
January 28, 2005

Federated Identity and Single sign-on

For quite some time we have been setting up a federated identity system for single sign-on to the web apps at work.

The way it works is that whenever you access a web app and you are not authenticated, you get redirected to a login server. There you choose which intranet you belong to: you click on your intranet's name, authenticate there, and are then redirected back to the web app you were originally trying to access. From then on, you can access all the other web apps that use the same system without further authentication steps. Authorization is also managed by the system, based on profile information that each intranet provides about its users.

This works very well: each intranet manages the permissions of its own users (distributed management), while enforcement stays centralized.
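To make the round trip above concrete, here is a toy version of the same redirect-based flow, added here as an illustration. It is not the system described in the post and not Shibboleth or SAML; the hostnames, keys and attribute names are made up, and assertions are HMAC-signed with keys shared between the login server and each intranet (a real deployment would use X.509 signatures). The web app redirects, the user's own intranet issues a signed assertion bound to that one web app, and the web app verifies issuer, signature, audience and expiry before it enforces authorization on the profile attributes.

```python
"""Toy redirect-based federated SSO: web app -> login server -> intranet ->
back to the web app with a signed assertion. Added example, not the
author's system; hostnames, keys and attributes are assumptions."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

LOGIN_SERVER = "https://login.example/"            # assumed URL
IDP_KEYS = {                                        # intranets the login server trusts
    "intranet-a.example": b"shared-key-for-intranet-a",
    "intranet-b.example": b"shared-key-for-intranet-b",
}
ASSERTION_TTL = 300  # seconds an assertion stays valid


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sp_redirect_unauthenticated(app_url: str, state: str) -> str:
    """Step 1 (web app): no session, so bounce the browser to the login
    server, carrying where to return to and a random state kept in the
    app's session so the answer can be matched to this request."""
    return LOGIN_SERVER + "?" + urlencode({"return_to": app_url, "state": state})


def idp_issue_assertion(idp: str, user: str, attrs: dict, audience: str, now: int) -> str:
    """Step 2 (the intranet the user picked): after authenticating the user,
    sign an assertion bound to exactly one audience, the web app that asked."""
    body = {"iss": idp, "sub": user, "aud": audience, "iat": now,
            "exp": now + ASSERTION_TTL, "attrs": attrs}
    payload = _b64e(json.dumps(body, sort_keys=True).encode())
    sig = hmac.new(IDP_KEYS[idp], payload.encode(), hashlib.sha256).digest()
    return payload + "." + _b64e(sig)


def sp_verify_assertion(token: str, expected_audience: str, now: int):
    """Step 3 (web app): look up the key of the *claimed* issuer, check the
    signature, then audience and expiry. Returns the body, or None."""
    try:
        payload, sig = token.split(".")
        body = json.loads(_b64d(payload))
        sig_bytes = _b64d(sig)
    except (ValueError, TypeError):
        return None
    if not isinstance(body, dict):
        return None
    key = IDP_KEYS.get(body.get("iss"))
    if key is None:                             # unknown intranet: nobody vouches
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig_bytes):
        return None
    if body.get("aud") != expected_audience:    # issued for a different web app
        return None
    if body.get("exp", 0) <= now:               # stale assertion
        return None
    return body


def authorize(assertion: dict, required_group: str) -> bool:
    """The app decides, but on profile data supplied by the user's own intranet."""
    return required_group in assertion.get("attrs", {}).get("groups", [])


def forge_escalation(token: str, groups: list) -> str:
    """What an attacker would try: rewrite the attributes, keep the old signature."""
    payload, sig = token.split(".")
    body = json.loads(_b64d(payload))
    body["attrs"] = {"groups": groups}
    return _b64e(json.dumps(body, sort_keys=True).encode()) + "." + sig


def sso_flow(app_url: str, idp: str, user: str, attrs: dict,
             required_group: str, now: int) -> bool:
    """Run the whole round trip for one user and return the access decision."""
    state = secrets.token_urlsafe(16)
    location = sp_redirect_unauthenticated(app_url, state)
    query = parse_qs(urlparse(location).query)
    token = idp_issue_assertion(idp, user, attrs, query["return_to"][0], now)
    if query["state"][0] != state:              # answer for some other request
        return False
    assertion = sp_verify_assertion(token, app_url, now)
    return assertion is not None and authorize(assertion, required_group)


if __name__ == "__main__":
    print(sso_flow("https://app1.example/", "intranet-a.example", "melo",
                   {"groups": ["admins"]}, "admins", int(time.time())))
```

The two checks that matter most in practice are the ones that are easy to forget: the audience check stops an assertion issued for one web app from being replayed at another, and looking up the key by the issuer named inside the assertion (rather than trusting any key that happens to verify) stops an intranet from vouching for users it does not own.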

Some weeks ago I found out about Shibboleth. It does exactly the same thing, so I'm looking into using their code to replace our half-baked solution. If you are interested in this kind of stuff, check out OpenSAML, and Ping Identity for commercial solutions with open source code. Also, a great article about identity by Doc Searls is up at Linux Journal.

Anyway, when I was reading through the Shibboleth docs, I started to think that, since I use my PowerBook, I've been doing single sign-on in almost every app I use and website I visit, without all this fuss about setting up a federated identity system.

The system Keychain of Mac OS X is a great solution. It stores all my logins and passwords for apps and sites, my ssh keychains, and the X.509 certificates I use for mail. It really works well, and I feel a lot more secure knowing that all my "stuff" is on my personal computer, where I'm the only one responsible for backups (which I do almost every week... :) ).

Kudos, Apple.

January 22, 2005

RSS your yum updates

If you like RSS and use Fedora Core 3, you can have the nightly yum update reports delivered to you via RSS.

The following setup requires:
- Fedora Core 3, or a yum that has the generate-rss command (check man yum);
- your mail is delivered via qmail;
- you can install .qmail files.

You could probably work around the last two. I might do that someday. For now, consider this a quick hack (it took me less than 20 minutes after I noticed generate-rss in the yum manpage :) ).

The setup is simple: each night, a cron job runs on each server and generates the RSS file. The file is then mailed to a special mailbox, where a filter picks the message up and places it on a public HTTP site. You then point your favorite RSS reader at that URL.

First I created an email address with a .qmail file in my home directory:

cat > ~/.qmail-yum <<'EOF'
|/home/melo/bin/convert_yum_rss_mails_to_http.pl
&youraddress@yourdomain.top
EOF

The second line should be a good email address. If something goes wrong in the script, it exits 0, so qmail continues with the next line and the message falls back to that address. At least you'll know that something has gone bad.

Then you place the Perl script in the correct place. You can download the convert_yum_rss_mails_to_http.pl script, or paste it:

#!/usr/bin/perl -w
use strict;

# Where to place RSS files? Should be available via Web
my $dir_for_rss_files = "/var/httpd/htdocs/yum_rss";
my $server;

# Read the mail headers; the blank line ends them
while (<STDIN>) {
  $server = $1 if /^Subject: Yum changes for (\S+)\s*$/;
  last if /^$/;
}

fallback('no_server') unless defined $server;

# The server name comes from the Subject of a mail that anyone who can
# write to this address controls, and it becomes a filename below. Only
# accept something shaped like a hostname, so '/' and '..' never get in.
fallback("bad server name '$server'")
  unless $server =~ /^[A-Za-z0-9][A-Za-z0-9._-]*$/;

my $filename = "$dir_for_rss_files/$server.xml";

umask(022);
open(my $rss, '>', "$filename.new")
  or fallback("could not create file '$filename.new'");
print {$rss} <STDIN>;    # the rest of the message is the RSS document
close($rss) or fallback("could not write file '$filename.new'");

# Rename is atomic: readers never see a half-written feed
success() if rename("$filename.new", $filename);

unlink("$filename.new");
fallback("could not rename file '$filename.new'");

# qmail exit codes, see qmail-command man page:
#   99 = delivered, stop processing the remaining .qmail lines
#    0 = continue with the next .qmail line (here: the fallback address)
sub success  { exit(99) }
sub fallback { my $m = shift; print STDERR "Err: $m\n"; exit(0) }

That's it. If something goes wrong, check your qmail-send logs. A message is written there.

Now you only need to generate the mails on each server. To do that download the script yum-rss-report.cron. It looks like this:

#!/bin/sh

/usr/bin/yum --rss-filename=/dev/fd/1 -R 120 -d 0 -e 0 generate-rss | \
/bin/mail -s "Yum changes for `hostname`" youraddress-yum@yourdomain.top

This command generates the RSS (the -R 120 makes each server wait a random amount of time, up to 120 minutes, so they don't all hit the repositories at once) and mails it to the address you set up before. Make sure you change the address in this script, and make sure you can receive mail at that address.

Then copy the edited script to all the servers that you want reporting to you. On each one, put the script in /etc/cron.daily and make it executable:

cp yum-rss-report.cron /etc/cron.daily
chmod 555 /etc/cron.daily/yum-rss-report.cron

That's it! Just subscribe to each server in your favorite RSS reader, and each morning you'll know which servers got upgraded and to which versions.
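The part of this setup worth getting right is the filter behind the `|` line, because anyone who can send mail to that address controls the Subject, and the Subject turns into a filename inside a web-served directory. Here is the filter step re-done in Python as an added example (not the author's Perl script) so the Subject parsing, the hostname check and the atomic write can be exercised on constructed messages. The directory path and the two sample mails are made up; the exit codes follow qmail-command(8), 99 meaning "delivered, stop here" and 0 meaning "go on to the next .qmail line", which is the &address fallback.

```python
"""The .qmail filter step re-done in Python. Added example, not the
author's script; RSS_DIR and the sample mails are constructed."""
import email
import os
import re
import sys
import tempfile

RSS_DIR = "/var/httpd/htdocs/yum_rss"   # assumed: a directory the web server serves
SUBJECT_RE = re.compile(r"^Yum changes for (\S+)\s*$")
# The Subject is attacker-controlled and becomes a filename under RSS_DIR.
# Accept only something shaped like a hostname, so '/' and '..' never
# reach the filesystem.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$")

EXIT_DONE = 99   # qmail: delivered, skip the remaining .qmail lines
EXIT_NEXT = 0    # qmail: continue with the next .qmail line (the &address)


def server_from_message(raw: bytes):
    """Return the validated server name from the Subject header, or None."""
    msg = email.message_from_bytes(raw)
    m = SUBJECT_RE.match(msg.get("Subject", ""))
    if not m or not HOSTNAME_RE.match(m.group(1)):
        return None
    return m.group(1)


def store_feed(raw: bytes, rss_dir: str = RSS_DIR):
    """Write the message body (the RSS document) to <rss_dir>/<server>.xml.
    Returns the path written, or None when the message is rejected or the
    write fails; the caller then lets qmail deliver the mail instead."""
    server = server_from_message(raw)
    if server is None:
        return None
    body = email.message_from_bytes(raw).get_payload(decode=True)
    if not isinstance(body, bytes):          # multipart or empty: not our report
        return None
    final = os.path.join(rss_dir, server + ".xml")
    # Temp file in the same directory plus rename: readers never see a
    # half-written feed, and a failed write leaves the previous feed intact.
    fd, tmp = tempfile.mkstemp(dir=rss_dir, prefix=".yum-", suffix=".new")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(body)
        os.chmod(tmp, 0o644)                 # readable by the web server
        os.replace(tmp, final)
    except OSError:
        if os.path.exists(tmp):
            os.unlink(tmp)
        return None
    return final


# Constructed sample messages, not captured mail: one legitimate report and
# one that tries to write outside the feed directory.
GOOD_MAIL = (b"From: root@web1.example.org\n"
             b"Subject: Yum changes for web1.example.org\n"
             b"\n"
             b'<rss version="2.0"><channel><title>yum</title></channel></rss>\n')
EVIL_MAIL = (b"Subject: Yum changes for ../../index\n"
             b"\n"
             b"<script>alert(1)</script>\n")


def demo() -> dict:
    """Feed both samples through store_feed() in a scratch directory."""
    scratch = tempfile.mkdtemp(prefix="yum_rss_demo_")
    good = store_feed(GOOD_MAIL, scratch)
    evil = store_feed(EVIL_MAIL, scratch)
    content = b""
    if good:
        with open(good, "rb") as f:
            content = f.read()
    return {"good": os.path.basename(good) if good else None, "evil": evil,
            "files": sorted(os.listdir(scratch)),
            "content_ok": content.startswith(b"<rss")}


if __name__ == "__main__":
    # As the .qmail '|' command: read the mail from stdin, answer via exit code.
    path = store_feed(sys.stdin.buffer.read())
    if path is None:
        print("Err: message rejected, leaving it for the &address line", file=sys.stderr)
        sys.exit(EXIT_NEXT)
    sys.exit(EXIT_DONE)
```

Run with the mail on stdin, exactly as qmail would call it; `demo()` shows the legitimate report landing as `web1.example.org.xml` while the traversal attempt is rejected and nothing else appears in the directory.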

I have some improvements to make to these scripts, but they are good enough for now.

Enjoy!

Upgrade to latest MT

I upgraded my aging 3.0D version of MT to 3.14.

If you notice any problems, please leave a comment.

I'll install some anti-comment-spam plugins in the next few days, not exactly sure which ones. More to follow on that.

January 21, 2005

Line noise

I was editing some Perl code and I needed to comment out the function I was working on, from the cursor till the end.

My editor of choice has been vim for quite some years now, so I typed this:

:.,/^}/-1s/^/#/

It never ceases to amaze me how line noise can be so productive and intuitive if you know your editor and your regexps.

January 15, 2005

The Macworld SF 2005 best of show

I've made a list of products I found interesting from several online sources. I used:
- the Best of Show listing of Macworld;
- all the Macworld articles about Macworld SF 2005;
- Alan Graham's list of cool products that he saw at Macworld SF and that didn't get mentioned in the mainstream media.

For future reference, if you ever need to give me a present, you can pick from the following list:
- Webstractor, an app to save entire web pages and much, much more;
- the FireWire-to-Ethernet repeater, just for the geek value;
- Phlink, the perfect match for the home Mac mini;
- TuneJuice, for using normal 9-volt batteries with your iPod;
- AirClick, another cool add-on for the home Mac mini;
- LaCie SilverScreen, a USB 2.0 external hard drive that can connect directly to your TV for MPEG-2 or DivX playback;
- Popcorn, a DVD copier software (not new, but updated);
- Solio, a solar-powered recharger for your iPod;
- EyeTV Wonder, another add-on for your Mac mini, this time a small PVR;
- Super DriveDock+, the best FireWire case for 3.5" IDE drives;
- Loop Backpacks, from Radtech, because I need to upgrade my backpack to one that holds a 17".

I already use the Webstractor software, it's great; and I'll probably order the Loop backpack soon.

The honeymoon is over

Apparently the honeymoon between Apple and HP is over. HP is to stop selling iPods.

We'll see what part of this report is true in the near future, I'm sure. I can't wait for the next issue of MDJ (which is the best newsletter about the Mac I ever saw, highly recommended).

Inside the Mac mini

I'm very interested in the Mac mini. I'm thinking of buying one as a gift for someone (I will not mention names, in case she's reading this...).

Anyway, I'm trying to find information about what parts can be changed without voiding your warranty. I don't mind if it's difficult, but I don't want to void the warranty.

I found an article with a summary of some of the internals, and an article with pictures of a disassembled Mac mini (although the first time I went there, the pictures were offline for some reason).

According to the first article, you can replace the memory and the hard drive, and even install AirPort Extreme and Bluetooth after purchase, all without voiding your warranty, although they don't recommend the last one (Wi-Fi and Bluetooth).

I'm trying to confirm this in a more official manner. We'll see.

January 13, 2005

An apple a day...

By now, both the Mac-savvy and Mac-envy worlds are in an intense battle about the Mac mini. It's a low-powered box with an old ATI 9200 graphics card that (until two days ago) was not listed in the future Core Image list of supported cards. The list is gone from the Apple site, by the way.

In spite of all this, I'm ordering one as a gift. It's just a no-brainer. It's cheap (cheaper than a high-end iPod) and will let me cut down on the family support calls for computer stuff.

It never ceases to amaze me how many people don't get a simple thing: not everyone is a top-end gamer who needs a super FSB with gigabytes per second of transfer rate. Yes, the Mac mini will not play Doom 3, at least not with the Doom 3 requirements published by Aspyr, but it will slice and dice your photos, it will burn your DVDs, and it will stream your music to your AirPort Express.

And, it will infect your brain.

There are always some things that you would like to be better. I would like a better graphics card (or at least assurance from Apple that it will support Core Image in Tiger), I would like the memory to be replaceable without going to an Apple Specialist (although you can argue that Apple is throwing them a bone: the retail stores are killing the Apple Specialist network, and this will give them some services to offer), and I would like a USB port on the front (but I totally agree that it would ruin the design).

I think that, if Apple can keep up with the demand, they will fly off the shelves.

And now in the local news: when will they get to Portugal? They will be launched on January 22, so I'm expecting to be able to buy one in February. And to put my money where my mouth is, I made a bet with Nuno: if a Mac mini is spotted on sale in Portugal before the last day of February, he will buy me lunch.