LDAP User Add Script

A bug with phpldapadmin in Ubuntu 10.04 has forced me to find other ways to add a generic Linux account to LDAP.

This consists of three files; I keep them in /root/ldap and have a symlink to add_ldap_user.sh in /usr/local/bin

add_ldap_user.sh Script

last.uid The last used UID, auto-incriments

user.ldif Sample linux account in LDIF format

add_ldap_user.sh


#!/bin/bash
NEWUID=`cat /root/ldap/last.uid`
echo -ne "First Name: "
read FIRST
echo -ne "Last Name: "
read LAST
echo -ne "User Name: "
read USERNAME

sed “s/FIRST/`echo $FIRST`/g” /root/ldap/user.ldif > /root/ldap/temp
sed “s/LAST/`echo $LAST`/g” /root/ldap/temp > /root/ldap/temp2
sed “s/USERNAME/`echo $USERNAME`/g” /root/ldap/temp2 > /root/ldap/temp
sed “s/USERUID/`echo $NEWUID`/g” /root/ldap/temp > /root/ldap/temp2

ldapadd -x -w`cat /etc/ldap.secret` -D “cn=admin,dc=YOUR,dc=HOSTNAME” < /root/ldap/temp2
echo `expr $NEWUID + 1` > /root/ldap/last.uid
rm /root/ldap/temp
rm /root/ldap/temp2
passwd $USERNAME

user.ldif


dn: cn=FIRST LAST,ou=People,dc=YOUR,dc=HOSTNAME
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
givenName: FIRST
sn: LAST
cn: FIRST LAST
uid: USERNAME
userPassword: {MD5}QaJUwABOZ6gUsv/xOD/FOQ==
gidNumber: 100
homeDirectory: /home/USERNAME
loginShell: /bin/bash
uidNumber: USERUID

last.uid

1900

Note that because the LDIF contains a place-holder password, you must be able to run ‘passwd LDAP-USER’ on the host you are running this on.

OpenSolaris mod_bw Apache2 Bandwidth Limiting

Install needed software

pkg install gsed wget SUNWapch22 sunstudioexpress

Yes, sunstudioexpress is really necessary. gcc will NOT work with mod_bw.
Download mod_bw

cd /tmp
wget http://ivn.cl/files/source/mod_bw-0.8.tgz
gunzip mod_bw-0.8.tgz
tar xf mod_bw-0.8.tar
cd mod_bw

Build/install the module. We need to make sure the SunStudioExpress binaries are chosen before anything else, so add it to the beginning of PATH.

export PATH=/opt/SunStudioExpress/bin:$PATH

We also need to make a symlink to /usr/ucb/echo (this is a bug with the apxs included in opensolaris, not with mod_bw)

mkdir /usr/ucb
ln -s /usr/bin/echo /usr/ucb/echo

Now cross your fingers and build the module

/usr/apache2/2.2/bin/apxs -i -a -c mod_bw.c

If it complains about .h files, you can find them here:

/usr/apache2/2.2/include
/usr/apr/1.3/include
/usr/apr-util/1.3/include

Once apxs finishes, it should automatically add the following entry to /etc/apache2/2.2/conf.d/modules-32.load

LoadModule bw_module          /var/apache2/2.2/libexec/mod_bw.so

Add the following to /etc/apache2/2.2/httpd.conf

BandWidthModule On

BandWidth all 40000

MinBandWidth all 10000

ForceBandWidthModule On

Restart apache2 and check on it’s status

svcadm restart apache22

svcs -a | grep apache22

online          1:55:27 svc:/network/http:apache22

If it’s in maintenance mode, check the log file

/var/svc/log/network-http:apache22.log

Merge Sort in Bash

Thanks to Adam Vite for this.

So, during spring break, I was extremely bored and implimented merge sort into a language that doesn’t really need it: Bash. I got inspiration to do this from seeing  merge sort implimented in Prolog. As of right now, it merely sorts integers, but can sort anything, given that a compareTo method of what you want sorted is written into the merge method (bash isn’t object oriented, so it’s not really so adaptable to adaptability.) I doubt I’m the first person to do this, but it’s a nice thought experiment to see how limited languages can still allow the performance of advanced operations. I don’t guarantee that this algorithm performs in n*log(n) time as I’m not sure of the individual costs of bash operations or the cost of reading and executing this, but I tested it with 1330 numbers and it sorted them in about 35 seconds on my 1.6 Ghz laptop.

