Using PHP to connect to an Active Directory

I am looking into authenticating users on Solaris 9 via Active Directory (AD) as an LDAP server. To chop the problem into smaller problems I started to try and connect to the LDAP interface of the AD from a platform which I know. I’m no Solaris expert :)

So I installed Ubuntu Edgy (server install from the alternative CD) and an evaluation Windows 2003 R2 server in the free VMware Server product. Then I installed an Active Directory (and a DNS server) on the Windows server. Then I tried to connect to the AD with PHP scripts to test how it worked. I found a good article on www.developer.com about PHP LDAP connections to AD. I also found an article about various handy LDAP search filters for Active Directory.

First create a normal Windows user in the AD which you will use to connect to the AD with. You don’t need to add this user to any special groups to allow it to connect to the AD. Just a plain normal user. You might wanna disable password expiration if you are gonna use it in a production environment :)

Then I made a PHP script on my Ubuntu server, somewhat like the following:

#!/usr/bin/php

Troubleshooting

49: Invalid credentials

Remember, when you tell the PHP script which user you want to connect with, to also supply the realm in which the user resides. In my test setup I used my own user je (Jacob Emcken) and my realm testdomain.com, which means I’m connecting to LDAP with the following user:

je@testdomain.com

1: Operations error

This error can come from two things:

  1. You have used DN instead of DC in your distinguished name:

    DN=testdomain,DN=com (didn't work for me)
    

    This worked for me:

    DC=testdomain,DC=com
    
  2. You get this if you are trying to search the root of the tree and you haven’t set the following:

    ldap_set_option($ldap_connect_resource, LDAP_OPT_REFERRALS, 0);
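As an added example (not the script from the original post, which is not reproduced here), the shell script below checks the two pitfalls from the troubleshooting section before doing the bind: the bind user must carry its realm (user@realm), and the base DN must be built from DC= components rather than the DN= typo. It assumes OpenLDAP’s ldapsearch client is installed; the host name and account in the usage comment are constructed placeholders. Unlike PHP’s LDAP extension, ldapsearch only chases referrals when given -C, so the LDAP_OPT_REFERRALS setting is not needed here.

```shell
#!/bin/sh
# Added example, not from the original post: preflight checks for an AD bind
# before calling ldapsearch. Host and account names are constructed placeholders.

# ad_check_bind_user USER
# Returns 0 if USER is in user@realm form, which is what the AD simple bind
# expects; a bare username is the usual cause of "49: Invalid credentials".
ad_check_bind_user() {
    case "$1" in
        *@*.*) return 0 ;;
        *) echo "bind user '$1' has no realm; use user@realm, e.g. je@testdomain.com" >&2
           return 1 ;;
    esac
}

# ad_check_base_dn DN
# Returns 0 if every component is CN=, OU= or DC= and the DN ends in a DC=
# component. Rejects the DN= typo that gives "1: Operations error".
ad_check_base_dn() {
    dn=$1
    rest=$dn
    last=
    while [ -n "$rest" ]; do
        part=${rest%%,*}                  # component before the first comma
        if [ "$part" = "$rest" ]; then rest=; else rest=${rest#*,}; fi
        case "$part" in
            [Cc][Nn]=*|[Oo][Uu]=*|[Dd][Cc]=*) last=$part ;;
            *) echo "bad component '$part' in base DN '$dn' (DN= instead of DC=?)" >&2
               return 1 ;;
        esac
    done
    case "$last" in
        [Dd][Cc]=*) return 0 ;;
        *) echo "base DN '$dn' does not end in a DC= component" >&2
           return 1 ;;
    esac
}

# realm_to_base_dn REALM
# Prints the base DN for a DNS realm: testdomain.com -> DC=testdomain,DC=com
realm_to_base_dn() {
    printf '%s\n' "$1" | sed 's/\./,DC=/g; s/^/DC=/'
}

# ad_search HOST USER BASE [FILTER]
# Runs the checks above, then a simple bind (-x, password prompted by -W) and a
# subtree search from BASE. ldapsearch does not chase referrals unless -C is
# given, so searching the root of the tree works without extra options.
ad_search() {
    host=$1 user=$2 base=$3 filter=${4:-"(objectClass=user)"}
    ad_check_bind_user "$user" || return 1
    ad_check_base_dn "$base" || return 1
    ldapsearch -x -LLL -H "ldap://$host" -D "$user" -W -b "$base" "$filter" sAMAccountName
}

# Usage with constructed values:
#   ad_search dc1.testdomain.com je@testdomain.com "$(realm_to_base_dn testdomain.com)"
if [ $# -ge 3 ]; then
    ad_search "$@"
fi
```

The checks are deliberately separate functions so they can be reused in a login script without running a search.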
    

New infrastructure at home

Through the last year I have really been wanting to do something about my home infrastructure :) I got wires running all over, and my little trusty server makes too much noise. I would like to hook up all my clients (2 workstations and a laptop) to a wireless network, maybe even my server, to get rid of all the wires cluttering my floor. I have been playing around with the thought of trashing my current server totally and finding a new one which is more home friendly (less power and noise). Even though webalizer tells me I have 1.5G traffic to emcken.dk each month, it’s not like I need a 2.0GHz processor and 1GB RAM for it.

I have searched the net for devices which could help me do what I want with a minimum of devices. Beneath I have gathered all I have found out so far, but first I want to sum up my list of requirements.

Here is what I want my home network and computers to do:

  • Linux server
    • Minimum noise
    • Minimum power consumption
    • Fair amount of disk space (minimum 60GB)
    • Apache / PHP / MySQL (for my website / blog)
    • Samba server (to share files to my Windows machines)
  • Wireless access
  • IP telephony
  • A firewall
    • Preferably Linux
    • With the possibility of QoS / traffic shaping to make the IP phone work under heavy network load.

In the future I might want the following:

Wireless

My first wireless access point was a Zyxel 2000. The specs were what I needed and the design of the actual access point was good. Random disconnects and the need for power cycling the access point made me look for something new. Then I bought a Linksys WRT54GL on Fon’s website and tried that one out. FON is a really cool wireless community. Go read about them… you might like it.

I wasn’t able to open port ranges in the firewall on the Linksys using the FON firmware. So I tried a firmware from the OpenWRT project which FON actually builds upon for their Linksys WRT54GL devices. Linux on small devices rocks.

For some reason I had high latency when playing World of Warcraft on the wireless… I never got the time to look into this before I stumbled upon another project using the OpenWRT project as its base: Coova. Coova is a really cool project even though I had some issues with it. Before I found the solution to the problem, which I later learned was caused by myself, my colleague Tomas Krag had already introduced me to “La Fonera”, the latest access point from Fon. It is small, looks really slick and the wireless connection is very stable… so I’m gonna stick with this one for now.

The server

I have been looking at various possible server alternatives to my current “slim desktop PC” server.

First I thought about building a micro-ATX machine, though I would really like to make my server as small, noise free and with as low power consumption as possible. Then I thought I’d use my Linksys WRT54GL, but it doesn’t have enough disk space for my websites. Then I looked at different NAS solutions like the Thecus N2100, and in the end I stumbled upon the Linksys NSLU2. You can install Linux on the Linksys NSLU2, you can attach USB disks, it’s small and it is cheap :-D

I’m not sure if the processor is powerful enough. One of my mates reminded me that I might be able to use alternatives to Apache which are more lightweight. Anyway, I think I’m gonna buy one and find out for myself. For disk space I’d buy a laptop disk (2.5”), perhaps a Seagate disk in a RaidSonic Icybox enclosure. It seems people have made SlimServer run on it, which is cool. I don’t know if it can run a Teamspeak server, and it can’t run as a MythTV box for sure. But I might wanna make a separate box for all that multimedia stuff later on, perhaps based on a micro or nano ATX motherboard.

The other stuff

I already got an IP telephone, or rather an IP-to-analog converter, which works okay, good enough for me anyway. About the firewall: I might want to use my current Linksys WRT54GL as a firewall behind the Zyxel 650 router provided by my ISP. The Zyxel 650 doesn’t use a normal RJ45 plug for the WAN interface. I hope I will be able to find a device with a decent firewall and QoS / traffic shaping that can replace my Zyxel 650, so I don’t have to use 2 devices to get router and firewall functionality.

More encryption in Ubuntu

For those who found my post about encryption of USB devices interesting yesterday… you might wanna keep an eye on this one, which I stumbled upon today. A feature request for the next Ubuntu release, Feisty Fawn:

Transparent encryption of homedir

Update: The link was moved. I have now updated the URL. Thanks Steffen.

Encrypted USB drive in Ubuntu

Today I went to the Linuxforum BOF day where I attended a session about encrypting your personal files. This made me remember a post I read some time ago (check out the screencast). I guessed that this functionality would be in Ubuntu Edgy by now, so I just went ahead and tried to make my USB pen drive encrypted.

This is how I did it:

  1. First install the needed software:

    sudo apt-get install cryptsetup
    
  2. Make sure your USB disk isn’t mounted. Then partition the USB pen drive the way you want it, if it isn’t already partitioned (I made one big partition on mine, /dev/sda1). Note: Don’t mount the disk afterwards!
  3. If you haven’t rebooted your computer since you installed the cryptsetup package, you might have to load the device mapper crypt module manually:

    sudo modprobe dm-crypt
    
  4. Now make the partition encrypted:

    $ sudo cryptsetup --verbose --verify-passphrase luksFormat /dev/sda1
    
    WARNING!
    ========
    This will overwrite data on /dev/sda1 irrevocably.
    
    Are you sure? (Type uppercase yes): YES
    Enter LUKS passphrase:
    Verify passphrase:
    Command successful.
    

    If you get the error:

    Failed to setup dm-crypt key mapping.
    Check kernel for support for the aes-cbc-essiv:sha256 cipher spec and verify that /dev/sda1 contains at least 133 sectors.
    

    Make sure that the disk isn’t mounted, and make sure you are using the right device. You can use dmesg to check which device the disk has been assigned. You might also wanna check that the module dm-crypt is loaded (lsmod | grep dm).

  5. Now attach the encrypted partition:

    $ sudo cryptsetup luksOpen /dev/sda1 sda1
    Enter LUKS passphrase:
    key slot 0 unlocked
    Command successful.
    
  6. Now create a filesystem on the new encrypted device:

    sudo mkfs.ext3 /dev/mapper/sda1
    
  7. Remove the temporary device mapped to the encrypted partition:

    sudo cryptsetup luksClose sda1
    
  8. Now remove your USB disk from the USB plug and reinsert it; Ubuntu should find it and ask for the passphrase.
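The troubleshooting note under step 4 lists three causes of the dm-crypt mapping error: the disk is still mounted, the wrong device name is used, or the dm-crypt module is not loaded. The script below is an added example, not part of the original post, that checks all three before luksFormat is allowed to overwrite anything. It assumes only the standard Linux /proc/mounts and /proc/modules files; the sample mount table it embeds is constructed so the checks can be exercised without a real pen drive.

```shell
#!/bin/sh
# Added example, not from the original post: preflight checks for step 4 so
# cryptsetup luksFormat only runs against an unmounted, existing block device
# with dm_crypt available.

# is_mounted DEV [MOUNTS]
# Returns 0 if DEV, or any partition of DEV (/dev/sda1 for /dev/sda), appears
# as a mount source in MOUNTS (default /proc/mounts).
is_mounted() {
    awk -v d="$1" '
        substr($1, 1, length(d)) == d && substr($1, length(d) + 1) ~ /^[0-9]*$/ { found = 1 }
        END { exit !found }' "${2:-/proc/mounts}"
}

# dm_crypt_loaded [MODULES]
# Returns 0 if the dm_crypt module is listed in MODULES (default /proc/modules).
# A kernel with dm-crypt built in will not list it; then this check is moot.
dm_crypt_loaded() {
    awk '$1 == "dm_crypt" { found = 1 } END { exit !found }' "${1:-/proc/modules}"
}

# luks_preflight DEV
# Returns 0 only if DEV is a block device, is not mounted and dm_crypt is loaded.
luks_preflight() {
    dev=$1
    if [ ! -b "$dev" ]; then
        echo "$dev is not a block device; check dmesg for the name the pen drive got" >&2
        return 1
    fi
    if is_mounted "$dev"; then
        echo "$dev (or a partition on it) is mounted; unmount it first" >&2
        return 1
    fi
    if ! dm_crypt_loaded; then
        echo "dm_crypt is not loaded; run: sudo modprobe dm-crypt" >&2
        return 1
    fi
    return 0
}

# sample_mounts_file
# Writes a constructed /proc/mounts snapshot to a temp file and prints its path,
# so is_mounted can be tried without touching real devices.
sample_mounts_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
/dev/sdb2 / ext3 rw,relatime,errors=remount-ro 0 0
/dev/sda1 /media/usbdisk vfat rw,nosuid,nodev 0 0
proc /proc proc rw 0 0
EOF
    echo "$f"
}

# Usage: sh preflight.sh /dev/sda1
# Runs the checks and, only if they pass, the luksFormat command from step 4.
if [ $# -ge 1 ]; then
    luks_preflight "$1" && sudo cryptsetup --verbose --verify-passphrase luksFormat "$1"
fi
```

The whole-disk case matters in practice: a pen drive that auto-mounted as /dev/sda1 will still be reported as mounted when you pass /dev/sda, which is exactly the situation the note warns about.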

Update: I tried to insert my USB pen into an Ubuntu Dapper (which this guide would also work on, I guess). I just thought it was cool that it actually told me which package it needed for it to work:

Playing around with software raid

And you don’t even need any physical disks for it…

I don’t use the Linux software RAID tool mdadm that often, so I quickly forget how it works. This is something I have used on several occasions when trying to refresh my memory. The cool thing is that you don’t need physical disks or a lot of space for it to work. The following might vary a bit depending on your system (mine is Ubuntu Edgy Eft on an IBM x40).

First create a few “disks”… by creating some empty files and making them into block devices:

dd if=/dev/zero of=disk1 bs=1M count=1 seek=30
dd if=/dev/zero of=disk2 bs=1M count=1 seek=30
dd if=/dev/zero of=disk3 bs=1M count=1 seek=30
losetup /dev/loop0 disk1
losetup /dev/loop1 disk2
losetup /dev/loop2 disk3

This creates 3 files (disk1, disk2 and disk3) with the size of 1MB in the current directory and makes them into block devices (just like normal disks are).

Now create your RAID, for example:

mdadm --create /dev/md0 --level=5 --raid-devices=2 --spare-devices=1 /dev/loop0 /dev/loop1 /dev/loop2

If you get the error:

mdadm: error opening /dev/md0: No such file or directory

Add the parameter --auto=md to the raid create command.

Now you can see your RAID status with:

cat /proc/mdstat

Now play around with it all you want.
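The useful thing to look for in /proc/mdstat is the member-slot field ([UU] for a healthy two-device array, [_U] when a member is missing or failed). The script below is an added example, not from the original post: it summarises each array and flags degraded ones, so it can be run by hand or from cron. It only assumes the standard /proc/mdstat layout; the sample it embeds is constructed to match the two-device plus one spare RAID 5 created above, plus a degraded RAID 1 for contrast.

```shell
#!/bin/sh
# Added example, not from the original post: summarise /proc/mdstat and flag
# degraded arrays. The embedded sample is constructed.

# md_status [MDSTAT]
# Prints one line per array: "<name> <level> <active>/<total> <healthy|degraded>".
# The [UU] / [_U] field lists member slots; an underscore is a missing member.
md_status() {
    awk '
        /^md[0-9]+ :/ { name = $1; level = ($3 == "active") ? $4 : $3; next }
        name != "" && match($0, /\[[U_]+\]/) {
            slots = substr($0, RSTART + 1, RLENGTH - 2)   # e.g. "UU" or "_U"
            missing = gsub(/_/, "_", slots)               # gsub returns the count
            total = length(slots)
            printf "%s %s %d/%d %s\n", name, level, total - missing, total,
                   (missing ? "degraded" : "healthy")
            name = ""
        }' "${1:-/proc/mdstat}"
}

# md_degraded [MDSTAT]
# Returns 0 if any array is degraded (e.g. for cron: md_degraded && mail ...).
md_degraded() {
    md_status "$1" | grep -q ' degraded$'
}

# sample_mdstat_file
# Writes a constructed /proc/mdstat snapshot to a temp file and prints its path.
# md0 matches the RAID 5 built above (2 devices + 1 spare, marked (S)); md1 is a
# RAID 1 with one failed member, marked (F).
sample_mdstat_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Personalities : [raid1] [raid5]
md0 : active raid5 loop2[2](S) loop1[1] loop0[0]
      31744 blocks level 5, 64k chunk, algorithm 2 [2/2] [UU]

md1 : active raid1 loop4[1] loop3[0](F)
      31744 blocks [2/1] [_U]

unused devices: <none>
EOF
    echo "$f"
}

# Usage: md_status            (live system)
#        md_status "$(sample_mdstat_file)"   (constructed sample)
if [ -r /proc/mdstat ]; then
    md_status /proc/mdstat
fi
```

Because the loop devices are plain files, you can fail one with mdadm --fail and watch the slot field change from [UU] to [U_] and back as the spare is rebuilt in.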

Cleanup

When you are done, you stop the RAID and remove it with the following:

mdadm --stop /dev/md0
mdadm --remove /dev/md0

Perhaps you want to remove the md0 device again (only if you needed the --auto=md parameter):

rm /dev/md0

Cleanup the “disks”:

losetup -d /dev/loop2
losetup -d /dev/loop1
losetup -d /dev/loop0
rm disk3
rm disk2
rm disk1

Now your computer won’t have a trace of your software RAID disks… besides your shell history :)