Monthly Archives: July 2006

moving from 1&1 to Dreamhost

Posted by Julian Dunn on July 26, 2006
Internet Services / 1 Comment

I decided to move my shared hosting from 1&1 to DreamHost. I had some poor experiences with 1&1:

  1. remapping domains to subdirectories of my $HOME didn’t work at first
  2. excessively stringent RLimitCPU meant that certain operations, like trying to migrate from Gallery 1.x to 2.x would fail and time out
  3. trying to use 1&1's built-in photo gallery hosed my site for a day as it remapped all the virtual host to subdirectory mappings

I hope hosting with Dreamhost will help with these issues. I would really love to have my own server in a co-lo (i.e. eating my own dog food by having one in the TCCP co-lo, which I run) but I can’t justify the expense.

authenticating Apache against Windows 2003 Active Directory

Posted by Julian Dunn on July 17, 2006
Internet Services, Windows / 3 Comments

Devlin’s rebuilding its intranet and moving away from the old Lotus Domino-based directory service. One of the developers on the intranet project asked me if he could authenticate employees against Active Directory instead. He’ll be using the MODx CMS, and would like to authenticate using mod_auth_ldap.

We’ve done this before to authenticate Subversion SCM users, but just as a test. This time I decided to try and create a user in Active Directory that would be used solely to bind to LDAP when doing lookups. I called this user “LDAP User”.

Making this work required a lot of trial and error, and I still haven’t managed to figure out a few things (see below). The first problem I had was that I was confused as to what the CN actually is for this particular user: it’s going to be cn=LDAP User, cn=Users, dc=devlin, dc=ca rather than cn=ldapuser, cn=Users, dc=devlin, dc=ca. ldapuser is just the login ID of the account rather than the actual CN.

The other thing I did wrong is that I put quotes around the Require statement, so rather than having

Require group "cn=Devlin Employees,cn=Users,dc=devlin,dc=ca"

the correct syntax is just

Require group cn=Devlin Employees,cn=Users,dc=devlin,dc=ca

A few things are still broken:

  1. I can’t figure out why LDAPS isn’t working. Doing searches from the command line using ldapsearch over SSL works fine, but the configuration of LDAP-SSL within Apache seems to be really tricky. I already have the directives
            LDAPTrustedCA certs/sf_issuing.crt
            LDAPTrustedCAType BASE64_FILE
    

    in the configuration file, and Apache does say [notice] LDAP: SSL support available, but any attempt to actually use it gives an

    [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]
    

    error.

  2. I’m not particularly impressed that AuthLDAPBindPassword is stored in cleartext in the configuration file, but there doesn’t seem to be a way of hashing it or otherwise concealing it.
  3. I haven’t figured out how to enable LDAPS on Domain Controllers that aren’t already HTTPS-enabled, so for now I’m not authenticating against them.
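
The pitfalls described in this post (a quoted DN on Require group, a cleartext AuthLDAPBindPassword, and falling back to plain ldap:// while LDAPS is broken) can be checked mechanically. The following is an added example, not code from the original post: a small Python linter whose function name, finding labels, host name dc1.example.test and sample configuration are all constructed for illustration.

```python
import re
import stat

DIRECTIVE = re.compile(r"^\s*(\w+)\s+(.*?)\s*$")

# Constructed sample; the host name and password are placeholders.
SAMPLE_CONF = """\
<Directory "/var/www/intranet">
    AuthType Basic
    AuthName "Intranet"
    AuthLDAPURL ldap://dc1.example.test:389/cn=Users,dc=devlin,dc=ca?sAMAccountName?sub
    AuthLDAPBindDN "cn=LDAP User,cn=Users,dc=devlin,dc=ca"
    AuthLDAPBindPassword PLACEHOLDER-not-a-real-secret
    Require group "cn=Devlin Employees,cn=Users,dc=devlin,dc=ca"
</Directory>
"""


def lint_auth_ldap(conf_text, file_mode):
    """Return sorted (line_no, finding) pairs for a mod_auth_ldap config.

    file_mode is the st_mode of the file that holds conf_text.
    """
    findings = []
    plain_url_line = None
    has_bind_password = False
    for no, line in enumerate(conf_text.splitlines(), 1):
        m = DIRECTIVE.match(line)  # comments and <Section> lines do not match
        if not m:
            continue
        name, value = m.group(1).lower(), m.group(2)
        if name == "require" and value.lower().startswith("group"):
            # The rest of the line is taken as the DN, so quotes become part of it.
            if value[5:].strip().startswith(('"', "'", "\u201c")):
                findings.append((no, "quoted-group-dn"))
        elif name == "authldapurl" and value.strip('"').lower().startswith("ldap://"):
            plain_url_line = no
        elif name == "authldapbindpassword":
            has_bind_password = True
            # Cleartext secret: only the file's owner should be able to read it.
            if file_mode & (stat.S_IRGRP | stat.S_IROTH):
                findings.append((no, "bind-password-file-readable-by-others"))
    if has_bind_password and plain_url_line:
        # A simple bind over ldap:// sends the service password unencrypted.
        findings.append((plain_url_line, "bind-password-sent-over-plain-ldap"))
    return sorted(findings)
```

On a real server, pass `os.stat(path).st_mode` for the file that contains the directives; the permission check assumes they live in the main server configuration, which httpd reads before dropping privileges.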

I should just get my parents a Mac Mini

Posted by Julian Dunn on July 05, 2006
Security, Windows / 9 Comments

I’ve been preparing an old IBM PC 300PL for my parents to replace their generic clone that died (RIP the machine formerly known as exodus.dreaming.org). They’re familiar with Windows, so I installed Windows 2000 Professional, ran Windows Update to download all the latest patches, and installed ClamWin as a virus scanner, and ZoneAlarm as a firewall. Fortunately they don’t have Internet access yet, but I worry about them clicking on some malware link and having some nasty spyware/trojan/virus take over their machine.

Despite all this, somewhere along the line I picked up some nasty trojan. This particular strain, TROJ_CONHOOK.AE, attached itself to WINLOGON.EXE so even booting in Safe Mode wouldn’t get rid of it. It saved itself as a randomly-named DLL (in my case, C:\WINNT\SYSTEM32\pmnmlml.dll) and added itself as an AutoRun all over the place, a fact I was able to ascertain by using SysInternals’ excellent Autoruns utility. Using another SysInternals utility, ProcessExplorer, I was also able to see that it was causing WINLOGON.EXE to run some routine inside the DLL file every second!

Call me a skeptic but I was still not totally convinced that pmnmlml.dll was not some legitimate Windows DLL. After all, just open your C:\WINNT\SYSTEM32 and half the stuff in there looks like a virus. (Quick: is dcomcnfg.exe a virus? How about dcomcfg.exe?) So I decided to copy the DLL to my Linux workstation and run strings(1) on it. Sure enough, the following text string was enough confirmation for me to see that it was a trojan:

http://82.98.235.63/cgi-bin/check/autoaff3
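
The strings(1) triage step described above can be scripted. The following is an added example, not code from the original post: it goes slightly beyond plain strings(1) by also extracting UTF-16LE text, which Windows binaries often use and which strings(1) skips by default, and it flags URLs whose host is a bare IP address. The function names and the sample bytes (documentation address 192.0.2.10, host update.example.test) are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

MIN_LEN = 6  # shortest run of printable characters worth reporting

ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# UTF-16LE text: each printable byte is followed by a NUL byte.
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)
URL = re.compile(r"https?://[^\s'<>]+", re.I)

# Constructed sample standing in for a suspicious DLL; not a real binary.
SAMPLE = (
    b"MZ\x90\x00\x03\x00" + b"\x00" * 8
    + b"This program cannot be run in DOS mode.\r\n$\x00\x00"
    + b"\x8b\xff\x01http://192.0.2.10/cgi-bin/check/example\x00\xcc"
    + "http://update.example.test/ping".encode("utf-16-le") + b"\x00\x00"
)


def extract_strings(blob):
    """Return printable ASCII and UTF-16LE runs found in blob."""
    found = [m.group().decode("ascii") for m in ASCII_RUN.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in WIDE_RUN.finditer(blob)]
    return found


def embedded_urls(blob):
    """Return sorted (url, host_is_ip_literal) pairs for each distinct URL."""
    results = {}
    for text in extract_strings(blob):
        for url in URL.findall(text):
            host = urlsplit(url).hostname or ""
            try:
                ipaddress.ip_address(host)
                results[url] = True   # hard-coded IP: worth a closer look
            except ValueError:
                results[url] = False  # ordinary host name
    return sorted(results.items())


if __name__ == "__main__":
    for url, is_ip in embedded_urls(SAMPLE):
        print("IP-literal" if is_ip else "hostname  ", url)
```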

So I followed the procedure on Trend Micro’s site for getting rid of it — namely, booting off the Windows 2000 Professional CD and running the recovery console, then deleting the DLL.

Let’s step back for a second here. I am a professional system administrator, and my parents are not. How can I expect them to surf the Internet safely and not suck down one or more of these nasty trojans? Next thing I know, I’ll be getting a call from their ISP telling me that their little IBM is sending out 10,000 spams a minute, or is the control point for some DoS botnet.

I’m leaning more and more towards just getting them a Macintosh. I just have to convince them to part with their beloved Windows.

(By the way, dcomcnfg.exe is legitimate, while dcomcfg.exe is not. But how would one ever tell?)

a quick reflection upon DemoCampToronto7

Posted by Julian Dunn on July 04, 2006
Culture, Programming / No Comments

This evening I went to DemoCampToronto #7, a project of BarCamp Toronto. As BarCamp’s website says,

BarCamp is an ad-hoc gathering born from the desire for people to share and learn in an open environment. It is an intense event with discussions, demos, and interaction from attendees.

DemoCamp consists of a set of presentations totalling no more than 15 minutes apiece (including questions) on up-and-coming software projects. It’s basically the same as a WiP session at any USENIX conference.

I don’t have enough time to summarize all of the presentations, but I’m sure others will (and I’ll try to link to some of the better summaries here). I just wanted to step back a moment and reflect on the fact that a room full of 150 passionate, articulate coders — in Toronto, no less — makes me think that we’re having a renaissance in the software development and IT industry. These are not coders who are just buzzword and Web 2.0-compliant; I sense that these folks are making real productive use of technologies like Ruby on Rails, AJAX, DHTML, Flash, and all the other gadgets that are revolutionizing the Internet by providing a true challenge to the classic thick application.

This renaissance is borne out by the increasing proliferation of jobs. Tucows just held a job fair, after which they hired a number of individuals fresh out of Computer Science at U of T (I know because two of them were sitting at my table). Exciting companies like Nurun and Critical Mass are hiring and expanding. I’ve personally been courted by one or two companies, unsolicited. Contrast this with the state of affairs five years ago, which is when I graduated from U of T. Jobs were scarce and I was lucky to land a position programming PHP for a firm that hadn’t blown its money in the dot-com crash.

It seems to be a great time to be in IT. The buzz is in the air again, and I have but one word of warning for many of the IT firms that have just barely stayed afloat for the last few years: You’d better do something to make sure you hang onto your technical staff — i.e. give them interesting, challenging work, and respect their talents — or you will lose them to other companies that are willing to make those tools available.