upr00ted

I recently attended “An Event Apart, Boston.” While there someone asked for my thoughts on a jquery problem which intrigued me. Mostly I was interested because I couldn’t come up with a solid solution in the 5 minutes or so we had left before the next session started.

The troubling spot for me was executing an animation on a link click before redirecting to the href of the link. I’ve seen the $("#content").animate({ opacity:1}, 100); trick to add delays within a queue, but for some reason that doesn’t work when applied to the document.

My proposed solution actually uses settimeout() which is what was suggested by the person asking the question. My question to the greater community is: Is there a better way to delay a call to document.location.href?

Here’s my proposed jquery page redirect delay solution.

Zipped for easy consumption

One note: I’m using jquery to move the content box off to the left and then bring it back in, so that people without javascript enabled will still see the content, but it seems to add an annoying flash of content sometimes. To avoid this, just remove the jquery line $("#content").css('left', '-3000%'); and add left: 3000%; to your css file.

These scripts allows for remote incremental daily snapshot backups of linux, mac, and windows based servers.
The theory is that we want a full snapshot of any given day without taking up the full disk space required. The solution us to use rsync with hard links.
In addition I’ve made it backup to an encrypted disk image stored on a usb drive in OS X.
This makes it fairly portable and secure.
So far the only down-side is that the password for the encrypted drive must be stored in the script (or in another text file) as plain text. To avoid prying eyes the script has been chmod’ded 700, and is owned by root.

The setup:

1. Create a public and private key pair and distribute the public to all linux servers to be backed up, and make sure sudo rsync can be run by the local backup user without requiring a password.
2. Create an encrypted disk image using Disk Utility under Mac OS X. Ours is on a 250GB removable USB drive, but if you have access to a RAID drive with more space make it as large as you like.

Our setup creates a daily snapshot and maintains the last 30 days, rotating out the oldest to save space, adjust to the availability of your space.

4. Because rsync doesn’t run natively or easily on Windows I’m using XCOPY to backup windows servers to an intermediary Samba share on a linux box and then rsync’ing that. While not perfect, it does allow for hard-linking, and daily snapshots.

The script:
#!/bin/sh

# Tell the log file we're done:
echo "Backup Finished: "
echo "==========================================="
echo " "
date

Backing up the Windows to a Samba share is relatively straight forward. For security purposes I created Samba shares that are only accessible to one user, the account that runs the script on the Windows servers.

Samba Share:
[global]
workgroup = yourdomain
security = user
wins support = yes
[WinBackups]
path = /var/winbackups
comment = Windows Backups
public = no
write list = administrator

The Window script:
echo off
:: variables
set drive="\\linux-box\sambashare\backupfolder"
set backup1="E:\FirstLocation"
set backup2="E:\SecondLocation"
set backupcmd=xcopy /s /c /d /e /h /i /r /k /y

echo ### Backing up Second Location...
%backupcmd% %backup2% %drive%

I’ve scheduled the xcopy script to run nightly well before the rsync script, with large sets of data you might have to run them on different days.

I’ve also scheduled the rsync backup script to run nightly and send me an email detailing what it wrote to the log.
MAILTO=" email@yourdomain.com"
30 22 * * * /private/var/root/backup-scripts/backup-daily.sh 2>&1 | tee -a /private/var/root/backup-scripts/logs/backup-daily.log | mail -s "Daily Backup" email@yourdomain.com

If you wish to make a backup of your backup, simply copy the entire disk image to another drive. Make sure the image isn’t mounted when you copy it.

Creating ssh keys:

This is based on this article.

create a key pair on your backup server machine.

This section should only be done once.

ssh-keygen -t rsa -f ~/rsync-key

This creates two files public and private keys.

place the private key into /etc/ssl/private/rsync.key and secure it.
mv rsync-key /etc/ssl/private/rsync.key
chown root:root /etc/ssl/private/rsync.key
chmod 600 /etc/ssl/private/rsync.key

The public key is the file that you place in the /home/(rsync_user)/.ssh/authorized_keys file on all your clients so that they know to allow you to use rsync as that user without a password. (Note that (rsync_user) should be replaced with the user you are using to connect with so a command that looks like this: rsync -avz -e “ssh -i /etc/ssl/private/rsync.key” user@server:/files/to/backup /backup/location, you would replace it with eanders.

Before you place it on your client machines you’ll want to tell it that it should only be valid if used from your backup server and that it is only valid for the rsync command. This is security for your client not your server. Having this public key means that anyone on a machine with the private key can connect and execute stuff on your machine without a password.

You should place the following at the beginning of the rsync-key.pub file:
from="ip.of.backup.server",command="/home/(rsync_user)/.rsync/validate-rsync.sh"
The file would then look something like this:
from="10.0.100.5",command="/home/(rsync_user)/.rsync/validate-rsync.sh" ssh-rsa AAAAB3NzaC1yc2...

Repeat the following section as needed:

In most circumstances you will only be backing up information that the user you connect as has permission to. In these cases you should copy the edited rsync-key.pub file to the users home directory and place it in the .ssh/authorized_keys file. If your user was eanders you would move the file to eanders’ home directory and do something like this:

mkdir /home/(rsync-user)/.ssh
cat rsync-key.pub >> .ssh/authorized_keys
This will place the key at the end of the authorized_keys file. It is now safe to delete the key.
Finally you’ll need to place the validate-rsync script in the /home/(rsync-user)/.rsync/ directory on your client computer so that you can allow rsync to be run without a password, but nothing else will work.
You can just create the .rsync directory and then paste the following into validate-rsync.sh within that file.
mkdir /home/(rsync-user)/.rsync
vi /home/(rsync-user)/.rsync/validate-rsync.sh

#!/bin/sh
case "$SSH_ORIGINAL_COMMAND" in
*\&*)
echo "Rejected"
;;
*\;*)
echo "Rejected"
;;
rsync*)
$SSH_ORIGINAL_COMMAND
;;
*)
echo "Rejected"
;;
esac

Then we tell it that the validate-rsync.sh file should be executable
chmod 755 /home/(rsync-user)/.rsync/validate-rsync.sh

At this point you should be able to run an rsync command from your backup server as root to backup anything that (rsync-user) has permission to backup. Something like:
rsync -avz -e "ssh -i /etc/ssl/private/rsync.key" (rsync-user)@client_ip_address:/files/to/backup /backup/location

If you want to backup a machine which contains files that are only readable by root you need to do the following

This will be the case where you have a file server that hosts files which are only readable by inidividual users (root always has access) but your administrator user can’t access their files without the use of sudo.

First you will create an unprivileged user on the client machine, we are using the username rsync:
adduser rsync
Give this user whatever password you want.

Then follow the instructions above replacing (rsync-user) with the user rsync.

Next you will need to login and gain root access to the server and we’ll move the rsync application and replace it with a script.
mv /usr/bin/rsync /usr/bin/rsync_real
vi /usr/bin/rsync

Fill the file with this script:

#!/bin/sh
/usr/bin/sudo /usr/bin/rsync_real "$@"

Then make it executable:

chmod 755 /usr/bin/rsync

This tells the computer that when you ask it to run rsync it should actually run it as root, so issuing:
rsync
will result in this command actually running:
sudo rsync_real

Finally you need to tell your client computer that the (rsync-user) should be able to run rsync_real as sudo without a password since we’ll be running it without an interactive shell. To do this run, as root:
visudo
and add the following line:
(rsync-user) ALL= NOPASSWD: /usr/bin/rsync_real

For our purposes we are making a single script that will run various rsync commands to backup servers across the wan, this script will reside in /var/usb1/backup-district.sh
In addition we will rsync /var/usb1 to /var/usb2 each night with an rsync command.

If you are having problems where it is continually asking for your password (even though you’ve done all the key stuff) make sure that the line you added to visudo is at the bottom. That file appears to be processed from the top down instead of going from broad to granular.
This is especially a problem when your user is also an administrator and already has an entry in visudo.

This is the functioning post that allowed us to be able to reset user’s Active Directory passwords via a php page hosted on a linux box. Combine this with the password resetting delegation of a previous post for a bit more security. We’re also going to set this up to figure out what group someone is in and let teachers reset thier students passwords.

Before you do this you need to generate an ssl certificate on the windows box and import it into the linux box, see a previous post.

This information was mostly gleaned from here:
———————————————————
The post: http://forums.devshed.com/ldap-programming-76/modifying-active-directory-passwords-through-php-and-iis-74683-7.html
———————————————————

