Quick Blurb

LDAP Authentication RPI Tutorial (Part 1)

After writing about how to use CAS with PHP, I thought I would write a post about how to use LDAP(Lightweight Directory Access Protocol) at RPI but these methods can be used anywhere. LDAP is a protocol to query user databases, this is a protocol that can be sed along with Active Directory, or another directory system for computers and user accounts. This protocol is widely used to allow different applications to interact with your user database. Here I will be showing how to implement search with LDAP to a web application. This guide will be using LDAP with PHP, this requires the LDAP module to be enabled within PHP; that will be the purpose of this article, then the next one will discuss how to actually query LDAP.

LDAP Linux (Debian/Ubuntu) Install

Linux is easy to get LDAP working with PHP, as long as you have a standard installation of Apache, with PHP 5 working.

  1. Install the LDAP module onto the machine, using either aptitude or apt-get
    • “sudo aptitude install php5-ldap”
    • OR “sudo apt-get install php5-ldap”
  2. PHP should now be able to use LDAP, if it is not working yet, you will need to restart Apache.
    • “sudo service apache2 restart”

LDAP Windows (XAMPP) Install

Xampp for Windows comes with LDAP, but there is a bug in their implementation and a file needs to be copied before LDAP will work. I am going to use “C:\xampp”, the default directory for Xampp in this example.

  1. Go into the PHP folder, C:\xampp\php\
  2. Edit the file “php.ini” with any text editor
  3. Find the line “;extension=php_ldap.dll”, and remove the semi-colon. “extension=php_ldap.dll”
  4. Now if you were to reboot Apache it should be working, but its not! Why not? There is a missing DLL. You need to
    copy libsasl.dll from c:\xampp\php\libsasl.dll to C:\xampp\apache\bin\.
  5. Now restart Apache

LDAP Search

Now that PHP can search LDAP we are going to want to start creating queries in PHP; but it is much easier to tweak the search in the command line, and then put that query into PHP. The following are steps that can be taken on a Linux computer (again Ubuntu/Debian) to install and use a ldap command line search.

  1. First we need to install the OpenLDAP utilities that will give us the “ldapsearch” command
    • “sudo aptitude install openldap-utils”
    • OR “sudo apt-get install openldap-utils”
  2. Now we are making our query
    • First we add the command, then enter the host you are searching, tell the server to try simple anonymous authentication. Next give the server a base to start the search (I am using RPI specific domain components), finally we have to give the heart of our search. I am looking for any Unique ID (username) that starts with “berk”, and ends with anything “*”.
    • ldapsearch -h “ldap.rpi.edu” -x -b “dc=rpi, dc=edu” “uid=berk*”
    • Now this gives one result, and this can be used to see what data will be returned from this server. You can also try “ldap1.server.rpi.edu” this returns a entirely different list of variables, and sometimes more users.
    • If you are interested in researching this command more, die.net has a great resource. http://linux.die.net/man/1/ldapsearch
    • Troubleshooting: For those of you here at RPI trying to follow this guide specifically, if you do not get any results or a error connecting, RPI firewalls the LDAP servers heavily. I have found a lot of the time I have to be in the VCC to make this work, you can also VPN in, then your network connection is within the VCC and it will work. I have VPNed in, while on campus in the Union to get LDAP to work.

UPDATE: I added a little about what LDAP is

Adding Strict Standards, (Or Removing)

I have been developing on a Debian Apache system for a long time, for one of the projects I have been working on I had to run on a Windows Server. After installing XAMPP I noticed that by default, XAMPP sets the developer settings of Strict Standards. Meanwhile the Linux system didn’t have that enabled. I went out wanting to set the Linux server to have the Strict settings to force me to code properly. I found many places that would tell me how to disable strict standards (because users found it bothersome), but after a little searching I didn’t find a clear guide so I thought I would write one for PHP5.

  1. Find “php.ini”
    • Windows (XAMPP): The file is kept under C:/xampp/php/php.ini
    • Linux: For php5 (at least in debian) /etc/php5/apache2/php.ini
  2. Open the file and scroll to;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
    ; Error handling and logging ;
    ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
  3. The line you want to edit iserror_reporting =…
  4. Copying the line below will enable strict settings, while other combinations listed below will enable different values.
    • Development Value: E_ALL | E_STRICT

My Linux box configured itself as  “error_reporting = E_ALL & ~E_DEPRECATED”, which is the standard for production.

