Security and Email groups in LDAP

After working with Active Directory since 2000, I’ve clearly become a bit spoiled with the ability to create a group in AD that serves the purpose of both a security group and a distribution group with just one checkbox. Why do I say that? Because in LDAP, there isn’t a commonly used way of achieving that same goal.

LDAP, or Lightweight Directory Access Protocol, is an Internet protocol that services can use to look up information from a server. Active Directory makes use of LDAP which is why you’ll come across terms common to both such as schema.

For the UNIX world, the commonly used schemas are defined in RFCs. For example, the most common objectClass used to define a person – inetOrgPerson – is defined in RFC 2798. This is a really great class to use for storing personal information in an LDAP directory because it has attributes for all of the important stuff you might want to know about someone.

When it comes to groups, though, things get a bit tougher. There is posixGroup which is a good class to use for security needs because it stores a group ID, a description and the members of the group. Rather surprisingly, there isn’t an accepted standard for defining a distribution or email group. There are classes for defining groups of users, such as groupOfNames, groupOfUniqueNames and groupOfMembers. They each have their slight differences and which one(s) you use typically comes down to either personal preference or the tools you are going to be using to manage those groups.

Another curious aspect about groups in LDAP is that there are differences in how the members are represented. For example, posixGroup uses an attribute called memberUid and the value is just that – the uid of the member of the group. groupOfUniqueNames, by comparison, uses an attribute called uniqueMember and the value is the distinguishedName of the member. One of the benefits of using the distinguishedName is that it allows groupOfUniqueNames to contain other groups as members, which posixGroup does not.

So when it comes to trying to maximise the value of a group’s membership by using the group for dual-purposes, i.e. security and email, what can you do? One option is to define your own objectClass and add it to the schema on the LDAP server. That is essentially what Microsoft did but the problem then is that your tools probably won’t know how to work with that class unless you can modify the tools.

Given that the objectClasses do represent members in different ways makes any attempt to “merge” or “overlay” multiple objectClasses to get the desired result is also likely to fail.

For myself, in the end, I decided that I would use posixGroup as the definitive representation of a group and then have a script that reads the various posixGroup groups and creates groupOfUniqueNames groups to match those groups. I wrote the script in Perl and it is at the end of this blog.

Here is a bit more detail about how the script works and how I’ve got my LDAP server set up …

I have an organizationalUnit (OU) called groups, below which I have an OU called mailing and an OU called security. The idea should be clear but all of my posixGroup groups go into ou=security and the script creates the mailing groups in ou=mailing. The script can be used in two ways:

1. Full scan of the security OU. It looks at each of the groups in turn and processes it.
2. Processing of one security group by specifying the cn value on the command line. This functionality is primarily there for use with LDAP Account Manager Pro. This great web-based product allows the administrator to define custom scripts that get run at specified trigger points. In my case, I get it to run the script, passing the cn value, when a group is created or modified, thus ensuring the email group is kept up-to-date.

The logic behind processing a security group is as follows:

• Get the attributes we need from the security group: modifyTimestamp, description, displayName, mail, owner and memberUid.
• If there aren’t any members, we delete the corresponding email group. This is because groupOfUniqueNames has to have at least one member. If you want to use groupOfMembers instead, that restriction goes away and the script could be modified accordingly.
• If the email group already exists and its modifyTimestamp is newer than that of the security group, we don’t do anything else because the implication is that it was created by the script after the security group was created/modified.
• The next step is to delete the email group. This is done rather than trying to figure out the differences in group membership. If you want to get fancy with the code, go ahead but this works for me .
• The final step is to create a new email group, specifying the attributes and members retrieved from the security group.

A few notes about the attributes: the posixGroup class doesn’t allow you to specify a display name (displayName), email address (mail) or group owner (owner). To permit that, I use the objectClass extensibleObject which allows you to add any attribute defined in the schema. LDAP purists tend to frown on this because it could lead to errant attributes being added. If you are concerned, you could define your own objectClass as an auxiliary class in order to allow just those three attributes to be used. Alternatively, the script will work without them since displayName and owner aren’t strictly necessary and the script can auto-create an email address by adding the email domain to the end of the existing cn value.

For the email groups, I again use extensibleObject because groupOfUniqueNames doesn’t allow a display name or email address. The email address is clearly required if you want this to work as an email group and the display name may be required if you are, for example, syncing with Google (which was my requirement) and you want the group to have a “nicer” name than just the cn value. Again, if you don’t like the idea of allowing all attributes to be added, you could define your own objectClass and amend the script accordingly.

Final comments:

• this is my first Perl script and I have been quite lazy in that I have hard-coded the various domain bits into the script. Feel free to improve and, if you want, share back!
• I’ve not used SSL in the connection because the script runs directly on the LDAP server. It is quite straightforward to amend the script to use LDAPS and there are examples on the web on how to do that.
• The script assumes, when converting from memberUid to uniqueMember that all of the UIDs exist in the same OU, namely ou=staff,ou=accounts,dc=example,dc=com. It should be fairly straightforward to extend the script so that it searches for the UID and finds the DN that way.

use strict;

use Net::LDAP;

# See if a group name has been passed on the command line, e.g. from

# LDAP Account Manager

my $groupMatch = "";

# $#ARGV is -1 if no parameters, 0 if 1 parameter, etc. We only

# look for one group name.

if ($#ARGV == 0)

{

$groupMatch = $ARGV[0];

}

# Create a connection to the LDAP server

my $ldap = Net::LDAP->new ( "<LDAP server>" ) or die $@;

my $mesg = $ldap->bind ( "account with appropriate write privs",

password => "account's password",

version => 3 );

my $result = $ldap->search ( base => "ou=security,ou=groups,dc=example,dc=com",

filter => "cn=*",

attrs => ['cn', 'description', 'displayName', 'mail', 'memberUid', 'owner', 'modifyTimestamp'] );

print "Got ", $result->count, " entries from the search.\n";

# Walk through the entries

my @entries = $result -> entries;

my $entr;

foreach $entr ( @entries ) {

my $thisCN = $entr->get_value("cn");

# Only process the group if either we are processing them

# all, or the group name matches.

if (($groupMatch eq "") || ($groupMatch eq $thisCN))

{

print "DN: ", $entr->dn, "\n";

my $deleteEmailGroup = 1;

my $buildEmailGroup = 1;

my $thisModify = $entr->get_value("modifyTimestamp");

my $thisDescription = $entr->get_value("description");

my $thisDisplayName = $entr->get_value("displayName");

my $thisMail = $entr->get_value("mail");

my $thisOwner = $entr->get_value("owner");

my $memberRef = $entr->get_value ( "memberUid", asref => 1 );

if ($memberRef == undef)

{

# No members means we don't build a new email group, regardless

# of timestamps, etc. We do still try to delete an existing email

# group though.

$buildEmailGroup = 0;

}

else

{

# We have members in the security group so now we check timestamps

# so that we only create a new email group if the security group has

# been modified more recently.

# See if the email group exists already and, if it does, when was it

# modified? There is no point in creating the new email group if it

# was modified after the security group.

my $emailGroup = $ldap->search ( base => "ou=mailing,ou=groups,dc=example,dc=com",

filter => "cn=$thisCN",

attrs => ['modifyTimestamp']);

if ($emailGroup->count == 1)

{

my @emailEntries = $emailGroup -> entries;

my $emailEntry = @emailEntries[0];

my $emailModify = $emailEntry->get_value("modifyTimeStamp");

if ($thisModify > $emailModify)

{

print "... security group is newer\n";

}

else

{

print "... email group is newer\n";

$deleteEmailGroup = 0;

$buildEmailGroup = 0;

}

}

else

{

print "... email group doesn't exist.\n";

}

}

if ($deleteEmailGroup)

{

print "  ... deleting old email group\n";

