Sivel.net  Throwing Hot Coals


XCache Admin Cannot Login When Using Apache and mod_fcgid

I have been helping a friend set up a dedicated server to host his clients' sites on and wanted to make things as streamlined and as easy as possible. To do so I installed Apache 2.2, PHP5, XCache and mod_fcgid. I am using suexec with Apache to run the scripts as the users who own the scripts.

I wanted to verify that XCache was working, so I copied the XCache admin directory into one of the document roots and tried to log in. To my surprise I was not able to log in even though I was using a known good md5 password hash in the XCache configuration.

It took me about a month of searching to find out that the server variables PHP_AUTH_USER and PHP_AUTH_PW don’t seem to work with mod_fcgid. This Lighttpd forum entry led me to the XCache admin config.php.

Here is what is required:

  1. Create a file in your XCache admin directory called config.php
  2. In this file add the following, using the information you provided in the XCache configuration:

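    <?php
    // Supply the credentials the XCache admin page expects,
    // since mod_fcgid does not populate these variables.
    $_SERVER['PHP_AUTH_USER'] = 'admin_username';
    $_SERVER['PHP_AUTH_PW']   = 'admin_password';
    ?>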

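  3. Configure some other means of authentication, such as htpasswd or htdigest, for the XCache admin directory. With config.php supplying the credentials on every request, XCache's own login no longer keeps anyone out.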
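
An alternative to hard-coding the credentials, shown as an added example that is not part of the original post: config.php can rebuild PHP_AUTH_USER and PHP_AUTH_PW from the request's Basic Authorization header, so XCache's own password check keeps working. It assumes the web server is configured to forward that header to PHP as HTTP_AUTHORIZATION or REDIRECT_HTTP_AUTHORIZATION; the function names and the sample header are constructed for illustration.

```php
<?php
// Added example, not part of the original post.
// Assumption: the web server forwards the Authorization request header to PHP
// as HTTP_AUTHORIZATION or REDIRECT_HTTP_AUTHORIZATION.

// Decode a "Basic ..." header value into user and password, or return null.
function basic_credentials($header) {
    if (!is_string($header)
        || !preg_match('/^Basic\s+([A-Za-z0-9+\/=]+)$/i', trim($header), $m)) {
        return null;                       // missing, or not the Basic scheme
    }
    $decoded = base64_decode($m[1], true); // strict mode rejects malformed base64
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    // Split on the first colon only: the password may itself contain colons.
    list($user, $password) = explode(':', $decoded, 2);
    return array('user' => $user, 'password' => $password);
}

// Fill PHP_AUTH_USER / PHP_AUTH_PW in $server when the SAPI left them unset.
function populate_php_auth(array &$server) {
    if (isset($server['PHP_AUTH_USER'])) {
        return true;                       // already populated, e.g. under mod_php
    }
    foreach (array('HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION') as $key) {
        $creds = isset($server[$key]) ? basic_credentials($server[$key]) : null;
        if ($creds !== null) {
            $server['PHP_AUTH_USER'] = $creds['user'];
            $server['PHP_AUTH_PW']   = $creds['password'];
            return true;
        }
    }
    return false;                          // nothing usable: leave the variables unset
}

// What config.php would do on each request.
populate_php_auth($_SERVER);

// Constructed sample request environment, shown only when run from the command line.
if (PHP_SAPI === 'cli') {
    $sample = array(
        'REDIRECT_HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('admin_username:pa:ss'),
    );
    populate_php_auth($sample);
    echo $sample['PHP_AUTH_USER'], ' / ', $sample['PHP_AUTH_PW'], "\n";
    var_dump(basic_credentials('Bearer abc')); // a non-Basic scheme is rejected
}
```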


Checkgmail Uses 100% CPU at Startup

While using checkgmail on Ubuntu 7.10 I was running checkgmail with no problem at all. I upgraded to Ubuntu 8.04 not too long ago and quickly noticed that checkgmail was taking 30+ seconds to start and was taking 100% of my CPU.

I did a search on Google and found a lot of users experiencing the same problem. It took a bit of reading, which is why I am posting this, but I found that it is due to the localizations (languages) that are loaded into checkgmail. There are 1,728 lines in checkgmail devoted to localization and I imagine that it is the parsing of this data that is causing the 100% CPU usage.

The solution to speeding up checkgmail is to remove all of the localizations that you don’t need. For me this was removing lines 3089-3280 and 3346-4817 of checkgmail and the corresponding lines in ~/.checkgmail/lang.xml.

I have created some patches to take care of this but cannot guarantee that with updates to the code that the localizations will remain on the same lines as they are this minute. So use with care. The patches can be applied as such:

wget http://sivel.net/patch/checkgmail/checkgmail_1.13svn_slowstart_checkgmail_en.patch
wget http://sivel.net/patch/checkgmail/checkgmail_1.13svn_slowstart_langxml_en.patch
patch /usr/bin/checkgmail checkgmail_1.13svn_slowstart_checkgmail_en.patch
patch ~/.checkgmail/lang.xml checkgmail_1.13svn_slowstart_langxml_en.patch

If you have checkgmail running kill it and start it up again. It should have started almost instantly and not taken 100% CPU to do so.


Getting Lighttpd, FastCGI and PHP working on CentOS 4

Over the years I have been installing Lighttpd from the RPMforge repository on my CentOS 4 servers for high traffic sites. The one thing that bothers me time and again is that installing lighttpd, lighttpd-fastcgi and PHP; configuring lighttpd.conf to enable FastCGI and configuring FastCGI for PHP isn’t all that is required. Try doing only that and starting Lighttpd. It will die immediately all the while telling you that it started successfully.

The problem is that the default configuration for FastCGI + PHP in lighttpd.conf tries to place the PHP sockets into /var/run/lighttpd/ which doesn’t exist.

Only 2 quick steps are required to finish the installation and configuration:

  1. mkdir /var/run/lighttpd
  2. chown lighttpd. /var/run/lighttpd

Now fire up Lighttpd and enjoy the wonderful world of PHP on a web server that doesn’t suck.

Side Note: For those of you who are trying to find the location of php-cgi on your PHP 4.3.9 install from the base or updates CentOS repo, you aren’t going to find what you are looking for. Uninstall PHP 4.3.9 and install PHP 5.1.6 from the centosplus repo.


CheckGmail Problem With Google Hosted Domains

For some time now I have been using CheckGmail to monitor both my gmail.com accounts and my sivel.net accounts. But several months ago Google changed the way that accounts are authenticated for hosted domains.

If you are experiencing this problem I suggest downloading the most recent version of CheckGmail from the CheckGmail subversion trunk. For those of you who don’t have subversion installed or for those of you who don’t know how to use subversion there is an easy way around this.

Simply issue the following command:

sudo wget -O /usr/bin/checkgmail http://checkgmail.svn.sourceforge.net/viewvc/*checkout*/checkgmail/checkgmail

If you currently have CheckGmail running kill it and restart it. Now you will be able to monitor your hosted domain again with CheckGmail.


AJAX-ify the FAQ-Tastic WordPress Plugin

If you came here looking for the plugin click here.

Update: This plugin has been tested with the new FAQ-Tastic Lite plugin and works as expected.

FAQ-Tastic is a wonderful WordPress plugin for maintaining a FAQ on your website. My company recently made a decision for one of its products to run both the blog and FAQ for the product off of WordPress. Using FAQ-Tastic will enable the folks in charge of the FAQ to make changes without having to modify any code.

While the developers of FAQ-Tastic apparently went to great lengths to add AJAX effects to the admin area for this plugin the actual display in the post or page is rather boring in the fact that it does not include any AJAX and simply displays the answer directly under the question. You can additionally list all of the questions which will link to the question and answer lower in the page but that keeps the users scrolling up and down the page. The authors of FAQ-Tastic list in their FAQ that they are planning on AJAXifying the plugin at some future time, but we don’t have time to wait for them to do it.

A simple solution would be to add a small amount of Javascript and CSS code to collapse the answers and only display them once the question has been clicked.

There is one caveat though…Ratings do not collapse with the answer, which causes them to not display correctly, and thus have been hidden using CSS in this plugin.

Now for instructions on implementing it

  1. Open header.php from your WordPress theme in your favorite text editor or the WordPress theme editor.
  2. Add the following code just above the line reading <?php wp_head(); ?>

  3. Add the following code just after the line reading <?php wp_head(); ?>:

  4. You can add some additional styling by adding an open/close indicator next to the question by adding the following into the CSS styles listed in step 3.

    ol.faq h3 {
        padding-left:20px;
        background: url(/wp-content/themes/YOURTHEME/images/open.gif) top left no-repeat;
    }
    ol.faq h3.active {
        background: url(/wp-content/themes/YOURTHEME/images/close.gif) top left no-repeat;
    }
    

    You can download these sample open/close images here

    These gif images should be extracted/uploaded to ‘wp-content/themes/YOURTHEME/images’

And now that you are saying I’m not going to do this because it is too complicated…Don’t worry I have also written a plugin with the information I have provided above that will automatically implement this just by activating the plugin.

The plugin can be downloaded from WordPress.org repository.

Instructions on using the plugin

  1. Download the plugin from here
  2. Upload the ajaxify-faqtastic directory to wp-content/plugins/
  3. Open the admin section of WordPress, click on Plugins and then Activate this plugin.
  4. Simple as that…you are done.

If you don’t want to go through subscribing to a mailing list to get the FAQ-Tastic plugin, download using the following links:
Plugin
Manual

Change Log

1.4 (2009-02-27):

  • Update to new version numbering
  • enqueue styles and scripts instead of printing directly to the head

0.3 (2008-08-12):

  • Updated for WordPress 2.6 compatibility

0.2 (2008-03-26):

  • Initial Public Release

Download
AJAXify FAQTastic version 1.4
Archived Versions


Display Most Recent WordPress Posts On Another Site

I recently had the job of displaying the most recent WordPress posts on a site's main page. The easiest way I could think of doing this is to use the RSS feed.

I’ll give two sample PHP functions that will do this, as one requires some PEAR packages and the other doesn’t.

Option 1

This option requires the use of several PHP Pear packages. Those packages are XML_RSS, XML_Tree and XML_Parser. This is the preferred option as the code is specific to RSS instead of XML generically.

<?php
require_once "XML/RSS.php";

// read_rss(display_n_items,feed_url)
function read_rss($display=0,$url='') {
    // Plain assignment: "=& new" is deprecated in PHP 5 and a parse error in PHP 7+.
    $rss = new XML_RSS($url);
    $rss->parse();
    $itemArr = array();
    foreach ($rss->getItems() as $item) {
        if ($display == 0) {
            break;
        }

        array_push($itemArr,$item);

        $display--;
    }
    return $itemArr;
}
?>

Option 2

This option does not require any special Pear packages which would be helpful for users who do not have the capability to install them or have their hosting provider install them.

<?php
// read_rss(display_n_items,feed_url)
function read_rss($display=0,$url='') {
    $doc = new DOMDocument();
    $doc->load($url);
    $itemArr = array();
    foreach ($doc->getElementsByTagName('item') as $node) {
        if ($display == 0) {
            break;
        }

        $itemRSS = array (
            'title'       => $node->getElementsByTagName('title')->item(0)->nodeValue,
            'description' => $node->getElementsByTagName('description')->item(0)->nodeValue,
            'link'        => $node->getElementsByTagName('link')->item(0)->nodeValue,
            'pubdate'     => $node->getElementsByTagName('pubDate')->item(0)->nodeValue
        );

        array_push($itemArr, $itemRSS);

        $display--;
    }
    return $itemArr;
}
?>

Now to use either of these functions we would do something similar to the following:

<ul>
<?php
$items = read_rss(2, 'http://sivel.net/feed');
foreach ( $items as $item ) {
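    // Feed content is untrusted input: escape it before placing it in the page.
    echo '<li><a href="' . htmlspecialchars($item['link']) . '">' . htmlspecialchars($item['title']) . '</a></li>';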
}
?>
</ul>
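
A hardened variant of Option 2 together with the display loop, as an added example that is not code from the original post: it tolerates feeds that fail to parse or lack elements, escapes everything it prints, and links only http and https URLs. The function names and the inline sample feed are constructed for illustration; a real caller would pass the fetched feed body instead.

```php
<?php
// Added example, not code from the original post.
// Constructed sample feed: the second item has markup in its title, a
// non-http link and no description or pubDate.
$sampleFeed = <<<'XML'
<?xml version="1.0"?>
<rss version="2.0"><channel><title>Sample</title>
<item><title>First &amp; foremost</title><link>http://example.com/first</link>
<description>Hello</description><pubDate>Mon, 01 Sep 2008 10:00:00 +0000</pubDate></item>
<item><title>&lt;b&gt;Second&lt;/b&gt;</title><link>javascript:void(0)</link></item>
<item><title>Third</title><link>https://example.com/third</link></item>
</channel></rss>
XML;

// Text of the first <$tag> inside $item, or '' when the element is absent.
function rss_child_text(DOMElement $item, $tag) {
    $nodes = $item->getElementsByTagName($tag);
    return $nodes->length > 0 ? trim($nodes->item(0)->nodeValue) : '';
}

// Parse RSS held in a string and return at most $display items.
function read_rss_string($display, $xml) {
    $previous = libxml_use_internal_errors(true); // collect parse errors quietly
    $doc = new DOMDocument();
    $ok  = $doc->loadXML($xml, LIBXML_NONET);     // no network fetches while parsing
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    if (!$ok) {
        return array();                           // unparseable feed: show nothing
    }
    $items = array();
    foreach ($doc->getElementsByTagName('item') as $node) {
        if (count($items) >= $display) {
            break;
        }
        $items[] = array(
            'title'       => rss_child_text($node, 'title'),
            'description' => rss_child_text($node, 'description'),
            'link'        => rss_child_text($node, 'link'),
            'pubdate'     => rss_child_text($node, 'pubDate'),
        );
    }
    return $items;
}

// Return $link only when it is an absolute http or https URL, else ''.
function safe_feed_link($link) {
    $scheme = parse_url($link, PHP_URL_SCHEME);
    $allowed = array('http', 'https');
    return is_string($scheme) && in_array(strtolower($scheme), $allowed, true) ? $link : '';
}

// Build the <ul> markup with every feed-supplied value escaped.
function render_rss_list(array $items) {
    $html = "<ul>\n";
    foreach ($items as $item) {
        $title = htmlspecialchars($item['title'], ENT_QUOTES, 'UTF-8');
        $link  = safe_feed_link($item['link']);
        if ($link === '') {
            $html .= '<li>' . $title . "</li>\n"; // unusable link: plain text only
        } else {
            $href  = htmlspecialchars($link, ENT_QUOTES, 'UTF-8');
            $html .= '<li><a href="' . $href . '">' . $title . "</a></li>\n";
        }
    }
    return $html . "</ul>\n";
}

echo render_rss_list(read_rss_string(2, $sampleFeed));
```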

Single Sign-On with Apache and Active Directory – Part 2

Part 1 | Part 2

Back on May 23rd, 2007 I wrote an article titled Single Sign-On with Apache and Active Directory which I have now made Part 1 of this topic. In that article I wrote:

There are 3 major solutions for this which are mod_ntlm, mod_auth_kerb and Apache2::AuthenNTLM…I tried mod_ntlm which seemed to be very easy to setup and worked well. But there was one catch…If the browser did not send the NTLM information or correct NTLM information, see footnote 1 below as to why, the user had to login with the username in the form of DOMAIN\username. In my experience with applications already in place they did not require this form of DOMAIN\username. This could be resolved if you could specify the default domain in mod_ntlm which you cannot.

Now I will explain why there is a Part 2 to this topic. I used the Apache2::AuthenNTLM Apache Perl module in a large environment and quickly found a serious problem which I could not diagnose or resolve. When using the Apache2::AuthenNTLM Perl module Apache would stop responding to requests to the site after an undetermined number of requests. I tried limiting the file types that would be authenticated but in the end it would still stop responding after a while.

So I finally decided to use the Apache mod_ntlm module to handle the authentication. And with the article I had written titled Enabling NTLM Authentication (Single Sign-On) in Firefox, the problem with having to use the username in the form of DOMAIN\username in Firefox can be eliminated.

This how to is intended for CentOS 4 and RHEL4 but can be easily adapted for other distributions.

Now for the HowTo:

1) Start by installing Apache by issuing the following command:
yum install httpd

2) Next we need to install the mod_ntlm Apache module

wget http://sivel.net/repo/i386/mod_ntlm-2-0.1.el4.sn.i386.rpm
rpm -ivh mod_ntlm-2-0.1.el4.sn.i386.rpm

3) Now we need to configure mod_ntlm

cd /etc/httpd/conf.d
vi mod_ntlm.conf

Modify the conf like so (the documentation in the conf pretty much covers it also):

<location ~ "/(path/to/dir/to/protect/here)/(.*)">

  # NTLMAuth - set to 'on' to activate NTLM authentication here
  NTLMAuth on

  # AuthNTGroups - text file containing (NT) group names and member user IDs

  # NTLMBasicAuth - set to 'on' to allow Basic authentication too

  # NTLMBasicRealm - realm to use for Basic authentication

  # NTLMAuthoritative - set to 'off' to allow access control to be passed along to lower modules if the UserID is not known to this module
  NTLMAuthoritative on

  # NTLMDomain - set to the domain you want users authenticated against for cleartext authentication - if not specified, the local machine, then all trusted domains are checked
  NTLMDomain MYDOMAIN

  # NTLMServer - set to the NT server to contact to authenticate users
  NTLMServer primary.mydomain.com

  # NTLMBackup - set to the alternate NT server to contact to authenticate users
  NTLMBackup secondary.mydomain.com

  # NTLMLockFile - set to the lock file that is used to prevent simultaneous contacts to DC
  NTLMLockfile /tmp/_mod_ntlm.lck

  AuthName NTAuth
  AuthType NTLM
  require valid-user
  Satisfy all

</location>

4) We need to modify the global conf file now.
vi /etc/httpd/conf/httpd.conf
Find ‘KeepAlive Off’ and change it to ‘KeepAlive On’

5) Let’s start Apache
/etc/init.d/httpd start

6) Let’s setup a simple test page that will utilize the server environment variable that mod_ntlm sets.

cd /path/set/in/step/3/in/location/directive
touch index.php
vi index.php
  • Insert the following information:

    <?php echo "You have logged in as " . htmlspecialchars($_SERVER['REMOTE_USER']); ?>

If you do not have PHP installed you can just place a page in the directory and if you login you should be able to see it.

If you get a login prompt check footnote 1.


Footnotes
1. Getting a login prompt can be caused by using Firefox with the default configuration, not being logged on in the domain that you are attempting to authenticate against, or not having the site listed in the Local Intranet security zone in Internet Explorer. Or worst of all you could have misconfigured something in step 3.


Using Sprint PCS Connection Card with Fedora

I have seen a good number of incoming links requesting this page that I had written back when I was using a wiki for my web site. So I decided to bring it back and make some redirects to direct people to the correct location.

With that being said these instructions are for configuring Fedora (Core 5 was used at the time) to use a Sprint PCS Connection Card to connect to the internet. I cannot verify or test this functionality as I no longer have a Sprint PCS Connection Card. So let the fun begin.

  1. With the Sprint PCS Connection Card PC-5740 not inserted boot up the computer into Fedora Core 5.
  2. Open a terminal window and su to root.
  3. Execute the following command:

tail -f /var/log/messages

  4. Insert the card.
  5. You should see something similar to the following:

Aug 15 13:01:24 fedora-mobile kernel: pccard: CardBus card inserted into slot 0
Aug 15 13:01:24 fedora-mobile kernel: PCI: Enabling device 0000:03:00.0 (0000 -> 0002)
Aug 15 13:01:24 fedora-mobile kernel: ACPI: PCI Interrupt 0000:03:00.0[A] -> Link [LNKA] -> GSI 11 (level, low) -> IRQ 11
Aug 15 13:01:24 fedora-mobile kernel: ohci_hcd 0000:03:00.0: OHCI Host Controller
Aug 15 13:01:24 fedora-mobile kernel: ohci_hcd 0000:03:00.0: new USB bus registered, assigned bus number 5
Aug 15 13:01:24 fedora-mobile kernel: ohci_hcd 0000:03:00.0: irq 11, io mem 0xc2000000
Aug 15 13:01:24 fedora-mobile kernel: usb usb5: configuration #1 chosen from 1 choice
Aug 15 13:01:24 fedora-mobile kernel: hub 5-0:1.0: USB hub found
Aug 15 13:01:24 fedora-mobile kernel: hub 5-0:1.0: 1 port detected
Aug 15 13:01:24 fedora-mobile kernel: PCI: Enabling device 0000:03:00.1 (0000 -> 0002)
Aug 15 13:01:24 fedora-mobile kernel: ACPI: PCI Interrupt 0000:03:00.1[B] -> Link [LNKA] -> GSI 11 (level, low) -> IRQ 11
Aug 15 13:01:24 fedora-mobile kernel: ohci_hcd 0000:03:00.1: OHCI Host Controller
Aug 15 13:01:24 fedora-mobile kernel: ohci_hcd 0000:03:00.1: new USB bus registered, assigned bus number 6
Aug 15 13:01:24 fedora-mobile kernel: ohci_hcd 0000:03:00.1: irq 11, io mem 0xc2001000
Aug 15 13:01:24 fedora-mobile kernel: usb usb6: configuration #1 chosen from 1 choice
Aug 15 13:01:24 fedora-mobile kernel: hub 6-0:1.0: USB hub found
Aug 15 13:01:24 fedora-mobile kernel: hub 6-0:1.0: 1 port detected
Aug 15 13:01:25 fedora-mobile kernel: ohci_hcd 0000:03:00.0: wakeup
Aug 15 13:01:26 fedora-mobile kernel: usb 5-1: new full speed USB device using ohci_hcd and address 2
Aug 15 13:01:26 fedora-mobile kernel: usb 5-1: configuration #1 chosen from 1 choice
Aug 15 13:01:26 fedora-mobile kernel: cdc_acm 5-1:1.0: ttyACM0: USB ACM device
Aug 15 13:01:26 fedora-mobile kernel: usbcore: registered new driver cdc_acm
Aug 15 13:01:26 fedora-mobile kernel: drivers/usb/class/cdc-acm.c: v0.25:USB Abstract Control Model driver for USB modems and ISDN adapters

  6. The above is all important but the line we are most interested in is the following:

Aug 15 13:01:26 fedora-mobile kernel: cdc_acm 5-1:1.0: ttyACM0: USB ACM device

  7. The above line shows us that the device created is ttyACM0 which is actually located at /dev/ttyACM0.
  8. Assuming you are running Gnome, download and install gnome-ppp with the following:

yum install -y gnome-ppp

  9. In order for gnome-ppp to work properly it must be run as root.
  10. Open a terminal window and su to root.
  11. Execute gnome-ppp (Tip: You can add a “ &” to the end of gnome-ppp to disconnect it from the active session allowing you to close the terminal window without closing gnome-ppp).
  12. Click the “Setup” button.
  13. Click the “Detect” button. Your modem (/dev/ttyACM0) should automatically be detected. If not then something above went wrong.
  14. Click the “Init Strings…” button and change “Init 2” to “ATZ” (without the quotes).
  15. For the username you will need to boot into Windows, open the PCS connection application and select Diagnostics from the menu. Your username will be in the form of username@sprintpcs.com.
  16. With gnome-ppp you are required to enter a password. This will not affect the dial up seeing as though the Sprint servers won’t even respond to the password being sent. So type whatever you want in this field.
  17. The phone number is “#777”.
  18. Click connect. You’re done.
  19. If you can’t access anything on the internet after connecting and you have IP address info, it is probably due to gnome-ppp not updating the nameserver statements in resolv.conf.

Using gnome-ppp eventually got old for me so I wrote a bash script to take care of it. I won’t post extensive usage information on how to use it so use at your own risk (although I don’t see any actual risk involved).

You will need to do several things to get this up.

  1. Download sprint-dial.sh to your home dir or where ever you want.

wget http://cdn.sivel.net/s/p/sprint-dial.sh

  2. Download or configure your own .wvdial.conf and place it in your home dir and /root

wget http://cdn.sivel.net/w/v/.wvdial.conf

  3. Execute the script

sudo ./sprint-dial.sh

or

su
./sprint-dial.sh


Enabling NTLM Authentication (Single Sign-On) in Firefox

This HowTo will describe how to enable NTLM authentication (Single Sign-On) in Firefox.

How many of you have noticed that when you are using Internet Explorer and you browse to your company's intranet page it will automatically authenticate you, but when you use Firefox you will be prompted with a login box?

I recently, in searching for solutions to allow NTLM authentication with Apache, stumbled across how to set a preference in Firefox that will pass the NTLM authentication information to a web server. The preference is network.automatic-ntlm-auth.trusted-uris.

So how do you do it?

1) Open Firefox and type “about:config” in the address bar. (without the quotes of course)
2) In the ‘Filter’ field type the following “network.automatic-ntlm-auth.trusted-uris”
3) Double click the name of the preference that we just searched for
4) Enter the URLs of the sites you wish to pass NTLM auth info to in the form of:

http://intranet.company.com,http://email.company.lan

5) Notice that you can use a comma separated list in this field.
6) Updated: I have created a VBScript that can be used to insert this information into a user's prefs.js file by using group policy or standalone if for some reason you want to use it for that.

The script is available to be downloaded here.

After downloading the script you will want to extract it from the ZIP archive and then modify the line starting with strSiteList.

NOTE: This script will not perform its function if the user has Firefox open at the time the script is executed. Running the script through group policy will work without problem unless for some reason your group policy launches Firefox before the execution of this script.

You can read through the rest of the script for additional information. If you have questions, comments or concerns please let me know.


Single Sign-On with Apache and Active Directory – Part 1

Part 1 | Part 2

This HowTo will describe how to set up single sign-on authentication with Apache and Microsoft Active Directory. Most of you are probably aware that there is no default/built-in support for automatically authenticating to an Apache web server using the NTLM header information passed from the web browser (in most cases Microsoft Internet Explorer) to the Web Server. Microsoft IIS of course supports this out of the box but who wants to use IIS? There are, as I have found, 3 major solutions for achieving this and I will outline which I picked and why.

First I’ll start by explaining which solution I selected and why. There are 3 major solutions for this which are mod_ntlm, mod_auth_kerb and Apache2::AuthenNTLM. I have chosen Apache2::AuthenNTLM. Now as for the why…I bypassed mod_auth_kerb instantly after reading that it required a working winbind setup. Keep in mind that I am looking for an easy quick setup, and configuring winbind first does not fall into that realm of a quick and easy setup. Next I tried mod_ntlm which seemed to be very easy to set up and worked well. But there was one catch…If the browser did not send the NTLM information or correct NTLM information (see footnote 1) the user had to log in with the username in the form of DOMAIN\username. In my experience with applications already in place they did not require this form of DOMAIN\username. This could be resolved if you could specify the default domain in mod_ntlm which you cannot. Reading the documentation for Apache2::AuthenNTLM you could specify the default domain as well as many other options that are not available in mod_ntlm. Configuration proved to be a little tricky, but if it weren’t I wouldn’t be writing this HowTo. Now as you may have noticed from the naming syntax of Apache2::AuthenNTLM, it is indeed a Perl module. Because we are using Apache2::AuthenNTLM it will require mod_perl2 which is not included with CentOS4 or RHEL4.

Now for the HowTo:

1) Start by installing Apache and mod_perl by issuing the following commands:

shell> yum install httpd
shell> wget http://sivel.net/repo/i386/mod_perl-2.0.3-1.el4.sn.i386.rpm
shell> rpm -Uvh mod_perl-2.0.3-1.el4.sn.i386.rpm

2) Next we need to install the Apache2::AuthenNTLM module

shell> wget http://sivel.net/repo/i386/perl-Apache2-AuthenNTLM-0.02-1.el4.sn.i386.rpm
shell> rpm -Uvh perl-Apache2-AuthenNTLM-0.02-1.el4.sn.i386.rpm

3) Now we need to configure Apache to use Apache2::AuthenNTLM

shell> cd /etc/httpd/conf.d
shell> touch ntlm.conf
shell> vi ntlm.conf

  • Add the following information:

    <Location />
        # Change this to the directory you wish to protect. Can be /
        PerlAuthenHandler Apache2::AuthenNTLM
        AuthType ntlm,basic
        AuthName Basic
        require valid-user

        #                    domain pdc bdc
        PerlAddVar ntdomain "DOMAIN dc1 dc2"
        # Change DOMAIN to the netbios name of your domain. Change dc1 and dc2 to the hostnames of the domain controllers for your domain. dc2 is not required if your setup does not have a dc2.
        PerlSetVar defaultdomain DOMAIN
        # Change DOMAIN to the netbios name of your domain
        PerlSetVar splitdomainprefix 1
    </Location>

shell> vi /etc/httpd/conf/httpd.conf
Find ‘KeepAlive Off’ and change it to ‘KeepAlive On’

4) Now we need to modify /etc/resolv.conf

shell> vi /etc/resolv.conf

  • We need to make sure that it looks like the following:

search domain.lan
nameserver 10.0.0.1
nameserver 10.0.0.2

  • Where domain.lan is your Active Directory domain name and the nameservers are the name servers for your Active Directory (usually the domain controllers)

5) Let’s start Apache

shell> /etc/init.d/httpd start

6) Let’s setup a simple test page that will utilize the server environment variable that AuthenNTLM sets.

shell> cd /path/set/in/step/3
shell> touch index.php
shell> vi index.php

  • Insert the following information:

<?php
echo "You have logged in as <b>" . htmlspecialchars($_SERVER['REMOTE_USER']) . "</b>";
?>

  • If you do not see your username then you don’t have something in step 3 setup correctly. If you get a login prompt check the footnotes below.

Part 2

Footnotes
1. Getting a login prompt can be caused by using Firefox with the default configuration, not being logged on in the domain that you are attempting to authenticate against, or not having the site listed in the Local Intranet security zone in Internet Explorer. Or worst of all you could have misconfigured something in step 3. You can turn on debug information by adding ‘PerlSetVar ntlmdebug 2’ to step 3. Debugging will log to /var/log/httpd/error_log.
