The Briar Patch

w32 time finally fixed

2007-11-09T09:42:00.000-08:00

for years, our computer clocks have been off. everytime i sat down for a 20 minute shot to try and get it working, it always failed. finally found a site that walked through the process and it finally works!

http://www.anotherurl.com/library/network_time.htm

snip:
Setting the time automatically is just so simple™. Run this ruin:
net time /setsntp:"ntp2a.mcc.ac.uk ntp2b.mcc.ac.uk"

Port 123 must be open
So how DO you know it's all working?

turn off the time service
net stop w32time

set the time out by 10 minutes
C:\>time
The current time is: 15:54:45.17
Enter the new time: 16:04

check it
C:\>time
The current time is: 16:04:43.35
Enter the new time:

type:

C:\>w32tm -once

.....

W32Time: *****SetSystemTime()*****
W32Time: END Line 1258
W32Time: Time was 06min 08.201s
W32Time: Time is 57min 08.431s
W32Time: Error 539770ms
W32Time: BEGIN:CheckLeapFlag
W32Time: END:Line 584
W32Time: BEGIN:ComputePostTimeData
W32Time: BEGIN:ComputeInterval
W32Time: END Line 2452
W32Time: BEGIN:ComputeSleepStuff
W32Time: Computed stagger is 0ms, bias is 0ms
W32Time: Time until next sync - 2699.960s
W32Time: END:Line 794
W32Time: END:Line 220
W32Time: END:Line 195
W32Time: BEGIN:TermTime
W32Time: TimeMMCleanup()
W32Time: BEGIN:FinishCleanup
W32Time: BEGIN:TsUpTheThread
W32Time: END Line 1385
W32Time: Time service stopped.
W32Time: END:Line 407

now check the time, and restart the service

C:\>time
The current time is: 15:58:39.37
Enter the new time:

C:\>net start w32time

The Windows Time service was started successfully.

Finally make sure the time service starts automatically.

From the client machines on the domain type w32tm /resync

xp machine not able to access w2k domain

2007-11-09T07:29:00.000-08:00

this is a sporadic problem on our w2k domain.

i have a new xp laptop that can join the domain, login to the machine on the domain with access privileges, and ping the domain name. it cannot however access or ping any of the hosts no the network - even the domain controller.

following the script here:
http://support.microsoft.com/default.aspx?scid=kb;en-us;314861

trying:
nltest /dsgetdc:domain
works fine

trying:
nslookup server_name.child_of_root_domain.root_domain.com
fails
*** can't find server name for address 192...[dc ip]: non-existent domain
*** default servers are not available.
http://support.microsoft.com/kb/200525
This error occurs when there is no PTR record for the name server's IP address. When Nslookup.exe starts, it does a reverse lookup to get the name of the default server. If no PTR data exists, this error message is returned. To correct make sure that a reverse lookup zone exists and contains PTR records for the name servers.

For additional information, see the following article or articles in the Microsoft Knowledge Base:
172953 (http://support.microsoft.com/kb/172953/EN-US/) How to Install and Configure Microsoft DNS Server
did this but still get the nslookup issue and still unable to ping anybody

trying:
ipconfig /registerdns
that worked finally!!!!

Drupal cron job setups on SiteGround

2007-09-08T14:18:00.000-07:00

The purpose of this post is to save failed attempts at getting this working.

ATTEMPT 1a/1b
/usr/local/bin/php /home/username/public_html/cron.php
/usr/bin/php /home/username/public_html/cron.php

both result in this error:
Warning: main(./includes/bootstrap.inc): failed to open stream: No such file or directory in /home/username/public_html/cron.php on line 9

Warning: main(): Failed opening './includes/bootstrap.inc' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/username/public_html/cron.php on line 9

Fatal error: Call to undefined function drupal_bootstrap() in /home/username/public_html/cron.php on line 10

This post indicates you can't get to it via command line php and says to go wget route:
http://drupal.org/node/153247

ATTEMPT 2 - WGET
wget -O - -q http://www.mydomain.net/cron.php
/usr/bin/wget -O - -q http://www..com/cron.php -U "Mozilla/4.0"

neither appeared to run - they did not send a notification either

this one works for me:
wget -O - http://www.mydomain.net/cron.php

OpenID for Drupal and .NET

2007-08-08T18:04:00.000-07:00

Having serious doubts about the LDAP direction. Doing some research/play with openid found this guy who built a drupal module support for it:

http://www.jirwin.net/
http://jirwin.net/openid-5-2.tar.gz - it is not yet ready for drupal 5.

duh - i finally found it. its not listed among the modules for some reason:

http://drupal.org/project/openid

the old version was crashing drupal, so i needed to disable it by hand in phpmyadmin

UPDATE system set status = 0 WHERE name = [module name];

.net

http://www.openidenabled.com/openid/libraries/csharp

http://cs.nerdbank.net/blogs/jmpinline/archive/2007/01/09/Getting-OpenID-user-profile-information-using-JanRain_2700_s-.NET-assembly.aspx

http://lists.openidenabled.com/mailman/listinfo/dev

What i like about openid (if i can actually get it working). is that it separates and solves a single very important problem and answers a primary question - who is this user? knowing that and not having to maintain separate user accounts and passwords and password retrievers, reseters, etc. etc. is a big deal. getting a unique id from every user is a big deal. its also a big deal to force someone to go create a secondary openid, which they won't likely do, but they would create a second id on our system.

