Install IPA Server and replicas (cluster)

IPA Server can be installed standalone or as master – master cluster

Create Master – Master cluster (simple option)

  1. Install and create stand alone IPA Server (@ipa1)
  2. Install client on IPA Client (@ipa3)
  3. Promote ipa client on @ipa3 to server a master
  4. Install ca certificates on ipa3

1. Install and create standalone IPA Sever

For simplicty all password are 123456798; dns forwarder 192.168.178.1 (acces to internet)

sudo dnf module enable idm:DL1/server -y
sudo dnf module enable idm:DL1/dns -y
sudo dnf distro-sync
sudo dnf module install idm:DL1/server -y
sudo dnf module install idm:DL1/dns -y
sudo dnf install ipa-server -y
sudo dnf install ipa-server-dns -y
sudo ipa-server-install --domain=ipa.tomdus.lab --realm=IPA.TOMDUS.LAB --ds-password=123456798 --admin-password=123456798 --mkhomedir --ssh-trust-dns --idstart=100000 --no-ntp --setup-dns --forwarder=192.168.178.1 --auto-reverse --allow-zone-overlap

...

sudo firewall-cmd --add-service={http,https,ldap,ldaps,kerberos,kpasswd,dns} --permanent
sudo firewall-cmd --reload

2. Install IPA client

In order to install ipa client it is sufficient to enable only idl:DL1/client module, thus as this server will be promoted to IPA Replica muss enable idl:DL1/server and idl:DL1/dns (required by DNS Server)
[tomas@ipa3 ~]$ sudo dnf module list idm:DL1
Last metadata expiration check: 0:00:17 ago on Wed 08 Jun 2022 01:45:55 PM CEST.
CentOS Stream 8 - AppStream
Name Stream Profiles Summary
idm DL1 adtrust, client, common [d], dns, server The Red Hat Enterprise Linux Identity Management system module
Hint: [d]efault, [e]nabled, [x]disabled, [i]nstalled

sudo dnf module enable idm:DL1/server -y
sudo dnf module enable idm:DL1/dns -y
sudo dnf distro-sync -y

sudo dnf module install idm:DL1/server -y
sudo dnf module install idm:DL1/dns -y

Verify network connection on ipa3

[tomas@ipa3 ~]$ ping 10.0.2.38  (IP Address of IPA1)[tomas@ipa3 ~]$ cat /etc/resolv.conf 
# Generated by NetworkManager
search ipa.tomdus.lab
nameserver 10.0.2.38
[tomas@ipa3 ~]$ dig ipa1.ipa.tomdus.lab
; <<>> DiG 9.11.36-RedHat-9.11.36-3.el8 <<>> ipa1.ipa.tomdus.lab
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10689
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: b6dd4e79f5137f6a795623dc62a096d3ae0ca70d1d10c863 (good)
;; QUESTION SECTION:
;ipa1.ipa.tomdus.lab. IN A

;; ANSWER SECTION:
ipa1.ipa.tomdus.lab. 1200 IN A 10.0.2.38

;; AUTHORITY SECTION:
ipa.tomdus.lab. 86400 IN NS ipa1.ipa.tomdus.lab.

;; Query time: 1 msec
;; SERVER: 10.0.2.38#53(10.0.2.38)
;; WHEN: Wed Jun 08 14:32:17 CEST 2022
;; MSG SIZE rcvd: 141

Install client

[tomas@ipa3 ~]$ sudo dnf install ipa-server -y[tomas@ipa3 ~]$ sudo ipa-client-install --mkhomedir --domain=ipa.tomdus.lab --realm IPA.TOMDUS.LAB --principal admin --password 123456798 --no-ntp
This program will set up IPA client.
Version 4.9.8

Discovery was successful!
Client hostname: ipa3.ipa.tomdus.lab
Realm: IPA.TOMDUS.LAB
DNS Domain: ipa.tomdus.lab
IPA Server: ipa1.ipa.tomdus.lab
BaseDN: dc=ipa,dc=tomdus,dc=lab

Continue to configure the system with these values? [no]: yes
Skipping chrony configuration
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=IPA.TOMDUS.LAB
Issuer: CN=Certificate Authority,O=IPA.TOMDUS.LAB
Valid From: 2022-06-02 06:40:56
Valid Until: 2042-06-02 06:40:56

Enrolled in IPA realm IPA.TOMDUS.LAB
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm IPA.TOMDUS.LAB
Systemwide CA database updated.
Hostname (ipa3.ipa.tomdus.lab) does not have A/AAAA record.
Missing reverse record(s) for address(es): 10.0.3.5.
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring ipa.tomdus.lab as NIS domain.
Client configuration complete.
The ipa-client-install command was successful

Client has been succesfully registered and visible inside IPA server

3. Promote client ipa3 to replica

In order to promote client as a replica the client muss be assigned to host group ipaservers

Check DNS entries for ipa3

[tomas@ipa3 ~]$ dig +short ipa3.ipa.tomdus.lab
10.0.3.5[tomas@ipa3 ~]$ host -r 10.0.3.5
Host 5.3.0.10.in-addr.arpa. not found: 3(NXDOMAIN)

Common problem that can be solved inside DNS

Check – OK

[tomas@ipa3 ~]$ dig +short ipa3.ipa.tomdus.lab
10.0.3.5[tomas@ipa3 ~]$ host -r 10.0.3.5
5.3.0.10.in-addr.arpa domain name pointer ipa3.ipa.tomdus.lab.

