
Connecting to Active Directory using ruby and Activeldap

ruby-activeldap requires ruby-ldap and ruby-log4r (hah @ log4r). On Activeldap 0.7.4 via debian etch packages:

Remember that AD doesn’t like anonymous binds:

require 'activeldap'

ActiveLDAP::Base.connect(
  :host => "ad.example.org",
  :base => "dc=ad,dc=example,dc=org",
  :bind_dn => "cn=ldapbind,ou=service,dc=ad,dc=example,dc=org",
  :password => "password"
)
/usr/lib/ruby/1.8/activeldap/base.rb:312:in `connection': Unable to retrieve schema from server (plain) (ActiveLDAP::ConnectionError)

This error is deceiving though. I noticed via wireshark that it was trying to bind as ‘cn=username,dc=localdomain’, failing, and trying an anonymous bind, at which point AD was letting it search that weird referral land that typically breaks other ldap searches. After adding:

  :allow_anonymous => false

I got:

/usr/lib/ruby/1.8/activeldap/base.rb:1225:in `do_bind': Invalid credentials (LDAP::InvalidCredentials)

Using this worked:

ActiveLDAP::Base.connect(
  :host => "ad.example.org",
  :base => "dc=ad,dc=example,dc=org",
  :bind_format => "cn=%s,ou=service,dc=ad,dc=example,dc=org",
  :user => "ldapbind",
  :password => "password",
  :allow_anonymous => false
)

I’ve lost the class block using ldap_mapping I was using, but you could do things like:

class User < ActiveLdap::Base
  ldap_mapping :dn_attribute => 'uid', :prefix => ""
end

user = User.new("myusername")
puts user.mail

Awesomely enough, you have to pay strict attention to what version of Activeldap you’re using. In later versions ActiveLDAP becomes ActiveLdap and the Base.connect method becomes Base.establish_connection and works a little differently (using Activeldap 0.10.0 via gem). dnattr used with ldap_mapping becomes dn_attribute. ri is your friend here. Something like this works:

#!/usr/bin/ruby
# requires ruby-activeldap (libactiveldap-ruby1.8)
#     ruby-ldap (libldap-ruby1.8) ruby-log4r (liblog4r-ruby1.8)
# this particular syntax requires ruby-activeldap 0.10.0
# rubygems is required because I installed via gem. I don't know why.
# Bryan McLellan 

require 'rubygems'
require 'active_ldap'

ActiveLdap::Base.establish_connection(
  :host => "ad.example.org",
  :base => "dc=ad,dc=example,dc=org",
  :bind_dn => "cn=ldapbind,ou=service,dc=ad,dc=example,dc=org",
  :password => "password"
)

class User < ActiveLdap::Base
  ldap_mapping :dn_attribute => 'uid', :prefix => 'ou=MyUsers', :classes => ["user"]
end

user = User.find("myusername")
puts user.mail

You need classes to tell activeldap what schema to load. Standard classes are things like [‘top’, ‘account’, ‘posixAccount’]. You can list multiple schemas in an array like I just did. I found the attribute I wanted by running ‘puts user.attribute_names’ and looking through the list. Note also that we’re using User.find instead of User.new. Previously User.find didn’t contain any attributes, but now it does, whereas User.new will have empty attributes because it is in fact creating a new user object, as one would expect (albeit only in memory).
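As an added example (not code from the original post or from the ActiveLdap project), here is a small Ruby helper that builds the connection options the way the two snippets above lean towards: anonymous fallback off, LDAPS on 636, and the bind DN assembled from a username that is escaped per RFC 4514 first, so a username containing ‘,’ or ‘=’ cannot change which entry the bind targets. It also escapes values per RFC 4515 for the kind of ‘sAMAccountName=%1’ lookup used in the Avocent notes further down the page. The host, base, service OU and the names ad_connection_options/user_filter/escape_dn_value/escape_filter_value are my own assumptions; :port, :method => :ssl and :try_sasl are ActiveLdap options, which you should confirm with ri for your version as the post suggests. The empty-password check is there because a simple bind with a DN and no password is an unauthenticated bind (RFC 4513 section 5.1.2), which a directory may answer with success, making a blank credential look valid.

```ruby
# Added example, not from the original post or from ActiveLdap itself.
# Builds ActiveLdap connection options for a service bind against AD with the
# anonymous-bind fallback disabled, and escapes user-supplied values before
# they are placed in a DN (RFC 4514) or a search filter (RFC 4515).
# AD_HOST, AD_BASE and SERVICE_OU are constructed sample values.

AD_HOST    = "ad.example.org"
AD_BASE    = "dc=ad,dc=example,dc=org"
SERVICE_OU = "ou=service,dc=ad,dc=example,dc=org"

# Escape one attribute value for use inside a DN, per RFC 4514 section 2.4:
# the characters \ , + " < > ; = are backslash-escaped, NUL becomes \00, and
# a leading '#' as well as a leading or trailing space are escaped too.
def escape_dn_value(value)
  v = value.to_s.gsub(/[\\,+"<>;=]/) { |c| "\\#{c}" }
  v = v.gsub("\0") { '\00' }
  v = v.sub(/\A#/) { '\#' }
  v.gsub(/\A | \z/) { '\ ' }
end

# Escape a value for use inside a search filter, per RFC 4515: the characters
# * ( ) \ and NUL are replaced by a backslash and their two-digit hex code.
def escape_filter_value(value)
  value.to_s.gsub(/[*()\\\x00]/) { |c| format('\\%02x', c.ord) }
end

# Filter for looking a user up by login name, the same shape as the
# 'sAMAccountName=%1' UID mask in the Avocent notes on this page.
def user_filter(username)
  "(sAMAccountName=#{escape_filter_value(username)})"
end

# Connection options for ActiveLdap::Base.establish_connection.
# Refuses an empty password: a simple bind with a DN and no password is an
# unauthenticated bind (RFC 4513 5.1.2) that a directory may answer with
# success, which would make a blank credential look like a valid one.
def ad_connection_options(user, password, host = AD_HOST, base = AD_BASE)
  if password.nil? || password.empty?
    raise ArgumentError, "refusing empty password: would be an unauthenticated bind"
  end
  {
    :host            => host,
    :port            => 636,        # LDAPS rather than plain 389
    :method          => :ssl,
    :base            => base,
    :bind_dn         => "cn=#{escape_dn_value(user)},#{SERVICE_OU}",
    :password        => password,
    :allow_anonymous => false,      # no silent anonymous fallback on bind failure
    :try_sasl        => false
  }
end

if __FILE__ == $0
  # Stand-alone run: show the options with the password masked.
  shown = ad_connection_options("ldapbind", "password").merge(:password => "***")
  shown.keys.sort_by { |k| k.to_s }.each { |k| puts "#{k}: #{shown[k].inspect}" }
  puts user_filter("j.doe")
  # With the options built, the connect call is simply:
  # ActiveLdap::Base.establish_connection(ad_connection_options("ldapbind", ENV["LDAP_PASSWORD"]))
end
```

The two escaping routines are deliberately separate: DN escaping and filter escaping use different rules, and a value that is safe in one place is not automatically safe in the other.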

I’m going to post this as is, since WP likes to destroy my PRE blocks and I haven’t looked for a solution yet.

moving mysql databases with innodb tables with foreign keys

I was trying to move an old IRM database from a mysql 4 to a mysql 5 install. I dumped the usual way and had issues, and ended up using ‘mysqldump --opt database > date.file’. Then, instead of the usual ‘mysql database < date.file’ to import, I ran ‘mysql database’ and then the mysql commands ‘SET FOREIGN_KEY_CHECKS = 0;’, followed by ‘source date.file’, then ‘SET FOREIGN_KEY_CHECKS = 1;’.

ERROR 1217 (23000) at line 927: Cannot delete or update a parent row: a foreign key constraint fails

Proxying Alfresco with mod_proxy and mod_rewrite


Order allow,deny
Allow from all

ProxyRequests Off
RewriteEngine On
RewriteRule ^/alfresco/(.*) /$1 [PT]
ProxyPass / http://127.0.0.1:8080/alfresco/
ProxyPassReverse / http://127.0.0.1:8080/alfresco/

The WordPress visual editor has a frustrating desire to mess with text inside pre tags (the angle-bracket container around the Order/Allow lines, normally a Proxy block, was eaten as HTML), but above is my Alfresco reverse-proxy Apache configuration, for the record. ProxyRequests Off is the line that matters for safety: it keeps mod_proxy from acting as a forward proxy for anyone who can reach the host, so only the ProxyPass reverse mapping is offered.

copying a disk with lvm

I dug this out of the LVM HOWTO. I had an Ubuntu linux install on an IDE disk and I was moving this install to a newer SATA only box. I got both the disks running in the old computer and booted up on System Rescue CD. I copied my boot partition using gparted, then ran:

pvcreate /dev/newdiskpartition
vgextend oldvolumegroup /dev/newdiskpartition
pvmove /dev/olddiskpartition /dev/newdiskpartition
vgreduce oldvolumegroup /dev/olddiskpartition

I’d recommend thinking about all of this carefully before hitting enter. It took an hour or two to move 80GB of physical extents from IDE to SATA. Since I’m running Ubuntu, I also mounted the new partition as /mnt, ran ‘chroot /mnt /bin/bash’, then mounted the boot partition in /boot. I ran grub-install, updated /boot/menu.lst, and updated the UUIDs in /etc/fstab.

Short ATI Config for Ubuntu Gutsy (7.10)

I don’t know why this was so hard. Lots of hacks out there for getting dual head working on an ATI Radeon. This is an X1300.

I started up and Ubuntu detected that there was a Radeon installed and the restricted drivers manager wanted to install the fglrx (ati) drivers. I did this and rebooted, then ran this command with a fairly clean xorg.conf:

aticonfig --initial=dual-head --dtop=horizontal

resizing the text box in pidgin 2.4

I downloaded Pidgin (formerly gaim) on a new machine, like I normally do. I quickly noticed that I could no longer change the size of the text input area. I subscribed to ticket #4986 and watched the arguments roll until eventually the developers simply closed the ticket as wontfix. I’ve heard rumors there is some turmoil within development, but really only the developer to user turmoil is externally visible. I’ve just been using pidgin 2.3 while this was all being discussed but I’m switching to the funpidgin fork now that the developers have expressed that pidgin will not have an option to manually resize the text input area.

While it seems like a lame fork, it’s up to the pidgin developers I suppose as to see where things go from here. Hopefully if the pidgin developers keep contributing new code that doesn’t suck, the funpidgin developers will keep integrating it and keep up with releases. Of course, what would just be best is a damn option in pidgin to enable manual resizing again. Looks like that’s not happening with the current developer hierarchy though.

Getting manual input sizing back is a matter of Tools -> Plugins, then Enable Entry Area Manual Size. You will likely need to close the conversation window and re-open it.

dell suu on debian linux

I mounted an SUU (Server Update Utility) dvd on a debian etch blade today and poked around it. ‘autorun.sh’ started X (over ssh to my ubuntu desktop) but the window was all white, although I did get a normal looking exit yes/no prompt when I closed it.

running ‘suu -u’ from the command prompt worked fine (mount the cd with a full mount /dev/device /mnt otherwise you risk inheriting ‘user’ from fstab which can muck with permissions).

It ran three times and each time wanting to reboot. After the third time I checked the log and found:

/var/log/dell/suu# cat update.log
Wed Apr 16 16:55:36 PDT 2008  PE1955_BIOS_LX_1.4.2_1.BIN - reboot required to complete update
Wed Apr 16 16:55:37 PDT 2008  PE1955_FRMW_LX_R168472.BIN - reboot required to complete update
Wed Apr 16 16:55:37 PDT 2008  PE1955_ESM_FRMW_LX_R158506.BIN - update successful
Wed Apr 16 17:04:51 PDT 2008  PE1955_BIOS_LX_1.4.2_1.BIN - reboot required to complete update
Wed Apr 16 17:13:29 PDT 2008  PE1955_BIOS_LX_1.4.2_1.BIN - reboot required to complete update

OMSA confirmed that the BIOS is v1.0.0. Apparently the BIOS upgrade isn’t taking but ‘omreport storage controller’ confirmed that the PERC firmware took, which is what I cared about the most. I assume if the BIOS update took it’d stop asking me to reboot.

That was all more painless than I expected.

bugzilla and subversion integration with scmbug

We recently switched to subversion from cvs, and after patching together a Bugzilla 3.0.3 install since the debian bugzilla package is currently orphaned, the dev lead stepped into the IT office and informed me that we needed svn + bugzilla integration for checkins. Meh. There’s a nice long howto here that covers everything, almost step by step, but most of it’s manual. If you ignore that it explains how to install everything, the configuration is somewhat short but still involves hacks with email, due to the lack of a widely used API in bugzilla.

SCMBug releases, however, have debs, the latest being 0.23.4. You can download these and run:

dpkg -i scmbug-server_0.23.4_all.deb scmbug-common_0.23.4_all.deb ; apt-get install -f

I’m sure there’s a cleaner way to do that, but I haven’t stumbled across it yet and that works.

Installation documentation is nested deep in here.

Upon scmbug_daemon starting I saw:

** Scmbug error 77: The userlist mappings are enabled, but no mappings are configured.

My bugzilla install is currently in /usr/local/bugzilla due to the lack of a package, so I went in there and grabbed the corresponding information from localconfig to update /etc/scmbug/daemon.conf including database information (I keep my mysql databases consolidated in production), and made a point to update installation_directory to ‘/usr/local/bugzilla’.

I also enabled the mapping_regexes section (enabled =>1) and modified the “unix user mapping” to email addresses, since that’s what bugzilla uses.

I then installed scmbug-common and scmbug-tools on the subversion server and configured it like:

scmbug_install_glue --scm=Subversion --product=myproduct --repository=file:///srv/code/svn --daemon=10.0.0.19 --binary-paths=/bin,/usr/bin --bug 845

I made up the bug number, using the first one that didn’t exist in bugzilla yet. It requires all of those options. The ‘file://’ part of the svn url is required or you get the error “** Scmbug error 25: file:// prefix not specified for Subversion repository path.”

I was a little iffy about the product, because we separate out our repository by product but it’s all in one svn repository. There is chat about it all matching up here and having product be required in the scmbug_install_glue script was a little disconcerting in the way that I expect things to not work.

I used TortoiseSVN on a windows box to quickly make a new directory and tag it with a bug I made (845, after the fact of running the install script). I hit a couple default policy problems like that the bug wasn’t open yet, then that my commit message wasn’t over 50 characters. All this can be tuned in ‘/srv/code/svn/hooks/etc/scmbug/glue.conf’ after you’ve installed the glue.

Lo and behold though, the install worked. Props to the scmbug folks, that was much cleaner than the alternatives.

update: checkin linkification

I modified some older diffs against bugzilla to linkify the file list on checkin. They were on bug #266 in bugzilla for scmbug, but I can’t create a login right now for whatever reason. Hopefully people find it here, since I’m using this on 3.0.3 and viewsvn, which is different from what’s on the bug right now.

WP doesn’t like me pasting the diff, wrapping in pre or code tags, so it is here in my git repo.

wordpress

Moved this over to wordpress 2.2 from blogger. Easy enough to do except for two things.

 1) “We were not able to gain access to your account. Try starting over.” after authorizing blogger, required an update to blogger.php locally for 2.2. Note I ‘switched’ from ftp to blogspot hosting in the process of debugging this too, which was seamless and immediate.

2) The default way that wordpress allows multiple sites on debian (which is much nicer than that of gentoo btw) uses the hostname to determine which site you’re connecting to, so I moved the blog to http://blog.loftninjas.org from http://loftninjas.org/blog.

flame) And the text window is resizable, unlike pidgin.

Why the switch? I was hosting this on my server using blogger’s “SFTP” interface and about 50% of the time I used it I’d get a “Your publish is taking longer than expected. To continue waiting for it to finish, click here.” error when trying to publish.

vmware timekeeping part 3

earlier posts here and here.

A review:
1) We removed ntp from the linux guests and left it running on the vmware hosts.
2) We installed open-vm-tools on the guest and live enabled timesync using vmware-guestd

Notes revealed we were gaining about 40s a day.

3) set clock=pit (use clocksource=pit now) in the grub config as a kernel option and restarted a guest

That looks like about 40s over three weeks.

4) today I noticed a lot of “/dev/vmmon[3685]: host clock rate change request 500 -> 998” messages on the vmware hosts (linux) and I set up the recommendations here which is ‘host.cpukHz = cpuspeedinkhz’, ‘host.noTSC = TRUE’, and ‘ptsc.noTSC = TRUE’ to work around possible speed step issues.

I accidentally used khz = mhz * 100 instead of khz = mhz * 1000, which made the time get way off when I stopped and then started the VM I was testing on. This was interesting though, because I was afraid I’d have to stop vmware-server, not just an individual vmware-vmx process, to get it to re-read /etc/vmware/config.

Looping ntpdate shows about 8/10th of a second gain over 20 minutes. Still more gain than I’d like to see. Will watch the graph and then try again in a week or two.

Avocent KVMoIP LDAP Configuration

The manual is way too confusing about this. It works like this:

LDAP Overview:
LDAPS works fine with Server 2003 R2 AD, and is preferred (leave it on port 636). If you’re using fqdn’s, make sure you have DNS servers set in the network section.

On the Search page:
‘Search DN/Password’ is the Bind DN/Password.
‘Search Base’ is similarly the ‘Base DN’.
‘UID Mask’ should be ‘attribute=%1’, replace attribute with the name of the attribute storing the username, so generally with AD this is ‘sAMAccountName=%1’

Query page:
If ‘Group Container Mask’ = ‘ou=%1’ and Group Container = ‘KVM’ then we’re looking for ou=KVM in the above configured BaseDN. This is where we’ll set everything up. I recommend staying at the top of the tree for simplicity.

Target Mask should be ‘cn=%1’ because we’re looking for objects, and Access Control Attribute will be ‘info’ because that corresponds to ‘Notes’ in the ADUC UI.

In this OU container:

1) Create a computer object with the same name as the KVM name under ‘Appliance -> Overview’. I renamed this to KVM01. I had to do this on a DC as MMC was crashing on my terminal server when creating a computer object, probably unrelated.

2) Now create a group, call it whatever. In the notes section put ‘KVM Appliance Admin’. This is how we define what you can do. Add the KVM computer object to this group, and any users (or groups, ie domain admins) you want.

3) These people will have full access to the kvm and all objects. It sounds like adding access into individual objects requires being in a group with info of ‘KVM User’ and the computer objects for the actual server names in the group as well. Bah.

Vista trust relationship login failures

A local Vista computer started having intermittent login failures when a domain user tried to log in about a trust problem with the account database.

Since Vista disables the local administrator account even though it had a password, I used Nordahl’s ntpasswd linux boot cd to enable the local administrator account (if I hadn’t known the password I could have changed it as well). Of course the CD requires access to the syskey as the SAM is encrypted, but it always finds it automatically since nobody puts the syskey on floppy.

Then I logged in, removed the computer from the domain, changed its name, and rejoined it, and things were fine.

Domain profiles were kept intact by the way.

FHS Compliance for NFS mounts

Where should one mount shared NFS data?

FHS 2.3 has no advice. All the NFS talk is about how you might NFS mount /usr and the likes.

Options: /opt, /mnt, /srv. mnt is the old school way, but FHS uses the key word ‘temporary’ which makes sense these days, even though we’ve started using /media for most things temporary. opt? I stay away from opt since I touched oracle.

/srv : Data for services provided by this system
Sounds good to me. nfs mounts will go in /srv, since it’s all data for services provided by this system.

further vmware timekeeping

I’ve talked about this in other posts. I’ve been automating vmware guest creation and configuration. Time has been one of the bigger hassles. The best reading about it is here.

I automated vmware tools install using the open-vm-tools deb (backport to etch). Then used puppet to run vmware-cmd to enable timesync on all of the guests. See here.

This keeps time from falling behind, but we set up some munin graphs and saw time was gaining about 40s a day. So I just wrote another puppet exec to add ‘clock=pit’ to the end of the kernel lines. Newer kernels use time algorithms that try to correct time for lost cycles, and lost cycles are common in virtualized environments. I’ll note how this works out after a week or so.