Exam 202: Detailed Objectives

This is a required exam for LPI certification Level 2. It covers advanced skills for the Linux professional that are common across all distributions of Linux. Each objective is assigned a weighting value. The weights range roughly from 1 to 10 and indicate the relative importance of each objective. Objectives with higher weights will be covered in the exam with more questions.

Web Services File Sharing Network Client Management E-Mail Services System Security Troubleshooting

There are no updates to the LPI-202 exam in 2012.

Topic 208: Web Services


208.1 Implementing a web server

Weight: 3 Description: Candidates should be able to install and configure a web server. This objective includes monitoring the server's load and performance, restricting client user access, configuring support for scripting languages as modules and setting up client user authentication. Also included is configuring server options to restrict usage of resources. Key Knowledge Areas

Apache 2.x configuration files, terms and utilities Apache log files configuration and content Access restriction methods and files mod_perl and PHP configuration Client user authentication files and utilities Configuration of maximum requests, minimum and maximum servers and clients Terms and Utilities access logs error logs

.htaccess httpd.conf mod_auth htpasswd htgroup apache2ctl httpd

208.2 Maintaining a web server


Weight: 2 Description: Candidates should be able to configure a web server to use virtual hosts, Secure Sockets Layer (SSL) and customise file access. Key Knowledge Areas

SSL configuration files, tools and utilities SSL certificate handling Apache 2.x virtual host implementation (with and without dedicated IP addresses) Using redirect statements in Apache's configuration files to customise file access Terms and Utilities Apache2 configuration files /etc/ssl/* openssl

208.3 Implementing a proxy server


Weight: 2 Description: Candidates should be able to install and configure a proxy server, including access policies, authentication and resource usage. Key Knowledge Areas

Squid 2.x configuration files, terms and utilities Access restriction methods Client user authentication methods

Layout and content of ACL in the Squid configuration files Terms and Utilities squid.conf acl http_access

Topic 209: File Sharing


209.1 SAMBA Server Configuration

Weight: 4 Description: Candidates should be able to set up a SAMBA server for various clients. This objective includes setting up Samba for login clients and setting up the workgroup in which a server participates and defining shared directories and printers. Also covered is configuring a Linux client to use a Samba server. Troubleshooting installations is also tested. Key Knowledge Areas

Samba 3 documentation Samba configuration files Samba tools and utilities Mounting Samba shares on Linux Samba daemons Mapping Windows usernames to Linux usernames User-Level and Share-Level security Terms and Utilities smbd, nmbd smbstatus testparm smbpasswd nmblookup smbclient net /etc/smb/*

/var/log/samba/

209.2 NFS Server Configuration


Weight: 4 Description: Candidates should be able to export filesystems using NFS. This objective includes access restrictions, mounting an NFS filesystem on a client and securing NFS. Key Knowledge Areas

NFS configuration files NFS tools and utilities Access restrictions to certain hosts and/or subnets Mount options on server and client tcpwrappers Terms and Utilities /etc/exports exportfs showmount nfsstat /proc/mounts /etc/fstab rpcinfo mountd portmapper

Topic 210: Network Client Management


210.1 DHCP configuration

Weight: 2 Description: Candidates should be able to configure a DHCP server. This objective includes setting default and per client options, adding static hosts and BOOTP hosts. Also included is configuring a DHCP relay agent and maintaining the DHCP server.

Key Knowledge Areas


DHCP configuration files, terms and utilities Subnet and dynamically-allocated range setup Terms and Utilities dhcpd.conf dhcpd.leases /var/log/daemon.log /var/log/messages arp dhcpd

210.2 PAM authentication


Weight: 3 Description: The candidate should be able to configure PAM to support authentication using various available methods. Key Knowledge Areas

PAM configuration files, terms and utilities passwd and shadow passwords Terms and Utilities /etc/pam.d pam.conf nsswitch.conf pam_unix pam_cracklib pam_limits pam_listfile

210.3 LDAP client usage

Weight: 2 Description: Candidates should be able to perform queries and updates to an LDAP server. Also included is importing and adding items, as well as adding and managing users. Key Knowledge Areas

LDAP utilities for data management and queries Change user passwords Querying the LDAP directory Terms and Utilities ldapsearch ldappasswd ldapadd ldapdelete

Topic 211: E-Mail Services


211.1 Using e-mail servers

Weight: 3 Description: Candidates should be able to manage an e-mail server, including the configuration of e-mail aliases, e-mail quotas and virtual e-mail domains. This objective includes configuring internal e-mail relays and monitoring e-mail servers. Key Knowledge Areas

Configuration files for postfix Basic knowledge of the SMTP protocol, sendmail, and exim Terms and Utilities postfix sendmail /etc/aliases /etc/mail/* /etc/postfix/* /var/spool/mail /var/log/

sendmail emulation layer commands

211.2 Managing Local E-Mail Delivery


Weight: 2 Description: Candidates should be able to implement client e-mail management software to filter, sort and monitor incoming user e-mail. Key Knowledge Areas

procmail configuration files, tools and utilities Usage of procmail on both server and client side Terms and Utilities ~/.procmail /etc/procmailrc procmail mbox and Maildir formats