What openID will not do for us is groups. we will need some process/mechanism to tell each drupal site or .net service what group someone is in, and therefore what access rights they have.

Also, openid seems like a good thing to put in exchange contacts web address field - urn:schemas:contacts:businesshomepage in order to CRU contact information in a self-service manner using webdav for exchange

Scratch - Shell Script Part 1

2007-07-25T16:50:00.000-07:00

#!/bin/sh
set -e

# Version 0.6c, 2007-06-21
# - Updated 2007-06-21 by Eric Lannert (eric.lannert@gmail.com)
# - added openldap, openssl, and bdb
# - changed flow to package by package - I found the need to run in pieces and wanted
# to make it easier for future add-on's
# - added switch to choose whether to delete source directory as this prevents incremental installs
# and recovering from errors
# - NOTE - I do not know where oracle's ftp is for the bdb, so the script assumes you
# have downloaded via http and uploaded by hand
# - abstracted wget_source to a reusable function
# - added LD_LIBRARY_PATH, CPPFLAGS, and LDFLAGS to chk_prepare
# - Updated 2007-06-08 by Chris Shymanik (chris@chipsncheese.com)
# - Will backup and re-install any old php.ini's found (see notes in wiki about this).
# - Source file detection.
# - Allows cgi-bin to be installed in a sub-directory (EXTDIR)
# - Created steps as functions, for easier troubleshooting/modification.
# - Updated various packages and did some additional code cleanup.
# - OSSP mm (Shared Memory Allocation) and bzip2 packages added.
# - Changed which binary to use, based on the new location in PHP 5.2.3.
# - Updated 2007-01-15 by Charles Wiltgen (charles@wiltgen.net)
# - Make "nicer" to help keep it from getting killed by DreamHost
# - Make less verbose to keep signal-to-noise level high
# - Updated 2006-12-25 by Carl McDade (hiveminds.co.uk)
# - Allow memory limit and freetype

#### User Configuration Options
## Domain & Directory Configuration
# Domain to install to
export DOMAIN="events.icstars.org"
# Temporary source directory
SRCDIR=${HOME}/source
# Download temporary DIST files to which directory?
DISTDIR=${HOME}/dist
# Delete contents of DISTDIR after installation? (Default: No)
DISTDEL="No"
# Delete contents of SRCDIR after installation? (Default: No)
SRCDEL="No"
# Backup your previous php.ini files to which directory (if any)?
# Please Note: You'll need to remove this directory manually if it's used.
# (!!You MUST use a trailing slash when specifying this directive!!)
BACKUPDIR=${HOME}/php5tmp/
# Install PHP5 to which directory?
INSTALLDIR=${HOME}/php5
# Install PHP5's cgi-bin files to a directory besides home?
# ie.: /home/username/mywebsite.com/sub/level/directory
EXTYESNO="No"
# Directory under home in which the cgi-bin files will be installed to
# ie.: /sub/level/directory
EXTDIR=main
# Nice Level for Processes. (Deprecated)
# Higher is nicer, lower is less nice and could get your install process killed!
NICE=19
# Wget options
WGETOPT="-t1 -T10 -w5 -q -c"

####Setup environment
chk_prepare
chkproc_paths

####Download and install each package
#LIBICONV
FOLDER="libiconv-1.11"
FILENAME=${FOLDER}.tar.gz
MIRROR1="ftp://ftp.ucsb.edu/pub/mirrors/linux/gentoo/distfiles/${FILENAME}"
MIRROR2="http://mirrors.usc.edu/pub/gnu/libiconv/${FILENAME}"
CONFIGURESWITCHES="--enable-extra-encodings --prefix=${INSTALLDIR}"
wget_source
cd ${SRCDIR}
echo "Extracting ${FILENAME}..."
tar xzf ${DISTDIR}/${FILENAME} > /dev/null
cd ${SRCDIR}/${FOLDER}
echo "Configuring ${FOLDER}..."
./configure ${CONFIGURESWITCHES}
echo "Making ${FOLDER}..."
nice -n ${NICE} make
echo "Installing ${FOLDER}..."
nice -n ${NICE} make install
echo "Done with ${FOLDER}!"

#LIBMCRYPT
FOLDER="libmcrypt-2.5.8"
FILENAME=${FOLDER}.tar.gz
MIRROR1="ftp://ftp.ucsb.edu/pub/mirrors/linux/gentoo/distfiles/${FILENAME}"
MIRROR2="http://umn.dl.sourceforge.net/sourceforge/mcrypt/${FILENAME}"
CONFIGURESWITCHES="--enable-extra-encodings --prefix=${INSTALLDIR}"
wget_source
cd ${SRCDIR}
echo "Extracting ${FILENAME}..."
tar xzf ${DISTDIR}/${FILENAME} > /dev/null
cd ${SRCDIR}/${FOLDER}
echo "Configuring ${FOLDER}..."
./configure ${CONFIGURESWITCHES}
echo "Making ${FOLDER}..."
nice -n ${NICE} make
echo "Installing ${FOLDER}..."
nice -n ${NICE} make install
echo "Done with ${FOLDER}!"

