Setting up apache httpd and subversion on a redhat host to integrate with Windows AD Domain authentication


The following setup worked for me:

1. Use Kerberos for the auth module: mod_auth_kerb.so.

I tried to use mod_ntlm but it proved too hard to get it to work on Apache 2.2 on redhat.

I have the following in /etc/krb5.conf:

[libdefaults]
clockskew = 300
default_realm = AAA.BBB.XXX.COM

[realms]
AAA.BBB.XXX.COM = {
kdc = pdc01.aaa.bbb.xxx.com
default_domain = AAA.BBB.XXX.COM
kpasswd_server = pdc01.aaa.bbb.xxx.com
}

[domain_realm]
server01.www.yyy.xxx.com = AAA.BBB.XXX.COM
.yyy.xxx.com = AAA.BBB.XXX.COM
.xxx.com = AAA.BBB.XXX.COM
xxx.com = AAA.BBB.XXX.COM


With that I am able to run kinit and get a Kerberos ticket on the Red Hat host.

And my /etc/httpd/conf/httpd.conf has (the <Location> container is shown with an example URL path; substitute the path your repository is served under):

<Location /svn>
DAV svn
SVNPath "/path/to/svn_repo"

AuthType Kerberos
AuthName Kerberos
KrbMethodNegotiate Off
KrbMethodK5Passwd On
KrbServiceName Any
KrbAuthRealms AAA.BBB.XXX.COM
KrbSaveCredentials on
KrbLocalUserMapping on
# The last bit I had to fix to get this working:
KrbVerifyKDC Off

AuthzSVNAccessFile /path/to/svn_access_file
Require valid-user
</Location>

Using this setup I can get users to authenticate against the corporate Active Directory domain controller to access Subversion.

My apache httpd version: 2.2.15
My subversion svn version: 1.6.11
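The directive set above is worth checking mechanically before it goes live, because two of its settings trade security for convenience: KrbVerifyKDC Off stops mod_auth_kerb from validating the KDC against the server's own keytab (the module's documentation marks this as test-only, since it leaves password logons open to a spoofed KDC), and KrbMethodK5Passwd On means the user's AD password reaches httpd as HTTP Basic credentials, so the location must only be served over TLS. The following is an added example, not code from the original post: a small Python script that parses such a fragment and reports those settings. The <Location /svn> wrapper in the embedded sample is an assumption; the directive defaults it relies on (KrbVerifyKDC and KrbMethodK5Passwd on, KrbMethodNegotiate on, KrbSaveCredentials off) follow mod_auth_kerb's documentation.

```python
"""Audit the mod_auth_kerb directives of an httpd.conf fragment.

Added example (not part of the original post): parses Apache-style
directive lines and reports the settings a reviewer would question.
The fragment below is the one from the post; the <Location> path is an
assumption.
"""
from typing import Dict, List, Tuple

# Constructed input: the post's snippet, wrapped in an assumed <Location>.
HTTPD_FRAGMENT = """
<Location /svn>
  DAV svn
  SVNPath "/path/to/svn_repo"

  AuthType Kerberos
  AuthName Kerberos
  KrbMethodNegotiate Off
  KrbMethodK5Passwd On
  KrbServiceName Any
  KrbAuthRealms AAA.BBB.XXX.COM
  KrbSaveCredentials on
  KrbLocalUserMapping on
  # The last bit I had to fix to get this working:
  KrbVerifyKDC Off

  AuthzSVNAccessFile /path/to/svn_access_file
  require valid-user
</Location>
"""


def parse_directives(text: str) -> Dict[str, str]:
    """Return {directive_lowercase: value} for simple 'Name value' lines.

    Apache directive names are case-insensitive; comments occupy whole
    lines; container tags (<Location ...>) are skipped. A later
    occurrence of a directive overwrites an earlier one, as httpd does
    within one scope.
    """
    directives: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        name, _, value = line.partition(" ")
        directives[name.lower()] = value.strip().strip('"')
    return directives


def is_on(value: str) -> bool:
    return value.lower() in ("on", "yes", "true", "1")


def audit_kerb(directives: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for weak Kerberos settings."""
    findings = []
    # Defaults below are mod_auth_kerb's documented defaults.
    verify = directives.get("krbverifykdc", "on")
    passwd = directives.get("krbmethodk5passwd", "on")
    nego = directives.get("krbmethodnegotiate", "on")
    save = directives.get("krbsavecredentials", "off")
    if is_on(passwd) and not is_on(verify):
        findings.append(("high",
            "KrbVerifyKDC Off with KrbMethodK5Passwd On: the module never "
            "checks the KDC against its own keytab, so a spoofed KDC could "
            "accept any password (mod_auth_kerb documents this as test-only)"))
    if is_on(passwd):
        findings.append(("medium",
            "KrbMethodK5Passwd On: the AD password arrives as HTTP Basic "
            "credentials, so this Location must only be served over TLS"))
    if not is_on(nego):
        findings.append(("info",
            "KrbMethodNegotiate Off: ticket-based SPNEGO logon is disabled, "
            "so every client falls back to sending its password"))
    if is_on(save):
        findings.append(("low",
            "KrbSaveCredentials on: user credentials are written to a cache "
            "on the web server; confirm the SVN backend actually needs them"))
    return findings


def audit_text(text: str) -> List[str]:
    """Convenience wrapper: severities found, highest first."""
    order = {"high": 0, "medium": 1, "low": 2, "info": 3}
    return [sev for sev, _ in sorted(audit_kerb(parse_directives(text)),
                                     key=lambda f: order[f[0]])]


if __name__ == "__main__":
    for sev, msg in audit_kerb(parse_directives(HTTPD_FRAGMENT)):
        print(f"[{sev}] {msg}")
```

Run it against the fragment you intend to deploy; the high finding disappears once the host has a keytab for its HTTP/ principal and KrbVerifyKDC is back to its default, which is the configuration to aim for rather than leaving the workaround in place.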


installing and running beeline client


I work with a Hortonworks HDP 2.5 distro of Big Data Hadoop/HiveServer2. I have been wondering for some time now what it would take to run the beeline client on another machine to connect to Hive or Knox.

After some work, I managed to get the beeline client running with a minimal set of jar files on another machine outside of the cluster. The crucial bit was identifying the set of jar files involved using the JVM option -verbose:class.

After collecting the necessary jar files, beeline can be started using a java commandline.

java -Xmx1024m \
  -classpath apache-log4j-extras-1.2.17.jar:avatica-1.8.0.2.5.0.0-1245.jar:calcite-core-1.2.0.2.5.0.0-1245.jar:calcite-linq4j-1.2.0.2.5.0.0-1245.jar:commons-cli-1.2.jar:commons-codec-1.4.jar:commons-collections-3.2.2.jar:commons-configuration-1.6.jar:commons-lang-2.6.jar:commons-logging-1.1.3.jar:curator-client-2.6.0.jar:curator-framework-2.6.0.jar:derby-10.10.2.0.jar:guava-14.0.1.jar:hadoop-annotations-2.7.3.2.5.0.0-1245.jar:hadoop-auth-2.7.3.2.5.0.0-1245.jar:hadoop-common-2.7.3.2.5.0.0-1245.jar:hadoop-mapreduce-client-core-2.7.3.2.5.0.0-1245.jar:hive-beeline-1.2.1000.2.5.0.0-1245.jar:hive-exec-1.2.1000.2.5.0.0-1245.jar:hive-jdbc-1.2.1000.2.5.0.0-1245.jar:hive-jdbc-1.2.1000.2.5.0.0-1245-standalone.jar:jce.jar:jline-2.12.jar:jsse.jar:log4j-1.2.16.jar:rt.jar:slf4j-log4j12-1.7.10.jar:sunec.jar:sunjce_provider.jar:super-csv-2.2.0.jar:xercesImpl-2.9.1.jar \
  -Dhdp.version=2.5.0.0-1245 \
  -Djava.net.preferIPv4Stack=true \
  -Dhadoop.log.dir=/home/userid \
  -Dhadoop.log.file=hadoop.log \
  -Dhadoop.home.dir=/home/userid \
  -Dhadoop.id.str=userid \
  -Dhadoop.root.logger=INFO,console \
  -Djava.library.path=:/home/userid \
  -Dhadoop.policy.file=hadoop-policy.xml \
  -Djava.util.logging.config.file=/home/userid/parquet-logging.properties \
  -Dlog4j.configuration=beeline-log4j.properties \
  -Dhadoop.security.logger=INFO,NullAppender \
  org.apache.hadoop.util.RunJar /home/userid/hive-beeline-1.2.1000.2.5.0.0-1245.jar \
  org.apache.hive.beeline.BeeLine -n userid -p pass \
  -u "jdbc:hive2://knox.company.com:8000/;ssl=true;transportMode=http;httpPath=gateway/tdcprd/hive"

There was no need to install beeline or any hadoop app.

Java 8 JRE is required.
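How the jar list was found is the reusable part of this post, so here is an added example (not the post's own script) that automates it. It parses Java 8 -verbose:class output, which prints one "[Loaded <class> from <source>]" line per class, keeps the unique jar paths in load order, and assembles the launch command with each -D property given once. It also reads the password from a file through beeline's -w/--password-file option (documented for Hive 1.2) instead of -p, since a password given on the command line is readable by other local users through the process list and is kept in shell history. The log lines, paths, gateway host and property values are constructed placeholders.

```python
"""Collect the jars beeline actually loads and build a launch command.

Added example (not from the original post). Parses Java 8
-verbose:class output, keeps the unique jar files, and assembles the
java command line with a de-duplicated set of -D options. All paths,
hosts and log lines below are constructed placeholders.
"""
import re
from typing import Dict, Iterable, List

# Constructed sample of Java 8 -verbose:class output (not a real capture).
VERBOSE_CLASS_LOG = """\
[Loaded java.lang.Object from /usr/lib/jvm/jre1.8/lib/rt.jar]
[Loaded org.apache.hadoop.util.RunJar from file:/home/userid/hadoop-common-2.7.3.2.5.0.0-1245.jar]
[Loaded org.apache.hive.beeline.BeeLine from file:/home/userid/hive-beeline-1.2.1000.2.5.0.0-1245.jar]
[Loaded org.apache.hive.beeline.Commands from file:/home/userid/hive-beeline-1.2.1000.2.5.0.0-1245.jar]
[Loaded org.apache.hive.jdbc.HiveDriver from file:/home/userid/hive-jdbc-1.2.1000.2.5.0.0-1245-standalone.jar]
[Loaded sun.security.ec.SunEC from /usr/lib/jvm/jre1.8/lib/ext/sunec.jar]
[Loaded org.apache.hive.beeline.BeeLine$1 from __JVM_DefineClass__]
"""

# Java 8 format; Java 9+ uses a different '[class,load]' layout.
LOADED_RE = re.compile(r"^\[Loaded (\S+) from (\S+)\]$")


def jars_from_verbose_class(lines: Iterable[str]) -> List[str]:
    """Return the unique .jar paths named in -verbose:class output, in
    first-seen order. Classes defined at runtime (no jar source) and
    sources not ending in .jar are ignored."""
    seen: Dict[str, None] = {}
    for line in lines:
        m = LOADED_RE.match(line.strip())
        if not m:
            continue
        source = m.group(2)
        if source.startswith("file:"):
            source = source[len("file:"):]
        if source.endswith(".jar"):
            seen.setdefault(source, None)
    return list(seen)


def build_beeline_command(jars: List[str], beeline_jar: str, user: str,
                          password_file: str, jdbc_url: str,
                          sysprops: Dict[str, str]) -> List[str]:
    """Assemble argv for RunJar -> BeeLine. The password is read by
    beeline from a file (-w) instead of being passed with -p, so it does
    not appear in the process list or shell history."""
    argv = ["java", "-Xmx1024m", "-classpath", ":".join(jars)]
    # A dict keeps each -D key once, so repeated options collapse.
    argv += [f"-D{k}={v}" for k, v in sysprops.items()]
    argv += ["org.apache.hadoop.util.RunJar", beeline_jar,
             "org.apache.hive.beeline.BeeLine",
             "-n", user, "-w", password_file, "-u", jdbc_url]
    return argv


if __name__ == "__main__":
    jars = jars_from_verbose_class(VERBOSE_CLASS_LOG.splitlines())
    cmd = build_beeline_command(
        jars, "/home/userid/hive-beeline-1.2.1000.2.5.0.0-1245.jar",
        "userid", "/home/userid/.beeline_pw",
        "jdbc:hive2://knox.example.com:8000/;ssl=true;transportMode=http;httpPath=gateway/tdcprd/hive",
        {"hdp.version": "2.5.0.0-1245", "java.net.preferIPv4Stack": "true"})
    print(" \\\n  ".join(cmd))
```

Feed it the real output of a run with -verbose:class on the cluster node (for example the stdout of the original command with that option added) and copy the listed jars to the client machine; the password file should be readable only by the invoking user.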

Powerdirect vs Powershop


I just recently changed energy service providers from Powershop to Powerdirect on recommendation from iSelect. After getting my first Powerdirect bill, it does look like the shift has been a positive change.

I compute a dollar-to-kWh usage ratio of 0.2379 for Powerdirect using the pay-on-time 37% discount.

The same ratio is 0.261019 for Powershop.

Gold Coast 2017-04


  1. The Groupon for Sifu worked out really great for our large group. Food was good and they gave us a private room. Parking was free at the Crowne Hotel.
  2. Car rental with Jucy. Got a Toyota Estima/Previa 8-seater for $58 per day. Found them on airportrentals.com.
  3. The Marriott is situated 1 km away from the central area of Elkhorn – Chevron Renaissance.
  4. Holoverse was a nice and interesting experience. Groupon voucher had free popcorn?
  5. Could have spent more time at Sea World. Raisa did not like it.
  6. Using Uber for 6 people did not work. Even with Uber XL, the Prado that came to pick up could only fit 4.
  7. Got a $20 discount at the Marriott Citrique breakfast.
  8. Can get photos at Movie World if you scan your barcode at the end of some rides.
  9. Paradise Country was not very interesting. Sea World would probably have been the better choice in the few days we had on the Gold Coast.
  10. Car needs to be returned by 4:30pm to avail of the shuttle. Takes an hour to get to Coolangatta.
  11. I called my internet service provider to temporarily suspend my service. Got a bit off my bill as a result.
  12. Lost a pair of small foldable scissors at airport security. They had already survived a couple of international flights.

Weird Things


The weird things that Meralco does:
– makes it very hard to transfer account names, such as from developer to property owner
– blocks people from making online payments when a day or more late. Do they not want to collect/receive payments in these circumstances anyway?

The weird things that PLDT does:
– makes it very hard to request an account disconnection: you need to go to a PLDT business office, when the transaction could alternatively be handled over the phone. Don’t they know how to authenticate people over the phone?

The weird things that BPI does:
– Every day their BPI Express Online goes offline early in the morning. It also goes offline at random times during the day.
– BPI credit cards cannot be paid from other banks online. Most other credit cards can be paid online via any bank.
– Charges a fee for an inward local remittance from another bank

The weird things Philippine banks do, other than Citibank:
– make it hard to do local interbank fund transfers, which are free, simple and easy to do in many other countries.

Cebu Pacific:
– it is not possible to choose the currency when booking a flight using the website, but if you call to make the booking they can.

Standard Chartered:
– they make it really difficult to do simple fund transfers. Even for transfers within one’s own accounts.


Notepad++

  • search automatically defaults to text under the cursor

Bank Security Overdrive


Some banks demonstrate behaviour that I find very odd. These are peculiar security measures that some creative security bright sparks must have thought of.

I think there is an important role for information security professionals to play, but sometimes they overdo it, or don’t seem to think through practical consequences thoroughly.

It’s when banks do unique things in their process that common-sense alarm bells should probably go off. Here are some examples.

1. Standard Chartered PH requires a mobile PIN (which they call an eTAC code) even for internal transfers. And it’s a very long code: 10 digits.

2. Metrobank PH – on most pages, copy-pasting is disallowed. Even for enrolling credit card numbers for payments.

3. HSBC US blocks online internet transactions on debit cards and requires the customer to call back the customer service/security department.
– customer service is only available to receive calls 9am to 5pm
– if you happen to be elsewhere around the world at the time, calling customer service may require an international call.
– HSBC US claim they have a collect call service but it doesn’t work 99% of the time
– the combination of having to call during the working hours of customer service, and having to make an international call, probably should have set off usability/practicality alarm bells

4. Citibank’s internet banking messaging system disallows most symbols and punctuation.
– the reply function will include the original text, but the system will complain if you hit send because the system-crafted original text portion has characters that it does not like
– the message is limited to only a certain number of characters, so often a message trail cannot be maintained
– the system does not store sent messages
– the system does not help the user with an indication of what the invalid character(s) are

These are just some fails I have encountered in bank security policy/processes. Have you had similar experiences?


pvillaflores' blog site