211.3 Managing Remote E-Mail Delivery


Weight: 2 Description: Candidates should be able to install and configure POP and IMAP daemons. Key Knowledge Areas Courier IMAP and Courier POP configuration Dovecot configuration Terms and Utilities /etc/courier/* dovecot.conf

Topic 212: System Security


212.1 Configuring a router

Weight: 3 Description: Candidates should be able to configure a system to perform network address translation (NAT, IP masquerading) and state its significance in protecting a network. This objective includes configuring port redirection, managing filter rules and averting attacks. Key Knowledge Areas

iptables configuration files, tools and utilities Tools, commands and utilities to manage routing tables. Private address ranges Port redirection and IP forwarding List and write filtering and rules that accept or block datagrams based on source or destination protocol, port and address Save and reload filtering configurations Terms and Utilities /proc/sys/net/ipv4 /etc/services iptables routed

212.2 Securing FTP servers


Weight: 2 Description: Candidates should be able to configure an FTP server for anonymous downloads and uploads. This objective includes precautions to be taken if anonymous uploads are permitted and configuring user access. Key Knowledge Areas

Configuration files, tools and utilities for Pure-FTPd and vsftpd Awareness of ProFTPd Understanding of passive vs. active FTP connections Terms and Utilities vsftpd.conf Pure-FTPd command line

212.3 Secure shell (SSH)


Weight: 2 Description: Candidates should be able to configure and secure an SSH daemon. This objective includes managing keys and configuring SSH for users. Candidates should also be able to forward an application protocol over SSH and manage the SSH login. Key Knowledge Areas

OpenSSH configuration files, tools and utilities Login restrictions for the superuser and the normal users Managing and using server and client keys to login with and without password Usage of XWindow and other application protocols through SSH tunnels Configuration of ssh-agent Usage of multiple connections from multiple hosts to guard against loss of connection to remote host following configuration changes Terms and Utilities

ssh sshd /etc/ssh/sshd_config Private and public key files ~/.ssh/authorized_keys PermitRootLogin PubKeyAuthentication AllowUsers PasswordAuthentication Protocol

212.4 TCP Wrapper


Weight: 1 Description: Candidates should be able to configure TCP Wrapper to allow connections to specified servers only from certain hosts or subnets. Key Knowledge Areas

TCP Wrapper configuration files, tools and utilities inetd configuration files, tools and utilities Terms and Utilities /etc/inetd.conf /etc/hosts.allow /etc/hosts.deny libwrap tcpd

212.5 Security tasks


Weight: 3 Description: Candidates should be able to receive security alerts from various sources, install, configure and run intrusion detection systems and apply security patches and bugfixes. Key Knowledge Areas

Tools and utilities to scan and test ports on a server Locations and organisations that report security alerts as Bugtraq, CERT, CIAC or other sources Tools and utilities to implement an intrusion detection system (IDS) Awareness of OpenVAS Terms and Utilities telnet nmap snort fail2ban nc iptables

Topic 213: Troubleshooting


213.1 Identifying boot stages and troubleshooting bootloaders

Weight: 4 Description: Candidates should be able to determine the cause of errors in loading and usage of bootloaders. GRUB and LILO are the bootloaders of interest. Key Knowledge Areas

boot loader start and hand off to kernel kernel loading hardware initialisation and setup daemon/service initialisation and setup Know the different bootloader install locations on a hard disk or removable device Overwriting standard bootloader options and using bootloader shells Terms and Utilities /boot/ /boot/grub/ GRUB grub-install initrd, initramfs Master boot record /etc/init.d lilo /etc/lilo.conf

213.2 General troubleshooting


Weight: 5 Description: Candidates should be able to identify and correct common boot and run time issues. Key Knowledge Areas

/proc filesystem Various system and daemon log files Content of /, /boot , and /lib/modules Screen output during bootup Kernel syslog entries in system logs (if entry is able to be gained) Tools and utilities to analyse information about the used hardware

Tools and utilities to trace software and their system and library calls Terms and Utilities dmesg /sbin/lspci /usr/bin/lsdev /sbin/lsmod /sbin/modprobe /sbin/insmod /bin/uname strace strings ltrace lsof lsusb

213.3 Troubleshooting system resources


Weight: 5 Description: Candidates should be able to identify, diagnose and repair local system issues when using software from the command line. Key Knowledge Areas

/etc/profile && /etc/profile.d/ /etc/init.d/ /etc/rc.* /etc/sysctl.conf /etc/bashrc /etc/ld.so.conf or other appropriate global shell configuration files Terms and Utilities /bin/ln

/bin/rm /sbin/ldconfig /sbin/sysctl

213.4 Troubleshooting environment configurations


Weight: 5 Description: Candidates should be able to identify common local system and user environment configuration issues and common repair techniques. Key Knowledge Areas

