Friday, October 31, 2008

Free & Open Source Systems Management on Linux

Spacewalk is an open source (GPLv2) Linux systems management solution. It is the upstream community project from which the Red Hat Network Satellite product is derived.





http://www.redhat.com/spacewalk/

Friday, October 10, 2008

SER vs OpenSER





SER was originally developed by the FhG Fokus research institute in Berlin, Germany, and released under the GPL license. The core developers of SER were Andrei Pelinescu-Onciul, Bogdan-Andrei Iancu, Daniel Constantin Mierla, Jan Janak, and Jiri Kuthan. Some contributors joined the project later, namely Juha Heinamen (RADIUS, ENUM, DOMAIN, URI), Greg Fausak (POSTGRES), Maxim Sobolev (NATHELPER), Adrian Georgescu (MEDIAPROXY), Elena Ramona Modroiu (XLOG, DIAMETER, AVPOPS, SPEEDDIAL), Miklos Tirpak (Permissions), and others.

OpenSER is a fork of the original SER project. In 2004 FhG Fokus spun the SER project off into iptel.org. In 2005 the commercial arm of iptel was sold to TEKELEC, and the core development team split in two: three developers (Andrei Pelinescu-Onciul, Jan Janak, and Jiri Kuthan) went to iptel.org, while the other two (Bogdan-Andrei Iancu and Daniel Constantin Mierla) left FhG to start a company called Voice-System, the main maintainer of the OpenSER project, which began in 2005.

OpenSER has become OpenSIPS

Wednesday, October 8, 2008

Setting up a PXE install for Linux

Installing Linux via PXE boot over a network can be a really nice way to do it and it is especially useful, if your client machine doesn’t have a CD / DVD drive. However, it can be a bit tricky to understand how it all works, so this post will hopefully explain what is going on, as well as show you how to set it up.

You will need:

* A DHCP server
* A TFTP server (tftpd-hpa)
* vmlinuz and initrd.img from your distribution of choice
* The PXELINUX.0 boot loader and a suitable config file

Install the TFTP server

Ensure you use the tftpd-hpa package, as PXELINUX requires a TFTP server that supports the “tsize” TFTP option. With a server that lacks it you will most likely see an error such as ‘TFTP server does not support the tsize option’.

sudo apt-get install tftpd-hpa tftp-hpa xinetd

Configure xinetd to load TFTP

Create a new file called /etc/xinetd.d/tftp (xinetd reads every file in /etc/xinetd.d) and add the following contents:

service tftp
{
    protocol    = udp
    port        = 69
    socket_type = dgram
    wait        = yes
    # xinetd starts in.tftpd as root; in.tftpd itself drops to "nobody"
    user        = root
    server      = /usr/sbin/in.tftpd
    # serve only files below /tftpboot; without -s clients must request
    # absolute paths (use "-s /tftpboot" to chroot and take relative paths)
    server_args = /tftpboot
    disable     = no
}

Create the /tftpboot folder and make it world readable (chmod 755), then restart xinetd and check that you can fetch a file from it, e.g. tftp 192.168.0.2 -c get /tftpboot/linux-install/pxelinux.0 once the boot loader is in place (see below). Everything readable under /tftpboot is served to anyone on the network without authentication, so keep nothing but boot files there.

Set up the DHCP server

Add the following config to your /etc/dhcpd.conf file:

host pxeinstall {
# specify your client's MAC address
hardware ethernet 00:13:21:1F:F1:82;
# give it an IP
fixed-address 192.168.0.10;
#If the tftp server is on a different host to the DHCP server, specify its IP.
next-server 192.168.0.2;
# path of the boot loader file; in.tftpd above runs without -s (no chroot), so this must be the absolute path
filename "/tftpboot/linux-install/pxelinux.0";
}

Then restart dhcpd (check the file first with dhcpd -t, which only parses the configuration). Note that neither DHCP nor TFTP authenticates anything: the client boots whatever kernel the DHCP answer points it to, so the pinned MAC address only selects this config, it does not stop another host on the same segment from answering first.

Setting up PXELINUX

PXELINUX is a SYSLINUX derivative for booting Linux off a network server. Essentially, it loads a Linux kernel of your choice onto your machine; which kernel is chosen is set in a config file. Download the latest syslinux archive from kernel.org and extract pxelinux.0 from it.

You are going to be creating a folder structure that will eventually look like this:

/tftpboot/
/tftpboot/linux-install
/tftpboot/linux-install/pxelinux.0
/tftpboot/linux-install/pxelinux.cfg
/tftpboot/linux-install/pxelinux.cfg/default
/tftpboot/linux-install/distros
/tftpboot/linux-install/distros/ubuntu8.04
/tftpboot/linux-install/distros/ubuntu8.04/linux
/tftpboot/linux-install/distros/ubuntu8.04/initrd.gz
/tftpboot/linux-install/distros/centos5.1
/tftpboot/linux-install/distros/centos5.1/vmlinuz
/tftpboot/linux-install/distros/centos5.1/initrd.img
/tftpboot/linux-install/menu.msg

So, create a linux-install folder inside /tftpboot and copy pxelinux.0 (the PXE network boot loader) into it. Then make a folder called pxelinux.cfg inside /tftpboot/linux-install, and inside that create a file called default with the following contents:

pxelinux.cfg/default

PROMPT 1
TIMEOUT 200
DISPLAY menu.msg

DEFAULT linux

LABEL linux
localboot 0

LABEL centos5.1
KERNEL distros/centos5.1/vmlinuz
APPEND initrd=distros/centos5.1/initrd.img ramdisk_size=6454 ip=dhcp

LABEL ubuntu8.04
KERNEL distros/ubuntu8.04/linux
APPEND initrd=distros/ubuntu8.04/initrd.gz ramdisk_size=6454 ip=dhcp

What this does is set up a boot prompt where you can choose to load any of the specified labels (kernels). In my example I have used CentOS 5.1 and Ubuntu 8.04.

There is a 20 second timeout (TIMEOUT counts in tenths of a second, so 200 = 20 seconds), after which the default label is loaded. Here the default is linux, i.e. localboot 0, so an unattended machine that happens to PXE boot falls through to its local disk instead of being reinstalled.

The options after each label tell the boot loader where the kernel and initrd for that distro are. NB: the paths are relative to the directory that contains pxelinux.0, not to the TFTP root.

We have also specified a menu.msg file - this is just an ASCII menu that tells people what options they have. Unfortunately we could not find a way to auto-generate the boot menu, so you need to edit menu.msg by hand every time you change the PXE config.

Linux Kernel and Initial Ram Disk

The only two files really needed to begin installing a distribution after PXELINUX loads are the compressed Linux kernel and the initial ram disk of your choice; you point at them in the pxelinux config as shown above. For Ubuntu 8.04 they are called linux and initrd.gz and can be found in the netboot folder of the Ubuntu archive. For CentOS 5.1 they are called vmlinuz and initrd.img and can be found in the pxeboot images folder on any CentOS mirror. Once you have downloaded whichever ones you want to use, put them into the distros folders under linux-install as shown in the directory structure above. Fetch them from the distribution's own mirrors and compare them with the published checksums: a PXE client runs whatever kernel it is handed, so these two files are the root of trust for every install.

menu.msg

This is a really simple ASCII file that will be displayed as the boot menu. The one we use is as follows:

[ASCII-art banner not reproduced: the original file opens with Syslinux colour codes (a Ctrl-O byte followed by two hex digits such as 0a, 0c and 07, which the page's extraction reduced to the bare digits) around a block of ASCII art, followed by the text below.]

Choose one of the following labels in order to boot:
- linux (localboot)
- centos5.1
- ubuntu8.04
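The procedure above ends with a menu.msg that has to be kept in sync with pxelinux.cfg/default by hand, and a rule (paths relative to pxelinux.0) that is easy to get wrong. The script below is an added example, not code from the original post: it parses the default file, checks that every kernel and initrd it names exists under the directory that holds pxelinux.0, and generates the label list for menu.msg. Run without arguments it builds a throwaway copy of the post's tree in a temp directory (with the Ubuntu initrd deliberately missing, so there is something to report); pass /tftpboot/linux-install to check a real one. The sample config and tree are constructed here; nothing is assumed about Syslinux beyond the keyword syntax shown above.

```python
"""Check pxelinux.cfg/default and generate menu.msg from its labels.

Added example, not code from the original post: it verifies that every KERNEL
and initrd path resolves relative to the directory holding pxelinux.0 (the rule
the post states) and writes the label list that menu.msg otherwise carries by
hand.  SAMPLE_CONFIG and build_sample_tree() are constructed to match the post.
"""
import os
import re
import sys
import tempfile

SAMPLE_CONFIG = """\
PROMPT 1
TIMEOUT 200
DISPLAY menu.msg

DEFAULT linux

LABEL linux
localboot 0

LABEL centos5.1
KERNEL distros/centos5.1/vmlinuz
APPEND initrd=distros/centos5.1/initrd.img ramdisk_size=6454 ip=dhcp

LABEL ubuntu8.04
KERNEL distros/ubuntu8.04/linux
APPEND initrd=distros/ubuntu8.04/initrd.gz ramdisk_size=6454 ip=dhcp
"""


def parse_labels(text):
    """One dict per LABEL: {'label', 'kernel', 'initrd', 'localboot'}.

    Syslinux keywords are case-insensitive; KERNEL/APPEND/LOCALBOOT lines belong
    to the most recent LABEL, and directives before the first LABEL are global."""
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key, value = key.upper(), value.strip()
        if key == "LABEL":
            current = {"label": value, "kernel": None, "initrd": None, "localboot": False}
            entries.append(current)
        elif current is None:
            continue  # PROMPT, TIMEOUT, DISPLAY, DEFAULT
        elif key == "KERNEL":
            current["kernel"] = value
        elif key == "LOCALBOOT":
            current["localboot"] = True
        elif key == "APPEND":
            m = re.search(r"(?:^|\s)initrd=(\S+)", value)
            if m:
                current["initrd"] = m.group(1)
    return entries


def check_paths(entries, pxelinux_dir):
    """List of problems; empty means every referenced file is in place.

    PXELINUX resolves relative paths against the directory it was loaded from.
    A leading "/" is passed to the TFTP server as-is and breaks under a
    chrooted tftpd, so it is flagged as well."""
    problems = []
    for e in entries:
        if e["localboot"]:
            continue
        for kind in ("kernel", "initrd"):
            path = e[kind]
            if path is None:
                problems.append("%s: no %s" % (e["label"], kind))
            elif path.startswith("/"):
                problems.append("%s: %s %r is absolute, expected relative" % (e["label"], kind, path))
            elif not os.path.isfile(os.path.join(pxelinux_dir, path)):
                problems.append("%s: %s %r not found under %s" % (e["label"], kind, path, pxelinux_dir))
    return problems


def render_menu(entries):
    """Text of menu.msg: the post's heading plus one line per label."""
    lines = ["Choose one of the following labels in order to boot:"]
    for e in entries:
        lines.append("- %s%s" % (e["label"], " (localboot)" if e["localboot"] else ""))
    return "\n".join(lines) + "\n"


def run(pxelinux_dir):
    """Parse pxelinux.cfg/default under pxelinux_dir, check it, write menu.msg."""
    with open(os.path.join(pxelinux_dir, "pxelinux.cfg", "default")) as f:
        entries = parse_labels(f.read())
    problems = check_paths(entries, pxelinux_dir)
    with open(os.path.join(pxelinux_dir, "menu.msg"), "w") as f:
        f.write(render_menu(entries))
    return entries, problems


def build_sample_tree():
    """Recreate the post's linux-install tree in a temp dir, minus the Ubuntu
    initrd (deliberate, so check_paths() has something to report)."""
    base = os.path.join(tempfile.mkdtemp(), "linux-install")
    for rel in ("pxelinux.0", "distros/centos5.1/vmlinuz",
                "distros/centos5.1/initrd.img", "distros/ubuntu8.04/linux"):
        os.makedirs(os.path.dirname(os.path.join(base, rel)), exist_ok=True)
        open(os.path.join(base, rel), "wb").close()
    os.makedirs(os.path.join(base, "pxelinux.cfg"))
    with open(os.path.join(base, "pxelinux.cfg", "default"), "w") as f:
        f.write(SAMPLE_CONFIG)
    return base


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    found, issues = run(target)
    for p in issues:
        print("PROBLEM:", p)
    print(open(os.path.join(target, "menu.msg")).read())
```

Running it against a real tree before restarting anything is the cheap check: a typo in a KERNEL line otherwise only shows up as a "file not found" on the console of the machine you were trying to install.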

Authenticated SMTP with SMTP-AUTH


SMTP AUTH is particularly useful when you have roaming users, or users whose ISP assigns them dynamic IPs. Such users can relay mail through your SMTP server even though their IP or network is not in the allowed list in the qmail-smtpd.cdb file: authenticated SMTP lets them present credentials, which are verified against their account entry in qmail-ldap, and on success they are allowed to relay regardless of their current IP or network. Read more about relaying in my mail relaying document.

For qmail-smtpd to support this you have to edit the current /var/qmail/boot/qmail-smtpd/run script so that it invokes the auth_smtp program that qmail-ldap installed. Open the file in your favourite editor and look for the following lines towards the end of the file.
exec \
envuidgid $QUSER \
tcpserver -v -URl $ME -x$QMAIL/control/qmail-smtpd.cdb \
${CONCURRENCY:+"-c$CONCURRENCY"} ${BACKLOG:+"-b$BACKLOG"} 0 smtp \
$PBSTOOL \
$QMAIL/bin/qmail-smtpd

Append $QMAIL/bin/auth_smtp /usr/bin/true to the last line, so that the last line of your run script becomes:
exec \
envuidgid $QUSER \
tcpserver -v -URl $ME -x$QMAIL/control/qmail-smtpd.cdb \
${CONCURRENCY:+"-c$CONCURRENCY"} ${BACKLOG:+"-b$BACKLOG"} 0 smtp \
$PBSTOOL \
$QMAIL/bin/qmail-smtpd $QMAIL/bin/auth_smtp /usr/bin/true

Now add this line to your qmail-smtpd.rules file:
:allow,SMTPAUTH="AUTHREQUIRED",NOPBS=""

So your qmail-smtpd.rules file will look like this:
127.:allow,RELAYCLIENT=""
:allow,SMTPAUTH="AUTHREQUIRED",NOPBS=""

The SMTPAUTH variable tells qmail-smtpd that authentication is required before it will relay mail; NOPBS tells it not to use POP-before-SMTP, which you do not need once SMTP AUTH is in place (it can matter on clustered servers, but not here). Note that the first rule still lets connections from 127. relay without authenticating, so anything able to connect from the local host can relay. Now rebuild the cdb file from qmail-smtpd.rules; as root, issue:
# tcprules qmail-smtpd.cdb rules.tmp < qmail-smtpd.rules

You have to restart the smtpd service for these changes to take effect. To do this issue following command as root.
# svc -t /service/smtpd

To test this setup, try sending mail from another host using an envelope sender in your server's default domain and a recipient outside it, so that the message actually needs relaying. The server should ask you for authentication and refuse until you provide it. If this works, you are done with SMTP AUTH. Before you test, verify the service is running with svstat as follows.
# svstat /service/smtpd
/service/smtpd: up (pid 26698) 14 seconds
Back to qmail-ldap installation


Securing SMTP with TLS

When you authenticate over the Internet, AUTH passwords travel as base64, which is an encoding, not encryption: anyone who can capture the packets gets the clear-text credentials back with a single decode, so your users are vulnerable to identity theft. The step beyond authenticated relaying is therefore the ability to negotiate a secure connection with your SMTP server, which protects the authentication and the data transferred over the Internet and prevents password sniffing. qmail-ldap lets us configure this in qmail-smtpd. Remember that we enabled TLS=-DTLS_REMOTE -DTLS_SMTPD -DTLSDEBUG in the Makefile before the qmail installation (refer to the Editing Makefile section); that built TLS support into our installation.

Before configuring this ability, make sure you have created a certificate by running make cert in the patched qmail source:
# cd src/qmail-1.03
# make cert

Read more on make cert.

It will prompt you for some details that will appear on your certificate; give your server's host name as the Common Name, since that is what clients compare against. It also sets the permissions of the certificate file. cert.pem holds the private key as well as the certificate, so make sure the permissions are as shown below (readable by qmaild only):
# ls -lh /var/qmail/control/cert.pem
-rw-r----- 1 qmaild qmail 2.4K 2005-05-25 11:43 /var/qmail/control/cert.pem

~control/smtpcert: this is one thing you have to do before you restart qmail-smtpd. You have to put the path of cert.pem in this file; use the absolute path, as follows.
# echo /var/qmail/control/cert.pem > /var/qmail/control/smtpcert

This certificate will be sent to clients when they use SMTP over TLS. Once this has been done, restart smtpd as follows. In my experience SMTP with TLS WILL NOT work until the path to cert.pem is in ~control/smtpcert.
# svc -t /service/smtpd

Clients have to select the appropriate options in their mail clients to use SSL or TLS with your SMTP server; refer them to their email-client documentation if you or they are unsure how. When they send a message, the mail client receives the certificate and asks whether to proceed with encrypted SMTP. With the self-signed certificate from make cert that is a warning the user has to accept, and a user trained to accept any certificate is not protected against a man-in-the-middle, so for anything beyond a test setup have the certificate signed by a CA the clients trust. qmail-ldap can make client SMTP encryption mandatory by setting SMTPAUTH to TLSREQUIRED, either for specific clients in /var/qmail/control/qmail-smtpd.rules or globally in /var/qmail/boot/qmail-smtpd/env (the same directory as /service/smtpd/env, since /service/smtpd is just a symlink to the qmail-smtpd directory in /var/qmail/boot). Globally:
echo TLSREQUIRED > /service/smtpd/env/SMTPAUTH

Or do it per client in qmail-smtpd.rules by changing its last line as follows.
:allow,SMTPAUTH="TLSREQUIRED",NOPBS=""

Do not forget to rebuild the cdb file from qmail-smtpd.rules with tcprules as above. Then restart the smtpd service as follows.
# svc -t /service/smtpd
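Both the SMTP AUTH section above and this TLS section rest on one fact: AUTH PLAIN and AUTH LOGIN only base64-encode the credentials. The script below is an added example, not code from the original post or from qmail-ldap. It builds the AUTH PLAIN line a client sends and, given a captured session, either recovers the user name and password or reports that STARTTLS preceded AUTH so nothing was exposed on the wire. The two transcripts, the host names and the credentials in it are constructed for the example.

```python
"""Recover SMTP AUTH credentials from a captured session, or show that
STARTTLS kept them off the wire.

Added example, not code from the original post or from qmail-ldap: it
demonstrates the "base64 is not encryption" point behind the TLS section and
the AUTH exchange the SMTP AUTH section configures.  Both transcripts are
constructed; host names, banner text and credentials are invented.
"""
import base64

# Constructed capture: the client authenticates on the plain TCP stream.
# "C:" lines go client->server, "S:" lines server->client.
PLAINTEXT_SESSION = """\
S: 220 mail.example.com ESMTP
C: EHLO laptop
S: 250-mail.example.com
S: 250-STARTTLS
S: 250 AUTH LOGIN PLAIN
C: AUTH PLAIN AGFsaWNlQGV4YW1wbGUuY29tAHMzY3IzdCE=
S: 235 ok, go ahead (#2.0.0)
C: MAIL FROM:<alice@example.com>
"""

# Constructed capture of a client that does STARTTLS before AUTH; after the
# 220 reply the stream is ciphertext, so no AUTH line is visible to a sniffer.
TLS_SESSION = """\
S: 220 mail.example.com ESMTP
C: EHLO laptop
S: 250-mail.example.com
S: 250-STARTTLS
S: 250 AUTH LOGIN PLAIN
C: STARTTLS
S: 220 ready for tls
"""


def auth_plain_line(user, password, authzid=""):
    """The AUTH PLAIN command a client sends: base64(authzid NUL user NUL password)."""
    blob = ("%s\0%s\0%s" % (authzid, user, password)).encode()
    return "AUTH PLAIN " + base64.b64encode(blob).decode()


def decode_auth_plain(b64):
    """Undo auth_plain_line(): returns (authzid, user, password)."""
    parts = base64.b64decode(b64).decode().split("\0")
    if len(parts) != 3:
        raise ValueError("malformed AUTH PLAIN blob")
    return tuple(parts)


def decode_auth_login(b64_user, b64_password):
    """AUTH LOGIN sends user and password as two separate base64 lines."""
    return (base64.b64decode(b64_user).decode(),
            base64.b64decode(b64_password).decode())


def parse_session(transcript):
    """Turn a 'C: ...' / 'S: ...' capture into (direction, line) pairs."""
    return [(raw[0], raw[3:]) for raw in transcript.splitlines()
            if raw[:3] in ("C: ", "S: ")]


def recover_credentials(transcript):
    """(mechanism, user, password) if the capture exposes a login, or None if
    no AUTH appeared in clear text (for instance because STARTTLS came first)."""
    client = [line for who, line in parse_session(transcript) if who == "C"]
    for n, line in enumerate(client):
        words = line.split()
        cmd = words[0].upper() if words else ""
        if cmd == "STARTTLS":
            return None  # everything after this is encrypted
        if cmd != "AUTH" or len(words) < 2:
            continue
        mech = words[1].upper()
        following = client[n + 1:]  # the client's later lines
        if mech == "PLAIN":
            # initial response on the AUTH line, or sent after the 334 prompt
            blob = words[2] if len(words) >= 3 else (following[0] if following else None)
            if blob:
                _, user, password = decode_auth_plain(blob)
                return ("PLAIN", user, password)
        if mech == "LOGIN" and len(following) >= 2:
            # the server prompts base64("Username:") then base64("Password:");
            # the next two client lines are the answers
            user, password = decode_auth_login(following[0], following[1])
            return ("LOGIN", user, password)
    return None


if __name__ == "__main__":
    print("plain-text session:", recover_credentials(PLAINTEXT_SESSION))
    print("STARTTLS session:  ", recover_credentials(TLS_SESSION))
    print("what a client sends:", auth_plain_line("alice@example.com", "s3cr3t!"))
```

This is also the reason SMTPAUTH="TLSREQUIRED" is worth enforcing server-side rather than relying on each user's client settings: a client configured for "TLS if available" will fall back to the plain-text exchange on the first session where a man-in-the-middle strips the 250-STARTTLS line.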

Saturday, October 4, 2008

QMAIL-LDAP + AD INTEGRATE

========================================
QMAIL-LDAP + AD INTEGRATE
========================================


* Objective

Authenticate qmail-ldap users against a Windows AD server.

* System tested

Windows 2003 Server with SP2
OpenSuse Linux-10.2 and Ubuntu 6.10
qmail-ldap-1.03-20060201.patch

* Install process

First install Windows 2003 Server and, once the installation has finished, install SFU (Microsoft Services for Unix) with NIS support.
Then add a new user in AD, open the new "UNIX Attributes" tab, choose the domain and click OK.
Finally set the user's password again: the Unix (NIS) password attribute that the patch below reads is only populated when the password is set after the Unix attributes exist.

FINISH :-)


Now on your Linux system follow the steps at http://www.qmail-ldap.org/wiki/Full_Installation_Guide.
In the "Basic Qmail Installation" step, after applying the qmail-ldap patch:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
cd /usr/local/src
wget http://200.4.48.8/pub/mail-tools/qmail/dist/qmail-1.03.tar.gz
wget http://www.nrg4u.com/qmail/qmail-ldap-1.03-20060201.patch.gz
tar xvfz qmail-1.03.tar.gz
cd qmail-1.03
zcat ../qmail-ldap-1.03-20060201.patch.gz | patch -p1
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Apply my patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
cd /usr/local/src/qmail-1.03
patch -p1 < /var/src/qmail-ad.patch
patching file Makefile
patching file qmail-ldap.h
patching file qmail-ldaplookup.c
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


And continue with the steps from the site.

Finish :D


-----------------------------------------------------------
My control files (my domain is test.com). Note that ldaplogin and ldappassword hold a real bind account and its password in clear text, so keep those files readable only by the qmail users; the example binds as the domain Administrador, but a dedicated account with read access to the Users container is all the lookup needs.

ldapbasedn
cn=Users,dc=test,dc=com

ldapdefaultdotmode
both

ldaplogin
cn=Administrador,cn=Users,dc=test,dc=com

ldapmessagestore
/home/vmail

ldapobjectclass
User

ldappassword
mypass

ldapserver (IP address of the AD server)
192.168.2.11

ldapuid
11184

ldapgid
2110
---------------------------------------------------------
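To see what these control files, combined with the attribute mapping in qmail-ad.patch below, make qmail-ldap do at login time, here is an added example in Python; it is not qmail-ldap's code, which does the same in C in qmail-ldaplookup and the auth_* programs. It builds the search filter (escaping the login name, which arrives from the network), resolves a login against a constructed copy of the Users container, and decides the account status from the userAccountControl bits rather than by comparing the attribute with fixed strings, which is where a value like 66050 (disabled plus password never expires) would otherwise fall through. The directory entries are made up, no server is contacted, and the assumption that qmail-ldap appends a relative mailMessageStore value onto ldapmessagestore is the example's own.

```python
"""What the lookup configured by the control files above amounts to, with
AD's userAccountControl handled as the bitmask it is.

Added example, not qmail-ldap code: it uses the attribute names from
qmail-ad.patch (login = mail, status = userAccountControl, mailbox directory =
sAMAccountName) and the control-file values from the post.  The directory
entries are constructed and no LDAP server is contacted; joining a relative
mailbox name onto ldapmessagestore is this example's assumption.
"""
LDAP_BASEDN = "cn=Users,dc=test,dc=com"   # ldapbasedn
LDAP_MESSAGESTORE = "/home/vmail"          # ldapmessagestore
LDAP_OBJECTCLASS = "User"                  # ldapobjectclass
LDAP_UID = "mail"                          # LDAP_UID after the patch
LDAP_ISACTIVE = "userAccountControl"       # LDAP_ISACTIVE after the patch
LDAP_MAILSTORE = "sAMAccountName"          # LDAP_MAILSTORE after the patch

# userAccountControl flag bits (ADS_USER_FLAG_*)
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200       # 512
UF_DONT_EXPIRE_PASSWD = 0x10000  # 65536; 512 + 65536 = 66048

# Constructed directory: DN -> attributes.  Password hashes are placeholders.
DIRECTORY = {
    "cn=alice,cn=Users,dc=test,dc=com": {
        "objectClass": ["top", "person", "user"], "sAMAccountName": "alice",
        "mail": "alice@test.com", "userAccountControl": "66048",
        "msSFU30Password": "<crypt hash>"},
    "cn=bob,cn=Users,dc=test,dc=com": {
        "objectClass": ["top", "person", "user"], "sAMAccountName": "bob",
        "mail": "bob@test.com", "userAccountControl": "66050",
        "msSFU30Password": "<crypt hash>"},
    "cn=ws01,cn=Computers,dc=test,dc=com": {
        "objectClass": ["top", "computer"], "sAMAccountName": "ws01$",
        "mail": "ws01@test.com", "userAccountControl": "4096"},
}


def ldap_escape(value):
    """RFC 4515 escaping for a value embedded in a search filter.

    The login name arrives over SMTP AUTH or POP, i.e. from the network, so it
    must not be able to alter the filter's structure (LDAP injection)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\0" else c for c in value)


def lookup_filter(login):
    """The filter the lookup reduces to with ldapobjectclass=User and uid=mail."""
    return "(&(objectClass=%s)(%s=%s))" % (LDAP_OBJECTCLASS, LDAP_UID, ldap_escape(login))


def account_status(uac):
    """Map userAccountControl to qmail-ldap's status words.

    qmail-ad.patch compares the attribute as a string with "512", "514" and
    "66048"; testing the bits instead also classifies 66050 (disabled, password
    never expires) and every other flag combination."""
    uac = int(uac)
    if not uac & UF_NORMAL_ACCOUNT:
        return "undef"      # computer and trust accounts: not a mail user
    if uac & UF_ACCOUNTDISABLE:
        return "disabled"   # bounce, like ISACTIVE_BOUNCE
    return "active"


def find_account(login):
    """Resolve a login the way the configured lookup would: search under
    ldapbasedn for objectClass=User with mail=login, then derive status and
    mailbox directory.  Returns None when nothing matches."""
    want = LDAP_OBJECTCLASS.lower()
    for dn, attrs in DIRECTORY.items():
        if not dn.lower().endswith("," + LDAP_BASEDN.lower()):
            continue  # outside the search base
        if want not in (oc.lower() for oc in attrs["objectClass"]):
            continue
        if attrs.get(LDAP_UID, "").lower() != login.lower():
            continue  # AD attribute matching is case-insensitive
        return {
            "dn": dn,
            "status": account_status(attrs[LDAP_ISACTIVE]),
            "maildir": "%s/%s" % (LDAP_MESSAGESTORE, attrs[LDAP_MAILSTORE]),
            "password_attr": attrs.get("msSFU30Password"),
        }
    return None


if __name__ == "__main__":
    print(lookup_filter("alice@test.com"))
    print(lookup_filter("*)(mail=*"))  # injection attempt, neutralised
    for login in ("alice@test.com", "bob@test.com", "ws01@test.com"):
        print(login, "->", find_account(login))
```

The password_attr field is there to make one consequence of the mapping visible: whatever account ldaplogin names is reading every user's Unix password hash out of AD, so it should be a read-only account and the connection to the ldapserver address should be protected rather than plain LDAP.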

Patch qmail-ad.patch

diff -uNr qmail-1.03.Ori/Makefile /var/src/qmail-1.03.ORI/Makefile
--- qmail-1.03.Ori/Makefile 2007-04-05 06:19:17.000000000 -0300
+++ /var/src/qmail-1.03.ORI/Makefile 2007-03-07 15:46:34.000000000 -0300
@@ -19,7 +19,7 @@
# -DQMQP_COMPRESS to use the QMQP on the fly compression (for clusters)
# -DQUOTATRASH to include the Trash in the quota calculation (normaly it is not)
# -DSMTPEXECCHECK to enable smtp DOS/Windows executable detection
-#LDAPFLAGS=-DQLDAP_CLUSTER -DEXTERNAL_TODO -DDASH_EXT -DDATA_COMPRESS -DQMQP_COMPRESS -DSMTPEXECCHECK
+LDAPFLAGS=-DQLDAP_CLUSTER -DEXTERNAL_TODO -DDASH_EXT -DDATA_COMPRESS -DQMQP_COMPRESS -DSMTPEXECCHECK -DALTQUEUE

# Perhaps you have different ldap libraries, change them here
LDAPLIBS=-L/usr/local/lib -lldap -llber
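Review bot: the `+LDAPFLAGS=...` line mixes site-specific build options into a patch that is supposed to be about Active Directory: -DQLDAP_CLUSTER, -DEXTERNAL_TODO and -DQMQP_COMPRESS are cluster features, and -DALTQUEUE is not among the flags described in the comment block just above it. Keep the AD attribute mapping and the build settings apart, and document which of these flags, if any, the AD setup actually depends on.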
@@ -33,7 +33,7 @@
#LDAPINCLUDES=-I/opt/OpenLDAP/include

# ZLIB needed for -DDATA_COMPRESS and -DQMQP_COMPRESS
-#ZLIB=-lz
+ZLIB=-lz
# or you installed zlib in a different path you can use something like this
#ZLIB=-L/opt/zlib/lib -lz
#ZINCLUDES=-I/opt/zlib/include
@@ -43,13 +43,13 @@
# use -DTLS_REMOTE to enable tls support in qmail-remote
# use -DTLS_SMTPD to enable tls support in qmail-smtpd
# use -DTLSDEBUG to enable additional tls debug information in qmail-remote
-#TLS=-DTLS_REMOTE -DTLS_SMTPD
+TLS=-DTLS_REMOTE -DTLS_SMTPD
# Path to OpenSSL includes
-#TLSINCLUDES=-I/usr/local/include
+TLSINCLUDES=-I/usr/local/include
# Path to OpenSSL libraries
-#TLSLIBS=-L/usr/local/lib -lssl -lcrypto
+TLSLIBS=-L/usr/local/lib -lssl -lcrypto
# Path to OpenSSL binary
-#OPENSSLBIN=/usr/local/bin/openssl
+OPENSSLBIN=/usr/bin/openssl
#OPENSSLBIN=openssl

# to make the Netscape download progress bar work with qmail-pop3d
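Review bot: the OpenSSL locations in this hunk contradict each other: `+OPENSSLBIN=/usr/bin/openssl` uses the distribution's binary while `+TLSINCLUDES=-I/usr/local/include` and `+TLSLIBS=-L/usr/local/lib -lssl -lcrypto` build against a /usr/local install. On the OpenSuse 10.2 and Ubuntu 6.10 hosts listed under "System tested" the packaged OpenSSL is under /usr, so use one location for all three; a header/library mismatch with a separately installed OpenSSL tends to surface only when TLS or auth fails at runtime.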
@@ -57,13 +57,13 @@
MNW=-DMAKE_NETSCAPE_WORK

# to enable the auto-maildir-make feature uncomment the next line
-#MDIRMAKE=-DAUTOMAILDIRMAKE
+MDIRMAKE=-DAUTOMAILDIRMAKE

# to enable the auto-homedir-make feature uncomment the next line
-#HDIRMAKE=-DAUTOHOMEDIRMAKE
+HDIRMAKE=-DAUTOHOMEDIRMAKE

# on most systems we need this to make auth_pop and auth_imap
-#SHADOWLIBS=-lcrypt
+SHADOWLIBS=-lcrypt
# OpenBSD and other Systems do not have libcrypt, so comment the line out
# if you get linking problems.
# To use shadow passwords under some Linux OS, uncomment the next two lines.
@@ -73,7 +73,7 @@

# to enable the possibility to log and debug imap and pop uncoment the
# next line
-#DEBUG=-DDEBUG
+DEBUG=-DDEBUG
# WARNING: you need a NONE DEBUG auth_* to run with inetd

# for profiling ...
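Review bot: `+DEBUG=-DDEBUG` turns on the imap/pop debug build in a patch meant for deployment; the Makefile's own warning two lines below ("you need a NONE DEBUG auth_* to run with inetd") shows this is a development setting, and verbose output from the auth programs is the last thing to leave enabled on a host that now authenticates domain users. Drop it from the patch and enable it locally when needed.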
diff -uNr qmail-1.03.Ori/qmail-ldap.h /var/src/qmail-1.03.ORI/qmail-ldap.h
--- qmail-1.03.Ori/qmail-ldap.h 2007-04-05 06:19:17.000000000 -0300
+++ /var/src/qmail-1.03.ORI/qmail-ldap.h 2007-03-07 15:46:32.000000000 -0300
@@ -93,11 +93,11 @@
ldap variables used in qmail-lspawn and auth_*
*********************************************************************/
#define LDAP_MAIL "mail"
-#define LDAP_MAILALTERNATE "mailAlternateAddress"
+#define LDAP_MAILALTERNATE "otherMailbox"
#define LDAP_QMAILUID "qmailUID"
#define LDAP_QMAILGID "qmailGID"
-#define LDAP_MAILSTORE "mailMessageStore"
-#define LDAP_HOMEDIR "homeDirectory"
+#define LDAP_MAILSTORE "sAMAccountName"
+#define LDAP_HOMEDIR "NOhomeDirectory"
#define LDAP_QUOTA "mailQuota"
#define LDAP_QUOTA_SIZE "mailQuotaSize"
#define LDAP_QUOTA_COUNT "mailQuotaCount"
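Review bot: `+#define LDAP_MAILSTORE "sAMAccountName"` and `+#define LDAP_HOMEDIR "NOhomeDirectory"` need a comment explaining the trick: the first makes the mailbox directory name come straight from the AD account name, and the second points the home-directory lookup at an attribute that does not exist so that it is never used. A reader of qmail-ldap.h a year from now will not guess that. Likewise `+#define LDAP_MAILALTERNATE "otherMailbox"` deserves a note on why otherMailbox was chosen over proxyAddresses, the attribute AD normally carries additional addresses in.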
@@ -108,10 +108,10 @@
#define LDAP_MODE "deliveryMode"
#define LDAP_REPLYTEXT "mailReplyText"
#define LDAP_DOTMODE "qmailDotMode"
-#define LDAP_UID "uid"
-#define LDAP_PASSWD "userPassword"
+#define LDAP_UID "mail"
+#define LDAP_PASSWD "msSFU30Password"
#define LDAP_OBJECTCLASS "objectClass"
-#define LDAP_ISACTIVE "accountStatus"
+#define LDAP_ISACTIVE "userAccountControl"
#define LDAP_PURGE "qmailAccountPurge"

#define DOTMODE_LDAPONLY "ldaponly"
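Review bot: `+#define LDAP_ISACTIVE "userAccountControl"` turns a bitmask into the status attribute, but the constants it is compared against in the next hunk are whole values ("512", "514", "66048"), so any other flag combination, e.g. a disabled account whose password never expires (66050), matches neither the active nor the bounce case. Test the ACCOUNTDISABLE bit (0x2) numerically instead of comparing strings. Also worth stating next to `+#define LDAP_PASSWD "msSFU30Password"`: the bind account in ldaplogin now reads every user's Unix password hash over the LDAP connection, so that account should be read-only and the connection to the ldapserver address should not be unencrypted LDAP.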
@@ -132,10 +132,11 @@
#define MODE_PROG "program"
#define MODE_NOREPLY "noreply"

-#define ISACTIVE_BOUNCE "disabled"
+#define ISACTIVE_BOUNCE "514"
#define ISACTIVE_DELETE "deleted"
#define ISACTIVE_NOACCESS "noaccess"
-#define ISACTIVE_ACTIVE "active"
+#define ISACTIVE_ACTIVE "512"
+#define ISACTIVE_ACTIVE_AD "66048"

/*********************************************************************
ldap variables used in qmail-group
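Review bot: `+#define ISACTIVE_ACTIVE_AD "66048"` is defined but nothing in the visible patch uses it; the only other file touched, qmail-ldaplookup.c, prints ISACTIVE_ACTIVE and ISACTIVE_BOUNCE. Unless qmail-ldap's status check is patched too, 66048 (normal account, password never expires, the common case for a mail user) will not be recognised as active. Either include that change in the patch or drop the unused constant, and note that with `+#define ISACTIVE_BOUNCE "514"` next to ISACTIVE_DELETE and ISACTIVE_NOACCESS still being the words "deleted" and "noaccess", those two states can never match a numeric userAccountControl value.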
diff -uNr qmail-1.03.Ori/qmail-ldaplookup.c /var/src/qmail-1.03.ORI/qmail-ldaplookup.c
--- qmail-1.03.Ori/qmail-ldaplookup.c 2007-04-05 06:19:17.000000000 -0300
+++ /var/src/qmail-1.03.ORI/qmail-ldaplookup.c 2007-03-07 15:46:33.000000000 -0300
@@ -321,16 +321,16 @@
if (r != OK) fail(q, "qldap_get_status", r);
switch (status) {
case STATUS_BOUNCE:
- output(subfdout, "%s: %s\n",
- LDAP_ISACTIVE, ISACTIVE_BOUNCE);
+ output(subfdout, "%s: %s %s\n",
+ LDAP_ISACTIVE, ISACTIVE_BOUNCE, "=> disabled");
break;
case STATUS_NOACCESS:
output(subfdout, "%s: %s\n",
LDAP_ISACTIVE, ISACTIVE_NOACCESS);
break;
case STATUS_OK:
- output(subfdout, "%s: %s\n",
- LDAP_ISACTIVE, ISACTIVE_ACTIVE);
+ output(subfdout, "%s: %s %s\n",
+ LDAP_ISACTIVE, ISACTIVE_ACTIVE, "=>active");
break;
case STATUS_UNDEF:
output(subfdout, "%s: %s\n", LDAP_ISACTIVE,
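Review bot: the two annotations are inconsistent: `"=> disabled"` has a space after the arrow and `"=>active"` does not. Since LDAP_ISACTIVE now holds a number, printing the decoded flag names (disabled, normal account, password never expires) next to the raw value would be more useful than a single word, and would also cover the STATUS_UNDEF branch below, which still prints the attribute without explanation for any value the constants do not list.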