We’re repeatedly seeing more and more reports of accounts being hacked and passwords being stolen across the web. Take a look at the recent Gawker hack and all their hashed passwords being posted to torrent sites. People should also realize that there are many lists out there that take millions of common passwords and run them through all the standard hashing algorithms. This allows a hacker to quickly search through a list of hashed passwords and come up with the actual password you’re using. How many of us use this same password across multiple sites, or a very similar variant of the same password?
A few years ago I envisioned what the next generation OpenID platform might look like. I’ve shared this with multiple people over the years and they all ask me why I haven’t built it yet. I honestly just haven’t made the time, so I feel like it’s time to give someone else the opportunity. OpenID is great in that it allows you to have a single strong password to authenticate you against multiple sites. Many of you will have used Facebook Connect to go to websites, and this is a very similar technology. Some of the things I noodle in the attached diagram TheNextGenOpenIDPlatform include stronger hardware based authentication devices, delegated account access, digital personas, linking of devices that can be remotely de-authorized, an analytics dashboard to find out who is using your identity and attributes, and synchronizing your attributes across all the places you go.
If there are any VCs listening I’m more than happy to start an angel round of investing and start building, I already have the team I’d use ready to go. 😉
One of the great features of Oracle IRM 11g is being able to automatically link your users from LDAP. This way you don’t have to manage the users in two places or write any custom synchronization code between them. The LDAP integration is done through WebLogic’s authentication providers. A word of warning about this integration is that you need to have your LDAP provider set up in WebLogic before logging into IRM for the first time. You also need to have your LDAP provider as the first item in the list before logging in.
My reason for typing this out is because it burned me for a few hours trying to figure out what was going on. The first user that logs into IRM is set to be the administrator. This person creates the contexts, roles, etc. and assigns all the privileges. For most implementations people normally use the built in weblogic user that is created during installation. This is where I went terribly wrong. IRM binds the GUID of this user to the IRM database repository. This is obviously much stronger than binding just the username or the DN of the user, but it can also cause crinkled skulls when trying to debug.
So, I logged into the server as weblogic, got the tabs and pages I expected, so I figured I would set up my LDAP provider. I went into WebLogic and created the provider. In a development environment I normally set the internal provider first and then the LDAP provider second. Even though I take a hit in performance, in a development environment I prevent myself from being locked out of the server. I was now able to authenticate but IRM wasn’t letting me into the interface. After talking to the dev team they told me the LDAP provider had to be the first one in the list as that’s all they look at when authenticating the user. No problem, pop it up to the top of the list.
Now I can authenticate into IRM and get into the irm_rights pages, but I don’t have any of the other tabs to manage the server. The GUID that my weblogic user is tied to is now second on the providers list and the GUID of the weblogic user in my LDAP server doesn’t match the local GUID. Shit, so now my administrator user can’t be reached because he’s second in the provider list, and I can’t set any other administrators because if I move that provider back to the top of the list the LDAP users don’t appear since IRM only looks at the first one.
Lessons learned and a reinstall to fix.
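The trap above is easy to reason about once the two rules are written down: IRM resolves a login against the first provider only, and the administrator is bound by the GUID that provider returned at first login. The following is an added model of those two rules (my own illustration, not Oracle or WebLogic code) with a preflight check that reports, before you reorder providers, whether the bound administrator GUID would still resolve. Provider names, user names and GUID values are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Provider:
    """A WebLogic authentication provider, reduced to a name and the
    username -> GUID mapping it would return."""
    name: str
    users: dict = field(default_factory=dict)


def resolve(providers: list, username: str):
    """Model of how the post describes IRM authenticating: only the first
    provider in the list is consulted, so a user that exists further down
    the list is invisible."""
    if not providers:
        return None
    return providers[0].users.get(username)


def preflight(providers: list, admin_username: str, bound_admin_guid: str) -> list:
    """Report problems with a proposed provider order before applying it.
    Returns a list of human-readable findings; empty means the bound
    administrator will still be reachable."""
    findings = []
    guid = resolve(providers, admin_username)
    if guid is None:
        findings.append(
            f"administrator '{admin_username}' is not known to the first provider "
            f"'{providers[0].name}'" if providers else "no providers configured")
    elif guid != bound_admin_guid:
        findings.append(
            f"first provider '{providers[0].name}' returns GUID {guid} for "
            f"'{admin_username}', but IRM bound the administrator to {bound_admin_guid}")
    return findings


# Constructed environment matching the story: the built-in weblogic user in
# the DefaultAuthenticator, and an unrelated 'weblogic' entry in LDAP.
DEFAULT = Provider("DefaultAuthenticator", {"weblogic": "guid-local-0001"})
LDAP = Provider("LDAPAuthenticator", {"weblogic": "guid-ldap-9999",
                                      "jsmith": "guid-ldap-0042"})

# First login happened against the default provider, so IRM bound this GUID.
BOUND_ADMIN_GUID = resolve([DEFAULT], "weblogic")


def scenario_default_first() -> list:
    """Default provider first: admin reachable, but LDAP users invisible."""
    return preflight([DEFAULT, LDAP], "weblogic", BOUND_ADMIN_GUID)


def scenario_ldap_first() -> list:
    """LDAP moved to the top: admin username resolves to a different GUID."""
    return preflight([LDAP, DEFAULT], "weblogic", BOUND_ADMIN_GUID)


if __name__ == "__main__":
    print("default first:", scenario_default_first() or "ok",
          "| jsmith visible:", resolve([DEFAULT, LDAP], "jsmith") is not None)
    print("ldap first:", scenario_ldap_first() or "ok",
          "| jsmith visible:", resolve([LDAP, DEFAULT], "jsmith") is not None)
```

Run against the constructed data, the default-first order passes the check but cannot see jsmith, and the LDAP-first order sees jsmith but reports the GUID mismatch that locked the administrator out. The practical takeaway is the same as the post’s: put the LDAP provider first before the first IRM login, so the GUID that gets bound is the one the first provider will keep returning.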
So today I decided to switch over to the mainline Firefox 4.0 Beta from the Minefield dailies I’ve been using. I started to copy the new Firefox.app directory over the existing one in my Applications folder and immediately was met with a:
‘The operation can’t be completed because the item “libsmime3.dylib” is in use.’
Well shit, what’s holding onto that lib? Turns out that it was my Cisco VPN Anywhere Agent, aka vpnagentd. So I go ahead and do a:
‘sudo killall vpnagentd’
Ugh, and of course it restarts automatically before I can copy the files over. So what now? Oh yeah, it runs as a daemon so I need to use my old friend launchctl to unload it. The command for this is:
sudo launchctl unload /Library/LaunchDaemons/com.cisco.anyconnect.vpnagentd.plist
w00t! Now the files copy over with no problem. Now I need to put AnyConnect back into place. This can be done with:
sudo launchctl load /Library/LaunchDaemons/com.cisco.anyconnect.vpnagentd.plist
That should do it: Firefox 4 Beta is up and working again.
That was 15 minutes of my life I’ll never get back. Hopefully this post saves you 10.