Somewhere is an Apache running a smal set of custom Scripts. Now you need to limit the access to this bunch of quick and dirty Apps. Typical solution: put an htaccess file and some htpasswd manages passwords on it. This works but everyone needs to remember his windows login and his Application password. What happens if a user leaves the company? You disable the Windows account. But did you remember to remove him from all the htaccess files?
Goal is to have only one user/password. For everything in the Company and only one central usermanagement. This is your Active Directory. It has the users and LDAP is the interface to use it.
Make sure your apache supports mod_authnz_ldap. If it is compiled into the binary you can use httpd -L to list it. Otherwise it is in the modules directory as mod_authnz_ldap.so. Maybe you need to install it from your Distributions repository. If you compile from source, use these switches during configure
--enable-ldap \ --enable-authnz-ldap \ --with-included-apr \ --with-ldap
Authentication consists of
For the first Step (finding the user) we already need access to the Active Directory. As AD won't allow anonymous acces, you need a username and a password just to do the search. This is not
your administration account! Create a new account with minimal rights.
So what is the username? Depends on your AD Layout. This should give you a pretty good hint
CN=John Doe,OU=IT Department,OU=Germany,DC=example,DC=com
Let's start with an example
<Location /protected> # Using this to bind AuthLDAPBindDN "CN=John Doe,OU=IT Department,OU=Germany,DC=example,DC=com" AuthLDAPBindPassword "XXX" # search user AuthLDAPURL "ldap://IP-DOMAIN-CONTROLLER/ou=Germany,dc=example,dc=com?sAMAccountName?sub?(objectClass=*)" AuthType Basic AuthName "USE YOUR WINDOWS ACCOUNT" AuthBasicProvider ldap # Important, otherwise "(9)Bad file descriptor: Could not open password file: (null)" AuthUserFile /dev/null require valid-user </Location>
AuthLDAPBindDN and AuthLDAPBindPassword are uesd for the first step, Accessing the active directory.
Next we need to find the users, this is AuthLDAPURL. It looks like AD won't allow to search the complete Tree (dc=example,dc=com). I always needed to specify at least one organizational unit (ou). We search the whole subtree (sub) not just one folder. When searching the tree we compare sAMAccountName with the username supplied to us. You could also the eMail Addresses
AuthLDAPURL "ldap://IP-DOMAIN-CONTROLLER/ou=Germany,dc=example,dc=com?mail?sub?(objectClass=*)"
AuthType, AuthName should be known.
Important is the AuthUserFile directive.
# specific user # Require ldap-user "john.doe" # specific user by DN # Require ldap-dn CN=John Doe,OU=Finance,OU=Germany,DC=example,DC=com # member of group # Require ldap-group CN=Finance Department,OU=Finance,OU=Germany,DC=example,DC=com]]>
Well, flash games need to store highscores somewhere on the server. So on some point during the game, scores are posted. And this happens via http. As http is a well known easy protocoll and most games don't think about protecting the scores someone just posted his score.
For simple cases firebugs net log is enough. For more complicated stuff add a local proxy and capture the traffic. There is no way flash games can prevent you from this.
If you know the score you just submitted, it is in most cases enough to grep the traffic log and find the http POST request that submits it.
write a five line python to submit the same request again but this time submit a different score.
#!/usr/bin/python
import urllib2
import urllib
url = 'http://example.com/submit.php'
values = {
'score': 1234,
}
cookies = ['a=b',]
headers = {
'User-Agent': 'python',
'cookie': '; '.join(cookies)
}
data = urllib.urlencode(values)
req = urllib2.Request(url, data, headers)
response = urllib2.urlopen(req)
print response.read()
Flash might encode or encrypt the submitted data. Use a actionscript decompiler and read the code
simply play the game to have fun and not to reach a highscore ;)
]]>
I used to check if some services (like http, smtp) are working by telnetting into them. Then i could just execute commands as needed. Usefull for example to check if an apache normaly accessed by a loadbalancer is serving something for a virtual host.
echo -e "GET / HTTP/1.1\nhost:www.example.com\n\n" |\ nc physical.example.com 80
But as encryption is on the raise i need to check https services. And that is something i can't do by hand.
openssl comes to the rescue.
openssl s_client -connect www.example.com:443
To make the same example as before, you can't simply replace the echo. openssl will terminate the connection as soon as the EOF ist sent via stdin. That is before the response is retrieved. So we make the echo in a subshell and add a sleep
(echo -e "GET / HTTP/1.1\nhost:www.example.com\n\n"; sleep 5) |\ openssl s_client -connect physical.example.com:443
Another nice thing is the check of certifcates. For example expiration date.
echo "" |\ openssl s_client -connect www.example.com:443 |\ openssl x509 -noout -enddate
Here the immediate termination by openssl is fine, we already got the cert.
