Thursday, July 31, 2014

LDAP server configuration - Part-1

Directory Service

It is a software which stores the information of network entities like users, servers etc. It can store any kind of information in the form of attribute and its value.


Mostly we are using this term something like addressing a database which stores information. But it is a protocol to communicate with directory services or information directory. It supports TCP/IP so we can use this in network. Mostly we will call this LDAP information directory service as LDAP server, which supports ldap queries to store and retrieve data.

Is LDAP server is just like a database? . It acts as a database for storing information but it is more optimized for read operation because modification to LDAP entities will be very less but read operation will be very high.

LDAP server is mostly using for authentication purpose.

What is the advantage of using LDAP server for authentivation

1. LDAP is a protocol . Since it is a standard most of the platform support it.
2. Most of the applications are LDAP ready because they don't need to worry in handling user database in their application
3. Security, There are Access Control List  (ACL) to restrict the entity access .
4. There are lot of LDAP server vendors both in commercial and open-source.Installation of these are very easy.
5. Replication option is there to store the data in remote location for security purpose.

You want cross platform support?, Change of data less frequent? More read operation?   if answer is yes then LDAP server will be the best place to store the information.

Structure of  LDAP Directory Tree.

 Its structure is just like an inverted rooted tree similar to DNS or linux directory structure.Each entry in LDAP tree is uniquely identified by Distinguished Name or will call DN. Mostly we are reading this DN from leaf node to root. I will explain how it is in later portion.

Suppose I am creating ldap server for company

In the above picture the first box ( dc=example,dc=com) is the Base DN for this ldap.
There are multiple format for defining the base DN. But here I used the DNS name format. So Base DN is the top level of the ldap tree.

Suppose we have number of employees in our company . So in LDAP , as we discussed earlier it will be stored in another category or as a node named OU. OU stands for organizational unit. Mostly OU is using for defining a broad categories like ou=users, ou=computers,ou=groups, etc. OU can be further be divided . Suppose we have users in US and UK the the structure will be go like this

 So DN which identifies the users in US will be like .

See how it is, from individual entry back to words the root of tree.

For "ou=gourps" what will be the DN?  it will be ou=groups,dc=example,dc=com.

An entry in the ldap contains set of attributes which is uniquely identified by DN. There is one term called RDN ( Relative Distinguished Name) . It is nothing but a relative path to an entity based on another DN.

consider the case ou=UK,ou=users,dc=example,dc=com. This a DN and ou=UK, ou=users  is a RDN based on the base DN dc=example,dc=com. Simply like absolute path and relative path in file system.

In LDAP we can store almost data in a format of attribute and value. For example for a user named "John Smith" there will be multiple details related to him like Name, Address, Email etc. all these can be stored in LDAP.

 Here is a sample ldap entry for a user John Smith.

dn: uid=jsmith,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
cn: John Smith
givenName: John
sn: Smith
telephoneNumber: +999999999
title: Test Engineer
uid: jsmith
uidNumber: 10000
gidNumber: 100
homeDirectory: /home/jsmith
loginShell: /bin/bash

in this example these are the attribute we need store in the  LDAP.
So look at the first line it defines the DN for user John Smith, But here uid is taken to build DN . This uid just like a user name ( not the uid , gid in linux ).

Here we can see objectClass: inetOrgPerson,  objectClass: posixAccount. The object class defines these atrributes.Which means to use an attribute in LDAP we need to include corresponding object class in the LDAP entry.

Configuring LDAP server will be explained in next part

Sunday, July 27, 2014

Apache Benchmark load generating tool for website testers.

Apache Benchmark is a good tool for generating load in our website. This is useful while we doing performance testing.

To Install: 

Download apache from and install. For linux you can use command "yum install httpd" .

To Run:

Go to the path where apache installed. In linux the command path will be populated automatically

Use command "ab" with required parameters.

Example : ab -n 20 -c 5 http://localhost:8080/

C:\Program Files\Apache Group\Apache2\bin>ab -n 20 -c 5 http://localhost:8080/
This is ApacheBench, Version 2.0.41-dev <$Revision: $> apache-2.0
Copyright (c) 1996 Adam Twiss, Zeus Technology Ltd,
Copyright (c) 2006 The Apache Software Foundation,
Benchmarking localhost (be patient).....done

Server Software:        Apache-Coyote/1.1
Server Hostname:        localhost
Server Port:            8080
Document Path:          /
Document Length:        11430 bytes
Concurrency Level:      5
Time taken for tests:   0.46875 seconds
Complete requests:      20
Failed requests:        0
Write errors:           0
Total transferred:      231420 bytes
HTML transferred:       228600 bytes
Requests per second:    426.67 [#/sec] (mean)
Time per request:       11.719 [ms] (mean)
Time per request:       2.344 [ms] (mean, across all concurrent requests)
Transfer rate:          4800.00 [Kbytes/sec] received
Connection Times (ms)
              min  mean[+/-sd] median   max
Connect:        0    0   3.4      0      15
Processing:     0    6   7.7      0      15
Waiting:        0    3   6.2      0      15
Total:          0    7   7.7     15      15
WARNING: The median and mean for the total time are not within a normal deviatio
        These results are probably not that reliable.
Percentage of the requests served within a certain time (ms)
  50%     15
  66%     15
  75%     15
  80%     15
  90%     15
  95%     15
  98%     15
  99%     15
 100%     15 (longest request)

To get other  parameters just run command ab.

C:\Program Files\Apache Group\Apache2\bin>ap
'ap' is not recognized as an internal or external command,
operable program or batch file.

C:\Program Files\Apache Group\Apache2\bin>ab
ab: wrong number of arguments
Usage: ab [options] [http://]hostname[:port]/path
Options are:
    -n requests     Number of requests to perform
    -c concurrency  Number of multiple requests to make
    -t timelimit    Seconds to max. wait for responses
    -p postfile     File containing data to POST
    -T content-type Content-type header for POSTing
    -v verbosity    How much troubleshooting info to print
    -w              Print out results in HTML tables
    -i              Use HEAD instead of GET
    -x attributes   String to insert as table attributes
    -y attributes   String to insert as tr attributes
    -z attributes   String to insert as td or th attributes
    -C attribute    Add cookie, eg. 'Apache=1234. (repeatable)
    -H attribute    Add Arbitrary header line, eg. 'Accept-Encoding: gzip'
                    Inserted after all normal header lines. (repeatable)
    -A attribute    Add Basic WWW Authentication, the attributes
                    are a colon separated username and password.
    -P attribute    Add Basic Proxy Authentication, the attributes
                    are a colon separated username and password.
    -X proxy:port   Proxyserver and port number to use
    -V              Print version number and exit
    -k              Use HTTP KeepAlive feature
    -d              Do not show percentiles served table.
    -S              Do not show confidence estimators and warnings.
    -g filename     Output collected data to gnuplot format file.
    -e filename     Output CSV file with percentages served
    -h              Display usage information (this message)

Wednesday, July 23, 2014

Multiple SSL certificate support in apache with single IP - (SNI)

We mostly work on apache SSL and observed that we require multiple IP address for hosting multiple SSL websites ( with different SSL certificates). Here I found one TLS extension for apache named SNI stands for Server Name Indication. Using this we can host multiple SSL website in a single apache with single IP address.


NameVirtualHost *:443

SSLStrictSNIVHostCheck off

 DocumentRoot /var/www/html/web1
 SSLEngine ON
 SSLCertificateFile /etc/httpd/certs/web1/server.crt
 SSLCertificateKeyFile /etc/httpd/certs/web1/server.key
 ErrorLog /var/www/vhosts/web1/logs/error.log
 CustomLog /var/www/vhosts/web1/logs/access.log common

 DocumentRoot /var/www/html/web2
 SSLEngine ON
 SSLCertificateFile /etc/httpd/certs/web2/server.crt
 SSLCertificateKeyFile /etc/httpd/certs/web2/server.key
 ErrorLog /var/www/vhosts/web2/logs/error.log
 CustomLog /var/www/vhosts/web2/logs/access.log common

Tuesday, July 22, 2014

pfSense - Opensource gateway/firewall

Here  I am telling about one distribution in BSD which I had used as a Gateway solution. It is pfSense , an open source firewall/gatway solution.

Following are the features in pfSense.

1. Firewall
2. NAT
3. Multi wan routing : this is one of the  main reasons I had chosen pfSense. I had 2 Internet connection. So if one of the link goes down pfSense automatically route traffic to the backup Internet connection.
4. VPN
5. DNS
and more.

So simply we can say this a complete IT solution for an organization who wants to implement in low cost.

One more point about the configuration there is a good UI for managing and for viewing the reports.You can take the backup configuration as single file can restore easily if anything went wrong. For more details visit :

Here is a good tutorial for installation . I had installed it using live cd then I installed it to Hard Drive

Proxy Servers


It meas the authority to represent some one else. Here in computer network  proxy is a computer/ software which acts as intermediate between client  and  the server  they  wants to connect.
There are some advantages on this

1. Hide the identity of servers
2. Security filtering
3. Caching which speed up the response to client
4. Can host multiple services in a single IP

There are 2 types of proxies

1. Forward proxy

This is mostly we are referring as proxy. This kind of proxy we are mostly using for sharing Internet connection. That is a clients in a common network can communicate to external network( like Internet)  through this proxy.The proxy is communicating to the external network behalf of clients.

There are so many proxy softwares for this purpose. Squid Proxy server is one of the major software using in Linux for this purpose. You can do settings for caching , content filtering and security configurations in this.

2. Reverse Proxy

This is just opposite to the forward proxy. This kind of proxy settings is used in server side network. Suppose there is a network of multiple servers in data center and there is only one public IP for that network  for clients to connect. Then this reverse proxy in public IP will accept service requests behalf of each servers then redirect that request to corresponding servers and sending back response of requests to respective client.

Both of these proxies give a single point of administration so that we can control the traffic and security parameters in proxy server level.

Apache as proxy

Apache is a web server which can be use in  both Linux and windows platform. We can use apache as proxy server by adding its proxy modules.

LoadModule proxy_module modules/
LoadModule proxy_http_module modules/

Forward Proxy

ProxyRequests On
This is the parameter for enabling the proxy in apache.

Reverse Proxy

ProxyPass /example
ProxyPassReverse /example

This is the sample parameter to enable a proxy in apache. Let us assume is the domain name which mapped in the proxy server( forward) . So if you access then the proxy server will receive your request and send it to the  server and send back the response to the client.So there is no direct interaction between client and server1.

This is page is only to give a basic idea about proxy. I will be posting one more page on apache proxy configuration.

Sunday, July 20, 2014

Add and Change default gateway / route in Linux

Routing information is very important in network for the connectivity. This defines path to next network.Mostly we are using this for getting internet connection.

If there any network which we wants to route there should be a router. Mostly a gateway system will have capability to work as a router.Either it will contain proxy software or else it will forward the traffic to desired network.

In linux we can define the routing information with "route" command. To display current routing information following command can use.

             route -n 

For adding new route the following command will help.Here assumes is the network and is the gateway system.

            route add default gw
            ip route add default via

Here is the command for  changing default route.

        ip route change default via  

Saturday, July 19, 2014

Rsync backup over SSH


Backup is the one of the major task in the IT administration. There are so many tools  are there both in open source and proprietary.Rsync is one of the best tool which we can use in Linux. This can be used for taking backup in local system as well as in remote Linux system.

Rsync is using synchronization mechanism for copying the files from source to location. The main advantage of it is it can copy the delta changes so that we can reduce the time of copying entire content again.

For example, if we need to take a backup of an application server and which is running currently. So mostly we will stop the application serverto get proper backup and will copy the content to backup location. But if the size of the directory is very big the time to copy the entire content will take time so the larger will be the down time. here we can use rsync with out stopping the application server initially. How it is, do the rsync of the directory first with out stopping application server. Once it is done most of the files will be copied to the destination. Then stop the application server and do one more rsync with same . This will only cope the delta files so the time for copying will be very less. So you can start the application in short down time.


rsync -avz --delete source/ destination/

Here is one script for Rsync from  remote server to local server over ssh.

