Default dhcp and dnsmasq are conflict in a OS.
Just change to another if one failed.

yum install dhcp

/etc/sysconfig/dhcpd is no longer needed in RHEL-7. However, it is still working in other distributions. Just assign an IP to the interface which in the subnet you want dhcp serve.

[root@localhost ~]# vi /etc/sysconfig/dhcpd
DHCPDARGS="eth0 eth1";

[root@localhost ~]# yum -y install dhcp
[root@localhost ~]# vi /etc/dhcp/dhcpd.conf
# create new
# specify domain name
option domain-name "";
# specify name server's hostname or IP address
option domain-name-servers;
# default lease time
default-lease-time 600;
# max lease time
max-lease-time 7200;
# this DHCP server to be declared valid
# specify network address and subnet mask
subnet netmask {
    # specify the range of lease IP address
    range dynamic-bootp;
    # specify broadcast address
    option broadcast-address;
    # specify default gateway
    option routers;
[root@localhost ~]# systemctl start dhcpd 
[root@localhost ~]# systemctl enable dhcpd 
ln -s '/usr/lib/systemd/system/dhcpd.service' '/etc/systemd/system/'


Dnsmasq is very useful in libvirt/qemu/docker based environment.
To bind to interface br0(

/usr/sbin/dnsmasq --strict-order --pid-file=/var/run/libvirt/network/br0--conf-file= --except-interface lo --bind-interfaces br0 --listen-address --dhcp-range, --dhcp-leasefile=/var/lib/libvirt/dnsmasq/br0.leases --dhcp-lease-max=253 --dhcp-no-override --dhcp-hostsfile=/var/lib/libvirt/dnsmasq/br0.hostsfile --addn-hosts=/var/lib/libvirt/dnsmasq/br0.addnhosts

1. Install incrontab.

2. Edit /etc/incron.allow


3. Use incrontab command

<path> <mask> <command>
IN_ACCESS File was accessed (read) (*)
IN_ATTRIB Metadata changed (permissions, timestamps, extended attributes, etc.) (*)
IN_CLOSE_WRITE File opened for writing was closed (*)
IN_CLOSE_NOWRITE File not opened for writing was closed (*)
IN_CREATE File/directory created in watched directory (*)
IN_DELETE File/directory deleted from watched directory (*)
IN_DELETE_SELF Watched file/directory was itself deleted
IN_MODIFY File was modified (*)
IN_MOVE_SELF Watched file/directory was itself moved
IN_MOVED_FROM File moved out of watched directory (*)
IN_MOVED_TO File moved into watched directory (*)
IN_OPEN File was opened (*)

When monitoring a directory, the events marked with an asterisk (*) above can occur for files in the directory, in which case the name field in the returned event data identifies the name of the file within the directory.

The IN_ALL_EVENTS symbol is defined as a bit mask of all of the above events. Two additional convenience symbols are IN_MOVE, which is a combination of IN_MOVED_FROM and IN_MOVED_TO, and IN_CLOSE which combines IN_CLOSE_WRITE and IN_CLOSE_NOWRITE.

The following further symbols can be specified in the mask:
IN_DONT_FOLLOW Don't dereference pathname if it is a symbolic link
IN_ONESHOT Monitor pathname for only one event

IN_ONLYDIR Only watch pathname if it is a directory

Additionaly, there is a symbol which doesn't appear in the inotify symbol set. It it IN_NO_LOOP. This symbol disables monitoring events until the current one is completely handled (until its child process exits). 
Command translation

$$   dollar sign
$@   watched filesystem path (see above)
$#   event-related file name
$%   event flags (textually)
$&   event flags (numerically)
# incrontab -l
# incrontab -e
/var/www IN_ACCESS echo "/var/www/ wass accessed at $$date"

Access your web server in a browser and watch the status change.
# tail /var/log/syslog

node1 eth0
node2 eth0

1. Install essential packages

Add following content to /etc/yum.repos.d/ha.repo, since you will need crmsh later:

name=HA Clustering

Install packages:

# yum install pacemaker corosync crmsh -y

2. Configure corosync

Using configuration files below if you need broadcast:

service {
    # Load the Pacemaker Cluster Resource Manager
    ver: 0
    name: pacemaker
    use_mgmtd: no
    use_logd: no

totem {
        version: 2
        secauth: off
        interface {
                member {
                member {
                ringnumber: 0
                mcastport: 5405
                ttl: 1
        transport: udpu

logging {
        fileline: off
        to_logfile: yes
        to_syslog: yes
        logfile: /var/log/cluster/corosync.log
        debug: off
        timestamp: on
        logger_subsys {
                subsys: AMF
                debug: off

Here’s a sample using multicast:

service {
    # Load the Pacemaker Cluster Resource Manager
    ver: 0
    name: pacemaker
    use_mgmtd: no
    use_logd: no

totem {
        version: 2

        # secauth: Enable mutual node authentication. If you choose to
        # enable this ("on"), then do remember to create a shared
        # secret with "corosync-keygen".
        secauth: off

        threads: 0

        # interface: define at least one interface to communicate
        # over. If you define more than one interface stanza, you must
        # also set rrp_mode.
        interface {
                ringnumber: 0
                mcastport: 5405
                ttl: 1

logging {
        fileline: off
        to_stderr: no
        to_logfile: yes
        logfile: /var/log/cluster/corosync.log
        to_syslog: yes
        debug: off
        timestamp: on
        logger_subsys {
                subsys: AMF
                debug: off

Note that if the ver in the service section of pacemaker is 0, pacemaker will be loaded automatically, or else you will start the pacemaker service manually.

Copy this configuration file to the other host and start the service:

# scp /etc/corosync/corosync.conf root@

# chkconfig corosync on
# service corosync start

# chkconfig corosync on
# service corosync start

3. Configure corosync using crmsh

Add virtual IP to your cluster:

# crm configure
crm(live)configure# primitive vip1 ocf:heartbeat:IPaddr2 params ip= cidr_netmask=24 op monitor interval=10s
crm(live)configure# property stonith-enabled=false # To prevent split-brain
crm(live)configure# property no-quorum-policy=stop # To prevent split-brain
crm(live)configure# commit


crm(live)configure# migrate vip1
crm(live)configure# unmigrate vip1

You will see migrating between these two nodes.

Windows 2008R2 server with AD role built.
User group: owncloudgrp
User in owncloudgrp: aaa, beta
Users must have logon name, first name, last name set.

Configure the owncloud:



User Filter:


Login Filter:


Group Filter:
Every time you change these two sections, wait for a few seconds until more than zero users discovered.


Advanced – Connection Settings:


Advanced – Directory Settings:


Add internal username: sAMAccountName


I need an authentication system with compatibility and many extended features(like bio-device). So, I’ve got AD, IPA and OpenLDAP to choose from. AD comes from MS and it is too “heavy” for the not-very-large system. IPA and OpenLDAP are almost same, but I prefer latter, since it’s compatible with oVirt(This why I choose CentOS rather than debian).

The simplest OpenLDAP server

A basic LDAP without any security or additional features.

OpenLDAP with SASL

Add SASL to our LDAP.


To add Windows PC to our domain.

OpenLDAP with Kerberos

This is what we want finally.

1. The simplest OpenLDAP server

I’ve got 2 ways to setup an openldap server: 389-ds script and manually configure.

1.1 Using 389-ds script

Here’s the original article.


Before setup, this configuration should be modified.
Add following:

Add following:

net.ipv4.tcp_keepalive_time = 30
net.ipv4.ip_local_port_range = 1024 65000
fs.file-max = 64000

Add following:

*    soft    nofile    8192
*    hard    nofile    8192

Add following:

session    required    /lib/security/

Then reboot the machine to make above configurations work.

Setup 389-ds

# useradd ldapadmin
# passwd ldapadmin
# yum install -y 389-ds openldap-clients

Then you’ll see some questions like this(sorry for the high-lighting…):

This program will set up the 389 Directory and Administration Servers.

