ldap initial configuration

A more or less initial configuration for openldap (>2.4)

# to import run:
# ldapmodify -Y EXTERNAL -H ldapi:/// -f $filename
# to verify run:
# ldapsearch -Y EXTERNAL -H ldapi:/// -b "olcDatabase={1}hdb,cn=config"
# to create a password:
# slappasswd -h {SSHA} -s admin

dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=de
-
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=example,dc=de" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by dn="cn=admin,dc=example,dc=de" write by * read
-
replace: olcRootDN
olcRootDN: cn=admin,dc=example,dc=de
-
replace: olcRootPW
olcRootPW: {SSHA}4RHgrU6ghLqA21CNI8biQblHtEodToyd
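To see what the three olcAccess values above actually grant, here is an added example (not part of the original post) that implements OpenLDAP's first-match evaluation for exactly the rule forms used in this LDIF: the first `to` clause that matches the target decides, and inside it the first matching `by` clause wins. It ignores scope specifiers, filters, regex DN specs and the server's implicit default, which is an assumption that simplifies the real evaluator.

```python
import re
# OpenLDAP privilege ladder: a granted level implies every level below it
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

def parse_olc_access(value):
    """'{n}to <what> by <who> <level> [by ...]' -> (what, [(who, level), ...])."""
    m = re.match(r"(?:\{\d+\})?to\s+(.+?)\s+by\s+(.+)$", value.strip())
    clauses = [tuple(p.rsplit(None, 1)) for p in re.split(r"\s+by\s+", m.group(2))]
    return m.group(1), clauses

def _target_matches(what, entry_dn, attr):
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr is not None and attr.lower() in what[6:].lower().split(",")
    if what.startswith("dn.base="):
        return entry_dn.lower() == what[8:].strip('"').lower()
    raise ValueError("unsupported <what> spec: " + what)

def _subject_matches(who, bind_dn, entry_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == entry_dn.lower()
    if who.startswith("dn="):
        return bind_dn is not None and bind_dn.lower() == who[3:].strip('"').lower()
    raise ValueError("unsupported <who> spec: " + who)

def effective_level(rules, bind_dn, entry_dn, attr=None):
    """First rule whose <what> matches decides; within it the first matching
    <who> clause wins. No matching <who> (or no matching rule) means none."""
    for what, clauses in rules:
        if _target_matches(what, entry_dn, attr):
            for who, level in clauses:
                if _subject_matches(who, bind_dn, entry_dn):
                    return level
            return "none"
    return "none"

def allowed(rules, bind_dn, entry_dn, attr, needed):
    return LEVELS.index(effective_level(rules, bind_dn, entry_dn, attr)) >= LEVELS.index(needed)

# The three olcAccess values from the LDIF above, in {n} order
RULES = [parse_olc_access(v) for v in (
    '{0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=example,dc=de" write by anonymous auth by self write by * none',
    '{1}to dn.base="" by * read',
    '{2}to * by self write by dn="cn=admin,dc=example,dc=de" write by * read',
)]
```

With these rules an anonymous bind gets only `auth` on userPassword (enough to bind, not to read the hash), and any other authenticated user gets `none` on it, because rule {0} matches first and its `by * none` stops evaluation before rule {2}'s `by * read` is ever consulted.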

TLS config

dn: cn=config
changetype: modify
add: olcTLSCipherSuite
olcTLSCipherSuite: AES128+EECDH:AES128+EDH
-
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/ca.crt
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/cert.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/keyfile.key
-
# possible values: never - allow - try - demand
# (demand rejects any TLS client that does not present a certificate signed by the CA above)
add: olcTLSVerifyClient
olcTLSVerifyClient: demand


systemd – abstract

Rescue Mode


Analyzing the boot process

* systemd-analyze
* systemd-analyze blame
* systemd-analyze plot > /tmp/plot.svg

Start/Stop/Disable services

* systemctl start/stop/restart/mask [service]
* systemctl daemon-reload
* systemctl list-units --type=[timer,service,target,mounts,…]


* journalctl -u ssh
* journalctl _PID=1
* journalctl -b

Custom unit


Retrieve Windows key from ACPI MSDM table

[root@localhost ~]# hexdump -C /sys/firmware/acpi/tables/MSDM
00000000 4d 53 44 4d 55 00 00 00 03 d3 4c 45 4e 4f 56 4f |MSDMU.....LENOVO|
00000010 54 50 2d 47 32 20 20 20 70 25 00 00 50 54 4c 20 |TP-G2   p%..PTL |
00000020 02 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 |................|
00000030 00 00 00 00 1d 00 00 00 XX XX XX XX XX XX XX XX |........xxxxx-xx|
00000040 XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX |xxx-xxxxx-xxxxx-|
00000050 XX XX XX XX XX                                  |xxxxx|
# the key starts after the 36-byte ACPI header and the 20-byte MSDM header, i.e. at offset 56
cat /sys/firmware/acpi/tables/MSDM | dd bs=1 skip=56 2>/dev/null
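As an added example (not from the original post), here is a small Python parser for the MSDM table that checks the ACPI signature, length field, checksum and data type before extracting the key, instead of blindly skipping 56 bytes. build_msdm constructs a sample table with a placeholder key, mirroring the header fields of the hexdump above, so the parser can be exercised offline.

```python
import struct

# ACPI table header (36 bytes): Signature, Length, Revision, Checksum, OEM ID,
# OEM Table ID, OEM Revision, Creator ID, Creator Revision
_HDR = struct.Struct("<4sIBB6s8sI4sI")
# MSDM body after the header (20 bytes): Version, Reserved, DataType,
# DataReserved, DataLength; the key itself starts at offset 36 + 20 = 56
_BODY = struct.Struct("<IIIII")
KEY_OFFSET = _HDR.size + _BODY.size

def parse_msdm(blob: bytes) -> str:
    """Validate an MSDM table dump and return the embedded product key."""
    if len(blob) < KEY_OFFSET:
        raise ValueError("table too short")
    sig, length, _rev, _chk, _oem, _oemtab, _oemrev, _cid, _crev = _HDR.unpack_from(blob, 0)
    if sig != b"MSDM":
        raise ValueError("bad signature %r" % sig)
    if length != len(blob):
        raise ValueError("length field %d != %d bytes read" % (length, len(blob)))
    # ACPI checksum: all bytes of the table must sum to 0 modulo 256
    if sum(blob) & 0xFF != 0:
        raise ValueError("checksum mismatch")
    _version, _res, dtype, _dres, dlen = _BODY.unpack_from(blob, _HDR.size)
    if dtype != 1:  # DataType 1 = product key
        raise ValueError("unexpected data type %d" % dtype)
    return blob[KEY_OFFSET:KEY_OFFSET + dlen].decode("ascii")

def read_msdm(path="/sys/firmware/acpi/tables/MSDM") -> str:
    with open(path, "rb") as f:
        return parse_msdm(f.read())

def build_msdm(key: str, oem_id: bytes = b"LENOVO") -> bytes:
    """Constructed sample table (not a real dump) for offline testing; the
    header fields mirror the hexdump above except for the redacted key."""
    body = _BODY.pack(1, 0, 1, 0, len(key)) + key.encode("ascii")
    hdr = _HDR.pack(b"MSDM", _HDR.size + len(body), 3, 0,
                    oem_id.ljust(6), b"TP-G2   ", 0x2570, b"PTL ", 2)
    table = bytearray(hdr + body)
    table[9] = (-sum(table)) & 0xFF  # fix up the checksum byte
    return bytes(table)

if __name__ == "__main__":
    print(read_msdm())
```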

Ahh yes… and thanks to everyone who posts a howto with screenshots with black bars – don’t forget the hexdump 😉

Syncing a fork with git/github

  • Configure a remote
    git remote -v
    # git remote add <name> <url>
    git remote add upstream https://github.com/foo/bar.git
    git remote -v
  • Pull “upstream”
    # git fetch <name>
    git fetch upstream
  • Checkout the master
    git checkout master
  • Merge “upstream” master to local master
    # git merge <name>/<branch>
    git merge upstream/master
  • (optional) Delete old branch
    # git push origin :<branch>
    git push origin :foobar
    git branch -d foobar

Refs https://help.github.com/articles/

OS X Mavericks and MacPorts

A few weeks ago I upgraded to Mavericks (10.9)… so far, so good.

But I had some trouble with my MacPorts installation…

:info:configure CMake Error at Modules/Platform/Darwin.cmake:211 (message):
:info:configure   CMAKE_OSX_DEPLOYMENT_TARGET is '10.9' but CMAKE_OSX_SYSROOT:
:info:configure    ""
:info:configure   is not set to a MacOSX SDK with a recognized version.  Either set
:info:configure   CMAKE_OSX_SYSROOT to a valid SDK or set CMAKE_OSX_DEPLOYMENT_TARGET to
:info:configure   empty.

This problem had already been reported on https://trac.macports.org, but without any solution that worked for me. So I did my own research and ended up with a really dirty workaround.

Create a list of all installed ports (incl. variants)

sudo port -qv installed

Uninstall all ports

sudo port -f uninstall installed

Clean any builds

sudo port clean all

Reinstall all necessary ports

port install <port> +variant1

Yeah… it’s not the best… I know!

Create a shared disk for VMware ESX guests

To create a shared disk between two or more VMs, log in to one of your ESX hosts and create a disk image.

cd /vmfs/volumes/#volume-name#/#vm-name#/;
vmkfstools -d thick -a lsilogic -c 50G shareddisk.vmdk;

Add the new hard drive to the guest(s) and select a new SCSI bus (like SCSI 2:0). VMware creates a new SCSI controller. Set SCSI Bus Sharing = Physical or Virtual and have fun 🙂

Linux routing basics

You get a subnet like this from your ISP,
and your router has the IP !

You need to enable IP forwarding in the kernel

sysctl -w net.ipv4.ip_forward=1

And we need to enable proxy ARP! This is necessary because your router must answer all ARP requests for hosts other than itself 😉

sysctl -w net.ipv4.conf.eth0.proxy_arp=1
sysctl -w net.ipv4.conf.eth1.proxy_arp=1

Edit your /etc/sysctl.conf !

net.ipv4.ip_forward = 1
net.ipv4.conf.eth0.proxy_arp = 1
net.ipv4.conf.eth1.proxy_arp = 1

If your router has no external IP on the internal NIC, you need to set up routes like

route add -host gw eth1

Ubuntu PHP hardening with Suhosin

Ubuntu includes the PHP Suhosin patches…

Install suhosin extension

aptitude install php5-suhosin


; suhosin parameters
; how many "../" an include path may contain before it is treated as a traversal attempt
suhosin.executor.include.max_traversal = 4
; disable eval() entirely
suhosin.executor.disable_eval = On
; disable the preg_replace() /e modifier (code execution via replacement string)
suhosin.executor.disable_emodifier = On
; 1 blocks mail() calls with newlines in To/Subject, 2 additionally blocks double newlines in headers (header injection)
suhosin.mail.protect = 2
; terminate the script when an SQL error occurs instead of continuing
suhosin.sql.bailout_on_error = On

Restart apache

service apache2 restart

Sometimes it may be necessary to set suhosin.session.encrypt to Off for some login scripts.