If you’re a user that has a desktop computer always on at home (Mac or Windows) and you carry a laptop around, this post can help set yourself up with some private web browsing.

I’m going to cover all the different Mac & Windows options here, because I know not everyone uses the same set of computers. I hope the post doesn’t get too cluttered…

Home Computer Setup

1. A Dynamic DNS account configured using your high speed internet account.
2. An SSH server running (this is the tricky part)
3. A properly configured home firewall

1. Dynamic DNS

There are lots of Dynamic DNS services out there, but my favorite is DynDNS.com.  I’ve had an account with them for over 10 years and I don’t think they’ve ever been offline.  I use their paid Custom DNS service because it gives me a lot of flexibility and control.

I’m going to leave the setup process for Dynamic DNS on your home account out of this post.  Your firewall may already have integrated support and there are lots of other pages out there to set this up.  Here are a few:

• http://www.dyndns.com/services/dns/dyndns/howto.html
• http://minitutorials.com/apache/dyndns11.shtml
• http://geekswithblogs.net/saifkhan/archive/2008/12/29/setup-dyndns-dynamic-dns-on-a-linksys-wrt54g-router-again.aspx

For reference, I set my custom DNS name to, home.mydomain.com.  This is the hostname I’ll use when configuring the remote SSH tunnel.

2a. An SSH Server using Mac OS X

With Mac OS X as your home computer, you’re in luck, this is easy to setup.  First, I recommend creating a user account used only for SSH connections.  Open System Preferences – Accounts, click the + icon to create a new account, and name it whatever you want, something cryptic maybe, I’ll call my new user, goodbadtechremote2009, and I recommend picking a very strong password, 8+ characters, letters, numbers, symbols, etc.

Next, enable remote access by opening System Preferences -> Sharing.  Then click the checkbox next to “Remote Login”.  In the “Allow Access” section, change the selection to “Only these users”, and add the user you just created.

Last, configure your Mac to use a static IP address.  This can be done under System Preferences -> Network.  Make note of the address you use, I’ll refer to it later as SSHIP.  Take a look at this link for additional help: http://answers.vt.edu/kb/entry/1867/

That’s it on the Mac side, you’re ready to go.

2b. An SSH Server using Microsoft Windows

Running Windows, it’s definitely more of a challenge to get an SSH server online.  I know some people have used Cygwin, but I think using the free VMWare Server product is a better way to go. It makes the whole process much faster, is more reliable and VMWare is just cool.

1. So, step one, download and install VMWare Server.  VMWare provides a lot of great documentation regarding how to get the product downloaded and installs, but typically you just need to download and run the installer with all the default options.
2. Reference my post regarding installing CentOS 5 as a VMWare guest.  Complete the steps in the section, CentOS 5.  Make sure you choose Bridged for the type of network connection. There are also many other places that detail installing Linux operating systems in VMWare, feel free to use a different resource if you have one you prefer.
3. Login to your new Linux operating system as root
   1. Add a new user for SSH connections and set a very strong password, let’s call the user goodbadtechremote2009
      /usr/sbin/adduser goodbadtechremote2009
   2. I recommend you edit /etc/ssh/sshd_config to lock access down.  Here is a sample config that I like to use.

      Port                            22
      Protocol                        2
      ListenAddress                   0.0.0.0
      AllowUsers                      goodbadtechremote2009
      SyslogFacility                  AUTH
      LogLevel                        INFO
      PermitRootLogin                 no
      StrictModes                     yes
      RSAAuthentication               yes
      PubkeyAuthentication            yes
      PasswordAuthentication          yes
      PermitEmptyPasswords            no
      KerberosAuthentication          no
      X11Forwarding                   no
      PrintMotd                       yes
      PrintLastLog                    yes
      KeepAlive                       yes
      UseLogin                        no
      UsePrivilegeSeparation          no
      Subsystem                       sftp            /usr/libexec/openssh/sftp-server
      Banner                          /etc/issue
      UseDNS                          no

   3. I also like to edit the /etc/issue file to include a simple “keep away” statement.

                                  NOTICE TO USERS
      
      This computer system is the private property, whether individual,
      corporate or government.  It is for authorized use only. Users
      (authorized or unauthorized) have no explicit or implicit
      expectation of privacy.
      
      Any or all uses of this system and all files on this system may be
      intercepted, monitored, recorded, copied, audited, inspected, and
      disclosed to your employer, to authorized site, government, and law
      enforcement personnel, as well as authorized officials of government
      agencies, both domestic and foreign.
      
