How to install OpenLDAP password check module in ubuntu? - passwords

We recently installed ppolicy module and the related things in our OpenLDAP instance for password policy ( http://www.zytrax.com/books/ldap/ch6/ppolicy.html#account-unlock) . However, among them there was no way to set up something that does a password check whenever a new password is set. Then, we were pointed out to this link - http://ltb-project.org/wiki/documentation/openldap-ppolicy-check-password , where pwdPolicyChecker seemed like a module that can solve this issue. But we have no idea how to install this C module in our current ubuntu OpenLDAP set up. Also, the instructions provided seemed to be more like how the openldap setup used to be earlier in ubuntu and not like how it is now with slapd.d . Has anyone done an installation of a C module in OpenLDAP in the new ubuntu setup? Any pointers toward that would be very much appreciated.
Thanks!

I've been using the LTB's pwdCheckerModule for years without a glitch.
I just rebuilt it - as a package, for Debian/Stretch - using the tweaked Onyx Point's version; https://github.com/onyxpoint/ppolicy-check-password
I created the corresponding Debian-specific fork - https://github.com/cedric-dufour/ppolicy-check-password/tree/debian-stretch - including the README.DEBIAN file that should answer your question (most relevant part copied below); doing the same for Ubuntu should not be too different.
* Get the Debian source code for the OpenLDAP packages and build dependencies:
    apt-get source openldap
    apt-get build-dep openldap
* Include the ppolicy-check-password source code into the OpenLDAP source tree
  and install additional build dependencies:
    cd openldap-<version>
    mkdir -p contrib/slapd-modules/ppolicy-check-password
    cp /path/to/ppolicy-check-password.git/* contrib/slapd-modules/ppolicy-check-password/.
    apt-get install libcrack2-dev
* Patch the Debian (packaging) directory:
    patch -p1 < /path/to/ppolicy-check-password.git/debian/debian-directory.patch
* Build the OpenLDAP packages:
    dpkg-buildpackage -us -uc -b
* Copy and install the slapd-ppolicy-check-password_<version>.deb package to
  the target server:
    dpkg -i slapd-ppolicy-check-password_<version>.deb
* Configure the ppolicy-check-password module:
    vim /etc/ldap/check_password.conf
* Add the ppolicy-check-password module/check to your PPolicy:
    pwdCheckModule: check_password.so
    pwdCheckQuality: 2

Related

Can't install nautilus-dropbox on Centos 8

I try to install dropbox on Centos8, however Terminal gives strange errors. Tried different commands, same error.
Firstly downloaded *.rpm file from dropbox website, currently trying to install it.
Commands I tried:
rpm -ivh nautilus-dropbox-2020.03.04-1.fedora.x86_64.rpm
yum localinstall nautilus-dropbox-2020.03.04-1.fedora.x86_64.rpm
Error:
Last metadata expiration check: 0:18:27 ago on Thu 12 Mar 2020 03:46:17 PM EET
Error:
Problem: conflicting requests
nothing provides libgnome >= %{gnome_version} needed by nautilus-dropbox-2020.03.04-1.fc21.x86_64
(try to add '--skip-broken' to skip uninstallable packages or '--nobest' to use not only best candidate packages)
[root@localhost Downloads]
Also tried --skip-broken and --nobest - but no luck.
Also tried sudo yum install libgnome but it gives error:
Last metadata expiration check: 9:51:39 ago on Thu 12 Mar 2020 02:42:06 PM UTC.
No match for argument: libgnome
Error: Unable to find a match: libgnome
I have:
[adminuser@localhost ~]$ cat /etc/centos-release
CentOS Linux release 8.1.1911 (Core)
Tried to google this mistake, but no luck. Could you please give me any hint how I could overcome this?
Thank you
This is a bug in packaging. Contact Dropbox support and report it as a bug.
Technical details (just in case you are Dropbox employee):
While building an rpm, when you use a macro it is expanded. Try it yourself:
$ rpm --eval '%{_bindir}'
/usr/bin
However, when the macro is not defined, you get original value:
$ rpm --eval '%{some_bullshit}'
%{some_bullshit}
So the macro gnome_version should likely contain some version, but this macro was not defined.
nothing provides libgnome
"libgnome" is about libgnome-2 → https://linux.dropbox.com/fedora/ → I.e. Fedora only packages. CentOS 8 has no libgnome* available.
https://www.dropbox.com/install-linux → Compile from source → CentOS 8
# dnf install nautilus-devel-3.28.1-10.el8.x86_64 python3-docutils
tar xvf nautilus-dropbox-2020.03.04.tar.bz2
cd nautilus-dropbox-2020.03.04/
./configure && make
# make install
Result : nautilus-dropbox-2020.03.04-1.el8.x86_64.rpm https://drive.google.com/file/d/1AcxlVdbWOzQvcoVOFYCiaVny9MzgC-Ea/view?usp=sharing
# rpm -Uvh nautilus-dropbox-2020.03.04-1.el8.x86_64.rpm : No issues.
First, realize that the command showing at the install page is for the headless installation. It will probably work, but my preference is to use Dropbox with nautilus integration.
These instructions assume an installation of Dropbox with Nautilus integration.
We need to compile the installer from source.
a. Download last package
wget https://linux.dropbox.com/packages/nautilus-dropbox-2020.03.04.tar.bz2
b. Extract tarball
tar xjf ./nautilus-dropbox-2020.03.04.tar.bz2
c. Try to compile
cd nautilus-dropbox-2020.03.04; ./configure;
Then you get an Error:
Erro:
Problema: conflicting requests
- nothing provides libgnome >= %{gnome_version} needed by nautilus-dropbox-2020.03.04-1.fc21.x86_64
(try to add '--skip-broken' to skip uninstallable packages or '--nobest' to use not only best candidate packages)
Now we need to install nautilus-devel and python3-docutils
NOTE: You will get configure: error: couldn't find docutils if you forget python3-docutils.
This command will enable the PowerTools repository and install what is needed:
dnf --enablerepo=PowerTools install nautilus-devel python3-docutils
Now you can run ./configure && sudo make install
That's it. Go for the start menu type "Dropbox", it will start the installer.
Restore a local backup of Dropbox (optional)
If you have a local backup, turn off the network after you see the Dropbox folder created. Then copy all your files to that folder and turn the network back on after the copy.
This solution worked for me running CentOS Linux release 8.2.2004 (Core).

How to install Apache on OmniOS

I am attempting to install Apache on OmniOS. I followed the instructions here: option 2 https://wiki.openindiana.org/oi/3.+Installing+software+and+package+management
Ran the command:
echo $PATH results in /opt/local/sbin:/opt/local/bin:/usr/gnu/bin:/usr/sbin:/sbin
curl https://pkgsrc.joyent.com/packages/SmartOS/bootstrap/bootstrap-2016Q4-x86_64.tar.gz | gtar -zxpf - -C /
pkgin -y update
pkgin -y install apache-2.4.6 resulted in the messages Calculating dependencies...done and then nothing to do
I can not find the apache service or configuration directory as they are described here: https://docs.joyent.com/public-cloud/instances/infrastructure/images/smartos/apache
/opt/local/etc/httpd The configuration directory for Apache
svcs pkgsrc/apache Checking service for Apache
Server Info:
uname -v results in omnios-r151026-d9b45886bd
Running x86
Also running SunONE webserver
Though incomplete, my commands did make a change. My Perl scripts can no longer find DBI.
Why does the Apache install say there is nothing to do? What am I missing?
UPDATE
Ran which apache2 resulted in no apache2
Ran pkgin list to list all installed packages. Only apache
reference is apache-maven-3.5.4
Ran find . -name '*apache*' in the following directories:
\etc nothing
\opt found:
vim, el, and elc files in SUNWspro
org-apache-tools-ant-module files and folder in netbeans/3.5V11/modules/patches
apache folder in SUNWwbsvr/plugins/java/samples/webapps/jstl/src/org which contains java files
vim, tag, el and elc files in sfw --- also an apache folder in sfw which contains readme/bash type files for apache/php and one so file
apache-maven-3.5.4 files/folders in local
org-apache-xml-resolver* files in sunstudio12.1
'\usr' found:
2 vims in share/vim/vim80/syntax
apache-fcgi.conf in lib/python2.7/vendor-packages/cherrypy/scaffold
'\var' nothing
As far as I can tell, the binaries have not been installed
I tried running pkgin -y install apache-2 and it worked. It installed apache-2.4.3. Perhaps apache-2.4.6 does not exist in the repository.
This means Apache is already installed on the Linux system. Run the command below, which will tell you the location of the system binary.
which apache2
for the configuration folder look for below directory:
/etc/apache2

Security plugin in Local yum repository

I've created a local yum repository for RHEL 7 on a separate server. Then I used the "reposync" command to get the packages from RHN.
reposync --download-metadata --gpgcheck -l --repoid=rhui-REGION-rhel-server-rh-common --download_path=/rhel_security_repo/
reposync --download-metadata --gpgcheck -l --repoid=rhui-REGION-rhel-server-optional --download_path=/rhel_security_repo/
reposync --download-metadata --gpgcheck -l --repoid=rhui-REGION-rhel-server-releases --download_path=/rhel_security_repo/
After that, I executed the following command to create my repo:
createrepo --database /rhel_security_repo/
The repository was created successfully with over than 9000 packages as expected. What I am trying to do now is to have other boxes using this local repository. I've created a yum config file in the other boxes where the baseurl points to this server with the local yum repository.
[security-updates-rhel7]
name=Repository for RHEL7 security updates
baseurl=ip-server
enabled=1
gpgcheck=1
All the servers are able to talk to this server with the local yum repo and they can install packages from it.
The problem is I can't update packages when I run yum update --security:
Example:
yum --disablerepo="*" --enablerepo="security-updates-rhel7" --security update mariadb-libs
Loaded plugins: amazon-id, rhui-lb
--> 1:mariadb-libs-5.5.37-1.el7_0.x86_64 from @rhui-REGION-rhel-server-releases removed (updateinfo)
--> 1:mariadb-libs-5.5.40-2.el7_0.x86_64 from security-updates-rhel7 removed (updateinfo)
No packages needed for security; 1 packages available
Resolving Dependencies
However, if I run the command without --security, I can see available updates:
yum --disablerepo="*" --enablerepo="security-updates-rhel7" update mariadb-libs
Loaded plugins: amazon-id, rhui-lb
Resolving Dependencies
--> Running transaction check
---> Package mariadb-libs.x86_64 1:5.5.37-1.el7_0 will be updated
---> Package mariadb-libs.x86_64 1:5.5.40-2.el7_0 will be an update
--> Finished Dependency Resolution
Dependencies Resolved
==============================================================================================================================
Package Arch Version Repository Size
==============================================================================================================================
Updating:
mariadb-libs x86_64 1:5.5.40-2.el7_0 security-updates-rhel7 753 k
Transaction Summary
==============================================================================================================================
Upgrade 1 Package
Total download size: 753 k
Is this ok [y/d/N]:
It seems I lost the security metadata when I did the reposync.
Any ideas what the problem could be?
Etan has the right idea; those are the two ways we found to get around the issue with RHEL6. You could pull the Redhat metadata straight out of your yum cache and copy it into your local repo, and that works 90% of the time... but 10% it will give you random failures if Redhat happens to be updating a repository while you are syncing it.
Redhat has a guide for how to graft security metadata into your local repo in RHEL5/6, I assume it works similarly in RHEL7. If you have a Redhat Support account, see: https://access.redhat.com/solutions/55654
If you don't, below is my own take on it:
1) Run your reposync command with --download-metadata and other trimmings, but I would start with one repo at a time and put each one in its own directory, similar to how Redhat does it, e.g.:
mkdir -p /path/to/repo-id && reposync -l -n --download-metadata -r repo-id -p /path/to/repo-id/
2) Pull the abcdefghij-updateinfo.xml.gz metadata files from Redhat, which contain security metadata for each repository. Do this by running yum list-sec and then look for them in your local yum cache, under each repository's subdirectory. Probably somewhere in /var/cache/yum/arch/7Server/repo-id.
3) Run createrepo on just that repository:
createrepo -v /path/to/repo-id/
4) Go into /path/to/repo-id/ and then into the repodata subfolder. Copy the abcdefghij-updateinfo.xml.gz from your local yum cache into the repodata folder, but rename it to remove the hash at the beginning, so that you are left with a file called updateinfo.xml.gz.
5) Use the modifyrepo command to insert the security metadata into that repo's table of contents (repomd.xml) file:
modifyrepo /path/to/repo-id/repodata/updateinfo.xml.gz /path/to/repo-id/repodata/
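Added example, not part of the original answer: a Python check that a mirrored repository actually advertises security metadata after the grafting steps above, by looking for the updateinfo entry in repomd.xml, verifying its checksum and counting security advisories. The demo repository, its file names and the advisory ids are constructed sample data.

```python
import gzip
import hashlib
import os
import tempfile
import xml.etree.ElementTree as ET

NS = {"r": "http://linux.duke.edu/metadata/repo"}  # namespace of repomd.xml


def check_updateinfo(repo_dir):
    """Return (status, security_advisory_count) for a yum repository."""
    repomd = os.path.join(repo_dir, "repodata", "repomd.xml")
    if not os.path.isfile(repomd):
        return ("no-repomd", 0)
    entry = ET.parse(repomd).getroot().find("r:data[@type='updateinfo']", NS)
    if entry is None:
        # createrepo on its own does not generate this entry, so
        # "yum --security" has no advisories to match packages against.
        return ("no-updateinfo-entry", 0)
    path = os.path.join(repo_dir, entry.find("r:location", NS).get("href"))
    if not os.path.isfile(path):
        return ("file-missing", 0)
    csum = entry.find("r:checksum", NS)
    algo = "sha1" if csum.get("type") == "sha" else csum.get("type")
    with open(path, "rb") as fh:
        data = fh.read()
    # A copy taken from the cache mid-update no longer matches repomd.xml.
    if hashlib.new(algo, data).hexdigest() != csum.text.strip():
        return ("checksum-mismatch", 0)
    updates = ET.fromstring(gzip.decompress(data))
    count = sum(1 for u in updates.iter("update") if u.get("type") == "security")
    return ("ok", count)


def build_demo_repo(root, graft=True, corrupt=False):
    """Constructed sample repo with one fake security advisory (assumption)."""
    repodata = os.path.join(root, "repodata")
    os.makedirs(repodata)
    xml = (b'<updates><update type="security"><id>EXAMPLE-SA-0001</id></update>'
           b'<update type="bugfix"><id>EXAMPLE-BA-0002</id></update></updates>')
    blob = gzip.compress(xml)
    entry = ""
    if graft:
        with open(os.path.join(repodata, "updateinfo.xml.gz"), "wb") as fh:
            fh.write(b"tampered" if corrupt else blob)
        entry = ('<data type="updateinfo"><checksum type="sha256">%s</checksum>'
                 '<location href="repodata/updateinfo.xml.gz"/></data>'
                 % hashlib.sha256(blob).hexdigest())
    with open(os.path.join(repodata, "repomd.xml"), "w") as fh:
        fh.write('<repomd xmlns="http://linux.duke.edu/metadata/repo">%s</repomd>'
                 % entry)
    return root


if __name__ == "__main__":
    cases = [("createrepo only", {"graft": False}),
             ("after modifyrepo", {}),
             ("stale cached copy", {"corrupt": True})]
    for label, kwargs in cases:
        with tempfile.TemporaryDirectory() as d:
            print(label, check_updateinfo(build_demo_repo(d, **kwargs)))
```

Point `check_updateinfo` at a real mirror directory (the one that contains `repodata/`) to see whether clients using it can resolve `--security` updates.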

SSL CA cert (path? access rights?)

I am using CentOs 6.6 64bit, and have a problem when using curl. The server primarily hosts several wordpress blogs using apache and mysql.
My simplest means to generate the error is with the following yum command which outputs the below
yum list "ca-certi*"
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Could not get metalink https://mirrors.fedoraproject.org/metalink?repo=epel-6&arch=x86_64 error was
14: PYCURL ERROR 77 - "Problem with the SSL CA cert (path? access rights?)"
* base: cosmos.cites.illinois.edu
* epel: mirror.cogentco.com
* extras: mirrors.rit.edu
* updates: mirrors.rit.edu
Installed Packages
ca-certificates.noarch 2014.1.98-65.1.el6 @base
Solutions tried and failed so far, based on googling around
1) I have tried restarting the VPS, no good
2) Executing curl http://curl.haxx.se/ca/cacert.pem -o /etc/pki/tls/certs/ca-bundle.crt without any luck
3) This solution was no good at all, as it relies on yum to solve the SSL problem that yum also suffers http://syslint.com/syslint/curl-77-problem-with-the-ssl-ca-cert-path-access-rights-solved/
Can I run these yum steps to install with wget?, would you think it would help?
# yum reinstall ca-certificates
# yum reinstall openssl
I think virtualmin had installed some updates in the last 24 hours, is there a log of updates it ran somewhere?
Can anyone please help get around this "Problem with the SSL CA cert (path? access rights?)" problem.
TIA
An easier solution for CentOS 6/7: remove the CA bundle and reinstall the certificates.
rm -f /etc/ssl/certs/ca-bundle.crt && yum reinstall -y ca-certificates
The problem is that if you only reinstall the certs, this won't replace ca-bundle; the new one is left with a .rpmnew name.
this worked for me :
centos 6
mkdir /usr/src/ca-certificates && cd /usr/src/ca-certificates
wget http://mirror.centos.org/centos/6/os/x86_64/Packages/ca-certificates-2015.2.6-65.0.1.el6_7.noarch.rpm
rpm2cpio ca-certificates-2015.2.6-65.0.1.el6_7.noarch.rpm | cpio -idmv
cp -pi ./etc/pki/tls/certs/ca-bundle.* /etc/pki/tls/certs/
do yes to override
to check :
curl -vvv https://www.unixy.net
Solution from here
https://www.virtualmin.com/node/35857
nss-softokn breaks yum/rpm in CentOS 6 In order to fix it do the following:
wget http://mirror.centos.org/centos/6/updates/x86_64/Packages/nss-softokn-fr...
rpm2cpio nss-softokn-freebl-3.14.3-19.el6_6.x86_64.rpm | cpio -idmv
cd lib64
cp libfreeblpriv3.* /lib64
yum update # sync new repo package
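Added example, not part of the original answers: a Python diagnostic for the CA bundle file behind curl error 77, covering the path and access-rights cases the message names, the leftover `.rpmnew` file described in the first answer, and a bundle that contains no parseable certificates. The sample PEM block is a constructed placeholder, not a real certificate, and the finding names are this example's own.

```python
import base64
import binascii
import os
import re
import stat
import tempfile

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed placeholder: valid base64 of a tiny DER SEQUENCE, not a real cert.
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"\x30\x03\x02\x01\x00")
              + b"\n-----END CERTIFICATE-----\n")


def diagnose_ca_bundle(path):
    """Return a list of findings for a PEM CA bundle; [] means it looks usable."""
    if not os.path.lexists(path):
        return ["missing"]
    if not os.path.exists(path):
        return ["dangling-symlink"]
    findings = []
    if os.path.exists(path + ".rpmnew"):
        # A reinstall left the packaged bundle beside the file still in use.
        findings.append("rpmnew-pending")
    if os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        # A trust store writable by non-owners can be altered by other users.
        findings.append("writable-by-non-owner")
    if not os.access(path, os.R_OK):
        return findings + ["unreadable"]
    with open(path, "rb") as fh:
        data = fh.read()
    certs = 0
    for body in PEM_RE.findall(data):
        try:
            der = base64.b64decode(b"".join(body.split()), validate=True)
        except binascii.Error:
            continue
        if der[:1] == b"\x30":  # DER certificates start with a SEQUENCE tag
            certs += 1
    if certs == 0:
        findings.append("no-certificates")
    return findings


def write_sample(directory, name, content):
    """Write a constructed sample file with mode 0644 and return its path."""
    path = os.path.join(directory, name)
    with open(path, "wb") as fh:
        fh.write(content)
    os.chmod(path, 0o644)
    return path


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        good = write_sample(d, "ca-bundle.crt", SAMPLE_PEM)
        bad = write_sample(d, "overwritten.crt", b"<html>not PEM</html>")
        print("good:", diagnose_ca_bundle(good))
        print("overwritten:", diagnose_ca_bundle(bad))
        print("absent:", diagnose_ca_bundle(os.path.join(d, "absent.crt")))
```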

How to install wkhtmltopdf on a linux based (shared hosting) web server

I have tried in all ways to get wkhtmltopdf installed on our web server but unfortunately it is not getting installed. I cannot access user/bin folder as stated in a tutorial on installation.
On the server in public_html folder there is a sub folder _vti_bin, I copied the file wkhtmltopdf-i386 from wkhtmltopdf-0.9.1-static-i386, but I am not able to execute it.
How to install wkhtmltopdf on (shared hosting) web server and get it working?
I've managed to successfully install wkhtmltopdf-amd64 on my shared hosting account without root access.
Here's what i did:
Downloaded the relevant static binary v0.10.0 from here: http://code.google.com/p/wkhtmltopdf/downloads/list
EDIT: The above has moved to here
via ssh on my shared host typed the following:
$ wget {relevant url to binary from link above}
$ tar -xvf {filename of above wget'd file}
You'll then have the binary on your host and will be able to run it regardless of whether it's in the /usr/bin/ folder or not (or at least I was able to).
To test:
$ ./wkhtmltopdf-amd64 http://www.example.com example.pdf
Note remember that if you're in the folder in which the executable is, you should probably preface it with ./ just to be sure.
Worked for me anyway
If you have sudo access...
Ubuntu 14.04 / 15.04 / 18.04:
sudo apt-get install wkhtmltopdf
# or
sudo apt install wkhtmltopdf
Others
Look at the other answers.
If it's Ubuntu then go ahead with this; already tested:
first, installing dependencies
sudo aptitude install openssl build-essential xorg libssl-dev
for 64bits OS
wget http://wkhtmltopdf.googlecode.com/files/wkhtmltopdf-0.9.9-static-amd64.tar.bz2
tar xvjf wkhtmltopdf-0.9.9-static-amd64.tar.bz2
mv wkhtmltopdf-amd64 /usr/local/bin/wkhtmltopdf
chmod +x /usr/local/bin/wkhtmltopdf
for 32bits OS
wget http://wkhtmltopdf.googlecode.com/files/wkhtmltopdf-0.9.9-static-i386.tar.bz2
tar xvjf wkhtmltopdf-0.9.9-static-i386.tar.bz2
mv wkhtmltopdf-i386 /usr/local/bin/wkhtmltopdf
chmod +x /usr/local/bin/wkhtmltopdf
Debian 8 Jessie
This works
sudo apt-get install wkhtmltopdf
Chances are that without full access to this server (due to being a hosted account) you are going to have problems. I would go so far as to say that I think it is a fruitless endeavor--they have to lock servers down in hosted environments for good reason.
Call your hosting company and make the request to them to install it, but don't expect a good response--they typically won't install very custom items for single users unless there is a really good reason (bug fixes for example).
Lastly, depending on how familiar you are with server administration and what you are paying for server hosting now consider something like http://www.slicehost.com. $20 a month will get you a low grade web server (256 ram) and you can install anything you want. However, if you are running multiple sites or have heavy load the cost will go up as you need larger servers.
GL!
Latest update for CentOS:
sudo yum install -y libpng libjpeg openssl icu libX11 libXext libXrender xorg-x11-fonts-Type1 xorg-x11-fonts-75dpi
wget https://github.com/wkhtmltopdf/wkhtmltopdf/releases/download/0.12.4/wkhtmltox-0.12.4_linux-generic-amd64.tar.xz
tar -xvf wkhtmltox-0.12.4_linux-generic-amd64.tar.xz
sudo mv wkhtmltox/bin/* /usr/local/bin/
check installation success: wkhtmltopdf -V
rm -rf wkhtmltox
rm -f wkhtmltox-0.12.4_linux-generic-amd64.tar.xz
Place the wkhtmltopdf executable on the server and chmod it +x.
Create an executable shell script wrap.sh containing:
#!/bin/sh
# Run the given command with HOME and the library path set to this folder
export HOME="$PWD"
export LD_LIBRARY_PATH="$PWD/lib/"
exec "$@" 2>/dev/null
#exec "$@" 2>&1 # debug mode
Download the needed shared objects for that architecture and place them in a folder named "lib":
lib/libfontconfig.so.1
lib/libfontconfig.so.1.3.0
lib/libfreetype.so.6
lib/libfreetype.so.6.3.18
lib/libX11.so.6
lib/libX11.so.6.2.0
lib/libXau.so.6
lib/libXau.so.6.0.0
lib/libxcb.so.1
lib/libxcb.so.1.0.0
lib/libxcb-xlib.so.0
lib/libxcb-xlib.so.0.0.0
lib/libXdmcp.so.6
lib/libXdmcp.so.6.0.0
lib/libXext.so.6
lib/libXext.so.6.4.0
(some of them are symlinks)
… and you're ready to go:
./wrap.sh ./wkhtmltopdf-amd64 --page-size A4 --disable-internal-links --disable-external-links "http://www.example.site/" out.pdf
If you experience font problems like squares for all the characters, define TrueType fonts explicitly:
@font-face {
  font-family: "Trebuchet MS";
  font-style: normal;
  font-weight: normal;
  /* the format hint belongs to the src descriptor */
  src: url("http://www.yourserver.tld/fonts/Trebuchet_MS.ttf") format("truetype");
}
List of stable versions wkhtmltopdf: http://wkhtmltopdf.org/downloads.html
Installing wkhtmltopdf on Debian 8.2 (jessie) x64:
sudo apt-get install xfonts-75dpi
sudo apt-get install xfonts-base
sudo wget http://download.gna.org/wkhtmltopdf/0.12/0.12.2.1/wkhtmltox-0.12.2.1_linux-jessie-amd64.deb
sudo dpkg -i wkhtmltox-0.12.2.1_linux-jessie-amd64.deb
Shared hosting no ssh or shell access?
Here is how i did it;
Visit https://wkhtmltopdf.org/downloads.html and download the appropriate stable release for Linux. For my case I chose 32-bit
which is wkhtmltox-0.12.4_linux-generic-i386.tar.xz
Unzip to a folder on your local drive.
Upload the folder to public_html (or whichever location fits your need) using an FTP program just like any other file(s)
Change the binary paths in snappy.php file to point the appropriate files in the folder you just uploaded.
Bingo! there you have it. You should be able to generate PDF files.
A few things have changed since the top answers were added. They used to work out for me, but not quite anymore, so I have been hacking around for a bit and came up with the following solution for Ubuntu 16.04. For Ubuntu 14.04, see the comment at the bottom of the answer. Apologies if this doesn't work for shared hosting, but it seems like this is the goto answer for wkhtmltopdf installation instructions in general.
# Install dependencies
apt-get install libfontconfig \
zlib1g \
libfreetype6 \
libxrender1 \
libxext6 \
libx11-6
# TEMPORARY FIX! SEE: https://github.com/wkhtmltopdf/wkhtmltopdf/issues/3001
apt-get install libssl1.0.0=1.0.2g-1ubuntu4.8
apt-get install libssl-dev=1.0.2g-1ubuntu4.8
# Download, extract and move binary in place
curl -L -o wkhtmltopdf.tar.xz https://github.com/wkhtmltopdf/wkhtmltopdf/releases/download/0.12.4/wkhtmltox-0.12.4_linux-generic-amd64.tar.xz
tar -xf wkhtmltopdf.tar.xz
mv wkhtmltox/bin/wkhtmltopdf /usr/local/bin/wkhtmltopdf
chmod +x /usr/local/bin/wkhtmltopdf
Test it out:
wkhtmltopdf http://www.google.com google.pdf
You should now have a file named google.pdf in the current working directory.
This approach downloads the binary from the website, meaning that you can use the latest version instead of relying on package managers to be updated.
Note that as of today, my solution includes a temporary fix to this bug. I realize that the solution is really not great, but hopefully it can be removed soon. Be sure to check the status of the linked GitHub issue to see if the fix is still necessary when you read this answer!
For Ubuntu 14.04, you will need to downgrade to a different version of libssl. You can find the versions here. Anyways, be sure to consider the implications of downgrading libssl before doing so on any production server.
I hope this helps someone!
After trying, the commands below worked for me
cd ~
yum install -y xorg-x11-fonts-75dpi xorg-x11-fonts-Type1 openssl git-core fontconfig
wget https://downloads.wkhtmltopdf.org/0.12/0.12.4/wkhtmltox-0.12.4_linux-generic-amd64.tar.xz
tar xvf wkhtmltox-0.12.4_linux-generic-amd64.tar.xz
mv wkhtmltox/bin/wkhtmlto* /usr/bin
Version 12.5 of wkhtmltopdf only lists DEB files on their download page now. Being a mac user and not knowing much linux or what DEB files were I couldn't use the solutions posted.
This page helped me get past the new twist of downloading a DEB file: http://www.g-loaded.eu/2008/01/28/how-to-extract-rpm-or-deb-packages/
Basically what I did was:
Downloaded from https://wkhtmltopdf.org/downloads.html
Unzipped the DEB file.
Unzipped data.tar.xz
Uploaded the binary in the unzipped 'usr' folder from step 3 (usr/local/bin/wkhtmltopdf)
Then I found out that the 'exec' function was disabled on my host. So make sure you can specifically run 'exec' if you're using PHP to run this. "Can I run the wkhtmltopdf binary" isn't specific enough. My fault.