Friday, January 30, 2015

How to configure qmail E-Mail Server on RHEL(Redhat)/CentOS


QMAIL INSTALLATION:
Packages needed for Qmail installation:
1. The Apache Web Server
2. PHP
3. Perl
4. GCC
5. OpenSSL
6. OpenSSL-devel
7. wget
8. patch & patchutils


Log in to the server where you are going to install qmail and disable SELinux:
# vi /etc/sysconfig/selinux and set
SELINUX=disabled
Part I – Downloading Qmail
#mkdir /downloads
#cd /downloads
Download the qmailrocks package from the following site:
#wget ftp://10.1.30.120/pub/qmailrocks.tar.gz
#tar zxvf qmailrocks.tar.gz
Part 2 - Installing Qmail Itself
This shell script takes care of the first portion of getting qmail, ucspi-tcp and daemontools installed, so run it:
#/downloads/qmailrocks/scripts/install/qmr_install_linux-s1.script
#/downloads/qmailrocks/scripts/util/qmail_big_patches.script
#cd /usr/src/qmail/qmail-1.03
#make man && make setup check
#./config-fast dev02.newindia.com (i.e. ./config-fast mail.mydomain.com with your own mail hostname)
#make cert
make cert prompts for the certificate fields; fill them in, then fix the ownership of the resulting files:
#chown -R vpopmail:qmail /var/qmail/control/clientcert.pem /var/qmail/control/servercert.pem
Installing ucspi-tcp-0.88:
#cd /usr/src/qmail/ucspi-tcp-0.88/
#patch < /downloads/qmailrocks/patches/ucspi-tcp-0.88.errno.patch
#make && make setup check
Installing Daemontools:
#cd /package/admin/daemontools-0.76
#cd /package/admin/daemontools-0.76/src
#patch < /downloads/qmailrocks/patches/daemontools-0.76.errno.patch
#cd /package/admin/daemontools-0.76
#package/install
Part 3 – Ezmlm
When Qmailadmin is installed later on, Ezmlm integrates seamlessly into it to provide a very user-friendly mailing list management interface:
#cd /downloads/qmailrocks/
#tar zxvf ezmlm-0.53-idx-0.41.tar.gz
#cd ezmlm-0.53-idx-0.41
#make && make setup
Part 4 – Autoresponder
Autorespond allows autoresponders to be set up for mailboxes and so forth:
#cd /downloads/qmailrocks
#tar zxvf autorespond-2.0.5.tar.gz
#cd autorespond-2.0.5
#make && make install


Part 5 – Vpopmail
Vpopmail is one of the major components of this installation; it provides virtual domain mail hosting:
#cd /downloads/qmailrocks
#tar zxvf vpopmail-5.4.13.tar.gz
#cd vpopmail-5.4.13
#./configure --enable-logging=p
#make && make install-strip
Part 6 – Vqadmin
Vqadmin is simply a nice web-based interface that is used to manage Vpopmail. Through the interface we can create new domains and new users, set quotas, enable services and much more:
#cd /downloads/qmailrocks
#tar zxvf vqadmin-2.3.6.tar.gz
#cd vqadmin-2.3.6
#./configure --enable-cgibindir=/var/www/cgi-bin --enable-htmldir=/var/www/html
#make && make install-strip
Add the following to the server's Apache configuration file:
#vi /etc/httpd/conf/httpd.conf
<Directory "/var/www/cgi-bin/vqadmin">
deny from all
Options ExecCGI
AllowOverride AuthConfig
Order deny,allow
</Directory>
Create a .htaccess file in the vqadmin directory to password protect the Vqadmin interface, with the following contents:
#cd /var/www/cgi-bin/vqadmin/
#vi .htaccess
AuthType Basic
AuthUserFile /var/www/cgi-bin/vqadmin/.htpasswd
AuthName vQadmin
require valid-user
satisfy any
#chown apache .htaccess
#chmod 644 .htaccess
Create a corresponding .htpasswd file that is going to contain the username and encrypted password for the Vqadmin administrator (here the username is "admin" and the password "qmailctl"; choose your own):
#htpasswd -bc /var/www/cgi-bin/vqadmin/.htpasswd admin qmailctl
#chmod 644 /var/www/cgi-bin/vqadmin/.htpasswd
Now restart Apache...
#apachectl stop
#apachectl start
Access vqadmin in this following page,
http://10.1.30.103/cgi-bin/vqadmin/vqadmin.cgi
username/password – as created in .htpasswd above
Part 7- Maildrop
Maildrop is a mail filtering agent which can be used to filter messages as they arrive on the server:
#cd /downloads/qmailrocks
#tar zxvf maildrop-1.6.3.tar.gz
#cd maildrop-1.6.3
#./configure --prefix=/usr/local --exec-prefix=/usr/local --enable-maildrop-uid=root --enable-maildrop-gid=vchkpw --enable-maildirquota
#make && make install-strip && make install-man
Part 8 – Qmailadmin
Qmailadmin provides a nice web-based interface for administering mail accounts once they are set up through Vpopmail (or Vqadmin). From Qmailadmin we can create mailboxes, aliases, forwards, mail robots and mailing lists:
#cd /downloads/qmailrocks
#tar zxvf qmailadmin-1.2.9.tar.gz
#cd qmailadmin-1.2.9
#./configure --enable-cgibindir=/var/www/cgi-bin --enable-htmldir=/var/www/html
#make && make install-strip
Open the browser at http://10.1.30.103/cgi-bin/qmailadmin and log in as:
user – postmaster
domain – newindia.com
password – as given to .htpasswd
Part 9 - Finalizing Qmail
Run the finalize script, then edit the following files:
#/downloads/qmailrocks/scripts/finalize/linux/finalize_linux.script
#vi /var/qmail/supervise/qmail-pop3d/run
Find "mail.example.com" and change it to your server's hostname.
For example: linux0103.dev02.newindia.com
#vi /var/qmail/supervise/qmail-smtpd/run
Find "mail.example.com" and change it to your server's hostname
Stop the Qmail process..
#qmailctl stop
Setting up selective relaying for localhost...
#echo '127.:allow,RELAYCLIENT=""' >> /etc/tcp.smtp
#qmailctl cdb
Create the common system aliases. These aliases are going to tell Qmail what to do with common server-generated mails.
#echo sysadmin-india > /var/qmail/alias/.qmail-root
#echo sysadmin-india > /var/qmail/alias/.qmail-postmaster
#echo sysadmin-india > /var/qmail/alias/.qmail-mailer-daemon
#ln -s /var/qmail/alias/.qmail-root /var/qmail/alias/.qmail-anonymous
#chmod 644 /var/qmail/alias/.qmail*
Part 10 - Uninstalling Sendmail
Removing Sendmail:
#/etc/rc.d/init.d/sendmail stop (to stop Sendmail)
#mv /usr/lib/sendmail /usr/lib/sendmail.old
#mv /usr/sbin/sendmail /usr/sbin/sendmail.old
#chmod 0 /usr/lib/sendmail.old /usr/sbin/sendmail.old
Establishing an "artificial" Sendmail path:
#ln -s /var/qmail/bin/sendmail /usr/lib/sendmail
#ln -s /var/qmail/bin/sendmail /usr/sbin/sendmail
Part 11 - Starting qmail
Run this script; it checks the key components of the installation and makes sure everything is alright. If something is not right, it shows what to check:
#/downloads/qmailrocks/scripts/util/qmr_inst_check
If the result is a "congratulations" type of message, everything is fine.
Restart the Qmail services.
#qmailctl stop
#qmailctl start
#qmailctl stat
/service/qmail-send: up (pid 29956) 2 seconds
/service/qmail-send/log: up (pid 29960) 2 seconds
/service/qmail-smtpd: up (pid 29963) 2 seconds
/service/qmail-smtpd/log: up (pid 29968) 2 seconds
/service/qmail-pop3d: up (pid 29971) 2 seconds
/service/qmail-pop3d/log: up (pid 29972) 2 seconds
messages in queue: 0
messages in queue but not yet preprocessed: 0

Checking the connections:
#telnet localhost 110
Trying 10.1.30.103...
Connected to 10.1.30.103.
Escape character is '^]'.
+OK <16658.1054485137@yourserver.com>
user postmaster@newindia.com
+OK
pass <password>
+OK
quit
+OK
Connection closed by foreign host.

Once a test message has been delivered to the mailbox, LIST shows it:
#telnet localhost 110
Trying 10.1.30.103...
Connected to 10.1.30.103.
Escape character is '^]'.
+OK <16658.1054485137@yourserver.comt>
user postmaster@newindia.com
+OK
pass <password>
+OK
list
+OK
1 323 (there's your message!)
quit
+OK
Connection closed by foreign host.

And now let's test the SMTP service to make sure the TLS functionality is there...
#telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 somewhere.anywhere.com ESMTP
ehlo localhost
250-somewhere.anywhere.com
250-AUTH LOGIN CRAM-MD5 PLAIN
250-AUTH=LOGIN CRAM-MD5 PLAIN
250-STARTTLS
250-PIPELINING
250 8BITMIME
starttls
220 ready for tls
quit
quit
Connection closed by foreign host.
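The same STARTTLS check done programmatically, as an added example that is not part of the original page: it parses the EHLO reply captured above (embedded here as a constructed sample), flags what a defender cares about in the pre-TLS capabilities, and can repeat the exchange against a live server. The names parse_ehlo, assess and check_live are chosen here, not taken from qmail or qmailrocks.

```python
import smtplib
import ssl

# EHLO reply from the telnet session above, embedded as a constructed sample.
SAMPLE_EHLO = """250-somewhere.anywhere.com
250-AUTH LOGIN CRAM-MD5 PLAIN
250-AUTH=LOGIN CRAM-MD5 PLAIN
250-STARTTLS
250-PIPELINING
250 8BITMIME"""

# SASL mechanisms that transmit the password itself (base64 is not encryption).
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}


def parse_ehlo(reply):
    """Return {EXTENSION: set(params)} from a multi-line EHLO reply.
    The first line is the server's name, not an extension; 'AUTH=' is the
    pre-RFC 2554 spelling that qmail also sends for older clients."""
    exts = {}
    for line in reply.splitlines()[1:]:
        if not line.startswith("250"):
            continue
        body = line[4:].strip().replace("AUTH=", "AUTH ", 1)   # drop "250-" / "250 "
        key, _, params = body.partition(" ")
        exts.setdefault(key.upper(), set()).update(params.upper().split())
    return exts


def assess(exts):
    """Defender's checklist for what a server advertises before TLS: is
    STARTTLS offered at all, and are cleartext AUTH mechanisms reachable on
    the unencrypted connection (a client may use them without upgrading)?"""
    findings = []
    if "STARTTLS" not in exts:
        findings.append("STARTTLS not advertised: logins and mail travel in the clear")
    exposed = sorted(PLAINTEXT_MECHS & exts.get("AUTH", set()))
    if exposed:
        findings.append("cleartext AUTH mechanisms offered before STARTTLS: "
                        + ", ".join(exposed))
    return findings


def check_live(host="localhost", port=25, context=None):
    """Repeat the telnet test: EHLO, assess, then upgrade with STARTTLS and
    report the negotiated protocol and cipher. For the self-signed certificate
    from the 'make cert' step, pass an ssl.SSLContext that trusts that
    servercert.pem (its CN must match the host name you connect to)."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        # smtplib lower-cases keywords and keeps "AUTH=..." params with the "=".
        exts = {k.upper(): set(v.replace("=", " ").upper().split())
                for k, v in smtp.esmtp_features.items()}
        findings = assess(exts)
        if smtp.has_extn("starttls"):
            smtp.starttls(context=context)
            findings.append(f"TLS negotiated: {smtp.sock.version()} "
                            f"{smtp.sock.cipher()[0]}")
            smtp.ehlo()          # capabilities can differ once encrypted
        return findings


if __name__ == "__main__":
    for finding in assess(parse_ehlo(SAMPLE_EHLO)):
        print("sample capture:", finding)
```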

#chown vpopmail:qmail /var/qmail/control/servercert.pem
Part 12 - Installing Courier IMAP & IMAP SSL
#cd /downloads/qmailrocks/
#tar jxvf courier-authlib-0.55.tar.bz2
#cd courier-authlib-0.55
#./configure --prefix=/usr/local --exec-prefix=/usr/local --with-authvchkpw --without-authldap --without-authmysql --disable-root-check --with-ssl --with-authchangepwdir=/usr/local/libexec/authlib --with-redhat
#make && make check
#make install-strip && make install-configure
Add the service so that it starts automatically when the system boots:
#vi /etc/rc.local
Add the following line:
/usr/local/sbin/authdaemond start
INSTALLING COURIER-IMAP:
#cd /downloads/qmailrocks/
#tar jxvf courier-imap-4.0.2.tar.bz2
#useradd courier
#chown -R courier:wheel courier-imap-4.0.2
#cd /downloads/qmailrocks/courier-imap-4.0.2
#su courier
#./configure --prefix=/usr/local --exec-prefix=/usr/local --with-authvchkpw --without-authldap --without-authmysql --disable-root-check --with-ssl --with-authchangepwdir=/usr/local/libexec/authlib --with-redhat
Note: the configure process will take a few minutes..
#make && make check
#exit
#make install-strip && make install-configure
Now let's create an SSL certificate for the IMAP-SSL server...
#/usr/local/sbin/mkimapdcert
#vi /usr/local/etc/imapd.cnf
Change postmaster@example.com to an administrative email address.
Save and exit
Changing the setting for imap
#vi /usr/local/etc/imapd
Make sure that the following configuration exists: IMAPDSTART=YES
#vi /usr/local/etc/imapd-ssl
Make sure that the following configuration exists: IMAPDSSLSTART=YES
Make sure that the following configuration exists: TLS_CERTFILE=/usr/local/share/imapd.pem
Save and exit the file.
Changing the options for authdaemonrc
#vi /usr/local/etc/authlib/authdaemonrc
Find authmodulelist and delete everything other than the following:
authmodulelist="authvchkpw"
Save and exit the file.
Now we create the startup scripts...
#cp /usr/local/libexec/imapd.rc /etc/rc.d/init.d/imap
#cp /usr/local/libexec/imapd-ssl.rc /etc/rc.d/init.d/imaps
Now start Authdaemond, IMAP and IMAPS. To be safe we'll stop each service before starting it...
#/usr/local/sbin/authdaemond stop
#/usr/local/sbin/authdaemond start
#/etc/rc.d/init.d/imap stop
#/etc/rc.d/init.d/imaps stop
#/etc/rc.d/init.d/imap start
#/etc/rc.d/init.d/imaps start
Run "nmap localhost" to confirm that both 143 and 993 are now open and listening.
Now test the IMAP connection:
#telnet localhost 143
Trying 10.1.30.103...
Connected to 10.1.30.103.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE STARTTLS] Courier-IMAP ready. Copyright 1998-2003 Double Precision, Inc. See COPYING for distribution information.
a login postmaster@mydomain.com my_password
a OK LOGIN Ok. (successful login!)
a logout (logs you out)
* BYE Courier-IMAP server shutting down
a OK LOGOUT completed
Connection closed by foreign host.

Part 13 - Installing Squirrelmail
Download the Squirrelmail tarball, copy it to /var/www/html and extract it there:
#tar zxvf /path/to/squirrelmail-x.x.x.tar.gz
For our setup the webmail archive can be downloaded from:
link: ftp://10.1.30.120/pub/webmail.tar.gz
Now rename the untarred folder:
#mv squirrelmail-x.x.x webmail
Configuring Squirrelmail...
#mkdir /var/sqattachements
#chown -R apache:apache /var/sqattachements (or whatever user apache runs as)
#cd webmail
#chown -R apache:apache data (or whatever user apache runs as)
#cd config
#./conf.pl

This runs the Squirrelmail setup script, which allows the installation and the server settings to be customized:
General
-----------
1. Domain : newindia.com
2. Invert Time : false
3. Sendmail or SMTP : SMTP

IMAP Settings
-------------------
4. IMAP Server : localhost
5. IMAP Port : 143
6. Authentication type : login
7. Secure IMAP (TLS) : false
8. Server software : other
9. Delimiter : detect

SMTP Settings
--------------------
4. SMTP Server : localhost

5. SMTP Port : 25
6. POP before SMTP : false
7. SMTP Authentication : login (with IMAP username and password)
8. Secure SMTP (TLS) : false
9. Header encryption key :



There are probably about a million ways to do this, but here's what I do. I edit the httpd.conf Apache configuration file and add the following block:
<VirtualHost 10.1.30.103:80>
ServerName linux0103.dev02.newindia.com
ServerAlias mail.*
ServerAdmin sysadmin-india@newindia.com
DocumentRoot /var/www/html/webmail
</VirtualHost>

To open the link, follow this,
Part 14 - Installing Fastforward
Download Fastforward to /var/qmail and install it with the following steps:
#cd /var/qmail
#tar -zxvf fastforward-x.xx.tar.gz
#cd fastforward-x.xx
#vi error.h
Remove the line "extern int errno;", insert "#include <errno.h>" in its place and save.
#make setup check
Alternatively, leave error.h alone and add the include to the compiler command in conf-cc:
#vi conf-cc
cc -O2 -include /usr/include/errno.h
ALIASES:
#vi /etc/aliases
Update the aliases in this file and run:
#/var/qmail/fastforward-x.xx/newaliases


How to install MySQL Database using binary source on RHEL(Redhat)/CentOS

MYSQL INSTALLATION AND CONFIGURATION
The following stable production release of MySQL should be downloaded from mysql.org: mysql-standard-5.0.37-linux-i686-glibc23.tar.gz

Select a machine on which you want to install MySQL.
Create a separate partition on the machine mounted at /mysql-db.
Copy the tar file into /mysql-db and untar it there.
After untarring the binary you get a directory named mysql-standard-5.0.15-linux-i686-glibc23.
Create a soft link for it as follows:
#ln -s mysql-standard-5.0.15-linux-i686-glibc23 mysql
#cd /mysql-db/mysql
#cp scripts/mysql_install_db /mysql-db/mysql
#groupadd mysql
#useradd -g mysql -c "MySQL DB User" mysql
#./mysql_install_db --user=mysql

#vi data/my.cnf and make the following changes or copy the my.cnf (backup) file into the following location - /mysql-db/mysql/data/,

[client]
#password = your_password
port = 3306
socket = /tmp/mysql.sock
# Here follows entries for some specific programs
# The MySQL server
[mysqld]
port = 3306
socket = /tmp/mysql.sock
# Uncomment the following if you are using InnoDB tables
datadir = /mysql-db/mysql/data
innodb_data_home_dir = /mysql-db/mysql/data
innodb_file_per_table
innodb_data_file_path = ibdata1:100M:autoextend
innodb_log_group_home_dir = /mysql-db/mysql/data/
innodb_log_arch_dir = /mysql-db/mysql/data/
   
Change the ownership of /mysql-db to the mysql user:
#chown -R mysql.mysql /mysql-db
#vim /etc/init.d/mysql and change the base directory and data directory according to our MySQL structure.

Start MySQL
#/etc/init.d/mysql start

If MySQL does not start or an error message is shown, open the error log (the .err file) in the /mysql-db/mysql/data directory.
If there are no errors, MySQL has started successfully.
That's it; we have configured MySQL from the binary distribution.

How to configure OpenLDAP on RHEL(redhat)/CentOS Server

OPENLDAP

Pre-requisites:

The first things you need to do is ensure that OpenLDAP is properly installed, along with a few optional packages that will tie our system together. Obviously, the first step is to install OpenLDAP. The packages we need to have installed (on a RedHat system) are:
  • openldap
  • openldap-clients
  • openldap-devel
  • openldap-servers
  • nss_ldap

[root@linux0120 ~]# rpm -qa | grep openldap
openldap-devel-2.2.13-2
openldap-2.2.13-2
openldap-clients-2.2.13-2
[root@linux0120 ~]#

Since the openldap-servers rpm is not installed, all the openldap packages are upgraded to the newer version.
Installing the required rpms:
[root@linux0120 ~]# mount lnxdev0001:/usr/local/src/ /mnt

[root@linux0120 ~]# rpm -Uvh /mnt/redhat/es4/RedHat/RPMS/openldap-*
warning: /mnt/redhat/es4/RedHat/RPMS/openldap-2.2.13-3.i386.rpm: V3 DSA signature: NOKEY, key ID db42a60e
error: Failed dependencies:
libodbc.so.1 is needed by openldap-servers-sql-2.2.13-3.i386
Suggested resolutions:
unixODBC-2.2.9-1.i386.rpm

[root@linux0120 ~]# rpm -e openldap-clients-2.2.13-2
[root@linux0120 ~]# rpm -e openldap-devel-2.2.13-2
[root@linux0120 ~]# rpm -e openldap-2.2.13-2
[root@linux0120 ~]# rpm -e openldap-2.2.13-2 --nodeps

[root@linux0120 ~]# rpm -ivh /mnt/redhat/es4/RedHat/RPMS/openldap-2.2.13-3.i386.rpm
warning: /mnt/redhat/es4/RedHat/RPMS/openldap-2.2.13-3.i386.rpm: V3 DSA signature: NOKEY, key ID db42a60e
Preparing... ########################################### [100%]
1:openldap ########################################### [100%]
[root@linux0120 ~]# rpm -ivh /mnt/redhat/es4/RedHat/RPMS/openldap-clients-2.2.13-3.i386.rpm
warning: /mnt/redhat/es4/RedHat/RPMS/openldap-clients-2.2.13-3.i386.rpm: V3 DSA signature: NOKEY, key ID db42a60e
Preparing... ########################################### [100%]
1:openldap-clients ########################################### [100%]
[root@linux0120 ~]# rpm -ivh /mnt/redhat/es4/RedHat/RPMS/openldap-devel-2.2.13-3.i386.rpm
warning: /mnt/redhat/es4/RedHat/RPMS/openldap-devel-2.2.13-3.i386.rpm: V3 DSA signature: NOKEY, key ID db42a60e
Preparing... ########################################### [100%]
1:openldap-devel ########################################### [100%]
[root@linux0120 ~]# rpm -ivh /mnt/redhat/es4/RedHat/RPMS/openldap-servers-2.2.13-3.i386.rpm
warning: /mnt/redhat/es4/RedHat/RPMS/openldap-servers-2.2.13-3.i386.rpm: V3 DSA signature: NOKEY, key ID db42a60e
Preparing... ########################################### [100%]
1:openldap-servers ########################################### [100%]


[root@linux0120 ~]# rpm -qa | grep openldap
openldap-clients-2.2.13-3
openldap-devel-2.2.13-3
openldap-servers-2.2.13-3
openldap-2.2.13-3
[root@linux0120 ~]# rpm -qa | grep nss_ldap
nss_ldap-226-1
[root@linux0120 ~]# rpm -Uvh /mnt/redhat/es4/RedHat/RPMS/nss_ldap-226-6.i386.rpm
warning: /mnt/redhat/es4/RedHat/RPMS/nss_ldap-226-6.i386.rpm: V3 DSA signature: NOKEY, key ID db42a60e
Preparing... ########################################### [100%]
1:nss_ldap ########################################### [100%]
The openldap-servers and openldap-devel packages are only required on the system that will be your authentication server. They are not required on the "client" systems.
The nss_ldap package is required for PAM authentication and for NSS information (i.e. retrieving group, user, host, etc. information from the LDAP server). Once you have all of these packages installed, you can begin to configure your LDAP server.



Configuring the OpenLDAP Server

The first step in configuring your server is to edit the /etc/openldap/slapd.conf file. There are a few fields you will need to configure. In this topic, we will assume that your domain name to use on the LAN is "newindia.com" and will illustrate our configuration accordingly.
[root@linux0120 ~]# vi /etc/openldap/slapd.conf
database ldbm
suffix "dc=newindia,dc=com"
rootdn "cn=root,dc=newindia,dc=com"
rootpw {MD5}/39oNhuzZDdBZnzCjxM5TA==
password-hash {crypt}
password-crypt-salt-format "$1$%.8s"

Generate the {MD5} password hash for rootpw as follows:
[root@linux0120 ~]# slappasswd -h{MD5}
New password:
Re-enter new password:
{MD5}/39oNhuzZDdBZnzCjxM5TA==



Before configuring your basic ACLs, let's start slapd and make sure it works.
[root@linux0120 ~]# /etc/init.d/ldap start
Checking configuration files for : config file testing succeeded
Starting slapd: [ OK ]



Once you have started the slapd server, you can test it by executing the following query:
[root@linux0120 ~]# ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
# extended LDIF
#
# LDAPv3
# base <> with scope base
# filter: (objectclass=*)
# requesting: namingContexts
#
#
dn:
namingContexts: dc=newindia,dc=com
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1



This ensures that ldap is configured and working properly.

Enable the daemon to start at boot time itself:
[root@linux0120 ~]# chkconfig ldap on

Configuring Server ACLs

The final step on the server before we begin migrating data is to set the basic ACLs (Access Control Lists) for the LDAP server. This will ensure that people only have access to what they need to have access to, and will allow users to update their passwords, see their passwords, but prevent others from seeing the same.
Once again you need to edit the /etc/openldap/slapd.conf file. If you look in your slapd.conf file, you will see the following near the beginning:
# Define global ACLs to disable default read access.
include /etc/openldap/slapd.access.conf
The /etc/openldap/slapd.access.conf file is as good as any to place your ACLs in. You can either append your ACL rules to the end of the slapd.conf file, or insert them into slapd.access.conf. The choice is entirely up to you. If you do choose to use the access file, remove the example ACLs at the end of the slapd.conf file. Let's begin with some basic ACLs:



# This is a good place to put the access-control directives
access to dn=".*,dc=newindia,dc=com" attr=userPassword
        by dn.base="cn=root,dc=newindia,dc=com" write
        # by self write
        by * auth
access to dn=".*,dc=newindia,dc=com" attr=mail
        by dn="cn=root,dc=newindia,dc=com" write
        # by self write
        by * read
access to *
        by * read
access to dn=".*,dc=newindia,dc=com"
        # by self write
        by * read



What this does is restrict access to the userPassword attribute of any entry; that is, any dn in dc=newindia,dc=com. The owner of the entry can modify it, and the owner is defined by someone binding to the server using that dn and its associated password. Otherwise, it can only be accessed for authentication/binding purposes, but cannot be viewed. The second entry allows the user to modify their mail attribute (i.e. email address). The third entry specifies that any dn in ou=People,dc=newindia,dc=com must be read-only. This is where we protect the system from users deciding to change their username, gid or uid numbers, home directory, and so forth. Because the ACLs are read top down in a "first match wins" order, we have effectively given users access to change their own password and their own email address, but they are unable to touch any other information on their account. Everything else is read-only... to the world, and the user. Finally, the last entry is a catch-all for other parts of the database. This will allow users to make changes to their own address books, for example. If you will not be allowing users to use their own address books on this LDAP server, feel free to remove the "by self write" ACL of the last entry. This will still allow users to read group and hosts information. If you like, you can duplicate the second entry to allow users to modify their loginShell attribute so they can select what shell they wish to use, but I wouldn't recommend it.
To have the server use the new ACLs, be sure to restart it (service ldap restart on most Linux systems).
[root@linux0120 ~]# /etc/init.d/ldap restart
Stopping slapd: [ OK ]
Checking configuration files for slapd: config file testing succeeded
Starting slapd: [ OK ]



In our environment self write is disabled for all attributes (the "by self write" lines above are commented out).
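The "first match wins" evaluation described above, as an added example that is not part of the original page: a small Python model of how slapd walks these access-to/by clauses, run over the ACL set above (embedded here as a constructed sample in slapd.conf syntax). It covers only the forms used on this page (*, self, dn="regex", dn.base="exact", attr=) and shows two consequences of this particular set: with the "by self write" lines commented out a user cannot change their own password or mail, and because the third clause is "access to *", the fourth clause is never consulted.

```python
import re

# slapd's access levels, lowest to highest: a grant of "write" also
# satisfies a request for "read", "auth", and so on.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# The ACL set from the slapd.conf section above, embedded here as a
# constructed sample (slapd.conf "access to" syntax, comments kept).
SAMPLE_ACL = '''
access to dn=".*,dc=newindia,dc=com" attr=userPassword
    by dn.base="cn=root,dc=newindia,dc=com" write
    # by self write
    by * auth
access to dn=".*,dc=newindia,dc=com" attr=mail
    by dn="cn=root,dc=newindia,dc=com" write
    # by self write
    by * read
access to *
    by * read
access to dn=".*,dc=newindia,dc=com"
    # by self write
    by * read
'''

DN_SPEC = re.compile(r'dn(?:\.(\w+))?="([^"]*)"')   # dn="regex" or dn.base="exact"


def parse_acl(text):
    """Parse 'access to <what>' / 'by <who> <level>' lines into rules.
    Commented-out 'by' lines are ignored, exactly as slapd ignores them."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("access to "):
            what = line[len("access to "):]
            rule = {"dn": None, "dn_style": None, "attrs": None, "by": []}
            m = DN_SPEC.search(what)
            if m:
                rule["dn_style"], rule["dn"] = m.group(1) or "regex", m.group(2)
            m = re.search(r"attrs?=(\S+)", what)
            if m:
                rule["attrs"] = {a.lower() for a in m.group(1).split(",")}
            rules.append(rule)
        elif line.startswith("by "):
            who, level = line[3:].rsplit(None, 1)
            rules[-1]["by"].append((who, level.lower()))
    return rules


def _dn_matches(style, pattern, dn):
    if style == "base":
        return pattern.lower() == dn.lower()
    return re.fullmatch(pattern, dn, re.IGNORECASE) is not None   # whole-DN regex


def _who_matches(who, requester_dn, target_dn):
    """The <who> forms this page uses: *, self, dn="..." and dn.base="..."."""
    if who == "*":
        return True
    if requester_dn is None:            # anonymous bind: only '*' applies here
        return False
    if who == "self":
        return requester_dn.lower() == target_dn.lower()
    m = DN_SPEC.fullmatch(who)
    return m is not None and _dn_matches(m.group(1) or "regex", m.group(2), requester_dn)


def evaluate(rules, target_dn, attr, requester_dn):
    """Return (granted level, index of the deciding 'to' clause). The first
    'to' clause matching entry and attribute wins; inside it the first 'by'
    clause matching the requester sets the level; later clauses are never
    consulted. attr=None means access to the entry itself."""
    for i, rule in enumerate(rules):
        if rule["attrs"] is not None and (attr is None or attr.lower() not in rule["attrs"]):
            continue
        if rule["dn"] is not None and not _dn_matches(rule["dn_style"], rule["dn"], target_dn):
            continue
        for who, level in rule["by"]:
            if _who_matches(who, requester_dn, target_dn):
                return level, i
        return "none", i                # clause matched but no 'by' line did
    return "none", None                 # nothing matched: denied


def allowed(rules, target_dn, attr, requester_dn, needed):
    """True when the granted level is at least what the operation needs."""
    level, _ = evaluate(rules, target_dn, attr, requester_dn)
    return LEVELS.index(level) >= LEVELS.index(needed)


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    root = "cn=root,dc=newindia,dc=com"
    user = "uid=bharath,ou=People,dc=newindia,dc=com"
    for label, who, attr, needed in [("anonymous", None, "userPassword", "read"),
                                     ("root", root, "userPassword", "write"),
                                     ("self", user, "userPassword", "write"),
                                     ("self", user, "mail", "write"),
                                     ("self", user, "loginShell", "read")]:
        level, idx = evaluate(acl, user, attr, who)
        verdict = "allowed" if allowed(acl, user, attr, who, needed) else "denied"
        print(f"{label:9s} {needed:5s} {attr:12s}: clause {idx + 1} grants {level:5s} -> {verdict}")
```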
Creating the LDAP entries:
To create an entry, write an LDIF file (LDAP Data Interchange Format) and add it to the database as follows:

o:

[bharath@linux0120 LDAP]$ cat domain.ldif
dn: dc=newindia,dc=com
dc: newindia
objectClass: top
objectClass: domain
objectClass: domainRelatedObject
associatedDomain: newindia.com
[bharath@linux0120 LDAP]$ ldapadd -x -D "cn=root,dc=newindia,dc=com" -W -f domain.ldif
Enter LDAP Password:
adding new entry "dc=newindia,dc=com"
[bharath@linux0120 LDAP]$

ou:

[bharath@linux0120 LDAP]$ cat ou.ldif
dn: ou=Group,dc=newindia,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: newindia.com

[bharath@linux0120 LDAP]$ ldapadd -x -D "cn=root,dc=newindia,dc=com" -W -f ou.ldif
Enter LDAP Password:
adding new entry "ou=Group,dc=newindia,dc=com"
[bharath@linux0120 LDAP]$

nisMapName:

[bharath@linux0120 LDAP]$ cat nisMapName.ldif
dn: nisMapName=netgroup.byhost,dc=newindia,dc=com
nisMapName: netgroup.byhost
objectClass: top
objectClass: nisMap
objectClass: domainRelatedObject
associatedDomain: newindia.com

[bharath@linux0120 LDAP]$ ldapadd -x -D "cn=root,dc=newindia,dc=com" -W -f nisMapName.ldif
Enter LDAP Password:
adding new entry "nisMapName=netgroup.byhost,dc=newindia,dc=com"
[bharath@linux0120 LDAP]$

cn:
(Simple Group)
[bharath@linux0120 LDAP]$ cat cn.ldif
dn: cn=users,ou=Group,dc=newindia,dc=com
cn: users
objectClass: top
objectClass: posixGroup
objectClass: domainRelatedObject
associatedDomain: newindia.com
gidNumber: 100
userPassword:

[bharath@linux0120 LDAP]$ ldapadd -x -D "cn=root,dc=newindia,dc=com" -W -f cn.ldif
Enter LDAP Password:
adding new entry "cn=users,ou=Group,dc=newindia,dc=com"
[bharath@linux0120 LDAP]$

(Shared Group)
[bharath@linux0120 LDAP]$ cat scn.ldif
dn: cn=java,ou=Group,dc=newindia,dc=com
cn: java
objectClass: top
objectClass: posixGroup
objectClass: domainRelatedObject
associatedDomain: newindia.com
gidNumber: 900
userPassword:
memberUid: kishore
memberUid: karthik
[bharath@linux0120 LDAP]$

[bharath@linux0120 LDAP]$ ldapadd -x -D "cn=root,dc=newindia,dc=com" -W -f scn.ldif
Enter LDAP Password:
adding new entry "cn=java,ou=Group,dc=newindia,dc=com"

[bharath@linux0120 LDAP]$

uid:

dn: uid=bharath,ou=People,dc=newindia,dc=com
uid: bharath
cn: bharath
givenName: bharath
sn: I
objectClass: top
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
#objectClass: kerberosSecurityObject
objectClass: shadowAccount
mail: bharath@newindia.com
uidNumber: 678
gidNumber: 100
homeDirectory: /home/bharath
loginShell: /bin/bash
gecos: bharath I - SA
userPassword: {CRYPT}Fd4pwcZ.ncH6Q
shadowLastChange: 13200
shadowMax: 99999
shadowWarning: 7

The objectClass kerberosSecurityObject is not defined. Need to fix this.

Migrating Data

The next step is to begin migrating your data into your LDAP server.
The openldap-servers rpm provides Perl migration scripts that generate LDIF files from the existing system files.

[root@linux0120 redhat]# cd /usr/share/openldap/migration/
Set the following in the migrate_common.ph file.
[root@linux0120 migration]# vi migrate_common.ph
$DEFAULT_MAIL_DOMAIN = "dev02.newindia.com";
$DEFAULT_BASE = "dc=newindia,dc=com";
$DEFAULT_MAIL_HOST = "mail.dev02.newindia.com";
$EXTENDED_SCHEMA = 1;

Use migrate_all_online.pl to generate LDIF for all the data (hosts, services, groups, protocols, etc.). Since the essential entries required are the group and password files, the required LDIF files are generated as follows:

[root@linux0120 migration]# ./migrate_base.pl > base.ldif
[root@linux0120 migration]# ./migrate_group.pl /etc/group group.ldif
[root@linux0120 migration]# ETC_SHADOW=/etc/shadow- ./migrate_passwd.pl /etc/passwd passwd.ldif

Add the data to the ldap database as follows:
[bharath@linux0120 LDAP]$ ldapadd -x -D "cn=root,dc=newindia,dc=com" -W -f base.ldif
Enter LDAP Password:
[bharath@linux0120 LDAP]$ ldapadd -x -D "cn=root,dc=newindia,dc=com" -W -f group.ldif
Enter LDAP Password:
[bharath@linux0120 LDAP]$ ldapadd -x -D "cn=root,dc=newindia,dc=com" -W -f passwd.ldif

Creating the AUTOMOUNT MAPS for the shared directories on the LDAP Server:
The NIS MAPS which are created are as follows:
/etc/auto.master
/etc/auto.home
/etc/auto.home2
/etc/auto.data
/etc/nb_apps
/etc/nb_apps-7.2
/etc/nb_apps-es4
/etc/auto.clearcase-data

Let us consider all the above maps as organization units of the LDAP Directory structure.

Create the Organizational units as follows:
dn: ou=auto.master,dc=newindia,dc=com
ou: auto.master
objectClass: top
objectClass: autoMountMap

Create the share map for each of the shares with the corresponding map files. For example for /home share, the map file is auto.home and the same is created as follows:
dn: cn=/home,ou=auto.master,dc=newindia,dc=com
cn: /home
objectClass: autoMount
autoMountInformation: ldap:ou=auto.home,dc=newindia,dc=com

The autoMountInformation value above points the automounter at the corresponding ou entry (ou=auto.home) for the mount details of this share.

Create the auto.home map as follows:
dn: ou=auto.home,dc=newindia,dc=com
ou: auto.home
objectClass: top
objectClass: autoMountMap

Create the map details for the above share as follows, one entry per line of the map. For example, the auto.home line
bharath fileserv:/export/home/bharath
becomes:
dn: cn=bharath,ou=auto.home,dc=newindia,dc=com
cn: bharath
objectClass: autoMount
autoMountInformation: fileserv.dev02.newindia.com:/export/home/bharath

An LDAP entry needs to be created like this for each and every map line.

Create the ldif file as stated above and add to the LDAP database as follows:
[bharath@linux0120 LDAP]$ ldapadd -x -D "cn=root,dc=newindia,dc=com" -W -f auto.ldif
Enter LDAP Password:

Note:
Instead of an entry for each and every user login account, a single wildcard entry can be created and added to the LDAP database as follows:
dn: cn=*,ou=auto.home,dc=newindia,dc=com
cn: *
objectClass: autoMount
autoMountInformation: fileserv.dev02.newindia.com:/export/home/&

[bharath@linux0120 LDAP]$ ldapadd -x -D "cn=root,dc=newindia,dc=com" -W -f auto.ldif
Enter LDAP Password:


To migrate all the required files, use the following scripts to create the LDIF files.

[bharath@linux0120 LDAP]$ cat auto.master.pl
#!/usr/bin/perl
# Convert the NIS auto.master map into LDIF: an autoMountMap ou for the
# master map plus one autoMount entry per mount point, each pointing at
# the ou of its sub-map (ldap:ou=<mapfile>,...).
use strict;
use warnings;

my $domain    = "newindia";
my $dom       = "com";
my $configdir = "/home/bharath/LDAP/";

print "Enter the Master Map file\n";
my $infile = <STDIN>;
chomp $infile;
my $outfile = "$infile.ldif";

open my $fho, '>', $outfile or die "Cannot write $outfile: $!";
print $fho "dn: ou=$infile,dc=$domain,dc=$dom\n";
print $fho "ou: $infile\n";
print $fho "objectClass: top\n";
print $fho "objectClass: autoMountMap\n\n\n";

if (open my $fhi, '<', "$configdir$infile") {
    while (<$fhi>) {
        next unless /^\//;                  # map lines start with the mount point
        my ($mount, $mapfile) = split;      # e.g. "/home auto.home"
        print $fho "dn: cn=$mount,ou=$infile,dc=$domain,dc=$dom\n";
        print $fho "cn: $mount\n";
        print $fho "objectClass: autoMount\n";
        print $fho "autoMountInformation: ldap:ou=$mapfile,dc=$domain,dc=$dom\n\n\n";
    }
    close $fhi;
}
else {
    warn "Cannot read $configdir$infile: $!\n";
}
close $fho;



For all files other than auto.master, use the following script and provide the file name when prompted.

[bharath@linux0120 LDAP]$ cat auto.all.pl
#!/usr/bin/perl
# Convert one NIS automount map (auto.home, auto.data, ...) into LDIF:
# an autoMountMap ou for the map and one autoMount entry per map line,
# with the file server name expanded to its FQDN.
use strict;
use warnings;

my $subdomain = "dev02";
my $domain    = "newindia";
my $dom       = "com";
my $configdir = "/home/bharath/LDAP/";

print "Enter the NIS map file\n";
my $infile = <STDIN>;
chomp $infile;
my $outfile = "$infile.ldif";

open my $fho, '>', $outfile or die "Cannot write $outfile: $!";
print $fho "dn: ou=$infile,dc=$domain,dc=$dom\n";
print $fho "ou: $infile\n";
print $fho "objectClass: top\n";
print $fho "objectClass: autoMountMap\n\n\n";

if (open my $fhi, '<', "$configdir$infile") {
    while (<$fhi>) {
        chomp;
        next unless /^\w+/;    # skips comments, blank lines and the '*' wildcard line
        s/[:,&]/ /g;           # "fileserv:/export/home/bharath" -> "fileserv /export/home/bharath"
        my @data  = split /\s+/;
        my $words = scalar @data;
        if ($words == 3) {
            my ($cn, $server, $share) = @data;
            print $fho "dn: cn=$cn,ou=$infile,dc=$domain,dc=$dom\n";
            print $fho "cn: $cn\n";
            print $fho "objectClass: autoMount\n";
            print $fho "autoMountInformation: $server.$subdomain.$domain.$dom:$share\n\n\n";
        }
        else {
            print "Line does not have exactly three words ($words), skipped: $_\n";
        }
    }
    close $fhi;
}
else {
    print "The \"$infile\" does not exist in the \"$configdir\" directory\n";
}
close $fho;

After creating the required ldif files, add the same to the LDAP Database.





Useful LDAP Commands:

ldapadd:
-x simple authentication (no SASL)
-D binddn
-W prompt for bind password
-f ldif file
[bharath@linux0120 LDAP]$ ldapadd -x -D "cn=root,dc=newindia,dc=com" -W -f auto.data.ldif

ldapmodify:
Same as that of ldapadd.

ldapsearch:

-b basedn
[bharath@linux0120 LDAP]$ ldapsearch -x -b "ou=auto.home,dc=newindia,dc=com" "(cn=*)"

ldapdelete:
-r recursive
If the specified dn is a tree containing several leaves, then -r should be used, else only the specified dn will be deleted.
[bharath@linux0120 LDAP]$ ldapdelete -x -r -D "cn=root,dc=newindia,dc=com" "ou=auto.nb_apps-7.2,dc=newindia,dc=com" -W

ldappasswd:
-S prompt for newpassword
[bharath@linux0120 LDAP]$ ldappasswd -x -S -D "cn=root,dc=newindia,dc=com" -W "uid=bharath,ou=people,dc=newindia,dc=com"
New password:
Re-enter new password:
Enter LDAP Password:
Result: Success (0)


Configuring Client:

[root@www ~]# rpm -qa | grep ldap
nss_ldap-226-6
openldap-2.2.13-3
compat-openldap-2.1.30-3

The packages nss_ldap-226-6

How to install Jabber/XMPP Server on CentOS / RHEL (redhat)

Jabber Chat Server:
This documentation describes how to set up the Jabber chat server.
Pre-Installation Steps:


Check whether the UID already exists in the /etc/passwd file:

#grep 400 /etc/passwd


Create a user for the jabber process with a UID below 500, without creating a new home directory, and with the jabber server's installation directory set as its home directory:


#useradd -u 400 -M -d /usr/local/jabber jabber


#passwd jabber


Changing password for user jabber.
New UNIX password:
BAD PASSWORD: it is based on a dictionary word
Retype new UNIX password:
passwd: all authentication tokens updated successfully.


Check for the following prerequisites:


1. OpenSSL (version 0.9.6b or higher)
#rpm -qa | grep openssl
openssl-devel-0.9.7a-43.1
openssl-0.9.7a-43.1
xmlsec1-openssl-1.2.6-3


2. Libidn (version 0.3.0 or higher)
#rpm -qa | grep libidn
libidn-0.5.6-1
libidn-devel-0.5.6-1


3. Data storage package (any database: MySQL, PostgreSQL, etc.)
# rpm -qa | grep mysql-server


Preparing... ########################################### [100%]
1:MySQL-standard-debuginf########################################### [ 20%]
2:MySQL-client-standard ########################################### [ 40%]
3:MySQL-devel-standard ########################################### [ 60%]
4:MySQL-server-standard ########################################### [ 80%]
5:MySQL-shared-standard ########################################### [100%]
Start the MySQL daemon:

[root@linux0120 jabberd-2.0s8]# /etc/init.d/mysqld start
Initializing MySQL database: [ OK ]
Starting MySQL: [ OK ]


Set the password for the MySQL server (a password passed on the command line like this is recorded in the shell history):
#/usr/bin/mysqladmin -u root password 'mysql4dm1n'


4. Authentication package (database or LDAP, as required)
# rpm -qa | grep ldap
(or)
# rpm -qa | grep mysql-server


Download the source from the following URL:
http://jabberd.jabberstudio.org/2/


Unpack the distribution:
#tar -zxvf jabberd-2.0s8.tar.gz
(output truncated)


#cd jabberd-2.0s8


#./configure --help


#./configure --prefix=/usr/local/jabber --enable-ssl=/usr/include/openssl/ --enable-idn --enable-mysql=/usr/include/mysql --enable-ldap --enable-debug


#make


#make install


Create the pid and log directories:
#mkdir -p /usr/local/jabber/pid


#mkdir -p /usr/local/jabber/log


#chown -R jabber:jabber /usr/local/jabber


======================================================
Set Ownership of Configuration Files
Jabberd configuration files contain passwords; therefore, you should set ownership and permissions on these files so that they are only readable by your jabber user and writable by root only. Using the location of your configuration files and your jabber user, set ownership of these files:


#chown -R root:jabber /usr/local/jabber/etc/jabberd/*


#chmod -R 770 /usr/local/jabber/etc/jabberd/*
Note that mode 770 also lets the jabber group write these files; the chmod 750 step later in this guide tightens the tree again.
=======================================================


4. Basic Configuration
Jabberd 2 is configured via its six XML files.
# su - jabber
-bash-3.00$ cd etc/jabberd/
-bash-3.00$ cp sm.xml sm.xml_orig
-bash-3.00$ cp c2s.xml c2s.xml_orig
-bash-3.00$ cp s2s.xml s2s.xml_orig
-bash-3.00$ cp router.xml router.xml_orig
-bash-3.00$ cp resolver.xml resolver.xml_orig


4.1. Set Host Name in sm.xml and c2s.xml
Your server hostname (network ID) must be set in both c2s.xml and sm.xml so that the ID provides a network resolvable reference for your server.


# vi sm.xml
In sm.xml file:
Under <sm> tag:


<id>linux0120.dev02.newindia.com</id>
<pidfile>/usr/local/jabber/pid/sm.pid</pidfile>


========================================================
Enable the following certificate tag
<pemfile>/usr/local/jabber/etc/jabberd/jabberd-cert.pem</pemfile>
========================================================
Change the log type to file, disable the facility tag and enable the file tag:
<log type='file'>
<!-- <ident>jabberd/sm</ident> -->
<!-- <facility>local3</facility> -->
<file>/usr/local/jabber/log/sm.log</file>


# vi c2s.xml
In c2s.xml file:


<pidfile>/usr/local/jabber/pid/c2s.pid</pidfile>
======================================================
Enable the certificate to use to set up an encrypted channel:
<pemfile>/usr/local/jabber/etc/jabberd/jabberd-cert.pem</pemfile>
======================================================
Change the log type to file, disable the facility tag and enable the file tag:
<log type='file'>
<!-- <ident>jabberd/c2s</ident> -->
<!-- <facility>local3</facility> -->
<file>/usr/local/jabber/log/c2s.log</file>


Set the id in the Local Network Configuration as follows:
<id>linux0120.dev02.newindia.com</id>


======================================================
Enable the certificate to use to set up an encrypted channel:
<pemfile>/usr/local/jabber/etc/jabberd/jabberd-cert.pem</pemfile>
<cachain>/usr/local/jabber/etc/jabberd/cachain.pem</cachain>
<require-starttls/>
<ssl-port>5223</ssl-port>
=======================================================


4.2. Provision and Configure for Storage and Authentication Package(s)


4.4. Provision and Configure for MySQL
Getting Jabberd 2 to work with your choice of external storage and authentication packages involves these steps:
1. Provision external package(s) to work with Jabberd 2
2. Configure sm.xml for your choice of storage package
3. Configure c2s.xml for your choice of authentication package


Most Jabberd 2 installations rely on a single package, such as MySQL, to provide both storage and authentication services. If your installation relies on a single package, you will need to configure this package for Jabberd 2 and then enter similar connection details in both sm.xml and c2s.xml.


Storage package (MySQL):
In order to set up MySQL for Jabberd, you must run the setup script included in the Jabberd 2 distribution. After the script is run, you should create a user and then grant that user access to the database.


4.4.1. Provision for mysql:
First, run the MySQL setup script. This script is located in '[Jabberd SourceFiles]/tools'. Switch to the tools directory and start the MySQL console (the MySQL server should already be running). Then, run the db-setup.mysql script from the MySQL console:


mysql -u root -p
mysql>\. db-setup.mysql


Now that a database for Jabberd exists in the MySQL data directory, create a MySQL user that Jabberd can use to connect to the MySQL server.

#cd /usr/local/src/jabberd-2.0s8/tools/
#ls db-setup.mysql
#mysql -u root -p
mysql>\. db-setup.mysql


MySQL User and Password:
GRANT select,insert,delete,update ON jabberd2.* to jabberd2@linux0120.dev02.newindia.com IDENTIFIED by 'j4bb3r4dm1n';


Check the mysql login for jabberd2:
[root@linux0120 jabberd]# mysql -u jabberd2 -p -h linux0120.dev02.newindia.com
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 15 to server version: 4.1.12


Type 'help;' or '\h' for help. Type '\c' to clear the buffer.


mysql> exit
Bye
MySQL is now ready to be used with Jabberd.


Note: Default MySQL Socket
Jabberd 2 stable 3 connects to the MySQL server socket at /tmp/mysql.sock.
The default socket when installing MySQL from source is /var/lib/mysql/mysql.sock. You will need to create a symlink to /tmp/mysql.sock if it does not exist:
# ls -l /tmp/mysql.sock
ls: /tmp/mysql.sock: No such file or directory
ln -s /var/lib/mysql/mysql.sock /tmp/mysql.sock


If you are unsure as to where your MySQL server socket is, consult your MySQL configuration file (usually located in /etc/my.cnf or /etc/mysql/my.cnf).


Default MySQL Socket:
ln -s /var/lib/mysql/mysql.sock /tmp/mysql.sock


4.4.2 Configure Storage using MySQL:

Most installations using MySQL for storage will require only the setting of the driver, user and password.


In sm.xml under the section labeled Storage database configuration, make sure that the driver is set to mysql (it should be by default):
# vi sm.xml


<driver>mysql</driver>


In sm.xml under the section labeled MySQL driver configuration, replace secret with your MySQL password (it must match the password given in the GRANT statement above). Change the user if you are not using the default user (jabberd2):


<host>linux0120.dev02.newindia.com</host>
<pass>jabberadmin</pass>


Note that you should change the host setting only if your MySQL server is running on a different host. You should change the port setting only if your MySQL server is running on a non-standard port (port 3306 is the default for MySQL installations). The transaction support section is self-explanatory.


Jabberd 2 is now configured to use MySQL for storage.


4.7. Provision and Configure for OpenLDAP ( For Authentication )


4.7.2. Configure for Authentication using OpenLDAP (c2s.xml)


OpenLDAP configuration is more detailed because configuration requires host and connection settings in addition to query settings.


In c2s.xml under the section labeled Authentication/registration database configuration, set the module to ldap (OpenLDAP):
# vi c2s.xml


<module>ldap</module>


Users cannot create their own accounts when using OpenLDAP for authentication. Therefore, public account registration should be disabled, while auto-create should be enabled so that the session manager can create accounts the first time users log on.
Commenting out the enable tag as below disables public account registration:
<!-- <enable/> -->


The first part of the LDAP module configuration in c2s.xml deals with the settings required to connect to your OpenLDAP server. The host must either be a hostname resolvable by the server or the IP address of the OpenLDAP server. Port 389 is the default port for OpenLDAP servers, so in most cases port should be left as is. The v3 tag specifies whether your OpenLDAP server is v3. Uncomment this tag if it is. Leave the v3 tag commented for OpenLDAP v2 servers. Lastly, uncomment either the starttls or ssl tag if your server supports encryption (see notes below):


<host>linux0120.dev02.newindia.com</host>


Enable and set the binddn as follows:
<binddn>cn=root,dc=newindia,dc=com</binddn>
<bindpw>ld4p4dm1n</bindpw>


Set the basedn tag as follows:
<!-- <basedn realm='company'>o=Company.com</basedn> -->
<basedn>dc=newindia,dc=com</basedn>


In sm.xml under the section labeled User options (near the bottom of the file), uncomment the auto-create tag as below so that the session manager will create a new Jabberd2 account the first time a user logs on:
#vi sm.xml


<auto-create/>


To have the default buddy list pushed to the client when a user logs in for the first time, enable the following tag:
<roster>/usr/local/jabber/etc/jabberd/templates/roster.xml</roster>


4.8 Configure the router.xml as follows:
#vi router.xml


<pidfile>/usr/local/jabber/pid/router.pid</pidfile>


Change the log type to file, disable the facility tag and enable the file tag:
<log type='file'>
<!-- <ident>jabberd/router</ident> -->
<!-- <facility>local3</facility> -->
<file>/usr/local/jabber/log/router.log</file>


=======================================================
Enable the certificate to use to set up an encrypted channel:
<pemfile>/usr/local/jabber/etc/jabberd/jabberd-cert.pem</pemfile>
=======================================================



4.9 Configure the resolver.xml as follows:
# vi resolver.xml


<pidfile>/usr/local/jabber/pid/resolver.pid</pidfile>


=====================================================
Enable the certificate to use to set up an encrypted channel:
<pemfile>/usr/local/jabber/etc/jabberd/jabberd-cert.pem</pemfile>
=====================================================
Change the log type to file, disable the facility tag and enable the file tag:
<log type='file'>
<!-- <ident>jabberd/resolver</ident> -->
<!-- <facility>local3</facility> -->
<file>/usr/local/jabber/log/resolver.log</file>


4.10 Configure the s2s.xml as follows:
# vi s2s.xml


<pidfile>/usr/local/jabber/pid/s2s.pid</pidfile>


==================================================
Enable the certificate to use to set up an encrypted channel:
<pemfile>/usr/local/jabber/etc/jabberd/jabberd-cert.pem</pemfile>
======================================================
Change the log type to file, disable the facility tag and enable the file tag:
<log type='file'>
<!-- <ident>jabberd/s2s</ident> -->
<!-- <facility>local3</facility> -->
<file>/usr/local/jabber/log/s2s.log</file>


======================================================
Enable the certificate to use to set up an encrypted channel:
<pemfile>/usr/local/jabber/etc/jabberd/jabberd-cert.pem</pemfile>
======================================================


Set the Permissions as follows:
#chmod 750 /usr/local/jabber/etc/ -R
#chmod 750 /usr/local/jabber/bin/ -R
#chmod 750 /usr/local/jabber


Your Jabberd 2 configuration for storage and authentication is now complete.
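As an added check, not part of the original post or of jabberd, the script below parses constructed stand-ins for sm.xml and c2s.xml and verifies the points that sections 4.1 and 4.7.2 depend on: the same hostname in sm.xml's id and c2s.xml's local id, a pemfile present wherever require-starttls is set, public registration left disabled while the ldap module is in use, and auto-create present in sm.xml; a file with an unbalanced tag is reported instead of being silently skipped. The tag layout is assumed to follow jabberd 2's stock files; to check the real ones, read /usr/local/jabber/etc/jabberd/sm.xml and c2s.xml and pass their contents as the two arguments.

```python
# Added check for the sm.xml / c2s.xml edits in 4.1 and 4.7.2 (not part of the post or jabberd).
# The XML below is constructed: minimal stand-ins keeping only the tags the checks look at.
import xml.etree.ElementTree as ET

HOST = "linux0120.dev02.newindia.com"
SM_XML = f"<sm><id>{HOST}</id><user><auto-create/></user></sm>"
C2S_XML = f"""<c2s><id>c2s</id>
  <local><id>{HOST}</id><pemfile>/usr/local/jabber/etc/jabberd/jabberd-cert.pem</pemfile>
    <require-starttls/><ssl-port>5223</ssl-port></local>
  <authreg><module>ldap</module><register></register></authreg></c2s>"""
# Same file with the hostname mistyped and public registration left on.
C2S_TYPO = (C2S_XML.replace(f"<local><id>{HOST}", "<local><id>lnux0120.dev02.newindia.com")
            .replace("<register></register>", "<register><enable/></register>"))
# Same file with the slash of </module> forgotten while editing.
C2S_MALFORMED = C2S_XML.replace("<module>ldap</module>", "<module>ldap<module>")

def _parse(name, xml_text):
    """Return (root, None), or (None, message) when the file does not parse."""
    try:
        return ET.fromstring(xml_text), None
    except ET.ParseError as exc:
        return None, f"{name}: XML parse error, fix the tags first ({exc})"

def _text(root, path):
    """Stripped text of the first element at path, or None if absent or empty."""
    el = root.find(path)
    return el.text.strip() if el is not None and el.text else None

def check_configs(sm_xml, c2s_xml):
    """Return a list of findings; an empty list means the two files agree."""
    sm, sm_err = _parse("sm.xml", sm_xml)
    c2s, c2s_err = _parse("c2s.xml", c2s_xml)
    errors = [e for e in (sm_err, c2s_err) if e]
    if errors:
        return errors
    findings = []
    sm_id, c2s_id = _text(sm, "id"), _text(c2s, "local/id")
    if sm_id != c2s_id:
        findings.append(f"host id mismatch: sm.xml <id>={sm_id!r}, c2s.xml <local><id>={c2s_id!r}")
    # STARTTLS cannot be required without a certificate to present.
    if c2s.find("local/require-starttls") is not None and not _text(c2s, "local/pemfile"):
        findings.append("c2s.xml requires STARTTLS but <local> has no <pemfile>")
    # With LDAP authentication, registration is off and sm creates accounts on first login.
    if _text(c2s, "authreg/module") == "ldap":
        if c2s.find("authreg/register/enable") is not None:
            findings.append("ldap module in use but public registration <enable/> is still on")
        if sm.find("user/auto-create") is None:
            findings.append("ldap module in use but sm.xml lacks <user><auto-create/>")
    return findings

if __name__ == "__main__":
    for label, c2s in (("as configured", C2S_XML), ("hostname typo", C2S_TYPO),
                       ("unbalanced <module>", C2S_MALFORMED)):
        print(f"{label}: {check_configs(SM_XML, c2s) or ['OK']}")
```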


4.8. Test Server


Checkpoint: Start Your Server
You should be able to start and test your Jabberd 2 server by using the Jabberd 2 startup script (as your jabber user):


su - jabber
./bin/jabberd &


A.6. Generating a Self-Signed SSL Certificate
A.6.1. Generate Key Pair


From a working directory, enter the command below to begin an interactive key generation process:


#cd
#mkdir KEYS
#cd KEYS
[root@linux0135 KEYS]# openssl req -new -x509 -newkey rsa:1024 -days 3650 -keyout privkey.pem -out server.pem
Generating a 1024 bit RSA private key
........................................++++++
................++++++
writing new private key to 'privkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:IN
State or Province Name (full name) [Berkshire]:Tamilnadu
Locality Name (eg, city) [Newbury]:Chennai
Organization Name (eg, company) [My Company Ltd]:newindia India Pvt Ltd
Organizational Unit Name (eg, section) []:Chennai
Common Name (eg, your name or your server's hostname) []:newindia.com
Email Address []:sysadmin-india@newindia.com


[root@linux0135 KEYS]# openssl rsa -in privkey.pem -out privkey.pem
Enter pass phrase for privkey.pem:
writing RSA key


[root@linux0135 KEYS]#


Create the key pair and the CSR on the Jabber server as follows. First, modify the openssl.cnf file:


[root@sysadminbox root]# find / -name openssl.cnf
/usr/share/ssl/openssl.cnf
/usr/local/src/openssl-0.9.7b/apps/openssl.cnf
/usr/ssl/openssl.cnf


[root@sysadminbox root]# cd /usr/share/ssl/
[root@lnxdev0003 ssl]# vi openssl.cnf
dir = ./CA/
countryName_default = IN
stateOrProvinceName_default = TamilNadu
localityName_default = Chennai
0.organizationName_default = New India Pvt Ltd
organizationalUnitName_default = Development
emailAddress = bharath@newindia.com
(In openssl.cnf the emailAddress key is the prompt label; a pre-filled value belongs in emailAddress_default. Changing the label is why the address itself appears as the prompt text in the run below.)


[root@linux0120 ssl]# openssl req -new -nodes -config openssl.cnf -keyout /usr/local/jabber/etc/jabberd/jabberd-key.pem -out /usr/local/jabber/etc/jabberd/jabberd.csr
Generating a 1024 bit RSA private key
..................++++++
.........................++++++
writing new private key to '/usr/local/jabber/etc/jabberd/jabberd-key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [IN]:
State or Province Name (full name) [TamilNadu]:
Locality Name (eg, city) [Chennai]:
Organization Name (eg, company) [New India Pvt Ltd]:
Organizational Unit Name (eg, section) []:Development
Common Name (eg, your name or your server's hostname) []:linux0120.dev02.newindia.com
logarajan@newindia.com []:


Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:


Sign the request with the CA:


[root@linux0120 ssl]# openssl ca -config openssl.cnf -out CA/newcerts/jabberd-cert.pem -in /usr/local/jabber/etc/jabberd/jabberd.csr
Using configuration from openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: Apr 13 05:10:27 2006 GMT
Not After : Apr 13 05:10:27 2007 GMT
Subject:
countryName = IN
stateOrProvinceName = TamilNadu
organizationName = New India Pvt Ltd
organizationalUnitName = Development
commonName = linux0120.dev02.newindia.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
74:52:75:5B:7C:2F:73:BB:7F:1D:8F:9E:49:5D:74:B7:C8:6E:4F:17
X509v3 Authority Key Identifier:
keyid:3B:8B:3A:75:A0:F7:2E:36:C9:21:F9:9D:59:25:6B:00:4F:CD:D6:F3
DirName:/C=IN/ST=TamilNadu/L=Chennai/O=New Break India Pvt Ltd/OU=Development/CN=linux0120.dev02.newindia.com
serial:00


Certificate is to be certified until Apr 13 05:10:27 2007 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated


Copy the signed certificate and the CA certificate into the jabberd configuration directory:


[root@linux0120 ssl]# cp CA/newcerts/jabberd-cert.pem /usr/local/jabber/etc/jabberd/


[root@linux0120 ssl]# cp CA/cacert.pem /usr/local/jabber/etc/jabberd/


Set the following ownerships and permissions:


[root@linux0120 jabberd]# chown root:jabber jabberd-cert.pem cacert.pem


[root@linux0120 jabberd]# chmod 640 jabberd-cert.pem cacert.pem