      By using this system, the user consents to such interception, monitoring,
      recording, copying, auditing, inspection, and disclosure at the
      discretion of such personnel or officials.  Unauthorized or improper use
      of this system may result in civil and criminal penalties and
      administrative or disciplinary action, as appropriate. By continuing to
      use this system you indicate your awareness of and consent to these terms
      and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the
      conditions stated in this warning.

   4. Configure a static IP address
      1. run /sbin/ifconfig and note your current IP address and Network.
      2. In CentOS, edit /etc/sysconfig/network-scripts/ifcfg-eth0, so it looks something like the text below.  Make sure to replace the IP address and Gateway with a valid address in your network.  I’ll later referece the IP address you set here as SSHIP

         TYPE=Ethernet
         DEVICE=eth0
         BOOTPROTO=
         IPADDR=192.168.0.10
         GATEWAY=192.168.0.1
         NETMASK=255.255.255.0
         USERCTL=yes
         IPV6INIT=no
         PEERDNS=yes
         ONBOOT=yes

   5. Restart the SSH server

      /etc/init.d/sshd restart

   6. Restart your networking

      /etc/init.d/network restart

   7. That’s it, your Linux setup in Windows should be ready to go.

3. Your home firewall

Disclaimer: Open remote access to an SSH server in your home network at your own risk.  I can’t cover all the details of this setup process here and there are several security concerns to consider.   Also, your internet provider may NOT allow home servers running over the Internet.

In order to access your own computer over the Internet, you’ll need to allow remote access through your home firewall/router (you are using a firewall on your high speed connection right?).

I use a LinkSys WRT300N wireless router.  Most of the LinkSys, Belkin, NetGear, etc routers operate pretty much the same.  For me, I logged into the router, went into the Applications & Gaming section and setup single port forwarding.

A little trick I use is to set the external port to 443 instead of 22 (which is the default for SSH connections) because some networks control outbound traffic and port 443 is more likely to be allowed outbound then port 22 is.  Also, if anyone were to glance at the actual traffic it would look like the HTTPS encrypted traffic they’d expect to see.

Make sure to set the internal port to 22, set the protocol to TCP, and enter the SSHIP address you recorded in earlier and save your settings.

You’re ready to setup your laptop to open the SSH tunnel.

Laptop Setup

Windows SSH Tunnels

• Download putty.exe and save it to your hard drive.  I usually place the executable in my Program Files directory.
• Run PuTTY
• We need to create a saved session for easily opening an SSH connection with all the right settings in the future
  • Expand the Connection section and click Data and enter goodbadtechremote2009 in teh Auto-Login username field.
  • Expand Connection->SSH and click on Tunnels
  • In the Source Port field type 1080
  • Leave the Destination field empty
  • Change the Local radio button to Dynamic
  • Click on the Session category
  • Type in the hostname you configured when setting up Dynamic DNS, home.mydomain.com, in my example
  • Make sure the connection type is SSH
  • The default port will be 22, change this to 443 if you set your home firewall up the way I did in this example.
  • In the Saved Sessions text box, type in a name for the session.  I like to use the remote hostname I’m connecting to, home.mydomain.com.
  • Click Save
• Test the new PuTTY session by clicking open.  If all goes right you’ll get a terminal session window that opens and it will prompt you for a password.  On your first connection attempt you may be asked to verify that you are connecting to a valid host, you can type yes to authorize the connection.
• Shortcut tip:  Create a shortcut on your desktop to the putty.exe application.  Edit the properties of the shortcut and add some information to the target line.  Mine looks like this:

  "C:\Program Files\SSH Client\putty.exe" -load "home.mydomain.com"

Windows Web Browser changes

This is the last step, configuring the browser.  There are a number of different ways to set this up.  I’m going to keep it simple here.  I use Internet Explorer 8 for my primary web browsing, and I downloaded and installed Firefox to use when I want use my private browsing SSH tunnel.   So here is the process for this approach:

• Download and install Firefox if it’s not installed already. http://www.mozilla.com/en-US/firefox/personal.html
• Open Firefox and click on Tools -> Options
• Click the Advanced Icon at the top of the Options Window
• Click the Network Tab
• Click the Settings button
• Select “Manual Proxy Configuration”
• Under SOCKS Host, type in, 127.0.0.1
• Set the port for SOCKS Host to 1080
• Select the SOCKS v5 radio button
• Click OK
• Click OK again to close the Options window

If your SSH connection is still open, you should be able to visit web pages just like you normally would, go ahead and try to visit GoodBadTech.com and see if it works.

Now this is the real test, close your SSH tunnel by closing your PuTTY session window.  Try to go to http://goodbadtech.com again.  This time the connection should fail.  If it does, your private web browsing configuration is READY TO GO!

In the future, to use private browsing, open the PuTTY shortcut you configured on your desktop, then open Firefox and no body at your office or in the coffee shop or where ever will be able to detect or restrict what web sites your visiting.

Mac OS SSH Tunnels

This is a pretty quick process, here goes…

1. Open your Applications folder -> Utilities -> Terminal
2. Type
   pico ~/.bash_profile
3. scroll down to the very bottom of the file
4. Add this line
   alias homessh=”/usr/bin/sshtunnel -D 1080 -f -C -q N  -p 443 goodbadtechremote2009@home.mydomain.com”
5. Type Ctrl+x to exit the Pico editor, type Y, to indicate you want to save the changes
6. Now at your command prompt type, homessh, this should connect to your home SSH server and prompt you for your password. Type in your password and your tunnel will be ready to go.  \

Mac OS Web Browser changes

On my MacBook Pro, I find it works best to use the location functionality. Note: This will only effect the Safari browser.  Firefox will ignore these location settings.

1. I go into the Apple Menu, Select Location, then select “Network Preferences”
2. In the Location drop-down menu select “Edit Locations…”
3. Click the + icon at the bottom of the Locations menu that pops up and name your new location, “Home SSH Proxy”, click Done.
4. Back in the Network system preference, select the new “Home SSH Proxy” location
   
5. Click on the Ethernet icon
6. Click on the Advanced button
7. Click on the proxies tab
8. Click the check box next to Web Proxy (HTTP)
9. In the Web Proxy Server enter, 127.0.0.1, into the first text field and enter, 1080, into the second field.
10. Now click the check box next to Secure Web Proxy (HTTPS)
11. In the Secure Web Proxy Server enter, 127.0.0.1, into the first text field and enter, 1080, into the second field.
    
12. Click OK
13. Repeat steps 6-12 for your AirPort connection

That should be everything.  Just as in the Windows setup, if your SSH connection is still open and your location is set to Home SSH Tunnel, you should be able to visit web pages just like you normally would, go ahead and try to visit GoodBadTech.com and see if it works.

Now this is the real test, close your SSH tunnel by typing exit in your terminal window.  Try to go to http://goodbadtech.com again.  This time the connection should fail.  If it does, your private web browsing configuration is READY TO GO!

In the future, to use private browsing, open a terminal window and type homessh, enter your ssh password, then switch your location to “Home SSH Tunnel”.  Make sure to switch back to your normal network location when you’re done.

Additional Reading

• Read the Public Key Setup section on Public Key Authentication

As always, feel free to post any questions in the comments below.

So the question is: Who is my computer connected to and what’s it sending them?

First I needed to know the IP address of my home internet connection.  The home web server is on a Comcast cable modem with DHCP that doesn’t change its IP address very often, but does every once in a while.  To get started I logged in to the home computer via my LogMeIn connection, opened up the web browser, and hit up http://www.whatsmyip.org to verify my IP address, looks like it’s 12.345.678.9 (no, that’s not actually my IP address, but I don’t want to post my real public IP for everyone to see)

Note: I actually use DynDNS to keep track of my home IP address, the whatsmyip.org method is just a little faster if you don’t already have Dynamic DNS running somewhere.

With my remote IP address in hand, I was ready to check out what connections were active.

Open up your Terminal application (Applications -> Utilitys -> Terminal.app) and run,

netstat -napt

Here is what returned:

[goodbadtech@tim:~]$ netstat -napt
netstat: t: unknown or uninstrumented protocol

Oh right, that’s the Linux netstat syntax, it lists all active TCP connections, their process ID, and turns off DNS translations so just the IP address shows up

To get the same output in Mac OS I had to change the syntax a bit:

netstat -na -p tcp

The results this time where much better.  I needed to narrow the results down, 46 TCP connections where too many to scan through.

netstat -na -p tcp | grep 12.345.678.9

Running this command which only outputs connections that contain the IP address I specified, I expected to see an empty result, because I wasn’t aware of any active connections to my home network. However, this is what I saw:

tcp4       0      0  10.1.1.110.50994       12.345.678.9.4242        ESTABLISHED

The destination port was a little suspicious to me, 4242.  I had no idea what the connection was.  I also noticed something else, no process ID was listed.  I forgot about that too.  I’m so used to the Linux version of netstat including PID information, I forget that Mac OS doesn’t include PID.

