Greg's Tech blog

My technical journal where I record my challenges with Linux, open source SW, Tiki, PowerShell, Brewing beer, AD, LDAP and more...

Modifying tiki

Wednesday 28 of June, 2006

Modifying Tiki
Last month I signed up for a claimID account. claimID uses the concept of a microID to help you identify your web sites. I then went through the process of adding a microID to each of the applications I use at www.gmartin.org (TikiWiki, WebCalendar, Gallery v2) so that my microID was part of the generated page. (This is somewhat invalid, as I used the generic http://www.gmartin.org to generate the microID rather than each page's own URL.)

For the most part this was a trivial exercise. I found the header or footer template and made some changes. See my other blog post for the particulars.

What I want to do now is a couple things.

  1. The first is to adjust TikiWiki so that I can add new meta tags without regenerating the Smarty template file.
  2. Next, I'd like to add some code that actually generates the microID based on the page URL.

upgrading tiki

Monday 12 of June, 2006

Made some changes to TikiWiki and had to upgrade to v1.9.4. I had some problems:

  1. The LDAP login wasn't working. That turned out to be an unrelated, global problem (LDAP was down).
  2. The tikipedia theme was busted. I copied over the tikipedia directory in the ./styles directory, but forgot the tikipedia.css in the ./styles directory.
  3. The bloglist plugin wasn't working. Had to copy it from /lib/wiki-plugins-dist to /lib/wiki-plugins.
  4. My microID meta tag changes weren't there.

Adding MicroID info (or how to add meta tags to your apps)

Tuesday 30 of May, 2006

I grabbed a userid at www.claimid.com and wanted to add the microID meta tag to the pages of several apps I run - namely TikiWiki & Gallery. I figured this all out in under an hour, so your app may be different, but give it a try. One thing: this breaks a simple rule of microID - that the URL of each page is hashed together with the email address. I used the site base URL (linux2.gmartin.org:82) for all pages. Since most of these apps only support static meta tags, that's where I wound up.

Here's how I did it:
The microID is a hash assigned to the URL & email address combination for a particular page. The email address is the address on file at microID. The microID gets added to a meta tag in the page header. The following is the microID for

<meta name="microid" content="ccb852bd6c3bfce1414c1c950bada71584ade9ba" />
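Added example, not code from the post or from claimID: it computes the microID itself (the goal stated in the "Modifying tiki" post above) and checks that a page's meta tag carries the right value. It assumes claimID's 2006 bare-hash form, sha1(sha1("mailto:" + email) + sha1(url)) with the two inner digests concatenated as lowercase hex, uses constructed email and URL values, and needs sha1sum from coreutils.

```shell
#!/bin/sh
# Constructed sample values (not Greg's real address or site).
SAMPLE_EMAIL="greg@example.org"
SAMPLE_SITE="http://www.example.org/"
SAMPLE_PAGE="http://www.example.org/tiki-index.php"

# SHA-1 hex digest of a string argument (no trailing newline is hashed).
sha1_hex() {
  printf '%s' "$1" | sha1sum | cut -d' ' -f1
}

# Bare 40-hex-character microID (assumed 2006 claimID form) for an
# email address and a page URL: sha1(sha1("mailto:email") . sha1(url)).
microid() {
  mid_email=$(sha1_hex "mailto:$1")
  mid_url=$(sha1_hex "$2")
  sha1_hex "${mid_email}${mid_url}"
}

# Write a small constructed HTML page carrying the microID for email + URL.
write_sample_page() {
  mid=$(microid "$1" "$2")
  printf '<html><head>\n<meta name="microid" content="%s" />\n</head><body>hi</body></html>\n' \
    "$mid" > "$3"
}

# Extract the content of the first <meta name="microid" ...> tag in an HTML file.
# Case-insensitive because the post's templates use both "microid" and "microID".
page_microid() {
  grep -io 'name="microid"[^>]*content="[0-9a-f]\{40\}"' "$1" \
    | sed -n 's/.*content="\([0-9a-fA-F]\{40\}\)".*/\1/p' \
    | head -n 1 | tr 'A-Z' 'a-z'
}

# Return 0 if the page's tag matches the microID expected for email + URL, else 1.
verify_page() {
  expected=$(microid "$1" "$2")
  found=$(page_microid "$3")
  [ -n "$found" ] && [ "$found" = "$expected" ]
}

# Demo: the site-wide id the post used versus the per-page id microID calls for.
echo "site-wide microid: $(microid "$SAMPLE_EMAIL" "$SAMPLE_SITE")"
echo "per-page  microid: $(microid "$SAMPLE_EMAIL" "$SAMPLE_PAGE")"
```

Because the URL is part of the hash, a page that carries the site-wide value fails verification against its own URL, which is exactly the inaccuracy the post admits to.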

I had to find the theme.tpl file corresponding to the theme I use (matrix) on the home page. I found it under ../gallery/themes/matrix/templates.

The instructions in the file say that in order to save edits across upgrades, not to edit the original files. I created a local directory (../gallery/themes/matrix/templates/local) and copied theme.tpl there. I edited the file with a text editor and modified the html to add the correct meta tag right before the line containing </head>

For TikiWiki 1.10

This was much more involved, but simpler than v1.9.x. Tiki supports the use of meta tags. Problem is that they have a pre-defined set of tags and microID was not one of them. Take a look at http://.../tiki/tiki-admin.php?page=metatags

Edit /tiki/tiki-admin_includes_metatag.php and add these lines in the if (isset($_REQUEST["metatags"])) section:


I added them after the author tag so they were clustered on the top of the page separate from the geo tags.

Next is to edit the header.tpl file in ./tiki/templates. In that file I added:

{if $metatag_microid ne ''}<meta name="microID" content="{$metatag_microid}" />{/if}

Again, I copied the 'author' item and edited it.

Last, edit the tiki-admin-include-metatags.tpl file in the ./tiki/templates directory. I copied the author line and changed the references to microid to match the other changes:

<tr><td class="form">{tr}Meta microID{/tr}:</td><td><input type="text" name="metatag_microid" value="{$metatag_microid}" size="50" /></td></tr>

Once this is done, you should be able to edit the microID tag on the admin/meta tags page. Once you save that and refresh, the tag should be on all pages in the site (not particularly accurate based on the microID concept, but it works for me!).


For TikiWiki 1.92

This was much more involved. Tiki supports the use of meta tags. Problem is that they have a pre-defined set of tags and microID was not one of them. Take a look at http://.../tiki/tiki-admin.php?page=metatags

Edit /tiki/tiki-admin_includes_metatag.php and add these lines in the if (isset($_REQUEST...)) section:


and this line in the else section:


I added them after the author tag so they were clustered on the top of the page separate from the geo tags.

Next is to edit the header.tpl file in ./tiki/templates. In that file I added:

{if $metatag_microid ne ''}<meta name="microid" content="{$metatag_microid}" />{/if}

Last, edit the tiki-admin-include-metatags.tpl file in the ./tiki/templates directory. I copied the author line and changed the references to microid to match the other changes.

Once this is done, you should be able to edit the microID tag on the admin/meta tags page. Once you save that and refresh, the tag should be on all pages in the site (not particularly accurate based on the microID concept, but it works for me!).

USB Mice & Slackware

Wednesday 28 of December, 2005

For Christmas I got this great IOGear MiniView Micro USB Plus 2-port KVM. Tonight I hooked it up to my Slackware server and had some problems with it recognizing the mouse now that it was connected via USB. My PC is an old Dell GX110, ~3 yrs old. It will work with a USB keyboard & mouse. I made sure USB emulation was enabled in the BIOS, but I am not sure it was necessary.

Within Slackware, I had to make the following changes (old setting, then new setting):

File: /etc/rc.d/rc.gpm
  old: /usr/sbin/gpm -m /dev/mouse -t ps2
  new: /usr/sbin/gpm -m /dev/input/mice -t ps2

File: /etc/rc.d/rc.modules (uncomment the three module lines)
  old: # /sbin/modprobe hid
  new: /sbin/modprobe hid
  old: # /sbin/modprobe usbmouse
  new: /sbin/modprobe usbmouse
  old: # /sbin/modprobe usbkbd
  new: /sbin/modprobe usbkbd

File: /etc/X11/xorg.conf
  old: Option "Protocol" "auto"
  new: Option "Protocol" "IMPS/2"
  old: Option "Device" "/dev/mouse"
  new: Option "Device" "/dev/input/mice"

WebCalendar & LDAP

Saturday 05 of November, 2005

Upon further review, I flipped the setting $set_ldap_version to true in user-ldap.php

Here are the rest of my settings

$ldap_server = 'localhost';          

// Port LDAP listens on (default 389)        
$ldap_port = '389';                   

// Use TLS for the connection (not the same as ldaps://)
$ldap_start_tls = false;

// If you need to set LDAP_OPT_PROTOCOL_VERSION
$set_ldap_version = true;
$ldap_version = '3'; // (usually 3)

// base DN to search for users      
$ldap_base_dn = 'ou=people,dc=gmartin,dc=org';

// The ldap attribute used to find a user (login). 
// E.g., if you use cn,  your login might be "Jane Smith"
//       if you use uid, your login might be "jsmith"
$ldap_login_attr = 'uid';

// Account used to bind to the server and search for information. 
// This user must have the correct rights to perform search.
// If left empty the search will be made in anonymous.
// *** We do NOT recommend storing the root LDAP account info here ***
$ldap_admin_dn = 'cn=search,ou=people,dc=gmartin,dc=org';  // user DN
$ldap_admin_pwd = 'Search'; // user password

//------ Admin Group Settings ------//
// A group name (complete DN) to find users with admin rights
$ldap_admin_group_name = 'cn=webcalAdmin,ou=groups,dc=gmartin,dc=org';

// What type of group do we want (posixgroup, groupofnames, groupofuniquenames)
$ldap_admin_group_type = 'groupOfUniqueNames';

// The LDAP attribute used to store member of a group
$ldap_admin_group_attr = 'uniqueMember';

//------ LDAP Search Settings ------//
// LDAP filter to find a user list.
$ldap_user_filter = '(objectclass=person)';

// Attributes to fetch from LDAP and corresponding user variables in the
// application. Do change according to your LDAP Schema
$ldap_user_attr = array(
  // LDAP attribute   //WebCalendar variable
  'uid',              //login
  'sn',               //lastname
  'givenname',        //firstname
  'cn',               //fullname
  'mail'              //email
);

Finally got this to work with LDAP. The problem was that WebCalendar wasn't making the transition to LDAP v3. I had to add:

ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, '3');

right after the line if ( $ds ) { in function user_valid_login() and again in connect_and_bind().

For some reason, the variable $ldap_version doesn't work.


LDAP Passwords

Saturday 05 of November, 2005

OK, I got slapd set up with password-hash {SSHA}. This tells slapd that all passwords are stored as {SSHA} hashes. I was able to set the root password as well as several user passwords as {SSHA} hashes using phpLDAPAdmin.

I was then able to authenticate within Tiki as a user. Don't know how to make groups work though.

LDAP, Passwords, SSL & SASL

Friday 04 of November, 2005

I'm trying to do a simple thing - store non-cleartext passwords in OpenLDAP and use phpLDAPAdmin to set them. Long term I'll be using LDAP to authenticate for tikiwiki & webcalendar.

I'm trying to understand how passwords are stored then how to make use of them. It appears in slapd.conf, you can specify the default password hash mechanism or it defaults to SSHA. I'm trying to generate such a password and set it using LDAPPasswd. LDAPPasswd makes use of SASL.

So I've generated a certificate using OpenSSL and currently slapd is listening on ports 636 & 389; however, MyLDAPAdmin cannot connect using it. Not sure yet what that is about, but I suspect the cert isn't quite right.

Auto login to the Linksys WRT54GS Parental Control

Sunday 02 of October, 2005

So we use the WRT54GS v2 for Parental Control. The PC software has a per-user login that tracks what sites/IM/E-mail you use and restricts access based on time, site, user, etc. More can be found on the Linksys site.

I have a Linux server that runs e-mail, a web site and keeps my dynamic DNS up-to-date. In order for it to work, it must always be logged into Parental Control. Problem is that whenever the server or router is restarted, I have to manually log in the server so it can work. Until now. With the release of the 3.x and 4.x firmware, a new feature was added to allow you to "auto-login" particular PCs or gaming devices. It took me 3 tech support chat sessions before I was able to convince Linksys tech support that the router now supported the feature (I had to read them the release notes!) and that they should find out how to do it. Here's what you do! (Thanks to Bryan Beals at Cisco for finally sending me the docs.)

  • Upgrade the router firmware to the latest version (currently 4.70.6).
  • Go to the Parental Control Support page.
  • Reconnect your router (this is important - it will update the version of firmware on file and allow you to get the new settings).

Once this is done, you are ready to setup the PC to autologin

  • Get the MAC address for your PC. It will look like this 00:40:93:35:41:42 or this 00-40-92-35-41-47. You can get this address from the DHCP Clients table on your router if the client is currently connected and using DHCP (it is unless you've done something to stop it). That table is located at Status, Local Network, DHCP Clients Table.
  • Go Back to the Parental Control Support page. Click the Family Settings menu option.
  • Look for the hyperlink "here" text in the beginning of the instructions and click it:
"Click a family member's name to change their Internet privileges. Click here to automatically use a family member's privileges on a specific computer or device.
  • Enter a name for the device (e.g. XBox)
  • Enter the MAC address use the colon as a separator (e.g. 00:40:93:35:41:42). Note: There is a link to see the currently connected devices. Click "Show me the known devices", highlight the device you wish to use and click Move then Close
  • Pick the existing family member's setting that you wish to use. The device will always use the permissions of the family member you've chosen. You might consider creating a special family member for the device.
  • Click Add, then click Save.

That's it. Now the device you specified will always be logged in to Parental Controls.


AD, SSL & Load Balancing

Wednesday 04 of May, 2005

Interesting times. In previous posts we walked through some thoughts about how to create 3rd party certs that have the same CN so that the LDAP clients could see any server as though it were one.

We had created a cert request that had the cn set correctly, but AD/Win2k3 would not accept it since the domain controller name was not in the CN. The article from MS said we could put the dc name in the DNS name field of the Subject Alternative Name (SAN). We thought we had tried this. What we found is that you cannot specify a SAN with a retail cert from Verisign. We then signed up for the Verisign Managed PKI service.

We're still working through the results.

LDAP, SSL & Load balancing

Wednesday 20 of April, 2005

We need to configure two AD domain controllers/ldap servers behind a load balancer. The certificates for the servers (to allow ldaps) must have a common host name in order for the application server to see the correct cert when it connects.

For the Certs for the DCs we created the following Subjects:
Subject = "CN=AUTH.dom.ORG,OU=DomNTBZ07,O=DOM,C=US,S=state,L=city"

Note that the CN is the DNS name for the load balancer VIP.

The question is whether, once the certs are installed, AD will accept them as appropriate and enable LDAP over SSL. We'll know soon.

ssh config

Wednesday 20 of April, 2005

I realized the danger in having root access via ssh. I reconfigured sshd by editing /etc/ssh/sshd_config and adding the line: DenyUsers root.

Using a Verisign (or 3rd party) Certificate for AD Domain Controllers

Thursday 07 of April, 2005

If you are using a Microsoft CA, adding a cert to enable LDAP over SSL is a matter of simply installing the CA on a domain controller in the domain. The DCs all enroll automatically and you're done.

We've been struggling with how to add a 3rd party (Verisign) certificate to our Win2k3 AD domain controllers. Here's what we tried and what worked. If this helps you, please drop me a note at gmartinatgmartin.org

We first went to the MS knowledge base and found several articles. See the resources list below.

They were mostly useless as few relate to Windows 2003. Particularly with how to generate the request. They refer to the Certificates snap-in. For whatever reason, you cannot generate a cert request using the snap-in. I believe it was tied to the MS CA.

The document with the real information is Advanced Certificate Enrollment and Management: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx

Read that document then follow these steps:

  1. Create the reqdccert.vbs VBScript on the domain controller file system.
  2. Run the script on the domain controller console (or in a terminal services session). I did so without any command-line switches.
  3. The following files get created:

We're most interested in the .inf file. Open it with Notepad and the contents should look like this:

[Version]
Signature="$Windows NT$"

[NewRequest]
KeySpec = 1
KeyLength = 1024
Exportable = TRUE
MachineKeySet = TRUE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

; The subject alternative name (SAN) can be included in the INF-file
; for a Windows 2003 CA.
; You don't have to specify the SAN when submitting the request.
; The template name can be included in the INF-file for any CA.
; You don't have to specify the template when submitting the request.

The section we care about is [NewRequest]. For Verisign, there must be a Subject entry in this section and it must contain a lot of information. The subject we settled on looked like this:
Subject = "CN=ourServerName.ourDomain.org,OU=IT,O=ourOrg,C=US,S=somState,L=someCity"

Verisign requires the OU, O, C, S and L entries in order to generate the cert.
So make the changes and save the .inf file.

Now run:

certreq -new svrname.inf svrname.req

The resulting .req file is what you submit to Verisign to request the certificate.

Once you receive the cert back, import it using:

certreq -accept certfilename

Hope this helps.

If this helps you, please drop me a note at gmartinatgmartindotorg

Resources:

  • Description of the requirements and of the troubleshooting methods that you can use to enable an LDAP client to communicate with an LDAP server over SSL
  • Requirements for Domain Controller Certificates from a Third-Party CA
  • Unable to Connect to a Domain Controller by Using LDAP Connection over SSL
  • How to enable LDAP over SSL with a third-party Certification Authority
  • Advanced Certificate Enrollment and Management

Updating user accounts with DSMOD

Thursday 07 of April, 2005

We had to set the passwords for a bunch of accounts. DSMOD seemed appropriate since we had a list of DNs.

Here's what I did.
I saved the file as a CSV then replaced the commas delimiting the fields with colons. Using comma as the delim didn't work since DNs have commas.

Then the following command did the trick:
for /f "delims=: tokens=1-3" %a in (ETSNT60UsersToSetPasswords2.csv) do dsmod user %a -pwd %c

The for /f loops through the file specified in 'in (...)'.

The delims=: tells for that every colon delimits the next field.

The tokens= tells for how many items to pass once it has split the input line on the delimiter.

The %a is the name of the first token. In our command %a, %b & %c were set to the DN, sAMAccountName and password. The sAMAccountName was not needed, so the following command would have worked:

for /f "delims=: tokens=1,3" %a in (ETSNT60UsersToSetPasswords2.csv) do dsmod user %a -pwd %c

Note the change in tokens= to pass just the first & 3rd token (DN & pwd).


Using wget for DynamicDNS updates

Wednesday 06 of April, 2005

wget -O - --http-user=username --http-passwd=$SEC 'https://dynamic.zoneedit.com/auth/dynamic.html?host=linux2.gmartin.org'

wget -O - --http-user=username --http-passwd=$SEC 'https://dynamic.zoneedit.com/auth/dynamic.html?host=linux1.gmartin.org'

wget -O - --http-user=username --http-passwd=$SEC 'https://dynamic.zoneedit.com/auth/dynamic.html?host=ldap.gmartin.org'

MIIS Design

Wednesday 06 of April, 2005
Question today was whether we need to provide a MIIS environment for staging. After talking through we came up with the following:

  • There is no internal staging directory. There is only the etslan.org directory, although we do have a staging server defined.
  • There is no need to performance test against the internal directory

With this in mind, we're thinking that we'll have a single MIIS server sync accounts into both the prod & stage directories

WebCalendar upgrade

Monday 27 of September, 2004

I upgraded WebCalendar to 0.9.44 (from .43). The process was painless. I:

  1. created a new directory /usr/local/WebCalendar-0.9.44
  2. Edited the includes/config.php to add the db password
  3. Edited the Alias entry in httpd.conf to point to the new directory

What's left:

  • zip the old directory
  • make any needed db updates


sed (the stream editor)

Tuesday 07 of September, 2004

I've been using sed to modify the import files for the Exchange lab. Here are some tricks & links.

To match & replace a particular string:

  • s/%Distribution Lists\/cn=[0-9][0-9][0-9][0-9]//ig   matches "%Distribution Lists/cn=xxxx", where xxxx is four digits, and deletes it
  • s/ROSNT[0-9][0-9]/EAOEX1/gI   matches ROSNTxx and replaces it with EAOEX1
  • s/EWZNT[0-9][0-9]/EAOEX1/gI   matches EWZNTxx
  • s/ou=ETS\//ou=ETSEXT\//gI   matches ou=ETS/
  • s/o=ETS\//o=ETSEXT\//gI   matches o=ETS/
  • s/ETS\//ETSEXT\//gI   matches ETS/
  • s/p=ETS;/p=ETSEXT;/gI   matches p=ETS;
  • s/o=ETS;/o=ETSEXT;/gI   matches o=ETS;
  • s/ETS.ORG/etsext.ORG/gI   matches ETS.ORG
  • sed -n -e "/\$:/p" <filename   prints only the lines in filename containing "$:"
  • sed -e "/\$:/d" <filename   prints only the lines not containing "$:"
  • sed -n -e "/^dn: CN=ets/,/^$/p"   prints all the lines from one starting with "dn: CN=ets" through the next blank line (^$)

The general command line looks like:

sed -e "s/%Distribution Lists\/cn=[0-9][0-9][0-9][0-9]//ig" filename

The quotes around the regex are required if there is a space in the regex. The regexes can also be put in a file and referenced with -f:

sed -f sedscript.sed filename

  • The
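Added example, not from the post: the substitutions above collected into a -f script file and applied to a constructed LDIF-style export (sample data, not the real Exchange lab files), plus the range print and the "$:" filters. The post's I flag (case-insensitive) is GNU-only and is left out so this also runs under POSIX sed; the literal dot in ETS.ORG is escaped so it does not match any character.

```shell
#!/bin/sh
WORK=$(mktemp -d)

# Constructed input: one "ets" entry, a blank line, a second entry, and a "$:" marker line.
cat > "$WORK/export.ldif" <<'EOF'
dn: CN=ets-user1,ou=ETS/People,o=ETS/Org;p=ETS;
homeMTA: ROSNT07
memberOf: %Distribution Lists/cn=1234
mail: user1@ETS.ORG

dn: CN=other,ou=Misc
homeMTA: EWZNT12
$:skip-me
EOF

# The post's substitutions as a sed script used with -f (order matters:
# the ou=/o= forms run before the bare ETS/ form so nothing is rewritten twice).
cat > "$WORK/fix.sed" <<'EOF'
s/%Distribution Lists\/cn=[0-9][0-9][0-9][0-9]//g
s/ROSNT[0-9][0-9]/EAOEX1/g
s/EWZNT[0-9][0-9]/EAOEX1/g
s/ou=ETS\//ou=ETSEXT\//g
s/o=ETS\//o=ETSEXT\//g
s/ETS\//ETSEXT\//g
s/p=ETS;/p=ETSEXT;/g
s/o=ETS;/o=ETSEXT;/g
s/ETS\.ORG/etsext.ORG/g
EOF

# Rewrite the whole export with the script file.
rewrite_export() { sed -f "$WORK/fix.sed" "$WORK/export.ldif"; }

# Print only the entry block from "dn: CN=ets" up to the next blank line.
extract_ets_entry() { sed -n '/^dn: CN=ets/,/^$/p' "$WORK/export.ldif"; }

# Drop lines containing the literal "$:" marker (the post's /\$:/d form).
drop_marker_lines() { sed '/\$:/d' "$WORK/export.ldif"; }

# Count lines containing "$:" (the post's -n /\$:/p form).
count_marker_lines() { sed -n '/\$:/p' "$WORK/export.ldif" | wc -l | tr -d ' '; }

echo "--- rewritten export ---"; rewrite_export
echo "--- ets entry only ---"; extract_ets_entry
```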

PXE Server

Thursday 22 of April, 2004

We need three things:

  • DHCP server
  • TFTP server
  • NFS share

DHCP server

edit the configuration file (dhcpd.conf):

option domain-name "linux.sun.com";
option domain-name-servers,;
option subnet-mask;

allow bootp;
allow booting;
option ip-forwarding false; # No IP forwarding
option mask-supplier false; # Don't respond to ICMP Mask req
ddns-update-style = adhoc;
get-lease-hostnames on; # DNS lookup hostnames
use-host-decl-names on; # And supply them to clients

# WARNING: This is a default configuration - any system PXE booting will
# wipe out all existing data on the first hard disk and install
# RedHat Enterprise Linux AS

subnet netmask {
next-server; # name of your TFTP server
filename "/as-2.1/sun/pxelinux.bin"; # name of the boot-loader program
range; # dhcp clients IP range
}

  • start dhcpd manually (added it to rc.local)

tftp server

  • create /var/tftp directory
  • Add files to the directory (pxelinux.bin)
  • startup using /usr/sbin/in.tftpd -c -l -v -s /var/tftp

NFS share

  • edit /etc/exports
  • add ' /var/tftp *(ro,sync) '
  • restart nfs 'rc.inet2 restart'

Turning on POP3 & other services

Monday 19 of April, 2004

I have sendmail working but couldn't connect to a mailbox using OE. Did some looking around and sure enough we weren't listening on port 110 - the POP3 port. More research and I found that I needed to edit /etc/inetd.conf in order to have inetd start the pop3 service. While I was there I started imap2 and swat (for samba admin).

After saving the file I ran '/etc/rc.d/rc.inetd restart' to restart the daemon.


PS - what's left?
- Mail testing
- Mail migration for Priscilla & Caolinn
- Mailman install & migration

Compiling Sendmail

Wednesday 14 of April, 2004

  • Downloaded Sendmail 8.12.11
  • Created site.config.m4 file in sendmail/Site directory. Added the following lines:

APPENDDEF(`conf_sendmail_LIBS', `-lsasl2')
APPENDDEF(`confLIBDIRS', `-L/usr/local/lib')
APPENDDEF(`confINCDIRS', `-I/usr/local/include/sasl')
APPENDDEF(`confLIBS', `-lnsl -lssl -lcrypto -lwrap -lm -ldb -lresolv')

  • ran ./Build -c -n (to clear out old build)
  • Set authinfo file:

Authinfo:outgoing.verizon.net "U:vze1jt1m" "I:vze1jt1m@verizon.net" "P:password" "R:outgoing.verizon.net" "M:PLAIN"

  • restart sendmail ('rc.sendmail restart')

http://www.sendmail.org/~ca/email/auth.html

Adding SASL support

Wednesday 14 of April, 2004

I need to configure Sendmail. From my experience, I believe I will need SASL to support client authentication. The first step is to install SASL

  • I downloaded Cyrus-SASL v 2.1.18 from ftp.andrew.cmu.edu/pub/cyrus
  • Renamed file to *.tgz so it was compatible with the slackware installer
  • moved the subsequent directory to /tmp/sasl/cyrus-sasl-2.1.18

  • Ran ./configure without error

./configure --enable-anon --enable-plain --enable-login --disable-krb4 --with-saslauthd=/var/run/saslauthd --with-pam --with-openssl=/usr/local/ssl --with-plugindir=/usr/local/lib/sasl2 --enable-cram --enable-digest --enable-otp

http://www.projektfarm.com/en/support/howto/sendmail_smtp_auth_tls/sendmail_smtp_auth_tls.html
http://www.sendmail.org/~ca/email/auth.html
http://www.jimohalloran.com/archives/000227.html

  • Ran make without error
  • Ran make install
  • Removed /tmp/sasl...

  • Start SASL ('saslauthd -a shadow')
  • added to rc.local

More Linux2 changes

Tuesday 13 of April, 2004


I made some more changes tonight. Specifically

  • Copied over and configured zoneclient to update ddns automatically. See 'crontab -e' and /usr/local/zoneclient

  • Copied over myindex.html
  • Apache changes
    • Copied but have not configured phpMyAdmin. Added dbAdmin link. Still need to do .htaccess
    • Configured apache to listen on port 80 & 82 (Listen). Removed forward from port 82 to port 80.
    • Configured Servername and serveradmin in apache config (httpd.conf)
    • Changed UseCanonicalname to Off. Should fix some problems with mailman...


Tiki Move

Monday 12 of April, 2004

Tiki was migrated to linux2.gmartin.org over Easter weekend. The new server is twice the speed (400MHz) and has 3x the RAM (320MB). Pages load much faster and graphics are rendered quickly. John is testing externally.

I moved the data using mysqldump and mysql. The config looks like this

  • Tiki is installed to /usr/local/tiki-<version> with a link to /usr/local/tiki
  • Files are stored externally in /usr/local/tiki/files
  • Images in /usr/local/tiki/imagegal

Still to do:

  • Upgrade tiki to 1.7.7 or 1.8.4
  • Install phpMyAdmin (use webmin until then)
  • Configure Sendmail
  • Move mailboxes
  • Move Mailman


Fixing new Mailman Lists

Wednesday 25 of February, 2004


Creating a new mailman list embeds it with an improper hostname. The best way to create a list is the following.

run '/usr/local/mailman/bin/newlist'

Once created, fix the URL by running:
'/usr/local/mailman/bin> ./withlist -l -r fix_url -u linux1.gmartin.org:81'