HowTo: Generate a certificate for OpenLDAP and use it for certificate authentication.


LDAPS Server Certificate Requirements

LDAPS requires a properly formatted X.509 certificate. This certificate lets an OpenLDAP service listen for and accept SSL connections. The server certificate is used to authenticate the OpenLDAP server to the client during the LDAPS handshake and to set up the SSL tunnel between the client and the server. Optionally, LDAPS can also be used for client authentication.

Having spent quite some time getting TLS to work, I thought this might be useful to some:

Creating a self-signed CA certificate:

1, Create the ldapclient-key.pem private key:

openssl genrsa -des3 -out ldapclient-key.pem 1024

2, Create the ldapserver-cacerts.pem certificate:

openssl req -new -key ldapclient-key.pem -x509 -days 1095 -out ldapserver-cacerts.pem

Creating a certificate for server:

1, Create the ldapserver-key.pem private key

openssl genrsa -out ldapserver-key.pem

2, Create a server.csr certificate request:

openssl req -new -key ldapserver-key.pem -out server.csr

3, Create the ldapserver-cert.pem certificate signed by your own CA:

openssl x509 -req -days 2000 -in server.csr -CA ldapserver-cacerts.pem -CAkey ldapclient-key.pem -CAcreateserial -out ldapserver-cert.pem

4, Create CA copy for the client:

cp -rpf ldapserver-cacerts.pem   ldapclient-cacerts.pem

Now configure the certificates in slapd.conf; the correct files must be copied to each server:

TLSCACertificateFile /etc/openldap/certs/ldapserver-cacerts.pem
TLSCertificateFile /etc/openldap/certs/ldapserver-cert.pem
TLSCertificateKeyFile /etc/openldap/certs/ldapserver-key.pem

# personally, I only verify servers from the client.
# If you do the same, add this:
TLSVerifyClient never

Configure the certificate for LDAP clients

Key : ldapclient-key.pem
Crt : ldapclient-cert.pem
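The CA and server steps above, as an added example that is not part of the original post: the same openssl commands made non-interactive (-subj instead of the prompts), followed by the chain check an LDAP client effectively performs when it is handed the CA copy. It assumes openssl is on PATH; the CA name and host name are assumptions.

```shell
#!/bin/sh
# Added example, not the original post's commands: build a private CA and
# a CA-signed server certificate in one shot, then verify the chain the
# way an LDAP client configured with the CA copy does.
# Assumes openssl on PATH; file names and subjects are assumptions.
set -eu

# make_ca DIR NAME: CA private key + self-signed CA certificate (steps 1-2).
# 2048-bit keys rather than the post's 1024, which is below current minimums.
make_ca() {
    dir=$1 name=$2
    openssl genrsa -out "$dir/$name-key.pem" 2048 2>/dev/null
    openssl req -new -x509 -days 1095 -key "$dir/$name-key.pem" \
        -subj "/CN=$name" -out "$dir/$name-cacerts.pem" 2>/dev/null
}

# make_server_cert DIR CA HOST: server key, CSR, CA-signed cert (steps 1-3).
# The CN must match the host name clients connect to.
make_server_cert() {
    dir=$1 ca=$2 host=$3
    openssl genrsa -out "$dir/$host-key.pem" 2048 2>/dev/null
    openssl req -new -key "$dir/$host-key.pem" -subj "/CN=$host" \
        -out "$dir/$host.csr" 2>/dev/null
    openssl x509 -req -days 2000 -in "$dir/$host.csr" \
        -CA "$dir/$ca-cacerts.pem" -CAkey "$dir/$ca-key.pem" \
        -CAcreateserial -out "$dir/$host-cert.pem" 2>/dev/null
}

# verify_chain CAFILE CERT: "ok" if CERT chains to CAFILE, else "fail".
# This is the check that fails when the client gets the wrong CA file.
verify_chain() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Demo: the server cert verifies against its own CA, not against another one.
demo() {
    d=$(mktemp -d)
    make_ca "$d" myca
    make_ca "$d" otherca
    make_server_cert "$d" myca ldap.example.test
    echo "own CA:   $(verify_chain "$d/myca-cacerts.pem" "$d/ldap.example.test-cert.pem")"
    echo "other CA: $(verify_chain "$d/otherca-cacerts.pem" "$d/ldap.example.test-cert.pem")"
    rm -rf "$d"
}
demo
```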

Howto: Allowing SFTP access while chrooting the user and denying shell access.


Usually SFTP lets a system user access their home directory and upload and download files with their account. But the SFTP user can also navigate anywhere on the server and sometimes download files from elsewhere, which is a security weakness.

With a chroot for SFTP, users are denied access to the rest of the system, as they are chrooted to their home directory. Thus users cannot snoop around the system in /etc or application directories. Shell login for the user is also denied.

The procedure below allowed me to enable SFTP security:

1, Add a new group

2, Create a chroot directory from which logins are launched; it should be owned by root

3, Modify the sftp subsystem to use internal-sftp and force the chroot directory

4, Reload the configuration

Steps :

Create the chroot launch directory, with no privileges for others

mkdir /opt/chroot
chown root:root /opt/chroot
chmod 700 /opt/chroot

Create a common group for the chrooted users; the SSH rule will apply to the group

groupadd sftpgroup
useradd -g sftpgroup -s /sbin/nologin  -d /opt/chroot/planetuser planetuser
passwd planetuser

Modify the SSH configuration

vi /etc/ssh/sshd_config

Comment out the general sftp subsystem and add the new rule

#Subsystem sftp /usr/lib/openssh/sftp-server

#Add the line 
Subsystem sftp internal-sftp

# Rules for sftp group
Match group sftpgroup
ChrootDirectory %h
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

Then restart the SSH service

service sshd restart

HowTo: Enable URL rewrite for Tomcat or another servlet container


UrlRewriteFilter is a URL rewrite feature very similar to Apache mod_rewrite; we can use similar rules to apply the rewrite. Ensure that the ‘UrlRewriteFilter‘ JAR file is on your web application’s classpath. Placing the JAR file in your webapp under ‘/WEB-INF/lib’ will do the trick, and if you have spent any time at all working with webapps you probably already have a preferred way of doing this. Alternatively, you may want to install the JAR file in your servlet container’s ‘/lib’ folder, particularly if you are deploying multiple webapps on your server and want ‘UrlRewriteFilter‘ available to all of them automatically.


Once you have the ‘UrlRewriteFilter‘ JAR on your webapp’s classpath, the real setup can begin. Open your application’s ‘web.xml‘ file and add the following filter configuration to your webapp


This makes the servlet container route the traffic through UrlRewriteFilter. Note that although it is not discussed on the official site, the ‘logLevel‘ parameter is absolutely essential for the filter to be applied to the traffic.

Once you have added the tags to web.xml, create urlrewrite.xml in the same directory as web.xml. Configure the example rules for the URL rewrite.

<?xml version="1.0" encoding="utf-8"?>
 <!DOCTYPE urlrewrite PUBLIC "-// UrlRewrite 3.2//EN"
        <name>Domain Name Check</name>
        <condition name="host" operator="notequal"></condition>
        <to type="redirect">$1</to>
        <to type="redirect">%{context-path}/examples</to>

The first rule rewrites any request that reaches the application by IP address, or by an alternative alias domain name configured on the server, to . It can also be used to rewrite URLs so that they include www.

The second rule redirects the invalid application “test” to the examples application.

It looks like this: –> . Both the and are on the same server, in the same webapps directory.



Error: postfix: warning: SASL authentication failure: No worthy mechs found


After configuring a Postfix relay server I found there was an issue with Gmail server authentication; it bounced the emails.

Error:
 postfix/smtp[25857]: 59BF721177: SASL authentication failed; cannot authenticate to server[]: no mechanism available
 postfix/smtp[25861]: warning: SASL authentication failure: No worthy mechs found

There are two likely reasons behind this:
1, The SASL package for the PLAIN module is missing

yum install cyrus-sasl{,-plain}

2, Allow plaintext mechanisms (which is fine when using STARTTLS, since the connection is encrypted):

smtp_sasl_security_options = noanonymous

Make sure you have enabled all the options below:

smtp_sasl_auth_enable = yes
smtp_use_tls = yes
smtp_tls_loglevel = 1
smtp_tls_security_level = encrypt
smtp_sasl_mechanism_filter = login
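A checker for the settings listed above, added here and not part of the original post: it reads a Postfix main.cf and reports which of the relaying parameters are missing or still in the state that makes SASL find no worthy mechanisms. The two main.cf files are constructed for the demo; on a real host point it at /etc/postfix/main.cf.

```shell
#!/bin/sh
# Added example, not from the original post: check a Postfix main.cf for the
# settings the post lists, so the "No worthy mechs found" condition can be
# caught before mail bounces. Sample configs below are constructed.

# get_setting FILE KEY: value of KEY; the last definition wins, as in Postfix.
get_setting() {
    awk -v k="$2" -F= '$1 ~ ("^[ \t]*" k "[ \t]*$") {
            v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); out = v
        } END { print out }' "$1"
}

# check_postfix_sasl FILE: "ok" or "fix:" followed by the offending parameters.
check_postfix_sasl() {
    f=$1; bad=""
    [ "$(get_setting "$f" smtp_sasl_auth_enable)" = yes ]       || bad="$bad smtp_sasl_auth_enable"
    [ "$(get_setting "$f" smtp_tls_security_level)" = encrypt ] || bad="$bad smtp_tls_security_level"
    # Unset means the Postfix default "noplaintext, noanonymous", which
    # excludes PLAIN/LOGIN and is exactly what leaves SASL with no worthy mechs.
    opts=$(get_setting "$f" smtp_sasl_security_options)
    case "${opts:-noplaintext, noanonymous}" in
        *noplaintext*) bad="$bad smtp_sasl_security_options" ;;
    esac
    if [ -n "$bad" ]; then echo "fix:$bad"; else echo ok; fi
}

# Constructed "before": the state that produced the warning in the post.
weak_maincf() {
    printf '%s\n' 'relayhost = [smtp.gmail.com]:587' \
        'smtp_sasl_auth_enable = yes' 'smtp_use_tls = yes'
}
# Constructed "after": the settings the post says must all be enabled.
fixed_maincf() {
    weak_maincf
    printf '%s\n' 'smtp_sasl_security_options = noanonymous' \
        'smtp_tls_security_level = encrypt' 'smtp_tls_loglevel = 1' \
        'smtp_sasl_mechanism_filter = login'
}

d=$(mktemp -d)
weak_maincf  > "$d/weak.cf";  echo "weak:  $(check_postfix_sasl "$d/weak.cf")"
fixed_maincf > "$d/fixed.cf"; echo "fixed: $(check_postfix_sasl "$d/fixed.cf")"
rm -rf "$d"
```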


HowTo: Passwordless login in Linux.


Passwordless logins let you get into the server even if the password has been changed or has expired.

It can be achieved with a single Unix command; you can use either this or the detailed steps given below. It prompts for the password of server2 once, and after that the next login is passwordless.

 [root@srv-51 ~]$ ssh-copy-id -i ~/.ssh/  syncfuser@

Detailed steps:

1, Generate the public key on server1; skip this step if it already exists

 [root@srv-51 ~]$ ssh-keygen
 Generating public/private rsa key pair.
 Enter file in which to save the key (/root/.ssh/id_rsa):
 Created directory '/root/.ssh'.
 Enter passphrase (empty for no passphrase):
 Enter same passphrase again:
 Your identification has been saved in /root/.ssh/id_rsa.
 Your public key has been saved in /root/.ssh/
 The key fingerprint is:
 8f:99:9f:8f:ba:bf:15:ca:6b:1f:83:06:a2:1a:9c:59 root@srv-51
 The key's randomart image is:
 +--[ RSA 2048]----+
 | |
 | |
 | |
 | |
 | E . S . |
 | . + . . B o . |
 | = . + * + |
 | o o.= o |
 | . o=B+o |

3, Grab the key and add it to the authorized_keys file on server2

[root@srv-51 ~]# cat ~/.ssh/
 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAz9iTxsWIYZyLtGN47MQZkSrPqXoGwATAKD/ZqIyemFRvKnlkSllkEEQ7+MlMstz6HvONfTJuJROegELqTIA7PoR43LTTKw7zfqJtt1J4fUH/6mbYlB5bedXtl/7L9auRYr276d04CFUCKfINEG4KJXYlbuSM8Mr5ZiUvLCkiu4Jx77DSy0iWaDa90C6cEbl1vRX9yl1pdWQbAMuazYLfiDPOnbqb7JtcI9du5bNEuFuA26VahaYbaYtXFnKBbKrCUMzTHT2uuNesYpckUHT4f0T1fU9qNsAYBlyQBgMIu/2qdJ+Y8luMVCkydXx8ZJmSTmAp+yR+qaZDYCqujrvjdQ== root@localhost.localdomain

4, The authorized_keys entry on server2 looks like this

[root@srv-52 ~]# cat /home/syncfuser/.ssh/authorized_keys
 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAz9iTxsWIYZyLtGN47MQZkSrPqXoGwATAKD/ZqIyemFRvKnlkSllkEEQ7+MlMstz6HvONfTJuJROegELqTIA7PoR43LTTKw7zfqJtt1J4fUH/6mbYlB5bedXtl/7L9auRYr276d04CFUCKfINEG4KJXYlbuSM8Mr5ZiUvLCkiu4Jx77DSy0iWaDa90C6cEbl1vRX9yl1pdWQbAMuazYLfiDPOnbqb7JtcI9du5bNEuFuA26VahaYbaYtXFnKBbKrCUMzTHT2uuNesYpckUHT4f0T1fU9qNsAYBlyQBgMIu/2qdJ+Y8luMVCkydXx8ZJmSTmAp+yR+qaZDYCqujrvjdQ== root@localhost.localdomain

Finally the output looks like this

 [root@srv-51 ~]# ssh syncfuser@
 Last login: Wed Jun 25 17:08:25 2014 from
 [syncfuser@srv-52 ~]$

Now the server1 root user can log in without a password as syncfuser on server2. 🙂
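Steps 3 and 4 done in a script, as an added example that is not part of the original post: the key line is appended only once (so repeated runs do not pile up duplicates) and the modes sshd's StrictModes checks are enforced, which is the part ssh-copy-id handles for you. The key line is constructed; GNU stat is assumed.

```shell
#!/bin/sh
# Added example, not from the original post: install a public key into
# authorized_keys idempotently and with modes sshd will accept.
# The key line is constructed; assumes GNU stat (Linux).

# validate_pubkey LINE: "ok" if LINE has the OpenSSH shape "<type> <base64> [comment]".
validate_pubkey() {
    case "$1" in
        "ssh-rsa "[A-Za-z0-9+/]*|"ssh-ed25519 "[A-Za-z0-9+/]*|"ecdsa-sha2-"*" "[A-Za-z0-9+/]*)
            echo ok ;;
        *)  echo fail ;;
    esac
}

# install_pubkey SSHDIR KEYLINE: prints "added", "present" (already there) or
# "invalid"; creates the directory (700) and file (600) as needed.
install_pubkey() {
    sshdir=$1 key=$2 ak="$1/authorized_keys"
    [ "$(validate_pubkey "$key")" = ok ] || { echo invalid; return 1; }
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    touch "$ak" && chmod 600 "$ak"
    if grep -qxF -- "$key" "$ak"; then
        echo present
    else
        printf '%s\n' "$key" >> "$ak"
        echo added
    fi
}

# no_group_other_write PATH: "ok" unless group or others can write to PATH;
# with StrictModes (the default) sshd ignores authorized_keys otherwise.
no_group_other_write() {
    case "$(stat -c '%a' "$1" 2>/dev/null)" in   # octal mode: 700, 644, 1777 ...
        *[2367]?|*[2367]) echo fail ;;           # write bit in group or other digit
        *) echo ok ;;
    esac
}

# ssh_modes_ok SSHDIR: "ok" when neither the directory nor authorized_keys
# is writable by group or others.
ssh_modes_ok() {
    for p in "$1" "$1/authorized_keys"; do
        [ "$(no_group_other_write "$p")" = ok ] || { echo fail; return 0; }
    done
    echo ok
}

# Demo with a constructed key in a temporary home directory.
demo_home=$(mktemp -d)
demo_key='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKeyNotReal00000000000 root@srv-51'
install_pubkey "$demo_home/.ssh" "$demo_key"   # added
install_pubkey "$demo_home/.ssh" "$demo_key"   # present
ssh_modes_ok "$demo_home/.ssh"                 # ok
rm -rf "$demo_home"
```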

HowTo: Recover a RAID volume and mount it separately


My NAS storage crashed, and this time I was forced to move one of the RAID volumes to another server to bring the service back up, because the volume contains all the VMs used by the Xen server; most probably it is an LVM disk.

Everybody knows that we can’t simply attach the RAID disk to another machine, so follow the procedure below.

Once I attached the HDD to another machine, I checked the disk availability:

root@ubuntu:~# mdadm --examine /dev/sdb
 Magic : a92b4efc
 Version : 1.2
 Feature Map : 0x0
 Array UUID : ec2c6fb2:f211cfa5:8dfa8777:4f08bfed
 Name : openmediavault:storage
 Creation Time : Fri May 9 16:22:45 2014
 Raid Level : raid1
 Raid Devices : 2
Avail Dev Size : 1953523120 (931.51 GiB 1000.20 GB)
 Array Size : 976761424 (931.51 GiB 1000.20 GB)
 Used Dev Size : 1953522848 (931.51 GiB 1000.20 GB)
 Data Offset : 2048 sectors
 Super Offset : 8 sectors
 State : clean
 Device UUID : 3a9e90a0:ca0e458e:c48e1b34:f3aaf06f
Update Time : Tue Jun 24 16:20:00 2014
 Checksum : eaa54b02 - correct
 Events : 24468
 Device Role : Active device 1
 Array State : .A ('A' == active, '.' == missing)

That looks good, so move to the next step: create the md* block device so that the partitions are revealed.

root@ubuntu:~# mdadm --assemble --force /dev/md127 /dev/sdb

You will get output like this

root@ubuntu:~# ll  /dev/md127
 brw-rw---- 1 root disk 9, 127 Jun 24 14:27 /dev/md127

Now you can see the LVM names

root@ubuntu:~# lvs
 LV   VG      Attr   LSize   Origin Snap%  Move Log Copy%  Convert
 nfs  storage -wi-ao 931.51g
 root@ubuntu:~# pvs
 PV         VG      Fmt  Attr PSize   PFree
 /dev/md127 storage lvm2 a-   931.51g    0
 root@ubuntu:~# vgs
 VG      #PV #LV #SN Attr   VSize   VFree
 storage   1   1   0 wz--n- 931.51g    0

Mount the partition manually

root@ubuntu:~# mount /dev/mapper/storage-nfs /export/
root@ubuntu:~# mount | grep nfs
 /dev/mapper/storage-nfs on /export type ext4 (rw)

That’s it; now I have my files back.
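A small parser for the mdadm --examine output shown above, added here and not part of the original post: it pulls out the level, state and the Array State map and says whether the member can be assembled normally or only degraded (the ".A" in the post means one of two RAID1 members is missing, which is why --force was needed). The sample input is a constructed subset of the post's output; on a real host pipe in the output of mdadm --examine /dev/sdX.

```shell
#!/bin/sh
# Added example, not from the original post: summarise "mdadm --examine"
# output and flag a degraded member before assembling.
# The sample input below is constructed from the post's output.

# examine_summary: stdin = --examine output, stdout = one line:
#   <level> <state> <present>/<total> <complete|degraded> (<advice>)
examine_summary() {
    awk -F' : ' '
        /^ *Raid Level :/   { level = $2 }
        /^ *Raid Devices :/ { total = $2 + 0 }
        /^ *State :/        { state = $2 }      # "Array State" has a prefix, no clash
        /^ *Array State :/  { split($2, a, " ")  # first token is the map, e.g. ".A"
                              present = gsub(/A/, "A", a[1]) }   # count active slots
        END {
            if (present < total) {
                kind = "degraded"; advice = "assemble with --run/--force, then replace the missing member"
            } else {
                kind = "complete"; advice = "assemble normally"
            }
            printf "%s %s %d/%d %s (%s)\n", level, state, present, total, kind, advice
        }'
}

# Constructed sample: the fields that matter from the post's RAID1 member.
sample_examine() {
    printf '%s\n' '/dev/sdb:' '          Magic : a92b4efc' \
        '     Raid Level : raid1' '   Raid Devices : 2' \
        '          State : clean' \
        "    Array State : .A ('A' == active, '.' == missing)"
}

sample_examine | examine_summary   # raid1 clean 1/2 degraded (...)
```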






HowTo: Extend a volume in Windows


It is possible to resize the system partition with tools that are either commercially available or open source. Acronis ‘Disk Partition Manager’ is a good example of a commercial product. There is another tool that comes with the Linux ‘Live CD’ called “GParted”; this will also resize partitions without data loss. To extend a volume, follow these steps:

Run –> cmd –> type diskpart.exe.

Type list volume to display the existing volumes on the computer.

Type select volume <volume number>, where volume number is the number of the volume that you want to extend.

Type extend [size=n] [disk=n] [noerr]. The following describes the parameters:

size=n
The space, in megabytes (MB), to add to the current partition. If you do not specify a size, the disk is extended to use all the next contiguous unallocated space.

disk=n
The dynamic disk on which to extend the volume. Space equal to size=n is allocated on the disk. If no disk is specified, the volume is extended on the current disk.