So how to I find the PID of a TCP connection on a Mac?  Here we turn to lsof.  Note, lsof requires root permission, so we’ll be running the commend with sudo

sudo lsof -i -Pn

-i limits the results to files with Internet connections active
-Pn turns off reverse port and IP address translation which just speeds the results up a bit

Now we’re getting somewhere, expect the list of files returned is still large, 145, and I don’t like to look through so many lines, so let’s get grep involved again to help filter the results

sudo lsof -i -Pn | grep 12.345.678.9

And the one line I was looking for was displayed

java       6756           root   70u  IPv4  0x8c3ce64      0t0    TCP 10.1.1.110:50994->12.345.678.9:4242 (ESTABLISHED)

Okay, process ID 6756, good, that’s the info I was looking for.  However, I saw the process name was java.  Great, that could be anything.  Why in the world was a java process started by root connected to my home computer network?  We go back to lsof to find the answer.  (That sentence makes me think I’ve been watching too much History channel lately)

sudo lsof -p 6756

-p the lower case p limits results to open files in use by process ID 6756.

With a 122 lines returned I saw there was plenty of activity, fortunately, I quickly saw exactly what was going on.

java    6756 root   51u     REG       14,2        44   5116740 /Library/Caches/CrashPlan/cpft366842740763787782x

There were many lines output similar to this one, so I don’t need to include the whole output here, the point is, the line segment /Library/Caches/CrashPlan, tells me that CrashPlan had created the connection.  Okay, I’m cool with that.  I hope you found this useful.  Send me a message on Twitter @goodbadtech if you have any questions.  Back to my original software testing…

Notes:

A quick editorial on CrashPlan, its very slick backup software, especially for those of you that have multiple computers in different locations.  The basic concept is, you backup for your office and your office backs up to your house.  Make sure you at least check out the link.

netstat and lsof are great utilities to get familiar with.  If your computer is running slow or you want to check connections on your web server, they should come to mind right away.  One of my favorites on a Linux web server will list all established connections to your web server (assuming you’re running Apache)

netstat -atp | grep httpd | grep ESTABLISHED

This will count all the established connections to your web server and output the value

netstat -atp | grep httpd | grep ESTABLISHED | wc -l

Here is a great post of netstat commands to try out if you’re looking for some additional reading.

http://www.mydigitallife.info/2007/12/13/how-to-find-and-check-number-of-connections-to-a-server

• Step 1 – Virtual Machine Setup
  
• Step 2 – Finalize the LDAP server
• Step 3 – Finalize the iFolder Web server (you are here)

Step 3 – Finalize the iFolder Web Server

As you’ll recall in (if you don’t recall, don’t miss out on) step 1, we created a very basic OpenSUSE 10.3 installation and converted it to a template before the installation process completed.  Then in step 2 we created the LDAP server. Here we’ll get the web server up and running with iFolder installed.

In the VMWare Infrastructure Client, right-clicking on my OPENSUSE10.3 template, I select “Deploy Virtual Machine from this template…”   The settings you enter in the Deploy Template Wizard will be very specific to your environment so I won’t cover them in detail here.

I made two changes after the deployment process completed.  First, I disconnected the CD / DVD ISO because I won’t be needing it anymore.  Second, I added a second virtual disk to be used as my iFolder data store.  I went with a 250GB virtual disk which should hold all my files, at least for a while anyway.

Power on the virtual machine (mine is named IFOLDERWEB01) and open up the console.

Finish Setup

OpenSUSE will detect that you have not completed the installation process and load up the YaST First run utility.

1. Set your root password, as always, set a good one.
2. Hostname and Domain name: This can anything you want, just remember what the settings are.  I always uncheck “Change hostname via DHCP”
3. Network configuration: You’ll need to set a static IP address, valid DNS servers, and a valid default gateway.
4. Test Internet Connection: I always skip this
5. Authentication Method: LDAP
   1. LDAP Client Configuration wizard
   2. Address of LDAP server: Enter the address assigned to your LDAP server from step 2
   3. You can use “Fetch DN” to get the correct base DN
   4. Uncheck LDAP TLS/SSL
   5. Open Advanced Configuration
      1. View Administration Settings
      2. Enter the full Administrator DN as recorded in step 2
      3. Accept
   6. Select Next
   7. Install any missing packages requested by YaST
6. Release Notes: select Next
7. Finish

At this point you should have a very basic OpenSUSE server up and running and connected to the Internet.  From here, we’ll install the Web server and iFolder services.  You should be back at the login prompt, so login as root, type “yast” (no quotes) and press enter.

Install required packages

In the YaST2 Control Center select Software -> Sofware Management.  Your system may update it’s cache at this point.  After a few moments you should see a list of installed software.  You’ll want to install the following packages and let YaST handle the dependencies:

• apache2-worker
• openssl
• wget
• log4net

After those packages are installed, I recomment creating a temp directory somewhere to download the required iFolder RPM files.  I ran the following…

cd ~
mkdir rpmtmp
cd rpmtmp
mkdir ifolder
mkdir mono
cd mono
wget http://ftp.novell.com/pub/mono/download/x86/mono/1.2.6-4/mono-core-1.2.6-4.novell.i586.rpm
wget http://ftp.novell.com/pub/mono/download/x86/mono/1.2.6-4/mono-data-1.2.6-4.novell.i586.rpm
wget http://ftp.novell.com/pub/mono/download/x86/mono/1.2.6-4/mono-data-sqlite-1.2.6-4.novell.i586.rpm
wget http://ftp.novell.com/pub/mono/download/x86/mono/1.2.6-4/mono-web-1.2.6-4.novell.i586.rpm
wget http://ftp.novell.com/pub/mono/download/x86/mono/1.2.6-4/mono-nunit-1.2.6-4.novell.i586.rpm
wget http://ftp.novell.com/pub/mono/download/x86/mono/1.2.6-4/mono-winforms-1.2.6-4.novell.i586.rpm
wget http://ftp.novell.com/pub/mono/download/noarch/xsp/1.2.6-2/xsp-1.2.6-2.novell.noarch.rpm
wget http://ftp.novell.com/pub/mono/download/suse-103-i586/mod_mono/1.2.6-1/apache2-mod_mono-1.2.6-1.suse103.novell.i586.rpm
rpm -Uvh *.rpm
cd ../ifolder/
wget http://superb-west.dl.sourceforge.net/sourceforge/ifolder3/ifolder3-enterprise-3.7.2.9089.1-0.2.i586.rpm
wget http://superb-east.dl.sourceforge.net/sourceforge/ifolder3/ifolder-enterprise-plugins-3.7.2.9089.1-2.i586.rpm
rpm -Uvh *.rpm

There, iFolder is installed. It’s not too bad once you get the right list of mono packages.  Next we need to configure the iFolder server and link it to our LDAP server. As the ifolder RPM indicates, “Run /usr/bin/simias-server-setup to configure the server”.  But wait, before we do that, that new virtual disk I created in VMWare needs to be formatted so it’s ready to go.

YaST -> System -> Partitioner

1. Create a new Disk
2. Select the disk you created, in my case, /dev/sdb
3. Primary Partition
4. Leave the format defaults as they are.  Note, iFolder requires an Ext3 or Reiser filesystem
5. Leave the size with it’s defaults
6. Set the Mount Point to, /data
7. Select, OK
8. Back in the main partitioner window, select Apply
9. Confirm the changes by selecting Apply again.  Note: I’ve found selecting Finish often ends up requiring a reboot for some reason, so I shy away from it now.
10. Also note, don’t screw this part up or you’ll be starting over by deploying your VM from template again.
11. When the formatting is complete, select Quit to exit the Partitioner wizard

Now, back to the iFolder setup process, here is what I did:

/usr/bin/simias-server-setup
Server Data Path: /data/simias
Server Name: ifolderweb01
SSL: NONSSL
Public URL: http://myip/simias10
Private URL: http://myip/simias10
System Name: ifolder
System Description: iFolder Enterprise System
Use Key Recovery Agent? Y
Recovery Agent Certificate Path? /var/simias/data
Use LDAP? Y
LDAP Server? your ldap server IP
LDAP Secure? N
LDAP Admin DN? This is the full Administrator DN as recorded in step 2
LDAP Admin Password? Your password
System Admin? cn=admin,dc=yourdomain,dc=com (this is a little tricky, just use the same full Administrator DN you used, except swap, admin, in place of, administrator
System Admin Password? whatever you want
LDAP Proxy DN? cn=SimiasProxy,dc=yourdomain,dc=com
LDAP Proxy Password? whatever you want
LDAP Search Context? cn=iFolderUsers,ou=group,dc=mynightowl,dc=com
Naming Attribute? mail
Configure Apache? Y
Ldap Groups Plugin? Y

Whew, you have no idea how many times I ran the setup process to get that to work. The problem is all the default values are for non LDAP installations, and while I’ve very familiar with Windows and Active Directory, I don’t spend a lot of time looking at what all the specific Distinguished Names are in an LDAP directory.

