sigmoid


Let’s assume you already have a database under dn: olcDatabase={1}mdb,cn=config and you would like to keep access logs. To achieve this, we will do (and assume) the following:

  • Enable the AccessLog Module
  • Create an AccessLog database, where the logs will be stored
  • There is already an existing database for which we want to keep logs at: dn: olcDatabase={1}mdb,cn=config

Note that I use Gentoo linux, but with some modifications the following information should work on other distributions.

Enable the AccessLog Module

Ok, so first add the module to OpenLDAP:

Ensure that the accesslog module is available on your system/platform. In my case, it is stored at /usr/lib64/openldap/openldap/accesslog.so. Modify the following LDAP Data Interchange Format (LDIF) file accordingly if the shared object file is located elsewhere.

Create the file load_AccessLogModule.ldif and insert:

dn: cn=module{2},cn=config
objectClass: olcModuleList
cn: module{2}
olcModuleLoad: {0}accesslog.so
olcModulePath: /usr/lib64/openldap/openldap

Add the content into the slapd server (you may have to restart the daemon):

ldapmodify -a -D "cn=config" -w <password> -H ldap:// -f load_AccessLogModule.ldif

Create an AccessLog database

Let’s now create the AccessLog database in which the logs will be stored:

Create a file create_AccessLogDatabase.ldif and insert:

dn: olcDatabase={2}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcDbDirectory: /var/lib/openldap-data/accesslog
olcSuffix: cn=accesslog
olcRootDN: cn=admin,cn=accesslog
olcRootPW: auditor_password
olcDbIndex: default eq
olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart

Caution here: the olcDbDirectory /var/lib/openldap-data/accesslog must exist, and the system user owning the slapd process must be able to read and write to it. On my system:

  mkdir -p /var/lib/openldap-data/accesslog
  chown ldap:ldap /var/lib/openldap-data/accesslog

Of course you should also use a more secure password than the plaintext auditor_password shown above, by using the SHA or SSHA password scheme (see https://www.openldap.org/faq/data/cache/347.html).

Add the content into the slapd server:

  ldapmodify -a -D "cn=config" -w <password> -H ldap:// -f create_AccessLogDatabase.ldif

Add the AccessLog overlay to the “source” database

Recall, we have an existing database (with dn: olcDatabase={1}mdb,cn=config) we would like to log access for. We should create an overlay in that database and configure it to log into the AccessLog database we just created:

Create a file add_Overlay_to_Database.ldif and insert:

dn: olcOverlay=accesslog,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcAccessLogConfig
olcOverlay: accesslog
olcAccessLogDB: cn=accesslog
olcAccessLogOps: session
olcAccessLogSuccess: TRUE
olcAccessLogPurge: 07+00:00 01+00:00

Add the content into the slapd server:

  ldapmodify -a -D "cn=config" -w <password> -H ldap:// -f add_Overlay_to_Database.ldif

Now, whenever a session abandon, bind or unbind action happens for the olcDatabase={1}mdb,cn=config database, a log entry will be created in dn: olcDatabase={2}mdb,cn=config.
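As an added example (not part of the original post), here is a small Python script that parses the LDIF `ldapsearch -b cn=accesslog` would return from the overlay configured above and summarises binds per identity, also listing sessions that bound but never unbound. The sample entries are constructed; note that with olcAccessLogSuccess set to TRUE only successful operations are recorded, so failed binds will not appear in this database.

```python
from collections import Counter

# Constructed sample (not real data) of what `ldapsearch -b cn=accesslog` returns
# for the overlay above: two binds (one anonymous, session 18) and one unbind.
SAMPLE_LDIF = """\
dn: reqStart=20180610053001.000001Z,cn=accesslog
reqType: bind
reqSession: 17
reqDN: uid=alice,ou=people,dc=example,dc=com

dn: reqStart=20180610053005.000001Z,cn=accesslog
reqType: bind
reqSession: 18
reqDN:

dn: reqStart=20180610053009.000001Z,cn=accesslog
reqType: unbind
reqSession: 17
"""

def parse_ldif(text):
    """Split LDIF into entries (dict attr -> [values]). Folded lines (leading
    space) are joined; base64 ('attr:: ...') values are kept undecoded."""
    entries, cur, last = [], {}, None
    for line in text.splitlines() + [""]:
        if line.startswith(" ") and last:           # folded continuation line
            cur[last][-1] += line[1:]
        elif line == "":                            # blank line ends an entry
            if cur:
                entries.append(cur)
            cur, last = {}, None
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            cur.setdefault(attr, []).append(value.strip())
            last = attr
    return entries

def bind_summary(entries):
    """Return binds per identity ('anonymous' for an empty reqDN) and the
    sessions that bound but have no matching unbind in this window."""
    binds, open_sessions = Counter(), {}
    for e in entries:
        op, session = e.get("reqType", [""])[0], e.get("reqSession", [""])[0]
        if op == "bind":
            who = e.get("reqDN", [""])[0] or "anonymous"
            binds[who] += 1
            open_sessions[session] = who
        elif op == "unbind":
            open_sessions.pop(session, None)
    return binds, open_sessions
```

Feed it the output of ldapsearch against cn=accesslog (bound as cn=admin,cn=accesslog) to get a quick picture of who is authenticating against the logged database.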

10 June 2018 – NOTE: LEDE is no more. It has merged with OpenWRT. Furthermore, the TP-Link WA901NDV3 is no longer supported. I have updated some of the links to the new OpenWRT website, but further changes may have taken place. I will leave the post here for reference, but you ought to try compiling a newer firmware for security.

Apparently, I managed to compile and flash a working firmware for my TP-Link WA901NDV3 using the newer OpenWRT sources (in particular I used commit f60301db748a8a40f42a6dc4faa7250529cb6cc6). The update worked like a charm, with the settings being preserved. If anyone needs the new roms and kernel config drop me a message.

Information about the device can be found below:

I installed a custom LEDE ROM on my TP-Link TL-WA901ND since the default one built upstream had features that I wasn’t using, and they consumed the free space of the device unnecessarily.

Namely, I removed support for IPv6, USB and telephony, as well as some associated packages and kernel modules (including ppp). I also included in the custom ROM dropbear (sshd), nano (text editor), and luci over SSL. You can download:

You can use LuCI to upgrade, or use the command line: sysupgrade -v lede-ar71xx-generic-tl-wa901nd-v3-squashfs-sysupgrade-20170615.bin. I have not tested the factory ROM.

Customizing the custom ROM :)

If you want to build, or customize the rom using my kernel config, read on.

You first need the LEDE (or OpenWRT) source code:

git clone https://git.lede-project.org/source.git lede

Read the instructions on how to “Use the build system to compile a firmware image”. This assumes you have set up your system with the necessary tools to build the code. My Gentoo system didn’t require anything to be installed, but if yours does not have them, you can get some info here.

Once you have your system ready and updated your feeds, copy the config-tl-wa901nd-v3 kernel config in the root of the source code. If you want to customize it, do make menuconfig, then make -j1, or make -j5 if you have 4 cores, etc.

You may have to wait for quite a while for this to complete. Once done the images will be created in bin/targets/ar71xx/generic/. Note that if there are no errors, but you don’t see the lede-ar71xx-generic-tl-wa901nd-v3-squashfs-factory.bin and lede-ar71xx-generic-tl-wa901nd-v3-squashfs-sysupgrade.bin files, it means the packages and features you included in the rom’s kernel may have exceeded the amount of space the device has. You have to remove some features via the kernel configuration and try recompiling.


Precompiled static and shared OpenSSL v1.0.2l and v1.1.0f for MSVC 2008-2017 are now available on the Precompiled OpenSSL page. Build scripts and patches are also available for anyone who wants to customize their builds.

Library names have changed upstream for v1.1.0f, but I follow the older pattern for my builds (i.e. libname[MT/MD][d]), as with the other branches.

Older versions of OpenSSL have been moved to the Precompiled OpenSSL (Past Builds) page; however, they are only there for archival purposes, so do not use these builds for any production systems. Actually, if you are doing any serious work, you ought to build your own OpenSSL anyway.


This is a guide useful for anyone using Plex Media Server on Gentoo and seeking to encrypt/secure their connections with TLS for the Plex Web UI. The instructions can be easily adapted to other distros and should work with minor modifications. I have written these notes using media-tv/plex-media-server-1.5.5 and app-crypt/certbot-apache-0.13.0.
You’ll need root in order to perform most of these steps.

Installing Plex Media Server and Letsencrypt client

Installing Plex Media Server on Gentoo is straight forward:

emerge -Dtva media-tv/plex-media-server

The post-installation instructions of the package will tell you:

Plex Media Server is now installed. Please check the configuration file in /etc/plex/plexmediaserver to verify the default settings.
To start the Plex Server, run 'rc-config start plex-media-server', you will then be able to access your library at http://:32400/web/

This may be good enough if you’re just running a home server to watch from the LAN, but if you will be accessing your Plex Media Server from a non-secure network (i.e. over the Internet or via your mobile data provider, etc.), clearly this is not the most secure setup. The instructions tell you to use a plaintext HTTP connection (http://<ip>:32400/web/), but just like with any other plaintext connection, your Plex username and password can be sniffed trivially.

To make the connection secure you can obtain and install a free TLS certificate from Let’s Encrypt. If you already know how to obtain and install a Letsencrypt certificate, skip these instructions. On Gentoo you can use the certbot command-line tool, so go ahead and install its package:

emerge -Dtva app-crypt/certbot

You may end up with emerge complaining that a series of required dependencies cannot be installed. Make sure you keyword all those packages in /etc/portage/package.keywords. For example, you may have to append the following to your package.keywords:

=app-crypt/certbot-apache-0.13.0 ~amd64

Obtaining and installing a Let’s Encrypt certificate for Plex

Once certbot is installed and provided your server’s hostname is home-plex.mydomain.com, obtain the respective Letsencrypt free certificate:

certbot certonly --standalone --config-dir /etc/letsencrypt --preferred-challenges tls-sni-01 -d home-plex.mydomain.com

If everything has worked out correctly, your certificate will be installed in /etc/letsencrypt/live/home-plex.mydomain.com/.

Converting a Let’s Encrypt cert for use with Plex Media Server (format PKCS #12)

Assuming you have OpenSSL already installed (if not emerge -Dtva dev-libs/openssl), you can create a PKCS #12 file containing the Let’s Encrypt certificate and private key to enable TLS support for home-plex.mydomain.com, using the following script (store in /etc/plex/plex-renew-cert.sh, we’ll need the script again later):

#!/bin/bash
#
# store this script in /etc/plex/plex-renew-cert.sh
#
set -e

PLEX_HOSTNAME=home-plex.mydomain.com
# Exported so openssl can read it via -passout env:, which keeps the key out of
# the process list (a pass:... argument would be visible to every local user in ps).
export PLEX_CERT_ENCKEY=your-randomly-generated-password

# Bundle the Let's Encrypt private key, leaf certificate and chain into a single
# PKCS #12 container, which is the format Plex Media Server expects.
openssl pkcs12 -export \
               -out "/etc/plex/${PLEX_HOSTNAME}.pfx" \
               -inkey "/etc/letsencrypt/live/${PLEX_HOSTNAME}/privkey.pem" \
               -in "/etc/letsencrypt/live/${PLEX_HOSTNAME}/cert.pem" \
               -certfile "/etc/letsencrypt/live/${PLEX_HOSTNAME}/chain.pem" \
               -name "${PLEX_HOSTNAME}" \
               -passout env:PLEX_CERT_ENCKEY

# Set the right ownership and permissions on the generated PKCS #12 container file:
chmod 600 "/etc/plex/${PLEX_HOSTNAME}.pfx"
chown plex:plex "/etc/plex/${PLEX_HOSTNAME}.pfx"

Make sure you replace home-plex.mydomain.com with your server’s hostname and your-randomly-generated-password with a good password. You can quickly generate one here, but any will work.

Set good permissions and execute it:

chmod 700 /etc/plex/plex-renew-cert.sh
/etc/plex/plex-renew-cert.sh

Check the cert container has been generated:

ls -l /etc/plex/home-plex.mydomain.com.pfx

You can even verify the key, using the PLEX_CERT_ENCKEY value when prompted, and if everything is correct you’ll see something like:

openssl pkcs12 -in /etc/plex/home-plex.mydomain.com.pfx -noout
Enter Import Password:
MAC verified OK

Using the Letsencrypt PKCS #12 cert with Plex Media Server

To use the generated certificate in Plex, first start the Plex server (/etc/init.d/plex-media-server start) and visit the plaintext web interface http://home-plex.mydomain.com:32400/web. Login with your Plex.tv account, go to "Settings > Network", fill in the following and “Save Changes”:

        Custom certificate location: /etc/plex/home-plex.mydomain.com.pfx
  Custom certificate encryption key: your-randomly-generated-password
          Custom certificate domain: home-plex.mydomain.com

Plex Media Server Letsencrypt Certificate Config

Restart the Plex Media Server and visit the web interface over encrypted HTTPS now, https://home-plex.mydomain.com:32400/web/. You should see in your web browser’s address bar the green lock indicating a secure connection to the Plex Media Server.

You’re done! … Well, almost done!

Renewing the Let’s Encrypt certificates

Let’s Encrypt certificates expire after a few months and the proper way to utilize them with any server/application is to schedule a frequent renewal check. On top of that, we want to ensure that once our certificate has been renewed, it is also converted to the PKCS #12 container format and the Plex Media Server is restarted to reload the new PKCS #12 certificate.

This is fairly easy, with certbot’s option --renew-hook (check what it does with certbot --help renew) and a cronjob like the following:

#Mins  Hours  Days   Months  Day of the week
# Attempt a renewal once a day at 5:30am and, if a certificate was actually renewed,
# run the --renew-hook command(s): rebuild the PKCS #12 file, then restart Plex so it
# reloads the new certificate (a plain "start" is a no-op while the service is running).
30 5 * * * certbot certonly --standalone --quiet \
                                         --config-dir /etc/letsencrypt \
                                         --preferred-challenges tls-sni-01 \
                                         -d home-plex.mydomain.com \
                                         --renew-hook "/etc/plex/plex-renew-cert.sh && /etc/init.d/plex-media-server restart"

I have built ICU v59.1 with MSVC 2015 & 2017 which are available at the Precompiled ICU page.
In the respective archives you will find, as always, the dynamic and statically linked libraries.

Note that ICU cannot be built with any of the older MSVC compilers, as support has been dropped upstream. Thus only MSVC 2015 and 2017 are available from now on.
