Wednesday, November 23, 2011

Compile and install latest version of Digikam on Ubuntu 11.10

This process initially gave me a lot of trouble, but it really is pretty simple.  Here are the steps required to build and install the latest version of Digikam (2.5.0 is the latest version available as of December 8, 2011) on Ubuntu 11.10 (Oneiric Ocelot).  I used a fresh install of 32-bit Ubuntu to test this process.

All of these steps will be done from a terminal, so start off by launching a terminal with Ctrl + Alt + T.

  1. Install Git (sudo apt-get install git).
  2. Download the source code as follows:
    • From your home directory, run git clone git://anongit.kde.org/digikam-software-compilation digikam-software-compilation
    • That will create a folder with some files inside.  Move into the new folder with cd digikam-software-compilation/
    • Execute perl download-repos to download the source code.
  3. Install cmake (sudo apt-get install cmake).
  4. Install the dependencies for DigiKam (sudo apt-get build-dep digikam).  This will install all the dependencies for the packaged version of DigiKam, which shouldn't be much different from the latest version we just downloaded.
  5. Create a subdirectory named "build" (mkdir build).
  6. Move into the build directory (cd build).
  7. Configure the build parameters using cmake (cmake -DCMAKE_BUILD_TYPE=debugfull -DCMAKE_INSTALL_PREFIX=`kde4-config --prefix` ..) NOTE!!  kde4-config --prefix is surrounded by backticks, NOT apostrophes - you can generate that character using SHIFT + ~ on most keyboards.  Also, don't forget the ".." at the end (it points cmake at the parent directory, where the source is).  This should complete successfully.  If not, let me know what problem you ran into!
  8. Build it (make -j 4).  The "-j 4" tells the compiler to use 4 threads, to take advantage of multiple CPUs.  If you don't have more than 1 processing core, just leave that out.
  9. Install it (sudo make install -j 4).
  10. Run it! ALT+F2, then type in digikam.
Let me know what problems you encounter, if any!

NOTE!! If you want to update your version of Digikam after following the steps above, this process is even easier, assuming you didn't delete any of the downloaded code:

  1. Delete all of the files in the build directory you previously created (navigate into the build directory, and execute rm * -rf).  CAUTION!  Don't use this anywhere OTHER than the build directory unless you know what you're doing - it's a dangerous command.
  2. Run perl gits pull from the "digikam-software-compilation" folder.  This will compare your files with the latest versions from the repository.
  3. Follow steps 6-10 above, and your software will be updated to the latest available version!

Cisco ASA 5500 Active Directory Integration

Today I needed to enable an extra layer of security for a Cisco ASA VPN (ASA 5500 series appliance - should work on 5505, 5510, 5520, 5540, 5550, etc...).  I needed to require the user to enter their Active Directory domain credentials to connect to a Cisco IPsec VPN, for better security.

I worked this out from inside the ASA's ASDM software.


  1. Add an AAA server group for Active Directory authentication (under Configuration --> Remote Access VPN --> AAA/Local Users --> AAA Server Groups).
  2. Choose a name, and pick protocol: LDAP. Everything else here is fine.
  3. Now that you have your server group, highlight it in ASDM, and in the bottom half of the screen, add a server to the group.  This is where things get tricky!
    • Choose what interface the server is off of, put in the server's IP, and fill out the rest of the details as shown below.  This server must be a domain controller!
    • For Base DN, you should enter your AD domain name, in the format DC=DOMAIN,DC=COM (or local, or whatever)
    • Scope should be set to All levels beneath the Base DN, if you want it to be able to find all of your user accounts.
    • Naming attribute should be sAMAccountName
    • For Login DN, enter the path to an account with the correct privileges to read the required information.  I don't have specific details on this - I just used a domain admin account (I know, I know).  The format should be CN=UserAccount,CN=ThisUsersOU,DC=YourDomain,DC=COM (if the user account is several OUs deep, you'll need to add a CN= entry for each OU, in the correct order - starting with the one that the user is in).
    • Test the server using the Test button, after you click OK!
  4. Now that the group is set up, we need to configure some profiles to use this group!  Inside ASDM, navigate to Configuration --> Remote Access VPN --> Network (Client) Access --> IPsec Connection Profiles.
  5. Edit the profile you want to change to require AD authentication.
    • On the first page (Basic), change the Server Group (under the User Authentication section on the right side) to the group you just created.
    • On the Advanced --> General page, Make sure nothing is checked here - everything should be unchecked and set to --None--
    • Under Advanced --> IPsec --> IKE Authentication, set the Default Mode to XAUTH (Extended user authentication).  This is what forces a login prompt when users connect.  The checkbox here doesn't need to be checked.
    • Nothing else should need to be changed (from defaults) in any other pages.  Click OK, then test it using a VPN client!!!
  6. That's it.  Let me know if you run into any issues or have any suggestions!


Friday, September 30, 2011

PowerShell for Creating Secure User Folders via AD

Today I needed to create a user folder structure for every non-disabled user in a specific Active Directory OU (and sub-OUs).  The folders needed to match the username exactly, and have security so that the user has modify permissions, and Domain Admins have full control - no other permissions!  Sounds simple, until you consider that there are hundreds of users.

I found a few PowerShell examples online, but nothing that I found could do everything I needed, so I tweaked and modified until I came up with these two simple scripts.

To start with, I manually created a base folder (in my example, named PSTs, sigh..).  I gave Domain Users read-only permission and Domain Admins full control of this folder.  No other permissions were present on this folder - if there are other permissions on your base folder, the permissions portion of this script will not work properly for you.

The first script just prints a list of usernames found in Active Directory (under the OU you specify) to the screen:


# LDAP filter: user objects whose userAccountControl does NOT have the
# ACCOUNTDISABLE bit (2) set, i.e. enabled accounts only
$strFilter = "(&(objectCategory=User)(!userAccountControl:1.2.840.113556.1.4.803:=2))"

# Search root: the OU to start from (replace with your own OU and domain)
$objDomain = New-Object System.DirectoryServices.DirectoryEntry("LDAP://OU=YourOU,dc=YourDomain,dc=local")

$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDomain
$objSearcher.PageSize = 1000          # page the results so more than 1000 users come back
$objSearcher.Filter = $strFilter
$objSearcher.SearchScope = "Subtree"  # include every sub-OU beneath the search root

# Only ask the domain controller for the one attribute we need.
# [void] discards the index that Add() returns, so it isn't printed
# along with the usernames.
$colPropList = "samaccountname"
foreach ($i in $colPropList){[void]$objSearcher.PropertiesToLoad.Add($i)}

$colResults = $objSearcher.FindAll()

# Print one username per line
foreach ($objResult in $colResults)
    {$objItem = $objResult.Properties; $objItem.samaccountname}

This first script searches all OUs underneath the OU specified by the LDAP:// line for user accounts that are not disabled (the userAccountControl:1.2.840.113556.1.4.803:=2 clause matches accounts with the disabled bit set, and the leading ! excludes them), then pulls the sAMAccountName attribute and prints it to the screen.  This gives us a list of all the non-disabled usernames we need.


Copy this list and paste it into a text file, so that there is one username per line (just a simple copy paste).


Run the following script against the text file, and your directories will be created with the permissions discussed above:



# One username per line, produced by the first script
$users = Get-Content "C:\userlist.txt"
ForEach ($user in $users)
{
# Create the user's folder under the base folder
$newPath = Join-Path "C:\PSTs" -childpath $user
New-Item $newPath -type directory

# Stop inheriting permissions from the base folder; the second $true copies the
# inherited entries onto the folder as explicit entries so they can be edited below
$acl = Get-Acl $newpath
$acl.SetAccessRuleProtection($true,$true)
$acl | Set-Acl $newpath

$acl = Get-Acl $newPath
# This removes all access for the group in question (the read-only entry
# copied down from the base folder)
$group = "YourDomain\Domain Users"
$acl.Access |where {$_.IdentityReference -eq $group} |%{$acl.RemoveAccessRule($_)}

# Build an Allow rule giving the user Modify rights on the folder and
# everything created inside it.  The domain here must be your own domain,
# the same one used for $group above.
$account="POMONACH.LOCAL\$user"
$rights=[System.Security.AccessControl.FileSystemRights]::Modify
$inheritance=[System.Security.AccessControl.InheritanceFlags]"ContainerInherit,ObjectInherit"
$propagation=[System.Security.AccessControl.PropagationFlags]::None
$allowdeny=[System.Security.AccessControl.AccessControlType]::Allow

$accessRule=New-Object System.Security.AccessControl.FileSystemAccessRule ($account,$rights,$inheritance,$propagation,$allowdeny)

# Apply the rule and write the ACL back to the folder
$acl.SetAccessRule($accessRule)
$acl | Set-Acl $newpath
}

This will create the user folders, remove security inheritance, and remove Domain Users from the security tab.  It will also add the user to the security tab with modify permissions.  I'm not a PowerShell expert, so there are some parts here that I don't quite "get", even though I wrote some of it, but I get the general idea and it worked for me!
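As an added example (not the post's own scripts), the two steps above folded into one script that reads the enabled users straight from AD and builds each folder's ACL from scratch, so the result no longer depends on what the base folder's permissions happen to be. The AD search is the one the post uses; $ouPath, $basePath and $domain are placeholders you must fill in.

```powershell
# Added example: one folder per enabled user under an OU, each with exactly two ACEs
# (user: Modify, Domain Admins: Full Control), regardless of the parent folder's ACL.
$ouPath   = "LDAP://OU=YourOU,dc=YourDomain,dc=local"   # placeholder: OU to search
$basePath = "C:\PSTs"                                    # placeholder: base folder
$domain   = "YourDomain"                                 # placeholder: NetBIOS domain name

function Get-EnabledUsernames([string]$searchRoot) {
    # Same filter as the post: user objects without the ACCOUNTDISABLE bit (2) set
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = New-Object System.DirectoryServices.DirectoryEntry($searchRoot)
    $searcher.Filter      = "(&(objectCategory=User)(!userAccountControl:1.2.840.113556.1.4.803:=2))"
    $searcher.SearchScope = "Subtree"
    $searcher.PageSize    = 1000
    [void]$searcher.PropertiesToLoad.Add("samaccountname")
    foreach ($r in $searcher.FindAll()) { [string]$r.Properties["samaccountname"][0] }
}

function New-UserFolderAcl([string]$path, [string]$userAccount, [string]$adminsAccount) {
    $inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit,ObjectInherit"
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    $modify  = [System.Security.AccessControl.FileSystemRights]::Modify
    $full    = [System.Security.AccessControl.FileSystemRights]::FullControl
    $acl = Get-Acl $path
    # Block inheritance AND discard the inherited entries (second argument $false),
    # instead of copying them down and hunting for the ones to remove.
    $acl.SetAccessRuleProtection($true, $false)
    # Drop any explicit entries that were already on the folder, so nothing extra survives.
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule $userAccount, $modify, $inherit, $prop, $allow))
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule $adminsAccount, $full, $inherit, $prop, $allow))
    Set-Acl -Path $path -AclObject $acl
}

foreach ($user in Get-EnabledUsernames $ouPath) {
    $folder = Join-Path $basePath $user
    if (-not (Test-Path $folder)) { New-Item -Path $folder -ItemType Directory | Out-Null }
    New-UserFolderAcl $folder "$domain\$user" "$domain\Domain Admins"
    # Check the outcome: exactly the two rules above, none of them inherited
    (Get-Acl $folder).Access | Select-Object IdentityReference, FileSystemRights, IsInherited
}
```

The final Select-Object is the check worth keeping: if a folder shows a third identity or IsInherited set to True, the ACL was not applied as intended.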

Tuesday, March 1, 2011

Traffic monitoring (port mirroring) on Cisco Catalyst 4500 series

Earlier today I was tasked with discovering who (in our network) was causing traffic spikes on our internet connection.  We have two load-balanced firewalls attached to our Cisco Catalyst 4507 core switch.  Here is what I had to do in order to monitor the traffic flow.  I'm going to assume you already have some packet capture software, like Wireshark.

First of all, you need to know what ports you want to monitor (mirror).  For me it happened to be both of the ports attached to the two load-balanced firewalls.  So, I need both of the ports mirrored to a single monitoring port that my laptop is hooked up to.

Here's how:



4507#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.

4507(config)#monitor session 1 source interface g2/40
4507(config)#monitor session 1 source interface g2/42

The two monitor commands above tell the switch which ports I want to capture traffic on.  These are my two firewall ports.  Now, I need to tell it where to mirror the traffic:

4507(config)#monitor session 1 destination interface g2/9

If you are running these commands from a device attached to port g2/9, you will immediately lose connection with the switch, because the port is no longer accepting traffic from your device and is just sending out everything from the two source ports.  If you run your packet capture software it should go crazy with traffic, and you can start tracking down your bandwidth hog.

We can verify that the monitoring (mirroring) is set up correctly with this command (drop the "do" if you aren't in configuration mode):

4507(config)#do show monitor
Session 1
---------
Type                   : Local Session
Source Ports           :
    Both               : Gi2/40,Gi2/42
Destination Ports      : Gi2/9
    Encapsulation      : Native
          Ingress      : Disabled
          Learning     : Disabled
Filter Pkt Type        :
    RX Only            : Good

When you're done, don't forget to run the following command to remove your monitoring session:

SCH0C1(config)#no monitor session 1

That's all there is to it!