ActiveMQ 5.4.x install under RHEL 5.x

Posted on January 6, 2012 by Sébastien

Tested with ActiveMQ 5.4.3, Red Hat Linux Enterprise 5.7 64 bits with Sun JVM 1.5

ActiveMQ 5.5.x requires JVM 1.6

The following is a simple copy and paste howto. Simply adapt the install variables and you’re good to go.

Let’s declare some variables for the install process :

AMQDIR="/usr/local" VERSION="5.4.3"

Download and installation :

cd /root wget http://apache.cu.be//activemq/apache-activemq/$VERSION/apache-activemq-$VERSION-bin.tar.gz cp /root/apache-activemq-$VERSION-bin.tar.gz $AMQDIR cd $AMQDIR tar xvzf apache-activemq-$VERSION-bin.tar.gz chown root. apache-activemq* -R ln -f -s apache-activemq-$VERSION activemq

Configuration :

sed -i 's#ACTIVEMQ_HOME.*#ACTIVEMQ_HOME="$AMQDIR/activemq"#g' $AMQDIR/activemq/bin/linux-x86-64/activemq


sed -i 's#set.default.ACTIVEMQ_HOME=.*#set.default.ACTIVEMQ_HOME=$AMQDIR/activemq#g' $AMQDIR/activemq/bin/linux-x86-64/wrapper.conf

sed -i 's#set.default.ACTIVEMQ_BASE=.*#set.default.ACTIVEMQ_BASE=$AMQDIR/activemq#g' $AMQDIR/activemq/bin/linux-x86-64/wrapper.conf

Init script and making ActiveMQ start at boot :

ln -s $AMQDIR/activemq/bin/linux-x86-64/activemq /etc/init.d/activemq chkconfig --add activemq chkconfig activemq on service activemq start

Logs :

tail -f /usr/local/activemq/data/wrapper.log

Accessing the admin section :

http://$SERVER:8161/admin/index.jsp

Two step authentication on SSH with Google Authenticator under Debian Sid

Posted on October 25, 2011 by Sébastien

On a Debian Sid system, install the following :

apt-get install libpam-google-authenticator

Edit /etc/ssh/sshd_config and set :

ChallengeResponseAuthentication yes

Restart the service :

service ssh restart

Now run :

google-authenticator

Scan the barcode from the Google Authenticator app on your mobile device.

Edit /etc/pam.d/sshd and add at the very beginning of the file :

auth required pam_google_authenticator.so

Now test a SSH connection. You should be prompted by a cool “Verification code :”
Then by the regular password prompt.

A basic OpenLDAP server in under 15 minutes

Posted on January 28, 2010 by Sébastien

Tested under Debian Lenny

This howto is basic, as in “no security involved”. I may come up with a second part to this guide about securing OpenLDAP with TLS, if I ever find the time.
Meanwhile see http://www.openldap.org/doc/admin23/security.html for the security aspect of things.

In this example, I’ll create a tree following this scheme : dc=my,dc=domain,dc=tld.
It’s really up to you how you organize your tree, it’s really for organizational purposes. You can limit your tree to a single root branch, for example dc=myname.

Install OpenLDAP server and some useful utilities :

# apt-get install slapd ldap-utils

You should be prompted for a password, if not create it from the command line :

# slappasswd New password: Re-enter new password: {SSHA}vFk3EP4SSW0RDm4yEKD

Edit /etc/ldap/slapd.conf :

You should copy the password obtained with slappasswd under the rootpw option.

include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args
loglevel        none
modulepath	/usr/lib/ldap
moduleload	back_hdb
sizelimit 500
tool-threads 1
backend		hdb
database        hdb
suffix          "dc=my,dc=domain,dc=tld"
rootdn          "cn=admin,dc=my,dc=domain,dc=tld"
rootpw		"{SSHA}vFk3EP4SSW0RDm4yEKD"
directory       "/var/lib/ldap"
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
index           objectClass eq
lastmod         on
checkpoint      512 30
access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=my,dc=domain,dc=tld" write
        by anonymous auth
        by self write
        by * none
access to dn.base="" by * read
access to *
        by dn="cn=admin,dc=my,dc=domain,dc=tld" write
        by * read

“cn=admin,dc=my,dc=domain,dc=tld” is the database admin. This is what you will use as credential when you need to modify something in the database.

Then edit /etc/ldap/ldap.conf :

This is the configuration for the LDAP client.

HOST 127.0.0.1 BASE dc=my,dc=domain,dc=tld URI ldap://localhost

Now create a directory that will contain some initial configuration files.

