Articles

QuickBooks 2011 installation Error 1920 on Windows XP

I received the following error while installing QuickBooks 2011 on Windows XP.

Error 1920: Service Intuit QuickBooks FCS (QBFCService) failed to start.

The service that was failing to start was actually “QBIDPService” (aka QBVSS). I tried to start the service manually via Windows Services (services.msc) but received a timeout error. I spent a while trying to figure out why the service wouldn’t start, but gave up once I realized that the service is only used for the Intuit Data Protection (online backup) feature.

I ended up replacing the “.exe” file for the offending service with a service that can start successfully. This effectively replaces the Intuit Data Protection service, so this is ONLY recommended if you do not plan to use the Intuit Data Protection (aka Online Backup) feature. Intuit will have to help you fix their DP service if you need to use their online backups.

Download “rfc868time-1.5.exe” from the following website…
http://unixwiz.net/tools/rfc868time.html

Replace the offending service with this small RFC868 time service.

cd C:\Program Files\Common Files\Intuit\DataProtect\
move QBIDPService.exe QBIDPService.exe.orig
copy rfc868time-1.5.exe QBIDPService.exe

This service opens port 37/tcp, so be sure to block this port if you don’t actually need the time service. You can also disable the service by opening Windows Services (Start, Run and execute “services.msc”), finding “QBIDPService” and changing the startup type from “Automatic” or “Manual” to “Disabled” to keep the service from running.

Once you’ve replaced the service, you should be able to start the service via Windows Services or by running the following command.

sc start qbvss

HTH, Jason

Moving a Windows 2000 (win2k) Physical Computer to a Xen 3.0.3 DomU running on CentOS 5.x or RHEL5

This article describes how to successfully migrate a physical host running Windows 2000 to a Xen 3.0.3 DomU. The Xen Dom0 is running Linux CentOS 5.2 on Intel Xeon CPUs with VT extensions. Other online discussions and examples led me to believe this would NOT work unless I was using Xen 3.0.4 or later. The process was fairly simple. The process works with Windows 2000 Professional as well as Windows 2000 Server variants.

IMPORTANT: I assume you can already create and view other DomU virtual hosts on your Xen server. I also assume you are using a system that supports Intel-VT extensions and that those extensions are properly enabled. Keep in mind that the CPU, the motherboard, and the BIOS all need to support VT extensions. You may also need to enable VT extensions within your BIOS.

First, prep your server as per Microsoft KB 314082. You will save the entire block of registry changes into a “.reg” file and merge it with your own registry so that Win2K will recognize your Xen IDE adapter. You will extract the IDE related driver files that they list (Atapi.sys, Intelide.sys, Pciide.sys, and Pciidex.sys) into “system32\drivers\”. I installed a barebones Win2K PRO test DomU before spending a lot of time attempting a migration, so I simply copied the listed driver files from that working DomU to the physical system we were about to migrate. I only copied files that did not already exist. I did not overwrite any existing files.

Second, you will want to copy each hard disk in your WIN2K system to an image of equal size. Our WIN2K system had a 20GB hard disk, which we cloned to a 20GB image file on the Xen server. If your WIN2K system has large disks and a lot of unnecessary disk space (ie: 500GB, of which 450GB is free), consider using some sort of tool to migrate the system to a smaller disk (ie: 100GB, of which 50GB would be free) before proceeding. Otherwise, the disk image you copy to your Xen server will be wasting a lot of space!

Our system had a single hard disk, so we only had to create one image using the command below. Repeat this for each hard disk in your system. In our example below, the hard disk from the original system was presented as “/dev/hde”, and the image was saved to “/vservers/win2k-example/win2k.img”. Adjust your paths accordingly. Copying our 20GB disk to an image took just over 10 minutes.

[sourcecode language="bash"]
time dd if=/dev/hde of=/vservers/win2k-example/win2k.img bs=4k
[/sourcecode]
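As an added pre-flight script (constructed for this page, not part of the article), the following checks for the VT flag that the IMPORTANT note above depends on and wraps the dd clone so that the finished image is verified against the source disk's size before you build a DomU on it. The disk and image paths are parameters of this example rather than the article's /dev/hde and /vservers path.

```shell
#!/bin/sh
# Added example (not from the article): pre-flight checks around the dd clone step.

# has_vt_flags: read /proc/cpuinfo-style text on stdin; succeed if the CPU advertises
# Intel VT-x (vmx) or AMD-V (svm), which an HVM DomU such as Windows 2000 requires.
has_vt_flags() {
    grep -E '^flags[[:space:]]*:' | grep -Eq '(^|[[:space:]])(vmx|svm)([[:space:]]|$)'
}

# size_bytes PATH: byte length of a block device or a regular file.
size_bytes() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# clone_disk SRC IMG: copy SRC to IMG with dd exactly as the article does, but refuse to
# overwrite an existing image and verify afterwards that IMG is exactly SRC's size.
clone_disk() {
    src="$1"; img="$2"
    [ -e "$img" ] && { echo "refusing to overwrite $img" >&2; return 1; }
    dd if="$src" of="$img" bs=4k 2>/dev/null || return 1
    [ "$(size_bytes "$src")" -eq "$(size_bytes "$img")" ]
}

# Stand-alone use: sh clone.sh --run /dev/hde /vservers/win2k-example/win2k.img
if [ "${1:-}" = "--run" ]; then
    has_vt_flags < /proc/cpuinfo || echo "warning: no vmx/svm flag in /proc/cpuinfo" >&2
    clone_disk "${2:?source disk}" "${3:?image path}" && echo "clone verified"
fi
```

The size comparison is a cheap sanity check that catches a dd interrupted by a read error or a full filesystem on the Dom0; it does not replace a byte-for-byte cmp if you have the time for one.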

Lastly, we will create the file containing settings for this DomU. Our file was located at “/etc/xen/win2k-example” and had the following contents. I’m not sure that all of these settings are relevant, but this working config should give you a good starting point.

[sourcecode language="bash"]
import os, re
arch = os.uname()[4]
if re.search('64', arch):
    arch_libdir = 'lib64'
else:
    arch_libdir = 'lib'

kernel = "/usr/lib/xen/boot/hvmloader"
builder='hvm'

memory = 512
shadow_memory = 8
name = "win2k-example"
vif = [ 'type=ioemu, bridge=xenbr0' ]

vcpus=1
disk = [ "file:/vservers/win2k-example/win2k.img,hda,w", "phy:/dev/hda,hdc:cdrom,r" ]

vnc = 1
vncunused = 1
vncconsole=1

boot="dc"
#boot="c"

acpi = 1
apic = 1
device_model = '/usr/' + arch_libdir + '/xen/bin/qemu-dm'
stdvga=0
serial='pty'

usbdevice='tablet'
[/sourcecode]

Now we can boot our new Windows 2000 DomU virtual host. Be prepared to reconfigure TCP/IP settings for your “new” network card and to resolve other driver issues after the migration.

[sourcecode language="bash"]
xm create win2k-example
[/sourcecode]

2008/09/14 – Jason Klein

Using BackupPC with mobile Windows XP clients via OpenVPN and Cygwin Rsync Server

BackupPC assumes your mobile hosts will occasionally visit your network and allows backup of those hosts while they are on your local network. But what if you need to backup mobile Windows hosts that NEVER connect to your BackupPC LAN? We will use OpenVPN to build a VPN connection between the client and the BackupPC server. We will configure the BackupPC server to backup via an Rsync Server on the BackupPC client. This solution is working well for several remote PCs (Windows XP) and Servers (Windows 2000).

Due to the nature of mobile users, the BackupPC server may not be able to reliably locate and connect to the SSH service on these PCs. Besides, numerous users have reported problems with BackupPC via SSH, due to an alleged bug in the Cygwin SSH server. If your Windows PC is accessible via SSH, running BackupPC via rsync over an SSH tunnel works fine. Simply write pre-backup and post-backup scripts to initiate an SSH tunnel and tear down the SSH tunnel when you are finished.

I have found that using a combination of OpenVPN and Cygwin Rsync Server works well when performing backups of mobile Windows PCs. We use OpenVPN to maintain a secure connection between the PC and the BackupPC server. We then configure BackupPC to connect to the Rsync Server on the Windows PC via the VPN connection. The ONLY problem we have had with this is reminding users to make sure their OpenVPN connection is always working. The Windows GUI for OpenVPN does not always automatically reconnect to the BackupPC server between suspend-power operations on laptops. It generally does fine between reboots, though.

The documentation below assumes you are already successfully using BackupPC to backup local hosts. The documentation does not cover installation or configuration of BackupPC for local hosts.

Preparing SSL Certificates for OpenVPN server

OpenVPN requires one SSL certificate for your OpenVPN server and one SSL certificate for each OpenVPN client. We will assume you do not already have a public key infrastructure in place. We will begin by creating a Certificate Authority (CA) key, then we will create a key for the server (signed by CA key) and a key for the first client (also signed by the CA key). You will need to create an additional key for each additional client.

NOTE: If you are managing a large number of hosts, you should replace the example common names and file names with actual hostnames for the BackupPC server (ie: backuppc.example.com) and each BackupPC client (ie: laptop3241.example.com). This will make it much easier for you to manage a large number of certificates.

[sourcecode language="bash"]
# Create a directory for storing your certificates
mkdir /opt/ssl
chmod 700 /opt/ssl
cd /opt/ssl

# Generating Certificate Authority Keys (Common Name: "ca")
openssl genrsa -des3 -out ca.key 1024
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

# Generating OpenVPN Server Keys (Common Name: "server")
# "req -new" without -key writes a passphrase-protected privkey.pem; the "rsa" step strips it
openssl req -new -out server.csr
openssl rsa -in privkey.pem -out server.key
openssl ca -policy policy_anything -cert ca.crt -in server.csr \
-keyfile ca.key -days 365 -out server.crt

# Generating OpenVPN Client Keys (Common Name: "client1")
openssl req -new -out client1.csr
openssl rsa -in privkey.pem -out client1.key
openssl ca -policy policy_anything -cert ca.crt -in client1.csr \
-keyfile ca.key -days 365 -out client1.crt
[/sourcecode]
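The same CA, server and client1 issuance as an added, scriptable example (constructed for this page, not the article's own commands): it answers no prompts, and it ends with a check that each certificate chains to the CA and carries the Common Name that the ccd/ file and /etc/hosts entry later in the article must match. Its differences from the article are assumptions of this example: 2048-bit keys, signing with "openssl x509 -req" (which needs no CA database, unlike "openssl ca"), and an unencrypted CA key held at mode 0600 instead of a -des3 passphrase.

```shell
#!/bin/sh
# Added example (not from the article): non-interactive OpenVPN PKI plus verification.

# make_pki DIR: create ca.key/ca.crt, server.key/server.crt, client1.key/client1.crt in DIR.
make_pki() (
    set -e
    dir="$1"
    mkdir -p "$dir" && chmod 700 "$dir" && cd "$dir"
    # CA key and self-signed certificate (CN=ca); for production add -aes256 to genrsa
    openssl genrsa -out ca.key 2048 2>/dev/null
    chmod 600 ca.key
    openssl req -new -x509 -days 3650 -key ca.key -out ca.crt -subj "/CN=ca" 2>/dev/null
    # One key, CSR and CA-signed certificate per end entity. The CN is the name OpenVPN
    # later uses to pick the ccd/ file, so it must equal the client's hostname.
    for cn in server client1; do
        openssl genrsa -out "$cn.key" 2048 2>/dev/null
        chmod 600 "$cn.key"
        openssl req -new -key "$cn.key" -out "$cn.csr" -subj "/CN=$cn" 2>/dev/null
        openssl x509 -req -in "$cn.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
            -days 365 -out "$cn.crt" 2>/dev/null
    done
)

# cert_cn DIR NAME: print the Common Name of DIR/NAME.crt (e.g. "client1").
cert_cn() {
    openssl x509 -in "$1/$2.crt" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# check_cert DIR NAME: succeed only if DIR/NAME.crt chains to DIR/ca.crt and its CN is NAME.
check_cert() {
    openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1 || return 1
    [ "$(cert_cn "$1" "$2")" = "$2" ]
}
```

Run check_cert against every client certificate you hand out: a certificate that verifies but whose CN does not match its ccd/ file name will connect, get a dynamic address from the pool instead of its ifconfig-push pair, and then be unreachable at the IP BackupPC has on record.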

Install and Configure OpenVPN on the BackupPC server

[sourcecode language="bash"]
cd /opt/
wget http://dag.wieers.com/packages/openvpn/openvpn-2.0.7-1.el4.rf.i386.rpm
wget http://dag.wieers.com/packages/lzo/lzo-1.08-4.2.el4.rf.i386.rpm
rpm -ivh lzo-1* openvpn*

cd /etc/openvpn/
vi server.conf
cp /opt/ssl/ca.crt .
cp /opt/ssl/server.crt .
cp /opt/ssl/server.key .
openssl dhparam -out dh1024.pem 1024

chkconfig openvpn on
service openvpn restart
[/sourcecode]

If you are running an iptables firewall, you must accept OpenVPN traffic (1194/udp) on the BackupPC server. Edit your iptables script and add the rule shown below right above or right below similar UDP rules. Afterwards, restart iptables to force the changes to take effect.

[sourcecode language="bash"]
vi /etc/sysconfig/iptables
-A RH-Firewall-1-INPUT -p udp -m udp --dport 1194 -j ACCEPT

service iptables restart
[/sourcecode]

Install and Configure OpenVPN on the BackupPC client

Download and install the newest Windows OpenVPN GUI package with TAP interface from the following website. During installation, accept all of the default options. You MUST reboot after installation, or else the VPN connections will not work properly. When you are finished, you should have a new OpenVPN GUI icon in your tray and a new TAP interface in your list of Network Connections.

Website Link: http://openvpn.se/

For this example, we used OpenVPN 2.0.9 GUI 1.0.3. We provided a link to the version we used for this example, but highly recommend installing the latest version once you have things up and running!

Download Link: http://openvpn.se/files/install_packages/openvpn-2.0.9-gui-1.0.3-install.exe

COMMON PROBLEM: The TAP interface does not appear in your Network Connections. If this happens, your registry is missing one of the following keys/folders that is required for TAP interface installation (who knows why, it doesn’t appear to be used). Simply create an empty key/folder in its place, then uninstall OpenVPN, then reinstall OpenVPN.

[sourcecode language="bash"]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[/sourcecode]

After installing the OpenVPN GUI, you need to copy several files to the following directory. Be sure to rename the client files to client.crt and client.key. This allows you to use the same OpenVPN config file (.ovpn) on each mobile computer.

[sourcecode language="bash"]
C:\Program Files\OpenVPN\config\

ca.crt # copied from /opt/ssl/ca.crt on your BackupPC server
client.crt # copied from /opt/ssl/client1.crt on your BackupPC server
client.key # copied from /opt/ssl/client1.key on your BackupPC server
server.ovpn # download via link below
[/sourcecode]

Download Link: server.ovpn

You must edit “server.ovpn” and change “backuppc.example.com” (see line 41) to the actual hostname of your BackupPC server. Your mobile PCs should be able to PING the BackupPC server via this hostname.

FIREWALL NOTE: If you are using firewall(s), you will need to allow OpenVPN traffic (1194/udp) from the mobile PCs to the server. Be sure to update firewalls that may restrict outbound traffic on the mobile PC network as well as firewalls that may restrict incoming traffic on the BackupPC server network. Most importantly, be sure to update your host based firewall on your BackupPC server so that it does not block these incoming connections. An example for updating the iptables firewall running on your BackupPC server was shown above.

When you are finished, you should be able to ping your BackupPC server (10.8.0.1) from your BackupPC client. You should also be able to ping your BackupPC client from your BackupPC server. The IP address assigned by the VPN should appear in a balloon popup window when your OpenVPN GUI tray icon changes to a green color.

NOTE: If you can ping the server from the client, but not vice-versa, check your Windows Firewall. You may need to allow Incoming Echo Requests under ICMP Settings on the Advanced firewall configuration tab.

Configure OpenVPN to Start Connection Automatically

OpenVPN GUI can start a connection automatically when it runs. To enable autoconnect simply add this string to the command that starts the OpenVPN app:

[sourcecode language="bash"]
--connect client1.ovpn
[/sourcecode]

On Windows, append it to the command stored in the following registry value, or download and run OpenVPN-Startup.reg (right-click, save, and run).

[sourcecode language="bash"]
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"openvpn-gui"="C:\\Program Files\\OpenVPN\\bin\\openvpn-gui.exe --connect client1.ovpn"
[/sourcecode]

Change client1 as needed for the name of each client config file.

Configure OpenVPN server Static IP for “client1” (first client)

You must assign a static IP address to each VPN client so that the BackupPC server can locate the correct client each time it performs a backup of the client.

[sourcecode language="bash"]
cd /etc/openvpn/
vi ccd/client1 # file name MUST match the Common Name on client SSL certificate
ifconfig-push 10.9.0.1 10.9.0.2

vi /etc/hosts # hostname MUST match the Common Name on client SSL certificate
10.9.0.1 client1
[/sourcecode]

Configure OpenVPN server Static IP for “client2” (additional clients)

Routing for the first client’s static IP block was already configured in server.conf. You must configure routing for each new static IP block as shown below.

[sourcecode language="bash"]
cd /etc/openvpn/
vi ccd/client2 # file name MUST match the Common Name on client SSL certificate
ifconfig-push 10.9.0.5 10.9.0.6

vi server.conf # configure routing for new static IP (near similar line 152)
route 10.9.0.4 255.255.255.252

vi /etc/hosts # hostname MUST match the Common Name on client SSL certificate
10.9.0.5 client2
[/sourcecode]
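The two client blocks above are instances of one rule: OpenVPN 2.0's net30 topology gives every client its own /30, so client N owns the /30 starting at 4*(N-1), with the client at +1 and the server end at +2 (client1: 10.9.0.1/10.9.0.2, client2: 10.9.0.5/10.9.0.6 with route 10.9.0.4/30). The following added example (constructed for this page, not from the article) computes that pair for any N and writes the ccd file, the route line and the hosts entry the article edits by hand; the 10.9.0.0/24 pool and the config directory argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the article): net30 address assignment for the Nth VPN client.

POOL="10.9.0"   # assumed /24 used for the client /30 blocks

# ccd_pair N: print "CLIENT_IP SERVER_IP SUBNET" for the Nth client (1-based).
# Each net30 client consumes four addresses; the usable pair is offsets +1 and +2.
ccd_pair() {
    n="$1"
    base=$(( (n - 1) * 4 ))
    [ "$n" -ge 1 ] && [ "$base" -le 252 ] || return 1   # at most 64 clients in one /24
    echo "$POOL.$((base + 1)) $POOL.$((base + 2)) $POOL.$base"
}

# add_client DIR N NAME: write DIR/ccd/NAME, add the /30 route to DIR/server.conf and
# the hostname to DIR/hosts. NAME must equal the CN on the client's certificate.
add_client() {
    dir="$1"; n="$2"; name="$3"
    pair=$(ccd_pair "$n") || return 1
    set -- $pair
    client="$1"; server="$2"; net="$3"
    mkdir -p "$dir/ccd"
    printf 'ifconfig-push %s %s\n' "$client" "$server" > "$dir/ccd/$name"
    # idempotent: append the route and host lines only if they are not already present
    grep -qx "route $net 255.255.255.252" "$dir/server.conf" 2>/dev/null \
        || printf 'route %s 255.255.255.252\n' "$net" >> "$dir/server.conf"
    grep -q "[[:space:]]$name\$" "$dir/hosts" 2>/dev/null \
        || printf '%s %s\n' "$client" "$name" >> "$dir/hosts"
}

# Stand-alone use against the real directories: add_client /etc/openvpn 3 client3
```

Keeping N unique per client is what prevents two ccd files from pushing the same pair; if you retire a client, leave its N unused rather than reassigning it, so a stale certificate cannot reappear at another host's address.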

Download Link: server.conf

Install and Configure Cygwin Rsync Server on the BackupPC client

CYGWIN NOTE: If you are only using Cygwin to run an Rsync Server on your client PC, then you can use the standalone installation package for the Cygwin Rsync Server below. If you are using other Cygwin items on the client PC, you need to install the Rsync Server through the standard Cygwin setup menu. We will assume no other Cygwin software is installed.

Download and install the newest Cygwin Rsync Server (cwRsync Server) package from the following website. During installation, accept all of the default options. You can ignore the service account password. No need to reboot after installation. When you are finished, confirm that you have a new Rsync Server service in your list of Windows Services. Configure the service for “automatic” startup rather than “manual” startup.

Website Link: http://www.itefix.no/phpws/

For this example, we used Cygwin Rsync Server 2.0.10. We provided a link to the version we used for this example, but highly recommend installing the latest version once you have things up and running!

Download Link: http://superb-west.dl.sourceforge.net/sourceforge/sereds/cwRsync_Server_2.0.10_Installer.zip

COMMON PROBLEM: The “Rsync Server” service would not appear in the service list. Conflicting versions of Cygwin software on a system WILL cause you problems, so uninstall other Cygwin software packages if possible. We had to uninstall older Cygwin-based SSH tools we previously used to backup these Windows PCs before we could successfully install a working copy of the Cygwin Rsync Server.

After installing the Cygwin Rsync Server, you need to copy several files to the following directory. I recommend you generate a new random password for the rsyncd.secrets file on each client computer. Each line of the rsyncd.secrets file contains a valid username/password for the Rsync Server.

[sourcecode language="bash"]
C:\Program Files\cwRsyncServer\

rsyncd.conf # downloaded via link below
etc\rsyncd.secrets # downloaded via link below
[/sourcecode]

Download Link: rsyncd.conf
Download Link: rsyncd.secrets

After you have finished configuring rsync (above), start/restart the Rsync Server service. You can do this through Windows Services or by using the following commands.

[sourcecode language="bash"]
net stop rsyncserver
net start rsyncserver
[/sourcecode]

NOTE: You can confirm that the Rsync Server is running via “netstat -an” and confirming that TCP port 873 is LISTENING. You can also confirm that the Rsync Server is running via “telnet localhost 873” which should show you “@RSYNCD: 29” (press CTRL+] to exit, then type “quit” to close telnet). If either of these tests fail, restart Rsync Server and test again.

You should be able to connect to the Rsync Server from the BackupPC server over the VPN. If you cannot, you will need to allow an exception for “Rsync Server” port “873” protocol “TCP” in your Windows Firewall.

[sourcecode language="bash"]
[root@backuppc backuppc]# telnet 10.9.0.1 873
Trying 10.9.0.1...
Connected to client1 (10.9.0.1).
Escape character is '^]'.
@RSYNCD: 29
[/sourcecode]

Once you have confirmed you can connect to the Rsync Server on the Windows client from the BackupPC server, you can configure client backups on the BackupPC server.

Configure client on the BackupPC server

Edit the following files within your BackupPC directory.

[sourcecode language="bash"]
conf/hosts # add host entry similar to example below.
pc/client1/config.pl # downloaded via link below

Example Host Entry:
client1 0 admin@example.com client1user
[/sourcecode]

Download Link: config.pl

You must update the client IP address in config.pl (line 8, line 16) to reflect the VPN address you assigned to the client. BackupPC will connect to the Rsync Server on this IP address.

You must update the client password in config.pl (line 19) to reflect the password you assigned in “rsyncd.secrets” file.

NOTE: Use WordPad to edit these files (not NotePad). Be sure that you have several blank lines at the end of your “rsyncd.secrets” file. Due to a bug with the Cygwin Rsync Server, it cannot read a username/password pair if it is in the last line of the secrets file.

Afterwards, reload the BackupPC server so that it will read these new configuration settings.

[sourcecode language="bash"]
[root@backuppc pc]# service backuppc reload
[/sourcecode]

The new client should appear in your BackupPC interface and can now be backed up!

2006/12/01 – Jason Klein

Configuring Sipura SPA-3000 as trunk within Asterisk VoIP PBX Server

This article describes how I successfully configured the Sipura SPA-3000 (fw 2.0.13) for use as a single line inbound/outbound trunk within Asterisk at Home (asterisk 1.2.1). Unlike the other examples I found, this configuration is fairly simple and does NOT require configuration of special extensions, etc. This configuration should be fairly secure, but any suggestions and/or feedback are very welcome!

When incoming calls are received by the SPA-3000, they are forwarded to the Asterisk PBX with CALLER ID information and can be routed like any other POTS trunk (ie: as per Incoming Calls config and/or Inbound Routing config by CID). When outgoing calls are placed through the SPA-3000, this device dials the number and connects the call. The person making the call WILL hear the DTMF tones (aka touch tones) that are dialed by the SPA-3000 just before the call is connected. I have not been able to find a way of preventing this (yet).

Configuring Trunk within Asterisk PBX using AMP

Login to AMP (Asterisk Management Portal). Navigate to Setup, Trunks, and choose “Add SIP Trunk”.

General Settings

[sourcecode language="bash"]
Outbound Caller ID: (leave blank - cannot be used by POTS line)
Maximum Channels: 1 (required - see note below)
[/sourcecode]

NOTE: Each SPA-3000 supports a single channel. You need to setup multiple trunks for multiple SPA-3000 devices.

Outgoing Dial Rules

[sourcecode language="bash"]
Dial Rules:
1+NXXNXXXXXX ; prefix 10 digit dialing with "1"
1NXXNXXXXXX ; allow all 11 digit dialing as-is
NXXXXXX ; allow all 7 digit dialing as-is
[/sourcecode]

Outgoing Settings

[sourcecode language="bash"]
Trunk Name: pstn_spa01

Peer Details:
auth=md5
context=from-pstn
dtmfmode=inband
fromuser=asterisk
host=10.10.10.21 ; IP address of SPA device
insecure=very
nat=yes ; omit if no NAT exists between PBX and SPA
port=5061
secret=012345678901
type=peer
username=asterisk
[/sourcecode]

Incoming Settings

[sourcecode language="bash"]
User Context: spa01

User Details:
allow=ulaw
context=from-pstn
disallow=all
dtmfmode=inband
host=10.10.10.21 ; IP address of SPA device
insecure=very
nat=yes ; omit if no NAT exists between PBX and SPA
secret=KzBTALezmG1a
type=friend
[/sourcecode]

Registration

[sourcecode language="bash"]
Register String: ; omit - not necessary to register w/ SPA device?
[/sourcecode]

Configuring Outbound Routing within Asterisk PBX using AMP

Login to AMP (Asterisk Management Portal). Navigate to Setup, Outbound Routing, and choose “Add Route”.

Add Route

[sourcecode language="bash"]
Route Name: ; user preference, avoid special characters here?
pstnspa1

Dial Patterns: ; dial 5 plus 11 digit, 10 digit, and 7 digit numbers
; omit each "5|" to use trunk without dialing prefix
5|1NXXNXXXXXX ; accept 5 + 11 digit dialing
5|NXXNXXXXXX ; accept 5 + 10 digit dialing
5|NXXXXXX ; accept 5 + 7 digit dialing

Trunk Sequence: ; add each available SPA-3000 trunk
SIP/pstn_spa01
SIP/pstn_spa02
SIP/pstn_spa03
[/sourcecode]

Configuring the Sipura SPA-3000

The following example only illustrates changes to default settings. Start by performing a factory reset of your SPA-3000. Connect a handset to the PHONE jack on the SPA-3000 and dial “****” to access the configuration menu, then dial “73738#” (aka “RESET#”) to perform a factory reset.

Login to the web interface of your SPA-3000, click “Admin”, then click “Advanced”. Configuration changes for each tab/page are shown below.

SYSTEM

[sourcecode language="bash"]
USER PASSWORD: secretpwd ; secures the SPA web interface
; username 'user' or 'admin'?

DHCP: no ; recommend static ip address
STATIC IP: 10.10.10.21
NETMASK: 255.255.255.240
GATEWAY: 10.10.10.30

HOSTNAME: voip-spa1 ; optional
DOMAIN: example.net ; optional
PRIMARY DNS: 10.10.10.2 ; optional
SECONDARY DNS: 10.10.10.3 ; optional
PRI NTP: ntp1.example.net ; optional
SEC NTP: ntp2.example.net ; optional
[/sourcecode]

SIP

[sourcecode language="bash"]
RTP Packet Size: 0.020 ; improves sound quality (was 0.030)?
[/sourcecode]

REGIONAL

[sourcecode language="bash"]
TIME ZONE: GMT-05:00 ; Central Time Zone
[/sourcecode]

PSTN LINE

[sourcecode language="bash"]
NAT Mapping Enable: yes ; only change if NAT exists between PBX and SPA
NAT Keep Alive Enable: yes ; only change if NAT exists between PBX and SPA

PROXY: 10.10.10.24 ; IP address of Asterisk PBX
USE OUTBOUND PROXY: yes
REGISTER: no
REGISTER EXPIRES: 3600
MAKE CALL W/O REG: yes
ANSW CALL W/O REG: yes

DISPLAY NAME: ; leave blank
USER ID: 3501 ; optional?
PASSWORD: ; leave blank

DTMF Process INFO: Yes ; default value
DTMF Process AVT: No ; resolve issues with DTMF
DTMF Tx Method: Auto ; default value

DIAL PLAN 8: (S0<:s@10.10.10.24:5060>)
; forwards incoming PSTN calls to PBX
; resolve issues with DTMF

VOIP-TO-PSTN GW ENABLE: yes
VOIP CALL AUTH METHOD: http digest
ONE STAGE DIALING: yes
LINE1 VOIP CALLER DP: none
VOIP CALLER DEFAULT DP: none
LINE1 FALLBACK DP: none

VOIP USER 1 AUTH ID: asterisk
VOIP USER 1 DP: none
VOIP USER 1 PASSWORD: 012345678901

PSTN-TO-VOIP GW ENABLE: yes
PSTN CALL AUTH METHOD: none
PSTN RING THRU LINE 1: no ; incoming calls do not ring LINE1
PSTN CID FOR VOIP CID: yes
PSTN CALLER DEFAULT DP: 8

PSTN ANSWER DELAY: 5 ; answer incoming PSTN call in X sec
; need to allow time for CALLER ID
; if no CID, you can safely set to 0
; was set to 16
[/sourcecode]

Note regarding FAX transmissions

We have not been able to successfully receive fax transmissions using this configuration, but not for lack of trying. We were also attempting to use a Digium TDM card to accept faxes for a while, with mixed results. We finally concluded that faxing capabilities of Asterisk were not reliable enough for production. Rather than moving to an Asterisk Fax solution, we moved from our older *NIX fax server to an online fax provider who accepts our faxes and forwards them as PDF images.

2006/10/15 – Jason Klein

Patching OneOrZero Helpdesk Software (PHP/MySQL) to Support Multiple LDAP Base DN records in Novell NDS

This article demonstrates a working configuration of OneOrZero helpdesk that was setup to authenticate to Novell NDS via LDAP. I wrote a simple patch for OneOrZero that is designed to accept multiple Base DN records and search through each record for the requested username (uid).

Configuring OneOrZero to Authenticate to Novell NDS via LDAP

First, I should describe the customer’s tree. When viewing the tree from within Console One, I see something similar to the following:

[sourcecode language="bash"]
NDS
  ROOTNAME
    Container1
      User1
    Container2
      User2
      User3
      User4
    Container3
      User5
      User6
[/sourcecode]

Unfortunately, OneOrZero is not compatible with this tree design. Instead, OneOrZero expects a tree design similar to the following. While the following is the recommended way of configuring an NDS tree, I occasionally see trees structured without a Base Container.

[sourcecode language="bash"]
NDS
  ROOTNAME
    BaseContainer
      Container1
        User1
      Container2
        User2
        User3
        User4
      Container3
        User5
        User6
[/sourcecode]

Here is the LDAP portion of the configuration file (configuration/website_settings.php) for the first example. This configuration should work for anyone using Novell eDirectory 8.7 with modifications only to ‘ldap_host’ and ‘ldap_rootdn’. This configuration does not require an ‘ldap_domain’ since this setting is only required for Active Directory. This config does not require an ‘ldap_binddn’ or an ‘ldap_bindpwd’ since these settings are not required for anonymous binding to the LDAP directory. If the tree had been created with a base container as shown in the second NDS example, I would change the ‘ldap_rootdn’ from ‘o=container1’ to ‘o=basecontainer’.

[sourcecode language="bash"]
auth_method = "LDAP"
ldap_host = "10.128.1.1"
ldap_domain = ""
ldap_binddn = ""
ldap_bindpwd = ""
ldap_rootdn = "o=container1"
ldap_searchattr = "uid"
ldap_fname = "givenname"
ldap_lname = "sn"
ldap_uname = "uid"
ldap_email_add = "mail"
ldap_office = "l"
ldap_phone = "telephonenumber"
ldap_context = "dn"
[/sourcecode]

Patching OneOrZero to Search for Username in Multiple Root DN records

When using a tree structure similar to the first NDS example, this configuration will only allow users within Container1 to access the OneOrZero helpdesk website. I have written the following patch (for common/common.php) that will allow OneOrZero to accept multiple ‘ldap_rootdn’ records and will search through each Root DN for the username that is attempting to authenticate.

[sourcecode language="bash"]
[root@web html]# diff common/common.php common/common.php.orig
167,186d166
< // 2006-07-25 : dni/jrk
< // OoZ Patch : Support for multiple Root DN records, separated by ";" delimiter
< // without modifying existing lines of code. Could do better job of recycling
< // data retrieved from LDAP. We currently discard data and query a second time
< // using the original code to search the correct Base DN.
<
< // If delimiter ";" exists in 'ldap_rootdn' setting, search for username in each DN
< if ( strpos($ldap_rootdn , ";") ) {
< $ldap_rootdn_recs = explode(";",$ldap_rootdn);
< foreach( $ldap_rootdn_recs as $ldap_rootdn ) {
< $sr = ldap_search($ldapconn, $ldap_rootdn, $filter, $justthese);
< $info = ldap_get_entries($ldapconn, $sr);
< if ( (!(!sr)) && ($info["count"] > 0) ) {
< // Username exists in current DN. Stop searching and use this DN.
< break;
< }
< }
< }
< unset( $sr , $info , $ldap_rootdn_recs , $ldap_rootdn_rec );
<
[/sourcecode]

The diff above shows that the following lines were added to common.php starting at line 167. If you back up your common.php file and run a similar diff command after patching the file, you should receive similar output.

The LDAP section of the OneOrZero configuration was changed as follows to provide multiple Root DN records. When used in conjunction with the patch shown above, this new setting will cause OneOrZero to search for the username within each container listed (Container1, Container2, Container3, etc). Although the containers could be listed in any order, you should list containers with the most users first (for performance reasons), since the containers will be searched in the order listed until a username is found.

[sourcecode language="bash"]
auth_method = "LDAP"
ldap_host = "10.128.1.1"
ldap_domain = ""
ldap_binddn = ""
ldap_bindpwd = ""
ldap_rootdn = "o=container2;o=container3;o=container1"
ldap_searchattr = "uid"
ldap_fname = "givenname"
ldap_lname = "sn"
ldap_uname = "uid"
ldap_email_add = "mail"
ldap_office = "l"
ldap_phone = "telephonenumber"
ldap_context = "dn"
[/sourcecode]

LDAP Agent for Novell eDirectory 8.7.3.7 (10554.24)
OneOrZero v1.6.5.2 patch 2 (ooz_v165.zip) (ooz_v1652_patch_2.zip)

2006/07/25 - Jason Klein
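Review bot: In the common.php patch above, the line "if ( (!(!sr)) && ($info["count"] > 0) ) {" tests the bare word sr rather than the $sr result of ldap_search(), so PHP evaluates an undefined constant (the truthy string "sr") and a failed search is never detected; the check should be "if ( $sr && ($info["count"] > 0) ) {" (and ldap_get_entries() should only be called when $sr is not false). Two smaller points on the same block: "strpos($ldap_rootdn , ";")" is falsy when the delimiter sits at offset 0, so compare with "!== false"; and because the loop breaks at the first container holding the uid, a uid present in two containers authenticates against whichever container is listed first, which is worth documenting when containers are administered by different people. $ldap_rootdn_rec in the unset() is never assigned.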