I've made some changes to wds00 so that the web servers can securely deliver the WDS iso files.
Apache is now mapping /download/installation to the share "//wds00.unity.ad.ncsu.edu/wdsboot"
This share has been created, and given ntfs read rights for the group "ITD_Web Servers"
This allows apache to deliver the ISOs without granting excessive rights to \\wds00\distribution$ which has some private stuff on it that might be readable should the ntfs permission be assigned there.
For things that we want to download, please make an Apache alias for /download/whatever to a share where you keep the "whatever" files, and grant read rights in NTFS for the "ITD_Web Servers" group. This should prove much easier to secure than publishing all of DFS. :-)
I've done a quick peek on the Apache configuration on web00.
We "include" other config files in this order:
```apache
Include conf.d/*.conf
<IfModule mod_ssl.c>
Include conf/ssl.conf
</IfModule>
Include conf/php5.conf
```
I would suggest that we do the following:
Anybody object to this course?
Using mod_auth_sspi, WEB00 was configured to serve the new pilot workstation installation ISO file to certain authenticated users.
The ISO download page is HERE. The download page doesn't require authentication. The URL where the ISO file resides does. It is located HERE.
The ISO file actually resides on WDS00. I created an alias directly to this location rather than copying the ISO somewhere else because the ISO is generated automatically in this location. I will eventually link this into DFS.
The Apache conf file is called download-install-sspi.conf and resides in the conf.d directory on WEB00. This is what it looks like (Note: the greater than and less than signs were removed because the blog wouldn't allow them):
```apache
# Map the download URL onto the WDS boot share
Alias /download/installation "//wds00.unity.ad.ncsu.edu/distribution$/boot"
<IfModule !mod_auth_sspi.c>
LoadModule sspi_auth_module modules/mod_auth_sspi.so
</IfModule>
# Use SSL: send any non-443 request for the ISO path to https://
RewriteEngine On
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^/download/installation/(.*) https://microsys.unity.ncsu.edu/download/installation/$1 [L,R]
<IfModule mod_auth_sspi.c>
<Location /download/installation/>
AuthName "the Unity Active Directory domain"
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIOfferBasic On
SSPIOmitDomain On
# SSPIBasicPreferred
# SSPIUsernameCase lower
require group "UNITY\Domain local group name"
</Location>
</IfModule>
```
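A small audit script, added here and not part of the original post, that checks the alias-plus-Location pattern above: every Alias onto a share must sit under a Location with a Require directive, and SSPIOfferBasic On must be paired with the RewriteRule redirect to https:// so the fallback Basic password never travels in the clear. Host names in the embedded sample are assumed, and the sample is a constructed config, not the conf.d file itself.

```python
import re
# Constructed sample (assumed host names) modelled on download-install-sspi.conf above.
SAMPLE_CONF = r"""
Alias /download/installation "//wds00.example/distribution$/boot"
Alias /download/applications "//dfs.example/Applications"
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^/download/installation/(.*) https://web.example/download/installation/$1 [L,R]
<Location /download/installation/>
AuthType SSPI
SSPIAuth On
SSPIOfferBasic On
require group "UNITY\Domain local group name"
</Location>
"""

def parse_conf(text):
    """Collect Alias targets, directives per <Location>, and prefixes redirected to https."""
    aliases, locations, redirects, current = {}, {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := re.match(r'Alias\s+(\S+)\s+"?(.*?)"?\s*$', line):
            aliases[m.group(1).rstrip("/")] = m.group(2)
        elif m := re.match(r'<Location\s+(\S+)>', line):
            current = m.group(1).rstrip("/")
            locations[current] = []
        elif line.lower() == "</location>":
            current = None
        elif m := re.match(r'RewriteRule\s+(\S+)\s+https://', line):
            # turn ^/download/installation/(.*) into the prefix /download/installation
            redirects.add(re.sub(r'\(.*$', '', m.group(1).lstrip("^")).rstrip("/"))
        elif current is not None:
            locations[current].append(line.lower())
    return aliases, locations, redirects

def audit(text):
    """Flag a share alias with no auth block or Require, and Basic offered without the HTTPS redirect."""
    aliases, locations, redirects = parse_conf(text)
    findings = []
    for url, share in aliases.items():
        block = locations.get(url)
        if block is None:
            findings.append(f"{url}: alias to {share} has no <Location> auth block")
            continue
        if not any(d.startswith("require ") for d in block):
            findings.append(f"{url}: <Location> has no Require directive")
        if any(d.split()[:2] == ["sspiofferbasic", "on"] for d in block) and url not in redirects:
            findings.append(f"{url}: Basic offered but no RewriteRule redirect to https")
    return findings
```

Run `audit(open("download-install-sspi.conf").read())` against the real file; an empty list means every aliased share is gated and the Basic fallback only ever travels over SSL.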
I created an alias on WEB00 to the Applications directory in DFS. The URL is:
http://microsys.unity.ncsu.edu/download/applications
Application data and ISO files shouldn't be stored with the web content. It should all be stored under Applications.
The download-applications.conf file on WEB00 controls the alias and the access list. Microsys staff are the only ones who can currently get to the link. The default Apache index is being used.
This was pretty much just a test and the URL name or other details can change when we have a chance to discuss this.
Woo Hoo!
I finally got web authorization based on AD groups working, and it's pretty close to my "ideal" configuration.
The mod_auth_ldap stuff was never really stable enough under Win32, and even if it was, it didn't understand AD "nested" groups inside of groups.
Well, mod_auth_sspi does everything we want, and nothing we don't. :-) It implements Microsoft's Security Services Provider Interface, so it negotiates the strongest cryptography that it can use with a particular client (in our case, NTLMv2 or Kerberos). It understands nested groups. If we ever add authentication methods to our AD, like "smart" cards, it will understand that as well, right away. Nerdvanna!
There's no content here particularly, but I do have three secured web pages up for testing
http://microsys.unity.ncsu.edu/only/ncsu/
http://microsys.unity.ncsu.edu/only/remedy/
http://microsys.unity.ncsu.edu/only/microsys/
Do note the trailing slashes -- if you omit them, you'll get prompted to authenticate twice. There is no index.html in these directories, so your first request gets "bounced" and you get a second login prompt.
Because I've got a fallback "basic" authenticator, all these URLs will redirect to https:// so we can send the clear text (but SSL-encrypted) password for non-Windows clients.
The ../ncsu address will allow anyone with an active Unity ID, the ../remedy will allow anyone in any Remedy workgroup access, and the ../microsys will only allow Microsys staff.
As we get more autogroups going, this is going to be amazingly useful!
Folks,
In working with WebDAV, it worked out to be somewhat of a problem to have the pretty PHP-generated index files. I've moved the fancy indexing so that it only takes effect on /documentation and /internal-documentation. Other dirs will get the standard Apache indexing.
Right now, I have the permissions set so that http://microsys.unity.ncsu.edu/dfs is forbidden to all, so we don't let anything out we shouldn't. My plan is to secure this dir with "allow valid-user" so that we can provide file downloads (like the mmc plugins). I can't wait to set up some authorizations based on Remedy workgroup membership. :-)
Anyway, hopefully we'll have secure (https://) authenticated access that works with Dreamweaver up shortly.
As decided in our 2/9/2007 meeting, I've renamed the following accounts in unity.ad.ncsu.edu to conform to the desired naming conventions:
I've reset the scheduled tasks on scripts00 and restarted apache on web00 to use these new account names, but we need to be on the alert for issues that may creep in from this change.
I've moved the forum and the blog out of the htdocs folder, and into their own separate directories off of \\web00\d$
I've added a line in Apache's httpd.conf to include any .conf files kept in \\web00\d$\Apache2\conf.d and added a blog.conf and forum.conf there. This will let us make smaller, more specific changes, rather than always editing the main httpd.conf and potentially growing it to an unmanageable size.
The end result of all of this is that now you can use Dreamweaver to manage the \\web00\web space, and DW won't be tempted to mess with things it doesn't really understand.
I have made a minor change to the web template and some major changes to the documentation part of the website.
Web00 can now read Active Directory groups (via LDAP) for authentication and authorization. We've got two sample group-only URLs available now, and will add more as we begin auto-generating more groups.
The URLs are
http://microsys.unity.ncsu.edu/only/ncsu
http://microsys.unity.ncsu.edu/only/microsys
These will redirect to SSL when they request your password.
This blog is intended to be used by the staff members of ITD's Microsys group at NC State University. It is an internal project management and collaboration tool to be used throughout the Unity migration project. Project updates, thoughts, suggestions, and anything else related to the migration should be included.