Author: Lisa

LDIF To Move User Accounts In Oracle Unified Directory

Since I keep wasting an hour to figure this out every time I need to move a user within OUD, I’m writing down the proper LDIF text to move a user from ou=disabled,o=orgName to ou=users,o=orgName.

dn: uid=TestUser123,ou=disabled,o=orgName
changetype: moddn
newrdn: uid=TestUser123
deleteoldrdn: 1
newSuperior: ou=users,o=orgName

For some reason, Oracle’s documentation omits the newrdn component and it all fails spectacularly.
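Since the missing newrdn is exactly what breaks the move, here is a small Python check (added here, not part of the original post or of any Oracle tooling) that parses a moddn change record, reports which required fields are absent, and works out the DN the entry will end up with. The record text is the one above; the required-field rules are the RFC 2849 ones for a moddn/modrdn record.

```python
"""Validate an LDIF 'moddn' change record before sending it to the directory.

Added example, not from the original post. The record text is the post's own; the
rules follow RFC 2849: a moddn/modrdn record needs 'newrdn' and 'deleteoldrdn',
and 'newSuperior' is optional (omit it to rename in place).
"""

MODDN_RECORD = """\
dn: uid=TestUser123,ou=disabled,o=orgName
changetype: moddn
newrdn: uid=TestUser123
deleteoldrdn: 1
newSuperior: ou=users,o=orgName
"""

REQUIRED = {"dn", "changetype", "newrdn", "deleteoldrdn"}


def parse_change_record(text):
    """Parse one LDIF change record into a dict keyed by lowercase attribute name.

    Folded continuation lines (leading space) are joined to the previous value, as
    RFC 2849 requires. Base64 ('::') and URL ('':<') values are not handled here.
    """
    record = {}
    last_key = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and last_key is not None:  # folded line
            record[last_key] += raw[1:]
            continue
        key, sep, value = raw.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % raw)
        last_key = key.strip().lower()
        record[last_key] = value.strip()
    return record


def validate_moddn(record):
    """Return a list of problems; an empty list means the record is well formed."""
    problems = []
    if record.get("changetype", "").lower() not in ("moddn", "modrdn"):
        problems.append("changetype must be moddn or modrdn")
    for key in sorted(REQUIRED - set(record)):
        problems.append("missing required attribute: %s" % key)
    if record.get("deleteoldrdn") not in (None, "0", "1"):
        problems.append("deleteoldrdn must be 0 or 1")
    return problems


def resulting_dn(record):
    """Compute the DN the entry will have once the moddn is applied."""
    problems = validate_moddn(record)
    if problems:
        raise ValueError("; ".join(problems))
    if "newsuperior" in record:
        parent = record["newsuperior"]
    else:
        parent = record["dn"].split(",", 1)[1]  # no newSuperior: parent is unchanged
    return "%s,%s" % (record["newrdn"], parent)


def build_moddn(dn, new_parent):
    """Render the move-to-another-OU record from the post, keeping the RDN unchanged."""
    rdn = dn.split(",", 1)[0]
    return "\n".join([
        "dn: %s" % dn,
        "changetype: moddn",
        "newrdn: %s" % rdn,
        "deleteoldrdn: 1",
        "newSuperior: %s" % new_parent,
        "",
    ])


if __name__ == "__main__":
    rec = parse_change_record(MODDN_RECORD)
    print("problems:", validate_moddn(rec))
    print("new DN:", resulting_dn(rec))
    print(build_moddn("uid=TestUser123,ou=disabled,o=orgName", "ou=users,o=orgName"))
```

Running validate_moddn on the record with the newrdn line deleted reports the missing attribute instead of letting the directory reject the change.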

Git For Configuration Management

I am starting to use git to manage application server configurations — partially to ensure team members are familiarizing themselves with git and thinking about it when they update code (we’ve seen a LOT of tweaks that are not pushed to the git server), but also to reduce the administrative overhead of managing servers.

The best use case thus far has been our sendmail environment — seven servers with three configuration bases. By issuing certificates with SAN values for each host name and the VIP name, we are able to use the same cert and config file on each server in a functional group. Admins can make changes to the config offline (i.e. we’re not live-editing config files on the sendmail servers), there is history of who made the changes (and a quick means of reverting changes), and, using a cron’d pull, we can ensure changes are consistent across the environment.

On Denuclearization

They value tribalism over actual plans with specifics, objective reality, or independent thought too. The logic currently being peddled seems to be that any diplomatic overture is vastly better than nuclear holocaust. Now I’m not one to make the argument that there’s a scenario where nuclear annihilation is preferable but it’s disingenuous to call this development a stunning success.

Don’t forget that there was progress in the late 90’s — until GW took over and sought to end the Agreed Framework. The US cut back diplomatic contacts in 2001 while the new administration’s policy was under review. By 2002, NK was asking IAEA inspectors to leave. In 2005, an agreement that might have allowed IAEA inspection was considered progress. Maybe GW was justified in distrusting NK’s concessions (or *not* trusting NK with light-water reactors) — although NK may have violated more the ‘spirit’ of the agreement than the actual substance. But, historically speaking, we’ve been lowering the bar for NK for over a decade. We’re no longer seeking access for IAEA inspectors, now we’re almost looking for agreement that nuclear weapons are a heap-o bad news.

Ignoring decades of history in Korea, Trump was still complicit in the brinkmanship – taunting someone into nuking you then celebrating your negotiating skills when tensions are reduced is a bit like a “hero fireman” setting blazes and then saving people from the inferno. And somehow it’s a major bonus that Trump didn’t un-freeze 150 billion in Iran’s assets for NK? (Republican marketing is winning in the Iran discussion, and Obama unfreezing billions in Iranian assets has been conflated with the US government forking over billions of taxpayer dollars … but what that has to do with North Korea I cannot imagine)

Destroying missile engine testing sites after you’ve got one that works? Not such a concession. Hell, promising not to test any more nukes isn’t a significant concession – once you’ve got the thing working, tests become a way of reminding everyone you’ve got the bloody things. The US has been adhering to terms of the CTBT since, what, 1996. Doesn’t mean we’ve denuclearized. Last year, NK detonated a 200+ kiloton bomb and launched the Hwasong-15 missile which gives them theoretical delivery to the US. Sure they might need more testing to get a functional re-entry vehicle. Worst case, launch with an untested re-entry vehicle. And their current design isn’t as apt to be obliterated on re-entry — it merely lacks accuracy. Well, as someone who lives in the “oops, we missed” zone for a few high probability targets … low accuracy nuclear strikes are still REALLY REALLY BAD.

The WSJ report a year and a half ago about Trump conceiving a brilliant strategy for dealing with NK … after Trump spoke with Putin. The strategy? Cease joint military exercises with SK. Because damaging US / SK relations doesn’t help Putin in any way? For a guy who pulled out of the Paris Accords ostensibly because it was such a bad deal for the US (which, I guess, has plans to jettison everyone with more than nine hundred thirty seven million dollars in net worth to some secret space colony where they’ll be able to fly around extracting resources from planets throughout the solar system), this move hardly seems in line with the “America First” doctrine. Stopping the ‘war games’ is something NK wanted – they offered to stop nuclear testing back in 2015 if we stopped the military exercises. And it’s only *saving* money if you don’t spend it elsewhere. Anyone think the US military budget will decrease by a few mill if we can “save” that by avoiding US/SK joint military exercises?

So we’ve seen destruction at some missile and nuclear test facilities (journalists were invited to watch the destruction at Punggye-ri. Journalists and IAEA reps watched the explosion at Yongbyon in 2008 – the destruction of a cooling tower. After which it was discovered that NK was building a new facility to continue production of fissionable material. And they used another method to cool the reactor at Yongbyon after the cooling tower was destroyed. So destruction at a facility isn’t (a) new or (b) terribly meaningful), agreed to suspend military exercises, and gained NK’s commitment to complete denuclearization. Sounds good on its face, once you add complete denuclearization in there.

But there *is* history in the relationship with North Korea. Objectively – “complete denuclearization of the Korean Peninsula” is what NK was pushing for as it involves eliminating American military presence on the peninsula too. It’s not the same as unilateral denuclearization. And if they want to consider delivery capabilities – complete denuclearization means eliminating all American nukes. Not like anyone included a three page appendix detailing what “complete denuclearization of the Korean Peninsula” means to both parties. There’s also the larger context of American military policy — even if we completely withdraw troops from the Korean peninsula, how does Trump’s desire to expand America’s nuclear capacity reassure, well, anyone?

But SCIENCE!

Trump’s press conference in Singapore where he tells us about the scientific fifteen year time period it takes to denuclearize — WTF? I’ve got all the respect in the world for PoliSci studies, but it’s not *scientifically* required that “you have to wait certain periods of time, and a lot of things happen”. Unless we’re talking about complete decay of the fissionable material – in which case fifteen years is WAAAAAY short. The half-life of U-235 is like 700 million years.

Blending it down to reactor-grade, though – NNSA contracts have down-blended well over a tonne of HEU a year. The problem is 1 tonne of HEU becomes 16 tonnes of LEU. And how many reactors, submarines, and space vehicles do we need to fuel? Doubtful NK’s got facilities for down-blending weapon-grade material, but “de-enrich my stuff at your facility for free and I won’t have nukes” would be a really strong negotiating position — and as much as Trump may decry billions Clinton spent to denuclearize NK … it would be billions well spent if there were no enriched material in the country. And NK has maybe half a tonne of HEU – the logistics of shipping the shit would take longer than down-blending it.

But we’ve got a president looking at what may be a reasonable political estimate of how long it would take the country to denuclearize and calling it a scientific requirement. Which is ironic given the number of *actual* scientific things the administration feels free to ignore.

Fake Wars!

Last week in fake history: just days before the Bowling Green Massacre, Canada invaded Washington DC and razed our federal buildings.

Historical ignorance (and sure it’s scary that Trump is both so ignorant of history AND unwilling to accept counsel), aside — so what if Canada *did* burn down the White House in 1814. Say Canada *were* a country aligned with England, and they participated in the war of 1812 by invading the US and burning DC. How does that make Canada a national security threat TODAY?

Controlling Printer Outlet

We normally keep our printer turned off. Residential printer standby can have a decent draw. It’s something you have to research specific to your printer — some have low single-digit standby draw and waste ink when powered on and off. Others, like ours, have a non-trivial standby draw that isn’t offset by ink savings. The problem is that you’ve got to turn the printer on, print your stuff, and then remember to turn it off. The tiny person remote power controller (i.e. Anya) works for this, but it’s not an elegant automated solution.

Scott set up a smart outlet for the printer – you can tell the Echo to turn the printer outlet on and off now. But you still have to remember to turn it off 🙂

So I set up a print queue on the server & all print jobs are submitted to the server-based queue. A scheduled task on the server checks the print queue for jobs and turns the printer on when jobs are found. When the printer is on but no jobs are in the queue, it waits ten minutes and checks again (otherwise you could turn the printer on & have the batch immediately turn it off. Or worse the job could be out of the queue but still printing!), then turns the printer off if there are still no jobs in the queue. Voila, now the printer turns itself on when you want to print something and it remembers to turn itself off later.

The tricky bit was figuring out how to post ‘ON’ and ‘OFF’ to the OpenHAB2 REST API: send a text/plain -Body containing just the command and nothing else:

Invoke-WebRequest -URI 'http://openhabserver.domain.gTLD:8080/rest/items/Outlet1' -ContentType "text/plain" -Method POST -Body 'OFF'

The script is available at https://github.com/ljr55555/miscPowershell/blob/master/printQueueMonitor.ps1
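The two pieces that took thought here are the REST call itself and the ten-minute grace period before powering off. The Python below is an added example, not the linked PowerShell script: it builds the same text/plain POST with the standard library and isolates the on/off decision in one function so the race conditions described above (powering off an outlet someone just turned on, or while the last job has left the queue but is still printing) can be reasoned about without a printer attached. The host name, item name and grace period are taken from the post; how the queue is read is left to the caller.

```python
"""Decide when to switch a printer's smart outlet from the state of the print queue, and
build the OpenHAB REST call that does it.

Added example, not the script linked from the post. 'openhabserver.domain.gTLD' and
'Outlet1' are the post's placeholder host and item; the ten-minute grace period is the
post's. Reading the print queue is left to the caller (the post uses a Windows queue).
"""
import urllib.request

OPENHAB_URL = "http://openhabserver.domain.gTLD:8080/rest/items/Outlet1"
GRACE_SECONDS = 10 * 60  # queue must stay empty this long before we power off


def build_command_request(command, url=OPENHAB_URL):
    """Build the POST OpenHAB expects: a text/plain body holding only the command."""
    if command not in ("ON", "OFF"):
        raise ValueError("OpenHAB switch commands are ON or OFF, got %r" % command)
    return urllib.request.Request(
        url,
        data=command.encode("ascii"),
        method="POST",
        headers={"Content-Type": "text/plain"},
    )


def send_command(command):
    """Send the command and return the HTTP status (network call; not exercised offline)."""
    with urllib.request.urlopen(build_command_request(command), timeout=10) as resp:
        return resp.status


def next_action(outlet_on, jobs_queued, idle_since, now):
    """Return (command_or_None, new_idle_since) for one scheduled check.

    idle_since is when the queue was first seen empty while the outlet was on (None if
    not idling). Powering off only after the queue has been empty for GRACE_SECONDS
    avoids switching off an outlet that was just turned on, and avoids cutting power
    while a job that has already left the queue is still printing.
    """
    if jobs_queued:
        # Work to do: make sure the outlet is on and cancel any pending power-off.
        return ("ON" if not outlet_on else None), None
    if not outlet_on:
        return None, None
    if idle_since is None:
        return None, now              # first empty check: start the grace period
    if now - idle_since >= GRACE_SECONDS:
        return "OFF", None            # still empty after the grace period: power off
    return None, idle_since           # keep waiting


if __name__ == "__main__":
    # One simulated run of the scheduled task, with a constructed queue history.
    state_on, idle = False, None
    for t, jobs in [(0, 2), (60, 1), (120, 0), (420, 0), (720, 0)]:
        cmd, idle = next_action(state_on, jobs, idle, t)
        if cmd:
            state_on = cmd == "ON"
            print("t=%ds queue=%d -> %s" % (t, jobs, cmd))
```

The scheduled task would call next_action on each run, persist idle_since between runs, and pass any returned command to send_command.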

Bigoted Bakers

The Supreme Court decision in the Masterpiece Cakeshop case clarifies exactly nothing — maybe the ruling would have stood if the review had not disparaged the baker’s religious beliefs. I’m not sure I’d want a baker who hates me (or something I do) to bake me a cake — too many ways to accidentally ruin a cake. Same with the photographer — why risk accidental overexposure or data loss destroying your wedding photos?

But I can see being offended when someone refuses you service based on your sexual orientation (or religion, or ethnicity, or …). I had a whole host of medical problems — eventually learned that my body does not process sugars/carbohydrates well and simply limiting sugars and simple carbohydrates eliminated most of these problems. But a decade before that discovery, the only thing that sorted amenorrhea and fibromyalgia-like symptoms was hormonal birth control pills. My insurance copay was the same amount regardless of where I purchased medication, so I used a small, privately owned pharmacy in a boutique part of town. Until my state passed a law that permitted pharmacists to refuse to distribute anything that contravened their religious beliefs. Shortly thereafter, I got lectured about my sinful promiscuity instead of picking up my prescription. I’m sure there was some way to get the pills from that pharmacy, but frankly I was insulted and more than a little embarrassed. Not that it was the least bit of their business, but I was absolutely celibate. Just didn’t enjoy being chronically exhausted and in pain. Wasn’t worth arguing about, I transferred my prescription to a chain that wasn’t staffed by people who want to pass judgement on my medical prescriptions.

Thinking back to that embarrassment, I hope these anti-discrimination laws get tested by a case where the local officials don’t editorialize — just state the action violates the law and be done with it.

OUD Returning Some DirectoryString Syntax Values As UTF-8 Encoded Bytes

We are still in the process of moving the last few applications from DSEE to OUD 11g so the DSEE 6.3 directory can be decommissioned. Just two to go! But the application, when pointed to the OUD servers, gets "Unable to cast object of type 'System.Byte[]' to type 'System.String'" when retrieving values for a few of our DirectoryString syntax custom schema attributes.

This code snippet works fine with DSEE 6.3.

string strUserGivenName = (String)searchResult.Properties["givenName"][0];
string strUserSurname = (String)searchResult.Properties["sn"][0];
string strSupervisorFirstName = (String)searchResult.Properties["positionmanagernamefirst"][0];
string strSupervisorLastName = (String)searchResult.Properties["positionmanagernamelast"][0];

Direct the connection to the OUD 11g servers, and an error is returned.


The attributes use the same syntax – DirectoryString, OID 1.3.6.1.4.1.1466.115.121.1.15.

00-core.ldif:attributeTypes: ( 2.5.4.41 NAME 'name' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} X-ORIGIN 'RFC 4519' )
00-core.ldif:attributeTypes: ( 2.5.4.4 NAME ( 'sn' 'surname' ) SUP name X-ORIGIN 'RFC 4519' )
00-core.ldif:attributeTypes: ( 2.5.4.42 NAME 'givenName' SUP name X-ORIGIN 'RFC 4519' )

99-user.ldif:attributeTypes: ( positionManagerNameMI-oid NAME 'positionmanagernamemi' DESC 'User Defined Attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' )
99-user.ldif:attributeTypes: ( positionManagerNameFirst-oid NAME 'positionmanagernamefirst' DESC 'User Defined Attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' )
99-user.ldif:attributeTypes: ( positionManagerNameLast-oid NAME 'positionmanagernamelast' DESC 'User Defined Attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' )

I’ve put together a quick check to see if the returned value is an array, and if it is then get a string from the decoded byte array.

string strUserGivenName = (String)searchResult.Properties["givenName"][0];
string strUserSurname = (String)searchResult.Properties["sn"][0];

// OUD hands back the custom DirectoryString attributes as byte[]; decode those as UTF-8
// (the encoding DirectoryString mandates) and fall back to ToString() when the value
// already arrives as a string.
string strSupervisorFirstName = "";
string strSupervisorLastName = "";
if (searchResult.Properties["positionmanagernamefirst"][0].GetType().IsArray){
    strSupervisorFirstName = System.Text.Encoding.UTF8.GetString((byte[])searchResult.Properties["positionmanagernamefirst"][0]);
}
else{
    strSupervisorFirstName = searchResult.Properties["positionmanagernamefirst"][0].ToString();
}

if (searchResult.Properties["positionmanagernamelast"][0].GetType().IsArray){
    strSupervisorLastName = System.Text.Encoding.UTF8.GetString((byte[])searchResult.Properties["positionmanagernamelast"][0]);
}
else{
    strSupervisorLastName = searchResult.Properties["positionmanagernamelast"][0].ToString();
}

Voila

The outstanding question is if we need to wrap *all* DirectoryString syntax attributes in this check to be safe or if there’s a reason core schema attributes like givenName and sn are being returned as strings whilst our add-on schema attributes have been encoded.
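If the answer turns out to be "wrap everything", the check is better done once in a helper than repeated per attribute. The Python below is an added example (not the application's C# code and not anything from Oracle) showing that shape: every value that is bytes is decoded strictly as UTF-8, values that are already strings pass through, and a short list of genuinely binary attributes is excluded so a blanket decode does not mangle photos or certificates. The sample search result is constructed to mirror the behaviour described above; the attribute names are the post's.

```python
"""Normalize LDAP search-result values that may arrive as str or as UTF-8 bytes.

Added example, not code from the original post (which is C#). SAMPLE_RESULT is
constructed to mirror the behaviour described: core schema attributes come back as
strings while the custom DirectoryString attributes come back as raw bytes.
"""

# Attributes whose values really are binary and must never be decoded as text.
# (Constructed list; extend it with whatever binary attributes your schema carries.)
BINARY_ATTRIBUTES = {"jpegphoto", "usercertificate", "objectguid", "objectsid"}


def to_text(value, attr_name):
    """Return a str for a DirectoryString value whether the server sent str or bytes.

    DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) values are UTF-8 by definition, so the
    decode is strict: a value that is not valid UTF-8 points at a schema or transport
    problem and is reported rather than silently replaced with U+FFFD.
    """
    if isinstance(value, str):
        return value
    if isinstance(value, (bytes, bytearray)):
        try:
            return bytes(value).decode("utf-8")
        except UnicodeDecodeError as exc:
            raise ValueError("%s: value is not valid UTF-8 (%s)" % (attr_name, exc))
    raise TypeError("%s: unexpected value type %s" % (attr_name, type(value).__name__))


def normalize_entry(entry):
    """Normalize every attribute of one search result.

    entry maps attribute name -> list of values. Binary attributes are copied untouched;
    everything else becomes str. Keys are lowercased so callers do not depend on the
    case the server happened to return (LDAP attribute names are case-insensitive).
    """
    normalized = {}
    for name, values in entry.items():
        key = name.lower()
        if key in BINARY_ATTRIBUTES:
            normalized[key] = list(values)
        else:
            normalized[key] = [to_text(v, name) for v in values]
    return normalized


def first_value(entry, attr_name, default=""):
    """First value of a normalized attribute, or default when it is absent or empty."""
    values = entry.get(attr_name.lower())
    return values[0] if values else default


# Constructed sample mirroring what the post saw from OUD.
SAMPLE_RESULT = {
    "givenName": ["Test"],
    "sn": ["User"],
    "positionmanagernamefirst": [b"Ren\xc3\xa9e"],  # UTF-8 bytes for "Renée"
    "positionmanagernamelast": [b"M\xc3\xbcller"],  # UTF-8 bytes for "Müller"
    "jpegPhoto": [b"\xff\xd8\xff\xe0"],             # JPEG header; must stay bytes
}


if __name__ == "__main__":
    entry = normalize_entry(SAMPLE_RESULT)
    print(first_value(entry, "givenName"), first_value(entry, "sn"))
    print(first_value(entry, "positionmanagernamefirst"), first_value(entry, "positionmanagernamelast"))
```

Decoding strictly matters here: an application that swallows decode errors would store a garbled supervisor name rather than surfacing the fact that the directory returned something other than UTF-8.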

Isolated Guest Network On Merlin 380.69_2 (Asus RT-AC68R)

We finally got rid of Time Warner Cable / Spectrum / whatever they want to call themselves this week’s overpriced Internet that includes five free outages between 1100 and 1500 each day. But the firmware on the new ISP’s router doesn’t have a facility to back up the config. And if we’re going to have static IPs for all of our speakers, printers, servers … we don’t want to have to re-enter all of that data if the router config gets reset. Same with configuring the WiFi networks. And, and and. So instead of using the snazzy new router, we are using our old router on .2, the new router on .1 … and everything actually connects to the old router, uses the DHCP server on the old router. And only uses the new router as its default gateway. Worked fine until we tried to turn on the guest network.

I found someone in Internet-land who has the exact same configuration and wants to permit guests to use the LAN printer. His post included some ebtables rules to allow guest network clients access to his printer IP. Swapped his printer IP for our router IP and … nada.

And then I realized that the router is not the packet destination IP when the guest client attempts to communicate outside our network. The router is the destination MAC address. So you cannot add an ebtables rule to the router’s IP address and expect traffic to flow.

The first thing you need to do is figure out the upstream router’s MAC address. From the Asus, you can query the arp table. If the command says “No match found in # entries”, ping the router and try again.

root@ASUS-RT-AC68R:/tmp/home/root# arp -a 10.5.5.1
? (10.5.5.1) at a3:5e:c4:17:a3:c0 [ether] on br0

The six pairs of hex numbers separated by colons – that’s the MAC address. You have to allow bidirectional communication from the guest network interface (wl0.2 for us) with the upstream router’s MAC address. You also have to allow broadcast traffic so guest devices are able to ARP for the router’s MAC address.

To have a persistent config, enable jffs and add the config lines to something like services-start:

root@ASUS-RT-AC68R:/tmp/home/root# cat /jffs/scripts/services-start
#!/bin/sh
logger "SERVICES-START: script start"
# Prevent Echo dots from sending multicast traffic to speaker network
ebtables -I FORWARD -o wl0.1 --protocol IPv4 --ip-source 10.0.0.36 --ip-destination 239.255.255.250 -j DROP
# Guest network - allow broadcast traffic so devices can ARP for router MAC
ebtables -I FORWARD -d Broadcast -j ACCEPT
# Guest network - allow communication to and from router MAC
ebtables -I FORWARD -s a3:5e:c4:17:a3:c0 -j ACCEPT
ebtables -I FORWARD -d a3:5e:c4:17:a3:c0 -j ACCEPT
# This should be automatically added for guest network, but it goes missing sometimes so I am adding it again
ebtables -A FORWARD -o wl0.2 -j DROP
ebtables -A FORWARD -i wl0.2 -j DROP


Use -L to view your ebtables rules:

root@ASUS-RT-AC68R:/tmp/home/root# ebtables -L
Bridge table: filter

Bridge chain: INPUT, entries: 0, policy: ACCEPT

Bridge chain: FORWARD, entries: 16, policy: ACCEPT
-d a3:5e:c4:17:a3:c0 -j ACCEPT
-s a3:5e:c4:17:a3:c0 -j ACCEPT
-d Broadcast -j ACCEPT
-p IPv4 -o wl0.1 --ip-src 10.0.0.36 --ip-dst 239.255.255.250 -j DROP
-o wl0.2 -j DROP
-i wl0.2 -j DROP

Voila, guests who can access the Internet & DNS on the .1 router, but cannot access anything on the internal network. Of course you can add some specific IPs as allowed destinations too – like the printers in the example that started me down this path.
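The two steps that are easy to get wrong are reading the MAC out of the arp output and getting the rule order right (the ACCEPTs are inserted at the head of FORWARD with -I, the catch-all DROPs appended with -A). The Python below is an added example, not anything from Merlin or the post's script: it parses the arp -a output format shown above, validates the MAC, and renders the ebtables lines for services-start, optionally adding specific LAN hosts such as the printer from the post that started this. Nothing in it runs on the router; the sample arp output is constructed from the post's own example.

```python
"""Derive the guest-isolation ebtables rules from the upstream router's ARP entry.

Added example, not from the original post. It parses the 'arp -a' output format shown
on the Asus, validates the MAC address, and renders the rule lines the post puts in
/jffs/scripts/services-start. SAMPLE_ARP_OUTPUT is constructed from the post's example.
"""
import ipaddress
import re

# Matches "? (10.5.5.1) at a3:5e:c4:17:a3:c0 [ether] on br0"
ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s+at\s+"
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")
IFACE_RE = re.compile(r"^[a-z][a-z0-9_.]*$")

SAMPLE_ARP_OUTPUT = "? (10.5.5.1) at a3:5e:c4:17:a3:c0 [ether] on br0\n"  # constructed


def mac_from_arp(arp_output, router_ip):
    """Return the router's MAC from 'arp -a <ip>' output, or None if there is no entry yet.

    'No match found in N entries' means the router has not been ARP'd; the post's fix is
    to ping the router and query again.
    """
    for line in arp_output.splitlines():
        if "No match found" in line:
            return None
        m = ARP_LINE.search(line)
        if m and m.group("ip") == router_ip:
            return m.group("mac").lower()
    return None


def guest_isolation_rules(router_mac, guest_iface, allowed_lan_ips=()):
    """Render ebtables commands for a guest SSID that may reach only the upstream router.

    The router is matched by MAC because a guest frame bound for the Internet carries the
    router's MAC as its layer-2 destination, not the router's IP. Broadcast frames are
    allowed so guests can ARP for that MAC. ACCEPT rules are inserted (-I) at the head of
    FORWARD so they are evaluated before the catch-all DROPs appended (-A) for the guest
    interface; anything else between the guest SSID and the LAN is dropped.
    """
    router_mac = router_mac.lower()
    if not MAC_RE.match(router_mac):
        raise ValueError("not a MAC address: %r" % router_mac)
    if not IFACE_RE.match(guest_iface):
        raise ValueError("unexpected interface name: %r" % guest_iface)
    rules = [
        "# Guest network - allow broadcast traffic so devices can ARP for router MAC",
        "ebtables -I FORWARD -d Broadcast -j ACCEPT",
        "# Guest network - allow communication to and from router MAC",
        "ebtables -I FORWARD -s %s -j ACCEPT" % router_mac,
        "ebtables -I FORWARD -d %s -j ACCEPT" % router_mac,
    ]
    for ip in allowed_lan_ips:
        ip = str(ipaddress.IPv4Address(ip))  # ValueError on anything that is not an IPv4 address
        rules.append("# Guest network - permit a specific LAN host (e.g. a printer)")
        rules.append("ebtables -I FORWARD -p IPv4 --ip-destination %s -j ACCEPT" % ip)
        rules.append("ebtables -I FORWARD -p IPv4 --ip-source %s -j ACCEPT" % ip)
    rules += [
        "# Everything else between the guest interface and the bridge is dropped",
        "ebtables -A FORWARD -o %s -j DROP" % guest_iface,
        "ebtables -A FORWARD -i %s -j DROP" % guest_iface,
    ]
    return rules


if __name__ == "__main__":
    mac = mac_from_arp(SAMPLE_ARP_OUTPUT, "10.5.5.1")
    if mac is None:
        print("no ARP entry yet: ping the router and try again")
    else:
        print("\n".join(guest_isolation_rules(mac, "wl0.2")))
```

After applying the generated lines, ebtables -L should show the two MAC ACCEPTs and the Broadcast ACCEPT above the interface DROPs, as in the listing above; if a DROP sorts above an ACCEPT, the ordering of -I and -A got mixed up.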

Playground Time

One of my proudest parenting moments this past year wasn’t even something I taught Anya. She was in pre-school, and there was always a group of people that would hang out after pick-up and play on the little playground. The kids … “parallel play” is the technical term for it — little kids don’t really *play together*. They do their own thing in close physical proximity to another kid. A few bigger/older/more outgoing kids would run around the yard, while the younger/smaller/shyer kids would more or less hide. Anya was younger/smaller/shyer — which made after-school play time not a lot of fun. So I’d play with all of the kids — coordinate an activity so all of the kids were on the same task. Be the ‘finder’ in a game of hide and seek, have two dozen little kids chase me around. Sometimes I’d even have a little physics lesson — there are lots of cool real-life physics things in a playground — kinetic v/s static friction trying to walk up a slide, levers at the seesaw, momentum on a swing. Or math — the kids would pick the number I would count to in hide-and-seek, and sometimes someone would get goofy with it. Count to a million — OK, 100k, 200k, 300k, etc. Count to zero! OK, -10, -9, -8, etc. Once they got started, and after the kids got worn out some, they’d usually start playing together in smaller groups; and I had some time to chat with the other parents.

One day, I had to work during pickup time. My husband ran over to the school, picked up our daughter, and took her into the playground to hang out with her friends. In my absence, one of the other moms took my role and kicked off a game of hide and seek. Other people valued having their kids play together — a couple people told me that they’d started leading group playtime at other parks when they’re out.

I hope a few of these playtime hours are great memories for Anya when she’s older.