How to configure IPA-Server & Client-Centos 7, by Tola LENG
The document provides steps for configuring an IPA-Server on Centos 7, which includes assigning an IP address, downloading and installing IPA server services, and configuring the freeIPA server and client. It notes that the IP address must be assigned manually along with the DNS, gateway, and subnet mask.
This document provides instructions for setting up a 4-node Hadoop cluster on Amazon EC2 instances in 4 major steps:
1) Setting up 4 EC2 instances and configuring security groups
2) Setting up client access to the instances using Putty and generating keys
3) Setting up WinSCP access using the generated keys
4) Installing Java, Hadoop, and configuring the Hadoop distributed filesystem and YARN, including enabling passphraseless SSH access between nodes.
This document discusses the evosip platform, which uses Docker and Kubernetes to provide a scalable VoIP infrastructure based on Kamailio, Asterisk, and RTPEngine. Key aspects include:
- Using containers and Kubernetes for fast, automatic scaling with no limits and distributed architecture.
- Implementing Kamailio, Asterisk, and RTPEngine as stateless services using techniques like cached dispatchers, authentication from a shared table, and storing dialogs in a database.
- Using macvlan networking to give containers direct public IPs without NAT for better performance.
- Separating data and core service networks and using Multus CNI to give containers multiple networks.
The document discusses configuring web servers like Apache and IIS. It explains how web servers work using HTTP, and how to host multiple websites using port numbers, IP addresses, or host names. Virtual directories are also configured to make directories appear below the root even if they are physically located elsewhere.
A proxy server sits between a LAN and the internet and allows users on the LAN to access the internet in a secure manner. It accepts requests from users and enables them to browse websites and access other internet services without providing direct connectivity to the internet. Common proxy server software includes Squid, Microsoft Proxy Server, and Apache. Squid is an open source caching proxy that improves performance by caching frequently requested web pages. It can be installed and configured on Linux by editing the squid.conf file to specify settings like the visible hostname and network interface to use.
This document provides step-by-step instructions for setting up a proxy server on Windows using AnalogX proxy server software. It describes downloading and installing AnalogX, configuring the proxy server, establishing the proxy connection, and setting up the proxy in a web browser. The proxy routes internet requests through one source, allowing the administrator to control access from the proxy server.
A web proxy is a server that acts as an intermediary for client requests to access resources from other servers. Squid is a commonly used open source web proxy caching server that improves performance by caching content and controlling bandwidth usage. It provides access logging and filtering capabilities. To install Squid, it is downloaded and configured on a Linux system. Access control lists (ACLs) are defined in the configuration file to restrict access based on source/destination IP addresses, domains, URLs, or time of day.
Free ipa installation and cluster configuration, freeipa client connection, by Rustam Sariyev
FreeIPA is installed on two servers, ipa01 and ipa02, and configured as a replication cluster. ipa01 is configured as the master FreeIPA server, while ipa02 is configured as a replica server. Several client systems are then joined to the FreeIPA domain, including configuring authentication, authorization, and other identity services for the clients.
Presentation done at AstriCon 2014, Las Vegas, USA - how relevant can be SIP signaling traffic in a Real Time Communications platform and where pure SIP signaling servers such as Kamailio can be used.
Setup a new Ubuntu VPS to host multiple websites. The setup includes DNS server configuration, MySQL server installation, PHP installation and mod_rewrite configuration, and phpMyAdmin installation.
The slides answer most of your questions about configuring a new unmanaged Linux VPS to host your CMS websites.
This document discusses Squid Proxy in Red Hat Enterprise Linux 6 (RHEL 6). It provides instructions on installing RHEL 6, including selecting packages during installation such as PHP, MySQL, and Eclipse IDE. It then discusses proxy servers and their uses such as filtering content, caching to improve performance, and load balancing between multiple web servers. Common proxy types include forward, reverse, and open proxies.
Dns server setup on ubuntu vps (master+slave), by Vijay Sharma
This document discusses configuring a DNS server on Ubuntu 14.04. It begins by explaining what a DNS server is and its purpose in resolving hostnames to IP addresses. It then discusses the different types of DNS server zones (forward and reverse) and record types (A, MX, NS, CNAME, PTR). It explains the differences between a master and slave DNS server. Finally, it provides instructions for setting up a master DNS server and configuring it with records, as well as setting up a slave server and configuring it to sync with the master.
This document provides an introduction to web servers. It discusses how web servers work by responding to client requests over HTTP and mapping URLs to files on the server. Examples of popular web servers like Apache, IIS, and Tomcat are given. The document also gives a brief history of web servers and provides statistics on current market shares of different web servers. It describes accessing web servers locally or remotely via domain names or IP addresses. Finally, it discusses features of the IIS web server included with Windows and how to create virtual directories.
This document discusses using Ubuntu to set up an intranet server to provide essential services like DNS, DHCP, mail, file sharing, printing, authentication, firewall, web, and content management. It describes configuring these services and considerations for an intranet like security, administration, bandwidth savings, and offline access within an organization. Alternative options like hosting services and Google Apps are also mentioned.
The document discusses how to use the PEAR installer to easily deploy websites by splitting a site into logical packages. The PEAR installer allows for easy upgrading, dependencies between packages, custom file roles and post-installation tasks. It provides instructions on dismantling a site into packages, defining custom file roles and post-installation scripts.
The document discusses setting up a Squid proxy server on a Linux system to improve network security and performance for a home network. It recommends using an old Pentium II computer with at least 80-100MB of RAM as the proxy server. The document provides instructions for installing Squid and configuring the Squid.conf file to optimize disk usage, caching, and logging. It also explains how to set up the Squid proxy server to work with an iptables firewall for access control and protection from intruders.
Choosing A Proxy Server - Apachecon 2014, by bryan_call
This document summarizes a presentation about choosing a proxy server. It discusses several popular proxy options including Apache Traffic Server (ATS), Nginx, Squid, Varnish, and Apache HTTP Server. It covers the types of proxies each supports, features, architectures, caching, performance, and pros and cons. Benchmark tests show ATS has the best cache scaling and performance overall while using less CPU than alternatives like Squid. Nginx and Squid had some issues with latency and HTTP compliance. The document recommends ATS as a good choice for its scaling, efficient caching, and plugin support.
DNS windows server(2008R2) & linux(SLES 11), by Tola LENG
In this practice you will be able to:
- Configure Primary DNS and Secondary DNS
- Configure DNS zone transfer
- Configure DNS delegation
- Secure DNS zone transfer
- Configure both Linux (SLES 11) and Windows Server 2008R2
Kea DHCP – the new open source DHCP server from ISC, by Men and Mice
This webinar will highlight the differences between the old ISC DHCP and new Kea DHCP (database support, dynamic reconfiguration, performance wins, scripting hooks) and will showcase the Men & Mice Suite as a graphical front-end to both ISC DHCP and Kea to ease the migration.
A web server stores and transfers website data upon requests from visitors' browsers. The document discusses setting up an Apache web server by updating packages, installing Apache, checking the localhost and IP address, starting and checking the Apache server status. It also covers accessing the root user, editing an HTML file, granting write permissions to the file so it can be accessed on the localhost.
The document provides an overview of the key components and applications of the Internet. It discusses:
- The TCP/IP protocol and origins of the ARPANET
- Popular applications including email, Telnet, FTP, the World Wide Web, Usenet, chat, e-commerce, and entertainment
- Common internet elements like web browsers, servers, clients, and how they interact
- Methods of connecting to the internet including corporate dial-in, lease lines, modems, and routers
Ch 22: Web Hosting and Internet Servers, by webhostingguy
Web hosting involves providing space on a server for websites. Linux is commonly used for hosting due to its maintainability and performance. A web server software like Apache is installed to handle HTTP requests from browsers. URLs identify resources on the web using protocols like HTTP and FTP. CGI scripts allow dynamic content generation but pose security risks. Load balancing distributes server load across multiple systems. Choosing a server depends on factors like robustness, performance, updates, and cost. Apache is widely used and configurable using configuration files that control server parameters, resources, and access restrictions. Virtual interfaces allow a single server to host multiple websites. Caching and proxies can improve performance and security. Anonymous FTP allows public file downloads.
NGINX is used by more than 130 million websites as a lightweight way to serve web content. Use it to decrease costs, improve performance and open up bottlenecks in web and application server environments without a major architectural overhaul. In this talk, we'll cover the three most basic use cases of static content delivery, application load balancing, and web proxying with caching; and touch on the NGINX maintained Docker container.
Fluentd is an open source data collector that allows flexible data collection, processing, and output. It supports streaming data from sources like logs and metrics to destinations like databases, search engines, and object stores. Fluentd's plugin-based architecture allows it to support a wide variety of use cases. Recent versions of Fluentd have added features like improved plugin APIs, nanosecond time resolution, and Windows support to make it more suitable for containerized environments and low-latency applications.
This document discusses monitoring containers with the ELK stack. It introduces ELK (Elasticsearch, Logstash, Kibana) as a solution for centralized logging of containers. It describes using Logstash to collect logs from Docker containers via syslog and using a Docker log collector container to fetch logs and metrics from all containers on a Docker host. The document concludes with a demonstration of ELK for container monitoring.
This document summarizes the PEAR Installer and how it can be used to deploy applications and split websites into logical plugin packages. The PEAR Installer allows for file roles, tasks, post-installation tasks, and upgrading of packages that depend on external packages. It discusses splitting a site into plugins, maintaining separate PEAR configurations for each website, and using post-installation tasks for database setup or virtual host configuration. Real-world examples of using these features on pear.php.net are provided.
FlossUK 2015 presentation
Most authentication implementations use 'plain old' LDAP, sometimes in combination with Kerberos and/or Samba. Lately there is also an interest in FreeIPA, especially on RHEL based platforms.
We created a setup using the LDAP server OpenDJ, AD Kerberos, the SSSD client system daemon and additional tools & scripts.
Ricardo Schmidt gave a presentation on Ansible, an open source tool for configuration management, application deployment, provisioning, and orchestration. He explained that Ansible is fast, clear, complete, and secure. It uses SSH to connect to nodes agentlessly without requiring additional firewall rules or open ports. Key components include the inventory to define hosts and groups, modules to run tasks on nodes, and playbooks to orchestrate tasks across multiple hosts. The presentation demonstrated Ansible's capabilities through examples and a demo of its core features.
This document discusses the LDAP Synchronization Connector (LSC), an open-source tool for synchronizing data between different data sources like LDAP directories, SQL databases, and files. It provides an overview of LSC's features like connectors for various data sources, synchronization rules, logging capabilities, and support for Active Directory. The document also describes how to configure LSC to synchronize between an OpenLDAP directory and Active Directory, including handling passwords and attribute mapping between the different schemas.
This document discusses Ansible, an open-source automation tool. It provides an overview of Ansible's capabilities including configuration management, orchestration, deployment and more. It also summarizes Ansible Tower which adds centralized control, RBAC, and other features to Ansible. Examples are given of using Ansible playbooks to automate tasks like installing and configuring Apache on Linux hosts and using Ansible modules to configure network devices.
Ansible is the simplest way to automate. MoldCamp, 2015, by Alex S
Ansible is a radically simple IT automation engine. It is a new configuration management system (like Chef and Puppet) that was created in 2012. Ansible is also a simple and flexible system that helps you manage your servers and execute ad-hoc commands.
During this session I will explain how to start using Ansible for infrastructure orchestration and what the pros and cons of this system are. I will also share our experience with deployments, provisioning and other aspects.
Docker provides containerization capabilities while Ansible provides automation and configuration capabilities. Together they are useful DevOps tools. Docker allows building and sharing application environments while Ansible automates configuration and deployment. Key points covered include Docker concepts like images and containers, building images with Dockerfiles, and using Docker Compose to run multi-container apps. Ansible is described as a remote execution and configuration tool using YAML playbooks and roles to deploy applications. Their complementary nature makes them good DevOps partners.
Linux Security and How Web Browser Sandboxes Really Work (NDC Oslo 2017), by Patricia Aas
The Linux Security and Isolation APIs have become the basis of some of the most useful features server-side, providing the isolation required for efficient containers.
However, these APIs also form the basis of the Chromium Sandbox on Linux, and we will study them in that context. This is the sandbox used in the Vivaldi, Brave, Chrome and Opera browsers among others. The Chromium Sandbox has a very platform specific implementation, using the platform APIs available to construct it. In this talk we will describe the requirements of the Chromium Sandbox in detail and go through how the Linux implementation fulfills these requirements.
- GOsa2 is an open source tool for managing infrastructure like directories, users, systems, software, and services through a web-based interface.
- It uses LDAP as a centralized backend to store information and prevent duplicate data. Services can connect to LDAP to be automatically configured.
- GOsa2 allows for deploying and managing Linux and Windows systems through tools like FAI and OPSI. It was used to deploy clusters of over 250 nodes for EDF R&D.
Desktop direct competitive analysis and value proposition, by Shawn Reilly
The document provides a competitive analysis of DesktopDirect, a remote desktop computing solution, compared to alternatives like GoToMyPC, LogMeIn, and VPN. Some key advantages of DesktopDirect are that it has no third-party software or hosting, allows up to 10,000 simultaneous sessions, and provides a familiar desktop environment for users compared to traditional VPN solutions. Downsides of competitors include additional licensing costs per device, proprietary software installs, and security risks from third-party authentication and management of remote connections.
Linux Security and How Web Browser Sandboxes Really Work (Security Researcher..., by Patricia Aas
The Linux Security and Isolation APIs have become the basis of some of the most useful features server-side, providing the isolation required for efficient containers. However, these APIs also form the basis of the Chromium Sandbox on Linux, and we will study them in that context.
This presentation goes more in depth on some key points from the NDC (2017) presentation.
The BlackBox Project: Safely store secrets in Git/Mercurial (originally for P..., by Tom Limoncelli
A presentation given at PuppetCamp NYC 2014 about why Puppet users should stop storing secrets in Git/Hg and encrypt them instead. TLDR: It enables collaboration.
Linux Security APIs and the Chromium Sandbox (SwedenCpp Meetup 2017), by Patricia Aas
The Linux Security and Isolation APIs have become the basis of some of the most useful features server-side, providing the isolation required for efficient containers. However, these APIs also form the basis of the Chromium Sandbox on Linux, and we will study them in that context.
This presentation goes more in depth on some key points from the NDC (2017) presentation.
This presentation covers web filtering with Squid and DansGuardian, proxy auto-detection, router access control, computer time limits and access control for applications.
The document discusses a workshop on Fandogh PaaS. It includes discussions on what containers are, what Docker is, and comparisons between virtual machines and containers. It also covers how to use Docker images and containers, how to write Dockerfiles, and an overview of how Fandogh works including features like registry integration, managed services, scaling, and support. Examples are provided on using Fandogh's internal registry and deploying new services.
This document provides instructions for creating a wireless access point on a Raspberry Pi that routes all internet traffic through the TOR anonymity network. It involves installing an operating system on the Pi, configuring software like hostapd and dhcpd, and setting up network address translation. The access point is given a static IP and broadcasts an SSID of "TEC383" with WPA2 encryption. All configurations are saved so the access point will restart automatically with these settings.
The document provides steps to install Ubuntu server in a VMware virtual machine, including:
1. Creating a new virtual machine in VMware Workstation and selecting Ubuntu as the guest operating system.
2. Configuring options like the virtual disk size, network settings, and language before installing Ubuntu.
3. Installing common server packages like OpenSSH, LAMP, and Samba after Ubuntu installation is complete.
Nextcloud Open Source Collaborative Cloud Platform, OW2online, June2020OW2
This presentation was given by Genma Herledan, from ATOS. With Nextcloud Hub, Nextcloud offer a new standard in on-premises team collaboration. Discover this solution and its functionnality, an opensource alternative to GoogleDocs or Office365. The talk presents about the "Framacloud" project from Framasoft, based on Nextcloud. And about the offer that Atos provides to its customer around Nextcloud.
The document discusses and compares Linux and Windows operating systems. It covers security differences, prices of OS and applications, legality of piracy, desktop screenshots, console use, and who commonly uses each OS. It finds that Linux is more secure and customizable, while Windows is more widely used, especially in personal computing. Both OSes have valid uses and will continue to co-exist.
IDNOG 4 Lightning Talks - Documenting your Network in 3 Simple StepsAffan Basalamah
This document provides a 3-step process for documenting a network in a sane and healthy way:
1. Draw network diagrams using tools like Visio or OmniGraffle to depict the physical, logical, and application layers. Store the diagrams online or in a wiki for easy access.
2. Backup network configurations regularly using tools like RANCID or Oxidize, which can save configurations to a repository and detect changes between backups.
3. Use IP address management (IPAM) tools like Netbox to document IP assignments, devices, rack locations, and network connections. This provides a single source of truth for the physical and logical network resources.
Following these steps provides visibility into
This document provides a 3-step process for documenting a network in a sane and healthy way:
1. Draw network diagrams using tools like Visio or OmniGraffle to depict the physical, logical, and application layers. Store the diagrams online or with network monitoring tools.
2. Backup network configurations regularly using tools like RANCID or Oxidize, which can save configurations to repositories and alert administrators of changes via email or messaging.
3. Use IP address management (IPAM) tools like Netbox to document IP prefixes, devices, rack locations, and network links. This provides a single source of truth for the physical and logical network resources.
Properly documenting the network
From zero to SYSTEM on full disk encrypted windows systemNabeel Ahmed
This document discusses exploiting trust relationships and group policies to escalate privileges on a Windows system with full disk encryption. It describes exploiting MS15-122 and MS16-014 to poison the credential cache and authenticate to a rogue domain controller. Group policies can then be used to run applications with SYSTEM privileges and extract credentials or encryption keys before Windows fully loads. While Windows 10 provides some improvements, similar vulnerabilities were still present until MS16-072 was released after several months.
Cloud Foundry Day in Tokyo Lightning Talk - Cloud Foundry over the ProxyMaki Toshio
Toshio Maki of Hitachi Solutions discusses integrating Cloud Foundry with their company's development platform running on public cloud infrastructure behind a proxy. They solved issues with authentication (using SAML), getting application logs (fixing a proxy authentication bug), and SSH access (using a custom ProxyCommand). They are now considering running a Docker container with a terminal to simplify SSH access over the proxy.
BSides Rochester 2018: Lee Kagan: Red and Blue Ping PongJosephTesta9
This document summarizes a talk about attacking and defending Windows systems. The talk covers how attackers can weaponize legitimate Windows tools like PowerShell, WMI, and Active Directory to conduct reconnaissance and execute malicious actions. It then discusses defensive techniques like Sysmon, Device Guard, and Group Policy Objects that can be used to detect and prevent such attacks. The talk includes a demo of red team techniques for lateral movement and privilege escalation, and how a blue team can detect those activities using defensive tools and logs. It concludes by mentioning additional Windows defenses that were not covered in detail.
The document discusses the advantages of using Linux over the last 20 years. It highlights that Linux provides high performance, efficiency, security and maximizes hardware compared to alternatives. It also notes that Linux is widely used in servers, Android phones, and other devices. Additionally, common software has been made easy to install and most software is regularly updated and debugged, improving reliability. The document also emphasizes Linux's strong security, interoperability across platforms, and extensive hardware support from drivers. It encourages readers who want these benefits to contact the author to learn more.
Olivier Cleynen: Overtaking Proprietary Software Without Writing Code [24c3]OpenSlidesArchive
Presented by Olivier Cleynen at the 24th Chaos Communication Congress, Berlin, December 2007.
http://events.ccc.de/congress/2007/Fahrplan/events/2290.en.html
http://youtube.com/watch?v=rVHBFqvTPoM
http://lanyrd.com/scgyqf
This document discusses using Terraform and the GitHub provider to manage GitHub repositories and access in a way that is compliant with ISO27001 standards. It outlines problems with the default GitHub UI and access controls. The solution presented is to define infrastructure as code using Terraform to create repositories, teams, users and access management. This satisfies ISO27001 requirements by providing strict access control, audit trails, security policies and a pull request approval process. Atlantis is also introduced to run Terraform plans and apply changes within pull requests for approval before state changes.
Similar to Enterprise desktop at home with FreeIPA and GNOME (20)
The Microsoft 365 Migration Tutorial For Beginner.pptxoperationspcvita
This presentation will help you understand the power of Microsoft 365. However, we have mentioned every productivity app included in Office 365. Additionally, we have suggested the migration situation related to Office 365 and how we can help you.
You can also read: https://www.systoolsgroup.com/updates/office-365-tenant-to-tenant-migration-step-by-step-complete-guide/
Introduction of Cybersecurity with OSS at Code Europe 2024Hiroshi SHIBATA
I develop the Ruby programming language, RubyGems, and Bundler, which are package managers for Ruby. Today, I will introduce how to enhance the security of your application using open-source software (OSS) examples from Ruby and RubyGems.
The first topic is CVE (Common Vulnerabilities and Exposures). I have published CVEs many times. But what exactly is a CVE? I'll provide a basic understanding of CVEs and explain how to detect and handle vulnerabilities in OSS.
Next, let's discuss package managers. Package managers play a critical role in the OSS ecosystem. I'll explain how to manage library dependencies in your application.
I'll share insights into how the Ruby and RubyGems core team works to keep our ecosystem safe. By the end of this talk, you'll have a better understanding of how to safeguard your code.
In the realm of cybersecurity, offensive security practices act as a critical shield. By simulating real-world attacks in a controlled environment, these techniques expose vulnerabilities before malicious actors can exploit them. This proactive approach allows manufacturers to identify and fix weaknesses, significantly enhancing system security.
This presentation delves into the development of a system designed to mimic Galileo's Open Service signal using software-defined radio (SDR) technology. We'll begin with a foundational overview of both Global Navigation Satellite Systems (GNSS) and the intricacies of digital signal processing.
The presentation culminates in a live demonstration. We'll showcase the manipulation of Galileo's Open Service pilot signal, simulating an attack on various software and hardware systems. This practical demonstration serves to highlight the potential consequences of unaddressed vulnerabilities, emphasizing the importance of offensive security practices in safeguarding critical infrastructure.
5th LF Energy Power Grid Model Meet-up SlidesDanBrown980551
5th Power Grid Model Meet-up
It is with great pleasure that we extend to you an invitation to the 5th Power Grid Model Meet-up, scheduled for 6th June 2024. This event will adopt a hybrid format, allowing participants to join us either through an online Mircosoft Teams session or in person at TU/e located at Den Dolech 2, Eindhoven, Netherlands. The meet-up will be hosted by Eindhoven University of Technology (TU/e), a research university specializing in engineering science & technology.
Power Grid Model
The global energy transition is placing new and unprecedented demands on Distribution System Operators (DSOs). Alongside upgrades to grid capacity, processes such as digitization, capacity optimization, and congestion management are becoming vital for delivering reliable services.
Power Grid Model is an open source project from Linux Foundation Energy and provides a calculation engine that is increasingly essential for DSOs. It offers a standards-based foundation enabling real-time power systems analysis, simulations of electrical power grids, and sophisticated what-if analysis. In addition, it enables in-depth studies and analysis of the electrical power grid’s behavior and performance. This comprehensive model incorporates essential factors such as power generation capacity, electrical losses, voltage levels, power flows, and system stability.
Power Grid Model is currently being applied in a wide variety of use cases, including grid planning, expansion, reliability, and congestion studies. It can also help in analyzing the impact of renewable energy integration, assessing the effects of disturbances or faults, and developing strategies for grid control and optimization.
What to expect
For the upcoming meetup we are organizing, we have an exciting lineup of activities planned:
-Insightful presentations covering two practical applications of the Power Grid Model.
-An update on the latest advancements in Power Grid -Model technology during the first and second quarters of 2024.
-An interactive brainstorming session to discuss and propose new feature requests.
-An opportunity to connect with fellow Power Grid Model enthusiasts and users.
Ivanti’s Patch Tuesday breakdown goes beyond patching your applications and brings you the intelligence and guidance needed to prioritize where to focus your attention first. Catch early analysis on our Ivanti blog, then join industry expert Chris Goettl for the Patch Tuesday Webinar Event. There we’ll do a deep dive into each of the bulletins and give guidance on the risks associated with the newly-identified vulnerabilities.
Digital Banking in the Cloud: How Citizens Bank Unlocked Their MainframePrecisely
Inconsistent user experience and siloed data, high costs, and changing customer expectations – Citizens Bank was experiencing these challenges while it was attempting to deliver a superior digital banking experience for its clients. Its core banking applications run on the mainframe and Citizens was using legacy utilities to get the critical mainframe data to feed customer-facing channels, like call centers, web, and mobile. Ultimately, this led to higher operating costs (MIPS), delayed response times, and longer time to market.
Ever-changing customer expectations demand more modern digital experiences, and the bank needed to find a solution that could provide real-time data to its customer channels with low latency and operating costs. Join this session to learn how Citizens is leveraging Precisely to replicate mainframe data to its customer channels and deliver on their “modern digital bank” experiences.
Your One-Stop Shop for Python Success: Top 10 US Python Development Providersakankshawande
Simplify your search for a reliable Python development partner! This list presents the top 10 trusted US providers offering comprehensive Python development services, ensuring your project's success from conception to completion.
Generating privacy-protected synthetic data using Secludy and MilvusZilliz
During this demo, the founders of Secludy will demonstrate how their system utilizes Milvus to store and manipulate embeddings for generating privacy-protected synthetic data. Their approach not only maintains the confidentiality of the original data but also enhances the utility and scalability of LLMs under privacy constraints. Attendees, including machine learning engineers, data scientists, and data managers, will witness first-hand how Secludy's integration with Milvus empowers organizations to harness the power of LLMs securely and efficiently.
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor IvaniukFwdays
At this talk we will discuss DDoS protection tools and best practices, discuss network architectures and what AWS has to offer. Also, we will look into one of the largest DDoS attacks on Ukrainian infrastructure that happened in February 2022. We'll see, what techniques helped to keep the web resources available for Ukrainians and how AWS improved DDoS protection for all customers based on Ukraine experience
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-und-domino-lizenzkostenreduzierung-in-der-welt-von-dlau/
DLAU und die Lizenzen nach dem CCB- und CCX-Modell sind für viele in der HCL-Community seit letztem Jahr ein heißes Thema. Als Notes- oder Domino-Kunde haben Sie vielleicht mit unerwartet hohen Benutzerzahlen und Lizenzgebühren zu kämpfen. Sie fragen sich vielleicht, wie diese neue Art der Lizenzierung funktioniert und welchen Nutzen sie Ihnen bringt. Vor allem wollen Sie sicherlich Ihr Budget einhalten und Kosten sparen, wo immer möglich. Das verstehen wir und wir möchten Ihnen dabei helfen!
Wir erklären Ihnen, wie Sie häufige Konfigurationsprobleme lösen können, die dazu führen können, dass mehr Benutzer gezählt werden als nötig, und wie Sie überflüssige oder ungenutzte Konten identifizieren und entfernen können, um Geld zu sparen. Es gibt auch einige Ansätze, die zu unnötigen Ausgaben führen können, z. B. wenn ein Personendokument anstelle eines Mail-Ins für geteilte Mailboxen verwendet wird. Wir zeigen Ihnen solche Fälle und deren Lösungen. Und natürlich erklären wir Ihnen das neue Lizenzmodell.
Nehmen Sie an diesem Webinar teil, bei dem HCL-Ambassador Marc Thomas und Gastredner Franz Walder Ihnen diese neue Welt näherbringen. Es vermittelt Ihnen die Tools und das Know-how, um den Überblick zu bewahren. Sie werden in der Lage sein, Ihre Kosten durch eine optimierte Domino-Konfiguration zu reduzieren und auch in Zukunft gering zu halten.
Diese Themen werden behandelt
- Reduzierung der Lizenzkosten durch Auffinden und Beheben von Fehlkonfigurationen und überflüssigen Konten
- Wie funktionieren CCB- und CCX-Lizenzen wirklich?
- Verstehen des DLAU-Tools und wie man es am besten nutzt
- Tipps für häufige Problembereiche, wie z. B. Team-Postfächer, Funktions-/Testbenutzer usw.
- Praxisbeispiele und Best Practices zum sofortigen Umsetzen
Monitoring and Managing Anomaly Detection on OpenShift.pdfTosin Akinosho
Monitoring and Managing Anomaly Detection on OpenShift
Overview
Dive into the world of anomaly detection on edge devices with our comprehensive hands-on tutorial. This SlideShare presentation will guide you through the entire process, from data collection and model training to edge deployment and real-time monitoring. Perfect for those looking to implement robust anomaly detection systems on resource-constrained IoT/edge devices.
Key Topics Covered
1. Introduction to Anomaly Detection
- Understand the fundamentals of anomaly detection and its importance in identifying unusual behavior or failures in systems.
2. Understanding Edge (IoT)
- Learn about edge computing and IoT, and how they enable real-time data processing and decision-making at the source.
3. What is ArgoCD?
- Discover ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes, and its role in deploying applications on edge devices.
4. Deployment Using ArgoCD for Edge Devices
- Step-by-step guide on deploying anomaly detection models on edge devices using ArgoCD.
5. Introduction to Apache Kafka and S3
- Explore Apache Kafka for real-time data streaming and Amazon S3 for scalable storage solutions.
6. Viewing Kafka Messages in the Data Lake
- Learn how to view and analyze Kafka messages stored in a data lake for better insights.
7. What is Prometheus?
- Get to know Prometheus, an open-source monitoring and alerting toolkit, and its application in monitoring edge devices.
8. Monitoring Application Metrics with Prometheus
- Detailed instructions on setting up Prometheus to monitor the performance and health of your anomaly detection system.
9. What is Camel K?
- Introduction to Camel K, a lightweight integration framework built on Apache Camel, designed for Kubernetes.
10. Configuring Camel K Integrations for Data Pipelines
- Learn how to configure Camel K for seamless data pipeline integrations in your anomaly detection workflow.
11. What is a Jupyter Notebook?
- Overview of Jupyter Notebooks, an open-source web application for creating and sharing documents with live code, equations, visualizations, and narrative text.
12. Jupyter Notebooks with Code Examples
- Hands-on examples and code snippets in Jupyter Notebooks to help you implement and test anomaly detection models.
Taking AI to the Next Level in Manufacturing.pdfssuserfac0301
Read Taking AI to the Next Level in Manufacturing to gain insights on AI adoption in the manufacturing industry, such as:
1. How quickly AI is being implemented in manufacturing.
2. Which barriers stand in the way of AI adoption.
3. How data quality and governance form the backbone of AI.
4. Organizational processes and structures that may inhibit effective AI adoption.
6. Ideas and approaches to help build your organization's AI strategy.
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfChart Kalyan
A Mix Chart displays historical data of numbers in a graphical or tabular form. The Kalyan Rajdhani Mix Chart specifically shows the results of a sequence of numbers over different periods.
3. Enterprise desktop at home with FreeIPA and GNOME 3
* almost
local office network is not managed by a company’s IT department
4. Enterprise desktop at home with FreeIPA and GNOME 4
* almost
company services’ hosting is cloudy
there is no one cloud to rule them all
10. Enterprise desktop at home with FreeIPA and GNOME 10
* almost
I have FEW identities:
▶ A corporate identity for services sign-on
▶ Home-bound identity to access local resources
▶ Cloud-based (social networking) identities
▶ Free Software hats to wear
▶ Certificates and smart cards to present myself legally
▶ Private data to protect and share
I want them to be usable at the same time
11. Enterprise desktop at home with FreeIPA and GNOME 11
I work on FreeIPA, https://www.freeipa.org
Management of identities and policies:
▶ stored centrally
▶ applied locally
And it is available in:
▶ Fedora
▶ Red Hat Enterprise Linux / CentOS
▶ GNU/Linux Debian and Ubuntu
▶ https://account.gnome.org/ runs FreeIPA since October 2014
17. Enterprise desktop at home with FreeIPA and GNOME 17
Let’s score by a password
A typical workflow for every laptop reboot
1. Sign into a local system account (enter a password)
2. Jump onto virtual private network (enter a password or more)
3. Obtain initial Kerberos credentials (enter a password)
4. Use corporate applications (enter a password?)
18. Enterprise desktop at home with FreeIPA and GNOME 18
Can we do better than this?
how far are we from
▶ Sign into a corporate environment
▶ Use corporate applications
?
19. Enterprise desktop at home with FreeIPA and GNOME 19
Let’s try to login!
Demo of interactive logon
24. Enterprise desktop at home with FreeIPA and GNOME 24
What was that?
▶ The system is configured to be a client for FreeIPA
▶ SSSD handles login and Kerberos keys
▶ Login to the system is verified over the public network using a proxy for the Kerberos protocol
▶ Established VPN connection based on Kerberos ticket
▶ Credentials were entered only once
25. Enterprise desktop at home with FreeIPA and GNOME 25
Kerberos proxy
Available on the client side with Microsoft Active Directory and MIT Kerberos 1.13
▶ protocol is called MS-KKDCP
▶ transparent for Kerberos library users
Kerberos proxy is implemented by FreeIPA 4.2, OpenConnect Server 7.05, and as a standalone server
▶ Requires HTTPS connection, set up by default in FreeIPA 4.2, very easy to use (one line change on the client)
▶ Allows obtaining tickets from anywhere
▶ SSSD 1.12+
▶ GNOME project uses KDC proxy to allow GSSAPI authentication in SSH for GNOME developers
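Added example, not code from the talk, FreeIPA or MIT krb5: the MS-KKDCP framing that a KKDCP-aware client puts around an ordinary AS-REQ or TGS-REQ before POSTing it to the proxy over HTTPS, and the parse a proxy does on the way in. The realm EXAMPLE.TEST, the host ipa.example.test and the five-byte stand-in for a Kerberos request are constructed placeholders. What the structure shows is why a proxy is acceptable on a public network: it only ever relays an opaque, DER-wrapped Kerberos message, so a compromised proxy sees no more than an on-path observer of plain Kerberos traffic would.

```python
"""MS-KKDCP framing: what the "proxy for Kerberos protocol" actually carries.

Added example (not code from the talk, FreeIPA or MIT krb5). The client-side
"one line change" the slide mentions is in krb5.conf, for example
    [realms]
    EXAMPLE.TEST = { kdc = https://ipa.example.test/KdcProxy }
(realm and host are placeholders; /KdcProxy is the path FreeIPA serves).
After that, libkrb5 POSTs each request to that URL wrapped as below.
"""
import struct
from typing import Optional

# DER tags used by KDC-PROXY-MESSAGE (Kerberos ASN.1 modules use EXPLICIT tags)
SEQUENCE, OCTET_STRING, INTEGER, GENERAL_STRING = 0x30, 0x04, 0x02, 0x1B


def _der_len(n: int) -> bytes:
    """DER length: short form below 128 bytes, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content


def _explicit(ctx: int, inner: bytes) -> bytes:
    """[n] EXPLICIT: a constructed context tag wrapping a complete inner TLV."""
    return _tlv(0xA0 | ctx, inner)


def _der_int(v: int) -> bytes:
    return _tlv(INTEGER, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))


def encode_kdc_proxy_message(kerb_message: bytes, target_domain: Optional[str] = None,
                             dclocator_hint: Optional[int] = None) -> bytes:
    """Wrap a raw Kerberos request (UDP format) into a KDC-PROXY-MESSAGE.

    KDC-PROXY-MESSAGE ::= SEQUENCE {
        kerb-message   [0] OCTET STRING,        -- TCP framing: 4-byte length + msg
        target-domain  [1] KerberosString OPTIONAL,
        dclocator-hint [2] INTEGER OPTIONAL }
    """
    framed = struct.pack(">I", len(kerb_message)) + kerb_message
    fields = _explicit(0, _tlv(OCTET_STRING, framed))
    if target_domain is not None:
        fields += _explicit(1, _tlv(GENERAL_STRING, target_domain.encode("ascii")))
    if dclocator_hint is not None:
        fields += _explicit(2, _der_int(dclocator_hint))
    return _tlv(SEQUENCE, fields)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after the TLV); rejects truncated input."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big"), 2 + nbytes
    start, end = pos + hdr, pos + hdr + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[start:end], end


def decode_kdc_proxy_message(data: bytes) -> dict:
    """Inverse of encode_kdc_proxy_message, as a proxy parses the POST body.

    The 4-byte TCP length prefix must match the payload; a careful proxy
    rejects a mismatch instead of relaying a message it cannot delimit.
    """
    tag, seq, end = _read_tlv(data, 0)
    if tag != SEQUENCE or end != len(data):
        raise ValueError("expected exactly one DER SEQUENCE")
    out = {"kerb_message": None, "target_domain": None, "dclocator_hint": None}
    pos = 0
    while pos < len(seq):
        ctx, inner, pos = _read_tlv(seq, pos)
        itag, content, _ = _read_tlv(inner, 0)
        if ctx == 0xA0 and itag == OCTET_STRING:
            if len(content) < 4 or struct.unpack(">I", content[:4])[0] != len(content) - 4:
                raise ValueError("TCP length prefix does not match message length")
            out["kerb_message"] = content[4:]
        elif ctx == 0xA1 and itag == GENERAL_STRING:
            out["target_domain"] = content.decode("ascii")
        elif ctx == 0xA2 and itag == INTEGER:
            out["dclocator_hint"] = int.from_bytes(content, "big", signed=True)
        else:
            raise ValueError(f"unexpected field tag {ctx:#x}/{itag:#x}")
    if out["kerb_message"] is None:
        raise ValueError("kerb-message is mandatory")
    return out


if __name__ == "__main__":
    # Constructed stand-in for an AS-REQ (real ones start with APPLICATION tag 0x6a).
    wire = encode_kdc_proxy_message(b"\x6a\x03\x01\x02\x03", "EXAMPLE.TEST")
    print(wire.hex())
    print(decode_kdc_proxy_message(wire))
```

The target-domain field is what lets one proxy front several realms; the client fills it from the realm it is asking for, and the proxy uses it only for routing, never for authentication. Everything that authenticates the user stays inside kerb-message, encrypted to keys the proxy does not have.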
26. Enterprise desktop at home with FreeIPA and GNOME 26
VPN and Kerberos
OpenConnect client supports GSSAPI negotiation
▶ Fedora 22+ works out of the box
OpenVPN does not support GSSAPI negotiation
▶ to do since 2005
Support for GSSAPI in IPSEC is coming
27. Enterprise desktop at home with FreeIPA and GNOME 27
Could we enforce stronger authentication at a VPN edge?
▶ yes, we are able to do so with Kerberos 1.14
▶ two-factor authenticated Kerberos tickets get ‘otp’ authentication indicator
▶ no practical implementation of enforcement in FreeIPA yet
28. Enterprise desktop at home with FreeIPA and GNOME 28
Two-factor authentication
FreeIPA 4.x supports 2FA natively
▶ Yubikey, FreeOTP client for Android and iOS, any HOTP/TOTP compatible software and hardware
▶ Two-factor authentication is enforced on Kerberos level
▶ Performs pre-authentication before issuing a ticket
▶ Authentication Indicators are in Kerberos 1.14
▶ Pre-authentication modules can say how tickets were issued
29. Enterprise desktop at home with FreeIPA and GNOME 29
FreeOTP client for Android and iOS
30. Enterprise desktop at home with FreeIPA and GNOME 30
Demo of interactive logon with 2FA
Let’s create a token for a user and logon with 2FA via Yubikey
35. Enterprise desktop at home with FreeIPA and GNOME 35
What was that?
1. One time password token was programmed to Yubikey and added for the user in FreeIPA
2. SSSD handles login and notices OTP pre-authentication support in Kerberos conversation
3. Login to the system is verified over the public network using a proxy for the Kerberos protocol
4. Kerberos ticket is obtained, first factor is provided by SSSD to GDM for unlocking GNOME passwords and keys storage (Seahorse)
5. Credentials were entered only once
41. Enterprise desktop at home with FreeIPA and GNOME 41
If Kerberos credentials are available, what can we do with them?
▶ Authenticate with GSSAPI against almost anything
▶ Obtain SAML assertion for other web services (and more)
▶ Use them to access network file systems
▶ Display properties of the available tickets
▶ Renew the ticket granting ticket (TGT)
▶ Choose which Kerberos principal is in use
46. Enterprise desktop at home with FreeIPA and GNOME 46
Authenticate with GSSAPI
Epiphany, the GNOME Web Browser, in GNOME 3.18:
▶ GSSAPI support is no more, depends on libsoup support
▶ libsoup has been dragging since 2009, bug #587145
▶ WebkitGtk is unusable for SAML/OAuth2 interactions involving Kerberos
▶ One cannot use Google apps with GSSAPI in GNOME Online Accounts
▶ No single sign-on with GSSAPI from GNOME applications using WebkitGtk to authenticate
48. Enterprise desktop at home with FreeIPA and GNOME 48
What was that?
Tomáš Popela (Red Hat) and David Woodhouse (Intel) worked to fix libsoup and WebkitGtk
This laptop is running an experimental build of them
We logged into my FreeIPA server’s Web UI
Hopefully, the code will be in the next GNOME release
49. Enterprise desktop at home with FreeIPA and GNOME 49
But can we do more than that? Administering is a boring task!
55. Enterprise desktop at home with FreeIPA and GNOME 55
What was that?
▶ Ipsilon as an Identity Provider (IdP) taking user information from FreeIPA
▶ Listen to Patrick Uiterwijk’s talk on Sunday, same time (13:10 – 13:50)
▶ Google Apps as a Service Provider (SP) talking to FreeIPA via Ipsilon’s IdP
▶ Users from FreeIPA can log on to Google Apps if the admin pre-created accounts for them
▶ At no point does Google have access to FreeIPA users’ credentials
▶ GNOME Online Accounts now configured to access Google Apps’ services
59. Enterprise desktop at home with FreeIPA and GNOME 59
What does GSSAPI support open for use in GNOME Online Accounts?
▶ Single sign-on is the primary feature
▶ Automated credential renewal
▶ Automated token/assertion renewal for SAML/OpenID
▶ No need to store passwords locally (secure kiosks?)
60. Enterprise desktop at home with FreeIPA and GNOME 60
Visualize
GNOME Online Accounts could show Kerberos ticket properties:
▶ Ticket time validity, flags (forwardable, renewable)
▶ Authentication indicators
▶ Existing service tickets in the credentials cache, with the ability to remove them selectively
▶ Automatic ticket renewal if the KDC permits it
61. Enterprise desktop at home with FreeIPA and GNOME 61
Visualize
And choose between different Kerberos principals:
▶ MIT Kerberos supports kernel keyring (1.12+) and directory-based (1.11+) storage of credentials
▶ Multiple Kerberos principals can be stored and used at the same time
▶ Only a single principal can be defined as “primary” for each Kerberos realm in the collection of credentials
62. Enterprise desktop at home with FreeIPA and GNOME 62
Kerberos ticket renewal
▶ SSSD supports automatic Kerberos ticket renewal for single-factor cases
▶ Renewing 2FA tickets requires UI interaction, triggered by the expiry time
▶ Automatic ticket renewal requires permission from the KDC, visible as a ticket flag
▶ GNOME Online Accounts could integrate with SSSD in prompting for credentials (multiple factors); in the 2FA case the needed information could be provided via SSSD InfoPipe/AuthPipe
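The three slides above describe what a desktop agent would need to model: a credential-cache collection holding several principals with one primary per realm, the ticket properties a UI would show (validity, flags, service tickets that can be removed selectively), and a renewal decision that renews single-factor TGTs silently only when the KDC granted the renewable flag, while 2FA tickets are handed to the user. The following Python sketch is an added example of that logic, not code from the talk, GNOME Online Accounts, SSSD or MIT Kerberos; principals, realms and times are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed reference point for the sample data (assumed, not from the talk).
SAMPLE_NOW = datetime(2015, 8, 9, 13, 10, tzinfo=timezone.utc)


def sample_time(minutes_from_now: int) -> datetime:
    """SAMPLE_NOW shifted by the given number of minutes (helper for demos/tests)."""
    return SAMPLE_NOW + timedelta(minutes=minutes_from_now)


@dataclass
class Ticket:
    service: str                     # service principal, e.g. "HTTP/ipa.example.test@EXAMPLE.TEST"
    expires: datetime                # end of the ticket lifetime
    renew_till: Optional[datetime]   # latest point the KDC allows renewal; None if not renewable
    flags: frozenset = frozenset()   # subset of {"forwardable", "renewable", "initial"}

    def is_tgt(self) -> bool:
        return self.service.startswith("krbtgt/")


@dataclass
class CredCache:
    principal: str                   # client principal, e.g. "alice@EXAMPLE.TEST"
    two_factor: bool = False         # obtained with a second factor (OTP): renewal needs UI
    tickets: List[Ticket] = field(default_factory=list)

    @property
    def realm(self) -> str:
        return self.principal.rsplit("@", 1)[1]

    def tgt(self) -> Optional[Ticket]:
        return next((t for t in self.tickets if t.is_tgt()), None)

    def remove_service_tickets(self, service: str) -> int:
        """Selectively drop service tickets (never the TGT); returns how many were removed."""
        before = len(self.tickets)
        self.tickets = [t for t in self.tickets if t.is_tgt() or t.service != service]
        return before - len(self.tickets)


class Collection:
    """A ccache collection: many principals, at most one primary per realm."""

    def __init__(self) -> None:
        self.caches: Dict[str, CredCache] = {}   # principal -> cache
        self.primary: Dict[str, str] = {}        # realm -> primary principal

    def add(self, cache: CredCache, make_primary: bool = False) -> None:
        self.caches[cache.principal] = cache
        # The first cache seen for a realm becomes primary; later ones only on request.
        if make_primary or cache.realm not in self.primary:
            self.primary[cache.realm] = cache.principal

    def set_primary(self, principal: str) -> None:
        if principal not in self.caches:
            raise KeyError(principal)
        self.primary[self.caches[principal].realm] = principal

    def primary_for(self, realm: str) -> Optional[CredCache]:
        p = self.primary.get(realm)
        return self.caches.get(p) if p else None


def renewal_action(cache: CredCache, now: datetime, soon: timedelta = timedelta(minutes=30)) -> str:
    """What a desktop agent should do about this cache's TGT.

    'expired' - no usable TGT, the user must log in again
    'none'    - still valid for a while, nothing to do yet
    'auto'    - KDC granted renewal (renewable flag, renew_till in the future), single factor: renew silently
    'prompt'  - renewal not permitted, or ticket was obtained with 2FA: ask the user
    """
    tgt = cache.tgt()
    if tgt is None or tgt.expires <= now:
        return "expired"
    if tgt.expires - now > soon:
        return "none"
    renewable = "renewable" in tgt.flags and tgt.renew_till is not None and tgt.renew_till > now
    if renewable and not cache.two_factor:
        return "auto"
    return "prompt"


def ticket_summary(cache: CredCache, now: datetime) -> List[dict]:
    """Rows a UI could display: service, minutes left, flags."""
    return [
        {
            "service": t.service,
            "minutes_left": max(0, int((t.expires - now).total_seconds() // 60)),
            "flags": sorted(t.flags),
        }
        for t in cache.tickets
    ]


def demo_collection(now: datetime = SAMPLE_NOW) -> Collection:
    """Constructed sample: a single-factor IPA user, a 2FA IPA user and a trusted-forest AD user."""
    coll = Collection()
    alice = CredCache("alice@EXAMPLE.TEST", tickets=[
        Ticket("krbtgt/EXAMPLE.TEST@EXAMPLE.TEST", now + timedelta(minutes=10),
               now + timedelta(days=7), frozenset({"forwardable", "renewable", "initial"})),
        Ticket("HTTP/ipa.example.test@EXAMPLE.TEST", now + timedelta(minutes=10),
               None, frozenset({"forwardable"})),
    ])
    bob = CredCache("bob@EXAMPLE.TEST", two_factor=True, tickets=[
        Ticket("krbtgt/EXAMPLE.TEST@EXAMPLE.TEST", now + timedelta(minutes=5),
               now + timedelta(days=7), frozenset({"renewable", "initial"})),
    ])
    admin = CredCache("administrator@AD.TEST", tickets=[
        Ticket("krbtgt/AD.TEST@AD.TEST", now + timedelta(hours=9), None, frozenset({"forwardable"})),
    ])
    for c in (alice, bob, admin):
        coll.add(c)
    return coll
```

The point of `renewal_action` is that the agent never decides renewal on its own: the KDC's `renewable` flag and `renew_till` gate silent renewal, and a cache marked as obtained with a second factor is always escalated to the user, which is exactly the split between SSSD's automatic renewal and the UI interaction the slide calls for.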
63. Enterprise desktop at home with FreeIPA and GNOME 63
Better Kerberos in browsers
▶ Firefox Kerberos setup isn’t nice
  ▶ needs about:config manipulation
  ▶ DNS domains associated with a Kerberos realm could be discovered via DNS SRV records and confirmed by the user once
▶ FreeIPA used to provide an extension to automate Firefox setup
  ▶ the extension was generated locally for each FreeIPA deployment to provide configuration details
  ▶ not anymore: Firefox removed the ability to provide non-publicly available extensions since version 43
64. Enterprise desktop at home with FreeIPA and GNOME 64
Better Kerberos in browsers
▶ Chromium/Chrome
  ▶ has bugs in processing WWW-Authenticate: Negotiate when Kerberos credentials are not available
  ▶ on Linux only allows configuring Kerberos use through the command line or statically system-wide: poor user experience
▶ A fixed libsoup/WebkitGtk allows always using GSSAPI if the server advertises WWW-Authenticate: Negotiate over HTTPS
  ▶ no need to configure anything in Epiphany
  ▶ could be further confined with a user confirmation, similar to how passwords are managed on first use
▶ The Konqueror browser in KDE allows always using GSSAPI if the server advertises WWW-Authenticate: Negotiate over HTTPS
65. Enterprise desktop at home with FreeIPA and GNOME 65
Better Kerberos in browsers
▶ The GSSAPI flow is synchronous and needs better UI interaction to avoid hogging down other tabs
  ▶ still a major issue for many browsers
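The browser behaviour these three slides argue for can be written down as a small policy: answer a Negotiate challenge with GSSAPI only over HTTPS, fall back cleanly (instead of hanging) when no Kerberos credentials are present, confirm each host once on first use the way saved passwords are, and map a host to its realm with the longest-suffix rule that krb5.conf’s [domain_realm] section uses, standing in for the DNS-based discovery mentioned above. The Python below is an added example of that policy, not code from the talk or from any of the browsers discussed; host names, realms and header values are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set
from urllib.parse import urlsplit


def realm_for_host(host: str, domain_realm: Dict[str, str]) -> Optional[str]:
    """Map a host to a Kerberos realm like krb5.conf [domain_realm]: an exact host
    entry wins, otherwise the longest matching parent-domain entry (keys that start
    with a dot). Returns None when no mapping applies."""
    host = host.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in domain_realm:
            return domain_realm[key]
    return None


def challenge_schemes(header_values: List[str]) -> List[str]:
    """Lower-cased auth schemes from WWW-Authenticate header values.
    Assumes one challenge per header value (servers commonly send several headers)."""
    schemes = []
    for value in header_values:
        stripped = value.strip()
        if stripped:
            schemes.append(stripped.split(None, 1)[0].lower())
    return schemes


@dataclass
class NegotiatePolicy:
    kerberos_available: bool                          # does the user hold a usable TGT?
    domain_realm: Dict[str, str] = field(default_factory=dict)
    approved_hosts: Set[str] = field(default_factory=set)   # hosts confirmed once by the user

    def approve(self, host: str) -> None:
        """Record the user's one-time confirmation for this host."""
        self.approved_hosts.add(host.lower())

    def decide(self, url: str, www_authenticate: List[str]) -> str:
        """
        'gssapi'   - send a Negotiate/GSSAPI response for HTTP/<host>@<realm>
        'confirm'  - first Kerberos use with this host: ask the user, then approve()
        'fallback' - Negotiate was offered but is unusable here: try other schemes or prompt
        'none'     - the server did not offer Negotiate at all
        """
        parts = urlsplit(url)
        if "negotiate" not in challenge_schemes(www_authenticate):
            return "none"
        if parts.scheme != "https":          # never use GSSAPI over plain HTTP
            return "fallback"
        if not self.kerberos_available:      # the Chromium failure mode: do not hang, fall back
            return "fallback"
        host = (parts.hostname or "").lower()
        if realm_for_host(host, self.domain_realm) is None:
            return "fallback"                # no idea which realm to ask for a ticket
        if host not in self.approved_hosts:
            return "confirm"
        return "gssapi"

    def service_principal(self, url: str) -> str:
        """The HTTP service principal a GSSAPI client would request a ticket for."""
        host = (urlsplit(url).hostname or "").lower()
        realm = realm_for_host(host, self.domain_realm)
        if realm is None:
            raise ValueError(f"no realm mapping for {host}")
        return f"HTTP/{host}@{realm}"
```

Treating a missing ticket as `fallback` rather than an error is the detail that matters in practice: the server is allowed to offer Negotiate alongside Basic or a form login, and a browser without credentials should simply continue with those instead of blocking the tab.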
71. Enterprise desktop at home with FreeIPA and GNOME 71
What was that?
▶ I set up Ipsilon to authenticate against my FreeIPA server
▶ I set up an Owncloud instance and created a simple application to do login via Ipsilon SAML
▶ Successfully logged-in users get created in Owncloud if they belong to a certain group in FreeIPA
▶ No need to enter a password if Kerberos credentials are available
▶ Credentials were entered only once
72. Enterprise desktop at home with FreeIPA and GNOME 72
Oops, I “invented” Owncloud Enterprise Edition?
73. Enterprise desktop at home with FreeIPA and GNOME 73
Better support for SAML in GNOME Online Accounts
GNOME Online Accounts doesn’t support SAML for arbitrary providers
▶ One cannot set up one’s own Owncloud account in GNOME without entering passwords
▶ Have to use a separate Owncloud end-point for non-SAML logon
74. Enterprise desktop at home with FreeIPA and GNOME 74
Certificates
FreeIPA 4.2 supports issuing X.509 certificates to users
FreeIPA 4.2 adds a per-user vault to store keys and credentials wrapped into an encrypted blob
▶ authentication to password vaults is GSSAPI-based
▶ multiple clients can use unique public/private key pairs to derive their access to a user’s vault
▶ SSSD 1.13 allows authenticating with certificates
▶ Certificates can come from any OpenSC- and coolkey-compatible devices
75. Enterprise desktop at home with FreeIPA and GNOME 75
How enterprisey could our home become?
80. Enterprise desktop at home with FreeIPA and GNOME 80
What is that?
▶ FreeIPA has a cross-forest trust to an Active Directory forest
▶ Ipsilon is configured to accept all valid users provided by FreeIPA
▶ Active Directory users are valid ones, with fully qualified user names to differentiate them from IPA users
▶ Active Directory administrator signed into Owncloud as a normal user
▶ Credentials were entered only once
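The three demos (Google Apps, Owncloud, and the trusted Active Directory forest) differ only in the account policy at the service provider: Google Apps accepts an Ipsilon assertion only for accounts the admin pre-created, Owncloud creates the account on first login when the user is in a given FreeIPA group, and users from the trusted forest keep their fully qualified name so they never collide with IPA users. In every case the SP sees assertion attributes, never credentials. The following Python is an added example of those rules side by side, not code from the talk, Ipsilon, Owncloud or Google; the domain, group and user names are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumption: the FreeIPA domain of the home deployment. Users from a trusted
# Active Directory forest arrive with a different domain suffix.
IPA_DOMAIN = "example.test"


@dataclass(frozen=True)
class Assertion:
    """Constructed stand-in for what an IdP such as Ipsilon asserts about a user.
    The service provider only ever sees these attributes, never a password or TGT."""
    name_id: str                      # "alice" (IPA) or "Administrator@AD.TEST" (trusted forest)
    groups: frozenset = frozenset()   # group names the IdP asserted
    email: Optional[str] = None


def canonical_login(name_id: str) -> Tuple[str, str]:
    """Normalise the asserted name to (login, source).

    IPA users are unqualified; users from a trusted AD forest stay fully
    qualified (user@domain), so 'alice' from IPA and 'alice@ad.test' from AD
    remain distinct accounts at the service provider."""
    name = name_id.strip().lower()
    if "@" in name:
        user, domain = name.rsplit("@", 1)
        if domain == IPA_DOMAIN:
            return user, "ipa"
        return f"{user}@{domain}", "ad"
    return name, "ipa"


class ServiceProvider:
    """Account policy of a SAML service provider.

    jit_group=None   : only pre-created accounts may log in (the Google Apps case)
    jit_group="name" : an unknown user is created on first login when the assertion
                       lists that group (the Owncloud case)
    """

    def __init__(self, name: str, jit_group: Optional[str] = None,
                 allowed_sources: Tuple[str, ...] = ("ipa", "ad")) -> None:
        self.name = name
        self.jit_group = jit_group
        self.allowed_sources = set(allowed_sources)
        self.accounts: Dict[str, dict] = {}

    def precreate(self, login: str, **attrs) -> None:
        """The administrator creates the account ahead of time."""
        self.accounts[login.lower()] = dict(attrs, source="precreated")

    def login(self, assertion: Assertion) -> str:
        """Outcome of one SSO login: 'ok', 'created', or a 'refused: ...' reason."""
        login, source = canonical_login(assertion.name_id)
        if source not in self.allowed_sources:
            return "refused: identity source not allowed"
        if login in self.accounts:
            return "ok"
        if self.jit_group is None:
            return "refused: no pre-created account"
        if self.jit_group not in assertion.groups:
            return "refused: not in provisioning group"
        self.accounts[login] = {"email": assertion.email, "source": source}
        return "created"
```

The `allowed_sources` knob is the piece a home deployment with a forest trust should think about: once Ipsilon accepts every valid FreeIPA user, each service provider still decides on its own whether trusted-forest users are welcome, and group-based provisioning keeps that decision explicit rather than implied by the trust.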
83. Enterprise desktop at home with FreeIPA and GNOME 83
What benefits do we get by becoming enterprisey with FreeIPA and GNOME?
1. Control your own infrastructure
2. Improve user experience by reducing number of password/logon interactions
3. Profit?