Using OpenLDAP to authenticate HP-UX users

Introduction
This page describes how to configure the HP-UX LDAP client services to authenticate against OpenLDAP. For the OpenLDAP configuration see: LDAP server configuration RHEL 5.
The OpenLDAP directory server must be prepared and configured in advance before the HP-UX LDAP clients can be configured and the HP-UX system will authenticate against the directory. LDAP-UX can be configured to bind to the directory using a proxy. This is in principle more secure. The standard software is used, all authentication and password management is done by the directory. To make sure HP-UX reacts properly when a password has expired or a password reset has occurred (user must at next logon choose his/her own password) the pam_authz library is used.
To configure HP-UX the following must be done:

• Installation of the LDAP packages
• Import the certificate of the relevant CA - only if the secure LDAP protocol (SSL) is used
• Run /opt/ldapux/config/setup
• Provide DN of the system profile entry (as installed in the directory)
• Check the ldapclientd daemon is running
• Adjust the nsswitch.conf file
• Configure pam to use the LDAP (in /etc/pam.conf
• Copy provided pam.ldap example to pam.conf
• Adjust pam.conf to enable pam_authz.policy for password policy effects
• Configure /etc/opt/ldapux/pam_authz.policy file
• Enable and configure the proxy settings

More information can be found in the HP_UX LDAP-UX client services administration guide. Be aware this document describes the process of getting LDAP-UX to work against Netscape Directory Services 6.x. Officially this is the only (non-Microsoft) directory service supported under HP-UX. OpenLDAP works very well though when configured properly.

Getting XUbuntu 8.04 beta to work on an old Dell Latitude CPi's

It has been a while since our last post. But two days ago we started work on an interesting, though perhaps a bit weird, challenge: to get xubuntu 8.04 Beta to work on an old Dell Latitude CPi. This is the trouble we get into when we boast about how great Linux is and that it is more than ready for the desktop ;-). We choose xubuntu because of it's claim to be light and easy on the hardware.

We have two old Dell Latitude spare laptops. One of them had the keys partly ripped of a few years ago, by a diligent, very creative 2 year old. The other was left abandoned by it's previous owner because of a failed hard drive. They are not completely identical, but they have enough in common to use one of them as a spare for the other. Eventually we ended up with the with the following configuration:

• Dell Latitude CPi
  
• Pentium-II 400Mhz
• 160MB system memory
• 4 MB Neomagic 2360 video controller
• 12,073 MB hard drive
• CD-ROM installed in modular bay
• external Trust USB keyboard (USB legacy mode enable in BIOS)
• PCMCIA Xircom RealPortRBE-100 10/100Mbs ethernet card
• Single primary partition occupying the whole disk with a FAT32 file system
  

First we would like to share the things that went wrong, before we figured out how to get xubuntu to work (yes we did after two days of fiddling):

• Slow boot because of xubuntu insisting on checking for non-existent floppy drives
• Extremely slow boot after the second installation menu
  
• Problems with ext3 formatting caused by the fix for the previous problem
• Network interface card not getting an IP address

Slow boot because of floppy trouble.
The first problem was easily resolved by setting the floppy "Diskette reconfig" to "At Reboot Only" in the BIOS. This makes a big difference in boot time. As we didn't have a floppy drive installed in one of the spare bays, disabling this option, saves minutes in boot time.
Extremely slow boot after second installation menu.
The installation and live cd boot both fail, well not quite, but after 10 hours of churning on the CD we considered it failed ;-). The installer seems to be getting itself stuck after the second menu (Welcome - installation language), looking at F8 the last message displayed by the system is: "* Starting Ubiquity...". No response from the mouse, the animated cursor has stopped animating and the CD is continuously active with occasional hard drive activity. Originally we thought the trick would be to find the right kernel parameter to solve this problem. But this was not the case. But after some deeper digging and running top in one of the consoles (we had to do this immediately after we clicked on "Forward" at the second install menu, while the system was in the process of responding). Using F1 we managed to get a slow terminal prompt and top showed the system was waiting for I/O more than 85% (%WA) of the time (5th field from the left in 3rd line from the top):



This gave us the idea that actually all we needed to do was to enable a small (twice the size of internal memory) swap partition on the hard drive. After we did that the difference in response time was remarkable .... but now we created a new problem.
ext3 formatting failed.
As we now claimed the drive, the Linux kernel couldn't dynamically load the partition table after we choose "Guided partitioning", manually partitioning the system didn't work either of course. This was caused by
mkfs -t ext3 /dev/sda1 failing with a "could not stat /dev/sda1". Happily the fix to this wasn't difficult, a reboot and the new partition table was picked up and so was the swap partition.
Network interface card not getting an IP address.
After login it turned out the network wasn't running, after some investigation it turned out to be the network interface was set into "roaming" mode. After taking that out and enabling DHCP we could surf the Internet usingFirefox.

