Finally ;)

From: Matthias Klose <doko@cs.tu-berlin.de> To: 452750-done@bugs.debian.org Subject: openjdk-6 in unstable Date: Sat, 12 Jul 2008 16:50:30 +0200 openjdk-6 accepted into unstable.

I had configured an ipv6 tunnel on my soekris router/fw since a long time, but I had never spent any time to actually make it an ipv6-gateway for all my machines. Configured radvd.conf (need to checkout how dhcpv6 behaves..) opened up a couple of forwading rules and sysctl's and here we go:

michele@eeepc:~$ ping6 -n ipv6.google.com
PING ipv6.google.com(2001:4860:0:1001::68) 56 data bytes
64 bytes from 2001:4860:0:1001::68: icmp_seq=1 ttl=52 time=546 ms
64 bytes from 2001:4860:0:1001::68: icmp_seq=2 ttl=52 time=340 ms

Finally I can open www.openldap.org at a reasonable speed ;)

Read up enough on reprepro in order to be able to actually push some stuff out the "proper" apt way. So for source packages and the amd64 architecture here we go:

deb http://michele.pupazzo.org/debian sid main contrib non-free
deb-src http://michele.pupazzo.org/debian sid main contrib non-free

Just apt-get install dirsrv and you're good to go ;) (well almost, since there's a crapload of stuff to fix .. bit it's a start)

Given that I've had quite a few comments about my last post on authnz_ldap and Active Directory, I thought I'd summarize the issues involved a little. Basically, without setting Referrals Off in /etc/ldap/ldap.conf you get an Operations Error when Apache tries to authenticate to AD. So far so good.

A quick glance in the apache2 code, didn't turn up any option to disable this behaviour, unfortunately. So we're either stuck with editing _/etc/ldap/ldap.conf _or we can always point the authnz_ldap module towards the AD Global Catalog port (TCP/3268). That is, if you have one available to be pounded by your authentications ;)

Switching to an encrypted channel with LDAP+SSL is fairly trivial (the example below is still subject to MITM, I'll leave solving that as an exercise for the reader), you just need to ask the Global Catalog SSL port (TCP/3269) :

AuthType basic
AuthName Basic
AuthBasicProvider ldap
AuthLDAPURL "ldaps://globalcatalogdc.domain:3269/DC=DOMAIN?sAMAccountName?sub?(objectClass=user)"
NONE
AuthLDAPBindDN "LDAPQueryUser@DOMAIN"
AuthLDAPBindPassword "foo"
require ldap-group CN=GP-SVN-USERS,CN=Users,DC=DOMAIN
require ldap-user michele
# MITM
LDAPVerifyServerCert Off

In no particular order:

• Moved my main development machine from i386 to amd64 (6G RAM)

• Added two Terabyte drives to get some backup going

• I'm going to pycon2 in Florence (9/10/11 of May)

• Started migration of some sites (this one included) to a new server (let me know if you spot any issues)

I've gotten most of the important dependencies of FDS done : svrcore, mozldap, perl-mozilla-ldap. I've got a halfway baked package for fds-base also, but it isn't really worth publishing yet. Anyway, the deps can be found here: http://michele.pupazzo.org/debian .

As soon as I finish cleaning everything a bit more up, I'll announce it to the appropriate lists.

So we actually did complete the move to our new apartment...I still look puzzled at how much stuff we were able to squeeze into our old 40 square meter apartment in Milan..all this stuff does not seem to fit in the new place which is twice as big. There are still a lot of things to finish (like my computer table), but for the rest we settled in quite all right.

During the couple of weeks I was disconnected from the net at home, I read "The Great Gatsby" by Fitzgerald, which I enjoyed a lot. I sure wish I had a "wortschatz" like his ;) Before Fitzgerald I finally finished "The Flat World" by T. Friedman, which was very interesting for certain parts, but overall it gave me the impression of focusing way to much how good and how inevitable and how we will all profit if we're competitive enough in this globalization. Mentions to the negative aspects of it are miniscule and quite frankly the idea of companies doing only good things in countries were labor is cheap..well I find that slightly naive, mind you.

Given that I picked up reading again lately, I got my self a "Bookeen Cybook Gen3" e-reader. I find it very useful for reading technical books or pfd's. In the end I drooled a long time over the Iliad, but given the exorbitant price, I settled for a device which does one thing and it does it well.

So, now I'll try to reduce the backlog of my e-mails. If I didn't get back you please drop me a line, I most probably forgot and lost your mail in the queue.

ps. In an act of idiocy I managed to destroy my phone (+ SIM), so I also don't have many phone numbers ATM ;)