Tuesday, December 13, 2005

Active Directory Web Interface for Administration

I have been administering Active Directory for the last four years. The most frustrating thing I found was administering it remotely: the only way was to Remote Desktop to one of the domain controllers and do my task there.

Later on I realized that the Active Directory administration GUI provided by Microsoft was just enough to get my tasks done. But this GUI was not smart enough to give me instant feedback on what is happening in my domain, such as the last logon time for each user, active computers, groups with a member summary and many more things. So I realized that it was not enough for me for normal administration tasks. Moreover, I wanted to do it from a web browser, so it would not matter whether I am using Linux or Windows: I just open a browser and do everything required for administration.

Microsoft included the System.DirectoryServices namespace, which can talk to AD and give us more information. I started writing a small application which could give me visual feedback on domain users.

So I came up with the above screenshots, and there were many more things possible with these APIs, but they were half-cooked APIs, so I had to figure out how to do things.

Now I have an Active Directory web interface which allows me to do administration using a web browser. It has the following features:
  • Create New Users
  • Create Groups
  • Edit user group membership
  • Edit user properties
  • Edit group members
  • Display user status
  • Display group summary
  • Display computer summary
I think I will be able to open source it soon. But if you really want to use my application, please send me an email and I will send you the app.
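The "last logon time" the post wants to display comes from the AD attribute lastLogon, which is stored as a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC, 0 meaning the account has never logged on). The following is an added example and not the author's ASP.NET application: a POSIX shell script that decodes lastLogon values from ldapsearch-style LDIF output and flags accounts that never logged on or have not logged on within a given number of days. The LDIF sample is constructed for the example, and the account names and the DC=example,DC=com domain are assumptions.

```shell
#!/bin/sh
# Added example (not the author's AdWebMin code): decode Active Directory lastLogon
# values from ldapsearch-style LDIF and flag accounts that never logged on or have
# not logged on for more than a given number of days. The LDIF below is constructed.

# Seconds between the FILETIME epoch (1601-01-01 UTC) and the Unix epoch (1970-01-01).
FILETIME_EPOCH_OFFSET=11644473600

# Convert a FILETIME (100-nanosecond ticks since 1601-01-01 UTC) to Unix seconds.
# AD stores 0 in lastLogon for an account that has never logged on; keep that as 0.
filetime_to_epoch() {
    if [ "$1" = 0 ]; then
        echo 0
    else
        echo $(( $1 / 10000000 - FILETIME_EPOCH_OFFSET ))
    fi
}

# Classify one account as NEVER (lastLogon 0), STALE (older than max_days) or OK.
# Arguments: sAMAccountName lastLogon now_epoch max_days
classify_account() {
    name=$1; filetime=$2; now=$3; max_days=$4
    epoch=$(filetime_to_epoch "$filetime")
    if [ "$epoch" -eq 0 ]; then
        status=NEVER
    elif [ $(( now - epoch )) -gt $(( max_days * 86400 )) ]; then
        status=STALE
    else
        status=OK
    fi
    echo "$name $epoch $status"
}

# Read LDIF on stdin (as printed by: ldapsearch -LLL ... sAMAccountName lastLogon)
# and print one "name epoch status" line per entry. Arguments: now_epoch max_days
stale_accounts() {
    now=$1; max_days=$2; name=; last=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            sAMAccountName:*) name=${line#sAMAccountName: } ;;
            lastLogon:*)      last=${line#lastLogon: } ;;
            "")               # a blank line terminates an LDIF entry
                [ -n "$name" ] && classify_account "$name" "$last" "$now" "$max_days"
                name=; last=0 ;;
        esac
    done
    # flush the last entry when the input has no trailing blank line
    [ -n "$name" ] && classify_account "$name" "$last" "$now" "$max_days"
    return 0
}

# Constructed sample, three entries in the shape ldapsearch prints them.
# 127789056000000000 = 2005-12-13 00:00 UTC, 127702656000000000 = 2005-09-04 00:00 UTC.
SAMPLE_LDIF='dn: CN=alice,CN=Users,DC=example,DC=com
sAMAccountName: alice
lastLogon: 127789056000000000

dn: CN=bob,CN=Users,DC=example,DC=com
sAMAccountName: bob
lastLogon: 0

dn: CN=svc-backup,CN=Users,DC=example,DC=com
sAMAccountName: svc-backup
lastLogon: 127702656000000000
'

# Usage: take 2005-12-13 (epoch 1134432000) as "today" and flag anything older than 60 days.
printf '%s' "$SAMPLE_LDIF" | stale_accounts 1134432000 60
```

Two caveats a practitioner will hit with this attribute. lastLogon is not replicated between domain controllers, so each DC holds only the logons it serviced: to get a true value you have to query every DC and take the maximum. Windows Server 2003 forests add lastLogonTimestamp, which is replicated, but it is only refreshed when the stored value is more than about 14 days old, so it is good for finding stale accounts and useless for "who logged on this morning". The input format above is what `ldapsearch -LLL -H ldap://dc1 -D user@example.com -W -b "DC=example,DC=com" "(objectClass=user)" sAMAccountName lastLogon` prints (hostnames and base DN assumed).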

AdWebMin 0.1 is released!

Monday, December 12, 2005

So blogger hung!

and after getting my name from Flickr, my Blogger hung!
I just got my name from Flickr! And here it is:

aJ Spraye30 cutler / / yoga

Monday, December 05, 2005

Microsoft's Half Cooked APIs

So when you publish APIs, what should you usually do? Say:

public string IWillReturnCaps(string anycase)

This is kind of self-explanatory, and it tells me that if you give it a string in any case, it will return an upper-case string.

Microsoft has done a great job of publishing APIs for Active Directory, called System.DirectoryServices. These APIs look great on the surface! The moment you dive in, you are almost dead, because when you prepared for the dive you thought it was 10 ft deep water. But as soon as you get into the water, you hit your face on a rock-solid surface and there is nothing to penetrate further. Some of the APIs are like this:

public willreturnobject IWillDoSomething(object givemesomething, object somethingmore, object andsoemthingmore)

This is called a half-cooked API: you have the API, and you need to figure out what it is going to do! A more concrete example: if you ask for properties, then does the documentation say it returns strings, or the values of properties? How many properties? Where are the properties? Go figure it out! Or enumerate the properties collection, use ADSI. Agreed! But why are the properties not listed there? Moreover, if you are trying to do something, you need to have the basic concepts clear and be able to read code in C++ or Visual Basic. There are not many examples which provide C# code samples.

The IRONY is that you are trying to do something with .NET but you need to use ActiveDS and COM Interop. Anyway, if you go that way: a long time back you could not write a plugin for Visual Studio .NET in .NET itself. If your plugin involved even a little bit of GUI, you had to use ActiveX.

If you are trying to do something with System.DirectoryServices then go here.

By the way, I am trying to write an Active Directory web administration interface in ASP.NET, which will be available here soon.

Long time no see! Politics...

Internal politics exists in every company; people are in a rat race and that is something that is not going to change. I wonder how many people actually read AND implement "Rich Dad Poor Dad". My point is that people give lots of lectures about professional ethics and team building, but sometimes all around I see that people are just there to pull strings or climb on others' shoulders to get something done.

I see no solution to it other than getting out of this RAT race. I can see two of my friends trying to do it, and somehow I feel that they are successful, namely Rajesh and Ravi. But I seriously see a problem here: they have done it afterwards, once they have been through it, and it took them a lot of time to achieve this. Instead of getting out of this RAT race, why can't we just fix it?

Thursday, September 15, 2005

Secure Wireless Access

Today was a good day. I have been trying to find a special way to make my wireless secure! I could not find a nice and better solution in the last 8 weeks which could tell me that it is not broken yet; of course there is nothing which is secure in this internet world. Having said that, my solution sounds pretty secure, because I have found that lots of people (including nice companies in many countries) use these techniques.

First, a Linux-based solution, of course :-). Ingredients as follows:
  • Linux kernel 2.4 or greater
  • iptables (you do not have to know about iptables)
  • NoCat (nocat.net)
  • dhcpd, the plain vanilla dhcpd from your distribution
  • Apache httpd 2.0
  • bind (optional)
  • a wireless access point
Now, before you get to the solution, you need a machine which has two network cards.

This solution creates the wireless network as a separate LAN which gets access to either your LAN or the Internet through the Linux box we are going to set up. Let's call the internal network 192.168.91.X (wireless) and the external network 172.16.X.X (LAN/Internet). And this box has as its internal network address and as its external network address

  • Set up DHCP: the plain vanilla default dhcpd.conf has a range of to
  • Set up bind: if you do not want to run a name server, you can provide your network's name server as the main name server in dhcpd.conf.
  • Set up httpd and make it listen only on ; set up SSL on httpd.
  • NoCat has two parts, AuthServ and Gateway. When you download NoCat it comes as one tarball which contains both. By default NoCat gets installed at /usr/local/nocat, but we are going to install AuthServ and Gateway on the same machine, so we will install AuthServ in /usr/local/nocat/authserver and the Gateway in /usr/local/nocat/gateway. You need to change the directory in the Makefile and then execute the authserv and gateway targets respectively.
  • You need to change the configuration of AuthServ and Gateway and make the appropriate changes; these files are well commented.
  • Now choose the authentication method; I chose Samba and pointed it at my Windows domain.

And if everything goes smoothly, you are done. All you have to do is hook up on wireless and visit some site; it will redirect you to the NoCat authentication page, and once authentication is done it will update iptables to give your machine access, and you are done...
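What that last step means in iptables terms, as an added example rather than NoCat's own code: a minimal captive-portal gateway in POSIX shell. Unauthenticated wireless clients have their web requests redirected to a local splash listener and are blocked from forwarding; after a successful login the gateway inserts per-client rules keyed on the client's MAC and IP address, and removes them again on logout. The interface names, the splash and login ports, and the chain names are assumptions; the 192.168.91.0/24 wireless network is the one from the post.

```shell
#!/bin/sh
# Added example of the captive-portal mechanics a NoCat-style gateway relies on.
# This is not NoCat's code; interfaces, ports and chain names below are assumptions.
# The wireless network 192.168.91.0/24 is the one in the post.

WLAN_IF=${WLAN_IF:-eth1}          # wireless side
WAN_IF=${WAN_IF:-eth0}            # LAN/Internet side
AUTH_PORT=${AUTH_PORT:-443}       # SSL login page served by httpd on this box
SPLASH_PORT=${SPLASH_PORT:-5280}  # local listener answering HTTP with a 302 to the login URL

# Safety valve: print the commands instead of running them unless DRY_RUN=0 (run as root).
DRY_RUN=${DRY_RUN:-1}
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Base state: every client on the wireless side is captured until allow_client
# inserts its per-client exceptions at the top of the two PORTAL chains.
portal_init() {
    run sysctl -w net.ipv4.ip_forward=1

    # nat: unauthenticated web requests are redirected to the splash listener,
    # which sends the browser on to the SSL login page.
    run iptables -t nat -N PORTAL_CAPTURE
    run iptables -t nat -A PREROUTING -i "$WLAN_IF" -j PORTAL_CAPTURE
    run iptables -t nat -A PORTAL_CAPTURE -p tcp --dport 80 -j REDIRECT --to-ports "$SPLASH_PORT"
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE

    # filter: nothing is forwarded for a client until it is allowed; replies to
    # allowed connections come back through conntrack.
    run iptables -N PORTAL_FORWARD
    run iptables -A FORWARD -i "$WLAN_IF" -j PORTAL_FORWARD
    run iptables -A FORWARD -o "$WLAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A PORTAL_FORWARD -j DROP

    # Services the gateway itself must offer before authentication.
    run iptables -A INPUT -i "$WLAN_IF" -p udp --dport 67 -j ACCEPT              # DHCP
    run iptables -A INPUT -i "$WLAN_IF" -p udp --dport 53 -j ACCEPT              # DNS
    run iptables -A INPUT -i "$WLAN_IF" -p tcp --dport "$SPLASH_PORT" -j ACCEPT  # splash
    run iptables -A INPUT -i "$WLAN_IF" -p tcp --dport "$AUTH_PORT" -j ACCEPT    # login page
}

# Called by the auth server after a successful login. Keying on both MAC and IP
# makes the rule harder to borrow than a MAC alone, though neither is unspoofable.
allow_client() {
    mac=$1; ip=$2
    run iptables -t nat -I PORTAL_CAPTURE 1 -m mac --mac-source "$mac" -s "$ip" -j RETURN
    run iptables -I PORTAL_FORWARD 1 -m mac --mac-source "$mac" -s "$ip" -j ACCEPT
}

# Called on logout or when the session expires; must mirror allow_client exactly.
revoke_client() {
    mac=$1; ip=$2
    run iptables -t nat -D PORTAL_CAPTURE -m mac --mac-source "$mac" -s "$ip" -j RETURN
    run iptables -D PORTAL_FORWARD -m mac --mac-source "$mac" -s "$ip" -j ACCEPT
}

# Usage (dry run prints the rules; DRY_RUN=0 applies them):
portal_init
allow_client 00:11:22:33:44:55 192.168.91.50   # constructed client
revoke_client 00:11:22:33:44:55 192.168.91.50
```

Two things to keep in mind with any portal built this way. It controls who may forward traffic, not who can listen: unless the access point also runs WEP or WPA, the 802.11 frames of authenticated users are readable by anyone in range, and an attacker who sees an authenticated MAC/IP pair can clone it, which is why a real gateway also expires sessions and re-checks them. And because DNS to the gateway must be open before login, the pre-auth hole is only as tight as your resolver: a forwarding resolver that answers arbitrary names for unauthenticated clients is a tunnel waiting to be used.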

The other solution is a RADIUS server: get Windows 2003 and configure it as a RADIUS server. Create an SSL certificate, distribute it using Group Policy, allow users dial-in access on their account management page, and point your access point at this Windows 2003 server as its RADIUS server. And you get access! The only problem with this is that you cannot get a Linux client hooked on to it.

Tuesday, August 23, 2005

World is what you see around!

So, another funny story: Uncle Sam's country. We all know all about Uncle Sam, but the problem is Uncle Sam thinks that the world is Uncle Sam, and that means Uncle Sam knows about the world, and anything which is not in Uncle Sam's world does not get involved in documentaries like "World's Most Beautiful Models" or "World's Worst Earthquakes". Keeping aside the thought that earthquakes are always the worst (if one happens on land it shakes buildings, and if inside the sea then we have to face a 60 foot high wall of water on our sea shores), anyway, leave that; let's talk about "the world is what you see around!"

So, last night I was watching some serials, one on Channel 4 and another on Five. "World's Most Beautiful Models" included Iman, Veruschka, Cindy Crawford and many more, but one thing was common: either they were settled in Uncle Sam's country or born in Uncle Sam's country. So I think we should stop conducting Miss World and Miss Universe competitions and pick from "World's Most Beautiful Models"! And the only magazine they know about is "Vogue".

Anyway! Next was earthquakes. I think all earthquakes, which could be called UncleQuakes, occur only in San Francisco, once in Florida and sometimes Australia. What about Japan? No, if they do not count 7 on the Richter scale (or maybe Victor scale) they do not count? Forget India! We lost 20,000 men in the last earthquake! But 798 is a huge number of casualties! Sometimes I feel that the Discovery Channel only understands what NASA does. Maybe I am jealous, but sometimes I feel very, very surprised, as when one person asked me "do you really have tar roads all around India?" I answered "except a few villages", and then the person asked "but I heard that India is 90% made of villages!" That is the fact I love.

I have more to say about what happened at Speakers' Corner in Hyde Park last Sunday, 20th August 2005, but that might appear in the next post as I am still waiting for those crazy pictures from Rohan.

Thursday, August 18, 2005

Who writes code?

At the heart of every development department of an IT-enabled company there lives an architect and/or a tech lead! The story is interesting; it is about the struggle to write code, or the struggle to write good code.

Many of the tech leads in some moron companies think that since they have crossed the "experience age" they should not be writing any more code, but should be dictating how to write code and integrate it. Some of them are good, because they keep themselves informed. As long as you do this you are fine, but suddenly you keep architecting stuff, making diagrams and flow charts, and then one fine day you are completely obsolete: you have forgotten most of the language stuff, and even forgotten that languages and SDKs have improved, and you sometimes miss a feature. And when you argue about it, since he is the tech lead and does not understand that developers are closer to the languages/SDKs/libraries than he actually is, he should not make the decision that we should be using Perl instead of Java because Perl has better regular expression capabilities! And at the end you end up with code which calls Perl modules just to do string manipulation. What an architecture!

Friday, August 12, 2005

Creating a Simple Router and Firewall

Problem Statement:
I have two gateways doing exactly the same thing; either one of them can be termed the default gateway. But now you want to split the traffic and do many more smart things with it: you want to control exactly what kind of traffic goes through which gateway.

Install Linux! I do not have a special attraction to Linux, but the Linux networking tools excel in many areas and are much better than what a plain vanilla Windows installation gives you. So that is why Linux. Actually, I could assign static routes to hosts in DHCP, or implement RIP or IGRP on my firewalls, but all that costs a lot of stupid network traffic. It does not make sense to me. You are welcome to accept this solution, or you can put your comments right here and I will get enlightened by your smart solution. Anyway, let's continue with our problem.

So what I did: I put in another Linux box, which decides where to send each packet, logs the packet, and creates graphs of which protocol is being used most, how much VPN traffic, how much non-VPN traffic. And it is all fast, because my firewall runs on a PII CPU and my Linux box runs on a PIII with minimal services. And it gives me a lot of flexibility.

How to do this?

  1. install 2 network interface cards
  2. learn how to use the "ip" command
  3. add rules and tables with the ip command
  4. tell the ip command where to send which traffic, based on packet source, packet destination and user id
  5. you can even control how much bandwidth each MAC address gets (I have not done this yet, but you should go and read LARTC, Linux Advanced Routing and Traffic Control)
  6. install a transparent proxy
  7. install iptraf + rrdtool
and you are there, with the world's most advanced router sitting there. And if you are really a Cisco router geek then you might want to get Zebra and start using that!
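The steps above, carried through as one script. This is an added example, not the author's configuration: it creates one routing table per gateway, selects a table by source address or by a firewall mark, sets the mark by destination and by uid in the mangle table, and adds the transparent-proxy redirect from step 6. The interface names, gateway addresses, table numbers, the pinned host, the VPN endpoint, the uid and the proxy port are assumptions; the 172.16.x.x LAN is the one from the post.

```shell
#!/bin/sh
# Added example of the ip rule / ip route / iptables MARK combination the steps
# above describe. Interfaces, gateway addresses, table numbers, the sample host,
# the VPN endpoint and the uid are assumptions; the 172.16.x.x LAN is from the post.

WAN_IF=${WAN_IF:-eth0}            # towards both gateways
LAN_IF=${LAN_IF:-eth1}            # towards the clients
LAN_NET=${LAN_NET:-172.16.0.0/16}
GW_A=${GW_A:-172.16.0.1}          # default path
GW_B=${GW_B:-172.16.0.2}          # alternate path, e.g. for VPN traffic
TABLE_A=100; TABLE_B=200          # routing table ids (1..252 are free for local use)
MARK_B=2                          # fwmark that selects table B
PROXY_PORT=${PROXY_PORT:-3128}    # local transparent proxy (squid's default port)

# Safety valve: print the commands instead of running them unless DRY_RUN=0 (run as root).
DRY_RUN=${DRY_RUN:-1}
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# One routing table per gateway, and rules that choose a table by fwmark or by
# source address. Lower priority numbers are consulted first.
setup_routing() {
    run ip route add default via "$GW_A" dev "$WAN_IF" table "$TABLE_A"
    run ip route add default via "$GW_B" dev "$WAN_IF" table "$TABLE_B"
    run ip rule add fwmark "$MARK_B" table "$TABLE_B" priority 100   # marked by iptables below
    run ip rule add from 172.16.5.50 table "$TABLE_B" priority 200   # one host pinned to B
    run ip rule add from "$LAN_NET" table "$TABLE_A" priority 300    # everyone else via A
    run ip route flush cache
}

# Destination- and user-based selection is done by marking packets in the mangle table.
setup_marks() {
    # Destination-based: VPN traffic from the LAN to the concentrator goes out via B.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -d 203.0.113.10 -p udp --dport 1194 \
        -j MARK --set-mark "$MARK_B"
    # uid-based: owner matching works only in OUTPUT, i.e. for traffic this box itself
    # generates; forwarded packets from LAN clients carry no local uid to match on.
    run iptables -t mangle -A OUTPUT -m owner --uid-owner 1001 -j MARK --set-mark "$MARK_B"
}

# Step 6 of the list: send LAN web traffic through a transparent proxy on this box.
setup_transparent_proxy() {
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j REDIRECT --to-ports "$PROXY_PORT"
}

# Usage (dry run prints the commands; DRY_RUN=0 applies them):
setup_routing
setup_marks
setup_transparent_proxy
```

Note how the two mechanisms divide the work: source-based choices need no mark at all (`ip rule add from ...`), while destination- and uid-based choices have to be expressed as a mark because `ip rule` cannot see ports or process owners. The uid match is the piece that makes step 4 work together with step 6: once web traffic is redirected into a local proxy, the proxy's own upstream connections are generated on the router, and marking them by the uid the proxy runs as is the only way to steer them to a particular gateway. Since both gateways here sit on the same interface, the rules only change the next hop; if they were on different interfaces you would also need per-table routes for the directly connected subnets.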

Thursday, August 11, 2005

don't know

Don't know! "Oh my god, you do not know this?" or "He does not know even this?" Guess where this is coming from. Most system administrators expect you to know everything in this world that they know, as do most consultants (being a consultant, I have learned not to say this). But if someone in this world is hiring you to do something, that means, one, they do not have the expertise to do it, or they have some expertise but are not able to get it working; and second, the most important thing, that is why you have the job. If someone knew how to fix a network adaptor, apply permissions and play with iptables on Linux, then why would they hire a Linux administrator? Or does everyone in this world know LISP, how to create (useful) spreadsheets in Excel, or Windows/firewall administration?

Dude, get a life. If someone is asking you something, instead of expressing your "oh my god, you do not even know this" expression, or discussing with colleagues "dude, do you know that client dude does not know this thing", you had better help him/her out, and help in a way he/she can understand so they do not need to ask you again. But if you like rubbing the coal on the wall again and again, then please, please go ahead and just do it on your own.

But humiliating someone, or showing that you know the stuff and they do not, or keep pointing out mistakes and discussing someone's lack of knowledge, is especially not good.

Just think about how much you do not know, instead of sticking your neck out with what you know! Because there is always a chance that someone might just tell you: "don't know".

A friend and I discussed this yesterday while taking a walk, and I think it is good that they do not know, because that is why I have the job! Otherwise I would not have had the job....

Wednesday, August 10, 2005

Innocent Ignorance - Overconfidence

I wonder how many times a person can make mistakes? I mean, how many times? There are a few things in life which never change.

So when someone does something which is not quite right, but at the same time he did not know that it was something he should not be doing, we call that a mistake. That is innocent ignorance, which can be ignored by us, assuming that it was seriously innocent ignorance.

But what's up with some dudes who are overconfident in everything they do, which is completely not acceptable? I know many dudes of this kind.

He will keep doing stuff which is not good, and it is not right to do something like that if you are handling production servers, client deployments and real live environments: you do not want to be ashamed, and you do not want to do things on an ad-hoc basis. I mean, if you are trying to fix something, say for instance your antivirus is not working, then it does not make sense to download a virus and let the antivirus catch it. If the antivirus catches that virus, that means it is working? Is that the right solution? Maybe I will call it overconfidence: the dude has the ego that he can actually clean the virus manually, and has the ability to edit executables in a hex editor and remove the virus code from them.

But if someone really does not know that there is something called a firewall and, while troubleshooting networking issues, somehow disables it on his PC, then it is okay. But if a network administrator opens a HOLE in the firewall just to test whether he can reach out or not, then it is stupid.

And most of these dudes handle some sensitive systems at companies, client sites and in the public domain, which scares me! And I know from my experience that every time they lack professionalism, and they do not realize that it might cost them sometime in a bigger loss.

Professionally and personally, I do not like these kinds of errors. My only question is: why can't they think ahead or consult with colleagues? Is it ego, innocent ignorance or overconfidence? Anything, but if it is the first or the last one, then should that be punished or not?

Frustrated me!

Tuesday, August 09, 2005

being creative - proven stupid

The origin of this subject is that in most talks, seminars and many more places, people keep coming up with ideas. There is nothing wrong with coming up with ideas, but the problem is that the idea is stupid. They try to reinvent the wheel, which sucks most of the time. But on the other hand, they do not agree that their idea is STUPID. Anyway, most of the time people try to be over-creative and are proven stupid immediately; I like this treatment of life with them. And this happens in many companies: your colleague will come up with a superb dev implementation, or try to write his own drivers, and will realize that he is nowhere near some nice open source tool. So that is why he is "being creative - proven stupid".

And I think if you can avoid that and do lateral, sincere thinking, then this sentence renders itself: "being creative - proven stupid".