When creating the certificate request enter for eg *.example.com in the common name field and you can then use the one certificate on all servers that fall in that domain.

BIG WARNING! This is very dangerous if the keys are not secured properly. As if somebody compromises one key, they have compromised all of the services on all the machines that use the same key! So make sure you really want to do this, have the file permissions set correctly and are prepared for the consequences.

The openldap-server guide does try to take you from wo to go fairly well and the following notes are just extra things that would have been handy to know or were needed to continue.

Configuration

The first ldapmodify commands are add extra DbIndex’s. These are handy to know when you receive errors in syslog such as:

• Apr  3 11:01:18 virt01 slapd[11465]: <= bdb_equality_candidates: (objectClass) not indexed

You can view the current DbIndex values:

• ~$ ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W olcDatabase={1}hdb olcDbIndex
  Enter LDAP Password:
  dn: olcDatabase={1}hdb,cn=config
  olcDbIndex: objectClass eq
  olcDbIndex: cn eq,pres,sub
  olcDbIndex: uid eq,pres,sub
  olcDbIndex: entryUUID eq
  olcDbIndex: memberUid eq
  olcDbIndex: uniqueMember eq

And index’s can be added using the ldapmodify examples. If you need to delete the entire list and start again these ldapmodify commands will help you:

• dn: olcDatabase={1}hdb,cn=config
  delete: olcDbIndex

The sample of output from my ldap setup above will make an okay base to work with.

I followed the schemas section ok with the exception of a correction of the ldapadd command missing a ‘-W’ arg (prompt for password).

• ldapadd -x -D cn=admin,cn=config -W -f /tmp/ldif_output/cn=config/cn=schema/cn={8}misc.ldif

Populating LDAP

You will now notice with the ldapadd command the reference a second admin principal (cn=admin,dc=example,dc=com). This principal is created with the same password as the first admin (cn=admin,cn=config).

LDAP replication

LDAP replication without TLS was setup within minutes following the guide.

Just be very careful to make sure all modifications are complete and correct before adding the ldif files.

The cn=config replication needs to be applied on both servers, but the dc=example,dc=com replication ldif only needs to be applied on one as once cn=config replication is setup it will replicate the dc=example,dc=com settings to the other server.

The second server also does not need to be setup with all the same changes as the first. Just setup the same domain and password when installing slapd then apply the replication ldif. The additional changes made on ldap01 will be replicated to ldap02 automatically. Once both servers have the ldif applied, then restart slapd on each.

It took a fair while to get replication working again using TLS. Most of my problems were certificate related and couple of missed changes in the TLS replication ldif that would not change back.

TLS and SSL

I created my certificates with CA.pl from an existing CA I have setup for other servers. When creating the certificates make sure that the commonName matches the host name of the server as it will be addressed. Ie:

• Server name: ldap01.example.com
• commonName: ldap01.example.com

TLS verification will fail if you do a ldap search against ldap://ldap01/ (as opposed to ldap://ldap01.example.com/).

I have not yet tested wildcard certificates either. Also the ca-certificate can be referred to either by file (olcTLSCACertificateFile) or the dir containing the cert (olcTLSCACertificatePath). But only referring to the cert by file name worked in my testing even though I added to cert to Ubuntu’s ca-certificate management scheme. Ie:

• sudo cp cacert.pem /usr/share/ca-certificates/Example.Com-CA.crt

• echo 'Example.Com-CA.crt' | sudo tee -a /etc/ca-certificates.conf

• sudo update-ca-certificates

I had to set the SLAPD_SERVICES line to: SLAPD_SERVICES=”ldap:/// ldaps:/// ldapi:///” To allow TLS ldap:// connections from other hosts.

The TLS connections are over ldap:// and SSL is over ldaps://. TLS is the newer and preferred standard, but the ldap:// protocol also allows cleartext communication as a fallback.

To test a TLS connection use:

• ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W -H ldap://ldap01.example.com/ -ZZ

• -H ldap://ldap01.example.com/ – specifies the hostname. Make sure it is the same as commonName in the certificate used.
• -ZZ – Issues a StartTLS command and requires it succed. Using just -Z issues StartTLS but still allows a cleartext connection if the StartTLS directive fails.

To debug a connection append -d5 to the command. It will spew a lot of output, but in there will most likely be the reason for the cause of the error.

