Plone, Apache, Kerberos and AD

Hi all,
during these weeks I have been working on an interesting thing: SSO.
SSO, or Single Sign On, is the procedure that lets you enter a password once on a system and inherit authorization on all services (in that system).
In our case, we have a Plone site with no public areas, so to access contents every user has to log in to Plone. What our customer asked for was a way to inherit the PC authentication, allowing the user to bypass the login form while keeping his name and roles.
This is possible with an Active Directory server.
The complete setup procedure can be read by following this link: SSO for Plone.
In my case, I didn't use Likewise or NTLM, but I'd like to see the difference between mod_ntlm2 and mod_auth_kerb.

Easy script for easy lan… ever more easy

Hi all,
remember the previous post about an easy way to turn a netbook into a router for HSDPA connections? Well, I decided to make a new version of the script I proposed in that post.
The new version is a little more general. I mean, on the netbook I have four network interfaces: ethernet, wireless, pan and dun. Sometimes I use a bridge, a tap, etc. In that situation the old script needed to be edited every time, changing the internal and external interface... very boring, I know.

So this is the rule: the script is called with a list of interfaces; the first is the gateway (the external interface) and the others are the sources (the internal interfaces). Simple, isn't it?

#!/bin/bash
# bash rather than /bin/sh: the script relies on "echo -e" / "echo -en",
# which the builtin echo of dash (Debian's /bin/sh) does not understand.
echo -e "\n Configuring NAT:"
IPTABLES=/sbin/iptables
MODPROBE=/sbin/modprobe
if [ -z "$2" ]; then
  # at least one external and one internal interface are required
  res=65 # bad arguments
  msg="Usage: $(basename "$0") extif intif[s]"
else
  msg="done.\n"
  res=0
  # module names are those of the original (2.6-era) script; newer kernels
  # ship nf_conntrack* instead and load the helpers on demand
  echo -en " - loading modules: "
  echo -en "ip_tables, "
  $MODPROBE ip_tables
  echo -en "ip_conntrack, "
  $MODPROBE ip_conntrack
  echo -en "ip_conntrack_ftp, "
  $MODPROBE ip_conntrack_ftp
  echo -en "ip_conntrack_irc, "
  $MODPROBE ip_conntrack_irc
  echo -en "iptable_nat, "
  $MODPROBE iptable_nat
  echo -en "ip_nat_ftp, "
  $MODPROBE ip_nat_ftp
  echo ""
  echo " - Enabling forwarding "
  echo "1" > /proc/sys/net/ipv4/ip_forward
  echo " - Enabling DynamicAddr"
  echo "1" > /proc/sys/net/ipv4/ip_dynaddr
  echo " - Clearing any existing rules and setting default policy"
  $IPTABLES -P INPUT ACCEPT
  $IPTABLES -F INPUT
  $IPTABLES -P OUTPUT ACCEPT
  $IPTABLES -F OUTPUT
  # forwarding is denied unless one of the rules below allows it
  $IPTABLES -P FORWARD DROP
  $IPTABLES -F FORWARD
  $IPTABLES -t nat -F
  EXTIF=$1
  echo -n " - Forwarding: "
  for int in "$@"; do
    if [ "$int" != "$EXTIF" ]; then
      echo -n "$int, "
      # from the outside only replies to existing connections may come in;
      # anything from an internal interface may go out
      $IPTABLES -A FORWARD -i "$EXTIF" -o "$int" -m state --state ESTABLISHED,RELATED -j ACCEPT
      $IPTABLES -A FORWARD -i "$int" -o "$EXTIF" -j ACCEPT
    fi
  done
  # whatever was not accepted above is logged before the DROP policy discards it
  $IPTABLES -A FORWARD -j LOG
  echo ""
  echo " - Masquerade: $EXTIF"
  $IPTABLES -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
fi
if [ -n "$msg" ]; then
  echo -e "$msg"
fi
exit $res

Actually, I use this script to manage VirtualBox LAN connections, but that is another story.
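After running the script it is worth checking that the rule set really is what the post describes: a default DROP on FORWARD, internal traffic allowed out, and only replies allowed back in. The following is an added example, not part of the original post: a small POSIX shell audit that reads an iptables-save dump and reports an inbound forward rule that is not limited to established traffic. The dumps are constructed inline, with ppp0 as the HSDPA link and eth0 as the internal interface (both names are assumptions).

```shell
#!/bin/sh
# Added example (not from the original post): audit an "iptables-save" dump to
# confirm the policy the NAT script is meant to leave behind: FORWARD policy
# DROP, and every ACCEPT rule entering from the external interface limited to
# ESTABLISHED,RELATED traffic. Interface names ppp0/eth0 are assumptions.

# usage: audit_forward_rules EXTIF < dump ; exit 0 = as expected, 1 = problem found
audit_forward_rules() {
  extif=$1
  dump=$(cat)
  # 1. anything not explicitly allowed must be dropped
  if ! printf '%s\n' "$dump" | grep -q '^:FORWARD DROP'; then
    echo "FORWARD policy is not DROP"
    return 1
  fi
  # 2. an inbound ACCEPT rule on $extif without a state match lets new connections in
  bad=$(printf '%s\n' "$dump" \
        | grep -e "^-A FORWARD -i $extif " \
        | grep -e '-j ACCEPT' \
        | grep -v -e 'ESTABLISHED' || true)
  if [ -n "$bad" ]; then
    echo "unrestricted inbound forward rule: $bad"
    return 1
  fi
  echo "forward rules for $extif look as expected"
  return 0
}

# constructed dump: what the script should produce
GOOD_DUMP=$(cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i ppp0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o ppp0 -j ACCEPT
-A FORWARD -j LOG
COMMIT
EOF
)

# constructed dump: the same rule set with the state match forgotten
BAD_DUMP=$(cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i ppp0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o ppp0 -j ACCEPT
COMMIT
EOF
)

printf '%s\n' "$GOOD_DUMP" | audit_forward_rules ppp0
printf '%s\n' "$BAD_DUMP"  | audit_forward_rules ppp0 || echo "(problem found, as expected for the bad dump)"
```

On a live box you would feed the real table in with `iptables-save -t filter | audit_forward_rules ppp0`; the function reads the dump from standard input precisely so that it works the same on a saved file and on the running kernel.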
Cheers to all.

A big Off-topic in the sky: my bride

Campidoglio Roma

Rome May 29th 2010 at 17:00, I will get married in Campidoglio!!!!

I love my future wife!

X throu the net

Hi all,

today I want to talk about an interesting feature of an X server. Using Linux (or BSD, etc.) we have learned how powerful it is to use ssh to work on another server. A command line shell (bash for me) is the program a system administrator uses most, and it comes with a big suite of tools and programs that remove any need for a graphical interface.

But some cases may require a program that needs X to run. In those cases we have two choices: set up X on the server and use a remote/shared desktop program, or use X through the net.

It is very simple: first of all, you need a PC with xorg (or xfree) that listens on TCP.

$ ps aux | grep X

shows you the situation.

root      3001  2.9  6.2 211968 129320 tty7    Ss+  08:36   0:55 /usr/bin/X -br -nolisten tcp :0 vt7 -auth /var/run/xauth/A:0-5QdGTF

In my case, I see X is running without listening on its TCP port, so we have to find where the X options are stored.

- Step one:

$ cd /etc

$ grep 'listen' -r *

is a way to find it. For me it is in /etc/kde4/kdm/kdmrc. Then open the file and remove the option '-nolisten tcp'.

Now we have to restart the X server: log out, switch to a tty, restart our login manager, and come back from the tty. Before proceeding, we check that X is running correctly, as at the beginning:

$ ps aux |grep X

root      3001  2.9  6.2 211968 129320 tty7    Ss+  08:40   0:55 /usr/bin/X -br :0 vt7 -auth /var/run/xauth/A:0-5QdGTF

The result should be something like this. Using netstat we can see the X server's port:

$ netstat -nptl | grep 6000

tcp     0   0   0.0.0.0:6000        0.0.0.0:*      LISTEN    1535/X

Well, if that is what we get, the first step is finished.

REMEMBER: the next steps need to be repeated every time, but they are very simple, so do not fear.

- Step two:

On our PC, the one with the X server listening, we have to allow other servers to connect to our X server.

Someone uses the following command:

$ xhost +

This one enables everyone to connect to our PC: it disables access control entirely, so any host that can reach port 6000 can open windows on our display and read its input... not a good idea.

$ xhost + 192.168.2.106

In this way, we enable only the server with IP 192.168.2.106... the right way to do that.

- Step three:

We have to connect through ssh to the server, in the example 192.168.2.106.

$ ssh 192.168.2.106

user@192.168.2.106# export DISPLAY=192.168.2.108:0.0

The second line is run on the server. We have to tell it which PC has the X server; in the example it is 192.168.2.108.

Well, now you can start your graphical program on the server with its windows displayed on your PC.

For example:

user@192.168.2.106# kwrite notsobad.txt

I hope you enjoyed it.
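Before opening the display to the network it is useful to know what state it is actually in, which is what the `ps`, `netstat` and `xhost` commands above reveal: whether X listens on TCP at all, and whether `xhost` left access control on or off. The following is an added example, not part of the original post: a small POSIX shell function that classifies the exposure from the X command line shown by `ps` and the output of a bare `xhost` call. The sample lines are constructed from the values in the post; the `xhost` wording and the `INET:` list format are those printed by the xorg xhost, but treat them as assumptions if your version prints something else.

```shell
#!/bin/sh
# Added example (not from the original post): classify how exposed a listening
# X server is from the output of "ps aux | grep X" and of "xhost" (run without
# arguments, it prints the current access-control state and the allowed list).
# Sample lines below are constructed from the values used in the post; the
# exact xhost wording is assumed to be that of the xorg xhost.

# usage: x_exposure "PS_LINE" "XHOST_OUTPUT" -> prints one classification word
x_exposure() {
  ps_line=$1      # the X server's command line as shown by ps
  xhost_out=$2    # the output of "xhost" with no arguments
  case $ps_line in
    *"-nolisten tcp"*)
      # X is not reachable over the network at all: nothing more to audit
      echo "tcp-disabled"
      return 0 ;;
  esac
  case $xhost_out in
    *"access control disabled"*)
      # the state left behind by "xhost +": anyone reaching port 6000 gets in
      echo "open-to-any-host"
      return 0 ;;
  esac
  # access control is on: collect the INET entries xhost lists as allowed hosts
  hosts=$(printf '%s\n' "$xhost_out" | sed -n 's/^INET://p' | tr '\n' ' ')
  hosts=${hosts% }
  if [ -z "$hosts" ]; then
    echo "no-remote-hosts-allowed"
  else
    echo "restricted-to:$hosts"
  fi
  return 0
}

# constructed samples
PS_NOLISTEN='root      3001  2.9  6.2 211968 129320 tty7    Ss+  08:36   0:55 /usr/bin/X -br -nolisten tcp :0 vt7 -auth /var/run/xauth/A:0-5QdGTF'
PS_LISTEN='root      3001  2.9  6.2 211968 129320 tty7    Ss+  08:40   0:55 /usr/bin/X -br :0 vt7 -auth /var/run/xauth/A:0-5QdGTF'
XHOST_OPEN='access control disabled, clients can connect from any host'
XHOST_ONE='access control enabled, only authorized clients can connect
INET:192.168.2.106'
XHOST_NONE='access control enabled, only authorized clients can connect'

x_exposure "$PS_NOLISTEN" "$XHOST_OPEN"   # tcp-disabled
x_exposure "$PS_LISTEN" "$XHOST_OPEN"     # open-to-any-host
x_exposure "$PS_LISTEN" "$XHOST_ONE"      # restricted-to:192.168.2.106
x_exposure "$PS_LISTEN" "$XHOST_NONE"     # no-remote-hosts-allowed
```

The result to watch for is open-to-any-host, which is exactly what `xhost +` leaves behind; restricted-to:192.168.2.106 is the state the post recommends. If you would rather not listen on port 6000 at all, ssh can carry the X traffic inside the existing connection with `ssh -X`, but that is a different setup from the one described here.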

Cheers.

Off topic

This is a real off topic for this blog.

I only want to tell about my deviantart home page.

http://cippino.deviantart.com

Bye bye.