How To Change User Password on Debian 10

On Debian 10, users are able to change their password pretty easily.

It is also possible, if you have sudo rights, to change user passwords as well as to define rules for password change on the host.

In this tutorial, we are going to see how you can change the user password on Debian 10 through the command-line and the user interface if you are using a GNOME desktop.

Change User Password using passwd

The first way to change the user password is to use the passwd command.

$ passwd

Changing password for devconnected.
Current password:
New password:
Retype new password:
passwd: password updated successfully

If you type the same password as the current one, you will get a warning message saying:

Password unchanged

Change Another User’s Password with passwd

Before running the passwd command, make sure that you have sudo rights on your Debian 10 host.

To check sudo rights quickly, run the sudo command with the -v option and make sure that you have no error messages.

$ sudo -v

If you have sudo rights, you can run the passwd command.

Note: when updating another user’s account, you are not forced to know the current user password. It is very handy if you want to restrict the access to a user.

$ sudo passwd <user>

New password:
Retype new password:
passwd: password updated successfully

Delete Another User’s Password with passwd

Sometimes you want to reset the user password, maybe because the user has lost it or because the password has been compromised.

You can set the password for the user, or you can delete the existing password to make the account passwordless.

To delete another user’s password, run the following command

$ sudo passwd -d <user>
passwd: password expiry information changed

Now when logging via the GNOME user interface, you won’t be prompted with a password. The account will automatically be logged in.

Note: deleting a user password should only be done in rare circumstances, and the account should be updated quickly with a secure and long password.

User data might be compromised if no passwords are set for the account.

Expire Another User’s Password with passwd

When setting a password on Debian, the password will never expire by default.

But sometimes, because you want to apply correct password policies, you may want to set an expiration time or to expire some accounts after a given time.

To expire another user’s password on Debian, run the following command

$ sudo passwd --expire <user>
passwd: password expiry information changed

Now when logging in to the other user account, the user should be prompted to change their password.
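The states described above (a deleted password, a locked account, an expired password) are all visible in the shadow file. The following is an added example, not part of the original tutorial, that classifies each account of a shadow-format file; the function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify accounts by the state of their shadow entry.
# Shadow fields used: 1 = user name, 2 = password hash, 3 = day of last change.

# audit_shadow [FILE]  (reads standard input when FILE is omitted)
# Prints "user:state", where state is one of:
#   empty    no password at all, which is what `passwd -d` leaves behind
#   locked   hash field starts with ! or *, so no password can match
#   expired  last-change field is 0, which is what `passwd --expire` sets
#   ok       a hash is set and no change is forced
audit_shadow() {
    awk -F: '
        /^[ \t]*(#|$)/ { next }              # skip blank and comment lines
        {
            state = "ok"
            if ($2 == "")          state = "empty"
            else if ($2 ~ /^[!*]/) state = "locked"
            else if ($3 == "0")    state = "expired"
            print $1 ":" state
        }' "${1:--}"
}

# passwordless_users [FILE]: only the accounts that can log in without a password.
passwordless_users() {
    audit_shadow "$@" | awk -F: '$2 == "empty" { print $1 }'
}

# Constructed sample entries (the hashes are placeholders, not real hashes).
sample_shadow() {
    cat <<'EOF'
root:!:18200:0:99999:7:::
devconnected:$6$constructedsalt$constructedhash:18200:0:99999:7:::
alice::18210:0:99999:7:::
bob:$6$constructedsalt$constructedhash:0:0:99999:7:::
EOF
}

# Demo on the constructed sample. On a real host, run as root:
#   audit_shadow /etc/shadow
sample_shadow | audit_shadow
```

Any account reported by passwordless_users should get a password again with sudo passwd <user>.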


Change your password on the GNOME desktop

If you are using Debian 10 with a GNOME desktop, you can modify your password via the user interface.

System administrators tend to use the command line to perform administrative operations, but nothing forces you to do it this way.

1. In the Activities search box, type “Settings” and open it.


2. In the Settings window, choose the “Details” option.


3. Choose the “Users” option, and find the user you want to modify.


4. Click on the password field. Specify your old password and change your password to a secure one.


Click on “Change” and your password should be changed. Make sure to log in again to test your new password.

Troubleshooting

In some cases, you may run into some errors while changing your password on Debian 10.

Here is the list of the most common errors and their solutions.

Default root password on Debian 10

By default, there is no default password for the root account on Debian 10.

This is because the root account is locked by default and setting a root password will unlock the account.

If you forgot your root password, you will have to reset it by rebooting and starting a bash shell from the GRUB menu.

Forgotten password on Debian 10

If you forgot your password on Debian, you will have to reset your password using the passwd command.

If you are not the system administrator, you have to ask the admin to run the passwd command in order to reset your password and make it expire immediately.

If you are the system administrator, you can run the passwd yourself.

$ sudo passwd <user>

If you remember the root password, connect as root and change the user password over there.

$ su -

$ passwd <user>

Conclusion

With this tutorial, you learnt how to change a user password on Debian 10 Buster.

Another method to authenticate on a server is to use SSH keys. Make sure to check this article if you are interested in logging with SSH keys on Debian 10.

I hope that you learnt something new today.

Until then, have fun, as always.

How To Add Swap Space on Debian 10 Buster

This tutorial focuses on how to create swap space on Debian 10 via a swap file or a swap partition on your hard drive.

On a Linux system, it is very common to run out of memory, because you run too many programs, or because you run programs that are consuming too much memory.

As a consequence, if your RAM is full, you won’t be able to launch new programs on your computer.

You will have to manually shut down programs or tweak them to consume less memory.

There is however another way to virtually increase your memory : by using swap space.

In this tutorial, we are going to see how you can add swap space on Debian 10, either by creating a swap file or by creating a disk partition dedicated to swap.


What is Swap Space on Debian?

Swap space is a space allocated to handle additional programs running when your RAM memory is full.

Let’s say that you have 4 GBs of RAM on your computer, and that 3 programs are already taking 3.5 GBs out of the 4 available.


If you are trying to run a program that is taking 1 GB on normal usage, you won’t be able to do it as you don’t have the space necessary for the program.

You could buy some RAM (which is expensive), or you could choose to create some swap space on your host.

When running your 1 GB program, your operating system (Linux here) will “move” or “swap” one of the programs to a dedicated part of your hard drive (your swap partition) and run your 1 GB program on the newly allocated space.


As you can imagine, the OS can switch programs from swap to RAM and vice versa.

The threshold to determine when programs should be switched from RAM to swap is called the swappiness, but configuring the swappiness will be reserved for another tutorial.

Now that you have some basics on what the swap space is and how the swap space works on Linux, let’s see how you can create some swap space on Debian 10.

Prerequisites

Sudo privileges

In order to add swap space on Debian 10 Buster, you need to have sudo privileges on your host.

Make sure this is the case by running the following command

$ sudo -v

If you are not getting any error messages, you are good to go.

Checking existing swap partitions

In order to see existing swap partitions available on your host, run the following command

$ sudo swapon --show

If a swap partition already exists, you should get at least one line as a result.


As you can see, I already own a swap partition on my sda drive of size 8 GB.

As the current memory on my computer is sufficient, my host is not using swap at the moment.

If no swap spaces are configured on your system, this is the output that you should expect.


Add Swap Space with a swap file

The first method to add swap space on Debian is to use a dedicated swap file.

Many tutorials are not specifying this detail, but swap files cannot contain any holes at all.

It means that you should not use the cp command to create your swap file.

It is also not recommended to use the fallocate commands on file systems that support preallocated files such as XFS and ext4.

As a consequence, you are going to use the dd command in order to add swap space on Debian.


In this case, we are going to create a 2 GB swap file.

Note : there are no performance improvements in using a swap file rather than creating a swap partition. Swap files are just easier to manage because the file size can be easily adjusted. Changing the partition size for swap can be trickier than changing the file size.

a – Create a swapfile using dd

To add swap space, run the following command

$ sudo dd if=/dev/zero of=/swapfile bs=1MiB count=$((2*1024))

Make sure that your swap file was created by issuing the following command.

$ ls -l /swapfile


b – Secure your swapfile with permissions

Swap files are only used by the operating system for memory optimization purposes.

As a consequence, they should not be modified by any user except root.

Change the file permissions of your swapfile.

$ sudo chmod 600 /swapfile

c – Enable your swapfile

Now that your swapfile is secure, it is time to activate your swap space.

To enable swap space on Debian 10, run the following command.

$ sudo mkswap /swapfile

This is going to set the file as a swap file, setting the correct headers for the swapon binary.


Now that the swapspace is correctly set, you can enable it.

$ sudo swapon /swapfile

To verify that your swap space is active, you can run the initial command with the --show flag.

$ sudo swapon --show


d – Make your swap space permanent

Similarly to the creation of filesystems, changes won’t be made permanent if you don’t append some changes to the fstab file.

If you leave it this way, your swap space will be erased at the next host reboot.

To make your swap space permanent, edit the /etc/fstab file and paste the following changes.

$ cd /etc/
$ sudo nano fstab

/swapfile none swap defaults 0 0

This configuration specifies that :

  • /swapfile: the name of the “swap filesystem” we are creating;
  • none: there is no mount point for this filesystem
  • swap: the filesystem type used
  • defaults: the filesystem options, set as default for this example
  • 0: the dump option for the filesystem, as well as the pass option.

Save your file, and restart your system to make sure that the changes are still effective.

$ sudo reboot
$ sudo swapon --show

Congratulations!

You successfully created swap space on Debian 10 using a swap file.
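Steps a to d can be verified in one pass. The following is an added example, not part of the original tutorial: a check that a swap file has mode 600, is owned by root, contains no holes and has an fstab entry. It assumes GNU stat (the default on Debian); the function names are chosen for illustration and the demo only touches constructed files in a temporary directory.

```shell
#!/bin/sh
# Added example: verify a swap file after steps a to d.

# has_holes SIZE BLOCKS UNIT
# True when fewer bytes are allocated on disk than the apparent size of the
# file, which is how a sparse file (a file with holes) shows up in stat.
has_holes() {
    [ $(( $2 * $3 )) -lt "$1" ]
}

# check_swapfile FILE [FSTAB]
# Prints one finding per line; the exit status is the number of findings.
check_swapfile() (
    file=$1
    fstab=${2:-/etc/fstab}
    findings=0
    report() { echo "$1"; findings=$((findings + 1)); }

    if [ ! -f "$file" ]; then
        report "missing: $file is not a regular file"
        exit "$findings"
    fi

    # Step b: mode 600 and owner root, so that only root can touch the file.
    mode=$(stat -c '%a' "$file")
    owner=$(stat -c '%U' "$file")
    [ "$mode" = "600" ] || report "mode: $file has mode $mode, expected 600"
    [ "$owner" = "root" ] || report "owner: $file is owned by $owner, expected root"

    # Step a: no holes (%s = size in bytes, %b = blocks, %B = bytes per block).
    if has_holes $(stat -c '%s %b %B' "$file"); then
        report "holes: $file is sparse, recreate it with dd"
    fi

    # Step d: an uncommented fstab line names the file with type "swap".
    if ! awk -v f="$file" '$1 == f && $3 == "swap" { ok = 1 } END { exit !ok }' \
            "$fstab" 2>/dev/null; then
        report "fstab: no swap entry for $file in $fstab"
    fi
    exit "$findings"
)

# Demo on constructed files in a temporary directory (nothing under / is touched).
demo_dir=$(mktemp -d)
truncate -s 1M "$demo_dir/sparse_swap"     # constructed sparse file, all holes
: > "$demo_dir/fstab"                      # constructed empty fstab
check_swapfile "$demo_dir/sparse_swap" "$demo_dir/fstab" || true
rm -rf "$demo_dir"
```

On the host configured above, sudo sh -c '. ./check_swapfile.sh; check_swapfile /swapfile' should print nothing (check_swapfile.sh being whatever name you saved the block under).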

Add Swap Space with a swap partition

Another way to add swap space on Debian is to create a dedicated swap partition.

If you ran the initial Debian 10 installation, there is a high chance that some swap partition is already created on your system.

However for this tutorial, we are going to start from scratch and create our own swap partition.

a – Create a swap space partition with fdisk

To have a look at the existing partitions on your host, run the following command

$ sudo fdisk -l

As you can see, I already own an ext4 primary partition and a second partition that is not currently used.

We are going to add a swap partition as an extended or logical partition on sda.

Run the fdisk utility, and create a new partition on the hard drive that you want (sda in my case)

$ sudo fdisk /dev/sda

Welcome to fdisk (util-linux 2.30.1).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.

Command (m for help): n

Run the “n” command to add a new partition to your disk.

Note : if your host is running out of primary partitions, you can add swap space within an extended partition.

All space for primary partitions is in use
Adding logical partition 5
First sector (48291898-65062911, default 48291840):

You can leave the first sector option as default by just pressing Enter.

On the next prompt, specify the size of your swap partition. In this case, I am going to use 2 GiB again.

Last sector, +/-sectors or +/-size{K,M,G,T,P} : +2G

Created a new partition 5 of type 'Linux' and of size 2 GiB.

As you can see, partitions are created with the Linux partition type by default.

This is not what we want, since we want to have a swap partition on our drive.

To change the partition type, run the “t” command in fdisk.

Command (m for help): t
Partition number (1,2,5, default 5): 5
Hex code (type L to list all codes): 82

On Linux, swap partitions have the partition type ID 82 in fdisk.

Hit Enter, and make sure that your partition type was correctly changed.

Changed type of partition 'Linux' to 'Linux swap / Solaris'

Don’t forget to write your changes to disk as fdisk does not directly write to disk unless you ask it to do it.

To write on disk, run the “w” command in fdisk.

The partition table has been altered
Syncing disks.

Make sure that your swap partition was correctly added by running the fdisk command again.


Now that your swap partition is created, it is time to enable it on our Debian 10 host.

b – Enabling your swap partition

First, make sure to run the mkswap command so that the swap headers are correctly set on your partition.

$ sudo mkswap /dev/sda5

Now that your headers are set, run the swapon command.

$ sudo swapon /dev/sda5

Similarly to the other method, make sure that your swap space was correctly created.

$ sudo swapon --show


c – Make your swap space permanent

In order to make your swap space permanent, it needs to be added to the fstab file.

First of all, get the UUID for your newly created partition.

$ sudo blkid


Copy the UUID value, and edit your fstab to append the following changes.

$ sudo nano /etc/fstab

UUID=4c46c5af-3530-486b-aabe-abca2543edca   none   swap  defaults   0   0

Save your file, and restart your system to make sure that your changes are permanent.

$ sudo reboot
$ sudo swapon --show


Congratulations, you correctly created a swap partition using fdisk on Debian 10 Buster.

Remove swap partition on Debian

Removing swap partitions on Debian is pretty straightforward : first you need to use the command “swapoff” on the swap partition you are trying to remove.

If you are not sure about your current existing partitions, run a simple “blkid” command.

$ blkid 

$ sudo swapoff /dev/sda5

Finally, edit your fstab and remove the entry associated with the swap partition.

$ sudo nano /etc/fstab

UUID=4c46c5af-3530-486b-aabe-abca2543edca   none   swap  defaults   0   0     <--- To be removed.

Troubleshooting

When adding swap space on Debian 10 Buster, you may run into the following error.


swapon: /swapfile: read swap header failed.

This error happens when you don’t run the mkswap command before running the swapon command.

As a reminder, mkswap sets the header for the file or the partition to be used as swap space.

If you forget to run the mkswap command, Linux won’t be able to assign it as swap space on your host.

Location of swap file on Linux

The swap spaces currently in use are listed in the “/proc/swaps” file of your system.

$ cat /proc/swaps
Filename                Type        Size    Used    Priority
/swapfile               file        1025101 0       -1

From there, you know that your swap file is located at your root directory.

Another way to get the location of your swap file is to inspect the fstab file.

$ cat /etc/fstab

/swapfile    none     swap    sw     0       0

Conclusion

Today, you learnt that there are two ways to add swap space on a Debian 10 host, by creating a swap file or by creating a swap partition with fdisk.

How To Install and Enable SSH Server on Debian 10

This tutorial focuses on setting up and configuring a SSH server on a Debian 10 minimal server.

SSH, for Secure Shell, is a network protocol that is used in order to operate remote logins to distant machines within a local network or over the Internet. SSH architectures typically include a SSH server that is used by SSH clients to connect to the remote machine.

As a system administrator, it is very likely that you are using SSH on a daily basis to connect to remote machines across your network.

As a consequence, when new hosts are onboarded to your infrastructure, you may have to configure them to install and enable SSH on them.

In this tutorial, we are going to see how you can install and enable SSH, via OpenSSH, on a Debian 10 distribution.

Prerequisites

In order to install a SSH server on Debian 10, you will need to have sudo privileges on your host.

To check whether you have sudo privileges or not, run the following command

$ sudo -l

If you are seeing the following entries on your terminal, it means that you have elevated privileges


By default, the ssh utility should be installed on your host, even on minimal configurations.

In order to check the version of your SSH utility, you can run the following command

$ ssh -V


As you can see, I am running OpenSSH v7.9 with OpenSSL v1.1.1.

Note that it does not mean that SSH servers are installed on my host, it just means that I am able to connect to remote machines as a client using the SSH utility.

It also means that specific utilities related to the SSH protocol (such as scp for example) or related to FTP servers (such as sftp) will be available on my host.

Installing OpenSSH Server on Debian 10

First of all, make sure that your packages are up to date by running an update command

$ sudo apt-get update


In order to install a SSH server on Debian 10, run the following command

$ sudo apt-get install openssh-server

The command should run a complete installation process and it should set up all the necessary files for your SSH server.

If the installation was successful, you should now have a sshd service installed on your host.

To check your newly installed service, run the following command

$ sudo systemctl status sshd

By default, your SSH server is going to run on port 22.

This is the default port assigned for SSH communications. You can check if this is the case on your host by running the following netstat command

$ netstat -tulpn | grep 22


Great! Your SSH server is now up and running on your Debian 10 host.

Enabling SSH traffic on your firewall settings

If you are using UFW as a default firewall on your Debian 10 system, it is likely that you need to allow SSH connections on your host.

To enable SSH connections on your host, run the following command

$ sudo ufw allow ssh


Enable SSH server on system boot

As you probably saw, your SSH server is now running as a service on your host.

It is also very likely that it is instructed to start at boot time.

To check whether your service is enabled or not, you can run the following command

$ sudo systemctl list-unit-files | grep enabled | grep ssh

If no results are shown on your terminal, enable the service and run the command again

$ sudo systemctl enable ssh


Configuring your SSH server on Debian

Before giving access to users through SSH, it is important to have a set of secure settings to avoid being attacked, especially if your server is running as an online VPS.

As we already saw in the past, SSH attacks are pretty common but they can be avoided if we change default settings available.

By default, your SSH configuration files are located at /etc/ssh/


In this directory, you are going to find many different configuration files, but the most important ones are :

  • ssh_config: defines SSH rules for clients. It means that it defines rules that are applied every time you use SSH to connect to a remote host or to transfer files between hosts;
  • sshd_config: defines SSH rules for your SSH server. It is used for example to define the reachable SSH port or to deny specific users from communicating with your server.

We are obviously going to modify the server-wide part of our SSH setup as we are interested in configuring and securing our OpenSSH server.

Changing SSH default port

The first step towards running a secure SSH server is to change the default port assigned by the OpenSSH server.

Edit your sshd_config configuration file and look for the following line.

#Port 22

Make sure to change your port to one that is not reserved for other protocols. I will choose 2222 in this case.

When connecting to your host, if it is not running on the default port, you have to specify the SSH port yourself.

Please refer to the ‘Connecting to your SSH server’ section for further information.

Disabling Root Login on your SSH server

By default, root login is available on your SSH server.

It should obviously not be the case as it would be a complete disaster if hackers were to login as root on your server.

If by chance you disabled the root account in your Debian 10 installation, you can still configure your SSH server to refuse root login, in case you choose to re-enable your root login one day.

To disable root login on your SSH server, modify the following line

#PermitRootLogin

PermitRootLogin no


Configuring key-based SSH authentication

In SSH, there are two ways of connecting to your host : by using password authentication (what we are doing here), or having a set of SSH keys.

If you are curious about key-based SSH authentication on Debian 10, there is a tutorial available on the subject here.

Restarting your SSH server to apply changes

In order for the changes to be applied, restart your SSH service and make sure that it is correctly restarted

$ sudo systemctl restart sshd
$ sudo systemctl status sshd


Also, if you change the default port, make sure that the changes were correctly applied by running a simple netstat command

$ netstat -tulpn | grep 2222
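The two settings changed above can be checked against the configuration file itself. The following is an added example, not part of the original tutorial: it reads the global part of an sshd_config-format file the way the settings are described here (commented lines ignored, first occurrence used, conditional "Match" sections left aside). The function names and both sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: check the two sshd_config settings changed in this tutorial.

# sshd_global_value FILE KEYWORD
# Prints the value of a single-valued KEYWORD from the global part of FILE.
# Keywords are case-insensitive, the first occurrence wins, commented lines
# are ignored and settings after the first "Match" line are conditional.
sshd_global_value() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[ \t]*(#|$)/         { next }
        tolower($1) == "match" { exit }
        tolower($1) == key     { print $2; exit }
    ' "$1"
}

# sshd_ports FILE: every global Port value (Port may be given more than once).
sshd_ports() {
    awk '
        /^[ \t]*(#|$)/         { next }
        tolower($1) == "match" { exit }
        tolower($1) == "port"  { printf "%s ", $2 }
    ' "$1"
}

# audit_sshd FILE
# Prints one finding per line; the exit status is the number of findings.
audit_sshd() (
    cfg=$1
    findings=0
    report() { echo "$1"; findings=$((findings + 1)); }

    root=$(sshd_global_value "$cfg" PermitRootLogin)
    case $root in
        no) ;;
        "") report "PermitRootLogin: not set, the built-in default applies" ;;
        *)  report "PermitRootLogin: set to '$root', this tutorial sets 'no'" ;;
    esac

    ports=$(sshd_ports "$cfg")
    [ -n "$ports" ] || report "Port: not set, sshd listens on the default port 22"
    case " $ports " in
        *" 22 "*) report "Port: sshd still listens on port 22" ;;
    esac
    exit "$findings"
)

# Constructed sample: a file where both settings are still commented out.
sample_default() {
    cat <<'EOF'
#Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
EOF
}

# Constructed sample: the file after the edits described in this tutorial,
# plus a Match section that must not influence the global result.
sample_hardened() {
    cat <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication yes
Match Address 192.0.2.0/24
    PermitRootLogin prohibit-password
EOF
}

# Demo on the constructed samples. On a real host: audit_sshd /etc/ssh/sshd_config
demo_dir=$(mktemp -d)
sample_default  > "$demo_dir/before"
sample_hardened > "$demo_dir/after"
echo "before:"; audit_sshd "$demo_dir/before" || true
echo "after:";  audit_sshd "$demo_dir/after" && echo "no findings"
rm -rf "$demo_dir"
```

Before restarting the service, sudo sshd -t checks that the edited file is valid, which avoids locking yourself out with a broken configuration.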


Connecting to your SSH server

In order to connect to your SSH server, you are going to use the ssh command with the following syntax

$ ssh -p <port> <username>@<ip_address>

If you are connecting over a LAN network, make sure to get the local IP address of your machine with the following command

$ sudo ifconfig


For example, in order to connect to my own instance located at 127.0.0.1, I would run the following command

$ ssh -p 2222 <user>@127.0.0.1

You will be asked to provide your password and to certify that the authenticity of the server is correct.


Exiting your SSH server

In order to exit from your SSH server on Debian 10, you can hit Ctrl + D or type ‘logout’ and your connection will be terminated.


Disabling your SSH server

In order to disable your SSH server on Debian 10, run the following command

$ sudo systemctl stop sshd
$ sudo systemctl status sshd


From there, your SSH server won’t be accessible anymore.


Troubleshooting

In some cases, you may run into many error messages when trying to set up a SSH server on Debian 10.

Here is the list of the common errors you might get during the setup.

Debian : SSH connection refused

Usually, you are getting this error because your firewall is not properly configured on Debian.

To solve “SSH connection refused” you have to double check your UFW firewall settings.

By default, Debian uses UFW as a default firewall, so you might want to check your firewall rules and see if SSH is correctly allowed.

$ sudo ufw status

Status: active
 
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere

If you are using iptables, you can also have a check at your current IP rules with the iptables command.

$ sudo iptables -L -n

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh

If the rule is not set for SSH, you can set it by running the iptables command again.

$ sudo iptables -I INPUT -p tcp -m tcp --dport 22 -j ACCEPT

Debian : SSH access denied

Sometimes, you may be denied access to your SSH server with this error message “SSH access denied” on Debian.

To solve this issue, it depends on the authentication method you are using.

SSH password access denied

If you are using the password method, double check your password and make sure you are entering it correctly.

Also, it is possible to configure SSH servers to allow only a specific subset of users : if this is the case, make sure you belong to that list.

Finally, if you want to log-in as root, make sure that you modified the “PermitRootLogin” option in your “sshd_config” file.

#PermitRootLogin

PermitRootLogin yes

SSH key access denied

If you are using SSH keys for your SSH authentication, you may need to double check that the key is correctly located in the “authorized_keys” file.

If you are not sure about how to do it, follow our guide about SSH key authentication on Debian 10.

Debian : Unable to locate package openssh-server

For this one, you have to make sure that you have correctly set up your APT repositories.

Add the following entry to your sources.list file and update your packages.

$ sudo nano /etc/apt/sources.list

deb http://ftp.us.debian.org/debian buster main

$ sudo apt-get update

Conclusion

In this tutorial, you learnt how you can install and configure a SSH server on Debian 10 hosts.

You also learnt about basic configuration options that need to be applied in order to run a secure and robust SSH server over a LAN or over the Internet.

If you are curious about Linux system administration, we have a ton of tutorials on the subject in a dedicated category.

How To Add and Delete Users on Debian 10 Buster

Adding and deleting users is one of the most basic tasks when starting from a fresh Debian 10 server.

Adding users can be quite useful. As your host grows, you want to add new users and assign them special permissions, like sudo rights for example.

In this tutorial, we are going through all the ways to add and delete users on Debian 10 hosts.

Prerequisites

In order to add and delete users on Debian, you need to have sudo rights, or to belong to the sudo group.

If you are not sure about how to add a user to sudoers, make sure to check the tutorial we wrote about it.

To check your sudo rights, run the following command

$ sudo -v

If no error messages appear, you are good to go, otherwise ask your system administrator to provide you with sudo rights.

Adding a user using adduser

The first way to add users on Debian 10 is to use the adduser command.

The adduser command is very similar to the useradd command. However, it provides a more interactive way to add users on a Debian host.

Generally, it is preferred to use adduser rather than useradd (as recommended by the useradd man page itself)

To add a user, run this command

$ sudo adduser ricky

Adding user 'ricky'
Adding new group 'ricky' (1007)
Adding new user 'ricky' (1005) with group 'ricky'
Creating home directory '/home/ricky'
Copying files from '/etc/skel'

You will be asked to choose a password for the user

New password: <type your password>
Retype new password: <retype your password>
Changing the user information for ricky

Then you will be asked to specify some specific information about your new user.

You can leave some values blank if you want by pressing Enter.

Enter the new value, or press ENTER for the default
   Full Name []:
   Room Number []:
   Work Phone []:
   Home Phone []:
   Other []:

Finally, you will be asked if the information provided is correct. Simply press “Y” to add your new user.

Is the information correct? [Y/n] Y

Now that your user was created, you can add it to the sudo group.

Adding a user using useradd

$ sudo useradd <username>

To assign a password to the user, you can use the -p flag but it is not recommended as other users will be able to see the password.

To assign a password to a user, use the passwd command.

$ sudo passwd <username>

New password:
Retype new password:
passwd: password updated successfully

Add a user using the GNOME desktop

If you installed Debian 10 with GNOME, you can also create a user directly from the desktop environment.

In the Applications search bar, search for “Settings”.

In the Settings window, find the “Details” option.

Click on “Details”, then click on “Users”.


On the top right corner of the window, click on “Unlock”.


Enter your password, and an “Add User” option should now appear in the panel.

In the next window, choose what type of account you want for the user (either with sudo rights or not).

Fill the full name field, as well as the username field.

You can choose to assign a password now or you can let the user decide on their password at their next logon.

When you are done, simply click on “Add”.


Congratulations, your account was successfully created.


Check that your user was added

In order to check that your user was created on Linux, run the following command.

$ cat /etc/passwd | grep <user>
<user>:x:1005:1007:User,,,:/home/user:/bin/bash

If there are no entries for the user you just created, make sure to use the adduser command again.

Deleting a user using deluser

In order to delete a user on Debian 10, you have to use the deluser command.

$ sudo deluser <username>

To remove a user with its home directory, run the deluser command with the --remove-home parameter.

$ sudo deluser --remove-home <username>

Looking for files to backup/remove
Removing user 'user'
Warning: group 'user' has no more members.
Done.

To delete all the files associated with a user, use the --remove-all-files parameter.

$ sudo deluser --remove-all-files <username>

Deleting a sudo user with visudo

If you removed a sudo user on Debian, it is very likely that there is a remaining entry in your sudoers file.

To delete a user from the sudoers file, run visudo.

$ sudo visudo

Find the line corresponding to the user you just deleted, and remove this line.

<username>    ALL=(ALL:ALL) ALL

Save your file, and your user should not belong to the sudo group anymore.
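Leftover rules of this kind can be listed before opening visudo. The following is an added example, not part of the original tutorial: it prints every user that still has a rule in a sudoers-format file but no account in a passwd-format file. The function name and both sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: find sudoers rules whose user no longer exists.

# stale_sudoers PASSWD_FILE SUDOERS_FILE
# Prints each user name that has a rule in SUDOERS_FILE but no entry in
# PASSWD_FILE. Names are compared exactly against field 1 of the passwd file,
# unlike `grep <user>`, which also matches substrings of other names.
# Not handled: rules continued over several lines with a trailing backslash.
stale_sudoers() {
    awk '
        NR == FNR {                          # first file: collect account names
            split($0, field, ":")
            known[field[1]] = 1
            next
        }
        /^[ \t]*(#|@|$)/ { next }            # comments, include directives, blanks
        $1 ~ /^Defaults/ || $1 ~ /_Alias$/ { next }
        index($0, "=") == 0 { next }         # a rule always contains "="
        {
            n = split($1, users, ",")        # e.g. "alice,bob ALL=(ALL:ALL) ALL"
            for (i = 1; i <= n; i++) {
                u = users[i]
                if (u == "") continue
                if (u ~ /^[%+!]/) continue             # group, netgroup, negation
                if (u ~ /^[A-Z][A-Z0-9_]*$/) continue  # ALL or a User_Alias name
                if (!(u in known)) print u
            }
        }' "$1" "$2"
}

# Constructed sample: accounts left after "ricky" was deleted with deluser.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
devconnected:x:1000:1000:,,,:/home/devconnected:/bin/bash
john:x:1001:1001:,,,:/home/john:/bin/bash
rickyb:x:1002:1002:,,,:/home/rickyb:/bin/bash
EOF
}

# Constructed sample: a sudoers file that still carries a rule for "ricky".
sample_sudoers() {
    cat <<'EOF'
Defaults    env_reset
Defaults    secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
root        ALL=(ALL:ALL) ALL
%sudo       ALL=(ALL:ALL) ALL
ricky       ALL=(ALL:ALL) ALL
john        ALL=(ALL:ALL) ALL
#includedir /etc/sudoers.d
EOF
}

# Demo on the constructed samples. On a real host, run as root:
#   stale_sudoers /etc/passwd /etc/sudoers
demo_dir=$(mktemp -d)
sample_passwd  > "$demo_dir/passwd"
sample_sudoers > "$demo_dir/sudoers"
stale_sudoers "$demo_dir/passwd" "$demo_dir/sudoers"
rm -rf "$demo_dir"
```

Files under /etc/sudoers.d are checked the same way, one file per call, and sudo visudo -c verifies the syntax once the stale lines are removed.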

Deleting a user using the GNOME Desktop

From the users panel we used to create a user before, find the “Remove user” option at the bottom of the window.

Note : you need to unlock the panel to perform this operation.

When clicking on “Remove User”, you are asked if you want to keep the files owned by this user. In this case, I will choose to remove the files.


Troubleshooting

In some cases, you may have some error messages when trying to execute some of the commands above.

adduser : command not found on Debian

By default, the “adduser” command is located in the “/usr/sbin” folder of your system.

$ ls -l /usr/sbin/ | grep adduser
-rwxr-xr-x 1 root root    37322 Dec  5  2017 adduser

To solve this issue, you need to add “/usr/sbin” to your $PATH.

Edit your .bashrc file and add the following line

$ nano ~/.bashrc

export PATH="$PATH:/usr/sbin/"

Source your bashrc file and try to run the adduser command again.

$ source ~/.bashrc

$ sudo adduser john
Adding user `john' ...
Adding new group `john' (1001) ...
Adding new user `john' (1001) with group `john' ...
Creating home directory `/home/john' ...
Copying files from `/etc/skel' ...

You solved the “adduser : command not found” problem on Debian 10.

Conclusion

As you can see, adding and deleting users on Debian 10 is pretty straightforward.

Now that your users are created, you can also set up SSH keys on Debian 10 for a seamless authentication.

Command Not Found in Bash Fixed

Every system administrator has gotten this error at least once in a shell : “bash : command not found”.

However, you were pretty sure that you wrote the command correctly, or that you installed the tool that you are actually trying to execute.

So why are you getting this error?

The “bash : command not found” error can happen for various reasons when running commands in a Bash terminal.

Today, we are taking a look at the different ways to solve the “command not found” error in Bash.

Bash & PATH concepts

Before starting out with the solution, it is important to have a few concepts about what the PATH environment variable is and how it is related to the commands you run.

PATH is an environment variable that lists the different directories that your bash terminal will visit in order to find utilities on your system.

To have a look at your PATH environment variable, simply use the “echo” command with the PATH variable.

$ echo $PATH

/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin

As you can see, PATH is defined by a list of different system paths delimited by colons.

They are the different paths visited by my interpreter in order to run commands.

If you were to remove an entry from the PATH, or remove the PATH altogether, you would not be able to run commands in Bash without specifying the entire path to the binary.

It is an important point to understand because not being able to run a command does not mean that your binary was deleted on the system.

Now that you understand how environment variables are related to your bash interpreter, let’s see how you can solve your error.

Verify that the file exists on the system

The first step to solve this error is to verify that the command you are looking for actually exists on the system.

There is really no point in going further if you misspelled the command or if you didn’t install it at all.

Let’s say for example that you cannot run the “ls” command.

Verify that the binary actually exists by searching for the binary on the system.

$ /usr/bin/find / -name ls 2> /dev/null

/bin/ls
/usr/lib/klibc/bin/ls

With the find command, you are able to locate the binary along with the directory where it is stored.

It is quite important because we will need to add this path to our PATH environment variable later on.

Verify your PATH environment variable

Most of the time, you will run into the “bash : command not found” after changing your PATH environment in order to add new entries.

First, verify that the path you searched for before is listed in your PATH environment variable.

$ echo $PATH

/home/user/custom:/home/user

As you can see here, the “/bin” directory is not listed in my PATH environment variable.

By default, the PATH is defined in the “/etc/environment” file for all the users on the system.

If your PATH environment variable is different from the one defined in the environment file, it is because you have overridden the PATH.

Now you have two choices : either you know where you exported the PATH variable or you don’t.

Fixing your profile scripts : bashrc, bash_profile

In most cases, you modified the .bashrc or the .bash_profile file in order to add your PATH override.

To search where you exported your PATH, run the following command

$ /usr/bin/grep -rn --color "export PATH" ~/. 2> /dev/null

./.bashrc:121:export PATH="/home/devconnected"

This command returns the file where the PATH was exported as well as the line number.

Edit this file and add the path from the first section to the export statement.

$ nano /home/user/.bashrc

export PATH="/home/devconnected:/bin"

Save your file and exit the nano editor.

For the changes to be applied, you will have to source your current bash terminal.

This will ensure that the .bashrc file is executed again in the current shell terminal.

$ source .bashrc

Why can you execute source without having to specify the full path?

Because “source” is a shell built-in command.

Try executing “builtin source .bashrc” for example

Now, you can try to execute the command you failed to execute before.

$ ls

file  devconnected  file2  directory1  swap file3

Awesome!

You fixed the “bash : command not found” error on Linux!

Reset the PATH environment variable properly

Even if you solve your issue, you will have to define your PATH environment variable properly if you don’t want to modify your bashrc file all the time.

First, have a look at the PATH variable defined in the “/etc/environment” file.

$ cat /etc/environment

PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games"

In order to reset your PATH environment variable on your environment, export the PATH defined in the environment file.

$ export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games"

Now, modify your .bashrc file but use the $PATH syntax in order to append your paths to the existing PATH variable.

$ sudo nano ~/.bashrc

export PATH="$PATH:/home/devconnected"

Exit the file and source your bashrc file for the changes to be applied.

$ source ~/.bashrc

$ echo $PATH

/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/home/devconnected

Awesome!

You have successfully reset your PATH environment variable, you should not get the “bash : command not found” error anymore.

Execute the command as sudo

In some cases, your PATH environment variable may be perfectly configured but you will have to execute the command as sudo.

You may get this error or just a simple “permission denied” error.

In any case, first make sure that you have sudo rights with the sudo command.

$ sudo -l

User user may run the following commands on ubuntu:
    (ALL : ALL) ALL

If this is the case, you should be able to execute your command as sudo.

$ sudo <command>

Congratulations!

You have solved the “bash : command not found” error on your system.

Verify that the package is correctly installed

In some cases, you think that your command is installed but you didn’t install the command to begin with.

Let’s say for example that you are looking to run the “htop” command but you are not able to do it.

$ htop

bash : Command 'htop' not found

To verify if the command is correctly installed, depending on your distribution, run the following commands.

$ dpkg -s htop     [Ubuntu/Debian]

dpkg-query: package 'htop' is not installed and no information is available
Use dpkg --info (= dpkg-deb --info) to examine archive files,
and dpkg --contents (= dpkg-deb --contents) to list their contents.

$ rpm -qa | grep htop    [CentOS/RHEL]

In any case, you will have to install the command if you want to run it properly.

$ sudo apt-get install htop   [Ubuntu/Debian]

$ sudo yum install htop       [CentOS/RHEL]

Now you can try to run the command that was missing.

$ htop

Conclusion

In this tutorial, you learnt how you can solve the famous “bash : command not found” error that many system administrators encounter every day.

If you solve your issue with a solution that is not described in the article, make sure to leave a comment in order to help other administrators.

If you are interested in Linux system administration, we have a complete section dedicated to it on the website, so make sure to have a look.

How To Rename a Directory on Linux

If you have been working with Linux systems for quite some time, you already know how important it is to keep your filesystem structured.

In some cases, you may need to create temporary directories with random names that need to be renamed later on.

Renaming directories on Linux is not done with a dedicated renaming command but with a command that serves multiple purposes : the “mv” command.

The “mv” command is used on Linux in order to be able to move files but also to rename directories.

In this tutorial, we are going to learn how you can rename directories on Linux.

Rename Directories on Linux using mv

To rename a directory on Linux, use the “mv” command and specify the directory to be renamed as well as the destination for your directory.

$ mv <source_directory> <target_directory>

For example, let’s say that you want to rename a specific directory on your filesystem named “temp” (located in your home directory) to “directory” (also in your home directory)

To rename this directory, you would use the “mv” command and specify the two directory names.

$ mv /home/user/temp /home/user/directory

Note : using the mv command will not delete the content stored inside your directories, you won’t lose any files by renaming your directories on Linux.

Now if you take a look at all the directories stored in your home directory, you will see a new entry for your “directory” folder.

$ ls -l /home/user

drwxr--r-x   2 user user 4096 Nov  9 16:41 Desktop/
drwxr-xr-x   2 user user 4096 Nov  9 16:41 Documents/
drwxr-xr-x   2 user user 4096 Nov  9 16:41 Downloads/
drwxr-xr-x   2 user user 4096 Nov  9 16:41 Music/
drwxrwxr-x   2 user user 4096 Dec 20 10:53 directory/

Awesome, you just renamed a directory on Linux.

Rename Directories using find

In some cases, you may not know directly where your directories are located on your system.

Luckily for you, there is a command that helps you find and locate directories on a Linux system : the find command.

In order to find and rename directories on Linux, use the “find” command with the “-type” option in order to look for directories. You can then rename your directories by executing the “mv” command with the “-execdir” option.

$ find . -depth -type d -name <source_directory> -execdir mv {} <target_directory> \;

For this example, let’s pretend that you want to rename a directory named “temp” on your filesystem to “directory”.

The first part of the command will locate where your directory is located.

$ find . -depth -type d -name "temp"

./temp

Now that you know where your directory is, you can rename it by using the “execdir” option and the “mv” command.

$ find . -depth -type d -name temp -execdir mv {} directory \;

Rename Multiple Directories using Bash

As described in our previous tutorials, the Bash scripting language can also be used in order to rename multiple directories on your filesystem.

To rename multiple directories on Linux, create a new script file and use the “mv” command in a “for” loop to iterate over directories.

#!/bin/bash

# Takes directory entries specified and renames them using the pattern provided.

for directory in *
do
    if [ -d "$directory" ]
    then
      mv "${directory}" "${directory}_temp" || echo 'Could not rename '"$directory"''
    fi
done

Save this script as “change_name” and add it to your PATH environment variable if you want to use it on your entire system.

In this script, we are listing all the files and directories that are located in the current working folder (where the script is run from).

We are testing if the entry is a directory and if the directory exists using the “-d” option.

Then, if the directory exists, it is renamed to have a “_temp” extension at the end. Feel free to customize this line in order to rename the directories however you want them to be renamed.

$ ls

folder1/  folder2/

$ change_name

$ ls 

folder1_temp/  folder2_temp

Congratulations, you just renamed directories using a Bash script on Linux.
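A more defensive variant of the loop above, added here as an example and not part of the original tutorial: it skips symbolic links and directories that already carry the suffix, refuses to touch a target that already exists (plain mv would move the directory inside it), and protects names beginning with a dash. The function name rename_dirs_suffix is hypothetical, the sample tree is constructed, and mv -T assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: rename every sub-directory of a folder by appending a suffix,
# without clobbering or nesting directories when the script is run twice.

# rename_dirs_suffix PARENT_DIR SUFFIX
# Exit status 0 if every candidate was renamed, 1 if something was skipped
# or a rename failed.
rename_dirs_suffix() (
    [ -n "$2" ] || exit 1
    cd -- "$1" || exit 1
    suffix=$2
    status=0
    for dir in ./*/; do
        dir=${dir%/}                  # "./name": the ./ keeps "-name" from being read as an option
        [ -d "$dir" ] || continue     # no match: the glob stays literal
        [ -L "$dir" ] && continue     # leave symbolic links to directories alone
        case $dir in
            *"$suffix") continue ;;   # already renamed by an earlier run
        esac
        target=$dir$suffix
        if [ -e "$target" ] || [ -L "$target" ]; then
            # Without this check, "mv folder2 folder2_temp" would move
            # folder2 inside the existing folder2_temp directory.
            echo "skip ${dir#./}: ${target#./} already exists" >&2
            status=1
            continue
        fi
        # -T (GNU): treat the target as the new name, never as a directory to move into
        mv -T -- "$dir" "$target" || status=1
    done
    exit "$status"
)

# Constructed sample tree
demo=$(mktemp -d)
mkdir "$demo/folder1" "$demo/folder2" "$demo/folder2_temp"
rename_dirs_suffix "$demo" _temp || echo "some directories were skipped"
ls "$demo"          # folder1_temp  folder2  folder2_temp
rm -rf "$demo"
```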

Rename Directories using rename

Instead of using the “mv” command, you can use a dedicated built-in command, however this command may not be directly available on your distribution.

In order to rename directories on Linux, use “rename” with an expression describing how the names should change, followed by the directories to rename.

$ rename <expression> <directory>

As an example, let’s say that you want to rename all your directories written in uppercase to directory names in lowercase letters.

In order to rename those directories, you would run the following command

$ rename 'y/A-Z/a-z/' *

$ ls -l 

drwxrwxr-x 2 user user 4096 Dec 21 02:26 a_temp
drwxrwxr-x 2 user user 4096 Dec 21 02:26 b_temp

Filtering directories to be renamed

In some cases, you may want to rename only a few directories using the rename command.

In order to achieve that, you essentially have two options :

  • Use wildcards in order to filter directories to be renamed.

For example, if you want to rename directories ending with a given string, you would run the following command.

$ rename 's/_html$/_temp/' *_html

The syntax used by the rename command is the same one as the sed command : you can use this reference to have more information about this syntax.

  • Use input redirection in order to filter directories to be renamed

$ ls -d *_html | rename 's/_html$/_temp/'

When using one of those two options, your folders will be renamed to have a “_temp” extension.

$ ls -l

drwxrwxr-x 2 user user 4096 Dec 21 02:42 a_temp
drwxrwxr-x 2 user user 4096 Dec 21 02:42 b_temp

Awesome, you successfully renamed your directories using the rename command!

Conclusion

In this tutorial, you learnt all the ways of renaming directories on Linux, the most common way being the “mv” command.

You also learnt that it is possible to rename directories using the “find” command in order to locate your directories or by using the rename command (that may not be directly available on your system by default).

If you are interested in Linux System Administration, we have a complete section dedicated to it on the website, so make sure to check it out!

How To List Users and Groups on Linux

On Linux, as a system administrator, you often want to have a complete list of all the users and all the groups on your host.

It is quite crucial for security purposes to make sure that you have the correct number of users and that you didn’t forget to delete some.

There are several ways to list users and groups on Linux.

First, you can read the passwd and the group file on your system, with cut commands to extract useful information.

A more effective way is to use the getent command that relies on the Name Service Switch, a Unix-based facility to define custom databases on your host.

Here is how you can list users and groups on Linux.

List Users on Linux

In order to list users on Linux, you have to execute the “cat” command on the “/etc/passwd” file. When executing this command, you will be presented with the list of users currently available on your system.

Alternatively, you can use the “less” or the “more” command in order to navigate within the username list.

$ cat /etc/passwd

$ less /etc/passwd

$ more /etc/passwd

You will be presented with a list of users currently available on your system.

Note : it does not mean that users are connected right now!

But what do the columns of the passwd file even mean?

As a quick side note, an “x” in the password column means that the password is encrypted and it is to be found in the /etc/shadow file.

Now that you know how to list users on your Linux host, let’s see how you can effectively isolate a list of usernames.

List Usernames using the /etc/passwd file

As you probably noticed, the /etc/passwd file is made of lines whose fields are separated by colons.

a – List Usernames using cut

In order to list usernames on Linux, use the “cat” command and pipe it to the “cut” command in order to isolate usernames available in the first column of your file.

To achieve that, run the following command

$ cat /etc/passwd | cut -d: -f1

First, you are printing a list of all records in the passwd file. Next, those results are piped (using Linux pipes and redirection) to the cut command.

The cut command defines a custom separator (with the d option) that is equal to the colon character.

Finally, we are isolating the first field of the results we are getting. In this case, this is equal to the usernames as defined by our schema on the passwd columns.

b – List Usernames using awk

In order to list usernames on Linux, you can also use the “cat” command piped with the “awk” command that is similar to the “cut” command that we have seen before.

As a reminder, the awk command (or mawk) is an interpreter for the AWK programming language.

AWK is a programming language designed to ease data extraction and manipulation for data streams.

It is widely used on Unix-based systems when text structures are quite complicated and cannot be separated with a single command.

To list usernames on Linux using the awk interpreter, run the following command

$ cat /etc/passwd | awk -F: '{print $1}'

List Users on Linux using getent

The easiest way to list users on Linux is to use the “getent” command with the “passwd” argument and specify an optional user that you want to list on your system.

getent passwd <optional_user>

As a reminder, the getent command retrieves entries from Name Service Switch databases.

The Name Service Switch is a Unix utility that retrieves entries from a set of different datasources such as files, LDAP, a DNS server or a Network Information Service.

The list of all the datasources available can be read from the nsswitch.conf file located at /etc.

In our case, it can be used in order to list users and groups easily on our Linux host.

To list users using the getent function, run the following command

$ getent passwd

a – List Usernames with getent

Similarly to the previous section, it is possible to list only usernames when interacting with the getent command.

To achieve that, you can alternatively execute the cut command or the awk command in the following way.

$ getent passwd | cut -d: -f1

Or with AWK

$ getent passwd | awk -F: '{print $1}'

List Connected Users on your Linux host

As mentioned previously, inspecting the passwd file, either with less or with getent, does not provide you with a list of all the connected users on your host.

To achieve that, you are going to use the who command.

$ who

As you can see, you are provided with a list of users currently connected on your host along with the shell they are using and when they connected.

Alternatively, you can use the users command to achieve the same result with less details.

$ users
devconnected john

Pretty handy!

Now that we have seen how we can list users on a Linux host, let’s see how we can apply the same knowledge to list groups on your system.
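To go from a raw listing to the accounts that deserve a second look, here is an added example that is not part of the original tutorial: it reads passwd-format lines and reports accounts that can log in, extra UID 0 accounts, empty password fields and reused UIDs. The function name audit_passwd, its output labels and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: review a passwd-format listing for accounts worth a second look.

# audit_passwd: reads passwd-format lines on stdin
#   name:password:UID:GID:comment:home:shell
# and prints one finding per line:
#   login NAME UID SHELL    account with an interactive shell
#   uid0 NAME               UID 0 account other than root
#   nopass NAME             empty password field (no password required)
#   dupuid UID NAME FIRST   UID already used by the account FIRST
#   malformed LINE_NUMBER   line without exactly seven fields
audit_passwd() {
    awk -F: '
        /^[ \t]*(#|$)/ { next }                      # comments and blank lines
        NF != 7 { print "malformed " NR; next }
        {
            name = $1; uid = $3; shell = $7
            if (shell == "") shell = "(default)"     # empty shell field means /bin/sh
            if (shell !~ /\/(nologin|false)$/) print "login " name " " uid " " shell
            if (uid == 0 && name != "root") print "uid0 " name
            if ($2 == "") print "nopass " name
            if (uid in first) print "dupuid " uid " " name " " first[uid]
            else first[uid] = name
        }
    '
}

# Constructed sample, not taken from a real host
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
devconnected:x:1000:1000:,,,:/home/devconnected:/bin/bash
john:x:1001:1001:,,,:/home/john:/bin/bash
toor::0:0::/root:/bin/bash'

printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd
```

On a real host, feed it `getent passwd` so that accounts from every Name Service Switch source are covered.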

List Groups on Linux using the /etc/group file

In order to list groups on Linux, you have to execute the “cat” command on the “/etc/group” file. When executing this command, you will be presented with the list of groups available on your system.

Use one of the following commands to list groups on your system.

$ cat /etc/group

$ less /etc/group

$ more /etc/group

But what do the columns of the group file even represent?

Let’s take a complete line on the group file to inspect it.

As you can see, similarly to the passwd file, the entries are separated by colons. They are fairly easy to understand.

Note : the password field is not used most of the time, it is reserved to create privileged groups on your system.

List Groupnames using the /etc/group

As you can see, inspecting the /etc/group gives you a complete and sometimes too detailed listing of all the groups on your system.

However, you sometimes want to isolate the groupnames on your group file.

To achieve that, you can either use the cut command or the AWK command.

$ cat /etc/group | cut -d: -f1

$ cat /etc/group | awk -F: '{print $1}'

You can of course choose to isolate one group if you want to see which users belong to the group you are targeting.

$ cat /etc/group | grep <group>

List Groups using getent

Again, you can choose to list groups on Linux by using the getent command.

$ getent <database> <key>

Here, we are interested in the “group” database.

If you choose not to provide a key, you will be provided with the entire group file.

$ getent group

Similarly to the passwd database, you can choose to “target” one specific group by providing a key to the getent function.

$ getent group sudo

List Groups for the current user

The groups command is used to get a list of groups a specific user is in.

$ groups <username>

If provided with no arguments, it will return the groups for the user that launched the command.

To prove that it provides the groups for the user that launched the command, try to launch the command with sudo privileges.

$ sudo groups

The result is.. root! Because the command is executed as root and root only belongs to one group which is the root group.
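When reviewing who belongs to a privileged group, the member column of the group file is not the whole picture: users who have the group as their primary group (GID field of the passwd file) are not listed there, and `grep <group>` also matches other lines that merely contain the string. The function below is an added example, not part of the original tutorial, that resolves both; the names group_members and write_group_sample and the sample data are constructed.

```shell
#!/bin/sh
# Added example: list every member of a group, including users who have it
# as their primary group.

# group_members GROUP PASSWD_FILE GROUP_FILE
# Prints "USER primary" or "USER supplementary", sorted by user name.
# Exit status 2 if GROUP is not defined in GROUP_FILE.
group_members() {
    awk -F: -v want="$1" '
        FILENAME == ARGV[1] {                        # group file: name:password:GID:members
            if ($1 == want) {                        # exact match on the name field
                found = 1; gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") how[m[i]] = "supplementary"
            }
            next
        }
        found && $4 == gid { how[$1] = "primary" }   # passwd file: field 4 is the primary GID
        END {
            if (!found) exit 2
            for (u in how) print u " " how[u] | "sort"
        }
    ' "$3" "$2"
}

# write_group_sample DIR: constructed sample files, not taken from a real host.
write_group_sample() {
    cat > "$1/group" <<'EOF'
root:x:0:
sudo:x:27:devconnected
sudoers-audit:x:1100:john
EOF
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
devconnected:x:1000:1000:,,,:/home/devconnected:/bin/bash
john:x:1001:1001:,,,:/home/john:/bin/bash
deploy:x:1002:27:,,,:/home/deploy:/bin/bash
EOF
}

tmp=$(mktemp -d)
write_group_sample "$tmp"
# "grep sudo group" would print two lines and never mention deploy
group_members sudo "$tmp/passwd" "$tmp/group"
rm -rf "$tmp"
```

On a real host, save the output of `getent passwd` and `getent group` to two files and pass those.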

Conclusion

In this tutorial, you learnt how you can list users and groups on any Linux based system.

You learnt more about specific configuration files like passwd and group, as well as the getent command for Name Service Switch facilities.

Again, if you are interested in Linux system administration, we have tons of tutorials on the subject in our Linux System Administration category.

How To Run a Bash Script

As a system administrator, it is quite likely that you have written some Bash scripts in order to automate your work.

For example, you may want to run Bash scripts in order to backup your work or to log some events happening on your server.

Bash scripts, like scripts written in other programming languages, can be run in a wide variety of ways.

In this tutorial, we are going to focus on all the ways to run a Bash script on Linux.

Prerequisites

Before being able to run your script, you need your script to be executable.

In order to make a script executable on Linux, use the “chmod” command and assign “execute” permissions to the file.

You can either use the binary or the symbolic notation in order to make it executable.

$ chmod u+x script

$ chmod 744 script

If you don’t own the file, you will have to make sure that you belong to the correct group or that permissions are given to the “other” group on your system.

Some distributions will highlight your file in a different color when your file is executable.

Now that your file is executable, let’s see how you can run your Bash script easily.

Run Bash Script from script path

In order to run a Bash script on Linux, simply specify the full path to the script and provide arguments that may be needed in order to run your Bash script.

$ /path/to/script <arg1> <arg2> ... <argn>

As an example, let’s say that you have a Bash script located in your home directory.

In order to execute this script, you can specify the full path to the script that you want to run.

# Absolute path

$ /home/user/script 

# Absolute path with arguments

$ /home/user/script "john" "jack" "jim"

Alternatively, you can specify the relative path to the Bash script that you want to run.

# Relative path

$ ./script

# Relative path with arguments

$ ./script "john" "jack" "jim"

Awesome, you learnt how you can easily run a Bash script on your system.

Run Bash Script using bash

In order to run a Bash script on your system, you have to use the “bash” command and specify the script name that you want to execute, with optional arguments.

$ bash <script>

Alternatively, you can use “sh” if your distribution has the sh utility installed.

As an example, let’s say that you want to run a Bash script named “script”.

In order to execute it using the “bash” utility, you would run the following command

$ bash script

This is the output from your script!

Execute Bash script using sh, zsh, dash

Depending on your distribution, you may have other shell utilities installed on your system.

“Bash” is the shell interpreter installed by default, but you may want to execute your script using other interpreters.

In order to verify if a shell interpreter is installed on your system, use the “which” command and specify the interpreter you are looking for.

$ which sh

/usr/bin/sh

$ which dash

/usr/bin/dash

Whenever you have identified the shell interpreter that you want to use, simply call it in order to run your script easily.

Run Bash script from anywhere

In some cases, you may want to run Bash scripts wherever you are on your system.

In order to run a Bash script from anywhere on your system, you need to add your script to your PATH environment variable.

$ export PATH="<path_to_script>:$PATH"

Now that the path to the script is added to PATH, you can call it from where you want on your system.

$ script

This is the output from script!

Alternatively, you can modify the PATH environment variable in your .bashrc file and use the “source” command in order to refresh your current Bash environment.

$ sudo nano ~/.bashrc

export PATH="<path_to_script>:$PATH"

Exit the file and source your bashrc file for the changes to be applied.

$ source ~/.bashrc

$ echo $PATH

/home/user/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games

Great! Now your script can be executed from where you want on your system.
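Before exporting a modified PATH (here, and in the “command not found” fixes earlier on this page), it helps to check what the shell will actually search and which directory wins when two of them hold a command with the same name. The function below is an added example, not part of the original tutorial; the name audit_path and its output labels are hypothetical.

```shell
#!/bin/sh
# Added example: audit a PATH value before exporting it from .bashrc.

# audit_path PATH_VALUE: prints one finding per line:
#   empty-entry            empty element (the shell reads it as the current directory)
#   relative ENTRY         entry that is not an absolute path
#   missing ENTRY          entry that is not an existing directory
#   writable ENTRY         directory writable by group or others
#   shadow NAME DIR LATER  NAME in DIR is found before the same name in LATER
audit_path() (
    rest=$1:                                   # trailing ":" so the last entry is seen
    list=$(mktemp) || exit 1                   # "name<TAB>directory" in lookup order
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case $entry in
            '') echo "empty-entry"; continue ;;
            /*) ;;
            *)  echo "relative $entry"; continue ;;
        esac
        if [ ! -d "$entry" ]; then echo "missing $entry"; continue; fi
        case $(ls -ldL "$entry") in            # mode string, e.g. drwxrwxr-x
            ?????w*|????????w*) echo "writable $entry" ;;
        esac
        # Resolve symlinks so that /bin and /usr/bin count once when they are the same directory
        real=$(cd -P "$entry" 2>/dev/null && pwd -P) || continue
        for f in "$entry"/*; do
            if [ -f "$f" ] && [ -x "$f" ]; then printf '%s\t%s\n' "${f##*/}" "$real"; fi
        done >> "$list"
    done
    awk -F'\t' '
        ($1 in first) { if (first[$1] != $2) print "shadow " $1 " " first[$1] " " $2; next }
        { first[$1] = $2 }
    ' "$list"
    rm -f "$list"
)

audit_path "$PATH"
```

A "shadow" line is not always a problem (a newer tool in /usr/local/bin is a common, deliberate case), but a writable directory that shadows a system command deserves attention.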

Run Bash Scripts from the graphical interface

The last way to execute Bash scripts is to use the graphical interface, in this case the GNOME interface.

In order to run your scripts using GNOME, you have to set the behaviour of the File Explorer to “Ask what to do” for executable files.

To achieve that, in “Files“, click on the top right line icon and select “Preferences“.

In the menu, click on “Behavior” and select “Ask what to do” under the “Executable Files” section.

Close this window and double-click on the script file that you want to execute.

When double-clicking, you are prompted with various options : you can either choose to run your script (in a terminal or not) or to simply display the content of the file.

In this case, we are interested in running this script in the terminal, so click on this option.

Success! Your script has been successfully executed within a new shell instance.

Conclusion

In this tutorial, you learnt how you can easily run Bash scripts on your system, either by specifying the path to the script or the interpreters available on your host.

You learnt that you can make it even easier by adding your script path to your PATH environment variable or using existing features in the GNOME user interface.

If you are interested in Bash or Linux system administration, we have a complete section dedicated to it on the website, so make sure to check it out!

How To Setup OpenLDAP Server on Debian 10

As a system administrator, you are probably already familiar with the LDAP protocol.

If you are working in a medium to large company, you can be sure that your company already owns a LDAP server, whether it is on Linux or Windows.

Invented in the early 80s, the LDAP protocol (for Lightweight Directory Access Protocol) was created in order to store data that should be accessed over a network.

The LDAP protocol was defined as part of the RFC 4511 specification and it was implemented by many different vendors.

In this tutorial, we are taking a look at one of the implementations of the LDAP protocol : OpenLDAP.

OpenLDAP is a free and open-source implementation of LDAP that provides a server (called slapd) as well as utilities and libraries for developers.

Using this tutorial, you will be able to setup a complete OpenLDAP server and configure it in order to use it for central authentication.

What You Will Learn

If you follow this tutorial until the end, you will be able to learn about the following topics :

  • How to install an OpenLDAP server on Debian 10;
  • How to configure OpenLDAP and what the configuration actually means;
  • How to use LDIF and LDAP utilities to modify your LDAP database;
  • How to add users in your OpenLDAP server for central authentication;
  • How to setup clients and how central authentication works on Linux;

That’s quite a long article so without further ado, let’s start by installing a simple OpenLDAP server on Debian 10.

Install OpenLDAP server on Debian 10

Before starting, you should make sure that you have administrator rights on your system : you will need them to install new packages.

To check if you have sudo rights, execute the “sudo” command with the “-v” option.

$ sudo -v

If you are not sure on how to provide sudo rights for users on Debian 10 or CentOS 8, make sure to read our dedicated guides about it.

Also, make sure that your packages are correctly updated in order to get the latest package version from the repositories.

$ sudo apt-get update

On Linux, the OpenLDAP server is called “slapd“.

It is a simple and configurable stand-alone server that is used in order to read, modify and delete from a LDAP directory.

The slapd daemon also comes with many different utilities that can be used in order to create new entries easily, or to modify entries easily : slapadd or slappasswd just to name a few.

$ sudo apt-get install slapd

When installing this new package, you will be asked to configure the slapd daemon at the end of the installation.

Configuring slapd on Debian 10

The slapd configuration comes as text-based interfaces that you need to fill in order to setup the server properly.

First, you are asked to provide an administrator password for the LDAP server.

Choose a secure password because the administrator entry in the LDAP directory has all the rights on the entire tree : add, delete and modify all the entries as well as reading all the LDAP attributes.

On the next screen, you are asked to confirm the password : simply type what you typed in the previous screen.

From there, your LDAP server should be initialized.

When installing the slapd server, the installation also :

  • Created a user named “openldap” on your server;
  • Created an initial configuration that is available at /etc/ldap
  • Created an initial and empty database that is ready to accept new entries.

By default, the OpenLDAP server will create a first database entry that reflects your current domain name.

However, if you did not configure your domain name properly (during the installation for example), there is a chance that your OpenLDAP server is badly configured.

To take a first look at the initial configuration of your OpenLDAP server, use the “slapcat” command and watch for the distinguished names created by slapd.

$ sudo slapcat

$ sudo slapcat | grep dn

Usually, your OpenLDAP top DNs should match the DNS names of your domain.

It means that if you are currently working in the “devconnected.com” domain, your OpenLDAP server should have the “dc=devconnected,dc=com” top distinguished names.

As you can see, this is not the case for now but luckily for us there is a way to reconfigure the slapd daemon.

Reconfiguring slapd using dpkg-reconfigure

In order to reconfigure the slapd daemon, execute the “dpkg-reconfigure” command on the “slapd” daemon. Again, you need sudo privileges to reconfigure slapd.

$ sudo dpkg-reconfigure slapd

First, you are asked if you want to omit the OpenLDAP server configuration.

We obviously want to press “No” on this option because we want the initial configuration of the database to be created for us.

On the next step, you are asked to provide the base distinguished name of your LDAP server.

As you can see, the prompt explains that the DNS domain name is used to build the base DN of your OpenLDAP directory.

In this case, we are choosing to have “dc=devconnected,dc=com” : note that you have to modify this entry to match your current DNS settings.

If you are not sure about the domain that you belong to, simply use the “domainname” command in your terminal.

$ domainname
devconnected.com

Next, you are asked to provide the name of your organization. This is exactly the same step as the one done before, simply type your organization name and hit “Ok”.

Finally, similarly to the first slapd configuration, you are asked to provide admin credentials for your LDAP server.

Again, choose a strong password as it can be used in order to read and modify every single entry in the LDAP directory.

On the next screen, you are asked to provide the back-end to be used by LDAP.

For this step, you want to keep the default values (meaning a MDB for MariaDB back-end) unless you have a reason to choose another storage backend.

Next, you are asked if you want the database to be removed when slapd is purged.

In this case, we will choose “No” : there are many situations where you simply want to update your slapd package or switch to a different LDAP server.

If you choose yes, your database will be removed which can be a real problem if you don’t have any backups of your LDAP directory.

Finally, you are prompted with a warning : there are already some files sitting in the “/var/lib” directory of your server.

In this directory, you currently have your old database stored. As you are trying to reconfigure your OpenLDAP server, you will overwrite the content of this folder.

By choosing “Yes”, the slapd utility will backup the content of your existing database to the “/var/backups” folder.

Done!

Your slapd server is now configured properly to match your current DNS settings.

To have a first look at the content of your LDAP database, simply execute the “slapcat” command (with sudo privileges if you are not currently logged in as root).

$ sudo slapcat

With this initial setup :

  • Your configuration files are stored in “/etc/ldap” : this directory holds the ldap configuration file, the schemas that you can add to slapd, as well as the slapd.d directory used for server customization;
  • Your database is stored at “/var/lib/ldap” under the “data.mdb” database : you should probably set up backups of this file in order to make sure that you won’t lose everything.

Configuring firewall rules for LDAP

If you are using a firewall, it is very likely that you will need to accept inbound requests to your LDAP server.

As a quick reminder, OpenLDAP runs on port 389.

To make sure that it is running correctly, run the “systemctl status” command on the “slapd” server.

$ sudo systemctl status slapd

If you are using recent distributions of Debian, you are probably using UFW as the default firewall.

To enable OpenLDAP on UFW, execute the “ufw allow” command on the port 389 of your server. You can accept TCP and UDP connections all together.

$ sudo ufw allow 389

Rule added
Rule added (v6)

You can then verify that the rule was correctly created using the status command.

In the next section, we are going to see how you can easily add new entries to your LDAP server using LDIF files.

Add OpenLDAP entries using LDIF files

When adding new entries to your OpenLDAP server, you could use the “slapadd” utility in order to add a new LDIF file.

However, this is not the utility that we are going to use, instead we are going to use “ldapadd”.

Difference between slapadd and ldapadd

Before adding new entries, it is important for you to know the difference between slap utilities and ldap utilities.

Both utilities take LDIF formatted files as an argument and they add the content to the database.

However, when using slapadd, you will have to restart your LDAP server for the changes to be applied.

This is not the case when using ldap utilities such as “ldapadd” : modifications are directly performed on the directory tree.

In order to be able to use “ldapadd”, “ldapsearch” and other LDAP utilities, you need to install the “ldap-utils” package on your system.

$ sudo apt-get install ldap-utils

Creating your first LDIF file

As explained earlier, if you are using the command line, you will need to create LDIF files and add them to your current LDAP configuration or database.

The LDIF format is a format used in order to add or modify existing entries in a LDAP directory.

Using LDIF, you specify the distinguished name of the node that you want to modify and you describe the modifications to be performed.

As an example, let’s say that you want to create a new node in your LDAP directory named “users”.

Adding a users group

To achieve that, create a new LDIF file named “users.ldif” and add the following content in it.

$ sudo touch /etc/ldap/users.ldif

# Content of the users file

dn: ou=People,dc=devconnected,dc=com
objectClass: organizationalUnit
ou: People

As you can see, we are providing the complete DN of the node to be added, then we specify the object class and the name of the node to be created.

In order to add this entry to your LDAP directory, you have to use the “ldapadd” command and specify the LDIF file to be used.

$ sudo ldapadd -D "cn=admin,dc=devconnected,dc=com" -W -H ldapi:/// -f users.ldif

Enter LDAP Password:
added new entry "ou=People,dc=devconnected,dc=com"

If you are not familiar with ldap utility options, here is a description of the options provided :

  • -D : used to specify a node to bind to. When adding new entries to a LDAP server, you can choose your authentication mechanism but you usually want to bind to the admin node in order to gain all privileges on the tree;
  • -W : used in order to specify that we want the password to be prompted when connecting;
  • -H : used in order to specify the LDAP server to connect to. In this case, we are connecting to a LDAP server available at localhost;
  • -f : to specify the LDIF file to be added to the LDAP server.

Note that you cannot use an external authentication in order to add new entries to LDAP by default : ACLs are not configured to do that.

Now that your node is added to your tree, you can try to find it using the “ldapsearch” command.

$ sudo ldapsearch -x -b "dc=devconnected,dc=com" ou

Great!

Now that the “People” organizational unit was added, let’s add some users to your LDAP tree.

Adding new users to LDAP

In order to add new users, we are going to follow the same logic : creating a LDIF file containing individual entries for users.

As described before, OpenLDAP uses schemas in order to define “objects” that can be added to the directory.

In this case, we are going to use the “posixAccount” schema which is already added to your database configuration by default.

The “posixAccount” object has several fields that can be used to describe a Linux user account such as the username, the surname but most importantly the user password.

Create a new LDIF file and add the following content in it :

$ sudo touch /etc/ldap/new_users.ldif

# Content of new_users LDIF file

dn: cn=john,ou=People,dc=devconnected,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: john
uid: john
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/john
userPassword: <password>
loginShell: /bin/bash

When you are done, save your file and use the ldapadd command in order to add your entry to the LDAP directory tree.

$ sudo ldapadd -D "cn=admin,dc=devconnected,dc=com" -W -H ldapi:/// -f new_users.ldif

Enter LDAP Password:
added new entry "cn=john,ou=People,dc=devconnected,dc=com"

Congratulations, you now have your first user stored in OpenLDAP.

You can read the user information by issuing a LDAP search command. Note that you won’t be able to read the user password as you are restricted by ACLs.

$ sudo ldapsearch -x -b "ou=People,dc=devconnected,dc=com"
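
A check worth running on an LDIF such as new_users.ldif before it is loaded, as an added example that is not part of the original tutorial: it lists every entry whose userPassword is not a hashed {SCHEME}value of the kind that slappasswd (shipped with slapd) prints. The function names, the sample entries and the sample hash string are constructed for illustration.

```shell
#!/bin/sh
# Added example: list entries in an LDIF file whose userPassword is stored
# in clear text. Function names and sample data are constructed.
# Limitation: folded (continuation) LDIF lines are not reassembled.

# True when the value carries a hash scheme prefix such as {SSHA} or {CRYPT}.
is_hashed() {
    case $1 in
        "{CLEARTEXT}"*|"{cleartext}"*) return 1 ;;
        "{"?*"}"?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the DN of every entry whose userPassword is not hashed.
# Handles "userPassword: value" and base64 "userPassword:: value".
find_cleartext_passwords() {
    dn=""
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            dn:*)
                dn=${line#dn:}; dn=${dn# } ;;
            userPassword::*)
                value=$(printf '%s' "${line#userPassword::}" \
                    | tr -d ' ' | base64 -d 2>/dev/null) || value=""
                is_hashed "$value" || printf '%s\n' "$dn" ;;
            userPassword:*)
                value=${line#userPassword:}; value=${value# }
                is_hashed "$value" || printf '%s\n' "$dn" ;;
        esac
    done < "$1"
}

# Constructed sample: one clear-text password, one hashed value, and the
# same hashed value in base64 form.
sample_ldif() {
    hashed='{SSHA}Q09OU1RSVUNURUQtTk9ULUEtUkVBTC1IQVNI'   # not a real hash
    cat <<EOF
dn: cn=john,ou=People,dc=devconnected,dc=com
objectClass: posixAccount
uid: john
userPassword: changeme

dn: cn=alice,ou=People,dc=devconnected,dc=com
objectClass: posixAccount
uid: alice
userPassword: $hashed

dn: cn=bob,ou=People,dc=devconnected,dc=com
objectClass: posixAccount
uid: bob
userPassword:: $(printf '%s' "$hashed" | base64)
EOF
}

# Usage:  find_cleartext_passwords new_users.ldif
```

Only the entry for john is reported on the sample; an empty result means every userPassword in the file already carries a scheme prefix.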

Awesome, now that your LDAP server is configured, let’s set up a client for centralized authentication.

Configuring LDAP clients for centralized authentication

In the last section of this OpenLDAP server setup, we are going to see how you can configure LDAP clients (i.e your host machines) in order for them to connect using LDAP information.

How LDAP client authentication works

Before issuing any commands, it is important for you to have a global understanding of what we are actually building.

Before LDAP (and NIS), if you wanted to configure users and group permissions over multiple computers of a network, you would have to connect to them one by one and change their settings.

LDAP comes as a great solution for this : LDAP will centralize user information in one single place on your network.

When a client connects to any machine of your domain, the host will first contact the LDAP server and verify that the user password provided is correct.

The client library will bind (or authenticate) to the remote LDAP server using the admin account and retrieve the information associated with the user trying to connect.

Next, it will retrieve the password associated with the account and compare it with the password you typed when you logged in.

If the passwords match, you will be logged in your account, otherwise you will be denied.

Setup Client LDAP authentication on Debian

In order to setup client LDAP authentication, you will need to install the “libnss-ldap” package on your client.

$ sudo apt-get install libnss-ldap

When installing this package, you will be prompted with many different questions in order to configure client centralized authentication.

First, you are asked to provide the URL of your LDAP server : it is recommended to use an IP address (configured as static obviously) in order to avoid DNS resolution problems.

On the server, identify your IP address with the ip command and fill the corresponding field on the client.

# On the server

$ ip a

Note : make sure that you are using the LDAP protocol and not the LDAPI protocol. For some reason, your server won’t be reachable if you use the LDAPI protocol.

Next, you are asked to provide the root distinguished name of your LDAP server. If you are not sure, you should run a ldapsearch command on the server to get this information.

On the next screen, you are asked the LDAP version that you want to use : choose the LDAP version 3 for now.

Next, you are asked if you want to make the local root the database admin.

You want to type “Yes” to this option as you want to change the user password directly from the host machine.

With this option, you will be able to run the “passwd” command and have the password modified directly in the LDAP directory, which is pretty useful.

By default, the LDAP database does not require a login, so you can type “No” on this option.

Note : the LDAP database has no login but you have an admin account at the top of your LDAP directory. These are two very different concepts.

Next, type the LDAP administrator account to be used for binds.

As a reminder, this is the account that will be used in order to get the user password information from the server.

Finally, type the password associated with the admin account on the LDAP server.

Done, you should now be able to query your LDAP server.

Linking client information to LDAP

In order to link your client information (such as username and password) to the LDAP directory, you need to modify the nsswitch file.

As a reminder, the nsswitch file is used in order to link some information on your system (such as users, groups or hosts) to various different sources (local, LDAP, NIS or others).

Edit the /etc/nsswitch.conf file and add a “ldap” entry to the first four sections : passwd, group, shadow, gshadow.

$ sudo nano /etc/nsswitch.conf

Save your file and you should now be able to list users from the LDAP server.

$ getent passwd

Note : if you are not familiar with the getent command, here are all the commands used to list users on Linux.
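
The nsswitch.conf edit described above can also be scripted, as in this added example that is not part of the original tutorial: it appends “ldap” to the passwd, group, shadow and gshadow lines, keeps a backup and is safe to run twice. The function names and the sample file content are constructed for illustration.

```shell
#!/bin/sh
# Added example: add "ldap" to the passwd, group, shadow and gshadow lines
# of an nsswitch.conf-format file. Names and sample content are constructed.

# usage (as root): add_ldap_sources /etc/nsswitch.conf
add_ldap_sources() {
    conf=$1
    tmp=$(mktemp) || return 1
    awk '
        /^(passwd|group|shadow|gshadow):/ {
            has = 0
            for (i = 2; i <= NF; i++) if ($i == "ldap") has = 1
            if (!has) $0 = $0 " ldap"      # idempotent: never added twice
        }
        { print }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    cp -p "$conf" "$conf.bak" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$conf"                   # overwrite in place: keeps owner and mode
    rm -f "$tmp"
}

# Print the databases that consult LDAP, one per line, to verify the edit.
ldap_databases() {
    awk -F: '/^[a-z_]+:/ {
        n = split($2, src, /[ \t]+/)
        for (i = 1; i <= n; i++) if (src[i] == "ldap") { print $1; break }
    }' "$1"
}

# Constructed sample of a default-looking nsswitch.conf.
sample_nsswitch() {
    cat <<'EOF'
passwd:         files systemd
group:          files systemd
shadow:         files
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns
networks:       files
EOF
}

# Demo on a scratch copy of the constructed sample.
demo=$(mktemp)
sample_nsswitch > "$demo"
add_ldap_sources "$demo"
ldap_databases "$demo"
rm -f "$demo" "$demo.bak"
```

Because “ldap” is appended after the existing sources, local accounts in the files source are still looked up first.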

Awesome!

Now that your user can be retrieved via LDAP, you will be able to log in to this account by using the user password you have specified in the LDAP directory.

$ su - john

<Type password specified in LDAP>

john@client:/home/john

Conclusion

In this tutorial, you learnt how you can easily setup a simple OpenLDAP server on Debian 10 using the slapd utility.

You also learnt about the LDAP utilities that you can use in order to add and search entries in your LDAP directory.

Finally, you have seen how you can configure client machines in order to use LDAP authentication to connect to your machines.

This is an architecture that can be used in most company IT environments : note that you will have to set up TLS encryption so that passwords are not transmitted over the network in clear text.

If you are interested in Linux System administration, we have a complete section dedicated to it on the website, so make sure to check it out!

Network Manager on Linux with Examples

If you are an experienced system administrator, and if you focus on network management, you have probably already heard about the Network Manager.

Released in 2004 and developed by Red Hat, the Network Manager is a set of different tools, mostly interfaces, designed to facilitate network management on your system.

If you want to turn on a network adapter, you will probably use the Network Manager in order to achieve that.

Similarly, if you want to edit an existing network card in order to change the IP address assigned to it, you would use the Network Manager again.

In this tutorial, we are going to describe how you can use the various tools in the Network Manager suite in order to manage your networks easily.

After listing the tools embedded in the suite (nmcli, nmtui, nm-applet), we will go through a list of practical use cases for network administrators.

Network Manager Architecture

Before diving into the capabilities of the Network Manager, let’s first describe its architecture and how it can communicate with Kernel related modules.

Network Manager API

The first concept to understand is that the Network Manager stands as an API in order to configure the network interfaces on your host.

However, the Network Manager does not work alone : it is part of a chain that starts with receiving a network message on an endpoint called a network socket.

A network socket is physically represented by an Ethernet NIC connected to an Ethernet Cable in order to start sharing data over a network.

When an Ethernet cable is plugged in, it is first recognized by the udev module which will send a signal to the Network Manager in order to notify that a new cable has been plugged in.

This way, the Network Manager is able to maintain connections but it is also able to expose network availability to other applications.

If you are using Firefox, and if Firefox needs to know the status of a network connection, it can query the Network Manager through DBus in order to get this information.

Network Manager is really a network API that will offer details about network cards, wired or wireless networks available.

It will also provide an easy way to configure your network cards and interfaces with dedicated configuration files.

Network Manager vs ifupdown

Historically, Linux operating systems used to manage network interfaces in a different way, mainly using configuration files located at /etc/network.

In this directory, a file can be used in order to configure network interfaces : the interfaces file.

However, on recent distributions, the “interfaces” file used by ifup and ifdown utilities is not used.

By default, Network Manager is the one managing your network interfaces but the way network is managed can be changed in the Network Manager configuration file.

Precisely, the “managed” parameter in the “ifupdown” section of the NetworkManager.conf file describes if Network Manager is used on your system or not.

Note : “false” means that Network Manager manages your connections and devices, “true” means that you prefer to do it the old way using ifup and ifdown.

About systemd-networkd

On newer systems, systemd is set to handle pretty much everything and network is no exception to the rule.

In some cases, your system may rely on the systemd-networkd daemon in order to manage interfaces.

Note that, in order to avoid configuration conflicts related to networks, only one networking service should be enabled at one time : whether it is ifupdown, systemd-networkd or Network Manager.

If you are used to managing your networks using the “interfaces” file, you might want to keep doing that, otherwise it is recommended to switch to the Network Manager.

Network Manager Tools

Now that you have a greater understanding of the Network Manager, let’s start enumerating the tools that are provided in this suite.

The Network Manager provides the following tools :

  • nmcli : the dedicated command line tool used in order to configure, add, edit and remove connections using the Network Manager;
  • nmtui : a graphical user interface that provides just a subset of features compared to nmcli. Using nmtui, you can edit a connection, activate a connection or change the hostname of your computer;
  • nm-applet : available in GNOME desktop environments, this applet is used as an interface overlay which can be used in order to connect or disconnect from networks.

Note that some distributions may have Network Manager “shortcuts” for the tools described above : nmtui-connect, nmtui-edit or nmtui-hostname.

Most of the time, those utilities are actually simple soft links to the main nmtui utility.

In the following sections, we are going to see how you can use the different tools cited above in order to configure your networks properly.

Network Configuration using nmcli

As described in the previous section, nmcli is a command line utility that can be used in order to monitor your network connectivity, but also to add, edit, delete connections as well as having detailed information about devices on your system.

You can interact with nmcli using the following syntax

$ nmcli <options> <section> <action>

The nmcli has a set of eight sections :

  • help : used in order to get general help about the nmcli usage;
  • general : used in order to get the status and the global configuration of the Network Manager itself;
  • networking : exposes methods in order to shut down the Network Manager or to bring it up again;
  • radio : used in order to manage wireless transmission protocols such as WIFI or WAN;
  • connection : as its name indicates, this section is used in order to bring interfaces up and down and to add and delete existing connections;
  • device : mostly used in order to modify parameters associated with a given device (the interface name for example) or to connect a device using an existing connection;
  • agent & monitor : those sections are used to respectively handle secrets and to watch network changes.

Each section described has a set of predefined actions that can be found by reading the nmcli documentation (show, add, delete, modify, load and so on).

As an example, if you were to list all connections that are currently active, you would execute “nmcli” with the “connection” section and the “show” action.

$ nmcli connection show

In this case, my host has a wired Ethernet connection on a network adapter named “eth0”.

In the following sections, we are going to see how you can interact with network cards and connections in order to properly configure your system.

Connection Management

When using Network Manager, a connection can be seen as a “network configuration“.

As a consequence, a “connection” has all the information related to layer 2 (the data-link layer) and layer 3 (likely related to IP addressing).

When a connection is used by a device, namely a network adapter on your host, it is set to be “active” or to be “up”.

On the other hand, a connection can be “idle” and not used by any network interface at all : in this case it is set to be “inactive” or “down”.

The first key point here is that whenever we are configuring networking on a Linux host, we are essentially configuring connections, that will be bound to devices later on.

Listing Network Connections

In order to list network connections available on your host, you can run the “show” action of the “connection” section.

$ nmcli connection show

Optionally, you can provide the “--active” flag in order to restrict the result to active connections (i.e. used by network adapters).

$ nmcli connection show --active

Adding Network Connections

In some cases, it might be handy to have multiple connections configured.

Say that you are working at two different places : one that uses DHCP in order to assign your IP address (dynamic IP addressing) and one that assigns a static IP to your computer.

In order to achieve that, you can create additional network connections that can be switched on depending on your location.

To add new network connections using Network Manager, you can :

  • Add your configuration file to the system-connections directory located at /etc/NetworkManager;
  • Use the “nmcli connection” command with the “add” option;
  • Use the nm-connection-editor utility that provides a GUI in order to add, modify and delete existing connections.

Using the nmcli command line, you can create a new connection by running the following command

$ sudo nmcli connection add type ethernet ifname eth2

Using nmcli, a new UUID will be assigned to your newly created connection and you will be able to start using it to connect to the Internet for example.

Modifying connection parameters

One great feature of the nmcli utility is to modify the parameters of your existing connections.

If you want to modify your IP address and switch from DHCP to manual IP addressing, you would also use the nmcli utility to change those parameters.

In order to modify existing connection parameters, you would use the following syntax

$ nmcli connection modify <connection_id> <parameter> <value>

As an example, let’s say that you want your IP address to be static and set to the value ‘192.168.1.19’.

To achieve that, you would run the following command

$ nmcli connection modify <uuid> ipv4.method manual

$ nmcli connection modify <uuid> ipv4.address 192.168.1.19/24

Note : when changing the IP address, do not forget to set the subnet mask (here /24), otherwise you might get a default mask assigned which will be wrong in most cases.

In order for your changes to be effective, you need to restart your connection by using the “up” and “down” actions of the “connection” section.

$ nmcli connection down <uuid>

$ nmcli connection up <uuid>

Now that your interfaces are restarted, your IP change should be effective.

$ hostname -I

192.168.1.19
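
The same static configuration can be written as a configuration file for the system-connections directory, the first option listed under “Adding Network Connections”. The following is an added example that is not part of the original tutorial: it refuses an address without a prefix length and creates the file with mode 600, since NetworkManager only loads keyfiles that are owned by root and not accessible to other users. The function name, connection id and UUID are constructed for illustration.

```shell
#!/bin/sh
# Added example: write a static-IPv4 keyfile for NetworkManager.
# Function name, connection id and UUID are constructed.

# usage: write_static_keyfile dir id uuid ifname address/prefix [gateway]
write_static_keyfile() {
    dir=$1; id=$2; uuid=$3; ifname=$4; addr=$5; gw=${6:-}

    # The address must carry its prefix length (192.168.1.19/24).
    case $addr in
        */*) ;;
        *) echo "missing prefix length in '$addr'" >&2; return 2 ;;
    esac
    prefix=${addr##*/}
    case $prefix in
        ''|*[!0-9]*) echo "bad prefix length '$prefix'" >&2; return 2 ;;
    esac
    [ "$prefix" -le 32 ] || { echo "prefix length above 32" >&2; return 2; }

    file=$dir/$id.nmconnection
    (
        umask 077      # create the file without group/other access
        {
            printf '[connection]\n'
            printf 'id=%s\nuuid=%s\ntype=ethernet\ninterface-name=%s\n\n' \
                "$id" "$uuid" "$ifname"
            printf '[ipv4]\nmethod=manual\naddress1=%s%s\n' \
                "$addr" "${gw:+,$gw}"
        } > "$file"
    ) || return 1
    chmod 600 "$file" || return 1
    printf '%s\n' "$file"
}

# Demo in a scratch directory with constructed values.
demo_dir=$(mktemp -d)
write_static_keyfile "$demo_dir" office-static \
    11111111-2222-3333-4444-555555555555 eth2 192.168.1.19/24 192.168.1.1 >/dev/null
cat "$demo_dir/office-static.nmconnection"
rm -rf "$demo_dir"
```

Run as root against /etc/NetworkManager/system-connections, then use “nmcli connection reload” so that Network Manager reads the new file.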

Device Management

“Device” is one of the sections of the nmcli utility and it can be used in order to manage network adapters on your host.

Listing Network Adapters

In order to have a listing of the network adapter on your host, you can run the “show” action on the “device” section.

$ nmcli device show

This command describes your network adapter in detail. It lists :

  • The device name : assigned by udev when the device was plugged to your computer (eth0 in this case);
  • Your device MAC address, referred here as the hardware address;
  • The device state : whether it is connected to the network or not;
  • The IPv4 address using a CIDR notation (192.168.1.16/24);
  • The IPv4 of your subnet gateway (192.168.1.1);
  • The IPv4 of your main DNS (192.168.1.1).

Note : here, the gateway is acting as the main DNS but you might have dedicated name servers in your company.

Those characteristics are quite useful if you want to list network cards available on your host and determine whether they are connected or not.

Changing device configuration

In some cases, it might be useful to change device configuration directly.

However, there is a crucial point that you need to remember : you can change your device live, but if you want your changes to be persisted, you need to modify your connection configuration instead.

In short, device configuration changes are temporary.

In order to change your device configuration, you need to execute the “nmcli device” command with the “modify” option and specify the parameter to be changed.

$ nmcli device modify <interface_name> <parameter> <value>

$ nmcli dev mod <interface_name> <parameter> <value>

For example, let’s say that you want to change the IP address of your “eth0” network interface. You also want IP attribution to be static instead of dynamic.

In order to achieve that, you would execute the following command

$ nmcli device modify eth0 ipv4.method manual

Connection successfully reapplied to 'eth0'

$ nmcli dev mod eth0 ipv4.address 192.168.1.19/24

Connection successfully reapplied to 'eth0'

Reapplying parameters

Just to showcase that changes are temporary, if you were to “reapply” parameters to your interface, all your changes would be lost.

Instead, parameters defined in your connection configuration file (in /etc/NetworkManager/system-connections) would be reapplied.

$ nmcli dev reapply eth0

Connection successfully reapplied to 'eth0'

Reinspecting the IP address would give you another IP address from the one you statically assigned in the previous section.

$ hostname -I

192.168.1.18/24

Network Manager Graphical Tools

In this section, we are going to take a look at graphical tools included in the Network Manager suite : nmtui and nm-applet.

Nmtui utility

The nmtui is, as its name describes, a text user interface built in order to facilitate network operations with an easy-to-use user interface.

In order to start with nmtui, simply execute “nmtui” in a terminal shell.

$ nmtui

In this graphical menu, you have three options :

  • Edit a connection : where you are able to select network interfaces and modify parameters assigned to them (such as the DNS, the IP address or the gateway address);
  • Activate a connection : but also deactivate existing connections. As a reminder, connections are only active or enabled whenever they are assigned to a specific device;
  • Set system hostname : like the “hostnamectl” or the “hostname”, you can set the PC name over a network.

Navigating in the nmtui tool is pretty straightforward : you can use keyboard keys to navigate, the ‘Enter’ key in order to confirm your selection and the ‘Escape’ key in order to cancel and go back to the previous screen.

Nm-applet on GNOME

The last application related to the Network Manager is nm-applet : a GUI applet available for GNOME user-interfaces.

The nm-applet tool is an overlay user interface that is available in the top-right corner of your desktop menu.

Using the nm-applet, you can : see existing connections, add, edit and remove them at will.

You can see detailed information about the settings of your wired connections and edit them in order to change your IP address or change the IP attribution method (from DHCP to manual for example).

Conclusion

In this tutorial, you learnt about the Network Manager : a tool on modern distributions that is used in order to create, modify and manage network connections.

You have discovered the tools associated with the Network Manager (namely nmcli, nmtui and nm-applet) and you have learnt how you can use those tools in order to modify your existing connections.

If you are interested in networking or in Linux System Administration, we have a complete section dedicated to it on the website, so make sure to check it out!