#!/bin/bash

mrgsrt() {
# This function impliments the merge sort algorithm into bash.
#
# @Author: Adam Vite

if [ $# = 1 ]; then
echo $1;
# There is only one arguement, list is sorted
elif [ $# -gt 1 ]; then
i=0;
unset left;
unset right;
for x in $@ ; do
if [ $i -lt $(($# / 2)) ]; then
left=$( echo $left $x );
i=$(($i + 1));
else
right=$( echo $right $x );
fi;
done;
# The arguments have been split in half

left=$( mrgsrt $left );
right=$( mrgsrt $right );
# each half has been sorted recursively

mrg $left $right;
# The two halves have been merged together with a helper method
else
echo “Usage: mrgsrt <series of numbers seperated by spaces>”;
fi;
}

mrg() {
# This method sorts two sorted lists of numbers by adding the lowest of
# firstmost unsorted number into a new list until all numbers have been
# added and then returns that list.
#
# @Author: Adam Vite

l=1; # Begining index of left half
r=$(($# / 2 + 1)); # Begining index of right half
unset list;
while [ $l -ne $(($# / 2 + 1)) ] || [ $r -ne $(($# + 1)) ]; do
if [ $l = $(($# / 2 + 1)) ]; then
list=$( echo $list ${!r} );
r=$(($r+1));
# Left half has been sorted

elif [ $r = $(($# + 1)) ]; then
list=$( echo $list ${!l} );
l=$(($l+1));

# Right half has been sorted

elif [ ${!l} -lt ${!r} ]; then
list=$( echo $list ${!l} );
l=$(($l+1));
# Firstmost unsorted left is less than firstmost unsorted right
else
list=$( echo $list ${!r} );
r=$(($r+1));
# Firstmost unsorted right is less than firstmost unsorted left
fi;
done;
echo $list;
}

Automate Restart of D-Link DCS-900 Cameras

I have some older D-Link DCS-900 cameras being used with ZoneMinder for a security system at home.

While these cameras are normally very stable (no lock-ups for weeks or months at a time) it still happens. To make things work more smoothly, I decided to find a way to restart the devices with cron.

I decided to have the cameras be reset twice a month (on the 1st and 15th of each month at 4am).


crontab -e

0 4 1,15 * * wget –http-user=admin –http-password=YOUR-PASSWORD -O /dev/null –post-data=”Reset= Yes ” http://camera1/Reply.html

 

You can remove the –http-user and –http-password sections if you do not have an admin user/password set.

Ubuntu 9.10 PXE Boot

Ubuntu 9.10 uses initrd.lz instead of initrd.gz, so PXE booting like you did in previous versions does not work.

This article assumes you’ve already downloaded the iso and have a working PXE boot server.

First, copy the contents of the iso to a directory we can work with


mkdir /tmp/910

mount -o loop ubuntu-9.10-desktop-i386.iso /tmp/910

cp -r /tmp/910 /tftpboot

Convert initrd.lz to initrd.gz


cd /tftpboot/910/casper

mkdir initrd

cp initrd.lz initrd

cd initrd

lzma -dc -S .lz initrd.lz | cpio -id

rm initrd.lz

find . | cpio –quiet –dereference -o -H newc | gzip -9 > initrd.gz

cp initrd.gz /tftpboot/910/casper

Now add the appropriate lines to pxelinux (Example: /tftpboot/pxelinux.cfg/default)


LABEL Ubuntu 9.10 i386 Unmodified Livecd
KERNEL 910/casper/vmlinuz
APPEND root=/dev/nfs boot=casper netboot=nfs nfsroot=192.168.0.1:/home/tftpboot/910 initrd=910/casper/initrd.gz quiet splash --

Make sure /tftpboot is shared via nfs; in /etc/exports add the following line


/tftpboot/910 192.168.0.0/24(rw,async,no_subtree_check)

Reload the NFS server

/etc/init.d/nfs-kernel-server reload

OpenSolaris LDAP Client to Linux OpenLDAP Server

The following outlines how to set up a OpenSolaris client to work with a Linux OpenLDAP server.

The following is one line

ldapclient manual -a credentialLevel=proxy -a authenticationMethod=simple -a proxyDN=cn=admin,dc=server -a proxyPassword=yourpassword -a defaultSearchBase=dc=server -a defaultServerList=192.168.1.1:389 -a serviceSearchDescriptor=passwd:ou=People,dc=server -a
serviceSearchDescriptor=group:ou=Groups,dc=server

Add the following lines to their appropriate sections in /etc/pam.conf

login   auth required           pam_ldap.so.1
other   auth required           pam_ldap.so.1
passwd  auth required         pam_ldap.so.1

Test LDAP with

ldaplist -l passwd

Test user authentication using the following steps

mkdir /export/home/ldapuser

chown ldapuser /export/home/ldapuser

Edit /etc/auto_home and add the following BEFORE “+auto_home”

ldapuser localhost:/export/home/ldapuser

SSH to test

ssh ldapuser@localhost

You should be in! If not, you may have to change the following in /etc/ssh/sshd_config

PAMAuthenticationViaKBDInt no

#Change from yes to no

Restart SSH

svcadm restart ssh

If you are still unable to log in, your userPassword attribute probably needs to be changed from md5/md5crypt to crypt.

su – ldapuser

passwd

After changing your password you should be able to log in.

View processes (PID) using disk I/O

Install the sysstat package

apt-get install sysstat

# iostat -m
Linux 2.6.27-14-generic (slowaris)      07/28/2009      _x86_64_

avg-cpu:  %user   %nice %system %iowait  %steal   %idle
4.88    6.65    3.03    1.49    0.00   83.95

Device:            tps    MB_read/s    MB_wrtn/s    MB_read    MB_wrtn

md0             221.24         0.64         0.78    1765002    2159490

We can see that I/O isn’t terribly high here, but there are 221 transfers per second going on.

To check what processes are causing I/O

echo 1 > /proc/sys/vm/block_dump

tail -f /var/log/syslog | grep md0

Jul 28 08:20:12 server kernel: [2752582.434647] kvm(17362): READ block 1017744552 on md0
Jul 28 08:20:12 server kernel: [2752582.502401] kvm(17362): READ block 615283608 on md0
Jul 28 08:20:13 server kernel: [2752582.634622] kvm(17362): READ block 1017744576 on md0
Jul 28 08:20:14 server kernel: [2752583.964709] kvm(17362): READ block 1017744608 on md0
Jul 28 08:20:14 server kernel: [2752584.372889] kvm(1868): dirtied inode 17367041 (live-default-32.img) on md0
Jul 28 08:20:14 server kernel: [2752584.372908] kvm(1868): dirtied inode 17367041 (live-default-32.img) on md0

We see that kvm is causing some disk I/O; now where know where to start investigating!

To turn off these messages

echo 0 > /proc/sys/vm/block_dump

OpenVZ on Ubuntu 8.10

Other OpenVZ Ubuntu 8.10 guides that I’ve seen have you use the old lenny repository; since this no longer exists let’s try another way!

I used a 64-bit machine; steps will be the same for 32-bit. If you have 64-bit and just want to download the kernel I used: http://bbis.us/~will/openvz-ubuntu810.tar.gz

Now let’s build the kernel.

cd /usr/src
wget http://kernel.org/pub/linux/kernel/v2.6/linux-2.6.27.tar.bz2
tar xjf linux-2.6.27.tar.bz2
cd linux-2.6.27

wget http://download.openvz.org/kernel/branches/2.6.27/2.6.27-briullov.1/patches/patch-briullov.1-combined.gz
gunzip patch-briullov.1-combined.gz

wget http://download.openvz.org/kernel/branches/2.6.27/2.6.27-briullov.1/configs/kernel-2.6.27-x86_64.config.ovz
#OR
wget http://download.openvz.org/kernel/branches/2.6.27/2.6.27-briullov.1/configs/kernel-2.6.27-i686.config.ovz

cp kernel-2.6.27-*.config.ovz .config
patch -p1 < patch*

make oldconfig

make
make modules_install install

cd /boot
mkinitramfs -o /boot/initrd.img-2.6.27 2.6.27

vi /boot/grub/menu.lst

#Replace uuid entries with your disks uuid
title           Ubuntu 8.10 OpenVZ 2.6.27
uuid            2d5b2466-4bdf-44c7-b8e5-4d46a9f927c8
kernel          /boot/vmlinuz-2.6.27 root=UUID=2d5b2466-4bdf-44c7-b8e5-4d46a9f927c8 ro quiet splash
initrd          /boot/initrd.img-2.6.27
quiet

grub-install /dev/sda

apt-get install vzctl vzquota

reboot

If everything went according to plan, you’ll boot into your new kernel. If you get a kernel panic, or things are not working as expected, you may have to

make menuconfig

Once the kernel is working, let’s create a container.

cd /var/lib/vz/private

mkdir 1

debootstrap hardy 1

When you see:

#I: Base system installed successfully.