#LIBXML2
FOLDER="libxml2-2.6.28"
FILENAME=${FOLDER}.tar.gz
MIRROR1="ftp://ftp.ucsb.edu/pub/mirrors/linux/gentoo/distfiles/${FILENAME}"
MIRROR2="ftp://xmlsoft.org/libxml2/${FILENAME}"
CONFIGURESWITCHES="--enable-extra-encodings --prefix=${INSTALLDIR}"
wget_source
cd ${SRCDIR}
echo "Extracting ${FILENAME}..."
tar xzf ${DISTDIR}/${FILENAME} > /dev/null
cd ${SRCDIR}/${FOLDER}
echo "Configuring ${FOLDER}..."
./configure ${CONFIGURESWITCHES}
echo "Making ${FOLDER}..."
nice -n ${NICE} make
echo "Installing ${FOLDER}..."
nice -n ${NICE} make install
echo "Done with ${FOLDER}!"

#LIBXSLT
FOLDER="libxslt-1.1.20"
FILENAME=${FOLDER}.tar.gz
MIRROR1="ftp://ftp.ucsb.edu/pub/mirrors/linux/gentoo/distfiles/${FILENAME}"
MIRROR2="ftp://xmlsoft.org/libxml2/${FILENAME}"
CONFIGURESWITCHES=" \
--prefix=${INSTALLDIR} \
--with-libxml-prefix=${INSTALLDIR} \
--with-libxml-include-prefix=${INSTALLDIR}/include/ \
--with-libxml-libs-prefix=${INSTALLDIR}/lib/"
wget_source
cd ${SRCDIR}
echo "Extracting ${FILENAME}..."
tar xzf ${DISTDIR}/${FILENAME} > /dev/null
cd ${SRCDIR}/${FOLDER}
echo "Configuring ${FOLDER}..."
./configure ${CONFIGURESWITCHES}
echo "Making ${FOLDER}..."
nice -n ${NICE} make
echo "Installing ${FOLDER}..."
nice -n ${NICE} make install
echo "Done with ${FOLDER}!"

#MHASH
FOLDER="mhash-0.9.9"
FILENAME=${FOLDER}.tar.gz
MIRROR1="ftp://ftp.ucsb.edu/pub/mirrors/linux/gentoo/distfiles/${FILENAME}"
MIRROR2="http://umn.dl.sourceforge.net/sourceforge/mhash/${FILENAME}"
CONFIGURESWITCHES="\
--prefix=${INSTALLDIR}"
wget_source
cd ${SRCDIR}
echo "Extracting ${FILENAME}..."
tar xzf ${DISTDIR}/${FILENAME} > /dev/null
cd ${SRCDIR}/${FOLDER}
echo "Configuring ${FOLDER}..."
./configure ${CONFIGURESWITCHES}
echo "Making ${FOLDER}..."
nice -n ${NICE} make
echo "Installing ${FOLDER}..."
nice -n ${NICE} make install
echo "Done with ${FOLDER}!"

#ZLIB
FOLDER="zlib-1.2.3"
FILENAME=${FOLDER}.tar.bz2
MIRROR1="ftp://ftp.ucsb.edu/pub/mirrors/linux/gentoo/distfiles/${FILENAME}"
MIRROR2="http://www.zlib.net/${FILENAME}"
CONFIGURESWITCHES="\
--shared --prefix=${INSTALLDIR}"
wget_source
cd ${SRCDIR}
echo "Extracting ${FILENAME}..."
tar xzf ${DISTDIR}/${FILENAME} > /dev/null
cd ${SRCDIR}/${FOLDER}
echo "Configuring ${FOLDER}..."
./configure ${CONFIGURESWITCHES}
echo "Making ${FOLDER}..."
nice -n ${NICE} make
echo "Installing ${FOLDER}..."
nice -n ${NICE} make install
echo "Done with ${FOLDER}!"

