Monday, 22 February 2021

Linux Admin - Install Anonymous FTP

Before delving into installing FTP on CentOS, we need to learn a little about its use and security. FTP is an efficient and well-refined protocol for transferring files between computer systems, and it has been in use and refined for a few decades now. For transferring files over a network with latency, or for sheer speed, FTP is a great choice, more so than either SAMBA or SMB.

However, FTP does have some security issues, and serious ones: FTP uses a weak plain-text authentication method. For this reason, authenticated sessions should rely on SFTP or FTPS instead, where the login and transfer sessions are encrypted end-to-end (TLS in the case of FTPS).

With the above caveats, plain old FTP still has its uses in the business environment today. The main one is anonymous FTP file repositories: situations where no authentication is warranted to download or upload files. Some examples of anonymous FTP use are −

  • Large software companies still use anonymous ftp repositories allowing Internet users to download shareware and patches.

  • Allowing internet users to upload and download public documents.

  • Some applications will automatically send encrypted, archived logs or configuration files to a repository via FTP.

Hence, being able to install and configure FTP is still a desired skill for a CentOS Administrator.

We will be using an FTP daemon called vsFTPd, or Very Secure FTP Daemon. vsFTPd has been in development for a while and has a reputation for being secure, easy to install and configure, and reliable.

Step 1 − Install vsFTPd with the YUM Package Manager.

[root@centos]# yum -y install vsftpd.x86_64

Step 2 − Configure vsFTP to Start on Boot with systemctl.

[root@centos]# systemctl start vsftpd 
[root@centos]# systemctl enable vsftpd 
Created symlink from /etc/systemd/system/multi-user.target.wants/vsftpd.service to /usr/lib/systemd/system/vsftpd.service.

Step 3 − Configure FirewallD to allow FTP control and transfer sessions.

[root@centos]# firewall-cmd --add-service=ftp --permanent 
success 
[root@centos]#

Make sure our FTP daemon is running.

[root@centos]# netstat -antup | grep vsftp 
tcp6       0       0 :::21       :::*       LISTEN       13906/vsftpd         
[root@centos]#

Step 4 − Configure vsFTPD For Anonymous Access.

Create a root FTP directory

[root@centos]# mkdir /ftp

Change the owner and group of the FTP root to ftp

[root@centos]# chown ftp:ftp /ftp

Set minimal permissions for the FTP root:

[root@centos]# chmod -R 666 /ftp/

[root@centos]# ls -ld /ftp/
drw-rw-rw-. 2 ftp ftp 6 Feb 27 02:01 /ftp/

[root@centos]#

In this case, we gave all users read/write access to the entire FTP root tree. Note that a directory also needs the execute (search) bit before anyone can change into it; mode 666 as shown above does not set it, so the directory cannot be entered until an execute bit is added.

Configure /etc/vsftpd/vsftpd.conf

[root@centos]# vim /etc/vsftpd/vsftpd.conf
# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.

We will want to change the following directives in the vsftpd.conf file. Note that vsFTPd does not accept spaces around "=" in this file.

  • Enable anonymous uploading by uncommenting anon_mkdir_write_enable=YES

  • Make uploaded files owned by the system ftp user:

    chown_uploads=YES

    chown_username=ftp

  • Change the unprivileged system user vsFTPd runs as to the ftp user: nopriv_user=ftp

  • Set the custom banner the user sees before signing in:

    ftpd_banner=Welcome to our Anonymous FTP Repo. All connections are monitored and logged.

  • Accept IPv4 connections only −

    listen=YES

    listen_ipv6=NO
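The following added shell helper (not part of this tutorial) audits an anonymous vsFTPd setup like the one above. It reads a vsftpd.conf, prints the effective anonymous-access directives, and flags two mistakes that are easy to make when following these steps: directive lines written with spaces around "=", which vsFTPd refuses at startup, and an FTP root directory without an execute bit, which no client can enter. The config path, directory and sample directives are constructed for the demonstration.

```shell
#!/bin/sh
# Added audit helper for an anonymous vsFTPd setup (not from the tutorial).
#  - vsftpd_get         : effective value of a directive (last one wins)
#  - vsftpd_bad_spacing : count lines written "key = value" (vsftpd rejects them)
#  - dir_enterable      : does the FTP root carry an execute (search) bit?
#  - vsftpd_anon_report : print the settings and any warnings

# vsftpd_get CONF KEY : print the last value set for KEY, or "(default)".
vsftpd_get() {
    val=$(grep -E "^$2=" "$1" | tail -n 1 | cut -d= -f2-)
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '(default)\n'; fi
}

# vsftpd_bad_spacing CONF : count non-comment lines with whitespace around "=".
vsftpd_bad_spacing() {
    grep -v '^[[:space:]]*#' "$1" | grep -E -c '^[^=]*[[:space:]]=|=[[:space:]]' || true
}

# dir_enterable DIR : succeed if DIR has at least one execute bit (from ls -ld).
dir_enterable() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in d*x*) return 0 ;; *) return 1 ;; esac
}

# vsftpd_anon_report CONF DIR : print settings and warnings; returns warning count.
vsftpd_anon_report() {
    conf="$1"; root="$2"; warn=0
    for k in anonymous_enable anon_mkdir_write_enable chown_uploads \
             chown_username nopriv_user listen listen_ipv6; do
        printf '%-24s %s\n' "$k" "$(vsftpd_get "$conf" "$k")"
    done
    bad=$(vsftpd_bad_spacing "$conf")
    if [ "$bad" -gt 0 ]; then
        echo "WARN: $bad line(s) use 'key = value'; vsftpd rejects whitespace around '='"
        warn=$((warn + 1))
    fi
    if ! dir_enterable "$root"; then
        echo "WARN: $root has no execute bit; clients cannot change into it (chmod 666 is not enough)"
        warn=$((warn + 1))
    fi
    return $warn
}

# Constructed demonstration: the tutorial's directives, two of them written
# with spaces, and an FTP root created with chmod 666.
demo_vsftpd_audit() {
    tmp=$(mktemp -d)
    cat > "$tmp/vsftpd.conf" <<'EOF'
# constructed sample config, not a real server's file
anonymous_enable=YES
anon_mkdir_write_enable=YES
chown_uploads = YES
chown_username = ftp
nopriv_user=ftp
ftpd_banner=Welcome to our Anonymous FTP Repo. All connections are monitored and logged.
listen=YES
listen_ipv6=NO
EOF
    mkdir "$tmp/ftp" && chmod 666 "$tmp/ftp"
    vsftpd_anon_report "$tmp/vsftpd.conf" "$tmp/ftp" || true
    chmod 755 "$tmp/ftp"
    rm -rf "$tmp"
}

demo_vsftpd_audit
```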

Now, we need to restart or HUP the vsftpd service to apply our changes.

[root@centos]# systemctl restart vsftpd

Let's connect to our FTP host and make sure our FTP daemon is responding.

[root@centos rdc]# ftp 10.0.4.34 
Connected to localhost (10.0.4.34). 
220 Welcome to our Anonymous FTP Repo. All connections are monitored and logged. 
Name (localhost:root): anonymous 
331 Please specify the password. 
Password: 
230 Login successful. 
Remote system type is UNIX. 
Using binary mode to transfer files. 
ftp>

Set Up Postfix MTA and IMAP/POP3

In order to send email from our CentOS 7 server, we will need to set up and configure a modern Mail Transfer Agent (MTA). A Mail Transfer Agent is the daemon responsible for sending outbound mail for system users or corporate Internet domains via SMTP.

It is worth noting, this tutorial only teaches the process of setting up the daemon for local use. We do not go into detail about advanced configuration for setting up an MTA for business operations. This is a combination of many skills including but not limited to: DNS, getting a static routable IP address that is not blacklisted, and configuring advanced security and service settings. In short, this tutorial is meant to familiarize you with the basic configuration. Do not use this tutorial for MTA configuration of an Internet facing host.

With its combined focus on security and ease of administration, we have chosen Postfix as the MTA for this tutorial. The default MTA installed in older versions of CentOS is Sendmail. Sendmail is a great MTA; however, in the author's humble opinion, Postfix hits a sweet spot on the points noted below. With the most current version of CentOS, Postfix has superseded Sendmail as the default MTA.

Postfix is a widely used and well documented MTA. It is actively maintained and developed, requires minimal configuration (this is just email), and is efficient with system resources (again, this is just email).

Step 1 − Install Postfix from YUM Package Manager.

[root@centos]# yum -y install postfix

Step 2 − Configure Postfix config file.

The Postfix configuration file is located in: /etc/postfix/main.cf

In a simple Postfix configuration, the following must be configured for a specific host: host name, domain, origin, inet_interfaces, and destination.

Configure the hostname − The hostname is the fully qualified domain name of the Postfix host. In the OpenLDAP chapter, we named the CentOS box centos on the domain vmnet.local. Let's stick with that for this chapter.

# The myhostname parameter specifies the internet hostname of this
# mail system. The default is to use the fully-qualified domain name
# from gethostname(). $myhostname is used as a default value for many
# other configuration parameters.
#
myhostname = centos.vmnet.local

Configure the domain − As stated above, the domain we will be using in this tutorial is vmnet.local

# The mydomain parameter specifies the local internet domain name.
# The default is to use $myhostname minus the first component.
# $mydomain is used as a default value for many other configuration
# parameters.
#
mydomain = vmnet.local

Configure the origin − For a single server and domain setup, we just need to uncomment the following lines and leave the default Postfix variables. When a parameter appears twice in main.cf, Postfix uses the last definition, so myorigin ends up as $mydomain here.

# SENDING MAIL
#
# The myorigin parameter specifies the domain that locally-posted
# mail appears to come from. The default is to append $myhostname,
# which is fine for small sites.  If you run a domain with multiple
# machines, you should (1) change this to $mydomain and (2) set up
# a domain-wide alias database that aliases each user to
# user@that.users.mailhost.
#
# For the sake of consistency between sender and recipient addresses,
# myorigin also specifies the default domain name that is appended
# to recipient addresses that have no @domain part. 
#
myorigin = $myhostname
myorigin = $mydomain

Configure the network interfaces − We will leave Postfix listening on our single network interface and all protocols and IP Addresses associated with that interface. This is done by simply leaving the default settings enabled for Postfix.

# The inet_interfaces parameter specifies the network interface
# addresses that this mail system receives mail on.  By default,
# the software claims all active interfaces on the machine. The
# parameter also controls delivery of mail to user@[ip.address].
#
# See also the proxy_interfaces parameter, for network addresses that
# are forwarded to us via a proxy or network address translator.
#
# Note: you need to stop/start Postfix when this parameter changes. 
#
#inet_interfaces = all
#inet_interfaces = $myhostname
#inet_interfaces = $myhostname, localhost
#inet_interfaces = localhost
# Enable IPv4, and IPv6 if supported
inet_protocols = all

Step 3 − Configure SASL Support for Postfix.

Without SASL authentication support, Postfix will only accept mail for sending from local users; anyone else gets a relaying denied error when sending email to addresses outside the local domain.

Note − SASL, the Simple Authentication and Security Layer, is a framework for authentication that supports different mechanisms across different application-layer protocols. Instead of leaving authentication up to each application-layer protocol, SASL lets developers (and consumers) reuse existing authentication mechanisms for higher-level protocols that lack convenient or sufficiently secure authentication of their own.

Install the cyrus-sasl package

[root@centos]# yum -y install  cyrus-sasl 
Loaded plugins: fastestmirror, langpacks 
Loading mirror speeds from cached hostfile 
 * base: repos.forethought.net 
 * extras: repos.dfw.quadranet.com 
 * updates: mirrors.tummy.com 
Package cyrus-sasl-2.1.26-20.el7_2.x86_64 already installed and latest version
Nothing to do

Configure /etc/postfix/main.cf for SASL Auth (a line that starts with whitespace continues the previous parameter)

smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions =
    permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

My SASL options in main.cf

##Configure SASL Options Entries:
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions =
    permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
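As an added check (my own, not from the tutorial and not postconf), this helper reads main.cf the way Postfix does, with continuation lines and last-definition-wins, and warns about SASL mistakes that Postfix itself will not stop: a misspelled smptd_ name, which Postfix only logs as an unused parameter, and the smtp_sasl_* names, which are valid client-side parameters and therefore draw no warning at all. The sample main.cf contents are constructed.

```shell
#!/bin/sh
# Added main.cf checker for the SASL settings above (not from the tutorial).
#  - postfix_get        : effective value of a parameter, Postfix-style
#  - postfix_sasl_check : WARN lines for common smtpd SASL mistakes

# postfix_get MAIN_CF PARAM : print the effective value of PARAM, if set.
# A line starting with whitespace continues the previous parameter; the last
# definition of a parameter wins (as with two myorigin lines).
postfix_get() {
    awk -v want="$2" '
        /^[ \t]*#/ { next }
        /^[ \t]/ { if (cur != "") val[cur] = val[cur] " " $0; next }
        /^[A-Za-z0-9_]+[ \t]*=/ {
            cur = $0; sub(/[ \t]*=.*/, "", cur)
            val[cur] = substr($0, index($0, "=") + 1); next
        }
        END {
            if (want in val) {
                v = val[want]; gsub(/[ \t]+/, " ", v)
                sub(/^ /, "", v); sub(/ $/, "", v); print v
            }
        }' "$1"
}

# postfix_sasl_check MAIN_CF : print one WARN line per problem; returns the count.
postfix_sasl_check() {
    f="$1"; n=0
    # Parameter names that look like smtpd SASL settings but are not.
    for k in $(awk -F= '!/^[ \t]*#/ && /^[A-Za-z0-9_]+[ \t]*=/ { k = $1; gsub(/[ \t]/, "", k); print k }' "$f"); do
        case "$k" in
            smptd_*|smtp_sasl_type|smtp_sasl_path)
                echo "WARN: '$k' is not an smtpd SASL parameter (typo, or the client-side smtp_ prefix)"
                n=$((n + 1)) ;;
        esac
    done
    [ "$(postfix_get "$f" smtpd_sasl_auth_enable)" = yes ] || {
        echo "WARN: smtpd_sasl_auth_enable is not yes"; n=$((n + 1)); }
    case " $(postfix_get "$f" smtpd_recipient_restrictions | tr ',' ' ') " in
        *" reject_unauth_destination "*) ;;
        *) echo "WARN: smtpd_recipient_restrictions does not list reject_unauth_destination"
           n=$((n + 1)) ;;
    esac
    case "$(postfix_get "$f" smtpd_sasl_security_options)" in
        *noanonymous*) ;;
        *) echo "WARN: smtpd_sasl_security_options does not include noanonymous"; n=$((n + 1)) ;;
    esac
    if [ "$(postfix_get "$f" smtpd_sasl_type)" != dovecot ] || [ -z "$(postfix_get "$f" smtpd_sasl_path)" ]; then
        echo "WARN: smtpd_sasl_type/smtpd_sasl_path are not set for Dovecot"; n=$((n + 1))
    fi
    return $n
}

# Constructed samples: a correct block, and one with the typos described above.
demo_postfix_sasl() {
    tmp=$(mktemp -d)
    cat > "$tmp/good.cf" <<'EOF'
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions =
    permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
EOF
    cat > "$tmp/bad.cf" <<'EOF'
smtpd_sasl_auth_enable = yes
smptd_recipient_restrictions =
    permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtp_sasl_type = dovecot
smtp_sasl_path = private/auth/etc
EOF
    for f in good bad; do
        echo "== $f.cf"; postfix_sasl_check "$tmp/$f.cf" || true
    done
    rm -rf "$tmp"
}

demo_postfix_sasl
```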

Step 4 − Configure FirewallD to allow incoming SMTP Services.

[root@centos]# firewall-cmd --permanent --add-service=smtp 
success

[root@centos]# firewall-cmd --reload 
success

[root@centos]#

Now let's check to make sure our CentOS host is allowing and responding to the requests on port 25 (SMTP).

Nmap scan report for 172.16.223.132 
Host is up (0.00035s latency). 
Not shown: 993 filtered ports 
PORT    STATE  SERVICE 
   20/tcp  closed ftp-data 
   21/tcp  open   ftp 
   22/tcp  open   ssh 
   25/tcp  open   smtp 
   80/tcp  open   http 
   389/tcp open   ldap 
   443/tcp open   https 
MAC Address: 00:0C:29:BE:DF:5F (VMware)

As you can see, SMTP is listening and the daemon is responding to the requests from our internal LAN.

Install Dovecot IMAP and POP3 Server

Dovecot is a secure IMAP and POP3 server designed to handle the incoming mail needs of organizations from small to large. Due to its prolific use with CentOS, we will use Dovecot as our example of installing and configuring an incoming mail server for CentOS, and as the SASL provider for the MTA.

As noted previously, we will not be configuring MX records in DNS or creating the rules needed to handle mail for a domain securely. Hence, simply setting these services up on an Internet-facing host, without SPF records and the rest, may leave room for security holes.

Step 1 − Install Dovecot.

[root@centos]# yum -y install dovecot

Step 2 − Configure dovecot.

The main configuration file for dovecot is located at /etc/dovecot.conf. We will first back up the main configuration file. It is good practice to always back up configuration files before making edits; that way, if (for example) line breaks get destroyed by a text editor, years of changes are not lost, and reverting is as easy as copying the backup back into production.

Enable protocols and daemon service for dovecot

# Protocols we want to be serving. 
protocols = imap imaps pop3 pop3s

Now, we need to start the dovecot daemon and enable it at boot −

[root@localhost]# systemctl start  dovecot 
[root@localhost]# systemctl enable dovecot

Let's make sure Dovecot is listening locally on the specified ports for: imap, pop3, imap secured, and pop3 secured.

[root@localhost]# netstat -antup | grep dovecot 
 tcp        0        0 0.0.0.0:110        0.0.0.0:*        LISTEN        4368/dovecot
 tcp        0        0 0.0.0.0:143        0.0.0.0:*        LISTEN        4368/dovecot
 tcp        0        0 0.0.0.0:993        0.0.0.0:*        LISTEN        4368/dovecot
 tcp        0        0 0.0.0.0:995        0.0.0.0:*        LISTEN        4368/dovecot
 tcp6       0        0 :::110                :::*          LISTEN        4368/dovecot
 tcp6       0        0 :::143                :::*          LISTEN        4368/dovecot
 tcp6       0        0 :::993                :::*          LISTEN        4368/dovecot
 tcp6       0        0 :::995                :::*          LISTEN        4368/dovecot

[root@localhost]#

As seen, dovecot is listening on the specified ports for both IPv4 and IPv6.

Protocol   Port
POP3       110
POP3s      995
IMAP       143
IMAPs      993

Now, we need to make some firewall rules.

[root@localhost]# firewall-cmd --permanent --add-port=110/tcp 
success
 
[root@localhost]# firewall-cmd --permanent --add-port=143/tcp 
success
 
[root@localhost]# firewall-cmd --permanent --add-port=995/tcp 
success
 
[root@localhost]# firewall-cmd --permanent --add-port=993/tcp 
success
 
[root@localhost]# firewall-cmd --reload 
success
 
[root@localhost]#

Our incoming mail server is accepting requests for POP3, POP3s, IMAP, and IMAPs from hosts on the LAN.

Port Scanning host: 192.168.1.143

   Open TCP Port:   21          ftp 
   Open TCP Port:   22          ssh 
   Open TCP Port:   25          smtp 
   Open TCP Port:   80          http 
   Open TCP Port:   110         pop3 
   Open TCP Port:   143         imap 
   Open TCP Port:   443         https 
   Open TCP Port:   993         imaps 
   Open TCP Port:   995         pop3s 

Linux Admin - MySQL Setup On CentOS 7

As touched upon briefly when configuring CentOS for use with MariaDB, there is no native MySQL package in the CentOS 7 yum repository. To account for this, we will need to add a repository hosted by MySQL.

MariaDB vs MySQL On CentOS Linux

One thing to note is that MySQL requires a different set of base dependencies from MariaDB. Using MySQL also goes against the concept and philosophy of CentOS: production packages designed for maximum reliability.

So when deciding whether to use MariaDB or MySQL, one should weigh two questions: Will my current DB schema work with MariaDB? What advantage does installing MySQL over MariaDB give me?

MariaDB components are 100% transparent to MySQL structure, with some added efficiency and better licensing. Unless a compelling reason comes along, it is advised to configure CentOS to use MariaDB.

The biggest reasons for favoring Maria on CentOS are −

  • Most people will be using MariaDB. When experiencing issues you will get more assistance with Maria.

  • CentOS is designed to run with Maria. Hence, Maria will offer better stability.

  • Maria is officially supported for CentOS.

Download and Add the MySQL Repository

We will want to download and install the MySQL repository from −

http://repo.mysql.com/mysql-community-release-el7-5.noarch.rpm

Step 1 − Download the Repository.

The repository comes conveniently packaged in an rpm package for easy installation. It can be downloaded with wget −

[root@centos]# wget http://repo.mysql.com/mysql-community-release-el75.noarch.rpm
   --2017-02-26 03:18:36--  http://repo.mysql.com/mysql-community-release-el75.noarch.rpm
   Resolving repo.mysql.com (repo.mysql.com)... 104.86.98.130

Step 2 − Install MySQL From YUM.

We can now use the yum package manager to install MySQL −

[root@centos]# yum -y install mysql-server

Step 3 − Start and Enable the MySQL Daemon Service.

[root@centos]# systemctl start mysql 
[root@centos]# systemctl enable  mysql

Step 4 − Make sure our MySQL service is up and running.

[root@centos]# netstat -antup | grep 3306 
tcp6       0       0 :::3306       :::*       LISTEN       6572/mysqld
[root@centos]#

Note − We will not open any firewall ports for MySQL. It is common to have MySQL configured to use Unix domain sockets, which ensures that only the web server of the LAMP stack, locally, can access the MySQL database and removes an entire dimension of the attack surface of the database software.

Install Apache Web Server CentOS 7

 In this chapter, we will learn a little about the background of how Apache HTTP Server came into existence and then install the most current stable version on CentOS Linux 7.

Brief History on Apache WebServer

Apache is a web server that has been around for a long time. In fact, almost as long as the existence of http itself!

Apache started out as a rather small project at the National Center for Supercomputing Applications also known as NCSA. In the mid-90's "httpd", as it was called, was by far the most popular web-server platform on the Internet, having about 90% or more of the market share.

At this time, it was a simple project. Skilled I.T. staff known as webmasters were responsible for maintaining web server platforms and web server software as well as both front-end and back-end site development. At the core of httpd was its ability to use custom modules known as plugins or extensions. A webmaster was also skilled enough to write patches to the core server software.

Sometime in the late-mid-90's, the senior developer and project manager for httpd left NCSA to do other things. This left the most popular web-daemon in a state of stagnation.

Since the use of httpd was so widespread, a group of seasoned httpd webmasters called for a summit regarding the future of httpd. It was decided to coordinate and apply the best extensions and patches into a current stable release. Thus the current granddaddy of HTTP servers was born and christened Apache HTTP Server.

Little Known Historical Fact − Apache was not named after a Native American Tribe of warriors. It was in fact coined and named with a twist: being made from many fixes (or patches) from many talented Computer Scientists: a patchy or Apache.

Install Current Stable Version on CentOS Linux 7

Step 1 − Install httpd via yum.

yum -y install httpd

At this point Apache HTTP Server will install via yum.

Step 2 − Edit httpd.conf file specific to your httpd needs.

With a default Apache install, the configuration file for Apache is named httpd.conf and is located in /etc/httpd/. So, let's open it in vim.

The first few lines of httpd.conf opened in vim −

# 
# This is the main Apache HTTP server configuration file.  It contains the 
# configuration directives that give the server its instructions.
# See <URL:http://httpd.apache.org/docs/2.4/> for detailed information. 
# In particular, see  
# <URL:http://httpd.apache.org/docs/2.4/mod/directives.html> 
# for a discussion of each configuration directive.

We will make the following changes to allow our CentOS install to serve http requests from http port 80.

Listening host and port

# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default. See also the <VirtualHost>
# directive.
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses.
#
#Listen 12.34.56.78:80
Listen 80

From here, we can change Apache to listen on a certain port or IP address; for example, if we want to run httpd services on an alternative port such as 8080, or if our web server has multiple interfaces with separate IP addresses.

Listen

Restricting Listen to an address keeps Apache from binding to every IP address on the host. This is useful when you want to serve only IPv6 or only IPv4 traffic, or want to avoid binding to all network interfaces on a multi-homed host.

#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default. See also the <VirtualHost>
# directive.
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses.
#
Listen 10.0.0.25:80
#Listen 80

DocumentRoot

The "document root" is the default directory where Apache will look for an index file to serve for requests upon visiting your server: http://www.yoursite.com/ will retrieve and serve the index file from your document root.

#
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
DocumentRoot "/var/www/html"

Step 3 − Start and Enable the httpd Service.

[root@centos rdc]# systemctl start httpd && systemctl enable httpd 
[root@centos rdc]#

Step 4 − Configure firewall to allow access to port 80 requests.

[root@centos]# firewall-cmd --add-service=http --permanent

Linux Admin - Create SSL Certificates

 

TLS and SSL Background

TLS is the new standard for socket layer security, succeeding SSL. TLS offers better encryption standards along with other security and protocol-wrapper features that advance SSL. Often, the terms TLS and SSL are used interchangeably; however, as a professional CentOS Administrator, it is important to note the differences and the history separating the two.

SSL goes up to version 3.0. SSL was developed and promoted as an industry standard by Netscape. After Netscape was purchased by AOL (an ISP popular in the 90's, otherwise known as America Online), AOL never really promoted the changes needed to improve SSL's security.

At version 3.1, SSL technology moved into open systems standards and was renamed. Since the copyrights on SSL were still owned by AOL, a new term was coined: TLS, Transport Layer Security. So it is important to acknowledge that TLS is in fact different from SSL, especially as older SSL technologies have known security issues and some are considered obsolete today.

Note − This tutorial uses the term TLS when speaking of technologies 3.1 and higher, and SSL when commenting specifically on SSL technologies 3.0 and lower.

SSL vs TLS Versioning

The following table shows how TLS and SSL versioning relate to one another. I have heard a few people speak in terms of SSL version 3.2; they probably picked the terminology up from a blog. As professional administrators, we always want to use the standard terminology, so "SSL" should refer only to the older technology. Simple things can make a CentOS job seeker look like a seasoned CS major.

TLS    SSL
-      3.0
1.0    3.1
1.1    3.2
1.2    3.3

TLS performs two main functions important to the users of the Internet today. One, it verifies who a party is, known as authentication. Two, it offers end-to-end encryption at the transport layer for upper-level protocols that lack this natively (FTP, HTTP, email protocols, and more).

The first, verifying who a party is, is as important to security as end-to-end encryption. If a consumer has an encrypted connection to a website that is not authorized to take payment, the financial data is still at risk. This is what every phishing site will fail to have: a properly signed TLS certificate from a trusted CA verifying that the website operators are who they claim to be.

There are only two ways around not having a properly signed certificate: trick the user into making the web browser trust a self-signed certificate, or hope the user is not tech savvy and does not know the importance of a trusted Certificate Authority (CA).

In this tutorial, we will be using what is known as a self-signed certificate. This means that, unless this certificate is explicitly given trusted status in every web browser visiting the website, an error will be displayed discouraging users from visiting the site, and the user will have to jump through a few actions before accessing a site with a self-signed certificate. Remember, for the sake of security this is a good thing.

Install and Configure openssl

openssl is the standard for open-source implementations of TLS. openssl is used on systems such as Linux, BSD distributions, OS X, and even supports Windows.

openssl is important, as it provides transport layer security and abstracts away the detailed programming of authentication and end-to-end encryption for the developer. This is why openssl is used with almost every open-source application using TLS. It is also installed by default on every modern version of Linux.

By default, openssl should be installed on CentOS from at least version 5 onwards. Just to be sure, let's try installing openssl via YUM. Just run install, as YUM is intelligent enough to let us know if a package is already installed. If we are running an older version of CentOS for compatibility reasons, doing a yum -y install will ensure openssl is updated against the semi-recent Heartbleed vulnerability.

When running the installer, it was found there was actually an update to openssl.

[root@centos]# yum -y install openssl
Resolving Dependencies
--> Running transaction check
---> Package openssl.x86_64 1:1.0.1e-60.el7 will be updated
---> Package openssl.x86_64 1:1.0.1e-60.el7_3.1 will be an update
--> Processing Dependency: openssl-libs(x86-64) = 1:1.0.1e-60.el7_3.1 for 
package: 1:openssl-1.0.1e-60.el7_3.1.x86_64
--> Running transaction check
---> Package openssl-libs.x86_64 1:1.0.1e-60.el7 will be updated
---> Package openssl-libs.x86_64 1:1.0.1e-60.el7_3.1 will be an update
--> Finished Dependency Resolution 
Dependencies Resolved

===============================================================================
 Package            Arch      Version                 Repository     Size
===============================================================================
Updating:
 openssl            x86_64    1:1.0.1e-60.el7_3.1     updates        713 k
Updating for dependencies:

Create Self-signed Certificate for OpenLDAP

This is the method to create a self-signed certificate for our previous OpenLDAP installation. The general form of the command is −

openssl req -new -x509 -nodes -out /etc/openldap/certs/myldaplocal.pem -keyout /etc/openldap/certs/myldaplocal.pem -days 365

[root@centos]# openssl req -new -x509 -nodes -out /etc/openldap/certs/vmnet.pem 
-keyout /etc/openldap/certs/vmnet.pem -days 365 
Generating a 2048 bit RSA private key
.............................................+++
................................................+++
writing new private key to '/etc/openldap/certs/vmnet.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Califonia
Locality Name (eg, city) [Default City]:LA
Organization Name (eg, company) [Default Company Ltd]:vmnet
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:centos
Email Address []:bob@bobber.net
[root@centos]#

Now our OpenLDAP certificates should be placed in /etc/openldap/certs/

[root@centos]# ls /etc/openldap/certs/*.pem 
/etc/openldap/certs/vmnetcert.pem  /etc/openldap/certs/vmnetkey.pem
[root@centos]#

As you can see, we have both the certificate and key installed in the /etc/openldap/certs/ directory. Finally, we need to change the ownership of each, since they are currently owned by the root user. Note that the listing below still shows the key file as world-readable (-rw-r--r--); a private key should be readable only by its owner (for example, chmod 600).

[root@centos]# chown -R  ldap:ldap /etc/openldap/certs/*.pem
[root@centos]# ls -ld /etc/openldap/certs/*.pem
-rw-r--r--. 1 ldap ldap 1395 Feb 20 10:00 /etc/openldap/certs/vmnetcert.pem 
-rw-r--r--. 1 ldap ldap 1704 Feb 20 10:00 /etc/openldap/certs/vmnetkey.pem
[root@centos]#

Create Self-signed Certificate for Apache Web Server

In this tutorial, we will assume Apache is already installed. We installed Apache in another tutorial (configuring the CentOS firewall) and will go into advanced installation of Apache in a future tutorial, so if you have not already installed Apache, please do so first.

Once Apache httpd is installed, TLS can be enabled using the following steps −

Step 1 − Install mod_ssl for Apache httpd server.

First we need to configure Apache with mod_ssl. Using the YUM package manager this is pretty simple −

[root@centos]# yum -y install mod_ssl

Then reload your Apache daemon to ensure Apache uses the new configuration.

[root@centos]# systemctl reload httpd

At this point, Apache is configured to support TLS connections on the local host.

Step 2 − Create the self-signed ssl certificate.

First, let's configure our private TLS key directory.

[root@centos]# mkdir /etc/ssl/private 
[root@centos]# chmod 700 /etc/ssl/private/

Note − Be sure only root has read/write access to this directory. If the private key is world-readable, anyone on the host can copy it and use it to decrypt sniffed traffic.

Generating the certificate and key files.

[root@centos]# sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout 
/etc/ssl/private/self-gen-apache.key -out /etc/ssl/certs/self-sign-apache.crt 
Generating a 2048 bit RSA private key
..........+++
....+++
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:xx
Locality Name (eg, city) [Default City]:xxxx
Organization Name (eg, company) [Default Company Ltd]:VMNET
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:centos.vmnet.local
Email Address []:

[root@centos]#

Note − You can use public IP Address of the server if you don't have a registered domain name.

Let's take a look at our certificate −

[root@centos]# openssl x509 -in self-sign-apache.crt -text -noout
Certificate:
   Data:
      Version: 3 (0x2)
      Serial Number: 17620849408802622302 (0xf489d52d94550b5e)
   Signature Algorithm: sha256WithRSAEncryption
   Issuer: C=US, ST=UT, L=xxxx, O=VMNET, CN=centos.vmnet.local
   Validity
      Not Before: Feb 24 07:07:55 2017 GMT
      Not After : Feb 24 07:07:55 2018 GMT
   Subject: C=US, ST=UT, L=xxxx, O=VMNET, CN=centos.vmnet.local
   Subject Public Key Info:
      Public Key Algorithm: rsaEncryption
         Public-Key: (2048 bit)
            Modulus:
               00:c1:74:3e:fc:03:ca:06:95:8d:3a:0b:7e:1a:56:
               f3:8d:de:c4:7e:ee:f9:fa:79:82:bf:db:a9:6d:2a:
               57:e5:4c:31:83:cf:92:c4:e7:16:57:59:02:9e:38:
               47:00:cd:b8:31:b8:34:55:1c:a3:5d:cd:b4:8c:b0:
               66:0c:0c:81:8b:7e:65:26:50:9d:b7:ab:78:95:a5:
               31:5e:87:81:cd:43:fc:4d:00:47:5e:06:d0:cb:71:
               9b:2a:ab:f0:90:ce:81:45:0d:ae:a8:84:80:c5:0e:
               79:8a:c1:9b:f4:38:5d:9e:94:4e:3a:3f:bd:cc:89:
               e5:96:4a:44:f5:3d:13:20:3d:6a:c6:4d:91:be:aa:
               ef:2e:d5:81:ea:82:c6:09:4f:40:74:c1:b1:37:6c:
               ff:50:08:dc:c8:f0:67:75:12:ab:cd:8d:3e:7b:59:
               e0:83:64:5d:0c:ab:93:e2:1c:78:f0:f4:80:9e:42: 
               7d:49:57:71:a2:96:c6:b8:44:16:93:6c:62:87:0f:
               5c:fe:df:29:89:03:6e:e5:6d:db:0a:65:b2:5e:1d:
               c8:07:3d:8a:f0:6c:7f:f3:b9:32:b4:97:f6:71:81:
               6b:97:e3:08:bd:d6:f8:19:40:f1:15:7e:f2:fd:a5:
               12:24:08:39:fa:b6:cc:69:4e:53:1d:7e:9a:be:4b:

Here is an explanation for each option we used with the openssl command −

Command            Action
req -x509          Use the X.509 certificate-request (CSR) tooling to emit a self-signed certificate directly instead of a request for a CA.
-nodes             Do not encrypt the private key with a passphrase. Apache must be able to load the key at start-up without being interrupted for a passphrase.
-days 2555         Set the certificate validity to 2555 days (7 years). The period can be adjusted as needed.
-newkey rsa:2048   Generate both a new private key and the certificate, using RSA with a 2048-bit key.

Next, we want to create a Diffie-Hellman group for negotiating PFS with clients.

[centos#] openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

This will take from 5 to 15 minutes.

Perfect Forward Secrecy − Protects recorded session data even if the server's long-term private key is compromised later. With PFS, the client and server negotiate an ephemeral key that is unique to each session, so the private key alone cannot decrypt captured traffic.

Now, add the Perfect Forward Secrecy configuration to our certificate.

[root@centos]# cat /etc/ssl/certs/dhparam.pem | tee -a /etc/ssl/certs/self-sign-apache.crt

Configure Apache to Use Key and Certificate Files

We will be making changes to /etc/httpd/conf.d/ssl.conf −

We will make the following changes to ssl.conf. Before we do, we should back up the original file. When editing a production server with an advanced text editor like vi or emacs, it is a best practice to always back up configuration files before making edits.

[root@centos]# cp /etc/httpd/conf.d/ssl.conf ~/

Now let's continue our edits after copying a known-working copy of ssl.conf to the root of our home folder.

  • Locate the "General setup for the virtual host" section and edit both DocumentRoot and ServerName as follows.

# General setup for the virtual host, inherited from global configuration
DocumentRoot "/var/www/html"
ServerName centos.vmnet.local:443

DocumentRoot is the path to your default Apache directory. This folder should contain a default page, which is served when an HTTP request asks for the default page of your web server or site.

ServerName is the server name, which can be either an IP address or the host name of the server. For TLS, it is a best practice to create a certificate with a host name. In our OpenLDAP tutorial, we created a hostname of centos on the local enterprise domain vmnet.local.

Now we want to comment the following lines out.

SSLProtocol

#   SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect.  Disable SSLv2 access by default:
 ~~~~> #SSLProtocol all -SSLv2
 
#   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate.
#   See the mod_ssl documentation for a complete list.
 ~~~~> #SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA

Then let Apache know where to find our certificate and private/public key pair.

Specify the path to our self-signed certificate file:

#   Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate.  If
# the certificate is encrypted, then you will be prompted for a
# pass phrase.  Note that a kill -HUP will prompt again.  A new
# certificate can be generated using the genkey(1) command.
~~~~> SSLCertificateFile /etc/ssl/certs/self-sign-apache.crt

Specify the path to our private key file:

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
~~~~> SSLCertificateKeyFile /etc/ssl/private/self-gen-apache.key

Finally, we need to allow inbound connections to https over port 443.

Install and Configure Open LDAP

LDAP, the Lightweight Directory Access Protocol, is a protocol for accessing X.500-style directory services within an enterprise. Those who are familiar with Windows Server administration can think of LDAP as being very similar in nature to Active Directory. It is even common to join Windows workstations to an OpenLDAP-based CentOS enterprise directory. At the other end of the spectrum, a CentOS Linux workstation can share resources and participate with basic functionality in a Windows domain.

Deploying LDAP on CentOS as a Directory Server Agent, Directory System Agent, or DSA (these acronyms are all one and the same) is similar to older Novell Netware installations using the Directory Tree structure with NDS.

Brief History of LDAP

LDAP was created as an efficient way to access X.500 directories holding enterprise resources. X.500 and LDAP share the same characteristics and are so similar that LDAP clients can access X.500 directories with some helpers, while LDAP also has its own directory server called slapd. The main difference between LDAP and DAP is that the lightweight version is designed to operate over TCP, whereas DAP uses the full OSI model.

With the prominence of the Internet, TCP/IP and Ethernet in today's networks, it is rare to come across a directory services implementation using DAP and native X.500 enterprise directories outside specific legacy computing models.

The main components used with OpenLDAP for CentOS Linux are −

Component            Description
openldap             LDAP support libraries
openldap-servers     LDAP server
openldap-clients     LDAP client utilities
openldap-devel       Development libraries for OpenLDAP
compat-openldap      OpenLDAP shared libraries
slapd                Directory server daemon of OpenLDAP
slurpd               Used for LDAP replication across an enterprise domain

Note − When naming your enterprise, it is a best practice to use the .local TLD. Using .net or .com can cause difficulties when segregating online and internal domain infrastructure. Imagine the extra work for a company using acme.com internally for both external and internal operations. Hence, it can be wise to call Internet resources acme.com or acme.net, while the local networking enterprise resources are depicted as acme.local. This entails configuring DNS records, but pays off in simplicity, elegance and security.

Install Open LDAP on CentOS

Install the openldap, openldap-servers, openldap-clients and migrationtools packages from YUM.

[root@localhost]# yum -y install openldap openldap-servers openldap-clients migrationtools
Loaded plugins: fastestmirror, langpacks
updates                                                  | 3.4 kB  00:00:00
updates/7/x86_64/primary_db                              | 2.2 MB  00:00:05
Determining fastest mirrors
(1/2): extras/7/x86_64/primary_db                        | 121 kB  00:00:01
(2/2): base/7/x86_64/primary_db                          | 5.6 MB  00:00:16
Package openldap-2.4.40-13.el7.x86_64 already installed and latest version
Resolving Dependencies
--> Running transaction check
---> Package openldap-clients.x86_64 0:2.4.40-13.el7 will be installed
---> Package openldap-servers.x86_64 0:2.4.40-13.el7 will be installed
--> Finished Dependency Resolution
base/7/x86_64/group_gz                                   | 155 kB  00:00:00

Dependencies Resolved

================================================================================
 Package               Arch        Version              Repository        Size
================================================================================
Installing:
 openldap-clients      x86_64      2.4.40-13.el7        base             188 k
 openldap-servers      x86_64      2.4.40-13.el7        base             2.1 M

Transaction Summary
================================================================================
Install  2 Packages

Total download size: 2.3 M
Installed size: 5.3 M
Downloading packages:

Installed:
  openldap-clients.x86_64 0:2.4.40-13.el7
  openldap-servers.x86_64 0:2.4.40-13.el7
Complete!
[root@localhost]#

Now, let's start and enable the slapd service −

[root@centos]# systemctl start slapd 
[root@centos]# systemctl enable  slapd

At this point, let's ensure we have our OpenLDAP structure in /etc/openldap.

[root@localhost]# ls /etc/openldap/
certs  check_password.conf  ldap.conf  schema  slapd.d
[root@localhost]#

Then make sure our slapd service is running.

[root@centos]# netstat -antup | grep slapd
tcp        0      0 0.0.0.0:389            0.0.0.0:*              LISTEN      1641/slapd
tcp6       0      0 :::389                 :::*                   LISTEN      1641/slapd
 
[root@centos]#

Next, let's configure our Open LDAP installation.

Make sure our system ldap user has been created.

[root@localhost]# id ldap 
uid=55(ldap) gid=55(ldap) groups=55(ldap)
[root@localhost]#

Generate our LDAP credentials.

[root@localhost]# slappasswd  
New password:  
Re-enter new password:  
{SSHA}20RSyjVv6S6r43DFPeJgASDLlLoSU8g.a10

[root@localhost]#

We need to save the output from slappasswd.

Configure Open LDAP

Step 1 − Configure LDAP for domain and add administrative user.

First, we want to set up our openLDAP environment. Following is a template to use with the ldapmodify command.

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=vmnet,dc=local

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=ldapadm,dc=vmnet,dc=local

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: <output from slappasswd>

Make changes to /etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif with the ldapmodify command.

[root@localhost]# ldapmodify -Y EXTERNAL -H ldapi:/// -f /home/rdc/Documents/db.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"

[root@localhost cn=config]#

Let's check the modified LDAP configuration.

[root@linux1 ~]# vi /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif

[root@centos]# cat /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}hdb.ldif
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 a163f14c
dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
structuralObjectClass: olcHdbConfig
entryUUID: 1bd9aa2a-8516-1036-934b-f7eac1189139
creatorsName: cn=config
createTimestamp: 20170212022422Z
olcSuffix: dc=vmnet,dc=local
olcRootDN: cn=ldapadm,dc=vmnet,dc=local
olcRootPW:: e1NTSEF1bUVyb1VzZTRjc2dkYVdGaDY0T0k=
entryCSN: 20170215204423.726622Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20170215204423Z

[root@centos]#

As you can see, our LDAP enterprise modifications were successful.

Next, we want to create a self-signed SSL certificate for OpenLDAP. This will secure the communication between the enterprise server and its clients.

Step 2 − Create a self-signed certificate for OpenLDAP.

We will use openssl to create a self-signed SSL certificate. Go to the next chapter, Create LDAP SSL Certificate with openssl, for instructions on securing communications with OpenLDAP. Once the SSL certificates are configured, our OpenLDAP enterprise configuration will be complete.

Step 3 − Configure OpenLDAP to use secure communications with certificate.

Create a certs.ldif file in vim with the following information −

dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/yourGeneratedCertFile.pem

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/youGeneratedKeyFile.pem

Next, again, use the ldapmodify command to merge the changes into the OpenLDAP configuration.

[root@centos rdc]# ldapmodify -Y EXTERNAL  -H ldapi:/// -f certs.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

[root@centos]#

Finally, let's test our OpenLDAP configuration.

[root@centos]# slaptest -u 
config file testing succeeded 
[root@centos]#

Step 4 − Set up slapd database.

cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG && \
chown ldap:ldap /var/lib/ldap/*

Update the OpenLDAP schema.

Add the cosine and nis LDAP schemas.

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

Finally, create the enterprise schema and add it to the current OpenLDAP configuration.

Following is for a domain called vmnet.local with an LDAP Admin called ldapadm.

dn: dc=vmnet,dc=local
dc: vmnet
objectClass: top
objectClass: domain

dn: cn=ldapadm,dc=vmnet,dc=local
objectClass: organizationalRole
cn: ldapadm
description: LDAP Manager

dn: ou=People,dc=vmnet,dc=local
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=vmnet,dc=local
objectClass: organizationalUnit
ou: Group

Finally, import this into the current OpenLDAP schema.

[root@centos]# ldapadd -x -W -D "cn=ldapadm,dc=vmnet,dc=local" -f ./base.ldif
 Enter LDAP Password:
adding new entry "dc=vmnet,dc=local"

adding new entry "cn=ldapadm,dc=vmnet,dc=local"

adding new entry "ou=People,dc=vmnet,dc=local"

adding new entry "ou=Group,dc=vmnet,dc=local"

[root@centos]#

Step 5 − Set up an OpenLDAP enterprise user.

Open vim or your favorite text editor and copy the following format. This is setup for a user named "entacct" on the "vmnet.local" LDAP domain.

dn: uid=entacct,ou=People,dc=vmnet,dc=local 
objectClass: top
objectClass: account 
objectClass: posixAccount 
objectClass: shadowAccount 
cn: entacct 
uid: entacct 
uidNumber: 9999 
gidNumber: 100 
homeDirectory: /home/entacct 
loginShell: /bin/bash 
gecos: Enterprise User Account 001 
userPassword: {crypt}x 
shadowLastChange: 17058 
shadowMin: 0 
shadowMax: 99999 
shadowWarning: 7

Now import the above file, as saved, into the OpenLDAP schema.

[root@centos]# ldapadd -x -W -D "cn=ldapadm,dc=vmnet,dc=local" -f entuser.ldif 
 Enter LDAP Password:
adding new entry "uid=entacct,ou=People,dc=vmnet,dc=local" 

[root@centos]#

Before the users can access the LDAP Enterprise, we need to assign a password as follows −

ldappasswd -s password123 -W -D "cn=ldapadm,dc=vmnet,dc=local" -x "uid=entacct,ou=People,dc=vmnet,dc=local"

-s specifies the new password for the user

-x selects simple authentication; the quoted DN that follows it is the user whose password is updated

-D is the distinguished name used to authenticate against the LDAP directory (prompted for its password by -W)

Note − With -s the new password appears on the command line, where it is visible in shell history and process listings. Use -S instead to be prompted for it interactively.

Finally, before logging into the Enterprise account, let's check our OpenLDAP entry.

[root@centos rdc]# ldapsearch -x cn=entacct -b dc=vmnet,dc=local
 # extended LDIF
 #
 # LDAPv3
 # base <dc=vmnet,dc=local> with scope subtree
 # filter: cn=entacct
 # requesting: ALL 
 # 
 # entacct, People, vmnet.local 
dn: uid=entacct,ou=People,dc=vmnet,dc=local 
objectClass: top 
objectClass: account 
objectClass: posixAccount 
objectClass: shadowAccount 
cn: entacct 
uid: entacct 
uidNumber: 9999 
gidNumber: 100 
homeDirectory: /home/entacct 
loginShell: /bin/bash 
gecos: Enterprise User Account 001 
userPassword:: e2NyeXB0fXg= 
shadowLastChange: 17058 
shadowMin: 0 
shadowMax: 99999 
shadowWarning: 7

Converting things like /etc/passwd and /etc/group to OpenLDAP authentication requires the use of migration tools. These are included in the migrationtools package, which installs them into /usr/share/migrationtools.

[root@centos openldap-servers]# ls -l /usr/share/migrationtools/
total 128
-rwxr-xr-x. 1 root root  2652 Jun  9  2014 migrate_aliases.pl
-rwxr-xr-x. 1 root root  2950 Jun  9  2014 migrate_all_netinfo_offline.sh
-rwxr-xr-x. 1 root root  2946 Jun  9  2014 migrate_all_netinfo_online.sh
-rwxr-xr-x. 1 root root  3011 Jun  9  2014 migrate_all_nis_offline.sh
-rwxr-xr-x. 1 root root  3006 Jun  9  2014 migrate_all_nis_online.sh
-rwxr-xr-x. 1 root root  3164 Jun  9  2014 migrate_all_nisplus_offline.sh
-rwxr-xr-x. 1 root root  3146 Jun  9  2014 migrate_all_nisplus_online.sh
-rwxr-xr-x. 1 root root  5267 Jun  9  2014 migrate_all_offline.sh
-rwxr-xr-x. 1 root root  7468 Jun  9  2014 migrate_all_online.sh
-rwxr-xr-x. 1 root root  3278 Jun  9  2014 migrate_automount.pl
-rwxr-xr-x. 1 root root  2608 Jun  9  2014 migrate_base.pl
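What the migrate_passwd.pl script in that directory does, and what Step 5 did by hand for entacct, is turn passwd(5) and shadow(5) records into posixAccount/shadowAccount LDIF. The Python example below is added here as an illustration and is not part of the tutorial or of the migrationtools package. It works on constructed sample lines embedded in the script (the hash field is a placeholder, not a real crypt(3) hash), uses the tutorial's dc=vmnet,dc=local suffix and ou=People container as defaults, and goes a little beyond the single entry shown above: it skips system accounts below a minimum UID, exports a userPassword only when the shadow file holds a usable hash, and base64-encodes any value that RFC 2849 says cannot appear as plain text.

```python
import base64
from typing import Dict, Iterable, List, Tuple

# Constructed sample input in /etc/passwd and /etc/shadow format (not real accounts).
# The "$6$..." field is a placeholder standing in for a real SHA-512 crypt hash.
SAMPLE_PASSWD = [
    "root:x:0:0:root:/root:/bin/bash",
    "entacct:x:9999:100:Enterprise User Account 001:/home/entacct:/bin/bash",
]
SAMPLE_SHADOW = [
    "root:!!:17058:0:99999:7:::",
    "entacct:$6$constructedsalt$PLACEHOLDERHASH:17058:0:99999:7:::",
]

# shadow(5) fields we export, by index after the login name has been stripped
SHADOW_ATTRS = (("shadowLastChange", 1), ("shadowMin", 2),
                ("shadowMax", 3), ("shadowWarning", 4))


def ldif_attr(name: str, value: str) -> str:
    """Render one LDIF attribute line.

    RFC 2849 requires the base64 'name:: value' form when the value is non-ASCII,
    starts with a space, colon or '<', ends with a space, or contains a newline.
    """
    needs_b64 = (
        any(ord(ch) > 127 for ch in value)
        or value[:1] in (" ", ":", "<")
        or value.endswith(" ")
        or "\n" in value
    )
    if needs_b64:
        return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{name}: {value}"


def parse_shadow(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Map login name -> remaining shadow fields (hash, lastchg, min, max, warn, ...)."""
    table: Dict[str, List[str]] = {}
    for line in lines:
        line = line.strip()
        if line and not line.startswith("#"):
            fields = line.split(":")
            table[fields[0]] = fields[1:]
    return table


def passwd_to_ldif(passwd_lines: Iterable[str], shadow_lines: Iterable[str],
                   base_dn: str = "dc=vmnet,dc=local", people_ou: str = "People",
                   min_uid: int = 1000) -> str:
    """Build one posixAccount/shadowAccount entry per passwd line with uid >= min_uid.

    Accounts below min_uid (root, daemons) stay local, which is also the default
    behaviour of migrationtools.
    """
    shadow = parse_shadow(shadow_lines)
    entries: List[str] = []
    for line in passwd_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, uid, gid, gecos, home, shell = line.split(":")[:7]
        if int(uid) < min_uid:
            continue
        attrs: List[Tuple[str, str]] = [
            ("dn", f"uid={name},ou={people_ou},{base_dn}"),
            ("objectClass", "top"),
            ("objectClass", "account"),
            ("objectClass", "posixAccount"),
            ("objectClass", "shadowAccount"),
            ("cn", name),
            ("uid", name),
            ("uidNumber", uid),
            ("gidNumber", gid),
            ("homeDirectory", home),
            ("loginShell", shell),
            ("gecos", gecos),
        ]
        fields = shadow.get(name, [])
        # '', '!', '!!', '*' and 'x' mean "no usable password": leave userPassword
        # out and set one after import with ldappasswd, as the tutorial does.
        if fields and fields[0] not in ("", "!", "!!", "*", "x"):
            attrs.append(("userPassword", "{crypt}" + fields[0]))
        for attr, idx in SHADOW_ATTRS:
            if idx < len(fields) and fields[idx]:
                attrs.append((attr, fields[idx]))
        entries.append("\n".join(ldif_attr(n, v) for n, v in attrs))
    return "\n\n".join(entries) + "\n"


if __name__ == "__main__":
    print(passwd_to_ldif(SAMPLE_PASSWD, SAMPLE_SHADOW))
```

The output can be fed straight to ldapadd as in Step 5. Because the generated entries carry the real {crypt} hashes from /etc/shadow, treat the LDIF file with the same care as the shadow file itself and delete it after import.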

Step 6 − Finally, we need to allow access to the slapd service so it can service requests.

firewall-cmd --permanent --add-service=ldap 
firewall-cmd --reload

Configure LDAP Client Access

Configuring LDAP client access requires the following packages on the client: openldap, openldap-clients, and nss_ldap.

Configuring LDAP authentication for client systems is a bit easier.

Step 1 − Install dependent packages −

# yum install -y openldap-clients nss-pam-ldapd

Step 2 − Configure LDAP authentication with authconfig.

authconfig --enableldap --enableldapauth --ldapserver=10.25.0.1 \
  --ldapbasedn="dc=vmnet,dc=local" --enablemkhomedir --update

Step 3 − Restart nslcd service.

systemctl restart  nslcd