Author: Sean Chang

Background

If you would like to join different systems and combine wireless accounts in your current non-Microsoft Active Directory environment by a single auth server, the low-priced easiest way surely is using open source projects to setup your own LDAP Directory service.

The most popular open source LDAP Directory server project is OpenLDAP. However, We can find many OpenLDAP examples on net. But when it comes to back-sql, especially when you need to integrate authentication by existing user accounts of current system, which were stored in MSSQL backend, you can find only MySQL and PostgreSQL success stories.

We wish this document can deliver some useful hints on how to deal with OpenLDAP with backend MSSQL.

LDAP is based on a simpler subset of the standards contained within the X.500 standard. Different than RDBMS, such as Oracle, MSSQL, MySQL. LDAP is a tree structure planned for best searching performance. We do not recommend using RDBMS as LDAP backend, unless you have a MUST-TO reason.

Resources

You can learn more about LDAP Directory service through these websites.

• Network Working Group RFC 4511 - IETF.org
• Lightweight Directory Access Protocol - WIKIPEDIA
• OpenLDAP - OpenLDAP open source project site

Table of Contents

1. Components Installation
2. freeTDS Installation
3. Configuration of each component
4. Setting Up OpenLDAP
5. Verify OpenLDAP Configurations
6. Misc.
7. Further Readings

Components and Software Version

• OpenLDAP Server
  • OS: CentOS 6.5 (64-bit)
  • OpenLDAP: 2.4.23
  • unixODBC: 2.2.14
  • freeTDS: 0.91
• Remote Database
  • OS: Microsoft Windows 2008 Server R2
  • Database: Microsoft SQL Server 2012

Basic Scenario

To use OpenLDAP with backend Microsoft SQL Server, you have to find a correct way to link them together. The following is our scenario:

• Using freeTDS driver to link Microsoft SQL Server, and set freeTDS as an ODBC datasource
• OpenLDAP using unixODBC driver to link with freeTDS ODBC
• The logical structure:

Before We Start

The following processes begin after you finish the installation of operation system. We setup our OS using CentOS Minimal Installation, and then wget tool has been installed.

You can learn how to install CentOS Minimal in this article: How to install CentOS 6.5 minimal by rasho on LINTUT

1. Components Installation

Because we are so lazy hope this document can more clean and clear, we install our components using yum with root account in the following processes.

Of course, you can finish same procedures by using sudo with user account. And to install all components using rpm is definitely ok too.

#yum install openldap openldap-clients openldap-servers openldap-devel openldap-servers-sql
#yum install unixODBC unixODBC-libs unixODBC-devel

2. freeTDS Installation

2.1 Set Environment variable

Use vi or nano to edit /etc/profile, adding this section at the end of file:

# TDS
    SYBASE=/usr/local
    LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:$SYBASE/lib
    export SYBASE LD_LIBRARY_PATH

2.2 Download and unpack freeTDS

You can find the download link in freeTDS Project Site. Generally they will not modify the link of stable version.

ps. You may switch to /tmp dictionary first

#wget ftp://ftp.freetds.org/pub/freetds/stable/freetds-stable.tgz
#tar -zxf freetds-stable.tgz
#cd freetds-0.91 ||REPLACE WITH YOUR VERSION NUMBER

2.3 Install freeTDS

#./configure --with-tdsver=8.0 --with-unixodbc=/usr/local
#make
#make install

The general freeTDS installation paths is:

• Library： /usr/local/lib
• Configuration： /usr/local/etc

3. Configuration of each component

3.1 Prepare LDAP Database on your MSSQL Server

Before we start to config all components, the first step is to create sample database and data for LDAP service in your SQL Server.

You can find these samples at the latest version of OpenLDAP on OpenLDAP Project site. Download and unpack it, the sample scripts are located in \servers\slapd\back-sql\rdbms_depend\mssql. Of course, you can download Sample MSSQL Schema from here.

We recommend you execute these scripts through SQL Server Management Studio:

• Create LDAP database

  We assume the database name is LDAP

• Execute backsql_create.sql in LDAP database

  Create OpenLDAP Schama

• Execute testdb_create.sql in LDAP database

  Create Sample Data Tables

• Execute testdb_metadata.sql in LDAP database

  Create Sample Metadata

• Execute testdb_data.sql in LDAP database

  Create Sample Data

3.2 freeTDS to Microsoft SQL Server

Use vi or nano to edit /usr/local/etc/freetds.conf, adding this section at the end of file:

[MSSQL]
#REPLACE WITH YOUR MSSQL SERVER IPv4 ADDRESS
host = 192.168.1.100

#REPLACE WITH YOUR MSSQL SERVER LISTENING PORT
port = 1433

tds version = 8.0  
client charset = UTF-8  

3.3 Confirm freeTDS Configuration

You can test the connectivity between freeTDS and SQL Server using this command:

#tsql -S MSSQL -U username -P password

If your settings were correct, you will see a reponse like this:

Type exit to leave.

3.4 unixODBC to freeTDS

3.4.1 odbcinst.ini

Use vi or nano to edit /etc/odbcinst.ini.

• There are default PostgreSQL and MySQL settings. We will not use these database, you can mark them as unused.

• Adding this section at the end of file:

[FreeTDS]
Description=ODBC for SQL Server  
Driver=/usr/local/lib/libtdsodbc.so  
UsageCount=1  

3.4.2 odbc.ini

Use vi or nano to edit /etc/odbc.ini, adding this section at the end of file:

[MSODBC]
Driver=FreeTDS  
Description=Mikotek SQL Server  
Trace=No

#REPLACE WITH YOUR MSSQL SERVER IPv4 ADDRESS
Server= 192.168.1.100

#REPLACE WITH YOUR LDAP DATABASE NAME
Database= LDAP

#REPLACE WITH YOUR MSSQL SERVER LISTENING PORT
Port=1433

TDS_Version = 8.0  
Charset = UTF-8  

3.5 Confirm unixODBC Configuration

You can test the connectivity between unixODBC and SQL Server using this command:

#isql -v MSODBC username password

If your settings were correct, you will see a reponse like this:

Type quit to leave。

4. Setting Up OpenLDAP

4.1 Generate a Secure Password

In later section, we will set up an OpenLDAP administrator and an administrative password. OpenLDAP supports plaintext password, and an encrypted password like MD5, SHA, CRYPT is supported too.

We are going to use CRYPT password this time, you can generate a secure password by slappasswd -h {crypt}:

#slappasswd -h {crypt}
New password:  
Re-enter new password:  
{CRYPT}4kXX4T1wXj3Zc

The {CRYPT}4kXX4T1wXj3Zc is the encrypted password. Copy it, we will need it later.

4.2 Copy slapd.conf from OpenLDAP Template

#cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf

4.3 Remove and Backup Default BDB Database

#mv /etc/openldap/slapd.d /etc/openldap/slapd.d.bak

4.4 slapd.conf Configuration

Use vi or nano to edit /etc/openldap/slapd.conf.

4.4.1 Section: include

We will need only the following LDAP schemas in this practice:

include    /etc/openldap/schema/core.schema  
include    /etc/openldap/schema/cosine.schema  
include    /etc/openldap/schema/inetorgperson.schema  

You can mark other schemas as unused.

4.4.2 Section: module

We are using 64-bit system, and use only back_sql module, you can mark other modules as unused.

modulepath /usr/lib64/openldap  
moduleload back_sql.la  

4.4.3 Section: TLS Certificate Configuration

OpenLDAP supports SSL connection, you can set up TLS configuration in this section.

However, we DO NOT include the know-how of SSL setup in this practice. You can mark the TLS section as unused for now. If you were interested in OpenLDAP SSL configuration, you may find some useful hint in this document: Configure OpenLDAP with SSL/TLS

4.4.4 Section: ACL Configuration

ACL 1: Alow Users view and change their own password

access to attrs=userpassword  
    by self write
    by anonymous auth
    by * none

ACL 2: Allow Authenticated Users to View, Limit Anonymous Users to Auth

access to *  
    by self write
    by users read
    by anonymous auth
    by * none

4.4.5 Section: Database Definitions

There is a default BDB database definition in template config file. We are going to set up a SQL database, so mark whole default BDB database section as unused.

