Friday, May 29, 2009

LDAP Authentication in Debian

Steps for getting LDAP authentication working on Debian

This post brought to you courtesy of SzlWzl

Sources:
http://www.adminspotting.net/articles/windows/linux-and-active-directory.html
http://moduli.net/sysadmin/sarge-ldap-auth-howto.html

Aim:
To get all Linux users authenticating against our Active Directory implementation, which is running on Windows 2003R2.

On the Active Directory Server:
From Add/Remove Programs -> Add/Remove Windows Components -> Active Directory Services, install Identity Management for UNIX and reboot.

Create a user which we're going to use to bind. I have called mine adlookup, which sits in our Service Accounts OU.
CN=AD Lookup,OU=Service Accounts,DC=DOMAIN,DC=com


It is very important that the password doesn't have any special characters in it. I had to change the domain policy to set it, as apparently there can only be one password policy per domain.
In Active Directory Users/Computers either create a new group or choose an existing group for your users, right click and choose properties.
Add your users
Choose Unix Attributes and select the correct NIS domain.

Now select a user, right click on them and select properties
Choose Unix Attributes
Select the NIS domain, Home Directory, shell and primary group name

Linux Client:
apt-get install ldap-utils openssl libpam-ldap libnss-ldap nscd

edit the /etc/ldap/ldap.conf to look like this
run
ldapsearch -x -W -D "cn=AD Lookup,OU=Service Accounts,dc=DOMAIN,dc=com" -LLL "(sAMAccountName=adlookup)"

Then enter your password and it should return the correct details; if it does then you're brilliant :)
mv /etc/libnss-ldap.conf /etc/libnss-ldap.old
nano -w /etc/libnss-ldap.conf
and make it look like this:

host IPOFADSERVER #Important - it must be the IP and not the dns entry
ldap_version 3
binddn CN=AD Lookup,OU=Service Accounts,DC=DOMAIN,DC=com
bindpw PASSWD #nospecialcharacters
scope sub
timelimit 30
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_attribute uid msSFU30Name
nss_map_attribute uniqueMember msSFU30PosixMember
nss_map_attribute userPassword msSFU30Password
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_objectclass posixGroup Group
pam_login_attribute msSFU30Name
pam_filter objectclass=User
pam_password ad
base OU=YOUROU,dc=DOMAIN,dc=com # make sure you limit this to only what is required as I had strange errors
rootbinddn CN=ADMINUSER,CN=Users,DC=DOMAIN,DC=com #What user should root join as to enable passwd change etc
pam_groupdn CN=WHATGROUPAREUSERSIN,CN=Users,DC=DOMAIN,DC=com #what group must users be in to enable login

The contents of libnss-ldap.conf and pam_ldap.conf are identical in my setup so just link them together to save any additional work:
mv /etc/pam_ldap.conf /etc/pam_ldap.old && ln -s /etc/libnss-ldap.conf /etc/pam_ldap.conf
nano -w /etc/libnss-ldap.secret # enter in your admin password
ln -s /etc/libnss-ldap.secret /etc/pam_ldap.secret #same passwords
chmod 600 /etc/libnss-ldap.secret # make sure this is readable by only that user

Edit your /etc/nscd.conf file and change the following parameters:
I have chosen an arbitrary size of 500MB, but I found that there were some crazy assertion errors coming in if I left the defaults, such as this one from openldap-2.4.11/libraries/liblber/sockbuf.c. I think it must be to do with the size of the cache in nscd, but am not sure. I also got an error about "invalid persistent database" when this was set too large.

max-db-size passwd 524288000
max-db-size group 524288000
max-db-size services 524288000

Now you have to tell PAM how to get its users, so make your /etc/nsswitch.conf look like the below. It is very important to get the order right: compat must come first and then ldap. I found that my machine wouldn't boot if it was trying to do the ldap first.

#passwd: compat
#group: compat
#shadow: compat
passwd: compat ldap
group: compat ldap
shadow: compat

You must now make nsswitch readable by all so:
chmod 644 /etc/nsswitch.conf


Now you can test this is working by doing:
getent passwd USER.NAME # this must be a username you have enabled up there ^

/etc/pam.d Common Files

Debian has a series of files in /etc/pam.d whose names start with common-, which are included by the other files in that directory for specific services. We can tell PAM to use LDAP for all of these services by modifying these common files.

In /etc/pam.d/common-password, comment out and replace:

password required pam_unix.so nullok obscure min=4 max=8 md5

or:

password required pam_cracklib.so retry=3 minlen=6 difok=3
password required pam_unix.so use_authtok nullok md5

with:

# try password files first, then ldap. enforce use of very strong passwords.
password required pam_passwdqc.so min=disabled,16,12,8,6 max=256
password sufficient pam_unix.so use_authtok md5
password sufficient pam_ldap.so use_first_pass use_authtok md5
password required pam_deny.so

Read the pam_passwdqc man page for more about parameters you can give to it. In /etc/pam.d/common-auth comment:
auth required pam_unix.so nullok_secure

replace with:

# try password file first, then ldap
auth sufficient pam_unix.so
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so

In /etc/pam.d/common-account comment:
account required pam_unix.so

replace with:
# try password file first, then ldap
account sufficient pam_unix.so
account sufficient pam_ldap.so
account required pam_deny.so

And this line to /etc/pam.d/common-session:

session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
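As an added example that is not from the original post, the following POSIX shell script checks the three things the nsswitch and PAM passages above depend on before you reboot or log out: compat before ldap on the passwd and group lines, a libnss-ldap.secret that is exactly mode 600, and common-auth/account/password stacks that try pam_unix before pam_ldap and end in pam_deny.so. The directory argument, the make_sample helper and its constructed sample files are assumptions for offline testing, not part of any Debian, nss_ldap or PAM tooling.

```shell
#!/bin/sh
# Added example, not part of the original post: a pre-flight check for the
# files the how-to above edits. It takes a directory rather than assuming
# /etc so the same code can be run against constructed copies (make_sample)
# before touching a real machine. Usage: sh check-ldap-config.sh /etc
# ("check-ldap-config.sh" is just an assumed filename.)

# Return 0 if the active passwd and group lines list compat before ldap,
# the ordering the post found necessary for the machine to boot.
check_nsswitch_order() {
    file="$1"
    for db in passwd group; do
        line=$(grep -E "^${db}:" "$file" | head -n 1)
        [ -n "$line" ] || return 1
        # strip the "db:" label and compare the first two sources in order
        set -- $(echo "$line" | cut -d: -f2)
        [ "$1" = "compat" ] && [ "$2" = "ldap" ] || return 1
    done
    return 0
}

# Return 0 only if the file holding the rootbinddn password exists and is
# exactly mode 600; -perm 600 without a leading - or / is an exact match,
# so any group/other bit left on by a careless edit fails the check.
check_secret_perms() {
    file="$1"
    [ -f "$file" ] || return 1
    [ -n "$(find "$file" -perm 600 -print)" ]
}

# Return 0 if a common-* PAM file tries pam_unix before pam_ldap and closes
# the stack with pam_deny.so, the shape used for common-auth/account/password.
check_pam_stack() {
    file="$1"
    # module column ($3) of the active lines, in stack order
    mods=$(grep -Ev '^[[:space:]]*(#|$)' "$file" | awk '{ print $3 }')
    unix_at=$(echo "$mods" | grep -n '^pam_unix\.so$' | head -n 1 | cut -d: -f1)
    ldap_at=$(echo "$mods" | grep -n '^pam_ldap\.so$' | head -n 1 | cut -d: -f1)
    last=$(echo "$mods" | tail -n 1)
    [ -n "$unix_at" ] && [ -n "$ldap_at" ] &&
        [ "$unix_at" -lt "$ldap_at" ] && [ "$last" = "pam_deny.so" ]
}

# Run every check against one directory; report each failure, return 1 if any.
run_checks() {
    d="$1"; rc=0
    check_nsswitch_order "$d/nsswitch.conf" || { echo "nsswitch.conf: compat must precede ldap for passwd and group"; rc=1; }
    check_secret_perms "$d/libnss-ldap.secret" || { echo "libnss-ldap.secret: must exist with mode 600"; rc=1; }
    for f in common-auth common-account common-password; do
        check_pam_stack "$d/pam.d/$f" || { echo "pam.d/$f: want pam_unix, then pam_ldap, ending in pam_deny.so"; rc=1; }
    done
    return $rc
}

# Constructed sample trees (not real system files) so the checks can be
# exercised offline: "good" follows the shape of the post's final config,
# "bad" has ldap before compat, a world-readable secret and no pam_deny.
make_sample() {
    dir=$(mktemp -d)
    mkdir -p "$dir/pam.d"
    printf 'EXAMPLE-ROOT-BIND-PASSWORD\n' > "$dir/libnss-ldap.secret"
    if [ "$1" = "good" ]; then
        printf 'passwd: compat ldap\ngroup: compat ldap\nshadow: compat\n' > "$dir/nsswitch.conf"
        chmod 600 "$dir/libnss-ldap.secret"
        for f in auth account password; do
            printf '%s sufficient pam_unix.so\n%s sufficient pam_ldap.so use_first_pass\n%s required pam_deny.so\n' \
                "$f" "$f" "$f" > "$dir/pam.d/common-$f"
        done
    else
        printf 'passwd: ldap compat\ngroup: compat ldap\nshadow: compat\n' > "$dir/nsswitch.conf"
        chmod 644 "$dir/libnss-ldap.secret"
        for f in auth account password; do
            printf '%s sufficient pam_ldap.so use_first_pass\n%s sufficient pam_unix.so\n' \
                "$f" "$f" > "$dir/pam.d/common-$f"
        done
    fi
    echo "$dir"
}

# Check the directory given on the command line, if one was given (e.g. /etc).
if [ -n "${1:-}" ] && [ -d "$1" ]; then
    run_checks "$1"
fi
```

The checks deliberately read the files rather than calling getent or pam, so they can be run as an ordinary user on a copy of /etc taken before the change, and again on the live tree before you log out of your root shell.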

This should now be it. I haven't quite got automatic sudo working yet, or auto-mounting of the home dir from an NFS source, but that is the next step :)

Troubleshooting:
Password you bind with must not have special characters
In nscd.conf you must have a decent sized cache file
Your unix attributes must be correct
check that your getent passwd is working and that your ldapsearch is working

Monday, May 11, 2009

Database Mirroring for Non Domain MS SQL Servers

Configuration of Database Mirroring for Non-Domain based SQL Servers

Assumptions
2 SQL Servers running SQL 2005 SP1 (or greater)
Network connectivity between them
System privileges to create user accounts and change service log on credentials
Databases to be mirrored set to FULL recovery model

Initial decision is which server is going to be your primary

Once this is decided, create a new account with a strong password, that you will run SQL Server and the SQL Server Agent with
Add this account to the group SQLServer2005MSSQLUser$SERVER-NAME$SQLINSTANCE

Set the services "SQL Server ($SERVERINSTANCE)" and "SQL Server Agent ($SERVERINSTANCE)" to run under this account

This should be done on BOTH SQL Server Machines

On BOTH machines, run the following T-SQL queries to build the Mirroring Endpoints
CREATE ENDPOINT mirror
STATE = STARTED
AS TCP
(LISTENER_PORT = 5022)
FOR DATABASE_MIRRORING
(AUTHENTICATION = WINDOWS, ENCRYPTION = SUPPORTED,ROLE = ALL)

Now, on the PRIMARY, select the database to be mirrored and back it up (Full Backup). Copy this backup to the SECONDARY server and restore it using the "WITH NORECOVERY" option. This will leave the SECONDARY database in the Restoring state.

Back on the PRIMARY server, right click on the database and select Tasks > Mirror

Run through the "Configure Security..." wizard
Do not use a witness server
You may need to log on to the SECONDARY SQL Server using appropriate credentials. It will automatically detect the endpoint created earlier.
When prompted for a user for the principal and Mirror, DO NOT ENTER ANY DETAILS
The Mirroring Configuration Wizard will complete with 0 errors or Warnings.
Select Do Not Start Mirroring

Still on the primary server, select the Principal server address and change it so it is a FQDN (including a domain)
for example server1.sqltesting.com:5022
For the most likely to succeed option inspect the Mirror server address.

Once this is set, hit Start Mirroring. You will get an error message that the mirror database has insufficient transaction log data to preserve the log backup chain of the principal database...
Hit OK on this, BUT do not OK or cancel out of the database properties page for the PRIMARY database. This error indicates that the two servers can successfully communicate.

On Management Studio on the PRIMARY, right click on the database and select tasks> Backup
In the backup type, select Transaction Log and back it up to an appropriate location.

On the SECONDARY server, right click on the database to be mirrored and select Tasks > Restore Transaction Log
Select the path to the transaction log backup from the PRIMARY server.
Restore this ensuring to select the WITH NORECOVERY option on the options screen.

On the PRIMARY server, on the still open properties page, do not change the Operating mode unless you know what you are doing, then click Start Mirroring

There will be a slight delay and the Status will change to Synchronizing; hit refresh and, as long as not too many transactions have gone through, it should change to Synchronized.

You can now close this window and have mirrored databases.

Anonymous Internet Browsing

(Or How BT Mobile Broadband can make you feel like a criminal)

This post was inspired by the despicable means that BT use to try and prevent you from doing what you want on the internet whilst using one of their mobile dongles. Some people (myself included) don't like others seeing what they do on the internet; this is how you get around it.

**DISCLAIMER**

This can be used to get around proxy services and servers that your friendly neighbourhood SysAdmin might have put in place for the safety of their network. If you get caught using this and violating your employer's acceptable use policy, on your own head be it.

A SysAdmin will probably beat on you with a spanner for just discussing this, Yes I am a SysAdmin and Yes I would.

So enough of that nonsense and thinly veiled threats, let's get down to getting you on the internet.

Go and download FirefoxPortable from portableapps.com
Install this to your USB Thumbdrive or to a location on your hard drive

Download TOR from www.torproject.org

when installing TOR/Vidalia, Select a "Base" install and expand out the Torbutton option, deselect "Add to Firefox"
Change the destination folder to be a folder on your USB Drive, I called mine Vidalia.
Don't run the Installed components just yet.

Go to the installed folder and browse to the Torbutton folder. Right click on torbutton-1.2.0-fx.xpi and select "open with...", point this to your portable Firefox installation and run it, then restart Firefox Portable. Open up the add-ons options for Torbutton and ensure that "Use Privoxy" is enabled.

When you want to browse anonymously, run Vidalia from your USB drive, open up Firefox Portable, and down in the bottom right, click on Tor Disabled to start Tor and browse to your heart's content, relatively safe in the knowledge that no one can see your browsing activity.

To add Flash to this, copy flashplayer.xpt and NPSFW32.dll from c:\windows\system32 into FirefoxPortable\App\DefaultData\plugins and restart firefox. This doesn't work with all flash video players but youTube works.