Saturday, January 21. 2017
Let's Encrypt changes the game for SSL certificates. By combining free certificates with an effective mechanism for ensuring these certificates are legitimately issued, everyone running a site can now have a signed certificate. EFF's Certbot is a handy tool for allowing even novice administrators to easily maintain these certificates, with automatic renewal.
For companies with intranets, Let's Encrypt may not be suitable. The resolution protocol which verifies the site owner requires access to the DNS or parent web server for a real domain. Regardless of the registration method used, the addresses of these intranet sites are then publicly available via logs which anyone can see, which could be an issue in cases where it is important to keep these private.
Regardless of the caveat for intranets, this new option is a tremendous improvement over the previous state of SSL for many, and has particularly impressive use cases in cloud deployments.
Wednesday, September 28. 2011
In Liferay 6.0 GA4 Community Edition there is an error in the CKEditor configuration; different configuration files are used to define the editing toolbar for the web content and other areas depending on the browsing path. This results in an issue where the toolbar changes seemingly at random. This is fixed in the Enterprise Edition and for future versions, but for those of us using the current Community Edition, the following workaround is useful.
The most problematic disappearing item for my use case is the spell checker; the same method can be used to restore other buttons as necessary. Back up, then apply this ckconfig.jsp patch to the Liferay root web app. For the tomcat download this is located in the liferay-portal-6.0.6/tomcat-6.0.29/webapps/ROOT/html/js/editor/ckeditor/ directory. Shut down Liferay, remove the tomcat work directory to clear the cache, then restart Liferay.
Tuesday, July 19. 2011
Although Apple uses standard protocols for Airprint, the service is very picky about the exact broadcast settings before the printer will show up on iOS devices. The easiest way I've found to Airprint to an office workgroup printer:
- Configure the printer to be printable via a Linux / CUPS server. On Debian install the cups and cups-pdf packages then log in via port 631 and configure the workgroup printer, making sure a test page prints.
- Add ServerAlias * in /etc/cups.conf; this prevents "Request from x using invalid Host: field" errors.
- Install avahi, on Debian use the avahi-daemon package.
- Run this handy airprint-generate script. Copy the resulting file to /etc/avahi/services/ and restart avahi and cups.
Airprint should now be working for your iOS devices on the local network.
Monday, February 7. 2011
After upgrading to Debian squeeze, snmp output will change; the descriptions are missing.
Before squeeze (i.e. in lenny):
$ snmpget -v1 -On -c public printer.example.com 1.3.6.1.2.1.25.3.5.1.1.1
.1.3.6.1.2.1.25.3.5.1.1.1 = INTEGER: idle(3)
After squeeze upgrade:
$ snmpget -v1 -On -c public printer.example.com 1.3.6.1.2.1.25.3.5.1.1.1
.1.3.6.1.2.1.25.3.5.1.1.1 = INTEGER: 3
This is because the MIB files were stripped from squeeze due to licensing reasons. Install the snmp-mibs-downloader package and comment out the line in /etc/snmp/snmp.conf as described in that config file. Non-free will need to be enabled in apt sources if you are not finding the package. See the Debian wiki section on snmp for added information.
Friday, December 3. 2010
If receiving e-mails like this from Zimbra after upgrading to 6.0.9:
/etc/cron.daily/logrotate:
error: zimbra:5 unknown user 'USER'
run-parts: /etc/cron.daily/logrotate exited with return code 1
See this forum post on a 6.0.9 logrotate issue. In a nutshell, edit /etc/logrotate.d/zimbra and replace USER GROUP with zimbra zimbra.
Wednesday, October 13. 2010
In August I attended Debconf 10. My primary goals were to learn more about the current status of the Debian community, particularly in the face of Ubuntu's rise to popularity, and to fix the package xtrkcad for Debian, which used an outdated library.
Tuesday, May 4. 2010
Current versions of Apache HTTP Server support SSL certificates and keys all in one file; it is no longer required to separate them. Point SSLCertificateFile at the combined file (commonly .pem) and comment out or omit SSLCertificateKeyFile.
This may not be desirable if you wish to have the certificate publicly available somewhere like /etc/ssl/certs/, available on the web for verification, or use the certificate for other applications for that domain (it's important to keep the key, and thus the combined file, private). In many common cases certificates are only used for an SSL secured web server, however.
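One way to check the caveat above is to look for files that hold a private key yet are readable by group or other. This is an added example, not part of the original post; the function names and the demo directory with placeholder PEM bodies are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Matches PKCS#8, RSA, EC, DSA and ENCRYPTED private key headers.
KEY_HEADER = re.compile(rb"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")


def holds_private_key(path):
    """True if the file contains a PEM private key header."""
    try:
        with open(path, "rb") as fh:
            return KEY_HEADER.search(fh.read()) is not None
    except OSError:
        return False  # unreadable by us, so nothing to inspect


def exposed_key_files(directory):
    """Names of regular files that hold a key and are group- or other-readable."""
    exposed = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        st = os.lstat(path)
        if not stat.S_ISREG(st.st_mode):
            continue  # skip directories and the symlinks common in cert stores
        loose = st.st_mode & (stat.S_IRGRP | stat.S_IROTH)
        if loose and holds_private_key(path):
            exposed.append(name)
    return exposed


def build_demo_dir():
    """Constructed sample directory; PEM bodies are placeholders, not real keys."""
    cert = b"-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n"
    key = b"-----BEGIN PRIVATE KEY-----\nplaceholder\n-----END PRIVATE KEY-----\n"
    demo = tempfile.mkdtemp()
    for name, body, mode in (("site.crt", cert, 0o644),
                             ("combined-open.pem", cert + key, 0o644),
                             ("combined-locked.pem", cert + key, 0o600)):
        path = os.path.join(demo, name)
        with open(path, "wb") as fh:
            fh.write(body)
        os.chmod(path, mode)
    return demo


if __name__ == "__main__":
    print(exposed_key_files(build_demo_dir()))
```

Pointing exposed_key_files at the directory that holds the combined file lists anything that needs its mode tightened.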
Saturday, May 1. 2010
When upgrading from 32 to 64 bit Zimbra, I could not get the zimbra mailbox (mailboxd) to start. It turned out to be a set of borked certificates. Do yourself a favor if you have this problem and just do this:
mv /opt/zimbra/mailboxd/etc/keystore /opt/zimbra/mailboxd/etc/keystore.borked
sudo /opt/zimbra/bin/zmcertmgr deploycrt self
Then re-deploy your certificates using the gui admin interface after restarting Zimbra.
Thursday, July 30. 2009
Working for a small company, our projects tend to be small. Processes and programs are best documented as tasks are first done and over time as improvements are made. Trying to document everything up front is a waste of time, as the requirements change throughout. Waiting until the end, the documentation is never completed as some other urgent project comes along. Humans are frighteningly perishable and can get hit by a bus/meteor/disease at any time.
Wednesday, April 8. 2009
When setting up Maildir in Debian 5.0, getting the generic mail applications working correctly can be tricky.
- Install the 'mailutils' package, not the bsd mailx package.
- Do not touch the mailutils /etc/mail.rc file; there are some promising looking variables here like mailbox-type but these do not do what is desired. When the MAIL environment variable is set correctly mailutils will automatically detect the maildir box type.
- Do not touch /etc/login.defs; the promising looking lines in here are deprecated.
- Edit files in /etc/pam.d, changing the pam_mail.so lines as shown (assuming ~/Maildir as the selected location):
  - login: default login shells
    session optional pam_mail.so dir=~/Maildir standard
  - su: set up for proper MAIL when using su; nopen does not show 'new mail' message
    session optional pam_mail.so dir=~/Maildir nopen
  - sshd: set up MAIL properly when logging in with ssh; this line probably has a noenv by default which needs to be removed to set this properly
    session optional pam_mail.so dir=~/Maildir standard
Wednesday, March 18. 2009
PostgreSQL has improved its checking for proper locale handling in version 8.3. Due to inconsistencies caused by changing defaults in past versions of Debian, some database clusters contain UTF8 and LATIN1 databases in the same cluster. This can cause problems when trying to restore from a pg_dump file, with errors similar to:
ERROR: encoding LATIN1 does not match server's locale en_US.UTF-8
DETAIL: The server's LC_CTYPE setting requires encoding UTF8.
Thursday, January 22. 2009
On a server running Zimbra on Ubuntu, to get cron job output sent to an e-mail address, make the following link:
ln -s /opt/zimbra/postfix/sbin/sendmail /usr/sbin/sendmail
Until this is done, crontab output will silently vaporize.
Tuesday, February 5. 2008
I use the built-in Apache 2.2 ajp ProxyPass support when deploying Tomcat and JBoss applications via Apache. When doing so, be careful your slashes match up or you can have subtle problems with applications which use redirects. For example, I was deploying a JSPWiki but having an odd problem with authentication where logins would seem to fail but then work fine if I manually reloaded the page. I was using this Apache configuration:
ProxyPass /webdevwiki ajp://127.0.0.1:8009/webdevwiki/
ProxyPassReverse /webdevwiki ajp://127.0.0.1:8009/webdevwiki/
This appeared to work fine, but when logging in an extra slash would get added to the Login.jsp redirection page. This kept the redirect to the main page from working, causing it to reload the Login.jsp infinitely even though login had been successful. A manual click of the reload button fixed the site, with authentication and all other functions working until trying to log in again.
ProxyPass /webdevwiki ajp://127.0.0.1:8009/webdevwiki
ProxyPassReverse /webdevwiki ajp://127.0.0.1:8009/webdevwiki
Removing the extra slashes as shown fixed this issue.
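The slash mismatch described above can be caught before deployment. The following is an added example, not code from the original post: slash_mismatches flags ProxyPass and ProxyPassReverse lines where only one argument ends in a slash, and backend_url is a simplified model of mod_proxy's prefix substitution that shows where the doubled slash comes from. The function names and the third sample line are constructed.

```python
import re

# Constructed sample: the first two lines are the "before" configuration
# quoted in the post; the third is an added line whose slashes match.
SAMPLE_CONF = """\
ProxyPass /webdevwiki ajp://127.0.0.1:8009/webdevwiki/
ProxyPassReverse /webdevwiki ajp://127.0.0.1:8009/webdevwiki/
ProxyPass /ok/ ajp://127.0.0.1:8009/ok/
"""

RULE = re.compile(r"^\s*(ProxyPass|ProxyPassReverse)\s+(\S+)\s+(\S+)", re.I)


def parse_rules(conf_text):
    """Return (line_no, directive, local_path, backend) for each proxy rule."""
    rules = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        m = RULE.match(line)
        if m and m.group(3) != "!":  # "!" excludes a path from proxying
            rules.append((no, m.group(1), m.group(2), m.group(3)))
    return rules


def slash_mismatches(conf_text):
    """Rules where exactly one of the two arguments ends in '/'."""
    return [r for r in parse_rules(conf_text)
            if r[2].endswith("/") != r[3].endswith("/")]


def backend_url(request_path, local_path, backend):
    """Simplified model: the matched prefix is replaced by the backend URL."""
    if not request_path.startswith(local_path):
        return None
    return backend + request_path[len(local_path):]


if __name__ == "__main__":
    for no, directive, local, backend in slash_mismatches(SAMPLE_CONF):
        print(f"line {no}: {directive} {local} -> {backend}")
        print("  /webdevwiki/Login.jsp maps to",
              backend_url("/webdevwiki/Login.jsp", local, backend))
```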
Thursday, January 3. 2008
Apache 2.2's mod_authnz_ldap has significant differences from Apache 2.0's mod_auth_ldap. Moving to 2.2, some significant changes are needed which can be confusing and cause seemingly nonsensical authorization loops if directives are missed.
Necessary modules
- auth_basic
- authz_user
- ldap
- authnz_ldap
Directives
AuthType basic
AuthBasicProvider ldap
AuthName "My Site"
AuthLDAPURL ldap://ldap1.example.com/ou=People,o=Example
AuthzLDAPAuthoritative Off
Require valid-user
AuthBasicProvider ldap is needed instead of AuthLDAPEnabled on, which no longer exists as a valid directive.
AuthzLDAPAuthoritative Off is needed to allow the authorization to fall through to Require valid-user, otherwise you will get auth_ldap authorise: authorisation denied in your debug messages after it successfully authenticates the user but fails to find an authorization directive to allow access. These messages will not show up in your logs by default, so it can be confusing if you watch the ldap server, see authentication succeed, and wonder why it keeps requesting a username and password.
Friday, July 6. 2007
Zimbra lacks a calendar feature commonly used by serious Outlook and Entourage users, the ability to configure reminders for individual calendar entries. The workaround is to create a 'reminder' calendar entry, which does not work well as it requires manually changing the reminder if the original appointment changes. If you are a current or prospective Zimbra user and would like to have this feature added, please vote for this bug. On a related note, the Zimbra Toaster (which provides popup notification of new mail) does not support calendar reminders, which is documented in this bug.