firewalld: open a port for a single IP (or how to limit access to the checkmk-agent to a single IP)

Newer versions of the checkmk-agent for Linux are started by systemd instead of xinetd. So you lose the ability to limit access through a line in a simple config file (the only_from entry of the old xinetd service).

My solution was a rule in firewalld. It has to be a rich rule, because the usual --add-port syntax cannot be tied to a source address, and sadly that is not as easy as the usual firewalld stuff:

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="11.22.33.44/32" port port="6556" protocol="tcp" accept'

Afterwards reload firewalld (or restart it) so that the permanent rule becomes active. Note that this accept rule only restricts access if port 6556/tcp is not also opened for the whole zone by an ordinary port or service entry; if it is, remove that entry, otherwise every host can still reach the agent.
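As an added example (not part of the original post), here is the same change as a small POSIX shell script: it validates the address, builds the rich rule in the documented form, warns if the port is already open for the whole zone (in which case the rich rule restricts nothing), applies the rule permanently and checks that it is active after the reload. It goes slightly beyond the post by also accepting an IPv6 monitoring server (family ipv6, prefix /128). The monitoring address 11.22.33.44, the zone public and the port 6556 are assumed values set at the top.

```shell
#!/bin/sh
# Added example, not from the original post: restrict the Checkmk agent port to the
# monitoring server with a firewalld rich rule and verify that the restriction is real.
# MON_IP, AGENT_PORT and ZONE are assumed values for this example.

MON_IP="${MON_IP:-11.22.33.44}"    # assumption: address of the Checkmk server
AGENT_PORT="${AGENT_PORT:-6556}"   # TCP port of the Checkmk agent
ZONE="${ZONE:-public}"             # assumption: zone the monitored interface is in

# True if $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    IFS=. read -r a b c d rest <<EOF
$1
EOF
    [ -n "$d" ] && [ -z "$rest" ] || return 1
    for octet in "$a" "$b" "$c" "$d"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the rich rule for one source host: IPv4 gets /32, IPv6 (coarse hex/colon
# check) gets /128. Fails on anything that is not an address or a valid TCP port.
build_rich_rule() {
    ip=$1; port=$2
    if is_ipv4 "$ip"; then
        family=ipv4; prefix=32
    elif [ "${ip#*:}" != "$ip" ] && [ "${ip#*[!0-9a-fA-F:]}" = "$ip" ]; then
        family=ipv6; prefix=128
    else
        echo "build_rich_rule: not an IP address: $ip" >&2; return 1
    fi
    case $port in ''|*[!0-9]*) echo "build_rich_rule: bad port: $port" >&2; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "build_rich_rule: bad port: $port" >&2; return 1; }
    printf 'rule family="%s" source address="%s/%s" port port="%s" protocol="tcp" accept\n' \
        "$family" "$ip" "$prefix" "$port"
}

# Warn if the port is already open zone-wide (runtime config; the rich rule would then
# restrict nothing), add the rule permanently, reload, and show that it is active.
restrict_agent_port() {
    rule=$(build_rich_rule "$MON_IP" "$AGENT_PORT") || return 1
    if firewall-cmd --zone="$ZONE" --query-port="$AGENT_PORT/tcp" >/dev/null 2>&1; then
        echo "warning: $AGENT_PORT/tcp is open for the whole zone '$ZONE'; the rich rule will not restrict it." >&2
        echo "         remove it with: firewall-cmd --permanent --zone=$ZONE --remove-port=$AGENT_PORT/tcp" >&2
    fi
    firewall-cmd --permanent --zone="$ZONE" --add-rich-rule="$rule" || return 1
    firewall-cmd --reload || return 1
    firewall-cmd --zone="$ZONE" --list-rich-rules | grep -F -- "$rule"
}

# Only touch the firewall when called as "script.sh apply"; otherwise just define the functions.
if [ "${1:-}" = apply ]; then restrict_agent_port; fi
```

Run it as root with the argument apply. The final grep succeeds only if firewalld lists the rule back in exactly the documented form, which is a cheap check that the rule was parsed the way you meant.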

Use PowerShell to read data from LDAP and create a modify-LDIF

I just stumbled over the problem of getting a list of all users with a telephoneNumber from LDAP in order to create an LDIF for those users. So I decided to use PowerShell because it gave me an easy way to create an LDIF file that adds a value to every one of those users.

The first script just dumps the DN and the phone number of all objects that have a telephoneNumber:

$Server = "LDAP://ldaphost.domain.local:389/DC=domain,DC=local"
# Bind DN and password of the service account (stored in clear text here; prefer a prompt or a credential store)
$DN = "CN=LDAPuser,DC=domain,DC=local"
$Pw = "secretLDAPUserPassword"
# Presence filter: "(telephoneNumber)" on its own is not valid LDAP filter syntax
$Filter = "(telephoneNumber=*)"
$DirEntry = New-Object -TypeName System.DirectoryServices.DirectoryEntry -ArgumentList $Server, $DN, $Pw, "FastBind"
$DirSearcher = New-Object -TypeName System.DirectoryServices.DirectorySearcher -ArgumentList $DirEntry, $Filter
$DirSearcher.PageSize = 1000   # paged search; without it AD returns at most 1000 entries
$DirSearcher.FindAll() | Select-Object -ExpandProperty Properties | ForEach-Object {
    $ldapDN = $_["distinguishedName"][0]
    $ldapPhone = $_["telephoneNumber"][0]
    Write-Output "$ldapDN`t$ldapPhone"
}
$DirSearcher.Dispose()

The second script writes an LDIF file that modifies a field on every one of those users:

$Server = "LDAP://ldaphost.domain.local:389/DC=domain,DC=local"
# Bind DN and password of the service account (clear text, see above)
$DN = "CN=LDAPuser,DC=domain,DC=local"
$Pw = "secretLDAPUserPassword"
$Filter = "(telephoneNumber=*)"
$destfile = "test.ldif"
Remove-Item -Path $destfile -ErrorAction SilentlyContinue   # start with an empty file
$DirEntry = New-Object -TypeName System.DirectoryServices.DirectoryEntry -ArgumentList $Server, $DN, $Pw, "FastBind"
$DirSearcher = New-Object -TypeName System.DirectoryServices.DirectorySearcher -ArgumentList $DirEntry, $Filter
$DirSearcher.PageSize = 1000
$DirSearcher.FindAll() | Select-Object -ExpandProperty Properties | ForEach-Object {
    $ldapDN = $_["distinguishedName"][0]
    # one "changetype: modify" record per entry; the "-" line closes the mod-spec (RFC 2849)
    Out-File -FilePath $destfile -InputObject "dn: $ldapDN" -Append
    Out-File -FilePath $destfile -InputObject "changetype: modify" -Append
    Out-File -FilePath $destfile -InputObject "add: ldapfield" -Append
    Out-File -FilePath $destfile -InputObject "ldapfield: newContent" -Append
    Out-File -FilePath $destfile -InputObject "-" -Append
    Out-File -FilePath $destfile -InputObject "" -Append
}
$DirSearcher.Dispose()

The resulting file can be imported into the directory with LDAPAdmin. But be aware of the encoding: Out-File in Windows PowerShell writes UTF-16 ("Unicode") by default and PowerShell 7 writes UTF-8, while LDAPAdmin needs an ASCII file for the import. The -Encoding option of Out-File didn't work out because it killed the German umlauts (with -Encoding ASCII, .NET replaces every non-ASCII character with "?"). So I converted it afterwards with Notepad. The clean way to carry umlauts in an LDIF file is the one RFC 2849 specifies: base64-encode such a DN or value and write it on a "dn::" or "ldapfield::" line, so the file itself stays pure ASCII and nothing is lost.
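As an added example, not from the original post and not a port of its PowerShell scripts: the same job done from a Linux shell with OpenLDAP's ldapsearch, written in POSIX sh because the point it shows is the LDIF encoding rule that caused the umlaut problem rather than anything PowerShell-specific. It reads the DNs of all entries with a telephoneNumber and writes a modify-LDIF that is pure ASCII: a DN or value with non-ASCII bytes is base64-encoded on a "name::" line, long lines are folded as the RFC requires, and every mod-spec is closed with "-". The server name, bind DN, password file path /etc/ldap-bind.pw, the attribute ldapfield and the value newContent are placeholders (partly taken over from the post).

```shell
#!/bin/sh
# Added example, not from the original post: build an RFC 2849 modify-LDIF from an
# LDAP search, keeping the file pure ASCII by base64-encoding anything non-ASCII.
# Server, bind DN, password file, attribute name and value are placeholders.

LDAP_URI="${LDAP_URI:-ldap://ldaphost.domain.local:389}"     # assumption
BASE_DN="${BASE_DN:-DC=domain,DC=local}"
BIND_DN="${BIND_DN:-CN=LDAPuser,DC=domain,DC=local}"
BIND_PW_FILE="${BIND_PW_FILE:-/etc/ldap-bind.pw}"   # assumption; -w <pw> would show the password in ps
ATTR="${ATTR:-ldapfield}"                           # placeholder attribute from the post
VALUE="${VALUE:-newContent}"

# Does this value need base64 under RFC 2849? Yes if it contains a newline or a byte
# outside printable ASCII, begins with space, ':' or '<', or ends with a space.
needs_base64() {
    [ "$(printf '%s' "$1" | wc -l | tr -d ' ')" -ne 0 ] && return 0
    printf '%s' "$1" | LC_ALL=C grep -q -e '^[ :<]' -e '[^ -~]' -e ' $'
}

# One LDIF line, "name: value" or "name:: base64", folded at 76 columns with a
# leading space on each continuation line (so continuation lines are 1+75 wide).
ldif_line() {
    if needs_base64 "$2"; then
        line="$1:: $(printf '%s' "$2" | base64 | tr -d '\n')"
    else
        line="$1: $2"
    fi
    printf '%s\n' "$line" |
        awk '{ print substr($0, 1, 76); for (i = 77; i <= length($0); i += 75) print " " substr($0, i, 75) }'
}

# One "changetype: modify" record: dn, attr, value, operation (default add).
# The "-" line closes the mod-spec; RFC 2849 requires it even though the post's
# file (and LDAPAdmin) got by without it.
ldif_modify_record() {
    ldif_line dn "$1"
    echo "changetype: modify"
    echo "${4:-add}: $2"
    ldif_line "$2" "$3"
    echo "-"
    echo
}

# DNs of all entries that have a telephoneNumber, one per line. ldapsearch applies
# the same base64 rule on output, so a "dn::" line is decoded (GNU base64 -d) first.
phone_dns() {
    ldapsearch -LLL -o ldif-wrap=no -H "$LDAP_URI" -D "$BIND_DN" -y "$BIND_PW_FILE" \
               -b "$BASE_DN" '(telephoneNumber=*)' dn |
    while IFS= read -r l; do
        case $l in
            'dn:: '*) printf '%s\n' "$(printf '%s' "${l#dn:: }" | base64 -d)" ;;
            'dn: '*)  printf '%s\n' "${l#dn: }" ;;
        esac
    done
}

# Write one modify record per entry into the output file (default test.ldif).
main() {
    out=${1:-test.ldif}
    : > "$out"
    phone_dns | while IFS= read -r dn; do
        ldif_modify_record "$dn" "$ATTR" "$VALUE" >> "$out"
    done
}

# Only query the directory when called as "script.sh run [file]"; otherwise just define the functions.
if [ "${1:-}" = run ]; then main "${2:-test.ldif}"; fi
```

If you stay with the PowerShell scripts, apply the same rule there: base64-encode a DN or value that is not plain printable ASCII with [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($value)) and write it on a "dn::" or "ldapfield::" line; the file can then be written with -Encoding ASCII without losing a single umlaut, and no conversion in Notepad is needed.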