Actual procedure on how to get xubuntu 8.04 beta to work on the Latitude.
First things first, having learned our lesson, we adjusted the BIOS setting such that the "Diskette reconfig" only can be done at boot time. Then after obtaining the download ISO image from one of the xubuntu mirrors and burning a CD we booted the Latitude from the CD, the boot menu looks like this (yes it jumps straight into the F2 menu to select the language):



We decided to install directly to the hard drive, after selecting the language the first option was highlighted, we didn't want that:



We needed to select the second option and choose F6 "Other Options" to switch of quite mode. it is a good idea if the installation doesn't go according to plan to make the system a bit more chatty:



Removing the "quiet" kernel option:



Press enter and the system will start churning. While it is doing this have a look at the boot messages under F1. You will see some message scroll across the screen giving some indication of the kernel's process of working out what hardware it is running on:



To get back to the graphical installation choose F7:



After a while the system will show the, quite stunning, bird (is it a firebird?) wallpaper:



The first of 8 installation windows will now prompt you:



To go to the next screen click "Forward", at this stage, while the following menu (language choice) was displayed the excessive delay and CD activity started (when we tried this first time):



Here we chose the language of the installation and the default language used for running the system. Also here we got stuck so we needed to divert away from the installation process and create a swap partition. As quickly as possible at this menu or even better the menu before using cntl-alt-F1 open a terminal and enable swap.

First use fdisk to delete any old partition that was still present on the drive and create a new
empty partition of about twice the size of internal memory (the installation process will redo this, so the actual location and size isn't that important):

sudo fdisk /dev/sda

When fdisk starts (this can take a while), use the following commands as your guide:



The example above will create a partition of 320MBytes with a type of 82 (Linux Swap). Confirm this using (fdisk again):



At the prompt the new partition must now be enabled for swap, this will dramatically speed up the rest of the installation:

sudo mkswap /dev/sda1

sudo swapon /dev/sda1 (is not necessary as we need to reboot here)

We did try to continue from here and got stuck (see above). Here a reboot is required to go back to the installation menu. The system will now pick up the swap partition and use it. We went through the same menus (1 and 2 of eight and eventually got to the next step "Where are you" without to much delay):



The zoom feature used when the mouse hovers over the picture of the world map is a bit fanatic. The zooming is rather sensitive, amplifying the slightest mouse movement into a fast hunt for the home location! Quite a nice game, but not intended as such, we believe. After we hit the right spot (the drop down menu can also be used ;-). The next menu will come quickly:



As our laptop has an external USB international keyboard we choose the "USA-With EuroSign on 5 setting". This turned out to be the right choice.

Step 5 out of 8 is the process of setting up the disk partitioning. As the kernel now has the correct partition table loaded, using the Guided (full disk) partitioning worked beautifully:



A (quickly disappearing) message that it is reading the hard disk partition table is displayed and then the system responds reasonably quickly with the next menu, where the main login must be created:



Now the system has enough information to continue (on it's own) with the installation:



After clicking on "Install" several messages are displayed:



We thought at this stage it was safe to leave the office, go to home and to bed. Unfortunately leaving xubuntu unattended after the last step wasn't such a good idea. It spontaneously went into hibernation and didn't finish the installation (this was over night at about 15% in the "Installing System" stage). The next morning we had to go over the same steps again ..... while every so often keep clicking the mouse button to keep the system awake .....

In addition to that at about 61% the status display disappeared completely. After about 30 minutes the system came back with an installation ready status message, reboot and remove the CD and the system booted into xubuntu. But we were sailing blind for a while.

Eventually the system asked for a re-boot and yes when it came back up we were greeted with the login screen!

