Author: Marquis, Dylan

Trying to contribute….CLAMAV issues

Posted on by

This month has been busy with CLAMAV disturbances to mail flow. Problem was verified by tailing the /var/log/maillog file on any of the 3 MTA’s and seeing entires related to “camav-milter.sock” file being locked due to permissions, or “NOQUEUE: milter-reject” entries due to memory issues.

We are attempting to solve the milter issues by croning a reload of clamav-milter daily to free up some memory. If that fails we will give servers more RAM.

The Permissions issue was solved by editing the /etc/clamav-milter.conf file to ensure proper file permissions on the sock file.

CASify PSI-Probe

Posted on by

PSI-Probe is an extended Tomcat manager.  This post outlines how to place it behind CAS and specify permissions based on an LDAP attribute.  The method outlined in this post has been adapted from documentation from Jasig on Tomcat Container Authentication, written by Marvin S. Addison.

Although the current stable build of PSI-Probe cannot be placed behind CAS (the role names are hard coded into the program), the current source code allows for flexible role names.

Check out the source code (SVN). The command can be found on psi-probe’s website.  A readme is included in the source, follow the instructions found there (an Oracle driver must be imported into Maven to properly build psi-probe).  The readme explains how to package the source into a .war which can then be deployed on the server.

The process of modifying the configuration files to support CAS authentication can either be done in the source code before building the .war or afterward on the server (by modifying the unpacked files).  My preference, for the sake of flexibility, is to put in a place holder for the attribute names (role names) before building the .war, then use a script to string replace the placeholder with the attribute name within the modified configuration files on the server.

Before modifying any configurations, you must obtain several .jar files and place them in your $TOMCAT_HOME/lib directory.

Found in CAS-Client under modules (can be downloaded from Jasig) :

  • cas-client-core-$VERSION.jar
  • cas-client-integration-tomcat-common-$VERSION.jar
  • cas-client-integration-tomcat-v6-$VERSION.jar
  • commons-logging-$VERSION.jar
  • xmlsec-$VERSION.jar
  • commons-codec-$VERSION.jar

Can be obtained from Apache and OpenSAML

  • log4j-$VERSION.jar
  • opensaml-1.1b.jar

The first file that must me modified is the context.xml.  It can be found at the following locations:

Source: $SOURCE_DIR/web/src/main/conf/META-INF/context.xml
Server: $TOMCAT_HOME/conf/Catalina/localhost/probe.xml

The file should read:

<?xml version="1.0" encoding="UTF-8"?>
<Context path="/probe" privileged="true" >
<!--
 The following configuration uses the SAML 1.1 protocol and role data
 provided by the assertion to enable dynamic server-driven role data.
 The attribute used for role data is "memberOf".
 -->
<Realm
 className="org.jasig.cas.client.tomcat.v6.AssertionCasRealm"
 roleAttributeName="memberOf"
 />
 <Valve
 className="org.jasig.cas.client.tomcat.v6.Saml11Authenticator"
 encoding="UTF-8"
 casServerLoginUrl="https://login.example.com/cas/login"
 casServerUrlPrefix="https://login.example.com/cas/"
 serverName="your.server.example.com"
 />
<!-- Single sign-out support -->
<Valve
 className="org.jasig.cas.client.tomcat.v6.SingleSignOutValve"
 artifactParameterName="SAMLart"
 />
 </Context>

The attribute does not have to be memberOf, any attribute name can be specified here.

Next the roles have to be specified in the application.  This is done in spring-probe-security.xml

Source: $SOURCE_DIR/web/src/main/webapp/WEB-INF/spring-probe-security.xml
Server: $TOMCAT_HOME/webapps/probe/WEB-INF/spring-probe-security.xml

The following section should be modified to read as outlined below.  ROLE_ must be followed by the name of the attribute or entitlement you set up to grants permission.

<sec:filter-invocation-definition-source>
     <sec:intercept-url pattern="/adm/**" access="ROLE_ATTRIBUTE"/>
     <sec:intercept-url pattern="/sql/**,/adm/restartvm.ajax" access="ROLE_ATTRIBUTE"/>
     <sec:intercept-url pattern="/app/**" access="ROLE_ATTRIBUTE"/>
     <sec:intercept-url pattern="/**" access="ROLE_ATTRIBUTE"/>
</sec:filter-invocation-definition-source>

Finally, the web.xml must be modified to properly filter access.

Source: $SOURCE_DIR/web/src/main/webapp/WEB-INF/web.xml
Server: $TOMCAT_HOME/webapps/probe/WEB-INF/web.xml
<context-param>
     <description>Role that can view session attribute values</description>
     <param-name>attribute.value.roles</param-name>
     <param-value>ROLE_ATTRIBUTE</param-value>
</context-param>
<auth-constraint>
     <role-name>$attribute_name</role-name>
</auth-constraint>
<security-role>
     <role-name>$attribute_name</role-name>
</security-role>

You will notice that there are several entries for ROLE and security-role within web.xml.  These provide levels of access, which can be specified (you will have to modify spring-probe-security.xml to reflect permission levels set in web.xml).  If you don’t deem them necessary, you can remove them completely from web.xml and simply leave a single entry (as shown above).

External Mapping of LDAP attributes in CAS

Posted on by

One of the features that is attractive about CAS is it’s ability to pass LDAP attributes to a specified application via SAML. This functionality is starting to become more heavily used by our web developers, creating demand for more and more attributes to mapped. An issue arose from this; CAS must be rebuilt every time a new attribute is to be mapped. The solution was to externalize the resultAttributeMapping property to a configuration file. This can be achieved through the use of the util schema.

