8/9/2017

Install Nss Ldap Rhel 6 Documentation

Permission is granted to copy, distribute, and/or modify this document under the terms of the Open Publication License, Version 1.0, or any later version. This document presents information about installing, configuring, running and maintaining an LDAP (Lightweight Directory Access Protocol) server on a Linux machine.

OpenLDAP Software 2. Administrator's Guide: Using TLS

This document is not a complete reference for OpenLDAP software; the manual pages are the definitive documentation. For best results, you should use the manual pages.

LDAP clients and servers are capable of using the Transport Layer Security (TLS) framework to provide integrity and confidentiality protections and to support LDAP authentication using the SASL EXTERNAL mechanism. TLS is defined in RFC4. Note: For generating certificates, please reference http://www. TLS uses X.509 certificates to carry client and server identities. For more information on creating and managing certificates, see the OpenSSL, GnuTLS, or MozNSS documentation, depending on which TLS implementation libraries you are using. The DN of a server certificate must use the CN attribute to name the server, and the CN must carry the server's fully qualified domain name. Additional alias names and wildcards may be present in the subjectAltName certificate extension. Since X.509 is a part of the X. LDAP is also based on X. DN formats and generally the DN in a user's X. DN of their LDAP entry. However, sometimes the DNs may not be exactly the same, and so the mapping facility described in Mapping Authentication Identities can be applied to these DNs as well.

After obtaining the required certificates, a number of options must be configured on both the client and the server to enable TLS and make use of the certificates. The server must be configured with the CA certificates and also its own server certificate and private key. Typically a single CA will have issued the server certificate and all of the trusted client certificates, so the server only needs to trust that one signing CA.

However, a client may wish to connect to a variety of secure servers managed by different organizations, with server certificates generated by many different CAs. As such, a client is likely to need a list of many different trusted CAs in its configuration.

The configuration directives for slapd belong in the global directives section of slapd. This directive specifies the PEM-format file containing certificates for the CAs that slapd will trust. The certificate for the CA that signed the server certificate must be included among these certificates.

If the signing CA was not a top-level (root) CA, certificates for the entire sequence of CAs from the signing CA to the top-level CA should be present. Multiple certificates are simply appended to the file; the order is not significant.

This directive specifies the path of a directory that contains individual CA certificates in separate files. When using this feature, the OpenSSL library will attempt to locate certificate files based on a hash of their name and serial number. As such, this option can only be used with a filesystem that actually supports symbolic links. In general, it is simpler to use the TLSCACertificateFile directive instead.

When using Mozilla NSS, this directive can be used to specify the path of the directory containing the NSS certificate and key database files. Certificates are generally public information and require no special protection. When using Mozilla NSS, if using a cert/key database (specified with TLSCACertificatePath), this directive specifies the name of the certificate to use, e.g. TLSCertificateFile Server-Cert. If using a token other than the internal built-in token, specify the token name as well, e.g. TLSCertificateFile my hardware device:Server-Cert. Use certutil -L to list the certificates by name.

This directive specifies the file that contains the private key that matches the certificate stored in the TLSCertificateFile file. Private keys themselves are sensitive data and are usually password encrypted for protection. However, the current implementation doesn't support encrypted keys, so the key must not be encrypted and the file itself must be protected carefully. When using Mozilla NSS, this directive specifies the name of a file that contains the password for the key for the certificate specified with TLSCertificateFile.

You can use the command. ALL. to obtain a verbose list of available cipher specifications. Besides the individual cipher names, the specifiers HIGH, MEDIUM, LOW, EXPORT, and EXPORT4. TLSv1, SSLv3, and SSLv. To obtain the list of ciphers in GnuTLS use gnutls-cli -l.

When using Mozilla NSS, the OpenSSL cipher suite specifications are used and translated into the format used internally by Mozilla NSS.