Before we could surf the Net we had to setup the ethernet interface as the system had installed it by default with "roaming" enabled. We're not quite sure what is meant with that on a wired network, any ideas please feel free to leave a comment. It's fairly easy to rectify this problem, on the left top menu Applications under the drop down menu System, Network the network manager can be found:




When the "Network Settings" application starts up, unlock the access to the ability to make any changes and enable DHCP:



First impressions are very positive (after we recovered from the installation ....). The system is responsive, very similar to Windows XP on the same laptop. In a later post we will share our experience using xubuntu on this laptop.

Using Hewlett Packard blade systems for iLO installation of RHEL 4.

Two weeks ago we had the opportunity to do some work for a customer in Brussels, Belgium and to use a Hewlett Packard blade system. The HP blade rack was stored in a separate computer room from the training room and we used full remote access to install Red Hat Enterprise Linux 4 from a USB key attached to a laptop running SuSE Linux. The USB key contained ISO images from the 4 RHEL 4 installation CDs.

A (not very good mobile phone) picture of the naked front of the blades:

Another picture of the front of the actual blade boards. You can see clearly the hard drives attached to the motherboards and the cable attaching the management and diagnostics console to the system:

The management console sits in a sliding tray, nicely tucked in at the top of the rack. It can be pulled out, the screen lifted and a keyboard becomes available from underneath (in this picture it shows running a non-open source operating environment, sorry):

A final image of a blade server "tray". The (very noisy) fans are clearly visible doing their job keeping the dual core CPUs at the right temparature:

b

The purpose of the exercise was to provide a classroom server, running RHEL 4 with Apache, LDAP and DNS and to install it without any interaction with the physical blade hardware.

The installation did take some time of course as the installation ISOs had to be accessed from the USB (2.0) key, over the network to the blade (it was part of the fun getting that to work). We used the HP's "Integrated Lights Out" iLO console to "mount" the USB key as if it was a locally attached CD/DVD drive. Click here for a Wikipedia link to find out what iLO really is.

First we needed to identify ourselves to the iLO console through login as the administrator:

After successful login the iLO console displays the status summary menu from where several tasks can be performed:

To access the ISO images on the memory stick click on "Virtual Devices" and in the dialogue point the virtual CD-Rom to the local image file (in our case it was on the memory stick on /media/ISO-STICK/:

We connected (virtually) the first RHEL4 ISO on the memory stick and now the system can boot from it.

To be able to see the installation process and answer the questions asked by Anaconda we enabled the "Remote Console" from the iLO main menu (see previous screenshot above). iLO will launch a Java application with a view on the virtual console:

The above screenshot shows the installation halfway during the Red Hat packages copy and install process. The reason the remaining time is high is caused by us "removing" the virtual CD-Rom at one point at the end of the day. Allowing the system to generate an error message (with a retry option to re-read the CD-Rom), leaving the building for the evening and night, returning back the next morning, remounting the ISO image to the virtual CD-Rom and allowing Anaconda to retry reading the CD-Rom. Amazingly enough it worked and the installation did continue where it had stopped although the timing was confused of course.

The following sceen shows the dialogue to insert another CD-Rom (disk 4), using the "Virtual Media" menu just umount the existing ISO image, point to the next ISO image and re-mount the file as a virtual CD-Rom:

The timing eventually manage to correct itself, 35 minutes left!

Eventually we were rewarded with RHEL4' login menu through the virtual console:

The power of the Integrated Lights Out technology is clearly demonstrated. We installed a complete Red Hat Enterprise 4 installation without touching the actual hardware at any time. The installation worked very well over the network, using a standard laptop running SuSE 10.0 with a USB memory stick containing the RHEL 4 ISO images mounted as a virtual CD-Rom. Not bad, not bad at all. Can we have 10 please ;-).

Powered by ScribeFire.

Installation tutorial: Red Hat Enterprise Linux 4, introduction - part 3 (final)

This is the third (and final) part of the RHEL 4 installation tutorial, You can find the first part here and the second part here.

4.1 First boot (setup agent)
When the system comes back up after you have asked it to reboot, login using the root account (remember the root password) and the system will present you with the "first boot" welcome menu:

Click "Next" to move on to the next menu where you will be asked to agree with Red Hat's licensing scheme:

It is important to notice here that this license in many cases refers to licenses included with the source code of each software component that has been shipped with the Red Hat media. Most of the components adhere to the GNU Public License version 2, click here to learn more about what that means.

If you agree tick the "Yes, I agree to the License Agreement" and click "Next".

Here you can set the date and time at your location or alternatively allow the system clock to be set using the Network Time Protocol (NTP) by referring to time servers scattered around the Internet (we won't cover this, if you want to know more about NTP click here).

