Aug 23

LDAP Installation and Configuration for User Authentication

Installation of LDAP Server LDAP

(Lightweight Directory Access Protocol) allows central user, group, domain….. authentication, information storage … Using LDAP in a local network, you can allow your users to login and authenticate from anywhere on your network. This tutorial will be split in 2 parts. In the first part, I will explain how-to install, configure the LDAP server, add a few users and group, in the second part, we will set up Linux client to authenticate through LDAP if the user does not exist on the local filesystem. In this tutorial, I will suppose that our LDAP server is located at All machines in the network can resolve the host name ldap to The LDAP server is going to manage domain debuntu.local. The server runs Debian 6.03

LDAP Installation?

#apt-get install slapd ldap-utils migrationtools
#apt-get install ssh nmap

check whether Ldap is running or not.

#nmap -p 389 localhost

Restart ldap server

#/etc/init.d/slapd restart
#ldapsearch -x -h localhost -b ‘dc=wakhok,dc=ac,dc=jp’

Inserting User information in Ldap database

Frist of all create a entry named People and Group. create a file people.ldif

vi people.ldif
dn: ou=people,dc=wakhok,dc=ac,dc=jp
objectClass: top
objectClass: organizationalUnit
ou: People

Similarly create a file group.ldif

vi group.ldif
dn: ou=Group,dc=wakhok,dc=ac,dc=jp
objectClass: top
objectClass: organizationalUnit
ou: Group

Add to ldap Database

ldapadd -x -h localhost -D ‘cn=admin,dc=wakhok,dc=ac,dc=jp’ -W -f people.ldif
ldapadd -x -h localhost -D ‘cn=admin,dc=wakhok,dc=ac,dc=jp’ -W -f group.ldif

Now we must enter linux user information to Ldap database. Lets make a file data.ldif so that we can add to database using this file

dn: uid=gopal,ou=people,dc=wakhok,dc=ac,dc=jp
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: extensibleObject
#objectClass: inetOrgperson
uid: gopal
cn: gopal
sn: gopal
uidNumber: 1009
gidNumber: 1000
loginshell: /bin/bash
homeDirectory: /home/gopal
gecos: gopal
givenName: gopal
telephoneNumber: 090-8429-402

Add to database using following command

#ldapadd -x -h localhost -D ‘cn=admin,dc=wakhok,dc=ac,dc=jp’ -W -f data.ldif

Use the following command to generate the ‘Userpassword’ entry and copy-paste in the file.

# /usr/sbin/slappasswd -h ‘{CRYPT}’
New password:
Re-enter new password:

LDAP client configuration

Install nss-ldap

apt-get install libnss-ldap

you will have to enter the URI of Ldap server, base value of Ldap server and Ldap V3 in the series of screens that appear The message which says that nsswitch.conf cannot be configured automatically will be displayed. Inorder to check the configuration, check the file /etc/libnss-ldap.conf

In line 24:

base dc=wakhok,dc=ac,dc=jp

In line 27:


In line 53:

rootbinddn cn=admin,dc=wakhok,dc=ac,dc=jp

Now edit the file /etc/nsswitch.conf which must be as :

# /etc/nsswitch.conf
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference’ and `info’ packages installed, try:
# `info libc “Name Service Switch”‘ for information about this file.#passwd: compat ldap
#group: compat ldappasswd: files ldap
shadow: files ldap
group: files ldaphosts: files dns ldap
networks: files ldap

protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: ldap

Install pam-ldap

apt-get install libpam-ldap

you will be asked two questions both the answers should be ‘NO’
Edit the file /etc/pam.d/common-auth

auth [success=2 default=ignore] nullok_secure
auth [success=1 default=ignore] use_first_pass
auth requisite pam_deny.soauth require
auth optional

Edit the file /etc/pam.d/common-account

account [success=2 new_authtok_reqd=done default=ignore]
account [success=1 default=ignore]
account requisite
account required

edit the file /etc/pam.d/common-password

password [success=2 default=ignore] obscure sha512
password [success=1 user_unknown=ignore default=die] se_authtok try_first_pass
password requisite
password required
password optional

edit the file /etc/pam.d/common-session

session [default=1]
session requisite
session required
session required
session optional
session optional nox11 session

edit the file /etc/pam.d/common-session-non-interactive

session [default=1]
session requisite
session required
session required
session optional

Now restart the nscd server at client

/etc/init.d/nscd restart

Cheeers !!

