Unix Basics slides posted

I gave a lecture on Unix basics this past Friday in building 70. Attendance was about 20, which was far more than I expected. It was open to anyone who wanted to attend.

The slides can be found in the link below. They are html-based, and may require you to use a non-sucky browser to view them. I have not tested if browsers other than Firefox work, but I have heard that Opera and Safari choke on it. I'll fix that later.

Unix Basics slides

If you've never used my slide tool before, here's how:

  • arrow keys (left/right) navigate back/forward
  • spacebar goes forward
  • 't' toggles the slide list.

ldap, round 2

I already know how to set up ldap databases and add objects. Now I needed to figure out how to secure it and hook it to kerberos.

The following in my slapd.conf maps kerberos users to ldap objects.

authz-regexp uid=([^,]*),cn=gssapi,cn=auth
             "ldap:///ou=Users,dc=csh,dc=rit,dc=edu??sub?(uid=$1)"

When you have a kerberos ticket and authenticate using SASL, you bind as 'uid=USER,cn=gssapi,cn=auth', which is not the proper ldap object for any user on my system. Luckily, I can substitute this dn for a valid one using 'authz-regexp'. What this does, essentially, is run a subtree search when you authenticate via SASL, looking in the Users orgunit for an object with uid=USER. Very very helpful. Now I can get a kerberos ticket and ldap knows who I am:

nightfall(~) [976] % kinit
[email protected]'s Password: 
kinit: NOTICE: ticket renewable lifetime is 0
nightfall(~) [977] % ldapwhoami
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 56
SASL installing layers
dn:cn=jordan sissel,ou=users,dc=csh,dc=rit,dc=edu
Result: Success (0)

Wonderful! The next step was to allow users to modify their own objects. A short ACL entry in slapd.conf fixes that.

access to attrs=gecos,description,loginShell,mail by self write

This ACL ensures that users only have write access to their own entry, and even then only to the attributes listed above. To test this, I did the following:

nightfall(~) [981] % ldapsearch -Q -LLL '(uid=psionic)' 'loginShell'
dn: cn=Jordan Sissel,ou=Users,dc=csh,dc=rit,dc=edu
loginShell: /test/baz/fizz

nightfall(~) [982] % cat myldif
dn: cn=jordan sissel,ou=users,dc=csh,dc=rit,dc=edu
changetype: modify
replace: loginShell
loginShell: Happy Login Shell

nightfall(~) [983] % ldapmodify -Q -f myldif
modifying entry "cn=jordan sissel,ou=users,dc=csh,dc=rit,dc=edu"

nightfall(~) [984] !1! % !ldapse
ldapsearch -Q -LLL '(uid=psionic)' 'loginShell'
dn: cn=Jordan Sissel,ou=Users,dc=csh,dc=rit,dc=edu
loginShell: Happy Login Shell

Users have write access to their own objects now.
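The test above only shows the positive case (a user changing his own loginShell). What a practitioner also wants to see is that the authz-regexp rewrite refuses to map an unknown principal, that the ACL denies writes to attributes outside the listed set, and that it denies writes to somebody else's entry. The following is an added Python model of those two slapd.conf directives, written for this page and not part of the author's setup or of OpenLDAP; the in-memory DIRECTORY entries and values are constructed, and the evaluation rules follow slapd.access(5) semantics (a clause whose `by` list matches nobody denies, attributes no clause covers fall back to the default read-only policy).

```python
import re

# Constructed directory for the demonstration (assumption: entries and
# attribute values are made up; the DN layout follows the page).
DIRECTORY = {
    "cn=jordan sissel,ou=users,dc=csh,dc=rit,dc=edu":
        {"uid": "psionic", "loginShell": "/usr/bin/tcsh", "gecos": "Jordan Sissel"},
    "cn=another member,ou=users,dc=csh,dc=rit,dc=edu":
        {"uid": "member2", "loginShell": "/bin/sh", "gecos": "Another Member"},
}

# The authz-regexp directive from the slapd.conf above: a pattern matched
# against the SASL identity, and an LDAP URL template with $1 substituted.
AUTHZ_PATTERN = r"uid=([^,]*),cn=gssapi,cn=auth"
AUTHZ_URL = "ldap:///ou=Users,dc=csh,dc=rit,dc=edu??sub?(uid=$1)"

# The ACL from the slapd.conf above: only 'self' may write these attributes.
SELF_WRITE_ATTRS = {"gecos", "description", "loginShell", "mail"}


def map_sasl_identity(sasl_dn):
    """Apply the authz-regexp rewrite and resolve the search it produces.

    Returns the directory DN the SASL identity maps to, or None when the
    pattern does not match or the search does not return exactly one entry
    (slapd requires a unique hit before it substitutes the DN).
    """
    m = re.fullmatch(AUTHZ_PATTERN, sasl_dn, re.IGNORECASE)
    if not m:
        return None
    url = AUTHZ_URL.replace("$1", m.group(1))
    # LDAP URL layout: ldap:///<base>?<attrs>?<scope>?<filter>
    base, _attrs, _scope, filt = url[len("ldap:///"):].split("?")
    attr, value = re.fullmatch(r"\((\w+)=([^)]*)\)", filt).groups()
    hits = [dn for dn, entry in DIRECTORY.items()
            if dn.lower().endswith(base.lower())            # scope 'sub'
            and entry.get(attr, "").lower() == value.lower()]  # uid is caseIgnore
    return hits[0] if len(hits) == 1 else None


def may_write(bind_dn, target_dn, attr):
    """Model of 'access to attrs=... by self write' plus slapd's defaults.

    The clause matches only the listed attributes; within it the sole 'by'
    rule is 'self', so every other identity is denied. Attributes the clause
    does not name fall through to later access directives (none here) and
    end up with slapd's default policy, which is read-only.
    """
    if attr in SELF_WRITE_ATTRS:
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    return False


def check_policy():
    """Run the positive test from the post and the negative ones it skipped."""
    me = map_sasl_identity("uid=psionic,cn=gssapi,cn=auth")
    other = "cn=another member,ou=users,dc=csh,dc=rit,dc=edu"
    return {
        "mapped_dn": me,
        "self_loginShell": may_write(me, me, "loginShell"),      # allowed
        "self_uid": may_write(me, me, "uid"),                    # denied: not in the attrs list
        "other_loginShell": may_write(me, other, "loginShell"),  # denied: not 'self'
        "unknown_user": map_sasl_identity("uid=ghost,cn=gssapi,cn=auth"),  # no entry: no mapping
    }


if __name__ == "__main__":
    for name, result in check_policy().items():
        print(f"{name}: {result}")
```

Against a live server the same four checks are the ones worth scripting with ldapmodify: a self-write of loginShell should succeed, a self-write of uid and a write to another member's loginShell should come back with insufficient access, and ldapwhoami for a principal with no matching entry should report the raw uid=...,cn=gssapi,cn=auth identity rather than a directory DN.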

The next step is going to be getting SSL/TLS working. I made a brief attempt at doing that tonight but I failed. Getting some SSLv3 handshake error that is clearly PEBCAK on my part. Oh well, sleep now. More LDAP later.

migrating from nis to ldap, round 1

We at CSH need to move from nis and the many other user information datastores we use to LDAP instead. To that end, I have started working on consolidating our user data. The first step is importing NIS (passwd/group) information into ldap.

I wrote a script, passwd2ldif, to use NIS passwd information and put it in ldap.

ypcat passwd | ./passwd2ldif > cshusers.ldif
ldapadd -D "cn=happyrootuserthinghere,dc=csh,dc=rit,dc=edu" -f cshusers.ldif

Wait a while, and all users from NIS show up in ldap. I have my laptop looking at ldap for user information using nss_ldap:

nightfall(~) [690] % finger -m psionic
Login: psionic                          Name: Jordan Sissel
Directory: /u9/psionic                  Shell: /usr/bin/tcsh
Never logged in.
No Mail.
No Plan.

Pretty simple stuff, so far. The next step will involve creating a new schema to support all of the information we currently store in "member profiles": a huge mess of a single mysql table with lots of columns such as "rit_phone," "csh_year," "aol_im," and others. All of that can move to ldap. I'll post more on this later when I figure out what kind of schema we want.
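The post names passwd2ldif but does not show it. Below is an added Python version written for this page, not the author's script: it turns `ypcat passwd` lines into LDIF entries shaped like the ones above (cn taken from the gecos field under ou=Users,dc=csh,dc=rit,dc=edu). The objectClass choice (inetOrgPerson plus posixAccount), the skipping of NIS compat lines and placeholder password fields, and the sample passwd line with its hash are all assumptions or constructed data. It handles two things a naive converter gets wrong: DN values with reserved characters are escaped per RFC 4514, and attribute values LDIF cannot carry literally (leading space or colon, non-ASCII) are base64-encoded.

```python
import base64
import sys

BASE_DN = "ou=Users,dc=csh,dc=rit,dc=edu"   # the orgunit used on the page

# Constructed sample line (hash and numeric ids are made up).
SAMPLE = "psionic:$1$xyzzy$placeholderhashvalue:1234:100:Jordan Sissel,,,:/u9/psionic:/usr/bin/tcsh"

# Values NIS/passwd use to mean "no password stored here".
NO_PASSWORD = {"", "*", "x", "!", "NP", "*LK*", "*NP*"}


def dn_escape(value):
    """Escape the characters RFC 4514 reserves inside an RDN value."""
    out = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    if out.startswith(("#", " ")):
        out = "\\" + out
    return out


def ldif_attr(name, value):
    """One LDIF attribute line; base64 ('::') when the value is not a SAFE-STRING."""
    safe = (value.isascii() and value.isprintable()
            and not value.startswith((" ", ":", "<"))
            and not value.endswith(" "))
    if safe:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def passwd_to_ldif(line):
    """Convert one passwd(5) line to an LDIF entry, or None if it should be skipped."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        return None
    login, pw_hash, uid, gid, gecos, home, shell = fields
    if not (uid.isdigit() and gid.isdigit()):     # drops '+::::::' compat lines and garbage
        return None
    cn = gecos.split(",")[0].strip() or login    # full name is the first gecos field
    sn = cn.split()[-1]                          # inetOrgPerson requires sn
    lines = [
        ldif_attr("dn", f"cn={dn_escape(cn)},{BASE_DN}"),
        "objectClass: inetOrgPerson",
        "objectClass: posixAccount",
        ldif_attr("cn", cn),
        ldif_attr("sn", sn),
        ldif_attr("uid", login),
        f"uidNumber: {int(uid)}",
        f"gidNumber: {int(gid)}",
        ldif_attr("homeDirectory", home),
        ldif_attr("loginShell", shell),
        ldif_attr("gecos", gecos),
    ]
    # NIS hashes are crypt(3) strings; the {CRYPT} scheme lets slapd verify them.
    if pw_hash not in NO_PASSWORD:
        lines.append(ldif_attr("userPassword", "{CRYPT}" + pw_hash))
    return "\n".join(lines) + "\n"


def convert_stream(lines):
    """Convert an iterable of passwd lines into one LDIF document."""
    return "\n".join(e for e in map(passwd_to_ldif, lines) if e)


if __name__ == "__main__":
    sys.stdout.write(convert_stream(sys.stdin))
```

Because the hashes travel into the directory as userPassword, the import should be paired with an ACL that keeps them unreadable, the usual OpenLDAP form being `access to attrs=userPassword by self write by anonymous auth by * none`, placed before any broader `access to *` clause so it is matched first.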

getting pageup/pagedown to work properly under solaris (Xsun)

The default handling of pageup and pagedown by xterm under Xsun is annoying. When you hit page up in xterm, it scrolls up. This behavior is undesirable and different from what I'm used to. So, Xresources to the rescue.

Xterm supports a number of options, including keybindings, so here's my fix. It sends the "page up" or "page down" escape sequence to your terminal when you hit page up or page down, respectively. Shift+pageup still works as expected (it actually scrolls).

! Override default action when hitting pageup and pagedown - actually
! send the ANSI code for page up
*VT100.translations: #override \n\
	~Shift <Key>Prior: string(0x1b) string("[5~") \n\
	~Shift <Key>Next: string(0x1b) string("[6~") \n

Put that in your .Xresources and load it with:

xrdb -merge .Xresources

This file should get loaded automatically when you login through dtlogin, but I haven't tested this yet.

new project: solaudio

Solaris Audio Controller

I got tired of trying to use Solaris' graphical audio controller, sdtaudiocontrol. It's slow locally, slower to xforward, etc. So I went on down to docs.sun.com and started perusing the documentation on audio(7I) and mixer(7I). A few hours later, BOOM, I've got a commandline audio control utility.

It's written in C and requires nothing beyond a C compiler. Compile it with: cc -o solaudio solaudio.c

http://www.csh.rit.edu/~psionic/projects/solaudio/

dhclient and dhclient-exit-hooks

Using DHCP on resnet only gives me "search rit.edu" as far as search domains go. So, I got bored and wrote a small script to add useful domains for me. This is done using a feature of ISC's dhcp client, dhclient, called dhclient-exit-hooks: a shell script that is run when dhclient finishes fetching you an IP address.

This will add csh.rit.edu and cs.rit.edu to the search line in my /etc/resolv.conf.

Requires: a version of sed that supports in-place editing (the -i option).

#!/bin/sh
# dhclient-exit-hooks: runs after dhclient has rewritten /etc/resolv.conf.

DOMAINS="csh.rit.edu cs.rit.edu"

# If DHCP handed out no search line at all, start one for the loop to extend.
grep -q '^search' /etc/resolv.conf || echo 'search' >> /etc/resolv.conf

for dom in $DOMAINS; do
        # Skip domains already on the search line (dots escaped so grep
        # matches them literally); the hook runs on every renewal, so it
        # has to be idempotent.
        pat=$(printf '%s' "$dom" | sed 's/\./\\./g')
        grep "^search.*\b$pat\b" /etc/resolv.conf > /dev/null 2>&1 ||
        sed -i -e "/^search/ s/$/ $dom/" /etc/resolv.conf
done