• 04Jun

    Hellu!

    Lately I’ve been working on securing some web-accessible resources, especially Subversion access to repositories through the Apache web server. One aspect we found very difficult was securing Subversion access through our Apache server when we had an Active Directory server to authenticate against (I know..).

    Apache has directives such as “Require valid-user”, which signals that a user has to be authenticated against some authentication provider. In most cases this is provided by a standard “.htaccess” and “.htpasswd” combination. For small projects, this may be a workable approach. However, in a large-scale organization where you want dynamic handling of users and their access, using groups to reflect the users’ access to resources may be a better solution.

    For one of our projects, we wanted all LDAP (AD) users to have read access, while members of certain groups have read and write access. We solved this with the following Apache config:

    <Location /wicked_project>
       DAV svn
       SVNParentPath /var/svn/wicked_project
       AuthzLDAPAuthoritative off
       AuthType basic
       AuthBasicProvider ldap
       AuthName "Need to authenticate here"
       AuthLDAPBindDN "ldap_user@domain.net"
       AuthLDAPBindPassword secretPassword
       AuthLDAPURL "ldap://ad.domain.net/dc=domain,dc=net?sAMAccountName?sub?(objectClass=*)"
     
       # Methods granted to any authenticated LDAP (AD) user
       <Limit GET PROPFIND OPTIONS CHECKOUT>
          Require valid-user
       </Limit>
       # Methods granted only to members of either group (OR filter)
       <Limit REPORT MKACTIVITY PROPPATCH PUT MKCOL MOVE COPY DELETE LOCK UNLOCK MERGE>
          Require ldap-filter |(memberOf=CN=Staff,OU=GROUPS,DC=DOMAIN,DC=NET) \
                       (memberOf=CN=Wicked_project_rw,OU=GROUPS,DC=DOMAIN,DC=NET)
       </Limit>
    </Location>

    Another LDAP directive which can work if you only need one group to have read and write access is the “ldap-group” directive. However, in our case we needed multiple groups, which is not supported by the “ldap-group” directive.

    To solve this problem we used “ldap-filter” with multiple group filters inside the same filter, and divided them with the boolean OR. I don’t know if there are any more elegant ways of achieving the same result, but this solved our problems.

    Having a second look at this “ldap-filter” directive, I see that it has a significant strength in terms of flexibility. However, one aspect I have not considered is the performance of this approach. Without looking in depth into the mod_ldap Apache module, I can guess that for each filter inside the ldap-filter directive, it has to make a query to the LDAP (AD) server to retrieve the wanted resource. So, for each group filter inside the ldap-filter, you need a call. In our approach, we need two LDAP queries. As you may now see, the more groups to filter, the more LDAP queries, hence the performance will degrade the more complex the ldap-filter is.
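
    Apache applies directives placed inside <Limit> only to the methods listed there, so a method named in neither section of the configuration above has no Require attached, which is why Apache's documentation recommends <LimitExcept> when restricting access. The following is an added example, not part of the original post: it reports which methods a block leaves without a Require, for the two sections as posted and for a <LimitExcept> variant with the same policy. The method reference list (the post's methods plus HEAD, POST and PATCH) and all function names are assumptions.

```python
import re

READ = "GET PROPFIND OPTIONS CHECKOUT"      # first <Limit> list in the post
WRITE = "REPORT MKACTIVITY PROPPATCH PUT MKCOL MOVE COPY DELETE LOCK UNLOCK MERGE"
# Assumption: audit against the post's methods plus three it does not name.
KNOWN_METHODS = frozenset(f"{READ} {WRITE} HEAD POST PATCH".split())
RW = ("Require ldap-filter |(memberOf=CN=Staff,OU=GROUPS,DC=DOMAIN,DC=NET)"
      "(memberOf=CN=Wicked_project_rw,OU=GROUPS,DC=DOMAIN,DC=NET)")
SECTION = re.compile(r"<(/?)(Limit|LimitExcept)\b([^>]*)>", re.I)
# Constructed from the post's config: two <Limit> sections, nothing outside them.
AS_POSTED = f"""<Limit {READ}>
Require valid-user
</Limit>
<Limit {WRITE}>
{RW}
</Limit>"""
# Same policy, but any method outside the read list lands in <LimitExcept>.
WITH_LIMITEXCEPT = f"""<Limit {READ}>
Require valid-user
</Limit>
<LimitExcept {READ}>
{RW}
</LimitExcept>"""

def _expand(names):
    """Apache handles HEAD as GET, so a section naming GET also governs HEAD."""
    methods = set(names.upper().split())
    return methods | {"HEAD"} if "GET" in methods else methods

def requirements_by_method(config, known=KNOWN_METHODS):
    """Map each known method to the Require lines that apply to it."""
    result = {m: [] for m in known}
    scope = set(known)      # outside any section a Require governs every method
    for line in map(str.strip, config.splitlines()):
        tag = SECTION.match(line)
        if tag and tag.group(1):                        # closing tag
            scope = set(known)
        elif tag and tag.group(2).lower() == "limit":   # <Limit ...>
            scope = _expand(tag.group(3)) & known
        elif tag:                                       # <LimitExcept ...>
            scope = set(known) - _expand(tag.group(3))
        elif line.lower().startswith("require "):
            for method in scope:
                result[method].append(line)
    return result

def uncovered_methods(config):
    """Known methods to which no Require applies."""
    return sorted(m for m, r in requirements_by_method(config).items() if not r)
```

    Calling uncovered_methods() on a real <Location> body works the same way; an empty list means every method in the reference list is tied to at least one Require.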

  • 20Apr
    Categories: VIM, development Comments: 0

    Hi there.

    These days it is all about being efficient in your working process. Now, I find myself using Vim a lot, both for regular text processing, e-mail, Wiki page editing (Firefox + ViewSourceWith), and Python/C/C++ programming.

    I should be clear that the usefulness of Vim as an IDE pretty much depends on the size of the software project. If we are making a very small piece of software, then I most often find Vim most efficient. However, if the project is large, then maybe Eclipse or KDevelop is more efficient. I should also state that I keep Java programming in the Eclipse IDE.

    So, how can you use Vim marks to be more efficient? Well, say you have a large source code file and you find yourself moving a lot between some blocks of code. Then, to save you the trouble of holding down your keys until you’re at the requested position, you just jump to a previously declared mark.

    Vim screenshot


    Now, if we have the cursor over some frequently used function/class/variable (or something), and we want to store a Vim marker there, we hit the keys: ma.

    This stores a marker in register a. So, if we’re somewhere else in our file, and want to jump back, we may type: 'a.

    Notice however that there is a distinction between lowercase and uppercase register names. If we type mA instead of ma, then we are able to jump between files (often you’re writing source code in multiple files). You may store these markers in registers a-z for in-file references, and A-Z for between-file references.

    To delete your marker, type :delmarks a (d'a would instead delete the lines between the cursor and the marker). If you only want to replace it with a new marker, then simply type ma again. You may also list all known markers with:


    :marks

    I would recommend reading this Vim wiki page regarding these Vim marks. I find them very useful; hopefully you will too.

    Vim screenshot


  • 21Mar

    Since the very important and big release of Python v3.0 (also known as “Python 3000”) in December, there have been some minor bugfixes and further improvements. Now, in Python v3.1, we get to benefit from these bugfixes and enhancements.

    Python Logo


    Among the important changes, we may highlight:

    • The IO module has been reimplemented in C to gain even more speed
    • Decoding of utf-8, utf-16 and latin1 is now 2x to 4x faster than before
    • int and str comparisons are now faster

    So, for all Python v3.0 people out there, I would suggest upgrading to this latest version. Visit this site: http://www.python.org/download/releases/3.1/

  • 25Feb
    Categories: Funny Comments: 0

    I was at the AC/DC Black Ice concert in Oslo 18.Feb, and I must say, it was an incredible live performance by AC/DC. The concert was held in the new “Telenor Arena”.

    AC/DC


    Classic songs like “Highway to hell”, “Thunderstruck”, “T.N.T.”.. Also, given the fact that these guys ain’t getting any younger, they sure did impress me. I would seriously consider attending another concert with these guys, even if it means I have to put my arse on a plane to another country.

  • 30Jan

    Hi everyone.

    I just want to inform you that I’ve taken some further steps to describe and provide my master thesis. I have written a page (http://asbjorn.fellinghaug.com/blog/master-thesis/) whose goal is to summarize and further describe the overall goals and design of my master thesis.

    I will also - in time - further work on the bigram index, as I want to see its full working potential on a more real-life collection. In the beginning I will use the dumps provided by the wonderful Wikipedia foundation. These dumps are several gigabytes of pure text (and some metadata). I realize that the content of each Wikipedia article may not fully reflect typical websites on the internet, but it is a start. The next step I’ve set myself is to find a sufficiently large website, and then index all the data on it. Then, to check how the bigram index performs on it.

    I will most likely keep further developments in the Java programming language, as it is the language which Apache Lucene is written in. However, I’m also quite interested in writing a Python analyzer for the PyLucene package (Python port of Lucene).

  • 06Jan

    Hi everyone.

    Every now and then I get somewhat annoyed by the fact that I add temporary or “unwanted” files to a Subversion repository. These may be just temporary files, like *.tmp, which have no value in being kept in a repository, or compiled Python files (*.pyc), etc.

    The common characteristic is that they are generally unwanted, and that they can easily be removed from the SVN repository. A common approach to this issue is to set a property named “svn:ignore” on a directory, or on the whole directory structure. This can be achieved with this command:

    $ svn propset svn:ignore "*.tmp" .

    where the single dot at the end denotes the current directory. However, this must be performed for each Subversion project, which can get annoying in time. I’ve recently discovered the possibility of setting global Subversion settings for my own user. The per-user Subversion settings file is located at $HOME/.subversion/config. In that file there is a section named “[miscellany]”, which holds a variable named “global-ignores”. This variable can hold multiple ignore patterns, which will apply to all the svn checkouts you may work on (given you are using this user).

    This Subversion settings file also contains many more exciting options, such as automatic properties which apply to certain files. Have a look at the end of the $HOME/.subversion/config file and notice some of the predefined settings.

    A tip based on personal experience is to add the following patterns to the global-ignores variable:

    *.pyc # python byte compiled code
    *.swp # vim swap file
    *.tmp # general temp files

  • 29Dec
    Categories: general IT Comments: 0

    Every year I set myself some “abstract” goals regarding achievements I should manage to reach. However, each year there are always one or two goals which are left behind. What I would especially highlight this year is to finish some of my software projects which have just been left in mid-air.

    • A simple webpage for my topdomain (fellinghaug.com)
    • My very simple, yet (hopefully) powerful Python search engine (codename “Wallace”)
    • Contribute more to the open-source community (register myself as a python developer, solve bugs and translate projects on launchpad.net)

    Let’s not get ahead of ourselves here, and just stop the list there. Adding more would simply make it overwhelming and unrealistic. If I surprise myself in terms of the timeframe (a year) for these goals, then I would allow myself to add more stuff to this list.

    I would encourage fellow developers out there to also make yourselves goal lists, as these lists tend to improve the developer’s efficiency. It certainly feels so in my case.

  • 04Dec

    Hi everyone!

    Today I have a pleasant surprise! “Python v3.0” has reached its final milestone, and has therefore been released into the wild. This is very interesting, as this new version facilitates some neat features. Instead of listing them here, I would recommend you read the “What’s In Python 3.0”.

    Python Logo


    One issue they haven’t been able to solve is the GIL (Global Interpreter Lock). I sincerely hope this will be solved in time, as it somewhat constrains the usage of Python in high performance computing with threads.

  • 18Nov

    Hi everyone.

    A couple of times now I’ve been amazed at how many people are still unaware of IPython. From the IPython webpage, a very short summary of what IPython is: “Enhanced interactive Python shell”. The Python programming language is built around its interpreter, which facilitates dynamic typing and execution. This feature sufficiently increases productivity, as it is no problem to test and try code snippets on the fly.

    IPython is a further extension of the standard Python interpreter, as it provides more features in the Python shell, such as auto-completion of imported modules, syntax highlighting, colors, and various other useful commands and features.

    IPython is highly flexible in terms of letting the user extend the Python shell even further with custom commands (called magic commands). There is also an even tighter integration between the Python interpreter and the underlying shell, such as bash, csh, etc. It is for instance much simpler to list files and folders, by just typing “ls” directly into the shell. Even commands such as “mkdir”, “mv” and “rm” are built in, and it’s trivial to further extend the shell command vocabulary with more complex commands. We’ll show an example of how to extend it with custom commands below.

    Like all flexible software, IPython comes with a main configuration file ($HOME/.ipython/ipythonrc). If we wanted a custom command, such as “chmod <mod> <file>” (chmod 755 myfile.py), we could add this to the “ipythonrc” file:


    # my custom chmod alias. By typing '>>> chmod 755 myprog.py' or
    # '>>> chmod a+rx myprog.py' IPython will execute this
    # statement as a shell command.
    alias chmod chmod %s %s

    Also, debugging lists (tuples, dictionaries, etc.) is more readable within IPython, as it wraps all such print statements inside the “pprint” (pretty-print) module, and therefore produces a comprehensible representation.

    So, if you often find yourself in the Python interpreter, I would highly recommend spending half an hour getting to know IPython. I promise you - it will save you a lot of headaches in the future.

  • 27Oct
    Categories: python Comments: 0

    Finally!

    It’s time for the monthly edition of the Python Magazine, which is a highly interesting and technical magazine regarding the Python programming language.

    python magazine


    Everyone who is into Python should subscribe to this magazine, as it covers many “hot” topics, as well as presenting many how-to tutorials for everyday challenges, from cutting-edge web applications and frameworks to desktop applications and backbone server implementations.