Linux Setup: Difference between revisions

From bibbleWiki

Revision as of 03:18, 31 March 2021

Fix BCM BCM43142A0 (0a5c:216)

Well, this was tougher than expected, but not too tough for me. First I tried to use the drivers on https://github.com/winterheart/broadcom-bt-firmware
The instructions were

  • get the appropriate hcd file and reboot
  • copy it to /lib/firmware
  • reboot
  • Look for Bluetooth. This is what bad looks like
Mar 17 01:15:20 BILL kernel: [ 2205.631184] Bluetooth: hci0: BCM: chip id 70
Mar 17 01:15:20 BILL kernel: [ 2205.632142] Bluetooth: hci0: BCM: features 0x06
Mar 17 01:15:20 BILL kernel: [ 2205.648147] Bluetooth: hci0: BILL
Mar 17 01:15:20 BILL kernel: [ 2205.648155] Bluetooth: hci0: BCM43142A0 (001.001.011) build 0000
Mar 17 01:15:20 BILL kernel: [ 2205.649174] Bluetooth: hci0: BCM: firmware Patch file not found, tried:
Mar 17 01:15:20 BILL kernel: [ 2205.649180] Bluetooth: hci0: BCM: 'brcm/BCM43142A0-0a5c-216c.hcd'
Mar 17 01:15:20 BILL kernel: [ 2205.649183] Bluetooth: hci0: BCM: 'brcm/BCM-0a5c-216c.hcd'
Mar 17 01:15:22 BILL kernel: [ 2207.661039] Bluetooth: hci0: command 0x1003 tx timeout
Mar 17 01:15:22 BILL kernel: [ 2207.662104] Bluetooth: hci0: unexpected event for opcode 0x1003
Mar 17 01:16:01 BILL kernel: [ 2246.952482] Bluetooth: hci0: urb 0000000034f8d926 failed to resubmit (2)
Mar 17 01:16:01 BILL kernel: [ 2246.952491] Bluetooth: hci0: urb 00000000f20ac1f5 failed to resubmit (2)

Well let's pretend the sun went down, came up and went down again as I googled my way to getting this working. Knowing what good looks like is the key. I did not

So originally I thought the site had taken the hex files found in the drivers and converted them to hcd. They may well have done, but it did not work. So once I found out that this was what bad looks like, this is what I did

  • Found the drivers online: bluetooth_Win7-8-8-1_V6515800_12009860.zip
  • Unzip and look for PID_216C (the id of the card)
  • This will give a list of files. Look for the most sensible; in my case (Win64) it was Bluetooth_Win7-8-8-1_V6515800_12009860/Win8_Win81/Win64/bcbtums-win8x64-brcm.inf
  • Look for the right hex file by again searching for the PID
  • In the section ;;;;;;;;;;;;;RAMUSB216C;;;;;;;;;;;;;;;;; only one hex file is listed
  • This is BCM43142A0_001.001.011.0197.0233.hex
  • Convert it to an hcd file with hex2hcd BCM43142A0_001.001.011.0197.0233.hex -o BCM43142A0-0a5c-216c.hcd
  • Copy the file to /lib/firmware/brcm
  • Reboot and cross fingers
  • Attempt at your own risk; I believe it is also illegal, so don't do it

This is what good looks like

Mar 17 01:24:10 BILL kernel: [   24.611457] Bluetooth: Core ver 2.22
Mar 17 01:24:10 BILL kernel: [   24.611489] Bluetooth: HCI device and connection manager initialized
Mar 17 01:24:10 BILL kernel: [   24.611493] Bluetooth: HCI socket layer initialized
Mar 17 01:24:10 BILL kernel: [   24.611495] Bluetooth: L2CAP socket layer initialized
Mar 17 01:24:10 BILL kernel: [   24.611499] Bluetooth: SCO socket layer initialized
Mar 17 01:24:10 BILL kernel: [   25.253630] Bluetooth: hci0: BCM: chip id 70
Mar 17 01:24:10 BILL kernel: [   25.254629] Bluetooth: hci0: BCM: features 0x06
Mar 17 01:24:10 BILL kernel: [   25.270595] Bluetooth: hci0: BILL
Mar 17 01:24:10 BILL kernel: [   25.270599] Bluetooth: hci0: BCM43142A0 (001.001.011) build 0233
Mar 17 01:24:10 BILL kernel: [   25.508569] Bluetooth: hci0: BCM43142A0 'brcm/BCM43142A0-0a5c-216c.hcd' Patch
Mar 17 01:24:10 BILL kernel: [   26.108639] Bluetooth: hci0: Broadcom 43142 Bluetooth 4.0 Adapter
Mar 17 01:24:10 BILL kernel: [   26.108643] Bluetooth: hci0: BCM43142A0 (001.001.011) build 0233
Mar 17 01:24:13 BILL systemd[1]: Started Bluetooth service.
Mar 17 01:24:13 BILL systemd[1]: Reached target Bluetooth.
Mar 17 01:24:13 BILL kernel: [   39.740491] Bluetooth: BNEP (Ethernet Emulation) ver 1.3
Mar 17 01:24:13 BILL kernel: [   39.740493] Bluetooth: BNEP filters: protocol multicast
Mar 17 01:24:13 BILL kernel: [   39.740499] Bluetooth: BNEP socket layer initialized
Mar 17 01:24:13 BILL bluetoothd[699]: Bluetooth management interface 1.17 initialized
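As an added example (not part of the original notes), here is a small Python script that classifies kernel log lines like the two captures above: it reports per HCI device whether the BCM patch loaded, which .hcd names the driver tried when it did not, how many command timeouts followed, and the firmware build numbers seen (build 0000 in the bad capture, 0233 once the patch applied). The function names are my own and the embedded sample lines are constructed excerpts of the logs on this page.

```python
import re

# Constructed excerpts of the "bad" and "good" kernel logs shown above.
BAD_LOG = """\
Mar 17 01:15:20 BILL kernel: [ 2205.648155] Bluetooth: hci0: BCM43142A0 (001.001.011) build 0000
Mar 17 01:15:20 BILL kernel: [ 2205.649174] Bluetooth: hci0: BCM: firmware Patch file not found, tried:
Mar 17 01:15:20 BILL kernel: [ 2205.649180] Bluetooth: hci0: BCM: 'brcm/BCM43142A0-0a5c-216c.hcd'
Mar 17 01:15:20 BILL kernel: [ 2205.649183] Bluetooth: hci0: BCM: 'brcm/BCM-0a5c-216c.hcd'
Mar 17 01:15:22 BILL kernel: [ 2207.661039] Bluetooth: hci0: command 0x1003 tx timeout
"""

GOOD_LOG = """\
Mar 17 01:24:10 BILL kernel: [   25.270599] Bluetooth: hci0: BCM43142A0 (001.001.011) build 0233
Mar 17 01:24:10 BILL kernel: [   25.508569] Bluetooth: hci0: BCM43142A0 'brcm/BCM43142A0-0a5c-216c.hcd' Patch
Mar 17 01:24:10 BILL kernel: [   26.108639] Bluetooth: hci0: Broadcom 43142 Bluetooth 4.0 Adapter
"""

# A file name the driver tried and failed to open.
TRIED_RE = re.compile(r"Bluetooth: (hci\d+): BCM: '([^']+\.hcd)'")
# The patch file that was actually applied.
LOADED_RE = re.compile(r"Bluetooth: (hci\d+): \S+ '([^']+\.hcd)' Patch")
# Chip name, firmware version and build number.
BUILD_RE = re.compile(r"Bluetooth: (hci\d+): (\S+) \(([\d.]+)\) build (\d+)")
TIMEOUT_RE = re.compile(r"Bluetooth: (hci\d+): command 0x[0-9a-f]+ tx timeout")


def bcm_firmware_status(log_text):
    """Return {device: {state, patch, tried, builds, timeouts}} from kernel log text."""
    devices = {}

    def dev(name):
        return devices.setdefault(
            name, {"state": "unknown", "patch": None, "tried": [], "builds": [], "timeouts": 0})

    for line in log_text.splitlines():
        m = LOADED_RE.search(line)
        if m:
            d = dev(m.group(1))
            d["state"], d["patch"] = "loaded", m.group(2)
            continue
        m = TRIED_RE.search(line)
        if m:
            d = dev(m.group(1))
            d["state"] = "missing"
            d["tried"].append(m.group(2))
            continue
        m = BUILD_RE.search(line)
        if m:
            dev(m.group(1))["builds"].append(int(m.group(4)))
            continue
        m = TIMEOUT_RE.search(line)
        if m:
            dev(m.group(1))["timeouts"] += 1
    return devices


def required_firmware(log_text):
    """Map each device whose patch is missing to the first filename the driver looked for."""
    return {name: info["tried"][0]
            for name, info in bcm_firmware_status(log_text).items()
            if info["state"] == "missing" and info["tried"]}


if __name__ == "__main__":
    print(required_firmware(BAD_LOG))   # which .hcd to place under /lib/firmware
    print(bcm_firmware_status(GOOD_LOG))
```

Feed it the output of journalctl -k; the first entry in tried is the path the driver expects relative to /lib/firmware, which is why the converted file above is named BCM43142A0-0a5c-216c.hcd and placed in the brcm subdirectory.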

Zoom

You need to download the zoom.deb from the site

apt install libgl1-mesa-glx libegl1-mesa libxcb-xtest0   libxcb-xinerama0
sudo apt install gdebi
sudo dpkg -i ~/Download/zoom.deb

Making fakecam work: add this to /var/lib/snapd/apparmor/profiles/snap.fakecam.fakecam

@{PROC}/@{pid}/mounts r,
# and
/sys/fs/cgroup/cpuset/cpuset.cpus r,

Reload with

sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap.fakecam.fakecam

Gimp

Install flatpak

To install Gimp we need to install flatpak. We can do this with

sudo apt install flatpak

Add Repositories

We then add the repositories. We need the beta for Gimp and the normal one for dependencies

flatpak remote-add --user flathub-beta https://flathub.org/beta-repo/flathub-beta.flatpakrepo
flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo

# List repositories with
flatpak remote-list

Install Software

At the time I needed org.gnome.Platform//3.38. To find out which one you need, you can install in reverse order, i.e.

flatpak install --user flathub-beta org.gimp.GIMP

Then install the software

# From flathub
flatpak install flathub org.gnome.Platform//3.28
# From flathub-beta
flatpak install --user flathub-beta org.gimp.GIMP

Network Stuff

ip link list eno1
ip link set eno1 down
ip link set eno1 up
netplan apply

Set up Monitors

Change ~/.config/monitors.xml, test it, and copy it to the gdm user with

sudo cp ~/.config/monitors.xml /var/lib/gdm3/.config/
sudo chown gdm:gdm /var/lib/gdm3/.config/monitors.xml

My monitor 2020-09-07

<monitors version="2">
  <configuration>
    <logicalmonitor>
      <x>0</x>
      <y>0</y>
      <scale>1</scale>
      <transform>
        <rotation>left</rotation>
        <flipped>no</flipped>
      </transform>
      <monitor>
        <monitorspec>
          <connector>DVI-D-0</connector>
          <vendor>DEL</vendor>
          <product>DELL U2412M</product>
          <serial>9W5YH33E2ECS</serial>
        </monitorspec>
        <mode>
          <width>1920</width>
          <height>1200</height>
          <rate>59.950172424316406</rate>
        </mode>
      </monitor>
    </logicalmonitor>
    <logicalmonitor>
      <x>2400</x>
      <y>0</y>
      <scale>1.25</scale>
      <primary>yes</primary>
      <monitor>
        <monitorspec>
          <connector>HDMI-0</connector>
          <vendor>AOC</vendor>
          <product>V27t</product>
          <serial>0x01010101</serial>
        </monitorspec>
        <mode>
          <width>1920</width>
          <height>1080</height>
          <rate>60</rate>
        </mode>
      </monitor>
    </logicalmonitor>
  </configuration>
</monitors>

Set up Apache HSTS

In Apache 2 000-default.conf

<VirtualHost *:80> 
ServerName example.com 
Redirect permanent / https://example.com/
</VirtualHost>

In Apache 2 default-ssl.conf

Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
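Added example, not from the original notes: a Python checker for the Strict-Transport-Security header, so you can confirm what Apache actually sends after the change above. It parses the value per RFC 6797 (directive names are case-insensitive, max-age is required, a repeated directive makes the whole header invalid, unknown directives are ignored, and a trailing semicolon as in the Apache line above is tolerated) and reports anything weaker than a one-year policy that covers subdomains. The function names are my own and the sample HTTP response is constructed.

```python
import re

ONE_YEAR = 31536000  # seconds; the usual floor for a useful HSTS policy

# Constructed response head, as captured with "curl -sI https://example.com/".
SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
Date: Wed, 31 Mar 2021 03:18:00 GMT
Server: Apache/2.4
Strict-Transport-Security: max-age=63072000; includeSubdomains;
Content-Type: text/html
"""


def parse_hsts(value):
    """Parse an STS header value (RFC 6797 section 6.1) into a policy dict or raise ValueError."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue  # empty directive, e.g. from a trailing ';'
        name, _, val = token.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name in seen:
            raise ValueError("duplicate directive: " + name)
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"\d+", val):
                raise ValueError("max-age must be a non-negative integer")
            policy["max_age"] = int(val)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # any other directive is ignored, as the RFC requires
    if policy["max_age"] is None:
        raise ValueError("max-age directive missing")
    return policy


def hsts_findings(value, min_age=ONE_YEAR):
    """Return a list of weaknesses; an empty list means the header is acceptable."""
    try:
        policy = parse_hsts(value)
    except ValueError as exc:
        return ["invalid header: %s" % exc]
    findings = []
    if policy["max_age"] == 0:
        findings.append("max-age=0 disables HSTS for this host")
    elif policy["max_age"] < min_age:
        findings.append("max-age %d is below %d" % (policy["max_age"], min_age))
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains not set: subdomains stay unprotected")
    return findings


def hsts_from_response(head):
    """Pull the STS header value out of an HTTP response head; None if absent."""
    for line in head.splitlines():
        name, sep, val = line.partition(":")
        if sep and name.strip().lower() == "strict-transport-security":
            return val.strip()
    return None


if __name__ == "__main__":
    value = hsts_from_response(SAMPLE_RESPONSE)
    print(value, hsts_findings(value))
```

Pipe the head of a real response in place of SAMPLE_RESPONSE; note the header only counts when it is sent over HTTPS, which is why the port-80 VirtualHost above only redirects and does not set it.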

One-time setups on 19.04 upwards

To add scaling

gsettings set org.gnome.mutter experimental-features "['x11-randr-fractional-scaling']"

Auto hide taskbar

Go to settings->dock->auto-hide the dock

Hide top bar

sudo apt install gnome-shell-extension-autohidetopbar
  • log out
  • log in
  • run gnome-tweak
  • extension->Hide top bar

One-time setups on 20.04 upwards

MediaWiki

Create database

 CREATE DATABASE my_wiki;
 CREATE USER 'newuser'@'localhost' IDENTIFIED BY 'password';
 GRANT ALL PRIVILEGES ON *.* TO 'newuser'@'localhost';

Restore database

 mysql -u root -p XXXX < db_backup_XXXX_23_10_2019_04_21_44

Copy Wiki files

 cp <backup>/mediawiki /var/lib/mediawiki

Postfix

Create database

 CREATE DATABASE mail;
 CREATE USER 'newuser'@'localhost' IDENTIFIED BY 'password';
 GRANT ALL PRIVILEGES ON mail.* TO 'newuser'@'localhost' WITH GRANT OPTION;
 mysql -u root -p XXXX < db_backup_my_XXXX_23_10_2019_04_21_44

Setup mail user and directory

 cd /var
 ln -s /mnt/<RAID ARRAY>/vmail .

 groupadd -g 5000 vmail
 useradd -m -d /var/vmail -s /bin/false -u 5000 -g vmail vmail

Setup Certificates for SSL

 systemctl stop apache2
 apt-get install python3-certbot-apache

 certbot -n  --agree-tos --standalone certonly -d www.bibble.co.nz
 certbot -n  --agree-tos --standalone certonly -d mail.bibble.co.nz
 certbot -n  --agree-tos --standalone certonly -d imap.bibble.co.nz

Install postfix

 apt-get install postfix
 apt-get install postfix-mysql 
 apt-get install postfix-policyd-spf-python
 apt-get install postgrey 
 apt-get install sasl2-bin libsasl2.2 libsasl2-modules

Install opendkim

apt-get install opendkim
cp -r /backup/etc/opendkim /etc
# Change /etc/opendkim.conf
Socket    local:/var/spool/postfix/opendkim/opendkim.sock
# Change /etc/default/opendkim
Socket    local:/var/spool/postfix/opendkim/opendkim.sock
# Change /etc/postfix/main.cf
 smtpd_milters = local:opendkim/opendkim.sock

Install Amavisd and SpamAssassin

apt-get install amavisd-new spamassassin \
      clamav clamav-daemon unzip bzip2 libnet-ph-perl \
      libnet-snpp-perl libnet-telnet-perl nomarch lzop


In /etc/amavis/conf.d/15-content_filter_mode uncomment

@bypass_virus_checks_maps = (
   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);

Add to postfix

 postconf -e 'content_filter = amavis:[127.0.0.1]:10024'
 postconf -e 'receive_override_options = no_address_mappings'


systemctl restart amavis
systemctl restart clamav-daemon
systemctl restart postfix

usermod -a -G clamav amavis
usermod -a -G amavis clamav

Change /etc/amavis/conf.d/05-node_id to have

05-node_id:$myhostname = "denise.bibble.

Dovecot

apt install dovecot-imapd dovecot-pop3d
apt install dovecot-sieve dovecot-solr dovecot-antispam
apt-get install dovecot-mysql
apt-get install dovecot-lmtpd

Setting netplan to render through network manager

network:
    version: 2
    renderer: NetworkManager
    ethernets:
        enp4s0:
            addresses: [10.1.1.70/24]
            gateway4: 10.1.1.99
            nameservers:
                    search: [bibble.local] 
                    addresses: [10.10.1.2]
            dhcp4: no

Setting up repo for current packages on ubuntu

Get the list of installed packages

$ apt list --installed > install.list

Then translate it into apt understandable format:

$ sed -r  's/ \[.*?\]//g' install.list | sed -r 's/(^.*?)\/.*?[ ](.*?)[ ](.*?)$/\1:\3=\2/g' > install.list.to.dl

Then download the current packages versions:

$ xargs apt download < install.list.to.dl

You would need to create a Packages.gz file in order to add this folder as a source for apt. E.g.

$ cd ~/deb_server/debs/
$ dpkg-scanpackages -m . /dev/null | gzip -9c >  Packages.gz  

EDIT: the path given to dpkg-scanpackages must be relative, otherwise this will break the download process later (-m allows you to have multiple versions; if you only want the most recent version, remove the -m). Now you have to bring up a file server, for example apache2, and configure it to index files.

/etc/apache2/sites-enabled/000-debserver.conf

Containing:

DocumentRoot /var/www
  <Directory /var/www/>
    Options +Indexes +FollowSymLinks
    Require all granted
  </Directory>

And finally you need to symlink the deb folder to /var/www. (Or configure the server to the current deb download location) e.g.

$ ln -s ~/deb_server/debs/ /var/www/repo

The last bit is to add the server machine as the only source for apt updates on each target machine.

deb [trusted=yes] http://deb_server_ip/repo /

If you want to update the packages, you need to re-run apt download of the list, but without the version.

$ sed -r  's/ \[.*?\]//g' install.list | sed -r 's/(^.*?)\/.*?[ ](.*?)[ ](.*?)$/\1:\3/g' > install.list.for.update
$ apt update && xargs apt download < install.list.for.update

Setting up IoT Edge on 19.04

Not yet released so here is how to do it

Install docker

wget https://packages.microsoft.com/ubuntu/18.04/multiarch/prod/pool/main/i/iotedge/iotedge_1.0.8-2_amd64.deb
wget https://packages.microsoft.com/ubuntu/18.04/multiarch/prod/pool/main/libi/libiothsm-std/libiothsm-std_1.0.8-1_amd64.deb
wget http://archive.ubuntu.com/ubuntu/pool/main/o/openssl1.0/libssl1.0.0_1.0.2n-1ubuntu5.3_amd64.deb

Fixing ubuntu 19.04 mouse

Install kernel 5.2.x

Certificates

Initial

 apt-get install software-properties-common python-software-properties
 add-apt-repository ppa:certbot/certbot
 apt-get update
 apt-get install python-certbot-apache 

 certbot -n  --agree-tos --standalone certonly -d <site1.domain.com>
 certbot -n  --agree-tos --standalone certonly -d <site2.domain.com>

Renew

certbot -n  --agree-tos --standalone certonly -d <site1.domain.com>
systemctl restart dovecot
systemctl restart apache2

Building r8168

This is not necessary as you can use the command

apt-get install r8168-dkms

Updating DNS

This script runs in crontab once every 15 minutes

#!/bin/bash
lynx -source -auth=user_xxx:pass_xxxx 'http://dynamic.zoneedit.com/auth/dynamic.html?host=bibble.co.nz'
lynx -source -auth=user_xxx:pass_xxxx 'http://dynamic.zoneedit.com/auth/dynamic.html?host=denise.bibble.co.nz'
lynx -source -auth=user_xxx:pass_xxxx 'http://dynamic.zoneedit.com/auth/dynamic.html?host=www.bibble.co.nz' 
lynx -source -auth=user_xxx:pass_xxxx 'http://dynamic.zoneedit.com/auth/dynamic.html?host=sync.bibble.co.nz'

Backup MySQL

I use the following script to back up the databases

#!/bin/sh

myBackupFolder="/home/iwiseman/backups"
myBackupLogFileName="$myBackupFolder/backup_log_$(date +'%Y_%m').txt"

DoBackup()
{
        myDatabaseName=$1

        myCurrentDateTime="$(date +'%d_%m_%Y_%H_%M_%S')"
        myBackupFileName="db_backup_${myDatabaseName}_${myCurrentDateTime}.gz"
        myFullyQualifiedBackupFileName="$myBackupFolder/$myBackupFileName"

        echo "mysqldump of $myDatabaseName started at $(date +'%d-%m-%Y %H:%M:%S')" >> "$myBackupLogFileName"
        # A password passed on the command line is visible in the process list while the dump runs;
        # mysqldump can also read it from a mode-0600 option file (--defaults-extra-file).
        mysqldump --user=root --password=xxxx --default-character-set=utf8 --single-transaction "$myDatabaseName" | gzip > "$myFullyQualifiedBackupFileName"
        echo "mysqldump of $myDatabaseName finished at $(date +'%d-%m-%Y %H:%M:%S')" >> "$myBackupLogFileName"

        chown iwiseman "$myFullyQualifiedBackupFileName"
        chown iwiseman "$myBackupLogFileName"
        echo "file permission changed" >> "$myBackupLogFileName"

        # Quote the pattern so the shell does not expand it against the current directory
        find "$myBackupFolder" -name 'db_backup_*' -mtime +8 -exec rm {} \;
        echo "old files deleted" >> "$myBackupLogFileName"

        echo "operation finished at $(date +'%d-%m-%Y %H:%M:%S')" >> "$myBackupLogFileName"
        echo "*****************" >> "$myBackupLogFileName"
}


DoBackup mail
DoBackup wordpress424

exit 0

Fix Playstation

This works when enp1s0 is the interface of the second NIC and enp2s0 is the main NIC.

To fix the playstation create the following script

 #!/bin/bash
 # Let the kernel forward packets between the two NICs
 echo 1 > /proc/sys/net/ipv4/ip_forward
 # Masquerade traffic leaving the upstream interface (eth0 here; use the name of the NIC that leads to the Internet)
 iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
 # Allow replies to established connections back from enp1s0 to enp2s0
 iptables -A FORWARD -i enp1s0 -o enp2s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
 # Allow anything arriving on enp2s0 to be forwarded out of enp1s0
 iptables -A FORWARD -i enp2s0 -o enp1s0 -j ACCEPT

Put this into /etc/rc.local, e.g.

 #!/bin/bash
 /usr/local/bin/fix_playstation.sh

Setting up L2TP VPN

You will need the following

Connection Name: xxxxxx
Username: xxxxxxx
Password: xxxxxxx
ServerAddress: xxxxxxx
VPN Type: L2TP/IPsec with pre-shared key
Pre-shared key: xxxxxx
Under IPSec Settings (Linux)
3des-sha1-modp1024 for phase 1 (Linux)
3des-sha1 for phase 2 (Linux)
Authentication Methods: Pap, MSChapV2, Chap (Windows only)
EncryptionLevel: Optional (Windows only)
 sudo apt-get install network-manager-l2tp
 sudo apt-get install network-manager-l2tp-gnome
 sudo service xl2tpd stop
 sudo update-rc.d xl2tpd disable

Install Jenkins

This was done on a 20.04 Ubuntu server.
We need Java. On the page it says it supports OpenJDK JDK / JRE 8 - 64 bits and OpenJDK JDK / JRE 11 - 64 bits, so we need to make sure it uses the right one by creating a .profile. (Note: bashrc does not run for this user.)

Install java

apt install openjdk-11-jdk-headless

Change the default to 11

sudo update-alternatives --config java

Install Jenkins

wget -q -O - https://pkg.jenkins.io/debian-stable/jenkins.io.key | sudo apt-key add -
sudo sh -c 'echo deb https://pkg.jenkins.io/debian-stable binary/ > \
    /etc/apt/sources.list.d/jenkins.list'
sudo apt-get update
sudo apt-get install jenkins

Create a startup script

cat /var/lib/jenkins/.profile 
export JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64
echo $JAVA_HOME
export PATH=$JAVA_HOME/bin:$PATH

Change the startup script /etc/init.d/jenkins

PATH=
....
export JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64
echo $JAVA_HOME
export PATH=$JAVA_HOME/bin:$PATH

Change the java back

sudo update-alternatives --config java

Open LDAP

Install software

sudo apt install slapd ldap-utils

Reconfigure to your Domain

sudo dpkg-reconfigure slapd

You can verify this has worked with (don't forget sudo)

sudo ldapsearch -x -LLL -b "" -s base namingContexts

It should return your setup; in my case

dn:
namingContexts: dc=bibble,dc=co,dc=nz

And view the RootDN

sudo ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" -LLL -Q | grep olcRootDN:

It should return

olcRootDN: cn=admin,cn=config
olcRootDN: cn=admin,dc=bibble,dc=co,dc=nz

Configuring Logging

To view the log level

sudo ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" -LLL -Q | grep olcLogLevel:

Which returns

olcLogLevel: none

We can either use

sudo ldapmodify -Y EXTERNAL -H ldapi:/// -Q

To modify interactively or use LDIF files to update. Either way the contents are

dn: cn=config
changeType: modify
replace: olcLogLevel
olcLogLevel: stats

To perform using LDIF use

sudo ldapmodify -Y EXTERNAL -H ldapi:///  -f /tmp/test.ldif

And verify with

sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config "(objectClass=olcGlobal)" olcLogLevel -LLL -Q

Setting up log files

Let's put the logs into their own file

sudo vi /etc/rsyslog.d/51-slapd.conf

Add the following

local4.* /var/log/slapd.log

Restart

sudo systemctl restart rsyslog slapd

Let's clean up the logs

 sudo vi /etc/logrotate.d/slapd

Add the following

 /var/log/slapd.log
 { 
         rotate 7
         daily
         missingok
         notifempty
         delaycompress
         compress
         postrotate
                 /usr/lib/rsyslog/rsyslog-rotate
         endscript
 }

Restart

 sudo systemctl restart logrotate

Set up ssl

There are three certs to worry about

rootCA
server cert
server key

I create these independently of this setup, and they are placed in

/etc/ssl/openldap/certs/rootCA.pem
/etc/ssl/openldap/certs/server.crt
/etc/ssl/openldap/private/server.key

Set permissions on the directory

chown -R openldap: /etc/ssl/openldap/

We need to allow apparmor to read the files so edit

vi /etc/apparmor.d/usr.sbin.slapd

With

...
  # Site-specific additions and overrides. See local/README for details.
  #include 

  #TLS
  /etc/ssl/openldap/certs/ r,
  /etc/ssl/openldap/certs/* r,
  /etc/ssl/openldap/private/ r,
  /etc/ssl/openldap/private/* r,

  /etc/letsencrypt/archive/ldap.bibble.co.nz/ r,
  /etc/letsencrypt/archive/ldap.bibble.co.nz/* r,

Reload

apparmor_parser -r /etc/apparmor.d/usr.sbin.slapd

Create an LDIF to reflect your cert names and locations

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/openldap/certs/cacert.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/openldap/certs/ldapserver-cert.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/openldap/private/ldapserver-key.key

Had a lot of trouble getting the next bit to work, thanks to no help from the product. Firstly add the openldap user to the ssl-cert group with

usermod -aG ssl-cert openldap

Also found that the Let's Encrypt key was not group-readable, so

chmod g+r  /etc/letsencrypt/archive/DOMAIN/privkey1.pem

The trick is to get the permissions right. I did this by looking at what others had done, namely /etc/ssl. I checked the permissions on the certs and private directories, plus their contents and owner. Here is the end result

root@oliver:/etc/ssl# ls -lR openldap/
openldap/:
total 8
drwxr-xr-x 2 openldap openldap 4096 Nov  4 13:39 certs
d-wx--x--- 2 openldap ssl-cert 4096 Nov  4 13:39 private

openldap/certs:
total 8
-rw-r--r-- 1 openldap ssl-cert 1411 Nov  4 13:39 rootCA.pem
-rw-r--r-- 1 openldap ssl-cert 1501 Nov  4 13:39 server.crt

openldap/private:
total 4
-rw-r----- 1 openldap ssl-cert 1704 Nov  4 13:39 server.key

Now you should be able to add the TLS entries with

 ldapmodify -Y EXTERNAL -H ldapi:/// -f ldap-tls.ldif

As ever you can verify this with

slapcat -b "cn=config" | grep -E "olcTLS"

Which should show

olcTLSCACertificateFile: /etc/ssl/openldap/certs/rootCA.pem
olcTLSCertificateKeyFile: /etc/ssl/openldap/private/server.key
olcTLSCertificateFile: /etc/ssl/openldap/certs/server.crt

Let's run a test before switching

slaptest -u

Which should show

config file testing succeeded

Add the certificate into /etc/ldap/ldap.conf

...
# TLS certificates (needed for GnuTLS)
#TLS_CACERT	/etc/ssl/certs/ca-certificates.crt
TLS_CACERT	/etc/ssl/openldap/certs/rootCA.pem

Restart the server

systemctl restart slapd

Finally, phew, test the connectivity

ldapwhoami -H ldapi:/// -x -ZZ

For Let's Encrypt I ended up with

ls -lR  /etc/ssl/openldap/
/etc/ssl/openldap/:
total 8
drwxr-xr-x 2 openldap openldap 4096 Nov  4 05:30 certs
drwxr-xr-x 2 openldap ssl-cert 4096 Nov  4 05:31 private

/etc/ssl/openldap/certs:
total 0
lrwxrwxrwx 1 openldap openldap 53 Nov  4 05:30 rootCA.pem -> /etc/letsencrypt/live/XXX/fullchain.pem
lrwxrwxrwx 1 openldap openldap 48 Nov  4 05:30 server.crt -> /etc/letsencrypt/live/XXX/cert.pem

/etc/ssl/openldap/private:
total 0
lrwxrwxrwx 1 openldap ssl-cert 51 Nov  4 05:31 server.key -> /etc/letsencrypt/live/XXX/privkey.pem

And the ldif

dn: cn=config
changetype: modify
add: olcTLSCipherSuite
olcTLSCipherSuite: NORMAL
-
add: olcTLSCRLCheck
olcTLSCRLCheck: none
-
add: olcTLSVerifyClient
olcTLSVerifyClient: never
-
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/openldap/certs/rootCA.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/openldap/private/server.key
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/openldap/certs/server.crt
-
add: olcTLSProtocolMin
olcTLSProtocolMin: 3.3

You can test this with

sudo ldapwhoami -H ldap://ldap.bibble.co.nz -x -ZZ
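Added example, not from the original notes, covering the olcTLS* attributes set in the two LDIFs above and the file permissions the page works out by hand: a Python audit that reads lines in the shape slapcat prints, checks that the three files exist (following symlinks, as in the Let's Encrypt layout), that the private key is neither world-accessible nor group-writable, that the certificates are not world-writable, and that olcTLSProtocolMin is at least 3.3 (TLS 1.2). The openldap:ssl-cert ownership from the listing cannot be reproduced in a temporary directory, so the audit checks mode bits only. The function names are my own, and build_fixture() creates placeholder files (not real PEM data) with the modes from the listing above so the demo runs offline.

```python
import os
import stat
import tempfile

TLS_FILE_KEYS = ("olcTLSCACertificateFile", "olcTLSCertificateFile", "olcTLSCertificateKeyFile")


def parse_olc_tls(slapcat_text):
    """Collect olcTLS* attributes from 'slapcat -b cn=config' style output."""
    attrs = {}
    for line in slapcat_text.splitlines():
        if line.startswith("olcTLS"):
            name, _, value = line.partition(":")
            attrs[name.strip()] = value.strip()
    return attrs


def protocol_ok(value, minimum=(3, 3)):
    """olcTLSProtocolMin uses record-layer versions: 3.1=TLS1.0, 3.3=TLS1.2, 3.4=TLS1.3."""
    try:
        parsed = tuple(int(part) for part in value.split("."))
    except (AttributeError, ValueError):
        return False
    return parsed >= minimum


def audit_tls_config(attrs):
    """Return a list of findings; an empty list means the config passes these checks."""
    findings = []
    for key in TLS_FILE_KEYS:
        path = attrs.get(key)
        if path is None:
            findings.append("%s not set" % key)
            continue
        if not os.path.isfile(path):
            findings.append("%s: %s does not exist" % (key, path))
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if key == "olcTLSCertificateKeyFile":
            if mode & (stat.S_IROTH | stat.S_IWOTH):
                findings.append("private key %s is world-accessible (mode %o)" % (path, mode))
            if mode & stat.S_IWGRP:
                findings.append("private key %s is group-writable (mode %o)" % (path, mode))
        elif mode & stat.S_IWOTH:
            findings.append("%s is world-writable (mode %o)" % (path, mode))
    proto = attrs.get("olcTLSProtocolMin")
    if not protocol_ok(proto):
        findings.append("olcTLSProtocolMin should be 3.3 (TLS 1.2) or higher, got %r" % proto)
    return findings


def build_fixture(root):
    """Constructed stand-in for /etc/ssl/openldap with the modes from the listing above.

    Returns slapcat-shaped text pointing at the placeholder files.
    """
    certs = os.path.join(root, "certs")
    private = os.path.join(root, "private")
    os.makedirs(certs)
    os.makedirs(private)
    os.chmod(private, 0o750)
    paths = {
        "olcTLSCACertificateFile": os.path.join(certs, "rootCA.pem"),
        "olcTLSCertificateFile": os.path.join(certs, "server.crt"),
        "olcTLSCertificateKeyFile": os.path.join(private, "server.key"),
    }
    for key, path in paths.items():
        with open(path, "w") as fh:
            fh.write("-----BEGIN PLACEHOLDER-----\n")  # constructed, not a real certificate or key
        os.chmod(path, 0o640 if key == "olcTLSCertificateKeyFile" else 0o644)
    lines = ["%s: %s" % (k, v) for k, v in paths.items()] + ["olcTLSProtocolMin: 3.3"]
    return "\n".join(lines) + "\n"


def run_demo():
    """Audit the fixture as laid out, then again after loosening the key to 0644."""
    root = tempfile.mkdtemp(prefix="openldap-audit-")
    attrs = parse_olc_tls(build_fixture(root))
    clean = audit_tls_config(attrs)
    os.chmod(attrs["olcTLSCertificateKeyFile"], 0o644)
    loosened = audit_tls_config(attrs)
    return clean, loosened


if __name__ == "__main__":
    print(run_demo())
```

Against the live server, replace build_fixture() with the output of the slapcat command above, run as root so the key's mode can be read.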

Add a user

Create a base dn

dn: ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=group,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: organizationalUnit
ou: group

And add a user as below, first creating a password with slappasswd

dn: uid=mibeyam,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: mibeyam
cn: mibeyam
givenName: Amos
sn: Mibey
userPassword: {SSHA}sO8V/PZsGCta6098vs2qgX767AJF3Sw7
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/mibeyam

dn: cn=mibeyam,ou=group,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: posixGroup
cn: mibeyam
gidNumber: 10000
memberUid: mibeyam

Set up client

You will need to know your base DN which is the first line of slapcat

I would recommend you test your user on the client prior to provisioning, using your DN and account

 ldapwhoami -vvv -h localhost -D "uid=mibeyam,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com" -x -W

A good result will echo the user

Install software

sudo apt-get update
sudo apt-get install libpam-ldapd libnss-ldapd

Change PAM so it creates the home directory: in /etc/pam.d/common-session add

...
session required pam_mkhomedir.so umask=0022 skel=/etc/skel

Restart services

sudo systemctl restart nslcd
sudo systemctl restart nscd

Useful Commands

List users

 ldapsearch -x -LLL -b "dc=ldapmaster,dc=kifarunix-demo,dc=com"

Delete user

ldapdelete -x -W -D "cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com" "uid=mibeyam,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com"

Reset password

ldappasswd -H ldapi:/// -x -D "cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com" -W -S "uid=mibeyam,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com"

JWT (JSON Web Tokens)

JSON Web Tokens are used for authorisation and information exchange. They consist of three parts: a header, a payload and a signature. For example

Header

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload

Signature
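The Payload and Signature sections above are empty, so as an added example (not part of the original notes) here is Python that builds an HS256 token from a payload, decodes the three dot-separated parts, and verifies one: the verifier pins the expected alg so a token claiming alg none or any other algorithm is rejected, compares the signature in constant time, and checks the exp claim. The function names, the secret and the claims are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(raw):
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_encode_hs256(payload, secret):
    """Build header.payload.signature with HMAC-SHA256 over the first two parts."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode("utf-8"))
                     + "." + b64url_encode(json.dumps(payload, separators=(",", ":")).encode("utf-8")))
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def jwt_split(token):
    """Decode the three parts without trusting them; returns (header, payload, raw_parts)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a compact JWT has exactly three parts")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload, parts


def jwt_verify_hs256(token, secret, now):
    """Return (payload, None) if the token is valid, otherwise (None, reason)."""
    try:
        header, payload, parts = jwt_split(token)
        provided = b64url_decode(parts[2])
    except (ValueError, UnicodeDecodeError) as exc:  # JSON and base64 errors are ValueErrors
        return None, "malformed token: %s" % exc
    # The verifier decides the algorithm; the token's alg field is only checked, never obeyed.
    if header.get("alg") != "HS256":
        return None, "unexpected alg %r" % header.get("alg")
    expected = hmac.new(secret, (parts[0] + "." + parts[1]).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, provided):
        return None, "bad signature"
    if "exp" in payload and now >= payload["exp"]:
        return None, "token expired"
    return payload, None


if __name__ == "__main__":
    secret = b"constructed-demo-secret"
    token = jwt_encode_hs256({"sub": "mibeyam", "exp": 1617160680}, secret)
    print(token)
    print(jwt_verify_hs256(token, secret, now=1617160000))
```

The first part of any token built with that header decodes to exactly the JSON shown under Header above; the payload is only base64url-encoded, not encrypted, so nothing secret belongs in it.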