Netbook a little small for an IDE

Eclipse eating CPU
Eclipse was filtering the list of installable add-ons

After I installed Linux Mint 10 to get away from Unity bugs, I went to reinstall Eclipse.

First from Synaptic, but the version was a bit old. I did not manage to install Maven.

Next a download and manual install of Helios. Filtering the list of available add-ons seems to launch an enormous job. Type one letter and wait 2 minutes.

Hope I can get it all running before lunch. :-{

EPUBReader for Firefox

EPUBReader blog masthead

Head down working yesterday. I was too tired to write to you by the time I quit at 11 pm.

Still busy today, but I took a few minutes out to look at how to read the .epub files I have been generating with help from Docbkx Tools.

I don’t have an appliance to read EPUB, but there’s an EPUBReader add-on for Firefox that seems to work fairly well. At least well enough for me to figure out what I am doing wrong or right.

Why EPUB? My hope is that the content will be even easier to read than PDF, and still available so you can read the docs during a system crash combined with a network outage. 😉 Seriously, I’m more curious than anything else at this point.

LDAP Account Manager and OpenDJ

LAM logo

From Freshmeat.net, I saw an announcement that LDAP Account Manager had reached version 3.4.0. Congratulations to Roland Gruber and all the other contributors. A quick summary from the project site:

LDAP Account Manager (LAM) is a web frontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. LAM was designed to make LDAP management as easy as possible for the user. It abstracts from the technical details of LDAP and allows persons without technical background to manage LDAP entries. If needed, power users may still directly edit LDAP entries via the integrated LDAP browser.

This morning I tried out the older version of LDAP Account Manager, version 3.1 I believe, that has gone into Linux Mint 10, with OpenDJ.

Setup works through the PHP-based web GUI. Yet I managed to put a typo in my ldap URL and could not contact OpenDJ, which is running on another system. Looking around, I found that the config info entered through the PHP pages goes not under /etc/ldap-account-manager, but into /usr/share/ldap-account-manager/config/lam.conf. So sudo vi /usr/share/ldap-account-manager/config/lam.conf and I was back in the saddle again after fixing ldap://192.168.0.11:1/1389 to read ldap://192.168.0.11:1389.

The lam.conf file seems approximately self-explanatory. It says, “Please do not modify this file manually.” I admit to having been impolite therefore. But what I did seemed to work.

  • Could not figure out how to get LAM to log in with cn=Directory Manager — note: probably a good thing — so to the list of Admins I added uid=mark,ou=people,dc=example,dc=com, which is one of the users in my OpenDJ setup. mark appeared in the drop-down lists of LAM admins after I saved.
  • Changed a number of base DNs in the file to reflect that my main suffix is dc=example,dc=com.
  • Changed ou=group,dc=example,dc=com to ou=Groups,dc=example,dc=com.

Also, one of the organizationalUnit entries was missing. I added ou=Machines,dc=example,dc=com on the OpenDJ server.

I’m just discovering LAM, so I haven’t scratched the surface yet. My guess is that a number of standard schema definitions are missing in OpenDJ to handle the accounts, because I could not even create a new UNIX group, let alone a Samba 3 group. Instead I got an object class violation.

Nevertheless the GUI is quite nice. Will have to give LAM a longer look later.

JSPWiki/Tomcat using LDAP auth

JSPWiki logo

An interesting thread came up Easter Sunday on the jspwiki-user list. Brian Burch explains how to set up LDAP authentication behind JSPWiki running on Apache Tomcat.

I have only gotten so far as to update the LDAP schema for OpenDJ (here’s what I used), add the tomcatRole to my users, create my groups, activate Tomcat container authentication through to LDAP, and tell JSPWiki to use container auth.

Now I see that SSL is needed, which makes sense if anyone’s going to start typing passwords to authenticate.

The procedure is not exactly quick and easy, but I am glad to see that the overall steps have been written up.

OpenDJ 2.4.2 available

OpenDJ logo

Glad to relay that OpenDJ 2.4.2 has just been released. 🙂

OpenDJ 2.4.2 is an update release that fixes a number of issues. See Ludo’s blog entry for more.

To perform an evaluation install if you already have Sun Java 6 on your system, try the Java WebStart version.

You are welcome to join the community, and also to sign up for the mailing list.

Notepad and \n

Billgates.JPG, source: http://en.wikipedia.org/

Notepad still does not recognize UNIX newlines. But you already knew that.

Every time an intern looks at the problem and says, “Shucks, I could commit this one line fix for that,” a Windows product manager springs out from behind the desk to say, “Never! Not in a million years!”

I saw the issue first while trying Slackware, probably in 1996-7. Latest workaround noticed: on Windows 7, when you run the edit command in PowerShell to open a UNIX file, you can just save it again. It’s like running unix2dos. Then you can edit the file in Notepad. YMMV, but it seemed to work for me.

dn: o=北京大学

g11n testing
Testing non-European locales, source: http://server.lunq.net

I told Gary I would run some manual functional tests of OpenDJ on Windows. At home the kids’ Windows 7 PC is in locale fr-FR.

Testing with European language characters seems to be pretty easy. Copy a suffix DN from a web page, paste it into the Control Panel, and then import an LDIF file. No problem.

But when I try creating a suffix with Chinese, o=北京大学, or Japanese, o=東京大学, all the entries are ignored on import. It is as if the text I copy/paste is not the same as the text I copy/paste then save in Notepad in UTF-8.

How does all that work, anyway? (Will the copy/paste steps I’m doing between a Terminal and Chrome on the Mac show up right in your view of this entry?)
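As an added example that is not part of the original post: RFC 2849 LDIF expects a DN or value such as o=北京大学 to be base64-encoded after a double colon rather than written as raw UTF-8, and a file saved by Windows Notepad as UTF-8 starts with a byte-order mark that sits in front of the first "dn:" line. The sample entry and the Notepad-style bytes below are constructed here; whether a BOM was the cause of the ignored entries above is not established.

```python
# Added example (not from the original post): write LDIF for an entry whose DN
# and attribute values are non-ASCII, as RFC 2849 requires, and check a file
# for the UTF-8 byte-order mark that Windows Notepad prepends when saving as
# UTF-8, which an LDIF importer may not accept at the start of "dn:".
import base64

def is_safe_string(value: str) -> bool:
    """RFC 2849 SAFE-STRING: ASCII only, no NUL/CR/LF, and not starting with
    a space, a colon or '<'.  Anything else must be base64-encoded after '::'."""
    if any(ord(c) > 0x7F or c in "\x00\r\n" for c in value):
        return False
    return not value or value[0] not in " :<"

def ldif_line(attr: str, value: str) -> str:
    """One attribute line, base64-encoding the value when it is not safe."""
    if is_safe_string(value):
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

def entry_to_ldif(dn: str, attrs: list[tuple[str, str]]) -> str:
    """Serialize one entry; the DN line follows the same encoding rule."""
    return "\n".join([ldif_line("dn", dn)] + [ldif_line(a, v) for a, v in attrs]) + "\n"

def decode_ldif_value(line: str) -> str:
    """Inverse of ldif_line: return the decoded value of one attribute line."""
    _, sep, rest = line.partition("::")
    if sep:
        return base64.b64decode(rest.strip()).decode("utf-8")
    return line.partition(":")[2].strip()

def strip_utf8_bom(data: bytes) -> tuple[bytes, bool]:
    """Return the file bytes without a leading BOM and whether one was present."""
    if data.startswith(b"\xef\xbb\xbf"):
        return data[3:], True
    return data, False

# Constructed sample: the Chinese suffix from the post as a base entry.
PEKING_ENTRY = entry_to_ldif("o=北京大学", [
    ("objectClass", "top"),
    ("objectClass", "organization"),
    ("o", "北京大学"),
])

# Constructed sample of what Notepad writes for that file with "UTF-8" chosen.
NOTEPAD_SAVED = b"\xef\xbb\xbf" + PEKING_ENTRY.encode("utf-8")
```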

Fun with docbkx-tools

Docbkx Tools logo

Before starting at ForgeRock I had not played with doc tools for a couple of years. At Sun the doc tools team encapsulated doc production, which was a good thing for uniformity, productivity, and management of all the versions of all the documentation sets Sun published. The doc tools team had competent people, too. The production tools were great, even as early as 1999 when I joined.

It came as a surprise to see how far even a dilettante like me can get. With docbkx-tools, a tool for transforming DocBook in a Maven project, and a few other Maven plugins, I can roll my own. For a project based on a Maven environment, the tools make it straightforward to generate not only HTML and PDF but also EPUB and RTF from DocBook sources, which can then be uploaded directly as part of a project site.

If only it were as easy to do the book and page design. 🙂

XWiki LDAP authentication with OpenDJ

An Xwiki logo and OpenDJ logo

My copy of OpenDJ contains Example.com data imported from LDIF I posted at http://mcraig.org/ldif/Example.ldif, augmented with the data for using sudo-ldap.

After installing Xwiki, I followed the Xwiki instructions for configuring LDAP authentication. Here is what I changed in xwiki.cfg versus the original.

mark@ldapclient:~/XWiki Enterprise/webapps/xwiki/WEB-INF$ diff xwiki.cfg xwiki.cfg.orig
349c349
< xwiki.authentication.authclass=com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl
---
> # xwiki.authentication.authclass=com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl
354c354
< xwiki.authentication.ldap=1
---
> # xwiki.authentication.ldap=1
357,358c357,358
< xwiki.authentication.ldap.server=host.example.com
< xwiki.authentication.ldap.port=1389
---
> xwiki.authentication.ldap.server=127.0.0.1
> xwiki.authentication.ldap.port=389
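Review bot: this hunk points XWiki at host.example.com on plain ldap port 1389 (the `<` lines are the edited file, the `>` lines the original), and with the surrounding hunks switching LDAP authentication on, each wiki login now sends the user's password to OpenDJ in a simple bind across that unencrypted connection. The JSPWiki entry above makes the same point, that SSL is needed once people start typing passwords; the connection to OpenDJ should be protected with TLS before this configuration is used beyond a test setup.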
362c362
< xwiki.authentication.ldap.bind_DN=uid={0},ou=people,dc=example,dc=com
---
> xwiki.authentication.ldap.bind_DN=cn={0},department=USER,department=INFORMATIK,department=1230,o=MP
385c385
< xwiki.authentication.ldap.base_DN=dc=example,dc=com
---
> xwiki.authentication.ldap.base_DN=
388c388
< xwiki.authentication.ldap.UID_attr=uid
---
> # xwiki.authentication.ldap.UID_attr=cn

Subsequently, Barbara Jensen can log in to XWiki.

Screenshot: Login as Babs

In the Example.ldif mentioned above, bjensen’s password is hifalutin.

Screenshot: Welcome Barbara Jensen

Notice the profile is for Barbara Jensen.

Sudo with OpenDJ

Sudo on Ubuntu
Source: http://en.wikipedia.org/wiki/File:Sudo_on_Ubuntu.png, see license at http://www.sudo.ws/sudo/license.html

Using the same system set up according to Dave Koelmeyer’s instructions and my notes, I got sudo to work based on entries in OpenDJ. The first way is quick and dirty, the second longer but cleaner.

Quick and Dirty

One quick and dirty way I found on Ubuntu to let users whose entries have the posixAccount object class use sudo was to change a user’s gidNumber value to 27 (the sudo group in my Ubuntu 10.10 VM) or 119 (the admin group, also allowed by default to sudo):

User mark is in group 119 admin, and can sudo. User bjensen is in group 1000, and so cannot sudo.

mark@ldapclient:~$ id
uid=1000(mark) gid=1000(mark) groups=1000(mark),4(adm),20(dialout),24(cdrom),46(plugdev),111(lpadmin),119(admin),122(sambashare)
mark@ldapclient:~$ sudo head /etc/sudoers
# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#

Defaults	env_reset

# Host alias specification
mark@ldapclient:~$ su - bjensen
Password:
bjensen@ldapclient:~$ id
uid=1076(bjensen) gid=1000(mark) groups=1000(mark)
bjensen@ldapclient:~$ sudo head /etc/sudoers
[sudo] password for bjensen:
bjensen is not in the sudoers file.  This incident will be reported.

Go into the OpenDJ Control Panel, then click Manage Entries. Then search for user bjensen, change Babs’s gid to 27, and save your work. Returning to the LDAP client system command line, you see that Babs is now in the sudoers group.

bjensen@ldapclient:~$ id
uid=1076(bjensen) gid=1000(mark) groups=27(sudo),1000(mark)
bjensen@ldapclient:~$ sudo head /etc/sudoers
[sudo] password for bjensen:
# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#

Defaults	env_reset

# Host alias specification
bjensen@ldapclient:~$

Trouble is, gidNumber is SINGLE-VALUE according to the schema. Maybe we do not want Babs only in the sudoers group.

So set bjensen’s gid back to 1000 through the OpenDJ Control Panel > Manage Entries.

Long and Cleaner

Step 1.

Install the sudo-ldap package.

The default sudo package has no ldap support.

On Ubuntu, you may have to set a root password before the package manager lets you remove sudo to install sudo-ldap.

mark@ldapclient:~$ sudo apt-get install sudo-ldap
[sudo] password for mark:
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
  linux-headers-2.6.35-22 linux-headers-2.6.35-22-generic
Use 'apt-get autoremove' to remove them.
The following packages will be REMOVED:
  sudo
The following NEW packages will be installed:
  sudo-ldap
0 upgraded, 1 newly installed, 1 to remove and 4 not upgraded.
Need to get 0B/336kB of archives.
After this operation, 41.0kB of additional disk space will be used.
Do you want to continue [Y/n]?
dpkg: sudo: dependency problems, but removing anyway as you requested:
 ubuntu-minimal depends on sudo.
 gksu depends on sudo.
(Reading database ... 170472 files and directories currently installed.)
Removing sudo ...
You have asked that the sudo package be removed,
but no root password has been set.
Without sudo, you may not be able to gain administrative privileges.

If you would prefer to access the root account with su(1)
or by logging in directly,
you must set a root password with "sudo passwd".

If you have arranged other means to access the root account,
and you are sure this is what you want,
you may bypass this check by setting an environment variable
(export SUDO_FORCE_REMOVE=yes).

Refusing to remove sudo.
dpkg: error processing sudo (--remove):
 subprocess installed pre-removal script returned error exit status 1
Errors were encountered while processing:
 sudo
E: Sub-process /usr/bin/dpkg returned an error code (1)

This seems to be a known Ubuntu bug, https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/140467. The following workaround seems to have done the trick.

mark@ldapclient:~$ mkpasswd password
GjIcQ0DGpk0bI
mark@ldapclient:~$ sudo usermod -p GjIcQ0DGpk0bI root
mark@ldapclient:~$ sudo apt-get install sudo-ldap
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
  linux-headers-2.6.35-22 linux-headers-2.6.35-22-generic
Use 'apt-get autoremove' to remove them.
The following packages will be REMOVED:
  sudo
The following NEW packages will be installed:
  sudo-ldap
0 upgraded, 1 newly installed, 1 to remove and 4 not upgraded.
Need to get 0B/336kB of archives.
After this operation, 41.0kB of additional disk space will be used.
Do you want to continue [Y/n]?
dpkg: sudo: dependency problems, but removing anyway as you requested:
 ubuntu-minimal depends on sudo.
 gksu depends on sudo.
(Reading database ... 170472 files and directories currently installed.)
Removing sudo ...
Processing triggers for ureadahead ...
ureadahead will be reprofiled on next reboot
Processing triggers for man-db ...
Selecting previously deselected package sudo-ldap.
(Reading database ... 170447 files and directories currently installed.)
Unpacking sudo-ldap (from .../sudo-ldap_1.7.2p7-1ubuntu2.1_i386.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up sudo-ldap (1.7.2p7-1ubuntu2.1) ...
Installing new version of config file /etc/init.d/sudo ...

Step 2.

On the LDAP client system, make the configuration changes as described in the sudo-ldap doc.

You need to be a sudoer based on the rules in /etc/sudoers to edit these files on the LDAP client system.

In /etc/ldap.conf, add a line to specify the sudoers base DN.

sudoers_base ou=Special Users,dc=example,dc=com

In /etc/nsswitch.conf, add a line regarding sudoers.

sudoers:	ldap files

Edit /etc/sudo-ldap.conf to match the appropriate settings from /etc/ldap.conf.

BASE	dc=example,dc=com
SUDOERS_BASE	ou=Special\ Users,dc=example,dc=com
URI	ldap://10.0.2.2:1389

Step 3.

Copy the sudo schema, schema.iPlanet, to /path/to/OpenDJ/config/schema/99-sudo.ldif on the OpenDJ host.

mark@ldapclient:~$ scp /usr/share/doc/sudo-ldap/schema.iPlanet mark@opendj-host:/path/to/OpenDJ/config/schema/99-sudo.ldif

Step 4.

Get the entries to add to OpenDJ.

This example puts the sudoers under ou=Special Users,dc=example,dc=com.

mark@ldapclient:~$ export SUDOERS_BASE=ou=Special\ Users,dc=example,dc=com
mark@ldapclient:~$ sudo cat /etc/sudoers | perl /usr/share/doc/sudo-ldap/sudoers2ldif
[sudo] password for mark:
dn: cn=defaults,ou=Special Users,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: env_reset

dn: cn=root,ou=Special Users,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: root
sudoUser: root
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL

dn: cn=%sudo,ou=Special Users,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: %sudo
sudoUser: %sudo
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL

dn: cn=%admin,ou=Special Users,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: %admin
sudoUser: %admin
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL

Step 5.

Put the LDIF from the previous step in a file that you can access from the host running OpenDJ, such as /path/to/sudoers.ldif.

Step 6.

Use the ldapmodify -a command to add the sudoers.

mark@opendj-host:/path/to$ ./OpenDJ/bin/ldapmodify -a -p 1389 -D "cn=Directory Manager" -w ecureuil -f sudoers.ldif
Processing ADD request for cn=defaults,ou=Special Users,dc=example,dc=com
ADD operation successful for DN cn=defaults,ou=Special Users,dc=example,dc=com
Processing ADD request for cn=root,ou=Special Users,dc=example,dc=com
ADD operation successful for DN cn=root,ou=Special Users,dc=example,dc=com
Processing ADD request for cn=%sudo,ou=Special Users,dc=example,dc=com
ADD operation successful for DN cn=%sudo,ou=Special Users,dc=example,dc=com
Processing ADD request for cn=%admin,ou=Special Users,dc=example,dc=com
ADD operation successful for DN cn=%admin,ou=Special Users,dc=example,dc=com

Step 7.

Using OpenDJ Control Panel > Manage Indexes, index sudoUser for equality searches.

Step 8.

Create a new entry under the sudoers base from LDIF.

dn: cn=bjensen,ou=Special Users,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: bjensen
sudoUser: bjensen
sudoHost: ALL
sudoCommand: ALL

Step 9.

Verify that sudo works for your new sudoer.

mark@ldapclient:~$ su - bjensen
Password:
bjensen@ldapclient:~$ sudo head /etc/sudoers
[sudo] password for bjensen:
# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#

Defaults	env_reset

# Host alias specification

Voilà.
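To show what the sudoRole entries added in Steps 4 through 8 actually grant, here is an added example (not from the original post or from the sudo project) that parses entries like the ones above and evaluates them as sudo-ldap does according to sudoers.ldap(5): sudoUser matches the user name, a %group or ALL, then sudoHost and sudoCommand are checked, and a missing sudoRunAsUser (as in the cn=bjensen entry of Step 8) allows running as root only. The sample LDIF is constructed from the post's entries, with bjensen's host and command narrowed so that a non-ALL match is exercised.

```python
# Added example (not from the original post or the sudo project): parse sudoRole
# entries like those from sudoers2ldif and evaluate them as sudo-ldap does.

# Constructed sample: cn=defaults, cn=%admin and cn=bjensen from the post, with
# bjensen's host and command narrowed so a non-ALL match is exercised.
SAMPLE_LDIF = """\
dn: cn=defaults,ou=Special Users,dc=example,dc=com
objectClass: sudoRole
sudoOption: env_reset

dn: cn=%admin,ou=Special Users,dc=example,dc=com
objectClass: sudoRole
sudoUser: %admin
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL

dn: cn=bjensen,ou=Special Users,dc=example,dc=com
objectClass: sudoRole
sudoUser: bjensen
sudoHost: ldapclient
sudoCommand: /usr/bin/head
"""

def parse_ldif(text):
    """Minimal RFC 2849 reader; a blank line ends an entry (no base64 values)."""
    entries, attrs = [], {}
    for line in text.splitlines() + [""]:
        if not line and attrs:
            entries.append(attrs)
            attrs = {}
        elif line:
            name, _, value = line.partition(":")
            attrs.setdefault(name, []).append(value.strip())
    return entries

def sudo_user_filter(user, groups):
    """The search filter sudo-ldap sends; this is why Step 7 indexes sudoUser."""
    alts = [f"(sudoUser={user})", *(f"(sudoUser=%{g})" for g in groups), "(sudoUser=ALL)"]
    return f"(&(objectClass=sudoRole)(|{''.join(alts)}))"

def allowed(entries, user, groups, host, command, runas="root"):
    """True if some sudoRole lets user on host run command as runas."""
    for e in entries:
        users = set(e.get("sudoUser", []))     # cn=defaults has none: skipped
        if not ({user, "ALL"} & users or any("%" + g in users for g in groups)):
            continue
        if not {host, "ALL"} & set(e.get("sudoHost", [])):
            continue
        # Absent sudoRunAsUser (as in the post's bjensen entry) means root only.
        if not {runas, "ALL"} & set(e.get("sudoRunAsUser", ["root"])):
            continue
        if {command, "ALL"} & set(e.get("sudoCommand", [])):
            return True
    return False
```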