Author Archives: btm

Exchange 2007 Public Folder Security Groups

Tried to add an Exchange 2007 Global Security Group to a tree of public folders today. Exchange wouldn’t see the group unless it was mail enabled, but trying to switch it to a distribution group would break the NTFS ACLs that use it. Changing the group to be a universal security group however allowed me to mail enable it under recipient configuration, distribution groups, new distribution group in the exchange management console (EMC).

Then in the exchange management shell (EMS) I ran:

get-publicfolder -identity "\publicfolder" -recurse |
add-publicfolderclientpermission -user "Some Kind of Managers" -accessright publishingeditor

It’s perplexing how pipes work in powershell. That ‘get-publicfolder -identity “\foo”‘ produces very little information while ‘get-publicfolder -identity “\foo” | format-list” produces extended information is confusing to say the least, coming from a DOS/UNIX background, made worse by the command being named FORMAT rather than GETMEMOREINFORMATION. Oh well. Note that in the past I’ve seen that add-publicfolderclientpermission breaks if the user has some degree of permissions already, and you have to run a get command into a pipe to a remove command to clean up first.

git commit email notification on debian etch

We use git with a single bare repository for our puppet configuration, and each systems administrator has a local git repository clone which they push back to the origin. I wanted to set up email notification on this main repository which lives on a debian etch server.

I found post-receive-email in the git gitweb repository and assumed that it was not included in the debian package because it has a copyright with no OSS license included. It pulls its configuration from the git config, which is repository specific and kind of neat, but I had to modify it to call ‘git-repo-config’ instead of ‘git config’ because that’s all etch had. Again, assuming some weird debian problem, but I didn’t bother looking.

Then when I had trouble with it not working I noticed my ubuntu hardy box had a newer major revision of git-core than the debian etch box. That is 1.5.4.3-1ubuntu2 and 1.4.4.4-2 respectively. I poked around the git documentation a little bit and found that the post-receive hooks weren’t added until 1.5.1. But there is a 1.5.4 git-core deb in etch-backports.

If you want to upgrade multiple boxes with a local repository, you’ll need a copy more than git-core to meet the dependences. otherwise you can just use apt-get install after adding the backports repo.

add ‘deb http://www.backports.org/debian etch-backports main’ to /etc/apt/sources.list

sudo apt-get update
sudo apt-get install debian-backports-keyring
sudo apt-get update
sudo apt-get install apt-move
sudo rm /var/cache/apt/archives/git*
for package in gitk gitweb `apt-cache search '^git-*' --names-only | awk '{ print $1 }'` ; do sudo /usr/lib/apt-move/fetch $package ; done

latest debs are in /var/cache/apt/archives, for copying to a local repository.

git-core 1.5.4.2-1~bpo40+2 includes git-config and ‘post-receive-email’.

cd /path-to-bare-git-repo/.git/hooks
ln -sf /usr/share/doc/git-core/contrib/hooks/post-receive-email post-receive
sudo chmod a+x /usr/share/doc/git-core/contrib/hooks/post-receive-email
git-config hooks.mailinglist "to@example.org"

git-config --global user.name "Your Name"
git-config --global user.email "Your Email"

tinkering with ruby, activeldap and active directory, part 2

These are my notes from tonights reading after trying to get activeldap working with active directory today at work. Here is when they renamed ActiveLDAP to ActiveLdap, around 0.8.0, so if you’re looking at examples using the capital case, they’re fairly old and really should probably ignore them. v0.8.0 and later is also when Base.connect went away and we got Base.establish_connection, and dnattr became dn_attribute. The most sane examples live in the rdoc in active_ldap.rb. Still not 100% there though.