It is recommended that you have "root" privilege to set up the software.
Tips for using this program:
  - Press "Enter" to choose the default and go to the next screen
  - Type "Control-B" then "Enter" to go back to the previous screen
  - Type "Control-C" to cancel the setup program

Would you like to continue with set up? [yes]:   ## Press Enter ## 

Your system has been scanned for potential problems, missing patches,
etc.  The following output is a report of the items found that need to
be addressed before running this software in a production

389 Directory Server system tuning analysis version 23-FEBRUARY-2012.

NOTICE : System is i686-unknown-linux2.6.32-431.el6.i686 (1 processor).

WARNING: 622MB of physical memory is available on the system. 1024MB is recommended for best performance on large production system.

WARNING  : The warning messages above should be reviewed before proceeding.

Would you like to continue? [no]: yes  ## Type Yes and Press Enter ##

Choose a setup type:
   1. Express
       Allows you to quickly set up the servers using the most
       common options and pre-defined defaults. Useful for quick
       evaluation of the products.
   2. Typical
       Allows you to specify common defaults and options.
   3. Custom
       Allows you to specify more advanced options. This is 
       recommended for experienced server administrators only.
To accept the default shown in brackets, press the Enter key.

Choose a setup type [2]:  ## Press Enter ##

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form

To accept the default shown in brackets, press the Enter key.

Warning: This step may take a few minutes if your DNS servers
can not be reached or if DNS is not configured correctly.  If
you would rather not wait, hit Ctrl-C and run this program again
with the following command line option to specify the hostname:

Computer name []:     ## Press Enter ##

he servers must run as a specific user in a specific group.
It is strongly recommended that this user should have no privileges
on the computer (i.e. a non-root user).  The setup procedure
will give this user/group some permissions in specific paths/files
to perform server-specific operations.

If you have not yet created a user and group for the servers,
create this user and group using your native operating
system utilities.

System User [nobody]: ldapadmin  ## Enter LDAP user name created above #
System Group [nobody]: ldapadmin

Server information is stored in the configuration directory server.
This information is used by the console and administration server to
configure and manage your servers.  If you have already set up a
configuration directory server, you should register any servers you
set up or create with the configuration server.  To do so, the
following information about the configuration server is required: the
fully qualified host name of the form
.(e.g., the port number
(default 389), the suffix, the DN and password of a user having
permission to write the configuration information, usually the
configuration directory administrator, and if you are using security
(TLS/SSL).  If you are using TLS/SSL, specify the TLS/SSL (LDAPS) port
number (default 636) instead of the regular LDAP port number, and
provide the CA certificate (in PEM/ASCII format).

If you do not yet have a configuration directory server, enter 'No' to
be prompted to set up one.
Do you want to register this software with an existing
configuration directory server? [no]:   ## Press Enter ##

Please enter the administrator ID for the configuration directory
server.  This is the ID typically used to log in to the console.  You
will also be prompted for the password.
Configuration directory server
administrator ID [admin]:   ## Press Enter ##
Password:    ## create password ##
Password (confirm):    ## re-type password ##

The information stored in the configuration directory server can be
separated into different Administration Domains.  If you are managing
multiple software releases at the same time, or managing information
about multiple domains, you may use the Administration Domain to keep
them separate.

If you are not using administrative domains, press Enter to select the
default.  Otherwise, enter some descriptive, unique name for the
administration domain, such as the name of the organization
responsible for managing the domain.

Administration Domain []:   ## Press Enter ##

The standard directory server network port number is 389.  However, if
you are not logged as the superuser, or port 389 is in use, the
default value will be a random unused port number greater than 1024.
If you want to use port 389, make sure that you are logged in as the
superuser, that port 389 is not in use.
Directory server network port [389]:   ## Press Enter ##

Each instance of a directory server requires a unique identifier.
This identifier is used to name the various
instance specific files and directories in the file system,
as well as for other uses as a server instance identifier.

Directory server identifier [server]:  ## Press Enter ##

The suffix is the root of your directory tree.  The suffix must be a valid DN.
It is recommended that you use the dc=domaincomponent suffix convention.
For example, if your domain is,
you should use dc=example,dc=com for your suffix.
Setup will create this initial suffix for you,
but you may have more than one suffix.
Use the directory server utilities to create additional suffixes.

