buzzco.org

Drunk and Famous

What?

July 8th, 2013 · Personal

I totally forgot I had this blog. Perhaps it's time to start posting again.
Here is a photo of my dog Izzy.

[photo: Izzy]

And her big brother Lando.

[photo: Lando]


Ubuntu OpenLDAP SSL

April 27th, 2010 · tech

The setup:
I have an Ubuntu Karmic (9.10) machine hosting an Apache web server. Being security minded, I set up SSL to protect user logins, and that works fine. Authentication is against an external IBM Tivoli Directory Server (ITDS). It is an LDAP server, so everything works out of the box. That is, until I tried LDAPS. When you log in to Apache, the LDAP auth module looks up your entry and then binds to the directory with the password you typed. If that bind goes over plain ldap:// instead of LDAPS, the password crosses the network in clear text. That is a big no-no.

Here is my rough config:

# CA that issued the directory server's certificate. CA_DER expects a binary
# DER file; a .pem file is Base64 and must be loaded as CA_BASE64 instead.
LDAPTrustedGlobalCert CA_DER /etc/ssl/example.com.pem
<VirtualHost *:443>
    ServerName wingfont
    AddDefaultCharset utf-8
    SSLEngine on
    SSLOptions +StrictRequire
    SSLCertificateFile /etc/ssl/certs/wingfont.crt
    SSLCertificateKeyFile /etc/ssl/private/wingfont.key
    ErrorLog /var/log/apache2/error.log
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel debug
    CustomLog /var/log/apache2/access.log combined
    # LDAPTrustedClientCert is a client certificate Apache presents to the
    # LDAP server. It is not needed to verify the server, and pointing it at
    # the CA file is wrong; drop it unless the directory demands client certs.
    LDAPTrustedClientCert CERT_BASE64 /etc/ssl/example.com.pem
    <Location /svn>
        DAV svn
        SVNPath /srv/svn/wwptsng
        AuthBasicProvider ldap
        AuthType Basic
        AuthName "Example.com"
        AuthzLDAPAuthoritative on
        # Form: ldaps://host/basedn?attribute?scope?filter. The base DN must
        # start with an RDN, not with a comma.
        AuthLDAPURL ldaps://example.com/o=example.com?mail?sub?(objectClass=ePerson)
        require valid-user
    </Location>
</VirtualHost>

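The two mistakes worth catching in a config like the one above are a bind that goes out over plain ldap:// (the user's Basic-auth password then crosses the wire unencrypted) and a URL whose base DN cannot parse. This added example is not code from the original post; it is a small linter for exactly that. It parses AuthLDAPURL values in the RFC 4516 form Apache uses (scheme://host[:port]/basedn?attrs?scope?filter), honors the directive's optional NONE/SSL/TLS/STARTTLS argument and a global LDAPTrustedMode, flags CA_DER/CERT_DER types pointed at .pem files, and flags an LDAPTrustedClientCert aimed at the CA file. The sample config is constructed from the post's vhost; the second /projects Location that uses ldap:// is made up to give the linter something to catch.

```python
"""Lint Apache mod_authnz_ldap settings for cleartext binds and broken URLs.

Added example, not from the original post. SAMPLE_CONFIG is constructed: the
/svn block mirrors the post, the /projects block is invented.
"""
import re
from urllib.parse import unquote

SAMPLE_CONFIG = """\
LDAPTrustedGlobalCert CA_DER /etc/ssl/example.com.pem
<VirtualHost *:443>
  SSLEngine on
  LDAPTrustedClientCert CERT_BASE64 /etc/ssl/example.com.pem
  <Location /svn>
    AuthBasicProvider ldap
    AuthType Basic
    AuthLDAPURL ldaps://example.com/,o=example.com?mail?sub?(objectClass=ePerson)
    require valid-user
  </Location>
  <Location /projects>
    AuthBasicProvider ldap
    AuthType Basic
    AuthLDAPURL "ldap://example.com/o=example.com?mail?sub?(objectClass=ePerson)"
    require valid-user
  </Location>
</VirtualHost>
"""

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
# On-disk encoding each LDAPTrusted*Cert type keyword expects.
CERT_TYPE_ENCODING = {"CA_DER": "der", "CA_BASE64": "pem", "CERT_DER": "der",
                      "CERT_BASE64": "pem", "KEY_DER": "der", "KEY_BASE64": "pem"}
_URL_RE = re.compile(r"(ldaps?)://([^/]*)(?:/(.*))?", re.S)
_RDN_RE = re.compile(r"(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+)=.*", re.S)
_DIRECTIVE_RE = re.compile(r"\s*(\w+)\s+(.*?)\s*$")
_DN_SPLIT_RE = re.compile(r"(?<!\\),")          # commas escaped as \, stay inside an RDN


def parse_ldap_url(url):
    """Split an RFC 4516 LDAP URL into its parts (IPv6 literals not handled)."""
    m = _URL_RE.fullmatch(url)
    if not m:
        raise ValueError("not an ldap:// or ldaps:// URL: %r" % url)
    scheme, hostport, rest = m.group(1), m.group(2), m.group(3) or ""
    host, _, port = hostport.partition(":")
    # Path is basedn?attrs?scope?filter?extensions; every field is optional.
    base_dn, attrs, scope, filt, _ext = (rest.split("?") + [""] * 5)[:5]
    return {
        "scheme": scheme,
        "host": host,
        "port": int(port) if port else DEFAULT_PORTS[scheme],
        "base_dn": unquote(base_dn),
        "attrs": [a for a in attrs.split(",") if a],
        # RFC 4516 defaults to "base"; mod_authnz_ldap treats missing/base as "sub".
        "scope": scope or "sub",
        "filter": unquote(filt) or "(objectClass=*)",
    }


def dn_problems(dn):
    """Return defects in a DN: empty RDNs (stray commas) or RDNs that are not attr=value."""
    problems = []
    if dn == "":                    # an empty base DN is legal (search from the root)
        return problems
    for i, rdn in enumerate(_DN_SPLIT_RE.split(dn)):
        rdn = rdn.strip()
        if rdn == "":
            problems.append("RDN %d is empty (stray comma)" % i)
        elif not _RDN_RE.fullmatch(rdn):
            problems.append("RDN %d is not attr=value: %r" % (i, rdn))
    return problems


def _args(text):
    """Split directive arguments like httpd: whitespace-separated, double quotes group."""
    return [a.strip('"') for a in re.findall(r'"[^"]*"|\S+', text)]


def lint_config(text):
    """Return (line_number, severity, message) findings for an httpd config text."""
    findings = []
    global_mode = "NONE"            # LDAPTrustedMode default
    ca_paths = set()
    for n, raw in enumerate(text.splitlines(), 1):
        m = _DIRECTIVE_RE.fullmatch(raw.split("#", 1)[0])
        if not m:
            continue
        key, args = m.group(1).lower(), _args(m.group(2))
        if key == "ldaptrustedmode" and args:
            global_mode = args[0].upper()
        elif key in ("ldaptrustedglobalcert", "ldaptrustedclientcert") and len(args) >= 2:
            ctype, path = args[0].upper(), args[1]
            want, ext = CERT_TYPE_ENCODING.get(ctype), path.rsplit(".", 1)[-1].lower()
            # Extension heuristic only; the real test is the file's contents.
            if (want, ext) in (("der", "pem"), ("pem", "der")):
                fix = ctype.replace("DER", "BASE64") if want == "der" else ctype.replace("BASE64", "DER")
                findings.append((n, "warning", "%s given a .%s file; use %s" % (ctype, ext, fix)))
            if ctype.startswith("CA_"):
                ca_paths.add(path)
            elif path in ca_paths:
                findings.append((n, "warning", "LDAPTrustedClientCert points at the CA file; "
                                 "it is for a client certificate, not for verifying the server"))
        elif key == "authldapurl" and args:
            try:
                u = parse_ldap_url(args[0])
            except ValueError as e:
                findings.append((n, "error", str(e)))
                continue
            # ldaps:// is always TLS; ldap:// is cleartext unless the directive's own
            # mode argument (SSL/TLS/STARTTLS) or a global LDAPTrustedMode upgrades it.
            mode = args[1].upper() if len(args) > 1 else ("SSL" if u["scheme"] == "ldaps" else global_mode)
            if mode == "NONE":
                findings.append((n, "error", "ldap://%s:%d is cleartext: the Basic-auth password is "
                                 "sent to the directory unencrypted; use ldaps:// or STARTTLS"
                                 % (u["host"], u["port"])))
            for p in dn_problems(u["base_dn"]):
                clean = ",".join(r for r in _DN_SPLIT_RE.split(u["base_dn"]) if r.strip())
                findings.append((n, "error", "base DN %r: %s (try %r)" % (u["base_dn"], p, clean)))
    return findings


if __name__ == "__main__":
    for line, sev, msg in lint_config(SAMPLE_CONFIG):
        print("line %d [%s] %s" % (line, sev, msg))
```

Run it against a real httpd.conf (or the output of apache2ctl -S) and treat every "error" as a must-fix before the vhost goes live; the "warning" lines are the ones that typically produce exactly the "peer cert untrusted" failure below, because the CA never actually gets loaded.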

The issue:

Apache's error log has this:

[Thu Apr 15 12:26:10 2010] [debug] ssl_engine_io.c(1892): OpenSSL: I/O error, 5 bytes expected to read on BIO#21604778 [mem: 216250c0]
[Thu Apr 15 12:26:10 2010] [info] [client 9.56.181.54] (70007)The timeout specified has expired: SSL input filter read failed.

So I tried to do a search with ldapsearch (-d -1 turns on full debug output; this is the GnuTLS-linked ldapsearch that ships with Ubuntu talking):

ldapsearch -x -H ldaps://host:636 -b "o=example.com" "(mail=mike@example.com)" -d -1

TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

The story:

Google was very little help, hence this blog post.

Way back in ancient times, Debian was king. Ubuntu is its step-child and has inherited lots of Debian's awesomeness. Debian folks will tell you that they adhere to open source licenses in the strictest sense of the word. OpenSSL (libssl) has a license that is not GPL-compatible, and libldap gets linked into plenty of GPL programs, so Debian and Ubuntu do not build it against OpenSSL; they use GnuTLS instead. Which is fine, except that the GnuTLS build of libldap chokes on certain certificate chains: it rejects the directory server's certificate as untrusted where OpenSSL accepts the same chain. I have tested this against a number of ITDS servers and they all fail, and because Apache's mod_ldap goes through the same libldap, the web server fails the same way.

The fix:

Rebuild the OpenLDAP client packages against OpenSSL instead of GnuTLS. Before going that far, confirm you are really hitting the library difference and not just a missing CA: dump the chain the directory server actually sends with openssl s_client (-connect host:636 -showcerts) and point ldapsearch at the CA file via the LDAPTLS_CACERT environment variable. If OpenSSL verifies the chain and the GnuTLS-linked ldapsearch still reports the certificate untrusted, the rebuild is what you need. Do not "fix" it with TLS_REQCERT never; that turns LDAPS into an unauthenticated tunnel that any man-in-the-middle can terminate.

sudo apt-get install build-essential fakeroot dpkg-dev
sudo apt-get build-dep libldap-2.4-2
mkdir ~/libldap
cd ~/libldap

# Fetch and unpack the source as a normal user; root is not needed here.
# apt-get source already unpacks, so a separate dpkg-source -x is only
# needed if you fetched just the .dsc.
apt-get source libldap-2.4-2

cd openldap-2.4.21/

# Switch the TLS backend in the package's configure options.
cp debian/configure.options debian/configure.options.orig
sed 's/tls=gnutls/tls=openssl/g' debian/configure.options.orig > debian/configure.options

# Build the binary packages. The sed edit above is what switches the backend;
# DEB_BUILD_OPTIONS does not understand --with-tls, so leave it out.
fakeroot debian/rules binary

Go grab a nice glass of Blanton's whiskey, this might be a while.

Once the compile and tests are done, install the new debs (leave slapd out if you do not run a local directory). Then hold the packages (dpkg --set-selections) so the next apt upgrade does not quietly put the GnuTLS build back, restart Apache, and remember that from now on security updates for libldap are yours to rebuild.

sudo dpkg -i ldap-utils_2.4.21-0ubuntu4_i386.deb libldap-2.4-2_2.4.21-0ubuntu4_i386.deb slapd_2.4.21-0ubuntu4_i386.deb


biosinfo_linux (Xen and the art of going crazy)

March 17th, 2009 · Uncategorized

Back in January I got a new HPC system for all my Xen guests. It is a pretty sweet box.

2 TB of disk, 8 cores, 16 GB of memory

I installed RHEL 5.2 with the Virtualization package.

So dom0 is running a few things, like IBM Director 6.1, DNS/DHCP, OpenVPN, and an Apache server.

I have a few domU guests for various projects/people. I normally only have two booted at a given time.

Well, I noticed that the machine was at nearly 100% CPU. Looking at top inside the domUs, I saw a number of processes that looked like the following:

root 464 368 7 10:53 ? 00:24:10 /tmp/BIOS1236869588427/biosinfo_linux

root 876 778 7 12:01 ? 00:18:34 /tmp/BIOS1236873707992/biosinfo_linux

30 or 40 of those per guest. Google returned nothing about this process. The binary did not exist.

I started shutting down services to find out what was spawning this thing. From the name, I assumed it was trying to get information about the BIOS (strange, since there isn't a real one under Xen).

I contacted the COSI gang to see if they had seen anything like it. They had not.

Today when I came in, I ran find on dom0 and, sure enough, there was a biosinfo_linux on it:

/opt/ibm/director/agent/runtime/agent/subagents/eclipse/plugins/com.ibm.sysmgmt.uim.provider.cit.sw_1.0.0/bin/biosinfo_linux

Director pushes this out to the guests and tries to get information from them even though there is no agent on the guest.

It took me three months to figure this out. So if anyone out there finds the same problem: I am working with the IBM Director team to get it fixed.
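The triage that would have shortcut the three months: list what is running out of world-writable scratch directories, how much CPU it has burned and who its parents are. This added example is not from the original post. It parses ps -ef output (the two biosinfo_linux rows are the ones quoted above; the other rows are constructed filler), groups anything executing from /tmp, /var/tmp or /dev/shm by binary name, and decodes the 13-digit suffix of the BIOS* directory name as a millisecond Unix timestamp. That decoding is an inference, not something the post states: 1236869588427 gives 2009-03-12 14:53:08 UTC, which is 10:53 EDT and matches that row's STIME column, the pattern a Java-style currentTimeMillis() temp directory would leave.

```python
"""Triage a `ps -ef` listing for processes executing out of scratch directories.

Added example, not from the original post. SAMPLE_PS is constructed: the two
biosinfo_linux rows are the ones quoted in the post, the rest are filler.
"""
import re
from datetime import datetime, timezone

SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

SAMPLE_PS = """\
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 Mar01 ?        00:00:02 init [3]
root       464   368  7 10:53 ?        00:24:10 /tmp/BIOS1236869588427/biosinfo_linux
root       876   778  7 12:01 ?        00:18:34 /tmp/BIOS1236873707992/biosinfo_linux
root      2217     1  0 Mar01 ?        00:00:00 /usr/sbin/sshd
ntp       2302     1  0 Mar01 ?        00:00:01 ntpd -u ntp:ntp -p /var/run/ntpd.pid
"""


def parse_time(field):
    """Convert a ps TIME field ([D-]HH:MM:SS) to seconds."""
    days, _, clock = field.rpartition("-")
    h, m, s = (int(x) for x in clock.split(":"))
    return (int(days) if days else 0) * 86400 + h * 3600 + m * 60 + s


def parse_ps(text):
    """Parse `ps -ef` output into dicts; skips the header and malformed rows."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 7)          # CMD keeps its own spaces
        if len(parts) < 8 or parts[0] == "UID":
            continue
        uid, pid, ppid, _c, stime, _tty, time_, cmd = parts
        rows.append({"uid": uid, "pid": int(pid), "ppid": int(ppid), "stime": stime,
                     "cpu_seconds": parse_time(time_), "cmd": cmd,
                     "exe": cmd.split()[0]})
    return rows


def flag_scratch_execs(rows):
    """Group processes whose executable lives in a scratch dir, keyed by basename."""
    summary = {}
    for r in rows:
        if not r["exe"].startswith(SCRATCH_DIRS):
            continue
        entry = summary.setdefault(r["exe"].rsplit("/", 1)[-1],
                                   {"count": 0, "cpu_seconds": 0, "ppids": set(), "paths": set()})
        entry["count"] += 1
        entry["cpu_seconds"] += r["cpu_seconds"]
        entry["ppids"].add(r["ppid"])        # distinct parents => who keeps spawning it
        entry["paths"].add(r["exe"])
    return summary


def decode_ms_timestamp(name):
    """Read a trailing 13-digit run as milliseconds since the epoch (UTC), or None."""
    m = re.search(r"(\d{13})$", name)
    if not m:
        return None
    ms = int(m.group(1))
    return datetime.fromtimestamp(ms // 1000, tz=timezone.utc).replace(microsecond=(ms % 1000) * 1000)


if __name__ == "__main__":
    for exe, info in flag_scratch_execs(parse_ps(SAMPLE_PS)).items():
        print(exe, info["count"], "procs,", info["cpu_seconds"], "s CPU, parents", sorted(info["ppids"]))
        for path in sorted(info["paths"]):
            print("  ", path, "dir name decodes to", decode_ms_timestamp(path.split("/")[-2]))
```

On a live box feed it `ps -ef` from a guest and then chase the parent PIDs it reports; on the guests above that chain is what leads back to the Director push from dom0.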


Information overload

February 16th, 2009 · tech

I have been dealing with the Internet for so many years that it has become boring. I have beaten the Internet. The end guy was pretty hard.

I was reading an interview the other day located at this fine URL.

This was an interview with Clay Shirky. I find Clay's view on the current state of social entanglement fascinating. One of the topics that came up in this interview was information overload. I feel this every single day. There is so much. For instance, I am currently preparing a set of presentations for the mainframe-based conference SHARE. I have three sessions. One I have done before, called Comparing and Contrasting Virtualization Technologies. The other two are new. SOA Security, which I got tricked into doing, already has its presentation done. I am also putting together a session that deals with running the IBM HTTP Server, which is based on Apache, on z/OS and how that compares to the older DWG/IHS/ICSS HTTP server that IBM has shipped with z/OS since 1995.

For each of those topics I have found about 10 billion pieces of work. There is just so much information out there. Like I stated before, I have beaten the Internet. I used my skills as a professional web user to cull this information. I needed to vet certain things.

I needed to filter.

And that is what Clay hinted at in this interview. It is not information overload, it is filter failure. He spoke of the Library of Alexandria and said that pretty much since then, when there was more information in one place than any person could ingest in a lifetime, information overload has existed.

I have my ways of filtering things. Google Reader is a big one. When I am searching for something in particular, I tend to use Google's image search or something like "site:share.org ext:ppt Apache" on Google to find presentations about Apache on the SHARE site.

By the time I got to the end of the interview I had already reached for my copy of "Here Comes Everybody", Clay's latest book. I read it on a plane to France last October. It started out really interesting, and the interview made me recall some of the tidbits hidden between those pages. The information filtering topic kind of fits in with this expansion of the social web. We are seeing vast amounts of data being thrown up to that series of tubes in the sky, and there are tremendous results. Sites like Flickr, Delicious, and Reddit give everyone the ability to quickly, personally, and publicly categorize seemingly random data. We can tag pictures, people and places. Everyone makes everything more accessible. And now with Facebook, MySpace and whatever the next big friend site is, we can share this information with a network of friends and friends of friends.

For example, finding music I might like used to involve a lot of failed attempts. I used to have to stay up really late to watch Subterranean on MTV. Now I have Last.fm. I have collected a ton of information about the music I like and don't like just by passively listening to music. Last.fm takes this information, and similar information about what your friends listen to, and makes suggestions.

I feel that the social web, or semantic web, or Web 2.0, or whatever people are calling it, is about context: building a context that is important to each person. This massive amount of unfiltered Internet needs to have context wrapped around it. We are still trying to figure out what we are doing with it. The web is still building itself. We are adding context. Things like location-aware applications on the iPhone and Android are bridging the gap between the real world and the virtual world while at the same time giving new context to information that is already out there.

The last thing I want to touch on about this interview is the act of unlearning. Clay talks to this point at the end of the interview, and it is something I have never really thought about before. I still call people. My friend's 16-year-old daughter rarely talks on the phone. Now I send text messages just like the rest of the twenty-somethings with a cell phone. (Unlike Dr. Eli, MD, who lives in the dark ages with a land line.) I just don't use text messages and the wall on Facebook as my primary mode of communication. I feel that, like my parents have to unlearn the Dewey decimal system, I may have to unlearn talking to people on the phone. By the same token, I do all my banking on the Internet. I pay my rent by a monthly scheduled account-to-account transfer. My pay is direct deposited. My bills are paid online automatically. Mint manages my budget. My dad would have none of this. Not that he hates computers. He doesn't go to a travel agent to book flights. But he would not dare trust a computer, or the Internet, with his financial data. That is something he might have to unlearn.

I leave you folks with this video: Institutions vs. collaboration


Replacing an old xbox

December 27th, 2008 · tech

As many of you know, I have a first-generation Xbox as my main media box, with Avalaunch and Xbox Media Center installed on it. It is getting pretty old and I want to upgrade it. I can't play anything HD on my 47-inch plasma TV and that bothers me.

I want to upgrade to something that will play movie files from a CIFS share. I don't really want the thing to have a local hard drive, and if it does, I would like it to be solid state, like an SD card or something similar. I don't want to build it myself, mostly because I am lazy and don't want to have to fiddle with it.

I was thinking about canceling my cable, so I don't really care about DVR/PVR.

I was looking at the Roku, but I don't know anyone out there who has played with one. Also, I don't currently have Netflix.

Anybody have any ideas for me?


Pidgin key bindings for emoticon

November 4th, 2008 · tech

A long time ago, when I was but a wee lad, I used a program called GAIM. It was good enough for me. One of my favorite features was hitting 1 for a smiley. Some time ago they took that out.

To get it back, create a file called gtkrc-2.0 in your ~/.purple directory and put in the following:

# ~/.purple/gtkrc-2.0: GTK 2 key bindings for Pidgin's message entry.
# Each bind emits the entry's "insert-at-cursor" signal with the text to insert.
# Binding a bare "1" also swallows the digit key; use "<ctrl>1" and so on if
# you still need to type numbers in the entry.
binding "my-bindings"
{
  bind "1" { "insert-at-cursor" (":-)") }
  bind "2" { "insert-at-cursor" (":-(") }
  bind "3" { "insert-at-cursor" (";-)") }
  bind "4" { "insert-at-cursor" (":-P") }
  bind "5" { "insert-at-cursor" ("=-O") }
  bind "6" { "insert-at-cursor" (":-*") }
  bind "7" { "insert-at-cursor" (">:o") }
  bind "8" { "insert-at-cursor" ("8-)") }
}

# Attach the binding set to the conversation input widget.
widget "*pidgin_conv_entry" binding "my-bindings"


I watch a lot of movies

October 27th, 2008 · Uncategorized

It's almost Halloween, which means lots of really bad horror movies.

I watched (all or part of) the following this weekend:

  • Night of the Living Dead
  • Halloween
  • Halloween 2
  • Halloween 4
  • Halloween 5
  • Halloween 6
  • Salem's Lot (the one with Rob Lowe)
  • Carrie
  • Christine
  • A Nightmare on Elm Street
  • 28 Days Later
  • An American Werewolf in London
  • Constantine
  • Pet Sematary

Notice Halloween 3 isn't on there, because that one was junk. What is a Halloween movie without Michael Myers?


Alarm clock

October 27th, 2008 · Uncategorized

About 4 or 5 years ago I was in need of a new alarm clock. This was before the Target in the mall (in Poughkeepsie) opened, so I headed down to the Walmart.

For 20 dollars I got a pretty sweet alarm clock: two alarms, which I have set for weekday/weekend. And the best part? It sets the time from the radio time signal. I would never have to worry about resetting it after a power outage. Awesome, because I am pretty lazy.

That was, until 2007. See, this clock has "smarts." It knows when to reset itself for daylight saving time. (Don't get me started on how much I hate DST.) When the US Congress decided that, instead of fixing real problems, they would screw with time, they changed when DST starts and stops (the Energy Policy Act of 2005, in effect from 2007). No one told my alarm clock.

I woke up this morning, like every morning, when the alarm clock went off at 5:45. I walked the dog. I made the dog breakfast. I finished up my laundry. I showered, dressed and woke up my special lady friend. I had to give her a ride home and then head to work. Then I noticed the clock on my cable box: 8:30. The alarm clock said 7:30. Confused, I rushed to my cell phone: 8:30. Her cell phone: 8:30. Damn. Thinking that maybe, just maybe, the cell towers were screwed up, I went to the car. 8:30.

My alarm clock thinks we still set the clocks back on the last Sunday of October, not the first Sunday of November, so between those two dates it runs an hour slow. I was an hour late to work because of it.

Now my question is, who should I be mad at? Congress for changing DST, the manufacturer of my alarm clock, or myself?
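To put numbers on that, the following added example (not part of the original post) encodes both US rules: first Sunday of April to last Sunday of October before 2007, and second Sunday of March to first Sunday of November from 2007 on, per the Energy Policy Act of 2005. It computes the transition dates for a year and the days on which a clock that still carries the old table reads an hour behind real local time. Dates are compared at day granularity; the 02:00 switch hour itself is ignored.

```python
"""Old vs. new US daylight-saving rules, and when a clock with the old rule is wrong.

Added example, not from the original post.
"""
from datetime import date, timedelta

SUNDAY = 6   # date.weekday(): Monday == 0

# (start_month, start_n, end_month, end_n); n = 1 first Sunday, 2 second, -1 last.
RULES = {
    "pre2007": (4, 1, 10, -1),    # first Sunday in April .. last Sunday in October
    "post2007": (3, 2, 11, 1),    # second Sunday in March .. first Sunday in November
}


def nth_weekday(year, month, weekday, n):
    """n-th (1-based) weekday of a month; n == -1 means the last one."""
    if n > 0:
        d = date(year, month, 1)
        d += timedelta(days=(weekday - d.weekday()) % 7)
        return d + timedelta(weeks=n - 1)
    last = date(year + (month == 12), month % 12 + 1, 1) - timedelta(days=1)
    return last - timedelta(days=(last.weekday() - weekday) % 7)


def dst_window(year, rule):
    """(start, end) of daylight time for the year under the named rule; end is exclusive."""
    sm, sn, em, en = RULES[rule]
    return nth_weekday(year, sm, SUNDAY, sn), nth_weekday(year, em, SUNDAY, en)


def in_dst(d, rule):
    start, end = dst_window(d.year, rule)
    return start <= d < end


def clock_lag_hours(d, clock_rule="pre2007", real_rule="post2007"):
    """Hours the clock reads behind real local time on day d (0 when both rules agree)."""
    return int(in_dst(d, real_rule)) - int(in_dst(d, clock_rule))


def wrong_days(year, clock_rule="pre2007", real_rule="post2007"):
    """All dates in the year on which the clock is off by an hour."""
    d, out = date(year, 1, 1), []
    while d.year == year:
        if clock_lag_hours(d, clock_rule, real_rule):
            out.append(d)
        d += timedelta(days=1)
    return out


if __name__ == "__main__":
    print("2008 old rule:", dst_window(2008, "pre2007"))
    print("2008 new rule:", dst_window(2008, "post2007"))
    print("lag on 2008-10-27:", clock_lag_hours(date(2008, 10, 27)), "hour(s)")
    print("days wrong in 2008:", len(wrong_days(2008)))
```

For 2008 the old table falls back on October 26 and the new one on November 2, so a clock with the old table is an hour slow for that week and for the four weeks in March and April when the new rule springs forward first: 35 days a year.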


Off to France

September 13th, 2008 · Uncategorized

Well, it's that time of year again. I am heading to Montpellier, France for a week. I am giving a presentation at the IBM location there.

I am looking forward to being in Europe again.

Though I will miss my doggy. Lando has been getting bigger and bigger every day.


CentOS 4 SSL, Apache 2.0.52, LDAP

September 1st, 2008 · tech

I recently upgraded buzzco.org. It took a while, since I had some difficulty getting SSL to work.

I found two great online docs for doing some of the stuff I wanted to do with SSL:

  • http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html#4.1
  • http://tldp.org/HOWTO/SSL-RedHat-HOWTO-3.html

After reading through those I was all ready to set up my site.

The layout is not too difficult:

  • buzzco.org/ and buzzco.org/wordpress are my WordPress install (I am running 2.3.3)
  • buzzco.org/projects is my Trac (bug reporting and wiki)
  • buzzco.org/svn is my Subversion server

I wanted projects and svn to be authenticated through Apache's LDAP authentication (mod_auth_ldap on 2.0, backed by mod_ldap). That uses Basic auth, which sends the password base64-encoded but otherwise in the clear, so I also wanted SSL so passwords would not cross the Internet in plaintext.

First step was to generate my SSL certificates. I did not want to use a self-signed cert: browsers do not trust one, so every visitor gets a warning and learns to click through it, which defeats the point. I considered running my own CA, but that has the same problem for anyone who has not imported it. I don't have the cash to get a cert signed by a big commercial CA such as VeriSign. Then I found StartSSL. Perfect: free, and trusted by Firefox out of the box. They have documentation for setting up the keys and certificates with Apache.

Now I have SSL for a year. Yay.