# mkdir /etc/ldap/LDIF

In this directory create the following files :

1_base.ldif (the base of our LDAP tree) :

dn: dc=my,dc=domain,dc=tld dc: my objectClass: domain

2_group.ldif (this will be the branch that will host our groups) :

dn: ou=Groups,dc=my,dc=domain,dc=tld ou: Groups objectClass: organizationalUnit

3_dev.ldif (this is our first group) :

dn: cn=dev,ou=Groups,dc=my,dc=domain,dc=tld cn: dev gidNumber: 30000 memberUid: user1 objectClass: posixGroup objectClass: top description: developers

4_people.ldif (this is the branch hosting users) :

dn: ou=People,dc=my,dc=domain,dc=tld ou: People objectClass: organizationalUnit

5_user1.ldif (this is our first user) :

dn: uid=user1,ou=People,dc=my,dc=domain,dc=tld uid: user1 cn: John Doe displayName: John Doe givenName: Doe sn: Doe objectClass: inetOrgPerson userPassword: pass mail: johndoe@domain.tld

When we are done, we can restart OpenLDAP and create the tree and import some data :

# /etc/init.d/slapd restart # cd /etc/ldap/LDIF # for i in `ls`; do ldapadd -x -D "cn=admin,dc=my,dc=domain,dc=tld" -W -f $i ; done

You should be prompted for the admin password as much as you have LDIF files in the directory.
If you didn’t name your file 1_base.ldif, 2_group.ldif, etc. the command may fail as it may try to add a group or user before creating its branch.

Now you should be able to query the LDAP tree :

# ldapsearch -x
# extended LDIF
#
# LDAPv3
# base  (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# my.domain.tld
dn: dc=my,dc=domain,dc=tld
dc: my
objectClass: domain

# Groups, my.domain.tld
dn: ou=Groups,dc=my,dc=domain,dc=tld
ou: Groups
objectClass: organizationalUnit

# People, my.domain.tld
dn: ou=People,dc=my,dc=domain,dc=tld
ou: People
objectClass: organizationalUnit

# user1, People, my.domain.tld
dn: uid=user1,ou=People,dc=my,dc=domain,dc=tld
uid: user1
cn: John Doe
displayName: John Doe
givenName: Doe
sn: Doe
objectClass: inetOrgPerson
mail: johndoe@domain.tld

# dev, Groups, my.domain.tld
dn: cn=dev,ou=Groups,dc=my,dc=domain,dc=tld
cn: dev
gidNumber: 30000
memberUid: user1
objectClass: posixGroup
objectClass: top
description: developers

# search result
search: 2
result: 0 Success

# numResponses: 6
# numEntries: 5

This command requires /etc/ldap/ldap.conf. If you don’t have ldap.conf configured you’d have to type the whole command :

# ldapsearch -x -b "dc=my,dc=domain,dc=tld" -H ldap://server

Now, you can authenticate several services against your new LDAP server.
For example, web authentication in Apache.. Take a look at http://blog.wains.be/index.php/2010/01/26/apache-simple-authentication-and-ldap-authentication-examples/

You also may want to install PHP LDAP Admin for managing your LDAP database through a web GUI :

# apt-get install phpldapadmin

Then go to http://server/phpldapadmin and authentify with cn=admin,dc=my,dc=domain,dc=tld and your rootpw.

Local user authentication with FreeRADIUS

Posted on January 25, 2010 by Sébastien

This one is a bit less complex than http://blog.wains.be/index.php/2009/09/13/wpa2-freeradius-eap-tls/

This is actually the most basic RADIUS configuration ever, useful for quick tests. I can only recommend checking the post mentioned above if you want to do something serious.

# apt-get install freeradius

# vim /etc/freeradius/users

login     Cleartext-Password := "password"
login2     Cleartext-Password := "password2"

#vim /etc/freeradius/clients.conf

client localhost {
	ipaddr = 127.0.0.1
        secret = radiuspassword
}

client router {
	ipaddr = 10.0.0.1
        secret = radiuspassword
}

# /etc/init.d/freeradius restart

Check if RADIUS is working :

# radtest login password localhost 1812 radiuspassword Sending Access-Request of id 222 to 127.0.0.1 port 1812 User-Name = "login" User-Password = "password" NAS-IP-Address = 127.0.1.1 NAS-Port = 1812 rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=222, length=20

# radtest login2 password2 localhost 1812 radiuspassword Sending Access-Request of id 1 to 127.0.0.1 port 1812 User-Name = "login2" User-Password = "password2" NAS-IP-Address = 127.0.1.1 NAS-Port = 1812 rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=1, length=20

We expect Access-Accept from the server, not Access-Reject…

Configure your wireless access point :

Usually found under Security tab (or RADIUS, 802.1X, etc.)
Configure your device at 10.0.0.1 to authenticate against the Radius server with password radiuspassword.
Try to connect to your wireless access point using login and password.

Postfix + virtual users/groups/aliases stored in LDAP

Posted on January 25, 2010 by Sébastien

This will just explain the configuration files needed for Postfix to check against the LDAP server.