Written by: Dibesh Shrestha

May 04

Setting up SSL — Apache 2

This document requires that you've got a signed server.crt and a server.key file available. You may have just gone through my page Creating Certificate Authorities and self-signed SSL certificates. If not, go there first and follow the instructions.

The remaining steps involve Apache and other tweaks detailed step-by-step below. This file was originally written for Ubuntu 6.06, but has been kept current and verified with 10.04 Lucid Lynx. It should work with most/all releases in between -- and probably Debian-based distros in general, with little or no modification.

(1) Preliminaries and Packages.

If you have a registered DNS name, be sure that you properly set it up. On the Gnome console: System->Administration->Networking:General. Your host/domain name here should match the one you'll be using in later steps. You can also edit /etc/hosts directly if you're comfortable with that route.

If you haven't done so already, use apt-get, Synaptic or some other tool to get and install Apache 2. I prefer apache2-mpm-prefork. You should also have openssl by this point.

(2) Copy the server.crt and server.key files into position.

This step suggests putting certificate-related files in this location: /etc/apache2/ssl. If the "ssl" directory doesn't already exist there, go ahead and mkdir it now.

Then copy the server.key and server.crt files into position:

cp server.key /etc/apache2/ssl
cp server.crt /etc/apache2/ssl

(3) Enable ssl.

You'll want to run the /usr/sbin/a2enmod script. If you look at this script, it's simply a general purpose utility to establish a symlink between a module in /etc/apache2/mods-available to /etc/apache2/mods-enabled (or give a message to the effect that a given module doesn't exist or that it's already symlinked for loading).

a2enmod ssl

(4) Create a stub SSL conf. file (if needed) and establish a necessary symlink.

NOTE. Ubuntu 10.04 already ships with a stub SSL conf file (/etc/apache2/sites-available/default-ssl), so you won't need to copy the 'default' conf as a stub for the 'default-ssl' conf -- but you will STILL need a symlink between it and the sites-enabled directory.

So if using an Ubuntu prior to ~10.04:


/etc/apache2/sites-available/default /etc/apache2/sites-available/default-ssl

For all versions of Ubuntu:

Next, establish a symlink from the 'available' default-ssl file to the 'enabled' file. The symlinking methodology between those two directories is similar in philosophy to mods-available and mods-enabled (previous step). The general idea is that enabled files exist as symlinks created to their available counterparts. Ubuntu prefixes '000-' in front of the default file, so we may as well keep the same convention with default-ssl:

ln -s /etc/apache2/sites-available/default-ssl /etc/apache2/sites-enabled/000-default-ssl

(5) Set up the document roots.

The default location for HTML pages with an initial install of Ubuntu is /var/www and there exists no separate place for ssl files. I prefer to serve up basic HTML pages in /var/www/html and SSL pages in /var/www-ssl/html. Whatever works for you. But at this point I create the directories.

cd /var/www
mkdir html
cd /var
mkdir www-ssl
cd www-ssl
mkdir html

(6) Configure virtual hosts.

su to the superuser and make a backup of the original Apache configuration file. Call it whatever you want. My practice is to add "_original" to any default configuration file before I make changes -- in case I need to revert. You should not make a backup of the following file in the sites-enabled directory, since both the original and backup will be loaded when you restart Apache. Also note that a symlink exists from /etc/apache2/sites-enabled/000-default to /etc/apache2/sites-available/default. Back it up in the sites-available directory or some other location outside of Apache altogether.

sudo su
cd /etc/apache2/sites-available
cp /etc/apache2/sites-available/default default_original

(Note: If using Ubuntu 10.04+ you may want to backup the original SSL conf also):
cp /etc/apache2/sites-available/default-ssl default-ssl_original

Now you need to declare the IP of your box (or FQDN/DNS name) and document roots you created in a previous step.

