Goal is to set up private a SVN and Mediawiki accessible via SSL after user authentication only (on Ubuntu Linux). For authentication, the existing system users/groups should be used for both services, i.e. users in group svn should be permitted to access the SVN repository, users in group wiki are allowed to see and edit the Wiki.

Securing MediaWiki can be done using the HttpAuth extension. Here is the relevant configuration in LocalSettings.php:

session_start();
if ((!empty($_SERVER['PHP_AUTH_USER']) && !empty($_SERVER['REMOTE_USER'])) || $_COOKIE['fpwiki_en_UserID']) {
        require_once("$IP/extensions/HttpAuthPlugin.php");
        $wgAuth = new HttpAuthPlugin();
        $wgHooks['AutoAuthenticate'][] = array($wgAuth, 'autoAuthenticate');
}

$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['createpage'] = false;
$wgGroupPermissions['*']['createtalk'] = false;

$wgShowIPinHeader = false;

$wgHooks['PersonalUrls'][] = 'DisableLogout';

function DisableLogout(&$personal_urls, $title) {
  $personal_urls['logout'] = null;
  return true;
}

Of course, access to the Wiki has to be controlled in Apache:

<Location /wiki>
        SSLRequireSSL

        AuthType Basic
        AuthName "MediaWiki"
        AuthBasicProvider external
        AuthExternal pwauth
        Require group wiki
</Location>

See my notes on the setup of mod_authnz_external for user authentication. Don't forget to restrict access to /var/lib/mediawiki/config to localhost and specify parameters for mod_authnz_external so it finds pwauth

	AddExternalAuth pwauth /usr/local/bin/pwauth
	SetExternalAuthMethod pwauth pipe

Configuration of SVN is rather simple: put the following in /etc/apache2/mods-available/dav_svn.conf:

        SSLRequireSSL

        AuthType Basic
        AuthName "Subversion Repositories"
        AuthBasicProvider external
        AuthExternal pwauth
        Require group svn

Here are the relevant files. Use with care!

posted at: 21:33 | path: /configuration | permanent link

If you do, don't forget to

1. Add user www-data to group shadow (dangerous!)
2. Put directive AuthBasicAuthoritative Off in front of your AuthPEM stanza
3. Make sure to enable the module: a2enmod auth_mod_pam

posted at: 20:54 | path: /configuration | permanent link

Use the system users and groups for web authentication? Via PAM? Why is a simple thing so awkward and not directly supported by Apache?

Here is a critical essay describing PAM authentication via mod_authnz_external and pwauth. One has to compile pwauth on Ubuntu, though. I didn't test PAM but just went with /etc/shadow.

posted at: 20:53 | path: /configuration | permanent link

Install ssl-cert package and do

make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem

Want certificates valid longer than one month? Nope, look here, here (fixed for Ubuntu Intrepid), here.

posted at: 20:40 | path: /configuration | permanent link

Using NAT in VirtualBox guests is straightforward, but when you want to access a network service provided by the guest, some additional setup is required.

While everybody seems to follow a moderately complex host interface / bridging configuration, there actually is a slick alternative (described in the Virtual Box user manual): NAT with port forwarding. Use the following commands on the host to configure forwarding of host port 2222 to port 22 in the guest.

VBoxManage setextradata "Linux Guest" "VBoxInternal/Devices/pcnet/0/LUN#0/Config/guestssh/Protocol" TCP
VBoxManage setextradata "Linux Guest" "VBoxInternal/Devices/pcnet/0/LUN#0/Config/guestssh/GuestPort" 22
VBoxManage setextradata "Linux Guest" "VBoxInternal/Devices/pcnet/0/LUN#0/Config/guestssh/HostPort" 2222

"Linux Guest" is the name of the virtual machine, guestssh is just an identifier describing the service.

posted at: 20:27 | path: /configuration | permanent link

A PhD Comic featuring BG, home of the National Tractor Pulling Championships

posted at: 12:40 | path: /fun | permanent link

Going to Busan, South Korea in November hopefully.

posted at: 00:41 | path: /academic | permanent link

Nettes Programm im Mozarteum...

posted at: 00:40 | path: /fun | permanent link

The paper 'Watermarking of raw digital images in camera firmware: embedding and detection' got accepted at Pacific-Rim Symposium on Image and Video Technology 2009 (PSIVT '09).

Going to Tokyo in January...

posted at: 22:35 | path: /academic | permanent link

The following actually works with a Sony DR-BT10CX headset:

sox ~/bionicbabies_naked_on_the_ground_201791.mp3 -2 -s -B -t raw -r 44100 - | 
./a2play -v -i -r 44100 00:xx:xx:xx:xx:xx -

posted at: 22:30 | path: /projects | permanent link

The A2DP Bluetooth profiles allows to send audio between between two devices, eg. to allow streaming of music from a phone to a headset. The Linux PC can act as both, source and sink, and the Nokia 3500 (S40 platform, 3rd ed., feature pack 2) should be capable of both as well.

I'm using the old bluetooth-alsa stuff (a2play, a2recv), have not tried BlueZ's newer Bluetooth Audio support.

Nokia 3500 to PC works:

hciconfig hci0 class 0x200404
sdptool add A2SNK
./a2recv

However, PC to Nokia 3500 does not work (and the phone reboots when the stream is interrupted ):

sox squishysquid_no_more_lovesongs_201343.mp3 -t raw -r 48000 -B -s -2 -c 1 - | 
./a2play -i -d -m -r 48000 00:xx:xx:xx:xx:xx -

Found A2DP Sink
Product ID 0001:0039:0000
Found A2DP Sink at the destination
Connected [imtu 672, omtu 672, flush_to 65535]
Sent the Stream End Point Discovery Command
Got a Stream End Point Discovery Response
received 1 capabilities
SEID = 1
Requested Capabilities for SEID = 1
Got capabilities response
Sent set configurations command
Set configurations command accepted
Sent open stream command
Got open stream confirm
Connected [imtu 672, omtu 672, flush_to 400]
Sent stream start
Got start stream confirm
ending stream
Sent 1252 packets
Sent stream-close
Got close stream confirm
closing stream
closing control connection

I had to slightly modify a2play as the Nokia 3500 is very picky with regard to its capabilities (only one channel, only 48 kHz sampling rate, only allocation method 'loudness'; ie. it IMHO fails to implement the mandatory options). With a Jabra Bluetooth headset, I did have success a while a go.

posted at: 22:27 | path: /projects | permanent link