Do all the things like ++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatarSign Up
Get a devDuck
Rubber duck debugging has never been so cute! Get your favorite coding language devDuckBuy Now
Search - "ldap"
Navy story continued.
And continuing from the arp poisoning and boredom, I started scanning the network...
So I found plenty of WinXP computers, even some Win2k servers (I shit you not, the year was 201X) I decided to play around with merasploit a bit. I mean, this had to be a secure net, right?
Like hell it was.
Among the select douchebags I arp poisoned was a senior officer that had a VERY high idea for himself, and also believed he was tech-savvy. Now that, is a combination that is the red cloth for assholes like me. But I had to be more careful, as news of the network outage leaked, and rumours of "that guy" went amok, but because the whole sysadmin thing was on the shoulders of one guy, none could track it to me in explicit way. Not that i cared, actually, when I am pissed I act with all the subtleness of an atom bomb on steroids.
So, after some scanning and arp poisoning (changing the source MAC address this time) I said...
"Let's try this common exploit, it supposedly shouldn't work, there have been notifications about it, I've read them." Oh boy, was I in for a treat. 12 meterpreter sessions. FUCKING 12. The academy's online printer had no authentication, so I took the liberty of printing a few pages of ASCII jolly rogers (cute stuff, I know, but I was still in ITSec puberty) and decided to fuck around with the other PCs. One thing I found out is that some professors' PCs had the extreme password of 1234. Serious security, that was. Had I known earlier, I could have skipped a TON of pointless memorising...
Anyway, I was running amok the entire network, the sysad never had a chance on that, and he seemed preoccupied with EVERYTHING ELSE besides monitoring the net, like fixing (replacing) the keyboard for the commander's secretary, so...
BTW, most PCs had antivirus, but SO out of date that I didn't even need to encode the payload or do any other trick. An LDAP server was open, and the hashed admin password was the name of his wife. Go figure.
I looked at a WinXP laptop with a weird name, and fired my trusty ms08_067 on it. Passowrd: "aaw". I seriously thought that Ophcrack was broken, but I confirmed it. WTF? I started looking into the files... nothing too suspicious... wait a min, this guy is supposed to work, why his browser is showing porn?
Looking at the ""Deleted"" files (hah!) I fount a TON of documents with "SECRET" in them. Curious...
Decided to download everything, like the asshole I am, and restart his PC, AND to leave him with another desktop wallpaper and a text message. Thinking that he took the hint, I told the sysadmin about the vulnerable PCs and went to class...
In the middle of the class (I think it was anti-air warfare or anti-submarine warfare) the sysad burst through the door shouting "Stop it, that's the second-in-command's PC!".
Stunned silence. Even the professor (who was an officer). God, that was awkward. So, to make things MORE awkward (like the asshole I am) I burned every document to a DVD and the next day I took the sysad and went to the second-in-command of the academy.
Surprisingly he took the whole thing in quite the easygoing fashion. I half-expected court martial or at least a good yelling, but no. Anyway, after our conversation I cornered the sysad and barraged him with some tons of security holes, needed upgrades and settings etc. I still don't know if he managed to patch everything (I left him a detailed report) because, as I've written before, budget constraints in the military are the stuff of nightmares. Still, after that, oddly, most people wouldn't even talk to me.
God, that was a nice period of my life, not having to pretend to be interested about sports and TV shows. It would be almost like a story from highschool (if our highschool had such things as a network back then - yes, I am old).
More sysadmin focused but y’all get this stuff and I need a rant.
TLDR: Got the wrong internship.
Start working as a sysadmin/dev intern/man-of-many-hats at a small finance company (I’m still in school). Day 1: “Oh new IT guy? Just grab a PC from an empty cubicle and here’s a flash drive with Fedora, go ahead and manually install your operating system. Oh shit also your desktop has 2g of ram, a core2 duo, and we scavenged your hard drive for another dev so just go find one in the server room. And also your monitor is broken so just take one from another cubicle.”
Am shown our server room and see that someone is storing random personal shit in there (golf clubs propped against the server racks with heads mixed into the cabling, etc.). Ask why the golf clubs etc. are mixed in with the cabling and server racks and am given the silent treatment. Learn later that my boss is the owners son, and he is storing his personal stuff in our server room.