Connecting to Active Directory using ruby and Activeldap

ruby-activeldap requires ruby-ldap and ruby-log4r (hah @ log4r). On Activeldap 0.7.4 via debian etch packages:

Remember that AD doesn’t like anonymous binds:

require 'activeldap'

ActiveLDAP::Base.connect(
  :host => "ad.example.org",
  :base => "dc=ad,dc=example,dc=org",
  :bind_dn => "cn=ldapbind,ou=service,dc=ad,dc=example,dc=org",
  :password => "password",
)
/usr/lib/ruby/1.8/activeldap/base.rb:312:in `connection': Unable to retrieve schema from server (plain) (ActiveLDAP::ConnectionError)

This error is deceiving though. I noticed via wireshark that it was trying to bind as ‘cn=username,dc=localdomain’, failing, and trying an anonymous bind, at which point AD was letting it search that weird referral land that typically breaks other ldap searches. After adding:

  :allow_anonymous => false

I got:

/usr/lib/ruby/1.8/activeldap/base.rb:1225:in `do_bind': Invalid credentials (LDAP::InvalidCredentials)

Using this worked:

ActiveLDAP::Base.connect(
  :host => "ad.example.org",
  :base => "dc=ad,dc=example,dc=org",
  :bind_format => "cn=%s,ou=service,dc=ad,dc=example,dc=org",
  :user => "ldapbind",
  :password => "password",
  :allow_anonymous => false
)

I’ve lost the class block using ldap_mapping I was using, but you could do things like:

class User < ActiveLdap::Base
  ldap_mapping :dn_attribute => 'uid', :prefix => ""
end

user = User.new("myusername")
puts user.mail

Awesomely enough you have to pay strict attention to what version of Activeldap you’re using. in Later versions ActiveLDAP becomes ActiveLdap and the Base.connect method becomes Base.establish_connection and works a little differently (using Activeldap 0.10.0 via gem). dnattr used with ldap_mapping becomes dn_attribute. ri is your friend here. Something like this works:

#!/usr/bin/ruby
# requires ruby-activeldap (libactiveldap-ruby1.8)
#     ruby-ldap (libldap-ruby1.8) ruby-log4r (liblog4r-ruby1.8)
# this particular syntax requires ruby-activeldap 0.10.0
# rubygems is required because I installed via gem. I don't know why.
# Bryan McLellan 

require 'rubygems'
require 'active_ldap'

ActiveLdap::Base.establish_connection(
  :host => "ad.example.org",
  :base => "dc=ad,dc=example,dc=org",
  :bind_dn => "cn=ldapbind,ou=service,dc=ad,dc=example,dc=org",
  :password => "password",
)

class User < ActiveLdap::Base
  ldap_mapping :dn_attribute => 'uid', :prefix => 'ou=MyUsers, :classes => ["user"]
end

user = User.find("myusername")
puts user.mail

You need classes to tell activeldap what schema to load. Standard classes are things like [‘top’, ‘account’, ‘posixAccount’]. You can list multiple schema’s in an array like I just did. I found user by ‘puts user.attribute_names’ and looking for the attribute I wanted. Note also that we’re using User.find instead of User.new. Previously User.find didn’t contain any attributes, now it does, whereas User.new will have empty attributes because it is in fact creating a new user class as one would expect (albeit in memory).

I’m going to post this as WP like to destroy my PRE blocks, and I haven’t looked for a solution yet.

moving mysql databases with innodb tables with foriegn keys

I was trying to move an old IRM database from a mysql 4 to a mysql 5 install. I dumped the usual way and had issues, and ended up using ‘mysqldump –opt database > date.file’ then instead of the usual ‘mysql database < date.file’ to import I ran ‘mysql database’ then the mysql command ‘SET FOREIGN_KEY_CHECKS = 0;’ followed by ‘source date.file’ then ‘SET FOREIGN_KEY_CHECKS = 1;’

ERROR 1217 (23000) at line 927: Cannot delete or update a parent row: a foreign key constraint fails

Proxying Alfresco with mod_proxy and mod_rewrite


Order allow,deny
Allow from all

ProxyRequests Off
RewriteEngine On
RewriteRule ^/alfresco/(.*) /$1 [PT]
ProxyPass / http://127.0.0.1:8080/alfresco/
ProxyPassReverse / http://127.0.0.1:8080/alfresco/

