On another note, I got my 3rd FiOS bill – still running a credit. That’s $43 for 3.5 months of great service. Good luck competing with that, Optimum.

MAYBE!!!

Step 1: Build a list of hosts to monitor

For this I used an nmap ping test to generate a list of “up” hosts:

nmap -sP 10.0.0.0/24 -oG 10.0.0.0-255.255.255.0

This creates a list of IPs that are up in a format like this:


Host: 10.0.0.60 () Status: Up
Host: 10.0.0.61 () Status: Up
Host: 10.0.0.63 () Status: Up
Host: 10.0.0.64 () Status: Up
Host: 10.0.0.65 () Status: Up


Step 2: Parse out the IP address and run cfgmaker

Here’s the command I ran:

$ for i in `perl -ne 'chomp; next if $_ =~ /^#/; my @a = split(/ /); print "$a[1]\n";' 10.0.0.0-255.255.255.0`; do /usr/bin/cfgmaker --global 'LogFormat: rrdtool' --global 'WorkDir: /mrtg/data/mrtg' --global 'Options[_]: growright,bits' --global 'XSize[_]: 600' --global 'YSize[_]: 400' public@$i > /etc/mrtg/mrtg-$i ; done

This parses out the IP address from the input file and for each address, runs cfgmaker and puts the output in /etc/mrtg/mrtg-[ipaddress] .

Taking this a step further, I used gethostbyaddr to resolve the IPs to hostnames, so the MRTG files have the proper hostnames in them:

$ for i in `perl -MSocket -ne 'chomp; next if $_ =~ /^#/; my @a = split(/ /); my $ip = inet_aton($a[1]); my $host = gethostbyaddr($ip, AF_INET); print "$host\n";' 10.0.0.0-255.255.255.0`; do /usr/bin/cfgmaker --global 'LogFormat: rrdtool' --global 'WorkDir: /mrtg/data/mrtg' --global 'Options[_]: growright,bits' --global 'XSize[_]: 600' --global 'YSize[_]: 400' public@$i > /etc/mrtg/mrtg-$i ; done

Then all of the mrtg .cfg config files are in /etc/mrtg/, but who wants to put in all those cron entries to run each one? Not me. Simple fix?

cat /etc/mrtg/*.cfg > /etc/mrtg-all.cfg

Then you only have one cron entry.

That is all.

#!/usr/bin/perl
#
# Evan Hoffman (evanhoffman@evanhoffman.com)
# 13 January, 2010
#
# Base functionality from: http://search.cpan.org/~gbarr/perl-ldap/lib/Net/LDAP/FAQ.pod#..._in_MS_Active_Directory_?

print "Content-Type: text/html\n\n";

use Net::LDAP;
use Unicode::Map8;
use Unicode::String qw(utf16);
use MIME::Base64;
use CGI::Lite;

# build the conversion map from your local character set to Unicode
my $charmap = Unicode::Map8->new('latin1')  or  die;

my $host = 'ldaps://activedirectory.example.com';	

my $bind_dn = 'CN=ldapuser,OU=Utility,OU=Users,DC=example,DC=com';
my $bind_pw = 'secret';
my $base_dn = 'DC=example,DC=com';
my $search_filter = '(!(userAccountControl:1.2.840.113556.1.4.803:=2))';

my $ldap = Net::LDAP->new($host)  or  die "$@";

print '<html><title>Active Directory Password Changer $Id$</title><body>';

die "REMOTE_USER not set.\n" unless $ENV{'REMOTE_USER'};

unless ( $ENV{'HTTPS'} eq 'on' ) {
	print "<b>This script requires HTTPS.</b>\n";
	die;

}

print "Logged in as <b>$ENV{REMOTE_USER}</b>.  LDAP URI is <b>$host</b>.<br>\n";

$cgi = new CGI::Lite;

%form = $cgi->parse_form_data;

if ($form{'op'} eq 'submit') {
	my $user_dn = $form{'dn'};
	my $user_pw = $form{'oldpassword'};
	my $newpw1 = $form{'newpw1'};
	my $newpw2 = $form{'newpw2'};

	die 'Password mismatch.'  unless ( $newpw1 eq $newpw2 );
	die 'No DN specified.' unless $user_dn;

	print "Attempting to bind as <b>$user_dn</b> ... ";

	my $mesg = $ldap->bind($user_dn,
			password => $user_pw);
	if ($mesg->is_error) {
		my $err = "Error attempting to bind as $user_dn: ". $mesg->error;
		print "<pre>$err</pre>";
		die $err;
	}

	print " OK.<br>\n";

	my $oldUniPW = $charmap->tou('"'.$user_pw.'"')->byteswap()->utf16();
	my $newUniPW = $charmap->tou('"'.$newpw1.'"')->byteswap()->utf16();

	print "Attempting to modify password for <b>$user_dn</b> ... ";

	$mesg = $ldap->modify($user_dn,
			changes => [
			delete => [ unicodePwd => $oldUniPW ],
			add    => [ unicodePwd => $newUniPW ] ]);

	print "OK<br>\n";

#	$mesg->is_error && die ('Modify error: '. $mesg->error);
	if ($mesg->is_error) {
		my $err = 'Modify error: '. $mesg->error;
		print "<pre>$err</pre>\n";
		die $err;
	}

	$ldap->unbind();
	print "<blink>VICTORY!!</blink> Successfully changed password for user $ENV{REMOTE_USER}, DN <b>$user_dn</b>, msg ID: ".$mesg->mesg_id ."\n";

} else {

# bind as dummy to lookup the user's DN
	my $mesg = $ldap->bind($bind_dn, password => $bind_pw );
	$mesg->is_error && die ('Bind error: '. $mesg->error);

