496 Part VII: System Administration The limit you set for a quota can be hard or soft. A hard limit will deny a user the ability to exceed his or her quota, whereas a soft limit will just issue a warning. For the soft limit, you can designate a grace period (up to 48 hours) during which time the user can reduce her disk space below the limit. If the disk space still exceeds the limit after the grace period expires, the user can be denied access to her account. For example, a soft limit is typically 75MB, whereas the hard limit could be 100MB. The quota record begins with the hard disk device name and the blocks of memory and inodes in use. The limits segments have parameters for soft and hard limits. If these entries are 0, no limits are in place. You can set both hard and soft limits, using the hard limit as a firm restriction. Blocks in Linux are currently about 1000 bytes. The inodes are used by files to hold information about the memory blocks making up a file. To set the time limit for a soft limit, use the edquota command with the -t option. The following example displays the quota record for larisa: Quotas for user larisa: /dev/hda3: blocks in use: 9000, limits (soft = 40000, hard = 60000) inodes in use: 321, limits (soft = 0, hard = 0) repquota and quota As the system administrator, you can use the repquota command to generate a summary of disk usage for a specified file system, checking to see what users are approaching or exceeding quota limits. repquota takes as its argument the file system to check; the -a option checks all file systems. Here’s an example: repquota /dev/hda1 Individual users can use the quota command to check memory use and determine how much disk space is left in their quota. Table 22-6 shows the options for the command. Lightweight Directory Access Protocol The Lightweight Directory Access Protocol (LDAP) is designed to implement network- accessible directories of information. In this context, the term directory is defined as a database of primarily read-only, simple, small, widely accessible, and quickly distributable information. It is not designed for transactions or updates. It is primarily used to provide information about users on a network, such as their e-mail addresses or phone numbers. Such directories can also be used for authentication purposes, identifying that a certain quota Option Description -g Prints group quotas for the user’s group -u Prints the user’s quota -v Displays quotas on file systems where no storage is allocated -q Prints information on file systems where usage is over quota T ABLE 22-6 Options for quota PART IPART IPART IPART IPART VII Chapter 22: Managing Users 497 user belongs to a specified network. You can find out more information on LDAP at http://ldapman.org. You can think of an LDAP directory for users as an Internet-accessible phone book, where anyone can look up your e-mail address or other information. In fact, it may be more accurate to refer to such directories as databases of user information that are accessible over networks such as the Internet. Normally, users on a local network are spread across several different systems, and to obtain information about a particular user, you have to know what system the user is on and then query that system. With LDAP, user information for all users on a network is kept in the LDAP server, so you can query only the network’s LDAP server to obtain information about a user. For example, Sendmail can use LDAP to look up user addresses. You can also use Firefox or Netscape to query LDAP. NOTE NOTE LDAP is a directory access protocol to an X.500 directory service, the OSI Directory Service. LDAP directories are implemented as clients and servers; you use an LDAP client to access an LDAP server that manages the LDAP database. Ubuntu uses OpenLDAP, an open-source version of LDAP (see www.openldap.org). OpenLDAP provides an LDAP server (slapd), an LDAP replication server (slurpd), an LDAP client, and LDAP utilities. On Ubuntu, you install the LDAP packages using the ldap-auth-config metapackage. This package will also select and install the ldap-auth-client, libpam-ldap, and libnss-ldap packages. For the LDAP server, you select the slapd package. If you are running Postfix mail server, you may want to use postfix-ldap. When installing ldap-auth-config, you are prompted to enter in the URI for the LDAP server, the distinguishing name of the search base, and the version to use. You are then prompted to specify whether the administrator on your system has administrative access to the LDAP server and if the LDAP database requires a login. Then specify the LDAP account for the root and the LDAP root account password. For documentation of the LDAP server on Ubuntu, check the OpenLDAP Server entry for your distribution at https://help.ubuntu.com. LDAP Configuration Files All LDAP configuration files are kept in the /etc/ldap directory. These include slapd.conf, the LDAP