Fellinghaug Blog » tips

Apache, subversion and LDAP group authentication

Asbjørn Alexander Fellinghaug — Thu, 04 Jun 2009 07:30:00 +0000

Hellu!

Lately I’ve been working on securing some web accessible resource, especially Subversion access to repositories through the Apache webserver. One aspect we found very difficult was to secure subversion access through our apache server, when we had a Active Directory server to authenticate against (I know..).

Apache have some directives such as “Require valid-user” which signals that a user has to be authenticated against some authentication provider. This is in most cases a standard “.htaccess” and “.htpasswd” combination which provides this. For small projects, this may be a working approach. However, in a large-scale organization where you want a dynamic handling of users and their access, then using groups to reflect the users access to resources may be a better working solution.

For one of our projects, we wanted all LDAP (AD) users to have read access, while members of certain groups have read and write access. We solved this with the following Apache config:

<Location /wicked_project>
   DAV svn
   SVNParentPath /var/svn/wicked_project
   AuthzLDAPAuthoritative off
   AuthType basic
   AuthBasicProvider ldap
   AuthName "Need to authenticate here"
   AuthLDAPBindDN "ldap_user@domain.net"
   AuthLDAPBindPassword secretPassword
   AuthLDAPURL "ldap://ad.domain.net/dc=domain,dc=net?sAMAccountName?sub?(objectClass=*)"
 
   OPTIONS CHECKOUT>
      Require valid-user
   
   
   Require ldap-filter |(memberOf=CN=Staff,OU=GROUPS,DC=DOMAIN,DC=NET) \
                (memberOf=CN=Wicked_project_rw,OU=GROUPS,DC=DOMAIN,DC=NET)
   
Location>

Another LDAP directive which can work if you only need one group to have read and write access is the “ldap-group” directive. However, in our case we needed multiple groups, which is not supported by the “ldap-group” directive.

To solve this problem we used “ldap-filter” with multiple group filters inside the same filter, and divide them with the boolean OR. I don’t know if there are any more elegant ways of achieving the same result, but this solved our problems.

Having a second look at this “ldap-fiter” directive, I see that it have a significant strength in terms of flexibility. However, one aspect I have not considered is the performance of this approach. Without looking in-depth into the mod_ldap apache module, I can guess that for each filter inside the ldap-filter directive, it have to make a query to the LDAP (AD) server to retrieve the wanted resource. So, for each group filter inside the ldap-filter, you need a call. In our approach, we need two LDAP queries. As you now may see, the more groups to filter, the more LDAP queries, hence the performance will degrade the more complex the ldap-filter is.

Twitter from commandline

Asbjørn Alexander Fellinghaug — Mon, 05 May 2008 19:26:44 +0000

I’ve been taken by the Twitter storm these days.. Damn, I should focus a hole lot more on my master report. Well, this took me only one little hour, so it’s not that waste of time.. So, I guess you have heard about the new “facebook” called Twitter? Well, its this new web community thing were people can write their current status for what they are doing in the world.. And, of course, one can follow friends and pay attention to were / what they are doing.. Now, after some time I found it rather heavy to enter the twitter webpage, login, and then post a new twitter message for each time I want to update my status. So, as a python fan I am, I created myself a little python script to capture this problem. It relies on the python-twitter module available at the Google Code pages. So, lets have a look at the code. I have named this file “update.py”, however feel free to rename it.

#!/usr/bin/env python
import twitter
import sys
 
USERNAME=""
PASSWORD=""
 
def postNewMessage(msg):
    api = twitter.Api()
    api = twitter.Api(username="", password="")
 
    if isinstance(msg, list):
        msg = " ".join(msg)
    msg = unicode(msg, "utf-8")
    if len(msg) > 140:
        print "ERROR: Message can't be over 140 chars."
        return
    try:
        api.PostUpdate(msg)
        print "OK. Was %i chars in msg." % len(msg)
    except Exception, e:
        print "FUck.."
 
    api.ClearCredentials()
 
if __name__ == "__main__":
    if len(sys.argv) > 1:
        t = sys.argv[1:]
        if len(t) == 1 and len(t[0]) > 10:
            # writes ./update "hi there mate"
            postNewMessage(t[0])
        else:
            # writes ./update hello world
            postNewMessage(sys.argv[1:])
    else:
        print "fuck"

Linux and internal OS caching

Asbjørn Alexander Fellinghaug — Sat, 19 Apr 2008 19:46:34 +0000

Caching inside Linux such as pages and inodes can become quite hugh, and thats the point. Linux wants to utilize all the available memory to create a faster working environment…

Now, lately I’ve been experimenting on some IR-software (http://lucene.apache.org), and for these experiments I needed to clear the internal page caching of I/O data. Basicly, whenever I open a file, then Linux caches that particular file, so that if I need it again later on, it will be available in “no-time”. For my experiments, I needed a “clean” cache for every run, and therefor needed to clear my cache.

After some Googling I stumbled upon this site: http://linux-mm.org/Drop_Caches. There was a lot of interessting stuff there, so I would recommend people to read it.

Basically, whenever you need to uncache something in your computer, you can (in Linux that is), write the following in a terminal:

This one below will free pagecache:

# echo 1 > /proc/sys/vm/drop_caches

This one below will free dentries and inodes:

# echo 2 > /proc/sys/vm/drop_caches

This one below will free both pagecache, dentries and inodes:

# echo 3 > /proc/sys/vm/drop_caches