Friday, January 11, 2013

Setting (Long) Expiry Date for IPA User Passwords

I use Identity, Policy, Audit (IPA) to provide authentication services to my oVirt and Red Hat Enterprise Virtualization environments. By default IPA not only forces passwords for all user accounts to expire at relatively frequent intervals but makes it difficult to turn this behaviour off.

Future versions of IPA are slated to make this functionality configurable on a more granular level but in the meantime here is how I configured all (existing) users in the system to have a password expiry date some time in 2037:
  • Obtain a Kerberos ticket for the administrative user.
$ kinit admin
  •  Generate an ldif file containing directives to change the krbpasswordexpiration value for each user.
  • You can use the following script to do this by changing the elements in bold to match your environment.

USERS=`ldapsearch -Y GSSAPI -b "cn=users,cn=accounts,dc=example,dc=com" | grep -o 'uid=[a-z]*' | cut -f 2 -d '='`

touch ./krbpasswordexpiration_all.ldif

for USER in ${USERS}; do

    cat >> ./krbpasswordexpiration_all.ldif <<DELIM
dn: uid=${USER},cn=users,cn=accounts,dc=toner-ipa,dc=usersys,dc=redhat,dc=com
changetype: modify
replace: krbpasswordexpiration
krbpasswordexpiration: 20371231011529Z



  • Use ldapmodify to log in as the directory manager and run the ldif file to apply the modifications. You will be prompted to enter your directory manager password to complete this step.
$ ldapmodify -x -D "cn=directory manager" -W -vv -f update_krbpasswordexpiration_all.ldif 



Tuesday, March 13, 2012

AQEMU Now Packaged for Fedora

It has taken some time but my AQEMU package has been accepted by the Fedora Project.

    "AQEMU is a GUI to the QEMU and KVM emulators, written in Qt4. The program has a user-friendly interface for setting the majority of QEMU and KVM options."

It is an open source project started by Andrey Rijov and while a little rough around the edges a viable alternative to virt-manager, particularly for KDE Users.

The packages currently exist in the updates-testing repositories for Fedora 15, Fedora 16, and the yet to be formally released Fedora 17. To install the package on your chosen Fedora release run:

    # yum install --enablerepo=updates-testing aqemu

If you want to help speed up the process for getting AQEMU into the stable repositories be sure to test the package(s) and login to Bohdi to add karma!

Thursday, November 24, 2011

Testing oVirt Engine on Amazon EC2

Red Hat recently launched an open source virtualization management project called oVirt. This project is based on the source code for their Red Hat Enterprise Virtualization product, including a new web administration interface that will appear in a future release.

Building and deploying the oVirt is, at the moment, quite time consuming. To give people an opportunity to quickly get an instance up and running to have a look at the new user interface I thought I would provide an Amazon Machine Image (AMI) for use on Amazon's EC2 service.

Note that the image is for the oVirt Engine portion of the project only and consists of a very early build of the oVirt code and is not intended for anything other than testing and development use.

The image currently exists in us-east-1a region (Virginia) and identifies as ami-07438b6e and its name is oVirt Engine Appliance. When launching an instance based on the image ensure that you choose an instance type of m1.large or above to ensure enough RAM is available.

You must also use a security profile that allows access to the following ports:
  • 22
  • 8080
  • 8443
As always when using a public image on Amazon EC2 you should also take care to ensure that they are secure. Once the image is running you can view the new web administration by accessing:


The default user is admin with password letmein!. If you intend to leave the instance running then you must change this.

Obviously this image is not a long term solution for creating an oVirt environment with hosts attached on which you can launch virtual machines, but I thought it might assist people with seeing what all the fuss is about!

Thursday, November 3, 2011

Installing OwnCloud on Openshift Express PaaS

Updated Friday May 25th to cover OwnCloud 4!

OpenShift Express is a free Platform as a Service (PaaS) solution provided by Red Hat. It allows developers to quickly and easily deploy their applications on cloud servers while Red Hat handles the management overhead.

Currently OpenShift Express supports applications created in a number of languages including PHP, Java, Ruby and Perl. As well as allowing developers to quickly and easily deploy their own applications OpenShift provides an easily accessible test bed for off the shelf open source web applications.

I am going to demonstrate quickly setting up OwnCloud. OwnCloud is a project aimed at providing users with the same abilities as many commercially backed personal clouds but with the ability to deploy it anywhere you choose.

