After a couple of days spent studying and testing, today the first SVN server was put into the development stage. A test repository is available for anonymous checkout and ViewVC browsing at http://svn.valsania.it. Commit privilege is granted only to selected accounts, defined both in Active Directory and in an htpasswd file.
This first deployment still has some rough edges, but the main goals are targeted:
- simple anywhere access to the repository both for read and write access (via WebDAV and ViewVC);
- secure transmission of credentials and data (enforced SSL offloading was activated);
- integrated authentication with corporate directory service (thanks to the auth_ldap Apache module).
Over the next few days I’ll be committed to putting this service in the hands of all the developers who have the potential to be involved in any sort of collaboration with our company in the future!
I’ve just read the “wpDirAuth-Versionen” post written in Dutch by Damian, who wishes to have it published in English too. I do not know very much Dutch, nor English, but I think he has done a great job for the WordPress community, since this plugin has a tremendous impact on the usage of WordPress in the business environment, and I’m glad to post a translation of his article here.
“wpDirAuth is a useful plugin to create WordPress user accounts connected to an LDAP directory service. Unfortunately Stephane Daury, the developer who built it, does not seem to be interested in or to have the time to maintain it, so the project page, the official WordPress plugin page, and even the Google groups wpdirauth-support and wpdirauth-dev have become stale. Despite this, the plugin still seems to be functional: Adam Yeraout published on wpdirauth-support the 1.3 release for WordPress 2.5 and newer, Andrew Valsania wrote a patch to fix a password-check bug on his blog and published the 1.4 release.
In order to bring this versioning chaos under control, since the project Trac without an administrator has become unusable, I’ve created my personal SVN repository, which also contains a revision history at https://www.delta-phi.net/svn/wordpress/wpDirAuth/tags/. Obviously I can commit other patches to SVN, but if someone wants to take over this work I could give him/her a dump of the repository.
I’ll be glad if someone would publish the same post in English…”
Thank you so much for your work! I hope that someone will be interested in keeping this plugin working and improving it even more.
Some days ago our production web application platform was upgraded to the 6.9 Drupal release. A little work was necessary to migrate some self-customized themes and to remove, or replace with custom views, some modules which were not available for the 6.x branch.
Drupal has proved to be a very interesting web development framework to address the needs of highly customized and business-tailored applications for (at least) the SME segment.
It’s impossible to keep an updated list of what I’m studying about the latest Apple technologies, but today I’ve successfully completed a “milestone” step towards the integration of OD in a Microsoft AD environment, and I must write it down somewhere.
An essential step in the process of migrating from MSFT to Apple IT infrastructure is the setup of a Mac OS X Server as Open Directory Master, leveraging the KDC service of an existing Active Directory Domain Controller. It’s just a snap to make this new server join a Microsoft-based realm and then install OD services on it to take advantage of the centrally managed authentication from AD while effectively managing all Mac clients with the MCX (Managed Client for X) system.
What gave me some trouble was the integration of the AFP (Apple Filing Protocol) service, which I need to host Mac users’ home folders, into the Microsoft customized Kerberos infrastructure. In the end I only needed to issue the command “dsconfigad -enableSSO” on the Mac server to have all Mac users automatically authenticated through Kerberos TGS (Ticket Granting Service) released by Microsoft’s KDC. Chances are that this behavior was due to a little bug in the Server Admin interface, which didn’t show me the button to join an external Kerberos realm under the OD Service settings tab, since the same machine was acting as an Open Directory Master, as you can see in the next figure.
Now, by using the same AD credentials whichever machine they log on to, my users happily browse both SMB and AFP shares, without being prompted for the same password after the first Kerberos authentication. Another little step has been taken on the way to adopting Apple technologies in the enterprise.
I finally got the time to make the wpDirAuth plugin work on both WordPress 2.5.1 and WordPress µ 1.5.1. My need is to migrate to the WPMU platform from Telligent’s Community Server as soon as possible, since I’m planning to port my entire corporate infrastructure from MSFT to the more dependable BSD Unix technology.
Unfortunately the 1.2 version of this plugin simply didn’t work on the latest versions of WP, so I had to apply the Patch for WordPress 2.5 compatibility kindly published by Adam Yearout. As of now, I’ve only had the time to test it against Microsoft Active Directory LDAP servers, but I plan to try it in an Apple Open Directory environment before putting it in production. The pilot blog collection can be accessed at the well-known Valsania Corporate Blogs WPMU instance.
I’ve just tried to bind against an Apple Open Directory LDAP service, and the process is quite straightforward: the only real difference is the user object’s attribute to search for to identify the user who is logging in (sAMAccountName for AD, uid for OD), as shown in the following image.
As you see, in this example we have an OD domain named mydomain.local, and we are using the unprivileged user named dsquery to bind to the LDAP service.
NOTE: remember to populate the EMailAddress attribute of your users in Open Directory, if you wish the required E-mail field in the WordPress user profile to be automatically filled in upon the first logon.
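The search step described above, as an added example that is not code from wpDirAuth or from the original post: it builds the lookup that the unprivileged bind account (dsquery here) runs before the user's own bind, switching the login attribute between AD and OD. It goes beyond the post by escaping the typed user name per RFC 4515 and refusing empty passwords; the function names, the "ad"/"od" keys and the use of the LDAP mail attribute for the e-mail field are assumptions.

```python
from dataclasses import dataclass

# Login attribute per directory type, as named in the post.
LOGIN_ATTR = {"ad": "sAMAccountName", "od": "uid"}

# RFC 4515 section 3: characters that must be escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string so it can only be a literal value in an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def base_dn(domain: str) -> str:
    """Turn a DNS-style domain (mydomain.local) into dc=mydomain,dc=local."""
    return ",".join(f"dc={label}" for label in domain.split("."))


@dataclass(frozen=True)
class UserSearch:
    base: str
    ldap_filter: str
    attributes: tuple


def build_user_search(directory: str, domain: str, username: str, password: str) -> UserSearch:
    """Return the search the service account runs before the user's own bind."""
    if directory not in LOGIN_ATTR:
        raise ValueError(f"unknown directory type: {directory!r}")
    # A simple bind with an empty password is an unauthenticated bind
    # (RFC 4513 section 5.1.2) and may succeed, so reject it before any bind.
    name = username.strip()
    if not name or not password:
        raise ValueError("username and password are both required")
    attr = LOGIN_ATTR[directory]
    flt = f"({attr}={escape_filter_value(name)})"
    # Assumption: 'mail' is the attribute that feeds the WordPress e-mail field.
    return UserSearch(base_dn(domain), flt, (attr, "mail"))


if __name__ == "__main__":
    # Constructed sample logins; mydomain.local is the domain used in the post.
    for kind, user in (("od", "jdoe"), ("ad", "jdoe"), ("od", "a*(b)")):
        print(kind, build_user_search(kind, "mydomain.local", user, "constructed-pw"))
```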
This is my first post of the new year 2008, and this is my first post written on a Mac! Yes, you read that right: during the last year I’ve worked hard to explore all the paths that would make it possible for me to "reinvent" the way of doing business (where by "business" I mean IT, obviously!), and I came to this choice after long and heavy work in the new (for me) Unix field.
I’d like to explain as soon as possible the reasons which made me follow this path of innovation, but this subject is too important to be told about in this informal blog. I’ll surely write about Microsoft’s fall in a few posts on my official corporate blog.
As of now, I can only say that the "Leopard" operating system from Apple looks like a good candidate to support a lot of small-to-medium-sized businesses in my country, where the Open Directory system seems to be able to accomplish the basic functions needed by them in a more cost-effective and reliable way than the new Windows Longhorn platform can.
I’m at the beginning of my evaluation, but I feel that there will be a lot of work in the next months, mainly adapting my "engineering habits" to Apple’s new platform. :S
I’m writing using the Qumana offline blog editor on my new black Intel-based MacBook … so everything I’ve written so far was only to test this tool! 😉 If you wish to know something more about this work, please go to my official blog and wait until I have the time to write down some no-nonsense words about that!
I have been spending some free time researching a good groupware server far less featured than an enterprise product (such as Microsoft Exchange, with which I have some experience 😉 ). What I was looking for was a product which is able to:
- run on at least one type of BSD server platform;
- give a user experience similar to that of an Exchange system (e-mail, personal and shared contacts, calendar and tasks);
- be accessed using different types of desktop clients (such as Microsoft Outlook, Mac OS X Mail, web browsers or other free/open-sourced products) over the web in a secure way (using SSL/TLS);
- integrate with an existing corporate directory service (Active Directory, Mac and authenticate using secure protocols, such as Kerberos.
I’ve spent a lot of time looking for that solution and, until now, it seemed that the only way to accomplish these goals was to build it using a few stand-alone products (SMTP and IMAP server for e-mail, web collaboration for groupware tasks, external authentication services, etc.). That was not what I was looking for, since one of my requirements was to keep the administration cost as low as possible.
Some days ago I rediscovered the Communigate Pro platform, which seems to fit my needs completely: I’m giving it a try by creating a new service subdomain (see the CGP web interface at http://mail.bsd.valsania.it) and running it in a FreeBSD jail. It’s too early to say something sharp about it, but I feel that’s a great piece of software, built to perform and scale very well even in an enterprise or service provider environment, and I’ll surely be glad to get deeper into that solution.
A few days have passed since I began to play with the most famous and feature-rich open-source IP PBX. Obviously, I’m running it on my FreeBSD testing systems and, even if I’m just at the beginning, I can say that my impression of this software is very good: I feel like it is the “Sendmail” of the IP PBX field, and that makes it very friendly to me! 😀
I’ve also discovered many ways to give it a user-friendly graphic interface; I gave them a try, but they are too simple to be effectively useful in the environments where I wish to get Asterisk working. I’ll go further and maybe I’ll tell you more as soon as I have a sharper vision about that.
At the time I’m writing, the dialplan I’ve written enables me to place calls between two offices in different locations, manage incorrectly typed extension numbers and support remote SIP and IAX connections to the central office system. I wish to complete the configuration of the voicemail module and implement call parking, conferencing and dial-by-name directory as soon as possible.
Some days ago I read a very nice document explaining the technology behind the Jabber system. I have to admit that the specifications of the Extensible Messaging and Presence Protocol (XMPP) nicely impressed me! The fact that XMPP is one of the few Internet-standard IM protocols approved by the IETF definitely convinced me to build a FreeBSD jail and begin testing some Jabber servers. I’m focusing on the Openfire product, which seems to be really enterprise-ready: I’ve been able to connect it to Active Directory and to the MSFT Live Messenger public IM service in a snap! I’m also interested in ejabberd, which seems to support all the high-quality features that a hosting provider needs (such as clustering support): maybe it would be a building block of the Phoibos service infrastructure.
For the first time since I began working with Drupal I had to upgrade a running web site to a newer version. The upgrade was from the 5.1 to the 5.2 release, which contains some bug fixes (see the related announcement). The process was quite simple on a development test site and I successfully completed it on the first try. I decided to wait some more days before upgrading my first Drupal web site in a production environment!