WordPress LDAP auth on Ubuntu

I support too many servers and applications to manage separate user databases for each. LDAP is a must. If an application can’t hook up to LDAP, I don’t want it. WordPress can be configured to use LDAP, and has several different LDAP plugins. I’ve had mixed results with PHP LDAP plugins. I usually find that having the application trust Apache’s authentication, and attaching Apache to LDAP, gives better results in my environment.

Note that my WordPress installations usually have only one or two registered users. They are administrators. Most people cannot register. If you want to hook hundreds of LDAP users into WordPress, and manage them completely through LDAP, you’ll need to find an LDAP-specific plugin that meets your needs. In this environment, where I’m just looking for administrator password synchronization, it’s good enough.

This particular Web server runs Ubuntu 10.04 with Apache and WordPress 3.1. To enable LDAP auth in Apache, run:

# a2enmod authnz_ldap
# /etc/init.d/apache2 restart

On the WordPress side, install for the HTTP Authentication plugin. This tells WordPress to trust the Web server’s authentication.

WordPress won’t read a list of usernames from basic auth. You’ll need to create your users. (Again, this is for a couple of admin accounts, not for massive user databases.)

WordPress protects its administrative directory, /wp-admin/, automatically redirecting requests to the page wp-login.php. For this plugin to work, we must require LDAP auth to the one file wp-login.php. Here’s the Apache configuration for the WordPress directory.

Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all

AuthType Basic
AuthName "Web Admins Only"
AuthBasicProvider ldap
AuthLDAPURL "ldap://ldapserver1.domain.com/dc=domain,dc=com" STARTTLS
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off
require ldap-group cn=wordpressadmins,ou=groups,dc=domain,dc=com

Note that my LDAP servers do not require a LDAP login to validate a user. If yours do, you’ll need to add the username and password to this configuration.

Restart Apache, open a new browser, go to the site, and hit the Login button. You should get an Apache login window. Enter your username and password, and you’ll reach the WordPress control panel.

You’re now handing your LDAP username and password to WordPress. You do have WordPress available over SSL, don’t you? Configure Apache so that http://wordpress.domain.com is also available as https://wordpress.domain.com, and add the following near the top of wp-config.php.

//we like SSL
define('FORCE_SSL_LOGIN', true);
define('FORCE_SSL_ADMIN', true);

WordPress will now pass user credentials and cookies over SSL.

new personal Web site

Over the last fifteen years or so, hand-coded HTML has transformed from “how it is done” to “a baroque eccentricity” to “an amusing peccadillo” to “what is WRONG with you, dude?”

My personal Web site, http://www.michaelwlucas.com, has now been updated. It’s as boring as ever, except for the awesome art. Let me know if you see any problems. Those of you who prefer the old version can see it at www-old, but I won’t update it again.

Permalinks Updated

For an unrelated project, I learned how to make WordPress permalinks. I made that change on the blog this morning. My testing shows that they work, and that incoming links are redirected correctly.

If you should see a problem, please drop me a note.

New FreeBSD Installer test and walkthrough

For those who missed the announcement, FreeBSD 9 has replaced sysinstall with a new installer. It’s based on the PC-BSD installer’s back end and a text-based front end by Nathan Whitehorn. So, what is this new installer we’ve waited sixteen years for? I decided to find out.

As an official snapshot with the BSD installer isn’t yet available, I grabbed one of nwhitehorn’s recent snapshots. The back end is not integrated, but let’s see what the front end looks like. I assume there will be changes between this February snapshot and the next official snapshot. For my testing, I used a VM running Microsoft Virtual PC (for ease of screenshots) with ACPI disabled (so the install would finish).

Booting the image, I saw:

First Boot Screen
Select Install

A recovery shell and a live CD are great, but I want to install.

The next screen tells me to select a keyboard. By virtue of alphabetical order, the default is Armenian. When I arrow down to find the US keyboard, there’s several different options. I know exactly what kind of keyboard I have, it’s an Endurapro with the mouse pointer between the G and the H. But that’s not an option. Fortunately, I use a Dvorak layout, and that is an option.

I’m now asked for a hostname, and then allowed to choose optional components.

what optional parts to install
Distribution Choices

Of course I want source code!

I will miss the ability to choose “the smallest distribution possible,” but in reality, upgrading added the entire base system anyway.

Now we partition the disk.

Partition Methods
Partitioning Tools

Ooooh, a “guided” method. That sounds newbie-friendly. Let’s try that.