Set the correct date and time for your system and click "Next". This will bring you to the graphics display configuration menu:

The system assumes a "safe" resolution setting (800x600) and will have attempted to detect the monitor you are using. We will configure the resolution to a more sensible setting, but before we can do that the system need to be made aware of the capabilities of your monitor. To set the monitor type click "Configure":

Depending on what you are using choose the monitor model closest matching your monitor type (if the monitor is not a latest model there is a chance the settings are correct and there won't be a need to change them).

Click "OK" and you will see a menu similar to (if you have chosen a different monitor model the values might differ):

The next menu will give you an opportunity to enable the additional Red Hat subscription service:

You can choose and existing subscription (you must provide a login and password), or at this point you can create a new Red Hat login id and you can skip the dialogue (but you willhave to go past a "why is this important" screen". In this tutorial we will choose the "Tell me why I need to register ....." option so if you have made another choice the next menu will be different:

As we won't be making a registration here make sure to tick the "I can not complete ...." option and click "Next" to continue to the next step:

Here you have an option to create an additional (system) user. It is strongly recommended not to use the system administrator user (root) for day to day tasks (such as surfing the Net, writing reports and so on). The sudo or su commands provide the possibility to run a command as root (once in the case of sudo) or from within a new root shell (with su). Many of the GUI administrative tools provided with RHEL will ask for the root password when invoked by a non-priviliged user.

Create a new user here by specifying a login name (the username field), an optional full name and a (secure) password (you need to confirm this in case of typos). When you're done click "Next" to continue:

If you have any additional software you desire to install here you can insert the extra CDs and install additional documentation, software and plugins. We will skip this step, click "Next":

You have reached the final menu after which you can use the system!

From here you can start exploring the system menus, administration tools, the shell and many other aspects of the installed system.

If you want to review the previous sections, click here for the first part and here for the second part of this tutorial.

Congratulations you have installed Red Hat Enterprise Linux version 4.

Powered by ScribeFire.

Installation tutorial: Red Hat Enterprise Linux 4, introduction - part 2

This is the second part of the RHEL 4 installation tutorial. You can find the first part here

3.2 Graphical installation: network
The next menus you will encounter are designed to assist you installing the network card and network characteristics of the Red Hat system being build:

Here you can choose a dynamic TCP/IP configuration or a static. In the next part you will setup a static configuration, this allows a more thorough review of the installation menus. If your LAN network configuration allows for it, there is no reason to just leave the default settings.

For the purpose of this tutorial click the "Edit" button, this will bring up the "Edit Interface eth0" dialogue box:

If they don't conflict with your local network addressing scheme choose the settings as shown above and click "OK" to continue to the next menu:

Notice the menu has been updated to reflect your choice of manual (fixed) IP address configuration. Finalise the network configuration as shown above (using your own values) and move on to the next section by clicking

3.3 Graphical installation: firewall and security enhanced Linux
The next menu will ask if you want to have the firewall installed and what level of security enhanced Linux you want to deploy. If this is a standalone, server system within a protected privat network you probably won't need the firewall enabled. It is very likely the kernel filters (using iptables rules) might interfere with the services you are trying to deliver. For the purpose of this tutorial you will disable the firewall.
Security enhanced Linux (SELinux), the code originally added by the United States government National Security Agency, provides a mandatory security implementation to Linux. In addition to the traditional Linux (Unix) style security, based on ownership, SELinux adds mandatory access controls (rules based) to the Linux kernel. SELinux uses rule sets to control who and what can be done to any object within the system. For the purpose of this tutorial you will set the SELinux level to "warn" only. This provides a good way to learn about SELinux without it being in the way of your day to day operation of the system:

Make sure you switch off the firewall and select "Warn" for SELinux and click "Next" to continue.
A warning will be displayed making sure you really, really want the firewall to be switched off:

Click to continue

3.4 Languages, timezones and root password settings
The next few menus deal with the default system language, if you desire to do so, the installation of additional language support, what timezone your system is operating in and the system administrator, root, password. The menus are self explanatory, if you want to know more don't forget to scroll through and read the help window pane on the left side of the main menu.

