Connecting the world…

filter

FortiGate – Outbound OSPF filtering

Just a quick post on filtering outbound OSPF advertisements. I had some struggle with this config today.

config router prefix-list
  edit “filter-outbound”
  config rule
    edit 1
      set prefix 10.10.0.0 255.255.0.0
      unset ge
      unset le
    next
    edit 2
      set prefix 10.20.0.0 255.255.0.0
      unset ge
      unset le
    next
    edit 3
      set action deny
      set prefix any
      unset ge
      unset le
    next
  end
 next
end
!
config router ospf
 set router-id 1.1.1.10
  config area
    edit 1.1.1.1
      config filter-list
        edit 1
          set list “filter-outbound”
          set direction out
        next
end

Like a said: a quick-and-dirty  note

eSafe license expires

I just received the following interesting question:

What happens if our eSafe license expires?……Because it expires this weekend!!!!!!!!

Interesting question, because I never encountered such a situation. Normally the license is renewed in a timely fashion or a trial is stopped before the license expires. I searched the Knowledge Base from eSafe and found an article. This article tells the following:

Evaluation license: when an evaluation license expires, eSafe allows all traffic to pass through without any scanning at all.

Registered license: when a registered license expires, eSafe scans and blocks traffic, but stops receiving updates. Important note: if there are any licensed add-on’s installed (URL filter, Advanced Anti-Spam), they will stop functioning after the registered license expires.

RSA LDAP query failed

While configuring a LDAP mapping for a RSA Authentication Manager 6.1 with an Active Directory Domain Controller, I received the following error while running the Synchronisation task

c:\RSA\prog\sdldapsync.exe -j 102

“[LDAP search] Search failed (check Base DN)”

At first I thought about a typo while configuring the Synchronisation task. To test the LDAP connection with the domain controller I installed Softerra’s LDAP Browser. With this tool the LDAP connection is working perfectly when using the same credentials, BaseDN and LDAP Query Filter.

After searching the internet I found the MaxPageSize issue in Windows. I reported the same issue in a blog about eSafe and LDAP. When running the sdaceldap command you can see that the MaxPageSize is reached by the LDAP query.

Correct usage: sdaceldap <-h hostname> <-p port> [-b basedn] [-s scope] [-d import|compare] [-o output file] [-m schema map file] <-D binddn -w passwd> <-Z -P path> filter

 

C:\RSA\utils\toolkit>sdaceldap.exe -h 10.1.1.100 -p 389 -b ou=Users,dc=booches,=nl -s sub -d import -o AD_Users.csv -m active.map -D SA_LDAP@booches.nl -w LDAP_passwd “objectclass=user”

 

Host: 10.1.1.100
Port: 389
Distinguished Name: ou=Users,dc=booches,dc=nl

Scope: sub
Mode: import
Output Filename: AD_Users.csv
Mapfile: active.map
Bind: SA_LDAP@booches.nl
Filter: objectclass=user

Starting Import:

ldap_search_s Sizelimit exceeded

The output shows that the Sizelimit is exceeded. I find a tool on the internet which can be used to retrieve the MaxPageSize from a Windows machine. This tool is called AdFind.

Executing this tool on the Domain Controller tells me the MaxPageSize is set to 2000.

c:>adfind -e -config -f “&(objectcategory=querypolicy)(name=default quer
y policy)” ldapadminlimits

AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007

Using server: dc01.booches.nl:389
Directory: Windows Server 2003
Base DN: CN=Configuration,DC=booches,DC=nl

dn:CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,
CN=Services,CN=Configuration,DC=booches,DC=nl
>lDAPAdminLimits: MaxPageSize=2000
>lDAPAdminLimits: MaxReceiveBuffer=10485760
>lDAPAdminLimits: MaxDatagramRecv=1024
>lDAPAdminLimits: MaxPoolThreads=4
>lDAPAdminLimits: MaxResultSetSize=262144
>lDAPAdminLimits: MaxTempTableSize=10000
>lDAPAdminLimits: MaxQueryDuration=120
>lDAPAdminLimits: MaxNotificationPerConn=5
>lDAPAdminLimits: MaxConnIdleTime=900
>lDAPAdminLimits: InitRecvTimeout=120
>lDAPAdminLimits: MaxConnections=5000

1 Objects returned

To minimize the number of objects that are returned in a single search I configured a LDAP Query Filter, which is shown below:

(&(&(&(objectClass=user)(objectClass=person))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))(!(objectClass=computer)))

or the equivalent

(&(objectClass=user)(objectClass=person)(!userAccountControl:1.2.840.113556.1.4.803:=2)(!objectClass=computer))

This query has the following properties. The object should have the objectClasses user AND person AND the account should NOT be disabled AND should not contain the objectClass computer. This already excludes some objects, like workstations and servers.

More information about the MaxPageSize and the way to change the value can be found here. More information about Limiting LDAP Searches with MaxPageSize can be found here.