Restrict RADIUS usage in Server 5.x

Posted: February 29th, 2016 | Author: | Filed under: Uncategorized | No Comments »

This is a follow-up post to my previous article about how to set up RADIUS on Server 5.x.

In my Open Directory user list I have a user called scanner with a password of, you guessed it, scanner. Now I know this isn’t the most secure thing ever, but the user only has very limited access. Recently I wanted to implement RADIUS so that the VPN concentrator could authenticate against Open Directory, but I certainly don’t want the scanner user to be able to authenticate. Previously I would fire up Workgroup Manager and build a service access control list (SACL). However, with WGM now gone, I have to do it on the command line. After some hacking I figured it out.

First, you’ll need to make a group in OD called VPN and put the users you would like to have VPN access in it. Then whip open a terminal and get the GeneratedUID of that group:

dscl localhost read /LDAPv3/127.0.0.1/Groups/VPN

You’re looking for the “GeneratedUID” attribute; note it down somewhere. Next, edit the following script and put your GeneratedUID into the line where it says NestedGroups:


# Create the RADIUS service access control list (SACL) group in the local directory node
dscl localhost create /Local/Default/Groups/com.apple.access_radius
dscl localhost create /Local/Default/Groups/com.apple.access_radius RealName com.apple.access_radius
dscl localhost create /Local/Default/Groups/com.apple.access_radius passwd "*"
dscl localhost create /Local/Default/Groups/com.apple.access_radius gid 260
# Nest the OD group whose members are allowed to use RADIUS: paste the VPN group's GeneratedUID here
dscl localhost create /Local/Default/Groups/com.apple.access_radius NestedGroups PASTE_GUID_HERE

Then restart RADIUS (serveradmin stop radius, then serveradmin start radius) and you should be good to go!
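As an added example (not from the original post), here is the same procedure scripted end to end: pull the VPN group’s GeneratedUID out of dscl’s output, build the SACL group from it, and then use dsmemberutil to confirm that an account that must stay off the VPN (the scanner user above) is not admitted. It assumes the OD group is named VPN as in the post; the dscl output embedded below is a constructed sample with a made-up GUID so the script can be dry-run on any machine.

```shell
#!/bin/sh
# Added example, not from the original post: look up the VPN group's GeneratedUID,
# emit the SACL-creation commands, and verify who the SACL admits.
# Assumptions: the OD group is called VPN; SAMPLE_DSCL_OUTPUT is constructed (fake GUID).

# Print the GeneratedUID attribute from `dscl ... read` output given on stdin.
extract_generated_uid() {
    awk '$1 == "GeneratedUID:" { print $2; exit }'
}

# Emit the post's dscl commands with the VPN group's GUID ($1) filled in.
sacl_commands() {
    rec=/Local/Default/Groups/com.apple.access_radius
    printf 'dscl localhost create %s\n' "$rec"
    printf 'dscl localhost create %s RealName com.apple.access_radius\n' "$rec"
    printf 'dscl localhost create %s passwd "*"\n' "$rec"
    printf 'dscl localhost create %s gid 260\n' "$rec"
    printf 'dscl localhost create %s NestedGroups %s\n' "$rec" "$1"
}

# Constructed stand-in for `dscl localhost read /LDAPv3/127.0.0.1/Groups/VPN`.
SAMPLE_DSCL_OUTPUT='AppleMetaNodeLocation: /LDAPv3/127.0.0.1
GeneratedUID: 12345678-ABCD-4321-9876-0123456789AB
PrimaryGroupID: 1026
RecordName: VPN
RecordType: dsRecTypeStandard:Groups'

if [ "${1:-}" = "--apply" ] && command -v dscl >/dev/null 2>&1; then
    # Real run on the OD server: look up the GUID, build the SACL, restart RADIUS,
    # then confirm the account that must stay out (the post's scanner user) is excluded.
    guid=$(dscl localhost read /LDAPv3/127.0.0.1/Groups/VPN | extract_generated_uid)
    [ -n "$guid" ] || { echo "no GeneratedUID found for group VPN" >&2; exit 1; }
    sacl_commands "$guid" | sh -e
    serveradmin stop radius && serveradmin start radius
    dsmemberutil checkmembership -U scanner -G com.apple.access_radius
else
    # Dry run (no dscl here): show the commands that would be executed for the sample group.
    guid=$(printf '%s\n' "$SAMPLE_DSCL_OUTPUT" | extract_generated_uid)
    sacl_commands "$guid"
fi
```

Run it with --apply on the OD master to create the SACL; dsmemberutil resolves nested groups, so a user who is in VPN reports as a member of com.apple.access_radius and scanner does not.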


How to Push Watchman Monitoring Windows Agent

Posted: November 10th, 2014 | Author: | Filed under: Uncategorized | No Comments »

Recently, I was granted access to the Windows beta agent. In a word, amazing. Truly, Allen and the guys at Watchman have done an amazing job. Now, I have most of my clients enrolled in Meraki Systems Manager and I wanted to be able to push this agent to them without getting in the user’s face. I came up with the following, and please keep in mind, I’m NOT a Windows sysadmin.


mkdir C:\temp
REM Both files are fetched over plain HTTP; host them on HTTPS and check the MSI's hash before installing
bitsadmin.exe /transfer "MSI" http://www.yourdomain.com/path/to/MonitoringClient.msi C:\temp\MonitoringClient.msi
bitsadmin.exe /transfer "regfile" http://www.yourdomain.com/path/to/monitoringclient.reg C:\temp\monitoringclient.reg
REM Import the agent's settings silently, then run the installer (add /qn for a silent install)
Regedit /s C:\temp\monitoringclient.reg
Msiexec.exe /I C:\temp\MonitoringClient.msi

I take this code and paste it line by line into the “Command Line” feature of Meraki Systems Manager.

For more info on Watchman Monitoring Windows Beta go here.
For Meraki Systems Manager go here.


Migrating OS X Server Wiki from 10.7 Lion to 10.8 Mountain Lion

Posted: April 7th, 2013 | Author: | Filed under: Uncategorized | No Comments »

Great article on Apple’s support page outlining how to migrate the wiki service from 10.7 Lion Server to 10.8 Mountain Lion Server, aka OS X Server 2.2:

http://support.apple.com/kb/HT5697


And We’re Back!

Posted: February 13th, 2013 | Author: | Filed under: Uncategorized | No Comments »

After a long while I’ve decided to bring my personal blog back to the net. I took it offline originally so I could redirect the web traffic to a company website that I started. However, I quickly learned that nerds do not buy IT services; this is why they’re nerds. Nerds do IT themselves. (Get it?)

Hopefully the wizardry that is Google will be able to figure out that I moved the blog back. Originally I did a 403 redirect; however, this time I redesigned my company website without moving the WordPress content anywhere. I checked my PageRank and at a whopping 3/10 I’d have to say that I lost the traffic. Looking to the future, I’m hopefully going to be adding a lot of content here; currently I’m looking into FOSS AD/OD replacements, as well as some outdoor adventures!

Thanks for reading.

Jordan


Vacation Time

Posted: July 19th, 2010 | Author: | Filed under: Uncategorized | No Comments »

Jealous?

So this is going to be my last post for a while, probably till the end of summer. I’m going on a European vacation with my lady. It’s going to be an epic adventure full of battles, conquests, and amazing sights. If you want to follow our adventure, please check out our new Tumblr blog.


Free Geek Summer Sale

Posted: July 15th, 2010 | Author: | Filed under: Uncategorized | No Comments »

A little bird told me Free Geek Vancouver is having a crazy sale this Saturday! Check it out!




Old Trick: Cloning Over Network

Posted: June 17th, 2010 | Author: | Filed under: Uncategorized | No Comments »

Here’s an old but great trick. I had a server that was dying on me; I wanted to clone the computer but didn’t want the hassle of taking it apart. By using netcat and the dd command I was able to clone the computer over the network.

First, on the destination computer, boot up off the Ubuntu 10.04 Desktop live CD and execute the command:


# Listen on TCP port 10000 and write whatever arrives straight to the destination disk
nc -l 10000 | dd of=/dev/sda

Then on the source:

# Stream the whole source disk to the destination; DESTINATION_IP is a placeholder
# for the address of the machine booted from the live CD
dd if=/dev/sda | nc DESTINATION_IP 10000

Wait for the dd command to finish, then reboot the new hardware. If you’re lucky it should just boot and you’re done! Yay! If not, boot the destination off the live CD once more and mount the drive. Edit any device-name changes (sda/sdb/hda) in /etc/fstab as well as in GRUB’s configuration, along with any other changes you have to make; perhaps your modprobe.conf needs editing. Once done, make a new initrd and you’re happy!


# Rebuild the initrd for the installed 2.6.21 kernel so it picks up the edited driver/device settings
/sbin/mkinitrd -v -f /boot/initrd-new.img 2.6.21
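As an added example (not from the original post), here is the same dd-over-netcat transfer with both ends hashing the byte stream, so you can confirm the clone is intact before relying on it rather than hoping it “just boots”. It assumes GNU coreutils (sha256sum, dd) on both machines; DEST_IP in the usage comments is a placeholder for the destination host.

```shell
#!/bin/sh
# Added example, not from the original post: dd-over-netcat with a SHA-256 of the
# stream recorded on both ends.
# Destination (booted from the live CD):  nc -l 10000 | receive_image /dev/sda /root/rx.sha256
# Source:  send_image /dev/sda /root/tx.sha256 | nc DEST_IP 10000   (DEST_IP: placeholder)
# Afterwards copy one digest across and run verify_clone on the two files.

# Source side: stream device/file $1 to stdout (pipe into nc) and record in $2 the
# SHA-256 of exactly the bytes that were sent. A FIFO feeds a background hasher.
send_image() {
    in=$1; sumfile=$2; fifo="$sumfile.fifo"
    mkfifo "$fifo"
    sha256sum < "$fifo" | awk '{ print $1 }' > "$sumfile" &
    hasher=$!
    tee "$fifo" < "$in"            # one copy to stdout (nc), one copy to the hasher
    wait "$hasher"; rm -f "$fifo"  # the digest file is complete once the hasher exits
}

# Destination side: write stdin (from nc -l) to device/file $1 with dd, recording
# in $2 the SHA-256 of what actually arrived.
receive_image() {
    out=$1; sumfile=$2; fifo="$sumfile.fifo"
    mkfifo "$fifo"
    sha256sum < "$fifo" | awk '{ print $1 }' > "$sumfile" &
    hasher=$!
    tee "$fifo" | dd of="$out" bs=1024k 2>/dev/null
    wait "$hasher"; rm -f "$fifo"
}

# Compare the sender's and receiver's digest files ($1, $2).
# Exit status 0 means the clone is byte-identical to the source.
verify_clone() {
    tx=$(cat "$1"); rx=$(cat "$2")
    [ -n "$tx" ] && [ "$tx" = "$rx" ]
}
```

If the digests differ, the disk image is not trustworthy: repeat the transfer (a dying drive may read differently each pass) before doing any of the fstab or initrd fix-ups.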


Free Geek: A Non-Profit Computer Reuse and Recycling Centre.

Posted: June 15th, 2010 | Author: | Filed under: Uncategorized | 1 Comment »

Free Geek Vancouver (FGV) is a non-profit computer reuse and recycling centre. They accept all computers, old and new, as well as related electronics, whether they are working or not! FGV is comprised of volunteers who breathe new life into these electronics to create functioning and usable computers. These born-again computers are then either sold at low cost or granted to various non-profit organizations in need. The computers that cannot be salvaged are disassembled properly and sent to various ethical recycling plants. Free Geek follows a strict recycling code of conduct set in place by the Basel Action Network. This ensures that our electronic waste is safely and locally disposed of rather than shipped to developing nations, where it often contaminates air and water.

You can help Free Geek by bringing your used computer down to be recycled! They’re located at 1820 Pandora St in Vancouver. Or, if you are interested in lending a hand, then please come down this Saturday at either 2 or 4pm for one of our infamous tours!

In today’s world we are becoming attached to our technology. For many, computers are the first thing we see in the morning and the last thing we see before we sleep. They take our daily abuse; if only we could give them the proper ending they deserve!


X forwarding on SSH after `sudo -u -i` or `sudo su`

Posted: May 24th, 2010 | Author: | Filed under: Uncategorized | No Comments »

X authentication over SSH is based on magic cookies. The problem is that when you change users via sudo, the new user’s xauth database doesn’t contain the cookie for your forwarded display, so X clients started as that user can’t connect.

Before you issue the su (but after having SSHed into the remote system), request the cookie for the current DISPLAY that’s connecting to your X server:


bart:~ jordan$ xauth list $DISPLAY
hostname.hq.calltitan.com:10  MIT-MAGIC-COOKIE-1  4d22408a71a55b41ccd1657d377923ae

Then, after having done su, tell the new user what the cookie is:

bart:~ root# xauth add hostname.hq.calltitan.com:10 MIT-MAGIC-COOKIE-1 4d22408a71a55b41ccd1657d377923ae

Just cut and paste the output of the above ‘xauth list’ onto ‘xauth add’. That’s it. Keep in mind that the cookie is the only credential needed to connect to that forwarded display, so treat it like a password: it now sits in the second user’s shell history and ~/.Xauthority.


The Cellular Pricing Problem

Posted: April 14th, 2010 | Author: | Filed under: Uncategorized | No Comments »

Cellular Internet connectivity is becoming more and more popular. So much so that a lot of telcos are reporting problems keeping up with the demand. But to make matters worse, the telcos, at least in North America, are gouging their customer base with ridiculous fees. Before we get into what the solution to this problem is, let’s just take a quick look into the telco pricing model. Thanks to an associate of mine who is the head IT administrator for an extremely large newspaper publishing house, I now know that Telus’ wholesale cost on talk time is 0.0018 cents per minute. That’s right, it’s not a typo, 0.0018 cents a minute. My associate, because his company does over 1.4 million in business per year with Telus, was able to negotiate a flat rate of .002 cents a minute for the entire organization, and just to be clear… yes, this is cellular talk time we’re talking about here.

The problem is that the telco industry is an old boys’ club that’s very, very hard to penetrate. Not only from a consumer perspective but from an industry perspective as well. As a small business owner trying to work in the cellular space, I can attest to this statement. Implementing change or getting an answer to a fairly basic question can be a monumental task when dealing with these companies. Which brings me to the problem within the telco pricing model: the cost of data allocation.

Take for example a family plan. There are multiple handsets that pull from a collective pool of minutes. When the pool is exhausted, the extra minutes are charged per minute; nothing like this exists for data. If you own an iPhone with a data plan and a rocket stick with a data plan, they’re two separate allocated pools of data. What if you could get a cell phone plan and attach as many devices as you like to it? An iPhone, a rocket stick and a cell modem in your home. You could pay for one plan and use the allocated minutes and data for not only your cell phone but also your home Internet connection. Wouldn’t that be grand?