Thursday, 5 July 2012

OpenAM with OpenLDAP as user store (on ubuntu 12.04)

I am using OpenAM 10.0 on Ubuntu 12.04. I want to use OpenLDAP as a user store (for the configuration store I am using the OpenAM internal store). Unfortunately, OpenAM does not provide an out-of-the-box plugin for OpenLDAP. Fortunately, there is a book about OpenAM, and even better, the relevant chapter on integrating OpenLDAP is available for free, together with the necessary schema.

For your convenience (and my personal documentation), I will show all the steps I took to get things working. First, I downloaded the above-mentioned resources from Packt Publishing.

Setting up OpenLDAP

Before installing OpenLDAP, think about the suffix you want your directory to have and take appropriate action: the Ubuntu slapd package derives the suffix (for example dc=opensso,dc=java,dc=net) from the DNS domain name it asks for during installation, and you can change it later with dpkg-reconfigure slapd.

Then install OpenLDAP:

apt-get install slapd ldap-utils

Then add the suffix to the directory (the manager account amadmin is created in the template.ldif step below, once the schema it needs is in place). Stop slapd first, because slapadd writes to the database files directly, and afterwards make sure those files are still owned by the openldap user:

slapadd -l /tmp/init_suffix.ldif

with the following as content of /tmp/init_suffix.ldif:

dn: dc=opensso,dc=java,dc=net
objectClass: top
objectClass: dcObject
objectClass: organization
o: opensso
dc: opensso
structuralObjectClass: organization

The ou=people, ou=groups, amadmin and defaultGroup entries that the original listing repeated here are the same ones added with template.ldif further down, after the schema that defines inetuser has been loaded; adding them at this point as well makes the later ldapadd fail with "Already exists". Make sure you have the dc=java,dc=net set to the values of your directory.

Add the OpenSSO4OpenLDAP.schema as provided by Packt (under "Downloads"). You will need to convert it to an LDIF file that can be loaded into the running server's cn=config, as has been explained here (read until the end, it was useful for me).

Then add some more data:

ldapadd -Y EXTERNAL -H ldapi:/// -f template.ldif

with the following in your template.ldif file (entries are separated by a blank line, and the value of an entry's naming attribute must appear in the entry, so the group named cn=defaultGroup needs cn: defaultGroup; the original listing had cn: default1, which ldapadd rejects):

dn: ou=people,dc=opensso,dc=java,dc=net
objectClass: top
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=opensso,dc=java,dc=net
objectClass: top
objectClass: organizationalUnit
ou: groups

dn: cn=amadmin,ou=people,dc=opensso,dc=java,dc=net
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetuser
cn: amadmin
sn: amadmin
uid: amadmin
userPassword: secret124

dn: cn=defaultGroup,ou=groups,dc=opensso,dc=java,dc=net
objectClass: top
objectClass: groupOfNames
cn: defaultGroup
member: cn=amadmin,ou=people,dc=opensso,dc=java,dc=net

Again, make sure your distinguished names (dn) are matching your setup. Note that a userPassword given in plain text like this is stored as-is by OpenLDAP; slappasswd generates a {SSHA} hash that you can put in the LDIF instead.
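As an added example that is not part of the original post, here is a small Python sanity check for LDIF files such as init_suffix.ldif and template.ldif above. It catches the two mistakes that make slapadd and ldapadd reject a file: a naming attribute whose value is missing from the entry (dn: cn=defaultGroup with cn: default1) and a child entry listed before its parent. It assumes unfolded, plain-text attribute values (no base64 "::" values or continuation lines) and uses a constructed sample file.

```python
# Added example (not from the post): sanity-check an LDIF file before slapadd or
# ldapadd. It catches an RDN value missing from the entry (dn says cn=defaultGroup
# but the entry says cn: default1) and a child entry listed before its parent.
# SAMPLE_LDIF is a constructed file containing both mistakes.

SUFFIX = "dc=opensso,dc=java,dc=net"
SAMPLE_LDIF = """dn: ou=groups,dc=opensso,dc=java,dc=net
objectClass: organizationalUnit
ou: groups

dn: cn=defaultGroup,ou=groups,dc=opensso,dc=java,dc=net
objectClass: groupOfNames
cn: default1

dn: uid=bob,ou=people,dc=opensso,dc=java,dc=net
objectClass: inetOrgPerson
uid: bob
"""

def norm(dn):  # normalise a DN for comparison: drop spaces, ignore case
    return dn.replace(" ", "").lower()

def parse_ldif(text):
    """Entries as (dn, {attr: [values]}) in file order; assumes unfolded plain-text lines."""
    entries, dn, attrs = [], None, {}
    for line in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if not line.strip():  # a blank line ends the current entry
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        key, _, value = line.partition(":")
        if key.strip().lower() == "dn":
            dn = value.strip()
        else:
            attrs.setdefault(key.strip().lower(), []).append(value.strip())
    return entries

def check_ldif(text, suffix=SUFFIX):
    """Return a list of problems; an empty list means the file is consistent."""
    problems, seen = [], {norm(suffix)}
    for dn, attrs in parse_ldif(text):
        rdn, _, parent = dn.partition(",")
        attr, _, value = (p.strip() for p in rdn.partition("="))
        if norm(value) not in [norm(v) for v in attrs.get(attr.lower(), [])]:
            problems.append(f"{dn}: naming attribute {attr} must have the value {value}")
        if norm(dn) != norm(suffix) and norm(parent) not in seen:
            problems.append(f"{dn}: parent {parent} is not defined before this entry")
        seen.add(norm(dn))
    return problems
```

Running check_ldif(SAMPLE_LDIF) reports both mistakes; the suffix entry itself is exempt from the parent check.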

Setting up tomcat7

After installing tomcat7 via

apt-get install tomcat7 tomcat7-docs tomcat7-examples tomcat7-admin

you need to give OpenAM more memory than the default Tomcat install on Ubuntu does. This is done by creating a script called setenv.sh in /usr/share/tomcat7/bin:

root@tih1:/usr/share/tomcat7/bin# cat setenv.sh
#!/bin/bash

export CATALINA_OPTS="-Xmx1024m -XX:MaxPermSize=256m"
Then set the appropriate permissions and ownership:

chmod 755 setenv.sh
chown tomcat7:tomcat7 setenv.sh

Then start (or restart, depending on the previous state) Tomcat:

service tomcat7 start

Note that if you redeploy OpenAM (maybe because you screwed up your setup), restarting Tomcat is a good idea. I am not much of a Tomcat expert, but when fiddling around I found that restarting Tomcat solved a lot of strange problems for me.

Also, in my fresh installation both Apache and Tomcat were listening on port 8080, and when connecting to http://<myserver>, I only saw the default Apache page. So I had to configure one of Tomcat and Apache to listen on a different port. I changed the Tomcat port to 8081, which can be configured in

/etc/tomcat7/server.xml

There is a line which reads

<Connector port="8080" protocol="HTTP/1.1"

Which port you choose depends on what you want; there is no specific reason for my choice of 8081 other than making it different from Apache's 8080.

Also, check the access rights for Tomcat (see the post on tomcat7 access rights further down).

Deploying OpenAM

Read the instructions in the official installation guide. Read it carefully; it will save you time and trouble (skip the section "To Configure OpenAM With Defaults (For Testing)", it won't help with OpenLDAP). Then read on, and then execute the deployment.

A few things I found to be different than described: the ports for the configuration store are set to -1, which should be fine according to the official docs. It did not work on my box, so I assigned random ports above 1023.

Now comes the whole point of this post: integrating OpenLDAP. For the user store, choose OpenDJ, and enter the address and credentials of your OpenLDAP server.

Finish the configuration dialog, and you should be set up with OpenLDAP as a user store in your OpenAM. In theory. In practice, there is a bit more configuration to be done in OpenAM before your LDAP users are ready for use.

Configuring OpenAM

Under "Access Control", "/ (Top Level Realm)", "Authentication":
  • Under "Authentication Chaining", choose "ldapService" and change "DataStore" to "LDAP". Save, and go back.
If you already have accounts in your OpenLDAP directory and can't find them in OpenAM (e.g. "Access Control", "Top Level Realm", "Subjects" should list your users), try the following:
"Access Control", "Top Level Realm", "DataStore" lists the configured data stores. If you followed the steps above, there should be only one, called "OpenDJ". This is your OpenLDAP data store. Click it and scroll down to "User Configuration". At the very end of that section there are two fields, called "LDAP People Container Naming Attribute" and "LDAP People Container Value". These probably contain values such as "ou" and "people". Clear both.

Make OpenAM reload safe

Although it is supposed to happen only with JBoss, it also happened to me with Tomcat: OpenAM lost its configuration after a restart/reload. Follow the steps described in the link to get things back on track, just replace JBoss with Tomcat.


Clarity

These are notes I took over the course of some days. If anything is not so clear, please let me know and I will try to be more accurate.

Monday, 25 June 2012

tomcat7 on Ubuntu 12.04 - access rights need change

After setting up Tomcat, I deployed OpenAM. The initial configuration screen gave me "Configurator does not have write access to /usr/share/tomcat". It turns out that the user tomcat7 (which runs Tomcat) has its home directory in /usr/share/tomcat7 (have a look at /etc/passwd). For some reason (bug?), this directory is owned by root, which made it unwritable for tomcat7. The fix is easy (as root):

chown -R tomcat7:tomcat7 /usr/share/tomcat7

Bear in mind that this also hands the tomcat7 account write access to Tomcat's own bin/ directory, so a compromised web application could alter the server's start-up files.

Thursday, 14 June 2012

Debian: Copy package selection to another system

The other day I moved to new desktop hardware and wanted to have all the packages that I had on my old desktop there. I made a package list of both systems with dpkg -l, put them together and then extracted the ones only present on one system with uniq. Then I looped over that list with for p in `cat packages.txt`;do apt-get install $p;done . Well, that worked, but it was rather tedious. I finally stumbled upon this mailing list post, which presented a much easier solution:

"
 To make a local copy of the package selection states: 

     $ dpkg --get-selections "*" >myselections   # or use \*

"*" makes myselections include package entries for "purge" too. 

You transfer this file to another computer, and install it there with: 

     # apt-get update
     # dpkg --set-selections <myselections
     # apt-get -u dselect-upgrade

"

Works like a charm!

Tuesday, 22 May 2012

experience with apache on opensuse 11.4

Today I had an Apache web server which did not serve the page it was supposed to. It gave an "access denied" error. It turns out that the

Options +FollowSymLinks

was in the <Location> block instead of the <Directory> block (FollowSymLinks is a filesystem-level option and belongs in a <Directory> section; <Location> sections operate outside the filesystem). Well. The funny thing was that, in order to let the configuration change take effect, a restart of Apache was required. That is, I moved the Options line to the Directory block. But for checking I moved it back, and for that to take effect, a reload was enough. So for one change a restart is required, but for reversing the effect, a reload is enough. Strange, isn't it? (It took me hours to discover this, since I thought a reload would be enough for both changes ...)

lpic 1 done

So finally I made it. If there is one piece of advice that is to be given: Read the objectives! Read the man pages of all the tools and files mentioned! Use all the tools and files at least once!

And: if you don't already have a good background with X, don't spend too much time on it. There is plenty to know about it, but very little of relevance to the exam. If you do well in the other sections, you might just skip X.

Wednesday, 25 April 2012

Preparing LPIC-1, #7 umask

The command 'umask' sets the default permissions on newly created files and directories. The umask itself is given as octal digits; every permission bit set in the umask is cleared from the standard permission mask, which is
  • 666 for files (that is rw-rw-rw-), and
  • 777 for directories (that is rwxrwxrwx)
For the usual values this looks like subtraction, but it is a bit mask: bits that are not set in the default cannot be "subtracted" again. So if 'umask 002' is specified, files will have default permissions of 664 and directories will have 775.

'umask' without any parameters displays the currently set umask. If you give a parameter, 'umask' interprets it as a umask and sets it. Thus you can change your umask by putting something like 'umask 022' in your .profile.
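As an added example that is not part of the original post, the following Python code applies a umask the way the kernel does (bit clearing rather than subtraction, which matters for a value like 003) and, on a POSIX system, verifies the computed modes against files actually created under that umask.

```python
# Added example (not from the post): a umask is a bit mask, not a number to
# subtract. Every permission bit set in the umask is cleared from the default
# mode (666 for files, 777 for directories); observe_modes checks the real
# kernel behaviour on a POSIX system by creating a file and a directory.
import os
import stat
import tempfile

FILE_DEFAULT, DIR_DEFAULT = 0o666, 0o777

def apply_umask(default_mode, umask):
    """Return the mode a new object gets: the default bits with the umask bits cleared."""
    return default_mode & ~umask & 0o777

def rwx(mode):
    """Render a mode as the rw-r--r-- string shown by ls -l."""
    return "".join(c if mode & (1 << (8 - i)) else "-" for i, c in enumerate("rwxrwxrwx"))

def creation_modes(umask):
    """Return (file_mode, dir_mode) as octal strings for a given umask."""
    return (format(apply_umask(FILE_DEFAULT, umask), "03o"),
            format(apply_umask(DIR_DEFAULT, umask), "03o"))

def observe_modes(umask):
    """Create a file and a directory under the given umask and return their real modes."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            path, sub = os.path.join(d, "f"), os.path.join(d, "sub")
            os.close(os.open(path, os.O_CREAT | os.O_WRONLY, 0o666))  # requested 666
            os.mkdir(sub)  # requested 777 (mkdir's default)
            return (stat.S_IMODE(os.stat(path).st_mode), stat.S_IMODE(os.stat(sub).st_mode))
    finally:
        os.umask(old)  # restore the caller's umask

if __name__ == "__main__":
    for mask in (0o002, 0o022, 0o003, 0o077):
        f, d = creation_modes(mask)
        print(f"umask {mask:03o}: files {f} {rwx(int(f, 8))}, dirs {d} {rwx(int(d, 8))}")
    print("kernel agrees for umask 003:", observe_modes(0o003) == (0o664, 0o774))
```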

Wednesday, 18 April 2012

Building a playground quota system on linux

I wanted to get a bit of experience using the linux quota system. I had no extra partition or disk at hand, so I created a virtual file system image. First I needed a file for this:

dd if=/dev/zero of=disc.img bs=1k count=100000

Then I created a partition table and a partition on it (not quite sure if this is really necessary) using fdisk:

fdisk disc.img

Then I created a filesystem on my virtual partition:

mkfs.ext3 disc.img

ignoring the warning that my disc.img is not a block device. Note that other filesystems would be possible, but LPIC-1 (for which I am currently preparing) does not require ext4 or btrfs, which would be more modern filesystems. This might change soon though; I hear new exams are coming this summer.

Then I mounted it with the option for user quotas:

mkdir mnt
sudo mount  -o loop,usrquota disc.img mnt

Then I needed to create a quota file. This is a file which resides at the root of the filesystem for which we want to use quotas. It can be done like this:

sudo quotacheck -u mnt/

This creates an aquota.user file, which enables quotas for users. Now I set a quota:

sudo setquota -u isaac 1000 10000 100 200 mnt/

following the syntax

setquota -u <user> <block-softlimit> <block-hardlimit> <inode-softlimit> <inode-hardlimit> <filesystem>

with block limits given in kilobytes. Note that the limits are only enforced once quotas have been switched on with quotaon mnt/; repquota mnt/ then shows the limits and the current usage per user.

Bash filedescriptors and IO redirection with exec

The topic is very well covered in my favorite Bash-Scripting Guide. However, in a few examples they used something like the following code:

#!/bin/bash
# read a file line by line and echo it

filename=$1

exec 3<> "$filename"      # open the file on file descriptor 3 for reading and writing
while read -r line <&3    # read one line at a time from fd 3
  do
  echo "$line"
done

exec 3>&-                 # close fd 3

The exec 3<> line opens $filename on file descriptor 3, which is then used as the input of read in the loop. This example only reads from the file, so I wondered why there was a "<>" instead of just "<", which would be sufficient for reading. The reason is simple: even though it is not needed for this example, the file is opened not only for reading but also for writing, hence the ">". The last line, "exec 3>&-", closes the file again.

We could modify the example to take advantage of the writing:

#!/bin/bash
# read a file line by line and echo it, then append a line

filename=$1

exec 3<> "$filename"      # open the file on fd 3 for reading and writing
while read -r line <&3    # read one line at a time from fd 3
  do
  echo "$line"
done
echo another line >&3     # fd 3 is now positioned at the end, so this appends

exec 3>&-                 # close fd 3

This appends another line to the file given to the script as first argument. It's the "echo another line >&3": reading and writing share the same descriptor and thus the same file offset, and the loop has already read up to the end of the file, so the echo lands after the last line (I should probably start using proper code highlighting).

Monday, 2 April 2012

ISO-8859 to UTF8 conversion

I thought I was through with this a long time ago, but just today it bit me again: a text file with German umlauts was not displaying correctly in less. It turned out to be ISO-8859 encoded ... To make sure I'll remember, here is what I did:

iconv --from-code=ISO-8859-1 --to-code=UTF-8 file.txt >file_utf8.txt

Again, this has been described a lot of times elsewhere. 

Friday, 30 March 2012

win 7 multiinstall iso

It might appear weird to start a Linux-related blog with a post on Windows, but it just so happened that I decided to start a blog and tried to install Win 7 Home Premium from a Win 7 Ultimate DVD. This is what I did, on my Ubuntu 12.04 beta machine:

Copy the DVD to disk:
  dd if=/dev/sr0 of=win7.iso
There is a file called ei.cfg that defines which installation flavour you have. If it is not present, Windows will ask you which version you want. Besides that, the install media are all the same. The trick is described in various blogs, e.g. this one.
In order to modify the iso (delete ei.cfg), do the following:
  mkdir mpoint
  sudo mount -o loop win7.iso mpoint
  mkdir copy
  cp -ra mpoint/* copy/
The loop mounted iso is read only, so we need to copy it first. Now delete ei.cfg:
  rm copy/sources/ei.cfg
This is the easy part. Now we want to create a bootable iso image from the directory copy, and here it gets a bit tricky. Luckily I found this very helpful post. It boils down to extracting the boot image from the original iso with
  dd if=win7.iso of=copy/boot.img bs=2048 count=8 skip=734
and creating the new iso with
  mkisofs -o win7_multiinstall.iso -b boot.img -no-emul-boot -c BOOT.CAT -iso-level 2 -udf -J -l -D -N -joliet-long -relaxed-filenames copy/
(the -b path is relative to the root of the new image, and the source directory is the last argument). This should leave you with a new iso image which lets you choose the installation version. Of course, you still need a valid key for that version :-)