buzzco.org

Drunk and Famous

buzzco.org header image 1

Ubuntu OpenLDAP SSL

April 27th, 2010 · tech

The setup:
I have an Ubuntu Karmic machine hosting an Apache webserver. Being security minded, I decided to set up SSL to protect user logins. Works fine. I am using an external IBM Tivoli Directory Server (ITDS) for authentication. It is an LDAP server so everything works out of the box. That is until I tried to do LDAPS. See, when you log into apache, it sends a request of to LDAP. If you don’t use LDAPS, it is in clear text. That is a big no no.

Here is my rough config:

LDAPTrustedGlobalCert CA_DER /etc/ssl/example.com.pem
<VirtualHost *:443>
ServerName wingfont
AddDefaultCharset utf-8
SSLEngine on
SSLOptions +StrictRequire
SSLCertificateFile /etc/ssl/certs/wingfont.crt
SSLCertificateKeyFile /etc/ssl/private/wingfont.key
ErrorLog /var/log/apache2/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel debug
CustomLog /var/log/apache2/access.log combined
LDAPTrustedClientCert CERT_BASE64 /etc/ssl/example.com.pem
<Location /svn>
DAV svn
SVNPath /srv/svn/wwptsng
AuthBasicProvider ldap
AuthType Basic
AuthName “BluePages”
AuthzLDAPAuthoritative on
AuthLDAPURL ldaps://example.com/,o=example.com?mail?sub?(objectClass=ePerson)
require valid-user
</Location>
</VirtualHost>

LDAPTrustedGlobalCert CA_DER /etc/ssl/example.com.pem

<VirtualHost *:443>

ServerName wingfont

AddDefaultCharset utf-8

SSLEngine on

SSLOptions +StrictRequire

SSLCertificateFile /etc/ssl/certs/wingfont.crt

SSLCertificateKeyFile /etc/ssl/private/wingfont.key

ErrorLog /var/log/apache2/error.log

LogLevel debug

CustomLog /var/log/apache2/access.log combined

LDAPTrustedClientCert CERT_BASE64 /etc/ssl/example.com.pem

<Location /svn>

DAV svn

SVNPath /srv/svn/wwptsng

AuthBasicProvider ldap

AuthType Basic

AuthName “Example.com”

AuthzLDAPAuthoritative on

AuthLDAPURL ldaps://example.com/,o=example.com?mail?sub?(objectClass=ePerson)

require valid-user

</Location>

</VirtualHost>

The issue:


Apache’s error log has this.

[Thu Apr 15 12:26:10 2010] [debug] ssl_engine_io.c(1892): OpenSSL: I/O error, 5 bytes expected to read on BIO#21604778 [mem: 216250c0]
[Thu Apr 15 12:26:10 2010] [info] [client 9.56.181.54] (70007)The timeout specified has expired: SSL input filter read failed.

So I tired to do a search with ldapsearch.

ldapsearch -x -H ldaps://host:636 -b “o=example.com” “(mail=mike@example.com)” -d-1

TLS: peer cert untrusted or revoked (0×42)
TLS: can’t connect: (unknown error code).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can’t contact LDAP server (-1)

The story:


Google was very little help, hence this blog post.
Way back in the ancient time, Debian was king. Ubuntu is a step child, and has inherited lots Debian’s awesomeness. Debian folks will tell you that they adhere to open source licenses in the strictest sense of the word. LIBSSL has a non GPL compatible license. Debian and Ubuntu normally do not compile and link against it. The use GNU LTS instead. Which is fine. But for some reason there is a bug with GNU TLS and certain SSL cert chains. I have tested this against a number of ITDS servers and they all fail.

The fix:

Replace GNU TLS with libssl for the openldap libraries.

sudo apt-get install build-essential fakeroot dpkg-dev
sudo apt-get build-dep libldap-2.4-2
cd ~/
mkdir libldap
cd libldap/

sudo apt-get source libldap-2.4-2
sudo dpkg-source -x openldap_2.4.21-0ubuntu4.dsc

cd openldap-2.4.21/

cp debian/configure.options debian/configure.options.orig

sed ’s/tls=gnutls/tls=openssl/g’ debian/configure.options.orig > debian/configure.options

DEB_BUILD_OPTIONS=”–with-tls=openssl” fakeroot debian/rules binary

Go grab a nice glass of Blanton’s whiskey, this might be a while.

