I previously posted my experiences setting up OpenLDAP on Ubuntu Server, using my own custom schema. This whole ordeal is for a couple of reasons...I wanted to learn about openLDAP and how schema works, and I wanted to eventually create something akin to "Active Directory" from my home that wasn't just "use Samba" or "use FreeIPA." I don't have anything against Samba, but it feels like using Samba is trying to acheive Microsoft functionality with Microsoft compatibility, and I don't need Microsoft compatibility, so I wanted to do it without. I have no Microsoft devices in my ecosystem and have no plans to add any. I don't have anything against FreeIPA either, but their docs target rpm distros and I tend to live in deb land, and I found the initial install frustrating unless I switched platforms...it felt like lock-in. There are other solutions and this is a problem that has been solved other ways but with shortcomings, but I wanted to really do something "from scratch" so I share this not as a recommendation, but as a start-to-finish resource with some nuggets of wisdom that may help someone else whose journey brushes up against parts of mine.

When I started, I was just authenticating web services like nextcloud, jellyfin, SAML, etc. Tying those into openLDAP was very easy and has worked very well for a long time. Now though, I want to use Kerberos for Linux PAM authentication as I am about to spin up a bunch of small servers (I got a new hypervisor and am redoing a lot of infrastructure, I don't want different credential stores all over the place). Because of this, I'm bolting on MIT Kerberos as my network authentication provider; that being said, getting OpenLDAP and Kerberos to work together and only use 1 password was not intuitive. Kerberos will use LDAP as it's database, and authentication will happen through SASL. Ultimately, requests will go to openLDAP, then depending on the account, the password will either be validated in OpenLDAP for web users, or it will defer to SASL for users doing both web/PAM stuff, which will then authenticate against the Kerberos passoword it stores in LDAP. Circular much?

Here is the vision, to help you see what I'm working towards. Ultimately I have about 20 users, all of which might access web services like nextcloud, but 4 core users which will actually log into computers. One of those 4 (me) has sudo rights on any computer. All 20 users should be able to log into nextcloud, jellyfin, etc without issue, and for now I'm managing password resets if they come to my house (I had previously used phpldapadmin for password resets, but that was struggling on php7+ when I last tried). For the internal users, they will be able to sit at ANY computer and log in using their same username and password. If an web only user tries to sit and log into a computer, the'll get username not found. If any of the 3 non-sudo users tries sudo, they'll get an unauthorized error. If my account tries sudo, I can become root. I can handle password resets for the internal users via kpasswd or kadmin.local.

Read more »

After all this time...why am I still working on this? The cameras are dead, Motorola shut down the monitoreverywhere service, so the cameras are dead! You can't register them, or join to cameras remotely, right?

Well, they still work on the LAN, so if they're already on the wifi, you can use them as little RTSP streams. The problem is...I want to change my SSID's, and there's no way to rejoin to wifi without the app connecting with the (now offline) monitoreverywhere service.

Enter crazy old Joe. I had a Titanium Backup of the apk and my config from an android device I don't even have anymore. I was able to extract this and decompile it to learn how the app handles registration, then emulate that. First, from previous research, when you factory reset a camera it broadcasts a "Camera-######" SSID when you can connect to as it's open. You'll get a 192.168.2.# address, and the camera will be "192.168.2.1". From there, you can start performing operations on the camera, for example, If you go here in a web browser: http://192.168.2.1/?action=command&command=enable_telnet You will then be able to telnet to the camera.

Read more »

This was originally posted Here but I'm cross-posting it to my site for preservation and self-reliance.

I've been experimenting with user and account management solutions for my home lab, and I was looking for something that could manage posix users and web users. I wanted something with group management and OU hierarchies that sort of follow what you would use in Active Directory. I found a lot of issues with some of the more well recommended solutions out there:

Read more »

This was originally posted to reddit Here but I am archiving the post here for posterity and self-reliance.

A long time ago we had IRC integrated into our server so offline people could chat, but with IRC becoming less used, we wanted to switch to something Discord-like which could enable voice chat. My preference is for self-hosted, open-source software where I control the data and service, so my target platform was Mumble. The result is pretty great; I have a easy mumble web client users can hang out in and talk with the server when they're offline, I have a phone app which receives notifications and does text to speech so with my headset I can be notified if a new user joins or if someone dies (this is all configurable). Users can choose to voice chat as well to collab on projects.

Read more »

So I took the camera apart and took a high-res picture of the PCB. The wifi sub-board is soldered on so I won't remove it yet to expose the ARM CPU. That being said, maybe there's a clue on here for how to mount and write to the flash memory: