The Menace of a 4.5″ Screen

There are only a handful of things in this world I’m certain have a lasting impact on ourselves and our world.

Our Relationships with Our Families

Probably my greatest regret in life is the lack of patience, and sometimes borderline tyrannical way I interacted with my children when they were very little.  My recollection is that this was maybe between their ages of four and nine.  I did not handle well the stress and pressures of starting a career, struggling with money, trying to be a decent spouse and the challenges of little children.

I never physically harmed them, but there were times when I raised my voice at them with a tyrannical wrath that leaves me ashamed.  For a time, those diminutive persons would cower and withdraw at any hint of agitation.  Thankfully, I had enough self awareness to see this happening and make conscientious choices to act differently.  I would also wager that there was some prodding to that realization from my wife and mother as well.  I simply expected far too much from such small people at the time.

There are days when I see similar behaviors from other fathers, in similar circumstances, with that familiar tinge of wrath in their voice, and it lays bare my shame and regret for having done likewise.

This experience is forefront on my mind as I struggle with an ongoing challenge in our household.  My hope in writing this is to help find clarity of thought and purpose as I proceed.

Where the Mind Goes, the Rest Will Follow

There’s a reason driving instructors tell their students to focus on the outside line striping of a two-lane highway rather than the lights of an oncoming car.  It’s the same reason experienced cyclists and race car drivers keep their vision focused down the road rather than on obstacles inches from their wheels.  Your body naturally follows in the direction your mind focuses on.  Though the venue is one of satire and comedy, I find David Wong’s Cracked articles right on the money regarding this topic (example 1, example 2).  Essentially the thesis is, if a substantial portion of my daily pursuit is spent at video games, I likely will be good at video games.  Likewise with any other endeavor.  The old adage of ‘as you reap, so shall ye sow’ always applies.

Thus, the Menace of the 4.5″ Screen

I do not think many parents would disagree with me that the influence and pervasiveness of smart phones and social media apps present a relatively new, or at least a vastly evolved, set of challenges in the last 10 years.

Frankly, as a parent I find the influence of these two elements overwhelmingly negative.  It’s as though I’m fighting a rising tide of influences that generally serve no constructive or positive purpose.  Lately, it seems to be at such high saturation levels as to completely drown any recreational or entertainment merit, and consequently it morphs into a defining and consuming influence.

On one hand, for better or worse, these devices have become the tools and medium for communications and socialization.  I’m not interested in raising Amish children.  I don’t want them to be too weird in their social circles, but settling on an appropriate age has been a challenge.

For certain, steps like defining hard lights out / lock down times with the devices have helped.  The assistance of parental control software makes this much more convenient, if not just making it possible.  Putting the same restrictions on having smart phones in bedrooms as with computers is essential in my view.  Children should not be camping out, out of sight, in a bedroom while consuming the various flavors of Internet and social media content.

Beyond this, the question is really an issue of what, when and how much.

Thoughts?

Apache, LDAP Authentication, and Active Directory

Recently I’ve been working on moving a common web application hosted in a LAMP stack from an Ubuntu box I’d like to retire to a CentOS box.  The outgoing server has Apache 2.2 configured for LDAP authentication with an LDAP filter to limit access to a particular group in Active Directory.  That configuration amounted to only a few lines in an Apache configuration file.  Moving it over to the new server should have been simple, but I ran into a few snags along the way.  These details may be an interesting point of clarification on an element of the documentation.

First, while trying to configure the same authentication and authorization pieces on the new server, I was running into issues with the LDAP authorization phase not working when using the DN for the root of the domain.  Next, I was having challenges with the authorization phase for anything more than “Require valid-user” once the authentication phase issue was resolved.

The Search Base

For starters, our AD users who need access to the application are in different OUs that don’t share a common parent object other than the root of the domain.  For reasons that I don’t understand yet, when I use the DN for the root of the domain in the AuthLDAPURL I would have problems in the authentication phase.  I could see this by changing my LDAP URL to ldap:// instead of ldaps:// so I could watch the traffic with Wireshark on the domain controller.

After the initial ldap bind with the credentials used in AuthLDAPBindDN and AuthLDAPBindPassword there’s a ‘searchResEntry’ for the DN of the user logging in. Next are three successful bind requests followed by ‘wholeSubtree’ search requests for ‘CN=Configuration’, ‘DC=DomainDnsZones’, ‘DC=ForestDnsZones’ DNs.  Three operationErrors with a comment of, ‘In order to perform this operation a successful bind must be completed on the connection’ follow the search requests.  Finally, I get a 500 error from Apache on the browser.

Again, I’m not sure why this is a problem on the CentOS 6 box this application is being migrated to, and it wasn’t a problem on the Ubuntu box the application is being moved away from.  I have seen similar behavior to this before when using LDAP for authentication on Dovecot.  A simple workaround is to change the AuthLDAPURL to use the DN of the OU containing the users needing access instead of the DN for the root of the domain, which leads me to the learning experience I’d like to share.

Using AuthnProviderAlias

The Apache mod_authn_alias module was the workaround I chose to address using different AuthLDAPURL values for users in different OUs.  This module allows Apache to check multiple sources to authenticate users against.  First, I verified Apache is configured to load the authn_alias_module.  Next, I added a few AuthnProviderAlias blocks to an auth_ldap.conf file I added to the /etc/httpd/conf.d directory.  Each block contained a different AuthLDAPURL for the DN of each OU that contains the users I need to accommodate.

Additionally, this directive will not work inside a VirtualHost definition. There is an indicator for this in the comment section of the module documentation, and Apache will complain about it if you put an AuthnProviderAlias block in a VirtualHost definition.

Example:

<AuthnProviderAlias ldap ldap-Company>
AuthLDAPURL "ldaps://dc01.corp.example.com/OU=Company,DC=corp,DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"
AuthLDAPBindDN "srvcldap@corp.example.com"
AuthLDAPBindPassword "somePassword"
</AuthnProviderAlias>

authn vs. authz

With the issue of using multiple LDAP search bases in my directory taken care of for the authentication phase, I was then running into an issue with the authorization phase not working.  Neither a ‘require ldap-group’ nor a ‘require ldap-filter’ directive would work.  However, a ‘require valid-user’ directive did work.

First I turned up the LogLevel in Apache to debug so I could watch for ldap errors.  With debug turned on I was seeing the following in the Apache error log:

[error] [client 10.10.67.6] access to / failed, reason: require directives present and no Authoritative handler.

Next, I went back to Wireshark to watch the ldap traffic on the domain controller.  In Wireshark I wouldn’t see any sort of comparison query in the ldap traffic when using either of the ‘require ldap-*’ directives set in Apache.  Yet, if I used the ‘require valid-user’ directive, I would see a comparison query for the DN of the user being authenticated.

Ultimately, this post to the Apache mail lists led me to the solution after fighting with this problem for several hours. Also, this Stack Overflow post helps clarify the root of the issue.

The key point here is in the difference between the authn and authz elements of Apache modules.  The documentation for the mod_authn_alias module says, “This directive has no affect on authorization, even for modules that provide both authentication and authorization.”  Essentially, Apache didn’t have any information for making an authorization comparison via ldap when using either of the ‘require ldap-*’ directives with the AuthnProviderAlias blocks added to the configuration and only specifying those aliases in the AuthBasicProvider directive for the directory block.

The Solution

The problem was solved by adding AuthLDAPURL, AuthLDAPBindDN, and AuthLDAPBindPassword directives to the directory block to specify how the ldap module should make an ldap comparison for the authorization phase (authz).

Example:

<DirectoryMatch (/usr/lib/nagios/cgi-bin/|/usr/share/nagios/html)>
AuthName "Enter Company Domain User Name: (first.last)"
AuthType Basic
# AuthnProviderAlias for different OUs
AuthBasicProvider ldap-Company ldap-OtherCompany ldap-ServiceAccounts
# Values needed for authz component of mod_authnz_ldap module
# Otherwise, authorization phase will fail if these are missing
AuthLDAPURL "ldaps://dc01.corp.example.com/OU=ServiceAccounts,DC=corp,DC=example,DC=com?sAMAccountName?sub"
AuthLDAPBindDN "srvcldap01@corp.example.com"
AuthLDAPBindPassword "somePassword"
Require ldap-group CN=Nagios_Web_Access,OU=ServiceAccounts,DC=corp,DC=example,DC=com
# Require valid-user
</DirectoryMatch>
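To show the two halves of the fix side by side (the AuthnProviderAlias blocks for the authentication phase, and the separate LDAP connection details the authorization phase needs), here is an added, complete httpd configuration. It is an illustration written for this page, not the post’s own file: the host name, OUs, service account, group name and certificate path are placeholders modelled on the post’s examples, and it goes a little beyond the post by adding an AD filter that excludes disabled accounts (the 1.2.840.113556.1.4.803 bitwise-AND matching rule on userAccountControl, an assumption about what you want to filter), by pinning the ldaps:// server certificate, and by setting the AD group attribute explicitly. Directives are Apache 2.2 ones, matching the CentOS 6 target.

```apache
# /etc/httpd/conf.d/auth_ldap.conf  (Apache 2.2 on CentOS 6)
# Added illustration for this page, not the post's own configuration.
# Host name, OUs, account, group and certificate path are placeholders.

# --- mod_ldap (global) --------------------------------------------------
# Keep ldaps:// in production and verify the DC's certificate. Dropping to
# ldap:// was only a temporary step to watch the exchange in Wireshark; left
# in place it would send the AuthLDAPBindPassword in the clear on every bind.
LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/corp-root-ca.pem
LDAPVerifyServerCert On

# --- authn phase --------------------------------------------------------
# One AuthnProviderAlias per OU that holds users who need access. These
# blocks must sit at server scope (this conf.d file), never in a VirtualHost.
# Each search base is an OU rather than the domain root, which avoided the
# referral-chasing failure described above. The filter keeps matches to user
# objects whose ACCOUNTDISABLE bit (0x2) in userAccountControl is not set.
<AuthnProviderAlias ldap ldap-Company>
    AuthLDAPURL "ldaps://dc01.corp.example.com/OU=Company,DC=corp,DC=example,DC=com?sAMAccountName?sub?(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
    AuthLDAPBindDN "srvcldap@corp.example.com"
    AuthLDAPBindPassword "somePassword"
</AuthnProviderAlias>

<AuthnProviderAlias ldap ldap-ServiceAccounts>
    AuthLDAPURL "ldaps://dc01.corp.example.com/OU=ServiceAccounts,DC=corp,DC=example,DC=com?sAMAccountName?sub?(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
    AuthLDAPBindDN "srvcldap@corp.example.com"
    AuthLDAPBindPassword "somePassword"
</AuthnProviderAlias>

# --- authz phase --------------------------------------------------------
<Directory /var/www/html/app>
    AuthType Basic
    AuthName "Enter Company Domain User Name: (first.last)"

    # Authentication: the aliases above are tried in order.
    AuthBasicProvider ldap-Company ldap-ServiceAccounts

    # Authorization: AuthnProviderAlias has no effect on authz, so
    # mod_authnz_ldap needs its own connection details in this scope or
    # "Require ldap-group" fails with "no Authoritative handler".
    AuthLDAPURL "ldaps://dc01.corp.example.com/OU=ServiceAccounts,DC=corp,DC=example,DC=com?sAMAccountName?sub"
    AuthLDAPBindDN "srvcldap@corp.example.com"
    AuthLDAPBindPassword "somePassword"

    # AD stores group membership as DNs in the multi-valued "member" attribute;
    # the group compare is done against the authenticated user's DN.
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN On

    # Fail closed: if the LDAP compare cannot authorize the user, deny rather
    # than falling through to another authz module.
    AuthzLDAPAuthoritative On

    Require ldap-group CN=App_Web_Access,OU=Groups,DC=corp,DC=example,DC=com
</Directory>
```

After a reload, a user in an OU covered by an alias who is not in the group should get a 401 rather than the earlier 500, and a user in the group should see a compare request for the group DN in the domain controller’s traffic, just as the post observed for ‘require valid-user’. The service account only needs read access to the OUs it searches and to the group’s member attribute; keep it out of any privileged groups, since its password sits in this file.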


Customizing the AD FS 3.0 Sign-in Page Logo

One of my recent projects was to customize the appearance of the Active Directory Federation Services (AD FS) 3.0 sign-in page to give it a look specific to the company associated with the user who’s logging in.  This article describes how I was able to dynamically customize the AD FS 3.0 sign-in page logo to provide a company specific logo and help text on our AD FS sign-in page based on the domain part of the UPN when logging into AD FS to access Office 365 resources using a federated domain.

Science Fair

I have come to the conclusion that science projects aren’t for the student still in school. They are in fact the public education system’s way of forcing a continuing education program on the adults who choose to have children. It’s essentially the man’s way of trying to bolster STEM competency in adults responsible for the raising of our youth.