Promote client to replica

[tomas@ipa3 ~]$ sudo ipa-replica-install --admin-password=123456798 --mkhomedir --ssh-trust-dns --setup-dns --forwarder=192.168.178.1 --auto-reverse --allow-zone-overlap
Lookup failed: Preferred host ipa3.ipa.tomdus.lab does not provide DNS.
Checking DNS forwarders, please wait ...
Reverse record for IP address 10.0.3.5 already exists OK as we corrected is manually above
Run connection check to master
Connection check OK
Disabled p11-kit-proxy
Configuring directory server (dirsrv). Estimated time: 30 seconds[1/38]: creating directory server instance
Validate installation settings ...
Create file system structures ...
Perform SELinux labeling ...
Create database backend: dc=ipa,dc=tomdus,dc=lab ...
Perform post-installation tasks ...[2/38]: tune ldbm plugin[3/38]: adding default schema[4/38]: enabling memberof plugin[5/38]: enabling winsync plugin[6/38]: configure password logging[7/38]: configuring replication version plugin[8/38]: enabling IPA enrollment plugin[9/38]: configuring uniqueness plugin[10/38]: configuring uuid plugin[11/38]: configuring modrdn plugin[12/38]: configuring DNS plugin[13/38]: enabling entryUSN plugin[14/38]: configuring lockout plugin[15/38]: configuring topology plugin[16/38]: creating indices[17/38]: enabling referential integrity plugin[18/38]: configuring certmap.conf[19/38]: configure new location for managed entries[20/38]: configure dirsrv ccache and keytab[21/38]: enabling SASL mapping fallback[22/38]: restarting directory server[23/38]: creating DS keytab[24/38]: ignore time skew for initial replication[25/38]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 4 seconds elapsed
Update succeeded
[26/38]: prevent time skew after initial replication[27/38]: adding sasl mappings to the directory[28/38]: updating schema[29/38]: setting Auto Member configuration[30/38]: enabling S4U2Proxy delegation[31/38]: initializing group membership[32/38]: adding master entry[33/38]: initializing domain level[34/38]: configuring Posix uid/gid generation[35/38]: adding replication acis[36/38]: activating sidgen plugin[37/38]: activating extdom plugin[38/38]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Replica DNS records could not be added on master: Insufficient access: Insufficient 'add' privilege to add the entry 'idnsname=ipa3,idnsname=ipa.tomdus.lab.,cn=dns,dc=ipa,dc=tomdus,dc=lab'.
Configuring Kerberos KDC (krb5kdc)[1/5]: configuring KDC[2/5]: adding the password extension to the directory[3/5]: creating anonymous principal[4/5]: starting the KDC[5/5]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin[1/2]: starting kadmin [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring directory server (dirsrv)[1/3]: configuring TLS for DS instance[2/3]: importing CA certificates from LDAP[3/3]: restarting directory server
Done configuring directory server (dirsrv).
Configuring the web interface (httpd)[1/22]: stopping httpd[2/22]: backing up ssl.conf[3/22]: disabling nss.conf[4/22]: configuring mod_ssl certificate paths[5/22]: setting mod_ssl protocol list[6/22]: configuring mod_ssl log directory[7/22]: disabling mod_ssl OCSP[8/22]: adding URL rewriting rules[9/22]: configuring httpd
Nothing to do for configure_httpd_wsgi_conf[10/22]: setting up httpd keytab[11/22]: configuring Gssproxy[12/22]: setting up ssl[13/22]: configure certmonger for renewals[14/22]: publish CA cert[15/22]: clean up any existing httpd ccaches[16/22]: enable ccache sweep[17/22]: configuring SELinux for httpd[18/22]: create KDC proxy config[19/22]: enable KDC proxy[20/22]: starting httpd[21/22]: configuring httpd to start on boot[22/22]: enabling oddjobd
Done configuring the web interface (httpd).
Configuring ipa-otpd[1/2]: starting ipa-otpd [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Custodia uses 'ipa1.ipa.tomdus.lab' as master peer.
Configuring ipa-custodia[1/4]: Generating ipa-custodia config file[2/4]: Generating ipa-custodia keys[3/4]: starting ipa-custodia [4/4]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd)[1/2]: configure certmonger for renewals[2/2]: Importing RA key
Done configuring certificate server (pki-tomcatd).
Configuring Kerberos KDC (krb5kdc)[1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds[1/10]: stopping directory server[2/10]: saving configuration[3/10]: disabling listeners[4/10]: enabling DS global lock[5/10]: disabling Schema Compat[6/10]: starting directory server[7/10]: upgrading server[8/10]: stopping directory server[9/10]: restoring configuration[10/10]: starting directory server
Done.
Finalize replication settings
Restarting the KDC
dnssec-validation yes
Configuring DNS (named)[1/8]: generating rndc key file[2/8]: setting up our own record[3/8]: adding NS record to the zones[4/8]: setting up kerberos principal[5/8]: setting up named.conf
created new /etc/named.conf
created named user config '/etc/named/ipa-ext.conf'
created named user config '/etc/named/ipa-options-ext.conf'
created named user config '/etc/named/ipa-logging-ext.conf'[6/8]: setting up server configuration[7/8]: configuring named to start on boot[8/8]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Restarting the web server to pick up resolv.conf changes
Configuring DNS key synchronization service (ipa-dnskeysyncd)[1/7]: checking status[2/7]: setting up bind-dyndb-ldap working directory[3/7]: setting up kerberos principal[4/7]: setting up SoftHSM[5/7]: adding DNSSEC containers
DNSSEC container exists (step skipped)[6/7]: creating replica keys[7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Updating DNS system records

Global DNS configuration in LDAP server is not empty
The following configuration options override local settings in named.conf:

API Version number was not sent, forward compatibility not guaranteed. Assuming server's API version, 2.245
Forward policy: first
IPA DNS servers: ipa1.ipa.tomdus.lab, ipa2.ipa.tomdus.lab

Configuring SID generation[1/7]: creating samba domain object
Samba domain object already exists[2/7]: adding admin(group) SIDs
Admin SID already set, nothing to do
Admin group SID already set, nothing to do[3/7]: adding RID bases
RID bases already set, nothing to do[4/7]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.[5/7]: activating sidgen task[6/7]: restarting Directory Server to take MS PAC and LDAP plugins changes into account[7/7]: adding fallback group
Fallback group already set, nothing to do
Done.

WARNING: The CA service is only installed on one server (ipa1.ipa.tomdus.lab).
It is strongly recommended to install it on another server.
Run ipa-ca-install(1) on another master to accomplish this.