Adding our SQL database definition at the end of file:

###################################################
# sql database definitions
###################################################

database        sql  
suffix          "dc=example,dc=com"  
rootdn          "cn=Manager,dc=example,dc=com"

#REPLACE WITH YOUR SECURE PASSWORD
rootpw          {CRYPT}4kXX4T1wXj3Zc

#ODBC DATASOURCE NAME
dbname          MSODBC

#REPLACE WITH YOUR MSSQL LDAP DATABASE USER
dbuser          username

#REPLACE WITH YOUR MSSQL LDAP DATABASE USER PASSWORD
dbpasswd        password

subtree_cond    "ldap_entries.dn LIKE '%'+?"

has_ldapinfo_dn_ru      no  
###################################################

4.5 ldap.conf Configuration

Use vi or nano to edit /etc/openldap/ldap.conf.

Define LDAP base, and set the LDAP uri according to your environment:

BASE    dc=example,dc=com  
URI    ldap://ldap.example.com  

5. Verify OpenLDAP Configurations

5.1 OpenLDAP Config Testing

You can verify your config file using this command:

#slaptest -u

If your settings were correct, you will see a reponse like this:

config file testing succeeded  

5.2 Launch the Slap Daemon

#service slapd start

5.3 Test Connectivity and Data with LDAP client

You can perform a LDAP search by ldapsearch, using this command to verify LDAP working functionally:

#ldapsearch -x -D cn=Manager,dc=example,dc=com -w YOUR_LDAP_ROOTPW -b dc=example,dc=com

REPLACE YOUR_LDAP_ROOTPW with your definition

If your settings were correct, you will see a reponse like this:

# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: sn=Kovalev
# requesting: ALL
#

# Mitya Kovalev, example.com
dn: cn=Mitya Kovalev,dc=example,dc=com  
objectClass: inetOrgPerson  
cn: Mitya Kovalev  
sn: Kovalev  
seeAlso: documentTitle=book1,dc=example,dc=com  
seeAlso: documentTitle=book2,dc=example,dc=com  
givenName: Mitya  
userPassword:: bWl0  
telephoneNumber: 222-3234  
telephoneNumber: 332-2334

# search result
search: 2  
result: 0 Success

# numResponses: 2
# numEntries: 1

6. Misc.

6.1 Automatic Launch OpenLDAP service on system boot

#chkconfig --add ldap
#chkconfig ldap on

7. Further Readings

For now, you are successfully integrate OpenLDAP with backend Microsoft SQL Server.

If you were interested in LDAP data design and metadata planning, you may find some useful information in these websites:

• Setting up LDAP with back-sql - Flat Mountain
• Sample MySQL schema for OpenLDAP with back-sql - WingFOSS
• Common LDAP schemas - oav.net

Author: Sean Chang

Background

If you would like to join different systems and combine wireless accounts in your current non-Microsoft Active Directory environment by a single auth server, the low-priced easiest way surely is using open source projects to setup your own LDAP Directory service.

The most popular open source LDAP Directory server project is OpenLDAP. However, We can find many OpenLDAP examples on net. But when it comes to back-sql, especially when you need to integrate authentication by existing user accounts of current system, which were stored in MSSQL backend, you can find only MySQL and PostgreSQL success stories.

We wish this document can deliver some useful hints on how to deal with OpenLDAP with backend MSSQL.

LDAP is based on a simpler subset of the standards contained within the X.500 standard. Different than RDBMS, such as Oracle, MSSQL, MySQL. LDAP is a tree structure planned for best searching performance. We do not recommend using RDBMS as LDAP backend, unless you have a MUST-TO reason.

Resources

You can learn more about LDAP Directory service through these websites.

• Network Working Group RFC 4511 - IETF.org
• Lightweight Directory Access Protocol - WIKIPEDIA
• OpenLDAP - OpenLDAP open source project site

Table of Contents

1. Components Installation
2. freeTDS Installation
3. Configuration of each component
4. Setting Up OpenLDAP
5. Verify OpenLDAP Configurations
6. Misc.
7. Further Readings

Components and Software Version

• OpenLDAP Server
  • OS: CentOS 6.5 (64-bit)
  • OpenLDAP: 2.4.23
  • unixODBC: 2.2.14
  • freeTDS: 0.91
• Remote Database
  • OS: Microsoft Windows 2008 Server R2
  • Database: Microsoft SQL Server 2012

Basic Scenario

To use OpenLDAP with backend Microsoft SQL Server, you have to find a correct way to link them together. The following is our scenario:

• Using freeTDS driver to link Microsoft SQL Server, and set freeTDS as an ODBC datasource
• OpenLDAP using unixODBC driver to link with freeTDS ODBC
• The logical structure:

Before We Start

The following processes begin after you finish the installation of operation system. We setup our OS using CentOS Minimal Installation, and then wget tool has been installed.

You can learn how to install CentOS Minimal in this article: How to install CentOS 6.5 minimal by rasho on LINTUT

1. Components Installation

Because we are so lazy hope this document can more clean and clear, we install our components using yum with root account in the following processes.

Of course, you can finish same procedures by using sudo with user account. And to install all components using rpm is definitely ok too.

#yum install openldap openldap-clients openldap-servers openldap-devel openldap-servers-sql
#yum install unixODBC unixODBC-libs unixODBC-devel

2. freeTDS Installation

2.1 Set Environment variable

Use vi or nano to edit /etc/profile, adding this section at the end of file:

# TDS
    SYBASE=/usr/local
    LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:$SYBASE/lib
    export SYBASE LD_LIBRARY_PATH

2.2 Download and unpack freeTDS

You can find the download link in freeTDS Project Site. Generally they will not modify the link of stable version.

ps. You may switch to /tmp dictionary first

#wget ftp://ftp.freetds.org/pub/freetds/stable/freetds-stable.tgz
#tar -zxf freetds-stable.tgz
#cd freetds-0.91 ||REPLACE WITH YOUR VERSION NUMBER

2.3 Install freeTDS

#./configure --with-tdsver=8.0 --with-unixodbc=/usr/local
#make
#make install

The general freeTDS installation paths is:

• Library： /usr/local/lib
• Configuration： /usr/local/etc

3. Configuration of each component

3.1 Prepare LDAP Database on your MSSQL Server

Before we start to config all components, the first step is to create sample database and data for LDAP service in your SQL Server.

You can find these samples at the latest version of OpenLDAP on OpenLDAP Project site. Download and unpack it, the sample scripts are located in \servers\slapd\back-sql\rdbms_depend\mssql. Of course, you can download Sample MSSQL Schema from here.

We recommend you execute these scripts through SQL Server Management Studio:

• Create LDAP database

  We assume the database name is LDAP

• Execute backsql_create.sql in LDAP database

  Create OpenLDAP Schama

• Execute testdb_create.sql in LDAP database

  Create Sample Data Tables

• Execute testdb_metadata.sql in LDAP database

  Create Sample Metadata

• Execute testdb_data.sql in LDAP database

  Create Sample Data

3.2 freeTDS to Microsoft SQL Server

Use vi or nano to edit /usr/local/etc/freetds.conf, adding this section at the end of file:

[MSSQL]
#REPLACE WITH YOUR MSSQL SERVER IPv4 ADDRESS
host = 192.168.1.100

#REPLACE WITH YOUR MSSQL SERVER LISTENING PORT
port = 1433

tds version = 8.0  
client charset = UTF-8  

3.3 Confirm freeTDS Configuration

You can test the connectivity between freeTDS and SQL Server using this command:

#tsql -S MSSQL -U username -P password

If your settings were correct, you will see a reponse like this:

Type exit to leave.

3.4 unixODBC to freeTDS

3.4.1 odbcinst.ini

Use vi or nano to edit /etc/odbcinst.ini.

• There are default PostgreSQL and MySQL settings. We will not use these database, you can mark them as unused.

• Adding this section at the end of file:

[FreeTDS]
Description=ODBC for SQL Server  
Driver=/usr/local/lib/libtdsodbc.so  
UsageCount=1  

3.4.2 odbc.ini

Use vi or nano to edit /etc/odbc.ini, adding this section at the end of file:

[MSODBC]
Driver=FreeTDS  
Description=Mikotek SQL Server  
Trace=No

#REPLACE WITH YOUR MSSQL SERVER IPv4 ADDRESS
Server= 192.168.1.100

#REPLACE WITH YOUR LDAP DATABASE NAME
Database= LDAP

#REPLACE WITH YOUR MSSQL SERVER LISTENING PORT
Port=1433

TDS_Version = 8.0  
Charset = UTF-8  

3.5 Confirm unixODBC Configuration

You can test the connectivity between unixODBC and SQL Server using this command:

#isql -v MSODBC username password

If your settings were correct, you will see a reponse like this:

Type quit to leave。

4. Setting Up OpenLDAP

4.1 Generate a Secure Password

In later section, we will set up an OpenLDAP administrator and an administrative password. OpenLDAP supports plaintext password, and an encrypted password like MD5, SHA, CRYPT is supported too.