Suffix [dc=lofyer, dc=org]:   ## Press Enter ##


Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and typically has a
bind Distinguished Name (DN) of cn=Directory Manager.
You will also be prompted for the password for this user.  The password must
be at least 8 characters long, and contain no spaces.
Press Control-B or type the word "back", then Enter to back up and start over.
Directory Manager DN [cn=Directory Manager]:   ## Press Enter ##
Password:               ## Enter the password ##
Password (confirm): 

The Administration Server is separate from any of your web or application
servers since it listens to a different port and access to it is

Pick a port number between 1024 and 65535 to run your Administration
Server on. You should NOT use a port number which you plan to
run a web or application server on, rather, select a number which you
will remember and which will not be used for anything else.
Administration port [9830]:   ## Press Enter ##

The interactive phase is complete.  The script will now set up your
servers.  Enter No or go Back if you want to change something.

Are you ready to set up your servers? [yes]:  ## Press Enter ##
Creating directory server . . .
Your new DS instance 'server' was successfully created.
Creating the configuration directory server . . .
Beginning Admin Server creation . . .
Creating Admin Server files and directories . . .
Updating adm.conf . . .
Updating admpw . . .
Registering admin server with the configuration directory server . . .
Updating adm.conf with information from configuration directory server . . .
Updating the configuration for the httpd engine . . .
Starting admin server . . .
output: Starting dirsrv-admin: 
output:                                                    [  OK  ]
The admin server was successfully started.
Admin server was successfully created, configured, and started.
Exiting . . .
Log file is '/tmp/setupo1AlDy.log'

Then make these two services start on startup.

# chkconfig dirsrv on
# chkconfig dirsrv-admin on

With 389-ds scripts, you could use 389-console, please refer to the link above.

1.2 Manually configure

Here’s the original article.

Install the packages

# yum install openldap{,-clients,-servers}

Change the configuration

Delete olcAllows: bind_v2 if you want only v3.
Modify olcIdleTimeout from 0 to 30 if you want close the idle connection for more than 30 seconds.

Before next step, run this command to generate a SHA encrypted password.

# slappasswd
New password:
Re-enter new password:

Then copy the output to your clipboard.

Modify olcSuffix, RootDN, olcRootPW to this:

olcSuffix: dc=lofyer, dc=org
olcRootPW: {SSHA}aW7TYJ3faz13RKsnr3uiCsbgi55RKhW9
RootDN: cn=admin, dc=lofyer, dc=org

Start service

# service slapd start
# chkconfig slpad on

Add rootdn and groups

dn: dc=lofyer,dc=org
objectclass: dcObject
objectclass: organization
o: Lofyer Org
dc: lofyer

dn: ou=People,dc=lofyer,dc=org
objectClass: organizationalUnit
objectClass: top
ou: People

dn: ou=Groups,dc=lofyer,dc=org
objectClass: organizationalUnit
objectClass: top

ou: Groups
dn: cn=admin,dc=lofyer,dc=org
objectclass: organizationalRole
cn: admin

Import the ldif:

# ldapadd -x -D "cn=admin,dc=lofyer,dc=org" -W -f /etc/openldap/schema/
# ldapsearch -x -b 'dc=lofyer,dc=org' '(objectclass=*)'

Create a user

Add following content to user.ldif

dn: uid=demo,ou=People,dc=lofyer,dc=org
objectclass: top
objectclass: person
objectclass: inetOrgPerson
objectclass: organizationalPerson
uid: demo
cn: demo
sn: demo
givenName: demo

Provide a password:

# ldapadd -x -W -D "cn=admin,dc=lofyer,dc=org" -f user.ldif
New password:
Re-enter new password:
Enter LDAP Password:

Add or delete a member from group(myteam)


dn: cn=myteam,ou=Groups,dc=lofyer,dc=org changetype: modify add: member member: uid=user1,ou=People,dc=lofyer,dc=org
# ldapmodify -x -D "cn=admin,dc=lofyer,dc=org" -W -f add.ldif


dn: cn=myteam,ou=Groups,dc=lofyer,dc=org
changetype: modify
delete: member
member: uid=user1,ou=People,dc=lofyer,dc=org
# ldapmodify -x -D "cn=admin,dc=lofyer,dc=org" -W -f delete.ldif


Here’s the original article.