The ipa-replica-install command was successful

Enable firewall

sudo firewall-cmd --add-service={http,https,ldap,ldaps,kerberos,kpasswd,dns} --permanent
sudo firewall-cmd --reload

4. Install ca certificates on ipa3

[tomas@ipa3 ~]$ sudo ipa-ca-install
Directory Manager (existing master) password:

Run connection check to master
Connection check OK
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes[1/28]: creating certificate server db[2/28]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 5 seconds elapsed
Update succeeded
[3/28]: creating ACIs for admin
...[26/28]: importing IPA certificate profiles[27/28]: configuring certmonger renewal for lightweight CAs[28/28]: deploying ACME service
Done configuring certificate server (pki-tomcatd).
Updating DNS system records








Create Toolchain with ptxdist

This is a small introduction to create a toolchain with ptxdist (Version ptxdist-2019.08.0.tar.bz2)

 

sudo apt install libncurses5-dev python-dev

cd
mkdir ptxdist
cd ptxdist
wget http://public.pengutronix.de/software/ptxdist/ptxdist-2019.08.0.tar.bz2
tar -xjf ptxdist-2019.08.0.tar.bz2
cd ptxdist-2019.08.0
./configure --prefix /home/tomas/ptxdist/install
make
make install
cd /home/tomas/ptxdist/install/bin/
./ptxdist setup

Create your own toolchain

sudo apt install python3-dev
cd /home/tomas/ptxdist
wget https://public.pengutronix.de/oselas/toolchain/OSELAS.Toolchain-2018.12.0.tar.bz2
tar -xjf OSELAS.Toolchain-2018.12.0.tar.bz2
cd OSELAS.Toolchain-2018.12.0/
/home/tomas/ptxdist/install/bin/ptxdist-2019.08.0 select ptxconfigs/i686-atom-linux-gnu_gcc-8.2.1_glibc-2.28_binutils-2.31.1_kernel-4.19-sanitized.ptxconfig
/home/tomas/ptxdist/install/bin/ptxdist-2019.08.0 migrate
/home/tomas/ptxdist/install/bin/ptxdist-2019.08.0 go

change in selected_ptxconfig from PTXCONF_PREFIX=“/opt“ to PTXCONF_PREFIX=“/home/tomas/ptxdist/toolchain“

How To Setup and Orange PI One

This is a small introduction to setup orange pi one

Format and prepare SD Card

Prepare 32GB SD Card, thus Orange Pi One can boot from up to 32GB SD Card. I am using SDCard Formatter,

Install Linux image on SD Card

Download image, e.g Debian Buster based version from https://www.armbian.com/orange-pi-one/.

Use e.g. Etcher to flash linux image to SD Card:

First time boot

Insert an SD Card into Orange Pi One and connect power supply

Connect to MySQL with python

The mysql libraries are not per see installed with python, thus:

sudo apt-get install python-mysql

Script:


#!/usr/bin/python
import MySQLdb

db = MySQLdb.connect(host="localhost", # your host, usually localhost
    user="tomas", # your username
    passwd="tomas1234", # your password
    db="test") # name of the data base

# Create a cursor object that executes all required queries
cur = db.cursor()

# create sample table
cur.execute("CREATE TABLE IF NOT EXISTS tomastest(id INT NOT NULL AUTO_INCREMENT PRIMARY KEY, data VARCHAR(100))")

# create sample data
cur.execute("INSERT INTO tomastest(data) VALUES('Test data'); commit;")

# execute select sql
cur.execute("SELECT * FROM tomastest")

# Get the number of rows in the resultset
numrows = cur.rowcount
print "Rows count: ",numrows
for row in cur.fetchall():
    print row[0], row[1]
db.close()

If not providede, thus create test mysql db (sMySQL Docs)

mysql> CREATE DATABASE test;
mysql> use test

If not already exist create user (MySQL Docs)

mysql> CREATE USER 'tomas'@'localhost' IDENTIFIED BY 'tomas1234';
mysql> GRANT ALL ON test.* TO 'tomas'@'localhost';

