Docker and .NET Core Linux Performance Tracing
_Note: This is an old post that was sitting in my drafts for a long time. It might still be useful to someone, as most of the content is still relevant._
You should check out dotnet-monitor if you are using .NET Core 3 and above! It promises to make the whole thing a lot easier. I’ve left the content below for posterity, but it’s very out of date now.
Sysdig - A general purpose system capture and analysis tool
I’ve just been looking at a nice new tool called sysdig, which seems to be really useful for analysing and troubleshooting on production systems. There’s a great blog post by Gianluca Borello, detailing how he set up a number of honey-pot servers with poor passwords, and then captured system activity with sysdig, showing exactly how his server was compromised, and what the hacker did at each stage. The level of detail he was able to garner is astounding, and I can see how powerful this tool could be in the future, for any sort of troubleshooting where it’s not clear exactly what has happened/is happening on a system.
Active Directory to OpenLDAP Sync with LSC
Old Article Comments
I exported these from my old wordpress blog, so they are a bit out of date, but I thought I’d keep them around for posterity.
[vinay shetty] - Super explanation.. Thanks a lot
[Anderson] - Hi Chris, how can I synchronize passwords (no plain text) between OpenLDAP and Active Directory?
Synchronizing users with LSC-project | Opencloud engineering - […] -w ‘xxx’ Useful links: 1) Official LSC tutorial OpenLDAP to AD 2) Good blogpost AD to OpenLDAP 3) Official LSC documentation This entry was posted in Uncategorized and tagged ad, java, ldap, […]
[ebooster] - Hi Chris, Thanks for this. I was curious, did this config allow you to receive event notifications from Active Directory ? Namely, when an entry changed there, did lsc receive that change event automatically and near instantly ? That is what I am looking to do with no luck so far but I’m looking a bit closer at your configuration.
[chrisgilbert42] - Hi, if I remember correctly, this just synced on a schedule. It didn’t have a way of receiving events at the time. I am not sure if LSC can do that or not - it worked well for me as a scheduled tool, and is very flexible, but not that easy to get working for all purposes. It’s worth looking into AD LDS and federation as alternative approaches. If an external organisation needs access to AD records, then something like using federation on Azure is worth a look too (https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect-azure-adfs/). But in our case we just cared about having a strongly enforced DMZ.
[chrisgilbert42] - Oh, I almost forgot, at Hudl we use Okta as a powerful alternative for authenticating to cloud services. Worth a look.
[ebooster] - Thank you much Chris.
[chrisgilbert42] - I’ve had a quick look around and I can’t find it now either. My article is a few years old now, and I work somewhere different, so I can’t be sure I’m giving you great advice. However - first check this method is the best one to meet your use case. Since I wrote it, ADFS (federation services) has got much better, and Microsoft also hosts an Azure-based AD which can sync with your on-prem one. We were trying to create a strict DMZ, which we believed at the time was required, but there were other ways of solving the problem too. Also look at using newer real authentication protocols like OAuth, SAML and so on to solve single sign-on problems. LDAP is really an old fallback these days, and is not a particularly secure way of authenticating. Also, check out Okta SSO - this is a good way to control access to cloud products that your team uses, hooked into AD auth. It works well and has Chrome/Firefox plugins and mobile apps; that’s something we use at Hudl. If you give me a bit more information on the problems you are trying to solve I can maybe help further. For most companies, I’d start by looking at a cloud-first solution to SSO and authentication sharing, because most people are accessing cloud apps all over the place now, with or without the IT department’s consent.
[chrisgilbert42] - Oh, I also found this for a similar commercial tool: https://www.manageengine.com/products/self-service-password/active-directory-password-synchronizer.html
[Jens] - Thanks for the article. I didn’t find anything on the web about hkpassword. Is the tool still available? Are you aware of other ways to sync the passwords from AD?
