Syed Jahanzaib Personal Blog to Share Knowledge !

April 11, 2012

How to Manage Active Directory using a Webmin/Linux Customized Panel


Article by
~!~ Syed Jahanzaib ~!~

Dedicated to all Pakistani soldiers who gave their lives in Siachen
Z@iB  

The following is one of the simplest ways to manage your Active Directory through a customized Webmin-based panel. I always prefer to build my own in-house solutions for daily routine tasks.

With this method you decide which options are exposed. For example, access to this panel can be granted to support personnel or help-desk staff, who will then be limited to the features and options you provide them with.

Support personnel open the panel in their browser at
http://yourlinuxbox

and, after entering their credentials, are taken to the command panel. Only the commands you have granted them access to appear there.

A very basic example is shown in the image below, but you can build more advanced, sophisticated functions (and prettier ones) on top of this panel to control many aspects of your network, whether Microsoft, Linux, Mikrotik or any other compatible device.

To create this panel, you will need following components

1) Linux box with WEBMIN installed

2) sshpass utility on the Linux box

3) freeSSHd application installed on the Windows AD server

4) Test the SSH connection to AD from your Linux box

5) Create scripts on Linux and link them to WEBMIN

6) Create a user in Webmin and grant Custom Commands rights

We will discuss the above six topics briefly, as follows . . .

1) INSTALL WEBMIN ON YOUR LINUX BOX:

I assume that you have already installed and configured your Linux box (preferably Ubuntu, but any flavor will do the job; that is the main quality of Linux :)~
To install Webmin, first add its repositories to sources.list. Open the file:

nano /etc/apt/sources.list

Now paste the following lines in the end of this file.

deb http://download.webmin.com/download/repository sarge contrib
deb http://webmin.mirror.somersettechsolutions.co.uk/repository sarge contrib
deb http://archive.canonical.com/ lucid partner

Save & Exit.

Now update apt-get and install webmin using

apt-get update
apt-get install webmin

The installation takes a little while depending on your Internet connection (usually less than 10 minutes); afterwards you can access Webmin at

https://yourlinuxboxip:10000

(TIP: you can change the Webmin port by editing the port= line in /etc/webmin/miniserv.conf and setting it to any port you like, for example 443 or 1234; restart Webmin afterwards.)

Now moving to ahead . . .

2) INSTALL ‘ SSHPASS ‘ ON YOUR LINUX BOX

The sshpass utility is required so that the script can supply the password to ssh non-interactively. A plain ssh would stop and prompt for the password, which a Webmin custom command cannot answer, so the script would hang at the prompt and never perform the desired task. Note that a password given with sshpass -p is visible to every local user in the process list; sshpass -f reads it from a file instead, which is the lesser evil if you must use passwords.
[However, the best approach is to generate SSH keys and use them. I am not going into that detail here; just Google for it.]

To install sshpass , use the below command . . .

sudo apt-get install sshpass

Done.

3) INSTALL freeSSHD SERVER ON WINDOWS Active Directory SERVER

First download the freeSSHd server and install it. Installation is very simple, just a few clicks on Next :p You can download it from

http://www.freesshd.com/freeSSHd.exe

At the end of the installation it will ask whether to run freeSSHd as a service. Select YES, so that it starts automatically with Windows as a Windows service.

After finishing setup you will see its icon in the taskbar notification area. Right-click it and select SETTINGS.
Go to the Users tab and add your users. You can add local users, or you can select NT authentication for domain accounts; for domain accounts you do not enter a password in freeSSHd. The choice is yours.
As shown in the image below . . .

4) TESTING SSH CONNECTION FROM LINUX BOX TO WINDOWS A.D SERVER

Now it is time to test whether your freeSSHd box is working. From your Linux box, use the following command to test the connection (replace the password and user id with the ones you created in freeSSHd).

sshpass -p 'freesshd_password' ssh userid@10.0.0.1

If it succeeds, you will see the Windows command prompt.
As shown in the image below . . .

If you are testing from Windows, you can use any SSH client such as PuTTY: enter the IP of the freeSSHd box and connect. If all goes well, you will be prompted for the user id; enter the password you added in freeSSHd and you will see the Windows command prompt.

5) Create Scripts on Linux and Link them to WEBMIN

Now that the base requirements are configured, it is time to create the various scripts that perform our desired functions and link them to the Webmin GUI. 😀

On your Linux box, create a folder:

mkdir /scripts
cd /scripts

Now create the first script, which will SSH to the AD server and fetch the list of DISABLED users.

touch viewdisabledusers.sh
chmod +x viewdisabledusers.sh
nano viewdisabledusers.sh

and paste the following lines ('123' stands for the freeSSHd user's password)

#!/bin/sh
sshpass -p '123' ssh zaib@10.0.0.1 'dsquery user -disabled'

Now Save & Exit. Because the script holds the password in clear text, keep it readable by root only. You can test it by executing ./viewdisabledusers.sh and you will see its result on your screen.

Now its time to link it with the webmin GUI Interface.

Login to Webmin.
Go to OTHERS / CUSTOM COMMANDS and click on Create a new custom command.
As shown in the image below . . .

After entering the command details as shown in the image above, click on SAVE.
Now you will see your newly created command box in the Custom Commands menu; click on it and you will see the result 🙂

# VIEW USER INFO SCRIPT

I will show you how to create a custom command that shows information about a specific user, with an input box. Webmin passes the value typed into the input box to the script as an environment variable named after the parameter, which is how the scripts at the end of this article read $UID.

Create a new Custom Command,
As shown in the image below . . .

After entering all the details, click on SAVE.

Now you will see the View User Info box in the Custom Commands menu. Enter any valid user id (one that exists in AD Users) and click on the View User Info button.
As shown in the image below . . .

Result . . .
As shown in the image below . . .



6) CREATE USER IN WEBMIN USERS & Grant Custom Command Rights

Now we will create a support-staff user account and grant it rights to Custom Commands only, so that when the support staff log in to Webmin they see only the Custom Commands module, not the rest of Webmin. Keep in mind that a custom command runs on the Linux box with the privileges of the user it is configured to run as (root by default), so expose only the specific scripts you intend.

Go to Webmin / Webmin Users.
Click on Create a new Webmin user.
As shown in the image below . . .


In User name, type the user name.
In the Password field, select SET TO and enter a password in the box.
In the Available Webmin modules section, select only Custom Commands.
Click SAVE to finish.

As shown in the image below . . .

Now log out of Webmin and log in again with the new user id you just created.

After logging in successfully . . .

the user will see only the Custom Commands menu . . .

TIP: You can replace the default Webmin logo with your company logo; the default image is /usr/share/webmin/images/webmin-blue.png

To change the default Webmin port (10000), edit miniserv.conf, change the port= line (usually the first line) to the port you want, and restart Webmin:

sudo nano -w /etc/webmin/miniserv.conf

SCRIPTS EXAMPLES

root@linux:/scripts# cat viewpcname.sh
sshpass -p 'freesshd_password' ssh zaib@10.0.0.1 dsquery computer -limit 1000 | sort > /scripts/temp.txt
sed -e 's/"CN=//g' -e 's/,CN=Computers,DC=YOURDOMAINNAME"//g' -e 's/,OU=WSUS,DC=agp1"//g' /scripts/temp.txt

root@linux:/scripts# cat alluserinfo.sh
sshpass -p 'freesshd_password' ssh zaib@10.0.0.1 'cmd /c dsquery user -limit 0 | dsget user -dn -disabled -display -email -dept -title' > /scripts/temp.txt
cat /scripts/temp.txt

root@linux:/scripts# cat disableuser.sh
# UID is the Webmin input-box parameter, passed to the script as an environment variable
sshpass -p 'freesshd_password' ssh zaib@10.0.0.1 Net user $UID /DOMAIN /active:NO

root@linux:/scripts# cat inactiveusers.sh
sshpass -p 'freesshd_password' ssh zaib@10.0.0.1 'cmd /c dsquery user "dc=YOURDOMAINNAME" -inactive 2 | dsget user -display -email -dept -title' > /scripts/temp.txt
sort /scripts/temp.txt -o /scripts/temp.txt
cat /scripts/temp.txt

root@linux:/scripts# cat viewdisabledusers.sh
sshpass -p 'freesshd_password' ssh zaib@10.0.0.1 'cmd /c dsquery user -disabled | dsget user -display -email -dept -title' > /scripts/temp.txt
cat /scripts/temp.txt

root@linux:/scripts# cat enableuser.sh
sshpass -p 'freesshd_password' ssh zaib@10.0.0.1 Net user $UID /DOMAIN /active:YES

root@linux:/scripts# cat userinfo.sh
sshpass -p 'freesshd_password' ssh zaib@10.0.0.1 Net user $UID /domain
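The scripts above paste the help-desk operator's input ($UID) straight into the remote command line, so whatever is typed into the Webmin box (for example jdoe & net user evil ... /add) reaches cmd.exe on the domain controller with the freeSSHd account's rights. They also keep the freeSSHd password in clear text in every file and on the sshpass command line, and share one world-readable /scripts/temp.txt. The following is an added example of a hardened replacement for them; it is not code from the original post. It assumes a root-only password file /etc/webmin/ad.pass (read with sshpass -f, or key authentication if the file is absent), a Webmin parameter named ADUSER instead of UID (in bash, UID is a read-only variable set at shell startup, so a parameter of that name may be shadowed), and an AD_DRYRUN=1 switch that prints the remote command instead of running ssh. The host 10.0.0.1 and user zaib are the ones from the post; the function names (valid_samaccountname, user_command, ad_remote, dn_to_name, report) are my own. It rejects anything outside the sAMAccountName character set before building the command, writes reports to a private mktemp file, and strips dsquery DNs to names generically instead of hard-coding each container.

```shell
#!/bin/sh
# adcmd.sh -- hardened wrapper for the Webmin custom commands in this post.
# Added example; not the original scripts. Assumed (not from the post):
#   /etc/webmin/ad.pass  -> freeSSHd password, mode 0600, owned by root
#   ADUSER               -> the Webmin input-box parameter (UID is read-only in bash)
#   AD_DRYRUN=1          -> print the remote command instead of running ssh
set -eu

AD_HOST="${AD_HOST:-10.0.0.1}"
AD_USER="${AD_USER:-zaib}"
AD_PASSFILE="${AD_PASSFILE:-/etc/webmin/ad.pass}"

# Accept only sAMAccountName-style ids: letters, digits, '.', '_', '-',
# at most 20 characters. Shell metacharacters, spaces and newlines are
# rejected here, before they can reach cmd.exe behind freeSSHd.
valid_samaccountname() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 20 ]
}

# Build the remote "net user" command for one action; non-zero on bad input.
user_command() {    # $1 = info|disable|enable, $2 = user id from Webmin
    action="$1"; user="$2"
    valid_samaccountname "$user" || { echo "rejected user id: $user" >&2; return 2; }
    case "$action" in
        info)    printf 'net user %s /domain' "$user" ;;
        disable) printf 'net user %s /domain /active:no' "$user" ;;
        enable)  printf 'net user %s /domain /active:yes' "$user" ;;
        *)       echo "unknown action: $action" >&2; return 2 ;;
    esac
}

# Run exactly one command on the AD server. The whole command is passed as
# a single ssh argument, so only text built by this script reaches cmd.exe.
ad_remote() {
    if [ "${AD_DRYRUN:-0}" = "1" ]; then
        printf '%s\n' "$1"
    elif [ -r "$AD_PASSFILE" ]; then
        # sshpass -f keeps the password off the command line (and out of ps).
        sshpass -f "$AD_PASSFILE" ssh -o ConnectTimeout=10 "$AD_USER@$AD_HOST" "$1"
    else
        # No password file: rely on a key loaded into freeSSHd; never prompt.
        ssh -o BatchMode=yes -o ConnectTimeout=10 "$AD_USER@$AD_HOST" "$1"
    fi
}

# dsquery prints quoted DNs such as "CN=PC01,OU=WSUS,DC=agp1". Keep only the
# leading CN value, whatever container the object lives in.
dn_to_name() {
    sed -e 's/^"//' -e 's/"$//' -e 's/^CN=//' -e 's/,.*$//'
}

# Reports go to a private temp file, not a shared /scripts/temp.txt that
# every command overwrites (and every local user can read).
report() {    # $1 = remote command whose sorted output is wanted
    tmp=$(mktemp /tmp/adreport.XXXXXX)
    ad_remote "$1" | sort > "$tmp"
    cat "$tmp"
    rm -f "$tmp"
}

# Entry point for Webmin:  ./adcmd.sh info|disable|enable   (user id in $ADUSER)
#                          ./adcmd.sh disabled | computers
if [ $# -gt 0 ]; then
    case "$1" in
        info|disable|enable)
            cmd=$(user_command "$1" "${ADUSER:-}") || exit 2
            ad_remote "$cmd" ;;
        disabled)
            report 'cmd /c dsquery user -disabled | dsget user -display -email -dept -title' ;;
        computers)
            report 'dsquery computer -limit 0' | dn_to_name ;;
        *)
            echo "usage: $0 {info|disable|enable|disabled|computers}" >&2; exit 2 ;;
    esac
fi
```

In Webmin, each custom command then runs /scripts/adcmd.sh with one action word (for example /scripts/adcmd.sh disable) and, for the per-user actions, a single parameter named ADUSER; the script never interpolates that value into anything it has not validated first. Run AD_DRYRUN=1 ADUSER='jdoe & whoami' ./adcmd.sh info on the Linux box to confirm that hostile input is rejected before ssh is ever called.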

More command references are available here:

https://aacable.wordpress.com/2013/01/16/active-directory-dsquery-miscellenous-commands-with-syntax/

Regards,

SYED JAHANZAIB
aacable [at] hotmail . com


July 5, 2011

A Success story with Mikrotik and DMASoftlab RADIUS MANAGER [Glass Line Pvt Ltd.] June, 2011


Article by Syed Jahanzaib !

Recently I was contacted by a friend who was really passionate about starting a mini-ISP type network for about 3000 users in the interior of the city (it may soon expand to 5000+ users). He asked for my help to set up a scratch-card based, fully automatic system: the user purchases a scratch card and, using the User Self Care portal web site, creates a new ID, refreshes his previous ID or changes the service package according to what the card offers. I had previously set up this kind of scenario in a cable.net environment using Mikrotik's built-in RADIUS server, called 'User Manager', but it has very limited basic features; all it offered was a pre-paid option and it lacks many accounting features. So I thought I should try a more feature-rich RADIUS server, and after a lot of googling I decided to go with the (FreeRADIUS based) DMASOFTLAB RADIUS MANAGER, a very popular RADIUS server with all the options a mini-ISP would require at an unbelievably low price.

The hardware that I have used for this setup.

* Main Mikrotik = v4.17 x86 / Xeon 3.6GHz Dual / 2 GB RAM / WD 500 GB SATA HDD. This MT serves as PPPoE server + NAT + bandwidth shaping. It also redirects HTTP traffic to the proxy server.

* Mikrotik RB750 = just for HOTSPOT, to redirect users to the self care portal.
(This can be done on the main MT as well, but I prefer it this way.)

* Radius Server = DMASoftlab RM v3.9 installed on Fedora v10 / Xeon 3.6GHz Dual / 4 GB RAM / WD 500 GB x2 SATA HDD

* SQUID PROXY GW = SQUID v2.7 on UBUNTU Karmic Koala v9.10 / Xeon 3.6GHz Dual / 8 GB RAM / WD 500 GB x3 SATA HDD (2 HDDs reserved for cache). This server acts as proxy + gateway machine for the Mikrotik. It also does URL filtering and blocks ads, and it has ZPH enabled so that content already in the squid cache is downloaded at full speed (without package limitation) at the user end. It also caches YouTube videos using VIDEOCACHE.

* Linux Transparent BRIDGE firewall + DHCP + DNS + MRTG + WEB Server on FEDORA V10 / Xeon 3.6GHz Dual / 4 GB RAM / WD 500 GB SATA HDD. This server sits between the Mikrotik and the users, filtering unwanted traffic and ports, and does some other stuff: a lightweight DNSMASQ DNS server, a DHCP server providing IPs to users, a web site with MRTG, a Psychostats ranking system for the Counter-Strike game, server monitoring scripts and alerts, PHPBB forums for users, and some other cool stuff. DNS+DHCP are hosted on this server to minimize load on the main Mikrotik machine; this machine also filters unwanted traffic before it reaches the main Mikrotik.

In this setup I configured HOTSPOT on the extra RB750 only to redirect the user to my advertisement page, where he is informed that he is not logged in via the dialer and should either create / refresh his ID from the RM User Self Care portal or, if he already has an ID, connect with the dialer. I do not prefer HotSpot authentication for various security reasons, mainly because I had a very bad experience with a HOTSPOT hit by ARP poisoning and by many virus flooders that target the default gateway.

When the user first logs in, his PC's MAC address is bound to his ID to prevent access from different PCs. Multiple sessions of the same ID are NOT allowed. I provide the user with a scratch card (with a refill code) which he can use to refill his account according to the card amount/package from the RM User Self Care portal. An RM demo can be viewed at http://www.dmasoftlab.com/cont/radman

When a user with the PPPoE dialer tries to connect to the main Mikrotik, MT verifies his credentials by asking the Radius server for the account validity; if the ID is valid the user connects and can use the Internet, otherwise he is disconnected. When the user's account has expired he can still log in via the dialer, but he is then redirected to my local web server page, where he is informed that his account has expired and that he should visit the billing.local page to renew it using a card.

Attached is my network diagram. (This was the initial design; I made a few changes afterwards: I moved the FTP from the MT DMZ to the user subnet LAN to avoid load on the MT, and I moved the FTP OS from Windows to Linux and integrated it with RADIUS authentication using APACHE.)

Some other entertainment services that I set up here were:
2 FTP media sharing servers (4 TB of data)
2 live TV channels streamed over the LAN using VLC Media Player broadcasting
1 Counter-Strike 1.6 dedicated server with the Psychostats ranking system and adminmod/amxmod
1 web server (Ubuntu) hosting the site u-dear . com, an entertainment portal, and other features. It also hosts the monitoring system with MRTG / SMS alerts via an attached mobile phone.

About RM: Radius Manager has a nice web interface for administering the users and the whole system (traffic accounting, tracking of online users, statistics, maintenance, account management etc.).

I should also add that the DMASoftlab customer support guys (especially Mr. Viktor K.) provide excellent support and respond instantly even to the dumbest of questions. It is real value for money, especially for those who do not have a big wallet$.

Network Diagram Layout: (the complete setup guide can be found at
https://aacable.wordpress.com/2011/07/19/mikrotik-squid-zph-complete-guide-incomplete-post-i-will-edit-it-later/ )

GLASSLINE-Network-Presentation-by-zaib Update 03/08/2001