The wordpress visual editor has a frustrating desire to mess with text inside pre tags, but above is my alfresco redirect apache configuration, for the record.

copying a disk with lvm

I dug this out of the LVM HOWTO. I had an Ubuntu linux install on an IDE disk and I was moving this install to a newer SATA only box. I got both the disks running in the old computer and booted up on System Rescue CD. I copied my boot partition using gparted, then ran:

pvcreate /dev/newdiskpartition
vgextend oldvolumegroup /dev/newdiskpartition
pvmove /dev/olddiskpartition /dev/newdiskpartition
vgreduce oldvolumegroup /dev/olddiskpartition

I’d recommend thinking about all of this carefully before hitting enter. It took an hour or two to move 80GB of physical extents from IDE to SATA. Since I’m running ubuntu, I also mounted the new partition as /mnt, and ran ‘chroot /mnt /bin/bash’ then mounted the boot partition in /boot. I ran grub-install, updated /boot/menu.lst, and updated the UUID’s in /etc/fstab.

Short ATI Config for Ubuntu Gutsy (7.10)

I don’t know why this was so hard. Lots of hacks out there for getting dual head working on an ATI Radeon. This is an X1300.

I started up and Ubuntu detected that there was a Radeon installed and the restricted drivers manager wanted to install the fglrx (ati) drivers. I did this and rebooted, then ran this command with a fairly clean xorg.conf:

aticonfig –initial=dual-head –dtop=horizontal

resizing the text box in pidgin 2.4

I downloaded Pidgin (formerly gaim) on a new machine, like I normally do. I quickly noticed that I could no longer change the size of the text input area. I subscribed to ticket #4986 and watched the arguments roll until eventually the developers simply closed the ticket as wontfix. I’ve heard rumors there is some turmoil within development, but really only the developer to user turmoil is externally visible. I’ve just been using pidgin 2.3 while this was all being discussed but I’m switching to the funpidgin fork now that the developers have expressed that pidgin will not have an option to manually resize the text input area.

While it seems like a lame fork, it’s up to the pidgin developers I suppose as to see where things go from here. Hopefully if the pidgin developers keep contributing new code that doesn’t suck, the funpidgin developers will keep integrating it and keep up with releases. Of course, what would just be best is a damn option in pidgin to enable manual resizing again. Looks like that’s not happening with the current developer hierarchy though.

Getting manual input sizing back is a matter of  Tools -> Plugins, then Enable Entry Area Manual Size. You will likely need to close the conversation window and re-open it.

dell suu on debian linux

I mounted an SUU (Server Update Utility) dvd on a debian etch blade today and poked around it. ‘autorun.sh’ started X (over ssh to my ubuntu desktop) but the window was all white, although I did get a normal looking exit yes/no prompt when I closed it.

running ‘suu -u’ from the command prompt worked fine (mount the cd with a full mount /dev/device /mnt otherwise you risk inheriting ‘user’ from fstab which can muck with permissions).

It ran three times and each time wanting to reboot. After the third time I checked the log and found:

/var/log/dell/suu# cat update.log
Wed Apr 16 16:55:36 PDT 2008  PE1955_BIOS_LX_1.4.2_1.BIN – reboot required to complete update
Wed Apr 16 16:55:37 PDT 2008  PE1955_FRMW_LX_R168472.BIN – reboot required to complete update
Wed Apr 16 16:55:37 PDT 2008  PE1955_ESM_FRMW_LX_R158506.BIN – update successful
Wed Apr 16 17:04:51 PDT 2008  PE1955_BIOS_LX_1.4.2_1.BIN – reboot required to complete update
Wed Apr 16 17:13:29 PDT 2008  PE1955_BIOS_LX_1.4.2_1.BIN – reboot required to complete update

OMSA confirmed that the BIOS is v1.0.0. Apparently the BIOS upgrade isn’t taking but ‘omreport storage controller’ confirmed that the PERC firmware took, which is what I cared about the most. I assume if the BIOS update took it’d stop asking me to reboot.