Core system variables init configuration files init start process cron configuration files Login process User-password storage files Determine user group associations SHELL configuration files of bash Analysing which processes or daemons are running Terms and Utilities /etc/ /etc/inittab /etc/rc.local /etc/rc.boot /var/spool/cron/crontabs/ /etc/login.defs /etc/syslog.conf /etc/passwd /etc/shadow /etc/group /sbin/init

/usr/sbin/cron /usr/bin/crontab

Exam 304: Detailed Objectives


The successful completion of this exam entitles candidates to the specialty designation: LPI 304: Virtualization and High Availability

Virtualization Load Balancing Cluster Management Cluster Storage

Topic 330: Virtualization


330.1 Virtualization Concepts and Theory

Weight: 10 Description: Candidates should know and understand the general concepts, theory and terminology of Virtualization. This includes Xen and KVM terminology. Key Knowledge Areas

Terminology Pros and Cons of Virtualization Variations of Virtual Machine Monitors Terms and Utilities Hypervisor HVM (Hardware Virtual Machine) PV (Paravirtualization)

domains emulation and simulation CPU flags

330.2 Xen

Weight: 10 Description: Candidates should be able to install, configure, maintain and troubleshoot Xen installations. Key Knowledge Areas

Terms and Utilities


Xen w/Intel VT Xen w/AMD-V Dom0 DomU GuestOS HostOS xm /etc/xen xmdomain.cfg xentop

330.3 KVM

Weight: 7 Description: Candidates should be able to install, configure, maintain and troubleshoot KVM installations. Key Knowledge Areas

Terms and Utilities


/proc/cpuinfo kernel modules: kvm kvm-intel kvm-amd /etc/kvm/

kvm-qemu kvm_stat kvm networking kvm monitor kvm storage qemu

330.4 Other Virtualization Solutions


Weight: 3 Description: Candidates should have some basic knowledge and experience with alternatives to Xen and KVM. Key Knowledge Areas

Terms and Utilities


OpenVZ VirtualBox

Topic 331: Load Balancing


331.1 Linux Virtual Server

Weight: 5 Description: Candidates should know how to install, configure, maintain and troubleshoot LVS. This includes the configuration and use of keepalived. Key Knowledge Areas

IPVS VRRP keepalived configuration Terms and Utilities ipvsadm syncd LVS-NAT/Tun/DR/LocalNode

connection scheduling algorithms genhash

331.2 HAProxy

Weight: 3 Description: Exam candidates should be able to install, configure, maintain and troubleshoot HAProxy. Key Knowledge Areas

HAProxy Terms and Utilities ACLs load balancing algorithms

331.3 LinuxPMI

Weight: 1 Description: Candidates should understand the concepts of LinuxPMI. Basic experience in the installation of LinuxPMI is also expected. Key Knowledge Areas

kernel patching SSI vs MSI Terms and Utilities linuxPMI

Topic 332: Cluster Management


332.1 Pacemaker

Weight: 5 Description: Candidates should have experience in the installation, configuration, maintenance and troubleshooting of the Pacemaker cluster management set of technologies. This includes the use of heartbeat version 2.

Key Knowledge Areas


Essential cluster configuration resource agents Terms and Utilities crmd PEngine CIB ptest cibadmin crmadmin crm_* resource agents authkeys /usr/lib/heartbeat/ResourceManager /etc/ha.d/

332.2 Advanced Pacemaker


Weight: 3 Description: Candidates should have experience in advanced features of the Pacemaker cluster management set of technologies. This includes the use of OpenAIS and corosync. Key Knowledge Areas

fencing quorum data integrity integration with file systems Terms and Utilities STONITHd OCFS2 ldirectord softdog OpenAIS and corosync

332.3 Red Hat Cluster Suite


Weight: 3 Description: Candidates should have experience in the installation, configuration, maintenance and troubleshooting of the Red Hat Cluster Suite cluster management set of technologies. Key Knowledge Areas

Essential cluster configuration resource agents Terms and Utilities ccs OpenAIS rgmanager /etc/ais/ /etc/corosync/

332.4 Advanced Red Hat Cluster Suite


Weight: 1 Description: Candidates should have experience in advanced features of the Red Hat Cluster Suite cluster management set of technologies. This includes the use and integration with LVS and GFS. Key Knowledge Areas

fencing quorum data integrity integration with file systems integration with LVS Terms and Utilities qdiskd /etc/lvs.cf Piranha

GFS Conga

Topic 333: Cluster Storage


333.1 DRBD

Weight: 3 Description: Candidates are expected to have the experience and knowledge to install, configure, maintain and troubleshoot DRBD devices. This includes integration with Pacemaker and heartbeat. Key Knowledge Areas

Terms and Utilities


w/Pacemaker w/heartbeat

333.2 Global File System and OCFS2


Weight: 3 Description: Candidates should know how to install, maintain and troubleshoot installations using GFS and OCFS2. Key Knowledge Areas