Do desktop support for end users. Another manager asks for her employees to receive copies of office 2010 (they’re running 2003 an 2007). Ask boss about licensing plans in place and upgrade schedules, he says he’ll get back to me. I explain to other manager we are working on a licensing scheme and I will keep her informed.
Next day other manager tells me (*the intern*) that she spoke with a rich business friend whose company uses fake/cracked license keys and we should do the same to keep costs down. I nod and smile. IT manager tells me we have no upgrade schedule or licensing agreement. I suggest purchasing an Office 365 subscription. Boss says $150 a year per employee is too expensive (Company pulls good money, has ~25 employees, owner is just cheap) I suggest freeware alternatives. Other manager refuses to use anything other than office 2010 as that is what she is familiar with. Boss refuses to spend any money on license keys. Learn other manager is owners wife and mother of my boss. Stalemate. No upgrades happen.
Company is running an active directory Windows Server 2003 instance that needs upgrading. I suggest 2012R2. Boss says “sure”. I ask how he will purchase the license key and he tells me he won’t.
I suggest running an Ubuntu server with LDAP functionality instead with the understanding that this will add IT employee hours for maintenance. Bosses eyes glaze over at the mention of Linux. The upgrade is put off.
Start cleaning out server room of the personal junk, labeling server racks and cables, and creating a network map. Boss asks what I’m doing. I show him the organized side of the server room and he says “okay but don’t do any more”.
... *sigh* ...20
I might be fucked up, but I have a tendency to gravitate towards the shit that everyone else dislikes for the sake of knowing if their bias against is actually because shit is truly fucked up or if shit is legit plain WRONG.
From all technologies that I have worked with professionally I can count:
Java(currently in the form of old JSP services for an "enterprise level application")
Java for Android development - i was the lead engineer for a mobile project
Swift with IOS dev, same gig as the above.
C++ for Android development in the form of OpenCV with Java as well.
Clojure for an ldap active directory application
Python for glue scripts
Classic ASP with JScript and VBScript
VB Net forms
C# For ASP.NET MVC
Bootstrap for multiple intranet frontends
Node+Express for a logistics warehouse management tool
Ruby on Rails freelancing small gigs
Php in all ways possible from complete standalone php apps to Laravel and just php+composer apps aaaaall the way to wordpress
WHYYY is LDAP so god damn convoluted??!?
I love the idea of it, but in practice, everything is just a hack on top of hack on top of hack going as far back as the 90s.3
When you come to work eager to code, and the whole day goes to trying and failing to fix some network shit -_-2
I am making an LDAP user manager and porting application for my workplace.
The thing is, i made the first version of it in PHP already. Shit works fine and it without an issue.
I had an itch to redesign it using another tech stack that would be speedier, more tested and using a more established platform.
Enter Clojure, a Lisp dialect for the JVM. In a single day I managed to get 80% of the application done. We have about 80k users inside of our ldap system(maybe more) and I tested it with 150 accounts, so far so good.
If this works I will be the first person to deploy a Clojure application, not only for my organization, but for the city as a whole while simultaneously being able to say that I got a Lisp app deployed and working :D
I am loving this. Really wanna have a Lisp app out there and add it to my resume.
The head of my department, an old timer and really ancient dev smiled heavily when I showed him the codebase. Not only is it minimal, it is concise and elegant :D
I love Clojure
My current job at the release & deploy mgmt team:
Basically this is the "theoretically sound flow":
* devs shit code and build stuff => if all tests in pipeline are green, it's eligible for promotion
* devs fill in desired version number build inside an excel sheet, we take this version number and deploy said version into a higher environment
* we deploy all the thingies and we just do ONE spec run for the entire environment
* we validate, and then go home
In the real world however:
* devs build shit and the tests are failed/unstable ===> disable test in the pipeline
* devs write down a version umber but since they disabled the tests they realize it's not working because they forgot thing XYZ, and want us to deploy another version of said application after code-freeze deadline
* deployments fail because said developers don't know jack shit about flyway database migrations, they always fail, we have to point them out where they'd go wrong, we even gave them the tooling to use to check such schema's, but they never use it
* a deploy fails, we send feedback, they request a NEW version, with the same bug still in it, because working with git is waaaaay too progressive
* We enable all the tests again (we basically regenerate all the pipeline jobs) And it turns out some devs have manually modified the pipelines, causing the build/deploy process to fail. We urged Mgmt to seal off the jenkins for devs since we're dealing with this fucking nonsense the whole time, but noooooo , devs are "smart persons that are supposed to have sense of responsibility"...yeah FUCK THAT
* Even after new versions received after deadline, the application still ain't green... What happens is basically doing it all over again the next day...
