February 2010 Posts

Apple
When you work across multiple devices and multiple computers on a daily basis, keeping the information you expect to be there the same across all of them used to be a monstrous pain. This is where synchronization comes in. I have 3 “computers” I use every day: my iMac, my MacBook Pro, and my iPhone. On each of those computers, I have several programs that may need to access the same type of data.

Bookmarks are synchronized using Xmarks. This allows me to sync them across Safari, Google Chrome and Firefox. And because the bookmarks are synced to Safari via a background process, I can use MobileMe to sync them to my iPhone. All this happens in the background, without me having to think about it. I just add a bookmark somewhere, and minutes later it’s reflected everywhere else.

Email rules, accounts and signatures are synchronized via MobileMe and appear on all my computers and my iPhone. Contacts are synced via MobileMe and appear everywhere. Same with calendars, except calendars are the real win. I can make a calendar entry on my iPhone, and it’s instantly synced to my calendars on my laptop and desktop.

I have some files and programs that I need access to; I sync those with MobileMe across all my devices via iDisk. I can access those everywhere, even on my iPhone. I even created a directory in there called “Scripts”; with a change to my bash path on my Macs, any scripts I write are synced too.

And all this stuff happens more or less instantly and completely transparently to me, via the Internet and over the air for the iPhone. I don’t even have to plug anything in. It just happens. I can’t believe computers ever worked any other way, and there is no way I can do without it now. Xmarks is free. MobileMe is $99 a year, but totally worth it simply in the headache I save in not having to deal with disparate data spread over 3 devices.
Apache
In working on a side project with a few friendly developers, we decided to set up a Subversion repository and a Trac bug and issue tracker. Both of these, in normal setups, rely on HTTP authentication. So, being that we already had an authentication database as part of the project, my natural first thought was to find a way to authenticate Trac and Subversion against our existing MySQL authentication database rather than to rely on Apache passwd files that would have to be updated separately. Surprisingly, this was more difficult than it sounded.

My first thought was to try mod_auth_mysql. However, from the front page, it looks as if this project has not been updated since 2005 and is likely not being actively maintained. Nonetheless, I gave it a shot and, surprisingly, got it mostly working against Apache 2.2.14. Notice I said “mostly.” It would authenticate about 50% of the time, while filling the Apache error logs with fun things like:

```
[Sat Feb 13 11:11:27 2010] [error] [client -.-.-.-] MySQL ERROR: Lost connection to MySQL server at 'reading initial communication packet', system error: 0
[Sat Feb 13 11:11:28 2010] [notice] child pid 19074 exit signal Segmentation fault (11)
[Sat Feb 13 11:34:14 2010] [error] [client -.-.-.-] MySQL ERROR: Lost connection to MySQL server during query:
[Sat Feb 13 11:34:15 2010] [error] [client -.-.-.-] MySQL ERROR: MySQL server has gone away:
```

Rather than tear into this and try to figure out why a 5-year-old auth module isn’t working against far newer code, and with very little to actually go on, I just concluded that it wasn’t compatible and looked for a different solution.

That’s when I came across mod_authnz_external. If you’re not familiar with this module, what it allows you to do is auth against a program or script running on your system, therefore allowing you to auth against anything you want - a script talking to a database, PAM system logins, LDAP, pretty much anything you have access to.
All you have to do is write the glue code. In pipe mode, mod_authnz_external uses pwauth format, where it passes the username and password to stdin, each separated by a newline. It uses exit codes to report back to Apache whether or not the login was valid. Knowing that, it’s pretty easy to write a little script to intercept the username/password, run a query, and return the login result.

```php
#!/usr/bin/php
<?php
include "secure_prepend.php";
include "database.php";

// In pipe mode the username and password arrive on stdin, one per line.
$fp = fopen("php://stdin", "r");
$username = stream_get_line($fp, 1024, "\n");
$password = stream_get_line($fp, 1024, "\n");

// Look for an enabled user with matching credentials; both values are
// escaped before they are placed in the query.
// Note: the password is compared with the column exactly as stored. If the
// column holds a hash, hash the submitted password the same way first.
$sql = "select user_id from users where username='%s' and password='%s' and disabled=0";
$sql = sprintf($sql, $db->escape_string($username), $db->escape_string($password));
$user = $db->get_row($sql);

// Exit code 0 tells Apache the login is valid; non-zero rejects it.
if (!empty($user)) {
    exit(0);
}
exit(1);
?>
```

Then, you just hook this into your Apache config for Trac or Subversion:

```apache
AddExternalAuth auth /path/to/authenticator/script
SetExternalAuthMethod auth pipe

<Location />
    DAV svn
    SVNPath /path/to/svn
    AuthName "SVN"
    AuthType Basic
    AuthBasicProvider external
    AuthExternal auth
    require valid-user
</Location>
```

Restart, and it should be all working.

Some may argue that the true “right” way to do this is LDAP. But with just three of us, LDAP is overkill, especially when we already have the rest of the database stuff in place.

The big advantage to this, even over mod_auth_mysql, is the amount of processing you can do on login. You basically can run any number of queries in your authenticator script - rather than just one. You can update with last login or last commit date, for instance. Or you can join tables for group checking; say you want someone to have access to Trac, but not Subversion. You can do that with this.
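An added example, not code from the original post: a pipe-mode authenticator in Python that carries out the group check and last-login update described above, using a parameterized query and salted PBKDF2 hashes instead of comparing passwords in SQL. The in-memory sqlite3 database (a stand-in for the MySQL database), the table layout, the sample users and the service name passed as a command-line argument are all assumptions of this example.

```python
import hashlib, hmac, os, sqlite3, sys

ITERATIONS = 100_000  # PBKDF2 work factor (value assumed for this example)

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_sample_db():
    """Constructed sample data; in-memory sqlite3 stands in for the MySQL database."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT UNIQUE,
            salt BLOB, pw_hash BLOB, disabled INTEGER, last_login TEXT);
        CREATE TABLE user_services (user_id INTEGER, service TEXT);""")
    sample = [(1, "alice", "correct horse", 0, ["trac", "svn"]),
              (2, "bob", "tr0ub4dor", 0, ["trac"]),         # Trac only
              (3, "carol", "hunter2", 1, ["trac", "svn"])]  # disabled account
    for uid, name, pw, disabled, services in sample:
        salt = os.urandom(16)
        db.execute("INSERT INTO users VALUES (?,?,?,?,?,NULL)",
                   (uid, name, salt, hash_password(pw, salt), disabled))
        db.executemany("INSERT INTO user_services VALUES (?,?)",
                       [(uid, s) for s in services])
    return db

def authenticate(db, stream, service):
    """Pipe-mode check: username and password arrive one per line.
    Returns the process exit code: 0 = valid login, 1 = rejected."""
    username = stream.readline().rstrip("\n")
    password = stream.readline().rstrip("\n")
    # Parameterized query; the join enforces per-service access.
    row = db.execute(
        "SELECT u.user_id, u.salt, u.pw_hash FROM users u "
        "JOIN user_services s ON s.user_id = u.user_id "
        "WHERE u.username = ? AND u.disabled = 0 AND s.service = ?",
        (username, service)).fetchone()
    # Hash even when no row matched so both paths do similar work.
    user_id, salt, stored = row if row else (None, b"\0" * 16, b"")
    ok = hmac.compare_digest(hash_password(password, salt), stored)
    if row is None or not ok:
        return 1
    db.execute("UPDATE users SET last_login = datetime('now') WHERE user_id = ?",
               (user_id,))
    db.commit()
    return 0

if __name__ == "__main__":
    service = sys.argv[1] if len(sys.argv) > 1 else "svn"
    sys.exit(authenticate(make_sample_db(), sys.stdin, service))
```

With the sample data, bob is accepted for `trac` and rejected for `svn`, and the disabled account carol is rejected for both.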