The Menace of a 4.5″ Screen

There are only a handful of things in this world I’m certain have a lasting impact on ourselves and our world.

Our Relationships with Our Families

Probably my greatest regret in life is my lack of patience, and the sometimes borderline tyrannical way I interacted with my children when they were very little.  My recollection is that this was maybe between their ages of four and nine.  I did not handle well the stress and pressures of starting a career, struggling with money, trying to be a decent spouse and the challenges of little children.

I never physically harmed them, but there were times when I raised my voice at them with a tyrannical wrath that leaves me ashamed.  For a time, those diminutive persons would cower and withdraw at any hint of agitation.  Thankfully, I had enough self-awareness to see this happening and make conscientious choices to act differently.  I would also wager that there was some prodding toward that realization from my wife and mother as well.  I simply expected far too much from such small people at the time.

There are days when I see similar behaviors from other fathers, in similar circumstances, with that familiar tinge of wrath in their voice, and it lays bare my shame and regret for having done likewise.

This experience is forefront on my mind as I struggle with an ongoing challenge in our household.  My hope in writing this is to help find clarity of thought and purpose as I proceed.

Where the Mind Goes, the Rest Will Follow

There’s a reason driving instructors tell their students to focus on the outside line striping of a two-lane highway rather than the lights of an oncoming car.  It’s the same reason experienced cyclists and race car drivers keep their vision focused down the road rather than on obstacles inches from their wheels.  Your body naturally follows in the direction your mind focuses on.  Though the venue is one of satire and comedy, I find David Wong’s Cracked articles right on the money regarding this topic (example 1, example 2).  Essentially the thesis is, if a substantial portion of my daily pursuit is spent at video games, I likely will be good at video games.  Likewise, with any other endeavor.  The old adage of ‘as you reap, so shall ye sow’ always applies.

Thus, the Menace of the 4.5″ Screen

I do not think many parents would disagree with me that the influence and pervasiveness of smart phones and social media apps present a relatively new, or at least a vastly evolved, set of challenges in the last 10 years.

Frankly, as a parent I find the influence of these two elements overwhelmingly negative.  It’s as though I’m fighting a rising tide of influences that generally serve no constructive or positive purpose.  Lately, it seems to be at such high saturation levels as to completely drown any recreational or entertainment merit, and consequently it morphs into a defining and consuming influence.

On one hand, for better or worse, these devices have become the tools and medium for communications and socialization.  I’m not interested in raising Amish children.  I don’t want them to be too weird in their social circles, but settling on an appropriate age has been a challenge.

For certain, steps like defining hard lights out / lock down times with the devices have helped.  The assistance of parental control software makes this much more convenient, if not simply possible.  Putting the same restrictions on having smart phones in bedrooms as with computers is essential in my view.  Children should not be camping out, out of sight, in a bedroom while consuming the various flavors of Internet and social media content.

Beyond this, the question is really an issue of what, when and how much.

Thoughts

Take Away from First Presidential Debate

Well… my take away from this first presidential debate only confirms what I expected at the outset.  This is a choice between a bologna sandwich and a shit sandwich.

First, I’m not a Hillary Clinton fan.  My opinion is that her choices with the private email server as Secretary of State amount to deliberate actions to avoid Freedom of Information Act requirements, based on what I’ve read from several different sources.  I can sympathize with her reasons for making those choices because I’ve worked with email services and users enough to understand the issues that motivated her choices.  She said in the debate, and I agree, it was a poor choice.  Also, I don’t like the prevailing attitudes she and the left wing seem to have about government needing to solve society’s problems and narrow the curve between the haves and the have-nots down to a greatest common factor.

Next, I strongly dislike Donald Trump.  Everything I’ve seen from him tells me he’s a shallow, racist blowhard.  I can understand, and sympathize to some extent, with the tribalist underpinnings of what makes his hollow message appeal to some.  I don’t think it’s wrong to give priority to taking care of your own family and community.  I’ve just never heard one idea come from his message that sounds like it would remotely work.


Tonight’s debate, as they all are, was very lean in terms of communicating specifics about policy ideas.  Here’s what I recall from tonight:

From Mr. Trump:
  1. “We need stop and frisk” and “Law and order”
  2. Our military equipment is too old
  3. Our airports are run down. Build and rebuild infrastructure
  4. The POTUS needs stamina
  5. Cut corporate taxes from 35% to 15% to get corporations to repatriate their cash holdings
  6. Large tax cuts for the wealthy so they can create jobs
  7. Bring back manufacturing jobs

From Mrs. Clinton:
  1. Student Loan reform in the forms of:
    1. Allow for the refinance of student loans
    2. Facilitate education so the loans are necessary in the future
  2. Criminal justice reforms
  3. Raise taxes on the wealthy


Apache, LDAP Authentication, and Active Directory

Recently I’ve been working on moving a common web application hosted in a LAMP stack from an Ubuntu box I’d like to retire to a CentOS box.  The outgoing server has Apache 2.2 configured for LDAP authentication with an LDAP filter to limit access to a particular group in Active Directory.  That configuration amounted to only a few lines in an Apache configuration file.  Moving it over to the new server should have been simple, but I ran into a few snags along the way.  These details may be a useful point of clarification on an element of the documentation.

First, while trying to configure the same authentication and authorization pieces on the new server, I was running into issues with the LDAP authentication phase not working when using the DN for the root of the domain.  Next, once the authentication phase issue was resolved, I was having challenges with the authorization phase for anything more than “Require valid-user”.

The Search Base

For starters, our AD users who need access to the application are in different OUs that don’t share a common parent object other than the root of the domain.  For reasons that I don’t understand yet, when I use the DN for the root of the domain in the AuthLDAPURL I would have problems in the authentication phase.  I could see this by changing my LDAP URL to ldap:// instead of ldaps:// so I could watch the traffic with Wireshark on the domain controller.

After the initial LDAP bind with the credentials used in AuthLDAPBindDN and AuthLDAPBindPassword there’s a ‘searchResEntry’ for the DN of the user logging in.  Next are three successful bind requests followed by ‘wholeSubtree’ search requests for the ‘CN=Configuration’, ‘DC=DomainDnsZones’ and ‘DC=ForestDnsZones’ DNs.  Three operationErrors with a comment of ‘In order to perform this operation a successful bind must be completed on the connection’ follow the search requests.  Finally, I get a 500 error from Apache in the browser.

Again, I’m not sure why this is a problem on the CentOS 6 box this application is being migrated to, when it wasn’t a problem on the Ubuntu box the application is being moved away from.  I have seen similar behavior to this before when using LDAP for authentication on Dovecot.  A simple workaround is to change the AuthLDAPURL to use the DN of the OU containing the users needing access instead of the DN for the root of the domain, which leads me to the learning experience I’d like to share.

Using AuthnProviderAlias

The Apache mod_authn_alias module was the workaround I chose to address using different AuthLDAPURL values for users in different OUs.  This module allows Apache to check multiple sources to authenticate users against.  First, I verified Apache is configured to load the authn_alias_module.  Next, I added a few AuthnProviderAlias blocks to an auth_ldap.conf file I added to the /etc/httpd/conf.d directory.  Each block contained a different AuthLDAPURL for the DN of each OU that contains the users I need to accommodate.

Additionally, this directive will not work inside a VirtualHost definition.  There is an indicator for this in the comment section of the module documentation, and Apache will complain about it if you put an AuthnProviderAlias block in a VirtualHost definition.

Example:

<AuthnProviderAlias ldap ldap-Company>
AuthLDAPURL "ldaps://dc01.corp.example.com/OU=Company,DC=corp,DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"
AuthLDAPBindDN "srvcldap@corp.example.com"
AuthLDAPBindPassword "somePassword"
</AuthnProviderAlias>

authn vs. authz

With the issue of using multiple LDAP search bases in my directory taken care of for the authentication phase, I was then running into an issue with the authorization phase not working.  Neither a ‘Require ldap-group’ nor a ‘Require ldap-filter’ directive would work.  However, a ‘Require valid-user’ directive did work.

First I turned up the LogLevel in Apache to debug so I could watch for LDAP errors.  With debug turned on I was seeing the following in the Apache error log:

[error] [client 10.10.67.6] access to / failed, reason: require directives present and no Authoritative handler.

Next, I went back to Wireshark to watch the LDAP traffic on the domain controller.  In Wireshark I wouldn’t see any sort of comparison query in the LDAP traffic when using either of the ‘Require ldap-*’ directives set in Apache.  Yet, if I used the ‘Require valid-user’ directive, I would see a comparison query for the DN of the user being authenticated.

Ultimately, this post to the Apache mailing lists led me to the solution after fighting with this problem for several hours.  Also, this Stack Overflow post helps clarify the root of the issue.

The key point here is the difference between the authn and authz elements of Apache modules.  The documentation for the mod_authn_alias module says, “This directive has no effect on authorization, even for modules that provide both authentication and authorization.”  Essentially, Apache didn’t have any information for making an authorization comparison via LDAP when using either of the ‘Require ldap-*’ directives with the AuthnProviderAlias blocks added to the configuration and only those aliases specified in the AuthBasicProvider directive for the directory block.

The Solution

The problem was solved by adding AuthLDAPURL, AuthLDAPBindDN, and AuthLDAPBindPassword directives to the directory block to specify how the ldap module should make an ldap comparison for the authorization phase (authz).

Example:

<DirectoryMatch (/usr/lib/nagios/cgi-bin/|/usr/share/nagios/html)>
AuthName "Enter Company Domain User Name: (first.last)"
AuthType Basic
# AuthnProviderAlias blocks for different OUs
AuthBasicProvider ldap-Company ldap-OtherCompany ldap-ServiceAccounts
# Values needed for authz component of mod_authnz_ldap module
# Otherwise, authorization phase will fail if these are missing
AuthLDAPURL "ldaps://dc01.corp.example.com/OU=ServiceAccounts,DC=corp,DC=example,DC=com?sAMAccountName?sub"
AuthLDAPBindDN "srvcldap01@corp.example.com"
AuthLDAPBindPassword "somePassword"
Require ldap-group CN=Nagios_Web_Access,OU=ServiceAccounts,DC=corp,DC=example,DC=com
# Require valid-user
</DirectoryMatch>
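The two pitfalls this post walks through (an AuthnProviderAlias block inside a VirtualHost, and a Require ldap-* directive in a scope that has no AuthLDAPURL for the authz comparison) can be caught before restarting httpd. The lint script below is an added example, not code from the original post or from the Apache project; it assumes the flat one-directive-per-line layout shown above, and the BROKEN sample is constructed from the post's own blocks as they stood before the fix.

```python
import re
# Lint an Apache config for the mod_authnz_ldap pitfalls described in this post.
# Added example; not code from the original post or from the Apache project.
OPEN_RE, CLOSE_RE = re.compile(r"^<(\w+)\s*(.*?)>$"), re.compile(r"^</\w+>$")
LDAP_REQUIRES = {"ldap-user", "ldap-group", "ldap-dn", "ldap-attribute", "ldap-filter"}

def parse(text):
    # Yields (enclosing block tags, directive name lowercased, args) for every directive.
    stack, directives = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPEN_RE.match(line)
        if m:
            stack.append(f"{m.group(1)} {m.group(2)}".strip())
        elif CLOSE_RE.match(line):
            stack.pop()
        else:
            name, _, args = line.partition(" ")
            directives.append((tuple(stack), name.lower(), args.strip()))
    return directives

def lint(text):
    # Returns sorted distinct findings; an empty list means no known pitfall was found.
    findings, scopes = set(), {}
    for path, name, args in parse(text):
        scopes.setdefault(path, []).append((name, args))
        for i, tag in enumerate(path):
            if tag.startswith("AuthnProviderAlias ") and any(t.startswith("VirtualHost") for t in path[:i]):
                findings.add(f"{tag.split()[-1]}: AuthnProviderAlias inside VirtualHost is rejected by Apache")
    for path, items in scopes.items():
        present = {n for n, _ in items}
        for name, args in items:
            if name == "require" and args.split()[0] in LDAP_REQUIRES and "authldapurl" not in present:
                # authz half of mod_authnz_ldap needs its own AuthLDAPURL in this scope; an alias in
                # AuthBasicProvider covers authentication only (the "no Authoritative handler" error)
                findings.add(f"Require {args.split()[0]}: no AuthLDAPURL in this scope")
            elif name == "authldapurl" and args.strip('"').startswith("ldap://"):
                findings.add("AuthLDAPURL: plaintext ldap://, bind password crosses the wire unencrypted")
    return sorted(findings)

# Constructed sample modelled on the post's DirectoryMatch block before the fix was applied.
BROKEN = """<AuthnProviderAlias ldap ldap-Company>
AuthLDAPURL "ldaps://dc01.corp.example.com/OU=Company,DC=corp,DC=example,DC=com?sAMAccountName?sub"
</AuthnProviderAlias>
<DirectoryMatch (/usr/share/nagios/html)>
AuthBasicProvider ldap-Company
Require ldap-group CN=Nagios_Web_Access,OU=ServiceAccounts,DC=corp,DC=example,DC=com
</DirectoryMatch>"""
```

Run lint() over the concatenated contents of /etc/httpd/conf.d/*.conf; it does not follow Include directives or line continuations. The ldap:// check is there because a temporary switch from ldaps:// for packet capture, as done above, must not be left in place.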


Going Off the Rails on Your Eating Plan

While talking about summer eating strategies during the Weight Watchers meeting I attended last night, one person mentioned that sometimes it’s ok to basically go off the rails on occasion and eat whatever you want in whatever amount. Our leader sort of glossed over the comment and moved on with what was a constructive meeting suggesting that she’d come back to that comment with the member later after the meeting.

I’ve been thinking about that idea myself lately, because frankly I have gone off the rails on my eating plan a few times in the last couple months, and here’s my take on it.

First, I’ve earned a lot of success with the Weight Watchers program. I’m currently down about 98lbs from my first weigh-in a little more than two years ago. However, over the last couple of months, I’ve backslid about 10lbs from my maximum weight loss. The simple reason for this is that I stopped tracking what I’ve been eating and have been less diligent about portion control. The chaos of life has been a bit acute lately, and I’ve reached a weight loss plateau that will take further change to get through.

I’ve let some frustration get me off track from making healthy eating choices and reaching my goals. Probably one or two times a week for the last couple months situations have come up where I made really poor food choices in excessive quantities. I’ve gone off the rails too many times lately and need to get back on track.

So what’s my take on the comment that it’s ok to eat whatever you feel like on occasion? I would say, “yes, but…be ready for the consequences”. Here’s what my experience has taught me the consequences are:

  1. About half of the time it can reset a week or two’s worth of progress. Early on, I averaged about 1.5lbs lost per week. If I had a weekend gathering with too much food and too much booze, I’d usually be up on the scale that week about 2 or 3 pounds. That can be frustrating, and when it happens every two or three weeks, you make no progress over time. All the effort and good choices you made during the preceding weeks get unwound, and that’s super frustrating.
  2. It distorts your palate and what you train your body to expect in portions and content. Eating healthy choices over time trains my palate about what I think tastes good, and tracking helps train my appetite for healthy portion control. Eating an Awful Awful burger, a basket of french fries, and cheese poppers with a tall glass of dark beer erodes the training I give myself to enjoy the taste of fresh vegetables and lean meats in sensible portions.

So… on occasion when I’ve eaten whatever I wanted, in whatever amount, my experience has been that the weight loss journey will be one of two steps forward and one or two steps back.  Also, it makes it more difficult to make good choices for the few days following the day of indulgence. Both of these consequences lead to frustration due to a lack of progress and dissatisfaction with eating options. For me, I can easily get past the frustration when it’s once or twice a year. Lately, when it’s been once or twice a month it’s brought me to the point to say enough is enough, and it’s time to get back with the program.

Customizing the AD FS 3.0 Sign-in Page Logo

One of my recent projects was to customize the appearance of the Active Directory Federation Services (AD FS) 3.0 sign-in page to give it a look specific to the company associated with the user who’s logging in.  This article describes how I was able to dynamically customize the AD FS 3.0 sign-in page logo to provide a company specific logo and help text on our AD FS sign-in page based on the domain part of the UPN when logging into AD FS to access Office 365 resources using a federated domain. Continue reading “Customizing the AD FS 3.0 Sign-in Page Logo”