The research’s findings are worrying indeed.

• 74% of organisations are not very confident that they can fully recover after a disaster, according to a new survey of 1,750 European companies
• 54% surveyed have lost data and/or suffered systems downtime in the last year
• 61% report hardware failure as the primary cause of data loss and downtime;  natural disasters and employee sabotage being much less likely culprits
• 43% of organisations cite loss of employee productivity as the single biggest economic impact
• 28% point to lost revenue as a result of a disaster
• 40% of organisations still use tape for recovery and 80% of these organisations want to replace tape all together, highlighting the need for next generation backup and recovery

The fact that 74% of companies and organisations feel that they’re not prepared or equipped to properly recover data after an outage or disaster might be seen as very worrying for business overall.  We’ve all suffered data loss but the data losses suffered by business could affect us and them in many different ways.  They could lose customer orders, lose valuable employee details or details of current projects and so on.

The survey also details that more than half of the businesses and organisations surveyed said they had experienced data loss or systems downtime in the last year.  It’s common for companies to suffer from downtime and it’s a pity the research doesn’t go into more detail about what percentage of companies had actually experienced data loss, all we have is a corruption figure that in itself seems too high.

They say the most commonly reported causes of downtime are…

• Hardware failure: 61%
• Power failure: 42%
• Data corruption: 35%

One of the problems seems to be that 40% of the companies surveyed are still replying on tape for backup.  With the falling costs of hard disks and the increased bandwidth that dedicated phone lines can bring more and more companies are moving to secure and stable off-site backup solutions and indeed many business ISPs and server hosts now offer this facility as standard.  It is clear though that not enough companies are heeding the warnings of data loss and, more important of good security.

The research found that businesses are spending, on  average, 10% of their IT budgets on backup and recovery, and 29% of businesses  do not feel they are spending enough.   For backup and disaster recovery purposes, 40% of companies still rely  on tape, with an average annual cost of €74,000 on transporting, storing,  testing and replacing tapes. Where tape is used for disaster recovery purposes,  10% still have an employee take home a copy of the backup tapes with them.

The companies surveyed included manufacturing, retail, financial services and telecoms, among others and, frankly, it is disappointing that so many companies still seem unprepared for IT and data failures when computers have now been in business for over 30 years and have been on every desk for the vast majority of that time.

Now they’ve expanded their virtualisation line-up into the server space with the new Zirtu Serverless VDI, type 0 Hypervisor.  Like other comparable products this allows users to run an operating system contained in a virtual machine on any othger computer, and use the full hardware resources of the host machine.  This includes full access to the graphics card, memory and the ability to take complete control of the processor.

The virtual machine in this case would be run from a server, enabling a single virtual machine to run on many terminals in a business simultaneously.  Where Zirtu takes things to the next level though is in support for working offline.  In a recent demo they demonstrate a virtual machine that has only just loaded to a machine, continue to work with support for all the programs and files when the network connection to the server is disconnected.

Where this comes in very handy is in permitting users to continue working on their PCs when their internal or tunnelled network connection dies, or when they are on the road and away from a connection.  The next time they log into the server all the files, programs and documents in the VM are automatically synchronised with the server, with the user noticing nothing about the connection problems.

Zirtu also uses existing virtualisation technology from the company that supports the computer’s hardware in ways that allows a virtual machine created on one machine, to work on another with a completely different hardware configuration, something that would normally break any Windows installation.

The concept of having a decentralised virtual machine that can keep people working when away from a direct connection to the server is hugely compelling, especially when downtime can cost companies so much money.  The ability to maintain the VMs centrally can also present significant cost-savings to business and provide additional benefits.

Among these is a solution that would allow users to run VMs on their own personal laptops and desktop PCs, something that business normally bans citing quite valid security concerns.  This type of virtualisation technology turns any home PC into a work PC.  The fact that it works so well and so quickly, in the demo given at a recent conference it’s virtual machine was shown fully working after only loading on the host PC for a few seconds before the network connection was pulled, is driven by technology the company is being tight-lipped about, unsurprisingly.

Either way this product demonstrates perfectly the types of virtualisation and cloud services that business might employ in the coming years to slash IT management costs, and to run better and more efficient IT operations.

The Gadmin tools are a set of GUI administration tools that allow for easy administration of various services, systems, and applications that would otherwise be challenging for the average user. One of those tools that is exceptionally helpful to have is the VPN Server tool. Let’s install it and set up an VPN server with this GUI.

Installation

The installation of Gamin-VPN-Server is simple, thanks to the fact that the tool exists in the standard repositories of most distributions. Because of that, the installation is as easy as following these steps:

1. Open up the Add/Remove Software utility.
2. Search for “gadmin” (No Quotes).
3. Mark Gadmin VPN Server for installation.
4. Accept any dependencies necessary.
5. Click Apply to install.
6. Close the Add/remove Software utility when finished.

The Gadmin VPN Server tool can now be started from within the System Tools folder from the Applications menu.

Configuring the VPN server

Figure 1

Now for the real work. Open up the Gadmin tool to view the main window. This is where all of the configurations are done.

To set up a VPN server the following will need to be configured.

Server Settings:

External Address: This is the WAN side address of the network – the address the external users can reach. If this VPN server is on an internal network, it will be critical to make sure VPN traffic is routed to the server hosting the VPN server.

LAN interface address: The internal address used by the VPN Server.

LAN Subnet mask: The subnet used by the internal address on the VPN server.

Client Address range: The valid addresses the clients will be assigned when they log onto the VPN server.

Encryption Type: The encryption type to be used on the VPN.