To configure HTTP over port 80 (edit /etc/apache2/sites-available/default):

NameVirtualHost *:80
(Note: Look down just a bit and make a change to the virtual host settings.)

ServerName localhost
DocumentRoot /var/www/html/
(Note: Use your assigned IP or DNS name followed with ":80" if you have one for ServerName).

Similar procedure for HTTPS over port 443 (edit /etc/apache2/sites-available/default-ssl):

NameVirtualHost *:443
(Note: Look down just a bit and make a change to the virtual host settings.)

ServerName localhost
DocumentRoot /var/www-ssl/html/
(Note: Again, use your assigned IP or a DNS name followed with ":443" if you have one for ServerName.)

(7) Instruct Apache to listen to 443.

Go to this file /etc/apache2/ports.conf and add the following to it:

Listen 443

I noted that starting with Ubuntu 7.10 (or thereabouts), the ports.conf may already have an IfModule clause in it for the SSL portion. If you see this, you can just leave it as-is:

Listen 443

(8) Turn on the SSL engine.

Make sure the following are in your default-ssl file. The SSLengine should be on, and the cert and key should be properly pathed:

SSLEngine On
SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key

(9) Make an /etc/hosts tweak (if need be) -- and restart apache.

When starting and stopping Apache there may be a complaint such as "Could not determine the server's fully qualified domain name, using for ServerName". You may encounter this if you don't have a DNS name for your server, and are just using an IP. If this applies to you, go into your /etc/hosts file and make the following changes. Basically, we'll be adding "localhost.localdomain" to the IP and whatever system name you chose when you installed Ubuntu (assuming you've not changed it). The final line below should be there if you have a static IP, and corresponding DNS name registered to it. If this is the case, earlier steps that wanted ServerName should have a value which corresponds to the DNS name also indicated here. localhost localhost.localdomain {your system name} {your system name}
{static IP if you you have one} {fully qualified DNS host name if you have one}

It may be that I first noticed additional behavior with Ubuntu 8.04 Hardy Heron. If you don't have a fully qualified domain name (FQDN) for your box, you may need to make an additional tweak. In your /etc/apache2/apache2.conf file, you may want to add the following line at the very end of the file if Apache is still complaining about lacking a fully qualified domain name at startup:

ServerName localhost

Restart Apache.

cd /etc/init.d
./apache2 restart

Done -- test it out!

Nov 28

Postfix Mail Setting : Tutorial Step by Step

(Note: I have written this tutorial for FreeBSD server)

First Install Apache in your server.


cd /usr/ports/www/apache22
make install
echo ‘apache22_enable=”YES”‘ >> /etc/rc.conf

Install Postfix on FreeBSD

Installing Postfix mail server on FreeBSD server from ports is easy. Just type two commands, you will be ready to go

# cd /usr/ports/mail/postfix-current
# make install clean

Installation ask you few questions, just enter y for yes. After   installation is finished, you need to disable sendmail and enable   postfix, this can be done by modifying /etc/rc.conf
# vi /etc/rc.conf

Add following line to end of /etc/rc.conf file






Now reboot the server, on booting up, you will be using postfix as your mail server.

# /usr/local/etc/rc.d/ start
/usr/local/etc/rc.d/ stop

You can also set a symlink from /etc/postfix to /usr/local/etc/postfix

# cd /etc # ln -s /usr/local/etc/postfix

Now, Test your postfix server either working or not.

# telnet localhost 25

You will get following message

Connected to localhost.
Escape character is ‘^]’.
220 ESMTP Postfix

If you input


Output is like this


Send a test email in your mailbox

mail from: <>
250 2.1.0 Ok

rcpt to: <>
250 2.1.5 Ok
354 End data with <CR><LF>.<CR><LF>
Subject: Hello This mail is Coming from Postfix Server
I just wanted to send some test mail to you :-)

Good bye !
250 2.0.0 Ok: queued as B95C8110064


You are done Check your mailbox either it is arriving or not. If arrived !!!

Cheers !!


Nov 09

Secure Remote login through ssh


OpenSSH is a FREE version of the SSH connectivity tools that technical users of the Internet rely on. Users of telnet, rlogin, and ftp may not realize that their password is transmitted across the Internet unencrypted, but it is. OpenSSH encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other attacks. Additionally, OpenSSH provides secure tunneling capabilities and several authentication methods, and supports all SSH protocol versions.

Here is a brief tutorial for easy setup.
Install SSH

apt-get install ssh

Study following tutorial thoroughly and setup your unix/linux machine secure.


Create Public and private keys from openssh and save it to your local computer by following command in your unix machine.


$ssh-keygen –t rsa

2 keys are

  • (Public Key)
  • id_rsa (Private Key)

Step 2:
Change the mode of public key

$chmod 600

Step 3:
Transport the key to the server

$scp user@host:~/directory path

Step 4:

Make a .ssh directory in the home of the user

$mkdir .ssh

Step 5:
Change the key to authorized key in .ssh folder.

$cat >>authorized_keys

(Multiple Public can pe kept in server with same name either dsa key or rsa key from putty or linux)

Client Setting
Make directory .ssh in home of the user at local.

$mkdir .ssh

$cp id_rsa.ssh/

Now Connect your server with the key you generated by following command.

$ssh user@host

Connecting Server with PuTTY Key

Download PuTTY Installer from the following link

Step 1.

Install the Putty in your local windows machine.

Step 2.

Generating Key pairs from PuTTYgen. Move your mouse during key generation.

Save your public key and private key in your folder.

Step 3.

Transport the key to the server

$scp id_rsa user@host:~/directory path

Step 4 .

Make a .ssh directory in the home of the user

$mkdir .ssh

Step 5 .

Transforming putty key into open-ssh key

In order to translate putty key into open-ssh key, you need to have ssh-keygen tool in your computer

$ssh-keygen –i –f putty_pu_key>> authorized_keys


Putty Setting

  1. Start putty
  2. Make a new session
  3. Set server ip in the Host/IP address form as shown in figure below
  4. Save the session as per the name of your server as shown in figure(pc1f044@feeBSD)
  5. Set the private key in the putty as shown in figure.
  6. -go to ssh

    -click auth

  7. give path of your private key.
  8. Save your session
  9. Connect to the server.
  10. Congratulation

Disable Password Authentication

Use your favourite text editor Vim to edit /etc/ssh/sshd_config on the machine you wish to ssh to, and set these options.

ChallengeResponseAuthentication no

PasswordAuthentication no

UsePAM no

Restart ssh server

$sudo /etc/init.d/sshd restart (Linux)

$/etc/rc.d/sshd restart (FreeBSD)

Cheers !!

Nov 08

The following signatures couldn’t be verified because the public key is not available

Re: gpg error intrepid Release
What you need to do, is the following:

Open gnome-terminal and enter the following:

gpg –keyserver –recv C71839136CF5CE97
(replace “C71839136CF5CE97″ by the code in your error message)

Then enter the following:

gpg –export –armor C71839136CF5CE97 | sudo apt-key add -
(here again, replace “C71839136CF5CE97″ by the code in your error message)

Then, to finish off, enter the following:

sudo apt-get update

Nov 08

Teamviewer for Linux as a service


General Question:

I have installed the new Teamviewer Beta for Linux onto my computer which is running Debian 6.0.1. It is working awesome! However right now, if I need for any reason to restart my home computer (debian) I can not logon to my computer again as Teamviewer is down.

So my question is, how can I either
1) setup teamviewer to start as a service as soon as the computer has started, and not me logging in yet. or
2) start teamviewer from command line?

Thanks for any help on the subject.