The notes at the end of the TLS replication section are also handy for getting a TLS client connection working. I needed the following line in /etc/ldap/ldap.conf on all hosts:

• TLS_CACERT /etc/ssl/certs/Example.Com-CA.crt

Or if you do not wish to check the validity of certificates then you could use:

• TLS_REQCERT allow

TLS Replication

This should only be attempted once both hosts are confirmed working over TLS. Also make sure you test establishing a TLS connection from one host to the other (ie, running the ldapsearch from ldap01 using -ZZ -H ldap://ldap02.example.com/).

After adding the cn=config TLS change to one host (remember it will be replicated to the other host automatically), then restart both slapd backends (sudo /etc/init.d/slapd restart).

If that is working without any errors in syslog then proceed to the dc=example,dc=com tls replication and restart both backends again.

LDAP Authentication

My next headache was with the auth-client-config command. The correct command to use is:

• sudo auth-client-config -t nss -p lac_ldap

Some sites also note another command that is actually unnecessary:

• sudo pam-auth-update ldap

pam-auth-update allows you to pick which auth methods will be used in your system, but ldap is automatically added when you install libnss-ldap.

Other changes I made to /etc/ldap.conf was uncommenting two lines:

• pam_filter objectclass=account

• ssl start_tls

This requires a user have the objectclass=account attribute to be able to login. And the second requires a TLS connection to the ldap server.

To use TLS for pam auth you will need to make sure the cert is specified in /etc/ldap/ldap.conf just as on the server. This can be tested by running the same ldapsearch command on the client as on the server.

After managing to get that working on one client the rest were managed easily using puppet.

User and Group Management

The command to put the ‘secret’ in /etc/ldapscripts/ldapscripts.passwd will not work as expected if you have a dollar symbol in the password. Ie:

• sudo sh -c "echo -n '$ecret' > /etc/ldapscripts/ldapscripts.passwd"

Will result in an empty passwd file. The correct way to echo the password is to escape the $. Ie: ‘$ecret’. This is not a problem with the server guide, just an oversight that caught me out. It can be seen in the log file as:

• >> 04/01/09 - 17:23 : Command : /usr/sbin/ldapadduser george example
  ldap_bind: Server is unwilling to perform (53)
          additional info: unauthenticated bind (DN with no password) disallowed
  ldap_bind: Server is unwilling to perform (53)
          additional info: unauthenticated bind (DN with no password) disallowed
  Error adding user george to LDAP

The ldapscripts will also often fail if replication is not working either. Check the output of /var/log/ldapscripts.log.

• >> 04/02/09 - 13:49 : Command : /usr/sbin/ldapadduser george example
  Additional information: value does not conform to assertion syntax
  ldap_modify: Server is unwilling to perform (53)
          additional info: shadow context; no update referral
  Error adding user george to LDAP

That is the ldapscripts log output I get when replication was not working.

Finale

After that was all sorted out I was happy as Larry. Next thing to try is SASL authentication i guess. If anybody wants to point me in the right direction to assist with the Jaunty server guide it would be much appreciated. As well as any more notes and corrections to my post.

I purchased one from Dick Smiths last night plugged it into my (Ubuntu-8.10 powered) laptop and was up and running within seconds.

Signal strength and speed are fairly industry standard. Cost AU$50. I probably could have found it cheaper elseware but DSE was conveniently on my way home last night.

D-Link DWA-110

Now just to find an access point with decent signal strength.

My goal was to install Alfresco in Ubuntu-8.10 and store the Alfresco install and config in git excluding the application data in such a way that I am able to checkout my Alfresco git repo on a new Ubuntu install and have Alfresco running immediately.

This turned out to be fairly easy and makes testing new configuration changes very simple.

There is plenty of information on configuring Alfresco on the Alfresco wiki, and most of my setup is based on the install tutorial for Ubuntu-8.04. So I will only cover the differences in the way I setup Alfresco.

