DEV Community: Bidhan Khatri

Inside Linux TCP: From Handshake to Reset or Close

Bidhan Khatri — Mon, 05 Jan 2026 17:28:49 +0000

TCP is the backbone of network communication in Linux systems. It’s a connection-oriented protocol that ensures reliable data exchange between a sender and a receiver over a network. Operating at Layer 4 (the Transport Layer) of the OSI model, TCP guarantees that data is delivered in the correct order and without loss.

Understanding TCP is not just theoretical. It’s critical for real-world troubleshooting. For example, when an application fails to connect, or data transfer stalls, knowing how TCP establishes, maintains, and closes connections helps you pinpoint issues like dropped packets, RSTs, or handshake failures. This insight can save hours when diagnosing network problems, firewall misconfigurations, or application-level errors.

In this post, we’ll explore real-world Linux scenarios using tools such as ncat, ss, and tcpdump to observe TCP connections from start to finish, from SYN to FIN or RST. By understanding the basic concepts of TCP, troubleshooting becomes much faster and more effective.

https://bidhankhatri.com.np/system/inside-linux-tcp/

RabbitMQ Monitoring: Pushing Queue Metrics to Elasticsearch with Python script

Bidhan Khatri — Mon, 15 Dec 2025 17:28:09 +0000

Monitoring RabbitMQ queues is critical for maintaining the health and performance of the RabbitMQ distributed system. This post is about a Python script that will collect the RabbitMQ queue metrics through it’s API and send them to an Elasticsearch in a data stream. I wrote the script so that I can keep the record of consumers nodes history for the queues.

https://bidhankhatri.com.np/system/rabbitmq-queue-monitoring-with-python-script/

Implementing Mutual TLS (mTLS) Authentication with OpenSSL: A Step-by-Step Guide

Bidhan Khatri — Wed, 14 May 2025 18:52:42 +0000

This article explores mutual Transport Layer Security (mTLS) authentication and how OpenSSL can facilitate its implementation. Also known as client-server authentication, mTLS is a robust security mechanism that requires both the client and server to present valid digital certificates before establishing a secure connection. This additional layer of authentication ensures that only trusted entities can access protected resources.

We will set up mutual TLS (mTLS) using two intermediate CAs—one for server certificates and another for client certificates—both signed by the same root CA.

https://bidhankhatri.com.np/system/implementing-mutal-tls-authentication-with-openssl/

Scalable CI/CD with Jenkins and Docker Cloud Agents

Bidhan Khatri — Wed, 14 May 2025 18:50:13 +0000

A Jenkins cloud agent using Docker refers to dynamically provisioning Jenkins build agents (also called slaves or nodes) in Docker containers—typically on demand—rather than using pre-provisioned static nodes. This allows Jenkins to scale efficiently and cleanly by creating isolated environments for each build. Today, I will show you how to configure Docker cloud on Jenkins.

https://bidhankhatri.com.np/system/jenkins-and-docker-cloud-agents/

Unassigned shards in Elasticsearch 7 and 8

Bidhan Khatri — Fri, 28 Jun 2024 16:46:03 +0000

There are multiple reasons why shards might get unassigned, ranging from misconfigured allocation settings to lack of disk space.

To reassign all unassigned shards in Elasticsearch, you can use the following steps:

https://bidhankhatri.com.np/system/unassigned-shards-in-elasticsearch/

Percona XtraDB Multi-Master Replication cluster setup between 3 nodes

Bidhan Khatri — Sun, 02 Jun 2024 03:03:28 +0000

This guide describes the steps to establish a Percona XtraDB Cluster v8.0 among three Ubuntu 22.04 nodes.

