Wednesday, June 27, 2007

Access is denied for all accounts after migrating Drupal website

We recently migrated the site from internal hosting to external. All users, including the first user with super admin rights get access is denied on all administrative actions.

It looks like its a php version problem, where the new host was running 5 and the drupal site version was 4.6.1....

Yep, that was it.

Saturday, June 23, 2007

Dreamhost Drupal Sub-directory with clean urls

Trying to consolidate hosts and need to have multiple drupal installations under an existing drupal installation. Clean urls were not working by default - they threw 404 errors on the parent drupal site. The sites themselves worked fine, just not clean urls.

Also interesting was that .htaccess file did not exist in the root of the subdir site - i'm not sure why - maybe it gets created when cleanurls are turned on in drupal 5.

So, i edited the parent .htaccess file to uncomment RewriteBase /[subdir desired], ftp'd it up to the subdir root installation and wala, clean urls now work in Dreamhost subdir installed drupal 5 apps.

Securing Active Directory for Drupal LDAP access

I don't yet have the ldap authentication working on SSL or TLS, as i need to learn how to install the certificate root and certificate on the drupal server. but that will be a different post.

First, I need to tighten down security on the AD. I want the binddn reader and updater accounts to have no rights beyond that specific purpose. You would think that would be a very easy thing to specify... ehem.

Looking here (don't you love msft's refusal to adopt clean urls?):
Assign user rights to new security groups so you can specifically define a user's administrative role in the domain.
http://technet2.microsoft.com/WindowsServer/en/library/95107162-47eb-4891-832f-0c0b15b7c8581033.mspx


Enforce account lockouts on user accounts and decrease the possibility of an attacker compromising your domain through repeated logon attempts.
http://technet2.microsoft.com/WindowsServer/en/library/91a98c38-38c5-49dc-83bf-e69d8e1dbbfa1033.mspx

Promote a secure operating environment by running your computer without administrative credentials except when required.
http://technet2.microsoft.com/WindowsServer/en/library/8782f8ab-9538-4111-8a68-7bfd130c21c01033.mspx

this is crap - user rights assignment on AD is useless for my purpose. there are far too few rights defined, and they seem way to blunt.

found a new way-

by default, any authenticated account can scan the directory. attempting to use a plain user account as the reader account with no additional rights.... it seems to work

updater account settings:
create a new security group and put the updater account in it
right click domain in ad users and computers
choose delegate control
add the group that contains the updater account
create a custom task to delegate
only the following objects in the folder/User objects
Read all properties/Write E-Mail Address (Others)/Change Password/Reset Password
how do you edit/update those delegated rights? i've been just rerunning the wizard, hoping its smart enough to delete the prior policy.

Testing...

Unfortunately, the following error is generated when an attempt is made to modify the password. I'm assuming this is because we're not yet running TLS:
warning: ldap_modify() [function.ldap-modify]: Modify: No such attribute in /home/.martin/icsadmin/events.icstars.org/modules/ldap_integration/ldap_integration/LDAPInterface.php on line 226.

Need to define some policies about locking out accounts after a number of password attempts are made.

Monday, June 18, 2007

phpSupport

Found this today and plan to incorporate into our environment thanks to:
http://aplawrence.com/Reviews/bghelpdesk.html

http://phpsupport.jynx.net/?a=inuse

Dreamhost Drupal with LDAP

http://drupal.org/node/62217

When we tried to connect we got an error message:
Fatal error: Call to undefined function ldap_connect() in D:\Program Files\wamp\www\drupal\modules\ldap_integration\ldap_integration\LDAPInterface.php

We needed to modify our php.ini to uncomment
extension=php_ldap.dll

In order to customize the php.ini we had to do some hacking:
http://wiki.dreamhost.com/index.php/PHP.ini

The php.ini file is working, but the dll list in it is for windows machines, not linux. need to find out how to configure php to load modules on linux. of course, you don't - you recompile php with the modules you need - which means this direction will orphan our php installation from future updates from dh.


Background/not followed: This gives details on how to do this from scratch:

http://us2.php.net/manual/en/ref.ldap.php

http://www.rpmfind.net/linux/rpm2html/search.php?query=php-ldap

This provides pre-compiled versions for use on a select group of linux distro's

To test the configuration you attempt to login as an account found in the ldap directory, but not in the drupal system.

--

Note from php.net (http://us2.php.net/manual/en/ref.ldap.php):

Chasing referrals in Active Directory (ie: searching across domains), can be slow. You can look up the object instead in the GC (Global Catalog) as follows:


Remove any reference to ldap:// when you use ldap_connect, ie: use "serv1.mydom.com" NOT "ldap://serv1.mydom.com"

Connect to port 3268 (not 389, the default)

Set the Base DN for the search to null ie: "" (empty quotes).

AD will then run the search against the GC which holds a copy of all objects in the Forest. You can also retrieve a subset of attributes (including group membership, except local groups).

