Andrew’s personal weblog

During the weekend we have migrated our main firewall system to the latest release of pfSense. Although we had spent some hours testing in a pilot environment, a couple of minor issues were encountered in the process, as outlined below.

We upgraded the main node at first (as suggested by the “Redundant Firewalls Upgrade Guide“. Then the secondary node was not syncing immediately after its upgrade, because the old webConfigurator SSL certificate was not selected by default. Selecting the right certificate and rebooting the 2nd node solved the problem.

Some bits of the OpenVPN configuration (we have been running a couple of site-to-site VPN) was not retained correctly: tun(4) interfaces disappeared in favour of the new “ovpns” interfaces, so a reassignment was needed. After a couple of clicks all was working again flawlessly.

A little more work is planned to polish the configuration (for example, the FTP proxy is now implemented in a different way, and there is no need to allow port TCP 21 to external WAN addresses), but all the main functions are here, and the performance of the webConfigurator interface seems to be drastically improved.
In conclusion, we are very satisfied by this new version, which we have been running in production since it was released a few weeks ago, for some customer’s new firewalls.

After a couple of days spent in studying and testing, today the first SVN server was put in the development stage. A test repository is available for anonymous checkout and ViewVC browsing at http://svn.valsania.it. Commit privilege is granted only to selected accounts, defined both in Active Directory and htpasswd file.

This first deployment still has some rough corners, but the main goals are targeted:

• simple anywhere access to the repository both for read and write access (via WebDAV and ViewVC);
• secure transmission of credentials and data (enforced SSL offloading was activated);
• integrated authentication with corporate directory service (thanks to the auth_ldap Apache module).

During the next days I’ll be committed to put this service in the hands of all the developers which have the potential to be involved in any sort of collaboration with our company in the future!

This is the first post I can write without being in front of a computer: I’m using my new iPhone to write these lines while I’m “on the go”!
I must admit that I never thought to blog in that way, but this mobile device seems a very powerful platform, not only because of it’s builtin functions, but mainly because of the possibilities it can offer by the development point of view. This post is a little example of what I mean: I wrote it using a thirdt party application developed by the WorPress team who made it available on the Apple online App Store.

Today I got the time to upgrade the WordPress MU platform which is running the Valsania Corporate Blogs collection from version 1.5.1 to the release 2.6 (which is based on WordPress 2.6). It has been the first time I upgrade a WPMU instance in a production envirnoment. The upgrade procedure has been extremely straightforward, and I must say I’m quite impressed by that, since my WPMU configuration is very complex (many plugins and customizations were made, but all of them should have been made consistently with the architecture). At the same time I got all the others WP-based blogs I manage upgraded to the 2.6.1 release.

Today I had to login into one of my WP powered weblogs, running the wpDirAuth 1.3 plugin which I wrote about in this previous post. Surprisingly, it returned me the error message “No directory server available for authentication”. No change was made in the last few days in my infrastructure, and I soon discovered that all user accounts in my Active Directory were able to succesfully authenticate with the only exception of mine!

A few minutes have been necessary to understand that the problem was lying in the password I changed yesterday, which was including an apostrophe (‘). It seems that the function parsing this variable in WordPress automatically puts a backslash (\) escape character before the apostrophe, in order to pass it correctly to the builtin authentication function. The matter was the way the ldap_bind() PHP function was sending the password to my domain controllers, including the unnecessary (in this case) escape character.

I’m not a developer, but I think I resolved this issue, simply by adding the line in bold to the wpDirAuth_bindTest() function in the file wpDirAuth.php:

function wpDirAuth_bindTest(&$connection, &$username, &$password)
{
    $password = strtr($password, array(“\’”=>”‘”));
    if ( ($isBound = @ldap_bind($connection, $username, $password)) === false ) {
        // @see wpLDAP comment at http://ashay.org/?page_id=133#comment-558
        $isBound = @ldap_bind($connection,”uid=$username,$baseDn”, $password);
    }
    return $isBound;
}

Since the returned error message was also incorrect (it should be a “check credentials” warning, not a “server unreacheable” error), I’ve also included the change suggested by Clint in the last part of his message “I have a bug fix for 1.3…“.

I’ve also succesfully tested this modified wpDirAuth plugin against different Active Directory instances on WordPress 2.6 and I’ve genereted two patch to upgrade from both 1.2 and 1.3 version. Here are the links:

• wpDirAuth-1.2-to-1.4.patch
• wpDirAuth-1.3-to-1.4.patch

If you prefer to use directly the 1.4 release I’ve also prepeared a pre-patched copy that you can download it here.

Since that’s not my job, I’m not sure to have done a good thing by defining this as the new 1.4 release, and I’ll be glad to receive any suggestion about it.

I finally got the time to make the wpDirAuth plugin function both on WordPress 2.5.1 and WordPress µ 1.5.1. My need is to migrate to the WPMU platform from Telligent’s Community Server as soon as possible, since I’m planning to port my entire corporate infrastructure from MSFT to the more dependable BSD Unix technology.

Unfortunately the 1.2 version of this plugin simply didn’t work on the latest versions of WP, so I had to apply the Patch for WordPress 2.5 compatibility kindly published by Adam Yearout. As now, I’ve only got the time to test it against Microsoft Active Directory LDAP servers, but I plan to try it in an Apple Open Directory environment before put it in production. The pilot blog collection can be accessed at the well-known Valsania Corporate Blogs WMPU instance.

UPDATE:
I’ve just tried to bind against an Apple Open Directory LDAP service, and the process is quite straightforward: the only real difference is the user object’s attribute to search for to identify the user who is logging in (sAMAccountName for AD, uid for OD), ad shown in the following image.

As you see, in this example we have an OD domain named mydomain.local, and we are using the unprivileged user named dsquery to bind to the LDAP service.

NOTE: remember to populate the EMailAddress attribute of your users in Open Directory, if you whish to the required E-mail field in WordPress user profile to be automatically filled upon the first logon.

This is my first post of the new year 2008, and this is my first post written on a Mac! Yes, you’ve read well: during the last year I’ve worked hard to explore all the paths that would make possible to me "reinvent" the way of doing business (where for "business" I mean IT, obviously!), and I came to this choice after a long and heavy work in the new (for me) Unix field.
I’d like to explain as soon as possible the reasons which made me follow this path of innovation, but this subject is too important to be told about in this informal blog. I’ll surely write about Microsoft’s fall in a few posts on my official corporate blog.

As now, I can only say that the "Leopard" operating system from Apple looks like a good candidate to support a lot of small-to-middle sized businesses in my Country, where the Open Directory system seems to be able to accomplish the basic functions needed by them in a more cost-effective and reliable way than the new Windows Longhorn platform can.
I’m at the beginning of my evaluation, but I feel that there will be a lot of work in the next months, mainly adapting my "engineering  habits" to the new Apple’s platform. :S

I’m writing using the Qumana offline blog editor on my new black Intel-based MacBook … so everything I’ve written so far was only to test this tool! If you wish to know something more about this work, please go to my official blog and wait until I’ll have the time to write down some no-nonsense words about that!

A log time has past since my last post on my corporate weblog, mainly because I’ve spent a lot of time to working on several tasks, both internally and externally to my company. During these months I’ve collected a lot of drafts about many arguments, mainly related to new business experiences, and I wish to publish them as soon as possible, hoping to have some time to spend on it during the next month. See you later!

After I spent some hours yesterday night to get some information from the Net, I downloaded the latest version of the blogging software from Microsoft.  Currently I post in this personal weblog only by using the web interface provided by the WordPress engine, while I use Microsoft Office Word 2003 to write down the articles I publish on my corporate blog.

Whereas I’ve already tested some blogging tools like the Zoundry Blog Writer, I choose to use Microsoft Word because of the need to send all posts to a person who checks the language before publishing.  Moreover, I’ve told that the Microsoft tool for blogging, almost in its beta release, was something ugly to use and badly integrated with the most of blogging engines.

Yesterday night I read a good review of the latest revision of Windows Live Writer, so I decided to have a try with it, and I realized it is the best blog writer I’ve ever tested since I began to writing and publishing articles in that way! Despite of its beta revision status, it looks like a fully functional and perfectly integrated tool, both with the WordPress and the Community Server engines. Saving local drafts in the user’s personal documents folder is a great feature for persons like me that have it redirected on a server share, since I can start writing a post on a PC and complete it on another.

The only thing I wish, and I think Microsoft will do so, is to get the blogging feature of Live Writer integrated with other writing tools (maybe in the Office System), to make even more simple to edit, print, save and share blog posts, as we do with any other Office document.