How to Verify the LDAP or slapd Process in Zimbra

zimbraZimbra LDAP service running on OpenLDAP software. It is the directory service and identified when the Zimbra software is installed together with it’s own Zimbra schema. Zimbra LDAP service is used in Zimbra Collaboration Suite (ZCS) to store data for Zimbra Global configuration, user and authentication information, server, domain and class of service (COS) details. The following task will be very useful to zimbra system administrator in order to Verify the LDAP or slapd process in Zimbra. The command has been tested on ZCS 8.0.4 open-source version running on CentOS 6.4. I have documented these post as my own tutorial and also for my blog visitors reference.

1. How to verify ldap status in zimbra. Run as the zimbra user :

[zimbra@centos64 ~]$ ldap status
slapd running pid: 1351

2. How to verify that the slapd process is running or not :

ps auxww | grep zimbra | grep slapd

Example :

[zimbra@centos64 ~]$ ps auxww | grep zimbra | grep slapd
zimbra    1351  0.1  3.9 18840944 75268 ?      Ssl  16:44   0:08 /opt/zimbra/openldap/sbin/slapd -l LOCAL0 -u zimbra -h ldap://centos64.ehowstuff.local:389 ldapi:/// -F /opt/zimbra/data/ldap/config
zimbra   42865  0.0  0.0   6376   724 pts/0    S+   18:01   0:00 grep slapd

3. To detect connection failure on default ldap port, 389, run telnet command :

Result if run from zimbra server itself :

[zimbra@centos64 ~]$ telnet centos64.ehowstuff.local 389
Trying 192.168.2.62...
Connected to centos64.ehowstuff.local.
Escape character is '^]'.
^]
telnet> quit
Connection closed.

4. How to Stop and Start ldap in zimbra. Run as the zimbra user :
Start ldap :

[zimbra@centos64 ~]$ ldap stop
Killing slapd with pid 1351 done.

Stop ldap :

[zimbra@centos64 ~]$ ldap start
Started slapd: pid 47807

5. Verify ldap status from zmcontrol command :

[zimbra@centos64 ~]$ zmcontrol status
Host centos64.ehowstuff.local
        antispam                Running
        antivirus               Running
        ldap                    Running
        logger                  Running
        mailbox                 Running
        memcached               Running
        mta                     Running
        opendkim                Running
        proxy                   Running
        snmp                    Running
        spell                   Running
        stats                   Running
        zmconfigd               Running

How to Install and Configure 389 LDAP Directory Server on CentOS 6.4

389389 Directory Server is an enterprise-class open source Lightweight Directory Access Protocol (LDAP) server for Linux and based on Fedora Directory Server. 389 Directory server has been developed by Red Hat, as part of Red Hat’s community-supported Fedora Project. This steps has been tested on CentOS 6.4 x86_64 and may work on other version of CentOS as well.

1. Prepare EPEL repository.

2. Install 389-ds file :

[root@centos64 ~]# yum install 389-ds -y

3. Enable SELINUX :

[root@centos64 ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted

4. Configure hostname, FQDN and host file has been configured correctly :

[root@centos64 ~]# hostname
centos64.ehowstuff.local
[root@centos64 ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

192.168.2.64    centos64.ehowstuff.local centos64

5. To install 389 LDAP, run the configuration script :

[root@centos64 ~]# /usr/sbin/setup-ds-admin.pl

==============================================================================
This program will set up the 389 Directory and Administration Servers.

It is recommended that you have "root" privilege to set up the software.
Tips for using this program:
  - Press "Enter" to choose the default and go to the next screen
  - Type "Control-B" then "Enter" to go back to the previous screen
  - Type "Control-C" to cancel the setup program

Would you like to continue with set up? [yes]:

==============================================================================
Your system has been scanned for potential problems, missing patches,
etc.  The following output is a report of the items found that need to
be addressed before running this software in a production
environment.

389 Directory Server system tuning analysis version 23-FEBRUARY-2012.

NOTICE : System is x86_64-unknown-linux2.6.32-358.2.1.el6.x86_64 (2 processors).

NOTICE : The net.ipv4.tcp_keepalive_time is set to 7200000 milliseconds
(120 minutes).  This may cause temporary server congestion from lost
client connections.