###########################################
# SUPPORT FUNCTIONS

###########################################
## Function to check for an existing install and kill if exists.
function check_prepare()
{
# Push the install dir's bin directory into the path
export PATH=${INSTALLDIR}/bin:$PATH

# set the install dir's lib and include directories for LD_LIBRARY_PATH, CPPFLAGS and LDFLAGS
export LD_LIBRARY_PATH=${INSTALLDIR}/lib
export CPPFLAGS=-I${INSTALLDIR}/include
export LDFLAGS=-L${INSTALLDIR}/lib

# Indicate the time at which the install started.
echo "Installation commencing..." `date +%r`
echo ""

# Backup previous php.ini file(s) if exist.
if [ -d ${INSTALLDIR}/etc/php5 ]; then
echo "--- Backing up php.ini file..."
mkdir -p ${BACKUPDIR}
cp -R ${INSTALLDIR}/etc/php5/* ${BACKUPDIR}/
echo "Done."
else
echo "No php.ini will be backed-up during this update!"
fi
# Check for existing php5 install, kill any running processes from it, and remove.
# Note: This is only for fast-cgi processes. This should probably be modified
# to detect other custom php5 processes for a fully functional script.
if [ -d ${INSTALLDIR} ]
then
# Check for a running process
# Note: This is only a very basic detect & kill system.
if [ "$(ps aux | grep -q php5.fcgi)" == "php5.fcgi" ]
then
while [ "$(ps aux | grep -q php5.fcgi)" == "php5.fcgi" ]
do
kill -9 php5.fcgi
sleep 5s
done
fi
echo "Install directory exists! Killing active processes and clearing it..."
rm -rf ${INSTALLDIR}
else
echo "Install directory check complete."
fi
# Remove the existing cgi-bin directory.
if [ -d ${HOME}/${DOMAIN}/cgi-bin ]; then
echo "cgi-bin directory exists! Clearing contents..."
rm -rf ${HOME}/${DOMAIN}/cgi-bin
else
echo "cgi-bin directory check complete."
fi
}

###########################################
## Function to check for and setup the appropriate paths.
function chkproc_paths()
{
# Detect how many processors the system has (for more optimal compliation).
cores=2 # the number of cores/procs to use when building
if [ $cores -a $cores -gt 1 ]; then
j="-j$cores "
fi
OS=`uname -s`
if [ "Darwin" = $OS ]; then
sed=gnused
makefile=makefile.macosx
else
makefile=makefile.linux_x86_ppc_alpha
sed=sed
fi
for i in $sed wget; do
$i --version >/dev/null 2>&1
done

# Clear and/or create the source directory.
if [ -d ${SRCDIR} ]; then
echo ""; echo "Source directory already exists!"; echo "Clean it?"
if [ ${SRCDEL} == "Yes" ]
then
echo ""; echo "Yes!"; echo "Cleaning now..."; echo ""
rm -rf $SRCDIR/*
else
echo ""; echo "No!"; echo "Leaving the source directory intact."; echo ""
fi
else
echo "Creating source directory..."
mkdir -p ${SRCDIR}
fi
# Create the dist files directory if it doesn't exist
# optionally cleaning it if it does exist already.
if [ -d ${DISTDIR} ]; then
echo ""; echo "Distribution directory already exists!"; echo "Clean it?"
if [ ${DISTDEL} == "Yes" ]
then
echo ""; echo "Yes!"; echo "Cleaning now..."; echo ""
rm -rf $DISTDIR/*
else
echo ""; echo "No!"; echo "Leaving the distribution directory intact."; echo ""
fi
else
echo "Creating distribution directory..."
mkdir -p ${DISTDIR}
fi
}
###########################################
## Function to wget the current package
function wget_source()
{
echo "*************************"
if [ -a ${DISTDIR}/${FILENAME} ]; then
echo "Skipping wget of ${FILENAME}"
else
echo "Getting MIRROR1: ${MIRROR1}"
wget $WGETOPT $MIRROR1
# If primary mirror fails, use the alternative mirror.
if [ -a ${DISTDIR}/${FILENAME}]; then
echo "Got ${FILENAME}"
else
echo "Failed: Getting from MIRROR2: ${MIRROR2}"
wget $WGETOPT $MIRROR2
# Check to make sure the alternative mirror worked.
if [ -a ${DISTDIR}/${FILENAME} ]; then
echo "Got ${FILENAME}"
else
echo "Failed to get ${FILENAME}. Aborting install!"
exit 0
fi
fi
fi
}

Active Directory User Account Provisioning

2007-07-16T16:08:00.000-07:00

Since the Drupal ldap auth module does not support new account creation in Active Directory, I will need other options.

Microsoft Identity Lifecycle Manager 2007 formerly Microsoft Identity Integration Server 2003
http://www.microsoft.com/technet/technetmag/issues/2007/05/Workflow/

Drupal LDAP Integration - Extracting groups from W2K Domain Controller Active Directory

2007-07-16T13:56:00.000-07:00

The current setup is not extracting group information for users.

Tried this, but it did not work. Also seems counterintuitive to put values in boxes where the checkbox was left unchecked.
http://drupal.org/node/80020

http://drupal.org/node/147824 lead me to this:

msg_r($groups);
Which shows my groups are coming back from AD, but not propagating into drupal groups.

http://drupal.org/node/136303
Explains that the function in ldapgroups.conf.php needed to be commented out. Otherwise, the only groups that would get propagated were hard-coded ones it found.

That worked!!!

Ok, in the ldap groups screen, i only needed to do three things. everything else is blank:

Groups are specified by LDAP attributes - Checked - yes
Attribute names (one per line): memberOf

Attribute holding group members: memberUid

Unable to connect to Active Directory via LDP on port 636

2007-07-16T12:58:00.001-07:00

I am able to connect with ldp via port 389. I have run netstat/netdiag/and dcdiag with no issues.

