• My beard has a lot of gray now. I should lose it.
  • Reading RFCs is worse than the bible. At least the bible reads like a fantasy novel.

Random bits, Week 2


Encrypted subversion authentication storage with mdconfig

Once I converted my personal repository to subversion, the first thing that bugged me was the unencrypted storage of passwords. This was similar to how cvs worked, but at least with cvs you could log out and the password was removed. Additionally, one could use ssh and skip storage of passwords altogether. While it’s possible to use subversion with ssh, it adds a number of issues that I didn’t like about cvs in the first place, most notably the requirement of having a real (possibly restricted shell) account on the server side. Thus, I decided to look into options to encrypt that storage.

  • I should write an e-book on the Openldap C API. After wrestling with it for a few days, it’s all coming together and the beauty of the API is showing through. The problem is that there really isn’t a guide out there that gives you the big picture, and with all the deprecations and subtle function name differences, it’s tough to see the road to wander.
  • If I didn’t approve your comment, it’s because it doesn’t contribute anything. The thank you note is however appreciated. So is pushing the like button.
  • Yoghurt drink from Mona is really good. Those of you not familiar, should import it.
  • My best friend is going to be a father. He does not want to be a father. His girlfriend knew that. He’s trying to redefine the relationship, thinking things might still work out. I admire, but do not share, his optimism.
  • Watching season one of Bones again, I can see why I liked it. I suspect that I stopped liking it because gradually the squints turn into normal people and lose their charm.
  • Instant gratification in gaming is killing the industry. I keep hoping one will rise that gets that and is capable of making effort/reward feel as it should and not as a collection of time sinks.


Random bits, week 1


Working with Openldap results

After much digging through the client tools sources in the Openldap distribution, I’ve finally figured out how to process results. In this particular case, I am not interested in the DN, nor am I interested in the attribute names. I just need the values so I can store them in a linked list. Looking at the ldapsearch(1) sources, I got sucked into low-level BER decoding routines, which are undocumented. However – there’s a documented way to do what I need to do.


I completely agree with this post. The main problem is that it’s not obvious that ldap_sasl_bind(_s) can actually perform simple binds. Once you’ve looked at how ldap_simple_bind is implemented inside the Openldap source tree (sbind.c), you learn about the LDAP_SASL_SIMPLE flag that is defined in ldap.h as NULL and serves as the SASL mechanism name for a simple bind. When you want your program to support both SASL and simple binds, this is actually convenient. All you have to do is make sure that a mechanism is set whenever the other SASL properties are set. A simple bind, without using deprecated functions, then becomes:

#include <ldap.h>
#include <string.h>

// Assumes ld (LDAP *), xFlag (int), authcUser and password (char *) are set up
// elsewhere; xFlag is set via the command line and selects a simple bind.
const char *authcMech = NULL;        // SASL mechanism, NULL == LDAP_SASL_SIMPLE
struct berval authcPw;               // password wrapped in a BER value
struct berval *authcServerPw = NULL; // server credentials returned for SASL
int res;

authcPw.bv_val = password;
authcPw.bv_len = strlen(password);
if (xFlag)
    authcMech = LDAP_SASL_SIMPLE;
res = ldap_sasl_bind_s(
    ld,             // LDAP *, ldap handle
    authcUser,      // const char *, authentication user, DN in case of simple binds
    authcMech,      // const char *, mechanism
    &authcPw,       // struct berval *, password in BER value
    NULL,           // LDAPControl **, server controls (none)
    NULL,           // LDAPControl **, client controls (none)
    &authcServerPw  // struct berval **, SASL server challenge; not useful for simple binds
);
// res is LDAP_SUCCESS on a successful bind; otherwise see ldap_err2string(res)

But, if your SASL mechanism requires several stages, you may actually need to use ldap_sasl_interactive_bind, and that makes things complex again, mostly because it’s not clear from the manpages whether the interact parameter is just for providing defaults, with the SASL library or LDAP library doing the prompting, or whether your program has to do the prompting itself.
Guess I’ll find out soon enough.

Openldap binding via C API


Running out of series

I’m slowly running out of TV series to watch. Perhaps if I were into sitcoms there would be a lot more, but I’m not. There are a few I have steered clear of after reading the general outline of the series, and there are some shows I used to watch that I missed entire seasons of, but I’m clearly running out of stock.


Filling a new LDAP directory

I’m currently working on moving parts of my home network to LDAP-based storage. Testing with two directories in master-slave replication is successful: pam_ldap, pam_mkhomedir and nss_ldap are all configured with some imaginary users who can log in using ssh. So now I’d like to set up the real LDAP db and fill it with actual data. In doing so I discovered that reading through the different schemata that make up my user object, in order to see which attribute fits best for a given piece of data, is quite time consuming.


Openssh LPK patch

We’ve all dealt with the catch-22 of needing to get into a machine that does not have the public key of your current computer. If you’re security conscious you don’t have password authentication enabled, and as such you may be unable to log in. However, there’s a patch for Openssh that allows you to store your public keys in an LDAP server, known as LPK – LDAP Public Keys. When properly implemented, you only need to add the trouble machine to the allowed hosts in the LDAP server and you’re good to go. Additionally, management of keys you have lost or thrown away on purpose is much easier across a server park.


Democracy under the microscope – Part 1

When people think of democracy, one of the first things associated with it is the right to vote. But how important is that right in modern society? Have we ever considered a new form of government altogether, or maybe an updated version? Which things still hold true for a democracy and which do not?


Portsnap exit hooks

Whenever I start a new machine in a new environment, I try to simply use the vanilla ports tree. It will only be hours before I start patching things. Mostly minutes, because there’s one annoying feature in portmaster that I immediately get rid of. However, when you modify ports and don’t want to deal with cvsup, cvs or, heaven forbid, downloading the ports tree from your local FreeBSD mirror via FTP, you use portsnap.
