Resetting Guacamole OTP for a user

I’ve implemented Guacamole for remote access; for the time being it uses the builtin OTP module. In the future I might migrate to LemonLDAP or Keycloak for 2FA, but for now the solution is good enough and works with zero configuration after the module installation 🙂

Chapter 9. TOTP two-factor authentication

My particular setup pulls users from FreeIPA through LDAP, but also uses MySQL as a supplement to handle the connection definitions and things like the OTP plugin information.

From time to time, a user needs to re-enroll a device because the original device was stolen or reset. I did a quick search, but couldn’t find a clean/easy option to reset it from the GUI in version 1.3.0.

As a quick fix (don’t want to have to rethink this each time a user has this requirement), I created a simple script to do the job for me.

All you need to do is set up your MySQL DB connection in ~/.my.cnf and get the script from here:

https://github.com/ciroiriarte/sysadmin-scripts/blob/main/guacamole-reset-user-otp.sh

On most Linux machines, you can copy it to ~/bin/:

mkdir -p ~/bin
cd ~/bin
wget https://raw.githubusercontent.com/ciroiriarte/sysadmin-scripts/main/guacamole-reset-user-otp.sh
chmod +x guacamole-reset-user-otp.sh

If you run the script with no options, it will show you the syntax:

me@workstation:> guacamole-reset-user-otp.sh
Usage: /home/me/bin/guacamole-reset-user-otp.sh <username>
      /home/me/bin/guacamole-reset-user-otp.sh ciro.iriarte

And the execution should be as simple as:

guacamole-reset-user-otp.sh the.user
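To show what such a reset amounts to at the database level, here is an added example in Python (my own, not the author's script): it deletes the attributes the TOTP extension stores through the JDBC module using a parameterised query, and exercises it against an in-memory SQLite copy of the three tables. Assumed, not taken from the post: the Guacamole 1.x table names (guacamole_entity, guacamole_user, guacamole_user_attribute) and the TOTP attribute names guac-totp-key-secret and guac-totp-key-confirmed; against MySQL the same statement runs through a PEP 249 connector with `%s` placeholders and credentials from ~/.my.cnf.

```python
import sqlite3

# Attribute names assumed for the TOTP extension (see lead-in).
TOTP_ATTRIBUTES = ("guac-totp-key-secret", "guac-totp-key-confirmed")

# Parameterised statement: the username is bound, never spliced into the SQL text,
# so an odd username cannot turn the reset into something else.
RESET_SQL = """
DELETE FROM guacamole_user_attribute
 WHERE attribute_name IN (?, ?)
   AND user_id = (SELECT u.user_id
                    FROM guacamole_user u
                    JOIN guacamole_entity e ON e.entity_id = u.entity_id
                   WHERE e.type = 'USER' AND e.name = ?)
"""

def reset_user_otp(conn, username):
    """Delete the TOTP secret and confirmation flag; returns rows deleted (2 enrolled, 0 unknown/not enrolled)."""
    cur = conn.cursor()
    cur.execute(RESET_SQL, (*TOTP_ATTRIBUTES, username))
    conn.commit()
    return cur.rowcount

def totp_state(conn, username):
    """List the guac-totp-* attribute names still present for a user (verification step)."""
    rows = conn.execute("""
        SELECT a.attribute_name FROM guacamole_user_attribute a
          JOIN guacamole_user u ON u.user_id = a.user_id
          JOIN guacamole_entity e ON e.entity_id = u.entity_id
         WHERE e.type = 'USER' AND e.name = ? AND a.attribute_name LIKE 'guac-totp-%'
         ORDER BY a.attribute_name""", (username,)).fetchall()
    return [r[0] for r in rows]

def demo_db():
    """Constructed in-memory stand-in for the three Guacamole tables, two enrolled users."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE guacamole_entity (entity_id INTEGER PRIMARY KEY, name TEXT, type TEXT);
        CREATE TABLE guacamole_user (user_id INTEGER PRIMARY KEY, entity_id INTEGER);
        CREATE TABLE guacamole_user_attribute (user_id INTEGER, attribute_name TEXT, attribute_value TEXT);
        INSERT INTO guacamole_entity VALUES (1, 'the.user', 'USER'), (2, 'ciro.iriarte', 'USER');
        INSERT INTO guacamole_user VALUES (10, 1), (11, 2);
        INSERT INTO guacamole_user_attribute VALUES
            (10, 'guac-totp-key-secret', 'CONSTRUCTED-SECRET-1'), (10, 'guac-totp-key-confirmed', 'true'),
            (11, 'guac-totp-key-secret', 'CONSTRUCTED-SECRET-2'), (11, 'guac-totp-key-confirmed', 'true');
    """)
    return conn

if __name__ == "__main__":
    conn = demo_db()
    print("deleted", reset_user_otp(conn, "the.user"), "rows; remaining:", totp_state(conn, "the.user"))
```

After the reset the user is prompted to enroll a new device on the next login; the second user's enrollment is untouched.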

Apstra Web UI & FreeIPA integration

First Attempt (the correct one?)

Looking to provide multiple users sane access to Apstra 4.0.0, I found it supports LDAP based directories in the form of “Providers” in the “External Systems” section.

https://www.juniper.net/documentation/us/en/software/apstra/apstra4.0.0/providers.html#creating-ldap-provider

I happily adapted the default configuration to match the FreeIPA schema (tested with FreeIPA 4.6.8). I could authenticate users successfully, but authorization failed no matter which parameter I changed to modify the group lookup.

Parameter        | Value
Groups Search DN | cn=groups,cn=accounts,dc=ipa,dc=mydomain,dc=com
Users Search DN  | cn=users,cn=accounts,dc=ipa,dc=mydomain,dc=com
Bind DN          | uid=sys.apstra,cn=users,cn=accounts,dc=ipa,dc=mydomain,dc=com
Password         | you.wish
Encryption       | STARTTLS
Tested “Provider-specific Parameters” – Not working

Parameter                           | Value          | Apstra default?
Username Attribute Name             | uid            | Yes
User Search Attribute Name          | uid            | Yes
User First Name Attribute Name      | givenName      | Yes
User Last Name Attribute Name       | sn             | Yes
User Email Attribute Name           | mail           | Yes
User Object Class Attribute Name    | inetOrgPerson* | Yes
User Member Attribute Name          | memberOf       | Yes
Group Name Attribute Name           | cn             | Yes
Group DN Attribute Name             | entryDN        | Yes
Group Search Attribute Name         | cn             | Yes
Group Member Attribute Name         | entryDN        | Yes
Group Member Mapping Attribute Name | member         | No
Group Object Class Attribute Name   | groupofnames*  | No
Tested “Advanced configuration” – Not working

Take into account that “Group Object Class Attribute Name” can take “groupofnames” or “ipausergroup” for this use case.

Looking at the logs, the value used for the user membership lookup seems to be hardcoded to the UID, hence the lookup is:

SRCH base="cn=groups,cn=accounts,dc=ipa,dc=mydomain,dc=com" scope=2 filter="(member=john.doe)" attrs="cn"

When it should be:

SRCH base="cn=groups,cn=accounts,dc=ipa,dc=mydomain,dc=com" scope=2 filter="(member=uid=john.doe,cn=users,cn=accounts,dc=ipa,dc=mydomain,dc=com)" attrs="cn"

The workaround

The correct way to fix this would be to accept a parameter for the user attribute to use in the group membership lookup (the DN instead of the UID in this case).

As a workaround, I found that the “compat” view from FreeIPA can be used to provide another view, more in line with what OpenLDAP would present, for example.

The drawbacks of the compat view for me are that it:

  • is generated on the fly and not indexed: it probably won’t scale if you’re dealing with thousands of users.
  • requires the group to be of class “posixGroup”: because the Apstra groups are expected to be application-only groups, it will clutter the view of Unix/Linux sysadmins with irrelevant groups.

While waiting for a proper fix from Juniper (now owners of Apstra), and given this is a limited environment (in terms of scale), the workaround seems good enough.

As only the group lookup fails, we’ll use the compat view only for the groups.

Parameter        | Value
Groups Search DN | cn=groups,cn=compat,dc=ipa,dc=mydomain,dc=com
Users Search DN  | cn=users,cn=accounts,dc=ipa,dc=mydomain,dc=com
Bind DN          | uid=sys.apstra,cn=users,cn=accounts,dc=ipa,dc=mydomain,dc=com
Password         | you.wish
Encryption       | STARTTLS
Tested “Provider-specific Parameters” – Working workaround

Parameter                           | Value         | Apstra default?
Username Attribute Name             | uid           | Yes
User Search Attribute Name          | uid           | Yes
User First Name Attribute Name      | givenName     | Yes
User Last Name Attribute Name       | sn            | Yes
User Email Attribute Name           | mail          | Yes
User Object Class Attribute Name    | inetOrgPerson | Yes
User Member Attribute Name          | memberOf      | Yes
Group Name Attribute Name           | cn            | Yes
Group DN Attribute Name             | entryDN       | Yes
Group Search Attribute Name         | cn            | Yes
Group Member Attribute Name         | entryDN       | Yes
Group Member Mapping Attribute Name | memberUid     | Yes
Group Object Class Attribute Name   | posixGroup    | Yes
Tested “Advanced configuration” – Working workaround

Don’t forget to set up the “Provider Role Mapping” section to get authorization working.

AOS Role      | Provider Group
administrator | gapstra-administrator
device_ztp    | gapstra-device_ztp
user          | gapstra-user
viewer        | gapstra-viewer
Role Mapping setup

Side note

Even though I get proper authentication & authorization, the “role” user attribute in the profile just shows a gray box for the LDAP-backed user. It might be a presentation bug; otherwise authorization works as expected.

Profile for LDAP-backed user

Profile for internal admin user

Relocating v2

Hello world v2! This is a new attempt to jump-start the blog. Unluckily, some posts from the previous relocation were lost.

I’m taking a break from my management role and going hands-on once more (good for the soul, from time to time :).

I hope to post in the short term about some work I’ve been doing with VMware products & technology in general (SDN+IaaS+Automation).

Stay tuned!

I/O hung forever trying to access VDEV device

Setting up snapshots with Hitachi VSP, we saw that many kpartx processes were waiting for I/O trying to access VDEV devices. That’s because of the queue_if_no_path feature in multipath.

The thing is, that’s a good feature: if you have really small gaps of time without access to the storage (cluster transition, someone messing with fibre cables, etc.) you want the I/O to be queued and resumed once the connection comes back to life.

On the other side, VDEVs appear failed if the snapshots are not active, so most of the time you don’t want to queue the probes from udev (hundreds of processes in less than a day in our case). To solve this you can enable the “fail_if_no_path” behaviour per LUN; here’s an example:

multipath {
        wwid 350760e9016040b000001040a00002001
        alias snapdata02LU
        no_path_retry fail
}

And don’t forget to restart the multipath daemon…

If needed, you can release pending I/O processes (and return I/O error) with the following command:

dmsetup message snapdata02LU 0 "fail_if_no_path"

That’s all…

Quickguide: Installing Sun JRE on SLES11

For Internet archiving purposes: after installing the Sun JRE (rpm -Uvh jre-7u5-linux-x64.rpm), the proper way to use it is to set up the alternatives links:

update-alternatives --install /usr/bin/java java /usr/java/jre1.7.0_05/bin/java 60 \
--slave /usr/bin/jre jre /usr/java/jre1.7.0_05 \
--slave /usr/bin/rmiregistry rmiregistry /usr/java/jre1.7.0_05/bin/rmiregistry \
--slave /usr/bin/tnameserv tnameserv /usr/java/jre1.7.0_05/bin/tnameserv \
--slave /usr/bin/rmid rmid /usr/java/jre1.7.0_05/bin/rmid \
--slave /usr/bin/ControlPanel ControlPanel /usr/java/jre1.7.0_05/bin/ControlPanel \
--slave /usr/bin/policytool policytool /usr/java/jre1.7.0_05/bin/policytool \
--slave /usr/bin/keytool keytool /usr/java/jre1.7.0_05/bin/keytool \
--slave /usr/bin/javaws javaws /usr/java/jre1.7.0_05/bin/javaws

If you have more than one JRE, you can choose the new one with:

update-alternatives --config java

Automating Snapshots on Symmetrix VMAX with PowerShell

Recently I had to automate the backup of an application not supported by NetBackup, specifically MS SQL Server Analysis Services. The idea is basically to take a cold backup without leaving the application out of service for long.

As an illustration, the production host has a Meta from a VMAX presented to it, and the snapshot of this Meta must be mounted on a secondary host to copy the data to tape. The script runs on the secondary host, where we need PSExec, and Solutions Enabler must be installed on both hosts. It is also assumed that the snapshot pool and the required group are already prepared.

Continue reading “Automating Snapshots on Symmetrix VMAX with PowerShell”

Quick Tonido installation on openSUSE

Ok, last week I updated my laptop to openSUSE 11.4; unluckily, that broke my MoneyManagerEx installation, as I needed a package for this new distro and the one from Packman is currently broken because of some repo changes.

Because I have a pile of expenses pending to be added to my accounting, I was urged to find a working MMEx installation, so I went to its homepage to look for the latest version and fix my OBS package, which has been broken for months because of my laziness.

Then, that’s where I saw it: there’s a web version of MMEx! That’s great, as it would allow me to use it from my new Android phone without the need to access my laptop. “Maybe it’ll be fully functional on its browser”, I thought… Reading a little more, I found out that it was part of some cloud platform called Tonido. That sounded like a lot of hassle just for running the application, but when I found out that Tonido has a dedicated Android application, I was sold!

Continue reading “Quick Tonido installation on openSUSE”

InstantClient RPMs

Well, a few years back I came across the Oracle InstantClient SPEC file prepared by Remi Collet. It was great to find it, because the original RPMs made by Oracle don’t help to build other packages depending on them.

I created a set of packages for a project using the original file from Remi. Some days later I enhanced them to make the use of the package by end users really smooth (ORACLE_HOME environment variable, PATHs, etc.). I also added other tweaks, like a script to help build Perl-DBD-Oracle (not made by me), and was really happy with the results. Here’s where everything went downhill: there was a policy of only allowing software with source code on the openSUSE Build Service, and the guys in charge just deleted the package from my repo project, so I lost all the work done.

I had the recreation of the package on my ToDo list, but never had time to do it… A few days ago, facing a new project involving Oracle, I went to Remi’s blog to look for the original SPEC file and luckily, a month or so earlier, he had modified it to support the latest version of the client (to this date, 10.2.0.2).

I made some changes to them (they had been split in two) and I’m sharing the result here. As a final touch I’ll be adding tnsping to the packages, which is only included in the “thick” Oracle installation, and maybe I’ll merge the “precomp*” sub-package into “devel”.

Files:

oracle-instantclient.spec
oracle-instantclient-11.2.0.2.0-37.1.nosrc.rpm

My changes to Remi’s SPEC files:

* Sun Jan 2 2011 Ciro Iriarte 11.2.0.2.0
- Added ORACLE_HOME definition
- Added tnsnames.ora example and required directory structure

* Sat Jan 1 2011 Ciro Iriarte 11.2.0.2.0
- merge i386/x86_64 SPECs again
- fixed RPM Groups
- added Jean-Christophe Duberga's config script to help building Perl-DBD-Oracle
  (this wasn't documented on my first change in 2007, and was lost in OBS)
- skip RPATH and BYTECODE verifications in OBS builds
- renamed oracle-instantclient-basic to oracle-instantclient
- added unzip to BuildRequires
- general cleanup to make openSUSE 11.3 sanity checks happy
o ToDo: Verify rpmlint filters
- add precomp and precomp-devel sub-packages

Ref:

Request allowing OIC in Build Service