OpenVPN on Microsoft Windows has a problem with the TAP-Win32-Adapter driver used for the tunnel. The device needs to be deactivated/reactivated after a Windows restart before any connection can be established. In this article I present a very simple script and solution for automating this process.
System Administration
Gentoo: MySQL and PHP Charset Problems
At the moment, Gentoo is experiencing several inconsistencies and problems with character sets between MySQL and PHP. This is primarily caused by MySQL-4.1 now being upgraded from 4.0 without warning or user interaction, which usually breaks existing extended characters: MySQL now stores every dump from former databases as UTF-8, which is still badly supported by PHP.
For many PHP web applications which experience problems with extended characters (like umlauts, accents, …), the following hack might help.
- Locate the file where the mysql database connection is opened.
- Add the following commands after opening the database connection:
mysql_query('SET character_set_client=latin1');
mysql_query('SET character_set_results=latin1');
mysql_query('SET character_set_connection=latin1');
This makes the connection and the result set use latin1 instead of UTF-8. For performance reasons, the data in the database should then be stored as latin1 as well.
According to messages in the Gentoo Forum, the developers have now released an ebuild for PHP (both 5.x and 4.4.2) that respects character-set settings in my.cnf in a section specifically for PHP (still in unstable). You should use the sections [php-cli], [php-cgi] and/or [php-apache2handler]. Unfortunately I have not yet had time to test this.
Out of /dev/random?
Ever happened to run out of random numbers?
Well, if you are using Apache together with mod_ssl you can easily run into the situation that after starting up Apache, requests to it block for up to several minutes or time out. This happens if Apache is configured to use /dev/random as the source for the random numbers required during the initialisation of mod_ssl and similar modules, and too little entropy is left for the generation of these more secure random numbers.
As suggested in a Gentoo Forums article, you can emerge the tool sys-apps/rng-tools, which provides rngd, a daemon that collects entropy from hardware random number generators and feeds /dev/random with this data.
If you happen (like me) not to have a hardware random number generator on your server’s mainboard, rngd will use /dev/urandom as a source of entropy and mix it with entropy collected from your system. While this does result in a certain drop in the “randomness” of /dev/random, it still has the major advantage of reducing Apache’s startup time to a few seconds, as /dev/random no longer blocks.
Don’t forget to add rngd to your server’s default runlevel (rc-update add rngd default).
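One way to check whether a given Apache configuration is affected, added here as an example and not part of the original post: it lists the active SSLRandomSeed directives that read from the blocking /dev/random device and prints the kernel's current entropy estimate. The configuration lines are constructed sample input.

```shell
#!/bin/sh
# Added example (not from the original post): find SSLRandomSeed directives
# that make mod_ssl read the blocking /dev/random device, and report how much
# entropy the kernel currently estimates it has available.

# Constructed sample of an Apache ssl.conf fragment, used here as test input.
SAMPLE_CONF='SSLRandomSeed startup file:/dev/random 512
SSLRandomSeed connect builtin
# SSLRandomSeed startup file:/dev/urandom 512'

# Print every active (non-comment) SSLRandomSeed line that seeds from
# /dev/random. "startup" seeds run once when Apache starts, which is
# exactly where the multi-minute blocking described above happens.
find_blocking_seeds() {
    printf '%s\n' "$1" \
        | grep -v '^[[:space:]]*#' \
        | grep -i 'SSLRandomSeed' \
        | grep -E 'file:/dev/random([[:space:]]|$)'
}

# Bits of entropy the kernel estimates it has (Linux only); prints
# "unknown" elsewhere. On kernels of that era /dev/random readers block
# whenever this value runs low.
entropy_avail() {
    if [ -r /proc/sys/kernel/random/entropy_avail ]; then
        cat /proc/sys/kernel/random/entropy_avail
    else
        echo unknown
    fi
}

main() {
    n=$(find_blocking_seeds "$SAMPLE_CONF" | wc -l | tr -d ' ')
    echo "SSLRandomSeed directives reading /dev/random: $n"
    find_blocking_seeds "$SAMPLE_CONF" | sed 's/^/  /'
    echo "entropy_avail: $(entropy_avail)"
}
main
```

Run it against your real configuration by replacing SAMPLE_CONF with `$(cat /etc/apache2/modules.d/41_mod_ssl.conf)` or wherever your distribution keeps the mod_ssl settings.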
Windows 2003 Server as NTP client
Our Windows 2003 Server refused to sync its clock via NTP. The main reason for this behaviour is that, as PDC, it wants to adjust the NTP server’s clock as well, which is normally not permitted by the NTP server, so the packet is discarded.
To change the preferred server of the Windows Time service (w32time), follow these steps:
w32tm /config /manualpeerlist:<server>,0x8 /syncfromflags:MANUAL
w32tm /config /update
net time /querysntp
w32tm /resync
(source: Meinberg Funkuhren – FAQ – “Windows synchronisiert nicht mit NTP”, i.e. “Windows does not synchronise with NTP” (German))
Apache: Force SSL for a Directory Using .htaccess and mod_rewrite
To force SSL on a given directory using .htaccess, use the following code. It requires mod_rewrite to be enabled in Apache. Adjust the host in the RewriteRule to match the fully qualified URL of the HTTPS domain.
RewriteEngine On
RewriteCond %{SERVER_PORT} !443
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]
Bugzilla: Active Directory Integration
As you might have guessed from previous posts, I’m currently in the process of implementing a single-sign-on scenario within our network. Or, at least, I’m trying to have one single username/password combination for all internal services. Authentication is therefore realized against an Active Directory, based on a Microsoft Windows 2003 Server.
For integration of Bugzilla into the Active Directory, see this link (Update: Link is broken, for an archived version, use this link, thanks to the commenter!).
TikiWiki and Active Directory Integration
If you want to authenticate TikiWiki against Microsoft Active Directory, have a look at this article.
The most interesting part of that posting is that if you are using a Windows 2003 Server, you need to patch LDAP.php in the PEAR authentication module, as Win2k3 by default does not allow anonymous queries against the directory.
In <tikiroot>/lib/pear/Auth/Container/LDAP.php search for the following line in function _connect():
if ((@ldap_bind($this->conn_id)) == false) {
and replace it with
if ((@ldap_bind($this->conn_id,"someuser","somepassword")) == false) {
Note that someuser is in the form of user@domain.tld.
I also recommend authenticating your admin user against the internal database and not the LDAP (AD) container; otherwise you can easily lock yourself out.
Changing MSDE Authentication Scheme After Installation
If you are using Microsoft SQL Server 2000 Desktop Engine (MSDE 2000) you are supposed to decide whether you are going to use “integrated Windows authentication” only or “mixed mode authentication”. The latter is sometimes considered less secure, but if you are developing ASP.NET applications it can be easier to use a non-NT user for the connection.
If you ever tried that you are surely familiar with the “login is not associated with a trusted connection” exception when trying to access the database. Today I had to install an ASP.NET application on a server with MSDE where mixed mode authentication was not available. A quick search on the net revealed a blog entry describing how to change the authentication scheme of MSDE after the installation.
- Stop the MSDE service.
- Open the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\MSSqlserver\MSSqlServer (for unnamed instances) or HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft SQL Server\Instance Name\MSSQLServer\ (for named instances).
- Change the value LoginMode to 2.
Contrary to a comment on that page, the value 0 will not work (at least it didn’t in my case).