After the server configurations have been entered, click the Apply button in the tool bar to save the settings. Now, scroll down to the…

Certificate Settings:

These settings are near the bottom of the Server settings tab. A pre-existing certificate need not be installed as Gadmin-VPN-Server has the ability to generate the necessary certificate. Just fill in the necessary information and then click the Apply button underneath the Certificate Settings to generate the necessary certificate.

Users

After the server has been set up, valid user accounts must be added. If the user already has an account on the server, a new account will not have to be created. If the user does not have an account on the server, create one in the User Accounts tab.

Starting the server

After everything is complete, click the Activate button and your VPN server will be ready to accept incoming connections. Users now only need set up their clients to connect to the correct address, using their credentials that reside on the VPN server, and they will be good to go.

SQL Buddy is one of the easiest web-based admin tools you will ever find. Not only does it make the process of creating and editing MySQL databases easy, it is also incredibly easy to install. Let’s see just how easy this is to manage.

What you need

You will, of course, need a working installation of MySQL. You will also have to have your MySQL admin user and password handy. As far as dependencies, you will need to have the following installed:

• PHP >= 4.3
• MySQL >= 4

Of course, if you already have the MySQL server up and running you might only need the PHP piece installed. You can install the PHP dependency easily from your Add/Remove Software tool. Search for “php” (no quotes) and install the version recommended for your distribution and release.

You will also need to download the SQL Buddy file. You can find that from the SQL Buddy main page. This file will be a .zip file. Save that file into your web server’s document root (on a Ubuntu machine that would be /var/www).

Installation

Figure 1

You will be shocked to know there really is no installation. All you need to do is unzip the sqlbuddy_XXX.zip (Where XXX is the release number) within your web server document root and then point your browser to http://ADDRESS_TO_SERVER/sqlbuddy. Where ADDRESS_TO_SERVER is the actual address of your MySQL server. When you do this you will be prompted for the MySQL admin credentials. Enter the credentials and, upon successful authentication, you will find yourself on the SQL Buddy main page (see Figure 1).

Figure 2

Once you are in you will find the interface very simple to use. Here you can create new databases by entering a name for the database, selecting the correct charset (Very important), and hitting Submit. Once you do that you will find yourself at a new screen. This new screen (Figure 2) allows you to edit the database and create tables for the database.

You do need to pay close attention to the creation of tables for your database. Make sure you add the correct fields for the the table or you will get an SQL error and the table will not be saved.

After you successfully enter the data for your tables, click Submit and your table will be added to the new Database (and the database will be successfully saved).

Final thoughts

If you have been searching for an easy method to manage your MySQL databases, search no more…SQL Buddy will have you easily creating and managing databases on your MySQL server.

Pithos is a native Pandora client for the GNOME desktop. It is easy to install, has a user-friendly GUI, and won’t drag your machine into the murky waters. Let’s take a look at how to install and use this client so you can start your new year out rockin’.

Before you begin, you will need to have a Pandora account. Once you have a Pandora account you will be able to manage your stations from within Pithos (so need to bother adding/removing stations from within the Pandora site.)  In fact, it’s actually easier to manager your stations from within Pithos than it is from within the site.

Installation

Pithos is not found in the standard repositories, so you have to add the Pithos repository. Adding the repository is simple. Open up a terminal window and issue the following commands:

sudo add-apt-repository ppa:kevin-mehall/pithos-daily
sudo apt-get update

Once you have the repository in place, you can then install the application. This is done with the following command:

sudo apt-get install pithos

Once the application is installed you will find it located in Applications > Sound and Video.

Usage

Figure 1

When you first start up Pithos you will be required to authenticate to your Pandora account. Once you do this Pithos will download your current list (or the default list) of stations associated with your account and open up the main window (see Figure 1). You can change the channel you want to listen to simply by clicking the channel drop-down and selecting the desired channel.

Figure 2

To create new channels to enjoy click on the Preferences button (the gear with the drop-down arrow) and select Manage Stations. In this new window (see Figure 2) click the Add Station button and then enter the name of an artist. You will then be presented by a number of choices to select from. Choose the correct artist and click OK. That artist will be added to your station list.

You can also include each station in your QuickMix list. The QuickMix list is like a shuffle for Pandora. Select which stations you want to include in your QuickMix and then, from the Station drop-down (in the main window), select QuickMix to get a mix of music from all of your stations.

Other features

One of the nicer features of Pithos is the inclusion of a notification icon. From this icon you can left-click and quickly “Love”, skip, play, pause, “Ban”, or “Tired” a currently playing song and you can quickly quit Pithos.

Pithos also includes:

• Cover Art.
• Notification popup with song info.
• Launching pandora.com song info/station page.
• Reconnecting when pandora session times out
• Media Key support
• Proxy support
• Last.fm scrobbling

Final thoughts

At last Linux has a worthy client for the enormously popular Pandora Music service. Make this your go-to application for Music listening in Linux and you won’t be sorry.

The server OSes justifiably make this task a bit more challenging to keep administrators from inadvertently sharing out folders that shouldn’t be shared or causing security holes to pop up on their servers. But that does not mean the task is impossible…in fact it’s not that much more difficult than it is on their brethren desktop. Let’s take a look at how this is done on CentOS.

The tool

Figure 1

Fortunately, there is a GUI tool for just about everything. This too goes for configuring Samba. In the CentOS distribution, the task of administering Samba shares is handled by system-config-samba. This tool is easy to use, but must be run as the root user. If you do not have access to the root user, you will have no luck starting the tool. But with that coveted root user password you can start up the Samba admin tool with the command system-config-samba.

Once the tool has started you will find a very user-friendly GUI (see Figure 1). By default nothing has been shared out…and before you do share anything, you will need to configure Samba. To do this click Preferences > Server Settings. This new window has two tabs:

• Basic: Configure the name of your workgroup and a description of said workgroup.
• Security: Configure the security of your Samba server.

