Tuesday, May 4. 2010
Current versions of Apache HTTP Server support SSL certificates and keys all in one file; it is no longer required to separate them. Point SSLCertificateFile at the combined file (commonly .pem) and comment out or omit SSLCertificateKeyFile.
This may not be desirable if you wish to have the certificate publicly available somewhere like /etc/ssl/certs/, available on the web for verification, or use the certificate for other applications for that domain (it's important to keep the key, and thus the combined file, private). In many common cases certificates are only used for an SSL secured web server, however.
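A check for the point above that a combined certificate-and-key file must stay private, as an added example that is not part of the original post. The file names and the sample directory are constructed, and the PEM bodies are placeholders rather than real keys.

```shell
#!/bin/sh
# Added example: report PEM files that contain a private key but are
# accessible to group or others. File names below are constructed.

# Succeeds if FILE has a PEM private-key header ("PRIVATE KEY",
# "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY").
has_private_key() {
    grep -q -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' -- "$1"
}

# Succeeds if all group/other permission bits are clear: characters 5-10
# of the ls mode string are "------". -L checks the target of a symlink.
mode_is_private() {
    [ "$(ls -Lld -- "$1" | cut -c5-10)" = "------" ]
}

# Print every *.pem, *.crt or *.key file under DIR that holds a private
# key and is not owner-only.
exposed_keys() {
    find "$1" -type f \( -name '*.pem' -o -name '*.crt' -o -name '*.key' \) |
        sort |
        while IFS= read -r f; do
            if has_private_key "$f" && ! mode_is_private "$f"; then
                printf '%s\n' "$f"
            fi
        done
}

# Build a constructed sample directory (placeholder text, not real keys).
make_sample_dir() {
    d=$(mktemp -d) || return 1
    cert='-----BEGIN CERTIFICATE-----
(constructed placeholder)
-----END CERTIFICATE-----'
    key='-----BEGIN RSA PRIVATE KEY-----
(constructed placeholder)
-----END RSA PRIVATE KEY-----'
    printf '%s\n' "$cert" > "$d/cert-only.pem"      # public part: fine at 644
    printf '%s\n%s\n' "$cert" "$key" > "$d/combined-open.pem"
    printf '%s\n%s\n' "$cert" "$key" > "$d/combined-private.pem"
    chmod 644 "$d/cert-only.pem" "$d/combined-open.pem"
    chmod 600 "$d/combined-private.pem"
    printf '%s\n' "$d"
}

sample=$(make_sample_dir)
exposed_keys "$sample"     # lists only combined-open.pem
rm -rf "$sample"
```

Point `exposed_keys` at the directory holding the file named in SSLCertificateFile; any path it prints should be changed to owner-only access.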
Saturday, May 1. 2010
When upgrading from 32 to 64 bit Zimbra, I could not get the zimbra mailbox (mailboxd) to start. It turned out to be a set of borked certificates. Do yourself a favor if you have this problem and just do this:
mv /opt/zimbra/mailboxd/etc/keystore /opt/zimbra/mailboxd/etc/keystore.borked
sudo /opt/zimbra/bin/zmcertmgr deploycrt self
Then re-deploy your certificates using the GUI admin interface after restarting Zimbra.
Thursday, July 30. 2009
Working for a small company, our projects tend to be small. Processes and programs are best documented as tasks are first done and over time as improvements are made. Trying to document everything up front is a waste of time, as the requirements change throughout. If you wait until the end, the documentation is never completed because some other urgent project comes along. Humans are frighteningly perishable and can get hit by a bus/meteor/disease at any time.
Wednesday, April 8. 2009
When setting up Maildir in Debian 5.0, getting the generic mail applications working correctly can be tricky.
- Install the 'mailutils' package, not the bsd mailx package.
- Do not touch the mailutils /etc/mail.rc file; there are some promising looking variables here like mailbox-type but these do not do what is desired. When the MAIL environment variable is set correctly mailutils will automatically detect the maildir box type.
- Do not touch /etc/login.defs; the promising looking lines in here are deprecated.
- Edit files in /etc/pam.d, changing the pam_mail.so lines as shown (assuming ~/Maildir as the selected location):
  - login: default login shells
    session optional pam_mail.so dir=~/Maildir standard
  - su: set up for proper MAIL when using su; nopen does not show 'new mail' message
    session optional pam_mail.so dir=~/Maildir nopen
  - sshd: set up MAIL properly when logging in with ssh; this line probably has a noenv by default which needs to be removed to set this properly
    session optional pam_mail.so dir=~/Maildir standard
Wednesday, March 18. 2009
PostgreSQL has improved its checking for proper locale handling in version 8.3. Due to inconsistencies caused by changing defaults in past versions of Debian, some database clusters contain UTF8 and LATIN1 databases in the same cluster. This can cause problems when trying to restore from a pg_dump file, with errors similar to:
ERROR: encoding LATIN1 does not match server's locale en_US.UTF-8
DETAIL: The server's LC_CTYPE setting requires encoding UTF8.
Thursday, January 22. 2009
On a server running Zimbra on Ubuntu, to get cron job output sent to an e-mail address, make the following link:
ln -s /opt/zimbra/postfix/sbin/sendmail /usr/sbin/sendmail
Until this is done, crontab output will silently vaporize.
Tuesday, February 5. 2008
I use the built-in Apache 2.2 ajp ProxyPass support when deploying Tomcat and JBoss applications via Apache. When doing so, be careful your slashes match up or you can have subtle problems with applications which use redirects. For example, I was deploying a JSPWiki but having an odd problem with authentication where logins would seem to fail but then work fine if I manually reloaded the page. I was using this Apache configuration:
ProxyPass /webdevwiki ajp://127.0.0.1:8009/webdevwiki/
ProxyPassReverse /webdevwiki ajp://127.0.0.1:8009/webdevwiki/
This appeared to work fine, but when logging in an extra slash would get added to the Login.jsp redirection page. This kept the redirect to the main page from working, causing it to reload the Login.jsp infinitely even though login had been successful. A manual click of the reload button fixed the site, with authentication and all other functions working until trying to log in again.
ProxyPass /webdevwiki ajp://127.0.0.1:8009/webdevwiki
ProxyPassReverse /webdevwiki ajp://127.0.0.1:8009/webdevwiki
Removing the extra slashes as shown fixed this issue.
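A lint for the mismatch described above, as an added example that is not part of the original post: it flags any ProxyPass or ProxyPassReverse line where only one of the two arguments ends in a slash. The sample input reuses the two configurations from the post; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: find ProxyPass / ProxyPassReverse lines whose local path and
# backend URL disagree about a trailing slash. Reads stdin or file arguments.
proxy_slash_mismatches() {
    awk '
    tolower($1) == "proxypass" || tolower($1) == "proxypassreverse" {
        if ($2 == "!" || $3 == "!") next      # exclusion rules have no URL
        path_slash = ($2 ~ /\/$/)             # 1 if the path ends in "/"
        url_slash  = ($3 ~ /\/$/)             # 1 if the URL ends in "/"
        if (path_slash != url_slash)
            printf "%d: %s %s %s\n", NR, $1, $2, $3
    }' "$@"
}

# Sample input: the two configurations shown in the post.
sample_conf() {
    cat <<'EOF'
# first attempt: path has no trailing slash, backend URL has one
ProxyPass /webdevwiki ajp://127.0.0.1:8009/webdevwiki/
ProxyPassReverse /webdevwiki ajp://127.0.0.1:8009/webdevwiki/
# corrected form
ProxyPass /webdevwiki ajp://127.0.0.1:8009/webdevwiki
ProxyPassReverse /webdevwiki ajp://127.0.0.1:8009/webdevwiki
EOF
}

sample_conf | proxy_slash_mismatches    # reports lines 2 and 3 only
```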
Thursday, January 3. 2008
Apache 2.2's mod_authnz_ldap has significant differences from Apache 2.0's mod_auth_ldap. Moving to 2.2, some significant changes are needed which can be confusing and cause seemingly nonsensical authorization loops if directives are missed.
Necessary modules
- auth_basic
- authz_user
- ldap
- authnz_ldap
Directives
AuthType basic
AuthBasicProvider ldap
AuthName "My Site"
AuthLDAPURL ldap://ldap1.example.com/ou=People,o=Example
AuthzLDAPAuthoritative Off
Require valid-user
AuthBasicProvider ldap is needed instead of AuthLDAPEnabled on, which no longer exists as a valid directive.
AuthzLDAPAuthoritative Off is needed to allow the authorization to fall through to Require valid-user; otherwise you will get auth_ldap authorise: authorisation denied in your debug messages after it successfully authenticates the user but fails to find an authorization directive to allow access. These messages will not show up in your logs by default, so it can be confusing if you watch the ldap server, see authentication succeed, and wonder why it keeps requesting a username and password.
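A lint for the migration mistakes described above, as an added example that is not part of the original post. It assumes the whole input is a single authentication scope, and the function names and the 2.0-style sample are constructed.

```shell
#!/bin/sh
# Added example: check an Apache 2.2 config (stdin or file arguments) for the
# mod_auth_ldap -> mod_authnz_ldap problems described in the post.
# Assumption: the whole input is treated as one authentication scope.
ldap_migration_issues() {
    awk '
    { d = tolower($1); a = tolower($2) }
    d == "authldapenabled"                       { removed = NR }
    d == "authbasicprovider" && a == "ldap"      { provider = 1 }
    d == "authldapurl"                           { ldapurl = 1 }
    d == "authzldapauthoritative" && a == "off"  { nonauth = 1 }
    d == "require" && a == "valid-user"          { validuser = 1 }
    END {
        if (removed) print "line " removed ": AuthLDAPEnabled is not valid in 2.2"
        if (ldapurl && !provider) print "AuthBasicProvider ldap is missing"
        if (ldapurl && validuser && !nonauth) print "AuthzLDAPAuthoritative Off is missing"
    }' "$@"
}

# Constructed 2.0-style input that still uses the old directive.
old_style_conf() {
    cat <<'EOF'
AuthType basic
AuthLDAPEnabled on
AuthName "My Site"
AuthLDAPURL ldap://ldap1.example.com/ou=People,o=Example
Require valid-user
EOF
}

# The directive set given in the post.
post_conf() {
    cat <<'EOF'
AuthType basic
AuthBasicProvider ldap
AuthName "My Site"
AuthLDAPURL ldap://ldap1.example.com/ou=People,o=Example
AuthzLDAPAuthoritative Off
Require valid-user
EOF
}

old_style_conf | ldap_migration_issues   # three findings
post_conf | ldap_migration_issues        # no output
```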
Friday, July 6. 2007
Zimbra lacks a calendar feature commonly used by serious Outlook and Entourage users, the ability to configure reminders for individual calendar entries. The workaround is to create a 'reminder' calendar entry, which does not work well as it requires manually changing the reminder if the original appointment changes. If you are a current or prospective Zimbra user and would like to have this feature added, please vote for this bug. On a related note, the Zimbra Toaster (which provides popup notification of new mail) does not support calendar reminders, which is documented in this bug.
Friday, June 8. 2007
In the area where I reside, power fluctuations and outages are numerous, so having a UPS is crucial when doing serious computer work. When my old Belkin F6C800 unit recently died a malodorous death, I decided to return to APC. Browsing the local Best Buy, I saw a Back-UPS XS 1500 LCD on the shelf with, as the name implies, an LCD display. Such a geeky feature was beyond resistance for me.
I use a Back-UPS XS 1500 (without the LCD) for various machines downstairs, and it works well. The only issue with it is the noise; it beeps every time the power fluctuates with no way to turn it off. On some days when my power is particularly bad, this results in perpetual beeping every few minutes. Obviously they received many customer complaints about this, as the XS 1500 LCD has two buttons on the front: 'Power' and 'Mute'.
Update: The display readings for this device are proving to be inaccurate when tested. Do not rely on the readings from this device.
Thursday, May 3. 2007
I made a purchase with Google Checkout earlier this week and was really impressed with the user experience. While doing some research into using it, I found they are offering free checkout services until 2008. This seems to be a killer deal for budding businesses; setting up a merchant account and transaction fees are a considerable obstacle for new businesses.
It does however lack Interchange support. It is possible to use the basic embedded-in-page checkout with Interchange now, but this HTML option doesn't provide as nice of an experience for the user. It also requires more administration work as the retailer has to manually process orders using Google's checkout site. Building and contributing Google Checkout XML interface support for Interchange may be in my future.
Wednesday, February 14. 2007
When using scratchbox (a cross-compilation toolkit), be very careful when moving or deleting user data from the /scratchbox/users directory. There are hard links to /dev, /sys, and other important directories there after adding users. Recursive commands are extremely dangerous in these user directories. The LILO boot results at the left were caused after moving scratchbox into its own partition using recursive commands.
/scratchbox/sbin/sbox_umount_all is your friend.
Thursday, February 8. 2007
I have never had a good experience with S.M.A.R.T. (Self-Monitoring, Analysis, and Reporting Technology). It usually only reports the drive is about to fail after the drive has already failed and is completely unreadable. My latest drive failure is yet another case of this, but interesting in that this failure seems to have been quite easily predictable. The drive was obviously failing from the output of the S.M.A.R.T. monitoring system, with 197 new defects, and over 50 uncorrected errors. Yet the software in the drive still reports SMART Health Status: OK.
Monday, November 27. 2006
If your ethernet port is not working on OS X (it seems to be most common and/or only on the Intel Macbooks):
- Rename /Library/Preferences/SystemConfiguration
- Toggle a setting in the Network System Preferences panel
- Set up your network as desired and test it; the configuration should rebuild and your network should now work
A friend had this happen on his brand new Macbook Pro Core 2. However, it has never happened on mine. This may mean the software preload was bad, especially if this happens on a new machine, so doing an Archive and Install is probably a good idea.
Update: Further testing indicates this problem was caused by bad firmware on a SMC SMCGS16-SMART switch. The problem only occurred upon connection to this brand and model of switch, and was resolved permanently by upgrading the firmware in the switch from v.1.00.04 to v.1.00.06_16.
Tuesday, November 21. 2006
When configuring a third party router with Verizon.net DSL, the DSL modem may need to be reconfigured to bridged mode and the third party router configured to handle PPPoE instead of the provided DSL modem. I found this issue in particular with the Westell 6100 DSL modems Verizon is now issuing. An excellent resource in this case is this information on configuring the Westell 6100 in bridged mode; then follow the third party router's instructions for PPPoE. Note the <username>@verizon.net and password configured for e-mail is the same one needed for PPPoE.