HA Linux Mail Server – Part 0

I’ve been working on a project to learn more about RHCS in general and decided to build a HA Mail server.

Technologies Used:
– Centos 6.6
– RHCS
– Postfix
– Dovecot (IMAP)
– OpenLDAP
– GlusterFS
– MySQL
– Roundcube

Over the coming weeks I’ll be posting the steps required to set this up.

The general idea is to have two RHCS services

mail-svc

  • VIP for postfix/dovecot
  • glusterfs for delivered mail, postfix and dovecot configuration files

mysql-svc

  • VIP for mysql
  • glusterfs for mysql config and data

 

Each node runs the following locally

  • httpd + roundcube
  • OpenLDAP replicating from another LDAP server

While the above two services could certainly be cluster services, this is not required.

We NAT our public IP to the VIP for mail-svc.

To avoid SSH key issues, copy your SSH keys from /etc/ssh to the other node (So SSH to the public IP will not result in errors after a failover)

 

 

OpenLDAP SSL Replication

Following the excellent guide here: https://wiki.debian.org/LDAP/OpenLDAPSetup

I was able to get LDAP replication working fairly easily. There are two problems with this however.

1. The default slapd configuration will use dc=nodomain (if no domain was picked at install) otherwise whatever domain you picked at install. You are not asked to choose, so of course if you have a different domain than your LDAP server replication will not function.

2. The above guide does NOT use SSL for replication for some reason

On your client, do the following to change dc=nodomain to whatever it should be for replication


/etc/init.d/slapd stop
rm /var/lib/ldap/*
vi /etc/ldap/slapd.d/cn\=config/olcDatabase\=\{1\}hdb.ldif

Update all dc=nodomain entries to dc=your,dc=domain

Then start slapd

/etc/init.d/slapd start

Create an LDIF file like the following (in this case, mirror.ldif)


dn: olcDatabase={1}hdb,cn=config
changeType: modify
add: olcSyncrepl
olcSyncrepl: rid=004 provider=ldaps://YOURMASTERHOSTNAME:636 bindmethod=simple binddn="cn=mirrormode,dc=bbis,dc=us" credentials=YOURPASSWORD tls_reqcert=never searchbase="dc=bbis,dc=us" schemachecking=on type=refreshAndPersist retry="60 +" tls_cert=/etc/ldap/ssl/server.pem tls_cacert=/etc/ldap/ssl/server.pem tls_key=/etc/ldap/ssl/server.pem
-
add: olcMirrorMode
olcMirrorMode: TRUE
-

Note that “rid=004” should be different for each LDAP server you bring in to play. Replace dc=bbis,dc=us with your domain.

Now add it to your schema

ldapmodify -QY EXTERNAL -H ldapi:/// -f mirror.ldif

Use ldapsearch to verify functonality

ldapsearch -H ldap://127.0.0.1 -x

LDAP User Add Script

A bug with phpldapadmin in Ubuntu 10.04 has forced me to find other ways to add a generic Linux account to LDAP.

This consists of three files; I keep them in /root/ldap and have a symlink to add_ldap_user.sh in /usr/local/bin

add_ldap_user.sh Script

last.uid The last used UID, auto-incriments

user.ldif Sample linux account in LDIF format

add_ldap_user.sh


#!/bin/bash
NEWUID=`cat /root/ldap/last.uid`
echo -ne "First Name: "
read FIRST
echo -ne "Last Name: "
read LAST
echo -ne "User Name: "
read USERNAME

sed “s/FIRST/`echo $FIRST`/g” /root/ldap/user.ldif > /root/ldap/temp
sed “s/LAST/`echo $LAST`/g” /root/ldap/temp > /root/ldap/temp2
sed “s/USERNAME/`echo $USERNAME`/g” /root/ldap/temp2 > /root/ldap/temp
sed “s/USERUID/`echo $NEWUID`/g” /root/ldap/temp > /root/ldap/temp2

ldapadd -x -w`cat /etc/ldap.secret` -D “cn=admin,dc=YOUR,dc=HOSTNAME” < /root/ldap/temp2
echo `expr $NEWUID + 1` > /root/ldap/last.uid
rm /root/ldap/temp
rm /root/ldap/temp2
passwd $USERNAME

user.ldif


dn: cn=FIRST LAST,ou=People,dc=YOUR,dc=HOSTNAME
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
givenName: FIRST
sn: LAST
cn: FIRST LAST
uid: USERNAME
userPassword: {MD5}QaJUwABOZ6gUsv/xOD/FOQ==
gidNumber: 100
homeDirectory: /home/USERNAME
loginShell: /bin/bash
uidNumber: USERUID

last.uid

1900

Note that because the LDIF contains a place-holder password, you must be able to run ‘passwd LDAP-USER’ on the host you are running this on.

Ubuntu 8.04 Hardy LDAP Client

Ubuntu 7.10 was a nightmare when it came to setting up ldap, but 8.04 improves this process quite a bit.

We are going to set up a Hardy client on a desktop machine, which involves using NFS (for /home) and allowing all desktop users to do desktop tasks.

apt-get install libpam-ldap libnss-ldap nss-updatedb libnss-db nfs-common nscd

Answer the questions; unlike Debian they should actually be put in the configuration file.

