This post is password protected. To view it please enter your password below:

Password:

Share on Facebook

Snort is an opensource IDS (Intrusion Detection System) written and maintained by a company called sourcefire. It is one of the best IDS available and is free (Kinda).

Downloading Snort

Since we us Redhat Enterprise Linux 5 here go to the snort download page and select snort-2.8.5.2-1.RH5.i386.rpm. Since we will also be using the BASE web interface to view the alerts also download the snort-mysql-2.8.5.2-1.RH5.i386.rpm add-on that allows snort to log its alerts to a MySQL database.

Installing Snort

Installing Snort via the rpms is very easy. Just use the rpm command like the following.

[root@mytest src]# rpm -Uvh snort-2.8.5.2-1.RH5.i386.rpm snort-mysql-2.8.5.2-1.RH5.i386.rpm
Preparing...                ########################################### [100%]
  1:snort                    ########################################### [ 50%]
  2:snort-mysql          ########################################### [100%]

That’s it, Snort is installed and the rpm install script already configures Snort to start at boot.

[root@mytest src]# chkconfig --list |grep snort
snortd          0:off   1:off   2:on    3:on    4:on    5:on    6:off

Configuring Snort

Here is where the real magic happens. He now need to configure Snort for use. Typicaly your server will have two NICs. One will be for remote administration and one will be dedicated to Snort. In our case I will use eth0 for remote administration and logging into the computer and I’ll use eth1 for Snort. We want to dedicate the whole interface to snort because we will be placing it in promiscus mode which will cause the network interface to take sniff all the traffic coming across its segment.

Configure Dedicated Network Interface

You don’t actually need to use a real IP for the Snort interface so when you configure the if-cfg file just leave out the actual IP info In redhat the network config files are located under /ettc/sysconfig/network-scripts/ so I’ll place the following in /etc/sysconfig/network-scripts/ifcfg-eth1

DEVICE=eth0
BOOTPROTO=none
ONBOOT=yes
TYPE=Ethernet

Then recycle the network service with the service network restart command.

[root@mytest network-scripts]# service network restart
Shutting down interface eth0:                              [  OK  ]
Shutting down interface eth1:                              [  OK  ]
Shutting down loopback interface:                        [  OK  ]
Bringing up loopback interface:                            [  OK  ]
Bringing up interface eth0:                                  [  OK  ]
Bringing up interface eth1:                                 [  OK  ]

This will then turn on your network interface. You can verify that the interface is up and on with the ifconfig command.

[root@mytest network-scripts]# ifconfig eth1
eth1      Link encap:Ethernet  HWaddr 00:C0:F2:01:16:73
         UP BROADCAST MULTICAST  MTU:1500  Metric:1
         RX packets:0 errors:0 dropped:0 overruns:0 frame:0
         TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1000
         RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
         Interrupt:193 Base address:0xdde0

Snort Sysconfig file

So now that we have our network up it’s time to configure Snort to use the new network interface we just created. You can tell snorrt to either usee a certain NIC or ALL. In our case we only want it to use eth1 so edit /etc/sysconfig/snort find the line that has INTERFACE=eth0 and change it to INTERFACE=eth1

# What interface should snort listen on?  [Pick only 1 of the next 3!]
# This is -i {interface} on the command line
# This is the snort.conf config interface: {interface} directive
INTERFACE=eth1

Next since we will be logging to MySQL we need to shut off the standard flat file out by commenting out the ALERTMODE option. This step is actually really important. Without it no matter what you tell the snort config file, it will not send any logs to the MySQL database.

# How should Snort alert? Valid alert modes include fast, full, none, and
# unsock.  Fast writes alerts to the default "alert" file in a single-line,
# syslog style alert message.  Full writes the alert to the "alert" file
# with the full decoded header as well as the alert message.  None turns off
# alerting. Unsock is an experimental mode that sends the alert information
# out over a UNIX socket to another process that attaches to that socket.
# -A {alert-mode}
# output alert_{type}: {options}
#ALERTMODE=fast

Create and Configure the Database

We now need to create and configure our mysql database and tables where Snort’s events will be logged. The snort rpm you installed earlier placed a MySQL database scheme at /usr/share/snort-2.8.5.2/schemas/create_mysql Sso first we will need to manually create the MySQL database.

