OpenStack Active Directory / LDAP authentication

OpenStack (Grizzly) allows keystone to authenticate against different backends. The default backend is an SQL database, storing both user information (username/password) and tenant information (which user belongs to which group). Although you can switch this to an LDAP-based backend, it would mean having to keep tenant information in LDAP too (which means tedious things like creating a new LDAP DC, which no self-respecting LDAP admin will let you do arbitrarily). But what if you just want OpenStack to authenticate against an LDAP server, like Active Directory in an enterprise setting?

Luckily, keystone lets you extend authentication easily. What the following patch does is allow you to configure up to 3 LDAP servers, which keystone will attempt to bind to with the supplied username / password when a user logs in. It can also fall back to the user information in SQL if it fails to bind to any of the LDAP servers, by setting FALLBACK = True.

First of all, you need to create your own Identity backend with a _check_password() function. Please check out ldapauth.py on my github. Put this file into keystone/identity/backends.

Next, you will need to update config.py to read some new configurations in your keystone.conf.

The full patch is in my github. https://github.com/waipeng/keystone/commit/8c18917558bebbded0f9c588f08a84b0ea33d9ae

After this, you can update keystone.conf to specify the LDAP servers that you want to authenticate with. Example:

[ldapauth]
server1_host = ldap://ldap1.example.com
server2_host = ldap://ldap2.example.com
server3_host = ldap://ldap3.example.com
server1_domain = DOMAIN1
server2_domain = DOMAIN2
server3_domain = DOMAIN3
fallback = True
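The bind-then-fallback logic described above, as an added example (not the patch's ldapauth.py): it reads the [ldapauth] section shown above and tries each server in order before consulting SQL. The DOMAIN\user bind form, the ldap_bind and sql_check hooks, and the sample config are assumptions for illustration.

```python
import configparser

# Constructed copy of the [ldapauth] section shown above.
SAMPLE_CONF = """
[ldapauth]
server1_host = ldap://ldap1.example.com
server2_host = ldap://ldap2.example.com
server3_host = ldap://ldap3.example.com
server1_domain = DOMAIN1
server2_domain = DOMAIN2
server3_domain = DOMAIN3
fallback = True
"""


def load_ldapauth(conf_text, max_servers=3):
    """Return ([(host, domain), ...], fallback) from the [ldapauth] section."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    sec = cp["ldapauth"]
    servers = []
    for n in range(1, max_servers + 1):
        host = sec.get("server%d_host" % n)
        if host:
            servers.append((host, sec.get("server%d_domain" % n, "")))
    return servers, sec.getboolean("fallback", fallback=False)


def check_password(username, password, servers, fallback, ldap_bind, sql_check):
    """Try each LDAP server in order, then SQL if fallback is on.

    ldap_bind(host, who, password) -> True only on a successful simple bind
    (hypothetical hook; with python-ldap it would wrap
    ldap.initialize(host).simple_bind_s(who, password) and treat
    INVALID_CREDENTIALS and SERVER_DOWN as False).  sql_check(username,
    password) -> True if the SQL backend accepts the credentials.
    Returns the backend that accepted the credentials, or None.
    """
    # An empty password turns a simple bind into an anonymous bind on most
    # directory servers, which "succeeds" for any username: reject it first.
    if not password:
        return None
    for host, domain in servers:
        who = "%s\\%s" % (domain, username) if domain else username  # DOMAIN\user form (assumed)
        if ldap_bind(host, who, password):
            return host
    if fallback and sql_check(username, password):
        return "sql"
    return None
```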


Watching Netflix in Singapore


Recipe for Netflix in Singapore

Ingredients

Steps

  • Sign up for MyRepublic Fibre Broadband Service
  • Sign up for Netflix free trial through their website [3]
  • Purchase Roku 3 through Amazon (free shipping to Singapore)
  • Twiddle thumbs till Roku 3 arrives
  • IMPORTANT: Set up a Roku account with a US Country and Zip Code. Use credit card.
  • Plug in Roku 3 (might need a 220v to 110v step down transformer, but users have reported success without)
  • Run through setup.
  • Start Netflix
  • Watch Netflix

Optional

  • Cancel Starhub 🙂

[1] My Republic Teleport is free till 31 Dec, $5 a month afterwards (I really hope they don’t charge!)
[2] I’ve heard Apple TV works, and WD TV Live too. Let me know if your device works for you
[3] Free trial for 1 month, so that you don’t lose anything if it doesn’t work. You need to pay for it after free trial.

[edits:] added information that you need to create a Roku US account BEFORE activating Roku

Bad experience with IPMIRROR robot review

A good friend recently wanted to register a .SG domain, and he asked me about SG registrars. This reminded me of an IPMIRROR fiasco a few years ago, and I just wanted to let people know about it. In case someone asks me again, I can point them to this webpage and I don’t have to repeat myself.

Every year during National Day, SGNIC will run a promotion offering .sg domains for a steal (like $8, instead of $40+ normally). Looking through, I decided to go with ipmirror as the registrar. However, ipmirror was still charging the full price in their system. I emailed them about this and they replied that their system is not updated, but this is not a problem as they will take note and rebate me the difference after I registered. So I went ahead and registered and emailed them.

Posted On: 23 Aug 2009 11:05 AM
Dear Wai Peng YIP,
——————————————————————————–
First Name: Wai Peng
Last Name: YIP
Company Name:
Contact Number:
Email Address: waipengyip@yahoo.com
Email to: sales@ipmirror.com
Subject: I Love sg 2009 promotion
Message: I registered yip.sg. Please help process the rebate
——————————————————————————–

They replied promptly, which was cool

From: Jenelle Bi <sales@ipmirror.com>
To: waipengyip@yahoo.com
Sent: Monday, 24 August 2009 11:41 AM
Subject: [#SWK-630635]: I Love sg 2009 promotion

Dear Wai Peng,

Thank you for choosing IP Mirror as your preferred registrar.

We have received your domain name registration under the I Love.sg 2009 promotion. As you have paid the full price at the point of submission, we have calculated and refunded the excess amount into your credit balance account. This amount can be used for your future domain name transactions and if you have further inquires pertaining to this refund, we will be most pleased to assist.
Best regards,

Jenelle Bi
IP Mirror Pte Ltd
47 Duxton Road, IP Mirror TechHaus, Singapore 089511
Tel: +65 6222-0105 Fax: +65 6222-0210
http://www.ipmirror.com

Fast forward a few years, I didn’t want the domain anymore and wanted to close the account, getting my refund back. I emailed them.

From: “Yip Wai Peng” < waipengyip@yahoo.com >
To: billing@ipmirror.com
Sent: Monday, July 4, 2011 1:32:17 PM
Subject: withdraw credit in account

Dear ipmirror,

I would like to withdraw my credits in my account. My username is <likeyouwanttoknow>.

If you can refund via a check, please send a crossed cheque to

Name: YIP Wai Peng

Address: <redacted>

I got this back in reply

From: ” billing@ipmirror.com ” < billing@ipmirror.com >
To: Yip Wai Peng < waipengyip@yahoo.com >
Cc: IP Mirror Billing < billing@ipmirror.com >
Sent: Tuesday, 5 July 2011 11:35 AM
Subject: Re: withdraw credit in account

Dear Wai Peng,

For refund, there is a 10% admin charge, therefore we will only issue a cheque of $43.38.
Attached refund policy for your reference

Best regards,

IP Mirror Pte Ltd
47 Duxton Road, IP Mirror TechHaus, Singapore 089511
Tel: +65 6222-0105 Fax: +65 6222-0210
Reg No: 200003703C

What? You took my money for 2 years and now you’re charging me an admin charge?!

Thinking that this was an automated reply, I told them of the circumstances why I had a credit, hoping a human could step in and set things right.

From: “Yip Wai Peng” < waipengyip@yahoo.com >
To: billing@ipmirror.com
Sent: Tuesday, July 5, 2011 1:36:23 PM
Subject: Re: withdraw credit in account

Dear ipmirror,

This refund was because of the purchase of .sg domain during the SGNIC promotion previously. Your system was unable to charge the promotion pricing, thus I was asked to pay the full price and get the refund. I do not think it is fair that I am charged a penalty for this.

– WP

The same robotic reply came back

Sent: Thursday, 7 July 2011 4:01 PM

Dear Wai Peng,

We regret to inform you that we will only refund $43.38 cause there is a 10% admin charge. Please refer to our web for refund policy.

http://www.ipmirror.com/en/service_agreements/agreements 

Best regards,

Undeterred, I tried again.

Sent: Thursday, July 7, 2011 6:20:58 PM

Dear IP Mirror,
Please try to understand the situation.

1. .SG domains were supposed to go for $5 during the I Love SG promotion. This is a nation wide promotion by SGNIC. All the registrars are supposed to charge $5.
2. When I choose you guys as my registrar, your systems were still charging the non-sale price.
3. I was told that your systems have not been updated, I should pay the full price and the remainder will be refunded.
4. There was no notification of any admin fee or any other fees at that time.

I didn’t mind paying more and getting the full refund as your systems were not updated. However, it is unfair to the customer to be charged an admin fee just because your systems were not updated. If you had that constraint, you should make it clear up front.

Your policies are set up by humans, Please try to understand the situation and help.

Thanks,
– WP

Same robotic reply

Sent: Monday, 11 July 2011 4:49 PM

We are so sorry to inform you that we will only refund $43.38 cause it is in our refund policy. Please refer to our web for refund policy.

Annoyed, I replied

Sent: Monday, 11 July 2011 10:38 PM

I really understand you have a policy. Do you understand what I have been trying to explain to you so far? By the way, may I know who I am talking to? If you are unable to help me from your position, I would like to escalate this please.

The billing robot didn’t reply after this. A few days later, I sent

Sent: Saturday, July 16, 2011 8:55:16 AM
Subject: Re: withdraw credit in account

Dear IP Mirror,
Any updates on this please?

Robot again

Sent: Monday, 18 July 2011 12:40 PM
Subject: Re: withdraw credit in account

Dear Wai Peng,

We understand what you are trying to explain and you are talking to the refund department. Please refer to our web site for refund policy and we will only refund $43.38.

http://www.ipmirror.com/en/service_agreements/agreements 

I gave up, as the “never argue with an idiot” adage goes.

Sent: Friday, July 29, 2011 6:23:32 PM
Subject: Re: withdraw credit in account

Ok please refund me $43.38. Thanks.

And the reply

Date: Mon, 01 Aug 2011 11:29:43 +0800 (SGT)

We have issued a cheque, UOB 730487, for the amount of $43.38, and it was mailed out on 28 July 2011.
Thanks

Best regards,
Jasmine Loh

Finally, a human!

Shame on you, ipmirror. Shame on you, Jasmine and the helpdesk / billing robots. You people deserve better than to work for such a douchebag company.

How MyRepublic Teleport works

I’ve just signed up with MyRepublic on their Pure HD service, mostly because of their Teleport service. Briefly, Teleport allows you to watch US-only services like Netflix and Hulu+ from Singapore.

In addition, I also purchased a WD TV Live to watch Netflix on my big screen TV. However when I set it up, I realized that the WD TV Live does not work with Netflix! 😦

After feeling sorry for myself, I decided to figure out how Teleport works, and maybe try to fix the issue with Netflix and WD TV Live.

First of all, I heard that many WD TV Live users have managed to get Netflix working using Unblock-Us. I went ahead and tried configuring Unblock-Us, and sure enough, it works! This made me further believe that the issue is not with WD TV Live nor Netflix, and surely is with Teleport.

I set up my laptop to NAT all traffic in and out of the WD TV, so that I could listen to all the traffic.

In short, MyRepublic Teleport uses its DNS to redirect you to an Amazon instance in the US for specific domains – mostly the authentication / setup part of streaming services like Netflix. The main bulk of the streaming content afterwards comes from CDNs, which I believe does not need to go through the US link. Let’s take a look.

The WD TV Live starts off by connecting to nccp-nrdp-31.cloud.netflix.net. If you look it up using MyRepublic DNS servers, you can see that it resolves to an Amazon EC2 instance in the US WEST.

$ dig @103.11.48.190 nccp-nrdp-31.cloud.netflix.net.
<snip>
;; ANSWER SECTION:
nccp-nrdp-31.cloud.netflix.net. 0 IN A 54.215.3.116

$ dig -x 54.215.3.116
<snip>
116.3.215.54.in-addr.arpa. 300  IN      PTR   ec2-54-215-3-116.us-west-1.compute.amazonaws.com.

After that, it connects to 2 other domains, uiboot.netflix.com and api-global.netflix.com. This is where the problem lies – MyRepublic still resolves these two to the same EC2 instance.

uiboot.netflix.com. 0 IN A 54.215.3.116
api-global.netflix.com. 0 IN A 54.215.3.116

As far as I can tell, both nccp-nrdp-31.cloud.netflix.net and uiboot.netflix.com connections are HTTPS, which means they can’t share the same IP. To test my theory, I set up a DNS server that responds with the Unblock-Us DNS servers for uiboot.netflix.com and api-global.netflix.com. It works!
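The comparison the investigation above boils down to, as an added example (not from the post): parse dig-style answer lines from the ISP resolver and from a second resolver, find names that collapse onto one address, and list names the ISP resolver answers differently. The MyRepublic answers are the ones shown above; the reference resolver's addresses are constructed placeholders.

```python
import ipaddress
from collections import defaultdict

# Constructed dig-style answer lines. The MyRepublic answers are the ones
# the post shows; the "reference" resolver's addresses are placeholders.
MYREPUBLIC_ANSWERS = """\
nccp-nrdp-31.cloud.netflix.net. 0 IN A 54.215.3.116
uiboot.netflix.com. 0 IN A 54.215.3.116
api-global.netflix.com. 0 IN A 54.215.3.116
"""
REFERENCE_ANSWERS = """\
nccp-nrdp-31.cloud.netflix.net. 0 IN A 198.51.100.10
uiboot.netflix.com. 0 IN A 198.51.100.11
api-global.netflix.com. 0 IN A 198.51.100.12
"""


def parse_a_records(text):
    """Map owner name (without trailing dot) -> set of A-record addresses."""
    records = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[2] == "IN" and parts[3] == "A":
            records[parts[0].rstrip(".")].add(parts[4])
    return records


def shared_addresses(records):
    """{ip: sorted names} for every address that more than one name resolves to."""
    by_ip = defaultdict(set)
    for name, ips in records.items():
        for ip in ips:
            by_ip[ip].add(name)
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) > 1}


def redirected_names(isp_records, reference_records):
    """Names whose ISP answer shares no address with the reference resolver's answer."""
    return sorted(
        name for name, ips in isp_records.items()
        if name in reference_records and not (ips & reference_records[name])
    )


def reverse_query_name(ip):
    """The PTR owner name that dig -x queries, e.g. 116.3.215.54.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer
```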

I guess the fix for MyRepublic is simple – they just have to create another 2 instances to take care of the traffic going to the 2 affected domains, and everything should work!

I’ve forwarded them the information, hopefully it’ll help them.