Here is the final script I am using for a user to change his or her password.
The form to submit to the script:
<form method="post" action="change_password.php">
username: <input type="text" name="uid" />
<br />
password: <input type="password" name="password" />
<br />
new password: <input type="password" name="newpass1" />
<br />
confirm new password: <input type="password" name="newpass2" />
<br />
<input type="submit" name="submit" value="Change Password" />
</form>
Config File:
< ?PHP
/*** Variable Settings ***/
// administrative bind user
// Admin account with permission to reset passwords
$adminUID = 'adminusername';
$adminPass = 'AdministrativePassword';
// ldap server info, moved to config file
$ldapserver = 'ldapserver.mydomain.com';
$baseDN = 'DC=mydomain,DC=com';
?>
Script:
< ?PHP
require_once('/var/www_config_files/secure/change_password.inc.php');
/*** Variable Settings ***/
$uid = $_POST['uid']; // Should be something like jsmith
$userbindDN = $uid . '@yourdomain.com'; // jsmith@yourdomain.com
//existing password
$userbindPass = $_POST['password'];
// new password
$passwd1 = $_POST['newpass1'];
$passwd2 = $_POST['newpass2'];
// administrative bind user
// Admin account with permission to reset passwords
$authbindDN = $adminUID . '@yourdomain.com';
$authbindPass = $adminPass;

$result = ldap_mod_replace($ldap, $userDn , $userdata);
if($result)
{
// echo "User modified!<br />" ;
}else{
echo "There was a problem!<br />";
echo ldap_error($ldap)."<br />";
}
/** Now try to bind with the username and new password to
ensure change**/
echo "Now testing new password to insure change<br />";
ldap_bind($ldap, $userbindDN, $passwd1);
if (ldap_errno($ldap) !== 0)
{
exit('ERROR: User ID/Password Invalid - '.ldap_error($ldap));
}else{
echo "Password Verified.<br />Password change complete.<br />";
echo "<p>You may now close this window, your password for
your computer, email, and web access has been updated.</p>";
}
}
?>

In addition I have modified this script to allow teachers to reset student passwords:
The page that requests information:
<html>
<head>
<title>Reset Student Password</title>
</head>
<body>
<h2>Reset a Student Password</h2>
<p>Teachers may use this form to reset the password of a student in their class. Simply fill out all of the fields and click the "Reset Student Password" button.</p>
<form method="post" action="change_password.php">
Teacher Username: <input type="text" name="uid" />
<br />
Teacher Password: <input type="password" name="password" />
<br />
Student Username: <input type="text" name="student_uid" />
<br />
New Student Password: <input type="password" name="newpass1" />
<br />
Confirm Student Password: <input type="password" name="newpass2" />
<br />
<input type="submit" name="submit" value="Reset Student Password" />
</form>
</body>
</html>

Uses the same config file from above.

The script:
< ?PHP
require_once('/var/www_config_files/secure/change_password.inc.php');
/*** Variable Settings ***/
$uid = $_POST['uid']; // Should be something like jsmith
$student_uid = $_POST['student_uid'];
$userbindDN = $uid . '@yourdomain.com'; // jsmith@yourdomain.com
//existing password
$userbindPass = $_POST['password'];
// new password
$passwd1 = $_POST['newpass1'];
$passwd2 = $_POST['newpass2'];
// administrative bind user
// Admin account with permission to reset passwords
$authbindDN = $adminUID . '@yourdomain.com';
$authbindPass = $adminPass;
// ldap server info, moved to config file
//$ldapserver = 'ldapserver.yourdomain.com';
//$baseDN = 'DC=yourdomain,DC=com';
/**************************/
/*
The theory: Bind as the teacher to verify password and get group membership
Bind as the admin
Grab student dn and group membership
if the teacher is a member of teachers and the student is a member of students
check to see that they are both a member of another group (other than Domain Users)
If they are: reset the student password

}
}
else {
echo "Sorry we could not verity that you are a teacher.";
}
?>
</p></pre></body>
</html>


To assign a network printer via GPO you can either assign them to the user or to a computer. Scripting Printer installation for a user is fairly simple and straight forward.

1. Create a script to map the appropriate printer:
   Option Explicit
   Dim objNetwork

   Set ObjNetwork=CreateObject("Wscript.Network")
objNetwork.addWindowsPrinterConnection"\\serveripaddress\printername"
Wscript.Quit

2. In windows explorer copy the file. Open GPMC.
3. Create a GPO for the appropriate user OU. Edit the settings and navigate to:
   User Configuration->Windows Settings->Scripts->Logon
4. Add a script, just type the name of the file, not the path.
5. Click the Show Files button and Paste your script into the Folder that opens.

If you login as a user within this OU you should now see the printer is available to you.

To assign a printer by computer, such as in a lab situation where anyone who logs in should have access to the printer follow the previous steps, but make the GPO on the OU that contains the computers. Note that you are making a GPO that targets users, but applying it to computers. To make this work you need to add one more setting to your GPO.

1. Navigate to:
   Computer Configuration->Administrative Templates->System->Group Policy
2. Set the value of “User Group Policy loopback processing mode” to Enabled and use the “Merge” option.

If you now login to a computer in the OU that you just applied the policy to you will have access to that printer, but if you move to a computer outside the OU it won’t be available to you.

The Group Policy Loopback processing mode of merge essentially means that policies should be applied to the computer at startup, the user at login, and then the user section of the computer policy afterward (still at login.)

Here is a relatively concise set of information on GPO loopback.

This is a modified version of Alistapart’s PHP styleswitcher. The idea was to take a site that is both in English and Spanish and allow someone to make a semi-permanent decision on which language they would like to use. This project came through a friend of mine, and with few details, so I figured I’d pick a method that could be easily changed if it didn’t fit his current setup.

Here is a rudimentary example if you want to see it in action. (After you’ve chosen your language just try going to the other page in the address bar!)

My idea was that the english pages would be named something like index_en.html and the spanish pages would be named index_es.html. This means that to switch from one to the other, all you need to do is swap out the bit at the end of the filename. (You could modify this so that it swapped out a directory name instead, and then you could have a /en/ directory and a /es/ directory in the path name and essentially maintain two different folder structurers.) Okay, enough hypotheticals. Here is how to do it.

The first page you need to build is a modified version of the alistapart styleswitcher. Place this code in a file called switcher.php:
< ?php
setcookie ('sitelang', $set, time()+31536000, '/', 'yourdomain.com', '0');
header("Location: $HTTP_REFERER");
?>
This simply takes an argument passed to it through the url bar and redirects the user back to the same page but with a cookie set that contains the information passed to it. (Don’t forget to change the domain name.)

Next you need to put the following snippets of code a the very top of each of your pages, one for the Spanish pages and one for the English pages:

< ?php
if ($sitelang == '_en') {
$location = $_SERVER["PHP_SELF"];
$goto = str_replace("_es", "_en", "$location");
header("Location: $goto");
die();
}
?>
The first one goes in the top of your Spanish pages, an simply checks to see if the cookie says you should be on an english page, if it does, it replaces the _es in the page you are currently on with _en and then redirects you to the English page.
< ?php
if ($sitelang == '_es') {
$location = $_SERVER["PHP_SELF"];
$goto = str_replace("_en", "_es", "$location");
header("Location: $goto");
die();
}
?>
The English version works exactly the same way, except that it replaces _en with _es.

Finally you need to have some way for your browsers to choose their preferred language. In this case I chose to pass the argument through the URL, but you could create a form on your page that had a submit button and some radio buttons to make your choice. The following two links should be present somewhere on every page.
Oprima aquí para español!
<br />
Click here for English!
The first line lets you choose Spanish as your language and the second lets you choose English.
Sorry if my Spanish is a little out of practice. . .
Post a comment if you find this useful.

Update 3-28-05

After a little more discussion about the specifics of what my friend wanted, we came to the conclusion that while this works really well, it wasn’t quite what he was looking for.

The site he was looking to use this is actually 3 sites, where the first is a splash site for the other two.
So, the final decision was made to have the splash site allow a user to choose their language and to choose if that language is permanent or not. Were still working out the specifics, but here’s a way to set the language and forward people to the correct url based on their decision.

The index page for the splash site would contain the following code:
< ?PHP
if ($sitelang == '_es') {
header("Location: http://www.thespanishsite.org");
die();
}
if ($sitelang == '_en') {
header("Location: http://www. thesenglishsite.org");
die();
}
?>
Then within the body you need a form:
<form action="switcher.php" method="post" name="radio">
<label for="set">Español</label>
<input name="set" id="set" type="radio" value="_es" checked="checked" />
<br />
<label for="set">English</label>
<input name="set" id="set" type="radio" value="_en" />
<br />
<label for="length">Remember this setting</label><input name="length" id="length" type="checkbox" value="year" />
<br />
<input type="submit" value="Set Language"/>
</form>
Then the switcher needs to be changed so that it knows about temporary and long term cookies:
< ?php
if ($length == 'year') {
setcookie ('sitelang', $set, time()+31536000, '/', 'yoursplashdomain.com', '0');
}
else {
// this cookie just needs to survive long enough to get the user to the right place
// one time.
setcookie ('sitelang', $set, time()+60, '/', 'yoursplashdomain.com', '0');
}
header("Location: $HTTP_REFERER");
?>
That should do it.
You can try out a demo here.

Don’t expect it any time soon, but I plan to add a style switcher ala ALA via some basic PHP. In the meantime, check out my last PHP project of a redesign of my Picture Album, now called Gallery.