[root@mytest ~]# mysql
mysql> create database snort;
Query OK, 1 row affected (0.09 sec)
mysql> exit
Bye

Next we will import the database scheme to the snorrt database we just created with the following command.

[root@mytest ~]# mysql snort < /usr/share/snort-2.8.5.2/schemas/create_mysql

Last we need to create a snort user in mysql with full access to the database and tables we just created. In the following example replace secret password with an actual password.

[root@mytest ~]# mysql snort
mysql> grant all on snort.* to 'snort'@'%' identified by 'secret password';
Query OK, 0 rows affected (0.04 sec)
mysql> exit
Bye

Snort Configuration File

The actual Snort config file is located in /etc/snort and is called snort.conf’ Really the only things we should edit in this file are the VAR options that are specific to our network and the log line that defines our snort connection.

#This should reflect all the subnets we have on our network.
var HOME_NET [10.0.0.0/24,10.0.10.0/24,10.0.23.0/24]
var EXTERNAL_NET any
# Configure your server lists.  This allows snort to only look for attacks to
# systems that have a service up.  Why look for HTTP attacks if you are not
# running a web server?  This allows quick filtering based on IP addresses
# These configurations MUST follow the same configuration scheme as defined
# above for $HOME_NET.
var DNS_SERVERS [10.0.0.42,10.0.23.42]
var SMTP_SERVERS $HOME_NET
#Any computer that was a webserver running should be in this list
var HTTP_SERVERS [10.0.0.23,10.0.23.42]
#Any Machine that is running any type of SQL server should be listed here
var SQL_SERVERS [10.0.0.60,10.0.0.61]
var TELNET_SERVERS $HOME_NET
var FTP_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
#Now we should define our database config
output database: log, mysql, user=snort password=secretpassword dbname=snort host=localhost

That’s it after that you can start snort with a simple service snortd start

Configuring Switches for Snort

In the old days of hubs every packet was always sent out every port. This was inefficient and a huge security risk. So Switches came along to make sure only the port that needed the data got the packet. It did this my keeping an internal list of which mac was on which port. Then it only sends out packets destine for the mac associated with each port. This is much more efficient and secure but for snort this actually causes a problem. In order to see every packet to inspect it, it needs the switch to treat it’s port like a hub. Luckily in managed Cisco switches you have the ability to mirror ports or vlans to another port or vlan.

On our vlan we will assume that we have two vlans. In reality we probably have many more but for our example it doesn’t matter we will also assume that our dedicated network interface is plugged in to port GigabitEtherrnet0/5.

Switch> conf t
Switch> monitor session 1 source vlan 1 - 2 rx
Switch> monitor session 1 destination interface gigabitEthernet0/5

This will tell your switch to take all traffic on vlan 1 & 2 and mirror them to gigabitEthernet port 0/5

after that write and save your config. Now snort should be getting all the traffic from your vlans. As stated above if you have multiple Vlans then add more monitor session 1 source statements. You can combine all sorts of interfaces and vlans.

Updating Scanning Signatures

Unfortunately updating snort rules requires an account on the snort.org website. Their are free and paid subscriptions based accounts. The free account gets new signatures 30 days after the paid account. For our purposes we will be using the free version for now. So create your free account via the Signup Page and after you do the whole email confirm thing login to the website at the Login Page When you login Click on the Get Rules button this will take you to a download page and show you two sections one for VRT Subscription users and one for Registered users (Free 30days late). Select the snortrules-snapshot-CURRENT.tar.gz from the registered users section, this file is usually about 25-30MB so be patient. Once you download this tar archive to your snort machine create a tmp dir and unarchive all the files with the tar command again.

[root@mytest src]# mkdir snort-rules-temp
[root@mytest src]# cd snort-rules-temp
[root@mytest snort-rules-temp]# tar -zxf ../snortrules-snapshot-CURRENT.tar.gz

Once you uncompressed the rules you need to copy only the normal rules. Copy the normal rules to the /etc/snort/rules directory.

[root@mytest snort-rules-temp]# cp rules/* /etc/snort/rules/

Test the so rules with

[root@mytest src]# snort -c /etc/snort/snort.conf -T

If everything looks good recycle snort with service snortd restart For best results you should update your snort rules every week.