We are going to use CRYPT password this time, you can generate a secure password by slappasswd -h {crypt}:

#slappasswd -h {crypt}
New password:  
Re-enter new password:  
{CRYPT}4kXX4T1wXj3Zc

The {CRYPT}4kXX4T1wXj3Zc is the encrypted password. Copy it, we will need it later.

4.2 Copy slapd.conf from OpenLDAP Template

#cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf

4.3 Remove and Backup Default BDB Database

#mv /etc/openldap/slapd.d /etc/openldap/slapd.d.bak

4.4 slapd.conf Configuration

Use vi or nano to edit /etc/openldap/slapd.conf.

4.4.1 Section: include

We will need only the following LDAP schemas in this practice:

include    /etc/openldap/schema/core.schema  
include    /etc/openldap/schema/cosine.schema  
include    /etc/openldap/schema/inetorgperson.schema  

You can mark other schemas as unused.

4.4.2 Section: module

We are using 64-bit system, and use only back_sql module, you can mark other modules as unused.

modulepath /usr/lib64/openldap  
moduleload back_sql.la  

4.4.3 Section: TLS Certificate Configuration

OpenLDAP supports SSL connection, you can set up TLS configuration in this section.

However, we DO NOT include the know-how of SSL setup in this practice. You can mark the TLS section as unused for now. If you were interested in OpenLDAP SSL configuration, you may find some useful hint in this document: Configure OpenLDAP with SSL/TLS

4.4.4 Section: ACL Configuration

ACL 1: Alow Users view and change their own password

access to attrs=userpassword  
    by self write
    by anonymous auth
    by * none

ACL 2: Allow Authenticated Users to View, Limit Anonymous Users to Auth

access to *  
    by self write
    by users read
    by anonymous auth
    by * none

4.4.5 Section: Database Definitions

There is a default BDB database definition in template config file. We are going to set up a SQL database, so mark whole default BDB database section as unused.

Adding our SQL database definition at the end of file:

###################################################
# sql database definitions
###################################################

database        sql  
suffix          "dc=example,dc=com"  
rootdn          "cn=Manager,dc=example,dc=com"

#REPLACE WITH YOUR SECURE PASSWORD
rootpw          {CRYPT}4kXX4T1wXj3Zc

#ODBC DATASOURCE NAME
dbname          MSODBC

#REPLACE WITH YOUR MSSQL LDAP DATABASE USER
dbuser          username

#REPLACE WITH YOUR MSSQL LDAP DATABASE USER PASSWORD
dbpasswd        password

subtree_cond    "ldap_entries.dn LIKE '%'+?"

has_ldapinfo_dn_ru      no  
###################################################

4.5 ldap.conf Configuration

Use vi or nano to edit /etc/openldap/ldap.conf.

Define LDAP base, and set the LDAP uri according to your environment:

BASE    dc=example,dc=com  
URI    ldap://ldap.example.com  

5. Verify OpenLDAP Configurations

5.1 OpenLDAP Config Testing

You can verify your config file using this command:

#slaptest -u

If your settings were correct, you will see a reponse like this:

config file testing succeeded  

5.2 Launch the Slap Daemon

#service slapd start

5.3 Test Connectivity and Data with LDAP client

You can perform a LDAP search by ldapsearch, using this command to verify LDAP working functionally:

#ldapsearch -x -D cn=Manager,dc=example,dc=com -w YOUR_LDAP_ROOTPW -b dc=example,dc=com

REPLACE YOUR_LDAP_ROOTPW with your definition

If your settings were correct, you will see a reponse like this:

# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: sn=Kovalev
# requesting: ALL
#

# Mitya Kovalev, example.com
dn: cn=Mitya Kovalev,dc=example,dc=com  
objectClass: inetOrgPerson  
cn: Mitya Kovalev  
sn: Kovalev  
seeAlso: documentTitle=book1,dc=example,dc=com  
seeAlso: documentTitle=book2,dc=example,dc=com  
givenName: Mitya  
userPassword:: bWl0  
telephoneNumber: 222-3234  
telephoneNumber: 332-2334

# search result
search: 2  
result: 0 Success

# numResponses: 2
# numEntries: 1

6. Misc.

6.1 Automatic Launch OpenLDAP service on system boot

#chkconfig --add ldap
#chkconfig ldap on

7. Further Readings

For now, you are successfully integrate OpenLDAP with backend Microsoft SQL Server.

If you were interested in LDAP data design and metadata planning, you may find some useful information in these websites:

• Setting up LDAP with back-sql - Flat Mountain
• Sample MySQL schema for OpenLDAP with back-sql - WingFOSS
• Common LDAP schemas - oav.net

Author: Sean Chang

Background

If you would like to join different systems and combine wireless accounts in your current non-Microsoft Active Directory environment by a single auth server, the low-priced easiest way surely is using open source projects to setup your own LDAP Directory service.

The most popular open source LDAP Directory server project is OpenLDAP. However, We can find many OpenLDAP examples on net. But when it comes to back-sql, especially when you need to integrate authentication by existing user accounts of current system, which were stored in MSSQL backend, you can find only MySQL and PostgreSQL success stories.

We wish this document can deliver some useful hints on how to deal with OpenLDAP with backend MSSQL.

LDAP is based on a simpler subset of the standards contained within the X.500 standard. Different than RDBMS, such as Oracle, MSSQL, MySQL. LDAP is a tree structure planned for best searching performance. We do not recommend using RDBMS as LDAP backend, unless you have a MUST-TO reason.

Resources

You can learn more about LDAP Directory service through these websites.

• Network Working Group RFC 4511 - IETF.org
• Lightweight Directory Access Protocol - WIKIPEDIA
• OpenLDAP - OpenLDAP open source project site

Table of Contents

1. Components Installation
2. freeTDS Installation
3. Configuration of each component
4. Setting Up OpenLDAP
5. Verify OpenLDAP Configurations
6. Misc.
7. Further Readings

Components and Software Version

• OpenLDAP Server
  • OS: CentOS 6.5 (64-bit)
  • OpenLDAP: 2.4.23
  • unixODBC: 2.2.14
  • freeTDS: 0.91
• Remote Database
  • OS: Microsoft Windows 2008 Server R2
  • Database: Microsoft SQL Server 2012

Basic Scenario

To use OpenLDAP with backend Microsoft SQL Server, you have to find a correct way to link them together. The following is our scenario:

• Using freeTDS driver to link Microsoft SQL Server, and set freeTDS as an ODBC datasource
• OpenLDAP using unixODBC driver to link with freeTDS ODBC
• The logical structure:

Before We Start

The following processes begin after you finish the installation of operation system. We setup our OS using CentOS Minimal Installation, and then wget tool has been installed.

You can learn how to install CentOS Minimal in this article: How to install CentOS 6.5 minimal by rasho on LINTUT

1. Components Installation

Because we are so lazy hope this document can more clean and clear, we install our components using yum with root account in the following processes.

Of course, you can finish same procedures by using sudo with user account. And to install all components using rpm is definitely ok too.

#yum install openldap openldap-clients openldap-servers openldap-devel openldap-servers-sql
#yum install unixODBC unixODBC-libs unixODBC-devel

2. freeTDS Installation

2.1 Set Environment variable

Use vi or nano to edit /etc/profile, adding this section at the end of file:

# TDS
    SYBASE=/usr/local
    LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:$SYBASE/lib
    export SYBASE LD_LIBRARY_PATH

2.2 Download and unpack freeTDS

You can find the download link in freeTDS Project Site. Generally they will not modify the link of stable version.

ps. You may switch to /tmp dictionary first

#wget ftp://ftp.freetds.org/pub/freetds/stable/freetds-stable.tgz
#tar -zxf freetds-stable.tgz
#cd freetds-0.91 ||REPLACE WITH YOUR VERSION NUMBER

2.3 Install freeTDS

#./configure --with-tdsver=8.0 --with-unixodbc=/usr/local
#make
#make install

The general freeTDS installation paths is:

• Library： /usr/local/lib
• Configuration： /usr/local/etc

3. Configuration of each component

3.1 Prepare LDAP Database on your MSSQL Server

Before we start to config all components, the first step is to create sample database and data for LDAP service in your SQL Server.