We want to be able to send emails to username@domain.tld
We also want to have aliases for our users, for example : firstname.lastname@domain.tld pointing to username@domain.tld
Finally, we want groups to act as a mailing list, forwarding emails to members of the group, for example : support@domain.tld

LDAP tree

dc=domain,dc=tld
|-------ou=Aliases,dc=domain,dc=tld
|---------------cn=support,ou=Aliases,dc=domain,dc=tld
|
|		cn : support
|		description : alias support
|		gidNumber : 50000
|		mailRoutingAddress : support@domain.tld
|		memberUid : it (this is a group with a inetLocalMailRecipient class and a mailRoutingAddress field defined)
|		memberUid : username3 (this is a user account)
|
|-------ou=Groups,dc=domain,dc=tld
|---------------cn=it,ou=Groups,dc=domain,dc=tld
|
|		cn : it
|		description : IT dept group
|		gidNumber : 40000
|		mailRoutingAddress : it@domain.tld
|		memberUid : username1
|		memberUid : username2
|
|-------ou=Users,dc=domain,dc=tld
|---------------uid=username1,ou=Users,dc=domain,dc=tld

		cn : username1
		gecos : John Doe
		gidNumber : 10000
		homeDirectory : /home/username1
		mail : john.doe@domain.tld
		mailLocalAddress : john.doe
		uid : username1
		[...]

Postfix configuration

For this to work, we must define “append_at_myorigin = yes” in main.cf
For group/alias emails to work, the group must have the inetLocalMailRecipient class and mailRoutingAddress defined

So we basically add in main.cf :
virtual_alias_maps = ldap:/etc/postfix/ldap-account.cf, ldap:/etc/postfix/ldap-group.cf, ldap:/etc/postfix/ldap-alias.cf

It means that Postfix will check ldap-account.cf first, then ldap-group.cf and finally ldap-alias.cf.

So we create those files :

ldap-account.cf (for virtual users) :

server_host = localhost port = 389 version = 3 search_base = ou=Users,dc=domain,dc=tld scope = sub # we search through the Users base for the recipient email address (%s) query_filter = (mail=%s) # if we find anything under ou=Users,dc=domain,dc=tld, we deliver to the account specified under "uid" # so basically, if we send an email to john.doe@domain.tld, we will find an entry, finally delivering the email to uid username1 result_attribute = uid

ldap-alias.cf (for virtual aliases) :

server_host = localhost port = 389 version = 3 scope = sub # we search through the Aliases base... search_base = ou=Aliases,dc=domain,dc=tld # ...for the recipient email address (%s) specified under mailRoutingAddress field query_filter = mailRoutingAddress=%s # If we find anything, return memberUid, that can be accounts, groups, or aliases result_attribute = memberUid

ldap-group.cf (for virtual groups) :

server_host = localhost port = 389 version = 3 scope = sub # Same as aliases, but in a different base search_base = ou=Groups,dc=domain,dc=tld query_filter = mailRoutingAddress=%s result_attribute = memberUid

Asterisk : XMPP notifications for missed calls

Posted on January 20, 2010 by Sébastien

Tester under Asterisk 1.4.21.

If someone calls and hangs up before leaving a voicemail (that means while the phone is ringing or during voicemail message), Asterisk will send a “missed call” notification by XMPP/Jabber.

/etc/asterisk/jabber.conf :

This file contains the info for Asterisk to connect to the Jabber server.
When restarting Asterisk, it will connect automatically and add contacts specified under buddy fields to its contact list.
You can specify several accounts in this file, and use different accounts for different notifications, for example.
From Asterisk CLI, there’s a command “jabber test” which would display the status of your contacts, this command only works with the account specified in the [asterisk] context.

[general]
debug=no
autoprune=no ; this is important to set this to no, if set to yes and you don't specify any "buddy=" it will delete contacts from your buddy list
autoregister=yes        

[asterisk] ; must be called "asterisk" if we want the command "jabber test" to work
type=client
serverhost=jabber.example.org
username=pbx@example.org/pbx
secret=PASSWORD
port=5222       
usetls=yes
usesasl=yes
buddy=youraccountreceivingnotifications@gmail.com
buddy=anotheraccountthatmayreceivenotifications@gmail.com
statusmessage=Asterisk XMPP bot. Don't talk to me, your messages would be lost forever.
timeout=100

[account2]
type=client
serverhost=jabber.example.org
username=anotheraccount@example.org/pbx
secret=PASSWORD
port=5222       
usetls=yes
usesasl=yes
buddy=someoneelse@gmail.com
statusmessage=Asterisk XMPP bot. Don't talk to me, your messages would be lost forever.
timeout=100

/etc/asterisk/extensions.conf :

When you pass the option “g” to the Dial() command, when the user hangs up, Asterisk exits the Dial() command and continue by jumping to the special “h” extension in the current context. From the console you should expect something like “Spawn extension (macro-DialVM, h, 5) exited” when the whole thing has been processed.

If you don’t specify the option, Asterisk will exit at the Dial() command. You would then see “Spawn extension (macro-DialVM, s, 1) exited” right after the user hangs up.

In this bit of dialplan, we enable XMPP notifications for calls made on extension 555 in the context named Local.
Dialing is made through a macro called macro-DialVM.
XMPP notifications are sent through macro-XMPPSend.