You can continue.

vi /etc/vz/dists/default
#Change redhat to debian OR copy ubuntu.conf to default

Create the container and set an IP

vzctl set 1 –applyconfig vps.basic –save
vzctl set 1 –ipadd 192.168.100.7 –save
vzctl set 1 –nameserver 192.168.100.1 –save

vzctl start 1

At this time you cannot enter the container. You will receive the error

Unable to open pty: No such file or directory

To fix this:

vzctl exec 1 update-rc.d -f udev remove

Restart and enter the container

vzctl restart 1

vzctl enter 1

If network doesn’t work add to /etc/sysctl.conf on server (not container):

net.ipv4.conf.default.forwarding=1
net.ipv4.conf.all.forwarding=1

Ubuntu 8.10 LDAP Server with TLS

This should also work with Ubuntu 9.04

apt-get install slapd ldap-utils libnss-ldap libpam-ldap migrationtools

Much like Debian, we must perform an extra step to make our changes permanent.

dpkg-reconfigure slapd

Omit OpenLDAP server configuration? No
DNS domain name: your-server
Organization name: whatever
Database backend to use: HDB
Do you want the database to be removed when slapd is purged? No
Move old database? Yes
Admin password: <password>
Confirm: <password>
Allow LDAPv2 protocol: No

Now we will populate LDAP. You should probably add a temporary LDAP user for testing. After we populate LDAP we’ll remove it.

adduser test
cd /usr/share/migrationtools

Edit migrate_common.ph and replace “padl.com” with your domain and dc=padl,dc=com with dc=YOUR,dc=DOMAIN

./migrate_base.pl > /tmp/base.ldif

./migrate_passwd.pl /etc/passwd /tmp/passwd.ldif

./migrate_group.pl /etc/group /tmp/group.ldif

Remove the top section of /tmp/base.ldif

dn: dc=dev
dc: dev
objectClass: top
objectClass: domain

Restart LDAP and add our information to LDAP


/etc/init.d/slapd restart

ldapadd -x -W -D 'cn=admin,dc=example,dc=net' < /tmp/base.ldif
ldapadd -x -W -D 'cn=admin,dc=example,dc=net' < /tmp/passwd.ldif
ldapadd -x -W -D 'cn=admin,dc=example,dc=net' < /tmp/group.ldif

To enable PAM I suggest


cd /tmp
wget http://st0rage.org/files/pam.d.tar
tar xf pam.d.tar -C /etc

Alternativly, you can try the following Ubuntu specific method:


auth-client-config -t nss -p lac_ldap
pam-auth-update ldap

Please note that I was unable to change user passwords with ‘passwd’ using this method.

Remove the test user

userdel test

Set up TLS Certificate

mkdir /etc/ldap/ssl
cd /etc/ldap/ssl

openssl req -new -nodes -out req.pem -keyout key.pem
#No challenge password, leave empty
openssl rsa -in key.pem -out new.key.pem
openssl x509 -in req.pem -out ca-cert -req -signkey new.key.pem -days 9999
mv new.key.pem server.pem
cat ca-cert >> server.pem

Enable TLS on server

ldapmodify -x -D cn=admin,cn=config -W

Paste in the following:

dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/ssl/server.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/ssl/server.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/ssl/server.pem

Press ENTER a few times to finish modifying and then Control+C when you see:

modifying entry "cn=config"

Edit /etc/default/slapd and add

SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"

Restart slapd

/etc/init.d/slapd restart

If it fails, try:


chown -R openldap /etc/ldap/ssl
/etc/init.d/slapd restart

Client configuration

vi /etc/ldap.conf

uri ldaps://server
port 636
ssl start_tls
ssl on
tls_checkpeer no
tls_cacertfile /etc/ldap/ssl/server.pem


vi /etc/nsswitch.conf

passwd: compat ldap
group: compat ldap
shadow: compat ldap
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: ldap

Now test! Make sure to stop nscd if you’re using it

/etc/init.d/nscd stop

Test LDAP

$ id test
uid=1001(test) gid=1001(test) groups=1001(test)

Remember to keep an eye on /var/log/auth.log if you run into any problems