# aptitude install ssh vim smartmontools screen sysstat hdparm
edit smartd default parameters
# grep -v "^#" /etc/default/smartmontools |grep -v "^$"
enable_smart="/dev/sda /dev/sdb"
start_smartd=yes
smartd_opts="--interval=1800"
edit smartd.conf
# grep -v "^#" /etc/smartd.conf |grep -v "^$"
/dev/sda -a -o on -S on -s (S/../.././02|L/../../6/03) -m root
/dev/sdb -a -o on -S on -s (S/../.././02|L/../../6/03) -m root
hdparm -W 0 /dev/sd{a,b}
Install Slapd and the LDAP utils
# aptitude install slapd ldap-utils
Slapd logs to the syslog facility local4, so add the following line to rsyslog.conf:
# vim /etc/rsyslog.conf
local4.* -/var/log/slapd.log
During the slapd installation, the Debian installer asks for a root password. This password is stored as a Salted SHA ({SSHA}) hash and is used for the admin user of the local LDAP database. We can copy the hash value to use it with the cn=config database as well (both databases will then share one administrative password).
root@samchiel:/etc/ldap/slapd.d/cn=config# grep RootPW olcDatabase\=\{1\}hdb.ldif
olcRootPW:: e1NTSEF9NFdZWlZ5MWpzTVMyTlA0a0pKa3M4bEV6NWJxeDdyNmQ=
Now we add this value into olcDatabase\=\{0\}config.ldif:
olcRootPW:: e1NTSEF9NFdZWlZ5MWpzTVMyTlA0a0pKa3M4bEV6NWJxeDdyNmQ=
Unlike previous versions of OpenLDAP, 2.4 can use the cn=config database to manage configuration parameters. cn=config is a standard LDAP tree that can be accessed with any LDAP browser (I recommend Apache Directory Studio). Configure a connection to the local slapd instance using:
Bind DN: cn=admin,cn=config
Bind PW: the root password you specified during the slapd installation
Root DN: cn=config
Once connected, you can change any configuration parameter. For example, to change the log level, go to the cn=config branch and edit the olcLogLevel value to “stats sync ACL config filter”. This executes an ldapmodify command similar to the one below:
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats sync ACL config filter
-
The huge advantage of cn=config is that, unlike the configuration files, it does not require a slapd reload for the changes to take effect.
Via cn=config, we can also change the internal parameters of the dc=linuxwall,dc=info database. For example, to increase the cache size from 2MB (the default on Debian) to 20MB, edit the olcDbConfig attribute inside olcDatabase={1}hdb as follows:
{0}set_cachesize 0 20971520 0
This will generate the following LDAP modify request:
#!RESULT OK
#!CONNECTION ldap://192.168.1.153:389
#!DATE 2011-09-18T13:37:54.823
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcDbConfig
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbConfig: {0}set_cachesize 0 20971520 0
-
We can also define more indexes on the “cn” and “uid” attributes (the default creates an index for objectClass only):
#!RESULT OK
#!CONNECTION ldap://192.168.1.153:389
#!DATE 2011-09-18T13:44:10.004
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: cn eq,sub,pres,approx
-
#!RESULT OK
#!CONNECTION ldap://192.168.1.153:389
#!DATE 2011-09-18T13:45:14.604
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uid eq
-
In main.cf:
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_security_options = noanonymous
smtpd_sasl_authenticated_header = yes
Postfix will use the socket located in /var/spool/postfix/private/auth to connect to Dovecot, and Dovecot will verify the authentication against LDAP. Since the only SASL mechanism offered below is PLAIN, the client password crosses the network in clear unless the SMTP session is protected by TLS (Postfix can restrict AUTH to TLS sessions with smtpd_tls_auth_only = yes).
In dovecot.conf (the user = root line below is only required by the shadow and PAM password databases; LDAP lookups can run as an unprivileged user):
auth default {
mechanisms = plain
passdb ldap {
args = /etc/dovecot/dovecot-ldap.conf
}
userdb ldap {
args = /etc/dovecot/dovecot-ldap.conf
}
user = root
socket listen {
client {
path = /var/spool/postfix/private/auth
mode = 0660
user = postfix
group = postfix
}
}
}
And then in dovecot-ldap.conf:
hosts = localhost:389
auth_bind = yes
ldap_version = 3
base = dc=linuxwall,dc=info
scope = subtree
user_filter = (&(objectClass=inetOrgPerson)(uid=%u))
pass_attrs = uid=user,userPassword=password
pass_filter = (&(objectClass=inetOrgPerson)(uid=%u))