You can find these samples at the latest version of OpenLDAP on OpenLDAP Project site. Download and unpack it, the sample scripts are located in \servers\slapd\back-sql\rdbms_depend\mssql. Of course, you can download Sample MSSQL Schema from here.

We recommend you execute these scripts through SQL Server Management Studio:

• Create LDAP database

  We assume the database name is LDAP

• Execute backsql_create.sql in LDAP database

  Create OpenLDAP Schama

• Execute testdb_create.sql in LDAP database

  Create Sample Data Tables

• Execute testdb_metadata.sql in LDAP database

  Create Sample Metadata

• Execute testdb_data.sql in LDAP database

  Create Sample Data

3.2 freeTDS to Microsoft SQL Server

Use vi or nano to edit /usr/local/etc/freetds.conf, adding this section at the end of file:

[MSSQL]
#REPLACE WITH YOUR MSSQL SERVER IPv4 ADDRESS
host = 192.168.1.100

#REPLACE WITH YOUR MSSQL SERVER LISTENING PORT
port = 1433

tds version = 8.0  
client charset = UTF-8  

3.3 Confirm freeTDS Configuration

You can test the connectivity between freeTDS and SQL Server using this command:

#tsql -S MSSQL -U username -P password

If your settings were correct, you will see a reponse like this:

Type exit to leave.

3.4 unixODBC to freeTDS

3.4.1 odbcinst.ini

Use vi or nano to edit /etc/odbcinst.ini.

• There are default PostgreSQL and MySQL settings. We will not use these database, you can mark them as unused.

• Adding this section at the end of file:

[FreeTDS]
Description=ODBC for SQL Server  
Driver=/usr/local/lib/libtdsodbc.so  
UsageCount=1  

3.4.2 odbc.ini

Use vi or nano to edit /etc/odbc.ini, adding this section at the end of file:

[MSODBC]
Driver=FreeTDS  
Description=Mikotek SQL Server  
Trace=No

#REPLACE WITH YOUR MSSQL SERVER IPv4 ADDRESS
Server= 192.168.1.100

#REPLACE WITH YOUR LDAP DATABASE NAME
Database= LDAP

#REPLACE WITH YOUR MSSQL SERVER LISTENING PORT
Port=1433

TDS_Version = 8.0  
Charset = UTF-8  

3.5 Confirm unixODBC Configuration

You can test the connectivity between unixODBC and SQL Server using this command:

#isql -v MSODBC username password

If your settings were correct, you will see a reponse like this:

Type quit to leave。

4. Setting Up OpenLDAP

4.1 Generate a Secure Password

In later section, we will set up an OpenLDAP administrator and an administrative password. OpenLDAP supports plaintext password, and an encrypted password like MD5, SHA, CRYPT is supported too.

We are going to use CRYPT password this time, you can generate a secure password by slappasswd -h {crypt}:

#slappasswd -h {crypt}
New password:  
Re-enter new password:  
{CRYPT}4kXX4T1wXj3Zc

The {CRYPT}4kXX4T1wXj3Zc is the encrypted password. Copy it, we will need it later.

4.2 Copy slapd.conf from OpenLDAP Template

#cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf

4.3 Remove and Backup Default BDB Database

#mv /etc/openldap/slapd.d /etc/openldap/slapd.d.bak

4.4 slapd.conf Configuration

Use vi or nano to edit /etc/openldap/slapd.conf.

4.4.1 Section: include

We will need only the following LDAP schemas in this practice:

include    /etc/openldap/schema/core.schema  
include    /etc/openldap/schema/cosine.schema  
include    /etc/openldap/schema/inetorgperson.schema  

You can mark other schemas as unused.

4.4.2 Section: module

We are using 64-bit system, and use only back_sql module, you can mark other modules as unused.

modulepath /usr/lib64/openldap  
moduleload back_sql.la  

4.4.3 Section: TLS Certificate Configuration

OpenLDAP supports SSL connection, you can set up TLS configuration in this section.

However, we DO NOT include the know-how of SSL setup in this practice. You can mark the TLS section as unused for now. If you were interested in OpenLDAP SSL configuration, you may find some useful hint in this document: Configure OpenLDAP with SSL/TLS

4.4.4 Section: ACL Configuration

ACL 1: Alow Users view and change their own password

access to attrs=userpassword  
    by self write
    by anonymous auth
    by * none

ACL 2: Allow Authenticated Users to View, Limit Anonymous Users to Auth

access to *  
    by self write
    by users read
    by anonymous auth
    by * none

4.4.5 Section: Database Definitions

There is a default BDB database definition in template config file. We are going to set up a SQL database, so mark whole default BDB database section as unused.

Adding our SQL database definition at the end of file:

###################################################
# sql database definitions
###################################################

database        sql  
suffix          "dc=example,dc=com"  
rootdn          "cn=Manager,dc=example,dc=com"

#REPLACE WITH YOUR SECURE PASSWORD
rootpw          {CRYPT}4kXX4T1wXj3Zc

#ODBC DATASOURCE NAME
dbname          MSODBC

#REPLACE WITH YOUR MSSQL LDAP DATABASE USER
dbuser          username

#REPLACE WITH YOUR MSSQL LDAP DATABASE USER PASSWORD
dbpasswd        password

subtree_cond    "ldap_entries.dn LIKE '%'+?"

has_ldapinfo_dn_ru      no  
###################################################

4.5 ldap.conf Configuration

Use vi or nano to edit /etc/openldap/ldap.conf.

Define LDAP base, and set the LDAP uri according to your environment:

BASE    dc=example,dc=com  
URI    ldap://ldap.example.com  

5. Verify OpenLDAP Configurations

5.1 OpenLDAP Config Testing

You can verify your config file using this command:

#slaptest -u

If your settings were correct, you will see a reponse like this:

config file testing succeeded  

5.2 Launch the Slap Daemon

#service slapd start

5.3 Test Connectivity and Data with LDAP client

You can perform a LDAP search by ldapsearch, using this command to verify LDAP working functionally:

#ldapsearch -x -D cn=Manager,dc=example,dc=com -w YOUR_LDAP_ROOTPW -b dc=example,dc=com

REPLACE YOUR_LDAP_ROOTPW with your definition

If your settings were correct, you will see a reponse like this:

# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: sn=Kovalev
# requesting: ALL
#

# Mitya Kovalev, example.com
dn: cn=Mitya Kovalev,dc=example,dc=com  
objectClass: inetOrgPerson  
cn: Mitya Kovalev  
sn: Kovalev  
seeAlso: documentTitle=book1,dc=example,dc=com  
seeAlso: documentTitle=book2,dc=example,dc=com  
givenName: Mitya  
userPassword:: bWl0  
telephoneNumber: 222-3234  
telephoneNumber: 332-2334

# search result
search: 2  
result: 0 Success

# numResponses: 2
# numEntries: 1

6. Misc.

6.1 Automatic Launch OpenLDAP service on system boot

#chkconfig --add ldap
#chkconfig ldap on

7. Further Readings

For now, you are successfully integrate OpenLDAP with backend Microsoft SQL Server.

If you were interested in LDAP data design and metadata planning, you may find some useful information in these websites:

• Setting up LDAP with back-sql - Flat Mountain
• Sample MySQL schema for OpenLDAP with back-sql - WingFOSS
• Common LDAP schemas - oav.net

Author: Sean Chang

Background

If you would like to join different systems and combine wireless accounts in your current non-Microsoft Active Directory environment by a single auth server, the low-priced easiest way surely is using open source projects to setup your own LDAP Directory service.

The most popular open source LDAP Directory server project is OpenLDAP. However, We can find many OpenLDAP examples on net. But when it comes to back-sql, especially when you need to integrate authentication by existing user accounts of current system, which were stored in MSSQL backend, you can find only MySQL and PostgreSQL success stories.

We wish this document can deliver some useful hints on how to deal with OpenLDAP with backend MSSQL.

