Friday, February 6, 2009

Minimal IP Filter rules for OpenSolaris 2008.11

IP Filter is disabled by default on OpenSolaris 2008.11. Put your rules in the file below, then enable the service with 'svcadm enable -r ipfilter' (the -r also enables anything it depends on). If the file is modified after ipfilter has been started, 'svcadm refresh ipfilter' reloads the rules. Before loading a new ruleset it is worth a dry run with 'ipf -nf /etc/ipf/ipf.conf', which parses the file without touching the kernel and reports syntax errors; 'ipfstat -io' then shows which rules are actually loaded.

Here's what I used as a minimal configuration on my workstation:
/etc/ipf/ipf.conf

# Allow all traffic on loopback device lo0
pass in quick on lo0 all
pass out quick on lo0 all

# Actively refuse connections to IDENT port
block return-rst in quick proto tcp to port = 113

# Block everything else by default. These two rules are deliberately NOT 'quick':
# IP Filter is last-match-wins unless a rule says quick, so a matching pass rule
# further down still overrides them ('log' records what ends up dropped).
block in log all
block out all

# Allow incoming ping
pass in quick proto icmp from any to any icmp-type 8 code 0 keep state
# Allow incoming ssh
pass in quick proto tcp from any to any port = 22 flags S keep state
# Allow incoming VNC. 5900 is open to everyone here; anywhere but a private LAN,
# restrict the source, e.g. 'from 192.168.1.0/24' instead of 'from any'
pass in quick proto tcp from any to any port = 5900 flags S keep state
# FTP: passive mode needs nothing extra, the outbound pass rules below cover it.
# This rule is for active mode, where the server opens the data connection back
# from port 20 into an ephemeral port here ('><' is an exclusive range, so
# 40000-44999). Even with it, active mode still does not work with this setup.
pass in quick proto tcp from any port = 20 to any port 39999 >< 45000 flags S keep state

# Allow outgoing icmp
pass out quick proto icmp from any to any keep state
# Allow outgoing tcp/udp
pass out quick proto tcp/udp from any to any keep state keep frags
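To check what this file actually does before loading it, here is an added example of mine (not from the original post, not ipf code) that simulates how IP Filter walks the ruleset above: every rule is tested in order, the last match wins, and a matching rule marked 'quick' stops the walk. The Packet and Rule types, the interface name e1000g0 and the probe packets are all constructed for the example; the state table ('keep state') is not modelled, so each verdict is for the first packet of a flow.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    """The packet fields the rules above look at (constructed for the example)."""
    direction: str                    # "in" or "out"
    proto: str                        # "tcp", "udp" or "icmp"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    icmp_type: Optional[int] = None
    syn_only: bool = False            # bare SYN, i.e. what 'flags S' matches
    iface: str = "e1000g0"            # assumed NIC name; "lo0" for loopback


@dataclass
class Rule:
    action: str                       # "pass" or "block"
    direction: str                    # "in" or "out"
    quick: bool = False
    iface: Optional[str] = None
    protos: Tuple[str, ...] = ()      # () means any protocol
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    dst_range: Optional[Tuple[int, int]] = None   # exclusive bounds, like 'port a >< b'
    icmp_type: Optional[int] = None
    flags_s: bool = False
    return_rst: bool = False

    def matches(self, p: Packet) -> bool:
        if self.direction != p.direction or (self.iface and self.iface != p.iface):
            return False
        if self.protos and p.proto not in self.protos:
            return False
        if self.src_port is not None and p.src_port != self.src_port:
            return False
        if self.dst_port is not None and p.dst_port != self.dst_port:
            return False
        if self.dst_range and (p.dst_port is None
                               or not self.dst_range[0] < p.dst_port < self.dst_range[1]):
            return False
        if self.icmp_type is not None and p.icmp_type != self.icmp_type:
            return False
        return p.syn_only or not self.flags_s


# /etc/ipf/ipf.conf from the post, one Rule per line, in file order.
RULESET: List[Rule] = [
    Rule("pass", "in", quick=True, iface="lo0"),
    Rule("pass", "out", quick=True, iface="lo0"),
    Rule("block", "in", quick=True, protos=("tcp",), dst_port=113, return_rst=True),
    Rule("block", "in"),                        # 'block in log all'  (not quick)
    Rule("block", "out"),                       # 'block out all'     (not quick)
    Rule("pass", "in", quick=True, protos=("icmp",), icmp_type=8),
    Rule("pass", "in", quick=True, protos=("tcp",), dst_port=22, flags_s=True),
    Rule("pass", "in", quick=True, protos=("tcp",), dst_port=5900, flags_s=True),
    Rule("pass", "in", quick=True, protos=("tcp",), src_port=20,
         dst_range=(39999, 45000), flags_s=True),
    Rule("pass", "out", quick=True, protos=("icmp",)),
    Rule("pass", "out", quick=True, protos=("tcp", "udp")),
]


def evaluate(p: Packet, rules: List[Rule] = RULESET) -> str:
    """Verdict for a packet with no state-table entry: 'pass', 'block' or 'block-rst'.

    ipf walks every rule and the LAST match wins, except that a matching rule
    marked 'quick' ends the walk immediately.
    """
    verdict = "pass"                  # ipf's built-in default when nothing matches
    for r in rules:
        if not r.matches(p):
            continue
        verdict = "block-rst" if r.action == "block" and r.return_rst else r.action
        if r.quick:
            break
    return verdict


def with_quick_defaults(rules: List[Rule]) -> List[Rule]:
    """The same ruleset with 'quick' added to the two catch-all block rules,
    which would cut off every pass rule placed after them."""
    return [Rule(r.action, r.direction, quick=True)
            if r.action == "block" and not r.protos and r.iface is None else r
            for r in rules]


if __name__ == "__main__":
    for name, pkt in {"ssh SYN in": Packet("in", "tcp", 51515, 22, syn_only=True),
                      "smtp SYN in": Packet("in", "tcp", 51515, 25, syn_only=True),
                      "ident SYN in": Packet("in", "tcp", 51515, 113, syn_only=True),
                      "ftp-data from 20": Packet("in", "tcp", 20, 42000, syn_only=True),
                      "https SYN out": Packet("out", "tcp", 51515, 443, syn_only=True)}.items():
        print(f"{name:18} -> {evaluate(pkt)}")
```

The with_quick_defaults() variant is the mistake worth seeing: mark the two catch-all blocks 'quick' and the SSH and VNC rules below them are never consulted, which is exactly why the file above leaves them non-quick.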

Wednesday, February 4, 2009

Reverse Domain Name

There may be an easier way to do this, but I needed a reversed domain name for another script and this is what I whipped up. It behaves a bit like rev(1), but on words rather than characters: 'www.company.com' comes out as 'com.company.www'.

#!/bin/bash
set -f   # no globbing anywhere in this script; a '*' in the input stays a '*'

# One required argument and one optional argument:
# $1 is the string to reverse on a word-by-word basis
# $2 is the optional field separator (default: a space)
reverse_words() {
    local out word sep IFS
    sep=${2:-" "}
    IFS=$sep                        # split $1 on the separator only, nothing else
    for word in $1; do
        if [ -n "$out" ]; then
            out="${word}${sep}${out}"
        else
            out=$word
        fi
    done
    printf '%s\n' "$out"            # IFS and sep are local, so the caller's IFS is untouched
}

for dn in "$@"; do
    reverse_words "$dn" "."
done

Saturday, January 24, 2009

Filtering LDAP entries on an OpenSolaris 2008.11 client

Configuring the LDAP client on an OpenSolaris system to talk to AD with SFU 3.5 needs a command along these lines. The '?one' at the end of each serviceSearchDescriptor is the filtering part: passwd and group lookups search only the objects directly under cn=Users rather than the whole tree. credentialLevel=self with sasl/gssapi means the client authenticates with Kerberos rather than a proxy DN, so /etc/krb5/krb5.conf and a host keytab for the AD domain have to be in place before this works.

ldapclient -v manual \
-a credentialLevel=self \
-a authenticationMethod=sasl/gssapi \
-a defaultSearchBase=dc=company,dc=com \
-a domainName=company.com \
-a defaultServerList="192.168.1.7 192.168.1.6" \
-a serviceSearchDescriptor=passwd:cn=Users,dc=company,dc=com?one \
-a serviceSearchDescriptor=group:cn=Users,dc=company,dc=com?one \
-a attributeMap=group:userpassword=msSFU30Password \
-a attributeMap=group:memberuid=msSFU30MemberUid \
-a attributeMap=group:gidnumber=msSFU30GidNumber \
-a attributeMap=passwd:gecos="displayName" \
-a attributeMap=passwd:gidnumber=msSFU30GidNumber \
-a attributeMap=passwd:uidnumber=msSFU30UidNumber \
-a attributeMap=passwd:uid=sAMAccountName \
-a attributeMap=passwd:homedirectory=msSFU30HomeDirectory \
-a attributeMap=passwd:loginshell=msSFU30LoginShell \
-a attributeMap=shadow:shadowflag=msSFU30ShadowFlag \
-a attributeMap=shadow:userpassword=msSFU30Password \
-a attributeMap=shadow:uid=sAMAccountName \
-a objectClassMap=group:posixGroup=group \
-a objectClassMap=passwd:posixAccount=user \
-a objectClassMap=shadow:shadowAccount=user

OpenSolaris 2008.11, Windows 2003 Server, and MS SFU 3.5

According to the BigAdmin article Using Kerberos to Authenticate a Solaris 10 OS LDAP Client With Microsoft Active Directory, it is pretty straightforward to get a Solaris box authenticating against Windows Server 2003 R2 Active Directory if you have the UNIX identity management schema extensions, but interoperability with AD/SFU 3.5 has one major flaw: group mapping.

In a few words, SFU 3.5 does add a UNIX Attributes tab to Windows groups and it does allow mapping UNIX user accounts to that group. Where it fails is in populating the msSFU30MemberUid attribute when a user is added to the group. Instead, the field that's populated is msSFU30PosixMember which for our purpose is worthless as it contains an array of AD user DNs, not the shorter sAMAccountName that we need for UNIX group mapping.

I found a few articles (which I neglected to bookmark, so I can't easily reference them at the moment) that recognized this shortcoming as well and recommended manually updating group membership via Microsoft's ADSIEdit MMC snap-in. That would be OK, I guess, for limited changes once in a while, but it is not reliable by any stretch of the imagination.

What I've come up with (with the help of the good folks at ActiveXperts.com) is a short VBScript that reads the msSFU30PosixMember attributes for a group and populates the msSFU30MemberUid attributes accordingly. Ideally, this script should be executed any time group membership changes. If anyone has suggestions on how to make this better or automated, I'd love to hear them.

If you use this script, keep in mind that it replaces the whole msSFU30MemberUid list on every group it touches: any uid that was added by hand (for example through ADSIEdit) for a user who is not on the group's UNIX Attributes tab is dropped. You have been warned.


On Error Resume Next
Const E_ADS_PROPERTY_NOT_FOUND = &h8000500D
Const ADS_PROPERTY_REPLACE = 2

' Container holding the groups to fix up
Set objOUGroups = GetObject("LDAP://cn=Users,dc=jetheaddev,dc=com")
objOUGroups.Filter = Array("group")

For Each objGroup In objOUGroups
    ' GetEx returns a variant array, not an object, so no Set here. It raises
    ' E_ADS_PROPERTY_NOT_FOUND for groups with nobody on the UNIX Attributes tab.
    Err.Clear
    arrMembers = objGroup.GetEx("msSFU30PosixMember")
    If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
        Err.Clear
    ElseIf Err.Number <> 0 Then
        WScript.Echo "Skipping " & objGroup.Name & ": " & Err.Description
        Err.Clear
    Else
        WScript.Echo "Updating group " & objGroup.msSFU30Name & "..."
        ReDim members(UBound(arrMembers))
        numMembers = -1
        For Each strUserDN In arrMembers
            Set objUser = GetObject("LDAP://" & strUserDN)
            If Err.Number <> 0 Then
                ' Stale DN: leave it out rather than writing an empty uid
                WScript.Echo "  cannot resolve " & strUserDN & ", skipping"
                Err.Clear
            Else
                numMembers = numMembers + 1
                members(numMembers) = objUser.sAMAccountName
            End If
        Next
        If numMembers >= 0 Then
            ReDim Preserve members(numMembers)
            ' REPLACE discards whatever msSFU30MemberUid held before
            objGroup.PutEx ADS_PROPERTY_REPLACE, "msSFU30MemberUid", members
            objGroup.SetInfo
            If Err.Number <> 0 Then
                WScript.Echo "  SetInfo failed: " & Err.Description
                Err.Clear
            End If
        End If
    End If
Next
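To tie the two AD posts together, here is an added example of mine (not from the original posts, not Sun's nss_ldap or Microsoft's SFU tooling) that runs both ideas against a constructed in-memory directory: the attributeMap/objectClassMap lines from the ldapclient command decide how AD users and groups become passwd(4) and group(4) entries, the '?one' scope keeps lookups to objects directly under cn=Users, and the group line stays memberless until msSFU30MemberUid is filled from msSFU30PosixMember the way the VBScript does. All DNs, names, uids and the dangling member reference are placeholders made up for the example.

```python
from typing import Dict, List


def _user(sam, display, uid=None, gid=None, home=None, shell=None) -> dict:
    """Constructed AD user object; only accounts with UNIX attributes get msSFU30* fields."""
    a = {"objectClass": ["top", "person", "user"], "sAMAccountName": sam, "displayName": display}
    if uid:
        a.update({"msSFU30UidNumber": uid, "msSFU30GidNumber": gid,
                  "msSFU30HomeDirectory": home, "msSFU30LoginShell": shell})
    return a


# Constructed directory snapshot: DN -> attributes, as AD + SFU 3.5 store them.
DIRECTORY: Dict[str, dict] = {
    "CN=Alice Example,CN=Users,DC=company,DC=com":
        _user("alice", "Alice Example", "10001", "10000", "/export/home/alice", "/bin/bash"),
    "CN=Bob Example,CN=Users,DC=company,DC=com":
        _user("bob", "Bob Example", "10002", "10000", "/export/home/bob", "/bin/ksh"),
    # Windows-only account with no UNIX attributes: must produce no passwd line.
    "CN=Carol Example,CN=Users,DC=company,DC=com": _user("carol", "Carol Example"),
    # UNIX attributes, but outside cn=Users: the '?one' search scope never sees it.
    "CN=svc-backup,OU=Service Accounts,DC=company,DC=com":
        _user("svc-backup", "Backup Service", "10100", "10000", "/export/home/svc", "/bin/false"),
    "CN=unixusers,CN=Users,DC=company,DC=com": {
        "objectClass": ["top", "group"], "cn": "unixusers",
        "msSFU30Name": "unixusers", "msSFU30GidNumber": "10000",
        # What SFU 3.5 fills in when users are added on the group's UNIX tab:
        "msSFU30PosixMember": [
            "CN=Alice Example,CN=Users,DC=company,DC=com",
            "CN=Bob Example,CN=Users,DC=company,DC=com",
            "CN=Deleted User,CN=Users,DC=company,DC=com",   # stale reference
        ],
        # msSFU30MemberUid is deliberately absent, as described in the post.
    },
}

SEARCH_BASE = "cn=Users,dc=company,dc=com"
# attributeMap=passwd:<posix attr>=<AD attr> and group:..., from the ldapclient command
PASSWD_MAP = {"uid": "sAMAccountName", "uidnumber": "msSFU30UidNumber",
              "gidnumber": "msSFU30GidNumber", "gecos": "displayName",
              "homedirectory": "msSFU30HomeDirectory", "loginshell": "msSFU30LoginShell"}
GROUP_MAP = {"gidnumber": "msSFU30GidNumber", "memberuid": "msSFU30MemberUid"}
# objectClassMap=passwd:posixAccount=user and group:posixGroup=group
OBJECT_CLASS = {"passwd": "user", "group": "group"}


def one_level(directory: Dict[str, dict], base: str) -> Dict[str, dict]:
    """Entries whose parent is exactly `base`: the '?one' scope of the
    serviceSearchDescriptor. DNs compare case-insensitively."""
    return {dn: a for dn, a in directory.items()
            if dn.split(",", 1)[1].lower() == base.lower()}


def passwd_entries(directory: Dict[str, dict] = DIRECTORY) -> List[str]:
    """passwd(4) lines built from the mapped attributes."""
    lines = []
    for a in one_level(directory, SEARCH_BASE).values():
        if OBJECT_CLASS["passwd"] not in a["objectClass"]:
            continue
        f = {posix: a.get(ad) for posix, ad in PASSWD_MAP.items()}
        if not (f["uidnumber"] and f["gidnumber"]):
            continue          # no UNIX identity, nothing to build
        lines.append(":".join([f["uid"], "x", f["uidnumber"], f["gidnumber"],
                               f["gecos"] or "", f["homedirectory"] or "", f["loginshell"] or ""]))
    return lines


def group_entries(directory: Dict[str, dict] = DIRECTORY) -> List[str]:
    """group(4) lines; members come from the mapped memberuid attribute, so the
    list is empty until msSFU30MemberUid is populated."""
    lines = []
    for a in one_level(directory, SEARCH_BASE).values():
        if OBJECT_CLASS["group"] not in a["objectClass"]:
            continue
        members = a.get(GROUP_MAP["memberuid"], [])
        # no attributeMap for the group name, so AD's cn is used as-is
        lines.append(":".join([a["cn"], "x", a[GROUP_MAP["gidnumber"]], ",".join(members)]))
    return lines


def sync_member_uids(directory: Dict[str, dict] = DIRECTORY) -> Dict[str, List[str]]:
    """What the VBScript does: for each group with msSFU30PosixMember, REPLACE
    msSFU30MemberUid with the sAMAccountName of every member DN. A DN that no
    longer resolves is skipped instead of being written as an empty uid."""
    changed = {}
    for a in directory.values():
        if "group" not in a["objectClass"] or "msSFU30PosixMember" not in a:
            continue
        uids = []
        for member_dn in a["msSFU30PosixMember"]:
            user = directory.get(member_dn)
            if user is None or not user.get("sAMAccountName"):
                continue      # stale reference: leave it out
            uids.append(user["sAMAccountName"])
        a["msSFU30MemberUid"] = uids
        changed[a["cn"]] = uids
    return changed
```

Calling passwd_entries() gives lines for alice and bob only, group_entries() gives 'unixusers:x:10000:' with no members, and after sync_member_uids() the same call gives 'unixusers:x:10000:alice,bob', with the dangling DN left out rather than turned into an empty uid.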