http://www.oracle.com/technetwork/java/javase/downloads/jre-7u4-download-1591157.html

Install JRE using the following command:

yum install jre-7u4-linux-x64.rpm

Next, download OpenKM using the following command:

wget http://downloads.sourceforge.net/project/openkm/5.1/OpenKM-5.1.9_JBoss-4.2.3.GA.zip?r=http%3A%2F%2Fwww.openkm.com%2Fformulario%2Fdownload.php%3Faction%3DOnly%2520download&ts=1336620287&use_mirror=internode

Extract the application to “/var/www/html/OpenKM” as follows:

unzip ./OpenKM-5.1.9_JBoss-4.2.3.GA.zip
mv jboss-4.2.3.GA /var/www/html/OpenKM

Now you need to start OpenKM (manually):

nohup /var/www/html/OpenKM/bin/run.sh -b 0.0.0.0 &

Or on system boot, add this to the file “/etc/rc.local”:

nohup /var/www/html/OpenKM/bin/run.sh -b 0.0.0.0 &

Visit the website as using the following URL where the web servers IP address is “192.168.1.2″:

http://192.168.1.2:8080/OpenKM

TIP: the username is “okmAdmin” and password “admin”.

At this point you will have a working OpenKM system.

Use the following command to shutdown the OpenKM system:

/var/www/html/OpenKM/bin/shutdown.sh -S

The following steps will help for document previews within OpenKM:

yum install ImageMagic*
yum install gcc* automake zlib-devel libjpeg-devel giflib-devel freetype-devel

Install SWFtools:

wget http://www.swftools.org/swftools-0.9.1.tar.gz
cd swftools-0.9.1
./configure
make
make install

Remove all cache files (may be needed if things don’t work as expected):

rm -rf /var/www/html/OpemKM/cache/*

In the admin section of OpenKM (Administration – Configuration), set the following:

system.ghostscript.ps2pdf	String	 /usr/bin/ps2pdf
system.imagemagick.convert	String	 /usr/bin/convert
system.openoffice.path	String	 /usr/lib64/openoffice.org3
system.openoffice.port	Integer	 2002
system.openoffice.tasks	Integer	 5
system.swftools.pdf2swf	String	 /usr/local/bin/pdf2swf ${fileIn} ${fileOut}

Having installed the extras, you should restart OpenKM.

yum clean all

The “yum clean” command has other options but the “all” option will be most liberal.

You should first install Squid to suite your needs. Read this HowTo for help with Squid configuration and installation.

Squid Version 3.1.10 and CentOS 6.2 were used for this HowTo.

First add the following to the file “/etc/squid/squid.conf”:

icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Authenticated-User
icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_req allow all
icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_resp allow all

Install ClamAV using this article.

Install ICAP. Download it from here. Follow these instructions (we used version 0.1.7):

tar zxvf c_icap-0.1.7.tar.gz
cd c_icap-0.1.7
./configure
make
make install

Edit the file “/usr/local/etc/c-icap.conf” to look like the following. Make sure to customise it to your situation:

ServerAdmin support@agix.in
ServerName agix-icap

PidFile /var/run/c-icap/c-icap.pid
CommandsSocket /var/run/c-icap/c-icap.ctl
Timeout 300
MaxKeepAliveRequests 100
KeepAliveTimeout 600
StartServers 3
MaxServers 10
MinSpareThreads     10
MaxSpareThreads     20
ThreadsPerChild     10
MaxRequestsPerChild  0
Port 1344
TmpDir /var/tmp
MaxMemObject 131072
DebugLevel 1
ModulesDir /usr/local/lib/c_icap
ServicesDir /usr/local/lib/c_icap
TemplateDir /usr/local/share/c_icap/templates/
TemplateDefaultLanguage en
LoadMagicFile /usr/local/etc/c-icap.magic
RemoteProxyUsers off
RemoteProxyUserHeader X-Authenticated-User
RemoteProxyUserHeaderEncoded on
ServerLog /usr/local/var/log/server.log
AccessLog /usr/local/var/log/access.log
Service echo srv_echo.so
Service squidclamav squidclamav.so

Edit the file “/etc/rc.local” and add this above any “exit” statement you see there:

# Start C-ICAP
nohup /usr/local/bin/c-icap &

Install SquidClamAV. Download it from here. Install SquidClamAV as follows:

tar -xzf squidclamav-6.5.tar.gz
cd squidclamav-6.5
./configure
make
make install

Edit the file ” /etc/squidclamav.conf” to look like the following. Customise it to suite your situation:

maxsize 5000000
redirect http://www.agix.in/virus.php
clamd_local /tmp/clamd.socket
timeout 1
logredir 0
dnslookup 1

Consider a system reboot at this point. Of you can restart squid and execute “/etc/rc.local” manually.