NOTE: The more important tab is the security tab. Here  you will configure the authentication mode.

Figure 2

Once you have the server configured click on Preferences > Users. You must add users here before anyone can authenticate (if you select Security = users). Figure 2 shows how users are added. Make sure you select the correct Unix username from the dropdown. After you add that username click OK to be returned to the original window.

You are now ready to connect to your newly added share. You might, however find that you can not connect to that share. If so, the most likely reason is the firewall. Click on System > Administration > Security Level and Firewall. In this window (see Figure 3) you will need to make sure that Samba is checked, but also add ports 137 – 139 and 445.

Figure 3

After you have added all the necessary ports you should be able to connect to that share without a problem. Although you may be tempted to drop your firewall all together (in order to let Samba connections through) it is imperative that you do not simply drop your firewall. Remember, CentOS is a server OS and should be protected.

Final thoughts

It’s nice to see that even on the server distributions that Samba has become an incredibly easy system to administer. The system-config-samba tool makes sharing out server directories as easy as if you were on the desktop. Kudos to CentOS, Red Hat, and GNOME!

But setting up a secure web server isn’t complete without the inclusion of SSL and certificates. If you are wanting to serve up sercure web pages you will certainly want your audience to be able to send them to https instead of http. So…with CentOS how do you do that? I will show you how.

Installing all of the packages

I will assume you already have CentOS installed as well as the Apache Web Server. Make sure you are able to go to the default Apache web page (or any web page on your CentOS web server), before you set up SSL. When you have all of that working you will need to install a couple of packages. This is done with the following steps:

1. Open up a terminal window.
2. Su to the root user.
3. Issue the command yum install mod_ssl openssl.
4. Let the installation complete.

With SSL installed and ready, it’s time to create your certificates for usage.

Creating your certificate

You will now have everything on your server to create CAs. You need to generate a private key, a csr, a self-signed key, and then you need to copy these files to the correct location. This is done with the following steps.

1. Open up a terminal window.
2. Su to the root user.
3. Generate the private key with the command openssl genrsa -out ca.key 1024.
4. Generate the csr with the command openssl req -new -key ca.key -out ca.csr.
5. Generate the self-signed key with the command openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt.
6. Move the self-signed key with the command cp ca.crt /etc/pki/tls/certs.
7. Move the private key with the command cp ca.key /etc/pki/tls/private/ca.key.
8. Move the csr with the command cp ca.csr /etc/pki/tls/private/ca.csr.

Edit the Apache SSL configuration

Open the file /etc/httpd/conf.d/ssl.conf and look for the section SSLCertificateFile. Make sure that line reads:

SSLCertificateFile /etc/pki/tls/certs/ca.crt

Now look for the SSLCertificateKeyFile and make sure that section reads:

SSLCertificateKeyFile /etc/pki/tls/private/ca.key

Save that file and you are ready to restart Apache.

Restart and test

Before you try to test Apache’s new SSL feature, you must restart the daemon. To do this issue the command /etc/rc.d/init.d/httpd restart. Hopefully you will see no warnings or errors. If not, then point your browser to https://ADDRESS_TO_SERVER Where ADDRESS_TO_SERVER is either the IP Address or the domain. You should then see a warning from your browser about the certificate for the site. If you see this warning congratulations, your Apache server is now ready for secure connections.

Remember, though, you created a self-signed certificate. To get the most out of SSL you might want to purchase a CA from a trusted name like Verisign (There are, of course, plenty of other places where you can purchase those certifiacates).

Once LDAP is installed you have, at your fingertips, plenty of tools to add, edit, and delete data on that server. One of those tools is critical to keeping data current. That tool is ldapmodify. In this article I am going to show you how to use this tool to modify an entry in an LDAP server.

Command basics

The ldapmodify command isn’t exactly like all other commands. Instead of just running a single command and being done with it, you issue the command, do you work, and then escape out of the command. The actual modification of the data doesn’t happen until you escape the command. The sequence goes like this:

1. Issue the ldapmodify command (with appropriate options).
2. Inform ldapmodify what you are modifying.
3. Modify your data.
4. Escape with CTRL-d.
5. ldapmodify will make the changes.

Yes, it does seem like a fairly complex process…and yes it is a complex, but a very necessary process.

Let’s take a look at the actual process. As an example I am going to modify the gecos entry of an already existing directory entry. The gecos entry is a general information field that can be used for just about anything). Let’s have some fun and change the gecos entry for user scooper and indicate that Sheldon Cooper is a Theoretical Physicist at Caltech University. We’ll assume the gecos entry only contains the information “Sheldon Cooper” and the LDAP server’s is on 192.168.1.10 and the full dc is wallen.local. Here is the actual process for this task:

Issue the command:

ldapmodify -h localhost -x -W -D "cn=admin,dc=wallen,dc=local"

It will now seem like the command is stuck. It’s actually just waiting for input. The input will look like this (hit Enter after each line):

dn: uid=scooper,ou=People,dc=wallen,dc=local
changetype: modify
replace: gecos
gecos: Theoretical Physicist, Caltech University

Once you have completed entering this text, hit Enter, and then hit CTRL-d to escape the command and then you should see something like:

modifying entry "uid=scooper,ou=People,dc=wallen,dc=local"

Now if you issue the ldapsearch command you will see the changes made. The ldapsearch command would look something like:

ldapsearch -x -b "dc=wallen,dc=local" -s sub "objectclass=*"

You should see Sheldon’s listing like this:

# scooper, People, wallen.local
dn: uid=scooper,ou=People,dc=wallen,dc=local
uid: scooper
cn: Sheldon Cooper
objectClass: account
objectClass: posixAccount
objectClass: top
loginShell: /bin/bash
uidNumber: 500
gidNumber: 120
homeDirectory: /home/scooper
gecos: Theoretical Physicist Caltech University

You now have modified the entry. Of course you aren’t limited to the gecos entry. You can actually modify any entry you want using the same technique.