Once the compile and tests are all done, install the new debs.

dpkg – i ldap-utils_2.4.21-0ubuntu4_i386.deb libldap-2.4-2_2.4.21-0ubuntu4_i386.deb slapd_2.4.21-0ubuntu4_i386.deb

→ 1 CommentTags: ······

Digest for 09/24/09

September 24th, 2009 · Uncategorized

→ No CommentsTags:

Digest for 09/21/09

September 21st, 2009 · Uncategorized

→ No CommentsTags:

Digest for 09/18/09

September 18th, 2009 · Uncategorized

→ No CommentsTags:

Digest for 09/14/09

September 14th, 2009 · Uncategorized

→ No CommentsTags:

biosinfo_linux (Xen and the art of going crazy)

March 17th, 2009 · Uncategorized

Back in January I got a new HPC system for all my Xen guest. It is a pretty sweet box.

2 TB of disk, 8 cores, 16 GB of memory

I installed RHEL 5.2 with the Virtualization packaged.

So dom0 is running a few things, like IBM Director 6.1, DNS/DHCP, OpenVPN, and an Apache server.

I have a few domU guests for various projects/people. I normally only have 2 booted at a given time.

Well I noticed that the machine was at nearly 100% CPU. Looking at the domU’s top information, I saw that there was a number of processes that looked like the following:

root 464 368 7 10:53 ? 00:24:10 /tmp/BIOS1236869588427/biosinfo_linux

root 876 778 7 12:01 ? 00:18:34 /tmp/BIOS1236873707992/biosinfo_linux

30 or 40 of those per guest. Google returned nothing about this process. The binary did not exist.

I started shutting down services to find out who was spawning this thing. I assumed from the name, that it was trying to get info about the bios. (Strange, there isn’t a real one under Xen)

I contacted the COSI Gang to see of they had seen anything like it. They had not.

Today when I came in, I ran find on the dom0 and sure enough there was a biosinfo_linux on it.

/opt/ibm/director/agent/runtime/agent/subagents/eclipse/plugins/com.ibm.sysmgmt.uim.provider.cit.sw_1.0.0/bin/biosinfo_linux

Director pushes this out and tries to get information even though there is no agent on the guest.

It took me 3 months to figure this out. So if anyone out there finds the same problem, I am working with the IBM Director team to get it fixed.

→ No CommentsTags:

Information overload

February 16th, 2009 · tech

I have been dealing with the Internet for so many years, it has become boring. I have beaten the Internet. The end guy was pretty hard.

I was reading an interview the other day located at this fine url.

This was an interview of Clay Shirky. I find Clay’s view on the current state of social entanglement fascinating. In this interview one of the topics that came up was that of information overload. I feel this every single day. There is so much. For instance, I am currently preparing a set of presentations for the mainframe based conference SHARE. I have three sessions. One I have done before, called Comparing and Contrasting Virtualization technologies. The other two are new. SOA Security, which I got tricked into doing, already has the presentation done. I am also putting together a session that deals with running the IBM HTTP Server which is based on Apache on z/OS and how that compares to the older DWG/IHS/ICSS HTTP server that IBM has shipped with z/OS since 1995.

For each of those topics, I have found about 10 billion pieces of work. There is just so much information out there. Like I stated before, I have beaten the Internet. I used my skills as a professional web user to cull this information. I need to vet certain things.

I needed to filter.

And that is what Clay hinted at in this interview. There is now information overload, there is filter failure. He spoke of Library of Alexandria and said that pretty much since the, when there was more information than any person could ingest in a life time in once place, information overload was created.

I have my ways of filtering things. Google Reader is a big one. When I am searching for something in particular, I tend to use Google’s image search or something like “site:share.org ext:ppt Apache” on Google to fine presentations of Apache on the SHARE site.

By the time I got to the end of the interview I had already reached for my copy of “Here Comes Everyone”, Clay’s latest book. I read this on a plane to France last October. It started out really interesting, and the interview made me recall some of the tidbits hidden between those pages. The information filtering topic kinda fits in with this expansion of the social web. We are seeing vast amounts of data being thrown up to that series of tubes in the sky and there are just tremendous results. Sites like Flickr, Delicious, and Reddit are giving everyone the ability to quickly, personally, and publicly categorize seemingly random data. We can tag pictures, people and places. Everyone makes everything more accessible. And now with Facebook, Myspace and what ever the next big friend site we can share this information to a network of friends and friends of friends.

For example, finding music I might like used to involved a lot of failed attempts. I used to have to stay up really late to watch Subterranean on MTV. Now I have Last.fm. I have collected a ton of information about the music I like and don’t like just by passively listening to music. Last.fm takes this information and similar information about what your friends listen to and makes suggestions.

I feel that the social web, or semantic web or Web 2.0 or whatever people are calling it is about context. Building a context that is important you each person. This massive amount of unfiltered Internet needs to have context wrapped around it. We are still trying to figure out what we are doing with it. The web is still building itself. We are adding context. Things like locations aware applications on the iPhone and Android are bridging the gap between the real world and the virtual world while at the same time giving new context to information that is already out there.

The last thing I want to touch on about this interview was the act of unlearning. Clay talks to this point at the end of the interview and it is something that I have never really thought about before. I still call people. My friends 16 year old daughter rarely talks on the phone. Now I send text messages just like the rest of the twenty somethings with a cell phone. (Unlike Dr. Eli MD who lives in the dark ages with a land line.) I just don’t use text messages and the wall on Facebook as my primary mode of communication. I feel that like my parents have to unlearn the Dewey decimal system, I may have to unlearn talking to people on the phone. At the same token, I do all my banking on the the Internet. I pay my rent by a monthly scheduled account to account transfer. My pay it direct deposited. My bills are paid online automatically. Mint manages my budget. My Dad would have none of this. Not that he hates computers. He doesn’t go to a travel agent to book flights. But he would not dare trust a computer, or the Internet, with his financial data. That is something he might have to unlearn.

I leave you folks with this video: Institutions vs. collaboration

→ No CommentsTags:

Replacing an old xbox

December 27th, 2008 · tech

As many of you know, I have a first generation xbox as my main media box. I have Avalaunch and Xbox Media Center installed on it. It is getting pretty old and I want to upgraded it. I can’t play anything HD on my 47 inch plasma TV and that bothers me.

I want to upgrade to something that will play movie files from either a CIFS share. I don’t really want the thing to have a local hard drive, and if it does, I would like it to be solid state. Like a SD card or something similar. I don’t want to build it myself, mostly cause I am lazy and don’t want to have to fiddle with it.

I was thinking about canceling my cable, so I don’t really care about DVR/PVR.

I was looking at the Roku but I don’t know anyone out there that has played with one. Also, I don’t currently have netflix.

Any body have any ideas for me ?

→ 2 CommentsTags:

Pidgin key bindings for emoticon

November 4th, 2008 · tech

A long time ago, when I was but a wee lad, I used a program called GAIM. It was good enough for me. One of my favorite features was hitting 1 for a smiley. Some time ago they took that out.

To get it back, create a file in your ~/.purple directory called gtkrc-2.0

I put in the following:

binding “my-bindings”

{

bind “1″ { “insert-at-cursor” (”:-)”) }

bind “2″ { “insert-at-cursor” (”:-(”) }

bind “3″ { “insert-at-cursor” (”;-)”) }

bind “4″ { “insert-at-cursor” (”:-P”) }

bind “5″ { “insert-at-cursor” (”=-O”) }

bind “6″ { “insert-at-cursor” (”:-*”) }

bind “7″ { “insert-at-cursor” (”>:o”) }

bind “8″ { “insert-at-cursor” (”8-)”) }

}

widget “*pidgin_conv_entry” binding “my-bindings”

→ 1 CommentTags:

I watch a lot of movies

October 27th, 2008 · Uncategorized

It almost Halloween. Which means lots of really bad horror movies.

I watched ( all or part of )the following this weekend:

Night of the Living Dead

Halloween

Halloween 2

Halloween 4

Halloween 5

Halloween 6

Salem’s Lot ( the one with Rob Lowe )

Carrie

Christine

A Nightmare on Elm Street

28 days later

American Werewolf in London

Constantine

Pet Sematary

Notice Halloween 3 wasn’t on there. Cause that one was junk. What is a Halloween movie with out Michael Myers ?

→ No CommentsTags: