Welcome to zewaren.net. This site presents myself and mostly archives the solutions to some problems I once had.

How to allow non-administrator users to use RDP on a domain controller

Not so frequently asked questions and stuff: 

Situation

Your Windows Server 2008 is now a domain controller. Since you installed that role, you can't access the server through RDP/TSE.

Allow the users to use the service

If you are a non-administrator user, you need to be authorized to use the service.

  • Run gpedit.msc
  • Browse to Computer Configuration -> Windows settings -> Security Settings -> Local policies -> User Rights Assignment
  • Edit "Allow log on through terminal services"
  • Run gpupdate /force


Log-in with the right FQDN

Prior to installing your domain controller, you could login using only your username.

Now, when connecting, use the format user@f.q.d.n.example.net, or you won't be able to login.


How to boot Linux Mint 13 using PXE

Prepare the tftp folder

  • Download pxelinux.0
  • Copy initrd.lz and vmlinuz from the iso (casper folder)
  • pxelinux's config file (pxelinux.cfg/default):
    DEFAULT Linux-Mint-13-x86
    
    LABEL Linux-Mint-13-x86
    MENU LABEL Linux-Mint-13-x86
    KERNEL vmlinuz
    APPEND boot=casper netboot=nfs nfsroot=IP.ADD.RE.SS:/ initrd=initrd.lz quiet splash --
    

Which gives:

# ls tftproot
initrd.lz     pxelinux.0    pxelinux.cfg  vmlinuz

Prepare the NFS folder

  • Copy the required files from the casper folder

Which gives:

# ls nfsroot
casper

# ls nfsroot/casper
filesystem.manifest          filesystem.size
filesystem.manifest-desktop  filesystem.squashfs
filesystem.manifest-remove

Boot

Set up your DHCP, NFS and TFTP servers and boot your target.

Boot Kon-Boot 2.0 using PXE

PXE: 

What you need:

How to know which resources are called after using apache's http server's mod_rewrite.


The situation

You set up rewrite rules in your apache configuration.

RewriteEngine On
RewriteRule    ^products/([A-Za-z0-9-]+)/([A-Za-z0-9-]+)/?$    product.php?category=$1&product=$2    [NC,L]
RewriteRule    ^blog/([A-Za-z0-9-]+)/([A-Za-z0-9-]+)/?$    blog.php?what=$1&post=$2    [NC,L]

If you have a problem, you would like to be able to see which URLs are really called (after the rewriting).

Solution

Create a new log file containing only the requested URL and the rewritten one.

    LogFormat "%r -> %f%q" rewriting
    CustomLog /var/log/apache2/access_rewriting.log rewriting

Content:

GET /products/cake/kouignamann/ HTTP/1.1 -> /var/www/product.php?category=cake&product=kouignamann
GET /products/beverages/cider/ HTTP/1.1 -> /var/www/product.php?category=beverages&product=cider
GET /blog/life/4269/ HTTP/1.1 -> /var/www/blog.php?what=life&post=4269

You can then know which scripts are actually called, along with their arguments.
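A small parser for that log, added here as an example (it is not part of the original post): it reads the "%r -> %f%q" lines, decodes the query string each script received, and flags any script reached through the rewrite rules that is not on an allowlist, which is a quick way to notice a rule that maps to more than you intended. The three sample lines are the ones shown above.

```python
"""Parse the access_rewriting.log produced by the LogFormat "%r -> %f%q"
above and report which scripts are really executed and with which
arguments.  Added example for this page, not part of the original post;
the sample lines are the three shown above."""
import re
from collections import defaultdict
from urllib.parse import parse_qs

# One line is: "<method> <request-uri> <protocol> -> <filename>[?<query>]"
LINE_RE = re.compile(
    r"^(?P<method>\S+) (?P<uri>\S+) (?P<proto>HTTP/\d\.\d) -> "
    r"(?P<file>[^?\s]+)(?:\?(?P<query>\S*))?$"
)

SAMPLE_LOG = """\
GET /products/cake/kouignamann/ HTTP/1.1 -> /var/www/product.php?category=cake&product=kouignamann
GET /products/beverages/cider/ HTTP/1.1 -> /var/www/product.php?category=beverages&product=cider
GET /blog/life/4269/ HTTP/1.1 -> /var/www/blog.php?what=life&post=4269
"""


def parse_line(line):
    """Return a dict with method, uri, proto, file, query and decoded args,
    or None if the line does not match the log format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    # parse_qs returns lists; the rules above produce one value per name
    rec["args"] = {k: v[0] for k, v in parse_qs(rec["query"] or "").items()}
    return rec


def summarize(log_text):
    """Map each script that was actually called to the argument names and
    the sorted set of values it received."""
    scripts = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        args = scripts[rec["file"]]          # register the script even without args
        for name, value in rec["args"].items():
            args[name].add(value)
    return {s: {n: sorted(v) for n, v in a.items()} for s, a in scripts.items()}


def unexpected_scripts(log_text, allowed):
    """Scripts reached through the rewrite rules that are not in the allowlist."""
    seen = {rec["file"] for rec in map(parse_line, log_text.splitlines()) if rec}
    return sorted(seen - set(allowed))


if __name__ == "__main__":
    for script, args in summarize(SAMPLE_LOG).items():
        print(script, args)
    print("unexpected:", unexpected_scripts(SAMPLE_LOG, {"/var/www/product.php"}))
```

Run it against the real file with summarize(open("/var/log/apache2/access_rewriting.log").read()) once the log has some traffic; the allowlist for unexpected_scripts is simply the set of scripts your RewriteRule targets are supposed to reach.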

smbldap-tools' "Failed to add entry for user"


Situation

smbldap-populate populated the LDAP server correctly, but I didn't seem to be able to add users.

server# smbpasswd -a testuser1
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=NETBIOSNAME))]
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
The LDAP server is successfully connected
New SMB password:
Retype new SMB password:
ldapsam_getsampwnam: Unable to locate user [testuser1] count=0
Warning: homedirectory /home/testuser1 already exist. Check manually
_samr_create_user: Running the command `/usr/local/sbin/smbldap-useradd -m testuser1' gave 0
Could not find user testuser1, add script did not work
Failed to add entry for user testuser1.

Here is what was added into the LDAP server:

dn: uid=testuser1,ou=people,dc=example,dc=net
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: posixAccount
objectclass: shadowAccount
objectclass: inetOrgPerson
cn: testuser1
gidnumber: 513
homedirectory: /home/testuser1
sn: testuser1
uid: testuser1
uidnumber: 1012
gecos: System User
givenname: testuser1
loginshell: /bin/sh
userpassword: {crypt}x

You can see that the NT fields (sambaSID, sambaNTPassword, etc.) are missing, i.e. that the command did not complete.

Retrying with more debugging output (-D 10) showed:

smbldap_search_ext: base => [dc=example,dc=net], filter => [(&(uid=testuser1)(objectclass=sambaSamAccount))], scope => [2]
ldapsam_getsampwnam: Unable to locate user [testuser1] count=0

This is normal; what is not is:

Get_Pwnam_internals didn't find user [testuser1]!

What the problem was

nss_ldap was not working. Apparently, Samba cannot work with LDAP without it.

Maybe I'd have known this if I had read the manual.

You know that nss_ldap is working if you can see Samba's groups in your system:

mmnas# getent group
[...]
Domain Admins:*:512:root
Domain Users:*:513
Domain Guests:*:514
Domain Computers:*:515
Administrators:*:544
Account Operators:*:548
Print Operators:*:550
Backup Operators:*:551
Replicators:*:552
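The same check, scripted: the diagnostic below is added here as an example (it is not part of the post) and goes through the NSS calls smbd itself relies on, getpwnam(3) for the user and a group lookup for the well-known domain groups, so a failure here is the same failure that produced "Get_Pwnam_internals didn't find user" above. The group names and gids are the ones from the getent output; the lookup functions can be swapped for dict-backed fakes, which is how it is exercised without an LDAP server.

```python
"""Check, through the same NSS calls smbd uses, that nss_ldap is serving the
LDAP accounts.  Added diagnostic for this page, not part of the post; the
gids and names are the Samba domain groups listed in the getent output
above, and the lookup functions are injectable so the logic runs without
an LDAP server."""
import grp
import pwd

# Well-known Samba domain groups, as created by smbldap-populate
SAMBA_GROUPS = {
    512: "Domain Admins",
    513: "Domain Users",
    514: "Domain Guests",
    515: "Domain Computers",
}


def check_nss(users, expected_groups=SAMBA_GROUPS,
              getpwnam=pwd.getpwnam, getgrgid=grp.getgrgid):
    """Return a list of problems; an empty list means NSS resolves everything."""
    problems = []
    for gid, name in expected_groups.items():
        try:
            g = getgrgid(gid)
        except KeyError:
            problems.append(f"gid {gid} ({name}) does not resolve: "
                            "nss_ldap is not serving groups")
            continue
        if g.gr_name != name:
            problems.append(f"gid {gid} resolves to {g.gr_name!r}, expected {name!r}")
    for user in users:
        try:
            p = getpwnam(user)
        except KeyError:
            problems.append(f"user {user!r} does not resolve: smbd will log "
                            f"\"Get_Pwnam_internals didn't find user [{user}]\"")
            continue
        if p.pw_gid not in expected_groups:
            problems.append(f"user {user!r} has primary gid {p.pw_gid}, "
                            "which is not a Samba domain group")
    return problems


class _Group:
    def __init__(self, name, gid):
        self.gr_name, self.gr_gid = name, gid


class _Passwd:
    def __init__(self, name, gid):
        self.pw_name, self.pw_gid = name, gid


def fake_nss(groups, users):
    """Lookup functions backed by plain dicts (constructed data standing in
    for a working nss_ldap): groups maps gid -> name, users maps name -> gid."""
    def getgrgid(gid):
        if gid not in groups:
            raise KeyError(gid)
        return _Group(groups[gid], gid)

    def getpwnam(name):
        if name not in users:
            raise KeyError(name)
        return _Passwd(name, users[name])

    return getpwnam, getgrgid


if __name__ == "__main__":
    import sys
    for problem in check_nss(sys.argv[1:]) or ["nss_ldap looks fine"]:
        print(problem)
```

On the Samba host, run it with the user you are trying to add (python3 check_nss.py testuser1); with the default lookups it queries the real NSS stack, which is exactly what smbd sees.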

Serve Clonezilla with PXE using TFTP on a legacy BIOS computer

Attachment: pxe-clonezilla-live.zip (118.74 KB)

The system used here is a Windows XP.

Fetch the required files

What you need:

  • Clonezilla's zip file: clonezilla-live-1.2.12-10-amd64.zip
  • pxelinux.0
  • pxelinux's config file (pxelinux.cfg/default):
    DEFAULT Clonezilla-live
    
    LABEL Clonezilla-live
     MENU LABEL Clonezilla Live (Ramdisk)
     KERNEL vmlinuz
     APPEND initrd=initrd.img boot=live config noswap nolocales edd=on nomodeset ocs_live_run="ocs-live-general" ocs_live_extra_param="" ocs_live_keymap="" ocs_live_batch="no" ocs_lang="" vga=788 nosplash noprompt fetch=tftp://[INSERT YOUR IP HERE]/filesystem.squashfs
    

Extract the files

Extract the required files from the zipfile.

live/vmlinuz live/initrd.img live/filesystem.squashfs

Configure

Edit pxelinux.cfg and insert your IP. You can also preset parameters (see http://clonezilla.org/show-live-doc-content.php?topic=clonezilla-live/doc/99_Misc).

Boot

Set up your DHCP and TFTP servers and boot your target.

Sources

Boot the BIOS update tools of MSI's K9N2 SLI Platinum / K9N2 Zilent using PXE

Attachment: pxe-bios-msi-7374v39.zip (881.84 KB)

The system used here is a Debian Squeeze.

Create the image:

You will need:

  • 7374v39.zip (or newer)
  • FreeDOS
zwm-server:~/msi# wget "http://download1.msi.com/files/downloads/bos_exe/7374v39.zip"
zwm-server:~/msi# wget "ftp://ftp.ibiblio.org/pub/micro/pc-stuff/freedos/files/distributions/1.0/fdboot.img"

Mount the FreeDOS image and unzip the utility:

zwm-server:~/msi# mkdir fdboot ourimage
zwm-server:~/msi# unzip 7374v39.zip
zwm-server:~/msi# mount -o loop fdboot.img fdboot

Create and mount a 3MB fat image:

zwm-server:~/msi# dd if=/dev/zero of=ourimage.img bs=1M count=3
zwm-server:~/msi# apt-get install dosfstools
zwm-server:~/msi# mkfs.msdos ourimage.img
zwm-server:~/msi# mount -o loop ourimage.img ourimage

Copy the FreeDOS files and the CD contents to the newly created image disk:

zwm-server:~/msi# cp -r fdboot/* ourimage/
zwm-server:~/msi# mkdir ourimage/msi
zwm-server:~/msi# cp -r 7374v39/* ourimage/msi/

Unmount everything:

zwm-server:~/msi# umount ourimage/
zwm-server:~/msi# umount fdboot/

Copy the boot sector from the original FreeDOS image to ours:

zwm-server:~/western# dd if=fdboot.img of=ourimage.img bs=1 count=446 seek=62 skip=62 conv=notrunc
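What that dd command does, byte for byte, as an added example (not part of the post): in a FAT12/16 boot sector the jump, OEM name and BIOS Parameter Block occupy bytes 0 to 61, and the boot code starts at offset 62, so copying 446 bytes from offset 62 to offset 62 transplants FreeDOS's boot code while keeping the BPB that mkfs.msdos wrote for the 3MB image (the floppy image's BPB describes a 1.44MB disk and would be wrong here). The two sectors below are constructed stand-ins for fdboot.img and ourimage.img, not real FreeDOS data.

```python
"""Byte-level equivalent of
  dd if=fdboot.img of=ourimage.img bs=1 count=446 seek=62 skip=62 conv=notrunc
Added example for this page, not from the post; the sectors built by
make_sector() are constructed test data, not real FreeDOS images."""

SECTOR_SIZE = 512
BOOT_CODE_OFFSET = 62        # dd seek=62 skip=62: first byte after the FAT12/16 extended BPB
BOOT_CODE_LENGTH = 446       # dd count=446
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510-511 of every valid boot sector


def copy_boot_code(src_sector, dst_sector):
    """Return dst_sector with src_sector's boot code spliced in.  Nothing
    outside the 446-byte window changes, which is what conv=notrunc gives."""
    if len(src_sector) != SECTOR_SIZE or len(dst_sector) != SECTOR_SIZE:
        raise ValueError("boot sectors must be exactly 512 bytes")
    if src_sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("source has no 0x55AA signature; not a boot sector")
    end = BOOT_CODE_OFFSET + BOOT_CODE_LENGTH
    return (dst_sector[:BOOT_CODE_OFFSET]
            + src_sector[BOOT_CODE_OFFSET:end]
            + dst_sector[end:])


def bpb_fields(sector):
    """Decode the BPB fields that must stay those of the destination image."""
    return {
        "oem": sector[3:11].decode("ascii", "replace").rstrip(),
        "bytes_per_sector": int.from_bytes(sector[11:13], "little"),
        "sectors_per_cluster": sector[13],
        "reserved_sectors": int.from_bytes(sector[14:16], "little"),
        "total_sectors": int.from_bytes(sector[19:21], "little"),
    }


def make_sector(oem, total_sectors, code_byte):
    """Build a constructed FAT12-style boot sector (test data only)."""
    s = bytearray(SECTOR_SIZE)
    s[0:3] = b"\xeb\x3c\x90"               # jmp short +0x3c lands on offset 62, then nop
    s[3:11] = oem.ljust(8).encode("ascii")
    s[11:13] = (512).to_bytes(2, "little")  # bytes per sector
    s[13] = 1                               # sectors per cluster
    s[14:16] = (1).to_bytes(2, "little")    # reserved sectors
    s[19:21] = total_sectors.to_bytes(2, "little")
    s[BOOT_CODE_OFFSET:BOOT_CODE_OFFSET + BOOT_CODE_LENGTH] = bytes([code_byte]) * BOOT_CODE_LENGTH
    s[510:512] = BOOT_SIGNATURE
    return bytes(s)


# fdboot.img is a 1.44MB floppy (2880 sectors) and carries boot code;
# ourimage.img is 3MB (6144 sectors) and, fresh from mkfs.msdos, has none.
FREEDOS_SECTOR = make_sector("FreeDOS", 2880, 0xAA)
OURIMAGE_SECTOR = make_sector("mkdosfs", 6144, 0x00)


def patch_image(image_path, src_sector):
    """Apply the same splice to an image file in place."""
    with open(image_path, "r+b") as f:
        dst = f.read(SECTOR_SIZE)
        f.seek(0)
        f.write(copy_boot_code(src_sector, dst))
```

patch_image("ourimage.img", open("fdboot.img", "rb").read(512)) is the dd line as a function call; bpb_fields() before and after shows that total_sectors still describes the 3MB image while the boot code now comes from FreeDOS.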

Boot the image:

What you need:

  • pxelinux.0
  • memdisk
  • pxelinux's config file (pxelinux.cfg/default):
    DEFAULT msi_bios
    
    LABEL msi_bios
      KERNEL memdisk
      INITRD ourimage.img
    

Boot your computer, start FreeDOS and run the BIOS update utility from the MSI folder.

Sources:

Things you might try to restore your windows networking after malware cleaning.


Introduction

Here is the situation: you removed a malware infection manually, since no anti-malware tool could do anything beyond detecting the corrupted files. In the process, you deleted some infected system files, including some which were part of the networking stack.

Symptoms

  • You can ping both local and internet IPs, so ICMP and your hardware are working.
  • You cannot open any TCP/UDP connection: they all fail instantly, i.e. without timing out.
  • DHCP does not work either.

Things you might try

Check that your LSP stack is correct and not damaged

Run LSP-Fix

Resetting the networking stack

> netsh int ip reset reset.log
> netsh winsock reset catalog

Restoring any missing or corrupted system files

> sfc /scannow

Checking that the AFD service is started

> sc qc afd
> sc query afd

If AFD is not started, check that its service definition and its device exist in the registry.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD]
"DisplayName"="AFD"
"Description"="Environnement de prise en charge de réseau AFD"
"Group"="TDI"
"ImagePath"="\\SystemRoot\\System32\\drivers\\afd.sys"
"Start"=dword:00000001
"Type"=dword:00000001
"ErrorControl"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
  00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
  00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Enum]
"0"="Root\\LEGACY_AFD\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AFD]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AFD\0000]
"Service"="AFD"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="AFD"
"Capabilities"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AFD\0000\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AFD\0000\Control]
"ActiveService"="AFD"

Also, be sure to have a correct version of afd.sys in your system32/drivers/ folder.

Checking that other important services are started

Read the instructions at: http://www.smartestcomputing.us.com/topic/49542-cant-start-windows-firewall%3B-windows-firewall-service-missing-fix/

[Attached].

Run WinSockXPFix (XP Only)

Download and run WinSockXPFix.

Reset Internet Settings

Reset all the settings to default.

  • Control Panel -> Internet Options
  • Advanced tab
  • Reset Internet Explorer

Check connection settings and remove any proxy.

  • Control Panel -> Internet Options
  • Connections -> LAN Settings
  • Check all parameters

How to authenticate ProFTPd against a LDAP server with client certificates

Attachment: mod_ldap_ssl_cert.patch (10.09 KB)

Problem

If you are the paranoid type, you might have restricted connections to your LDAP server to clients with SSL client certificates.

Unfortunately, support for client certificates is missing from many LDAP client implementations.

Solution

Go to mod_ldap and download the sources.

Apply the following patch:

--- mod_ldap.c.orig 2012-02-01 12:34:22.587267553 +0100
+++ mod_ldap.c   2012-02-01 12:34:04.636276785 +0100
@@ -161,7 +161,14 @@
             *ldap_attr_memberuid = "memberUid",
             *ldap_attr_ftpquota = "ftpQuota",
             *ldap_attr_ftpquota_profiledn = "ftpQuotaProfileDN",
-            *ldap_attr_ssh_pubkey = "sshPublicKey";
+            *ldap_attr_ssh_pubkey = "sshPublicKey",
+            *ldap_tls_ca_cert_dir,
+            *ldap_tls_ca_cert_file,
+            *ldap_tls_cert_file,
+            *ldap_tls_cipher_suite,
+            *ldap_tls_crl_file,
+            *ldap_tls_dh_file,
+            *ldap_tls_key_file;
 #ifdef HAS_LDAP_INITIALIZE
 static char *ldap_server_url;
 #endif /* HAS_LDAP_INITIALIZE */
@@ -171,7 +178,9 @@
            ldap_forcedefaultuid = 0, ldap_forcedefaultgid = 0,
            ldap_forcegenhdir = 0, ldap_protocol_version = 3,
            ldap_dereference = LDAP_DEREF_NEVER,
-           ldap_search_scope = LDAP_SCOPE_SUBTREE;
+           ldap_search_scope = LDAP_SCOPE_SUBTREE,
+           ldap_tls_crl_check = -1,
+           ldap_tls_require_cert = -1;
 static struct timeval ldap_querytimeout_tp;
 
 static uid_t ldap_defaultuid = -1;
@@ -214,6 +223,86 @@
   struct berval bindcred;
 #endif
 
+  if (ldap_tls_ca_cert_dir) {
+    ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTDIR, ldap_tls_ca_cert_dir);
+    if (ret != LDAP_OPT_SUCCESS) {
+      pr_log_pri(PR_LOG_ERR, MOD_LDAP_VERSION ": pr_ldap_connect(): Setting LDAP_OPT_X_TLS_CACERTDIR option failed: %s", ldap_err2string(ret));
+      pr_ldap_unbind();
+      return -1;
+    }
+    pr_log_debug(DEBUG3, MOD_LDAP_VERSION ": set LDAP_OPT_X_TLS_CACERTDIR to %s", ldap_tls_ca_cert_dir);  
+  }
+  
+  if (ldap_tls_ca_cert_file) {
+    ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, ldap_tls_ca_cert_file);
+    if (ret != LDAP_OPT_SUCCESS) {
+      pr_log_pri(PR_LOG_ERR, MOD_LDAP_VERSION ": pr_ldap_connect(): Setting LDAP_OPT_X_TLS_CACERTFILE option failed: %s", ldap_err2string(ret));
+      pr_ldap_unbind();
+      return -1;
+    }
+    pr_log_debug(DEBUG3, MOD_LDAP_VERSION ": set LDAP_OPT_X_TLS_CACERTFILE to %s", ldap_tls_ca_cert_file);  
+  }
+  
+  if (ldap_tls_cert_file) {
+    ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_CERTFILE, ldap_tls_cert_file);
+    if (ret != LDAP_OPT_SUCCESS) {
+      pr_log_pri(PR_LOG_ERR, MOD_LDAP_VERSION ": pr_ldap_connect(): Setting LDAP_OPT_X_TLS_CERTFILE option failed: %s", ldap_err2string(ret));
+      pr_ldap_unbind();
+      return -1;
+    }
+    pr_log_debug(DEBUG3, MOD_LDAP_VERSION ": set LDAP_OPT_X_TLS_CERTFILE to %s", ldap_tls_cert_file);  
+  }
+  
+  if (ldap_tls_cipher_suite) {
+    ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_CIPHER_SUITE, ldap_tls_cipher_suite);
+    if (ret != LDAP_OPT_SUCCESS) {
+      pr_log_pri(PR_LOG_ERR, MOD_LDAP_VERSION ": pr_ldap_connect(): Setting LDAP_OPT_X_TLS_CIPHER_SUITE option failed: %s", ldap_err2string(ret));
+      pr_ldap_unbind();
+      return -1;
+    }
+    pr_log_debug(DEBUG3, MOD_LDAP_VERSION ": set LDAP_OPT_X_TLS_CIPHER_SUITE to %s", ldap_tls_cipher_suite);  
+  }
+  
+  if (ldap_tls_dh_file) {
+    ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_DHFILE, ldap_tls_dh_file);
+    if (ret != LDAP_OPT_SUCCESS) {
+      pr_log_pri(PR_LOG_ERR, MOD_LDAP_VERSION ": pr_ldap_connect(): Setting LDAP_OPT_X_TLS_DHFILE option failed: %s", ldap_err2string(ret));
+      pr_ldap_unbind();
+      return -1;
+    }
+    pr_log_debug(DEBUG3, MOD_LDAP_VERSION ": set LDAP_OPT_X_TLS_DHFILE version to %s", ldap_tls_dh_file);  
+  }
+  
+  if (ldap_tls_key_file) {
+    ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_KEYFILE, ldap_tls_key_file);
+    if (ret != LDAP_OPT_SUCCESS) {
+      pr_log_pri(PR_LOG_ERR, MOD_LDAP_VERSION ": pr_ldap_connect(): Setting LDAP_OPT_X_TLS_KEYFILE option failed: %s", ldap_err2string(ret));
+      pr_ldap_unbind();
+      return -1;
+    }
+    pr_log_debug(DEBUG3, MOD_LDAP_VERSION ": pr_ldap_connect(): set LDAP_OPT_X_TLS_KEYFILE to %s", ldap_tls_key_file);  
+  }
+
+  if (ldap_tls_crl_check != -1) {
+    ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_CRLCHECK, (void *)&ldap_tls_crl_check);
+    if (ret != LDAP_OPT_SUCCESS) {
+      pr_log_pri(PR_LOG_ERR, MOD_LDAP_VERSION ": pr_ldap_connect(): Setting LDAP_OPT_X_TLS_CRLCHECK option failed: %s", ldap_err2string(ret));
+      pr_ldap_unbind();
+      return -1;
+    }
+    pr_log_debug(DEBUG3, MOD_LDAP_VERSION ": set LDAP_OPT_X_TLS_CRLCHECK to %d", ldap_tls_crl_check);  
+  }  
+  
+  if (ldap_tls_require_cert != -1) {
+    ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, (void *)&ldap_tls_require_cert);
+    if (ret != LDAP_OPT_SUCCESS) {
+      pr_log_pri(PR_LOG_ERR, MOD_LDAP_VERSION ": pr_ldap_connect(): Setting LDAP_OPT_X_TLS_REQUIRE_CERT option failed: %s", ldap_err2string(ret));
+      pr_ldap_unbind();
+      return -1;
+    }
+    pr_log_debug(DEBUG3, MOD_LDAP_VERSION ": set LDAP_OPT_X_TLS_REQUIRE_CERT to %d", ldap_tls_require_cert);  
+  }
+
 #ifdef HAS_LDAP_INITIALIZE
   pr_log_debug(DEBUG3, MOD_LDAP_VERSION ": attempting connection to %s", ldap_server_url ? ldap_server_url : "(null)");
 
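Review bot: ldap_tls_crl_file is never applied in this hunk. Every other new string option gets an ldap_set_option() call here, but there is no branch for LDAP_OPT_X_TLS_CRLFILE, so the value that ldap_getconf() later stores in ldap_tls_crl_file is silently ignored and LDAPTLSCrlFile has no effect; add a block mirroring the LDAP_OPT_X_TLS_CACERTFILE one with `ldap_set_option(NULL, LDAP_OPT_X_TLS_CRLFILE, ldap_tls_crl_file)`. Two smaller points in the same region: the debug message in the DH block reads "set LDAP_OPT_X_TLS_DHFILE version to %s" (copy-paste leftover, drop "version"), and each failure path calls pr_ldap_unbind() before any connection has been opened, which is only safe if pr_ldap_unbind() tolerates a NULL handle.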
@@ -1876,6 +1965,130 @@
   return PR_HANDLED(cmd);
 }
 
+MODRET
+set_ldap_tls_ca_cert_dir(cmd_rec *cmd)
+{
+  CHECK_ARGS(cmd, 1);
+  CHECK_CONF(cmd, CONF_ROOT | CONF_VIRTUAL | CONF_GLOBAL);
+
+  add_config_param_str(cmd->argv[0], 1, cmd->argv[1]);
+  return PR_HANDLED(cmd);
+}
+
+MODRET
+set_ldap_tls_ca_cert_file(cmd_rec *cmd)
+{
+  CHECK_ARGS(cmd, 1);
+  CHECK_CONF(cmd, CONF_ROOT | CONF_VIRTUAL | CONF_GLOBAL);
+
+  add_config_param_str(cmd->argv[0], 1, cmd->argv[1]);
+  return PR_HANDLED(cmd);
+}
+
+MODRET
+set_ldap_tls_cert_file(cmd_rec *cmd)
+{
+  CHECK_ARGS(cmd, 1);
+  CHECK_CONF(cmd, CONF_ROOT | CONF_VIRTUAL | CONF_GLOBAL);
+
+  add_config_param_str(cmd->argv[0], 1, cmd->argv[1]);
+  return PR_HANDLED(cmd);
+}
+
+MODRET
+set_ldap_tls_cipher_suite(cmd_rec *cmd)
+{
+  CHECK_ARGS(cmd, 1);
+  CHECK_CONF(cmd, CONF_ROOT | CONF_VIRTUAL | CONF_GLOBAL);
+
+  add_config_param_str(cmd->argv[0], 1, cmd->argv[1]);
+  return PR_HANDLED(cmd);
+}
+
+MODRET
+set_ldap_tls_crl_check(cmd_rec *cmd)
+{
+  int value;
+  config_rec *c;
+
+  CHECK_ARGS(cmd, 1);
+  CHECK_CONF(cmd, CONF_ROOT | CONF_VIRTUAL | CONF_GLOBAL);
+
+  if (strcasecmp(cmd->argv[1], "none") == 0) {
+    value = LDAP_OPT_X_TLS_CRL_NONE;
+  } else if (strcasecmp(cmd->argv[1], "peer") == 0) {
+    value = LDAP_OPT_X_TLS_CRL_PEER;
+  } else if (strcasecmp(cmd->argv[1], "all") == 0) {
+    value = LDAP_OPT_X_TLS_CRL_ALL;
+  } else {
+    CONF_ERROR(cmd, "LDAPTLSCrlCheck: expected a valid LDAP_OPT_X_TLS_CRLCHECK option (none, peer, all).");
+  }
+
+  c = add_config_param("LDAPTLSCrlCheck", 1, NULL);
+  c->argv[0] = pcalloc(c->pool, sizeof(int));
+  *((int *) c->argv[0]) = value;
+  return PR_HANDLED(cmd);
+}
+
+MODRET
+set_ldap_tls_dh_file(cmd_rec *cmd)
+{
+  CHECK_ARGS(cmd, 1);
+  CHECK_CONF(cmd, CONF_ROOT | CONF_VIRTUAL | CONF_GLOBAL);
+
+  add_config_param_str(cmd->argv[0], 1, cmd->argv[1]);
+  return PR_HANDLED(cmd);
+}
+
+MODRET
+set_ldap_tls_crl_file(cmd_rec *cmd)
+{
+  CHECK_ARGS(cmd, 1);
+  CHECK_CONF(cmd, CONF_ROOT | CONF_VIRTUAL | CONF_GLOBAL);
+
+  add_config_param_str(cmd->argv[0], 1, cmd->argv[1]);
+  return PR_HANDLED(cmd);
+}
+
+MODRET
+set_ldap_tls_key_file(cmd_rec *cmd)
+{
+  CHECK_ARGS(cmd, 1);
+  CHECK_CONF(cmd, CONF_ROOT | CONF_VIRTUAL | CONF_GLOBAL);
+
+  add_config_param_str(cmd->argv[0], 1, cmd->argv[1]);
+  return PR_HANDLED(cmd);
+}
+
+MODRET
+set_ldap_tls_require_cert(cmd_rec *cmd)
+{
+  int value;
+  config_rec *c;
+
+  CHECK_ARGS(cmd, 1);
+  CHECK_CONF(cmd, CONF_ROOT | CONF_VIRTUAL | CONF_GLOBAL);
+
+  if (strcasecmp(cmd->argv[1], "never") == 0) {
+    value = LDAP_OPT_X_TLS_NEVER;
+  } else if (strcasecmp(cmd->argv[1], "hard") == 0) {
+    value = LDAP_OPT_X_TLS_HARD;
+  } else if (strcasecmp(cmd->argv[1], "demand") == 0) {
+    value = LDAP_OPT_X_TLS_DEMAND;
+  } else if (strcasecmp(cmd->argv[1], "allow") == 0) {
+    value = LDAP_OPT_X_TLS_ALLOW;
+  } else if (strcasecmp(cmd->argv[1], "try") == 0) {
+    value = LDAP_OPT_X_TLS_TRY;    
+  } else {
+    CONF_ERROR(cmd, "LDAPTLSRequireCert: expected a valid LDAP_OPT_X_TLS_REQUIRE_CERT option (never, hard, demand, allow, try).");
+  }
+
+  c = add_config_param("LDAPTLSRequireCert", 1, NULL);
+  c->argv[0] = pcalloc(c->pool, sizeof(int));
+  *((int *) c->argv[0]) = value;
+  return PR_HANDLED(cmd);
+}
+
 static int
 ldap_getconf(void)
 {
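Review bot: set_ldap_tls_crl_check and set_ldap_tls_require_cert hard-code the directive name in `add_config_param("LDAPTLSCrlCheck", 1, NULL)` and `add_config_param("LDAPTLSRequireCert", 1, NULL)` while the seven string handlers above use cmd->argv[0]; use cmd->argv[0] in all of them so the handlers cannot drift from the directive table. The nine new directives also need entries in the module's documentation (accepted values for LDAPTLSCrlCheck: none, peer, all; for LDAPTLSRequireCert: never, hard, demand, allow, try), since nothing in the patch documents them.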
@@ -2059,6 +2272,22 @@
         "(&(", ldap_attr_memberuid, "=%v)(objectclass=posixGroup))", NULL);
     }
   }
+  
+  ldap_tls_ca_cert_dir =  (char *)get_param_ptr(main_server->conf, "LDAPTLSCACertDir", FALSE);
+  ldap_tls_ca_cert_file = (char *)get_param_ptr(main_server->conf, "LDAPTLSCACertFile", FALSE);
+  ldap_tls_cert_file =    (char *)get_param_ptr(main_server->conf, "LDAPTLSCertFile", FALSE);
+  ldap_tls_cipher_suite = (char *)get_param_ptr(main_server->conf, "LDAPTLSCipherSuite", FALSE);
+  ldap_tls_crl_file =     (char *)get_param_ptr(main_server->conf, "LDAPTLSCrlFile", FALSE);
+  ldap_tls_dh_file =      (char *)get_param_ptr(main_server->conf, "LDAPTLSDHFile", FALSE);
+  ldap_tls_key_file =     (char *)get_param_ptr(main_server->conf, "LDAPTLSKeyFile", FALSE);
+  ptr = get_param_ptr(main_server->conf, "LDAPTLSCrlCheck", FALSE);
+  if (ptr) {
+    ldap_tls_crl_check = *((int *) ptr);
+  }
+  ptr = get_param_ptr(main_server->conf, "LDAPTLSRequireCert", FALSE);
+  if (ptr) {
+    ldap_tls_require_cert = *((int *) ptr);
+  }  
 
   return 0;
 }
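Review bot: the added lines use `ptr` without declaring it, so this only compiles if ldap_getconf() already has a `void *ptr` in scope above the hunk; please confirm, or declare it locally. The LDAPTLSCrlFile value read here into ldap_tls_crl_file is not consumed by the connect path in the earlier hunk, so either wire it up there or drop the directive. Also, the two added blank lines carry trailing whitespace.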
@@ -2092,7 +2321,15 @@
   { "LDAPGenerateHomedirPrefixNoUsername", set_ldap_genhdirprefixnouname, NULL },
   { "LDAPForceGeneratedHomedir", set_ldap_forcegenhdir, NULL },
   { "LDAPDefaultQuota", set_ldap_defaultquota, NULL },
-  { "LDAPGroups", set_ldap_grouplookups, NULL },
+  { "LDAPTLSCACertDir", set_ldap_tls_ca_cert_dir, NULL },
+  { "LDAPTLSCACertFile", set_ldap_tls_ca_cert_file, NULL },
+  { "LDAPTLSCertFile", set_ldap_tls_cert_file, NULL },
+  { "LDAPTLSCipherSuite", set_ldap_tls_cipher_suite, NULL },
+  { "LDAPTLSCrlCheck", set_ldap_tls_crl_check, NULL },
+  { "LDAPTLSCrlFile", set_ldap_tls_crl_file, NULL },
+  { "LDAPTLSDHFile", set_ldap_tls_dh_file, NULL },
+  { "LDAPTLSKeyFile", set_ldap_tls_key_file, NULL },
+  { "LDAPTLSRequireCert", set_ldap_tls_require_cert, NULL },
   { NULL, NULL, NULL },
 };
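Review bot: this hunk removes `{ "LDAPGroups", set_ldap_grouplookups, NULL },` from the directive table and puts the nine LDAPTLS* entries in its place, so after the patch the LDAPGroups directive is no longer recognized and any proftpd.conf that uses it fails to load. Keep the LDAPGroups line and add the new entries after it.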

Then, configure ProFTPd ([/usr/local]/etc/proftpd.conf), for example:

LDAPServer ldaps://aaa.bbb.ccc.ddd:636/??one
LDAPAuthBinds on
LDAPBindDN "cn=user,dc=example,dc=net" "password"
LDAPUsers "ou=people,o=organisation,dc=example,dc=net"
LDAPTLSCACertFile /usr/local/etc/certs/example-ca-crt.pem
LDAPTLSCertFile /usr/local/etc/certs/example-ftp-crt.pem
LDAPTLSKeyFile /usr/local/etc/certs/exemple-key.pem

The available options are:

  • LDAPTLSCACertDir
  • LDAPTLSCACertFile
  • LDAPTLSCertFile
  • LDAPTLSCipherSuite
  • LDAPTLSCrlCheck
  • LDAPTLSCrlFile
  • LDAPTLSDHFile
  • LDAPTLSKeyFile
  • LDAPTLSRequireCert

You can find more information about what they do by typing "man 3 ldap_set_option".

How to install FreeBSD 9.0 via PXE from anywhere (i.e. without an NFS server)


The situation

You want to install FreeBSD on another machine. You don't want to use an NFS server, either because you are on a Windows computer or because you simply want to boot the installer using pxeboot or gpxe.

From FreeBSD 9.0, the bootonly CD no longer uses an mfs file system, so instead of just copying the existing one, you either need to make one yourself or find one on the internet.

We will be using one from mfsbsd, from Martin Matuška.
http://mfsbsd.vx.sk/

[2014-06-15] Update: I've been told by email that mfsbsd now provides images directly from their website:
http://mfsbsd.vx.sk/files/images/
Thanks to Roman Makarov for the information.

Step 1: build the FreeBSD image disk

Create some dirs:

# mkdir /tmp/build
# mkdir /tmp/build/iso.mnt
# mkdir /tmp/build/hd.mnt
# cd /tmp/build

Get the image:

fetch http://mfsbsd.vx.sk/iso/mfsbsd-9.0-amd64.iso
mfsbsd-9.0-amd64.iso                          100% of   28 MB 3904 kBps

Mount the image:

# mdconfig -a -t vnode -f /tmp/build/mfsbsd-9.0-amd64.iso
md0
# mount_cd9660 /dev/md0 /tmp/build/iso.mnt/

Create a hard disk image. Be sure to choose the right size.

# dd if=/dev/zero of=/tmp/build/FreeBSD-9.0-RELEASE-amd64-bootonly-mfsbsd.hd bs=1m count=30
30+0 records in
30+0 records out
31457280 bytes transferred in 0.371249 secs (84733651 bytes/sec)
# mdconfig -a -t vnode -f /tmp/build/FreeBSD-9.0-RELEASE-amd64-bootonly-mfsbsd.hd
md1
# fdisk -B -I /dev/md1
******* Working on device /dev/md1 *******
fdisk: invalid fdisk partition table found
fdisk: Class not found
# bsdlabel -B -w /dev/md1
# bsdlabel -e /dev/md1
# /dev/md1:
8 partitions:
#        size   offset    fstype   [fsize bsize bps/cpg]
  a:    61424       16    4.2BSD        0     0
  c:    61440        0    unused        0     0         # "raw" part, don't edit
/tmp/EdDk.LJ3WUbdhRH: 5 lines, 212 characters
# newfs /dev/md1a
/dev/md1a: 30.0MB (61424 sectors) block size 16384, fragment size 2048
        using 4 cylinder groups of 7.50MB, 480 blks, 960 inodes.
super-block backups (for fsck -b #) at:
 160, 15520, 30880, 46240
# mount /dev/md1a /tmp/build/hd.mnt

Copy the boot files from the iso to the disk image:

# cp -r iso.mnt/* hd.mnt/

Unmount everything:

# umount /tmp/build/hd.mnt
# mdconfig -d -u 1
# umount /tmp/build/iso.mnt
# mdconfig -d -u 0

You now have a bootable mfsBSD image disk.

Step 2: Boot the image disk

Download pxelinux.0.
Download memdisk. You can find it packaged with syslinux: http://www.kernel.org/pub/linux/utils/boot/syslinux/

Create pxelinux config file (pxelinux.cfg/default):

DEFAULT fbsd
 
LABEL fbsd
 kernel memdisk
 append initrd=/FreeBSD-9.0-RELEASE-amd64-bootonly-mfsbsd.hd harddisk raw

Set up your DHCP and TFTP servers to serve the directory and you're good.

Once booted, login as root and launch the usual installer:

bsdinstall

Sources
