Tuesday, December 20, 2011

NS2 simulation for PIM-SM multicasting

I am going to show you how to perform a traditional PIM-SM simulation in NS2. For those who don't know PIM-SM (Protocol Independent Multicast - Sparse Mode), check RFC 4601.

Definition extracted from RFCs:
PIM-DM (RFC3973) is a multicast routing protocol that uses the underlying unicast routing information base to flood multicast datagrams to all multicast routers. Prune messages are used to prevent future messages from propagating to routers without group membership information.

PIM-SM (RFC4601) is a multicast routing protocol that can use the underlying unicast routing information base or a separate multicast-capable routing information base. It builds unidirectional shared trees rooted at a Rendezvous Point (RP) per group, and optionally creates shortest-path trees per source.

In simple language: PIM-DM uses a push model to flood multicast traffic to every corner of the network. This process is considered very “heavy”, since it floods its messages to all sub-networks. In PIM-SM environments, multicast traffic is forwarded only to sub-networks that have active receivers that have explicitly requested the data. PIM-SM introduces the concept of the Rendezvous Point (RP). The RP is an appointed router through which all the multicast traffic for a group flows and from which it is forwarded down the shared (multipoint) tree.

The Network Simulator 2 (NS-2) is the most popular simulator in the scientific field and in large telecommunications companies; it allows creating any network topology and analyzing any kind of protocol.

SIMULATION SCENARIO:

This simulation models a PIM-SM environment on an IP infrastructure with one multicast source, one group address and two nodes joining the group. Node0 through Node7 are all routers. Source1 is attached to Router0. Receiver1 and Receiver2 are attached to Router6 and Router7 respectively. Router1 is defined as the Rendezvous Point (RP).

Source1 starts at 0.5 sec
Receiver1 joins the group at 1.0 sec
Receiver2 joins the group at 1.5 sec
Receiver1 leaves the group at 6.0 sec
Receiver2 leaves the group at 6.5 sec
Source1 stops at 9.5 sec



Network Topology for multicast simulation


File: multicast.tcl

#//////////////////CODE STARTS HERE/////////////////////////////////
#Create an event scheduler with multicast turned on
set ns [new Simulator -multicast on]
#$ns multicast
#Turn on Tracing

set tf [open output.tr w]
$ns trace-all $tf

# Turn on nam Tracing
set fd [open mcast.nam w]
$ns namtrace-all $fd

# Create nodes
set n0 [$ns node]
set n1 [$ns node]
set n2 [$ns node]
set n3 [$ns node]
set n4 [$ns node]
set n5 [$ns node]
set n6 [$ns node]
set n7 [$ns node]

# Create links
$ns duplex-link $n0 $n1 1.5Mb 10ms DropTail
$ns duplex-link $n1 $n2 1.5Mb 10ms DropTail
$ns duplex-link $n2 $n3 1.5Mb 10ms DropTail
$ns duplex-link $n3 $n4 1.5Mb 10ms DropTail
$ns duplex-link $n1 $n4 1.5Mb 10ms DropTail
$ns duplex-link $n3 $n5 1.5Mb 10ms DropTail
$ns duplex-link $n5 $n6 1.5Mb 10ms DropTail
$ns duplex-link $n5 $n7 1.5Mb 10ms DropTail


# Allocate group addresses
set group1 [Node allocaddr]
set group2 [Node allocaddr]


# Routing protocol: PIM-SM (modelled with NS2's BST, the bidirectional
# shared-tree protocol; n1 is the Rendezvous Point for group1)
$ns mrtproto BST
BST set RP_($group1) $n1


# UDP Transport agent for the traffic source
set udp0 [new Agent/UDP]
$ns attach-agent $n0 $udp0
$udp0 set dst_addr_ $group1
$udp0 set dst_port_ 0
set cbr1 [new Application/Traffic/CBR]
$cbr1 set packetSize_ 210
$cbr1 set rate_ 1000k
$cbr1 attach-agent $udp0

# Create receiver
set rcvr1 [new Agent/Null]
$ns attach-agent $n6 $rcvr1
set rcvr2 [new Agent/Null]

$ns attach-agent $n7 $rcvr2


$ns at 1.0 "$n6 join-group $rcvr1 $group1"
$ns at 1.5 "$n7 join-group $rcvr2 $group1"

$ns at 6.0 "$n6 leave-group $rcvr1 $group1"
$ns at 6.5 "$n7 leave-group $rcvr2 $group1"

# Schedule events
$ns at 0.5 "$cbr1 start"
$ns at 9.5 "$cbr1 stop"

#post-processing
$ns at 10.0 "finish"
proc finish {} {
#both trace files must be closed before nam reads mcast.nam
global ns tf fd
$ns flush-trace
close $tf
close $fd
exec nam mcast.nam &
exit 0
}

# For nam
#Colors for packets from mcast packets
$ns color 10 red

#udp0 traffic has flow ID 10
# Group 0 source

$udp0 set fid_ 10
$n0 color red
$n0 label "Source 1"

$n6 label "Receiver 1"
$n6 color blue
$n7 label "Receiver 2"
$n7 color blue

# Animation rate
$ns set-animation-rate 3.0ms
$ns run
#//////////////////CODE ENDS HERE/////////////////////////////////

Make sure that you make your .tcl file executable
#chmod 700 multicast.tcl

Execute the .tcl file as
#ns multicast.tcl

If you run into any issues, refer to NS2 documentation. It's really nice documentation.
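To check that the join-group and leave-group events actually control who receives the traffic, you can summarise the output.tr file that `$ns trace-all` writes. The script below is an added example in Python, not part of the original post or of NS2: it reads the standard NS-2 wired trace layout (event, time, from node, to node, packet type, size, flags, flow id, source address, destination address, sequence number, unique id), counts the packets of one flow received per node, and checks that each receiver's first and last reception fall inside its membership window. The embedded trace lines are constructed, not a real capture, and the group address value in them is a placeholder; the code treats the address fields as opaque strings.

```python
"""Summarise an NS-2 wired trace per receiving node and check membership windows.

Added example, not part of the original post.  Field order is the standard
NS-2 wired trace layout; the sample lines below are constructed.
"""
from collections import defaultdict

# Constructed sample: three packets of flow 10 reach node 6 and two reach
# node 7, plus one enqueue ('+') and one drop ('d') event that must not count.
SAMPLE_TRACE = """\
+ 1.2000 0 1 cbr 210 ------- 10 0.0 -2147483648.0 5 5
r 1.2500 5 6 cbr 210 ------- 10 0.0 -2147483648.0 5 5
r 1.2600 5 6 cbr 210 ------- 10 0.0 -2147483648.0 6 6
r 1.5300 5 7 cbr 210 ------- 10 0.0 -2147483648.0 7 7
r 5.9800 5 6 cbr 210 ------- 10 0.0 -2147483648.0 900 900
d 6.1000 5 6 cbr 210 ------- 10 0.0 -2147483648.0 901 901
r 6.4900 5 7 cbr 210 ------- 10 0.0 -2147483648.0 902 902
"""

FIELDS = ("event", "time", "src_node", "dst_node", "ptype", "size",
          "flags", "fid", "src", "dst", "seq", "uid")


def parse_trace(text):
    """Yield one dict per trace line; lines with too few fields are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        rec["time"] = float(rec["time"])
        yield rec


def receive_stats(text, fid):
    """Per node: (packet count, first receive time, last receive time) for flow fid.
    Only 'r' (receive) events count; enqueue and drop events are ignored."""
    stats = {}
    for rec in parse_trace(text):
        if rec["event"] != "r" or rec["fid"] != str(fid):
            continue
        node = rec["dst_node"]
        count, first, last = stats.get(node, (0, rec["time"], rec["time"]))
        stats[node] = (count + 1, min(first, rec["time"]), max(last, rec["time"]))
    return stats


def check_membership(stats, windows):
    """windows maps node -> (join_time, leave_time).  Returns node -> True when
    every reception at that node lies inside its window, False otherwise
    (including nodes that received nothing at all)."""
    result = {}
    for node, (join, leave) in windows.items():
        if node not in stats:
            result[node] = False
            continue
        _, first, last = stats[node]
        result[node] = join <= first and last <= leave
    return result


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TRACE
    stats = receive_stats(text, fid=10)
    for node, (n, first, last) in sorted(stats.items()):
        print(f"node {node}: {n} packets, first {first:.4f}s last {last:.4f}s")
    # the join/leave times scheduled in multicast.tcl for n6 and n7
    print(check_membership(stats, {"6": (1.0, 6.0), "7": (1.5, 6.5)}))
```

Run it as `python3 tracecheck.py output.tr` after the simulation; with no argument it runs over the constructed sample. A receiver that shows a first reception before its join time, or a last reception after its leave time, points at a prune or join that did not take effect on the shared tree.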

Thursday, December 1, 2011

Apache2.2: Defining Virtual Hosts, Re-direction and LDAP authentication uncovered

I usually put references at the bottom of the article, but this time I want to put them at the beginning. If you are an Apache beginner, trust me, you want to go through these references before you start doing anything.

References:
Apache Directives: http://httpd.apache.org/docs/2.2/mod/directive-dict.html#Context
Name-Based Virtual Hosts: http://httpd.apache.org/docs/2.2/vhosts/name-based.html
LDAP directory for authentication: http://httpd.apache.org/docs/2.3/mod/mod_authnz_ldap.html
LDAP and Active Directory Terminologies: http://rapidtechguide.blogspot.com/2011/07/directories-terminology-active.html


Practice Scenario:

Windows Server
Web Server: Apache2.2
IP add: 192.168.1.10
Port: 80
Websites hosted:
www1.test.org
www.mytest.org
www.urtest.org
www.ourtest.org
www.everyonetest.org
www.lovetest.org



Before you start testing your Apache setup, make sure that DNS and the hosts file are configured properly.

STEP1:
File: C:\Windows\System32\drivers\etc\hosts
192.168.1.10 www1.test.org
192.168.1.10 www.mytest.org
192.168.1.10 www.urtest.org
192.168.1.10 www.ourtest.org
192.168.1.10 www.everyonetest.org
192.168.1.10 www.lovetest.org


#everyonetest.org and lovetest.org are alias of ourtest.org

STEP2:
Configure the DNS server to point the domains 'mytest.org, urtest.org, ourtest.org, everyonetest.org, lovetest.org' to 192.168.1.10. You can contact your DNS administrator for this.

STEP3:
Say Apache2.2 is installed in C: drive
C:\apache

and you are publishing your web contents at C:\website
C:\website\mytest
C:\website\urtest
C:\website\ourtest

STEP4:
File: C:\apache\conf\httpd.conf
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses.
Listen 192.168.1.10:80

#uncomment these for LDAP authentication support
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule ldap_module modules/mod_ldap.so

ServerName www1.test.org

#
# DirectoryIndex: sets the file that Apache will serve if a directory
# is requested.
#
<IfModule dir_module>
DirectoryIndex index.htm index.html index.shtml index.html.var index.php index.pl default.html default.htm
</IfModule>

#Set LogLevel to debug if you are configuring Apache for first time so that you can collect enough logging information for troubleshooting purpose
LogLevel debug

<IfModule mime_module>
#Uncomment this line to have shtml MIME support
AddType text/html .shtml
</IfModule>

# Uncomment following line to add Virtual hosts in different file
Include conf/extra/httpd-vhosts.conf

STEP5:
File: C:\apache\conf\extra\httpd-vhosts.conf
#
# Use name-based virtual hosting.
#
NameVirtualHost 192.168.1.10:80
#Regular Virtual Host Configuration Example
# WWW.MYTEST.ORG BEGIN
# mytest.org is published at C:/website/mytest

<VirtualHost 192.168.1.10:80>
ServerName www.mytest.org
DocumentRoot C:/website/mytest

<Directory C:/website/mytest>
AllowOverride None
Order deny,allow
Allow from all
</Directory>

ErrorLog "logs/www.mytest.org-error.log"
CustomLog "logs/www.mytest.org-access.log" common

ErrorDocument 401 /unauth.shtml
ErrorDocument 403 /forbid.shtml
ErrorDocument 404 /notfound.shtml
ErrorDocument 500 /error.shtml
</VirtualHost>

# WWW.MYTEST.ORG END
#Re-Direction Configuration Example
# WWW.URTEST.ORG BEGIN
# urtest.org is simply re-directed to www.wikipedia.org

<VirtualHost 192.168.1.10:80>
ServerName www.urtest.org
# The target must end with a slash: with "https://www.wikipedia.org" a request
# for /foo would be sent to https://www.wikipedia.orgfoo
Redirect permanent / https://www.wikipedia.org/
</VirtualHost>

# WWW.URTEST.ORG END


#LDAP Authentication Configuration Example
# WWW.OURTEST.ORG BEGIN
# ourtest.org is published at C:/website/ourtest
# LDAP authentication is required to access the contents of C:/website/ourtest

<VirtualHost 192.168.1.10:80>
ServerName www.ourtest.org
# aliases must match the Host header the browser sends (see the hosts file in STEP1)
ServerAlias www.everyonetest.org www.lovetest.org
DocumentRoot C:/website/ourtest

<Directory C:/website/ourtest>
AllowOverride None
Order deny,allow
Allow from all

AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative on

AuthLDAPBindDN "cn=ldapuser,ou=\"Super Accounts\",DC=ad,DC=test,DC=org"
# the bind password is stored in clear text; keep this file readable only by the account Apache runs as
AuthLDAPBindPassword ipassword

AuthName "Only for registered users"

AuthLDAPURL "ldap://ldap.test.org:389/ou=students,ou=toefl,dc=ad,dc=test,dc=org?name"

#Syntax for AuthLDAPURL: ldap://host:port/basedn?attribute?scope?filter
#For more info refer to page 3 of https://www.ietf.org/rfc/rfc2255.txt
require valid-user
</Directory>

ErrorLog "logs/www.ourtest.org-error.log"
CustomLog "logs/www.ourtest.org-access.log" common

ErrorDocument 401 /unauth.shtml
ErrorDocument 403 /forbid.shtml
ErrorDocument 404 /notfound.shtml
ErrorDocument 500 /error.shtml
</VirtualHost>

# WWW.OURTEST.ORG END
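With name-based virtual hosting, a request whose Host header matches no ServerName or ServerAlias is answered by the first <VirtualHost> for that address:port, so a missing alias does not fail loudly; it silently serves the wrong site. The script below is an added example in Python, not part of the original post or of Apache: it parses the <VirtualHost> blocks of an httpd-vhosts.conf, checks every hostname you intend to serve against the names Apache would match, and reports the slips that are easy to make in the setup above (an alias that does not match the hosts-file names, a Redirect target without its trailing slash, two sites sharing one DocumentRoot, a bind password stored in clear text). The embedded configuration is a constructed sample that deliberately contains each of those slips.

```python
"""Lint a name-based virtual host file against the host names it should serve.

Added example, not part of the original post or of Apache.  SAMPLE_CONF is
a constructed configuration that contains each slip the checks look for.
"""
import re

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

SAMPLE_CONF = """\
NameVirtualHost 192.168.1.10:80
<VirtualHost 192.168.1.10:80>
ServerName www.mytest.org
DocumentRoot C:/website/mytest
</VirtualHost>
<VirtualHost 192.168.1.10:80>
ServerName www.urtest.org
Redirect permanent / https://www.wikipedia.org
</VirtualHost>
<VirtualHost 192.168.1.10:80>
ServerName www.ourtest.org
ServerAlias everyonetest.org lovetest.org
DocumentRoot C:/website/mytest
<Directory C:/website/mytest>
AuthLDAPBindPassword ipassword
</Directory>
</VirtualHost>
"""

# the names from the hosts file in STEP1
EXPECTED_HOSTS = ["www.mytest.org", "www.urtest.org", "www.ourtest.org",
                  "www.everyonetest.org", "www.lovetest.org"]


def parse_vhosts(conf_text):
    """Return one dict per <VirtualHost> block with the directives the lint needs."""
    vhosts = []
    for match in VHOST_RE.finditer(conf_text):
        vh = {"addr": match.group(1).strip(), "names": [], "docroot": None,
              "redirect": None, "bind_password": False}
        for raw in match.group(2).splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            key, *args = line.split()
            key = key.lower()
            if key == "servername" and args:
                vh["names"].append(args[0].lower())
            elif key == "serveralias":
                vh["names"].extend(a.lower() for a in args)
            elif key == "documentroot" and args:
                vh["docroot"] = args[0].strip('"').lower()
            elif key == "redirect" and args:
                vh["redirect"] = args[-1]          # last argument is the target URL
            elif key == "authldapbindpassword":
                vh["bind_password"] = True
        vhosts.append(vh)
    return vhosts


def lint(conf_text, expected_hosts):
    """Return a list of findings; an empty list means every check passed."""
    vhosts = parse_vhosts(conf_text)
    if not vhosts:
        return ["no <VirtualHost> blocks found"]
    findings = []
    served = {n for vh in vhosts for n in vh["names"]}
    default_vhost = vhosts[0]["names"][0] if vhosts[0]["names"] else "(unnamed)"
    for host in expected_hosts:
        if host.lower() not in served:
            # Apache answers an unmatched Host header with the first vhost
            # for that address:port, so the site is silently served wrong.
            findings.append(f"{host}: no ServerName/ServerAlias matches; "
                            f"requests fall through to {default_vhost}")
    docroots = {}
    for vh in vhosts:
        primary = vh["names"][0] if vh["names"] else "(unnamed)"
        if vh["redirect"] and not vh["redirect"].endswith("/"):
            findings.append(f"{primary}: Redirect target {vh['redirect']} lacks a "
                            f"trailing slash, so /path becomes {vh['redirect']}path")
        if vh["docroot"]:
            if vh["docroot"] in docroots:
                findings.append(f"{primary}: shares DocumentRoot {vh['docroot']} "
                                f"with {docroots[vh['docroot']]}")
            else:
                docroots[vh["docroot"]] = primary
        if vh["bind_password"]:
            findings.append(f"{primary}: AuthLDAPBindPassword is stored in clear "
                            "text; restrict read access to this file")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF, EXPECTED_HOSTS):
        print(finding)
```

Point it at your own file with `lint(open(r"C:\apache\conf\extra\httpd-vhosts.conf").read(), EXPECTED_HOSTS)`; the parser only understands the directives it reports on, so it is a pre-flight check, not a replacement for `httpd -S`.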
Some other tips:
I would prefer to use Internet Explorer (IE) for testing web pages, as lots of users are using IE. In IE go to Tools --> Internet Options and check 'Delete Browsing History on Exit'. Sometimes the browser displays web pages from its temp files, so even if your Apache/web server is stopped you might see web pages working (I have seen it and it took me quite a time to get around it). Or sometimes if you make some content changes, your browser may not reflect those changes. So, while performing the Apache setup and testing, 'Delete Browsing History' really helps. Close the browser, re-open it and see if you got your desired output.
Sometimes you might have to flush the local DNS cache. If you have to, you can use the following command
> ipconfig /flushdns

Good Luck!!!

Additional References:
http://www.yolinux.com/TUTORIALS/LinuxTutorialApacheAddingLoginSiteProtection.html


Also read per-User web directories documentation from Apache
http://httpd.apache.org/docs/2.0/howto/public_html.html

Tuesday, November 22, 2011

Write Startup scripts in Linux Environment?

The explanation is based on SLES (SUSE Linux Enterprise Server); it should apply to other Linux distributions as well.
There are various situations where you write your own script and want it to run at system startup. In a Linux environment you have to place your script in /etc/init.d and use the 'insserv' or 'chkconfig' command to insert that script into the various runlevels.

[By default, insserv inserts the script in runlevels 3 and 5. You can check that by running #chkconfig --list ]

Let's say I want to run 'asterisk' program automatically at startup and I want to make sure that it starts only when all the services of OS are up.

  • The 'which' command returns the location of the program or application
#which asterisk
/usr/bin/asterisk

  • Create a script file in the /etc/init.d directory
#vi /etc/init.d/asteriskStartupScript
#!/bin/bash
#Copyright (c) 2011 DShah
# All rights reserved
#
#Author: DShah, 2011
# /etc/init.d/asterisk
#PLEASE READ /etc/init.d/skeleton to understand various parameters in startup scripts
#
### BEGIN INIT INFO
# Provides: asterisk
# Required-Start: $ALL
# Required-Stop:
# Default-Start: 3 5
# Default-Stop: 0 1 2 6
# Short-Description: Starts Asterisk
### END INIT INFO

#Start the service only when called with "start"; the K-links in the stop
#runlevels call this same script with "stop" and must not launch a second copy
case "$1" in
    start)
        /usr/bin/asterisk
        ;;
    stop)
        #nothing to do on stop in this example
        ;;
    *)
        echo "Usage: $0 {start|stop}"
        exit 1
        ;;
esac

Save and close the script file.

  • The 'chmod' command can be used to add execute permission
#chmod 744 /etc/init.d/asteriskStartupScript

  • The 'insserv' command can be used to insert the script into the runlevels specified in the script file
#insserv asteriskStartupScript

  • The 'chkconfig' command can be used to check if the script will run at the next startup
#chkconfig --list asteriskStartupScript
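insserv decides where a script belongs from the '### BEGIN INIT INFO' header, so a header that is missing a keyword, names a runlevel that does not exist, or lists the same runlevel under both Default-Start and Default-Stop is the usual reason a script never runs. The validator below is an added example in Python, not part of the original post or of insserv: it extracts the header block from any init script of this shape, checks the keywords insserv relies on and the runlevel sets, and returns the problems as a list. The embedded script is a constructed sample with the same header as the asterisk script above.

```python
"""Validate the LSB '### BEGIN INIT INFO' header of an init script.

Added example, not part of the original post or of insserv.  SAMPLE_SCRIPT
is a constructed script with the same header layout as the one above.
"""
import re

RUNLEVELS = set("0123456")
REQUIRED_KEYS = ("Provides", "Default-Start", "Default-Stop")

SAMPLE_SCRIPT = """\
#!/bin/bash
### BEGIN INIT INFO
# Provides: asterisk
# Required-Start: $ALL
# Required-Stop:
# Default-Start: 3 5
# Default-Stop: 0 1 2 6
# Short-Description: Starts Asterisk
### END INIT INFO
/usr/bin/asterisk
"""

HEADER_RE = re.compile(r"^### BEGIN INIT INFO\n(.*?)^### END INIT INFO", re.S | re.M)
KEYWORD_RE = re.compile(r"#\s*([A-Za-z-]+):\s*(.*)$")


def parse_lsb_header(script_text):
    """Return {keyword: value} from the INIT INFO block, or None if there is none."""
    match = HEADER_RE.search(script_text)
    if not match:
        return None
    header = {}
    for line in match.group(1).splitlines():
        km = KEYWORD_RE.match(line)
        if km:
            header[km.group(1)] = km.group(2).strip()
    return header


def validate_init_script(script_text):
    """Return a list of problems; an empty list means insserv should accept the header."""
    header = parse_lsb_header(script_text)
    if header is None:
        return ["no '### BEGIN INIT INFO' block; insserv cannot place the script in any runlevel"]
    problems = [f"missing {key}" for key in REQUIRED_KEYS if key not in header]
    start = set(header.get("Default-Start", "").split())
    stop = set(header.get("Default-Stop", "").split())
    for label, levels in (("Default-Start", start), ("Default-Stop", stop)):
        bad = levels - RUNLEVELS
        if bad:
            problems.append(f"{label}: invalid runlevel(s) {' '.join(sorted(bad))}")
    overlap = start & stop
    if overlap:
        problems.append(f"runlevel(s) {' '.join(sorted(overlap))} appear in both "
                        "Default-Start and Default-Stop")
    if not script_text.startswith("#!"):
        problems.append("missing shebang line; the script will not run as a command")
    return problems


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SCRIPT
    print(validate_init_script(text) or "header looks fine")
```

Run it as `python3 lsbcheck.py /etc/init.d/asteriskStartupScript` before calling insserv; the same check applies to any script that carries this header block.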


Reference:
http://www.novell.com/coolsolutions/feature/15380.html

Friday, October 14, 2011

PERL scripting: Export data from MySQL database in XML format

I have a MySQL database containing all the data but the application I am trying to use only supports XML. How can I export data from MySQL database in XML format?

Here is your answer: you need a programming language that supports MySQL connections and does string manipulation well. I found PERL very easy and powerful for both MySQL access and string manipulation.

Assumptions: I will be running my PERL script on the same server as the MySQL database. The MySQL username and password are 'username' and 'password' respectively. The database name is 'phonesDB' and the table name is 'phones'.

MySQL

Database: phonesDB
Table: phones



full_name        phone_number   department
Peter Griffin    25962          Technology
Stewie Griffin   25963          Finance
Sam Burns        25234          HR

You should have some basic knowledge of XML, MySQL and PERL programming.

[Note: Make sure that you have perl-DBD-mysql, perl-DBI and perl installed. If those packages are missing, use YaST, yum, zypper or apt-get to install them, depending on your distro.]

Let's write the PERL script that will access our MySQL database and generate XML file for us.

#vi myPerlscript.pl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;
use DBD::mysql;

#connect to the database phonesDB using login credentials
my $dbh = DBI->connect("DBI:mysql:phonesDB","username","password",{RaiseError => 1, PrintError => 0});

#value printed in the <name> and <company> elements
my $site_name = "Company_Name";

#escape the five XML special characters, so a value like "A&B <Ltd>" cannot break the document
sub xml_escape {
    my ($text) = @_;
    $text = '' unless defined $text;
    $text =~ s/&/&amp;/g;
    $text =~ s/</&lt;/g;
    $text =~ s/>/&gt;/g;
    $text =~ s/"/&quot;/g;
    $text =~ s/'/&apos;/g;
    return $text;
}

#run the SELECT query
my $sth = $dbh->prepare("SELECT full_name,phone_number,department FROM phones");
$sth->execute();

print "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n";
print "<directory>\n";
print " <local>true</local>\n";
print " <sorted>true</sorted>\n";
print " <name>" . xml_escape($site_name) . "</name>\n";
while (my ($full_name,$phone_number,$department) = $sth->fetchrow_array ())
{

print " <user>\n";

#Using string manipulation techniques available in PERL scripting
#Extract first and last name from full name
#index() function returns the position of $myspace in $full_name (-1 if it does not occur)
#substr() function copies part of a string by specifying the beginning position and the length
my $myspace =" ";
my $myindex =index($full_name,$myspace);
my ($first_name, $last_name);
if ($myindex >= 0) {
    $last_name=substr($full_name,$myindex+1);
    $first_name=substr($full_name,0,$myindex);
} else {
    #single-word name: treat the whole value as the last name
    $last_name=$full_name;
    $first_name='';
}

print " <name>" . xml_escape("$last_name, $first_name") . "</name>\n";
print " <company>" . xml_escape($site_name) . "</company>\n";
print " <contact>\n";
print " <type>phone</type>\n";
print " <uri>sip:" . xml_escape($phone_number) . "</uri>\n";
print " </contact>\n";
print " </user>\n";
}

#Release the statement handle and disconnect from the database
$sth->finish();
$dbh->disconnect ();
print "</directory>\n";



Let's make the script executable
#chmod u+x myPerlscript.pl

Now run the script; you will get output in XML format
#./myPerlscript.pl

If you want to save the output of the script to a file,
#./myPerlscript.pl > myXMLfile.xml


Output:
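The same export written in Python, as an added example that is not part of the original post: it builds the document with xml.etree instead of printing strings, so every value is escaped for you, and it shows the two inputs that trip up hand-printed XML, a full_name containing '&' or '<' (which produces a document the target application cannot parse) and a single-word name with no space to split on. An in-memory SQLite table stands in for the MySQL phonesDB.phones table; the rows are constructed sample data, the first three being the ones in the post. With MySQL you would replace sample_connection() with a DB-API connection from a driver such as mysql.connector and keep the rest unchanged.

```python
"""Export the phones table as the XML layout above, with every value escaped.

Added example, not part of the original post.  SQLite stands in for MySQL;
SAMPLE_ROWS is constructed sample data.
"""
import sqlite3
import xml.etree.ElementTree as ET

SAMPLE_ROWS = [
    ("Peter Griffin", "25962", "Technology"),
    ("Stewie Griffin", "25963", "Finance"),
    ("Sam Burns", "25234", "HR"),
    ("O'Brien <Tom> & Co", "25001", "Sales"),   # constructed: XML-significant characters
    ("Madonna", "25002", "Marketing"),          # constructed: no space to split on
]


def sample_connection():
    """Stand-in for DBI->connect: an in-memory SQLite database with the same table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE phones (full_name TEXT, phone_number TEXT, department TEXT)")
    conn.executemany("INSERT INTO phones VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def split_name(full_name):
    """'First Last' -> ('First', 'Last'); a single word is treated as the last name,
    the case where index() returning -1 would mislead a substr()-based split."""
    first, sep, last = full_name.partition(" ")
    return (first, last) if sep else ("", first)


def build_directory(conn, site_name):
    """Return the <directory> element holding one <user> per row of phones."""
    root = ET.Element("directory")
    ET.SubElement(root, "local").text = "true"
    ET.SubElement(root, "sorted").text = "true"
    ET.SubElement(root, "name").text = site_name
    rows = conn.execute("SELECT full_name, phone_number, department FROM phones")
    for full_name, phone_number, _department in rows:
        first, last = split_name(full_name)
        user = ET.SubElement(root, "user")
        ET.SubElement(user, "name").text = f"{last}, {first}"
        ET.SubElement(user, "company").text = site_name
        contact = ET.SubElement(user, "contact")
        ET.SubElement(contact, "type").text = "phone"
        ET.SubElement(contact, "uri").text = f"sip:{phone_number}"
    return root


def export_xml(conn, site_name="Company_Name"):
    """Serialise the directory; ElementTree escapes &, < and > inside text nodes."""
    body = ET.tostring(build_directory(conn, site_name), encoding="unicode")
    return '<?xml version="1.0" encoding="utf-8"?>\n' + body


def user_count(xml_text):
    """Parse the document back (proof that it is well-formed) and count <user> entries."""
    return len(ET.fromstring(xml_text).findall("user"))


if __name__ == "__main__":
    print(export_xml(sample_connection()))
```

Redirect the output to a file exactly as with the Perl script (`python3 export.py > myXMLfile.xml`); the round trip through user_count() is the check worth keeping in a real export job, since a consumer that rejects the file usually does so silently.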

Monday, October 10, 2011

Configured server with multiple NICs on different subnet. Can't PING IP add on second NIC? Here's the solution

Let's say we have a network problem as shown below (the user can't access 10.1.1.10 from the workstation; a ping to 10.1.1.10 from the workstation fails):


Note: In Linux, usually NIC1 is presented as eth0 and NIC2 is presented as eth1

How to fix the problem associated with accessing 10.1.1.10 from workstation?

You must configure multiple default routes on the server.
You can achieve this in different ways; I prefer to use ip route and ip rule. They are easy to implement and understand.

Step 1: Create a new policy routing table
# echo "1 TenNetwork" >> /etc/iproute2/rt_tables

Routing tables are declared in rt_tables. Here we declared the TenNetwork table, as we are going to write a set of rules for the 10 network. You can give it any name you want.

Step2: Define routes in the table
#ip route add 10.1.0.0/16 dev eth1 src 10.1.1.10 table TenNetwork

#ip route add default via 10.1.1.1 dev eth1 table TenNetwork

Here we simply declared that NIC2 (eth1) is attached to the 10.1.0.0 subnet and that its IP address is 10.1.1.10. We also defined a default route via 10.1.1.1 on the eth1 interface. (This is the second default route. The first one is defined in the 'main' routing table, via 192.168.2.1 on the eth0 interface. The OS automatically picks that first default route on eth0; you can check that by executing #ip route show or #netstat -anr.)

#ip rule show

Since we haven't defined any rule associated with TenNetwork table yet, we can't see TenNetwork table in the rules.

Step3: Define the rules associated with TenNetwork table

#ip rule add from 10.1.1.10/32 table TenNetwork
#ip rule add to 10.1.1.10/32 table TenNetwork

Here we are defining rules that say: if any packet is from or to 10.1.1.10, look up the TenNetwork table.

#ip rule show
#netstat -anr

Now you can see the active routing rules associated with TenNetwork table as well.
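What Steps 1 to 3 change is the order in which the kernel consults routing tables: rules are tried by priority and the first table that holds a route for the destination wins. The script below is an added example in Python, not part of the original post or of iproute2: it models the rule database ('ip rule') and the routing tables ('ip route ... table') as data and resolves a (source, destination) pair the way the kernel does, so you can see that before the rules a reply from 10.1.1.10 leaves via eth0 and 192.168.2.1, and after them via eth1 and 10.1.1.1. The interface names, addresses and gateways are the ones from the post; the server's eth0 address (192.168.2.10), the minimal 'main' table the OS builds from the two interfaces, and a workstation at 172.16.0.5 behind the 10.1.1.1 gateway are constructed assumptions.

```python
"""Simulate the policy-routing lookup the server performs after Steps 1 to 3.

Added example, not part of the original post or of iproute2.  Constructed
assumptions: eth0 address 192.168.2.10, a minimal 'main' table and a
workstation at 172.16.0.5 behind the 10.1.1.1 gateway.
"""
import ipaddress


def net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


# table name -> list of (prefix, gateway or None for directly connected, device)
TABLES_BEFORE = {
    "main": [
        (net("192.168.2.0/24"), None, "eth0"),
        (net("10.1.0.0/16"), None, "eth1"),
        (net("0.0.0.0/0"), "192.168.2.1", "eth0"),   # the only default route so far
    ],
}
# (priority, from-selector, to-selector, table); None matches anything.
# 32766 is the kernel's built-in rule that consults 'main'.
RULES_BEFORE = [(32766, None, None, "main")]


def with_ten_network(tables, rules):
    """Return copies with Step 2's table and Step 3's rules added.
    'ip rule add' without a priority gets a number just below the lowest
    existing one, so the new rules are consulted before 'main'."""
    tables = dict(tables)
    tables["TenNetwork"] = [
        (net("10.1.0.0/16"), None, "eth1"),
        (net("0.0.0.0/0"), "10.1.1.1", "eth1"),      # the second default route
    ]
    rules = list(rules) + [
        (32765, net("10.1.1.10/32"), None, "TenNetwork"),   # from 10.1.1.10/32
        (32764, None, net("10.1.1.10/32"), "TenNetwork"),   # to 10.1.1.10/32
    ]
    return tables, rules


def lookup(tables, rules, src, dst):
    """Return (table_name, (prefix, gateway, device)) for a packet src -> dst,
    or None when no consulted table has a route.  Rules are tried in priority
    order; inside a table the longest matching prefix wins."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _prio, frm, to, table in sorted(rules, key=lambda r: r[0]):
        if frm is not None and src not in frm:
            continue
        if to is not None and dst not in to:
            continue
        best = None
        for route in tables.get(table, []):
            prefix = route[0]
            if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = route
        if best is not None:
            return table, best
    return None


def egress_device(tables, rules, src, dst):
    """Just the interface a packet from src to dst would leave on."""
    hit = lookup(tables, rules, src, dst)
    return hit[1][2] if hit else None


if __name__ == "__main__":
    after = with_ten_network(TABLES_BEFORE, RULES_BEFORE)
    for label, (t, r) in (("before", (TABLES_BEFORE, RULES_BEFORE)), ("after", after)):
        hit = lookup(t, r, "10.1.1.10", "172.16.0.5")
        print(f"{label}: reply from 10.1.1.10 to the workstation uses table {hit[0]}, "
              f"via {hit[1][1]} dev {hit[1][2]}")
```

The 'before' line is the asymmetric path that makes the ping fail: the request arrives on eth1 but the reply is handed to the 192.168.2.1 gateway, which has no business forwarding traffic sourced from 10.1.1.10. Traffic from the eth0 address is unaffected by the new rules and keeps using 'main'.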

You should be able to ping 10.1.1.10 from the workstation now. (However, I can't guarantee it.) If you are lucky, it will work like a charm. If you are even luckier, you will discover more about routing and fix the problem by yourself. Good Luck!!!

Run Wireshark on the server before and after applying the rule. You can visualize the problem and see how it is resolved. I love Wireshark. I think people can find and fix more than 90% of network problems using Wireshark.


Warning!!!! :
1. Restarting the server will lose the configuration
2. Restarting the network will lose the configuration

Let's solve the problem of losing the configuration when the server restarts by writing a startup script.

#vi /etc/init.d/TenNetwork
#!/bin/bash
#Copyright (c) 2011 DShah
# All rights reserved
#
#Author: DShah, 2011
# /etc/init.d/TenNetwork
#PLEASE READ /etc/init.d/skeleton to understand various parameters in startup scripts
#
### BEGIN INIT INFO
# Provides: TenNetwork
# Required-Start: $network
# Required-Stop:
# Default-Start: 3 5
# Default-Stop: 0 1 2 6
# Short-Description: Fixes 10 Network routing issue
### END INIT INFO

#shell variables are assigned without the leading $
logFile=/var/log/ten-network-log

case "$1" in
    start)
        #routes and rules from Step 2 and Step 3; the output of the "show"
        #commands is appended to the log file (the redirection order matters:
        #">> file 2>&1" sends stdout and stderr to the file, whereas
        #"2>&1 >> file" sends stderr to the terminal)
        ip route add 10.1.0.0/16 dev eth1 src 10.1.1.10 table TenNetwork
        ip route add default via 10.1.1.1 dev eth1 table TenNetwork
        ip route show >> "$logFile" 2>&1
        ip rule add from 10.1.1.10/32 table TenNetwork
        ip rule add to 10.1.1.10/32 table TenNetwork
        ip rule show >> "$logFile" 2>&1
        ip route show table TenNetwork >> "$logFile" 2>&1
        ;;
    stop)
        #undo the rules and empty the table so a restart does not add duplicates
        ip rule del from 10.1.1.10/32 table TenNetwork
        ip rule del to 10.1.1.10/32 table TenNetwork
        ip route flush table TenNetwork
        ;;
    *)
        echo "Usage: $0 {start|stop}"
        exit 1
        ;;
esac

Save and close the file

#chmod 700 /etc/init.d/TenNetwork

'insserv' command can be used to insert the script in desired runlevel as specified in script file
# insserv TenNetwork

You can go to /etc/init.d/rc3.d and /etc/init.d/rc5.d and look at the startup order of TenNetwork.

Restart your server and see if it is working as you expected.


Updated info on 03/28/13 [Easy fix]:

The multiple-NIC routing issue can also be resolved by a small change in sysctl.conf:

/etc/sysctl.conf
# Disable response to broadcasts.
# You don't want yourself becoming a Smurf amplifier.
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Disable route verification on all interfaces.
# 0 switches the reverse-path (anti-spoofing) check off entirely; on kernels
# that support it, 2 (loose mode) keeps the check while tolerating the
# asymmetric paths that multiple default routes create.
net.ipv4.conf.all.rp_filter = 0
# enable ipV6 forwarding
#net.ipv6.conf.all.forwarding = 1
# increase the number of possible inotify(7) watches
fs.inotify.max_user_watches = 65536
# avoid deleting secondary IPs on deleting the primary IP
net.ipv4.conf.default.promote_secondaries = 1
net.ipv4.conf.all.promote_secondaries = 1

#sysctl -p   (to reload the changes made to the sysctl config)



Reference:
http://www.policyrouting.org/PolicyRoutingBook/ONLINE/TOC.html

Tuesday, September 27, 2011

How to install flash player for firefox/mozilla in Linux (CentOS, RedHat, SuSE, SLES etc)

Just installed Linux and can't play YouTube or other Flash-based content? No more scratching heads.
Go to adobe website to download the flashplayer: http://get.adobe.com/flashplayer/

Download the appropriate file based on your OS. (32-bit or 64-bit linux).

I would recommend you to download .tar.gz file of the flashplayer.

Once the file is downloaded, you simply need to extract it within a folder.

#mkdir myFlashdir
#cd myFlashdir

copy flashplayer.tar.gz in this folder

#tar xvzf flashplayer.tar.gz

Now you will see the libflashplayer.so plugin file for Mozilla. You simply need to copy this file to

/usr/lib64/mozilla/plugins ==> If your linux is 64-bit

/usr/lib/mozilla/plugins ==> If your linux is 32-bit

#cp libflashplayer.so /usr/lib64/mozilla/plugins


You are done. Now have fun with your YouTube or other Flash programs.


You can check the installed plugins by typing the following in the URL field.

about:plugins

Wednesday, July 27, 2011

Dell Latitude + Linux : Easy to solve the problem with Wireless setup

Step 1: Download the Linux driver for the wireless NIC in your Dell Latitude laptop. My laptop has a Broadcom wireless controller. You can check yours by running the command

#lspci |grep -i 802.11

Mine is: Network controller: Broadcom Corporation BCM4321 802.11a/b/g/n (rev 03)
Luckily I found the driver at Broadcom website.

Check if your system has 32-bit Linux or 64-bit Linux and download the appropriate driver. You can check that via

#uname -a

Mine is 64-bit SUSE Linux: Linux devsuse 2.6.32.12-0.7-default #1 SMP 2010-05-20 11:14:20 +0200 x86_64 x86_64 x86_64 GNU/Linux


Step2: Follow the README.txt for that driver. It has clear instructions.

[extract from README.txt]

# lsmod | grep "b43\|ssb\|wl"


If any of these are installed, remove them:
# rmmod b43
# rmmod ssb
# rmmod wl

To blacklist these drivers and prevent them from
loading in the future:
# echo "blacklist ssb" >> /etc/modprobe.d/blacklist.conf
# echo "blacklist b43" >> /etc/modprobe.d/blacklist.conf

>>1. Unzip, build and install the driver
Setup the directory by untarring the proper tarball:

For 32 bit: hybrid-portsrc_x86-32_v5.100.82.38.tar.gz
For 64 bit: hybrid-portsrc_x86-64_v5.100.82.38.tar.gz

Example:
# mkdir hybrid_wl
# cd hybrid_wl
# tar xzf /hybrid-portsrc_x86-32_v5.100.82.38.tar.gz

Build the driver as a Linux loadable kernel module (LKM):

# make clean (optional)
# make

When the build completes, it will produce a wl.ko file in the top level
directory.


>>2: Insmod the driver.

Otherwise, if you have not previously installed a wl driver, you'll need
to add a security module before using the wl module. Most newer systems
use lib80211 while others use ieee80211_crypt_tkip. See which one works for
your system.

# modprobe lib80211
or
# modprobe ieee80211_crypt_tkip

Then:
# insmod wl.ko

wl.ko is now operational. It may take several seconds for the Network
Manager to notice a new network driver has been installed and show the
surrounding wireless networks.
Step3. Check if you can see the wireless card detected.
#ifconfig
#iwconfig

or Go to yast2 --> Network Devices --> Network Settings --> Overview
You should see your wireless network card listed.

Step4: Configure your wireless as you do with your regular wireless setup. Good Luck!!!
(You can refer to Novell Documentation if you need any help to configure your Wireless network)

If your internet/network connectivity doesn't work, check if the routing table is good.

#route -n

You can define the default route for 0.0.0.0 (any) through your wireless interface ( in my case it's eth1). For that you can go to YAST2-->Network Devices-->Network Settings-->Routing

Also make sure that you have DNS servers defined. If not, you can go to YAST2 -->Network Devices-->Network Settings-->Hostname/DNS
or you can also edit /etc/resolv.conf


NOTE: Upgrading the kernel and drivers requires removing ssb, b43 and adding them to the blacklist again.

Wednesday, July 6, 2011

Directories Terminology: Active Directory, eDirectory, Lotus Domino Directory

LDAP is very often used to access directories. The directory could be Active Directory, eDirectory/Novell NDS, Lotus Domino Directory and more.
There are many acronyms like DN, DC, OU, CN and GPO, but they are easy to understand:

AD: Active Directory
DN : Distinguished Name
DC: Domain Controller/Component
OU: Organizational Unit
CN: Common Name
GPO: Group Policy


Fig. Organization tree structure depicted by AD hierarchy

In Active Directory, eDirectory or any LDAP-compliant directory, objects are referred to by Distinguished Name (DN). The parts of a distinguished name, delimited by commas, represent where in the AD hierarchy the object exists.

Monikers in a DN are:

CN   Common Name                  cn=Joe Dirt
OU   Organizational Unit          ou=Staff
DC   Domain Controller/Component  dc=UPS

An example of the Distinguished Name of a user object could be:

cn=Joe Dirt, ou=Staff, ou=Finance, ou=Dept, ou=UPS, dc=ad, dc=ups, dc=com

In this case, the object with Common Name 'Joe Dirt' is in the Organizational Unit 'Staff', which in turn is in the Organizational Unit 'Finance', which in turn is in the Organizational Unit 'Dept', which in turn is in Organization Unit 'UPS', which is in the domain 'ad.ups.com'.

You can use various free LDAP browsers like Softerra or JXplorer to browse directories.

More examples to clarify the concept:
If you want to refer to all the objects under UPS Organizational Unit/Container, you should use

BASE DN:
ou=UPS, dc=ad, dc=ups, dc=com

If you want to refer to all the objects under Finance Organizational Unit/Container, you should use

BASE DN:
ou=Finance, ou=Dept, ou=UPS, dc=ad, dc=ups, dc=com

If you want to login as Joe Dirt to make LDAP query, you should use following DN

USER DN: cn=Joe Dirt, ou=Staff, ou=Finance, ou=Dept, ou=UPS, dc=ad, dc=ups, dc=com


CN is used for the default system containers. OU is also used for containers. One major difference between a CN container and an OU container is that GPOs can be applied only to OUs, not to CNs.
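The questions above (what is an object's container, and which objects fall under a given base DN) are answered by reading the DN from right to left. The script below is an added example in Python, not part of the original post: a small RFC 4514 parser that splits a DN into its RDNs while honouring backslash-escaped commas (a naive split on ',' breaks a value such as cn=Dirt\, Joe), a helper that returns the parent container, and a helper that tests whether an object lies under a base DN, comparing attribute names and values case-insensitively as AD does. The DNs used are the ones from the post; the escaped-comma value is constructed.

```python
"""Parse LDAP distinguished names and test which base DN an object falls under.

Added example, not part of the original post.  The escaped-comma DN in the
usage below is constructed; the others are the post's own.
"""


def parse_dn(dn):
    """Return [(attribute, value), ...] ordered from the leaf (leftmost RDN) to the root.
    Attribute names are lower-cased; values keep their case.  A comma preceded by a
    backslash is part of the value, not a separator (RFC 4514 escaping)."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)            # keep the escaped character literally
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    parsed = []
    for rdn in rdns:
        attr, sep, value = rdn.strip().partition("=")
        if not sep:
            raise ValueError(f"RDN without '=': {rdn!r}")
        parsed.append((attr.strip().lower(), value.strip()))
    return parsed


def format_dn(rdns):
    """Re-join RDNs into a DN, escaping commas inside values."""
    parts = []
    for attr, value in rdns:
        parts.append(attr + "=" + value.replace(",", "\\,"))
    return ",".join(parts)


def parent_dn(dn):
    """The container an object sits in: the DN with its leftmost RDN dropped."""
    return format_dn(parse_dn(dn)[1:])


def is_under(dn, base_dn):
    """True if dn is base_dn itself or lies anywhere beneath it."""
    obj = [(a, v.lower()) for a, v in parse_dn(dn)]
    base = [(a, v.lower()) for a, v in parse_dn(base_dn)]
    return len(obj) >= len(base) and obj[len(obj) - len(base):] == base


if __name__ == "__main__":
    joe = "cn=Joe Dirt, ou=Staff, ou=Finance, ou=Dept, ou=UPS, dc=ad, dc=ups, dc=com"
    print(parent_dn(joe))
    for base in ("ou=UPS, dc=ad, dc=ups, dc=com",
                 "ou=Finance, ou=Dept, ou=UPS, dc=ad, dc=ups, dc=com",
                 "ou=Sales, ou=Dept, ou=UPS, dc=ad, dc=ups, dc=com"):
        print(f"{base!r}: {'contains' if is_under(joe, base) else 'does not contain'} Joe")
    # constructed: a common name that itself contains a comma
    print(parse_dn("cn=Dirt\\, Joe,ou=Staff,dc=ups,dc=com")[0])
```

is_under() is the check to run before trusting a search result: a directory query scoped to the Finance base DN should never return an object whose DN fails is_under() for that base, and the escaped-comma case is exactly where a string-based check goes wrong.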

Reference: wiki, forums and various text books

Sunday, June 5, 2011

DHCP IPv4 vs IPv6 : Basic concept

Most of us are familiar with DHCP (Dynamic Host Configuration Protocol). We use it all the time to get an IP address and network configuration for devices like laptops, computers, handheld IP devices, IP TVs and more. It makes our life easy, as we don't have to manually define the IP address for our systems and we also don't have to worry about IP address duplication. DHCP takes care of all of that for us.

We all know that IPv6 is spreading through the Internet and is going to replace IPv4. There is going to be a revolution, and DHCP is one of the affected areas: the architecture of DHCPv4 (for IPv4) and DHCPv6 (for IPv6) is totally different. I will try my best to explain the differences in very easy language.

1. In IPv4 systems, hosts send broadcast traffic requesting an IP address in the hope of getting a reply from the DHCP server, so the network does not know how far to send the request.

But all IPv6 systems support multicasting, and DHCPv6 servers are ready to receive DHCPv6 multicast packets, so the network knows where to send the clients' DHCP requests. (FF02::1:2 is a link-scoped multicast address used by a client to communicate with neighboring, i.e. on-link, relay agents and servers. All servers and relay agents are members of this multicast group.)

[Wireshark capture for DHCPv6: notice the link-scoped multicast address. I intentionally hid the link-local (IPv6) address of my laptop, which acts as the IPv6 host]




2. In IPv4 systems, clients don't have any valid IP address to start with. They use 0.0.0.0 as the initial IP address and send the request (for an IP address and network configuration) as broadcast traffic to 255.255.255.255, in the hope of getting a response from DHCP servers.

(Here is the complete DHCPv4 request-reply exchange in an IPv4 environment, captured by Wireshark using the filter 'bootp'. DHCPv4 uses the BOOTP message format.)



In IPv6 systems, each host has a valid link-local address that can be used to send traffic on the link it is connected to, which makes it possible to send the request to the DHCP server for a REAL address.
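The two points above are visible in the first message each client sends. The script below is an added example in Python, not part of the original post: it builds a DHCPv4 DISCOVER in the BOOTP layout (RFC 2131) and a DHCPv6 SOLICIT (RFC 3315) from constructed bytes, decodes the fields the post talks about (the 0.0.0.0 client address and message type on the IPv4 side, the message type, transaction id and client identifier option on the IPv6 side), and classifies the destination each one is sent to: the limited broadcast 255.255.255.255, versus the link-scoped multicast group ff02::1:2. The transaction ids, MAC address and DUID are constructed sample values.

```python
"""Decode the first DHCPv4 and DHCPv6 client messages and classify their destinations.

Added example, not part of the original post.  Transaction ids, the MAC
address and the DUID used in the usage below are constructed values.
"""
import ipaddress
import struct

BOOTP_HEADER = "!BBBBIHH4s4s4s4s16s64s128s"   # 236 bytes, RFC 2131 fixed fields
DHCPV4_MAGIC = b"\x63\x82\x53\x63"
DHCPV4_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}
DHCPV6_TYPES = {1: "SOLICIT", 2: "ADVERTISE", 3: "REQUEST", 7: "REPLY"}
ALL_DHCP_RELAY_AGENTS_AND_SERVERS = ipaddress.ip_address("ff02::1:2")


def build_dhcpv4_discover(xid, mac):
    """BOOTP header with every address field 0.0.0.0, then magic cookie, option 53, end."""
    zero4 = b"\0" * 4
    header = struct.pack(BOOTP_HEADER,
                         1, 1, 6, 0,             # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
                         xid, 0, 0x8000,         # xid, secs, flags (broadcast bit set)
                         zero4, zero4, zero4, zero4,   # ciaddr, yiaddr, siaddr, giaddr
                         mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return header + DHCPV4_MAGIC + bytes([53, 1, 1]) + b"\xff"


def parse_dhcpv4(packet):
    """Return op, xid, ciaddr and the DHCP message type (option 53)."""
    fields = struct.unpack(BOOTP_HEADER, packet[:236])
    if packet[236:240] != DHCPV4_MAGIC:
        raise ValueError("missing DHCP magic cookie")
    msg_type, i = None, 240
    while i < len(packet) and packet[i] != 0xFF:   # option 255 = end
        if packet[i] == 0:                          # option 0 = pad, no length byte
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        if code == 53:
            msg_type = packet[i + 2]
        i += 2 + length
    return {"op": fields[0], "xid": fields[4],
            "ciaddr": str(ipaddress.ip_address(fields[7])),
            "type": DHCPV4_TYPES.get(msg_type, msg_type)}


def build_dhcpv6_solicit(txid, duid):
    """msg-type (1 byte) + transaction-id (3 bytes) + options as code/len/value TLVs."""
    msg = bytes([1]) + txid.to_bytes(3, "big")
    msg += struct.pack("!HH", 1, len(duid)) + duid          # option 1: Client Identifier
    msg += struct.pack("!HH", 8, 2) + struct.pack("!H", 0)  # option 8: Elapsed Time
    return msg


def parse_dhcpv6(packet):
    """Return msg-type, transaction id and {option code: raw value}."""
    msg_type, txid = packet[0], int.from_bytes(packet[1:4], "big")
    options, i = {}, 4
    while i + 4 <= len(packet):
        code, length = struct.unpack("!HH", packet[i:i + 4])
        options[code] = packet[i + 4:i + 4 + length]
        i += 4 + length
    return {"type": DHCPV6_TYPES.get(msg_type, msg_type), "txid": txid, "options": options}


def describe_destination(addr):
    """Classify the address a first DHCP message is sent to."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return "limited broadcast" if ip == ipaddress.ip_address("255.255.255.255") else "unicast"
    if ip.is_multicast:
        scope = (int(ip) >> 112) & 0xF     # low nibble of the second byte (RFC 4291 section 2.7)
        return "link-local multicast" if scope == 2 else f"multicast scope {scope:x}"
    return "unicast"


if __name__ == "__main__":
    discover = build_dhcpv4_discover(0x3903F326, bytes.fromhex("001122334455"))
    print(parse_dhcpv4(discover), "->", describe_destination("255.255.255.255"))
    solicit = build_dhcpv6_solicit(0xABCDEF, bytes.fromhex("000100011c38250a001122334455"))
    print(parse_dhcpv6(solicit), "->", describe_destination(str(ALL_DHCP_RELAY_AGENTS_AND_SERVERS)))
```

The DHCPv4 client has no source address of its own yet, which is why ciaddr is 0.0.0.0 and the message must go to every host on the link; the DHCPv6 client already holds a link-local address and addresses only the ff02::1:2 group, which servers and relay agents have joined. The same parsers can be pointed at the raw payload of a Wireshark capture to confirm this on your own network.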

There are more to talk... But I have to watch NBA finals: MAVS vs Heat. :D
I will keep on updating this article.


Reference:
http://www.ietf.org/rfc/rfc3315.txt
http://www.isc.org/community/blog/201104/isc-dhcp-and-ipv6-dhcpv6-story
http://en.wikipedia.org/wiki/IPv6#Stateless_address_autoconfiguration

Wednesday, May 25, 2011

Centralized LogServer in SuSE Linux

LogServer: ServerA [IP address: 192.168.1.5]
NetworkServers: ServerB, ServerC... and more

ServerB-------send log files-----> ServerA[LogServer] <-----------send log files---- ServerC

Here we want ServerB and ServerC to send their log messages to ServerA for centralized access to the log files.

Daemon: syslog-ng
Files:
/etc/sysconfig/syslog
/etc/syslog-ng/syslog-ng.conf

Commands:
/etc/init.d/syslog start|restart|stop

ps aux|grep syslog --> to see if syslog-ng is running or not

SuSEconfig --module syslog-ng --> to reload the change done on /etc/syslog-ng/syslog-ng.conf


Configure LogServer i.e ServerA to accept the log files from NetworkServers

Edit /etc/syslog-ng/syslog-ng.conf on ServerA(Log Server)

source src {
#
# include internal syslog-ng messages
# note: the internal() source is required!
#
internal();

#
# the default log socket for local logging:
#
unix-dgram("/dev/log");

#
# uncomment to process log messages from network:
#
udp(ip("0.0.0.0") port(514));
#I uncommented the line above so that ServerA accepts log messages from the network.
#UDP 514 is unauthenticated and accepts datagrams from any address; limit it to the
#server subnet with the host firewall.
};


At the bottom of this file, I defined the destination and log

#
#Added by DShah 05/25/11
#
destination std { file("/var/log/HOSTS/$YEAR-$MONTH/$HOST/$FACILITY-$YEAR-$MONTH-$DAY" owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes));
};

log { source(src);
destination(std);
};

Here I am telling ServerA to write the messages arriving from source src to destination std.
Destination std tells ServerA to save the log messages from each host in a separate directory, /var/log/HOSTS/YEAR-MONTH/hostname/, with one file per facility and day.

Now run the command
#SuSEconfig --module syslog-ng --> to reload the config changes done

#/etc/init.d/syslog restart OR
#syslog-ng restart

#ps aux|grep syslog --> to check if syslog-ng is running

If you need to kill syslog-ng process for any reason, you can simply run the command

#killall syslog-ng
or
#kill -9 [PID-of-syslog-ng]

Configure NetworkServers (Server B, ServerC... ) to send log files to LogServer(ServerA):

Edit /etc/syslog-ng/syslog-ng.conf or /etc/syslog-ng/syslog-ng.conf.in (preferred) on ServerB and ServerC

#
#Added by DShah 05/25/2011
#
destination logserver {
udp("192.168.1.5" port(514));
#Note: here 192.168.1.5 is the IP address of the LogServer, i.e. ServerA
};

log {
source(src);
destination(logserver);
};

Now run the command
#SuSEconfig --module syslog-ng --> to reload the config changes done

#/etc/init.d/syslog restart OR
#syslog-ng restart

#ps aux|grep syslog --> to check if syslog-ng is running


ServerA should be already collecting the log files. You can go to /var/log/HOSTS directory on ServerA to see the log files from different Network Servers.

Illustration with an additional application:
Let's say I want a remote Asterisk server to send its log file /var/log/asterisk/full to the centralized log server.
Edit /etc/syslog-ng/syslog-ng.conf or /etc/syslog-ng/syslog-ng.conf.in (preferred) on the remote Asterisk server

#
# Added by DShah
#
source asterisklog { pipe("/var/log/asterisk/full");
};

destination logserver { udp("192.168.1.5" port(514));
};

log { source(asterisklog); destination(logserver); };


and run the command

#syslog-ng restart

Now please check /var/log/HOSTS , you should see log file from asterisk server.
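To see where the destination template on ServerA will file each message, it helps to decode what arrives on UDP 514. The script below is an added example in Python, not part of the original post or of syslog-ng: it splits the <PRI> prefix of a BSD-syslog datagram (RFC 3164) into facility and severity, reads the timestamp and hostname fields, and expands the same macros the destination above uses ($YEAR, $MONTH, $DAY, $HOST, $FACILITY) into the path ServerA would write to. The datagrams are constructed samples. One defensive choice is mine rather than a claim about syslog-ng's defaults: the hostname comes from the message, so a sender can put anything there, and the path helper refuses values that are not plain DNS labels before using them as a directory name.

```python
"""Decode BSD-syslog datagrams and expand the log server's destination template.

Added example, not part of the original post or of syslog-ng.  The
datagrams are constructed; the hostname check is a defensive choice of
this script, not a description of syslog-ng's own behaviour.
"""
import re
from datetime import datetime

# RFC 3164 facility codes 0-23 (12-15 are rarely used and named generically here)
FACILITIES = (["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
               "uucp", "cron", "authpriv", "ftp"]
              + [f"facility{n}" for n in range(12, 16)]
              + [f"local{n}" for n in range(8)])
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
TEMPLATE = "/var/log/HOSTS/$YEAR-$MONTH/$HOST/$FACILITY-$YEAR-$MONTH-$DAY"

# <PRI>MMM DD HH:MM:SS HOST TAG: MESSAGE
SYSLOG_RE = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

SAMPLE_DATAGRAMS = [
    "<38>May 25 10:15:02 serverb sshd[2114]: Accepted publickey for dshah from 192.168.1.22 port 51234 ssh2",
    "<13>May 25 10:15:07 serverc logger: disk check finished",
    "<30>May 25 10:16:00 ../../etc cron[77]: hostname field is not a label",
]


def parse_syslog(datagram, year=2011):
    """Split one datagram into facility, severity, timestamp, host and message.
    BSD syslog timestamps carry no year, so the caller supplies it."""
    m = SYSLOG_RE.match(datagram)
    if not m:
        raise ValueError(f"not a BSD-syslog datagram: {datagram[:40]!r}")
    pri = int(m.group(1))
    facility, severity = divmod(pri, 8)        # PRI = facility * 8 + severity
    if facility >= len(FACILITIES):
        raise ValueError(f"facility {facility} out of range")
    timestamp = datetime.strptime(f"{year} {m.group(2)}", "%Y %b %d %H:%M:%S")
    return {"facility": FACILITIES[facility], "severity": SEVERITIES[severity],
            "timestamp": timestamp, "host": m.group(3), "message": m.group(4)}


def destination_path(record, template=TEMPLATE):
    """Expand the destination macros for one parsed record.  Returns None when the
    host field is not a plain DNS label, so it is never used as a directory name."""
    host = record["host"]
    if not HOSTNAME_RE.match(host):
        return None
    ts = record["timestamp"]
    values = {"$YEAR": f"{ts.year:04d}", "$MONTH": f"{ts.month:02d}",
              "$DAY": f"{ts.day:02d}", "$HOST": host, "$FACILITY": record["facility"]}
    path = template
    for macro, value in values.items():
        path = path.replace(macro, value)
    return path


if __name__ == "__main__":
    for datagram in SAMPLE_DATAGRAMS:
        rec = parse_syslog(datagram)
        print(f"{rec['host']:12} {rec['facility']}.{rec['severity']:8} -> {destination_path(rec)}")
```

The first two lines land in /var/log/HOSTS/2011-05/serverb/auth-2011-05-25 and /var/log/HOSTS/2011-05/serverc/user-2011-05-25, which is the layout the destination std produces; the third is the kind of message the path helper declines to file.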


If you need any help on Linux/Unix systems, you can email me at erdevendra@gmail.com with subject title rapidtechguide.

For more info: http://www.novell.com/coolsolutions/feature/18044.html
20-minute video on syslog-ng : http://www.balabit.com/network-security/syslog-ng/opensource-logging-system/overview#
syslog-ng to collect Apache logs: http://peter.blogs.balabit.com/2010/02/how-to-collect-apache-logs-by-syslog-ng/

Monday, April 4, 2011

SCREEN command: Handy tool for multi-screen session and remote interaction

Screen is a multi-screen utility that lets a user open multiple windows in a single SSH session and do different tasks in different windows, so the user doesn't need to open multiple SSH sessions. However, you need to learn some keyboard shortcuts.

How to start Screen?
# screen -S mySessionName

e.g screen -S rapidlinux

Common screen commands

screen command Task
Ctrl+a c Create new window
Ctrl+a k Kill the current window / session
Ctrl+a w List all windows
Ctrl+a 0-9 Go to a window numbered 0-9; use Ctrl+a w to see the numbers
Ctrl+a Ctrl+a Toggle / switch between the current and previous window
Ctrl+a S Split terminal horizontally into regions and press Ctrl+a c to create new window there
Ctrl+a :resize Resize region
Ctrl+a :fit Fit screen size to new terminal size. You can also hit Ctrl+a F for the same task
Ctrl+a :remove Remove / delete region. You can also hit Ctrl+a X for the same task
Ctrl+a tab Move to next region
Ctrl+a D (Shift-d) Power detach and logout
Ctrl+a d Detach but keep shell window open
Ctrl-a Ctrl-\ Quit screen
Ctrl-a ? Display help screen i.e. display a list of commands


Play with above listed commands. Once you are comfortable with those commands, let's learn one more thing: REMOTE INTERACTION

Scenario: Let's say you SSHed into your client's machine and the client wants to see what commands you are running. You can do that via SCREEN :)

1. SSH into client's machine with your support user ID on client's machine.
e.g #ssh rapidsupport@client.machine

2. Run Screen command with session name
e.g #screen -S rapidsupportSession

3. You have to allow multiple user access in screen session. So, Press Ctrl + a followed by :multiuser on

4. You have to grant permission to client to access your screen session. So, Press Ctrl + a followed by :acladd clientname where clientname is the client's user ID

5. Now client can connect to your screen session using the command syntax #screen -x username/session

e.g #screen -x clientname/rapidsupportSession

6. Now your screen is shared with your client.


Done!!!!

Let's say your client's machine is behind NAT (i.e. the client's machine doesn't have a public IP) and you want to provide remote support to your client. Your workstation needs a public IP address for this to work.

We can use Reverse SSH to achieve that.

To permit you to access your client's machine through Reverse SSH (Secure Shell protocol), client should execute the following command as root user (superuser) on his machine:

Example:

#ssh -fN -R 5099:localhost:22 rapidsupport@public-ip-address-of-rapidsupport -p 443

where rapidsupport is a user ID on your workstation

If successful, this command will set up an SSH tunnel between client's machine and rapidsupport's workstation, and will display a new command-line prompt on your server.

Note: This method of connecting is called "reverse" SSH because the connection is initiated from client's machine, not from rapidsupport.

Now rapidsupport can SSH into the client's machine using credentials for the client's machine:

#ssh localhost -p 5099



For more:

http://www.linux.com/archive/feed/56443
http://www.cyberciti.biz/tips/linux-screen-command-howto.html