Solution 1 :

go to system / preferences / startup applications and add teamviewer to it

Solution 2 :

You could try to make shell script like this one: 


or whatever is the path to the teamviewer executable, save it to:


and change permission:

chmod 777 /etc/init.d/teamviewer

create lin

ln -s /etc/init.d/teamviewer /etc/rc5.d/S99teamviewer

and it should start with the machine regardless of the fact that no user has yet done login.
/etc/rc5.d/ is the directory where startup scripts are located (default init level is 5, that’s why it is named rc5.d). Scripts whose names start with capital “S” are executed in alphabetical order, starting from S00 to S99.
Following the analogy, the directory /etc/rc0.d/ contains stop script executed when machine goes down. Their names begin with “K” starting from K00 to K99.

Nov 04

Domain Name System (DNS) Setting Step by Step

(Note: Here I am Describing DNS Setting in FreeBSD. I hope this tutorial is helpful for Linux and other BSD distribution. )
FreeBSD utilizes, by default, a version of BIND (Berkeley Internet Name Domain), which is the most common implementation of the DNS protocol. DNS is the protocol through which names are mapped to IP addresses, and vice versa. For example, a query for will receive a reply with the IP address of my blog server, whereas, a query for will return the IP address of the corresponding FTP machine. Likewise, the opposite can happen. A query for an IP address can resolve its hostname. It is not necessary to run a name server to perform DNS lookups on a system.

Starting BIND

The default named configuration is that of a basic resolving name server, running in a chroot environment, and restricted to listening on the local IPv4 loopback address ( To start the server one time with this configuration, use the following command:

# /etc/rc.d/named onestart
To ensure the named daemon is started at boot each time, put the following line into the /etc/rc.conf:


There are obviously many configuration options for /etc/namedb/named.conf that are beyond the scope of this document. However, if you are interested in the startup options for named on FreeBSD, take a look at the named_* flags in /etc/defaults/rc.conf and consult the rc.conf(5) manual page. The Section 12.7 section is also a good read.

Configuration Files

Configuration files for named currently reside in /etc/namedb directory and will need modification before use unless all that is needed is a simple resolver. This is where most of the configuration will be performed.

options {
directory “/etc/namedb”;
pid-file “/var/run/named/pid”;
dump-file “/var/dump/named_dump.db”;
statistics-file “/var/stats/named.stats”;
allow-update {key rndc;};

zone “.”{
type hint;
file “named.root”;

zone “” {
type master;
file “master/”;

zone “” {
type master;
file “master/”;


zone “” {

type master;
file “master/”;


zone “localhost” {
type master;
file “master/”;

zone “” {
type master;
file “master/localhost.rev”;

# You don’t need to write rndc-key as you will generate and write later in this file.
key “rndc-key” {
algorithm hmac-md5;
secret “IZKpqlIsx87wJrjoc8vTbA==”;


$TTL 86400
@ IN SOA (




$TTL 86400
@ IN SOA (



$TTL 60800
@ IN SOA (


localhost. IN A


$TTL 60800
@ IN SOA (


1 IN PTR localhost

Enable named in rc.conf by


The /etc/rc.conf file is in my case is as below.

# — sysinstall generated deltas — # Wed Nov 2 17:47:31 2011
# Created: Wed Nov 2 17:47:31 2011
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.

Create rndc-key by following command

/usr/sbin/rndc-confgen -a -r keyboard

Start typing whatever you like until it says stop typing

send your key to name.conf by following command. First you must go to /etc/namedb

cat rndc.key >> named.conf

Restart named by following Command

/etc/rc.d/named restart < br /> or
/etc/rc.d/named stop< br /> /etc/rc.d/named start

It may give following error

named: the working directory is not writable

To fix this error, edit the following file:



/set type=dir uname=root gname=wheel mode=0755


/set type=dir uname=bind gname=wheel mode=0755

Then restart bind:

/etc/rc.d/named restart

Change ownership for named

# chown -R bind /var/named

Now You will must see the success reply

# /etc/rc.d/named start
. changed
user expected 0 found 53 modified
etc changed
user expected 0 found 53 modified
etc/namedb changed
user expected 0 found 53 modified
etc/namedb/master changed
user expected 0 found 53 modified
var changed
user expected 0 found 53 modified
Starting named.