References

• https://forums.snort.org/forums
• http://snort.org/

Share on Facebook

STS125_2009142_VIS_RL

STS125_2009142_GEM

20580_200137_AO_RLBD

20580_2008137_AO_PCID

STS125_2009142_SSTB_Resize

20580_2008137_AO_MFBD_RL

STS125_2009142_SSTB

20580_2008137_RLBD_Knox

Share on Facebook

VPN that use ipsec for a site to site connection encapsulate packets into udp packets.  These udp packets are then sent across the network to the other side where the receiving device unpacks the udp packet and then decrypts it.  Typically the carrier media that connects your two vpn devices is the internet.  But if your media connecting your two devices is a network that also uses a VPN you run into a major problem.  The carrier network will start to unpack your packets meant for the other side and start throwing icmp type 3 (Host Unreachable) errors back to the vpn device.

Now if you are using cisco routers for the carrier network fiber you can actually tell it that traffic from your vpn devices should be excluded from the vpn tunnel and instead be sent in clear.  This way those packets to the other side of the vpn and never get double encrypted, fragmented or any other bad ness.  A great article explaining crypto acls for Cisco routers is http://www.thebryantadvantage.com/CCNPCertificationBCRANExamVPNCryptoAccessLists.htm

Share on Facebook

This is a list of links and tips I discovered to make it easier to do.  By default it shouldn’t be that card in OS X 10.5.6 or higher to get your CAC to work.  In factApple already has support for CAC readers built into the OS.  I have found though that often times you need to flash your CAC reader with the most current firmware version to make it work right.  The worst part about this is that you have to use a windows XP computer to do this.  I found the firmware for my cCAC reader and the flash tool at this site http://www.txsystems.com/cac.html  Once I installed it on a Windows XP machine and flashed it to the most current version I got my cac to start seeing it.

To test if your mac can see you CAC reader plug it into your computer and place you CAC in the reader. Then open terminal and type ’sudo pcsctool’.  After you input your admin password if will tell you sucess or failure.  THis is the immeditae indicator of weather or not your computer can use your CAC reader.

Once you know your computer will see it you can start configuring certain programs to use it/.  So far I’ve gotten Safari and Firefox working with the CAC reader.  The best instructions you can find for getting Safari to use your CAC is from http://militarycac.com/apple.htm  I’ve included it here for archive puproses.

Step 1: Update your system.  (10.5.6 is the minimum required for Leopard, though 10.5.8 is currently available and recommended)

Step 2: Plug in your CAC Reader to the USB Port

Step 3: Click the Apple Icon in the upper left corner of your desktop and select “About This Mac”

Step 4: Click the “More Info” Button within the window that pops up. (This open System Profiler)

Step 5: Within the “Hardware” Category select the “USB” Section.  On the right hand side of the screen the window will display all hardware plugged into the USB ports on your Mac.  Within this should be a Smart Card Reader.  If the Smart Card reader is present here it is installed on your system, and no further hardware changes are required, i.e. additional drivers / Firmware upgrades.  Unplug the CAC Reader from your system.

Step 6: Open Keychains Access from the Utilities Folder within the Applications folder; Open the “Edit” Menu, and select “Keychain List”, click the “+” button in the lower left of the window opened, navigate to the location: System / Library / Keychains (Select the local hard drive i.e “Macintosh HD” on the left, followed by the System folder, within that the Library folder, and within that the Keychains folder), and select X509Anchors.  Check the Box to the left of the name under “Shared” as well as the System Box.  Click “Ok”.

Step 7: Plug in your CAC Reader and insert your CAC into the CAC Reader.  If in the upper left of the Keychain Access window, under “Keychains” your CAC should show up (CAC XXXX-XXXX-XXXX-XXXX-XXXX), select it. In the right hand side you will see the certificates that are on your CAC. (If your CAC does not appear remove it from the reader, unplug the CAC Reader, close and re-open keychains, plug in the Card Reader, and insert your CAC)

Step 8: Click the “Padlock” icon in the upper left corner of the program window, which will prompt you for your CAC PIN.  Enter your PIN to unlock your CAC.