[macro-XMPPSend]
;;; Description : sends XMPP messages only if user is online and not away
;;; ARG1 = Jabber ID to be notified
;;; ARG2 = Message
;;; Jabberstatus and Jabbersend take the account name to user to send notifications as first argument ([asterisk] or [account2] under jabber.conf)

; getting user's status
; Status can be in order : 1)Online, 2)Chatty, 3)Away, 4)XAway, 5)DND, 6)Offline, 7)Not in roster
exten => s,1,Jabberstatus(asterisk,${ARG1},STATUS)
; If the value of STATUS is anything under 3 (or Away), in other words if user is Online or in Chatty mode
exten => s,n,GotoIf($["${STATUS}"  s,n(available),NoOp(${ARG1} is available)
exten => s,n,Jabbersend(asterisk,${ARG1},${ARG2})
exten => s,n,MacroExit()
; if the user is not available, we don't send anything
exten => s,n(unavailable),NoOp(${ARG1} is not available in at least one location.. Do not send notification)
exten => s,n,MacroExit()

[macro-DialVM]
;;; Description : dials (option g enabled, jumps to h extension) and goes to voicemail if reaching timeout.
;;; ARG1 = extension to be dialed
;;; ARG2 = timeout
;;; XMPP notification if call missed

exten => s,1,Dial(SIP/${ARG1},${ARG2},wg)
exten => s,n,Voicemail(${ARG1})

; option g must be passed to Dial() to jump to h extension or it would spawn at "macro-DialVM,s,1"
; if user doesn't leave a voicemail, VMSTATUS = FAILED
; if user hangs up before reaching the voicemail app, DIALSTATUS = CANCEL
exten => h,1,NoOp(Did user hang up before leaving a voicemail ?)
exten => h,n,GotoIf($["${VMSTATUS}" = "FAILED"]?missed:nextcheck)
exten => h,n(nextcheck),GotoIf($["${DIALSTATUS}" = "CANCEL"]?missed:notmissed)
exten => h,n(missed),Macro(XMPPSend,youraccountreceivingnotifications@gmail.com,${CALLERID(all)} just tried to call ${ARG1})
exten => h,n(notmissed),Hangup()


[Local]
;;; Description : Local calls context

; My extension is 555, with a timeout of 30 seconds
exten => 555,1,Macro(DialVM,${EXTEN},30)

Installing TRAC with Apache2 and mod-python on Debian Lenny

Posted on January 20, 2010 by Sébastien

This is based on a fresh install.

Install the necessary stuff :

# apt-get install apache2 subversion trac # apt-get install libapache2-svn

libapache2-svn will enable dav and dav_fs modules.

More stuff :

# apt-get install libapache2-mod-python

Create your directories for TRAC environments (/home/trac/), projects source files (/home/dev/) and SVN repositories (/home/svn/) :

# mkdir /home/{trac,dev,svn}

Create your first project :

# mkdir /home/dev/project1 # echo "" > /home/dev/project1/index.php

Create the SVN repository for the project :

# svnadmin create /home/svn/project1

Import the project into the SVN repository :

# svn import -m "Initial import" /home/dev/project1/ file:///home/svn/project1/
Adding         /home/dev/project1/index.php

Committed revision 1.

Move your sources to a safe place, while we checkout the project :

# mv /home/dev/project1 /home/dev/project1-orig

Checkout the project :

# svn checkout file:///home/svn/project1 /home/dev/project1 A /home/dev/project1/index.php Checked out revision 1.

Make sure the project is now under revision, you should see a “.svn” directory :

# ls -lah /home/dev/project1 total 16K drwxr-xr-x 3 root root 4.0K Jan 20 12:42 . drwxr-xr-x 4 root root 4.0K Jan 20 12:42 .. drwxr-xr-x 6 root root 4.0K Jan 20 12:42 .svn -rw-r--r-- 1 root root 19 Jan 20 12:42 index.php

It’s now safe to delete the copy not under revision :

# rm -fr /home/dev/project1-orig/

Set up TRAC for your first project, in bold what you need to specify :

# trac-admin /home/trac/project1 initenv
Creating a new Trac environment at /home/trac/project1

Trac will first ask a few questions about your environment 
in order to initialize and prepare the project database.

 Please enter the name of your project.
 This name will be used in page titles and descriptions.

Project Name [My Project]> Project1
 
 Please specify the connection string for the database to use.
 By default, a local SQLite database is created in the environment
 directory. It is also possible to use an already existing
 PostgreSQL database (check the Trac documentation for the exact
 connection string syntax).

Database connection string [sqlite:db/trac.db]> PRESS ENTER
 
 Please specify the type of version control system,
 By default, it will be svn.

 If you don't want to use Trac with version control integration,
 choose the default here and don't specify a repository directory.
 in the next question.

Repository type [svn]> svn

 Please specify the absolute path to the version control
 repository, or leave it blank to use Trac without a repository.
 You can also set the repository location later.