Web Server Configuration

• /usr/bin/ifolder-web-setup
  • Web Alias? /ifolder
  • Require SSL? N
  • Require Server SSL? N
  • iFolder URL? http://youripaddress:80/
  • Redirect URL? leave blank
• /usr/bin/ifolder-admin-setup
  • Web Alias? /admin
  • Require SSL? N
  • Require Server SSL? N
  • iFolder URL?  http://youripaddress:80/
  • Redirect URL? leave blank
• /sbin/chkconfig apache2 on
• /etc/init.d/apache2 start

That is it.  You’re up and running.  Visit the addresses below in your web browser and start clicking around.  Keep in kind, I disabled ALL encryption for this installation.  In my particular case, all traffic will be contained to a trusted local area network.  If you’re doing anything over the Internet you’ll of course want to enable encryption.

I plan to follow up here with a special Step on enabling public encryption.  But up next in this series are the Windows and Mac OS desktop clients for iFolder.  This is where things get really useful.  Check back soon, follow me on Twitter @goodbadtech, or subscribe to Feedburner email notifications to stay informed of new posts.

User Access:  http://youripaddress/ifolder
Admin Access: http://youripaddress/admin

Authentication

The admin user you created has a username of, cn=admin,dc=yourdomain,dc=com, I know that’s a little unusual, but it’s just the default admin.  All other users you add to your LDAP directory will login using their email address.  I suggest logging in as cn=admin,dc=yourdomain,dc=com, then setting that first LDAP user you created as an iFolder admin, then you can use that for administering the system instead of the admin user with the complete distinguished name.

• Step 1 – Virtual Machine Setup
  
• Step 2 – Finalize the LDAP server
• Step 3 – Finalize the iFolder Web server (you are here)

• Step 1 – Virtual Machine Setup
  
• Step 2 – Finalize the LDAP server (you are here)
• Step 3 – Finalize the iFolder Web server

Step 2 – Finalize the LDAP Server

As you’ll recall in (if you don’t recall, don’t miss out on) step 1, we created a very basic OpenSUSE 10.3 installation and converted it to a template before the installation process completed.  I’m going to move on from there with the LDAP server first.

In the VMWare Infrastructure Client I brought up the view of all the templates in my environment.  Right-clicking on my OPENSUSE10.3 template, I select “Deploy Virtual Machine from this template…”   The settings you enter in the Deploy Template Wizard will be very specific to your environment so I won’t cover them in detail here.  The only change I made after the deployment process completed was to disconnect the CD / DVD ISO because I won’t be needing it anymore.

Power on the virtual machine (mine is named IFOLDERLDAP01) and open up the console.

Finish Setup

OpenSUSE will detect that you have not completed the installation process and load up the YaST First run utility.

1. Set your root password, as always, set a good one.
2. Hostname and Domain name: This can anything you want, just remember what the settings are.  I always uncheck “Change hostname via DHCP”
3. Network configuration: You’ll need to set a static IP address, valid DNS servers, and a valid default gateway.
4. Test Internet Connection: I always skip this
5. Authentication Method: Even though we’ll be installing openldap, it’s not installed yet, so set the Authentication Method to local
6. New Local User: Enter in a default first user
7. Release Notes: select Next
8. Finish

At this point you should have a very basic OpenSUSE server up and running and connected to the Internet.  From here, we’ll install the LDAP server.  You should be back at the login prompt, so login as root, type “yast” (no quotes) and press enter.

Install required packages

In the YaST2 Control Center select Software -> Sofware Management.  Your system may update it’s cache at this point.  After a few moments you should see a list of installed software.  Open the search field and type “ldap”.  A list of results will show up, scroll down to openldap2 and press Shitf+=, this will place a + sign next to the package to it’s marked for installation.  Continue scrolling down to “yast2-ldap-server” and press Shift+=  Select Accept.  YaST will auto resolve a few dependencies.  You can accept the changes it suggests.    When the packages are finished being installed, you can exit out of Yast.

Now is a good time to update any basic system settings you normally would, I always update the sshd_config to it’s locked down much better than the default settings.  Also, if you’re running the SuSE Firewall, make sure you have TCP ports 22 and 389 open for SSH and basic LDAP connections.

Configure LDAP Server

Open up yast again and navigate to Network Services -> LDAP Server

Select “Yes” and go into the configuration, then highlight Databases and select “Add Database…”

On the Add Database screen, you’ll need to enter your Base DN, as well as the LDAP root password.  You can leave the Root DN with it’s default value if you like. After you’ve added the Database select Finish to close the LDAP Server Configuration window.

Back at the YaST main Control Center screen, I suggest going into Network Servers -> LDAP Browser to verify your LDAP server is running.