Add the schema to deployerConfigContext.xml:

xmlns:util="http://www.springframework.org/schema/util"

Append the following to schemaLocation:

http://www.springframework.org/schema/util
http://www.springframework.org/schema/util/spring-util-3.0.xsd

The resultAttributeMapping property (in deployerConfigContext) will look like this:

<property name="resultAttributeMapping">
<util:properties id="attr" location="file:/etc/cas/ldap.attributes" />
</property>

Your attributes file cannot contain other property configurations, due to how the file is referenced.  It is a collection that follows the form: key=value, with each entry placed on its own line.  Here is an example ldap.attributes property file:

cn=cn
uid=ssoid
givenname=givenName
mail=email

External Mapping of LDAP attributes in CAS

Posted on by

One of the features that is attractive about CAS is it’s ability to pass LDAP attributes to a specified application via SAML. This functionality is starting to become more heavily used by our web developers, creating demand for more and more attributes to mapped. An issue arose from this; CAS must be rebuilt every time a new attribute is to be mapped. The solution was to externalize the resultAttributeMapping property to a configuration file. This can be achieved through the use of the util schema.

Add the schema to deployerConfigContext.xml:

xmlns:util="http://www.springframework.org/schema/util"

Append the following to schemaLocation:

http://www.springframework.org/schema/util

http://www.springframework.org/schema/util/spring-util-3.0.xsd

The resultAttributeMapping property (in deployerConfigContext) will look like this:

<property name="resultAttributeMapping">
<util:properties id="attr" location="file:/etc/cas/ldap.attributes" />
</property>

Your attributes file cannot contain other property configurations, due to how the file is referenced.  It is a collection that follows the form: key=value, with each entry placed on its own line.  Here is an example ldap.attributes property file:

cn=cn
uid=ssoid
givenname=givenName
mail=email

OpenLDAP: Bootstrapping a minimal cn=config

Posted on by

Here is how to bootstrap OpenLDAP’s slapd with an absolutely minimal configuration, without needing an intermediate slapd.conf, with one feature — the local root user (uid=0/gid=0) has “manage” access.  From this point, ldapmodify can be used via ldapi to continue making configuration changes.  This is a good way to start a new server configuration.

Bootstrap:

$> echo 'dn: cn=config
objectClass: olcGlobal
cn: config

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: to dn.subtree="cn=config" by dn=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * none
' | slapadd -n0 -F slapd.d

Start slapd:

#> slapd -F slapd.d -h ldapi://foo

Make changes via ldapmodify:

#> ldapmodify -Y EXTERNAL -H ldapi://foo ...

Need a quick proxy via SSH?

Posted on by

Need access to a web site, tucked behind a firewall?  Do you already have a public SSH server set up to allow access, but not sure how to tunnel your HTTP session?  It’s easy!

ssh -N -D 127.0.0.1:8000 <user>@<ssh server fqdn>

That command sets up a SOCKS4/SOCKS5 proxy.  Just configure your Browser/OS settings to use 127.0.0.1:8000 as a SOCKS proxy, and you can now access any site that your SSH server can reach.

July 1 2012 Linux problems? High CPU/Load? Probably caused by the Leap Second!

Posted on by

(Update posted, see below)

As posted in multiple places around the web:

Debian

/etc/init.d/ntp stop
date `date +"%m%d%H%M%C%y.%S"`

Red Hat

/etc/init.d/ntpd stop
date `date +"%m%d%H%M%C%y.%S"`

Update:

This first manifested itself for us in our Java stacks — all of our (dual processor) Tomcat servers were running at a load of 30-40.  However, this is a known (and fixed) kernel bug:

https://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=6b43ae8a619d17c4935c3320d2ef9e92bdeed05d

Apparently, simply forcing a reset of the date is enough to fix the problem:

date -s "`date`"

Build a PaaS using Open Source Software

Posted on by

Discussion about OpenShift.  OpenShift has been fully open-sourced, available on GitHub for local deployment, or directly usable as a hosted solution.

Rule #1: IaaS != PaaS

Virtual machines : Application is not necessarily 1:1

Rule #2: PaaS is not a silver bullet

Great for Self-service deployment of applications, varied volatile workloads (development, testing, scale-up/out), with tightly constrained application rules — which implies standardized deployments from template.

Rule #3: PaaS is about developers — AND OPERATIONS!!!!

Operations becomes about capacity planning, not ticket-drive activities.

Rule #4: Be ready to learn

Developers want languages variety, scaling models, integration models — and they want it automagically

Operations want multi-tenancy, familiar installation, and sane configurations — all reproducible.

What is an application?

Runtime (OpenShift cartridges)

Code (One Git repository per application)

Creating an App

The rhc tools are used to create a namespace (domain), then an application space which includes a name and cartridge type, and push the code.

What do you get from public OpenShift?

A slice of the server, a private Git repository, deployment access.

The PaaS service is comprised of a Broker (director front-end, RESTful) and Nodes.  Each node has multiple “gears” (containers secured with SELinux, constrained with cgroups, and isolated with Kernel namespaces and Bind Mounts).

Extending OpenShift

Custom DNS plugins, auth plugs, security policies, and community cartridges.  Quick-start frameworks can be offered to community too.

LXC and SELinux are the future for isolating and securing OpenShift…

… but right now, there are a many moving parts being used to provide isolation and security.

PaaS demans a new security model

DAC just won’t cut-it, too complicated for PaaS.  MAC (SELinux!) is necessary.

Step 1 – Unlearn this (and embrace SELinux)!

setenforce 0

Step 2 – Learn the ‘Z’ (to see SELinux contexts)

ls -lZ
ps -efZ

(Review of SELinux contexts and syntax provided)

http://fedoraproject.org/wiki/SELinux

Demo – deployment of WordPress to OpenShift, in a VirtualBox LiveCD

The OpenShift QuickStart is available here: https://github.com/openshift/wordpress-example