July 20th, 2009
Any readers out there who know what options exist for a 5 hr layover in Amsterdam? This is before an international flight, so it’s not like I have 5 actual hours to play with. A (not this) Friday morning.
Wikipedia claims it’s a 20 minute trip into the city, which suggests that some minimal tourism should be possible…
May 27th, 2009
Here’s the configuration I’ve been working on: control access to Apache webserver by checking (over LDAP) against our existing user database, held in an OS X Open Directory. It’s taken me more casting about than I’d expected, but it looks like I’m finally there.
In the beginning, I got a little confused by the HTTP auth options. I’d been hoping to use Digest mode, but a comment on this post points out the logical problem with that: Digest doesn’t involve the password making its way to Apache, so there’s no way for it to pass the password along over LDAP.
BTW this is under Tiger (OS X 10.4) — I’m not sure if anything changes with other versions of OS X.
Once I figured out that I did need to use Basic auth, Production Monkeys got me most of the way with my Apache config. What I missed is that, at least with our OD configuration, it’s necessary to include the server name in the dc list. Here’s what worked for me:
<Location "/somewhere">
    AuthType Basic
    AuthName "Whatever You Call This Auth"
    Require valid-user
    AuthBasicProvider ldap
    AuthLDAPURL ldap://servername.yourdomain.org/cn=users,dc=servername,dc=yourdomain,dc=org?uid
    AuthzLDAPAuthoritative off
</Location>
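The Basic-versus-Digest point above, as an added Python example that is not from the original post: with Basic the server can decode the header back into the password and hand it to an LDAP simple bind, while a Digest response is only a one-way hash over it. The user, password and nonce are constructed sample values; the realm and path reuse the config above.

```python
import base64
import hashlib

# Constructed sample values (not from the original post).
USER, PASSWORD, REALM = "alice", "s3cret", "Whatever You Call This Auth"
NONCE, METHOD, URI = "dcd98b7102dd2f0e", "GET", "/somewhere"


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def basic_header(user, password):
    """Authorization header value a browser sends for AuthType Basic."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def credentials_from_basic(header):
    """What the server recovers: the cleartext pair, usable for an LDAP simple bind."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    decoded = base64.b64decode(token, validate=True).decode()
    user, sep, password = decoded.partition(":")  # password may itself contain ':'
    if not sep:
        raise ValueError("malformed Basic credentials")
    return user, password


def digest_response(user, password, realm, nonce, method, uri):
    """RFC 2617 Digest response (no qop): a one-way hash over the password."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def server_can_verify_digest(response, stored_secret, user, realm, nonce, method, uri):
    """To check a Digest response the server must already hold the password (or HA1)."""
    return response == digest_response(user, stored_secret, realm, nonce, method, uri)


if __name__ == "__main__":
    hdr = basic_header(USER, PASSWORD)
    print("Basic  ->", credentials_from_basic(hdr))   # password available to forward
    resp = digest_response(USER, PASSWORD, REALM, NONCE, METHOD, URI)
    print("Digest ->", resp)                           # only a hash; nothing to bind with
```

Because Basic exposes the password to anything on the path, this Location should only be reachable over HTTPS, and the ldap:// hop to the directory is likewise cleartext unless it runs over LDAPS or StartTLS.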
May 1st, 2009
One of the first things that struck me about the IT systems at my current gig is that there are a bunch of different, unsynchronized authentication systems. In other words, to add a new user, you go to a handful of different admin interfaces and type in the same username and password for that person.
Being a programmer, this kind of duplication smells bad to me, so I dug around for possible solutions. One of the systems happens to be Apple’s Open Directory, which speaks LDAP — seemed like the obvious integration point. However, it turned out that none of our other systems was predisposed to pulling in the auth info over LDAP. Since I only have a few dozen users to support, I filed the whole thing deep on my todo list and basically forgot about it.
Now, however, I’m starting to roll out new services, which are mostly web-based. Being loath to make the dup auth situation worse, I gave some more thought to this issue, and realized that OpenID might be a good solution. Off I went in search of an in-house OpenID server to store my user data. (There is a tool for OpenID-enabling your LDAP server, but reading about implementing it makes my head hurt.)
Surprisingly, there don’t seem to be a huge amount of people running their own organization-level OpenID providers. After digging around for a while, I ended up at a page on the openid.net wiki, which does list a number of projects that enable you to run your own OpenID provider. Most of them look a bit half-baked or abandoned, but two appear to be alive and potentially appropriate for my needs: clamshell and community-ID.
Next steps, then, are to install one or both & see how it goes.
April 29th, 2009
Having a few accounts at slicehost has sold me on the potential of server virtualization. Faced with the need to build a new in-house server on some older hardware, I figured it’d be worth taking a look at setting the new server up as a virtual host. Even though I only need one linux server today, it’d be nice to easily migrate sets of services on/off it in the future, jump onto new hardware without doing a whole reinstall, etc.
I like ubuntu, so that’s where I started looking for the host OS. Being on the client end of Xen via slicehost has been smooth, but there are also other virtualization options pushed in the Ubuntu docs, including at least VMware and KVM, so I’ve spent a little time looking into them. I’m a bit of a Free Software snob, so VMware was off the list. KVM requires one of a small set of recent processors to run — the CPU of the server in question is on that list, so KVM remained an option.
Due to previous experience, though, I started looking at Xen first, only to find that Ubuntu isn’t and won’t be supporting Xen from the current release onwards. Wondering why that would be, I came to the following debate, and became thoroughly confused.
After getting this far into the process, I revisited my reasons for looking into virtualization in the first place, and came to the conclusion that my relatively simple needs don’t justify the time to wade through the options.
April 22nd, 2009
In a word, no.
However, old-skool readers [1], you can still rejoice: the slagwerks blog homepage has a new feature that will help you answer this question any time you like. In honor of Earth Day 2009, you can now see at the above URL a shiny JPG depicting the latest CO2 levels recorded by NOAA’s lab at the Mauna Loa Observatory in Hawaii.
To celebrate, here’s the mega version.

[1] old-skool — reading this via a web browser rather than some sort of feed reader
April 2nd, 2009
Faced with a big site full of URLs like http://mysite.com/Internal1.asp?id=357 to mirror & archive, I recently tried out a new (to me) tool, HTTrack. I’ve fiddled with wget for this sort of job in the past, but it always takes me ages of man-page reading to get my options right, and even then not everything seems to work out.
This time around, for example, I’d convinced myself that wget -r -N -l inf --no-remove-listing -E -k -p http://mysite.com would do the trick. It mostly did, except for seemingly random pages that didn’t get all of their links converted.
HTTrack, on the other hand, did The Right Thing without any switches or arguments whatsoever. It was a bit more of a pain to get running; even though it’s in macports, right now the port is lagging behind the available versions, so I had to actually type ./configure and ./make myself. Well worth it for a usable mirror.
February 11th, 2009
The Soekris I installed a few months ago has been working well, so I’m setting up a second for another location. Mostly setting it up the same as before, and collected the following notes along the way.
- I’d forgotten how to figure out the Soekris’ MAC address, which is needed for the DHCP server config. Turns out it’s shown when you tell the soekris to try netbooting via boot f0.
- The ubuntu (& presumably debian) tftpd configures itself without the -s flag, which allows pxeboot’s requests for files like /bsd to be found in the /srv/tftp/ directory
- Despite rediscovering the above, I ended up reinstalling onsite from my macbook. Got most of the way thanks to tftpd tips here and the ISC dhcp server from MacPorts. However, as launchd was involved, there was much unhappiness getting tftpd to actually serve the files in question. Had just about thrown up my hands when I figured out that the -s flag actually works the same as it does in debian, not the way the OS X manpage says it does.
- After close to 10 years of being confused about why OpenBSD’s installer often pukes when trying to use a local ftp or http connection, I finally thought to look at my local webserver’s access log, and saw that the installer was trying to get an index.txt file. Creating one with the name of the relevant files did the trick.
- I thought to plug the Soekris into a Kill a Watt while installing, and never saw a draw of over 4 watts while formatting the CF, copying over the install set, or writing the files. Not bad! Idles at 2 watts.
Rather than taking Michiel’s exact approach with the memory filesystem, I decided I’d use the memoryfs for the commonly-changed files, but leave the root writeable, which has the benefit of allowing ports to be installed and configuration changes to be made on the fly.
January 29th, 2009
Am I crazy, or does Michael Franti’s song Hello Bonjour have a reggaeton beat? The drum sounds are a bit different than we’re used to from hanging out in Hyde Square, but I think that’s still it. Yes? No?
December 24th, 2008
In short, I’m happy to report that passenger a.k.a. mod_rails is awesome. I see no need to fiddle with mongrel, mongrel_cluster & mod_proxy for future rails apps.
Miscellaneous notes from the project:
- My environment is now ubuntu server 8.04, on slicehost. This project finally prompted me to upgrade from 7.10, which went very smoothly — the long-term support releases of Ubuntu seem like the way to go for most server situations.
- How to handle the apache config? We have some php stuff running on this server, too, so the 3rd party ubuntu passenger package, which wants to use the worker mpm, isn’t the hot ticket. No problem, passenger’s default gem-based install is smooth as butter.
This configuration also seems to require RailsAutoDetect off, which had the side benefit of letting me leave an existing mongrel-using configuration alone until I had a few minutes hours to upgrade it to rails 2.2.2, then switch it over to git & passenger.
- Slicehost has decent docs for this, in particular ubuntu-hardy-mod_rails-installation and ubuntu-hardy-using-mod_rails-to-serve-your-application & its comments.
- Capistrano mods for passenger
- This was also my first git-powered rails app, which proved a little challenging to get going with cap, but has turned out really nicely. Very fast deployments.
Along the way, having a plugin as a git submodule proved to be more trouble than it was worth, though I’m not sure if that’d apply to my final configuration, which involves checking the project out from the same server as it’s deployed on, using the :local_repository argument to capistrano.
- This project helped me realize that having a deployed app as a public github project is more trouble than it’s worth, what with the various configuration informations that I’d rather have under SCM but don’t want to share.
December 4th, 2008
I’ve used technoweenie’s handy us_state_select rails plugin in past projects. Just tried it out on a new rails 2.2 project & found out that the call to InstanceTag needed to be updated, and since technoweenie’s SVN version of the plugin seems moribund, I thought I’d take 30 extra seconds to put it up on github. Fork away!
P.S. github is way cool.