Convert PFX certificate to crt and key for apache httpd

How to convert PFX certificate to .crt and .key to use with apache httpd

Certificate in PFX format are commonly exported from MS Active Directory Using OpenSSL Command in Linux System:

openssl pkcs12 -in server.pfx -out server.key -nodes -nocerts

server.key

-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIl4COeWKpJooCAggA
MBQGCCqGSIb3DQMHBAhzLEVbvIcuIASCBMhLiTd6/n6feWfBNRPDpeQl4oecUt6Q
nQrGbtcbDlPaMcCjSrquZO3MCfwstPhv3kyk6ntc8A6MJZCALvAdf6g0xetNb4L0
ThoJ5IfsVM4K7SRy/Q4JxR6OWhdTVNSinc4aPncjJClImPmFc+QOrHuFY19Z9kTW
nVsWOg3CG4tx2HfNVLrH3ZQJ7bM0Imohw464wGLf2k+l5/+XEnqqHfJLazx67GbP
KGdq7YnZLWXv8j6E4ZLrxpEx+KyGgSqB8vcVMttpjM07iVTKD7ig0FwRaN2TlPeT
FiK7n0y/UCIpH4KRFtJIgJfWuGkKUJFQVs+eiD8xZRM6sl6KvkebG4O4vEtJS2PF
cXNfVxtbmhroOjRrP9Wjd0K9tZQ+zBGnhoF2fo5T8LCyeTRPeECFCiRoGmW2QF3y
8QHz017qw4CwfSPMQRf6Y6gTlvg9tFmuIHgA9YGSGXYgqNXYtkw7dxR40LsbKYTb
y81j5EjT0Whn6dQYhYx4dSWGcx/m7Ybzlka9ftkrV+E9KvBh1eg8vjrU/VSAAFHo
BmDCK3dxQNt5gDqlbjX5d/cmd9eu1oYGqZKkhC1fN0TRK7XmnPEZ8bHc+YCDzeHb
yAEgETngSm2AOTFRd7TMpzHOaMJUMnFqX4QYeQfuerPkF3lvIf/OOi9UKdcYkY3Y
97zFqZny2rFVmaCiFk/a8X+Ecwn4xm9RZHeibo1dCTrZ54BIzO7bBaae7HOjxwwH
ZqWCfLeFboZ2GoQ3zAhIOF3h8jL+UVHJRDKlJJix9i0uyOm0JmIzFyx7k1b1lr66
zxfQbl2H5up3GU2dzRRdNOfFefOmDqwSyJ6ZThzpSyhvqmDWlRdRoRQ105G+8OrP
dj+Y/Kxm1znucHUHuaKrIOiwrHtXIX3Lfmp66/Azmw2TBBV/4sv5+lKwewXbPuSq
34lAXHYIw1/v85/KlAE3fr0O/u0ROofzpUKlhdCJ4c/1VrWvfdCmbbxjsXTIzLrY
cvzT7FPo8avVE6jfgVKt9Y4Q8pmS2ZjvHmmB7HwwOpR/jDJwuvTRAly5s1rdrkW9
0sU3jrujY0zyV/oPyuBdJBmixFOrZx8jaYyoC6wgRzlfXBxi0wCIvOLRZE305co6
qFN1zRYjL8Hv1rj3kI+oRtGgg/al8/WItBG28l+N4Q3qucG3+fXZ7sTULHV5TIVp
Ud6PjkstveK+3oosBxwkDqXtC4gdRSzjtnUHEWwE+Df2pqQGDEK0kLxisgorGaDz
0P4eYHce8y14UZty0y2KioyUW7nlunwsPAvResyNjqjgxJ7USaurRCspkIDDXrim
C0c3Xj7J6F8wNakHCzX9cJamV9I0rYGDEEwM29MtS3W8UU03YeeAdGxbmZRXyOH8
xYZdHxCdh3QKxf3+U19LRdUEUdTWpa96yp4lcTZyvEK6AODjzY8Qg9PhZqAH1L1T
6HePzR70udLzEXiUci4H0oLqMtHJOhLfhsFZFiO0Std+nKUSJu5KdsXzxIhRAYCu
3oxhAGc8QaYruZ0qx2VZ3ujIcD+CzezqzXzjeKWrjP6dKEKx3uEP8qIRPnrkDX9d
GpjKRI3ATOt8ojzgdreGv3Hg9qSAHXVl23ocTCl18HPRLzaF9TZrVhiuferQHO5k
M3U=
-----END ENCRYPTED PRIVATE KEY-----

