Thursday, October 30, 2008

PyUNO broken in OOo 3.0 with system-python

The issue was reported at here. And the solution is also there. I had to add the following lines to the beginning of the scripts and that come with KnowledgeTree to make them work with 3.0 of Mandriva 2009.0:

import os

Otherwise both scripts will throw out the following error:
AttributeError: loadComponentFromURL

Saturday, October 25, 2008

LILO with /boot on a Raid 1 mirror

  • I ran mcc in Mandriva 2009.0 and selected /dev/md0 as the Boot Device. The lilo.conf generated is shown below:

#disk=/dev/sdb bios=0x80

  • To migrate a OS partition from a non-raid drive to a raid volume, one must reinstall lilo after the partition was cloned. And that has to be done after chroot: (assuming the new raid volume is mounted in /mnt/newsys)
    chroot /mnt/newsys
    mount /proc
    lilo -H

    Otherwise lilo will fail to boot.
Lilo.conf man page

Thursday, October 23, 2008

Mod_authnz_ldap cause Apache2 to dump core

I installed mod_authnz_ldap on Mandriva 2009.0 with urpmi apache-mod_ldap and only got httpd to dump core every time I tried to authenticate with openldap server. Later I found urpmi didn't install a required library apr-util-dbd-ldap when it installed apache-mod_ldap. So the fix is to run urpmi apr-util-dbd-ldap.

I had the following settings in /etc/httpd/modules.d/47_mod_authnz_ldap.conf:

AuthType basic
AuthName "Restricted area"
AuthBasicProvider ldap
AuthLDAPBindDN "uid=ldap,dc=example,dc=com"
AuthLDAPBindPassword secret
AuthLDAPURL "ldap://server/ou=people,dc=example,dc=com?uid?one"
Require valid-user

Tuesday, October 14, 2008

dotproject default user role for LDAP

Default user role can be changed in file classes/authenticator.class.php
LDAP users are created in function createsqluser the first time they log in. So the line to modify is
$acl->insertUserRole($acl->get_group_id('anon'), $this->user_id);
update it to
$acl->insertUserRole($acl->get_group_id('normal'), $this->user_id);

Thursday, October 9, 2008

Apache serve Subversion with LDAP authentication

Apache2 modules apache-mod_dav and apache-mod_dav_svn are required to serve Subversion by httpd. I also installed apache-mod_ldap as well as apr-util-dbd-ldap to authenticate against a openldap server.

DAV svn
SVNParentPath /home/apps/svnrepo
SVNListParentPath on
Order deny,allow
Deny from all
allow from 192.168.
AuthType basic
AuthName "Restricted area"
AuthBasicProvider ldap
AuthLDAPBindDN "uid=ldap,dc=example,dc=com"
AuthLDAPBindPassword secret
AuthLDAPURL "ldap://server/ou=people,dc=example,dc=com?uid?one"
Require valid-user

Using ldapi://

OpenLDAP needs to be configured to accept conections via ldapi://, a local unix socket. This is done in the /etc/sysconfig/ldap file. Change the SLAPD URL list to the following:

# SLAPD URL list
SLAPDURLLIST="ldap:/// ldaps:/// ldapi:///"

OpenLDAP will need to be restarted, of course.

A great reference on cyrus SASL and LDAP

Thursday, October 2, 2008

Enable UNC file link access in Firefox

Close firefox, add the following lines to Program files/Mozilla Firefox/defaults/pref/firefox.js and restart Firefox
pref("capability.policy.policynames", "localfilelinks");
pref("capability.policy.localfilelinks.sites", "");
pref("capability.policy.localfilelinks.checkloaduri.enabled", "allAccess");

Click here for more information.

Wednesday, October 1, 2008

Samba 3 user authentication against OpenLDAP server

Samba 3 daemon is running on the same host as the LDAP server (openldap 2.4) and only the following settings related to LDAP are added into /etc/samba/smb.conf:

passdb backend = ldapsam:ldap://
#Specifies the base for all ldap suffixes and for storing the sambaDomain object
ldap suffix = dc=examples,dc=com

ldap ssl = off
ldap user suffix = ou=People
ldap group suffix = ou=Group
ldap machine suffix = ou=Hosts
ldap delete dn = no
ldap admin dn = cn=manager,dc=examples,dc=com
# You will need to give samba the password for this dn, by
# running 'smbpasswd -w mypassword'

Then run testparm to make sure the smb.conf file is OK. New Samba users can be added to the LDAP directory by running the command "pdbedit -a -u username" if username exists in the system (e.g. /etc/passwd). Otherwise run "useradd username" first.

At the LDAP server, there's an entry sambaDomainName=XXX,dc=examples,dc=com created by pdbedit. Note XXX must be the netbios name of the Samba server. It has an attribute sambaSID=S-YYY which is required. The Samba user entry created by pdbedit has the following attributes:

objectClass: sambaSamAccount
sambaAcctFlags: [U ]
sambaLMPassword: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
sambaNTPassword: yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
sambaPwdLastSet: 1222817828

Note the sambaPwdLastSet attritube is required for the windows client to authenticate properly. Otherwise net use would report the following error:

System error 1907 has occurred.
The user's password must be changed before logging on the first time.

If the pwdInHistory attribute of the Password policy under cn=default,ou=password policies is set and a user is trying to change his password to one stored in history in windows, he'll receive an error message like the following:
Your password must be at least x characters; cannot repeat any of your previous x passwords; must contain capitals, numerals or punctuation; and cannot contain your account or full name. Please type a different password. Type a password which meets these requirements in both text boxes.

The required attributes can be easily added to all the user account entries with the perl module Net::LDAP

Close unwanted SAMBA or NTLM sessions in Windows

As an administrator, type in CMD
  1. net stop WORKSTATION then Y then N.

  2. net use /persistent:no
    net use * /delete /yes

Any of the methods above will close all remote connections this computer made as client. Then type the in CMD
net use \\Server\share * /user:username