]]>Goal: Using a Linux (Debian 3.1, sarge) as a Fileserver for a Windows Network
To do this the Linux machine will access the Windows Domain Controller to get
username and passwords. This is done using the winbind daemon. The daemon will also map
linux-userids and groups to windows-sids (A windows Account has a unique SID that
will differ even if you recreate an account with the same name).
Used Software: Debian, Samba 3, Kerberos Kerberos packages:
apt-get install krb5-config krb5-user libkrb53 libpam-krb5Samba packages:
apt-get install samba-common samba winbind smbclientUtility packages
apt-get install ntpdateList of package version at the time of writing
krb5-config 1.6 krb5-user 1.3.6-2sarge2 libkrb53 1.3.6-2sarge2 libpam-krb5 1.0-12 samba-common 3.0.14a-3 samba 3.0.14a-3 winbind 3.0.14a-3 smbclient 3.0.14a-3
Kerberos Configuration sits in /etc/krb5.conf, we add a default_realm and a server to the realm (write Uppercase Text also in uppercase).
# file /etc/krb5.conf
[libdefaults]
default_realm = MY.ACTIVE.DIRECTORY
...
[realms]
MY.ACTIVE.DIRECTORY = {
kdc = dc1.active.directory
kdc = dc2.active.directory
kdc = dc3.active.directory
...
admin_server = dc1.active.directory
}
...
Now we can check if we can Authenticate a user against the Active Directory
debian:~# kinit administrator Password for administrator@MY.ACTIVE.DIRECTORY debian:~#
The Winbind Daemon will map users and groups from the Active Directory to Linux. To do this we will tell winbind which ID-Range and which prefix it should use. The mapping is set up on use and stored in a file-database in the samba lock-dir /var/lib/samba/winbindd_idmap.tdb
The Configuration sits in the smb.conf
# file /etc/samba/smb.conf [global] workgroup = ADGROUP security = ADS realm = MY.ACTIVE.DIRECTORY winbind separator = + idmap uid = 10000-20000 idmap gid = 10000-20000 winbind enum users = yes winbind enum groups = yes auth methods = winbind ... # the share we will use to test it, make sure path is # valid and writeable [testshare] comment = Test Share using Active Directory read only = no path = /data/test valid users = @"ADGROUP+domain users"
Start the winbind daemon (/etc/init.d/winbind start) and now we can list the users from the Active Directory
debian:~# wbinfo -u ADGROUP+administrator ADGROUP+guest ADGROUP+chandel ...
Next we will get a kerberos Ticket and join our Server to the active directory
debian:~# kinit administrator Password for administrator@MY.ACTIVE.DIRECTORY debian:~# net ads join Using short domain name -- ADGROUP Joined 'DEBIAN' to realm 'MY.ACTIVE.DIRECTORY'
# File /etc/pam.d/samba auth required /lib/security/pam_winbind.so account required /lib/security/pam_winbind.so
And we tell the system that it can get information about userdata (id, name, homedir, etc.) not only from /etc/passwd but also from winbind
# File /etc/nsswitch.conf ... passwd: compat winbind group: compat winbind shadow: compat ...
Test it by listing the accounts known to the system
debian:~# getent passwd root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh ... ADGROUP+administrator:x:10001:10000:Administrator:/home/ADGROUP/administrator:/bin/false ADGROUP+guest:x:10002:10001:Guest:/home/ADGROUP/guest:/bin/false ...
Test it using our own server as a linux client. We will
get a ticket, and connect to the share using this ticket. Than we place
a file there and check in the filesystem who owns the file.
debian:~# kinit administrator Password for administrator@MY.ACTIVE.DIRECTORY debian:~# touch hello_world.txt debian:~# smbclient //fileservername/testshare -k OS=[Unix] Server=[Samba 3.0.14a-Debian] smb: \> put hello_world.txt putting file hello_world.txt as \hello_world.txt (0.0 kb/s) (average nan kb/s) smb: \> quit debian:~# ls -l /data/testshare/hello_world.txt -rwxr--r-- 1 ADGROUP+administrator ADGROUP+domain users 0 2005-07-22 13:37 /data/test/hello_world.txt debian:~#