Path to repository [/path/to/repos]> /home/svn/project1

Creating and Initializing Project
 Installing default wiki pages
 TracSyntaxColoring imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracSyntaxColoring
 TracChangeset imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracChangeset
 TracWiki imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracWiki
 WikiHtml imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/WikiHtml
 TracRevisionLog imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracRevisionLog
 TracFastCgi imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracFastCgi
 TracTicketsCustomFields imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracTicketsCustomFields
 SandBox imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/SandBox
 WikiMacros imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/WikiMacros
 TracUpgrade imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracUpgrade
 TracBackup imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracBackup
 TracAccessibility imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracAccessibility
 RecentChanges imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/RecentChanges
 WikiDeletePage imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/WikiDeletePage
 TracNavigation imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracNavigation
 TracImport imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracImport
 TracModPython imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracModPython
 TracEnvironment imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracEnvironment
 TracBrowser imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracBrowser
 WikiFormatting imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/WikiFormatting
 TracPlugins imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracPlugins
 WikiPageNames imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/WikiPageNames
 TracNotification imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracNotification
 TracInstall imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracInstall
 TracIni imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracIni
 TracAdmin imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracAdmin
 TracRss imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracRss
 TracLogging imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracLogging
 TracGuide imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracGuide
 WikiStart imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/WikiStart
 TracQuery imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracQuery
 WikiNewPage imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/WikiNewPage
 CamelCase imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/CamelCase
 TracRoadmap imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracRoadmap
 TracLinks imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracLinks
 TracStandalone imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracStandalone
 TracInterfaceCustomization imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracInterfaceCustomization
 TracUnicode imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracUnicode
 InterMapTxt imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/InterMapTxt
 TracPermissions imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracPermissions
 TitleIndex imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TitleIndex
 WikiProcessors imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/WikiProcessors
 InterWiki imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/InterWiki
 TracCgi imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracCgi
 TracTimeline imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracTimeline
 InterTrac imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/InterTrac
 PageTemplates imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/PageTemplates
 TracTickets imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracTickets
 TracSupport imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracSupport
 TracWorkflow imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracWorkflow
 TracSearch imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracSearch
 TracFineGrainedPermissions imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracFineGrainedPermissions
 WikiRestructuredTextLinks imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/WikiRestructuredTextLinks
 TracReports imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/TracReports
 WikiRestructuredText imported from /usr/lib/python2.5/site-packages/trac/wiki/default-pages/WikiRestructuredText
 Indexing repository
 [1]
---------------------------------------------------------------------
Project environment for 'Project1' created.

You may now configure the environment by editing the file:

  /home/trac/project1/conf/trac.ini

If you'd like to take this new project environment for a test drive,
try running the Trac standalone web server `tracd`:

  tracd --port 8000 /home/trac/project1

Then point your browser to http://localhost:8000/project1.
There you can also browse the documentation for your installed
version of Trac, including information on further setup (such as
deploying Trac to a real web server).

The latest documentation can also always be found on the project
website:

http://trac.edgewall.org/

Congratulations

The configuration is stored under /home/trac/project1/conf/trac.ini.

Create the password files for web authentication :

# htpasswd -c /etc/apache2/passwd-trac yourusername

Set up Apache :

# cp /etc/apache2/sites-available/default /etc/apache2/sites-available/projects

# vim /etc/apache2/sites-available/projects

    DocumentRoot /var/www/

    
        Order allow,deny
        Allow from all
    


    ### TRAC Root : http://server/trac or http://server/trac/

        # Rewrite ./trac to ./trac/
        RewriteEngine on
        RewriteRule ^(.*)/trac$ $1/ [NC]

    
        SetHandler mod_python
        PythonHandler trac.web.modpython_frontend
        PythonInterpreter main
        PythonOption TracEnvParentDir /home/trac
        PythonOption TracUriRoot /trac/
        SetEnv PYTHON_EGG_CACHE /tmp
    

    ### TRAC Login : http://server/trac/*/login
    
        AuthType Basic
        AuthName "TRAC Login"
        AuthUserFile /etc/apache2/passwd-trac
        Require valid-user
    

    ### SVN repository : http://server/svn
    
        DAV svn
        SVNParentPath /home/svn
        SVNListParentPath on

        AuthType Basic
        AuthName "SVN Repository"
        AuthUserFile /etc/apache2/passwd-trac
        Require valid-user

Enable rewrite module :

# a2enmod rewrite Enabling module rewrite. Run '/etc/init.d/apache2 restart' to activate new configuration!

Disable the default website :

# a2dissite default Site default disabled. Run '/etc/init.d/apache2 reload' to activate new configuration!

Enable the newly configured website :

# a2ensite projects Enabling site projects. Run '/etc/init.d/apache2 reload' to activate new configuration!

Restart Apache :

# /etc/init.d/apache2 restart

Make sure Apache can read and write TRAC configuration files.
This is a basic working example but you may want to do something more elaborate involving Set-GID or POSIX ACL.

# chown -R www-data. /home/trac

Now go to http://server/trac, it should rewrite the URL to http://server/trac/ and display a list of available projects.