LDAP is based on a simpler subset of the standards contained within the X.500 standard. Different than RDBMS, such as Oracle, MSSQL, MySQL. LDAP is a tree structure planned for best searching performance. We do not recommend using RDBMS as LDAP backend, unless you have a MUST-TO reason.

Resources

You can learn more about LDAP Directory service through these websites.

• Network Working Group RFC 4511 - IETF.org
• Lightweight Directory Access Protocol - WIKIPEDIA
• OpenLDAP - OpenLDAP open source project site

Table of Contents

1. Components Installation
2. freeTDS Installation
3. Configuration of each component
4. Setting Up OpenLDAP
5. Verify OpenLDAP Configurations
6. Misc.
7. Further Readings

Components and Software Version

• OpenLDAP Server
  • OS: CentOS 6.5 (64-bit)
  • OpenLDAP: 2.4.23
  • unixODBC: 2.2.14
  • freeTDS: 0.91
• Remote Database
  • OS: Microsoft Windows 2008 Server R2
  • Database: Microsoft SQL Server 2012

Basic Scenario

To use OpenLDAP with backend Microsoft SQL Server, you have to find a correct way to link them together. The following is our scenario:

• Using freeTDS driver to link Microsoft SQL Server, and set freeTDS as an ODBC datasource
• OpenLDAP using unixODBC driver to link with freeTDS ODBC
• The logical structure:

Before We Start

The following processes begin after you finish the installation of operation system. We setup our OS using CentOS Minimal Installation, and then wget tool has been installed.

You can learn how to install CentOS Minimal in this article: How to install CentOS 6.5 minimal by rasho on LINTUT

1. Components Installation

Because we are so lazy hope this document can more clean and clear, we install our components using yum with root account in the following processes.

Of course, you can finish same procedures by using sudo with user account. And to install all components using rpm is definitely ok too.

#yum install openldap openldap-clients openldap-servers openldap-devel openldap-servers-sql
#yum install unixODBC unixODBC-libs unixODBC-devel

2. freeTDS Installation

2.1 Set Environment variable

Use vi or nano to edit /etc/profile, adding this section at the end of file:

# TDS
    SYBASE=/usr/local
    LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:$SYBASE/lib
    export SYBASE LD_LIBRARY_PATH

2.2 Download and unpack freeTDS

You can find the download link in freeTDS Project Site. Generally they will not modify the link of stable version.

ps. You may switch to /tmp dictionary first

#wget ftp://ftp.freetds.org/pub/freetds/stable/freetds-stable.tgz
#tar -zxf freetds-stable.tgz
#cd freetds-0.91 ||REPLACE WITH YOUR VERSION NUMBER

2.3 Install freeTDS

#./configure --with-tdsver=8.0 --with-unixodbc=/usr/local
#make
#make install

The general freeTDS installation paths is:

• Library： /usr/local/lib
• Configuration： /usr/local/etc

3. Configuration of each component

3.1 Prepare LDAP Database on your MSSQL Server

Before we start to config all components, the first step is to create sample database and data for LDAP service in your SQL Server.

You can find these samples at the latest version of OpenLDAP on OpenLDAP Project site. Download and unpack it, the sample scripts are located in \servers\slapd\back-sql\rdbms_depend\mssql. Of course, you can download Sample MSSQL Schema from here.

We recommend you execute these scripts through SQL Server Management Studio:

• Create LDAP database

  We assume the database name is LDAP

• Execute backsql_create.sql in LDAP database

  Create OpenLDAP Schama

• Execute testdb_create.sql in LDAP database

  Create Sample Data Tables

• Execute testdb_metadata.sql in LDAP database

  Create Sample Metadata

• Execute testdb_data.sql in LDAP database

  Create Sample Data

3.2 freeTDS to Microsoft SQL Server

Use vi or nano to edit /usr/local/etc/freetds.conf, adding this section at the end of file:

[MSSQL]
#REPLACE WITH YOUR MSSQL SERVER IPv4 ADDRESS
host = 192.168.1.100

#REPLACE WITH YOUR MSSQL SERVER LISTENING PORT
port = 1433

tds version = 8.0  
client charset = UTF-8  

3.3 Confirm freeTDS Configuration

You can test the connectivity between freeTDS and SQL Server using this command:

#tsql -S MSSQL -U username -P password

If your settings were correct, you will see a reponse like this:

Type exit to leave.

3.4 unixODBC to freeTDS

3.4.1 odbcinst.ini

Use vi or nano to edit /etc/odbcinst.ini.

• There are default PostgreSQL and MySQL settings. We will not use these database, you can mark them as unused.

• Adding this section at the end of file:

[FreeTDS]
Description=ODBC for SQL Server  
Driver=/usr/local/lib/libtdsodbc.so  
UsageCount=1  

3.4.2 odbc.ini

Use vi or nano to edit /etc/odbc.ini, adding this section at the end of file:

[MSODBC]
Driver=FreeTDS  
Description=Mikotek SQL Server  
Trace=No

#REPLACE WITH YOUR MSSQL SERVER IPv4 ADDRESS
Server= 192.168.1.100

#REPLACE WITH YOUR LDAP DATABASE NAME
Database= LDAP

#REPLACE WITH YOUR MSSQL SERVER LISTENING PORT
Port=1433

TDS_Version = 8.0  
Charset = UTF-8  

3.5 Confirm unixODBC Configuration

You can test the connectivity between unixODBC and SQL Server using this command:

#isql -v MSODBC username password

If your settings were correct, you will see a reponse like this:

Type quit to leave。

4. Setting Up OpenLDAP

4.1 Generate a Secure Password

In later section, we will set up an OpenLDAP administrator and an administrative password. OpenLDAP supports plaintext password, and an encrypted password like MD5, SHA, CRYPT is supported too.

We are going to use CRYPT password this time, you can generate a secure password by slappasswd -h {crypt}:

#slappasswd -h {crypt}
New password:  
Re-enter new password:  
{CRYPT}4kXX4T1wXj3Zc

The {CRYPT}4kXX4T1wXj3Zc is the encrypted password. Copy it, we will need it later.

4.2 Copy slapd.conf from OpenLDAP Template

#cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf

4.3 Remove and Backup Default BDB Database

#mv /etc/openldap/slapd.d /etc/openldap/slapd.d.bak

4.4 slapd.conf Configuration

Use vi or nano to edit /etc/openldap/slapd.conf.

4.4.1 Section: include

We will need only the following LDAP schemas in this practice:

include    /etc/openldap/schema/core.schema  
include    /etc/openldap/schema/cosine.schema  
include    /etc/openldap/schema/inetorgperson.schema  

You can mark other schemas as unused.

4.4.2 Section: module

We are using 64-bit system, and use only back_sql module, you can mark other modules as unused.

modulepath /usr/lib64/openldap  
moduleload back_sql.la  

4.4.3 Section: TLS Certificate Configuration

OpenLDAP supports SSL connection, you can set up TLS configuration in this section.

However, we DO NOT include the know-how of SSL setup in this practice. You can mark the TLS section as unused for now. If you were interested in OpenLDAP SSL configuration, you may find some useful hint in this document: Configure OpenLDAP with SSL/TLS

4.4.4 Section: ACL Configuration

ACL 1: Alow Users view and change their own password

access to attrs=userpassword  
    by self write
    by anonymous auth
    by * none

ACL 2: Allow Authenticated Users to View, Limit Anonymous Users to Auth

access to *  
    by self write
    by users read
    by anonymous auth
    by * none

4.4.5 Section: Database Definitions

There is a default BDB database definition in template config file. We are going to set up a SQL database, so mark whole default BDB database section as unused.

Adding our SQL database definition at the end of file:

###################################################
# sql database definitions
###################################################

database        sql  
suffix          "dc=example,dc=com"  
rootdn          "cn=Manager,dc=example,dc=com"

#REPLACE WITH YOUR SECURE PASSWORD
rootpw          {CRYPT}4kXX4T1wXj3Zc

#ODBC DATASOURCE NAME
dbname          MSODBC

#REPLACE WITH YOUR MSSQL LDAP DATABASE USER
dbuser          username

#REPLACE WITH YOUR MSSQL LDAP DATABASE USER PASSWORD
dbpasswd        password

subtree_cond    "ldap_entries.dn LIKE '%'+?"

has_ldapinfo_dn_ru      no  
###################################################

4.5 ldap.conf Configuration

Use vi or nano to edit /etc/openldap/ldap.conf.

