Maddening problem with LDAP and Apache

I've spent the last three days fighting with one of the most frustrating problems I've ever had. We replaced the hardware for the BCRC server -- an old Solaris server with a new Ubuntu box. We had done this before in the ISB and, other than a minor hiccup or two, everything switched over smoothly. I assumed this would be the same and almost everything was. Except for LDAP in Apache.

We use LDAP for centralized authentication. It's not perfect by any means, but it's been a huge efficiency in how we manage accounts and services. We use it for shell accounts (cf ssh), samba (file sharing and printing), and via apache (http basic authentication and in PHP). It was no problem to get it set up everywhere except for apache. LDAP only failed in apache. But the same configuration we were using on the other server wouldn't work on this one.

I spent one day just denying that it was anything to be concerned about. Then I spent a day double-checking everything: config files, permissions & ownerships, typos. Then I spent a day trying stuff: configuration changes, re-installing software -- even rebooting. Then I spent a day hiding from it (maybe two). Finally, on Sunday, I went in to the office in the evening, rolled up my sleeves, and made the commitment to just stay there working on it until it was solved or I was dead. About three hours in, I found it.

The errors I was getting didn't make sense. The first error, a generic "couldn't contact ldap server" wasn't helpful, especially as the ldap_connect function was working -- it was failing at ldap_bind. I figured out how to turn on debugging with this line of PHP code:

ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);

But the error I was getting back didn't make much sense.

TLS: only one of certfile and keyfile specified

This error is so rare that google mostly just returns links to the source code.

The logging on the LDAP server was the equally vague "TLS Negotiation Error".

Eventually, I figured out that the configuration for setting up SSL for HTTPS also governs the connections the server makes to the LDAP server. And then I found it:

#   Allow insecure renegotiation with clients which do not yet support the
#   secure renegotiation protocol. Default: Off
SSLInsecureRenegotiation on

This line was commented out on the server where it worked. I commented out the line, restarted the webserver, and it just started working.

I'm wondering if this is the point where people start to say, "I'm gettin' too old for this kind of shit!"
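The difference described above, one directive active on the failing server and commented out on the working one, is the kind of thing a diff of active directives surfaces quickly. This is an added example, not code from the original post: the two sample configs are constructed, the function names are hypothetical, and the parser is flat (it ignores which section a directive sits in).

```python
# Constructed sample configs (not the author's real files): the same SSL
# config on two servers, differing only in one commented-out directive.
WORKING = """\
SSLEngine on
SSLCertificateFile /etc/ssl/certs/placeholder.pem
#   Allow insecure renegotiation with clients which do not yet support the
#   secure renegotiation protocol. Default: Off
#SSLInsecureRenegotiation on
"""
FAILING = """\
SSLEngine on
SSLCertificateFile /etc/ssl/certs/placeholder.pem
#   Allow insecure renegotiation with clients which do not yet support the
#   secure renegotiation protocol. Default: Off
SSLInsecureRenegotiation on
"""


def active_directives(text):
    """Map lower-cased directive name -> list of argument strings.

    Only uncommented lines count. Section tags such as <VirtualHost> are
    skipped, so this is a flat view (a simplification for the example).
    """
    found = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # Apache line continuation
            pending = line[:-1] + " "
            continue
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        fields = line.split(None, 1)
        name = fields[0].lower()         # directive names are case-insensitive
        args = fields[1].strip() if len(fields) > 1 else ""
        found.setdefault(name, []).append(args)
    return found


def diff_active(working, failing):
    """Return (directive, value_on_working, value_on_failing) for each mismatch.

    A value of None means the directive is absent or commented out there.
    """
    a, b = active_directives(working), active_directives(failing)
    return [
        (name, a.get(name), b.get(name))
        for name in sorted(set(a) | set(b))
        if a.get(name) != b.get(name)
    ]


if __name__ == "__main__":
    for name, good, bad in diff_active(WORKING, FAILING):
        print(f"{name}: working={good!r} failing={bad!r}")
```
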

Bridging the divide

It's weird to live in a town like Amherst. In most of the country, people would call me a socialist, left-wing freakshow but, in Amherst, I sometimes feel like I'm on the right-wing fringe. You see, I believe that it's possible, through thoughtful effort, to improve the town. There is a vocal subset of the town that very strongly does not believe this.

I think part of it is anti-capitalism. I'm pretty anti-capitalist myself -- I can get my socialism on with the best of them. But I recognize that spitefully trying to prevent people with property using their property to make money, in the long run, hurts us as much -- probably more -- than it hurts them.

I think part is just fear and doubt -- fear that any change will be bad and so should be prevented. But simply preventing change is not conservation -- it's stagnation. Do people really look at the town and say that this is best of all possible worlds? Really? We can do better.

The most frustrating thing is the difficulty in having a meaningful conversation when the focus becomes questioning other people's motives, rather than articulating a positive vision for the town. I may be biased, but there seems to be a special reserve of venom directed at the people who are engaged with, and who do the hard work year round making town government work. Too many people seem inclined to snipe from the sidelines and try to be sand in the gears than expressing a willingness to roll up their sleeves and do the hard work necessary to move the town forward productively.

At one time, I was seduced by the idea of opposing development, but then I read The Geography of Nowhere by James Howard Kunstler, which talks about how bad things have gotten by people simply trying to stop bad things rather than trying to build good things. 'The future will require us to build better places,' Kunstler says, 'or the future will belong to other people in other societies.'

Circumnavigating the Connecticut River

One of my favorite rides is to ride north to the Sunderland Bridge, ride south along River Road through Whately and Hatfield, and cross back over via the Norwottuck Trail. I call it "Circumnavigating the Connecticut River". I kept my sights fixed on this ride through all of the graduation ceremonies: the Grad Ceremony Friday morning, Undergraduate Friday afternoon, the Graduation Dinner Friday night, the Senior Luncheon Saturday morning, and the College Celebration Saturday afternoon. When I finally got home around sundown, I was exhausted and pretty much went straight to bed. But on Sunday morning, I got up, checked the weather, and headed out.

I pumped up my tires, filled my water bottles, and grabbed two big "Pink Lady" apples for the road. I rode up to North Amherst, stopped for a minute to Ingress, then headed out. The wind was out of the south, south-east, so behind me for the first leg of the ride.

There's a good climb as you leave Amherst and head into Sunderland. It's not really steep, but it lasts a good while. After that, it's all downhill to the river.

I took a slight detour to go by the Firestation: It was a green portal anchoring several big fields that covered a lot of where I would be riding, so it had to go.

Before I crossed the bridge, I stopped at a convenience store to drink a soda. I probably should have just gotten water, but it's nice to have a little taste of something now and then.

I crossed the bridge and turned into the wind to head south along River Road. It was really starting to heat up, so the breeze was not actually that unwelcome. A few times, it really picked up and reduced my pace quite a bit, but many spots along the way are relatively sheltered.

I took a longish stop at the site of the original Smith Academy with a marker thanking Sofia Smith, the original benefactress of Smith College. I thought that I probably needed a benefactress. While I was there, I realized that there are a bunch of sakura cherry trees that were still blooming. They have a differently shaped flower than my sakura tree -- and evidently bloom a bit later. I'll have to remember that in coming years. I chomped one of my apples still musing under the cherry blossoms. The Pink Ladies are OK, but not as good as Honeycrisp.

I pushed on, making the steep climb up the overpass over the train tracks and I-91, and then the longer climb up Rt. 5 into Northampton. Feeling hungry, I stopped at the River Valley Market and fixed myself a salad at the salad bar. I felt justified in putting on two scoops of bacon bits. And I refilled my water bottles with fresh, cold water.

The only really nasty part of the ride is the left turn from King Street onto Damon Road and then the brief stretch on Damon Road to the bike trail. I should probably just head down King Street until I pick up the bike trail down there, but it's not much better and quite a bit out of the way. It's scary to have the big trucks and traffic going so close, since there's no bike lane.

The newly resurfaced bike trail was like a dream after spending so much time on the roads. It was crowded with bikers and skaters and walkers, but much better than cars. I was starting to get pretty tired and, by the time I reached the climb into Amherst, I was seriously flagging. I stopped to drink most of the rest of my water and to eat the other apple. I finally climbed back on my bike and struggled up the hill and then turned the corner onto the last leg of the journey.

The Art Swift Way runs back to campus, mostly downhill, and I had a nice breeze behind me again. There are transverse cracks that are a bit unpleasant to ride over (90 on campus alone), but it's better than being on the road. I finally made the last climb by Computer Science and turned back into my neighborhood. It came to about 30 miles. It was a great ride and good training for Pedal2Pints coming up in about a month.

Sakura Viewing

For several years, I've been sending out an invitation for friends and colleagues to stop by to see our sakura tree flower in the spring. This is a tradition in Japan with a history that goes back centuries. The brief flowering of the cherry trees is a moment in the spring to reflect on the ephemeral and transitory nature of life.

Sometimes the weather is bad where it's really too cold or wet to enjoy the flowers. But this year, it was absolutely perfect: the flowers hit their peak on perhaps the first really nice day of the spring. The temperature was nearly 70 with sun and just a few clouds.

Our tree is perhaps the most glorious sakura tree in Amherst. The nation of Japan gifted Amherst with several sakura trees in the 1930s in honor of William Clark and our tree (reportedly) was grown from a cutting of one of those trees. There are several more in the neighborhood and even more around town -- but ours is the best.

One thing I like most about the tradition of hanami is the unpredictability of it all: the cherry trees can bloom basically any time from the beginning of April to the beginning of May, so you really can't plan for it. You just have to drop everything and make time for it when it happens.

But not everyone can. Or does, anyway. But those who came had a lovely time and it gave me a lot of pleasure to share my sakura tree with others.

One friend who came said she'd planned a trip to see the famous cherry trees in Washington DC but, when the time came, she was too busy at work and couldn't get away. And she'd been really disappointed. My invitation came at just the right moment and she enjoyed my tree even more than she would have enjoyed the trees in Washington.

It's amazing. There simply aren't words to describe the feeling of standing under the tree, surrounded by flowers, looking up through beams of sun through the petals, to see the blue sky above. Sugoi. Or, as Daniel would say, Sugoku kawaii.

People came and went and, as the sun was finally going down, the last of my friends drove home. It was a lovely hanami and I look forward to several more days under the cherry tree until the petals start to fall. And then I'll have to wait another year, inshallah, to see them again.

Finding my bliss

I saw an article this morning about finding your bliss derived mostly from an interview with Joseph Campbell. I realize how fortunate I am to have as much freedom as I do to choose projects to work on that I think are worth doing. But I can tell when I'm working too much when, looking back, I see that it was a whole week since I wrote a haiku.

It's been a month of keeping plates spinning, one after another after another. My class is working on their final projects: amazing netlogo models! I almost have Junior Writing through the quinquennial review: just one more question to answer. We've got the beginnings of a draft for IT strategic planning: four goals defined and assignments to draft the narrative. I'm feeling like the Amherst Media board is finally starting to pull together: committees have projects and are moving forward. Makers at Amherst Media is hanging in there: the drop-in sessions are picking up steam. Hack for Western Mass is moving forward: full speed ahead! So I took Saturday to just decompress.

It's been a perfect day. I got up early. I had Love Crunch granola with fresh raspberries and coffee for breakfast. Lucy, Charlie, and I solved the Jumble. I went back to bed for an hour. Lucy and I drove downtown to walk around and play Ingress. We went to the Library (where I got Karen Memory!) We went to the grocery store. I came home and fixed chili. While it was simmering I took a bike ride with Daniel. We got back just in time for me to watch the Red Sox while I ate chili and had a beer. I napped for a bit while the game was on. Then I went out to play a bit more Ingress then stopped at Raos for a latte to compute and write haiku. I got home just in time to have taco bowls which Daniel had made for dinner. Afterward, we watched some Tony Tony Chopper. And now it's time for bed.

I particularly want to write more haiku over the next few weeks as I work to pull together my next book of haiku. I've decided on a theme and have hatched a plan to develop the imagery. I have enough haiku now, but it would be good to have a few more to let me drop some of the weakest ones. Hopefully, I'll have the new book ready to take with me to the UK.

I still have some questions: Do I want to keep to the same format? Or mix it up? Should I stick with the bilingual pattern? Or go monolingual? It's fun to think about the possibilities.

Online Threats and Phishing

Recently, I was invited to co-present on security. We each brainstormed up a list of what we thought were the biggest online threats today and some practical steps people can take to protect themselves. Here is the list I created:

Brewer's top five threats

  1. Dangerous scripts (flash, javascript, others) in browser
  2. Insecure/questionable links (in email, in social media, etc)
  3. Insecure attachments
  4. Insecure plugins, extensions, apps, etc
  5. Social Engineering

Brewer's recommendations

These are intended to be some basic steps anyone can take to improve their security, although they are not necessarily convenient.

Use Firefox with both no-script and flashblock enabled.

Only do banking, human-resources stuff, etc with fresh web-browser session:

  • Use a different browser only for that purpose
  • Start up browser, do session, quit browser
  • Do the same for insecure/questionable links.

View (and send) email as plain text only

  • Look at links carefully
  • Don't leak information via images and web-bugs

Look at full headers of questionable email

  • Only trust headers written by known hosts.
  • Learn to recognize suspicious hostnames.
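Each mail server adds its own Received header on top of the ones already present, so only the stamps written by hosts you know, read from the top down, can be relied on. The sketch below is an added example, not part of the original list; the message, host names and trusted-host set are constructed for illustration.

```python
import email
import re

# Assumption: hosts run by your own mail provider, whose stamps you trust.
TRUSTED_HOSTS = {"mx1.campus.example", "mailstore.campus.example"}

# Constructed sample message (not real mail). The newest stamp is on top.
SAMPLE = (
    "Received: from mx1.campus.example (mx1.campus.example [192.0.2.10])\n"
    "\tby mailstore.campus.example with ESMTP id A1; Mon, 4 May 2015 10:00:03 -0400\n"
    "Received: from smtp.sender.invalid (unknown [203.0.113.77])\n"
    "\tby mx1.campus.example with ESMTP id B2; Mon, 4 May 2015 10:00:01 -0400\n"
    "Received: from internal.bank.example (internal.bank.example [198.51.100.5])\n"
    "\tby mail.bank.example with ESMTP id C3; Mon, 4 May 2015 09:59:00 -0400\n"
    'From: "Your Bank" <security@bank.example>\n'
    "Subject: Verify your account\n"
    "\n"
    "Please confirm your details.\n"
)

BY_RE = re.compile(r"\bby\s+([^\s;]+)", re.I)      # host that wrote the stamp
FROM_RE = re.compile(r"^\s*from\s+(\S+)", re.I)    # name the sender claimed
IP_RE = re.compile(r"\[([0-9A-Fa-f:.]+)\]")        # peer address as recorded


def classify_received(raw_message, trusted=TRUSTED_HOSTS):
    """Return one dict per Received header, newest first, with a trust flag."""
    msg = email.message_from_string(raw_message)
    hops, chain_ok = [], True
    for value in msg.get_all("Received", []):
        by = BY_RE.search(value)
        frm = FROM_RE.search(value)
        ip = IP_RE.search(value)
        by_host = by.group(1).lower() if by else None
        # A stamp is trusted only if a known host wrote it AND every newer
        # stamp above it was trusted too. Anything older was supplied by the
        # sending side and could have been typed in by hand.
        chain_ok = chain_ok and by_host in trusted
        hops.append({
            "by": by_host,
            "claimed_from": frm.group(1).lower() if frm else None,
            "peer_ip": ip.group(1) if ip else None,
            "trusted": chain_ok,
        })
    return hops


def entry_point(hops):
    """The oldest trusted stamp: where the mail entered known infrastructure."""
    trusted = [h for h in hops if h["trusted"]]
    return trusted[-1] if trusted else None


if __name__ == "__main__":
    for hop in classify_received(SAMPLE):
        flag = "trusted  " if hop["trusted"] else "UNTRUSTED"
        print(flag, "by", hop["by"], "from", hop["claimed_from"], hop["peer_ip"])
```

In the sample, the bottom stamp names the bank's servers, but it sits below the point where the message reached a known host, so the only reliable origin is the peer address recorded by that host.
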

Don't just click on links!

  • know the structure of links:
  • Navigate there directly
  • Critically evaluate links
  • Look at hostnames & paths
  • Avoid apps that obfuscate links
  • Use copy & paste
  • Use "whois" for questionable hostnames
  • Remove parts of path that might have tracking information
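One way to apply the link checks in this list before opening anything, as an added example that is not part of the original recommendations: it splits a link into its parts, flags hostname tricks, and drops common tracking parameters from the query string. The URLs are constructed, the warning names are hypothetical, and the tracking-parameter list is a small sample.

```python
import ipaddress
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Small sample of widely used tracking parameters (not exhaustive).
TRACKING_PREFIXES = ("utm_",)
TRACKING_KEYS = {"fbclid", "gclid"}


def is_tracking(key):
    key = key.lower()
    return key in TRACKING_KEYS or key.startswith(TRACKING_PREFIXES)


def inspect_link(url, expected_domain):
    """Check where a link really goes and return a cleaned copy of it.

    expected_domain is the site you believe you are visiting.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    expected = expected_domain.lower()
    warnings = []

    if parts.scheme != "https":
        warnings.append("not-https")
    # Everything before "@" is login info, not the host: a familiar name
    # can be placed there while the real host follows the "@".
    if parts.username is not None:
        warnings.append("userinfo-before-@")
    try:
        ipaddress.ip_address(host)
        warnings.append("ip-literal-host")
    except ValueError:
        pass
    # Internationalized names can render like a familiar ASCII name.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        warnings.append("internationalized-host")
    # The registered domain is at the right-hand end of the hostname.
    if not (host == expected or host.endswith("." + expected)):
        warnings.append("host-not-under-expected-domain")
        if expected in host:
            warnings.append("expected-name-used-as-decoy")

    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if not is_tracking(k)]
    netloc = f"[{host}]" if ":" in host else host   # re-bracket IPv6 literals
    if parts.port:
        netloc += f":{parts.port}"
    cleaned = urlunsplit((parts.scheme, netloc, parts.path,
                          urlencode(kept), parts.fragment))
    return {"host": host, "warnings": warnings, "cleaned": cleaned}


# Constructed sample links for illustration.
SAMPLES = [
    "https://bank.example@login.invalid/verify?utm_source=mail&id=7",
    "http://192.0.2.44/bank.example/login",
    "https://bank.example.account-check.invalid/",
    "https://www.bank.example/statements?gclid=abc&month=5",
]

if __name__ == "__main__":
    for link in SAMPLES:
        result = inspect_link(link, "bank.example")
        print(result["host"], result["warnings"], result["cleaned"])
```
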

Don't be a monoculture -- don't just use the most widespread software:

  • Open Microsoft documents with Libre Office.
  • Don't use Acrobat: Use Preview (or something else).

Only use software that has a strong, open community

Periodically review addons/extensions/apps for browser, phone, social-media apps

Question/verify the provenance of people & information

  • Confirm human references "out of band"
  • online resources — even DNS — can be spoofed
  • fake hostnames can look like real ones

Won't be IKU-ing in Lille

Here is my proposal, which was turned down, for an IKU lecture at the Universala Kongreso.

The World Is Not As It Seems: The history and future of worldwide alternate-/augmented-reality internet games


Over the past 20 years, the Internet has made possible a new artistic/cultural product: the massively networked game. These games, once the domain of fanatics only, are now a large-scale, worldwide cultural phenomenon. The most important games require the same capital as a big Hollywood film. In such games, people around the world can take part and interact to compete, collaborate, and have fun. Many of these games take place only in a computer universe, but little by little examples are appearing in which one plays not only on a computer but also in an alternate or augmented reality that coexists with the real world. In this proposed IKU lecture, I will sketch the history of alternate-/augmented-reality internet games; show two games in more detail; describe the relationship between language, art, and culture in these games; discuss how such games are already beginning to influence the rest of the culture (e.g. the "gamification" of education and marketing); and propose, finally, that Esperanto be considered a successful worldwide alternate-/augmented-reality game.


Over the past 20 years, the Internet has made possible a new artistic/cultural product: the massively networked game. These games, once the domain of fanatics only, are now a large-scale, worldwide cultural phenomenon. The most important games require the same capital as a big Hollywood film. In such games, people around the world can take part and interact to compete, collaborate, and have fun. Many of these games take place only in a computer universe, but little by little examples are appearing in which one plays not only on a computer but also in an alternate or augmented reality that coexists with the real world.

Since the earliest days of the internet, games have been widely used to explore the capabilities and nuances of online interaction. Perhaps the earliest alternate-reality online game was LambdaMOO (CURTIS, 1990), which resembled earlier text adventure games, e.g. Colossal Cave Adventure (CROWTHER, 1976; CROWTHER & WOODS, 1977) and the subsequent Multi-User Dungeons (TRUBSHAW, 1978; BARTLE & TRUBSHAW, 1980), but differed in that the players could not only explore, but also co-create the environment and converse (by typing) with people in the same "places" in the game. LambdaMOO was a virtual version of its creator's house. The community welcomed gay and transgender people (fittingly, one starts out in the game/world in a closet) and gave them a safe place to try out other modes of expressing identity and gender.

Later games introduced the idea that, via the net, a great many people could take part at the same time: Massive Multiplayer Online Role-playing Games (MMPORG) such as Ultima Online, Everquest, and the best known, World of Warcraft. Because of the possibility of reaching an enormous number of participants, games moved out of the domain of net technicians alone and became a product of large companies. Now, StarCraft 2 and Dota 2 are games known worldwide that attract great interest. Companies will spend tens of millions of dollars to produce one new game, and competitions are becoming international spectacles. The international Dota 2 competition in 2014, “The International”, offered up to $10.9 million in prizes, and the games were shown on the international television network ESPN with live commentary.

In 2008, Jane MCGONIGAL organized the worldwide alternate-reality game Lost Ring (La Perdita Ringo), which received funding from worldwide companies and organizations, principally McDonalds and the World Olympic Committee. In the game, actors pretended to be athletes who found themselves without any memories and with tattoos that said “Trovu la ringon perditan” ("Find the lost ring", in Esperanto!). This game became especially interesting to Esperantists because Esperanto was used as a puzzle in the game. I will briefly summarize the game in the lecture and show its features.

In 2012, the company Google launched the game Ingress, an augmented-reality game played with a mobile phone. It is a good illustration of the features of a current augmented-reality game. In the game, there are portals through which “exotic matter” enters the world. To play, one has to visit, in the real world, the places where those portals are located, often at public buildings and artworks. In practice, one therefore has to walk a great deal from place to place to take part, and one of the side goals of the game is to improve the health of the participants. In the lecture, I will describe and show the game.

In recent science-fiction literature, writers are beginning to imagine how games like these will become part of everyday culture. In the early 2000s, writers began to describe how such games can cross between the alternate, game reality and the real reality. In the books Pattern Recognition (GIBSON, 2003), Halting State (STROSS, 2007), Little Brother (DOCTOROW, 2008), and This Is Not A Game (WILLIAMS, 2009), authors described and developed the idea that such games will enable relationships and collaboration among people around the world. I will summarize the features that were described and show how the future world that was described is already coming true in many respects.

Games are having a growing influence on the rest of the culture, both good and bad. The computer is becoming more than just a “tool”: a real part of the body and brain and mind (TURKLE, 1984; TURKLE, 2011). Lately, there has been much discussion of how to “gamify” various aspects of everyday life, especially teaching and marketing. Often the plans and proposals show a dangerous ignorance of the lessons learned about behaviorism decades ago. There is also a danger concerning the data that one has to share through any Internet activity, but especially through mobile phones. Games like Ingress require that you share with Google and the mobile-phone companies (and governments) where you are and where you are going.

Esperanto itself can be thought of as an alternate-/augmented-reality game. Few people take part in Esperanto as part of their professional life, but at the same time they devote a great deal of time to it: to learn, teach, organize, meet, discuss, and build a literature in and about a world that resembles, but does not entirely match, the everyday world. I will explore how, through the lens of alternate-/augmented-reality games, we can understand and perhaps improve Esperantujo.


BARTLE, R. & TRUBSHAW, R. 1980. MUD3: Multi-User Dungeon. BCPL software for PDP-10.

CROWTHER, W. 1976. Colossal Cave Adventure. FORTRAN software for PDP-10.

CROWTHER, W. & WOODS, D. 1977. Colossal Cave Adventure. FORTRAN software for PDP-10.

CURTIS, P. 1990. LambdaMoo. Community-source software project. Available at:

DOCTOROW, C. 2008. Little Brother. Tor Teen. 387pp.

GIBSON, W. 2003. Pattern Recognition. Penguin Group. 384pp.

MCGONIGAL, J. 2008. The Lost Ring. Alternate-reality game.

STROSS, C. 2007. Halting State. Ace. 380pp.

TRUBSHAW, R. 1978. MUD1: Multi-User Dungeon. Macro-10 software for PDP-10.

TURKLE, S. 1984. The Second Self: Computers and the Human Spirit. MIT Press. 372pp.

TURKLE, S. 2011. Alone Together: Why We Expect More from Technology and Less from Each Other. MIT Press. 360pp.

WILLIAMS, W.J. 2009. This Is Not A Game. Orbit. 384pp.

Faculty Survey

The College of Natural Science is conducting a survey of the faculty. It was somewhat interesting to look at the questions and to gauge my own reactions to them. The survey focused primarily on the relationships between the faculty member and the department -- and the college. And then dealt with effort spent on research, teaching, and service.

Beyond answering the questions, I pointed out the two things that I've been raising with the University for the past 10 years. First, that the survey itself demonstrated the ambivalent relationship the University has with non-tenure-system faculty: the list of faculty ranks did not even include my rank "Senior Lecturer II" (among the 10 or 15 that were there) -- I just had to pick "full-time lecturer". Many faculty would argue that becoming a lecturer is having failed -- and this attitude pervades a whole range of micro-aggressions that the administration practices upon non-tenure-system faculty. The most important of these is the lack of support for on-going professional development. While tenure-system faculty get a sabbatical every seven years, non-tenure-system get a sabbatical, well, never. And the institutional support for non-tenure-system faculty to attend conferences or training is practically non-existent. This perhaps made sense when non-tenure-system faculty were purely short-term appointments, but when they work for 15 or 20 years in the same position, it would benefit the institution to make a strong commitment to helping these faculty stay current and retrain.

I pointed out one other thing too. The survey discussed the relationship with the department and college (and, to a lesser extent, the University as a whole), but it did not mention the faculty union as a source of community. The union has been really important to me in terms of getting to know colleagues from across the institution and thinking about scholarship from a broader perspective. And for making really tremendous gains over 10 years to improve the circumstances for non-tenure-system faculty. Go UMassMSP!

Pictures Don't Lie

I've always taken lots of pictures in St. Croix. Pictures don't lie, but they don't tell the whole truth either. You can see the flower, but can't smell it -- nor hear the bees buzzing. You can't feel their rubbery goodness. You can't see how they wave in the breeze — nor hear the ocean waves on the beach below. You can't see how they seem to change color when a cloud passes over the sun. You can't see how the flowers appear like magic overnight, but have already fallen off by midafternoon. You can't see how some flowers are only here for a short season, while others bloom year round. The pictures offer a truth, but they're not the truth.

Last full day

Today is my last full day on island. The time has passed quickly. We've been busy launching the trapping program (getting traps out of storage, getting access to the refuge, putting the traps into service, etc). We also had to move to a different cottage, which was surprisingly disruptive: afterwards you can't find anything.

I don't usually plan to come down for such a short stay, but this was a special occasion. And today we celebrate that occasion: Buzz's 60th birthday. Buzz is expecting around 20 people. The plans are all laid: we've arranged for the food from Rose's and will pick up the drink this afternoon. We couldn't get beer from the Fort Christian Brewpub -- they didn't have any IPA ready. But we can get some Island Hoppin' IPA in the bottle, which is pretty good. And maybe a bottle or two of rum as well.

We've had good success in the field. We've had nearly 50% trap success: a mix of recaptures and new animals. We had one rather harrowing experience with an Africanized bee colony in a tree hollow that became disturbed and wouldn't let us get to one trap site. So, after the colony calmed down, we moved that trap to a different site. Buzz only got one sting, but it's amazing how terrifying it is to have bees swarming around you, buzzing, and bumping into your head.

Yesterday we visited Christiansted to visit the boutiques and watch the crab races. I mostly walked around and played Ingress. We took three hermit crabs and entered them, but didn't have any win. But it was fun. The view from the boardwalk is amazing.

With Venus to guide us, we walked back to the car in the lot with the Baobab tree and drove back to Cottages.

