Require client-SSL certificate for certain content.

On a kind of “intranet” website, which is secured with username/password combinations and HTTPS, I’ve implemented the following feature:

– Authorized users can read everything on the website

– Files with “classified” in their filename require a valid SSL client certificate…

Here is the relevant part of my Apache config:

<Directory /usr/sites/ssl-site/intranet/htdocs>
  Options Indexes MultiViews
  AllowOverride AuthConfig
  Order allow,deny
  Allow from all
  AuthName "intranet"
  AuthType Basic
  AuthUserFile /usr/sites/ssl-site/intranet/etc/users.pwl
  require valid-user
</Directory>

# Any URL path containing "classified" (in any letter case) followed by at
# least one more character additionally requires a verified client certificate.
<LocationMatch ".*(c|C)(l|L)(a|A)(s|S)(s|S)(i|I)(f|F)(i|I)(e|E)(d|D).+">
  SSLVerifyClient require
  SSLVerifyDepth 1
  SSLOptions +OptRenegotiate
</LocationMatch>


I still have to sort out some issues, like paths that contain a directory named “classified” rather than a file.
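To see exactly which paths the LocationMatch rule above protects, here is an added check script (not part of the original post). It runs the post's pattern and a stricter, assumed alternative that only looks at the last path component through grep -i, which is the same case-insensitive matching the (c|C)(l|L)… alternation achieves. The sample paths are constructed.

```shell
#!/bin/sh
# Added example: compare the post's LocationMatch rule (matches "classified"
# anywhere in the request path) with a stricter pattern that only looks at
# the file name. Both are evaluated case-insensitively with grep -iE.

# Pattern as used in the post, minus the redundant leading ".*": "classified"
# followed by at least one more character, anywhere in the path.
PATTERN_ANYWHERE='classified.+'
# Assumed stricter alternative: "classified" must be in the last path component.
PATTERN_BASENAME='/[^/]*classified[^/]*$'

# needs_cert PATTERN PATH: returns 0 when PATH would require a client certificate
needs_cert() {
    pattern=$1
    path=$2
    printf '%s\n' "$path" | grep -qiE -- "$pattern"
}

# classify PATH: prints "anywhere=yes/no basename=yes/no" for the two rules
classify() {
    a=no
    b=no
    needs_cert "$PATTERN_ANYWHERE" "$1" && a=yes
    needs_cert "$PATTERN_BASENAME" "$1" && b=yes
    printf 'anywhere=%s basename=%s\n' "$a" "$b"
}

# Constructed sample paths: a classified file, a file inside a directory
# named "Classified", and a file that is just called "classified".
for p in /docs/report-classified.pdf /Classified/public-notes.txt /docs/classified; do
    printf '%-32s %s\n' "$p" "$(classify "$p")"
done
```

Two things the output makes visible: with the post's pattern a public file under a directory called “Classified” needs a certificate, while a file whose name is exactly “classified” does not, because the trailing `.+` demands at least one more character after the word. Anchoring the pattern on the last path component fixes the first case; dropping the `.+` fixes the second.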

Linux SUDO-hack

It can happen that you have sudo access to another account (most of the time it will be the root account). But usually the NOPASSWD option is not used, for security reasons. Still, there are moments you want to have sudo credentials available, think of a script or something else…. I had the same issue, so I came up with the next “hack” to get the timestamp refreshed every 60 seconds.

(Please note the script uses the user “root”, but it can be another user; modify the script so it fits your needs.)

Step 1)

Create a script in your $HOME/bin with the following content (I call it sudo-hack.sh):


#!/bin/bash
# Refresh the sudo timestamp every 60 seconds by running a harmless command
# as the target user (root here); change "root" to the account you need.
while true
do
  sudo -u root /bin/true > /dev/null 2> /dev/null
  sleep 60
done


Step 2)

Get a valid sudo-timestamp:

$ sudo -u root /bin/true
Password:
$

Step 3)

Start sudo-hack.sh in the background:

$ $HOME/bin/sudo-hack.sh &
$

That’s all!
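Seen from the other side, a loop like this leaves a very regular trace in the sudo log: the same user running /bin/true as root once a minute. The following is an added example (not from the original post) that counts those calls per user over syslog-style sudo lines; the log lines are constructed, not taken from a real host.

```shell
#!/bin/sh
# Added example: flag users whose sudo activity looks like a timestamp
# keepalive loop, i.e. many "sudo /bin/true" calls. Input: sudo log lines on
# stdin in the usual syslog format. SAMPLE_LOG below is constructed.

SAMPLE_LOG='Mar  3 10:00:01 host sudo:   pieter : TTY=pts/0 ; PWD=/home/pieter ; USER=root ; COMMAND=/bin/true
Mar  3 10:00:30 host sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls /root
Mar  3 10:01:01 host sudo:   pieter : TTY=pts/0 ; PWD=/home/pieter ; USER=root ; COMMAND=/bin/true
Mar  3 10:02:01 host sudo:   pieter : TTY=pts/0 ; PWD=/home/pieter ; USER=root ; COMMAND=/bin/true
Mar  3 10:02:40 host sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/true
Mar  3 10:03:01 host sudo:   pieter : TTY=pts/0 ; PWD=/home/pieter ; USER=root ; COMMAND=/bin/true'

# keepalive_users THRESHOLD  (reads sudo log lines on stdin)
# Prints "user count" for every user with at least THRESHOLD sudo calls whose
# COMMAND is exactly /bin/true or /usr/bin/true.
keepalive_users() {
    awk -v threshold="$1" '
        /sudo:/ && /COMMAND=(\/usr)?\/bin\/true$/ {
            # the invoking user is the field right after "sudo:"
            for (i = 1; i <= NF; i++) if ($i == "sudo:") { user = $(i + 1); break }
            count[user]++
        }
        END {
            for (u in count) if (count[u] >= threshold) print u, count[u]
        }' | sort
}

printf '%s\n' "$SAMPLE_LOG" | keepalive_users 3
```

On a real system you would feed it `grep sudo: /var/log/auth.log` (or wherever sudo logs on your distribution) and pick a threshold that matches how long the log covers. The knob on the sudoers side is `Defaults timestamp_timeout`, which sets how many minutes a cached credential stays valid; `sudo -k` drops it immediately.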

Passed – RH423 Red Hat Enterprise Directory Services and Authentication

This week I had the “Red Hat Enterprise Directory Services and Authentication” course and exam in Amsterdam.

In the course we had some very nice stuff, like Red Hat DS and at the end Red Hat Enterprise IPA… all very cool… but today I had the exam (due to the Red Hat NDA I am not allowed to say anything about the exam, so I won’t)… but a few hours after the exam I received my results… and I passed the exam :-D

Why is the script slow…

For a project I am working on migrating UNIX applications to Linux. Most of the scripting work was supposed to be done in India, and that is where the issues came in. First you have a developer who knows how to work with M$ Technet and never worked with PERL before (at least 80% of the scripts are written in PERL).

First of all I introduced them to Net::LDAP within PERL, because they first did an ldapsearch, put the output into an ASCII file… and with a PERL script they structured the data… and loaded it into an Oracle database… so that was the first improvement.

Next there were several issues, like not properly reading or understanding LDAP/PERL at all…

But at a certain moment they started complaining that one of the scripts was slow… on the old system the script had a run time of 4 hours… and now it was up to 28 hours(!!!) :-( So they asked me to investigate this.

First I found a ‘main’ kornshell script doing the following:


# One PERL process (and one LDAP connection) per office/surname prefix pair
for VAR in a b d e f g i j k m n o p q r s t u v w x y z
do
   for NAME in "'" a b c d e f g h i j k l m n o p q r s t u v w x y z
   do
     ldap_script.pl $NAME $VAR
   done
done


The content of ldap_script.pl was something like:


#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;
# Connection settings (placeholders; the post does not show the real values)
my $LDAP_SERVER = 'ldap.example.com';
my $LDAP_DN     = 'cn=reader,dc=example,dc=com';
my $LDAP_PASSWD = 'secret';
my $LDAP_BASE   = 'ou=people,dc=example,dc=com';
# Every invocation connects and binds anew
my $ldap = Net::LDAP->new($LDAP_SERVER) or die "Cannot connect";
my $mesg = $ldap->bind($LDAP_DN, password => $LDAP_PASSWD);
$mesg->code and die "Cannot bind: " . $mesg->error;
# The two command-line arguments are interpolated into the filter unescaped
my $LDAP_FILTER = "(&(sn=$ARGV[0]*)(OfficeName=$ARGV[1]*))";
$mesg = $ldap->search(base => $LDAP_BASE, filter => $LDAP_FILTER);
$mesg->code and die "Search failed: " . $mesg->error;
my @ENTRIES = $mesg->entries;
$ldap->unbind;


I thought that this costs a lot… loading the PERL interpreter, connecting to the server, binding to it… et cetera… :-( And in the original script this was done more than 2000 times :-|

So… I removed the loop from the main script… and implemented it in the PERL script, like this:


#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;

# Connection settings (placeholders; the post does not show the real values)
my $LDAP_SERVER = 'ldap.example.com';
my $LDAP_DN     = 'cn=reader,dc=example,dc=com';
my $LDAP_PASSWD = 'secret';
my $LDAP_BASE   = 'ou=people,dc=example,dc=com';

my @LOOP = ("a", "b", "c", "d", "e", "f", "g", "h", "i", "j", "k", "l", "m", "n", "o",
            "p", "q", "r", "s", "t", "u", "v", "w", "x", "y", "z", "'");
my @ENTRIES;

# One connection and one bind for all searches
my $ldap = Net::LDAP->new($LDAP_SERVER) or die "Cannot connect";
my $mesg = $ldap->bind($LDAP_DN, password => $LDAP_PASSWD);
$mesg->code and die "Cannot bind: " . $mesg->error;

foreach my $LOOP1 (@LOOP)
{
  foreach my $LOOP2 (@LOOP)
  {
     my $LDAP_FILTER = "(&(sn=$LOOP1*)(OfficeName=$LOOP2*))";
     $mesg = $ldap->search(base => $LDAP_BASE, filter => $LDAP_FILTER);
     $mesg->code and die "Search failed: " . $mesg->error;
     push(@ENTRIES, $mesg->entries);
  }
}

$ldap->unbind;


And this runs within 3 hours!!! It is flying! :-D

More performance tuning can be done… but that will be another project!

Fedora directory server

Yesterday evening I started playing with Fedora Directory Server.

So first I set up Fedora Core 8 as a VMware instance… But after some playing around, I got the following message:

“Server failed to start !!! Please check errors log for problems”

And guess what… no information at all in the logs :-( So I removed the packages and the following directories:

/etc/dirsrv
/etc/sysconfig/dirsrv
/var/lock/dirsrv
/var/lib/dirsrv

So no information… then strace will be your best friend :-D

So I started:

# strace -o ~/debug/setup -ff /usr/sbin/setup-ds.pl

And guess what… I got the error again… So I went to the ~/debug folder in another terminal and did:

# grep "failed" *
setup.31676:read(4, "Server failed to start !!! Pleas"..., 4096) = 64
setup.31676:write(2, "Server failed to start !!! Pleas"..., 64) = 64
setup.31711:write(1, "Server failed to start !!! Pleas"..., 64) = 64
#

When I dug into setup.31711 I found:

read(255, "if test ! -f $STARTPIDFILE ; the"..., 2220) = 663
rt_sigprocmask(SIG_BLOCK, NULL, [], 8)  = 0
stat64("/var/run/dirsrv/slapd-fedora-ds.startpid", 0xbfcd8eb8) = -1 ENOENT (No such file or directory)
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
fstat64(1, {st_mode=S_IFIFO|0600, st_size=0, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f7c000
write(1, "Server failed to start !!! Pleas"..., 64) = 64

So this is a nice clue… /var/run/dirsrv… and guess what… the owner of this directory was fedora-ds (a user I had set up initially for testing purposes for the Directory Server :-( ). With the command chown I corrected the owner of this folder… and now service dirsrv start works :-P

Conclusion… strace is your best friend :-D
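Since grepping through the per-process files that strace -ff writes is the tedious part, here is an added helper (not from the original post) that pulls the path out of every syscall that failed with a given errno. The sample trace is constructed around the stat64 line quoted above, plus an EACCES line of the kind a wrongly owned /var/run/dirsrv would produce.

```shell
#!/bin/sh
# Added example: extract the file paths of failed syscalls from strace output.
# Input: strace lines on stdin. SAMPLE_TRACE is constructed for the demo.

SAMPLE_TRACE='read(255, "if test ! -f $STARTPIDFILE ; the"..., 2220) = 663
stat64("/var/run/dirsrv/slapd-fedora-ds.startpid", 0xbfcd8eb8) = -1 ENOENT (No such file or directory)
open("/var/run/dirsrv/slapd-fedora-ds.pid", O_WRONLY|O_CREAT|O_TRUNC, 0666) = -1 EACCES (Permission denied)
open("/etc/dirsrv/slapd-fedora-ds/dse.ldif", O_RDONLY) = 4
write(1, "Server failed to start !!! Pleas"..., 64) = 64'

# failed_paths ERRNO  (reads strace output on stdin)
# Prints "syscall path" for every call whose first argument is a quoted path
# and which returned -1 with the given errno, e.g. ENOENT or EACCES.
failed_paths() {
    errno=$1
    # group 1: syscall name, group 2: the quoted first argument
    sed -n 's/^\([a-z0-9_]*\)("\([^"]*\)".*= -1 '"$errno"' .*/\1 \2/p'
}

echo "missing files:"
printf '%s\n' "$SAMPLE_TRACE" | failed_paths ENOENT
echo "permission problems:"
printf '%s\n' "$SAMPLE_TRACE" | failed_paths EACCES
```

With the per-pid files from the post you would run something like `for f in ~/debug/setup.*; do echo "== $f"; failed_paths EACCES < "$f"; done`; ENOENT hits are often harmless lookups, so checking EACCES first usually gets you to ownership and permission mistakes faster.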

Did pass ITIL, LPIC201 and LPIC202

As I wrote before, I passed RHCE, RHCT and LPIC1. After a few weeks of study I also passed LPIC2 and ITIL :-P

The results for ITIL:


Passing score: 65
Your score:    67
Grade:         PASSED

Section Title                          Score
-------------------------------------- -----
General                                 66
Service Desk                            66
Incident Management                     25
Problem Management                      80
Change Management                       80
Configuration Management                75
Release Management                     100
Service Level Management                66
Availability Management                  0
Capacity Management                     50
IT Service Continuity Management       100
Financial Management for IT Services   100
Other ITIL Topics                      100
Relationships                           50


During the exam I started mixing up ‘Availability Management’ and ‘IT Service Continuity Management’, which resulted in a score of 0 for Availability Management :-|

But I also passed LPIC 201 and LPIC 202.

LPIC 201 results:


Required score: 500
Your score:     750
Status:         PASS

Section                              Percent Correct
------------------------------------ ---------------
Linux Kernel                               90%
System startup                             87%
Filesystem                                100%
Hardware                                   75%
File and Service Sharing                   87%
System Maintenance                         83%
System Customization & Automation          66%
Troubleshooting                            50%


LPIC 202 results:


Required score: 500
Your score:     740
Status:         PASS

Section                              Percent Correct
------------------------------------ ---------------
Networking configuration                 85%
Mail & News                              92%
DNS                                      80%
Web Services                            100%
Network Client Management                66%
System Security                          80%
Network Troubleshooting                 100%


Maintain config-files using subversion

Every sysop might recognize this… I changed a config file some while ago… but what did I change, and what is the history of that file? Besides the change history, I want to have the files in a backup :-)

So I decided to set up a config-file repository, where the servers can automatically commit their changes using SVN over SSH. I use SSH with certificate (key) authentication so there are no password prompts. Only the user svn-backup can commit files to the repository. On both servers I only checked out the part of the repository concerning them.

$ svn co svn+ssh://svn-backup@<svn-server>/repos/config-files/tank /usr/data/svn-config

And in the crontab for the user root we have the following entry:

45 * * * * /usr/local/backup/svn-backup.sh

And the svn-backup script contains the following:


#!/bin/bash
#
# Subversion script to backup configfiles
#
# Written by Pieter de Rijk <pieter -at- de-rijk.com>

SVN_BACKUP_PATH="/usr/local/svn-backup"

# Refresh the working copy from the live config directories
cp -R /usr/local/etc/ $SVN_BACKUP_PATH/usr/local/etc/ > /dev/null 2> /dev/null
cp -R /etc/ $SVN_BACKUP_PATH/etc/ > /dev/null 2> /dev/null
# Drop bulky squid data that is not configuration
rm -rf $SVN_BACKUP_PATH/usr/local/etc/squid/errors
rm -rf $SVN_BACKUP_PATH/usr/local/etc/squid/icons/*.jpg
rm -rf $SVN_BACKUP_PATH/usr/local/etc/squid/icons/*.gif
cd $SVN_BACKUP_PATH
/usr/local/bin/svn up > /dev/null 2> /dev/null
# Add every file not yet under version control ("?" lines in svn status).
# Reading the status output line by line adds all of them, not just the
# first one as a quoted command substitution in a for loop would.
/usr/local/bin/svn status $SVN_BACKUP_PATH | awk '/^\?/ { print $2 }' |
while read -r ADD_FILE
do
   if [ ! -z "$ADD_FILE" ]
   then
     /usr/local/bin/svn add "$ADD_FILE"
   fi
done
/usr/local/bin/svn commit -m "[`hostname -s`] Config changes `date`"


And when something changes I receive a message :-P

Only users in the wheel group can check out the repositories, but they are not allowed to commit :-D
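One consequence of copying all of /etc into the working copy is that /etc/shadow, the SSH host keys and any TLS private keys end up in a repository every wheel member can check out. The following is an added pre-commit check (not from the original post) that refuses to commit while such files are present in the staging copy; the file-name patterns are an assumption and the demo tree is constructed in a temporary directory.

```shell
#!/bin/sh
# Added example: refuse to commit a config working copy that contains
# secret-bearing files. Patterns below are assumed; extend for your setup.

# sensitive_files STAGING_DIR
# Prints paths (relative to STAGING_DIR) whose name matches a sensitive pattern.
sensitive_files() {
    dir=$1
    find "$dir" -type f \( \
        -name shadow -o -name gshadow -o -name 'shadow-' -o -name 'gshadow-' \
        -o -name sudoers -o -name '*_key' -o -name '*.pem' -o -name '*.key' \
        -o -name id_rsa -o -name id_dsa -o -name users.pwl \
        \) | sed "s|^$dir/||" | sort
}

# check_staging STAGING_DIR: returns 1 (do not commit) if anything sensitive
# is found, 0 otherwise.
check_staging() {
    found=$(sensitive_files "$1")
    if [ -n "$found" ]; then
        printf 'refusing to commit, sensitive files present:\n%s\n' "$found"
        return 1
    fi
    return 0
}

# demo_tree: builds a constructed staging copy in a temp dir and prints its path.
# The .pub file is deliberately included: public keys are fine to version.
demo_tree() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc/ssh" "$tmp/usr/local/etc/apache"
    : > "$tmp/etc/hosts"
    : > "$tmp/etc/shadow"
    : > "$tmp/etc/ssh/ssh_host_rsa_key"
    : > "$tmp/etc/ssh/ssh_host_rsa_key.pub"
    : > "$tmp/usr/local/etc/apache/server.key"
    printf '%s\n' "$tmp"
}

demo=$(demo_tree)
if check_staging "$demo"; then
    echo "staging copy is clean, safe to commit"
fi
rm -rf "$demo"
```

In the svn-backup script this would go right after the cp lines, with `check_staging "$SVN_BACKUP_PATH" || exit 1`, so the cron job stops before `svn add` ever sees the files; the alternative is to delete those paths from the staging copy the way the script already does for the squid icons.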

make -j 32 bzImage

As I wrote before, some vendor promised me a 16-core machine…. and indeed we received it. Now I have my ‘toy’ placed in the basement. Apart from some trouble putting a modified version of RHEL 4.5 on it, it works fine. At this moment I’ve insta…