Follow this script.

#Change to the directory and clear out the old certs
cd /etc/openldap/certs
rm -rf *
#This echo statement is actually putting the word “password” (without the quotes) in a temporary password file to help
#automate the process. This will be the password for your certificate. Change this as appropriate
echo "mypassword" > /etc/openldap/certs/password
export PATH=/usr/bin/:$PATH
echo falkdjfdajkasdndwndoqndwapqmhfaksj >> noise.txt

#Associate the password with the certificates which will be generated in the current directory
certutil -N -d . -f /etc/openldap/certs/password
certutil -G -d . -z noise.txt -f /etc/openldap/certs/password

#Generate a CA certificate for the 389 server
certutil -S -n "CA certificate" -s "cn=CACert" -x -t "CT,," -m 1000 -v 120 -d . -z /etc/openldap/certs/noise.txt -f /etc/openldap/certs/password

#anwsers are Y, , Y
#This builds the server cert
certutil -S -n "OpenLDAP Server" -s "" -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d . -z /etc/openldap/certs/noise.txt -f /etc/openldap/certs/password

#This exports the cacert in case you need it
pk12util -d . -o cacert.p12 -n "CA certificate"

#This exports the server-cert which you will need on the windows AD
pk12util -d . -o servercert.p12 -n "OpenLDAP Server"

#This exports the CA cert for ldap clients
certutil -L -d . -n "CA certificate" -a > /etc/openldap/certs/cacert.pem

#Make the files in here readable
chmod 644 *

#Set the system to use LDAPS
sed -i 's/SLAPD_LDAPS=no/SLAPD_LDAPS=yes/g' /etc/sysconfig/ldap

#Add a firewall exception in case the user has not configured their firewall properly
#iptables -I INPUT -m state --state NEW -p tcp --dport 636 -j ACCEPT
#/etc/init.d/iptables save

#Restart slapd to make the changes take effect
#/etc/init.d/slapd restart

I think you should notice that the private key password is “mypassword”.
Then you will get three files: cacert.p12, cacert.pem, servercert.p12.
And, that’s all.

2. Add SASL to OpenLDAP

OKay, we’ll add SASL to our ldap connections.

Install cyrus-sasl package.

# yum install cyrus-sasl-gssapi
# yum install cyrus-sasl-ldap

Hosts:, 2 hard drive disks, two ethernet ports, almost same as ha1

Server host, this is the IP of heartbeat service:


The repos you need in centos

name=Extra Packages for Enterprise Linux 6 - $basearch

[elrepo] Community Enterprise Linux Repository - el6
# yum install drbd84 kmod-drbd84 heartbeat mysql-server


1. Drbd configuration both hosts

Add following content to file: /etc/hosts

Disable selinux and iptables

# sed -i 's/enforcing/permissive/' /etc/selinux/config
# setenforce 0
# chkconfig iptables off
# service iptables stop

Prepare the disk partion

# fdisk /dev/sdb << EOF


Configuration for mysql
# mkdir db
# sed -i 's/datadir=\/var\/lib\/mysql/datadir=\/db/' /etc/my.cnf
Configuration for drbd
file: /etc/drbd.conf

