Setting up LDAP 

Now
that we’ve seen what a directory is, and how it stores data, we can get on
with setting up an  LDAP server under Linux and use it to centralize
network resource information. Here, we’ll configure an LDAP server to
authenticate and manage network resource information for a Linux-only
network.

Setting up and Configuring
OpenLDAP

The
accompanying Red Hat 6.2 (Zoot) CD comes with OpenLDAP project’s LDAP
server. OpenLDAP is based on the code of the University of Michigan’s
original LDAP server. The OpenLDAP distribution includes both slapd (the
directory server) and slurpd (the replication server), as well as several
tools and libraries. Also, several accompanying packages are bundled to
allow you to easily reconfigure the system to use LDAP for authentication.

To install the LDAP server,
mount the zoot CD-ROM, and run the command:

# rpm -ivh /mnt/cdrom/RedHat/RPMS/openldap*.rpm

This will install both the
server and the development packages.

All the remaining LDAP
support packages are pre-installed on your system (as part of pam and
nss_ldap)

The LDAP configuration files
are stored in the directory /etc/openldap.

Become root, and edit the
file /etc/openldap/slapd.conf.

Here, modify the suffix entry
for your domain name (for example, the domain pcquest.com becomes)

suffix dc=pcquest,dc=com

Set up a rootdn (the root, or
manager’s distinguished name)

rootdncn=Manager,dc=pcquest,
dc=com

The "Manager" entry
should specifically not be any user on the network.

Set up a password for the
Manager. As the warning suggests, cleartext passwords are a bad idea. Find
out how to add an encrypted entry and do it. For now, we’ll stick with a
cleartext entry.

rootpw secret

That should be sufficient to
get your LDAP server up and running. Note that we haven’t configured
slurpd, which is the replication server. It isn’t necessary to be running
slurpd, but if you’re planning to use the setup in a production
environment, it’s definitely a good idea to have it up.

Let’s continue with
configuring the directory server–slapd.

Start slapd with the command

# /etc/rc.d/init.d/ldap
start

Now, we can
get down to the task of entering network resource information into the
directory service.

To understand what logrotate can do....

To understand what logrotate
can do, first ask yourself what you want to do with your log files. The
table "Planning for a log processing and archiving policy" might
help you to start. The first row lists the processing and reporting to be
done, while the first column lists the files on which the processing is to
be done. Put down the different log files in column 1, tick out the log
processing of your choice, and you can come up with a policy for using
logrotate.

Let me briefly explain what
each column implies. A "yes" on column 2 indicates that you want
to retain the log file as a record, so it’s best kept compressed.
Similarly, a "yes" in column 3 indicates that you merely want to
scan the file, look for the unusual, and then discard it. You might want to
mail this file to yourself or to the relevant administrator. Column 4 says
that you want to discard the file straightaway. In the sysadmin world, this
obviously doesn’t qualify for best practice. Columns 5 and 6
mention the actions you want to perform before and after you do the log
processing. Column 7 is for an e-mail address to which errors during log
processing are to be reported, and column 8 indicates how often you want the
processing to be done. Note that you might want a time threshold with a
granularity of a day or choose to have a file size threshold to rotate the
logs. This table is not exhaustive or mandatory in nature–it’s is merely
an example of how you would go about the policy-making exercise. So, don’t
implement this, as is, as a policy. Evolve one to suit your needs.

If you’re ready with a
table such as the one above, you have a policy. You can now use logrotate to
implement this policy.

The policy is specified using
keywords, as well as with a script-like language comprising keywords
specific to logrotate. The script is intuitive and easy to understand. By
default, most logs are rotated four times, uncompressed, before they’re
removed from the system. This should explain the presence of files with the
extensions .1, .2, .3 and .4 in the /var/log directory. Take the file /var/log/messages
as an example. After a certain time period or after a certain file size is
reached (as specified in /etc/logrotate. conf), this file is renamed to
messages.1 and an empty file called messages is created to take in the new
log input. This is repeated until they’re rotated four times.

Let’s look at a portion of
the configuration from /etc/logrotate.conf from a standard install. The
first line mentions the name of the file for which the policy is laid out.
Notice the intuitive keywords–"monthly" indicates that the
rotation cycle is monthly, "create" specifies the permissions and
ownerships to be used when the old file is moved to another name and an
empty file is created. "Rotate 1" indicates that one rotated
logfile will be retained:

/var/log/wtmp
{ monthly

create 0664
root utmp

rotate 1

}

Here’s a portion of the
file /etc/logrotate.d/apache–the policy for processing apache log files.
The keyword missingok implies that if the log file isn’t found, continue
processing the rest. Notice the command in between the keywords postrotate
and endscript. This command is executed after log processing is done.
Surprisingly, you don’t find any other instructions such as the frequency
of rotation or the number of rotations, as in the previous case. When there’s
no explicit mention made, the definitions in the global configuration file
will apply.

/var/log/httpd/access_log
{

missingok

postrotate

/usr/bin/killall -HUP httpd 2> /dev/null || true

endscript

}

logrotate is typically run
once a day by the cron. If you are logged in as superuser, you would see an
entry similar to the one below in the crontab file:

0 0 * * * /usr/sbin/logrotate

The utility runs every
midnight. You can run it more often if you need to.

A good start towards
minimizing disk storage space would be to uncomment the compress option in
/etc/logrotate. conf, so that all the rotated log files are kept compressed.

Avinash
Shenoy is a systems and network administrator at the NCBS, Bangalore,
and Gopi Garge is a technology
consultant with Exocore Consulting <www.exocore.com>