Use Entire Disk?
Conquer, or Divide?

We want to use the whole disk.


Wait a minute… where are /var, /tmp, /usr, and all the other partitions? Don’t tell me that one of the last survivors of proper partitioning is stumbling into the one large root filesystem trap? Ick. (I assume that the other partitioning methods will let you create proper partitions.)

Note that these are GPT partitions, not MBR partitions (slices).

Highlighting a partition and pressing ENTER shows details.

partition details
partition details

We can set a label in the installer, which is a nice feature. And it appears that two ESC takes you out of this submenu into the main menu. That seems odd, but perhaps it’s related to this being in Virtual PC. Arrow over to EXIT and hit ENTER to get the final confirmation screen.

are you sure?
you're committed now

“Are you sure?” Save and Abort aren’t exactly answers to that question – actually “save” is kind of ambiguous in this context. Save your existing data? Yes, we’re sure, choose Save. The filesystem is initialized:

newfs running

The installer verifies the files on disk and begins installing.

unpacking the archive
Oooh, a lock order reversal!

We must watch for a panic in the background, versus a simple lock order reversal. This is -current, either one can happen and both are displayed by default.

While watching this, I wanted to hit ALT-F2 and see just how well the ports were extracting. That’s apparently no longer an option.

After extracting everything, I was prompted for the root password, then for a network interface.

Choose Interfaces
Choose Interfaces

I took the default.

Yes, please

Why yes, I would like DHCP with my host, thank you.

Now I’m asked for the services I want enabled at boot.

just a few choices
services to start at boot

Compared to sysinstall there aren’t many choices, but I’m all right with being offered only the lowest common denominators. Far more vexing is how the network configuration gracelessly handled the unplugged network interface. While CTRL-L redrew the screen, a new link down message reappeared every second or so. I’d never tried Virtual PC before, and apparently I need to decipher the network configuration.

Once I choose the essential services, I’m asked if I want to add users. When I say yes, it drops me to text mode for the usual adduser(8) dialog.

adding our first user
adding a user, plus broken networking

All right, the network message is getting pretty annoying now.

After adding my user, I get the final screen.

Final Install Options
last chance to change things

You can change many of your optional settings, plus set the time zone. You get the usual warnings about removing the CD-ROM from the drive, and then reboot into the new install.

Overall, I like many of the changes. It doesn’t have many of the libdialog annoyances that plague sysinstall. I dislike the guided partitioning system, or more exactly the lack of actual partitioning therein. I do not want /tmp files filling my hard disk!

The good news is, with the separation between the front end and the back end, changing the installer will be much simpler than it ever was with sysinstall. For all the petty annoyances in this installer, it’s a big step in the right direction. I want to commend the creators for actually pushing Sysinstall Replacement Attempt #82,319 to completion.

[emerg] (13)Permission denied: couldn’t grab the accept mutex

I installed Apache on a diskless FreeBSD-9/amd64 server. Once I added SSL, the web server wouldn’t start. It died with:

[Mon Mar 21 15:37:16 2011] [emerg] (13)Permission denied: couldn't grab the accept mutex
[Mon Mar 21 15:37:16 2011] [emerg] (13)Permission denied: couldn't grab the accept mutex
[Mon Mar 21 15:37:16 2011] [emerg] (13)Permission denied: couldn't grab the accept mutex
[Mon Mar 21 15:37:16 2011] [emerg] (13)Permission denied: couldn't grab the accept mutex
[Mon Mar 21 15:37:16 2011] [emerg] (13)Permission denied: couldn't grab the accept mutex
[Mon Mar 21 15:37:17 2011] [alert] Child 1733 returned a Fatal error... Apache is exiting!

Google says that the fix for this is to define AcceptMutex flock somewhere in httpd.conf. Google shows dozens of mailing list discussions that give this advice, but without explanation. Every so often, someone whinges about it not working, and doesn’t get a response.

This is an example of what I call “Occult IT.” There are certain recipes that people just follow, without understanding why. We stumble around, grasping for invocations and incantations that will fix our problem. I don’t just want the ritual that will solve the problem; I want to know why the problem happened and deepen my understanding of the issue.

Besides, adding AcceptMutex flock didn’t work.

To identify the problem, I set LogLevel to debug in httpd.conf and tried starting httpd again.

[Mon Mar 21 16:03:18 2011] [debug] prefork.c(1018): AcceptMutex: flock (default: flock)

I didn’t have that configuration setting in my httpd.conf, but it’s the Apache default anyway. So, what are my other choices?