That was all more painless than I expected.

bugzilla and subversion integration with scmbug

We recently switched to subversion from cvs and after patching together a Bugzilla 3.0.3 install since the debian buzgilla package is currently orphaned, the dev lead stepped into the IT office and informed me that we needed svn + bugzilla integration for checkins. Meh. There’s a nice long howto here that covers everything, almost step by step, but most of it’s manual. If you ignore that it explains how to install everything, the configuration is somewhat short but still involved hacks with email due to the lack of an API in bugzilla that’s widely used.

SCMBug releases however, have debs, the latest being 0.23.4. you can download these and run:

dpkg -i scmbug-server_0.23.4_all.deb scmbug-common_0.23.4_all.deb ; apt-get install -f

I’m sure there’s a cleaner way to do that, but I haven’t stumbled across it yet and that works.

Installation documentation is nested deep in here.

Upon scmbug_daemon starting I saw:

** Scmbug error 77: The userlist mappings are enabled, but no mappings are configured.

My bugzilla install is currently in /usr/local/bugzilla due to the lack of a package, so I went in there and grabbed the corresponding information from localconfig to update /etc/scmbug/daemon.conf including database information (I keep my mysql databases consolidated in production), and made a point to update installation_directory to ‘/usr/local/bugzilla’.

I also enabled the mapping_regexes section (enabled =>1) and modified the “unix user mapping” to email addresses, since that’s what bugzilla uses.

I then installed scmbug-common and scmbug-tools on the subversion server and configured it like:

scmbug_install_glue --scm=Subversion --product=myproduct --repository=file:///srv/code/svn --daemon=10.0.0.19 --binary-paths=/bin,/usr/bin --bug 845

I made up the bug number, used the first one that didn’t exist in bugzilla yet. It requires all of those options. the ‘file://’ part of the svn url is required or you get the error “** Scmbug error 25: file:// prefix not specified for Subversion repository path.”

I was a little iffy about the product, because we separate out our repository by product but it’s all in one svn repository. There is chat about it all matching up here and having product be required in the scmbug_install_glue script was a little disconcerting in the way that I expect things to not work.

I used TortoiseSVN on a windows box to quickly make a new directory and tag it with a bug I made (845, after the fact of running the install script). I hit a couple default policy problems like that the bug wasn’t open yet, then that my commit message wasn’t over 50 characters. All this can be tuned in ‘/srv/code/svn/hooks/etc/scmbug/glue.conf’ after you’ve installed the glue.

Low and behold though, the install worked. Props to the scmbug folks, that was much cleaner than the alternatives.

update: checkin linkification

I modified some older diffs against bugzilla to linkify the file list on checkin. The were on bug #266 in bugzilla for scmbug, but I can’t create a login right now for whatever reason. hopefully people find it here, since I’m using this on 3.0.3 and viewsvn, which is different than what’s on the bug right now.

WP doesn’t like me pasting the diff, wrapping in pre or code tags, so it is here in my git repo.

wordpress

Moved this over to wordpress 2.2 from blogger. Easy enough to to do except for two things.

 1) “We were not able to gain access to your account. Try starting over.” after authorizing blogger, required an update to blogger.php locally for 2.2. Note I ‘switched’ from ftp to blogspot hosting in the process of debugging this too, which was seamless and immediate.

2) The default way that wordpress allows multiple sites on debian (which is much nicer than that of gentoo btw) uses the hostname to determine which site you’re connecting to, so I moved the blog to http://blog.loftninjas.org from http://loftninjas.org/blog.

flame) And the text window is resizable, unlike pidgin.

Why the switch? I was hosting this on my server using blogger’s “SFTP” interface and about 50% of the time I used it I’d get a “Your publish is taking longer than expected. To continue waiting for it to finish, click here.” error when trying to publish.