server configuration file, and ldap.conf, the LDAP clients and tools configuration file. To enable the LDAP server, you have to edit the slapd.conf file manually and change the domain value (dc) for the suffix and rootdn entries to your own network’s domain address. This is the network that will be serviced by the LDAP server. To enable LDAP clients and their tools, you must specify the correct domain address in the ldap.conf file in the BASE option, along with the server’s address in the URI option (domain name or IP address). For clients, this is the configuration information you entered when installing the ldap-auth-config package. You can also edit the ldap.conf file directly. See the ldap.conf man entry for detailed descriptions of LDAP options. If you installed the LDAP server, you can start, stop, and restart the LDAP service using the slapd script: sudo /etc/init.d/slapd start 498 Part VII: System Administration You can also have the LDAP servers started when your system starts up by checking the LDAP Server entry in the services-admin tool: choose System | Administration | Services. TIP TIP Keep in mind that the /etc/ldap.conf and /etc/ldap/ldap.conf files are not the same. /etc/ ldap.conf is used to configure LDAP for the Name Service Switch and PAM support, whereas /etc/ldap/ldap.conf is used for all LDAP clients. Configuring the LDAP Server: /etc/ldap/slapd.conf You configure the LDAP server with the /etc/ldap/slapd.conf file, where you will find entries for loading schemas and for specifying access controls, the database directory, and passwords. The file is commented in detail, with default settings for most options, although you will have to enter settings for several. First you need to specify your domain suffix and root domain manager. The default settings are shown here: suffix "dc=my-domain,dc=com" rootdn "cn=Manager,dc=my-domain,dc=com" In the next example, the suffix is changed to mytrek, for mytrek.com. The rootdn remains the same. suffix "dc=mytrek,dc=com" rootdn "cn=Manager,dc=mytrek,dc=com" Next you will have to specify a password with rootpw. Entries are available for both plain text and encrypted versions, and both are commented. Remove the comment for one. In the following example, the plain text password option, secret, is used: rootpw secret # rootpw {crypt}ijFYNcSNctBYg For an encrypted password, you can first create the encrypted version with slappasswd, as shown next. This will generate a text encryption string for the password. Then copy the generated encrypted string to the rootpw entry. On GNOME, you can simply cut and paste from a terminal window to the /etc/ldap/slapd.conf file in Text Editor (Accessories). You can also redirect the encrypted string to a file and read it in later. SSHA encryption is used by default. # slappasswd New password: Re-enter new password: {SSHA}0a+szaAwElK57Y8AoD5uMULSvLfCUfg5 The rootpw root password entry should then look like this: rootpw {SSHA}0a+szaAwElK57Y8AoD5uMULSvLfCUfg5 PART IPART IPART IPART IPART VII Chapter 22: Managing Users 499 Use the password you entered at the slappasswd prompt to access your LDAP directory. The configuration file also lists the schemas to be used. Schemas are included with the include directive: include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/inetorgperson.schema include /etc/ldap/schema/nis.schema NOTE NOTE LDAP supports the Simple Authentication and Security Layer (SASL) for secure authentication with methods such as MD5 and Kerberos. LDAP Directory Database: ldif A record (also known as entry) in an LDAP database begins with a name, known as a distinguishing name, followed by a set of attributes and their values. The distinguishing name uniquely identifies the record. For example, a name could be a username and the attribute would be the user’s e-mail address, the address being the attribute’s value. Allowable attributes are determined by schemas defined in the /etc/ldap/schema directory. This directory will hold various schema definition files, each with a schema extension. Some will be dependent on others, enhancing their supported classes and attributes. The basic core set of attributes is defined in the core.schema file. Here you will find definitions for attributes such as country name and street address. Other schemas, such as inetorgperson.schema, specify core.schema as a dependent schema, making its attributes available to the classes. The inetOrgPerson schema will also define its own attributes such as jpegPhoto for a person’s photograph. Schema Attributes and Classes Attributes and classes are defined officially by RFC specifications that are listed with each attribute and class entry in the schema files. These are standardized definitions and should not be changed. Attributes are defined by an attributetype definition. Each is given a unique identifying number followed by a name by which it can be referenced. Fields include the attribute