Alfresco dependencies in Ubuntu

I chose to use puppet for taking care of dependencies as it is already in deployment for all the servers I use. The other common way of taking way of taking care of dependencies is to create a script that installs the dependencies and store it in the root Alfresco dir managed by git. If you do not want to setup puppet then see the initialize.sh file below. My puppet rule as follows also installs lighttpd and phpmyadmin.

class alfresco_base {
        package { [
                imagemagick,
                lighttpd,
                mysql-server,
                'openoffice.org-headless',
                php5-cgi,
                swftools]:
                        ensure => installed;

                phpmyadmin:
                        ensure => installed,
                        require => [Package['php5-cgi'], Package['lighttpd']],
                        notify => File['50-phpmyadmin.conf'];

                sun-java6-jre:
                        ensure => installed,
                        require => Exec[preseed-licence-dlj];
        }

        file {
                '50-phpmyadmin.conf':
                        name => "/etc/lighttpd/conf-available/50-phpmyadmin.conf",
                        ensure => "/etc/phpmyadmin/lighttpd.conf",
                        notify => Exec[lighttpd-enable-phpmyadmin]
        }

        exec {
                "lighttpd-enable-phpmyadmin":
                        command => "lighty-enable-mod fastcgi phpmyadmin",
                        refreshonly => true,
                        notify => Exec[lighttpd-restart];

                "lighttpd-restart":
                        command => "/etc/init.d/lighttpd restart",
                        refreshonly => true;

                "preseed-licence-dlj":
                        command => "echo sun-java5-jdk shared/accepted-sun-dlj-v1-1 boolean true | debconf-set-selections";
        }
}

Initially installing Alfresco

To have something to put into the git repo we first must install Alfresco the usual way for your platform. If you are installing on a 64bit install you will need to install ia32libs first too.

• ./Alfresco-Labs-3Stable-Linux-x86-Install --mode console

Once installed turn your install into a git repo.

• cd Alfresco

• git init

• git add .

• git commit -m "Initial install of Alfresco Labs 3 Stable"

Now we need to define some exclusions for files that are changed or defined after install such as log folders and user data.

• echo "alf-backstop-*
  alf_data/
  alfresco.log
  tomcat/logs/
  tomcat/temp/
  tomcat/conf/tomcat-users.xml
  tomcat/webapps/alfresco/
  tomcat/webapps/share/
  tomcat/webapps/studio/
  tomcat/work/
  virtual-tomcat/logs/
  virtual-tomcat/work/
  alfresco.log.*
  tomcat/webapps/alfresco.war-*" >> .git/info/exclude

Your git repo is now ready to be uploaded to you preferred place of storing git repos such as a file server or gitosis. I’m using a file server via ssh.

• ssh git@fileserver "mkdir Alfresco; cd Alfresco; git init"

• git remote add origin git@fileserver:Alfresco

• git push origin master

• scp .git/info/exclude git@fileserver:Alfresco/.git/info/exclude

Congratulations! You now have a fresh install of Alfresco stored in git on your fileserver.

Initial configuration

Before checking out on a new server there are a few changes we needed to commit.

File: initialize.sh:

#!/bin/sh
ALF_HOME=/opt/Alfresco
# Uncomment the following line if not using puppet
#apt-get install imagemagick mysql-server openoffice.org-headless php5-cgi swftools sun-java6-jre
echo "Creating init.d links"
ln -s $ALF_HOME/alfresco.sh /etc/init.d/alfresco
ln -s $ALF_HOME/virtual_alf.sh /etc/init.d/virtual_alf
update-rc.d alfresco defaults
ln -s $ALF_HOME/alfresco.sh /etc/init.d/alfresco
ln -s $ALF_HOME/virtual_alf.sh /etc/init.d/virtual_alf
update-rc.d alfresco defaults
update-rc.d virtual_alf defaults
echo "Creating MySQL database tables - Password for MySQL root user:"
mysql -u root -p < $ALF_HOME/extras/databases/mysql/db_setup.sql
[ ! -d $ALF_HOME/tomcat/logs ] || mkdir $ALF_HOME/tomcat/logs
[ ! -d $ALF_HOME/virtual-tomcat/logs ] || mkdir $ALF_HOME/virtual-tomcat/logs

initialize.sh links alfresco into /etc/init.d, sets it to start at boot time and creates the alfresco mysql user. If you are using the puppet recipe above then the default mysql root password is blank and should be changed either at the command line or from phpmyadmin (http://localhost/phpmyadmin/). If you are not using puppet then uncomment the apt-get line at the top of the file and customise the dependencies for your needs.

