OpenLDAP: importing the certificate and mapping users' home directories in RHEL 7


LDAP is a platform-independent protocol. Several common Linux distributions include OpenLDAP Software for LDAP support. The software also runs on BSD-variants, as well as AIX, Android, HP-UX, macOS, Solaris, Microsoft Windows (NT and derivatives, e.g. 2000, XP, Vista, Windows 7, etc.), and z/OS.

We have an OpenLDAP server.

First, check whether the OpenLDAP and NFS packages are installed on the LDAP server:

#rpm -qa | grep openldap

#rpm -qa | grep nfs

Here we created some users under /home/guests.

Next, go to the client system (server or desktop):

Configure a static IP address and add the LDAP server's IP address and hostname to /etc/hosts.

Ping the LDAP server IP to confirm connectivity.

Install SSSD:

#yum install -y sssd*

The System Security Services Daemon is a software package originally developed for the Linux operating system that provides a set of daemons to manage access to remote directories and authentication mechanisms.

Install authconfig*:

The authconfig-tui command is deprecated (TUI stands for Text User Interface), so the remaining options are the system-config-authentication and authconfig commands; the first is graphical, the second text-based.

#yum install authconfig*

#authconfig-gtk (in a GNOME terminal)
note: the TUI equivalent is #authconfig-tui

Check the certificate URL (the address from which the CA certificate is downloaded):

Then look in /etc/openldap/cacerts/

You should see the downloaded .pem file there.

Restart sssd service

#systemctl restart sssd

Verification:

#getent passwd <username> (here I am using the user ldapuser0)

or

#id ldapuser0

If you can see the user's ID details, the LDAP certificate is configured successfully.

Otherwise, check whether the certificate URL and the LDAP server URL are correct.

You can also check with ssh to localhost:

Now try the user with ssh ldapuser0@localhost or su - ldapuser0

You can log in, but you will get a "permission denied" error because the home directory is not available yet. That is fixed with the autofs configuration that follows.

Mapping users' home directories

#yum install -y autofs*

Check the installed package.

Create a map file, e.g. # vi /etc/auto.ami (any name will do), and add the line

ldapuser0 -rw classroom.example.com:/home/guests/ldapuser0

Replace the server name and path above with the values for your own LDAP/NFS server.

Then save and quit.

Here I wanted ldapuser0's home directory to be mounted when that user logs in to the server:

Then add the corresponding entry to the auto.master file:

#systemctl restart autofs

#su - ldapuser0

To add all other users with read and write access by default:

ldapuser0 -fstype=auto classroom.example.com:/home/guests/ldapuser0 (for an individual user)

* -fstype=auto classroom.example.com:/home/guests/& (for all users)

With this wildcard entry all users get read and write access, i.e. no permission denied error.

With only a single user's home directory mounted, the output looks like this (here the ldapuser1 entry was added, so that user can read and write):

In the example below, all the LDAP users can read and write:

If you get an error like mkdir: warning: cannot create directory 'home/guests': permission denied, then try

authconfig --enablemkhomedir --update

That's it.
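To see how automount resolves the explicit per-user entry and the wildcard entry from the map above, here is an added Python model of indirect-map lookup (not code from the original post). It reproduces the `&` substitution, lets an exact key win over `*`, and rejects the whitespace mistake in `-fstype= auto`; the map text is constructed for the example.

```python
"""Model of how autofs resolves a key in an indirect map such as /etc/auto.ami.

Added example, not part of the original post. It reproduces the two entry
forms used above (an explicit per-user entry and a wildcard entry whose
'&' is replaced by the looked-up key) and rejects the whitespace error in
'-fstype= auto'. The map text below is constructed for the example.
"""
import re

# Constructed sample map mirroring the entries discussed above.
SAMPLE_MAP = """\
# explicit entry: wins over the wildcard for this key
ldapuser0 -fstype=auto classroom.example.com:/home/guests/ldapuser0
# wildcard entry: '&' is replaced by whatever key was looked up
* -fstype=auto classroom.example.com:/home/guests/&
"""

# Same wildcard entry with a stray space after '=' (the mistake to avoid).
BROKEN_MAP = "* -fstype= auto classroom.example.com:/home/guests/&\n"

# An option is '-' followed by comma-separated name[=value] items, no spaces.
OPTION_RE = re.compile(
    r"^-[A-Za-z][\w.:/-]*(=[\w.:/-]+)?(,[A-Za-z][\w.:/-]*(=[\w.:/-]+)?)*$")


def parse_map(text):
    """Return [(key, options, location)] for each non-comment line of an indirect map."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        key, rest = fields[0], fields[1:]
        options = []
        while rest and rest[0].startswith("-"):
            opt = rest.pop(0)
            if not OPTION_RE.match(opt):
                raise ValueError(f"line {lineno}: malformed option {opt!r} "
                                 "(no spaces are allowed inside an option)")
            options.append(opt)
        if len(rest) != 1:
            raise ValueError(f"line {lineno}: expected one location, got {rest!r}")
        entries.append((key, tuple(options), rest[0]))
    return entries


def resolve(entries, key):
    """Resolve key as automount does: an exact entry first, then the '*' wildcard."""
    for k, options, location in entries:
        if k == key:
            return options, location
    for k, options, location in entries:
        if k == "*":
            return options, location.replace("&", key)
    return None


def home_mount(entries, user, base="/home/guests"):
    """Describe the mount automount would perform for a user's home directory."""
    resolved = resolve(entries, user)
    if resolved is None:
        return None
    options, location = resolved
    return {"mountpoint": f"{base}/{user}", "source": location, "options": list(options)}


if __name__ == "__main__":
    entries = parse_map(SAMPLE_MAP)
    for user in ("ldapuser0", "ldapuser5"):
        print(user, "->", home_mount(entries, user))
    try:
        parse_map(BROKEN_MAP)
    except ValueError as err:
        print("rejected:", err)
```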

Reset Root Passwords on RHEL 7 and CentOS 7 Linux Systems

In the GRUB2 menu:

Select e to edit the boot entry.

Go to the line beginning with linux16 and, at its end (after UTF-8), type rd.break

Then press Ctrl+x.


switch_root:/# mount -o remount,rw /sysroot
switch_root:/# chroot /sysroot

sh-4.2# echo "New-root-password" | passwd --stdin root

or

sh-4.2# passwd root

sh-4.2# touch /.autorelabel (Note: the spelling of .autorelabel is important)

sh-4.2# exit
switch_root:/# exit

The system then restarts.

Ticketing tools

Many ITIL-based ticketing tools are available on the market. These are among the most popular:

Service Now

Achieve end to end transformation for your IT services and infrastructure through a single cloud based platform. ServiceNow® IT Service Management (ITSM) lets you consolidate fragmented tools and legacy systems while automating service management processes. It’s simple to configure and fast to deploy, so you can go live quickly with confidence, while scaling to your business needs.


IBM SCCD tool:

SCCD (SmartCloud Control Desk), now IBM Control Desk

Benefits

IBM Control Desk features innovative, industry-leading functionality in many areas, including:

  • A simple, easy-to-use service catalog and self service interface
  • Tools for easily reporting problems and requesting services
  • Applications that enable IT staff to be productive and responsive in prioritizing, tracking, and resolving end-user issues
  • ITIL-aligned change, configuration, release, incident, problem, and asset management
  • Integrated service, asset, and configuration management
  • Built-in integrations with IBM and third-party applications
  • Policy-based automation of job plans, task assignments, notifications, and workflows to reduce labor costs
  • Advanced analytics tools that provide insight into your environment and help you manage change more efficiently


BMC Remedy

People-centric user experiences help you to work smarter

  • Stunning reports and visualizations allow intuitive exploration of data
  • Native mobile apps let you use the full power of Remedy 9 anywhere
  • Embedded ITIL v3 processes, with industry best practice reports and KPIs available out-of-the-box
  • Develop your own apps with Innovation Suite, a rich portfolio of intuitive drag-and-drop designers and tools
  • Multi-Cloud Service Management provides a seamless service experience across multi-cloud environments


MBR (Master Boot Record) and GPT (GUID Partition Table)

Set up a new disk on Windows 8.x or 10 and you’ll be asked whether you want to use MBR or GPT. GPT is the new standard and is gradually replacing MBR.

GPT brings with it many advantages, but MBR is still the most compatible and is still necessary in some cases. This isn’t a Windows-only standard — Mac OS X, Linux, and other operating systems can also use GPT.

What Do GPT and MBR Do?


You have to partition a disk drive before you can use it. MBR (Master Boot Record) and GPT (GUID Partition Table) are two different ways of storing the partitioning information on a drive. This information includes where partitions start and begin, so your operating system knows which sectors belong to each partition and which partition is bootable. This is why you have to choose MBR or GPT before creating partitions on a drive.


MBR’s Limitations


MBR stands for Master Boot Record. It was introduced with IBM PC DOS 2.0 in 1983.

It’s called Master Boot Record because the MBR is a special boot sector located at the beginning of a drive. This sector contains a boot loader for the installed operating system and information about the drive’s logical partitions. The boot loader is a small bit of code that generally loads the larger boot loader from another partition on a drive. If you have Windows installed, the initial bits of the Windows boot loader reside here — that’s why you may have to repair your MBR if it’s overwritten and Windows won’t boot. If you have Linux installed, the GRUB boot loader will typically be located in the MBR.

MBR works with disks up to 2 TB in size, but it can’t handle disks with more than 2 TB of space. MBR also only supports up to four primary partitions — if you want more, you have to make one of your primary partitions an “extended partition” and create logical partitions inside it. This is a silly little hack and shouldn’t be necessary.

MBR became the industry standard everyone used for partitioning and booting from disks. Developers have been piling on hacks like extended partitions ever since.


GPT’s Advantages


GPT stands for GUID Partition Table. It’s a new standard that’s gradually replacing MBR. It’s associated with UEFI — UEFI replaces the clunky old BIOS with something more modern, and GPT replaces the clunky old MBR partitioning system with something more modern. It’s called GUID Partition Table because every partition on your drive has a “globally unique identifier,” or GUID — a random string so long that every GPT partition on earth likely has its own unique identifier.

This system doesn’t have MBR’s limits. Drives can be much, much larger and size limits will depend on the operating system and its file systems. GPT allows for a nearly unlimited amount of partitions, and the limit here will be your operating system — Windows allows up to 128 partitions on a GPT drive, and you don’t have to create an extended partition.

On an MBR disk, the partitioning and boot data is stored in one place. If this data is overwritten or corrupted, you’re in trouble. In contrast, GPT stores multiple copies of this data across the disk, so it’s much more robust and can recover if the data is corrupted. GPT also stores cyclic redundancy check (CRC) values to check that its data is intact — if the data is corrupted, GPT can notice the problem and attempt to recover the damaged data from another location on the disk. MBR had no way of knowing if its data was corrupted — you’d only see there was a problem when the boot process failed or your drive’s partitions vanished.


Compatibility

GPT drives tend to include a “protective MBR.” This type of MBR says that the GPT drive has a single partition that extends across the entire drive. If you try to manage a GPT disk with an old tool that can only read MBRs, it will see a single partition that extends across the entire drive. The MBR ensures the old tools won’t mistake the GPT drive for an unpartitioned drive and overwrite its GPT data with a new MBR. In other words, the protective MBR protects the GPT data from being overwritten.

Windows can only boot from GPT on UEFI-based computers running 64-bit versions of Windows 10, 8.1, 8, 7, Vista, and corresponding server versions. All versions of Windows 10, 8.1, 8, 7, and Vista can read GPT drives and use them for data — they just can’t boot from them without UEFI.

Other modern operating systems can also use GPT. Linux has built-in support for GPT. Apple’s Intel Macs no longer use Apple’s APT (Apple Partition Table) scheme and use GPT instead.


You’ll probably want to use GPT when setting up a drive. It’s a more modern, robust standard that all computers are moving toward. If you need compatibility with old systems — for example, the ability to boot Windows off a drive on a computer with a traditional BIOS — you’ll have to stick with MBR for now.
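The MBR layout, the protective MBR and the GPT header CRC described above can be checked directly from a disk image. The following Python parser is an added example (not code from the original article): it builds a small constructed image in memory, classifies it as MBR or GPT by looking for the single type-0xEE protective entry, and verifies the GPT header CRC32, which is how a tool notices a damaged header and falls back to the backup copy at the LBA the header names.

```python
"""Parse an MBR and a GPT header from a disk image and check the GPT header CRC.

Added example, not part of the original article. A small 1 MiB image
(protective MBR at LBA 0, GPT header at LBA 1) is constructed inline so the
code runs offline; pass the first two sectors of a real image to parse_disk()
to inspect one. The partition entry array itself is not decoded here.
"""
import struct
import uuid
import zlib

SECTOR = 512
MBR_TABLE_OFFSET = 446          # four 16-byte entries, then 0x55AA at 510
GPT_PROTECTIVE_TYPE = 0xEE
GPT_SIGNATURE = b"EFI PART"
GPT_HEADER_FMT = "<8sIIIIQQQQ16sQIII"  # 92-byte little-endian header at LBA 1


def build_mbr(entries):
    """Build sector 0 from up to four (bootable, type, first_lba, sectors) tuples."""
    mbr = bytearray(SECTOR)
    for i, (bootable, ptype, first_lba, count) in enumerate(entries[:4]):
        off = MBR_TABLE_OFFSET + 16 * i
        mbr[off:off + 16] = struct.pack(  # CHS fields hold placeholder values
            "<B3sB3sII", 0x80 if bootable else 0, b"\x00\x02\x00", ptype,
            b"\xff\xff\xff", first_lba, count)
    mbr[510:512] = b"\x55\xaa"  # boot signature
    return bytes(mbr)


def build_gpt_header(disk_sectors, disk_guid, entries=128, entry_size=128, corrupt=False):
    """Primary GPT header for a disk whose partition array starts at LBA 2."""
    array_sectors = (entries * entry_size + SECTOR - 1) // SECTOR
    body = struct.pack(GPT_HEADER_FMT, GPT_SIGNATURE, 0x00010000, 92, 0, 0,
                       1, disk_sectors - 1,  # this header's LBA, backup header LBA
                       2 + array_sectors, disk_sectors - 2 - array_sectors,
                       disk_guid.bytes_le, 2, entries, entry_size, 0)
    crc = zlib.crc32(body)  # computed with the CRC field itself zeroed
    if corrupt:
        crc ^= 1  # simulate a damaged header so the check fails
    return (body[:16] + struct.pack("<I", crc) + body[20:]).ljust(SECTOR, b"\0")


def parse_mbr(sector0):
    """Return the non-empty MBR partition entries; raise if the signature is absent."""
    if sector0[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature")
    parts = []
    for i in range(4):
        status, ptype, first_lba, count = struct.unpack_from(
            "<B3xB3xII", sector0, MBR_TABLE_OFFSET + 16 * i)
        if ptype:
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "first_lba": first_lba, "sectors": count})
    return parts


def is_protective_mbr(parts):
    """A protective MBR carries exactly one type-0xEE partition starting at LBA 1."""
    return (len(parts) == 1 and parts[0]["type"] == GPT_PROTECTIVE_TYPE
            and parts[0]["first_lba"] == 1)


def parse_gpt_header(sector):
    """Decode the GPT header and verify its CRC32 (taken with the CRC field zeroed)."""
    (sig, revision, hsize, hcrc, _reserved, my_lba, backup_lba, first_usable,
     last_usable, guid, array_lba, entries, entry_size, _array_crc) = \
        struct.unpack_from(GPT_HEADER_FMT, sector, 0)
    if sig != GPT_SIGNATURE:
        raise ValueError("no GPT signature at LBA 1")
    zeroed = sector[:16] + b"\0\0\0\0" + sector[20:hsize]
    return {"revision": revision, "header_crc_ok": zlib.crc32(zeroed) == hcrc,
            "my_lba": my_lba, "backup_lba": backup_lba,
            "first_usable_lba": first_usable, "last_usable_lba": last_usable,
            "disk_guid": str(uuid.UUID(bytes_le=guid)),
            "array_lba": array_lba, "entries": entries, "entry_size": entry_size}


def parse_disk(image):
    """Classify the first two sectors of an image as MBR or GPT and decode them."""
    parts = parse_mbr(image[:SECTOR])
    result = {"scheme": "MBR", "mbr_partitions": parts, "gpt": None}
    if is_protective_mbr(parts) and len(image) >= 2 * SECTOR:
        result["scheme"] = "GPT"
        result["gpt"] = parse_gpt_header(image[SECTOR:2 * SECTOR])
    return result


# Constructed sample images: a 1 MiB GPT disk, the same disk with a damaged
# header CRC, and a classic MBR disk with one bootable Linux (0x83) partition.
DISK_SECTORS = 2048
DISK_GUID = uuid.UUID("12345678-1234-5678-1234-567812345678")  # made up for the example
PROTECTIVE = build_mbr([(False, GPT_PROTECTIVE_TYPE, 1, DISK_SECTORS - 1)])
GPT_IMAGE = PROTECTIVE + build_gpt_header(DISK_SECTORS, DISK_GUID)
BAD_CRC_IMAGE = PROTECTIVE + build_gpt_header(DISK_SECTORS, DISK_GUID, corrupt=True)
MBR_IMAGE = build_mbr([(True, 0x83, 2048, 100000)])

if __name__ == "__main__":
    for name, img in (("gpt", GPT_IMAGE), ("bad-crc", BAD_CRC_IMAGE), ("mbr", MBR_IMAGE)):
        print(name, parse_disk(img))
```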

Active Directory (AD)

Active Directory (AD) is a directory service that Microsoft developed for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services.[1][2] Initially, Active Directory was only in charge of centralized domain management. Starting with Windows Server 2008, however, Active Directory became an umbrella title for a broad range of directory-based identity-related services.[3]

A server running Active Directory Domain Services (AD DS) is called a domain controller. It authenticates and authorizes all users and computers in a Windows domain type network—assigning and enforcing security policies for all computers and installing or updating software. For example, when a user logs into a computer that is part of a Windows domain, Active Directory checks the submitted password and determines whether the user is a system administrator or normal user.[4]

Active Directory uses Lightweight Directory Access Protocol (LDAP) versions 2 and 3, Microsoft’s version of Kerberos, and DNS.


History

Active Directory, like many information-technology efforts, originated out of a democratization of design using Request for Comments or RFCs. The Internet Engineering Task Force (IETF), which oversees the RFC process, has accepted numerous RFCs initiated by widespread participants. Active Directory incorporates decades of communication technologies into the overarching Active Directory concept then makes improvements upon them.[citation needed] For example, LDAP underpins Active Directory. Also X.500 directories and the Organizational Unit preceded the Active Directory concept that makes use of those methods. The LDAP concept began to emerge even before the founding of Microsoft in April 1975, with RFCs as early as 1971. RFCs contributing to LDAP include RFC 1823 (on the LDAP API, August 1995),[5] RFC 2307, RFC 3062, and RFC 4533.[6][7][8]

Microsoft previewed Active Directory in 1999, released it first with Windows 2000 Server edition, and revised it to extend functionality and improve administration in Windows Server 2003. Additional improvements came with subsequent versions of Windows Server. In Windows Server 2008, additional services were added to Active Directory, such as Active Directory Federation Services.[9] The part of the directory in charge of management of domains, which was previously a core part of the operating system,[9] was renamed Active Directory Domain Services (ADDS) and became a server role like others.[3] “Active Directory” became the umbrella title of a broader range of directory-based services.[10] According to Bryon Hynes, everything related to identity was brought under Active Directory’s banner.[3]

Active Directory Services

Active Directory Services consist of multiple directory services. The best known is Active Directory Domain Services, commonly abbreviated as AD DS or simply AD.[11]

Domain Services

Active Directory Domain Services (AD DS) is the cornerstone of every Windows domain network. It stores information about members of the domain, including devices and users, verifies their credentials and defines their access rights. The server (or the cluster of servers) running this service is called a domain controller. A domain controller is contacted when a user logs into a device, accesses another device across the network, or runs a line-of-business Metro-style app sideloaded into a device.

Other Active Directory services (excluding LDS, as described below) as well as most of Microsoft server technologies rely on or use Domain Services; examples include Group Policy, Encrypting File System, BitLocker, Domain Name Services, Remote Desktop Services, Exchange Server and SharePoint Server.

Lightweight Directory Services

Active Directory Lightweight Directory Services (AD LDS), formerly known as Active Directory Application Mode (ADAM),[12] is a light-weight implementation of AD DS.[13] AD LDS runs as a service on Windows Server. AD LDS shares the code base with AD DS and provides the same functionality, including an identical API, but does not require the creation of domains or domain controllers. It provides a Data Store for storage of directory data and a Directory Service with an LDAP Directory Service Interface. Unlike AD DS, however, multiple AD LDS instances can run on the same server.

Certificate Services

Active Directory Certificate Services (AD CS) establishes an on-premises public key infrastructure. It can create, validate and revoke public key certificates for internal uses of an organization. These certificates can be used to encrypt files (when used with Encrypting File System), emails (per S/MIME standard), network traffic (when used by virtual private networks, Transport Layer Security protocol or IPSec protocol).

AD CS predates Windows Server 2008, but its name was simply Certificate Services.[14]

AD CS requires an AD DS infrastructure.[15]

Federation Services

Active Directory Federation Services (AD FS) is a single sign-on service. With an AD FS infrastructure in place, users may use several web-based services (e.g. internet forum, blog, online shopping, webmail) or network resources using only one set of credentials stored at a central location, as opposed to having to be granted a dedicated set of credentials for each service. AD FS’s purpose is an extension of that of AD DS: the latter enables users to authenticate with and use the devices that are part of the same network, using one set of credentials. The former enables them to use this same set in a different network.

As the name suggests, AD FS works based on the concept of federated identity.

AD FS requires an AD DS infrastructure, although its federation partner may not.[16]

Rights Management Services

Active Directory Rights Management Services (AD RMS, known as Rights Management Services or RMS before Windows Server 2008) is a server software for information rights management shipped with Windows Server. It uses encryption and a form of selective functionality denial for limiting access to documents such as corporate e-mails, Microsoft Word documents, and web pages, and the operations authorized users can perform on them.

Logical structure

As a directory service, an Active Directory instance consists of a database and corresponding executable code responsible for servicing requests and maintaining the database. The executable part, known as Directory System Agent, is a collection of Windows services and processes that run on Windows 2000 and later.[1] Objects in Active Directory databases can be accessed via LDAP, ADSI (a component object model interface), messaging API and Security Accounts Manager services.[2]

Objects

A simplified example of a publishing company’s internal network. The company has four groups with varying permissions to the three shared folders on the network.

Active Directory structures are arrangements of information about objects. The objects fall into two broad categories: resources (e.g., printers) and security principals (user or computer accounts and groups). Security principals are assigned unique security identifiers (SIDs).

Each object represents a single entity—whether a user, a computer, a printer, or a group—and its attributes. Certain objects can contain other objects. An object is uniquely identified by its name and has a set of attributes—the characteristics and information that the object represents— defined by a schema, which also determines the kinds of objects that can be stored in Active Directory.

The schema object lets administrators extend or modify the schema when necessary. However, because each schema object is integral to the definition of Active Directory objects, deactivating or changing these objects can fundamentally change or disrupt a deployment. Schema changes automatically propagate throughout the system. Once created, an object can only be deactivated—not deleted. Changing the schema usually requires planning.[17]

Forests, trees, and domains

The Active Directory framework that holds the objects can be viewed at a number of levels. The forest, tree, and domain are the logical divisions in an Active Directory network.

Within a deployment, objects are grouped into domains. The objects for a single domain are stored in a single database (which can be replicated). Domains are identified by their DNS name structure, the namespace.

A domain is defined as a logical group of network objects (computers, users, devices) that share the same Active Directory database.

A tree is a collection of one or more domains and domain trees in a contiguous namespace, linked in a transitive trust hierarchy.

At the top of the structure is the forest. A forest is a collection of trees that share a common global catalog, directory schema, logical structure, and directory configuration. The forest represents the security boundary within which users, computers, groups, and other objects are accessible.

Example of the geographical organizing of zones of interest within trees and domains:

  • Domain-Boston
  • Domain-New York
  • Domain-Philly
  • Tree-Southern
      • Domain-Atlanta
      • Domain-Dallas
          • OU-Marketing: Hewitt, Aon, Steve
          • OU-Sales: Bill, Ralph

Organizational units

The objects held within a domain can be grouped into Organizational Units (OUs).[18] OUs can provide hierarchy to a domain, ease its administration, and can resemble the organization’s structure in managerial or geographical terms. OUs can contain other OUs—domains are containers in this sense. Microsoft recommends using OUs rather than domains for structure and to simplify the implementation of policies and administration. The OU is the recommended level at which to apply group policies, which are Active Directory objects formally named Group Policy Objects (GPOs), although policies can also be applied to domains or sites (see below). The OU is the level at which administrative powers are commonly delegated, but delegation can be performed on individual objects or attributes as well.

Organizational units do not each have a separate namespace; e.g. user accounts with an identical username (sAMAccountName) in separate OUs within a domain are not allowed, such as “fred.staff-ou.domain” and “fred.student-ou.domain”, where “staff-ou” and “student-ou” are the OUs. This is because sAMAccountName, a user object attribute, must be unique within the domain.[19] However, two users in different OUs can have the same Common Name (CN), the name under which they are stored in the directory itself.

In general the reason for this lack of allowance for duplicate names through hierarchical directory placement, is that Microsoft primarily relies on the principles of NetBIOS, which is a flat-file method of network object management that for Microsoft software, goes all the way back to Windows NT 3.1 and MS-DOS LAN Manager. Allowing for duplication of object names in the directory, or completely removing the use of NetBIOS names, would prevent backward compatibility with legacy software and equipment. However, disallowing duplicate object names in this way is a violation of the LDAP RFCs on which Active Directory is supposedly based.

As the number of users in a domain increases, conventions such as “first initial, middle initial, last name” (Western order) or the reverse (Eastern order) fail for common family names like Li (李), Smith or Garcia. Workarounds include adding a digit to the end of the username. Alternatives include creating a separate ID system of unique employee/student id numbers to use as account names in place of actual user’s names, and allowing users to nominate their preferred word sequence within an acceptable use policy.

Because duplicate usernames cannot exist within a domain, account name generation poses a significant challenge for large organizations that cannot be easily subdivided into separate domains, such as students in a public school system or university who must be able to use any computer across the network.

Shadow groups

In Active Directory, organizational units cannot be assigned as owners or trustees. Only groups are selectable, and members of OUs cannot be collectively assigned rights to directory objects.

In Microsoft’s Active Directory, OUs do not confer access permissions, and objects placed within OUs are not automatically assigned access privileges based on their containing OU. This is a design limitation specific to Active Directory. Other competing directories such as Novell NDS are able to assign access privileges through object placement within an OU.

Active Directory requires a separate step for an administrator to assign an object in an OU as a member of a group also within that OU. Relying on OU location alone to determine access permissions is unreliable, because the object may not have been assigned to the group object for that OU.

A common workaround for an Active Directory administrator is to write a custom PowerShell or Visual Basic script to automatically create and maintain a user group for each OU in their directory. The scripts are run periodically to update the group to match the OU’s account membership, but are unable to instantly update the security groups anytime the directory changes, as occurs in competing directories where security is directly implemented into the directory itself. Such groups are known as Shadow Groups. Once created, these shadow groups are selectable in place of the OU in the administrative tools.

Microsoft refers to shadow groups in the Server 2008 Reference documentation, but does not explain how to create them. There are no built-in server methods or console snap-ins for managing shadow groups.[20]
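The reconciliation such a script performs is simple set arithmetic over the directory. The following Python model is an added example (not from the article or from Microsoft): given a snapshot of user objects and the shadow group's current members, it computes which DNs to add and which to remove so the group matches the OU, optionally including sub-OUs. The directory data is constructed (names taken from the tree example above), DN parsing handles only escaped commas, and skipping disabled accounts is this example's own assumption; applying the delta through the directory API is left to the caller.

```python
"""Reconcile a 'shadow group' with the user accounts located in an OU.

Added example, not from the article. It models the periodic script described
above: compute the DNs that must be added to or removed from the group so its
membership equals the OU's user objects. The directory snapshot is constructed
inline; disabled accounts are skipped (an assumption of this example) and DN
handling is simplified (escaped commas only). Applying the delta is not done.
"""


def parse_dn(dn):
    """Split a DN into lower-cased (attribute, value) pairs, leaf RDN first."""
    parts, buf, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):  # keep an escaped character literally
            buf += dn[i + 1]
            i += 2
            continue
        if ch == ",":
            parts.append(buf)
            buf = ""
        else:
            buf += ch
        i += 1
    parts.append(buf)
    pairs = []
    for rdn in parts:
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip().lower()))
    return pairs


def normalize(dn):
    """Canonical form so DNs differing only in case or spacing compare equal."""
    return ",".join(f"{a}={v}" for a, v in parse_dn(dn))


def in_ou(object_dn, ou_dn, recursive=False):
    """True if object_dn sits directly in ou_dn (or anywhere beneath it if recursive)."""
    obj, ou = parse_dn(object_dn), parse_dn(ou_dn)
    if len(obj) <= len(ou) or obj[-len(ou):] != ou:
        return False
    return recursive or len(obj) == len(ou) + 1


def shadow_group_delta(ou_dn, directory, group_members, recursive=False):
    """Return (to_add, to_remove): DNs the group lacks / should no longer hold."""
    wanted = {normalize(dn): dn for dn, attrs in directory.items()
              if attrs.get("objectClass") == "user"
              and attrs.get("enabled", True)
              and in_ou(dn, ou_dn, recursive)}
    current = {normalize(dn): dn for dn in group_members}
    to_add = sorted(wanted[k] for k in wanted.keys() - current.keys())
    to_remove = sorted(current[k] for k in current.keys() - wanted.keys())
    return to_add, to_remove


# Constructed snapshot using OU-Marketing and OU-Sales from the tree example.
DIRECTORY = {
    "CN=Hewitt,OU=Marketing,DC=example,DC=com": {"objectClass": "user", "enabled": True},
    "CN=Aon,OU=Marketing,DC=example,DC=com": {"objectClass": "user", "enabled": True},
    "CN=Steve,OU=Marketing,DC=example,DC=com": {"objectClass": "user", "enabled": False},
    "OU=Interns,OU=Marketing,DC=example,DC=com": {"objectClass": "organizationalUnit"},
    "CN=Temp\\, Joe,OU=Interns,OU=Marketing,DC=example,DC=com": {"objectClass": "user", "enabled": True},
    "CN=Bill,OU=Sales,DC=example,DC=com": {"objectClass": "user", "enabled": True},
    "CN=Ralph,OU=Sales,DC=example,DC=com": {"objectClass": "user", "enabled": True},
}
MARKETING_OU = "OU=Marketing,DC=example,DC=com"
# Current members of the shadow group: stale, because Bill has moved to Sales.
MARKETING_SHADOW_GROUP = [
    "cn=hewitt,ou=marketing,dc=example,dc=com",
    "CN=Bill,OU=Sales,DC=example,DC=com",
]

if __name__ == "__main__":
    for recursive in (False, True):
        add, remove = shadow_group_delta(MARKETING_OU, DIRECTORY,
                                         MARKETING_SHADOW_GROUP, recursive)
        print(f"recursive={recursive} add={add} remove={remove}")
```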

The division of an organization’s information infrastructure into a hierarchy of one or more domains and top-level OUs is a key decision. Common models are by business unit, by geographical location, by IT Service, or by object type and hybrids of these. OUs should be structured primarily to facilitate administrative delegation, and secondarily, to facilitate group policy application. Although OUs form an administrative boundary, the only true security boundary is the forest itself and an administrator of any domain in the forest must be trusted across all domains in the forest.[21]

Partitions

The Active Directory database is organized in partitions, each holding specific object types and following a specific replication pattern. Microsoft often refers to these partitions as ‘naming contexts’.[22] The ‘Schema’ partition contains the definition of object classes and attributes within the Forest. The ‘Configuration’ partition contains information on the physical structure and configuration of the forest (such as the site topology). Both replicate to all domains in the Forest. The ‘Domain’ partition holds all objects created in that domain and replicates only within its domain.

Physical structure

Sites are physical (rather than logical) groupings defined by one or more IP subnets.[23] AD also holds the definitions of connections, distinguishing low-speed (e.g., WAN, VPN) from high-speed (e.g., LAN) links. Site definitions are independent of the domain and OU structure and are common across the forest. Sites are used to control network traffic generated by replication and also to refer clients to the nearest domain controllers (DCs). Microsoft Exchange Server 2007 uses the site topology for mail routing. Policies can also be defined at the site level.

Physically, the Active Directory information is held on one or more peer domain controllers, replacing the NT PDC/BDC model. Each DC has a copy of the Active Directory. Servers joined to Active Directory that are not domain controllers are called Member Servers.[24] A subset of objects in the domain partition replicate to domain controllers that are configured as global catalogs. Global catalog (GC) servers provide a global listing of all objects in the Forest.[25][26] Global Catalog servers replicate to themselves all objects from all domains and hence, provide a global listing of objects in the forest. However, to minimize replication traffic and keep the GC’s database small, only selected attributes of each object are replicated. This is called the partial attribute set (PAS). The PAS can be modified by modifying the schema and marking attributes for replication to the GC.[27] Earlier versions of Windows used NetBIOS to communicate. Active Directory is fully integrated with DNS and requires TCP/IP—DNS. To be fully functional, the DNS server must support SRV resource records, also known as service records.

Replication

Active Directory synchronizes changes using multi-master replication.[28] Replication by default is ‘pull’ rather than ‘push’, meaning that replicas pull changes from the server where the change was effected.[29] The Knowledge Consistency Checker (KCC) creates a replication topology of site links using the defined sites to manage traffic. Intrasite replication is frequent and automatic as a result of change notification, which triggers peers to begin a pull replication cycle. Intersite replication intervals are typically less frequent and do not use change notification by default, although this is configurable and can be made identical to intrasite replication.

Each link can have a ‘cost’ (e.g., DS3, T1, ISDN etc.) and the KCC alters the site link topology accordingly. Replication may occur transitively through several site links on same-protocol site link bridges, if the cost is low, although KCC automatically costs a direct site-to-site link lower than transitive connections. Site-to-site replication can be configured to occur between a bridgehead server in each site, which then replicates the changes to other DCs within the site. Replication for Active Directory zones is automatically configured when DNS is activated in the domain based by site.

Replication of Active Directory uses Remote Procedure Calls (RPC) over IP (RPC/IP). Between Sites SMTP can be used for replication, but only for changes in the Schema, Configuration, or Partial Attribute Set (Global Catalog) GCs. SMTP cannot be used for replicating the default Domain partition.[30]

Implementation

In general, a network utilizing Active Directory has more than one licensed Windows server computer. Backup and restore of Active Directory is possible for a network with a single domain controller,[31] but Microsoft recommends more than one domain controller to provide automatic failover protection of the directory.[32] Domain controllers are also ideally single-purpose for directory operations only, and should not run any other software or role.[33]

Certain Microsoft products such as SQL Server[34][35] and Exchange[36] can interfere with the operation of a domain controller, necessitating isolation of these products on additional Windows servers. Combining them can make configuration or troubleshooting of either the domain controller or the other installed software more difficult.[37] A business intending to implement Active Directory is therefore recommended to purchase a number of Windows server licenses, to provide for at least two separate domain controllers, and optionally, additional domain controllers for performance or redundancy, a separate file server, a separate Exchange server, a separate SQL Server,[38] and so forth to support the various server roles.

Physical hardware costs for the many separate servers can be reduced through the use of virtualization, although for proper failover protection, Microsoft recommends not running multiple virtualized domain controllers on the same physical hardware.[39]

Database

The Active Directory database, the directory store, in Windows 2000 Server uses the JET Blue-based Extensible Storage Engine (ESE98) and is limited to 16 terabytes and 2 billion objects (but only 1 billion security principals) in each domain controller’s database. Microsoft has created NTDS databases with more than 2 billion objects.[40] (NT4’s Security Account Manager could support no more than 40,000 objects.) Called NTDS.DIT, it has two main tables: the data table and the link table. Windows Server 2003 added a third main table for security descriptor single instancing.[40]

Programs may access the features of Active Directory[41] via the COM interfaces provided by Active Directory Service Interfaces.[42]

Single server operations

Flexible Single Master Operations Roles (FSMO, pronounced “fizz-mo”) operations are also known as operations master roles. Although domain controllers allow simultaneous updates in multiple places, certain operations are supported only on a single server. These operations are performed using the roles listed below:

Role name (scope): description
Schema Master (1 per forest): Schema modifications.
Domain Naming Master (1 per forest): Addition and removal of domains, if present in the root domain.
PDC Emulator (1 per domain): Provides backwards compatibility for NT4 clients for PDC operations (like password changes). The PDC runs domain-specific processes such as the Security Descriptor Propagator (SDP) and is the master time server within the domain. It also handles external trusts and the DFS consistency check, holds current passwords and manages all GPOs as the default server.
RID Master (1 per domain): Allocates pools of unique identifiers to domain controllers for use when creating objects.
Infrastructure Master (1 per domain/partition): Synchronizes cross-domain group membership changes. The infrastructure master should not be run on a global catalog server (GCS) unless all DCs are also GCs, or the environment consists of a single domain.

Trusting

To allow users in one domain to access resources in another, Active Directory uses trusts.[43]

Trusts inside a forest are automatically created when domains are created. The forest sets the default boundaries of trust, and implicit, transitive trust is automatic for all domains within a forest.

Terminology

One-way trust
One domain allows access to users of another domain, but the other domain does not allow access to users of the first domain.
Two-way trust
Two domains allow access to users of both domains.
Trusted domain
The domain that is trusted; its users have access to the trusting domain.
Transitive trust
A trust that can extend beyond two domains to other trusted domains in the forest.
Intransitive trust
A one-way trust that does not extend beyond two domains.
Explicit trust
A trust that an administrator creates. It is not transitive and is one-way only.
Cross-link trust
An explicit trust between domains in different trees, or in the same tree when a descendant/ancestor (child/parent) relationship does not exist between the two domains.
Shortcut
Joins two domains in different trees; transitive, one- or two-way.
Forest trust
Applies to the entire forest; transitive, one- or two-way.
Realm
Can be transitive or nontransitive (intransitive), one- or two-way.
External
Connects to other forests or non-AD domains; nontransitive, one- or two-way.[44]

Forest trusts

Windows Server 2003 introduced the forest root trust. This trust can be used to connect Windows Server 2003 forests if they are operating at the 2003 forest functional level. Authentication across this type of trust is Kerberos-based (as opposed to NTLM).

Forest trusts are transitive for all the domains within the trusted forests. However, forest trusts are not transitive between forests.

Example: Suppose that a two-way transitive forest trust exists between the forest root domains in Forest A and Forest B, and another two-way transitive forest trust exists between the forest root domains in Forest B and Forest C. Such a configuration lets users in Forest B access resources in any domain in either Forest A or Forest C, and users in Forest A or C can access resources in any domain in Forest B. However, it does not let users in Forest A access resources in Forest C, or vice versa. To let users in Forest A and Forest C share resources, a two-way transitive trust must exist between both forests.

Management solutions

Microsoft Active Directory management tools include:

  • Active Directory Users and Computers,
  • Active Directory Domains and Trusts,
  • Active Directory Sites and Services,
  • ADSI Edit,
  • Local Users and Groups,
  • Active Directory Schema snap-ins for Microsoft Management Console (MMC).

These management tools may not provide enough functionality for an efficient workflow in large environments. Some third-party solutions extend the administration and management capabilities and provide features for more convenient administration, such as automation, reports, integration with other services, etc.

Dynamic DNS (DDNS or DynDNS)

Dynamic DNS (DDNS or DynDNS) is a method of automatically updating a name server in the Domain Name System (DNS), often in real time, with the active DDNS configuration of its configured hostnames, addresses or other information.

Create an account in

http://www.noip.com/

After that, go to your router (here a TP-Link):

You can see the connection status: succeeded.

We have to enable port forwarding for RDP.

Then go to Run, type mstsc, and enter the domain name, username and password.

It's ready.

Clipbucket free video sharing on Ubuntu 14.04

ClipBucket is an open source script used for video sharing. It comes with very effective features like HQ video customization, multiple language support and several video moderation tools. It uses FFmpeg, Flash and HTML5 for streaming, and comes with media management and user management features.

#apt-get update

#apt-get install wamp
#apt-get install ruby

Install other dependencies

#Install FFMPEG

#apt-add-repository ppa:mc3man/trusty-media

Sample output

Press [ENTER] to continue or ctrl-c to cancel adding it

gpg: keyring `/tmp/tmp624ee04k/secring.gpg' created
gpg: keyring `/tmp/tmp624ee04k/pubring.gpg' created
gpg: requesting key ED8E640A from hkp server keyserver.ubuntu.com
gpg: /tmp/tmp624ee04k/trustdb.gpg: trustdb created
gpg: key ED8E640A: public key "Launchpad PPA for Doug McMahon" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
OK

Update System and install ffmpeg package

apt-get update && apt-get install ffmpeg

Install imagemagic

#apt-get install imagemagick php5-imagick

#install flvtool2

#gem install flvtool2

Sample output

Fetching: flvtool2-1.0.6.gem (100%)
Successfully installed flvtool2-1.0.6
Parsing documentation for flvtool2-1.0.6
Installing ri documentation for flvtool2-1.0.6
Done installing documentation for flvtool2 after 1 seconds
1 gem installed

Install GPAC

#apt-get install gpac mediainfo

Download package

#wget http://netix.dl.sourceforge.net/project/clipbucket/ClipBucket%20v2/clipbucket-2.8.v3354-stable.zip
or http://clip-bucket.com/latest.php

Unzip the downloaded archive into the web directory

#apt-get install unzip

#unzip clipbucket-2.8.v3354-stable.zip -d /var/www/html/

Rename Package

cd /var/www/
mv clipbucket-2.8.v3354-stable/ clipbucket

Change permissions and ownership of Package

 chown -R www-data:www-data clipbucket/
 chmod -R 777 /var/www/clipbucket

Go to phpMyAdmin and create a database and user for ClipBucket.

Open a browser, go to 192.168.0.102/clipbucket/upload and proceed:

  1. Accept the license agreement and click Next; if everything looks good, click Next
  2. All file permissions look good, click Next
  3. Provide the database credentials you created in the database step
  4. Change the admin password, save the settings and continue
  5. Skip and finish
  6. Log in to the admin panel first, then upload videos

 

 

Home page after uploading images:

Admin logged-in page:

It's ready.

Dolibarr ERP & CRM on Ubuntu 14.04

Dolibarr ERP/CRM is an open source, free software package for small and medium companies, foundations or freelancers. It includes different features for enterprise resource planning (ERP) and customer relationship management (CRM) but also other features for different activities.

We can download the setup file from the link below:

http://www.dolibarr.org/files/stable/standard/

#mv dolibaar.* /var/www/dolibaar

#chmod 777 /var/www/dolibaar

Installer screenshots: click NEXT>> on each page.

chmod 777 /htdocs/conf/conf.php

Continue clicking NEXT>> through the remaining installer pages.

Create internal and external users and try with HRM and Accounts

Setup IT and Asset Management System With GLPI On Ubuntu 14.04

GLPI is the Information Resource-Manager with an additional Administration Interface. You can use it to build up a database with an inventory for your company. It has enhanced functions to make the daily life for the administrators easier, like a job-tracking-system with mail-notification and methods to build a database with basic information about your network-topology.

Features list of GLPI

General

- Multi-entities management (multi-park, multi-structure)
- Multi-users management
- Multiple Authentication System (local, LDAP, AD, Pop/Imap, CAS, x509…) and multiple servers
- Multilingual management (45 languages available )
- Permissions and profiles system
- Pagination system
- Complex search module
- Bookmark search system
- Publishing system for public or personal reminders
- Publishing system for public or personal RSS feeds
- Configurability of display fields in lists
- Export System in PDF, CSV, SLK (spreadsheet), PNG and SVG
- Saving/restoration module of the database to the SQL format
- Exportation of the database to the XML format
- Configurable dropdowns
- Dictionary
- System of notifications on events (consumable stock, expiry of contracts and licenses), customizable and by entity
- Customizable cron tasks
- Updates check system
- UTF8 interface
- HTML 4.01 compatibility

Inventory

- Import inventory data from OCS Inventory NG servers with the OCS Inventory NG plugin
- Import inventory data from FusionInventory agents with the FusionInventory plugin
- Inventory of the computer fleet with management of its components, disk space and TCO management
- Inventory of the monitors with management of the connections to the computers
- Inventory of the network hardware fleet with management of the connections to the devices (IP, MAC addresses, VLANs…)
- Inventory of the printer fleet with management of connections to the computers, management of associated consumables and consumption, and alarm thresholds
- Inventory of the external devices (scanners, graphics tablets…) with management of the connections to the computers
- Inventory of the telephone fleet with management of connections to the computers
- Inventory of the software fleet with license and expiration date management
- Assignment of the hardware by geographic area (room, floor…)
- Template management to make the insertion of identical configurations easier
- Administrative and financial information management (purchase, warranty and extension, depreciation)
- Filing of materials that have left the inventory
- Management of the status of the hardware
- Management of the various states for the materials (in repair…)
- Management of generic peripherals and monitors that can be associated with several computers
- Management of external links to other applications
- History of the modifications to the elements of the inventory

Servicedesk ITIL

- Management of the tracking requests for all the types of material of the inventory
- Management of recurrent tracking requests for regular maintenance
- Problems management
- Change management
- Project management with Gantt graphs
- Tracking requests opened using web interface or email
- Business rules when opening tickets (customizable by entity)
- SLA with escalation (customizable by entity)

Final user

- Final user front-end for intervention demand
- Mail tracking of the intervention demand feature
- Interventions history consultation
- Possibility of adding comments at the request of intervention using web interface or email
- Approval of the solution
- Satisfaction survey

Technicians

- Interventions demands priority management
- Interventions demands templates with management of hidden, mandatory and predefined fields
- Tracking of interventions demands
- Link between interventions demands management
- Mail tracking of interventions
- Request validation
- Assignment of interventions demands
- Opening/Closing/Re-opening of interventions
- Assignment of a real time of interventions
- History of done interventions
- Displaying of the interventions to do by a technician
- Displaying of the history of the interventions for a given hardware
- Posting of the interventions to be realized by technician
- Check availability of technicians before assignment of an intervention
- Posting of the history of the interventions for a given material
- Management of planning of intervention
- Define the solution

Statistics

Statistics reports by month, year, total in PNG, SVG or CSV.

- Global
- By technician or enterprise
- By hardware, location or type
- By user
- By category
- By priority

Management

- Management of enterprises (manufacturers, suppliers, conveyors, people receiving benefits…) and associated contacts
- Management of the contracts (loan, hiring, leasing, insurance, maintenance and service)
- Management of the documents related to the elements of inventories, contracts…
- Management of the types of authorized documents
- Budget management

Reservation
- Management of the reservations for the material in affected inventory with the park of loan
- User interface (calendar) for reservation

Knowledge Database
- Management of a basic system of knowledge hierarchical
- Management of a public FAQ
- Content management by targets

Reports

Reports generation about the devices

- By device-type
- By associated contract
- By commercial information

Network Reports

Technical aspects

GLPI uses the following technologies:

- PHP
- MySQL/MariaDB for the database
- HTML for the Web pages
- CSS for style sheets
- XML for report generation

========================================================================

Now we have to create a database for GLPI. To do so, log in to your MySQL server using command:

# mysql -u root -p
mysql> create database glpidb;
mysql> GRANT ALL ON glpidb.* TO ami@localhost IDENTIFIED BY 'ubuntu';
mysql> flush privileges;
mysql> exit

Download the setup file from :
http://www.glpi-project.org/spip.php?article41

# mv glpi/ /var/www/glpi

# chmod -R 777 /var/www/glpi/files/
# chmod -R 777 /var/www/glpi/config/

Installation screenshots (steps 1 to 9) follow.
# rm -fr /var/www/glpi/install/install.php

# chmod 400 /var/www/glpi/config/config_db.php
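The ClipBucket and GLPI steps above both use `chmod -R 777` on the web root, which lets every local account write to the application. As an added example (not from either project), the shell function below applies the layout those installers actually need: the web server account owns the tree, directories are 0750, files 0640, and files named as arguments (such as GLPI's config/config_db.php, which the page itself locks to 400) end up read-only; a second function counts what is still world-writable, so the before and after can be compared. The directory, owner and file names are parameters chosen for the example.

```shell
#!/bin/sh
# Added example (not from ClipBucket or GLPI): replace "chmod -R 777" with a
# least-privilege layout and verify that nothing in the tree is world-writable.
# Assumes GNU find/stat as shipped on Ubuntu.

# harden_webapp_perms <app_dir> <owner> <group> [read_only_file ...]
#   owner/group     account the web server runs as (www-data on Ubuntu)
#   read_only_file  paths relative to app_dir to lock to 0400 after install,
#                   e.g. config/config_db.php for GLPI
harden_webapp_perms() {
    app_dir=$1 owner=$2 group=$3
    shift 3
    [ -d "$app_dir" ] || { echo "harden: no such directory: $app_dir" >&2; return 1; }

    # The web server user owns the tree, so it can write where it must
    # (uploads, cache, config during install) without opening it to everyone.
    chown -R "$owner:$group" "$app_dir" || return 1
    find "$app_dir" -type d -exec chmod 0750 '{}' +   # rwxr-x---
    find "$app_dir" -type f -exec chmod 0640 '{}' +   # rw-r-----

    # Secrets written by the installer (database credentials) become
    # read-only for the owner and unreadable for everyone else.
    for rel in "$@"; do
        chmod 0400 "$app_dir/$rel" || return 1
    done
}

# world_writable_count <dir>: prints how many entries are writable by "other".
# A non-zero count is what "chmod -R 777" leaves behind.
world_writable_count() {
    find "$1" -perm -0002 | wc -l | tr -d ' '
}

# mode_of <path>: octal mode of one entry, for spot checks.
mode_of() {
    stat -c '%a' "$1"
}
```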


Setup SVN server on Ubuntu 14.04

SVN (Subversion) is an open source version control system. It is used to store previous changes of your project files like documentation, code, etc. You can also track and identify who made a particular change in the project files. Here in this article we can see how to set up an SVN server on Ubuntu 14.04.

Let’s start the installation.
Step 1 » Issue the command below to update the repositories.
sudo apt-get update
Step 2 » After updating the repositories, issue the command below to install SVN and the Apache web server (to access SVN through HTTP).
sudo apt-get install subversion apache2 libapache2-svn apache2-utils
Step 3 » Now create a directory and create a new repository in it (here I’m using testrepo as the repository name).
sudo mkdir -p /svn/repos/
sudo svnadmin create /svn/repos/testrepo

Step 4 » Now change the ownership of the repository.
sudo chown -R www-data:www-data /svn/repos/testrepo
Step 5 » Create a file testrepo.conf in /etc/apache2/sites-available/ and add the lines below to create the Apache virtual host.

SVNParentPath /svn/repos/ : parent directory, without the repository name.
AuthUserFile /etc/svnpasswd : file that needs to be created (Step 8) for user details.

Step 6 » Issue the command below to enable the site (testrepo in the command below should match the file name created in the previous step).
sudo a2ensite testrepo
Step 7 » Now restart or reload the Apache service.
sudo service apache2 reload
Step 8 » Issue the command to create a user for accessing the repository and add the user details to the /etc/svnpasswd file.
Use this command to create the first user.
sudo htpasswd -cm /etc/svnpasswd user1
Use the same command without the c option to create additional users.
sudo htpasswd -m /etc/svnpasswd ami
Step 9 » Now you can access http://yourip/svn/testrepo in your browser (e.g. http://192.168.1.7/svn/testrepo). Enter your username and password:

You can see a page like the one below after successful authentication.

That’s it, your server is ready.
You can use SVN clients such as TortoiseSVN on Windows and RapidSVN on Ubuntu for committing to and updating the repository.
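Step 5 above refers to virtual host lines that are not reproduced on this page. As an added example (not the author's file), the shell function below writes a mod_dav_svn location block built around the two directives the text annotates, SVNParentPath and AuthUserFile, and pairs it with a mod_authz_svn access file that gives the Step 8 users per-repository rights (user1 read/write, ami read-only on testrepo). The output paths and the two users' rights are assumptions for the example; libapache2-svn from Step 2 ships both modules.

```shell
#!/bin/sh
# Added example, not the page's own file: generate the Apache site for
# mod_dav_svn plus a path-based authz file. libapache2-svn (installed in
# Step 2) provides both mod_dav_svn and mod_authz_svn.

# write_svn_site <conf_out> <authz_out> <parent_path> <passwd_file>
write_svn_site() {
    conf_out=$1 authz_out=$2 parent_path=$3 passwd_file=$4

    # Access file consumed by AuthzSVNAccessFile: [repo:/path] sections with
    # "name = r" or "name = rw". The names match the htpasswd users of
    # Step 8; their rights here are assumptions for the example.
    cat > "$authz_out" <<EOF
[groups]
developers = user1
readers = ami

[testrepo:/]
@developers = rw
@readers = r
EOF

    # Location block: every repository under parent_path is served at
    # /svn/<name>, Basic auth checks the htpasswd file, and the authz file
    # decides what an authenticated user may read or commit.
    cat > "$conf_out" <<EOF
<Location /svn>
    DAV svn
    SVNParentPath $parent_path
    SVNListParentPath On
    AuthType Basic
    AuthName "Subversion repositories"
    AuthUserFile $passwd_file
    AuthzSVNAccessFile $authz_out
    Require valid-user
</Location>
EOF
}

# svn_site_ok <conf_out>: returns 0 only if the generated file names the
# directives this setup depends on.
svn_site_ok() {
    grep -q '^ *SVNParentPath ' "$1" &&
    grep -q '^ *AuthUserFile ' "$1" &&
    grep -q '^ *Require valid-user' "$1"
}
```

Writing the first file as /etc/apache2/sites-available/testrepo.conf keeps the `a2ensite testrepo` step unchanged.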

For Windows

Here I am using TortoiseSVN, so my client is Windows.

First we need to install TortoiseSVN.

After that, click All Programs > TortoiseSVN > Repository browser to open it.

Enter your URL; in my case http://192.168.1.7/svn/testrepo/

It will ask for your username and password, see below:


This HTML file (ami.html) was created in Windows through the pop-up menu’s Add file option.

User info:


Now check your URL: you can see revision 3, since I made three changes.

We can go back to revision 1 or 2 later if anything went wrong in the code.