mod_auth_pam and LDAP

December 11th, 2002 | 09:55

I finally had to clean up LDAP authentication for Apache on the mail server. I had let it continue to use /etc/shadow for authentication for the past year, mainly because we didn’t have that many directories that were protected — the various IMAP clients auth’ed against IMAP, not HTTP. Clearly, over time the mail password stored in LDAP would get out of sync with the old password in /etc/shadow. I hadn’t switched over to LDAP because Rude Dog’s LDAP authentication module, shipped with Red Hat, causes Apache to segfault on startup. It’s not clear why this happens; it runs perfectly happily on the main web server, which is more or less identical to the mail server, at least in terms of Apache, libc, and so on. I’ve tried to fix it on and off without success.

The main change over the past few weeks has been the deployment of Mailman for list management, which features a web interface for most functions. All of a sudden, HTTP authentication on this box was used much more often. Combined with the password rot in /etc/shadow, people couldn’t log in to manage their lists.

I used mod_auth_pam with nss_ldap as the end-run around mod_auth_ldap. Apache consults PAM for authentication, which consults LDAP. This is working now, after many fits and starts.

At first, I could su successfully with LDAP authentication, but I needed an entry in /etc/passwd for that user, or else I’d see messages saying “Cannot find name for user ID” and “I have no name!”. HTTP authentication with mod_auth_pam didn’t work at all, even though it was clearly hitting LDAP and searching with the right filters. After much back and forth, compiling and recompiling, and changes to ldap.conf, nsswitch.conf, and pam.d/http, I was about to give up, but decided to make one more try in seeing why I was getting the “Cannot find name” message. It turned out that PAM was using an anonymous bind to query the uid, given the received uidNumber from a non-anonymous auth with the supplied credentials. I then remembered that I had turned off anonymous reads in the slapd ACL for most things.

After changing the ACL, the messages on the su cleared up, and, most importantly, Apache started authenticating successfully using mod_auth_pam.

Lessons? The usual one about reading logs carefully: if I had done so, I might have noticed the anonymous binds being attempted. I should have also tested PAM’s LDAP queries earlier using command line tools, which would have also shown the same problem. Another lesson might have to do with using mod_auth_pam instead of mod_auth_ldap: partial success with the former, as well as knowing that other people have gotten similar setups to work, kept me motivated to try different things. Mod_auth_ldap crashing out Apache on startup left few debugging avenues open to me, since I can’t rewrite the thing: if recompile after recompile with slightly different options failed to yield anything useful, I’m out of things to try.
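
The command-line test mentioned above, as an added example that is not part of the original post: it repeats the uidNumber-to-uid search once anonymously and once bound, and reports whether the ACL is what hides the answer. The server URI, base DN, bind DN and the sample LDIF are placeholders, and the search filter is an assumption about what nss_ldap sends.

```shell
#!/bin/sh
# Added example: does the directory answer the uidNumber -> uid lookup that
# NSS needs, when asked anonymously? LDAP_URI, LDAP_BASE and LDAP_BINDDN are
# placeholders; the filter is assumed to match what nss_ldap sends.

# The lookup behind getpwuid(): search by uidNumber, ask for uid.
# Extra arguments (e.g. -D "$LDAP_BINDDN" -W) turn it into a bound search.
uid_lookup() {   # usage: uid_lookup <uidNumber> [extra ldapsearch options]
    num=$1; shift
    ldapsearch -x -LLL -H "$LDAP_URI" -b "$LDAP_BASE" "$@" \
        "(&(objectClass=posixAccount)(uidNumber=$num))" uid
}

# Read ldapsearch -LLL output on stdin: "ok" if a uid value came back,
# "blocked" if the entry was hidden or returned without the attribute.
classify_lookup() {
    if grep -q '^uid: '; then echo ok; else echo blocked; fi
}

# Combine the anonymous and the bound result into a diagnosis.
diagnose() {     # usage: diagnose <anonymous result> <bound result>
    case "$1/$2" in
        ok/*)       echo "anonymous reads work; look elsewhere" ;;
        blocked/ok) echo "ACL hides uid from anonymous binds" ;;
        *)          echo "entry missing or filter/base wrong" ;;
    esac
}

# Constructed sample output (not from a real directory).
SAMPLE_VISIBLE='dn: uid=jdoe,ou=People,dc=example,dc=com
uid: jdoe'
SAMPLE_HIDDEN='dn: uid=jdoe,ou=People,dc=example,dc=com'

# Live check, only when a server and a uidNumber are supplied:
#   LDAP_URI=ldap://localhost LDAP_BASE=dc=example,dc=com \
#   LDAP_BINDDN=uid=jdoe,ou=People,dc=example,dc=com sh check.sh 1001
if [ -n "${LDAP_URI:-}" ] && [ -n "${1:-}" ]; then
    anon=$(uid_lookup "$1" | classify_lookup)
    bound=$(uid_lookup "$1" -D "$LDAP_BINDDN" -W | classify_lookup)
    diagnose "$anon" "$bound"
    getent passwd "$1" || echo "NSS cannot resolve uid $1"
fi
```

If anonymous reads should stay disabled in slapd, nss_ldap's ldap.conf accepts a binddn/bindpw pair, so the same lookup can run as a dedicated read-only account instead.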

Plaster Dust

December 9th, 2002 | 23:35

The ceilings have finally been redone. It took a couple of days longer than expected, but the doorman and his brother did a great job — the new ceilings in the bedroom and bathroom are perfectly smooth. They wound up removing the plaster from the entire ceiling, doing a skim coat, and then several layers of paint. I imagine it’s as good as it was four years ago, before the upstairs neighbor flooded her bathtub. Honestly, I don’t remember what it looked like then; the cracked and disintegrating plaster has been a part of the apartment almost as long as I’ve been there, and the holes had simply become features.

The problem now is the fine plaster dust that covers all the surfaces of the apartment, from the obvious floors and tables to the difficult to see legs of chairs. I’ve begun cleaning, and have made decent progress: the curtains have been washed for the first time since they went up, most of the furniture in the bedroom has been wiped down (though the tangle of computer cable needs to be rationalized, wiped, and plugged back in; the black power cables are now a shade of dusty gray), and the mattress and office chairs have been “steam” vac’ed (the Hoover Steam Vac Jr. just uses hot tap water, and doesn’t really make steam; it does a decent job of cleaning, though, judging from the color of the water in the disposal tank).

The mopping has been a failure. I’ve mopped the bedroom, the bathroom, the kitchen, and a good part of the living room. The wood floors, at least, are not convincingly clean. They look dusty, and I pick up the fine white powder when I run my finger across the boards. I have no idea how the plaster dust survived the mopping (hot water, Murphy’s Oil, and one of those sponge mops), but it has, leaving residue everywhere. Would scrubbing help? I’m not sure it would, as the dust doesn’t seem to be embedded in nooks and crannies missed by the mop — I can pick it up with my fingers. A different cleaning compound, that’ll bind better to the dust? Vacuuming? No ideas. Maybe electrostatically: Grace has Pledge Grab-It packets. We’ll try a few things over the weekend. Or, rather, I will, since she has to study and sleep.

I can’t help but think of the white dust covering New York last year. Cleaning was a monumental task, and I’m not sure how the people living in Battery Park City did it. The perceptions and emotions are, of course, wholly different: the white dust in my apartment is merely an obstacle to be tackled, a sign that my apartment is a bit nicer than it once was, or at least a necessary step in that direction. The powder that my fingers pick up is a puzzle for cleaning techniques, and only that.

Mailman and MHonArc

December 5th, 2002 | 16:51

Documentation for open source projects can sometimes be very finicky. Witness the missing HOWTO for integrating MHonArc, a mail-to-HTML converter, with Mailman, a mailing list manager, in the answer to the FAQ.

Since I’m migrating the work mailing lists from the no-longer-being-developed majordomo (which occasionally hangs sendmail), and since I’ve found Mailman’s pipermail to be grossly disk space inefficient, I have to get these two pieces working together. After that, I can point the namazu search engine at the archives, which will hopefully be nicer than htDig.

Fortunately, someone on the MHonArc mailing list kindly posted the configuration changes for Mailman to use MHonArc as the external archiver:

PUBLIC_ARCHIVE_URL = '/testarc'
PRIVATE_ARCHIVE_URL = '/testarc'
PUBLIC_EXTERNAL_ARCHIVER = '/usr/bin/mhonarc -add -outdir /var/www/html/www.cjc.org/testarc/%(listname)s > /dev/null'
PRIVATE_EXTERNAL_ARCHIVER = '/usr/bin/mhonarc -add -outdir /var/www/html/www.cjc.org/testarc/%(listname)s > /dev/null'

This works. Some notes:

1. The outdir/%(listname) has to be created, and owned by mailman. That’s relatively obvious, but I have to set up a mechanism to do this automatically on list creation.

2. I’m not sure what the trailing “s” after %(listname) does. Should look at Mailman docs more carefully.

3. Pipermail output directories can be removed. Mail is still appended to a big mbox file in the usual place, which is good.

4. I should set the outdir back to the old mail.randomwalk.com/lists location. Private lists can be protected using .htaccess files, as they were under majordomo and hypermail.

5. Transfer to MHonArc will probably be done as I’m upgrading to cyrus-imapd-2.0.17 tonight.

Alton Brown’s Baked Beans

December 5th, 2002 | 15:26

The Once and Future Beans
Recipe courtesy Alton Brown

1 pound dried Great Northern beans
1 pound bacon, chopped
1 onion, chopped
2 jalapenos, chopped
1/4 cup tomato paste
1/4 cup dark brown sugar
1/4 cup molasses
Vegetable broth
1/4 teaspoon cayenne pepper
1 teaspoon black pepper
2 teaspoons kosher salt

Heat oven to 250 degrees F.

Soak beans in a plastic container overnight in just enough cold water to submerge them completely.

Place a cast iron Dutch oven over medium heat and stir in the bacon, onion, and jalapenos until enough fat has rendered from the bacon to soften the onions, about 5 minutes. Stir in the tomato paste, dark brown sugar, and molasses.

Drain the beans and reserve the soaking liquid. Add the drained beans to the Dutch oven. Place the soaking liquid in a measuring cup and add enough vegetable broth to equal 4 cups of liquid. Add the liquid to the Dutch oven and bring to a boil over high heat. Add in cayenne, black pepper and salt. Give them a stir and cover with the lid. Place the Dutch oven in the oven for 6 to 8 hours, or until the beans are tender.

Yield: 6 servings
Prep Time: 30 minutes
Cook Time: 8 hours

John Rawls’s difference principle critiqued

December 3rd, 2002 | 13:20

Here’s a Slate article discussing Rawls’s difference principle, i.e.: economic inequalities are justified only if they benefit the worst-off members of society.

The primary problem with this principle, and how it’s derived from the “veil of ignorance” thought experiment, is that the actors are assumed to be totally risk averse (hence the maximin solution) and are prevented from knowing the probabilities of outcomes, so that they can’t make a choice based on expected utility. The economist John Harsanyi points this out, and comes up with his own thought experiment showing how absolute preference given to the worst-off actor leads to obviously uncomfortable results.

Yogurt 4

December 3rd, 2002 | 08:40

The fourth time through at making yogurt has gone without a hitch. The only failure has been the very first time, when I burned the milk, because I was using a cheap pan to heat the milk over the stove (the metal was too thin, and the bottom burnt well before the top had a chance to heat up). I’ve been using the microwave since then, sterilizing the milk directly in the yogurt making container. Ten or twelve minutes is enough. I bring the milk up above 200 degrees, which is probably overkill, actually. I should look up the kill temperatures for the unwanted bacteria.

I’m using a Salton 1 Quart Yogurt Maker, whose main function is to keep the mixture at 110 degrees so that the bacteria can do its work. The other piece of hardware is the digital thermometer. I’m using one with a Pyrex brand. Unfortunately, I’ve lost the instruction manual, and, while it does have an alarm, I have to monitor it myself, since I can’t get it to beep when the mixture gets down to a particular temperature. I’m sure it works fine when a mixture gets up to a temp.

The software is a quart of lowfat milk, some powdered milk (more protein to help stiffen the resulting yogurt), and half-a-cup of Stonybrook Farm plain yogurt, as the source of the live bacterial culture. At 110 degrees, everything takes about ten hours.

The resulting yogurt is a bit more liquid and creamy, less stiff, than Stonyfield Farm yogurt. They use pectin, which probably helps with the texture. Also, I think they drain off most of the liquid whey, which should tighten the remaining yogurt. I’m trying a new thing with this batch of yogurt, where I drained off some of the whey after I transferred the mix from the Salton container to a clean one-quart soup container for fridge storage. This was fairly easy: I folded a paper towel a couple of times to get a 4-fold thickness, held it to the container by hand, and just poured. The yogurt is only at 110 degrees, so holding it is no big deal.

The yogurt gets mixed with various fruit jams for actual eating. Either that, or I use it in cooking, such as pancakes. This isn’t hard at all, and the main nuisance right now is my inability to get the digital thermometer to beep correctly, so I don’t have to keep looking at the temperature every few minutes.

Keyless Entry Mystery

December 2nd, 2002 | 23:40

There’s a mystery about the radio/keyless entry/alarm. The alarm seems to be third party, and is tied to a keyless entry system. The remote has two buttons, and says “Prestige” on it. I don’t see a model number beyond that, just some FCC number for it being a radio transmitter. I apparently can look up the manufacturer at the FCC web site, and then go from there. The goal is to figure out what the second button does, and get a duplicate remote.

From a stock radio placement document, I see that the radio would have been tied into the keyless entry as well as (for some stupid reason) the ceiling dome light, if these were stock parts. Thankfully, they’re not, as I’m replacing the radio with the Sony CD/MP3 player. If the keyless entry were stock, then I’d have to keep the stock radio, hiding it inside the dash; such a kludge. The two different wiring harnesses suggest that the previous owner must have done something with the wiring, some sort of splice, as well as something to bypass the ceiling dome wiring. This is OK, since we can still use the third-party keyless entry, and the extra wiring harness should be useful to the new radio. I assume both connectors work.

So, the previous owner must have done a fair amount of internal wiring for the aftermarket alarm system, as well as the keyless entry. Well, maybe not that much, since all the locks are powered, and presumably you just wire the alarm system with the lock switch, and, voilà, keyless entry. All without wiring through the radio.

Solaris Kernel tuning references

December 2nd, 2002 | 13:24

Some documents on tuning the Solaris kernel, mainly through entries in /etc/system.

http://www.princeton.edu/~unix/Solaris/troubleshoot/kerntune.html
http://docs.sun.com/db/doc/806-7009/6jftnqsie?a=view

Taxonomy

December 1st, 2002 | 09:13

Egads! Asian taxonomy.

As a side note to the current car entertainment, this is where I first encountered the term “rice” as it applies to cars, but the term didn’t sink in, and I didn’t realize how it would apply to me in the near future.

As a further aside, while hanging out on Thanksgiving, we went to the old standby, the White Castle on Bell Boulevard. There, we saw these three Korean kids (notable, because they spilled a big soda all over themselves), and, later, we saw what had to be their car in the lot: a Honda Civic, yellow, with Chinese character decals on the windows next to some web site sticker, tailfin, and, I think, a large muffler. Yes, they were archetypes from the taxonomy.

In Stereo

November 30th, 2002 | 22:07

The existing stereo in the car has to go. It’s the stock Honda one, a simple tape deck with a radio, and it doesn’t work very well. We’re replacing it with a Sony CD/MP3 player rather than the Jensen I mentioned earlier. The Sony should have better quality; the Jensen had one review on Amazon which basically tore it apart. I picked up the Sony at www.etronics.com, which had the cheapest price on a comparison site.

The main trick will be putting the new stereo in nicely. I found some instructions on how to remove the stock radio from a Honda Civic, 1996-2000. Much of the dash has to be taken apart, but it shouldn’t be that bad, since it looks like it’s just screws and plastic tabs. Here’s another site, which looks like it might be more detailed. This was referenced on the Honda newsgroup, but I haven’t taken a look at it yet.

My main fear is that the clowns/previous owners damaged the cabling harness. The current stereo cuts out, and requires some jiggling to get it to work again, meaning that there’s a loose wire in there someplace. I’m hoping it’s in the stereo itself rather than the car’s wires. I think they had some fancy stereo, which they hooked up to their big speakers in the back (the subwoofer is gone, but the wires are clearly there), and replaced it with the old Honda one when they sold the car. There’s some RCA jacks that pop out of the console right underneath the lever that opens the hood, so god knows what they did to the wiring. Hopefully, the other end of the RCA jacks are hanging forlornly in the console someplace, rather than spliced stupidly into the wiring. There are also two 16-pin connectors that hook into the stereo, a wide one and a narrow one. The old stereo was hooked up using the wide one. If the old stereo’s problems are due to the connector, hopefully it’s the wide one, and I can still use the narrow one. Just speculating. I’m not sure how much of a pain it’s going to be to redo all the wiring.

Oh, Jack noticed the tint film on the front passenger side had peeled a bit in one corner because of the shlocky job they did. In an act resembling the peeling of labels off beer bottles, the tint film was gone within minutes, leaving thin traceries of glue on the window. These should go away with a little acetone or ammonia, and there’s much, much more light in the car. The other tint films were better applied, so we’ll need more effort. The most annoying and hazardous tint is on the rear window, since, near dusk, it makes cars very hard to see.