BeyondCorp @ Home: Authorization

NOTE: A much simpler solution is described in BeyondCorp @ Home: Authentication and authorization proxy with OpenResty. In a previous post I showed you how to set up a “Lite” version of a BeyondCorp style access layer for a home or startup environment. The reason I called it lite is that, though it does do full authentication, it didn’t have separate controls for authorization. Meaning that if you could authenticate you were authorized; I couldn’t specify that for certain endpoints you have to be part of a specific group or be granted a certain role before you get access.


BeyondCorp @ Home

Update 2019-10-06: If you don’t need SAML, consider swapping out Keycloak for Dex instead. You can read all about that in this follow-up post. BeyondCorp is a different approach to securing access to networked applications and services. Unlike the traditional perimeter security model, BeyondCorp dispels the notion of network segmentation as the primary mechanism for protecting sensitive resources. Instead, all applications are deployed to the public Internet, accessible through a user and device-centric authentication and authorization workflow.


Directory Services 101: Securing your LDAP server

This post is part of a series on directory services. Currently available installments are: Introduction, Terminology, Basic concepts, Designing the DIT, Setting up an LDAP server, Securing your LDAP server, Writing and testing ACLs. Now that we have a directory service up and running it’s important we talk a bit about some security aspects. The configuration that was generated sets up the LDAP server in such a way that anonymous access is not allowed.


Directory Services 101: Setting up an LDAP server

This post is part of a series on directory services. Currently available installments are: Introduction, Terminology, Basic concepts, Designing the DIT, Setting up an LDAP server, Securing your LDAP server, Writing and testing ACLs. I consider setting up a Directory Service a pretty big pain in the ass, especially OpenLDAP. Microsoft fares much better with Active Directory, which is also much more easily configured for folks less familiar with directory services in general.


Directory Services 101: Writing and testing ACLs

This post is part of a series on directory services. Currently available installments are: Introduction, Terminology, Basic concepts, Designing the DIT, Setting up an LDAP server, Securing your LDAP server, Writing and testing ACLs. ACLs, access control lists, are an important aspect of running a directory service. ACLs are how you control who can access which parts of the DIT and what things they can do. You can limit certain things like which attributes one can read or write.


Directory Services 101: Designing the DIT

This post is part of a series on directory services. Currently available installments are: Introduction, Terminology, Basic concepts, Designing the DIT, Setting up an LDAP server, Securing your LDAP server, Writing and testing ACLs. I apologise for the long delay between posts. Life took over for a while and I never got around to writing the rest of it. Sitting down and thinking a bit about the DIT upfront can save you endless hours of frustration later on.


Setting up Prometheus Alertmanager

I have a pretty standard setup of Prometheus, a bunch of exporters and Grafana at home. This is mostly used to monitor different aspects of my house, like the exporter I have for power usage. However, while trying to figure out the cause of a node exporter crash I found myself in need of an alerting system, so that it could tell me when the node exporter crashed instead of me just checking on a daily basis to see if it had.


Arch Linux and firmware/BIOS updates

One area Linux has made quite a lot of progress in is the ability for people to get firmware and BIOS updates for their devices. This used to be a massive PITA but thanks largely to the Linux Vendor Firmware Service and its associated tooling (fwupd, fwupdmgr) this has become a lot simpler. Quite a few vendors support this nowadays and deliver firmware and BIOS updates through LVFS. Most of this is thanks to @hughsie so if you run into him, say thank you or offer him a drink!


Thunderbolt security modes and Linux

With my XPS 13 up and running I ran into some issues with the Dell WD15 (USB 3) dock. It mainly caused my display manager to crash whenever I would plug it in (with my external screen attached), except after a fresh boot. This is of course wildly unhelpful, but a colleague told me many folks had issues with the USB 3 version of the dock and to get a TB16 (Thunderbolt) instead.


Arch Linux and the XPS 13 9360

After about 3 years it was time to refresh my hardware. Though I’ve long used MacBook Pros as my daily drivers, the new MBP with touchbar wasn’t getting me excited and the new keyboard feels downright awful to me. So, I decided this was going to be the year of the Linux Desktop and I’ve switched to a Dell XPS 13 (9360, Kaby Lake) Developer Edition (comes pre-loaded with Ubuntu).