description (DESC), search features such as EQUALITY and SUBSTR, and the object identifier (SYNTAX). See the OpenLDAP administrative guide for a detailed description. attributetype ( 2.5.4.9 NAME ( 'street' 'streetAddress' ) DESC 'RFC2256: street address of this object' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{123} ) A class defines the kind of database (directory) you can create. This will specify the kinds of attributes you can include in your records. Classes can be dependent, where one class becomes and extension of another. The class most often used for LDAP databases is inetOrgPerson, defined in the inetOrgPerson.schema file, shown next. The term inetOrgPerson stands for Internet Organization Person, as many LDAP directories perform Internet tasks. The class is 500 Part VII: System Administration derived from the organizationalPerson class defined in core.schema, which includes the original attributes for commonly used fields such as street address and name. # inetOrgPerson # The inetOrgPerson represents people who are associated with an # organization in some way. It is a structural class and is derived # from the organizationalPerson which is defined in X.521 [X521]. objectclass ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' DESC 'RFC2798: Internet Organizational Person' SUP organizationalPerson STRUCTURAL MAY ( audio $ businessCategory $ carLicense $ departmentNumber $ displayName $ employeeNumber $ employeeType $ givenName $ homePhone $ homePostalAddress $ initials $ jpegPhoto $ labeledURI $ mail $ manager $ mobile $ o $ pager $ photo $ roomNumber $ secretary $ uid $ userCertificate $ x500uniqueIdentifier $ preferredLanguage $ userSMIMECertificate $ userPKCS12 ) ) You can create your own classes, building on the standard ones already defined. You can also create your own attributes, but each attribute will require a unique object identifier (OID). Distinguishing Names Data in an LDAP directory is organized hierarchically, from general categories to specific data. So, for example, an LDAP directory can be organized starting with countries, narrowing to states, then organizations and their subunits, and finally individuals. Commonly, LDAP directories are organized along the lines of Internet domains. In this format, the top category is the domain name extension, such as .com or .ca. The directory then breaks down to the network (organization), units, and finally users. This organization helps define distinguishing names that will identify the LDAP records. In a network-based organization, the top-level organization is defined by a domain component specified by the dcObject class, which includes the domainComponent (dc) attribute. Usually you define the network and extension as domain components to make up the top-level organization that becomes the distinguishing name for the database itself. Here’s an example: dc=mytrek, dc=com Under the organization name is an organizational unit, such as users. These are defined as an organizationalUnitName (ou), which is part of the organizationalUnit class. The distinguishing name for the user’s organizational unit would be ou=users, dc=mytrek, dc=com Under the organizational unit you can then have individual users. Here the username is defined with the commonName (cn) attribute, which is used in various classes, including Person, which is part of organizationalPerson, which in turn is part of inetOrgPerson. The distinguishing name for the user dylan is then cn=dylan,ou=users,dc=mytrek,dc=com PART IPART IPART IPART IPART VII Chapter 22: Managing Users 501 LDIF Entries Database entries are placed in an LDAP Interchange Format (LDIF) file. This format provides a global standard that allows a database to be accessed by any LDAP-compliant client. An LDIF file is a simple text file with an .ldif extension placed in the /etc/ldap directory. The entries for an LDIF record consist of a distinguishing name or attribute followed by a colon and its list of values. Each record begins with a distinguishing name to uniquely identify the record. Attributes then follow. You can think of the name as a record and the attributes as fields in that record. You end the record with an empty line. Adding the Records Once you have created your LDIF file, you can then use the ldapadd command to add the records to you LDAP directory. Use the -D option to specify the directory in which to add the records and the -f option to specify the LDIF file to read from. You could use ldapadd to enter fields directly. The -x option says to use simple password access, the -W will prompt for the password, and the -D option specifies the directory manager: ldapadd -x -D "cn=Manager,dc=mytrek,dc=com" -W -f mytrek.ldif Searching LDAP Once you have added your records, you can use the ldapsearch command to search your LDAP directory. The -x and -W options provide simple password access, and the -b option specifies the LDAP database to use. Following