Zabbix and FreeIPA

If you’re like me and you’ve linked many, many applications to FreeIPA, you probably have a pretty good sense of how to go about it, and in some cases you can use an app’s authentication subsection without even consulting the Great Oracle Of Grand, Legitimate Experience.

At least, this is usually the case with me.

Not so much with Zabbix. The interface was so deceptively simple that it threw me off.

Here’s what I discovered. Some from forums, some from less-than-obvious documentation, and some from twiddling knobs.

  1. To even get an LDAP configuration to pass a test and authenticate a user, the bind user needs to be described as a full DN. This isn’t completely out of left field; I’ve seen a few implementations require this, although I prefer just providing a username and password.
  2. You also need to add “cn=compat” in front of your base DN in the LDAP configuration page.
  3. Here’s where it screwed me. I expected, after passing a test, that if I switched to LDAP authentication it would just work. Not so. There’s a brief mention of it in the docs: “Note that a user must exist in Zabbix as well, however its Zabbix password will not be used.” So here I was trying to authenticate an LDAP user after switching to LDAP authentication, and wondering why it didn’t work. It’s because this implementation doesn’t sync users.
  4. Also, the internal Admin user no longer works after you switch to LDAP. I went through a couple rounds of resetting it via MySQL (“update config set authentication_type =0 where configid=1;”) before the light bulb turned on — just uncheck “Case sensitive login” and you can use your LDAP admin user. At that point I created local users to match my LDAP users, and gave them the rights I needed. In the end, it seems like the Zabbix implementation is only using LDAP for authentication. Nothing as fancy as Zammad’s LDAP implementation, which maps LDAP groups to roles in the application.
  5. One more thing: when creating a user, the UI says the password is optional when it’s an external user. This isn’t exactly true. Maybe it won’t be used, but it wouldn’t let me complete the form without a password. So make it a strong one.
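Before touching the Zabbix LDAP page, it helps to prove the DNs outside Zabbix. This added example (mine, not from the post or Zabbix) builds the full bind DN and the cn=compat base DN from a FreeIPA domain, then runs the same two-step flow Zabbix performs with ldapsearch: bind as the service DN, find the user by uid, bind as the user. It assumes the bind account is an ordinary FreeIPA user under cn=users,cn=accounts; hostnames and domains are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the post: derive the DNs Zabbix's LDAP page asks for
# from a FreeIPA domain, then verify them with ldapsearch using the same two-step
# flow Zabbix performs (bind as the service DN, find the user by uid, bind as
# the user). Assumption: the bind account is an ordinary FreeIPA user under
# cn=users,cn=accounts; host and domain names are placeholders.
set -eu

# example.com -> dc=example,dc=com
domain_to_basedn() {
    local out="" part
    local IFS=.
    for part in $1; do
        out="${out:+$out,}dc=$part"
    done
    printf '%s\n' "$out"
}

# Zabbix needs the full bind DN; a bare uid fails its "Test" button.
bind_dn() {            # $1 service uid, $2 domain
    printf 'uid=%s,cn=users,cn=accounts,%s\n' "$1" "$(domain_to_basedn "$2")"
}

# Base DN with the cn=compat prefix the post says is required.
compat_base_dn() {     # $1 domain
    printf 'cn=compat,%s\n' "$(domain_to_basedn "$1")"
}

# Usage: verify_ldap_login ipa.example.com example.com svc-zabbix "$SVC_PW" jdoe "$USER_PW"
verify_ldap_login() {
    local host=$1 domain=$2 svc=$3 svcpw=$4 user=$5 userpw=$6
    local base user_dn
    base=$(compat_base_dn "$domain")
    # Step 1: service bind + search, the filter shape Zabbix builds from "Search attribute: uid".
    user_dn=$(ldapsearch -x -LLL -H "ldaps://$host" \
                -D "$(bind_dn "$svc" "$domain")" -w "$svcpw" \
                -b "$base" "(&(objectClass=posixAccount)(uid=$user))" dn \
              | sed -n 's/^dn: //p')
    [ -n "$user_dn" ] || { echo "no entry for uid=$user under $base" >&2; return 1; }
    # Step 2: bind as the user; a failed bind makes ldapsearch exit non-zero.
    ldapsearch -x -LLL -H "ldaps://$host" -D "$user_dn" -w "$userpw" \
               -b "$user_dn" -s base dn >/dev/null
    echo "LDAP login OK for $user_dn (the same uid must also exist as a Zabbix user)"
}
```

If step 1 finds nothing, the Zabbix test will fail the same way, so fix the base DN or the bind account before blaming Zabbix.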

Anyhow, I hope this helps someone someday. I found precious little online, and if I had it spelled out for me like this when I was looking, I would have been finished much faster.

Secure your mobile devices! Jeez!

Friend of mine ground-scored a laptop that was left in a college locker at the end of the school year. Visible screen glass damage from a violent corner drop, but still powered up and displayed just fine. Cute little unit, a Lenovo Flex 3. The screen flips around 360 to turn it into a tablet.

Anyhow it hadn’t been wiped. Windows 10, one known username, password unknown. A quick Google gave me something to try. Boot Windows 10 USB installer, go to command prompt, copy c:\windows\system32\cmd.exe into c:\windows\system32\sethc.exe (the sticky-keys notifier).

Boot the machine normally, and when it gets to the login, hit left-shift five times. Instead of the sticky-keys notifier, you get a command prompt. All I had to do at that point was change the user’s password:

net user (username) (new password)

I could immediately log in as that user. Not much in terms of payload immediately visible. Hardly anything in documents, fewer than 30 photos saved, no custom apps. Oh wait, let’s launch mail (this machine is not connected to the Internet). Bingo, user’s complete historical Gmail up until the machine was last used. Conveniently saved to the laptop for me to rifle through looking for other useful data.

Moral of the story? Encrypt your home directory.

I suspect if I gave it internet access it would try to reach out to Google and raise an alarm for a suspicious login and force reauthentication. Would that cause me to lose the existing emails I already have? That’s a question for another day.

Planner CULTure

My daughter is obsessed with planners. Her class notes are works of art. She’s done bullet journaling. Her last planner was a Passion Planner. She’s home from school for a couple of days and showed me her latest acquisition. It’s a Hobonichi Techo Cousin. It’s got pages for viewing a month at a time, a week at a time, and then a page per day. Every page is high-quality bleed-resistant paper with small graphs, which is very conducive to writing neatly with small handwriting. I was instantly attracted to it.

https://amzn.to/3C8NLqV (affiliate link, obvs)

Then she showed me how the cover is already starting to bend, so everyone usually gets covers for it.

The journal is $54 on Amazon. This seems like a lot, but with so many pages of very thin high-quality paper, it’s probably still a good price. But the covers — my god, there are covers people are charging over $100 for. I guess in the planner cult, you’re judged on how elite your planner cover is. 🙂

There is also a five-year version of the Hobonichi. Can you imagine a five-year planner? I cannot.

CentOS 7 to CentOS 8 update — it’s fine.

I’ve been taming my homelab network: all the VMs I’ve installed to try out software that I eventually deploy at work, the few administrative VMs I need for my own “stuff,” etc. I was pleasantly surprised. Turns out that most of my stuff is reasonably up to date: a bunch of CentOS 8 VMs, a few recent Rocky 8 instances, a few Ubuntu servers, and one lone CentOS 7 instance.

So I decided I no longer want to support CentOS 7, and since everything’s on ESXi, it’s easy to attempt the CentOS 7 to 8 update I found here: https://www.tecmint.com/upgrade-centos-7-to-centos-8/

Everything sailed smoothly until the actual package update step. Obviously it’s a lot of packages, etc., a lot of opportunities for things to go wrong. And a couple wrinkles did expose themselves. One was MariaDB and the other was the FreeIPA client. And since I took a snapshot before starting, I felt pretty free to experiment.

So fuck it. I backed up the MariaDB database itself just in case, and deleted the package.

Then fuck it, I can recreate the FreeIPA config if need be. Deleted the package.

Some other minor stuff came up as blockers, the rpmconf package, etc., deleted them too.

Ran the upgrade, and it went all the way through. Then I simply reinstalled the MariaDB server and the FreeIPA client using dnf, and they both picked up their original configurations and just worked. I love it when that happens. Now there’s no more CentOS 7 on my network.

Monday Nov 8 VIRTUAL meetup

Hope y’all can make it. How’d you spend your weekend? I worked a bunch Saturday, made some hellacious progress on a project I’m involved in. Then I saw Dune with my kid on Sunday. Spent all the in-between time laser-burning holiday ornaments and taming my home network with Ansible, Zabbix and Observium.

An unnamed member left his bottle of Four Roses Single Barrel last week, and it’s taking a bit of restraint for me to ignore it. But the way I see it, liquor that’s brought to an in-person meetup is not a donation; it stays where it was left until the next in-person meetup.

These are the blanks I chose for the holiday ornaments:

https://amzn.to/3BWO4Ff

It’s a nice set, it comes with 100 ornament-shaped blanks that burn pretty evenly. On my engraver I have S-MAX set to 325 and a speed of 1000. The set also comes with string. Here’s an example of an ornament I burned with a photo of the UU Church in Leesburg:

Now that’s got me thinking I should make some DC540 ornaments. Open to suggestions for design.

Reminder: Costumes encouraged for tonight’s meeting

We’re meeting this evening in the usual space. You know, that place where we put that thing that time. Costumes are encouraged. Someone will probably live-stream it on Discord for those who can’t make it, but come on out.

Here’s the current CDC guidance on gatherings:

https://www.cdc.gov/coronavirus/2019-ncov/your-health/gatherings.html

Real-World Uses for Cyberdecks

Tonight I’m applying updates to my cyberdeck (CrowPi) in preparation for using it as a portable network stack build and rescue platform (PXE boot + ISO images and installers).

Sometimes it’s preferred to set up new environments in spaces where there may not yet be connectivity to the Internet. Or maybe limited internet. Maybe at a meetup.

Serving PXE clients with DHCP, TFTP and FTP. Maybe the menu includes an ESXi installer, a couple of Linux installers, a Live ISO for rescues, DBAN for non-SSD emergencies. The sky’s the limit, right? Updated for the twenty-first century by including support for UEFI clients.

But first, updating to the latest everything. Later, I’ll migrate the whole thing to a larger SD card and replace the Raspberry Pi 3B that came with it with a much more powerful 4B with 4GB of RAM.

Maybe even have a process watching the logs, and have certain events trigger LED matrix animations, buzzer and vibration activity, countdown timers on the clock, or display status on the small display. This’ll be a fun longer-term project.
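The DHCP/TFTP half of that deck can be one dnsmasq instance. This added example (mine, not the post’s own config) generates a config that hands BIOS and UEFI clients different bootloaders based on the architecture they announce in DHCP option 93, logs every transaction to a file a watcher process could key the LED matrix off, and checks the TFTP root for the loaders it references. Interface, address range and loader file names are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the post's own config: a single dnsmasq instance providing
# DHCP and TFTP for PXE clients and choosing the bootloader per client
# architecture, so legacy BIOS and UEFI machines both reach a menu. Serving the
# installers and ISOs over ftp/http is left to vsftpd or nginx.
# Interface, address range and loader file names are assumptions.
set -eu

# Print a dnsmasq config: $1 interface, $2 lease range start, $3 range end, $4 tftp root
pxe_dnsmasq_conf() {
    local iface=$1 start=$2 end=$3 root=$4
    cat <<EOF
# Only answer on the deck's lab interface, so a stray cable never makes this a rogue DHCP server.
interface=$iface
bind-interfaces
dhcp-range=$start,$end,12h

enable-tftp
tftp-root=$root

# PXE clients announce their architecture in DHCP option 93 (client-arch):
# 0 = legacy BIOS, 7 and 9 = x86-64 UEFI, 11 = ARM64 UEFI.
dhcp-match=set:bios,option:client-arch,0
dhcp-match=set:efi-x86_64,option:client-arch,7
dhcp-match=set:efi-x86_64,option:client-arch,9
dhcp-match=set:efi-arm64,option:client-arch,11

# Each class gets its own loader; each loader reads its own menu under the tftp root.
dhcp-boot=tag:bios,bios/pxelinux.0
dhcp-boot=tag:efi-x86_64,efi64/grubx64.efi
dhcp-boot=tag:efi-arm64,efiarm64/grubaa64.efi

# One log of every DHCP/TFTP transaction; a watcher can trigger the LED matrix or buzzer from it.
log-dhcp
log-facility=/var/log/dnsmasq-pxe.log
EOF
}

# Verify the loaders referenced above exist under the tftp root; list anything missing.
pxe_tftp_layout_ok() {   # $1 tftp root
    local root=$1 rc=0 f
    for f in bios/pxelinux.0 bios/ldlinux.c32 efi64/grubx64.efi efiarm64/grubaa64.efi; do
        [ -f "$root/$f" ] || { echo "missing: $root/$f" >&2; rc=1; }
    done
    return $rc
}
```

Write the output to /etc/dnsmasq.d/pxe.conf and run pxe_tftp_layout_ok against the root before restarting dnsmasq, since a missing loader shows up only as a client hanging at "TFTP open timeout".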

Self-hosted Password Manager Round-up

Haven’t you ever set up a network for a specific project and wanted a simple way to manage passwords within the project network while sharing them between the project participants?

Don’t you hate/mistrust the cloud?

For this project, I did a quick rundown on a few available self-hosted password managers that can live inside a network enclave without involving the cloud.

1. PASSBOLT

I wanted Passbolt to work. Even after I found out the installer* isn’t available beyond CentOS 7 and won’t run under Rocky. Seriously, who uses a closed installer anymore?

So I built a C7 VM and let her rip. Flawless install, got all the way to the point of logging in, and then?

Fucking hell. It REQUIRES a BROWSER EXTENSION to browse the site. That’s a lot of trust you’re asking me to extend. It also requires an email address to validate users. This seems more like a cloud offering hastily made into a self-hosted offering. These are not features I want or need in a closed, self-hosted password manager.

2. BITWARDEN

I wanted to disqualify this one simply for deploying it in Docker. If you know me at all, you know I f’n HATE Docker. And the first set of instructions I found completely validated my hate.

But then I found this, which specifically happens to be for the exact platform I’m working with: https://computingforgeeks.com/running-bitwarden-password-manager-using-docker-container/

Other than dealing with SELinux (either by disabling it or by poking holes in it) and using a different cert mechanism than those described, it was flawless, and I had a Bitwarden instance complete in about an hour.

3. Anything file-based

Immediate automatic disqualification for being file-based. No matter how you share them, sharing them never works out.

4. Integrations

I noticed that NextCloud has a password manager app available for it. So that’s another valid option if it turns out we don’t like Bitwarden.

P.S. I still hate Docker.

Flying blind with network appliances

I was tasked with reclaiming some decommissioned network appliances. More specifically, some pretty decent Lanner appliances. Multiple ethernet interfaces, 16GB RAM, and a decent processor.

Fun, right? Well….

No access, no passwords. They have IPMI, but we don’t have passwords for that either.

We have access to serial, but all that gives us is access to BIOS, and then a boot failure, ostensibly because they’ve been wiped.

So I fought with this in several directions before coming up with a possible solution.

Wrestle with BIOS until I can get it to PXE boot. Set it to PXE from LAN0. Boot it, see what MAC address it comes up with. Add that MAC to my FOG server and deploy an image via FOG. In my case, I imaged it with Rocky Linux 8.4.

Then, because it’s still unconfigured, incomplete and flying blind, go back to serial, boot to the hard disk, edit the grub menu entry to add “console=ttyS0,115200” to the linux line, then let her rip. Sure enough, it’s now fully booting to serial and I’m able to IP it, set up permanent console redirection, make sure sshd is starting, and boom.
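The one-off grub edit gets you booted; making it stick is the part worth scripting. This added example (mine, not the post’s own commands) adds the console arguments to /etc/default/grub exactly once, points GRUB’s own menu at the serial port, regenerates grub.cfg, and enables a login getty on ttyS0. It assumes ttyS0 at 115200 8N1 and a BIOS-boot grub.cfg path on Rocky 8.

```shell
#!/usr/bin/env bash
# Added example, not the post's own commands: make the serial console permanent
# on the freshly imaged Rocky 8 box after the hand-edited grub entry got it booting.
# Edits /etc/default/grub idempotently, regenerates grub.cfg, and starts a
# login getty on the port. Assumptions: ttyS0 at 115200 8N1 and a BIOS-boot
# grub.cfg path (UEFI installs use /boot/efi/EFI/rocky/grub.cfg instead).
set -eu

CONSOLE_ARGS="console=tty0 console=ttyS0,115200n8"

# Append the console arguments to GRUB_CMDLINE_LINUX in $1 exactly once, and
# point GRUB's own menu at the serial port so it is visible there too.
add_console_to_default_grub() {
    local file=$1
    if grep -q 'console=ttyS0,115200' "$file"; then
        echo "serial console already present in $file"
    elif grep -q '^GRUB_CMDLINE_LINUX=' "$file"; then
        # GRUB_CMDLINE_LINUX="rhgb quiet"  ->  GRUB_CMDLINE_LINUX="rhgb quiet console=..."
        sed -i "s|^GRUB_CMDLINE_LINUX=\"\(.*\)\"|GRUB_CMDLINE_LINUX=\"\1 $CONSOLE_ARGS\"|" "$file"
    else
        printf 'GRUB_CMDLINE_LINUX="%s"\n' "$CONSOLE_ARGS" >> "$file"
    fi
    if ! grep -q '^GRUB_TERMINAL=' "$file"; then
        printf 'GRUB_TERMINAL="serial console"\n' >> "$file"
        printf 'GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1"\n' >> "$file"
    fi
}

# Apply on the live system (root required).
make_serial_console_permanent() {
    add_console_to_default_grub /etc/default/grub
    # Regenerate grub.cfg so every installed kernel gets the new arguments
    # (grubby --update-kernel=ALL --args="$CONSOLE_ARGS" is the other way to do it).
    grub2-mkconfig -o /boot/grub2/grub.cfg
    # Login prompt on the serial port; without this you boot to serial but cannot log in.
    systemctl enable --now serial-getty@ttyS0.service
    echo "sshd enabled: $(systemctl is-enabled sshd)"
}
```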

I probably could have done mostly the same thing with a USB boot disk, but then I’m stuck doing a full install, whereas using FOG gives me an already-standardized image. Now I’ll be done with this stack in about two bourbons.