Terms and Utilities


GFS2 Distributed Lock Manager

333.3 Other Clustered File Systems


Weight: 1 Description: Candidates should have an awareness of other clustered filesystems available in a Linux environment. Key Knowledge Areas

Terms and Utilities

Coda AFS GlusterFS

Exam 303: Detailed Objectives


The successful completion of this exam entitles candidates to the specialty designation: LPI 303: Security

Cryptography Access Control Application Security Operations Security Network Security

Topic 320: Cryptography


320.1 OpenSSL

Weight: 4 Description: Candidates should know how to configure and use OpenSSL. This includes creating your own Certificate Authority and issuing SSL certificates for various applications. Key Knowledge Areas

certificate generation key generation SSL/TLS client and server tests Terms and Utilities openssl RSA, DH and DSA SSL X.509 CSR

CRL

320.2 Advanced GPG


Weight: 4 Description: Candidates should know how to use GPG. This includes key generation, signing and publishing to keyservers. Managing multiple private key and IDs is also included. Key Knowledge Areas

GPG encryption and signing private/public key management GPG key servers GPG configuration Terms and Utilities gpg gpgv gpg-agent ~/.gnupg/

320.3 Encrypted Filesystems


Weight: 3 Description: Candidates should be able to set up and configure encrypted filesystems. Key Knowledge Areas LUKS dm-crypt and awareness of CBC, ESSIV, LRW and XTS modes Terms and Utilities dm-crypt cryptmount cryptsetup

Topic 321: Access Control


321.1 Host Based Access Control

Weight: 2 Description: Candidates should be familiar with basic host based access control such as nsswitch configuration, PAM and password cracking. Key Knowledge Areas

PAM and PAM configuration files password cracking nsswitch Terms and Utilities nsswitch.conf john

321.2 Extended Attributes and ACLs


Weight: 5 Description: Candidates are required to understand and know how to use Extended Attributes and Access Control Lists. Key Knowledge Areas

ACLs EAs and attribute classes Terms and Utilities getfacl setfacl getfattr setfattr

321.3 SELinux

Weight: 6 Description: Candidates should have a thorough knowledge of SELinux.

Key Knowledge Areas


SELinux configuration and command line tools TE, RBAC, MAC and DAC concepts and use Terms and Utilities fixfiles/setfiles newrole setenforce/getenforce selinuxenabled semanage sestatus /etc/selinux/ /etc/selinux.d/

321.4 Other Mandatory Access Control Systems


Weight: 2 Description: Candidates should be familiar with other Mandatory Access Control systems for Linux. This includes major features of these systems but not configuration and use. Key Knowledge Areas

SMACK AppArmor Terms and Utilities SMACK AppArmor

Topic 322: Application Security


322.1 BIND/DNS

Weight: 2

Description: Candidates should have experience and knowledge of security issues in use and configuration of BIND DNS services. Key Knowledge Areas

BIND vulnerabilities chroot environments Terms and Utilities TSIG BIND ACLs named-checkconf

322.2 Mail Services


Weight: 2 Description: Candidates should have experience and knowledge of security issues in use and configuration of Postfix mail services. Awareness of security issues in Sendmail is also required but not configuration. Key Knowledge Areas

Postfix security centric configuration securing Sendmail chroot environments Terms and Utilities /etc/postfix/ TLS

322.3 Apache/HTTP/HTTPS

Weight: 2 Description: Candidates should have experience and knowledge of security issues in use and configuration of Apache web services. Key Knowledge Areas

Apache v1 and v2 security centric configuration Terms and Utilities SSL

.htaccess Basic Authentication htpasswd AllowOverride

322.4 FTP

Weight: 1 Description: Candidates should have experience and knowledge of security issues in use and configuration of Pure-FTPd and vsftpd FTP services. Key Knowledge Areas

Pure-FTPd configuration and important command line options vsftpd configuration chroot environments Terms and Utilities SSL/TLS vsftp.conf

322.5 OpenSSH

Weight: 3 Description: Candidates should have experience and knowledge of security issues in use and configuration of OpenSSH SSH services. Key Knowledge Areas

OpenSSH configuration and command line tools OpenSSH key management and access control Awareness of SSH protocol v1 and v2 security issues Terms and Utilities /etc/ssh/ ~/.ssh/ ssh-keygen

ssh-agent ssh-vulnkey

322.6 NFSv4

Weight: 1 Description: Candidates should have experience and knowledge of security issues in use and configuration of NFSv4 NFS services. Earlier versions of NFS are not required knowledge. Key Knowledge Areas

NFSv4 security improvements, issues and use NFSv4 pseudo file system NFSv4 security mechanisms (LIPKEY, SPKM, Kerberos) Terms and Utilities NFSv4 ACLs nfs4acl RPCSEC_GSS /etc/exports

322.7 Syslog

Weight: 1 Description: Candidates should have experience and knowledge of security issues in use and configuration of syslog services. Key Knowledge Areas

syslog security issues chroot environments Terms and Utilities remote syslog servers

Topic 323: Operations Security


323.1 Host Configuration Management

Weight: 2 Description: Candidates should be familiar with the use of RCS and Puppet for host configuration management. Key Knowledge Areas