File: alfresco.sh and virtual_alf.sh

Change @@ALFRESCO_DIR@@ to your install dir, eg: /opt/Alfresco
Change @@JAVA_HOME@@ to your jvm dir, eg: /usr/lib/jvm/java-6-sun/

File: tomcat/webapps/alfresco/WEB-INF/classes/alfresco/repository.properties

There is a conflict with the port used by the virtual server that needs to be changed else the virtual server will not start a second time and complain that the port is already in use (and it is).

Change avm.rmi.service.port=50501 to avm.rmi.service.port=50509

Commit

First get a list of files you have changed:

• git status

If you want to commit all those changed files then commit like:

• git commit -a -m "You commit message"

Or if you only want to commit a couple of the changes, eg:

• git add initialize.sh alfresco.sh virtual_alf.sh

• git commit -m "Your commit message"

Now push the changes:

• git push origin master

And you will find you use that process fairly often to start with. I also found myself using branching to test larger changes or changes I wanted to keep separate for now. But documenting all of those commands is beyond this post. Other changes I made were changing the database backend to mysql and authentication to active directory.

Checkout Initialize Run

Now lets test it. Lets assume your using a clean install of Ubuntu again (with a puppet client setup already).

• sudo git clone git@fileserver:Alfresco /opt/Alfresco

• sudo scp git@fileserver:Alfresco/.git/info/exclude /opt/Alfresco/.git/info/exclude

• sudo /opt/Alfresco/initialize.sh

• sudo /etc/init.d/alfresco start

Your Alfresco server should start after a few minutes and be ready for testing. You can commit and push changes from any checkout too.

There may be other files or directories you need to add to the exclude file too. You will see most of these after starting Alfresco the running git status.

Stay tuned for: Active Directory integration

When using the default Ubuntu desktop (Gnome) the main interface applications see after bootup are:

• gnome-panel – The top and bottom panels
• gnome-applets – The items on the top and bottom panels
• nautilus – The file manager and desktop icons
• metacity or compiz – The window decorator / manager

Userspace Daemons

Underlying those applications are others that run in the background, which can be found via System->Preferences->Sessions. In the following list only the applications which are not self explanatory have descriptions. Applications that are referred to as daemons are just applications that run invisibly in the background, either at a system level which affect everybody using the machine (such as mail server daemons), or at a userspace level which only affect you. Most of the applications in this list fall into the category of userspace daemons.

• AT SPI – Assitive technology (For keyboard and mouse assistance and screen reading)
• Bluetooth Manager
• jockey-gtk – Checks for new hardware drivers
• gnome-keyring-daemon – Keeps stored passwords safely in a keyring and keep them in memory
• gnome-settings-daemon
• network-manager
• OpenOffice Quickstart Applet
• Power Manager – For managing laptop battery’s and CPU speed for conserving power
• Print Queue Applet
• PulseAudio Session Manager – The sound server
• Remote Desktop
• Tracker – For keeping a database of your files for fast searching of names and contents
• Update Notifier – When system updates are available
• User folders updater
• Visual Assistance

To slim down system usage and increase startup times unused items above can be disabled. And on the flip side, common applications that you want to start every time you login can also be added here too. On slower systems I disable tracker, and on my personal machine I also start pidgin, skype and tomboy.

Gnome Panel

The gnome-panels are initially located at the top and bottom of the screen. On their own they are not very use full. Their contents though are made up of gnome-applets. The default applets are:

• Top Left:
  • Menu Bar
  • Firefox Launcher
  • Evolution Email Launcher
  • Help Launcher
• Top Right:
  • Notification Area
  • Volume Control
  • Clock
  • User Switcher
• Bottom Left:
  • Show Desktop
  • Window List
• Bottom Right:
  • Workspace Switcher
  • Garbage Bin

New applets can be added to the gnome-panel by right clicking the panel where a new applet is desired, selecting Add to panel then selecting the desired applet and clicking Add.

Some applets can also be customised by right clicking on them and selecting Preferences.

New panels can also be added or removed by right clicking on an existing panel. The minimum number of panels is also 1 so dont worry about deleting all the panels and not being able to create a new one.

My preference is for a single panel at the top of the screen with my only additional applets being a Menu shortcut, and System Monitor displaying CPU, memory, and disk activity.