Install Percona XtraDB Cluster on all hosts that you are planning to use as cluster nodes and ensure you have root access to the MySQL server on each node. In this setup, Multi-Master replication is implemented.

https://bidhankhatri.com.np/system/percona-xtradb-multi-master-replication-cluster-setup-between-3-nodes/

Site-to-Site VPN between Mikrotik router and Ubuntu 22.04 through strongSwan using IPsec IKEv2

Bidhan Khatri — Sun, 02 Jun 2024 03:02:21 +0000

We will configure a site-to-site IPsec IKEv2 tunnel between the Mikrotik Router and the StrongSwan server. This will enable secure communication between devices connected behind the Mikrotik router and the StrongSwan server.

https://bidhankhatri.com.np/vpn/site-to-site-vpn-between-mikrotik-router-and-ubuntu-22.04-through-strongswan-using-ipsec-ikev2/

Monitor HA Cluster running Pacemaker and Corosync using Prometheus and Grafana using Docker

Bidhan Khatri — Sun, 02 Jun 2024 02:58:57 +0000

We will use Grafana with prometheus in container to monitor High availability cluster running by Pacemaker and Corosync.

Grafana dashboard which we will be using shows the details of a HA cluster running Pacemaker/Corosync. It is built on top of ha_cluster_exporter but it also requires Prometheus node_exporter to be configured on the target nodes, and it also assumes that the target nodes in each cluster are grouped via the job label.

https://bidhankhatri.com.np/monitoring/monitor-ha-cluster-running-pacemakr-and-corosync/

GFS2 Filesystem setup in RHEL8 with Pacemaker and Corosync

Bidhan Khatri — Tue, 18 Jul 2023 12:19:42 +0000

We will configure Pacemaker/Corosync to enable the sharing of a disk between two nodes through the GFS2 clustered filesystem.

https://bidhankhatri.com.np/system/gfs2-filesystem-setup-in-rhel8-with-pacemaker-and-corosync/

SAML Authentication for AWS OpenSearch with Okta and Role mapping

Bidhan Khatri — Tue, 23 May 2023 08:07:35 +0000

We are going to set up IdP-initiated (Okta) SAML authentication for AWS OpenSearch. We will create two Okta groups: "opensearch-admin" and "opensearch-user," and define different roles for OpenSearch.

https://bidhankhatri.com.np/cloud/saml-authentication-for-aws-opensearch-with-okta-and-role-mapping/

Adding custom attributes in Active Directory

Bidhan Khatri — Mon, 25 Jan 2021 02:18:20 +0000

Schema is an Active Directory component, that defines Active Directory database structure. The schema consists of Object Class and Object Attributes. In this article, we will discuss how to modify the Active Directory Schema attribute.

In the Active Directory schema, it is allowed to add custom attributes. In organizations, there are situations where this option is useful. It is most of the time related to application integration requirements with active directory infrastructure.

Schema
The schema is the blueprint for data storage in Active Directory. Each object in Active Directory is an instance of a class in the schema. A user object, for example, exists as an instance of the user class. Attributes define the pieces of information that a class, and thus an instance of that class, can hold. Syntaxes define the type of data that can be placed into an attribute. As an example, if an attribute is defined with a syntax of Boolean, it can store True or False as its value, or it can be null. A null value has an implementation-specific meaning; it could mean True or False depending on the application using the value.

X.500 and OID Namespace
Active Directory is based on LDAP, which was originally based on the X.500 standard created by the ISO (International Organization for Standardization) and ITU (International Telecommunications Union) organizations in 1988.
The X.500 standard specifies that individual object classes in an organization can be uniquely defined using a special identifying process. The process has to be able to take into account the fact that classes can inherit from one another, as well as the potential need for any organization in the world to define and export a class of their own design.
To that end, the X.500 standard defined an Object Identifier (OID) to uniquely identify every schema object. This OID is composed of two parts:

The first part indicates the unique path to the branch holding the object in the X.500 tree-like structure. 
The second part uniquely indicates the object in that branch.

OID notation uses integers for each branch and object, as in the following example OID for an object:
1.3.6.1.4.1.3385.12.497
This uniquely references object 497 in branch 1.3.6.1.4.1.3385.12. The 1.3.6.1.4.1.3385.12 branch is contained in a branch whose OID is 1.3.6.1.4.1.3385, and so on.

Every object and attribute within Active Directory has a unique OID (Object Identifiers). Object Identifiers (OIDs) are unique numeric values (with dotted notations) issued by Microsoft and other issuing authorities to uniquely identify objects within Active Directory. When you plan to add a custom attribute, you have to ensure that the OID that you will use is unique, to avoid any possible conflict with any other object’s OID. Conflict of OID within Active Directory can result in replication issues or in the worst case, data loss.

Planning for Schema Update
Microsoft designed Active Directory to hold the most common objects and attributes we will require. However, organizations need an additional field to store custom attributes that are not available by default in Active Directory. Hence the need for Schema Extension arises.

Before we plan for Schema extension, we should consider the below points:

Schema is common for the entire AD Forest, any change in Schema structure would reflect in the entire forest.
Schema modification cannot be reverted; any new class or attribute that we create in the schema is a permanent addition. We can disable or redefine schema extensions, but we can never remove them completely.
If there is an alternate solution available, we should always consider that. For example, we need a custom field called “Roll Number” in our Active Directory. By default, there is no attribute available called “Roll Number”, but there is an attribute called “Employee ID”. So we should consider if some existing attribute can solve the purpose and if yes we should go for that solution instead of extending schema.
For a large enterprise, we should always involve all stakeholders before we extend the Schema. Also, it should be first deployed in a Test / Dev environment and should be observed for few weeks, before deploying in production.
Active Directory database should be backed up before modifying Schema.
Rather than directly adding a custom attribute in the existing class, we should always create an Auxiliary Class and add the attribute there. Then this Auxiliary Class can be linked to the class where the new attribute is required.
We should always obtain a unique OID, using the script or directly from IANA. Also, we should carefully plan for OID branching. Improper OID branching can lead to a Replication Issue or in the worst case, data loss.
The Schema can be extended only from that Domain Controller which is holding Schema Master FSMO Role. Also, it requires Schema Admin privilege to modify the Schema.
During Schema extension, all Domain Controllers in the forest should be available and there should not be any Replication issue. This is because Active Directory wants to ensure that no other Domain Controller has seized the Schema Master FSMO role, and this Domain Controller (from where we are extending the Scheme is indeed the real Schema Master. So if we have any Domain Controller which is not available but still there in AD database, we may encounter a problem during Schema modification.

Please backup Active Directory Database before you proceed.

In order to create custom attributes:

There are three ways to modify the schema:

Through the Active Directory Schema MMC snap-in,
Using LDIF files
Programmatically using ADSI or LDAP.

We will use the first method, using Active Directory Schema MMC snap-in

Step 1: Login to Schema Master Domain Controller, with Schema Admin privilege.
Step 2: Register Schema Management Snap-in.

The Schema Management MMC snap-in is not available from the Administrative Tools menu, like the other Active Directory snap-ins. To use it, we need to first register the Dynamic Link Library (DLL) file for the snap-in by typing the following command at the command prompt:

regsvr32.exe schmmgmt.dll

Click OK

Step 3: Open the Active Directory Schema MMC

Now, go to MMC and open Active Directory Schema.

Win + r > MMC > File > Add/Remove Snap-in > choose Active Directory Schema > Add > Ok

Step 4: Obtain Unique OID.

Each and every attribute in the active directory schema has a unique OID value. There is a script developed by Microsoft to generate these unique OID valves. It can be found here.

Download that script and execute it through Powershell.
This script Generates an object identifier (OID) using a GUID and the OID prefix 1.2.840.113556.1.8000.2554

When you run a "Generate-OID.ps1" PowerShell script you might get the message saying “Generate-OID.ps1 is not digitally signed. The script will not execute on the system.”
To fix it you have to run the command below to run Set-ExecutionPolicy and change the Execution Policy setting.

Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass

This command sets the execution policy to bypass for only the current PowerShell session after the window is closed, the next PowerShell session will open running with the default execution policy. “Bypass” means nothing is blocked and no warnings, prompts, or messages will be displayed.

Step5: Add new attribute: In my case I’m adding 2 new attributes

secret_key=string

enable2FA=true/false

Rick click on “Attributes” and click on “Create Attribute”. Click “Continue” on the warning message.
Supply all the required values. Select the Syntax very carefully.
If you would like to replicate this attribute to the Global Catalog, then select the option “Replicate this attribute to the Global Catalog”. This would make this attribute searchable from other domains in the same forest, but it would also put some additional load on the global catalog. So do not select this option unless it is not required.
Finally, click “Apply” and “OK”.

Common Name – This is the name of the object. It is only allowed to use letters, numbers and hyphen for the CN.

