On getting OpenLDAP and Windows LDAP to interop Friday, Dec 18 2009 

Many Windows developers have a need of some sort to connect to OpenLDAP directory services.  Some use wldap32, others use the DirectoryServices namespace in .NET, others use custom libraries.  Myself, I’m writing an ASPX front-end to our FreeBSD LDAP directory service.

If you are one of the developers in the first two camps, you’ve probably been dumbfounded by one of these error messages:

  • An unexpected operation error occurred
  • A local error occurred
  • TLS negotiation failure

At first, I was inclined to believe this was due to the fact that MS wanted devs to stick with ADAM and not use OpenLDAP.  However, this is not the case.  Each error means something different, and I now have a workaround for each of them.

An unexpected operation error occurred

My favourite.  This is due to an OpenLDAP bug that the developers won’t fix.  They have claimed that “Microsoft is the one that is broken by following RFC 2830”… yes, that’s right, an open-source project upset that MS is following an RFC.

Anyway, to fix it you need to apply a one-liner patch (thanks Kirill) to starttls.c, verified to work with OpenLDAP-2.4.19 and CVS HEAD as of this morning (GMT):

=============
--- orig/starttls.c	2004-01-01 21:15:32.000000000 +0200
+++ fixed/starttls.c	2004-05-27 14:14:54.000000000 +0300
@@ -94,6 +94,8 @@
     op->o_conn->c_is_tls = 1;
     op->o_conn->c_needs_tls_accept = 1;

+    rs->sr_rspoid = SLAP_STRDUP(LDAP_EXOP_START_TLS);
+
     rc = LDAP_SUCCESS;

 done:
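Review bot: the added `rs->sr_rspoid = SLAP_STRDUP(LDAP_EXOP_START_TLS);` allocates a copy of the OID, but nothing in the visible context releases it or hands ownership to the code after `done:`; confirm that the response path frees `sr_rspoid` once the extended response is sent, otherwise every StartTLS request leaks the string. Also, the `orig/starttls.c` and `fixed/starttls.c` headers carry 2004 timestamps and the `@@ -94,6 +94,8 @@` offsets come from a far older tree than the 2.4.19 the post says it was verified on, so readers should expect `patch` to need fuzz or to apply the two lines by hand, just before `rc = LDAP_SUCCESS;`.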
=============

Recompile OpenLDAP with this change.  Your OpenLDAP is now RFC 2830 compliant and Microsoft APIs (and older Netscape and Novell APIs) can now connect and start TLS with it.
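To show what the patch changes on the wire, here is an added example (not from the post and not OpenLDAP code): a minimal BER decoder for the LDAP ExtendedResponse, run against two hand-constructed StartTLS responses, one without the responseName that an unpatched slapd sends and one with the responseName the patch adds. It assumes message ID 1 and empty matchedDN and diagnosticMessage fields.

```python
# Added example: decode a StartTLS ExtendedResponse and check the RFC 2830 detail
# that the starttls.c patch fixes. RFC 2830 requires the StartTLS response to carry
# responseName 1.3.6.1.4.1.1466.20037; an unpatched slapd omits it.
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"


def _tlv(data: bytes, pos: int):
    """Read one BER tag/length/value (definite lengths only) starting at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _children(data: bytes):
    """Split the contents of a constructed element into (tag, value) pairs."""
    pos, out = 0, []
    while pos < len(data):
        tag, value, pos = _tlv(data, pos)
        out.append((tag, value))
    return out


def parse_extended_response(msg: bytes):
    """Return (messageID, resultCode, responseName or None) from an LDAPMessage."""
    tag, body, _ = _tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("LDAPMessage must be a SEQUENCE")
    (_, mid), (op_tag, op) = _children(body)[:2]
    if op_tag != 0x78:                      # [APPLICATION 24] constructed
        raise ValueError("protocolOp is not an ExtendedResponse")
    fields = _children(op)
    result_code = fields[0][1][0]           # ENUMERATED resultCode, 0 = success
    names = [v.decode() for t, v in fields if t == 0x8A]   # [10] responseName
    return int.from_bytes(mid, "big"), result_code, names[0] if names else None


def starttls_response_is_rfc2830(msg: bytes) -> bool:
    """True only when the response succeeded AND names the StartTLS OID."""
    _, rc, oid = parse_extended_response(msg)
    return rc == 0 and oid == STARTTLS_OID


# Constructed samples (short-form lengths): what an unpatched slapd sends versus
# what it sends with the sr_rspoid line added.
def _wrap(tag: int, content: bytes) -> bytes:
    return bytes([tag, len(content)]) + content

MSGID = bytes.fromhex("020101")                 # INTEGER messageID = 1
RESULT = bytes.fromhex("0a0100 0400 0400")      # success, "" matchedDN, "" diagnosticMessage
OID_TLV = bytes([0x8A, len(STARTTLS_OID)]) + STARTTLS_OID.encode()
UNPATCHED = _wrap(0x30, MSGID + _wrap(0x78, RESULT))
PATCHED = _wrap(0x30, MSGID + _wrap(0x78, RESULT + OID_TLV))
```

Feeding a real capture to starttls_response_is_rfc2830() tells you in one call whether the server you are talking to still has the bug.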

“But wait, Pongo,” you say.  “Now I’m getting a new error!”  Yes, because MS is strange about server certificate processing you will now receive:

A local error occurred (on the LDAP server, “TLS negotiation failure”)

You need the server certificate from the OpenLDAP server (see your slapd.conf file, under TLSCertificateFile.  Mine is in /etc/ssl/keys/ldap).

  1. Copy the file (named chicago-auth.crt in the example) to your Windows computer.
  2. Install the certificate (double-click it) to the Trusted Root Certificate Authorities store.  (I am not sure if this step is required or not.  It was for me for other reasons.)
  3. In your .NET application, add a code block similar to the following:
                lc.SessionOptions.VerifyServerCertificate = Ldap_ServCertCallback;  // Add this line BEFORE the StartTLS call
                lc.SessionOptions.StartTransportLayerSecurity(null);                 // Call StartTLS BEFORE Bind(), so credentials travel over TLS

Your Ldap_ServCertCallback function should look something like this:

        using System.DirectoryServices.Protocols;            // LdapConnection (at the top of the file)
        using System.Security.Cryptography.X509Certificates; // X509Certificate

        // Pins the server certificate: the TLS handshake succeeds only if the certificate
        // slapd presents is the exact one copied from the server.  This callback replaces
        // the Windows chain validation entirely, so it must be updated whenever the
        // server certificate is renewed.
        private bool Ldap_ServCertCallback(LdapConnection connection, X509Certificate cert)
        {
            // The copy made in step 1; give the full path if it is not in the working directory
            X509Certificate realchi = new X509Certificate("chicago-auth.crt");

            // GetCertHashString() is the SHA-1 thumbprint; equal thumbprints mean the same certificate
            return realchi.GetCertHashString() == cert.GetCertHashString();
        }

That’s it. Your .NET application will now happily connect to your OpenLDAP server.

Note that I have not personally tested this workaround with wldap32 (I’m unsure how to set a VerifyServerCertificate callback and I don’t hack the Win32 API anymore anyway), but I have in .NET and it works in both Win32 and ASP.NET applications.


On taking FreeBSD seriously Tuesday, Nov 3 2009 

Now playing: ♫ Rebel Yell by Billy Idol on Greatest Hits [2001]

I found myself frustrated with Windows 7 at work.  It’s a fairly decent system, and a craptonne better than Vista in both performance and resource usage on the old desktop I have (a Pentium 4/2.66 with a gig of RAM).  But it was still slow, and I had heard that FreeBSD was fast approaching the ‘usable’ state for a desktop role.  So, I decided to take it for a spin.

Firstly, your experience may vary wildly from mine; I spent the entire weekend compiling everything (including the kernel and all of KDE) to my own liking (and optimisation).  And disclaimer: this is on a new ATA-133 drive that actually beats older SATA drives on sustained speed (the very definition of ‘win’).

Installation: I used the ports source-package system (if you’ve used Gentoo Linux, this is where the idea of ebuild came from).  Of course, on a Pentium 4, this took a while; however, I found it to be worthwhile because I was able to enable features I wanted (that nobody else does) and disable features I dislike or had no use for.  This makes binaries that fit my exact needs, and one reason I do love the ports system.

Productivity: I found this department heavily lacking.  I still work in Information Technology as a developer, and apparently KDevelop has gone unmaintained and is no longer part of the kdedev package.  This was upsetting to say the least.  I have yet to install Eclipse, but I have used it on Windows and didn’t care much for the UI.  Overall, I’m back to my old 90s hacker ways of using vim and make instead of the “niceties” of IDE-based programming.  I’m more than capable, but in this day and age of things like test-driven development and the monstrosities of modern Makefile-based systems (unless maybe you’re using CMake), this is unnecessary and something I found highly disappointing.

Office stuff: Office stuff is office stuff.  AbiWord is AbiWord; not quite as featureful as Microsoft Word but it uses a hell of a lot less RAM, and that’s something I can appreciate with this old box.  Of course nothing can compare to iWork Pages ’09 from Apple, and I would be willing to pay extra for a version of iWork for ELF systems, even Linux.

Email: At work we have Exchange 2007.  I have been as-of-yet unsuccessful in getting Evolution to connect to it, and have been using ActiveSync on my PDA to handle emails.  As you can imagine, this isn’t the easiest thing in the world.  I am working on a possible patch (it appears there is a bug in the codebase to do with SSL certificates); hopefully I can get this working soon.

(Screenshot: amaroK, a multimedia program, running)

Media: This is one place where open-source could really use some work.  Problems I’ve had include amarok showing random last played times such as “August 1991”, mplayer deciding it had a “memory error” and not starting correctly, and attempts at writing numeric tag fields (i.e. year or track #) in media files cause a segfault.  This isn’t to say it’s all bad; amaroK, mplayer, and mpg123 all played the majority of my collection (or at least the formats they supported) quite decently, and the offerings now are fairly solid if not a bit lacking in features.  My wishlist would be for amaroK to have working cover art features and to have clicking the dock icon toggle play/pause.  I guess I have more patches to write.

IM: Pigs is pigs; Pidgin is Pidgin.  It works exactly the same as it does on all the other platforms (Pidgin for Windows, Adium for OS X) and it just does it.  I am in the process of researching the best Skype client for FreeBSD, and will probably blog about that later, too.

Web browsing: This is where it gets interesting.  All browsers suck.  I’m telling you, plain and simple, all browsers suck.  So imagine my surprise when jtm, a close friend of mine, points out there is a relatively new one in ports called ‘Midori’, from the XFCE bunch.  I tried it out.  It’s nice, though a bit unstable when using npviewer (Flash / Java), and when you unload a page (i.e. browse to another or close a tab), it has an excessive lag and doesn’t kill the npviewer process.  End result?  A tonne of RAM and CPU spent until you manually kill -9 them.  There are also some favicon bugs.  Overall however, it’s a very decent browser based on my favourite rendering engine (WebKit) and it does get points for effort.  I’m still using Firefox though, because I do find I require Flash periodically.

Other: I’ve found a few little niggles.  One major one is that gtk-qt4-theme sometimes causes textboxes to appear black-on-black (see here).  One place where this is quite evident is the HTML editor in WordPress; it renders a black textarea with black text.  Obviously, I can’t edit HTML easily in WordPress anymore.

One other source of a bit of frustration lies in the fact that there is very little support for FreeBSD compared to Linux simply because it isn’t as widely deployed.  I can accept this and I’m more than capable of doing things, especially with the help of friends and colleagues, but it would be nice to have a lively FreeBSD desktop community (more than just IRC, because they mainly deal with servers).  Some day, ol’ boy, some day…

Anyway, this pretty much sums it up.  My verdict?

It’s not really different from Windows, but it’s free and you have more options.

Windows has buggy apps.  OS X has buggy apps.  FreeBSD has buggy apps.  It’s all really a matter of preference.  Windows is more tweaked for the beginning computer user, and as such has a lot of safeguards built-in.  This is a Good Thing(TM) for new users, but it gets dreadful and annoying to people like me.  OS X has its strong points, but it can be wildly random.  And randomness is one thing all IT people hate — because it’s nigh-on-impossible to pin down exactly where the problem lies.  FreeBSD…what can I say.  It’s grown so much from the days of 5.x when I started to run it on servers.  And overall, though it may not be as user-friendly as Ubuntu, it certainly packs a mean punch, and anyone who isn’t afraid to learn, is able to devote a bit of time to read the FreeBSD Handbook and other interesting manuals, and get their hands a bit “dirty” with computer knowledge should seriously consider using it as a desktop — especially Linux users looking for more.  I’d liken running FreeBSD on a computer to performing maintenance on your car; most people don’t want to do it, but the ones who do save time, money, and have the feeling of a job well done.

Oh, and you may be wondering why I chose “art” for a tag.  Because of my new theme, of course.  I love it; it’s artistic, expresses who I am, and that’s something Windows can’t really say.  Sure you can customise the bugger out of Aero; but no matter what you do, it’s still Aero.