SuSE Linux round two

I decided to format my CBC-issued desktop and install SuSE Linux 10.1. You will recall that back in January I tried to install SuSE 10.0 on a Thinkpad T42, with very poor results. So why did I decide to try again? There are a number of reasons:

  1. CBC is a Novell shop internally; they use GroupWise for email and make extensive use of NDS, ZENworks Desktop Management, iPrint, and many other Novell technologies. SuSE, as you probably know, is a division of Novell.
  2. I despise GroupWise but I am hoping at some point in the future to be able to use Ximian Evolution’s Groupwise connector to talk to our Groupwise servers. This probably won’t happen until corporate IT upgrades to Groupwise 7, though (or at least until they turn on the web services interface in Groupwise)
  3. CBC.ca runs SuSE Linux Enterprise Server 9 on all of its production web and Java servers, so having a similar environment on my desktop for development purposes makes sense.

After a few weeks of using SuSE Linux 10.1, I’m generally happy with it. Part of that is due to the fact that I’m not using it on a laptop, so my original beef about WPA being broken is a non-issue in my use case. (That doesn’t mean that the problems have been solved, though; 10.1 still doesn’t support WPA properly.) I still have a couple of complaints:

  1. The successor to Red Carpet, Zen Updater, is horribly broken out of the box. In order to “fix” it I still needed to run YaST to upgrade to the latest versions of libzypp and all that jazz. Still, YaST and Zen Updater are both far, far slower than any other package management tool I’ve ever used.
  2. SaX2, SuSE’s X Server configuration tool, is still extremely buggy. This would be only slightly annoying if you could hack the xorg.conf yourself, but SaX puts all kinds of proprietary directives in there (such as Option "SaXDualHead") and prefaces the file with a warning to not hand-edit it. So what are you supposed to do when SaX fails you, e.g. it refuses to properly configure my Matrox G450 in dual-head mode?

There are some positive aspects to SuSE Linux though, namely its integration with NDS (I guess they call this "eDirectory" now). I was able to successfully install the Novell Client for Linux 1.2 and log onto eDirectory. There’s a nice fancy QT GUI and GNOME tray icon for managing Novell connections and for the most part it works flawlessly, just like Novell Client for Windows. This is a huge improvement over the awful NovelClient (sic) that I used to use before during my first term at CBC.

As I said, I’m generally happy with SuSE Linux. My one remaining complaint is this: why does Novell have so many confusing names for its Linux products, and why do they seem to change them every 6 months? We have SuSE Linux Enterprise Server (SLES), Novell Linux Desktop (NLD), OpenSuSE, SuSE Linux Enterprise Desktop (SLED), SuSE Linux Enterprise OpenExchange Server (SLEOS? SLOS???), Open Enterprise Server (which I gather isn’t even really Linux but some form of Netware?), and so on. Even SuSE Linux 10.1 has two versions: a so-called “retail” version that comes with support, and a downloadable “community” edition (that I’m using) with no support and missing a bunch of non-GPL packages like RealPlayer, Flash, Adobe Reader, etc. but which you can install later. Worse still, Novell refers to SuSE Linux 10.1 as “created by the openSuSE project”, but the next version of SuSE Linux, 10.2, is going to be called openSuSE 10.2 …?!

All of this SLES, SLOS, and SLED nonsense makes my head spin — makes me want to give the Novell marketing monkeys a SLAP.

exporting IIS SSL certificates for use in Apache

I didn’t think you could do this, but it is possible to export SSL certificates created under a Windows IIS environment for use in Apache. Here’s how to do it:

  1. On the Windows box, fire up Microsoft Management Console (mmc.exe) and add the Certificates snap-in. Choose Computer Account and then Local Computer.
  2. Find the certificate that you want to export and choose All Tasks > Export. Follow the Export wizard and make sure you export the private key too. You’ll be asked for a passphrase to use to encrypt the key.
  3. Take the PFX-format file that was created by the wizard and copy it to your UNIX machine.
  4. Use OpenSSL to convert the PFX file into a PKCS12 format:
    $ openssl pkcs12 -in whatever.pfx -out pfxoutput.txt
    
  5. The PKCS12 output file is basically a concatenation of the private key and the certificate, so use vi to slice it up into two files, a .crt for the cert and a .key for the private key.
  6. If you want to remove the passphrase from the key (highly recommended in a production environment where Apache must start up unattended) then just run:
    $ openssl rsa -in encrypted.key -out unencrypted.key
    

That’s it! You can now use the key and cert in your Apache config files.
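Steps 4 to 6 as one script, added here rather than taken from the post: the .pfx file is already PKCS#12, so what openssl writes out is PEM, and asking pkcs12 for the certificate and the key in separate passes avoids slicing the combined output by hand. The throwaway self-signed pair, the file names and the export-pass passphrase are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the post): pull the certificate and key out of a
# Windows .pfx export in one pass each, then prove they belong together.
# File names, the "export-pass" passphrase and the subject are assumptions.
set -eu

# Cert only, then key only; -nodes strips the wizard's passphrase so Apache
# can start unattended. "pass:" is fine for a demo; use -passin file:... for
# a real key so the passphrase stays out of ps(1). On OpenSSL 3 an export
# from an older Windows release may need -legacy (RC2-40 inside the PFX).
pfx_to_pem() {
  pfx=$1 pass=$2 out=$3
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys |
    openssl x509 -out "$out.crt"
  # Subshell so the restrictive umask (key file ends up 0600) does not leak.
  ( umask 077
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes |
      openssl rsa -out "$out.key" )
}

# A certificate and its key share an RSA modulus; compare digests of both.
pair_matches() {
  c=$(openssl x509 -noout -modulus -in "$1" | openssl sha256)
  k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null | openssl sha256)
  [ "$c" = "$k" ]
}

# Constructed stand-in for the IIS export: a throwaway self-signed pair
# bundled as PKCS#12 the way the Windows export wizard does it.
make_test_pfx() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=example.test \
    -keyout "$1/orig.key" -out "$1/orig.crt" 2>/dev/null
  openssl pkcs12 -export -in "$1/orig.crt" -inkey "$1/orig.key" \
    -passout pass:export-pass -out "$1/whatever.pfx"
}

demo() {
  d=$(mktemp -d)
  make_test_pfx "$d"
  pfx_to_pem "$d/whatever.pfx" export-pass "$d/apache"
  if pair_matches "$d/apache.crt" "$d/apache.key"; then
    echo "apache.crt and apache.key match; key mode: $(ls -l "$d/apache.key" | cut -c1-10)"
  fi
  rm -rf "$d"
}

demo
```

Piping through x509 and rsa also drops the "Bag Attributes" header lines pkcs12 would otherwise write, and the key is created under umask 077 because nothing but file permissions protects it once the passphrase is gone.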

authenticating Apache against Windows 2003 Active Directory

Devlin’s rebuilding its intranet and moving away from the old Lotus Domino-based directory service. One of the developers on the intranet project asked me if he could authenticate employees against Active Directory instead. He’ll be using the MODx CMS, and would like to authenticate using mod_auth_ldap.

We’ve done this before to authenticate Subversion SCM users, but just as a test. This time I decided to try and create a user in Active Directory that would be used solely to bind to LDAP when doing lookups. I called this user “LDAP User”.

Making this work required a lot of trial and error, and I still haven’t managed to figure out a few things (see below). The first problem I had was that I was confused as to what the CN actually is for this particular user: it’s going to be cn=LDAP User, cn=Users, dc=devlin, dc=ca rather than cn=ldapuser, cn=Users, dc=devlin, dc=ca. ldapuser is just the login ID of the account rather than the actual CN.

The other thing I did wrong is that I put quotes around the Require statement, so rather than having

Require group “cn=Devlin Employees,cn=Users,dc=devlin,dc=ca”

the correct syntax is just

Require group cn=Devlin Employees,cn=Users,dc=devlin,dc=ca

A few things are still broken:

  1. I can’t figure out why LDAPS isn’t working. Doing searches from the command line using ldapsearch over SSL works fine, but the configuration of LDAP-SSL within Apache seems to be really tricky. I already have the directives
            LDAPTrustedCA certs/sf_issuing.crt
            LDAPTrustedCAType BASE64_FILE
    

    in the configuration file, and Apache does say [notice] LDAP: SSL support available, but any attempt to actually use it gives an

    [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]
    

    error.

  2. I’m not particularly impressed that AuthLDAPBindPassword is stored in cleartext in the configuration file, but there doesn’t seem to be a way of hashing it or otherwise concealing it.
  3. I haven’t figured out how to enable LDAPS on Domain Controllers that aren’t already HTTPS-enabled, so for now I’m not authenticating against them.
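An added example, not part of the post: reproduce from the shell what Apache’s LDAP lookup does, over LDAPS with the same CA file, so a DN, filter or certificate mistake can be told apart from mod_auth_ldap’s own SSL setup. The host name dc1.devlin.ca and the password file path are assumptions; the DNs are the ones from the post.

```shell
#!/bin/sh
# Added example (not from the post): bind as the lookup account over LDAPS
# and check a login ID's membership in the group named in "Require group".
# dc1.devlin.ca and /etc/apache2/ldap.pass are assumptions.
set -eu

CA=certs/sf_issuing.crt
BIND_DN='cn=LDAP User,cn=Users,dc=devlin,dc=ca'   # display name, not "ldapuser"
BASE='cn=Users,dc=devlin,dc=ca'
GROUP='cn=Devlin Employees,cn=Users,dc=devlin,dc=ca'
PASSFILE=/etc/apache2/ldap.pass                   # mode 0600, owner root

# RFC 4515 escaping for values spliced into a filter; without it a login ID
# such as "*" or "a)(objectClass=*" rewrites the search.
ldap_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                         -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Match a login ID (sAMAccountName) that is a member of GROUP. Apache checks
# the group's member attribute; AD mirrors that on the user as memberOf, so
# one search on the user answers both questions.
group_filter() {
  printf '(&(sAMAccountName=%s)(memberOf=%s))' "$(ldap_escape "$1")" "$GROUP"
}

# LDAPS on 636 with an explicit trust anchor; the bind password comes from
# a file (-y) instead of the command line, where ps(1) would show it.
check_user() {
  LDAPTLS_CACERT=$CA ldapsearch -LLL -H ldaps://dc1.devlin.ca:636 \
    -D "$BIND_DN" -y "$PASSFILE" -b "$BASE" "$(group_filter "$1")" dn
}

if [ $# -eq 1 ]; then
  check_user "$1"
fi
```

A DN that binds here but not from Apache points at the LDAPTrustedCA or URL directives rather than the account; Apache 2.4.5 and later can also fetch AuthLDAPBindPassword from a program via the exec: prefix instead of keeping it in cleartext in the config.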

I should just get my parents a Mac Mini

I’ve been preparing an old IBM PC 300PL for my parents to replace their generic clone that died (RIP the machine formerly known as exodus.dreaming.org). They’re familiar with Windows, so I installed Windows 2000 Professional, ran Windows Update to download all the latest patches, and installed ClamWin as a virus scanner, and ZoneAlarm as a firewall. Fortunately they don’t have Internet access yet, but I worry about them clicking on some malware link and having some nasty spyware/trojan/virus take over their machine.

Despite all this, somewhere along the line I picked up some nasty trojan. This particular strain, TROJ_CONHOOK.AE, attached itself to WINLOGON.EXE so even booting in Safe Mode wouldn’t get rid of it. It saved itself as a randomly-named DLL (in my case, C:\WINNT\SYSTEM32\pmnmlml.dll) and added itself as an AutoRun all over the place, a fact I was able to ascertain by using SysInternals’ excellent Autoruns utility. Using another SysInternals utility, Process Explorer, I was also able to see that it was causing WINLOGON.EXE to run some routine inside the DLL file every second!

Call me a skeptic, but I was still not totally convinced that pmnmlml.dll was not some legitimate Windows DLL. After all, just open your C:\WINNT\SYSTEM32 folder and half the stuff in there looks like a virus. (Quick: is dcomcnfg.exe a virus? How about dcomcfg.exe?) So I decided to copy the DLL to my Linux workstation and run strings(1) on it. Sure enough, the following text string was enough confirmation for me that it was a trojan:

http://82.98.235.63/cgi-bin/check/autoaff3

So I followed the procedure on Trend Micro’s site for getting rid of it — namely, booting off the Windows 2000 Professional CD and running the recovery console, then deleting the DLL.

Let’s step back for a second here. I am a professional system administrator, and my parents are not. How can I expect them to surf the Internet safely and not suck down one or more of these nasty trojans? Next thing I know, I’ll be getting a call from their ISP telling me that their little IBM is sending out 10,000 spams a minute, or is the control point for some DoS botnet.

I’m leaning more and more towards just getting them a Macintosh. I just have to convince them to part with their beloved Windows.

(By the way, dcomcnfg.exe is legitimate, while dcomcfg.exe is not. But how would one ever tell?)
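The strings(1) triage described above, as an added example that is not from the post: grep alone does the same job, and a second pass with NUL bytes removed also surfaces UTF-16LE text, which Windows DLLs often use and which plain strings(1) only shows with -el. The sample "DLL" and its TEST-NET URLs are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the post): list the URLs embedded in a suspect
# binary, including wide-character ones. The sample file is constructed;
# 192.0.2.10 is a documentation (TEST-NET) address, not a real host.
set -eu

# Print every URL in a file: one pass over the raw bytes, one after
# deleting NUL bytes so wide (UTF-16LE) strings read as ASCII.
extract_urls() {
  re='https?://[[:alnum:]._~:/?#@!$&*+,;=%-]+'
  { LC_ALL=C grep -aoE "$re" "$1" || :
    tr -d '\000' < "$1" | LC_ALL=C grep -aoE "$re" || :
  } | sort -u
}

# Emit a string as UTF-16LE: each ASCII character followed by a NUL byte.
wide() {
  s=$1
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}
    printf '%s\000' "$c"
    s=${s#?}
  done
}

# Constructed sample: a few header-like bytes, import names, one ASCII URL
# and one wide URL, separated by binary junk.
make_sample() {
  {
    printf 'MZ\220\000\003\000\000\000\004\000\000\000'
    printf 'KERNEL32.dll\000GetProcAddress\000'
    printf 'http://192.0.2.10/cgi-bin/check/example\000\001\002'
    wide 'http://192.0.2.10/report.php?id=1'
    printf '\000\377\376\001'
  } > "$1"
}

f=$(mktemp)
make_sample "$f"
# The hash is what you look up on the AV vendor's site before deciding.
sha256sum "$f" 2>/dev/null || openssl dgst -sha256 "$f"
extract_urls "$f"
rm -f "$f"
```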

NetworkManager starts getting some docs

Looks like someone has started putting together some informal documentation for NetworkManager.

In a completely unrelated note, the upgrading of my Fedora Core 5 Thinkpad T42 to kernel 2.6.17-1.2139 has broken wireless (again). Any attempt to use NetworkManager with it causes ipw2200: Firmware error detected. Restarting. to be seen in the dmesg. However, if I run wpa_supplicant manually and then dhclient, it works.

I’m really looking forward to the day when all this is fixed, although I suspect wireless is such a bleeding edge problem space that the day won’t be coming soon.

BSDCan 2006 Day 0xFFFE: VoIP and FreeBSD tutorial

I’m going to be posting a couple of journal entries where I will summarize the talks I attended at BSDCan 2006 last weekend. It might take me a little while to get through all the summaries, but eventually I’ll finish them all! I’m starting with Day -2 of BSDCan, i.e. 2 days before BSDCan really started, when I attended a tutorial on VoIP and FreeBSD.

VoIP and FreeBSD Tutorial

Presented by Massimiliano Stucchi

I attended this tutorial, presented by Massimiliano (Max), who works as a consultant for a major communications company in Italy. He mentioned that in his work he manages over 2000 channels — I took this to mean either simple FXO/FXS channels (single POTS lines) or PRIs. If the latter, that works out to about 70 customers with PRIs, since PRIs in Europe can carry up to 30 B-channels (whereas in North America, on the T-1 standard, one can carry 24 B-channels).

Primarily, VoIP in a free or open-source software environment means Asterisk, which is fine; that’s what I’m interested in. Max did briefly mention that there are other open-source PBXes out there such as VOCAL (which is probably not being actively maintained given that the "latest" release is for RedHat 7.3) and Bayonne, the GNU PBX which might show some promise. Still, when one thinks of open-source PBXes, one typically thinks of Asterisk.

Much of Max’s tutorial was a very basic introduction to Asterisk, which was fine although I felt like I didn’t learn too much more about the operation of the system. He did manage to clear up some terminology for me, though; in particular I think people use the word termination wrong. In the telephony world, termination is used to describe when calls leave your VoIP system and get into the PSTN. I think a lot of people, myself included, misuse the word termination to mean the completion of a call on a DID number, whereas this is actually termed origination. Confusing, yes. I guess it’s the same hurdle in understanding that you need to jump when thinking about what signalling to use for a FXO/FXS device: for an FXO device (which actually interfaces to an FXO, i.e. a CO) you need to use FXS signalling, because your FXO device is behaving as a "station" (like a regular analog phone is a station).

Another useful tip I got out of the tutorial was that faxing does not work well with Asterisk, and definitely not with pure IP. This is in part due to a number of factors: Asterisk does not have the capability to do the error control (ECM) necessary for faxing; although ECM is, strictly speaking, optional, most Class-1 fax devices expect to have it turned on. Moreover, the GSM codec does not handle faxing very well, therefore faxes will not work on IAX or SIP channels. Max felt that the T.38 protocol (faxing over UDP) is probably the way to go, but there is not yet wide support for this.

Max eventually got into some use cases of Asterisk, showing us parts of his dialplan, and discussing some of the syntax, but I felt that during this part of the talk he got a little distracted and started telling some stories & conversing semi-privately with some of the participants. To his credit, Max had some slides prepared, but he did not stick to them, particularly near the end of the tutorial. I think this would have been discouraging to any real newbie who came into the tutorial with absolutely no knowledge of Asterisk. At one point, a newbie asked him what it would take to implement a basic Asterisk setup just for testing — what hardware should be purchased? Max wasn’t able to answer this question directly, perhaps because he had never purchased small-scale hardware. I would have preferred to see an example of a starter setup, such as the use of cheap FXO clone cards to build an answering machine, for example.

Overall, though, I got some good tips from someone who has actually built a large-scale production Asterisk setup. I won’t try running a non-POTS fax line, that’s for sure.

Linux WiFi improvements on the horizon

Wireless device support — and indeed, wireless reliability — has been frankly awful in Linux up to this point. Even among the devices that work (at least some of the time), there are frequent problems. For example, my IBM Thinkpad T42 laptop comes with an IPW2200BG adapter that mostly works — except after suspend, when it will refuse to function unless the driver is unloaded and reloaded. I’m using NetworkManager to "magically" manage my network connection; when it works, it works fabulously, but there are no docs. None. I challenge you to try and find a man page or any scrap of documentation about NetworkManager anywhere on the Internet.

At least on the driver side there might be some hope on the horizon. Devicescape, a WiFi software stack specialist, has just released their "Advanced Datapath" IEEE 802.11 driver stack under an open source license, and several kernel developers are trying to get it integrated into the Linux kernel. Of course, as with all integrations, this won’t happen overnight, but when it does, many wireless features such as WPA, WEP, software MAC, and so on that currently require add-ons like the userland wpa_supplicant for WPA could be directly run by this stack.

I’m looking forward to the day when I don’t have to do this magic incantation to get wireless working after suspend:

# /etc/init.d/NetworkManager stop
# /sbin/modprobe -r ipw2200
# /sbin/modprobe ipw2200
# sleep 10
# /etc/init.d/NetworkManager start

A complete non-sequitur: survey questions that make no sense.
how quickly?