Apache – Access based on an IP or Username/password

Recently I needed to grant access to an intranet site based on the client IP, and if the IP was outside the LAN, Apache should prompt for a username/password.

It took me some time to figure out, but this can be done with the Satisfy
directive. So I now have the following in my Apache config:

<Directory "/usr/local/www/intranet">
  Options Indexes FollowSymlinks MultiViews
  AllowOverride None
  order deny,allow
  deny from all
  # Allow LAN Location A
  allow from 172.16.2.0/24
  # Allow LAN Location B
  allow from 172.16.3.0/24
  # Allow VPN-subnet
  allow from 172.16.250.0/24

  # Username/password request
  AuthType Basic
  AuthName "Example.Com Intranet"
  AuthUserFile /usr/local/etc/intranet/webusers.pwl
  require valid-user

  # Allow or require must be satisfied
  Satisfy any
</Directory>

And it is working well: if you come from outside the defined subnets, you need to enter your username/password.

NSCD speeds up 4.1 times fetching user information from LDAP

At this moment I am setting up LDAP in a test environment for user management. One of my colleagues suggested using nscd together with LDAP to increase performance. So I did a small test with nscd turned off and nscd turned on:

# service nscd stop
Stopping nscd: [ OK ]
# time for x in `seq 1 10000`; do X=`id pieter`; done
real    1m39.024s
user    0m19.467s
sys     0m40.919s
# service nscd start
Starting nscd: [ OK ]
# time for x in `seq 1 10000`; do X=`id pieter`; done
real    0m23.735s
user    0m4.645s
sys     0m18.829s

As you can see… nscd speeds up the lookups 4.1 times. Other issues might pop up with the use of nscd, but we will notice those in the future.

The YubiKey

In the last issue of the Linux Journal there is an article about the YubiKey. The YubiKey provides one-time-password logins, in the way Vasco and RSA do with their tokens. Although the YubiKey works on (almost) any operating system…

I guess I did something wrong…

Last Friday I was playing around with one of my FreeBSD production servers. On that server I have a number of users for e-mail and other services. I was playing around as root, because I wanted to update/install some new stuff. But at a certain momen…

Linux SUDO-hack

It can happen that you have sudo access to another account (most of the time it will be access to the root account). But most of the time the NOPASSWD option is not used, for security reasons. Still, there are moments you want to have sudo credentials available, think of a script or something else…. I had the same issue, so I found the following "hack" to get the timestamp refreshed every 60 seconds.

(Please note that the script uses the user "root", but it can be another user; modify the script so it fits your needs.)

Step 1)

Create a script in your $HOME/bin with the following content (I call it sudo-hack.sh):


#!/bin/bash
# Refresh the sudo timestamp every 60 seconds for as long as this loop runs
while true
do
  sudo -u root /bin/true > /dev/null 2>&1
  sleep 60
done


Step 2)

Get a valid sudo-timestamp:

$ sudo -u root /bin/true
Password:
$

Step 3)

Start sudo-hack.sh in the background:

$ $HOME/bin/sudo-hack.sh &
$

That’s all!

Passed – RH423 Red Hat Enterprise Directory Services and Authentication

This week I had the “Red Hat Enterprise Directory Services and Authentication” course and exam in Amsterdam.

In the course we had some very nice stuff, like Red Hat DS and at the end Red Hat Enterprise IPA… all very cool… but today I had the exam (due to the Red Hat NDA I am not allowed to say anything about the exam, so I won't)… but a few hours after the exam I received my results… and I passed the exam :-D

Issues with connectivity on MORPHEUS

As you might have noticed, the last few weeks we had issues with the connectivity of morpheus.adslweb.net. We changed the contract (so we got physically connected to another network, but still from XS4ALL) and we installed a new ADSL modem (a Fritz!…

Why is the script slow… (part 2)

In my previous post I wrote about a script which was running slow. After a chat with a colleague he pointed me to paging, and there is a Perl module for LDAP paging. So I implemented this in the script I was working on. See the following result…

Why is the script slow…

For a project I am working on migrating UNIX applications to Linux. Most of the scripting work was supposed to be done in India, and that is where the issues came in. First you have a developer who knows how to work with M$ Technet and has never worked with Perl before (at least 80% of the scripts are written in Perl).

First of all I introduced the use of Net::LDAP within Perl, because they first did an ldapsearch, put the output into an ASCII file… structured the data with a Perl script… and loaded it into an Oracle database… so that was the first improvement.

Next there were several issues, like not reading or understanding LDAP/Perl well at all…

But at a certain moment they started complaining about the fact that one of the scripts was slow… on the old system the script had a run time of 4 hours… and now it was up to 28 hours(!!!) :-( So they requested me to investigate this.

First I found a 'main' Korn shell script doing the following:


for VAR in a b d e f g i j k m n o p q r s t u v w x y z
do
   for NAME in "'" a b c d e f g h i j k l m n o p q r s t u v w x y z
   do
     ldap_script.pl $NAME $VAR
   done
done


The content of the ldap_script.pl was something like:


#!/usr/bin/perl
use Net::LDAP;
# $LDAP_SERVER, $LDAP_DN, $LDAP_PASSWD and $LDAP_BASE are set elsewhere in the script
$ldap = Net::LDAP->new($LDAP_SERVER) or die "Cannot connect";
# bind() returns a message object, so its result code has to be checked
$mesg = $ldap->bind($LDAP_DN, password=>$LDAP_PASSWD);
$mesg->code and die "Cannot bind: " . $mesg->error;
# the sn and OfficeName prefixes come from the command line
$LDAP_FILTER="(&(sn=$ARGV[0]*)(OfficeName=$ARGV[1]*))";
$mesg = $ldap->search(base=>$LDAP_BASE,
                      filter=>$LDAP_FILTER,
                     );
# search() always returns a Net::LDAP::Search object; check its result code
$mesg->code and die "Search failed: " . $mesg->error;
push(@ENTRIES,$mesg->entries);
$ldap->unbind;


I thought that this costs a lot… loading the Perl script, connecting to the server, binding to it… et cetera… :-( And this was done more than 2000 times in the original script :-|

So… I removed the loop from the main script… and implemented it in the Perl script, like this:


#!/usr/bin/perl

use Net::LDAP;

# $LDAP_SERVER, $LDAP_DN, $LDAP_PASSWD and $LDAP_BASE are set elsewhere in the script
$ldap = Net::LDAP->new($LDAP_SERVER) or die "Cannot connect";
@LOOP=("a","b","c","d","e","f","g","h","i","j","k","l","m","n","o",
       "p","q","r","s","t","u","v","w","x","y","z", "'");

# one connection and one bind for all searches
$mesg = $ldap->bind($LDAP_DN, password=>$LDAP_PASSWD);
$mesg->code and die "Cannot bind: " . $mesg->error;

foreach $LOOP1 (@LOOP)
{
  foreach $LOOP2 (@LOOP)
  {
     $LDAP_FILTER="(&(sn=$LOOP1*)(OfficeName=$LOOP2*))";
     $mesg = $ldap->search(base=>$LDAP_BASE,
                           filter=>$LDAP_FILTER,
                          );
     # search() always returns an object; the result code tells whether it failed
     $mesg->code and die "Search failed: " . $mesg->error;
     push(@ENTRIES,$mesg->entries);
  }
}

$ldap->unbind;


And this runs within 3 hours!!! And it is flying! :-D

More performance tuning can be done… but that will be another project!
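The single-bind loop from this post combined with the LDAP paging mentioned in part 2, as an added example (not the post's own script): each search uses the Simple Paged Results control via Net::LDAP::Control::Paged, so result sets larger than the server's size limit are fetched page by page, and the filter prefixes are escaped with Net::LDAP::Util::escape_filter_value. The connection settings and page size are placeholder values, not the post's.

```perl
#!/usr/bin/perl
# Added example: one bind, nested loop of searches, each search paged.
# Connection settings below are placeholders, not the original script's.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Control::Paged;
use Net::LDAP::Constant qw(LDAP_CONTROL_PAGED);
use Net::LDAP::Util qw(escape_filter_value);

my $LDAP_SERVER = 'ldap.example.com';                # placeholder
my $LDAP_DN     = 'cn=reader,dc=example,dc=com';     # placeholder
my $LDAP_PASSWD = 'changeme';                        # placeholder
my $LDAP_BASE   = 'ou=people,dc=example,dc=com';     # placeholder
my $PAGE_SIZE   = 500;   # keep this below the server's sizelimit

my $ldap = Net::LDAP->new($LDAP_SERVER) or die "Cannot connect: $@";
my $mesg = $ldap->bind($LDAP_DN, password => $LDAP_PASSWD);
$mesg->code and die "Bind failed: " . $mesg->error;

my @LOOP = ('a' .. 'z', "'");
my @ENTRIES;

foreach my $sn (@LOOP) {
  foreach my $office (@LOOP) {
    # escape_filter_value neutralises *, (, ), \ and NUL in the prefixes
    my $filter = sprintf '(&(sn=%s*)(OfficeName=%s*))',
                         escape_filter_value($sn), escape_filter_value($office);
    my $page = Net::LDAP::Control::Paged->new(size => $PAGE_SIZE);
    my @args = (base => $LDAP_BASE, scope => 'sub', filter => $filter,
                control => [$page]);
    while (1) {
      $mesg = $ldap->search(@args);
      $mesg->code and die "Search failed: " . $mesg->error;
      push @ENTRIES, $mesg->entries;
      # the server returns a cookie while more pages remain; empty means done
      my ($resp) = $mesg->control(LDAP_CONTROL_PAGED) or last;
      my $cookie = $resp->cookie or last;
      $page->cookie($cookie);   # request the next page
    }
  }
}

$ldap->unbind;
printf "%d entries fetched\n", scalar @ENTRIES;
```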