Tuesday, February 21, 2012

Apache LDAP Authentication

This is how to authenticate Microsoft Windows Active Directory users with Apache:

vi /etc/httpd/conf/httpd.conf

Make sure the following three lines are NOT commented out:

LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule auth_basic_module modules/mod_auth_basic.so

Then, still in /etc/httpd/conf/httpd.conf, add the following to the Directory block for your web root (here /var/www/html):
<Directory "/var/www/html">

    Options Indexes FollowSymLinks
    # Deny everybody by host; with "Satisfy any" below, a successful login is the only way in
    Order deny,allow
    Deny from All
    AuthName "AD Username Password please"
    AuthType Basic
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative off
    # Plain ldap:// on 389 with NONE sends the bind password and every user's password across
    # the network in cleartext. Prefer ldaps://your_dc_fqdn:636/... with SSL (or keep 389 and
    # use TLS for STARTTLS) and point LDAPTrustedGlobalCert at the CA certificate of your DC.
    AuthLDAPUrl "ldap://your_dc_fqdn:389/OU=SOME_OU,DC=yourdomain,DC=com?sAMAccountName?sub?(objectClass=*)" NONE
    # Use a dedicated, read-only AD account here: this password sits in cleartext in httpd.conf,
    # so keep the file readable by root only
    AuthLDAPBindDN "CN=your_AD_user,CN=Users,DC=yourdomain,DC=com"
    AuthLDAPBindPassword your_AD_user_password
    Require valid-user
    Satisfy any

</Directory>
vi /etc/openldap/ldap.conf

Comment out everything in it and add the following line:

REFERRALS off

Active Directory answers searches with referrals to partitions it does not hold (for example the DomainDnsZones naming context); if the OpenLDAP client library that mod_ldap uses chases them, the follow-up lookup fails (typically with an "Operations error" or an unresolvable referral host) and Apache rejects the login, so referral chasing has to be switched off.

Restart Apache
/etc/init.d/httpd restart

Now if you browse to your web server's root you will be prompted for a username and password, and a valid Active Directory account gets you in. Two things to keep in mind: Basic authentication only base64-encodes the password, so serve the site over HTTPS, and the LDAP leg should be encrypted as well (ldaps:// or TLS), otherwise every login crosses the network in the clear twice. On Apache 2.4 the AuthzLDAPAuthoritative directive no longer exists and the Order/Deny/Satisfy lines are replaced by the Require directive alone.
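A quick way to catch the weak spots in the configuration above before it goes live is to scan httpd.conf for them. The script below is an added example and is not part of the original post or of Apache: it reads the file and reports an AuthLDAPUrl that uses plain ldap:// without the TLS or STARTTLS keyword, a (objectClass=*) filter, and a bind password kept as a literal in the file. The two sample configurations it embeds are constructed to mirror the block above (the hostname, OU and account are placeholders, not a real domain), and the hardened variant shows the settings that make the checks pass.

```shell
#!/bin/sh
# check_ldap_auth CONF
# Scans an httpd.conf for mod_authnz_ldap settings that expose credentials.
# Prints one finding per line (file:line: message) and returns 1 if anything was found.
check_ldap_auth() {
    findings=$(awk '
        # AuthLDAPUrl "ldap://host:389/base?attr?scope?filter" [NONE|SSL|TLS|STARTTLS]
        $1 == "AuthLDAPUrl" {
            url = $2; gsub(/"/, "", url)
            mode = "NONE"
            if ($NF == "SSL" || $NF == "TLS" || $NF == "STARTTLS") mode = $NF
            if (url ~ /^ldap:\/\// && mode == "NONE")
                print FILENAME ":" NR ": " url " with " mode " sends the bind password and every user password in cleartext; use ldaps:// with SSL, or add TLS for STARTTLS"
            if (url ~ /\(objectClass=\*\)/)
                print FILENAME ":" NR ": filter (objectClass=*) matches any object under the base; (objectClass=user) is tighter"
        }
        # A literal bind password is readable by everyone who can read the config
        $1 == "AuthLDAPBindPassword" && $2 !~ /^exec:/ {
            print FILENAME ":" NR ": bind password stored as a literal; keep the file root-only (mode 0600) and use a read-only AD account (Apache 2.4.5+ can fetch it from exec:/path/to/program instead)"
        }
    ' "$1")
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Constructed sample mirroring the block in the post (placeholders, not a real DC)
sample_config() {
cat <<'EOF'
<Directory "/var/www/html">
    AuthType Basic
    AuthBasicProvider ldap
    AuthLDAPUrl "ldap://your_dc_fqdn:389/OU=SOME_OU,DC=yourdomain,DC=com?sAMAccountName?sub?(objectClass=*)" NONE
    AuthLDAPBindDN "CN=your_AD_user,CN=Users,DC=yourdomain,DC=com"
    AuthLDAPBindPassword your_AD_user_password
    Require valid-user
</Directory>
EOF
}

# The same block after applying the fixes the findings ask for (hypothetical paths)
hardened_config() {
cat <<'EOF'
<Directory "/var/www/html">
    AuthType Basic
    AuthBasicProvider ldap
    AuthLDAPUrl "ldaps://your_dc_fqdn:636/OU=SOME_OU,DC=yourdomain,DC=com?sAMAccountName?sub?(objectClass=user)" SSL
    AuthLDAPBindDN "CN=your_AD_user,CN=Users,DC=yourdomain,DC=com"
    AuthLDAPBindPassword exec:/etc/httpd/ldap-bind-password.sh
    Require valid-user
</Directory>
EOF
}

# Run against a real file: sh check_ldap_auth.sh /etc/httpd/conf/httpd.conf
if [ $# -gt 0 ]; then
    check_ldap_auth "$1"
fi
```

Run it against the sample and it prints three findings and exits 1; against the hardened block it prints nothing and exits 0. The checks are deliberately string-level (awk on the directive names), so a directive split across lines with a backslash or set in a separate included file is not seen; run it over every file Apache loads.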

Monday, February 20, 2012

Bulk User Account Migration - RedHat/CentOS

Here are two scripts to transfer user accounts from one RedHat/CentOS server to another. All home directory files, mail, group settings and passwords stay intact. The first script is run on the source server and the second on the destination server, both as root. The staging directory holds password hashes (shadow.mig and gshadow.mig), so it is created root-only here and should be deleted on both machines once the migration is verified:
#!/bin/bash
#Run on Source Server
# Collects every non-system account (UID/GID >= UGIDLIMIT, except nfsnobody 65534)
# and copies it, with home directories and mail spools, to the destination.

DESTSERVER="<destination_server_ip>"
export UGIDLIMIT=500
mkdir -p /root/usersmigrate
chmod 700 /root/usersmigrate   # shadow.mig holds password hashes

awk -v LIMIT=$UGIDLIMIT -F: '($3>=LIMIT) && ($3!=65534)' /etc/passwd > /root/usersmigrate/passwd.mig
awk -v LIMIT=$UGIDLIMIT -F: '($3>=LIMIT) && ($3!=65534)' /etc/group > /root/usersmigrate/group.mig
# Anchor each name as ^name: so that "bob" cannot also match "bobby" or a fragment of a hash
awk -F: '{print "^" $1 ":"}' /root/usersmigrate/passwd.mig | grep -E -f - /etc/shadow > /root/usersmigrate/shadow.mig
awk -F: '{print "^" $1 ":"}' /root/usersmigrate/group.mig | grep -E -f - /etc/gshadow > /root/usersmigrate/gshadow.mig

scp -rp /root/usersmigrate root@$DESTSERVER:/root/

tar zcvf - /home/ | ssh root@$DESTSERVER 'cd /; tar zxvf - '
tar zcvf - /var/spool/mail/ | ssh root@$DESTSERVER 'cd /; tar zxvf - '

#!/bin/bash
#Run on Destination Server
# Keeps this server's own system accounts (UID/GID < UGIDLIMIT, plus nfsnobody 65534,
# which the source script deliberately left out) and appends the migrated ones.
# The four files are replaced in place, so they are backed up first.

export UGIDLIMIT=500
MIG=/root/usersmigrate

for f in passwd group shadow gshadow; do cp -p /etc/$f /etc/$f.premigrate; done

awk -v LIMIT=$UGIDLIMIT -F: '($3<LIMIT) || ($3==65534)' /etc/passwd > /etc/passwdnew
awk -v LIMIT=$UGIDLIMIT -F: '($3<LIMIT) || ($3==65534)' /etc/group > /etc/groupnew
awk -F: '{print "^" $1 ":"}' /etc/passwdnew | grep -E -f - /etc/shadow > /etc/shadownew
awk -F: '{print "^" $1 ":"}' /etc/groupnew | grep -E -f - /etc/gshadow > /etc/gshadownew

cat $MIG/passwd.mig >> /etc/passwdnew
cat $MIG/group.mig >> /etc/groupnew
cat $MIG/shadow.mig >> /etc/shadownew
cat $MIG/gshadow.mig >> /etc/gshadownew

mv -f /etc/passwdnew /etc/passwd
mv -f /etc/groupnew /etc/group
mv -f /etc/shadownew /etc/shadow
mv -f /etc/gshadownew /etc/gshadow

# The new files were created with the default umask, which would leave the hashes
# world-readable: put shadow/gshadow back to root-only, restore the SELinux labels,
# then let pwck/grpck report anything inconsistent.
chmod 644 /etc/passwd /etc/group
chmod 400 /etc/shadow /etc/gshadow
restorecon /etc/passwd /etc/group /etc/shadow /etc/gshadow
pwck -r; grpck -r
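After the destination script has swapped the files in, it is worth confirming that they still agree with one another before anyone logs out: pwck and grpck cover part of this, and the script below, an added example that is not part of the original post, does the cross-file checks in one pass. It reports users with no shadow entry, shadow entries with no matching user, duplicate names or UIDs, and a primary GID that does not exist in group, which are exactly the things a partial append or a mis-anchored grep leaves behind. The sample files it writes are constructed for the demo and contain no real hashes.

```shell
#!/bin/sh
# verify_accounts PASSWD SHADOW GROUP
# Cross-checks the merged account files. Prints one line per problem, returns 1 if any.
# Run on the destination as: sh verify_accounts.sh /etc/passwd /etc/shadow /etc/group
verify_accounts() {
    problems=$(awk -F: '
        FILENAME == ARGV[1] {                              # passwd: name:x:uid:gid:...
            if ($1 in uid_of) print "duplicate user " $1
            if (($3 in name_of) && name_of[$3] != $1) print "uid " $3 " shared by " name_of[$3] " and " $1
            uid_of[$1] = $3; name_of[$3] = $1
            primary_gid[$1] = $4
            next
        }
        FILENAME == ARGV[2] { in_shadow[$1] = 1; next }    # shadow: name:hash:...
        FILENAME == ARGV[3] { gid_exists[$3] = 1 }         # group:  name:x:gid:members
        END {
            for (u in uid_of)    if (!(u in in_shadow)) print "user " u " has no shadow entry"
            for (u in in_shadow) if (!(u in uid_of))    print "shadow entry " u " has no passwd entry"
            for (u in primary_gid) if (!(primary_gid[u] in gid_exists))
                print "primary gid " primary_gid[u] " of " u " is not in group"
        }
    ' "$1" "$2" "$3")
    if [ -n "$problems" ]; then
        printf '%s\n' "$problems"
        return 1
    fi
    return 0
}

# Constructed sample: a consistent set, then a copy with three mistakes introduced
# (bob appended to passwd without his shadow line or group 502; carol only in shadow).
write_samples() {
    dir=$1
    printf 'root:x:0:0:root:/root:/bin/bash\nalice:x:501:501::/home/alice:/bin/bash\n' > "$dir/passwd"
    printf 'root:*:15000:0:99999:7:::\nalice:$6$salt$hash:15000:0:99999:7:::\n' > "$dir/shadow"
    printf 'root:x:0:\nalice:x:501:\n' > "$dir/group"
    cp "$dir/passwd" "$dir/passwd.broken"
    cp "$dir/shadow" "$dir/shadow.broken"
    printf 'bob:x:502:502::/home/bob:/bin/bash\n' >> "$dir/passwd.broken"
    printf 'carol:*:15000:0:99999:7:::\n' >> "$dir/shadow.broken"
}

if [ "$1" = "--demo" ]; then
    d=$(mktemp -d)
    write_samples "$d"
    verify_accounts "$d/passwd" "$d/shadow" "$d/group" && echo "clean set: OK"
    verify_accounts "$d/passwd.broken" "$d/shadow.broken" "$d/group" || echo "broken set: problems found"
    rm -rf "$d"
elif [ $# -eq 3 ]; then
    verify_accounts "$1" "$2" "$3"
fi
```

The broken set yields three lines (bob without a shadow entry, carol without a passwd entry, and bob's primary GID 502 missing from group) and a non-zero exit, so the call slots into a post-migration check without parsing its output. It only reads the files, so it is safe to run on the live system as often as you like.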

Sunday, February 19, 2012

Asterisk - Registered Useragent Audit

Here is a quick script I put together to get a list of all phones currently registered to our Asterisk box:
#!/bin/bash
# Lists every SIP peer that is currently registered, with the User-Agent it reported.
# Output is CSV: peer,useragent
# "sip show peers" prints one peer per line as Name/username  Host ...; peers that are
# not registered show "(Unspecified)" as their host, so those lines are dropped.
asterisk -rx "sip show peers" | grep -av Unspecified | grep -a "/" | grep -a "^[0-9]" | cut -f 1 -d '/' |
while read -r peer; do
    # "sip show peer" prints "  Useragent    : <string>"; keep everything after the colon so
    # agents with spaces in their name are not cut down to the first word
    agent=$(asterisk -rx "sip show peer $peer" | grep -a "Useragent" | sed 's/^[^:]*: *//')
    echo "$peer,$agent"
done

Saturday, February 18, 2012

FIX OSX Lion Not Resolving DNS Addresses Over VPN

Problem: While connected to VPN, I was not able to resolve hostnames on the remote site.

Solution: Create a resolver file in /etc/resolver named after the remote domain, for example:
sudo mkdir -p /etc/resolver

sudo vi /etc/resolver/yourdomain.com
Add the following content and save the file, where x.x.x.x is the DNS server (reachable over the VPN) that resolves hosts in that domain:
nameserver x.x.x.x
domain yourdomain.com
port 53
You can create as many of these files as you need, one per domain. Names under yourdomain.com are then sent to that server while everything else keeps using the normal resolver; scutil --dns lists the per-domain resolvers currently in effect, which is the quickest way to confirm the file was picked up.

"On-the-Fly" Read-Write Compressed Filesystem

I recently had a problem where "SARG" (the Squid proxy reporting tool) completely chewed up all root filesystem space, as reports were generated daily and stored under /var/www/html/sarg. Quick solution, which I thought could also come in handy for future reference: an "on-the-fly" read-write compressed filesystem.

I did this on CentOS 5.5:

rpm -Uhv http://apt.sw.be/redhat/el5/en/x86_64/rpmforge/RPMS//rpmforge-release-0.3.6-1.el5.rf.x86_64.rpm

yum -y install squashfs-tools fuse-unionfs

mv /var/www/html/sarg /root/sarg-old
mkdir /var/www/html/sarg

mksquashfs /root/sarg-old /.sarg-compressed.sqfs -check_data

mkdir -p /var/squashed/{ro,rw}

Add the following to /etc/fstab:
/.sarg-compressed.sqfs  /var/squashed/ro  squashfs  loop,ro  0 0
unionfs#/var/squashed/rw=rw:/var/squashed/ro=ro /var/www/html/sarg fuse default_permissions,allow_other,use_ino,nonempty,suid,cow 0 0

mount -a

touch /var/www/html/sarg/test

Check that the new fuse filesystem is mounted and that the test file landed in the rw branch:

df -h
ls /var/squashed/rw

Only once the union is mounted and the reports are readable under /var/www/html/sarg should the uncompressed copy be removed (it was moved to /root/sarg-old above, not /var/www/html/sarg-old):

rm -rf /root/sarg-old

Note what this does and does not compress. The existing reports now live read-only inside /.sarg-compressed.sqfs, and text and HTML like these compress very well. Anything written to /var/www/html/sarg from now on, however, is not written into the image: it lands uncompressed in the /var/squashed/rw branch, which unionfs overlays on top of the read-only image. To keep the saving over time, periodically rebuild the image from the merged tree (mksquashfs /var/www/html/sarg against a new image file), unmount, swap the new image in and empty /var/squashed/rw.

Sunday, February 12, 2012

Mac OS X Lion and Cisco IPSEC VPN Pitfalls

The Mac OS X Lion native VPN client, with a Cisco IPsec EasyVPN server, was NOT working properly for me. The problem I faced was that traffic was NOT passed to the remote LAN when connected to the VPN. Split-tunnel and normal EasyVPN setups did NOT work.

1)  When presented with a split-tunnel ACL the Apple client will create a proxy pair for each line, i.e. with a VPN IP address of A and a split ACL of:
        permit B
        permit C
        permit D
    you would see an IPsec SA from A to B, A to C, and A to D.

2)  When presented with a split-tunnel ACL the Cisco client will create a single IPsec SA, i.e. A to any. However, the client will only route traffic to B, C and D over the tunnel.

This is fine and has no problems when using a crypto map style setup for EzVPN.

However, when you configure the use of dVTI this becomes difficult. This is because the VTI can only support one IPsec SA built to it. As a result, when the Apple client tries to propose the proxy pair for the A to C entry it is rejected.

This leaves you with two options here:

1)  Switch to a tunnel-all configuration
2)  Switch back to the crypto map configuration rather than the virtual-template configuration.

Reference: https://supportforums.cisco.com/thread/2095921

I chose to take the "old" crypto map style setup. Here's how I made it work on a Cisco 877 DSL router:

! Exempt LAN-to-VPN traffic (denied in ACL 111) from NAT so that replies to VPN clients are not translated
ip nat inside source route-map NAT interface Dialer0 overload

route-map NAT permit 10
match ip address 111
exit

access-list 101  remark ----------------------------------------------
access-list 101  remark *****VPN Access-list*****
access-list 101  permit ip 172.16.20.0 0.0.0.255 172.16.40.0 0.0.0.15
!
access-list 111  remark ----------------------------------------------
access-list 111  remark *****DENY Local LAN to VPN Traffic*****
access-list 111  deny ip 172.16.20.0 0.0.0.255 172.16.40.0 0.0.0.15 
access-list 111  remark ----------------------------------------------
access-list 111  remark *****PERMIT Networks Internet Access*****
access-list 111  permit ip 172.16.20.0 0.0.0.255 any
access-list 111  permit ip any any

aaa new-model
aaa authentication login userauth local
aaa authorization network groupauth local

! "secret" stores a hash; "password 0" would leave the XAUTH password in cleartext in the running config
username myusername secret mypassword

crypto isakmp policy 3
encryption 3des
authentication pre-share
group 2
lifetime 86400
exit

crypto isakmp client configuration group my_vpn
key mysecretgroupkey
dns 172.16.20.1 8.8.8.8
domain my.domain
pool my_vpn_pool
acl 101
max-logins 10
max-users 10
save-password
split-dns my.domain
include-local-lan
exit

crypto ipsec transform-set my_set esp-3des esp-md5-hmac
exit

crypto dynamic-map dynmap 10
set transform-set my_set
set security-association idle-time 900
reverse-route
exit

crypto map clientmap client authentication list userauth
crypto map clientmap isakmp authorization list groupauth
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap

ip local pool my_vpn_pool 172.16.40.2 172.16.40.8

interface Dialer0
ip nat outside
crypto map clientmap

interface vlan1
no autostate
ip nat inside

I have tested this setup with the Mac OS X Lion VPN client and with an iPhone on iOS 5.0.1. All is working well now. Yeeaay!

Note that 3DES with MD5 and DH group 2 is what this client negotiated; it is weak by today's standards, so prefer AES and SHA in the ISAKMP policy and transform set wherever the client accepts them. Keep the group pre-shared key long and treat it as a secret in its own right: anyone who holds it can stand up a look-alike server and harvest the XAUTH usernames and passwords of clients that connect to it.