Active Directory, jpegPhoto and PHP

Outlook 2010, Ms SharePoint and other systems use AD to store profile images per user. This data is pretty much a pain to get to, mostly because of weirdness in the PHP functions made for accessing LDAP. After spending quite some time, I managed to put together a working script that takes one parameter, sAMAccountName. Based on that alone, it fetches the image from the defined LDAP server and displays it if available. If it’s not, the script streams noPic.jpg so you give a response on that as well.

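<?php
$host = "some.ldap.server.domain.com";
$ldapUserDN = "CN=userAllowedSearching,CN=Users,DC=domain,DC=com";
$ldapPwd = "cleverPassword";
$base_dn = "dc=domain,dc=com";

// Accept only a plain string, and escape it so it cannot change the search filter (PHP 5.6+).
$user = (isset($_GET["user"]) && is_string($_GET["user"])) ? $_GET["user"] : "";
$sAMAccountToFind = ldap_escape($user, "", LDAP_ESCAPE_FILTER);

$photo = null;
$ds = ldap_connect($host);
if ($ds && $user !== "") {
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    if (@ldap_bind($ds, $ldapUserDN, $ldapPwd)) {
        $sr = ldap_search($ds, $base_dn, "(sAMAccountName=" . $sAMAccountToFind . ")", array("jpegPhoto"));
        $ei = $sr ? ldap_first_entry($ds, $sr) : false;
        // ldap_get_values_len() is binary safe; it returns false when the user has no jpegPhoto.
        $info = $ei ? @ldap_get_values_len($ds, $ei, "jpegPhoto") : false;
        if ($info && $info["count"] > 0) {
            $photo = $info[0];
        }
    }
    ldap_unbind($ds);
}

// Send the header in every case, then either the stored photo or the fallback image.
header("Content-Type: image/jpeg");
if ($photo !== null) {
    echo $photo;
} else {
    readfile("noPic.jpg");
}
?>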
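
The script places the user request parameter inside an LDAP search filter, where *, (, ) and \ have special meaning. The following is an added example, not part of the original post: it compares plain concatenation, ldap_escape() and an allowlist check on constructed inputs. The helper buildAccountFilter and its account-name pattern are assumptions made for illustration.

```php
<?php
// Added example, not the original script. Needs the PHP ldap extension (PHP 5.6+).

// Hypothetical helper: returns the search filter for one account, or null when
// the value does not look like an account name. The pattern is an assumed site
// policy (letters, digits, dot, underscore, hyphen, at most 20 characters).
function buildAccountFilter($user)
{
    if (!is_string($user) || !preg_match('/\A[A-Za-z0-9._-]{1,20}\z/', $user)) {
        return null;
    }
    // Escape as well, so the filter stays intact if the pattern is relaxed later.
    return "(sAMAccountName=" . ldap_escape($user, "", LDAP_ESCAPE_FILTER) . ")";
}

// Constructed sample values for the "user" parameter.
$samples = array("jdoe", "*", "jdoe)(mail=*", "j\\doe", array("jdoe"));

foreach ($samples as $value) {
    $shown = is_string($value) ? $value : "(array)";
    // What plain concatenation would send to the server.
    $naive = is_string($value) ? "(sAMAccountName=" . $value . ")" : "(n/a)";
    // Escaping alone: filter metacharacters are turned into hex escapes.
    $escaped = is_string($value)
        ? "(sAMAccountName=" . ldap_escape($value, "", LDAP_ESCAPE_FILTER) . ")"
        : "(n/a)";
    $checked = buildAccountFilter($value);

    echo "input:       ", $shown, "\n";
    echo "  naive:     ", $naive, "\n";
    echo "  escaped:   ", $escaped, "\n";
    echo "  validated: ", ($checked === null ? "rejected" : $checked), "\n";
}
?>
```

A rejected value should get the same noPic.jpg response as an unknown account, so the endpoint does not reveal which inputs were filtered.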

Posted in Active Directory

verb my subjective

Photoshop my photoshop
can any subjective be verbed automatically?
Posted in Uncategorized

Granting the least possible rights in Ax

Say you’re asked to create a login for a few users who basically need access to one function in Ax, but nothing else. First, you need to create a group for them and remove all the “standard” rights under User group permissions. Our contractor had also been using creative solutions, so I had to manually hunt down and reset the keys that weren’t created per Ms’ standards.

Cannot select a record in Employee (EmplTable). Access Denied: You do not have sufficient authorization to modify data in database.

Ax throws this error at login.

When you’ve removed all the permission entries defined, try starting Ax as a user that is only a member of this new group. In my setup at least, I was given this error: Cannot select a record in Employee (EmplTable). Access Denied: You do not have sufficient authorization to modify data in database.

Basic -> Tables topnode. Grant Read Access

To get around this I once more had to resort to hunting down the security key in question.

Finally, I found out that granting read access at the Basic -> Tables top node would do the trick. There is no need to “cascade” this right down the tree, as only the top tables node is checked.

Now you can get back to granting access to that one, needed function.

Posted in MS Dynamics Ax

Microsoft Dynamics Ax 2009, grant access to rename utility

We’ve been implementing Dynamics Ax 2009 at work for some time now. One of the tasks that came to my desk was to manage security and access rights in the application.

Ax is a fully dynamic application. It’s customized by a Ms partner for each customer to meet its needs (the choice of partner in this matter will decide whether the implementation is successful, and whether it’s on time. If you land on acquiring this software, spend some time evaluating the different providers available in your area).

The Rename Utility that this issue refers to is controlled by several access keys and rights. Basically, you need write/modify rights for the table in question (not always easy to figure out, but right-clicking an element and going to setup *might* provide some insights). When you’ve got that, you need to have modify rights to the security keys below:

Administration->Miscellaneous = Modify. If you don’t have this or more rights, the Rename button won’t show at all.

Posted in MS Dynamics Ax

VMtools @ Mandriva 2010.1

urpmi gcc kernel-devel
mount vmtools cd
unpack tar.gz to /tmp
enter /tmp as root
execute /tmp/vmware-tools/vmtools-install.pl
no - no - no - no

Posted in Uncategorized

vConverter esx kernel panic

So I’ve had to migrate a couple of machines from physical Linux hosts to VMware-powered guests. Pretty straightforward, no?

Kinda. The conversion itself, getting the machine configured and the data from the disks pushed into the image files, is not a problem. Booting the machine after this is done might be, though.

Loading sd_mod.ko module
Loading jbd.ko module
Loading ext3.ko module
Mounting /proc filesystem
Mounting sysfs
Creating device files
Mounting tmpfs on /dev
Creating root device
Trying to resume from /dev/sda5
Unable to access resume device (/dev/sda5)
echo: cannot open /proc/suspend2/do_resume for write: 2
Mounting root filesystem /dev/root
mount: error 6 mounting ext3 flags defaults
well, retrying without option flags
mount: error 6 mounting ext3
well, retrying without any flags
mount: error 6 mounting ext3
switch to new root
ERROR opening /dev/console!!!!: 2
unmounting old /proc
unmounting old /sys
switchroot: mount failed: 22
Initrd finished
Kernel panic - not syncing: Attempted to kill init!
_

Mandriva 2007 crashing during initial boot after conversion to virtual environment

So after googling the issue a bit and getting some assistance from my go-to guy for all things Linux, it was clear that the issue revolved around missing SCSI controller settings.

Now that I’ve got it booting, the required steps were the following:

  1. Boot the machine to rescue environment from the distribution disks. I used the old 2007 disks from Mandriva, hoping it would be a matching environment.
  2. Mount your local disks to /mnt etc – in Mandriva there’s a menu option to mount existing partitions, I used that.
  3. Enter console and chroot into your local environment.
  4. vi /etc/modprobe.conf
  5. Find any and all occurrences of scsi_hostadapter and change the line to reflect what you’re using. My final file looks like this:
    alias eth0 pcnet32
    alias sound-slot-0 snd-hda-intel
    alias scsi_hostadapter BusLogic
    remove snd-hda-intel /sbin/modprobe -r snd-pcm-oss; /sbin/modprobe --first-time -r --ignore-remove snd-hda-intel
    install snd-hda-intel /sbin/modprobe --first-time --ignore-install snd-hda-intel && { /sbin/modprobe snd-pcm-oss; /bin/true; }
    install usb-interface /sbin/modprobe uhci-hcd; /sbin/modprobe ehci-hcd; /bin/true
    install scsi_hostadapter /sbin/modprobe ata_piix; /sbin/modprobe ahci; /sbin/modprobe BusLogic; /bin/true
    alias eth1 pcnet32
  6. Then we need to make a new boot image:
    cd /boot
    mkinitrd -v -f /boot/initrd-2.6.17-5mdv.img 2.6.17-5mdv

    (mkinitrd -v -f /boot/initrd-2.x.y-zz.img 2.x.y-zz)
  7. Finally, Mandriva 2007 installs are a blast from the past, using lilo. So for it to be happy, enter lilo, hit enter and watch as it updates your MBR.
  8. Your VM should now be able to boot; leave it to finish scanning the file systems and such.

references:

http://virtualaleph.blogspot.com/2007/05/virtualize-linux-server-with-vmware.html

Posted in esx, linux, vmware

oneliner for clearing your outlook image cache

FOR /F %B IN ('DIR/B "%USERPROFILE%\AppData\Local\Microsoft\Windows\Temporary Internet Files\OLK*"') DO DEL/S/F/Q "%USERPROFILE%\AppData\Local\Microsoft\Windows\Temporary Internet Files\%B\*.*"

Posted in Uncategorized

Huldt & Lillevik Lønn / Aditro, Personec and how they suck…

Personec, Huldt og Lillevik, Aditro: what do they have in common? They are all confusions from a Norwegian “vendor” of HR software. When I say vendor, in quotation marks, it is because they are not even capable of supporting their own software. And when they are then put in a situation where they have to explain themselves, they unzip their fly and let it rip while telling you that it is raining…

Example:
I was just on the phone with Mette at their “support” line, 09102 (where it costs “four hundred and twenty kroner for every started twenty minutes” = 1260/hour to call). She was supposed to explain why a required function in the newest version, Altinn Innsending, did not work.

In short, it came down to the program being programmed like garbage. In fact, to such a degree that even if you change the content of an input box, the variable in the program does not change until you press [Enter] with focus in that box.

In other words: if you were to be so INSANE as to use copy/paste from the form at Altinn (where you register user and client), fill in all the fields and click [Bekreft] (Confirm) and then [Oppdater alle klienter] (Update all clients), it does NOTHING.

You get no error message. You get no indication that the values have not been saved (in fact, technically they do get saved somewhere, since the values are there when you exit and re-enter the program). They just are not set active…

When they are then confronted with the fact that this is crazy and counterintuitive, contrary to normal workflow and to what it should be, surely it gets logged to the development department that this is a quirk (to put it mildly) that they need to clean up? Oh no. Mette instead sits down and LIES about the reason things are the way they are. She manages to come out with “well, it may not be so self-explanatory that you MUST press enter to set each field active, but that is the Windows standard.”

GOOD GOD.

Not only are they incompetent and make a TERRIBLE system (this is after all just ONE quirk in the thing), but they simply sit there and push the responsibility for fixing it onto Microsoft. The big, ugly, mean IT giant that does not care about the little people. right…

ps: Aditro, System4, Lønn5, Personec, Huldt og Lillevik are all names for the same regurgitation of system deliveries. I assume they have done what UPC/get did: fled from a bad reputation among consumers by changing names…

Posted in Uncategorized

gotchas from likewise @ubuntu

Today I learned that to get likewise5 working on ubuntu, you should:

  1. sudo aptitude install likewise-open5 likewise-open5-lsass
  2. sudo joe /etc/samba/lwiauthd.conf
    add the line
    winbind use default domain = yes
    so you can log in without specifying the domain in the domainname-slash fashion.
  3. sudo joe /etc/sudoers
    add %DOMAIN.dns.NAME\\Group^name ALL=(ALL) ALL
    at the bottom to allow logins
  4. sudo lw-update-dns
    registers the DNS name with your logon server

Posted in Uncategorized

fileupdater.vbs

I mentioned earlier that I’m using a loginscript to sync the pac files to the local drive, but didn’t upload it at the time. Here it is anyhow – it’s probably not the most elegant solution, nor the one with least code; but it works for me. Used with a GPO that sets the path locally, it’s a fairly flexible way of controlling internet access.

Basically, you call it like this:

fileupdater.vbs /i:input.txt /o:target.txt

The locations can be anything the VBScript FileSystemObject is able to access with the credentials running it, both local drives and UNC paths.

fileupdater.vbs
I also use the script to push any changes in the PAC file into the netlogon directory (runas domain admin):

C:\scripting>fileupdater.vbs /v /i:C:\conf\proxy.pac /o:\\%USERDNSDOMAIN%\netlogon\proxypriv.pac
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.

output file created: 27.03.2009 11:04:17 modified: 27.03.2009 11:17:15
input file created: 16.12.2008 03:24:19 modified: 28.03.2009 14:54:51
updating file
Posted in Active Directory, Group Policies, VBscript