Define LDAP base, and set the LDAP uri according to your environment:

BASE    dc=example,dc=com  
URI    ldap://ldap.example.com  

5. Verify OpenLDAP Configurations

5.1 OpenLDAP Config Testing

You can verify your config file using this command:

#slaptest -u

If your settings were correct, you will see a reponse like this:

config file testing succeeded  

5.2 Launch the Slap Daemon

#service slapd start

5.3 Test Connectivity and Data with LDAP client

You can perform a LDAP search by ldapsearch, using this command to verify LDAP working functionally:

#ldapsearch -x -D cn=Manager,dc=example,dc=com -w YOUR_LDAP_ROOTPW -b dc=example,dc=com

REPLACE YOUR_LDAP_ROOTPW with your definition

If your settings were correct, you will see a reponse like this:

# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: sn=Kovalev
# requesting: ALL
#

# Mitya Kovalev, example.com
dn: cn=Mitya Kovalev,dc=example,dc=com  
objectClass: inetOrgPerson  
cn: Mitya Kovalev  
sn: Kovalev  
seeAlso: documentTitle=book1,dc=example,dc=com  
seeAlso: documentTitle=book2,dc=example,dc=com  
givenName: Mitya  
userPassword:: bWl0  
telephoneNumber: 222-3234  
telephoneNumber: 332-2334

# search result
search: 2  
result: 0 Success

# numResponses: 2
# numEntries: 1

6. Misc.

6.1 Automatic Launch OpenLDAP service on system boot

#chkconfig --add ldap
#chkconfig ldap on

7. Further Readings

For now, you are successfully integrate OpenLDAP with backend Microsoft SQL Server.

If you were interested in LDAP data design and metadata planning, you may find some useful information in these websites:

• Setting up LDAP with back-sql - Flat Mountain
• Sample MySQL schema for OpenLDAP with back-sql - WingFOSS
• Common LDAP schemas - oav.net

微軟 MICROSOFT 知名瀏覽器 INTERNET EXPLORER (IE) 驚爆重大安全漏洞，

美國及英國政府資安當局罕見地聯手呼籲民眾應立即停用該瀏覽器。

率先發現這個資安漏洞的資安公司 FireEye 指出，駭客可經由 IE 的安全漏洞銜接 Flash 技術進行零時差攻擊(zero-day exploit)，雖然目前僅發現駭客利用 IE9、IE10 及 IE11 對美國國防及金融機構進行零時攻擊，然而這個安全漏洞自 IE6 版以上就已存在。

根據《CNET》報導，美國國家安全部轄下的電腦緊急應變小組 (US-CERT) 及英國政府對等單位雖然定期會發布網路瀏覽器安全性建議，但像這次聯手呼籲民眾停用特定瀏覽器，則非常罕見。

一般民眾要怎麼自我保護? 永磐科技提供您下列兩種建議：

1. 於微軟修復該漏洞前，暫時停用 Internet Explorer 瀏覽器

2. 若因為種種原因，非得使用 Internet Explorer 瀏覽器不可，你可以選擇：

   • 停用 IE 的 Flash 外掛程式

   • 安裝微軟 EMET (Enhanced Mitigation Experience Toolkit) 安全防禦應用程式，並於 IE 中啟用

微軟 MICROSOFT 知名瀏覽器 INTERNET EXPLORER (IE) 驚爆重大安全漏洞，

美國及英國政府資安當局罕見地聯手呼籲民眾應立即停用該瀏覽器。

率先發現這個資安漏洞的資安公司 FireEye 指出，駭客可經由 IE 的安全漏洞銜接 Flash 技術進行零時差攻擊(zero-day exploit)，雖然目前僅發現駭客利用 IE9、IE10 及 IE11 對美國國防及金融機構進行零時攻擊，然而這個安全漏洞自 IE6 版以上就已存在。

根據《CNET》報導，美國國家安全部轄下的電腦緊急應變小組 (US-CERT) 及英國政府對等單位雖然定期會發布網路瀏覽器安全性建議，但像這次聯手呼籲民眾停用特定瀏覽器，則非常罕見。

一般民眾要怎麼自我保護? 永磐科技提供您下列兩種建議：

1. 於微軟修復該漏洞前，暫時停用 Internet Explorer 瀏覽器

2. 若因為種種原因，非得使用 Internet Explorer 瀏覽器不可，你可以選擇：

   • 停用 IE 的 Flash 外掛程式

   • 安裝微軟 EMET (Enhanced Mitigation Experience Toolkit) 安全防禦應用程式，並於 IE 中啟用

微軟 MICROSOFT 知名瀏覽器 INTERNET EXPLORER (IE) 驚爆重大安全漏洞，

美國及英國政府資安當局罕見地聯手呼籲民眾應立即停用該瀏覽器。

率先發現這個資安漏洞的資安公司 FireEye 指出，駭客可經由 IE 的安全漏洞銜接 Flash 技術進行零時差攻擊(zero-day exploit)，雖然目前僅發現駭客利用 IE9、IE10 及 IE11 對美國國防及金融機構進行零時攻擊，然而這個安全漏洞自 IE6 版以上就已存在。

根據《CNET》報導，美國國家安全部轄下的電腦緊急應變小組 (US-CERT) 及英國政府對等單位雖然定期會發布網路瀏覽器安全性建議，但像這次聯手呼籲民眾停用特定瀏覽器，則非常罕見。

一般民眾要怎麼自我保護? 永磐科技提供您下列兩種建議：

1. 於微軟修復該漏洞前，暫時停用 Internet Explorer 瀏覽器

2. 若因為種種原因，非得使用 Internet Explorer 瀏覽器不可，你可以選擇：

   • 停用 IE 的 Flash 外掛程式

   • 安裝微軟 EMET (Enhanced Mitigation Experience Toolkit) 安全防禦應用程式，並於 IE 中啟用

微軟 MICROSOFT 知名瀏覽器 INTERNET EXPLORER (IE) 驚爆重大安全漏洞，

美國及英國政府資安當局罕見地聯手呼籲民眾應立即停用該瀏覽器。

率先發現這個資安漏洞的資安公司 FireEye 指出，駭客可經由 IE 的安全漏洞銜接 Flash 技術進行零時差攻擊(zero-day exploit)，雖然目前僅發現駭客利用 IE9、IE10 及 IE11 對美國國防及金融機構進行零時攻擊，然而這個安全漏洞自 IE6 版以上就已存在。

根據《CNET》報導，美國國家安全部轄下的電腦緊急應變小組 (US-CERT) 及英國政府對等單位雖然定期會發布網路瀏覽器安全性建議，但像這次聯手呼籲民眾停用特定瀏覽器，則非常罕見。

一般民眾要怎麼自我保護? 永磐科技提供您下列兩種建議：

1. 於微軟修復該漏洞前，暫時停用 Internet Explorer 瀏覽器

2. 若因為種種原因，非得使用 Internet Explorer 瀏覽器不可，你可以選擇：

   • 停用 IE 的 Flash 外掛程式

   • 安裝微軟 EMET (Enhanced Mitigation Experience Toolkit) 安全防禦應用程式，並於 IE 中啟用

2014年4月7日 OPENSSL 發布了一個重大資安漏洞發現

弱點編號：CVE-2014-0160，代號「HEARTBLEED」。

OpenSSL針對此弱點說明如下：

OpenSSL Security Advisory [07 Apr 2014]
========================================

TLS heartbeat read overrun (CVE-2014-0160)
==========================================
A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server.

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1.

Thanks for Neel Mehta of Google Security for discovering this bug and to Adam Langley agl@chromium.org and Bodo Moeller bmoeller@acm.org for preparing the fix.

Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSLNOHEARTBEATS.

1.0.2 will be fixed in 1.0.2-beta2.