If the system provides /dev/urandom then this option is not needed, otherwise a source of random data must be configured. Some systems (e.g. Linux) provide /dev/urandom by default, while others (e.g. Solaris) require the installation of a patch to provide it, and others may not support it at all. In the latter case, EGD or PRNGD should be installed, and this directive should specify the name of the EGD/PRNGD socket. The environment variable RANDFILE can also be used to specify the filename. Also, in the absence of these options, the . To use the .rnd file, just create the file and copy a few hundred bytes of arbitrary data into the file. The file is only used to provide a seed for the pseudo-random number generator, and it doesn't need very much data to work. This directive is ignored with GnuTLS and Mozilla NSS.

This directive specifies the file that contains parameters for Diffie-Hellman ephemeral key exchange.

TLSCertificateKeyFile points to a DSA key), and RSA when the 'key encipherment' key usage is not specified in the certificate. This option is set to never by default, in which case the server never asks the client for a certificate. With a setting of allow the server will ask for a client certificate; if none is provided the session proceeds normally. If a certificate is provided but the server is unable to verify it, the certificate is ignored and the session proceeds normally, as if no certificate had been provided. With a setting of try the certificate is requested, and if none is provided, the session proceeds normally.

If a certificate is provided and it cannot be verified, the session is immediately terminated. With a setting of demand the certificate is requested and a valid certificate must be provided, otherwise the session is immediately terminated. Note: The server must request a client certificate in order to use the SASL EXTERNAL authentication mechanism with a TLS session.

As such, a non-default TLSVerifyClient setting must be configured before SASL EXTERNAL authentication may be attempted, and the SASL EXTERNAL mechanism will only be offered to the client if a valid client certificate was received. The names of the directives are different, and they go into ldap. Also, while most of these options may be configured on a system-wide basis, they may all be overridden by individual users in their . The LDAP Start TLS operation is used in LDAP to initiate TLS negotiation.

As noted in the TLS Configuration section, a client typically may need to know about more CAs than a server, but otherwise the same considerations apply. This is equivalent to the server's TLSCACertificatePath option. The specified directory must be managed with the OpenSSL c. This is a user-only directive and can only be specified in a user's . When using Mozilla NSS, if using a cert/key database (specified with TLS.

The same constraints mentioned for TLSCertificateKeyFile apply here.

This is also a user-only directive. This directive is the same as the server's TLSRandFile option. This directive is equivalent to the server's TLSVerifyClient option. However, for clients the default value is demand and there generally is no good reason to change this setting.

How to Setup Postfix Mail Server and Dovecot with Database (MariaDB) Securely. Setup Postfix Mail Server in CentOS 7.

In this 3-article series we will discuss how to set up a Postfix mail server with antivirus and spam protection in a CentOS 7 box. Please note these instructions also work on other distributions such as RHEL/Fedora and Debian/Ubuntu. Part 1: How to Create and Setup Postfix Mail Server Database (MariaDB) Securely. Our plan consists of storing email accounts and aliases in a MariaDB database which, for our convenience, will be managed through phpMyAdmin. If you choose not to install phpMyAdmin, or are dealing with a CLI-only server, we will also provide the equivalent code to create the database tables that will be used throughout this series.

Since keeping a mail server up and running is one of the essential tasks that are usually assigned to system administrators and engineers, we will also provide a few tips to efficiently run this critical service in a production environment.

Create A and MX Records for Domain in DNS

Before proceeding further, there are a few prerequisites that must be met:
1. You will need a valid domain registered through a domain registrar. In this series we will use www. GoDaddy.
2. That domain must be pointed to the external IP of your VPS or cloud hosting provider. If you are self-hosting your mail server, you can use the service offered by FreeDNS (requires registration). In any event, you have to set up A and MX records for your domain as well (you can learn more about MX records in this FAQ from Google).

Once added, you can look them up using an online tool such as MxToolbox or ViewDNS to ensure they are properly set up. Important: Please note that it may take a while (1-2 days) until the DNS records are propagated and your domain is available. In the meanwhile, you can access your VPS through its IP address to perform the tasks indicated below.

Configure the FQDN (Fully Qualified Domain Name) of your VPS: # hostnamectl set-hostname yourhostname. (replace AAA.BBB.CCC.DDD, yourhostname, and yourdomain with the public IP of your server, your hostname, and your registered domain): AAA.BBB.CCC.DDD yourhostname.