WARNING: There are only 1024 file descriptors (soft limit) available, which
limit the number of simultaneous connections.

WARNING  : The warning messages above should be reviewed before proceeding.

Would you like to continue? [no]: yes

==============================================================================
Choose a setup type:

   1. Express
       Allows you to quickly set up the servers using the most
       common options and pre-defined defaults. Useful for quick
       evaluation of the products.

   2. Typical
       Allows you to specify common defaults and options.

   3. Custom
       Allows you to specify more advanced options. This is
       recommended for experienced server administrators only.

To accept the default shown in brackets, press the Enter key.

Choose a setup type [2]:

==============================================================================
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
.
Example: eros.example.com.

To accept the default shown in brackets, press the Enter key.

Warning: This step may take a few minutes if your DNS servers
can not be reached or if DNS is not configured correctly.  If
you would rather not wait, hit Ctrl-C and run this program again
with the following command line option to specify the hostname:

    General.FullMachineName=your.hostname.domain.name

Computer name [centos64.ehowstuff.local]:

==============================================================================
The servers must run as a specific user in a specific group.
It is strongly recommended that this user should have no privileges
on the computer (i.e. a non-root user).  The setup procedure
will give this user/group some permissions in specific paths/files
to perform server-specific operations.

If you have not yet created a user and group for the servers,
create this user and group using your native operating
system utilities.

System User [nobody]:
System Group [nobody]:

==============================================================================
Server information is stored in the configuration directory server.
This information is used by the console and administration server to
configure and manage your servers.  If you have already set up a
configuration directory server, you should register any servers you
set up or create with the configuration server.  To do so, the
following information about the configuration server is required: the
fully qualified host name of the form
.(e.g. hostname.example.com), the port number
(default 389), the suffix, the DN and password of a user having
permission to write the configuration information, usually the
configuration directory administrator, and if you are using security
(TLS/SSL).  If you are using TLS/SSL, specify the TLS/SSL (LDAPS) port
number (default 636) instead of the regular LDAP port number, and
provide the CA certificate (in PEM/ASCII format).

If you do not yet have a configuration directory server, enter 'No' to
be prompted to set up one.

Do you want to register this software with an existing
configuration directory server? [no]:

==============================================================================
Please enter the administrator ID for the configuration directory
server.  This is the ID typically used to log in to the console.  You
will also be prompted for the password.

Configuration directory server
administrator ID [admin]:
Password:
Password (confirm):

==============================================================================
The information stored in the configuration directory server can be
separated into different Administration Domains.  If you are managing
multiple software releases at the same time, or managing information
about multiple domains, you may use the Administration Domain to keep
them separate.

If you are not using administrative domains, press Enter to select the
default.  Otherwise, enter some descriptive, unique name for the
administration domain, such as the name of the organization
responsible for managing the domain.

Administration Domain [ehowstuff.local]:

==============================================================================
The standard directory server network port number is 389.  However, if
you are not logged as the superuser, or port 389 is in use, the
default value will be a random unused port number greater than 1024.
If you want to use port 389, make sure that you are logged in as the
superuser, that port 389 is not in use.

Directory server network port [389]:

==============================================================================
Each instance of a directory server requires a unique identifier.
This identifier is used to name the various
instance specific files and directories in the file system,
as well as for other uses as a server instance identifier.

Directory server identifier [centos64]:

==============================================================================
The suffix is the root of your directory tree.  The suffix must be a valid DN.
It is recommended that you use the dc=domaincomponent suffix convention.
For example, if your domain is example.com,
you should use dc=example,dc=com for your suffix.
Setup will create this initial suffix for you,
but you may have more than one suffix.
Use the directory server utilities to create additional suffixes.

Suffix [dc=ehowstuff, dc=local]:

==============================================================================
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and typically has a
bind Distinguished Name (DN) of cn=Directory Manager.
You will also be prompted for the password for this user.  The password must
be at least 8 characters long, and contain no spaces.
Press Control-B or type the word "back", then Enter to back up and start over.

Directory Manager DN [cn=Directory Manager]:
Password:
Password (confirm):

==============================================================================
The Administration Server is separate from any of your web or application
servers since it listens to a different port and access to it is
restricted.

