Do all the things like ++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatarSign Up
Get a devDuck
Rubber duck debugging has never been so cute! Get your favorite coding language devDuckBuy Now
Search - "ldap"
Navy story continued.
And continuing from the arp poisoning and boredom, I started scanning the network...
So I found plenty of WinXP computers, even some Win2k servers (I shit you not, the year was 201X) I decided to play around with merasploit a bit. I mean, this had to be a secure net, right?
Like hell it was.
Among the select douchebags I arp poisoned was a senior officer that had a VERY high idea for himself, and also believed he was tech-savvy. Now that, is a combination that is the red cloth for assholes like me. But I had to be more careful, as news of the network outage leaked, and rumours of "that guy" went amok, but because the whole sysadmin thing was on the shoulders of one guy, none could track it to me in explicit way. Not that i cared, actually, when I am pissed I act with all the subtleness of an atom bomb on steroids.
So, after some scanning and arp poisoning (changing the source MAC address this time) I said...
"Let's try this common exploit, it supposedly shouldn't work, there have been notifications about it, I've read them." Oh boy, was I in for a treat. 12 meterpreter sessions. FUCKING 12. The academy's online printer had no authentication, so I took the liberty of printing a few pages of ASCII jolly rogers (cute stuff, I know, but I was still in ITSec puberty) and decided to fuck around with the other PCs. One thing I found out is that some professors' PCs had the extreme password of 1234. Serious security, that was. Had I known earlier, I could have skipped a TON of pointless memorising...
Anyway, I was running amok the entire network, the sysad never had a chance on that, and he seemed preoccupied with EVERYTHING ELSE besides monitoring the net, like fixing (replacing) the keyboard for the commander's secretary, so...
BTW, most PCs had antivirus, but SO out of date that I didn't even need to encode the payload or do any other trick. An LDAP server was open, and the hashed admin password was the name of his wife. Go figure.
I looked at a WinXP laptop with a weird name, and fired my trusty ms08_067 on it. Passowrd: "aaw". I seriously thought that Ophcrack was broken, but I confirmed it. WTF? I started looking into the files... nothing too suspicious... wait a min, this guy is supposed to work, why his browser is showing porn?
Looking at the ""Deleted"" files (hah!) I fount a TON of documents with "SECRET" in them. Curious...
Decided to download everything, like the asshole I am, and restart his PC, AND to leave him with another desktop wallpaper and a text message. Thinking that he took the hint, I told the sysadmin about the vulnerable PCs and went to class...
In the middle of the class (I think it was anti-air warfare or anti-submarine warfare) the sysad burst through the door shouting "Stop it, that's the second-in-command's PC!".
Stunned silence. Even the professor (who was an officer). God, that was awkward. So, to make things MORE awkward (like the asshole I am) I burned every document to a DVD and the next day I took the sysad and went to the second-in-command of the academy.
Surprisingly he took the whole thing in quite the easygoing fashion. I half-expected court martial or at least a good yelling, but no. Anyway, after our conversation I cornered the sysad and barraged him with some tons of security holes, needed upgrades and settings etc. I still don't know if he managed to patch everything (I left him a detailed report) because, as I've written before, budget constraints in the military are the stuff of nightmares. Still, after that, oddly, most people wouldn't even talk to me.
God, that was a nice period of my life, not having to pretend to be interested about sports and TV shows. It would be almost like a story from highschool (if our highschool had such things as a network back then - yes, I am old).
More sysadmin focused but y’all get this stuff and I need a rant.
TLDR: Got the wrong internship.
Start working as a sysadmin/dev intern/man-of-many-hats at a small finance company (I’m still in school). Day 1: “Oh new IT guy? Just grab a PC from an empty cubicle and here’s a flash drive with Fedora, go ahead and manually install your operating system. Oh shit also your desktop has 2g of ram, a core2 duo, and we scavenged your hard drive for another dev so just go find one in the server room. And also your monitor is broken so just take one from another cubicle.”
Am shown our server room and see that someone is storing random personal shit in there (golf clubs propped against the server racks with heads mixed into the cabling, etc.). Ask why the golf clubs etc. are mixed in with the cabling and server racks and am given the silent treatment. Learn later that my boss is the owners son, and he is storing his personal stuff in our server room.
