp /etc/freeradius/eap.conf /etc/freeradius/eap.conf-default
/etc/freeradius/eap.conf :
eap {
default_eap_type = tls
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
tls {
certdir = ${confdir}/certs
cadir = ${confdir}/certs
private_key_password = whatever
private_key_file = ${certdir}/server_keycert.pem
certificate_file = ${certdir}/server_keycert.pem
CA_file = ${cadir}/cacert.pem
dh_file = ${certdir}/dh
random_file = ${certdir}/random
fragment_size = 1024
include_length = yes
check_cert_cn = %{User-Name}
cipher_list = "DEFAULT"
}
}
Edit /etc/freeradius/clients.conf
We assume the access point that authenticates users against the RADIUS server has the IP address 192.168.7.45 :
client localhost {
ipaddr = 127.0.0.1
secret = testing123
require_message_authenticator = no
nastype = other # localhost isn't usually a NAS...
}
client 192.168.7.45 {
secret = suchasecurepassword
shortname = linksys
}
Start FreeRADIUS :
freeradius -X -f
Set up the wifi access point for authentication against our new RADIUS server
This depends on your hardware.
You usually have to go to the security panel of your device, where you can specify the IP/hostname and port of the RADIUS server, and the shared secret (in our example : suchasecurepassword).
Configure clients
This will be the subject of a separate post, as I will try to publish the method for all major OSes (Linux, Mac and Windows) but don’t have much time for now.
Stay tuned !
This post is a stripped down version of the following howto by my colleague Jérôme :
http://hanoteau.blogspot.com/2009/03/howto-setup-eap-tls-wpa-network-with.html
August 20, 2009 -
Edit Jan 2010 : you can also run Time Machine backups on an AFP drive, which is faster (at least for me), see http://www.wains.be/index.php/2010/01/14/afp-server-in-under-15-minutes-debian/ for more info on installing Netatalk on your server.
Time Machine, the built-in backup utility of OS X, is nice (in a “run and forget about it” way) but has a few limitations.
The major problem is that, by default, it will only back up your data to a physically attached drive (through USB or Firewire).
We will see how we can make it save your data to a Samba/Windows share (not that I like Samba, but OS X supports it well).
(On OS X) In a terminal type this :
defaults write com.apple.systempreferences TMShowUnsupportedNetworkVolumes 1
(On the Samba server) Set up your share for Time Machine, here’s an example you can add to your smb.conf :
[timemachine]
path = /backup/timemachine
comment = Time Machine backup
browseable = yes
writable = yes
create mask = 0640
directory mask = 0750
valid users = user1
hosts allow = 172.16.27.111
Type this at the CLI :
mkdir /backup/timemachine
chown user1. /backup/timemachine
chmod 750 /backup/timemachine
Stay logged in, as we will need to check something in a minute. Type :
cd /backup/timemachine
(On OS X) Make sure you can access the newly created share (and write to it).
Go into System Preferences > Time Machine :
Pick up the Samba share as destination
Wait for the first backup to start
(On Samba server) As soon as the backup starts, you should check the content of /backup/timemachine :
You should find a new directory named like this :
MacBook_002310d4c911.tmp.sparsebundle
The name is following this pattern :
<name of machine>_<en0 mac address>.tmp.sparsebundle
Write the name of the folder down, we will need that info in the next steps.
(On OS X) After a couple of minutes you should get an error from Time Machine :
“Time Machine Error – The backup disk image could not be created.”
This is supposed to happen; if it doesn’t, I still recommend following the next steps, or your backup could misbehave after a while.
Start the tool “Disk Utility”.
Click on “New Image”
Volume Name : Time Machine
Volume Size : whatever you want, I created a 100 GB volume (as I usually have around 50 GB or so on my machine). Do not worry, you don’t need 100 GB available on your drive.
Volume Format : Mac OS Extended (Journaled)
Encryption : none
Partitions : Single partition – Apple Partition Map
Image Format : sparse bundle disk image
Save the bundle disk image on your desktop as “MacBook_002310d4c911.sparsebundle” (this is the name we wrote down two steps earlier MINUS THE “.tmp” SECTION)
Copy that file to your Time Machine share on the samba server.
My supposedly 100 GB file was actually taking 86 MB. The file (which actually is a directory) will grow as backups are performed.
Now start Time Machine manually :
This should not produce errors anymore. The first backup will obviously take some time.
Voilà !
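Two of the steps above are easy to get wrong by hand: deriving the final bundle name from the .tmp.sparsebundle, and keeping the share private to the backup user. The following helpers automate them on the Samba server; this is an added example, not part of the original post, and the computer name and MAC address it handles are the ones from the example above.

```shell
#!/bin/sh
# Helpers for the naming and permission steps above. Time Machine creates
# <ComputerName>_<en0 MAC without colons>.tmp.sparsebundle on the share, and
# the image made in Disk Utility must use that name without ".tmp". Added
# example, not part of the original post; run it on the Samba server.

# Predict the bundle name from the Mac's computer name and en0 MAC address.
# $1 = computer name (e.g. MacBook), $2 = MAC address (e.g. 00:23:10:d4:c9:11).
tm_bundle_name() {
    mac=$(printf '%s' "$2" | tr -d ':' | tr 'A-F' 'a-f')
    printf '%s_%s.sparsebundle\n' "$1" "$mac"
}

# Find the .tmp.sparsebundle left behind by the first (failing) backup and print
# the name to give the Disk Utility image. $1 = share directory. Returns 1 if none.
tm_final_name_from_share() {
    for b in "$1"/*.tmp.sparsebundle; do
        [ -d "$b" ] || return 1
        b=${b##*/}
        printf '%s\n' "${b%.tmp.sparsebundle}.sparsebundle"
        return 0
    done
}

# Is the share directory private to the backup user, as created above with
# "chown user1. ... ; chmod 750 ..."? $1 = directory, $2 = expected owner
# (name or uid). Returns 0 when owner and mode 750 both match.
tm_share_is_private() {
    uid=$(id -u "$2") || return 1
    set -- $(ls -ldn "$1")          # fields: mode links uid gid ...
    [ "$(printf '%s' "$1" | cut -c1-10)" = "drwxr-x---" ] && [ "$3" = "$uid" ]
}
```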
My suggestions :
- you may not want Time Machine to run when you are over Wi-Fi. This is why I limited access to the Samba share to my wired IP address only (option “hosts allow”).
- you can install Time Machine Editor which allows backup scheduling (fixing another lack of Time Machine)
- Time Machine Editor also allows you to disable automatic backups when the Time Machine drive is connected; I highly recommend doing so : as we are using a network drive here, every time you wake your computer up, OS X automatically reconnects to the Samba share and triggers Time Machine.
Last word :
- File Vault (built-in encryption system) and Time Machine do not get along very well, Google it up for details.
- Source : http://www.flokru.org/2008/02/29/time-machine-backups-on-network-shares-in-leopard/ and Apple forums.
July 17, 2009 -
Install
Install Apache2 and SSL
apt-get install apache2 openssl ssl-cert
Enable the Apache modules we’ll be using :
a2enmod ssl
a2enmod dav_fs
a2enmod dav
Make sure you find the line "Listen 443" somewhere in /etc/apache2/ports.conf
Create the SSL certificate
mkdir /etc/apache2/ssl
openssl req -new -x509 -days 365 -nodes -out /etc/apache2/ssl/apache.pem -keyout /etc/apache2/ssl/apache.pem
chmod 600 /etc/apache2/ssl/apache.pem
Apache config
mkdir -p /var/www/ssl/webdav/
chown www-data. /var/www/ssl/webdav/
htpasswd -c /var/www/passwd.dav user
Edit /etc/apache2/sites-enabled/000-default like this :
<VirtualHost *:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/ssl/
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.pem
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/ssl/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
# WEBDAV DIRECTORY
<Directory /var/www/ssl/webdav/>
DAV On
AuthType Basic
AuthName "webdav"
AuthUserFile /var/www/passwd.dav
Require valid-user
</Directory>
ErrorLog /var/log/apache2/error.log
LogLevel warn
CustomLog /var/log/apache2/access.log combined
</VirtualHost>
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/non-ssl/
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/non-ssl/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
ErrorLog /var/log/apache2/error.log
LogLevel warn
CustomLog /var/log/apache2/access.log combined
</VirtualHost>
Restart Apache :
/etc/init.d/apache2 restart
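Before restarting, it is worth checking the configuration for the three mistakes that matter in this setup: DAV enabled in a vhost that has no SSLEngine on (credentials and files in clear text), a DAV directory with no Require (anonymous read/write), and the AuthUserFile stored under a DocumentRoot (the hashes become downloadable). The following lint is an added example, not part of the original howto, and only understands the simple layout used above.

```shell
#!/bin/sh
# Lint an Apache config for the mistakes that matter in this WebDAV setup.
# Added example, not part of the original howto; it understands only the
# simple vhost/Directory layout used above.
# $1 = config file. Prints one line per finding, returns 1 if any were found.
webdav_lint() {
    awk '
        BEGIN { bad = 0 }
        /^[ \t]*<VirtualHost/ { n++; vh[n] = $0; sub(/^[ \t]*/, "", vh[n]) }
        /^[ \t]*SSLEngine[ \t]+[Oo]n/ { ssl[n] = 1 }
        /^[ \t]*DocumentRoot[ \t]/ { root[n] = $2 }
        /^[ \t]*AuthUserFile[ \t]/ { pw[n] = $2 }
        # a Directory block starts: remember its path, reset per-block state
        /^[ \t]*<Directory/ { dir = $2; sub(/>$/, "", dir); dav = 0; req = 0 }
        /^[ \t]*DAV[ \t]+[Oo]n/ { dav = 1; davhere[n] = 1 }
        /^[ \t]*Require[ \t]/ { req = 1 }
        /^[ \t]*<\/Directory>/ {
            if (dav && !req) { print "DAV on without Require in " dir " (" vh[n] ")"; bad = 1 }
        }
        END {
            for (i = 1; i <= n; i++) {
                if (davhere[i] && !ssl[i]) { print "DAV on in vhost without SSLEngine: " vh[i]; bad = 1 }
                r = root[i]; if (r != "" && substr(r, length(r)) != "/") r = r "/"
                if (pw[i] != "" && r != "" && index(pw[i], r) == 1) {
                    print "AuthUserFile " pw[i] " is under DocumentRoot " r " (" vh[i] ")"; bad = 1
                }
            }
            exit bad
        }' "$1"
}
```

Run webdav_lint /etc/apache2/sites-enabled/000-default; the configuration above produces no findings.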
Access the webdav share :
The webdav share can be accessed from Windows, Linux or Mac machines out of the box.
Under Windows, you may need to change a key in the registry, though.
Sources :
http://www.howtoforge.com/setting-up-webdav-with-apache2-on-debian-etch
http://longspine.com/node/10