Solaris, LDAP, and you (part 1)

I’ve been fighting this for ages, and finally got something to start working today. Here’s what I did.

First, I gave up on Sun’s LDAP server. It’s a huge thing, quite possibly great for large-scale implementations, but we just want to authenticate ~100 users across ~100 hosts.

So I installed OpenLDAP, followed the stuff in the Quick Start guide to get a basic top-level thing going, and then created appropriate OUs for users and groups, e.g.:


dn: ou=People,dc=example,dc=com
objectclass: organizationalUnit
ou: People

You need to load the cosine, inetorgperson, and nis schemas if you want to do account-fu (nis supplies posixAccount and shadowAccount and depends on cosine). Here’s an example account:


dn: uid=someuser,ou=People,dc=example,dc=com
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
uid: someuser
uidNumber: 5226
gecos: Some User
homeDirectory: /home/someuser
loginShell: /bin/bash
cn: Some User
sn: User
userPassword:: crypted-password
gidNumber: 603
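An added example (mine, not code from the post) of producing that entry with a properly hashed password. The post’s userPassword:: crypted-password uses LDIF’s double-colon form, which means the value that follows is base64-encoded; what is inside must be something the server can verify a bind against, such as a {CRYPT} or {SSHA} hash, never the cleartext. The code builds an OpenLDAP-style {SSHA} value (SHA-1 over password and salt, the same layout slappasswd -h {SSHA} emits), renders the entry following RFC 2849’s base64 rules, and includes the server-side verification so you can confirm the hash checks out before loading it. The user, numbers and password are constructed.

```python
import base64
import hashlib
import os


def ssha_hash(password, salt=None):
    """Return an OpenLDAP-style {SSHA} value, as slappasswd -h {SSHA} does:
    base64( SHA1(password || salt) || salt ). A random 8-byte salt is drawn
    unless one is passed in (a fixed salt is only useful for tests)."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored, password):
    """The check the directory server performs on a simple bind: split the
    stored value into the 20-byte SHA-1 digest and the trailing salt, rehash
    the candidate with that salt and compare."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def _ldif_safe(value):
    """RFC 2849: a value may follow a single colon only if it is printable
    ASCII, does not start with space, ':' or '<', and (the RFC's notes
    recommend) does not end in a space. Anything else is base64-encoded."""
    if not value:
        return True
    if value[0] in " :<" or value[-1] == " ":
        return False
    return all(32 <= ord(c) < 127 for c in value)


def ldif_entry(dn, attrs, always_b64=("userPassword",)):
    """Render one entry. attrs is a list of (name, value) pairs so repeated
    attributes such as objectClass keep their order. Values that are not
    LDIF-safe, plus any attribute named in always_b64, use the 'name:: b64'
    form the post uses for userPassword."""
    lines = ["dn: " + dn]
    for name, value in attrs:
        if name in always_b64 or not _ldif_safe(value):
            encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
            lines.append("%s:: %s" % (name, encoded))
        else:
            lines.append("%s: %s" % (name, value))
    return "\n".join(lines) + "\n"


def posix_account(uid, uid_number, gid_number, full_name, surname, password,
                  base="ou=People,dc=example,dc=com"):
    """The post's account entry (person + posixAccount + shadowAccount, which
    the nis and cosine schemas supply) with a hashed userPassword."""
    attrs = [
        ("objectClass", "person"),
        ("objectClass", "posixAccount"),
        ("objectClass", "shadowAccount"),
        ("uid", uid),
        ("uidNumber", str(uid_number)),
        ("gidNumber", str(gid_number)),
        ("cn", full_name),
        ("sn", surname),
        ("gecos", full_name),
        ("homeDirectory", "/home/" + uid),
        ("loginShell", "/bin/bash"),
        ("userPassword", ssha_hash(password)),  # never the cleartext
    ]
    return ldif_entry("uid=%s,%s" % (uid, base), attrs)


def password_from_ldif(entry):
    """Read the userPassword value back out of rendered LDIF (undoing the
    base64 form) so it can be checked before the entry is loaded."""
    for line in entry.splitlines():
        if line.startswith("userPassword:: "):
            return base64.b64decode(line.split(" ", 1)[1]).decode("utf-8")
        if line.startswith("userPassword: "):
            return line.split(" ", 1)[1]
    return None


if __name__ == "__main__":
    # Constructed sample user; the password is made up.
    entry = posix_account("someuser", 5226, 603, "Some User", "User", "s3cret")
    print(entry)
    assert ssha_verify(password_from_ldif(entry), "s3cret")
```

Feed the output to ldapadd as usual. A {SSHA} value is printable ASCII, so the single-colon form would also be legal; the double colon is used here only to match the post. {CRYPT} works the same way if your OpenLDAP build has it enabled, and either way the server, not the client, does the comparison when pam_ldap binds as the user.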

It’s helpful to have at least one user in the thing before you start fiddling with clients, as then you can tell it’s working.

Finally, you need an identity for the Solaris client itself to bind as (the proxy DN it uses for lookups; give it read access to the People subtree and nothing more):

dn: ou=LDAPusers,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: LDAPusers

And:

dn: cn=solaris,ou=LDAPusers,dc=example,dc=com
objectClass: top
objectClass: person
cn: solaris
sn: LDAP User
userPassword:: somecrypt

Now it’s time to fiddle with the client.

First, ignore Sun’s documentation. The absolute dead-easiest way to make this work is to ensure that the LDAP cache manager (ldap_cachemgr) is off and then frob the config files by hand. They should look a bit like this:


# /var/ldap/ldap_client_file
NS_LDAP_FILE_VERSION= 1.0
NS_LDAP_SERVERS= 10.132.3.149:389
NS_LDAP_SEARCH_BASEDN= dc=example,dc=com
NS_LDAP_AUTH= NS_LDAP_AUTH_SIMPLE
NS_LDAP_SEARCH_REF= NS_LDAP_FOLLOWREF
NS_LDAP_DOMAIN= example.com
NS_LDAP_SEARCH_DN= passwd:(ou=People,dc=example,dc=com)
NS_LDAP_SEARCH_DN= shadow:(ou=People,dc=example,dc=com)
NS_LDAP_SEARCH_SCOPE= NS_LDAP_SCOPE_SUBTREE
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_CACHETTL= 3600


# /var/ldap/ldap_client_cred
NS_LDAP_BINDDN= cn=solaris,ou=ldapusers,dc=example,dc=com
NS_LDAP_BINDPASSWD= {NS1}somecrypt
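An added script (mine, not from the post) that reads the two client files above, in the 1.0 format shown, and reports the settings a security review would flag. The sample contents are constructed copies of the post’s files, with its placeholder server address and a made-up password value; the ldap_client_cred permission check is exercised against a temporary file rather than /var/ldap.

```python
import os
import stat
import tempfile

# Constructed copies of the post's /var/ldap/ldap_client_file and
# ldap_client_cred (version 1.0 format); the server address is the post's
# placeholder and the password value is made up.
SAMPLE_CLIENT_FILE = """\
NS_LDAP_FILE_VERSION= 1.0
NS_LDAP_SERVERS= 10.132.3.149:389
NS_LDAP_SEARCH_BASEDN= dc=example,dc=com
NS_LDAP_AUTH= NS_LDAP_AUTH_SIMPLE
NS_LDAP_SEARCH_REF= NS_LDAP_FOLLOWREF
NS_LDAP_DOMAIN= example.com
NS_LDAP_SEARCH_DN= passwd:(ou=People,dc=example,dc=com)
NS_LDAP_SEARCH_DN= shadow:(ou=People,dc=example,dc=com)
NS_LDAP_SEARCH_SCOPE= NS_LDAP_SCOPE_SUBTREE
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_CACHETTL= 3600
"""

SAMPLE_CRED_FILE = """\
NS_LDAP_BINDDN= cn=solaris,ou=ldapusers,dc=example,dc=com
NS_LDAP_BINDPASSWD= {NS1}somecrypt
"""

SIMPLE_BIND = ("ns_ldap_auth_simple", "simple")  # 1.0 and 2.0 spellings


def parse_ns_ldap(text):
    """Parse 'KEY= value' lines into {key: [values]}; keys such as
    NS_LDAP_SEARCH_DN legitimately repeat, so every value is kept."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf.setdefault(key.strip(), []).append(value.strip())
    return conf


def audit_client_file(text):
    """Return (severity, message) findings for an ldap_client_file."""
    conf = parse_ns_ldap(text)
    findings = []
    auth = [a.lower() for a in conf.get("NS_LDAP_AUTH", [])]
    if not auth:
        findings.append(("warn", "NS_LDAP_AUTH is not set"))
    if any(a in SIMPLE_BIND for a in auth):
        findings.append(("high", "simple bind without TLS: the proxy password, and "
                         "every user password pam_ldap binds with, cross the "
                         "network in cleartext"))
    if auth and not any("tls" in a for a in auth):
        findings.append(("high", "no TLS: passwd/shadow lookups, including the "
                         "password hashes the shadow map returns, are readable "
                         "on the wire"))
    refs = [r.lower() for r in conf.get("NS_LDAP_SEARCH_REF", [])]
    if "ns_ldap_followref" in refs or "true" in refs:
        findings.append(("info", "referrals are followed: the directory can redirect "
                         "the client, and its bind, to another server"))
    return findings


def audit_cred_file(path):
    """ldap_client_cred holds the proxy bind DN and password. The {NS1} form is
    an obfuscation the client has to reverse in order to bind, not a hash, so
    the file must not be readable by anyone but root."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(("high", "%s is mode %04o: group/other can read the "
                         "reversible {NS1} bind password" % (path, mode)))
    with open(path) as fh:
        conf = parse_ns_ldap(fh.read())
    for pw in conf.get("NS_LDAP_BINDPASSWD", []):
        if not pw.startswith("{NS1}"):
            findings.append(("warn", "NS_LDAP_BINDPASSWD is not in {NS1} form"))
    return findings


def demo():
    """Write the constructed cred file to a temp dir with a lax mode, audit it,
    fix the mode, audit again; returns both finding lists."""
    path = os.path.join(tempfile.mkdtemp(), "ldap_client_cred")
    with open(path, "w") as fh:
        fh.write(SAMPLE_CRED_FILE)
    os.chmod(path, 0o644)
    lax = audit_cred_file(path)
    os.chmod(path, 0o600)
    fixed = audit_cred_file(path)
    return lax, fixed


if __name__ == "__main__":
    for sev, msg in audit_client_file(SAMPLE_CLIENT_FILE):
        print("[%s] %s" % (sev, msg))
    lax, fixed = demo()
    print("cred file at 0644:", [m for _, m in lax])
    print("cred file at 0600:", [m for _, m in fixed])
```

Point audit_client_file at the real /var/ldap/ldap_client_file contents and audit_cred_file at /var/ldap/ldap_client_cred to check a host you have just hand-configured; the two “high” findings for the post’s settings are exactly the ones to clear before these files go onto a hundred hosts.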

One thing to be aware of before going further: NS_LDAP_AUTH_SIMPLE is a plain simple bind over port 389, so the proxy password from ldap_client_cred crosses the network in cleartext every time the client binds, and once pam_ldap is in the stack so does every user’s login password. On anything other than a trusted network use one of the TLS-based authentication methods instead. Keep ldap_client_cred readable by root only as well: the {NS1} value is obfuscated, not hashed, since the client has to recover the cleartext to bind.

Now you can change nsswitch.conf’s passwd line to look like this:

passwd: files ldap

Kick nscd (svcadm restart name-service-cache) and you should start seeing LDAP content show up, e.g.:


# listusers
someuser Some User
...

If things are working this far, you can try making the accounts active for login. Edit pam.conf: where you see a line with required pam_unix_auth.so.1, change it to binding pam_unix_auth.so.1 server_policy, and add a line of the form required pam_ldap.so.1 immediately after.
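The edit described above, written out for one stanza as an added example (not copied from the post). The “before” lines are the stock Solaris 10 other auth stanza; the release is an assumption, since the post doesn’t name it, though the svcadm usage above fits Solaris 10.

```text
# /etc/pam.conf, "other" auth stack, before:
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth required           pam_unix_auth.so.1

# after:
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth binding            pam_unix_auth.so.1 server_policy
other   auth required           pam_ldap.so.1
```

The binding control flag means a success from pam_unix_auth (a user whose password checks against files) ends the stack right there without consulting pam_ldap, while a failure is recorded and the stack continues. server_policy tells pam_unix_auth not to apply local UNIX password checking to users whose account authority is a server, so LDAP users fall through to pam_ldap, which authenticates them by binding to the directory as the user with the password they typed. Make the same change in every service stanza that lists pam_unix_auth.so.1 (login, passwd, and so on), or LDAP users will be able to log in through some services and not others.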

This got me to the point of being able to log in to the host with LDAP-based accounts, though it is far from being a complete picture. You should also be able to use ldapaddent to inject data, though if you try anything but the passwd or group map you’ll find you need to create the top-level container in the directory first.


Back on Windows

Horror of horrors, I’ve wound up having to run Windows again at home and work.

For work it’s because I’m now ClearCase-boy, which means supporting developers who are running the Windows client. Plus I pretty much have to use Outlook, as the Linux speakers-to-Exchange are all less than ideal. Having two different environments with incompatible clipboards was driving me nuts.

At home it’s entirely down to World of Warcraft, or more to the point the crappy way it’s been interacting with sound on Linux. I’ve tried everything I can think of and while the stuttering can be kept to a minimum it can’t be eliminated.

As most of my work — at home and the office — is done inside web browsers and terminal sessions the underlying OS isn’t a huge deal. My partner continues to be happily running Gutsy on her desktop, and if I were also deaf I most probably would be too.


Swings and roundabouts

Since we bought a new PC for my partner a month or so ago I’ve been meaning to move the disk from the house “server” (an old Shuttle box with a 1.6GHz Celeron and 256MB of RAM) into her old desktop so we can do more with the server and maybe recycle the Shuttle as a media PC.

Finally got around to it today, only to discover that one part or another of her old machine has given up and now it won’t power on.

No idea what’s buggered, but after fiddling around and making sure everything was still connected correctly I was ready to give up. Then I remembered the machine I used to use as a PVR. It’s a 1.4GHz Athlon with 256MB of RAM, but I hadn’t been using it for anything as it didn’t have a NIC and I hadn’t been sufficiently bothered to buy one. The ex-desktop has an Intel EEPro in it…

So now the old Athlon is happily running as house server and the other machines are in parts all over the floor. Better clean that up. Now thinking about maybe buying more RAM for the Athlon (PC133 is expensive!) and a proper disk cooling tray to keep things humming along.

The irony is that I’m thinking that the iMac downstairs would make a better media machine if I can convince Front Row to run and operate in widescreen over S-video. Just not keen to spend $150 on Leopard to then find out it still won’t do widescreen.


On a stupider note

Today the ALP announced a big push on IT in schools, but is there any sign of this on their websites? Nope.

(That they have several is also confusingly stupid.)

Yesterday the Liberal Party announced 9 frigging billion dollars of pork. They do have the PM’s speech transcript online, but no further detail than that.

Ludicrous. Anyone’d think they don’t want the general public to have more than the soundbites.


New kid on the ebook block

Dymocks have announced today that they will start selling ebooks. Purchases are online for now, but they’ll start selling in-store as a “dump to memory card” deal fairly soon and they’re also talking up on-demand print.

Formats are Mobipocket, Adobe Reader, and Microsoft Reader. It looks like the Adobe versions are DRM-free.

Prices are ~30% lower than physical books.

They’ve also announced they’re now selling audiobooks online, but this is basically just a rebranding of Audible. Presumably the value-add here is the in-store marketing, something Audible can’t really do itself.

(Note for the non-Australians: Dymocks is one of the big book-store chains here. Unlike some I’ll refrain from naming they also have a pretty decent reputation.)


More on mobiles

It has occurred to me that part of the cause of my worry about going to new places by public transport is that with my lousy vision it’s fairly easy to get lost in an unfamiliar area, and it’s difficult to tell when the appropriate stop has been reached.

I then recalled reading on VIP-L about people using GPS-enabled phones with some software to tell them when they’re approaching their destination. So I’ve done some digging and some reading and have some ideas forming…

The first thing is that I need a Series 60 phone to try anything at all. Preferably one with a built-in GPS. As it happens, Nokia has recently released the N95 8GB, a revision of the original N95 with a better battery, more memory, more storage, and tweaked software. And of course the original N95 has GPS, as does the new one…

That plus Loadstone GPS may well be enough. I’d have to figure out the co-ordinates for places I wanted to go well in advance — it looks like Loadstone doesn’t have mapping data for Australia at the moment — but that’d do for warning me when I’m approaching a particular tram stop, for example.

The other thing I think may be worth my while to poke at is Talks. I can barely read the average mobile display but it’s a strain and I can’t do it very much. Talks (again requires Series 60) may well make things simpler, though at ~AU$300 for a license it’s not cheap. At least there’s a trial version.

Unfortunately one can’t simply borrow an N95 and see how these things go before investing the considerable amount of money involved — I am not interested in being tied to another contract if I can help it. They sell for around AU$900. I could probably do the salary-sacrifice dance though to reduce the cost.

Hm. Maybe. Clearly needs more thought.


“Enterprise” software support

One of the things I really hate about most “enterprise” software is that there is very little by way of useful online community resources. Having a problem with ClearCase? What’s Up Gold? CA eTrust Directory? You’re pretty much stuck dealing with the vendor support department, and they are generally not very helpful.

Is there some great site out there I’m missing where sysadmin types discuss the problems they’re having with this sort of software? Because while a lot of what you’ll find searching for answers to OSS problems is people asking exactly the same question and getting no answers, at least there’s some chance of finding an answer or a clue that’ll put you on the right trail.