Installing Required Software Packages

To install required software packages such as Apache, Postfix, Dovecot, MariaDB, phpMyAdmin, SpamAssassin, ClamAV, etc., you need to enable the EPEL repository: # yum install epel-release. Once you have followed the above steps, install the necessary packages:
In CentOS based systems: # yum update && yum install httpd httpd-devel postfix dovecot dovecot-mysql spamassassin clamav clamav-scanner clamav-scanner-systemd clamav-data clamav-update mariadb mariadb-server php phpMyAdmin
In Debian and derivatives: # aptitude update && aptitude install apache. My. Admin.
6. Start and enable the web and database servers:
In CentOS based systems: # systemctl enable httpd mariadb
In Debian and derivatives: # systemctl enable apache.
When the installation is complete and the above services are enabled and running, we will start off by setting up the database and tables to store information about Postfix mail accounts.

Creating Postfix Mail Accounts Database

For simplicity, we will use phpMyAdmin, a tool intended to handle the administration of MySQL / MariaDB databases through a web interface, to create and manage the email database. However, in order to log on to and use this tool, we need to follow these steps:
7. Enable the MariaDB account (you can do this by running the mysql. Since we will be using a web application to manage the email server database, we need to take the necessary precautions to protect connections to the server. Otherwise, our phpMyAdmin credentials will travel in plain text over the wire. To set up Transport Layer Security (TLS) in your server, follow the steps outlined in Part 8 of the RHCE series: Implementing HTTPS through TLS using Network Security Service (NSS) for Apache before proceeding further. Note: if you do not have access to the server’s console you will need to find another way to generate the necessary entropy during the key creation. In that case, you may want to consider installing rng-tools and running rngd -r /dev/urandom.

Configure and Secure phpMyAdmin

9. In /etc/httpd/conf. My. Admin. conf (CentOS) or /etc/phpmyadmin/apache. (Debian and derivatives), locate all the occurrences of the following lines and make sure they point to the public IP of your server:
Require ip AAA.BBB.CCC.DDD
Allow from AAA.BBB.CCC.DDD
Additionally, disable the default aliases and create a new one to access your phpMyAdmin login page. This will help to secure the site against bots and external attackers who target www. My. Admin.
#Alias /phpMyAdmin /usr/share/phpMyAdmin
#Alias /phpmyadmin /usr/share/phpMyAdmin
Alias /managedb /usr/share/phpMyAdmin
Also, add the following line inside <IfModule mod. Make sure your domain is added to the enabled sites.

Create /etc/httpd/sites-available/linuxnewz. (CentOS) or /etc/apache. (Debian) with the following contents (make sure the DocumentRoot, sites-available, and sites-enabled directories exist):
<VirtualHost *:80>
ServerName www.linuxnewz.
ServerAlias linuxnewz.
DocumentRoot /var/www/linuxnewz.
</VirtualHost>
Now you can open your phpMyAdmin interface at https://www.

phpMyAdmin data directory). If that does not work (which can be caused by a delay in the propagation or lack of configuration of DNS records) for the time being you can try using your server’s public IP address instead of www.

[Figure: phpMyAdmin Login]

In any event, after you log on to phpMyAdmin you will see the following interface. Click New in the left section:

[Figure: Create New Database in phpMyAdmin]

Enter a name for the database (EmailServer. On the next screen, choose a name for the first table (where we will store the domains this mail server will manage; please note that even though in this series we will only manage one domain, you can add more later) and the number of fields you want in it, then click Go. You will be prompted to name and configure those two fields, where you may safely proceed as indicated in the following images:

[Figure: Create Database Table]

When you choose PRIMARY under Index for DomainId, accept the default values and click Go:

[Figure: Add Database Index]

Alternatively, you can click Preview SQL to see the code under the hood: CREATE TABLE `EmailServer. You will then be able to click New under EmailServer. Now follow these steps to create the rest of the tables. Click on the SQL tab and enter the indicated code for each database object. Note that in this case we chose to create the table using a SQL query because of the relationships that must be established between different tables: Users. We will now insert the following records into the three tables.

The passwords for.