$mesg = $ldap->delete("cn=$thisCN,ou=mailing,ou=groups,dc=example,dc=com");

# If we got an error from that, print the error and don't try to

# create the replacement group

if ($mesg->code() != 0 && $mesg->code() != Net::LDAP::Constant->LDAP_NO_SUCH_OBJECT)

{

print "  ... error while deleting group: ", $mesg->error(), " (code ", $mesg->code(), ")\n";

$buildEmailGroup = 0;

}

}

if ($buildEmailGroup)

{

# If we have members in the group, create a new email group

my $entry = Net::LDAP::Entry->new();

$entry->dn("cn=$thisCN,ou=mailing,ou=groups,dc=example,dc=com");

$entry->add('cn' => $thisCN,

'objectClass' => [ 'groupOfUniqueNames', 'extensibleObject' ]

);

# If we have an email address set that, otherwise make one up

if ($thisMail)

{

$entry->add('mail' => $thisMail);

}

else

{

$entry->add('mail' => "$thisCN\@example.com");

}

# If we have a description, display name or owner, set them

if ($thisDescription)

{

$entry->add('description' => $thisDescription);

}

if ($thisDisplayName)

{

$entry->add('displayName' => $thisDisplayName);

}

if ($thisOwner)

{

$entry->add('owner' => $thisOwner);

}

# For each of the memberUid entries, add a uniqueMember attribute

# $memberRef is a reference to the array, so dereference it

my @members = @{ $memberRef };

foreach ( @members ) {

print "  ... adding $_\n";

$entry->add('uniqueMember' => "uid=$_,ou=staff,ou=accounts,dc=example,dc=com");

}

#         $entry->dump();

print "  ... creating group\n";

$mesg = $entry->update( $ldap );

if ($mesg->code() != 0)

{

print "  ... error while creating group: ", $mesg->error(), "\n";

}

}

print "\n";

}

}

$ldap->unbind;

Converting Blu-Rays to high quality MP4s

Those of you who have followed my occasional blog postings will know that I have a home theatre setup with a Hush PC running Windows 7 with Media Center and a Synology NAS to store full rips of DVDs and Blu-Rays. I use Media Browser as the front-end to all of my stored videos.

Recently, however, two factors have led me to become increasingly frustrated with this configuration:

1. ArcSoft’s Total Media Theatre does not play well in conjunction with Media Browser. The more recent versions of MB have improved the situation but TMT 5 just doesn’t play well. I don’t know if it is the fact that my hardware is now getting a bit old or because TMT 5 just isn’t a good bit of software.
2. Some of the Blu-Rays recently purchased are protected by Cinavia. If you haven’t come across this before, it is an audio watermark designed in such a way that if you play a copy of the content rather than an original source, playback is supposed to stop after a period of time with an error. Now, the version of TMT 5 I was using had not had Cinavia support added but the Blu-Rays wouldn’t play properly, if at all, so I was left wondering if there was a change in the way the discs were being created that my version of TMT 5 was choking on. Upgrading TMT to the most recent version would introduce Cinavia support, which would then totally prevent me from using ripped copies.

So I’ve been researching the various options available to me, focussing mostly on HandBrake. This is a great, free piece of software that does a fantastic job of taking various source material (DVD, Blu-Ray and others) and converting to MP4. It does one job and it does it really well. It does not include any capability for defeating copy protection but I use AnyDVD HD for that.

Now I know that converting Blu-Rays to a different compressed format - both audio and video – is going to lose me some fidelity, and I know that I’ll lose functionality as well, such as the ability to dynamically turn subtitles on and off, or select different audio streams, etc. There are ways to solve this, such as using different containers such as MKV, but Windows 7 doesn’t support MKV natively and I didn’t want to install any more software onto the media PC. According to reports I’ve read, it is possible that the Cinavia watermark survives the transcoding but Windows 7 doesn’t provide any support for Cinavia .

Here are the settings I ultimately ended up with:

• Normal preset
• Video tab: select Fast Decode. I found this necessary to stop the media PC occasionally choking on the playback.
• Audio tab: add an audio track of your choice with the codec set to AAC (faac) and mixdown set to 5.1 Channels.
• Subtitles tab: if your Blu-Ray has any foreign language in it (e.g. Avatar, Star Wars I, Salt, etc), you can choose to have the English subtitles for those sections burned into the video image. This requires a copy of the nightly build of HandBrake and not the stable build at this time (0.9.8 doesn’t support this feature). Just add Foreign Audio Scan, select Forced Only and Burn In. It should be noted that enabling this feature will result in longer processing time as HB then has to scan through the video to see where the subtitles get turned on and off in order to determine if there are any foreign language subtitles to select.

That’s it. I found the resulting video and audio to be of very high quality.

2012 in review

The WordPress.com stats helper monkeys prepared a 2012 annual report for this blog.

Here’s an excerpt:

4,329 films were submitted to the 2012 Cannes Film Festival. This blog had 35,000 views in 2012. If each view were a film, this blog would power 8 Film Festivals

Click here to see the complete report.

VS2012, Windows Phone and the “Reference to a higher version” error

Having installed Windows 8 Pro, Visual Studio 2012 Premium and the new Windows Phone 8 SDK, I was keen to make sure that my Windows Phone 7.1 project still built & worked. That meant getting all of the references to work again.

Most of the references were for packages that I could install through Nuget. However, one was for a Zip file that I had to download and unpack. Upon browsing to the appropriate DLL and selecting it as the reference, Visual Studio promptly reported:

A reference to a higher version or incompatible assembly cannot be added to the project

The ultimate solution was to right-click on each of the files that had been contained in the Zip file, choosing Properties and then clicking on the Unblock button. Once that was all done, Visual Studio then allowed me to add the reference, although it did warn me that it might be unstable! Not a lot I can do about that J.

Win8 development: using the Multilingual App Toolkit

The Multilingual App Toolkit (or MAT for short!) integrates into Visual Studio 2012 and is intended to make it easy to manage the translation of strings through features such as import & export of translations and the use of Microsoft Translator to automate some of the processes.

There are some good videos (http://go.microsoft.com/fwlink/?LinkId=266600, http://go.microsoft.com/fwlink/?LinkId=266603 and http://go.microsoft.com/fwlink/?LinkId=266604) and articles (http://msdn.microsoft.com/en-us/library/windows/apps/xaml/JJ572370(v=win.10).aspx and http://msdn.microsoft.com/en-us/library/windows/apps/xaml/hh965329.aspx) on how to use MAT but I still couldn’t get my app to use the translated strings. The app continued to use the strings that I was putting into my English resource file.

Here is the answer: you must mark each and every string as Signed off in the Multilingual Editor (so that the blob on the left hand side of the window goes green) before those strings are used. Once you’ve done that, you should then see the strings being used so long as you’ve set your display language appropriate in Windows.

 

Win8 Development: getting icons

One of the significant improvements from developing for the Windows Phone platform is that Windows 8 supports XAML as an image type, allowing you to provide vector graphics rather than rasterised. This ensures that you get the crispest, cleanest iconography you can have because the OS will scale the images appropriately.

One of the sites that I’ve used in the past is the Noun Project. They have some stunning icons, all of which can be downloaded in SVG format … but how to then get that into XAML?

The simplest method I’ve found so far is Mike Swanson’s free Adobe Illustrator to XAML Export plug-in. Download, copy to the right directory, open the SVG file in AI, choose Export > XAML.

Job done.

Well, almost. You’ve then got to incorporate that into the project as a resource, but that’s for another blog .

 

Win8 Development: major gotcha in page navigation

One of the major differences in page navigation between Windows Phone 7 and Windows 8 “Modern UI” apps is that the latter allows you to pass an object to the page whereas Windows Phone 7 is pretty much limited to simple items because navigation is done in the form of a URL.

Unfortunately, it turns out that while passing objects to a page does work, it causes a problem with the SuspensionManager because the object cannot be serialized. If you try, the call that SuspensionManager makes to Frame.GetNavigationState() results in an exception.

This took me a while to figure out (mainly because I’d forgotten that I’d been extending my code by passing objects to the pages) but also because I didn’t read the debug output closely enough to see this message:

WinRT information: GetNavigationState doesn’t support serialization of a parameter type which was passed to Frame.Navigate.

So, the upshot is that if you’ve written a Windows Phone app, you can pretty much stick to the same navigation methodology, passing simple objects to the page.

Reference: Microsoft Connect

How to inspect SQLite databases?

For the purposes of looking at the databases that my fledgling Windows 8 app creates, I’ve decided to try SQLite Administrator: http://sqliteadmin.orbmu2k.de/. This is a free tool that allows you to enter SQL queries to execute against the database. It means I need to brush up on my SQL but the tool isn’t too bad. Depending on how much I end up needing to look at the data, I may decide to try SQLite Spy (http://www.yunqa.de/delphi/doku.php/products/sqlitespy/index) which was another tool suggested by a discussion on StackOverflow, which in turn also references a big list of tools on SQLite’s own web site … so my journey to find a nice tool may not end here …

Win8 Development: coping without EntityRef and EntitySet

In a recent post, I mentioned that the version of the .Net framework being used by Windows Store apps doesn’t have any support for EntityRef and EntitySet. I have used these extensively in my WP app to link database tables together. I posted on StackOverflow to see if there were any suggestions and one was to use System.Data.SQLite, which provides ADO.NET interfaces to SQLite. However, I was put off this suggestion for a few reasons:

1. The FAQ says that all System.Data.SQLite objects that implement IDisposable, either directly or indirectly, should be explicitly disposed when they are no longer needed in order to avoid memory leaks. The way it was worded was a bit off-putting in as much as how am I supposed to figure out which objects implement IDisposable, particularly indirectly?
2. There doesn’t appear to be a WinRT version yet. There are 32-bit and 64-bit Windows versions but what about ARM?
3. Would this work with SQLite-net or instead of? SQLite-net has good support for asynchronous working which may be lost if this works instead of that library.

So, in the end, I’ve decided to take a simpler approach and deal with it by hand. Where a child table is linked to a parent table, the child has an extra row defined that is a nullable int to store the ID for that parent table. Then, in the class for the parent table, I define an “Add” function like this:

public ChildClass Add(ChildClass child)
{
    Debug.Assert(this.ID != 0);
    child.ParentClass = this.ID;
    return child;
}

The purpose of the Assert is to make sure that the parent class has been inserted into the database and therefore has its primary key column set. In my code, when I want to create a new child class, I have a routine called AddChild which then returns the new child object. Because the above Add routine returns the class that is passed to it, this allows me to go:

_db.Update(_parent.Add(AddChild(parameters)));

The AddChild routine creates a new instance of the Child class and then calls _db.Insert(_child) so that the Child instance is added to the database and gets it’s ID value. The rest of AddChild does other bits to the members of the class but doesn’t call _db.Update. I rely on the above line to do the setting of the parent’s ID and calling Update all in one go so that writes to the database are minimised.

The above works but isn’t ideal. One way in which EntityRef and EntitySet are clearly better is that they enforce the correct class usage. For example, if the Child class could be linked to Parent and StepParent, my method wouldn’t do anything to stop me inadvertently setting the child’s ParentClass value to the ID of the StepParent class if I got my logic wrong somewhere. EnttiyRef/EntitySet would handle that because of the type linkage.

Win8 Development: Stumbling Block #1

This could be a bit of a show-stopper but Windows Store apps have their own flavour of .NET – yes, yet another variant of the framework and it seems even more restrictive than the Silverlight version that Windows Phone has.

The stumbling block in my case is the complete absence of EntityRef and EntitySet. These are used extensively in my WP app to link tables together and I’m struggling to figure out how to get the code to work without them. I’m still searching …