	$mesg = $ldap->search(
			base => $base_dn,
			scope => 'sub',
			attrs => ['dn','cn','mail'],
			filter => "(&(samaccountname=$ENV{REMOTE_USER})$search_filter)"
			);
	$mesg->is_error && die ( 'Search failed: '. $mesg->error );

	$mesg->count || die ("Search for user '$ENV{REMOTE_USER}' returned no results.");

	my $entry = $mesg->entry( 0 );

	$ldap->unbind();

	print "LDAP DN for user '$ENV{REMOTE_USER}': <b>".$entry->dn.'</b>';

	print "<form action='$ENV{REQUEST_URI}' METHOD='POST'>\n";
	print "<input type='hidden' name='op' value='submit'>\n";
	print "<input type='hidden' name='dn' value='".$entry->dn."'>\n";

	print "<table border='0'>\n";
	print "<tr><td>Current password for <b>$ENV{REMOTE_USER}</b>:</td><td><input type='password' name='oldpassword' size='30'></td></tr>\n";
	print "<tr><td>New password for <b>$ENV{REMOTE_USER}</b>:</td><td><input type='password' name='newpw1' size='30'></td></tr>\n";
	print "<tr><td>New password for <b>$ENV{REMOTE_USER}</b> <i>again</i>:</td><td><input type='password' name='newpw2' size='30'></td></tr>\n";
	print "<tr><td colspan='2'><input type='submit' name='submit' value='Change Password'><input type='reset' value='Reset Form'></td></tr>\n";
	print "</form>\n";
	print "</table>\n";

}

print '</body></html>';

With that piece of the puzzle largely solved, I moved on to another: how will users change their passwords (which are all stored in Active Directory)? For users running Windows this is pretty trivial — they can do it right in Windows when they’re logged into the domain. But what about Linux users? I figured the easiest thing to do would be to make a web form to do this. The user would login (with the http/LDAP auth I previously setup) and the form would ask for their password (twice) and update it in Active Directory. Sounds pretty simple to me. I think if this were OpenLDAP it probably would be, but being AD, it’s not.

I’d already spent an hour or two writing the script (in PHP) when I was able to test its basic functionality. What I got was this:

Warning: ldap_mod_replace() [function.ldap-mod-replace]: Modify: Insufficient access in /home/evan/public_html/authtest/index.php

After some hair pulling I realized that I was binding with my “dummy” user when attempting to change the password. I figured the solution would be to re-bind as the user whose password I was attempting to change, which is what I did. I verified that the new bind worked, but I still couldn’t change the password. I decided to fall back to command line and started issuing some ldapmodify commands to see what I could and couldn’t do as the user. For whatever reason, it appears that even though the user CAN change his password in AD (the “user cannot change password” setting is NOT selected — I checked), the user cannot change his password through LDAP.


$ ldapmodify -vv -x -d8 -D "CN=Boba Fett,OU=Utility,OU=Users,DC=example,DC=com" -w secret -H ldaps://activedirectory.example.com -f bfett.ldif
ldap_initialize( ldaps://activedirectory.example.com )
TLS certificate verification: Error, unable to get local issuer certificate
request done: ld 0x9dd86e8 msgid 1
replace unicodePwd:
"
modifying entry "CN=Boba Fett,OU=Utility,OU=Users,DC=example,DC=com"
modify complete
request done: ld 0x9dd86e8 msgid 2
ldapmodify: Insufficient access (50)
additional info: 00000005: SecErr: DSID-031A0F44, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0


I Googled for the error code – DSID-031A0F44 – and found a couple of threads about people with the same problem, but no solutions.

The LDIF file I fed in looks like this:


dn: CN=Boba Fett,OU=Utility,OU=Users,DC=example,DC=com
changetype: modify
replace: unicodePwd
unicodePwd::IgBhAGIAYwBkAGUAZgBnAGgAIgA=
-


When I run the same command with my own DN/password for binding it works fine (though I did discover that you can assign multiple values to unicodePwd, meaning that, until I fixed it, the test user had two valid passwords, which seems like a bug on Microsoft’s part), I assume because I’m a domain admin. An “easy” out would be simply to have the script bind as a domain admin, but that means I’d be hardcoding a Domain Admin password in the script, which I’m against. I’ll have to put some more thought into this. Maybe Linux users will just have to log in to a Windows workstation to change their passwords. That’s not ideal, but it does already work.

Grr…

In your .htaccess file:

AuthBasicProvider ldap
AuthType basic
AuthName "AD LDAP Test"
AuthLDAPURL     "ldap://activedirectory.example.com/OU=Users,DC=example,DC=com?sAMAccountName?sub?(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
AuthzLDAPAuthoritative On
AuthLDAPGroupAttribute member
AuthLDAPBindDN ldapuser@example.com
AuthLDAPBindPassword password
Require ldap-group CN=Sysadmins,OU=Internal Groups,OU=Groups,DC=example,DC=com

The key here is this LDAP filter: (!(userAccountControl:1.2.840.113556.1.4.803:=2)). This is the bitwise “AND” of the userAccountControl field and the decimal number 2, which is Microsoft’s value for “account is disabled.” The codes are listed here: http://support.microsoft.com/kb/305144

In httpd.conf (or some other server config file – I did it in /etc/httpd/conf.d/mod_authz_ldap.conf inside the section), add this directive:

LDAPOpCacheEntries 0

This tells Apache not to cache the results of the LDAP op. If you don’t put this in there, the server will cache the result of the user’s login for whatever the TTL is, and the user will be able to login even after you disable the account (until the cache expires). There may be other ways around this issue, but this works for me.

This works pretty well so far. Now I can create a “SVN Users” group in Active Directory, put the people I want in that group, use the above method for authentication and everyone’s SVN login will be the same as their domain login. Single sign-on one step closer. Yay!