Step 9: Select the desired certificate, which will show DOD CA-XX or DOD EMAIL CA-XX in the upper window.  Right Click (Control Click) and select “New Identity Preference”

Step 10: Enter the URL for the appropriate website you wish to access, select the appropriate certificate and click “Add”:

Step 11: Close Keychains, remove your CAC, and re-insert it.  Open Safari and begin navigating to your CAC enabled site.  (Air Force Users: remove your CAC card and re-insert it prior to opening Safari.)

If you want to use your CAC with firefox it’s a little more complicated.  This is because the plugin that used to be hosted on the mozilla addons page is nolonger active.  Now the project is hosted under the Department of Defensess forge.mil site.  This site requires a department of defense CAC to get in and download it.  It also has great documentation on how to setup firefox.  It’s all focused on the DOD Certs though.

If you are looking to get your mac to play nicely in a AD envronment then you should look at centrify’s solution.  I have to be honest, I haven’t tried it but I have read a lot about it and it appears to be the perfect way to authenitcate to an active directory domain via CAC.

Share on Facebook

We start with Solaris. Not much has changed in this OS over the years. Most of the following was stolen from http://timesync.gmu.edu/wordpress/?p=30 It was customized to account for increasing the partition sizes.

Note that in order to garuntee the best results use the

Say the original drive is c1t0d0 and the new drive is c1t4d0

Note that in order to guarantee the best results use the prtvtoc & df commands to look at what the old partition table is. This Will let you know what partitions you need to create and the minimum sizes for each one. When formatting the partitions can be bigger but must be at least the same size.

   prtvtoc /dev/rdsk/c1t0d0s2 > /root/OldPartitionTable
   df -k >> /root/OldPartitionTable

Once you know the current partition sizes use the format command to setup your new drive.

Now, this script will build new file systems on the partitions of the new disk…matching those on the original. Then it will run ufsdump, copying data from the original to the new drive…then unmount the new “clone” drive. Finally it makes the new clone bootable. Note that this jazzy blog format wraps lines on the installboot line of the script…a “man installboot” will give you a clean copy of the syntax.

   #! /bin/ksh
   # script assumes:
   # c1t0d0 is original
   # c1t4d0 is drive we’ll turn into a clone
 
   partlist=$(prtvtoc /dev/rdsk/c1t4d0s2 | awk ‘!/\*/ {print $1}’)
 
   for p in $partlist
   do
   if [ "$p" != "1" -a "$p" != "2" ]
   then
   newfs /dev/rdsk/c1t4d0s$p < /dev/null
   mount /dev/dsk/c1t4d0s$p /mnt
   cd /mnt
   ufsdump 0uf - /dev/dsk/c1t0d0s$p | ufsrestore rf -
   cd /
   umount /mnt
   fi
   done
 
   mount /dev/dsk/c1t4d0s0 /mnt
   installboot /usr/platform/`uname -i`/lib/fs/ufs/bootblk \
   /dev/rdsk/c1t4d0s0
   umount /mnt
 
   exit 0

How to CLONE AN IRIX SYSTEM DISK. I use IRIX-disk cloning as a backup strategy. It is a bit expensive perhaps because I have to keep 2 SCSI disks (cloned copies of my combined user/root disk) in the closet as backups. In the list below I assume you are running your IRIX system on (i.e. booted from) disk #1 and you want to clone it to spare disk #3. The first time (with an uninitialised disk) cloning takes about 10 steps. A second time (when the disk is already prepared), one may start at step 7 to make a backup-clone.

1) BECOME SUPERUSER:

   su

2) FIRST THOROUGHLY TEST THE DRIVE THAT HAS TO BECOME THE CLONE:

   fx -x
    fx: "device-name" = (dksc)                       <enter>
    fx: ctlr# = (0)                                  <enter>
    fx: drive# = (1)                                 3
    fx: lun# = (0)                                   <enter>
     fx>                                             exercise
     fx/exercise>                                    butterfly
  	modifier = (rd-only)                           wr-cmp
  	starting block# = (0)                          <enter>
  	nblocks = (143374744)                          <enter>
  	nscans = (1)                                   <enter>
  	about to destroy data on disk dksc(0,3,0)! ok? yes
     ..
    ..
    label info has changed for disk dksc(0,3,0).
    write out changes?                               yes
   exit

3) ADD SGI LABEL:

   fx -x
   fx: "device-name" = (dksc) 
    fx: ctlr# = (0) 
    fx: drive# = (1) 3
    fx: lun# = (0)
     auto
     about to destroy data on disk dksc(0,3,0)! ok? yes
     (Several tests... may take a long long time, you can
      abort them.)
   exit

It is perhaps easier to do this via the Disk Manager desktop-interface: just initialise the disk. This only takes a few seconds and also puts a SGI label on the disk.

