Get and use secure supported LDAP SASL authentication mechanisms

Posted: December 1, 2011 | Author: | Filed under: Active Directory, LDAP, Security, Unix | Tags: , , , , , , , , , , , | Leave a comment »

You don’t have to use insecure clear text Simple BIND authentication for accessing your LDAP servers.

Get list of supported authentication mechanisms:

ldapsearch -h example.com -x -b "" -s base -LLL supportedSASLMechanisms

Kerberos GSSAPI Example:

kinit
ldapsearch -v -Y GSSAPI -h example.com -b "DC=example,DC=com" "(sAMAccountName=someusername)"

DIGEST-MD5 Example:

ldapsearch -v -Y DIGEST-MD5 -h example.com -D user@example.com -b "DC=example,DC=com"\
 "(sAMAccountName=someusername)"

Fix Apache mod_jk or mod_proxy serving stale content

Posted: December 1, 2011 | Author: | Filed under: Deployment, http, Unix | Tags: , , , , , , , | Leave a comment »

If your web app starts serving stale cached content when run behind mod_jk or mod_proxy with apache, it may be due to apache inserting a default expiration header.

You can confirm this by comparing the headers returned from apache and directly from your web app.  curl -i will show response headers:

curl -i http://example.com | head -20

To disable apache’s content expirations, add the following to your virtual host:

ExpiresActive Off

Here is the official Apache Documentation.

Inspect Running Mac OS X Applications with F-Script

Posted: November 30, 2011 | Author: | Filed under: Cocoa, Mac OS X, Security | Tags: , , , , , , , , , , | Leave a comment »

Objective C is a Dynamic Runtime, so you can load code like plugins during runtime. This dynamic runtime can be very useful for exploring what applications are doing. I use this to assess the security of applications for example.

F-Script provides an easy way to inject itself into a running app and explore around.

Download F-Script here

Launch the app you want to explore.

Then find the process id number of the app in a Terminal shell:

ps auxww | grep “App Name

Load the F-Script Framework into the app and insert its menu using:

sudo gdb --pid AppNameProcessID --batch --nx --command=/dev/stdin << EOT
p (char)[[NSBundle bundleWithPath:@"path/to/Library/Frameworks/FScript.framework"] load]
p (void)[FScriptMenuItem insertInMainMenu]
EOT

I found the above snippet by reviewing this automator service.

Note that sudo is only required if you are not in the _developer group.

At this point, switch to your running application.  You will notice an F-Script Menu is added to the menu bar.

Choose Console from the F-Script menu and type:

del := NSApplication sharedApplication delegate

This will give you a reference to the application delegate.  The application delegate is a top level class of the application, so it should provide a good starting point.

Next, choose Open Object Browser from the F-Script menu.

Now you should have a nice GUI window to explore the app.

Click on del in the Workspace to explore the app delegate.  You can call methods, change values, etc.

See the F-Script documentation for more details.

Enjoy

MIME type issue with Apache mod_jk and mod_proxy serving plain text

Posted: November 30, 2011 | Author: | Filed under: Deployment, http, Unix | Tags: , , , , , , , , , | Leave a comment »

Some apps do not properly set mime types of content they serve, but still may work properly when served standalone because client applications like browsers are able to interpret the type of the content.  But when served behind Apache, these apps will not behave correctly because Apache will provide a default type of text/plain.

The solution is to add a DefaultType None line to your apache virtual host for these web apps:

DefaultType None

Here are the docs

Snow Leopard Apache Web Server SSL Pass phrase Error

Posted: November 29, 2011 | Author: | Filed under: http, Mac OS X, Mac OS X Server, Unix | Tags: , , , , | Leave a comment »

If you are getting errors “Pass phrase incorrect” in your apache logs on Snow Leopard server, it is because the key is protected by a password.  I found the answer here.

The password for the key is stored in the System Keychain.  It is a password entry called “Mac OS X Server certificate management”.  You can open the entry and select “Show Password”.  You may also use the security command line tool to dump the password.

security find-generic-password -l "Mac OS X Server certificate management" -g

or

security dump-keychain -d # look in data for password which will look like a GUID

Once you have the password, you can create a copy of the key without the password using openssl:

openssl rsa -in /etc/certificates/server.domain.com.uniqueid.key.pem \
 -out /etc/certificates/server.domain.com.uniqueid.passwordlesskey.pem

You can then replace the password protected key with the passwordless key or point apache to the passwordless key in your /etc/apache2/sites/sitename.conf file.

