XML validation in Eclipse

Eclipse is the XML editor I have been using the most to edit ForgeRock core docs, which are in DocBook 5 XML. The tag completion works for me. So does document validation.

But I am not using the default XML file validation preferences. First, I want to see all the errors, so I have checked “Enable markup validation.”

Second, the core docs use XInclude so the book files include chapters and so forth with <xinclude:include href='chap-name.xml' /> elements. Therefore, I have checked “Process XML Inclusions” as well.

Eclipse XML file validation preferences

Seems like “Process XML Inclusions” should be checked by default, but it is not.

Now I can right-click (or Ctrl+click) an XML file, and then run Validate from the context menu.

FCB1010 expression pedal recalibration

On a trip to the US, I bought a Behringer FCB1010 MIDI foot controller. MIDI is a sort of networking protocol for musical instruments. When connected to a device that understands MIDI, a MIDI foot controller lets a guitarist send signals to change effects, adjust the volume, sweep a Wah effect up and down, or adjust an effect level. On the Mac it represents a programmable stomp box for playing and recording.

This controller seemed both cheap compared to alternatives and also fairly rugged. Yet two things were wrong out of the box. First, the controller came set up to plug into a US/Canada wall outlet with no adapter and no way to select voltage. So for $9 I got a transformer.

Second, neither expression pedal sent any signal out of the box. Since I had no idea what I was doing, I ended up installing the demo version of iFCB first including the package that let me see the FCB1010 in the MIDI setup. Not sure whether that was necessary (though I probably will go back to pay for iFCB once I better understand what I’m doing and want to get the FCB1010 to do more). Problem symptoms included getting nowhere trying to have MainStage learn the settings from either pedal, seeing MIDI signals in the status box at the top of the MainStage window for the switch pedals but not for the expression pedals, and seeing the same failure in more detail with MIDI Monitor.

Turns out the second problem was even easier to fix than the first, once I stopped trying to find the answer (or even anything I could comprehend) in the documentation. Instead I followed this procedure to recalibrate the FCB1010 expression pedals. With recalibration done, I turned the FCB1010 power off and on, restarted MainStage just for good measure, and found that MainStage had no trouble learning the settings.

OpenDJ: CentOS, Kerberos, JCE

Perhaps this is not news to you, but if you want to set up OpenDJ & Kerberos on CentOS 6, then you need to get the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files as described in the example now posted on ForgeRock's OpenDJ wiki.

It was news to me. Until I turned on OpenDJ debug logging, it was also very confidential news. I could see the GSSAPI SASL mechanism load correctly on OpenDJ startup, but the errors when I attempted to authenticate through to Kerberos were too subtle.

18:22:06.660 protocol verbose LDAPMessage(msgID=1, protocolOp=BindResponse(resultCode=49))
18:22:06.662 caught error caught={org.opends.server.tools.ClientException: An error occurred while attempting to perform GSSAPI authentication to the Directory Server: PrivilegedActionException(AccessController.java:-2)}
18:22:06.662 caught error caught={org.opends.server.tools.LDAPConnectionException: An error occurred while attempting to perform GSSAPI authentication to the Directory Server: PrivilegedActionException(AccessController.java:-2)}
An error occurred while attempting to perform GSSAPI authentication to the Directory Server: PrivilegedActionException(AccessController.java:-2)
Result Code:  82 (Local Error)

Matt suggested turning on debug logging.

$ dsconfig set-log-publisher-prop \
 -p 4444 -h `hostname` \
 -D "cn=Directory Manager" -w password \
 --publisher-name "File-Based Debug Logger" \
 --set enabled:true \
 --set log-file:/path/to/OpenDJ/logs/debug -X -n

After that, I saw this in the OpenDJ debug log.

[15/Aug/2011:18:46:35 +0200] 0 caught error thread={Worker Thread 19(70)} threadDetail={parentThread=main(1) isDaemon=false clientConnection=LDAP client connection from to operation=BindOperation(connID=0, opID=0, protocol="LDAP 3, dn=, authType=SASL) } method={run(SASLContext.java:809)} caught={javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)]}

Armed with that information, I noticed the Kerberos KDC conf file had this line.

supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal

In other words, Sun/Oracle Java and Kerberos on CentOS 6 do not seem to agree out of the box about the encryption strength to use. Once I installed Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files, OpenDJ and Kerberos started working together nicely.
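
To see which of the KDC's enctypes the running JVM can actually use, the following check (an added example, not from the original post or from OpenDJ) maps each supported_enctypes entry to a JCE algorithm and key size and compares it with Cipher.getMaxAllowedKeyLength. The class name EnctypePolicyCheck and the enctype-to-algorithm table are assumptions made for illustration.

```java
import java.security.NoSuchAlgorithmException;
import javax.crypto.Cipher;

public class EnctypePolicyCheck {
    // The supported_enctypes value quoted above, used as the default input.
    static final String SUPPORTED = "aes256-cts:normal aes128-cts:normal "
        + "des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal "
        + "des-cbc-md5:normal des-cbc-crc:normal";

    // Map a Kerberos enctype name to {JCE algorithm, key size in bits}.
    // This table is an assumption of the example, not read from the KDC.
    static String[] jceFor(String enctype) {
        if (enctype.startsWith("aes256")) return new String[] {"AES", "256"};
        if (enctype.startsWith("aes128")) return new String[] {"AES", "128"};
        if (enctype.startsWith("des3")) return new String[] {"DESede", "168"};
        if (enctype.startsWith("arcfour")) return new String[] {"RC4", "128"};
        if (enctype.startsWith("des-")) return new String[] {"DES", "56"};
        return null; // not covered by this check
    }

    // True when the installed jurisdiction policy permits the key size.
    static boolean allowed(String algorithm, int bits)
            throws NoSuchAlgorithmException {
        return bits <= Cipher.getMaxAllowedKeyLength(algorithm);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        String line = args.length > 0 ? args[0] : SUPPORTED;
        int blocked = 0;
        for (String entry : line.trim().split("\\s+")) {
            String enctype = entry.split(":")[0]; // drop the ":normal" salt type
            String[] jce = jceFor(enctype);
            if (jce == null) {
                System.out.printf("%-16s skipped (unknown enctype)%n", enctype);
                continue;
            }
            int bits = Integer.parseInt(jce[1]);
            boolean ok = allowed(jce[0], bits);
            if (!ok) blocked++;
            System.out.printf("%-16s %s/%d  %s%n", enctype, jce[0], bits,
                ok ? "usable" : "BLOCKED by JCE policy");
        }
        System.exit(blocked == 0 ? 0 : 1); // non-zero when any enctype is blocked
    }
}
```

Run it with the same Java installation that runs OpenDJ; with the default limited policy files only the aes256-cts line is reported as blocked.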

OpenAM: Getting started

OpenAM lets you protect your application, adding authentication and authorization. When you protect a web application running in a supported web server, for example, you can set everything up without actually touching your application. Okay, we gulped the marketing Kool-Aid. We can even install OpenAM. But how does one get started protecting a web site?

It turns out that Sam Drew wrote a short, sweet tutorial on how to get started with OpenAM that he called, Add Authentication to a Website using OpenAM. He tells me he did it after coming to ForgeRock when he was first learning about OpenAM. As you follow along, you see the pieces of the OpenAM puzzle coming together clearly: core OpenAM services connected to an OpenDJ identity store to hold user data; an agent installed as an Apache web server plugin to manage the connection with core OpenAM services, and to manage the redirections to login and logout pages; access policy configured in OpenAM to allow users to access URLs on Apache when they have authenticated to OpenAM.

In order to complete the tutorial, you need to be able to configure your network with a couple of hosts, and potentially set up Apache web server. I only have one physical system here (this laptop), so I tried it with a couple of VirtualBox guests running on a host-only network, all hosts sharing their names and IP addresses through /etc/hosts entries. Nice work, Sam.

EPUB layout for screen and programlisting

When deciding on formats for ForgeRock documentation, I figured we needed at least both online and also printable docs. Printed documentation can be used to cure insomnia and start fires, and it can also be used when configuring a system not yet on the network, or recovering when systems are down.

Trouble is, printed documentation can be a pain in the lower back. I recall reaching the 5000 page mark for Sun Directory Server documentation at one stage of review before we released version 6. Although we dropped some documentation, reducing the burden before release, that’s way too much paper to carry around. And that was just one doc set for one product. So when I saw DocBook support for EPUB, it seemed like a good compromise.

The part of the compromise that I have not worked out yet is layout for <programlisting> and especially <screen>. If you have an electronic book reader, or even the plugin for Firefox, and have taken a look at the EPUB documentation as it is currently styled, then you have seen one of the big problems with EPUB layout for technical documentation: on a normally sized monospace font, you have far fewer than 80 columns. Yesterday I got to have a look on a Kindle after converting .epub to .mobi. I counted 38 characters before lines wrapped. (Wrapping at something other than space is also a problem.) This was with a 9 pt monospace font.

Making these blocks as wide as the whole page despite the context is perhaps a way of limiting the mess. Letting readers show the doc in landscape instead of portrait could be another workaround. If you have found a good solution, though, one that preserves the indent in procedures and also works with the HTML and printable docs, I would like to know about what you have done.