This is basically what happens when you:=
* have nos tandards and rules inr egards to conventions
* have very poor solution-ed work flow processes that have "grown organically"
* have management that is way too permissive in allowing breaking stuff and pleasing other "team leader" asscracks...
* have a very bad user/rights mgmt on LDAP side (which unfortunately we cannot do anything about it, because that is in the ownership of some dinosaur fossil that strangely enough is alive and walks around in here... If you ask/propose solutions that person goes into sulking mode. He (correctly) fears his only reason for existence (LDAP) will be gone if someone dares to touch it...
This is a government agency mind you!
More and more thinking daily that i really don't want to go to office and make a ton of money.
So the only motivation right now is..the money, which i find abhorrent.
And also more stuff, but now that i am writing this down makes me really really sad. I don't want to feel sad, so i stop being sad and feel awesome instead.1
Just reminiscing about the time I needed to recover my ldap password and the procedure consisted of an asthmatic tech support dude showing it to me in a giant spreadsheet.
Steps for making something that works become shitty, gmail and Microsoft edition:
1. Enforce non standards compliant authentication methods because you know client developers will have to bend to your will because you're fucking google
2. Let Microsoft develop a ldap wrapper with web authentication to load when you try to log in with a client.
3. As per usual, the Microsoft azure Authenticator crashes thunderbird immediately. Not even sure how they managed to do that
4. And we have suck.
The most crazy issue I've fixed was caused by a TCP behavior which I didn't know, called the "half-closed connection".
There was a third-party application installed on a production server which called a LDAP server for retrieving users information. During the day we had several users using the application and all worked fine. During the night, when the application was not accessed, something happened and the first call to the application in the morning was stuck for about 5 minutes before returning a response. I tried to reproduce the issue in a testing environment without success. Then I discovered that the application and the LDAP server were located on two different networks, with a firewall between them. And firewalls sometimes drop old connections. For this reason network applications usually implement a keep-alive mechanism. Well, the default LDAP Java libraries don't set the keep-alive on their connections. So, I found a library called "libdontdie", which force the keep-alive on the connections. I installed the library on the server, loaded it at the startup and the weird stuck behavior in the morning disappeared.2
Being forced to migrate an application written to to run on Solaris 9, which uses Sun ONE Webserver, Netscape LDAP Server and Cold fusion and migrate it to RHEL 7.3 ppc64le before the 3rd of January (I was only told about the project this morning), and I'm told I *have* to use the exact same technologies and versions. I'm on leave for Xmas from the 22 until the 5th of Jan. I know exactly where they can put their arbitrary management deadlines.2
Just got handed a dozen servers. Documentation shows a (Linux) database cluster is using ldap authentication. I try logging in with my creds. No joy. I look up the root password and log in.
Not only is it not configured to use ldap, it's also not clustered.
I need more coffee.
Why has authentication of web services to be so fucking complicated?
PAM, OpenID, LDAP, SSO...
Every fucking service supports something different and I have a hard time finding a decent tutorial on LDAP and the likes.6
FUCK APPLICATION LEVEL FIREWALLS!
So i cam online today, thought already lets open the shitty outlook webmail client. Holy crap .... thats way to much mails. Many of them are missed teams messages. So i open up teams and holy crap. Like every third dev in my company send me a message screaming "gitab is not working!!!".
Yesterday i updated it so imediately get in panic mode - what the shitty hack have i done?!
So yeah gitlab seems to be working just fine, everything is speedy and responsive, so i call one of my fellow devs and ask him whats wrong? And he is like oh yeah there comes a ldap error saying timeout or something.
I try to login with active directory. Works like a charm. Try another account, same problem?!
Google the problem, search gitlab tickets. Nope there is no open bug or sth. like this.
So alright lets call the network guy. "Yo, can you check if there is something ldap-like getting blocked to the gitlab server?" - He is like oh yeah damn like almost every damn request is getting blocked. Ah wait, there was an firewall update yesterday too. Yeah ldap is no longer ldap. BLOCK THAT SHIT!
After 10 minutes of figuring out what shitty type is detected by the firewall and what needs to be whitelisted to make it fucking work again it seems to work.