Final thoughts

Hopefully LDAP is getting easier and easier for you. You can now add and modify entries. We will keep digging and eventually you will have the LDAP basics mastered.

So, yeah…LDAP comes with it’s own set of management tools and, in this article, we are going to take a look at the primary tool for adding entries to your LDAP databases: ldapadd.

From file or command?
One of the best things about the ldapadd command is that you can have it read all of your entries from files. That way you don’t have to issue lengthy commands every time you want to add an entry. This also means you can add multiple entries at once. I will show you how to add entries this way so your LDAP administration life is much simpler. And from that process you should be able to glean enough to know the full command-line process.

ldapadd

When you see an ldapadd command for the first time, you might cringe, thinking it far too difficult to use. But once you understand the usage, it becomes quite easy. Now, you must have admin rights to issue the ldapadd command; so, depending up your distribution, you will either have to su to the root user or use sudo to issue the command.

The basic usage of the ldapadd command is:

ldapadd [OPTIONS] [CREDENTIALS] filename

Any file name you read into the ldapadd command should be in the form of an .ldif file. Now, let’s take a look at the more common options you will use with ldapadd:

• x: Use simple authentication, instead of SASL authentication.
• D: This options means you are going to use the Distinguished Name (binddn) to bind to the LDAP directory.
• W: Prompt for simple authentication.
• f: The file name you want to read into ldapadd.

Using the D option means you are going to be using a Distinguished Name. What this means is that you are going to authenticate in the form of:

cn=admin,dc=wallen,dc=local

The above entry means you are using the admin user on the domain wallen.local.

Now, let’s take a look at the format of the file you will use. Let’s examine a very basic entry. Let’s say I want to add the user Willow Wallen to my LDAP address book. I will do that within the file users.ldif. The entry looks like:

# Willow's Entry
dn: cn=Willow Wallen,ou=people,dc=wallen,dc=local
cn: Willow Wallen
objectClass: person
sn: Wallen

This will add the user Willow Wallen to the group people and she will be labeled as a person. Save that file and now let’s add her with the command:

sudo ldapadd -x -D cn=admin,dc=wallen,dc=local -W -f users.ldif

You will have to enter both your sudo password and your ldap password.

Final thoughts

You have taken one major step forward in your usage of LDAP. This is a very powerful, very complex tool you have at your finger tips. It’s important to understand the basics and learn one step at a time. We’ll continue our journey into LDAP in upcoming articles.

But here’s the thing – the slapd server can be a real pain to set up. It didn’t used to be. The old fashion way was to install slapd and then edit the /etc/ldap/slapd.conf file to suite your needs. Thing is, the slapd.conf configuration file has been deprecated and now, trying to figure out how to configure slapd is like finding the proverbial needle in the proverbial haystack. Fortunately, in my desperate scouring to work out an easy method of doing this, I have found some tools to make the job easier. And that’s what this article is all about, getting slapd up and running on a Ubuntu machine so you too can have LDAP running.

Installation

Of course there is a bit of installation to take care of before you do anything. But the installation isn’t challenging and there isn’t too much to install. Here are the steps you need to follow:

1. Open up a terminal window.
2. Issue the command sudo apt-get install slapd ldap-utils php5-ldap.
3. Type your sudo password and hit Enter.
4. Accept any dependencies necessary.

And that’s it. You are now ready for the configuration of slapd. But what to do? This article isn’t about a fancy GUI tool. Instead I have found a script floating around the web (who’s author I can not name because I have seen this script on a number of sites) which actually makes this process amazingly easy. I have posted the script here on pastebin for you to either download or copy and paste.

No matter if you download or copy and paste the script, name it something like ldap_script.sh and save it in your home directory. Once you have it saved give it executable permissions with the command:

chmod u+x ldap_script

Now the script is almost ready. You do have to make a few simple changes. Near the top of the script you will see:

passwd=pleaseeditme
dc1=pleaseeditme
dc2=pleaseeditme

Obviously you need to change each pleaseeditme entry to suit your needs. For my LDAP server that section lookes like:

passwd=mypassword
dc1=wallen
cd2=local

You will also notice, near the end of the script, it adds a user. The section #Adding user can be edited to suit your needs, or it can be left alone so that at least one correct user is added at first.

When you have the script ready, it’s time to execute. Issue the command sudo ./ldap_script and watch the magic fly by. When all is said and done you should then be able to check out your LDAP server with one of the means mentioned in previous articles, or you can issue the command:

ldapsearch -x -h localhost -b "dc=EXAMPLE,dc=COM" "(objectClass=*)"

Where EXAMPLE and COM match your dc entires.

Final thoughts

You should now have your LDAP server up and running. You can start adding entries and managing it with whatever tool (or command line) you want. NOTE: We’ll take a look at the management of LDAP via the command line in later articles. Enjoy your LDAP server!

That is, until I discovered a very handy little tool, just for this purpose, called Luma. Luma is an LDAP manager that is pure graphical ease. If you already have your LDAP server up and running, you won’t have any problem managing your data with this tool. In this article I am going to show you how to install Luma and how to connect to your LDAP server.

Installation

I’m going to show you how to install Luma on both Ubuntu and Fedora. It’s actually quite simple. Just follow these steps:

Fedora

1. Open up a terminal window.
2. Su to the root user.
3. Issue the command yum install luma.
4. Okay any dependencies (if necessary).
5. Once installation is complete, you can close the terminal.

