
Tuesday, 29 May 2012

How to add a new schema to openLDAP 2.4+

I tried to stay away from the new configuration backend introduced in OpenLDAP 2.3 as much as I could, but today I had to face it.

I understand the reasons behind it, but I have to say that the docs are pretty scarce and any newbie has a pretty steep learning curve ahead, especially if used to the old way of configuring LDAP.

The configuration is now in LDIF format and follows a pretty logical scheme, which is clearly shown in this picture.
What you find inside these trees (which are also directories inside /etc/ldap/slapd.d) is everything your LDAP server knows about; the rest of /etc/ldap is not really that interesting.

Anyway, you are here to read something else, I know. I honestly could not find a straight answer to the question in the title of this post: there are a lot of places that contain bits of info, but as usual the work needed to put everything together is still considerable. That's why I am writing this post.

[UPDATE: just found this which is pretty close to what I needed.]

I will start with a practical real-life example: adding the sshPublicKey schema kindly provided here to your LDAP server. [I am basing my example on a Debian Squeeze installation]

Now, in /etc/ldap/schema/ you will find a lot of .schema files, and that is where you will start to get confused... so forget the schema files.

Copy openssh-lpk_openldap.schema into the /etc/ldap/schema/ directory (just to keep them happy together):
#
# LDAP Public Key Patch schema for use with openssh-ldappubkey
# Author: Eric AUGE <eau@phear.org>
# 
# Based on the proposal of : Mark Ruijter
#


# octetString SYNTAX
attributetype ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' 
 DESC 'MANDATORY: OpenSSH Public key' 
 EQUALITY octetStringMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )

# printableString SYNTAX yes|no
objectclass ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
 DESC 'MANDATORY: OpenSSH LPK objectclass'
 MAY ( sshPublicKey $ uid ) 
 )

Create a temporary directory, e.g. /tmp/ldapstuff, and create a dummy file there called for instance slapd.conf which contains only this line:
include /etc/ldap/schema/openssh-lpk_openldap.schema
Run
cd /tmp/ldapstuff && slaptest -f slapd.conf -F .
This will create in place a directory called cn=config and a file cn=config.ldif.

Run
cd cn=config/cn=schema && vim cn={0}openssh-lpk_openldap.ldif 
The only interesting things that need to stay in that file are the following:
dn:
cn:
objectClass:
olcAttributeTypes:
olcObjectClasses: 
So remove everything else and edit dn and cn. This is a schema, so it will need to live inside the cn=schema,cn=config tree; the result should be:
dn: cn=openssh-lpk_openldap,cn=schema,cn=config
cn: openssh-lpk_openldap
Now you are ready to add this to your LDAP server:
ldapadd -Dcn=admin,cn=config -W -f /tmp/ldapstuff/cn=config/cn=schema/cn={0}openssh-lpk_openldap.ldif
That's it. You can verify that it's really there with:
ldapsearch -xLLL -D cn=admin,cn=config -W -b cn=config cn=*ssh*
This should give you some result. This is pretty much applicable to any other schema.
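What slaptest and the hand editing above produce can be reproduced in a few lines, which makes the transformation less mysterious. The following is an added example, not code from this post or from OpenLDAP: it takes the two definitions quoted above (embedded as a constructed string), strips the slapd.conf comments, collapses each parenthesised definition onto one line, and emits the cn=config entry with the dn and cn this post arrives at, folding long lines the way LDIF requires. It does not replace slaptest (no syntax validation, and no {0} ordering prefixes, which are optional when adding with ldapadd).

```python
import re

# Constructed input: the two definitions from openssh-lpk_openldap.schema
# quoted in the post (comments and blank lines kept on purpose).
SCHEMA_TEXT = """\
# octetString SYNTAX
attributetype ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey'
 DESC 'MANDATORY: OpenSSH Public key'
 EQUALITY octetStringMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )

# printableString SYNTAX yes|no
objectclass ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
 DESC 'MANDATORY: OpenSSH LPK objectclass'
 MAY ( sshPublicKey $ uid )
 )
"""

# slapd.conf schema keyword -> cn=config attribute (the names slaptest emits)
KEYWORDS = {
    "attributetype": "olcAttributeTypes",
    "objectclass": "olcObjectClasses",
}

DEFINITION = re.compile(r"\b(attributetype|objectclass)\s*\(", re.IGNORECASE)


def strip_comments(text):
    """Drop whole-line '#' comments, the only comment form slapd.conf has."""
    return "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))


def parse_schema(text):
    """Return [(keyword, definition)] with each parenthesised definition
    collapsed onto one line, e.g. ('attributetype', '( 1.3.6... NAME ... )')."""
    text = strip_comments(text)
    out, pos = [], 0
    while True:
        m = DEFINITION.search(text, pos)
        if not m:
            break
        start = m.end() - 1          # index of the opening parenthesis
        depth, i = 0, start
        while i < len(text):         # MAY ( a $ b ) nests one level, so count
            if text[i] == "(":
                depth += 1
            elif text[i] == ")":
                depth -= 1
                if depth == 0:
                    break
            i += 1
        if depth != 0:
            raise ValueError("unbalanced parentheses in %s definition" % m.group(1))
        body = " ".join(text[start:i + 1].split())
        out.append((m.group(1).lower(), body))
        pos = i + 1
    return out


def fold_ldif_line(line, width=78):
    """RFC 2849 folding: continuation lines begin with a single space."""
    if len(line) <= width:
        return [line]
    parts, rest = [line[:width]], line[width:]
    while rest:
        parts.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return parts


def schema_to_ldif(name, schema_text):
    """Build the entry under cn=schema,cn=config that the post edits by hand."""
    lines = [
        "dn: cn=%s,cn=schema,cn=config" % name,
        "objectClass: olcSchemaConfig",
        "cn: %s" % name,
    ]
    for keyword, body in parse_schema(schema_text):
        lines.append("%s: %s" % (KEYWORDS[keyword], body))
    folded = []
    for line in lines:
        folded.extend(fold_ldif_line(line))
    return "\n".join(folded) + "\n"


def unfold_ldif(ldif_text):
    """Inverse of folding, so the result can be checked attribute by attribute."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


if __name__ == "__main__":
    print(schema_to_ldif("openssh-lpk_openldap", SCHEMA_TEXT), end="")
```

Feed the output to the same ldapadd command as above; if slapd rejects it, the error names the attribute, so compare that line against the original .schema before suspecting the bind.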

Wednesday, 9 February 2011

Downgrade from squeeze to lenny..

If you were distracted in the last 3 days and forgot that Debian 'stable' became 'squeeze' last Sunday, or just inadvertently issued 'apt-get upgrade' on your lenny machine, wondering why you had more than 200 packages to update but still pressing Yes Yes Yes... well, you have done what I did on at least one of my servers...

But no problem, downgrading is easy in apt.

Just put:

Package: *
Pin: release a=oldstable
Pin-Priority: 1001
in /etc/apt/preferences and run again:
apt-get update && apt-get upgrade
I was lucky enough to have to force just one package:
dpkg -i --force-overwrite /var/cache/apt/archives/sysvinit_2.86.ds1-61_i386.deb
and reinstall one package because apticron was failing the downgrade:

apt-get install mktemp --reinstall && apt-get install apticron
Cheers

Wednesday, 14 October 2009

Debian packaging: Changing permissions and ownership of dirs

Regarding creating users and permissions our beloved Debian Policy [chap. 10.9] tells us:
...you must arrange for your package to create the user or group if necessary using adduser in the preinst or postinst script (again, the latter is to be preferred if it is possible).

I wanted to stick to the postinst since it's preferable, so I couldn't change the permissions in the rules file.

Now the thing is, I need to give this user permissions for the directories it will need to own, write to and so on. I already have the directories listed in debian/dirs and I don't want to hardcode anything else in the rules or in the postinst. Of course, not being such an experienced Debian developer, I started to google but didn't find anything... asked around but nothing yet... so in the end I hacked it this way:
debian/rules:
...
# The directories the package creates, one per line in debian/dirs
MYDIRS := $(shell cat $(CURDIR)/debian/dirs)
# One "chown -R $the_user <dir>;" per directory; \$$ survives make and the
# shell as a literal $, so $the_user is expanded later by the postinst shell
SUBME := $(foreach dir, $(MYDIRS), chown -R \$$the_user $(dir);)
# Escape the slashes so the whole string is usable as a sed replacement
SUBFRIENDLY := $(shell echo "$(SUBME)" | sed -e 's/\//\\\//g')
...
binary-indep: build install
...
	dh_installdeb
	# Substitute the generated chown commands into the installed postinst
	sed -i -e 's/PLACEHOLDER/$(SUBFRIENDLY)/' $(DESTDIR)/DEBIAN/postinst
...
...

debian/postinst:
...
configure)
the_user="xyz"
# Create the user if it does not exist
if ! getent passwd $the_user > /dev/null; then
adduser $the_user
fi

# Change the permissions for the given dirs (this line is replaced at build time by debian/rules)
PLACEHOLDER
...


(user=xyz can easily be changed to a numeric ID)

I don't know if this is the 'standard' way to do it (or if there is a standard way) but it's at least a way that worked... If anybody out there can give me a hint on how to do it better, it would be really appreciated.

Sunday, 8 June 2008

MiMMS: My first OSS project :D

I started to work on MiMMS, an MMS stream downloader written in Python.

When I first looked at the application it looked pretty much like what I needed to download Italian TV shows to my N810 and watch them while I was on the bus (trying to take advantage of dead time). The little problem was that (as with many other MMS servers) the bandwidth was limited and it was taking me an hour to download just one show.
So I registered a new branch of MiMMS that allows you to split the stream into many parts and use all your bandwidth to be quicker. It still needs a lot of work, but it works pretty well and I hope it'll soon be packaged for Debian.

Enjoy ;)

Tuesday, 1 April 2008

Apache2.2, LDAP authentication / authorization and require ldap-group

In Apache 2.2 (the default in Debian Etch) all the LDAP authentication/authorization was rewritten. (Thank you guys for a great piece of FREE software.)

The module that performs both authentication (Authn) and authorization (Authz) for Apache is sometimes not very intuitive, as Brad Nicholes says in this comment.

The problem is this: I have a nice way to provide an authentication alias through mod_authn_alias to keep my Apache config clean and understandable, BUT I cannot use that alias to perform authorization in many cases...

For example, if I want to use the
Require ldap-group
directive, I have two ways of doing it.

Either you DON'T use AuthnProviderAlias (BTW I just understood that Authn stands for authentication while Authz stands for authorization... VERY intuitive), like this:

<Directory /mydir>
AuthType Basic
AuthUserFile /dev/null
AuthName "Access"
AuthBasicProvider ldap
AuthLDAPUrl ldap://myldap.server.com/o=myorg?uid?sub
AuthLDAPBindDN cn=account,ou=accounts,o=myorg
AuthLDAPBindPassword ****
require ldap-group cn=AGroup, ou=Groups, o=myorg
Options Indexes FollowSymLinks
Order deny,allow
Allow from all
</Directory>

Or you DO specify both the Authn alias AND the AuthLDAPUrl in the Directory, like this:

<AuthnProviderAlias ldap ldap-alias>
AuthLDAPUrl ldap://myldap.server.com/o=myorg?uid?sub
AuthLDAPBindDN cn=account,ou=accounts,o=myorg
AuthLDAPBindPassword ****
</AuthnProviderAlias>
<Directory /mydir>
AuthType Basic
AuthUserFile /dev/null
AuthName "Access"
AuthBasicProvider ldap-alias
AuthLDAPUrl ldap://myldap.server.com/o=myorg?uid?sub
AuthLDAPBindDN cn=account,ou=accounts,o=myorg
AuthLDAPBindPassword ****
require ldap-group cn=AGroup, ou=Groups, o=myorg
Options Indexes FollowSymLinks
Order deny,allow
Allow from all
</Directory>


In a few words, it doesn't make sense to use AuthnProviderAlias in this case... Just use the first approach: even though it looks very bad, it looks better than the other :D

Monday, 21 January 2008

I have no name! (problems with LDAP on Debian)

Short post.

If you bound your machine to an LDAP server using PAM and libnss on a Debian box and you run into this:

I have no name!@yourmachine:~$


Check the permissions of both libnss-ldap.conf and pam_ldap.conf. They have to be world readable ;)
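World readable is what NSS needs, since every process resolving a name reads libnss-ldap.conf, but it also means nothing secret may live in these files (the root bind password belongs in the root-only /etc/pam_ldap.secret and /etc/libnss-ldap.secret instead). The following added check (not from this post) reports, for each file, whether it is world readable and whether a bindpw directive sits in a world-readable file; the demo() function writes three constructed files into a temporary directory so it runs without root and without touching /etc.

```python
import os
import re
import stat
import tempfile

# Files the post says must be world readable for NSS/PAM lookups to work.
CONFIG_FILES = ["/etc/libnss-ldap.conf", "/etc/pam_ldap.conf"]
# A bind password in the world-readable config is readable by every local user;
# Debian provides the root-only *.secret files for the rootbinddn password.
SECRET_DIRECTIVE = re.compile(r"^\s*bindpw\s+\S", re.M)


def check_config(path):
    """Return (world_readable, leaks_secret) for one config file."""
    mode = os.stat(path).st_mode
    world_readable = bool(mode & stat.S_IROTH)
    with open(path) as fh:
        has_secret = SECRET_DIRECTIVE.search(fh.read()) is not None
    return world_readable, world_readable and has_secret


def diagnose(paths=CONFIG_FILES):
    """Map each file to a verdict: 'ok', 'not world readable' (the
    "I have no name!" symptom), 'secret in world-readable file' or 'missing'."""
    verdicts = {}
    for path in paths:
        if not os.path.exists(path):
            verdicts[path] = "missing"
            continue
        readable, leaks = check_config(path)
        if not readable:
            verdicts[path] = "not world readable"
        elif leaks:
            verdicts[path] = "secret in world-readable file"
        else:
            verdicts[path] = "ok"
    return verdicts


def demo():
    """Constructed files in a temp dir exercising all three verdicts."""
    d = tempfile.mkdtemp()
    good = os.path.join(d, "pam_ldap.conf")
    locked = os.path.join(d, "libnss-ldap.conf")
    leaky = os.path.join(d, "pam_ldap_leaky.conf")
    with open(good, "w") as fh:
        fh.write("uri ldap://yourldap.com\nbase o=yourbase\nldap_version 3\n")
    os.chmod(good, 0o644)            # what the post asks for
    with open(locked, "w") as fh:
        fh.write("uri ldap://yourldap.com\nbase o=yourbase\n")
    os.chmod(locked, 0o600)          # reproduces "I have no name!"
    with open(leaky, "w") as fh:
        fh.write("uri ldap://yourldap.com\nbindpw not-a-real-password\n")
    os.chmod(leaky, 0o644)           # readable, but carries a credential
    return diagnose([good, locked, leaky])


if __name__ == "__main__":
    for path, verdict in demo().items():
        print("%-40s %s" % (path, verdict))
    for path, verdict in diagnose().items():
        print("%-40s %s" % (path, verdict))
```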

Enjoy :D

Monday, 26 November 2007

Linux Mint

I've been a Debian user for a while and I like it; of course sometimes it's a bit difficult for the non-geek user to work with, you always have to install something that is not there, copy something that is missing and so on. Despite everything I like it a lot.

I've never tried Ubuntu but I know it's more end-user oriented and easier to install. A week ago a distro based on Ubuntu Gutsy (which is based on Debian) was released, so I decided to give it a try as a live installation on a USB stick.

Its name is Linux Mint and I was honestly really surprised by its ease of use and by the richness of the basic system. It's very strong in multimedia support, so when it comes to Java, Flash and DivX support you don't have to do anything, just use it.

If you have time to invest, give it a try --> Linux Mint

It's also very easy to put it on your USB stick --> here

Thursday, 8 November 2007

Debian sid, gnome-power-manager suspend/hibernate and a ThinkPad X31

While getting the laptop ready for use I ran into a really annoying little problem: gnome-power-manager wasn't able to suspend or hibernate the laptop.

Luckily (after half an hour of googling) I found this on the gnome-power-manager mailing list:
Have a look at /etc/dbus-1/system.d/hal.conf and change the at_console="true" line to user="username_of_you". Then restart dbus.

And that did the trick :D

(I also added myself to the powerdev group... you never know ;) )
adduser [myuser] powerdev

Debian etch on ThinkPad X31 via USB stick (for dummies like me)

I was trying to install Debian Etch from scratch on my ThinkPad X31 and since it doesn't have a CD-ROM I had to use a USB stick.

I followed the steps in the Debian Installation Guide.

Copying the files — the easy way didn't work for me... I was getting "Boot Error".

So I tried Copying the files — the flexible way and it didn't get any further.

Then I read this warning:
If your system refuses to boot from the memory stick, the stick may contain an invalid master boot record (MBR). To fix this, use the install-mbr command from the package mbr:

# install-mbr /dev/sda


Well, OK, that went a bit better... now I was getting this at boot:
MBR FA:

Actually it wasn't that self-explanatory... So I had to take one more step: read the install-mbr docs.
--enable


It didn't say much but it was a hint. In the end it worked like this:
at boot, when it shows "MBR FA:", I pressed A and it then showed a clearer "MBR 1234FA:". So I pressed 1 (the partition of the USB stick was the first one)... and hurrah, it worked.

If this still doesn't work for you... here's a full list of useful hints

Tuesday, 23 October 2007

LinuxDay.IT

Saturday will be an important day for Linux users all over Italy: Linux Day 2007 will give those who are passionate about open source and Linux a chance to refresh their ideas, and those who are not a chance to form new ones... away from Apple & Microsoft :D

More info on http://www.linuxday.it/

Thursday, 2 August 2007

webdav cadaver and SSL certificates

I ran into a bit of a problem today with cadaver (the command-line interface for WebDAV). I wanted to connect to a DAV share on a secure site that had a self-signed certificate, and I wanted to put the procedure in a script. Each time, cadaver was asking to accept the certificate, which isn't compatible with running it from a script.
So after an hour of googling I found out that cadaver fetches the CA certs from a not-well-defined "ca-bundle.crt" file and that the version compiled in Debian lenny (0.22.5-2) doesn't have it defined. And (what is worse) you can only define the variable at compile time.

So if you run into the same problem, just do this:

1) Get the cert:
echo "quit" | openssl s_client -connect host:port 2>&1 |\
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cert

2) Add the cert to the certificate bundle file:
cat cert >> /etc/ssl/certs/ca-certificates.crt

3) Get cadaver sources:
apt-get source cadaver

4) Recompile them with the right options:
./configure --with-ca-bundle="/etc/ssl/certs/ca-certificates.crt" --with-ssl && make

5) Use the compiled version instead of the installed one in your script (or run make install to install it)
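Step 2 appends whatever s_client printed to the system bundle, so it is worth checking what is being trusted first. The following added example (not from this post or from cadaver) does the PEM extraction of step 1 in Python, computes the SHA-256 fingerprint of the DER bytes, and only hands back the certificate for appending if that fingerprint matches a value obtained out of band (for instance read off the server's own console) and it is not already in the bundle. The s_client output is a constructed stand-in whose certificate body is arbitrary bytes rather than a real certificate, so the example runs offline; the hostname dav.example.test is made up.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)

# Constructed stand-in for `openssl s_client` output. The base64 body is NOT a
# certificate, just labelled filler bytes, so the example runs offline; the
# extraction and fingerprinting logic is identical for a real server.
_CONSTRUCTED_BODY = base64.b64encode(b"constructed-cert-body-for-example-only").decode()
S_CLIENT_OUTPUT = """\
CONNECTED(00000003)
depth=0 CN = dav.example.test
verify error:num=18:self signed certificate
---
Certificate chain
 0 s:/CN=dav.example.test
   i:/CN=dav.example.test
---
Server certificate
-----BEGIN CERTIFICATE-----
%s
-----END CERTIFICATE-----
subject=/CN=dav.example.test
issuer=/CN=dav.example.test
---
DONE
""" % _CONSTRUCTED_BODY


def extract_pem_certs(text):
    """Every PEM certificate block in `text`, re-wrapped to 64-column base64.
    This is what the post's sed range expression does, minus the noise."""
    certs = []
    for body in PEM_BLOCK.findall(text):
        b64 = "".join(body.split())
        wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        certs.append("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % wrapped)
    return certs


def sha256_fingerprint(pem):
    """SHA-256 over the DER bytes, colon separated like `openssl x509 -fingerprint`."""
    body = PEM_BLOCK.search(pem).group(1)
    der = base64.b64decode("".join(body.split()))
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def bundle_fingerprints(bundle_text):
    """Fingerprints of everything already in ca-certificates.crt."""
    return {sha256_fingerprint(c) for c in extract_pem_certs(bundle_text)}


def certs_to_append(s_client_output, bundle_text, expected_fingerprint):
    """PEM blocks that may be appended to the bundle: only a certificate whose
    fingerprint matches the out-of-band value, and only if not already present.
    Anything else raises instead of being trusted by accident."""
    found = extract_pem_certs(s_client_output)
    if not found:
        raise ValueError("no certificate in s_client output")
    matching = [p for p in found if sha256_fingerprint(p) == expected_fingerprint]
    if not matching:
        raise ValueError("no certificate matches the expected fingerprint; refusing to trust")
    existing = bundle_fingerprints(bundle_text)
    return [p for p in matching if sha256_fingerprint(p) not in existing]


if __name__ == "__main__":
    for pem in extract_pem_certs(S_CLIENT_OUTPUT):
        print(sha256_fingerprint(pem))
```

In a script, the expected fingerprint is a constant you pasted in after checking it on the server; if the server's certificate changes, the script stops instead of quietly trusting the new one.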

Tuesday, 31 July 2007

midnight commander - key shortcuts quick reference

I have to admit: I'm not really a heavy user of midnight commander, so I tend to forget the keyboard shortcuts, and since you can't just try them (you could do something harmful to your files) I always end up looking for midnight commander key shortcuts on Google.

Tired of doing that, I copied the content of this page into a PDF and printed it... I thought maybe it could be useful to someone. So here it is

Wednesday, 16 May 2007

Configure pam on Debian to authenticate against an ldap server (sarge and etch)

There are tons of guides on how to use PAM to link your Debian box to LDAP; this is just another one, made as simple as possible.


Configure access to a Debian machine using PAM and LDAP

We assume here that you already have an LDAP server up, running and configured.

When configuring and/or reconfiguring libnss-ldap and/or libpam-ldap it's always better to do it using dpkg-reconfigure rather than editing files by hand, since the right services are then restarted automatically.

Install the needed modules:

apt-get install ldap-utils libpam-ldap libnss-ldap nscd


Configuring libnss-ldap

Sarge

enable automatic configuration updates by debconf yes

LDAP server host address yourldap.com

distinguished name of the search base o=yourorganization

LDAP version to use 1 (menu option 1 is LDAP version 3, option 2 is version 2)

database requires login no

make configuration readable/writeable by owner only yes

Etch
LDAP server Uniform Resource Identifier: ldap://yourldap.com

Distinguished name of the search base: o=yourbase

LDAP version to use: 1 (menu option 1 is LDAP version 3, option 2 is version 2)

Does the LDAP database require login? no

Special LDAP privileges for root? no

Make the configuration file readable/writeable by its owner only? yes

Configuring nss

Edit the file /etc/nsswitch.conf:
passwd: ldap compat
group: ldap compat
shadow: ldap compat
Configuring pam_ldap

Sarge

LDAP Server host. yourldap.com

The distinguished name of the search base. dc=whatever

LDAP version to use. 1

Make local root Database admin. no

Database requires logging in. no

Local crypt to use when changing passwords. 2 (menu: 1. clear 2. crypt 3. nds 4. ad 5. exop 6. md5)

Etch
LDAP server Uniform Resource Identifier: ldap://yourldap.com

Distinguished name of the search base: dc=whatever

LDAP version to use: 1

Make local root Database admin. no

Does the LDAP database require login? no

Local crypt to use when changing passwords. 2 (menu: 1. clear 2. crypt 3. nds 4. ad 5. exop 6. md5)

Editing pam configuration files

Add to /etc/pam.d/common-account
account sufficient pam_ldap.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022

Add to /etc/pam.d/common-auth
auth sufficient pam_ldap.so

Add to /etc/pam.d/common-password
password sufficient pam_ldap.so
Add to /etc/pam.d/common-session
session sufficient pam_ldap.so

If you want to restrict access with a more complex filter string, add to /etc/pam_ldap.conf:
pam_filter |(uid=oneuser)(uid=anotheruser)(objectclass=specialAccount)
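The value of pam_filter is a fragment of an LDAP search filter; the leading | and the missing outer parentheses look odd until you know that pam_ldap.conf describes the directive as "Filter to AND with uid=%s", i.e. pam_ldap wraps it into (&(uid=<login>)(<pam_filter>)). The following added example (not from this post or from pam_ldap; the combined form is taken from that comment) builds the filter above from a list of users with RFC 4515 escaping of the values, reproduces the combined search, and checks that the parentheses balance before you restart nscd and ssh.

```python
# RFC 4515 escaping for values placed inside an LDAP search filter: these
# characters would otherwise change the structure of the filter.
_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value):
    """Escape one assertion value so it cannot alter the filter structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def allowlist_filter(uids, objectclass=None):
    """The pam_filter value used in the post: an OR of uid terms, optionally
    extended with an objectclass term. No outer parentheses on purpose,
    pam_ldap adds them (see combined_filter)."""
    terms = ["(uid=%s)" % escape_filter_value(u) for u in uids]
    if objectclass:
        terms.append("(objectclass=%s)" % escape_filter_value(objectclass))
    return "|" + "".join(terms)


def combined_filter(login_attr, login, pam_filter):
    """The search pam_ldap runs for a login attempt, following the
    pam_ldap.conf comment 'Filter to AND with uid=%s' (assumed form)."""
    return "(&(%s=%s)(%s))" % (login_attr, escape_filter_value(login), pam_filter)


def balanced(filter_text):
    """Sanity check before restarting nscd/sshd: parentheses must nest and
    escaped bytes such as \\28 must not count as parentheses."""
    depth, i = 0, 0
    while i < len(filter_text):
        ch = filter_text[i]
        if ch == "\\":           # skip backslash plus two hex digits
            i += 3
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
        i += 1
    return depth == 0


if __name__ == "__main__":
    f = allowlist_filter(["oneuser", "anotheruser"], "specialAccount")
    print("pam_filter " + f)
    print(combined_filter("uid", "bob", f))
```

The escaping matters for the login name as much as for the allowlist: with it, a login such as *)(uid=* produces the same number of parentheses as an ordinary name and cannot widen the match.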

REMEMBER TO RESTART NSCD and SSH EVERY TIME YOU CHANGE SOMETHING!


Friday, 20 April 2007

debianPackaging (for dummies) part two

So now that you have built your package you want to show some nice message during its installation...

A shell script in the postinst? Naaahh... it's highly deprecated... debconf is what you're looking for.

debconf is not as complicated as debuild is. Clicking the link gets you most of the stuff explained.

Just a couple of things:

* remember to declare every variable you use in your templates file
* remember to put dh_installdebconf in your rules file
* if you really want to display that info message that you really want to display, put Type: note

Friday, 23 March 2007

debianPackaging (for dummies) part one

I'm writing this post because quite recently I've had to deal with some simple Debian packaging and it took me a while (2 days) to get something out of it. The Debian Maintainer's Guide didn't help, and neither did googling around.

Luckily my beloved colleague helped me find my way to a Debian package.

The problem seemed quite easy: I have N scripts and I just wanted to create a bunch of packages to ease their installation.

First thing to do:
mkdir <name-of-package>-<version>
cd <name-of-package>-<version>
mv <all-the-scripts-you-want> .
dh_make

This will create a debian directory inside your dir and hopefully a <name-of-package>-<version>.orig.tar.gz outside of it (if not, don't worry, it'll appear).

Now you have two choices:
1) create just one binary package out of your source directory
2) create multiple binary packages

Here is the point where I got puzzled, since nowhere is it written how debuild gets the information about what to put where.

Now, the Debian Maintainer's Guide and many other resources explain how to use the debian/rules and debian/control files, but they don't really explain what to put there (at least I haven't found where...).

. debian/rules
This is nothing more than a Makefile and it's called automatically each time you run debuild.

. debian/control
This lists the package(s) that will be built and their characteristics (dependencies above all).


What no one tells you is that the debian directory is the **special** place that HAS to contain your scripts/binaries in their final-destination-directory path.

Case 1) --single binary--
So if you want scriptA to end up in /usr/share/whatever/scriptA once your package is installed, you have to put it somehow in debian/usr/share/whatever/. Note that the script doesn't have to be there already; it has to be put there during debuild, i.e. you have to write inside debian/rules the commands to take scriptA from your-source-dir and put it in your-source-dir/debian/usr/share/whatever/

Snippet of debian/rules (it is a Makefile, so the target ends with a colon and the recipe lines are tab-indented):
install:
	# create the destination first, then copy the script with the right mode
	install -d debian/usr/share/whatever
	install -m 755 scriptA debian/usr/share/whatever/

Case 2) --multiple binaries--
Same as Case 1) BUT the script(s) have to be put in debian/usr/share/whatever/name-of-the-package, where name-of-the-package is the name of the binary package that you defined in debian/control

Now go into the source directory and run debuild; if you are lucky everything will go fine.