Greg

May 162013
 

I recently ran into an issue configuring HTTP Basic authentication against Active Directory using Apache httpd.  What was happening was that I’d get a 500 Internal Server Error page every time I hit a location that required Basic authentication.  There wasn’t anything useful in the logs, and I started playing around with the configuration (which, I must point out, was correct in a way).  After about two hours of trial I finally figured out the problem — there appears to be some sort of bug either in the OpenLDAP libraries, Apache httpd, or Active Directory itself, when Apache was trying to connect to AD via LDAP.  I found this only appeared when I had my search base configured to be the top-level DN of my Active Directory.  Changing the search base to an OU lower also resolved the problem, but I couldn’t do that because I have users across several OU’s off the top of the DIT.  The solution I came up with was to connect to port 3268, the Global Catalog, rather than the normal port of 389.

Here’s my mod_authnz_ldap configuration settings:

Hope that helps!

Mar 262013
 
p1010249

I recently found an old Dunlop Crybaby Wah pedal that I’d had lying around for the past 20 years.  The thing was in horrible shape and I had forgotten I even had it, let alone used it.  Since I didn’t really have anything to lose by doing so, I ended up deciding that this might make a good project pedal to modify.  That being the case, I decided to go ahead and do the true bypass mod, which eliminates the “tonesucking” that takes place without it (high end frequencies bleed off passing through the pedal), and to add an LED indicator light as the first modification.  Here’s the story of how I did it.

Continue reading »

Feb 022013
 

A new version of AuthLDAP has been released and is ready for consumption.  I’ve put in some more error checking and tried to fix some of the bugs around the group membership checking for users.  I’ve also done some major reworking of the configuration options in order to hopefully allow for better interoperability between directories and to add options that can help with search optimization in some cases.

This has been tested against Active Directory, OpenLDAP, and SunOne Directory Server.  You can download the new library from it’s project page.  I hope you find it useful!

Aug 302012
 

Lately I’ve been spending a lot of time trying to get a useful combination of LDAP + SSL + Kerberos working on various Unix systems (Linux, Solaris, and AIX specifically).  I’ve had excellent results with Kerberos + LDAP and SSL + LDAP, but combining all three on my CentOS and RHEL systems had me running repeatedly into this error:

I first saw this when I configured my systems to authenticate against Active Directory with SSSD and then I started noticing it with the OpenLDAP clients (ldapadd, ldapmodify, et al) when I began doing more and more work using SASL/GSSAPI authentication. Continue reading »

Jul 182012
 

It’s been a while since I left you with my last pearl of wisdom.  A couple months ago, I presented a couple methods for authenticating to Active Directory using winbind and for authenticating using the LDAP interface.  In more recent versions of CentOS and RHEL, there is a new method for retriving user information and authenticating – SSS, the System Security Service, which runs as sssd.  SSS was devised by Red Hat as a replacement for the various nss and PAM modules and it seems like they did a halfway decent job with it.

SSS acts as a replacement for the various PADL, Samba winbind, and other ldap and AD based pam and nss modules.  In addition to consolidating several nss and authentication types, there are a couple other advantages, including one unified configuration file and offline authentication, as well as access control.

Continue reading »

Mar 242012
 

I’ve posted some new packages for php 5.4 in the TechRockDo yum repository.  I originally had uploaded some under the php package name.  To avoid confusion with doing an update from 5.3 straight to 5.4, I’ve since renamed them as php54.  The original packages can be found under the deprecated tree of the repository.

Repoview packages for the various RHEL versions and architectures are listed below:

If you want to install and use these packages, just run

Feb 222012
 

I’ve built and uploaded several new packages and uploaded them to the TechRockDo Yum Repository.    In case you missed the previous post, you can use the TechRockDo Yum Repository by issuing the following command (use the correct one based on your version of RHEL/Cent and your system architecture):

or

The following packages have been added: Continue reading »

Jan 182012
 

The TechRockDo yum repository has been created as a place to hold all rpm’s that I roll and use.  I’m making them available to the public; I hope you find everything you find here useful.  For now, only CentOS and RHEL 6 are supported.  There are channels for both 32- and 64-bit architectures.  To use the repository, just install the trd-release package for your architecture:

This will install the yum repository definition and the GPG key.  After that, you’ll be able to use the repository just like any other.

Enjoy!

Dec 302011
 

A while back, I described a method for authenticating CentOS and RHEL servers to Active Directory using LDAP.  While this approach is easy to set up and works right out of the gate, there are a few drawbacks to it that I’ve run across:

  • Changing passwords from the Linux server does not work unless you set up LDAP over TLS/SSL, which I’ve found very difficult (though not impossible!) to accomplish
  • While changing the passwords does work, it can be very user unfriendly.  In particular error messages given are very cryptic to the lay user.  Unless you are in IT, you’re not going to know or care about the LDAP error codes that are reported back, nor are you going to want to research what the appropriate character classes are for the AD passwords so that you can choose from at least three of them appropriately.

In this article, I’ll describe how to use winbind to join your Linux server to a Microsoft Active Directory and become a domain member.

Continue reading »

Dec 052011
 
VMware Fusion Logo

Recently, I wanted to use the built-in iSight on my Mac under my Windows 7 virtual machine that I run under VMware Fusion.  I figured that the VMware Tools would have installed drivers for it, but this is not the case.  Under normal circumstances, you’d need to run Boot Camp Assistant located under /Applications/Utilities and have it download the drivers and burn them to a CD for you.  For some reason, this wasn’t working in my set up as Boot Camp Utility kept giving me an error that it couldn’t modify my disk’s partitions to work with Boot Camp properly.  That’s great, but I didn’t really want it to do anything with my partitions anyways since I’m just planning on installing the drivers and not building a separate Boot Camp install of Windows.   Continue reading »