Do desktop support for end users. Another manager asks for her employees to receive copies of office 2010 (they’re running 2003 an 2007). Ask boss about licensing plans in place and upgrade schedules, he says he’ll get back to me. I explain to other manager we are working on a licensing scheme and I will keep her informed.
Next day other manager tells me (*the intern*) that she spoke with a rich business friend whose company uses fake/cracked license keys and we should do the same to keep costs down. I nod and smile. IT manager tells me we have no upgrade schedule or licensing agreement. I suggest purchasing an Office 365 subscription. Boss says $150 a year per employee is too expensive (Company pulls good money, has ~25 employees, owner is just cheap) I suggest freeware alternatives. Other manager refuses to use anything other than office 2010 as that is what she is familiar with. Boss refuses to spend any money on license keys. Learn other manager is owners wife and mother of my boss. Stalemate. No upgrades happen.
Company is running an active directory Windows Server 2003 instance that needs upgrading. I suggest 2012R2. Boss says “sure”. I ask how he will purchase the license key and he tells me he won’t.
I suggest running an Ubuntu server with LDAP functionality instead with the understanding that this will add IT employee hours for maintenance. Bosses eyes glaze over at the mention of Linux. The upgrade is put off.
Start cleaning out server room of the personal junk, labeling server racks and cables, and creating a network map. Boss asks what I’m doing. I show him the organized side of the server room and he says “okay but don’t do any more”.
... *sigh* ...20
I might be fucked up, but I have a tendency to gravitate towards the shit that everyone else dislikes for the sake of knowing if their bias against is actually because shit is truly fucked up or if shit is legit plain WRONG.
From all technologies that I have worked with professionally I can count:
Java(currently in the form of old JSP services for an "enterprise level application")
Java for Android development - i was the lead engineer for a mobile project
Swift with IOS dev, same gig as the above.
C++ for Android development in the form of OpenCV with Java as well.
Clojure for an ldap active directory application
Python for glue scripts
Classic ASP with JScript and VBScript
VB Net forms
C# For ASP.NET MVC
Bootstrap for multiple intranet frontends
Node+Express for a logistics warehouse management tool
Ruby on Rails freelancing small gigs
Php in all ways possible from complete standalone php apps to Laravel and just php+composer apps aaaaall the way to wordpress
WHYYY is LDAP so god damn convoluted??!?
I love the idea of it, but in practice, everything is just a hack on top of hack on top of hack going as far back as the 90s.3
When you come to work eager to code, and the whole day goes to trying and failing to fix some network shit -_-2
I am making an LDAP user manager and porting application for my workplace.
The thing is, i made the first version of it in PHP already. Shit works fine and it without an issue.
I had an itch to redesign it using another tech stack that would be speedier, more tested and using a more established platform.
Enter Clojure, a Lisp dialect for the JVM. In a single day I managed to get 80% of the application done. We have about 80k users inside of our ldap system(maybe more) and I tested it with 150 accounts, so far so good.
If this works I will be the first person to deploy a Clojure application, not only for my organization, but for the city as a whole while simultaneously being able to say that I got a Lisp app deployed and working :D
I am loving this. Really wanna have a Lisp app out there and add it to my resume.
The head of my department, an old timer and really ancient dev smiled heavily when I showed him the codebase. Not only is it minimal, it is concise and elegant :D
I love Clojure
My current job at the release & deploy mgmt team:
Basically this is the "theoretically sound flow":
* devs shit code and build stuff => if all tests in pipeline are green, it's eligible for promotion
* devs fill in desired version number build inside an excel sheet, we take this version number and deploy said version into a higher environment
* we deploy all the thingies and we just do ONE spec run for the entire environment
* we validate, and then go home
In the real world however:
* devs build shit and the tests are failed/unstable ===> disable test in the pipeline
* devs write down a version umber but since they disabled the tests they realize it's not working because they forgot thing XYZ, and want us to deploy another version of said application after code-freeze deadline
* deployments fail because said developers don't know jack shit about flyway database migrations, they always fail, we have to point them out where they'd go wrong, we even gave them the tooling to use to check such schema's, but they never use it
* a deploy fails, we send feedback, they request a NEW version, with the same bug still in it, because working with git is waaaaay too progressive
* We enable all the tests again (we basically regenerate all the pipeline jobs) And it turns out some devs have manually modified the pipelines, causing the build/deploy process to fail. We urged Mgmt to seal off the jenkins for devs since we're dealing with this fucking nonsense the whole time, but noooooo , devs are "smart persons that are supposed to have sense of responsibility"...yeah FUCK THAT
* Even after new versions received after deadline, the application still ain't green... What happens is basically doing it all over again the next day...
