Comparing Distinguished LDAP Names

In a Bourne Shell script, a distinguished name (DN) for performing an LDAP-query is held in a variable:

dn="cn=Malmø,ou=County Capitals,dc=Sweden,dc=Europe"

For the purpose of demonstration, this example DN contains a non-ASCII character.

Let’s write a Bourne Shell function that escapes such special characters as requested by RFC 4514 using perl’s Net::LDAP::Util:

canonical_dn() {
    # perl -s parses the "-dn=..." switch after "--" into the Perl variable $dn;
    # mbcescape=>1 hex-escapes every non-ASCII byte as required by RFC 4514.
    perl -s -MNet::LDAP::Util -e '
        print Net::LDAP::Util::canonical_dn($dn, mbcescape=>1)
    ' -- -dn="$1"
}

Let’s test the function:

echo "Unescaped DN: $dn"
echo "Escaped DN:   $(canonical_dn "$dn")"

The expected output is:

Unescaped DN: cn=Malmø,ou=County Capitals,dc=Sweden,dc=Europe
Escaped DN:   CN=Malm\c3\b8,OU=County Capitals,DC=Sweden,DC=Europe

With a normalized notation, DN values are more robust when passed to external applications such as the OpenLDAP client tools (ldapsearch & Co.), and certain operations on DNs inside the shell script itself become a bit more feasible.

But note: for various reasons, DNs cannot be reliably compared for equality, even if both are normalized using canonical_dn. For example, an attribute can have both a long and a short name, either of which is valid when denoting a DN, and the OID of an attribute can be used in a DN as well. The following DNs address identical entries:

  • cn=Malmø,ou=County Capitals,dc=Sweden,dc=Europe
  • commonName=Malmø,ou=County Capitals,dc=Sweden,dc=Europe
  • 2.5.4.3=Malmø,ou=County Capitals,dc=Sweden,dc=Europe

The information that all these notations denote the same attribute, commonName, is contained in the schema of the LDAP database being queried; neither canonical_dn nor the shell script can apply this information, only an LDAP server can.

This made me wonder whether there is a canonical way of comparing two DN representations for identity by interacting with an LDAP directory server. Apparently there is not:

  • RFC 2251 lists „bind“, „search“, „modify“, „add“, „delete“ and „modify DN“ as supported message types.
  • RFC 2253 makes no mention of DN comparison.
  • I am not aware of an extended request for comparing DNs, at least not one that is widespread across implementations. ldapwiki.com lists „cancel“, „password modify“, „StartTLS“ and „Who am I“ as known examples; ldap.com additionally lists „Start Transaction“ and „End Transaction“, calling them „standard extended operation types“.
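What a shell script can do on its own is resolve the aliasing shown above for the attribute types whose names and OIDs are fixed by RFC 4519 (cn, ou, o, dc, uid), and compare DNs after that. The following Bourne Shell functions are an added example, not part of the original post and independent of canonical_dn; they assume RFC 4514 strings without escaped commas or multi-valued RDNs, cover only the static alias table embedded in canon_type, and compare attribute values byte for byte, so the schema-dependent value matching rules (case-insensitive matching, for instance) remain out of reach exactly as the text says.

```sh
#!/bin/sh
# Added example: compare two DNs after mapping each attribute type's
# short name, long name and OID (RFC 4519) onto one canonical short name.
# Assumptions: no escaped commas, no multi-valued RDNs ("+"), and a
# static alias table instead of the server's schema.

# Map one attribute type (case-insensitive) to its canonical short name.
# Unknown types are only lowercased; the schema would be needed for more.
canon_type() {
    lowered=$(printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]')
    case "$lowered" in
        cn|commonname|2.5.4.3)                      echo cn  ;;
        ou|organizationalunitname|2.5.4.11)         echo ou  ;;
        o|organizationname|2.5.4.10)                echo o   ;;
        dc|domaincomponent|0.9.2342.19200300.100.1.25) echo dc ;;
        uid|userid|0.9.2342.19200300.100.1.1)       echo uid ;;
        *)                                          echo "$lowered" ;;
    esac
}

# Normalize a DN: split at ',', trim blanks around type and value,
# map the type, and join the RDNs back together with ','.
normalize_dn() {
    printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r rdn; do
        type=${rdn%%=*}
        value=${rdn#*=}
        type=$(printf '%s\n' "$type" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        value=$(printf '%s\n' "$value" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        printf '%s=%s\n' "$(canon_type "$type")" "$value"
    done | paste -s -d ',' -
}

# Exit status 0 when both DNs normalize to the same string, 1 otherwise.
dn_equal() {
    [ "$(normalize_dn "$1")" = "$(normalize_dn "$2")" ]
}

# Constructed sample DNs from the text above (all three denote one entry).
a="cn=Malmø,ou=County Capitals,dc=Sweden,dc=Europe"
b="commonName=Malmø,ou=County Capitals,dc=Sweden,dc=Europe"
c="2.5.4.3=Malmø, OU=County Capitals, DC=Sweden, dc=Europe"
for other in "$b" "$c"; do
    if dn_equal "$a" "$other"; then
        echo "equal:     $other"
    else
        echo "different: $other"
    fi
done
```

Because canon_type is the only place the alias knowledge lives, the gap the text describes is visible in the code: any attribute type missing from that table is compared by its literal (lowercased) name, which is exactly the situation where only the server's schema can settle the question.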

What some people have written in their „privacy policy“ …

Seen on https://t3n.de/datenschutz/ on 23 July 2020, quote: „Consent to the use of the Facebook pixel may only be given by users who are older than 13 years. If you are younger, we ask you to request permission from your legal guardians.“

The document that t3n calls a „privacy policy“ is 110991 characters in 13945 words long; the quote above appears after 40% of the entire text, that is, after 5681 words one has had to read to arrive at this information. Information this relevant, namely that users under 13 years of age may use the website only with the consent of their legal guardians, I personally consider rather inaccessible.

Another quote from said document: „Facebook Inc., based in the USA, is certified under the US-European data protection agreement „Privacy Shield“, which guarantees compliance with the level of data protection applicable in the EU.“

This statement was found to be false by a judgment of the European Court of Justice of 16 July 2020, and a change to the document will be necessary. That might be a good occasion to provide more clarity in other places of this document as well.

Finally summer …

… in April. 😯

Determining User Access on a Linux Filesystem with „Classic Permissions“

Introduction

Looking at a Linux filesystem, checking if a certain file or directory is accessible for reading, writing or executing by certain users or groups poses interesting challenges.

Let the basic and seemingly simple question be: „Given a user X and a file Y, can it be determined whether X has access to Y, and if yes, how?“ A simple answer would be: „Let X try to access Y, and if it does not work, X does not have that kind of access.“ However, this may not be feasible: the users, files and directories in question may not exist yet. More generally, access by users to files and directories should be predictable; appropriate access restrictions should be put in place in advance, not after possibly sensitive information has been exposed. Also, certain types of access, such as deleting a file or directory, cannot be simulated in a safe manner.

Moreover, a test procedure that merely involves „trying to access the file“ may be incomplete: just because the way the test procedure attempted access did not succeed does not mean that there is no procedure at all by which the user in question can access the file.

This article investigates Linux filesystems that implement the semantics of „classic UNIX permissions“ in an effort to find more exhaustive methods of determining access.

AD-Precreation using ktutil, kinit and adcli

Using computer object precreation you can enable machines to join an Active Directory domain with knowledge of just one dedicated one-time-password. Combined with delegation you can offload management of computer objects to an otherwise unprivileged AD user.


Drawing a Yellow Rectangle on Android

As an addendum to my previous article, there now also is an Android App „YellowRectangle“ that draws a yellow rectangle and terminates on the first touch event. It runs on Android version 4.0.3 (Ice Cream Sandwich MR1) and upward. It is written in Java and C++ and uses the Allegro game development library (http://liballeg.org/).

YellowRectangle running on Android 7.0 in the Genymotion emulator.


Drawing A Yellow Rectangle

Premise

On the weekend I wanted to perform the task of drawing a yellow rectangle programmatically onto the screen of a Personal Computer:

  • The program would feature a viewport that occupies the entirety of the primary display of the PC.
  • On the viewport, 640 pixels could be addressed in width, 480 in height.
  • The viewport would be drawn in black color by default.
  • A yellow, filled rectangle would be drawn from an upper left corner at pixel coordinates 10 from the left, 20 from the top to a lower right corner at 100 from the left, 75 from the top.
  • Having drawn the yellow rectangle, the program would indefinitely await any keypress and then shut down.

I solved this task using several different programming languages and toolkits, having the following goals for the implementation:

  • The program does a simple thing, so it should require little processing and memory resources.
  • The program should still work in 24 months from now.

Creative E-MU 1616m PCIe on Windows 10 64bit

Update: Update 1903 of Windows 10 introduced breaking changes that Creative will not fix anymore. The device can still be brought into operation following this article on answers.microsoft.com by Mr. Freddie Stjerna. Having performed the procedure described therein, my 1616m PCIe works flawlessly on Win10Pro64, also as an ASIO device for Ableton 10 (64bit).
Update no. 2: Unfortunately, the 64-bit ASIO driver as installed using the procedure described in the previous update delivers very bad performance when used with Ableton Live 11. Status now is that I will not use the device in Windows anymore, only in Linux. 😎

On a PC running Win10Pro64 that has no Firewire port I needed a 4-in/4-out audio solution functioning as an ASIO device.

So I dug out my E-MU 1616m PCIe and, fearing that it would show severe compatibility issues, installed the most recent driver (EmuPMX_PCDrv_US_2_30_00.exe, July 15th 2011). To my surprise, the device started working immediately. So far I have not found any unsupported or problematic features (at 48 kHz sample rate I use WDM audio output, balanced input with zero-latency monitoring and ASIO sends, and output to speakers through a 4-band EQ as DSP insert).

I think the E-MU 1616m PCIe is a great device:

  • 10 years after I bought it, it works as on the first day.
  • It has good and solid performance; I permanently run it with 10 ms buffer size, which in Ableton Live adds up to 23.3 ms global round-trip latency, and I am yet to encounter any dropout or instability.
  • PatchMix looks and feels very functional (apart from the brushed aluminium skin, which I find quite funny and nostalgic). Since it has spent many years in maturity, with no „software development“ bloating it with useless features and workflows, it runs rock solid and lightning fast on a modern PC.
  • The breakout box (called „Microdock“) has massive connectivity:
    • copper S/PDIF, AES or EBU (really!),
    • optical ADAT or S/PDIF,
    • four balanced 6.35mm input jacks,
    • two XLR/jack combo inputs,
    • six balanced 6.35mm output jacks,
    • three unbalanced 3.5mm stereo output jacks,
    • a dedicated 6.35 mm headphone output jack with hardware volume control and
    • a stereo pair of RCA inputs plus GND (Phono).
  • It works with Linux (using emutrix instead of PatchMix).

This is the best Creative product ever – ah wait, it’s not really by Creative … 😉