Wednesday, September 19, 2007

LDAP Authentication in Apache Directory Protection?

openLDAP is a open source implementation of Light Weight Directory Access Protocol.it is read optimized which is used to store user information for authentication purpose.

Once we have implemented password protection in Apache there comes the natural question ?

Why to create another password file ???
Cant we utilize our existing authentication mechanism?

Yes,we can.

from some changes in .htaccess, we need not to alter any settings in Apache's httpd.conf.

Following lines have been added in .htaccess to allow LDAP Authentication and allow only certain users.

AuthType Basic
AuthName "Message which will appear in Login Window"
#AuthUserFile /usr/local/apache/passwd/passwd (Not needed anymore)
AuthLDAPURL ldap://linuxadmin.ofb.net:389/ou=people,o=ofb (Fake address)

require user "shailesh.mishra"
require user "tom"
require user "harry"


It is assumed that LDAP server is running in linuxadmin.ofb.net (Fake address) on port 389 with ou=people,o=ofb.

Although all these directive could have been written in httpd.conf itself but its always a good idea not to fiddle with existing settings.

How to implement password protection in sensitive directory in Apache Web Server?

If any website contains sensitive information or is intended for only a small group of known people, apache provides some standard ways of protecting. Method mentioned below is applicable in Apache 2.x.Location of Apache configuration file may differ.

Basics of password protection in Website

•Make adjustments in /etc/httpd/conf/httpd.conf ( Apache 2.0 in RHEL Destro)
•Make password file (using htpasswd utility)
•Prepare .htaccess file (to provide user names who are authorized to access)

Adjustments in httpd.conf:-

We need to have a server configuration that permits putting authentication directives in these files. This is done with the AllowOverride directive.Following directive have been in added in httpd.conf under :-

AllowOverride AuthConfig

AllowOverride must be “None” in all the other situations. It is good security practice and it also improves Apache performance. In case of virtual hosting (shared hosting with single IP),AllowOverride should in disabled(by equating it None) in main configuration section of Apache and it should be enabled inside .

Make password file :-

You'll need to create a password file. This file should be placed somewhere not accessible from the web. To create the file, use the htpasswd utility that came with Apache. htpasswd stands for HyperText Password.

% htpasswd -c /usr/local/apache/passwd/passwd shailesh.mishra

-c is being used for the first user so that htpasswd utility can create the file. Above command will create one password file named “passwd” in location /usr/local/apache/passwd.

htpasswd will ask you for the password, and then ask you to type it again to confirm it.

To add more users, use only htpasswd (without –c,or else it will again creat another file). Password is encrypted.

Prepare .htaccess file :-

Till now, we have configured httpd to accept user authentication for a particular directory. We have also made password file. But we need to attach this password file so that it can be used for user verification. This will be done with the help of .htaccess file. We need to create one file with the name .htaccess with the following content and store in the directory which needs to be protected.This file must be named as .htaccess as this name is specified in Apache Configuration file httpd.conf)

AuthType Basic
AuthName "Any Message which will be displayed in Login Box"
AuthUserFile /usr/local/apache/passwd/passwd
Require valid-user

If all the steps are properly followed, when user tries to access the password protected site, Login window will appear. User can login by providing user-id and password.

Parameter AuthConfig is used to tell Apache that authentication needs to be implemented.

Thursday, September 13, 2007

What is gam server ? How to stop?

It is a known bug in RHEL.
It hogs all the processors and some time claims 99% of CPU time. This type of behavior is mainly contributed to screen saver. As We are run our server in INIT 3 level,so screen saver is not the culprit in our case.
Gam_server is the running instance name of “gemin” which is by default loaded with RHEL.Its the successor of FAM (File Alteration Module).FAM (or gam_server) is used to decrease CPU cycle by effectively implementing Locking/Unlocking file handles. When used with IMAP , it is claimed that it will ease shared folder implementation.
In our scenario,huge number of gam_servers(sometimes > 350) were running and virtually doing nothing.At the same time, these processes use to fire mails to root which could not be delivered thus giving unnecessary load to Postfix(these mails were lying in Q and postfix tries to resend Q’ed mails after certain intervals)Courier-IMAP has been compiled with FAM module so it was the part and parcel of it. We have not implemented shared folders so I toggled two parameters of imapd.Two parameters IMAP_USELOCKS and IMAP_ENHANCEDIDLE are used to implement shared folders.If you not interested in shared folders(Some webmail client like squirrelmail lets you to implement shared folder ) you can disable these two parameters.

IMAP_USELOCKS=0

IMAP_ENHANCEDIDLE=0

Changed (toggled parameter) is written in RED BOLD. Both these parameters are used in conjunction with Shared Folder Implementation.

After restarting imapd,no gam_server will be spawned.

Wednesday, September 12, 2007

DDS-4 20/40 GB stores 20 GB data NOT 40 GB

Today, i came to know that 20/40 GB(150 mm) DDS-4 tape stores roughly around 20 GB data.Hardware or software compression may not be very useful.So beware,DDS-4 will store only 20 GB data not 40 GB as i was thinking.
After seeing from the log that tar command is not sucessful and tape is not getting ejected automatically,i sensed that something was wrong.I can not recall the exact error message but it was something related to less storage available on tape.
As the users data are getting increased,we need to think on this front too.For the time being,i used -M switch in tar command (it allows more than one tape cartridges).
tar -cvMf /dev/st0 /home.Please be aware that software zipping (Z )will not work with multi volume.