Solaris LDAP client configuration

Oracle Solaris has native LDAP client support built into the OS, so no third-party software is needed to make Solaris use LDAP as the repository for users, groups and other name-service data. There are several ways to configure it, and I will describe a few of them.

If secure (SSL/TLS) communication is required and the server certificates are signed by our own (self-signed) CA, the CA certificate must be installed on each client; otherwise the client will refuse the server's certificate.
This is done by importing the CA certificate into the local NSS certificate store with certutil (/usr/sfw/bin/certutil on Solaris 10, /usr/bin/certutil on Solaris 11). First create the NSS database in /var/ldap, the directory the LDAP client reads its certificates from (leave the database password empty: just press Return):

certutil -N -d /var/ldap
chmod 444 /var/ldap/*.db

Restrict the chmod to the database files (cert8.db, key3.db, secmod.db). A blanket chmod 444 /var/ldap/* would also open up /var/ldap/ldap_client_cred, which holds the proxy bind credentials and must stay readable only by root, on a host where ldapclient has already been run.
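The complete client-side procedure as an added example (not code from the original post): create the database, import the CA, verify that it was stored with the right trust flags, and test the SSL connection with the native ldapsearch. The CA file path, the certificate nickname and the LDAP server name are assumptions for this example; /var/ldap is the Solaris default certificatePath.

```shell
#!/bin/sh
# Added example, not code from the original post: import a private CA into the
# NSS database the Solaris LDAP client uses, verify the trust flags, then test
# the SSL connection. CA_PEM, CA_NICK and LDAP_HOST are assumptions.

DBDIR=${DBDIR:-/var/ldap}                    # Solaris default certificatePath
CA_PEM=${CA_PEM:-/var/tmp/internal-ca.pem}   # assumed path of the CA certificate (PEM)
CA_NICK=${CA_NICK:-"Internal CA"}            # assumed nickname inside the NSS database
LDAP_HOST=${LDAP_HOST:-ldap.example.com}     # assumed LDAP server (its cert must be issued for this name)
PATH=/usr/sfw/bin:/usr/bin:/usr/sbin:$PATH   # Solaris 10 keeps certutil in /usr/sfw/bin

# Create the NSS database (cert8.db, key3.db, secmod.db) if needed and import the
# CA with trust flags "CT,,": C = trusted to issue server certs, T = trusted to
# issue client certs. The LDAP client only needs C; the T does no harm.
import_ca() {
    [ -f "$CA_PEM" ] || { echo "CA file $CA_PEM not found" >&2; return 1; }
    mkdir -p "$DBDIR"
    # certutil -N prompts for a database password: press Return twice to leave it
    # empty, because the LDAP client is non-interactive and cannot supply one.
    [ -f "$DBDIR/cert8.db" ] || certutil -N -d "$DBDIR"
    certutil -A -n "$CA_NICK" -t "CT,," -d "$DBDIR" -i "$CA_PEM"
    # Only the database files become world-readable; ldap_client_cred in the same
    # directory holds the proxy bind password and must stay readable by root only.
    chmod 444 "$DBDIR"/*.db
}

# has_ca_trust <nickname>: read "certutil -L" output on stdin and succeed only if
# that nickname is listed and the SSL column of its trust attributes contains "C".
# Pure text processing, so it can also be run against captured output.
has_ca_trust() {
    awk -v nick="$1" '
        NR > 2 && NF > 1 {
            flags = $NF                            # e.g. "CT,," or "u,u,u"
            sub(/[ \t]+[^ \t]+$/, "", $0)          # drop the trust column -> nickname
            if ($0 == nick) {
                found = 1
                ssl = substr(flags, 1, index(flags, ",") - 1)   # first of SSL,S/MIME,JAR/XPI
                if (index(ssl, "C")) ok = 1
            }
        }
        END { exit !(found && ok) }'
}

verify_trust() {
    certutil -L -d "$DBDIR" | has_ca_trust "$CA_NICK"
}

# Anonymous base search over LDAPS using the NSS database (Solaris ldapsearch:
# -Z = use SSL, -P = certificate database path). A failure here usually means the
# wrong CA was imported or the server certificate was not issued for LDAP_HOST.
verify_tls() {
    ldapsearch -h "$LDAP_HOST" -p 636 -Z -P "$DBDIR" -b "" -s base "objectclass=*"
}

if [ "${1:-}" = "--run" ]; then
    import_ca && verify_trust && verify_tls
fi
```

Run it as root with `--run`; the three steps stop at the first failure, so a wrong nickname or a certificate not issued for the server's name shows up before ldapclient is touched.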


LDAP server for Solaris and Linux clients

A few months ago I received a task to set up LDAP authentication for Solaris 10, Solaris 11 and Linux machines in a customer's infrastructure. OpenLDAP 2.4.x in a master-slave configuration with SSL/TLS support was chosen as the LDAP server. The servers were installed on virtual machines running CentOS 6.7.
I will not describe the LDAP installation, because on modern Linux distributions it is as simple as:

$ sudo yum install openldap-servers


Solaris 10 Release and Solaris Cluster 3.x upgrade + patching

At the time of writing, the newest release of Solaris 10 is Update 11 (1/13) and the newest Solaris Cluster for Solaris 10 is 3.3u2.
Cluster 3.2 is still supported by Oracle, but patches are no longer released for it. Update 11 is probably the last release of Solaris 10, and it brings features that you do not get by only applying the Recommended Patch set to an older release.
Before starting the upgrade, check and fix any issues with the current system and environment.
Check the cluster status, quorum device status, running services, zpools, metadevices, metasets, hardware components and so on.
If anything is wrong, fix it before you start. Plan your maintenance window and back up your files and configuration.
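That checklist as a script, added here as an example (not from the original post). Each item is one command whose full output goes to a report file; where a clean exit status proves nothing (svcs -xv, zpool status -x, metastat and fmadm faulty all exit 0 on a broken system) the output is matched against a pattern instead. The report path is an assumption; the command names are those of Solaris 10 with Cluster 3.2/3.3.

```shell
#!/bin/sh
# Added example, not from the original post: pre-maintenance health check for a
# Solaris 10 node running Solaris Cluster 3.2/3.3. /usr/cluster/bin holds the
# cl* commands; /usr/xpg4/bin goes first so that "grep -E" works on Solaris 10.
PATH=/usr/cluster/bin:/usr/xpg4/bin:/usr/sbin:/usr/bin:$PATH
REPORT=${REPORT:-${TMPDIR:-/tmp}/precheck-$(date +%Y%m%d-%H%M).log}   # assumed location
FAILED=""

verdict() {   # verdict <label> <text>: one line to the terminal and to the report
    printf '%-24s %s\n' "$1" "$2" | tee -a "$REPORT"
}

# run_check <label> <command...>: FAIL if the command exits non-zero.
run_check() {
    label=$1; shift
    if ! command -v "$1" >/dev/null 2>&1; then
        verdict "$label" "SKIP ($1 not installed)"; return 0
    fi
    printf '\n===== %s: %s =====\n' "$label" "$*" >>"$REPORT"
    if "$@" >>"$REPORT" 2>&1; then
        verdict "$label" "OK"
    else
        verdict "$label" "FAIL (see $REPORT)"; FAILED="$FAILED '$label'"; return 1
    fi
}

# check_output <present|absent> <label> <ERE> <command...>: FAIL unless the
# pattern is found (present) / not found (absent) in the command's output.
check_output() {
    mode=$1; label=$2; pattern=$3; shift 3
    if ! command -v "$1" >/dev/null 2>&1; then
        verdict "$label" "SKIP ($1 not installed)"; return 0
    fi
    out=$("$@" 2>&1) || :
    printf '\n===== %s: %s =====\n%s\n' "$label" "$*" "$out" >>"$REPORT"
    if printf '%s\n' "$out" | grep -Eq "$pattern"; then hit=1; else hit=0; fi
    if { [ "$mode" = present ] && [ $hit = 1 ]; } || { [ "$mode" = absent ] && [ $hit = 0 ]; }; then
        verdict "$label" "OK"
    else
        verdict "$label" "FAIL (/$pattern/ should be $mode, see $REPORT)"
        FAILED="$FAILED '$label'"; return 1
    fi
}

precheck() {
    : >"$REPORT"
    run_check    "cluster status"          cluster status
    check_output absent  "quorum devices"  'Offline'                        clquorum status
    check_output absent  "resource groups" 'Error|Faulted'                  clresourcegroup status
    run_check    "device groups"           cldevicegroup status
    check_output absent  "smf services"    'State: (maintenance|degraded)'  svcs -xv
    check_output present "zpools"          'all pools are healthy'          zpool status -x
    check_output absent  "svm metadevices" 'Needs maintenance|Last Erred'   metastat
    run_check    "svm metasets"            metaset
    check_output absent  "fma faults"      'EVENT-ID'                       fmadm faulty
    run_check    "device paths"            cfgadm -al
    run_check    "disk space"              df -k / /var /usr
    echo
    if [ -n "$FAILED" ]; then
        echo "Fix these before the maintenance window:$FAILED"; return 1
    fi
    echo "All checks passed; full output in $REPORT"
}

if [ "${1:-}" = "--run" ]; then precheck; fi
```

Run it on every node, keep the report with the change record, and rerun it after the upgrade: the diff between the two reports is the quickest way to spot a resource group or metadevice that did not come back.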

Migrating the root disk into a mirror in LVM

I've found several manuals describing how to add a second disk to a Volume Group and turn it into a mirror. This does not look complex, and anyone can do it as long as everything works as described in the documentation. The problems start when something goes wrong and one of the steps fails.
In my environment there is a virtual machine with CentOS 7 hosted on VMware ESXi. The VM has its system disk on one datastore. To provide redundancy at the OS level I decided to add a second disk of the same capacity from another datastore and create a RAID-1 (mirror) across them.

Trusted certificates for free – StartSSL

How many times have you seen the pop-up "The security certificate of this site is not trusted!"? We are used to it, and most people do not even check who the Certificate Authority is or for whom the certificate was issued; they just click and confirm that they accept the risk. This is not proper behaviour: a certificate should be trusted, issued for the proper subject (domain), not expired, and signed by a trusted Certificate Authority (CA). This matters most when you are dealing with a bank, an e-shop or a mobile operator, but what about private blogs and sites? Most of them use self-signed certificates: the domain and the validity dates are fine, but they are not signed by a CA known to our browsers. So what do you do when your own site uses SSL/TLS and needs a trusted certificate? You can get one from StartSSL.com free of charge! Yes, I have been using them on my sites for a long time.

First you need to fill in the registration form with your own data. After the data has been verified you will receive a verification code by email and will be able to authenticate on the StartSSL site. A personal (client) certificate will be installed automatically in your browser; it is good practice to back it up (export it), since it is the only credential for logging in to the account, and the StartSSL FAQ explains how to do the export. The next step is domain validation, for which you need one of the mailboxes (or aliases) postmaster@your.domain.com, webmaster@your.domain.com or hostmaster@your.domain.com; you choose which of them receives the verification code. After validation you will be able to generate certificates for a website, a mail server, Jabber and so on. Good luck!

Postscreen – Greylisting in Postfix

Greylisting is a well-known anti-spam technique. It is based on the observation that spamming hosts (zombies) do not have time for retransmission: they try to send as much spam as possible in the shortest time, connecting to many mail servers and pushing the message without even waiting for the server's responses. Legitimate mail servers, in contrast, introduce themselves, wait for the server's response, and only then begin the mail submission. If they receive a temporary error code (4xx) from the server, they will try to submit the mail again after a defined period (e.g. 5 minutes).
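A Postfix postscreen setup that exploits exactly this behaviour, added here as an example (not from the original post): the pre-greeting test catches clients that talk before the 220 banner, and the after-220 tests produce the greylisting effect, because a new client that passes them is answered with a 4xx and must come back. The settings are applied with postconf; the mail-log sample in the self-check is constructed, and the log line formats follow postscreen's logging.

```shell
#!/bin/sh
# Added example, not from the original post: put postscreen in front of smtpd and
# enable its after-220 ("deep") protocol tests. A client that passes the deep tests
# cannot be handed over to smtpd in the same session, so postscreen replies
# "450 4.3.2 Service currently unavailable", records the client in its cache and
# lets it straight through on the next connection. Zombies never come back; real
# MTAs retry. Needs Postfix 2.8+ (2.11+ for "postconf -M -e"; older versions:
# edit master.cf by hand to the same four lines).

# main.cf settings as "name = value" lines. Values that differ from the Postfix
# defaults: greet_action, the three *_enable switches and bare_newline_action.
postscreen_settings() {
    cat <<'EOF'
postscreen_greet_wait = ${stress?2}${stress:6}s
postscreen_greet_action = enforce
postscreen_pipelining_enable = yes
postscreen_pipelining_action = enforce
postscreen_non_smtp_command_enable = yes
postscreen_non_smtp_command_action = drop
postscreen_bare_newline_enable = yes
postscreen_bare_newline_action = enforce
postscreen_access_list = permit_mynetworks
postscreen_cache_map = btree:$data_directory/postscreen_cache
postscreen_greet_ttl = 1d
postscreen_pipelining_ttl = 30d
postscreen_non_smtp_command_ttl = 30d
postscreen_bare_newline_ttl = 30d
EOF
}

apply_postscreen() {
    command -v postconf >/dev/null 2>&1 || { echo "postconf not found" >&2; return 1; }
    postscreen_settings | while IFS= read -r line; do postconf -e "$line"; done
    # master.cf: postscreen owns port 25, smtpd becomes a "pass" service fed by it,
    # dnsblog and tlsproxy are its helpers. Do not front the submission port (587)
    # with postscreen: it is meant for other MTAs, not for authenticating users.
    postconf -M -e 'smtp/inet=smtp inet n - n - 1 postscreen'
    postconf -M -e 'smtpd/pass=smtpd pass - - n - - smtpd'
    postconf -M -e 'dnsblog/unix=dnsblog unix - - n - 0 dnsblog'
    postconf -M -e 'tlsproxy/unix=tlsproxy unix - - n - 0 tlsproxy'
    postfix reload
}

# postscreen_count <verdict>: number of postscreen log lines carrying that verdict
# (PREGREET, "PASS NEW", "PASS OLD", "DNSBL rank", HANGUP ...) read from stdin.
postscreen_count() {
    grep -c "postfix/postscreen\[[0-9]*]: .*$1" || :
}

# postscreen_summary: one line per verdict with its count, most frequent first.
# Run as: postscreen_summary < /var/log/maillog
postscreen_summary() {
    awk '/postfix\/postscreen\[/ {
        if ($0 ~ /PREGREET/)             c["PREGREET (spoke before the banner)"]++
        else if ($0 ~ /PASS NEW/)        c["PASS NEW (passed, told to retry)"]++
        else if ($0 ~ /PASS OLD/)        c["PASS OLD (cached, handed to smtpd)"]++
        else if ($0 ~ /WHITELISTED/)     c["WHITELISTED (access list)"]++
        else if ($0 ~ /DNSBL rank/)      c["DNSBL rank (listed)"]++
        else if ($0 ~ /NOQUEUE: reject/) c["REJECTED"]++
        else if ($0 ~ /HANGUP/)          c["HANGUP (client gave up)"]++
    }
    END { for (k in c) printf "%6d %s\n", c[k], k }' | sort -rn
}

if [ "${1:-}" = "--apply" ]; then apply_postscreen; fi
```

After a day in production, `postscreen_summary < /var/log/maillog` tells you what the tests are doing: PREGREET is the zombie signature described above, and a healthy ratio of PASS OLD to PASS NEW shows that legitimate senders are being cached rather than delayed on every message.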

Mail system implementation

My experience from implementing different systems shows that an implementation should be done in stages: at each stage you can see whether it works and whether there is room for improvement, and only then move on to the next stage. A mail system implementation is no exception. We can divide it into the following stages:

Stage I

Basic configuration of sending and receiving mail for system users

Building mail system

This description is based on the experience I gained during the implementation of the mail system at the University of Silesia (Katowice, Poland). In the first stage there were about 3,000 users; now the system handles about 40k mail users. The whole system (excluding Sophos AV) is based on Open Source software. Its main components are:

Postfix – compilation

Postfix does not have a configure script, so you need to pass the proper paths and libraries when you generate the Makefiles (make makefiles). I must admit that the Postfix code is one of the least problematic to compile on different systems. To make my compilations reproducible, I wrote a script that sets the proper compilation options.
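An example of such a wrapper, added here and not the author's own script: the optional features are switched on with -D flags in CCARGS and their libraries are listed in AUXLIBS, and both must be passed to make makefiles before the build. The library locations (/usr/sfw for the Solaris companion software, /opt/csw for CSW packages) and the Solaris-specific -R runpath flag are assumptions; change them to match your system.

```shell
#!/bin/sh
# Added example, not the author's script: reproducible "make makefiles" for Postfix.
# Feature -> compiler define -> library, as documented in Postfix's TLS_README,
# SASL_README, PCRE_README, LDAP_README and MYSQL_README. Paths are assumptions for
# a Solaris 10 host; -R (runpath) is Solaris ld syntax, Linux uses -Wl,-rpath.
PREFIX_SFW=${PREFIX_SFW:-/usr/sfw}    # OpenSSL from the Solaris companion CD (assumed)
PREFIX_CSW=${PREFIX_CSW:-/opt/csw}    # SASL, PCRE, LDAP, MySQL from OpenCSW (assumed)

# build_args <feature>...: print "CCARGS=..." and "AUXLIBS=..." for the features
# tls, sasl, pcre, ldap, mysql. An unknown feature name is an error, so a typo
# cannot silently produce a Postfix without TLS.
build_args() {
    ccargs='-DDEF_CONFIG_DIR=\"/etc/postfix\"'
    auxlibs=''
    for f in "$@"; do
        case $f in
            tls)   ccargs="$ccargs -DUSE_TLS -I$PREFIX_SFW/include"
                   auxlibs="$auxlibs -L$PREFIX_SFW/lib -R$PREFIX_SFW/lib -lssl -lcrypto" ;;
            sasl)  ccargs="$ccargs -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I$PREFIX_CSW/include/sasl"
                   auxlibs="$auxlibs -L$PREFIX_CSW/lib -R$PREFIX_CSW/lib -lsasl2" ;;
            pcre)  ccargs="$ccargs -DHAS_PCRE -I$PREFIX_CSW/include"
                   auxlibs="$auxlibs -L$PREFIX_CSW/lib -R$PREFIX_CSW/lib -lpcre" ;;
            ldap)  ccargs="$ccargs -DHAS_LDAP -I$PREFIX_CSW/include"
                   auxlibs="$auxlibs -L$PREFIX_CSW/lib -R$PREFIX_CSW/lib -lldap -llber" ;;
            mysql) ccargs="$ccargs -DHAS_MYSQL -I$PREFIX_CSW/include/mysql"
                   auxlibs="$auxlibs -L$PREFIX_CSW/lib/mysql -R$PREFIX_CSW/lib/mysql -lmysqlclient -lz -lm" ;;
            *)     echo "unknown feature: $f (known: tls sasl pcre ldap mysql)" >&2; return 1 ;;
        esac
    done
    printf 'CCARGS=%s\nAUXLIBS=%s\n' "$ccargs" "$auxlibs"
}

# build_postfix <source dir> <feature>...: regenerate the Makefiles and build.
# "make makefiles" must be re-run whenever CCARGS/AUXLIBS change; otherwise the
# old flags stay baked into the existing Makefiles and the new feature is missing.
build_postfix() {
    srcdir=$1; shift
    [ -f "$srcdir/makedefs" ] || { echo "$srcdir is not a Postfix source tree" >&2; return 1; }
    args=$(build_args "$@") || return 1
    ccargs=$(printf '%s\n' "$args" | sed -n 's/^CCARGS=//p')
    auxlibs=$(printf '%s\n' "$args" | sed -n 's/^AUXLIBS=//p')
    ( cd "$srcdir" && make tidy >/dev/null 2>&1; make makefiles CCARGS="$ccargs" AUXLIBS="$auxlibs" && make )
}

if [ "${1:-}" = "--build" ]; then shift; build_postfix "$@"; fi
```

Usage: `./build.sh --build /usr/local/src/postfix-2.11.x tls sasl pcre` (version in the path is illustrative). After the build, `postconf -m` and `postconf -A` list the map types and SASL plug-ins that were actually compiled in, which is the check that the flags took effect.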
