Showing posts with label Linux. Show all posts

Thursday, May 19, 2011

Find dormant accounts on a Linux server

In busy production systems there will be a lot of accounts that have not been used for a long time. To find them we have the standard Linux utilities "last" and "lastlog".

The "last" command displays the login history of every user who has logged in to the system, with the time of each session. "lastlog", on the other hand, displays only each user's most recent login and its time.

The last command reads its data from the log file /var/log/wtmp. On modern Linux systems the wtmp file is rotated on a monthly basis, so last shows only the current month's statistics.

If we want the last command to show a year's worth of statistics, we need to change the rotation configuration in /etc/logrotate.conf as below:

/var/log/wtmp {
missingok
monthly <= change it to "yearly"
create 0664 root utmp
rotate 1
}

The following script displays the users who have not logged in during the last 3 calendar months, including the current month. I am sure this will be useful for people like me who want a clear idea of who is not active on the system.

#!/bin/bash
#
# Gives a list of users who have not logged in the last 3 calendar months
# including the current one.
#
umask 077

# Month abbreviations must be in the same locale as the "last" output.
# Note: "1 month ago" on the 31st can normalise into the current month
# (e.g. May 31 - 1 month = April 31 = May 1), so run this early in the month.
THIS_MONTH=$(date +%h)
LAST_MONTH=$(date --date="1 month ago" +%h)
LLAST_MONTH=$(date --date="2 months ago" +%h)

# Unpredictable temp files instead of /tmp/users1$$ (predictable names in
# a world-writable directory invite symlink tricks); clean them up on exit.
ACTIVE=$(mktemp) || exit 1
ALL=$(mktemp) || exit 1
trap 'rm -f "$ACTIVE" "$ALL"' EXIT

# Users that appear in "last" with one of the three month names.
last | grep -w -E "$THIS_MONTH|$LAST_MONTH|$LLAST_MONTH" | awk '{print $1}' | sort -u > "$ACTIVE"
# All accounts known to the system.
awk -F: '{print $1}' /etc/passwd | sort -u > "$ALL"
# Accounts in /etc/passwd that never appeared in "last": the dormant ones.
comm -13 "$ACTIVE" "$ALL"


The above script assumes that the last command has more than 3 months of history available (see the logrotate change above).

Using "lastlog"

The quick and dirty way to find the dormant accounts on a Linux system is to use the "lastlog" command. The following script will do the trick.

#!/bin/bash
#
# Gives a list of users who have not logged in the last 90 days.
# Accounts that have never logged in are left out, as in the original version.
#
PATH=/bin:/usr/bin; export PATH
umask 077
# "lastlog -b DAYS" prints only records older than DAYS. Skip the header row
# and the "**Never logged in**" entries; the remaining first column is the
# user name, so no temp files or comm are needed.
lastlog -b 90 | awk 'NR > 1 && !/Never logged in/ { print $1 }' | sort -u
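As an added example (not part of the original post), the same 90-day check written in Python over constructed lastlog and /etc/passwd samples: unlike the grep -v Never version it also reports accounts that have never logged in, and it skips system accounts by UID. The user names, dates and the NOW value are all constructed.

```python
import re
from datetime import datetime, timedelta, timezone
# Constructed sample of "lastlog" output (not captured from a real host).
LASTLOG_OUTPUT = """\
Username         Port     From             Latest
root             pts/0    10.0.0.5         Thu May 19 10:00:00 +0000 2011
alice            pts/1    10.0.0.7         Sat Jan  8 09:30:00 +0000 2011
bob              tty1                      Mon May  2 18:45:00 +0000 2011
carol                                      **Never logged in**
"""
# Constructed /etc/passwd extract for the same hypothetical host.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
carol:x:1002:1002::/home/carol:/bin/bash
dave:x:1003:1003::/home/dave:/bin/bash
"""
NOW = datetime(2011, 5, 19, 12, 0, tzinfo=timezone.utc)  # "today" for the sample
# Username, then optional Port/From columns, then the Latest column.
LINE_RE = re.compile(r"^(\S+)\s+.*?(\*\*Never logged in\*\*|"
                     r"[A-Z][a-z]{2} [A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d [+-]\d{4} \d{4})$")

def parse_lastlog(text):
    """Map each user in lastlog output to a last-login datetime, or None for never."""
    logins = {}
    for line in text.splitlines()[1:]:                 # skip the header row
        m = LINE_RE.match(line)
        if m:
            user, latest = m.groups()
            logins[user] = (None if latest.startswith("**") else
                            datetime.strptime(latest, "%a %b %d %H:%M:%S %z %Y"))
    return logins

def dormant_accounts(lastlog_text, passwd_text, days, now, min_uid=1000):
    """Human accounts (uid >= min_uid) with no login in `days` days: value is the
    age of the last login in days, or None if the account never logged in."""
    cutoff = now - timedelta(days=days)
    logins = parse_lastlog(lastlog_text)
    dormant = {}
    for line in passwd_text.splitlines():
        user, _, uid = line.split(":")[:3]
        if int(uid) < min_uid:
            continue                                   # system account
        last = logins.get(user)                        # missing from lastlog = never
        if last is None:
            dormant[user] = None
        elif last < cutoff:
            dormant[user] = (now - last).days
    return dormant
```

On a real host, feed it the output of `lastlog` and the contents of /etc/passwd, and replace NOW with `datetime.now(timezone.utc)`.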

Saturday, May 9, 2009

Apache authentication against Active Directory

Apache is the most widely used web server on the Internet: almost 50 percent of all web servers on the Internet run Apache, on various flavors of operating system.

For protecting content, Apache supports various types of authentication, including basic htpasswd, MySQL, NTLM, LDAP, AD etc. Here I describe how we can use Active Directory as the user/password database for an Apache server.

Assume we have an existing Active Directory domain which holds the company's user information. As part of Single Sign-On, we want to use AD as the source of user credentials for accessing the corporate wiki running on an Apache server. For the purpose of this documentation, also assume the wiki and the Apache server run on GNU/Linux.

The following are the steps needed to complete the integration of Apache with AD.
  • Create a user in AD that we can use as the LDAP bind user for read-only access to the AD database. Go to Active Directory Users and Computers on the DC and create a domain user, say "apache", with a strong password "xxxxxxxxx".
  • If we want to use ldaps (LDAP over SSL), we need to export the certificate from AD and import it into the web server machine. This export and import can be done in a single step from the web server using the openssl command as follows.
openssl s_client -connect dc.mydomain.com:636

Save the certificate (the block from "-----BEGIN CERTIFICATE-----" to "-----END CERTIFICATE-----" in the output) as "domain.cer" in the /etc/httpd/conf.d directory on the web server machine.
  • Go to the Linux server and create a file named "authz_ldap.conf" under the directory /etc/httpd/conf.d with the following parameters.
LDAPTrustedGlobalCert CA_BASE64 /etc/httpd/conf.d/domain.cer
LDAPTrustedMode SSL
<Location "/">
order deny,allow
Allow from all
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthLDAPURL "ldaps://dc.mydomain.com:636/DC=mydomain,DC=com?sAMAccountName?sub?(objectClass=*)" NONE
AuthLDAPBindDN apache@mydomain.com
AuthLDAPBindPassword xxxxxxxx
AuthType Basic
AuthName "Only for trusted users"
require valid-user
</Location>

Here all AD users get access to the website because we use the option "require valid-user". If you want to give access only to a specific group of users, use the following option instead of "valid-user".

require ldap-group CN=mygroup,OU=groups,DC=mydomain,DC=com

Note: the bind password is stored in clear text in authz_ldap.conf, so keep that file readable only by root.
  • Also make sure the following modules are loaded in Apache's configuration file httpd.conf.
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule authz_host_module modules/mod_authz_host.so
  • Add the following line to /etc/openldap/ldap.conf; this is essential for a working configuration, because AD answers searches at the domain base with referrals that the OpenLDAP client library would otherwise try to follow.
REFERRALS off
  • Finally, restart the Apache server by issuing the following command.
/etc/init.d/httpd restart


Check the result by opening the Wiki at its URL, and enjoy!
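An added example, not from the post or from Apache itself: a small Python helper that splits the AuthLDAPURL above into the fields mod_authnz_ldap uses (with Apache's documented defaults), shows the filter Apache sends for a login (the URL filter AND-ed with sAMAccountName=login, here with RFC 4515 escaping of the name), and builds the equivalent ldapsearch command for checking the bind user and filter before restarting httpd. The login name "jdoe" is a constructed sample.

```python
from urllib.parse import unquote

# The AuthLDAPURL from the post; everything else here is an added helper.
AUTH_LDAP_URL = ("ldaps://dc.mydomain.com:636/DC=mydomain,DC=com"
                 "?sAMAccountName?sub?(objectClass=*)")

def parse_auth_ldap_url(url):
    """Split an AuthLDAPURL (scheme://host[:port]/basedn?attr?scope?filter)
    into the fields mod_authnz_ldap uses, applying Apache's defaults."""
    scheme, rest = url.split("://", 1)
    hostport, _, tail = rest.partition("/")
    host, _, port = hostport.partition(":")
    fields = tail.split("?") + [""] * 4            # trailing fields may be omitted
    base, attr, scope, flt = fields[:4]
    return {
        "scheme": scheme,
        "host": host,
        "port": int(port) if port else (636 if scheme == "ldaps" else 389),
        "base": unquote(base),
        "attribute": attr or "uid",
        "scope": "one" if scope == "one" else "sub",  # Apache treats base as sub
        "filter": flt or "(objectclass=*)",
    }

def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a search filter, so a login
    name containing * ( ) or a backslash cannot change the shape of the query."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def user_search_filter(parsed, login):
    """The filter Apache sends: the URL filter AND-ed with attribute=login."""
    return "(&%s(%s=%s))" % (parsed["filter"], parsed["attribute"],
                              escape_filter_value(login))

def ldapsearch_command(parsed, bind_dn, login):
    """Equivalent ldapsearch invocation for checking the bind user and filter
    outside Apache; -W prompts for the bind password instead of exposing it
    in the process list."""
    uri = "%s://%s:%d" % (parsed["scheme"], parsed["host"], parsed["port"])
    return ["ldapsearch", "-H", uri, "-D", bind_dn, "-W", "-b", parsed["base"],
            "-s", parsed["scope"], user_search_filter(parsed, login),
            parsed["attribute"]]

if __name__ == "__main__":
    p = parse_auth_ldap_url(AUTH_LDAP_URL)
    print(user_search_filter(p, "jdoe"))           # constructed login name
    print(" ".join(ldapsearch_command(p, "apache@mydomain.com", "jdoe")))
```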