This is basically what happens when you:=
* have nos tandards and rules inr egards to conventions
* have very poor solution-ed work flow processes that have "grown organically"
* have management that is way too permissive in allowing breaking stuff and pleasing other "team leader" asscracks...
* have a very bad user/rights mgmt on LDAP side (which unfortunately we cannot do anything about it, because that is in the ownership of some dinosaur fossil that strangely enough is alive and walks around in here... If you ask/propose solutions that person goes into sulking mode. He (correctly) fears his only reason for existence (LDAP) will be gone if someone dares to touch it...
This is a government agency mind you!
More and more thinking daily that i really don't want to go to office and make a ton of money.
So the only motivation right now is..the money, which i find abhorrent.
And also more stuff, but now that i am writing this down makes me really really sad. I don't want to feel sad, so i stop being sad and feel awesome instead.1
Steps for making something that works become shitty, gmail and Microsoft edition:
1. Enforce non standards compliant authentication methods because you know client developers will have to bend to your will because you're fucking google
2. Let Microsoft develop a ldap wrapper with web authentication to load when you try to log in with a client.
3. As per usual, the Microsoft azure Authenticator crashes thunderbird immediately. Not even sure how they managed to do that
4. And we have suck.
The most crazy issue I've fixed was caused by a TCP behavior which I didn't know, called the "half-closed connection".
There was a third-party application installed on a production server which called a LDAP server for retrieving users information. During the day we had several users using the application and all worked fine. During the night, when the application was not accessed, something happened and the first call to the application in the morning was stuck for about 5 minutes before returning a response. I tried to reproduce the issue in a testing environment without success. Then I discovered that the application and the LDAP server were located on two different networks, with a firewall between them. And firewalls sometimes drop old connections. For this reason network applications usually implement a keep-alive mechanism. Well, the default LDAP Java libraries don't set the keep-alive on their connections. So, I found a library called "libdontdie", which force the keep-alive on the connections. I installed the library on the server, loaded it at the startup and the weird stuck behavior in the morning disappeared.2
Being forced to migrate an application written to to run on Solaris 9, which uses Sun ONE Webserver, Netscape LDAP Server and Cold fusion and migrate it to RHEL 7.3 ppc64le before the 3rd of January (I was only told about the project this morning), and I'm told I *have* to use the exact same technologies and versions. I'm on leave for Xmas from the 22 until the 5th of Jan. I know exactly where they can put their arbitrary management deadlines.2
Just got handed a dozen servers. Documentation shows a (Linux) database cluster is using ldap authentication. I try logging in with my creds. No joy. I look up the root password and log in.
Not only is it not configured to use ldap, it's also not clustered.
I need more coffee.
Was this week bad for you guys?
Personally I had to deal with a university department. They changed their code and how their enterprise directory works breaking almost everything.
Trying to get my head round LDAP for , what will eventually be, a government project.
Security up the wazoo is difficult1
Databases and LDAP down since 1 1/2 days...so embarrassing...am i really working in an it company???
luckily there are options beside work...hello amazon, spotify, devrant...:D
if we got Server/DB issues it always takes about at least half a day to fix it! *facepalm*1
For our current project, we connect to three different OpenVPNs:
Our dev OpenVPN (to get Jenkins/Artifactory)
The ops team devops OpenVPN (to get to environment)
The vendor's VPN for single signon
All of them have different keys and one connects to LDAP and uses a password we can't change.
I need your help. Im a junior Pentester.
Tomorrow I need to pentest a Macintosh workstation but I have no idea where to start. Users can login via LDAP and I will do a white box pentest.
Any suggestions where to start?13
I had a discussion with my colleagues about my bachelor thesis.
Together we created within the last 18 month a REST-API where we use LDAP/LMDB as database (tree structured storage). Of course our data is relational and of course we have a high redundancy there. It's a 170 call API and I highly doubt that it's actually conforming REST.
Ensuring DB integrity is done in the backend and coding style there is "If we change it at one place, let's make sure to also change it everywhere else", so you get a good impression how much of spaghetti code we have there.
Now I proposed to code a solution in my bachelor thesis where we use a relational database (we even have an administrated Oracle DB with high availability) and have a write-only layer to also store the data in LDAP but my colleagues said that "it would add too much complexity to the system".
Instead I should write the relational layer myself and fetch the data somehow from the existing LDAP tree.
What the actual fuck, spaghetti code is what makes the system really unnecessarily complex so that no one will understand that code in 2 years.
Congratulations, you just created legacy code that went into production in 2018 while not accepting the opportunity to let that legacy code get eliminated.
Now good luck with running and maintaining that system and it's inconsistencies.1
I asked out IT guy to send me base URL for LDAP server, he send me quick reply with base URL of my application. Not sure he was being sarcastic or absolute dumb-arse
Fellow devranters, I need your help for a... NodeJS question... (and I won't bother asking the question on SO, because all the questions/answers I found won't work)
You see, this client we have says they want their app to be login-less; once the app starts, ir automatically knows who is the ldap user that 'logged' in the app.
I've been struggling with it for weeks, trying to use npm modules, retrieving info from process.env, and I'm sure it is completely impossible without at least providing a username.
So here I am, asking anyone out here who can answer me this question: is it possible to login without providing anything?7
Relatively often the OpenLDAP server (slapd) behaves a bit strange.
While it is little bit slow (I didn't do a benchmark but Active Directory seemed to be a bit faster but has other quirks is Windows only) with a small amount of users it's fine. slapd is the reference implementation of the LDAP protocol and I didn't expect it to be much better.
Some years ago slapd migrated to a different configuration style - instead of a configuration file and a required restart after every change made, it now uses an additional database for "live" configuration which also allows the deployment of multiple servers with the same configuration (I guess this is nice for larger setups). Many documentations online do not reflect the new configuration and so using the new configuration style requires some knowledge of LDAP itself.
It is possible to revert to the old file based method but the possibility might be removed by any future version - and restarts may take a little bit longer. So I guess, don't do that?
To access the configuration over the network (only using the command line on the server to edit the configuration is sometimes a bit... annoying) an additional internal user has to be created in the configuration database (while working on the local machine as root you are authenticated over a unix domain socket). I mean, I had to creat an administration user during the installation of the service but apparently this only for the main database...
The password in the configuration can be hashed as usual - but strangely it does only accept hashes of some passwords (a hashed version of "123456" is accepted but not hashes of different password, I mean what the...?) so I have to use a single plaintext password... (secure password hashing works for normal user and normal admin accounts).
But even worse are the default logging options: By default (atleast on Debian) the log level is set to DEBUG. Additionally if slapd detects optimization opportunities it writes them to the logs - at least once per connection, if not per query. Together with an application that did alot of connections and queries (this was not intendet and got fixed later) THIS RESULTED IN 32 GB LOG FILES IN ≤ 24 HOURS! - enough to fill up the disk and to crash other services (lessons learned: add more monitoring, monitoring, and monitoring and /var/log should be an extra partition). I mean logging optimization hints is certainly nice - it runs faster now (again, I did not do any benchmarks) - but ther verbosity was way too high.
The worst parts are the error messages: When entering a query string with a syntax errors, slapd returns the error code 80 without any additional text - the documentation reveals SO MUCH BETTER meaning: "other error", THIS IS SO HELPFULL... In the end I was able to find the reason why the input was rejected but in my experience the most error messages are little bit more precise.2
when setting up SSO with LDAP on a customer's system they tell me to use a different domain than the one that everything resides on. tell them it won't work because when I did a nslookup and this other domain none of the domain controllers are listed. today SSO starts working out of nowhere and they claim they didn't change anything. did a nslookup and see the domain controllers. looks like someone fixed their mistake but didn't want to admit they made one lol.
I used LDAP to get public facing employee details of my company.
Now my colleagues think that I am an hacker 😂
when you made a custom ldap token based authentication, what is suitable for every projects of your workplace.
Redoing our web apps to use SSO... Every single page within the app runs LDAP authentication. What is the point of signing in and having session cookies if you are reauthorization a logon on every page?!??? Now what seemed like a simple task of revamping the initial logon has turned into a hunting trip for LDAP queries and creating new sql tables