Friday, September 20, 2013

TLS: warning: cacertdir not implemented for gnutls

I got this error recently while trying to use ldap utilities and libraries. In the debug output from an ldapsearch, I noticed the distinct error:
TLS: warning: cacertdir not implemented for gnutls
This warning appears when you use the TLS_CACERTDIR directive in your ldap configuration (ldap.conf or ~/.ldaprc). Googling for answers was somewhat fruitless; the first complaints about the problem date back many years. People said it happened when the openldap packages were compiled against GnuTLS instead of OpenSSL, because libldap's GnuTLS backend only knows how to load a single CA file (TLS_CACERT), not a hashed CA directory. The general consensus was therefore to not use that directive. Note that it is only a warning: the directory is ignored, and with the default TLS_REQCERT setting of demand the client then fails to verify the server and refuses to talk to it. That is the safe outcome, but not the one you want.

I didn't turn up anything about a fix. The current versions of the openldap packages are still built this way all these years later. Although I expected to fail (there had to be a reason no one had done this before, right??), I tried the obvious solution, rebuilding the packages against OpenSSL, and it worked.

$ mkdir /tmp/openldap
$ cd !$
$ sudo apt-get source openldap
$ sudo apt-get build-dep openldap
$ sudo apt-get install libssl-dev
$ sudo vim openldap-2.4.31/debian/configure.options

Change --with-tls=gnutls to --with-tls=openssl

$ sudo apt-get -b --no-download source openldap

Go have some lunch, mow the lawn, maybe a pub crawl. The incredible amount of hardcore testing that's been integrated into the build process is impressive, but it takes a while.

$ sudo dpkg --install ldap-utils_2.4.31-1ubuntu2.1_amd64.deb \
    libldap-2.4-2_2.4.31-1ubuntu2.1_amd64.deb \
    libldap2-dev_2.4.31-1ubuntu2.1_amd64.deb
$ ldapsearch -LLL -h ldap-server.example.com -D uid=andy,ou=foo,dc=example,dc=com -b dc=example,dc=com -ZZ -W uid=andy cn
Enter LDAP Password:
dn: uid=andy,ou=foo,dc=example,dc=com
cn: Andy Harrison

The other applications I was using that relied on the ldap libraries started working immediately as well.

Two caveats before you do the same. First, apt-get source and the build itself don't need sudo (only the dpkg --install does), and running them as root leaves you with a root-owned source tree. Second, and more important, these are now locally built packages: the next openldap security update from the distro will replace them with the GnuTLS build again, and if you put them on hold to prevent that, you stop receiving security fixes for libldap altogether. Either way you own the maintenance from here on, so note the version you built and rebuild when a new one lands.
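Two checks I'd want before (or instead of) rebuilding, as an added example that is not part of the original post: a function that tells you from ldd output which TLS backend your libldap actually links against, and the no-rebuild workaround, which is to concatenate the CA directory into a single bundle and point TLS_CACERT at it, since that directive works with both backends. The paths in the comments, the sample ldd lines and the certificate files used to exercise it are constructed for illustration and are not real certificates.

```shell
#!/bin/sh
# Added example, not code from the original post. Two checks a practitioner
# wants before rebuilding openldap: which TLS backend the installed libldap
# links against, and the no-rebuild workaround (a single TLS_CACERT bundle
# built from the directory TLS_CACERTDIR would have pointed at). The paths in
# the comments and all sample data are assumptions, not from the post.

# Classify the TLS backend from `ldd` output supplied on stdin, e.g.
#   ldd "$(command -v ldapsearch)" | tls_backend
# A libldap linked against GnuTLS is the one that ignores TLS_CACERTDIR.
tls_backend() {
    ldd_out=$(cat)
    if printf '%s\n' "$ldd_out" | grep -q 'libgnutls'; then
        echo gnutls
    elif printf '%s\n' "$ldd_out" | grep -q 'libssl'; then
        echo openssl
    else
        echo unknown
    fi
}

# Concatenate every PEM certificate in a CA directory into one bundle suitable
# for
#   TLS_CACERT /path/to/bundle.pem
# in ldap.conf or ~/.ldaprc. Prints the number of certificates in the bundle.
# Only BEGIN/END CERTIFICATE blocks are copied, so stray private keys or notes
# lying in the directory never end up in the trust bundle.
bundle_cacertdir() {
    dir=$1
    out=$2
    : > "$out"
    for f in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$f" ] || continue
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$f" >> "$out"
    done
    chmod 0644 "$out"
    grep -c -e '-----BEGIN CERTIFICATE-----' "$out" || true
}

# Usage (not executed here):
#   ldd "$(command -v ldapsearch)" | tls_backend
#   bundle_cacertdir /etc/ssl/ldap-cas /etc/ssl/certs/ldap-ca-bundle.pem
```

If the first function says gnutls, put TLS_CACERT /etc/ssl/certs/ldap-ca-bundle.pem (or wherever you wrote the bundle) in ldap.conf in place of TLS_CACERTDIR, re-run the ldapsearch with -d 1 and confirm the warning is gone and the bind succeeds. Checking libldap itself (typically /usr/lib/x86_64-linux-gnu/libldap-2.4.so.2 on a 64-bit multiarch system) rather than the ldapsearch binary gives the same answer with less noise from other libraries.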

Friday, August 23, 2013

Linux Mint Olivia - 1 week later...

A follow up to my last post Linux Mint 15 Olivia - Observations...

The Good

Xorg/KDE

Xorg has been working beautifully. No memory leaks. No squirrelly issues in performance or attitude. I haven't even had to blow away my $HOME/.kde/share/config/plasma* files even once!

Packaging

I think I finally started to make friends with the packaging system. The stock 'screen' package is left hamstrung with a MAXWIN value of 40. I can't live within the confines of only 40, so this was my catalyst for making this a priority and figuring it out. I finally found some decent docs so that I could download the src-deb, extract, fix, compile, repackage, install. Not only that, but there was another package I needed to tweak and it was super easy to download the binary deb file, extract, fix, repackage, install.

The Bad

Seriously?

Also thanks to the Mint team's priorities, I quickly noticed that after fixing your default search engine in Firefox, the search autocomplete is broken.
If Aerobie Inc. paid Tesla Motors to replace the steering wheel in their vehicles with an Aerobie, do you think they should do it? After all, Tesla needs the money, so shouldn't they do it? Because it's such a great idea to have the primary means by which you steer your vehicle be a product that people used to have a little fun with a long time ago. Not only that, but let's make sure that if people try to fix the mistake and switch to a real steering wheel, it won't turn all the way.
#FAIL

Other missing package nits...

The curl package isn't installed by default. Seriously. No, I'm not kidding.
Less ridiculous exclusions, things you can find in every other distro: no 'lynx' (which only old farts like me use anyway), no 'pcregrep' and friends, no 'mc' (again, an old fart utility) and no 'whois' (ok, I work at an ISP, obviously that would only be important to me).

Thursday, August 15, 2013

Linux Mint 15 Olivia - Observations

I've been an opensuse user for the last several years and usually really enjoy running it as my workstation's desktop operating system. But, as the 12.1 repos have started to unceremoniously vanish from existence, I've finally decided that enough is enough. I had been thinking about possibly another rpm based distro or even going in a completely different direction (like Arch) while avoiding any Debian based distro, but Mint has held such a commanding lead on distrowatch.com for such a long time, I thought it might be worth taking a look.

Here are some observations from the first few days.

The Good

Xorg

My Xorg memory leaks aren't present in this version. This represents about 1/3rd of the reason I started looking outside my normal opensuse comfort zone.

KDE

Mint's KDE 4.10 environment is fast. So far I haven't even gone in and shut off all the silly animations and junk. Normally, however slight the amount, these things interfere enough that it's obvious I'm spending time waiting for animations to draw when I could already have clicked on to the next step. The animations on Mint seem so well tuned that there's actually some benefit to having them enabled. Otherwise, the transitions are so fast you almost have to stop and evaluate whether you clicked something and an action actually took place.

VMware

VMware Workstation 9.02 installed and ran perfectly right out of the gate. Stock install, didn't have to go and fetch linux kernel header packages or anything.

aptitude

I missed aptitude. I gave Ubuntu (Kubuntu, specifically) a try many years ago and generally didn't like it. Traditionally I'm a Red Hat derivative guy, and moving to a Debian derivative was a little shocking. But aptitude was such a nice piece of curses based package management. I found myself opening a shell window to install packages instead of using the GUI package managers, and I may continue this with Mint.

repos

Speaking of aptitude, the stock set of repos with Mint are fairly well rounded.
When I go into the main Mint repo in a browser, I see the last 11 versions of Mint. This represents the other 2/3rds of the reason I'm giving up on opensuse. I'm incredibly sick and tired of having my repos dry up and vanish on me every couple of point revs. I'm done being forced to do a full OS upgrade of a perfectly working desktop just because someone's OCD is preventing intelligent repo management. The 'zypper dup' upgrades may work for some folks, but they never, ever, ever work as expected for me. Doing a 'zypper dup' is always an 8 or more hour ordeal for me.

Java

Java works a bit better. I work on a large amount of HP enterprise class hardware. Unfortunately, doing away with Java is not an option for me because of the iLO management interface. While not perfect, the Java support is definitely better and I can reasonably expect it to work when I open up a remote console window.

The Bad

Seriously?

Firefox default search engine is Yahoo. Google isn't even present as an option in the drop-down choices. This says a lot about Mint's priorities. Spoiler alert: it isn't you.

Let's all pretend VLAN's don't exist.

If your only network connection requires VLAN tagging, you will have *no* internet access during the installation.

The Network Settings panel hasn't the faintest hint of VLAN support (before or after installation). If your installation is already underway, maybe you can use your mobile phone to Google how to set up VLAN tagging. Otherwise, hopefully you looked up how to configure VLAN tagging before starting to install Mint. The process of configuring VLAN's is obscure and stupid, similar to an enterprise Linux distro, definitely not what you'd expect from a premiere desktop Linux distribution. And since VLAN's don't exist in Mint's world and consequently do not appear in the documentation, you'll have to take an educated guess on how to add them to the /etc/network/interfaces file. After you've finally figured out that the appropriate file to edit is /etc/network/interfaces, that is.

I tried setting my physical ethernet interface to "link-local" just to get it out of the way of my VLAN interfaces while keeping it active. This vaporizes the ability to configure your dns servers. Even if you had used the Network Settings panel to configure dns servers previously, it quietly deletes them and replaces them with opendns. On the plus side, the Network Settings panel doesn't complain if you set your ethernet interface to "manual" and then leave everything blank except the dns servers.

VLAN network interfaces *never* show up in the Network Settings panel. You're 100% command line and text file editing to manage your VLAN interfaces.
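Since the page offers no stanza to copy, here is one, as an added example that is not from the original post: a function that emits an 802.1Q stanza for /etc/network/interfaces, and one that brings the same tagged interface up immediately with iproute2, which is what you need inside the installer before that file exists. eth0, VLAN 100, the 192.0.2.0/24 addresses and the DNS server are illustrative assumptions; the vlan-raw-device keyword needs the vlan package installed on the target, and dns-nameservers is processed by resolvconf's ifupdown hook.

```shell
#!/bin/sh
# Added example, not from the original post. eth0, VLAN 100, the 192.0.2.0/24
# addresses and the DNS server are illustrative assumptions.

# Emit an ifupdown stanza for 802.1Q VLAN $2 on raw device $1.
# `vlan-raw-device` is handled by the ifupdown hook in the `vlan` package
# (install it on the target); `dns-nameservers` by resolvconf's hook.
# Arguments: raw-device vlan-id address netmask gateway dns-server
vlan_stanza() {
    raw=$1 id=$2 addr=$3 mask=$4 gw=$5 dns=$6
    cat <<EOF
# untagged parent: brought up, but carries no address of its own
auto $raw
iface $raw inet manual

# tagged interface; the name <raw>.<id> tells the vlan hook which id to use
auto $raw.$id
iface $raw.$id inet static
    vlan-raw-device $raw
    address $addr
    netmask $mask
    gateway $gw
    dns-nameservers $dns
EOF
}

# Bring the same tagged interface up right now with iproute2 (run as root),
# which is what you need inside the installer, where no interfaces file exists
# yet. Arguments: raw-device vlan-id address prefix-length gateway dns-server
vlan_up_now() {
    raw=$1 id=$2 addr=$3 plen=$4 gw=$5 dns=$6
    modprobe 8021q
    ip link set dev "$raw" up
    ip link add link "$raw" name "$raw.$id" type vlan id "$id"
    ip addr add "$addr/$plen" dev "$raw.$id"
    ip link set dev "$raw.$id" up
    ip route add default via "$gw" dev "$raw.$id"
    printf 'nameserver %s\n' "$dns" > /etc/resolv.conf
}

# Usage (not executed here). Inside the installer:
#   vlan_up_now eth0 100 192.0.2.10 24 192.0.2.1 192.0.2.53
# For the installed system (ubiquity typically mounts the target at /target):
#   vlan_stanza eth0 100 192.0.2.10 255.255.255.0 192.0.2.1 192.0.2.53 \
#       >> /target/etc/network/interfaces
```

Keeping the parent interface at inet manual is the point the post was groping for with "link-local": the untagged leg comes up so the tagged one can ride on it, but gets no address, no route and no DNS of its own, so nothing quietly replaces your nameservers.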

EFI (and GPT)

EFI support is terrible. Almost everyone's is, Mint's is just worse.

With EFI present, it is not possible to complete the installation without an internet connection. Period. Even if you open a shell and manually preinstall the necessary packages (which *are* present on the live iso), the installer is hard coded to download the EFI related packages from the online public repos. It never even bothers to check if those packages are already installed, nor does it try to install them from the iso. Since VLAN's don't exist in Mint's world, if your only network connection requires VLAN tagging, you're completely out of luck. For that matter, if for any other reason you don't have internet access during the install, you're completely out of luck if you booted from the EFI loader.

Also absent are GPT partition management utilities. In general, it seems like it would be best if you just didn't start the Mint install until you'd already burned a bootable image of Parted Magic in preparation for having to do any partition editing.

tail

During install, the tail command does not work at all. Nor does tailf. It shows you the last few lines of the file and then just sits there. I found a forum post where someone mentioned this issue a year (and a few Mint versions) or so ago with no response. I don't really like using less and its "F" function to follow files, but at least it works. (GNU tail follows files with inotify where it can, and on the live image's union filesystem those events may never arrive; tail ---disable-inotify, which falls back to polling, is worth trying before giving up on it.)

ssh

sshd host keys don't get generated. If you're expecting to immediately be able to ssh into your newly installed Mint host, forget it. The official way to fix this on a Debian derivative is sudo dpkg-reconfigure openssh-server (or ssh-keygen -A with OpenSSH 5.9 and later), which generates whatever host keys are missing. Fortunately I had saved my host keys from my last Linux desktop distro, so I just restored those right into place with no fuss.
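Here, as an added example and not part of the original post, is a small post-install check for the host keys: list which key types are missing, regenerate them, and print the fingerprints so you can record them before trusting the new host from another machine. The key directory is a parameter so the check can run against a copy; the expected key types (rsa, dsa, ecdsa) match the HostKey lines in the stock sshd_config of this era, so adjust to yours. If you restore keys from a previous install as the post does, remember that the private halves are secrets: copy them over a trusted channel and leave them owner root, mode 0600.

```shell
#!/bin/sh
# Added example, not from the original post: a post-install check for OpenSSH
# host keys. The directory is a parameter so it can run against a copy; the
# expected key types match the HostKey lines in the stock sshd_config of this
# era (adjust to yours).
HOST_KEY_TYPES="rsa dsa ecdsa"

# Print one line per key type whose private key is missing from $1
# (default /etc/ssh). No output means every expected key is present.
missing_host_keys() {
    dir=${1:-/etc/ssh}
    for t in $HOST_KEY_TYPES; do
        [ -f "$dir/ssh_host_${t}_key" ] || echo "$t"
    done
}

# Generate whatever is missing (run as root). `ssh-keygen -A` creates each
# default key type that does not exist yet and leaves existing ones alone;
# `dpkg-reconfigure openssh-server` does the same on Debian derivatives.
# `ssh-keygen -A` always writes under /etc/ssh, so this only takes the
# default directory; then tighten permissions on whatever is there.
ensure_host_keys() {
    if [ -n "$(missing_host_keys /etc/ssh)" ]; then
        ssh-keygen -A
    fi
    chmod 0600 /etc/ssh/ssh_host_*_key
    chmod 0644 /etc/ssh/ssh_host_*_key.pub
}

# Fingerprints to record out-of-band before you trust the host from elsewhere.
host_key_fingerprints() {
    dir=${1:-/etc/ssh}
    for pub in "$dir"/ssh_host_*_key.pub; do
        [ -f "$pub" ] || continue
        ssh-keygen -l -f "$pub"
    done
}

# Usage (not executed here):
#   sudo sh -c '. ./hostkeys.sh; ensure_host_keys; host_key_fingerprints'
```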

Minor missing package nits:

gnu screen
socat
kgpg

Some popular but missing packages...

Try installing taskjuggler. Go ahead. With no ruby knowledge. Just try it.
Despite the well rounded stock repos, once going outside their scope, I feel like I'm really up the creek. Being an rpm guy, though familiar with package management in general, normally I know exactly what to do in any situation. Everything from how to find the difficult-to-find packages, to porting source rpm files from other distros, to building my own packages from the spec up I have no problem handling. I've even automated building Solaris packages on my own. I'm no stranger to this. Yet every time I go looking for HOWTO docs on deb packages, I feel like I'm looking at VCR schematics when generally all I want to do is stop the time from flashing 12:00.

Saturday, May 25, 2013

Google Reader to TT-RSS - coping with 3rd party apps and services

Here's a guide to replacing Google Reader with Tiny Tiny RSS, with more detail on the greater tragedy (travesty?) of Google's continued bulldozing of open internet standards with the termination of Reader: the interaction with other services and software on which we used to depend. I'm starting with a couple of simple but important services, though I'd like to flesh this out over time.

Infrastructure

The problem we all face isn't installing the software (granted, TT-RSS is a non-trivial install, but I consider that to be outside the scope of this guide). The problem we face is the need for hosting. And most of the hosting solutions that will meet our needs require us to configure a hosted server of some kind.

My solution was to start with a Bitnami stack.  Specifically, I started with the LAMP stack.  However, the Bitnami portion of this process will soon become very simple. Tiny Tiny RSS won the regular contest Bitnami holds to decide on new stacks and is expected to be released soon.  Keep an eye on it here: http://bitnami.com/product/tiny-tiny-rss

Next, I signed up a free "developer" class account with Bitnami Cloud Hosting.

Bitnami will allow you to deploy your stack to the Amazon EC2 service automatically and provides documentation for getting your Amazon account set up and ready:  http://wiki.bitnami.com/Amazon_cloud/prepare_aws_account

If this is your first foray into AWS, the first year of your EC2 micro-instance is free.

Software

Now, onto the part where you actually use TT-RSS.


There are plenty of howto links around for installing TT-RSS itself, so I'll keep the redundancy to a minimum.  The official guide is over here: http://tt-rss.org/redmine/projects/tt-rss/wiki/InstallationNotes


The guide for how to set up automatic updating of your feeds: http://tt-rss.org/redmine/projects/tt-rss/wiki/UpdatingFeeds

I'm not going to bother with details on how I rigged this up in my Bitnami stack, as most of it will soon be moot with the introduction of the TT-RSS stack. If you're a good Linux user and you don't want to wait for the Bitnami release, here's the summary with no training wheels.

  • Run gnu screen.
  • I used /opt/bitnami/mysql/bin/mysql_setpermission to set up the tt-rss db and configure a user to be able to access it.
  • Extract the tt-rss source tarball into /opt/bitnami/apache2/html/ and rename directory to tt-rss.
  • Slurp in the mysql schema.
  • Configure tt-rss according to the install guide.
  • Because the update_daemon2.php script needs to be run as the daemon user, I added a minimal ~daemon/.bashrc (just the path from ~bitnami/.bashrc):
    • PATH="/opt/bitnami/memcached/bin:/opt/bitnami/varnish/bin:/opt/bitnami/redis/bin:/opt/bitnami/nodejs/bin:/opt/bitnami/mercurial/bin:/opt/bitnami/perl/bin:/opt/bitnami/git/bin:/opt/bitnami/nginx/sbin:/opt/bitnami/frameworks/laravel/app/Console:/opt/bitnami/frameworks/cakephp/app/Console:/opt/bitnami/frameworks/codeigniter/bin:/opt/bitnami/frameworks/symfony/bin:/opt/bitnami/frameworks/zendframework/app/Console:/opt/bitnami/sphinx/bin:/opt/bitnami/sqlite/bin:/opt/bitnami/apps/django/bin:/opt/bitnami/php/bin::/opt/bitnami/java/bin:/opt/bitnami/mysql/bin:/opt/bitnami/postgresql/bin:/opt/bitnami/apache2/bin:/opt/bitnami/python/bin:/opt/bitnami/subversion/bin:/opt/bitnami/ruby/bin:/opt/bitnami/common/bin:$PATH"
      export PATH
  • In another screen window, become the daemon user
    • sudo su - daemon -c bash
  • Run the update script.
    • cd /opt/bitnami/apache2/html/tt-rss/
    • ./update_daemon2.php

That's pretty much it.  Filling in the blanks is left to the more experienced user.

On to the more important pieces...

Exporting from Google Reader

Here is an excellent guide for how to export your Google Reader data:
How to painlessly export your Google Reader feeds

Importing your rss subscriptions to TT-RSS

Extract the file you downloaded from Google Takeout.  Inside, the important item is the subscriptions.xml file.  Log into your TT-RSS instance and go into Preferences, then click into your Feeds tab. Expand OPML, the 2nd accordion item. Click the Import my OPML button and select the subscriptions.xml file you extracted. If you're interested in preserving your starred items from Reader, expand Import starred or shared items from Google Reader, the last accordion item. Select the starred.json file you extracted and click the Import my Starred Items button.

Android

App

The official TT-RSS App has been under very active development and is maturing very quickly.  It's been perfectly stable and usable for me. The only downside is the lack of a launcher widget allowing you to read feed article titles right on your homescreen.

Widget

My solution for the lack of a widget is a little complicated, but it's working great. It's made possible because TT-RSS is not just a feed reader, it is also a feed publisher. In your TT-RSS instance, put the feeds you want to appear in your widget into a category.  I used Favorites as my category name. After you create and populate your new category, click on it.  Positioned underneath the Preferences link, you'll see Favorites and the RSS icon. Click directly on the RSS icon and it will pop up a long link.  Copy down this url, you'll need it later.

Next, install Simple RSS Widget.

Yahoo Pipes

You'll be feeding Simple RSS Widget from Yahoo Pipes.  Log into your Yahoo Pipes account and create a new pipe.

Since I have several feeds under my Favorites category in TT-RSS, I wanted to give each item title a little visual distinction so I would know from which feed the individual article came.  This made the Yahoo Pipe I created a bit more complicated than it needed to be, but the end result is exactly what I wanted.

From the Sources section, Drag out an Item Builder object.

I populated mine with the following attributes:

title = Favorites
description = Items from my Favorites category
link = http://pipes.yahoo.com/<username>/<placeholder>?_render=rss (replace this with the link to your resulting Yahoo pipe when you're done)
author = aharrison

From the Operators section, drag out a Loop object. Back under Sources, drag out a Fetch Data object and drop it in the middle of the Loop object you just dragged out. For the url, you're going to drop in the long url you copied earlier. However, you're going to modify the url. Your url will look something like:


http://my-ttrss-instance.bitnamiapp.com/tt-rss/public.php?op=rss&id=26&is_cat=1&key=abcdef1234568901234567890123456789012345

Modify it slightly:

http://my-ttrss-instance.bitnamiapp.com/tt-rss/public.php?op=rss&id=26&is_cat=1&format=json&view-mode=adaptive&key=abcdef1234568901234567890123456789012345


Add format=json&view-mode=adaptive (the only difference between the two urls) and leave everything else the same.  In the Path to item list field, type: articles

Also worth noting, if you're using https:// for your TT-RSS instance, you need to drop the s to allow Yahoo Pipes to hit your feed without SSL. Most likely this is simply because the default SSL certificates in your Bitnami stack are self-signed examples that Pipes won't trust. If you want Yahoo Pipes to be able to use SSL, you're probably going to have to buy your own certificate and rig it up inside your Bitnami stack. (If you really want to do this, here's an old guide that will help you get there: How to activate ssl / Security.) Be clear about what dropping the s costs you: the key= parameter is the only thing protecting that feed url, and over plain http it travels in the clear between Yahoo and your instance, together with the articles, so anyone on that path can read the feed and reuse the key.

Inside your Loop object, choose the radio button emit and the all dropdown choice.

Click and drag the bottom of your Item Builder object to the top of your Loop object to connect them together.

If you don't want to bother altering the item titles to reflect the feed, you can now connect the bottom of this Loop object to the top of the Pipe Output object and you're done.  If you also want the indication of which feed the item is from, proceed.

Drag out a Rename object.  Connect the Loop object to this new Rename object.

For the mapping, choose item.link from the field choices, then Copy As from the drop down, and type in the last field: titleprefix

Drag out a Regex object.  It should read:
In item.titleprefix replace ^http[:][/][/](.*?)[.](com|net|org).*$ with [$1]
Connect the Rename object to this new Regex object.

Drag out another Loop object. Connect the Regex object to this new Loop object.

Drag out a String Builder object and drop it in the middle of the new Loop object. Populate it like so:

  • item.titleprefix
  • <blank spot>
  • item.title

Grab another String Builder object, but this time, drop it outside the Loop object, not inside.
Inside the new String Builder object, just enter ' - ' (without the quotes).  That's a space, a dash, and another space.

From the bottom of this new String Builder object, click and drag to connect it to the little bubble to the right of your empty field inside your Loop object's String Builder object. Now in your inner String Builder object, instead of the empty field, it should turn gray and read 'text [wired]' because the empty field will now pull from the outer String Builder object sitting off to the side.

To finish with our Loop object, instead of the emit results radio button, choose the assign result to radio button and select item.title from the choices.

Click and drag from the bottom of this Loop object and connect it to the top of the Pipe Output object.

You're done creating your Pipe, so click Save and then go back to your pipes page.

Click on your new pipe.  Inside, you'll see a link Get as RSS. Right click it and copy it.

Edit the pipe you just created.  Remember back up in the Item Builder object where I said you'd replace the url?  Paste the url there.

Also, send this link to your Android device so that you'll be able to configure it there as well.

Take that link, and configure it inside the Simple RSS Widget you installed. Now when you drop the widget onto your homescreen, you'll see all of your favorite items.

I made an example of this pipe available for reference:
http://pipes.yahoo.com/ahinmaine/examplettrssfavorites

ifttt.com

Another frustration of the Reader retirement is all the awesome things you can do with your feeds at ifttt.com.  Fortunately, all is not lost. For example, I had an ifttt trigger to push any of my starred items to Pocket automatically. Instead, you can use the simple version of the above Yahoo Pipe example to accomplish the same thing. For your Fetch Data object, use this example url instead.

http://my-ttrss-instance.bitnamiapp.com/tt-rss/public.php?op=rss&id=-1&format=json&view-mode=adaptive&is_cat=&key=abcdef1234568901234567890123456789012345

Notice the id is -1, this automatically chooses your starred items feed. And instead of is_cat being 1, leave it blank.

Why the Pipes?

You may have already wondered, why would I use Yahoo Pipes to access feeds I've published in my TT-RSS instance rather than accessing them by my TT-RSS url directly?  Simple, if you have multiple apps and services polling your TT-RSS instance, this is going to greatly increase the amount of traffic to your EC2 instance. There are usage limits to these micro-instances and you'll hit them a lot faster if you let it get hit from lots of different sources. Yahoo Pipes is an effective way of keeping your costs down. For example, if your Simple RSS Widget is set to poll every 5 minutes, Yahoo Pipes is NOT going to hit your TT-RSS instance every time, it's just going to serve up the results since Pipes last polled it.

The Pipes Regex object

Yes, I know the regular expression I used for an article title prefix isn't very robust.  I'm lazily grabbing the hostname from the domain of the url of the feed. Improving the appearance of your feeds by having fun with Pipes is left as an exercise for the reader.
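Here, as an added example and not the original pipe, is the same title-prefix extraction done in shell with sed: first an approximation of the pipe's regex as written, then a version that accepts https, ignores ports and paths, drops a leading www., and copes with a few two-part public suffixes. The feed urls used to exercise it are constructed samples. Proper handling of every two-part suffix needs the public suffix list, which is well beyond what a Pipes Regex object should be doing anyway.

```shell
#!/bin/sh
# Added example, not the original Yahoo Pipe. Two ways to turn a feed url into
# the "[feedname]" title prefix the post builds in Pipes.

# Approximation of the pipe's regex:
#   ^http[:][/][/](.*?)[.](com|net|org).*$  ->  [$1]
# sed has no non-greedy match, so ([^/]*) stands in for (.*?). Lines that do
# not match (https, any other TLD) pass through unchanged, which is exactly
# the weakness the post admits to.
title_prefix_original() {
    printf '%s\n' "$1" | sed -E 's#^http://([^/]*)\.(com|net|org).*$#[\1]#'
}

# More robust: any scheme, host only (port, path and query dropped), leading
# www. stripped, then the registrable label. A handful of two-part public
# suffixes are special-cased; the full list is the public suffix list and is
# out of scope here.
title_prefix() {
    host=$(printf '%s\n' "$1" | sed -E 's,^[A-Za-z][A-Za-z0-9+.-]*://([^/?#:]+).*$,\1,')
    host=${host#www.}
    case "$host" in
        *.co.uk|*.org.uk|*.com.au|*.co.jp)
            host=$(printf '%s\n' "$host" | sed -E 's/\.[^.]+\.[^.]+$//') ;;
        *)
            host=$(printf '%s\n' "$host" | sed -E 's/\.[^.]+$//') ;;
    esac
    printf '[%s]\n' "${host##*.}"
}

# Usage (constructed urls):
#   title_prefix 'https://feeds.feedburner.com/SomeFeed'    -> [feedburner]
#   title_prefix 'http://news.bbc.co.uk/rss.xml'            -> [bbc]
#   title_prefix_original 'https://feeds.feedburner.com/SomeFeed'
#       -> the url, unchanged, because the original regex only knows http://
```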