 global {
   minor-count 64;
   usage-count yes;
 common {
   syncer { rate 1000M; }
 resource ha {
   protocol C;
   handlers {
     pri-on-incon-degr "/usr/lib/drbd/; /usr/lib/drbd/; echo b > /proc/sysrq-trigger ; reboot -f";
     pri-lost-after-sb "/usr/lib/drbd/; /usr/lib/drbd/; echo b > /proc/sysrq-trigger ; reboot -f";
     local-io-error "/usr/lib/drbd/; /usr/lib/drbd/; echo o > /proc/sysrq-trigger ; halt -f";
     fence-peer "/usr/lib/heartbeat/drbd-peer-outdater -t 5";
     pri-lost "/usr/lib/drbd/; /usr/lib/drbd/; echo b > /proc/sysrq-trigger ; reboot -f";
     split-brain "/usr/lib/drbd/ root";
     out-of-sync "/usr/lib/drbd/ root";
   startup {
     wfc-timeout 60;
     degr-wfc-timeout 120;
     outdated-wfc-timeout 2;
   disk {
     on-io-error detach;
     fencing resource-only;
   syncer {
     rate 1000M;
   on {
     device /dev/drbd0;
     disk /dev/sdb1;
     meta-disk internal;
   on {
     device /dev/drbd0;
     disk /dev/sdb1;
     meta-disk internal;

Chmod for drbd

 # chgrp haclient /sbin/drbdsetup
 # chmod o-x /sbin/drbdsetup
 # chmod u+s /sbin/drbdsetup
 # chgrp haclient /sbin/drbdmeta
 # chmod o-x /sbin/drbdmeta
 # chmod u+s /sbin/drbdmeta

Resource for drbd

 # modprobe drbd
 # dd if=/dev/zero of=/dev/hdb1 bs=1M count=100
 # drbdadm create-md ha
 # service drbd start
 # chkconfig drbd on 

Watch drbd status

# watch -n 1 service drbd status

You can see that both hosts are Secondary/Secondary.

2. Drbd configuration on one of hosts, like ha1

Make ha1 Primary

 # drbdadm -- --overwrite-data-of-peer primary ha
 # service drbd status

Then you should see Primary and wait for both hosts are UpToDate.
Initialization for Mysql
Make a

# mkfs.ext4 /dev/drbd0
# mount /dev/drbd0 /db
# service mysqld start

Now you should see what you have got in /db, then umount /db, stop mysql-server and make ha1 Secondary.

# service mysqld stop
# umount /dev/drbd0
# drbdadm secondary ha

3. Heartbeat configuration on both hosts

cluster authkey

# (echo -ne "auth 1\n1 sha1 "; dd if=/dev/urandom bs=512 count=1 | openssl md5) > /etc/ha.d/authkeys
# cat /etc/ha.d/authkeys
 auth 1
 1 sha1 71461fc5e160d7846c2f4b524f952128
# chmod 600 /etc/ha.d/authkeys
# scp /etc/ha.d/authkeys node2:/etc/ha.d/

file: /etc/ha.d/

debugfile /var/log/ha-debug
logfile /var/log/ha-log
logfacility local0
autojoin none
ucast eth0
ucast eth1
respawn hacluster /usr/lib64/heartbeat/ipfail
respawn hacluster /usr/lib64/heartbeat/dopd
apiauth dopd gid=haclient uid=hacluster
udpport 694
warntime 5
deadtime 15
initdead 60
keepalive 2
auto_failback off    

The service will be serve on IP
file: /etc/ha.d/haresources drbddisk::ha Filesystem::/dev/drbd0::/db::ext4 mysql

If you just wanna a virtual ip, use this IPaddr::

Add mysql entry to heartbeat
file: /etc/ha.d/resource.d/mysql

. /etc/ha.d/shellfuncs
case "$1" in
  res=`/etc/init.d/mysqld start`
  ha_log $res
  exit $ret
  res=`/etc/init.d/mysqld stop`
  ha_log $res
  exit $ret
  if [[ `ps -ef | grep '[m]ysqld'` > 1 ]]; then
     echo "running"
     echo "stopped"
  echo "Usage: mysqld {start|stop|status}"
  exit 1
exit 0

Add excute permission to it.

# chmod 755 /etc/ha.d/resource.d/mysql 

Add heartbeat service to system

# chkconfig --add heartbeat
# chkconfig heartbeat on
# service heartbeat start

You may need modify order of drbd and heartbeat service.
In /etc/init.d/, the number 85 and 15 represent the order number which the script is to be
run at start up time and shutdown time.
# chkconfig: - 85 15

Test HA