I’ve implemented Guacamole for remote access; for the time being it uses the built-in OTP module. In the future I might migrate to LemonLDAP or Keycloak for 2FA, but for now the solution is good enough and works with zero configuration after module installation 🙂
My particular setup is pulling users from FreeIPA through LDAP, but also uses MySQL as a supplement to handle the connections definitions and things like the OTP plugin information.
From time to time, a user needs to re-enroll a device because the original device was stolen or reset. I did a quick search, but couldn’t find a clean/easy option to reset it from the GUI in version 1.3.0.
As a quick fix (I don’t want to have to rethink this each time a user has this requirement), I created a simple script to do the job for me.
All you need to do is set up your MySQL DB connection in ~/.my.cnf and get the script from here:
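For reference, here is an added example of how such a reset can be done (this is not the author’s script): it deletes the two attributes the TOTP extension keeps per user in the JDBC database, so the user is re-enrolled at next login. It assumes the stock 1.3.0 MySQL schema, the stock attribute names guac-totp-key-secret / guac-totp-key-confirmed, a database called guacamole_db, and credentials in ~/.my.cnf.

```bash
#!/usr/bin/env bash
# Added example, not the author's script: reset one user's TOTP enrollment by
# deleting the attributes the guacamole-auth-totp extension stores in the JDBC
# auth database. Assumes MySQL credentials in ~/.my.cnf, the stock 1.3.0 MySQL
# schema (guacamole_entity / guacamole_user / guacamole_user_attribute) and the
# stock attribute names guac-totp-key-secret / guac-totp-key-confirmed.
set -eu

DB_NAME="${GUAC_DB:-guacamole_db}"   # assumed database name; override via GUAC_DB

# Accept only characters expected in a FreeIPA uid so the name can be embedded
# in the SQL literal below without becoming an injection vector.
valid_username() {
    case "$1" in
        ''|*[!A-Za-z0-9._@-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the SQL that removes the TOTP secret and its "confirmed" flag for a user.
# With both attributes gone the user is sent through enrollment at next login.
reset_totp_sql() {
    local user="$1"
    valid_username "$user" || { echo "refusing unsafe username: $user" >&2; return 1; }
    cat <<EOF
DELETE ua FROM guacamole_user_attribute ua
  JOIN guacamole_user   u ON u.user_id   = ua.user_id
  JOIN guacamole_entity e ON e.entity_id = u.entity_id
 WHERE e.type = 'USER'
   AND e.name = '${user}'
   AND ua.attribute_name IN ('guac-totp-key-secret', 'guac-totp-key-confirmed');
EOF
}

# Apply it with the mysql client; -vv echoes "rows affected" so a typo in the
# username (0 rows) is visible instead of silently succeeding.
reset_totp() {
    reset_totp_sql "$1" | mysql --defaults-file="$HOME/.my.cnf" -vv "$DB_NAME"
}

if [ $# -eq 1 ]; then
    reset_totp "$1"
fi
```

Run it as `./reset-totp.sh <username>`; with no argument it only defines the functions.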
Looking to provide multiple users sane access to Apstra 4.0.0, I found it supports LDAP-based directories in the form of “Providers” in the “External Systems” section.
I happily adapted the default configuration to match the FreeIPA schema (tested with FreeIPA 4.6.8). I could authenticate users successfully, but authorization failed, no matter which parameter I changed to modify the group lookup.
The correct way to fix this would be to accept a parameter for the user attribute we should use for group membership lookup (DN instead of UID in this case).
As a workaround, I found the “compat” view from FreeIPA can be used to provide another view that is more in line with what OpenLDAP would present, for example.
The drawbacks for me are that the compat view:
- is generated on the fly and is not indexed: it probably won’t scale if you’re dealing with thousands of users.
- requires the group to be of class “posixGroup”: because the Apstra groups are meant to be application-only groups, this clutters the view of Unix/Linux sysadmins with irrelevant groups.
While waiting for a proper fix from Juniper (now owners of Apstra), and given this is a limited environment (in terms of scalability), the workaround seems good enough.
As only the group lookup fails, we’ll use the compat view only for the groups.
Tested “Provider-specific Parameters” – Working workaround

| Parameter | Value | Apstra default? |
|---|---|---|
| Username Attribute Name | uid | Yes |
| User Search Attribute Name | uid | Yes |
| User First Name Attribute Name | givenName | Yes |
| User Last Name Attribute Name | sn | Yes |
| User Email Attribute Name | mail | Yes |
| User Object Class Attribute Name | inetOrgPerson | Yes |
| User Member Attribute Name | memberOf | Yes |
| Group Name Attribute Name | cn | Yes |
| Group DN Attribute Name | entryDN | Yes |
| Group Search Attribute Name | cn | Yes |
| Group Member Attribute Name | entryDN | Yes |
| Group Member Mapping Attribute Name | memberUid | Yes |
| Group Object Class Attribute Name | posixGroup | Yes |
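To check, before touching Apstra, that the compat tree really exposes a user’s groups the way the parameters above require (posixGroup entries listing members by memberUid), here is an added ldapsearch helper. It is not part of the post; the base DN, server and bind DN are placeholders for your realm.

```bash
#!/usr/bin/env bash
# Added example, not from the post: verify with ldapsearch that FreeIPA publishes a
# user's groups the way Apstra's lookup needs them, i.e. as posixGroup entries that
# list members by memberUid (the compat tree), unlike the standard cn=groups tree,
# where membership is a "member" attribute holding the user's DN.
# Assumptions: BASE_DN, LDAP_URI and BIND_DN below are placeholders for your realm.
set -eu

BASE_DN="${BASE_DN:-dc=example,dc=com}"           # assumed realm base
LDAP_URI="${LDAP_URI:-ldaps://ipa.example.com}"   # assumed IPA server
BIND_DN="${BIND_DN:-uid=svc-apstra,cn=users,cn=accounts,$BASE_DN}"  # assumed service account

# RFC 4515 escaping so a uid cannot alter the filter structure.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# The filter implied by the parameters above: Group Object Class Attribute Name =
# posixGroup and Group Member Mapping Attribute Name = memberUid, keyed on the uid.
apstra_group_filter() {
    printf '(&(objectClass=posixGroup)(memberUid=%s))' "$(ldap_filter_escape "$1")"
}

groups_base() { printf 'cn=groups,cn=accounts,%s' "$BASE_DN"; }   # standard tree
compat_base() { printf 'cn=groups,cn=compat,%s'   "$BASE_DN"; }   # compat view

lookup() {   # lookup <base> <uid>: prints cn and memberUid of matching groups
    ldapsearch -LLL -H "$LDAP_URI" -D "$BIND_DN" -W -b "$1" \
        "$(apstra_group_filter "$2")" cn memberUid
}

if [ $# -eq 1 ]; then
    echo "== standard tree, expect no match (members are DNs) =="
    lookup "$(groups_base)" "$1" || true
    echo "== compat tree, expect the user's gapstra-* groups =="
    lookup "$(compat_base)" "$1"
fi
```

If the second search returns nothing, the group is not a POSIX group in FreeIPA and will not appear in the compat view at all.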
Tested “Advanced configuration” – Working workaround
Don’t forget to set up the “Provider Role Mapping” section to get authorization working.

| AOS Role | Provider Group |
|---|---|
| administrator | gapstra-administrator |
| device_ztp | gapstra-device_ztp |
| user | gapstra-user |
| viewer | gapstra-viewer |
Role Mapping setup
Side note
Even though I can get proper authentication & authorization, the “role” user attribute in the profile just shows a gray box for the LDAP-backed user. It might be a presentation bug; otherwise the authorization works as expected.
Profile for LDAP-backed user / Profile for internal admin user
Recently I had to automate the backup of an application not supported by NetBackup, specifically MS SQL Server Analysis Services. The idea is basically to perform a cold backup without leaving the application out of service for long.
For illustration, the production host has a Meta from a VMAX presented to it, and the snapshot of this Meta must be mounted on a secondary host to copy the data to tape. The script runs on the secondary host, where we need PsExec, and Solutions Enabler must be installed on both hosts. It is also assumed that the snapshot pool and the required group are already prepared.
Well, I’ve been a SuSE user for quite some time, since the 7.3 days, and some months ago (around January) I was accepted as a SuSE Linux Enterprise 11 (SLES11) beta tester. I was happy to test the bleeding-edge enterprise distribution and happy to help release it.
On the mailing list they stated that some netbooks would be given away to some testers as a reward (I’m not sure how many units were available and can’t remember what the rules were…). I didn’t pay much attention, as I NEVER win those kinds of things, EVER.
Now, 5 months after SLES11 was released, I got an email from the people at SUSE stating I won one of them!!!! I can’t wait to receive the package; it’s like Christmas!!!!! (with a gift I will actually like).
While dealing with Novell Linux support I found out about their supportconfig script; it’s really useful when troubleshooting systems remotely (or on-site :D).
It’s basically a bash script that collects data about a Linux system (it was made for SLES, but should work with any Linux). The result is a nice tarball that you can take with you to analyze the system offsite.
The software: http://www.novell.com/communities/node/2332/supportconfig-linux
Basic health check guide: http://www.novell.com/communities/node/4097/basic-server-health-check-supportconfig