WALLA

Please let me know if it works for you. Thanks.

Partially based on http://www.willamaze.eu/?p=732

AFP server in under 15 minutes (Debian)

Posted on January 14, 2010 by Sébastien

Tested under Debian Lenny 32 bits.

This howto is based on http://www.kremalicious.com/2008/06/ubuntu-as-mac-file-server-and-time-machine-volume/
Matthias’ post is very comprehensive. This post is basically a raw copy paste of commands, if you want more information, go see Matthias post.
If you find this useful, please give credit to Matthias

Why AFP (Apple Filing Protocol) ?

I wanted to see if AFP was faster than SMB.
A quick test showed my Macbook (running OS 10.6.2) is transfering files 20 % faster on AFP than SMB.

Build netatalk to support encryption

Starting with Netatalk version 2.0.4 (and Debian Squeeze) you won’t need to rebuild to support SSL (see Frank’s comment).

Lenny comes with version 2.0.3 so we still need to go through recompilation (which I recommend doing on another box).

# apt-get build-dep netatalk # apt-get install cracklib2-dev fakeroot libssl-dev # apt-get source netatalk # cd netatalk-2* # DEB_BUILD_OPTIONS=ssl dpkg-buildpackage -rfakeroot

Install modified version of netatalk

# dpkg -i ../netatalk_2*.deb # echo "netatalk hold" | dpkg --set-selections

/etc/default/netatalk

ATALKD_RUN=no PAPD_RUN=no CNID_METAD_RUN=yes AFPD_RUN=yes TIMELORD_RUN=no A2BOOT_RUN=no

/etc/netatalk/afpd.conf

- -transall -uamlist uams_dhx.so -nosavepassword

/etc/netatalk/AppleVolumes.default

/home/seb "Seb's share" allow:seb

Start netatalk

/etc/init.d/netatalk start

Advertise the service with Avahi

You can skip this step, but it’d mean the server doesn’t magically appear as a Shared drive in your Finder.

apt-get install avahi-daemon

/etc/avahi/services/afpd.service


%h AFP
_afpovertcp._tcp

548
_device-info._tcp

0

model=Xserve

# /etc/init.d/avahi-daemon restart

Firewall :

Allow tcp/548 (netatalk) and tcp/5353 (avahi)

Nagios + SMS notifications with Gammu and Siemens MC35i

Posted on January 5, 2010 by Sébastien

What you need :

- a working Nagios
- a GSM modem (this has been tested with a Siemens MC35i) or a cellphone with modem capabilities supported by Linux (I don’t have that)
- Gammu

Set up the modem :

Connect the GSM modem to the Nagios machine through the serial port and make sure it receives signal from the carrier (LED blinking slowly means everything is OK, if not it blinks fast)

Install and configure Gammu :

# apt-get install gammu

The modem should be accessible through /dev/ttyS0

# vim /etc/gammurc

[gammu] port = /dev/ttyS0 connection = at19200 startinfo = no name = Siemens synchronizetime = no use_locking = no

Test the modem

# gammu --identify
Manufacturer         : Siemens
Model                : unknown (MC35i)
Firmware             : REVISION 02.00
IMEI                 : 3515590XXXXXX
Product code         : MC35i
SIM IMSI             : 2061021XXXXXX

# gammu --networkinfo Network state : home network Network : 206 10 (Mobistar, Belgium), LAC 6B08, CID 19EC Name in phone : "B mobistar"

# gammu --monitor 1
Press Ctrl+C to break...
Entering monitor mode...

Enabling info about incoming SMS    : No error.
Enabling info about incoming CB     : No error.
Enabling info about calls           : No error.
Enabling info about USSD            : No error.
SIM phonebook        :  59 used,  41 free
Dialled numbers      :   7 used,   3 free
Received numbers     :   0 used,  10 free
Missed numbers       :   0 used,  10 free
Own numbers          :   1 used,   2 free
Phone phonebook      :   0 used, 250 free
Leaving monitor mode...

Everything looks fine !

Before we continue, let’s check permissions on /dev/ttyS0

# ls -l /dev/ttyS0 crw-rw---- 1 root dialout 4, 64 jan 5 16:14 /dev/ttyS0

Nagios is usually running as user “nagios”, so any notification command would be executed as “nagios”. We can see user nagios wouldn’t have permissions to access devices connected to /dev/ttyS0.

We’ll apply the SUID bit (set-UID) on the command in charge of sending SMS notifications, this will execute gammu on behalf of user root.

# chmod 4755 /usr/bin/gammu

We could put nagios in the dialout group as well. I didn’t as Nagios is running on an isolated box in the LAN.
If someone is able to mess up with gammu executed as SUID on that box, that would mean I’m already in a lot of troubles anyway

Before we continue, we’ll try to send a SMS to the belgian cell number 0475123456

# echo "test" | gammu --sendsms TEXT 0475123456 If you want break, press Ctrl+C... Sending SMS 1/1....waiting for network answer..OK, message reference=181

It worked.

