Optional NTLM authentication for a website on Apache with PHP

This article shows how to configure the Apache webserver and a PHP website to optionally use NTLM authentication (Integrated Windows Authentication) for the website’s users. That means a user may log in via his or her Windows account but does not have to. If the user cannot be logged on (automatically), he or she is simply shown the basic website without the content that is reserved for logged-on users.

First of all, you need to configure your Apache webserver to use NTLM authentication against your Windows domain. I followed this step-by-step guide to make it work: Using the NTLM part of Samba for Apache on Linux.

Then you need to configure the webserver so that access to the file auth.php is restricted to authenticated Windows users:
<Files "auth.php">
    # require the user to login via his Windows account when accessing auth.php
    NTLMAuth on
    AuthType NTLM
    AuthName "NTLM Authentication"
    NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
    NTLMBasicAuthoritative on
    Require valid-user
    # if the user cannot be authenticated he gets redirected to the main page
    ErrorDocument 401 /index.php
</Files>

If the user gets authenticated, auth.php stores the Windows username in the user’s session like this:
<?php
session_start();
// NTLM sets REMOTE_USER to the current Windows username automatically
$_SESSION['username'] = $_SERVER['REMOTE_USER'];
header("Location: index.php");
// stop here so nothing else is sent after the redirect
exit;

Now, when the user opens the main page of the website (index.php) for the first time, he needs to be redirected to auth.php to authenticate. If the authentication fails, he is redirected back to index.php (via ErrorDocument 401 /index.php in the Apache config) and is not logged on, but may browse the content of the site that is visible to everybody. If he was authenticated correctly, he can now see the complete content of the website.

<?php
session_start();
$username = "";
$user_is_logged_in = false;
// when the user visits the site for the first time
// he has not yet been authenticated and his session is empty
if (!isset($_SESSION['username'])) {
    // initialize the username so the user does not get
    // redirected over and over again
    $_SESSION['username'] = "";
    header("Location: auth.php");
    exit;
} else {
    $username = trim($_SESSION['username']);
    // if the user got authenticated, auth.php stored the
    // username in the session
    if ($username != "") {
        $user_is_logged_in = true;
    }
}
if (!$user_is_logged_in) {
    echo 'not logged in<br/>';
    echo '<a href="auth.php">login</a><br/>';
} else {
    // escape the username before echoing it into HTML
    echo 'logged in as: ' . htmlspecialchars($username) . '<br/>';
    echo 'content only visible for logged in users<br/>';
}
echo 'content visible for all users<br/>';
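As an added example that is not part of the original post, the following include file (hypothetical name ntlm_session.php) implements the same optional-login flow with an explicit "authentication attempted" flag instead of the empty-username sentinel, regenerates the session ID on successful login, and only accepts a REMOTE_USER value that looks like an account name. It assumes PHP 7.1 or later and the <Files "auth.php"> block shown above, so that REMOTE_USER can only be set by Apache.

```php
<?php
// ntlm_session.php (hypothetical name): helpers shared by auth.php and index.php.
// Added example, not code from the original post. Assumes the Apache
// <Files "auth.php"> block is in place, so only mod_ntlm sets REMOTE_USER.

// Reduce "DOMAIN\user" or "user@domain" to the bare account name.
// Returns null for anything that does not look like an account name
// (the character class is an assumption; widen it for your naming rules).
function parse_ntlm_user(string $remoteUser): ?string
{
    $pattern = '/^(?:[A-Za-z0-9._-]+\\\\)?([A-Za-z0-9._-]+)(?:@[A-Za-z0-9.-]+)?$/';
    if (preg_match($pattern, trim($remoteUser), $m) === 1) {
        return $m[1];
    }
    return null;
}

// auth.php calls this; Apache has already authenticated the user by now.
function record_login(): void
{
    session_start();
    $_SESSION['auth_attempted'] = true;      // explicit flag instead of username == ""
    $user = parse_ntlm_user($_SERVER['REMOTE_USER'] ?? '');
    if ($user !== null) {
        session_regenerate_id(true);         // new session id on privilege change
        $_SESSION['username'] = $user;
    }
    header('Location: index.php');
    exit;
}

// index.php calls this: '' for an anonymous user, the account name otherwise.
// A brand-new session is sent to auth.php exactly once; the ErrorDocument 401
// path lands back here with auth_attempted already set, so there is no loop.
function current_user(): string
{
    session_start();
    if (empty($_SESSION['auth_attempted'])) {
        $_SESSION['auth_attempted'] = true;
        header('Location: auth.php');
        exit;
    }
    return $_SESSION['username'] ?? '';
}

// index.php usage: escape before echoing, REMOTE_USER is data, not markup
// $name = current_user();
// echo $name === '' ? '<a href="auth.php">login</a>'
//                   : 'logged in as: ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
```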

Download example website

Oracle: enable UTL_FILE.PUT_LINE to write output to a file

Today I wanted to log some database output to a text file with UTL_FILE.PUT_LINE but when I called this procedure:
CREATE OR REPLACE PROCEDURE writeLog(line varchar2) IS
    file utl_file.file_type;
BEGIN
    -- open /tmp/test.txt in append mode, write the line, flush and close
    file := utl_file.fopen('/tmp', 'test.txt', 'A');
    utl_file.put_line(file, line);
    utl_file.fflush(file);
    utl_file.fclose(file);
    dbms_output.put_line(line);
END writeLog;
it produced an ORA-29280 error (invalid directory path):

ORA-29280: invalid directory path
ORA-06512: in "SYS.UTL_FILE", line 29
ORA-06512: in "SYS.UTL_FILE", line 448
ORA-06512: in "AOM.WRITELOG", line 5

Apparently, you need to set the list of file system directories Oracle is allowed to write to (parameter UTL_FILE_DIR) in the database’s configuration. I found this article describing the needed action: Initialization Parameter files: PFILEs vs. SPFILEs.

After entering this simple command and restarting the database it worked:
ALTER SYSTEM SET utl_file_dir='/tmp' SCOPE=BOTH;

Is Punk Rock already mainstream?

Today during my morning break I read the following headline from wasteofmind.de:

Rise Against hits German charts
(Rise Against hits the top of the German album charts)

So it seems as if “good music” finally made it into the German charts 😉 What I don’t know is whether to be happy about it or not. “Endgame” surely is a great album (with catchy songs like Disparity By Design or Satellite), but not as “punk rocky” as the older ones (e.g. my favourite: Revolutions per Minute). You can definitely hear the difference (e.g. slower rhythms, “easier” song structures). I have listened to the complete album almost ten times so far, and most of the songs in the second half of the album needed quite a few listens to get into my head (they seem to have put the killer songs on the first half), but I still like most of them (Broken Mirrors and This is letting go are the two exceptions).

Go and visit their Myspace page and listen to some of the new songs and then (of course) go and BUY the album:

Job interview questions for system administrators

During the last few weeks I interviewed quite a few candidates for the position of system administrator in our company (job ad here). But what questions do you ask a prospective administrator to check whether he or she has the skills needed for the job? We needed someone who could administer a Windows domain and some Linux servers, all virtualized with VMware. For me, it was almost instantly clear that theoretical questions alone would not suffice to form an opinion of the candidate’s skills.

The developers I interviewed for another position had to “pair program” some small applications with me (although in fact they were the only ones to write a line of code). There are tons of example programs out there for this task; I chose FizzBuzz, a linked list, and a prime factors generator. By watching the candidates program “live” you can get a good grasp of their programming and analytical skills very quickly.

So, a colleague and I tried to come up with a small test for our new administrator and ended up with a scenario in a virtualized Windows/Debian environment. We provided a W2K8 domain controller and two Windows 7 clients, of which one had direct network access to the DC and the other one was in another virtual network. The Debian server was in the same network as the DC but had the wrong IP configuration. In this environment the candidate had to work through a bunch of tasks right at the keyboard and screen, so we could watch if and how he managed them, whether he used keyboard shortcuts or the online help, knew the needed tools (e.g. ping, nslookup), etc. That way we were able to rate the candidates’ results objectively against each other and quickly found our new colleague 🙂

Here are some of the tasks the candidates needed to perform:

  • connect to the DC via RDP
  • add some OUs, users and groups to the Active Directory
  • configure the ACLs of a network share
  • assign a network share to a user as a network drive
  • add a machine to the domain
  • find network configuration errors and reconfigure the machine
  • add a new harddisk to the DC (in VMWare and in Windows)
  • add and configure a GPO
  • configure a user to use a roaming profile
  • configure and activate a NIC under Debian
  • mount a network share
  • share a directory with samba
  • find common mistakes in a given Word document (e.g. manual page numbers and table of contents)

The fastest contestant took the test in about an hour without any bigger problem. The slowest contestant didn’t even know how to connect to the DC. As with developers, it all comes down to the tiny problems…

Silent PC with WEI 7,4 and low power consumption for under 800 EUR

Last week I assembled my newly bought PC. I didn’t want to spend more than 800 EUR, so it doesn’t contain the latest bleeding edge technology, but on the Windows Experience Index (WEI) it scores 7,4 out of 7,9:

QuietPC Windows 7 WEI 7,4

The boot time from “power on” to “Windows 7 desktop” is 37 seconds due to the SSD 🙂

My wife and I will both work a lot with the new PC, so it runs almost all day. Because of that I wanted hardware that is both silent and has low power consumption. I ended up buying the following parts, which cost me exactly 780,89 EUR. I bought everything from Mindfactory except the SSD (Amazon), which wasn’t available there.

The PC is almost completely silent even if the case is open. The loudest noise is the harddisk (not the SSD!) access. If I put it under the table you cannot hear a thing (except for the harddisk). On average, the PC consumes 80 Watts under “normal” load (Windows, Office, etc.). Under full load (Gothic Arcania, 1920×1680 pixels, full details) the power consumption goes up to 250 Watts, but it remains almost as silent as before. Here are two photos of the PC’s hardware. The CPU cooler is humongous; between the heatsinks and the case there is only about a centimetre of space.

Hardware of my silent PC 1
Hardware of my silent PC 2

Thanks to Torsten Weber, Scott Hanselman, and PC Games for the inspiration on silent and powerful hardware respectively.

Windows 2003: Logon script for user Administrator is not executed

In our Active Directory we’ve configured a logon script for the user Administrator but it wasn’t executed after logon. The script’s path was accessible via the network and could successfully be executed manually.

However, the problem was that somebody had changed the script’s path in the Active Directory account from a simple logon.cmd to %LOGONSERVER%\netlogon\logon.cmd. Although the latter is the correct path to the script, it wasn’t executed. After changing the path back to only the filename, it magically worked again 🙂

The problem with the absolute path above is that the environment variable %LOGONSERVER% is not set until the logon script runs, so the path could not be resolved beforehand to call the script.

Correct path to the logon script for user Administrator

Job openings: software developer and system administrator in Vechta

At ALTE OLDENBURGER we are once again looking for new colleagues in the IT department (which we like to call “EDV” ;-)). We are currently looking for both a software developer and a system administrator for a permanent position in Vechta (in our smart new building).

We are looking for new staff again in 2012: Job opening: software developer and system administrator wanted in Vechta.

The requirements in brief:

  • Software developer
    • Completed vocational training as an IT specialist in application development (Fachinformatiker Anwendungsentwicklung) or a completed (university of applied sciences) degree in (business) informatics or software engineering
    • Ideally 2 years of professional experience in software development in at least one of the programming languages Natural, Java or C#
    • A broad range of interests and the willingness to familiarise yourself independently with various technological areas
  • System administrator
    • Completed vocational training as an IT specialist in system integration (Fachinformatiker Systemintegration) or a completed (university of applied sciences) degree in (business) informatics
    • Ideally 2 years of professional experience in network administration in Windows (Active Directory, group policies) and Linux (web server, Samba) environments as well as in administering Oracle databases
    • Optionally, professional experience in administering Citrix and VMware infrastructure solutions
    • A broad range of interests and the willingness to familiarise yourself independently with various technological areas

More information is available on the website: Job openings at ALTE OLDENBURGER.

So get going and apply quickly! Then perhaps we will soon be colleagues 😉

MySQL: Host is not allowed to connect to this MySQL server

When connecting to a (development) MySQL server from a remote machine (e.g. with Oracle SQL Developer) I got the following error message:

Host [my host name] is not allowed to connect to this MySQL server.

All user permissions in the mysql.user table were set correctly (host % for user root) and bind-address in my.cnf was set to 0.0.0.0 (I don’t recommend these settings on a production machine!).

I found the solution in the MySQL Reference Manual in Chapter 5.4.7. Causes of Access-Denied Errors: I needed to update my glibc library. After a simple apt-get install libc6 everything worked perfectly.

PowerShell: Uninstall programs on a remote PC

Today I wanted to roll out Microsoft Office 2010 to a few clients but I needed to get rid of old Office installations on these systems because those could lead to problems while installing the new version. Instead of uninstalling them manually I wrote the following short PowerShell script UninstallOffice.ps1 for the task, which takes a computer name as its only parameter.

Param($pc = "")

if ($pc -eq "") {
    Write-Host "Usage: UninstallOffice.ps1 PC" -ForegroundColor Red
    exit
}

# display names (Win32_Product.Caption) of the old Office installations to remove
$programsToUninstall = @(
    "Microsoft Office Word Viewer 2003",
    "Microsoft Office Excel Viewer 2003",
    "Microsoft Office PowerPoint Viewer 2003",
    "Microsoft Office Visio Viewer 2003 (Deutsch)",
    "Microsoft Office XP Professional",
    "Microsoft Office Standard Edition 2003",
    "Microsoft Office Professional Edition 2003",
    "Microsoft Office Professional Plus 2007"
)

# enumerate the MSI-installed products on the remote PC; @() guarantees an array
# even when only a single product is returned
$products = @(Get-WmiObject -Class "Win32_Product" -Namespace "root\CIMV2" -ComputerName $pc)

if ($products.Length -gt 0) {
    $products | ForEach-Object {
        if ($programsToUninstall -contains $_.Caption) {
            Write-Host ("Uninstalling " + $_.Caption + " on " + $pc) -ForegroundColor Red
            $_.Uninstall()
        }
    }
}

You could replace the array $programsToUninstall with a list of the programs you would like to uninstall. The following snippet gives you a list of the installed programs’ names you could use in the array.
Get-WmiObject -Class "Win32_Product" -Namespace "root\CIMV2" -ComputerName $pc | Select-Object Caption

Update: If you get an error message when trying to uninstall the software, you may want to install this hotfix from Microsoft: Error message when you query Win32_Product class after you install applications by using Microsoft Windows Installer (MSI) 4.5 with “Per-User” option in Windows XP: “0x80041001 – Generic failure”.