openssl pkcs12 -in server.pfx -out server.crt -clcerts
server.crt

-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIJAOu8IGet1qEEMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV
BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
aWRnaXRzIFB0eSBMdGQwHhcNMTcwNzA2MTE1MTAxWhcNMTgwNzA2MTE1MTAxWjBF
MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50
ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEAtM/17uVeeUsFzt0QL8OhoIbma5l6gpqRGZOPcbAMBmdVFcOgouwe8DLF
Jt+2yZMnHbjdEMArgcDFOZW+jJKJiI7vV/fvMB5Ey50A57P4IADrwZN4nAHVqDD6
1v1ZwI9hintyUs+Mke1fDl++Q9D4eFfv36VEx6IV+xWdEREbJZPqxzQCNUDQhSwg
Tsr/mWUKvwomY0Dt8l6BWPKIzlx0hOZFsz7mAc1FlRRodt0GaUtVJskPjjJ3WDsW
zmk/RGViGKSpFyz8Dk9Sc7+lElCas39Yx8869DIRSdcgw0DU0kORZsIH4OJUUBn/
A8/CEkDOi1/2tYjnnzg7YUqjrDrDXQIDAQABo1AwTjAdBgNVHQ4EFgQUcR0veqM0
EAIVawdoqhln/mvEYFQwHwYDVR0jBBgwFoAUcR0veqM0EAIVawdoqhln/mvEYFQw
DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEArPZNXaa7EG1tm4P65Mis
2u/Bf5qa8ylgJVKUfEvz6SQRKq+5NV7FE/CyVRGinkmNKy37G3IUV7J+UkaPx+Rz
7CwGQC3yIWOA/ASClTs4P/56sLZ5RxtzAdJ/bZZUKx4HhfkkWYFUEM1PCl8ZXJQq
uWliKzF6Id/HdsgJtH7vBFyp0yuKoKrB2msRdPWK99D7ir6T2PZ457OqpQtJhGYW
R9AvftZUG0QfsSSAOa942ItnPW7kgoU/pgV88zkvUYnAhEQ98NFSgTSQa83eaBXz
id8lrrea7Yi5TXkArgh9kMQbuTWBbyJCAKKeBNV6nt7ZVLcTn22Xjkat+33BgaFh
4g==
-----END CERTIFICATE-----

Zertifikats Inhalts auslesen

Wie lese ich den Inhalt des Zertifikates (*.pem oder *.crt) aus?

Der Inhalt des Zertifikates kann mit OpenSSL ausgelesen werden:

openssl x509 -in ZERTIFIKAT.CRT -text -noout

openssl x509 -in ZERTIFIKAT.PEM -text -noout

Beispiele

openssl x509 -in /etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem -text -noout