the options are the attributes to search for, in this case the street attribute: ldapsearch -x -W -D 'cn=Manager,dc=mytrek,dc=com' -b 'dc=mytrek,dc=com' street If you want to see all the records listed in the database, you can use the same search command without any attributes. LDAP Tools To make or change entries in the LDAP database, you use the ldapadd and ldapmodify utilities (ldap-utils package, Ubuntu main repository). With ldapdelete, you can remove entries. Once you have created an LDAP database, you can then query it, through the LDAP server, with ldapsearch. For the LDAP server, you can create a text file of LDAP entries using the LDAP Data Interchange Format (LDIF). Such text files can then be read in all at once to the LDAP database using the slapadd tool. The slapcat tool extracts entries from the LDAP database and saves them in an LDIF file. To reindex additions and changes, you use the slapindex utility. See the LDAP HOWTO at the Linux Documentation Project for details on using and setting up LDAP databases such as address books (http://tldp.org). Pluggable Authentication Modules Pluggable Authentication Modules (PAM) is an authentication service that lets a system determine the method of authentication to be performed for users. In a Linux system, authentication has traditionally been performed by looking up passwords. When a user logs in, the login process looks up the user’s password in the password file. With PAM, users’ 502 Part VII: System Administration requests for authentication are directed to PAM, which in turn uses a specified method to authenticate the user. This could be a simple password lookup or a request to an LDAP server, but it is PAM that provides authentication, not a direct password lookup by the user or application. In this respect, authentication becomes centralized and controlled by a specific service, PAM. The actual authentication procedures can be dynamically configured by the system administrator. Authentication is carried out by modules that can vary according to the kind of authentication needed. An administrator can add or replace modules by simply changing the PAM configuration files. See the PAM Web site at http://kernel.org/pub/linux/libs/pam for more information and a listing of PAM modules. PAM modules are located in the /lib/security directory. PAM modules will usually have their own man pages that list options that can be used for particular modules. Some of the more commonly used are pam_unix (password check), pam_deny (lock out), pam_env (PAM environment variables), and pam_group (check group membership). The following command in a terminal window will display the man page for pam_unix: man pam_unix PAM Configuration Files PAM uses different configuration files for different services that request authentication. Such configuration files are kept in the /etc/pam.d directory. For example, you have a configuration file for logging in to your system (/etc/pam.d/login), one for the graphical login (/etc/pam.d/gdm), and one for accessing your Samba server (/etc/pam.d/samba). A default PAM configuration file, called /etc/pam.d/other, is invoked if no services file is present. The system-auth file contains standard authentication modules for system services. PAM Modules A PAM configuration file contains a list of modules to be used for authentication. They have the following format: module-type control-flag module-path module-args The module-path is the module to be run, and module-args are the parameters you want passed to that module. Though a few generic arguments can be used, most modules have their own specific ones. The module-type refers to different groups of authentication management: account, authentication, session, and password. The account management performs account verification, checking such account aspects as whether the user has access or whether the password has expired. Authentication (auth) verifies who the user is, usually through a password confirmation. Password management performs authentication updates such as password changes. Session management refers to tasks performed before a service is accessed and before it is shut down. These include tasks such as initiating a log of a user’s activity or mounting and unmounting home directories. TIP TIP As an alternative to the /etc/pam.d directory, you can create one configuration file called the /etc/pam.conf file. Entries in this file have a service field, which refers to the application for which the module is used. If the /etc/pam.d directory exists, /etc/pam.conf is automatically ignored. PART IPART IPART IPART IPART VII Chapter 22: Managing Users 503 The control-flag field indicates how PAM is to respond if the module fails. The control can be a simple directive or a more complicated response that can specify return codes such as open_err with actions to take. The simple directives are requisite, required, sufficient, and optional. The requisite