Patching OneOrZero Helpdesk Software (PHP/MySQL) to Support Multiple LDAP Base DN records in Novell NDS

This article demonstrates a working configuration of OneOrZero helpdesk that was setup to authenticate to Novell NDS via LDAP. I wrote a simple patch for OneOrZero that is designed to accept multiple Base DN records and search through each record for the requested username (uid).

Configuring OneOrZero to Authenticate to Novell NDS via LDAP

First, I should describe the customer’s tree. When viewing the tree from within Console One, I see something similar to the following:

[sourcecode language="bash"]
NDS
  ROOTNAME
    Container1
      User1
    Container2
      User2
      User3
      User4
    Container3
      User5
      User6
[/sourcecode]

Unfortunately, OneOrZero is not compatible with this tree design. Instead, OneOrZero expects a tree design similar to the following. While the following is the recommended way of configuring an NDS tree, I occasionally see trees structured without a Base Container.

[sourcecode language="bash"]
NDS
  ROOTNAME
    BaseContainer
      Container1
        User1
      Container2
        User2
        User3
        User4
      Container3
        User5
        User6
[/sourcecode]

Here is the LDAP portion of the configuration file (configuration/website_settings.php) for the first example. This configuration should work for anyone using Novell eDirectory 8.7 with modifications only to ‘ldap_host’ and ‘ldap_rootdn’. This configuration does not require an ‘ldap_domain’ since this setting is only required for Active Directory. This config does not require an ‘ldap_binddn’ or an ‘ldap_bindpwd’ since these settings are not required for anonymous binding to the LDAP directory. If the tree had been created with a base container as shown in the second NDS example, I would change the ‘ldap_rootdn’ from ‘o=container1’ to ‘o=basecontainer’.

[sourcecode language="bash"]
auth_method = "LDAP"
ldap_host = "10.128.1.1"
ldap_domain = ""
ldap_binddn = ""
ldap_bindpwd = ""
ldap_rootdn = "o=container1"
ldap_searchattr = "uid"
ldap_fname = "givenname"
ldap_lname = "sn"
ldap_uname = "uid"
ldap_email_add = "mail"
ldap_office = "l"
ldap_phone = "telephonenumber"
ldap_context = "dn"
[/sourcecode]

Patching OneOrZero to Search for Username in Multiple Root DN records

When using a tree structure similar to the first NDS example, this configuration will only allow users within Container1 to access the OneOrZero helpdesk website. I have written the following patch (for common/common.php) that allows OneOrZero to accept multiple ‘ldap_rootdn’ records and search through each Root DN for the username that is attempting to authenticate.

[sourcecode language="bash"]
[root@web html]# diff common/common.php common/common.php.orig
167,186d166
< // 2006-07-25 : dni/jrk < // OoZ Patch : Support for multiple Root DN records, separated by ";" delimiter < // without modifying existing lines of code. Could do better job of recycling < // data retrieved from LDAP. We currently discard data and query a second time < // using the original code to search the correct Base DN. < < // If delimiter ";" exists in 'ldap_rootdn' setting, search for username in each DN < if ( strpos($ldap_rootdn , ";") ) { < $ldap_rootdn_recs = explode(";",$ldap_rootdn); < foreach( $ldap_rootdn_recs as $ldap_rootdn ) { < $sr = ldap_search($ldapconn, $ldap_rootdn, $filter, $justthese); < $info = ldap_get_entries($ldapconn, $sr); < if ( (!(!sr)) && ($info["count"] > 0) ) {
< // Username exists in current DN. Stop searching and use this DN. < break; < } < } < } < unset( $sr , $info , $ldap_rootdn_recs , $ldap_rootdn_rec ); <
[/sourcecode]

The diff above shows that these lines were added to common.php starting at line 167. If you back up your common.php file and run a similar diff command after patching it, you should receive similar output.

The LDAP section of the OneOrZero configuration was changed as follows to provide multiple Root DN records. When used in conjunction with the patch shown above, this new setting will cause OneOrZero to search for the username within each container listed (Container1, Container2, Container3, etc.). Although the containers could be listed in any order, you should list the containers with the most users first (for performance reasons), since the containers will be searched in the order listed until the username is found.

[sourcecode language="bash"]
auth_method = "LDAP"
ldap_host = "10.128.1.1"
ldap_domain = ""
ldap_binddn = ""
ldap_bindpwd = ""
ldap_rootdn = "o=container2;o=container3;o=container1"
ldap_searchattr = "uid"
ldap_fname = "givenname"
ldap_lname = "sn"
ldap_uname = "uid"
ldap_email_add = "mail"
ldap_office = "l"
ldap_phone = "telephonenumber"
ldap_context = "dn"
[/sourcecode]

LDAP Agent for Novell eDirectory 8.7.3.7 (10554.24)
OneOrZero v1.6.5.2 patch 2 (ooz_v165.zip) (ooz_v1652_patch_2.zip)

2006/07/25 – Jason Klein
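Review bot: in the patch above, the test `if ( (!(!sr)) && ($info["count"] > 0) )` uses the bare word `sr` rather than `$sr`, so PHP treats it as an undefined constant (the string "sr"), `!(!sr)` is always true, and the guard against a failed `ldap_search()` never fires; write it as `$sr !== false && $info["count"] > 0`, and only call `ldap_get_entries()` once `$sr` is known to be a valid result. Two smaller points in the same hunk: `strpos($ldap_rootdn , ";")` returns 0 (falsy) when the setting starts with ";", so the multi-DN branch is skipped for that input unless you compare with `!== false`; and the closing `unset()` names `$ldap_rootdn_rec`, which is never assigned (the array is `$ldap_rootdn_recs`), while `$ldap_rootdn` itself is deliberately left holding the matched DN (or the last DN when nothing matched) for the original search that follows, which deserves a comment since that second search is what makes an unknown username fail authentication.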
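The search order described above, as an added example (Python, not OneOrZero's PHP and not part of the original post): it splits the ';'-delimited ldap_rootdn value, tries each base DN in the configured order, and stops at the first one that holds the uid, reporting how many searches it took so the effect of listing busy containers first is visible. The directory is a constructed in-memory stand-in for ldap_search() built from the first NDS tree; SAMPLE_DIRECTORY, fake_ldap_search, find_user_base_dn, parse_root_dns and escape_filter_value are names I chose. It goes one step beyond the patch by escaping the username before placing it in the filter, so a login name containing ')' or '*' cannot change the filter's meaning.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stand-in for the eDirectory tree in the first NDS example:
# entry DN -> attributes. Not real customer data.
SAMPLE_DIRECTORY: Dict[str, Dict[str, str]] = {
    "cn=user1,o=container1": {"uid": "user1", "givenname": "Una", "sn": "One"},
    "cn=user2,o=container2": {"uid": "user2", "givenname": "Dos", "sn": "Two"},
    "cn=user3,o=container2": {"uid": "user3", "givenname": "Tre", "sn": "Three"},
    "cn=user4,o=container2": {"uid": "user4", "givenname": "Quad", "sn": "Four"},
    "cn=user5,o=container3": {"uid": "user5", "givenname": "Cinq", "sn": "Five"},
    "cn=user6,o=container3": {"uid": "user6", "givenname": "Sei", "sn": "Six"},
}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for use inside an LDAP search filter.

    RFC 4515 requires NUL, '(', ')', '*' and '\\' to be written as \\XX hex
    escapes so that a login name cannot alter the structure of the filter.
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in "\x00()*\\" else ch for ch in value
    )


def parse_root_dns(setting: str) -> List[str]:
    """Split a ';'-delimited ldap_rootdn setting into base DNs, keeping the
    configured order and dropping blank entries."""
    return [dn.strip() for dn in setting.split(";") if dn.strip()]


def _unescape(value: str) -> str:
    """Undo \\XX hex escapes (the inverse of escape_filter_value)."""
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def fake_ldap_search(base_dn: str, search_filter: str) -> List[str]:
    """Stand-in for ldap_search() over SAMPLE_DIRECTORY.

    Supports a single equality filter such as '(uid=user1)' and returns the
    DNs of matching entries below base_dn. A malformed filter (for example
    one broken open by an unescaped ')') matches nothing, as a real server
    would reject it.
    """
    match = re.fullmatch(r"\((\w+)=([^()]*)\)", search_filter)
    if not match:
        return []
    attr, wanted = match.group(1).lower(), _unescape(match.group(2))
    suffix = "," + base_dn.lower()
    return [
        dn for dn, attrs in SAMPLE_DIRECTORY.items()
        if dn.lower().endswith(suffix) and attrs.get(attr) == wanted
    ]


Searcher = Callable[[str, str], List[str]]


def find_user_base_dn(
    rootdn_setting: str,
    username: str,
    search: Searcher = fake_ldap_search,
    search_attr: str = "uid",
) -> Tuple[Optional[str], int]:
    """Return (base DN holding username, number of searches issued).

    Base DNs are tried in the configured order and the loop stops at the
    first hit, which is why containers with the most users belong first in
    the list. (None, n) means no configured DN holds the username and
    authentication should fail.
    """
    search_filter = "(%s=%s)" % (search_attr, escape_filter_value(username))
    attempts = 0
    for base_dn in parse_root_dns(rootdn_setting):
        attempts += 1
        if search(base_dn, search_filter):
            return base_dn, attempts
    return None, attempts


if __name__ == "__main__":
    setting = "o=container2;o=container3;o=container1"
    for user in ("user2", "user5", "user1", "nobody", "user1)(uid=*"):
        print(user, "->", find_user_base_dn(setting, user))
```

With the article's setting "o=container2;o=container3;o=container1", user2 is found on the first search and user1 only on the third, which is the ordering cost the text refers to; with the original single-DN setting "o=container1", user2 is never found at all.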

Windows Terminal Server Printer Driver Compatibility

We are often asked to assist with printer configuration in Terminal Server environments. This article provides a brief list of the native printer drivers we have successfully used with numerous “unsupported” printers. This driver compatibility list is helpful since Microsoft and others recommend you avoid using third-party printer drivers on your Terminal Server. You should only use the native printer drivers provided by Microsoft to ensure system stability (ie: avoid blue screens and other unnecessary errors).

Physical Printer        Client   Compatible Driver         Server    Confirmed
Canon PC1200/iC D700    WinXP    had to use redirection    Win2003   2006/07/20
HP PSC 1400             WinXP    hp deskjet 3320 series    Win2003   2006/07/20

If you find a native driver that is compatible with the printer AND is available on both the RDP server as well as the RDP client, then you should install a second printer on the client that uses this driver. We normally rename this second printer to match the original printer name and then add a “(TS)” suffix to the printer name. Remember that you must also install this printer driver on the Terminal Server before automatic printer mapping will occur. The simplest way of doing this is to create a printer with this driver on an unused port (ie: LPT3) and then remove the printer. The necessary driver files will be installed during creation of the printer.

2006/07/21 – Jason Klein

Setup Solomon IV client in Terminal Server 2003

We are often hired to assist customers with application compatibility issues on Windows Terminal Server. We use a variety of methods to determine why an application is not working (properly) on a Terminal Server. Today, I was tasked with configuration of the Solomon IV client on Windows Terminal Server 2003. The application was returning numerous errors, mostly while trying to use Print or Print Preview functionality. The Solomon IV server had already been properly installed and configured and had already been used to successfully install the Solomon IV client on standard Windows workstations. This article assumes you have also reached this point and only addresses installation of the Solomon IV client onto a Terminal Server.

Begin by mapping a drive to the Solomon IV share on your file server. We set up our login script to map the “S:” drive to the “\\exfs01\sol32” share.

Next, we will install the Solomon IV client on the Terminal Server by opening “Add/Remove Programs” and clicking the “CD or Floppy” button. Then, we browse to the SETUP.EXE file on the mapped drive. In our case, the path was “s:\rms\sol32\wrkstn\setup.exe”. We HIGHLY recommend you reboot the terminal server immediately after any software installation. Traditionally, it has been important to use the “Add/Remove Programs” menu while installing software on a Terminal Server to automatically enable INSTALL mode. You can manually change to INSTALL mode with the change command (run “change user /?” for details).

At this point, you will most likely receive the following error when you try to click Print or Print Preview within Solomon IV.

[sourcecode language="bash"]
Crystal Reports Helper Application for Solomon IV

Cannot start print job.
Report: s:\rms\sol32\ao610dp.rpt
Crystal Print Engine Error: 0 - Error in formula ,
'ToNumber(RIPARAM("BaseCuryDecPl"))'
The ) is missing.
[/sourcecode]

You may also receive missing file errors for “p2lodbc.dll”, “p2sodbc.dll”, and/or “u2fodbc.dll” when you try to run certain queries and/or printing filters.

If you receive either of these errors, execute the following batch file while logged into Terminal Server as a Solomon IV user. Each user must execute this script. We made the script available through the user Start Menu within Terminal Server sessions as “Repair Solomon IV” and instructed each user to run the script if/when they encountered the above errors. The script simply copies required files from the Solomon IV network share to the necessary directory within each user profile.

[sourcecode language="bash"]
@echo off

rem Switch to the user's home drive and its root directory.
%HOMEDRIVE%
cd \
rem NOTE: %HOMEPATH% is joined to "windows\" with no separating backslash,
rem so this script assumes a home folder mapped to a drive root (HOMEPATH
rem is "\"). If your profile path is deeper, insert a backslash after %HOMEPATH%.
mkdir "%HOMEPATH%windows\"

rem Crystal Reports runtime files, expected in the per-user windows\crystal folder.
mkdir "%HOMEPATH%windows\crystal\"
copy /y c:\system\sol32\crystal\* "%HOMEPATH%windows\crystal\"

rem ODBC helper DLLs (p2lodbc.dll, p2sodbc.dll, u2fodbc.dll), expected in windows\system32.
mkdir "%HOMEPATH%windows\system32\"
copy /y c:\system\sol32\system32\* "%HOMEPATH%windows\system32\"
[/sourcecode]

The contents of the CRYSTAL directory in this example were copied from “s:\rms\sol32\wrkstn\windows\crystal\”, and the contents of the SYSTEM32 directory in this example were copied from “s:\rms\sol32\wrkstn\windows\winsys\” AND from “s:\rms\sol32\wrkstn\windows\winsys\register\”. You could modify the script to copy all files directly from these directories into the corresponding directories in the user profile. You could also modify the script to copy files only if they are missing and then launch the Solomon IV application. The Solomon IV icon could then be pointed to the script (instead of the .exe) and automatically resolve this missing file problem for new users.

The errors listed above were resolved immediately after copying these files to the user profile.

Solomon IV version 4.21SP2.1465

2006/07/20 – Jason Klein

Mapping any RDP printer in Terminal Services w/ REDMON

I have always felt that RDP printer mapping within Windows Terminal Services has been much more difficult than it should be. This is especially true because articles I have read from Microsoft and other sources in the past do not recommend using ANY third party printer drivers on your terminal server. These articles claim that third party printer drivers are the #1 cause of blue screen situations on a terminal server. As a result, I would often try to find a “compatible” driver in the existing Windows printer list. Sometimes I simply could not get a printer to work within a terminal server session.

This article demonstrates how to map ANY working client printer within a terminal server session. Although I would still recommend settling on a compatible driver when possible (ie: Use “HP LaserJet 1100” driver on both ends if you have an LJ 1200), this method allows black and white (and possibly color) printing on any working client printer from within an RDP session.

Set up the printer on the client and confirm it is working by printing a test page. This article assumes the printer is working properly on the client computer. You can use any driver you need to at this point. The driver does not need to be supported by Windows Terminal Server!

We are going to set up a generic PostScript printer on the client that accepts jobs and then prints them to the desired destination printer using a combination of RedMon, Ghostscript, and GSview. Once this is working, we can easily configure the terminal server to recognize this PostScript printer.

Download and install the most recent version of AFPL Ghostscript and GSview available for your client computer. Make note of the installation directory you use for GSview (usually c:\program files\ghostgum\gsview\gsprint.exe). The default install options are sufficient. At the time of this article, I used AFPL Ghostscript 8.54 Win32 and GSview 4.8 Win32 on a Windows XP SP2 client.

Download and install the most recent version of RedMon – Redirection Port Monitor. This will add a “Redirected Port” to the list of port types you see when you try to add a new printer port to your computer. No install options are presented when you run SETUP.EXE. At the time of this article, I used RedMon 1.7 Win32 on a Windows XP SP2 client.

Create a new printer on the Windows client. After you click “Add a Printer”, choose “Local Printer” (do not auto detect), then choose “Create a new port” (type of port: Redirected Port, port name: use the default), then choose the “Apple LaserWriter II NT v47.0” printer driver, then name the printer “Terminal Services Printer”. Do not make this your default printer. Do not print a test page (yet).

Now we need to install the same driver to your server. We will create an identical printer (on a fake/unused port) and then remove the printer. You may be asked if you want to remove the printer drivers from the terminal server. Be sure to answer NO, because we will need to keep the drivers! Once these drivers are available on the terminal server, automatic printer mapping can occur for any client that is using the exact same driver.

Create a new printer on the Windows Terminal Server. Use the same method and same driver as described for the Windows client (above). It is extremely important that the driver shown in the “Advanced” printer properties tab is IDENTICAL on the client and server, otherwise automatic printer mapping will not occur. If the LaserWriter driver mentioned above is not available on both systems, find/use another common PostScript driver that is available on both systems.

Now that your generic PostScript printer has been created on the client and on the server, we need to configure the Redirected Port on the Windows client. Open the properties window for this new printer, then click “Configure Port” on the Ports tab. Redirect this port to the program gsprint.exe (located in c:\program files\ghostgum\gsview\gsprint.exe). Arguments for this program should be similar to the following example. The printer name provided must EXACTLY match the name of the destination printer! Very important! The “-color” parameter would allow color printing in this particular example (assuming the printer was capable of printing in color). And the final dash “-” is REQUIRED or else the PostScript data will not be received by gsprint.exe.

-printer "HP DeskJet 720C Series" -color -

The default settings for the other options will usually work fine. The “Output” default setting should be “Program handles output”. The “Printer” setting is unused/unavailable in this configuration. As a personal preference, I change the “Run” option from NORMAL to HIDDEN so that the GhostScript window does not appear. I also enable the “Run as User” option so that I am prompted for a filename if I send jobs to my local PDF writer. The shutdown delay could be increased from 300 seconds if you find that it takes more than five minutes for your computer to redirect an incoming job to the destination printer.

At this point, you should be able to print a test page through this new postscript printer. The test page should be redirected to your destination printer driver and successfully printed on your printer. If it is not, review your settings and/or review instructions for Emulating a PostScript printer on a Windows host. This article is partially based on instructions from that page.

Attempt to log in to the Windows Terminal Server with your RDP client. If the local PostScript printer does not appear (pre-Windows 2003 client?), the local RDP client is preventing redirection because it does not recognize the port type. You can resolve this problem by forcing the client to redirect all ports. You should add a DWORD value named “FilterQueueType” with value “FFFFFFFF” to “HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default\AddIns\RDPDR”. Refer to Microsoft Knowledge Base Article # Q302361 for more information regarding this configuration update.

2006/07/20 – Jason Klein

Using Sprint PCS internet (PPP) via Samsung SPH-A680 w/ USB cable

If you use Sprint PCS and you have a Samsung SPH-A680 handset, you can likely use your phone to dial in to the Internet from anywhere you receive a reasonable (2-4 bars) Sprint PCS signal. Depending on your account, your usage may be unmetered (ie: vision plan) or may consume minutes as if the connection were any other phone call. I can receive SMS (text) messages while I am dialed into the Internet through my handset, but I cannot make calls or send SMS messages. You only need to install the necessary driver and dial into the Sprint PCS PPP phone number (see below).

First, you will need to purchase a compatible USB cable (generic) at your local Radio Shack for $10-20. When you connect the phone to your system, Windows XP will fail to locate a compatible driver. I managed to find a driver (9x,NT,2k,XP) that works with the Samsung SPH-A680. Download and extract samsung-sph-a680-usb-drivers.zip, then point the hardware detection wizard toward the extracted files. Windows XP users may receive a warning that their driver is not signed. This is normal and can be ignored.

You do not need to install a proprietary dialer. Once the phone is recognized by Windows as a USB modem, create a new PPP dialup internet connection that uses this modem and dial into “#777” (#ppp) with any username and password. This Sprint PCS dialup number does not seem to require authentication.

While connected to the internet through my Sprint PCS phone, I experienced 300-400ms ping times to google.com. Although I did not run any type of bandwidth tests, my max throughput seemed to range from 32-64k (seemed comparable to 33.6k – 56k dialup).

2006/06/26 – Jason Klein