Access Credentials

• LDAP server: 127.0.0.1
• Administrator DN: cn=Administrator,dc=yourdomain,dc=com (use the domain name you entered)
• Password: the password you entered

Note: Make note of the Administrator DN, you’ll need it again in later steps.  Also, if given an TLS/SSL error, it’s okay to retry the connection without encryption enabled.

Exit out of YaST.

There are a few useful steps you can review over on OpenSUSE.org as well.  I do recommend checking the link out, but I’ll show you a different way, using YaST, to add users.

LDAP Client Configuration

In the YaST control center, go to Network Services -> LDAP Client.  In the User Authentication box select “Use LDAP”.  In the LDAP Client box change the LDAP Base DN to the domain you’re using, uncheck LDAP TLS/SSL, and then open up “Advanced Configuration…”

Change from the “Client Configuration” window you start in to “Administration Settings”.  In the Administrator DN field, enter in the same Administrator DN you recorded up in the Access Credentials section above.   Accept the Changes and then select Finish back on the LDAP Client Configuration window.

Here, YaST may notify you that a few missing packages need to be installed, go ahead and continue so they can be installed.

Add a User

First, you need to configure some basic user/group options for LDAP users.  In YaST, navigate to Security and Users -> User Management, then select LDAP Options -> LDAP User and Group Configuration. You’ll need to authenticate before you can proceed.  Notice the Administrator name is pre-populated with the Administrator DN you entered in the LDAP Client Configuration advanced settings.

A warning appears up that “No entry with DN”… exists, Create it Now? You should select Yes.  Select New, leave the susegroupconfiguration Object selected, enter “groupconfiguration”, and select OK

Leave all the default settings for the groupconfiguration.  Select New again, notice only the suseuserconfiguration object is availabe.  Enter, “userconfiguration”, and select OK.  Now, we’ll edit two values in the userconfiguration module.  Set suseminuniqueid to 10000, and set susenextuniqueid to 10000.  Select Accept when you’re finished with the changes.

Set the User Filter to LDAP Users.

Two warnings will appear that No entry with DN…. exists, select Yes for each one and continue.

Select Add, and enter the user information, First Name, Last Name, Username, Password, Confirm Password.  Before selecting Accept, change to the Plug-Ins screen.

Highlight the “Edit Remaining LDAP Attributes” and select Launch, scroll down to the mail Setting, and enter the user’s email address.  Accept the changes, and select Accept again to create the user.

Let’s create a Group too.  The process is pretty much the same as users.  Change over to the groups screen, set the filter to LDAP groups, and Add a new group.  I’ll call mine, “iFolderUsers”, and add the user I just created to the group.

You can add more users and groups here if you like, but at this point, I think I’m done with the LDAP server.  Time to move on to Step 3.

• Step 1 – Virtual Machine Setup
  
• Step 2 – Finalize the LDAP server (you are here)
• Step 3 – Finalize the iFolder Web server

• Step 1 (you are here)
• Step 2 – Finalize the LDAP server
• Step 3 – Finalize the iFolder Web server

Step 1 – The Virtual Machine setup

Since I’m using a separate LDAP server from the iFolder web server, I decided to start with an OpenSUSE 10.3 virtual template that I could then use to customize each server.  Also, this would give me a good fall back point if I decided to start over the build process for either one of them.   Its a pretty basic virtual machine setup.  I started with a 4GB disk, 1024 MB of memory, 2 CPUs, 1 NIC, etc.  I set my guest operating system to “Other Linux 32-bit”.

I set the full ISO for openSUSE-10.3-GM-GNOME-i386.iso to be my Datastore ISO file so I could boot the VM and get the install started.  You could probably get away with the net-install ISO, but this was an ISO I already had a copy of in my datastore. (Note: make sure you set the status of your virtual CD/DVD Drive to both Connected and Connected at power on)

Starting up the VM, I was greated with the OpenSUSE welcome screen.  Even though I have the full ISO downloaded, I like to do network based installs because the CD always seems to be missing a package or two that I’d like to install.  Also, since I’m doing very minimal installs, the download time required is pretty small.  So hit F4 to change your source and enter in the details of your preferred mirror and get the install going…

Installation Steps

1. Select your language
2. Accept the license agreement
3. Select New Installation (this will download lots of files the the online mirror you selected on the Welcome screen.  The downloads took about 3 minutes on my network)
4. Timezone: set your timezone and clock settings
5. Desktop Selection: I use “Other – Text Mode”
6. Installation Settings:
   1. Partitioning: for me, no changes
   2. Software: Since I’m only doing a base installation right now, no changes here
   3. Locale Settings: again, no changes
   4. Click Accept, and then confirm on the popup window that appears
7. Now you get to watch the installation process.  The 210 MB download and install took about 20 minutes for me.  After the install finishes, the system will automatically reboot.  If you want to create a virtual machine template, this is a great spot to do it, power off the virtual machine when it starts the boot up process.
8. Back in your VMWare Infrastructure Client, right-click on your guest, “OPENSUSE10.3″ in my case, and select “Convert to template…”
9. That’s all for Step 1, in Step 2 we’ll tackle the rest of the install for the LDAP server and Web server.