Pick a port number between 1024 and 65535 to run your Administration
Server on. You should NOT use a port number which you plan to
run a web or application server on, rather, select a number which you
will remember and which will not be used for anything else.

Administration port [9830]:

==============================================================================
The interactive phase is complete.  The script will now set up your
servers.  Enter No or go Back if you want to change something.

Are you ready to set up your servers? [yes]:
Creating directory server . . .
Your new DS instance 'centos64' was successfully created.
Creating the configuration directory server . . .
Beginning Admin Server creation . . .
Creating Admin Server files and directories . . .
Updating adm.conf . . .
Updating admpw . . .
Registering admin server with the configuration directory server . . .
Updating adm.conf with information from configuration directory server . . .
Updating the configuration for the httpd engine . . .
Starting admin server . . .
output: Starting dirsrv-admin:
output:                                                    [  OK  ]
The admin server was successfully started.
Admin server was successfully created, configured, and started.
Exiting . . .
Log file is '/tmp/setupDJucbG.log'

6. Start dirsrv and dirsrv-admin service :

[root@centos64 ~]# /etc/init.d/dirsrv start
Starting dirsrv:
    centos64...                                            [  OK  ]
[root@centos64 ~]# /etc/init.d/dirsrv-admin start
Starting dirsrv-admin:
                                                           [  OK  ]

7. Make dirsrv and dirsrv-admin service auto start at boot :

[root@centos64 ~]# chkconfig dirsrv on
[root@centos64 ~]# chkconfig dirsrv-admin on

8. Check dirsrv and dirsrv-admin service status :

[root@centos64 ~]# /etc/init.d/dirsrv-admin status
dirsrv-admin (pid 1409) is running...
[root@centos64 ~]# /etc/init.d/dirsrv status
dirsrv centos64 (pid 1317) is running...

How to Install and Configure phpLDAPadmin on CentOS 6.2

phpLDAPadmin (also known as PLA) is a web-based LDAP administration tool to manage, browse and administer your LDAP directory server. Since it is a web application, this LDAP browser works on many platforms, making your LDAP server easily manageable from any location. With it you can browse your LDAP tree, view LDAP schema, perform searches, create, delete, copy and edit LDAP entries. You can even copy entries between servers. This post will show you on how to install phpLDAPadmin on linux CentOS 6.2 server. Assumed that you already install install EPEL repository on your CentOS 6.2 server as below :
How to Install and Configure EPEL Repository on CentOS 6.2

1. Install phpLDAPadmin using this command :

[root@centos62 ~]# yum install phpldapadmin -y
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: centos.ipserverone.com
 * epel: ftp.cuhk.edu.hk
 * extras: centos.ipserverone.com
 * updates: centos.maulvi.net
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package phpldapadmin.noarch 0:1.2.2-1.el6 will be installed
--> Processing Dependency: php-ldap for package: phpldapadmin-1.2.2-1.el6.noarch
--> Running transaction check
---> Package php-ldap.i686 0:5.3.3-3.el6_2.6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

====================================================================================================
 Package                  Arch               Version                      Repository           Size
====================================================================================================
Installing:
 phpldapadmin             noarch             1.2.2-1.el6                  epel                776 k
Installing for dependencies:
 php-ldap                 i686               5.3.3-3.el6_2.6              updates              35 k

Transaction Summary
====================================================================================================
Install       2 Package(s)

Total download size: 811 k
Installed size: 2.3 M
Downloading Packages:
(1/2): php-ldap-5.3.3-3.el6_2.6.i686.rpm                                     |  35 kB     00:00
(2/2): phpldapadmin-1.2.2-1.el6.noarch.rpm                                   | 776 kB     00:08
----------------------------------------------------------------------------------------------------
Total                                                                62 kB/s | 811 kB     00:13
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : php-ldap-5.3.3-3.el6_2.6.i686                                                    1/2
  Installing : phpldapadmin-1.2.2-1.el6.noarch                                                  2/2

Installed:
  phpldapadmin.noarch 0:1.2.2-1.el6

Dependency Installed:
  php-ldap.i686 0:5.3.3-3.el6_2.6

Complete!

