These are my RHCA study notes, feel free to use them but do not expect them to be 100% accurate!
Wednesday, 9 November 2011
install CA-signed server certificate
You will need to do the following so that the server starts without prompting for a password
#vim /etc/dirsrv/slapd-ds1/pin.txt
Internal (Software) Token:PASSWORD
#chmod 400 /etc/dirsrv/slapd-ds1/pin.txt
#chown nobody:nobody /etc/dirsrv/slapd-ds1/pin.txt
for the admin server do the following
#vim /etc/dirsrv/admin-serv/password.conf
internal:PASSWORD
#chmod 400 /etc/dirsrv/admin-serv/password.conf
#chown nobody:nobody /etc/dirsrv/admin-serv/password.conf
#vim /etc/dirsrv/admin-serv/nss.conf
NSSPassPhraseDialog file://///etc/dirsrv/admin-serv/password.conf
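A post-configuration check for these two files, added here as example code (not from the notes or from Red Hat): the password that unlocks the NSS database now sits in clear text on disk, so the file must be mode 400 and owned by the account the server runs as (nobody in these notes), and it must carry a token:password line in the slapd or admin-server form. It assumes GNU stat.

```shell
#!/bin/sh
# Added example, not from the notes: check that a pin.txt or password.conf used
# for unattended start-up is locked down. The NSS database password sits in
# clear text in these files, so only the server account may read them.
# Assumes GNU stat (-c '%a' octal mode, -c '%U' owner name).
# Usage: check_pin_file FILE EXPECTED_OWNER ; returns 0 when safe, 1 otherwise.
check_pin_file() {
    file=$1
    owner=$2
    if [ ! -f "$file" ]; then
        echo "$file: missing" >&2
        return 1
    fi
    mode=$(stat -c '%a' "$file")
    fowner=$(stat -c '%U' "$file")
    if [ "$mode" != "400" ]; then
        echo "$file: mode $mode, expected 400 (password readable by others)" >&2
        return 1
    fi
    if [ "$fowner" != "$owner" ]; then
        echo "$file: owned by $fowner, expected $owner" >&2
        return 1
    fi
    # slapd form "Internal (Software) Token:PASSWORD" or admin-server form
    # "internal:PASSWORD"; the password part must not be empty.
    if ! grep -Eq '^(Internal \(Software\) Token|internal):.+' "$file"; then
        echo "$file: no token:password line for the internal token" >&2
        return 1
    fi
    return 0
}

# Check the two files the notes create; the owner is the account the servers
# run as (nobody in these notes).
for f in /etc/dirsrv/slapd-ds1/pin.txt /etc/dirsrv/admin-serv/password.conf; do
    if [ -e "$f" ]; then
        check_pin_file "$f" nobody && echo "$f: OK"
    fi
done
```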
Install the Certificate
- In the Directory Server Console, select the Tasks tab, and click Manage Certificates.
- Select the Server Certs tab, and click Install.
- Give the certificate location or paste the certificate text in the text box, then click Next.
- In this file. Enter the absolute path to the certificate in this field.
- In the following encoded text block. Copy the text from the CA's email or from the created text file, and paste it in this field.
- Check that the certificate information displayed is correct, and click Next.
- Give a name to the certificate, and click Next.
- Provide the password that protects the private key. This password is the same as the one provided in step 5 in Section 11.2.1, “Step 1: Generate a Certificate Request”.
Configuring the Directory Server to trust the certificate authority consists of obtaining the CA's certificate and installing it into the server's certificate database. This process differs depending on the certificate authority. Some commercial CAs provide a web site that allows users to download the certificate; others will email it back to users.
Once both the server and CA certificates are installed, it is possible to configure the Directory Server to run in TLS/SSL. However, Red Hat recommends verifying that the certificates have been installed correctly.
After receiving the CA certificate, use the Certificate Install Wizard to configure the Directory Server to trust the certificate authority.
- In the Directory Server Console, select the Tasks tab, and click Manage Certificates.
- Go to the CA Certs tab, and click Install.
- If the CA's certificate is saved to a file, enter the path in the field provided. Alternatively, copy and paste the certificate, including the headers, into the text box. Click Next.
- Check that the certificate information that opens is correct, and click Next.
- Name the certificate, and click Next.
- Select the purpose of trusting this certificate authority; it is possible to select both options:
- Accepting connections from clients (Client Authentication). The server checks that the client's certificate has been issued by a trusted certificate authority.
- Accepting connections to other servers (Server Authentication). This server checks that the directory to which it is making a connection (for replication updates, for example) has a certificate that has been issued by a trusted certificate authority.
- Click Done.
- In the Directory Server Console, select the Tasks tab, and click Manage Certificates.
- Select the Server Certs tab. A list of all the installed certificates for the server opens.
- Scroll through the list. The certificates installed previously should be listed.
request a certificate from a certificate authority (CA)
Generate a Certificate Request
- In the Directory Server Console, select the Tasks tab, and click Manage Certificates.
- Select the Server Certs tab, and click the Request button. This opens the Certificate Request Wizard.
- Click Next.
- Enter the Requester Information in the blank text fields, then click Next.
- Server Name. Enter the fully qualified hostname of the Directory Server as it is used in DNS and reverse DNS lookups; for example, dir.example.com. The server name is critical for client-side validation to work, which prevents man-in-the-middle attacks.
- Organization. Enter the legal name of the company or institution. Most CAs require this information to be verified with legal documents such as a copy of a business license.
- Organizational Unit. Optional. Enter a descriptive name for the organization within the company.
- Locality. Optional. Enter the company's city name.
- State or Province. Enter the full name of the company's state or province (no abbreviations).
- Country. Select the two-character abbreviation for the country's name (ISO format). The country code for the United States is US.
- The Next button is grayed out until a password is supplied.
- The Request Submission dialog box provides two ways to submit a request: directly to the CA (if there is one internally) or manually. To submit the request manually, select Copy to Clipboard or Save to File to save the certificate request which will be submitted to the CA.
- Click Done to dismiss the Certificate Request Wizard.
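The same request built on the command line with openssl, added here as example code (not from the notes or the console wizard): it fills in the subject fields the wizard asks for, keeps the private key on the server, and checks that the name in the request is the server's DNS name before anything is sent to the CA. The subject values are constructed placeholders, and a subjectAltName is added because current clients validate that rather than the CN.

```shell
#!/bin/sh
# Added example, not from the notes or the console wizard: build a certificate
# request with the same subject fields the wizard asks for, then check it before
# sending it to the CA. Subject values are constructed placeholders.

# make_csr FQDN DIR -> writes DIR/FQDN.key (stays on the server, never sent)
# and DIR/FQDN.csr (what goes to the CA); prints the CSR path.
make_csr() {
    fqdn=$1; dir=$2
    # Country, State, Locality, Organization, Organizational Unit, Server Name
    subj="/C=US/ST=California/L=Raleigh/O=Example Corp/OU=Directory Services/CN=$fqdn"
    # umask 077 so the private key is created readable by its owner only.
    (umask 077 && openssl genrsa -out "$dir/$fqdn.key" 2048 2>/dev/null) || return 1
    # Current clients validate subjectAltName rather than CN, so carry the
    # server name in both (the SAN goes beyond what the wizard produces).
    openssl req -new -key "$dir/$fqdn.key" -subj "$subj" \
        -addext "subjectAltName=DNS:$fqdn" -out "$dir/$fqdn.csr" 2>/dev/null || return 1
    echo "$dir/$fqdn.csr"
}

# csr_cn CSR -> prints the CN from the request subject (RFC 2253 puts CN first).
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# csr_has_san CSR NAME -> succeeds if the request carries DNS:NAME.
csr_has_san() {
    openssl req -in "$1" -noout -text | grep -q "DNS:$2"
}

# check_csr CSR FQDN -> succeeds only if the name in the request is the server's
# DNS name; a mismatch here is exactly what clients reject as a possible
# man-in-the-middle, so catch it before the CA signs it.
check_csr() {
    [ "$(csr_cn "$1")" = "$2" ] || { echo "$1: CN is not $2" >&2; return 1; }
    csr_has_san "$1" "$2" || { echo "$1: no SAN entry for $2" >&2; return 1; }
}

# Usage: sh make_csr.sh dir.example.com [output-dir]
if [ -n "${1:-}" ]; then
    csr=$(make_csr "$1" "${2:-.}") && check_csr "$csr" "$1" && echo "ready to send: $csr"
fi
```

The .csr file is what gets pasted into the email or uploaded to the CA; the .key file never leaves the server.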
After generating the certificate request, send it to a certificate authority (CA); the CA will generate and return a server certificate.
After emailing the certificate request, wait for the CA to respond with the server certificate. Response time for requests varies. For example, if the CA is internal to the company, it may only take a day or two to respond to the request. If the selected CA is a third-party, it could take several weeks to respond to the request.
After receiving the certificate, install it in the Directory Server's certificate database. When the CA sends a response, be sure to save the information in a text file. The certificate must be available to install in the Directory Server.
Also, keep a backup of the certificate data in a safe location. If the system ever loses the certificate data, the certificate can be reinstalled using the backup file.
- Most certificate requests are emailed to the CA, so open a new message.
- Copy the certificate request information from the clipboard or the saved file into the body of the message.
- Send the email message to the CA.
Tuesday, 1 November 2011
Install Red Hat Directory Server
Then increase the maximum number of open files on the system by editing the /etc/security/limits.conf configuration file. Add the following entry:
* - nofile 8192
1. Install OpenJDK 1.6.0.
- yum install java-openjdk -y
- /usr/sbin/alternatives --config java
- yum install redhat-ds
- /usr/sbin/setup-ds-admin.pl
Tuesday, 16 August 2011
provides a service fail-over between the nodes
Adding a Failover Domain
To add a failover domain, follow the steps in this section. The starting point of the procedure is at the cluster-specific page that you navigate to from Choose a cluster to administer displayed on the cluster tab.
1. At the detailed menu for the cluster (below the clusters menu), click Failover Domains. Clicking Failover Domains causes the display of failover domains with related services and the display of menu items for failover domains: Add a Failover Domain and Configure a Failover Domain.
2. Click Add a Failover Domain. Clicking Add a Failover Domain causes the display of the Add a Failover Domain page.
3. At the Add a Failover Domain page, specify a failover domain name at the Failover Domain Name text box.
Note
The name should be descriptive enough to distinguish its purpose relative to other names used in your cluster.
4. To enable setting failover priority of the members in the failover domain, click the Prioritized checkbox. With Prioritized checked, you can set the priority value, Priority, for each node selected as a member of the failover domain.
5. To restrict failover to members in this failover domain, click the checkbox next to Restrict failover to this domain's members. With Restrict failover to this domain's members checked, services assigned to this failover domain fail over only to nodes in this failover domain.
6. To specify that a node does not fail back in this failover domain, click the checkbox next to Do not fail back services in this domain. With Do not fail back services in this domain checked, if a service fails over from a preferred node, the service does not fail back to the original node once it has recovered.
7. Configure members for this failover domain. Under Failover domain membership, click the Member checkbox for each node that is to be a member of the failover domain. If Prioritized is checked, set the priority in the Priority text box for each member of the failover domain.
8. Click Submit. Clicking Submit causes a progress page to be displayed followed by the display of the Failover Domain Form page. That page displays the added resource and includes the failover domain in the cluster menu to the left under Domain.
support filesystem quotas
mount -o quota=on BlockDevice MountPoint
example
mount -o quota=on /dev/vg01/lvol0 /mygfs2
Setting Quotas, Hard Limit
gfs2_quota limit -u User -l Size -f MountPoint
gfs2_quota limit -g Group -l Size -f MountPoint
Setting Quotas, Warn Limit
gfs2_quota warn -u User -l Size -f MountPoint
gfs2_quota warn -g Group -l Size -f MountPoint
Synchronizing Quota Information
gfs2_quota sync -f MountPoint
This example synchronizes the quota information from the node it is run on to file system /mygfs2.
gfs2_quota sync -f /mygfs2
This example changes the default time period between regular quota-file updates to one hour (3600 seconds) for file system /mygfs2 on a single node.
gfs2_tool settune /mygfs2 quota_quantum 3600
Sunday, 14 August 2011
Custom udev for iscsi
Create a rule that will create a symlink called /dev/iscsi[1-9] that points to /dev/sda[1-9]
/etc/udev/rules.d/75-iscsi_sda.rules
KERNEL=="sda[1-9]", \
PROGRAM=="scsi_id -g -s /block/sda/sda%n", \
RESULT=="GUID", \
SYMLINK+="iscsi%n"
replace GUID with the output of scsi_id -g -s /block/sda