Thursday, 3 February 2022

SSO with Azure App Proxy and an on-premises Apache

In the post Active Directory SSO with Apache I explained how an Apache server can authenticate users via Kerberos.

If you use the Azure Application Proxy to publish the on-premises application in the cloud, a few extra steps are needed to make non-IIS servers available via SSO as well.

Wednesday, 2 February 2022

Debian on WD My Cloud Home single-bay (MCH) - part 4 (wrapping things up)

The recent GPL source release by WD brought some improvements to the RTC and watchdog drivers. (The updated part 2 shows how to compile and install the new kernel.)

Initially I was hoping that the RTC would be able to wake the device from suspend-to-RAM. But after looking at the board more closely, there is no backup battery to be found. So even though the device sports an RTC, it is useless if it does not keep counting when there is no power.

In fact it turns out that the RTC driver simply writes the current time to flash, very similar to the fake-hwclock package found in most Linux distributions.

Together with the "working" RTC driver comes a now fixed watchdog kernel driver. It turns out that once the RTC is working, the watchdog loads automatically (even if compiled as a module) and starts doing what it is supposed to do: in this case it reboots the box after 120 seconds :D

From reading the source code, this is how I understand the watchdog works:

  • Instead of creating a /dev/watchdog device, a /proc/watchdog entry is created.
  • As soon as the module loads, the initial timer of 120 s starts.
 The following commands control the watchdog:
  • echo disable > /proc/watchdog # disable the watchdog
  • echo enable > /proc/watchdog # enable the watchdog
  • echo kick > /proc/watchdog # keep the watchdog alive; note that the trigger time is reset to 20 s!
  • echo <msec number> > /proc/watchdog # keep the watchdog alive and set the trigger time to <msec number> milliseconds

Obviously this does not conform to any existing watchdog daemon, so one would have to write a script like:

#!/bin/bash
# Keep the MCH watchdog alive. A plain "kick" resets the trigger time to 20 s,
# so the loop has to kick well within that window (here every 10 s).
while true; do
    echo kick > /proc/watchdog
    sleep 10
done
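A bare kick loop defeats the purpose of a watchdog: it keeps kicking even when the box is no longer usable. The following keeper, an added example that is not part of the original post, only kicks while two basic health checks pass (root filesystem writable, load average sane) and otherwise lets the hardware reboot the box. It assumes the /proc/watchdog interface exactly as listed above; the paths, the 60 s trigger time, the 15 s kick interval and the load threshold are assumptions that can be overridden via environment variables.

```shell
#!/bin/bash
# Added example, not code from the original post. Keeper for the MCH
# /proc/watchdog interface: "enable"/"disable", "kick" (resets the trigger to
# 20 s) and a bare millisecond number (keeps alive and sets the trigger time).

WATCHDOG=${WATCHDOG:-/proc/watchdog}   # path is overridable for testing
TIMEOUT_MS=${TIMEOUT_MS:-60000}        # trigger time requested with every kick
KICK_EVERY=${KICK_EVERY:-15}           # seconds between kicks (must be < TIMEOUT_MS/1000)
PROBE_DIR=${PROBE_DIR:-/var/tmp}       # directory on the root filesystem used for the write probe
MAX_LOAD=${MAX_LOAD:-8}                # 1-minute load average above which the box counts as hung

# Send one command to the watchdog; fail if the interface is missing.
wd_write() {
    [ -w "$WATCHDOG" ] || return 1
    printf '%s\n' "$1" > "$WATCHDOG"
}
wd_enable()  { wd_write enable; }
wd_disable() { wd_write disable; }
# A numeric value both keeps the watchdog alive and sets the trigger time,
# so we never depend on the 20 s default of a plain "kick".
wd_kick()    { wd_write "$TIMEOUT_MS"; }

# Health checks. Return 1 as soon as one fails.
healthy() {
    # 1. Root filesystem still writable? A disk that dropped off the bus or a
    #    filesystem remounted read-only after errors fails here.
    local probe
    probe=$(mktemp "$PROBE_DIR/wd-probe.XXXXXX" 2>/dev/null) || return 1
    rm -f "$probe"
    # 2. Load average sane? Only the integer part is compared, since the
    #    shell cannot do floating point.
    local load1
    read -r load1 _ < /proc/loadavg 2>/dev/null || return 1
    [ "${load1%%.*}" -le "$MAX_LOAD" ]
}

# Main loop: kick while healthy, otherwise stop kicking and let the hardware
# reboot the box once TIMEOUT_MS has elapsed.
keep_alive() {
    wd_enable || return 1
    while :; do
        if healthy; then
            wd_kick
        else
            logger -t wd-keeper "health check failed, not kicking watchdog"
        fi
        sleep "$KICK_EVERY"
    done
}

# Only start the loop where the interface actually exists (i.e. on the MCH).
if [ -e "$WATCHDOG" ]; then
    keep_alive
fi
```

Run it from a systemd unit or rc.local; because the script sets the trigger time itself, the 20 s default of "kick" no longer matters, and a failing health check shows up in syslog before the reboot happens.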

If you really want to use a watchdog-enabled kernel, you can use this .config file.

Apart from the watchdog oddities, RAH-66 mentioned an important sysctl setting that silences the kernel's exception traces for syscalls it does not implement. Otherwise you get a lagging system: the C library probes for the newest syscalls and falls back to older ones when they are missing, and systemd in particular tries to use the latest kernel syscalls :D Every such unimplemented call is logged as long as the trace is on. The setting is applied with sysctl --system or at the next boot.

echo "debug.exception-trace=0" > /etc/sysctl.d/99-disable-syscall-traces.conf

I also finally found out how to access the U-Boot environment. It is written as a tar archive directly onto the mtd0 partition:

cd /
# the tar starts at byte offset 98304 of mtd0; the next 9216 bytes cover it,
# and it unpacks to tmp/factory/env.txt relative to the current directory
dd if=/dev/mtd0 bs=1 count=9216 skip=98304 | tar x
cat /tmp/factory/env.txt

In theory we might be able to dd a modified env.txt back onto mtd0; great potential to mess up the boot ;)
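Since a wrong offset would hand tar arbitrary flash contents, and a write-back with no backup is unrecoverable, here is a safer version of the extraction as an added example (not code from the original post). It reuses the offset and length from the dd command above, checks for the ustar magic before unpacking, extracts into a scratch directory instead of /, and takes a full copy of the partition first. The path names are assumptions.

```shell
#!/bin/bash
# Added example, not code from the original post. Reads the U-Boot environment
# tar out of mtd0 (or a dumped image of it) without unpacking into /.

ENV_OFFSET=98304   # byte offset of the tar inside mtd0 (from the post)
ENV_SIZE=9216      # number of bytes read from that offset (from the post)

# Full copy of the partition: the only thing that lets you undo a botched write-back.
backup_mtd() {   # $1 = mtd device or image, $2 = backup file
    dd if="$1" of="$2" bs=4096 2>/dev/null
}

# Copy the env blob out of the device (or an image of it) into a file.
dump_env_blob() {   # $1 = mtd device or image, $2 = output file
    dd if="$1" of="$2" bs=1 skip="$ENV_OFFSET" count="$ENV_SIZE" 2>/dev/null
}

# Return 0 if the file carries the "ustar" magic at byte 257, as POSIX and GNU tars do.
looks_like_tar() {
    [ "$(dd if="$1" bs=1 skip=257 count=5 2>/dev/null)" = "ustar" ]
}

# Extract env.txt from $1 (device or image) into directory $2 and print its path.
extract_uboot_env() {
    local src=$1 dest=$2 blob
    blob=$(mktemp) || return 1
    dump_env_blob "$src" "$blob" || { rm -f "$blob"; return 1; }
    if ! looks_like_tar "$blob"; then
        echo "no tar header at offset $ENV_OFFSET in $src" >&2
        rm -f "$blob"
        return 1
    fi
    tar -x -f "$blob" -C "$dest" || { rm -f "$blob"; return 1; }
    rm -f "$blob"
    find "$dest" -type f -name env.txt
}

# Usage on the box (paths are placeholders):
#   backup_mtd /dev/mtd0 /root/mtd0.bin
#   mkdir -p /root/uboot-env && extract_uboot_env /dev/mtd0 /root/uboot-env
```

Keep the mtd0 backup off the device; if a modified environment ever renders the box unbootable, that image is what you would need to restore via the serial console or a flash programmer.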

Monday, 20 September 2021

Alexa Remote Control Shell Script

It's about time for a new post, since a lot of things have changed over the course of the past four years.

First things first though: the good news is that there's finally an almost official way to use the script properly with your Amazon Alexa. Luckily all major home automation projects became inspired by the idea of the original script, and some of the inner workings have been discovered by people smarter than me. Michael Geramb of openHAB and Ingo Fischer of ioBroker came up with the idea of proxying the login to Amazon, very similar to how a mobile app would.

The result was, for example, the Node.js package alexa-cookie2 (by Ingo Fischer). Looking more closely at the result of the login process, it became clear that only a single item is required for our purposes. Hence I created a small Node.js app that outputs the token after successfully completing the login.

As not everybody wants to install Node.js (or run it in Docker), I created packaged binaries using the Node.js packager pkg.

While the old login flow may still work (for some time), I strongly encourage everybody to try the new, cleaner method.

Wednesday, 7 July 2021

Debian on WD My Cloud Home single-bay (MCH) - part 3 (controlling the LED)

In part 1 Debian Buster was installed via debootstrap. Part 2 discussed how a suitable kernel can be compiled.

Getting the LED to work

Having looked in the wrong places, I finally got the LED control to work. The DTB configures all internal devices and exposes them under /sys/devices/platform.

Apparently there are four PWM devices, of which only #3 is enabled. By adjusting the duty cycle one can actually control the LED:

echo 0 > /sys/devices/platform/980070d0.pwm/dutyRate3   # LED off
echo 100 > /sys/devices/platform/980070d0.pwm/dutyRate3 # LED 100% brightness

Saturday, 24 April 2021

Active Directory SSO with Apache

If users are to be authenticated via SSO for intranet applications, it does not always have to be IIS. Thanks to Kerberos and Apache's flexible authentication modules, the integration works here as well. Often, however, Kerberos authentication is only part of the login: when integrating with Active Directory, additional user information has to be looked up via LDAP(S). For both purposes a proxy user must be set up in AD.

Creating an Active Directory proxy user

Saturday, 17 April 2021

Windows LDAPS with a Let's Encrypt certificate

Since autumn 2020 Microsoft has required channel binding for LDAP. To let third-party systems still talk to Active Directory via simple bind, it is sufficient to ensure encrypted communication via LDAPS. Integrations often skip the certificate check, though (TLS_REQCERT never), which leaves the bind credentials exposed to anyone who can impersonate the domain controller.

With publicly valid certificates on the domain controllers, that is not necessary. This post shows how this works under certain conditions.
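To make the difference concrete, here is the weak client setting next to the hardened one, plus a small audit function and a chain check, as an added example that is not part of the original post. It targets OpenLDAP-style ldap.conf files (the TLS_REQCERT directive mentioned above); the host name, base DN and CA bundle path are assumptions.

```shell
#!/bin/bash
# Added example, not code from the original post. Weak vs. hardened OpenLDAP
# client configuration for LDAPS against Active Directory, and an audit helper.

# Weak setting seen in many integrations: the DC certificate is never verified,
# so any host that can intercept the connection can impersonate the DC and
# collect the simple-bind credentials. Host and DN are placeholders.
WEAK_LDAP_CONF='URI ldaps://dc01.example.internal
BASE dc=example,dc=internal
TLS_REQCERT never'

# Hardened setting: with a publicly trusted (e.g. Let'"'"'s Encrypt) certificate
# on the DC, the system CA bundle is enough to verify it, so demand a valid chain.
HARDENED_LDAP_CONF='URI ldaps://dc01.example.internal
BASE dc=example,dc=internal
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT demand'

# Return 0 if the given ldap.conf enforces certificate verification, 1 if it
# weakens it. OpenLDAP defaults TLS_REQCERT to demand, so an absent directive
# passes; never/allow/try accept a missing or (for never/allow) bad certificate.
# The last occurrence of the directive wins, as in OpenLDAP itself.
ldap_conf_verifies_cert() {
    local conf=$1 value
    value=$(awk 'tolower($1)=="tls_reqcert" {v=tolower($2)} END {print v}' "$conf") || return 1
    case $value in
        ""|demand|hard) return 0 ;;
        *) return 1 ;;
    esac
}

# Verify the DC's certificate chain the way a hardened client would, using
# openssl s_client (fails if the chain does not validate against the bundle).
ldaps_verify_chain() {   # $1 = DC host name, $2 = CA bundle (defaults to the Debian one)
    local host=$1 bundle=${2:-/etc/ssl/certs/ca-certificates.crt}
    openssl s_client -connect "$host:636" -servername "$host" \
        -CAfile "$bundle" -verify_return_error </dev/null >/dev/null 2>&1
}

# Usage on a client (placeholders): audit the live config, then force
# verification for one query regardless of what ldap.conf says.
#   ldap_conf_verifies_cert /etc/ldap/ldap.conf || echo "ldap.conf disables cert checks"
#   ldaps_verify_chain dc01.example.internal
#   LDAPTLS_REQCERT=demand ldapsearch -H ldaps://dc01.example.internal \
#       -D 'CN=ldap-proxy,OU=Service,DC=example,DC=internal' -W -b 'dc=example,dc=internal' '(sAMAccountName=jdoe)'
```

The LDAPTLS_REQCERT environment variable overrides the file setting for a single invocation, which is handy for proving that the chain on a domain controller really validates before changing ldap.conf fleet-wide.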

Sunday, 17 January 2021

Debian on WD My Cloud Home single-bay (MCH) - part 2 (updated to match latest GPL sources 7.15.0)

In part 1 Debian Buster was installed on the Western Digital My Cloud Home. Unfortunately the default kernel lacks quite a few features, so compiling our own kernel is desirable. Before we get started compiling away, some basic understanding of the device's boot process is required.