But ha no, there is another update rolling on, so same shit like 15 minutes later.
Now it seems to work and i have to inform every damn fcking developer that it works again. And yeah alright you sent a mail, but fuck it, i will call you though! So yeah just answering calls, mails and chat messages. Like why the fuck cant you read your mails like a damn normal person?!1
I am not a php dev and I have nearly 0 knowledge of php. All I know about php is that xampp is your friend and you have to write that $ everywhere. But that one day I had to setup phpLDAPadmin on apache2.
I have nothing against php, but I just don't want to have anything in common, since I'm just perfectly fine with my java.
So I had to make it work. Fought my way through different incompatible versions of php and phpldapadmin only to see "not found" on phpldapadmin.
I thought, like, wtf?? Especially when index.php of apache2 is displaying just fine? I mean, I can "edit" some php code, but configs and php setups are just something like out of my world. Tried setuping it on different vms - same result. I've buried way too many hours into this with no result. Finally I gave up and contacted a friend of mine which is like php god for me. He did same thing as I did in ~ 10 mins, but the result was the same. Tweaked some configs - same. Scratched his head, sat for 5 more minutes, did something and boom - it works!
I've asked him, what is that php magic and the answer killed me:
"Index.html was missing"
At that moment I just wanted to exit through the window. Sadly, there were no way to open it.
Yes, I am this stupid in php. But I still miss all these wasted hours...2
Was this week bad for you guys?
Personally I had to deal with a university department. They changed their code and how their enterprise directory works breaking almost everything.
Trying to get my head round LDAP for , what will eventually be, a government project.
Security up the wazoo is difficult1
I had a discussion with my colleagues about my bachelor thesis.
Together we created within the last 18 month a REST-API where we use LDAP/LMDB as database (tree structured storage). Of course our data is relational and of course we have a high redundancy there. It's a 170 call API and I highly doubt that it's actually conforming REST.
Ensuring DB integrity is done in the backend and coding style there is "If we change it at one place, let's make sure to also change it everywhere else", so you get a good impression how much of spaghetti code we have there.
Now I proposed to code a solution in my bachelor thesis where we use a relational database (we even have an administrated Oracle DB with high availability) and have a write-only layer to also store the data in LDAP but my colleagues said that "it would add too much complexity to the system".
Instead I should write the relational layer myself and fetch the data somehow from the existing LDAP tree.
What the actual fuck, spaghetti code is what makes the system really unnecessarily complex so that no one will understand that code in 2 years.
Congratulations, you just created legacy code that went into production in 2018 while not accepting the opportunity to let that legacy code get eliminated.
Now good luck with running and maintaining that system and it's inconsistencies.1
For our current project, we connect to three different OpenVPNs:
Our dev OpenVPN (to get Jenkins/Artifactory)
The ops team devops OpenVPN (to get to environment)
The vendor's VPN for single signon
All of them have different keys and one connects to LDAP and uses a password we can't change.
I need your help. Im a junior Pentester.
Tomorrow I need to pentest a Macintosh workstation but I have no idea where to start. Users can login via LDAP and I will do a white box pentest.
Any suggestions where to start?13
Databases and LDAP down since 1 1/2 days...so embarrassing...am i really working in an it company???
luckily there are options beside work...hello amazon, spotify, devrant...:D
if we got Server/DB issues it always takes about at least half a day to fix it! *facepalm*1
I'm genuinely contemplating changing my career to an IT support role from my current web dev endeavors.
I have become rather disinterested for quite some time with web development, I've been working with React, Angular, the regular Wordpress stuff with the theme building/modifying, headless instances, plugin development and whatnot and all of these have become more of a chore than anything else.
I'm leaning towards an IT support role as I genuinely have more interest in a user support/infrastructure support role than a developer role, the question is, is it doable ?. I know my way around Windows and Linux Servers, know LDAP, Active Directory, BASH, Powershell, Networking, can do cabling and whatnot but I don't have the experience to show off those.
Any tips would be greatly appreciated4
I asked out IT guy to send me base URL for LDAP server, he send me quick reply with base URL of my application. Not sure he was being sarcastic or absolute dumb-arse
While planning my (personal) server I just seem to pile up more and more things to do/consider. Basically, for now I just want to have rclone, nextcloud and jellyfin, plus some usenet stuff later on. But I want to have the whole installation and configuration automated as far as possible, since I'll at first it will run in a test environment and needs to be migrated to another server at a point, possibly even another OS. So I suppose that means docker, docker-compose and Chef (any better options?). I want SSL: Traefik. User management / auth? RADIUS, LDAP. SSO? keycloak. I also need to deal with virtual hosts. And probably much more..
