kevincox

joined 3 years ago
MODERATOR OF
opensource
sorted by: new top controversial old
LDAP to UNIX user proxy in c/selfhosted@lemmy.world
[–] kevincox@lemmy.ml 1 points 1 week ago* (last edited 1 week ago) (1 children)

Ah ok. You aren't doing auth. I don't understand how this is relevant.

LDAP to UNIX user proxy in c/selfhosted@lemmy.world
[–] kevincox@lemmy.ml 1 points 1 week ago (3 children)

Are you doing auth in the reverse proxy for Jellyfin? Do you use Chromecast or any non-web interface? If so I'm very interested how you got it to work.

LDAP to UNIX user proxy in c/selfhosted@lemmy.world
[–] kevincox@lemmy.ml 1 points 1 week ago (1 children)

The concern is that it would be nice if the UNIX users and LDAP is automatically in sync and managed from a version controlled source. I guess the answer is just build up a static LDAP database from my existing configs. It would be nice to have one authoritative system on the server but I guess as long as they are both built from one source of truth it shouldn't be an issue.

LDAP to UNIX user proxy in c/selfhosted@lemmy.world
[–] kevincox@lemmy.ml 3 points 1 week ago (3 children)

Yes, LDAP is a general tool. But many applications that I am interested in using it for user information. That is what I want to use it for. I'm not really interested in storing other data.

I think you are sort of missing the goal of the question. I have a bunch of self-hosted services like Jellyfin, qBittorrent, PhotoPrism, Metabase ... I want to avoid having to configure users in each one individually. I am considering LDAP because it is supported by many of these services. I'm not concerned about synchronizing UNIX users, I already have that solved. (If I need to move those to LDAP as well that can be considered, but isn't a goal).

LDAP to UNIX user proxy in c/selfhosted@lemmy.world
[–] kevincox@lemmy.ml 1 points 1 week ago (5 children)

I do use a reverse proxy but for various reasons you can't just block off some apps. For example if you want to play Jellyfin on a Chromecast or similar, or PhotoPrism if you want to use sharing links. Unfortunately these systems are designed around the built-in auth and you can't just slap a proxy in front.

I do use nginx with basic with in front of services where I can. I trust nginx much more than 10 different services with varying quality levels. But unfortunately not all services play well.

A study found that there is a significant decline of the nutrient content in 43 different crops between 1950 and 1999 in c/science@lemmy.ml
[–] kevincox@lemmy.ml 1 points 1 week ago

Even then how you you know? I don't think anyone can reliably look at a vegetable and tell you how nutritious it is. I don't think it is reasonable to have the general population being experts in evaluating vegetables.

I think what could work here is mandated labeling. This is required for most foods but generally not produce. I think there are some reasonable reasons for this, but for farms producing huge volumes it seems that occasional testing that gets reported at the store would make sense.

LDAP to UNIX user proxy in c/selfhosted@lemmy.world
[–] kevincox@lemmy.ml 1 points 1 week ago (7 children)

How are you configuring this? I checked for Jellyfin and their are third-party plugins which don't look too mature, but none of them seem to work with apps. qBittorrent doesn't support much (actually I may be able to put reverse-proxy auth in front... I'll look into that) and Metabase locks SSO behind a premium subscription.

IDK why but it does seem that LDAP is much more widely supported. Or am I missing some method to make it work

A study found that there is a significant decline of the nutrient content in 43 different crops between 1950 and 1999 in c/science@lemmy.ml
[–] kevincox@lemmy.ml 4 points 1 week ago (2 children)

But it does boil down to business pressures. The business prefers more and bigger produce to more nutritional produce.

Is that a bad thing? Maybe not. Maybe you can just eat more to get your nutrition since higher yield should reduce cost.

But the point still stands that there is very little business pressure to make a nutritious product.

LDAP to UNIX user proxy in c/selfhosted@lemmy.world
[–] kevincox@lemmy.ml 3 points 1 week ago (9 children)

But the problem is that most self-hosted apps don't integrate well with these. For example qBittorrent, Jellyfin, Metabase and many other common self-hosted apps.

LDAP to UNIX user proxy in c/selfhosted@lemmy.world
[–] kevincox@lemmy.ml 1 points 1 week ago* (last edited 1 week ago) (1 children)

NixOS makes it very easy to declaratively configure servers. For example the users config to manage UNIX users: https://nixos.org/manual/nixos/stable/options#opt-users.users

LDAP to UNIX user proxy in c/selfhosted@lemmy.world
[–] kevincox@lemmy.ml 3 points 1 week ago (4 children)

Yet another service to maintain. If the server is crashing you can't log in, so you need backup UNIX users anyways.

In search for a good VPN in c/privacy@lemmy.ml
[–] kevincox@lemmy.ml 7 points 1 week ago (1 children)

I mean it is always better to have more open source. But the point of the multi-hop system is that you don't need to trust the server. Even if the server was open source:

  1. You wouldn't know that we are running an unmodified version.
  2. If you need to trust the server then someone could compel us to tap it or monitor it.

The open source client is enough to verify this and the security of the whole scheme.

20
LDAP to UNIX user proxy (lemmy.ml)
 

Is there any service that will speak LDAP but just respond with the local UNIX users?

