Victory! Change Active Directory Password via LDAP through browser

I had to give up on PHP and go to Perl, but it turned out not to be so bad. Users can now change their Active Directory passwords via a self-service web page that doesn’t require admin credentials. The Perl code is below. Authentication to the script is done via .htaccess LDAP authentication, so the REMOTE_USER env variable is assumed to contain the user’s username (sAMAccountName) by the time this script is called. There is a simple check for $ENV{HTTPS} to ensure the script is called via SSL, and AD requires password changes to be done via ldaps, so the whole thing should be encrypted end to end.

(Edited 5/14/2010 to replace the inlined Perl script with a link to the script as a text file.)

changeadpasswd.pl

LDAP-Active Directory authentication, Part 3

So I got everything working with .htaccess and AD/LDAP authentication. Just add LDAPVerifyServerCert Off to the httpd config so Apache skips verification of the LDAP server’s certificate and can authenticate against an AD server with a self-signed certificate (without dealing with the annoyance of putting the cert on each Apache server).

With that piece of the puzzle largely solved, I moved on to another: how will users change their passwords (which are all stored in Active Directory)? For users running Windows this is pretty trivial — they can do it right in Windows when they’re logged into the domain. But what about Linux users? I figured the easiest thing to do would be to make a web form to do this. The user would log in (with the http/LDAP auth I previously set up) and the form would ask for their password (twice) and update it in Active Directory. Sounds pretty simple to me. I think if this were OpenLDAP it probably would be, but being AD, it’s not.

Continue reading “LDAP-Active Directory authentication, Part 3”
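The self-service change described in the two posts above, as an added example written for this page and not the author’s changeadpasswd.pl. It assumes REMOTE_USER and HTTPS are set by Apache, and the DC hostname, CA file, base DN, UPN suffix and form field names are assumptions. The AD-specific part is that unicodePwd must be sent over LDAPS as the UTF-16LE encoding of the password wrapped in double quotes, and a user changing their own password sends a delete(old)+add(new) pair in a single modify rather than a replace.

```perl
#!/usr/bin/perl
# Added example, not the author's script: let an already-authenticated user
# change their own Active Directory password over LDAPS, binding as themselves
# so no admin credentials are stored on the web server.
use strict;
use warnings;
use CGI;
use Encode qw(encode);
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

my $AD_HOST = 'dc1.example.com';           # assumption: a domain controller
my $CA_FILE = '/etc/pki/tls/certs/ad-ca.pem'; # assumption: CA that signed the DC cert
my $BASE_DN = 'DC=example,DC=com';         # assumption
my $UPN_SUFFIX = 'example.com';            # assumption: used for the user's bind

my $q = CGI->new;
print $q->header(-type => 'text/plain');

# Refuse to run unless Apache already authenticated the user and the request is over SSL.
die "This script must be called over HTTPS\n" unless $ENV{HTTPS};
my $user = $ENV{REMOTE_USER} or die "Not authenticated\n";
$user =~ s/\@.*//;                          # strip a UPN suffix if the auth module passed one

my $old = $q->param('oldpass')  // '';
my $new = $q->param('newpass1') // '';
die "New passwords do not match\n" unless $new eq ($q->param('newpass2') // '');

# ldaps with certificate verification; AD rejects unicodePwd changes on a cleartext connection.
my $ldap = Net::LDAP->new($AD_HOST, scheme => 'ldaps', port => 636,
                          verify => 'require', cafile => $CA_FILE)
    or die "LDAP connect failed: $@\n";

# Binding as the user with the old password both proves the old password and grants
# the right to change (not reset) their own password.
my $mesg = $ldap->bind("$user\@$UPN_SUFFIX", password => $old);
die "Old password rejected: " . $mesg->error . "\n" if $mesg->code;

# Look up the user's DN from sAMAccountName; escape it so form input can't alter the filter.
$mesg = $ldap->search(base => $BASE_DN, scope => 'sub', attrs => ['1.1'],
                      filter => '(sAMAccountName=' . escape_filter_value($user) . ')');
die "Lookup failed: " . $mesg->error . "\n" if $mesg->code;
my $entry = $mesg->entry(0) or die "User $user not found\n";

# AD stores unicodePwd as UTF-16LE of the password in double quotes; delete old + add new in one modify.
my $enc_old = encode('UTF-16LE', qq("$old"));
my $enc_new = encode('UTF-16LE', qq("$new"));
$mesg = $ldap->modify($entry->dn, changes => [ delete => [ unicodePwd => $enc_old ],
                                               add    => [ unicodePwd => $enc_new ] ]);
$ldap->unbind;
die "Password change failed: " . $mesg->error . "\n" if $mesg->code;
print "Password changed for $user\n";
```

Because the modify runs under the user’s own bind, domain password policy (history, complexity, minimum age) is enforced by the DC and surfaces as an error from the modify rather than being checked in the script.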

Single sign-on with Linux clients and Active Directory LDAP, Part 1

One project we’ve been working on for a while is single sign-on across all our servers and other services (e.g. SVN repository, a few other things). One thing I wanted to avoid, I guess for mostly religious reasons, was reliance on a Windows instance for any of our production environment. The logical part of my brain knows that people build huge websites with Windows farms and AD, but my gut still doesn’t trust it. So what I wanted to do was set up OpenLDAP as a “slave” to an Active Directory “master” and have all the LDAP info propagate over to the slave whenever any changes were made in the master. I’ve done this with DNS – set up Bind as a slave to an AD server and everything basically works as I expect in a Bind-Bind master/slave scenario. Well, it turns out that it doesn’t work like that when it comes to LDAP. Apparently AD doesn’t follow the RFC for LDAP (surprise!) so many things that would be expected to work with OpenLDAP won’t.

Continue reading “Single sign-on with Linux clients and Active Directory LDAP, Part 1”

iptables rules for rate-limiting SSH connections

This is what I use on my CentOS boxes/VMs. It rate-limits new SSH connections per source address and also rate-limits the log messages (to prevent attacks that attempt to fill up the server’s disk by triggering log entries).

iptables -F
iptables -X
iptables -N LOGDROP # Create the LOGDROP chain
iptables -A LOGDROP -m limit --limit 1/s -j LOG --log-prefix "LOGDROP: " # Rate-limit the logging so the logs don't fill up the server
iptables -A LOGDROP -j DROP
# -I inserts at the top of INPUT, so the last rule inserted is checked first. Insert in reverse order so the
# internal-network ACCEPT ends up before the rate limit; otherwise internal hosts get rate-limited too.
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set # create the "bucket" (checked last)
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j LOGDROP # if there are more than 4 connection attempts in 60 seconds from a given address, log-drop it.
iptables -I INPUT -p tcp --dport 22 -s 10.0.0.0/16 -j ACCEPT # Allow everything from the internal network (checked first)

After issuing these commands I run /etc/init.d/iptables save, which persists the rules to … somewhere. Alternatively I sometimes put all the above commands in a bash script and just call it from /etc/rc.local.

VMWare is pretty cool.

Over the past few months I’ve gotten to love VMWare. We had purchased a SAN around May 2008 for one project, and all the SAN vendors kept asking us if we did anything with virtualization. The first few times we kind of furrowed our brows and said no, but eventually I started wondering if this was something I should be looking into.

Continue reading “VMWare is pretty cool.”

The SAN Scam

It’s time to buy some more disks for the SAN we have at work. The SAN is made by Compellent and we’ve had it for a year and it’s been great. One of the selling points was the ability to add disks however we wanted – one at a time is possible, which apparently isn’t the case with other SAN products. The one we looked at from LeftHand expanded by purchasing entire nodes, so the incremental cost was pretty high. Compellent seemed to have a higher initial cost but cheaper incrementally.

Well, that wasn’t really the case, as I’ve come to discover. The way they license features on the SAN requires “expansion licenses” for each set of 8 disks you add on. As it happens, I would like to add 8 SATA disks to our SAN, bumping us into a license expansion. The net result of this is that purchasing these disks costs over $16,000.

If that sounds like a lot of money, well, it is. I expected some markup for enterprise-class hardware, but this is ridiculous. A quick search on Newegg shows that hard drives are readily available at about $0.09 – $0.10 per gigabyte, and even Seagate drives are only around $0.14 per gig. At the price I was quoted for the Compellent drives, the price per gig is over $2.00 per gig! The markup is over 1500%, and that’s not even factoring in the discount they likely get for buying disks in bulk – I doubt they pay retail. They claim this is due to the disks being “certified” but I don’t imagine they’re opening up each disk and checking its platters. They probably just make sure the firmware is correct and then ship it out. Their quote also includes 1 year of support on the disks, with 4-hour on-site replacement, but still, as someone who’s basically “cheap,” this just pisses me off.

Now, in Compellent’s defense, their product is amazing, and I would wholeheartedly recommend it to anyone with the need for it and the means to get it, but it is very pricey, more so than I was led to believe. The fact that I rarely have to think about the SAN probably means it’s money well spent, but as I said, I’m a cheap bastard, so this bothers me.