openssl x509 -in/etc/pki/tls/certs/localhost.crt -text -noout

Certificate:
Data:
Version: 3 (0x2)
Serial Number: 18473 (0x4829)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=--, ST=SomeState, L=SomeCity, O=SomeOrganization, OU=SomeOrganizationalUnit, CN=centos1.localdomain/emailAddress=root@centos1.localdomain
Validity
Not Before: Oct 6 14:49:10 2016 GMT
Not After : Oct 6 14:49:10 2017 GMT
Subject: C=--, ST=SomeState, L=SomeCity, O=SomeOrganization, OU=SomeOrganizationalUnit, CN=centos1.localdomain/emailAddress=root@centos1.localdomain
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:c1:0d:b0:20:81:73:a4:3f:d2:09:33:bd:5f:3d:
42:d8:4f:0e:11:86:ad:6d:84:93:55:5c:9c:b6:00:
4e:a0:35:a9:72:68:0e:f7:3d:9f:7d:b7:73:a3:30:
a5:d1:ea:c8:c3:6c:96:46:f2:9e:8c:d2:2c:5f:44:
4d:2b:07:35:f7:92:4e:48:80:a3:5f:d4:5f:16:82:
83:a5:f2:09:9e:74:b8:95:8f:55:13:1e:3d:a1:07:
c7:11:24:f3:e7:75:3e:e5:da:4e:85:dd:b6:b9:b5:
e3:32:8d:ec:23:08:bf:22:7c:c0:55:27:07:36:f2:
b3:18:5a:6b:62:0d:9a:a4:d0:4a:e0:3a:ea:b6:31:
d2:06:52:46:8a:6e:16:aa:cb:fe:bc:8a:f8:c8:94:
0f:ca:e1:78:a6:f9:b3:b6:69:07:0d:18:97:b1:60:
6e:24:4b:df:bf:ba:67:42:3e:2d:81:cf:f7:55:ed:
47:15:a0:00:b9:26:36:56:d3:29:d6:9e:bf:99:6d:
0f:a9:63:b8:4a:9f:f4:e0:f8:98:e5:ab:2e:81:9c:
f3:eb:a3:0a:27:dd:4f:70:e9:3b:e2:c1:1f:07:fe:
cb:1c:ee:5b:74:e9:31:b8:e8:5e:80:30:28:e6:e1:
7a:16:ac:25:d0:39:50:08:ff:db:71:5d:46:87:49:
47:83
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
Signature Algorithm: sha256WithRSAEncryption
37:e0:e1:92:2a:cc:51:8a:4c:d4:31:91:20:f4:f3:72:b2:bb:
34:82:5c:e0:b1:29:33:b5:6d:c5:3b:42:50:8b:49:2b:cc:8c:
72:57:c3:ff:92:00:f4:cb:7e:00:34:86:88:ed:38:ea:10:57:
8d:43:fc:9d:ae:5c:9d:87:4f:73:c0:8d:79:e4:a3:44:de:b1:
27:6c:93:f3:c9:d1:b3:4c:df:6c:5f:0b:1e:19:e9:51:69:68:
af:fb:47:45:85:03:64:04:a9:47:24:3a:8d:8b:b5:4f:0c:25:
44:e2:10:a8:58:6a:f9:8d:5d:3f:2f:9f:41:75:f5:04:47:a4:
e1:90:53:a1:dc:a1:fa:20:5b:d5:41:79:cb:f5:47:66:1b:02:
dd:94:bb:52:69:00:2c:3a:d5:44:0a:a4:15:23:36:fb:5c:aa:
fa:28:af:89:17:fb:f4:c6:d7:8b:1b:14:d2:7d:6b:01:d2:33:
eb:43:62:c0:bd:88:b9:31:86:ed:e7:28:11:b4:b2:9e:b3:1e:
c6:3e:bd:54:8b:f9:53:ed:0d:c3:ea:1d:c2:54:53:b5:d5:83:
30:58:6e:37:87:9f:d8:cf:44:3f:29:90:0c:84:b7:9f:cb:4f:
11:f5:d0:a3:6e:ea:22:87:eb:9b:63:b9:9c:46:99:32:6d:a7:
42:3c:e8:a0

MySQL auf Ubuntu installieren

Die MySQL Datenbank kann mit sudo apt-get install mysql-server installiert werden.

Während der Installation muss ein root Kennwort gesetzt werden. mysql root password

Der test login erfolgt mittels mysql -u root -p

Die Datenbank Konfiguration kann über command promt erfolgen oder via eine GUI. Eine passende quelloffene GUI ist MySQL Workbench MySQL Workbench. Die Instalaltion erfolgt mit sudo apt-get install mysql-workbench.

 

Ansible – Wie erfahre ich die Linux Distribution

Wie erfahre ich die Linux Distribution in Ansible?

  • Wie erfahre ich, welche Linux Distribution das Zielsystem hat?
  • Wie begrenze ich die Ausführung vom ansible tasks auf einige Linux Distributionen?

Ansible speichert automatisch die Beschreibung der linux Distribution in den folgenden Variablen:
ansible_distribution, ansible_distribution_release und ansible_distribution_version. (Mehr dazu in Ansible Best Practise)

Um die Distribution Information zu erhalten:  ansible all -m setup -a "filter=ansible_distribution*"

Mit dem Ergebnis:

"ansible_distribution": "CentOS",
"ansible_distribution_release": "Final",
"ansible_distribution_version": "6.4"

und um die tasks nur bei einigen Distributionen in ansible playbook durchzuführen
when: ansible_distribution == 'CentOS'