Make sure you select the correct default language for your system. If you select any additional languages Anaconda, the installer, will add the appropriate dictionaries and language support files to your system but the default language is what you will use on a daily basis while interacting with the system. To continue click

As you can see overhere on this screenshot, London is the centre of the planet ...... not that we are biased overhere. You can use the map to "zoom" in on areas and select a city as close as possible to your location (make sure it is in the same time zone). You can also scroll down the list in the bottom window pane (that actually might be quicker and more accurate). When you're done click the "Next" button.

This menu asks you to provide the system "root" user password. As you undoubtedly are aware, the "root" user (on a non SELinux enhanced system) is able to access every file, process, system memory location, kernel driver and so on. A malicious non-priviliged user with bad intentions (even with good intentions) will try to elevate his/her privilege to the super user "root" as soon as possible (and then follows on to wipe out any traces of such an act). Choose the "root" user password with care. Strong passwords have a minimum length (8 characters), use upper and lower case characters, use punctuation characters and numbers but are relatively easy to remember and are not found in dictionaries. Some examples are (you can use normal words mixed with other characters): safe4Me+U, build2Strength!. Of course random characters are best but you might not be able to remember them. Whatever password you choose, type it into the appropriate menu field, make sure you remember, and click

3.5 Package selection
The following setup menu builds your final system to become a workstation or server or any other combination of software packages that Red Hat has included on the installation medium. Modern Linux distributions consist out of pre-selected and pre-configured package files that contain software, libraries, configuration and text files and many others together with the information where they need to be installed with what kind of security settings. If you have an opportunity when the system is running we suggest you have a look at the directory structure of one of the installation CDs and you will find within one of the directories a large amount of files with an ".rpm" file extention. These are the files that are used to create your system. Each ".rpm" file is a self contained unit and can be upgraded, removed or re-installed using simple command line or GUI tools.
To continue you need to decide what you want your system to be:

At this stage you will customise the installation by fine tuning what you want to have installed. Of course any selections you make overhere can be changed when the system is up and running. Choose the second option "Customize software packages to be installed" and click "Next".

The "Package Group Selection" menu shows the groups of packages, as selected by Red Hat, you can install on your system. You can further tune what you want to have installed by clicking the "Details" button, wherever available, to the right of the package selections. Red Hat for many years now has made this process very easy by using sensible package group names that are self explanatory (really!).
You can leave the defaults if you want or select your choice of packages. When you are done click "Next" which will bring you to the "About to Install" screen:

This menu as informational only and of course you have the option to return to the previous menus. Interesting is the mention of two files the system creates in the "/root" (i.e. the super user's home directory):

• /root/install.log
• /root/anaconda-ks.cfg

The first file contains a detailed log of the package installation process (the first view lines):
Installing 614 packages

Installing hwdata-0.146.10.EL-1.noarch.
Installing indexhtml-4-2.noarch.
Installing libgcc-3.4.3-22.1.i386.
Installing redhat-logos-1.1.25-1.noarch.
Installing rootfiles-8-1.noarch.
Installing setup-2.5.37-1.1.noarch.
Installing filesystem-2.3.0-1.i386.
Installing basesystem-8.0-4.noarch.
Installing termcap-5.4-3.noarch.
Installing tzdata-2005f-1.EL4.noarch.
Installing glibc-common-2.3.4-2.9.i386.
Installing glibc-2.3.4-2.9.i686.
Installing audit-0.5-1.i386.
Installing beecrypt-3.1.0-6.i386.
Installing bzip2-libs-1.0.2-13.i386.
Installing chkconfig-1.3.13.2-1.i386.
Installing device-mapper-1.01.01-1.RHEL4.i386.
Installing dmraid-1.0.0.rc6.1-3_RHEL4_U1.i386.
.....................

The second file contains, in simple text format, the choices you have made during the installation as interpreted by Anaconda, the Red Hat installer. In the more advanced installation tutorial you will learn how to use this file in unattended installations.

Continue with the installation, click
The system will let you know which installation media it requires:

Just click the "Continue" button and make sure you have the other media handy. The next information boxes will inform you about respectively the start of the installation process and the status of it (the behaviour of the progress bar is uncannily similar to the Microsoft version at installation time .....):

When done with the first CD the system will ask for the next (and so on):

When the system has asked for all the media it will perform some post installation tasks. You can see this in the final menu before the reboot:

Click the "Reboot" button and this part of the installation is complete.
After the reboot (don't forget to remove the last CD) the system will run a first boot script that will ask you for some final questions in configuring the system. This third and final part will be a subject of the next post, which you can find here.

Powered by ScribeFire.