You will still need to follow referals for a full set of attributes.

another:
http://greg.cathell.net/php_ldap_ssl.html

following the script from dh: http://wiki.dreamhost.com/PHP5_installscript

DOWNLOAD AND EXTRACT PACKAGES
used openldap source code and did a test run on the prep script with only ldap to ensure it worked properly. to do this i simply added:
LDAP="openldap-stable" to the version information list. this is a symbolic link maintained by openldap to get you the most recent stable version

then in the get section i added (don't be alarmed that the suffix is different from the other packages):
wget -c ftp://ftp.openldap.org/pub/OpenLDAP/${LDAP}.tgz

then to extract it i added this at the end (again needing to focus on the suffix to match openldap convention):
echo Extracting ${LDAP}...
tar xzf ${DISTDIR}/${LDAP}.tgz > /dev/null
echo Done.

INSTALL
I looked in the source directory via my ftp client and found that openldap had given me v2.3.32.
I used this as my LDAP variable in the install sh file:
LDAP="openldap-2.3.32"

I modified the PHPFEATURES list to include:
--with-ldap
note that you need to add a \ to the line above, and move the closing quote to after with-ldap

The openldap doc/install/configure file said generic installs run ok with just ./configure.

This approach bombed out on the script prior to getting to ldap - failed on cclient.

Started process over with the script at
http://wiki.dreamhost.com/PHP5_installscript/dev

This script ran ok on its own. When i modified to include ldap, it said:

checking Berkeley DB version for BDB/HDB backends... no
configure: error: BDB/HDB: BerkeleyDB version incompatible

This link explains more:

http://www.openldap.org/faq/data/cache/44.html

Same error message during ldap ./configure...
The berkeleydb and openssl installed without any error messages.
Many people posting this question to the openldap forum with rtfm responses...
Trying with env CPPFLAGS=-I${INSTALLDIR}/include LDFLAGS=-L${INSTALLDIR}/lib ./configure --prefix=${INSTALLDIR}

The flags are supposed to tell the openldap configure where to look... same result.

At this point, I'm wondering if the berkeleydb install didn't put things where i intended...
The first attempt at making the db i forgot the prefix, then ran the process again, i received an odd message about not replacing a .h file, which made me wonder how the file could be in two places from two runs. The berkeley docs state if you want to change anything, you need to run make realclean first - which removes everything...
Nope, now berkeley configures but crashes on make install, attempting to re-create the install subdirectory and getting a permission denied. ??

Trying again with the same env flags used above on openldap configure....ok, i got an install.

This is insane.

The openldap configure can see db.h, and it knows the version, why does it still say there is a version mismatch? Ehem. nosing up the tree, it looks like dh has db.h installed in the usr directory, indeed, the lib folder contains all the way up to 4.3. Given the openldap is telling me it has version 4.5, i imagine that means it does know about my version. Do i need to exclude all the prior versions in my configure statement? Argh! And why won't it run with the versions already installed? maybe the same reason - since so many are installed, maybe this step is lazy and stops with the first one it finds?

Analyzing the configuration.log - the conftest file has a strict test for DB_VERSION_MAJOR among others down to the patch level, but its not clear where these get defined. Also, the configuration.log shows an actual error message that does not make sense - this file exists in my lib folder:
./conftest: error while loading shared libraries: libdb-4.5.so: cannot open shared object file: No such file or directory

grep DB_VERSION_STRING db.h from within usr/local/include returns 3.2.9.

At a complete loss - need to find out what file contains the DB_VERSION_MAJOR check and put a print line to see what version it thinks it found. This code does not exist in the openldap directory!!! Somehow, when i searched all the files in the source directory, i could not find the source code file that contained the version check - i wanted to echo what version it found in order to understand who its finding and whether its stopping at the lowest or highest or what. unreal?

This http://www.openldap.org/lists/openldap-software/200308/msg00553.html makes it sound like i can hack the configure script in openldap to remove the hardcoded usr/lib searches...

Found this interesting discussion about the intricacies of library paths:
http://www.webservertalk.com/archive100-2005-3-945657.html

Colleague suggested using LD_CONFIG which will tell gcc where to get libraries from. Is this the same as LDFLAGS? Do we need to compile bdb with this flag or openldap?...

OMG I found it:
http://forums.devshed.com/ldap-programming-76/configure-error-berkeley-db-version-mismatch-181705.html
the flag you need is: export LD_LIBRARY_PATH="/build_unix/.libs"

Onward to make...

Got clean install of openldap...

php5 configure got:
configure: error: Cannot find ldap.h
needed to modify the following to include =path
--with-ldap=${INSTALLDIR}"

got clean install of php...

now on to the drupal integration challenges
warning: ldap_start_tls() [function.ldap-start-tls]: Unable to start TLS: Can't contact LDAP server ...


later on will need this regarding sasl:
supportedSASLMechanisms: GSSAPI; GSS-SPNEGO;
ok, when all security is turned off, and the ad accounts for reading and writing are domain admins, everything works!! and we wonder why systems are so vulnerable - the first thing to work is the least secure, shouldn't it be the other way around?
Current issues:
- retrieve password does not find the user
- new users do not appear in LDAP

to run the sh script:
chmod +x filename.sh
./filename.sh