James Sumners's questions

The authorization flow I'm trying to determine the possibility of is:

1. User goes to https://app.example.com/
2. app.example.com does not have a session for the user so it sends them to https://adfs.example.com
3. adfs.example.com does not have a session for the user
   • user does not have a session
     1. adfs.example.com acts as a SP and asks https://notadfsidp.example.com for authentication
     2. user has a session with notadfsidp so the are sent back to adfs as authenticated and in turn to app as authenticated
   • user has a session
     • user is redirected back to https://app.example.com as authenticated

Situation:

I have a "portal" that uses CAS to authenticate users. Due to circumstances beyond my control, the CAS server captures the user's credentials on login so that they can be used for SSO to various services (this is the wrench in the works). One, or more, of the services they can SSO to are backed by a local ADFS instance. Thus, the ideal situation is that when they go to one of those services the ADFS server can learn from the CAS server that they are logged in and the portal would not have to use their stored credentials to authenticate them with ADFS.

If the flow described above is not possible, is it possible to send the ADFS server some message that tells it the user authenticated elsewhere and they should get a session with the ADFS server?

Note: my knowledge of SAML is very limited and I have zero knowledge of administering an ADFS server (that's a coworker).

Edit #1: I need the authentication to be transparent. In other words, after the user has authenticated at notadfsidp any visit to adfs from app would not require the user to do anything.

Let's say I have an HTTP configuration block like so:

listen testing
  bind 1.2.3.4:80
  balance roundrobin
  use-server server1 if { urlp_val(force) eq 1 }
  use-server server2 if { urlp_val(force) eq 2 }
  force-persist if { urlp(offline) -m bool }
  cookie SRVID insert indirect nocache
  server server1 1.2.3.5:9000 cookie 1
  server server2 1.2.3.6:9000 cookie 2

Then, at some point, I disable server2 via the socket interface so that all connections to it are now forced over to server1. But server2 isn't really offline, it is just undergoing maintenance and it should be checked before being re-enabled. So requesting http://1.2.3.4/?force=2&offline=true should be proxied to server2. But that's not happening, it's being proxied to server1.

If I add option persist then persistence will stay and no one will be directed to server1 since server2 wasn't really unavailable.

How can I accomplish my goal of stopping automatically load balanced traffic from going to server2 but force conditional traffic to it when it is disabled?

I'm setting up a Puppet master server for the first time. It's configured to use environments:

/etc/puppet/puppet.conf:

[main]
environmentpath = /var/opt/puppet/environments
basemodulepath = /var/opt/puppet/modules

Whenever I install a module, puppet module install foo, it get installed into my "production" environment's module directory. What I want to happen is for the module to be installed to /var/opt/puppet/modules unless I specify an environment with the --environment switch.

How do I do that?

I'm looking to convert a Bind-DLZ based setup to a PowerDNS based setup. To do this, I would like to use the zone2sql tool that comes with PowerDNS. Sadly, this tool skips right over the DLZ defined zone in my named.conf. I have been searching for a script that will dump the DLZ database into traditional DNS files and a named.conf that references them, but have not had any luck.

Does such a tool exist? If so, would you be so kind as to link me to it?

I want to run script upon initial login over SSH that displays some helpful information to the user logging in. However, I don't want this script to run on every login. That is, if the user starts screen after logging in the custom "motd" shouldn't be run again (nor if subsequent screens are created). Of particular note, the script will need the user's final ENV to work correctly. Is this possible? If so, how do I go about doing it?

I have a server running Lighttpd with three user's serving domains from it. Each user gets their own PHP FastCGI process for serving PHP content across all of their domains. Lighttpd allows me to write the access log files for each domain to unique log files. I also want to write PHP errors to three different log files (one for each user).

Each PHP process is reading its own php.ini (this has been verified by viewing phpinfo() output). Each php.ini specifies the log file to which it should write. For example:

error_reporting = E_ALL & ~E_NOTICE
display_errors = 0
log_errors = 1
html_errors = 0
fastcgi.logging = 1
error_log = /var/www/vhosts/example.com/logs/php_errors.log

If I set fastcgi.logging = 1 then the PHP errors, for all three users, always go to Lighttpd's error log. If I set fastcgi.logging = 0 then the PHP errors get written to the system STDERR. In this case, I can redirect the STDERR for each FastCGI process to whatever file I like, but I loose time stamping on the errors (which is less than ideal).