Make sure to transfer over your certifiate if you use SSL. I like to use /etc/ldap/ssl

Edit /etc/ldap.conf (which both libnss and libpam use).

host 192.168.1.1
base dc=example,dc=com

#This is important! Don't use ldap:///192.168.1.1
uri ldap://example.com/
ldap_version 3
rootbinddn cn=admin,dc=example,dc=com
port 389
bind_policy soft
pam_password crypt
ssl start_tls
tls_checkpeer no
tls_cacertfile /etc/ldap/ssl/cert.pem
nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,daemon,dhcp,games,gdm,gnats,haldaemon,hplip,irc,klog,libuuid,list,lp,mail,man,messagebus,news,polkituser,proxy,pulse,root,sync,sys,syslog,uucp,www-data

Now edit /etc/ldap/ldap.conf

BASE    dc=example,dc=com
URI    ldap://example.com
TLS_CACERT /etc/ldap/ssl/cert.pem
TLS_REQCERT never

/etc/pam.d/common-account

account    sufficient   pam_ldap.so
account    required     pam_unix.so

/etc/pam.d/common-auth

auth       sufficient   pam_ldap.so
auth       required     pam_unix.so nullok_secure use_first_pass

/etc/pam.d/common-password

password   sufficient   pam_ldap.so
password   required     pam_unix.so nullok obscure min=4 max=8 md5

/etc/pam.d/common-session

session    required     pam_unix.so
session    required     pam_mkhomedir.so skel=/etc/skel/
session    optional     pam_ldap.so

/etc/nsswitch.conf


passwd: files ldap
group: files ldap
shadow: files ldap

hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

Now we want to make sure users are assigned to the correct groups when they log in, so add the following to /etc/security/groups.conf
gdm;*;*;Al0000-9000;floppy,audio,cdrom,video,plugdev,scanner

Hal does not recognize this, however, so delete the following entries from /etc/dbus-1/system.d/hal.conf


<deny send_interface="org.freedesktop.Hal.Device.Volume"/>
<deny send_interface="org.freedesktop.Hal.Device.Volume.Crypto"/>

We need to edit /etc/pam.d/gdm for the groups.conf file to take effect, so add the following

auth optional pam_group.so

As root, run

nss_updatedb ldap

To mount /home over NFS, add the following to /etc/fstab

192.168.1.1:/home       /home   nfs defaults 0 0

OpenLDAP Client and NFS on Windows XP

I am assuming your LDAP server is set up as per my previous post.

Before we go further, I would suggest setting up NFS and then updating your /etc/ldap/slapd.conf file

Since Windows (for me) had issues importing my openssl generated cert, I had to allow unencrypted. Depending on your setup, you may not find this to be a suitable option. You must then get a CA cert that isn’t self-signed.

Otherwise, just add ‘by auth’ to your existing access block.


access to attrs=userPassword,shadowLastChange
by tls_ssf=128 ssf=128 dn="cn=admin,dc=uwptechforce,dc=com" write
by tls_ssf=128 ssf=128 anonymous auth
by tls_ssf=128 ssf=128 self write
by auth
by * none

/etc/init.d/slapd restart

Go to http://pgina.org/ and download pGina and Plugins. Install pGina and extract the Plugins archive into c:pGina

You will have to install ldapauth; the installer for x86 and x86_64 is located in C:pGinapluginsLDAP

Unfortunately, from here on out we have to use a graphical configuration utility. Execute C:pGinaconfigure.bat

In the ‘Plugin’ tab, Select this file for the ‘Plugin Path’

C:pGinapluginsldapauthldapauth_plus.dll

You may also want to check the Show authentication method checkbox on this tab; it allows you to select between LDAP and the Local machine in the login window.

Under the Account Interaction tab, check:

Keep Profiles: This will allow you to have persistent files/settings, allow you to make persistent permission changes (remote desktop, file permissions, etc.).

Force Login: If you change your password elsewhere, this will allow you to use the local password with the password you’re authenticated with

Under the Profile tab, you might want to consider changing the default groups for users who log in (separated with semi-colons). By default everyone is a ‘Limited’ user; Power Users might be more appropriate for a Windows workstation. Do not set any options for ‘Profiles’; they do not work and will conflict with LDAP.

We will now configure LDAP using the Plugin Tester; it provides a good way to debug issues and allows you to configure/test in an easy manner. Execute C:pGinaplugin_tester.exe

Browse and select C:pGinapluginsldapauthldapauth_plus.dll. Now let’s configure it.

Click on the ‘Search’ button. Next to LDAP Server enter the hostname/ip of your LDAP server. Set the port to 389. Add “ou=People,dc=server,dc=com” in Contexts.

If you would like to restrict what users can log into pGina, you can set this in the User Configuration tab. I would recommend against changing anything else here until you have a working setup.

Now for the test. Push the pGina Load button. Enter a user/pass and push ‘Login’.

If this does not work, do the usual and debug slapd and look in the Event Viewer in Windows.

Now for NFS.

On any linux LDAP client, you will need to getent passwd > map.txt && getent group > map2.txt to generate a passwd-like file for Windows. No passwords are stored here. I suggest doing this on the NFS server in cron.


0 1 * * 1 getent passwd > /nfs/map.txt
0 1 * * 1 getent group > /nfs/map2.txt

Once a week your passwd and group map will be updated; coincidentally Windows NFS client updates it’s mapping once a week by default. Feel free to change this to happen more often if needed.

Still, you need to copy over map.txt and map2.txt from Linux before NFS works.

Google Windows Services for UNIX Version 3.5. Extract it and run the installer; select ONLY the Client for NFS under NFS and User Name Mappings under Authentication tools for NFS. When prompted, choose ‘passwd-like files’ instead of NIS.

When prompted, browse for your map.txt and map2.txt files.

Create a file called C:nfs.bat


mount 192.168.1.1home Z:

You probably want to run this at startup; just add a new “String Value” in HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun with a name like “mount nfs” and a value of C:nfs.bat

This entry can be easily disabled later with msconfig.

Now run nfs.bat, and check to see that a Z: was created. If so, you’re done!