Friday, March 30, 2007

Sakai LDAP Provider

Ok so I was attempting to connect Sakai up to our LDAP server to get user details and after a successful user login was seeing an error in the logs:

WARN: getUser() from LDAP directory exceptionnull (2007-03-29 17:32:34,597 http-

Not the most helpful error so I edited the source so that it logged the stack trace as well:

       at com.novell.ldap.asn1.ASN1OctetString.<init>(Unknown Source)
       at com.novell.ldap.rfc2251.RfcLDAPString.<init>(Unknown Source)
       at com.novell.ldap.rfc2251.RfcAttributeDescription.<init>(Unknown Source
       at com.novell.ldap.rfc2251.RfcAttributeDescriptionList.<init>(Unknown So
       at com.novell.ldap.LDAPSearchRequest.<init>(Unknown Source)
       at Source)
       at Source)
       at edu.amc.sakai.user.JLDAPDirectoryProvider.getEntryFromDirectory(JLDAP
       at edu.amc.sakai.user.JLDAPDirectoryProvider.getUser(JLDAPDirectoryProvi

Now we are getting a null pointer exception thrown from inside the Novell LDAP library (not a good sign or very helpful). After a little bit of digging around I found the call line:, LDAPConnection.SCOPE_SUB, searchFilter, attribs, false, cons);

and it turns out (half an hour later) that one of the elements in the attribs array was set to null. This was caused by having a Sakai configuration where I had removed the attribute mapping for the group memberships, as I wasn't using it, but it turns out that the provider was still attempting to retrieve this value from the configuration and then using it. It really shouldn't be this hard to fix simple configuration problems.

I believe that this LDAP provider has had some work done on it for 2.4 and I'll check to see if this bug still exists in 2.4 and if it does send in a patch.

Thursday, March 29, 2007

Are we there yet?

buckett@oucs-matthewb:~/sakai/sakai-2.3.1/checkout $ maven cln bld 
 __  __
|  \/  |__ _Apache__ ___
| |\/| / _` \ V / -_) ' \  ~ intelligent projects ~
|_|  |_\__,_|\_/\___|_||_|  v. 1.0.2


Total time: 11 minutes 2 seconds
Finished at: Thu Mar 29 15:24:07 BST 2007

Wednesday, March 28, 2007

Miscellaneous failure No principal in keytab matches desired name

I was getting this error in the server logs when trying to ssh into a Kerberos-enabled box and although my ssh client was getting a principal for the machine host/ I wasn't getting logged in. Now looking on the net it seemed that it was likely that I didn't have the matching principal in the keytab file. But a klist -k /etc/krb5.keytab showed all the correct keys. The next thing I checked was that the DNS records matched host and host After running round in circles I checked /etc/hosts to find the line machine and because my machine used the hosts file before DNS it was looking for the principal host/machine@OX.AC.UK which of course didn't exist.

This whole saga would have been much easier to debug if the error message had just included the principal that wasn't present in the keytab file. The machine was a server Ubuntu 6.10 install. Strangely it seems that my desktop Ubuntu machine has the machine name only associated with and not the external IP, although this machine uses DHCP to get its IP.
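The check that would have shortened this hunt, as an added example (not code from the original post): it works out which host principal the service will ask for from the hosts file and compares it with the `klist -k` output. It assumes the service builds its principal as host/<canonical name>@REALM, where the canonical name is the first name on the matching hosts line; the sample hosts file, keytab listing and the EXAMPLE.ORG realm are constructed.

```python
import re

# Constructed sample data (not from the original post).
HOSTS = """\
127.0.0.1    localhost
192.0.2.10   machine
"""
KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------
   3 host/machine.example.org@EXAMPLE.ORG
   3 host/machine.example.org@EXAMPLE.ORG
"""

def canonical_from_hosts(hostname, hosts_text):
    """First name on the first hosts line listing hostname, or None if absent."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split on whitespace
        names = [n.lower() for n in fields[1:]]  # fields[0] is the IP address
        if hostname.lower() in names:
            return names[0]
    return None

def keytab_principals(klist_text):
    """Principals from `klist -k` output: lines of the form '<kvno> <principal>'."""
    found = set()
    for line in klist_text.splitlines():
        m = re.match(r"\s*\d+\s+(\S+@\S+)\s*$", line)
        if m:
            found.add(m.group(1))
    return found

def check(hostname, realm, hosts_text, klist_text):
    """Return (wanted principal, present in keytab?, host principals in keytab)."""
    # Not in the hosts file: DNS would decide; offline, the name is used unchanged.
    canon = canonical_from_hosts(hostname, hosts_text) or hostname.lower()
    wanted = f"host/{canon}@{realm}"
    have = keytab_principals(klist_text)
    return wanted, wanted in have, sorted(p for p in have if p.startswith("host/"))

if __name__ == "__main__":
    wanted, ok, have = check("machine", "EXAMPLE.ORG", HOSTS, KLIST)
    print("service will look for:", wanted)
    print("in keytab:", ok, "| keytab has:", ", ".join(have))
```

With the sample data it reports host/machine@EXAMPLE.ORG as the wanted principal and shows that the keytab only holds the fully qualified one, which is the mismatch described above.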

Tuesday, March 27, 2007

pam_env, /etc/environment and expansion

Rather than setting environment variables for a system in shell startup files (/etc/profile) you can use pam_env to set them (both ssh and login use pam_env by default). By default on Ubuntu this appears to be where the path is set. To add something extra to the path I wanted to define a new value (JAVA_HOME) and then include $JAVA_HOME/bin in the path. To start with I edited /etc/environment but it seems that expansion doesn't occur in this file. However you can edit /etc/security/pam_env.conf to set the PATH and expansion does happen here. This is what I ended up adding to /etc/security/pam_env.conf:

       JAVA_HOME DEFAULT="/opt/jdk1.5.0_11"
       PATH DEFAULT="/usr/local/sbin:/usr/local/bin:/usr/sbin:\
       /usr/bin:/sbin:/bin:/usr/bin/X11:/usr/games:${JAVA_HOME}/bin"