Ubuntu

1. Open up a terminal window.
2. Issue the command sudo apt-get install luma.
3. Enter your sudo (user) password.
4. Okay any dependencies (if necessary).
5. Once the installation is complete, you can close the terminal.

Now that you have Luma installed, let’s open it up and connect to a server.

Usage

Figure 1

To start up Luma you will not find a menu entry, so you will have to run Luma from command line (or create a menu entry). To do this click Alt-F and then enter luma in the run dialog. Or you can leave that terminal window open and then just issue the command from within there.

Once started you will see a simple window (see Figure 1) where you can choose from any one of the available plugins. In order to add a server you need to click Settings > Edit Server List. From this window click the Add button to create a new server.

The first step is to give this new server a name. This is a human readable name so it does not need to be a hostname or IP address.  After you create a name click OK to move on to the real work.

Figure 2

Once you have created the server you have three configurations to take care of (see Figure 2):

• Network options: Hostname, Port, Encryption type.
• Authentication: Mechanism for authentication (simple, or SASL type), Bind as (login authentication), and Password.
• LDAP options: Follow aliases and/or Use Base DNs provided by the server.

The trickiest option for most is going to be the Authentication “Bind as” setting. You do not just log in with a plain username. Instead (as you can see in Figure 2), you log in with username and domain in the form of cn=USERNAME,dc=DOMAIN, dc=NAME. In the case of my example it’s cn=admin,dc=wallen,dc=local.

Figure 3

Once you have logged in you can then use the plugins like Browse (see Figure 3). This examples illustrates how you can manage the various aspects of your LDAP entries.

Final thoughts

In upcoming articles we will deal with more LDAP administration with Luma as it is, by far, one of the easiest front ends for the LDAP server I have come across.

But because LDAP is fairly complex, it is not often used except by those who have the lengthy period of time it takes to understand the task of getting an LDAP server up and running. That doesn’t need to be the case, if you happen to have a Fedora server lying around. There is a tool, 389 Directory Server, that helps you to get this up and running quickly and easily.  In this article I am going to show you how to install and set up the 389 Directory Server.

Installation

The installation of 389 DS is simple. Just follow these steps:

1. Open up a terminal window.
2. Su to the root user.
3. Issue the command yum install fedora-ds.
4. Accept all of the dependencies.
5. Wait for the installation to finish.

Now you are ready to begin. The configuration of 389 is done via command line. Once that is complete you can then manage your LDAP server with a nice GUI tool.

Configuration

Figure 1

The configuration takes place in the terminal window. To begin the process issue the command (as root) setup-ds-admin.pl. This will begin a process that will take about 14 steps. Each step looks similar to that in Figure 1.

The steps for the setup are:

1. Agree to license.

2. Set up warning alert.

3. Choose type of installation.

4. Configure fully qualified domain name for name.

5. Server user name.

6. Do you want to register this software with an existing configuration directory server?

7. Administrator ID.

8. Administration domain.

9. Server network port.

10. Directory server identifier (name).

11. Valid DN for your directory suffix.

12. Directory Manager DN.

13. Administration network port.

14. Save configuration and set up server.

The final step is basically writing your configurations to the config script and then starting the server. Once you have completed these steps, the hard part is over! Don’t worry about not understanding any of the above explanations, as each step is clearly explained on its own screen (as shown in Figure 1).

Now that your setup is complete, you are ready to fire up the GUI admin tool.

The admin tool

Figure 2

The administration tool is started (as the root user) with the command 389-console. When you login to the admin tool you will need to use your admin username and password you created during the setup and the URL (including port number) you created (see Figure 2).

Figure 3

Once you have successfully logged in you will now be in the 389 Directory Server Management Console (see Figure 3). It is from within this console that you actually take care of all of the LDAP management (we’ll save that for another article).

Final thoughts

If you’ve ever tried to set up LDAP manually then you know it can be a real pain. With tools like 389 Directory Server, this process has become exponentially easier. Give this a try and see if you have better luck setting up your LDAP server.

In this article I am going to show you how to install and use gnoMINT to generate your very own self-signed certificates that can be used for your web or email (or whatever) servers. NOTE: This article is not about showing you how to add those certificates to your various servers, but how to generate those certificates that can then be applied.

Installation

The installation of gnoMINT is simple. Just follow these directions:

1. Open up you Add/Remove Software tool.
2. Search for “gnomint” (no quotes).
3. Mark the tool for installation.
4. Click Apply to install.

Figure 1

Once you have gnoMINT installed you will find it located in Applications > System Tools. Let’s take a look at the process for creating a self-signed certificate now.

Creating a certificate

Figure 2

When you open up the gnoMINT application you will see a fairly minimal window (see Figure 1). In this new window you can create a new certificate by clicking Certificate > Add > Self-signed CA. When you do this a new window will open (see Figure 2) requiring the standard information for CAs.

Once you have entered all the necessary information in this window a smaller window appearing needing just a few more details about this certificate. The details you will need are:

• Private key type: RSA or DSA.
• Prive key bit length: 2048 is the default.
• Months before root certificate expiration: 240 is the default. You can not set to this to zero and assume it will not expire.

After you create your certificates they will be listed in the main window.

Exporting your certificates

Figure 3

Although we are not going to discuss how you would add these certificates to your server needs, I do want to mention the export process. From the main window if you right-click a certificate you can select Export. When you do this a new window will open where you can select what you want to export (see Figure 3). You have four options for export. Make sure you select the correct option that will exactly match your servers’ needs.

After you export your certificate you will have the necessary files you need and you can simply upload them to your server. You will then need to make sure you configure your server to actually make use of the keys.