Now you can dig using following command.

dig @ A

You must get Query: 1, Answer :1 …………..

Also, do nslookup


You will get server and Nameserver Host and IP.

Cheers !!

Jul 08

How To Install Windows 7 From USB Drive

  • Use a USB Key to Install Windows 7—Even on a Netbook

    Keeping the Windows 7 installation on a USB thumb drive has a few advantages—a small USB key is much more convenient for carrying around than a DVD, the OS will actually install much faster, and you can use a USB key to install Windows 7 on systems that do not have a DVD drive, such as a netbook. In fact, you can even install Windows 7 on netbooks that have fairly modest hardware. Dennis Chung, an IT Pro Evangelist at Microsoft recently posted a video demonstrating how easy it is to prepare your thumb drive and use it to install Windows 7. Here’s a quick look at the process:

  • First, you’ll need the DiskPart utility on the system you will use to prep the thumb drive. This is a free disk partitioning utility that is likely already installed on your Windows system. If not, you can download DiskPart here.
  • Launch the DiskPart utility by typing.
  • diskpart
  • Then run the list disk command to check the status of your drive.
  • list disk
  • Now run select disk 1 where the “1″ is actually the corresponding number of your USB drive.
  • select disk 1
  • Run clean.
  • clean
  • Once the thumb drive is clean, you can run create partition primary.
  • create partition primary
  • Now make the partition active by entering active
  • active
  • Then you need to set up the file system as Fat32 by running format fs=fat32 quick (quick, of course, specifies that you want to perform a quick format to speed up the process).
  • format fs=fat32 quick

    format fs=ntfs quick

Entering the assign command gives the USB drive a drive letter, making it easy to access from Windows Explorer


Then you can copy everything from the Windows 7 installation DVD onto the USB key (a simple drag and drop will do).

  • Now you can insert the thumb drive into the system you want to install Windows 7 onto and boot the system. The installation will now proceed as usual—but faster.

Jun 10

Recover from Unmounted VI : rc.conf Mistakenly Typed

Reboot your System.


Choose Single User mode from list. (Press F4)

Enter full path name of shell or RETURN for /bin/sh:

now your single usermode is enable.
Now the problem is even entered /bin/sh, still do not have any function can
change this configuration file, even “vi” is not available

After entering the single user mode, only your root filesystem
is mounted. If /usr (vi lives in /usr/bin) is a separate
filesystem, you have to mount it first. Try

# mount -a -t ufs
# /usr/bin/vi /etc/rc.conf

Change your /etc/rc.conf

reboot your system after cleaning your file.



May 27

Mount Removable Drive in Unix

A computer running Linux may only make a few drives (e.g., partitions on a hard disk or on a flash drive) available, among all drives recognized by the system. Unlike Windows, Linux does not keep independent folder hierarchies on separate drives designated by different letters. Linux integrates the files stored on separate drives into the same folder hierarchy. Users add a new drive by “mounting” it, that is, by designating a folder in the global hierarchy under which the contents of the new drive will be placed. You can easily mount and unmount drives on Linux.


Insert your USB Removable drive.
You will similar message

kernel: umass0: vendor 0×0000 USB Mass Storage Device, rev 2.00/1.00, addr 2
kernel: da0 at umass-sim0 bus 0 target 0 lun 0
kernel: da0:
Removable Direct Access SCSI-2 device
kernel: da0: 40.000MB/s transfers
kernel: da0: 2000MB (4048000 512 byte sectors: 64H 32S/T 1000C)

Make a folder for mounting your drive data.

mkdir mnt

Now, Mount your drive.

mount_msdosfs /dev/da0s1 /mnt

Now you can check your data

Add or copy your data as per your need.


Finally, Unmount your removable drive with following command.


To pull out the USB memory unmounted.

Older posts «