However, when I try to connect using LDP via 636 and using an IP address as the server, I receive the following error:
ld = ldap_open("M.Y.I.P", 636);
Error <0x51>: Fail to connect to M.Y.I.P.

This says that is by design
http://support.microsoft.com/kb/814662

This indicates the problem is likely name resolution:
http://forum.java.sun.com/thread.jspa?threadID=645000&messageID=3824603

That works from the server using windowsdomain.domain.org. Still cannot connect via remote client.

This link:
http://www.pgina.org/?page_id=6
indicates that if you can connect via 389 but not 636 then you have a certificate problem.

The server event logs showed:
Event Type: Error
Event Source: Schannel
Event Category: None
Event ID: 36869
Date: 7/16/2007
Time: 7:31:05 PM
User: N/A
Computer: SERVER
Description:
The SSL client credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.

I reinstalled the certificate from server/certsrv and still have the same unable to connect, but now i no longer get any event log messages.

THis post
http://www.eggheadcafe.com/aspnet_answers/windowsserveractive_directory/May2006/post26947443.asp

Suggests looking in the client machine event log, duh...
Event Type: Error
Event Source: Schannel
Event Category: None
Event ID: 36884
Date: 7/16/2007
Time: 8:03:44 PM
User: N/A
Computer: ME
Description:
The certificate received from the remote server does not contain the expected name. It is therefore not possible to determine whether we are connecting to the correct server. The server name we were expecting is windowsdomain.domain.org. The SSL connection request has failed. The attached data contains the server certificate.

This tells you how to enable events in schannel:
http://support.microsoft.com/?id=260729

However, none of this explains how to fix the actual problem. How do you verify/change the name on the certificate that the server issues? it seems that ldp wants it to be the same fqdn that you use to address the server. however, that cannot be how mine is named, as i get the same error message when i tell the remote ldp client to use windowsdomain.domain.org.

Got it - from a remote machine, you have to use servername.windowsdomain.domain.org aka fqdn - dimwit.

This is ugly, as that is not a dns A record i want floating around out there. How to change the msft certificate services to issue a friendlier name, e.g. ldap.domain.org....?

This says you cannot change the name:
http://articles.techrepublic.com.com/5100-6345_11-5643908.html

Web Huddle

2007-07-16T10:50:00.000-07:00

wow.

http://groups.drupal.org/files/webhuddle_0.pdf

How to install SSL cert on Dreamhost for use in Drupal ldapauth against Active Directory

2007-07-16T07:46:00.000-07:00

THIS POST IS A DEAD END - It contains links and attempts at getting Drupal's ldap integration module to work against a W2K domain controller for active directory. It appears W2K does not support TLS and therefore, I need to create a separate post for how to get the drupal module to use ldaps instead of StartTLS.

Following up on the prior sequence of posts, this will document the learning/attempt path to get my cert installed on my dreamhost account that will enable drupal ldapauth to use secure communication with our Active Directory server.

This shows how to use openSSL to generate a self-signed certficate. Not what I need right now, but if I end up having to abandon using the MSFT self-signed, I'll come back to this.
http://www.neilstuff.com/apache/apache2-ssl-windows.htm

This looks promising... googled "ldapauth client SSL certificate active directory"
http://www.muquit.com/muquit/software/mod_auth_ldap/ssl_tls.html:

Ok, that got me through exporting the cer file from Microsofts Certificate Authority. FTP's the file up to my dreamhost account, and ran the steps to create a .pem file. On to getting ldapauth to see and use that file...

Not sure where to set the path for the pem file in the ldapauth module setup. Within ldapinterface.php there is a secretKey = null attribute that goes along with tls setting on the next line. However, it may not go here at all and maybe part of the openldap or openssl configuration.

Here's the current error message when I check "Start TLS" in the ldap integration settings in drupal administration:
warning: ldap_start_tls() [function.ldap-start-tls]: Unable to start TLS: Decoding error in /home/snip/modules/ldap_integration/ldap_integration/LDAPInterface.php on line 128.

My php install directory is php5, which contains an etc folder which contains an openldap folder which contains an ldap.conf file which is where I believe the cert reference needs to exist. Err, maybe not. The script above indicates i need to create an ldaprc file and reference the pem file there.
http://edoceo.com/liber/network-openldap.php
The docs are not consistent on what the ldaprc file switch contains.
muquit says:

  TLS_CACERT /usr/local/certs/cacert.pem
TLS_REQCERT allow

Which I changed to:

  TLS_CACERT $HOME/.ssl/[domain].pem
TLS_REQCERT allow

Apache needs to know where to find the ldaprc... snipped from muquit:
Before starting apache set a env variable (probably in apachectl) like:

 LDAPCONF=/path_of/ldaprc
export LDAPCONF

How does that work on Dreamhost??
Do i put this in .htaccess?

The very last post in this thread indicates that TLS is NOT supported by Windows 2000 domain controllers!!!! If that's the case, where do i go from here? How do I get ldapauth module to use ssl instead of tls?
http://forums.gentoo.org/viewtopic-t-295330-highlight-modauthldap+ssl.html
http://forum.java.sun.com/thread.jspa?threadID=592611&tstart=240
And the final word??
http://support.microsoft.com/kb/321051
"Windows 2000 does not support the Start TLS extended-request functionality"

So do I need to hack the ldapauth module in drupal to use ldaps? will this automatically use ssl and the local cert instead of startTLS?
http://drupal.org/node/75645

Additional References
http://www.openldap.org/lists/openldap-software/200403/msg00034.html
http://www.thetipspool.com/freenode/ldap/27Apr2007/3

This one has a good thread about getting apache to see the ldap cert file.
http://forums.gentoo.org/viewtopic-t-295330-highlight-modauthldap+ssl.html

Access is denied for all accounts after migrating Drupal website

2007-06-27T15:00:00.000-07:00

We recently migrated the site from internal hosting to external. All users, including the first user with super admin rights get access is denied on all administrative actions.

It looks like its a php version problem, where the new host was running 5 and the drupal site version was 4.6.1....

Yep, that was it.

Dreamhost Drupal Sub-directory with clean urls

2007-06-23T13:56:00.000-07:00

Trying to consolidate hosts and need to have multiple drupal installations under an existing drupal installation. Clean urls were not working by default - they threw 404 errors on the parent drupal site. The sites themselves worked fine, just not clean urls.

Also interesting was that .htaccess file did not exist in the root of the subdir site - i'm not sure why - maybe it gets created when cleanurls are turned on in drupal 5.

So, i edited the parent .htaccess file to uncomment RewriteBase /[subdir desired], ftp'd it up to the subdir root installation and wala, clean urls now work in Dreamhost subdir installed drupal 5 apps.

Securing Active Directory for Drupal LDAP access

2007-06-23T10:23:00.000-07:00

I don't yet have the ldap authentication working on SSL or TLS, as i need to learn how to install the certificate root and certificate on the drupal server. but that will be a different post.

First, I need to tighten down security on the AD. I want the binddn reader and updater accounts to have no rights beyond that specific purpose. You would think that would be a very easy thing to specify... ehem.

Looking here (don't you love msft's refusal to adopt clean urls?):
Assign user rights to new security groups so you can specifically define a user's administrative role in the domain.
http://technet2.microsoft.com/WindowsServer/en/library/95107162-47eb-4891-832f-0c0b15b7c8581033.mspx

Enforce account lockouts on user accounts and decrease the possibility of an attacker compromising your domain through repeated logon attempts.
http://technet2.microsoft.com/WindowsServer/en/library/91a98c38-38c5-49dc-83bf-e69d8e1dbbfa1033.mspx

Promote a secure operating environment by running your computer without administrative credentials except when required.
http://technet2.microsoft.com/WindowsServer/en/library/8782f8ab-9538-4111-8a68-7bfd130c21c01033.mspx

this is crap - user rights assignment on AD is useless for my purpose. there are far too few rights defined, and they seem way to blunt.

found a new way-

by default, any authenticated account can scan the directory. attempting to use a plain user account as the reader account with no additional rights.... it seems to work

updater account settings:
create a new security group and put the updater account in it
right click domain in ad users and computers
choose delegate control
add the group that contains the updater account
create a custom task to delegate
only the following objects in the folder/User objects
Read all properties/Write E-Mail Address (Others)/Change Password/Reset Password
how do you edit/update those delegated rights? i've been just rerunning the wizard, hoping its smart enough to delete the prior policy.

Testing...

Unfortunately, the following error is generated when an attempt is made to modify the password. I'm assuming this is because we're not yet running TLS:
warning: ldap_modify() [function.ldap-modify]: Modify: No such attribute in /home/.martin/icsadmin/events.icstars.org/modules/ldap_integration/ldap_integration/LDAPInterface.php on line 226.

Need to define some policies about locking out accounts after a number of password attempts are made.

phpSupport

2007-06-18T08:16:00.001-07:00

Found this today and plan to incorporate into our environment thanks to:
http://aplawrence.com/Reviews/bghelpdesk.html

http://phpsupport.jynx.net/?a=inuse

Dreamhost Drupal with LDAP

2007-06-18T07:45:00.000-07:00

http://drupal.org/node/62217

When we tried to connect we got an error message:
Fatal error: Call to undefined function ldap_connect() in D:\Program Files\wamp\www\drupal\modules\ldap_integration\ldap_integration\LDAPInterface.php

We needed to modify our php.ini to uncomment
extension=php_ldap.dll

In order to customize the php.ini we had to do some hacking:
http://wiki.dreamhost.com/index.php/PHP.ini

The php.ini file is working, but the dll list in it is for windows machines, not linux. need to find out how to configure php to load modules on linux. of course, you don't - you recompile php with the modules you need - which means this direction will orphan our php installation from future updates from dh.

