
Thursday, December 10, 2015

Chef Server install and configure


Before starting the installation, have the following ready:

  • CentOS 6.5 installed.
  • An Internet connection.
  • iptables stopped and SELinux disabled.


Step1: Download latest rpm from chef website.

https://downloads.chef.io/chef-server/redhat/

I downloaded chef-server-core-12.3.1-1.el6.x86_64.rpm.

Step 2: Now install the Chef server rpm. Execute the command below to install it:





Step 3: Edit /etc/hosts and add the Chef server FQDN so that it resolves locally. The Chef server FQDN must be resolvable from anywhere in your network.

127.0.0.1 chef-server.cignex.com

Create /etc/opscode/chef-server.rb with the following content:

server_name = "chef-server.cignex.com"
api_fqdn server_name
bookshelf['vip'] = server_name
nginx['url'] = "https://#{server_name}"
nginx['server_name'] = server_name
nginx['ssl_certificate'] = "/var/opt/opscode/nginx/ca/#{server_name}.crt"
nginx['ssl_certificate_key'] = "/var/opt/opscode/nginx/ca/#{server_name}.key"


Step 4: Now configure the Chef server by executing the command below:
chef-server-ctl reconfigure
At the end you should see the message Chef Server Reconfigured!


Step 5: To use the web console you have to install it:

chef-server-ctl install opscode-manage

If the above command fails, enable the yum repo in /etc/yum.repos.d/chef-stable.repo, install opscode-manage manually, and run the above command again. Then reconfigure:

chef-server-ctl reconfigure
opscode-manage-ctl reconfigure

Now execute the command below to install the reporting add-on:

chef-server-ctl install opscode-reporting

If the above command fails, enable the yum repo in /etc/yum.repos.d/chef-stable.repo, install opscode-reporting manually, and run the above command again. Then reconfigure:

chef-server-ctl reconfigure
opscode-reporting-ctl reconfigure


Step 6: Now restart the Chef services by executing the command below:
/opt/opscode/bin/chef-server-ctl restart

Step 7: Create an admin user for logging in to the web console

Command:
chef-server-ctl user-create ADMIN_USER_NAME ADMIN_FIRST_NAME ADMIN_LAST_NAME ADMIN_EMAIL ADMIN_PASSWORD --filename ADMIN_USER_NAME.pem
Example:
[root@chef-server ~]# chef-server-ctl user-create shankar Shankar Patel shankar.patel@cignex.com Cignex --filename Cignex.pem
To reset the password of the created user:
[root@chef-server ~]#  chef-server-ctl password shankar
         
Step 8: Create an organization to manage nodes under a single roof

Command:
chef-server-ctl org-create ORG_SHORT_NAME "ORG_LONG_NAME" --association_user ADMIN_USER_NAME
Example:
[root@chef-server ~]# chef-server-ctl org-create cignex 'CIGNEX Datamatics Pvt Ltd' --association_user shankar 
You must give the organization short name in lowercase letters; otherwise no organization will be created.
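Steps 7 and 8 as one small shell wrapper, added here as an example; it is not part of the original post. It assumes chef-server-ctl's --prompt-for-password option (documented for chef-server-ctl user-create), and it only prints the commands when chef-server-ctl is not on PATH, so it can be read and tested away from the server. Besides the lowercase check from step 8, it keeps the admin password out of the command line and makes the admin's .pem owner-only.

```shell
#!/bin/sh
# Added example (not from the original post): steps 7 and 8 with the checks a
# practitioner wants before running them. Assumptions: chef-server-ctl accepts
# --prompt-for-password (documented for user-create); when chef-server-ctl is
# not on PATH the commands are only printed, so the script can be read and
# tested off the server.

CHEF_CTL="${CHEF_CTL:-$(command -v chef-server-ctl || echo echo)}"

# Step 8 silently creates nothing when the short name is not lowercase, so
# reject anything outside [a-z0-9_-] before calling org-create.
valid_org_short_name() {
    case "$1" in
        '' | *[!a-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# $1=user $2=first $3=last $4=email $5=org short name $6=org long name
create_admin_and_org() {
    user="$1"; first="$2"; last="$3"; email="$4"; org="$5"; org_long="$6"
    if ! valid_org_short_name "$org"; then
        echo "org short name '$org' must be lowercase [a-z0-9_-]" >&2
        return 1
    fi
    keyfile="$user.pem"
    # The password is typed at a prompt instead of being passed as an argument,
    # so it does not land in `ps` output or the root shell history.
    "$CHEF_CTL" user-create "$user" "$first" "$last" "$email" \
        --prompt-for-password --filename "$keyfile"
    # The .pem is the admin's API private key: make it owner-only.
    if [ -f "$keyfile" ]; then chmod 600 "$keyfile"; fi
    "$CHEF_CTL" org-create "$org" "$org_long" --association_user "$user"
}

# Usage: sh create_admin_and_org.sh shankar Shankar Patel shankar.patel@cignex.com cignex 'CIGNEX Datamatics Pvt Ltd'
if [ $# -ge 6 ]; then
    create_admin_and_org "$@"
fi
```

Run it on the Chef server with the six arguments shown in the usage line; anywhere else it echoes the two chef-server-ctl invocations so you can review them first.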



That's it!

You are done.

Now you can browse to the following URL to log in to the console:

https://chef-server.cignex.com/login



Monday, May 18, 2015

OpenLDAP pass-through authentication with Active Directory @CIGNEX Datamatics


1. Install cyrus-sasl and the OpenLDAP servers and clients
yum install openldap-servers openldap-client* *cyrus*sasl*

2. Edit /etc/sysconfig/saslauthd as shown below
[root@localhost ~]# vim /etc/sysconfig/saslauthd 
[root@localhost ~]# cat /etc/sysconfig/saslauthd
SOCKETDIR=/run/saslauthd
MECH=ldap
FLAGS='-O /etc/saslauthd.conf'

3. Create /etc/saslauthd.conf with the following content (your AD details)
[root@localhost ~]# vim /etc/saslauthd.conf
[root@localhost ~]# cat /etc/saslauthd.conf
ldap_servers: ldap://172.16.197.138
ldap_search_base: CN=Users,dc=myad,dc=com
ldap_timeout: 10
ldap_filter: sAMAccountName=%U
ldap_bind_dn: CN=Administrator,CN=Users,dc=myad,dc=com
ldap_password: Test1234
ldap_deref: never
ldap_restart: yes
ldap_scope: sub
ldap_use_sasl: no
ldap_start_tls: no
ldap_version: 3
ldap_auth_method: bind

4. Create the file /usr/lib64/sasl2/slapd.conf with the following content.
[root@localhost ~]# vim /usr/lib64/sasl2/slapd.conf
[root@localhost ~]# cat /usr/lib64/sasl2/slapd.conf
pwcheck_method: saslauthd
saslauthd_path: /run/saslauthd/mux

5. Edit /etc/openldap/ldap.conf and add the lines below.
sasl-host localhost
sasl-secprops none
BASE dc=myad,dc=com
URI ldap://localhost
[root@localhost ~]# tail -5 /etc/openldap/ldap.conf
sasl-host localhost
sasl-secprops none
BASE dc=myad,dc=com
URI ldap://localhost
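The saslauthd.conf from step 3 and the ldap.conf from step 5 carry the settings that decide how safe the pass-through chain is: the AD bind password sits in cleartext in saslauthd.conf, the connection to AD is plain ldap:// with STARTTLS off, the bind DN is the domain Administrator, and sasl-secprops none asks for no SASL protection. The following audit script is an added example and not part of the original post; it builds two sample files mirroring the post's settings (constructed inline so it runs offline) and prints one finding per line.

```shell
#!/bin/sh
# Added example (not from the original post): audits the saslauthd.conf from
# step 3 and the ldap.conf from step 5 for settings that weaken the
# pass-through chain, printing one finding per line. The two sample files are
# constructed below so the script runs offline; on the real host call:
#   audit_passthrough /etc/saslauthd.conf /etc/openldap/ldap.conf

# First value for a key, accepting "key: value" (saslauthd) or "KEY value" (ldap.conf).
conf_value() {  # $1=file $2=key
    awk -v k="$2" 'BEGIN { k = tolower(k) }
        tolower($1) == k || tolower($1) == (k ":") { print $2; exit }' "$1"
}

audit_saslauthd() {  # $1=saslauthd.conf
    f="$1"
    servers=$(conf_value "$f" ldap_servers)
    tls=$(conf_value "$f" ldap_start_tls)
    case "$servers" in
        ldap://*)
            if [ "$tls" != "yes" ]; then
                echo "saslauthd: ldap:// without 'ldap_start_tls: yes' sends the bind password and every user password in cleartext; use ldaps:// or enable STARTTLS"
            fi ;;
    esac
    # ldap_password is a cleartext AD credential: the file must not be world-readable.
    if [ -n "$(conf_value "$f" ldap_password)" ] && [ -n "$(find "$f" -perm -004)" ]; then
        echo "saslauthd: $f contains ldap_password and is world-readable; chmod 600 it"
    fi
    # Lookups by sAMAccountName only need read access, not a domain admin.
    case "$(conf_value "$f" ldap_bind_dn)" in
        [Cc][Nn]=[Aa]dministrator,*)
            echo "saslauthd: bind DN is the AD Administrator; a dedicated read-only service account is enough for the lookup" ;;
    esac
}

audit_ldapconf() {  # $1=ldap.conf
    if [ "$(conf_value "$1" sasl-secprops)" = "none" ]; then
        echo "ldap.conf: 'sasl-secprops none' requests no integrity or confidentiality on SASL binds; fine for ldapi:///, not for ldap:// across a network"
    fi
}

audit_passthrough() {  # $1=saslauthd.conf $2=ldap.conf
    audit_saslauthd "$1"
    audit_ldapconf "$2"
}

# ---- constructed sample files mirroring the post's settings ----
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/saslauthd.conf" <<'EOF'
ldap_servers: ldap://172.16.197.138
ldap_search_base: CN=Users,dc=myad,dc=com
ldap_filter: sAMAccountName=%U
ldap_bind_dn: CN=Administrator,CN=Users,dc=myad,dc=com
ldap_password: Test1234
ldap_start_tls: no
ldap_auth_method: bind
EOF
chmod 644 "$SAMPLE_DIR/saslauthd.conf"   # the usual default mode, which is the problem
cat > "$SAMPLE_DIR/ldap.conf" <<'EOF'
sasl-host localhost
sasl-secprops none
BASE dc=myad,dc=com
URI ldap://localhost
EOF

audit_passthrough "$SAMPLE_DIR/saslauthd.conf" "$SAMPLE_DIR/ldap.conf"
```

On the sample files this reports four findings; tightening the file mode to 600 removes one, switching to ldaps:// or STARTTLS and a read-only bind account removes the other two on the saslauthd side.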

6. Restart the saslauthd and slapd services and test as below
/usr/sbin/testsaslauthd -u administrator -p Test123

8. Execute the following commands:
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG 
chown ldap. /var/lib/ldap/DB_CONFIG 
service slapd restart

9. Generate a hashed ({SSHA}) password with the slappasswd command
[root@localhost ~]# slappasswd 
New password: 
Re-enter new password: 
{SSHA}rSzjUq/YAVYjnybwN01AsHYs3jHTeZam


10. Create chrootpw.ldif with the content below. Replace {SSHA}xxxxxxxxxxxxxxxxxxxxxx with the output of the above command.
[root@localhost ~]# vim chrootpw.ldif
[root@localhost ~]# cat chrootpw.ldif 
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}rSzjUq/YAVYjnybwN01AsHYs3jHTeZam

[root@localhost ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif 
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"


13. Load the schemas with the commands below, then generate a hashed password for your admin account with slappasswd again
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif 
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif 
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif 

[root@localhost ~]# slappasswd 
New password: 
Re-enter new password: 
{SSHA}HBRqaFKHvhq6EFF5T+MK9/oUN7WQB7Ov


14. Create chdomain.ldif as below. Replace {SSHA}xxxxxxxxxxxxxxxxxxxxxx with the output of the above command.
[root@localhost ~]# vim chdomain.ldif
[root@localhost ~]# cat chdomain.ldif
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
 read by dn.base="cn=Manager,dc=myad,dc=com" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=myad,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=myad,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}HBRqaFKHvhq6EFF5T+MK9/oUN7WQB7Ov

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
 dn="cn=Manager,dc=myad,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=myad,dc=com" write by * read




15. Apply it with the following command:

[root@localhost ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif 
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"




16. Create basedomain.ldif with the content below.

[root@localhost ~]# cat basedomain.ldif 
dn: dc=myad,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: Myad Com
dc: myad

dn: cn=Manager,dc=myad,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=myad,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=myad,dc=com
objectClass: organizationalUnit
ou: Group


17. Execute the following command:

[root@localhost ~]# ldapadd -x -D cn=Manager,dc=myad,dc=com -W -f basedomain.ldif 
Enter LDAP Password: 
adding new entry "dc=myad,dc=com"

adding new entry "cn=Manager,dc=myad,dc=com"

adding new entry "ou=People,dc=myad,dc=com"

adding new entry "ou=Group,dc=myad,dc=com"


18. Create a new user in LDAP to map to the AD account. Create a file with the content below

[root@localhost ~]# cat user.ldif 
dn: uid=user01,ou=People,dc=myad,dc=com
uid: user01
cn: user01
loginShell: /bin/bash
uidNumber: 2055
gidNumber: 100
sn: user01
homeDirectory: /home/o/user01
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: top
userPassword: {SASL}india@myad.com

19. Add the user:
ldapadd -x -D cn=Manager,dc=myad,dc=com -W -f user.ldif -v

Then verify the pass-through by binding as the new user with the AD password; the search only returns the user's own objectClass values:

ldapsearch -H ldap://172.16.197.152:389 -x -D "uid=user01,ou=People,dc=myad,dc=com" -W -b "uid=user01,ou=People,dc=myad,dc=com" -s sub -a always -z 1000 "(objectClass=*)" "objectClass"  | grep -v ^# | grep -v ^$

Tuesday, April 28, 2015

Liferay 6.2 authentication with Active Directory and OpenLDAP @CIGNEX

Configure Liferay authentication with Active Directory or OpenLDAP

Hi Guys,
I am working as Sr. Consultant - MCS (Manage Cloud Service) in CIGNEX Datamatics Pvt. Ltd. We often do Liferay authentication with different directory servers, like Active Directory, OpenLDAP, etc. We can implement authentication against multiple directory servers in Liferay, and we can also use Active Directory and OpenLDAP at the same time in that multiple-directory-server authentication.
Today I am going to write here how we can implement Liferay 6.2 authentication with Active Directory and OpenLDAP.
After the exercise below you will have Liferay authenticating against OpenLDAP and Active Directory using email id. All users will be imported into Liferay. If you don't want to import them into Liferay, you can stop that by disabling the import properties.


Important note:
Before you start, confirm the following:
  1. The AD/OpenLDAP server must be reachable from your machine on port 389.
  2. All users must have values in these fields: sAMAccountName, userPassword, userPrincipalName, givenName, sn.
  3. No user has '@', '_' or similar extra characters in sAMAccountName or uid; users containing these special characters will be neither authenticated nor imported.
  4. Java 1.7.0 or later must be installed on your machine.
  5. JAVA_HOME must be set.
  6. PATH must include the Java bin directory.
  7. iptables and SELinux should be off.

Step 1: Download the Liferay zip file and put it in the /opt directory
root@shankarpatel:~# cd /opt
Step 2: Extract it.
root@shankarpatel:/opt# unzip liferay-portal-tomcat-6.2-ce-ga2-20140319114139101.zip
Step 3: Rename it to liferay and change into that directory
root@shankarpatel:/opt# mv liferay-portal-6.2-ce-ga2 liferay
root@shankarpatel:/opt# cd liferay
Step 4: Create portal-ext.properties file
root@shankarpatel:/opt/liferay# vim portal-ext.properties


Step 5: Now paste the following content into the file


#################################################
# Basic properties: connect to the database using the MySQL driver
#################################################
# Use the MySQL connector
jdbc.default.driverClassName=com.mysql.jdbc.Driver
# Connect to the MySQL server on localhost
jdbc.default.url=jdbc:mysql://localhost/lportal?useUnicode=true&characterEncoding=UTF-8&useFastDateParsing=false
# Database credentials
jdbc.default.username=root
jdbc.default.password=redhat


####
#   Common properties for LDAP authentication and user import in Liferay
#######
ldap.auth.enabled=true
ldap.import.user.password.enabled=true
ldap.import.enabled=true
ldap.import.on.startup=true
ldap.import.interval=5
Context.REFERRAL=follow


####
#   Configuration for authenticating with Active Directory (server index 0).
#######
ldap.base.provider.url.0=ldap://192.168.1.1:389
ldap.base.dn.0=dc=server,dc=com
ldap.security.principal.0=user1
ldap.security.credentials.0=Test1234
ldap.user.mappings.0=screenName=sAMAccountName\npassword=userPassword\nemailAddress=userPrincipalName\nfirstName=givenName\nlastName=sn\njobTitle=title
ldap.import.user.search.filter.0=(objectClass=person)
# The numeric suffix is the server index, so both filters for this server use .0
# To log in by screen name, enable the line below
#ldap.auth.search.filter.0=(sAMAccountName=@screen_name@)
# To log in by email address, enable the line below
#ldap.auth.search.filter.0=(userPrincipalName=@email_address@)



# You can have multiple AD servers, or one AD server and one OpenLDAP server.
# To configure authentication with OpenLDAP as well, add the configuration below.



####
#   Configuration for authenticating with OpenLDAP (server index 1).
#######
ldap.base.provider.url.1=ldap://localhost:389
ldap.base.dn.1=dc=server,dc=com
ldap.security.principal.1=cn=shankar,ou=People,dc=server,dc=com
ldap.security.credentials.1=Test1234
ldap.user.mappings.1=screenName=uid\npassword=userPassword\nemailAddress=mail\nfirstName=givenName\nlastName=sn\njobTitle=title
ldap.import.user.search.filter.1=(objectClass=person)
# Both filters for this server use .1
# To log in by screen name, enable the line below
#ldap.auth.search.filter.1=(cn=@screen_name@)
# To log in by email address, enable the line below
#ldap.auth.search.filter.1=(mail=@email_address@)


Before applying the above settings, change the following parameters to your own values.
jdbc.default.url = change the hostname localhost to your DB server
jdbc.default.username = the username you have for the database
jdbc.default.password = the password for the above user

ldap.base.provider.url.0=ldap://<your Active Directory server name or IP>
ldap.base.dn.0=dc=your,dc=domain
ldap.security.principal.0=Active Directory admin username
ldap.security.credentials.0=password of the above user

ldap.base.provider.url.1=ldap://<your OpenLDAP server name or IP>
ldap.base.dn.1=dc=OPENLDAP,dc=domainname
ldap.security.principal.1=OpenLDAP admin bind DN (as in the example above)
ldap.security.credentials.1=password of the above user
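The ldap.*.N keys above are grouped by server index: N names the directory server, so the provider URL, base DN, principal, credentials, mappings and auth search filter of one server must all carry the same N, and a filter line copied from another server's block with the wrong suffix quietly attaches to the wrong server. The following check script is an added example; it is not Liferay's code and not part of the original post. It parses a portal-ext.properties (a sample mirroring the settings above is constructed inline, with one filter deliberately mis-indexed), verifies every server index is complete, checks that each server's auth filter uses an attribute that server maps, reports duplicate keys, and flags the cleartext ldap:// URLs and database password.

```shell
#!/bin/sh
# Added example; this is not Liferay's code and not from the original post.
# Audits a portal-ext.properties for the per-server consistency the ldap.*.N
# keys require: N is the index of the directory server, so every family
# (provider url, base dn, principal, credentials, mappings, auth filter) must
# carry the same N, and the auth filter's attribute must be one of that
# server's mapped attributes. Cleartext URLs and passwords are flagged too.
# The sample file is constructed below; run on a real file with:
#   audit_portal_ext /opt/liferay/portal-ext.properties

# Last uncommented value of a key (java.util.Properties keeps the last one).
prop() {  # $1=file $2=key
    awk -F= -v k="$2" '$0 !~ /^[ \t]*#/ && $1 == k { v = $0; sub(/^[^=]*=/, "", v); found = 1 }
        END { if (found) print v }' "$1"
}

# Directory server indexes, one per ldap.base.provider.url.N line.
server_indexes() {  # $1=file
    awk -F= '$0 !~ /^[ \t]*#/ && $1 ~ /^ldap\.base\.provider\.url\.[0-9]+$/ { n = $1; sub(/.*\./, "", n); print n }' "$1" | sort -n | uniq
}

# LDAP attributes on the right-hand side of ldap.user.mappings.N (literal \n separated).
mapped_attrs() {  # $1=file $2=server index
    prop "$1" "ldap.user.mappings.$2" |
        awk '{ c = split($0, a, /\\n/); for (i = 1; i <= c; i++) { split(a[i], kv, "="); print kv[2] } }'
}

# Keys set more than once: the later value silently wins.
duplicate_keys() {  # $1=file
    awk -F= '$0 !~ /^[ \t]*#/ && NF > 1 { c[$1]++ } END { for (k in c) if (c[k] > 1) print k }' "$1" | sort
}

audit_portal_ext() {  # $1=file; prints one finding per line
    f="$1"
    for n in $(server_indexes "$f"); do
        for key in ldap.base.dn ldap.security.principal ldap.security.credentials ldap.user.mappings ldap.auth.search.filter; do
            [ -n "$(prop "$f" "$key.$n")" ] || echo "server $n: $key.$n missing or commented out"
        done
        filter=$(prop "$f" "ldap.auth.search.filter.$n")
        attr=${filter#"("}; attr=${attr%%=*}
        if [ -n "$attr" ] && ! mapped_attrs "$f" "$n" | grep -qx "$attr"; then
            echo "server $n: auth filter attribute '$attr' is not among its mapped attributes; index mix-up?"
        fi
        case "$(prop "$f" "ldap.base.provider.url.$n")" in
            ldap://*) echo "server $n: ldap:// carries the bind and user passwords in cleartext; use ldaps://" ;;
        esac
    done
    for k in $(duplicate_keys "$f"); do echo "$k is set more than once; only the last value is used"; done
    if [ -n "$(prop "$f" jdbc.default.password)" ]; then
        echo "jdbc.default.password and ldap.security.credentials.* are cleartext; keep the file owner-only (chmod 600)"
    fi
}

# ---- constructed sample mirroring the post's two-server setup ----
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
jdbc.default.url=jdbc:mysql://localhost/lportal?useUnicode=true&characterEncoding=UTF-8
jdbc.default.username=root
jdbc.default.password=redhat
ldap.auth.enabled=true
ldap.base.provider.url.0=ldap://192.168.1.1:389
ldap.base.dn.0=dc=server,dc=com
ldap.security.principal.0=user1
ldap.security.credentials.0=Test1234
ldap.user.mappings.0=screenName=sAMAccountName\npassword=userPassword\nemailAddress=userPrincipalName\nfirstName=givenName\nlastName=sn\njobTitle=title
# suffix copied from the OpenLDAP block: this filter is tied to server 1, not to server 0
ldap.auth.search.filter.1=(userPrincipalName=@email_address@)
ldap.base.provider.url.1=ldap://localhost:389
ldap.base.dn.1=dc=server,dc=com
ldap.security.principal.1=cn=shankar,ou=People,dc=server,dc=com
ldap.security.credentials.1=Test1234
ldap.user.mappings.1=screenName=uid\npassword=userPassword\nemailAddress=mail\nfirstName=givenName\nlastName=sn\njobTitle=title
ldap.auth.search.filter.1=(mail=@email_address@)
EOF

audit_portal_ext "$SAMPLE"
```

On the sample the mis-indexed filter shows up twice, as a missing ldap.auth.search.filter.0 for the AD server and as a duplicated ldap.auth.search.filter.1; moving the AD filter to index 0 leaves only the cleartext findings.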




Now start Liferay; it will authenticate OpenLDAP and Active Directory users.
Enjoy!