May 16, 2013
 

I recently ran into an issue configuring HTTP Basic authentication against Active Directory using Apache httpd. What was happening was that I’d get a 500 Internal Server Error page every time I hit a location that required Basic authentication. There wasn’t anything useful in the logs, and I started playing around with the configuration (which, I must point out, was correct in a way). After about two hours of trial I finally figured out the problem — there appears to be some sort of bug either in the OpenLDAP libraries, Apache httpd, or Active Directory itself, when Apache was trying to connect to AD via LDAP. I found this only appeared when I had my search base configured to be the top-level DN of my Active Directory. Changing the search base to an OU lower also resolved the problem, but I couldn’t do that because I have users across several OUs off the top of the DIT. The solution I came up with was to connect to port 3268, the Global Catalog, rather than the normal port of 389.

Here’s my mod_authnz_ldap configuration settings:

Hope that helps!
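The change described in this post, as an added example that is not the author's original configuration (which is not reproduced on this page). It assumes httpd 2.4; the host name, DNs, bind account and protected path are placeholders.

```apache
# Added example; dc1.example.com, the DNs and svc-httpd are placeholders.
<Location "/protected">
    AuthType Basic
    AuthName "Active Directory login"
    AuthBasicProvider ldap

    # Before: standard LDAP port with the search base at the top of the
    # directory. This is the combination the post reports as returning a 500.
    # AuthLDAPURL "ldap://dc1.example.com:389/DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"

    # After: same top-level search base, queried through the Global Catalog.
    AuthLDAPURL "ldap://dc1.example.com:3268/DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"

    # Service account used to search for the user's DN before the user bind.
    AuthLDAPBindDN "CN=svc-httpd,OU=Service Accounts,DC=example,DC=com"
    AuthLDAPBindPassword "REPLACE_ME"

    Require valid-user
</Location>

# While testing, raise logging for the LDAP modules so the underlying
# LDAP error shows up in error_log instead of a bare 500.
LogLevel authnz_ldap:debug ldap:debug
```

Port 3268 carries the service-account and user binds in clear text, as does 389 without StartTLS; the Global Catalog's TLS port is 3269 (`ldaps://`), which requires httpd to trust the domain controller's CA. Basic authentication itself should only be offered on an HTTPS virtual host.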

Jul 18, 2012
 

It’s been a while since I left you with my last pearl of wisdom. A couple months ago, I presented a couple methods for authenticating to Active Directory using winbind and for authenticating using the LDAP interface. In more recent versions of CentOS and RHEL, there is a new method for retrieving user information and authenticating – SSS, the System Security Service, which runs as sssd. SSS was devised by Red Hat as a replacement for the various nss and PAM modules and it seems like they did a halfway decent job with it.

SSS acts as a replacement for the various PADL, Samba winbind, and other ldap and AD based pam and nss modules.  In addition to consolidating several nss and authentication types, there are a couple other advantages, including one unified configuration file and offline authentication, as well as access control.


Mar 24, 2012
 

I’ve posted some new packages for php 5.4 in the TechRockDo yum repository.  I originally had uploaded some under the php package name.  To avoid confusion with doing an update from 5.3 straight to 5.4, I’ve since renamed them as php54.  The original packages can be found under the deprecated tree of the repository.

Repoview packages for the various RHEL versions and architectures are listed below:

If you want to install and use these packages, just run

Feb 22, 2012
 

I’ve built and uploaded several new packages and uploaded them to the TechRockDo Yum Repository.    In case you missed the previous post, you can use the TechRockDo Yum Repository by issuing the following command (use the correct one based on your version of RHEL/Cent and your system architecture):

or

The following packages have been added:

Jan 18, 2012
 

The TechRockDo yum repository has been created as a place to hold all rpm’s that I roll and use.  I’m making them available to the public; I hope you find everything you find here useful.  For now, only CentOS and RHEL 6 are supported.  There are channels for both 32- and 64-bit architectures.  To use the repository, just install the trd-release package for your architecture:

This will install the yum repository definition and the GPG key.  After that, you’ll be able to use the repository just like any other.

Enjoy!

Dec 30, 2011
 

A while back, I described a method for authenticating CentOS and RHEL servers to Active Directory using LDAP.  While this approach is easy to set up and works right out of the gate, there are a few drawbacks to it that I’ve run across:

  • Changing passwords from the Linux server does not work unless you set up LDAP over TLS/SSL, which I’ve found very difficult (though not impossible!) to accomplish
  • While changing the passwords does work, it can be very user unfriendly.  In particular error messages given are very cryptic to the lay user.  Unless you are in IT, you’re not going to know or care about the LDAP error codes that are reported back, nor are you going to want to research what the appropriate character classes are for the AD passwords so that you can choose from at least three of them appropriately.

In this article, I’ll describe how to use winbind to join your Linux server to a Microsoft Active Directory and become a domain member.


Sep 21, 2011
 

For the past few weeks, I’ve been spinning my wheels trying to get CentOS 6 to use Active Directory (Windows 2008 R2-based) for user information and authentication. I currently am using LDAP for these purposes, but in the interest of moving towards a more centralized environment am working towards having all of the UNIX and Linux hosts use AD as a central repository for user information and authentication. This can be done relatively easily and can be done a couple of different ways that I will outline for you here.


Jul 19, 2011
 

A new TLF yum repository has been created for Red Hat Enterprise Linux 6-based distributions (i.e. CentOS 6). As of right now, there is only a 64-bit repo. 32-bit packages are forthcoming. php 5.3.6 packages are available here by running the following set of commands:

There are several php packages available and the above yum command is only an example if you wanted to install php, the cli, and the mysql and mbstring extensions. The extensions you need will be based upon your usage.

Jul 10, 2011
 

The Linux Fix yum repository has been updated with new rpm’s for the tlf-release package and for php version 5.3.6.  The new tlf-release package includes changes to the layout of the yum repository, including splitting off a separate 32-bit and 64-bit repo.  You can read the release notes for php 5.3.6 here.

You may install or update the TLF repository with the following command:

Note that this command will work on 64-bit architectures as well.  I also need to repeat the disclaimer that using any of the database extensions for this version of php will also update sqlite to version 3.6.20, which replaces some pretty core functionality of RHEL and CentOS, so please use them at your own risk.

 

Apr 05, 2011
 

One of the most frustrating things about using Red Hat Enterprise Linux or CentOS in an enterprise environment, in my opinion, is maintaining updates on hosts that are supposed to be identical and are in different environments, like dev, test, and production.  In the past, I’d roll out patches to my dev server, run yum update (or up2date) on my test servers, and then do the same in production.  By the time I got through with production, dev and test would be off a bit and production would generally have at least a dozen rpm’s that were newer than their dev and test counterparts.  This is attributed to the frequency with which bug fixes, security, and other errata are released for these distributions.  In an enterprise environment with auditing requirements in place, this can cause a real pain in the neck.

This is the first reason I started testing out Spacewalk.  Spacewalk is the upstream project for Red Hat Network Satellite, which allows you, for all intents and purposes, to have an RHN install right in your own datacenter.  The benefit that added to me originally was simply being able to choose a cut off date for syncing patches, apply those patches to my systems, then resume syncing again.  This ensures all of my systems have the same package version.  If you’re familiar with Red Hat Network at all, you’ll know that there is a lot of gravy too.  It lets you work with groups of servers, create custom channels, provision servers, execute remote commands, manage configuration files on clients, provision new hosts, and monitor clients as well.  There is a web-based API that leverages XML RPC that you can script against.

It took a lot of work up front to get set up, but it’s getting to the point where managing the systems is a breeze. In my opinion, Spacewalk is still a little buggy, but as of version 1.3, which is current at the time of this writing, stability and functionality have increased dramatically since I started working with version 0.6. If you’re looking for a way to manage your Linux systems (including Red Hat Enterprise, CentOS, Scientific, or Debian), I highly suggest taking a look at Spacewalk.