4) MAKE ROOTDRIVE PARTITIONING: List the disk partitioning of the system (root) disk:

   prtvtoc

List the disk partitioning of the option disk that is to be the clone:

   prtvtoc /dev/rdsk/dks0d3vh

Compare the disk partitioning of the two disks. They must have the same layout for the root and (if used) the usr partition. If they are not the same, repartition the option disk to match the system disk. In the easiest case:

   fx "dksc(0,3)"
    repartition
    rootdrive
    type of data partition = (xfs)
    ..
    exit

Then compare the prtvtoc outputs again. 5) ADD STAND-ALONE SHELL (AND OTHER PROGRAMS) TO VOLUME HEADER: If necessary, first copy the appropriate sash (on your systemdisk, SCSI ID=1) to the /stand directory:

   dvhtool /dev/rdsk/dks0d1vh                          (CAREFUL!)
   vd                                                  (volume directory)
   l                                                   (list)
   g sash /stand/sash_Octane
   g ide /stand/ide_Octane
   g IP30prom /stand/IP30prom_Octane
   quit

Then add the required programs to a volume header:

   dvhtool /dev/rdsk/dks0d3vh                      (SCSI ID=3)
   vd                                              (volume directory)
   l                                               (list)
   a /stand/sash_Octane sash                       (add to volume header)
   a /stand/ide_Octane ide
   a /stand/IP30prom_Octane IP30prom
   l
   quit
   write
   quit

6) MAKE FILESYSTEM: To make an XFS root filesystem with a 4 KB block size and a 1000 block internal log (the default values), give this command:

   mkfs /dev/dsk/dks0d3s0

7) SWITCH TO SINGLE USER MODE AND MOUNT:

   single
 
   mkdir /clone
   mount /dev/dsk/dks0d3s0 /clone
   cd /clone

XFSDUMP:

   xfsdump -l 0 - / | xfsrestore - .

Notice the 0, it is a NULL character, not an O!

9) UNMOUNT AND SHUTDOWN:

   cd ..
   umount /clone 
   rmdir /clone 
   shutdown

10) TEST Swap drives (in an Octane) and try if your clone is really bootable.

Share on Facebook

In linux it is very simple prefix any command with strace and it will give you lots of system trace info.

In Solaris use the truss command.

In Irix use the par command.

Share on Facebook

First you need to download this file ldap_auth.php to your ‘app/controllers/components/’ directory.

Then just like the original auth component you add that component to a model. I followed the usual auth example and created a model called Users.php like so

<?php 
class User extends AppModel {
	var $name = 'User';
	var $useDbConfig = 'ldap';
	var $primaryKey = 'uid';
	var $useTable = 'ou=people';
}
?>

If some of these options are odd looking please have a look at my ldap data source post.

Next you are going to need your controller. Here is the one I used It defines the required functions like login, logout & authorize.

<?php
class UsersController extends AppController {
 
	var $name = 'Users';    
        var $components = array('RequestHandler', 'LdapAuth');
        var $helpers = array('Form','Html','Javascript', 'Ajax');
 
	function login() {
	}
 
	function logout() {
		$this->redirect($this->LdapAuth->logout());
	}
 
        function isAuthorized() {
                return true;
        }
 
}
?>

7

Share on Facebook

When I first started, I realized that CakePHP didn’t have an LDAP data source officially supported yet. I did find two articles about some good attempts. One by euphrate, unfortunately this one was only for reading from ldap. The second one was by Gservat, this one was a bit more complete, but was not really working for me and as i read from his comments many others. I think we wrote his for CakePHP 1.1. Since I wanted to use Current cake 1.2.8xxx I set out to use this as my start and fix/extend it.