Now, an example of Nagios config for SMS notifications :

define command{
        command_name    host-notify-by-sms
        command_line    /usr/bin/printf "%b" "NAGIOS / Host: "$HOSTNAME$" / State: $HOSTSTATE$ / Info:$HOSTOUTPUT$ / Date:$SHORTDATETIME$" | /usr/bin/gammu --sendsms TEXT $CONTACTPAGER$
        }

define command{
        command_name    notify-by-sms
        command_line    /usr/bin/printf "%b" "NAGIOS / Host: "$HOSTALIAS$" / State: $SERVICESTATE$ / Info:$SERVICEOUTPUT$ / Date:$SHORTDATETIME$" | /usr/bin/gammu --sendsms TEXT $CONTACTPAGER$
        }

define contact{
        contact_name                    email
        alias                           email
        service_notification_period     24x7
        host_notification_period        24x7
        service_notification_options    c,r
        host_notification_options       d,r
        service_notification_commands   notify-by-email
        host_notification_commands      host-notify-by-email
        email                           nagios@example.org
 }

define contact{
        contact_name                    sms
        alias                           sms
        service_notification_period     smshours
        host_notification_period        smshours
        service_notification_options    c,r
        host_notification_options       d,r
        service_notification_commands   notify-by-sms
        host_notification_commands      host-notify-by-sms
        pager                           0475123456
 }

define contactgroup{
        contactgroup_name       admins
        alias                   Nagios Administrators
        members                 email, sms
 }

define timeperiod{
        timeperiod_name smshours
        alias           SMS Hours
        sunday          00:00-24:00
        monday          00:00-07:00,18:00-24:00
        tuesday         00:00-07:00,18:00-24:00
        wednesday       00:00-07:00,18:00-24:00
        thursday        00:00-07:00,18:00-24:00
        friday          00:00-07:00,18:00-24:00
        saturday        00:00-24:00
}

WPA2 + FreeRADIUS + EAP-TLS

Posted on September 13, 2009 by Sébastien

WPA/WPA2 Enterprise on your wired or wireless network. Tested under Debian Lenny (server side) and Mac OS X 10.6, Windows XP and Android 2.2, Ubuntu 10.10 (client side)

BUILDING AND INSTALLING FREERADIUS WITH TLS SUPPORT

This step is not needed anymore, starting from Debian Squeeze Freeradius comes with TLS support.
Please, do not build stuff on your production server. Build on a dedicated build machine and then install the resulting packages on the production server.

If you are running Debian Lenny on i386, you can skip the build steps and grab the packages at this address :
http://blog.wains.be/pub/freeradius-tls/

Let’s proceed…

Install the necessary packages :

apt-get install dpkg-dev fakeroot

Download the source :

cd /root mkdir freeradius-tls cd freeradius-tls apt-get source freeradius

Make the changes :

Edit /root/freeradius-tls/debian/rules :

and change
--with
by
--without
for eap_tls, eap_ttls, eap_peap and openssl

Just as :
--with-rlm_eap_tls --with-rlm_eap_ttls --with-rlm_eap_peap --without-rlm_eap_tnc --without-rlm_otp --with-rlm_sql_postgresql_lib_dir=`pg_config --libdir` --with-rlm_sql_postgresql_include_dir=`pg_config --includedir` --with-openssl --without-rlm_eap_ikev2 --without-rlm_sql_oracle --without-rlm_sql_unixodbc

Then, comment the following :
for pkg in ${pkgs} ; do if dh_shlibdeps -p $$pkg -- -O 2>/dev/null | grep -q libssl; then echo "$$pkg links to openssl" ; exit 1 ; fi ; done

Edit /root/freeradius-tls/debian/control :
On the line beginning by “Build-Depends”
Add the folowing :
", libssl-dev"
at the end of the line (without the quotes)

Install dev libraries :
apt-get install libssl-dev debhelper libgdbm-dev libiodbc2-dev libkrb5-dev libldap2-dev libltdl3-dev libmysqlclient15-dev libpam0g-dev libpcap-dev libperl-dev libpq-dev libsasl2-dev libsnmp-dev python-dev

Build freeradius :
dpkg-buildpackage -rfakeroot

Building will end by a warning message, this is not important.

Put the packages on hold to avoid upgrading with a non-TLS version of FreeRADIUS :

echo "freeradius hold" | dpkg --set-selections echo "libfreeradius2 hold" | dpkg --set-selections echo "freeradius-common hold" | dpkg --set-selections

Install the packages we’ve just built :
dpkg --install freeradius_2.0.4+dfsg-6_i386.deb freeradius-common_2.0.4+dfsg-6_all.deb libfreeradius2_2.0.4+dfsg-6_i386.deb

CERTIFICATES

Creating the CA

apt-get install openssl

Edit /etc/ssl/openssl.cnf

[ CA_default ] dir = ./PKI

Edit /usr/lib/ssl/misc/CA.sh

CATOP=./PKI

Then type :

cd /etc/ssl /usr/lib/ssl/misc/CA.sh -newca

Set a challenge password and a passphrase. This is needed.
The CA created will be copied to the server and clients later on.