COMMAND=`which ssh`

Friday, July 18, 2014

Java Keystore for SSL



Keystore is a file which stores security or authorization certificates. We can say it is a repository of certificates. In java in order to connect to an ssl enabled service , ssl certificate of the service needs to be added in the keystore of Java. This is also called as trust store. By default "cacert" file in "jre/lib/security" directory is the trust store. But we can define another file as trust store by adding following parameter while we running the application.


Why keystore?

If your java program needs to connect a webservice or need to download something over ssl then you need to import the certificate/trust to your keystore. 

How can import a trust to keystore?

we can use openssl command for getting the trust and also for importing to keystore.

    openssl s_client -connect hostname_of_service:ssl_port >trust.cert

Open the trust.cert with a text editor and delete the lines before -BEGIN CERTIFICATE-  and the content after -END CERTIFICATE- line. Then save the file.
using following command we can import this trust to our keystore. Here I am trying to import to cacert of java. But if you are defining the file other than cacert you can use that file name as keystore file.

    keytool -import -alias "tomcat" -file trust.cert -keystore /java-6-openjdk-amd64/jre/lib/security/cacerts

The above command will prompt for password.

Note:- Instead of /java-6-openjdk-amd64/jre/lib/security/cacerts you can use the file which you are going to use as keystore.


If you are using eclipse check whether the correct Java is using . Because if there is multiple Java installed and  we configured a Java without our required keystore then  SSL connectivity will fail.

Java Heap Memoy and Permgen Space

Heap Memory

                It is the memory allocated from OS memory by the JVM. When new object in java created , jvm allocated it to heap memory. The object which are in use is called live objects and object which are not using is treated as garbage. To remove this garbage jvm performs garbage collection.

               Heap memory divided in to "young" and "old" generation. The objects which are initially created in young generation. This young portion is very active and garbage collection happens very frequently. So some of the objects will clear in this phase. The object which are surviving in GC will move to old generation. The old generation contains large long lasting objects which is survived from young GC. GC in this area is less frequent. The GC in young generation will not much impact but in old generation.

we will define heap memory in 2 values.

1. Max heap   -Xmx
2. Initial Heap / Min heap  -Xms

             There are some rules for choosing this values.There are 32 bit and 64 Bit systems. So in 32 bit system the maximum memory can use theoretically 4 GB. But in 64 bit it is unlimited because the addressing capability. So in 32 Bit system we can assign 1.4GB to 1.6 GB. ( Note: There are some exceptions in some operating systems).

We are defining heap memory mostly with JAVA_OPTS or can define in each application server's defined variables.

JAVA_OPTS="-Xms1024m -Xmx2048m"

Always use the correct megabyte values. 1024 X Mega byte you required.

Perm Gen Space | Permanent Generation

                Permanent Generation is used for storing class files. These class files  are mostly loading when application starts but some can load during application execution.

-XX:MaxPermSize=256m is the syntax for defining the Permgen space.

1/4 of Max Heap(Xmx) can be allocate as Permgen space.

For better calculation of memory for java it is always better to use some profiling tools like visual vm. In practical case mostly we will do -Xmx and -Xms as same .


Thursday, July 17, 2014

Exit status in linux shell and grep ( $? )

I hope we all are using exit status in shell scripting mostly for decision making. The interesting thing we only check exit status 0 or non zero. But when I made an analysis ( got into one mistake also ;) ) there are some exit status with valid reason.

After a command execution we are using $? for getting exit status in shell. If it returns 0 it means the command which had given executed successfully. But if something went wrong in the command execution?? we will get a non zero value as exit status. Here are the list of exit status.'

1 means general errors. 2 for misuse of shell builtins.  126 cannot invoke requested command. 127 Command not found. 128 Invalid arugment to exit. and  130  termination with Ctrl + C.

If you see the usage of grep it return 0 if the selected lines are found and 1 for not found. Grep returns 2 for general errors.

Which operating system you like most?