curl -b '/tmp/cookie' -o partial-downloaded-file.zip -C - http://full.url.to/original_file.zip

You’ll have to replace “username” and “passwd” with whatever the login form HTML names are.

I had the requirement to authenticate a website using SSO (pass-through domain authentication) and restrict access to certain groups in Active Directory. This is how I achieved it.

Components used:

• Redhat RHEL 5
• Apache 2.2
• mod_perl
• mod_auth_kerb
• Apache2::AuthZLDAP

Kerberos Service Principle setup

(Using this grolmsnet.de tutorial as guidance.)

Edit/Additions to krb5.conf

[libdefaults]
 default_realm = FULL-AD-DOMAIN.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true

Test Basic Kerberos Functionality

username@linux [~]$ kinit username@FULL-AD-DOMAIN.COM

AD Service Principal Setup

• Create a dummy user account in the Active Directory domain. It must be enabled, with “password never expires” and NOT having “force change password at next login.” It should not have any administrative privileges. Assume the username is apache-kerberos-user for the next command.
• From the domain controller, or another machine with the ktpass.exe utility, run the following

C:\>ktpass -princ HTTP/fqdn-of-webserver.domain.com@FULL-AD-DOMAIN.COM
 -mapuser apache-kerberos-user -crypto rc4-hmac-nt
 -ptype KRB5_NT_SRV_HST -pass SECRET_PASSWORD_GOES_HERE
 -out c:\apache.keytab

• Move the outputted keytab file to the webserver (possibly located at /etc/httpd/conf)

Test AD Service Principal

username@linux [~]$ kinit -k -t /etc/httpd/conf/apache.keytab HTTP/fqdn-of-webserver.domain.com

Apache Setup

# yum install mod_auth_kerb mod_perl

Install Apache2::AuthZLDAP perl module

Instructions for this step vary based on your Perl installation standards. I use cpan2rpm to build Perl modules as RPM packages

httpd.conf additions

<Directory "/var/www/html/topsecret">
AuthType Kerberos
KrbAuthRealms FULL-AD-DOMAIN.COM
KrbServiceName HTTP
Krb5Keytab /etc/httpd/conf/apache.keytab
KrbMethodNegotiate on
KrbMethodK5Passwd on
KrbAuthoritative off
PerlSetVar LDAPURI      ldap://fqdn-of-ad-domaincontroller.com:389
PerlSetVar LDAPbaseDN   DC=FULL-AD-DOMAIN,DC=com
PerlSetVar LDAPuser         ldap-bind-user@full-ad-domain.com
PerlSetVar LDAPpassword     ldap-bind-password
PerlSetVar LDAPfilter       &(userPrincipalName=[uid])(memberOf=CN=LDAPGROUPNAME,OU=Department,DC=FULL-AD-DOMAIN,DC=com)
PerlAuthzHandler Apache2::AuthZLDAP
require valid-user
</Directory>

This circuit emulation configuration could be used in a DR situation. rtr1 is at the HQ site, rtr2 is at the remote site. rtr3 is at the disaster/failover site for HQ. It utilizes EEM with object tracking as an event source, so it requires IOS 12.4(2)T or above. Given a fault-tolerant, routable IP connection, this provides a fault tolerant analog circuit, especially useful in legacy telephony and utility applications. Click “read more” for configuration details.

HQ Router: rtr1 Cisco 3845. NM-CEM-4TE1 installed in slot 3

Remote Router: rtr2 Cisco 3845. NM-CEM-4TE1 installed in slot 3

Disaster Recovery HQ Router: rtr3 Cisco 3845. NM-CEM-4TE1 installed in slot 3

rtr1: HQ

card type t1 3
controller T1 3/0
 framing esf
 cem-group 0 timeslots 1-24
 cablelength long 0db
!
interface Loopback0
 description HQ IP
 ip address 10.0.0.1 255.255.255.255
!
cem 3/0/0
payload-compression
xconnect 10.0.0.2 0 encapsulation udp
 local ip addr 10.0.0.1
 local udp port 16002
 remote udp port 16001

