The first step to acheive this is to update the Samba configuration (/etc/samba/smb.conf) on your DiskStation. Adding the configuration below will get Samba to use the Active Directory attributes. I use 100000-199999 for my user and group IDs. If you use different values you may need to adjust it a bit. If you don't yet have Unix attributes assigned to your Active Directory users, check out Assigning Unix Attributes to Active Directory Objects for how I've gone about that.

[global]
    idmap config * : backend=tdb
    idmap config * : range=3000-7999
    idmap config DIGITALLOTUS : backend=ad
    idmap config DIGITALLOTUS : range=100000-199999
    idmap config DIGITALLOTUS : schema_mode=rfc2307
    idmap config DIGITALLOTUS : unix_nss_info=yes
    idmap config DIGITALLOTUS : unix_primary_group=yes

Once that is in place, restart your DiskStation. After it's up, you can check the user ID by running id user@corp.example.com and see that... it's still showing the automatically generated ID? That's actually expected at this point because of some of the DiskStation internals. If you run wbinfo -i "user@corp.example.com", which will query Samba directly, you should see the right information.

So, how do we now get the DiskStation to recognize the updated values? We have to clear its cached mappings. You can do that by running the command below.

find /volume1/@accountdb \( -type f -o -type l \) -delete

After running that command, you should be able to rerun id user@corp.example.com and see the right attributes. I did all this prior to setting up my shares and permissions. If you already have shares and permissions setup, you'll likely need to reapply your permissions to get them working with the new ID values.

#activedirectory #diskstation

$objectBase = "ou=Digital Lotus,dc=corp,dc=digitallotus,dc=com"
$idRangeBase = 100000
$primaryGid = 101110
$loginShell = "/bin/bash"
$homeDirectoryBase = "/users"

Get-ADObject `
        -LDAPFilter "(&(|(objectClass=user)(objectClass=group))(!objectClass=computer))" `
        -SearchBase "$objectBase" `
        -Properties objectClass,objectSid,uidNumber,gidNumber,sAMAccountName,loginShell,unixHomeDirectory,primaryGroupID | ForEach {
        
    $sAMAccountName = $_.sAMAccountName
    $objectRid = ($_.objectSid -split "-")[-1]
    $idNumber = $idRangeBase + $objectRid

    if ( $_.objectClass -eq "user" ) {
        if ( -not $_.uidNumber ) {
            Write-Host "Adding uidNumber $idNumber to $sAMAccountName"
            $_ | Set-ADObject -Add @{uidNumber=$idNumber}
        }
        if ( -not $_.gidNumber ) {
            Write-Host "Adding gidNumber $gidNumber to $sAMAccountName"
            $_ | Set-ADObject -Add @{gidNumber=$primaryGid }
        }
        if ( -not $_.loginShell ) {
            Write-Host "Adding loginShell $loginShell to $sAMAccountName"
            $_ | Set-ADObject -Add @{loginShell=$loginShell}
        }
        if ( -not $_.unixHomeDirectory ) {
            $homeDirectory = "$homeDirectoryBase/$sAMAccountName"
            Write-Host "Adding unixHomeDirectory $homeDirectory to $sAMAccountName"
            $_ | Set-ADObject -Add @{unixHomeDirectory=$homeDirectory}
        }
    }

    if ( $_.objectClass -eq "group" -and -not $_.gidNumber ) {
        Write-Host "Adding gidNumber $idNumber to $sAMAccountName"
        $_ | Set-ADObject -Add @{gidNumber=$idNumber}
    }

}

The objectBase variable is the base of the search for users and groups, and idRangeBase is the starting value for the IDs. The Active Directory object's relative ID is added to idRangeBase to create the actual UID or GID number.

#activedirectory #powershell

Luckily, Write.as provides the option to enter custom CSS and JavaScript to add to your blog. I wouldn't want to make an entirely different theme this way (though several people have), but it's perfect for making small modifications like these.

The relevant CSS customizations are below. These enable horizontal scrolling of the code block, and modify the layout and styling of the copy button that will get dynamically added.

#post #post-body pre {
  overflow-x: auto;
  position: relative;
}
#post #post-body pre code {
  white-space: pre;
}
pre button {
  position: absolute;
  top: 4px;
  right: 4px;
  opacity: 0.5;
  border: none;
  font-family: monospace;
}
pre button:hover {
    opacity: 1.0;
}

Here's the JavaScript code to dynamically add a copy button to the code blocks.

if ( navigator.clipboard ) {
  let preBlocks = document.querySelectorAll("pre");
  for ( const preBlock of preBlocks ) {
    let codeBlock = preBlock.querySelector("code");
    if ( ! codeBlock ) { continue }
    let button = document.createElement("button");
    button.innerText = "Copy";
    preBlock.appendChild(button);
    button.addEventListener("click", async () => {
      await navigator.clipboard.writeText(codeBlock.innerText);
      button.innerText = "Copied";
      setTimeout(() => {button.innerText="Copy";}, 3000);
    });
  }
}

Part of what I really like about Write.as is that the limited customization is just enough to let me tweak things as needed. With Jekyll and similar options, I feel compelled to try customizing everything instead of just writing.

#writeas

I could see the web traffic getting to ADFS, but it wasn't being handled properly. After some investigation, I found that ADFS has some quirks with how it handles web traffic. Specifically, it requires the incoming HTTPS request to include SNI data indicating the name of the ADFS site. This isn't enabled by default in HAProxy, so I had to modify my configuration.