RCS Puppet Terms and Utilities RCS ci/co rcsdiff puppet puppetd puppetmasterd /etc/puppet/

Topic 324: Network Security


324.1 Intrusion Detection

Weight: 4 Description: Candidates should be familiar with the use and configuration of intrusion detection software. Key Knowledge Areas

Snort configuration, rules and use Tripwire configuration, policies and use Terms and Utilities snort snort-stat /etc/snort/ tripwire twadmin

/etc/tripwire/

324.2 Network Security Scanning


Weight: 5 Description: Candidates should be familiar with the use and configuration of network security scanning tools. Key Knowledge Areas

Nessus configuration, NASL and use Wireshark filters and use Terms and Utilities nmap wireshark tshark tcpdump nessus nessus-adduser/nessus-rmuser nessusd nessus-mkcert /etc/nessus

324.3 Network Monitoring


Weight: 3 Description: Candidates should be familiar with the use and configuration of network monitoring tools. Key Knowledge Areas

Nagios configuration and use ntop Terms and Utilities ntop

nagios nagiostats nagios.cfg and other configuration files

324.4 netfilter/iptables

Weight: 5 Description: Candidates should be familiar with the use and configuration of iptables. Key Knowledge Areas Iptables packet filtering and network address translation Terms and Utilities iptables-save/iptables-restore

324.5 OpenVPN

Weight: 3 Description: Candidates should be familiar with the use of OpenVPN. Key Knowledge Areas OpenVPN configuration and use Terms and Utilities openvpn server and client

Exam 301: Detailed Objectives


Exam 301 is the sole exam for LPIC-3 designation. It tests skills in authentication, troubleshooting, network integration and capacity planning. Capacity planning is the art and science of not running out of resources in the foreseeable future. It's often done informally, by measuring the resources that a program needs, commonly after having just run out of something.

If you make a table of how much CPU, memory and I/O bandwidth a program needs to do some unit of work, you can estimate how much it will need at some higher load in the future. Alternatively, you can use the measurements for sizing a new machine for the program, or for estimating how big a machine will be needed to consolidate your other programs. Informal spreadsheet estimates are often sufficient for simple sizing and future planning, but they do not have any correctness guarantees and they don't tell you at what load the program will be overloaded, nor how much the response time of the program will balloon under load.

For that, you use one of the programs which solve the problem using queuing theory. There are commercial products which will do so on Linux, but at least one free queuing network solver exists, Perl::PDQ by Neil Gunther. These generate proper mathematical models, so you can predict the performance of the program under load, and calculate the drop-off in performance as the program becomes overloaded.

Concepts, Architecture and Design Installation and Development Configuration Usage Integration and Migration Capacity Planning

Topic 301: Concepts, Architecture and Design


301.1 LDAP Concepts and Architecture

Weight: 3 Description: Candidates should be familiar with LDAP and X.500 concepts. Key Knowledge Areas LDAP and X.500 technical specification Attribute definitions Directory namespaces Distinguished names LDAP Data Interchange Format Meta-directories Changetype operations Terms and Utilities

LDIF Meta-directory changetype X.500 /var/lib/ldap/*

301.2 Directory Design


Weight: 2 Description: Candidates should be able to design and implement an LDAP directory, while planning an appropriate Directory Information Tree to avoid redundancy. Candidates should have an understanding of the types of data which are appropriate for storage in an LDAP directory. Key Knowledge Areas

Define LDAP directory content Organize directory Planning appropriate Directory Information Trees Terms and Utilities Class of Service Directory Information Tree Distinguished name Container

301.3 Schemas

Weight: 3 Description: Candidates should be familiar with schema concepts, and the base schema files included with an OpenLDAP installation. Key Knowledge Areas

LDAP schema concepts Create and modify schemas Attribute and object class syntax Terms and Utilities

Distributed schema Extended schema Object Identifiers /etc/ldap/schema/* Object class Attribute include directive

Topic 302: Installation and Development


302.1 Compiling and Installing OpenLDAP

Weight: 3 Description: Candidates should be able to compile and install OpenLDAP from source and from packages. Key Knowledge Areas

Compile and configure OpenLDAP from source Knowledge of OpenLDAP backend databases Manage OpenLDAP daemons Troubleshoot errors during installation Terms and Utilities make gpg rpm dpkg bdb slapd slurpd

302.2 Developing for LDAP with Perl/C++

Weight: 2 Description: Candidates should be able to write basic Perl scripts to interact with an LDAP directory. Key Knowledge Areas

Syntax of Perl's Net::LDAP module Write Perl scripts to bind, search, and modify directories Terms and Utilities Net::LDAP Perl C++

Topic 303: Configuration


303.1 Access Control Lists in LDAP

Weight: 2 Description: Candidates should be able to plan and implement access control lists. Key Knowledge Areas Plan LDAP access control lists Grant and revoke LDAP access permissions Access control syntax Terms and Utilities ACL slapd.conf anonymous users self none auth compare search

read write

303.2 LDAP Replication


Weight: 5 Description: Candidates should be familiar with the various replication strategies available with OpenLDAP. Key Knowledge Areas