2. Configure phpLDAPadmin. Allow 198.168.1.x network to access thru phpLDAPadmin :

#
#  Web-based tool for managing LDAP servers
#

Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
Alias /ldapadmin /usr/share/phpldapadmin/htdocs

<Directory /usr/share/phpldapadmin/htdocs>
  Order Deny,Allow
  Deny from all
  Allow from 127.0.0.1 192.168.1.0/24
  Allow from ::1
</Directory>

3. Restart httpd server :

[root@ldap 389 ~]# /etc/init.d/httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]

4. Installation and configuration completed. Navigate and administer ldap as below URL :

http://ldap_server_ip/ldapadmin

phpLDAPadmin

How to Configure Squid Proxy for LDAP Authentication on CentOS 6.2 using squid_ldap_auth

In this post i will show on how to configure squid proxy server to go through 389 LDAP authentication on linux CentOS 6.2 server. This authentication is using squid_ldap_auth module in that come with squid proxy. Assumed that you have 389 Ldap Directory server and Squid proxy configured. Squid service plays two main roles which mainly act as a caching proxy server between the user and the web. 389 Directory Server is an enterprise-class open source LDAP server for Linux.

Some informations regarding proxy server and ldap server.
Proxy server : 192.168.1.44 proxy.ehowstuff.local
LDAP server : 192.168.1.48 ldap.ehowstuff.local

Prerequisites :
How to Install and Configure Squid Proxy Server on CentOS 6.2
How to Restrict Web Access By Time Using Squid Proxy Server on CentOS 6.2
How to Install 389 Directory Server on CentOS 6.2
How to Setup and Configure 389 Directory Server on CentOS 6.2

Add in this lines on your squid.conf file :

auth_param basic program /usr/lib/squid/squid_ldap_auth -b "dc=ehowstuff,dc=local" -f "uid=%s" -h ldap.ehowstuff.local
acl ldapauth proxy_auth REQUIRED
http_access allow ldapauth
http_access deny all

“http_access deny all” is optional, it’s depend on your configuration.

Open squid.conf file and modify as below :

..
..
..
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl ehowstuff.com src 192.168.1.0/24    # Your internal network

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT


#Specifies the base DN for LDAP authentication :
auth_param basic program /usr/lib/squid/squid_ldap_auth -b "dc=ehowstuff,dc=local" -f "uid=%s" -h ldap.ehowstuff.local
acl ldapauth proxy_auth REQUIRED
http_access allow ldapauth


#Add this at the bottom of the ACL Section
#
acl surfing_hours time M T W H F 17:00-24:00
acl Bad_Websites  dstdomain "/etc/squid/web/Bad_Websites.squid"

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Only allow cachemgr access from ehowstuff.com
http_access allow ehowstuff.com surfing_hours !Bad_Websites
http_access deny Bad_Websites
http_access deny ehowstuff.com
..
..
..

Proxy ip : 192.168.1.44
Domain/Hostname : proxy.ehowstuff.local
Port : 3128

Browser that was configured with proxy setting will prompt as below :
squid

Complete Squid configuration :

#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl ehowstuff.com src 192.168.1.0/24    # Your internal network

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT


#Specifies the base DN for LDAP authentication :
auth_param basic program /usr/lib/squid/squid_ldap_auth -b "dc=ehowstuff,dc=local" -f "uid=%s" -h ldap.ehowstuff.local
acl ldapauth proxy_auth REQUIRED
http_access allow ldapauth


#Add this at the bottom of the ACL Section
#
acl surfing_hours time M T W H F 17:00-24:00
acl Bad_Websites  dstdomain "/etc/squid/web/Bad_Websites.squid"

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Only allow cachemgr access from ehowstuff.com
http_access allow ehowstuff.com surfing_hours !Bad_Websites
http_access deny Bad_Websites
http_access deny ehowstuff.com



# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
#http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128

# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

How to Install openldap-clients on CentOS 6.2

In this post i will show how to install openldap-clients on linux CentOS 6.2 server. openldap-clients will be require when you need to run LDAP search tool, ldapsearch command. LDAP search tool is the simplest tool remotely searching on the directory servers such as 389 directory server and Windows active directory. It’s usefull to retrieve the information remotely and greatly helps in troubleshooting the problems.

Simply run this command to install openldap-clients :

[root@centos62 ~]# yum install openldap-clients -y