• Step 1 (you are here)
• Step 2 – Finalize the LDAP server
• Step 3 – Finalize the iFolder Web server

Recently I installed CentOS 5 as a guest host on my VMWare server to run a RoR development environment.  This the process I went through.  Much thanks to a post on the Rubyonrails.com wiki that got me going in the right direction.

CentOS 5

1. Download the NetInstall ISO of CentOS 5.2
2. I created my guest host using most of the basic Linux settings, 256 MB RAM and an 8GB hard drive (the great thing about VMWare is those values are so easy to change later
3. I set the VMWare configuration to boot off of the CentOS netinstall ISO and started it up
   1. I am installing the text version of CentOS only
   2. Select English language and US keyboard
   3. Installation source -> HTTP
   4. Enable IPv4 w/ DHCP was selected by default, I left that setting in place
   5. HTTP Setup
      1. Website Name: mirror.centos.org
      2. CentOS Directory: centos-5/5.2/os/i386
   6. Initialize the hard drive
   7. I selected “Remove all partitions on selected drives and create default layout” because I’m not that concerned with the specific directory structure and I can always add another virtual hard disk if I need more space.
   8. I got a memory warning that there isn’t a lot of memory on my machine, and a swap file is required right away.  I selected, “Yes”
   9. Use GRUB as the book loader
   10. I didn’t add any additional GRUB options or a GRUB password
   11. I left only my CentOS install as the only OS to attempt to boot
   12. Boot Loader goes in the MBR
   13. Configure the eth0 network interface = yes
   14. I turned off IPv6
   15. DHCP IP address
   16. Set my timezone
   17. Set the root password
   18. Software selection -> I selected “Customize Software Selection”
       1. Remove everything but Base
       2. Done
   19. Thanks to Comcast, my 540 MB netinstall took less than 10 minutes.
   20. Before you reboot your VM, edit the CD-ROM settings so it’s not connected and is set NOT to connect at power on.
   21. Reboot
   22. After the reboot completes, you will be prompted with some additional configuration options.  These are really up to you. I edited:
       1. The firewall settings, leaving it enabled, but opening ports 22, 80, 443, and 1900 (for RoR)
       2. Network settings to use a static IP address
       3. Some of the system services and turned off stuff I don’t need
   23. Login to localhost
   24. type, yum update, to get your system fully up to date
   25. There are a number of additional configuration steps to finish the CentOS install, but what exactly you do from here will be up to you.  I recommend at least creating a user so you can login as someone other than root, and update your SSH settings so that root cannot login.
   26. Next, I change from the VMWare console to an SSH client (keep in mind, that without completing your OS install properly you really are running the server at a greater risk level)…

Ruby on Rails

1. at the command prompt in your ssh client run, yum -y install ruby ruby-rdoc ruby-devel mysql-devel gcc
2. next run (check http://rubyforge.org/projects/rubygems/ for latest version), wget http://rubyforge.rubyuser.de/rubygems/rubygems-1.3.1.tgz
3. tar xzf rubygems-1.3.1.tgz
4. cd rubygems-1.3.1
5. ruby setup.rb
6. gem update –system
7. gem install mysql –no-rdoc –no-ri — –with-mysql-config=/usr/bin/mysql_config
8. gem install mongrel_cluster –no-rdoc –no-ri
9. /usr/sbin/adduser -r mongrel
10. mkdir /etc/mongrel_cluster
11. cp /usr/lib/ruby/gems/1.8/gems/mongrel_cluster-1.0.5/resources/mongrel_cluster /etc/init.d/
12. sudo chmod +x /etc/init.d/mongrel_cluster
13. /etc/init.d/mongrel_cluster start && /sbin/chkconfig mongrel_cluster on
14. mkdir /var/www
15. mkdir /var/www/apps

That should get you far enough to install your first Ruby on Rails app.  I’m sure I’ll follow up this post with more details about that part of the process.