Stuff I'm Up To

Technical Ramblings

mod_shared_roster_ldap — January 21, 2021

Getting this shared roster from LDAP into my ejabberd config has been an absolute nightmare. Everything I find seems to be people asking the same question or the comments made are for old versions. I struggled to find examples of a known good working example that used OpenLDAP and LDAP attributes for groupOfUniqueNames.

First, let me post a working example of my config, just so those that find this can see what works:

mod_shared_roster_ldap:
    ldap_groupattr: "cn"
    ldap_groupdesc: ""
    ldap_memberattr: "uid"
    ldap_memberattr_format: "%u"
    ldap_useruid: "uid"
    ldap_userdesc: "cn"
    ldap_rfilter: "(&(objectClass=groupOfUniqueNames)(cn=Staff))"
    ldap_gfilter: "(&(objectClass=person)(memberOf=cn=Staff,ou=Groups,dc=domain,dc=tld))"
    ldap_ufilter: "(&(objectClass=person)(uid=%u))"
    # ldap_filter: "" This is purposely commented out because it causes a fail to start
    ldap_auth_check: on
Nautilus NFS Browser — January 19, 2021

When using Gnome Nautilus I’m not seeing any support for nfs shares. This means I can’t use it to browse my NAS.

I trawled the net for some time, being led around various issues where Nautilus would crash whilst browsing nfs, but my Nautilus just doesn’t have nfs listed as a protocol I can use.

When I start typing nfs:// into the browser the input just goes red. If I click on the help icon it shows available protocols for AppleTalk, ftp, smb, ssh and webdav – but no nfs.

I’m missing one package: gvfs-nfs

sudo pacman -S gvfs-nfs

VMWare Horizon Client (manjaro) — January 18, 2021

I’ve been playing with Manjaro and the package management is way different to Debian. I needed to get some work tools installed and the VMWare Horizon Client is needed for one of our support customers.

Initially I downloaded the bundle from VMWare and that failed miserably, but that’s not surprising as the only support they list is for Ubuntu and RedHat.

Then I came across the AUR.

I found the Horizon client in a package here: https://aur.archlinux.org/packages/vmware-horizon-client/

The steps required are to clone the git repository, run makepkg and then install the generated tar file using pacman.

git clone https://aur.archlinux.org/vmware-horizon-client.git
cd vmware-horizon-client
makepkg
sudo pacman -U vmware-horizon-client-2012-1-x86_64.pkg.tar.zst

This failed as it was missing a dependency, vmware-keymaps. The AUR page does list it as a dependency.

Now it’s just a case of grabbing that package and making and installing it first. https://aur.archlinux.org/packages/vmware-keymaps/

cd ..
git clone https://aur.archlinux.org/vmware-keymaps.git
cd vmware-keymaps
makepkg
sudo pacman -U vmware-keymaps-1.0-1-any.pkg.tar.zst

Then back to install the client:

cd ../vmware-horizon-client
sudo pacman -U vmware-horizon-client-2012-1-x86_64.pkg.tar.zst

I don’t want or need all the other stuff like multimedia redirection and usb redirection. The customer’s security setup doesn’t allow any of that anyway. Now all I have to do is launch it from my list of apps.

Gnome Background Colours — January 17, 2021

I rarely use pictures on my background wallpapers and like to use simple colors. There doesn’t appear to be an option in gnome-tweaks to allow me to attain this. It needs to be done from the command line.

gsettings set org.gnome.desktop.background picture-options 'none'
gsettings set org.gnome.desktop.background primary-color '#009999'
gsettings set org.gnome.desktop.background color-shading-type 'solid'

Other options for graduated tints:

gsettings set org.gnome.desktop.background picture-options 'none'
gsettings set org.gnome.desktop.background primary-color '#009999'
gsettings set org.gnome.desktop.background secondary-color '#000000'
gsettings set org.gnome.desktop.background color-shading-type 'vertical'

step-ca and ACME — January 15, 2021

We have a couple of hundred certs with Let’s Encrypt and it is a great service. Right now though we need to issue certs to internal systems and thought it would be great to use the same ACME method to do so.

On top of that, we’d like to issue some user certificates to use for user authentication into our web services, so we needed to find an Open Source solution to the problem.

Enter https://smallstep.com/certificates/

PAM and OAuth2 — January 13, 2021
Installing Ansible Public Key Not Available — November 30, 2020

When trying to install Ansible on Debian following the install guide here:

https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html#installing-ansible-on-debian

We get an error:

$ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367
 Executing: /tmp/apt-key-gpghome.rg65w1DpOn/gpg.1.sh --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367
 gpg: connecting dirmngr at '/tmp/apt-key-gpghome.rg65w1DpOn/S.dirmngr' failed: IPC connect call failed
 gpg: keyserver receive failed: No dirmngr

Then the apt install fails with the expected NO_PUBKEY error.

Err:1 http://ppa.launchpad.net/ansible/ansible/ubuntu trusty InRelease
   The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 93C4A3FD7BB9C367
Icinga2 Downtime Script — November 9, 2020

I wanted to automatically trigger downtime when we ran maintenance tasks on our client systems. For this I wanted to add in a bash script to make the call to Icinga2 when we start and finish the process.

In order to do this I used a couple of additional command-line JSON utilities: jo for creating JSON from parameters and jq for reading and processing JSON responses.

The script is flexible enough to accept parameters to control duration and either trigger a host or service downtime.

Bash Script Template —

As I find myself writing a few scripts these days I thought I’d state the template I use to build with. It includes parameter collection.

#!/bin/bash
EXAMPLE="example default"
# Plugin variable description
PROGNAME=$(basename "$0")
RELEASE="Revision 1.0.0"
AUTHOR="(c) 2020 Warlord0"
# Functions plugin usage
print_release() {
    echo "$RELEASE $AUTHOR"
}
# Prints usage only; callers decide whether to exit and with what status
print_usage() {
    echo ""
    echo "$PROGNAME $RELEASE - Bash Script Template"
    echo ""
    echo "Usage: $PROGNAME"
    echo ""
    echo " -h | --help      Show this page"
    echo " -v | --version   Show the version"
    echo " -e | --example   Example argument"
    echo ""
    echo "Usage: $PROGNAME --help"
    echo ""
}
print_help() {
    print_usage
    echo ""
    echo "Bash script template"
    echo ""
    exit 0
}
# Parse parameters
while [ $# -gt 0 ]; do
    case "$1" in
        -h | --help)
            print_help
            exit 0
            ;;
        -v | --version)
            print_release
            exit 0
            ;;
        -e | --example)
            shift
            EXAMPLE=$1
            ;;
        *)
            echo "Unknown argument: $1"
            print_usage
            exit 1
            ;;
    esac
    shift
done
if [[ -z "${EXAMPLE}" ]]; then
    echo "Missing argument"
    exit 1
fi
# Script body goes after here
LDAP Indexes — October 19, 2020
Nginx SSL Certificate Error — October 14, 2020

We’re using client side certificates on an Nginx host to ensure the credentials of the connecting users and haven’t used the site for a while.

I tried to log on with a known good client certificate and know that nothing on the site config has changed, and all I get in return is a 400 error with the message “SSL Certificate Error”, which is not at all helpful.

First I thought I’d regenerate my client certificate, but no joy there. Still the same error. So I went through the process of verifying that the CA cert matched my source and was still valid, and used openssl to verify my client certs; all looked good. Nothing I did allowed me to access the site unless I turned client certificate verification off.

ssl_verify_client off;

So what was my problem? I checked the nginx.conf and our logging was set to push out to a syslog server:

error_log syslog:server=logserver:515,severity=debug;

But I wasn’t seeing anything in the log about any errors. I checked the syntax of the config entry and found it to be missing the debug option – confusing, I know: it looks like it should be using debug logging, but severity=debug is just the severity setting for the syslog server, not the Nginx log level. I added debug onto the end of the line:

error_log syslog:server=logserver:515,severity=debug debug;

Now I can see what the problem is with the certificates – there is no problem with the certificates, it’s a problem with my certificate revocation list being too old! I just need to regenerate and reissue a new one.

<190>Oct 14 20:38:22 proxy3.domain.tld nginx: 2020/10/14 20:38:22 [info] 12373#12373: *83301603 client SSL certificate verify error: (12:CRL has expired) while reading client request headers, client: 81.8.151.23, server: server.domain.tld, request: "GET /favicon.ico HTTP/1.1", host: "server.domain.tld", referrer: "https://server.domain.tld/web/database/selector"

By using openssl I can check the validity of my crl using:

$ openssl crl -in crl.pem -text
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = myCA
        Last Update: Oct 14 19:40:03 2020 GMT
        Next Update: Apr 12 19:40:03 2021 GMT

Now all I need to do is make sure I automate this process and dump a new crl onto the server at least every 6 months – I’ll probably do it monthly to be sure.
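The check I would run from cron next to that CRL refresh, as an added example that is not from the original post: a shell function that reads the Next Update of a PEM CRL with openssl and reports how long is left, so a stale CRL is flagged before Nginx starts answering every client with "SSL Certificate Error". It assumes the openssl CLI and GNU date (for date -d); the throwaway CA and CRL it creates in a temp directory are constructed only so the check has something to read.

```shell
#!/bin/bash
# Seconds until a PEM CRL's Next Update; negative once it has expired.
# Assumes the openssl CLI and GNU date (for 'date -d').
crl_seconds_left() {
    local next
    next=$(openssl crl -in "$1" -noout -nextupdate 2>/dev/null) || return 2
    echo $(( $(date -u -d "${next#nextUpdate=}" +%s) - $(date -u +%s) ))
}

# Exit 0 if the CRL outlives the warning window ($2, in days), 1 if it
# expires inside it, 2 if it has already expired or cannot be parsed.
crl_check() {
    local secs
    secs=$(crl_seconds_left "$1") || return 2
    if [ "$secs" -lt 0 ]; then
        echo "CRL $1 expired $(( (0 - secs) / 3600 )) hour(s) ago"; return 2
    elif [ "$secs" -lt $(( $2 * 86400 )) ]; then
        echo "CRL $1 expires in $(( secs / 86400 )) day(s)"; return 1
    fi
    echo "CRL $1 valid for another $(( secs / 86400 )) day(s)"; return 0
}

# Constructed fixture: a throwaway CA in $1 and an empty CRL good for $2 days.
make_demo_crl() {
    local dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=myCA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    printf '[ca]\ndefault_ca = demo\n[demo]\ndatabase = %s/index.txt\n' "$dir" > "$dir/ca.cnf"
    printf 'crlnumber = %s/crlnumber\ndefault_md = sha256\n' "$dir" >> "$dir/ca.cnf"
    printf 'private_key = %s/ca.key\ncertificate = %s/ca.crt\n' "$dir" "$dir" >> "$dir/ca.cnf"
    : > "$dir/index.txt"
    echo 1000 > "$dir/crlnumber"
    openssl ca -config "$dir/ca.cnf" -gencrl -crldays "$2" -out "$dir/crl.pem" 2>/dev/null
    echo "$dir/crl.pem"
}

DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
DEMO_CRL=$(make_demo_crl "$DEMO_DIR" 30)
crl_check "$DEMO_CRL" 14          # 30-day CRL, 14-day window: exit 0
crl_check "$DEMO_CRL" 45 || true  # same CRL, 45-day window: warns, exit 1
```

Point crl_check at the CRL Nginx actually loads (the ssl_crl path) and alert on any non-zero exit; with a monthly reissue, a 14-day window gives two weeks of warning if the job ever stops running.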

References

https://www.djouxtech.net/posts/nginx-the-ssl-certificate-error/

DRBD and LVM — October 13, 2020