MacOS LDAP Authentication

I configured an iMac to use my OpenLDAP server. There were several problems.

I will not talk about configuring ‘Directory Utility’. (If you know how to configure an LDAP server and the basic method of configuring an LDAP client, you will not have much difficulty configuring the LDAP client using ‘Directory Utility’.)

  1. First, when I tried to switch user with sudo su, like ‘sudo su – dgkim’, there was a problem accessing dgkim’s home directory: no such directory.
    1. The /home directory is reserved by Mac OS, so you need to change the home directory to ‘/Users’.
      1. Change the mapping for ‘Users/NFSHomeDirectory’ using ‘Directory Utility’: change Users/NFSHomeDirectory from ‘homeDirectory’ to ‘#/Users/$uid$’.
      2. See page [1].
      3. There were several other approaches: use an auto_mount NFS volume as the home directory (in this case I would need an NFS server, which I don’t have), or disable auto_mount and symlink /Users to /home (but that wasn’t the answer I was looking for).
    2. The /Users/dgkim directory will not be created automatically.
      1. Use a LoginHook to create the user’s home directory. The login hook can be registered with ‘defaults write com.apple.loginwindow LoginHook /path/to/hookscript.sh’.
      2. I followed the instructions on page [1]. YOU SHOULD KNOW WHAT THE SCRIPT IS DOING.
      3. This only works with the login screen, which means that if you try to access the machine via ssh for the first time, it will not work.
  2. Second, when I tried to su from a local user, like ‘su – dgkim’, the password authentication failed.
    1. Mac OS tries to authenticate the user with a mechanism that can’t be used at the server. It may not be a problem of Mac OS; it may be caused by OpenLDAP. I don’t exactly know the clean answer. [2]
    2. This problem was unsolved for a long time for me. When I change olcSaslSecProps, the EXTERNAL method is blocked (which isn’t acceptable).
    3. I tried the first method of [2]: I configured ‘olcSaslSecProps’, and then local commands like ‘ldapsearch -Y EXTERNAL’ stopped working. It means the root user can’t change or control the server configuration (by ldapmodify). It took several hours; I researched “How can I disable only ‘*-MD5’ and use only ‘LOGIN or PLAIN’”.
    4. But the answer was below, on page [2]: there is an instruction to change the access control list.
    5. Page [2] shows a static config (like ‘slapd.conf’), but I use the dynamic(?) configuration ‘/etc/ldap/slapd.d/cn=config’. Modifying it using an ldif file can’t be difficult.
    6. Page [3] is a similar answer.
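As an added example for item 1.2 (this is not the script from page [1] and not part of the original post), here is a minimal LoginHook-style script that creates /Users/<user> for an LDAP user who has no home directory yet. It assumes, as described above, that loginwindow runs the hook as root and passes the short user name as the first argument; the base directory /Users, the mode 700 and the helper names ensure_home and home_exists are my own choices.

```bash
#!/bin/bash
# Added example: LoginHook-style home directory creation for LDAP users.
# Assumption: loginwindow runs this script as root with the short user name in $1.

# ensure_home BASE USER
#   Creates BASE/USER (mode 700, owned by USER) if it does not exist.
#   Returns 1 for a user name that could escape BASE (empty, ".", "..", or containing "/").
ensure_home() {
    base="$1"
    user="$2"
    case "$user" in
        ""|.|..|*/*) return 1 ;;
    esac
    home="$base/$user"
    if [ -d "$home" ]; then
        return 0            # nothing to do on later logins
    fi
    mkdir -p "$home" || return 1
    chmod 700 "$home"
    # chown only when the account resolves through Directory Services
    # (the same check as 'dscacheutil -q user -a name USER', via id).
    if id "$user" >/dev/null 2>&1; then
        chown "$user" "$home" || return 1
    fi
    return 0
}

# home_exists BASE USER : 0 if the home directory is present
home_exists() {
    [ -d "$1/$2" ]
}

# When invoked by loginwindow the user name arrives as $1; without an argument
# the script only defines the functions above, so it can be sourced for testing.
if [ "$#" -eq 1 ]; then
    ensure_home /Users "$1"
fi
```

Make the file executable and register it with the ‘defaults write com.apple.loginwindow LoginHook …’ command quoted above. As noted in item 1.2.3, the hook only runs from the login screen, so a first login over ssh still finds no home directory.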

[1] : https://docs.foxpass.com/docs/mac-os-x-logins-over-ldap
[2] : https://serverfault.com/questions/916745/unable-to-authenticate-openldap-users-on-macos-clients-user-not-found-no-secre
[3] : https://www.chriscantwell.co.uk/2009/12/mac-osx-authentication-against-openldap/


Mac OS ldap client testing scripts

# Flush the Directory Services cache
dscacheutil -flushcache
# Query the user by name (should return the LDAP user once the client is configured)
dscacheutil -q user -a name dgkim

ldapsearch and ldapwhoami commands

# To check the login methods (SASL mechanisms) the server advertises
# Run on the server, using the EXTERNAL mechanism, to log in as root (uid=0)
ldapsearch -H ldapi:/// -Y EXTERNAL -s base -b "" -LLL "+" | grep -i sasl

# On the other machine (the client): if you applied the instructions in [2], this prints nothing
ldapsearch -H ldaps://ldap.domain/ -x -W -s base -b "" -D uid=yourusername,ou=Users,dc=domain -LLL "+" | grep -i sasl
# ldapwhoami
# Run on the server, using the EXTERNAL mechanism
ldapwhoami -H ldapi:/// -Y EXTERNAL
# will display
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn:gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

# On the other machine, I use the simple bind method to log in
ldapwhoami -H ldaps://ldap.domain/ -x -D uid=yourusername,ou=Users,dc=domain -W
# will display
dn:uid=yourusername,ou=Users,dc=domain
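As an added example (not from the original post), here is a small shell check that parses the output of the rootDSE query above and reports which SASL mechanisms the server advertises to the bind you used, so you can confirm from the client that the ACL change from [2] hides them and that only LOGIN/PLAIN/EXTERNAL remain where they are visible. The helper names, the ALLOWED list and the two sample LDIF strings are my own; the samples are constructed and are not output from the author's server.

```bash
#!/bin/bash
# Added example: inspect supportedSASLMechanisms from a rootDSE query.
# Feed it the output of (hypothetical host name, as on the page):
#   ldapsearch -H ldaps://ldap.domain/ -x -W -s base -b "" -LLL "+"

# list_sasl_mechs: read LDIF on stdin, print advertised mechanisms one per line
list_sasl_mechs() {
    awk -F': ' 'tolower($1) == "supportedsaslmechanisms" { print $2 }'
}

# Mechanisms the server is expected to offer to clients (my choice, matching the post).
ALLOWED="EXTERNAL LOGIN PLAIN"

# sasl_report: read LDIF on stdin, print one line per mechanism and return
#   0  no mechanisms advertised (hidden from this bind, as [2] intends)
#   1  only mechanisms from ALLOWED are advertised
#   2  something else is advertised; *-MD5 mechanisms are flagged because they are
#      challenge-response and need a cleartext-recoverable password on the server
sasl_report() {
    mechs=$(list_sasl_mechs)
    if [ -z "$mechs" ]; then
        echo "no SASL mechanisms advertised"
        return 0
    fi
    status=1
    for m in $mechs; do
        case "$m" in
            *-MD5)
                echo "advertised: $m (challenge-response, needs cleartext secret)"
                status=2 ;;
            *)
                case " $ALLOWED " in
                    *" $m "*) echo "advertised: $m" ;;
                    *) echo "advertised: $m (not in allowed list)"; status=2 ;;
                esac ;;
        esac
    done
    return $status
}

# Constructed sample: a default-style OpenLDAP advertisement (not real server data)
SAMPLE_DEFAULT='dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN'

# Constructed sample: rootDSE returned, attribute hidden by the ACL from [2]
SAMPLE_HIDDEN='dn:'

# check_sample TEXT : run sasl_report on an LDIF string and print its status code
check_sample() {
    rc=0
    printf '%s\n' "$1" | sasl_report >/dev/null || rc=$?
    echo "$rc"
}
```

Against a real server, pipe the ldapsearch command directly: ‘ldapsearch … -LLL "+" | sasl_report’. Because an ACL decides what each identity may read, run it both anonymously and bound as the user the Mac binds with; only the second result tells you what the Mac client will see.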

The year 2020

TL;DR: AWS/Infra engineer/Dev/Ops …

Dev – Python3, Django, NodeJS, EDA

Ops – AWS, Docker, Container, deployment.

others – APM, ElasticSearch, AWS Lambda, AWS CloudFormation, AWS CloudWatch, TravisCI

What I bought – Mikrotik hEX, Netgear R7000, Apple Magic Trackpad 2

My Current Devices – MacBook Pro Retina Late 2012, Dell Vostro 260s, Libreboot X200, Raspberry Pi 1 Model B, Raspberry Pi 3 Model B

Dec 2020 – Verdaccio(npm repository), serverless-flask

Sep, Oct, Nov 2020 – NodeJS, Fargate. (nodejs, sequelize)

Sep 2020 – Mikrotik hEX

Aug 2020 – AWS ECS Fargate (nodejs, python, php, vuejs)

Jul 2020 – Dell Vostro 260s (2012 ~ 2017 … 2020 ~ ) reborn (SSD migrated from hulk)

Jul 2020 – hulk.dgkim.net (2012 ~ 2020) died

Jul 2020 – Docker / AWS ECS, ECR

Jun 2020 – AWS CloudWatch/X-Ray, ElasticAPM

May 2020 – AWS CodeDeploy (ec2)

Apr 2020 – Serverless Framework(nodejs)

Apr 2020 – new job. DevOps. NodeJS, Python3

Mar 2020 – Netgear R7000

Oct 2019 ~ Apr 2020 : OpenStack, …

The year 2019

    • January
      • Japanese – Just hiragana, katakana
    • February
      • My first Apple Watch (1st generation) died, 2015.07 ~ 2019.02 (the battery swelled)
    • March
      • Spring Web MVC + Spring Security archetype project. (https://github.com/deokgonkim/spring-archetype)
      • Python server project (2-tier to 3-tier application renovation: an HTTP server that provides a JSON data service, extending the SimpleHTTPServer module; first try of decorators). A Spring-based module will also follow.
    • May
      • Retirement of the Vostro 260s (my main desktop switched to Hulk: i7, 32GB RAM, 128 SSD, 1TB HDD ×2 in RAID1)
      • Beginning Swift
      • Glimpse of Qt 4.8.6 C++, with Visual Studio 2008 C++ project.
      • Purchased another Raspberry Pi 3 Model B
        • Purchased sensor kits for RPi, especially DHT11 temperature, humidity sensor.
    • June
      • Spring Web Project (RPi Sensor chart, and MQ, and IoT control)
    • July, August, September
      • Job seeking.
    • October
      • New job, OpenStack operations. New town.
    • November
      • New Server, LDAP, Django Project(id service)
      • OpenStack Queens Test
      • DBA role: PostgreSQL
    • December
      • New Django Project (Linux monitoring)

Just thoughts

Bulletin boards, blockchain, Usenet.

Nowadays, if you post on the bulletin board of a particular site on the internet, you can ask that site's administrator to deal with the post.

But in the Usenet days, that would have been impossible, wouldn't it?

And if, using the upcoming blockchain technology, the content of internet sites comes to work like Usenet, editing a post will become even harder, won't it?

For file cloud storage, I think I saw that someone had built something using blockchain,

but will the day come when technologies like blockchain, cloud and P2P are used on ordinary internet sites too?

Should I look at NodeJS and MongoDB?

JavaScript is a really attractive language.

nodejs has its limits too…

MongoDB, as a document DB, has many advantages for developers, but….

I wondered whether performance would be a problem; the quote below is the answer.

The RDBMS optimizes data for storage efficiency (as it was conceived at a time when storage was the most expensive component of the system).

MongoDB’s document model is optimized for how the application accesses data (as developer time and speed to market are now more expensive than storage).

I looked into VPS providers briefly.

On OKKY I saw a post that mentioned Linode and Digital Ocean while talking about VPS providers that offer HDD storage.
https://okky.kr/article/386021

For the dgkim.net server, last year I carried out the first phase of a gradual migration to three Amazon instances.

But when I search, people mostly say that AWS is expensive compared to those two VPS providers,
though of course, in terms of the cloud infrastructure itself and scalability, AWS is better…

As someone who likes Linux, I am itching to create one on Linode, but I have decided to hold off a bit longer.

With Linode, using the Singapore and Japan regions, the speed would probably be acceptable…

Having used the cloud for a while (no accidents so far), I have some anxiety about backups, so it is a concern.

Currently, the primary candidates are the homepage (this one) and Gitlab.
(I said homepage, but several attached services would go too, and the era of the home server would come to an end…)