Here is the description that comes with php.ini,

;Default Value: E_ALL & ~E_NOTICE
; Development Value: E_ALL | E_STRICT
; Production Value: E_ALL & ~E_DEPRECATED
; http://php.net/error-reporting

Time Tracker

Recently I have been working on an hour keeping system for my work at RPI; we have an old time card system that is running on a Windows 2000 server. The code no longer works, as in the JavaScript is not supported by modern browsers. The old system has been running for over 11 years, and it is time to let it retire.

The new system is at version 0.1 right now, with basic functionality working. The system is split into groups, so while one server runs separate departments can run a “group” and have their employees under there. Once a user is given privileges to one group in the system, when that user logins in, that group will automatically come up.

The old system had a html page that managers could edit, to give announcements to workers. This was a bit of a tedious process to go in and manually edit these pages, now there is a field for the manager of each group to drop html to edit their page. The system has two levels of accounts and privileges, there is the privilege within a group, and the privilege for the entire system. While a user can be administrator of a group and edit their group, they may not have administrative rights over the entire server. By having administrative rights to the entire server, a user can change the splash page before a user is logged on, or create new groups in the system.

The system allows for templates to be made of weeks, so if a student worker works the same hours every week, then they can save it and deploy it easily. I am working on integrating email reminders by using a .Net application that integrates with MySQL. By having the application read who has yet to enter logs this pay period  I can use the students CAS login to get their email.

Below are some photos of the system, and it is all open source at the attached link.

Source: https://github.com/daberkow/RPI_timetracker

Recovering WIM Images

A user came in to helpdesk with a laptop that had a dying hard drive. A coworker was able to recover part of the LENOVO_RECOVERY partition to a new drive that was installed in the laptop, with a intact .WIM image, yet the partition would not boot. We tried rewriting the MBR, rebuilding BCD and other tricks but nothing would work. To make a very long story of us trying everything to get this drive to restore with no avail; we were able to manually make a partition then use GImageX to recover the image.

The new hard drive had the 10gb recovery partition we had copied over, and nothing else on it. So first using DiskPart, we made our new partition for windows.

  1. Boot from a Windows Vista, or 7, or later installation disc
  2. Go to Recovery Mode, and then get to the command prompt (dont do a system restore)
  3. Run diskpart
  4. “list disk” and then “select disk #” for the disk you want
  5. “list partition” will list what is on the hard drive, we then did “add” to make a new partition
  6. “select partition #” will select the new partition if you put the correct number in
  7. Finally “assign” will give the new drive a drive letter

Now that the new partition exists, we used http://www.autoitscript.com/site/autoit-tools/gimagex/. This tool will recover the standard WIM windows images to a partition. To make life easy we copied it to a thumb drive and then launched it on the recovery disc. If your windows disc is 64 bit, you will need the 64 bit version of the app. Once we had the app it was just a matter of launching it and going to the second tab of “Apply” to install the image. The laptop we were working on had the recovery image hidden, in a folder called “FactoryRecovery”. By running “dir /AHS” the computer will list all files in a directory, including hidden and system files. While navigated to the directory you know the images are in, running “attrib -S -H /S /D” will remove system and hidden attributes from the files and folders. Now GImageX can see the image and recover it.

That was the end of a long recovery, if anyone has questions post a comment.

Windows Mobile 6.1 PopUp Work Around

WM6.1 Internet Explorer does not have support for multiple tabs/windows. So naturally, it blocks all popups. However, some sites require a popup to authenticate or to advance on in whatever you are trying to do. Here is an example situation from http://www.everythingwm.com/forum/threads/wm-6-1-internet-explorer-popup-blocker.33238/

WM 6.1 Internet Explorer Popup Blocker?

Hope that someone can help me…. I have Q9c running Mindows Mobile 6.1 and I need to disable the pop up blocker but don’t know how to. I’ve been all through the phone settings etc. but can’t see whether the phone even has it!! I use online banking alot and when I get into it, and after introducing my username and password, a new window is supposed to open but this pop up window does not show up. Instead of this a message shows up saying ” your pop up blocker is activated”…
Any sugestions?? Thanks a lot.:wink:

Many suggestions were download a different browser. But nowadays, WM6.1 is being phased out and the browsers have become unsupported. A work around that I stumbled upon requires that you have a physical keyboard.

  • Use the arrow keys to highlight the button that will initiate the popup.
  • Hold down the return key (enter key) until the popup opens within a new window.

Internet explorer will look like it’s freaking out, but hey you’ve been advanced to the next step. Note this has only been tested out on the Motorola MC9090 Inventory Handhelds.