Thursday, May 22, 2014

Creating a DNS Server (MASTER RECORD-BIND / RHEL 6.4 / CENTOS 6.4)

RHCE preparation

Once again, so I don't forget. hehe

1) yum install bind bind-utils

2) Edit /etc/named.conf and change the highlighted lines (bold in the original post) so the options block looks like this:

options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { any; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };
        recursion yes;

        dnssec-enable yes;
        dnssec-validation no;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
};
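The options block above turns recursion on and accepts queries from anywhere. The script below is an added example, not part of the original post: it parses an options { } block and applies BIND's fallback rule for allow-recursion (allow-recursion if set, else allow-query-cache, else allow-query, else the built-in localnets/localhost) to decide whether the server will recurse for any client on the internet, and it also flags dnssec-validation no. Both configuration strings are constructed; the first mirrors the post's settings, the second is the same block with an allow-recursion line and validation enabled.

```python
"""Added example (not from the original post): lint a BIND options { } block
for the open-resolver pattern. The configs are constructed strings; nothing
is read from /etc/named.conf."""
import re

# Constructed sample: the options block as the post configures it.
POST_OPTIONS = """
options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { any; };
        directory       "/var/named";
        allow-query     { any; };
        recursion yes;

        dnssec-enable yes;
        dnssec-validation no;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
};
"""

# Constructed sample: same server, recursion limited to the local networks
# and DNSSEC validation switched on.
HARDENED_OPTIONS = """
options {
        listen-on port 53 { any; };
        directory       "/var/named";
        allow-query     { any; };
        recursion yes;
        allow-recursion { localnets; localhost; };
        dnssec-enable yes;
        dnssec-validation yes;
};
"""

# One statement: a name, an optional plain value, an optional { list; }, then ';'
STATEMENT = re.compile(r"([\w-]+)\s+([^;{]*(?:\{[^}]*\})?)\s*;")


def parse_options(conf):
    """Map each statement in the options block to its value.
    Address-match lists such as { any; } become Python lists."""
    m = re.search(r"options\s*\{(.*?)\n\};", conf, re.S)
    if not m:
        raise ValueError("no options block found")
    body = re.sub(r"/\*.*?\*/", "", m.group(1), flags=re.S)  # drop /* */ comments
    body = re.sub(r"(//|#).*", "", body)                    # drop line comments
    opts = {}
    for name, value in STATEMENT.findall(body):
        if "{" in value:
            inner = value[value.index("{") + 1:value.rindex("}")]
            opts[name] = [v.strip() for v in inner.split(";") if v.strip()]
        else:
            opts[name] = value.strip().strip('"')
    return opts


def effective_allow_recursion(opts):
    """BIND's fallback when allow-recursion is absent: allow-query-cache,
    then allow-query, then the built-in default of localnets and localhost."""
    for key in ("allow-recursion", "allow-query-cache", "allow-query"):
        if key in opts:
            return opts[key]
    return ["localnets", "localhost"]


def audit(opts):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    recursive = opts.get("recursion", "yes") == "yes"   # BIND's default is yes
    if recursive and "any" in effective_allow_recursion(opts):
        findings.append("open resolver: recursion is on and allow-recursion "
                        "falls back to { any; }; add allow-recursion "
                        "{ localnets; localhost; }")
    if opts.get("dnssec-validation") == "no":
        findings.append("dnssec-validation no: answers are not checked "
                        "against DNSSEC signatures")
    return findings


if __name__ == "__main__":
    for label, conf in (("post", POST_OPTIONS), ("hardened", HARDENED_OPTIONS)):
        print(label, audit(parse_options(conf)) or ["no findings"])
```

With the post's settings the audit reports an open resolver: there is no allow-recursion statement, so BIND falls back to allow-query { any; }. On a lab host behind NAT that is harmless; on anything reachable from the internet, add allow-recursion { localnets; localhost; } (or set recursion no on a server that is only meant to be authoritative).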

3) Still in /etc/named.conf, add this:

zone "example.com" IN {
        type master;
        file "example.com.zone";
        allow-update { none; };
};

4) Then create the file example.com.zone in /var/named

# vim /var/named/example.com.zone

[root@rhce1 ~]# cat /var/named/example.com.zone
$TTL 86400
@   IN  SOA     ns1.example.com. root.example.com. (
        2013042201  ;Serial
        3600        ;Refresh
        1800        ;Retry
        604800      ;Expire
        86400       ;Minimum TTL
)
; Specify our two nameservers
IN NS ns1.example.com.
IN MX 10 mail.example.com.
; Resolve nameserver hostnames to IP, replace with your two droplet IP addresses.
ns1 IN A 192.168.122.22
rhce1 IN A 192.168.122.22
rhce2 IN A 192.168.123.22
rhce3 IN A 192.168.124.22
;IN MX 10 mail.example.com.

; Define hostname -> IP pairs which you wish to resolve
@ IN A 192.168.122.22
www IN A 192.168.122.22
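Before loading a zone it is worth checking it mechanically. The following is an added example, not from the original post: a small parser for the subset of zone syntax used in example.com.zone (a $TTL line, a parenthesised multi-line SOA, one record per line, and the post's habit of starting a line directly with IN to inherit the previous owner), followed by the checks a practitioner would run: exactly one SOA with a YYYYMMDDnn serial, an NS record matching the SOA MNAME, and an address record for every NS and MX target inside the zone. The zone text is constructed to match the post's file.

```python
"""Added example (not from the original post): parse the post's zone file and
sanity-check it. The zone text is constructed to mirror example.com.zone."""
from datetime import datetime

ORIGIN = "example.com."

# Constructed sample, same content as the post's /var/named/example.com.zone.
ZONE = """\
$TTL 86400
@   IN  SOA     ns1.example.com. root.example.com. (
        2013042201  ;Serial
        3600        ;Refresh
        1800        ;Retry
        604800      ;Expire
        86400       ;Minimum TTL
)
; Specify our two nameservers
IN NS ns1.example.com.
IN MX 10 mail.example.com.
ns1 IN A 192.168.122.22
rhce1 IN A 192.168.122.22
rhce2 IN A 192.168.123.22
rhce3 IN A 192.168.124.22
;IN MX 10 mail.example.com.

; Define hostname -> IP pairs which you wish to resolve
@ IN A 192.168.122.22
www IN A 192.168.122.22
"""

RR_TYPES = {"SOA", "NS", "MX", "A", "AAAA", "CNAME", "TXT", "PTR", "SRV"}


def logical_lines(text):
    """Strip ;-comments and join multi-line ( ... ) records into one line."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth == 0:
            yield " ".join(buf).replace("(", " ").replace(")", " ")
            buf = []


def qualify(name, origin):
    """Turn a relative owner or target into a fully qualified name."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin=ORIGIN):
    """Return (owner, ttl, type, rdata_tokens) for every record in the zone."""
    ttl, owner, records = None, origin, []
    for line in logical_lines(text):
        tokens = line.split()
        if tokens[0] == "$TTL":
            ttl = int(tokens[1])
            continue
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        # The owner is inherited when the line starts with whitespace or, as in
        # the post's file, straight with IN, a type, or a TTL.
        first = tokens[0]
        if (not line[0].isspace() and first != "IN"
                and first not in RR_TYPES and not first.isdigit()):
            owner = qualify(tokens.pop(0), origin)
        rec_ttl = ttl
        if tokens[0].isdigit():          # optional per-record TTL
            rec_ttl = int(tokens.pop(0))
        if tokens[0] == "IN":            # optional class
            tokens.pop(0)
        records.append((owner, rec_ttl, tokens[0], tokens[1:]))
    return records


def serial_is_dated(serial):
    """True for the conventional YYYYMMDDnn serial, e.g. 2013042201."""
    try:
        return len(serial) == 10 and datetime.strptime(serial[:8], "%Y%m%d") is not None
    except ValueError:
        return False


def audit_zone(records, origin=ORIGIN):
    """Return a list of problems; empty means the zone passed every check."""
    findings = []
    soa = [r for r in records if r[2] == "SOA"]
    if len(soa) != 1:
        findings.append(f"expected exactly one SOA, found {len(soa)}")
    else:
        mname, serial = soa[0][3][0], soa[0][3][2]
        if not serial_is_dated(serial):
            findings.append(f"SOA serial {serial} is not in YYYYMMDDnn form")
        ns_targets = {qualify(r[3][0], origin) for r in records if r[2] == "NS"}
        if qualify(mname, origin) not in ns_targets:
            findings.append(f"SOA MNAME {mname} has no matching NS record")
    has_addr = {r[0] for r in records if r[2] in ("A", "AAAA")}
    for _, _, rtype, rdata in records:
        if rtype in ("NS", "MX"):
            target = qualify(rdata[-1], origin)
            in_zone = target == origin or target.endswith("." + origin)
            if in_zone and target not in has_addr:
                findings.append(f"{rtype} target {target} has no A/AAAA record in this zone")
    return findings


if __name__ == "__main__":
    for finding in audit_zone(parse_zone(ZONE)) or ["no findings"]:
        print(finding)
```

Run against the post's zone it reports exactly one problem: the MX record points at mail.example.com., which has no A record anywhere in the zone, so mail for the domain has nowhere to go until one is added. named-checkzone example.com /var/named/example.com.zone is the BIND tool to run alongside a check like this before starting named.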


5) Start the service

# /etc/init.d/named start

6) Verify with the command host -al example.com, where example.com is whatever domain you created in the previous steps

NOTE: Before verifying, don't forget to point /etc/resolv.conf at the IP address of the host where this DNS master configuration lives. In this case that is 192.168.122.22

# vim /etc/resolv.conf
nameserver 192.168.122.22

then use the command below to verify

[root@rhce1 ~]# host -al example.com
Trying "example.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36348
;; flags: qr aa ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;example.com. IN AXFR

;; ANSWER SECTION:
example.com. 86400 IN SOA ns1.example.com. root.example.com. 2013042201 3600 1800 604800 86400
example.com. 86400 IN NS ns1.example.com.
example.com. 86400 IN NS rhce1.example.com.
example.com. 86400 IN NS rhce2.example.com.
example.com. 86400 IN NS rhce3.example.com.
example.com. 86400 IN MX 10 mail.example.com.
example.com. 86400 IN A 192.168.122.22
ns1.example.com. 86400 IN A 192.168.122.22
rhce1.example.com. 86400 IN A 192.168.122.22
rhce2.example.com. 86400 IN A 192.168.123.22
rhce3.example.com. 86400 IN A 192.168.124.22
www.example.com. 86400 IN A 192.168.122.22
example.com. 86400 IN SOA ns1.example.com. root.example.com. 2013042201 3600 1800 604800 86400

Received 305 bytes from 192.168.122.22#53 in 1 ms

Done. ^^

Friday, May 16, 2014

CREATING AN LDAP SERVER WITH OPEN-LDAP ( CENTOS 6.4 / RHEL 6.4 )

Writing it up on the blog so I don't forget hehe..

1) First step, install OpenLDAP with the command below, assuming you are already connected to a local or public repository hehe:
[root@ldap1 ~]# yum install openldap openldap-servers openldap-clients -y

2) Copy the sample LDAP configuration file slapd.conf to /etc/openldap/
[root@ldap1 ~]# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf

3) Generate the password for the rootdn used by /etc/openldap/slapd.conf
[root@ldap1 ~]# slappasswd
New password:
Re-enter new password:
{SSHA}GtG8bcLGeN/rf1iStKFK2pu0C2EZf/RX
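What slappasswd prints is an {SSHA} value: base64 of the SHA-1 digest of the password concatenated with a random salt, followed by the salt itself. The script below is an added example, not part of the original post; it builds and verifies such values in plain Python so you can see what goes into rootpw and userPassword, and splits the hash printed above to show its 20-byte digest and 4-byte salt. The passwords used in it are constructed. Because the salt is embedded in the string, two entries that carry the identical {SSHA} value (as student1 and student2 do in dit.ldif further down) necessarily share the same password.

```python
"""Added example (not from the original post): build and verify OpenLDAP
{SSHA} password values without LDAP tooling. Test passwords are constructed."""
import base64
import hashlib
import hmac
import os
from typing import Optional


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """{SSHA} = base64( SHA-1(password || salt) || salt ).
    slappasswd uses a 4-byte random salt by default; we do the same."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def split_ssha(value: str):
    """Split an {SSHA} string into (digest, salt); SHA-1 digests are 20 bytes,
    so everything after byte 20 is the salt."""
    if not value.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(value[len("{SSHA}"):])
    return raw[:20], raw[20:]


def verify_ssha(password: str, value: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    digest, salt = split_ssha(value)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


# The value printed by slappasswd in the post, used here only to inspect its layout.
POST_ROOTPW = "{SSHA}GtG8bcLGeN/rf1iStKFK2pu0C2EZf/RX"

if __name__ == "__main__":
    stored = make_ssha("constructed-demo-password")
    print(stored, verify_ssha("constructed-demo-password", stored))
    digest, salt = split_ssha(POST_ROOTPW)
    print(f"post rootpw: {len(digest)}-byte digest, {len(salt)}-byte salt")
```

Two things follow from the layout. Each call to make_ssha produces a different string for the same password because the salt is fresh, which is why you cannot spot shared passwords by comparing hashes unless the whole string was copy-pasted. And the scheme is unsalted-SHA-1-plus-salt with no work factor, so a leaked slapd.conf or a readable userPassword attribute is still worth protecting; this is the reason the sample file insists it "should NOT be world readable".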

4) Copy the generated password hash, then edit the file /etc/openldap/slapd.conf
     note: edit the highlighted parts (marked in red in the original post)

[root@ldap1 ~]# vim /etc/openldap/slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /etc/openldap/schema/corba.schema
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/duaconf.schema
include         /etc/openldap/schema/dyngroup.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/java.schema
include         /etc/openldap/schema/misc.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/openldap.schema
include         /etc/openldap/schema/ppolicy.schema
include         /etc/openldap/schema/collective.schema

# Allow LDAPv2 client connections.  This is NOT the default.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

# Load dynamic backend modules
# - modulepath is architecture dependent value (32/64-bit system)
# - back_sql.la overlay requires openldap-server-sql package
# - dyngroup.la and dynlist.la cannot be used at the same time

# modulepath /usr/lib/openldap
# modulepath /usr/lib64/openldap

# moduleload accesslog.la
# moduleload auditlog.la
# moduleload back_sql.la
# moduleload chain.la
# moduleload collect.la
# moduleload constraint.la
# moduleload dds.la
# moduleload deref.la
# moduleload dyngroup.la
# moduleload dynlist.la
# moduleload memberof.la
# moduleload pbind.la
# moduleload pcache.la
# moduleload ppolicy.la
# moduleload refint.la
# moduleload retcode.la
# moduleload rwm.la
# moduleload seqmod.la
# moduleload smbk5pwd.la
# moduleload sssvlv.la
# moduleload syncprov.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la

# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by running
# /usr/libexec/openldap/generate-server-cert.sh. Your client software may balk
# at self-signed certificates, however.
#TLSCACertificatePath /etc/openldap/certs
#TLSCertificateFile "\"OpenLDAP Server\""
#TLSCertificateKeyFile /etc/openldap/certs/password


# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access
#               Allow authenticated users read access
#               Allow anonymous users to authenticate
#       Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#       by self write
#       by users read
#       by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

# enable on-the-fly configuration (cn=config)
database config
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
        by * none

# enable server status monitoring (cn=monitor)
database monitor
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
        by dn.exact="cn=Manager,dc=example,dc=com" read
        by * none

#######################################################################
# database definitions
#######################################################################

database        bdb
suffix          "dc=example,dc=com"
checkpoint      1024 15
rootdn          "cn=Manager,dc=example,dc=com"
rootpw          {SSHA}GtG8bcLGeN/rf1iStKFK2pu0C2EZf/RX

loglevel        256
sizelimit       unlimited

# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw                secret
# rootpw                {crypt}ijFYNcSNctBYg

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /var/lib/ldap

# Indices to maintain for this database
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub

# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
#     bindmethod=sasl saslmech=GSSAPI
#     authcId=host/ldap-master.example.com@EXAMPLE.COM
 


5) Remove any existing LDAP configuration (if present), then re-initialise:
[root@ldap1 ~]# rm -rf /var/lib/ldap/*
[root@ldap1 ~]# rm -rf /etc/openldap/slapd.d/*


6) Copy the sample DB_CONFIG file to /var/lib/ldap/
[root@ldap1 ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

7) Set permissions on /var/lib/ldap/ and /etc/openldap/slapd.d/ so they are owned by the 'ldap' user
[root@ldap1 ~]# chown -Rf ldap. /etc/openldap/slapd.d/
[root@ldap1 ~]# chown -Rf ldap. /var/lib/ldap/
[root@ldap1 ~]# chmod 700 /var/lib/ldap/
[root@ldap1 ~]# chmod 700 /etc/openldap/slapd.d/

8) Check and double-check for errors in the configuration file /etc/openldap/slapd.conf:
[root@ldap1 ~]# slaptest -u
config file testing succeeded

9) Convert the configuration file into the dynamic configuration under /etc/openldap/slapd.d/

[root@ldap1 ~]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
config file testing succeeded

10) Start the slapd daemon to bring OpenLDAP up:
[root@ldap1 ~]# /etc/init.d/slapd start

11) Confirm with the commands below:
[root@ldap1 ~]# service slapd status
slapd (pid  1301) is running...
[root@ldap1 ~]# netstat -ntlup | grep slapd
tcp        0      0 0.0.0.0:389                 0.0.0.0:*                   LISTEN      1301/slapd
tcp        0      0 :::389                      :::*                        LISTEN      1301/slapd

[root@ldap1 ~]# ps -ef | grep slapd

ldap      1301     1  0 08:21 ?        00:00:00 /usr/sbin/slapd -h  ldap:/// ldapi:/// -u ldap
root      1318  1208  0 08:23 pts/1    00:00:00 grep slapd

12) If you are using iptables, use the commands below:
[root@ldap1 ~]# netstat -ntlup | grep slapd
tcp        0      0 0.0.0.0:389                 0.0.0.0:*                   LISTEN      1402/slapd
tcp        0      0 :::389                      :::*                        LISTEN      1402/slapd


[root@ldap1 ~]# iptables -I INPUT -p udp -s 192.168.124.0/24 --dport 389 -j ACCEPT
[root@ldap1 ~]# iptables -I INPUT -p tcp -s 192.168.124.0/24 --dport 389 -j ACCEPT
[root@ldap1 ~]# iptables -I INPUT -p udp -s 192.168.124.0/24 --dport 636 -j ACCEPT
[root@ldap1 ~]# iptables -I INPUT -p tcp -s 192.168.124.0/24 --dport 636 -j ACCEPT

[root@ldap1 ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]


13) Create the base DIT (Directory Information Tree) using the file below:

[root@ldap1 ~]# vim dit.ldif
# Then fill it with the following:
# Creates a base for DIT
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: Example Organization
dc: Example
description: Example Inc DIT

# Creates a Users OU (Organizational Unit)
dn: ou=Users,dc=example,dc=com
objectClass: organizationalUnit
ou: Users

# Creates a Groups OU
dn: ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
ou: Groups

dn: ou=Admins,dc=example,dc=com
objectClass: organizationalUnit
ou: Admins

# Create a user student1 with some basic info
dn: uid=student1,ou=Users,dc=example,dc=com
uid: student1
cn: student1
sn: 1
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
loginShell: /bin/bash
homeDirectory: /home/student1
uidNumber: 15000
gidNumber: 10000
userPassword: {SSHA}CQG5KHc6b1ii+qopaVCsNa14v9+r14r5
mail: student1@example.com
gecos: Student1 User

# Create a user student2 with some basic info
dn: uid=student2,ou=Users,dc=example,dc=com
uid: student2
cn: student2
sn: 2
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
loginShell: /bin/bash
homeDirectory: /home/student2
uidNumber: 15001
gidNumber: 10000
userPassword: {SSHA}CQG5KHc6b1ii+qopaVCsNa14v9+r14r5
mail: student2@example.com
gecos: Student2 User

# Creates a ldapusers group under Groups OU
dn: cn=ldapusers,ou=Groups,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapusers
userPassword: {crypt}x
gidNumber: 10000
memberuid: uid=student1
memberuid: uid=student2


14) Change /etc/openldap/ldap.conf so it looks like this:
[root@ldap1 ~]# vim /etc/openldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE   dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

#TLS_CACERTDIR  /etc/openldap/certs
ssl             start_tls
TLS_REQCERT     allow
BASE            dc=example,dc=com
# optional, depends on your domain name
URI             ldap://ldap.example.com
# optional, depends on your IP address
HOST            192.168.124.251


15) Load dit.ldif with the command below:
[root@ldap1 ~]# ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f dit.ldif -H ldaps://ldap1.example.com 
LDAP Password: {enter the password you created earlier with slappasswd}
adding new entry "dc=example,dc=com"

adding new entry "ou=Users,dc=example,dc=com"

adding new entry "ou=Groups,dc=example,dc=com"

adding new entry "uid=student1,ou=Users,dc=example,dc=com"

adding new entry "uid=student2,ou=Users,dc=example,dc=com"

adding new entry "cn=ldapusers,ou=Groups,dc=example,dc=com"


16) Verify that the data from dit.ldif is now in the LDAP database with the command below:
[root@ldap1 ~]# ldapsearch -x -b "dc=example,dc=com" -H ldap://ldap.example.com
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# example.com
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: Example Organization
dc: Example
description: Example Inc DIT

# Users, example.com
dn: ou=Users,dc=example,dc=com
objectClass: organizationalUnit
ou: Users

# Groups, example.com
dn: ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
ou: Groups

# student1, Users, example.com
dn: uid=student1,ou=Users,dc=example,dc=com
uid: student1
cn: student1
sn: 1
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
loginShell: /bin/bash
homeDirectory: /home/student1
uidNumber: 14583100
gidNumber: 14564100
userPassword:: e1NTSEF9Q1FHNUtIYzZiMWlpK3FvcGFWQ3NOYTE0djkrcjE0cjU=
mail: student1@example.com
gecos: Student1 User

# student2, Users, example.com
dn: uid=student2,ou=Users,dc=example,dc=com
uid: student2
cn: student2
sn: 2
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
loginShell: /bin/bash
homeDirectory: /home/student2
uidNumber: 14583101
gidNumber: 14564100
userPassword:: e1NTSEF9Q1FHNUtIYzZiMWlpK3FvcGFWQ3NOYTE0djkrcjE0cjU=
mail: student2@example.com
gecos: Student2 User

# ldapusers, Groups, example.com
dn: cn=ldapusers,ou=Groups,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapusers
userPassword:: e2NyeXB0fXg=
gidNumber: 14564100
memberUid: uid=student1
memberUid: uid=student2

# search result
search: 2
result: 0 Success

# numResponses: 8

# numEntries:7
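ldapsearch writes userPassword with a double colon, which in LDIF means the value is base64-encoded, not encrypted: anyone who can read the entry gets the {SSHA} hash back with one decode. The script below is an added example, not from the original post: a minimal LDIF reader that handles the three rules that matter for files like dit.ldif and for this output (entries are separated by blank lines, a line beginning with a single space continues the previous line, and attr:: marks a base64 value), plus a check for the common mistake of a blank line in the middle of an entry, which makes ldapadd see a second entry with no dn. The LDIF text is constructed in the style of the output above; the two userPassword values are the ones the post shows.

```python
"""Added example (not from the original post): a minimal LDIF reader that
decodes attr:: base64 values and detects entries split by a stray blank line.
Both LDIF strings below are constructed for the demo."""
import base64

# Constructed sample in ldapsearch's output style, with one folded line added.
SEARCH_OUTPUT = """\
# extended LDIF
#
# student1, Users, example.com
dn: uid=student1,ou=Users,dc=example,dc=com
uid: student1
objectClass: top
objectClass: posixAccount
userPassword:: e1NTSEF9Q1FHNUtIYzZiMWlpK3FvcGFWQ3NOYTE0djkrcjE0cjU=
description: a long value that the writer folded onto a
  second line
mail: student1@example.com

# ldapusers, Groups, example.com
dn: cn=ldapusers,ou=Groups,dc=example,dc=com
objectClass: posixGroup
userPassword:: e2NyeXB0fXg=
memberUid: uid=student1
memberUid: uid=student2
"""

# Constructed sample with the classic mistake: a blank line inside an entry.
BROKEN = """\
dn: uid=student1,ou=Users,dc=example,dc=com
uid: student1
objectClass: posixAccount

gidNumber: 10000
userPassword: {SSHA}CQG5KHc6b1ii+qopaVCsNa14v9+r14r5
"""


def unfold(text):
    """Join continuation lines: a line starting with one space is appended to
    the previous line with that first space removed."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return a list of entries, each a list of (attribute, value) pairs in
    file order (objectClass and memberUid repeat, so a dict would lose data)."""
    entries, current = [], []
    for line in unfold(text):
        if line.startswith("#") or line.startswith("version:"):
            continue
        if not line.strip():                      # blank line ends the entry
            if current:
                entries.append(current)
                current = []
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):                  # attr:: base64 value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:                                     # attr: plain (or attr:< URL, kept raw)
            value = rest.strip()
        current.append((attr, value))
    if current:
        entries.append(current)
    return entries


def values(entry, attr):
    """All values of one attribute in an entry (attribute names are case-insensitive)."""
    return [v for a, v in entry if a.lower() == attr.lower()]


def check_entries(entries):
    """Every entry must begin with dn:; a stray blank line shows up here as a
    second 'entry' without one, which is what ldapadd would reject."""
    problems = []
    for i, entry in enumerate(entries, 1):
        if entry[0][0].lower() != "dn":
            problems.append(f"entry {i} does not start with dn: (first line is {entry[0][0]!r})")
    return problems


if __name__ == "__main__":
    for entry in parse_ldif(SEARCH_OUTPUT):
        print(values(entry, "dn")[0], "->", values(entry, "userPassword"))
    print(check_entries(parse_ldif(BROKEN)))
```

Note that the search in step 16 binds anonymously (-x with no -D) and still returns the password hashes. The slapd.conf above has no access directives under the bdb database, so, as the file's own comments say, the default policy lets anyone read everything. An access to attrs=userPassword by self write by anonymous auth by * none directive placed after the bdb database definition is the usual fix; it keeps simple binds working while hiding the hashes from everyone else.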



17) Setting up phpLDAPadmin
Note: phpLDAPadmin makes administering the LDAP database easier; with this application we don't have to bother writing a dit.ldif by hand as in step 13.
*) Install phpldapadmin
[root@ldap1 ~]# yum install -y phpldapadmin 

*) Edit the httpd configuration file by adding these lines at the very bottom:
[root@ldap1 ~]# vim /etc/httpd/conf/httpd.conf

#  Web-based tool for managing LDAP servers
#

Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
Alias /ldapadmin /usr/share/phpldapadmin/htdocs

<Directory /usr/share/phpldapadmin/htdocs>
  Order Deny,Allow
  Deny from all
  Allow from all
</Directory>

*) Restart the httpd server
[root@ldap1 ~]# /etc/init.d/httpd restart 

*) Open phpLDAPadmin from a web browser:
http://ldap_server_ip/ldapadmin

18) To be able to log in with a DN from phpldapadmin, change this parameter in /etc/phpldapadmin/config.php:
$servers->setValue('login','attr','uid');

to

$servers->setValue('login','attr','dn');

then restart httpd again:
[root@ldap1 ~]# /etc/init.d/httpd restart 


Have fun trying it out ^^