Optional : if you have Windows XP clients

Create /etc/openssl/PKI/xpextensions

[xpclient_ext]
extendedKeyUsage=1.3.6.1.5.5.7.3.2

[xpserver_ext]
extendedKeyUsage=1.3.6.1.5.5.7.3.1

Server certificate signing request :

cd /etc/ssl openssl req -new -nodes -keyout PKI/server_key.pem -out PKI/server_req.pem -days 730 -config openssl.cnf

Set a challenge password

Sign the server certificate request :
cd /etc/ssl openssl ca -config openssl.cnf -policy policy_anything -out PKI/server_cert.pem -infiles PKI/server_req.pem

Then :
cp PKI/server_cert.pem PKI/server_cert.pem-backup

Edit server_cert.pem
Remove everything before the line —–BEGIN CERTIFICATE—– (this is needed for winxp clients)

Next :
cat PKI/server_key.pem PKI/server_cert.pem > PKI/server_keycert.pem

Create a client certificate signing request :
openssl req -new -keyout PKI/client_key.pem -out PKI/client_req.pem -days 730 -config openssl.cnf

You MUST specify a Common Name (CN).

Sign client cert request :

Windows xp client :
openssl ca -config openssl.cnf -policy policy_anything -out PKI/client_cert.pem -extensions xpclient_ext -extfile PKI/xpextensions -infiles PKI/client_req.pem
Mac OS X / Linux / Android client :
openssl ca -config openssl.cnf -policy policy_anything -out PKI/client_cert.pem -infiles PKI/client_req.pem

Export P12 certs :

Windows and Mac clients :
openssl pkcs12 -export -in PKI/client_cert.pem -inkey PKI/client_key.pem -out PKI/client_cert.p12 -clcerts

Android clients :
openssl pkcs12 -export -in PKI/client_cert.pem -inkey PKI/client_key.pem -certfile PKI/cacert.pem -name "Wifi" -out PKI/client_cert.p12

You don’t need to export P12 certificates for Linux (smart OS, eh ?)

FREERADIUS CONFIG

Do :
mkdir /etc/freeradius/certs/ cp /etc/ssl/PKI/cacert.pem /etc/freeradius/certs/cacert.pem cp /etc/ssl/PKI/server_keycert.pem /etc/freeradius/certs/server_keycert.pem

Then :
cd /etc/freeradius/certs openssl dhparam -check -text -5 512 -out dh dd if=/dev/urandom of=random count=2 chown freerad dh chmod o-w dh

Next :
cp /etc/freeradius/eap.conf /etc/freeradius/eap.conf-default

/etc/freeradius/eap.conf :

eap {
        default_eap_type = tls
        timer_expire     = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no         

        tls {          
                certdir = ${confdir}/certs
                cadir = ${confdir}/certs
                private_key_password = whatever
                private_key_file = ${certdir}/server_keycert.pem
                certificate_file = ${certdir}/server_keycert.pem
                CA_file = ${cadir}/cacert.pem
                dh_file = ${certdir}/dh
                random_file = ${certdir}/random
                fragment_size = 1024
                include_length = yes
                check_cert_cn = %{User-Name}
                cipher_list = "DEFAULT"
        }              
}

Edit /etc/freeradius/clients.conf

We will consider the access-point that will authenticate users against the RADIUS server has the IP 192.168.7.45 :

client localhost {
        ipaddr = 127.0.0.1
        secret          = testing123
        require_message_authenticator = no
        nastype     = other     # localhost isn't usually a NAS...
}


client 192.168.7.45 {
        secret = suchasecurepassword
        shortname = linksys
}

Start FreeRADIUS :

The first time it is recommended to launch with the following command, this gives a lot of output.
freeradius -X -f

When everything is fine and clients are happy, start the service the usual way :
/etc/init.d/freeradius start

Set up wifi access point for authentication against our new RADIUS server

It depends on your hardware here.
You must usually go under the security panel of your device, where you can specify the IP/hostname and port of the RADIUS server, and the password (in our example : suchasecurepassword).

Make sure your firewall lets the Wi-Fi access point talk to FreeRADIUS on port UDP/1812.

Configure clients

You’ll need the following files for the following platforms :

Mac OS X : P12 certificate (cert + private key), PEM CA certificate
Windows XP : P12 certificate (cert + private key), PEM CA certificate
Android 2.2 : P12 certificate (cert + private key + CA) (see http://blog.wains.be/index.php/2011/03/13/importing-certificates-on-android-ca-and-client/)
Linux Ubuntu 10.10 (Network Manager) : PEM certificate, PEM private key, PEM CA certificate

This post is a stripped down version of the following howto by my colleague Jérôme :
http://hanoteau.blogspot.com/2009/03/howto-setup-eap-tls-wpa-network-with.html

Sébastien Wains

On Linux, Open Source, VoIP and other geeky stuff

Category Archives: Howto