January 14, 2009

Authenticate OneOrZero HelpDesk Users to LDAP via OpenLDAP

Filed under: General OpenSource, Linux, Tips and Tricks - baudizm @ 2:46 pm

Help! We needed a helpdesk and a knowledgebase system, and we prefer that it be open source. We found OneOrZero HelpDesk and KnowledgeBase to be a good candidate, so we decided to take a look and see for ourselves. Installation was a tad easy: all you need is an Apache server, PHP, and MySQL, and voila! We have been running it with MySQL for some time, but we haven't yet let users use the system.

We have been mulling over the idea of integrating OneOrZero HelpDesk and KnowledgeBase authentication with our existing LDAP server, which also authenticates our Windows domain users via our Samba PDC. OneOrZero is quite convenient for us since it already has LDAP authentication capability. Or so we thought.

Setting up LDAP for OneOrZero HelpDesk required us to modify its settings. You can do this from its own control panel by logging in as an administrator, or you can brute it out by going to where the OneOrZero configuration files are located. In my case it is in

/srv/www/onezero/configuration/website_settings.php

Please note that the location may not be the same in your case, depending on where you extracted your files, and where your Apache DocumentRoot is located. Make the necessary adjustments.

After locating the file, first make a copy of the existing file (you don't want to lose working settings, do you? :)), then edit website_settings.php with your favorite text editor, which in my case is VI.

vi website_settings.php

Navigate your way down towards near the end of the file, and review the LDAP-related parameters. Please note, I’ll be using my own LDAP parameters as examples and yours might be different depending on your LDAP server flavor (AD, OpenLDAP, Netware/OES/others).

# Enable LDAP authentication. This is DB by default.
auth_method = "LDAP"

# IP address of your LDAP server
ldap_host = "192.168.10.10"

# If you are using AD, specify the domain name. I'm using OpenLDAP, so I ignored this.
ldap_domain = ""

# Specify the user that will be used to bind to your LDAP server. Not needed if anonymous bind is allowed
ldap_binddn = "cn=ldapbinder,dc=mydomain,dc=com"

# Specify the password for the binding user
ldap_bindpwd = "secret"

# Set the location in your LDAP schema where the search will start from. In my case, I have an OU called "Users"
ldap_rootdn = "ou=Users,dc=mydomain,dc=com"

# Provide here the search attributes. Note though that this might be different on your particular flavor of LDAP.
# Use an LDAP browser utility to double check.
ldap_searchattr = "uid"
ldap_fname = "givenname"
ldap_lname = "sn"
ldap_uname = "uid"
ldap_email_add = "mail"
ldap_office = "l"
ldap_phone = "telephonenumber"
ldap_context = "dn"

Save your file after editing.

We then tried logging in using our LDAP accounts; however, it seems that OneOrZero cannot find our accounts, or rather LDAP cannot find the accounts passed to it by OneOrZero. So I looked at the LDAP log to see what the problem was. Sure enough, I found the culprit.

Jan 14 11:18:15 x2100 slapd[4044]: conn=5857 op=1 SRCH base="ou=Users,dc=mydomain,dc=com" scope=2 deref=0 filter="(uid=minime)"

No wonder LDAP cannot locate the user. Even though it is searching the right section of the LDAP tree, it doesn't know which entry to pick. Remember, we use our LDAP server to authenticate our Windows users via Samba as well. Heck, we even authenticate our SSH users via LDAP.

Another challenge!

How do I hack the filter in OneOrZero so that it works for my LDAP server? (GOD I LOVE THIS WORK!)
Simple: I have to locate the filter string deep in the bowels of OneOrZero's source code and insert my own filter, or manipulate it so that the resulting filter meets what my LDAP server really needs.

OK OK! Enough suspense, how did I do it? Simple.

Navigate to where you extracted OneOrZero (in my case /srv/www/onezero/common) and edit the file common.php. When you open the file, go to line 164. There you will find the $filter variable, which receives the value of the LDAP search attribute that was set in website_settings.php.

When you locate the $filter variable, comment the existing one, and replace it so that it looks like this:

// $filter = "($ldap_searchattr=$name)"; // This is the default filter string

$filter = "(&(objectClass=posixAccount)($ldap_searchattr=$name))"; // This is my new filter string to fit my LDAP server.

Save the file and do a test login. That’s it!
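As an added example (not OneOrZero's code), here is the same filter composition in Python, with the login name escaped per RFC 4515 before it is interpolated, so a name containing filter metacharacters still yields a single-user lookup. ldap_escape_filter and build_filter are names chosen here; the sample names are constructed.

```python
# Added example, not OneOrZero code: compose the slapd search filter from
# the post with the login name escaped per RFC 4515, so the filter keeps
# its shape whatever the user types into the login form.
from typing import Optional


def ldap_escape_filter(value: str) -> str:
    """Escape an assertion value per RFC 4515 section 3.

    Backslash, '*', '(', ')' and NUL are replaced by a backslash plus two
    hex digits, e.g. '*' becomes '\\2a'.
    """
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_filter(search_attr: str, name: str,
                 object_class: Optional[str] = "posixAccount") -> str:
    """Return the filter OneOrZero would send to slapd.

    object_class=None gives the default "(uid=NAME)" filter from common.php;
    the default "posixAccount" gives the narrowed filter from the post, which
    restricts the match to posixAccount entries under ldap_rootdn.
    """
    term = "(%s=%s)" % (search_attr, ldap_escape_filter(name))
    if object_class is None:
        return term
    return "(&(objectClass=%s)%s)" % (object_class, term)


if __name__ == "__main__":
    # Constructed sample names: the uid from the slapd log line above, and
    # one containing filter metacharacters to show the escaping.
    for name in ("minime", "mini*(me)"):
        print(build_filter("uid", name, None))
        print(build_filter("uid", name))
```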

If you still have trouble setting it up (which I doubt), feel free to look at the Administration guide at http://www.oneorzero.com/wiki/index.php?title=OneOrZero_Settings

Enjoy!



May 23, 2008

Add a Samba Domain User to Local XP Admin Group

Filed under: General OpenSource, Linux, Tips and Tricks - baudizm @ 4:35 pm

I’ve somehow finished implementing Samba as primary domain controller (PDC) with OpenLDAP working as authentication backend both running on top of SuSE Linux Enterprise Server. Workstations and users are being added properly into Samba and OpenLDAP and users are able to authenticate seamlessly. However, I just ran into a snag. Some users need to be Administrators in their own computer, while being common users in the domain.

It really is no sweat implementing Samba and OpenLDAP on SLES since it already includes both packages stabilized and ready to run. Novell engineers already did the grunt work of tweaking and hardening both packages plus with the help of YAST, I don’t have to use the smbldap tools to synchronize accounts on Samba and OpenLDAP. No sweat eh?

What I had trouble with was how to select only specific users from the Samba PDC/OpenLDAP and make them Administrators on their own machines. I looked for solutions; however, many of them did not fit what I wanted. So I decided to use KiXtart and CPAU instead.

In a nutshell, KiXtart replaces your standard batch-file logon script and gives you more flexibility and power than you normally get from batch files. CPAU, on the other hand, replaces the traditional Run As command on Windows. The main difference is that although Run As allows you to run a command as another user (or admin), it prompts you for that user's password, in the same way that you use su on Linux/Unix. CPAU allows you to specify the user and password inline, giving you more flexibility in your scripts.

So to add users to the local machine’s Administrators group, I put the KiXtart binary (WKiX32.exe) and CPAU.EXE in Samba’s NETLOGON folder and modified smb.conf to reflect the following:

logon script = logon.bat

In logon.bat, put the line:

%0\..\wkix32.exe %0\..\kixtart.kix

The next part does all the grunt work in identifying the user’s domain group, and checking if the user is a part of the local machine’s Administrators group.

kixtart.kix

Break on

$loffmsg = "Hello "+@USERID+CHR(10)+"This is your first time to logon to the domain."+CHR(10)+"Since @WKSTA is your own computer, you will be added immediately to the local"+CHR(10)+"Administrator group."+CHR(10)+"You will need to log on again afterwards."+CHR(10)+CHR(10)+"Username: "+@USERID+CHR(10)+"Host: "+@WKSTA+CHR(10)+"Group: "+@PRIMARYGROUP

; Check user domain group membership
IF INGROUP("Domain Admins")=1
    ; Check user local group membership
    IF INGROUP("\\"+@WKSTA+"\Administrators")
        ; Already a local administrator: do nothing.
        MessageBox("Hello "+@USERID,"Greetings!",,)
    ELSE
        ; Hide the console KiXtart is running on
        SETCONSOLE("HIDE")=1

        ; Run CPAU tool with admin priv to add user to local admin group
        MessageBox($loffmsg,"Reminder",64,)
        shell '\\MYPDC\netlogon\cpau -u administrator -p admin-password -ex "net localgroup Administrators /add DOMAIN\@USERID" -lwop'

        ; If there's an error, show it.
        IF @ERROR MessageBox(@ERROR+@USERID,"Error!") ENDIF

        ; Force the user to log off after being added so the change will take effect next log on.
        LogOff(1)
    ENDIF
ELSE
ENDIF

Further development
I'm still far from done with this little project. I still have to modify the script, or add some more subscripts, to check whether the local machine is the user's own machine. I will need to make sure the user is admin only on his own machine and on no other. And yes, you can also use KiXtart to modify the registry if you need to.

Security? You can compile your kixtart script into an EXE executable using the KiX2EXE tool.

I’m just glad that I get to make Windows XP machines play nicely with Samba and OpenLDAP.

Resources:
KiXtart Online Manual
KiX2EXE Tool Homepage



March 10, 2008

Postfix and Dovecot Authentication through LDAP to eDirectory LDAP

Filed under: Linux, Tips and Tricks, Netware - baudizm @ 10:16 pm

We have been using eDirectory for quite a while on Linux now and the time has come that a client would like to use eDirectory to authenticate other Linux services through LDAP to eDirectory. We have been tasked to integrate the authentication of Postfix, Dovecot, Squid, and SquirrelMail via LDAP to Novell’s eDirectory.

The approach that we have decided to use for Postfix was to do virtual email hosting, while letting Postfix pull user accounts from LDAP, and store the emails on virtual mailboxes in the Linux machine. Dovecot will also do a password lookup, while using a global user account on Linux that will have exclusive access to the “home” directory of virtual email users. Squid will do direct LDAP access via the squid_ldap_auth helper. SquirrelMail on the other hand will just pull off authentication via Dovecot.

I will only be providing the steps on how to authenticate Postfix and Dovecot to eDirectory via LDAP. In order to perform the following outlined steps, it will be helpful to already have Novell eDirectory/NDS running on one server. By default it listens on port 389 or 636; if you've modified the ports, make sure you take note of them for later use. Also on the eDirectory/NDS side, we will need one user that will act as a proxy user for LDAP lookups, though this can also be achieved by assigning [Public] as a Trustee with "browse" rights to the root of your tree (e.g. "o=your-context"). How to install eDirectory on Linux is beyond the scope of this article. Feel free to visit the Novell Documentation.

We have used SuSE Linux Enterprise Server 10 SP 1 to perform all of the steps. It doesn’t matter though which Linux distribution you’ll be using or if you’ll be accessing NDS on Netware, as long as the backend LDAP server will be eDirectory/NDS.

POSTFIX CONFIGURATION

A. main.cf
Postfix already comes with SLES10 SP1 built-in. It only requires a little tweaking to allow it to authenticate to eDirectory via LDAP. We will then throw in virtual email hosting configuration for good measure.

If you need to compile Postfix, configure and compile it as standard. However in the main.cf, we will be adding a couple of parameters to make Postfix work with LDAP. The following parameters are what we need. The rest not included here are standard Postfix configs, including restrictions and UCEs.

inet_protocols = all
inet_interfaces = all
biff = no
mail_spool_directory = /var/spool/mail
myhostname = your-server-hostname
mydomain = put-a-dummy-domain-here.
mydestination = localhost.$mydomain,localhost,$mydomain,$myhostname
mynetworks = 192.168.100.0/24 127.0.0.1
mynetworks_style = subnet

Modify myhostname and mynetworks to reflect your own settings. Put a dummy domain name in mydomain. We will put our real domain in the virtual_mailbox_domains parameter.


local_recipient_maps = ldap:/etc/postfix/ldap-user-auth.cf
local_transport = virtual
virtual_mailbox_domains = your-real-domain-here
virtual_mailbox_base = /var/spool/vmail
virtual_mailbox_maps = hash:/etc/postfix/virtual_mailboxes
virtual_minimum_uid = 106
virtual_uid_maps = static:106
virtual_gid_maps = static:12

local_recipient_maps points to our LDAP lookup configuration contained in ldap-user-auth.cf. virtual_mailbox_domains will have our real domain, since we will be using virtual email users that are pulled from eDirectory via LDAP later. virtual_mailbox_maps points to our hash file, which is a mapping of email addresses to their associated virtual mailboxes, relative to the directory set in virtual_mailbox_base.

virtual_uid_maps and virtual_gid_maps point to the only mail-related user in the entire SLES10 system: the global user that Postfix and Dovecot use to drop emails into the mailboxes of our virtual email users. The global user, in our case called "vmail", is assigned a uid of 106 and a gid of 12 (mail). It was created from the terminal by typing the following as root:

useradd -u 106 -g 12 -d /var/spool/vmail -s /bin/bash vmail

You will also need to create /var/spool/vmail and change ownership (chown) to vmail:mail.

smtpd_sasl_auth_enable = yes
smtpd_sasl_exceptions_networks = $mynetworks
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

Enable SASL authentication by setting smtpd_sasl_auth_enable = yes. We will be using Dovecot SASL therefore, we will need to set smtpd_sasl_type = dovecot and smtpd_sasl_path = private/auth.

B. ldap-user-auth.cf
Here are the things we need to put for LDAP authentication for Postfix.

server_host = your-LDAP-server-ip
search_base = o=context
version = 3
query_filter = (&(objectClass=Person)(uid=%s))
result_attribute = uid

bind = yes
# LDAP DNs separate components with commas, not the dotted NDS form
bind_dn = cn=ProxyLDAPUser,o=context
# password of the proxy user (placeholder)
bind_pw = proxy-user-password
scope = sub

C. virtual_mailboxes
Since Postfix will be looking for "real" users, we will need to map email addresses to actual directory locations for each user using the virtual_mailboxes mapping. Entries in the mapping take the form:

email address username/Maildir

Example:
user1@mydummydomain.com user1/Maildir
user2@mydummydomain.com user2/Maildir
:

Save the file, and generate the Postfix database by running postmap virtual_mailboxes in the terminal.
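As an added example (not from the post), a small Python generator for the virtual_mailboxes map: it emits one line per directory uid for the domain, lowercases the uid to match Dovecot's auth_username_format = %Lu, and refuses uids that would not stay inside virtual_mailbox_base; the uid list is constructed here, where in this setup it would come from the eDirectory LDAP search. It goes one step beyond the mapping above by ending each path with a slash, which virtual(8) requires to deliver in maildir format (the format the Dovecot mail_location later in this post expects).

```python
# Added example, not from the post: generate the Postfix virtual_mailboxes
# map for the virtual users of one domain. The uid list in __main__ is
# constructed; in the setup described it would come from eDirectory via LDAP.
import re
from typing import Iterable, List, Tuple

# A uid must be a single, plain path component: it becomes part of the
# Maildir path under virtual_mailbox_base, so slashes, "..", spaces and
# other odd characters are refused rather than written into the map.
SAFE_UID = re.compile(r"^[a-z0-9][a-z0-9._-]*$")


def mailbox_entry(uid: str, domain: str) -> str:
    """Return 'uid@domain uid/Maildir/' or raise ValueError.

    The uid is lowercased to match Dovecot's auth_username_format = %Lu, so
    Postfix delivers into the same Maildir Dovecot later opens. The trailing
    slash tells virtual(8) to deliver in maildir format; without it the
    message would be written as a single mbox file.
    """
    uid = uid.strip().lower()
    if not SAFE_UID.match(uid) or ".." in uid:
        raise ValueError("refusing unsafe uid: %r" % uid)
    return "%s@%s %s/Maildir/" % (uid, domain, uid)


def build_map(uids: Iterable[str], domain: str) -> Tuple[List[str], List[str]]:
    """Return (map_lines, rejected_uids) for the whole uid list."""
    lines, rejected = [], []
    for uid in uids:
        try:
            lines.append(mailbox_entry(uid, domain))
        except ValueError:
            rejected.append(uid)
    return lines, rejected


if __name__ == "__main__":
    sample_uids = ["user1", "User2", "../etc", "bad user"]  # constructed
    lines, rejected = build_map(sample_uids, "mydummydomain.com")
    print("\n".join(lines))  # write this to virtual_mailboxes, then run postmap
    for uid in rejected:
        print("rejected:", uid)
```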

DOVECOT CONFIGURATION (pertinent only)

A. dovecot.conf
Dovecot can be compiled off the bat with ./configure, followed by make and make install. However, since we will be letting Dovecot authenticate through LDAP, we need to compile it with LDAP support: run ./configure --with-ldap and proceed as usual.

Here are the pertinent parameters that we will need to declare in dovecot.conf to enable it to work with LDAP. The rest of the configs (not shown) are standard Dovecot config.

mail_location = maildir:/var/spool/vmail/%u/Maildir
first_valid_uid = 106
last_valid_uid = 106
auth_username_format = %Lu

auth default {
  mechanisms = plain login

  passdb ldap {
    args = /etc/dovecot/dovecot-ldap_passdb.conf
  }

  userdb static {
    args = uid=106 gid=12 home=/var/spool/vmail/%u
  }

  socket listen {
    master {
      path = /var/run/dovecot/auth-master
      mode = 0660
      user = vmail
      group = mail
    }

    client {
      path = /var/spool/postfix/private/auth
      mode = 0660
      user = postfix
      group = mail
    }
  }
}

B. dovecot-ldap_passdb.conf

hosts = LDAP-server-ip
base = o=context
ldap_version = 3
scope = subtree

# check the password by binding to LDAP as the user found by pass_filter
auth_bind = yes
pass_filter = (&(objectClass=Person)(uid=%u))

Replace LDAP-server-ip with the server ip of the eDirectory server. Replace o=context with your eDirectory context.

VALIDATING
Start Postfix by typing rcpostfix start and Dovecot by typing /usr/local/sbin/dovecot. You can then connect via telnet on ports 25, 143 and/or 110 to test Postfix and Dovecot. To test whether a user can authenticate to Dovecot, run:

telnet server-ip 143

You will then receive the server greeting. You can initiate authentication by sending:

1 login user password

If you receive an OK message, congratulations!

You can monitor Postfix by looking at /var/log/mail using the command tail -f /var/log/mail.

Feel free to post your questions and comments. Good Luck!



January 24, 2008

Manila and Baguio Trip

Filed under: Random Rambling - baudizm @ 10:49 pm

Whew, it certainly is a very busy week for me. Just this week, my trip to Manila and Baguio is confirmed. However, I’m not going for a vacation.

Despite the destination being a known vacation spot and all that, I'm not going to Baguio to relax. This coming January 29th I'm going to conduct a training for Philex Mining on how to deploy and use Novell ZENworks Desktop Management. For the whole week, I've been busy preparing training and discussion materials and doing simulations. There's nothing better than making sure that your material works every time you do the training. Sadly, as much as I wanted it to be, this training is not open source-related. However, there's a big chance I can swing them over to give Linux and open source a try. The one thing I appreciate about ZENworks, despite it being a proprietary product, is that it does install on top of Linux, either SLES or Red Hat.

It really is a full week for me. For one, we just finished checking the mail server of a big client. They've had issues with POP3 authentication. Turns out it's a DNS problem. All their machines point to external DNS servers owned by an ISP. Every time their Outlooks authenticate to their POP3 server, their workstations shoot the hostname requests to the ISP DNS. If the requests push through and are received by the POP3 server, it then shoots the reply back to the ISP DNS. No wonder their POP3 accesses are having timeouts. We've recommended having an internal DNS server, and they've already put it into their own development plan, which will be put into action by February. We've checked traffic from the internet to their mail server, and so far incoming mails are received and we can send mail through IMAP without any problems.

That very same ISP I was talking about is having problems with their network, and they are currently suffering from intermittent connections. It is also a mobile services carrier. Just last week, they had big problems with mobile phone signals, where calls and SMS were not going through.

For my trip, I'll be stopping by Manila for a day to take the Certified Linux Professional practicum exam. I'm hoping to be able to pass. The sad thing is that with my very hectic schedule, I did not find any time to do any review nor get the time to study thoroughly. It's anybody's guess whether I'll pass this or not. I'll give myself a 25% chance of passing. My regular daily schedule, by the way, is consumed by doing client visits, reviewing products from Novell and Alcatel-Lucent, doing product presentations, planning and doing SLES deployments and Alcatel-Lucent OmniPCX Office IP-PBX deployments, planning for technical demos, and, if a little time can be spared, keeping watch of the company mail server and proxy server. Yeah, it's quite a handful. But I get by somehow.

Before I go on the trip, I’ll be giving a talk about Linux at the Quantum and Information Technology Convention organized by Xavier Computer Enthusiasts League (XCEL) and the Ateneo Information Management Society (AIMS) of Xavier University. That’s going to be tomorrow January 25th (26th in the US).

Along with members of various Linux and opensource enthusiasts, I’ll be meeting with Ms. Yolynne Medina, Channel Consultant and Networking Staff for the International OpenSource Network (IOSN) on January 26th to talk about the current status of the local groups and their plans and directions. I’d be happy to help out in this arena.

On the 27th, after arrival in Manila if time permits, I’ll be meeting Greg Moreno and hopefully also Bobby Santiago of the Philippine Ruby Users Group. I just hope there’s going to be a Ruby meeting so I can also attend :) .

This week alone is quite tiring with all the things I need to do to resolve some pending work and prepare for the trip. Hopefully the training will go seamlessly so I can relax and enjoy the trip. I also hope that I'll have a little extra time later, should some Ubuntu Philippines guys like to meet up (hint, hint).

Enjoy!



November 27, 2005

The Ubuntu 5.10 Switch (Part 1)

Filed under: Hard and Soft - baudizm @ 3:59 pm

I finally made the switch to Ubuntu 5.10 "Breezy Badger" and ditched "Hoary Hedgehog". For starters, there were quite a few changes between Breezy and Hedgehog.

When I shifted, I didn't do it the "apt-get way", where one only needs to change "Hoary" to "Breezy" in the /etc/apt/sources.list declaration. I considered going that path to be time consuming and a bandwidth waster, especially since I only have a not so modest broadband link. Good thing a friend got hold of 5.10 ahead of me (sir botp already gave me a copy but I didn't try it; the one I got was the 5.10 distro set sent via snail mail/parcel).

So, off I went backing up some important files and bookmarks, and proceeded to do a complete re-install. I even used my ATI Radeon 9200 SE (which, by the way, had been gathering dust on the shelf) for this experiment. You might be asking why I didn't use the Radeon before, in Hoary. Well, the system hung when I used the Radeon on Hoary, and acceleration isn't a big issue for me, so I did not use it. But this time, since Breezy is new, I thought they might have fixed some bugs, so I decided to put the Radeon in.

Everything about the pre-install phase went smoothly as always, until the time the system had to reboot to complete the installation. I expected a login screen to appear, but lo and behold, nothing happened. All I saw was a light grey screen with my mouse cursor displayed at the center. I tried to move the mouse, and it responded. However, I pressed the NumLock key several times and got no response. Technicians know that if the NumLock indicator doesn't respond, chances are your system has already hung. Though this problem was new to me, I suspected the Radeon, or perhaps the driver (ati) that came with Breezy, might be the culprit. I remembered the problem I had with this card when I used it with Hoary, which caused me to ditch it in the first place.

What I did was reboot, press ESC while Grub was loading, and go into Recovery Mode. I logged in using my account and tried su root, but it kept telling me "Authentication Failed", so I fired up sudo passwd root, changed the password for root and poof!, I'm root. What I did next was update the driver for my Radeon. The default driver loaded was "ati" when I checked /etc/X11/xorg.conf.

Section "Device"
    Identifier "ATI Technologies, Inc. Radeon 9200 SE (RV280)"
    Driver "ati"
    BusID "PCI:1:0:0"
EndSection

Next, I did the following:

root@Ubuntu:/$ apt-get update
root@Ubuntu:/$ apt-cache search fglrx

apt-get update refreshes the package lists from the repositories declared in your /etc/apt/sources.list file.

apt-cache search fglrx searches for fglrx, which is the driver package for ATI video accelerators.

After identifying the packages I need for my distro, I did the rest:

root@Ubuntu:/$ apt-get install xorg-driver-fglrx
:
:
root@Ubuntu:/$ apt-get install fglrx-control
:
root@Ubuntu:/$ dpkg-reconfigure xserver-xorg

In short, I downloaded and installed xorg-driver-fglrx and fglrx-control, then used dpkg-reconfigure to select the newly installed driver for the graphics card and also change some settings for X.

That’s the only hardware problem I encountered so far. And I think that problem’s solved.

What I also found with the Breezy default install is that a lot of the icons are new; the Terminal is found under Accessories and not under System Tools; there is no Root Terminal in the System Tools menu, which leaves the user only the Terminal to use; and Serpentine Audio-CD Creator has been added to the Sound and Video menu. Another obvious change is that you can now add applications by clicking the "Add Applications" button in the Applications menu, which is what "Add/Remove Programs" in System Tools was in Hoary, and it now sits where "Run Application..." used to be. You can also edit the Applications menu with the Applications Menu Editor found in the System Tools menu, and choose your language with "Language Selector" in the System/Administration menu; "Disks" and "Add Application" are also newcomers in the System/Administration menu.

One last observation I have with Breezy default is that it now comes with OpenOffice.org 2.0 which is good news for me.

So far those are the only obvious changes I've observed in Breezy compared to Hoary. There are perhaps a lot of fixes under the hood, but I seldom venture that far. I have so many things to do besides tinkering under the hood. As long as Breezy keeps doing well, I'll be sticking with it.

As soon as I find some more oddities, new features, and problems with Breezy, I'll put them in Part II. But for now, let's just wait, see, and keep using Ubuntu.