Apache documentation says that the AcceptMutex setting determines how Apache serializes incoming requests. The flock setting dictates how Apache locks the LockFile.

My configuration doesn’t have a defined LockFile, so choosing how we lock it isn’t going to help.

I don’t like lock files. Bad stuff happens to them. Let’s try a locking method without a lockfile. The documentation lists two different classes of locking mechanisms. flock and fcntl work on lock files. posixsem, pthread, and sysvsem use the in-memory mechanisms of semaphores and/or mutexes to provide locking.

As I don’t like lock files, I’ll try one of the in-memory mechanisms.

AcceptMutex posixsem

And Apache starts and runs perfectly.

I can’t find any details on the differences between these in-memory mechanisms, from a system administrator’s point of view. I imagine that the System V mechanism wouldn’t work if you’d removed that support from your kernel. But the point is:

Do not rely on occult IT. Read The Fine Manual.


Yes, The Great Committer was an April Fools’ gag. I didn’t expect anyone to actually believe it, but it gathered a few laughs, so I’m content.

Far more successful was the FreeBSD and NetBSD to merge gag that Dan Langille and I pulled back in 2003. The United Nations Fretbsd.org site has long since expired, but Dan archived it. (Eight years later, and I still giggle madly about the moose in that one.) That one actually sucked in a reporter from an reputable tech site, who pestered Dan and I for details all day.

John Baldwin really did surpass PHK’s commit total, however, and deserves credit for working so hard on FreeBSD. I heard from John on Friday, and while I’m not going to be so gauche as to copy his email here, I can honestly say that I am relieved that I did not displease The Great Committer.

FreeBSD Project Reorganization

I’m pleased to be the first to announce that the FreeBSD Project is reorganizing. This will appear on the FreeBSD home page next week, but journalistic ethics decree that I must act when I get a scoop.

FreeBSD has always been something of a meritocracy, where the respect given to committers is directly proportional to the amount and quality of code they commit. This is tracked in the commit statistics. For many years, Poul-Henning Kamp (phk@) was the undisputed leader, but in 2010 his total was exceeded by relative newcomer John Baldwin (jhb@). Baldwin’s commits show no sign of slowing, and if he continues at this pace, he will soon overtake the combined totals of Foundation President Robert Watson and embedded emeritus Warner Losh.

The FreeBSD Project has a variety of leadership roles and teams, such as the Core Team, the Ports Management team portmgr, and so on. These teams have helped FreeBSD’s broad developer base coordinate their efforts, work together, and streamline FreeBSD’s internal processes.

Effective immediately, all such teams are disbanded.

John Baldwin is to be henceforth known as The Great Committer. He alone will dictate the FreeBSD Project’s direction and where its resources will be allocated. All commits will be credited to The Great Committer, as all commits will touch his work in some way and hence would not be possible without His knowledge, experience, and all-around wisdom.

“It’s clear that our current model just doesn’t work,” said Robert Watson. “In the sixteen years the FreeBSD Project has existed, and the decades BSD had before it, we’ve had at least four distinct generations of leadership. We’ve developed processes for mentoring and grooming our own leaders, letting people move on when they wanted. Frankly, it’s a lot of work, and I don’t know how many more decades we could keep that up. The Great Committer won’t put up with that sort of churn, I’m sure. Once you’re a FreeBSD committer, you’re in for life. However long that is.”

“I’m really glad that The Great Committer has taken this step,” said Wilko Bulte, FreeBSD core team member. “People think that the FreeBSD Core Team made all these high-level decisions, when really we broke up fights and inducted new members. All that email and discussion took a lot of time. Now that The Great Committer has condescended to claim his rightful place, we can get back to doing what’s important — namely, doing everything we can to increase the already bounteous glory of The Great Committer.”

Security Officer Colin Percival said, “We’ve worked tirelessly to ensure FreeBSD’s security. I don’t even know how many man-months I’ve spent auditing code and investigating reports, let alone other members of the FreeBSD Security Team. But now, The Great Committer has decreed that FreeBSD is secure. All praise to The Great Committer!”

The Public FreeBSD Developer Track at BSDCan 2011 will now alternate between technical talks and praising The Great Committer. In addition to learning about exciting features such as Capcisum, attendees will practice making index-finger-and-pinky “Beastie Horns” to salute The Great Committer. Attendees will also witness the unveiling of the official The Great Committer banners, forty feet tall and hand-painted on silk.

No active OpenBSD developers could be bothered to comment, but Jason Dixon, OpenBSD slacker, stated “It’s about time the FreeBSD bums realized that they needed a benevolent despot. Maybe they’ll do something useful now.” A phone call to the NetBSD Foundation got a recording that the Board of Directors could be reached at the pub.

The FreeBSD Foundation is raising funds for a 200-foot golden statue of The Great Committer, to be erected near the University of California Berkeley campus. Its stern visage will remind the university denizens of their second-greatest three-letter claim to fame. The Great Committer has declared that there are no rumors that the statue’s eyes will be lasers that will automatically target users of lesser operating systems.

Meanwhile, The Great Committer has ordered that someone bring him a sandwich. And a beer. And Bill Gates’ lunch money.

You can contribute to the Foundation through DonateNow or in person at BSDCan. There’s no guarantee that the Foundation will use your particular donation to fund the statue, but they will assuredly use it for FreeBSD.

NOON UPDATE: It seems that The Great Committer has declared that HAMMER will be the new default filesystem.

New review of Absolute FreeBSD

There’s a new review of Absolute FreeBSD at the Java Users Group Lugano Web site. I can’t find a way to link to this particular review, so this link goes to the review page. I expect it will eventually scroll off the bottom.

I do try to batch reviews, but four years after the book hit the shelves, I think I’d have to wait quite a while for the next one.

While I’ve said that only silence or thanks is appropriate for a negative review, thanks are also appropriate for a positive review. Thank you, Celestino Bellone, for taking the time to write up your impressions.

Dealing with Negative Reviews

Pop quiz: what do you do when someone releases an excoriating online review about something you’ve sweated blood over?

a) Leave a vitriolic comment questioning the reviewer’s integrity and decency.
b) Leave a bitter comment calling the reviewer an idiot.
c) Leave a vengeful comment declaring war.
d) A, B, and C, with lots and lots and lots and lots of comments
e) Give up. Never do anything again.
f) Close your browser and get on with your life.

I thought most authors understood the best answer, but then I came across a review where the author not only responded, she melted down. Spectacularly. So I thought it might be worthwhile to say something about dealing with negative reviews of your work.

Remember, reviews are not for the author. They are for prospective readers. The reviewer is not claiming you are a bad person. He is stating that your work did not meet his needs, expectations, or standards. Most negative reviews of my work amount to “I don’t like the tone and attitude of this book.” That’s OK. I deliberately use that tone and attitude, in the belief that the number of people who will appreciate it exceeds the number of people it will annoy.

Sometimes, negative criticism is actually constructive. If I don’t learn from my mistakes, who will?

The correct response to a negative review is: silence.

An even better response would be to send the reviewer a two-sentence note: Thank you for taking the time to review my book. Sorry you didn’t like it, but I appreciate your effort. Sincerely, Your-Name-Here. But I’m not that good of a human being.

Nonfiction Tuckerization Auctions?

For centuries, authors have traded mentions in a book for cold hard cash. Today, this is most often done for charity, as a Tuckerization auction. As a BSD author, though, I think that there’s a way to put this to use to raise development money for various BSD projects. BSD always needs money.

When Absolute FreeBSD came out, the FreeBSD Foundation auctioned off the first copy off the press. It raised $600. I suspect that getting your name in the book, or being able to name something in the book, might raise more.

I’m considering hold an auction to, say, let a reader name something in a tech book: a server, a sample user, whatever. I’d mention their winner by name in the acknowledgments. The money would go to the project covered in the book, and I would ask someone from the project to run the auction. (I don’t want to go near that money, as I’d probably spend it foolishly, for food or shelter or soap.)

I’d need some basic rules — the desired name would have to get past my publisher, for example, so obscenities are out. You couldn’t blatantly insult people — while I’m fine with naming my example server LucasDroolz, I’m not comfortable using someone else’s words to abuse other people. When I insult someone, I want to do it personally.

Would this be a publicity stunt? It would be publicity, yes. But the real goal is to extract money from you and give it to a developer.

Of course, setting up such an auction would be time and expense. I’d risk my own time and expense on such an idea, but this would mean asking other people to do so as well. Therefore, my question for readers is:

Would you bid in such an auction? Given the cause, how much would you bid? Do you think it’s a stupid idea? I’m also open to suggestions on where to run such an auction. eBay has a charity option, but they still take a cut. I suspect there’s a better choice.

Please reply in the comments, not email.