rtr2: Remote

card type t1 3
controller T1 3/0
 framing esf
 cem-group 0 timeslots 1-24
 cablelength long 0db
!
track 1 ip route 10.0.0.1 255.255.255.255 reachability
!
interface Loopback0
 description REMOTE IP
 ip address 10.0.0.2 255.255.255.255
!
cem 3/0/0
payload-compression
xconnect 10.0.0.1 0 encapsulation udp
 local ip addr 10.0.0.2
 local udp port 16001
 remote udp port 16002
!
event manager applet CEM-HQ-DOWN
 event track 1 state down
 action 1.0 cli command "enable"
 action 1.1 cli command "configure term"
 action 1.2 cli command "cem 3/0/0"
 action 1.3 cli command "xconnect 10.0.0.3 0 encapsulation udp"
event manager applet CEM-HQ-UP
 event track 1 state up
 action 1.0 cli command "enable"
 action 1.1 cli command "configure term"
 action 1.2 cli command "cem 3/0/0"
 action 1.3 cli command "xconnect 10.0.0.1 0 encapsulation udp"

rtr3: Disaster Recovery HQ Site

card type t1 3
controller T1 3/0
 framing esf
 cem-group 0 timeslots 1-24
 cablelength long 0db
!
track 1 ip route 10.0.0.1 255.255.255.255 reachability
!
interface Loopback0
 description DR IP
 ip address 10.0.0.3 255.255.255.255
!
cem 3/0/0
payload-compression
xconnect 10.0.0.2 0 encapsulation udp
 local ip addr 10.0.0.3
 local udp port 16002
 remote udp port 16001
 shutdown
!
event manager applet CEM-HQ-DOWN
 event track 1 state down
 action 1.0 cli command "enable"
 action 1.1 cli command "configure term"
 action 1.2 cli command "cem 3/0/0"
 action 1.3 cli command "no shutdown"
event manager applet CEM-HQ-UP
 event track 1 state up
 action 1.0 cli command "enable"
 action 1.1 cli command "configure term"
 action 1.2 cli command "cem 3/0/0"
 action 1.3 cli command "shutdown"

My work has been published in a Cisco case study: Click here to read about it.

I recently had the need to build a test installation of MeetingPlace Express on our VMware environment. The process is not officially supported by Cisco as it is for Communications Manager, Unity, and Presence. Here are the modifications I made ot the installation to trick it into installing on VMware:

1. Create a VM for MeetingPlace express. I created mine with 4 GB of RAM, 2 processors, 2 NICs, and a 90GB hard drive.

2. Extract a MeetingPlace installation DVD into a directory on a Linux machine # mount /media/cdrecorder # mkdir /scr/MPX # cd /scr/MPX # tar -cf – /media/cdrecorder | tar -xvf -

3. Edit the following files to short-circuit the platform and hard drive checks: Cisco/base_scripts/check_platform.sh Cisco/vendor/misc/bin/hw_setup.sh In both cases, I simply put an “exit 0″ on its own line immediately after the #!/bin/bash at the top of each file. The exit 0 immediately exits the script with a successful error code and avoids the nasty “Platform not Supported” message.

4. Re-roll an .iso file with your new information # cd /scr/MPX # chmod a+w isolinux/isolinux.bin # mkisofs -r -T -J -b isolinux/isolinux.bin \ -c isolinux/boot.cat -no-emul-boot -boot-load-size 4 \ -boot-info-table -o /scr/MPX-VMWARE.iso /scr/MPX/ When you get through the OS installation, the VM will reboot. The firstboot script will prompt you to insert the Cisco Application DVD to install the MeetingPlace application. For me, I couldn’t use my “custom” DVD for this step. My original MeetingPlace Express installation DVD was recognized and installed the application successfully.

Best Cake Ever! 12-28-2008

My Wife made this for my birthday — it’s so cool it deserves to be shared with the world.