Enable File System Quota On Debian


  • For example we want to apply disk quota on /dev/md5 to each user, say 2000MBytes soft limit & 2500MB/2.5GB hard limit.
  • 1. install quota package
    • sudo apt-get install quota
  • 2. edit /etc/fstab to enable quota on /dev/md5 file system
    • /dev/md5 /home ext3 defaults,usrquota,grpquota 0 2
  • 3. re-mount /dev/md5
    • sudo mount -o remount /home
  • 4. edit user quota one by one
    • sudo edquota -u tom -f /dev/md5
Disk quotas for user tom (uid 3050):
Filesystem blocks soft hard inodes soft hard
/dev/md5 0 2000000 2500000 0 0 0

* the above assigns a 2000000KB/2GB soft limit and a 2500000KB/2.5GB hard limit to user tom.

  • 5. set grace period to 0seconds

    • sudo edquota -t -f /dev/md5

Grace period before enforcing soft limits for users:
Time units may be: days, hours, minutes, or seconds
Filesystem Block grace period Inode grace period
/dev/md5 0seconds 0seconds

  • 6. disable then re-enable the quota to make it work

    • sudo quotaoff -a

    • sudo quotaon -vug /dev/md5

      • if quotaon fails with errors like the following, run the quotacheck command shown after them:

        • quotaon: using /home/aquota.user on /dev/md5: Invalid argument

        • quotaon: using /home/aquota.group on /dev/md5: Invalid argument

      • quotacheck -vugm /dev/md5

  • 7. to list the current quota settings

    • repquota -a
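
Steps 4 and 7 in non-interactive form, added here as an example and not part of the original post: `quota_cmds` prints one `setquota` command per regular account with the limits used above, and `unlimited_users` reads `repquota` output to list accounts that still have no block limit. The UID cutoff of 1000, every sample account except tom and the sample repquota report are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original post).

# quota_cmds DEVICE SOFT_KB HARD_KB [MIN_UID]
# Reads passwd-format lines on stdin and prints one setquota command per
# regular account. MIN_UID defaults to 1000 (assumption: first regular UID).
quota_cmds() {
    awk -F: -v dev="$1" -v soft="$2" -v hard="$3" -v min="${4:-1000}" '
        # Only plain account names are emitted, so the printed commands stay
        # safe to review and run even if the input holds odd entries.
        ($3 + 0) >= (min + 0) && $1 != "nobody" && $1 ~ /^[a-z_][a-z0-9_-]*$/ {
            # setquota -u NAME block-soft block-hard inode-soft inode-hard FS
            printf "setquota -u %s %d %d 0 0 %s\n", $1, soft, hard, dev
        }'
}

# unlimited_users
# Reads `repquota` output on stdin and prints every non-root user whose block
# soft and hard limits are both 0, i.e. accounts that step 4 has not covered.
unlimited_users() {
    awk '
        # data rows: NAME FLAGS used soft hard [grace] used soft hard [grace]
        $2 ~ /^[-+][-+]$/ && $1 != "root" && $4 == 0 && $5 == 0 { print $1 }'
}

# Constructed sample input (tom and uid 3050 come from the page).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
tom:x:3050:3050:Tom:/home/tom:/bin/bash
alice:x:3051:3051:Alice:/home/alice:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
EOF
}

# Constructed sample of a `repquota /dev/md5` report.
sample_repquota() {
    cat <<'EOF'
*** Report for user quotas on device /dev/md5
Block grace time: 00:00; Inode grace time: 00:00
                        Block limits                File limits
User            used    soft    hard  grace    used  soft  hard  grace
----------------------------------------------------------------------
root      --      24       0       0              3     0     0
tom       --  150000 2000000 2500000            812     0     0
alice     --   90000       0       0            410     0     0
EOF
}

echo "commands to review and run as root:"
sample_passwd | quota_cmds /dev/md5 2000000 2500000
echo "accounts still without a block limit:"
sample_repquota | unlimited_users
```

On a real host, feed `getent passwd` to `quota_cmds` and `repquota /dev/md5` to `unlimited_users`.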

How To Remove CDFS Partition From USB Thumb Drive


  1. You need to check the chip model of your USB drive using this tool: ChipGenius
    1. Download ChipGenius
    2. Connect your USB drive
    3. Run ChipGenius and check the information
    4. Take down the information of your drive, for example, the chip model of my USB drive is MTX6208.
  2. You will then need to find the tool for your chip.
    1. You can find and download the tool from this web site: www.51stor.net
      1. Note: make sure the tool you download matches your chip model.
    2. Run the tool. You should be able to remove the CDFS partition (by re-initializing the disk).

Debian Samba Server Setup


  1. Install samba
    • aptitude install samba samba-doc smbldap-tools
      • Workgroup/Domain Name: NIG
      • Modify smb.conf to use WINS settings from DHCP?: No
    • dpkg-reconfigure samba
      • How to run Samba: daemons
      • Create password database: Yes
  2. Enable samba.schema in LDAP server
    • aptitude install samba-doc
    • cd /usr/share/doc/samba-doc/examples/LDAP
    • gunzip samba.schema.gz
    • cp samba.schema /etc/ldap/schema/samba.schema
    • vim /etc/ldap/slapd.conf
      • include /etc/ldap/schema/samba.schema
    • /etc/init.d/slapd restart
  3. Let Samba use LDAP as backend
    • vim /etc/samba/smb.conf
      • passdb backend = ldapsam:ldap://localhost
      • ldap suffix = dc=neuroimaging,dc=org,dc=au
      • ldap machine suffix = ou=SMBMachines
      • ldap user suffix = ou=People
      • ldap group suffix = ou=Group
      • ldap admin dn = cn=admin,dc=neuroimaging,dc=org,dc=au
      • ldap delete dn = no
      • ldap ssl = start_tls
  4. Configure smbldap-tools package
    • aptitude install smbldap-tools
    • cp /usr/share/doc/smbldap-tools/examples/smbldap_bind.conf /etc/smbldap-tools/
    • gunzip /usr/share/doc/smbldap-tools/examples/smbldap.conf.gz
    • cp /usr/share/doc/smbldap-tools/examples/smbldap.conf /etc/smbldap-tools/
    • vi /etc/smbldap-tools/smbldap_bind.conf
    • vi /etc/smbldap-tools/smbldap.conf
    • vi /etc/samba/smb.conf
    • Note: read /usr/share/doc/smbldap-tools/
  5. Important:
    • To change rootpw of the binddn cn=admin,dc=example,dc=org, you need
      • smbldap-passwd
      • edit /etc/smbldap-tools/smbldap_bind.conf
      • smbpasswd -w <ldap_rootpw>
See Also
  1. Samba LDAP
  2. Samba 3 LDAP

LDAP Replication Using syncrepl


My Solution
  • Master server:
    • edit the configuration in /etc/ldap/slapd.conf, append the following:
## syncrepl provider
index entryCSN,entryUUID eq

moduleload syncprov.la
overlay syncprov

syncprov-checkpoint 10 5
syncprov-sessionlog 100

  • Slave server:

    • edit /etc/ldap/slapd.conf, append:

## syncrepl consumer
index entryCSN,entryUUID eq
syncrepl rid=123

  • Note: in my case, I am using SASL DIGEST-MD5. Read the references if you want to use simple bind. Detail about how to enable SASL on openldap server, see here

  • Restart Master slapd then Slave slapd.


  1. Configuring the Master-Slave Replication

  2. LDAP Sync Replication

  3. LDAP replication setup using syncrepl

  4. Debian LDAP Server Setup

Debian Samba LDAP Integration


  1. install samba

    • aptitude install samba

  2. install smbldap-tools

    • aptitude install smbldap-tools

  3. read smbldap-tools documentation

    • gunzip /usr/share/doc/smbldap-tools/README.Debian.gz

    • less /usr/share/doc/smbldap-tools/README.Debian

I. LDAP Server Configuration

  1. Copy the 'samba.schema' to be used in your LDAP server (you can find it in '/usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz' after installing the samba-doc package):

    • zcat /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz > /etc/ldap/schema/samba.schema

  2. Modify the file '/etc/ldap/slapd.conf' to include the samba schema:

    • include /etc/ldap/schema/samba.schema

  3. Optionally add indexes to optimize SAMBA access:

    • index uid,uidNumber,gidNumber,memberUid eq

    • index cn,mail,surname,givenname eq,subinitial

    • index sambaSID eq

    • index sambaPrimaryGroupSID eq

    • index sambaDomainName eq

  4. Allow users to change their NT and LM passwords by changing the line "access to attribute=userPassword" to "access to attrs=userPassword,sambaNTPassword,sambaLMPassword"

  5. Restart the LDAP server.

    • /etc/init.d/slapd restart

II. Samba Server Configuration

  1. Edit the '/etc/samba/smb.conf' to change the passdb backend from the original to:

    • passdb backend = ldapsam:ldap://localhost

  2. Add configuration directives for the passdb system:

    • obey pam restrictions = no

    • ldap admin dn = cn=admin,dc=neuroimaging,dc=org,dc=au

    • ldap delete dn = no

    • ldap suffix = dc=neuroimaging,dc=org,dc=au

    • ldap machine suffix = ou=Computers

    • ldap user suffix = ou=Users

    • ldap idmap suffix = ou=Users

    • ldap group suffix = ou=Groups

  3. To use the smbldap-tools to change passwords, add:

    • ; Do ldap passwd sync

    • ldap passwd sync = Yes

    • passwd program = /usr/sbin/smbldap-passwd %u

    • passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*

  4. And if you want to administer user and groups from windows add:

    • add user script = /usr/sbin/smbldap-useradd -m "%u"

    • ldap delete dn = Yes

    • delete user script = /usr/sbin/smbldap-userdel "%u"

    • add machine script = /usr/sbin/smbldap-useradd -w "%u"

    • add group script = /usr/sbin/smbldap-groupadd -p "%g"

    • delete group script = /usr/sbin/smbldap-groupdel "%g"

    • add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"

    • delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"

    • set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"

  5. Restart samba and add the smbldap admin password to let SAMBA use it:

    • /etc/init.d/samba restart

    • smbpasswd -w LDAP_ADMIN_PASSWORD

smbldap-tools Configuration

  1. Start copying the files 'smbldap.conf' and 'smbldap_bind.conf' from '/usr/share/doc/smbldap-tools/examples/' to '/etc/smbldap-tools/':

    • zcat /usr/share/doc/smbldap-tools/examples/smbldap.conf.gz > /etc/smbldap-tools/smbldap.conf

    • cp /usr/share/doc/smbldap-tools/examples/smbldap_bind.conf /etc/smbldap-tools/smbldap_bind.conf

  2. Edit the 'smbldap.conf' file; the main parameters to watch out for are the 'SID', the LDAP server addresses, the TLS settings and the LDAP suffix.

    • NOTE: To obtain the SID, execute the following command with your SAMBA server running:

      • net getlocalsid

  3. Edit the 'smbldap_bind.conf' file and put there the SMBLDAP administrator's DN and Password.

  4. Fix file permissions:

    • chmod 0644 /etc/smbldap-tools/smbldap.conf

    • chmod 0600 /etc/smbldap-tools/smbldap_bind.conf

  5. To initialize the LDAP database, invoke the command:

    • smbldap-populate

    • NOTE: This makes the tool start adding uids and gids from 1000 (hardcoded default), if you want to start from different numbers you can use "-g <firstgid>" or "-u <firstuid>" as options to smbldap-populate.

Mac OS X LDAP Client Setup

  • Add LDAPv3 source to Directory Access
    1. go to Applications -> Utilities, open Directory Utility
    2. Unlock it with root password 
    3. Click "Show Advanced Settings"
    4. Click "Services"
    5. Select LDAPv3, click Configure
    6. Click the edit pen icon at bottom left
    7. Check off "Use DHCP-supplied LDAP server"
    8. Select Options then click New
    9. Enter a configuration name i.e.: Master LDAP
      •  Server Name: your Master LDAP server name ie. ldap.example.org
    10. Click on LDAP Mappings and select RFC 2307 (Unix) 
    11.  A window will pop up that will ask you for a search base. Input ie. dc=example,dc=org and tick SSL, click Ok then Ok again.
    12. Now you'll be back at the Directory Access Window
      • Click on Authentication at the top of the window 
      • Under Search, pull down & choose "Custom Path" then Click Add
      • Select ldap/ldap.example.org source 
      • Click OK and OK again until Directory Access closes.
    13. Restart the machine
  • After the restart you should be able to log in as any valid LDAP user


  1. If after configuring your LDAP you still can't authenticate and your /var/log/system.log contains messages like these /System/Library/LoginPlugins/MCX.loginPlugin/Contents/MacOS/MCXCacher: DSOpenNode(): dsOpenDirNode("/LDAPv3/ldap.example.org") == -14002

    • The problem comes from the Format utility of the Directory Access which apparently keeps misconfiguration even if it is corrected.
    • To correct
      1. Remove all contents of the directory /Library/Preferences/DirectoryService ie. double click on your Mac HDD
      2. Open /Applications/Utilities/Netinfo Manager and within it remove all contents of /config/mcx-mask
      3. Then restart the machine and reconfigure.

  2. After an update to Mac OS X Server 10.5.3 some clients do not find the LDAP server with messages:
    • DirectoryService[48]: DSLDAPv3PlugIn: [machine] LDAP server config not updated with server mappings due to server mappings error.
    • DirectoryService[48]: LDAPv3: SafeOpen Can't retrieve server mappings from search base of <cn=config,dc=lip6,dc=fr>.
    • DirectoryService[48]: LDAPv3: SafeOpen Cannot retrieve server mappings at this time.
    • The problem comes from Directory Utility, which apparently keeps a bad configuration. To correct this:
      1. Delete the contents of the directory /Library/Preferences/DirectoryService.
      2. Then restart and repeat the Directory Utility configuration without errors :)

  3. I just spent a very long time on a client that does not find the LDAP server, with messages: /System/Library/LoginPlugins/MCX.loginPlugin/Contents/MacOS/MCXCacher: DSOpenNode(): dsOpenDirNode("/LDAPv3/mon.server.fr") == -14002
    • The problem came from Directory Access, which apparently keeps a bad configuration even after it is corrected.
    • To correct this:
      1. Delete the contents of the directory /Library/Preferences/DirectoryService.
      2. Delete the entire contents of /config/pcs-cache in NetInfo Manager.
      3. Then restart and repeat the Directory Access configuration without errors :)

  4. sudo dscl . -delete /Config/mcx_cache; sudo reboot


  1. Configuring Mac OS X LDAP Authorization for Leopard (Mac OS X 10.5.x)
  2. Configuring Mac OS X LDAP Authorization for Tiger (Mac OS X 10.4.x)
  3. Mac OS X authentication against OpenLDAP
  4. Setting up Mac OS X Server
  5. Mac OS X: How to Connect to an LDAPv3 Server Using a Self-Signed Certificate
  6. Integrating Apple OS X Clients with an OpenLDAP Directory(10.4 Tiger)
  7. Integrating OSX Clients with an OpenLDAP Directory
  8. Mac OS X: dscl
  9. Mac OS X ldap client
  10. Integrating Mac OS X And Novell eDirectory
  11. Integrating OS X into Active Directory
  12. dsconfigldap command
  13. MAC OS/X authentication against OpenLDAP 2.3 (Resolved)

Ubuntu LDAP Client Setup


  1. make sure your ldap server is reachable:
    • ping ldap.example.org
  2. install required packages
    • aptitude install auth-client-config ldap-auth-client ldap-auth-config libnss-db libnss-ldap libpam-ldap nscd nss-updatedb
      • Configuring ldap-auth-config:
        • Should debconf manage LDAP configuration? Yes
        • LDAP server Uniform Resource Identifier: ldaps://ldap.neuroimaging.org.au (Note: use ldap:// if the server does not enable TLS)
        • Distinguished name of the search base: dc=example,dc=org
        • LDAP version to use: 3
        • Make local root Database admin: Yes
        • Does the LDAP database require login? No
        • LDAP account for root: cn=admin,dc=example,dc=org
        • LDAP root account password: XXXXXXXX
        • Local crypt to use when changing passwords: md5
  3. If server enables TLS
    • copy the CA certificate from the server:
      • mkdir /etc/ldap/certs; scp root@ldap:/etc/ldap/certs/cacert.pem /etc/ldap/certs/
    • edit /etc/ldap.conf (There are two ldap.conf files. /etc/ldap.conf and /etc/ldap/ldap.conf)
      • vim /etc/ldap.conf
        • host ldap.example.org
        • base dc=example,dc=org
        • uri ldap://ldap.example.org
        • rootbinddn cn=admin,dc=example,dc=org
        • bind_policy soft
        • ssl on
        • ssl start_tls
        • tls_cacertfile /etc/ldap/certs/cacert.pem
  4. Now you can test it with following commands
    • getent passwd should return the accounts from ldap server.
    • nss_updatedb ldap should succeed.
    • If above do not work
      • check /var/log/auth.log
      • vim /etc/ldap.conf
        • bind_policy hard
        • tls_checkpeer no (this turns off verification of the server certificate, so use it only to isolate a TLS problem)
        • try getent passwd and nss_updatedb ldap again
      • Files to check:
        • /etc/ldap.conf
        • /etc/ldap.secret (Note: you need to update this file if you have changed rootpw.)
  5. Edit ldap-auth-config
    • vi /etc/auth-client-config/profile.d/ldap-auth-config
      • [lac_ldap]
      • nss_passwd=passwd: files ldap [NOTFOUND=return] db
      • nss_group=group: files ldap [NOTFOUND=return] db
      • nss_shadow=shadow: files ldap
      • pam_auth=auth sufficient pam_ldap.so
      • auth required pam_unix.so nullok_secure use_first_pass
      • pam_account=account sufficient pam_ldap.so
      • account required pam_unix.so
      • pam_password=password sufficient pam_ldap.so
      • password required pam_unix.so nullok obscure min=4 max=8 md5
      • pam_session=session required pam_unix.so
      • session required pam_mkhomedir.so skel=/etc/skel/
      • session optional pam_ldap.so
      • session optional pam_foreground.so
    • auth-client-config -a -p lac_ldap (note: lac_ldap is the profile name defined in /etc/auth-client-config/profile.d/ldap-auth-config file. Do not use the file name here.)
  6. enable nss_db cache
    • vi /etc/cron.hourly/nss_updatedb-ldap.sh
      • #!/bin/bash
      • /usr/sbin/nss_updatedb ldap
    • To make actual use of the cached data you will need to edit /etc/nsswitch.conf like this:
      • passwd: files ldap [NOTFOUND=return] db
      • group: files ldap [NOTFOUND=return] db
    • This means:
      • look first in the local files (/etc/passwd and /etc/group)
      • if not found, use LDAP
      • when LDAP does not have user information, exit and return nothing (this is the [NOTFOUND=return] directive)
      • if the LDAP server was not reachable, proceed with using the cached data

Enable SASL Authentication on OpenLDAP Server


  • Note: This document is based on Debian 4.0 etch.
  1. Install SASL2 packages
    • apt-get install sasl2-bin libsasl2-modules
  2. Modify /etc/default/saslauthd
    • vim /etc/default/saslauthd
      • START=yes
      • MECHANISMS="pam"
  3. Configure OpenLDAP server to use SASL
    • vim /etc/ldap/slapd.conf
      • sasl-realm NEUROIMAGING.ORG.AU
      • sasl-host supertower.neuroimaging.org.au
      • authz-regexp uid=admin,cn=neuroimaging.org.au,cn=.+ cn=admin,dc=neuroimaging,dc=org,dc=au
      • authz-regexp uid=(.*),cn=neuroimaging.org.au,cn=.+ uid=$1,ou=People,dc=neuroimaging,dc=org,dc=au
      • sasl-secprops none
  4. Configure LDAP client
    • vim /etc/ldap/ldap.conf
      • SASL_SECPROPS none
  5. See also LDAPv3 How To
    • Note:
      • In openldap 2.3, authz-regexp replaces sasl-regexp
      • You may need to enable ldap server logging, see debian-ldap-server-setup
      • You may need to chgrp openldap /etc/sasldb2 to grant access to ldap server.
  • Note: The server must request a client certificate in order to use the SASL EXTERNAL authentication mechanism with a TLS session. As such, a non-default TLSVerifyClient setting must be configured before SASL EXTERNAL authentication may be attempted, and the SASL EXTERNAL mechanism will only be offered to the client if a valid client certificate was received. (OpenLDAP Admin Guide)

Debian LDAP Client Setup


  1. Make sure FQDN of the ldap server is either in /etc/hosts or DNS resolvable.
  2. Copy CA certificate from the ldap server to the client computer:
    • mkdir /etc/ldap/certs; scp root@ldap-server:/etc/ldap/certs/cacert.pem /etc/ldap/certs/
  3. Install required software packages
    • aptitude install libnss-db libnss-ldap libpam-ldap nscd nss-updatedb
      • Configuring libnss-ldap
        • LDAP server Uniform Resource Identifier: ldap://ldap-server.example.org.au
        • Distinguished name of the search base: dc=example,dc=org,dc=au
        • LDAP version to use: 3
        • Does the LDAP database require login? No
        • Special LDAP privileges for root? Yes
        • Make the configuration file readable/writeable by its owner only? No
        • LDAP account for root: cn=admin,dc=example,dc=org,dc=au
        • LDAP root account password: XXXXXXXX
      • Configuring libpam-ldap
        • Make local root Database admin. Yes
        • Does the LDAP database require login? No
        • LDAP account for root: cn=admin,dc=example,dc=org,dc=au
        • LDAP root account password: XXXXXXXX
        • Local crypt to use when changing passwords: md5
  4. Enable TLS
    • vim /etc/libnss-ldap.conf
      • ssl start_tls
      • tls_cacertfile /etc/ldap/certs/cacert.pem
  5. Configure /etc/nsswitch.conf
    • vim /etc/nsswitch.conf
      • passwd: files ldap [NOTFOUND=return] db
      • group: files ldap [NOTFOUND=return] db
      • shadow: files ldap [NOTFOUND=return] db
      • OR
      • passwd: ldap compat
      • group: ldap compat
      • shadow: ldap compat
  6. Test:
    • getent passwd
      • should return list of password entries from LDAP server
    • nss_updatedb ldap
      • should succeed.
  7. Enable cron job to update local nss database
    • touch /etc/cron.hourly/nss_updatedb-ldap.sh
    • echo '#!/bin/bash' > /etc/cron.hourly/nss_updatedb-ldap.sh
    • echo "/usr/sbin/nss_updatedb ldap" >> /etc/cron.hourly/nss_updatedb-ldap.sh
    • chmod +x /etc/cron.hourly/nss_updatedb-ldap.sh
  8. Configure pam.d
    • vi /etc/pam.d/common-auth
      • auth sufficient pam_ldap.so
      • auth required pam_unix.so nullok_secure use_first_pass
    • vi /etc/pam.d/common-account
      • account sufficient pam_ldap.so
      • account required pam_unix.so
    • vi /etc/pam.d/common-password
      • password sufficient pam_ldap.so
      • password required pam_unix.so nullok obscure min=4 max=8 md5
    • vi /etc/pam.d/common-session
      • session required pam_unix.so
      • session required pam_mkhomedir.so skel=/etc/skel/
      • session optional pam_ldap.so
      • session optional pam_foreground.so
  9. Troubleshooting:
    • Config files to check:
      • /etc/pam_ldap.conf
      • /etc/pam_ldap.secret (Note: if you have changed the rootpw, you will have to update this file)
      • /etc/libnss-ldap.conf
      • /etc/libnss-ldap.secret (Note: if you have changed the rootpw, you will have to update this file)
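
An offline check of the client settings from the Ubuntu and Debian client setups above (the `ssl` and `tls_*` keys in /etc/ldap.conf or /etc/libnss-ldap.conf, and the `pam_unix.so` password line), added here as an example and not taken from the original posts. The finding labels, the last-value-wins rule for repeated keys and the minimum length of 8 are assumptions of this example; the sample inputs are constructed from the settings shown above.

```shell
#!/bin/sh
# Added example (not from the original posts).

# audit_ldap_conf [FILE...]   (reads stdin when no FILE is given)
# Input: nss_ldap/pam_ldap "key value" files such as /etc/ldap.conf,
# /etc/libnss-ldap.conf or /etc/pam_ldap.conf. One finding per output line.
# Assumption: when a key is repeated, the last value is the effective one.
audit_ldap_conf() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }          # blank lines and comments
        {
            key = tolower($1)
            $1 = ""; sub(/^[ \t]+/, "")        # what is left is the value
            val[key] = tolower($0)
        }
        END {
            ssl = val["ssl"]
            n = split(val["uri"], uris, " ")
            all_ldaps = (n > 0)
            for (i = 1; i <= n; i++)
                if (uris[i] !~ /^ldaps:\/\//) all_ldaps = 0
            encrypted = (ssl == "start_tls" || ssl == "on" || ssl == "yes" || all_ldaps)
            peer = val["tls_checkpeer"]
            if (!encrypted)
                print "CLEARTEXT no start_tls/ssl and not every uri is ldaps://"
            if (peer == "no" || peer == "off" || peer == "false")
                print "NOVERIFY tls_checkpeer " peer " accepts any server certificate"
            if (encrypted && val["tls_cacertfile"] == "" && val["tls_cacertdir"] == "")
                print "NOCA TLS is requested but no CA file or directory is set"
        }' "$@"
}

# audit_pam_password [FILE...]   (reads stdin when no FILE is given)
# Checks pam_unix.so "password" lines as written in /etc/pam.d/common-password
# or in an auth-client-config profile ("pam_password=password ...").
# min_len is this example's own threshold, not a value from the page.
audit_pam_password() {
    awk -v min_len=8 '
        NF == 0 || $1 ~ /^#/ { next }
        {
            type = $1; sub(/^.*=/, "", type)   # drop a leading "pam_password="
            if (type != "password" || $0 !~ /pam_unix\.so/) next
            for (i = 2; i <= NF; i++) {
                if ($i == "nullok") print "NULLOK pam_unix works with empty passwords"
                if ($i == "md5")    print "MD5 new passwords are hashed with md5-crypt"
                if ($i ~ /^min=/ && substr($i, 5) + 0 < min_len)
                    print "SHORT " $i " is below " min_len " characters"
            }
        }' "$@"
}

# Constructed samples built from the settings shown on this page.
sample_ldap_conf() {            # Ubuntu step 3
    cat <<'EOF'
host ldap.example.org
base dc=example,dc=org
uri ldap://ldap.example.org
rootbinddn cn=admin,dc=example,dc=org
bind_policy soft
ssl on
ssl start_tls
tls_cacertfile /etc/ldap/certs/cacert.pem
EOF
}

sample_ldap_conf_debug() {      # step 3 plus the troubleshooting lines
    sample_ldap_conf
    printf 'bind_policy hard\ntls_checkpeer no\n'
}

sample_pam_password() {         # common-password as configured above
    cat <<'EOF'
password sufficient pam_ldap.so
password required pam_unix.so nullok obscure min=4 max=8 md5
EOF
}

echo "step 3 config:";          sample_ldap_conf | audit_ldap_conf
echo "troubleshooting config:"; sample_ldap_conf_debug | audit_ldap_conf
echo "common-password:";        sample_pam_password | audit_pam_password
```

Run it against the live files with `audit_ldap_conf /etc/ldap.conf` and `audit_pam_password /etc/pam.d/common-password`.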

Debian LDAP Server Setup


I. OpenLDAP Server Installation
  1. Install openldap server
    • aptitude install ldap-server
      • Admin Password: XXXXXXXX
      • Confirm Admin Password: XXXXXXXX
  2. Configure openldap server
    • dpkg-reconfigure slapd
      • Omit OpenLDAP server configuration? no
      • DNS domain name: example.org.au
      • Name of your organization: example.org.au
      • Admin Password: XXXXXXXX
      • Confirm Password: XXXXXXXX
      • Database backend to use: BDB
      • Do you want your database to be removed when slapd is purged? Yes
      • Move old database? Yes
      • Allow LDAPv2 protocol? No
  3. vim /etc/ldap/slapd.conf (optional)
    • uncomment:
      • rootdn "cn=admin,dc=example,dc=org,dc=au"
  4. Test installation
    • aptitude install ldap-utils
    • ldapsearch -H ldap://localhost -b "dc=example,dc=org,dc=au" -D "cn=admin,dc=example,dc=org,dc=au" -x -W
II. Migrate existing information(password,group) into LDAP
  1. aptitude install ldap-utils migrationtools
  2. pwconv; grpconv (optional; required if you want to enable shadow passwords)
  3. vi /etc/migrationtools/migrate_common.ph
    • $DEFAULT_MAIL_DOMAIN = "example.org.au";
    • $DEFAULT_BASE = "dc=example,dc=org,dc=au";
    • $IGNORE_UID_BELOW = 1000; #(Uncomment to exclude Debian-managed system users)
    • $IGNORE_GID_BELOW = 100; #(Uncomment to exclude Debian-managed system groups)
  4. cd /usr/share/migrationtools/
  5. ./migrate_base.pl > /root/ldap/base.ldif
    • You will need to remove the top entries "dn: dc=org,dc=au" and "dn: dc=example,dc=org,dc=au" in /root/ldap/base.ldif since those top entries were already initialized when setting up the server.
  6. ./migrate_passwd.pl /etc/passwd /root/ldap/passwd.ldif
  7. ./migrate_group.pl /etc/group /root/ldap/group.ldif
  8. ldapadd -H ldap://localhost -D "cn=admin,dc=example,dc=org,dc=au" -x -W -f /root/ldap/base.ldif
  9. ldapadd -H ldap://localhost -D "cn=admin,dc=example,dc=org,dc=au" -x -W -f /root/ldap/passwd.ldif
  10. ldapadd -H ldap://localhost -D "cn=admin,dc=example,dc=org,dc=au" -x -W -f /root/ldap/group.ldif
III. Enable TLS (optional)
  1. Generate CA-signed SSL Certificate
  2. Modify /etc/ldap/slapd.conf
    • TLSCipherSuite HIGH:MEDIUM:+SSLv2:+SSLv3:RSA
    • TLSCACertificateFile /etc/ssl/certs/cacert.pem
    • TLSCertificateFile /etc/ssl/certs/server-cert.pem
    • TLSCertificateKeyFile /etc/ssl/certs/server-key.pem
    • TLSVerifyClient allow
  3. Modify /etc/default/slapd
    • To enable both StartTLS and ldaps://
      • SLAPD_SERVICES="ldap:/// ldaps:///"
    • To enable only StartTLS
      • SLAPD_SERVICES="ldap:///"
    • To enable only ldaps://
      • SLAPD_SERVICES="ldaps:///"
    • See also StartTLS vs. ldaps://
  4. Force to use TLS connection:
    • vim /etc/ldap/slapd.conf
      • security ssf=56 update_ssf=112
    • see also 1 and 2
  5. Restart ldap server
    • /etc/init.d/slapd restart
  6. Test installation:
    1. If ldaps:/// is enabled, you can use the following command to test:
      • openssl s_client -connect localhost:636 -showcerts
    2. On the ldap server itself, make sure ldap-utils installed (aptitude install ldap-utils)
      • vim /etc/ldap/ldap.conf
        • BASE dc=example, dc=org, dc=au
        • URI ldap://localhost
        • ssl on
        • ssl start_tls
        • TLS_CACERT /etc/ssl/certs/cacert.pem
        • TLS_REQCERT demand
      • ldapsearch -x -W -d 1 -ZZ -D "cn=admin,dc=example,dc=org,dc=au"
      • ldapsearch -H ldap://localhost -x -W -d 1 -ZZ -D "cn=admin,dc=example,dc=org,dc=au"
  7. More detail at http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html
  8. See also http://www.openldap.org/doc/admin24/tls.html
IV. DUAConfigProfile.schema Support (Optional)
  1. What is DUA? Directory User Agent.
  2. Download the DUAConfigProfile.schema
  3. Include the schema in slapd.conf
    • vim /etc/ldap/slapd.conf
      • include /etc/ldap/schema/DUAConfigProfile.schema
  4. Restart ldap server
    • /etc/init.d/slapd restart
V. Enable openldap server logging
  1. modify /etc/ldap/slapd.conf
    • change
      • loglevel 0
    • to
      • loglevel 256
    • more detail about loglevel
  2. modify /etc/syslog.conf
    • append
      • local4.* /var/log/ldap.log
  3. restart syslog daemon
    • killall -HUP syslogd
  4. trouble shooting

Adding Dynamic Contents to IFrames


    <html>
    <head>
       <title>Adding Dynamic Contents to IFrames</title> 
       <script type="text/javascript" src="IFrame.js"></script> 
       <script type="text/javascript"> 
          function onPageLoad() 
          {
             var canvas = document.getElementById("canvas"); 
             var iframe = new IFrame(canvas); 
             var div = iframe.doc.createElement("div"); 
             div.style.width = "50px"; div.style.height = "50px"; 
             div.style.border = "solid 1px #000000"; 
             div.innerHTML = "Hello IFrame!"; 
             // assumes iframe.doc is the frame's document, as the createElement call above implies
             iframe.doc.body.appendChild(div); 
          }
       </script> 
    </head>
    <body onload="onPageLoad();"> 
       <div id="canvas" style="border: solid 1px #000000; height: 500px; width: 500px;"></div> 
    </body>
    </html>

Java SPI: Service Provider Interface


David Gallardo on the Service Provider Interface

Ethan Nicholas: Creating a Service Provider Interface



FreeNX Setup on SuSE Linux Enterprise (SGI Altix 3000 Itanium 64bit)


I. FreeNX Server Setup

  1. Build NX Libraries
    1. Download NX sources
      1. Get all sources except nx-X11-compat.tar.gz from http://www.nomachine.com/sources.php
    2. Untar all sources, install all dependencies then do:
      1. $ cd nx-X11
      2. $ make World
      3. $ cd ..
      4. $ cd nxproxy
      5. $ ./configure && make
    3. Install the compiled libraries and binaries to /usr/local/freenx:
      1. $ NXPREFIX=/usr/local/freenx
      2. $ mkdir -p ${NXPREFIX}/lib ${NXPREFIX}/bin
      3. $ cp -a nx-X11/lib/X11/libX11.so* ${NXPREFIX}/lib
      4. $ cp -a nx-X11/lib/Xext/libXext.so* ${NXPREFIX}/lib
      5. $ cp -a nx-X11/lib/Xrender/libXrender.so* ${NXPREFIX}/lib
      6. $ cp -a nxcomp/libXcomp.so* ${NXPREFIX}/lib
      7. $ cp -a nxcompext/libXcompext.so* ${NXPREFIX}/lib
      8. $ cp -a nx-X11/programs/Xserver/nxagent ${NXPREFIX}/bin
      9. $ cp -a nxproxy/nxproxy ${NXPREFIX}/bin
    • *Note:* To compile those libraries, you need to have gtk-devel package installed.
  2. Build FreeNX Server
    1. Download FreeNX server source package:
      1. Download from: http://prdownload.berlios.de/freenx/freenx-server-0.7.3.tar.gz
    2. Compile FreeNX Server:
      1. $ cd freenx-
      2. $ patch -p0 < gentoo-nomachine.diff
      3. $ vi nxloadconfig
        • NX_DIR=/usr/local/freenx
        • PATH_BIN=$NX_DIR/bin
        • PATH_LIB=$NX_DIR/lib
      4. $ export DESTDIR=/usr/local/freenx
      5. $ make
      6. $ make install
      7. $ cp node.conf.sample $DESTDIR/etc/node.conf
    3. Xdialog is required. You need to download and build from source.
      1. Download http://xdialog.free.fr/Xdialog-2.3.1.tar.bz2
      2. Follow the instructions to build and install it.
    4. Setup nxserver
      1. $ export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/freenx/lib
      2. $ export PATH=$PATH:/usr/local/freenx/bin
      3. $ nxsetup --install
    5. Fix sessreg
      1. $ vi /usr/local/freenx/etc/node.conf
        • COMMAND_SESSREG="/usr/X11R6/bin/sessreg"
    6. Set font path on the server (NOTE: This is an important step, otherwise the Mac OS NX Clients cannot display the fonts properly.)
      1. $ vi /usr/local/freenx/etc/node.conf
        • AGENT_EXTRA_OPTIONS_X="-nolisten tcp -fp /usr/X11R6/lib/X11/fonts/misc/,/usr/X11R6/lib/X11/fonts/Type1/,/usr/X11R6/lib/X11/fonts/75dpi/,/usr/X11R6/lib/X11/fonts/100dpi"
    7. Modify the display base:
      1. $ vi /usr/local/freenx/etc/node.conf
        • DISPLAY_BASE=1001
    8. See also:
      1. Install Free NX server
      2. Fonts and NX
II. FreeNX Server Administration
  • Note: You need to operate as root and you need to export the env variables: export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/freenx/lib; export PATH=$PATH:/usr/local/freenx/bin
  • See also:NX Server Admin Guide
  1. Server management
    1. To start server:
      1. $ nxserver start
    2. To stop server:
      1. $ nxserver stop
    3. To restart server:
      1. $ nxserver restart
  2. User management
    1. To add a user
      1. $ nxserver --adduser <user>
    2. To delete a user
      1. $ nxserver --deluser <user>
  3. Replacing the Default SSH Key-Pair with Keys Generated for Your Server: See section 4.4. of NX Server Admin Guide
III. FreeNX Client Setup
  1. Windows Client:
    1. Download from: http://www.nomachine.com/download-client-windows.php
  2. Mac OS X Client:
    1. Download from: http://www.nomachine.com/download-client-macosx.php
  3. Linux Client:
    1. Download from: http://www.nomachine.com/download-client-linux.php


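[1] The Bible
It is the key to understanding Western culture! As the official scripture of Christianity, its most important theme is humankind.
[2] The Quran
[3] Newton, Mathematical Principles of Natural Philosophy
[4] Darwin, On the Origin of Species
[5] Freud, The Interpretation of Dreams
[6] Euclid, Elements
[7] Adam Smith, The Wealth of Nations
[8] Malthus, An Essay on the Principle of Population
[9] Carson, Silent Spring
[10] Marx and Engels, The Communist Manifesto
[11] The Analects
[12] Sun Wu (Sun Tzu), The Art of War
[13] Lavoisier, Elementary Treatise on Chemistry
[14] Maxwell, A Treatise on Electricity and Magnetism
[15] M. Weber, The Protestant Ethic and the Spirit of Capitalism
[16] J. S. Mill, On Liberty
"Liberty" is a beautiful word, but many people speak of it only in generalities, and many who criticize it swap concepts and miss the point. Mill's On Liberty is to date the most important work on social liberty, and it was among the first world classics introduced to China. Regrettably, a hundred years later, some Chinese people still know nothing of the book's content.
[17] Montesquieu, The Spirit of the Laws
[18] Rousseau, The Social Contract
[19] Hitler, Mein Kampf
[20] McLuhan, Understanding Media
[21] Plato, The Republic
[22] Aristotle, Organon
[23] Schrödinger, What Is Life?
[24] Wiener, Cybernetics
[25] Wilson, Sociobiology: The New Synthesis
[26] Shakespeare, Hamlet
[27] Dostoevsky, The Brothers Karamazov
[28] Comte, Course of Positive Philosophy
[29] Bentham, An Introduction to the Principles of Morals and Legislation
[30] The Upanishads
[31] Goethe, Faust
[32] Cervantes, Don Quixote
[33] Keynes, The General Theory of Employment, Interest and Money
[34] Veblen, The Theory of the Leisure Class
[35] Foucault, The Order of Things
[36] Rawls, A Theory of Justice
[37] Cassirer, The Philosophy of Symbolic Forms
"What is man?" People have never given a proper answer to this most fundamental question that philosophy ought to resolve. Cassirer's starting point for solving it is unusual: "man is a symbolic animal." This opens a new path. Since the foundation of all culture rests on the human capacity to form concepts, that capacity lets us invent and use artificial signs and symbols. Cassirer holds that these "symbolic forms" are precisely what philosophy should concentrate on studying.
[38] Chomsky, Syntactic Structures
[39] von Neumann and Morgenstern, Theory of Games and Economic Behavior
[40] Virchow, Cellular Pathology
[41] Toynbee, A Study of History
[42] Braudel, Civilization and Capitalism, 15th-18th Century
[43] Russell, Freedom and Organization
[44] Hobsbawm, The Age of Extremes
[45] Huntington, The Clash of Civilizations and the Remaking of World Order
[46] Camus, The Plague
[47] Lawrence, Lady Chatterley's Lover
[48] Nietzsche, Thus Spoke Zarathustra
[49] Popper, The Logic of Scientific Discovery
Popper's The Logic of Scientific Discovery was a revolution in the philosophy of science. Popper says: "Empirical science is a system of theories, and we may call the logic of knowledge a theory of theories." "Scientific theories are universal statements." According to his doctrine, scientific theory "begins not with observation but with problems." The starting point of Popper's whole theory of science is the problem of demarcation, that is, finding a criterion to draw the line between science and "pseudoscience."
[50] Toffler, The Third Wave
[51] Beauvoir, The Second Sex
[52] Gide, The Counterfeiters
[53] Said, Representations of the Intellectual
[54] Monod, Chance and Necessity
[55] Shaw, Man and Superman
[56] Simon, The Sciences of the Artificial
[57] Tylor, Primitive Culture
[58] Whitehead, Science and the Modern World
[59] Grotius, On the Law of War and Peace
[60] Eco, The Name of the Rose
[61] Descartes, Discourse on the Method
[62] Bacon, The Advancement of Learning
[63] Quotations from Chairman Mao
[64] Orwell, Nineteen Eighty-Four
[65] Kafka, The Trial
[66] C. P. Snow, The Two Cultures
[67] Pascal, Pensées
[68] Hayek, The Road to Serfdom
[69] Leo Tolstoy, War and Peace
[70] Lu Xun, The True Story of Ah Q
[71] Benedict, The Chrysanthemum and the Sword
[72] García Márquez, One Hundred Years of Solitude
[73] Conrad, Heart of Darkness
[74] Wundt, Folk Psychology
[75] Needham, Science and Civilisation in China
[76] Thomas Aquinas, Summa Theologica
[77] Carlyle, On Heroes and Hero-Worship
[78] The Agamas
[79] Montaigne, Essays
[80] Hardy, Jude the Obscure
[81] Lenin, The State and Revolution
[82] Lao Dan (Laozi), Tao Te Ching
[83] Defoe, Robinson Crusoe
[84] Schopenhauer, The World as Will and Representation
[85] Dewey, Democracy and Education
[86] Becker, Human Capital
[87] Schumpeter, The Theory of Economic Development
[88] Borges, Collected Works
[89] Strange, States and Markets
[90] Dickens, A Tale of Two Cities
[91] Nehru, The Discovery of India
[92] Kuhn, The Structure of Scientific Revolutions
[93] Rostow, The Stages of Economic Growth
[94] Fayol, General and Industrial Management
[95] Marcuse, One-Dimensional Man
[96] Vico, The New Science
[97] Voltaire, Candide, or Optimism
[98] Canetti, Crowds and Power
Canetti's Crowds and Power is the result of a lifetime of experience and continual exploration and reflection. In a scientific spirit the book studies four major themes: crowds, power, death and transformation, and links them closely together. Historically there has indeed been some discussion of crowd psychology, but hardly any theoretical research. Canetti's original contribution is to link power with death. He says: "The moment of survival is the moment of power."
[99] Maslow, Motivation and Personality
[100] Cao Xueqin, Dream of the Red Chamber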

How to avoid java.util.ConcurrentModificationException

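The following code may cause java.util.ConcurrentModificationException:
for(Iterator it = list.iterator();it.hasNext();){
    String member = (String)it.next();
    if(member.equals(target)) list.remove(member); // removes through the list while the iterator is live; 'target' stands in for the condition missing from this page
}
To work around:
String memberToDelete = null;
for(Iterator it = list.iterator();it.hasNext();){
    String member = (String)it.next();
    if(member.equals(target)) memberToDelete = member; // only remember the entry here
}
if(memberToDelete != null) list.remove(memberToDelete); // remove once the iteration is over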
See http://java.sun.com/j2se/1.5.0/docs/api/java/util/ConcurrentModificationException.html

Google Web Toolkit 1.6 on Linux (Ubuntu 8.0.4) failed to compile and run. How to work around?

I am trying GWT 1.6 for Linux on my Ubuntu 8.0.4. It was using SUN JDK 6. However, GWT failed to compile and run the application:

# An unexpected error has been detected by Java Runtime Environment:
# SIGSEGV (0xb) at pc=0x0625665c, pid=15353, tid=2418424720
# Java VM: Java HotSpot(TM) Server VM (10.0-b23 mixed mode linux-x86)
# Problematic frame:
# V [libjvm.so+0x25665c]
# An error report file with more information is saved as:
# /mnt/stor/development/workspace/ownproject/WebShopModule/war/hs_err_pid15353.log
# If you would like to submit a bug report, please visit:
# http://java.sun.com/webapps/bugreport/crash.jsp
# The crash happened outside the Java Virtual Machine in native code.
# See problematic frame for where to report the bug.


To work around this problem, I had to change to openjdk 6:

sudo aptitude install openjdk-6-jdk
sudo update-java-alternatives -s java-6-openjdk

In eclipse, Window -> Preferences -> Java -> Installed JREs -> add ..., then select /usr/lib/jvm/java-6-openjdk

Disable “unaligned access to …” message when running java on Itanium 64

Installed Java 6 on Itanium 64 Altix 3000 system. But it gives

java(84473): unaligned access to 0x2000000001aee211, ip=0x2000000001cb9ef0
java(84473): unaligned access to 0x2000000001aee219, ip=0x2000000001cb9ef1
java(84473): unaligned access to 0x2000000001aee211, ip=0x2000000001cb9ef0
java(84473): unaligned access to 0x2000000001aee219, ip=0x2000000001cb9ef1
java(84473): unaligned access to 0x2000000001aee211, ip=0x2000000001cb9ef0

when running a java application.

You can actually disable the messages. Prepending

prctl --unaligned=silent

to the java command line will disable the messages.

See also: http://java.sun.com/javase/6/webnotes/Itanium6u11.html