
Wednesday, 20 June 2012

How to run Yubico YubiRadius on Microsoft Hyper-V

Anyone who has read my past blog posts will know I am an advocate of Yubico Yubikeys, and in particular their implementation with YubiRadius.

YubiRadius allows the system administrator to host an in-house Radius server (I was about to write Yadius) that is the missing link between Yubikeys and anything that can interface with Radius.

Unfortunately YubiRadius only comes in OVF and VMware formats, which leaves anyone with Hyper-V infrastructure in a hole, but luckily it's quite easy to get it up and running on Hyper-V.



The Conversion Process

1. Download YubiRadius VMWARE edition from here http://yubico.com/yubiradius-vm


2. Grab the VMDK2VHD converter, which converts VMDK files directly to VHD for use in Hyper-V. You can download it from here http://vmtoolkit.com/files/folders/converters/entry8.aspx

Open VMDK2VHD. It will prompt you for a VMDK file; point it at the YubiRadius VMDK file you downloaded in step 1. Select an output location for your VHD file and start the process.


3. Once the VHD has been created, jump onto your Hyper-V box and create a new virtual machine with the following attributes.

Memory: 1024MB (or more if you want)
Legacy Network Adapter
and assign your newly created VHD file to the IDE controller.

The rest of the settings are up to your personal preference.



4. Take a snapshot before you start, just in case you hose something in the setup process. Then boot your new Hyper-V YubiRadius server.


5. Log in with the default credentials.
Username: root
password: yubico

Once logged in, the GUI may not load correctly; it didn't for me. A simple ctrl+alt+f2 will redirect you to a working terminal. From here you can use update-rc.d -f <service> remove to remove services you don't want to run at boot, such as the X11 GUI.


6. We need to set up the network adapter so we can log in via SSH for future configuration. Enter the following commands at the command prompt.
cd /etc/network
nano interfaces
Below are some example settings you can change and then paste directly into the interfaces file.
# The primary network interface
# Example values: use your own interface name (the same one on both lines below) and subnet settings
allow-hotplug eth0
iface eth2 inet static
        address 192.168.1.100
        netmask 255.255.254.0
        network 192.168.1.0
        broadcast 192.168.2.255
        gateway 192.168.1.1
        # dns-* options are implemented by the resolvconf package, if installed
        dns-nameservers 192.168.1.1
        dns-search domain.internal
Make sure you hash out the auto eth0 line (so it reads #auto eth0), or you may have problems booting.

Press ctrl+x to exit, and type Y to save the changes.


7. Next we need to add at least one DNS server to /etc/resolv.conf to enable DNS resolution. You can change the below IP address to reflect your DNS server.
echo "nameserver 192.168.1.1" >> /etc/resolv.conf

8. Finally you can issue a reboot with the below command for the settings to activate.
shutdown -r now

9. After the system has rebooted, you should be able to SSH in and access the Webmin interface via http://IP:10000/

The default username is yubikey and the password is yubico.



It might be a good idea to set up an iptables firewall and disable as many unneeded services as possible; YubiRadius is fairly loose by default.
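One way to start on that firewall, as an added example that is not part of the original post or of YubiRadius: a script that prints a default-deny iptables-restore ruleset allowing only SSH and Webmin (port 10000, as used above) from a management subnet and RADIUS from your RADIUS clients. The subnets are constructed placeholders, and UDP 1812/1813 are the standard RADIUS ports, assumed here to be the ones your appliance listens on.

```shell
#!/bin/sh
# Added example: print an iptables-restore ruleset for a YubiRadius VM.
# Ports 22 (SSH) and 10000 (Webmin) come from the post; UDP 1812/1813 are
# the standard RADIUS authentication/accounting ports (an assumption).

# is_cidr ADDR/PREFIX: accept only dotted-quad IPv4 with a /1../32 prefix,
# so "0.0.0.0/0" and anything containing shell or rule syntax is refused.
is_cidr() {
    case $1 in ''|*[!0-9./]*) return 1 ;; esac
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([1-9]|[12][0-9]|3[0-2])$' || return 1
    old_ifs=$IFS
    IFS=./
    set -- $1
    IFS=$old_ifs
    for octet in "$1" "$2" "$3" "$4"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# emit_rules MGMT_CIDR RADIUS_CLIENT_CIDR: write the ruleset to stdout.
emit_rules() {
    mgmt_net=$1
    radius_clients=$2
    if ! is_cidr "$mgmt_net" || ! is_cidr "$radius_clients"; then
        echo "usage: emit_rules MGMT_CIDR RADIUS_CLIENT_CIDR" >&2
        return 1
    fi
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -s $mgmt_net --dport 22 -j ACCEPT
-A INPUT -p tcp -s $mgmt_net --dport 10000 -j ACCEPT
-A INPUT -p udp -s $radius_clients --dport 1812 -j ACCEPT
-A INPUT -p udp -s $radius_clients --dport 1813 -j ACCEPT
COMMIT
EOF
}

# Constructed sample subnets: admin LAN and a single RADIUS client.
emit_rules 192.168.1.0/24 192.168.1.50/32
```

Review the output, then load it with iptables-restore from the Hyper-V console rather than over SSH, so a wrong subnet cannot lock you out.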

If you hose the system (it doesn't reboot after you change the network settings) you can go back to the snapshot you took before you started. Ensure your network configuration is correct and you hashed out the #auto eth0 line after changing the interfaces file.

Thursday, 24 November 2011

Compiling app_swift for AsteriskNOW or Fedora

For those building Asterisk interactive voice menus the app_swift plugin is a must. Giving the administrator the ability to directly interface with Cepstral voices from within the dial plans is a massive time saver. 


The problem 

Unfortunately many users are having issues with compiling the app_swift module on AsteriskNOW as the appropriate build tools are not included in the operating system.

If you don't have the correct tools installed you will probably see an output like this.

/usr/include/string.h:66: error: declaration for parameter ‘memchr’ but no such parameter
/usr/include/string.h:62: error: declaration for parameter ‘memcmp’ but no such parameter
/usr/include/string.h:59: error: declaration for parameter ‘memset’ but no such parameter
/usr/include/string.h:51: error: declaration for parameter ‘memccpy’ but no such parameter
/usr/include/string.h:43: error: declaration for parameter ‘memmove’ but no such parameter
/usr/include/string.h:38: error: declaration for parameter ‘memcpy’ but no such parameter
/usr/lib/gcc/i486-linux-gnu/4.3.2/include/stddef.h:214: error: declaration for parameter ‘size_t’

app_swift.c:569: error: expected ‘{’ at end of input
make: *** [app_swift.o] Error 1


The result is no app_swift.o module and a frustrated administrator. 


Installing app_swift

The following instructions will work with Asterisk 1.6.x on AsteriskNOW or Fedora distributions.

1. Before you install app_swift you need to download and build the Cepstral swift package. Start by downloading the Allison voice package, alternatively you can choose a voice you prefer from Cepstral.com.
wget http://downloads.cepstral.com/cepstral/i386-linux/Cepstral_Allison-8kHz_i386-linux_5.1.0.tar.gz

2. Extract the package.
tar -zxvf Cepstral*

3. Enter the directory.
cd Cepstral_Allison-8kHz_i386-linux_5.1.0

4. Run the installer.
./install.sh

5. Load the library into ld.
echo /opt/swift/lib > /etc/ld.so.conf.d/cepstral.conf

6. Now run ldconfig to finish the ld configuration process.
ldconfig

7. It's time to get app_swift compiled. First, start by downloading the source.
wget http://pbxinaflash.net/source/app_swift/app_swift-1.6.2.tar.gz

8. Before we can compile swift, the appropriate build tools and libraries must be installed into the OS. Issue the following commands sequentially to install the tools with yum.
yum install gcc

yum install build-essential
yum install asterisk-devel

yum install kernel-devel
yum groupinstall "Development Tools"

9. Extract app_swift in preparation of compiling.
tar -zxvf app_swift-1.6*

10. Go into the app_swift directory.
cd app_swift-1.6.2

11. Now we can make the package.
make && make install

12. Copy the configuration file to the asterisk directory.
cp swift.conf.sample /etc/asterisk/swift.conf


13. We also need to make a symbolic link to the swift binary for easier access.
ln -s /opt/swift/bin/swift /usr/bin/swift

14. Finally you need to edit swift.conf to reflect the voice you have installed. I always choose Allison, but the choice is yours.
sed -i 's|David-8kHz|Allison-8kHz|' /etc/asterisk/swift.conf

15. We finish by restarting Asterisk.
/etc/init.d/asterisk restart



Confirming all is well

Once the installation is complete the module should be loaded into Asterisk. You can check this by starting asterisk console and issuing the show application command.

1. asterisk -cr
2. core show application swift
If everything is running smoothly you should see an output similar to below.

asterisk*CLI> core show application swift
  -= Info about application 'Swift' =-

You can now start swift()'ing your way to a flexible, intuitive and interactive dial plan that suits your requirements.

Saturday, 19 November 2011

Home automation possibilities using X10 and Asterisk

A couple of years ago I was seriously sick, I knew I was going to be in hospital and then couch bound for several months and decided a home automation project was going to help me get through the tougher times.

After looking at all the automation options, I decided on using the X10 standard. It's affordable, extremely flexible and most importantly I don't need to make any physical modifications to my rental house to implement it. X10 communicates over existing power lines, using adapters that sit between the power socket and the device to remotely turn devices on and off. Also available among a huge list of optional adapters are light socket adapters that similarly interface between the light socket and the light, providing remote control lighting.

I purchased and quickly implemented a number of X10 power and lighting adapters and a remote to control them. They worked great, but I wanted more. I wanted to control more devices and I wanted to do it remotely, these are all things that X10 does not offer.



X10 is cool, but I need more

Enter Asterisk, the open source, Unix based, PABX solution. I had worked with Asterisk before for several businesses I supported, but only with simple dial plans and voice mail. While Asterisk is designed as a PABX, it has all the required framework to be a great automation conduit. The key features I want to leverage are the support for complex menus, the ability to trigger Unix scripts and most importantly the ability to accept remote commands via a VOIP dial-in number.

My plan was to setup Asterisk to handle all the triggering of the automation, then if I was at home I could use my portable VOIP phone or off-site I could dial in with my mobile.



The first steps to home automation

The first step is to setup your Linux based PC with the X10 computer interface module, install and setup Asterisk and register your VOIP phone number with the Asterisk box. I have been using VOIP at home for a number of years, so it was easy for me to connect my handset to Asterisk and then let Asterisk connect to my VOIP provider.

What I love most about Linux is the way things so easily connect together with scripting tools such as grep and awk. I set about making a number of scripts that when requested from the Asterisk dial plan, would go about performing my tasks. I was able to automate the following tasks via Asterisk.
  • Getting a temperature reading from inside my house remotely by using a USB based temperature probe
  • Turning on/off lighting and my coffee machine
  • Inputting scheduled recordings into my Media Center by the use of a small C++ MCE tool I coded (available here)
  • Starting and controlling my air conditioner via the use of a USB infrared transmitter
  • Activating a web cam in my house and triggering an iptables port forward of the webcam. I could then view the RTSP feed via my mobile phone.
  • Accepting all commands via voice input using the Sphinx speech recognition framework
  • Voice based SSH port knocking
  • Getting the Asterisk box to tell me my IP address for remote access
  • Controlling the current state of my house via external scripting. For example, after 10:30PM, my house would set itself to a sleep state and redirect all incoming VOIP calls to voice mail.
  • The ability to schedule wake up calls
  • All incoming numbers would be announced over a speaker before the phone rings


What you need to build a similar setup

The beauty of Asterisk is that via the "asterisk -rx" command, you can issue commands directly to Asterisk via the Linux command line. For example you could have a X10 movement sensor setup with the heyu daemon listening to trigger a specific script when any movement is detected. That script could then initiate a dial-plan that calls you and reports there has been movement detected. You could then, via Asterisk and your VOIP number, remotely dial in and trigger your webcam stream to be started which you could view on your mobile phone.

To tie everything together I wrote two sets of scripts that worked in separate ways.

One set of scripts are triggered by Asterisk events. Any time I call Asterisk and speak or dial a command, these scripts are triggered to perform tasks such as turning on a light or reading back the current temperature via text to voice.

The second set of scripts are triggered by events such as time of day, a motion sensor being triggered or an iptables logging event. This second set of scripts then initiates Asterisk commands via "asterisk -rx" or performs other tasks such as turning lights on or off.

I took things a step further by creating an Asterisk variable called "house mode". I included lists of settings for modes such as phone, night, day, sleep and do not disturb. Based on the current house mode, speaker volume can be automatically adjusted, Asterisk can choose whether to ring the phone or send the call directly to voice mail and lights can be dimmed or toggled.

You can potentially store any variables you want in Asterisk via the database put function, but for reliability it is best to store them somewhere more "permanent". For example I keep the current house mode in a flat file and use that file to populate the database as per the example below.

asterisk -rx "database put x10 housemode `cat /etc/heyu/state/housemode.curr`"




Some code examples

This is by no means a small project, it requires extensive bash scripting to link everything together. I have included some code examples below that will hopefully give you some ideas and help get you started.
This system worked amazingly well for me and was both challenging and fun to build. While I was in hospital I could keep watch of my empty house and when I returned home I hugely benefited from the automation while I was confined to my bed.

Hopefully you can use some of these ideas to get started but please don't hesitate to contact me for more information.

Friday, 28 October 2011

Building a bootable Citrix Xendesktop USB with enterprise wireless support

Citrix Xendesktop gives us an unbelievable amount of flexibility in our environment, one of the great possibilities is "secure" bring your own device scenarios.

I would love students and staff to be able to bring their own devices and securely connect to our network without configuration and IT support, which has been impossible in the past. We have considered scenarios of users installing clients and configuring settings but all of these have potential problems. What happens if an end user breaks their personal system while trying to connect to our network? Who is responsible for the support?

Enter the idea of a Linux bootable USB stick with the Citrix client preloaded, no user settings are ever changed and all configuration is taken care of. I have chosen Ubuntu 10.04 LTS as my OS of choice as it is flexible, easy to configure and is known to boot well from a USB.

For this to work in our environment, it needs to boot up, connect to the network and launch a Citrix login prompt automatically. As I don't want to open any "public" networks at this stage, I am using a secondary wireless network I already have in production, this network requires WPA2-Enterprise authentication. This will add some extra complexity to my set-up as I will need to load certificates into my image and configure WPA_Supplicant to automatically connect to my network using those certificates.

I am also going to load the latest Adobe Flash package and of course the Citrix client package.

Finally I am going to merge the casper-rw persistent changes back into the live boot USB's squash file system so the USBs can be reused over and over again without being re-imaged.



Prerequisites
  • The Ubuntu 10.04 iso
  • Any required CA, private keys and user certificates
  • An internet connection
  • An empty USB stick (primary)
  • A second USB stick for storing the created file (secondary)


Let's get into it!
1. Copy Ubuntu onto the primary USB stick, I won't include a tutorial here, but the Ubuntu site has great tutorials. I used their Windows based Universal USB Installer tutorial. Ensure you create the USB stick with a persistent storage of at least 512MB. This "persistent storage" allows us to make changes that are kept after a reboot.

2. Boot Ubuntu off the primary USB stick.

3. Start by setting the wallpaper you want, I have set a wallpaper that says "Please be patient as a connection is established..."

4. If you are connecting to an open wireless network you can simply configure it in Network Manager and let it take care of the rest, but WPA2-Enterprise networks are slightly different. If you are using WPA2-Enterprise authentication then continue, otherwise you can skip to step 5.

Depending on your luck, the current humidity and if your shirt is purple or green, Network Manager may work with a WPA2-Enterprise network and your certificates or it may not. For this reason I use the more robust WPA_Supplicant and get my hands dirty on the command line.

First we need to remove Network Manager.
sudo apt-get remove network-manager
Now let's configure WPA_Supplicant. First create a certificates folder under /etc/wpa_supplicant and give it the appropriate permissions.
sudo mkdir /etc/wpa_supplicant/certs
sudo chmod 700 /etc/wpa_supplicant/certs
Then copy your CA certificate, client certificate and client key in PEM format to the /etc/wpa_supplicant/certs directory. If your certificates have come from Active Directory in PFX format you will need to convert them to PEM. This can be a difficult step in the process, but the WPA_Supplicant.conf man page has some great tips on this one. You can use the below commands to convert PFX certificates to PEM, but anything more is outside the scope of this tutorial.
Converting your client certificate and private key
openssl pkcs12 -in example.pfx -out user.pem -clcerts

Converting PFX CA certificate
openssl pkcs12 -in example.pfx -out ca.pem -cacerts -nokeys
Next create a config file under /etc/wpa_supplicant called config.conf and enter the following information.
network={
    ssid="networkname"
    key_mgmt=WPA-EAP
    scan_ssid=1
    eap=TLS
    pairwise=CCMP TKIP
    group=CCMP TKIP
    identity="username@domain"
    ca_cert="/etc/wpa_supplicant/certs/ca.pem"
    client_cert="/etc/wpa_supplicant/certs/client.pem"
    private_key="/etc/wpa_supplicant/certs/client-key.pem"
    private_key_passwd="test"
}
As you can see from the above configuration, you need to customize your SSID, the name of the certificates, identity and private_key_passwd if there is one.

5. Install the Adobe Flash and Citrix packages, both are available from their respective websites and both are very easy to install on Ubuntu (you should open them from within Firefox straight to the package manager which handles the rest).

6. Now open Firefox and set your home page as your Citrix address. I have my Citrix Access Gateway available in this wireless network so I set the address of my Access Gateway as the home page.

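7. Now we are going to put a very simple bash script into our home folder called go, which reads as follows.
#!/bin/bash
# Stop any wpa_supplicant instance that is already running
sudo killall -9 wpa_supplicant
# Start WPA_Supplicant in the background on both candidate wireless interfaces
sudo /sbin/wpa_supplicant -c /etc/wpa_supplicant/config.conf -iwlan0 -B
sudo /sbin/wpa_supplicant -c /etc/wpa_supplicant/config.conf -iwlan1 -B
# Request a DHCP lease on whichever interface associated
sudo /sbin/dhclient wlan0
sudo /sbin/dhclient wlan1
# Launch Firefox, which opens the Citrix home page
/usr/bin/firefox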

Notice I have listed wlan0 and wlan1, this is to cover the fact my target system might have totally different hardware (or multiple adapters) and by specifying two interfaces we are covering our bases (at least one should work).
This script will establish a wireless connection, grab a DHCP IP address and then start Firefox, which should open to your Citrix homepage.
8. If you are connecting to an SSL site (which I hope you are since this is on a "public" network) then we need to copy the Firefox trusted certificates into the Citrix store. If we don't perform this operation, Citrix won't trust the SSL certificate on your site and will fail to launch a desktop.
sudo cp /usr/share/ca-certificates/mozilla/* /usr/lib/ICAClient/keystore/cacerts/
If you are using a self-generated certificate or a certificate generated by a private CA then you need to import the CA certificate into the Citrix store.
9. Lastly we need to set our go script to launch on user login.

Go to the System menu > Preferences > Startup Applications, then click "Add", Name it "Citrix" and in the command field enter "/home/ubuntu/go" and then click "Add".

10. Shut-down Ubuntu and the changes will be written to the persistent file (casper-rw in the root of the USB stick).
At this point it might be worth re-booting into Ubuntu again to ensure it does indeed connect to the wireless network and launch Firefox with your Citrix login page before proceeding.
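A quick check for the WPA_Supplicant configuration from step 4, as an added example that is not part of the original post: a small lint that flags TKIP, a missing ca_cert, a missing server-name check and a key passphrase stored in a file other users can read. The finding names are made up for this example; subject_match, altsubject_match and domain_suffix_match are wpa_supplicant options that do not appear in the post, and the sample file is constructed from the network block shown above.

```shell
#!/bin/sh
# Added example: lint a wpa_supplicant EAP-TLS config before it is baked
# into the read-only image. Finding names are hypothetical labels.

# has_key FILE KEY: true if an uncommented "KEY=" line exists in FILE.
has_key() {
    grep -Eq "^[[:space:]]*$2=" "$1"
}

# audit_wpa_conf FILE: print one finding per line; no output means clean.
audit_wpa_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "unreadable"; return 2; }

    # TKIP is a legacy cipher; CCMP alone is what WPA2 needs.
    if grep -Eq '^[[:space:]]*(pairwise|group)=.*TKIP' "$conf"; then
        echo "tkip-enabled"
    fi

    # Without ca_cert the client accepts any RADIUS server certificate.
    has_key "$conf" ca_cert || echo "no-ca-cert"

    # With ca_cert alone, any server certificate issued by that CA passes.
    if ! has_key "$conf" subject_match &&
       ! has_key "$conf" altsubject_match &&
       ! has_key "$conf" domain_suffix_match; then
        echo "no-server-name-check"
    fi

    # The passphrase is stored in clear text, so the file itself must not
    # be readable by group or other (characters 5-10 of the ls mode field).
    if has_key "$conf" private_key_passwd; then
        perms=$(ls -ld "$conf" | cut -c5-10)
        [ "$perms" = "------" ] || echo "passphrase-file-exposed"
    fi
    return 0
}

# Constructed sample: the network block from step 4, world-readable.
sample=$(mktemp)
cat > "$sample" <<'EOF'
network={
    ssid="networkname"
    key_mgmt=WPA-EAP
    eap=TLS
    pairwise=CCMP TKIP
    group=CCMP TKIP
    identity="username@domain"
    ca_cert="/etc/wpa_supplicant/certs/ca.pem"
    client_cert="/etc/wpa_supplicant/certs/client.pem"
    private_key="/etc/wpa_supplicant/certs/client-key.pem"
    private_key_passwd="test"
}
EOF
chmod 644 "$sample"
audit_wpa_conf "$sample"
rm -f "$sample"
```

Because the same image, client key and passphrase end up on every USB stick you hand out, run the check against /etc/wpa_supplicant/config.conf before merging the changes back.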



Additional customizations

We have done the bulk of the configuration, but we still need to make a few changes to the boot loader.

Let's edit the text.cfg to cut down on the options presented to the end user. The only option I want presented is the ability to boot the Ubuntu Live CD; this should help cut down on any potential accidents.

To do this insert the USB stick into your Windows system, open the /syslinux/text.cfg file and make it read as follows.
    default live
    label live
      menu label ^Run Ubuntu from this USB
      kernel /casper/vmlinuz
      append noprompt cdrom-detect/try-usb=true persistent file=/cdrom/preseed/ubuntu.seed boot=casper initrd=/casper/initrd.lz splash --
We can take this a step further by making a change to /syslinux/syslinux.cfg that will totally suppress the boot menu, but you don't need to do this if you don't want to. If you want to remove the boot menu, just remove the following line from syslinux.cfg.
default vesamenu.c32
Save the changes and continue to the next section.



Merging the casper-rw changes back
1. Open the primary USB stick in Windows and rename casper-rw to casper1

2. Boot Ubuntu from the USB stick again, you will notice when you get back into Ubuntu the changes are all missing, don't worry, we have done that on purpose.

3. Install the squashfs-tools package, which provides mksquashfs. This will allow us to re-create the squash file system with our merged changes.
sudo apt-get install squashfs-tools
4. We need to make some temporary directories and mount the files we plan to merge. The following commands will create the temporary directories, mount the persistent changes file, mount the read-only operating system file and then overlay them both in the /tmp/tmp-squash directory.
cd /tmp
mkdir -p tmp-squash tmp-rw tmp-sqfs
sudo mount -o loop /cdrom/casper1 tmp-rw
sudo mount -o loop /cdrom/casper/filesystem.squashfs tmp-sqfs
sudo mount -t aufs -o br:tmp-rw:tmp-sqfs none tmp-squash
5. Insert your secondary USB drive. My USB is named "USB" so it mounted under /media/USB/
There is one last configuration change we need to make before we write the changes back and that is to remove the "Install Ubuntu 10.04" icon from the Desktop. We don't want users accidentally installing Ubuntu over their current operating system.
rm -f /tmp/tmp-squash/home/ubuntu/Desktop/Install*

6. Now we need to "squash" the contents of these folders into a single file. This will mean when we boot this USB in the future, the changes we previously made are always present and reset after every reboot.
sudo mksquashfs tmp-squash /media/USB/filesystem.squashfs
7. When the process is complete shut-down Ubuntu and move back to your Windows machine and insert both USB sticks.

8. On the primary USB drive you can remove the casper1 file, it might be worth backing up in case you want these changes in the future.

9. Copy the filesystem.squashfs file you created in step 6 from the root of the secondary USB to the /casper folder on the primary USB. You should be prompted to override the file, click yes.

You're all done! You now have a read-only bootable Linux based Citrix client that should work on a large number of devices. I have tried 5 devices in my network and they all work beautifully.

You can now image multiple Ubuntu USB flash drives and copy your custom filesystem.squashfs to make them instant Citrix access drives.

Wednesday, 14 September 2011

OpenVPN config(FAILED) error on PowerPC based Linux hosts

OpenVPN is one of the heroes of the open source world, a product that has enterprise capabilities, great flexibility and amazing support. One of the bonuses of OpenVPN is that it is lightweight, so running on a low powered integrated system is no problem, just compile and go.

Recently I started work on a project to convert an old set top box (STB) into a home server. One of my requirements was the ability to use it as an OpenVPN server, acting as a conduit to my home network.

The particular STB I have has an IBM PowerPC, which is very common amongst STB's. It also allows me to use PowerPC binaries on my unit and avoid the definite headaches of compiling on a low power and library light system.
/var/bin > uname -a
Linux imagine 2.6.9 #1 Tue Mar 10 10:17:56 CEST 2011 ppc unknown



The Problem


After setting up OpenVPN as I normally would, I started to get a repeated, very general, error message.

/var/bin > ./openvpn.sh start
Starting virtual private network daemon: config(FAILED).

This indicated that perhaps the configuration was a problem, but after redoing my configuration I found there to be no issues and no resolution to my problem.



The Resolution

Fortunately the resolution is very simple. This OpenVPN PPC binary doesn't seem to like the headers in OpenSSL generated certificates, the same certificates that work perfectly if I run them on a x86 Linux or Windows machine. So I simply removed the headers.

Example:

/var/etc/openvpn > cat certificate.cer
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
..truncated..
-----BEGIN CERTIFICATE-----
..truncated..
-----END CERTIFICATE-----

Simply becomes

/var/etc/openvpn > cat certificate.cer
-----BEGIN CERTIFICATE-----
..truncated..
-----END CERTIFICATE-----

So just remove everything above the BEGIN CERTIFICATE line in your certificate, and of course ensure your key is unencrypted. Don't forget to CHOWN and CHMOD 700 your OpenVPN key directories appropriately also.
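The clean-up described above as a script, added here as an example that is not part of the original post: it keeps only the PEM certificate blocks (so the text dump above BEGIN CERTIFICATE disappears), copes with Windows line endings, refuses to write a file when no certificate is found, and reports whether a key file is still encrypted. The file names and the one-line certificate body are constructed placeholders.

```shell
#!/bin/sh
# Added example: strip the human-readable header OpenSSL writes above a
# certificate and check that a private key is stored unencrypted.

# strip_cert_text IN OUT: copy only the BEGIN/END CERTIFICATE blocks.
# IN and OUT may be the same file. Fails, leaving OUT untouched, when IN
# contains no certificate block at all.
strip_cert_text() {
    in=$1
    out=$2
    tr -d '\r' < "$in" | awk '
        /^-----BEGIN CERTIFICATE-----$/ { keep = 1 }
        keep                            { print; n++ }
        /^-----END CERTIFICATE-----$/   { keep = 0 }
        END { exit (n > 0 ? 0 : 1) }' > "$out.tmp" || {
        rm -f "$out.tmp"
        return 1
    }
    mv "$out.tmp" "$out"
}

# key_is_encrypted FILE: true for both the traditional format
# ("Proc-Type: 4,ENCRYPTED") and PKCS#8 ("BEGIN ENCRYPTED PRIVATE KEY").
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# Constructed sample: a certificate file with an OpenSSL text header.
demo_dir=$(mktemp -d)
cat > "$demo_dir/certificate.cer" <<'EOF'
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
EOF
strip_cert_text "$demo_dir/certificate.cer" "$demo_dir/certificate.cer"
cat "$demo_dir/certificate.cer"
chmod 700 "$demo_dir"   # same mode the post recommends for key directories
rm -rf "$demo_dir"
```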

Friday, 26 August 2011

Adding Joomla users with bash script

For our Intranet page we use the Joomla content management system in conjunction with IIS and the single sign on plug ins available. This gives us a very flexible Intranet page and our users love the SSO.

Obviously to enable SSO on a product like Joomla there needs to be some configuration, especially when you use a package such as "Docman", which is a document manager with its own group system. This was becoming an administrative burden: having to run our Active Directory add user script and then go independently to the Joomla configuration, add the user, then add them into the appropriate Docman group(s).

To fix this problem I put together a simple bash script that can handle the adduser task and placed the script on a Debian box with SSH enabled. Then I used the plink (command line) functionality of the famous putty SSH tool and paired it with our existing powershell add user script to trigger the Joomla add user process.


The bash script

The below script assumes the mysql server is on the local host and the database is called "joomla". You can set the mysql username and password in the top variables "mysqlusername" and "mysqlpassword". If you are not using Docman you can replace the following line:

mysql --user=$mysqlusername --pass=$mysqlpassword -e "use joomla; $string1 $string2 $string3 $string4"

with

mysql --user=$mysqlusername --pass=$mysqlpassword -e "use joomla; $string1 $string2 $string3"


This will only add the user to Joomla without touching any Docman tables.

In short, the script looks for the next available ID to use, then adds the user and assigns them to the "20" or Editor group (this is the group I want my staff in, but you could change the 20 to another number such as 19 for Author or 25 for Super Administrator).

#!/bin/bash
# Usage: ./joomlaadd "real name" "username"
name=$1
username=$2
mysqlusername=joomla
mysqlpassword=joomla
domain=blah.local
email=$2@$domain
if [ -z "$2" ]; then
  echo syntax: ./joomlaadd \"real name\" \"username\"
  exit
fi

id_users=$((`mysql --user=$mysqlusername --pass=$mysqlpassword -e "use joomla; select ID from jos_users" | tail -n 1`+1))
id_core_acl_aro=$((`mysql --user=$mysqlusername --pass=$mysqlpassword -e "use joomla; select ID from jos_core_acl_aro" | tail -n 1`+1)) 
docmangrouptemp=`mysql --user=$mysqlusername --pass=$mysqlpassword -e "use joomla; select groups_members from jos_docman_groups;"`
docmangroup=`echo $docmangrouptemp | awk -F " " '{ print $2 }'`
docmangroupfinal="$docmangroup,$id_users"

echo
echo
echo Joomla + docman adduser script
echo
echo name: $name
echo username: $username
echo email: $email
echo users id will be $id_users
echo users acl aro id will be $id_core_acl_aro

echo
echo
echo adding user to joomla...
echo
echo

string1="INSERT into jos_users VALUES ('$id_users','$name','$username','$email','1','Editor','0','0','20','2010-01-01 00:00:01','0000-00-00 00:00:00','','admin_langu"
string2="INSERT into jos_core_acl_aro VALUES ('$id_core_acl_aro','users','$id_users','0','$name','0');"
string3="INSERT into jos_core_acl_groups_aro_map VALUES ('20','','$id_core_acl_aro');"
string4="REPLACE into jos_docman_groups VALUES ('4','staff','','1','$docmangroupfinal');"

mysql --user=$mysqlusername --pass=$mysqlpassword -e "use joomla; $string1 $string2 $string3 $string4"

echo
echo
echo adding complete...
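The script above pastes its two arguments straight into SQL, so a real name such as O'Brien breaks the INSERT and anything reaching the script over SSH is trusted as-is. The following added example, which is not part of the original script, shows input checks that could sit at the top of joomlaadd; the function names are hypothetical and the statement mirrors string2 from the script.

```shell
#!/bin/sh
# Added example: validate and quote the joomlaadd arguments before they
# are placed inside SQL string literals. Function names are hypothetical.

# valid_username NAME: allow only characters a SAM account name needs here.
valid_username() {
    case $1 in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
    [ "${#1}" -le 64 ]
}

# valid_display_name NAME: non-empty and free of control characters
# (newlines included). The trailing "x" preserves a trailing newline
# that command substitution would otherwise strip.
valid_display_name() {
    [ -n "$1" ] || return 1
    cleaned=$(printf '%sx' "$1" | LC_ALL=C tr -d '[:cntrl:]')
    [ "$cleaned" = "${1}x" ]
}

# sql_quote TEXT: escape TEXT for use between single quotes in MySQL
# (backslashes doubled first, then single quotes doubled).
sql_quote() {
    printf '%s\n' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/''/g"
}

# is_uint VALUE: true for a non-empty string of digits.
is_uint() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
}

# build_acl_insert ARO_ID USER_ID NAME: same statement as string2 in the
# script, built only from checked ids and a quoted name.
build_acl_insert() {
    is_uint "$1" && is_uint "$2" && valid_display_name "$3" || return 1
    printf "INSERT into jos_core_acl_aro VALUES ('%s','users','%s','0','%s','0');\n" \
        "$1" "$2" "$(sql_quote "$3")"
}

# Constructed sample input.
name="Paddy O'Brien"
if valid_username "pobrien"; then
    build_acl_insert 63 11 "$name"
fi
```

The ids are checked as well because they come back from mysql output and are interpolated into later statements in the same way.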



Triggering the script

The way you trigger the script is up to you. As I alluded to above, I am using a powershell script to do the Active Directory configuration, adding the user's email account, setting up their home directory, adding them to the appropriate groups and allocating print credits. To trigger my script I simply added the following code to my powershell script. Obviously in my below example you need to set your password in place of "Testpassword" and replace "adduser@debianhostname" with your "username@hostname" of the server where the joomlaadd script is located.

    #adding user to joomla and docman groups
    invoke-expression '.\plink.exe -pw Testpassword adduser@debianhostname ~/joomlaadd \`"$DisplayName\`" \`"$samAccountName\`"'


For the above code to work correctly you need to have $DisplayName set as the users full name, e.g. James Trevaskis and the $samAccountName as the SAM account name you used to add them to AD. You will also need putty.exe and plink.exe available in the powershell script directory, both are available from here.

You will more than likely need to do a bit of moulding to make this code fit your requirements, but hopefully this is at least a start, so get scripting!