Before we get started I want to state the environment I was using to do my work was Redhat Enterprise 5.2 & Fedora 10 (Work requirement) with redhat directory server 8.1 and Fedora directory server 1.2. Now while LDAP is a standard protocol, some of the driver may have become centric to those platforms, so if this is the case, please leave me a comment and I will try to correct the ldap data source I’m working on. My hope is to get ldap as an offical CakePHP data source. With that said the reason i call this a living example is because I’ve continued to upgrade and improve this data source as well as this article. Some of the next features I want to implement is data associations. Basically has and belongs to many relations. This way when you look up an user account it also shows you all the groups that user is in. This will take some time but I’ll get there. This work is all being done in the hopes that I can use this data source and CakePHP to build a really user friendly web interface for managing enterprise LDAP infrastructures without a whole lot of LDAP knowledge.

8/20/2009 – New Home for the source. I’ve got this datasource in my github tree now http://github.com/analogrithems/idbroker/tree/master/models/datasources enjoy, and feel free to submit bugs or request there.

6/20/2009 – Updated ldap_source.php to work with OpenLDAP 2.3 schema system. First it will try ‘cn=schema’, if that doesn’t return any results then it looks for schemas in ‘cn=subschema’ this make sure the code will work with OpenLDAP as well as the Netscape based versions like iPlanet, Redhat Directory Server, Fedora Directory Server etc.

First things first, here is my ldap data source for CakePHP. You will need to download this ldap_source.php to your ‘app/models/datasources/’ directory.

So lets dive right in below is the database config we will use.

<?php
class DATABASE_CONFIG {
 
	// if using ssl set 'host' => ldaps://hostname and 'port' => 636
        // If using tls set 'tls' => true and 'port' => 389
 
	var $ldap = array (
		'datasource' => 'ldap',
		'host' => 'localhost',                
		'port' => 389,                        
		'basedn' => 'dc=examnple,dc=com',
		'login' => '', 
		'password' => '',                
		'database' => '',
                'tls'         => false,
		'version' => 3                    
	);     
}
?>

You notice that the variables database, login and password are blank. Keep at least database this way. You can populate login and password if don’t want your ldap connections to be anonymous. I keep mine blank because I have written my own auth component that uses ldap, So once I’m authed that gets passed to the datasource instead. This is a ugly hack that I’ve written another post about.

Here is our people model for accessing the users in your LDAP tree.

 <?php 
class People extends AppModel {
 
	var $name = 'People';
 
	var $useDbConfig = 'ldap';
 
	// This would be the ldap equivalent to a primary key if your dn is 
	// in the format of uid=username, ou=people, dc=example, dc=com
	var $primaryKey = 'uid';     
 
	// The table would be the branch of your basedn that you defined in 
	// the database config
	var $useTable = 'ou=people'; 
 
	var $validate = array(
		'cn' => array(
			'alphaNumeric' => array(
				'rule' => array('custom', "/^[a-zA-Z]*$/"),
				'required' => true,
				'on' => 'create',
				'message' => 'Only Letters and Numbers can be used for Display Name.'
			),
			'between' => array(
				'rule' => array('between', 5, 15),
				'on' => 'create',
				'message' => 'Between 5 to 15 characters'
			)
        ),
        'sn' => array(
			'rule' => array('custom', "/^[a-zA-Z]*$/"),
			'required' => true,
			'on' => 'create',
			'message' => 'Only Letters and Numbers can be used for Last Name.'
        ),
        'userpassword' => array(
			'rule' => array('minLength', '8'),
			'message' => 'Mimimum 8 characters long.'
        ),
        'email' => array(
			'rule' => 'email',
			'required' => true,
			'on' => 'create',
			'message' => 'Must Contain a Valid Email Address.'
		),
        'uid' => array(
			'rule' => 'alphaNumeric',
			'required' => true,
			'on' => 'create',
			'message' => 'Only Letters and Numbers can be used for Username.'
        ),
    );
 
 
}
?>

Here is a very basic controller to accompany our people model. It demonstrates the important core functions and should get you started on using this data source with your own application.

<?php
class PeoplesController extends AppController {
 
	var $name = 'Peoples';    
	var $components = array('RequestHandler');
	var $helpers = array('Form','Html','Javascript', 'Ajax');
 
 
	function add(){
            if(!empty($this->data)){
			$this->data['objectclass'] = array('top', 'organizationalperson', 'inetorgperson','person','posixaccount','shadowaccount');
 
			if($this->data['password'] == $this->data['password_confirm']){
				$this->data['userpassword'] = $this->data['password'];
				unset($this->data['password']);
				unset($this->data['password_confirm']);
 
				if(!isset($this->data['homedirectory'])&& isset($this->data['uid'])){
					$this->data['homedirectory'] = '/home/'.$this->data['uid'];
				}
 
				if ($this->People->save($this->data)) {
					$this->Session->setFlash('People Was Successfully Created.');
					$id = $this->People->id;
					$this->redirect(array('action' => 'view', 'id'=> $id));
				}else{
					$this->Session->setFlash("People couldn't be created.");
				}
			}else{
				$this->Session->setFlash("Passwords don't match.");
			}
                }
		$this->layout = 'people';
	}
 
	function view( $id ){
		if(!empty($id)){
			$filter = $this->People->primaryKey."=".$id;
			$people = $this->People->find('first', array( 'conditions'=>$filter));
			$this->set(compact('people'));
		}
		$this->layout = 'people';
	}
 
	function delete($id = null) {
		$this->People->id = $id;
		return $this->People->del($id);
	}
 
}
?>

So lets talk about somethings here, in our model we define $primaryKey & $useTable variables. The $useTable is the branch of the ldap server. For this models purpose we define our table as ‘ou=people’. This makes sure that objects we create (I.E. Users/people) will be added under the organization unit people. It also makes sure that when you pass something like ‘jdoe’ to the delete action it will search that branch for the user object to delete. The $primaryKey also helps in the creation and deleting of users. It makes sure that the dn is created as uid, this is helpful to make sure that a user doesn’t already have that user name. Also since ldap is case insensitive you don’t have to worry about the possible variations of the object names when checking the existence.

Now your model isn’t limited to one branch or object type. If you wanted to create a browser for example your could define a model like the following.

<?php 
class Browser extends AppModel {
    var $name = 'Browser';
    var $useDbConfig = 'ldap';
    var $primaryKey = 'dn';
    var $useTable = '';
}
?>

You’ll notice here we set our $useTable to nothing (important, you get errors about no db defined from CakePHP if this missing). The really interesting part here is that we set $primaryKey to dn. This is the ultimate primary key for our type or data source. The difference here is that when we create/delete an object we have to pass it the full dn.

Our new data source also adds some new options to the find function.
$options['targetDN'] : This is more like the point in the tree we want to start our search. If you don’t define it it defaults to the $useTable.$config[$useDbConfig]['basedn'] if your $useTable variable is empty it defaults to the basedn configured in your database config.

$options['scope'] : If you’ve worked with ldap before then you are familiar with the concept of search scopes. You have three search scopes, ’sub’, ‘one, & ‘base’. Basically sub means search from this point down the tree. one means search one level below this point and base means search just this point. For example if you wanted to see if a user already existed you could set the targetDn to uid=jdoe,ou=people,dc=example,dc=com and it will check if this object already exists. The default scope is sub

Share on Facebook

From what I’ve discovered about nscd this issue is a design flaw in nscd. Several people have just recommended disabling nscd. While this is a solution, it isn’t an acceptable solution in an enterprise environment. Especially if you are using oracle. Several oracle tools and apps will freeze or crash if they can’t talk to the nscd socket. Lame I know, but I’ve observed this in at least Oracle 10i.

Solutions

Now there are tow ways to get around this. One is to make your LDAP service load balanced and highly available. You can do replication in OpenLDAP with slurpd and then use something like balance to make the service highly available. Another option though is to fix nscd so it doesn’t bomb your machine when it dies.

In this article we are going to go over the fix nscd solution.  nscd comes with a config file located in ‘/etc/nscd.conf’ This file tells the nscd daemon how long to cache which name service.  See the man page to understand what each option means. The quick way to fix nscd is to tell the service here not to cache passwd and group info.  This will make nscd not go to LDAP and freak out if LDAP is not available.  Randomly I also came across a drop in replacement for nscd that dosen’t suffer from this issue. unscd-033.c The compile instructions are in the file. I can’t guarantee this safe, but I’ve used it for a while in an enterprise environment and seem haven’t had any nscd issues since

Refferences:

• http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=248271

Share on Facebook