2008-05-31

My QNAP took a dump

Filed under: Geekiness — iain @ 17:18:42

There I was minding my own business when my iMac suddenly complained that it had lost my home directory. At about the same time I began to hear an ominous clicking sound from the direction of my QNAP. After a few minutes this went away and was replaced by a loud beep. At that point the Mac popped back to life and I was able to ssh to the QNAP.

Rut roh! Looks like one of the disks in my RAID1 has croaked.

    SCSI error : <0 0 0 0> return code = 0x8000002
    sda: Current: sense key=0x3
        ASC=0x0 ASCQ=0x0
    Info fld=0xcbd60ed
    end_request: I/O error, dev sda, sector 213737708

    md: unbind
    md: export_rdev(sda1)
    raid1: Disk failure on sda4, disabling device.
    	Operation continuing on 1 devices
    RAID1 conf printout:
     --- wd:1 rd:2
     disk 0, wo:0, o:1, dev:sdb4
     disk 1, wo:1, o:0, dev:sda4

QNAP’s website says they will replace faulty kit free of charge so I hope to be back up and running properly again soon.

2008-05-24

Backdoor

Filed under: Rebecca in the UK — iain @ 12:06:12

Rebecca and I have a curious ritual whenever we leave the flat. Unless she’s taking (one of) her handbag(s) with her she will proudly announce that she isn’t carrying any money or her keys, presumably as a reminder to me that I need to make sure that I am. Of course she always waits until after we’ve left before saying this.

For my part, usually I say nothing. Sometimes I remark that it might be more helpful if she told me while we were still indoors. This time I was halfway through allowing the door to slam shut when I remembered that I had put my keys and wallet on my desk while changing trousers and had clean forgotten to pick them back up.

Luckily the flat is not entirely secure and has a backdoor. Or more precisely a back window. I was able to raise it high enough for Rebecca to clamber inside and safely retrieve the keys. And all without attracting the attention of the police.

2008-05-03

Solaris 10 LDAP client with TLS authenticated simple bind

Filed under: Geekiness — iain @ 18:39:37

/var/ldap/ldap_client_file needs to contain:

    NS_LDAP_AUTH= tls:simple
    NS_LDAP_CREDENTIAL_LEVEL= proxy

/var/ldap/ldap_client_cred needs to contain:

    NS_LDAP_BINDDN= 
    NS_LDAP_BINDPASSWD= 
    NS_LDAP_HOST_CERTPATH=

And here’s the non-obvious (and most important) step. You need to set up the above-referenced certificate store. Assuming your CA certificate is in /etc/sfw/openssl/certs/ca.crt and you set NS_LDAP_HOST_CERTPATH= /var/ldap (which is actually the default location), you need to do this:

    # certutil -A -a -i /etc/sfw/openssl/certs/ca.crt -n RootCA -t CT -d /var/ldap

{NS1}03eb2365be169abbe3a45088a10a

Filed under: Geekiness — iain @ 18:33:44

The Solaris 10 LDAP client stores its credentials in the file /var/ldap/ldap_client_cred. The password is hashed using NS1 format. The correct hash for your password is created for you when you use ldapclient to generate the configuration but if you simply wish to change the credentials without running that tool you have to jump through a few hoops.

One suggested solution is to find a Solaris 8 system and use the LDAP configuration tools from there, as one option allows you to dump a profile to stdout without applying it. This is a bit of a hassle if you have a Solaris 8 system and not much use if you don’t.

Now that Solaris is Open Source it’s much easier to create an NS1 hash. We can build our own tool straight from the horse’s mouth.

libsldap has the code we need. At the time of writing it’s available from the OpenSolaris project. Download the three files ns_internal.h, ns_sldap.h and ns_crypt.c. On a Solaris 10 system the ns_crypt.c file can be compiled without any changes.

    $ gcc -I . -c ns_crypt.c

On Linux we can make a few tweaks to the code in order to compile it.

  • In ns_crypt.c:
    • Comment out all lines referring to ns_crypt_lock.
  • In ns_internal.h:
    • Comment out the line #include <thread.h>.
    • Comment out all lines referring to thread_t.
    • Comment out all lines referring to mutex_t.
  • In ns_sldap.h:
    • Add the following lines above #include <stdio.h>:

          typedef unsigned int uint_t;
          typedef unsigned char boolean_t;
          #define B_TRUE 1
          #define B_FALSE 0

Now save the following as ns1.c.

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include "ns_sldap.h"
    #include "ns_internal.h"

    /* Non-zero when pwd lacks the {NS1} prefix, i.e. it is a cleartext password. */
    static int is_cleartext(const char *pwd) {
        return strncmp(pwd, CRYPTMARK, strlen(CRYPTMARK)) != 0;
    }

    int main(int argc, char **argv) {
        if (argc == 1) {
            fprintf(stderr, "Usage: ns1 <hash>\n");
            fprintf(stderr, "Usage: ns1 <plaintext>\n");
            exit(1);
        }

        /* evalue() from ns_crypt.c encodes a cleartext password; dvalue() decodes an NS1 value. */
        if (is_cleartext(argv[1])) printf("%s\n", evalue(argv[1]));
        else printf("%s\n", dvalue(argv[1]));
        exit(0);
    }

Compile ns1.c:

    $ gcc -I . -c ns1.c

And finally link the two object files.

    $ gcc -o ns1 ns1.o ns_crypt.o

You may need to add -lcrypt to the above on Linux.

With the tool we just compiled we can make some NS1 hashes.

    $ ./ns1 my_secret_password
    {NS1}c2ab9ff37b69c4b5a665a2b15d003bba0779
    $ ./ns1 {NS1}c2ab9ff37b69c4b5a665a2b15d003bba0779
    my_secret_password
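As the round trip above shows, an NS1 value decodes straight back to the password, so the contents of ldap_client_cred are only as safe as the file’s permissions. The following is an added example (not from the post or from libsldap) that parses the KEY= value layout of /var/ldap/ldap_client_cred from the two posts above, applies the same {NS1} prefix test as the ns1 tool’s is_cleartext(), and flags a file readable by group or other. The sample file contents are constructed; the encoded value is the one produced above.

```python
import re
import stat

CRYPTMARK = "{NS1}"  # prefix libsldap puts on an encoded bind password
KV_RE = re.compile(r"^(NS_LDAP_[A-Z_]+)=\s*(.*?)\s*$")

def parse_cred(text):
    """Parse the 'KEY= value' lines into a dict; blank and # lines are skipped."""
    creds = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = KV_RE.match(line)
        if m:
            creds[m.group(1)] = m.group(2)
    return creds

def is_cleartext(pwd):
    """Same test as the post's C is_cleartext(): no {NS1} prefix => cleartext."""
    return not pwd.startswith(CRYPTMARK)

def looks_like_ns1(pwd):
    """Marker plus a non-empty, even-length run of hex digits (the shape of the post's values)."""
    body = pwd[len(CRYPTMARK):]
    return (pwd.startswith(CRYPTMARK) and body != "" and len(body) % 2 == 0
            and all(c in "0123456789abcdefABCDEF" for c in body))

def audit(text, mode=None):
    """Return findings for one credential file; mode is an optional st_mode.
    NS1 is reversible (the post's ns1 tool decodes it), so the permission
    bits are what actually protect the proxy bind password."""
    findings = []
    pwd = parse_cred(text).get("NS_LDAP_BINDPASSWD")
    if pwd is None:
        findings.append("no NS_LDAP_BINDPASSWD line")
    elif is_cleartext(pwd):
        findings.append("bind password empty or stored in cleartext")
    elif not looks_like_ns1(pwd):
        findings.append("NS_LDAP_BINDPASSWD has {NS1} prefix but a malformed body")
    if mode is not None and mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("credential file readable by group or other")
    return findings

# Constructed sample contents; the encoded value is the one from the post.
SAMPLE_CRED = (
    "NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=example,dc=com\n"
    "NS_LDAP_BINDPASSWD= {NS1}c2ab9ff37b69c4b5a665a2b15d003bba0779\n"
    "NS_LDAP_HOST_CERTPATH= /var/ldap\n"
)
```

Against a real client, call audit(open(path).read(), os.stat(path).st_mode) with path set to /var/ldap/ldap_client_cred.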

2008-04-24

Shoulda listened to me…

Filed under: Rebecca in the UK — iain @ 11:47:39

Rebecca and I were on our way along the river bank when I pointed to a patch of vegetation and asked "Do you know what those are?"

She said "No."

"Those are nettles. We call them stinging nettles. If you touch them you will hurt your hand."

She nodded. I carried on walking.

A few seconds later I heard a high pitched squeal from behind me. Sure enough there she was nursing her hand and complaining that she "won’t try that again."

2008-03-14

The weather hates me

Filed under: Lotus — iain @ 12:38:51

Monday: Cycled to work. Sunny.

Tuesday: Cycled to work. Sunny.

Wednesday: Cycled to work. Sunny.

Thursday: Drove to work with the roof down. Rain.

Friday: Cycled to work. Sunny.

2008-03-04

Scripting Leopard LDAP

Filed under: Geekiness — iain @ 20:31:15

I already knew how to save the LDAP config back to the LDAP server and initialise a client using Directory Utility.app. That works well and is easy to understand. Unfortunately it requires using the GUI. It’s hard to script GUIs. I also already knew which files were changed when configuring DirectoryService so it shouldn’t be too hard to automate the process.

Configuring LDAP requires two steps. First you tell the DirectoryService LDAPv3 plugin about your server then you add LDAP to the search node list.

The first file edited is /Library/Preferences/DirectoryService/DSLDAPv3PlugInConfig.plist. It’s created whether you use the Advanced section of the GUI to configure the server manually or just pull everything from ou=macosxodconfig. Read the linked articles if the above makes no sense.

Simply copying a working configuration file from somewhere else is possible and in an environment with lots of identically-configured machines it may even be desirable. You may not necessarily want to do it, however, if you have other LDAP servers, NIS servers, OpenDirectory servers, Active Directory servers etc already configured on a particular machine. This was the case for my OS X Server machine, for example. Luckily we can script the addition of the LDAP profile.

    # dsconfigldap -a ldap.iain.cx

If you’ve already written the configuration back to the LDAP server, the above is all that’s needed to tell the workstation about it.

The second file, which determines whether or not the LDAP service is consulted for authentication, is /Library/Preferences/DirectoryService/SearchNodeConfig.plist. Because it’s a small file it’s easy to use Perl, cfengine or $YOUR_FAVOURITE_SCRIPTING_TOOL to add the correct lines viz:

    <key>Search Node Custom Path Array</key>
    <array>
            <string>/LDAPv3/ldap.iain.cx</string>
    </array>

    ...

    <key>Search Policy</key>
    <integer>3</integer>

Exercise for the reader: you could use defaults to do it.

It seems the Search Policy=3 section is needed to set a Custom search path (ie actually using the settings we’ve configured).

Aside: If your LDAP schema includes contact details you can also configure ContactsNodeConfig.plist in the same way.

Once the proplists have been edited you simply kill DirectoryService and wait for it to be automagically restarted. Everything should then Just Work!

To confirm this:

    # dscacheutil -configuration
    DirectoryService Cache search policy:
        /Local/Default
        /BSD/local
        /LDAPv3/ldap.iain.cx
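Here is the SearchNodeConfig.plist edit from the second step as a script, an added example rather than anything from the post. It uses plistlib, ensures the LDAPv3 node is in "Search Node Custom Path Array", sets "Search Policy" to 3, and only rewrites the file when something changed, so it is safe to run repeatedly from cfengine or similar. It assumes both keys live in the plist’s top-level dictionary (the excerpt above does not show the enclosing structure); the starting plist is a constructed minimal file, not a real Leopard one.

```python
import plistlib

CUSTOM_PATHS = "Search Node Custom Path Array"
SEARCH_POLICY = "Search Policy"
CUSTOM_POLICY = 3  # the value the post says selects the custom search path

def add_ldap_node(cfg, node):
    """Add node (e.g. "/LDAPv3/ldap.iain.cx") to the custom path array and
    force the custom search policy. Returns True if cfg was modified."""
    paths = cfg.setdefault(CUSTOM_PATHS, [])
    changed = False
    if node not in paths:
        paths.append(node)
        changed = True
    if cfg.get(SEARCH_POLICY) != CUSTOM_POLICY:
        cfg[SEARCH_POLICY] = CUSTOM_POLICY
        changed = True
    return changed

def patch_plist_bytes(data, node):
    """Apply add_ldap_node to a serialised plist; returns (new_bytes, changed).
    plistlib reads XML or binary input and writes XML, matching the post."""
    cfg = plistlib.loads(data)
    changed = add_ldap_node(cfg, node)
    return plistlib.dumps(cfg), changed

def patch_plist_file(path, node):
    """Edit the file in place, e.g.
    /Library/Preferences/DirectoryService/SearchNodeConfig.plist; only
    rewrites it when something changed. Kill DirectoryService afterwards."""
    with open(path, "rb") as f:
        data = f.read()
    new, changed = patch_plist_bytes(data, node)
    if changed:
        with open(path, "wb") as f:
            f.write(new)
    return changed

# Constructed starting point: a policy other than 3 and no custom paths.
SAMPLE_PLIST = plistlib.dumps({SEARCH_POLICY: 1})
```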

2008-02-24

All hail the drops

Filed under: Uncategorized — iain @ 15:18:44

This morning for the first time since Tuesday I woke up without my eyes feeling like they were full of grit. Even when they did over the past few days the myriad bottles of eyedrops helped. I felt physically tired all last week, though, so I’m hoping that will improve as well.

2008-02-20

Post-op

Filed under: Uncategorized — iain @ 21:47:04

As my man friday so insightfully points out, today is Wednesday, the day by which I promised to debrief my loyal readers should I have survived unscathed my date with destiny.

I have.

The operation itself was mostly painless. They stick a suction cup in your eye to hold it in place while the laser cuts open your cornea. The surgeon kept telling me to relax and look at the microscope while this was going on but my eye, quite involuntarily, wanted to blink and spasm when this happened. So he’s saying "relax, don’t blink" and I’m thinking "I’m not doing it deliberately" a few times over. No doubt they are used to the routine by now.

I could feel the laser cutting through but with the anaesthetic it wasn’t painful. More irritating, like being poked with a blunt stick. After that I felt nothing for the actual correction procedure. And saw very little. At first I thought that cutting open the cornea had perhaps blocked light from entering the eye at all as I literally couldn’t see anything but blackness. This was just the drops forcing my lids closed. When the nurse yanked them open for the second part of the procedure I could see well enough.

My vision was blurry afterwards but even walking (slowly) home the world around me just felt like it might be clearer if I hadn’t had a concoction of eyedrops floating around. As instructed I went straight to bed with my goggles on but I couldn’t sleep. An hour or so later I started to experience a fairly painful sensation in my eyes, as though I had been drinking all night and started rubbing my eyes with sandpaper. I’d been told to expect this and eventually it passed. My eyes were still very sensitive to light, though, and I wore my shades for the rest of the evening with all the lights off and Rebecca banished to the bedroom to study.

The biggest problem was boredom. I couldn’t watch TV. Of course I couldn’t read or go on the Wii. I tried going out for a walk but even with the shades on and keeping to the streets with the fewest lights it was still too bright so I decided to come home.

Finally I did sleep and I woke yesterday morning feeling very tired. My eyes felt very dry and it was a relief to apply some drops to them. Even then they were sensitive to light. I wore the shades most of the day, shedding them at last in the evening when this time I was able to venture outside.

It was a similar story today. A dry and unpleasant sensation in the morning which was relieved with the application of the drops. I walked to work with the shades safely tucked in my pocket and I was able to work although when six o’clock came round I was glad to be able to look away from the screen and head home. My pupils are still dilated but nowhere near as sensitive to light as over the past two days. The recovery is proceeding nicely, thank you very much.

2008-02-17

Laser vision correction

Filed under: Uncategorized — iain @ 20:36:43

I’m booked in for LASIK surgery tomorrow to correct my vision. This prompted Andy, the office joker, to crack wise throughout the week, calling me a variety of playground names such as Speccy and Four Eyes. This was on the basis that he only had six days left to do so. Of course neither he nor anyone else had felt the need to make such comments up until now but the old saying goes that you don’t know what you’ve got till it’s gone.

Needless to say it’s all in good humour and in fact Andy wears glasses himself. For now. He too is planning on having the treatment in the near future.

Assuming everything goes well I will be able to report on the procedure next week. If you don’t hear from me by Wednesday you are free to assume that it went horribly wrong, that I am now quite blind and this will have been my final journal entry.

