Category Archives: UNIX Like

Lightweight Directory Access Protocol (LDAP) Linux

In this section we also describe the web-based LDAP client phpLDAPadmin, which simplifies LDAP configuration. Honestly, this is a ‘deprecated’ article from my older posts, but it should still meet your needs.
The content consists of two parts: 1). installation and configuration of LDAP and phpLDAPadmin, and 2). integration of LDAP into the Thunderbird address book for e-mail purposes.
Ok, here we are. Ubuntu 16.04 Xenial will be our operating system for this. It ships the packages we need; here are the commands to install LDAP:

1). Installation and configuration LDAP and phpLDAPadmin

root@ubuntu:/home/tifosilinux# apt-get update
root@ubuntu:/home/tifosilinux# apt-get install slapd ldap-utils
root@ubuntu:/home/tifosilinux# slapd -VVV
@(#) $OpenLDAP: slapd  (Ubuntu) (Oct 23 2018 12:47:19) $
        buildd@lgw01-amd64-005:/build/openldap-rkQ3K8/openldap-2.4.42+dfsg/debian/build/servers/slapd

Included static backends:
    config
    ldif

The output above tells us that slapd is installed and ready to be configured. Reconfigure it:

root@ubuntu:/home/tifosilinux# dpkg-reconfigure slapd

You will be prompted for the administrator password, DNS domain name, organization name and database backend (BDB, HDB or MDB). For a quick deployment, install phpldapadmin and load entries from .ldif files (rather than CSV, DSML or vCard), like these:

root@ubuntu:/home/tifosilinux# ldapsearch -x
# extended LDIF
#
# LDAPv3
# base <dc=hary,dc=tifosilinux,dc=com> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# hary.tifosilinux.com
dn: dc=hary,dc=tifosilinux,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: telkom
dc: hary

# admin, hary.tifosilinux.com
dn: cn=admin,dc=hary,dc=tifosilinux,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator

# users, hary.tifosilinux.com
dn: ou=users,dc=hary,dc=tifosilinux,dc=com
objectClass: organizationalUnit
objectClass: top
ou: users

# groups, hary.tifosilinux.com
dn: ou=groups,dc=hary,dc=tifosilinux,dc=com
objectClass: organizationalUnit
objectClass: top
ou: groups

# admin, users, hary.tifosilinux.com
dn: cn=admin,ou=users,dc=hary,dc=tifosilinux,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
cn: harysmatta
cn: admin
givenName: hary

...

root@ubuntu:/home/tifosilinux# cat self.ldif
dn: cn=admin, ou=users,dc=hary,dc=tifosilinux,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
cn: Libria Puji
gn: Bia
sn: Agustiani
userPassword: secret
mail: beeya@yahoo.com
o: telkom
postofficebox: PO Box 17135
l: Jakarta Forest
st: JKT
postalCode: 17135
telephoneNumber: (02) 9451 1144
facsimileTelephoneNumber: (02) 9451 1122
mobile: 0408 239 711

# Edit the phpLDAPadmin configuration
root@ubuntu:/home/tifosilinux# vim /etc/phpldapadmin/config.php
...
/* Hide the warnings for invalid objectClasses/attributes in templates. */
$config->custom->appearance['hide_template_warning'] = true;
...
/* Examples:
   'ldap.example.com',
   'ldaps://ldap.example.com/',
   'ldapi://%2fusr%local%2fvar%2frun%2fldapi'
           (Unix socket at /usr/local/var/run/ldap) */
$servers->setValue('server','host','192.168.75.158');

/* The port your LDAP server listens on (no quotes). 389 is standard. */
// $servers->setValue('server','port',389);

/* Array of base DNs of your LDAP server. Leave this blank to have phpLDAPadmin
   auto-detect it for you. */
#$servers->setValue('server','base',array('dc=example,dc=com'));
$servers->setValue('server','base',array('dc=hary,dc=tifosilinux,dc=com'));
...

root@ubuntu:/home/tifosilinux# ldapadd -x -D 'cn=admin,dc=hary,dc=tifosilinux,dc=com' -W -f <filename>.ldif
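Before running ldapadd it is worth linting the LDIF for the two things slapd will reject or a security review will flag: the RDN value (here cn=admin) must appear among the entry's cn values, and userPassword should arrive hashed rather than cleartext (generate it with slappasswd, or make the server hash it with the ppolicy overlay's ppolicy_hash_cleartext). The Python below is an added example, not code from the original post; its sample LDIF is constructed from the shape of self.ldif above, and the {SSHA} helpers show the format slapd stores.

```python
import base64
import hashlib
import os
import re
from typing import Dict, List, Optional

# Constructed sample adapted from the shape of self.ldif above: the RDN is cn=admin, but
# no cn value is "admin", and userPassword is cleartext (test input, not the real file).
SAMPLE_LDIF = """\
dn: cn=admin, ou=users,dc=hary,dc=tifosilinux,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
cn: Libria Puji
sn: Agustiani
userPassword: secret
"""

HASH_PREFIX = re.compile(r"^\{(SSHA|SHA|SMD5|MD5|CRYPT|ARGON2)\}", re.I)

def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: folds continuation lines, decodes 'attr:: base64', splits on blank lines."""
    entries, entry, lines = [], {}, []
    for raw in text.splitlines() + [""]:          # trailing "" flushes the last entry
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]                  # continuation of the previous line
        elif raw.strip():
            lines.append(raw)
        else:
            for line in lines:
                if line.startswith("#"):
                    continue
                attr, rest = line.split(":", 1)
                if rest.startswith(":"):          # base64-encoded value
                    rest = base64.b64decode(rest[1:].strip()).decode("utf-8")
                entry.setdefault(attr.strip().lower(), []).append(rest.strip())
            if entry:
                entries.append(entry)
            entry, lines = {}, []
    return entries

def check_entry(entry: Dict[str, List[str]]) -> List[str]:
    """Problems slapd rejects (result codes 64/65) or a security review flags."""
    problems = []
    rdn_attr, _, rdn_val = entry.get("dn", [""])[0].split(",", 1)[0].partition("=")
    rdn_attr, rdn_val = rdn_attr.strip().lower(), rdn_val.strip()
    if rdn_val.lower() not in [v.lower() for v in entry.get(rdn_attr, [])]:
        problems.append(f"naming violation (64): {rdn_attr}={rdn_val} is not a value of {rdn_attr}")
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if classes & {"person", "organizationalperson", "inetorgperson"}:
        for must in ("cn", "sn"):                 # person MUST ( sn $ cn )
            if must not in entry:
                problems.append(f"object class violation (65): person requires {must}")
    for pw in entry.get("userpassword", []):
        if not HASH_PREFIX.match(pw):
            problems.append("userPassword is cleartext: hash it with slappasswd or set ppolicy_hash_cleartext")
    return problems

def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """The {SSHA} form slappasswd emits and slapd stores: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(stored: str, password: str) -> bool:
    raw = base64.b64decode(stored[len("{SSHA}"):])   # 20-byte SHA-1 digest followed by the salt
    return raw[:20] == hashlib.sha1(password.encode("utf-8") + raw[20:]).digest()
```

Run check_entry over each parsed entry before ldapadd; anything it reports would otherwise come back from slapd as a naming or object class violation, or be stored as a readable password.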

For reference, these are the LDAP attribute abbreviations used in the address-book entries:

  • CN = Common Name
  • OU = Organizational Unit
  • DC = Domain Component

Next, decide what you want to create in phpLDAPadmin, e.g. Generic: User Account, Generic: Posix Group, Generic: Organisational Unit, or others.


2). Integration of LDAP into the Thunderbird address book for e-mail purposes.

Eventually, porting this to other technologies in our corporate environment can be quite challenging.


Sorting Algorithm with Python

There are many ways to sort data besides the sort command on Linux/Unix (although in other cases the sort command can save you time). For example, sort with the options -n and -r sorts a file of numeric data in reverse order (~# sort -nr file_with_numeric.txt); you can also use -k to choose the column to sort on (~# sort -k 2n file_with_two_column.txt) and -M to sort by month name. But that is outside the topic of this post: here Python is the programming language for understanding which method is the fastest for our data wrangling/munging. Bubble sort, insertion sort, selection sort and quicksort will be our choices for sorting data efficiently and correctly.

data_structure_quicksort.py

#!/usr/bin/env python3.5

import time

# Python program for implementation of Quicksort Sort 

# This function takes last element as pivot, places 
# the pivot element at its correct position in sorted 
# array, and places all smaller (smaller than pivot) 
# to left of pivot and all greater elements to right 
# of pivot 

start = time.time()

def partition(arr,low,high):
    i = ( low-1 )        # index of smaller element
    pivot = arr[high]    # pivot
    
    for j in range(low , high): 

        # If current element is smaller than or 
        # equal to pivot
        print('arr[j] & pivot | j = %d & %d | %d \t\t' % (arr[j],pivot,j), end='')
        print()
        if arr[j] <= pivot:
            
            # increment index of smaller element
            i = i+1
            print('cond.bf arr[i], arr[j] | i & j = %d & %d | %d & %d \t\t' % (arr[i],arr[j], i, j), end='')
            arr[i],arr[j] = arr[j],arr[i]
            print('cond.aft arr[i], arr[j] | i & j = %d & %d | %d & %d \t\t' % (arr[i],arr[j], i, j), end='')
            print()

    print('++++++++++++++++++++++++++++++++++++++++++++')
    print('before arr[i+1], before arr[high] = %d & %d \t\t' % (arr[i+1],arr[high]), end='')            
    arr[i+1],arr[high] = arr[high],arr[i+1]
    print('after arr[i+1], after arr[high] = %d & %d \t\t' % (arr[i+1],arr[high]), end='')
    return ( i+1 ) 

# The main function that implements QuickSort 
# arr[] --> Array to be sorted, 
# low --> Starting index, 
# high --> Ending index 

# Function to do Quick sort 
def quickSort(arr,low,high):
    print()
    print('kondisi array terkini : ' , arr)
    print('low & high : %d & %d \t' % (low,high), end='')
    print()
    if low < high:
    
        # pi is partitioning index, arr[p] is now
        # at right place
        pi = partition(arr,low,high)
        print('Begin value of element : ', arr, low, high, pi)
        print()
        # Separately sort elements before
        # partition and after partition
        quickSort(arr, low, pi-1)
        print('End value of element : ', arr, low, pi-1)
        quickSort(arr, pi+1, high)
        print('Get value of element : ', arr, pi+1, high)

# Driver code to test above 
arr = [56,8,88,1,4,3,17,20,3,87]
print('Initiate array : ', arr)
n = len(arr)
quickSort(arr,0,n-1) 

print ("Sorted array is:")
for i in range(n):
    print ("%d " % arr[i], end='')

print()
print()
end = time.time()
print('Speed time : ',(end-start))

# This code is contributed by Mohit Kumra - modified by HarysMatta

The rest of the code is on my GitHub account; check it out (in the logic directory): https://github.com/Haryjava/python.git

Sense of firewall with pfSense

Here are some captures from a small task of mine on using the pfSense HAProxy package, which is adapted from the native HAProxy service. The main purpose is to avoid the usual complicated configuration, with a pretty user interface (UI) and a comfortable user experience (UX). pfSense is developed and maintained by Netgate; if we install the latest version, it has a bunch of features we can use for our security needs, such as VPN, captive portal, DNS, DHCP, Snort, Zabbix, and even SSL configuration.
Following these steps will let you accomplish SSL for Nginx without setting the key, chain, ciphers and so on in the Nginx sites-enabled or sites-available configuration.

  • Go to System – Cert. Manager – Certificates to add or sign the SSL certificate/chain and .key we have been using (see https://tifosilinux.wordpress.com/2019/02/25/haproxy-gnu-linux/)
  • Choose Import an existing certificate, then paste your chain certificate and key into the fields provided. With this step we no longer need ssl_certificate or ssl_certificate_key in the Nginx config; it is enough to listen on port 80 instead of 443, and we do not need ssl on.
  • Go to Firewall – Rules – WAN to define your destination and port
  • Go to Firewall – NAT – Port Forward, where we redirect the domain/subdomain ‘with SSL’ to the specific machine: same public IP, different port, forwarded to the private IP.
  • Go to Services – HAProxy – Add Frontend (defined by the public IP with port 443 in the address field, e.g. 123.456.789.012:443)
  • Go to Services – HAProxy – Add Backend (defined by the private IP with port 80 in the address field of the server list, e.g. 10.10.2.26:80)

Here we are

Finally, here is the sample Nginx configuration without SSL enabled (HAProxy on pfSense terminates TLS and forwards plain HTTP):

server {
    listen 80;
    index index.php index.html index.htm;

    set $root_path '/var/www/html/';
    root $root_path;

    server_name 10.10.2.26;

    location / {
        set $root_path "$root_path/cms-merchant-biller";
        try_files $uri $uri/ @up_op_rewrite;
    }

    location @up_op_rewrite {
        rewrite ^/report-ppob/(.*)$ /index.php?_url=/$1;
    }

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Compare Files Line by Line with diff

There are a lot of useful arguments to the diff tool: how to get only the additions between two files on Linux, how to just report whether the files differ, how to print a message when the files are the same, or how to show the differences side by side.
Now you could use the first one as your ‘alternative Excel’. Here is the code (the grep patterns are anchored with ^; an unanchored grep -v '-' would also drop every CSV line that merely contains a hyphen):

$ diff -u file1-1.csv file1.csv | grep -v '^-'

OR

$ diff -u file1-1.csv file1.csv | grep '^+' | grep -v '^+++ '

HAProxy GNU/ Linux

This is a simple configuration for HAProxy that integrates with SSL-enabled Nginx (Secure Sockets Layer) in LXC. A picture is worth a thousand words, so you should be able to read the configuration below without a long description from me.

global
    nbproc          16
    log         127.0.0.1 local2
 
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     40000
    user        haproxy
    group       haproxy
    daemon
 
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3
    tune.ssl.default-dh-param 2048   # 2048 is better, but more processor intensive
 
    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats
 
 
defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        option http-server-close
        option forwardfor
        timeout connect 5000
        timeout client  50000
        timeout server  50000
 
 
frontend http-in
  bind *:80
  mode http
  acl is_alpha hdr_end(host) -i <domain1>.co.id
  acl is_files hdr_end(host) -i <domain2>.id
  acl is_dila hdr_end(host) -i <domain3>.co.id
  use_backend alpha_http if is_alpha
  use_backend files_http if is_files
  use_backend dila_http if is_dila
   
frontend https-in
  bind *:443
  mode tcp
  option tcplog
  # TLS passthrough: in tcp mode HAProxy never sees HTTP headers, so HTTP-only
  # options such as 'option forwardfor' do not apply here (HAProxy warns and ignores them)
  tcp-request inspect-delay 5s

  tcp-request content accept if { req_ssl_hello_type 1 }
  use_backend dila_https if { req_ssl_sni -i <domain3>.co.id }

 
backend alpha_http
        option http-server-close
        option forwardfor
        balance leastconn
        mode http
        server stn_container <Private IP domain1>
 
backend files_http
        balance leastconn
        mode http
        # Learn on response if server hello.
        server stn_container1 <Private IP domain2>
 
backend dila_http
        balance leastconn
        mode http
        server stn_container1 <Private IP domain3>
 
backend dila_https
        mode tcp
        # tcp mode again: 'option forwardfor' / 'http-server-close' are HTTP-only and
        # cannot pass the client IP to Nginx; TLS is terminated by Nginx itself below
        server dila-https <Private IP domain3>

Nginx server block inside the <domain3> container:

server {
    listen 172.17.61.40:443 ssl;
    server_name     <domain3>.co.id;
    ssl     on;

    ssl_certificate     /etc/ssl/nginx/domain.chained.crt;
    ssl_certificate_key /etc/ssl/nginx/star_domain.key;

    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); drop them once your clients allow
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers   HIGH:!aNULL:!MD5;

    index index.php index.html index.htm;
    set $root_path '/var/www/html/';
    root $root_path;

    location / {
        set $root_path "$root_path/<apps>/public/";
        try_files $uri $uri/ @up_op_rewrite;
    }

    location @up_op_rewrite {
        rewrite ^/(.*)$ /index.php?_url=/$1;
    }

    location ~ \.php($|/) {
        # with try_files disabled, set cgi.fix_pathinfo=0 in php-fpm so that
        # /uploads/image.jpg/x.php is not executed as PHP
        #try_files $uri =404;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        fastcgi_split_path_info ^(.+\.php)(.*)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
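The https-in frontend above routes without decrypting: tcp-request inspect-delay buffers the first bytes, req_ssl_hello_type 1 accepts once a ClientHello is seen, and req_ssl_sni reads the server_name extension from it. The Python below is an added example (not part of the original post) that builds a ClientHello and parses it the way that ACL does; the backend map is an assumption mirroring the use_backend line. It also shows two consequences of this design: a client that sends no SNI matches no use_backend and, with no default_backend, is simply closed, and nothing in tcp mode can insert X-Forwarded-For, because HAProxy never sees the HTTP headers.

```python
import struct
from typing import Optional

# Assumed backend map mirroring the page's rule:
#   use_backend dila_https if { req_ssl_sni -i <domain3>.co.id }
SNI_BACKENDS = {"domain3.co.id": "dila_https"}

def build_client_hello(server_name: Optional[str]) -> bytes:
    """Constructed TLS 1.2 ClientHello record, optionally carrying a server_name extension."""
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name     # name_type host_name(0)
        sni = struct.pack("!H", len(entry)) + entry                # server_name_list
        exts = struct.pack("!HH", 0x0000, len(sni)) + sni          # extension_type 0 = SNI
    body = (b"\x03\x03" + bytes(32)                                # client_version, random
            + b"\x00"                                              # empty session_id
            + struct.pack("!H", 2) + b"\xc0\x2f"                   # one cipher suite
            + b"\x01\x00"                                          # null compression only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes) -> Optional[str]:
    """What req_ssl_sni evaluates to: the host_name of a complete ClientHello, else None."""
    # req_ssl_hello_type 1: a handshake record (0x16) whose message type is client_hello (1)
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    if len(body) < hs_len:
        return None            # incomplete: HAProxy keeps buffering up to inspect-delay
    try:
        pos = 2 + 32           # skip client_version and random
        pos += 1 + body[pos]   # session_id
        pos += 2 + struct.unpack_from("!H", body, pos)[0]   # cipher_suites
        pos += 1 + body[pos]   # compression_methods
        if pos + 2 > len(body):
            return None        # no extensions block at all (very old clients)
        end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", body, pos)
            pos += 4
            if etype == 0x0000:
                p = pos + 2    # skip server_name_list length
                while p + 3 <= pos + elen:
                    ntype, nlen = body[p], struct.unpack_from("!H", body, p + 1)[0]
                    if ntype == 0:
                        return body[p + 3:p + 3 + nlen].decode("ascii", "replace")
                    p += 3 + nlen
            pos += elen
    except (IndexError, struct.error):
        return None            # malformed hello: treat as "no SNI"
    return None

def choose_backend(record: bytes) -> Optional[str]:
    """Route like the https-in frontend: case-insensitive SNI match, no default_backend."""
    sni = extract_sni(record)
    if sni is None:
        return None            # no hello / no SNI: no use_backend matches, connection is closed
    return SNI_BACKENDS.get(sni.lower())
```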

Ansible – Openshift

Introduction


Technology is sometimes ‘disruptive’, in quotes: it disturbs us by always developing dynamically over time. Recalling Moore's law for the growth curve of microprocessor speed, we are not only required to keep up with every development; on the other side, we leverage ourselves to acquire the skills that support performance at work. One example is automation, which is very useful for system administrators or DevOps managing tens or even hundreds of servers, beyond custom scripts. Although not new, judging by the features it provides, Ansible is quite capable here. In addition, we can integrate it with OpenShift as a PaaS (Platform as a Service) or container platform, where we can develop the applications we build (in Java, Perl, JavaScript, PHP, Python, Ruby or .NET) and deploy them.

Ansible

[root@master tifosilinux]# ansible --version
ansible 2.7.0
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.5 (default, Jul 13 2018, 13:06:57) [GCC 4.8.5 20150623 (Red Hat 4.8.5-28)]

In this post Ansible 2.7 runs on CentOS 7; installation and configuration are not difficult. Just use the following command and Ansible is in your operating system environment:

~# yum install -y epel-release && yum -y --enablerepo=epel install docker ansible git wget

Here is the configuration used in /etc/ansible/hosts:

[OSEv3:children]
masters
nodes

[OSEv3:vars]
ansible_ssh_user=tifosilinux

ansible_sudo=true
ansible_ask_sudo_pass=false
ansible_become=true

deployment_type=origin

#openshift_master_identity_providers=[{'name':'htpasswd_auth','login':'true','challenge':'true','kind':'HTPasswdPasswordIdentityProvider','filename': '/etc/origin/master/htpasswd'}]

containerized=true
openshift_release=v3.10
openshift_image_tag=v3.10
openshift_public_hostname=master.tifosilinux
# The master default subdomain can stay commented out if we do not point it (with a key) at cloud hosting / a domain
#openshift_master_default_subdomain=apps.master.tifosilinux

[masters]
master.tifosilinux

[nodes]
master.tifosilinux openshift_node_labels="{'zone':'west'}"
node.tifosilinux openshift_node_labels="{'zone':'east'}"


Test with the following command whether the master or node replies properly according to the configuration:

[root@master tifosilinux]# ansible -m ping master.tifosilinux
[DEPRECATION WARNING]: DEFAULT_ASK_SUDO_PASS option, In favor of Ansible Become, which is a generic framework. See become_ask_pass. , use become instead. This feature will be removed in
version 2.8. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
[DEPRECATION WARNING]: The sudo command line option has been deprecated in favor of the "become" command line arguments. This feature will be removed in version 2.9. Deprecation warnings can
be disabled by setting deprecation_warnings=False in ansible.cfg.
SUDO password:
master.tifosilinux | SUCCESS => {
    "changed": false,
    "ping": "pong"
}

Before that, do not forget to enable the Ansible option for passing the sudo password (usually needed when the master/node has trouble with the shared connection), and to set the hostname and copy the SSH key so that the master and each node are passwordless. Set the hostname first.

[tifosilinux@master ~]$ hostnamectl set-hostname master.tifosilinux # do this on the node as well
[tifosilinux@master ~]$ ssh-copy-id tifosilinux@master.tifosilinux # also copy the key to the node
[tifosilinux@master ~]$ export ANSIBLE_ASK_SUDO_PASS=true

More or less, those steps are enough before getting deeper into inventory, playbooks as a configuration, deployment and orchestration language, and their best practices.

Openshift

Brought to you by redhat

As explained at the beginning, OpenShift greatly helps developers deploy and scale up their applications. Via git we can download the OpenShift installer integrated with Ansible, for easier maintenance of applications running on containers or instances at large scale. Building an application with the Django framework (in Python) can also be done in an OpenShift environment.

[tifosilinux@master ~]$ cd
[tifosilinux@master ~]$ git clone https://github.com/openshift/openshift-ansible.git

Finally, we just execute the command with full information / debugging output:

[tifosilinux@master ~]$ ansible-playbook -i /etc/ansible/hosts -vvvv openshift-ansible/playbooks/deploy_cluster.yml

Testimonial

Now it is time for my personal review 😀 of my impressions using this technology 😛, and honestly and spontaneously I say: “It has made me rather reluctant about this technology 😀”, because after reading the prerequisites for OpenShift, it needs requirements that are not small for someone who just wants to get to know and learn it. How could it not? Look at the minimum vCPU and memory requirements in the following points (for me personally it is not a problem 🙂, but what about other people who only want to get acquainted or might be interested in implementing it with a trial first):

Masters
– Physical or virtual system, or an instance running on a public or private IaaS.
– Base OS: RHEL 7.3, 7.4, or 7.5 with the “Minimal” installation option and the latest packages from the Extras channel, or RHEL Atomic Host 7.4.5 or later.
– Minimum 4 vCPU (additional are strongly recommended).
– Minimum 16 GB RAM (additional memory is strongly recommended, especially if etcd is co-located on masters).
– Minimum 40 GB hard disk space for the file system containing /var/.
– Minimum 1 GB hard disk space for the file system containing /usr/local/bin/.
– Minimum 1 GB hard disk space for the file system containing the system’s temporary directory.
– Masters with a co-located etcd require a minimum of 4 cores. 2 core systems will not work.

Nodes
– Physical or virtual system, or an instance running on a public or private IaaS.
– Base OS: RHEL 7.3, 7.4, or 7.5 with “Minimal” installation option, or RHEL Atomic Host 7.4.5 or later.
– NetworkManager 1.0 or later.
– 1 vCPU.
– Minimum 8 GB RAM.
– Minimum 15 GB hard disk space for the file system containing /var/.
– Minimum 1 GB hard disk space for the file system containing /usr/local/bin/.
– Minimum 1 GB hard disk space for the file system containing the system’s temporary directory.
– An additional minimum 15 GB unallocated space per system running containers for Docker’s storage back end; see Configuring Docker Storage. Additional space might be required, depending on the size and number of containers that run on the node.

External etcd Nodes
– Minimum 20 GB hard disk space for etcd data.
– See the Hardware Recommendations section of the CoreOS etcd documentation for information on how to properly size your etcd nodes.
– Currently, OpenShift Container Platform stores image, build, and deployment metadata in etcd. You must periodically prune old resources. If you are planning to leverage a large number of these resources, place etcd on machines with large amounts of memory and fast SSD drives.

The result? Well, predictable:

Node Logging
master logging

PLAY RECAP
localhost : ok=8 changed=0 unreachable=0 failed=0
master.tifosilinux : ok=40 changed=0 unreachable=0 failed=1
node.tifosilinux : ok=20 changed=0 unreachable=0 failed=1

INSTALLER STATUS 
Initialization : Complete (0:00:50)
Health Check : In Progress (0:02:19)
This phase can be restarted by running: playbooks/openshift-checks/pre-install.yml


openshift-ansible recapitulation

Not to mention configuration problems that still need many adjustments, which will be quite difficult for some people.

[root@master tifosilinux]# vim /home/tifosilinux/openshift-ansible/playbooks/init/sanity_checks.yml

Comment out the validate openshift node group feature as follows:


- name: Run variable sanity checks
  sanity_checks:
    check_hosts: "{{ l_sanity_check_hosts | default(groups['oo_all_hosts']) }}"
# node_group_checks is a custom action plugin defined in lib_utils.
#- name: Validate openshift_node_groups and openshift_node_group_name
#  node_group_checks: {}
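Both the deprecation warnings in the ping output and the node-group check commented out here can be caught from the inventory alone. This Python linter is an added example, not code from the original post or from openshift-ansible: it parses the INI inventory shown above, flags the sudo-era variables with their become replacements, checks that every group named under :children is defined, and reports nodes without openshift_node_group_name, which is what the disabled node_group_checks task validates. The replacement suggested for ansible_ask_sudo_pass is inferred from the warning text and is an assumption.

```python
import shlex
from typing import List, Tuple
# Sudo-era settings flagged by the 2.7 deprecation warnings, with the 'become' replacements
# (the ansible_ask_sudo_pass mapping is inferred from the warning text: an assumption)
DEPRECATED_VARS = {
    "ansible_sudo": "ansible_become=true",
    "ansible_ask_sudo_pass": "become_ask_pass in ansible.cfg / ANSIBLE_BECOME_ASK_PASS / --ask-become-pass",
}

# Trimmed copy of the /etc/ansible/hosts shown above, as constructed test input
SAMPLE_INVENTORY = """\
[OSEv3:children]
masters
nodes

[OSEv3:vars]
ansible_ssh_user=tifosilinux
ansible_sudo=true
ansible_ask_sudo_pass=false
ansible_become=true
deployment_type=origin
#openshift_master_default_subdomain=apps.master.tifosilinux

[masters]
master.tifosilinux

[nodes]
master.tifosilinux openshift_node_labels="{'zone':'west'}"
node.tifosilinux openshift_node_labels="{'zone':'east'}"
"""

def parse_inventory(text: str) -> Tuple[dict, dict, dict, dict]:
    """INI inventory -> (group hosts, group children, group vars, host vars)."""
    hosts, children, gvars, hvars = {"ungrouped": []}, {}, {}, {}
    section, kind = "ungrouped", ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, _, kind = line[1:-1].partition(":")
            target = gvars if kind == "vars" else children if kind == "children" else hosts
            target.setdefault(section, {} if kind == "vars" else [])
        elif kind == "vars":
            key, _, val = line.partition("=")
            gvars[section][key.strip()] = val.strip()
        elif kind == "children":
            children[section].append(line)
        else:
            host, *inline = shlex.split(line)       # host, then inline key=value vars
            hosts[section].append(host)
            for kv in inline:
                key, _, val = kv.partition("=")
                hvars.setdefault(host, {})[key] = val
    return hosts, children, gvars, hvars

def lint_inventory(text: str) -> List[str]:
    """Findings mirroring the deprecation warnings and the node-group sanity check."""
    hosts, children, gvars, hvars = parse_inventory(text)
    findings = []
    for scope, vars_ in list(gvars.items()) + list(hvars.items()):
        for key in vars_:
            if key in DEPRECATED_VARS:
                findings.append(f"{scope}: {key} is deprecated; use {DEPRECATED_VARS[key]}")
    for parent, kids in children.items():
        findings += [f"[{parent}:children] names undefined group {k}" for k in kids if k not in hosts and k not in children]
    # openshift-ansible 3.10's node_group_checks (the task commented out above) expects this on every node
    findings += [f"[nodes] {h} lacks openshift_node_group_name" for h in hosts.get("nodes", []) if "openshift_node_group_name" not in hvars.get(h, {})]
    return findings
```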

Not to mention version compatibility issues between the dependencies 😀 (in this case we can check the OpenShift and Ansible versions with: ~# openshift version && ansible --version).
So yes.. quite troublesome.

Regards
