Tuesday, April 30, 2013

zimbra mail multi-server installation with split DNS

Some words: Suppose you need to change your email domain. You will have to install another Zimbra email server with the new email IDs, and as you have more than 100 email users you have to configure a multi-server Zimbra installation with split DNS. Assume you are currently using vikas.singh@xyz.com and now have to change your email ID to vikas.singh@abc.com; I will help you configure another email server and email forwarding. Simply follow the steps:

Step 1. Download Zimbra 7 from the following link:
   http://files2.zimbra.com/downloads/7.1.4_GA/zcs-7.1.4_GA_2555.RHEL5.20120105094627.tgz
Step 2. Extract it with the following command:
   tar -xvf zcs-7.1.4_GA_2555.RHEL5.20120105094627.tgz
Step 3. Change into the extracted directory:
   cd zcs-7.1.4_GA_2555.RHEL5.20120105094627
Step 4. Edit your hosts file as follows (one line with the server's IP, FQDN and short hostname):
   vi /etc/hosts
   IP  FQDN  HOSTNAME
Step 5. Run the installer:
   ./install.sh --platform-override
The above command checks all of your system's dependencies and starts the installation.

For more detail and help, write here in the comment box.

Sunday, April 28, 2013

how to: squid with ldap auth for users and groups

How to Proxy Server With LDAP Auth.

Follow this post to install Samba with LDAP support first. I assume you have configured an LDAP server to authenticate intranet users at IP 192.168.1.12, and that your proxy server's IP is 192.168.202.17. The proxy server should have a direct internet connection via DSL or another modem, or direct access to the internet through the firewall.

Log in to your Linux server and follow the step-by-step guide.

[root@proxy ~]# ping www.google.com    # check that internet access works
64 bytes from maa03s04-in-f18.1e100.net (74.125.236.50): icmp_seq=1 ttl=57 time=37.8 ms
[root@proxy ~]# yum install squid nss_ldap -y
[root@proxy ~]# cp /etc/squid/squid.conf /etc/squid/squid.conf.bkp
[root@proxy ~]# vi /etc/squid/squid.conf    # edit the following lines

# comment out the ncsa_auth line (line 274 in the stock squid.conf):
#auth_param basic program /usr/lib/squid/ncsa_auth /usr/local/squid/etc/passwd
# LDAP authentication: basic-auth credentials are checked against the LDAP server
auth_param basic program /usr/lib/squid/squid_ldap_auth -b "dc=server,dc=com" -f "uid=%s" -h 192.168.202.10 -d -v 3

## external_acl_type used for group authorization from LDAP (same server and suffix as above)
external_acl_type ldapgroups %LOGIN /usr/lib/squid/squid_ldap_group -b "dc=server,dc=com" -f "(&(cn=%g)(memberUid=%u))" -h 192.168.202.10
# add this line after line 572: true when the logged-in user is a member of the LDAP group "squid"
acl ldapgroup external ldapgroups squid
### deny every user who is not in the squid group ###
http_access deny !ldapgroup

acl ldapauth proxy_auth REQUIRED
http_access allow ldapauth

To make sure your Squid server can talk to the LDAP server, run the helpers by hand. Each one reads a "username password" (or "username group") line from stdin and answers OK or ERR; the output should look like this, and if it does not, something went wrong.
[root@proxy ~]# /usr/lib/squid/squid_ldap_auth -b "dc=server,dc=com" -f "uid=%s" -h 192.168.202.10 -d -v 3
username password
user filter 'uid=username', searchbase 'dc=server,dc=com'
attempting to authenticate user 'uid=username,ou=users,dc=server,dc=com'
OK

[root@proxy ~]# /usr/lib/squid/squid_ldap_group -b "dc=server,dc=com" -f "(&(cn=%g)(memberUid=%u))" -h 192.168.202.10
username group
OK
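To see what the two helpers and the http_access rules above do together, here is an added example (not from the post or from Squid) that models the helper line protocol and the first-match rule walk against a constructed in-memory directory; the users, passwords and the "squid" group are made up for the illustration.

```python
# Added example, not from the post or from Squid.  It models the line protocol
# Squid uses with squid_ldap_auth ("user password" -> OK/ERR) and squid_ldap_group
# ("user group" -> OK/ERR), and the first-match evaluation of the post's
# http_access rules, against a constructed in-memory directory that stands in
# for the LDAP server at 192.168.202.10.
BASE = "dc=server,dc=com"     # the -b searchbase from squid.conf
PROXY_GROUP = "squid"         # the group in "acl ldapgroup external ldapgroups squid"

# Constructed entries: DN -> attributes (every value is a list, as in LDAP).
DIRECTORY = {
    "uid=vikas,ou=users," + BASE: {"uid": ["vikas"], "userPassword": ["s3cret"]},
    "uid=alice,ou=users," + BASE: {"uid": ["alice"], "userPassword": ["hunter2"]},
    "cn=squid,ou=groups," + BASE: {"cn": ["squid"], "memberUid": ["vikas"]},
}

def _search(**wanted):
    """Entries under BASE whose attributes contain every wanted value (an AND filter)."""
    return [e for dn, e in DIRECTORY.items() if dn.endswith(BASE)
            and all(v in e.get(k, []) for k, v in wanted.items())]

def auth_helper(line):
    """squid_ldap_auth: -f "uid=%s" finds the entry, then a bind with the
    supplied password must succeed.  An empty password is rejected outright,
    because an empty-password bind is treated as anonymous by LDAP."""
    user, _, password = line.rstrip("\n").partition(" ")
    hits = _search(uid=user)
    if len(hits) != 1 or not password or password not in hits[0]["userPassword"]:
        return "ERR"
    return "OK"

def group_helper(line):
    """squid_ldap_group: OK when (&(cn=%g)(memberUid=%u)) matches an entry."""
    user, _, group = line.rstrip("\n").partition(" ")
    return "OK" if _search(cn=group, memberUid=user) else "ERR"

def http_access(user=None, password=None):
    """First-match walk of the post's rules for one request:
         http_access deny !ldapgroup   (needs %LOGIN, so the client is challenged first)
         http_access allow ldapauth
       Returns 407 (authenticate), 403 (denied) or 200 (allowed)."""
    if user is None or auth_helper(f"{user} {password}") != "OK":
        return 407        # no or bad credentials: Proxy-Authenticate challenge
    if group_helper(f"{user} {PROXY_GROUP}") != "OK":
        return 403        # authenticated but not in the squid group: deny !ldapgroup
    return 200            # allow ldapauth
```

Note that with basic auth and no -Z/TLS option on the helpers, both the browser-to-proxy and proxy-to-LDAP legs carry the password in clear text, so this setup belongs on a trusted intranet segment only.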

Friday, April 26, 2013

samba authentication with external OpenLDAP users

how to samba with ldap authentication

[~] yum install samba samba-clients smbldap-tools openldap openldap-servers openldap-clients phpldapadmin -y
[~] cp -r /etc/openldap /etc/openldap.bkp
[~] vi /etc/openldap/slapd.conf    # new file
# create new
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
[~] cp -r /etc/openldap/slapd.d /etc/openldap/slapd.d_bkp
[~] rm -rf /etc/openldap/slapd.d/*
[~] slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d    # convert slapd.conf into the cn=config directory
[~] cp -r /usr/share/doc/samba-3.*.*/LDAP/samba.ldif /etc/openldap/schema
[~] cp -r /usr/share/doc/samba-3.*.*/LDAP/samba.schema /etc/openldap/schema
[~] vi /etc/openldap/slapd.d/cn=config/olcDatabase\={0}config.ldif
# line 4: change
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
[~] vi /etc/openldap/slapd.d/cn=config/olcDatabase\={1}monitor.ldif
# create new
dn: olcDatabase={1}monitor
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
olcAccess: {1}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcMonitoring: FALSE
structuralObjectClass: olcDatabaseConfig
creatorsName: cn=config
modifiersName: cn=config

[~] chown -R ldap. /etc/openldap/slapd.d

[~] /etc/init.d/slapd start

[~] chkconfig slapd on

[~] ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/core.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=core,cn=schema,cn=config"

[~] ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"

[~] ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"

[~] ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"

[~] ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/samba.ldif

[~] slappasswd
New password:
Re-enter new password:
{SSHA}xxxxxxxxxxxxxxxxxxxxxxxx

[~] vi backend.ldif
# create new
# replace "dc=server,dc=com" with your own suffix
# replace "olcRootPW: ***" with your own password hash generated by slappasswd above
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib64/openldap
olcModuleload: back_hdb

dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcSuffix: dc=server,dc=com
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=server,dc=com
olcRootPW: {SSHA}QDzMAHRnhnq9A3b43kqMcg2vCQoha/xv
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcMonitoring: TRUE
olcDbCheckpoint: 512 30
# protect the Samba hash attributes (written later by smbldap-tools) the same way as userPassword
olcAccess: to attrs=userPassword,sambaLMPassword,sambaNTPassword by dn="cn=admin,dc=server,dc=com" write by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=server,dc=com" write by * read


[~] ldapadd -Y EXTERNAL -H ldapi:/// -f backend.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=module,cn=config"
adding new entry "olcDatabase=hdb,cn=config"
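Before relying on the olcAccess rules, it is worth checking what an anonymous client can read: smbldap-tools later stores the Samba NT and LM hashes in sambaNTPassword and sambaLMPassword, and a rule set that protects only userPassword leaves them readable through the final "to * ... by * read" rule. The following is an added example (not from the post or from OpenLDAP) that evaluates such rules offline for an anonymous requester; the rule text and admin DN are constructed to match the post.

```python
# Added example, not part of the post or of OpenLDAP: an offline check of what an
# anonymous bind may do with each attribute under olcAccess rules like those in
# backend.ldif.  It models slapd's evaluation for an entry below the suffix: the
# first "to" clause covering the attribute is selected, then the first matching
# "by" clause decides, and no match means no access.  Only the clause forms used
# on this page (attrs=, dn.base, *, dn=, anonymous, self, *) are handled.
import re

LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def parse_acl(ldif):
    """[(attribute set or None for all, [(who, level), ...]), ...] from olcAccess lines."""
    rules = []
    for line in ldif.splitlines():
        m = re.match(r"olcAccess:\s*(?:\{\d+\})?to\s+(.*)", line)
        if not m:
            continue
        what, *bys = re.split(r"\s+by\s+", m.group(1).strip())
        if what.startswith("dn.base"):
            continue                      # applies to the root DSE, not to user entries
        attrs = None if what == "*" else {a.strip() for a in what[len("attrs="):].split(",")}
        rules.append((attrs, [tuple(b.split()[:2]) for b in bys]))
    return rules

def anonymous_access(ldif, attribute):
    """Access level an unauthenticated client gets on `attribute` of a user entry."""
    for attrs, bys in parse_acl(ldif):
        if attrs is not None and attribute not in attrs:
            continue
        for who, level in bys:
            if who in ("anonymous", "*"):   # dn="..." and self never match anonymous
                return level
        return "none"
    return "none"

# Constructed ACL in the shape of the stock tutorial: only userPassword is protected.
WEAK_ACL = """\
olcAccess: to attrs=userPassword by dn="cn=admin,dc=server,dc=com" write by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=server,dc=com" write by * read
"""
# The same ACL with the attributes smbldap-tools writes the Samba hashes to covered too.
FIXED_ACL = WEAK_ACL.replace("attrs=userPassword", "attrs=userPassword,sambaLMPassword,sambaNTPassword")

def readable_credentials(ldif):
    """Credential attributes an anonymous client could read under `ldif`."""
    return [a for a in ("userPassword", "sambaLMPassword", "sambaNTPassword")
            if LEVELS.index(anonymous_access(ldif, a)) >= LEVELS.index("read")]
```

readable_credentials(WEAK_ACL) reports both Samba hash attributes, while readable_credentials(FIXED_ACL) reports none.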

[~] vi frontend.ldif
# create new
# replace "dc=server,dc=com" with your own suffix (it must match olcSuffix in backend.ldif)
# replace "userPassword: ***" with your own password hash generated by slappasswd above
dn: dc=server,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: Server World
dc: server

dn: cn=admin,dc=server,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
userPassword: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx

dn: ou=people,dc=server,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=server,dc=com
objectClass: organizationalUnit
ou: groups

[~] ldapadd -x -D cn=admin,dc=server,dc=com -W -f frontend.ldif
Enter LDAP Password:    # the password you set with slappasswd
adding new entry "dc=server,dc=com"
adding new entry "cn=admin,dc=server,dc=com"
adding new entry "ou=people,dc=server,dc=com"
adding new entry "ou=groups,dc=server,dc=com"

[~] /etc/init.d/slapd restart

[~] yum install phpldapadmin -y    # phpldapadmin comes from the EPEL repository, which must be enabled first

[~] vi /etc/phpldapadmin/config/config.php
# edit lines 397 and 398: this allows logging in to phpLDAPadmin with a full DN

$servers->setValue('login','attr','dn');
// $servers->setValue('login','attr','uid');

## Now edit some lines in samba

[~] yum install samba samba-clients smbldap-tools -y

[~] cp /etc/samba/smb.conf /etc/samba/smb.conf.bkp

[~] vi /etc/samba/smb.conf

workgroup = SAMBA
server string = Samba Server Version %v

# ----------------------- Standalone Server Options ------------------------
#
# Security can be set to user, share(deprecated) or server(deprecated)
#
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.

security = user
; passdb backend = tdbsam
passdb backend = ldapsam:ldap://192.168.202.10
ldap suffix = dc=server,dc=com
ldap machine suffix = ou=machines
ldap user suffix = ou=users
ldap group suffix = ou=groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=admin,dc=server,dc=com
ldap ssl = no
ldap passwd sync = yes


#--------------------------------------------------------------------------
[~] perl /usr/share/doc/smbldap-tools-0.9.6/configure.pl    # configures smbldap-tools so Samba can create and delete users in the LDAP server
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
       smbldap-tools script configuration
       -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Before starting, check
 . if your samba controller is up and running.
 . if the domain SID is defined (you can get it with the 'net getlocalsid')

 . you can leave the configuration using the Ctrl-c key combination
 . empty value can be set with the "." character
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Looking for configuration files...

Samba Configuration File Path [/etc/samba/smb.conf] >

The default directory in which the smbldap configuration files are stored is shown.
If you need to change this, enter the full directory path, then press enter to continue.
Smbldap-tools Configuration Directory Path [/etc/smbldap-tools] >
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Let's start configuring the smbldap-tools scripts ...

. workgroup name: name of the domain Samba acts as a PDC for
  workgroup name [SAMBA] >
. netbios name: netbios name of the samba controller
  netbios name [] >
. logon drive: local path to which the home directory will be connected (for NT Workstations). Ex: 'H:'
  logon drive [] >
. logon home: home directory location (for Win95/98 or NT Workstation).
  (use %U as username) Ex:'\\\%U'
  logon home (press the "." character if you don't want homeDirectory) [\\\%U] >
. logon path: directory where roaming profiles are stored. Ex:'\\\profiles\%U'
  logon path (press the "." character if you don't want roaming profiles) [\\\profiles\%U] >
. home directory prefix (use %U as username) [/home/%U] >
. default users' homeDirectory mode [700] >
. default user netlogon script (use %U as username) [] >
  default password validation time (time in days) [45] >
. ldap suffix [dc=server,dc=com] >
. ldap group suffix [ou=groups] >
. ldap user suffix [ou=users] >
. ldap machine suffix [ou=machines] >
. Idmap suffix [ou=Idmap] >
. sambaUnixIdPooldn: object where you want to store the next uidNumber
  and gidNumber available for new users and groups
  sambaUnixIdPooldn object (relative to ${suffix}) [sambaDomainName=SAMBA] >
. ldap master server: IP address or DNS name of the master (writable) ldap server
  ldap master server [192.168.202.10] >
. ldap master port [389] >
. ldap master bind dn [cn=admin,dc=server,dc=com] >
. ldap master bind password [] >
. ldap slave server: IP address or DNS name of the slave ldap server: can also be the master one
  ldap slave server [192.168.202.10] >
. ldap slave port [389] >
. ldap slave bind dn [cn=admin,dc=server,dc=com] >
. ldap slave bind password [] >
. ldap tls support (1/0) [0] >
. SID for domain SAMBA: SID of the domain (can be obtained with 'net getlocalsid ')
  SID for domain SAMBA [S-1-5-21-xxxxxxxxxx-xxxxxxxxx-xxxxxxxxxx] >
. unix password encryption: encryption used for unix passwords
  unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA) [SSHA] >
. default user gidNumber [513] >
. default computer gidNumber [515] >
. default login shell [/bin/bash] >
. default skeleton directory [/etc/skel] >
. default domain name to append to mail address [] > server.com
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
backup old configuration files:
  /etc/smbldap-tools/smbldap.conf->/etc/smbldap-tools/smbldap.conf.old
  /etc/smbldap-tools/smbldap_bind.conf->/etc/smbldap-tools/smbldap_bind.conf.old
writing new configuration file:
  /etc/smbldap-tools/smbldap.conf done.
  /etc/smbldap-tools/smbldap_bind.conf done.

$] smbpasswd -w secret    # store the "ldap admin dn" password (the cn=admin password set with slappasswd; "secret" is a placeholder) in secrets.tdb
$] smbldap-populate
Populating LDAP directory for domain SAMBA (S-1-5-21-xxxxxxxxxx-xxxxxxxxx-xxxxxxxxx)
(using builtin directory structure)
entry dc=server,dc=com already exist.
adding new entry: ou=users,dc=server,dc=com
entry ou=groups,dc=server,dc=com already exist.
adding new entry: ou=machines,dc=server,dc=com
adding new entry: ou=Idmap,dc=server,dc=com
adding new entry: uid=root,ou=users,dc=server,dc=com
adding new entry: uid=nobody,ou=users,dc=server,dc=com
adding new entry: cn=Domain Admins,ou=groups,dc=server,dc=com
adding new entry: cn=Domain Users,ou=groups,dc=server,dc=com
adding new entry: cn=Domain Guests,ou=groups,dc=server,dc=com
adding new entry: cn=Domain Computers,ou=groups,dc=server,dc=com
adding new entry: cn=Administrators,ou=groups,dc=server,dc=com
adding new entry: cn=Account Operators,ou=groups,dc=server,dc=com
adding new entry: cn=Print Operators,ou=groups,dc=server,dc=com
adding new entry: cn=Backup Operators,ou=groups,dc=server,dc=com
adding new entry: cn=Replicators,ou=groups,dc=server,dc=com
entry sambaDomainName=SAMBA,dc=server,dc=com already exist. Updating it...
Please provide a password for the domain root:
Changing UNIX and samba passwords for root
New password:
Retype new password:

$] smbldap-useradd -a -m test.user
$] smbldap-passwd test.user
Changing UNIX and samba passwords for test.user
New password:
Retype new password:

Now the server is ready to accept SMB connections from Windows.

Go to Run and enter \\192.168.202.10\
then enter your uid and password.

##################### Errors and Solutions #####################
error1: ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
 SASL/EXTERNAL authentication started
 SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
 SASL SSF: 0
 adding new entry "cn=cosine,cn=schema,cn=config"
 ldap_add: Other (e.g., implementation specific) error (80)
     additional info: olcAttributeTypes: Duplicate attributeType: "0.9.2342.19200300.100.1.2
solution: this happens because the schema was already defined in slapd.conf when you ran slaptest, so it is already loaded; you may ignore this error and go ahead.

error 2: "make_server_info_sam() failed with NT_STATUS_UNSUCCESSFUL"
solution: check the Samba domain SID against the SID stored on the user in phpLDAPadmin; the user's SID should end in four digits.