Posted on

Setting up InspIRCd as an internal IRC server for companywide chat

I got this idea (from this blog post) that it would be cool and great if we had an IRC server to facilitate communication within our team.  I started checking out some different IRC servers to see which ones supported the main features I wanted (LDAP auth & SSL).  I started out with ratbox but I didn’t really like it.  I found InspIRCd and after some config tweaking it’s working well.  Here’s the info from modules.conf for authentication against Active Directory (so people login with their AD usernames):
<module name="m_ldapauth.so">
<ldapauth baserdn="OU=Users,DC=did"
attribute="sAMAccountName"
server="ldap://activedirectory.example.com"
killreason="LDAP auth failed"
searchscope="subtree"
binddn="CN=binduser,OU=Users,DC=example,DC=com"
bindauth="password"
verbose="yes"
userfield="yes">
Here’s the configure line (since I had to build from source):
./configure --prefix=/usr/local/inspircd --enable-gnutls --uid 101 --enable-extras=m_ldapauth.cpp --enable-extras=m_ldapoper.cpp

I still have some more customization to do to make ChanServ work, but since this is internal I don’t know if that even matters.  Also I can’t seem to get SSL working – I tried compiling with –enable-openssl but that failed, so I went with –enable-gnutls, which worked, but I can’t connect via ircs:// in my client.  If it looks like people are interested in this I may fix it up, but I have a feeling most people won’t be as enthused about it as I am.

Posted on

ldapsearch on Active Directory

Just putting this here for safekeeping since I couldn’t remember the exact syntax.

[evan@ehoffman 10:35:50 ~]$ ldapsearch -x -LLL -D "ldapuser@example.com" -w password -b "OU=Users,DC=example,DC=com" -s sub -H ldaps://activedirectory.example.com "(sn=hoffman)" cn mail displayName samaccountname
dn: CN=Evan Hoffman,OU=Tech,OU=Users,DC=example,DC=com
cn: Evan Hoffman
displayName: Evan D. Hoffman
sAMAccountName: ehoffman
mail: Evan.Hoffman@example.com
Posted on

ldapsearch example on Active Directory

Just putting this here for safekeeping since I couldn’t remember the exact syntax.

[evan@ehoffman 10:35:50 ~]$ ldapsearch -x -LLL -D "ldapuser@example.com" -w password -b "OU=Users,DC=example,DC=com" -s sub -H ldaps://activedirectory.example.com "(sn=hoffman)" cn mail displayName samaccountname
dn: CN=Evan Hoffman,OU=Tech,OU=Users,DC=example,DC=com
cn: Evan Hoffman
displayName: Evan D. Hoffman
sAMAccountName: ehoffman
mail: Evan.Hoffman@example.com

Explanation: Connect to activedirectory.example.com using ldaps (SSL) with simple authentication, binding as ldapuser@example.com with password password; search for (sn=hoffman) within the OU=Users,DC=example,DC=com search base (branch), and search the subtree. Return the cn, displayName, and samaccountname fields.

Refer to the ldapsearch man page for more options.

Posted on

Changing Active Directory Password in Browser through OWA 2010

A few months ago I was on a quest to figure out how to change my Active Directory password via a browser (for Linux/Mac users). I finally figured it out, but since I’ve been working on this Exchange 2010 migration I noticed one of the features of OWA (Outlook Web App) in Exchange 2010 is that you can change the AD password right in the browser from within the app:

The new OWA has a zillion other awesome features, my favorite being that Firefox and Chrome are no longer second-class-citizens and can use the “full version” now, even on Linux. So anyway, I guess all my work was for nothing. Not the first time (or the last). 🙂

Posted on

Generate a report of Exchange mailbox sizes broken out by department and location

I found a script a few months ago that generated a CSV report of mailbox size, which included the Mailbox Name (usually the user’s name), size in Kbytes, number of items, which server it’s on, etc. This was very helpful, but I wanted to see which department within the company used the most space on the mail server, and the department wasn’t one of the pieces of data included in the report. It took a while but I figured out how to do LDAP lookups in vbscript and was able to add that info, so the report now has the user’s department, office location, and quota limit in it as well as the other fields. This makes it very easy to do a PivotChart in Excel to generate a pie chart of the size by department. The script is attached – change the extension to .vbs to run it. You’ll need to plug in your Exchange server and domain controller where the placeholders currently are.

EmailSizeByDepartment.vbs

Posted on

Victory! Change Active Directory Password via LDAP through browser

I had to give up on PHP and go to Perl, but it turned out not to be so bad. Users can now change their Active Directory passwords via a self-service web page that doesn’t require admin credentials. The Perl code is below.  Authentication to the script is done via .htaccess LDAP authentication, so the REMOTE_USER env variable is assumed to contain the user’s username (sAMAccountName) by the time this script is called.  There is a simple check for $ENV{HTTPS} to ensure the script is called via SSL, and AD requires password changes to be done via ldaps, so the whole thing should be encrypted end to end.

(Edited 5/14/2010 to replace the inlined Perl script with a link to the script as a text file.)

changeadpasswd.pl

Posted on

LDAP-Active Directory authentication, Part 3

So I got everything working with .htaccess and AD/LDAP authentication. Just add LDAPVerifyServerCert Off to the httpd config to let Apache authenticate against an AD server with a self-signed certificate (without dealing with the annoyance of putting the cert on each Apache server).

With that piece of the puzzle largely solved, I moved on to another: how will users change their passwords (which are all stored in Active Directory)? For users running Windows this is pretty trivial — they can do it right in Windows when they’re logged into the domain. But what about Linux users? I figured the easiest thing to do would be to make a web form to do this. The user would login (with the http/LDAP auth I previously setup) and the form would ask for their password (twice) and update it in Active Directory. Sounds pretty simple to me. I think if this were OpenLDAP it probably would be, but being AD, it’s not.

Continue reading “LDAP-Active Directory authentication, Part 3”

Posted on

Single sign-on with Linux clients and Active Directory LDAP, Part 1

One project we’ve been working on for a while is single sign-on across all our servers and other services (e.g. SVN repository, a few other things). One thing I wanted to avoid, I guess for mostly religious reasons, was reliance on a Windows instance for any of our production environment. The logical part of my brain knows that people build huge websites with Windows farms and AD, but my gut still doesn’t trust it. So what I wanted to do was setup OpenLDAP as a “slave” to an Active Directory “master” and have all the LDAP info propagate over the slave whenever any changes were made in the master. I’ve done this with DNS – setup Bind as a slave to an AD server and everything basically works as I expect in a Bind-Bind master/slave scenario. Well, it turns out that it doesn’t work like that when it comes to LDAP. Apparently AD doesn’t follow the RFC for LDAP (surprise!) so many things that would be expected to work with OpenLDAP won’t.

Continue reading “Single sign-on with Linux clients and Active Directory LDAP, Part 1”