So, how do enable proper error logging for my PHP FastCGI processes through Lighttpd?

I have just inherited a Subversion server that is a mess. I want to migrate to a new server with a saner file system layout. I figured a svnadmin dump and then svnadmin load for each repository would be sufficient. However, I have learned the repositories make use of svn externals, and mostly absolute externals. Is it possible to move repositories with externals to a new server?

My current configuration:

svn+ssh://subversion.example.com/var/svn/repoA
svn+ssh://subversion.example.com/var/svn/repoB
...
svn+ssh://subversion.example.com/var/svn/repoAA

The configuration I want to move to:

svn+ssh://vcs.example.com/var/repos/internalDepartmentA/repoA
svn+ssh://vcs.example.com/var/repos/internalDepartmentA/repoB
...
svn+ssh://vcs.example.com/var/repos/internalDepartmentB/repoA
svn+ssh://vcs.example.com/var/repos/internalDepartmentB/repoB
...
svn+ssh://vcs.example.com/var/repos/internalDepartmentC/repoA
svn+ssh://vcs.example.com/var/repos/internalDepartmentC/repoB

I am running Windows Vista Ultimate. I went to the add/remove Windows components tool and unchecked "Internet Information Services." However, when I access http://localhost/ the IIS 7 default page is still shown. I would expect no response.

I am trying to get screen to set my xterm title. I have this working outside of screen, but screen keeps whatever title was in place when I started it. Here is my .bashrc:

function bash_prompt_command() {
    # How many characters of the $PWD should be kept
    local pwdmaxlen=25
    # Indicate that there has been dir truncation
    local trunc_symbol=".."
    local dir=${PWD##*/}
    pwdmaxlen=$(( ( pwdmaxlen < ${#dir} ) ? ${#dir} : pwdmaxlen ))
    NEW_PWD=${PWD/#$HOME/\~}
    local pwdoffset=$(( ${#NEW_PWD} - pwdmaxlen ))
    if [ ${pwdoffset} -gt "0" ]
    then
        NEW_PWD=${NEW_PWD:$pwdoffset:$pwdmaxlen}
        NEW_PWD=${trunc_symbol}/${NEW_PWD#*/}
    fi

    export NEW_PWD
}

PROMPT_COMMAND=bash_prompt_command
# Color chart @ http://wiki.archlinux.org/index.php/Color_Bash_Prompt
case "${TERM}" in
    "xterm")
        TITLEBAR='\[\033]0;\u@\h > ${NEW_PWD}\007\]'
        PS1="${TITLEBAR}\[\e[1;32m\][\e[0;36m\]\u\e[1;32m\]@\e[1;33m\]\h\e[1;32m\]] \e[0;37m\]\${NEW_PWD}/ \e[1;32m\]\$ \[\e[0m"
        ;;
    "screen")
        TITLEBAR='\[\033]0;\u@\h > ${NEW_PWD}\007\]'
        ESC='\[\ek\e\\\]'
        PS1="${TITLEBAR}\[\e[1;32m\][\e[0;36m\]\u\e[1;32m\]] \e[0;37m\]\${NEW_PWD}/ \e[1;32m\]\$ ${ESC}\[\e[0m"
        ;;
    *)
        PS1="\[\e[1;32m\][\e[0;36m\]\u\e[1;32m\]@\e[1;33m\]\h\e[1;32m\]] \e[0;37m\]\${NEW_PWD}/ \e[1;32m\]\$ \[\e[0m"
    ;;
esac

And here is my .screenrc:

hardstatus alwayslastline
hardstatus string '%{= kg}[%{Y}%H%{g}][%= %{= kw}%?%-Lw%?%{=b kR}(%{W}%n-%t%?(%u)%?%{=b kR})%{= kw}%?%+Lw%?%?%= %{g}][%{Y}%l%{g}]%{g}[%{B}%m.%d.%Y %{G}%c%{g}]'

termcapinfo xterm|xterms|xs|rxvt ti@:te@
termcapinfo xterm 'hs:ts=\E]2;:fs=\007:ds=\E]2;screen\007'

altscreen on
shelltitle '$ |bash'

What am I doing incorrectly?

Update (19 August 2010): The problem is that you cannot update the terminal's title from within screen when you set alwayslastline. So my solution was to just give up and settle for a predetermined, useful, title for my screen sessions. My updated .bashrc and .screenrc can be found at http://bitbucket.org/jsumners/rcfiles/src.