directive ends the authentication process immediately if the module fails to authenticate. The required directive ends the authentication only after the remaining modules are run. The sufficient directive indicates that success of this module is enough to provide authentication unless a previous required module has failed. The optional directive indicates the module’s success is not needed unless it is the only authentication module for its service. If you specify return codes, you can refine the conditions for authentication failure or success. Return codes can be given values such as die or ok. The open_err return code could be given the action die, which stops all authentication and returns failure. On Ubuntu, commonly used PAM module entries are placed in the PAM files prefixed with the common term. These include common-account, common-auth, common-password, and common-session. The common-account modules are used to verify that the user has a valid account on the system. The common-session modules provide support for login sessions. The common-auth modules provide system authentication. The common-password modules check passwords. The common-account modules include pam_unix.so (Unix password authentication), pam_ldap.so (LDAP server authentication), and pam_deny.so (deny access): account sufficient pam_unix.so account sufficient pam_ldap.so account required pam_deny.so The common-password modules will also include options for password length, retries, and shadow passwords. Check the man pages for each to see their options, including pam_cracklib: password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3 password sufficient pam_unix.so nullok md5 shadow use_authtok password sufficient pam_ldap.so use_first_pass password required pam_deny.so A common PAM file is included in a PAM configuration file with the @include command: @include common-account The /etc/pam.d/vsftpd configuration file for the FTP server is shown next. The pam_listfile module allows a particular file to be used for authentication, in this case, /etc/ftpusers. The deny setting for the sense option will set up /etc/ftpusers to deny access to any users listed there. The pam_shells module checks for a valid login shell. See the man pages for each for more details and options. auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed @include common-account @include common-session @include common-auth auth required pam_shells.so This page intentionally left blank 23 File Systems F iles reside on physical storage devices such as hard drives, CD-ROMs, or floppy disks. The files on each storage device are organized into a file system, and the storage devices on your Linux system are presented as a collection of file systems that you can manage. When you want to add a new storage device, you need to format it as a file system and then attach it to your Linux file structure. Hard drives can be divided into separate storage devices called partitions, each of which has its own file system. You can perform administrative tasks on your file systems, such as backing them up, attaching or detaching them from your file structure, formatting new devices or erasing old ones, and checking a file system for problems. To access files on a device, you attach its file system to a specified directory. This is called mounting the file system. For example, to access files on a floppy disk, you first mount its file system to a particular directory. With Linux, you can mount a number of different types of file systems. You can even access a Windows hard drive partition or tape drive, as well as file systems on a remote server. Recently developed file systems for Linux now support journaling, which allows your system to recover from a crash or interruption easily. The ext3, ReiserFS, XFS, and Journaled File System (JFS) from IBM maintain a record of file and directory changes, called a journal, which can be used to recover files and directories in use when a system suddenly crashes due to unforeseen events such as power interruptions. Most distributions currently use the ext3 file system as their default, though you also have the option of using ReiserFS or JFS, an independently developed journaling system. Your Linux system is capable of handling any number of storage devices that are connected to it. You can configure your system to access multiple hard drives, partitions on a hard drive, CD-ROM discs, DVDs, floppy disks, and even tapes. You can elect to attach these storage components manually or have them automatically mount when you boot. Automatic mounts are handled by configuring the /etc/fstab file. For example, the main partitions holding your Linux system programs are automatically mounted whenever you boot, whereas a floppy disk can be manually mounted when you put one in your floppy drive, though even these can also be automatically mounted. Removable storage devices such as CD-ROMs, as well as removable devices such as USB cameras and printers, are now handled by udev and the Hardware Abstraction Layer (HAL), as described in Chapter 25 and partially discussed here. 505 CHAPTER Copyright © 2009 by The McGraw-Hill Companies. Click here for terms of use. [...]