Setting up LDAP Authentication on Debian in an Active Directory environment

It takes a lot to run a Cyber Defense Competition beyond just a large VMware cluster, and many of those systems aren’t Windows boxes. I’ve seen solutions to bind *nix boxes to Active Directory using Kerberos, but that wasn’t really necessary. Here’s a solution for Debian that only requires LDAP.

Note that this requires you to install Identity Management for UNIX on your domain controllers; see this Technet article for instructions on how to do it.

First, install the necessary packages:

apt-get install libnss-ldapd libpam-ldapd

Now edit /etc/nslcd.conf:

# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The location at which the LDAP server(s) should be reachable.
uri ldap://windc1.example.com ldap://windc2.example.com

# The search base that will be used for all queries.
base dc=example,dc=com

# The LDAP protocol version to use.
ldap_version 3

# The DN to bind with for normal lookups.
# Active Directory accepts a userPrincipalName here. The password is stored in
# cleartext, so keep this file readable only by root and the nslcd user.
binddn ldap@example.com
bindpw <password>

# The DN used for password modifications by root.
# Leave this blank unless you want to allow password changes from your Debian systems.
# If so, place the password in /etc/ldap.secret and make sure it is only readable by root.
#rootpwmoddn cn=admin,dc=example,dc=com

# The search scope.
scope sub

# Mappings for Active Directory
# This is the important bit; these fields match up with the fields added by Directory Services for UNIX
pagesize 1000
#referrals no
filter passwd (&(&(objectClass=person)(uidNumber=*))(unixHomeDirectory=*))
map    passwd uid              sAMAccountName
map    passwd homeDirectory    unixHomeDirectory
map    passwd gecos            displayName
# If you wish to override the shell given by LDAP, uncomment the next line
#map    passwd loginShell       "/bin/bash"
filter shadow (&(&(objectClass=person)(uidNumber=*))(unixHomeDirectory=*))
map    shadow uid              sAMAccountName
map    shadow shadowLastChange pwdLastSet
filter group  (&(objectClass=group)(gidNumber=*))
#map    group  gid              member

# SSL options
# "never" skips all server certificate checks, and with the ssl lines below left
# commented out the bind password and every lookup cross the network in cleartext.
# To encrypt, enable start_tls (or ssl on), set tls_reqcert to demand, and point
# tls_cacertfile at the CA that issued the domain controllers' certificates.
tls_reqcert never
#ssl start_tls
#ssl on
#tls_cacertfile /etc/ssl/ca.pem

In /etc/nsswitch.conf:

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files ldap
group:          files ldap
shadow:         files ldap

hosts:          files dns ldap
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

Make sure LDAP authentication is enabled by running

pam-auth-update

In /etc/pam.d/common-session add the following at the bottom of the file:

# make home directories
session required   pam_mkhomedir.so skel=/etc/skel/ umask=0077

This umask will prevent users from reading each others’ home directories. If you’d prefer to be more open, use umask=0022 instead.

If you wish to restrict who can login, edit /etc/pam.d/sshd and uncomment the following line:

# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
account  required     pam_access.so

You can do the same in /etc/pam.d/login for console logins.

Then edit /etc/security/access.conf and add the following lines at the bottom:

#these users can always log in
+ : root : ALL
+ : localadmin : ALL
#anyone in the local ssh-users group can login
+ : (ssh-users) : ALL
#deny everyone else : ALL
- : ALL : ALL

Be sure to add users to the ssh-users group in /etc/group.

Reboot (or restart nslcd, nscd, and sshd) and you should be good to go!
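How the access.conf rules above behave, as an added Python model of pam_access's first-match evaluation (not code from the original post). The rule text and the ssh-users membership are constructed, and the real module also supports EXCEPT, LOCAL and tty origins, which this omits.

```python
"""Evaluate /etc/security/access.conf the way pam_access does: first matching
rule wins, '+' permits, '-' denies, no match permits. Handles the subset used on
this page: ALL, user names, (group) tokens, literal origins. Data is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed copy of the access.conf rules added on this page.
ACCESS_CONF = """\
#these users can always log in
+ : root : ALL
+ : localadmin : ALL
#anyone in the local ssh-users group can login
+ : (ssh-users) : ALL
#deny everyone else : ALL
- : ALL : ALL
"""

# Constructed group membership, as NSS (files, then ldap) would resolve it.
GROUPS: Dict[str, Set[str]] = {"ssh-users": {"alice", "bob"}}

@dataclass
class Rule:
    permit: bool
    users: List[str]
    origins: List[str]

def parse_access_conf(text: str) -> List[Rule]:
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append(Rule(perm == "+", users.split(), origins.split()))
    return rules

def user_matches(token: str, user: str, groups: Dict[str, Set[str]]) -> bool:
    if token in ("ALL", user):
        return True
    if token.startswith("(") and token.endswith(")"):  # (group) syntax
        return user in groups.get(token[1:-1], set())
    return False

def is_permitted(user: str, origin: str, rules: List[Rule],
                 groups: Dict[str, Set[str]] = GROUPS) -> bool:
    for r in rules:
        if any(user_matches(u, user, groups) for u in r.users) and \
           any(o in ("ALL", origin) for o in r.origins):
            return r.permit           # first matching rule decides
    return True                       # pam_access default: no match permits
```

Without the final `- : ALL : ALL` line every unmatched user is permitted, which is why the deny-all rule has to come last.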

A great guide to setting up VMware’s vCenter

I recently set up vCenter as the front-end for teams competing in the Cyber Defense Competitions to manage their virtual systems. Unlike vCenter’s intended use of maybe a dozen people managing hundreds of VMs, we have over 100 people logged in to vCenter at once during the competition. I elected to use a true Microsoft SQL Server (as opposed to the bundled SQL Server Express) as vCenter’s database, and this guide was extremely helpful to me.

Since the server hosting vCenter also serves as the RDP hopping point for getting into the internal ISEAGE network, we had to ensure that sufficient resources were allocated to it, as this server was itself virtualized. So far this solution has worked extremely well!

Converting Nearly Any Media File With ffmpeg

The open-source community has created an amazing audio/video conversion tool called ffmpeg (Windows download available here) that will take just about any file type and convert it to another, including stripping the audio from video.

In order to facilitate mass conversion, I ended up making a nice batch script that accepts multiple arguments (in the form of multiple files dragged onto it at once). You can download my example script here (you will need to change its extension to .bat).

ffmpeg uses the output filename's extension to determine what format it will produce (my script, for example, outputs MP3 files). In addition, the most important flags are

-b NNNNk (video bitrate)

and

-ab NNNk (audio bitrate)

BONUS: you can use ffmpeg to convert downloaded embedded videos to formats usable by other devices. I found a handy extension for Firefox, Video DownloadHelper, that works nicely for most sites. You’ll probably want to output either a .mov, .mp4, or .avi file. Don’t forget the bitrate flags!