Archive for the ‘ubuntu’ Category

Configuring shared network with DHCP

Monday, August 20th, 2012

Say you have a DHCP server on the LAN serving a /24 network and one day you run out of IP addresses. You want to add a second /24 network that is handed out on the same LAN, i.e. in the same broadcast domain. Ugly, but what to do.

According to man dhcpd.conf:

The shared-network statement is used to inform the DHCP server that some IP subnets actually share the same physical network. Any subnets in a shared network should be declared within a shared-network statement. Parameters specified in the shared-network statement will be used when booting clients on those subnets unless parameters provided at the subnet or host level override them. If any subnet in a shared network has addresses available for dynamic allocation, those addresses are collected into a common pool for that shared network and assigned to clients as needed. There is no way to distinguish on which subnet of a shared network a client should boot.

Here is how you add the additional network to the DHCP scope. Done on Ubuntu 9.10 (karmic) with ISC DHCP 3.1.2.

    shared-network "officea01" {
      option domain-name "officea01.domain.org";
      option domain-name-servers 192.168.1.1;
      subnet 192.168.1.0 netmask 255.255.255.0 {
        authoritative;
        option routers 192.168.1.1;
        allow unknown-clients;
        range 192.168.1.10 192.168.1.254;
      }
      subnet 192.168.2.0 netmask 255.255.255.0 {
        authoritative;
        # NOTE: 192.168.1.1 is outside this subnet. Most clients refuse a default
        # gateway that is not on their own link, so the router also needs an address
        # in 192.168.2.0/24 (the 192.168.2.1 alias added below, if this host is the
        # gateway) and that address is what belongs here.
        option routers 192.168.1.1;
        allow unknown-clients;
        range 192.168.2.10 192.168.2.254;
      }
    }

The step below is not strictly necessary; I added an alias on the LAN interface anyway so that the server has an address in 192.168.2.0/24 and I can see those hosts in its ARP table.

    ifconfig eth1:0 192.168.2.1 netmask 255.255.255.0 up

And to make it permanent edit /etc/network/interfaces:

    auto eth1:0
    iface eth1:0 inet static
        address 192.168.2.1
        netmask 255.255.255.0
        broadcast 192.168.2.255
        network 192.168.2.0
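The shared-network declaration above is easy to get subtly wrong (a gateway or range outside its subnet, overlapping subnets, a range that includes the network or broadcast address), and dhcpd does not always refuse such a config. The following Python script is an added example, not part of the post or of ISC DHCP: it extracts every subnet block from a dhcpd.conf fragment and runs those checks. The config embedded in it is the one from the post; FIXED_CONF is a constructed variant with the second gateway moved onto its own subnet.

```python
"""Sanity checks for ISC dhcpd subnet declarations (added example, not from the post)."""
import ipaddress
import re

# The shared-network block from the post, used here as the input under test.
DHCPD_CONF = """\
shared-network "officea01" {
  option domain-name "officea01.domain.org";
  option domain-name-servers 192.168.1.1;
  subnet 192.168.1.0 netmask 255.255.255.0 {
    authoritative;
    option routers 192.168.1.1;
    allow unknown-clients;
    range 192.168.1.10 192.168.1.254;
  }
  subnet 192.168.2.0 netmask 255.255.255.0 {
    authoritative;
    option routers 192.168.1.1;
    allow unknown-clients;
    range 192.168.2.10 192.168.2.254;
  }
}
"""

# Constructed variant: the last "option routers" (the 192.168.2.0/24 subnet) moved onto its subnet.
_head, _sep, _tail = DHCPD_CONF.rpartition("option routers 192.168.1.1;")
FIXED_CONF = _head + "option routers 192.168.2.1;" + _tail

SUBNET_HDR = re.compile(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{")
ROUTERS = re.compile(r"option\s+routers\s+([^;]+);")
RANGE = re.compile(r"\brange\s+(?:dynamic-bootp\s+)?(\d[\d.]*)(?:\s+(\d[\d.]*))?\s*;")


def _block(conf, start):
    """Text between the '{' at conf[start] and its matching '}' (nested pool/host blocks are fine)."""
    depth = 0
    for j in range(start, len(conf)):
        if conf[j] == "{":
            depth += 1
        elif conf[j] == "}":
            depth -= 1
            if depth == 0:
                return conf[start + 1:j]
    raise ValueError("unbalanced braces in dhcpd.conf fragment")


def parse_subnets(conf):
    """Return [(network, [router addresses], [(range_lo, range_hi)]), ...] per subnet declaration."""
    subnets = []
    for m in SUBNET_HDR.finditer(conf):
        body = _block(conf, m.end() - 1)            # m.end()-1 is the '{' of this header
        net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
        routers = [ipaddress.ip_address(r.strip())
                   for s in ROUTERS.findall(body) for r in s.split(",")]
        ranges = [(ipaddress.ip_address(lo), ipaddress.ip_address(hi or lo))
                  for lo, hi in RANGE.findall(body)]
        subnets.append((net, routers, ranges))
    return subnets


def check(conf):
    """Return human-readable problems; an empty list means the fragment looks sane."""
    problems = []
    subnets = parse_subnets(conf)
    for i, (net, routers, ranges) in enumerate(subnets):
        for other, _, _ in subnets[:i]:
            if net.overlaps(other):
                problems.append(f"{net} overlaps {other}")
        if not routers:
            problems.append(f"{net}: no option routers (clients get no default gateway)")
        for r in routers:
            # Most DHCP clients reject a default gateway that is not on their own subnet.
            if r not in net:
                problems.append(f"{net}: option routers {r} is not inside the subnet")
        for lo, hi in ranges:
            if lo > hi:
                problems.append(f"{net}: range {lo}-{hi} has its bounds reversed")
            elif lo not in net or hi not in net:
                problems.append(f"{net}: range {lo}-{hi} is not inside the subnet")
            elif lo == net.network_address or hi == net.broadcast_address:
                problems.append(f"{net}: range {lo}-{hi} hands out the network or broadcast address")
            if any(lo <= r <= hi for r in routers):
                problems.append(f"{net}: range {lo}-{hi} includes the router address")
    return problems


if __name__ == "__main__":
    for name, conf in (("post", DHCPD_CONF), ("fixed", FIXED_CONF)):
        print(name, check(conf) or "ok")
```

Run against the post's config it reports exactly one finding, the off-subnet gateway for 192.168.2.0/24; the fixed variant passes. The brace scanner means pool or host blocks nested inside a subnet do not confuse the parser, but the script does not try to understand include files or the full dhcpd grammar.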

LDAP replication with syncrepl

Wednesday, July 25th, 2012

Say you want to benefit from LDAP replication, so that one OpenLDAP server acts as the Provider (a.k.a. master) and another one as the Consumer (a.k.a. slave).

Here is what you configure on the Provider. In my case it's Ubuntu 10.04.2 LTS (lucid) and OpenLDAP 2.4.21. I'm using the old-school slapd.conf on both servers:

    # needs a matching modulepath directive earlier in slapd.conf
    moduleload syncprov

    # enable the syncprov overlay on the replicated database; an
    # "index entryCSN,entryUUID eq" on that database is recommended,
    # sync searches are slow without it
    overlay syncprov
    # write a contextCSN checkpoint every 100 operations or 10 minutes
    syncprov-checkpoint 100 10
    # remember the last 100 writes so a briefly disconnected consumer
    # can catch up without a full refresh
    syncprov-sessionlog 100

And the Consumer part of slapd.conf, on Ubuntu 12.04 LTS (precise) with OpenLDAP 2.4.28:

    # tls_reqcert=never means the provider's certificate is NOT verified, so this
    # LDAPS session (and the replication password) can be intercepted; in production
    # use tls_reqcert=demand together with tls_cacert=<CA file>.
    # binddn needs read access to everything under searchbase on the provider.
    # interval only applies to type=refreshOnly and is ignored with refreshAndPersist,
    # where the provider pushes changes as they happen.
    syncrepl rid=001
            provider=ldaps://ldaps.domain.org:636
            tls_reqcert=never
            searchbase="dc=domain,dc=org"
            filter="(objectClass=*)"
            bindmethod=simple
            binddn="cn=admin,dc=domain,dc=org"
            credentials=xxxxxxx
            retry="60 +"
            type=refreshAndPersist
            scope=sub
            attrs="*,+"
            schemachecking=off
            interval=00:00:05:00

SharePoint 2010 with OpenLDAP authentication

Wednesday, July 18th, 2012

A relevant piece from web.config that worked for me, letting SharePoint 2010 authenticate against OpenLDAP. OpenLDAP runs on Ubuntu 10.04.2 LTS (lucid), OpenLDAP 2.4.21 (installed from packages).

    <membership>
      <providers>
        <!-- LDAPS bind as the search agent. connectionPassword sits here in clear text,
             so keep web.config readable only by the accounts that need it. -->
        <add name="membership"
          type="Microsoft.Office.Server.Security.LDAPMembershipProvider,Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral,PublicKeyToken=71e9bce111e9429c"
          server="ldaps.domain.org"
          port="636"
          useSSL="true"
          connectionUsername="cn=agentname,ou=Agents,dc=domain,dc=org"
          connectionPassword="xxxxxxxxx"
          useDNAttribute="false"
          userNameAttribute="uid"
          userContainer="ou=People,dc=domain,dc=org"
          userObjectClass="person"
          userFilter="(objectClass=person)"
          scope="Subtree"
          otherRequiredUserAttributes="uid,cn" />
      </providers>
    </membership>

Three points to mention:

1. As you can see I'm using SSL. Make sure the CA certificate that issued the LDAP server's certificate is imported into the SharePoint machine's certificate store through mmc; otherwise the LDAPS connection fails at certificate validation.

2. agentname is allowed to search 'ou=People,dc=domain,dc=org'. In ACL language (ACLs are first-match, so this directive must come before any catch-all):

    # Anchored regex: only entries directly under ou=Agents match. The unanchored
    # form cn=(.*),ou=Agents,... also matched entries below an agent entry, since
    # dn.regex is a search, not a full match. dn.onelevel="ou=Agents,dc=domain,dc=org"
    # is the equivalent non-regex selector.
    # "by * none" also denies users read access to their own entries, and binds only
    # work if an earlier "access to attrs=userPassword ... by anonymous auth" exists.
    access to dn.subtree="ou=People,dc=domain,dc=org"
        by dn.regex="^cn=[^,]+,ou=Agents,dc=domain,dc=org$" read
        by * none

3. I had to enable 'allow bind_v2' in slapd.conf so that agentname could query OpenLDAP; otherwise I was getting 'historical protocol version requested, use LDAPv3 instead'. Note that allow bind_v2 is a global switch: it accepts LDAPv2 binds from every client, not just from the SharePoint agent.
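The two things that bite people with slapd ACLs like the one in point 2 are the first-match evaluation (the first "access to" whose target matches is the only one consulted, and inside it the first matching "by" decides) and dn.regex being a regex search rather than a full match. The Python below is an added example, not from the post or from OpenLDAP: it models just enough of that evaluation to show what the agent, an anonymous bind, a user and an entry nested below an agent get with the anchored pattern versus the post's original one. The userPassword rule and the user DN uid=bob are assumptions for the demonstration; the post shows neither.

```python
"""Tiny model of slapd access-control evaluation (added example, not from the post or OpenLDAP)."""
import re

# slapd access levels, weakest to strongest: granting one implies all weaker ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def norm(dn):
    """Crude DN normalisation (lower-case, no blanks around commas). slapd matches ACLs
    against fully normalised DNs; this is enough for the plain DNs used here."""
    return ",".join(p.strip() for p in dn.split(",")).lower()


def is_under(dn, base):
    dn, base = norm(dn), norm(base)
    return dn == base or dn.endswith("," + base)


def who_matches(who, requester, target):
    """One <who> of a 'by' clause. requester is the bound DN, '' for anonymous."""
    kind, _, arg = who.partition("=")
    if who == "*":
        return True
    if who == "anonymous":
        return requester == ""
    if who == "users":
        return requester != ""
    if who == "self":
        return requester != "" and norm(requester) == norm(target)
    if kind == "dn.exact":
        return norm(requester) == norm(arg)
    if kind == "dn.subtree":
        return requester != "" and is_under(requester, arg)
    if kind == "dn.onelevel":
        r, base = norm(requester), norm(arg)
        return r.endswith("," + base) and "," not in r[: -len(base) - 1]
    if kind == "dn.regex":
        # slapd compiles the pattern with REG_EXTENDED|REG_ICASE and calls regexec(), a
        # search rather than a full match: without ^ and $ it matches anywhere in the DN.
        return re.search(arg, norm(requester), re.IGNORECASE) is not None
    raise ValueError(f"unsupported <who>: {who}")


def what_matches(what, target, attr):
    """<what> as a dict with optional 'dn.subtree' and 'attrs'; attr=None is entry-level access."""
    if "dn.subtree" in what and not is_under(target, what["dn.subtree"]):
        return False
    if "attrs" in what and (attr is None or attr.lower() not in map(str.lower, what["attrs"])):
        return False
    return True


def access_level(acls, requester, target, attr=None):
    """First 'access to' whose <what> matches is the only one consulted; inside it the first
    matching 'by' decides and an exhausted 'by' list means none. If no directive matches at
    all, slapd falls back to its built-in default 'access to * by * read'."""
    for what, by in acls:
        if what_matches(what, target, attr):
            for who, level in by:
                if who_matches(who, requester, target):
                    return level
            return "none"
    return "read"


def grants(acls, requester, target, attr, needed):
    return LEVELS.index(access_level(acls, requester, target, attr)) >= LEVELS.index(needed)


POST_PATTERN = "dn.regex=cn=(.*),ou=Agents,dc=domain,dc=org"        # the post's selector
SAFE_PATTERN = "dn.regex=^cn=[^,]+,ou=Agents,dc=domain,dc=org$"    # anchored, one RDN only


def build_acls(agent_selector):
    """ACL set for the post's scenario. The userPassword rule is an ASSUMPTION (the post does
    not show it), but without it no user under ou=People could bind; the final catch-all
    makes the default explicit instead of relying on slapd's built-in read."""
    return [
        ({"attrs": ["userPassword"]}, [("anonymous", "auth"), ("self", "write"), ("*", "none")]),
        ({"dn.subtree": "ou=People,dc=domain,dc=org"}, [(agent_selector, "read"), ("*", "none")]),
        ({}, [("*", "none")]),
    ]


ACLS = build_acls(SAFE_PATTERN)
LOOSE_ACLS = build_acls(POST_PATTERN)
AGENT = "cn=agentname,ou=Agents,dc=domain,dc=org"
BOB = "uid=bob,ou=People,dc=domain,dc=org"          # assumed user entry
NESTED = "uid=x," + AGENT                            # an entry created below the agent

if __name__ == "__main__":
    for who in (AGENT, BOB, NESTED, ""):
        print(f"{who or 'anonymous':50} cn -> {access_level(ACLS, who, BOB, 'cn'):5} "
              f"(post pattern: {access_level(LOOSE_ACLS, who, BOB, 'cn')})")
```

With the anchored selector only the agent gets read on the People subtree; Bob cannot read his own cn (the "by * none" has no "by self read" before it), anonymous gets exactly auth on userPassword so binds still work, and the entry below the agent gets nothing. Swap in the post's pattern and that nested entry reads the whole People subtree too, which is the over-match the anchoring removes. The rootdn bypasses ACLs entirely and is not modelled.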

All in all it was a hell of an exercise!

LDAP authentication with Squid

Wednesday, December 14th, 2011

A snippet from squid.conf allowing LDAP authentication during Mon-Fri business hours. Done on Ubuntu 10.04.2 (lucid) with Squid 2.7.STABLE7.

    # Configure LDAP auth helper.
    # NOTE: -h alone connects to port 389 without TLS, so user passwords cross the wire in
    # clear text; use -H ldaps://ldaps.domain.org (or -Z for StartTLS) instead.
    auth_param basic program /usr/lib/squid/ldap_auth -v 3 -b "ou=Int,ou=People,dc=domain,dc=org" -u "uid" -h ldaps.domain.org
    acl ldapauth proxy_auth REQUIRED

    acl int-lan src 192.168.11.0/24
    # Lines sharing an ACL name are ORed: business hours = morning OR afternoon
    acl business time M T W H F 08:30-12:30
    acl business time M T W H F 13:30-17:30

    # ACLs on one http_access line are ANDed, so "daytime evening" on a single line
    # could never match (no minute lies in both windows); use the ORed ACL instead
    http_access allow ldapauth int-lan business
    http_access deny all
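Squid's rule semantics are the whole story here: several ACLs on one http_access line are ANDed, several acl lines with the same name are ORed, the first http_access line that matches wins, and when nothing matches the default is the opposite of the last line. The Python below is an added example (not from the post or from Squid) that models exactly those four rules and runs the post's original lines and the corrected version against a few requests; the request timestamps, client address and user name are constructed for the demonstration.

```python
"""Model of how Squid evaluates acl / http_access lines (added example, not from the post)."""
import ipaddress
from datetime import datetime

# Squid day letters: S=Sun M=Mon T=Tue W=Wed H=Thu F=Fri A=Sat, mapped to datetime.weekday().
DAY = {"S": 6, "M": 0, "T": 1, "W": 2, "H": 3, "F": 4, "A": 5}


def _minutes(hhmm):
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)


def parse_config(text):
    """Collect ACL definitions (same-named lines are ORed) and http_access lines, in order."""
    acls, rules = {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            name, kind, args = parts[1], parts[2], parts[3:]
            if kind == "time":
                days, window = set(), (0, 24 * 60 - 1)       # no range given: whole day
                for tok in args:
                    if "-" in tok:
                        a, b = tok.split("-")
                        window = (_minutes(a), _minutes(b))
                    else:
                        days |= {DAY[c] for c in tok}
                entry = (days or set(range(7)), window)
            elif kind == "src":
                entry = [ipaddress.ip_network("0.0.0.0/0" if a == "all" else a) for a in args]
            elif kind == "proxy_auth":
                entry = args                                   # REQUIRED or a user list
            else:
                raise ValueError(f"unsupported acl type {kind}")
            acls.setdefault(name, (kind, []))[1].append(entry)
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules


def acl_matches(acls, name, req):
    negate = name.startswith("!")
    kind, entries = acls[name.lstrip("!")]
    if kind == "time":
        wd = req["when"].weekday()
        minute = req["when"].hour * 60 + req["when"].minute
        hit = any(wd in days and lo <= minute <= hi for days, (lo, hi) in entries)
    elif kind == "src":
        ip = ipaddress.ip_address(req["src"])
        hit = any(ip in net for entry in entries for net in entry)
    else:  # proxy_auth: a request without valid credentials can never satisfy it (Squid answers 407)
        user = req.get("user")
        hit = user is not None and any(args == ["REQUIRED"] or user in args for args in entries)
    return hit != negate


def decide(text, req):
    """First http_access line whose ACLs ALL match decides; with no match Squid applies the
    opposite of the last line's action."""
    acls, rules = parse_config(text)
    for action, names in rules:
        if all(acl_matches(acls, n, req) for n in names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


# The post's lines, plus the proxy_auth ACL its snippet omits (Squid refuses to start without it).
ORIGINAL = """
acl ldapauth proxy_auth REQUIRED
acl int-lan src 192.168.11.0/24
acl daytime time M T W H F 08:30-12:30
acl evening time M T W H F 13:30-17:30
http_access allow ldapauth int-lan daytime evening
"""

# Corrected: one ORed ACL covering both windows, and an explicit final deny.
FIXED = """
acl ldapauth proxy_auth REQUIRED
acl all src all
acl int-lan src 192.168.11.0/24
acl business time M T W H F 08:30-12:30
acl business time M T W H F 13:30-17:30
http_access allow ldapauth int-lan business
http_access deny all
"""


def request(hour, minute, src="192.168.11.7", user="bob", day=14):
    """Constructed request on Wednesday 2011-12-14 (the post's date) unless another day is given."""
    return {"when": datetime(2011, 12, day, hour, minute), "src": src, "user": user}


if __name__ == "__main__":
    for h in (10, 13, 15):
        print(f"{h:02}:00  original={decide(ORIGINAL, request(h, 0))}  fixed={decide(FIXED, request(h, 0))}")
```

The original line never allows anything: at 10:00 "evening" is false, at 15:00 "daytime" is false, and since the only line is an allow the fallback is deny. The corrected config allows an authenticated LAN client in either window, and denies over lunch, on a Saturday, without credentials, or from outside 192.168.11.0/24.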

fprobe with ipsec running

Tuesday, August 30th, 2011

We use fprobe to collect and send NetFlow data to our NetFlow collector at HQ. The collector is configured with a private IP (192.168.11.252) and the NetFlow traffic is supposed to go through an IPsec tunnel.

Here is the issue: once the remote site is restarted, no flows are received any more. The IPsec tunnel is up and we can reach the remote server without any problems. The fprobe daemon is up and running as well, and we can ping the NetFlow collector's IP. Everything looks normal, yet no flows arrive.

    netstat -an | grep 5067
    udp        0      0 10.8.81.1:53264         192.168.11.252:5067        ESTABLISHED

There is one thing worth mentioning: once the remote server is up and I restart the fprobe daemon, we start getting flows again, until the next system restart. That led me to the question of service boot order in Ubuntu. fprobe is obviously started before ipsec; what if that is the cause? It turned out to be exactly that: moving fprobe so that it is started as the last service fixed the whole thing. Here is how you change the service boot order in Ubuntu:

    # drop the existing rc?.d links (-f: even though the init script still exists)
    update-rc.d -f fprobe remove
    # re-create them with sequence number 99 in every runlevel
    update-rc.d fprobe defaults 99

This re-creates fprobe's links in all runlevels with sequence number 99, i.e. it is started last; "defaults NN" uses NN for both the start and the stop link, while "defaults 99 01" would start it last and stop it first. On releases that use dependency-based boot (insserv) or systemd the number is ignored and the ordering has to be expressed in the init script's LSB header (Required-Start) instead.

I think starting fprobe right after ipsec would probably be enough; to be on the safe side, I start fprobe as the last service.

Forwarding outgoing http requests to another server

Sunday, August 7th, 2011

In this article I'll show an iptables rule that forwards outgoing HTTP requests from one server to another. Both servers are single-homed, in the same subnet, and run Ubuntu with iptables. In my case I needed to reroute outgoing HTTP requests from one server to a server running Squid.

On the net you'll find plenty of articles for dual-homed servers (read: gateways) on how to forward incoming traffic to internal servers, how to redirect a local port to another local port on the same server, how to do transparent proxying and so on. My case is trivial: all outgoing HTTP requests should be forwarded to the server running Squid in transparent mode. Nothing else needs to be rewritten or changed in terms of source, destination or port.

    # the nat OUTPUT chain only sees packets generated on this host; DNAT rewrites their destination
    iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination 1.2.3.4:3128

where 1.2.3.4 is the server running Squid and 3128 is the port it’s listening on.

On the server running Squid make sure it's in transparent mode:

    grep transparent /etc/squid/squid.conf
    http_port 3128 transparent

I didn't realize OUTPUT could be used with DNAT, but it works: the nat table's OUTPUT chain exists precisely for rewriting locally generated packets. One caveat: because the DNAT happens on the client host, Squid has no local NAT table entry from which to recover the original destination and works from the Host header of the request instead. Only port 80 is redirected, so HTTPS goes straight out.

LDAP authentication with Apache

Monday, January 10th, 2011

A snippet from httpd.conf allowing LDAP authentication. Done on Ubuntu.

    # mod_ldap verifies the LDAPS server certificate by default (LDAPVerifyServerCert On),
    # so the issuing CA has to be configured in server context, e.g. (path is an example):
    #   LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/ldap-ca.pem
    AuthType Basic
    AuthBasicProvider ldap
    AuthName "LDAP Secure Area"
    # look users up by uid under ou=Internal,ou=People
    AuthLDAPURL ldaps://ldaps.domain.org/ou=Internal,ou=People,dc=domain,dc=org?uid
    # search account; the password is in clear text, keep this file readable by root only
    AuthLDAPBindDN "cn=username,ou=People,dc=domain,dc=org"
    AuthLDAPBindPassword XXXXXXXX
    AuthLDAPCompareDNOnServer On
    AuthzLDAPAuthoritative off
    Require valid-user

Selective NAT with iptables

Thursday, January 6th, 2011

Here is a quick note on how to exclude one particular network from NAT while everything else stays NATed. Done on Ubuntu with iptables.

    # masquerade everything leaving eth0 except traffic destined for 10.0.0.0/8
    iptables -t nat -A POSTROUTING -o eth0 ! -d 10.0.0.0/8 -j MASQUERADE

In case you need one more network excluded ("! -d" takes a single prefix, so additional exclusions go in front as RETURN rules):

    # order matters: the chain is walked top-down and RETURN leaves it without NAT,
    # so every exclusion must come before the MASQUERADE rule
    iptables -t nat -A POSTROUTING -o eth0 -d 192.168.0.0/16 -j RETURN
    iptables -t nat -A POSTROUTING -o eth0 ! -d 10.0.0.0/8 -j MASQUERADE
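Generalising the two rules above: one exclusion fits in a "! -d" negation, but with several the clean form is one RETURN rule per excluded prefix followed by an unconditional MASQUERADE, and it only works if the RETURN rules come first. The Python below is an added example (not from the post or from netfilter): it emits the iptables lines for a list of exclusions and walks a packet through the resulting nat POSTROUTING chain the way the kernel does, first terminating match wins, so the effect of getting the order wrong can be checked without touching a live box. The destination addresses it is tested with are constructed.

```python
"""Generate and simulate 'masquerade everything except these networks' nat rules
(added example, not from the post)."""
import ipaddress

# A rule is (out_if, negate, network or None for "match everything", target).


def build_rules(exclude_prefixes, out_if="eth0"):
    """One exclusion -> the '! -d' form from the post; several -> RETURN rules placed BEFORE an
    unconditional MASQUERADE, because a RETURN in nat POSTROUTING ends traversal without NAT."""
    nets = [ipaddress.ip_network(p) for p in exclude_prefixes]
    if len(nets) == 1:
        return [(out_if, True, nets[0], "MASQUERADE")]
    return [(out_if, False, n, "RETURN") for n in nets] + [(out_if, False, None, "MASQUERADE")]


def render(rule):
    """The iptables command line for one rule."""
    out_if, negate, net, target = rule
    match = "" if net is None else f" {'! ' if negate else ''}-d {net}"
    return f"iptables -t nat -A POSTROUTING -o {out_if}{match} -j {target}"


def nat_verdict(rules, dst, out_if="eth0"):
    """Walk the chain for a packet to dst leaving out_if: the first matching rule decides.
    RETURN and the chain's ACCEPT policy both mean 'leave the source address alone'."""
    ip = ipaddress.ip_address(dst)
    for rule_if, negate, net, target in rules:
        if rule_if != out_if:
            continue
        hit = True if net is None else ((ip in net) != negate)
        if hit:
            return "MASQUERADE" if target == "MASQUERADE" else "ACCEPT"
    return "ACCEPT"


if __name__ == "__main__":
    rules = build_rules(["10.0.0.0/8", "192.168.0.0/16"])
    print("\n".join(render(r) for r in rules))
    for dst in ("10.1.2.3", "192.168.5.5", "8.8.8.8"):   # constructed destinations
        print(dst, "->", nat_verdict(rules, dst), "| reversed order:", nat_verdict(rules[::-1], dst))
```

With the rules in the right order 10.x and 192.168.x traffic leaves untouched and everything else is masqueraded; reverse the list (MASQUERADE first) and the exclusions become dead rules, which is the mistake the comment in the post's snippet warns about. Traffic leaving another interface is never NATed by these rules, since each carries -o eth0.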

Injecting multiple networks into VPN tunnel

Wednesday, January 5th, 2011

We have a number of IPsec tunnels running on Ubuntu Linux with Openswan installed. Here is the typical configuration for a site:
