Friday, May 7, 2010

Use smartd Smartmontools to prevent data loss

SkyHi @ Friday, May 07, 2010

Are you responsible for one or more servers? Perhaps you have a computer at home that keeps you up at night wondering, "What happens if my hard drive fails?" If so, you need smartmontools. It actually comes pre-installed on most flavours of Linux these days, but, surprisingly, its smartd daemon is not set to run automatically.


smartmontools monitors Self-Monitoring, Analysis and Reporting Technology (S.M.A.R.T.) enabled hard drives for the warning signs that usually precede a complete drive failure. Properly set up, it will alert you to these problems early and may save your data. Of course, you still keep a proper backup system for the drive that dies without warning.


I am assuming that smartmontools is already installed on your machine; if not, you can get it from http://smartmontools.sourceforge.net/.


The first step is to check whether your hard drives are S.M.A.R.T. enabled. You can do this with the smartctl tool that comes with smartmontools. Here is the output I get when I run 'smartctl -d ata -i /dev/sda':

# smartctl -d ata -i /dev/sda
smartctl version 5.36 [i686-redhat-linux-gnu] Copyright (C) 2002-6 Bruce Allen
Home page is http://smartmontools.sourceforge.net/
=== START OF INFORMATION SECTION ===
Device Model:     ST3500630AS
Serial Number:    3QG02JST
Firmware Version: 3.AAC
User Capacity:    500,107,862,016 bytes
Device is:        Not in smartctl database [for details use: -P showall]
ATA Version is:   7
ATA Standard is:  Exact ATA specification draft version not indicated
Local Time is:    Thu Jul 10 05:18:47 2008 PDT
SMART support is: Available - device has SMART capability.
SMART support is: Enabled


Those last two lines are what we are looking for: the drive has SMART capability and SMART is enabled, so we are good to go. If the second line says "Disabled", turn it on with 'smartctl -s on /dev/sda'. A couple of comments about the command I issued. If you want more information about your hard drive, use the -a flag, which prints everything smartctl knows about it, including the attribute table and the self-test log. The '-d ata' flag tells smartctl that it is talking to an ATA drive; older smartmontools releases needed it for SATA drives behind the libata driver, newer ones detect this themselves, so you may not require the -d flag.
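As an added example (not from the original post), here is a small shell parser for the attribute table that 'smartctl -A' prints. It applies the comparison behind smartd's -H and -f alerts, a normalized VALUE that has dropped to its THRESH, and adds a raw-count check on the sector attributes that most reliably precede a failure. The attribute table inside the script is constructed for the demo, not taken from a real drive.

```shell
#!/bin/sh
# Added example, not from the original post: parse the attribute table that
# `smartctl -A` prints and apply the comparison behind smartd's -H/-f alerts
# (normalized VALUE at or below THRESH) plus a raw-count check on the sector
# attributes that most reliably precede a failure. SAMPLE_ATTRS is a
# constructed table for the demo, not output from a real drive.

SAMPLE_ATTRS='ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  1 Raw_Read_Error_Rate     0x000f   100   253   006    Pre-fail  Always       -       0
  5 Reallocated_Sector_Ct   0x0033   030   030   036    Pre-fail  Always       FAILING_NOW 1520
  9 Power_On_Hours          0x0032   097   097   000    Old_age   Always       -       3186
187 Reported_Uncorrect      0x0032   001   001   000    Old_age   Always       -       4278
194 Temperature_Celsius     0x0022   036   045   000    Old_age   Always       -       36
197 Current_Pending_Sector  0x0012   100   100   000    Old_age   Always       -       8
198 Offline_Uncorrectable   0x0010   100   100   000    Old_age   Offline      -       8'

# smart_flags: reads an attribute table on stdin and prints one line per
# attribute worth an alert. A THRESH of 000 means "no threshold", which is
# why the firmware (and `smartctl -H`) never fails on pending sectors alone.
smart_flags() {
    awk '
        $1 ~ /^[0-9]+$/ {
            id = $1 + 0; name = $2; value = $4 + 0; thresh = $6 + 0; raw = $10 + 0
            if (thresh > 0 && value <= thresh)
                print name " FAILING (VALUE " value " <= THRESH " thresh ")"
            else if ((id == 5 || id == 187 || id == 197 || id == 198) && raw > 0)
                print name " raw count " raw " (sector errors, threshold-less)"
        }'
}

# smart_alert_count: number of alert lines; 0 means nothing to report.
smart_alert_count() {
    smart_flags | grep -c .
}

# Demo on the constructed table. On a live system:
#   smartctl -d ata -A /dev/sda | smart_flags
printf '%s\n' "$SAMPLE_ATTRS" | smart_flags
```

Run it against a live drive with 'smartctl -d ata -A /dev/sda | smart_flags'. A nonzero result from smart_alert_count is the point at which you want a fresh backup before doing anything else. The raw-count rule exists because attributes such as Current_Pending_Sector carry a threshold of 000: a drive can report pending sectors and still pass 'smartctl -H', which is also all that smartd's -H directive watches.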


The next step is to edit /etc/smartd.conf with your favourite editor. Here the init script regenerates this file on every start unless you tell it otherwise, and the comment at the top of the file says how: remove the line the comment refers to (the first line of the file), which is what marks the file as auto-generated and free to overwrite. If that leaves a DEVICESCAN line anywhere in the file, delete it as well, because smartd ignores every line after a DEVICESCAN directive and your per-device entries would never be read. If you don't have a smartd.conf at all, you can have the first version generated by starting and stopping smartd with /etc/init.d/smartd start and then /etc/init.d/smartd stop.


Modify the conf file so that our drives will be monitored regularly. Here is my conf file:

# Remove the line above if you have edited the file and you do not want
# it to be overwritten on the next smartd startup.
<SNIP>
/dev/sda -d ata -H -m me@mydomain.ca -M test
/dev/sdb -d ata -H -m me@mydomain.ca -M test
<SNIP>



First off, you will see that I gave the '-d ata' device flag again. -H tells smartd to monitor the drive's SMART health status, which is the firmware's own pass/fail verdict, and report if it fails. -m tells smartd to mail the given address, in this case me, about any issues. '-M test' can only be used together with -m and makes smartd send a test email for that device every time it starts. I have added it because I want to be sure that smartd is really working and can reach me by email.


At the bottom of this post is a partial list of flags that you can use with smartd.


If you simply start smartd now, you will most likely be disappointed: nothing visible happens, because a healthy drive produces nothing more than a line in syslog. Before trusting it, run a one-shot check for each drive so that you can watch smartd open the device and send mail:

echo /dev/sda -d ata -m me@mydomain.ca -M test | smartd  -c - -q onecheck


We are piping a single configuration line to smartd on standard input; the directives are the same ones used in smartd.conf, so I won't go over them again. The flags for smartd itself are new. -c names the configuration file, and the lone dash after it tells smartd to read the configuration from standard input instead of /etc/smartd.conf. -q tells smartd when it should quit; 'onecheck' means check every configured device once and then exit rather than staying resident. Nothing is stored between runs; the point of this one-shot is to confirm that smartd can open the device and that the test email actually arrives.


Here is what I get when I run this command:

echo /dev/sda -d ata -m me@mydomain.ca -M test | smartd  -c - -q onecheck
smartd version 5.36 [i686-redhat-linux-gnu] Copyright (C) 2002-6 Bruce Allen
Home page is http://smartmontools.sourceforge.net/
Opened configuration file <stdin>
Drive: /dev/sda, implied '-a' Directive on line 1 of file <stdin>
Configuration file <stdin> parsed.
Device: /dev/sda, opened
Device: /dev/sda, not found in smartd database.
Device: /dev/sda, is SMART capable. Adding to "monitor" list.
Monitoring 1 ATA and 0 SCSI devices
Executing test of mail to me@mydomain.ca ...
Test of mail to me@mydomain.ca: successful
Started with '-q onecheck' option. All devices sucessfully checked once.
smartd is exiting (exit status 0)


The important line here is:

Device: /dev/sda, is SMART capable. Adding to "monitor" list.

That line confirms smartd could open /dev/sda and considers it a device it can monitor. In my inbox I got this email:


This email was generated by the smartd daemon running on:
  host name: server.mydomain.ca
 DNS domain: mydomain.ca
 NIS domain: (none)
The following warning/error was logged by the smartd daemon:
TEST EMAIL from smartd for device: /dev/sda
For details see host's SYSLOG (default: /var/log/messages).



Once that has worked for all your devices, you can fire up the daemon with '/etc/init.d/smartd start'. If all went well you should have an email like the one above in your inbox for each device in the config file, telling you that the daemon is running and can send email when an issue occurs. The last step is to remove the '-M test' flag from each device line in /etc/smartd.conf (otherwise you get a test email on every restart) and then restart smartd again with '/etc/init.d/smartd restart'.


Be sure that smartd is enabled in runlevels 3, 4 and 5 so that it comes back after a reboot:

chkconfig --level 345 smartd on


That's it for today. Hopefully it will help you sleep better at night.

# HERE IS A LIST OF DIRECTIVES FOR THIS CONFIGURATION FILE
#   -d TYPE Set the device type to one of: ata, scsi
#   -T TYPE set the tolerance to one of: normal, permissive
#   -o VAL  Enable/disable automatic offline tests (on/off)
#   -S VAL  Enable/disable attribute autosave (on/off)
#   -H      Monitor SMART Health Status, report if failed
#   -l TYPE Monitor SMART log.  Type is one of: error, selftest
#   -f      Monitor for failure of any 'Usage' Attributes
#   -m ADD  Send warning email to ADD for -H, -l error, -l selftest, and -f
#   -M TYPE Modify email warning behavior (see man page)
#   -p      Report changes in 'Prefailure' Normalized Attributes
#   -u      Report changes in 'Usage' Normalized Attributes
#   -t      Equivalent to -p and -u Directives
#   -r ID   Also report Raw values of Attribute ID with -p, -u or -t
#   -R ID   Track changes in Attribute ID Raw value with -p, -u or -t
#   -i ID   Ignore Attribute ID for -f Directive
#   -I ID   Ignore Attribute ID for -p, -u or -t Directive
#   -v N,ST Modifies labeling of Attribute N (see man page)
#   -a      Default: equivalent to -H -f -t -l error -l selftest
#   -F TYPE Use firmware bug workaround. Type is one of: none, samsung
#   -P TYPE Drive-specific presets: use, ignore, show, showall
#    #      Comment: text after a hash sign is ignored
#    \      Line continuation character
# Attribute ID is a decimal integer 1 <= ID <= 255
# All but -d, -m and -M Directives are only implemented for ATA devices



REFERENCES
http://www.outofcontrol.ca/2008/07/10/use-smartd-smartmontools-to-prevent-a-disaster/

Thursday, May 6, 2010

Sendmail Config

SkyHi @ Thursday, May 06, 2010

The first layer of spam defense is sendmail itself, because that's the first piece of software to touch each message. Sendmail has a number of different config options that can help you block spam and keep your machine stable.


SMTP Phase: pre-DATA | CPU Use: low | Memory Use: low | False Positives: low | Maintenance: low | Effectiveness: high

greet_pause

As of version 8.13, sendmail added an anti-spam feature called "greet_pause". It is both simple and clever.

In a normal SMTP transaction, first the client connects, then the server sends back a "220" greeting message, then the client sends its HELO command. Some spam programs, however, don't wait for the greeting message. They just send their commands immediately without listening.

The greet_pause feature catches this misbehaviour by pausing briefly before sending out the "220" greeting message. If any command arrives during that pause, sendmail rejects the session with a 554 reply and refuses every subsequent command on that connection, so nothing the client sends gets delivered.

This one is interesting because it actually cuts down on the number of spam attempts, not just the spam deliveries. I figure when the spammers hit the pause they are somehow getting stuck. I'll have a graph of this later - before I enabled greet_pause, I was getting a couple million spam attempts per day; after, only 600,000.

To enable the feature, you need to make two changes. First, in your sendmail.mc file:

FEATURE(access_db)dnl
FEATURE(`greet_pause',5000)dnl

You probably already have access_db defined; it just needs to appear somewhere before greet_pause. The number is how many milliseconds to pause; 5000 = five seconds. Then in your access file add:

GreetPause:localhost    0

The second change prevents the pause from applying to connections from your local machine, which would otherwise be annoying when you're sending mail. If you're doing this on a server which accepts mail from multiple machines, add the same for the whole local network: an access entry keyed by the network prefix (for example, GreetPause:192.168.0    0 for 192.168.0.0/24).

I've heard from a few folks that greet_pause can block some legitimate sites. Those sites should probably fix their mailers, but until that happens you can always whitelist them by adding more entries to your access file.



SMTP Phase: pre-DATA | CPU Use: low | Memory Use: low | False Positives: low | Maintenance: low | Effectiveness: unknown

PIPELINING=0

This is the same basic idea as greet_pause: it disallows connections which slam their bytes out without waiting for responses. While greet_pause operates only at the start of the connection, PIPELINING=0 operates throughout the entire connection.

I tried this for a while and didn't see any effect, aside from some "Broken pipe" messages in the mail log. Only about one per minute, not enough to base a new blacklist on. Since I'm also using greet_pause, I figure that has already weeded out the unauthorized pipeliners. Unless there are some extra-semi-clever spammers who don't do pipelining before the 220 but do do it afterwards even if the greeting says not to, PIPELINING=0 isn't going to add anything. It's possible that if you use PIPELINING=0 and don't use greet_pause, you'll get a benefit; but why would you?

Anyway, if you want to try it, you have to re-compile sendmail. (Supposedly there's a way to disable pipelining without recompiling but I haven't figured that out yet.) Start by adding this to your devtools/Site/site.config.m4:

APPENDDEF(`confENVDEF', `-DPIPELINING=0')

Then remove your obj.* directory so that the Makefiles get regenerated with the new PIPELINING setting. (Just doing a 'make clean' is not sufficient.) Do a make, make install, and restart sendmail.

SMTP Phase: pre-DATA | CPU Use: low | Memory Use: low | False Positives: low | Maintenance: low | Effectiveness: unknown

BAD_RCPT_THROTTLE

This feature tells sendmail to slow down any connections that try to send to lots of non-existent usernames. Some spammers do dictionary attacks, trying to send to thousands of different usernames on your system just to see which ones exist. This throttle tries to deter that behavior. It's unclear how effective it is, but it doesn't harm legitimate mail so why not.

To enable it, add the following to your sendmail.mc file:

define(`confBAD_RCPT_THROTTLE', `1')dnl

The number is how many bad recipients it takes to trigger the throttle, so 1 is the strictest setting. Once the count is exceeded, sendmail sleeps for one second after each further rejected RCPT command on that connection, which turns a dictionary attack of thousands of addresses into an hours-long crawl for the sender.

SMTP Phase: pre-DATA | CPU Use: low | Memory Use: low | False Positives: low | Maintenance: low | Effectiveness: unknown

MAX_RCPTS_PER_MESSAGE

This setting limits the number of recipients allowed on each message. Some spammers try to deliver messages to thousands of recipients at once; this prevents that. If a message comes in with more than the allowed number, the excess recipients are rejected with a temporary failure (452 "Too many recipients"). The recipients under the limit are accepted and get delivered; a real, standards-conforming mailer retries the excess recipients later. Of course the spammers are not running real mailers, so they won't retry.

I set the limit to only ten per message:

define(`confMAX_RCPTS_PER_MESSAGE', `10')dnl

I can go this low because there's really only one user on the site: me. Most sites will probably want to use a higher limit. But again, if the sending system is working properly, the mail will eventually get through to all recipients regardless of this setting.

One downside to this setting is that it applies to outgoing mail too, so I can't send mail to more than ten people at a time because my mail program isn't smart enough to retry the excess recipients. There's probably some way to configure things so this only applies to incoming mail, but I haven't looked into it.


SMTP Phase: pre-DATA | CPU Use: low | Memory Use: low | False Positives: low | Maintenance: low | Effectiveness: unknown

CONNECTION_RATE_THROTTLE

This sets a limit on the number of new connections per second that each listening daemon will accept. It helps protect you against mail-bombs and similar denial-of-service attacks.

define(`confCONNECTION_RATE_THROTTLE', `100')dnl

If the rate goes above the limit, new connections are rejected and the sending mailers have to retry later.

MAX_DAEMON_CHILDREN

This setting helps you keep your system from running out of memory due to too many processes. It lets you set the maximum number of child processes that sendmail will spawn. Putting a limit on the number of processes will keep you from running out of memory. If you figure that each sendmail process uses about two megabytes of memory, then decide how much total memory you want to spend on mail handling and do the division. I have two gigabytes on my current machine, and I figure I can waste half of that on mail, so one gigabyte divided by 2 megabytes is 500:

define(`confMAX_DAEMON_CHILDREN', `500')dnl

Typically I have more like 200 sendmail processes going, but I have run into the 500-process limit on occasion. When that happens, sendmail just stops accepting new connections until some of the existing processes finish.

QUEUE_LA / REFUSE_LA

These two settings help you guard your system against running out of CPU cycles. If the load-average goes above QUEUE_LA, sendmail will stop processing mail. Incoming messages will still be accepted but they'll just get put in a queue to be handled later. If the load-average goes above REFUSE_LA, then sendmail refuses all new connections until the load is lower.

Here are the settings I use:

define(`confQUEUE_LA', `5')dnl
define(`confREFUSE_LA', `20')dnl

Since load-average numbers are not really comparable from one system to another, you'll have to come up with your own values. For reference, sendmail's own defaults are 8 for QUEUE_LA and 12 for REFUSE_LA, each multiplied by the number of processors.

There's also DELAY_LA, which tells sendmail to sleep for one second on each new connection while the loadav is over the specified value. I haven't found this to be useful, especially since I'm already having sendmail sleep for five seconds on every connection regardless of the loadav (see greet_pause).
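Pulling the settings discussed above (plus the timeout values listed in the next section) into one place, here is an added example that is not part of the original article: a script that writes them as an m4 fragment with matching access-map entries and shows the build steps. The 192.168.0 network, the partner host name, the MAX_RCPTS_PER_MESSAGE value of 50 and the cf.m4 path are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the original article: the pre-DATA defences,
# resource limits and timeouts from the text as one m4 fragment plus the
# access-map entries greet_pause needs. The 192.168.0 network, the partner
# host, the recipient limit of 50 and the cf.m4 path are assumptions.

write_sendmail_antispam() {
    # usage: write_sendmail_antispam DIR   -> DIR/antispam.m4 and DIR/access
    cat > "$1/antispam.m4" <<'EOF'
dnl Include from sendmail.mc *after* FEATURE(access_db): greet_pause looks
dnl up its exemptions in the access map.
FEATURE(`greet_pause', `5000')dnl
define(`confBAD_RCPT_THROTTLE', `1')dnl
define(`confMAX_RCPTS_PER_MESSAGE', `50')dnl
dnl Resource limits: keep a mail flood from exhausting memory or CPU.
define(`confCONNECTION_RATE_THROTTLE', `100')dnl
define(`confMAX_DAEMON_CHILDREN', `500')dnl
define(`confQUEUE_LA', `5')dnl
define(`confREFUSE_LA', `20')dnl
dnl Timeouts: an idle client must not hold a child process for an hour.
define(`confTO_COMMAND', `1m')dnl
define(`confTO_HELO', `2m')dnl
define(`confTO_MAIL', `1m')dnl
define(`confTO_RCPT', `1m')dnl
define(`confTO_DATAINIT', `1m')dnl
define(`confTO_DATABLOCK', `1m')dnl
define(`confTO_DATAFINAL', `1m')dnl
define(`confTO_RSET', `1m')dnl
define(`confTO_QUIT', `1m')dnl
EOF
    cat > "$1/access" <<'EOF'
# No greeting pause for the host itself or the internal network (assumed 192.168.0/24)
GreetPause:localhost            0
GreetPause:127.0.0.1            0
GreetPause:192.168.0            0
# Whitelist one legitimate peer whose mailer talks before the banner (assumed name)
GreetPause:mail.partner.example 0
EOF
}

# build_sendmail_cf DIR: rebuild the access map and sendmail.cf, then restart.
# Assumes `include(`DIR/antispam.m4')dnl` was added to sendmail.mc below
# FEATURE(access_db) and that cf.m4 lives where Red Hat puts it. Not run by
# the demo below.
build_sendmail_cf() {
    makemap hash "$1/access" < "$1/access" &&
    m4 /usr/share/sendmail-cf/m4/cf.m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf.new &&
    mv /etc/mail/sendmail.cf.new /etc/mail/sendmail.cf &&
    /etc/init.d/sendmail restart
}

# Demo: write the fragments to a scratch directory and list them.
demo_dir=$(mktemp -d)
write_sendmail_antispam "$demo_dir"
ls -l "$demo_dir"
rm -rf "$demo_dir"
```

The fragment deliberately leaves PIPELINING alone, since that is a compile-time choice. After the rebuild, a quick functional check of greet_pause is to open a telnet session to port 25 from a host outside the exempted network and type EHLO before the banner appears: the reply should be a 554 rather than a 250.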


timeouts

Sendmail lets you specify timeouts for various phases of the mail transaction. Some of the default values are ridiculously high. For instance, up to an hour waiting for the next command to be issued. This can result in a bunch of sendmail processes sitting around twiddling their thumbs, using up memory. I lower the command timeout to a minute, and a lot of the other timeouts too.

My settings:

define(`confTO_ICONNECT', `15s')dnl
define(`confTO_CONNECT', `3m')dnl
define(`confTO_HELO', `2m')dnl
define(`confTO_MAIL', `1m')dnl
define(`confTO_RCPT', `1m')dnl
define(`confTO_DATAINIT', `1m')dnl
define(`confTO_DATABLOCK', `1m')dnl
define(`confTO_DATAFINAL', `1m')dnl
define(`confTO_RSET', `1m')dnl
define(`confTO_QUIT', `1m')dnl
define(`confTO_MISC', `1m')dnl
define(`confTO_COMMAND', `1m')dnl
define(`confTO_STARTTLS', `2m')dnl

REFERENCES
http://www.acme.com/mail_filtering/sendmail_config.html


Tuesday, May 4, 2010

Slow SSH Logins on CentOS 5

SkyHi @ Tuesday, May 04, 2010

Following any of the usual how-tos didn't leave me with a speedy login. I eventually tracked the problem down to a particularly monumental bug in Red Hat's OpenSSH server (apparently fixed upstream, which does us no good now).


The fix


  1. Edit /etc/ssh/sshd_config.
  2. Find and change these lines (or add them if missing):

     GSSAPIAuthentication yes
     ...
     #UseDNS yes

     to

     GSSAPIAuthentication no
     ...
     UseDNS no

  3. Validate with 'sshd -t', reload sshd, and enjoy.

What the two settings do: with GSSAPIAuthentication yes, sshd offers Kerberos (GSSAPI) authentication, and the client's attempt to use it stalls while the Kerberos library hunts for a KDC through DNS; set it to no unless you actually log in with Kerberos tickets. With UseDNS yes, sshd reverse-resolves every client address and checks that the name resolves back, which hangs on slow or missing reverse DNS; turning it off only matters if you rely on host-name patterns in authorized_keys 'from=' options, which need that lookup.
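As an added example (not part of the original post), the following script makes the two changes from the steps above idempotently and validates the result with 'sshd -t' before reloading, so a typo cannot lock you out. The sample sshd_config inside demo_sshd_edit is constructed for the demo, and the daemon and init-script paths assume CentOS 5.

```shell
#!/bin/sh
# Added example, not from the original post. Sets the two sshd_config
# directives from the fix above without duplicating them, leaves Match
# blocks alone, and checks the file with `sshd -t` before reloading.
# Paths assume CentOS 5; the demo config at the bottom is constructed.

# set_sshd_option FILE KEYWORD VALUE
# Replaces the first global occur­rence of KEYWORD (commented out or not),
# drops later global duplicates (sshd honours only the first), never touches
# lines inside a Match block, and appends the directive before the first
# Match block if it was not present at all.
set_sshd_option() {
    file=$1 key=$2 val=$3
    awk -v k="$key" -v v="$val" '
        /^[ \t]*Match([ \t]|$)/ && !inmatch {
            inmatch = 1
            if (!done) { print k " " v; done = 1 }
        }
        inmatch { print; next }
        $0 ~ ("^[ \t]*#?[ \t]*" k "([ \t]|$)") {
            if (!done) { print k " " v; done = 1 }
            next
        }
        { print }
        END { if (!done) print k " " v }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# apply_ssh_fix [FILE]: back up, edit, validate, reload; restore on failure.
apply_ssh_fix() {
    cfg=${1:-/etc/ssh/sshd_config}
    cp -p "$cfg" "$cfg.bak"
    set_sshd_option "$cfg" GSSAPIAuthentication no
    set_sshd_option "$cfg" UseDNS no
    if /usr/sbin/sshd -t -f "$cfg"; then
        /etc/init.d/sshd reload
    else
        echo "sshd_config failed validation; restoring backup" >&2
        mv "$cfg.bak" "$cfg"
        return 1
    fi
}

# demo_sshd_edit: run the edit on a constructed sample and show the result
# (no daemon involved, so it is safe to run anywhere).
demo_sshd_edit() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
# constructed sample, mirroring the stock CentOS 5 file
Port 22
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
#UseDNS yes
Match User backup
    GSSAPIAuthentication yes
EOF
    set_sshd_option "$tmp" GSSAPIAuthentication no
    set_sshd_option "$tmp" UseDNS no
    grep -En '^(#?UseDNS|#?GSSAPIAuthentication|Match)' "$tmp"
    rm -f "$tmp"
}

demo_sshd_edit
```

Note that 'sshd -t -f FILE' only checks syntax; it does not tell you whether disabling GSSAPI breaks a Kerberos user, so keep the existing session open and test a fresh login before closing it.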

Side Note


If you use CentOS you are probably unable to restart your SSH server cleanly, and you don't know it.


I also ran into this problem while attempting to restart the ssh server. Everything seemed to work, but the logs showed serious errors: it complained about being unable to bind to port 22. To see if you have the same problem, follow these steps:


/etc/init.d/sshd reload

tail /var/log/secure

If you find something like the following:

sshd[20213]: Server listening on :: port 22.
sshd[20213]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.

then sshd got its IPv6 listener up but could not add a separate IPv4 one. Note that "::" is the IPv6 wildcard ("any") address, not localhost (that is ::1), and 0.0.0.0 is the IPv4 wildcard. Before changing anything, check what is actually accepting connections ('netstat -lntp | grep :22') and try a login over IPv4; if that works, the message is noise rather than an outage. If you want sshd to listen on IPv4 only, edit

/etc/ssh/sshd_config

and change

#ListenAddress 0.0.0.0
#ListenAddress ::

to

ListenAddress 0.0.0.0
#ListenAddress ::

Be aware that this drops IPv6 SSH access entirely; if you need both, uncomment both lines. Validate with 'sshd -t' before reloading.

Hope this helps!

================================================

The script below, from the forum thread named in its header comment, goes a step further and drops all IPv6 traffic with ip6tables, so that IPv4-only firewall rules cannot be bypassed over IPv6. Note that the OUTPUT DROP policy also blocks IPv6 loopback (::1), so any local service that talks to itself over ::1 stops working; as the comments in the script say, leaving IPv6 out of the kernel is the cleaner option.

[root@home]# cat disableipv6.sh

#!/bin/sh
#http://usalug.org/phpBB2/viewtopic.php?t=13265
# For debugging use iptables -v.
IPTABLES="/sbin/iptables"
IP6TABLES="/sbin/ip6tables"
MODPROBE="/sbin/modprobe"
RMMOD="/sbin/rmmod"
ARP="/usr/sbin/arp"

#------------------------------------------------------------------------------
# Completely disable IPv6.
#------------------------------------------------------------------------------

# Block all IPv6 traffic, otherwise the firewall might be circumvented by an
# attacker who simply sends IPv6 traffic instead of IPv4 traffic.
# Note: The safest way to prevent IPv6 traffic is to not enable support for
# IPv6 in the kernel in the first place (neither built-in nor as a module).

# If the ip6tables command is available, try to block all IPv6 traffic.
if test -x $IP6TABLES; then
  # Set the default policies (drop everything).
  $IP6TABLES -P INPUT DROP 2>/dev/null
  $IP6TABLES -P FORWARD DROP 2>/dev/null
  $IP6TABLES -P OUTPUT DROP 2>/dev/null

  # The mangle table can pass everything through unaltered (we don't use it).
  $IP6TABLES -t mangle -P PREROUTING ACCEPT 2>/dev/null
  $IP6TABLES -t mangle -P INPUT ACCEPT 2>/dev/null
  $IP6TABLES -t mangle -P FORWARD ACCEPT 2>/dev/null
  $IP6TABLES -t mangle -P OUTPUT ACCEPT 2>/dev/null
  $IP6TABLES -t mangle -P POSTROUTING ACCEPT 2>/dev/null

  # Delete all rules.
  $IP6TABLES -F 2>/dev/null
  $IP6TABLES -t mangle -F 2>/dev/null

  # Delete all (non-builtin) user-defined chains.
  $IP6TABLES -X 2>/dev/null
  $IP6TABLES -t mangle -X 2>/dev/null

  # Zero all packet and byte counters.
  $IP6TABLES -Z 2>/dev/null
  $IP6TABLES -t mangle -Z 2>/dev/null
fi

REFERENCE

http://www.dbaranski.net/2010/03/slow-ssh-logins-on-centos-5/

Ubuntu 9.10: network-manager-Openvpn "vpn service failed to start"

SkyHi @ Tuesday, May 04, 2010

So this is quite frustrating:


Background:

In Ubuntu 9.04 I had a VPN connection configured in order to use Witopia. It worked.

Under Ubuntu 9.04 I used these instructions to set everything up.

I upgraded to Ubuntu 9.10 and now it doesn't work.

Problem:

In Network Manager, under VPN Connections, when I select my "openvpn" connection I get this error message:

The vpn connection 'openvpn' failed because the VPN service failed to start.


More Info:


Here is what it says in Sys Log:


(note the two 'No VPN secrets!' warnings)

Nov  7 21:05:21 ubuntu-laptop NetworkManager: <info>  Starting VPN service 'org.freedesktop.NetworkManager.openvpn'...
Nov  7 21:05:21 ubuntu-laptop NetworkManager: <info>  VPN service 'org.freedesktop.NetworkManager.openvpn' started (org.freedesktop.NetworkManager.openvpn), PID 1974
Nov  7 21:05:22 ubuntu-laptop NetworkManager: <info>  VPN service 'org.freedesktop.NetworkManager.openvpn' just appeared, activating connections
Nov  7 21:05:22 ubuntu-laptop NetworkManager: <info>  VPN plugin state changed: 1
Nov  7 21:05:22 ubuntu-laptop NetworkManager: <info>  VPN plugin state changed: 3
Nov  7 21:05:22 ubuntu-laptop NetworkManager: <info>  VPN connection 'openvpn' (Connect) reply received.
Nov  7 21:05:22 ubuntu-laptop NetworkManager: <WARN>  nm_vpn_connection_connect_cb(): VPN connection 'openvpn' failed to connect: 'No VPN secrets!'.
Nov  7 21:05:22 ubuntu-laptop NetworkManager: <WARN>  connection_state_changed(): Could not process the request because no VPN connection was active.
Nov  7 21:05:22 ubuntu-laptop NetworkManager: <info>  Policy set 'Auto eth0' (eth0) as default for routing and DNS.
Nov  7 21:05:35 ubuntu-laptop NetworkManager: <debug> [1257624335.001600] ensure_killed(): waiting for vpn service pid 1974 to exit
Nov  7 21:05:35 ubuntu-laptop NetworkManager: <debug> [1257624335.001766] ensure_killed(): vpn service pid 1974 cleaned up
Nov  7 21:05:40 ubuntu-laptop NetworkManager: <info>  Starting VPN service 'org.freedesktop.NetworkManager.openvpn'...
Nov  7 21:05:40 ubuntu-laptop NetworkManager: <info>  VPN service 'org.freedesktop.NetworkManager.openvpn' started (org.freedesktop.NetworkManager.openvpn), PID 1978
Nov  7 21:05:40 ubuntu-laptop NetworkManager: <info>  VPN service 'org.freedesktop.NetworkManager.openvpn' just appeared, activating connections
Nov  7 21:05:40 ubuntu-laptop NetworkManager: <info>  VPN plugin state changed: 3
Nov  7 21:05:40 ubuntu-laptop NetworkManager: <info>  VPN connection 'openvpn' (Connect) reply received.
Nov  7 21:05:40 ubuntu-laptop NetworkManager: <WARN>  nm_vpn_connection_connect_cb(): VPN connection 'openvpn' failed to connect: 'No VPN secrets!'.
Nov  7 21:05:40 ubuntu-laptop NetworkManager: <WARN>  connection_state_changed(): Could not process the request because no VPN connection was active.
Nov  7 21:05:40 ubuntu-laptop NetworkManager: <info>  Policy set 'Auto eth0' (eth0) as default for routing and DNS.
Nov  7 21:05:53 ubuntu-laptop NetworkManager: <debug> [1257624353.002543] ensure_killed(): waiting for vpn service pid 1978 to exit
Nov  7 21:05:53 ubuntu-laptop NetworkManager: <debug> [1257624353.002711] ensure_killed(): vpn service pid 1978 cleaned up


What I have tried so far:

Reading through the Ubuntu forums and searching Google, it seems many people are having this problem. It also doesn't appear to be a new problem (although I did not experience it in Ubuntu 9.04).

I tried to remove the openvpn and network-manager-openvpn packages, add them again and create new connection profiles.

Unfortunately without success.

Any ideas?


Update:

Apparently the following method has worked for some; can anyone confirm?

  • In the VPN settings, uncheck the option "Available to all users"
  • Enable MPPE

Doing so will apparently solve the issue. I have not yet tested this.


Update 2009.12.09:

The proposed fix did not work for me.

At this moment in time, I am of the assumption that this problem is occurring mainly on machines that had a previous VPN set up and were then updated.


Update 2009.12.25:

Two new solutions have been proposed. Before you try them, consider which is the better fit: Solution 1 lets Network Manager use PPTP, whose MPPE/MS-CHAPv2 encryption is considerably weaker than the TLS-based tunnel OpenVPN provides. So I would recommend that you try Solution 2 first; if that doesn't work for you, undo the changes and try Solution 1.


Solution 1:

Install the package network-manager-pptp:

sudo apt-get install network-manager-pptp

Then it should work, as has been reported in the comments section.


Solution 2:

Edit your /etc/network/interfaces file. Change it from this:

auto lo
iface lo inet loopback

To this:

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp

Keep the lo stanza; removing the loopback interface breaks local services that bind to 127.0.0.1. Be aware that on Ubuntu, NetworkManager stops managing any interface that is configured in /etc/network/interfaces, so after this change eth0 is brought up by ifupdown rather than from the NetworkManager applet. This has also been reported to work for some.


REFERENCES

http://www.cognitivecombine.com/2009/11/ubuntu-9-10-network-manager-openvpn-vpn-service-failed-to-start/

Monday, May 3, 2010

LDAP Authentication for IPPlan (Apache / Linux)

SkyHi @ Monday, May 03, 2010

As you may have read, I’m testing with an IP management tool, called IPPlan.

Since I’m not the only one at our company, that need access to
IPPlan and I wasn’t planning in doing a lot of user management, I
did a try to connect IPPlan to our Active Directory (LDAP) environment.


It took me a while to figure it out, maybe cause the lack of
“good” documentation or my experience. It doesn’t
matter, because it is working now. This is what I did to get it working.


Go to the "user" subdirectory of the "ipplan" directory, the full path (here) is "/var/www/ipplan/user", and create a file named ".htaccess" with the following contents:

AuthType Basic
AuthName "IP Plan LDAP Authentication"
AuthBasicProvider ldap
AuthLDAPURL ldap://ldapserver:389/ou=accounts,dc=robmaas,dc=eu?cn
AuthLDAPRemoteUserIsDN off
Require valid-user


The "ldapserver" is just the IP or DNS name of your LDAP (AD) server. The rest is a standard LDAP URL: the search base (replace the domain components with your own) and, after the "?", the attribute that the supplied user name is matched against. On Active Directory "cn" is the display name; use "sAMAccountName" if people should log in with their Windows account name.


If your LDAP server needs authentication, as mine does, add the following two directives:

AuthLDAPBindDN "ldap@robmaas.eu"
AuthLDAPBindPassword "secret"

Two cautions here: use a dedicated, read-only account for the bind, and remember that with ldap:// this password and every user's password cross the network in clear text; use ldaps:// to the directory server wherever you can.


Make sure your Apache configuration permits ".htaccess" files for this directory by setting "AllowOverride" to All, like this (AuthConfig is enough for these directives and is the safer choice):

AllowOverride All

Don't forget this; it took me about 2 hours before I got it. Because the file now holds a bind password under the document root, also confirm that your Apache still has the default rule refusing to serve anything whose name starts with .ht (the <FilesMatch "^\.ht"> block in httpd.conf); otherwise the password is one URL away. Putting the same directives in the server configuration instead of .htaccess avoids the issue entirely.

Also don't forget to enable the LDAP authentication module in Apache (mod_authnz_ldap needs mod_ldap as well):

a2enmod ldap
a2enmod authnz_ldap


After this we need to edit "config.php". Find the following line:

define("AUTH_INTERNAL", TRUE);

and change it to:

define("AUTH_INTERNAL", FALSE);

The last change I had to make was this line:

define("AUTH_VAR", 'PHP_AUTH_USER');

which becomes

define("AUTH_VAR", 'REMOTE_USER');

(REMOTE_USER is the variable Apache's authentication modules export for the authenticated user name.)


That’s it, after restarting the Apache (httpd) service, it should all work.


Don't forget: the authentication is done through LDAP, but IPPlan still needs a user record with the same name, so you still have to create the users in IPPlan.

Sidenote: if the site is served over plain HTTP, Basic authentication sends the user names and passwords in clear text to the web server on every request. In that case you should migrate it to HTTPS.
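For comparison, here is a hardened variant of the configuration above as an added example; it is not from the original post or from IPPlan. It keeps the same directives but moves them into the server configuration, uses LDAPS, matches on sAMAccountName and restricts access to one AD group. The host name, base DN, bind account, group DN and CA file path are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post or the IPPlan project: the same
# LDAP authentication as a server-level <Directory> block, hardened (LDAPS,
# AD account-name attribute, group restriction), so the bind password does
# not live in a .htaccess under the document root and AllowOverride can stay
# None. Host, base DN, bind account, group DN and CA path are placeholders.

write_ipplan_ldap_conf() {
    # usage: write_ipplan_ldap_conf OUTFILE  (e.g. /etc/apache2/conf.d/ipplan-ldap.conf)
    cat > "$1" <<'EOF'
# Original, weaker form for comparison (was in /var/www/ipplan/user/.htaccess):
#   AuthLDAPURL ldap://ldapserver:389/ou=accounts,dc=robmaas,dc=eu?cn
#   AuthLDAPBindPassword "secret"
#
# Hardened form. mod_ldap needs the directory's CA certificate to verify the
# LDAPS connection; these two directives are server-wide.
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/ad-root-ca.pem
LDAPVerifyServerCert On

<Directory /var/www/ipplan/user>
    AuthType Basic
    AuthName "IP Plan LDAP Authentication"
    AuthBasicProvider ldap
    # ldaps:// so neither the bind password nor user passwords cross the wire
    # in clear. sAMAccountName is the login name on Active Directory; cn is
    # the display name, which is what ?cn would make users type.
    AuthLDAPURL "ldaps://ldapserver.example.test:636/ou=accounts,dc=example,dc=test?sAMAccountName?sub?(objectClass=user)"
    AuthLDAPBindDN "CN=ipplan-bind,OU=Service Accounts,DC=example,DC=test"
    AuthLDAPBindPassword "change-me"
    AuthLDAPRemoteUserIsDN off
    # Only members of one AD group may reach IPPlan, not every valid account.
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on
    Require ldap-group CN=ipplan-users,OU=Groups,DC=example,DC=test
</Directory>
EOF
}

# Demo: write to a scratch file and show the access-control lines.
demo_conf=$(mktemp)
write_ipplan_ldap_conf "$demo_conf"
grep -E '^[[:space:]]*(AuthLDAPURL|Require)' "$demo_conf"
rm -f "$demo_conf"
```

Before wiring this into Apache, prove the bind and the search work from the command line with ldapsearch against the same LDAPS URL, bind DN and filter; Apache's error log for a failed bind is far less informative. After a reload, fetching /ipplan/user/.htaccess with curl should return 403, which confirms the .ht* protection is still in place even though the secret no longer lives there.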


REFERENCES
http://www.progob.nl/robmaaseu/?cat=6

Freeware Tools For Linux

SkyHi @ Monday, May 03, 2010
Know your IP address at: itsyourip

DNS related: Dnsstuff, Global Whois Tool, Dnsreport, Dnstools, Online nslookup tool, CheckDNS, squish.net dns checker, DNScheck, Zonecheck, Pingability, DNSdoctor, Name Server Zone Transfer Tool, MyDNSConfig, Lookup Server, Online dig tool for dns, Online DNS Dig Tool, Web host select online Dig Tool

Network management tools: Nagios, Cacti, Mrtg, Munin, Rtg, Argus, Jffnms, Zabbix, Healthmonitor, nPulse, BandwidthD

Backup: Bacula, Amanda, Rdiff, Rsnapshot, Rsync, Flexbackup, Dump, Abakt, BackupPC, Dirvish

IP Management Software: Phpip, IPplan

Centralized syslog: Syslog-NG, Rsyslog, Modular Syslog

ISP Control Panel Software: VHCS, ISPConfig, Syscp, Ravencore, Alternc, Hostingsoftware, ISPman, Yupapa, Acctmgr, Domain Technologie Control (DTC)

ISP Billing Software: gcdb, cwISPy, MiniBill, ispbs, MadBMS, Freeside, CitrusDB

Mail servers: Qmail, Postfix, Sendmail, Exim

DNS servers: Bind, Djbdns, Dents, Xyria, Powerdns

Groupware: Simplegroupware, Moregroupware, Synergy, Conflux, eGroupware, Hipergate, Tent, Opengroupware, Groupoffice, Trac

Proxy Servers: Proxy, Oops, Squid, Phpwebproxy, FFproxy

Anti-Virus: Clamav, F-Prot, Bitdefender, Openantivirus, Aegisantivirus

HTML Editors: Quanta Plus, Nvu

FTP servers: PureFTP, ProFTPD, mtftpD, bftpd, MySecureShell, moftpd, vsftpd, TwoFTPd, WU-FTPD

FTP Clients: PHP FTP Client, Kasablanca, Secure FTP, Web-FTP, net2ftp, phpftp, WTP

Web Servers: Apache, japach, Lighttpd, thttpd, Mathopd, Boa, Jigsaw, CERN httpd, Webrick, CL-HTTP, Cherokee, Yaws

Hard Disk Cloning: Ghost for Linux, PartitionImage, g4u, SystemImager, CloneIt, hdimage

Wiki software: ChuWiki, DokuWiki, ErfurtWiki, Flexwiki, Instiki, Kwiki, MediaWiki, MoinMoin, OpenWiki, PmWiki, PhpWiki, PikiPiki, TiddlyWiki, TikiWiki, Twiki, UseModWiki, WackoWiki, WikkaWiki, XWiki, Zwiki

ERP and CRM Software: Tiny ERP, FacturaLUX, CK-ERP, OpenAspect, Dolibarr, EGS, ONess, Sequoia, Compiere, OneMaxx, FreerP

Instant messaging servers: ejabberd, IServerd, xmppd.py

Web browsers: Amaya, Epiphany, ELinks, Galeon, Konqueror, Links, Lynx, Mozilla Firefox, Mozilla SeaMonkey

Publishing: Passepartout, Scribus

Password management: Ked Password Manager, KeePass, Password Safe, PINs

Password generators: APG, SPG, Mpm, Pwg, Password Creator, Passook

Antispam Software: AntiSpam-filter, tarpit_antispam, Sagator, POPMail, CRM114 Discriminator, Quick Spam Filter, Maildrop Spam Filter, DSPAM, Spamikaze, SpamAssassin

CAE: CAELinux, Code-Aster, Elmer, Impact, Salome, jCAE

Encryption: CrossCrypt, GnuPG, NeoCrypt, Seahorse, TrueCrypt, bcrypt, PGP

Text Editors: Acme, Bluefish, Elvis, Gedit, GNU Emacs, gPHPEdit, jEdit, Katoob, KWrite, Nano, NEdit, Vim

Middleware: Geronimo, Jakarta Tomcat, JBoss, JBoss jBPM, Mule, ObjectWeb JOnAS, ObjectWeb JORAM, ObjectWeb C-JDBC, ObjectWeb Celtix, ObjectWeb Shark, ObjectWeb JOTM, ObjectWeb OSCAR, ObjectWeb ProActive, ObjectWeb Speedo

Image viewers: Cat-Photo, imgSeek, Imgv, Java Image Browser and Sorter, JImageView, Image Viewer, views

IDS (Intrusion Detection System): Snort, Tripwire, Rule-based IDS, Tiger security tool, AIDE, ViperDB, Integrit, Armed

Protocol analysis and sniffing: Ethereal, Tcpdump, Etherape, Ntop, Snort

Security scanners: Nessus, Nmap, Network Security Analysis Tool, Sussen, SystemSearcher

IP telephony: GNU Bayonne, Openh323

P2P file sharing: Azureus, BitTorrent, BitTornado, DC++, eMule, Freenet, giFT, Gnucleus, GNUnet, Hydranode, Lime Wire

Mortgage Calculators: Mortgage & Loan Calculator, PHP Mortgage Calculator, Mortgage Calculator Plus, mcalc

Forums: Forums, vtiger, SiteNet BBS, Quicksilver, GrimForum, phpBB, vbulletin, punBB, Sniz Forums 2000

RSS Feed Generators: RSS Builder, Tiny Tiny RSS, RSS Mix Tape, RSS Writer class, instantRSS, FeedCreator

Video editing: Avidemux, Cinelerra, GNU VCDImager, Jahshaka, Kino, VirtualDub, LiVES

Television: Freevo, K!TV, MythTV, tvtime, xawtv

PDF Viewers and Creators: Evince, Kpdf, ViewPDF.app, ghostscript, pdfcreator, pdftk, reportlab, xpdf

Insurance Software: CC-Manager, Home Insurance Inventory Wizard, Freemed-YiRC

Todo List managers: Motodo, Tudu Lists, ukolovnik, phpTodo, ToDo Manager, PHP 2 Do, TAF, QTodo, Tux ToDo, Agnostos, ackerTodo, PHP TODO, WebTodo

File Splitters: TkSplit, KJSplit, Psplit

Software License Management: phpLicenseWatcher, Application Distribution Licensing System, Software License Audit, License Tracker, lGen

Mind Mapping: Freemind, View your Mind, KDissert

Astronomy: XEphem, Xplns, Qastrocam, avsomat, KAstrHorloge, Lin4Astro

Photo Albums: Simple Photo Album, Web Photo Album, Atomic Photo Album, iPhotoAlbum, Slooze PHP Web Photo Album, yappa-ng, zphoto, A-Gen

Plotting: Gnuplot, Grace, LabPlot, QtiPlot, SciGraphica, XyVue, pyglplot

DVD Rippers: QuickRip DVD, Lxdvdrip, DVDRipper, FooRipper, Thoggen

Learning support: ATutor, Dokeos, ILIAS, Moodle, OLAT, Sakai

Webcam Software: webcamserver, sn-webcam, Cacam, eCam, camE

Workflow Engines: Bonita, OpenWFE, OpenSymphony, SWAMP, con:cern, Taverna, Bossa

Expenses Management: Simple Expenses Manager, j2Wallet, Cash2ME, Money Share, SharedExpenses, Sigma Expense

Document Management: DM, SmartDms, WDMS, yaDMS, DocumentManager, Eidetic DMS, openPro

Screen savers: Electric Sheep, Flurry, XScreenSaver, Boinc

Journal Software: eJourn, Article System, atengine, Discloser

Build Management: luntbuild, Invicta, Vesta, Caterpillar

HR (Human Resource) Management: Electronic HR Management System, OrangeHRM, Open Source HR Information System

Scanning probe microscopy: Gxsm, Gwyddion

Window managers: Blackbox, Evilwm, CTWM, Fluxbox, HaZe, IceWM, Ion, Openbox

TeX software: AUCTeX, ArabTeX, Beamer (LaTeX), MiKTeX, PdfTeX

Last Updated 24th September 2006

Radius Servers: Freeradius, Cistron, Dtc, GNUradius, Radiator, Openradius

Weblog analyzers: Analog, Webalizer, Awstats, Lire, Logminer, Yaalr, WebDruid, Logrep, PhpMyVisites

Load balancing and High-Availability services: Ultramonkey

Pound

Linux-ha

Drbd




Websites counter




WWWcounter


Phpcounter




Online IP Subnet calculator




Subnet-Calculator



Subnet


Subnetmask



Linux Data Recovery Tools




Linuxrecovery



Testdisk


SystemrescueCD

KnoppixliveCD

dvdisaster


Stellar


Mondo Rescue

mkCDrec

ReaR


Change
log Management



Elog


Change
Control Request Manager


Brage-CM







Inventory and Help desk
software's





Helpdeskreloaded


F2w


Phphelpdesk



Helpmeict



Networkmanagementcenter



Freehelpdesksoftware


H-inventory


Assettracker



Irm

Cowtacular



partition
software


Parted

Partlogic


Sformat



Firewalls

Bgsec

Netprotect

Fiaif

TurtleFirewall

Shorewall

Efw

Lutelwall

IPcop

Smoothwall

M0n0

Gibraltar


CD Burning
software



DVDtools

Bashburn

Bbb

K3b

CDbakeoven

Burgner


Database Servers



Mysql

Postgresql

Sqlite

BerkeleyDB

Firebird

Picosql

Hsqldb

GNUsql

DB4o

Ingres

GT.M


Office Software
Suites




Gnome
Office


KOffice

OpenOffice

Siag Office


SOT Office


Concurrent
Versioning System (CVS) server





CVS


DCVS

CVSNT


LysCVS


Concurrent
Versioning System (CVS) Client




CVS Web
Client


SandWeb

gCVS

LinCVS


cvsweb


Cervisia


cvsphpview


Router
Management





jRouter


Telconi


File managers



emelFM

emelFM2

Konqueror

Krusader


Midnight Commander



Nautilus



Rox-Filer



Content
management system(CMS)




Geeklog

Metadot Portal Server


MODx

myPHPNuke

PHP-Nuke

phpWebSite


Scoop

SPIP

Typo3

WebGUI


Xaraya

Drupal

Xoops


Portal Server




JBoss Portal Server


Jetspeed
2 Portal Server


Joomla

Liferay

Metadot Portal Server


PHP-Nuke

PostNuke

Rainbow Portal


uPortal



Media players



AmaroK


Beep Media Player


CoolPlayer

Kaffeine



Media Player Classic



MPlayer


musikCube

SkiTunes


Totem


VLC media player


Xine

XMMS

Zinf



Remote access



FreeNX


GenControl


Synergy


VNC

Karoshi

OCS
Inventory NG



Operating
systems




DragonFly
BSD


FreeBSD

NetBSD

OpenBSD


Contiki


ECos

GNU

Haiku


Inferno


Linux


List of Linux distributions


NewOS

OpenSolaris


Plan 9 from
Bell Labs



ReactOS


Syllable


Sunsolaris



Mailing List
Managers




Mailman

Mailing List

jclement

mlmmj

PHPMyList

Dada Mail


Majordomo


Minimalist

ezmlm-idx


CAD



freeCAD

JCad

QCad

BRL-CAD

VariCAD

CADSM


FREEdraft


Engy CAD

CYCAS


Webmail



SquirrelMail

WebMail

Personal
Python


Simple
Webmail



Null Webmail



oMail-Webmail


Decimail Webmail

PixMail

Dolda Webmail

Open WebMail

PHlyMail


Email Client



Ascension Email

My Mail Client

Kmail

Mahogany Mail

Mozilla
Thunderbird


Mutt


Novell Evolution


Phoenix Mail

Sylpheed



Download Manager



Download
Manager


Mtdownload

Konan


GDownloader


PHP
Download Manager


Claros Downloader

UrlGfe

KMAGO

QuickDownloader


Personal
information managers




Chandler


KAddressBook



GNOME-PIM


yq

PackRat

My Personal Home
Page



XNotesPlus


Booby


Fax Related



HylaFax

Efax


Kphonecenter


efax


Video/audio
conference




GnomeMeeting

vat/vic/wb


rat/wbd/nte



NeVoT


IVS


Instant
Messaging




Licq

Centericq

Alicq

Micq

Gaim

Ayttm

Kopete

Everybuddy

Simple Instant
Messenger


Ickle

aMSN

Kicq



Sharing
data/files




NFS

Samba

Samba-TNG


Memory testing



Memtest86


memtest



Rumt


Memwatch


Memcheck


Finance



GnuCash

Grisbi

JMoney

KMyMoney


PayThyme

QuantLib


QuotesViewer


SQL Ledger

TurboCASH

phpfin

jgnash


Real Estate
Management





REMS


Abitare


Realty Manager


Open-Realty


Blogs



Nucleus

pLog

Serendipity

phpBB Blog

BLOG:CMS

blur6ex


pppBLOG



PolkaDot Blog


Guestbook



Advanced
Guestbook


guestbook


mySQL-Guestbook


FG
Guestbook


Big Sam

Achims Guestbook

phpGB

Simple Posting
System


KISGB


2D Animation



F4L

KToon

Synfig Studio



3D Animation




3DLDF


Aqsis

ArtofIllusion

K-3D

Blender

Image
galleries




Album
shaper


Camera Life


Coppermine
Gallery


Gallery

Open Clip Art
Library


KIG

MIG

DivePix

TFT Gallery


Virtual Private
Servers




User
Mode Linux (UML)



Xen


Linux-VServer

Qemu

Plex86

Bochs

FreeVPS


Data mining



Weka

YALE

bang


Weka-Parallel


Ferda Data Miner

Content-Based
Cross-Site Web Data Mining


Dental Software



LinuDent


OdontoLinux!


Open Dental Software


FAQ Management
and Generators




phpMyFAQ

FAQ-U

FAQ PLAIN

Faq-O-Matic


FAQ-Pool


Self Serve
FAQ


@1 FAQ Publisher


phpFAQ


FAQtor


FAQman


ODFaq

FaqMaker


StandardFAQ



KnowledgebasePublisher


Multimedia
codecs,containers and splitters




FLAC

LAME

Matroska

Musepack

Ogg Vorbis

Xvid

MP3
Splitter


splitmastream


Management
Information Systems (MIS)




FreeMIS

Schooltool


Centre


Class

MRBS


Video
Surveillance





Net-Cam



eLViS


Devolution
Security


motion

Zoneminder


Geographic
information system




GRASS GIS

gvSIG


JUMP

NASA
World Wind


OpenMap

Quantum GIS

TerraLib

uDig



Accounting
Software




CTB

Tiny Accounting

XIWA

OBA

SQL-Ledger
Accounting



PHPBalanceSheet


Muhasebeci

AccWhizz

Fruity Banking!

phpRechnung


Foreign Language
Learning Software



Klang

VocableTrainerX

Flare

Pere


Vocabulary Trainer



Nihon-go Flash


JLearner


Project
Management





Incyte Project Manager



Project Manager


phpEasyProject


Complex Project Manager



ProjectButler



ProjectBench


Sigma Six


Movie Editors



Open
Movie Editor


medi8

Jubler

Kino

Gazelle Movie
Editor


Subtitle
Processor


Cluster Software




CDS Cluster


openMosix

YACI

Ka Clustering
toolkit


EZHA


Beowulf

Debian Cluster Components


MOSIX Cluster



Timesheet
Software





Timesheet.php


Horde Hermes

Ultrize
TimeSheet


A Simple
TimeSheet



TTraq


Multiple Time
Sheets



Code generators



Bison


CodeWorker

Flex lexical
analyser


Kodos


phpCodeGenie



Ragel State Machine Compiler


Redet

PHP Code Builder



Nutrition
software




nut


Diet Monger Ass Kicker


CRON-O-Meter


RPM Management



PyRPM

OPRPM

APT-RPM


RPMAutoUpdate


GnoRPM

easyRPM

kRPM


Library
Management



Elidune

Nalanda

Koha

PhpMyLibrary

Media
Library


Books

Library Manager

Campus-wide
Library Access System


Desktop
environments




GNOME

KDE

GNUstep


ROX Desktop


Xfce

EDE


Tango Desktop Project


Windowing
systems




X Window System

X.Org Server

XFree86

XGGI

Fresco


Xgl


Y Window System


REFERENCES
http://www.debianhelp.co.uk/tools.htm