Thursday, May 26, 2011

Setting Time on Cisco & HP switches

Setting the correct time on network devices is an important step when you configure new equipment, but most people don't bother with it on switches and other devices.

Be aware that correct time on the devices helps a lot when you go through the logs to find out the details of an issue, an access-related event and so on, because entries from different devices can only be correlated if their clocks agree.

Here are some simple commands to configure time on Cisco and HP ProCurve switches.

Pointing these devices at an NTP server is the easier and safer way, but if you don't have an NTP server in house and have no interest in using public NTP servers, you may need to set the time locally.

Cisco

On a Cisco device (switch or router), use the following commands to add an NTP server.

switch01(config)# ntp server 131.107.1.10
switch01(config)# ntp server 202.152.74.200 prefer

The prefer keyword marks that server as the preferred one.

If you want to set the time manually on the device, use the following commands.

switch01(config)#clock timezone IST +5

The above command sets the time zone; my time zone is IST and the +5 denotes that it is 5 hours ahead of GMT.

The date and time are set from privileged EXEC mode (the enable# prompt). The syntax is as follows.

clock set hh:mm:ss <1-31> MONTH <1993-2035>

So we can run the command as follows:

switch01#clock set 18:30:01 26 May 2011

We can check the current time on the switch with the show clock command; the output will be similar to the following:

switch01#show clock
18:31:19.738 IST Thu May 26 2011

HP Procurve

To set up a ProCurve switch to use external NTP servers for time synchronization, use the following commands.

switch02(config)#sntp server 192.43.244.18
switch02(config)#sntp unicast
switch02(config)#timesync sntp

If you prefer to set the time manually, you can use either of the following pairs of commands.

time MM/DD[/[YY]YY]
time HH:MM[:SS]
(OR)
clock set MM/DD[/[YY]YY]
clock set HH:MM[:SS]

switch02(config)# clock set 05/26/2011
switch02(config)# clock set 18:35:01

We can use the show time command to display the current system time; the output will be similar to the following:

switch02(config)#show time
Thu May 26 18:58:12 2011
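Correct time only pays off if it is checked. The following Python script is an added example and is not part of the original post: it parses the "show clock" output of a Cisco device and the "show time" output of an HP ProCurve switch in the formats shown above, converts each to UTC and reports how far each clock is from a reference time, flagging devices whose drift would break log correlation. The zone-offset table, the 5-minute tolerance and the reference time are assumptions constructed for the example; zone abbreviations are ambiguous (IST is used for India, Israel and Ireland), so the offsets are supplied explicitly, and a device whose configured offset differs from the table shows up as drift, which is exactly the kind of misconfiguration the check is meant to catch. Because "show time" prints no zone, the ProCurve's configured offset has to be passed in by the caller.

```python
"""Compare switch clocks against a reference time (added example, not from the post)."""
import re
from datetime import datetime, timedelta, timezone

# Assumption: UTC offsets for the zone abbreviations our devices print.
# +5:30 is Indian Standard Time; extend or change the table for your estate.
ZONE_OFFSETS = {
    "UTC": timedelta(0),
    "GMT": timedelta(0),
    "IST": timedelta(hours=5, minutes=30),
}

# Cisco `show clock`: "18:31:19.738 IST Thu May 26 2011", optionally prefixed
# with "*" (clock not authoritative) or "." (authoritative, NTP not synchronised).
CISCO_RE = re.compile(
    r"^(?P<flag>[*.])?(?P<hms>\d{1,2}:\d{2}:\d{2})(?:\.\d+)?\s+(?P<zone>[A-Za-z]+)\s+"
    r"[A-Za-z]{3}\s+(?P<mon>[A-Za-z]{3})\s+(?P<day>\d{1,2})\s+(?P<year>\d{4})\s*$"
)
# HP ProCurve `show time`: "Thu May 26 18:58:12 2011" (no zone is printed).
HP_RE = re.compile(
    r"^[A-Za-z]{3}\s+(?P<mon>[A-Za-z]{3})\s+(?P<day>\d{1,2})\s+"
    r"(?P<hms>\d{1,2}:\d{2}:\d{2})\s+(?P<year>\d{4})\s*$"
)


def _to_datetime(m, utc_offset):
    """Build an aware datetime from the regex groups and a fixed UTC offset."""
    naive = datetime.strptime(
        f"{m['mon']} {m['day']} {m['year']} {m['hms']}", "%b %d %Y %H:%M:%S"
    )
    return naive.replace(tzinfo=timezone(utc_offset))


def parse_cisco_clock(line, zone_offsets=ZONE_OFFSETS):
    """Parse Cisco `show clock` output; returns (aware datetime, authoritative)."""
    m = CISCO_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised Cisco show clock output: {line!r}")
    zone = m["zone"].upper()
    if zone not in zone_offsets:
        raise ValueError(f"unknown time zone abbreviation: {zone}")
    # A leading "*" means the device itself does not trust its clock.
    return _to_datetime(m, zone_offsets[zone]), m["flag"] != "*"


def parse_hp_time(line, utc_offset):
    """Parse HP ProCurve `show time` output; the switch's configured UTC
    offset must be supplied because the output carries no zone."""
    m = HP_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised HP show time output: {line!r}")
    return _to_datetime(m, utc_offset)


def drift_seconds(device_time, reference):
    """Signed offset of the device clock from the reference, in seconds."""
    return round((device_time - reference).total_seconds())


def check_clocks(samples, reference, tolerance=timedelta(minutes=5)):
    """samples: list of (name, device_time, authoritative). Returns a list of
    (name, drift_seconds, ok); ok is False when the drift exceeds the
    tolerance or the device reports its clock as not authoritative."""
    report = []
    for name, device_time, authoritative in samples:
        drift = drift_seconds(device_time, reference)
        ok = authoritative and abs(drift) <= tolerance.total_seconds()
        report.append((name, drift, ok))
    return report


# Constructed sample: the two outputs quoted in the post, checked against a
# constructed reference time of 13:01:19 UTC (18:31:19 at +5:30).
REFERENCE = datetime(2011, 5, 26, 13, 1, 19, tzinfo=timezone.utc)
SAMPLES = {
    "switch01": "18:31:19.738 IST Thu May 26 2011",   # Cisco show clock
    "switch02": "Thu May 26 18:58:12 2011",           # HP ProCurve show time
}


def audit_sample():
    """Run the check over the constructed sample; switch02 is ~27 minutes off."""
    cisco_time, authoritative = parse_cisco_clock(SAMPLES["switch01"])
    hp_time = parse_hp_time(SAMPLES["switch02"], ZONE_OFFSETS["IST"])
    return check_clocks(
        [("switch01", cisco_time, authoritative), ("switch02", hp_time, True)],
        REFERENCE,
    )


if __name__ == "__main__":
    for name, drift, ok in audit_sample():
        print(f"{name}: drift {drift:+d}s {'OK' if ok else 'CHECK'}")
```

In practice the two outputs would be collected over SSH or from a configuration backup and the reference taken from a host that is itself NTP-synchronised; the parsing and the tolerance check stay the same.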

Hope this helps somebody like me, who needs to google several times a day to find valuable information.

Thursday, May 19, 2011

Find dormant accounts on a Linux server

On busy production systems there will be a lot of accounts that have not been used for long intervals. To find them we have the standard Linux utilities "last" and "lastlog".

The "last" command displays the login records of the users who logged in to the system, with timestamps. On the other hand, "lastlog" displays every user's most recent login details with a timestamp.

The last command reads the log file /var/log/wtmp for its user data. Since on modern Linux systems the wtmp file is rotated on a monthly basis, the last command gives only the current month's statistics.

If we want last to report a whole year's statistics, we need to change the rotation configuration in /etc/logrotate.conf as below,

/var/log/wtmp {
    missingok
    # was "monthly"; keep a full year of login records in one file
    yearly
    create 0664 root utmp
    rotate 1
}

The following script displays the users who have not logged in during the last 3 calendar months, including the current one. I am sure this will be useful for people like me who need a clear idea of who is not active on the system.

#!/bin/bash
#
# Gives a list of users who have not logged in during the last 3 calendar
# months, including the current one: accounts in /etc/passwd that do not
# appear in the output of last for those months.
#
PATH=/bin:/usr/bin; export PATH
umask 077

# Anchor the relative dates to the 15th so "1 month ago" cannot skip a
# month at the end of a 31-day month.
THIS_MONTH=$(date +%h)
LAST_MONTH=$(date --date="$(date +%Y-%m-15) 1 month ago" +%h)
LLAST_MONTH=$(date --date="$(date +%Y-%m-15) 2 months ago" +%h)

# Unpredictable temporary files instead of /tmp/users1$$, removed on exit.
SEEN=$(mktemp) || exit 1
ALL=$(mktemp) || exit 1
trap 'rm -f "$SEEN" "$ALL"' EXIT

# -w prints full user names; without it last truncates long names, which
# would make those accounts look dormant.
last -w | grep -E " ($THIS_MONTH|$LAST_MONTH|$LLAST_MONTH) " | awk '{print $1}' | sort -u > "$SEEN"
awk -F: '{print $1}' /etc/passwd | sort -u > "$ALL"

# comm -13: lines only in the second file, i.e. passwd users with no login.
comm -13 "$SEEN" "$ALL"


The above script assumes the last command can show user statistics for more than 3 months.

Using "lastlog"

The quick and dirty way to find dormant accounts on a Linux system is the "lastlog" command. The following script will do the trick.

#!/bin/bash
#
# Gives a list of users who have not logged in during the last 90 days.
# lastlog -b 90 prints only records older than 90 days. Accounts that have
# never logged in are listed as "**Never logged in**" and are dropped here,
# so review those separately. The header row ("Username ...") is skipped.
#
PATH=/bin:/usr/bin; export PATH
umask 077
lastlog -b 90 | grep -iv 'Never logged in' | awk '$1 != "Username" {print $1}' | sort -u
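Both scripts above produce a plain list of user names. As an added example that is not part of the original post, the following Python program does the same classification from the output of lastlog and the contents of /etc/passwd, and additionally reports the accounts that have never logged in (which both scripts drop), skips system accounts below a UID boundary and accounts whose shell does not allow logins, and shows how many days each dormant account has been idle. The passwd and lastlog lines in it are constructed sample input; the 90-day threshold and the UID 1000 boundary are assumptions; and the timestamp format it expects in lastlog's Latest column ("Thu May 26 09:12:01 +0530 2011") is assumed to be the one shadow-utils prints on glibc systems.

```python
"""Classify accounts by last login from passwd and lastlog (added example)."""
from datetime import datetime, timedelta, timezone

# Assumed format of the "Latest" column printed by lastlog.
LASTLOG_TIME_FMT = "%a %b %d %H:%M:%S %z %Y"
NOLOGIN_SHELLS = ("/sbin/nologin", "/usr/sbin/nologin", "/bin/false")


def parse_passwd(lines):
    """Yield (username, uid, shell) from /etc/passwd-style lines."""
    for line in lines:
        fields = line.strip().split(":")
        if len(fields) >= 7 and not line.startswith("#"):
            yield fields[0], int(fields[2]), fields[6]


def parse_lastlog(lines):
    """Return {username: aware datetime, or None for "Never logged in"}.
    The From column is empty for console logins, so the timestamp is taken
    as the last six whitespace-separated tokens rather than by column."""
    seen = {}
    for line in lines:
        tokens = line.split()
        if not tokens or tokens[0] == "Username":
            continue  # blank line or the header row
        if "**Never logged in**" in line:
            seen[tokens[0]] = None
        else:
            seen[tokens[0]] = datetime.strptime(" ".join(tokens[-6:]), LASTLOG_TIME_FMT)
    return seen


def find_dormant(passwd_lines, lastlog_lines, now, max_days=90, min_uid=1000):
    """Return {"active": [...], "dormant": [(name, days_idle)], "never": [...],
    "skipped": [...]} for the accounts listed in passwd_lines."""
    last_seen = parse_lastlog(lastlog_lines)
    report = {"active": [], "dormant": [], "never": [], "skipped": []}
    for name, uid, shell in parse_passwd(passwd_lines):
        if uid < min_uid or shell in NOLOGIN_SHELLS:
            report["skipped"].append(name)  # system or login-disabled account
        elif last_seen.get(name) is None:
            report["never"].append(name)    # no lastlog record, or never logged in
        elif (now - last_seen[name]).days > max_days:
            report["dormant"].append((name, (now - last_seen[name]).days))
        else:
            report["active"].append(name)
    for names in report.values():
        names.sort()
    return report


# Constructed sample input (not taken from a real system).
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
carol:x:1003:1003::/home/carol:/bin/bash
dave:x:1004:1004::/home/dave:/sbin/nologin
""".splitlines()

LASTLOG_SAMPLE = """\
Username         Port     From             Latest
root             pts/0    10.0.0.5         Thu May 26 09:12:01 +0530 2011
bin                                        **Never logged in**
alice            pts/1    10.0.0.7         Wed May 25 17:45:10 +0530 2011
bob              pts/2    10.0.0.9         Mon Jan 10 08:00:00 +0530 2011
carol                                      **Never logged in**
dave                                       **Never logged in**
""".splitlines()

# Constructed "now": the evening of the day the post was written, at +5:30.
NOW = datetime(2011, 5, 26, 18, 30, tzinfo=timezone(timedelta(hours=5, minutes=30)))


def audit_sample():
    """Classify the constructed sample: bob is dormant, carol never logged in."""
    return find_dormant(PASSWD_SAMPLE, LASTLOG_SAMPLE, NOW)


if __name__ == "__main__":
    for category, names in audit_sample().items():
        print(f"{category}: {names}")
```

On a real host, replace the two sample lists with open("/etc/passwd") and the lines of subprocess output from lastlog; everything else stays the same.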

Friday, July 23, 2010

Mediawiki Migration

I did this again as part of our datacenter move from India to the US. We are on the recent release of MediaWiki (1.15.2), and I just needed to build an identical box in the US before shutting down the old one in India. There are plenty of help articles on the internet that helped me do this; I am detailing it here again for my future reference and, of course, it may help somebody like you.

The following are the software versions installed on both boxes.

MediaWiki 1.15.2
PHP 5.1.6 (apache2handler)
MySQL 5.0.77

Let's go through the detailed steps of the move, as follows:

On the old server:
  1. Shut down the Apache server to stop further updates to the wiki (#service httpd stop)
  2. Back up all the content of Apache's web folder (the MediaWiki files) (#tar -zcvf wiki.tar.gz /var/www/html/wiki)
  3. Copy the tar file to the new server
  4. Dump the MySQL database (#mysqldump -u (username) -p wikidb > backup-wikidb.sql); -p with no value makes mysqldump prompt for the password, so it does not end up in the shell history or in the process list
  5. Copy the dump file to the new server
On the new server:
  1. Restore the database from the backup-wikidb.sql file (#mysql -u (username) -p wikidb < backup-wikidb.sql)
  2. Untar the copied wiki.tar.gz file and copy it into Apache's document root (#tar -zxvf wiki.tar.gz; cp -R wiki /var/www/html)
  3. Edit the LocalSettings.php and AdminSettings.php files to match the wikidb and wiki user credentials
  4. Restart the Apache server (#service httpd restart)
  5. If everything went well, browse the wiki and log in with existing user credentials.
Yes, we have finished the move of MediaWiki from the old server to the new server...!!!

Thursday, July 22, 2010

Bugzilla Migration

As part of datacenter movement from India to US, I had to migrate my Bugzilla installation to a new server in US.

After some googling I found the steps to do this, but I still had to face some issues; that's the reason for this blog.

My current Bugzilla installation (ver. 3.0) is heavily customized for our company's purposes, so I had to stick with the same version for now. The following are the steps I followed on both servers.

On the new server:
  1. Download bugzilla-3.0.tar.gz from bugzilla.org (I had this on my old server, so I just copied it from the old server to the new one)
  2. Untar the software (#tar -xvf bugzilla-3.2.2.tar.gz)
  3. Rename the extracted directory to bugzilla (#mv bugzilla-3.2.2 bugzilla)
  4. Copy bugzilla to the Apache web root directory (#cp -R bugzilla /var/www/html)
  5. Change the permissions of the bugzilla folder (#chmod -R 655 bugzilla)
  6. Change the ownership to the Apache web user (#chown -R apache bugzilla)

Now log in to MySQL and create the database and the user.

mysql> CREATE DATABASE bugs;
mysql> GRANT ALL ON bugs.* TO bugs@localhost IDENTIFIED BY 'Your Password';
mysql> COMMIT;
mysql> QUIT;

Now go to the bugzilla folder and run the checksetup.pl Perl script, which tells you which prerequisites need to be installed and how. Here you may need to install a lot of Perl modules, which you can download manually from CPAN and install (perl Makefile.PL; make; make install) or install with the CPAN shell.

#./checksetup.pl

On the old server:

  1. Copy the data folder (/var/www/html/bugzilla/data) to the new server and replace the existing data folder with it.
  2. Copy the localconfig file from the /var/www/html/bugzilla folder to the new server and replace the existing file with it.
  3. Use mysqldump to make a backup of the bugs database. For a typical Bugzilla setup, the command looks like this (use a bare -p to be prompted for the password instead of putting it on the command line):
    mysqldump -u(username) -p(password) bugs > bugzilla-backup.sql
  4. Copy the bugzilla-backup.sql file to the new server.
On the new server:
  1. Restore the MySQL backup from the bugzilla-backup.sql file with the following command.
    mysql -u(username) -p(password) bugs < /path/to/bugzilla-backup.sql
If you get an error about "packet too large" or "mysql server has gone away", you need to adjust the max_allowed_packet setting in your my.cnf (usually in /etc/my.cnf) file to be larger than the largest attachment ever added to your Bugzilla.

If everything went well, run ./checksetup.pl again and double-check that everything is smooth.

Now go to the web URL and try to log in with your existing username and password.

Yes, now we have completed the migration from the old server to the new one.


Cheers !!!!!


Saturday, May 9, 2009

Apache authentication against Active Directory

Apache is the world's most popular and #1 web server on the internet. Almost 50 percent of all web servers on the internet run Apache on various operating systems.

To protect content, Apache supports various types of authentication, including basic htpasswd, MySQL, NTLM, LDAP, AD, etc. Here I describe how we can use Active Directory as the user/password database for an Apache server.

Assume we have an existing Active Directory domain which holds the company's user information. As part of single sign-on, we want to use AD as the source of user credentials for accessing the corporate wiki running on the Apache server. Also assume, for the purpose of this write-up, that the wiki and Apache server run on GNU/Linux.

The following are the steps needed to complete the integration of Apache with AD.
  • Create one user in AD which we can use as the LDAP bind user for read-only access to the AD database. Go to Active Directory Users and Computers on the DC and create a domain user, say "apache", with a strong password "xxxxxxxxx".
  • If we want to use ldaps (LDAP over SSL) we need to export the certificate from AD and import it into the web server machine. This can be done in a single step from the web server using the openssl command as follows (</dev/null makes s_client exit after printing the certificate instead of waiting for input).
openssl s_client -connect dc.mydomain.com:636 -showcerts </dev/null

Save the certificate (the block from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----) as "domain.cer" on the web server machine in the /etc/httpd/conf.d directory.
  • Go to the Linux server and create a file named "authz_ldap.conf" under the directory /etc/httpd/conf.d with the following parameters.
LDAPTrustedGlobalCert CA_BASE64 /etc/httpd/conf.d/domain.cer
LDAPTrustedMode SSL
<Location "/">
    Order deny,allow
    Allow from all
    AuthType Basic
    AuthName "Only for trusted users"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative off
    AuthLDAPURL "ldaps://dc.mydomain.com:636/DC=mydomain,DC=com?sAMAccountName?sub?(objectClass=*)"
    AuthLDAPBindDN apache@mydomain.com
    AuthLDAPBindPassword xxxxxxxx
    Require valid-user
</Location>

The ldaps:// scheme already selects an SSL connection, so no connection-type keyword is needed after the URL. Because the bind password is stored in clear text in this file, keep it readable by root only (chmod 600 /etc/httpd/conf.d/authz_ldap.conf); httpd reads its configuration as root before dropping privileges.

Here all the AD users get access to the website because we use the option "Require valid-user". If you want to give access to only a specific group of users, use the following option instead of "valid-user".

Require ldap-group CN=mygroup,OU=groups,DC=mydomain,DC=com

  • Also make sure the following modules are loaded in Apache's configuration file httpd.conf.
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule authz_host_module modules/mod_authz_host.so
  • Add the following line to /etc/openldap/ldap.conf; this is very important for a working configuration.
REFERRALS off
  • Finally, restart the Apache server by issuing the following command.
/etc/init.d/httpd restart


Check the result by accessing the wiki at the correct URL and enjoy!
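The AuthLDAPURL above packs several things into one string: the directory server, the search base, the attribute the login name is matched against, the search scope and a base filter. The following Python program is an added example, not part of the original post and not code from mod_authnz_ldap: it splits that URL into its parts, builds the per-login search filter the way mod_authnz_ldap documents it (the URL's filter ANDed with attribute=username, with the login name escaped per RFC 4515 so that characters such as "*" or ")" in a submitted name cannot change the meaning of the search), and checks that the transport protects the bind password. The URL is the one from the post; the user names are constructed, and the defaults (uid, sub, (objectclass=*)) are those given in the mod_authnz_ldap documentation.

```python
"""Inspect an AuthLDAPURL and build an escaped user lookup filter (added example)."""
from urllib.parse import unquote, urlsplit

# The URL from the configuration above.
AUTH_LDAP_URL = (
    "ldaps://dc.mydomain.com:636/DC=mydomain,DC=com?sAMAccountName?sub?(objectClass=*)"
)

# Characters RFC 4515 requires to be escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a user-supplied value before placing it in an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def parse_auth_ldap_url(url):
    """Split ldap[s]://host[:port]/basedn?attribute?scope?filter into a dict.
    Missing fields take the mod_authnz_ldap defaults: uid, sub, (objectclass=*)."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL: {url!r}")
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (3 - len(fields))          # pad to attribute, scope, filter
    attribute, scope, base_filter = fields[:3]
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "base_dn": unquote(parts.path.lstrip("/")),
        "attribute": attribute or "uid",
        "scope": scope or "sub",
        "filter": base_filter or "(objectclass=*)",
    }


def build_user_filter(parsed, username):
    """The search issued for a login name: the URL's filter ANDed with
    attribute=username, with the user-supplied name escaped."""
    return f"(&{parsed['filter']}({parsed['attribute']}={escape_filter_value(username)}))"


def transport_is_encrypted(parsed, mode=None):
    """True when binds and lookups travel over TLS: an ldaps:// URL, or a
    LDAPTrustedMode / AuthLDAPURL connection keyword of SSL, TLS or STARTTLS."""
    return parsed["scheme"] == "ldaps" or (mode or "").upper() in ("SSL", "TLS", "STARTTLS")


if __name__ == "__main__":
    parsed = parse_auth_ldap_url(AUTH_LDAP_URL)
    for key, value in parsed.items():
        print(f"{key:10} {value}")
    # Constructed login names: an ordinary one and one containing filter metacharacters.
    for name in ("alice", "*", "a)(b"):
        print(name, "->", build_user_filter(parsed, name))
    print("encrypted transport:", transport_is_encrypted(parsed, "SSL"))
```

Running it shows that a login name of "*" is searched as sAMAccountName=\2a, a literal asterisk, rather than as a wildcard that would match every account; the same escaping rule applies to any code of your own that builds LDAP filters from web input.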