At this point you should have a working Squid with antivirus. For troubleshooting, consider the following:

Monitor related packets:

tcpdump port 1344

Monitor related logs:

tail -f /usr/local/var/log/*

For some background information, here is an extract of the /etc/nsswitch.conf file that doesn’t use Winbind:

passwd:     files
shadow:     files
group:      files

And here is one configured to use Winbind:

passwd:     files winbind
shadow:     files
group:      files win bind

The above means “for users and groups, check both the /etc/passwd file and the windows domain controller”.

The problem is (as this article is titled) it can take a long time (a few minutes) for Active Directory changed to get through to Winbind and for you to see them take effect in your scripts and user logins. By adding the following lines to the “[general]” section of your “/etc/samba/smb.conf” file, you can lower the delay between AD changes and getent and winbind:

        idmap cache time = 1
        idmap negative cache time = 1
        winbind cache time = 1

For example:

[global]
        realm = AGIX.LOCAL
        workgroup = AGIX
        netbios name = flow
        password server = 192.168.0.199
        log level = 2
        security = domain
        preferred master = no
        winbind separator = +
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind use default domain = yes
        winbind enum users = yes
        winbind enum groups = yes
        winbind uid = 10000-20000
        winbind gid = 10000-20000
        os level = 10
        idmap cache time = 1
        idmap negative cache time = 1
        winbind cache time = 1

For more information about Samba and Winbind, click here.

postsuper -d ALL

You’ll see something like the following:

postsuper: Deleted: 613 messages

Where i’ve just removed 613 emails from the Postfix queue.

Install the LDAP server:

yum install -y openldap openldap-clients openldap-servers

Start the LDAP server and have it start on system boot:

service slapd restart
chkconfig slapd on

Next install the schemas:

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif

Add the following to a new file called “/tmp/back.ldif”:

dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: back_hdb

dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=agix,dc=in
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=agix,dc=in
olcRootPW: secret
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcAccess: to attrs=userPassword by dn="cn=admin,dc=agix,dc=in" write by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=agix,dc=in" write by * read

And run the command:

ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/back.ldif

Add the following to a file called “/tmp/front.ldif”:

# Create top-level object in domain
dn: dc=agix,dc=in
objectClass: top
objectClass: dcObject
objectclass: organization
o: AGIX Organization
dc: agix
description: AGIX LDAP

# Admin user.
dn: cn=admin,dc=agix,dc=in
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword: secret

dn: ou=people,dc=agix,dc=in
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=agix,dc=in
objectClass: organizationalUnit
ou: groups

dn: uid=john,ou=people,dc=agix,dc=in
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: john
sn: Doe
givenName: John
cn: John Doe
displayName: John Doe
uidNumber: 1000
gidNumber: 10000
userPassword: password
gecos: John Doe
loginShell: /bin/bash
homeDirectory: /home/john
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
mail: john.doe@agix.in
postalCode: 31000
l: Toulouse
o: agix
mobile: +33 (0)6 xx xx xx xx
homePhone: +33 (0)5 xx xx xx xx
title: System Administrator
postalAddress:
initials: JD

dn: cn=MyGroup,ou=groups,dc=agix,dc=in
objectClass: posixGroup
cn: mygroup
gidNumber: 10000

And run the command:

ldapadd -x -D cn=admin,dc=agix,dc=in -W -f /tmp/front.ldif

Confirm your configuration by running the command. Tip, your password is “secret”:

ldapsearch -xLLL -b "dc=agix,dc=in" uid=john sn givenName cn

Now you should have a confirmed working LDAP. Consider installing Webmin and the LDAP modules to allow you to easily interface with your new LDAP. The two modules to install are “LDAP Server” and “LDAP Users and Groups”. The LDAP Server tool allows you to browse and modify your LDAP database. The LDAP Users and Groups module allows you to administer user accounts stored in LDAP.

Install Webmin (not documented here) Once you can log into Webmin:

1. go to Webmiun
2. Webmin Configuration
3. Webmin modules
4. Tick “Standard module from www.webmin.com” and click the browse button
5. Select “LDAP Server” and then click Install Module.

Do the same for LDAP Users and Groups.

Now you need to configure the modules.

1. In Webmin, click on Servers
2. Click on LDAP Users and Groups
3. Click on Module Config
4. LDAP Server host = localhost
5. Bind to LDAP server as = cn=admin,dc=agix,dc=in
6. Base for users = ou=people,dc=agix,dc=in
7. Base for groups = ou=groups,dc=agix,dc=in
8. Other objectClasses to add to new users = inetOrgPerson
9. Click Save

Now locate LDAP Server and go through the following:

1. LDAP server hostname = localhost
2. Login for LDAP server = cn=admin,dc=agix,dc=in
3. Password for LDAP server = secret
4. Click Save

You should now be able to create user accounts using the “LDAP Users and Groups” module and create contacts (like a phone directory) using “LDAP Server”. However, until you configure PAM and NSS, you wont be able to log into the local system using your LDAP users. Although you can authenticate against your LDAP for other systems. For example, you can point your FTP server to your LDAP server for authenticating FTP users.

In this example, the “workstation” is the computer that you’re sitting in front of. The “server” is the computer running the VNC server who’s desktop you are trying to see and control.

On the workstation, run the following:

ssh -C -f root@vnc-server.agix.in -L 5901:vnc-server.agix.in:5901 sleep 20

In the above we can see we’re connecting to the server as the root user. The remote server’s name is “vnc-server.agix.in”. We’re connecting to port 5901 (first VNC session) on the server. And we have 20 seconds to start the session starting from when we enter the root users password having run the above command.

When the session is started, on the workstation run the VNCviewer program and connect to the address “localhost:5901″. You should then be connected to the servers VNC service.

Installation of the PMS software is well documented at the link below:

http://www.ps3mediaserver.org/forum/viewtopic.php?f=3&t=9608

The configuration file below is modified as you made selection changes to via the PMS interface. However, we found it a little overwhelming – hence the need for the sample configuration below. As the root user, the configuration file is as follows:

/root/.config/PMS/PMS.conf

Below is a sample output of our test configuration file. Some defaults are left out by the PMS software.

audiobitrate = 384
TranscodeExtensions=mp4,m4v
thumbnails = true
image_thumbnails = true
minimized = false
prevents_sleep_mode = true
maximumbitrate = 0
folders = /home/movies,/home/music
usecache = true
hidevideosettings = true
hide_media_library_folder = true
hide_transcode_folder = true
hide_extensions = true
hide_empty_folders = true
use_mplayer_for_video_thumbs = true
hostname = 192.168.0.199
uuid = dc93f855-d15b-4d25-94bb-74d8e10ef8dd

The PMS software can be started from the “/etc/rc.local” file for an automatic start. Of you can start it manually as needed.

Internode: http://www.internode.on.net/residential/fibre_to_the_home/nbn_plans/

Telstra/Bigpond: http://www.telstra.com.au/bigpond-internet/national-broadband-network/our-plans/#tab-bigpond-velocity

iinet: http://www.iinet.net.au/nbn/nbn-plan-residential.html

What are Selinux security context types?

Selinux adds security contexts to files to prevent them from being used in unintended ways. For example, the file “/etc/ssh/sshd_config” has a security context type of “etc_t”. If we changed that context to be something else, Selinux wouldn’t permit the SSH daemon from starting. Another example is that the “/var/www/html/” directory has “httpd_sys_content_t”. If it were anything but that, the HTTPD daemon would not have access to it and fail to serve websites. Consider that because the security type is “httpd_sys_content_t”, the FTP server (for example) could not serve that directory. For the FTP server to serve data from the “/var/www/html/” directory, the directory would have to have a security context type of “public_content_t”. You can see now that security context types prevent compromised systems from using data in unintended ways.

To see the current Selinux security context type of a directory:

ls -dZ /var/www/html

To copy security context type from “/var/www/html/” to “/home/var/www/html/” you would do this:

chcon -R --reference /var/www/html /home/var/www/html

The above would “relabel” the directory “/home/var/www/html/” with the same Selinux security context type as the directory “/var/www/html/”. Whilst that would survive a reboot, it would not survive a “relabel”. A relabel is a process were Selinux goes through files (either all files or specified files) and sets their security types to what it reads from the file “/etc/selinux/targeted/contexts/files/file_contexts”. We can save the changes we made in the example above by issuing the following command. Note that for custom security types (as we are doing right now) another file is used to store our changes, “/etc/selinux/targeted/contexts/files/file_contexts.local”. This is to keep the systems context types separate from our custom types.

semanage fcontext -a -t httpd_sys_content_t /home/var/www/html

The above command states that “-a” is to add a new directory to the “/etc/selinux/targeted/contexts/files/file_contexts.local” file. And the security context type “-t” is “httpd_sys_content_t”.

To reinstate default security context types to the “/etc” directory:

restorecon -rv /etc

In the above example, the “-r” means to recursively relabel files and directories. The “-v” means to be verbose about changes and print them to the screen as changes are made. Note that the above example checks both the “/etc/selinux/targeted/contexts/files/file_contexts” and “/etc/selinux/targeted/contexts/files/file_contexts.local” files for changes to make.