Tuesday, February 21, 2012
Apache LDAP Authentication
This is how to authenticate Microsoft Windows Active Directory users with Apache:
vi /etc/httpd/conf/httpd.conf
Make sure the following 3 lines are NOT commented out (hashed out):
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule auth_basic_module modules/mod_auth_basic.so
Wherever your web directory is, still in /etc/httpd/conf/httpd.conf:
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    Order deny,allow
    Deny from All
    AuthName "AD Username Password please"
    AuthType Basic
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative off
    AuthLDAPUrl "ldap://your_dc_fqdn:389/OU=SOME_OU,DC=yourdomain,DC=com?sAMAccountName?sub?(objectClass=*)" NONE
    AuthLDAPBindDN "CN=your_AD_user,CN=Users,DC=yourdomain,DC=com"
    AuthLDAPBindPassword your_AD_user_password
    Require valid-user
    Satisfy any
</Directory>
vi /etc/openldap/ldap.conf
Comment out (hash out) every existing line in it and add the following line:
REFERRALS off
Restart Apache
/etc/init.d/httpd restart
Now if you go to your web server's root with your browser, you will be prompted for a username and password. If you do have a valid Active Directory user account, you will be authenticated against AD.
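Before restarting Apache it helps to reproduce the lookup by hand. The script below is an added example, not part of the original post: it splits the AuthLDAPUrl above into its parts and prints the ldapsearch command equivalent to the search mod_authnz_ldap performs, which is (&(filter)(attribute=login)); the function names and the login "jsmith" are made up for the example.

```shell
#!/bin/sh
# Added example, not part of the original post: turn an AuthLDAPUrl into the
# equivalent ldapsearch command so the bind DN, base DN, scope and filter can
# be checked from the web server before Apache is restarted.
# mod_authnz_ldap looks a user up with the filter (&(filter)(attribute=login)),
# so that is the filter the printed command uses.

# Escape the characters RFC 4515 reserves in filter values, so a login such
# as "a)(b" cannot change the shape of the filter (mod_authnz_ldap does the same).
ldap_filter_escape() {
    printf '%s' "$1" | sed 's/\\/\\5c/g; s/\*/\\2a/g; s/(/\\28/g; s/)/\\29/g'
}

# ldap_search_cmd URL BIND_DN LOGIN
# URL has the form ldap://host:port/basedn?attribute?scope?filter; missing
# optional parts fall back to mod_authnz_ldap's defaults (uid, sub,
# (objectclass=*)). The command is only printed, never executed.
ldap_search_cmd() {
    url=$1 binddn=$2 login=$3
    rest=${url#ldap://}            # host:port/basedn?attr?scope?filter
    hostport=${rest%%/*}           # your_dc_fqdn:389
    rest=${rest#*/}                # basedn?attr?scope?filter
    # Split on '?' without letting the shell glob the '*' in the filter
    oldifs=$IFS
    IFS='?'; set -f; set -- $rest; set +f; IFS=$oldifs
    base=$1 attr=${2:-uid} scope=${3:-sub} filter=${4:-"(objectclass=*)"}
    filt="(&${filter}(${attr}=$(ldap_filter_escape "$login")))"
    printf 'ldapsearch -x -H ldap://%s -D "%s" -W -b "%s" -s %s "%s" dn %s\n' \
        "$hostport" "$binddn" "$base" "$scope" "$filt" "$attr"
}

# Usage with the placeholders from the httpd.conf above ("jsmith" is a made-up login):
ldap_search_cmd \
    "ldap://your_dc_fqdn:389/OU=SOME_OU,DC=yourdomain,DC=com?sAMAccountName?sub?(objectClass=*)" \
    "CN=your_AD_user,CN=Users,DC=yourdomain,DC=com" jsmith
```

Run the printed command (it prompts for the bind password) and you should get back exactly one DN for a valid login; zero or several results point at a wrong base DN, filter or attribute.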
Monday, February 20, 2012
Bulk User Account Migration - RedHat/CentOS
Here are two scripts to transfer user accounts from one RedHat/CentOS server to another. All home directory files, mail, group settings and passwords stay intact. The first script is executed on the source server and the second script on the destination server:
#!/bin/bash
# Run on Source Server: collect the regular accounts (UID/GID >= UGIDLIMIT, skipping
# nobody/nfsnobody 65534) and copy them with their home directories and mail.
DESTSERVER=<destination_server_ip>
export UGIDLIMIT=500
mkdir -p /root/usersmigrate
awk -v LIMIT=$UGIDLIMIT -F: '($3>=LIMIT) && ($3!=65534)' /etc/passwd > /root/usersmigrate/passwd.mig
awk -v LIMIT=$UGIDLIMIT -F: '($3>=LIMIT) && ($3!=65534)' /etc/group > /root/usersmigrate/group.mig
# Anchor the names (^name:) so that "bob" does not also pull in "bobby"
awk -v LIMIT=$UGIDLIMIT -F: '($3>=LIMIT) && ($3!=65534) {print "^"$1":"}' /etc/passwd | egrep -f - /etc/shadow > /root/usersmigrate/shadow.mig
cp /etc/gshadow /root/usersmigrate/gshadow.mig
scp -rp /root/usersmigrate root@$DESTSERVER:/root/
tar zcvf - /home/ | ssh root@$DESTSERVER 'cd /; tar zxvf - '
tar zcvf - /var/spool/mail/ | ssh root@$DESTSERVER 'cd /; tar zxvf - '
#!/bin/bash
# Run on Destination Server: keep this host's own system accounts and groups
# (UID/GID below UGIDLIMIT, plus nobody/nfsnobody 65534), then append the
# entries migrated from the source server.
export UGIDLIMIT=500
awk -v LIMIT=$UGIDLIMIT -F: '($3<LIMIT) || ($3==65534)' /etc/passwd > /etc/passwdnew
awk -v LIMIT=$UGIDLIMIT -F: '($3<LIMIT) || ($3==65534)' /etc/group > /etc/groupnew
# Anchor the names (^name:) so that "bin" does not also match "binuser"
awk -F: '{print "^"$1":"}' /etc/passwdnew | egrep -f - /etc/shadow > /etc/shadownew
awk -F: '{print "^"$1":"}' /etc/groupnew | egrep -f - /etc/gshadow > /etc/gshadownew
cat /root/usersmigrate/passwd.mig >> /etc/passwdnew
cat /root/usersmigrate/group.mig >> /etc/groupnew
cat /root/usersmigrate/shadow.mig >> /etc/shadownew
# Only the migrated groups' gshadow lines, not the source server's whole gshadow file
awk -F: '{print "^"$1":"}' /root/usersmigrate/group.mig | egrep -f - /root/usersmigrate/gshadow.mig >> /etc/gshadownew
# The new shadow files were created with the default umask; tighten them before they go live
chmod 400 /etc/shadownew /etc/gshadownew
mv -f /etc/passwdnew /etc/passwd
mv -f /etc/groupnew /etc/group
mv -f /etc/shadownew /etc/shadow
mv -f /etc/gshadownew /etc/gshadow
Sunday, February 19, 2012
Asterisk - Registered Useragent Audit
Here is a quick script I put together to get a list of all phones currently registered to our Asterisk box:
#!/bin/bash
# List every registered SIP peer together with the User-Agent string it reported.
# "sip show peers" prints one peer per line as "name/username  host ..."; peers that
# are not registered show "(Unspecified)" as their host and are skipped.
for i in $(asterisk -rx "sip show peers" | grep -av Unspecified | grep -a "/" | grep -a "^[0-9]" | cut -f 1 -d '/')
do
    # "sip show peer <name>" contains a line such as "  Useragent    : SomeVendor Model 1.2.3"
    ua=$(asterisk -rx "sip show peer $i" | grep -a "Useragent" | sed 's/^[^:]*: *//')
    echo "$i,$ua"
done
Saturday, February 18, 2012
FIX OSX Lion Not Resolving DNS Addresses Over VPN
Problem:
While connected to VPN, I was not able to resolve hostnames on the remote site.
Solution: Create a domain resolver file in /etc/resolver named for your domain, for example:
sudo mkdir /etc/resolver
vi /etc/resolver/yourdomain.com
Add the following content and save the file:
# x.x.x.x is your DNS server that resolves hosts on this domain
nameserver x.x.x.x
domain yourdomain.com
port 53
You can create as many custom domain resolver files as needed, one for each domain.
"On-the-Fly" Read-Write Compressed Filesystem
I recently had a problem where SARG (the Squid proxy reporting tool) completely chewed up all root filesystem space, as reports were generated daily and stored under /var/www/html/sarg. Quick solution... I thought this could also come in handy for future reference: an "on-the-fly" read-write compressed filesystem.
I did this on CentOS 5.5:
rpm -Uhv http://apt.sw.be/redhat/el5/en/x86_64/rpmforge/RPMS//rpmforge-release-0.3.6-1.el5.rf.x86_64.rpm
yum -y install squashfs-tools fuse-unionfs
mv /var/www/html/sarg /root/sarg-old
mkdir /var/www/html/sarg
mksquashfs /root/sarg-old /.sarg-compressed.sqfs -check_data
mkdir -p /var/squashed/{ro,rw}
Add the following to /etc/fstab:
/.sarg-compressed.sqfs /var/squashed/ro squashfs loop,ro 0 0
# rw branch layered over the read-only image: new and changed files land in /var/squashed/rw (copy-on-write)
unionfs#/var/squashed/rw=rw:/var/squashed/ro=ro /var/www/html/sarg fuse default_permissions,allow_other,use_ino,nonempty,suid,cow 0 0
mount -a
touch /var/www/html/sarg/test
rm -rf /root/sarg-old
Check that your new fuse filesystem is mounted:
df -h
By doing this, all files written to /var/www/html/sarg are actually being written "inside" /.sarg-compressed.sqfs (the compressed filesystem). Files like text or HTML, as in this instance, are compressed at a massive ratio.
Sunday, February 12, 2012
Mac OS X Lion and Cisco IPSEC VPN Pitfalls
The Mac OS X Lion native VPN client with a Cisco IPSEC EasyVPN server was NOT working properly for me. The problem I faced was that traffic was NOT passed to the remote LAN when connected to the VPN. Split-tunnel and normal EasyVPN setups did NOT work.
1) When presented with a split-tunnel ACL the Apple client will create a proxy pair for each line.
i.e. VPN IP address of A
split ACL of:
permit B
permit C
permit D
You would see an ipsec sa from A to B, A to C, and A to D.
2) When presented with a split-tunnel ACL the Cisco client will create a single ipsec sa:
i.e. A to any
However the client will only route traffic to B, C, D over the tunnel.
This is fine and has no problems when using a crypto map style setup for ezvpn.
However, when you configure the use of dVTI this becomes difficult, because a VTI can only support one ipsec sa built to it. As a result, when the Apple client tries to propose the proxy pair for the A to C entry it is rejected.
This leaves you with two options here:
1) Switch to a tunnel-all configuration
2) Switch back to the crypto map configuration rather than the virtual-template configuration.
Reference: https://supportforums.cisco.com/thread/2095921
I chose to take the "old" crypto map style setup. Here's how I made it work on a Cisco 877 DSL router:
! NAT everything except LAN-to-VPN traffic (route-map NAT selects access-list 111)
ip nat inside source route-map NAT interface Dialer0 overload
route-map NAT permit 10
match ip address 111
exit
access-list 101 remark ----------------------------------------------
access-list 101 remark *****VPN Access-list*****
access-list 101 permit ip 172.16.20.0 0.0.0.255 172.16.40.0 0.0.0.15
!
access-list 111 remark ----------------------------------------------
access-list 111 remark *****DENY Local LAN to VPN Traffic*****
access-list 111 deny ip 172.16.20.0 0.0.0.255 172.16.40.0 0.0.0.15
access-list 111 remark ----------------------------------------------
access-list 111 remark *****PERMIT Networks Internet Access*****
access-list 111 permit ip 172.16.20.0 0.0.0.255 any
access-list 111 permit ip any any
!
! Xauth user and group authentication against the local database
aaa new-model
aaa authentication login userauth local
aaa authorization network groupauth local
! "password 0" keeps the password in clear text in the config; "username myusername secret mypassword" stores a hash instead
username myusername password 0 mypassword
!
! Phase 1 (ISAKMP) policy
crypto isakmp policy 3
encryption 3des
authentication pre-share
group 2
lifetime 86400
exit
! EasyVPN group: pre-shared group key, address pool and split-tunnel ACL 101
crypto isakmp client configuration group my_vpn
key mysecretgroupkey
dns 172.16.20.1 8.8.8.8
domain my.domain
pool my_vpn_pool
acl 101
max-logins 10
max-users 10
save-password
split-dns my.domain
include-local-lan
exit
! Phase 2 (IPsec) transform set and dynamic crypto map
crypto ipsec transform-set my_set esp-3des esp-md5-hmac
exit
crypto dynamic-map dynmap 10
set transform-set my_set
set security-association idle-time 900
reverse-route
exit
crypto map clientmap client authentication list userauth
crypto map clientmap isakmp authorization list groupauth
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
ip local pool my_vpn_pool 172.16.40.2 172.16.40.8
! Apply the crypto map on the outside (DSL) interface
interface Dialer0
ip nat outside
crypto map clientmap
interface vlan1
no autostate
ip nat inside
I have tested this setup with the Mac OS X Lion VPN client and with iPhone iOS 5.0.1. All is working well now. Yeeaay!