Kerberos, and therefore LDAP with GSSAPI, has issues with servers behind NAT, or anywhere the forward DNS lookup does not match the reverse DNS lookup. For instance, in our lab we have an OpenLDAP LDAP server:

    $ dig +noall +answer ldap.itlab.stanford.edu
    ldap.itlab.stanford.edu. 207 IN CNAME idp.itlab.stanford.edu.
    idp.itlab.stanford.edu. 200 IN A 184.108.40.206

However, since it's running … Continue reading Kerberos, LDAP, SSH, and NAT/AWS
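The failure the excerpt describes comes from how a Kerberos client derives the service principal it asks the KDC for: it chases CNAMEs to the canonical name, and (with MIT krb5's traditional `rdns = true` setting) then reverse-resolves the address and uses the PTR name instead. Behind NAT the PTR belongs to the gateway, so the client asks for a principal the server has no key for. The model below is an added example, not code from the post: the two forward records are the ones shown above, while the reverse record, the realm `ITLAB.EXAMPLE` and the keytab contents are constructed assumptions.

```python
"""Model of Kerberos service-principal canonicalisation, to show why a
server behind NAT (forward DNS != reverse DNS) breaks GSSAPI binds.
Added, constructed example: forward records are from the post; the PTR
record, realm and keytab are assumptions; the canonicalisation steps are
modelled on MIT krb5's traditional behaviour (CNAME chase, then reverse
lookup when rdns = true)."""

import socket

# Forward zone as shown in the post's dig output.
FORWARD = {
    "ldap.itlab.stanford.edu": ("CNAME", "idp.itlab.stanford.edu"),
    "idp.itlab.stanford.edu": ("A", "184.108.40.206"),
}

# Assumption: the public address is a NAT gateway whose PTR record is
# owned by the hosting provider, not by the lab.
REVERSE = {"184.108.40.206": "nat-gateway.provider.example"}

REALM = "ITLAB.EXAMPLE"  # assumption; the post does not name the realm

# Assumption: the server's keytab only holds a key for its canonical name.
KEYTAB = {f"ldap/idp.itlab.stanford.edu@{REALM}"}


def chase_cname(name, forward, max_hops=8):
    """Follow CNAMEs to the A record, like getaddrinfo() with AI_CANONNAME.
    Returns (canonical_name, address)."""
    for _ in range(max_hops):
        rtype, target = forward[name.rstrip(".")]
        if rtype == "A":
            return name.rstrip("."), target
        name = target
    raise RuntimeError("CNAME chain too long")


def client_principal(service, host, forward, reverse, realm, rdns=True):
    """Service principal the client will request a ticket for.
    With rdns=True the address is reverse-resolved and the PTR name wins,
    which is exactly what goes wrong behind NAT."""
    canonical, addr = chase_cname(host, forward)
    if rdns and addr in reverse:
        canonical = reverse[addr]
    return f"{service}/{canonical}@{realm}"


def diagnose(service, host, forward, reverse, realm, keytab, rdns=True):
    """Return (principal, problem); problem is None when the principal the
    client derives has a key in the server's keytab."""
    principal = client_principal(service, host, forward, reverse, realm, rdns)
    if principal in keytab:
        return principal, None
    canonical, addr = chase_cname(host, forward)
    ptr = reverse.get(addr)
    if rdns and ptr and ptr != canonical:
        return principal, (f"reverse DNS for {addr} is {ptr}, not {canonical}; "
                           "set rdns = false in krb5.conf or fix the PTR record")
    return principal, "no keytab entry for this principal"


def live_names(host):
    """The same two lookups against the real resolver, for checking a live
    host. Not called at import time; needs network access."""
    info = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM,
                              0, socket.AI_CANONNAME)
    canonical, addr = info[0][3], info[0][4][0]
    try:
        ptr = socket.gethostbyaddr(addr)[0]
    except socket.herror:
        ptr = None
    return canonical, addr, ptr


if __name__ == "__main__":
    for rdns in (True, False):
        p, problem = diagnose("ldap", "ldap.itlab.stanford.edu",
                              FORWARD, REVERSE, REALM, KEYTAB, rdns)
        print(f"rdns={rdns}: {p} -> {problem or 'ok'}")
```

With the constructed reverse record the client asks for `ldap/nat-gateway.provider.example@ITLAB.EXAMPLE`, which is not in the keytab; with `rdns=False` it asks for `ldap/idp.itlab.stanford.edu@ITLAB.EXAMPLE` and the bind succeeds. `live_names()` runs the same forward and reverse lookups against a real host so you can see which name your client would actually use.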
Amazon documents how reserved instances and consolidated billing work together, but it's apparently still confusing because Bob's account has instances and is also the paying account. Our setup is different - the only resource created inside the paying account is the S3 bucket where Amazon posts our billing data. Here's my edited version of the … Continue reading AWS Reserved Instances and Consolidated Billing
While messing around with Raspberry Pis, Docker, bridged networks, wireless networks, etc. I managed to bork my Pis. If this happened at home, I could use a serial console cable, or plug the Pi into the spare HDMI port on my monitor and use a USB keyboard, or attach a USB SD card reader to … Continue reading I Broke My Pi’s Networking!
We generally use Duo for two factor authentication, including SSH. We have some scenarios where people would like to use two factor authentication, but Duo is considered too intrusive. For example, when using Duo for SSH-based git push and git pull there's no Duo prompt, it only works with Duo push, and you have to … Continue reading Yubikey PIV for SSH on Macs
We have a group who would like to use our internal University IDs to map campus users to Salesforce users for SSO. There are several ways to achieve this with a Shibboleth IdP and Salesforce, but this is the simplest.
Previously, I tried setting up a more efficient Shibboleth Attribute Authority - one where I could query for a specific attribute value for a specific attribute for a specific user (e.g. does firstname.lastname@example.org have an experimentId attribute with the value 2?). While you can add attribute values to the attribute elements in a SimpleAggregation AttributeResolver … Continue reading Authentication and Authorization with Shibboleth and LDAP
Shiny Toys

Since it was Google I/O, every attendee received some shiny toys: a Nexus phone and Nexus 7 tablet, a Nexus Q streaming media player, and a Chromebox (the ChromeOS version of a Mac Mini). The Nexus Q doesn't really have any impact on IT, and it's an odd system: it costs over 3 … Continue reading Google I/O 2012
I recently took the Architecting with Amazon Web Services training class. The class is taught by AWS Solutions Architects, rather than by dedicated training staff, so the instructors have real, practical experience with helping customers use AWS; the SAs use that experience, and feedback from each class, to continually improve the class. The class covered … Continue reading Architecting with AWS Training
I went to my third (of three) Breaking Development Conference in April - this time it was in a biodome in Orlando, FL. Following on from the themes of the previous conferences, a large part of the conference was focused on responsive web design (RWD). RWD was proposed as a widely applicable solution at the … Continue reading Breaking Development, April 2012
My poor little brain is still trying to recover from the Breaking Development Conference (#bdconf), where many of the big names in mobile web crammed it full of statistics, theories and practical experience.