LDAP Display Name – When object is referring in script, program or command line utility it need to call using the LDAP Display name instead of the Common Name. when you define the CN, it will automatically create the LDAP Display name.

X500 Object ID – Each and every attribute in active directory schema has unique OID value. There is script develop by Microsoft to generate these unique OID valves.

Syntax – It define the storage representation for the object. It is only allowed to use syntaxes defined by Microsoft. One attribute can only associate with one syntax. In below I listed few common used syntaxes in attributes.

Syntax	Description
Boolean	True or False
Unicode String	A large string
Numeric String	String of digits
Integer	32-bit Numeric value
Large Integer	64-bit Numeric value
SID	Security Identifier Value
Distinguished Name	String value to uniquely identify object in AD

As the next step, we need to add it to the user class. In order to do that go to classes container, double click on user class, and click on the attributes tab. In there by clicking the add button can browse and select the newly added attribute from the list.

Add newly created attributes "enable2FA" and "secretKey" to "User class".

Do the same for another attributes "sectetkey"

Now close the "Active Directory Users and Computers" and open again. when you look at the user account we can see the new attribute and we can add the new data to it.

Also, check the second attribute.

You can set values for those attributes and check through PowerShell whether that value is shown or not.

NOTE: If the value of your attribute is empty then that empty attribute will not be shown if you query through powershell or any application but if it has value then it will be reflected.

In PowerShell

Get-ADUser -Identity bdn -Properties *

Get-ADUser -Identity bdn -Properties secretkey,enable2FA

You have successfully added custom attributes to your Active Directory.

References:

FreeRADIUS with the rlm_sql_oracle module

Bidhan Khatri — Wed, 06 Jan 2021 15:43:24 +0000

We are going to build FreeRADIUS version 3.0.21 with ORACLE Module rlm_sql_oracle.

Download ORACLE Instant Client

Visit ORACLE official site and download oracle instant client. For that, you may need to log in. I'm downloading v12.2

Here is the link for oracle instant client. https://www.oracle.com/database/technologies/instant-client/linux-x86-64-downloads.html

mkdir /opt/oracle
cp instantclient-* /opt/oracle/
unzip instantclient-basic-linux.x64-12.2.0.4.0.zip
unzip instantclient-sdk-linux.x64-12.2.0.4.0.zip

Add below lines to file .bash_profile
vim ~/.bash_profile

export ORACLE_HOME=/usr/lib/oracle/12.2/client64
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/opt/oracle/instantclient_12_2

source ~/.bash_profile

Now verify the environment.

env | grep -i oracle

LD_LIBRARY_PATH=/opt/oracle/instantclient_12_2:/usr/local/lib:/usr/local/lib64
ORACLE_HOME=/usr/lib/oracle/12.2/client64

Create a symlink for client shared library libclntsh.so. As, while compiling FreeRADIUS look for that oracle library.

cd /opt/oracl/instantclient_12_2

ln -s libclntsh.so.12.1 libclntsh.so

Download FreeRADIUS

Install dependency first.

yum install libtalloc-devel

wget ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-3.0.21.tar.gz

tar xvf freeradius-server-3.0.21.tar.gz
cd freeradius-server-3.0.21

Compile FreeRADIUS with the below parameters.

./configure --with-oracle-home-dir=/opt/oracle/instantclient_12_2 --with-oracle-lib-dir=/opt/oracle/instantclient_12_2 --with-oracle-include-dir=/opt/oracle/instantclient_12_2/sdk/include

make
make install

Now configure Radius with oracle module.

vim /usr/local/etc/raddb/mods-available/sql

dialect = "oracle"
driver = "rlm_sql_oracle"

## your db credential here.
login = "wifiradius_admin"      
password = "xxxxxxxx"


radius_db = "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=XXX.XXX.XXX.XXX)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=dbname)))"

cd /usr/local/etc/raddb/mods-enabled
ln -s ../mods-available/sql sql

Launch FreeRADIUS in debug mode and if everything looks ok then start the service.

radiusd X

Here, you can see radius module being loaded.

rlm_sql (sql): Driver rlm_sql_oracle (module rlm_sql_oracle) loaded and linked.

systemctl start radiusd

Now your FreeRADIUS service should be running with ORACLE module.