If you are directly editing an HAProxy config file, you'll want to add sni str(your.adfs.hostname) to the backend server line. If you're using the pfSense HAProxy package, you'll want to edit your backend configuration and add that to the Per server pass thru option under Advanced settings.

I only have a single ADFS instance, so I have health checks disabled. If you're using health checks, you'll also need to add the check-sni option.

#adfs #haproxy #pfsense

The problem is that objectGUID is stored as a binary attribute, so it must be handled differently in the IdP. Shibboleth has the ability to automatically handle binary attributes by listing them in a <BinaryAttributes> tag, but it does so by base64 encoding them. This isn't ideal because some SAML attributes, like eduPersonUniqueId, only allow alphanumeric characters.

The solution I came up with was to allow Shibboleth to do the binary conversion, but then transform the base64 data to hex codes. The result is a user identifier that is unique, not reusable, and entirely composed of alphanumeric values.

Here are the relevant parts of my attribute-resolver.xml setup.

<?xml version="1.0" encoding="UTF-8"?>
<AttributeResolver
        xmlns="urn:mace:shibboleth:2.0:resolver" 
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
        xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd">

    <!-- ========================================== -->
    <!--      Attributes                            -->
    <!-- ========================================== -->

    <AttributeDefinition id="eduPersonPrincipalName" xsi:type="Scoped" scope="%{idp.scope}">
        <InputAttributeDefinition ref="userIdentifier"/>
    </AttributeDefinition>

    <AttributeDefinition id="eduPersonUniqueId" xsi:type="Scoped" scope="%{idp.scope}">
        <InputAttributeDefinition ref="userIdentifier"/>
    </AttributeDefinition>

    <AttributeDefinition id="userIdentifier" xsi:type="ScriptedAttribute" dependencyOnly="true">
        <InputDataConnector ref="activeDirectory" attributeNames="objectGUID"/>
        <Script>
            <![CDATA[
            var base64guid = objectGUID.getValues().get(0);
            var hexguid = '';
            for ( var i=0; i < base64guid.length; i++ ) {
                var hex = base64guid.charCodeAt(i).toString(16);
                if ( hex.length == 1 ) {
                    hex = '0' + hex;
                }
                hexguid += hex;
            }
            userIdentifier.addValue(hexguid);
            ]]>
        </Script>
    </AttributeDefinition>

    <!-- ========================================== -->
    <!--      Data Connectors                       -->
    <!-- ========================================== -->

    <DataConnector
            id="activeDirectory"
            xsi:type="LDAPDirectory"
            ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
            baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
            principal="%{idp.attribute.resolver.LDAP.bindDN}"
            principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
            useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS}"
            connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
            responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}">
        <FilterTemplate>
            <![CDATA[
            %{idp.attribute.resolver.LDAP.searchFilter}
            ]]>
        </FilterTemplate>
        <BinaryAttributes>objectGUID</BinaryAttributes>
        <ReturnAttributes>givenName sn displayName mail objectGUID</ReturnAttributes>
    </DataConnector>

</AttributeResolver>

#shibboleth

I was using the iCloud Desktop & Documents Folders option to keep all the contents of my Documents folder in iCloud. At first, I thought I could just point Obsidian to my Documents folder as-is. That worked on macOS, but not on the iOS or iPadOS apps. It appears those are restricted to only access the Obsidian iCloud folder.

After some thinking, I figured out how I could make it work. It's pretty simple, and it still keeps my Documents folder saved in iCloud.

1. Disable the Desktop & Documents Folder iCloud option
2. Copy existing iCloud Documents to my local Documents
3. Move my local Documents folder to the Obsidian iCloud folder
4. Link my local Documents folder to the one I moved into Obsidian

Step 1 is done by going to your iCloud settings in macOS and de-selecting the option. Here are the terminal commands for the other steps. They assume that you don't already have an Obsidian vault named Documents.

cd ~
# sync iCloud Documents to local Documents
rsync -av ~/Library/Mobile\ Documents/com~apple~CloudDocs/Documents/ Documents/
# allow moving / removing the Documents folder
chmod -a 'group:everyone deny delete' Documents
# move current documents to Obsidian's iCloud Drive area
mv Documents ~/Library/Mobile\ Documents/iCloud~md~obsidian/Documents/
# link Documents to the new location
ln -s ~/Library/Mobile\ Documents/iCloud~md~obsidian/Documents/Documents .

I've been running this way for a few days, and so far it's working out exactly as I'd hoped. When I create a new project folder, it's immediately available for Obsidian notes, Terminal work, Finder, and anything else I want to use.

#macos #obsidian

Conditional Resources

I needed to import an existing EC2 instance into a stack. The import failed, complaining that several resource types weren't able to be imported. The only resource in the template that didn't already exist was the instance itself, so why the errors?

After some trial and error, I found that it was due to using conditions. There were several resources defined in the stack to be conditionally created based on the parameters – things like creating either an application load balancer or a network load balancer. It appears that on import, CloudFormation doesn't check the conditions and was failing because some of those conditional resources weren't of an importable type.

After manually removing all the unused conditional resources, the stack imported successfully.

Dynamic References

I had a stack that needed imported into the root stack. When trying to do this, CloudFormation failed because the contents of the template given in the root stack didn't match the contents of the template currently in use. But... it did! I downloaded both, and confirmed they were exactly the same!

The issue was that the template used dynamic references for some values. It seems like CloudFormation was comparing the new template, with unresolved references, to the current template with references resolved.

To work around this, I manually updated the template to use static values in place of the dynamic references.

#aws