Final thoughts

Although the process of creating self-signed certificates by command line isn’t challenging, it’s nice to have a GUI tool with which to manage these keys. And for those that prefer not to bother learning the command line tools, gnoMINT is and ideal replacement for the command line.

When you have users that need access to your SMTP server from outside of your LAN you have to enable SASL (Simple Authentication and Security Layer). In this article I am going to show you how to do just that.

Assumptions

Naturally this article will assume you already have a working Postfix server that is both sending and receiving email. This article will describe the process as related to a CentOS 5 server (which makes an outstanding mail server for any size company). I will also assume you have root access to this server (as everything done in this article will need administrative privileges).

First step

The first thing you need to do is add a few lines to your /etc/postfix/main.cf file. What is needed is the following (add it to the end of the file):

smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous

The next step is to add permit_sasl_authenticated to the smtpd_recipient_restrictions section of the same file. If you do not have an smtpd_recipient_restrictions section, just create the section like this:

smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination

Second step

Figure 1

The next step is to configure auth default in the authentication processes section (around line 778)  of /etc/dovecot.conf. This one is really tricky – only because this section of the dovecot.conf file is heavily commented and already contains some of the lines you will see Figure 1 and below. The code in figure 1 gives an easier representation of what needs to be added to the dovecot.conf file. The copy/paste-able text is below:

auth default {
mechanisms = plain login
passdb pam {
}
userdb passwd {
}
user = root
socket listen {
client {
path = /var/spool/postfix/private/auth
mode = 0660
user = postfix
group = postfix
}
}
}

Now it’s time to restart Postfix with the commands:
service dovecot restart
postfix reload

Testing

It’s time to see if your setup works. To do this you will need to telnet to your mail server on port 25 like so:

telnet ADDRESS_OF_SERVER 25

Where ADDRESS_OF_SERVER is the actual address of your mail server. Now you need to generate a Base64 username/passcode to do so. This is possible with the help of Perl like so:
perl -MMIME::Base64 -e 'print encode_base64("00USERNAME00PASSWORD");'

You can insert an actual username/password combination that exists on your server if you like in the command aboe (where you see USERNAME and PASSWORD).

This will print out a string of characters for you to use in the testing. The testing will look like this:
telnet ADDRESS_OF_SERVER 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 mail.example.com ESMTP Postfix
EHLO example.com
250-mail.example.com
250-PIPELINING
250-SIZE 20480000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH PLAIN STRING_OF_CHARACTERS
235 2.0.0 Authentication successful
quit
221 2.0.0 Bye
Connection closed by foreign host.
Where everything in bold is what you must enter and STRING_OF_CHARACTERS is the string generated by the earlier Perl command.

Final thoughts

If all is good you should have seen Authentication successful in your test. Congratulations, you can now access your SMTP server from outside of your LAN.

The application works similar to Microsoft’s own tool Lockoutstatus.exe with the exception that it adds features to the troubleshooting process to streamline it.

Lockout Fixer for instance allows the administrator to view the audit failure logs that were recorded at the time of the lockout. It furthermore displays event log entries related to lockouts that include the client IP address needed to identify the issue.

lockout fixer

Lockout Fixer queries domain controllers on startup and displays the available ones in the computer network in the left sidebar. Domain controllers can be selected easily using the available checkboxes.

Here is how it works. The system administrator checks the servers from the sidebar listing and types in the username of a locked account.

It is then possible to immediately unlock the account by clicking the unlock account button or to use the check lock out status button to troubleshoot the lockout.

The lock out time, last bad password time and bad password count are then displayed for each selected domain controller. The timezone is that of the remote computer which is important if some of the servers are located in a different timezone.

The data that is displayed can be selected again to lookup the audit failure logs of the selected servers.

The event log query tool can be used separately to enter a computer name to retrieve its logs.

Two tips are provided by the developer that are helpful in the troubleshooting process.

Unlocked accounts might still be shown as locked if the account got unlocked after a specific period of time and the user has not logged into the account in the meantime.

It can also happen that the logs are not displayed for the bad password time that is selected. This can happen if the lockout has been recorded in the log prior to the lockout time / bad password time. It helps in those cases to change the time to a second before the bad password occurred to see the log information.

Lockout Fixer is a helpful troubleshooting tool for Windows system administrators. It is compatible with 32-bit and 64-bit editions of Microsoft Windows, a download is provided at the developer’s website over at Lockoutfixer.cz.cc.

That complexity is what an introductory article is needed. I have seen plenty of users try to just jump into the heart and soul of iptables, only to see them fail miserably. To fully understand iptables one must first understand how iptables is actually used. In this article I will help you to understand the fundamentals of iptables so later on we can further that knowledge with more in-depth scripts and commands.

What IS iptables?

As I mentioned earlier, iptables is a powerful way to control packet traffic to and from your Linux box. But how does it manage this?  It does so by creating TABLES made up of CHAINS. There are three types of chains:

• INPUT: Controls packets coming in.
• OUTPUT: Controls packets going out.
• FORWARD: Controls packets that are forwarded.

These are also applied to the default policies. When you install a Linux operating system it will have three pre-defined iptables chains (one for each of the above).

Now each chain can handle the packet traffic in one of four different ways (actions):

• ACCEPT: Allow the packet in/out.
• REJECT: The target device will reject the packet.
• DROP: The packet is immediately dropped and the target device never sees said packet.
• RETURN: Go to another chain in your table as if it never saw the rejecting chain.

So now you have a TABLE made up of CHAINS that use ACTIONS to route traffic. Is this getting any easier? Now, you can also have more than one TABLE on a machine – but that is far too complex for an introductory article. Your machine will also have a default POLICY for each chain (INPUT, OUTPUT, FORWARD). By default these POLICIES are typically set to the action ACCEPT.