GNOME Do

GNOME Do is also fast becoming a favorite application for me. Especially with the addition of the Docky theme. A precise description of GNOME Do is best found on it’s homepage.

GNOME Do serves me in many ways as a global shortcut key. The shortcut key is by default <Win>-Space and after activating gnome-do the basic procedure is select and item and preform an action on it. Maybe some examples I use often will make this clearer. I will skip the shortcut key and dive straight into what I type and what I type I show in bold and the completions GNOME Do makes is non bold. And GNOME Do is not case sensitive. Some examples may have upper case characters, but I just type everything in lower case.

GIMP Image Editor <Enter> – Just typing gimp and pressing enter executes the default action for that item. In this case launching The Gimp. I also use this example for launching most applications I use. It does help to know the name of the application first though as there is no automatic list. Also from the screen shot you can see the whole name of the application as GIMP Image Editor. You can enter as much or as little of that name until you see the result you want. You can even just press g then the up and down arrows to move through the list of items that GNOME Do has found with that letter starting from the most commonly used.

Mum <Tab> Chat <Enter> – Pidgin plugin required. This opens a Pidgin conversation window with my Mum. Simple. No reason not to keep in touch now.

Downloads <Enter> – Opens my Downloads folder

Temp <Tab> Open Terminal Here <Enter> – Opens a new terminal in my Temp folder.

Install <Tab> banshee <Enter> – Install a package using apt. Banshee here is only an example. I use this command a far bit more than I should sometimes.

Search Google <Tab> Search Term <Enter> – Search Google for your search term and either display the results in GNOME Do or in a new browser tab.

Installing GNOME Do

The latest Ubuntu releases for gnome-do can be found at the GNOME Do PPA. Once you have followed the instructions for adding the PPA to your Ubuntu repositories, install gnome-do and gnome-do-plugins. 64bit builds of GNOME Do are also broken on launchpad at the moment, but there is a link at the top of the launchpad page to download the working package (as I had to do).

Configuring GNOME Do

After installing gnome-do it can be started from Applications->Accessories->GNOME Do.

The initial window looked a bit useless when I first saw GNOME Do, but you quickly learn that it’s simplicity is it’s strength.

If you do not see the GNOME Do window after launching try pressing <Win>-Space.

Click the triangle then Preferences in the top right corner to start configuring GNOME Do. I first change the Theme to Docky on the Appearance tab, then tick any plugins that look like they would be use full to me. To see how to use a plugin, click on it then click the About button below which will open that plugins wiki page on the GNOME Do website if available.

Applications can be added by dragging application launchers from the Application menus, gnome-panel or nautilus. They can also be removed from GNOME Do by right clicking and selecting Remove from Dock.

The length of Docky can be changed by dragging either end of the panel, and the height can be adjusted by placing the mouse the separator.

Zoom effects, window overlap, and the trash icon can all be configured by right clicking the GNOME Do icon.

Elements of GNOME Do

The default Docky theme will display from left to right: GNOME Do icon, application launchers, a separator, running applications and the trash icon.

The glowing dots below some icons indicate that the application is already open. If the application is not visible clicking it’s icon will bring it back to the fore, or if it is already visible, will minimise the window. If it is not open clicking the icon will launch it. Other actions can also be found by right clicking the icons, such as when the banshee plugin is enabled, right clicking banshee will give you Next, Play and Previous actions in addition to the defaults.

GNOME Do is activated by pressing <Win>-Space or clicking the GNOME Do icon and the panel then looks like the above. I have typed down, and it displays the Downloads folder as it’s first result. The plus in the circle on the left can be used to add this result permanently to Docky. The large folder icon display the icon of the currently found match. The smaller icon next to it is the icon of the default action if you just press enter. In this case Open Folder. Pressing <Tab> will then make the next icon the largest, from which you can choose your desired action.

The more you practice with GNOME Do the more shortcuts you will find.

Conclusion

I know this turned out to be a fairly large post about GNOME Do but using GNOME Do really has had that much affect on my desktop and the way I interact with it. And this is also the last beginner post I had to complete. As a linux sysadmin most of the rest of my posts will be more of a technical nature. But lets finish off with a final screenshot for good times sake in all of it’s minimalistic glory.