這個漏洞能讓攻擊者從伺服器記憶體中讀取 64 KB 的資料，被竊取的資料可能包含 ssl private key、session cookie、使用者密碼等，因此最嚴重可能因此導致伺服器遭到入侵或被盜取使用者帳號、密碼。

由於OpenSSL憑證加解密被廣泛應用於網站及應用服務，大多數安全需求性較高的網路服務，諸如：網路銀行、線上交易、會員系統等都採用OpenSSL HTTPS加密。因此該漏洞將導致全球使用OpenSSL的線上金融服務面臨重大衝擊。

受影響的OpenSSL版本為 1.0.1 ~ 1.0.1f 及 1.0.2-beta，目前OpenSSL已發布對應的修復更新版本 1.0.1g 、1.0.2-beta1。

採用OpenSSL加密的企業可透過 Heartbleed test 網站自我檢測內部的系統是否有受到影響

若有受到影響請務必立即更新OpenSSL版本！

更多關於Heartbleed漏洞可參考 http://heartbleed.com

2014年4月7日 OPENSSL 發布了一個重大資安漏洞發現

弱點編號：CVE-2014-0160，代號「HEARTBLEED」。

OpenSSL針對此弱點說明如下：

OpenSSL Security Advisory [07 Apr 2014]
========================================

TLS heartbeat read overrun (CVE-2014-0160)
==========================================
A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server.

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1.

Thanks for Neel Mehta of Google Security for discovering this bug and to Adam Langley agl@chromium.org and Bodo Moeller bmoeller@acm.org for preparing the fix.

Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSLNOHEARTBEATS.

1.0.2 will be fixed in 1.0.2-beta2.

這個漏洞能讓攻擊者從伺服器記憶體中讀取 64 KB 的資料，被竊取的資料可能包含 ssl private key、session cookie、使用者密碼等，因此最嚴重可能因此導致伺服器遭到入侵或被盜取使用者帳號、密碼。

由於OpenSSL憑證加解密被廣泛應用於網站及應用服務，大多數安全需求性較高的網路服務，諸如：網路銀行、線上交易、會員系統等都採用OpenSSL HTTPS加密。因此該漏洞將導致全球使用OpenSSL的線上金融服務面臨重大衝擊。

受影響的OpenSSL版本為 1.0.1 ~ 1.0.1f 及 1.0.2-beta，目前OpenSSL已發布對應的修復更新版本 1.0.1g 、1.0.2-beta1。

採用OpenSSL加密的企業可透過 Heartbleed test 網站自我檢測內部的系統是否有受到影響

若有受到影響請務必立即更新OpenSSL版本！

更多關於Heartbleed漏洞可參考 http://heartbleed.com

2014年4月7日 OPENSSL 發布了一個重大資安漏洞發現

弱點編號：CVE-2014-0160，代號「HEARTBLEED」。

OpenSSL針對此弱點說明如下：

OpenSSL Security Advisory [07 Apr 2014]
========================================

TLS heartbeat read overrun (CVE-2014-0160)
==========================================
A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server.

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1.

Thanks for Neel Mehta of Google Security for discovering this bug and to Adam Langley agl@chromium.org and Bodo Moeller bmoeller@acm.org for preparing the fix.

Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSLNOHEARTBEATS.

1.0.2 will be fixed in 1.0.2-beta2.

這個漏洞能讓攻擊者從伺服器記憶體中讀取 64 KB 的資料，被竊取的資料可能包含 ssl private key、session cookie、使用者密碼等，因此最嚴重可能因此導致伺服器遭到入侵或被盜取使用者帳號、密碼。

由於OpenSSL憑證加解密被廣泛應用於網站及應用服務，大多數安全需求性較高的網路服務，諸如：網路銀行、線上交易、會員系統等都採用OpenSSL HTTPS加密。因此該漏洞將導致全球使用OpenSSL的線上金融服務面臨重大衝擊。

受影響的OpenSSL版本為 1.0.1 ~ 1.0.1f 及 1.0.2-beta，目前OpenSSL已發布對應的修復更新版本 1.0.1g 、1.0.2-beta1。

採用OpenSSL加密的企業可透過 Heartbleed test 網站自我檢測內部的系統是否有受到影響

若有受到影響請務必立即更新OpenSSL版本！

更多關於Heartbleed漏洞可參考 http://heartbleed.com

2014年4月7日 OPENSSL 發布了一個重大資安漏洞發現

弱點編號：CVE-2014-0160，代號「HEARTBLEED」。

OpenSSL針對此弱點說明如下：

OpenSSL Security Advisory [07 Apr 2014]
========================================

TLS heartbeat read overrun (CVE-2014-0160)
==========================================
A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server.

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1.

Thanks for Neel Mehta of Google Security for discovering this bug and to Adam Langley agl@chromium.org and Bodo Moeller bmoeller@acm.org for preparing the fix.

Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSLNOHEARTBEATS.

1.0.2 will be fixed in 1.0.2-beta2.

這個漏洞能讓攻擊者從伺服器記憶體中讀取 64 KB 的資料，被竊取的資料可能包含 ssl private key、session cookie、使用者密碼等，因此最嚴重可能因此導致伺服器遭到入侵或被盜取使用者帳號、密碼。

由於OpenSSL憑證加解密被廣泛應用於網站及應用服務，大多數安全需求性較高的網路服務，諸如：網路銀行、線上交易、會員系統等都採用OpenSSL HTTPS加密。因此該漏洞將導致全球使用OpenSSL的線上金融服務面臨重大衝擊。

受影響的OpenSSL版本為 1.0.1 ~ 1.0.1f 及 1.0.2-beta，目前OpenSSL已發布對應的修復更新版本 1.0.1g 、1.0.2-beta1。

採用OpenSSL加密的企業可透過 Heartbleed test 網站自我檢測內部的系統是否有受到影響

若有受到影響請務必立即更新OpenSSL版本！

更多關於Heartbleed漏洞可參考 http://heartbleed.com

Author: Jerry Chen

Cisco最近推出一些新款的無線AP與無線網路解決方案，其中最特殊的是新型態的雲端無線網路架構：Cisco Meraki，以下簡單說明：

CISCO MERAKI的無線網路解決方案

Meraki 雲端無線網路架構

• Meraki無線控制器是雲端平臺架構（Cloud-based Wireless Controller）， IT單位可透過網頁瀏覽器進入雲端後臺，集中管理企業所部署的Wi-Fi網路環境，節省控制器佈建成本。

• 企業採購時需購買AP設備和控制器軟體授權，其中控制器軟體的授權費用採維護服務方式，以年為單位銷售。

• 多據點的無線網路管理。在部署上，管理者可從單一系統管理各分據點的無線網路，管理方式較為簡易。

• 即使是雲端服務斷線，Meraki AP本身仍保有網路的功能，無線網路仍可持續運行。唯雲端服務斷線時，不能異動設定及檢視報表。

除了雲端式AP架構的特性，Cisco Meraki 還有3個特點：

1. 具有應用程式感知功能，可辨識連線使用者的應用程式特徵

能封鎖特定應用群組或特定應用程式，像是：

• 電子郵件：Gmail、Hotmail、Webmail等）
• 檔案分享網站：Dropbox、SkyDrive、Box等）
• 社群網站：Facebook、Flickr、Twitter等）
• 其他如部落格、P2P、遊戲、新聞、影音、VoIP等

2. 提供Facebook Wi-Fi登入功能，使提供的無線網路可以結合Facebook粉絲專頁利用行銷

管理者可將企業的Facebook粉絲專頁，設定為登入無線網路時的起始頁面，讓使用者在打卡後，始可使用企業店家所提供的免費Wi-Fi無線網路。

結合Facebook粉絲專頁打卡機制目前僅有Cisco Meraki無線路由器可支援。

3. 內建Wi-Fi分析功能，可分析顧客行為

可分析每日上網人數、訪客數與經過人數。另外，還能分析訪客的停留時間，甚至是經常到來或首次來訪數。

Cisco Meraki 以簡單易懂的圖表呈現分析統計具商業價值的資訊。

• Cisco Meraki 可提供 AP 與 Client 的詳細資訊記錄，管理者可設定每日、每周或每月將報表寄至電子信箱，快速掌握無線網路的使用狀況。

• 整合 Google 地圖資訊於介面中，便於大範圍、大量 AP 部署的管控。

Meraki無線網路路由器產品規格一覽表

CISCO 3650 SWITCH，具無線控制器功能！

3650 是取代 3560-X 的產品。3560-X不支援堆疊與無線控制器功能，而3650可當無線控制器使用，支援25 AP與1000個使用者。

• Cisco 3650 支援堆疊功能，160G的堆疊頻寛，最多可堆疊9台。

  註：Cisco 3650堆疊需另外購買Stack模組
  

• 現在如果要採購 Cisco 3750-X 或 3560-X，建議可選擇Cisco 3850與 Cisco 3650。

  只有必需要使用12或24個光纖介面才建議 Cisco 3750-X，因為 Cisco 3850目前沒有光纖介面的型號。
  

• Cisco 3560-X 與 Cisco 3650 的功能比較：

CISCO AP 3700 支援802.11AC

Cisco推出的最新802.11ac AP，傳輸速度1.3Gbps(Wave1)。

未來可加裝802.11ac(Wave2)模組，傳輸速度可提升到3.5Gbps。

提供內建天線與外接天線二種選擇。

Cisco AP 3600加裝 802.11ac(Wave1)的模組也可以支援802.11ac，但成本會比 Cisco AP 3700高。
如果規劃會使用到802.11ac，建議現在就規劃使用 Cisco AP 3700。