You must also understand that when a packet arrives on a machine it must traverse the iptables CHAIN until it either matches a CHAIN rule or it passes through all rules unscathed. Because of this you want to create your chains carefully. If you do not you can wind up with traffic you want to ACCEPT getting REJECTed because of a poorly ordered chain. For example:

Let’s say you want to ACCEPT all ssh traffic within your internal network safe passage to your machines. But what if you have a CHAIN rule that REJECTS ssh traffic in place before that internal rule? If you do this all internal ssh traffic will be REJECTed as well. In this case you would want your TABLE chain order like so:

CHAIN ACCEPTing incoming LAN ssh traffic

CHAIN REJECTing incoming WAN ssh traffic

Let’s take a look at how you use itables as a command to create or change POLICY chains.

Usage

Figure 1

If you issue the command iptables -L all of your current chains will be listed like what you see in Figure 1. NOTE: The iptables command MUST be run as either the root user or with the help of sudo.

As you can see, in my output, my TABLE consists of the three default policy CHAINS and each is currently set to the action ACCEPT.  What if I want to change my INPUT policy to DROP? After all, do you want incoming traffic to have total access to your machine? You can set the input POLICY to DROP with the following command:

sudo iptables -P INPUT DROP

What you have effectively done above is set your default INPUT POLICY to REJECT. So without creating any new CHAINS all incoming traffic to that machine will be REJECTED. Here’s the problem with that…say, for instance, you want to allow ssh traffic into that machine? If you leave it as is this will not happen. Because you have the INPUT POLICY set to REJECT and you have no other CHAINS in place, no incoming traffic will work. Remember, though, what I said about creating CHAINS in the right order to ensure needed traffic can find safe passage.

Final thoughts

Thus begins our journey with iptables. It’s not the most simple system to employ, but it certainly is powerful.  Is it worth the time and effort when there are so many GUI tools to choose from? That depends upon your needs. If you are working on nothing more than a desktop – then the GUI front-end will more than likely be enough. If, however, you have a server with mission-critical or sensitive data you might need the extra power and flexibility that iptables brings to the table.

In this article I am going to show you how to set up the Partimage Server as well as save an image to it from a remote machine.

Assumptions

You will need to make sure the system you are imaging is NOT an ext4 machine (this would leave out Ubuntu 10.04 and Fedora 13 for sure). You will also need an IP address for your server as well as super user access in order to run Partimage. Finally you will need to make sure your server has plenty of room to store the image file(s) it is to house.

Installation

You’ve already installed Partimage in the previous article. But you did not install the server. In order to install the server on Ubuntu do the following:

1. Open up a terminal window.
2. Issue the command sudo apt-get install partimage-server
3. Enter your sudo password.

That’s it. If you are installing on Fedora you would have to su to the root user and issue the command yum install partimage-server. On OpenSuSE that command would be zypper install partimage-server.

Configuring the server

There is very little to configure for the server. What you will need to do is open up the file /etc/partimaged/partimagedusers and add a user to that file that will be used to authenticate from the clients. The user you add MUST have an account on the Partimage server machine. There is nothing fancy about the user setup, you just add the user (or users) one per line in the file, save, and close the file.

Once you have added that user it’s time to start the server. Do this with the command /etc/init.d/partimaged restart. The server will start and you are ready to go.

Connecting to the server

Figure 1

If you refer back to the original article you will see how to get to this step. It is very similar to creating the image on the local machine, only you will select the option for Connect to server (see Figure 1).

Figure 2

Once you have filled out that information, click F5 to continue one. You will then be asked for the username/password for the user you added to the partimagedusers file. After you enter that information (see Figure 2), tab down to the OK button and hit Enter to continue on.

After the login succeeds Partimage will continue on as it did when you were saving that partition to the local drive. And when it completes, you will have an image of that system stored on your Partimage Server.

Final thoughts

Even though there is no support for ext4 file systems, Partimage does support many other types, making it a very useful tool. I would like to think that ext4 would be rolled into the system in the future, but there is not much indicating this is the case. That would also make me believe newer file systems will also not be supported. If this is the case, I hope a new tool like Partimage will arrive on the scene that will support ext4 and btrfs file systems.

In this article I am going to show you how to install and run an infinote server so that Kobby and Gobby can communicate with one another.

Installation

There are two packages you must install for this to work. One of those packages will have been installed when you install Gobby. That package is libinfinity. If you did not install Gobby on the machine that will act as your infinote server you will need to install the libinfinity package as well as the package listed below. Follow these steps for installation:

1. Fire up your package management system (Synaptic, Ubuntu Software Center, gnome-packagekit, etc).
2. Search for “infinoted” (no quotes).
3. Mark infinoted for installation.
4. Click Apply to install.

That’s it! You are now ready to begin.

Usage

There are two ways to use infinoted: with or without encryption. If you want to offer password-protected sessions you will have to run with encryption. No passwords = no encryption. Let’s start off with the non-encrypted session first.

To launch an encryption-less session open up a terminal window and issue the following command:

infinoted –security-policy=no-tls

NOTE: When launching this session you will not be returned your prompt. Even if you add the “&” to the end of your prompt (which usually places the command in the background) you still won’t get your prompt back. When you issue this command the command will instruct you which port the server is listening on. By default infinoted will listen to port 6523 (in case you do not issue the command from the terminal window – more on that in a bit).