... hard drives use the prefix hd, whereas SATA and SCSI hard drives use the prefix sd RAID devices, on the other hand, use the prefix md The prefix for a hard disk is followed by a letter that labels the hard drive and a number for the partition For example, hda2 references the second partition on the first IDE hard drive, where the first hard drive is referenced with the letter a, as in hda The device sdb3... entry in the /etc/fstab file, you can mount the partition using only the mount directory specified in its fstab entry; you needn’t enter the device filename The mount command looks up the entry for the partition in the fstab file, using the directory to identify the entry and, in that way, finding the device name For example, to mount the /dev/hda1 Windows partition in the preceding example, the mount... when you start up At the same time, the HAL entries for both the CD-ROM and the floppy drives can specify where they are to be mounted when you decide to mount them The user option allows any user to mount the system, useful for removable devices The group option allows only users belonging to the device’s group to mount it The fscontext option is used by SELinux Table 23 -8 lists the options for mounting... check a file system, be sure that the file system is unmounted e2fsck should not be used on a mounted file system To use e2fsck, enter e2fsck and the device name that references the file system The -p option automatically repairs a file system without first requesting approval from the user for each repair task The following examples check the disk in the floppy drive and the primary hard drive: # e2fsck... /dev/hda3 for the third hard disk partition A label is specified by assigning the label name to the tag LABEL, as in LABEL=/ for an ext2 root partition The next field is the mountpoint directory in your file structure where you want the file system on this device to be attached The third field is the type of file system being mounted Table 23-7 provides a list of all the different types you can mount The type... Subdirectories and Files usually have abbreviated names ending with the number of the device For example, fd0 may reference the first floppy drive attached to your system The prefix sd references both Serial ATA (SATA) and SCSI hard drives, so sda2 would reference the second partition on the first SATA or SCSI hard drive In most cases, you can use the man command with a prefix to obtain more detailed information... be mounted on hard disk partitions only by the root user, whereas CD-ROMs and floppy disks can be mounted by any user Table 23-9 lists the different options for the mount command The mount Command The mount command takes two arguments: the storage device through which Linux accesses the file system, and the mountpoint directory in the file structure to which the new Option Description -a Mounts all file... located in the /dev directories and usually have abbreviated names ending with the number of the device For example, fd0 may refer to the first floppy drive attached to your system The following example mounts a hard disk in the first (hdc2) to the /mymedia directory The mountpoint directory needs to be empty If you already have a file system mounted there, you will receive a message that another file... up part of the space, while the remainder is available for new files and directories To find out how much space you have free on a file system, you can use the df command or, on the desktop, either the GNOME System Monitor, the Disk Usage Analyzer, or the KDE KDiskFree utility KDiskFree displays a list of devices, showing how much space is free on each partition and the percentage used For the GNOME... insert and mount the new one You unmount a file system with the umount command, which can take as its argument either a device name or the directory where it was mounted Here is the syntax: umount device-or-mountpoint The following example unmounts the floppy disk wherever it is mounted: umount /dev/fd0 Chapter 23: File Systems 527 Using the example in which the device is mounted on the /mydir directory, . file, you can then use the ldapadd command to add the records to you LDAP directory. Use the -D option to specify the directory in which to add the records and the -f option to specify the LDIF. a number for the partition. For example, hda2 references the second partition on the first IDE hard drive, where the first hard drive is referenced with the letter a, as in hda. The device sdb3. LDAP database requires a login. Then specify the LDAP account for the root and the LDAP root account password. For documentation of the LDAP server on Ubuntu, check the OpenLDAP Server entry for