目前Cisco AP及Controller的版本支援

註：部分Cisco Meraki內容參考資料來源為：IThome

Author: Jerry Chen

Cisco最近推出一些新款的無線AP與無線網路解決方案，其中最特殊的是新型態的雲端無線網路架構：Cisco Meraki，以下簡單說明：

CISCO MERAKI的無線網路解決方案

Meraki 雲端無線網路架構

• Meraki無線控制器是雲端平臺架構（Cloud-based Wireless Controller）， IT單位可透過網頁瀏覽器進入雲端後臺，集中管理企業所部署的Wi-Fi網路環境，節省控制器佈建成本。

• 企業採購時需購買AP設備和控制器軟體授權，其中控制器軟體的授權費用採維護服務方式，以年為單位銷售。

• 多據點的無線網路管理。在部署上，管理者可從單一系統管理各分據點的無線網路，管理方式較為簡易。

• 即使是雲端服務斷線，Meraki AP本身仍保有網路的功能，無線網路仍可持續運行。唯雲端服務斷線時，不能異動設定及檢視報表。

除了雲端式AP架構的特性，Cisco Meraki 還有3個特點：

1. 具有應用程式感知功能，可辨識連線使用者的應用程式特徵

能封鎖特定應用群組或特定應用程式，像是：

• 電子郵件：Gmail、Hotmail、Webmail等）
• 檔案分享網站：Dropbox、SkyDrive、Box等）
• 社群網站：Facebook、Flickr、Twitter等）
• 其他如部落格、P2P、遊戲、新聞、影音、VoIP等

2. 提供Facebook Wi-Fi登入功能，使提供的無線網路可以結合Facebook粉絲專頁利用行銷

管理者可將企業的Facebook粉絲專頁，設定為登入無線網路時的起始頁面，讓使用者在打卡後，始可使用企業店家所提供的免費Wi-Fi無線網路。

結合Facebook粉絲專頁打卡機制目前僅有Cisco Meraki無線路由器可支援。

3. 內建Wi-Fi分析功能，可分析顧客行為

可分析每日上網人數、訪客數與經過人數。另外，還能分析訪客的停留時間，甚至是經常到來或首次來訪數。

Cisco Meraki 以簡單易懂的圖表呈現分析統計具商業價值的資訊。

• Cisco Meraki 可提供 AP 與 Client 的詳細資訊記錄，管理者可設定每日、每周或每月將報表寄至電子信箱，快速掌握無線網路的使用狀況。

• 整合 Google 地圖資訊於介面中，便於大範圍、大量 AP 部署的管控。

Meraki無線網路路由器產品規格一覽表

CISCO 3650 SWITCH，具無線控制器功能！

3650 是取代 3560-X 的產品。3560-X不支援堆疊與無線控制器功能，而3650可當無線控制器使用，支援25 AP與1000個使用者。

• Cisco 3650 支援堆疊功能，160G的堆疊頻寛，最多可堆疊9台。

  註：Cisco 3650堆疊需另外購買Stack模組
  

• 現在如果要採購 Cisco 3750-X 或 3560-X，建議可選擇Cisco 3850與 Cisco 3650。

  只有必需要使用12或24個光纖介面才建議 Cisco 3750-X，因為 Cisco 3850目前沒有光纖介面的型號。
  

• Cisco 3560-X 與 Cisco 3650 的功能比較：

CISCO AP 3700 支援802.11AC

Cisco推出的最新802.11ac AP，傳輸速度1.3Gbps(Wave1)。

未來可加裝802.11ac(Wave2)模組，傳輸速度可提升到3.5Gbps。

提供內建天線與外接天線二種選擇。

Cisco AP 3600加裝 802.11ac(Wave1)的模組也可以支援802.11ac，但成本會比 Cisco AP 3700高。
如果規劃會使用到802.11ac，建議現在就規劃使用 Cisco AP 3700。

目前Cisco AP及Controller的版本支援

註：部分Cisco Meraki內容參考資料來源為：IThome

Author: Jerry Chen

Cisco最近推出一些新款的無線AP與無線網路解決方案，其中最特殊的是新型態的雲端無線網路架構：Cisco Meraki，以下簡單說明：

CISCO MERAKI的無線網路解決方案

Meraki 雲端無線網路架構

• Meraki無線控制器是雲端平臺架構（Cloud-based Wireless Controller）， IT單位可透過網頁瀏覽器進入雲端後臺，集中管理企業所部署的Wi-Fi網路環境，節省控制器佈建成本。

• 企業採購時需購買AP設備和控制器軟體授權，其中控制器軟體的授權費用採維護服務方式，以年為單位銷售。

• 多據點的無線網路管理。在部署上，管理者可從單一系統管理各分據點的無線網路，管理方式較為簡易。

• 即使是雲端服務斷線，Meraki AP本身仍保有網路的功能，無線網路仍可持續運行。唯雲端服務斷線時，不能異動設定及檢視報表。

除了雲端式AP架構的特性，Cisco Meraki 還有3個特點：

1. 具有應用程式感知功能，可辨識連線使用者的應用程式特徵

能封鎖特定應用群組或特定應用程式，像是：

• 電子郵件：Gmail、Hotmail、Webmail等）
• 檔案分享網站：Dropbox、SkyDrive、Box等）
• 社群網站：Facebook、Flickr、Twitter等）
• 其他如部落格、P2P、遊戲、新聞、影音、VoIP等

2. 提供Facebook Wi-Fi登入功能，使提供的無線網路可以結合Facebook粉絲專頁利用行銷

管理者可將企業的Facebook粉絲專頁，設定為登入無線網路時的起始頁面，讓使用者在打卡後，始可使用企業店家所提供的免費Wi-Fi無線網路。

結合Facebook粉絲專頁打卡機制目前僅有Cisco Meraki無線路由器可支援。

3. 內建Wi-Fi分析功能，可分析顧客行為

可分析每日上網人數、訪客數與經過人數。另外，還能分析訪客的停留時間，甚至是經常到來或首次來訪數。

Cisco Meraki 以簡單易懂的圖表呈現分析統計具商業價值的資訊。

• Cisco Meraki 可提供 AP 與 Client 的詳細資訊記錄，管理者可設定每日、每周或每月將報表寄至電子信箱，快速掌握無線網路的使用狀況。

• 整合 Google 地圖資訊於介面中，便於大範圍、大量 AP 部署的管控。

Meraki無線網路路由器產品規格一覽表

CISCO 3650 SWITCH，具無線控制器功能！

3650 是取代 3560-X 的產品。3560-X不支援堆疊與無線控制器功能，而3650可當無線控制器使用，支援25 AP與1000個使用者。

• Cisco 3650 支援堆疊功能，160G的堆疊頻寛，最多可堆疊9台。

  註：Cisco 3650堆疊需另外購買Stack模組
  

• 現在如果要採購 Cisco 3750-X 或 3560-X，建議可選擇Cisco 3850與 Cisco 3650。

  只有必需要使用12或24個光纖介面才建議 Cisco 3750-X，因為 Cisco 3850目前沒有光纖介面的型號。
  

• Cisco 3560-X 與 Cisco 3650 的功能比較：

CISCO AP 3700 支援802.11AC

Cisco推出的最新802.11ac AP，傳輸速度1.3Gbps(Wave1)。

未來可加裝802.11ac(Wave2)模組，傳輸速度可提升到3.5Gbps。

提供內建天線與外接天線二種選擇。

Cisco AP 3600加裝 802.11ac(Wave1)的模組也可以支援802.11ac，但成本會比 Cisco AP 3700高。
如果規劃會使用到802.11ac，建議現在就規劃使用 Cisco AP 3700。

目前Cisco AP及Controller的版本支援

註：部分Cisco Meraki內容參考資料來源為：IThome