Active Directory to OpenLDAP Sync with LSC
I have recently had to sync accounts and groups from Active Directory to OpenLDAP, to meet a requirement for a directory server in the DMZ. A DMZ (demilitarised zone) is an area of the network open to the internet. It’s supposed to be separate from the rest of your LAN, so you can run services facing the internet without fear that people can break into your LAN from them. There are other options for doing this, including a read-only domain controller (RODC), an AD LDS (Lightweight Directory Services) instance and so on, but they all require connectivity back from the DMZ to the LAN, which is precisely what we are trying to avoid.
If you start from the premise that no traffic at all may flow into the LAN from the DMZ, then how do you authenticate your users’ accounts? The only real answer is a directory server in the DMZ, and to save our own users having to have multiple logins, clearly some sort of account sync would be required. We looked at a tool called LSC (LDAP Synchronisation Connector), which is designed for syncing various directory sources to and from each other. It’s a very capable product, and now that I’ve gone through the learning process, I will have to remember it for similar tasks in the future (it can read from and write to databases, CSV files and so on too).
Setting it up has some gotchas, not least password sync, which requires another method; I will leave discussion of that until later. First of all, I needed to get our users and groups into OpenLDAP from Active Directory. This required a config file, a modified version of which is below:
Simple Steps to Use Yum Rollback on Centos / RHEL 5
Some nice instructions on a simple backup/rollback technique for packages on CentOS / RHEL 5. This can be accomplished even more easily in newer versions of yum, such as on CentOS / RHEL 6, with the ‘yum history’ command. There’s a nice undo feature there now that makes it trivial to revert a change if you have problems with a package update for any reason.
Increasing VMWare Disk Sizes in Linux Without Rebooting
You can increase disk sizes in VMware guests whilst they are running. This is supported, but Linux will not see the new size of the disk until it reboots. There is a way around this (assuming here that we are using LVM disks):
1. Increase the disk size in the VMware settings.
2. Log on as root to the Linux guest system.
3. Do:
echo "1" > /sys/class/scsi_device/<device>/device/rescan
..where
Working With Haproxy
Old Article Comments
I exported these from my old wordpress blog, so they are a bit out of date, but I thought I’d keep them around for posterity.
[Andy Dorfman] - Excellent article. Do you think this setup will work to load balance/failover several non-clustered WebLogic instances? In my current setup, I have Apache RP listening on port 443 with SSL termination and forwarding everything to the WebLogics, listening on port 80. Unfortunately the failover is not very smooth. HAProxy sounds like a more robust solution. Can this be accomplished with HAProxy?
[chrisgilbert42] - Hi Andy. Yes, HAproxy will work in front of a couple of standalone managed servers. In the case of a non-clustered environment though, you might find the problem is to do with the session failover - that won’t work without clustering features enabled. If you aren’t worried about session failover, and have a mostly public web application, then it should work fine. Say you are running two standalone weblogic servers, and you don’t care about session state, then HAproxy can do a decent job of detecting when one is down, and straight away routing traffic to the other. It’s actually a general purpose proxy, it works with any protocol, not just HTTP. If users do have sessions though, then they will have to log in again on the second node. That’s always going to be the case without a cluster though, as the Java servlets hold the session state, and if you don’t replicate them, then the user will lose anything in the session when they switch nodes (this could be shopping cart contents, etc). However, you might also want to look at the Weblogic plugins for Apache, which could help you if you are not already using them. These help route requests to only active managed servers, and have the added advantage that they can automatically resubmit a failed request to another managed server. I have not tried this set up without a cluster, but I think it possibly works OK. Chris
Working With Haproxy
Although I have worked with enterprise environments running Oracle and SQL Server for quite a few years, I’ve yet to be involved in a real high-availability deployment. This has been for a variety of technical reasons in our company’s application, and a lack of interest from most customers. Recently, I explored the options and had the opportunity to test some load balancing setups for our application servers at a customer site. I was impressed with the reliability and reputation of the HAproxy software, so had a look at that to begin with. In the past this software was unable to terminate SSL connections, and had to enlist help from other applications in order to achieve that. The latest versions have SSL support though, and aside from a bit of compiling from source, are easy to install. Here’s how I did it, on CentOS 6.4.