Kanidm LDAP Auth Source for SimpleSAMLphp

This is an example /config/authsources.php when using Kanidm’s LDAP connector to provide user details and authentication.

Users need to be posix-enabled, and members of the posix-enabled group saml_admins will be marked as administrators in SimpleSAMLphp.

<?php
$KANIDM_HOSTNAME = 'ldaps://kanidm.example.com';
$KANIDM_SEARCHBASE = 'dc=kanidm,dc=example,dc=com';
$KANIDM_LDAP_PORT = 636;

$config = [
    // admin authsource: the user needs to be a member of the posix-enabled group "saml_admins"
    'admin' => [
        // The default is to use core:AdminPassword, but it can be replaced with any authentication source.
        'ldap:LDAP',

        // Give the user an option to save their username for future login attempts
        // And when enabled, what should the default be, to save the username or not
        'remember.username.enabled' => false,
        'remember.username.checked' => false,

        // The hostname of the LDAP server.
        'hostname' => $KANIDM_HOSTNAME,

        // Whether SSL/TLS should be used when contacting the LDAP server.
        'enable_tls' => true,

        // Whether debug output from the LDAP library should be enabled.
        // Default is FALSE.
        'debug' => false,

        // The timeout for accessing the LDAP server, in seconds. The default is 0, which means no timeout.
        'timeout' => 30,

        // The port used when accessing the LDAP server.
        // The default is 389.
        'port' => $KANIDM_LDAP_PORT,

        // Set whether to follow referrals. AD Controllers may require FALSE to function.
        'referrals' => true,

        // Which attributes should be retrieved from the LDAP server.
        // This can be an array of attribute names, or NULL, in which case
        // all attributes are fetched.
        'attributes' => ['uid'],

        // The pattern which should be used to create the users DN given the username.
        // %username% in this pattern will be replaced with the users username.
        //
        // This option is not used if the search.enable option is set to TRUE.
        'dnpattern' => 'uid=%username%,ou=people,dc=example,dc=org',

        // As an alternative to specifying a pattern for the users DN, it is possible to
        // search for the username in a set of attributes. This is enabled by this option.
        'search.enable' => true,

        // The DN which will be used as a base for the search.
        // This can be a single string, in which case only that DN is searched, or an
        // array of strings, in which case they will be searched in the order given.
        // kanidm
        'search.base' => $KANIDM_SEARCHBASE,

        // The attribute(s) the username should match against.
        //
        // This is an array with one or more attribute names. Any of the attributes in
        // the array may match the value the username.
        'search.attributes' => [
            'name',
        ],

        // Additional LDAP filters appended to the search attributes
        'search.filter' => '(&(class=posixaccount)(memberof=saml_admins))',

        // The username & password the SimpleSAMLphp should bind to before searching. If
        // this is left as NULL, no bind will be performed before searching.
        'search.username' => null,
        'search.password' => null,

        // If the directory uses privilege separation, the authenticated user may not be able to retrieve
        // all required attributes; a privileged entity is required to get them. This is enabled with this option.
        'priv.read' => false,

    ],
    // normal users: the account needs to be posix-enabled
    'ldap' => [
        'ldap:LDAP',

        // Give the user an option to save their username for future login attempts
        // And when enabled, what should the default be, to save the username or not
        'remember.username.enabled' => false,
        'remember.username.checked' => false,

        // The hostname of the LDAP server.
        'hostname' => $KANIDM_HOSTNAME,

        // Whether SSL/TLS should be used when contacting the LDAP server.
        'enable_tls' => true,

        // Whether debug output from the LDAP library should be enabled.
        // Default is FALSE.
        'debug' => false,

        // The timeout for accessing the LDAP server, in seconds. The default is 0, which means no timeout.
        'timeout' => 30,

        // The port used when accessing the LDAP server. The default is 389.
        'port' => $KANIDM_LDAP_PORT,

        // Set whether to follow referrals. AD Controllers may require FALSE to function.
        'referrals' => true,

        // Which attributes should be retrieved from the LDAP server.
        // This can be an array of attribute names, or NULL, in which case all attributes are fetched.
        'attributes' => ['uid', 'mail', 'memberOf', 'displayName'],

        // As an alternative to specifying a pattern for the users DN, it is possible to
        // search for the username in a set of attributes. This is enabled by this option.
        'search.enable' => true,

        // The DN which will be used as a base for the search.
        // This can be a single string, in which case only that DN is searched, or an
        // array of strings, in which case they will be searched in the order given.
        'search.base' => $KANIDM_SEARCHBASE,

        // The attribute(s) the username should match against.
        //
        // This is an array with one or more attribute names. Any of the attributes in
        // the array may match the value the username.
        'search.attributes' => [
            'name',
        ],

        // Additional LDAP filters appended to the search attributes
        'search.filter' => '(class=posixaccount)',

        // The username & password the SimpleSAMLphp should bind to before searching. If
        // this is left as NULL, no bind will be performed before searching.
        'search.username' => null,
        'search.password' => null,

        // If the directory uses privilege separation,
        // the authenticated user may not be able to retrieve
        // all required attributes; a privileged entity is required
        // to get them. This is enabled with this option.
        'priv.read' => false,

    ],
];
[Read More]

mkdocs and Python Libraries

Documentation for libraries is handy. Automatically generating most of it from source code is even more handy.

Here’s a quick how-to on setting up mkdocs with the mkdocstrings plugin to automagically build docs for your project.

mkdocs.yml

This goes in the root directory of your project.

It sets various things like the Name of the site, theme etc.

site_name: aussiebb
theme:
  name: "material"

plugins:
  - search:
  - mkdocstrings:
      default_handler: python
      handlers:
        python:
          rendering:
            show_source: true
      watch:
        - "aussiebb/"

nav:
  - "Home": README.md
  - "aussiebb": aussiebb.md

Relevant documentation:

[Read More]

NBN and Physics, or Why My Internet Is Slow

As an Australian, I’m afflicted with two things:

  1. Living in a deadly paradise full of Drop Bears, Hoop Snakes and Cassowaries. Only one of these is fake.
  2. Terrible internet, crippled by the ridiculous decisions of multiple corrupt governments.

They installed “Fibre to the Node”, or VDSL. The technology that New Zealand had had for decades and nobody in their right mind would deploy these days.

Second-generation systems (VDSL2; ITU-T G.993.2 approved in February 2006)[5] use frequencies of up to 30 MHz to provide data rates exceeding 100 Mbit/s simultaneously in both the upstream and downstream directions. The maximum available bit rate is achieved at a range of about 300 metres; performance degrades as the local loop attenuation increases.

[Read More]

Cisco Switch S_sn and S_tc in Logs

If you see things like this:

[syslog@9 s_sn="306" s_tc="330"]: Aug 23 22:15:22.268: %SYS-5-CONFIG_I: Configured from console by yaleman on vty0 (10.0.0.155)

In your Cisco Switch logs, it’s because you’ve got the config entry:

logging message-counter log

Ew.

conf t
no logging message-counter log
end
write mem
[Read More]

Nagios, Kanidm and LDAP Authentication

Here’s an example Apache configuration file for using Kanidm’s LDAP server to authenticate access to Nagios.

The below file is also available as a github gist

<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerName monitoring.example.com
        ServerAdmin admin@example.com

        SSLEngine on
        SSLCertificateFile    /etc/letsencrypt/live/monitoring.example.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/monitoring.example.com/privkey.pem

        ScriptAlias /cgi-bin "/usr/local/nagios/sbin/"
        <Directory "/usr/local/nagios/sbin">
            Options ExecCGI
            AllowOverride None
            <RequireAll>
                Require all granted
                AuthName "Nagios Access"
                AuthType Basic
                AuthLDAPURL "ldaps://kanidm.example.com:636/dc=kanidm,dc=example,dc=com?name?sub?(name=*)" TLS
                AuthBasicProvider ldap
                Require valid-user
            </RequireAll>
        </Directory>

        Alias / "/usr/local/nagios/share/"
        <Directory "/usr/local/nagios/share">
            Options None
            AllowOverride None
            <RequireAll>
                Require all granted
                AuthName "Nagios Access"
                AuthType Basic
                AuthLDAPURL "ldaps://kanidm.example.com:636/dc=kanidm,dc=example,dc=com?name?sub?(name=*)" TLS
                AuthBasicProvider ldap
                Require valid-user
            </RequireAll>
        </Directory>
    </VirtualHost>
</IfModule>
[Read More]

rust openssl-src panic on install

I was trying to cargo install wasm-pack on an OpenSUSE Tumbleweed docker container and getting fucking stupid errors… turns out error handling is hard, let’s just assume everything’s going to work and .unwrap() all the things!

error: failed to run custom build command for `openssl-sys v0.9.65`

Caused by:

ared" "no-ssl3" "no-unit-test" "no-comp" "no-zlib" "no-zlib-dynamic" "no-md2" "no-rc5" "no-weak-ssl-ciphers" "no-camellia" "no-idea" "no-seed" "linux-x86_64" "-O2" "-ffunction-sections" "-fdata-sections" "-fPIC" "-m64"
  Configuring OpenSSL version 1.1.1k (0x101010bfL) for linux-x86_64
  Using os-specific seed configuration
  Creating configdata.pm
  Creating Makefile

  **********************************************************************
  ***                                                                ***
  ***   OpenSSL has been successfully configured                     ***
  ***                                                                ***
  ***   If you encounter a problem while building, please open an    ***
  ***   issue on GitHub <https://github.com/openssl/openssl/issues>  ***
  ***   and include the output from the following command:           ***
  ***                                                                ***
  ***       perl configdata.pm --dump                                ***
  ***                                                                ***
  ***   (If you are new to OpenSSL, you might want to consult the    ***
  ***   'Troubleshooting' section in the INSTALL file first)         ***
  ***                                                                ***
  **********************************************************************
  running "make" "depend"

  --- stderr
  thread 'main' panicked at 'called `Result::unwrap()` on an `Err` value: Os { code: 2, kind: NotFound, message: "No such file or directory" }', /root/.cargo/registry/src/github.com-1ecc6299db9ec823/openssl-src-111.15.0+1.1.1k/src/lib.rs:469:39
  stack backtrace:
     0: rust_begin_unwind
               at /rustc/a178d0322ce20e33eac124758e837cbd80a6f633/library/std/src/panicking.rs:515:5
     1: core::panicking::panic_fmt
               at /rustc/a178d0322ce20e33eac124758e837cbd80a6f633/library/core/src/panicking.rs:92:14
     2: core::result::unwrap_failed
               at /rustc/a178d0322ce20e33eac124758e837cbd80a6f633/library/core/src/result.rs:1355:5
     3: core::result::Result<T,E>::unwrap
     4: openssl_src::Build::run_command
     5: openssl_src::Build::build
     6: build_script_main::find_vendored::get_openssl
     7: build_script_main::find_openssl
     8: build_script_main::main
     9: core::ops::function::FnOnce::call_once
  note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.
warning: build failed, waiting for other jobs to finish...
error: failed to compile `wasm-pack v0.10.0`, intermediate artifacts can be found at `/tmp/cargo-install6Ag73g`

Turns out I needed to install make. 🤦🏼‍♂️

[Read More]

Splunk, LDAP and Kanidm

This is an example LDAP configuration for Splunk connecting to Kanidm via LDAP.

The configuration goes into /opt/splunk/etc/system/local/authentication.conf

  • Replace kanidm.example.com with the hostname of the Kanidm server
  • Replace dc=kanidm,dc=example,dc=com with the LDAP-format domain name of the system.
  • Map your groups to your users. I’ve got two groups in Kanidm, splunk_users and splunk_admins

[authentication]
authSettings = kanidm.example.com
authType = LDAP

[kanidm.example.com]
SSLEnabled = 1
anonymous_referrals = 1
charset = utf8
emailAttribute = mail
enableRangeRetrieval = 0
groupBaseDN = dc=kanidm,dc=example,dc=com
groupBaseFilter = (class=group)
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = name
host = kanidm.example.com
nestedGroups = 1
network_timeout = 20
pagelimit = -1
port = 636
realNameAttribute = displayname
sizelimit = 1000
timelimit = 15
userBaseDN = dc=kanidm,dc=example,dc=com
userBaseFilter = (class=account)
userNameAttribute = name

[roleMap_kanidm.example.com]
admin = splunk_admins
user = splunk_users
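
The three Kanidm LDAP excerpts on this page (the SimpleSAMLphp search.filter, the Apache AuthLDAPURL for Nagios, and Splunk's userBaseFilter with userNameAttribute) all end up combining a fixed filter with whatever name was typed at a login prompt. The Python below is an added example, not code from any of those posts nor from Kanidm, SimpleSAMLphp, Splunk or Apache: it composes that combined filter in the shape those products send (the exact composition is an assumption about each product, stated in the docstring) and shows why the login name must be RFC 4515-escaped before it goes in. The allowlist regex is the example's own conservative choice, not Kanidm's name validation rule, and the two input names are constructed.

```python
import re

# Added example for the Kanidm LDAP integrations on this page; not code from
# the posts, Kanidm, SimpleSAMLphp, Splunk or Apache. The filter composition is
# an assumption about the shape each product sends; the escaping is RFC 4515.

# RFC 4515 section 3: these characters must be hex-escaped inside a filter value.
ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Conservative allowlist for a login name (the example's own choice, stricter
# than anything this page says Kanidm enforces): reject before any filter is built.
SAFE_NAME = re.compile(r"[a-z][a-z0-9._-]{0,63}")


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP filter assertion."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)


def looks_like_login_name(username: str) -> bool:
    """Cheap pre-check: a name that fails this never reaches the directory."""
    return SAFE_NAME.fullmatch(username) is not None


def user_search_filter(username, name_attrs=("name",), base_filter="", escape=True):
    """Compose the user lookup filter (assumed shapes):

      SimpleSAMLphp: (&<search.filter>(|(attr=user)...))  or (attr=user) for one attr
      Splunk:        (&<userBaseFilter>(<userNameAttribute>=user))
      Apache:        (&<filter from AuthLDAPURL>(<attribute>=user))

    escape=False exists only to show what an unescaped value does to the filter.
    """
    value = escape_filter_value(username) if escape else username
    assertions = [f"({attr}={value})" for attr in name_attrs]
    match = assertions[0] if len(assertions) == 1 else "(|" + "".join(assertions) + ")"
    if not base_filter:
        return match
    if not base_filter.startswith("("):
        base_filter = f"({base_filter})"
    return f"(&{base_filter}{match})"


if __name__ == "__main__":
    posix_only = "(class=posixaccount)"                       # the 'ldap' authsource filter
    admins = "(&(class=posixaccount)(memberof=saml_admins))"  # the 'admin' authsource filter
    # Constructed inputs: a normal login and an LDAP filter injection attempt.
    for name in ("yaleman", "*)(class=*"):
        print(f"{name!r:16} allowed={looks_like_login_name(name)!s:5} "
              f"escaped={user_search_filter(name, base_filter=posix_only)}")
        print(f"{'':16} raw    ={user_search_filter(name, base_filter=posix_only, escape=False)}")
    print(user_search_filter("yaleman", base_filter=admins))
```

Unescaped, the second name turns the single-user lookup into (&(class=posixaccount)(name=*)(class=*)), which matches every posix account; escaped it becomes (name=\2a\29\28class=\2a), which matches nothing. The products above do escape the name themselves, so this matters most when you write your own diagnostic or sync script against the same Kanidm directory: escape the value, and reject anything that does not look like a name before it gets that far.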
[Read More]

🪵 The 🪵 Great 🪵 Log 🪵 Post 🪵

So… this started out as me trying to start a discussion about logging on kanidm/kanidm and once I started, I couldn’t stop. Awkward.

Is this about lots of logs, or great quality logs, or just ✨big✨ logs?

Yes. 🪵

Ok, so everyone should like their logs, and making logs likeable requires them to be usable. What makes a usable log?

Note: I’m not necessarily talking about platform metrics here; they’re related but not the focus.

[Read More]

Tokyo Neopolitan - Japanese Pizza

I’ve been reading a lot of Craig Mod’s writing lately, and his article in Eater “Tokyo Neapolitan: The New Wave of Japanese Pizza” makes me really want to fly there. Right now. I feel like that most days, but … the art they bring to crafting things is just.. needed right now.

But Kakinuma is adamant that his pizzas aren’t, in fact, Neapolitan. “Absolutely not,” he said. “They’re Kakinuma-style pizzas. Look, Japanese people are really free. What I mean by that is, Japanese pray on New Year’s Day at a Shinto shrine, get married in a Christian church, and hold their funerals at a Buddhist temple. They’re beholden to no single point of view.” Kakinuma feels a freedom to push and pull within the general cosmos of Neapolitan-style, disregarding Italian tradition at will. “What’s wonderful about pizza is that it really is a bit like sushi,” he said. “You don’t touch the base ingredients. Your goal is to pull the richest inherent flavor from the ingredients at hand.”

[Read More]

IPv6 With Docker and Ansible

Please note: This is not authoritative information; if you use it and kittens pop out of your router or there’s some way simpler/better way to do things:

  1. don’t blame me for the kitten thing
  2. please document it and send me a link so I can learn from you.

The Problem.

IPv6. It’s a thing. Who even wants NAT anyway? Docker’s neat, it lets you run containers and stuff. The docs about enabling IPv6 on Docker make it look so simple. Just assign an IP range, right?

[Read More]