Replication concepts Configure OpenLDAP replication Execute and manage slurpd Analyze replication log files Understand replica hubs LDAP referrals LDAP sync replication Terms and Utilities slurpd slapd.conf master / slave server consumer replica hub one-shot mode referral syncrepl refreshOnly and refreshAndPersist replog pull-based / push-based synchronization

303.3 Securing the Directory

Weight: 4 Description: Candidates should be able to configure encrypted access to the LDAP directory, and restrict access at the firewall level. Key Knowledge Areas

Securing the directory with SSL and TLS Firewall considerations Unauthenticated access methods User / password authentication methods Maintenance of SASL user DB Client / server certificates Terms and Utilities SSL / TLS Security Strength Factors (SSF) SASL proxy authorization StartTLS slapd.conf iptables

303.4 LDAP Server Performance Tuning


Weight: 2 Description: Candidates should be capable of measuring the performance of an LDAP server, and tuning configuration directives. Key Knowledge Areas

Measure LDAP performance Tune software configuration to increase performance Understand indexes Terms and Utilities index slapd.conf DB_CONFIG

303.5 OpenLDAP Daemon Configuration


Weight: 2 Description: Candidates should have knowledge of the common slapd.conf configuration directives, and be familiar with the basic slapd command line options. Key Knowledge Areas

slapd.conf configuration directives slapd.conf database definitions slapd and its command line options Analyze slapd log files Terms and Utilities slapd.conf slapd /var/lib/ldap/* loglevel

Topic 304: Usage


304.1 Searching the Directory

Weight: 2 Description: Candidates should be able to use advanced options for searching the LDAP directory. Key Knowledge Areas

Use OpenLDAP search tools with basic options Use OpenLDAP search tools with advanced options Optimize LDAP search queries Knowledge of search filters and their syntax Terms and Utilities ldapsearch index search filter syntax

slapd.conf

304.2 LDAP Command Line Tools


Weight: 4 Description: Candidates should be familiar with the OpenLDAP command line tools. Key Knowledge Areas Use the ldap* tools to access and modify the directory Use the slap* tools to access and modify the directory Terms and Utilities ldap.conf ldapsearch ldapadd ldapmodify ldapdelete ldapmodrdn slapindex slapadd slapcat

304.3 Whitepages

Weight: 1 Description: Candidates should be able to build and maintain a whitepages service. Key Knowledge Areas Plan whitepages services Configure whitepages services Configure clients to retrieve data from whitepages services Terms and Utilities whitepages Outlook

Topic 305: Integration and Migration


305.1 LDAP Integration with PAM and NSS

Weight: 2 Description: Candidates should be able to configure PAM and NSS to retrieve information from an LDAP directory. Key Knowledge Areas

Configure PAM to use LDAP for authentication Configure NSS to retrieve information from LDAP Configure PAM modules in various Unix environments Terms and Utilities PAM NSS /etc/pam.d/* /etc/nsswitch.conf

305.2 NIS to LDAP Migration


Weight: 1 Description: Candidates should be able to plan and implement a NIS migration strategy, including a NIS to LDAP gateway. Key Knowledge Areas

Analyze NIS structure prior to migration to LDAP Analyze NIS structure prior to integration with LDAP Automate NIS to LDAP migration Create a NIS to LDAP gateway Terms and Utilities NIS NIS to LDAP gateway slapd.conf /etc/yp/*

305.3 Integrating LDAP with Unix Services


Weight: 1 Description: Candidates should be able to integrate LDAP authentication with a number of common Unix services. Key Knowledge Areas

Integrate SSH with LDAP Integrate FTP with LDAP Integrate HTTP with LDAP Integrate FreeRADIUS with LDAP Integrate print services with LDAP Terms and Utilities sshd.conf ftp httpd.conf radiusd.conf cupsd.conf ldap.conf

305.4 Integrating LDAP with Samba


Weight: 2 Description: Candidates should be able to integrate LDAP with Samba services. Key Knowledge Areas Migrate from smbpasswd to LDAP Understand OpenLDAP Samba schema Understand LDAP as a Samba password backend Terms and Utilities smb.conf smbpasswd samba3.schema

slapd.conf

305.5 Integrating LDAP with Active Directory


Weight: 2 Description: Candidates should be able to integrate LDAP with Active Directory Services. Key Knowledge Areas Kerberos integration with LDAP Cross platform authentication Single sign-on concepts Integration and compatibility limitations between OpenLDAP and Active Directory Terms and Utilities Kerberos Active Directory single sign-on DNS

305.6 Integrating LDAP with Email Services


Weight: 1 Description: Candidates should be able to integrate LDAP with email services. Key Knowledge Areas Plan LDAP schema structure for email services Create email attributes in LDAP Integrate Postfix with LDAP Integrate Sendmail with LDAP Terms and Utilities Postfix Sendmail schema SASL POP IMAP

