Monday, March 7, 2011

apache & openldap group authentication

For Apache 2.2, check your mods-enabled and mods-available directories. Make certain the following modules in mods-available are symlinked from mods-enabled; e.g.:

 alias.load -> ../mods-available/alias.load
 auth_basic.load -> ../mods-available/auth_basic.load
 authnz_ldap.load -> /etc/apache2/mods-available/authnz_ldap.load
 authz_default.load -> ../mods-available/authz_default.load
 authz_user.load -> ../mods-available/authz_user.load
 ldap.load -> ../mods-available/ldap.load

In your sites-available file, load these two modules with the following:

 LoadModule ldap_module           /usr/lib/apache2/modules/mod_ldap.so
 LoadModule authnz_ldap_module    /usr/lib/apache2/modules/mod_authnz_ldap.so

In the directory structure where you'd like LDAP authentication to take place, add the following stanza:

 AuthBasicProvider ldap
 AuthType Basic
 AuthzLDAPAuthoritative on
 AuthName "restricted site access"
 AuthLDAPURL ldap://www.xxx.yyy.zzz/ou=users,dc=your,dc=com?uid
 AuthLDAPGroupAttribute memberUid
 AuthLDAPGroupAttributeIsDN off
 Require ldap-group cn=agroup,ou=groups,dc=your,dc=com
 Require ldap-user adude anotherdude
 Satisfy any

If you have a round-robin LDAP setup, place the FQDN of your OpenLDAP server in the AuthLDAPURL section. The ?uid at the end of the URL means that your authentication control is via the uid attribute: the user name typed at the prompt is matched against it. AuthLDAPGroupAttribute and its allied Require ldap-group state that you're checking for membership in the specific group "agroup", whose members are listed in its "memberUid" attribute. You can tack on an individual user (or several users on the same line) by specifying "Require ldap-user". And, to allow for both groups and users, have the "Satisfy any" directive set; otherwise no one will be able to log on and use your web resource.
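An added example, not from the original post: the stanza above in a weak and a corrected form, because in Apache 2.2 multiple Require lines are already alternatives (mod_authnz_ldap grants access when any one of them matches), whereas Satisfy any lets a request skip authentication whenever mod_authz_host's host check passes, which with no Order/Deny directives is every client. Host, group and user names are the page's placeholders; the Directory path, the 10.0.0.0/8 network and the CA file path are constructed.

```apache
# Weak form: the stanza from the post as it stands. With no Order/Deny
# directives mod_authz_host lets every client through, and "Satisfy any"
# treats that as sufficient: the LDAP checks below never run, so the
# area is effectively open to anyone.
<Directory /var/www/restricted>
    AuthType Basic
    AuthBasicProvider ldap
    AuthName "restricted site access"
    AuthLDAPURL ldap://www.xxx.yyy.zzz/ou=users,dc=your,dc=com?uid
    AuthLDAPGroupAttribute memberUid
    AuthLDAPGroupAttributeIsDN off
    AuthzLDAPAuthoritative on
    Require ldap-group cn=agroup,ou=groups,dc=your,dc=com
    Require ldap-user adude anotherdude
    Satisfy any
</Directory>

# Corrected form: drop "Satisfy any". The two Require lines are already
# alternatives (any match grants access), so members of agroup plus adude
# and anotherdude get in and everyone else gets a 401. STARTTLS keeps the
# bind password off the wire (plain ldap:// sends it in clear text); the
# CA file is a constructed placeholder and goes in the server config.
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/ldap-ca.pem
<Directory /var/www/restricted>
    AuthType Basic
    AuthBasicProvider ldap
    AuthName "restricted site access"
    AuthLDAPURL "ldap://www.xxx.yyy.zzz/ou=users,dc=your,dc=com?uid" STARTTLS
    AuthLDAPGroupAttribute memberUid
    AuthLDAPGroupAttributeIsDN off
    AuthzLDAPAuthoritative on
    Require ldap-group cn=agroup,ou=groups,dc=your,dc=com
    Require ldap-user adude anotherdude
</Directory>

# Only if a trusted network really should skip the password: "Satisfy any"
# is fine once mod_authz_host actually restricts hosts. Add these to the
# corrected block; 10.0.0.0/8 is a constructed value. Clients from that
# range get in without credentials, everyone else must pass the LDAP checks.
#    Order deny,allow
#    Deny from all
#    Allow from 10.0.0.0/8
#    Satisfy any
```

Run apache2ctl configtest after editing; a typo in AuthLDAPURL or a missing mod_ldap shows up there rather than as a mysterious 500 at request time.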

Monday, January 24, 2011

a bind slave configuration on ubuntu is sometimes vexing

while installing a slave dns server with bind on an ubuntu box, i found that the slave zone would not synchronize. logs are your friends. in /var/log/daemon.log I saw the following:

 named[4402]: dumping master file: /etc/bind/tmp-xxxxxxx: open: permission denied
 named[4402]: transfer of 'www.xxx.yyy.zzz/IN' from master#53: failed while receiving responses: permission denied

it appears that named was unable to write to /etc/bind/. after some digging and using strace, i discovered that ubuntu is shipped with slave zone files residing here:

 /var/cache/bind/
in /etc/bind/named.conf the zone definition ought to have the following format (or give a bare file name with no path, which named resolves relative to its working directory, /var/cache/bind on ubuntu):

 zone "mydomain.com" IN {
         type slave;
         file "/var/cache/bind/db.mydomain.com";
         masters { www.xxx.yyy.zzz; };
 };

and have the correct permissions:

 # chown -R bind:bind /var/cache/bind/
 # chmod -R g+w /var/cache/bind/

bind also needs permission to write to various zone files; in /etc/default/bind9 add:

 ENABLE_ZONE_WRITE=yes

however, my slave zone would still not synchronize. this was due to apparmor (sure, i knew that); edit /etc/apparmor.d/usr.sbin.named and change:

 /etc/bind/** r,

to:

 /etc/bind/** rw,
some other excitement is to actually resolve things on the localhost. in /etc/network/interfaces add:

 dns-nameservers 127.0.0.1

and in /etc/bind/named.conf.options include the following stanza (comments in named.conf use // rather than arrows):

 forwarders {
         8.8.8.8;    // our friend google for ext lookups
         8.8.8.4;    // our friend google for ext lookups
         10.6.6.6;   // an internal server for internal lookups
 };

Monday, January 17, 2011

ubuntu host, let's rename you, shall we?

easy peasy.

to change an ubuntu system's hostname, do the following:

 # /bin/hostname new.name
 # vi /etc/hosts
 # grep -r old.name /etc
 # /etc/init.d/cron restart

on a debian system, do the following:

 # /bin/hostname new.name
 # vi /etc/hostname
 # vi /etc/hosts
 # grep -r old.name /etc
 # sysctl kernel.hostname=new.name
 # /etc/init.d/cron restart

Wednesday, December 22, 2010

resetting windows local security policy is annoying

sometimes you just need to remove a system from one ad domain and add it to another. a problem is that the other domain's registry settings get tattooed. yuck.

well, i like to just reset everything, because i'm lazy that way. as administrator at the command prompt...

for xp & server 2003:

 secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose

for vista:

 secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose

Friday, December 17, 2010

solaris 10, mount those automounts, please?

Solaris and failing mounts get me depressed sometimes. After you've rebooted a machine, your nice UDP NFS mounts just don't go, or you've made a change in one of your auto defs and your brain is addled because you work with so many variants of Solaris it just isn't funny anymore.

Solaris 8 and 9 were pretty easy. To restart the service (which wasn't one) after you've mucked about in /etc/auto_master &c.:

 # /etc/init.d/autofs stop; /etc/init.d/autofs start

Solaris 10 is different. The init script is no longer there, and autofs has become a service. To figure out if it is running and to (re)start it after doing what you need to do, follow this sequence:

 # svcs | grep auto
 legacy_run     14:14:53 lrc:/etc/rc2_d/S72autoinstall
 online          9:51:27 svc:/system/filesystem/autofs:default
 # svcadm -v restart svc:/system/filesystem/autofs:default
 Action restart set for svc:/system/filesystem/autofs:default.

cd to your newly mounted dirs and away you go.

Tuesday, December 14, 2010

sometimes root needs quick gui action

Really? As much as I loathe doing it, sometimes root needs kde console access in ubuntu.

 # sed -i 's/AllowRootLogin=false/AllowRootLogin=true/g' /etc/kde4/kdm/kdmrc

When you're done, undo it.

Oh, if root's not enabled:

 # usermod -U root

Friday, December 10, 2010

missile command and mac addresses

Network access blocking using MAC addresses is sometimes like missile command or whack-a-mole, depending: you find an errant client, and you tell your firewall-router to block said MAC. What do you do if you're on the receiving end? Change the MAC programmatically, of course.

My ethernet controller is eth0 and its MAC address (or Hardware Address) is 00:0f:1f:f7:b1:64. I know that there are no MACs with HWaddr 00:0f:1f:f7:b1:65 on the network. Let's change that MAC address.

 # ifconfig eth0 down
 # ifconfig eth0 hw ether 00:0f:1f:f7:b1:65
 # ifconfig eth0 up

Take that! Now, you can very very easily have a little tee script and substitute away every time you're disallowed. But, come on, what tomfoolery are you up to that'd make you programmatically denied network access?