Right now I have good management for local UNIX users but every service wants to do its own auth. This means that it is a pain of remembering different passwords, configuring passwords on setting up a new service and whatnot.

I noticed that a lot of services support LDAP auth, but I don't want to make my UNIX user accounts depend on LDAP for simplicity. So I was wondering if there was some sort of shim that will talk the LDAP protocol but just do authentication against the regular user database (PAM).

The closest I have seen is the services.openldap.declarativeContents NixOS option which I can probably use by transforming my regular UNIX settings into an LDAP config at build time, but I was wondering if there was anything simpler.

(Related note: I really wish that services would let you specify the user via HTTP header, then I could just manage auth at the reverse-proxy without worrying about bugs in the service)

86
When the subway replacement shuttles roll in. (lemmy.ml)
 
16
Please recommend me some blogs about Linux or FOSS or similar that you follow through RSS. (iusearchlinux.fyi)
362
Haunted House (xkcd.com)
134
What is your favorite terminal emulator. (lemmy.ml)
 

I'm reconsidering my terminal emulator and was curious what everyone was using.

35
Decentralized vs. Federated (kevincox.ca)
4
A Decade of RSS Via Email (kevincox.ca)
5
Facebook, Fosstodon & The Fediverse (hub.fosstodon.org)
2
Default to Less Than Quadratic (kevincox.ca)
6
Attempting to use bcachefs (kevincox.ca)
4
Bisecting the Linux Kernel with NixOS (lemmy.ml)
 

cross-posted from: https://beehaw.org/post/551377

Recently my kernel started to panic every time I awoke my monitors from sleep. This seemed to be a regression; it worked one day, then I received a kernel upgrade from upstream, and the next time I was operating my machine it would crash when I came back to it.

After being annoyed for a bit, I realized this was a great time to learn how to bisect the git kernel, find the problem, and either report it upstream, or, patch it out of my kernel! I thought this would be useful to someone else in the future, so here we are.

Step #1: Clone the Kernel; I grabbed Linus' tree from https://github.com/torvalds/linux with git clone git@github.com:torvalds/linux.git

Step #2: Start a bisect.

If you're not familiar with a bisect, it's a process by which you tell git, "this commit was fine", and "this commit was broken", and it will help you test the commits in-between to find the one that introduced the problem.

You start this by running git bisect start, and then you provide a tag or commit ID for the good and the bad kernel with git bisect good ... and git bisect bad ....

I knew my issue didn't occur on the 5.15 kernel series, but did start with my NixOS upgrade to 6.1. But I didn't know precisely where, so I aimed a little broader... I figured an extra test or two would be better than missing the problem. 😬

git bisect start
git bisect good v5.15
git bisect bad master

Step #3: Replace your kernel with that version

In an ideal world, I would have been able to test this in a VM. But it was a graphics problem with my video card and connected monitors, so I went straight for testing this on my desktop to ensure it was easy to reproduce and accurate.

Testing a mid-release kernel with NixOS is pretty easy! All you have to do is override your kernel package, and NixOS will handle building it for you... here's an example from my bisect:

boot.kernelPackages = pkgs.linuxPackagesFor (pkgs.linux_6_2.override { # (#4) make sure this matches the major version of the kernel as well
  argsOverride = rec {
    src = pkgs.fetchFromGitHub {
      owner = "torvalds";
      repo = "linux";
      # (#1) -> put the bisect revision here
      rev = "7484a5bc153e81a1740c06ce037fd55b7638335c";
      # (#2) -> clear the sha; run a build, get the sha, populate the sha
      sha256 = "sha256-nr7CbJO6kQiJHJIh7vypDjmUJ5LA9v9VDz6ayzBh7nI=";
    };
    dontStrip = true;
    # (#3) `head Makefile` from the kernel and put the right version numbers here
    version = "6.2.0";
    modDirVersion = "6.2.0-rc2";
    # (#4) `nixos-rebuild boot`, reboot, test.
  };
});

Getting this defined requires a couple intermediate steps... Step #3.1 -- put the version that git bisect asked me to test in (#1) Step #3.2 -- clear out sha256 Step #3.3 -- run a nixos-rebuild boot Step #3.4 -- grab the sha256 and put it into the sha256 field (#2) Step #3.5 -- make sure the major version matches at (#3) and (#4)

Then run nixos-rebuild boot.

Step #4: Test!

Reboot into the new kernel, and test whatever is broken. For me I was able to set up a simple test protocol: xset dpms force off to blank my screens, wait 30 seconds, and then wake them. If my kernel panicked then it was a fail.

Step #5: Repeat the bisect

Go into the linux source tree and run git bisect good or git bisect bad depending on whether the test succeeded. Return to step #3.

Step #6: Revert it!

For my case, I eventually found a single commit that introduced the problem, and I was able to revert it from my local kernel. This involves leaving a kernel patch in my NixOS config like this:

  boot.kernelPatches = [
    { patch = ./revert-bb2ff6c27b.patch; name = "revert-bb2ff6c27b"; }
  ];

This probably isn't the greatest long-term solution, but it gets my desktop stable and I'm happy with that for now.

Profit!

1
SaaS RSS hosting (www.rss-hosting.com)
view more: next ›