Security Technology

Authentication for Free, as in Beer (FreeIPA)

I’ve been busy with work lately, but got some time this Sunday to work on the next part of my build – authentication.

The Unraid build itself is coming on well, but I now have 14 separate docker containers doing things for me, all with their own individual authentication methods. If I plan on opening up the server to external access (which I do), then I need something to manage usernames and passwords from a central point.

That something is LDAP.

LDAP stands for Lightweight Directory Access Protocol, and is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.

The most common implementation of LDAP that people will probably have heard of is Microsoft’s Active Directory. It’s what I’m most familiar with, having worked with flavors of AD from 2003 onwards. It’s easy to set up and easy to work with, and is – in my view – the best implementation of LDAP for a heavily Windows-based environment.

I’m not exactly running a completely Windows environment. My primary machine, and that of my girlfriend, is running Windows 10. However, I have 14 docker containers (and growing), and some implementations I want to do that require some integration with whatever LDAP server you’re running, and I’m not sure how well AD would play with those.

Lastly, AD requires you to be running Windows Server, which requires a license, and also some fairly decent system requirements.

Plus, it’s fun to learn new things.

So I’ll be using something called FreeIPA (hopefully the punny title makes sense now) on a CentOS 8 install, with 2 vCPUs, 4GB RAM and a 60GB disk.

Read on for how it’s done.


Blackjack Updates

So it’s been six days since my last post, and after a busy and at times frustrating week (work-wise, nothing to do with Blackjack) I have some more updates.

First, good news.
The Plex migration worked flawlessly as I mentioned in the last post. We’ve been running it for 6 days now and have watched a bunch of stuff on it without any issue whatsoever. This is what should have happened but I’m still pleased.

As you can see, I’m also penning this on my Windows 10 VM, using dual screens. The performance is excellent – it’s faster at booting than the bare metal install on my old machine!

I’ve now shut down my old machine, physically replacing it with Blackjack and swapping the rest of the memory. We’re now running on 64GB total, with 24GB reserved for the Windows 10 machine. It was pretty happy with 8 and I’m sure would be happy with 16, but if I have a surplus why not use it?
So far the containers I have running aren’t taxing the system much at all, but I have further plans which may drive that usage higher.

There have been a few things that haven’t quite worked as well as I’d hoped though.


Moving house with Plex & Docker

So, my data is all moved from t’old machine t’new one (for any Americans, you’ll need to read that sentence in a strong Yorkshire accent. Good luck.)

That could be that, but losing all of the ‘watched/unwatched’ and progress through series would be a bit of a pain in the arse, so I’m trying to migrate the metadata of my now-old Plex install (Razorback) to the new one (Blackjack).

On Windows, Plex stores everything in C:\Users\username\AppData\Local\Plex Media Server.

In Docker, that data is located at /mnt/cache/appdata/Plex-Media-Server/Library/Application Support/Plex Media Server/

Plex’s FAQ does include information on moving Plex data around, but it’s a far cry from what you really need to know in a scenario like this. That is fair, as there are a large number of potential scenarios and configurations that it would be unfair to expect Plex to constantly stay on top of and document adequately – after all if it doesn’t work, people would come crying to Plex and they’d have to support that or risk the wrath of Unhappy Internet People.

I’ll make this a long story short – I’m going with the basic bitch method of just copying the (several hundred thousand) files across the network from my Windows machine. I tried zipping the whole lot up and then unzipping it on the host, but with various combinations of commands I always got the same error: caution: filename not matched, which didn’t make sense then, and still doesn’t now.
I tried a number of different solutions from researching online but decided quite quickly that this is one of those annoying Linux things that I know I’ll spin my wheels on for an hour or so, and eventually just have to do it the basic way anyway.

So, I skipped ahead.

At the very least I am grateful that Plex have kept the folder structure and mechanisms broadly identical across different platforms. I’ve certainly dealt with software in my time where a Windows and a Linux version of an app were entirely incompatible and there was no hope of moving settings from one to the other, so this is a refreshing change from previous experiences.

Of course now we’ll have to see if this actually works or not. I have … middling hopes of success, but we’ll see.

A few hours later …

So the metadata is all copied over. I started the Plex Docker and immediately went into the server settings and edited my libraries; the existing libraries pointed at the old media locations, which was good. I added the new locations and let Plex scan them.

And … it worked! My On Deck still shows a half-watched episode of Brooklyn Nine-Nine, and my watched / unwatched lists are all there.


Getting started with UnRAID: Initial struggles

A couple of things I forgot to mention in the last post.

Firstly on the built-in fans; the two fans were identical, but held in with very different screws. The rear fan had what I would consider to be ‘regular PC case screws’, but the front fan was held in with odd small stubby screws which, when removed, had a strange sticky gasket attached to them which sort of broke away as I removed them.

Perhaps typical purchasers of these cases don’t remove the existing case fans and just add to them but … I found it an odd difference, and a disappointing lack of quality on the front screws.

Lastly, the ‘cable management’ around the back of the motherboard tray started out well, but started to become problematic. The case panel is lined with a foam insert, which is great for deadening vibrations and thus noise, but it means there’s not a lot of space in there. My goal was to keep the motherboard side of the case clean and clear, but I may need to let more cabling into the body of the case in order to not have everything so smooshed up behind it.

Anyway, it was another day before I could get the machine connected up to a monitor and to begin working on it. I booted into the BIOS/UEFI setup first to tweak things and see what I was dealing with.

The ASRock Z460 Taichi has what I’d call a ‘typical’ UEFI setup screen – graphics that (to me) hark back to 90s Japan, but it was functional and let me get to what I needed. I went through all the settings, making sure to enable the virtualization features, as well as turning on the IOMMU passthrough features I’d need later.

I probably spent the most time fiddling with the motherboard’s built-in LEDs. They do all sorts of things, but I just wanted a static white light. I’ve yet to see if I’ll be able to install software on my Windows VM to manage that further – possibly turning it off at night automatically – but for now it’s fine.

Next was to boot into UnRAID itself.