December 2008 Archives

Backup Sun Directory Server using db2ldif

Use db2ldif to back up the LDAP configuration (the NetscapeRoot backend) and the user data (the userRoot backend).

cd /var/ds5/slapd-global
./db2ldif -n "NetscapeRoot" -a /var/tmp/prod_backup_NetscapeRoot.ldif

cd /var/ds5/slapd-global
./db2ldif -n "userRoot" -a /var/tmp/prod_backup_userRoot.ldif

Allow VPN PPTP Traffic through Cisco ASA

To allow VPN PPTP traffic through your Cisco ASA, use inspect pptp.

asa# conf t
asa(config)# policy-map global_policy
asa(config-pmap)#  class inspection_default
asa(config-pmap-c)# inspect pptp 
asa(config-pmap-c)# exit
asa(config-pmap)# exit
asa(config)# exit

iPhone Full Body Coverage with Zagg InvisibleSHIELD

For all the iPhone owners out there, I highly recommend you pick up the Zagg InvisibleSHIELD. With the InvisibleSHIELD, my iPhone is completely protected from scratching while maintaining the original iPhone look and feel. Prior to using the InvisibleSHIELD, I was using a hard shell case from Griffin which made the iPhone slightly more bulky and less attractive.

Take a look at the demo video from Zagg to see how the iPhone looks with the InvisibleSHIELD applied - http://www.zagg.com/support/demovideo.php

Zagg also provides a video on how to install the InvisibleSHIELD - http://www.zagg.com/support/installvideo.php

Perl LDAP Search Filter Methods

Here are some examples of how to write the filter argument for a Net::LDAP search.

Method 1 - Search for entries that are both person and mail (AND):

(& (objectClass=person) (objectClass=mail))

filter => "(&
(objectclass=person)
(objectclass=mail)
)",

Method 2 - Search for entries that are either person or mail (OR):

filter => "(|
(objectclass=person)
(objectclass=mail)
)",
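
As an added example (not from the original post, which uses Perl), the same two filters built in Python with RFC 4515 escaping of the values, so that a value containing parentheses or an asterisk cannot change the filter structure; the function names and the cn value below are my own.

```python
# Added example, not from the original post: compose Net::LDAP-style search
# filters in Python and escape assertion values per RFC 4515 section 3.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_value(value):
    """Escape one assertion value so it cannot alter the filter's structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def equals(attr, value):
    """One (attr=value) item with the value escaped."""
    return "(%s=%s)" % (attr, escape_value(value))


def and_filter(*items):
    """Method 1 from the post: every item must match."""
    return "(&" + "".join(items) + ")"


def or_filter(*items):
    """Method 2 from the post: any one item may match."""
    return "(|" + "".join(items) + ")"


def person_and_mail():
    """Same filter as Method 1: (&(objectClass=person)(objectClass=mail))."""
    return and_filter(equals("objectClass", "person"), equals("objectClass", "mail"))


def person_or_mail():
    """Same filter as Method 2: (|(objectClass=person)(objectClass=mail))."""
    return or_filter(equals("objectClass", "person"), equals("objectClass", "mail"))


def person_by_cn(cn):
    """Method 1 combined with a lookup on a cn value supplied by the caller."""
    return and_filter(equals("objectClass", "person"), equals("cn", cn))


if __name__ == "__main__":
    print(person_and_mail())
    print(person_or_mail())
    # Constructed cn containing parentheses, which are filter metacharacters.
    print(person_by_cn("Smith (Sales)"))  # (&(objectClass=person)(cn=Smith \28Sales\29))
```

On the Perl side, Net::LDAP::Util's escape_filter_value does the same escaping before the value is interpolated into the filter string.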

Enabling traceroute on Cisco ASA

To allow devices inside your network to run a traceroute to the Internet, you'll need to set up an access-list on the outside interface that permits ICMP echo-reply and time-exceeded back in.

access-list outside_to_inside permit icmp any any echo-reply
access-list outside_to_inside permit icmp any any time-exceeded
access-group outside_to_inside in interface outside

user@host ~ $ traceroute -I www.google.com
traceroute: Warning: www.google.com has multiple addresses; using 64.233.169.99
traceroute to www.l.google.com (64.233.169.99), 64 hops max, 60 byte packets
<removed some hops here on purpose>
9 216.239.48.108 (216.239.48.108) 14.780 ms 19.313 ms 16.400 ms
10 64.233.175.111 (64.233.175.111) 16.388 ms 64.233.175.109 (64.233.175.109) 18.220 ms 17.279 ms
11 216.239.49.149 (216.239.49.149) 16.927 ms 216.239.49.145 (216.239.49.145) 18.281 ms 216.239.49.149 (216.239.49.149) 19.312 ms
12 yo-in-f99.google.com (64.233.169.99) 15.279 ms 15.314 ms 20.127 ms

Note: Use -I so traceroute sends ICMP ECHO probes instead of UDP. The access-list above only permits echo-reply and time-exceeded back in; a UDP traceroute relies on an ICMP port-unreachable reply from the final hop, which this access-list does not permit, so the last hop would never complete. You can also use -n to avoid DNS lookups for each hop.

Sun ILOM Hostname & Network Configuration

Below is an example of configuring the hostname and network on the ILOM of a Sun T5220. Once the network is configured, you can ssh to the console on the Sun T5220 instead of using the serial line. In summary:
  1. Console in via serial; my recommendation is to run `tip hardwire` from another box so you do not need to attach a machine
  2. Log in as root
  3. The password is changeme
  4. Change the hostname from its default of SUNSPxxxxxxxx
  5. Configure the IP address
Note that the login banner warns the password is still the factory default; change it once the network is up.

$ tip hardwire
connected

SUNSPxxxxxxxxxx login: root
Password:
Waiting for daemons to initialize...

Daemons ready

Sun(TM) Integrated Lights Out Manager

Version 2.0.4.20.c

Copyright 2007 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.

Warning: password is set to factory default.

-> cd /SP
/SP

-> set hostname=console
Set 'hostname' to 'console'

-> cd /SP/network
/SP/network

-> set pendingipdiscovery=static
Set 'pendingipdiscovery' to 'static'

-> set pendingipaddress=10.10.10.50
Set 'pendingipaddress' to '10.10.10.50'

-> set pendingipnetmask=255.255.255.0
Set 'pendingipnetmask' to '255.255.255.0'

-> set pendingipgateway=10.10.10.1
Set 'pendingipgateway' to '10.10.10.1'

-> set commitpending=true
Set 'commitpending' to 'true'

-> set state=enabled
Set 'state' to 'enabled'

Simple Traffic Analysis on Cisco ASA

You can use the capture command on the Cisco ASA for some simple traffic analysis.

access-list capture_ip_traffic permit ip any any
capture capture_ip_traffic access-list capture_ip_traffic interface outside
show capture capture_ip_traffic

You can also copy the pcap file to a system and use Wireshark to analyze the traffic.

Downloading latest Cisco SNMPv2 MIBs for Net-SNMP

For more information, visit Cisco MIBs

cd
wget ftp://ftp-sj.cisco.com/pub/mibs/v2/v2.tar.gz
cd /usr/share/snmp/mibs
tar xvfz ~/v2.tar.gz

Configure SSH to Cisco ASA VPN

If your syslog shows "Flow terminated by TCP Intercept" when a VPN user attempts to ssh to the ASA, you will need to enable management access on the inside interface to allow ssh (and ASDM) to the ASA over the VPN.

management-access inside

NetApp ONTAP Adding Default Gateway via Command Line

Here's the syntax you need to use to add a default gateway on a NetApp filer. Don't forget the metric.

route add 0.0.0.0 IP_GATEWAY_ROUTER 1

If you're a consultant or business owner, Borders offers up to 25% off any "business or organization" related purchase, mainly on books. Other items may qualify, but I have only purchased books with my discount card from Borders. Sign up, it's FREE.

Borders for Business & Educators - Apply Online for FREE

Configure Port Forwarding for Cisco ASA 5505

An example where all SMTP traffic from Postini is permitted to reach the internal SMTP mail server.

static (inside,outside) tcp interface smtp 10.10.10.5 smtp
access-list outside_to_inside extended permit tcp 64.18.0.0 255.255.240.0 interface outside eq smtp
access-group outside_to_inside in interface outside

Configure Split Tunneling on Cisco ASA 5505

So you have the VPN set up, but for some reason you can't communicate with any of the devices on the internal network. It is possible you need to set up split tunneling.

access-list split_tunnel_list permit 10.10.10.0 255.255.255.0
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel_list
tunnel-group DefaultRAGroup general-attributes
default-group-policy DefaultRAGroup

  • PXEboot TFTP Server
  • Kickstart Server

yum install tftp-server -y

cat > /etc/xinetd.d/tftp << EOF
service tftp
{
socket_type = dgram
protocol = udp
wait = yes
user = root
server = /usr/sbin/in.tftpd
server_args = -s /tftpboot
disable = no
per_source = 11
cps = 100 2
flags = IPv4
}
EOF

cp /usr/lib/syslinux/pxelinux.0 /tftpboot/.
chmod 644 /tftpboot/pxelinux.0

mkdir /tftpboot/pxelinux.cfg
cat > /tftpboot/pxelinux.cfg/default << EOF
default install

prompt 1
display pxeboot.msg

label install
kernel vmlinuz
append initrd=initrd.img

label kickstart-server01
kernel vmlinuz
append ksdevice=eth0 console=ttyS0,38400 console=tty0 load_ramdisk=1 initrd=initrd.img network ks=http://10.10.10.10/server01.cfg

EOF

cd /tftpboot
wget http://mirrors.atlanticmetro.net/centos/5/os/i386/isolinux/vmlinuz
wget http://mirrors.atlanticmetro.net/centos/5/os/i386/isolinux/initrd.img
wget http://mirrors.atlanticmetro.net/centos/5/os/i386/isolinux/memtest
wget http://mirrors.atlanticmetro.net/centos/5/os/i386/isolinux/boot.msg
wget http://mirrors.atlanticmetro.net/centos/5/os/i386/isolinux/splash.lss
mv boot.msg pxeboot.msg

service xinetd restart
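
As an added example (not part of the original post), a Python check that parses a pxelinux.cfg/default like the one above and reports any kernel or initrd a label references that is missing from the TFTP root, so the gap shows up before a host is PXE booted; the sample menu copies the post's and the TFTP root is a constructed temporary directory.

```python
# Added example, not from the original post. SAMPLE_CONFIG copies the menu
# written above; the check reports kernel/initrd files missing from the TFTP root.
import os
import shlex
import tempfile

SAMPLE_CONFIG = """\
default install
label install
kernel vmlinuz
append initrd=initrd.img
label kickstart-server01
kernel vmlinuz
append ksdevice=eth0 console=ttyS0,38400 console=tty0 load_ramdisk=1 initrd=initrd.img network ks=http://10.10.10.10/server01.cfg
"""


def parse_pxelinux(text):
    """Return {label: {"kernel", "initrd", "ks"}} for every label in the menu."""
    labels, current = {}, None
    for raw in text.splitlines():
        key, _, rest = raw.strip().partition(" ")
        key, rest = key.lower(), rest.strip()
        if key == "label":
            current = labels[rest] = {"kernel": None, "initrd": None, "ks": None}
        elif current is not None and key == "kernel":
            current["kernel"] = rest
        elif current is not None and key == "append":
            # append carries key=value kernel arguments; keep initrd= and ks=
            for arg in shlex.split(rest):
                name, eq, value = arg.partition("=")
                if eq and name in ("initrd", "ks"):
                    current[name] = value
    return labels


def missing_files(labels, tftproot):
    """(label, key, file) for each kernel or initrd not present under tftproot."""
    missing = []
    for name, entry in labels.items():
        for key in ("kernel", "initrd"):
            path = entry[key]
            if path is None or not os.path.isfile(os.path.join(tftproot, path)):
                missing.append((name, key, path))
    return missing


def demo_check():
    """Constructed TFTP root holding only vmlinuz, so initrd.img is reported missing."""
    root = tempfile.mkdtemp()
    open(os.path.join(root, "vmlinuz"), "w").close()
    return missing_files(parse_pxelinux(SAMPLE_CONFIG), root)
```

Run it against /tftpboot (instead of the temporary directory) after the wget step to confirm both labels resolve before rebooting a box.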


Terms of Use

Intended Audience / Use

This site provides this web site to you, subject to these Terms of Use. The Terms of Use may be updated by This site from time to time without notice to you. This web site and other This site web sites that are linked to this site or affiliated with this site (collectively “the Site”) and all the information, communications, software, scripting, photos, text, video, graphics, music, sounds, images and other materials and services found on the Site (collectively “Content”), is intended for the lawful use of This site’s customers, employees and members of the general public. The Site is controlled and operated in whole or in part by This site. This site makes no representation that these materials are appropriate or available for use in other locations. Those who access the Site from other locations do so at their own risk and are responsible for compliance with applicable local laws. You acknowledge that This site reserves the right in its sole discretion to refuse or terminate access to the Site by you at any time.

Acceptance of terms

You acknowledge you have read, and agree to be bound by these Terms of Use and to comply with all applicable laws and regulations. You further agree to comply with all local laws, regulations and rules regarding online conduct and acceptable Content. You represent you have the legal authority to accept these Terms of Use on behalf of yourself or any party you represent. If you do not agree to these terms, please do not use the site.

Disclaimer of Warranty

This site does not warrant or make any representations regarding the availability, use, timeliness, security, validity, accuracy, or reliability of, or the results of the use of, or otherwise respecting, the content of the site or any other web sites linked to or from the site. Any material downloaded or otherwise obtained through the use of the site is done at your own discretion and risk and you are solely responsible for any damage to your computer system or loss of data that results from the download of any such material, or use of this site. The content of the site is provided “as is” and on an “as available” basis, without warranties of any kind either express or implied. To the fullest extent possible pursuant to applicable law, This site disclaims all warranties, express or implied, including, but not limited to, implied warranties of merchantability, fitness for a particular purpose, non-infringement or other violation of rights. Some jurisdictions do not allow the exclusions or limitations on how long an implied warranty lasts, so the above limitations or exclusions may not apply. No advice or information, whether oral or written, obtained by you from This site shall be deemed to alter this disclaimer of warranty, or to create any warranty.

Limitation of Liability

This site will not be liable for any damages of any kind arising out of or relating to the use or the inability to use this site, its content or links, including but not limited to damages caused by or related to errors, omissions, interruptions, defects, delay in operation or transmission, computer virus, line failure, and all other direct, indirect, special, incidental, exemplary or consequential damages even if This site has been advised of the possibility of such damages. Some jurisdictions do not allow the exclusion or limitation of incidental or consequential damages, so the above limitation or exclusion may not apply to you. Notwithstanding the foregoing, This site’s total liability to you for all losses, damages, and causes of action, including but not limited to those based on contract, tort or otherwise, arising out of your use of this site, its content or links, shall not exceed the amount you paid to access this site.

Starting up a VNC session on Solaris using the Solaris Companion VNC distribution.

export PATH=$PATH:/usr/openwin/bin:/opt/sfw/bin
/opt/sfw/bin/vncserver
/opt/sfw/bin/vncpasswd

Issue with LDAP on RHEL or CentOS

If you bump into the following message on your box:

Checking configuration files for slapd:
bdb_db_open: unclean shutdown detected; attempting recovery.
bdb_db_open: Recovery skipped in read-only mode.
Run manual recovery if errors are encountered.

Change the ownership of /var/lib/ldap/DB_CONFIG to the user ldap and group ldap, then restart ldap.

chown ldap:ldap /var/lib/ldap/DB_CONFIG
service ldap restart

If you do have an issue with your database, you can try to repair it:

/usr/sbin/slapd_db_recover -v -h /var/lib/ldap