subversion on WebDAV with Active Directory authorization on SLES10
Posted on June 29th, 2008 by Christian in Life
Okay, so I ended up toying with subversion via WebDAV on SLES today (I know, I know .. it’s bloody Sunday). It wasn’t much of a hassle though, after reading this. Sure, I made a few errors at first (simply confused the logic behind “Location” and “Directory”), but after that plain subversion commits via WebDAV (thus utilizing apache) worked fine.
For POC or as a hint to myself, here’s where and what I needed to add/change:
Add the following modules to APACHE_MODULES in /etc/sysconfig/apache2:
- dav_svn (dav_svn needs dav, thus the need to add it too)
- dav
- authnz_ldap (authnz_ldap needs ldap, so again we need that too!)
- ldap
After that, we can add our repository (or our multi-repository folder) to /etc/apache2/conf.d/subversion.conf:
<IfModule mod_dav_svn.c>
  <Location /svn>
    DAV svn
    SVNParentPath /srv/svn

    # Limit write permission to list of valid users.
    # Everything listed in LimitExcept (reads) stays anonymous.
    <LimitExcept GET PROPFIND OPTIONS REPORT>
      # Require SSL connection for password protection.
      # (Left commented out here, so Basic credentials travel to Apache in cleartext.)
      # SSLRequireSSL

      AuthType Basic
      AuthName "Subversion repositories (Domänenzugangsdaten)"

      # The authentication provider is mod_ldap
      AuthBasicProvider ldap
      # mod_ldap is our *only* authentication provider for this!
      AuthzLDAPAuthoritative on

      # AD requires an authentication DN to access any records
      AuthLDAPBindDN "CN=LDAP Subversion,OU=anon_accounts,OU=Users,DC=foobar,DC=org"
      AuthLDAPBindPassword "somethingrandom"

      # The URL to search in
      AuthLDAPURL "ldap://dc0.foobar.org/ou=Users,dc=foobar,dc=org?sAMAccountName?sub?(objectClass=*)"

      # Search the group membership in the specified group, otherwise it's gonna
      # get searched at the binding DN's location
      AuthLDAPGroupAttributeIsDN on
      Require ldap-group CN=gr_subversion,OU=Groups,DC=foobar,DC=org
    </LimitExcept>
  </Location>
</IfModule>
Now, as you can see, my goal was to not rely on a separate authorization database, but to use our already existing Active Directory at work. Generally this works just fine, but it didn’t. I tried various things, like trying another user, changing the group (as in the “require ldap-group“) as well as changing my own password. Zip.
All I got was this line in the error_log of apache:
[warn] [client 10.0.0.148] [9486] auth_ldap authenticate: user foo authentication failed; URI /svn/admin-scripts/!svn/act/71f2b65f-d050-0410-b33c-3b31fbb94a00 [ldap_search_ext_s() for user failed][Operations error]
Now, that itself does tell you what is happening, but not why. So again, I ended up googling till I found this:
The suggested step was to add “REFERRALS off” to /etc/ldap/ldap.conf. Surprise, the file doesn’t exist. Heck, there’s that one in /etc/ldap.conf. I did that, still zip.
Did I get the wrong file ? Absolutely.
/etc/ldap.conf is used by nsswitch and pam_ldap, but not by openldap2 (which is what apache is using). So after reading this comment, I added the line to /etc/openldap2/ldap.conf, and *kaching*! Works.
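The block above makes three security decisions that are easy to forget once it works: the LDAP URL is plain ldap://, SSLRequireSSL is commented out, and every method in LimitExcept is served without authentication, on top of the subtree search that triggered the referral problem. The following is an added example, not code from the original post, that reads such a block, shows the filter mod_authnz_ldap ends up sending for a login name, and flags those weak spots; the sample configuration is constructed from the snippet above, and the function and finding names are my own.

```python
"""Lint an Apache mod_authnz_ldap block for the weak spots a reviewer would
flag.  Added example, not code from the original post: the checks encode what
is visible in the configuration above (cleartext transport, commented-out
SSLRequireSSL, anonymous reads, subtree search with referral chasing); the
function and finding names are my own."""
import re
from urllib.parse import urlsplit, unquote

# Constructed from the post's snippet, trimmed to the directives the linter
# reads; the realm string is shortened.
SAMPLE_CONF = """
<Location /svn>
  DAV svn
  SVNParentPath /srv/svn
  <LimitExcept GET PROPFIND OPTIONS REPORT>
    # SSLRequireSSL
    AuthType Basic
    AuthName "Subversion repositories"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative on
    AuthLDAPBindDN "CN=LDAP Subversion,OU=anon_accounts,OU=Users,DC=foobar,DC=org"
    AuthLDAPBindPassword "somethingrandom"
    AuthLDAPURL "ldap://dc0.foobar.org/ou=Users,dc=foobar,dc=org?sAMAccountName?sub?(objectClass=*)"
    AuthLDAPGroupAttributeIsDN on
    Require ldap-group CN=gr_subversion,OU=Groups,DC=foobar,DC=org
  </LimitExcept>
</Location>
"""
# The same block with the two transport fixes applied.
HARDENED_CONF = SAMPLE_CONF.replace('# SSLRequireSSL', 'SSLRequireSSL') \
                           .replace('ldap://', 'ldaps://')

DIRECTIVE_RE = re.compile(r'^([A-Za-z]+)(?:\s+(.*))?$')
LIMIT_RE = re.compile(r'^<LimitExcept\s+([^>]+)>$', re.IGNORECASE)


def parse_directives(conf):
    """Collect active directives (lower-cased name -> value) and the method list
    of <LimitExcept>.  Lines behind '#' are skipped on purpose: a commented-out
    SSLRequireSSL protects nothing."""
    directives, unprotected = {}, []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = LIMIT_RE.match(line)
        if m:
            unprotected = m.group(1).split()
            continue
        if line.startswith('<'):          # other container open/close tags
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            directives[m.group(1).lower()] = (m.group(2) or '').strip().strip('"')
    return directives, unprotected


def parse_ldap_url(url):
    """Split an RFC 4516 URL the way mod_authnz_ldap reads it: the attribute
    defaults to uid, the filter to (objectClass=*), and the scope to sub
    because the module does not support base searches."""
    parts = urlsplit(url)
    fields = parts.query.split('?') if parts.query else []
    fields += [''] * (3 - len(fields))
    attribute, scope, filt = fields[:3]
    return {
        'scheme': parts.scheme,
        'host': parts.hostname,
        'base': unquote(parts.path.lstrip('/')),
        'attribute': attribute or 'uid',
        'scope': scope if scope in ('one', 'sub') else 'sub',
        'filter': filt or '(objectClass=*)',
    }


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a search filter, so that a
    login name such as '*)(cn=' cannot widen the search.  mod_authnz_ldap
    escapes the same metacharacters before it builds its filter."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\0' else c for c in value)


def effective_filter(url, user):
    """The filter sent to the directory for one login attempt: the URL's own
    filter AND-ed with the user attribute."""
    u = parse_ldap_url(url)
    return '(&%s(%s=%s))' % (u['filter'], u['attribute'], escape_filter_value(user))


def lint(conf):
    """Return a sorted list of (finding, detail) pairs for one config block."""
    d, unprotected = parse_directives(conf)
    findings = []
    url = d.get('authldapurl')
    if url:
        u = parse_ldap_url(url)
        if u['scheme'] == 'ldap':
            findings.append(('ldap-cleartext', 'bind password and every user password travel to %s unencrypted; use ldaps://' % u['host']))
        if u['scope'] == 'sub':
            findings.append(('referral-chase', "subtree search: Active Directory may answer with referrals that libldap follows unauthenticated ('Operations error'); set REFERRALS off in the ldap.conf Apache's libldap reads"))
    if d.get('authtype', '').lower() == 'basic' and 'sslrequiressl' not in d:
        findings.append(('basic-cleartext', 'Basic credentials reach Apache unencrypted; activate SSLRequireSSL'))
    if unprotected:
        findings.append(('anonymous-read', 'no authentication for ' + ' '.join(unprotected)))
    if 'authldapbindpassword' in d:
        findings.append(('bind-password-on-disk', 'AuthLDAPBindPassword is stored in cleartext; keep the file readable by root only'))
    return sorted(findings)


if __name__ == '__main__':
    for name, conf in (('as posted', SAMPLE_CONF), ('hardened', HARDENED_CONF)):
        print(name)
        for finding, detail in lint(conf):
            print('  %-22s %s' % (finding, detail))
```

Running it prints five findings for the block as posted and three for the hardened variant; the anonymous-read and bind-password findings stay because they are policy choices (the post wants anonymous checkouts) and a file-permission matter, not something a directive can fix. The referral-chase finding is exactly the "Operations error" above: the fix lives in libldap's ldap.conf, not in Apache's config.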
Now I just need to install redmine (already installed ruby, rubygems and rubygem-rails from the SDK Addon), but I’ll leave that for tomorrow; today I’m gonna watch Band of Brothers.
The clue to build ppc64 RPM’s
Posted on June 26th, 2008 by Christian in Life
Remember, I talked about building RPM’s on SLES10SP2 on ppc64 ? Well, turns out I was rather stupid .. and it was rather simple (don’t ask me why I didn’t think of that). I tried asking solar, I used google (apparently with the wrong search parameters), nothing though. Not a clue.
Today it bugged me again, so I used google again. This time with “ppc64 suse rpmbuild“, and guess what I saw within the preview of the second hit ..
rpmbuild -ba --target ppc64 myfile.spec
And here I thought I was missing something, turns out I was really stupid though .. *shrug* Building stuff like nagios works with that just fine ..
Update: or not. It worked only a single time and is broken ever since again. Guess I’m gonna reload the box on Tuesday.
Removing newlines (\n) with sed
Posted on June 24th, 2008 by Christian in Life
Today I had to search again on how to remove newline special characters with sed. Thanks to Kamil over at linux.dsplabs.com.au, I found it again rather quickly.
Now, this is just for my own safekeeping, so I don’t end up googling for it again … *shrug*
echo -e "Line containing \nnewlines!" | sed ':a;N;$!ba;s/\n//g'
VMware design rules
Posted on June 20th, 2008 by Christian in Life
I just got back from four days in Rostock over at S&N, where I was attending a VMware design course, and here’s a list of questions I asked the trainer:
- What’s the disadvantage of having a 1016 ported vSwitch ?
- Any clues on how to exchange the default certificate of the Virtual Center ?
- Are there any tools to stress test the virtual system ?
- Are there any performance impacts of having more than 10 users in Virtual Center ?
- Any clues and/or guides on how to do time synchronization in VMware guests, especially Linux guests ?
- What’s the preferred NIC type for Linux guests ?
- Any clues to using Raw Device Mappings with VMotion ?
- Is there a way of defining CPU masks on a global level ?
Answers:
- There might be a small overhead, though that’s limited to a really non-measurable amount
- Hasn’t done it yet.
- Yes, there are free stress test tools like cpubusy.vbs, cpubusy.pl, iometer.exe, ..
- Nope, you should only experience load problems starting at 25 or so users
- Select *one* variant, either time synchronization by use of the VMware tools or ntpupdate; if ntpupdate, select a single time source for your whole environment
- For ESX 3.5.0 that would be “Flexible” (as per VMware Knowledgebase), as the vmxnet type is a leftover from ESX 3.0
- Raw device mappings are *absolutely* supported by VMware, and also work without any troubles (when mapping/zoning is correctly configured)
- Currently there’s no known way of doing this
- When adjusting the CPU affinity of a VM, *always* completely stop the virtual machine afterwards
- When trying to figure out CPU bottlenecks, check whether or not hyperthreading is enabled. The hyperthreaded (second) core is only giving you a CPU with 15% of the first.
Also, here are some guidelines on how the trainer extended the defaults:
ESX Server:
- Extend the “/” size to 10GiB
- Extend the “swap” partition to about 1GiB
- Extend the “/var/log” partition to about 4 GiB
- don’t mess around with creating too many vSwitches; just keep it simple
- set the duplex mode manually if the ESX is giving you any trouble
- disable the Traffic Shaping, unless you *really* need it
VirtualCenter:
- There are two options when installing VirtualCenter: either install it on a physical box or simply put it into a virtual machine itself
- A problem with putting it into a virtual machine is, when the VM is shutting down or powered off due to isolation of the ESX running it, any ESX Server powering up isn’t going to start any virtual machines as that in return requires the License Server
- Only use the SQL Server Express variant if you really have to. It’s limited to 4GB database size, so if your installation grows above say 50 hosts and 2000 VM’s, this is gonna break the limits of SQL Server Express
Updated `check_ram’ plugin
Posted on June 17th, 2008 by Christian in Life
As I was building the updated RPMs for SLES10, I needed to refresh my old patch. Also, I was getting strange messages from autotools and fixed these quirks. Now I’ve prepped a patch for it and finished building new RPMs for i586 and x86_64.
Looong time
Posted on June 16th, 2008 by Christian in Gentoo, Life
Well, it’s been a loong time since I first thought about retiring (yes, I know that #-dev’s topic states “developer blogs” ain’t for announcing important things, but my blog has to do for this; if not, I don’t care anymore).
But I think it’s about time for me to leave. I haven’t done much lately; I’ve been so damn busy with work these last months, like I would never have imagined. I gave it some more thought, and I finally got to the point (again, I might add) where it all just annoys and/or frustrates me.
All the damn bickering, the childish behaviour Josh talked about (“noooo, that’s my TOY!”), the constant abuse of power (hey #-chat, #-kde ops). I thought most of us would at least try and behave like the elderish people we are (well, besides the few of us who really are children by law’s definition - hey there welp, omp, keytoaster). But I guess that’s just been an imaginary thought I had .. *shrug*
Building RPMs on SLES10SP2-ppc64
Posted on June 14th, 2008 by Christian in Life
Well, it turns out that building stuff on ppc64 is a *real* pain in the ass, at least on anything SUSE related. I do have to tweak every damn spec to include this:
%ifarch ppc64
export LDFLAGS="$LDFLAGS -m64"
%endif
Otherwise, ld is gonna fail when linking, as it’s gonna try linking the generated 64bit code (-m64 is passed on via RPM_OPT_FLAGS to CFLAGS) as 32bit code, which ain’t gonna work at all …
On top of that, stuff ain’t building due to multiple problems (for example nagios and vim, cause ld is unable to find the fitting -lperl (for nagios) and -lXt (for vim)) as well as source errors …
gcc -DHAVE_CONFIG_H -I. -I. -I../../include -I../../include -I/usr/include -D_FREETDS_LIBRARY_SOURCE -DUNIXODBC -DHAVE_UNISTD_H -DHAVE_PWD_H -DHAVE_SYS_TYPES_H -DHAVE_LONG_LONG -DSIZEOF_LONG=4 -D_REENTRANT -D_THREAD_SAFE -DDEBUG=1 -Wall -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -pthread -O2 -g -m64 -fmessage-length=0 -D_FORTIFY_SOURCE=2 -Wdeclaration-after-statement -MT connectparams.lo -MD -MP -MF .deps/connectparams.Tpo -c connectparams.c -fPIC -DPIC -o .libs/connectparams.o
In file included from connectparams.c:22:
../../include/config.h:375:1: warning: "SIZEOF_LONG" redefined
<command line>:1:1: warning: this is the location of the previous definition
connectparams.c:90: error: static declaration of `SQLGetPrivateProfileString' follows non-static declaration
/usr/include/odbcinst.h:170: error: previous declaration of `SQLGetPrivateProfileString' was here
make[3]: *** [connectparams.lo] Error 1
make[3]: Leaving directory `/srv/BUILD/freetds-0.82/src/odbc'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/srv/BUILD/freetds-0.82/src/odbc'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/srv/BUILD/freetds-0.82/src'
make: *** [all-recursive] Error 1
GPO (behind the scenes)
Posted on June 5th, 2008 by Christian in Life
Well, to begin with we had this really weird problem that the thin clients as well as the terminal server would only load user based group policy if you are a member of the group of local administrators. While that’s ok for the thin clients (users can’t actually change something unless they log in as “Administrator” - don’t ask me why), it’s a real no-no on the terminal server.
We tried redoing *everything* (that is, starting with the domain, then terminal server and after that the thin clients) and yet nothing changed, it didn’t work either. That’s what I’ve been doing the last 2 weeks. Up till now, I always thought a user would have access to the ntuser.dat (that is HKEY_CURRENT_USER), if his NTFS permissions would be correct. But nooooooooooooooooooooo, Microsoft had to introduce another layer of permissions.
Once you change it to be proper (as in remove the dead user entry and add a group that actually gets you somewhere), it’s all starting to work!
Windows XP Embedded, Windows Server 2003 and GPO settings (the solution)
Posted on June 4th, 2008 by Christian in Life
OK, so about an hour ago (yeah, yeah; I know .. I shouldn’t be working at that time, but it really gave me sleepless nights), I finally figured out why the hell both my Windows XP Embedded thin clients as well as my Windows Server 2003 systems were showing this real *weird* behaviour when applying group policies, or more precisely the user based configuration of a group policy.
The inspiration came to me after reading this and taking a look at regedit myself, where I noticed the entry “Permissions” for the first time ever since I’m using regedit. I also noticed, that the regedit permissions seem to be using the same groups, one would assign to NTFS resources.
That said, it really all boils down to the ntuser.dat (which *IS* HKEY_CURRENT_USER). As I created the profile with a different user than I am using it with (basically, I want ~12.000 users to use this one profile), I needed to change the permissions *INSIDE* regedit to include a group containing all these users. After that, any user could again merge the settings from ntuser.pol into HKEY_CURRENT_USER\Software\Policies, which in turn gives you the joy of your fucking policies working again.
TADAAAAAA! About two weeks worth of work spent for such a shitty thing, and noticing it when you’re off work — priceless!
Shopping list
Posted on June 1st, 2008 by Christian in Life
Ok, as I promised my fellow colleague, I wanted to search for all the components I need to build my EPIA desktop. And here’s the list:
- VIA EPIA SN10000EG - Hanobox - 206,60€
- Kingston ValueRAM SO-DIMM 2GB (DDR2-667) - Alkon-PC - 29,90€ each
- Transcend SSD 2.5″, 8GB IDE - K&M Elektronik - 86,35€
- Ably GH-PELX16-C7 PCIe X16 Riser Card - HRT Informationstechnik - 28,69€
- Club 3D GeForce 7300 GT, 256MB DDR2, 2x DVI, PCIe - Xada - 56,50€
- Samsung SyncMaster 204B, 20.1″ - 270,00€ each
So we are currently at 759,24€ for the whole thing.