Thursday, December 06, 2012

SSH Tunnel with auto reconnect

If you want your SSH tunnel to reconnect automatically whenever it is disconnected, you can use autossh.
This is an example of how to configure autossh to build a tunnel between port 10088 on the local server and port 10087 on yourserver.com, where the remote port is accessible only from yourserver.com itself (the reverse listener binds to localhost on the remote side).

Put these lines in rc.local:

AUTOSSH_POLL=600
AUTOSSH_GATETIME=30
export AUTOSSH_POLL AUTOSSH_GATETIME
autossh -2 -M 20000 -fN username@yourserver.com -R 10087:localhost:10088

Friday, November 16, 2012

Multidomain with realurl

To set up a realurl configuration for multiple domains, each with a different template, you can adapt this example for your realurlconf.php.

$RootPID = array(
    'www.domain1.com' => '1',
    'www.domain2.com' => '2',
    'intranet.domain1.com' => '3'
);

$GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['realurl'] = array (
    '_DEFAULT' => array (
        'init' => array (
            'enableCHashCache' => true,
            'appendMissingSlash' => 'ifNotFile,redirect',
            // ...
        ),
        'pagePath' => array (
            'type' => 'user',
            'userFunc' => 'EXT:realurl/class.tx_realurl_advanced.php:&tx_realurl_advanced->main',
            'spaceCharacter' => '-',
            'languageGetVar' => 'L',
            'expireDays' => 7,
            'rootpage_id' => $RootPID[$_SERVER['HTTP_HOST']],
        ),
        // ...
    ),
);
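The Host header used to pick the root page is sent by the client, so a request with an unlisted or malformed host would otherwise yield an undefined index and a null rootpage_id. The following is an added example (not code from the original post or from realurl) that normalises the host and falls back to a default page; the host map and the default page id are assumptions.

```php
<?php
// Added example: resolve the realurl root page id from the Host header.
// Mapping and default page id below are assumed values for illustration.
$RootPID = array(
    'www.domain1.com'      => '1',
    'www.domain2.com'      => '2',
    'intranet.domain1.com' => '3',
);

function resolveRootPid(array $rootPid, $host, $defaultPid)
{
    // Lower-case the name and strip a port suffix such as ":8080".
    $host = strtolower(trim((string) $host));
    $host = preg_replace('/:\d+$/', '', $host);

    // Empty or malformed Host header: do not trust it, use the default site.
    if ($host === '' || !preg_match('/^[a-z0-9.-]+$/', $host)) {
        return $defaultPid;
    }
    if (array_key_exists($host, $rootPid)) {
        return $rootPid[$host];
    }
    // Well-formed but unknown host: log it so a misconfigured vhost or
    // host-header probing is visible, then serve the default site.
    error_log('realurl: unknown host "' . $host . '", using default root page');
    return $defaultPid;
}

// Hypothetical default: page id '1' answers for any host not in the map.
$rootpageId = resolveRootPid(
    $RootPID,
    isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : '',
    '1'
);

// Use 'rootpage_id' => $rootpageId in the pagePath section of the
// realurl configuration instead of $RootPID[$_SERVER['HTTP_HOST']].
```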

Monday, November 12, 2012

pdf_generator2 in tt_news single view

With pdf_generator2, we can produce a PDF version of our web page. To use this extension in the tt_news single view, we need to set up the TypoScript configuration. This TypoScript example shows the PDF link beside the tt_news single-view title and puts the web URL in the header and the page number and date in the footer of the PDF document.

1. Put this definition in the constants section of the main template:

pdf_generator2 {
  size = A4
  top = 15
  bottom = 15
  left = 15
  right = 15
  cssmedia = print
  max_execution_time = 10000
  renderfields = 1
  string_search1 = /*<![CDATA[*/
  string_replace1 = /* <![CDATA[ */
  string_search2 = /*]]>*/
  string_replace2 = /* ]]> */
  # each search/replace pair needs its own index: assigning string_search2 a
  # second time would overwrite the CDATA replacement above
  string_search3 = <body>
  string_replace3 = <body> <!-- PDF VERSION -->
}

Remember that we need cssmedia = print to hide the PDF link in the PDF version.

Monday, July 30, 2012

Shibboleth SP part 4 (MediaWiki Configuration)

Integrating Shibboleth login with Mediawiki

Installation

  • This extension will not create a new user if the user does not exist; the MediaWiki user must be created first before they can log in using Shibboleth. If the user does not exist, MediaWiki will report an error after the user has authenticated with Shibboleth.
  • Create the file ShibAuthPlugin.php in the MediaWiki extensions directory and put in the code from this link.
  • Create the file wiki_login.php in the MediaWiki root directory, put in the code from this link, and add header("Location: /Shibboleth.sso/Logout"); so that the code looks like the following:
if(isset($_REQUEST['logout']))
{
 $obj_user = new User();
 $obj_user->logout();
 header("Location: /Shibboleth.sso/Logout");
}
  • For MediaWiki versions lower than 1.13, change this directive in both files:
specials/SpecialUserlogin.php to SpecialUserlogin.php
  • and in the file ShibAuthPlugin.php change this line:
ShibUserLoadFromSession($user, true); to ShibUserLoadFromSession($user, $result);

The line above is a hack for MediaWiki versions prior to 1.13; the hack works, but the browser must be refreshed after logging in via Shibboleth.

Shibboleth SP part 3 (Moodle & Wordpress Configuration)

Integrating Shibboleth login with Moodle

Installation

  • In Moodle, the Shibboleth plugin is already installed. We only need to activate it.
  • To use this plugin, the authentication method of the existing users must be changed to shibboleth; otherwise they won't be able to log in using Shibboleth. This can be done by modifying the value directly in the database for all existing users. Consequently, we must disable login via other authentication methods such as LDAP, because Moodle cannot check the user against another authentication method after a failed Shibboleth login.
  • This plugin will import a new user from Shibboleth when the user does not exist in the Moodle database.

Configuration

  • Go to Settings -> Site Administration -> Plugins -> Authentication -> Manage Authentication.
    • Click on the eye icon to activate it.
    • To make Shibboleth the only way to log in, set the value of Alternate login URL to http://DOMAIN_NAME/auth/shibboleth/index.php
    • To make Shibboleth an alternative way to log in, put a link to http://DOMAIN_NAME/auth/shibboleth/index.php in the Instructions input field
    • Click on the Shibboleth settings
      • In the data mapping, put the attribute names from the Shibboleth SP that we want to use.

Shibboleth SP part 2 (Typo3 Configuration)

Integrating Shibboleth login with Typo3

Extension installation

  • Go to the extension manager and install the Shibboleth Authentication (shibboleth_auth) extension. The extension is not loaded automatically; you must set the extension configuration first.
  • For frontend login, this extension can automatically import user information from the Shibboleth IdP, but not for backend login.
  • This extension will not fall through to another authentication mechanism (e.g. LDAP or TYPO3 login) if the user is not found in the Shibboleth IdP, but it can be enabled alongside another authentication mechanism as long as they serve different functions (e.g. Shibboleth handles the frontend login and LDAP handles the backend login).
  • In this example, we only configure Shibboleth for frontend login.

Extension configuration

  • Open the extension configuration and check Frontend and Auto Import to enable frontend login and the import of user information from Shibboleth.
In the Others section:
  • Define the storage Pid. This value is the id of the folder where we store the Frontend Users.
  • Define the attribute names from Shibboleth.

Shibboleth SP part 1 (Installation)

SP Installation

  • In Debian 6, installation of the Shibboleth SP can be done with these steps:
apt-get update
apt-get install libapache2-mod-shib2 shibboleth-sp2-schemas
  • Enable the Shibboleth SP module:
a2enmod shib2
and restart Apache.

SP Configuration

Apache module

  • Add the following entry to the file /etc/apache2/mods-enabled/shib2.conf:
ShibConfig /etc/shibboleth/shibboleth2.xml

# Used for example logo and style sheet in error templates.
<IfModule mod_alias.c>

 <Location /shibboleth-sp>
   Allow from all
 </Location>

 Alias /shibboleth-sp/main.css /usr/share/shibboleth/main.css
 Alias /shibboleth-sp/logo.jpg /usr/share/shibboleth/logo.jpg

</IfModule>

<Files *.sso>
   SetHandler shib-handler
</Files>

Shibboleth IdP SLO part 3 (Configuration)

LDAPS Connection

  • To be able to connect over LDAPS, Shibboleth must already have the LDAP SSL certificate. To obtain it, get the LDAP SSL certificate from the administrator or export it from another server that already has the certificate.
To export:
keytool -export -keystore /etc/java-1.5.0-sun/security/cacerts -alias ldap -file ldap.cer
To make it available to the new Shibboleth IdP, import it into the Java keystore currently in use:
keytool -import -trustcacerts -alias "ldap" -file ldap.cer -keystore /usr/lib/jvm/jdk1.6.0_30/jre/lib/security/cacerts

login.config

  • Edit IDP_HOME/conf/login.config
edu.vt.middleware.ldap.jaas.LdapLoginModule required
      host="ldap.example.com"
      port="636"
      ssl="true"
      base="ou=users,o=myorg"
      serviceCredential="PASSWORD"
      serviceUser="cn=ldap_proxy,ou=misc,o=myorg"
      subtreeSearch=true
      userField="cn"

Friday, July 20, 2012

Mapping Kerberos principal to existing eDirectory user


To create Kerberos principals for existing eDirectory users, we need to export the user data from LDAP using the tool from http://ldapwiki.willeke.com/wiki/DumpEdirectoryPasswordInformationTool. This tool should be executed as an LDAP user that has permission to read the universal password.

Example:

java -jar DumpPasswordInformation.jar -h ldap.company.com -Z SSL -p 636 -D cn=admin,o=novell -w adminpassword -dvAL -b "ou=people,o=novell"

The tool writes its output to the file dumppasswordinformation.ldif.
The following script reads the above LDIF file and maps each existing user to a Kerberos principal. The script uses the keytab of the admin/admin Kerberos principal, stored in the file admin.keytab.

Tuesday, July 10, 2012

Single Sign On (SSO) with Novell Client and Shibboleth


Server requirement:
  1. Novell eDirectory + LDAP.
  2. Kerberos Server.
  3. Shibboleth IDP with Kerberos Auth Plugin.

Client requirement:

  1. Kerberos Client.
  2. Novell Client.
  3. Mozilla Firefox. (Tested browser)

Tested structure:

[Figure: SSO Structure]

Wednesday, May 16, 2012

Shibboleth IdP SLO part 2 (Installation)

Installation

Download

Download the Shibboleth IdP SLO from http://software.niif.hu:
curl -L -O http://software.niif.hu/maven2/edu/internet2/middleware/shibboleth-identityprovider/2.3.5-slo10/shibboleth-identityprovider-2.3.5-slo10-bin.tar.gz
and extract it:
tar zxvf shibboleth-identityprovider-2.3.5-slo10-bin.tar.gz

Modify the login page

  • We should modify the login page before installing. It can also be done later, but then we must run the install script again to apply the change to the currently running IdP. Modify login.jsp in the shibboleth-identityprovider-2.3.5-slo10/src/main/webapp directory.

Tuesday, April 24, 2012

Shibboleth IdP SLO part 1 (preparation)

Prerequisite

JDK with version > 1.6.0

On Debian releases older than 6, we must download the JDK manually (apt-get install openjdk-6-jdk cannot be used).
Download the JDK from the Sun website and install it into /usr/lib/jvm/:
curl -L -O http://download.oracle.com/otn-pub/java/jdk/6u30-b12/jdk-6u30-linux-i586.bin
chmod +x jdk-6u30-linux-i586.bin
./jdk-6u30-linux-i586.bin

Change default jvm

To change the default jvm, use this command:
idp:~# update-alternatives --config java

Es gibt 2 Alternativen, die »java« bereitstellen.

Auswahl      Alternative
-----------------------------------------------
*         1    /usr/lib/jvm/java-1.5.0-sun/jre/bin/java
 +        2    /usr/lib/jvm/java-6-openjdk/jre/bin/java

Drücken Sie die Eingabetaste, um die Vorgabe[*] beizubehalten,
oder geben Sie die Auswahlnummer ein: 2
Verwende »/usr/lib/jvm/java-6-openjdk/jre/bin/java«, um »java« bereitzustellen.

Monday, April 16, 2012

Active Directory with Samba 4 part 2

The next step is to compile and install Samba 4.

The process of compiling and installing Samba 4 is already described in the Samba 4 Howto. The Howto is very straightforward and easy to follow; my compilation was done in one step without further dependencies. I just want to add some tips and troubleshooting notes to that Howto.

From the 4th step onward, if you are installing a new Samba domain, you can follow that procedure directly. For example, if you want to use EXAMPLE.COM as the Kerberos realm and SAMBA as the domain name, the provision command is as follows:

Active Directory with Samba 4 part 1

Samba 4 is developed as a replacement for Microsoft Active Directory; it provides Kerberos and a directory service. With Samba 4, you have a free equivalent of Microsoft Active Directory.

Please remember that Samba 4 is still in the alpha stage, so use it at your own risk.

Installation


Before you follow the installation procedure from the Samba 4 wiki, I suggest you install bind (the DNS server) first. Here are the steps:

Build Single Sign On Implementation (using computer login) for Intranet or Campus network.

In recent years, web applications have been developing rapidly. Web applications are preferred because of their flexibility and accessibility. With this type of application, a company or an organization with a large number of employees can easily maintain and improve functionality, because changes can be deployed immediately into the current system without any adjustment in the client environment.

There are many useful web applications developed by the open source community, but because they are developed by different groups, they use different kinds of authentication systems. For users, typing a username and password every time they use a different web application is a pain, even when the username and password are the same. There is also a security risk: every additional login prompt gives a trojan or an attacker a greater chance of capturing the typed username and password.