Since I just have basic Linux knowledge and have no real experience with any of the other technologies, I feel a bit lost. I just got to the abovementioned software due to some ddg research. I don't mind digging deep, I want to learn (which is half the reason for this project), but it's not easy to the the best way to set this up.11
Relatively often the OpenLDAP server (slapd) behaves a bit strange.
While it is little bit slow (I didn't do a benchmark but Active Directory seemed to be a bit faster but has other quirks is Windows only) with a small amount of users it's fine. slapd is the reference implementation of the LDAP protocol and I didn't expect it to be much better.
Some years ago slapd migrated to a different configuration style - instead of a configuration file and a required restart after every change made, it now uses an additional database for "live" configuration which also allows the deployment of multiple servers with the same configuration (I guess this is nice for larger setups). Many documentations online do not reflect the new configuration and so using the new configuration style requires some knowledge of LDAP itself.
It is possible to revert to the old file based method but the possibility might be removed by any future version - and restarts may take a little bit longer. So I guess, don't do that?
To access the configuration over the network (only using the command line on the server to edit the configuration is sometimes a bit... annoying) an additional internal user has to be created in the configuration database (while working on the local machine as root you are authenticated over a unix domain socket). I mean, I had to creat an administration user during the installation of the service but apparently this only for the main database...
The password in the configuration can be hashed as usual - but strangely it does only accept hashes of some passwords (a hashed version of "123456" is accepted but not hashes of different password, I mean what the...?) so I have to use a single plaintext password... (secure password hashing works for normal user and normal admin accounts).
But even worse are the default logging options: By default (atleast on Debian) the log level is set to DEBUG. Additionally if slapd detects optimization opportunities it writes them to the logs - at least once per connection, if not per query. Together with an application that did alot of connections and queries (this was not intendet and got fixed later) THIS RESULTED IN 32 GB LOG FILES IN ≤ 24 HOURS! - enough to fill up the disk and to crash other services (lessons learned: add more monitoring, monitoring, and monitoring and /var/log should be an extra partition). I mean logging optimization hints is certainly nice - it runs faster now (again, I did not do any benchmarks) - but ther verbosity was way too high.
The worst parts are the error messages: When entering a query string with a syntax errors, slapd returns the error code 80 without any additional text - the documentation reveals SO MUCH BETTER meaning: "other error", THIS IS SO HELPFULL... In the end I was able to find the reason why the input was rejected but in my experience the most error messages are little bit more precise.2
when setting up SSO with LDAP on a customer's system they tell me to use a different domain than the one that everything resides on. tell them it won't work because when I did a nslookup and this other domain none of the domain controllers are listed. today SSO starts working out of nowhere and they claim they didn't change anything. did a nslookup and see the domain controllers. looks like someone fixed their mistake but didn't want to admit they made one lol.
Fellow devranters, I need your help for a... NodeJS question... (and I won't bother asking the question on SO, because all the questions/answers I found won't work)
You see, this client we have says they want their app to be login-less; once the app starts, ir automatically knows who is the ldap user that 'logged' in the app.
I've been struggling with it for weeks, trying to use npm modules, retrieving info from process.env, and I'm sure it is completely impossible without at least providing a username.
So here I am, asking anyone out here who can answer me this question: is it possible to login without providing anything?7
I used LDAP to get public facing employee details of my company.
Now my colleagues think that I am an hacker 😂
Why cant every server-application have a feature like openssh AuthorizedKeysCommand?!
So pretty much a command-hook for authentication.
You pass username, password and additional stuff to it, and its STDOUT and exit-status determine the authentication result.
No, instead of something so simple,
You're forced to use MySQL,LDAP...4
when you made a custom ldap token based authentication, what is suitable for every projects of your workplace.
Redoing our web apps to use SSO... Every single page within the app runs LDAP authentication. What is the point of signing in and having session cookies if you are reauthorization a logon on every page?!??? Now what seemed like a simple task of revamping the initial logon has turned into a hunting trip for LDAP queries and creating new sql tables