Ruby Time to Integer does give you seconds since Epoch

Posted: August 26, 2011 | Author: | Filed under: Ruby, Scripting | Tags: , , , , | Leave a comment »

“Time is stored internally as the number of seconds with fraction since the Epoch, January 1, 1970 00:00 UTC.”

 >>require 'time'
 >>Time.parse("January 1, 1970 00:00 UTC").to_i
 => 0

As expected, but nice to verify.

For the reverse, be sure to use Time.at rather than Time.new

>> Time.at(0).to_i
=> 0
>> Time.new(0).to_i
=> -62167201200

Tips for writing command line tools in ruby

Posted: August 2, 2011 | Author: | Filed under: Mac OS X, Ruby, Scripting, Uncategorized, Unix | Tags: , , , , , , , , , , | Leave a comment »
  1. Option parsing: Read this article by Allen Wei on RubyLearning Blog for a great overview.  I recommend sticking with the built-in OptionParser if you want to reduce dependencies.
  2. If you want your code to be loadable so you can access functions and classes in the irb console for testing, use the following pattern: 
    def main
 #option parsing and execution code here
end
if __FILE__ == $0
 main()
end

    This way the main function will only be automatically called if the script is being executed on the command line.
    And in irb, you can call your functions and classes as you see fit for testing without triggering your whole script to run.

    Note that this is similar to the python __main__ test if you are coming from a python background.

  3. Naming without ruby’s.rb extension: You can name your executable without the rb extension if you wish, just be sure to include your shebang (#!)

    To use the user’s default ruby, use:
    #!/usr/bin/env ruby
    But in some cases you may want the specify the path to ruby so you can use macruby or rubycocoa if you are need those frameworks to be available
    #!/usr/bin/ruby

    When testing in irb,
    require 'script-name'
    won’t work without the rb extension, but
    load 'script-name'
    does work.
  4. Use exit codes. When your script fails or needs to communicate status at exit, use standard exit status codes.
    Exit zero for default success status
    exit 0
    Exit any other number for a failure or warning status. You choose the exit codes for your tool, but be sure to document them if they require more explanation than simple success or failure.
    exit 27
  5. Output to stderr using:
    $stderr.puts "error: problem ...."

dockutil source has moved to github

Posted: July 17, 2011 | Author: | Filed under: dockutil | Tags: , , , , , | Leave a comment »

I’m a git user and dockutil needs updates and collaboration, so the source now lives on github. I’ll likely continue to post release downloads on google code.

Parsing Mac OS X System Profiler

Posted: February 4, 2011 | Author: | Filed under: Deployment, Hardware, Mac OS X, Mac OS X Server, Scripting, Unix | Tags: , , , , , , , , , , , | 2 Comments »

It is pretty cool how Apple System Profiler has a command line equivalent (system_profiler). And it is pretty cool how system_profiler has a -xml option to allow for easier parsing. You might use this info for extracting asset information into a database or for puppet facter facts.

However if you’ve ever looked at that xml, you know that it is a tree full of unpredictable semi-structured data that was designed specifically for the GUI app. So even though you can parse it with your favorite plist parser, there is still a lot more work to do to get to the data you care about.

The tree structure is nice for a browsing through on a single machine, but not so good for reporting across many machines.

Apple stores most of the same data as key value pairs in its database for ARD reporting, but they do a lot of massaging of the data to get it that way.

It is possible to get at this data in an ARD database if you have an ARD collection server, but an ARD collection server isn’t for everyone and doesn’t serve every use case.

You can still get at the nicely formatted ARD information. ARD client includes a tool that outputs most, if not all of the asset information you care about in a much nicer structured format for reporting.

The tool is called sysinfocachegen and you use it like this:

sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/sysinfocachegen -p /tmp/com.yourorganization.systeminfo.plist

Just use your favorite language’s plist parser to read the plist.

Quickly Calculate size of radmind Transcript Payload

Posted: May 13, 2010 | Author: | Filed under: Deployment, Mac OS X, Scripting, Unix | Tags: , , , , , | 1 Comment »

grep ^[af] /var/radmind/transcript/transcript_name.T | awk ‘{sum = sum + $7} END {print sum/1000}’

Every line that starts with “a” or “f” is a file. Sum up the size field. Divide by 1000 to get KB.

← Older Entries
Follow

Get every new post delivered to your Inbox.