22.2.06


Enabling LDAP Authentication/Authorization in Apache 2.2

Easy as this:

-Configure with the SSL and LDAP modules

# ./configure --prefix=path_to_apache/apache2 --enable-mods-shared=all --enable-ssl=shared --enable-authnz-ldap --with-ssl=/usr/local/ssl --with-ldap --enable-ldap

-Install apache

-Configure apache (these directives go inside the Location or Directory container you want to protect)


AuthType Basic
AuthName "Realm Name"
AuthBasicProvider ldap
AuthLDAPURL ldap://ldap1.domain:389/o=Company?uid
require ldap-attribute ou=someValue
Order allow,deny
Allow from all



With this configuration Apache first connects to ldap1.domain and searches below o=Company for an entry whose uid equals the user name from the Basic Auth header; because no AuthLDAPBindDN is set, this search bind is anonymous. If exactly one entry is found, Apache binds to the LDAP server a second time as that entry's DN with the password the browser supplied. This second bind is the actual password check.

The Require ldap-attribute line adds an authorization step: Apache asks the directory (an LDAP compare on the user's own entry) whether the entry has the attribute ou with the value someValue. It tests an attribute of the entry, not where the entry sits in the tree, so a user whose entry lacks that ou attribute is rejected even if the entry lives under an OU of that name.

Two things to know before using this in production: with ldap:// on port 389 both the search and the user's password travel in cleartext to the directory, so prefer ldaps://, and if the directory does not permit anonymous searches set AuthLDAPBindDN and AuthLDAPBindPassword for the first phase.

That's all, folks!

PS: I have this nasty bug, that if an existing user provides a wrong password the server will create an internal error. This does not happen for non existing users. Strange things happen...


Creating a self-signed SSL Certificate for Apache 2.2

This is a great link that describes how to create a self-signed certificate e.g. for apache.
http://www.tc.umn.edu/~brams006/selfsign.html

With Apache 2.2 you can include the file conf/extra/httpd-ssl.conf in your httpd.conf:

# Secure (SSL/TLS) connections
Include conf/extra/httpd-ssl.conf


There you have to set some parameters:

-Make httpd listen on port 443 (the default port for https):

Listen 443

-Paths to keys and certificates:

# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile path_to_apache/apache2/conf/server.key

# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. Keep
# in mind that if you have both an RSA and a DSA certificate you
# can configure both in parallel (to also allow the use of DSA
# ciphers, etc.)
SSLCertificateFile path_to_apache/apache2/conf/server.crt


The cipher, and with it the symmetric key length, is negotiated between browser and server from the SSLCipherSuite list. As the key length may be up to 256 bits, the idea here was to prefer 128-bit ciphers where possible. (The speed difference between 128- and 256-bit symmetric ciphers is actually small compared with the RSA handshake, but the cipher string is still where you control which ciphers are offered at all.) Add or replace the following line:

# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite !ADH:!EXPORT56:!EXPORT40:RC4+RSA:+3DES:+MEDIUM:+HIGH:!LOW:+SSLv2:+EXP


The syntax is OpenSSL's cipher-string language: !LOW removes the LOW-strength ciphers (56- and 64-bit keys, not counting the export ciphers) for good, !EXPORT40 and !EXPORT56 do the same for the export-grade ones, and RC4+RSA means ciphers that use both RC4 and RSA key exchange. Note that a + prefix (+3DES, +MEDIUM, +HIGH, +SSLv2, +EXP) only moves ciphers that are already on the list to the end; it adds nothing and disables nothing. Since RC4+RSA is the only additive entry in the string above, the string as written enables only the RC4 suites with RSA key exchange; to keep 3DES and AES available, start the string with ALL: so that the later entries reorder a full list. The server's order only counts if SSLHonorCipherOrder on is set (otherwise the client's preference wins). RC4 and SSLv2 are both considered broken today, so a current configuration excludes them (!RC4 in the cipher string, SSLProtocol all -SSLv2) rather than just moving them to the end.
See http://httpd.apache.org/docs/2.0/mod/mod_ssl.html (the 2.2 version is at http://httpd.apache.org/docs/2.2/mod/mod_ssl.html) for a full explanation.
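To see what the prefixes actually do, here is a small model of OpenSSL's cipher-string evaluation, added here and not part of the original post. The cipher table is a constructed subset of real OpenSSL cipher names tagged with the aliases from ciphers(1) that match them, in a made-up order; the rules follow ciphers(1): a bare entry appends ciphers not yet on the list, - removes, ! removes and blocks re-adding, + only moves ciphers already on the list to the end. Run on the string from the post it yields just the two RC4 suites; with ALL: in front it yields the intended "RC4 first, then the rest" order; the third string (my own) excludes instead of reordering.

```python
"""Model of how OpenSSL evaluates an SSLCipherSuite string (added example).

CIPHER_TABLE is a constructed subset of real OpenSSL cipher names tagged
with the ciphers(1) aliases that match them.  The real authority for any
string is `openssl ciphers -v '<string>'`.
"""

CIPHER_TABLE = [
    ("AES256-SHA",      {"RSA", "AES", "HIGH", "SSLv3"}),
    ("AES128-SHA",      {"RSA", "AES", "HIGH", "SSLv3"}),
    ("DES-CBC3-SHA",    {"RSA", "3DES", "HIGH", "SSLv3"}),
    ("RC4-SHA",         {"RSA", "RC4", "MEDIUM", "SSLv3"}),
    ("RC4-MD5",         {"RSA", "RC4", "MEDIUM", "SSLv3"}),
    ("DES-CBC-SHA",     {"RSA", "DES", "LOW", "SSLv3"}),
    ("EXP-RC4-MD5",     {"RSA", "RC4", "EXP", "EXPORT40", "SSLv3"}),
    ("EXP-DES-CBC-SHA", {"RSA", "DES", "EXP", "EXPORT40", "SSLv3"}),
    ("ADH-AES128-SHA",  {"ADH", "aNULL", "AES", "HIGH", "SSLv3"}),
    ("DES-CBC3-MD5",    {"RSA", "3DES", "HIGH", "SSLv2"}),
]


def _matches(atom, tags):
    """'RC4+RSA' matches a cipher that carries every '+'-joined tag."""
    return all(part == "ALL" or part in tags for part in atom.split("+"))


def cipher_list(spec, table=CIPHER_TABLE):
    """Return the ordered list of cipher names that `spec` leaves enabled."""
    enabled = []     # current ordered list
    killed = set()   # hit by '!': removed and never re-added
    for token in spec.split(":"):
        if not token:
            continue
        op = token[0] if token[0] in "!-+" else ""
        atom = token[len(op):]
        hits = [name for name, tags in table if _matches(atom, tags)]
        if op == "":
            # append; ciphers already present keep their position
            enabled += [n for n in hits if n not in enabled and n not in killed]
        elif op == "-":
            enabled = [n for n in enabled if n not in hits]
        elif op == "!":
            killed.update(hits)
            enabled = [n for n in enabled if n not in hits]
        else:
            # '+' moves matching ciphers that are already on the list to
            # the end; it adds nothing and disables nothing
            moved = [n for n in enabled if n in hits]
            enabled = [n for n in enabled if n not in hits] + moved
    return enabled


# The string from the post, the same string with ALL: in front, and a
# constructed one that excludes instead of reordering.
POST_SPEC = "!ADH:!EXPORT56:!EXPORT40:RC4+RSA:+3DES:+MEDIUM:+HIGH:!LOW:+SSLv2:+EXP"
ALL_FIRST_SPEC = "ALL:" + POST_SPEC
STRICT_SPEC = "HIGH:!ADH:!SSLv2"

if __name__ == "__main__":
    for spec in (POST_SPEC, ALL_FIRST_SPEC, STRICT_SPEC):
        print(spec)
        print("   ->", ":".join(cipher_list(spec)))
```

The table order stands in for OpenSSL's internal preference order, so the exact positions will differ from a real `openssl ciphers -v` run; the effect of the prefixes does not.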

Don't forget to seed the PRNG from /dev/urandom (the comment in httpd-ssl.conf explains why not /dev/random):

# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the SSL library.
# The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
#
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect file:/dev/urandom 512


After that, restart apache.


Solaris ACLs

I can never ever remember how to set ACLs. So this is the way to go...

To narrow it down, I have three users: apache, sysaudit and syslogng.

sysaudit and syslogng should be allowed to read and write in the directory (including sub-directories); apache should only be allowed to read.

# ls -la
.
.
.
drwxr-x--- 5 root root 512 Feb 17 16:18 auditlog
.
.
.

# getfacl auditlog
# file: auditlog
# owner: root
# group: root
user::rwx
group::r-x #effective:r-x
mask:r-x
other:---

The acl should look like this in the end:


# getfacl auditlog
# file: auditlog
# owner: root
# group: root
user::rwx
user:apache:r-x #effective:r-x
user:syslogng:rwx #effective:rwx
user:sysaudit:rwx #effective:rwx
group::r-x #effective:r-x
mask:rwx
other:---
default:user::rwx
default:user:apache:r-x
default:user:syslogng:rwx
default:user:sysaudit:rwx
default:group::---
default:mask:rwx
default:other:---

Notice:
-default: entries are inherited by new files and sub-directories created in this directory (a new sub-directory gets them as its own access ACL and, again, as its default ACL). default:group::--- here means the owning group of new entries gets nothing, stricter than the r-x the directory itself grants.
-mask is the maximum permission allowed for the named users, the named groups and the owning group. It does not limit the owner (user::) or other.
-#effective is the AND of an entry's permission and the mask; it is the permission the user actually gets. This is why the mask had to be raised from r-x to rwx: with the original mask, user:syslogng:rwx would have been effectively r-x.
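As an added example (not code from the original post), here is a parser for getfacl output that recomputes the #effective column and answers "can this user do X here?" in the order Solaris evaluates an ACL (owner, named user, owning and named groups, other). The ACL text is the post's final ACL copied in as sample input; the example also lowers the mask back to the original r-x to show how an rwx entry collapses to r-x.

```python
"""Parse getfacl(1) output and recompute effective permissions.

Added example, not code from the original post.  ACL_TEXT is the post's
final ACL for the auditlog directory, copied in as sample input.  The access
check follows the POSIX draft ACL order (owner, named user, owning and named
groups, other), applying the mask only where the mask applies.
"""

ACL_TEXT = """\
# file: auditlog
# owner: root
# group: root
user::rwx
user:apache:r-x #effective:r-x
user:syslogng:rwx #effective:rwx
user:sysaudit:rwx #effective:rwx
group::r-x #effective:r-x
mask:rwx
other:---
default:user::rwx
default:user:apache:r-x
default:user:syslogng:rwx
default:user:sysaudit:rwx
default:group::---
default:mask:rwx
default:other:---
"""

PERM_BITS = (("r", 4), ("w", 2), ("x", 1))


def perm_to_bits(perm):
    """'r-x' -> 5"""
    return sum(b for c, b in PERM_BITS if c in perm)


def bits_to_perm(bits):
    """5 -> 'r-x'"""
    return "".join(c if bits & b else "-" for c, b in PERM_BITS)


def parse_acl(text):
    """Return {'owner', 'group', 'access': {...}, 'default': {...}}; the entry
    dicts map (tag, qualifier) -> bits, e.g. ('user', 'apache') -> 5,
    ('user', '') -> 7 for the owner entry, ('mask', '') -> 7.  '#effective:'
    annotations are output, not input, and are skipped; both 'mask:rwx'
    (Solaris) and 'mask::rwx' (Linux) are accepted."""
    acl = {"owner": None, "group": None, "access": {}, "default": {}}
    for raw in text.splitlines():
        for key in ("owner", "group"):
            if raw.startswith("# %s: " % key):
                acl[key] = raw.split(": ", 1)[1].strip()
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        target = "access"
        if line.startswith("default:"):
            target, line = "default", line[len("default:"):]
        fields = line.split(":")
        tag, perm = fields[0], fields[-1]
        qual = fields[1] if len(fields) == 3 else ""
        acl[target][(tag, qual)] = perm_to_bits(perm)
    return acl


def effective(entries):
    """Apply the mask: named users, named groups and the owning group are
    ANDed with it; the owner (user::) and other are never masked."""
    mask = entries.get(("mask", ""), 7)
    result = {}
    for (tag, qual), bits in entries.items():
        masked = tag == "group" or (tag == "user" and qual != "")
        result[(tag, qual)] = bits & mask if masked else bits
    return result


def allowed(acl, user, groups, want):
    """True if `user`, member of `groups`, gets every permission in `want`
    (e.g. 'rw').  Only the first matching class is consulted, so a named-user
    entry of r-x denies writing even if other would grant it."""
    want_bits = perm_to_bits(want)
    raw, eff = acl["access"], effective(acl["access"])
    if user == acl["owner"]:
        return raw[("user", "")] & want_bits == want_bits
    if ("user", user) in eff:
        return eff[("user", user)] & want_bits == want_bits
    group_perms = [eff[k] for k in
                   (("group", "" if g == acl["group"] else g) for g in groups)
                   if k in eff]
    if group_perms:  # any matching group entry granting all bits suffices
        return any(p & want_bits == want_bits for p in group_perms)
    return eff[("other", "")] & want_bits == want_bits


def effective_table(acl, which="access"):
    """{'apache': 'r-x', ...}: the named-user entries after masking."""
    return {qual: bits_to_perm(bits)
            for (tag, qual), bits in effective(acl[which]).items()
            if tag == "user" and qual}


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    print("effective:", effective_table(acl))
    print("syslogng may write:", allowed(acl, "syslogng", ["syslogng"], "w"))
    # The failure mode: keep the entries, but leave the mask at the original
    # r-x, and every rwx entry is effectively r-x.
    weak = parse_acl(ACL_TEXT.replace("mask:rwx", "mask:r-x", 1))
    print("with mask r-x:", effective_table(weak))
```

setfacl -r exists for exactly this: it recalculates the mask from the entries, so you do not have to track it by hand.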

I find it easier to edit the ACL in a text file (once you have a template) than to write complex setfacl commands (ugly syntax).

This ACL file can then be applied with setfacl [-r] -f acl_file file; -r recalculates the mask entry from the user and group entries in the file.

Another easy way to do this is to use /usr/dt/bin/dtfile (the CDE file manager). Very useful for applying the ACLs recursively to sub-directories.


OpenSSH Headache

Another chapter of stupid failures...

Public key authentication stopped working, so:

Debugging the OpenSSH client at verbosity level 3:

# ssh -vvv user@hostname
.
.
.
debug2: we sent a publickey packet, wait for reply
...
debug2: we did not send a packet, disable method
.
.
.

Client debugging shows no useful information...

After using snoop, dtrace and other debugging tools without any real hints, I finally found the reason using sshd in debugging mode. Important detail: without the option -e, the failure cannot be found. This was the reason for losing a lot of time, because I had already tried the command in an early debugging phase, without the option -e.

# sshd -ddd -e

.
.
.
User user not allowed because account is locked
.
.
.


Ahah. The user was locked...This was again a problem that would normally have been solved in a couple of minutes...
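The check that would have saved the time, as an added example (not from the original post): look at the password field, because that is what sshd does. Portable OpenSSH's allowed_user() refuses the login before any authentication method runs when the shadow password field starts with the platform's lock marker, *LK* on Solaris (what passwd -l writes) and ! on Linux. The shadow lines and the sshd -ddd -e excerpt below are constructed; -e is what puts the message on your terminal, since without it sshd writes it to syslog.

```python
"""Find accounts sshd will refuse as locked, and pull the refusal reason
out of `sshd -ddd -e` output.  Added example, not from the original post.

Lock markers are the ones portable OpenSSH is built with: '*LK*' prefix on
Solaris, '!' prefix on Linux.  Both sample inputs are constructed.
"""
import re

LOCK_PREFIX = {"solaris": "*LK*", "linux": "!"}

# Constructed Solaris-style shadow entries (name:password:lastchg:...).
# 'NP' disables password login but is not a lock, and sshd does not treat
# it as one.
SHADOW_SAMPLE = """\
root:$1$saltsalt$constructedhashXXXXXXXXXXXXX:13190::::::
user:*LK*$1$saltsalt$constructedhashYYYYYYYYYYYYY:13190::::::
alice:$1$saltsalt$constructedhashZZZZZZZZZZZZZ:13190::::::
daemon:NP:6445::::::
"""

# Constructed excerpt of what `sshd -ddd -e` prints on stderr.
SSHD_DEBUG_SAMPLE = """\
debug1: userauth-request for user user service ssh-connection method none
debug1: attempt 0 failures 0
User user not allowed because account is locked
debug1: userauth-request for user user service ssh-connection method publickey
"""


def is_locked(password_field, platform):
    """sshd's test: the marker must be at the very start of the field."""
    return password_field.startswith(LOCK_PREFIX[platform])


def locked_accounts(shadow_text, platform):
    """Names of accounts whose shadow entry sshd treats as locked."""
    locked = []
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, password = line.split(":", 2)[:2]
        if is_locked(password, platform):
            locked.append(name)
    return locked


_REJECT = re.compile(r"^User (\S+) not allowed because (.+)$")


def rejection_reasons(sshd_log):
    """Map user -> reason for every 'not allowed because' line sshd logged
    (locked account, missing shell, AllowUsers/DenyUsers, ...)."""
    reasons = {}
    for line in sshd_log.splitlines():
        m = _REJECT.match(line.strip())
        if m:
            reasons[m.group(1)] = m.group(2)
    return reasons


if __name__ == "__main__":
    print("locked on Solaris:", locked_accounts(SHADOW_SAMPLE, "solaris"))
    print("sshd rejections:", rejection_reasons(SSHD_DEBUG_SAMPLE))
```

On Solaris the same answer comes from passwd -s user, which shows LK for a locked account, and passwd -u user unlocks it.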


This page is powered by Blogger. Isn't yours?