Today our infrastructure of choice is provided by OpenShift but an OwnCloud installation can just as easily exist or be moved to a virtual private server, or the machine in your basement.

Register and Obtain Client Tools

Register With OpenShift Express, the registration page is available from As part of the sign-up process you will also be prompted to create a key and install the client tools for OpenShift Express.

Create a Domain

If you did not do so during registration then you need to create an OpenShift domain. At the time of writing each user is permitted one domain name and five applications. The URLs for your applications will take the form:


The rhc-create-domain tool is used to create a domain, providing a name for the domain and your OpenShift login credentials:

$ rhc-create-domain -n <domain_name> -l <login>

The tool prompts you for your password and, assuming it isn't already taken, creates the domain.

Create the Application
Before you can deploy OwnCloud you must create a stub application in the format that OpenShift understands. OpenShift adds application support for programming languages, frameworks, and even databases based on 'cartridges'.

Because OwnCloud is written in PHP we will be using the php-5.3 cartridge to create the application. Then to provide MySQL support we will also add the mysql-5.1 cartridge.

Use the rhc-create-app tool to create the application, providing a name for the application and your OpenShift login credentials. You will also need to provide the password associated with your key, created during registration, to complete application creation.

Note that by default the local copy of the application is created in your current working directory. This is where you will update and deploy your application from.

$ rhc-create-app -a <application_name> -l <login> -t php-5.3

Now use the rhc-ctl-app to add MySQL support.

$ rhc-ctl-app -a <application_name> -l <login> -e add-mysql-5.1

Be sure to take note of the Root User, Root Password, Database Name, and Connection URL of the database.

Install OwnCloud

Change into the directory that was created when you ran rhc-create-app. This directory contains a number of files and directories:
  • .openshift/
  • deplist.txt
  • libs/
  • misc/
  • php/
Check the README file for a full explanation of what each of these is for. For now we will be concentrating on deploying OwnCloud into the php/ subdirectory.

Change into the php/ subdirectory, download and extract the OwnCloud2 source tarball.

$ wget -O owncloud-4.0.0.tar.bz2
$ tar -xf owncloud-4.0.0.tar.bz2 --strip-components=1
$ rm owncloud-4.0.0.tar.bz2

Now our local copy is ready to deploy to the OpenShift Express servers. OpenShift Express uses git to facilitate version control and deployment. To deploy we must:
  • Add the new files to our commit, ensuring the .htaccess file is also added:
    • $ git add * .htaccess
  • Commit the new files, entering a commit message when prompted:
    • $ git commit
  • Push the commit to the remote server:
    • $ git push
Now, access your application in a web browser at the address of the form:


The OwnCloud setup wizard will appear.

Enter a Username and Password for your OwnCloud administration account. Remember that this application is running on the public internet and therefore must have a secure password.

Click Advanced and select MySQL as the storage engine. This enables a number of additional options.

These options should be set as follows:
  • The Data folder should be set to '../../data'. This folder is the location of the persistent data storage for an OpenShift Express application.
  • The Database user must be set to the database username as returned when adding the MySQL cartridge.
  • The Database password must be set to the database password as returned when adding the MySQL cartridge.
  • The Database name must be set to the database name as returned when adding the MySQL cartridge.
  • The localhost value must be replaced with the appropriate host as returned when adding the MySQL cartridge. This will be in the form of an IP address, the protocol and port information can safely be discarded.
Once you are satisfied with the values entered, click Finish Setup.

Assuming all has gone well you will be logged into your newly created OwnCloud installation running on OpenShift Express!

For some hints on what you can actually do with it, see:

Thursday, September 8, 2011

Changing the Primary Display in GNOME 3

I recently ran into a problem with GNOME 3 and my external monitor. GNOME 3 defaulted to displaying notifications and the activities overlay on what I consider to be my secondary monitor.

Investigating the graphical display configuration tools I was unable to find an option to change this. Luckily xrandr supports the setting of the primary display and GNOME 3 appears to take heed of it. To change primary display:
  1. Run xrandr to list available displays.
  2. Run xrandr --output <display> --primary to set the primary display.
In Fedora 15 the xrandr command is provided by the xorg-x11-server-utils package.

Update: Another viable solution has been posted in the comments. Unlike the one I have posted above it does not need to be done every time you log in. I am not sure how it performs in the event that you disconnect/reconnect the monitor or dock/undock the laptop frequently.