The RHCSA is a lot of fun: I am learning lots of very useful stuff I did not know before, and that's fantastic. However, I am not just learning the OS; I am also picking up study skills, and that is what this post is about.
When I build a new server, I install git as early as possible in the process and put /etc under version control. This is useful because:
a) I can revert a config change quickly and easily
b) I can remind myself of changes I have made
c) I quickly discover new configuration files when I install a package
d) most importantly: I have visibility on what the server is doing when I make a change.
As an example, install authconfig-tui. This is software that helps you hook your server up to OpenLDAP or FreeIPA, and it's deceptively simple: a couple of button presses and you can connect to either type of server. However, the changes going on behind the scenes are enormous, and without visibility on them you'll miss them. Enter git versioning of /etc. Even the simple act of using authconfig-tui leads to changes in at least six different files, only now you can see them with ease, without really knowing very much - a very useful trick!
[root@server01 cacerts]# git diff --ignore-all-space diff --git a/nslcd.conf b/nslcd.conf index a8fd2ad..8604c34 100644 --- a/nslcd.conf +++ b/nslcd.conf @@ -15,14 +15,14 @@ gid ldap #uri ldaps://127.0.0.1/ #uri ldapi://%2fvar%2frun%2fldapi_sock/ # Note: %2f encodes the '/' used as directory separator -uri ldap://127.0.0.1/ +uri ldap://ldap01.labs.io # The LDAP version to use (defaults to 3 # if supported by client library) #ldap_version 3 # The distinguished name of the search base. -base dc=example,dc=com +base dc=labs,dc=io # The distinguished name to bind to the server with. # Optional: default is to bind anonymously. @@ -141,3 +141,5 @@ base dc=example,dc=com #map group cn groupName #map group gidNumber gid # This comment prevents repeated auto-migration of settings. +ssl start_tls +tls_cacertdir /etc/openldap/cacerts diff --git a/openldap/ldap.conf b/openldap/ldap.conf index aa6f8fd..b391cab 100644 --- a/openldap/ldap.conf +++ b/openldap/ldap.conf @@ -12,7 +12,9 @@ #TIMELIMIT 15 #DEREF never -TLS_CACERTDIR /etc/openldap/certs +TLS_CACERTDIR /etc/openldap/cacerts # Turning this off breaks GSSAPI used with krb5 when rdns = false SASL_NOCANON on +URI ldap://ldap01.labs.io +BASE dc=labs,dc=io diff --git a/pam.d/fingerprint-auth-ac b/pam.d/fingerprint-auth-ac index 162f0bb..0fb4706 100644 --- a/pam.d/fingerprint-auth-ac +++ b/pam.d/fingerprint-auth-ac @@ -5,9 +5,10 @@ auth required pam_env.so auth sufficient pam_fprintd.so auth required pam_deny.so -account required pam_unix.so +account required pam_unix.so broken_shadow account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 1000 quiet +account [default=bad success=ok user_unknown=ignore] pam_ldap.so account required pam_permit.so password required pam_deny.so @@ -17,3 +18,4 @@ session required pam_limits.so -session optional pam_systemd.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so +session optional pam_ldap.so 
diff --git a/pam.d/password-auth-ac b/pam.d/password-auth-ac index 4b80407..4d51faf 100644 --- a/pam.d/password-auth-ac +++ b/pam.d/password-auth-ac @@ -5,15 +5,18 @@ auth required pam_env.so auth required pam_faildelay.so delay=2000000 auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success +auth sufficient pam_ldap.so use_first_pass auth required pam_deny.so -account required pam_unix.so +account required pam_unix.so broken_shadow account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 1000 quiet +account [default=bad success=ok user_unknown=ignore] pam_ldap.so account required pam_permit.so password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok +password sufficient pam_ldap.so use_authtok password required pam_deny.so @@ -23,3 +26,4 @@ session required pam_limits.so -session optional pam_systemd.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so +session optional pam_ldap.so diff --git a/pam.d/smartcard-auth-ac b/pam.d/smartcard-auth-ac index 83b3c90..1c4b1ce 100644 --- a/pam.d/smartcard-auth-ac +++ b/pam.d/smartcard-auth-ac @@ -5,9 +5,10 @@ auth required pam_env.so auth [success=done ignore=ignore default=die] pam_pkcs11.so nodebug wait_for_card auth required pam_deny.so -account required pam_unix.so +account required pam_unix.so broken_shadow account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 1000 quiet +account [default=bad success=ok user_unknown=ignore] pam_ldap.so account required pam_permit.so password required pam_pkcs11.so @@ -17,3 +18,4 @@ session required pam_limits.so -session optional pam_systemd.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so +session optional pam_ldap.so 
diff --git a/pam.d/system-auth-ac b/pam.d/system-auth-ac index 78a1684..eefa0be 100644 --- a/pam.d/system-auth-ac +++ b/pam.d/system-auth-ac @@ -6,15 +6,18 @@ auth required pam_faildelay.so delay=2000000 auth sufficient pam_fprintd.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success +auth sufficient pam_ldap.so use_first_pass auth required pam_deny.so -account required pam_unix.so +account required pam_unix.so broken_shadow account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 1000 quiet +account [default=bad success=ok user_unknown=ignore] pam_ldap.so account required pam_permit.so password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok +password sufficient pam_ldap.so use_authtok password required pam_deny.so session optional pam_keyinit.so revoke @@ -22,3 +25,4 @@ session required pam_limits.so -session optional pam_systemd.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so +session optional pam_ldap.so diff --git a/selinux/targeted/active/commit_num b/selinux/targeted/active/commit_num index 406d5d6..abffc04 100644 Binary files a/selinux/targeted/active/commit_num and b/selinux/targeted/active/commit_num differ diff --git a/selinux/targeted/active/policy.kern b/selinux/targeted/active/policy.kern index 397fdbe..5558f07 100644 Binary files a/selinux/targeted/active/policy.kern and b/selinux/targeted/active/policy.kern differ diff --git a/selinux/targeted/policy/policy.31 b/selinux/targeted/policy/policy.31 index 397fdbe..5558f07 100644 Binary files a/selinux/targeted/policy/policy.31 and b/selinux/targeted/policy/policy.31 differ diff --git a/sysconfig/authconfig b/sysconfig/authconfig index ef286a7..c03231c 100644 --- a/sysconfig/authconfig +++ b/sysconfig/authconfig 
@@ -12,8 +12,8 @@ USEFPRINTD=yes USEHESIOD=no USEIPAV2=no USEKERBEROS=no -USELDAP=no -USELDAPAUTH=no +USELDAP=yes +USELDAPAUTH=yes USELOCAUTHORIZE=yes USEMKHOMEDIR=no USENIS=no
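Review bot: the nslcd.conf and openldap/ldap.conf hunks switch on STARTTLS (`ssl start_tls`) and point both clients at `/etc/openldap/cacerts`, but neither sets a certificate-checking directive (`tls_reqcert` in nslcd.conf, `TLS_REQCERT` in ldap.conf), so whether the server certificate of ldap01.labs.io is actually verified depends on whatever default the installed libraries apply; set it explicitly and confirm the CA certificate is present in that directory (the prompt shows the author is already sitting in it), otherwise the TLS session is either unverified or fails to come up. The two files do at least agree with each other: the base moves from `dc=example,dc=com` to `dc=labs,dc=io` in nslcd.conf and ldap.conf gains matching `URI`/`BASE` lines.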
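Review bot: every pam.d/*-auth-ac hunk removes `session optional pam_systemd.so` while adding `session optional pam_ldap.so`; dropping pam_systemd.so means logins through these stacks are no longer registered with systemd-logind (no per-user session scope, no XDG_RUNTIME_DIR), which has nothing to do with LDAP and looks like collateral from the tool regenerating the files, so re-add the line or confirm it is intended. The `account required pam_unix.so broken_shadow` change is worth understanding as well: it tells pam_unix to ignore errors reading a user's shadow entry, which is what lets users who exist only in LDAP pass the account phase, while `[default=bad success=ok user_unknown=ignore] pam_ldap.so` keeps purely local users, unknown to the directory, from being rejected.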
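Review bot: in the sysconfig/authconfig hunk USELDAP and USELDAPAUTH flip to yes while USEMKHOMEDIR stays no, and none of the pam.d hunks add a mkhomedir module, so an LDAP-only user who authenticates successfully lands in a missing home directory unless homes are provisioned some other way; enabling the mkhomedir option in authconfig (or pre-creating the directories) closes that gap.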
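Review bot: the three selinux/targeted hunks are binary (`Binary files ... differ` for policy.kern, policy.31 and commit_num), so the diff can only say that the compiled policy changed, not how; these files are regenerated by the policy tooling and bloat the repository without being reviewable, so a .gitignore covering `selinux/targeted/active` and the compiled `policy.*` keeps `git diff` focused on the text configs this post is about, and the SELinux management tools remain the place to see which booleans or modules actually changed.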
Permissions change, lines are added and removed. This way, one can see what one's server is doing.
My "/etc git" life cycle is as follows:
- Make a new VM, patch it
- Install vim, tmux and git
- Turn /etc into a version controlled folder
- Use the server, and use git in the normal way:
  - e.g. install a new software package
  - commit the configs
  - change the configs
  - commit the changes
  - change the configs and commit
  - ...usual git stuff
- Git becomes useful when one wants to refer back to old changes...
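The life cycle above as a small set of shell helpers, added here as an example and not the author's own tooling. It assumes a GNU/Linux host with git, GNU find and GNU stat on PATH (run as root when the directory is /etc), and it keeps a mode/owner manifest next to the repository because git records only the executable bit and no ownership, so a chmod or chown on something like shadow would otherwise never show up in `git diff`; it also makes the .git directory root-only, since a copy of /etc contains secrets.

```shell
#!/bin/sh
# etc-git helpers (added example, not from the original post).
# Assumes GNU find/stat and git; run as root when DIR is /etc.
MANIFEST=.etc-perms
export GIT_AUTHOR_NAME=etc-git GIT_AUTHOR_EMAIL=etc-git@localhost
export GIT_COMMITTER_NAME=etc-git GIT_COMMITTER_EMAIL=etc-git@localhost

# Write "mode owner group relative-path" for everything under DIR,
# skipping the repository itself. Git only stores the executable bit,
# so this manifest is what makes a chmod/chown visible in git diff.
snapshot_perms() {
    dir=$1
    find "$dir" -mindepth 1 \
        -path "$dir/.git" -prune -o -path "$dir/$MANIFEST" -prune -o \
        -printf '%m %u %g %P\n' | sort > "$dir/$MANIFEST"
}

# Turn DIR into a repository and commit the baseline. The .git directory
# gets mode 0700: a versioned /etc holds shadow, host keys and the like.
etc_git_init() {
    dir=$1
    git -C "$dir" init -q
    chmod 0700 "$dir/.git"
    snapshot_perms "$dir"
    git -C "$dir" add -A
    git -C "$dir" commit -q -m "baseline"
}

# List paths whose content, mode or owner changed since the last commit,
# e.g. right after installing a package or running authconfig-tui.
etc_git_changed() {
    dir=$1
    snapshot_perms "$dir"
    git -C "$dir" status --porcelain | cut -c4-
}

# Commit the current state of DIR under MSG (no-op when nothing changed).
etc_git_commit() {
    dir=$1; msg=$2
    snapshot_perms "$dir"
    git -C "$dir" add -A
    git -C "$dir" diff --cached --quiet || git -C "$dir" commit -q -m "$msg"
}
```

Source the file, run `etc_git_init /etc` once, then `etc_git_changed /etc` after each package install and `etc_git_commit /etc "message"` when you are happy with the result.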
Best of luck