OpenLDAP

Linux does have a directory server called OpenLDAP, but it requires a good understanding of the protocol and solid admin skills. MS AD has a reputation for ease of use. Samba is a free software re-implementation of the SMB/CIFS networking protocol mainly used by Microsoft. One of the goals of Samba version 4 is to implement an Active Directory compatible Domain Controller. Major features for Samba 4 already include:

  • support of the ‘Active Directory’ logon and administration protocols
  • new ‘full coverage’ testsuites
  • full NTFS semantics for sharing backends
  • Internal LDAP server, with AD semantics
  • Internal Kerberos server, including PAC support
  • fully asynchronous internals
  • flexible process models
  • better scalability from micro to very large installations
  • new RPC infrastructure (PIDL)
  • flexible database architecture (LDB)
  • embedded scripting language (ejs)
  • generic security subsystem (GENSEC)
  • over 50% auto-generated code!

Step-by-step OpenLDAP Installation and Configuration

Easy steps for adding users:
1. Create unix user
2. Create unix user’s ldap passwd file
3. Convert passwd.file to ldif file
4. Add ldap file to LDAP Directory using ldapadd

Step #1. Requirements

compat-openldap.i386 0:2.1.30-6.4E
openldap-clients.i386 0:2.2.13-6.4E
openldap-devel.i386 0:2.2.13-6.4E
openldap-servers.i386 0:2.2.13-6.4E
openldap-servers-sql.i386 0:2.2.13-6.4E

You can install them using the command:

yum install *openldap* -y

Step #2. Start the service

[root@ldap ~]# chkconfig --levels 235 ldap on
[root@ldap ~]# service ldap start

Step #3. Create LDAP root user password

[root@ldap ~]# slappasswd
New password:
Re-enter new password:
{SSHA}cWB1VzxDXZLf6F4pwvyNvApBQ8G/DltW
[root@ldap ~]#

Step #4. Update /etc/openldap/slapd.conf for the root password

[root@ldap ~]# vi /etc/openldap/slapd.conf

    database        bdb
    suffix          "dc=adminmart,dc=com"
    rootdn          "cn=Manager,dc=adminmart,dc=com"
    rootpw          {SSHA}cWB1VzxDXZLf6F4pwvyNvApBQ8G/DltW

Step #5. Apply Changes

[root@ldap ~]# service ldap restart

Step #6. Create test users

[root@ldap ~]# useradd test1
[root@ldap ~]# passwd test1
Changing password for user test1.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[root@ldap ~]# useradd test2
[root@ldap ~]# passwd test2
Changing password for user test2.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[root@ldap ~]#

Note: Repeat the same for the rest of users

Step #7. Migrate local users to LDAP

[root@ldap ~]# grep root /etc/passwd > /etc/openldap/passwd.root
[root@ldap ~]# grep test1 /etc/passwd > /etc/openldap/passwd.test1
[root@ldap ~]# grep test2 /etc/passwd > /etc/openldap/passwd.test2

Note: Repeat the same for the rest of users. A plain grep matches the name anywhere in the line, not only in the user-name field: "grep root" also picks up the operator account, whose home directory is /root, which is why step 12 adds uid=operator alongside uid=root.

Step #8. Update the default settings in the file /usr/share/openldap/migration/migrate_common.ph

    $DEFAULT_MAIL_DOMAIN = "adminmart.com";
    $DEFAULT_BASE = "dc=adminmart,dc=com";

Step #9. Convert passwd.file to ldif (LDAP Data Interchange Format) file

[root@ldap ~]# /usr/share/openldap/migration/migrate_passwd.pl /etc/openldap/passwd.root /etc/openldap/root.ldif
[root@ldap ~]# /usr/share/openldap/migration/migrate_passwd.pl /etc/openldap/passwd.test1 /etc/openldap/test1.ldif
[root@ldap ~]# /usr/share/openldap/migration/migrate_passwd.pl /etc/openldap/passwd.test2 /etc/openldap/test2.ldif

Note: Repeat the same for the rest of users

Step #10. Update root.ldif file for the “Manager” of LDAP Server

[root@ldap ~]# vi /etc/openldap/root.ldif

    dn: uid=root,ou=People,dc=adminmart,dc=com
    uid: root
    cn: Manager
    objectClass: account

Step #11. Create a domain ldif file (/etc/openldap/adminmart.com.ldif)

[root@ldap ~]# cat /etc/openldap/adminmart.com.ldif

    dn: dc=adminmart,dc=com
    dc: adminmart
    description: LDAP Admin
    objectClass: dcObject
    objectClass: organizationalUnit
    ou: rootobject

    dn: ou=People, dc=adminmart,dc=com
    ou: People
    description: Users of adminmart
    objectClass: organizationalUnit

Step #12. Import all users into the LDAP directory

Add the Domain ldif file

[root@ldap ~]# ldapadd -x -D "cn=Manager,dc=adminmart,dc=com" -W -f /etc/openldap/adminmart.com.ldif
Enter LDAP Password:
adding new entry "dc=adminmart,dc=com"
adding new entry "ou=People, dc=adminmart,dc=com"
[root@ldap ~]#

Add the users:

[root@ldap ~]# ldapadd -x -D "cn=Manager,dc=adminmart,dc=com" -W -f /etc/openldap/root.ldif
Enter LDAP Password:
adding new entry "uid=root,ou=People,dc=adminmart,dc=com"
adding new entry "uid=operator,ou=People,dc=adminmart,dc=com"
[root@ldap ~]#

[root@ldap ~]# ldapadd -x -D "cn=Manager,dc=adminmart,dc=com" -W -f /etc/openldap/test1.ldif
Enter LDAP Password:
adding new entry "uid=test1,ou=People,dc=adminmart,dc=com"
[root@ldap ~]#

[root@ldap ~]# ldapadd -x -D "cn=Manager,dc=adminmart,dc=com" -W -f /etc/openldap/test2.ldif
Enter LDAP Password:
adding new entry "uid=test2,ou=People,dc=adminmart,dc=com"
[root@ldap ~]#

Note: Repeat the same for the rest of users

Step #13. Apply Changes

[root@ldap ~]# service ldap restart

Step #14. Test LDAP Server

It prints all the user information:

[root@ldap ~]# ldapsearch -x -b 'dc=adminmart,dc=com' '(objectclass=*)'
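Steps 7 to 9 extract passwd records with grep and turn them into LDIF with migrate_passwd.pl. The example below is added here and is not part of the original page or of the OpenLDAP migration tools: it reproduces the conversion in Python, shows why a substring grep for "root" drags in the operator account, and generates the entries with the exact-name match and the blank-line separation that ldapadd needs. The passwd lines, the base DN and the attribute set are constructed assumptions for the demonstration.

```python
"""Added example, not from the original page or from OpenLDAP's migration
scripts: build posixAccount LDIF entries for named local accounts.

"grep root /etc/passwd" is a substring match, so it also returns any record
that merely contains "root" (operator's home directory is /root); this is
why step 12 shows uid=operator being added together with uid=root. The
exact-name variant below avoids that. All sample data is constructed."""

BASE_DN = "dc=adminmart,dc=com"   # assumption: the page's base DN

# Constructed stand-in for /etc/passwd (not read from the real file).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
operator:x:11:0:operator:/root:/sbin/nologin
test1:x:501:501:Test One:/home/test1:/bin/bash
test2:x:502:502::/home/test2:/bin/bash
"""


def grep_style(pattern, passwd_text):
    """Mimic 'grep pattern /etc/passwd': match the pattern anywhere in the line."""
    return [line for line in passwd_text.splitlines() if pattern in line]


def exact_records(name, passwd_text):
    """Only the record whose user-name field (field 1) is exactly `name`."""
    return [line for line in passwd_text.splitlines()
            if line.split(":")[0] == name]


def passwd_to_ldif(record, base_dn=BASE_DN):
    """One passwd record -> one LDIF entry under ou=People,<base_dn>.

    userPassword is deliberately not emitted: the hash lives in /etc/shadow,
    and the migration script copies it (with a {crypt} prefix) only when run
    as root. The objectClass set is an assumption matching migrate_passwd.pl's
    posixAccount output, minus the shadowAccount attributes."""
    user, _pw, uid, gid, gecos, home, shell = record.split(":")
    lines = [
        f"dn: uid={user},ou=People,{base_dn}",
        f"uid: {user}",
        f"cn: {gecos or user}",
        "objectClass: account",
        "objectClass: posixAccount",
        "objectClass: top",
        f"uidNumber: {uid}",
        f"gidNumber: {gid}",
        f"homeDirectory: {home}",
        f"loginShell: {shell}",
    ]
    return "\n".join(lines) + "\n"


def ldif_for_users(names, passwd_text=SAMPLE_PASSWD, base_dn=BASE_DN):
    """LDIF document for the named accounts. Entries are separated by a
    blank line, which is how ldapadd tells one entry from the next."""
    entries = []
    for name in names:
        for rec in exact_records(name, passwd_text):
            entries.append(passwd_to_ldif(rec, base_dn))
    return "\n".join(entries)


def entry_dns(ldif_text):
    """DNs of the entries in an LDIF document, in order."""
    return [line[4:] for line in ldif_text.splitlines() if line.startswith("dn: ")]


if __name__ == "__main__":
    print("grep-style matches for 'root':", len(grep_style("root", SAMPLE_PASSWD)))
    print(ldif_for_users(["root", "test1", "test2"]))
```

Running the module prints 2 for the grep-style count (root and operator) and three entries separated by blank lines; feeding that output to ldapadd as in step 12 adds exactly the accounts named, nothing else.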

Tinyproxy

Tinyproxy is a light-weight HTTP/HTTPS proxy daemon for POSIX operating systems. Designed from the ground up to be fast and yet small, it is an ideal solution for use cases such as embedded deployments where a full featured HTTP proxy is required, but the system resources for a larger proxy are unavailable.

Tinyproxy is distributed using the GNU GPL license (version 2 or above).

Features

Tinyproxy has a small footprint and requires very little in the way of system resources. The memory footprint tends to be around 2 MB with glibc, and the CPU load increases linearly with the number of simultaneous connections (depending on the speed of the connection). Thus, Tinyproxy can be run on an older machine, or on a network appliance such as a Linux-based broadband router, without any noticeable impact on performance.

Tinyproxy requires only a minimal POSIX environment to build and operate. It can use additional libraries to add functionality though.

Tinyproxy allows forwarding of HTTPS connections without modifying traffic in any way through the CONNECT method (see the ConnectPort directive).

Tinyproxy supports being configured as a transparent proxy, so that a proxy can be used without requiring any client-side configuration. You can also use it as a reverse proxy front-end to your websites.

Using the AddHeader directive, you can add/insert HTTP headers to outgoing traffic.

If you’re looking to build a custom web proxy, Tinyproxy is easy to modify to your custom needs. The source is straightforward, adhering to the KISS principle. As such, it can be used as a foundation for anything you may need a web proxy to do.

Tinyproxy has privacy features which can let you configure which HTTP headers should be allowed through, and which should be blocked. This allows you to restrict both what data comes to your web browser from the HTTP server (e.g., cookies), and to restrict what data is allowed through from your web browser to the HTTP server (e.g., version information).

Using the remote monitoring facility, you can access proxy statistics from afar, letting you know exactly how busy the proxy is.

You can configure Tinyproxy to control access by only allowing requests from a certain subnet, or from a certain interface, thus ensuring that random, unauthorized people will not be using your proxy.

With a bit of configuration (specifically, making Tinyproxy created files owned by a non-root user and running it on a port greater than 1024), Tinyproxy can be made to run without any special privileges, thus minimizing the chance of system compromise. Furthermore, it was designed with an eye towards preventing buffer overflows. The simplicity of the code ensures it remains easy to spot such bugs.

1. Download & install tinyproxy

On Ubuntu/Debian, you can do this with the command "sudo apt-get install tinyproxy" or use the Synaptic package manager in Ubuntu. Other flavors of Linux may have tinyproxy available via their own package system (rpm, yum), or you can download the source here:
https://www.banu.com/tinyproxy/download/

2. Configure tinyproxy

Use a text editor (e.g. nano, vi) to change these lines in the tinyproxy config file.

/etc/tinyproxy/tinyproxy.conf

Code:
# Change loglevel to connect, or even Warning to limit log traffic
LogLevel Connect

# Port to listen on.  Select a random 4-digit number.  Well-known ports are being filtered.
Port 7562

# Filter based on URLs rather than domains.
FilterURLs On

# Comment out any other Allow statements, replace with these below
Allow 127.0.0.1
# The IP below should be your computer's external IP
Allow x.x.x.x
# Allow these Iranian IPs.  IP list from http://bit.ly/10f1ai 
Allow 62.60.128.0/17
Allow 62.193.0.0/19
Allow 62.220.96.0/19
Allow 77.36.128.0/17
Allow 77.77.64.0/18
Allow 77.104.64.0/18
Allow 77.237.64.0/19
Allow 77.237.160.0/19
Allow 77.245.224.0/20
Allow 78.38.0.0/15
Allow 78.109.192.0/20
Allow 78.110.112.0/20
Allow 78.111.0.0/20
Allow 78.154.32.0/19
Allow 78.157.32.0/19
Allow 78.158.160.0/19
Allow 79.127.0.0/17
Allow 79.132.192.0/19
Allow 79.170.144.0/21
Allow 79.175.128.0/18
Allow 80.66.176.0/20
Allow 80.69.240.0/20
Allow 80.71.112.0/20
Allow 80.75.0.0/20
Allow 80.191.0.0/16
Allow 80.242.0.0/20
Allow 80.253.128.0/20
Allow 80.253.144.0/20
Allow 81.12.0.0/17
Allow 81.28.32.0/20
Allow 81.28.48.0/20
Allow 81.31.160.0/20
Allow 81.31.176.0/20
Allow 81.90.144.0/20
Allow 81.91.128.0/20
Allow 81.91.144.0/20
Allow 82.99.192.0/18
Allow 82.115.0.0/19
Allow 83.147.192.0/18
Allow 84.47.192.0/18
Allow 84.241.0.0/18
Allow 85.9.64.0/18
Allow 85.15.0.0/18
Allow 85.133.128.0/17
Allow 85.185.0.0/16
Allow 85.198.0.0/18
Allow 86.109.32.0/19
Allow 87.107.0.0/16
Allow 87.247.160.0/19
Allow 87.248.128.0/19
Allow 89.144.128.0/18
Allow 89.165.0.0/17
Allow 89.221.80.0/20
Allow 89.235.64.0/18
Allow 91.98.0.0/15
Allow 91.184.64.0/19
Allow 91.186.192.0/19
Allow 91.206.122.0/23
Allow 91.208.165.0/24
Allow 91.209.242.0/24
Allow 91.212.16.0/24
Allow 91.212.19.0/24
Allow 91.212.252.0/24
Allow 92.42.48.0/21
Allow 92.50.0.0/18
Allow 92.61.176.0/20
Allow 92.62.176.0/20
Allow 92.242.192.0/19
Allow 93.110.0.0/16
Allow 93.190.24.0/21
Allow 94.74.128.0/18
Allow 94.101.128.0/20
Allow 94.101.176.0/20
Allow 94.101.240.0/20
Allow 94.139.160.0/19
Allow 94.182.0.0/15
Allow 94.184.0.0/17
Allow 94.232.168.0/21
Allow 94.241.128.0/18
Allow 95.38.0.0/16
Allow 95.80.128.0/18
Allow 95.81.64.0/18
Allow 95.82.0.0/18
Allow 95.82.64.0/18
Allow 95.130.56.0/21
Allow 95.130.240.0/21
Allow 188.34.0.0/16
Allow 188.93.64.0/21
Allow 188.121.96.0/19
Allow 188.121.128.0/19
Allow 188.136.128.0/17
Allow 188.158.0.0/15
Allow 193.189.122.0/23
Allow 194.225.0.0/16
Allow 195.146.32.0/19
Allow 212.16.64.0/19
Allow 212.33.192.0/19
Allow 212.50.224.0/19
Allow 212.80.0.0/19
Allow 212.95.128.0/19
Allow 212.120.192.0/19
Allow 213.176.0.0/19
Allow 213.176.32.0/19
Allow 213.176.64.0/18
Allow 213.195.0.0/18
Allow 213.207.192.0/18
Allow 213.217.32.0/19
Allow 213.233.160.0/19
Allow 217.11.16.0/20
Allow 217.24.144.0/20
Allow 217.25.48.0/20
Allow 217.64.144.0/20
Allow 217.66.192.0/20
Allow 217.66.208.0/20
Allow 217.146.208.0/20
Allow 217.172.96.0/19
Allow 217.174.16.0/20
Allow 217.218.0.0/15
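The Allow list above is the whole access control for the proxy: a client is served only if its address falls inside one of those networks. The following example is added here and is not Tinyproxy's own code; it parses a constructed fragment of the configuration in the same Port/Allow format, answers whether a given client address would be accepted, and runs the checks a reviewer would want over the list (no Allow lines at all, a privileged port, very wide ranges). The sample address 203.0.113.10 stands in for the page's x.x.x.x placeholder and the width threshold is an assumption.

```python
"""Added example (not part of Tinyproxy): evaluate a tinyproxy.conf Allow
list the way the proxy does, and flag settings worth a second look."""
import ipaddress

# Constructed tinyproxy.conf fragment: a subset of the page's Allow list,
# with 203.0.113.10 standing in for the x.x.x.x placeholder.
SAMPLE_CONF = """\
LogLevel Connect
Port 7562
FilterURLs On
Allow 127.0.0.1
# constructed stand-in for the page's x.x.x.x (your own external IP)
Allow 203.0.113.10
Allow 62.60.128.0/17
Allow 78.38.0.0/15
Allow 217.218.0.0/15
"""

# Assumption: anything wider than a /16 is worth flagging for review.
BROAD_RANGE = 2 ** 16


def parse_conf(text):
    """Return (port, [ip_network, ...]) from the Port and Allow directives.
    Comments (from '#' to end of line) and blank lines are ignored."""
    port = None
    allowed = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "port":
            port = int(value)
        elif key == "allow":
            # A bare address such as 127.0.0.1 is treated as a single host.
            allowed.append(ipaddress.ip_network(value, strict=False))
    return port, allowed


def is_allowed(client_ip, networks):
    """True when client_ip lies inside at least one Allow network."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)


def config_findings(text):
    """Review checks over the fragment; returns a list of human-readable notes."""
    port, networks = parse_conf(text)
    findings = []
    if not networks:
        # Tinyproxy accepts every client when no Allow/Deny rule is present.
        findings.append("no Allow directives: every client would be accepted")
    if port is not None and port < 1024:
        findings.append(f"Port {port} is below 1024 and needs root to bind")
    for net in networks:
        if net.num_addresses > BROAD_RANGE:
            findings.append(f"broad Allow range {net} ({net.num_addresses} addresses)")
    return findings


if __name__ == "__main__":
    port, nets = parse_conf(SAMPLE_CONF)
    print(f"listening on {port}; {len(nets)} Allow networks")
    for ip in ("127.0.0.1", "78.39.1.1", "78.40.0.1"):
        print(ip, "allowed" if is_allowed(ip, nets) else "rejected")
    for note in config_findings(SAMPLE_CONF):
        print("finding:", note)
```

With the sample fragment the two /15 ranges are reported as broad; whether that is acceptable depends on who the proxy is meant to serve, which is the judgement the Allow list encodes. Pointing the functions at the real file (for example `parse_conf(open("/etc/tinyproxy/tinyproxy.conf").read())`) gives the same answers for the deployed configuration.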

Now create/edit the filter file, which will contain addresses to block for the proxy. This file may be blank, but I just added a well-known useless address for demonstration.

/etc/tinyproxy/tinyproxy.conf

Code:
goatse.cx

3. Set up a cron job to restart tinyproxy daily.

This can help tinyproxy clear any memory leaks if it sees a lot of heavy load. Note that I had to use separate start/stop jobs, since the restart script wouldn't restart the proxy reliably.

Add these lines to /etc/tinyproxy/tinyproxy.conf

Code:
0 15 * * * root /etc/init.d/tinyproxy stop
1 15 * * * root /etc/init.d/tinyproxy start

You will want to change the hour value (15 in the example above, i.e. 3pm) to something that is sympathetic to Tehran's timezone, i.e. don't restart the proxy at 12pm Tehran time.

4. Restart tinyproxy to make the new settings take effect.

Do these 2 commands one after another at the shell prompt:

Code:
sudo /etc/init.d/tinyproxy stop
sudo /etc/init.d/tinyproxy start

5. Pass only your new proxy address to where it’s needed.

The address for your new proxy to pass along will be…

http://x.x.x.x:7562