LDAP Commands on RHEL5

During the migration of a production system from Solaris 10 to RedHat Enterprise Linux 5, I discovered that I had a problem with a couple of my LDAP scripts.  The commands being run were standard ldapsearch and ldapmodify commands in a format similar to the following:

ldapsearch -h hostname.domain.com -p 389 -b o=organisation -D cn=admin -w password cn=foobar
ldapmodify -h hostname.domain.com -p 389 -b o=organisation -D cn=admin -w password -f updates.ldif

Each time I ran the commands I got the following error:

SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
	additional info: SASL(-4): no mechanism available:

It turns out that the versions of the ldapsearch and ldapmodify commands that come with RHEL5 are based on the standard OpenLDAP code.  The OpenLDAP client tools default to SASL authentication and therefore expect the server to offer a SASL mechanism.  Given that the LDAP server I am connecting to is an iPlanet 5.1 LDAP server, it is not configured to understand the SASL authentication types.

The solution is to add the -x option to the commands:

ldapsearch -x -h hostname.domain.com -p 389 -b o=organisation -D cn=admin -w password cn=foobar
ldapmodify -x -h hostname.domain.com -p 389 -b o=organisation -D cn=admin -w password -f updates.ldif

This option tells the command to use simple authentication (bind DN and password) instead of SASL.
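A small wrapper around the RHEL5 ldapsearch that I wrote as an added example (it is not code from the original post): it recognises the "no mechanism available" failure shown above and retries with -x, and it reads the bind password from a file with -y rather than passing it with -w, so the password does not show up in ps output or shell history. The environment variable names (LDAP_HOST, LDAP_PORT, LDAP_BASE, LDAP_BINDDN, LDAP_PWFILE, LDAPSEARCH) are my own choices.

```shell
#!/bin/sh
# Added example (not from the original post): wrapper around the OpenLDAP
# ldapsearch on RHEL5 that detects the SASL "no mechanism available" failure
# seen against the iPlanet 5.1 server and retries with -x (simple bind).
# The bind password comes from a mode-0600 file via -y instead of -w, so it
# never appears in `ps` output or shell history.
# Assumed environment (names chosen here): LDAP_HOST, LDAP_PORT, LDAP_BASE,
# LDAP_BINDDN, LDAP_PWFILE. LDAPSEARCH overrides the client binary, which is
# useful for testing with a stub.

LDAPSEARCH=${LDAPSEARCH:-ldapsearch}

# Return 0 when the captured stderr is the SASL mechanism failure that -x fixes.
is_sasl_mech_error() {
    printf '%s\n' "$1" | grep -q 'SASL(-4): no mechanism available'
}

# ldap_query <filter> [attrs...]: search results on stdout, exit 0 on success.
ldap_query() {
    _filter=$1; shift
    _errf=$(mktemp) || return 2
    # First attempt with the client's default bind (SASL on OpenLDAP builds).
    if "$LDAPSEARCH" -h "$LDAP_HOST" -p "${LDAP_PORT:-389}" -b "$LDAP_BASE" \
            -D "$LDAP_BINDDN" -y "$LDAP_PWFILE" "$_filter" "$@" 2>"$_errf"; then
        rm -f "$_errf"
        return 0
    fi
    if is_sasl_mech_error "$(cat "$_errf")"; then
        rm -f "$_errf"
        echo "ldap_query: server offers no SASL mechanism, retrying with -x" >&2
        "$LDAPSEARCH" -x -h "$LDAP_HOST" -p "${LDAP_PORT:-389}" -b "$LDAP_BASE" \
            -D "$LDAP_BINDDN" -y "$LDAP_PWFILE" "$_filter" "$@"
        return $?
    fi
    # Any other failure (bad credentials, unreachable host): pass it through.
    cat "$_errf" >&2
    rm -f "$_errf"
    return 1
}
```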

File upload hang in Safari 4

While working on a method to allow the VSU Communications Unit to add or change the stories in the rotation on the main VSU webpage, I ran into a problem that involved a known Safari issue involving file uploads.

I don’t regularly create forms that allow a file to be uploaded; however, I don’t like to store binary data in the MySQL database either. Allowing the files to be uploaded makes creating pages that use them a whole lot easier, since I don’t have to “create” the image from the binary data; I just pass off a file location and let the browser do the rest.

The symptoms exhibited were that when submitting the form, Safari would hang about 30-40% of the time. No error messages or timeout messages were displayed. Zip, zilch, nada!

Xephyr, RHEL5 and Mac OS X 10.5

When doing system administration it is often more convenient to connect to a server through some sort of remote connection setup rather than having to sit at a console in a datacenter.  The comfort of one’s office (or living-room) is often far superior in terms of noise and temperature than the environs of the datacenter itself.

When setting up the RHEL5 server this week here at VSU, I was forced to use the Sun iLOM connection to do the initial install of the server.  While I generally use command-line only tools, the ease of use one gains from the GUI tools can often make some tasks much simpler.  Towards this end I decided to set up the server and my client to allow XDMCP sessions so that I could have full access to the GUI when necessary.

On the server there are a couple of things that you need to configure in order to make this work:

  1. Firewall ports
  2. GDM configuration options

On the client you will need to configure the OS X firewall, as well as use the correct Xephyr connection syntax.

Adding an Active Directory group to local admin on Mac OS X 10.5

One of the standard methods of configuring Mac OS X in the enterprise has become known as the magic triangle or golden triangle. This is generally described as a setup involving Active Directory (AD) for authentication of the clients and services and Open Directory (OD) for managing the client preferences.  The triangle comes from the fact that you have the Mac clients talking to AD, the clients also talking to OD, and the Mac server talking to AD. (Apple officially calls this the magic triangle setup in the Snow Leopard Server Open Directory Administration documentation.)

One of the issues I ran into was granting a non-admin in AD the ability to perform administrative functions on the clients bound to AD.  The way this is handled with the Windows clients is for the particular AD user to be a member of a group that grants local administrator privileges.

Unfortunately there is no simple equivalent on the OD side of the equation to allow this for the technicians working on the Mac OS X clients.  Adding an AD user to the system-level group Open Directory Administrators using Workgroup Manager (WGM) has no effect on whether that user is granted local administrator privileges on a connected client machine.

The solution to this involves:

  1. creating a group in OD to hold the members of AD that should have local administrative privileges,
  2. adding this OD group to the requisite local workstation groups to mimic the standard administrative privileges, and
  3. adding the OD group to the sudoers file


SSLSessionCache error on Apache for Windows

While setting up Apache for Windows to use SSPI, so that I could implement Alain O’Dea’s method of combining Active Directory authentication with SVN, I ran into an interesting path problem.

After following Alain’s instructions I kept receiving the following error:

SSLSessionCache: Invalid argument: size has to be >= 8192 bytes

After some investigation it turns out that this is due to the way the path in the configuration file was being parsed.  This is partially due to my environment.  On Windows Server 2008, when installing a 32-bit application, the installer drops the files into C:\Program Files (x86)\… unless otherwise directed.

It turns out that the extra set of parentheses was causing Apache to bomb out.  I tried wrapping the path in quotes, as well as falling back to the Windows 98 naming scheme of using C:\Progra~2\Apache Software Foundation\Apache2.2\…, but that didn’t work out either.  What I ended up doing was making a shortcut on the root of the C: drive called apache that pointed to the contents of C:\Program Files (x86)\Apache Software Foundation\, making the final path in the configuration file:

C:/apache/Apache2.2/logs/ssl_scache(512000)
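The parsing quirk behind that error, shown as an added example (my own sh script, not part of the original post and not mod_ssl code): a pre-flight check that reads an SSLSessionCache value the way the mod_ssl 2.2 directive parser does, taking the text between the first ( and the following ) as the cache size. Run against a path containing (x86) it reports the problem before httpd is restarted; the shmcb: and shm: prefixes are the only ones it knows about.

```shell
#!/bin/sh
# Added example (not from the original post): emulates how mod_ssl 2.2 pulls
# the cache size out of an SSLSessionCache value. The text between the FIRST
# '(' and the next ')' is taken as the size, so a Windows path containing
# "(x86)" hands it "x86", which atoi() turns into 0 and which then fails the
# ">= 8192 bytes" check even though a real size sits at the end of the path.

# scache_size <value>: print the size mod_ssl would parse, or "default" when
# no "(size)" is present (mod_ssl then uses its built-in default).
scache_size() {
    _v=$1
    case $_v in shmcb:*|shm:*) _v=${_v#*:} ;; esac   # drop the cache type prefix
    case $_v in
        *\(*\)*) _s=${_v#*\(}; printf '%s\n' "${_s%%\)*}" ;;   # first '(' .. next ')'
        *\(*)    echo "SSLSessionCache: no closing parenthesis in '$1'" >&2; return 1 ;;
        *)       printf '%s\n' default ;;
    esac
}

# check_sslsessioncache <value>: exit 0 and print the size mod_ssl would accept,
# exit 1 with a diagnostic on stderr otherwise.
check_sslsessioncache() {
    _size=$(scache_size "$1") || return 1
    case $_size in
        default) ;;                       # no "(size)" given: built-in default applies
        ''|*[!0-9]*)
            echo "SSLSessionCache: '$_size' is not a size; a '(' in the path precedes the size" >&2
            return 1 ;;
        *)  [ "$_size" -ge 8192 ] || {
                echo "SSLSessionCache: size has to be >= 8192 bytes" >&2; return 1; } ;;
    esac
    printf '%s\n' "$_size"
}
```

A path with no parentheses in it, such as the C:/apache/... one above, is the only value this check passes through unchanged with the intended size.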

References

  1. http://www.mail-archive.com/modssl-users@modssl.org/msg17862.html
  2. http://wiki.apache.org/httpd/SSLSessionCache
  3. http://concise-software.blogspot.com/2009/02/instant-windows-svn-server-with-ssl-and.html