Topic 306: Capacity Planning


306.1 Measure Resource Usage

Weight: 4 Description: Candidates should be able to measure hardware resources and network bandwidth usage. Key Knowledge Areas

Measure CPU usage Measure memory usage Measure disk I/O Measure network I/O Measure firewalling and routing throughput Map client bandwidth usage Terms and Utilities iostat vmstat pstree w lsof top uptime sar

306.2 Troubleshoot Resource Problems


Weight: 4 Description: Candidates should be able to identify and troubleshoot resource problems. Key Knowledge Areas

Match / correlate system symptoms with likely problems Identify bottlenecks in a system Terms and Utilities swap processes blocked on I/O blocks in blocks out

306.3 Analyze Demand


Weight: 2 Description: Candidates should be able to analyze capacity demands. Key Knowledge Areas Identify capacity demands Detail capacity needs of programs Determine CPU / memory needs of programs Assemble program needs into a complete analysis Terms and Utilities PDQ CPU usage memory usage appropriate measurement time trend model what-if validate performance equation

306.4 Predict Future Resource Needs

Weight: 2 Description: Candidates should be able to monitor resource usage to predict future resource needs. Key Knowledge Areas

Predict capacity break point of a configuration Observe growth rate of capacity usage Graph the trend of capacity usage Terms and Utilities diagnose predict growth average resource exhaustion

Exam 302: Detailed Objectives


The successful completion of this exam entitles candidates to the specialty designation: LPI 302: Mixed Environments

Concepts, Architecture and Design Installation and Development Configuration User and Group Management Working with CIFS, NetBIOS, and Active Directory Security and Performance

Topic 310: Concepts, Architecture and Design


310.1 Concepts

Weight: 1 Description: Candidates should be familiar with the fundamental concepts surrounding SMB/CIFS, file sharing and print services in a mixed environment. Key Knowledge Areas

Understand SMB/CIFS concepts Understand file sharing concepts Understand print services concepts Terms and Utilities SMB CIFS smb.conf

310.2 Samba Roles


Weight: 1 Description: Candidates should be aware of Samba's security modes, and the key roles of the Samba daemons. Key Knowledge Areas

Understand Samba security modes Identify roles of core Samba daemons Manage Samba daemons Terms and Utilities User Level Security Share Level Security Domain Security Mode ADS Security Mode smb.conf smbd nmbd winbindd smbcontrol

310.3 Trivial Database Files

Weight: 2 Description: Candidates should understand the structure of trivial database files and know how to troubleshoot problems. Key Knowledge Areas

Backup TDB files Restore TDB files Identify TDB file corruption Edit / list TDB file content Terms and Utilities pdbedit secrets.tdb tdbbackup tdbdump tdbtool smbpasswd

Topic 311: Installation and Development


311.1 Compile and Install Samba

Weight: 1 Description: Configure and Build From Source. Key Knowledge Areas Identify key Samba packages and content Identify and resolve dependencies Describe Samba software structure Knowledge of common Samba compilation options Terms and Utilities gzip gpg make

311.2 Install and Upgrade Samba

Weight: 1 Description: Candidates should be able to install and upgrade Samba from source and from packages. Key Knowledge Areas

Install Samba from packages Install Samba from source Upgrade Samba Terms and Utilities gpg dpkg rpm

Topic 312: Configuration


312.1 Configure Samba

Weight: 6 Description: Candidates should be able to configure the Samba daemons for a wide variety of purposes. Key Knowledge Areas

Knowledge of Samba server configuration file structure Knowledge of Samba variables and configuration parameters Identify key TCP/UDP ports used with SMB/CIFS Configure Samba logging Troubleshoot and debug problems with Samba Terms and Utilities smb.conf parameters smb.conf variables /etc/services /var/log/samba/* log level debuglevel testparm smbtar strace

312.2 File Services


Weight: 4 Description: Candidates should be able to create and configure file shares in a mixed environment. Key Knowledge Areas

Create and configure file sharing Plan file service migration Hide IPC$ Create scripts for user and group handling of file shares Terms and Utilities smb.conf [homes] browseable, writeable, valid users IPC$ mount, smbmount smbcquotas smbsh

312.3 Print Services


Weight: 2 Description: Candidates should be able to create and manage print shares in a mixed environment. Key Knowledge Areas

Create and configure printer sharing Configure integration between Samba and CUPS Manage Windows print drivers and configure downloading of print drivers Configure [print$] Understand security concerns with printer sharing Setup and manage print accounting Terms and Utilities smb.conf [print$] CUPS cupsd.conf /var/spool/samba print accounting smbprngenpdf smbspool

312.4 Domain Control


Weight: 4 Description: Candidates should be able to setup and maintain primary and backup domain controllers, and manage Windows/Linux clients' access to the domain. Key Knowledge Areas

Understand domain membership Create and maintain a primary domain controller Create and maintain a backup domain controller Add computers to an existing domain Configure logon scripts Configure roaming profiles Configure system policies Terms and Utilities primary domain controller backup domain controller domain membership roaming profiles system policies logon scripts Active Directory LDAP trust relationships