Background/not followed: This gives details on how to do this from scratch:

http://us2.php.net/manual/en/ref.ldap.php

http://www.rpmfind.net/linux/rpm2html/search.php?query=php-ldap

This provides pre-compiled versions for use on a select group of linux distro's

To test the configuration you attempt to login as an account found in the ldap directory, but not in the drupal system.

Note from php.net (http://us2.php.net/manual/en/ref.ldap.php):

Chasing referrals in Active Directory (ie: searching across domains), can be slow. You can look up the object instead in the GC (Global Catalog) as follows:


Remove any reference to ldap:// when you use ldap_connect, ie: use "serv1.mydom.com" NOT "ldap://serv1.mydom.com"

Connect to port 3268 (not 389, the default)

Set the Base DN for the search to null ie: "" (empty quotes).

AD will then run the search against the GC which holds a copy of all objects in the Forest. You can also retrieve a subset of attributes (including group membership, except local groups).

You will still need to follow referals for a full set of attributes.

another:
http://greg.cathell.net/php_ldap_ssl.html

following the script from dh: http://wiki.dreamhost.com/PHP5_installscript

DOWNLOAD AND EXTRACT PACKAGES
used openldap source code and did a test run on the prep script with only ldap to ensure it worked properly. to do this i simply added:
LDAP="openldap-stable" to the version information list. this is a symbolic link maintained by openldap to get you the most recent stable version

then in the get section i added (don't be alarmed that the suffix is different from the other packages):
wget -c ftp://ftp.openldap.org/pub/OpenLDAP/${LDAP}.tgz

then to extract it i added this at the end (again needing to focus on the suffix to match openldap convention):
echo Extracting ${LDAP}...
tar xzf ${DISTDIR}/${LDAP}.tgz > /dev/null
echo Done.

INSTALL
I looked in the source directory via my ftp client and found that openldap had given me v2.3.32.
I used this as my LDAP variable in the install sh file:
LDAP="openldap-2.3.32"

I modified the PHPFEATURES list to include:
--with-ldap
note that you need to add a \ to the line above, and move the closing quote to after with-ldap

The openldap doc/install/configure file said generic installs run ok with just ./configure.

This approach bombed out on the script prior to getting to ldap - failed on cclient.

Started process over with the script at
http://wiki.dreamhost.com/PHP5_installscript/dev

This script ran ok on its own. When i modified to include ldap, it said:

checking Berkeley DB version for BDB/HDB backends... no
configure: error: BDB/HDB: BerkeleyDB version incompatible

This link explains more:
http://www.openldap.org/faq/data/cache/44.html

Same error message during ldap ./configure...
The berkeleydb and openssl installed without any error messages.
Many people posting this question to the openldap forum with rtfm responses...
Trying with env CPPFLAGS=-I${INSTALLDIR}/include LDFLAGS=-L${INSTALLDIR}/lib ./configure --prefix=${INSTALLDIR}

The flags are supposed to tell the openldap configure where to look... same result.

At this point, I'm wondering if the berkeleydb install didn't put things where i intended...
The first attempt at making the db i forgot the prefix, then ran the process again, i received an odd message about not replacing a .h file, which made me wonder how the file could be in two places from two runs. The berkeley docs state if you want to change anything, you need to run make realclean first - which removes everything...
Nope, now berkeley configures but crashes on make install, attempting to re-create the install subdirectory and getting a permission denied. ??

Trying again with the same env flags used above on openldap configure....ok, i got an install.

This is insane.

The openldap configure can see db.h, and it knows the version, why does it still say there is a version mismatch? Ehem. nosing up the tree, it looks like dh has db.h installed in the usr directory, indeed, the lib folder contains all the way up to 4.3. Given the openldap is telling me it has version 4.5, i imagine that means it does know about my version. Do i need to exclude all the prior versions in my configure statement? Argh! And why won't it run with the versions already installed? maybe the same reason - since so many are installed, maybe this step is lazy and stops with the first one it finds?

Analyzing the configuration.log - the conftest file has a strict test for DB_VERSION_MAJOR among others down to the patch level, but its not clear where these get defined. Also, the configuration.log shows an actual error message that does not make sense - this file exists in my lib folder:
./conftest: error while loading shared libraries: libdb-4.5.so: cannot open shared object file: No such file or directory

grep DB_VERSION_STRING db.h from within usr/local/include returns 3.2.9.

At a complete loss - need to find out what file contains the DB_VERSION_MAJOR check and put a print line to see what version it thinks it found. This code does not exist in the openldap directory!!! Somehow, when i searched all the files in the source directory, i could not find the source code file that contained the version check - i wanted to echo what version it found in order to understand who its finding and whether its stopping at the lowest or highest or what. unreal?

This http://www.openldap.org/lists/openldap-software/200308/msg00553.html makes it sound like i can hack the configure script in openldap to remove the hardcoded usr/lib searches...

Found this interesting discussion about the intricacies of library paths:
http://www.webservertalk.com/archive100-2005-3-945657.html

Colleague suggested using LD_CONFIG which will tell gcc where to get libraries from. Is this the same as LDFLAGS? Do we need to compile bdb with this flag or openldap?...

