Internet Express Version 6.
© Copyright 2007 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
About This Document This manual describes how to use the HP Internet Express for Tru64™ UNIX Administration utility to configure and manage Internet software components supplied with the product kit. Information on managing components that are not configured through the Administration utility is also included in this document, as well as information on managing user accounts.
Typographic Conventions
This document uses the following typographical conventions:
• %, $, or #: A percent sign represents the C shell system prompt. A dollar sign represents the system prompt for the Bourne, Korn, and POSIX shells. A number sign represents the superuser prompt.
• audit(5): A manpage. The manpage name is audit, and it is located in Section 5.
Other conventions used in this document: Command, Computer output, Ctrl+x, ENVIRONMENT VARIABLE, [ERROR NAME], Key Term, User input, Variable, [ ], { }, ..., |, WARNING, CAUTION, IMPORTANT, NOTE.
Related documents:
• Secure Web Server Administration Guide: This manual describes how to use the Secure Web Server Administration utility.
• Internet Services User's Guide: This manual explains how to get started with e-mail, the TIN news reader, and a Web browser using a character-cell terminal.
• Internet Monitor Administrator's Guide: This manual describes how to install, configure, and use the Internet Monitor software.
• QuickSpecs: This document is a specification of the Internet Express product.
Reading Documentation from the Internet Express CD-ROM
You can also access the Documentation Bookshelf on the Internet Express Installation and Documentation CD-ROM from your Tru64 UNIX System or a PC. The documentation is available in the following formats:
• HTML
• Portable Document Format (PDF)
On a Tru64 UNIX System
To read the documentation from the Internet Express Installation and Documentation CD-ROM on an AlphaServer system, follow these steps:
1. Log in to your system as root.
2.
You can also define the man command's MANPATH environment variable on the command line or in a file, such as your .profile file or .login file.
1 Using the Administration Utility The Administration utility for Internet Express helps you manage Internet services and the AlphaServer system through a Web browser. Because you use a browser to perform these tasks, you are not expected to be familiar with Tru64 UNIX. The Administration utility is a set of CGI programs that use a configured instance of the Secure Web Server (powered by Apache) on port 8081.
1.1 Using the Administration Utility Main Menu Figure 1-1 shows the Administration utility for Internet Express Main Menu. Figure 1-1 Administration Utility Main Menu Table 1-1 shows which selection to make from the Administration utility Main menu, depending on the task you want to perform. Note: The availability of certain administration tasks depends on the Internet Express components installed on your system.
Table 1-1 Administration Utility Menu Options and Tasks (continued) Menu Options Tasks Samba File and Print Server administration (Chapter 14) InterNetNews (INN) administration (Chapter 15) Internet Relay Chat (IRC) Server administration (Chapter 16) PostgreSQL account administration (Chapter 17) MySQL account administration (Chapter 17) BIND domain name server (Chapter 18) Install/Remove Components Install or remove components (Section 1.6: Installing and Removing Components).
Figure 1-2 Sample Administration Utility Form Every Administration utility form has the following properties: • A navigation bar at the top of the form (Section 1.1.
set during installation). To change the password for the Internet Express Administration utility, see Chapter 7. Note: The Secure Web Server is initially configured to allow access to the Internet Express Administration utility from the local system only. To allow access from remote systems, see the Secure Web Server Administration Guide. Table 1-2 summarizes the ports on which the administration accounts are installed by default, and shows the URLs for accessing these accounts.
Note: If the locker account exists from a previously installed version of Internet Express, the iass account is set up as an alias for the locker account. 1.4 Accessing and Managing the Internet Monitor The HP Internet Monitor software allows administrators to monitor Internet services running on a Tru64 UNIX system. The Internet Monitor product can be accessed directly or from the Administration utility for Internet Express. To access the Internet Monitor from the Administration utility: 1.
subsequent actions to affect the selected member. The instances where this is the case include the following:
• Tuning the kernel for Internet services
• Installing and managing FireScreen
• Displaying the mail log file
• Shutting down or rebooting the operating system
1.6 Installing and Removing Components You can use the Administration utility to add new Internet components or remove previously installed components, as well as include your own component on the Manage Components menu.
Figure 1-3 Manage Components Menu 1.7 Accessing Web-Based System Management Tools This section describes the system management options available from the Internet Express Administration utility. From the Administration utility Manage Components menu, you can: • Link to the sysman Web-based management utility to perform Web-based system management (Section 1.7.
1.7.1 Performing Web-Based System Management From the Administration utility Manage Components menu, you can link to the sysman Web-based management utility to perform a variety of system management tasks such as shutting down and rebooting the system, and managing local printers. Follow these steps to access the sysman Web-based management utility: 1. Under System on the Manage Components menu, choose Web-Based Management. 2. From the Web-Based Management menu, click on the link for the sysman utility.
Note: Because AlphaServer configurations differ, and a recommended value might not provide optimal performance for all configurations, exercise caution when modifying attribute values.
• Current—Sets both the Run-Time Value and Boot-Time Value to the run-time value the attribute had when the form was initially displayed.
• Default—Sets both the Run-Time Value and the Boot-Time Value to the default setting for the attribute.
5. To set the attribute values as shown on the form, click on Submit.
2 Where to Find More Information This chapter contains a list of Web sites and other information sources that are relevant to the administration of Internet Express for Tru64 UNIX. The list includes links to Web sites dealing with Internet Express products and services, and system security, as well as links to commercial and nonprofit organizations on the World Wide Web that might be of interest. Note: The URLs and contents of sites listed here are subject to change.
expect http://expect.nist.gov/ expect is a tool for automating and testing interactive applications, such as telnet, FTP, passwd, fsck, rlogin, tip, and so on. Exploring Expect: A Tcl-Based Toolkit for Automating Interactive Applications (ISBN 1-56592-090-2), written by Don Libes and published by O'Reilly & Associates, is an excellent source of information. The expect homepage provides access to FAQs, examples, contributed scripts, and software. Firefox http://www.mozilla.
INN Server http://www.isc.org/index.pl?/sw/inn/ InterNetNews (INN) is a complete usenet system that provides tools to manage newsfeed services, including connections to external newsfeed configurations and control of client access to newsgroups. The Internet Software Consortium homepage for the INN server provides release notes and access to the latest kit.
OpenLDAP http://www.openldap.org The Lightweight Directory Access Protocol (LDAP) is an Internet standard directory service protocol that runs over TCP/IP. It can be used to provide a standalone directory service or to provide lightweight access to the X.500 directory. The OpenLDAP Project is a collaborative effort to provide a robust, commercial-grade, fully featured, and open source suite of LDAP applications and development tools.
The Internet Express kit includes PostgreSQL documentation in the source tar files on the Internet Express “Installation and Documentation” CD-ROM. Documentation is also available from the PostgreSQL Web site. Procmail Mail Filtering Language http://www.procmail.org/ ftp://ftp.procmail.org/pub/procmail/ The Procmail mail filtering language, written by Stephen van den Berg of Germany, lets you filter hundreds or thousands of incoming mail messages per day according to a predefined set of rules.
Apache Struts is a free open-source framework for creating Java web applications. TCP Wrapper ftp://ftp.porcupine.org/pub/security/index.html TCP Wrapper intercepts an incoming network connection and verifies that the connection is allowed before passing the connection to the network daemon. TCP Wrapper is configured through the /etc/hosts.allow file. The FTP archive of the Mathematics and Computing Science Department of Eindhoven University of Technology (the Netherlands) contains TCP Wrapper kits.
CERT works with the Internet community to facilitate the community's response to security events involving hosts, takes proactive steps to improve the community's awareness of security issues, and conducts research aimed at improving the security of existing systems. CERT services include a 24-hour hotline for responding to security incidents, product vulnerability assistance, and technical documentation and tutorials. CIAC http://www.ciac.
Encompass, formerly DECUS (US Chapter), is an association of information technology professionals who share a common interest in the products, services, and technologies of Hewlett-Packard Company. From their homepage, you can find connections to member services, local user groups, training, events, and publications.
3 User Administration The Manage Users menu lets you perform a variety of user account management functions. To access this menu: 1. From the Internet Express Administration Utility Main menu, choose Manage Components. The Manage Components menu is displayed. 2. From the Manage Components menu, under Users, choose Manage Users. The Manage Users menu is displayed (Figure 3-1).
• Change an account's password (see Section 3.9: Changing the Password for an Account)
• Change an account's mail service (see Section 3.10: Changing Mail Services for Users)
• Manage the iass account (see Section 3.11: Managing the iass Account)
• Allow users to self-manage their accounts (see Section 3.12: Managing the User Self-Administration Feature)
3.
Note: Whenever you use the Administration utility to manage user accounts, you may see a message displayed in a box titled Security Information warning you that some unencrypted information may be transmitted over the network. Click on Continue to continue the operation. You can temporarily disable this message by clearing the checkmark in front of Show This Alert Next Time.
3.1.4 Searching for User Accounts Several user management tasks (such as displaying or deleting user accounts or changing groups) require you to select the user accounts on which you want to operate. The Administration utility allows you to search for user accounts, using one or more of the following search criteria:
• Name Pattern
• Group
• Mail Service
If you select more than one search criterion, the logical operator AND is applied to the criteria.
Figure 3-3 Selecting User Accounts To return the criteria in the User Account Selection Criteria frame to their default values, click on Reset. If you do not clear or reset the previous choices, they remain in effect to be used in a subsequent query. You can omit an individual selection criterion from subsequent queries by turning off its associated checkbox. 3.1.5 Assigning Users to Groups When you create a user account, you can assign the user to from one to four logical categories called groups.
secondary groups by selecting more than one group from the list box. (If you select more than four groups, the user is assigned to only the first four groups, starting at the top of the list.) For captive Internet Express users, group assignment is optional. You can select up to four groups to associate with an Internet Express user account.
Check this checkbox when you want to store this user account information in the LDAP directory server. 9. Click on Submit. Figure 3-4 shows the Create Named User Account form. Figure 3-4 Creating a Named User Account When the captive account for the named user is successfully added to the system, the Administration utility displays information about the account on a confirmation page. 3.
8. Check this checkbox when you want to store this user account information in the LDAP directory server. Click on Submit. Figure 3-5 shows the Create Generic User Accounts form. Figure 3-5 Creating Generic User Accounts For example, suppose you specify guest as the prefix and 3 as the number of users. If no existing user name matches the specified prefix (guest), the Administration utility creates accounts for guest1, guest2, and guest3.
5. Optionally, you can: • Specify and verify the user password (see Section 3.1.2: Assigning Passwords to User Accounts). If you do not specify a password, the system generates one. • Specify a user identifier (UID). You can enter a UID greater than 105 (up to the maximum UID value available on the system), but if you leave the user ID field blank, the Administration utility assigns the next available UID from the list maintained in the /etc/passwd file.
Figure 3-6 Creating a System User Account 3.5 Creating Groups To create a user group, follow these steps: 1. From the Manage Users menu, choose Create Groups. 2. On the Create Groups form, enter the name of the new group you want to create in the Unique Group Name field. (The names of existing groups are displayed in the Available Groups list box as a convenience.) Use only alphabetic, numeric, or combinations of alphabetic and numeric characters.
Note: On a system using the Network Information Services (NIS), you cannot create a group name that conflicts with an NIS group name even if that name does not exist in your local /etc/group file. Figure 3-7 Creating Groups 3.6 Displaying User Account Information You can display user account information for any number of selected users. (See Section 3.1.4: Searching for User Accounts for instructions on searching for users.
Figure 3-8 Displaying User Account Information Note: On a system using the Network Information Services (NIS), the names of UNIX system accounts (or groups) are not displayed in the User Account Names (or User Account Groups) list box, nor will any NIS user information be included in the output when you click on Submit. 3.7 Deleting User Accounts You can deny a user access to the system by deleting a user's account.
• Click on one or more names from the User Account list and click on Display Selected.
• Click on Display All to select all the names in the User Account list box.
4. The Delete User Accounts form shows the login name, UID, primary group and login directory for each user you selected. To remove a user's home directory when the account is deleted, click on the checkbox in the Remove Directory column. (By default, a user's home directory remains on the system after the account is deleted.
3. Use one of the following methods to select user accounts:
• Click on one or more names from the User Account Selection List and click on Display Selected.
• Click on Display All to select all the names in the User Name list box.
4. The Change User Secondary Groups form shows the current group assignments for the selected users. In the Secondary Groups list box, click on one or more secondary groups to which the selected users are to be assigned. (See Section 3.1.
4. Enter the new password for the selected account in the New Password field, and again in the Verify Password field. If you make a mistake, click on Clear. Passwords must conform to the conventions described in Section 3.1.2: Assigning Passwords to User Accounts. If you want the Administration utility to generate a password for you, leave these fields blank. 5. Click on Submit to change the password.
• Cyrus IMAP with Password (see Section 3.10.4: Assigning Cyrus IMAP with Password Mail Service)
• APOP (see Section 3.10.5: Assigning APOP with Password Mail Service)
3.10.1 Assigning Regular Delivery Mail Service With regular delivery, mail is delivered into the /var/spool/mail directory.
6. Optionally, you can select additional user accounts and modify their mail delivery methods by choosing User Account Selection from the navigation bar.
7. When finished, use the navigation bar at the top of the form to return to the Manage Users menu or the Home menu.
3.10.3 Assigning the Cyrus IMAP Mail Service To assign the Cyrus IMAP service to the users you selected, follow these steps: 1. From the Change User Account Mail Service form, choose Cyrus IMAP from the Mail Service menu. 2.
7. Optionally, you can select additional user accounts and modify their mail delivery methods by choosing User Account Selection from the navigation bar.
8. When finished, use the navigation bar at the top of the form to return to the Manage Users menu or the Home menu.
3.10.5 Assigning APOP with Password Mail Service You can set up selected users to use POP mail with an encrypted password (using MD5 encryption).
3.11.2 Managing the .users.list File The file ~iass/.users.list contains the account names and passwords of users. From the Manage the .users.list file menu, you have the following options: • List User Accounts and Passwords (see Section 3.11.2.1: Listing User Accounts and Passwords) • Purge Passwords for User Accounts (see Section 3.11.2.2: Purging Passwords for User Accounts) • Remove the .users.list file (see Section 3.11.2.3: Removing the .users.list File) 3.11.2.
Note: In order to administer the User Self-Administration feature, you must have a public Web server instance installed. Without a public Web server instance, the Manage User Self-Administration link will not appear on the Manage Users menu. This section describes how to perform the following tasks: • Enable (or disable) the User Self-Administration feature (Section 3.12.1: Enabling and Disabling the User Self-Administration Feature) • Modify the Web server configuration (Section 3.12.
Figure 3-11 Manage User Self-Administration Menu 2. From the Manage User Self-Administration menu, choose Enable/Disable User Self-Administration. The Administration utility displays the current status allowing you to enable or disable user self-administration, depending on which is appropriate. Figure 3-12 shows a page where the User Self-Administration feature is disabled. 3. Click on Enable to enable user self-administration. Once this feature has been enabled, the Enable button changes to Disable.
1. From the Configure Web Server for User Self-Administration form, select an SSL virtual host from the list box.
2. Enter an alias name or accept the default name. (The alias name is used to access the self-administration pages.) The alias name should begin and end with a slash (/). For example, if you set the virtual host to _default_:443 and the alias name to /SelfAdmin/, the administration pages will be accessed by https://hostname/SelfAdmin/login.php.
3. Click on the Submit button.
1. From the Manage User Self-Administration menu, choose Modify Web Server Configuration.
2. Select a Virtual Host from the list of virtual hosts or click on Remove Configurations to remove all user self-administration configurations from the httpd.conf file (Figure 3-14: Modify Web Server Configuration Page). When you select a virtual host, it must be configured on your system. See Section 3.12.1.1: Enabling User Self-Administration When No Web Server Configuration Exists for more information.
3.12.4 Managing User Self-Administration Groups The User Self-Administration feature is organized in different groups that can be enabled and disabled independently. User self-administration groups contain the following elements: • ID – A unique, short word used to identify a group. • Description – Information used as menu item text and as page headers. • Main Page – Information that identifies the file to which the user's main menu provides a link.
Figure 3-16 Adding Groups 3.12.4.2 Deleting and Modifying Groups To modify the properties for an existing group or delete an existing group: 1. From the Manage User Self-Administration menu, choose Manage Groups. The Manage Groups form is displayed. Existing groups are listed in the Existing Group Descriptions field. 2. Select the group you want to delete or modify from this list. • To delete a group, click on the Delete button.
3.12.5 Customizing the User Self-Administration Feature You can add functionality to allow users to make changes to other user account information. The Administration utility allows users to change their passwords and use a vacation mail service. Note: Changes to the vacation mail service can be made only if you have installed the Procmail subset (IAEPROC). To add functionality, you should create a new group for each menu item to be added to the user's main menu page (see Section 3.12.
4 User Authentication The Internet Express Administration utility lets you set up and manage user authentication with the LDAP Module for System Authentication, which serves as a central repository of user information for identifying and authenticating individual users. This chapter describes the following:
• Section 4.1: Managing the LDAP Module for System Authentication
• Section 4.6: Overview of the LDAP Client
4.
4.1.1 Default Configuration for the LDAP Module for System Authentication Internet Express configures the security matrix in the /etc/sia/matrix.conf file to use the LDAP Module for System Authentication. The security matrix consists of a list of security-related system calls and the library to be used for each call. As shown in Example 4-1, the siad_ses_authent and siad_ses_estab calls are configured to use the libsialdap.so library first.
Figure 4-1 LDAP Caching Daemon (diagram; components shown: program, libc.so getpwent, SIA library, SIA/LDAP plug-in library, socket controlled by maximum threads, caching daemon (ldapcd), cache controlled by expire entries and expire cache, network connection controlled by active connections, LDAP directory server)
Configuration information used by the LDAP caching daemon and the provided tools comes from the configuration file /etc/ldapcd.conf.
Example 4-2 LDAP Caching Daemon Configuration File
#
# directory server and port, active ldap connections cached
# by the daemon, max worker threads started
#
directory: host.xyz.
service), set the maximum number of threads to 64 or greater (if your system has sufficient memory). The value of pw_cachesize determines how many individual passwd entries are allowed to be cached. The value of pw_expirecache determines the maximum length of time that the ldapcd caching daemon will check the cache for an individual passwd entry. When the value of pw_expirecache is exceeded, the ldapcd daemon returns to the server to look for the requested passwd entry.
/usr/local/bin/ldapmodify -add \
    -D "machine_dn" -w "machine_pass" \
    -f file
5. Verify that the accounts branch works by entering the following command, substituting the values you found in step 1 for searchbase, machine_dn, and machine_pass:
/usr/local/bin/ldapsearch \
    -D "machine_dn" -w "machine_pass" \
    -b "searchbase" \
    ou=accounts
6. Use the Administration utility (or manually edit the /etc/ldapcd.
Example 4-3 shows sample user and group object class definitions.
Example 4-3 Sample RFC 2307 User and Group Object Class Definitions
#
# Partial RFC 2307 schema.
#
# The OIDs are derived from iso(1) org(3) dod(6)
# internet(1) directory(1) nisSchema(1).
#
# Attribute types from RFC 2307
#
attribute uidNumber      1.3.6.1.1.1.1.0
attribute gidNumber      1.3.6.1.1.1.1.1
attribute gecos          1.3.6.1.1.1.1.2
attribute homeDirectory  1.3.6.1.1.1.1.3
attribute loginShell     1.3.6.1.1.1.1.4
attribute memberUid      1.3.6.1.1.1.1.
Table 4-1 LDAP Database Index Types (continued)
Index Type: Description
sub: Substring index. Allows for searches that return entries containing a specified substring.
matching rule: International index. Allows for searches that return entries that are sorted according to a specified collation order.
4.1.4.1 Adding Indices for OpenLDAP To index attributes for your directory server using OpenLDAP, follow these steps:
1. Shut down slapd using the following command:
# /sbin/init.d/openldap stop
2.
3.
Notes: After you configure the LDAP Module for System Authentication, you must import users (unless you are using an existing LDAP server). For instructions on importing or exporting users and groups to and from the LDAP directory server, see Section 4.3: Importing and Exporting Users from /etc/passwd. Statically linked clients and executables (which do not use shared libraries) cannot take advantage of the LDAP Module for System Authentication loadable architecture.
For the OpenLDAP Directory Server, the installation procedure initially sets the Root Distinguished Name to cn=root,o=. The OpenLDAP Directory Server uses the password specified to access the iass login account and the administration servers for the initial Root DN Password. The System Name is the name of the system on which the LDAP directory server is running or a comma-separated list of names of systems on which replicated directory servers are running.
The Password Branch Name field is used as the starting point in the LDAP directory for password entries. Branches are used to partition a directory into smaller, easier to manage sections and are not required. The remaining fields allow you to change the name of the LDAP attribute within the Object Class selected for the Password structure. The name of each attribute must be a member of the object class specified in the Object Class Name field.
The remaining fields allow you to change the name of the LDAP attribute within the Object Class selected for the Group structure. The name of each attribute must be a member of the object class specified in the Object Class Name field. • The Group Name field represents the name of the LDAP attribute to be used within the Group Object Class to store the name of a UNIX user group. The default value is cn.
4.3.1 Importing Users into the Directory Server To import users from the /etc/passwd file and store them in the LDAP database, follow these steps: 1. Configure the LDAP server to use extended LDAP schema for UNIX account information (see Section 4.1.3: Extended LDAP Schema for UNIX Account Information). 2. Verify through either of the following methods that the server is running and that you can connect to it: • Use the Test the LDAP Configuration function in the Administration utility (see Section 4.2.
4.3.5 Access Control By default, users defined in the LDAP database are able to log into every system which uses that database in conjunction with the LDAP Module for System Authentication. If you want to limit user access to specific systems, use the access control files /etc/ldapusers.deny and /etc/ldapusers.allow. A default /etc/ldapusers.deny file is provided at installation time. Included are all of the standard system users: root, bin, daemon, and so on.
Table 4-2 LDAP Database Utilities (continued)
Program Name: ldap_del_user
Options:
-b branch – Branch to delete users from.
-f input-file – Specifies an input file containing login names.
-n – Do not submit.
-v – Verbose output.
Description: Deletes a user from the LDAP directory server. You can specify users on the command line, in a file, or from stdin (with -f -).
Table 4-2 LDAP Database Utilities (continued)
Program Name: ldap_get_group
Options:
-b branch – Branch to get groups from.
-f output-file – Specifies the name of the output file in which to store search results (the default is stdout).
-s searchfilter – Specifies an optional LDAP group search filter.
Description: Gets group entries from the LDAP directory server. By default, selects all groups on the default group branch or search base. Use the -s option to select a subset of groups.
Note: If any of the LDAP servers specified in the ldapcd.conf file fail the verification, the remaining servers are not checked and the entire verification fails.
• Verifies that the search base (the top-level directory for searches) exists
• If specified, verifies that user and group branches exist (see Section 4.1.
If a problem is encountered when adding a user to the LDAP database, the ldap_add_user utility returns an exit code greater than 0. For a description of the options you can use with this utility, see Table 4-2.
To add one or more users from a file:
ldap_add_user -f input-file
To add one or more users from stdin:
cat filename | ldap_add_user -f -
Note: The input must be in passwd(4) format.
4.4.
ldap_get_user -S filter
For example, a search filter might look like the following:
uid=bjensen
(&(uidNumber>=10)(uidNumber<=20))
Note: You must quote the filter string according to your shell.
To retrieve a range of users (where start is the starting UID in the range and end is the optional ending UID in the range):
ldap_get_user -R start[-end]
If you do not specify end, the search retrieves all users from the starting UID through the highest UID in the LDAP directory server.
Note: The input must be in group(4) format. 4.4.8 Maintaining Group Membership Use the ldap_mod_group utility to add or remove users from groups in the LDAP database. The ldap_mod_group utility adds the specified login names to the specified group as group members. Use the -r option to remove the specified login names from the group member list. If a problem is encountered when modifying group membership in the LDAP database, the ldap_mod_group utility returns an exit code greater than 0.
Note: In the following examples, the -b branch and -f input-file options (which are not shown) can also be used.
To use a search filter to find groups:
ldap_get_group -s filter
To use a search filter with object class restrictions added to the search:
ldap_get_group -S filter
A search filter might look like the following:
gid=staff
(&(gidNumber>=10)(gidNumber<=20))
Note: You must quote the filter string in accordance with your shell.
Note: Whenever you enable or disable the LDAP Module for System Authentication, you must reboot the system. Otherwise, some applications (such as cron and Advanced Server for UNIX) will not detect the change in authentication method. 4.5 Maintaining the LDAP Directory Server Using LDAP Commands You can use LDAP commands (instead of the LDAP utilities supplied with Internet Express) to formulate different queries than those provided by the Internet Express LDAP utilities.
mail=shmoe@fac.digieng.com
uid=jshmoe
title=Process Engineer
For more information, see ldapmodify(1).
4.6 Overview of the LDAP Client
This section provides a summary of the LDAP client functionality and related files.
4.6.1 Actions Performed by the LDAP Client
The LDAP client daemon does the following when started:
• Updates the /etc/sia/matrix.conf file to include the LDAP Security Integration Architecture (SIA) mechanism.
If the /etc/ldapusers.allow file exists on a system, only users listed in that file are allowed to log in using LDAP authentication. Note that this is true even if /etc/ldapusers.allow is empty. The existence of this file invokes the stricter access control rules. Additional considerations related to the /etc/ldapusers.deny and /etc/ldapusers.allow files include the following:
• If the /etc/ldapusers.allow file is not present, then all the users except for those in /etc/ldapusers.
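The allow/deny decision described in Section 4.3.5 and above, as an added example that is not part of Internet Express: the function names and the constructed file contents are assumptions, and how a login name listed in both files is treated is not stated in the text, so this example treats it as denied.

```python
"""Models the /etc/ldapusers.allow and /etc/ldapusers.deny rules described
above. Added example, not Internet Express code: function names and the
constructed file contents are assumptions."""
from typing import Optional, Set


def parse_user_list(text: Optional[str]) -> Set[str]:
    """Parse one access-control file: one login name per line; blank lines
    and '#' comments are ignored. None stands for a file that does not exist."""
    names: Set[str] = set()
    if text is None:
        return names
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            names.add(line)
    return names


def ldap_login_permitted(user: str, allow_text: Optional[str],
                         deny_text: Optional[str]) -> bool:
    """Decide whether `user` may log in through LDAP authentication.

    allow_text / deny_text hold the contents of /etc/ldapusers.allow and
    /etc/ldapusers.deny, or None when that file is absent.
    - If ldapusers.allow exists, only the users listed in it are permitted;
      an empty allow file therefore permits nobody.
    - Otherwise every user except those listed in ldapusers.deny is permitted.
    A name that appears in both files is treated as denied (assumption of
    this example; the rules above do not spell out that case).
    """
    if user in parse_user_list(deny_text):
        return False
    if allow_text is not None:
        return user in parse_user_list(allow_text)
    return True


# Constructed sample: the default deny file lists the standard system users.
DEFAULT_DENY = "root\nbin\ndaemon\n"

if __name__ == "__main__":
    for name in ("root", "alice"):
        print(name, "permitted" if ldap_login_permitted(name, None, DEFAULT_DENY)
              else "denied")
```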
5 Mail Delivery Administration
Using the Internet Express Administration utility, you can manage the following delivery components:
• Sendmail Mail Transport Agent for sending, distributing, and delivering mail (Section 5.1: Sendmail Server Administration).
• Majordomo mailing list administrator to create and maintain mailing lists (Section 5.2: Majordomo Mailing List Administration).
• Mailman mailing list management system (Section 5.3: Mailman)
• Bogofilter to filter spam (Section 5.
— Configure MILTER (Sendmail Server/Using Open Source Configuration Rules only) (see Section 5.1.4.8: Configuring Mail Filters (MILTER))
— Configure Queues (Sendmail Server/Using Open Source Configuration Rules only) (see Section 5.1.4.9: Configuring Queues)
— Configure Queue Performance (Sendmail Server/Using Open Source Configuration Rules only) (see Section 5.1.4.
1. Under Mail on the Manage Components menu, choose Sendmail Server.
2. From the Sendmail Server Administration menu, choose Configure Sendmail Server.
3. From the Configure Sendmail Server menu, choose Server and click on Configure.
4. On the Configure Server form, you must first configure the Internet Mail Protocol (SMTP). The first time you configure your system as a mail server, the Available Protocols menu offers only the Internet Mail Protocol.
and the host alias—as synonyms for this system. You can also use host aliases to allow Sendmail to recognize all the system's network interface names as synonyms for this system. If you configured your system to be a mail server, you can use the Administration utility to create one or more host aliases for any protocol you configure for the server. (You can also create one or more host aliases for your system when you initially configure it as a mail server; see Section 5.1.
• Configure MILTER (Sendmail Server/Using Open Source Configuration Rules only) (see Section 5.1.4.8: Configuring Mail Filters (MILTER))
• Configure Queues (Sendmail Server/Using Open Source Configuration Rules only) (see Section 5.1.4.9: Configuring Queues)
• Configure Queue Performance (Sendmail Server/Using Open Source Configuration Rules only) (see Section 5.1.4.
5.1.4.1.2 Configuring the MTS Protocol To configure the MTS protocol for the Sendmail server, complete the Configure MTS Protocol form as follows: 1. Create one or more pseudo domain aliases, if needed (see Section 5.1.4.1.1: Creating and Deleting Pseudo Domain Aliases). 2. Create one or more host aliases, if needed (see Section 5.1.3.1: Creating and Deleting Host Aliases for a Mail Server). 3. Select one of the following routing methods: • Internet—Forwards mail over the Internet to an unspecified gateway.
5. Enter the name of the relay system in the Relay Hostname field. You can enter from 1 to 21 alphanumeric characters (including special characters). The name cannot start or end with a hyphen (-).
6. Select the relay protocol (the protocol that will be used to forward mail to the relay) from the Relay Protocol pull-down menu. SMTP is the default.
7. Enter the DECnet node address (area.node) for this server in the Node Address field; for example, 32.958.
7. Click on Submit. A message is displayed indicating that the changes have been accepted. Click on Continue to return to the Configure Sendmail Server form. If an error occurs, use the navigation bar to return to the Configure DNET5 Protocol form. 8. On the Configure Server form, you can select another protocol to configure. If you are finished configuring protocols, click on Submit. A message is displayed confirming that the configuration was successful, and that the Sendmail server has been restarted.
• Internet—Forwards mail over the Internet to an unspecified gateway. Internet routing depends on BIND/DNS to select an appropriate relay; therefore, you do not need to specify a relay host name for Internet routing.
• Direct—Sends mail directly to the addressee. This option is not displayed if the X.25 protocol is not installed on this server.
• Relay—Forwards mail to another system (called the relay host) for processing.
4.
Figure 5-1 Configure Masquerading Form
5.1.4.2.2 Users Automatically Excluded from Masquerading
The following users are always excluded from masquerading (whether or not you explicitly specify them in the Excluded Users List field or in the Excluded Users File):
• root
• postmaster
• news
• uucp
• mailer-daemon
• rdist
• nobody
• daemon
• pop
• imap
5.1.4.2.3 Configuring Your System for Masquerading
To configure your system for masquerading, follow these steps:
1.
Note: You must specify an entry in the Masquerading Hosts/Domains List field if you intend to exclude host aliases from masquerading (see step 8) or if you want to enable masquerading for subdomains (see step 9). You must specify to Sendmail the hosts and domains you want to masquerade (since the local host name and local aliases will be excluded). 4.
10. To masquerade the envelope addresses, check Enable Masquerading for the Envelope. By default, the header addresses are masqueraded; however, by checking this item, the envelope addresses are also masqueraded. 11. Click on Submit to change the server configuration (or click on Cancel to cancel the changes and return to the Configure Sendmail Server menu).
1. Under Mail on the Manage Components menu, choose Sendmail Server.
2. From the Sendmail Server Administration menu, choose Configure Sendmail Server.
3. On the Configure Sendmail Server menu, make sure that Server is selected and click on Configure.
4. From the Configure the Sendmail Server menu, choose Configure Virtual Domains.
5. On the Configure Virtual Domains form, set the Use Virtual Domains checkbox to enable virtual domains.
3. On the Configure Sendmail Server menu, make sure that Server is selected and click on Configure.
4. From the Configure Sendmail Server menu, choose Enable/Disable Procmail.
5. On the Enable/Disable Procmail form, if Procmail is not currently enabled, click on Enable. Otherwise, click on Disable. The Administration utility displays a message confirming that the configuration has been changed, and indicates that the Sendmail server has been restarted.
• In the Relaying Domains List field, specify the list of domain names or IP addresses to and from which your Sendmail server is allowed to transmit messages. Separate entries in this field with blank spaces.
• If you have a file containing the domain names and IP addresses to which you want to restrict relaying, enter the full pathname for the file in the Relaying Domains File field.
• Set the Allow Relaying from Any Host in Local Domain checkbox to allow any host in your domain to relay.
• Reject mail from specific domains and addresses (RHS: REJECT or a specific error message)
• Accept mail even though it might be rejected by subsequent checks (RHS: OK)
• Permit mail to be relayed (RHS: RELAY)
The access database uses e-mail addresses, domain names, and network numbers as keys, and uses values to indicate how the Sendmail server should handle mail based on these keys. Example 5-2 shows the syntax of entries in an access database.
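How the three kinds of key are looked up and what the RHS values mean, as an added example that is not Sendmail or Internet Express code: the table contents and function names are constructed, and the lookup walks the full address, then the host name and its parent domains, then shorter network-number prefixes, as Sendmail does.

```python
"""Lookup modelled on the Sendmail access database described above (keys:
e-mail addresses, host/domain names, network numbers; values: OK, RELAY,
REJECT or an error message). Added example, not Sendmail code; the table
contents and function names are constructed for illustration."""
from typing import Dict, Iterator, Optional, Tuple

# Constructed sample in the text form that makemap reads (before hashing).
SAMPLE_ACCESS_DB = """\
# sender addresses and domains we refuse
spammer@example.net    REJECT
cyberspammer.com       550 We do not accept mail from spammers
# a domain whose mail is accepted even if later checks would reject it
sendmail.org           OK
# hosts on our own network (128.32.0.0/16) may relay through us
128.32                 RELAY
"""


def parse_access_db(text: str) -> Dict[str, str]:
    """Parse the access database text: key, whitespace, value; '#' comments
    and blank lines are skipped. Keys are lower-cased, as makemap does."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"access db line without a value: {line!r}")
        table[parts[0].lower()] = parts[1].strip()
    return table


def candidate_keys(item: str) -> Iterator[str]:
    """Yield lookup keys from most to least specific, the way Sendmail walks
    the table: the full e-mail address first, then the host name and each of
    its parent domains; for a dotted-decimal address, one trailing octet is
    dropped at a time so that the key '128.32' covers 128.32.x.y."""
    item = item.lower()
    if "@" in item:
        yield item
        item = item.rsplit("@", 1)[1]
    labels = item.split(".")
    if labels and all(label.isdigit() for label in labels):
        for n in range(len(labels), 0, -1):
            yield ".".join(labels[:n])
    else:
        for i in range(len(labels)):
            yield ".".join(labels[i:])


def access_decision(table: Dict[str, str],
                    item: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (matched_key, value) for an address, host name or IP address,
    or (None, None) when no entry applies and Sendmail's default policy
    (accept for local recipients, no relaying) is used."""
    for key in candidate_keys(item):
        if key in table:
            return key, table[key]
    return None, None


def is_relay_permitted(table: Dict[str, str], client: str) -> bool:
    """Relaying is granted only by an explicit RELAY entry; OK only accepts
    mail for local delivery and does not by itself allow relaying."""
    return access_decision(table, client)[1] == "RELAY"


if __name__ == "__main__":
    table = parse_access_db(SAMPLE_ACCESS_DB)
    for item in ("user@mail.cyberspammer.com", "128.32.4.5", "128.33.4.5"):
        print(item, "->", access_decision(table, item))
```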
Figure 5-2 Configuring an Access Database
6. On the Configure Access Database form, set the Use Access Database checkbox to enable access database lookups. (You can turn off this checkbox to disable database lookups while retaining the access database configuration.)
7. Enter the complete pathname for the access database you created but do not include the extension. (The default pathname is /var/adm/sendmail/accessdb.
If there were any errors in the configuration, the Administration utility displays a list of the errors. 12. To block incoming mail for certain recipient user names, host names, or IP addresses, return to the Configuring Relaying page (Section 5.1.4.6.1: Configuring Relaying) and set the Check for Blacklist Recipients in Access Database checkbox. 5.1.4.6.
attributes. Use a space to separate attributes. The ldapsearch command returns all the attributes that it can successfully populate. For example:
mailForwardingAddress mail uid
If both a mailForwardingAddress and a mail attribute exist, it returns both. Each one is then treated as a separate address and processed individually. This field corresponds to the -v option in the K line in sendmail.cf.
10.
Socket: inet:1066@myhost.com,T=C:5m;S:10s;R:10s;E:5m
In this example, a network (inet, IPv4) socket on port 1066 of myhost.com is accessed, with the default timeouts defined.
Timeout Field – Description – Default Timeout
E – The overall timeout from sending end of message to filter to the final end of message reply. – 5 minutes
R – The timeout for reading a reply from the filter. – 10 seconds
S – The timeout for sending information from the mail transfer agent to a filter. – 10 seconds
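A parser for the Socket field format shown above, as an added example that is neither Internet Express nor Sendmail code: the function names are assumptions and the default timeouts are those listed in the table; it also accepts local:/path sockets and rejects unknown fields so that a typo cannot silently leave a filter without its timeouts.

```python
"""Parser for the MILTER Socket field shown above: a socket specification,
optionally followed by ',T=' and the C/S/R/E timeouts. Added example, not
Internet Express or Sendmail code; function names are assumptions and the
default timeouts are taken from the table above."""
import re
from typing import Any, Dict

# Defaults in seconds: C (connect) and E (end of message) 5 minutes,
# S (send to filter) and R (read reply) 10 seconds.
DEFAULT_TIMEOUTS: Dict[str, int] = {"C": 300, "S": 10, "R": 10, "E": 300}
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_interval(text: str) -> int:
    """'5m' -> 300, '10s' -> 10; a bare number is taken as seconds."""
    match = re.fullmatch(r"(\d+)([smhdw]?)", text.strip())
    if not match:
        raise ValueError(f"bad interval: {text!r}")
    return int(match.group(1)) * _UNITS[match.group(2) or "s"]


def parse_milter_socket(spec: str) -> Dict[str, Any]:
    """Split 'family:address[,T=F:interval;...]' into its parts.

    inet:port@host and inet6:port@host describe a network socket;
    local:/path (or unix:/path) describes a UNIX-domain socket.
    Unknown families, options or timeout fields raise ValueError rather
    than being ignored.
    """
    socket_part, _, options = spec.partition(",")
    family, _, address = socket_part.strip().partition(":")
    family = family.lower()
    result: Dict[str, Any] = {"family": family,
                              "timeouts": dict(DEFAULT_TIMEOUTS)}
    if family in ("inet", "inet6"):
        port, _, host = address.partition("@")
        if not port.isdigit() or not host:
            raise ValueError(f"bad {family} socket: {address!r}")
        result["port"], result["host"] = int(port), host
    elif family in ("local", "unix"):
        if not address.startswith("/"):
            raise ValueError(f"bad {family} socket path: {address!r}")
        result["path"] = address
    else:
        raise ValueError(f"unknown socket family: {family!r}")
    # Remaining comma-separated options; only T= (timeouts) is defined here.
    for option in (o.strip() for o in options.split(",") if o.strip()):
        key, _, value = option.partition("=")
        if key.upper() != "T":
            raise ValueError(f"unknown option: {option!r}")
        for item in (i for i in value.split(";") if i.strip()):
            field, _, interval = item.partition(":")
            field = field.strip().upper()
            if field not in DEFAULT_TIMEOUTS:
                raise ValueError(f"unknown timeout field: {field!r}")
            result["timeouts"][field] = parse_interval(interval)
    return result


if __name__ == "__main__":
    print(parse_milter_socket("inet:1066@myhost.com,T=C:5m;S:10s;R:10s;E:5m"))
```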
3. On the Configure Sendmail Server menu, make sure that Server is selected and click on Configure.
4. From the Configure Sendmail Server menu, choose Configure MILTER.
5. In the Existing Filters list, choose the filter to be deleted.
6. Click Delete.
7. On the confirmation page, click Continue.
5.1.4.8.4 Filters Included with Internet Express
Bogofilter and Clam AV anti-virus filters are supplied with this release. Clam AV anti-virus can be enabled using the Administration Utility (see Section 5.1.4.
Subject: testing sample filter
Example text of a message
.
250 2.0.0 bD213442 Message accepted for delivery
QUIT
221 2.0.0 example.hp.com closing connection
#
In this example, the lines beginning with numbers are output by Sendmail, and the bold lines are typed input. A successful test will create a file in /tmp/msg.XXXXXXXX (where the Xs represent any combination of letters and numbers), and it will contain the message body and headers from the text entered above.
If multiple queues are used, separate Sendmail daemon commands should be scheduled to periodically check and transfer any queued mail. The following example illustrates the point:
# sendmail -bt -q queue-name
5.1.4.9.2 Modifying a Queue Group
To modify the values for a queue group, follow these steps:
1. Under Mail on the Manage Components menu, choose Sendmail Server/Using Open Source Configuration Rules.
2. From the Sendmail Server Administration menu, choose Configure Sendmail Server.
Table 5-1 General Queue Properties (continued)
Queue Load Average – When the load average (average number of processes in a run queue over the last minute) exceeds this value, mail is queued rather than delivered. Default: 8 times the number of CPUs present.
Queue Refuse Load Average – When the load average (average number of processes in a run queue over the last minute) exceeds this value, sendmail refuses new connections. Default: 12 times the number of CPUs present.
MaxQueueChildren – Limit number of concurrent queue process
Table 5-4 Sendmail Tunable Parameters
Parameter – Description – Default Value
MinFreeBlocks – Minimum file space needed for Sendmail to operate – 100
MaxHeaderLength – Maximum size of the header section – 32768 bytes
MaxMessageSize – Maximum message length – 0
MaxMimeHeaders – Maximum length of the MIME headers – 0/0
To configure the Sendmail queue performance, follow these steps:
1. Under Mail on the Manage Components menu, choose Sendmail Server/Using Open Source Configuration Rules.
Table 5-5 Certificate Defaults (continued)
Distinguished name – unique name – DN
Common name – Common (not necessarily unique) Hostname, or user's full name – CN
A TLS certificate can be bought from a certification authority, or it can be created locally for use. Commercial companies such as VeriSign, Equivax and Thawte provide certification related functions. Once the commercial transaction has taken place, store the certificate information in the /var/adm/sendmail/certs/cacert.pem file.
5.1.4.12 Enabling Support Using the Access Database Secure connections to servers and clients can be defined by adding lines to the access database (access db text file) and then running makemap to create the updated access_db file. Here are four examples that offer or do not offer TLS support for certain connections. Each line illustrates the line format used in the access database.
TEMP+ or PERM+ shorthands are used to mark an entry as a temporary or permanent failure/rejection.
Access database text line – Description
TLS_Clt:cbs.hp.com – StartTLS connection as server to system cbs
TLS_Clt:cbs.hp.com PERM+VERIFY – StartTLS connection and certificate verification required (failure marked as permanent)
TLS_Clt:cbs.hp.com TEMP+ENCR:64 – Must encrypt with at least 64 bits (failure marked as temporary)
TLS_Clt:cbs.hp.
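Evaluating TLS_Clt: entries of the kind listed above against what a client's STARTTLS negotiation actually delivered, as an added example that is not Sendmail code: the rule lines and session values are constructed, the host match walks parent domains like other access-database keys, and treating an entry without a PERM+/TEMP+ prefix as a temporary failure is an assumption of this example.

```python
"""Evaluates TLS_Clt: access-database entries (PERM+/TEMP+ prefix, VERIFY,
ENCR:bits or VERIFY:bits) against the outcome of a client's STARTTLS
negotiation. Added example, not Sendmail code; rule lines and session values
are constructed, and the default severity (TEMP) is an assumption."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed rules in access database text form.
SAMPLE_TLS_RULES = """\
TLS_Clt:cbs.hp.com          PERM+VERIFY
TLS_Clt:lab.example.com     TEMP+ENCR:64
TLS_Clt:partner.example     VERIFY:128
"""

Rule = Tuple[str, str, int]   # (severity, requirement, minimum key bits)


@dataclass
class TlsSession:
    """What the server learned from the client's STARTTLS negotiation."""
    verified: bool     # client certificate presented and verified
    cipher_bits: int   # key length of the negotiated cipher; 0 = no TLS


def parse_tls_rules(text: str) -> Dict[str, Rule]:
    """Parse TLS_Clt: lines into {host: (severity, requirement, bits)}."""
    rules: Dict[str, Rule] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[0].startswith("TLS_Clt:"):
            continue
        host = parts[0][len("TLS_Clt:"):].lower()
        rhs = parts[1].upper()
        severity = "TEMP"            # assumption: failures are temporary unless PERM+
        if rhs.startswith(("TEMP+", "PERM+")):
            severity, rhs = rhs[:4], rhs[5:]
        requirement, _, bits = rhs.partition(":")
        if requirement not in ("VERIFY", "ENCR"):
            raise ValueError(f"unsupported TLS requirement: {parts[1]!r}")
        rules[host] = (severity, requirement, int(bits) if bits else 0)
    return rules


def find_rule(rules: Dict[str, Rule], client_host: str) -> Optional[Rule]:
    """Match the client host, then each parent domain, as for other keys."""
    labels = client_host.lower().split(".")
    for i in range(len(labels)):
        rule = rules.get(".".join(labels[i:]))
        if rule is not None:
            return rule
    return None


def check_tls_clt(rules: Dict[str, Rule], client_host: str,
                  session: TlsSession) -> str:
    """Return 'OK' when the client satisfies its TLS_Clt: entry, otherwise
    'TEMP' or 'PERM' to say which kind of rejection the failure maps to.
    Clients without an entry are not constrained."""
    rule = find_rule(rules, client_host)
    if rule is None:
        return "OK"
    severity, requirement, min_bits = rule
    if requirement == "VERIFY" and not session.verified:
        return severity
    if session.cipher_bits < min_bits:      # ENCR:bits or VERIFY:bits
        return severity
    return "OK"


if __name__ == "__main__":
    rules = parse_tls_rules(SAMPLE_TLS_RULES)
    print(check_tls_clt(rules, "cbs.hp.com", TlsSession(False, 256)))   # PERM
    print(check_tls_clt(rules, "lab.example.com", TlsSession(False, 40)))  # TEMP
```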
Summary of TLS options available for use in the access data file
First field – Second (or more) field – Additional fields
CERTISSUER – Cert Issuer information – RELAY or SUBJECT
CERTSUBJECT – Cert Issuer information – RELAY or SUBJECT
Optional:
• CN: Common name of the client or server certification (the fully qualified domain name of the server)
• CS: Common server certification (the fully qualified domain name of the server)
• CI: Common client certification (the fully qualified domain name of the cl
• Local /usr/spool/mail—The mailbox directory resides on this system and NFS is not used.
• NFS Export /usr/spool/mail—The mailbox directory on this system should be distributed by NFS to client systems.
• NFS Import /usr/spool/mail—The mailbox directory is NFS mounted from another system.
5. If you specified that the mailbox sharing style is NFS Import, you must specify the name of the system that serves this directory in the Mailbox Server field.
6. Click on Submit to change the server configuration.
5. Type a description of the purpose of the list (the list charter) in the Informational Message field. When someone sends an e-mail message to the list alias with the word “info” in the body of the message, this text is returned in the reply message. The charter text is stored in the /data/majordomo/lists/listname.info file, where listname is the name of the list you supplied in step 3. 6. Click on Submit. The created list will be listname@hostname, where hostname is the host name of the local system.
5. When Monitor Administrative Requests (administrivia) is set to yes, Majordomo forwards these requests (for example, subscribe or unsubscribe) to the list maintainer instead of the list members.
6. You can change the Administration Password (admin_password), which controls access to handling administrative tasks on the list.
7. Click on Submit.
5.2.2.3 Changing Subscription Parameters
To change subscription parameters for a Majordomo mailing list, follow these steps:
1.
authentication number that must be sent back in with another unsubscribe command. This value overrides the value supplied by any existing files.
• approval required w/ confirmation—Requires maintainer approval for all unsubscribe requests to the list. Majordomo sends a reply back to the subscriber that includes an authentication number that must be sent back in with another unsubscribe command. This value overrides the value supplied by any existing files.
9. Click on Submit.
5.2.2.
1. From the Administration utility Main menu, choose Manage Components.
2. Under Mail on the Manage Components menu, choose Majordomo Mailing Lists.
3. Select the mailing list you want to modify from the Existing Mailing Lists list.
4. From the Modify Majordomo Mailing List menu, choose Modify Digest Parameters.
5. The value in the Digest Name (digest_name) field serves as the subject line for the digest. The volume and issue are appended to the digest name.
6.
5.2.2.8 Changing List Restriction Parameters
To change the list restriction parameters for a Majordomo mailing list, follow these steps:
1. From the Administration utility Main menu, choose Manage Components.
2. Under Mail on the Manage Components menu, choose Majordomo Mailing Lists.
3. Select the mailing list you want to modify from the Existing Mailing Lists list.
4. From the Modify Majordomo Mailing List menu, choose Modify List Restriction Parameters.
5.
7. When Remove Comments from Addresses on the List (strip) is set to Yes, only the raw e-mail address is added to the list file; extraneous text and comments are stripped off. If the file .strip exists, it is the same as setting this field to Yes.
8. Click on Submit.
5.2.3 Deleting a Majordomo List
To delete a Majordomo list, follow these steps:
1. Under Mail on the Manage Components menu, choose Majordomo Mailing Lists.
2. Select one or more list names from the Existing Mailing Lists list.
3.
# cd /usr/internet/mailman
# bin/newlist mailman
Enter the email of the person running the list: user@yourhost.adomain.com
Initial mailman password:
5.3.3 Deleting a Mailing List
To delete a Mailman mailing list:
1. Log in as mailman/root.
2. Use the following command to delete the created Mailman list:
/usr/internet/mailman/bin/rmlist
3. Update the file /var/adm/sendmail/aliases as displayed in the command output.
5.3.
The Mailing List Administration menu enables the list administrator to set a variety of configuration options. To set an option:
1. Click on the category name. The menu is refreshed with the fields relevant to the configuration option chosen.
2. Fill out the form as desired. The menu provides help links for each option.
3. To complete the process, click on Submit Your Changes.
5.3.
Second, the non-spam message group is fed to bogofilter. Again, each message is broken down into word tokens, scored and recorded in the bogofilter database as non-spam. The following command is used to register a set of non-spam messages collected in mbox:
$ bogofilter -n -M mbox # non-spam messages
At the end of each training run, bogofilter saves its updated database in a file called .bogofilter/wordlist.db. Over the course of time, spam message content will change.
{
  EXITCODE=75
  HOST
}

# file the mail to spam-bogofilter if it's spam.
:0:
* ^X-Bogosity: Yes, tests=bogofilter
spam-bogofilter
5.4.3.2 Mutt Integration with Bogofilter
The following .muttrc lines will create mutt macros for dispatching mail to bogofilter.
3. Set up the MTA to invoke bogofilter on each message. While this is an MTA-specific step, you'll probably need to use the -p, -u, and -e options.
4. Set up a mechanism for users to register spam/non-spam messages, as well as to correct misclassifications. The most generic solution is to set up alias email addresses to which users bounce messages. For sendmail integration, follow the procmail example from Section 5.4.3.1: Using Bogofilter with procmail.
5.
6 Mail Access Administration Using the Internet Express Administration utility, you can manage the following mail access components: • Post Office Protocol (POP) based on the Qualcomm POP Mail Server (Section 6.1: POP Mail Server Administration) • Cyrus IMAP Server and University of Washington IMAP Servers (Section 6.2: IMAP Mail Server Administration) • The Internet Messaging Program (IMP) to implement an IMAP-based Webmail system (Section 6.3: IMP Webmail Administration) 6.
1. Under Mail on the Manage Components menu, choose POP Server.
2. From the POP Server Administration menu, choose Enable/Disable the POPPASSD Server.
3. If the server is currently enabled, you can disable the server by clicking on Disable. If the server is currently disabled, you can enable the server by clicking on Enable.
6.1.4 Viewing the POP Mail Server Log
The entries in the server log file are generated from data in the /var/adm/syslog.dated directories. To view the POP3 or POP2 server log file:
1.
http://h30097.www3.hp.com/docs/internet/TITLE.HTM 6.2.1 Setting Up a UNIX User Account for UW IMAP No special administration tasks are normally needed to set up a user to use the UW-IMAP server, but if the user had been using mail folders in the mh format, convert the folders to UNIX "From-style" folders using the /usr/dt/bin/mailcv -A command. (To read the mailcv(1) reference page, use the man n mailcv command.
mailcv [-vd] -U [-f foldername newfoldername ]
For example, to convert the tree of UNIX ("From style") folders for user duke into a tree of Cyrus IMAP folders, starting at directory bar, enter the following command:
% /usr/dt/bin/mailcv -I -t -f .
6.2.6 Configuring SSL for UW-IMAP You can configure the Secure Sockets Layer (SSL) to enable encrypted communication between a mail client and the UW-IMAP Server. Support for SSL/TLS is built into the IMAP server and is enabled by the presence of the /usr/ssl/certs/imapd.pem certificate file. If this certificate file is present, the IMAP server will advertise STARTTLS capability. Mail clients that support TLS (e.g., Pine or Microsoft Outlook Express 6) will run STARTTLS and use encrypted communications.
6.3 IMP Webmail Administration
IMP (Internet Messaging Program) Webmail provides access to IMAP and POP3 mail accounts through a Web interface. Users with an IMAP or POP3 account on a system accessible from the IMP program can view their mail from anywhere they have Web access. IMP is installed by the IAEIMP subset, which requires a public instance of the Secure Web Server (IAEAPCH) and PostgreSQL (IAEPSQL). In addition, you should have an IMAP server configured (it may be the same system running IMP).
Figure 6-1 IMP Webmail Administration Menu 6.3.2 Enabling and Disabling IMP Webmail To enable (or disable) IMP: 1. From the IMP Webmail Administration menu, choose Enable/Disable IMP Webmail. The Enable/Disable IMP page is displayed (Figure 6-2). Initially, the status message indicates that IMP is enabled and the Disable button will appear on the screen. (If IMP is disabled, the message and button text changes accordingly.) 2. Click on the Enable button (or Disable button).
To modify the mail server settings, follow these steps:
1. From the IMP Webmail Administration menu, choose Mail Server Settings. The Mail Server Settings form is displayed (Figure 6-3).
Figure 6-3 Mail Server Settings Form
2. Select the desired settings by clicking on the appropriate checkbox. These settings are defined in Table 6-1.
3. Click Submit to make the necessary changes. A status message is displayed when the changes are completed.
is not permitted to choose. See the Use server list settings in the Mail Server Settings form to configure which options are available to the user.
Figure 6-4 Modify Mail Server List Form
From this form, you can perform the following tasks:
• Add a server name (Section 6.3.4.1: Adding a Mail Server)
• Modify settings for a server (Section 6.3.4.2: Modifying a Mail Server)
• Delete a server from the list (Section 6.3.4.3: Deleting a Mail Server)
6.3.4.
3. Click Add. A new form is displayed (Figure 6-5).
Figure 6-5 Mail Server List Form for Adding or Modifying Servers
4. Fill out the form. Table 6-2 defines the settings.
5. Click Submit to make the necessary changes. A status message is displayed when the changes are complete.
Table 6-2 IMP Mail Server List Settings
Setting – Description
Key – A unique identifier for this server entry. If this key begins with an underscore character, "_", then it is treated as a prompt.
Table 6-2 IMP Mail Server List Settings (continued)
Setting – Description
SMTP Host – If the mailer type is set to smtp, then enter this host for outbound SMTP connections. This will override all other configuration values.
Realm – Append this value to user names for preferences and Horde authentication. This can be used to prevent clashes on virtual host setups.
Preferred – Enter a space separated list of hosts on which this server entry should be default. Use this if you use the same server.
Figure 6-6 Mailbox Settings Form
2. Fill out the form. Table 6-3 describes the settings.
3. Click Submit to make the necessary changes. A status message is displayed when completed.
Table 6-3 IMP Mailbox Settings
Setting – Description
Date format – Enter the format used in the mailbox's Date field for messages sent on days other than today. The format will be used in a call to the PHP strftime function. See the PHP documentation for more information.
Figure 6-7 Compose Settings Form
2. Fill out the form. Table 6-4 describes the settings.
3. Click Submit to make the necessary changes. A status message is displayed when complete.
Table 6-4 IMP Compose Settings
Setting – Description
Allow setting Cc: header – Select to allow users to set the Cc: heading.
Allow setting Bcc: header – Select to allow users to set the Bcc: heading.
Figure 6-8 Message Settings Form
2. Fill out the form. Table 6-5 describes the settings.
3. Click Submit to make the necessary changes. A status message is displayed when complete.
Table 6-5 IMP Message Settings
Setting – Description
Prepend header – Select to include the contents of /usr/internet/horde/imp/config/header.txt in the header of all messages sent.
Append trailer – Select to include the contents of /usr/internet/horde/imp/config/trailer.txt at the end of every message sent.
Figure 6-9 Logging Settings Form
2. Fill out the form. Table 6-6 describes the settings.
3. Click Submit to make the necessary changes. A status message is displayed when complete.
Table 6-6 IMP Logging Settings
Setting – Description
Enabled – Select to enable IMP logging of events.
Driver – If logging is enabled, choose the driver type from the selection list. The file driver type will log to a text file. The syslog driver type will log to the syslog facility.
To modify the preference driver settings, follow these steps:
1. From the IMP Webmail Administration menu, choose Preference Driver Settings. The Preference Driver Settings form is displayed (Figure 6-10).
Figure 6-10 Preference Driver Settings Form
2. Fill out the form. Table 6-7 describes the settings.
3. Click Submit to make the necessary changes. A status message is displayed when complete.
To modify the miscellaneous settings, follow these steps:
1. From the IMP Webmail Administration menu, choose Miscellaneous IMP Settings. The Miscellaneous IMP Settings form is displayed (Figure 6-11).
Figure 6-11 Miscellaneous IMP Settings Form
2. Fill out the form. Table 6-8 describes the settings.
3. Click Submit to make the necessary changes. A status message is displayed when complete.
Figure 6-12 Horde Settings Form
2. Fill out the form. Table 6-9 describes the settings.
3. Click Submit to make the necessary changes. A status message is displayed when complete.

Table 6-9 Horde Settings
Setting: Description
Display Help Links: Select this box to display help links on the user's pages.
PHP error level: Click the value to use in the PHP error_reporting function to configure the amount and types of PHP errors displayed on the user's screen. For more information, see: http://www.php.
Table 6-9 Horde Settings (continued)
Setting: Description
Compress pages: If selected, then pages over a certain size will be compressed and sent to the user's browser as gzip-encoded data. This will increase CPU usage but can dramatically decrease the size of pages, resulting in faster delivery of information, especially over slower connections.
Umask: Enter the umask value (octal value) to run as. This affects the permissions of temporary files created.
Figure 6-13 Turba Settings Form
2. Fill out the form. Table 6-10 describes the settings.
3. Click Submit to make the necessary changes. A status message is displayed when complete.

Table 6-10 IMP Turba Settings
Setting: Description
Enabled: If selected, enables access to the Turba contacts manager. If not selected, users will not have access to their addressbook.
Database Type: Enter the type of the database server. The only supported value is pgsql for a PostgreSQL database.
6.3.13 Using IMP Upgrade Tools Starting with Internet Express Version 5.9, the configuration syntax and database schema requirements of Horde and IMP have changed. After doing the upgrade installation, you will have a working installation of IMP, but most of your previous configurations and all stored user information (preferences and contact lists) will not be available. This information must be converted to the new formats.
Figure 6-14 Upgrade Database Settings Form
3. Fill out the form. Table 6-11 describes the settings.
4. Click Submit to make the necessary changes. A status message is displayed when complete.

Table 6-11 IMP Database Upgrade Settings
Setting: Description
Database Info: These values should refer to the current database containing the Horde/IMP tables. The new tables will be added to this database.
Database Name: Enter the name of the database. The default installation uses database horde.
Table 6-11 IMP Database Upgrade Settings (continued)
Setting: Description
Preference Table
Convert Preference Table?: Select if you want to convert the table containing all users' preferences.
Current Preference Table: Enter the name of the preference table used for Internet Express installations prior to Version 6.0.
New Preference Table: Enter the name of the new table to be created. This table must either be empty or not exist for the conversion to take place.
6.3.
7 Web Services Administration
The Internet Express Administration utility lets you manage the following Web service components:
• Secure Web Server (powered by Apache) – An implementation of the Apache Software Foundation's (ASF) Apache HTTP server for Tru64 UNIX (Section 7.1: Secure Web Server Administration).
• ht://Dig search tool – A complete World Wide Web index and search system for a domain or an Intranet (Section 7.2: ht://Dig Search Tool Administration).
7.
Notes: Only those Web servers that are installed are presented by the Administration utility. For example, if the Internet Monitor is not installed, the Administration Server will not appear. Similarly, if you do not create a public Web server instance when installing the Secure Web Server subset, the public server will not appear. Internet Express Version 6.0 and later allows you to choose either Apache Version 1.3 or Version 2.0, or both for the public Web server.
When you access the Web server, you are given access to privileged files and can perform system management tasks until exiting the browser. Do not leave an Administration session unattended. Limit access to the admin account to those individuals authorized to perform Internet system management tasks. In a TruCluster Server environment, the Secure Web Server runs on all cluster members concurrently. Connections are distributed among the cluster members based on how the cluster alias has been configured.
• Virtual hosts
• URL defaults
• HTML directory aliases
• CGI directory aliases
• Logging and reporting parameters
The Secure Web Server configuration files are read in the following order:
• httpd.conf
• srm.conf
• access.conf
Note: By default, the configuration files access.conf and srm.conf do not contain any directives. While they remain supported in Internet Express Version 6.4, all directives are defined in httpd.conf.
7.1.5 Allowing Remote Access to the Internet Monitor Administration Server The installation procedure installs the Internet Monitor Administration Server on port 8086, and initially allows access to the server from the local system only. To allow access to the Internet Monitor Administration Server from remote systems, follow these steps: 1. From the Administration utility Main menu, choose Manage Components. 2. Under Web on the Manage Components menu, choose Secure Web Server. 3.
Figure 7-1 Ht://Dig Indexing and Search Administration Page
3. To check if the Public Web Server is running, click on Start/Stop the Public Web Server, which connects to the Web Server Administration page. If the Public Web Server is not running, you can start it at this time from the Web Server Administration page.
4. Click on the htdig symlink button to enable the search function. This action makes the ht://Dig files available from the document root.
Figure 7-2 Link to Ht://Dig Search Index Page
5. Click on the documents symlink button to enable indexing. This action makes the Internet Express documents available from your document root.
6. To update the ht://Dig configuration file (/usr/internet/www/conf/htdig.conf) to specify a start URL or exclude URLs from the search, enter the URL information in the respective fields and click on Update Ht://Dig configuration.
To create an index of this server, review the configuration in /usr/internet/www/conf/htdig.conf and run /usr/internet/www/bin/rundig.

For example, to configure ht://Dig to index the Internet Express documentation, follow these steps:
1. Create a symlink to the Internet Express documentation and the ht://dig documents in /usr/internet/httpd/htdocs, as follows:
# cd /usr/internet/httpd/htdocs
# ln -s /usr/internet/docs/IASS documents
# ln -s /usr/internet/www/htdocs/htdig htdig
2.
8 XML Component Administration The XML components provide commercial-quality, standards-based XML solutions. These components include: Xerces XML parsers in C++ and Java, Xalan XSLT stylesheet processor in C++ and Java, FOP XSL formatting objects in Java, Batik Scalable Vector Graphics (SVG) toolkit in Java, Cocoon XML-based Web publishing in Java, and Apache Axis. All are from the Apache XML Project.
Table 8-1 Directories and Subsets for XML Components (continued)
Directory: Contents (Subsets)
/usr/local/include/xml: Xerces and Xalan C++ header files (IAEXMLCLIB)
/usr/local/include/libxml2: Libxml2 header files (IAEXMLCLIB)

8.2 Apache Axis Server Administration
As part of the IAEXMLJLIB subset, Internet Express installs the Apache Axis client API for invoking SOAP services. The Apache Axis Server is installed and configured by the IAESOAP subset.
8.3 Apache Cocoon Servlet Administration The IAEXML subset installs and configures the Apache Cocoon Servlet. Prerequisite subsets include the IAETOMCAT and IAEXMLJLIB subsets. The Apache Cocoon Servlet will be configured on all available public instances of the Secure Web Server (1.3 and 2.0) and Tomcat. Cocoon can be used for the automatic creation of HTML from XML files as well as XSL:FO rendering to PDF files.
1. From the Manage Components menu, under XML Tools, choose Apache Cocoon Servlet. The Apache Cocoon Servlet page is displayed.
2. From the Apache Cocoon Servlet page, choose View Cocoon Logs. The View Cocoon Logs menu is displayed.
3. From the View Cocoon Logs menu, choose the desired log file. The contents of the selected file are displayed. For example, the View Core Log page displays the contents of the core.log file.
9 Network Security Administration
This chapter describes how to manage the following network security components:
• TCP Wrapper (Section 9.1: TCP Wrapper Administration)
• FireScreen Firewall (Section 9.2: FireScreen Administration)
• Snort Intrusion Detection System (Section 9.3: Snort Intrusion Detection System)
• FreeRADIUS Server Administration (Section 9.4: FreeRADIUS Server Administration)

9.1 TCP Wrapper Administration
TCP Wrapper lets you control access to network services.
Table 9-1 Network Services Wrapped by Internet Express (continued)
Network Service: Default Access Setting
pop2: Allows you to run the POP2 (Post Office Protocol Version 2) e-mail server
poppassd: Allows you to change passwords
popper: Allows you to run the POP3 (Post Office Protocol Version 3) e-mail server
rexecd: Allows you to execute commands on a remote system
rlogind: Allows you to log in to a remote system
rpc.
3. From the TCP Wrapper Administration menu, choose Display/Update Configuration to display a list of the services available on your system and the current access settings for each service.
4. Select the service for which you want to modify access. The TCP Wrapper Service Management form shows the current security setting for the service you chose and offers the settings described in Table 9-2.
1. Under Network Security on the Manage Components menu, choose TCP Wrapper.
2. From the TCP Wrapper Administration menu, choose Test Configuration to display the Test Configuration form.
3. Select a service from the Service to Test list box.
4. Enter a domain name, IPv4 address, or IPv6 address in the Requesting Client field, using the syntax defined in the hosts_access(5) reference page.
5. Click Submit.
Note: The AltaVista Firewall and FireScreen software cannot coexist on the same system. If you plan to use the AltaVista Firewall software, do not install FireScreen. The Administration utility will not allow you to install FireScreen if it detects the presence of the AltaVista Firewall software.
Figure 9-3 Checking FireScreen Installation Prerequisites
2. Click on Install.
3. At this point in the FireScreen installation, the following startup variables are added to the /etc/rc.config file:
• SCREEND – Indicates whether the FireScreen daemon is to be started when the system is booted.
• SCREEND_FLAGS – Indicates which options are to be used when the FireScreen daemon is started on the system.
• SCREEND_MODE – Indicates whether screening is on.
4. You can specify a different system configuration file, a different kernel, or both, before proceeding with the installation (Figure 9-4). Note: Modifications that FireScreen makes to your system's kernel configuration file are not preserved when you update the Tru64 UNIX operating system. You must reinstall FireScreen after updating the operating system to replace these modifications and to ensure that the kernel is built with the option required by FireScreen.
Figure 9-5 Install FireScreen Page with Gateway Screening Enabled Figure 9-6 shows how the Install FireScreen page appears after the FireScreen installation with gateway screening was disabled in the kernel before installing FireScreen. Follow the link from the Web-Based Management page to the page for shutting down or rebooting the operating system before configuring FireScreen (Section 1.7: Accessing Web-Based System Management Tools). Change the number of minutes to wait from 30 to 1.
Figure 9-6 Install FireScreen Installation Page with Gateway Screening Disabled 9.2.2 Configuring FireScreen To configure FireScreen, on the FireScreen Administration menu, choose Configure FireScreen. Figure 9-7 shows the Configure FireScreen menu. 9.
Figure 9-7 Configure FireScreen Menu
Use the Configure FireScreen menu to perform the following tasks:
• Set command-line options (Section 9.2.2.1: Setting Command-Line Options)
• Set the screening mode (Section 9.2.2.2: Setting the Screening Mode)
• Add a screening rule (Section 9.2.2.3: Adding a Screening Rule)
• Check the syntax of screening rules (Section 9.2.2.4: Checking Syntax of Screening Rules)
• Delete a screening rule (Section 9.2.2.
To change the default configuration file for FireScreen, make sure the Configuration File check box is selected and enter the full pathname of the configuration file you want to use in the field provided.
• Screening records will be logged in the /var/adm/syslog.dated/$DATE/daemon.log file (where the value of $DATE is incremented every 24 hours based on the time that the system was last booted). When the syslog.conf file does not contain a daemon entry, the /var/adm/firescreen.
Notes: The -c option performs the same function as the Check Screening Rules form (Figure 9-13), so this option is not available on the Set Options form. The -d option is also not available on the Set Options form. If you want to use the -d option to debug FireScreen, you must set this option on the command line.

9.2.2.2 Setting the Screening Mode
To set the screening mode for FireScreen, follow these steps:
1. From the Configure FireScreen menu, choose Set Screening Mode.
This report explains how FireScreen (which is based on the screend daemon) operates, what FireScreen can and cannot do to protect your network, and how to use screening rules to implement firewall security policies. To add a screening rule, follow these steps: 1. From the Configure FireScreen menu, choose Add New Screening Rule. The first time you add a screening rule, the only rule defined is the default rule. 2.
Figure 9-12 New Screening Rule Confirmation Page To return to the Add New Screening Rule form, use the navigation bar at the top of the screen. To check the syntax of screening rules, see Section 9.2.2.4: Checking Syntax of Screening Rules. 9.2.2.4 Checking Syntax of Screening Rules To check the syntax of screening rules in the FireScreen configuration file, on the Configure FireScreen menu, choose Check Screening Rules. The existing screening rules are displayed and checked for syntax errors.
Figure 9-14 Delete Screening Rules Form 3. Click on Delete. 9.2.3 Starting and Stopping FireScreen When you make changes to the FireScreen configuration file, you must restart FireScreen for the changes to take effect (Section 9.2.3.1: Starting FireScreen). When you stop FireScreen with screening mode enabled, all IP forwarding is rejected until FireScreen starts again (Section 9.2.3.2: Stopping FireScreen).
Figure 9-16 Start/Stop FireScreen Form with Restart Option Enabled To protect your system from unauthorized access, the Administration utility starts a new FireScreen process, which reads the latest FireScreen configuration file, and then stops any FireScreen process that was previously running, as shown in the confirmation page (Figure 9-17). Figure 9-17 Start/Stop FireScreen Confirmation Page 9.2.3.2 Stopping FireScreen To stop FireScreen, follow these steps: 1. 2.
Figure 9-19 Stop FireScreen Confirmation Page 9.2.4 Viewing FireScreen Status Using the View FireScreen Status menu, you can view the following: • Screening rules (Section 9.2.4.1: Viewing FireScreen Screening Rules) • Log file (Section 9.2.4.2: Viewing the FireScreen Log) • Statistics (Section 9.2.4.3: Viewing FireScreen Statistics) To access this menu, choose View FireScreen Status from the FireScreen Administration menu. 9.2.4.
Figure 9-21 View Log File Page To specify the types of events to be recorded in the FireScreen log file, access the Configure FireScreen menu and choose Set Options. See Section 9.2.2.1: Setting Command-Line Options for more information. 9.2.4.3 Viewing FireScreen Statistics FireScreen invokes the /usr/sbin/screenstat command to display statistics for IP packet handling. To view FireScreen statistics, choose View Statistics from the View FireScreen Status menu. The statistics are displayed (Figure 9-22).
./snort -vde (include the data link layer headers)
• Packet Logger Mode — log TCP/IP packet headers to disk. Use the previous snort commands along with the -l switch and a log directory name to automatically go into packet logger mode:
./snort -vd -l ./log
You must have an existing directory by that name to prevent Snort from exiting with an error. You should also specify the local host address, using the -h ipaddress switch.
3. Click in a checkbox to select the desired preprocessor option:
4.
Option: Description
Perform IP defragmentation: The IP defragmentation preprocessor uses memory management routines that are used in other parts of Snort. It uses the default memory limit of 4194304 bytes (4 MB) and a timeout period of 60 seconds. The timeout period determines how long an unassembled fragment is held before it is discarded.
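The two numbers in that description, the 4194304-byte memory limit and the 60-second timeout, are the preprocessor's defence against fragment floods and against never-completed datagrams tying up memory. The following added example (not Snort code) models a reassembly table with both limits on constructed fragments, so their effect can be seen: a datagram whose first half arrived more than 60 seconds ago is discarded rather than reassembled, and when the memory cap is reached the oldest partial datagram is evicted first. Offsets here are byte offsets within a simplified datagram, not real IP header fields, and the eviction policy is this example's choice.

```python
"""Fragment reassembly with a memory cap and a reassembly timeout (added example)."""
from collections import OrderedDict


class FragmentTracker:
    def __init__(self, memcap=4194304, timeout=60):
        self.memcap = memcap        # bytes of fragment data held at once
        self.timeout = timeout      # seconds a partial datagram may wait
        self.flows = OrderedDict()  # key -> {"first": t, "frags": {offset: bytes}, "total": int|None}
        self.used = 0               # bytes currently buffered
        self.dropped = 0            # partial datagrams discarded (timeout or memcap)

    def _remove(self, key):
        flow = self.flows.pop(key)
        self.used -= sum(len(d) for d in flow["frags"].values())
        return flow

    def expire(self, now):
        """Discard partial datagrams older than the timeout; return how many."""
        stale = [k for k, f in self.flows.items() if now - f["first"] > self.timeout]
        for key in stale:
            self._remove(key)
            self.dropped += 1
        return len(stale)

    @staticmethod
    def _complete(flow):
        """True when the fragments cover [0, total) with no gaps."""
        if flow["total"] is None:
            return False
        expect = 0
        for off in sorted(flow["frags"]):
            if off != expect:
                return False
            expect = off + len(flow["frags"][off])
        return expect == flow["total"]

    def add(self, now, key, offset, data, more_fragments):
        """Buffer one fragment; return the reassembled payload when complete, else None."""
        self.expire(now)
        flow = self.flows.get(key)
        if flow is None:
            flow = self.flows[key] = {"first": now, "frags": {}, "total": None}
        if offset in flow["frags"]:         # duplicate offset: keep the first copy
            return None
        # Enforce the memory cap by evicting the oldest partial datagram first;
        # if the current datagram is the one evicted, this fragment is dropped too.
        while self.used + len(data) > self.memcap:
            oldest = next(iter(self.flows))
            self._remove(oldest)
            self.dropped += 1
            if oldest == key:
                return None
        flow["frags"][offset] = data
        self.used += len(data)
        if not more_fragments:              # the last fragment fixes the total length
            flow["total"] = offset + len(data)
        if self._complete(flow):
            payload = b"".join(flow["frags"][o] for o in sorted(flow["frags"]))
            self._remove(key)
            return payload
        return None


if __name__ == "__main__":
    t = FragmentTracker(memcap=64, timeout=60)
    print(t.add(0, "a", 0, b"x" * 16, True))       # None, waiting for the rest
    print(t.add(1, "a", 16, b"y" * 16, False))     # reassembled 32-byte payload
    print(t.add(100, "b", 0, b"z" * 8, True))      # None
    print(t.add(200, "b", 8, b"w" * 8, False))     # None: first half timed out
    print(t.dropped)                               # 1
```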
9.4.1 Considerations While Installing FreeRADIUS
The installation procedure includes building and installing the IAEFRAD subset. For more details, refer to the Installation Guide. FreeRadius is installed in the /usr/local/radius directory. The configuration files exist in the /usr/local/etc/raddb directory. When you install FreeRadius, all the necessary directories are created. You can run tests by using existing UNIX system accounts. 9.4.
Login-IP-Host = 0.0.0.0,
Callback-Number = "9,5551212",
Login-Service = Telnet,
Login-TCP-Port = Telnet

clients.conf file
This file defines a RADIUS client (usually a NAS). The information given here overrides anything given in the clients file, or in the naslist file. The configuration here contains all of the information from those two files, and allows for more configuration items. The shortname is used for logging.
HP recommends that you run the server with as few permissions as possible. That is, if you are not using shadow passwords, the user and group items below should be set to nobody. On SCO (ODT 3) use user = nouser and group = nogroup. Note that some kernels refuse to setgid(group) when the value of (unsigned)group is above 60000. Do not use group nobody on these systems. On systems with shadow passwords, you might have to set group = shadow for the server to be able to read the shadow password file.
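The guidance above comes down to a few checks on the user and group lines in the server configuration. The following added example (not FreeRADIUS or Internet Express code) reads those lines from radiusd.conf-style text, resolves the group in a group file, and reports the cases the paragraph names: running with root privileges, a group id above 60000 that some kernels refuse to setgid to, the shadow group being needed when shadow passwords are in use, and the nobody/nobody recommendation otherwise. The configuration text and group file contents are constructed, including the gid values.

```python
"""Check the user/group a RADIUS server is configured to run as (added example)."""
import re


def parse_run_as(conf_text):
    """Return (user, group) from 'user = x' / 'group = y' lines, ignoring # comments."""
    user = group = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^(user|group)\s*=\s*(\S+)$", line)
        if m and m.group(1) == "user":
            user = m.group(2)
        elif m:
            group = m.group(2)
    return user, group


def parse_group_file(text):
    """Map group name -> gid from /etc/group-style lines."""
    gids = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 3 and parts[2].isdigit():
            gids[parts[0]] = int(parts[2])
    return gids


def check_run_as(conf_text, group_file_text, shadow_passwords=False):
    """Return a list of findings; an empty list means the settings match the guidance."""
    user, group = parse_run_as(conf_text)
    gids = parse_group_file(group_file_text)
    findings = []
    if user is None or group is None:
        findings.append("user/group not set: the server keeps the privileges it was started with")
        return findings
    if user == "root" or group == "root":
        findings.append("server would run with root privileges; use an unprivileged user and group")
    gid = gids.get(group)
    if gid is None:
        findings.append(f"group {group!r} not found in the group file")
    elif gid > 60000:
        findings.append(f"gid {gid} for {group!r} is above 60000; some kernels refuse setgid to it")
    if shadow_passwords and group != "shadow":
        findings.append("shadow passwords in use: group = shadow may be needed to read the shadow file")
    if not shadow_passwords and (user, group) != ("nobody", "nobody"):
        findings.append("without shadow passwords, user and group should both be nobody")
    return findings


# Constructed group file; the gid values are sample data, not a real system's.
SAMPLE_GROUP_FILE = """\
root:x:0:
shadow:x:42:
nobody:x:99:
nogroup:x:65534:
"""

if __name__ == "__main__":
    for conf in ("user = nobody\ngroup = nobody\n",
                 "user = root\ngroup = root\n",
                 "user = nobody\ngroup = nogroup\n"):
        print(conf.strip().replace("\n", "; "), "->", check_run_as(conf, SAMPLE_GROUP_FILE))
```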
1. From the Manage Components menu, choose FreeRADIUS. The FreeRADIUS menu is displayed. 2. On the FreeRADIUS menu, choose View the FreeRADIUS Log. The contents of the log file are displayed. Use the standard navigation features to advance page by page, go to a specific page, or search for a particular text string.
10 Proxy Services Administration The Internet Express Administration utility lets you manage the following Proxy service components: • Dante SOCKS Server – A circuit-level firewall/proxy server that can be used to provide convenient and secure network connectivity to a wide range of hosts (Section 10.1: Dante SOCKS Server Administration). • Squid Proxy/Caching Server – A high-performance, proxy/caching server for clients that supports FTP, Gopher, and HTTP requests (Section 10.
For information on controlling the Dante SOCKS Server outside the Administration utility, see the sockd(8) reference page. 10.1.2 Configuring the Dante SOCKS Server You configure the Dante SOCKS Server by editing the /etc/sockd.conf configuration file. This file controls both access controls and logging and is divided into two parts, server settings and rules. To use the Dante SOCKS Server, you must specify valid information in the method, client pass, and pass fields in /etc/sockd.conf.
Use the Squid Proxy/Caching Server Administration menu to perform the following tasks:
• Reinitialize the disk cache (see Section 10.2.2: Reinitializing the Disk Cache)
• Manage the Squid Proxy/Caching Server through the Cache Manager Interface (see Section 10.2.3: Managing the Squid Proxy/Caching Server)
• Rotate log files (see Section 10.2.4: Rotating Log Files)
• Display access statistics (see Section 10.2.5: Displaying Access Statistics)
• Start or stop the Squid Proxy/Caching Server (Section 10.2.
See the comments in the squid.conf file for more information on setting passwords for Cache Manager operations. A URL is required only for the Refresh Object operation.
5. Use the Operation list box to select an operation and click on Submit. Only the Shutdown Cache and Refresh Object operations perform an action; the rest display statistical information only.
6. Restart Squid with the following command line:
/sbin/init.d/squid_8080 restart
7.
10.2.6 Controlling the Squid Proxy/Caching Server To control the Squid Proxy/Caching Server, follow these steps: 1. From the Administration utility Main menu, choose Manage Components. 2. Under Proxy on the Manage Components menu, choose Squid Proxy/Caching Server. 3. From the Squid Proxy/Caching Server Administration menu, choose Start/Stop the Squid Proxy/Caching Server. The Start/Stop the Squid Proxy/Caching Server page shows the current state of the server. 4.
11 LDAP Directory Server Administration The Lightweight Directory Access Protocol (LDAP) is an Internet standard directory service protocol that runs over TCP/IP. An LDAP server manages entries in a directory, and makes the information available to users and applications across the network. An LDAP server can be used as a central repository of user information. When used in this way, an LDAP server is similar to Network Information Services (NIS), also known as the yellow pages.
Figure 11-1 LDAP Directory Tree Structure
[Figure: a directory tree rooted at o=unix with two branches, ou=people (containing uid=straw and uid=smith) and ou=groups (containing cn=Engineering and cn=Marketing). Callouts: RDN: ou=people, DN: ou=people, o=unix; RDN: uid=straw, DN: uid=straw, ou=people, o=unix]
The attributes that are required or allowed in a directory entry are defined in an object class. Each directory entry must contain an objectclass attribute that has at least one object class definition for that entry.
11.2.1 Installing and Running the LDAP Browser
To install the LDAP Browser on a system, ensure that the Internet Express OpenLDAP subset is installed. Then, follow these steps:
1. From the Internet Express Administration utility Main menu, choose Manage Components.
2. From Directory Services, choose Download LDAP Browser. The Download the LDAP Browser form is displayed.
3. Right-click on the ldapbrowser.jar link to bring up the browser menu, and then save the file to a directory on your system.
4.
Field: Description
Port: Enter the port number on which the LDAP server is listening. The default LDAP port is 389.
Base DN: Enter the base distinguished name for this connection. The base distinguished name defines the top of the directory tree. To obtain a list of base distinguished names for a particular directory, make sure the host name and port fields have been filled in correctly and then click the Fetch button.
the browser and server. For an SSL connection to be established successfully, the following conditions must be satisfied:
• The LDAP server must be configured by its administrator to accept SSL connections. The default port for LDAP over SSL is port 636. Many servers are not configured by default to accept SSL connections, so check with the server administrator if there is any doubt.
directory entry identified by its relative distinguished name (RDN). From the main browsing window, you can perform the following functions:
• Operate on a directory entry – Click on an entry in the directory tree, and then choose any of the appropriate operations from the Edit or View menus or from the entry's context-sensitive pop-up menu.
• View a directory entry – Click on an entry in the directory tree to select it and see a list of its attributes in the adjoining table.
• The add attribute dialog box presents only choices allowed by the schema.
• Multiple values cannot be added for attributes defined as single-valued by the schema.
• When objectClass attribute values are removed or modified, attributes that are no longer allowed as a result of the change are removed, after warning the user first.
• When objectClass attribute values are added or modified, newly required attributes that do not already exist in the entry are automatically added.
11.2.3.
• The entry can be copied to either the same parent or to a new one.
• Multiple copies of an entry can also be made. By default, an underscore and a sequence number will be appended to the RDN of each copy to distinguish them from each other. Alternatively, if a pound sign (#) is included in the new RDN value, the new RDN value will be generated by replacing the pound sign with a sequence number.
• An entry's descendants can be copied along with the entry itself.
11.2.3.
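The RDN/DN relationship from Figure 11-1 and the copy naming rules just listed can be made concrete in a few lines. The following added example (not LDAP Browser code) splits a DN into its RDNs, derives the parent DN, and generates the DNs the copy operation would produce, using either the default underscore-plus-sequence-number form or a supplied RDN with a # placeholder; it also refuses to generate a DN that would collide with an existing entry. Numbering copies from 1 and the backslash-escaped-comma handling are assumptions of this example.

```python
"""Distinguished-name helpers and copy-RDN generation (added example)."""


def split_dn(dn):
    """Split a DN into its RDN strings, honouring backslash-escaped commas."""
    rdns, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf += ch
            escaped = False
        elif ch == "\\":
            buf += ch
            escaped = True
        elif ch == ",":
            rdns.append(buf.strip())
            buf = ""
        else:
            buf += ch
    rdns.append(buf.strip())
    return [r for r in rdns if r]


def rdn_of(dn):
    """The leftmost component, e.g. 'uid=straw' for 'uid=straw, ou=people, o=unix'."""
    return split_dn(dn)[0]


def parent_dn(dn):
    """Everything after the RDN, e.g. 'ou=people, o=unix'."""
    return ", ".join(split_dn(dn)[1:])


def copy_rdns(rdn, count, new_rdn=None):
    """RDNs for `count` copies of an entry named `rdn`.

    Default: append '_<n>' to the RDN value. If new_rdn contains '#',
    each copy replaces the '#' with the sequence number instead.
    """
    if new_rdn is not None and "#" in new_rdn:
        return [new_rdn.replace("#", str(n)) for n in range(1, count + 1)]
    attr, _, value = (new_rdn or rdn).partition("=")
    return [f"{attr}={value}_{n}" for n in range(1, count + 1)]


def copy_entry_dns(dn, count=1, target_parent=None, new_rdn=None, existing=()):
    """DNs of the copies; raise if one would collide with an existing entry."""
    parent = target_parent if target_parent is not None else parent_dn(dn)
    out = []
    for rdn in copy_rdns(rdn_of(dn), count, new_rdn):
        new_dn = f"{rdn}, {parent}" if parent else rdn
        if new_dn in existing:
            raise ValueError(f"copy would overwrite existing entry {new_dn}")
        out.append(new_dn)
    return out


if __name__ == "__main__":
    dn = "uid=straw, ou=people, o=unix"
    print(rdn_of(dn), "|", parent_dn(dn))
    print(copy_entry_dns(dn, 2))
    print(copy_entry_dns(dn, 2, target_parent="ou=groups, o=unix", new_rdn="uid=straw-copy#"))
```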
11.2.3.15 Managing Directory Entry Templates Directory entry templates define which object classes a newly created entry will belong to and which attributes and attribute values will be included in entry creation forms by default. Entry templates can be added, modified, deleted, copied, and renamed by choosing Manage entry templates from the Edit menu and performing those operations in the resulting dialog box. 11.2.3.
1. From the main window, choose an entry to serve as the search base.
2. From the View menu, select Search. The resulting search form prompts for the following information:
• Base DN – The base node for the search
• Search filter – A standard LDAP search filter. The default of (objectclass=*) will match any entry.
• Attributes – A list of attributes that the search should return. These attributes will be displayed in columns that can be used as the basis for sorting the search results.
3.
11.3 Managing and Using the OpenLDAP Directory Server
The OpenLDAP Directory Server Version 2.0.19 is an Open Source LDAP implementation based on the LDAP Version 3 protocol. For extensive information about OpenLDAP, including a searchable FAQ page, visit the following Web sites:
http://www.openldap.org
http://www.openldap.org/doc/admin

11.3.1 Managing the OpenLDAP Directory Server
Using the Internet Express Administration utility, you can:
• Start or stop the OpenLDAP Directory Server (see Section 11.
11.3.1.3 Configuring the OpenLDAP Directory Server Independently of the Installation Procedure Use the /usr/internet/openldap/config_openldap.sh script to configure the /usr/internet/openldap/etc/slapd.conf file and to initialize an LDAP database. You will need to provide an Organization Name, used as the searchbase, a Distinguished Name, used for connections to the server, and an Administrative password. Once this script has run, use the /sbin/init.
12 OpenSLP Administration Internet Express provides the OpenSLP server and Application Program Interfaces based on the SLP Version 2 standard protocol. The Service Location Protocol (SLP) provides client/server applications with the means to discover and select system services on the network. This chapter provides the following information: • An overview of OpenSLP (Section 12.1: OpenSLP Overview). • A listing of OpenSLP configuration files and examples (Section 12.2: Configuration Files and Examples).
File/Example: Description
slp.spi: The SLP security parameter index file. This file is installed in /etc with the appropriate ownership and protection.
example.c: The SLP example program. The file is 22KB and is installed in /usr/internet/openslp/examples. Once installed, ownership should be set to the user.
example.conf: The SLP example configuration file. This file is installed in /usr/internet/openslp/examples. Once installed, ownership should be set to the user.
example.
http://h30097.www3.hp.com/unix/cdsa
Note: CDSA is available only for Tru64 UNIX 5.1 and later. If you are running Tru64 UNIX 5.0A, you cannot run security-enabled SLP.
2. Enable security in OpenSLP by placing the following entry in the /etc/slp.conf configuration file:
net.slp.securityEnabled = true
3. In the root account, run the keytool utility to generate pairs of public and private keys. To do this, you must have an account on the system for user daemon.
4. To stop a running OpenSLP daemon, click the Stop button. This action terminates the OpenSLP daemon (slpd).
5. Click the Restart button to stop the OpenSLP daemon and then start it again. The Cancel option leaves the OpenSLP daemon in its current state and displays a message that the daemon will not be changed.
Consider the following notes when you review the SLP APIs used in the examples (Section 12.4: Running the Example Configuration) provided with the OpenSLP component: • A service registration with no scope specified is a member of the default scope. Service registrations containing a scope must have DEFAULT listed to be a member of the default scope. A service registration with no naming authority specified is a member of the default naming authority (IANA, represented by the empty string).
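The scope and naming-authority rules in these notes decide which registrations a client actually sees, so they are worth checking in code before reading the example program. The following added example (not OpenSLP or Internet Express code) encodes them: a registration with no scope is in the default scope DEFAULT, one with an explicit scope list is in DEFAULT only if DEFAULT is listed, and a service type with no naming authority belongs to IANA, represented by the empty string. The placement of the naming authority after a dot in the service type ("service:printer.ACME:lpr") follows the SLPv2 service-type syntax as this example assumes it, and the registrations are constructed.

```python
"""Scope and naming-authority rules for SLP registrations (added example)."""

DEFAULT_SCOPE = "DEFAULT"
IANA = ""  # the default naming authority is IANA, represented by the empty string


def scopes_of(scope_list):
    """Scope set of a registration; a missing or empty scope list means the default scope."""
    if scope_list is None or not scope_list.strip():
        return {DEFAULT_SCOPE}
    return {s.strip() for s in scope_list.split(",") if s.strip()}


def in_default_scope(scope_list):
    """A registration with explicit scopes is in DEFAULT only if DEFAULT is listed."""
    return DEFAULT_SCOPE in scopes_of(scope_list)


def naming_authority(service_type):
    """'service:printer.ACME:lpr://h/q' -> 'ACME'; 'service:printer:lpr://h/q' -> '' (IANA).

    Assumed layout: 'service:' abstract-type ['.' naming-authority] [':' concrete-type].
    """
    body = service_type[len("service:"):] if service_type.startswith("service:") else service_type
    abstract = body.split(":", 1)[0]
    return abstract.split(".", 1)[1] if "." in abstract else IANA


def visible_registrations(registrations, request_scope):
    """Service URLs from (url, scope_list) pairs that a request in request_scope can see."""
    return [url for url, scope_list in registrations if request_scope in scopes_of(scope_list)]


# Constructed registrations: (service URL, scope list as passed to SLPReg or None).
SAMPLE_REGISTRATIONS = [
    ("service:printer:lpr://host-a/q1", None),                    # default scope only
    ("service:printer:lpr://host-b/q2", "ENGINEERING"),           # not in DEFAULT
    ("service:printer:lpr://host-c/q3", "ENGINEERING,DEFAULT"),   # both
]

if __name__ == "__main__":
    for scope in (DEFAULT_SCOPE, "ENGINEERING"):
        print(scope, "->", visible_registrations(SAMPLE_REGISTRATIONS, scope))
    print(repr(naming_authority("service:printer.ACME:lpr://host/q")))
```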
• Introduction to SLP – Provides an overview of the Service Location Protocol and a general description of the agents, messages, and APIs. http://www.openslp.org/doc/html/IntroductionToSLP/index.html • Service Location Protocol Version 2 – Information about the standard protocol for SLP. http://www.ietf.org/rfc/rfc2608.txt • Service Location Application Programming Interface (API) – Information about the standardized APIs for SLP in C and Java.
13 FTP Server Administration File Transfer Protocol (FTP) is a client/server protocol that allows a user on one computer to transfer files to and from another computer over a TCP/IP network. When you set up an anonymous FTP account on your system, any remote user can access your system by means of the user name ftp or anonymous. Once logged in, the user has access to only a special directory hierarchy containing public files, and can copy these files to another system using FTP.
• Minimum UID – The Administration utility searches for the specified UID and, if it is available, assigns it to the account. If that UID number is not available, the utility assigns the next highest available UID.
• FTP Group Name – Name of the group to which you want to assign the anonymous Pure-FTP account. If the group you specify does not exist, the Administration utility creates it.
5.
1. From the Administration utility Main menu, choose Manage Components.
2. From the Manage Components menu, choose Pure-FTP Server.
3. From the Pure-FTP Server Administration menu, choose Enable/Disable chroot. The current status is displayed (either enabled or disabled).
4. If chroot is enabled, click on Disable to disable the ability to execute chroot. If chroot is disabled, click on Enable to enable the ability to execute chroot.
13.1.
14 Samba File and Print Server Administration
The Samba File and Print Server consists of the following three daemons, each listening on its own port:
• smbd – Provides file and print services to SMB clients, such as Windows 2000, Windows NT, or LanManager
• nmbd – Provides NETBIOS name serving and browsing support
• The daemon for the Samba Web Administration Tool (SWAT), described in Section 14.4: Administering the Samba Server Using the SWAT Program
The Samba server daemons read the smb.
Example 14-1 Samba Server Configuration File

; Configuration file for smbd.
[global]                                  1
   workgroup = WORKGROUP
   domain master = yes
   local master = yes
   preferred master = yes
   printing = bsd
   printcap name = /etc/printcap
   load printers = yes
   guest account = nobody
   browseable = yes
   wins support = true
   hosts allow = domain_name
;
; This next option sets a separate log file for each client. Remove it if you want a combined log file.
   log file = /usr/local/samba/log.
option allows Samba to act as a local master browser. The preferred master option causes the nmbd daemon to force a browser election on startup. For more information on domain masters and browsing, see /usr/internet/docs/samba/Browsing.txt. The printing, printcap name, and load printers options configure the Samba server to allow all printers on the Tru64 UNIX system configured with the normal BSD printing mechanism to be used by the Windows clients.
Note: If you want to allow handling of encrypted passwords on Windows 98 or Windows NT clients, the Samba server must maintain its own password database. (See /usr/internet/docs/samba/htmldocs/ENCRYPTION.html for instructions on how to create the password database.)
5 When hide dot files is set to yes, hidden files on the UNIX system are not displayed in PC client applications (such as Explorer).
6 Internet Express configures the Samba server to preserve case in file names.
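Two of the settings in Example 14-1 decide who can reach the shares at all: hosts allow restricts the connecting hosts, and guest account names the UNIX identity that guest connections run as. Share sections inherit [global] values, so the effective setting for a share is the share's own value if it sets one and the global value otherwise. The following script is an added example for this edition (not part of Internet Express or the Samba suite): it parses an smb.conf, resolves each share's effective hosts allow, guest ok and writable settings, and reports shares that are open to every host or writable by guests. The two sample files it writes are constructed for the demonstration; the weak one omits hosts allow and adds a guest-writable [public] share, the corrected one restores the host restriction and makes the guest share read-only.

```shell
#!/bin/sh
# Added example: audit share-level exposure in an smb.conf. Not part of
# Internet Express or Samba; the sample configurations are constructed.

# Emit "section|key|value" for every parameter. Comments (; or #) and blank
# lines are skipped; keys are lower-cased with whitespace collapsed so that
# "Hosts Allow" and "hosts  allow" compare equal.
parse_smbconf() {
    awk '
        /^[ \t]*[;#]/ || /^[ \t]*$/ { next }
        /^[ \t]*\[/ {
            gsub(/^[ \t]*\[|\][ \t]*$/, "")
            sec = tolower($0); next
        }
        index($0, "=") {
            i = index($0, "=")
            key = substr($0, 1, i - 1); val = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            key = tolower(key); gsub(/[ \t]+/, " ", key)
            print sec "|" key "|" val
        }' "$1"
}

# Effective value of KEY for SECTION: the share's own value, else [global].
smb_param() {   # file section key
    parse_smbconf "$1" | awk -F'|' -v s="$2" -v k="$3" '
        $2 == k && $1 == "global" { g = $3 }
        $2 == k && $1 == s        { v = $3 }
        END { print (v != "" ? v : g) }'
}

# Names of all share sections (everything except [global]).
smb_shares() {
    parse_smbconf "$1" | awk -F'|' '$1 != "global" { print $1 }' | sort -u
}

# True if the share is writable under any of Samba's spellings.
share_writable() {   # file share
    if [ "$(smb_param "$1" "$2" writable)" = yes ] ||
       [ "$(smb_param "$1" "$2" writeable)" = yes ] ||
       [ "$(smb_param "$1" "$2" 'write ok')" = yes ] ||
       [ "$(smb_param "$1" "$2" 'read only')" = no ]; then
        return 0
    fi
    return 1
}

# One finding per line; exit status 1 if there is any finding, else 0.
audit_smbconf() {
    f=$1; found=0
    for s in $(smb_shares "$f"); do
        if [ -z "$(smb_param "$f" "$s" 'hosts allow')" ]; then
            echo "$s: no hosts allow in share or [global]; any host may connect"
            found=1
        fi
        if [ "$(smb_param "$f" "$s" 'guest ok')" = yes ] && share_writable "$f" "$s"; then
            echo "$s: guest ok with write access; anonymous users can modify files"
            found=1
        fi
    done
    return $found
}

# Write a weak and a corrected configuration (constructed samples modelled on
# the shape of Example 14-1) into the directory given.
write_samples() {   # dir
    cat > "$1/weak.conf" <<'EOF'
; constructed sample: no hosts allow, guest-writable public share
[global]
   workgroup = WORKGROUP
   guest account = nobody
   printing = bsd
[homes]
   browseable = no
   writable = yes
[public]
   path = /usr/internet/samba/public
   guest ok = yes
   writable = yes
EOF
    cat > "$1/fixed.conf" <<'EOF'
; constructed sample: restricted to the local network, read-only guest share
[global]
   workgroup = WORKGROUP
   guest account = nobody
   hosts allow = 192.168.1. 127.
   printing = bsd
[homes]
   browseable = no
   writable = yes
[public]
   path = /usr/internet/samba/public
   guest ok = yes
   read only = yes
EOF
}
```

The parser deliberately resolves synonyms (writable, writeable, write ok, and the inverse read only) because a share that sets any one of them is writable even if the audit only looks for the first. Run audit_smbconf on the live smb.conf after each change made through SWAT.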
use the iass user name rather than root. If you specify the name of a user who has read but not write access to smb.conf, SWAT will be able to display the current values but will not be able to modify them. The smb.conf file is a configuration file for the Samba suite. This file consists of several sections and parameters. Each section describes a shared resource, known as a share. The special sections include Global, Homes, and Printers.
From the Configure the Samba Server menu, you can perform the following tasks:
• Display the SWAT home page, which contains pointers to online documentation for the related daemons and components.
• Set global variables in the smb.conf file (see Section 14.4.1.1: Configuring Global Variables)
• Set parameters for shares, as defined in the smb.conf file (see Section 14.4.1.2: Configuring Share Parameters)
• Set parameters for printers (see Section 14.4.1.
1. From the Administration utility Main menu, choose Manage Components.
2. From the Manage Components menu, choose Samba Server.
3. From the Samba Server Administration menu, choose Configure the Samba Server.
4. Click on the Printers icon. The Printer Parameters form displays.
5. Use the Choose Printer drop-down box to select a specific printer. The drop-down box lists printers specified in the local host's printcap file.
password modification. The name entered is resolved into an IP address using the name resolution mechanism used by programs in the Samba suite. For more information on Samba password management, see the smbpasswd(5) reference page.
15 InterNetNews Server Administration
Using the Administration utility, you can set up your news server in the following ways:
• You can use news as a local bulletin board; all information is local to your news server and is not propagated to the external InterNetNews (INN) network. Many Internet Service Providers (ISPs) configure news in this manner.
• You can configure your news server to be a fed site.
Figure 15-1 InterNetNews Administration Menu Note: For information on tuning your system to improve the performance of your news server, visit the following Tru64 UNIX site: http://h30097.www3.hp.com/internet/inn_wp.htm 15.
Figure 15-2 Configuring the INN Server
The fields for configuring a news server are as follows:
• Domain—This field specifies the domain name of your system. By default, the domain name of your system is used. Enter a value in this field only if your system's host name (as stored in the HOSTNAME variable in the /etc/rc.config file) is not domain qualified.
• From Host—This field is optional.
Inform the newsfeed server administrator which news categories, or newsgroups, you want (or do not want) to be fed to your server.
The Display External Newsfeeds page also lists newsfeed hosts, including the dummy newsfeed (see Section 15.3.2: Adding an External Newsfeed), and the flags and parameters that have been set for each. 5. To return to the Configure External Newsfeed menu, use the navigation bar at the top of the screen. 15.3.2 Adding an External Newsfeed The Modify External Newsfeeds form allows you to add a new external newsfeed and specify how incoming articles are to be handled by your news server.
for your site. Use the default subscription list to allow your news server to receive all articles from all newsgroups (except control, local.*, and junk). You can also use these fields to filter out articles from certain newsgroups. For example, to receive all articles from all comp newsgroups, but only the articles from the comp.sources.unix subgroup within the sources newsgroups, specify the following values:
   Send These Newsgroups: comp.*,comp.sources.unix
   Do NOT Send These Newsgroups: comp.sources.
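The two fields are written out as a newsfeeds(5) pattern list, which INN evaluates by wildmat rules: patterns are tried in order, a leading ! negates, and the last pattern that matches decides. Read that way, the example above is the single list comp.*,!comp.sources.*,comp.sources.unix; this is the editor's rendering of the form, which assumes the Do NOT Send entry covers the whole comp.sources hierarchy and that the more specific Send pattern is placed last (the file the utility actually writes is not shown here). The function below is an added example, not part of INN or Internet Express, that reproduces last-match-wins evaluation with shell patterns, which share wildmat's *, ? and [...] syntax (a negated character class is written [!...] in the shell rather than [^...]). The group names it is run against are constructed.

```shell
#!/bin/sh
# Added example: evaluate a comma-separated wildmat pattern list against a
# newsgroup name the way INN's newsfeeds(5) does ("last match wins").
# Not part of INN or Internet Express.

# wildmat PATTERNS GROUP -> prints "yes" if GROUP is selected, else "no".
wildmat() {
    list=$1
    group=$2
    result=no
    # Split on commas without letting the shell glob-expand "*" patterns.
    oldifs=$IFS
    set -f
    IFS=','
    set -- $list
    set +f
    IFS=$oldifs
    for pat in "$@"; do
        case $pat in
            "!"*) neg=yes; pat=${pat#!} ;;
            *)    neg=no ;;
        esac
        # An unquoted $pat in a case label is matched as a shell pattern.
        case $group in
            $pat) if [ "$neg" = yes ]; then result=no; else result=yes; fi ;;
        esac
    done
    echo "$result"
}

# Apply a pattern list to the groups given and print one "group: yes|no"
# line for each.
feed_report() {   # patterns groups...
    pats=$1; shift
    for g in "$@"; do
        echo "$g: $(wildmat "$pats" "$g")"
    done
}

# The subscription from the text: all comp groups, but from the sources
# hierarchy only comp.sources.unix (assumed ordering, see the lead-in).
EXAMPLE_FEED='comp.*,!comp.sources.*,comp.sources.unix'
# The default subscription described in the text: everything except the
# control, local.* and junk groups.
DEFAULT_FEED='*,!control,!local.*,!junk'

# Constructed group names for the demonstration.
feed_report "$EXAMPLE_FEED" comp.lang.c comp.sources.misc comp.sources.unix rec.music.dylan
```

Order matters: if comp.sources.unix were listed before !comp.sources.*, the negation would match last and the group would be dropped. When a feed behaves unexpectedly, run the relevant group names through the list exactly as it appears in the newsfeeds file.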
out.going directory. (On an AlphaServer system, the file is usually /data/spool/news/out.going/newsfeed_hostname.) See the newsfeeds(5) reference page for a detailed explanation of feed types. 8. Click on Submit. When you submit the data on this form, the news server: • Stops and restarts the innd daemon • Sets up the feed using the Defaults for all Newsfeeds settings (see Section 15.3.
Consider using the actsync utility if you:
• Are setting up a news server and need an initial active file as a starting point.
• Have not actively managed the add and remove newsgroup messages in the control newsgroup.
• Discover lots of articles in the junk newsgroup.
• Want to synchronize with your newsfeed.
See the actsync(8) reference page for detailed instructions on using the actsync utility. See the active(5) reference page for more information on the active file.
15.
The Administration utility shows the existing client access definitions, including host matching patterns and access type. You can use the navigation bar at the top of the page to return to the Modify Client Access Groups menu or the InterNetNews Administration menu. 15.4.2 Adding a Client Access Group To add a new client access group, follow these steps: 1. From the Administration utility Main menu, choose Manage Components. 2. On the Manage Components menu, choose InterNetNews. 3.
Table 15-2 Access Groups Form Fields (continued)
Name: Path headers stripped?
    Description: If set to Yes, any Path: header provided by a user in a post is stripped rather than used as the beginning of the Path: header of the article. The default value is No.
Name: Bypass perl Filter?
    Description: If set to No, posts made by these users do not pass through the Perl filter even if it is otherwise enabled. The default is Yes.
6. Click on Delete. The Administration utility displays a message indicating that the client access definition has been removed. 7. To return to the Modify Client Access Groups menu or the InterNetNews Administration menu, use the navigation bar at the top of the screen. 15.4.5 Displaying Client Authentication Groups Use the Configure Client Access menu to display authentication groups. To display client authentication groups follow these steps: 1.
Table 15-3 Client Authentication Groups Menu Fields (continued)
Name: User Authentication Command
    Description: Specifies the command to be executed to authenticate the user making the connection request. This program must be in the /usr/news/bin/auth/passwd directory. This is an optional field and can be left blank.
Name: Key
    Description: A parameter used to check the identity for some specific access groups against the users: parameter.
7. In the list box of existing groups, click on the group that you want to precede or follow the new group in the list. 8. Click on either the Before or After selection field. 9. On the Modify Client Authentication Groups form, modify the data you want to change. 10. Click on Submit. 15.4.6.3 Deleting Client Authentication Groups Use the Configure Client Access menu to delete authentication groups. To delete a client authentication group, follow these steps: 1.
Table 15-4 Options on the Configure Storage Menu
Option: Placement
    Description: Indicates the search order of the group, relative to other methods.
Option: Storage Type
    Description: Indicates either tradspool, cnfs, timecaf, or trash. For a description of these types, see the storage.conf(5) reference page.
Option: Newsgroups in this method
    Description: Indicates the categories of newsgroups that are to be stored using the method. This can be a specific newsgroup, such as rec.music.dylan, or a wildcard list, such as alt.*.
15.5.1.4 Deleting a Storage Method Class
To delete a storage method class, follow these steps:
1. From the Administration utility Main menu, choose Manage Components.
2. On the Manage Components menu, choose InterNetNews.
3. From the InterNetNews Administration menu, choose Configure Storage Options.
4. From the Configure Storage Options menu, choose Configure Storage Method Entries.
5. Choose Modify Storage Method Entries.
   d. In the Size field, enter a value (in kilobytes) for the size of the buffer.
      Note: The buffer is created automatically, at the size specified, if it does not already exist.
   e. Click on Submit.
7. To add a new metacycbuff entry:
   a. Enter a name in the New Metacycbuff field.
   b. Click on Add. The Add Storage Method menu is displayed.
   c. Next to the Uses cycbuff entries label, select the cycbuff entry from the list to be associated with the new metacycbuff entry.
15.5.2.4 Deleting CNFS Entries
To delete CNFS entries, follow these steps:
1. From the Administration utility Main menu, choose Manage Components.
2. On the Manage Components menu, choose InterNetNews.
3. From the InterNetNews Administration menu, choose Configure Storage Options.
4. From the Configure Storage Options menu, choose Configure the CNFS Storage Method.
5. Choose Modify Storage Method Entries. The Modify CNFS Entries menu is displayed, showing the currently defined CNFS entries.
3. From the InterNetNews Administration menu, choose Modify Article Expiration Definitions.
4. From the Modify Article Expiration Definitions menu, choose Display Article Expiration Definitions.
The Administration utility supplies the following default article expiration definitions:
• All newsgroups matching *: Articles with expiration headers are kept for a minimum of one day and a maximum of four days. Articles without expiration headers are kept for four days.
• All newsgroups matching local.
c. buttons in this field to accept the minimum and maximum values specified in the expiration header, or to override either or both values. Flush Article With Expiration Headers—Articles with expiration headers specify a minimum and maximum number of days to keep expired articles. Use the radio buttons in this field to accept the minimum and maximum values specified in the expiration header, or to override either or both values.
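The three numbers behind a definition (the minimum, the value used when an article carries no Expires header, and the maximum) are the keep, default and purge fields of an expire.ctl(5) line, so the first default definition above corresponds to the entry *:A:1:4:4. The functions below are an added example, not part of INN or Internet Express, that apply those fields the way the definition is described: an article's own Expires value is honoured only within the [keep, purge] window, and an article without the header gets the default. Ages and header values are whole days after arrival, and the batch of articles at the end is constructed.

```shell
#!/bin/sh
# Added example: apply an article-expiration definition (expire.ctl keep,
# default and purge values) to an article. Not part of INN or Internet Express.

# retention_days KEEP DEFAULT PURGE [EXPIRES]
# Prints how many days after arrival the article is removed. EXPIRES is the
# number of days after arrival named in the article's Expires header, or
# empty when the article has no such header.
retention_days() {
    keep=$1; default=$2; purge=$3; expires=$4
    if [ -z "$expires" ]; then
        echo "$default"
        return
    fi
    # Honour the header only inside the [keep, purge] window: a poster can
    # neither delete an article early nor keep it past the site's maximum.
    if [ "$expires" -lt "$keep" ]; then
        echo "$keep"
    elif [ "$expires" -gt "$purge" ]; then
        echo "$purge"
    else
        echo "$expires"
    fi
}

# article_expired AGE KEEP DEFAULT PURGE [EXPIRES]
# Exit status 0 when an article AGE days old is due for removal.
article_expired() {
    age=$1; shift
    [ "$age" -ge "$(retention_days "$@")" ]
}

# Walk a batch of articles through one definition and print the decision for
# each. Input fields: id, age in days, Expires in days ("-" for no header).
expire_report() {   # keep default purge
    while read -r id age expires; do
        if [ "$expires" = "-" ]; then
            expires=
        fi
        if article_expired "$age" "$1" "$2" "$3" "$expires"; then
            echo "$id: expire (retained $(retention_days "$1" "$2" "$3" "$expires") days)"
        else
            echo "$id: keep"
        fi
    done
}

# Constructed batch, run against the "*" default definition from the text
# (keep 1, default 4, purge 4).
expire_report 1 4 4 <<'EOF'
a1 3 -
a2 4 -
a3 0 0
a4 1 0
a5 2 30
a6 4 30
a7 2 2
EOF
```

With the default definition, keep and purge are close together, so an Expires header changes very little; the override radio buttons on the form matter more when a definition allows a wide window, for example a local group kept for months.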
6. Modify any or all fields on the Modify Article Expiration Definition form. For more information on the fields on this form, see Section 15.6.2: Adding an Article Expiration Definition.
7. Click on Submit. The Administration utility displays a message indicating that the article expiration definition has been modified. You can use the navigation bar at the top of the page to return to the Modify Article Expiration Definitions menu or the InterNetNews Administration menu.
15.6.
When you create a local newsgroup, use the prefix local. to exclude it from external newsgroups. Choose a name that describes the purpose or content of the information offered by the newsgroup (for example, local.org.research). Do not use spaces in newsgroup names. The Administration utility does not support the creation of external newsgroups. To create a newsgroup that can be accessed by other systems on the INN network, you must use UNIX commands on the command line.
3. From the InterNetNews Administration menu, choose Start/Stop the INN Server.
4. Depending on the current status of the INN server (shown at the top of the page), you can select the following:
   • Stop the INN server—Available when the current status is running. When you click on Stop, the INN server is immediately stopped.
   • Start the INN server—Available when the current status is stopped. When you click on Start, the INN server is immediately started and the configuration files are reloaded.
16 Internet Relay Chat Administration
Internet Relay Chat (IRC) allows users to communicate with each other in real time across a network of Internet servers.
16.1 Configuring IRC
Information on configuring IRC is included in /usr/internet/irc/example.conf on the Internet Express kit. You can customize your Internet Relay Chat (IRC) server by modifying the configuration file, /usr/internet/irc/lib/ircd/ircd.conf. The configuration options are documented in the comments in this file.
17 PostgreSQL Database and MySQL Administration Internet Express provides the PostgreSQL and MySQL database management systems. PostgreSQL is an advanced database server that supports most SQL constructs, including subselects, transactions, and user-defined types and functions. Each PostgreSQL server controls access to a number of databases, storage areas used by the server to partition information.
1. From the Manage Components menu, choose PostgreSQL Database Management System. The Manage PostgreSQL menu is displayed (Figure 17-1). Figure 17-1 Manage PostgreSQL Menu 2. From the Manage PostgreSQL menu, choose Start/Stop PostgreSQL. The current state of the PostgreSQL server is displayed: • To start a stopped server, click on the Start button. • If the server is running, click on Stop to stop the server or Restart to stop and restart the server.
1. From the Manage Components menu, choose PostgreSQL Database Management System. The Manage PostgreSQL menu is displayed (Figure 17-1).
2. On the Manage PostgreSQL menu, choose View PostgreSQL Log. The contents of the log file are displayed, as in Figure 17-3. Use the standard navigation features to advance page by page, go to a specific page, or search for a particular text string.
Figure 17-3 View PostgreSQL Log Page
17.
Table 17-1 PostgreSQL Files and Directories
Directory: /usr/internet/pgsql/man
    Contents: Location of PostgreSQL reference pages.
Directory: /usr/internet/pgsql/doc
    Contents: Location of the PostgreSQL documentation.
Directory: /usr/internet/pgsql/bin/
    Contents: Location of the PostgreSQL commands.
Directory: /usr/internet/pgsql/
    Contents: Home directory of the PostgreSQL account where all files and directories are installed.
Directory: /usr/internet/pgsql/.profile
    Contents: Contains a set of environment variable definitions for running most PostgreSQL commands.
Using the Administration utility, you can set up a crontab entry that runs a vacuum on your entire database at a specified time of day at daily or weekly intervals. The PostgreSQL server must be running for the vacuum to be performed. Although the vacuum can run in parallel with normal database operations (that is, select, insert, update, and delete), HP recommends that you schedule your database to be vacuumed during a low-usage period. To schedule the database vacuum, follow these steps: 1.
Note: The crontab entry that you created using the Setup Vacuum Crontab form should only be edited from the Administration utility. Directly editing this entry in the crontab file, or adding further entries that call /usr/internet/pgsql/bin/ix_vacuumdb, can produce errors. If you want to create custom crontab entries for vacuuming your database, set the command for your crontab entry to call /usr/internet/pgsql/bin/vacuumdb instead. See the reference pages for crontab and vacuumdb for more information.
2. The requested shared memory segment was too small for your system. You need to lower the SHMMIN parameter in your kernel.
3. The requested shared memory segment already exists but is of the wrong size. This is most likely the case if an old version of PostgreSQL crashed and didn't clean up. The `ipcclean' utility can be used to remedy this.
The PostgreSQL Administrator's Guide contains more information about shared memory configuration.
17.7.1 Directories and Files Established by MySQL Installation The MySQL installation procedure includes compiling, initializing, starting the server, and creating a database. MySQL is installed in /usr/internet/mysql/. A /usr/local/mysql symbolic link is created to duplicate the MySQL default installation path. The MySQL installation creates an account called mysql and the daemon is started by the mysql user.
17.7.4 MySQL Configuration Files
The file /etc/my.cnf stores default startup options for both the server and for clients. To ensure the proper configuration of this file, the MySQL developers have included four sample my.cnf files within the distribution:
• my-huge.cnf.sh
• my-large.cnf.sh
• my-medium.cnf.sh
• my-small.cnf.sh
Each of these files denotes recommended configuration settings in accordance with system resource availability. These files are available under /usr/local/mysql/share/mysql.
17.7.
18 BIND Domain Name Server Administration The Domain Name System (DNS) is a hierarchical, distributed database that stores information for mapping Internet host names to IP addresses and vice versa. It also stores mail routing information and other data used by Internet applications. The Internet Express version of the Berkeley Internet Name Domain (BIND) implements a domain name server for the Tru64 UNIX operating system.
Table 18-1 BIND Files and Directories (continued)
Directory: /usr/share/man/
    Contents: Location of BIND reference pages.
Directory: /usr/include/bind9
    Contents: BIND Version 9.2.0 header files. Existing header files for older versions of BIND are not overwritten. These files are placed in a subdirectory under the bind9 directory.
Table 18-2 describes the contents of the binary file directories.
Table 18-2 BIND Binary File Directories (continued)
File: /usr/bin/dig
    Description: DNS lookup utility. dig (domain information groper) interrogates DNS name servers: it performs DNS lookups and displays the answers that are returned from the name server (or servers) that were queried. Most DNS administrators use dig to troubleshoot DNS problems because of its flexibility, ease of use, and clarity of output. Other lookup tools tend to have less functionality than dig.
/etc/namedb9. The network administrator will need to either remove the directory statement to permit named9 to read files from its default location (/etc/namedb9) or the administrator may update this statement to reflect the new location. By default, the named daemon is built to read files from the sbin/init.d/ directory. You can change this default with an options statement in your named.conf file. If you cluster a standalone system, you must rerun /usr/sbin/bind9enable.
• roadmap — Provides a roadmap to the BIND Version 9.2.0 source tree.
• sdb — Describes how to use and maintain the BIND Version 9.2.0 Simplified Database Interface, which allows you to extend BIND with new ways of obtaining the data published as DNS zones.
Reference pages for BIND are available from the Internet Express Reference Pages. You can also access them from /usr/share/man/.
Documentation for setting up a dynamic domain name server using BIND Version 9.2.
A Sendmail Supplemental Information
This appendix includes the following Sendmail information:
• How to create a certificate authority (Section A.1: Creating a Certificate Authority)
• Background on OpenSSL certificate creation (Section A.2: Background - OpenSSL Certificate Creation)
• A sample mail filter (Section A.3: Mail Filter Example)
A.1 Creating a Certificate Authority
Local SSL certificates can be created using the security software included in the Sendmail subset of Internet Express.
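The procedure itself is not reproduced on this page. As an added example, not the Internet Express procedure, the following script carries the same task through with the openssl(1) command line: a self-signed certificate authority, a key and certificate for the mail host signed by that authority, and a verification step. The directory, the subject names and the host name mail.example.com are assumptions made for the example, and the lifetimes and key sizes are choices rather than values from this document.

```shell
#!/bin/sh
# Added example: create a private certificate authority and a server
# certificate for Sendmail TLS with openssl(1). Not part of Internet Express.
# All paths and names are illustrative.

# make_ca DIR: self-signed CA certificate and key in DIR.
make_ca() {
    d=$1
    mkdir -p "$d"
    chmod 700 "$d"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/O=Example Site/CN=Example Site Mail CA" \
        -keyout "$d/cakey.pem" -out "$d/cacert.pem" >/dev/null 2>&1
    # The CA key signs every server certificate; keep it unreadable to others.
    chmod 600 "$d/cakey.pem"
}

# make_server_cert DIR HOST: key, CSR and CA-signed certificate for HOST.
make_server_cert() {
    d=$1; host=$2
    openssl req -newkey rsa:2048 -nodes \
        -subj "/O=Example Site/CN=$host" \
        -keyout "$d/$host.key" -out "$d/$host.csr" >/dev/null 2>&1
    chmod 600 "$d/$host.key"
    # Clients match the host name against subjectAltName, so add it when
    # signing; "x509 -req" does not copy extensions from the CSR by default.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" > "$d/$host.ext"
    openssl x509 -req -in "$d/$host.csr" -days 365 \
        -CA "$d/cacert.pem" -CAkey "$d/cakey.pem" -CAcreateserial \
        -extfile "$d/$host.ext" -out "$d/$host.crt" >/dev/null 2>&1
}

# verify_chain DIR HOST: exit 0 if HOST's certificate chains to the CA.
verify_chain() {
    openssl verify -CAfile "$1/cacert.pem" "$1/$2.crt" >/dev/null 2>&1
}

# cert_san DIR HOST: print the DNS names in the certificate, for inspection.
cert_san() {
    openssl x509 -in "$1/$2.crt" -noout -ext subjectAltName 2>/dev/null \
        | sed -n 's/.*DNS:\([^,]*\).*/\1/p'
}
```

Point the Sendmail TLS options at cacert.pem, the host certificate and the host key; hand only cacert.pem to clients that should trust the server, and never the CA key.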
#include "libmilter/mfapi.
        return SMFIS_TEMPFAIL;
    }
    /* continue processing */
    return SMFIS_CONTINUE;
}

sfsistat
mlfi_eom(ctx)
    SMFICTX *ctx;
{
    return mlfi_cleanup(ctx, true);
}

sfsistat
mlfi_close(ctx)
    SMFICTX *ctx;
{
    return SMFIS_ACCEPT;
}

sfsistat
mlfi_abort(ctx)
    SMFICTX *ctx;
{
    return mlfi_cleanup(ctx, false);
}

sfsistat
mlfi_cleanup(ctx, ok)
    SMFICTX *ctx;
    bool ok;
{
    sfsistat rstat = SMFIS_CONTINUE;
    struct mlfiPriv *priv = MLFIPRIV;
    char *p;
    char host[512];
    char hbuf[1024];

    if (priv == NULL)
        return rstat;

    /* close the archive file
int
main(argc, argv)
    int argc;
    char *argv[];
{
    bool setconn = false;
    int c;
    const char *args = "p:";

    /* Process command line options */
    while ((c = getopt(argc, argv, args)) != -1)
    {
        switch (c)
        {
          case 'p':
            if (optarg == NULL || *optarg == '\0')
            {
                (void) fprintf(stderr, "Illegal conn: %s\n", optarg);
                exit(EX_USAGE);
            }
            (void) smfi_setconn(optarg);
            setconn = true;
            break;
        }
    }
    if (!setconn)
    {
        fprintf(stderr, "%s: Missing required -p argument\n", argv[0]);
        exit(EX_USAGE);
    }
    if (smfi_register(smfilter) == MI_FAILU
Glossary
Access filtering
    The preferred means of filtering IP packets at a system, router, gateway, or firewall on Tru64 UNIX operating systems. Access filtering is the means for implementing Ingress and Egress filtering. See also Ingress filtering and Egress filtering.
Administrative domain
    The set of systems or networks over which you have administrative control.
Apache Web Server
    A freely available UNIX-based Web server. It is currently the most commonly used server on Internet connected sites.
Domain Name System
    See DNS.
DoS
    Denial of Service. Interruptions to Internet service caused by a DoS attack.
DoS attack
    An attack against a Web site, a network, a system, or other service provider intended to disrupt its ability to provide services to its users. Software that performs a DoS attack (DoS software) overloads the service provider with requests for service until its capacity to respond to new service requests is exceeded.
Multipurpose Internet Mail Extensions
    See MIME.
MX record
    Mail Exchange Record. A Domain Name System (DNS) resource record type, indicating which host can handle electronic mail for a particular domain.
Network News Transfer Protocol
    See NNTP.
newsgroup
    A hierarchical subject category into which InterNetNews articles are organized.
NNTP
    Network News Transfer Protocol. A protocol for the distribution, inquiry, retrieval, and posting of Usenet news articles over the Internet.
TCP/IP
    Transmission Control Protocol/Internet Protocol. The Internet protocol family, first widely deployed in 4.2 BSD UNIX. While TCP and IP specify two protocols, the combined term is used to refer to the entire Department of Defense protocol suite, including telnet and FTP. See also FTP, LDAP, TELNET protocol.
TELNET Protocol
    The Internet standard protocol for remote logins. UNIX BSD includes the telnet program, which uses the protocol, and acts as a terminal emulator for remote login sessions.
Index Symbols .users.list file, 45, 60 managing, 61 removing, 61 /usr/news/etc/moderators file, 233 A access database configuring, 107 preserving quotation marks and escape characters in keys, 109 preventing conversion of keys to lowercase, 109 preventing database lookup, 109 specifying pathname, 109 access.
displaying entries, 245 modifying entries, 246 Cocoon Servlet administration, 169 disabling, 169 enabling, 169 managing, 169 viewing log files, 169 Computer Emergency Response Team (see CERT) Computer Incident Advisory Capability (see CIAC) Computer Security Resource Clearinghouse (see CSRC) config.
deleting, 54 specifying parent directory, 49 storing in LDAP directory, 49 GIDs assigning users, 52 GnuPG Web site, 36 group, 47 (see also IASS_Usr group) (see also Lkr_Usr_ group) adding accounts to, 47 assigning GIDs, 52 creating, 48, 52 primary for UNIX users, 48 storing in LDAP directory, 52 User Self-Administration feature, 66 H Hewlett-Packard Company AlphaServer products and services Web site, 35 Horde Application framework, 140 managing settings, 151 host alias creating, 95 deleting, 95 masqueradin
modifying an external newsfeed, 237 modifying article expiration definition, 249 modifying client authentication groups, 242 modifying CNFS entries, 246 modifying expired article retention period, 250 modifying newsfeed defaults, 237 nnrpd daemon, 232 reloading configuration file, 251 removing a client access definition, 240 removing an external newsfeed, 237 specifying configuration data, 232 starting, 251 updating local active file, 237 updating the active configuration file, 234 viewing log files, 251 We
sample, 271 mail server configuring for virtual domains, 104 creating host alias, 95 creating pseudo domain alias, 97 deleting host alias, 95 deleting pseudo domain alias, 97 mail server log (IMAP), 139 mail server log (POP), 136 mail server log (SMTP), 122 mail service APOP with encrypted password, 60 changing, 57 Cyrus IMAP, 59 Cyrus IMAP with password, 59 POP with password, 58 regular delivery, 58 types, 57 mail transport agent integration with bogofilter, 132 mailbox configuring access, 121 mailcv utili
using configuration files, 214 using registration files, 214 Web site, 38 N named captive user account changing mail service, 57 changing password, 56 changing secondary groups, 55 creating, 48 deleting, 54 specifying parent directory, 48 storing in LDAP directory, 48 netconfig utility, 175 netsetup utility, 175 network service access options, 173 newsgroup creating local, 250 deleting local, 251 managing local, 250 NIS importing users, 81 nnrpd daemon, 232 noncaptive user account assigning shell, 51 chang
Pure-FTP Server, 219 administering, 219 enabling and disabling, 219 Web site, 39 Q queue groups configuring for Sendmail, 114 R rc.config file, 233 reference pages modified mailcv command, 138 registration form online, 27 relational database management system (see PostgreSQL) relative distinguished name, 201 remote access Internet Monitor Administration Server, 163 S Samba File and Print Server, 223 (see also smb.
T TCP security testing modifications, 173 TCP Wrapper adding service to list, 172 administration, 171 controlling access to other network services, 172 default access to network services, 171 modifying access, 172 testing security modifications, 173 Web site, 40 TIN Web site, 40 TLS configuring, 117 Tomcat, 169 Web site, 40 TruCluster Server administration notes, 30 Transport Layer Security (see TLS) Turba addressbook/contact management program, 140 managing, 153 U UDDI administration, 167 UDDI4J Java class