MV

Monday, July 25, 2011

Configuring OpenLDAP on Ubuntu Server

This message shows you an easy setup of OpenLDAP. I configured this to test a new ejabberd clustering setup using Ubuntu Servers. So I decided, why not integrate OpenLDAP with the ejabberd cluster, which is likely a more useful setup.

Most of the documentation is taken from https://help.ubuntu.com/community/OpenLDAPServer.

Setup:
Simple Dual-core server 1024 MB RAM, running Ubuntu Server 9.04.
Make sure that you are connected to the Internet and that you are logged on as
root.

Installing the necessary packages:
* Install the following packages:
** slapd: ldap server daemon
** ldap-utils: ldap utilities
** db4.2-util: ?, not sure if this one is necessary

When installing these packages you will be asked for a password for the LDAP
directory administrator, which is not the root password of the server on which
you're installing OpenLDAP.

Reconfigure the LDAP tree:

$ dpkg-reconfigure slapd
Omit OpenLDAP server configuration? ... No
DNS domain name: ... example.com
Name of your organization: ... Whatever & Co
Admin Password: ******
Confirm Password: ******
OK
BDB
Do you want your database to be removed when slapd is purged? ... No
Move old database? ... Yes
Allow LDAPv2 Protocol? ... No


Check if ldap works:

$ ldapsearch -x -b dc=example,dc=com


Generate a hashed password with slappasswd:

$ slappasswd
New password:
Re-enter password:
{SSHA}d2BamRTgBuhC6SxC0vFGWol31ki8iq5m


This example shows the output when using "secret" as the password; your result
will differ, because {SSHA} adds a random salt on every run.

Create the file /etc/ldap/slapd.conf and add the following content:


suffix "dc=example,dc=com"
directory "/var/lib/ldap"
rootdn "cn=admin,dc=example,dc=com"
rootpw {SSHA}d2BamRTgBuhC6SxC0vFGWol31ki8iq5m


For rootpw, use the hash you generated with the slappasswd tool.

Edit the file /etc/ldap/ldap.conf and uncomment the following line:


BASE dc=example,dc=com


Restart the LDAP service:

/etc/init.d/slapd restart


Populating the LDAP Tree
------------------------
Now that your LDAP directory is ready, you can start populating it. This will
be a 'classical' entry intended to be very compatible with Unix accounts
(posix), directories (like addressbooks), and classical accounts (for web
applications). But really it's just a starting point.

An LDAP directory can be fed with an LDIF file (an "LDAP Data Interchange
Format" file). Create this file init.ldif somewhere on your system:


dn: dc=example,dc=com
objectClass: dcObject
objectClass: organizationalUnit
dc: example
ou: Example Dot Com

dn: cn=admin,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:

dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups

dn: uid=loboloco,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: loboloco
sn: Loco
givenName: Lobo
cn: Lobo Loco
displayName: Lobo Loco
uidNumber: 1000
gidNumber: 10000
userPassword:
gecos: Lobo Loco
loginShell: /bin/bash
homeDirectory: /home/lobo
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
mail: lobo.loco@example.com
postalCode: 31000
l: Brussels
o: Example
mobile: +32 (0)3 xxx xx xx
homePhone: +32 (0)475 xxx xxx
title: System Administrator
postalAddress:
initials: LL

dn: cn=example,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: example
memberUid: loboloco
gidNumber: 10000

dn: cn=example2,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: example2
gidNumber: 10001


In the example above, the directory structure, a user and group have been
defined. In other examples you might see the objectClass: top added in every
entry, but that is default behavior so you don't have to add it explicitly.

As with the LDAP root password, these passwords can be generated with
slappasswd using the MD5 or CRYPT hashing scheme (see man slappasswd).


Examples slappasswd:
(http://www.zytrax.com/books/ldap/ch14/)
Generate an SSHA password suitable for use as rootpw (in slapd.conf) or for use in a LDIF file for userPassword or authPassword attributes.


# no options required
slappasswd

# prompts twice for password string and then outputs
{SSHA}kjhfhfehflejhfvlldkl

# save to a file using normal re-direction
slappasswd > /tmp/slappassword

# generate {SSHA} encoding of password secret
slappasswd -s secret

# generate {MD5} encoding of password secret
slappasswd -s secret -h {MD5}


To place the output in an LDIF file or slapd.conf when GUI editing tools are
being used, save it to a file, then copy and paste it into the relevant file.
If vi is being used, navigate to the location in the file where the password
is to be inserted, then use :r !slappasswd [opts]; this runs the command and
inserts its stdout into the file being edited at the last cursor position.
Alternatively, save the output of slappasswd to a file, navigate to the insert
location in vi and execute :r /path/to/file, which inserts the file contents
at the last cursor location.

When you're done, write and close the file.
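
Before loading the file, it is worth checking that no userPassword was left blank or pasted in as cleartext. The script below is an added example, not part of the original post: check_ldif and sample_ldif are hypothetical names, the sample entries for alice and bob are constructed, and it also flags {MD5} and {SHA} because those schemes store an unsalted hash.

```shell
#!/bin/sh
# Added example (not from the original post): list LDIF entries whose
# userPassword is empty, cleartext, or hashed without a salt.
# check_ldif and sample_ldif are hypothetical names.

check_ldif() {
    # Reads the LDIF file named in $1, or stdin when no file is given.
    awk '
    function report(why) { printf "%s: %s\n", dn, why; bad++ }
    /^dn:/ { dn = $0; sub(/^dn:[ \t]*/, "", dn); next }
    /^userPassword::/ { next }      # base64-encoded value, not inspected here
    /^userPassword:/ {
        val = $0; sub(/^userPassword:[ \t]*/, "", val)
        scheme = toupper(val)
        if (val == "")                              report("empty userPassword")
        else if (val !~ /^[{][A-Za-z0-9-]+[}]/)     report("cleartext userPassword")
        else if (scheme ~ /^[{](MD5|SHA)[}]/)       report("unsalted hash scheme")
    }
    END { exit (bad > 0) }          # exit status 1 when anything was reported
    ' "${1:--}"
}

# Constructed sample in the shape of init.ldif, trimmed to dn and userPassword.
sample_ldif() {
    cat <<'EOF'
dn: cn=admin,dc=example,dc=com
userPassword:

dn: uid=loboloco,ou=people,dc=example,dc=com
userPassword: {SSHA}d2BamRTgBuhC6SxC0vFGWol31ki8iq5m

dn: uid=alice,ou=people,dc=example,dc=com
userPassword: secret

dn: uid=bob,ou=people,dc=example,dc=com
userPassword: {MD5}CONSTRUCTED-PLACEHOLDER==
EOF
}

sample_ldif | check_ldif || echo "fix the entries above before running slapadd"
```

Run it as check_ldif init.ldif; a non-zero exit status means at least one entry was reported.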

Now, add your entries to the LDAP:

stop LDAP daemon: /etc/init.d/slapd stop

delete the content that was automatically added at installation:
rm -rf /var/lib/ldap/*

add the new content: slapadd -l init.ldif

correct permissions on the database:
chown -R openldap:openldap /var/lib/ldap

start LDAP daemon: /etc/init.d/slapd start

Your LDAP Server is up and running.

Wednesday, June 22, 2011

startup script ubuntu

When creating a new script to be executed at the startup of Ubuntu, create the script in /etc/init.d.

For example 'foo'; google for examples of startup scripts, it can be anything...

Make the script executable: sudo chmod +x foo

And finally update the list of startup scripts: sudo update-rc.d foo defaults

Simple as that.

Tuesday, May 17, 2011

Increase duration of ringtones

When you get a call on your mobile, the duration of the dialing tone is 15s for most of the Belgian mobile providers before forwarding to voice mail. For some people this is too short, so here's a list of how you can increase the dialing tone for the various Belgian mobile providers. Just enter the code and press the dial button to activate the new duration. In the examples I set the duration to 30s.

Proximus: **61*+32475151516*11*30# or **61*+32475151516**30#
Base: **61*+32486191933**30# or *61*+32486191933**30#
Mobistar: **61*5555**30#
Telenet: **61*5555**30#

Apparently for Proximus you can only use this code if you have a post-paid formula; with Pay-And-Go (pre-paid) numbers the codes don't work.

Thursday, February 3, 2011

ssh with passphrase authentication

I need to ssh quite a lot and I'm getting tired of always entering my password, so I finally decided to make use of the passphrase authentication.

By far this is the easiest way:
ssh-copy-id -i path/to/id_rsa.pub user@ipaddress

You can also do this manually, which does the same as the ssh-copy-id command:

1. Check if you already have an rsa key-pair in the ~/.ssh directory. You should have the files id_rsa and id_rsa.pub (or another name-combo, e.g. loboloco and loboloco.pub).
If there isn't such a file combo, proceed with the next step, otherwise skip to step 3.
2. First generate an rsa key-pair on your local machine in ~/.ssh:

ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/dewolfth/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/loboloco/.ssh/id_rsa.
Your public key has been saved in /home/loboloco/.ssh/id_rsa.pub.
The key fingerprint is:
d9:c5:65:7d:6b:38:fe:a2:d5:d4:d9:fc:c9:88:a9:01 loboloco@blackfrancis
The key's randomart image is:
+--[ RSA 2048]----+
| o. |
| . o o|
| o . o|
| o . o ++|
| ES . . oo+|
| . o.= o|
| . o o.+.|
| o .. . |
| . .. . |
+-----------------+
loboloco@blackfrancis:~$

3. Copy the .pub file to the destination server (scp, rsync)
4. Connect to the server via ssh
5. Append the contents of the .pub file to the file ~/.ssh/authorized_keys: cat id_rsa.pub >> .ssh/authorized_keys

That should be it. When you connect again you won't have to enter your password anymore. Very handy if you have to commit code via ssh.
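
The manual steps 3 to 5, wrapped in a function that is run on the destination server. This is an added example, not part of the original post: install_pubkey is a hypothetical helper name, and the permission handling assumes sshd runs with its default StrictModes setting.

```shell
#!/bin/sh
# Added example (not from the original post): append a public key to
# authorized_keys as in steps 3-5, with the checks that are easy to forget.
# install_pubkey is a hypothetical helper name, not part of OpenSSH.

install_pubkey() {
    pub=$1                  # path to the copied .pub file
    home=${2:-$HOME}        # home directory of the account that will log in

    # Catch the classic slip of copying id_rsa (private) instead of id_rsa.pub.
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "refusing: $pub is a private key" >&2
        return 2
    fi
    key=$(head -n 1 "$pub")
    case $key in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "refusing: $pub is not an OpenSSH public key" >&2
           return 2 ;;
    esac

    (
        umask 077           # anything created here is owner-only
        mkdir -p "$home/.ssh"
        touch "$home/.ssh/authorized_keys"
    )

    # Append only when this exact line is not present yet, so that running
    # the function twice does not duplicate the key.
    grep -qxF -- "$key" "$home/.ssh/authorized_keys" ||
        printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"

    # With StrictModes, sshd ignores keys kept in a group- or world-writable
    # ~/.ssh or authorized_keys, so set the modes explicitly.
    chmod 700 "$home/.ssh"
    chmod 600 "$home/.ssh/authorized_keys"
}

if [ "$#" -gt 0 ]; then
    install_pubkey "$@"
fi
```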

Wednesday, January 19, 2011

EID card reader on Ubuntu... what a mess

Installing a card reader on Ubuntu isn't that hard, and good documentation even exists... but Ubuntu seems to mess up the middleware with some updates; kernel updates seem to be the most likely culprit.

So each time I need my card reader (let's say 1 time every three months), it is out of order when I try to connect to a site with my EID, giving either of these errors:

"ssl_error_handshake_failure_alert" or "ssl_error_bad_cert_alert"

This is what helps for me:

A. Reinstall middleware:
1. Download the middleware: here
If the link doesn't work, try this page (in Dutch) which contains a link to the binary.
2. Unpack the .tgz file: tar xvf beid-middlew...tgz
3. cd install
4. Execute "sudo ./install.sh" and follow the instructions. The execution can end with the following lines:

libqtgui4 is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
./install.sh: 390: [[: not found
checking pcscd running...
./install.sh: 390: [[: not found
./install.sh: 390: [[: not found
Follow the instructions in the documentation to:
- register the software in Firefox.
- set the environment variable MOZILLA_CERTIFICATE_FOLDER

Please read the README file and licensing information for more information about
libraries this software and the software it is depending on


Try again in Firefox to connect to site with EID.

B. Certificate issues
1. Uninstall the beid add-on in Firefox, if already installed.
2. Open Firefox.
3. Go to this page.
4. Click "Add to firefox".
5. Click "Install Now".
6. Restart Firefox.
7. Go to Edit > Preferences > Advanced > Encryption and click View Certificates.
8. On the Authorities tab, select the Belgium CA Root certificate and click Edit.
9. Select the 3 available options and click OK until you return to Firefox.
10. Restart Firefox to complete the update.

Hooray for ubuntu updates... next time take care of the middleware

Thursday, August 12, 2010

Renaming files

When I travel, I always have at least two CF cards to take some, well most of my family say A LOT (but who cares...), pictures. My problem is always the numbering of the files, because I have set my camera to restart the numbering for a new card. Why, I don't have a clue, but it's like that... perhaps I should change my setting, but then you wouldn't be reading this blog message.

So my issue is that I want to put all files in one directory but then I have conflicting files because there will be 2 files named bla00001.jpg. So I have to add a fixed number to each file name of the second, third,... CF card in order to avoid these conflicts.

Perhaps my solution isn't the shortest, nor the best, but at least it works for me. The solution described here is originally created by my ex-colleague Erik.

So my camera produces the following file name format: DSC000001.JPG
Let's say that the highest number on my first CF card is 313, the first file name of the second CF card must then be 314, i.e. DSC00314.JPG.

So create a file somewhere on your hard drive, for example in /home/myworkspace/Pictures/rename.sh

Add this code to your file:

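#!/bin/bash
# Add the highest picture number of the previous CF card to every file number.
offset=313

shopt -s nullglob    # no matching files: the loop simply does nothing
files=(DSC[0-9]*.[jJ][pP][gG])

# Work from the highest number down, so a new name never collides with a
# file that still has to be renamed.
for ((i=${#files[@]}-1; i>=0; i--))
do
    file=${files[i]}
    numberpart=${file#DSC}                 # strip the DSC prefix
    numberpart=${numberpart%.*}            # strip the extension
    number=$((10#$numberpart + offset))    # 10# forces base 10 despite leading zeros
    filename=$(printf 'DSC%05d.%s' "$number" "${file##*.}")
    mv -n -- "$file" "$filename"           # -n: never overwrite an existing file
done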


Save the file and make it executable via chmod +x rename.sh

Before testing it, make a backup of your pictures directory of which you need to rename the files!!!

Put the script in the directory and run it (./rename.sh)

Now I can put all my pictures in one dir, /me happy

Thursday, February 11, 2010

Sound through HDMI cable

Recently I got myself a fine new full HD television. My laptop has HDMI output so I immediately wanted to watch some movies on my new television. Unfortunately the sound still came through the lousy laptop speakers. Some googling made me a happy man :-)

My system is an HP dv7 1140eb with nVidia 9200M GS running Ubuntu 9.10.

So this is what I had to do to get video and sound to play on my television through my HDMI cable:

1) Update the nVidia drivers to the latest (I used the nvidia drivers from nvidia.com). Go into
2) open sound preferences (system > preferences > sound): on the hardware tab, check if there is a profile Digital Stereo (HDMI) Output. If so select that profile
3) open alsamixer in shell, go to S/PDIF 0 and 1 with RIGHT arrow and unmute by pressing m.
4) test

If there is still no sound via your tv speakers, continue; otherwise: w00tness!

1) upgrade alsa version to version 1.0.22:
http://ubuntuforums.org/showthread.php?p=6589810#post6589810
This procedure might take some time (in my case appx 15 minutes)
2) open the sound preferences (system > preferences > sound): on the hardware tab, select the proper Profile, in my case Digital Stereo (HDMI) Output (original value: Analog Stereo Output)
3) open alsamixer in shell, go to S/PDIF 0 and 1 with RIGHT arrow and unmute by pressing m.

That should do the trick. I hope this information helps other people.

Bye Bye til the Next Time