OMG I found it:
http://forums.devshed.com/ldap-programming-76/configure-error-berkeley-db-version-mismatch-181705.html
the flag you need is: export LD_LIBRARY_PATH="/build_unix/.libs"

Onward to make...

Got clean install of openldap...

php5 configure got:
configure: error: Cannot find ldap.h
needed to modify the following to include =path
--with-ldap=${INSTALLDIR}"

got clean install of php...

now on to the drupal integration challenges
warning: ldap_start_tls() [function.ldap-start-tls]: Unable to start TLS: Can't contact LDAP server ...


later on will need this regarding sasl:
supportedSASLMechanisms: GSSAPI; GSS-SPNEGO;
ok, when all security is turned off, and the ad accounts for reading and writing are domain admins, everything works!! and we wonder why systems are so vulnerable - the first thing to work is the least secure, shouldn't it be the other way around?
 
Current issues:
- retrieve password does not find the user
- new users do not appear in LDAP

to run the sh script:
chmod +x filename.sh
./filename.sh

Dreaded VS.NET Unable to start debugging

2007-04-18T08:33:00.000-07:00

Error while trying to run project: Unable to start debugging on the web server. You do not have permissions to debug. Verify that you are a member of the 'Debugger Users' group on the sever.
http://msdn2.microsoft.com/en-us/library/aa290100(VS.71).aspx

Disable/Modify Loopback check:
http://support.microsoft.com/?kbid=896861

Other things to check:

IE - http://localhost is trusted
IIS - virtualdir/configuration/debugging/ enable asp server-side script debugging
NTFS - physicaldir/security/ - make sure your user account has full permissions
IE7 - internet options/security settings/local intranet/custom level - bottom make sure "automatic logon with current user name and password" is checked also add http://localhost to the sites list
NTFS - inetpub\wwwroot\ - give your account full control
Local Users and Groups - make sure you are indeed a member of debugger users; also add aspnet account to debugger users group
Web.config -
C:\WINDOWS\Microsoft.NET\Framework\\ - ensure ASPNET Machine Account has full rights
CMD - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_regiis.exe -i

http://ryanfarley.com/blog/archive/2005/08/23/8540.aspx

Ubuntu Recovery

2007-04-03T08:24:00.000-07:00

Got locked out of Ubutu login screens. To recover, hit escape at the beginning of the boot cycle to get a menu of boot options. Boot to recovery mode. In recovery mode, add a user by adduser [username]. then follow this post:

#addgroup –system admin
#visudo The sudoers file should then be edited to include:
%admin ALL=(ALL) ALL
#adduser username admin

in my case, the admin group already existed. so i skipped ahead to adduser [user] admin

Getting pear modules installed on dreamhost

2007-03-13T21:33:00.000-07:00

Scratch notes here. Go here for workable sequence.

Step 1:
/usr/local/php5/bin/pear config-create $HOME .pearrc ==>
Could not create ".pearrc"

running pear config-show has User configuration file set to /home/[myaccount]/.pearrc which is what i would expect the first step to accomplish, assuming this step has already been accomplished for me.

Running /usr.../pear install Net_URL ==>
Cannot install, php_dir for channel "pear.php.net" is not writeable by the current user

The .pearrc file did not actually exist there, it was set to live there by the pear config-show, but since the file doesn't exist, it makes sense that i need to create it. i attempted to upload an empty file, but got the message ERROR: The default config file is not a valid config file or is corrupted.

Found this resource:
http://www.appelsiini.net/~tuupola/doc/peardoc/installation.shared.html not much help

attempted:
/usr/local/php5/bin/pear config-create /home/[myaccount]/pear/ .pearrc
this resulted in a run, but the file does not appear to have created any file. however it did reset the user configuration file path to /home/.martin/[myaccount]/.pearcc which is interesting because i told it to use the /pear subdir.

attempted:
/usr/local/php5/bin/pear config-create $HOME/pear .pearrc
same result, with the same user config file path

moving on...

executing /usr/local/php5/bin/pear install -o PEAR
this ran now, but there are still no new files anywhere

moving on...

executing /usr/local/php5/bin/pear install HTTP_Request
this ran as well.

moving on...
other dh.wiki readers seem to have the same problem identifying where to include the set include path code in the next step

attempting to put it in the code of the page itself....

actually, putting it in drupal settings.php file

ini_set(
'include_path',
ini_get( 'include_path' ) . PATH_SEPARATOR . "/home/.martin/[myuser]/pear/php"
);

since the files didn't actually get installed to the home/user/pear folder, i cannot see how the ini_set command could possibly work. nevermind. the files are there now, ftp was not refreshing and showing the files.

somehow, someway this worked. i have no idea how!

Workable sequence to get pear and http_request working on dreamhost installation:
/usr/local/php5/bin/pear config-create $HOME .pearrc
/usr/local/php5/bin/pear install -o PEAR
/usr/local/php5/bin/pear install HTTP_Request
ini_set( 'include_path', ini_get( 'include_path' ) . PATH_SEPARATOR . "/home/.martin/[username]/pear/php");