Just Apply Pressure

to wreck the SD-card slot cover of the Fujifilm X-T1. An obvious design flaw if you ask me.

Thankfully, I handle my camera with care, but I don't want to think what would happen if I applied a bit more pressure on closing the memory-card compartment.

Posted on April 25, 2014 and filed under Annoying, Gear, Hardware, Photography.

Domain User Membership check via LDAP

When you are using LDAP to determine Windows Active Directory group membership, and the group you are aiming for is the Domain Users group, then you're in for a surprise. It turns out that the LDAP interface doesn't have the Domain Users group listed for a user. It's missing the memberOf attribute for Domain Users. Just compare the following screenshots. The first screenshot shows the Active Directory user interface for the user Administrator, and the second shows the LDAP equivalent of that same user.

Active Directory group memberships

LDAP group memberships

The LDAP output doesn't show a 'memberOf: CN=Domain Users, CN=Users, DC=testdomain, DC=local' attribute.

The reason is that Active Directory has a so-called Primary Group attribute, and this is by default the Domain Users group. With that piece of information you might see an LDAP attribute called 'primaryGroupID' with a number. That number represents the Domain Users group.

So if you need to check for Domain User membership with LDAP, you should check the value of the primaryGroupID attribute. This value is (as far as I know) always the same (513).

So if you're using certificate-based authentication on a Juniper Pulse Access Gateway or Pulse Access Control Service, and you need to check Windows Domain User group membership, the primaryGroupID is the way to go.
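The check described above, as an added example that is not part of the original post. It goes one step further than comparing against 513: it rebuilds the primary group's SID from the user's own objectSid plus primaryGroupID and compares it with the group's objectSid, so it also covers accounts whose primary group was changed and accounts from another domain. The entries, domain SIDs, RIDs 1104/1105 and the `make_sid` helper are constructed for illustration.

```python
import struct

def make_sid(*subs):
    """Build a binary SID (revision 1, NT authority 5) for the constructed samples."""
    return bytes([1, len(subs)]) + (5).to_bytes(6, "big") + struct.pack(f"<{len(subs)}I", *subs)

def sid_to_str(raw):
    """Decode a binary objectSid value into its S-1-5-21-... string form."""
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")          # 6 bytes, big-endian
    subs = struct.unpack(f"<{count}I", raw[8:])          # sub-authorities, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def primary_group_sid(user):
    """Domain part of the user's own SID plus the RID stored in primaryGroupID."""
    domain_sid = sid_to_str(user["objectSid"]).rsplit("-", 1)[0]
    return f"{domain_sid}-{int(user['primaryGroupID'])}"

def is_member(user, group):
    """True if the group is listed in memberOf or is the user's primary group."""
    listed = {dn.casefold() for dn in user.get("memberOf", [])}
    if group["distinguishedName"].casefold() in listed:
        return True
    return primary_group_sid(user) == sid_to_str(group["objectSid"])

# Constructed sample entries (not real directory data).
DOM = (21, 1111111111, 2222222222, 3333333333)
OTHER = (21, 1234567890, 987654321, 1357924680)
DOMAIN_USERS = {
    "distinguishedName": "CN=Domain Users,CN=Users,DC=testdomain,DC=local",
    "objectSid": make_sid(*DOM, 513),
}
# Default case: Domain Users is the primary group and is absent from memberOf.
administrator = {"objectSid": make_sid(*DOM, 500), "primaryGroupID": "513",
                 "memberOf": ["CN=Domain Admins,CN=Users,DC=testdomain,DC=local"]}
# Primary group changed to a hypothetical group (RID 1105): Domain Users is now in memberOf.
moved = {"objectSid": make_sid(*DOM, 1104), "primaryGroupID": "1105",
         "memberOf": ["CN=Domain Users,CN=Users,DC=testdomain,DC=local"]}
# Same RID 513, but the account's SID belongs to a different domain.
foreign = {"objectSid": make_sid(*OTHER, 1001), "primaryGroupID": "513", "memberOf": []}

if __name__ == "__main__":
    for name, u in [("administrator", administrator), ("moved", moved), ("foreign", foreign)]:
        print(name, primary_group_sid(u), is_member(u, DOMAIN_USERS))
```

When the directory serves a single domain, the equivalent server-side test is the LDAP filter `(&(objectClass=user)(primaryGroupID=513))`.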

B.t.w., if you're looking for a good cross-platform LDAP browser, I can recommend the Apache Directory Studio. It's intuitive, has a good interface and just works (oh... and it's free).

No EAP Protocol Was Agreed On

Having the opportunity to experiment with some Juniper security products at home has its (dis)advantages. Juniper offers a (limited) virtual appliance version for both the Unified Access Control appliance (aka the Infranet Controller or Pulse Access Control Gateway), and the SSL VPN solution (aka Secure Access or Pulse Secure Access Gateway).

The limited parts are:

  • SSL is limited to 3 concurrent users
  • UAC is limited to 5 concurrent users
  • You cannot add additional licenses
  • The UAC has no IF-MAP server capabilities, since that requires at least a 50 user license (and you cannot add additional licenses).

Max. 3 concurrent SSL VPN users

Max. 5 concurrent UAC users

So yes, it's crippled, but still very nice to play with in a lab or home/study environment.

Anyway, I have both the UAC and the SSL VPN running at home. Both run in VMware Fusion on a Mac OS X server (Mac Mini).

A couple of months ago, Juniper released a new major version for the software (v5 for the UAC, and v8 for the SSL VPN), so I wanted to upgrade the VMs to the latest software (also because of the Heartbleed bug in OpenSSL). This was no problem for the SSL VPN. The upgrade went smoothly. However, the UAC was a different story. For some reason, the upgrade package was corrupt or invalid (even though it could be used to do a clean install), so upgrading was out of the question.

So I tried to do a clean install and see if I could import the old config of the existing UAC (v4.4) in the new version 5. Something that didn't work in the older versions of both the SSL VPN and UAC. Importing a software version meant that you needed the correct software version on the device first.

Anyway, importing the system config seemed to work, because all visible settings were correct. The XML import (other configuration settings regarding authentication servers, realms, user roles, etc.) also imported correctly (or so it seemed).
I compared the two configs side by side, and everything checked out. That was until I tried to authenticate on a switch with 802.1x. That didn't work as it should.

The logging of the UAC showed numerous 'No EAP Protocol Was Agreed On' errors. This was weird, because everything worked correctly on the older version.
Since the EAP protocol relies (for a part) on the SSL certificate on the device, I swapped that one for a new certificate from my personal PKI service.

After having checked, and double checked everything (I even tried authenticating against the older UAC version... which still worked), I decided to do a clean install (back to factory settings), and reconfigure the entire UAC by hand instead of the import.

Guess what, everything worked great after I had copied everything by hand.

So I guess that the import of an XML file belonging to an earlier software version still doesn't work. The only difference is that in the old days I got a warning/error.

So if you're getting the 'No EAP Protocol Was Agreed On' error in your events logging, and you did a recent upgrade, you might want to try a fresh install and configure things by hand.

I have no idea if this is applicable to the 'normal' hardware appliances with the software.

Posted on April 13, 2014 and filed under Security, Software, Tips'n Tricks.

Fujifilm X-T1 and Lee Filters

Lee Filter System

During the time with my Nikon D300 I always used regular (thread) filters (circular polarizers, and ND filters). Since the release of the Fujifilm X-T1 I wondered if a Lee filter system might be better / more flexible (not cheaper!!!!).

At the moment they offer the normal 100mm filter system and the new 75mm filter system (Seven5). The latter is designed specially for the smaller cameras (MFT, Mirrorless APS-C, etc.).

Fujinon XF 10-24mm f/4 R OIS

The Seven5 series is cheaper since it uses smaller filters (75mm versus 100mm), and since my Fujifilm X-T1 uses relatively small lenses this could be a winner (the kit lens has a 58mm filter thread). Until I found out that the new ultra wide angle Fujinon XF 10-24mm F/4 R OIS has a 72mm filter thread. And as you might guess, I'm really interested in that lens.

Fortunately, Lee has a 75-to-72mm adapter, so technically the Seven5 system can be used with that lens.

Adaptor ring thread sizes:
The holder attaches to the lens via a screw-in adaptor ring. The adaptor ring is available in the following thread sizes: 37, 37.5, 39, 40, 40.5, 43, 46, 49, 52, 55, 58, 60, 62, 67 and 72mm.

But 72mm versus 75mm doesn't leave much room on the vignetting side of it. Chances are that you get serious vignetting on the ultra wide end of the focal range (10-14mm), because of the filter holder attached to the lens.

Just to make sure, I dropped Lee an e-mail, and this is what I got in return:

I tested a pre launch version of this lens last week on my XPro-1 - 10mm is very wide and the lens is the maximum size our 75mm holder can accept. You do get vignetting below about 12mm, which is still good given that is 15mm FF equivalent.

You would have no problems with the bigger system and a wide angle ring at 10mm, but the system is much larger and more expensive.

The s5 system works very well on all other X lenses - you just need to decide whether those last 2mm of focal length are really important to you.

Personally, I will be sticking with the 14mm prime (but upgrading to the X-T1)

I hope this helps.

With regards,

Tech Support - LEE Filters
— - email

Fujinon XF 14mm f/2.8 R

So, there you got it: accept additional vignetting on the ultra wide side, or invest in the more expensive 100mm filter system. But before I even invest in a filter system I need to see some independent reviews of that new lens. I might even get the Fujinon XF 14mm f/2.8 R. That lens is available at the moment and is highly recommended by several sites [2] / reviewers / users.

Choices, choices, choices

Posted on March 28, 2014 and filed under Gear, Photography, Personal, Tips'n Tricks.

Fujifilm X-T1 Review

My interest in Fujifilm cameras was rekindled when they released the X-Pro1. When they announced and released the X-T1 this year I had to have one. Why? Because it had everything that my old Nikon D300 doesn't have:

  • Lighter
  • Smaller
  • More Mpix (16 versus 12)
  • Lighter quality lenses
  • Capable of mounting Leica and Nikon lenses (through the use of third party adapters).
  • Tilt-screen
  • Electronic View Finder (EVF)

So my Nikon gear went on sale, and the X-T1 with the Fujinon 18-55mm 1:2.8-4 R LM OIS kit lens found a way into my camera bag, and I skipped the Sony A7(r).

Posted on March 28, 2014 and filed under Gear, Photography, Review.