Recently I was working on a PaloAlto VPN and had to set up the Duo Authentication Proxy service. This allowed the VPN to auth as a RADIUS client, the first stage being LDAP auth to a RedHat 9 FreeIPA server, and the second stage being Duo itself. This was working great, but it meant I had to manage users in 2 places every time someone came or went, which is less than ideal. Duo has the possibility to do an External Directory Sync with the same tool, but they only seem to support OpenLDAP and not actual FreeIPA. However, I was able to get this directory sync working with a little modification, and here’s how:

A note before we begin, in all of the below I’m assuming you’re setting things up from scratch.

1) Log in to the Duo admin portal, go to Users => External Directories and set up a new one. It will ask you what connection to use, you’ll create a new one. It gives you an Integration key, Secret Key, and API Hostname you need to put into your Duo Authentication Proxy config file. You also need to have a user who can bind to LDAP and configure that in the same place. So this section in the INI-style config file ends up looking like (note that the service_account_username assignment breaks into 2 lines here, it is a single line without the backslash and newline in my actual config):

[cloud]
ikey=<integration_key>
skey=<secret_key>
api_host=<api_hostname>
service_account_username=uid=mybindaccount,cn=users,\
    cn=accounts,dc=mydomain,dc=com
service_account_password=<mybindaccount_password>

Now, restart the Duo Authentication Proxy service. Back on the Duo connection config page, give it the hostname of your FreeIPA server, and I used port 389. Specify the base DN, it would be “cn=accounts,dc=mydomain,dc=com” in this example. Authentication type is plain, and I used a STARTTLS Transport Type. On a FreeIPA-enabled machine, see /etc/ipa/ca.crt for the CA certificate – paste that into the “SSL CA Certs” box. Save the config, and your connection should be all set.

2) Now for the sync settings. The username attribute is “uid”, the Display Name attribute is “displayname”, and Email Address is “mail”. You can optionally add more attributes, but this is up to you, just the above was fine for me. Now’s when you’ll pick a group, an easy win is to just pick the group “ipausers” which is everyone. Click save on this config, and note that while it reports success in saving, the whole thing doesn’t work – the “ipausers” group wasn’t saved no matter how many times you try, so it “successfully” syncs 0 groups and 0 users, hardly useful. The reason is that Duo is looking for each entry to have a value named entryUUID, but FreeIPA uses an attribute named IPAUniqueID.

3) Patch the Duo Auth Proxy service to replace “entryUUID” strings with “IPAUniqueID”. The magic happens in the pkgs/duoauthproxy/duoauthproxy/modules/drpc_plugins/ldap_base.py file. At line 294, you need to patch any search filters:

  if filter_text is not None:
    # print("brosepatch filter before: " + filter_text)
    # Rewrite the attribute name in the search filter Duo sends
    filter_text = filter_text.replace("entryuuid", "ipauniqueid")
    # print("brosepatch filter after: " + filter_text)

At line 307, you need to delete the “entryuuid” attribute from the list and add the “ipauniqueid” attribute:

  if "entryuuid" in attributes:
    # log.msg("brosepatch: replacing entryuuid with ipauniqueid for query!")
    # Ask FreeIPA for the attribute it actually has
    attributes.remove("entryuuid")
    attributes.add("ipauniqueid")

And finally, at line 377, we need to swap the name of the value back before returning it to the Duo cloud:

  # log.msg("brosepatch result before: ")
  # print(result)
  # log.msg("brosepatch iterate over result and fix...")
  # Rename the attribute back so the Duo cloud sees the name it expects
  for broseitem in result:
    if 'ipauniqueid' in broseitem:
      broseitem['entryuuid'] = broseitem.pop('ipauniqueid')
  # log.msg("brosepatch result after: ")
  # print(result)
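The three edits above are one attribute-name mapping applied in two directions: on the way out (filter and requested attributes) and on the way back (result entries). As an added example, not code from the Duo Authentication Proxy or from this post, here is the same mapping as a self-contained shim; the function names are my own, and it generalises the plain string replace to LDAP’s case-insensitive attribute names, so a filter written as entryUUID is rewritten too.

```python
import re

# Constructed example, not Duo's code: the attribute name Duo's cloud keys
# entries on, and the equivalent stable identifier FreeIPA exposes.
CLOUD_ATTR = "entryuuid"
IPA_ATTR = "ipauniqueid"

# LDAP attribute names are case-insensitive, so match any casing in filters.
_CLOUD_ATTR_RE = re.compile(re.escape(CLOUD_ATTR), re.IGNORECASE)


def rewrite_filter(filter_text):
    """Outbound: rewrite a search filter so FreeIPA is asked for ipaUniqueID."""
    if filter_text is None:
        return None
    return _CLOUD_ATTR_RE.sub(IPA_ATTR, filter_text)


def rewrite_attributes(attributes):
    """Outbound: swap entryUUID for ipaUniqueID in the requested attribute set."""
    return {IPA_ATTR if a.lower() == CLOUD_ATTR else a for a in attributes}


def rewrite_results(result):
    """Inbound: rename ipaUniqueID back to entryUUID on every returned entry,
    leaving all other attributes (uid, mail, displayname, ...) untouched."""
    fixed = []
    for entry in result:
        fixed.append({
            CLOUD_ATTR if key.lower() == IPA_ATTR else key: value
            for key, value in entry.items()
        })
    return fixed


if __name__ == "__main__":
    # Constructed sample request and FreeIPA-style response
    print(rewrite_filter("(&(objectClass=person)(entryUUID=*))"))
    print(rewrite_attributes({"uid", "mail", "entryuuid"}))
    print(rewrite_results([{"uid": ["alice"], "ipaUniqueID": ["1234-abcd"]}]))
```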

4) Finish up. Recompile the Duo Auth Proxy with those patch changes, install it, and restart the service. You can see the changes happening in the logs if you uncommented the debug log/print statements. You can now go back to the Duo Admin web portal, maybe log out and back in to clear any cache, and now you will be able to select a group. I found that for some reason, I still could not select the “ipausers” group, but I could select any group that I created manually with the CLI “ipa” utility on the FreeIPA server. So, I simply did this:

[root@freeipaserver ~]# ipa group-add myorg
-------------------
Added group "myorg"
-------------------

[root@freeipaserver ~]# ipa group-add-member myorg
[member user]:
[member group]: ipausers
[member service]:
[member User ID override]:
Group name: myorg
GID: …
Member groups: ipausers
Indirect Member users: every, user, in, the, directory
-------------------------
Number of members added 1
-------------------------

I also had to modify the FreeIPA default permissions so that the binding account could read the things that were needed:

[root@freeipaserver ~]# ipa permission-mod \
    'System: Read Groups' --includedattrs=entrydn
[root@freeipaserver ~]# ipa permission-mod \
    'System: Read User Standard Attributes' --includedattrs=mail \
    --includedattrs=entrydn

That’s it! You can now set the Duo Admin Web Console to use the group “myorg” and any new users will automatically sync into Duo, and any deleted users will end up in Trash. I also enabled high-frequency syncing because I am impatient. Perfect!

Happy 2-factoring!

Recently, [my wife] suffered an automotive breakdown while driving our 2008 Toyota Corolla CE. I was not present for this one, but sounded like a normal driving experience until she stopped at a red light. When it turned green, she pressed the gas, and very little happened other than the “check engine” light illuminating. She got towed to the dealer, who came back with this assessment:

“NO LIGHTS ON WHEN VEHICLE WAS PULLED IN FOUND CODES P0606 AND P0607 IN SYSTEM FOR ECM. VEHICLE HAS EXHAUST LEAK BUT IT IS AFTER THE SECOND EXHAUST SENSOR SO IT SHOULD NOT BE AFFECTING ISSUE. VEHICLE WAS DRIVEN AND DROVE NORMAL AND NO LIGHTS CAME BACK ON. BOTH CODES INDICATE POSSIBLE ECU GOING BAD START WITH ECU REPLACEMENT.”

They wanted $1,031.76 for this ECU replacement. Additionally, they said because of the exhaust leak, they want to replace the entire exhaust system for $3,296.69. So, total damage would be $4,328.45. I think we can do better than that.

I did know there was an exhaust leak, but until this incident, I was not aware that such a thing could make an ECU vomit all over itself. While researching this before hearing back from the dealer with the prognosis, I found [this article]. Thanks, Robert from Massachusetts!

I happened to have already ordered a new catalytic converter, resonator and intermediate pipe, and muffler kit since I knew about the exhaust leak previously. I’ve already done this job before, and used Walker brand parts. And here I am, maybe 10 years later, needing to do it again. So, this time I paid for premium stainless steel parts from Magnaflow & BRExhaust. Total with tax & shipping was $1,118.33. I also ordered new oxygen sensors, both upstream and downstream, because Robert’s article alludes to the fact that it could be just the sensor itself even without the leaks. And plus, why fight with getting an old sensor out just to install it in a brand new system – let’s go brand new the whole length (except the exhaust header).

Now, when I talked to the Toyota tech, he sounded like he’d had some years under his belt. He basically told me, even though the book says to replace the ECU, it is his experience that exhaust leaks can cause this behavior. So, he said to install my new exhaust, and if the code doesn’t come back, great! If it does come back, well, we’ll deal with the next thing. Since the exhaust system replacement was the majority of the quote’s price, this approach makes perfect sense to me!

So on Friday, I had a half-day at work, and got to removal of the old system. I had spent a couple days prior soaking the catalytic converter mounting bolts and the upstream oxygen sensor in penetrating oil. I really only had to remove (in order) the exhaust header heat shield, the upstream oxygen sensor, and the header-to-catalytic-converter mounting bolts. I had the old system out in under an hour!

So is there a leak?

Yeah, some here, but then the big one…

Yikes! The muffler was simply decorative! Cheap ol’ Walker stuff, it completely let go right at the weld, leaving the flange behind on the intermediate pipe. Never again!

And then I got a 22mm wrench on the upstream oxygen sensor and pulled with all my might. I was able to get it free, all it took was being slightly burned by the hot exhaust system to give me the strength! I took it and inspected it closely, and saw this:

Looky here, exposed copper! Supposedly the P0606 and P0607 codes fire when the computer detects a discrepancy in voltage between the main CPU and the sub-CPU (whatever that is). If this copper was shorting out to the chassis (ground), that could easily have caused this indeed!

I was able to get the new system installed in the next 3ish hours, all except the catalytic-converter-to-intermediate-pipe connection. Turns out the pipes were the exact same size at that point, so I needed a butt-joint clamp instead of a C-Clamp. That arrives Sunday and will complete the project. But for now, this was a great success which saved about $2,000 or $3,000, depending how you look at it ($2k if you consider just the exhaust system, $3k if you also consider the ECU with it).

Oh, and don’t forget, while it is easier to remove oxygen sensors and exhaust system parts while they are hot due to thermal expansion, ya still gotta be careful, or you end up like me!

So at this point, I will install the new butt-joint clamp on Sunday and drive it around for a bit to verify the codes do not come back. If not, fantastic! And if they do, I will update this article. So as you read this, if there is nothing written/added after this sentence, problem solved!

Our baby was born recently, and needed to spend 5 days in the NICU. All was well enough, a touch of TTN and bradycardia, the latter making the attached monitor, a Nihon Kohden LifeScope, alarm just about constantly. Well, all the doctors and nurses knew it was fine, and would always be hitting the silence button when they were around. Like any new dad, I wanted to be able to hold my newborn in relative peace. So, it’d be nice to be able to silence the machine’s alarms for 3 minutes at a time. And, behold:

Filetype: IR signals file
Version: 1
#
name: Suspend_alarms
type: parsed
protocol: NECext
address: 82 E4 00 00
command: F3 12 00 00

That’s it! Load this onto a Flipper Zero (or your other infrared-capable device of choice), and enjoy the temporary reprieve all without standing up, super-helpful if your newborn is still attached to a CPAP. The NICU is stressful enough without constant alarm fatigue.

Void

Not in the sense of null, but rather of the blue nowhere. When one comments into the abyss, does the abyss comment back?

Before you even think it – yes, it’s Tuesday, and yes this must be Belgium. It’s a fairy-tale town, not sure who came up with that first, perhaps the 2008 film. If you haven’t seen it, go now and watch, I can wait.

We checked into our hotel, Hotel Ter Brughe. Assigned room number 13, I carried our bags up the stairs for there is no elevator. Pack light! The view from the room was top-notch.

We walked towards De Halve Maan brewery, one of the more famous here, with a half-moon man logo. We tried all their beers, from single to quadruple. We couldn’t find one we didn’t like, especially at the end of the spectrum where things got darker, to Cait’s liking.

The brewery closed at 6pm so we stopped by a nearby eatery that served the only thing I ever wanted to eat again – fondue.

We sauntered back to our hotel room and passed out, stomachs full of beer and cheese.


We woke up to a rain downpour, and the latest news, “Clinton concedes”. The view on the USA election in Belgium was quite bleak. People here knew this election would in some significant way affect them. But, more on that in a short bit.

For our first full day here, Cait woke up and took a shower, easy for her given her height, but shortly it was my turn. It’s a tub, with the spigot on the wide backwall, which had the option for a handheld wand. The wand’s hose was about 3 feet long. So for the next few days I have been washing my head and face while sitting down in the tub, generating a puddle of water on the bathroom floor.

We decided to make our way via the rail station to Brussels. The tickets are pricey – almost 60 Euros for 2 adult visit/return passes. By a little before noon, we made it there, ready to explore. We started with lunch at Le Marmiton, myself having a “Heart of Beef” filet (tenderloin), and Cait having “Beef Carbonnade” basically Beef Stew cooked in local beer. The dialog for us now changed significantly, we could pretend to an extent that we were French (and we came up with a Canadian backstory – living in Toronto, Cait works for Canadian national healthcare and I am a Zamboni repairman, even though my hands are far too slender), but we know nothing of Dutch.

And of course, Canadians we are not. We faced many stares from the locals. Brussels is widely viewed as the unofficial capital of the EU. To a larger extent, people here embrace internationalism, and seeing Trump elected flew in the face of many of their beliefs. Of course, it is happening all over here, too. See Brexit, or the rise of Marine Le Pen corresponding with a rise in Syrian refugees. Indeed, the streets of Paris earlier on the trip were full of families huddled together under a plastic sheet, trying to keep warm and dry and escape the lives they left behind.

But like our lives, we can’t let a little shocking news derail plans – on with the journey! We walked around and eventually hit The Delirium, where we stopped in for a couple beers. Cait had a modest one, while I went for a 1 liter das boot.

^ Maybe not fully modest, but my choice here was still an exercise in modesty – they did also offer a 2-liter das boot which I resisted, wanting to not die today.

This wasn’t the correct place, though, and two people at the bar were far too inebriated and yelling back and forth about Trump. We departed for right next door, the Delirium Cafe, which is the Guinness Book record holder with over 3500 beers available to choose from. The beer list has an index and table of contents; it is the length of a novel. They had a house tripel I enjoyed, and Cait had a cookie beer followed up by a cherry beer. The walls were starting to move on us a bit, so we needed to get some food in our stomachs. We ended up at Le Selecto for dinner where we quickly destroyed two of the same creamy chicken dish they had. The food was excellent, and perhaps by now the Trump news fervor had died down, or else we had enough alcohol to not care; the stares from the others around us became less pronounced.

We walked back to the train station, admiring the views on the way before we boarded.


We woke up to nicer skies and decided to stay in Bruges today instead of traveling regionally. We walked towards the Market and past many lovely churches and homes.

^ This place contained one of the few Michelangelo sculptures outside of Italy.

Back towards Market, there was a tower to climb with an impressive view atop!

The climb is not a joke, it’s pretty tight and steep at points, with 2-way traffic. But it doesn’t take too long, and soon you’re up in the tower with all of the impressive bell mechanics.

One of the bells up here, their largest, weighs in at 11,000 pounds.

Back down, time for lunch at Cafedraal. Cait was looking at the pheasant, but they were all out, so we both ended up with the specials of the day, pumpkin soup perfect for dipping fresh bread, and two plates of meatballs in a tomato sauce that went perfectly with their mashed potatoes.

On to try more of the beers from Belgium! We searched for a place named De Garre, famous for a house tripel with 11% ABV. It was a bit of an elusive one, tucked away in an alley, but along the way you’ll pass several chocolate shops and they’re worth stopping into – many give away free samples at the door!

Finally we found it, they don’t give you a whole lot of the tripel at once, but the quantity they do give really packs a punch. Delicious, too!

While I worked on some refills of that tasty beer, Cait tried their recommended sour beer. Crisp and refreshing, it goes down easy!

We walked around somewhat aimlessly for a while until it was time for dinner at ‘t Brugs Beertje. We went simple, with a couple of ham & cheese sandwiches, time to get to bed as we have an early tomorrow dragging luggage to another country.


Up early once more for a travel day, we dragged our bags across Bruges to the station. And I do mean dragged our bags, Cait somehow recently lost a wheel on her luggage so she’s been rolling mine as I drag hers along. This in turn made me subconsciously miss our cat at home, the unwilling dragging behind being quite similar to her attitude towards walks on her harness. Our train arrived and we boarded to Amsterdam via Antwerp – and woohoo, another Thalys with an included lunch!