Re: Router project on OpenBSD questions

2012-09-22 Thread Christoph Leser
On Feb 28, 2012, Stuart Henderson wrote:


List:       openbsd-misc
Subject:    Re: Router project on OpenBSD questions
From:       Stuart Henderson stu () spacehopper ! org
Date:       2012-02-28 13:57:45
Message-ID: slrnjkpnao.r14.stu () naiad ! spacehopper ! org


IPsec is mostly compatible but there's a bit of breakage if the ipsec
gateways are behind NAT (because Cisco still follows a very old nat-t draft
rather than the standard).



I think I have read similar remarks about NAT-T and Cisco interoperability,
but I have found no details about what the problem is with Cisco.


I completely failed when I tried to move from OBSD 4.6 to OBSD 5.2 because of
NAT-T trouble with Cisco. I described my experience in a message to this list,
'ISAMPD NAT trouble with openBSD 5.2'.


Any hints to information about interoperability issues with Cisco (and
possible solutions) would be highly welcome.




Kind regards

Christoph Leser

SP Computersysteme GmbH
Zettachring 4
70567 Stuttgart Fasanenhof

EMail: le...@sup-logistik.de



Re: Router project on OpenBSD questions

2012-09-22 Thread Stuart Henderson
Search the archives for the cisco nat-t problem, I sent a mail with more
details and I think there was a patch with it. Pretty sure that would have
affected older OpenBSD versions too though.




Ldaps authentication from a php web page

2012-09-22 Thread Mik J
Hello,


I'm trying to get a php script to authenticate with ldaps but I can't
make it work for some reason.

A basic ldap query works in command line:
  $ ldapsearch -x -H ldaps://myserver.mydomain.fr -W -D cn=admin,dc=mydomain,dc=fr -b '' -s base '(objectclass=*)' namingContexts

So I'm 90% sure that my openldap server is properly configured; moreover I read that TLSVerifyClient never.

So I think the problem is on the client side. When I use the command line, I think that /etc/openldap/ldap.conf is used by ldapsearch, and in that file I have:
  URI              ldaps://myserver.mydomain.fr
  TLS_CACERT       /etc/openldap/ssl/CA.crt
  TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv3

On the server side I have in /etc/openldap/slapd.conf:
  TLSRandFile            /dev/urandom
  TLSCipherSuite         HIGH:MEDIUM:+SSLv3
  TLSCACertificateFile   /etc/openldap/ssl/CA.crt
  TLSCertificateFile     /etc/openldap/ssl/openldap.crt
  TLSCertificateKeyFile  /etc/openldap/ssl/private/openldap.key
I use a self signed certificate.


The problem comes when I use a php script inside my chrooted Apache:

  <?php
    $server = "ldaps://192.168.1.1";
    $racine = "dc=mydomain,dc=fr";
    $rootdn = "cn=myadmin,dc=mydomain,dc=fr";
    $rootpw = "mypassword";
    echo "Connexion...<br>";
    // ldap_connect only parses the URI; the TLS handshake happens at bind time
    $ds = ldap_connect($server) or die("Can't connect to LDAP $server");
    if ($ds) {
      $r = ldap_bind($ds, $rootdn, $rootpw);
      if ($r) { echo "LDAP Success..."; }
      else { echo "LDAP Failed..."; }
      echo "msg:'" . ldap_error($ds) . "'<br>";
      echo "Disconnect...<br>";
      ldap_close($ds);
    }
  ?>
If I use ldap://192.168.1.1 instead of ldaps://192.168.1.1, it works.
When I use ldaps://192.168.1.1 I have the following message in slapd:

  conn=1005 fd=14 ACCEPT from IP=192.168.1.1:45750 (IP=0.0.0.0:636)
  TLS: can't accept: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca.
  conn=1005 fd=14 closed (TLS negotiation failure)

And that message in

  PHP Warning:  ldap_bind(): Unable to bind to server: Can't contact LDAP server in /htdocs/ldap.php on line 17

If I add at the beginning of my script
  putenv('LDAPTLS_REQCERT=never') or die('Failed to setup the env');
it works, so to me it shows that the problem was on the client side.


My questions are these:
- Where should I put this instruction LDAPTLS_REQCERT=never (I tried php.ini, ldap.ini) so that I won't have to add putenv in all my scripts?
- Where should I put some kind of TLS CACERT so that the client side will consider my certificate valid?

I hope someone will have an idea, thank you



ipsec / ospf / multihoming - looking for recommendations

2012-09-22 Thread Dewey Hylton
hi all. i'm currently using two openbsd boxes to provide redundant site-to-site 
vpn connectivity between two geographically distant sites. each has both 
private (mpls ethernet handoff) and public (standard internet) connectivity. i 
have a pair of gif tunnels, one over each network, ospf to decide which route 
to take, and ipsec laid on top. this works so well that on more than one 
occasion we've been called by our provider (att for mpls) and given an apology 
for their circuit being down - our primary circuit - and we didn't even realize 
it had been down. we are thrilled with this.

we are on the verge of rolling out several more remote sites, each with 
multiple network connections (one has three - one mpls and two separate isps). 
i want to cluster openbsd at each site for redundancy. i believe i can do this 
with relative ease by just extending my current method (doubling the gifs at 
each site). but i just received a request to allow the remote sites to talk 
directly with each other as well. that points to gifs between each site, adding 
further complexity. now this is starting to look like a mesh, and i've never 
attempted that before - so i'm here asking for recommendations from those of 
you who are experienced with this and have the time to help. 

just trying to extend my current method ... each cluster will have two openbsd 
boxes. with main office having a single isp and mpls, and one remote site 
having two isps and mpls - that alone yields 12 gif tunnels. and that's just 
two sites. suddenly i'm not so sure i'm headed in the right direction. so now i 
have lots of questions ...

am i going about this all wrong?

do i need separate route tables for each isp connection at the remote site so 
that the gif tunnels are assured of going out the correct path?

should i be using (private) bgp instead of ospf?

and if bgp, should i be using it to push out the ipsec stuff? (i just read that 
openbgp has ipsec-related capability, but haven't dug into that yet.)

specific recommendations will be warmly welcomed, as i have a short timetable 
and a lot of these new requirements just came to light (scope creep at the last 
minute - gotta love that).

thanks in advance!



[PATCH: pkg_add]: Sort ambiguous package names

2012-09-22 Thread richhguard-monotone
Sort ambiguous package names from 'pkg_add' when not in
interactive mode
(which already sorts); e.g. `pkg_add autoconf`.

Patch provided inline below, based on OpenBSD 5.1 (i386).

--- /usr/libdata/perl5/OpenBSD/AddDelete.pm
+++
/usr/libdata/perl5/OpenBSD/AddDelete.pm
@@ -326,7 +326,7 @@
return
$h{$result};
} else {
$state-errsay(Ambiguous: #1 could be #2,
-
$name, join(' ', keys %h));
+   $name, join(' ', sort keys %h));
return
undef;
}
 }
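Review bot: as posted, the hunk will not apply with patch(1): the `+++` path has been pushed onto its own line, the `-` marker in `@@ -326,7 +326,7 @@` is separated from `$name, join(' ', keys %h));`, and the `+` line is indented differently, all of which looks like mail-client rewrapping, so please resend the `diff -u` output verbatim or as an attachment. On the change itself, adding `sort` only in the `errsay` branch leaves two places that order the same candidate list (the cover note says interactive mode already sorts); sorting once where that list is built, or reusing whatever the interactive path does, would keep both outputs consistent.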



Re: How to stress (performance?) test my PF rules?

2012-09-22 Thread Nicolai
On Fri, Sep 21, 2012 at 09:33:04AM -0700, Ed Flecko wrote:
 Does anyone have any suggestions on how to best test the performance
 of my PF ruleset? Maybe iperf?

Well, the traffic to your machine will be highly unique based on what
you use it for, so pre-made testing tools will not be adapted to
your situation.

Type pfctl -vs rules.  You'll get some useful output that tells how
often each rule is checked etc. based on your actual network traffic.

pf is pretty lightweight, though.  IMO you should first learn correct
rule syntax and making good rules (e.g., don't block all of icmp because
you're scared of it -- this will break things).  You'll get far greater
returns.  The pf.conf manpage is a Unix treasure and incidentally it
explains what you're looking for.

Nicolai
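As an added example (not part of Nicolai's reply), a small shell function that ranks the rules in `pfctl -vs rules` output by the Evaluations counter Nicolai refers to, so the rules pf spends the most time on stand out; the SAMPLE text is constructed to look like that output, not taken from a real firewall.

```shell
#!/bin/sh
# Added example, not from the thread: rank pf rules by how often pf evaluated
# them, using the per-rule counters that `pfctl -vs rules` prints. Rules that are
# evaluated very often but match few packets are the candidates for moving up the
# ruleset or marking `quick`. SAMPLE is constructed output, not from a real box.

SAMPLE='pass in quick on em0 proto tcp from any to any port = 22 flags S/SA keep state
  [ Evaluations: 12345     Packets: 678       Bytes: 91011      States: 2     ]
  [ Inserted: uid 0 pid 1234 State Creations: 3     ]
block drop in on em0 all
  [ Evaluations: 54321     Packets: 100       Bytes: 8000       States: 0     ]
  [ Inserted: uid 0 pid 1234 State Creations: 0     ]
pass out on em0 proto udp from any to any port = 53 keep state
  [ Evaluations: 40000     Packets: 39000     Bytes: 3000000    States: 10    ]
  [ Inserted: uid 0 pid 1234 State Creations: 39000 ]'

# Reads `pfctl -vs rules` text on stdin and prints one line per rule:
# evaluations<TAB>packets<TAB>match%<TAB>rule, most-evaluated rule first.
rank_rules() {
    awk '
        /^  \[ Evaluations:/ {
            ev = $3; pk = $5
            pct = (ev > 0) ? sprintf("%.1f", 100 * pk / ev) : "0.0"
            printf "%d\t%d\t%s\t%s\n", ev, pk, pct, rule
            next
        }
        /^  \[ Inserted:/ { next }
        /^[^ ]/ { rule = $0 }   # a line that is not indented starts a new rule
    ' | sort -k1,1nr
}

# The rule pf spent the most evaluations on (rule text of the top line).
top_rule() {
    rank_rules | head -n 1 | cut -f4
}

# On a live firewall: pfctl -vs rules | rank_rules
printf '%s\n' "$SAMPLE" | rank_rules
```

The match% column is packets matched per evaluation; a rule near the top of the list with a low percentage is evaluated for lots of traffic it never matches, which is where reordering or `quick` pays off.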



no output from /etc/daily

2012-09-22 Thread Robert Connolly
Hello.

For several days I have not been getting mail from /etc/daily, including
when I run it manually.

/var/log/security.out* are empty.

What could cause this?



Re: no output from /etc/daily

2012-09-22 Thread Alexander Hall

On 09/22/12 20:45, Robert Connolly wrote:

Hello.

For several days I have not been getting mail from /etc/daily, including
when I run it manually.

/var/log/security.out* are empty.


Unless there are security related issues detected, it should be.


What could cause this?


Maybe

- VERBOSESTATUS=0 in /etc/daily.local
- misconfigured mailer

Check /var/mail/* if it ends up there

/Alexander



Re: Ldaps authentication from a php web page

2012-09-22 Thread Philip Guenther
On Sat, Sep 22, 2012 at 7:55 AM, Mik J mikyde...@yahoo.fr wrote:
...
 I think so the problem is on the client side. When I use the command
 line, I think that /etc/openldap/ldap.conf is used by ldapsearch and in that
 file I have:
 URI ldaps://myserver.mydomain.fr
 TLS_CACERT  /etc/openldap/ssl/CA.crt
...
 The problem comes when I use a php script inside my chrooted Apache
...
 - Where should I put some kind of TLS
 CACERT so that the client side will consider my certificate valid ?

Since you have a working set up outside of the chroot, I would think
the easiest thing would be to copy that set up into the chroot, with
/etc/openldap/ldap.conf and /etc/openldap/ssl/CA.crt inside the chroot.


Philip Guenther
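Putting Philip's suggestion together with Mik's second question, here is an added example (not from the thread) in shell: it stages the working host ldap.conf and CA.crt into the Apache chroot with certificate verification kept on, and then checks the result from the chroot's point of view. It assumes the chroot root is passed as the first argument (OpenBSD's httpd default is /var/www), that the CA lives at /etc/openldap/ssl/CA.crt on the host, and that the server name is the one used in the thread; the demo runs against a scratch directory with a placeholder CA file.

```shell
#!/bin/sh
# Added example (not from the thread): stage the host's working OpenLDAP client
# config into the Apache chroot so the libldap inside PHP can verify slapd's
# certificate, instead of switching verification off with LDAPTLS_REQCERT=never.
# Assumptions: $1 is the chroot root (OpenBSD's httpd default is /var/www), $2 is
# the host CA file (default /etc/openldap/ssl/CA.crt); host name as in the thread.

stage_ldap_client() {
    root=$1
    ca_src=${2:-/etc/openldap/ssl/CA.crt}
    [ -r "$ca_src" ] || { echo "CA file $ca_src not readable" >&2; return 1; }
    mkdir -p "$root/etc/openldap/ssl" || return 1
    cp "$ca_src" "$root/etc/openldap/ssl/CA.crt" || return 1
    chmod 0644 "$root/etc/openldap/ssl/CA.crt"  # www must read it; a CA cert is public
    # Paths are as seen from inside the chroot. With TLS_REQCERT demand libldap also
    # checks the host name, so the URI must use the name in the certificate, not the IP.
    cat > "$root/etc/openldap/ldap.conf" <<'EOF'
URI          ldaps://myserver.mydomain.fr
TLS_CACERT   /etc/openldap/ssl/CA.crt
TLS_REQCERT  demand
EOF
}

# Check from the chroot's point of view: config present, CA path resolves inside
# the chroot, certificate verification not disabled.
check_ldap_client() {
    root=$1
    conf="$root/etc/openldap/ldap.conf"
    [ -r "$conf" ] || { echo "missing $conf" >&2; return 1; }
    ca=$(awk '$1 == "TLS_CACERT" { print $2 }' "$conf")
    [ -n "$ca" ] && [ -r "$root$ca" ] || { echo "TLS_CACERT '$ca' not under $root" >&2; return 1; }
    if grep -q '^[[:space:]]*TLS_REQCERT[[:space:]]*never' "$conf"; then
        echo "TLS_REQCERT never: the server certificate is not verified" >&2; return 1
    fi
    return 0
}

# Dry run in a scratch directory with a constructed placeholder CA file (not a real
# certificate). On the real box: stage_ldap_client /var/www, then test as the www
# user from inside the chroot as Philip suggests (chroot -u www /var/www ...).
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' '-----END CERTIFICATE-----' > "$tmp/CA.crt"
    stage_ldap_client "$tmp/chroot" "$tmp/CA.crt" && check_ldap_client "$tmp/chroot"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

demo && echo "chroot LDAP client config OK"
```

LDAPTLS_REQCERT=never makes the symptom disappear by skipping server certificate verification, which is exactly the check that would catch a spoofed directory server; staging the CA into the chroot removes the cause instead.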



Re: no output from /etc/daily

2012-09-22 Thread Robert Connolly
My local mail is not working, and I don't know how to diagnose it. I'm
using OpenSMTP.




Re: Ldaps authentication from a php web page

2012-09-22 Thread Mik J
Hello Philip, I've tried that but no success. I'm wondering
if there could be something done in httpd.conf



Seems my previous message didn't get through.

2012-09-22 Thread Pierre ANCELOT
Test.
Sorry



Re: Ldaps authentication from a php web page

2012-09-22 Thread Philip Guenther
On Sat, Sep 22, 2012 at 3:33 PM, Mik J mikyde...@yahoo.fr wrote:
 De : Philip Guenther guent...@gmail.com
 Since you have a working set up outside of the chroot, I would think
 the easiest thing would be to copy that set up into the chroot, with
 /etc/openldap/ldap.conf and /ec/openldap/ssl/CA.crt inside the chroot.

 Hello Philip, I've tried that but no success.

Same errors or different?  What were the results when you tried using
the CLI ldapsearch tool from inside the chroot, via
 chroot -u www /var/chroot
?


 I'm wondering if there could be something done in httpd.conf

What's your hypothesis about why it's not finding the CA.crt that you
put in the chroot?  How are you going to test it?


Philip Guenther



XVIII Ateneo 2012: I don't feel like it today, and not tomorrow either

2012-09-22 Thread difusion
Escuela Sistémica Argentina
An institution dedicated to psychological training, care and research.
We are writing today to invite you to the XVIII Ateneo 2012

Hoy no tengo ganas, mañana tampoco (I don't feel like it today, and not tomorrow either)

Problems of sexual desire.

Date: Friday 28 September 2012, 19:00.

Coordinator: Guido Fischer

Presenter: Lic. Claudio Fontana

FREE ADMISSION (no prior registration required)

Escuela Sistémica Argentina
Fray J. S. María de Oro 1843 (C1414DBC)
Tel: (5411) 4774-2875 / 6112 / 4899-1053

ATENEOS 2012

Date     Ateneo                                          Speaker            Presenter
19 Oct   The therapist's capacity to re-create himself   Equipo Adherentes  Lic. Marina Perrone