Now let’s take a look at starting the server with encryption. To do this you will issue two commands, the first command creates the necessary keys, the second launches the daemon. Let’s take a look at the commands. The first command:

infinoted –create-key –create-certificate -k KEY_NAME.pem  -c CERT_NAME.pem

Where KEY_NAME is the name of the key and CERT_NAME is the name of the certificate. When you issue that command infinoted will generate the necessary key/cert pair and then you are ready to start the server with the command:

infinoted -k key.pem  -c cert.pem

Now when you start up your Gobby and/or Kobby instances, you can host your server with password protection.

Starting your server

If you are like me, you don’t want to have a terminal window open in order to run the server. No matter which type of server you run (with or without encryption), you can add the startup line to your /etc/rc.local file so the server will start up at boot. If you don’t want to go that route you can always just hit <Alt>F2 and then enter the run line in the command dialog box.

Final thoughts

If you are looking for a very simple way to host a collaborative server for Gobby or Kobby, the Infinoted server is all you need for simplicity and reliability. Once the server is up and running all you will have to do is point your clients to the server (and the correct port) and your clients will be collaborating immediately.

You might think that Luckybackup is a tool only an end-user could love. Not so. Although Luckybackup is simple to use, open source, and free it’s a worthy candidate for business backup as well. Oh sure, you’re not going to image your machines with this backup tool, but you can backup your data. In this article I am going to show you how to install and use Luckybackup.

Installation

Installation is simple. If you’re lucky Luckybackup will be found in your distributions repositories. If that’s the case, just fire up your package manager tool, search for “luckybackup” (No quotes), select Lucky Backup for installation, and click apply. That’s it. If you’re not luck, and Lucky Backup isn’t in your repositories, then you will have to go to the Lucky Backup download page and download the binary for your distribution. Once you have that file it’s as simple as either letting your browser auto-detect and let a tool like GDebi install the package, or install from command line like so:

rpm -ivh luckybackup-XXX.rpm

Where XXX is the release number.

Using Lucky Backup

Figure 1

I am going to walk you through the steps for creating a remote backup using Lucky Backup. The remote backup I am going to illustrate uses ssh for the network transportation. For simplicities sake I am going to illustrate how you can do a backup with user intervention. To really make this work, you will want to set up password-less secure shell communication. You can see how this is done in my article “Five handy secure shell tips and tricks“.

Once installed open up a terminal window and issue the command luckybackup. This command will open up the user-friendly gui (see Figure 1) where you add all of the backups you want to create.

Let’s walk through the steps of creating an ssh-based backup.

Step 1: Click the Add button.

Figure 2

Step 2: Fill in the necessary pieces of information in the new window (see Figure 2). This information will include:

• Name: Name to give the backup.
• Type: Full or incremental.
• Source: What you want to backup.
• Destion: Directory on local or remote host to store backup.

REMOTE TAB:

• User remote host: Check this box.
• Destination: Check this box.
• User: Username on remote machine.
• Host: IP Address of remote machine
• Ssh: Check this box.

Step 3: Click Okay to save your settings.

Step 4: Click Start to begin the backup process.

If your backup was setup correct you will immediately be informed such and, in the terminal window where you started Lukcybackup from, you will prompted for the remote users password. Enter the password in that terminal window and hit enter. Your backup will begin.

As I mentioned earlier, to avoid having to be prompted for your password (this will be necessary for scheduled backup) you will need to set up password-less secure shell.

Final thoughts

That was simple. That is exactly how a backup tool should work. Give Lucky Backup a try, you may not find a Linux backup tool as simple to use.

In this article I am going to walk you through the section of the eGroupware installation that takes care of the final stages of the eGroupware installation. Once you are done with that, your eGroupware site will be ready to go.

Where are we?

Figure 1

The last thing you did was create the configuration file /var/www/egroupware/header.inc.php. Now it’s a matter of finishing up the installation from a page that is set up in stages (see Figure 1). You will have logged in by now and are ready to take care of the first stage in this final step.

Stage 1: The first stage is to create the database. You have to supply the charset, DB root username, and DB root password. For the charset, just let it as the default. The username/password will be for the username that can connect to the database you created for this setup. Once you have entered that information click Create Database. You should get the warning: Your database is working, but you don’t have any applications installed. When you do get that warning you will also see a button labeled Install all applications. You are now ready to click that button.

Stage 2: When you click the Install all applications button. When this

Figure 2

stage finishes you should see If you did not receive any errors, your applications have been installed. At that point click the Re-check my installation button. Now your setup page should look similar to that in Figure 2. As you can see there are only two stages left in the installation.

Stage 3: As you can see, in the Step 2 Configuration section we have neglected to create a couple of directories. This is simple. Open up a console window and issue the following commands:

• sudo mkdir /opt/egroupware
• sudo mkdir /opt/egroupware/default/
• sudo mkdir /opt/egroupware/default/files
• sudo mkdir /opt/egroupware/default/backup
• sudo chmod -R 777 /opt/egroupware

Now, oddly enough, we need to click on the Edit Current Configuration button and enter the following:

Full path for users and group files: /opt/egroupware/default/files

Full path to the backup directory: /opt/egroupware/default/backup

Click Save and you should be complete. Of course those directories could have been created during the prerequisite stage of the install, but I wanted to highlight how you could go back and re-configure at any stage of the installation. NOTE: If there are any other issues in your Current Configuration, now is the time to take care of them.

Stage 4: The final step is to click on the Create an Admin Account button. When you click on that you only need fill out the information for the admin account. All of the information is straight forward. You will notice two check boxes. One is to allow the admin access to all installed applications. Although they warn you this can be annoying, I tend to prefer it this way so my admin user can see everything. You can also opt to have eGroupware create demo accounts. This is users choice. You will be creating accounts anyway – so this is up to you.

That should do it. When you click Save on this you should have all green checks and be ready to log into your eGroupware installation. You will find a TON of stuff to configure now. Start playing around and see what eGroupware has to offer.