Ubuntu’s openldap SASL authentication mechanism

In preparation for the possibility of new users at civilfritz, I’ve been trying to set up openldap on slice1. Ubuntu 10.10 uses a cn=config tree to configure openldap, which I don’t have any experience with. That’s fine, but I have found it particularly difficult to find documentation for.

I eventually found OpenLDAP’s documentation on cn=config, and came to understand that the LDIF literally stored on disk is what defines the configuration tree.

That left me still wondering how Ubuntu intends you to authenticate to the directory. It turns out that Ubuntu sets up an EXTERNAL authentication mechanism, and I found examples of its use.

Update:

It’s getting so much clearer now! I knew I wanted to learn about sasl.

It turns out that DNs of the form uid=<username>,cn=<mechanism>,cn=auth or uid=<username>,cn=<realm>,cn=<mechanism>,cn=auth represent virtual identities that don’t actually exist in the directory. You usually set up a mapping between these virtual identities and entries stored in the directory, but the default ACL explicitly grants access to gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth. I can’t find explicit documentation about ldapi and cn=peercred,cn=external,cn=auth yet, but it appears that, when I do, it will basically just describe the virtual identity tree as an interface that exposes a user’s unix identity, as read from the IPC socket, to the directory.

Another update:

While it’s true that the LDIF stored at /etc/ldap/slapd.d is the literal backend storage for the cn=config hierarchy, you’re not meant to modify it directly (because, for example, the server stores attributes you might not specify yourself, like structuralObjectClass). Once I figured out how to modify the directory as root (sudo ldap${foo} -Y EXTERNAL -H ldapi:///, with ${foo} standing in for whichever ldap* client tool you need), everything made sense.
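The root-over-ldapi identity and the virtual-to-real mapping described above, as an added shell example that is not part of the original post. It assumes a stock Debian/Ubuntu slapd with the ldapi:/// listener and the default cn=config ACL; the suffix dc=example,dc=com and the helper names (peercred_dn, authz_regexp_ldif, root_peercred_ok, show_config_acls) are mine, not OpenLDAP’s.

```shell
# Added example, not from the original post. Assumes a stock Debian/Ubuntu
# slapd listening on ldapi:/// with the default cn=config ACL that grants
# manage access to the root peercred identity.

# The virtual DN slapd assigns to a local root process (uid 0, gid 0) that
# binds over the ldapi socket with SASL EXTERNAL. It exists nowhere in the
# directory; it is derived from the unix peer credentials on the socket.
ROOT_PEERCRED_DN='gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth'

# peercred_dn UID GID: the virtual identity for any local user, in the same
# form, so a narrower ACL can be written for a non-root service account.
peercred_dn() {
    printf 'gidNumber=%s+uidNumber=%s,cn=peercred,cn=external,cn=auth\n' "$2" "$1"
}

# authz_regexp_ldif UID GID TARGET_DN: LDIF that adds an olcAuthzRegexp
# mapping the peercred identity onto a real entry (TARGET_DN is an assumed
# placeholder). The '+' in the virtual DN is a regex metacharacter, so it
# must be escaped in the match pattern.
authz_regexp_ldif() {
    uid=$1; gid=$2; target=$3
    cat <<EOF
dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: gidNumber=${gid}\\+uidNumber=${uid},cn=peercred,cn=external,cn=auth ${target}
EOF
}

# root_peercred_ok: confirms that the current shell is seen by slapd as the
# expected root virtual identity before any cn=config change is attempted.
# Returns 2 if the OpenLDAP client tools are not installed.
root_peercred_ok() {
    command -v ldapwhoami >/dev/null 2>&1 || return 2
    actual=$(ldapwhoami -Q -Y EXTERNAL -H ldapi:/// 2>/dev/null) || return 1
    [ "$actual" = "dn:$ROOT_PEERCRED_DN" ]
}

# show_config_acls: reads the olcAccess rules of every database under
# cn=config, which is where the peercred grant lives on a stock install.
show_config_acls() {
    ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(olcAccess=*)' olcAccess
}

# Typical use as root, never by editing /etc/ldap/slapd.d by hand:
#   root_peercred_ok && show_config_acls
#   authz_regexp_ldif 0 0 'cn=admin,dc=example,dc=com' \
#       | ldapmodify -Q -Y EXTERNAL -H ldapi:///
```

The ldapwhoami check is the quickest way to see which identity an ACL will actually be evaluated against: a non-root shell over ldapi gets its own uidNumber/gidNumber virtual DN and is denied by the default config ACL, which is exactly the behaviour you want to keep.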

Mumble is good code, easy to get running

In an effort to attract actual users to civilfritz (and, by extension, encourage certain people to join me in some Pathfinder), I’ve set up a preliminary Mumble server at mumble.civilfritz.net.

Mumble’s server application, Murmur, was already included in the repositories for Ubuntu 10.10, and it basically installed ready-to-go. What’s more, the client application worked flawlessly on my Debian Squeeze netbook.

Memory use was even reasonable. An idle server consumed 3 to 4 MB, with each additional user (up to my sample size of 2) using an additional 2 to 3 MB. I think that’s reasonable, anyway. Per-user memory overhead will probably drop with more users, too.

my first iTMS purchase

Ludovico Einaudi’s “Nuvole bianche” reduces me to… purchasing music on iTunes. Simply beautiful.

Even if I couldn’t listen to the album ever again, I still wouldn’t regret the $10 I spent on it.

gave up on b43

Much to my shame, I’ve given up on the open-source b43 driver for my hpmini’s wi-fi controller. I’ve got a bug report open with Debian on the DMA exception that continued to plague my system, but nothing has come of it yet. In the meantime, the binary-blob-laden wl driver is working fine.

destination Chicago security

In order to board my plane to Chicago I had to submit to

  • a rather thorough interrogation

  • carry-on luggage x-rayed

  • full-body metal detector

  • wand metal detector (even though the first metal detector did not go off)

  • another (briefer) interrogation

  • waiver to have my checked luggage searched

  • full, open-bag inspection of checked luggage (not a result of the x-ray)

  • full-body pat down

It’s absurd. I haven’t had to go through anything resembling this amount of security to enter any other country, ever. This is worse than it’s ever been to enter the U.S., too. It would be laughable if it weren’t so frightening, and if it didn’t make me angry at America. And I’m a citizen.

usefulness of tools

It’s interesting to me how dependent the usefulness of a tool is on the person using it. More specifically, it is important to match the right tool with the right person.

I think it’s safe to say that this netbook was never particularly useful to Andi; yet here I am, watching films on it while waiting for my flight in the airport.

Turkish airline security

Today I was interrogated by Turkish airline security, and for only one reason: I dared to try to travel to the U.S. “Special Security Procedures” for U.S. flights, they said. Never mind that I’m a natural born citizen.

This puts me in an antagonistic mood. I’m not going to make a big deal at security in a foreign country, but if the TSA gives me any trouble I’m going to return in kind.

After all, my bus doesn’t leave until 7pm.