312.5 SWAT Configuration


Weight: 1 Description: Candidates should be able to install and configure the Samba web administration tool, and be comfortable with configuring changes to Samba within it. Key Knowledge Areas

Knowledge of SWAT features Install and configure SWAT Configure the Samba server via the SWAT interface Terms and Utilities smb.conf /usr/sbin/swat internationalization SSL SWAT wizard

312.6 Internationalization

Weight: 1 Description: Candidates should be able to work with internationalization character codes and code pages. Key Knowledge Areas

Understand internationalization character codes and code pages Patch and build appropriate code conversion libraries Understand the difference in the name space between Windows and Linux/Unix with respect to user and group naming in a non-English environment Understand the difference in the name space between Windows and Linux/Unix with respect to computer naming in a non-English environment Terms and Utilities internationalization character codes code pages smb.conf code conversion libraries

Topic 313: User and Group Management


313.1 Managing User Accounts and Groups

Weight: 4 Description: Candidates should be able to manage user and group accounts in a mixed environment. Key Knowledge Areas

Manage user and group accounts Understand user and group mapping Knowledge of user account management tools Use of the smbpasswd program Force ownership of file and directory objects Terms and Utilities smb.conf /usr/bin/smbpasswd /etc/passwd /etc/group force user, force group idmap

313.2 Authentication and Authorization

Weight: 8 Description: Candidates should understand the various authentication mechanisms and configure access control. Key Knowledge Areas

Setup a local password database Knowledge of the smbpasswd file format Perform password synchronization Knowledge of alternative backend storage for passwords Integrate Samba with LDAP Understand access control lists Terms and Utilities smb.conf smbpasswd passdb backend security mask PAM NSS password synchronization LDAP

313.3 Winbind

Weight: 2 Description: Candidates should be able to install and configure the Winbind service. Key Knowledge Areas Install Winbind Configure Winbind Terms and Utilities smb.conf winbindd PAM NSCD SID /etc/passwd /etc/group foreign SID

Topic 314: Working with CIFS, NetBIOS, and Active Directory


314.1 CIFS Integration

Weight: 3 Description: Candidates should be comfortable working with CIFS in a mixed environment. Key Knowledge Areas Understand SMB/CIFS concepts Mount remote CIFS shares from a Linux client Understand features and benefits of CIFS Terms and Utilities SMB CIFS mount, smbmount smbclient smb.conf /etc/fstab

314.2 NetBIOS and WINS


Weight: 7 Description: Candidates should be familiar with NetBIOS/WINS concepts and understand network browsing. Key Knowledge Areas

Understand WINS concepts Understand NetBIOS concepts Understand the role of a local master browser Understand the role of a domain master browser Understand the role of Samba as a WINS server Understand name resolution Configure Samba as a WINS server Configure WINS replication Understand NetBIOS browsing, service announcements and elections Terms and Utilities NetBIOS WINS local master browser domain master browser service announcements elections node types smbclient findsmb name resolve order lmhosts smbtree

314.3 Integrating with Active Directory


Weight: 2 Description: Candidates should be able to integrate Linux servers into an environment where Active Directory is present. Key Knowledge Areas

List remove Active Directory / LDAP users Configure Samba in ADS security mode Knowledge of the DNS requirements for Active Directory Terms and Utilities Active Directory ADS Security Mode DNS LDAP Windows' net command Kerberos domain smb.conf smbcacls

314.4 Working with Windows Clients


Weight: 4 Description: Candidates should be able to interact with remote Windows clients, and configure Windows workstations to access file and print services from Linux servers. Key Knowledge Areas

Knowledge of Windows clients Explore browse lists and SMB clients from Windows Share file / print resources from Windows Use of the smbclient program Use of the Windows net utility Terms and Utilities Windows' net command smbclient mount, smbmount control panel rdesktop workgroup smbget

Topic 315: Security and Performance


315.1 Linux File System and Share/Service Permissions

Weight: 3 Description: Candidates should understand file permissions on a Linux file system in a mixed environment. Key Knowledge Areas

Knowledge of file / directory permission control Understand how Samba interacts with Linux file system permissions Terms and Utilities smb.conf chmod chown mount, smbmount create mask directory mask

315.2 Samba Security


Weight: 2 Description: Candidates should be able to secure Samba at both the firewall level, and the Samba daemons themselves. Key Knowledge Areas

Configure access to and from a Samba server at the firewall level Configure security-related parameters in the smb.conf file Terms and Utilities iptables smb.conf /etc/services security modes

315.3 Performance Tuning


Weight: 1 Description: Candidates should be able to cluster services for load balancing and high availability purposes, and tune Samba settings for better server and network performance. Key Knowledge Areas

Measure Samba performance Optimize Samba memory usage Improve file transfer speed in a SMB/CIFS environment Terms and Utilities smb.conf 'max *' parameters netstat smbstatus socket options
