Saturday, July 4, 2015

Open port with firewalld (systemd)

Just a reminder for myself to start looking into this new [good or bad?] systemd stuff.

For now, just opening a TCP port. --permanent only writes the rule to the saved configuration; --reload then applies the saved configuration to the running firewall. Without --zone the rule lands in the default zone, and firewall-cmd --list-ports afterwards confirms it is active:
firewall-cmd --permanent --add-port=16514/tcp
firewall-cmd --reload

Friday, April 24, 2015

Download all packages from Ubuntu repository

To download all packages from a particular repository we can use its "Packages" file. It contains the metadata (name, version, architecture, filename, hashes) of every package in that repository component.

1) Pick the "Packages" file you want (there is one per repository, component and architecture) and copy it to the current directory as Packages:

ls /var/lib/apt/lists/*_Packages

2) Use "apt-get download" to fetch every package listed, skipping those that already have a .deb in the current directory. Only lines starting with "Package:" are used for names, so other fields can never be mistaken for a package:

for i in $(grep '^Package:' Packages | awk '{print $2}'); do ls "${i}"_*.deb >/dev/null 2>&1 || apt-get download "$i"; done

It downloads all the .deb files into the current directory. apt-get download fetches the candidate version for the running architecture and checks each file against the hashes in the signed index, which is why it is preferable to fetching pool URLs directly with wget.
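The same procedure as a reusable script, added here as an example (it is not part of the original post and not an apt or dpkg tool): it parses the Packages index, checks which .deb files are already on disk, and calls apt-get download only for the rest. The two-package index in the demo is constructed sample data, not a real repository, and the script assumes apt-get is configured for the repository the index came from.

```shell
#!/bin/sh
# Added example: download every package listed in a Packages index, skipping
# the ones already present in the target directory.

# Print one package name per line from the Packages index at $1.
# Only "Package:" lines count; "Source:", "Depends:" etc. are ignored.
pkg_names() {
    awk '/^Package:/ { print $2 }' "$1"
}

# Succeed if a file <name>_<version>_<arch>.deb exists in directory $2
# (default: current directory). The underscore right after the name keeps
# "foo" from matching "foo-dev_1.0_amd64.deb".
deb_present() {
    name=$1
    dir=${2:-.}
    set -- "$dir/${name}"_*.deb
    [ -e "$1" ]
}

# Download every package from the index at $1 that is not already present.
# apt-get download fetches the candidate version for the running
# architecture and verifies it against the hashes in the signed index.
download_missing() {
    for p in $(pkg_names "$1"); do
        if deb_present "$p" .; then
            echo "skip $p (already downloaded)"
        else
            apt-get download "$p"
        fi
    done
}

# Stand-alone demo on a constructed two-package index (not a real repository).
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/Packages" <<'EOF'
Package: foo
Version: 1.0-1
Source: foo-src
Architecture: amd64
Filename: pool/main/f/foo/foo_1.0-1_amd64.deb

Package: bar
Version: 2.3
Architecture: amd64
Filename: pool/main/b/bar/bar_2.3_amd64.deb
EOF
    touch "$tmp/foo_1.0-1_amd64.deb"    # pretend foo was fetched earlier
    for p in $(pkg_names "$tmp/Packages"); do
        if deb_present "$p" "$tmp"; then echo "$p: present"; else echo "$p: missing"; fi
    done
    rm -rf "$tmp"
}

case "${1:-}" in demo) demo ;; esac
```

Run it with the argument demo to see the presence check on the sample index; in a directory holding a real Packages file, call download_missing Packages from a shell that has sourced the script.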

Saturday, March 21, 2015

Synchronizing users from AD to OpenLDAP with LSC-project. Password checks are proxied to AD through SASL (saslauthd), so no password hashes are copied.

This post includes:
- LSC-project installation
- Preparing lsc.xml
- saslauthd installation

LSC-project installation

For Ubuntu 12.04. The repository signing key is fetched over plain http below, so compare its fingerprint with the one the LTB project publishes before trusting the repository.

cat << EOF >> /etc/apt/sources.list.d/lsc-project.list
deb     http://lsc-project.org/debian lsc main
deb-src http://lsc-project.org/debian lsc main
EOF
wget -O - http://ltb-project.org/wiki/lib/RPM-GPG-KEY-LTB-project | sudo apt-key add -
apt-get update && apt-get install lsc
apt-get install openjdk-6-jre
mkdir /etc/lsc/ad-to-ldap
cp /etc/lsc/logback.xml /etc/lsc/ad-to-ldap/logback.xml

Preparing lsc.xml


You need to change at least:
- ldapConnection (both source and destination): url, username and password
- baseDn of the source and destination services
- password

Both connections below use SIMPLE binds over plain ldap://, so the bind passwords cross the network in clear text; for anything beyond a lab, use an ldaps:// url or enable StartTLS with tlsActivated. lsc.xml stores the passwords in plain text, so keep it readable only by the user that runs lsc.

Put the XML below into /etc/lsc/ad-to-ldap/lsc.xml:

<?xml version="1.0"?>
<lsc xmlns="http://lsc-project.org/XSD/lsc-core-2.1.xsd" revision="0">
  <connections>
    <ldapConnection>
      <name>dst-ldap</name>
      <url>ldap://10.20.0.3:389/DC=domain,DC=tld</url>
      <username>cn=admin,DC=domain,DC=tld</username>
      <password>xxx</password>
      <authentication>SIMPLE</authentication>
      <referral>IGNORE</referral>
      <derefAliases>NEVER</derefAliases>
      <version>VERSION_3</version>
      <pageSize>-1</pageSize>
      <factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
      <tlsActivated>false</tlsActivated>
      <saslMutualAuthentication>false</saslMutualAuthentication>
    </ldapConnection>
    <ldapConnection>
      <name>src-ad</name>
      <url>ldap://172.18.160.38:389/DC=newdomain,DC=tld</url>
      <username>admin-user@newdomain.tld</username>
      <password>xxx</password>
      <authentication>SIMPLE</authentication>
      <pageSize>1000</pageSize>
    </ldapConnection>
  </connections>
  <audits/>
  <tasks>
    <task>
      <name>MySyncTask</name>
      <bean>org.lsc.beans.SimpleBean</bean>
      <ldapSourceService>
        <name>MySyncTask-src</name>
        <connection reference="src-ad"/>
        <baseDn>cn=Users,DC=newdomain,DC=tld</baseDn>
        <pivotAttributes>
          <string>mail</string>
        </pivotAttributes>
        <fetchedAttributes>
          <string>cn</string>
          <string>sn</string>
          <string>givenName</string>
          <string>mail</string>
          <string>sAMAccountName</string>
          <string>userPrincipalName</string>
        </fetchedAttributes>
        <getAllFilter>(&amp;(mail=*)(objectClass=user))</getAllFilter>
        <getOneFilter>(&amp;(mail={mail})(objectClass=user))</getOneFilter>
        <cleanFilter>(&amp;(mail={mail})(objectClass=user))</cleanFilter>
        <interval>6</interval>
      </ldapSourceService>
      <ldapDestinationService>
        <name>MySyncTask-dst</name>
        <connection reference="dst-ldap"/>
        <baseDn>ou=Users,DC=domain,DC=tld</baseDn>
        <pivotAttributes>
          <string>mail</string>
        </pivotAttributes>
        <fetchedAttributes>
          <string>cn</string>
          <string>sn</string>
          <string>objectClass</string>
          <string>userPassword</string>
          <string>givenName</string>
          <string>mail</string>
          <string>uid</string>
        </fetchedAttributes>
        <getAllFilter>(&amp;(uid=*)(objectClass=inetOrgPerson))</getAllFilter>
        <getOneFilter>(&amp;(objectClass=inetOrgPerson)(mail={mail}))</getOneFilter>
      </ldapDestinationService>
      <propertiesBasedSyncOptions>
        <mainIdentifier>"cn=" + srcBean.getDatasetFirstValueById("cn") + ",ou=Users,dc=domain,dc=tld"</mainIdentifier>
        <defaultDelimiter>;</defaultDelimiter>
        <defaultPolicy>FORCE</defaultPolicy>
        <dataset>
          <name>objectClass</name>
          <policy>FORCE</policy>
          <forceValues>
            <string>"inetOrgPerson"</string>
            <string>"organizationalPerson"</string>
            <string>"person"</string>
            <string>"top"</string>
          </forceValues>
          <delimiter>,</delimiter>
        </dataset>
        <dataset>
          <name>userPassword</name>
          <policy>KEEP</policy>
          <createValues>
            <string>"{SASL}" + srcBean.getDatasetFirstValueById("mail")</string>
          </createValues>
        </dataset>
        <dataset>
          <name>sn</name>
          <policy>FORCE</policy>
          <forceValues>
            <string>srcBean.getDatasetFirstValueById("sAMAccountName")</string>
          </forceValues>
        </dataset>
        <dataset>
          <name>uid</name>
          <policy>FORCE</policy>
          <forceValues>
            <string>srcBean.getDatasetFirstValueById("sAMAccountName")</string>
          </forceValues>
        </dataset>
        <dataset>
          <name>default</name>
          <policy>FORCE</policy>
        </dataset>
      </propertiesBasedSyncOptions>
    </task>
  </tasks>
</lsc>

To synchronize, run the command below (add "-n" for a dry run). "-s all" runs the synchronization tasks and "-c all" runs the clean phase, which deletes destination entries that have no matching source entry (here: no AD user with that mail), so do a dry run first and read the log before letting it modify the directory:
/usr/bin/lsc -f /etc/lsc/ad-to-ldap/ -s all -c all


saslauthd installation

Configure password proxying with SASL. saslauthd is installed on the same node as OpenLDAP (slapd), because slapd reaches it through the local mux socket. Besides selecting the ldap mechanism, set START=yes in /etc/default/saslauthd, otherwise the Ubuntu init script will not start the daemon.

apt-get install libsasl2-modules-ldap sasl2-bin
sed -i 's/^MECHANISMS=.*/MECHANISMS="ldap"/' /etc/default/saslauthd


/etc/saslauthd.conf (it holds the AD bind password, so make it owned by root with mode 0600; note that with ldap_start_tls: no and a plain ldap:// server url both the bind password and every proxied user password go to AD in clear text, so in production set ldap_start_tls: yes or use an ldaps:// url and point ldap_tls_cacert_file at the AD CA certificate):
ldap_servers: ldap://172.18.160.38
ldap_search_base: cn=users,dc=newdomain,dc=tld
ldap_timeout: 10
ldap_filter: sAMAccountName=%U
ldap_bind_dn: cn=romans,cn=users,dc=newdomain,dc=tld
ldap_password: xxx
ldap_deref: never
ldap_restart: yes
ldap_scope: sub
ldap_use_sasl: no
ldap_start_tls: no
ldap_version: 3
ldap_auth_method: bind

/usr/lib/sasl2/slapd.conf:
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux

/etc/ldap/slapd.conf (if slapd is configured through cn=config, the default on Ubuntu 12.04 with /etc/ldap/slapd.d, set the equivalent olcSaslHost and olcSaslSecProps attributes on cn=config instead):
sasl-host       localhost
sasl-secprops   none

Execute the following to give the openldap user access to the saslauthd socket and restart both daemons:

usermod -a -G sasl openldap
service saslauthd restart
service slapd restart

Checking installation

Check that saslauthd is working (for a {SASL}user@realm value slapd also passes the realm, so add -r newdomain.tld to reproduce that exactly; the filter above only uses %U, the user part, so the result is the same):
testsaslauthd -u test1 -p xxx

Check that OpenLDAP can proxy a bind to AD. The bind DN must be the DN of the entry LSC created, that is the value mainIdentifier builds (cn=<AD cn>,ou=Users,dc=domain,dc=tld), not a mail= DN; the command below assumes the test account's cn in AD is also test1. Use -W instead of -w if you do not want the password in the shell history:
ldapsearch -x -LLL \
           -H ldap://127.0.0.1/ \
           -b ou=Users,dc=domain,dc=tld \
           -D 'cn=test1,ou=Users,dc=domain,dc=tld' \
           -w 'xxx'
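The userPassword dataset in lsc.xml and the ldap_filter in /etc/saslauthd.conf only fit together when the local part of each user's mail equals their sAMAccountName: LSC writes {SASL}<mail>, slapd hands the part before '@' to saslauthd as the user (the rest is the realm), and saslauthd then searches AD for sAMAccountName=%U. An account like john.doe@newdomain.tld with sAMAccountName jdoe syncs fine but can never log in through the proxy. The script below is an added pre-flight check for that, not part of the original post and not shipped with LSC, slapd or saslauthd; the account list in the demo is constructed sample data, and the filter it derives assumes the "sAMAccountName=%U" ldap_filter shown above.

```shell
#!/bin/sh
# Added example: pre-flight check for the {SASL} pass-through chain
# (LSC userPassword -> slapd -> saslauthd -> AD).

# Print the filter saslauthd will send to AD for one userPassword value
# (assumes ldap_filter: sAMAccountName=%U). Fails for values that are not
# {SASL}-tagged, since slapd verifies those locally and never calls saslauthd.
sasl_filter_for() {
    pw=$1
    case $pw in
        '{SASL}'*) ;;
        *) echo "not a {SASL} value: $pw" >&2; return 1 ;;
    esac
    id=${pw#"{SASL}"}       # test1@newdomain.tld
    user=${id%%@*}          # test1, what saslauthd substitutes for %U
    echo "sAMAccountName=$user"
}

# Read lines "sAMAccountName<TAB>mail" from file $1 (e.g. an export of the
# AD users LSC will sync) and print the ones that would not authenticate.
# Returns 1 if any mismatch was found, 0 otherwise.
check_passthrough() {
    awk -F'\t' '
        BEGIN { bad = 0 }
        NF == 2 {
            split($2, m, "@")
            if (m[1] != $1) { print $1 "\t" $2; bad = 1 }
        }
        END { exit bad }
    ' "$1"
}

# Stand-alone demo on constructed sample accounts (not real directory data).
demo() {
    tmp=$(mktemp -d)
    printf 'test1\ttest1@newdomain.tld\njdoe\tjohn.doe@newdomain.tld\n' > "$tmp/ad-users.tsv"
    sasl_filter_for '{SASL}test1@newdomain.tld'
    if check_passthrough "$tmp/ad-users.tsv"; then
        echo "all accounts resolve through saslauthd"
    else
        echo "accounts above will fail pass-through authentication"
    fi
    rm -rf "$tmp"
}

case "${1:-}" in demo) demo ;; esac
```

Run it with the argument demo to see jdoe flagged. If the check reports mismatches, either change the userPassword createValues in lsc.xml to build the {SASL} value from sAMAccountName plus the realm, or change ldap_filter in saslauthd.conf to match on the attribute you actually put before the '@'.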

Useful links:
1) Official LSC tutorial OpenLDAP to AD
2) Good blogpost AD to OpenLDAP
3) Official LSC documentation