Securing PWM

In last week's post we set up PWM insecurely. In this post we are going to lock it down and install MariaDB (through the puppetlabs-mysql module, which is why the classes below are still named mysql) to store the reset questions. First we need to install the server, create a database, and add a user with rights to that database. To do that, append the following to our manifest.pp:

# Credentials here sit in plaintext in the manifest: keep manifest.pp out of
# shared repositories or pull the values from hiera-eyaml.
class { '::mysql::server':
    root_password           => 'My4cc0unt$$password!',
    remove_default_accounts => true,   # drops anonymous users, remote root, test db
    package_name            => 'mariadb-server',
    package_ensure          => 'installed',
    service_name            => 'mariadb',
}

mysql::db { 'pwm':
    user     => 'pwm',
    password => 'pwm_passworD2!', # Can't do a password hash here :(
}

class { 'mysql::bindings':
    java_enable => true,
}

file { '/opt/tomcat8/pwm/lib/mysql-connector-java.jar':
    ensure  => link,
    target  => '/usr/share/java/mysql-connector-java.jar',
    require => Class['mysql::bindings'],
}
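
Once the manifest has been applied, it is worth confirming that remove_default_accounts actually did its job rather than trusting the catalog run. The following shell snippet is an added example, not part of the original post or of the puppetlabs-mysql module: it audits a User/Host dump of mysql.user and flags the anonymous accounts and non-localhost root logins that the module's account_security class is meant to remove. The rule that pwm may only log in from localhost is this example's own assumption (the manifest links the JDBC connector into /opt/tomcat8 on the same box, so the account has no reason to accept remote logins), and the two samples are constructed, not captured from a real server.

```shell
# Added example (not from the original post): audit a dump of mysql.user
# after the manifest runs. puppetlabs-mysql's remove_default_accounts is
# meant to drop anonymous users and every root login except root@localhost;
# this function prints anything that survived. Input is tab-separated
# "User<TAB>Host" lines, as produced by:
#   mysql -N -B -e 'SELECT User, Host FROM mysql.user'
# The pwm rule is an assumption of this example: Tomcat and MariaDB share
# a host (the manifest links the connector into /opt/tomcat8), so the
# application account should not accept remote logins.
# Exit status: 0 when clean, 1 when at least one finding was printed.
check_mysql_accounts() {
    awk -F '\t' '
        $1 == ""                          { print "anonymous account @" $2; bad = 1 }
        $1 == "root" && $2 != "localhost" { print "root login allowed from " $2; bad = 1 }
        $1 == "pwm"  && $2 != "localhost" { print "pwm login allowed from " $2; bad = 1 }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample: what a fresh MariaDB install looks like before hardening
# (db01 stands in for the server's hostname).
sample_before() {
    printf 'root\tlocalhost\nroot\t127.0.0.1\nroot\t::1\nroot\tdb01\n\tlocalhost\n\tdb01\npwm\tlocalhost\n'
}

# Constructed sample: the state the manifest should leave behind.
sample_after() {
    printf 'root\tlocalhost\npwm\tlocalhost\n'
}

if sample_before | check_mysql_accounts; then
    echo "unexpected: unhardened sample passed"
fi
sample_after | check_mysql_accounts && echo "hardened sample is clean"
```

On the real host, pipe the mysql query above into check_mysql_accounts; a non-zero exit means something the manifest should have removed is still present.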

We will also need to install additional modules:

Password management portal for end users

We in IT have heard it often: the #1 request coming into help desk ticket systems is password resets, account lockouts, and the like. PWM is a password reset web application written in Java for use with LDAP directories. You can configure it to work with Active Directory, OpenLDAP, FreeIPA, and others. There are already a handful of good tutorials on how to set up PWM (I think of this one in particular); however, I want to demonstrate the puppet apply command in this tutorial.


This guide assumes you have an Active Directory server with TLS set up (to change passwords) which is beyond the scope of this post. It also assumes you have a CentOS 7 instance which can communicate to the Active Directory server. It also assumes this is in an environment without a puppet master/server. The end manifest can be uploaded to a master and used that way.


Avoiding Catastrophic Failure

You may have already heard the news about Delta Airlines' catastrophic failure. Ars Technica reports the true cause: routine maintenance of the power generators. Housing your entire infrastructure in a single datacenter may sound presumptuous, or like something to brag about, but it is not the best method. The blame is often placed on IT personnel when computer systems go down, yet in this case the error is shared: a maintenance worker who did not spot the fire risk, a building planning committee that placed the power sources too close together, an IT budgeting team that did not fund an off-site solution, and a CTO misinformed about the infrastructure needs of a worldwide company. A catastrophic failure is anything that damages a company's reputation.

I can understand the single point of failure; it is often found in SMB/non-profit environments. The odds of that single point actually failing look marginal at best, so it gets overlooked time and again, with everyone hoping the scenario never arrives. Budgetary constraints are usually the first roadblock, the second is the time to implement, the third is internal security practices around customer data, and the fourth is the belief that the time to restore after a catastrophic failure will be under 24 hours. All of these shrink the single point of failure in our minds, until it slides from concern #1 to #100 on the "do someday" list.

We live in the best computer age right now. Catastrophic failures can be avoided. Here are a few ways to prevent catastrophic failures.


Common problems with Web Developers configuring LAMP/LEMP

I am a SysAdmin who likes to code. I would say I know a fair amount about web development, but I do not understand it the way a web developer does. I think the reverse is true as well: web developers know how to set up a LAMP/LEMP stack, but they do not understand it as well as a SysAdmin might.

To be a successful SysAdmin, you need to relearn your field every 3-5 years. New versions of software, new OSes, new features, new methods, and new ideas come out every few months, and keeping up with them takes someone dedicated to reading news blogs and mailing lists and following the right people on social media. Web developers do not have that time to dedicate to operations work. They only need the infrastructure to work for their project, and it does not matter how well tuned the software is: if it works, that is all they need. Below are some common pitfalls I see with web developers.

The future without Microsoft Office products 

I recently submitted a proposal to remove Microsoft Office from my network and switch to Google Apps for Work and LibreOffice. This would save roughly $17.50 per user per month (the GAFW $5 plan versus Office 2016 Professional Plus, Corporate, Open License, License Only). Some may argue that there are better license options with Microsoft and that the $508 per user per 2 years figure (with the open license; source:) is not a fair estimate; however, it is also not fair to compare a stagnant version of Office against the always-updated GAFW or LibreOffice.

Refreshing Ruby Knowledge

I see a trend in system administration tasks moving toward the Ruby programming language. Yes, you can still code in Perl, Python, shell, etc., but Ruby seems to be growing in popularity as a scripting language. It should be: it is certainly easier to type and it has a big community behind it. I was first introduced to Ruby in 2009 and, immediately after learning Ruby, I learned Ruby on Rails. At the time, Rails and the MVC model were too advanced for me, so I never used what I had learned, mostly because Rails does so much "automatically, so you do not need to include it in your code" that it was difficult for a beginner.

Now nearly 7 years later, I am taking Ruby off my virtual bookshelf and blowing the bugs off of it and refreshing my knowledge – this time leaving Rails out of the picture. So far I am liking plain Ruby. Below are some resources I have used to sharpen my Ruby skills.


Bonus: Setting up the exercism client on Fedora 24

The exercism client is written in Go. Go can fetch and install other Go programs as long as you have a Go workspace set up. To do that we will issue the following commands:

# To install go. The Fedora package puts the go binary in /usr/bin, so
# GOROOT does not need to be set.
sudo dnf install golang

# To set up the workspace. Note that bash reads ~/.bash_profile in
# preference to ~/.profile, and Fedora creates ~/.bash_profile by default,
# so add these lines to whichever file your login shell actually sources.
mkdir -p ~/gocode/{bin,src,pkg}
echo 'export GOPATH=$HOME/gocode' >> ~/.profile
echo 'export PATH=$PATH:$GOPATH/bin' >> ~/.profile
source ~/.profile

Those commands will set up the Go workspace and allow you to issue the next command: go get -u
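
The two echo lines in the setup above are not idempotent: run them twice and the profile ends up with duplicate export lines. The following is an added example, not from the original post, that wraps the same workspace setup in a function which appends each line only when it is missing, so the setup can be re-run safely. The profile and workspace paths are parameters (an assumption of this example; the post hard-codes ~/.profile and ~/gocode), and the demo writes to a throwaway directory from mktemp rather than to your real profile.

```shell
# Added example (not from the original post): an idempotent version of the
# Go workspace setup. ensure_line appends a line to a file only if that
# exact line is not already present, so repeated runs do not stack up
# duplicate export statements in the shell profile.
ensure_line() {
    file=$1
    line=$2
    [ -f "$file" ] || : > "$file"
    grep -qxF -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

# Create the GOPATH layout (bin/src/pkg) and record GOPATH and the PATH
# addition in the given profile. Both paths are parameters here so the
# function can be exercised against a scratch directory; for a real login
# pass the profile your shell reads, e.g. ~/.bash_profile on Fedora.
setup_go_workspace() {
    profile=$1
    workspace=$2
    mkdir -p "$workspace/bin" "$workspace/src" "$workspace/pkg"
    ensure_line "$profile" "export GOPATH=$workspace"
    ensure_line "$profile" 'export PATH=$PATH:$GOPATH/bin'
}

# Demo against a throwaway directory; the second call changes nothing.
demo=$(mktemp -d)
setup_go_workspace "$demo/profile" "$demo/gocode"
setup_go_workspace "$demo/profile" "$demo/gocode"
cat "$demo/profile"
rm -r "$demo"
```

For the real thing, call setup_go_workspace with your login profile and ~/gocode, then source the profile as in the post.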

Linux training on sale until 7/31/16

The Linux Foundation is offering select courses at a discount until 7/31/16. Some offers are up to 55% off. You can also get an additional 10% off in check-out by using the code GSHOP. That brings the prices down to:

$180 – For Essentials of System Administration (LFS201) or Linux Networking and Administration (LFS211)

$315 – Essentials of System Administration AND Linux Networking and Administration

$269.10 – Certified Linux SysAdmin or Certified Linux Engineer

$495 – Certified Linux Rockstar

You can find these prices by using their special system administrator appreciation sale page and using the checkout code GSHOP. If you were looking for a time to level up your Linux knowledge, now is the time to do it.

OpenWRT Captive Portal

In a previous post, I explained how to set up a captive portal on a Raspberry Pi which was running Raspbian (Debian). If you read that article, you can skip the next paragraph.

A captive portal is a piece of software that prompts for user interaction before allowing the client to access the internet or other resources on the network. It is a combination of a firewall and a web server. In this tutorial, I will explain how to create an open WiFi network on OpenWRT firmware. Before deploying an open WiFi network, you may want to consult a lawyer about the legality of and restrictions on running one. You can also review what lawyers have said here and here.

To set up a captive portal on a wireless access point (WAP), you will need the OpenWRT firmware installed and at least 5 MB of free space. My TP-Link 1043ND had enough space, and this article was tested against it. This article assumes you have OpenWRT installed without any additional add-ons and have plenty of space to spare.


Puppet with Mac and GNU/Linux

Puppet on Mac is a mixture of Puppet on Linux and Puppet on Windows. Registry settings are called "secrets", and to make things easier you need to install Homebrew.

Enforcing a local admin is a little tedious. Over the past few OS X releases, Apple has changed its password hashing algorithm several times, so setting up one single local admin requires a few case statements based on the release version.


Puppet with Windows

Using Puppet on Windows workstations can be a challenge. The different architectures (x86 and x86_64) can affect how packages are declared. I have decided to ignore 32-bit systems and treat everything as 64-bit; after all, it is 2016 and 32-bit should not be deployed.